Received: 26 November 2019 | Revised: 9 September 2020 | Accepted: 5 October 2020 DOI: 10.4218/etrij.2019-0539

ORIGINAL ARTICLE

Key-dependent­ side-­channel cube attack on CRAFT

Kok-­An Pang | Shekh Faisal Abdul-­Latip

INSFORNET, Centre for Advanced Computing Technology (C-­ACT), Fakulti Abstract Teknologi Maklumat dan Komunikasi, CRAFT is a tweakable introduced in 2019 that aims to provide strong Universiti Teknikal Malaysia Melaka, protection against differential fault analysis. In this paper, we show that CRAFT Melaka, Malaysia is vulnerable to side-channel­ cube attacks. We apply side-channel­ cube attacks to Correspondence CRAFT with the Hamming weight leakage assumption. We found that the first half Kok-­An Pang and Shekh Faisal Abdul-­ of the secret can be recovered from the Hamming weight leakage after the first Latip, INSFORNET, Centre for Advanced Computing Technology (C-­ACT), Fakulti round. Next, using the recovered key bits, we continue our attack to recover the sec- Teknologi Maklumat dan Komunikasi, ond half of the secret key. We show that the set of equations that are solvable varies Universiti Teknikal Malaysia Melaka, depending on the value of the key bits. Our result shows that 99.90% of the key space Melaka, Malaysia. Email: [email protected] (Kok-­An Pang), can be fully recovered within a practical time. [email protected] (Shekh Faisal Abdul-­Latip) KEYWORDS Block cipher, CRAFT, , cube attack, side-­channel attack Funding information This research was supported by the UTeM Zamalah Scheme and Fundamental Research Grant Scheme (FRGS) of Universiti Teknikal Malaysia Melaka (FRGS/1/2015/ICT05/FTMK/02/ F00293) funded by the Ministry of Higher Education, Malaysia

1 | INTRODUCTION attacks varies depending on the implementation, even if the same cipher is adopted. Nevertheless, it is important to study Resistance against known standard attacks has become one the capabilities of available ciphers to protect communications of the criteria for measuring the security of a block cipher. across various devices. Unfortunately, not all ciphers are de- Cryptanalytic attacks such as linear and differential cryptan- signed to resist side-channel­ attacks. In practice, additional alysis [1,2] have been used widely to facilitate such security countermeasures against side-­channel attacks are implemented, evaluations [3–7].­ However, a cipher that can resist standard which are mostly inefficient and costly [24]. Resistance against attacks may not necessarily be secure against side-­channel side-­channel attacks at the algorithmic level helps reduce im- attacks, which exploits the weaknesses in its physical imple- plementation costs by avoiding extra countermeasures, as can mentation. Leaked information such as timing information [8], be seen in ciphers such as PICARO [25], ZORRO [26], and power consumption [9,10], and electromagnetic leaks [11] can FIDES [27], where countermeasures against side-channel­ anal- be exploited for key recovery. Ciphers which can resist stan- ysis are defined at the algorithmic level. dard attacks [12] are not necessarily secure. They can be bro- CRAFT [24] is a new tweakable block cipher introduced ken from the weaknesses of their implementation, Which have in 2019, which can resist differential fault analysis. CRAFT been shown in [17]. However, the feasibility of side-­channel is also resistant to various known standard attacks [1,28–­31].

This is an Open Access article distributed under the term of Korea Open Government License (KOGL) Type 4: Source Indication + Commercial Use Prohibition + Change Prohibition (https://www.kogl.or.kr/info/license.do#05-tab). 1225-6463/$ © 2020 ETRI

.wileyonlinelibrary.com/journal/etrij  ETRI Journal. 2021;43(2):344–356 | 344 PANG and ABDUL-­LATIP | 345 Moreover, the CRAFT algorithm is nearly involutory. The TABLE 1 Notation algorithm of CRAFT can be turned into decryp- ki The i-­th bit of the secret key tion with minimal area cost. ti The i-­th bit of the tweak ℛ In this paper, we analyze the security of the CRAFT im- i The round function at round i plementation against side-channel­ cube attacks using the Vi The plaintext nibble (v4i, v4i + 1, v4i + 2, v4i + 3) Hamming weight leakage model. The cube attack used in Ti The tweak nibble (t , t , t , t ) this study is key-dependent,­ that is, the superpoly equations 4i 4i + 1 4i + 2 4i + 3 Er ( er , er , er , er ) ℛ used vary depending on the secret key. The selection of su- i The state nibble 4i 4i + 1 4i + 2 4i + 3 before r K perpoly equations depends on the value of their right-hand­ The secret key 0 sides, which are known during the online phase. Moreover, V The plaintext, also known as E the recovery of the second half of the secret key depends on C The , also known as E32 the first half of the secret key. T The tweak r The superpoly equations obtained during the preprocessing E The internal state after r rounds phase are sufficient for recovering all secret key bits within a K0 The first half of K consists of (k0, k1, …, k63) practical time with a success probability of 0.9990. According K1 The second half of K consists of (k64, k65, …, k127) to Liskov and colleagues in Ref. [31], the additional tweak on n Key size a tweakable block cipher should not be considered as another D Degree of superpoly uncertainty to the adversary. Furthermore, the security of a I block cipher should not be compromised even if the adversary The set of cube indices |I| has control of the tweak. However, our result shows that the se- CI The |I|-­dimensional Boolean cube of 2 vectors cret key of CRAFT can be recovered using side-­channel cube (p,i,j) The set of integers {i, i + p, i + 2p, …, q} for any attacks when an adversary has control of its tweak. 0 < j − q ≤ p Our Contribution. We analyze the security of CRAFT HW(X) Hamming weight of any vector X against side-­channel cube attacks with the Hamming leakage assumption. Although the algorithm of CRAFT is claimed by the designers to be resistant to differential fault analysis, which is a type of side-­channel attack, our work shows that CRAFT is not secure against cube attacks within the side-­ channel attack model. To the best of our knowledge, our attack on CRAFT is the first attack on CRAFT within a side-­ FIGURE 1 State of CRAFT channel attack model. We point out that most of the key space (that is, 99.90%) can be recovered within a practical time, but the remaining 0.1% can only be recovered with a complexity significant bit of a vector is labeled with index 0. Throughout faster than brute force. this paper, capital letters are used to represent vectors, unless Organization of the Paper. In Section 2, we describe otherwise stated. For representing terms in a polynomial, bold the notation used in this study. In Section 3, we briefly re- letters are used. Let B denote a vector and b be a polynomial view the design of the CRAFT block cipher. Section 4 pres- term. Next, we denote Bi as the i-th­ bit of B and b i as the i-­th ents an outline of a side-channel­ cube attack. Sections 5 bit of b, respectively, unless otherwise stated. and 6 show the application of side-channel­ cube attacks on CRAFT and describe the result of our work. Section 7 concludes the paper. 3 | BRIEF DESCRIPTION OF THE CRAFT BLOCK CIPHER

2 | NOTATION In this section, we briefly describe the structure of CRAFT. For details on the design rationale, performance, and security ℤ We distinguish between the addition of 2 and the addition of evaluation of CRAFT, please refer to [24]. ℤ , and we use ⊕ as the addition of 2 and + as the addition of CRAFT operates with a 64-bit­ block size, a 128-bit­ secret , respectively. For summation, we denote ∑ as the summation key, and a 64-bit­ tweak. During the encryption, a plaintext is ℤ of , whereas ⊕ is the summation of 2. Table 1 shows the no- divided into 16 nibbles, which are grouped as a matrix similar tation used in this study, unless otherwise stated. Note that all to the Advanced Encryption Standard (AES) [32]. Figure 1 indexing in this paper is based on zero-based­ numbering (that shows the AES-like­ representation for the internal state of ℛ is, 0 is the first round). Bit positions in a vector are labeled CRAFT, where each number 0 ≤ i ≤ 15 in each square box r in Big Endian with zero-based­ numbering, that is, the most represents Ei for any 0 ≤ r ≤ 32. 346 | PANG and ABDUL-­LATIP MC is a MixColumn function, which multiplies the state i matrix E for any 0 ≤ i ≤ 32 with an involutory matrix ℳ such i + 1 i that E = MC(E ) = ℳ⋅E, where.

1011 0101 ℳ = . ⎡0010⎤ ⎢ ⎥ FIGURE 2 Encryption in CRAFT ⎢0001⎥ ⎢ ⎥ ⎢ ⎥ Further, ARCi is the addition of the i-­th round constant RCi ⎣ i⎦+ 1 i (refer to Table 2), with the state E = E ⊕ RCi, whereas i ATKi is the addition of the i-­th round tweakey TKi with E i + 1 i such that E = E ⊕ TKi. Although there are 32 rounds in CRAFT, the same set of round keys are used periodically every four rounds. The round key for each round is generated as follows.

ℛ TKi = K0 ⊕ T, FIGURE 3 The i-­th round function i of CRAFT

TABLE 2 Round constants in hexadecimal for each round TKi+1 = K1 ⊕ T,

Round Round constant Round Round constant TKi+2 = K0 ⊕ Q(T), 0 0 × 11 16 0 × 82

1 0 × 84 17 0 × 45 TKi+3 = K1 ⊕ Q(T). 2 0 × 42 18 0 × 26 3 0 × 25 19 0 × 97 where Q is a permutation of tweak with all i ∈ S(4,0,32). Figure 4 4 0 × 96 20 0 × c3 shows permutation Q on tweak T, where each index i in each 5 0 × c7 21 0 × 61 square box represents Ti. 6 0 × 63 22 0 × b4 PN is the permutation layer that permutes the bit positions r r + 1 r 7 0 × b1 23 0 × 52 in state E for any 0 ≤ r < 32 such that Ei = P Ei for all r 8 0 × 54 24 0 × a5 0 ≤ < 15. Figure 5 shows the permutation of CRAFT.  9 0 × a2 25 0 × d6 10 0 × d5 26 0 × e7 11 0 × a6 27 0 × e7 12 0 × f7 28 0 × 71 13 0 × 73 29 0 × 34 14 0 × 31 30 0 × 12 15 0 × 14 31 0 × 85 FIGURE 4 Permutation Q in key scheduling of the CRAFT block ℛ The i-­th round function i of CRAFT consists of multi- cipher ple operations such as MC, ARCi, ATKi, PN, and SB, and is defined as follows.

ℛ ◦ ◦ ◦ ◦ i = SB PN ATKi ARCi MC

i ∈ 0, 1, 2, …, 30 for with the exception on the last round R31, R which does not have PN and SB. Round 31 is defined as follows. FIGURE 5 Permutation of the CRAFT block cipher ℛ ◦ ◦ 31 = ATK31 ARC31 MC. TABLE 3 Nibble substitution r Ei 0 1 2 3 4 5 6 7 8 9 A B C D E F Figures 2 and 3 show the full encryption of CRAFT and S ( Er ) its i-­th round function, respectively. i C A D 3 E B F 7 8 9 1 5 0 2 4 6 PANG and ABDUL-­LATIP | 347 SB is the nibble substitution, which acts as the non-­linear master polynomial of a higher degree. Such a low-­degree equa- r + 1 r layer of the state such that Ei = S Ei , which is shown in tion is called the superpoly of tI in f(K,V) (denoted by p(K,V)). Table 3.  Having sufficient low-degree­ superpoly equations that are solv- Every component in the round function is involutory. The able from different tIs enables us to recover the value of the decryption of CRAFT can be performed as follows. key bits during the online phase using, for example, Gaussian elimination. ℛ ⋅ ⋅ ⋅ ⋅ i = MC ARCi ATKi PN SB, The problem of analyzing a block cipher with cube attacks is that the degree of the polynomial describing the cipher in- for i = {30, 29, …, 0} with the exception on the first round R31, creases exponentially with the number of rounds. Thus, a where cube attack becomes ineffective if one considers the attack within the standard attack model. Nevertheless, considering ℛ ⋅ ⋅ 31 = MC ARC31 ATK31. a cube attack within the side-channel­ attack model, the at- tack becomes more effective, as the adversary only requires The decryption procedure for CRAFT can also be shown analysis of the leaked state bits after a few rounds. Dinur and as follows. Shamir [34] introduced the concept of a side-­channel cube attack in which the adversary is assumed to have access to ℛ ⋅ ⋅ ⋅ ⋅ i = SB PN MC, ATKi ARCi MC, only one bit of information about the internal state instead of  the ciphertext bits. For detailed information on side-­channel for i = {31, 30, 32, …, 1} with the exception on the last round cube attacks and their applications, refer to [35–­41]. ℛ 0, for which Side-­channel attacks using Hamming weight leakage have been investigated in various studies [18,42,43]. Dinur and ℛ ⋅ ⋅ 0 = MC ATK0 ARC0 MC. Shamir [34] proposed reading the second Hamming weight bit from the least significant bit (LSB), which can also be found The above decryption is similar to its encryption coun- in several other works, such as in [35,37,44]. In other related terpart with round keys and round constants be placed in the work, Zhao and others [40] proposed a practical method to reverse order while each i-­th round key is generated from measure the Hamming weight leakage from a cipher imple- MC(TKi). mentation on an 8-­bit microcontroller. This method can ac- curately measure the value of Hamming weight leakage with probability 1 if we collect the power traces six or more times 4 | OVERVIEW OF SIDE-­ for the same plaintext. CHANNEL CUBE ATTACK

The cube attack proposed by Dinur and Shamir at 5 | APPLICATION OF SIDE-­ EUROCRYPT 2009 [33] is an algebraic attack that recovers CHANNEL CUBE ATTACKS ON key variables from low-­degree equations. The idea of a cube CRAFT attack is that any master polynomial describing a cipher can be factorized by a monomial tI, as in (1). In this section, we describe the cube attack on CRAFT within side-­channel scenarios. As described in Section 3, we realize f (K, V) = tI (p (K, V)) ⊕ q (K, V) , (1) that all round keys for even rounds in CRAFT are derived from K0, whereas all round keys for odd rounds are derived where from K1. Therefore, we apply a side-channel­ cube attack on tI = iI ∈ vi (2) CRAFT considering the Hamming weight leakage assump- tion about the internal states for specific odd and even rounds and where I represents a subset of cube indices in which all of CRAFT. It is well known that measuring the leakage of in- plaintext bits with such indices are active and take all possible ternal states for specific rounds is possible in realistic scenar- combinations of values. As pointed out in [33], when summing ios. This can be achieved by controlling the clock frequency f(K,V) over all variables in tI, of the device, as shown in [45]. More precisely, we consider ℛ ℛ the leakage of the internal states after 0 and 1 represent- tICI ∈ ⊕ tI (p (K, V)) ⊕ q (K, V) = p (K, V) , (3) ing the odd and even rounds, respectively. Considering these  earlier rounds, we are able to obtain low-degree­ polynomials |I| where CI is defined as an |I|-dimensional­ Boolean cube of 2 describing the cipher. Figure 6 shows the Hamming weight vectors. The resultant equation will be a low-degree­ equation leakage in the first two rounds of CRAFT. The framework of with respect to key variables and is easier to solve than the our approach is shown in Figure 7. 348 | PANG and ABDUL-­LATIP case, we assume the second bit from the LSB of HW(E2) is a master polynomial over the bits in E1 and T. For each possi- ble value of the cube variables in T and the value of TK0, we decrypt E1 to obtain the corresponding plaintexts that will be used in the online phase. The selection of the cube indices from the public variables (that is, the tweak) is described for- mally in Observations 1–­4. Dinur and Shamir [33] used the Blum–Luby–­ ­Rubinfield (BLR) test to find linear superpoly equations. The BLR test can be further generalized to find non-­linear superpoly equa- tions, with the number of required function evaluations grow- ing exponentially with the degree of the equation. As a result, to capture superpoly equations of degree d ≤ 3, we choose n four vectors W, X, Y, Z ∈ 2 independently and uniformly at random, representing samples of the n-­bit key. This general- ized BLR test is given by the relation FIGURE 6 Hamming weight leakage taken at the first two rounds p (W⊕X⊕Y⊕Z, V) = p (0, V)⊕p (W, V)⊕p (X, V) ⊕p (Y, V)⊕p (Z, V)⊕p (W⊕X, V)⊕p (W⊕Y, V) ⊕p (W⊕Z, V)⊕p (X⊕Y, V)⊕p (X⊕Z, V) ⊕p (Y⊕Z, V)⊕p (W⊕X⊕Y, V) ⊕p (W⊕X⊕Z, V)⊕p (W⊕Y⊕Z, V) ⊕p (X⊕Y⊕Z, V)

To determine whether a particular selected cube tI results in a superpoly equation of degree d ≤ 3, we choose a total of 100 n pairs of vectors W, X, Y, Z ∈ 2 . If all of these vectors satisfy the generalized relation, with high probability, the superpoly equation is of degree d ≤ 3. Because this relation will also capture constant superpoly equations (constant 0 and constant 1), we need to distinguish and eliminate them from our exper- iment. The constant 0 superpoly equation occurs when given any values to vectors W, X, Y, and Z, the superpoly equation is always equal to 0. However, the constant 1 superpoly equation occurs when given any values to vectors W, X, Y, and Z, the FIGURE 7 Framework of the key-­dependent side-­channel cube attack on CRAFT superpoly equation is always equal to 1. Next, to recover the superpoly equation of degree d, we find all terms of degree 1 We divide our attack into preprocessing and online until degree d and a constant term within a superpoly equation. phases. During the preprocessing phase, we find superpoly For a detailed description of how to find the terms in the super- equations of degree 1 and 3 from the second bits of HW(E1) poly equation, we refer to Lemma 2 in [35]. and HW(E2) (from the LSB) using various cubes of sizes 2 After conducting the above experiment, we were able to and 3. However, we are unable to find superpoly equations find a substantial number of superpoly equations of degrees of degree 2. After finding sufficient superpoly equations, we 1 and 3. However, the number of equations required to find filter out those equations that are not solvable. Next, we move the value of the key bits varies depending on the value of the to the online phase to find the value of the right-hand­ side right-­hand side (similarly, the value of the key bits). Thus, it of each equation by summing the master polynomial over is impossible for us to list all the sets of equations required the same set of cube indices that were obtained during the for all keys. Nevertheless, the set of equations required can preprocessing phase. To recover the value of tweakey TK0, be generalized in Observations 1, 2, 3, and 4. These general- we solve the system of equations using Gaussian elimination. izations are true for finding both sets of key bits, K0 and K1, Knowledge about TK0 enables us to control the intermediate which only differ in the indices of the key bits and the internal 1 0 1 state E “implicitly” to further recover TK1. More precisely, state used (that is, either E or E ) in selecting the cubes. In we determine the cube indices chosen from the tweak bits of Observation 1, we generalize the linear superpoly equations T that yield superpoly equations of degree 1 and 3. In this found at the second bit from the LSB of HW(E1). PANG and ABDUL-­LATIP | 349 Observation 1. Summing a master polynomial over 16 equations, 15 superpoly equations are chosen such that tα+1tα+3 while setting other public variables to 0 yields a su- γ = γ1 (as there are |S(4,0,64)| − 1 = 15 different values of φ, k ⊕ k ∈ S perpoly equation 훼 훼+2 for any (4,0,64) (to find K0) or excluding the instances where φ = γ1), whereas only one ∈ S (4,64,128) (to find K1). superpoly is chosen where γ = γ2. As a result, this yields 23.16 = 27 . Finally, following the same rule, the On the other hand, in Observation 2, we generalize cubic superpoly equation in Observation 4 requires |S(4,0,64)| = 16 superpoly equations found at the same bit position of HW(E1). different values of φ and two different values of φ such that 1, 2, ∈ S(4,0,64). Similarly, 15 superpoly equations are cho- Observation 2. Summing the master polynomial over sen where α = α1 (as there are |S(4,0,64)| − 1 = 15 different tβtβ+1tα+1 while setting other public variables to 0 yields a values of φ, excluding the instances where φ = α1), whereas k ⊕ k k k ∈ S superpoly equation 훽+2 훽+2 훼 훼+2 for any (4,0,64) (to one superpoly equation is chosen where α = α2. This also ∈ S ≠  3 7 find K0) or (4,64,128) (to find K1) with . results in 2 .16 = 2 encryptions. Summing the above number of encryptions reveals that 6 7 7 7 8.81 From Observations 1 and 2, by choosing any α such that finding K0 requires 2 + 2 + 2 + 2 = 2 computations. k ⊕ k = 1 i ∈ S 훼 훼+2 , we can recover ki for all (2,0,128). Further Recovering K1, which also uses the same number of chosen observations are shown in Observations 3 and 4, which can plaintexts as in K0, requires additional computations for partial i ∈ S 1 be exploited to recover ki for all (2,1,128). decryption of the predetermined values of E . This results in 8.81 8.81 8.85 recovering K1, requiring 2 + 2 /32 = 2 computations. Observation 3. Summing the master polynomial over t t +1t Considering that we have been able to find the whole secret key while setting other public variables to 0 yields a superpoly equation K, the total number of computations required to find the cor- 8.81 8.85 9.83 k훾+2 ⊕ k훾+2k휑+2 ⊕ k훾+2k휑+3 ⊕ k훾+2k휑+1k휑+2 ⊕ k훾+2k휑+2k휑+3 rect 128-bit­ key of CRAFT is reduced to 2 + 2 = 2 . ,  ∈ S ,  ∈ S for any (4,0,64) (to find K0) or (4,64,128) (to find Applying our side-channel­ cube attack based on the Hamming ≠  K1) with . weight leakage assumption using the method of [40] requires on average 29.83·6 = 212.41 computations. t t t Observation 4. Summing the master polynomial over ​ +2 +1 while setting other public variables to 0 yields a superpoly ­equation 1 is ⊕ k휑+1 ⊕ k휑+3 ⊕ k훼k훼+2 ⊕ k휑+1k훼k훼+2 ⊕ k휑+3k훼k훼+2 with 6 | SECRET KEYS THAT ≠ . CANNOT BE RECOVERED WITHIN PRACTICAL TIME By choosing α and γ such that k훼 ⊕ k훼+2 = 1 and k +2 = 1, we can solve the superpoly equations obtained from Observations For the secret key to be recovered in a practical time, all bits i ∈ S 3 and 4 to recover ki for all (2,1,128). Recovering ki for all of K0 must be recovered with probability 1, as this enables i ∈ S ∪ S (2,0,128) (2,1,128), we can fully recover secret key K. us to control the intermediate state after the first round. If K0 ℛ Considering the Hamming weight leakage after 1, cannot be recovered completely from the leakages, the whole 0 1 and applying the similar cube indices as used in E to E , secret key must be recovered using brute force. Because K1 is we have been able to find a system of equations similar to not known, the time complexity for recovering the secret key ℛ 64 those after 0, only differing in the indexes of key vari- would be larger than 2 as all key bits in K1 and some key bits ables. Tables A1 and A2 in Appendix A list superpoly in K0 would be recovered by brute force. Note that it is impos- 2 equations resulting from the summation of the Hamming sible to recover K1 directly from HW(E ) over bits in V, T, and weights for E0 and E1. K as the degree of the master polynomial is quite high because The complexity for recovering the right-­hand side of all of the exponential increase in degree after each round. linear superpoly equations from Observation 1 is 22·16 = 26 There are stronger keys that cannot be recovered using (as there are |S(4,0,64)| = 16 different values of α). On the other side-­channel cube attacks in practical time. Propositions 6 hand, we require 16 non-linear­ superpoly equations of degree and 6 show the characteristics of such keys. 3 for recovering all ki with any i ∈ S(2,0,64) in Observation 2. 15 Note that two different values of α are used here such that Proposition 1. Secret keys with i = 0 k4i ⊕ k4i+2 ≤ 1 31 1, 2 ∈ S(4,0,64). More precisely, 15 superpoly equations or = 16 k4i ⊕ k4i+2 ≤ 1 can prevent full recovery by side-­ i ∑ � � are chosen such that α = α (as there are |S | − 1=15 channel cube attacks. 1 (4,0,64) ∑ � � different values of β, excluding the instance where β = α1), whereas only one superpoly is chosen, where α = α2. Thus, Proof. According to Observation 2, to recover kβ+2, the value of 3 7 k ⊕ k ∈ S this requires a 2 ·16 = 2 number of encryptions. Considering 훼 훼+2 must be equal to 1. Thus, guessing kβ+2 for any (4,0,128) 15 ⊕ ≥ 1 Observation 3, |S(4,0,64)| = 16 different values of φ and two in practical time is only possible when i = 0 k4i k4i+2 , , ∈ S 31 k ⊕ k ≥ 1 k different values of γ with 1 2 (4,0,64) are used. Of these and i = 16 4i 4i+2 . However, recovering∑ � β+2 � for ∑ � � 350 | PANG and ABDUL-­LATIP 15 all ∈ S(4,0,128) requires i = 0 k4i ⊕ k4i+2 ≥ 2 and extract superpoly equations from various combinations of cube 31 = 16 k4i ⊕ k4i+2 ≥ 2. This is because kβ cannot be recovered variables. The degree of the superpoly equations is determined i ∑ � +2 � β α α k ⊕ k = 1 practically� when = � . Thus, another such that 훼 훼+2 using the BLR test with four independent random vectors. ∑ ≠  and is needed. Therefore, it is only possible to recover K0 or During the online phase, we find the right-hand­ side of the equa- 15 k ⊕ k ≥ 2 K1 completely in practical time when i = 0 4i 4i+2 and tions extracted during the preprocessing phase and solve the sys- 31 = 16 k4i ⊕ k4i+2 ≥ 2. Even if this property is known to the ad- tem of equations using Gaussian elimination. First, we determine i ∑ � � versary, the adversary still needs to recover ki for all i ∈ S(2,0,128) in the right-hand­ side of the equations from the Hamming weight ∑ � � 32 a time complexity of 2 (because the right-hand­ side of k훼 ⊕ k훼+2 leakage after the first round, which can be used to recover the is known, guessing the values of kα and kα+2 only requires 2 encryp- first half of the secret key, K0. Then, with the recovered K0, we i ∈ S 64 tions). For each possible value of ki for all (2,1,128), 2 encryp- can recover the second half of the secret key from the Hamming tions are required to guess all ki for all i ∈ S(2,1,128). The total time weight leakage after the second round by tweaking the internal complexity for recovering is 232·264 = 296, which is impractical. □ state E1. Thus, on average, the secret key can be recovered in 212.41 computations using 29.83 data. We also show the proper- 15 Preposition 2. Secret keys with i = 0 k4i+2 ≤ 1 or ties of stronger keys that can prevent side-­channel cube attacks 31 = 16 k4i+2 ≤ 1 can prevent full recovery by side-channel­ within practical time, as demonstrated in Propositions 6 and 6, i ∑ cube attacks. and which make up only 0.1% of the key space. From our initial ∑ observation, it seems that these stronger keys could be recovered Proof. According to Observation 3, when kγ+2 =0, the within practical time if we could recover more useful superpoly superpoly equation would have a value of 0, which is not ex- equations that are not bounded by the characteristics as in the ploitable for key recovery. Thus, guessing kφ+1 and kφ+3 from aforementioned propositions. One could consider the leakage 15 k ≥ 1 31 k ≥ 1 2 Observation 3 requires i = 0 4i+2 and i = 16 4i+2 . after E and add the predetermined values of variables in K0 and However, it is not possible to recover kφ and kφ when K , performing further analysis to extract the key considering ∑ +1∑ +3 1 γ = φ. To recover such key bits, another value of γ such that the plaintext variables as cubes. We believe that this may sim- ≠  kγ+2 =1, where is needed. Hence, it is only possible plify the master polynomials, which could make recovering the 15 k ≥ 2 to recover kφ+1 and kφ+3 practically if i = 0 4i+2 and remaining secret keys within the 0.1% of the key space more 31 = 16 k4i+2 ≥ 2. To recover such a secret key, an adversary practical. However, our result does not imply the actual secu- i ∑ must recover the remaining 96 secret key bits. The total com- rity weakness of CRAFT within the real-­world implementation ∑ plexity of recovering secret keys with this property requires environment, as our attack was only conducted within an ab- a time complexity of 296, which is impractical. □ stract model based on the Hamming weight leakage assumption. Further investigation should be conducted to determine the ac- Considering the effectiveness of the key-dependent­ side-­ tual security implications for CRAFT within the real-world­ at- channel cube attack on CRAFT, we compute the number of tack scenario. We leave extending the attack and exploiting such secret keys fulfilling the properties mentioned in Propositions superpoly equations as an interesting work for future research. 16 s ∈ {0, 1} = 16 1 and 2. As a result, for any , there are 1  com- 16s + 15 k ⊕ k = 1 binations of KS in which i = 16s 4i 4i+2 , while there are ORCID 16 16s + 15 = 1 ∑ � � k ⊕ k = 0 only 0  combination such that i = 16s 4i 4i+2 Kok-­An Pang https://orcid.org/0000-0001-5277-6925 16 16 216 − − ≈ 216 Shekh Faisal Abdul-­Latip and the rest 0  1  combinations in which https://orcid. 16s + 15 ⊕ ≥ 2 ∑ 16 � � i = 16s k4i k4i+2 = 16 . Similarly, there are 1 combinations of org/0000-0003-3280-2422 16s + 15  ∑ � � = 1 16s + 15 i = 16s k4i+2 16 k = 0 KS, where , = 1 combination of i = 16s 4i+2 and 0  16s + 15 16 16 ∑ ≥ 2 216 − − ≈ 216 i = 16s k4i+2 ∑ 0  1  combinations of . Table B1 in REFERENCES ∑ Appendix B shows all characteristics of the secret keys that 1. E. Biham and A. Shamir, Differential cryptanalysis of des-­like cannot be recovered within practical time and their respective , J. Cryptol. 4 (1991), no. 1. 3–72.­ number of combinations. Having all combinations of K for 2. M. Matsui, Linear cryptanalysis method for des cipher, in every condition shown in Table B1, the number of such secret Advances in Cryptology—­EUROCRYPT ’93, vol. 765, Springer, Heidelberg, Berlin, 1993, pp. 386–­397. keys is 2118.09. Because the selection of the secret key should 3. Z. Liu et al., New insights on linear cryptanalysis, Sci. China be random, the probability that these keys are used is 0.001. Inform. Sci. 63 (2020), no. 1, 112104. 4. A. Flórez-Gutiérrez­ and M. Naya-­Plasencia, Improving key-­ recovery in linear attacks: Application to 28-round­ present, 7 | CONCLUSIONS in Advances in Cryptology-EUROCRYPT­ 2020, vol. 12105, Springer, Cham, Switzerland, 2020, pp. 221–­249. Automatic search for the linear (hull) In this paper, we studied the security of the CRAFT block cipher 5. M. Huang and L. Wang, characteristics of arx ciphers: Applied to speck, sparx, chaskey, against side-channel­ cube attacks considering the Hamming and cham-­64, Secur. Commun. Netw. 2020 (2020), 1–­14. weight leakage assumption. In the preprocessing phase, we PANG and ABDUL-­LATIP | 351 6. Y. Igarashi, S. Nakazawa, and T. Kaneko, Differential cryptanaly- 27. B. Bilgin et al., FIDES: Lightweight authenticated cipher with sis of block cipher halka, Int. J. Inform. Electron. Eng. 10 (2020), side-­channel resistance for constrained hardware, in Proc. Int. no. 2, 40–­43. Workshop Cryptographic Hardw. Embedded Syst. (Santa Barbara, 7. H. Zhao et al., Milpbased differential cryptanalysis on round-­ CA, USA), Aug. 2013, pp. 142–­158. reduced midori64, IEEE Access 8 (2020), 95888–­95896. 28. A. Bogdanov and V. Rijmen, Linear hulls with correlation zero and 8. D. Brumley and D. Boneh, Remote timing attacks are practical, linear cryptanalysis of block ciphers, Des. Codes Crypt. 70 (2014), Comput. Netw. 48 (2005), no. 5, 701–­716. no. 3, 369–­383. 9. P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, in 29. M. Hellman, A cryptanalytic time-­memory trade-­off, IEEE Trans. Advances in Cryptology–CRYPTO­ ’99, vol. 1666, Springer, Inf. Theory 26 (1980), no. 4, 401–­406. Heidelberg, Berlin, 1999, pp. 388–­397. 30. L. Jiqiang et al., New impossible differential attacks on AES, in 10. P. Kocher et al., Introduction to differential power analysis, J. Proc. Int. Conf. Cryptol. (Kharagpur, India), Dec. 2008, pp. Cryptograph. Eng. 1 (2011), no. 1, 5–­27. 279–­293. 11. E. De Mulder et al., Differential electromagnetic attack on an 31. M. Liskov et al., Tweakable block ciphers, in Proc. Annu. Int. FPGA implementation of elliptic curve cryptosystems, in Proc. Cryptol. Conf. (Santa Barbara, CA, USA), Aug. 2002, pp. 31–­46. World Autom. Congress (Budapest, Hungary), July 2006, pp. 1–­6. 32. J. Daemen and V. Rijmen, The Design of Rijndael: The Advanced 12. O. Dunkelman et al., Single tweakey cryptanalysis of reduced-round­ Encryption Standard (AES), 2nd ed. Springer, Heidelberg, Berlin, skinny-64­ , in Cyber Security and Machine Learning, 2020. vol. 12161, Springer, Cham, Switzerland, 2020, pp. 1–­17. 33. I. Dinur and A. Shamir, Cube attacks on tweakable black box poly- 13. A. Bogdanov, D. Khovratovich, and C. Rechberger, Biclique crypt- nomials, in Proc. Annu. Int. Conf. Theory Applicat. Cryptographic analysis of the full AES, in Proc. Int. Conf. Theory Applicat. Cryptol. Techniques (Cologne, Germany), Apr. 2009, pp. 278–­299. Inf. Secur. (Seoul, Rep. of Korea), Dec. 2011, pp. 344–371.­ 34. I. Dinur and A. Shamir, Side channel cube attacks on block ciphers, 14. K. B. Jithendra and T. K. Shahana, New biclique cryptanalysis on IACR Cryptol. ePrint Archive 2009 (2009), 1–­15. fullround present-80­ block cipher, SN Comput. Sci. 1 (2020), no. 35. S. F. Abdul-­Latip et al., Extended cubes: Enhancing the cube at- 2, 1–­7. tack by extracting low-degree­ non-­linear equations, in Proc. ACM 15. B. Zhu, X. Dong, and Y. Hongbo, Milp-­based differential attack Symp. Inf., Comput. Commun. Security (Hong Kong), Mar. 2011, on round-­reduced GIFT, in Proc. Cryptogr. Track RSA Conf. (San pp. 296–­305. Francisco, CA, USA,), Mar. 2019, pp. 372–­390. 36. G. V. Bard et al., Algebraic, AIDA/cube and side channel analy- 16. R. Rohit, R. AlTawy, and G. Gong, Milp-­based cube attack on the sis of KATAN family of block ciphers, in Proc. Int. Conf. Cryptol. reduced-­round WG-5­ lightweight , in Proc. IMA Int. (Hyderabad, India), Dec. 2010, pp. 176–­196. Conf. Cryptogr. Coding (Oxford, UK), Dec. 2017, pp. 333–­351. 37. A. G. Buja, S. FaisalAbdul-­Latip, and R, Ahmad, A security anal- 17. Y. Xiao, J. Xin, and Y. Shen, CNN based electromagnetic side ysis of iot encryption: Side-channel­ cube attack on simeck32/64, channel attacks on SoC, MS&E 782 (2020), no. 3, e032055. arXiv preprint arXiv:1808.03557, 2018, pp. 79–­90. 18. F. Durvaux and M. Durvaux, SCA-­pitaya: A practical and afford- 38. X. Fan and G. Gong, On the security of hummingbird-­2 against able side-channel­ attack setup for power leakage–based­ evalua- side channel cube attacks, in Proc. Western Eur. Workshop Res. tions, Digital Threats Res. Pract. 1 (2020), no. 1, 1–­16. Cryptol. (Weimar, Germany), July. 2011, pp. 18–­29. 19. S. Saha et al., Fault template attacks on block ciphers exploiting 39. L. Yang, M. Wang, and S. Qiao, Side channel cube attack on pres- fault propagation, in Proc. Annu. Int. Conf. Theory Applicat. ent, in Cryptology and Network Security, vol. 5888, Springer, Cryptogr. Tech. (Zagreb, Croatia), May 2020, pp. 612–­643. Heidelberg, Berlin, 2009, pp. 379–­391. 20. M. Hell and O. Westman, Electromagnetic side-­channel attack on 40. X. Zhao et al., Efficient hamming weight-­based sidechannel cube AES using low-end­ equipment, ECTI Transac. Comput. Inform. attacks on present, J. Syst. Softw. 86 (2013), no. 3, 728–743.­ Technol. 14 (2020), no. 2, 139–148.­ 41. E. Aghaee et al., A practical iterative side channel cube attack on 21. J. Zhang et al., Power analysis attack on a lightweight block cipher aes-­128/256, J. Comput. Technol. Appl. 5 (2019), no. 3, 31–45.­ GIFT, in Proc. Int. Conf. Comput. Eng. Netw. (Changsha, China), 42. P. Saravanan and B. M. Mehtre, A novel approach to detect hard- Oct. 2019, pp. 565–­574. ware malware using hamming weight model and one class sup- 22. M. A. Orumiehchiha et al., A differential fault attack on the WG fam- port vector machine, in VLSI Design and Test, vol. 892, Springer, ily of stream ciphers, J. Cryptograph. Eng. 10 (2020), no. 2, 189–­195. Singapore, 2019, pp. 159–­172. 23. S. Bhasin et al., SITM: See-in-­ the-­ middle­ sidechannel assisted middle 43. E. de Chérisey et al., Best information is most successful, IACR round differential cryptanalysis on SPN block ciphers, IACR Transac. Transac. Cryptogr. Hardw. Embed. Syst. 2019 (2019) no. 2, 49–79.­ Cryptograph. Hardw. Embedded Syst. 2020 (2020) no. 1, 95–122.­ 44. Z. Li et al., Cube cryptanalysis of LBlock with noisy leakage, in 24. C. Beierle et al., CRAFT: Lightweight tweakable block cipher with Proc. Int. Conf. Inf. Security Cryptol. (Seoul, Rep. of Korea), Nov. efficient protection against DFA attacks, IACR Transac. Symmetr. 2012, pp. 141–­155. Cryptol. 2019 (2019), no. 1, 5–­45. 45. S. M. Del Pozo et al., Side-­channel attacks from static power: 25. G. Piret, T. Roche, and C. Carlet, PICARO—­A block cipher allow- When should we care?, in Proc. Design, Autom. Test Eur. Conf. ing efficient higher-­order side-­channel resistance, in Proc. Int. Conf. Exhibition (Grenoble, France), Apr. 2015, pp. 145–150.­ Appl. Cryptogr. Netw. Security (Singapore), June 2012, pp. 311–­328. 26. B. Gérard et al., Block ciphers that are easier to mask: How far can we go?, in Proc. Int. Workshop Cryptogr. Hardw. Embed. Syst. (Santa Barbara, CA, USA), Aug. 2013, pp. 383–­399. 352 | PANG and ABDUL-­LATIP AUTHOR BIOGRAPHIES

Kok-­An Pang is a Masters student at the Faculty of Information Technology and Communication, Universiti Teknikal Malaysia Melaka, Malaysia. He received Bachelor of Computer Science (Computer Network Security) with Honours from Universiti Sultan Zainal Abidin (UniSZA). His research interests include cryptography and cryptanalysis of cryptographic primitives.

Shekh Faisal Abdul-­Latip is cur- rently working at the Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka (UTeM). He re- ceived his PhD degree in 2012 from the University of Wollongong, Australia, in the field of Cryptography. Prior to his PhD studies, he obtained M.Sc in Information Security from the Royal Holloway, University of London in 2003. He obtained both B.Sc (Hons) in Computer Science (2000) and Diploma in Electronic Engineering (1994) from Universiti Teknologi Malaysia (UTM). His main research interest focuses on symmetric-key­ cryptography (ie, de- sign and cryptanalysis of block ciphers, stream ciphers, hash functions and MACs). He is currently a member of focus group and one of the evaluation panel experts for the MySEAL project, that is, a project to recommend a list of trusted cryptographic algorithms to be used by the public and private sectors in Malaysia. To promote new ideas and activities in cryptology related areas in Malaysia, he joint and became a member of executive committee for the Malaysian Society for Cryptology Research (MSCR). PANG and ABDUL-­LATIP | 353 APPENDIX A

CUBES AND SUPERPOLYS

TABLE A1 List of cubes and the corresponding superpolys TABLE A1 (Continued) ℛ considering the second Hamming weight bit from the LSB after 0 Cube Superpoly Cube Superpoly t57t59 k56 ⊕ k58 t t t k k k k k k k k k k k 0 1 60 2 ⊕ 2 62 ⊕ 2 63 ⊕ 2 61 62 ⊕ 2 62 63 t61t63 k60 ⊕ k62 t t t k k k k k k k k k k k 0 4 5 6 ⊕ 2 6 ⊕ 3 6 ⊕ 1 2 6 ⊕ 2 3 6 t0t1t5 k2 ⊕ k2k4k6 t t t k k k k k k k k k k k 4 5 8 6 ⊕ 6 10 ⊕ 6 11 ⊕ 6 9 10 ⊕ 6 10 11 t0t1t9 k2 ⊕ k2k8k10 t t t k k k k k k k k k k k 4 5 12 6 ⊕ 6 14 ⊕ 6 15 ⊕ 6 13 14 ⊕ 6 14 15 t0t1t13 k2 ⊕ k2k12k14 t t t k k k k k k k k k k k 4 5 16 6 ⊕ 6 18 ⊕ 6 19 ⊕ 6 17 18 ⊕ 6 18 19 t0t1t17 k2 ⊕ k2k16k18 t t t k k k k k k k k k k k 4 5 20 6 ⊕ 6 22 ⊕ 6 23 ⊕ 6 21 22 ⊕ 6 22 23 t0t1t21 k2 ⊕ k2k20k22 t t t k k k k k k k k k k 0 2 5 1 ⊕ 1 ⊕ 3 ⊕ 4 6 ⊕ 1 4 6 ⊕ 3 4 6 t0t1t25 k2 ⊕ k2k24k26 t t t k k k k k k k k k k 0 2 9 1 ⊕ 1 ⊕ 3 ⊕ 8 10 ⊕ 1 8 10 ⊕ 3 8 10 t0t1t29 k2 ⊕ k2k28k30 t t t k k k k k k k k k k 0 2 13 1 ⊕ 1 ⊕ 3 ⊕ 12 14 ⊕ 1 12 14 ⊕ 3 12 14 t0t1t33 k2 ⊕ k2k32k34 t t t k k k k k k k k k k 0 2 17 1 ⊕ 1 ⊕ 3 ⊕ 16 18 ⊕ 1 16 18 ⊕ 3 16 18 t0t1t37 k2 ⊕ k2k36k38 t t t k k k k k k k k k k 0 2 21 1 ⊕ 1 ⊕ 3 ⊕ 20 22 ⊕ 1 20 22 ⊕ 3 20 22 t0t1t41 k2 ⊕ k2k40k42 t t t k k k k k k k k k k 0 2 25 1 ⊕ 1 ⊕ 3 ⊕ 24 26 ⊕ 1 24 26 ⊕ 3 24 26 t0t1t45 k2 ⊕ k2k44k46 t t t k k k k k k k k k k 0 2 29 1 ⊕ 1 ⊕ 3 ⊕ 28 30 ⊕ 1 28 30 ⊕ 3 28 30 t0t1t49 k2 ⊕ k2k48k50 t t t k k k k k k k k k k 0 2 33 1 ⊕ 1 ⊕ 3 ⊕ 32 34 ⊕ 1 32 34 ⊕ 3 32 34 t0t1t53 k2 ⊕ k2k52k54 t t t k k k k k k k k k k 0 2 37 1 ⊕ 1 ⊕ 3 ⊕ 36 38 ⊕ 1 36 38 ⊕ 3 36 38 t0t1t57 k2 ⊕ k2k56k58 t t t k k k k k k k k k k 0 2 41 1 ⊕ 1 ⊕ 3 ⊕ 40 42 ⊕ 1 40 42 ⊕ 3 40 42 t0t1t61 k2 ⊕ k2k60k62 t t t k k k k k k k k k k 0 2 45 1 ⊕ 1 ⊕ 3 ⊕ 44 46 ⊕ 1 44 46 ⊕ 3 44 46 t1t4t5 k6 ⊕ k0k2k6 t t t k k k k k k k k k k 0 2 49 1 ⊕ 1 ⊕ 3 ⊕ 48 50 ⊕ 1 48 50 ⊕ 3 48 50 t4t5t9 k6 ⊕ k6k8k10 t t t k k k k k k k k k k 0 2 53 1 ⊕ 1 ⊕ 3 ⊕ 52 54 ⊕ 1 52 54 ⊕ 3 52 54 t4t5t13 k6 ⊕ k6k12k14 t t t k k k k k k k k k k 0 2 57 1 ⊕ 1 ⊕ 3 ⊕ 56 58 ⊕ 1 56 58 ⊕ 3 56 58 t4t5t17 k6 ⊕ k6k16k18 t t t k k k k k k k k k k 0 2 61 1 ⊕ 1 ⊕ 3 ⊕ 60 62 ⊕ 1 60 62 ⊕ 3 60 62 t0t1t4 k2 ⊕ k2k6 ⊕ k2k7 ⊕ k2k5k6 ⊕ k2k6k7 t t t k k k k k k k k k k 1 4 6 1 ⊕ 5 ⊕ 7 ⊕ 0 2 ⊕ 0 2 5 ⊕ 0 2 7 t0t1t8 k2 ⊕ k2k10 ⊕ k2k11 ⊕ k2k9k10 ⊕ k2k10k11 t t t k k k k k k k k k k 4 6 9 1 ⊕ 5 ⊕ 7 ⊕ 8 10 ⊕ 5 8 10 ⊕ 7 8 10 t0t1t12 k2 ⊕ k2k14 ⊕ k2k15 ⊕ k2k13k14 ⊕ k2k14k15 t t t k k k k k k k k k k 4 6 13 1 ⊕ 5 ⊕ 7 ⊕ 12 14 ⊕ 5 12 14 ⊕ 7 12 14 t0t1t16 k2 ⊕ k2k18 ⊕ k2k19 ⊕ k2k17k18 ⊕ k2k18k19 t t t k k k k k k k k k k 4 6 17 1 ⊕ 5 ⊕ 7 ⊕ 16 18 ⊕ 5 16 18 ⊕ 7 16 18 t0t1t20 k2 ⊕ k2k22 ⊕ k2k23 ⊕ k2k21k22 ⊕ k2k22k23 t t t k k k k k k k k k k 4 6 21 1 ⊕ 5 ⊕ 7 ⊕ 20 22 ⊕ 5 20 22 ⊕ 7 20 22 t0t1t24 k2 ⊕ k2k26 ⊕ k2k27 ⊕ k2k25k26 ⊕ k2k26k27 t t k k 1 3 0 ⊕ 2 t0t1t28 k2 ⊕ k2k30 ⊕ k2k31 ⊕ k2k29k30 ⊕ k2k30k31 t t k k 5 7 4 ⊕ 6 t0t1t32 k2 ⊕ k2k34 ⊕ k2k35 ⊕ k2k33k34 ⊕ k2k34k35 t t k k 9 11 8 ⊕ 10 t0t1t36 k2 ⊕ k2k38 ⊕ k2k39 ⊕ k2k37k38 ⊕ k2k38k39 t t k k 13 15 12 ⊕ 14 t0t1t40 k2 ⊕ k2k42 ⊕ k2k43 ⊕ k2k41k42 ⊕ k2k42k43 t t k k 17 19 16 ⊕ 18 t0t1t44 k2 ⊕ k2k46 ⊕ k2k47 ⊕ k2k45k46 ⊕ k2k46k47 t t k k 21 23 20 ⊕ 22 t0t1t48 k2 ⊕ k2k50 ⊕ k2k51 ⊕ k2k49k50 ⊕ k2k50k51 t t k k 25 27 24 ⊕ 26 t0t1t52 k2 ⊕ k2k54 ⊕ k2k55 ⊕ k2k53k54 ⊕ k2k54k55 t t k k 29 31 28 ⊕ 30 t0t1t56 k2 ⊕ k2k58 ⊕ k2k59 ⊕ k2k57k58 ⊕ k2k58k59

t33t35 k32 ⊕ k34

t37t39 k36 ⊕ k38

t41t43 k40 ⊕ k42

t45t47 k44 ⊕ k46

t49t51 k48 ⊕ k50

t53t55 k52 ⊕ k54

(Continues) 354 | PANG and ABDUL-­LATIP TABLE A2 List of cubes and the corresponding superpolys TABLE A2 (Continued) ℛ considering the second Hamming weight bit from the LSB after 1 Cube Superpoly Cube Superpoly t0t1t40 k66 ⊕ k66k106 ⊕ k66k107 ⊕ k66k105k106 ⊕ k66k106k107 t t k k 1 3 64 ⊕ 66 t0t1t44 k66 ⊕ k66k110 ⊕ k66k111 ⊕ k66k109k110 ⊕ k66k110k111 t t k k 5 7 68 ⊕ 70 t0t1t48 k66 ⊕ k66k114 ⊕ k66k115 ⊕ k66k113k114 ⊕ k66k114k115 t t k k 9 11 72 ⊕ 74 t0t1t52 k66 ⊕ k66k118 ⊕ k66k119 ⊕ k66k117k118 ⊕ k66k118k119 t t k k 13 15 76 ⊕ 78 t0t1t56 k66 ⊕ k66k122 ⊕ k66k123 ⊕ k66k121k122 ⊕ k66k122k123 t t k k 17 19 80 ⊕ 82 t0t1t60 k66 ⊕ k66k126 ⊕ k66k127 ⊕ k66k125k126 ⊕ k66k126k127 t t k k 21 23 84 ⊕ 86 t0t4t5 k70 ⊕ k66k70 ⊕ k67k70 ⊕ k65k66k70 ⊕ k66k67k70 t t k k 25 27 88 ⊕ 90 t4t5t8 k70 ⊕ k70k74 ⊕ k70k75 ⊕ k70k73k74 ⊕ k70k74k75 t t k k 29 31 92 ⊕ 94 t4t5t12 k70 ⊕ k70k78 ⊕ k70k79 ⊕ k70k77k78 ⊕ k70k78k79 t t k k 33 35 96 ⊕ 98 t4t5t16 k70 ⊕ k70k82 ⊕ k70k83 ⊕ k70k81k82 ⊕ k6k82k83 t t k k 37 39 100 ⊕ 102 t4t5t20 k70 ⊕ k70k86 ⊕ k70k87 ⊕ k70k85k86 ⊕ k70k86k87 t t k k 41 43 104 ⊕ 106 t0t2t5 1 ⊕ k65 ⊕ k67 ⊕ k68k70 ⊕ k65k68k70 ⊕ k67k68k70 t t k k 45 47 108 ⊕ 110 t0t2t9 1 ⊕ k65 ⊕ k67 ⊕ k72k74 ⊕ k65k72k74 ⊕ k67k72k74 t t k k 49 51 112 ⊕ 114 t0t2t13 1 ⊕ k65 ⊕ k67 ⊕ k76k78 ⊕ k65k76k78 ⊕ k67k76k78 t t k k 53 55 116 ⊕ 118 t0t2t17 1 ⊕ k65 ⊕ k67 ⊕ k80k82 ⊕ k65k80k82 ⊕ k67k80k82 t t k k 57 59 120 ⊕ 122 t0t2t21 1 ⊕ k65 ⊕ k67 ⊕ k84k86 ⊕ k65k84k86 ⊕ k67k84k86 t t k k 61 63 124 ⊕ 126 t0t2t25 1 ⊕ k65 ⊕ k67 ⊕ k88k90 ⊕ k65k88k90 ⊕ k67k88k90 t t t k k k k 0 1 5 66 ⊕ 66 68 70 t0t2t29 1 ⊕ k65 ⊕ k67 ⊕ k92k94 ⊕ k65k92k94 ⊕ k67k92k94 t t t k k k k 0 1 9 66 ⊕ 66 72 74 t0t2t33 1 ⊕ k65 ⊕ k67 ⊕ k96k98 ⊕ k65k96k98 ⊕ k67k96k98 t t t k k k k 0 1 13 66 ⊕ 66 76 78 t0t2t37 1 ⊕ k65 ⊕ k67 ⊕ k100k102 ⊕ k65k100k102 ⊕ k k k t0t1t17 k66 ⊕ k66k80k82 67 100 102 t t t k k k k k k k t0t1t21 k66 ⊕ k66k84k86 0 2 41 1 ⊕ 65 ⊕ 67 ⊕ 104 106 ⊕ 65 104 106 ⊕ k67k104k106 t0t1t25 k66 ⊕ k66k88k90 t0t2t45 1 ⊕ k65 ⊕ k67 ⊕ k108k110 ⊕ k65k108k110 ⊕ t0t1t29 k66 ⊕ k66k92k94 k67k108k110 t0t1t33 k66 ⊕ k66k96k98 t0t2t49 1 ⊕ k65 ⊕ k67 ⊕ k112k114 ⊕ k65k112k114 ⊕ t0t1t37 k66 ⊕ k66k100k102 k67k112k114 t0t1t41 k66 ⊕ k66k104k106 t0t2t53 1 ⊕ k65 ⊕ k67 ⊕ k116k118 ⊕ k65k116k118 ⊕ t t t k k k k 0 1 45 66 ⊕ 66 108 110 k67k116k118 t t t k k k k 0 1 49 66 ⊕ 66 112 114 t0t2t57 1 ⊕ k65 ⊕ k67 ⊕ k120k122 ⊕ k65k120k122 ⊕ k k k t0t1t53 k66 ⊕ k66k116k118 67 120 122 t t t k k k k k k k t0t1t57 k66 ⊕ k66k120k122 0 2 61 1 ⊕ 65 ⊕ 67 ⊕ 124 126 ⊕ 65 124 126 ⊕ k67k124k126 t1t4t5 k70 ⊕ k64k66k70 t1t4t6 1 ⊕ k69 ⊕ k71 ⊕ k64k66 ⊕ k64k66k69 ⊕ k64k66k71 t4t5t9 k70 ⊕ k70k72k74 t4t6t9 1 ⊕ k69 ⊕ k71 ⊕ k72k74 ⊕ k69k72k74 ⊕ k71k72k74 t4t5t13 k70 ⊕ k70k76k78 t4t6t13 1 ⊕ k69 ⊕ k71 ⊕ k76k78 ⊕ k69k76k78 ⊕ k71k76k78 t4t5t17 k70 ⊕ k70k80k82 t4t6t17 1 ⊕ k69 ⊕ k71 ⊕ k80k82 ⊕ k69k80k82 ⊕ k71k80k82 t0t1t4 k66 ⊕ k66k70 ⊕ k66k71 ⊕ k66k69k70 ⊕ k66k70k71

t0t1t8 k66 ⊕ k66k74 ⊕ k66k75 ⊕ k66k73k74 ⊕ k66k74k75

t0t1t12 k66 ⊕ k66k78 ⊕ k66k79 ⊕ k66k77k78 ⊕ k66k78k79

t0t1t16 k66 ⊕ k66k82 ⊕ k66k83 ⊕ k66k81k82 ⊕ k2k82k83

t0t1t20 k66 ⊕ k66k86 ⊕ k66k87 ⊕ k66k85k86 ⊕ k66k86k87

t0t1t24 k66 ⊕ k66k90 ⊕ k66k91 ⊕ k66k89k90 ⊕ k66k90k91

t0t1t28 k66 ⊕ k66k94 ⊕ k66k95 ⊕ k66k93k94 ⊕ k66k94k95

t0t1t32 k66 ⊕ k66k98 ⊕ k66k99 ⊕ k66k97k98 ⊕ k2k98k99

t0t1t36 k66 ⊕ k66k102 ⊕ k66k103 ⊕ k66k101k102 ⊕ k66k102k103

(Continues) PANG and ABDUL-­LATIP | 355 APPENDIX B

CHARACTERISTICS OF STRONGER SECRET KEYS

= 15 ⊕ , = 31 ⊕ , = 15 and = 31 TABLE B1 Characteristics of stronger secret keys, with a i = 0 k4i k4i+2 b i = 16 k4i k4i+2 c i = 0 k4i+2 d i = 16 k4i+2 ∑ � � ∑ � � ∑ � � ∑ � � a b c d Number of combinations 0 0 0 0 1·264 = 264 0 0 0 1 24·264 = 268 0 0 0 ≥2 216·264 = 280 0 0 1 0 24·264 = 268 0 0 1 1 24·24·264 = 272 0 0 1 ≥2 24·216·264 = 284 0 0 ≥2 0 216·264 = 280 0 0 ≥2 1 216·24·264 = 284 0 0 ≥2 ≥2 216·216·264 = 296 0 1 0 0 24·264 = 268 0 1 0 1 24·24·264 = 272 0 1 0 ≥2 24·216·264 = 284 0 1 1 0 24·24·264 = 272 0 1 1 1 24·24·24·264 = 276 0 1 1 ≥2 24·24·216·264 = 288 0 1 ≥2 0 24·216·264 = 284 0 1 ≥2 1 24·216·24·264 = 288 0 1 ≥2 ≥2 24·216·216·264 = 2100 0 ≥2 0 0 216·264 = 280 0 ≥2 0 1 216·24·264 = 284 0 ≥2 0 ≥2 216·216·264 = 296 0 ≥2 1 0 216·24·264 = 284 0 ≥2 1 1 216·24·24·264 = 288 0 ≥2 1 ≥2 216·24·216·264 = 2100 0 ≥2 ≥2 0 216·216·264 = 296 0 ≥2 ≥2 1 216·216·24·264 = 2100 0 ≥2 ≥2 ≥2 216·216·216·264 = 2112 1 0 0 0 24·264 = 268 1 0 0 1 24·24·264 = 272 1 0 0 ≥2 24·216·264 = 284 1 0 1 0 24·24·264 = 272 1 0 1 1 24·24·24·264 = 276 1 0 1 ≥2 24·24·216·264 = 288 1 0 ≥2 0 24·216·264 = 284 1 0 ≥2 1 24·216·24·264 = 288 1 0 ≥2 ≥2 24·216·216·264 = 2100 1 1 0 0 24·24·264 = 272 1 1 0 1 24·24·24·264 = 276 1 1 0 ≥2 24·24·216·264 = 288 1 1 1 0 24·24·24·264 = 276 1 1 1 1 24·24·24·24·264 = 280 (Continues) 356 | PANG and ABDUL-­LATIP TABLE B1 (Continued)

a b c d Number of combinations 1 1 1 ≥2 24·24·24·216·264 = 292 1 1 ≥2 0 24·24·216·264 = 288 1 1 ≥2 1 24·24·216·24·264 = 292 1 1 ≥2 ≥2 24·24·216·216·264 = 2104 1 ≥2 0 0 24·216·264 = 284 1 ≥2 0 1 24·216·24·264 = 288 1 ≥2 0 ≥2 24·216·216·264 = 2100 1 ≥2 1 0 24·216·24·264 = 288 1 ≥2 1 1 24·216·24·24·264 = 292 1 ≥2 1 ≥2 24·216·24·216·264 = 2104 1 ≥2 ≥2 0 24·216·216·264 = 2100 1 ≥2 ≥2 1 24·216·216·24·264 = 2104 1 ≥2 ≥2 ≥2 24·216·216·216·264 = 2116 ≥2 0 0 0 216·264 = 280 ≥2 0 0 1 216·24·264 = 284 ≥2 0 0 ≥2 216·216·264 = 296 ≥2 0 1 0 216·24·264 = 284 ≥2 0 1 1 216·24·24·264 = 288 ≥2 0 1 ≥2 216·24·216·264 = 2100 ≥2 0 ≥2 0 216·216·264 = 296 ≥2 0 ≥2 1 216·216·24·264 = 2100 ≥2 0 ≥2 ≥2 216·216·216·264 = 2112 ≥2 1 0 0 216·24·264 = 284 ≥2 1 0 1 216·24·24·264 = 288 ≥2 1 0 ≥2 216·24·216·264 = 2100 ≥2 1 1 0 216·24·24·264 = 288 ≥2 1 1 1 216·24·24·24·264 = 292 ≥2 1 1 ≥2 216·24·24·216·264 = 2104 ≥2 1 ≥2 0 216·24·216·264 = 2100 ≥2 1 ≥2 1 216·24·216·24·264 = 2104 ≥2 1 ≥2 ≥2 216·24·216·216·264 = 2116 ≥2 ≥2 0 0 216·216·264 = 296 ≥2 ≥2 0 1 216·216·24·2@64 = 2@100 ≥2 ≥2 0 ≥2 216·216·216·264 = 2112 ≥2 ≥2 1 0 216·216·24·264 = 2100 ≥2 ≥2 1 1 216·216·24·24·264 = 2104 ≥2 ≥2 1 ≥2 216·216·24·216·264 = 2116 ≥2 ≥2 ≥2 0 216·216·216·264 = 2112 ≥2 ≥2 ≥2 1 216·216·216·24·264 = 2116