Differential cryptanalysis of full-round ANU-II ultra-lightweight block cipher

Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by the designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify a one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting a key recovery attack on full-round ANU-II with only $2^2$ chosen plaintexts and $2^{62.4}$ full-round encryptions. The result shows that the designers' security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.


Introduction
With the rapid development of 5G technology and networks, the demand for Internet of Things (IoT) devices is constantly increasing in daily life. The information exchange between IoT devices is commonly performed through embedded encryption algorithms for the purposes of providing secure data transmission, device authentication and other sensitive services. A majority of IoT devices (especially sensors and microcontrollers) implement, as their encryption algorithm, a class of lightweight block ciphers that are designed to operate under certain power, memory and/or computation constraints. 1 In general, this family of ciphers is characterized by a low hardware implementation cost and low power consumption, while at the same time providing sufficient security margins in sensitive applications. On the other hand, for applications without the mentioned limitations, traditionally designed encryption algorithms (e.g. the advanced encryption standard (AES)) generally have lower computing efficiency due to their robust design rationales.
Being more suitable for use in restrained environments, lightweight block ciphers have attracted much attention from the cryptographic community. To date, numerous lightweight block ciphers have emerged during the last decade, including PRESENT 2 that uses a substitution permutation network (SPN), the LBlock 3 cipher implementing the Feistel network, Simon and Speck 4 having highly efficient (fast) software and hardware implementations, and RECTANGLE 5 using the so-called bit-slice technique.
Differential cryptanalysis 6 is one of the earliest generic cryptanalytic tools (along with linear cryptanalysis) applicable to block ciphers. This technique is currently well understood, and for testing the resistance of ciphers against differential cryptanalysis the following approach is commonly applied. First, lower bounds on the number of active substitution boxes (S-boxes) are estimated, and then a propagating differential characteristic with as high a probability as possible needs to be specified. However, the computational complexity of specifying optimal differential paths (involving a few active S-boxes and holding with a high probability) grows exponentially with the number of rounds, which motivates the use of dedicated search algorithms that may identify optimal solutions.
The use of mixed-integer linear programming (MILP) techniques for this purpose has been quite a common method during the last decade. In 2011, lower bounds on the number of active S-boxes for Enocoro128v2 and AES were obtained by Mouha et al. 7 using MILP-based models. This approach is, however, only applicable to byte-oriented block ciphers. To fill this gap, Sun et al. 8 extended the byte-oriented MILP model to bit-oriented block ciphers for the purpose of searching for lower bounds on active S-boxes and good (having a high probability) differential characteristics. Also, in the work of Sun et al., 8 a heuristic search algorithm for finding the best differential characteristic was proposed. Later, automated MILP-based search algorithms have been widely used to evaluate the security of block ciphers with quite outstanding results. Fu et al. 9 applied MILP-based techniques to ARX ciphers, where a search for good differential characteristics and linear approximations of the SPECK block cipher was also addressed. Abdelkhalek et al. 10 further developed the MILP modelling for (large) S-boxes to optimize the probability of differential characteristics. In addition, Sadeghi et al. 11 presented zero-correlation linear approximations and related-tweakey impossible differential characteristics for the block cipher SKINNY. Zhou et al. 12 greatly improved the efficiency of MILP-based search algorithms by embedding the divide-and-conquer idea into the MILP model. In Crypto 2020, 13 a novel MILP model capable of handling simultaneously the propagation of differentials and their values was developed. In FSE 2021, 14 a suitable MILP model for finding more efficient distinguishers that cover more encryption rounds was introduced.
ANU is an ultra-lightweight block cipher proposed by Bansod et al. 15 However, the full-round ANU cipher was broken by Sasaki 16 using a related-key boomerang attack. ANU-II is an improved version of ANU proposed by Dahiphale et al., 17 which is superior to ANU in terms of memory, latency, throughput and power consumption. However, in 2020, Wang et al. 18 conducted an eight-round integral attack on ANU-II (designed for 25 encryption rounds) and mounted a key recovery attack using $2^{60}$ chosen plaintexts. The designers claimed that ANU-II achieves good resistance against differential cryptanalysis by investigating the differential properties of a round-reduced version of ANU-II. In this article, we show that the designers' statement about good resistance against differential cryptanalysis is incorrect and that the current design of ANU-II contains serious security flaws.

Our contributions
We investigate the security of ANU-II and the main contributions are summarized as follows:
1. First, we construct an accurate MILP model for specifying exact lower bounds on the number of active S-boxes for ANU-II. Most notably and quite surprisingly, this model identifies an interesting property: the lower bound on the minimum number of active S-boxes of any round always equals zero.
2. Then, by observing the input and output of each round, we unexpectedly (disproving the claims made by the designers) find a one-round iterative differential characteristic with probability 1.
3. Consequently, by repeatedly applying the found one-round differential characteristic, we mount a key recovery attack on the full-round ANU-II (consisting of 25 encryption rounds), which shows that the design has severe security flaws.
4. Finally, we propose an improved variant of ANU-II with the same hardware and software implementation expenses as the original cipher. Compared to the actual design, this variant is much more robust against differential cryptanalysis.
The summary of our main results and the previous works is shown in Table 1.

Organization
The article is arranged as follows. In the 'Preliminaries' section, we introduce some basic notation and give a description of the ultra-lightweight block cipher ANU-II. A MILP-based differential search model for the minimal number of active S-boxes is given in the 'Bit-oriented MILP model for differential analysis' section. In the 'Differential cryptanalysis of ANU-II' section, a one-round iterative differential characteristic with probability 1 for ANU-II is specified, along with its application to the full-round key recovery attack. In the 'An efficient modification of ANU-II' section, we propose a new modified variant of ANU-II and estimate its resistance against differential cryptanalysis. Some concluding remarks are given in the 'Conclusion' section.

Notations
The following notation is used throughout the article:
$P$: 64-bit input plaintext
$P^r_L$: 32-bit input for the left branch of the $r$th round
$P^r_R$: 32-bit input for the right branch of the $r$th round
$P^{r+1}_L$: 32-bit output for the left branch of the $r$th round
$P^{r+1}_R$: 32-bit output for the right branch of the $r$th round
$C$: 64-bit output ciphertext
$\Delta C^r_i$: $i$th bit of the $r$th round ciphertext pairs' difference ($0 \le i \le 127$)
$RC_r$: $r$th round constant
$n$: block size of the cipher
$w$: the input size of the S-box
$v$: the output size of the S-box
$r$: iterative rounds ($0 \le r \le 24$)
$K$: 128-bit master key
$K^{(r)}$: $r$th round subkey
$K^{(r)}_1$: bits 0-31 of $K^{(r)}$
$K^{(r)}_2$: bits 32-63 of $K^{(r)}$
$K^{(r)}(i)$: $i$th bit of the $r$th round subkey ($0 \le i \le 63$)
$\oplus$: XOR
$\|$: concatenation
$\lll n$: rotation to the left by $n$ bits
$\ggg n$: rotation to the right by $n$ bits

The description of ANU-II
ANU-II is an ultra-lightweight block cipher with a 64-bit block size and an 80/128-bit key size. ANU-II belongs to the family of Feistel networks and iterates 25 encryption rounds. We mainly focus on the variant of ANU-II that uses a 128-bit master key. Let the left- and right-branch inputs of the $r$th round be denoted as $P^r_L$ and $P^r_R$, respectively, and the corresponding outputs as $P^{r+1}_L$ and $P^{r+1}_R$. The round function is shown in Figure 1.
There are four operations used in the round function: SubBox, AddRoundKey, Rotation and XOR. Among these, the operation SubBox is the only nonlinear component and it employs eight S-boxes of size $4 \times 4$ in parallel.

Key schedule
When the master key is of length 128 bits, the key schedule extracts a 64-bit key and XORs it with the intermediate encryption state. The first-round subkey is equal to the master key, and the update process for deriving round subkeys is as follows:
1. Rotation to the left by 13 bits.
2. Applying the S-box operation.
3. Applying the S-box and XOR with a round constant.
Note that the S-box in the above key schedule still uses the description in Table 2, and the value of $RC_r$ equals $r$ for the $r$th encryption round.

Figure 1. The round function of ANU-II.
Bit-oriented MILP model for differential analysis
MILP is a type of integer linear programming, especially suitable for solving optimization problems. Its goal is to minimize or maximize the value of the objective function under certain linear constraints. At the moment, commercial software such as in Sun et al. 19 is usually used to solve such optimization problems. In this section, we introduce a bit-oriented MILP model for searching for the exact lower bounds on active S-boxes with respect to the propagation of differentials, and for the best differential characteristics in the single-key model.

Searching for the exact lower bounds of active S-boxes
To identify which S-boxes are active when specific differentials pass through the intermediate states of a given block cipher, we recall the following notation.
Definition 1. Let $X$ and $X^*$ be two binary strings of length $n$. 19 The difference between $X$ and $X^*$ is defined as
Definition 2. Let $N_t$ ($t \in [0, n/w - 1]$) be a binary indicator that specifies whether the $t$th S-box is active or not, given as 19
Next, we explain how to model the diverse operations: SubBox, XOR, and the linear layer operation.
SubBox. Assume that $x = (x_0, x_1, \ldots, x_{w-1})$ and $y = (y_0, y_1, \ldots, y_{v-1})$ are the input and output differences, respectively, of a $w \times v$ S-box $N_t$. Then, $N_t = 1$ holds if and only if $(x_0, x_1, \ldots, x_{w-1})$ is not the all-zero vector, which leads to the following linear inequalities
In addition, we need to consider the propagation of differential values through an (active) S-box. Using the H-representation of the convex hull (a polyhedron obtained by restricting the Euclidean space through linear (in)equalities), we transform the propagation of possible differences of an S-box into inequality constraints.
and $v$ are the input and output size of the S-box, respectively) is a $q$-dimensional possible differential pattern. Then, the induced inequalities, of cardinality $m$ say, can be expressed as follows
Table 2. S-box of ANU-II.
where $a_{i,j}$ are binary coefficients generated by SageMath. 20 For instance, let $x = (x_0, x_1, x_2, x_3) = 1001$, $y = (y_0, y_1, y_2, y_3) = 1100$ denote the input and output differences of a $4 \times 4$ S-box. Assuming that $(1001) \rightarrow (1101)$ is a possible propagation (it occurs with non-zero probability), we express this propagation as an eight-dimensional tuple $(10011101)$. Then, we utilize the SageMath software that calls the inequality-generator function in the package sage.geometry.polyhedron. The Sage code is given in Figure 2.
Similarly, we can convert all possible differential propagation patterns into inequalities in accordance to the differential distribution table (DDT) given in Appendix 1 for the S-box of ANU-II. SageMath is generally used to transform possible differential patterns into a large number of linear inequalities.
When this phase is completed, some redundant inequalities need to be excluded. To achieve this, two methods are commonly used: the greedy algorithm by Sun et al., 19 whose removal of redundant inequalities is not optimal, and the MILP-reduced algorithm introduced by Sasaki and Todo. 21 The latter algorithm is preferred in this article since it appears to be more efficient in removing redundant inequalities than the greedy algorithm.
XOR. Let $a \oplus b = c$, where $a$, $b$ and $c$ represent a single bit. Then, the following constraints can be derived
where $d$ is a dummy variable with value in $\{0, 1\}$.
Linear operation. For ciphers that employ the Feistel network, the rotation and branch swapping are both included when modelling the linear layer operation.
These operations can be efficiently described by linear equalities. To clarify this, we consider the right (cyclic) rotation of ANU-II as an example. Suppose the input is $y = (y_{31}, \ldots, y_0)$ and that $z = (z_{31}, \ldots, z_0)$ denotes the output after rotation to the right by 3 bits. The following constraints are then easily deduced
An initial constraint. The inequality $x_0 + x_1 + \cdots + x_{n-1} \ge 1$ needs to be introduced to ensure that the initial input differential is non-zero. Here, $n$ denotes the block size of the cipher.
The objective function. The $r$-round objective function, minimizing the number of active S-boxes, is set as (with $w$ indicating the input size of an S-box)
$$\min \sum_{j=0}^{r-1} \sum_{t=0}^{n/w-1} N^j_t$$
where $N^j_t$ indicates whether the $t$th S-box in the $j$th encryption round is active or not.

Searching for the best differential characteristic
To find the best differential characteristic, we encode the probability information for the possible differential patterns of an S-box. Except for the non-linear SubBox operation, the constraints induced by the XOR and Rotation operations are the same as described in the 'Searching for the exact lower bounds of active S-boxes' section.
The MILP-reduced algorithm is then applied to remove redundant inequalities.
The objective function. Since equation (7) only describes the probabilities of differentials of a single S-box, we need to introduce additional notation to refer to the different S-boxes used. Using $t \in [0, n/w - 1]$ to indicate the $t$th S-box in each round, we derive the following conditions
where the integer representation 0, 2 and 3 of the binary tuple $(p_{t,0}, p_{t,1})$ on the right of equation (8) is exactly of the opposite sign compared to the exponents in equation (7). Since a product of probabilities expressed as $p_i = 2^{a_i}$ (treating different S-boxes as independent events) corresponds to the addition of the exponents $a_i$ (with $a_i \le 0$), it is natural to model the probability of differential characteristics of the $j$th round as $\sum_{t=0}^{n/w-1} (p^j_{t,0} + 2p^j_{t,1})$, which takes into account all the S-boxes in the $j$th round; the superscript $j$ in $p^j_{t,i}$ refers to the $j$th round as well. Then, $p = \sum_{j=0}^{r-1} \sum_{t=0}^{n/w-1} (p^j_{t,0} + 2p^j_{t,1})$ contains the information about the probability of differential characteristics for $r$ encryption rounds. It is well known that a random permutation induces a uniform probability distribution of differentials, each being $2^{-n}$ (for a block cipher of size $n$), and therefore we need a differential characteristic with probability $2^{-p} \gg 2^{-n}$. Thus, encoding the probability information of differential characteristics as above, our goal is to minimize the exponent $p$. Therefore, the objective function for $r$ encryption rounds is set as
$$\min \; p = \sum_{j=0}^{r-1} \sum_{t=0}^{n/w-1} \left(p^j_{t,0} + 2p^j_{t,1}\right)$$
An initial constraint. We need to add the inequality $x_0 + x_1 + \cdots + x_{n-1} \ge 1$ to ensure that the initial input differential is non-zero, as otherwise the MILP solver would return 0 as an optimal solution.
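The two preceding steps, turning an S-box's DDT into the set of $(w+v)$-bit differential patterns that are fed to the inequality generator, and encoding each pattern's probability as the tuple $(p_{t,0}, p_{t,1})$ with $p_{t,0} + 2p_{t,1}$ equal to the exponent 0, 2 or 3, are shown below as an added example in plain Python; it is not the authors' Sage code from Figure 2. The ANU-II S-box table is not reproduced in this text, so the PRESENT S-box is used as a stand-in, and the convex-hull step (sage.geometry.polyhedron) is not reproduced.

```python
from itertools import product
from math import log2

# Stand-in 4x4 S-box (the PRESENT S-box); the ANU-II S-box of Table 2 is
# not available here, so the counts below are specific to this stand-in.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
W = V = 4  # input and output size of the S-box in bits


def ddt(sbox):
    """Differential distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def bits(value, width):
    """MSB-first bit tuple, e.g. bits(0b1001, 4) -> (1, 0, 0, 1)."""
    return tuple((value >> (width - 1 - i)) & 1 for i in range(width))


def weight_encoding(count, n_inputs=2 ** W):
    """Map a DDT count to the binary tuple (p0, p1) with p0 + 2*p1 = -log2(count/2^w).
    For a 4x4 S-box the counts 16, 4, 2 give exponents 0, 2, 3 -> (0,0), (0,1), (1,1).
    Any other count has no two-bit encoding of this form and is rejected."""
    exponent = int(round(-log2(count / n_inputs)))
    try:
        return {0: (0, 0), 2: (0, 1), 3: (1, 1)}[exponent]
    except KeyError:
        raise ValueError(f"DDT count {count} has no (p0, p1) encoding") from None


def differential_patterns(sbox):
    """All possible propagations dx -> dy as (w+v)-bit tuples, e.g. (1001)->(1101)
    becomes (1,0,0,1,1,1,0,1), each mapped to its (p0, p1) weight tuple."""
    table = ddt(sbox)
    patterns = {}
    for dx, dy in product(range(2 ** W), range(2 ** V)):
        if table[dx][dy]:
            patterns[bits(dx, W) + bits(dy, V)] = weight_encoding(table[dx][dy])
    return patterns


def active_sbox_constraints_hold(x, n_t):
    """Linear constraints tying the indicator N_t to the input difference bits:
    N_t >= x_i for every i, and x_0 + ... + x_{w-1} >= N_t. Together they force
    N_t = 1 exactly when x is not the all-zero vector."""
    return all(n_t >= xi for xi in x) and sum(x) >= n_t


def round_weight(transitions, sbox=SBOX):
    """Sum of p0 + 2*p1 over the S-boxes of one round (independent S-boxes
    assumed); 2^-weight is the probability of that round's differential.
    Raises ValueError if some transition is impossible (DDT entry 0)."""
    patterns = differential_patterns(sbox)
    total = 0
    for dx, dy in transitions:
        key = bits(dx, W) + bits(dy, V)
        if key not in patterns:
            raise ValueError(f"impossible transition {dx:#x} -> {dy:#x}")
        p0, p1 = patterns[key]
        total += p0 + 2 * p1
    return total


if __name__ == "__main__":
    pats = differential_patterns(SBOX)
    print(f"{len(pats)} possible differential patterns for the stand-in S-box")
    print("round weight for transitions 1->7, 3->1, 0->0:", round_weight([(1, 7), (3, 1), (0, 0)]))
```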

Differential cryptanalysis of ANU-II
In this section, we first establish an MILP model that specifically searches for lower bounds on the number of active S-boxes for ANU-II. Then, again using our MILP model, we specify a single-round differential characteristic that holds with probability one. Finally, we mount a key recovery attack on the full-round ANU-II that only requires $2^2$ chosen plaintexts and $2^{62.4}$ full-round encryptions.

The exact lower bounds of the number of differential active S-boxes of ANU-II
In the single-key setting, the linear constraints discussed previously include SubBox, XOR, rotation and the initial constraint. Assume that the 64-bit input difference is $(x_{63}, \ldots, x_0)$, where $x_0$ is the least significant bit (LSB). More precisely, the input difference of the left branch is represented as $(x_{63}, \ldots, x_{32})$, and that of the right branch as $(x_{31}, \ldots, x_0)$. The corresponding MILP model for the ANU-II cipher is then built using the methods described in the 'Searching for the exact lower bounds of active S-boxes' section.
SubBox. ANU-II employs the Feistel network and uses eight S-boxes of size $4 \times 4$. For each of the eight S-boxes of ANU-II, there are 97 possible differential patterns according to the DDT shown in Appendix 1.

Iterated differential characteristic
The above result on the lower bound on the number of active S-boxes (being 0) initiated a careful investigation of the design rationale of ANU-II, which then resulted in the identification of an iterative differential characteristic that holds with probability 1, as shown in Figure 3. This differential characteristic holds with probability 1 because active bits only appear on the right-hand side (in total 32 bits) and the corresponding S-boxes are not active.

Key recovery attack on full-round ANU-II
Employing the iterative differential characteristic of a single round found in the 'Iterated differential characteristic' section, one can construct a full-round differential characteristic by iterating the single-round differential 25 times, as described in Figure 4. We use '1' and '0' to denote active and inactive bits, respectively.

Table 3. Lower bounds on the number of active S-boxes for ANU-II (columns: Rounds; Dahiphale et al. 17; This article).

Let now the subkeys of the 25 rounds of ANU-II be denoted as $K^{(0)}, \ldots, K^{(24)}$, where additionally $K^{(r)} = K^{(r)}_2 \| K^{(r)}_1$ for 32-bit halves $K^{(r)}_1$ and $K^{(r)}_2$. The differential attack on 25-round ANU-II is now described; it heavily relies on some interesting relationships between the subkeys used in the last two encryption rounds. Here, $RC_r$ is the round constant and the notation $K^{(r)}_j(k;l)$ generally means that the key bits involved range from the $k$th to the $l$th position.
The attack consists of the following four steps:
1. Select $2^m$ plaintext pairs where the difference of each pair is the same, $\Delta P = P \oplus P' = (\Delta L^0 \| \Delta R^0)$. The values of $\Delta L^0$ and $\Delta R^0$ are shown in Figure 4.
2. Since the 25-round differential characteristic holds with probability 1, having the input difference $\Delta P$ from Step 1 implies that the output difference must be $\Delta C^{25} = C \oplus C' = (\Delta L^{25} \| \Delta R^{25})$. The values of $\Delta L^{25}$ and $\Delta R^{25}$ are shown in Figure 4. Therefore, no filtering process needs to be involved.
3. We now consider the totality of 96 key bits relevant to our attack, more precisely the 64 bits of the subkey $(K^{(24)}_2, K^{(24)}_1)$ used in the 25th round and the 32 bits of the subkey $K^{(23)}_2$ used in the 24th round. Note that Step 3(b) is executed after Step 3(a) has been completed. For each plaintext pair selected in Step 1, we execute the following process: (… $\ggg 3$) $\oplus \Delta R^{25} \oplus K^{(24)}_1$. If the output difference at round 24, $(\Delta L^{24}, \Delta R^{24})$, equals $(0, \ldots, 0, 1, \ldots, 1)$, as shown in Figure 4, increment the corresponding counter. Due to a large signal-to-noise ratio, only a few plaintext pairs are sufficient to extract these 64 bits; see the discussion on data complexity below.
4. Output the guessed 96-bit subkey $K^{(24)}_1$, $K^{(24)}_2$ and $K^{(23)}_2$ as the correct subkeys.
Data complexity. We utilize the signal-to-noise ratio $S/N = (2^k \times p)/(a \times b)$, introduced by Biham and Shamir, 6 to determine the number of plaintext pairs, where $k$ is the number of key bits guessed in the analysis, $p$ is the probability of the differential characteristic, $a$ is the average number of keys suggested by a pair and $b$ is the ratio between the pairs that are not discarded and the total number of pairs. Since we are guessing 96 bits of the two subkeys and the probability of the differential characteristic is 1 (also implying that there is no additional filtering), we get $S/N = 2^{96} \times 1/(1 \times 1) = 2^{96}$ (as $a = b = p = 1$). This implies that only a few plaintext pairs are enough for a successful differential attack according to Biham and Shamir. 6 Therefore, we select the number of plaintext pairs to be $2^m = 4 \times p^{-1} = 4$, which is also the data complexity of our attack.
Time complexity. The time complexity of the attack is clearly dominated by Step 3(a), which is executed first. In particular, Step 3(a) requires about $2 \times 4 \times 2^{64} = 2^{67}$ one-round decryptions. Note that in Step 3(b), 19 bits of the guessed 32-bit key are related to $K^{(24)}$ (according to property 1), and therefore these 96 bits of subkeys essentially give 77 subkey bits. Finally, we go through the exhaustive search over the remaining 51 bits. Therefore, the total time complexity is $2^{67} \times 1/25 + 2^{51} \approx 2^{62.4}$ full-round encryptions, where the factor $1/25$ simply reflects that we perform a one-round partial decryption.

An efficient modification of ANU-II
The experimental results confirm that the designers' security evaluation of ANU-II against differential cryptanalysis is incorrect and the design is essentially flawed. The main reason for this is that suitable differences cancel each other out in the right branch (consequently, there is a differential characteristic that holds with probability 1). Therefore, we provide an improved variant of ANU-II, given in Figure 5, which avoids this problem (modifying slightly the internal structure) and additionally has the best resistance to differential cryptanalysis without changing the hardware and software implementation cost. The minimum number of active S-boxes of the proposed variant of ANU-II is listed in Table 4.
XOR and linear operation. Similar to the method described in the 'Searching for the exact lower bounds of active S-boxes' section.
An initial constraint. $x_0 + \cdots + x_{63} \ge 1$.
Objective function. $\min \sum_{j=0}^{r-1} \sum_{t=0}^{7} \left(p^j_{t,0} + 2p^j_{t,1}\right)$.
At this point, all inequality constraints have been specified and our MILP model can search for the best differential characteristics. The experimental results are shown in Table 5, where clearly the situation is now quite different compared to the original design.

Conclusion
In this article, we have successfully applied standard differential cryptanalysis to the full-round ANU-II block cipher. Due to the design flaw, a differential characteristic that holds with probability 1 could be identified for the entire cipher, which then leads to an efficient attack that uses a few plaintext pairs and $2^{62.4}$ full-round encryptions. It appears that the internal structure within the Feistel network is responsible for this security issue, and we propose a simple modification of the internal structure (without changing the hardware and software implementation cost), which efficiently protects the cipher from this kind of attack. This is also illustrated by applying our MILP model to the modified variant of ANU-II, where the best differential characteristic (for five-round reduced ANU-II) holds with a much smaller probability than one.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.

Table 5. The six-round best differential characteristic of our variant of ANU-II.