Zero-correlation attacks on tweakable block ciphers with linear tweakey

The design and analysis of dedicated tweakable block ciphers is a quite recent and very active research field that provides an ongoing stream of new insights. For instance, results of Kranz, Leander, and Wiemer from FSE 2017 show that the addition of a tweak using a linear tweak schedule does not introduce new linear characteristics. In this paper, we consider – to the best of our knowledge – for the first time the effect of the tweak on zero-correlation linear cryptanalysis for ciphers that have a linear tweak schedule. It turns out that the tweak can often be used to get zero-correlation linear hulls covering more rounds compared to just searching zero-correlation linear hulls on the data-path of a cipher. Moreover, this also implies the existence of integral distinguishers on the same number of rounds. We have applied our technique on round-reduced versions of Qarma, Mantis, and Skinny. As a result, we can present – to the best of our knowledge – the best attack (with respect to number of rounds) on a round-reduced variant of Qarma.


Introduction
Tweakable block ciphers are constructions which have, compared to traditional block ciphers, an additional input called tweak. Ideally, each different choice of the tweak produces a different instance of a block cipher. This concept has first been introduced by Schroeppel in the Hasty pudding cipher [Sch98] and was formally treated by Liskov, Rivest and Wagner [LRW02, LRW11]. The concept of tweakable block ciphers allows for very clean modes of operation for authenticated encryption like ΘCB3 [KR11] or Counter-in-Tweak [PS16]. When using such a mode, one faces two choices: either use a construction that takes an ordinary block cipher as building block to build a tweakable block cipher [KR11, LST12, Men15, WGZ+16], or use a dedicated tweakable block cipher [JNP14, BJK+16, Ava17].
One can expect that designing a tweakable block cipher from scratch results in more efficient designs than reusing a block cipher to create a tweakable block cipher. However, when designing dedicated tweakable block ciphers, it has to be kept in mind that the tweak is an additional publicly known input, which can potentially be influenced by an attacker. This leads to a new challenge in the analysis of such schemes, since in a chosen plaintext/related tweak model, the extra input provides additional freedom for the attacker. This freedom can be exploited in attacks. The most self-evident attack vector that is influenced by the tweak is differential cryptanalysis [BS91]. By introducing differences in the tweak, the attacker is able to introduce differences in-between rounds, which typically leads to longer differential characteristics that hold with a good probability. Naturally, this increases the number of rounds that can be covered in a key-recovery attack.
Besides this, there is a constant evaluation of known attack vectors on tweakable block ciphers that exploit the tweak. Examples are boomerang attacks [CHP+17, DL17], meet-in-the-middle attacks [TAY16], impossible differential attacks [DL17, Sas18] and integral attacks [DEM16]. A positive result with respect to the security of tweakable block ciphers is that the addition of a tweak, using a linear tweak schedule, does not require additional considerations with respect to linear cryptanalysis [KLW17].
Research Gap and Contribution. Attacks on dedicated tweakable block ciphers exploit the additional freedom introduced by the tweak to extend a distinguisher in the data-path of a cipher. In this work, we follow this general idea to derive distinguishers not only on the data-path but also by considering the tweak schedule, which can be used to improve the attacks. In particular, we exploit zero-correlation linear hulls [BW12, BR14] on the data-path plus tweak. The fact that a lot of state-of-the-art tweakable block cipher constructions not only use a tweak schedule that is linear, but also have very limited diffusion in the tweak bits, becomes an advantage for an attacker. This allows us to search for zero-correlation linear hulls with the help of the miss-in-the-middle approach. In our attacks the miss (contradiction) occurs within the tweak schedule.
These zero-correlation linear hulls typically cover more rounds than zero-correlation linear hulls that only consider the data-path. Next to that, the relation between zero-correlation and integral distinguishers [SLR+15, BLNW12] allows us to observe an integral property in the data-path. This property can then be exploited in key-recovery attacks.
In this paper, we first examine the effects of zero-correlation linear cryptanalysis on tweakable block ciphers having a linear tweak schedule. We focus on the implications for tweakable block ciphers following the Superposition Tweakey (STK) construction [JNP14]. After that, we give examples of zero-correlation linear hulls for three dedicated tweakable block ciphers: Qarma [Ava17], Mantis [BJK+16] and Skinny [BJK+16]. As shown in Table 1, the newly acquired distinguishers allow for attacks covering more rounds compared to previous attacks in the case of round-reduced Qarma [Ava17]. Qarma is the tweakable block cipher used for pointer authentication in some ARM processors [Qua17].
Note that some of the attacks shown in Table 1 require more than 2^n data for an n-bit block size. In contrast to standard block ciphers, where 2^n is the natural limit per key (i.e. the full codebook is reached), tweakable block ciphers allow gathering 2^n data per tweak and hence a total of 2^(n+t) data can be collected considering a t-bit tweak. Our attacks on Skinny require data above 2^n, but we do not collect the full codebook under one fixed tweakey. Hence, we can recover unknown tweakey information that has not been queried in our key-recovery attacks.
Apart from the dedicated attacks, this new way of searching for integral distinguishers provides further insights into the design of tweakable block ciphers. One of the new insights is a better intuition on how the number of positions and the locations of the tweak addition influence the security of a tweakable block cipher. For instance, consider the case of a cipher where the addition of the tweak is just performed for a few rounds at the beginning and the end of the cipher, while for the rounds in the middle just the round-keys are added. Such a construction can lead to the unfortunate situation that the zero-correlation linear hulls are independent of the number of keyed middle rounds.

Related Work.
The conversion [SLR+15] of zero-correlation linear hulls to what is commonly referred to as integral distinguishers is not the only method to find such distinguishers. Another common approach to find integral distinguishers is to exploit knowledge about upper bounds on the algebraic degree of a function, as shown in higher-order differential cryptanalysis [Lai94]. Later on, methods that exploit the structure of a cipher in a more direct manner have been introduced in an attack on the block cipher Square [DKR97], which became known under the name integral cryptanalysis [KW02]. Moreover, the division property [Tod15b] and the bit-based division property [TM16] provide a powerful improvement in the search for integral distinguishers that, for example, led to attacks on full Misty-1 [Tod15a, Tod17].
It is worth mentioning that Table 1 just shows key-recovery attacks and thus does not represent a complete list of results that provide insight into the security of Qarma, . They showed that there exist linear hulls whose biases are invariant under key differences. More concretely, when some bits of the secret key must be inactive for a given linear hull, then there exists another linear hull with the same correlation, where the key difference is induced into the inactive bits. In comparison to our work, we review this property from the viewpoint of zero-correlation linear hulls. By considering zero-correlation linear hulls, we can construct non-trivial distinguishers even if all bits in the secret key/tweak are active. Therefore, our attacks are less restricted and improve over the results of Bogdanov et al. [BBR+13].
Outline. The paper is organized as follows. After briefly revisiting the necessary preliminaries on tweakable block ciphers, linear and zero-correlation cryptanalysis in Section 2, we explain the generic zero-correlation attack on tweakable block ciphers in full detail in Section 3. Moreover, we apply the attack to Qarma, Mantis and Skinny in Sections 4, 5 and 6, respectively. Finally, Section 7 concludes this work.

Tweakable Block Cipher and TWEAKEY Framework
Tweakable block ciphers were initially introduced by the Hasty pudding cipher [Sch98], and then they were formally defined by Liskov, Rivest and Wagner [LRW11]. When the block and key lengths are n and κ bits, respectively, a conventional block cipher ) has an additional input called tweak and it is defined as a function from when the tweak length is t bits. Responding to the high demand, many dedicated tweakable block ciphers have been proposed [JNP14, BJK+16, Ava17].
Throughout the paper, we consider the case of a tweakable round-based block cipher with a linear tweak-scheduling L : F_2^t → (F_2^n)^{r+1} mapping the (master) tweak to the sub-tweaks, as outlined in Fig. 1. Those sub-tweaks are then XORed to the current state of the cipher. The Tweakey framework [JNP14], as illustrated in Fig. 2, is often used to design dedicated tweakable block ciphers, where the key and tweak are basically treated as one object called tweakey. Moreover, each sub-tweakey is generated by applying the same permutation recursively. Based on this framework, there are several dedicated tweakable block ciphers such as Kiasu-BC [JNP15c], Deoxys [JNP15a], Joltik [JNP15b] and Figure 2 shows the Tweakey framework, where the tweakey scheduling algorithm is used instead of the key scheduling algorithm of the block cipher. The Tweakey framework consists of a sub-tweakey extraction function g, an internal update permutation f, and a tweakey state update function h. A ciphertext is computed from a plaintext by applying the permutation f iteratively, and the sub-tweakey is XORed with the internal state every round. A class of tweakable block ciphers denoted by TK-p is introduced when the size of the tweakey is (p × n) bits. Then, TK-1 is suited to the simple single-key block cipher with n-bit key, and TK-2 is suited to the tweakable block cipher with n-bit key and n-bit tweak.
Jean et al. [JNP14] gave a practical subclass of the Tweakey framework named Superposition Tweakey (STK), and Fig. 3 shows the construction with TK-p. In the STK construction, the internal state and tweakey state are partitioned into n/c and pn/c c-bit nibbles, respectively. The function h is decomposed into two functions h and α_j, where h is a nibble position substitution function and a non-zero coefficient α_j is multiplied with each c-bit nibble over the finite field GF(2^c). The function g is a simple XOR of the p n-bit states, and an additional round constant C_i is XORed. We want to highlight that the tweakey scheduling algorithm of the STK construction is fully linear.

Evaluating the Security of Dedicated Tweakable Block Ciphers
The main goal in cryptanalysis is to provide as much insight as possible into the security of symmetric cryptographic primitives. Since full versions of proposed cryptographic primitives are usually computationally hard to attack, it is common to study and evaluate the security of cryptographic primitives by analysing round-reduced versions of those primitives. The difference between the highest number of rounds that can be attacked for a round-reduced variant and the proposed number of rounds specifies the security margin of the primitive. Another important aspect in the analysis of a scheme is the freedom an attacker has. In the case of a block cipher (E_k(P) = C) this actually depends on the specific use of the block cipher, e.g., in which mode of operation it is used. Thus, an attacker might only know the ciphertext C, can make queries with plaintexts and ciphertexts of the attacker's choice [MvV96], or is even able to choose key relations (related-key attacks [Bih94]). While it is debatable if block ciphers have to withstand powerful models like related-key attacks, it is good to know which do and which do not. However, it is usually expected that a good block cipher withstands attacks where the key is secret, but the attacker can freely choose the ciphertexts and plaintexts.
In the case of a tweakable block cipher (E_k(P, T) = C), we have an additional input called the tweak T. If we take a look at the existing analysis of dedicated tweakable block ciphers, e.g., [ABC+17, DL17, Sas18, DEKM16, EK18], we see that in most cases, an attacker is not only allowed to choose plaintexts P and ciphertexts C, but also knows and can pick the tweak T. But does this make sense in practical applications? To evaluate this, let us have a look at the authenticated encryption scheme Deoxys-I [JNP15a] in Figure 4, a CAESAR [CAE14] candidate utilizing Deoxys-BC as the underlying block cipher.
The nonce-based authenticated encryption scheme Deoxys-I takes a public nonce N, associated data A and plaintext P as input and returns a ciphertext C together with the tag Tag (E_k(N, A, P) → (C, Tag)), and the quadruple (N, A, C, Tag) is transmitted and visible to an attacker. As indicated in Figure 4, the tweak T used in the tweakable block cipher is the concatenation of a constant, the nonce N, and a block counter and thus is at least known to an attacker. Furthermore, if we consider that CAESAR requires an authenticated encryption algorithm to be secure independent of the choice of the nonce (except that a nonce must only be used once), we can evaluate a worst-case scenario where an attacker has control over the nonce N and the plaintext P including its length and hence also has control over the tweak input. In [DEM16], attacks that utilize the resulting (somewhat) chosen-tweak scenario on reduced KIASU = are shown, which uses a similar mode as Deoxys-I.
While in other typical use-cases for tweakable block ciphers like memory encryption [Ava17] the control of the attacker over the tweak might be more limited, designers of dedicated tweakable block ciphers usually do not restrict their claims to limited control. For instance, the designers of the tweakable block ciphers Mantis [BJK+16] and Qarma [Ava17] that we examine in this paper claim security under chosen tweaks. For instance, in the case of Mantis: "For MANTIS_7, we claim that any adversary who is in possession of 2^n chosen plaintext/ciphertext pairs which were obtained under chosen tweaks, but with a fixed unknown key, needs at least 2^(126−n) calls to the encryption function in order to recover the secret key" [BJK+16].
The attacks that we show on round-reduced versions of the tweakable block ciphers Mantis and Qarma do not require the power of an attacker to choose the tweaks; instead, they happen in a related-tweak scenario. Since our attacks make use of integral distinguishers, we require tweaks to be partially fixed to any value that does not have to be chosen by the attacker, while the other part iterates over all values for several plaintexts of the attacker's choice. This is arguably a lighter scenario than choosing the tweaks, and such a behaviour of the tweak might naturally happen in modes of operation that use a counter in the tweak to, e.g., encrypt more than one block, or in memory encryption schemes that use the address as tweak input.

Differential Cryptanalysis
For all tweakable block ciphers discussed in this paper, an XOR is used to mix the sub-tweakey and the internal state. This allows an attacker to cancel a difference of an internal state by XORing the same difference of a sub-tweakey at the same position. As a result, one round function is passed for free (see Fig. 5). In general, such a related-tweak setting allows for controlling differences of certain internal states. The probability of the obtained related-tweak/(twea)key differential characteristics is usually higher than that of single-key characteristics. Therefore, such attacks have been well discussed in the context of both related-key attacks on block ciphers and related-tweakey attacks on tweakable block ciphers.

Linear Cryptanalysis
Linear cryptanalysis makes use of correlations between linear combinations of input and output bits of a block cipher with a fixed key. More specifically, given a function, an input mask α ∈ F_2^n, and an output mask, where the probability is taken over uniformly distributed inputs x. Traditionally, a high correlation is used as a distinguisher and then extended to a key-recovery attack [Mat94]. Moreover, we like to mention that for the understanding of our attacks, it might be helpful to have in mind two special cases for the propagation of masks, namely how linear masks propagate through an XOR operation and a branching as illustrated in Fig. 6. In the formula, for the XOR operation and for the branching operation

Linear Hull
In the case of a round-based block cipher, the concept of linear hulls [Nyb95, Nyb01] or correlation matrices [Dae95] are important tools to understand how the correlation is composed. Given a function F as the composition of r functions R_i, that is, it is known that the correlation of F can be expressed as follows, where C_Γ is defined as The value Γ, capturing all intermediate masks, is what is referred to as the linear trail (or characteristic, path) and C_Γ is referred to as the trail correlation.

Zero-Correlation Linear Cryptanalysis
Zero-correlation linear cryptanalysis was introduced by Bogdanov and Rijmen [BR14]. Let α and β be the linear masks for a plaintext and ciphertext, respectively; zero-correlation attacks exploit pairs (α, β) with correlation exactly zero. One clear drawback of the basic zero-correlation linear cryptanalysis is its huge data complexity. In order to detect that the correlation is exactly zero, it is necessary to encrypt (almost) every possible message. Later, the data complexity was reduced by exploiting multiple or multidimensional zero-correlation linear approximations [BW12, BLNW12]. When there are zero-correlation linear approximations for an n-bit block cipher, the required data complexity is roughly estimated as O(2^n / √ ). The main technique to derive zero-correlation linear approximations is very similar to deriving impossible differentials, that is, a miss-in-the-middle approach. In a nutshell, starting with a given input and output mask, one propagates the input mask forward and the output mask backwards through the encryption (resp. decryption) process. This propagation usually does not capture all linear trails with non-zero correlation in both directions exactly, as this might easily get very difficult to handle, but rather captures an easy to describe superset of all those trails. The zero-correlation linear approximation is then derived by deducing that those supersets of forward and backward linear trails have an empty intersection. As an illustration, we recall the well-known zero-correlation linear hull on 4 rounds of the AES. Here, all bytes of the input mask are non-zero except for one diagonal, and the output linear mask is non-zero for only one byte. This then causes a contradiction in the second round MixColumns operation because of its branch number of 5.

Link From Zero-Correlation Linear to Integral
Several mathematical links among different types of cryptanalysis have been discussed, and here we focus on the link between zero-correlation linear cryptanalysis and integral cryptanalysis [BLNW12, SLR+15].

Theorem 1 (Link from zero-correlation linear hull to integral [SLR+15]).
be a function, and A be a subspace of The Theorem shows that when there exists a zero-correlation linear hull, it implies an integral distinguisher. The required number of texts is 2^(n−m), where m denotes the dimension of the subspace A. Recall the zero-correlation linear hull on 4-round AES (see Fig. 7). The zero-correlation linear hull can be converted into an integral distinguisher with 2^32 texts, which is exactly the same as the well-known integral distinguisher of the 4-round AES [DKR97, KW02].
The known-plaintext assumption is used in the naive key-recovery of (multidimensional) zero-correlation linear cryptanalysis. If we assume a chosen-plaintext scenario, we can reduce the required data complexity by linking zero-correlation linear cryptanalysis to the integral attack. In this work, when the key-recovery is taken into consideration, we convert the zero-correlation linear hull into an integral distinguisher.

Key Recovery Technique for Integral Attacks
When N texts are required in the integral distinguisher and κ bits of the secret key are involved to evaluate balanced bits, the trivial key-recovery requires a time complexity of N × 2^κ. There are two improved techniques to reduce the time complexity: the first one is the partial-sum technique [FKL+01] and the other is the FFT key-recovery technique [TA14]. In the partial-sum technique, we first store the frequency of ciphertexts in memory. Then, the ciphertexts are partially decrypted by guessing part of the involved keys, and the size of the memory is reduced. Since the complexity is the product of the memory size and the partially guessed key size, the attacker can reduce the whole complexity by partial decryption and compressing the data size step by step. The FFT key-recovery technique has a simpler description than the partial-sum technique, and thus we can estimate the time complexity only by enumerating the involved key bits and ciphertext bits. Assuming that we need to evaluate where k_1 is the κ-bit round-key and c and k_2 are -bit (partial) ciphertext and the last round-key, respectively, the time complexity is estimated as 3 × 2 κ+ . Unfortunately, the FFT key-recovery technique cannot reduce the time complexity if some parts of the round-key are not mixed with the state. For example, in the AddRoundTweakey function of Skinny just the two topmost rows of the tweakey are XORed with the full state. In such a case, the partial-sum technique is more efficient than the FFT key-recovery technique.

Zero-Correlation Linear on Tweakable Block Ciphers
In the case of a tweakable block cipher, we consider the tweak to be an additional input, so that we can include the tweak bits into the linear combination of input bits when considering linear approximations. More precisely, the input mask α now consists of two parts, α_1 ∈ F_2^n and α_2 ∈ F_2^t, and we have to consider where now the probability is taken over uniformly distributed inputs P and T.
Let L : F_2^t → (F_2^n)^{r+1} be a linear tweak-schedule. As was shown in [KLW17], the corresponding linear hull for this setting becomes where L^T is the adjoint linear layer of L, i.e., the unique linear mapping such that ⟨x, L(y)⟩ = ⟨L^T(x), y⟩ for all x, y. If we represent L as a matrix multiplication, then L^T is the transposed matrix. This was used in [KLW17] to argue that, in contrast to differential cryptanalysis, no new linear trails are introduced by the tweak. Thus, in order to protect against linear cryptanalysis, no fundamentally new tools have to be developed. However, given the additional restriction on linear trails in the hull for tweakable ciphers, the formula actually already hints that zero-correlation might be more effective in this case.
As a first example consider the simple case of a two round tweakable cipher, where the tweak is just XORed to the state as illustrated in Fig. 8.
Here, the tweak-scheduling is clearly linear and the mapping is simply The adjoint linear layer is the mapping Now, consider the linear hull for E_k with input mask (α_1, α_2) and output mask β. Note that the input and output masks are independent [BBR+13]. Here α_1 is the mask for the data input and α_2 is the input mask for the tweak. According to Equation (1), the correlation of and Γ_0 = α as well as Γ_2 = β, we see that Γ_1 = α_1 + α_2 + β and the linear hull reduces to a single trail, namely Thus, for a given α_1 and β, by choosing α_2 such that either cor_{R_1}(α_1, α_1 + α_2 + β) or cor_{R_2}(α_1 + α_2 + β, β) equals zero, we derive a zero-correlation linear approximation. Thus, as long as there exists a zero-correlation linear approximation for R_1 (resp. R_2), the corresponding tweakable cipher has a zero-correlation linear approximation for any choice of R_2 (resp. R_1). This is the basic observation we are going to use throughout the paper for our attacks.
In the general case, we are going to use forward and backward propagation to get a superset S ⊂ (F_2^n)^{r+1} of all characteristics with non-zero correlation. Next, we check if L(S) ⊂ F_2 is not the full space. If so, we get a zero correlation by picking the mask for the tweak in F_2^r \ S. Note that this becomes easier when the tweak-scheduling actually operates on single nibbles, as is the case for the tweakey setting STK, as we will explain in Subsection 3.1.

From Zero-Correlation To Integral
In order to make the link between zero-correlation and integral cryptanalysis in the case of tweakable block ciphers more clear, we demonstrate how to apply it to the simple two-round tweakable block cipher illustrated in Fig. 8. For this, consider the case where R_1 consists of two parallel applications of a permutation S: The entire function then becomes with x_1, x_2 (resp. (t_1, t_2)) being the two m-bit parts of the 2m-bit message (resp. tweak). Splitting R_2 into its two components we get Figure 9 shows the propagation of the simple tweakable block cipher. We now fix any nonzero vector β ∈ F_2^m and consider the output mask (β, 0). As input masks for the message we take (0, γ_1) and for the tweak mask (0, γ_2). In this case we get cor_{R_1}((0, γ_1), (β, which, as S is a permutation and β is non-zero, is zero for any choice of γ_1, γ_2. Thus, Equation (2) implies cor_E(((0, γ_1), (0, γ_2)), (β, 0)) = 0 for any choice of γ_1, γ_2. Thus, the space of input masks with zero-correlation in this case is and its dual is Thus, fixing the second half of both the message and the tweak results in a function that is balanced (i.e. 0 and 1 appear equally often). For completeness, we note that this can also be deduced directly as follows.
We subsequently replaced the variables and finally used that β is non-zero.
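The two-round cipher of Fig. 8 and the zero-correlation hull of Fig. 9 (R_1 = two parallel S-boxes, the tweak XORed before R_1, between the rounds and after R_2), as an added Python example that is not part of the paper: it assumes 4-bit halves (m = 4, so n = t = 8), the PRESENT S-box as the permutation S, a constructed keyed permutation for R_2 and a constructed fixed key. It checks over all 2^(n+t) pairs (P, T) that the correlation of ((0, γ_1), (0, γ_2)) → (β, 0) is exactly zero, and that fixing the second halves of message and tweak leaves the first half of the ciphertext balanced.

```python
from itertools import product

M = 4                      # half width m: message and tweak are 2m = 8 bits each
HALF = (1 << M) - 1
# A 4-bit permutation S (the PRESENT S-box, used here only as "some bijection").
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEY = (0x3A, 0xC5)         # constructed fixed round keys (k_1, k_2)


def parity(x):
    """<a, x> over F_2: parity of the bitwise AND."""
    return bin(x).count("1") & 1


def split(v):
    """(first half, second half) of a 2m-bit value; the first half is the high nibble."""
    return v >> M, v & HALF


def join(first, second):
    return (first << M) | second


def r1(x, k):
    """R_1 of the example: key addition, then S applied to both halves in parallel."""
    a, b = split(x ^ k)
    return join(SBOX[a], SBOX[b])


def r2(x, k):
    """R_2: an arbitrary keyed permutation (S-box layer, then a swap-and-xor mix).
    Constructed for this demo; the zero-correlation hull holds for any bijective R_2."""
    a, b = split(x ^ k)
    a, b = SBOX[a], SBOX[b]
    return join(b, a ^ b)


def encrypt(p, t, key=KEY):
    """E_k(P, T) = R_2(R_1(P + T) + T) + T, i.e. tweak schedule L(T) = (T, T, T)."""
    k1, k2 = key
    x = r1(p ^ t, k1)
    x = r2(x ^ t, k2)
    return x ^ t


def codebook(key=KEY):
    """Ciphertext for every (P, T) pair: 2^(n+t) = 65536 entries, indexed [p][t]."""
    return [[encrypt(p, t, key) for t in range(1 << 2 * M)] for p in range(1 << 2 * M)]


def correlation(book, a1, a2, beta):
    """cor_E((a1, a2), beta) = 2 Pr[<a1,P> + <a2,T> = <beta,C>] - 1 over all (P, T)."""
    agree = 0
    for p, row in enumerate(book):
        for t, c in enumerate(row):
            agree += (parity(a1 & p) ^ parity(a2 & t) ^ parity(beta & c)) == 0
    return 2 * agree / len(book) ** 2 - 1


def zc_masks(g1, g2, beta):
    """Masks of the hull in the text: message (0, g1), tweak (0, g2), output (beta, 0)."""
    return join(0, g1), join(0, g2), join(beta, 0)


def first_half_counts(x2, t2, key=KEY):
    """Integral view: fix the second halves (x2, t2), run over all 2^(2m) first halves
    (the dual space of the zero-correlation masks) and histogram the first half of C."""
    counts = [0] * (1 << M)
    for x1, t1 in product(range(1 << M), repeat=2):
        c = encrypt(join(x1, x2), join(t1, t2), key)
        counts[split(c)[0]] += 1
    return counts


if __name__ == "__main__":
    book = codebook()
    for g1, g2, beta in [(0x3, 0x5, 0x1), (0xF, 0x0, 0x9), (0x0, 0x6, 0xA)]:
        print("cor", (g1, g2, beta), correlation(book, *zc_masks(g1, g2, beta)))
    print("first-half histogram", first_half_counts(0x7, 0x2))
```

Every nonzero β gives correlation exactly 0.0 and the histogram is flat (each of the 16 first-half values appears 16 times), which is the balanced property the text derives.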

Zero-Correlation Linear Hull on STK with TK-1
When we consider the zero-correlation linear hull on general tweakable block ciphers, the domain space is expanded to n + t. This implies that we need to collect a huge amount of data, even if we can find a non-trivial zero-correlation linear hull. However, many dedicated tweakable block ciphers are designed based on the STK construction of the TWEAKEY framework. In that case, the domain expansion of the zero-correlation linear hull is limited to a smaller size, and the number of chosen plaintexts and tweaks that we need to collect can be reduced. Figure 10 shows the zero-correlation linear hull on the STK construction with TK-1. The tweakey schedule of the STK construction with TK-1 consists of two functions, h and g, as shown in Figure 2. The g function (denoted expand in Figure 10) is a sub-tweakey extraction function that extracts the individual round keys from the tweakey state and incorporates them into the internal state. The h function is the tweakey update function, where the nibble positions are simply permuted. Therefore, different nibbles are never mixed in the tweakey scheduling algorithm, and we can focus on the ith c-bit nibble in KT_1. Then, given a pair of input and output linear masks (Γ_0, Γ_R), we enumerate all possible linear characteristics (Γ_0, Γ_1, ..., Γ_R) and evaluate a set S such that where Γ_j[i] denotes the linear mask of the ith nibble in Γ_j, for 0 ≤ j ≤ R. If the complement F_2^c \ S is not empty, it causes a contradiction when Λ[i] ∈ F_2^c \ S. Note that the tweakey except for the ith c-bit nibble is independent of this linear hull, and it can be fixed to a (secret) constant. Furthermore, this implies that the domain expansion is only n + c and not n + t. Practically, we can use a miss-in-the-middle like algorithm to find such a linear hull.
Definition 1 (Γ sequence). The forward and backward propagations with probability one are evaluated from the given input linear mask Γ_0 and output linear mask Γ_r, respectively. Then, for any i, the Γ sequence is defined as the (R + 1)-element sequence where whether Γ_r[h^r(i)] is active, inactive, or any is stored in the rth element.
When the Γ sequence is inactive for any i, it causes a contradiction when Λ[i] is an active mask. Moreover, when there is one active value in the Γ sequence, it causes a contradiction when Λ[i] is the zero mask. We use the following toy cipher to demonstrate the Γ sequence and show how to find a zero-correlation linear hull.
Example 1 (Toy Cipher). The round function is exactly the same as the AES round function. A simple tweakey scheduling algorithm is adopted instead of the AES key scheduling algorithm. The full tweak state is XORed where AddRoundKey is originally applied, and it uses h = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7], which is the same as the permutation P_T of Skinny.
Figure 11 shows the 5-round zero-correlation linear hull, where we focus on the first byte in KT_1. Then, the Γ sequence is (0, 1, 0, 0), where 0 and 1 denote inactive and active, respectively. Therefore, if a zero linear mask is applied to the first byte of KT_1, it derives the zero-correlation linear hull. Moreover, we convert the zero-correlation linear hull to the corresponding integral distinguisher, as shown in [SLR+15]. Zero linear masks are applied to (32 + 8) bits, and any linear mask can be applied to the remaining 96 bits. Therefore, the required data complexity of the corresponding integral distinguisher is 2^40, and the discovered distinguisher can cover 5 rounds. We have practically verified such a distinguisher on a variant of the toy cipher with 4-bit nibbles using 2^20 texts. More details can be found in Appendix A. An interesting observation is that the second round function is independent of the zero-correlation linear hull. In other words, this distinguisher even holds if the second round function is replaced with any random permutation.

Zero-Correlation Linear Hull on TK-p
The STK construction with TK-p has p lines in the tweakey scheduling algorithm, and the same nibble position substitution function h is applied to each line. However, a different coefficient α_j is multiplied with each c-bit nibble over GF(2^c) in every line. Similarly to the case of the zero-correlation linear hull on the STK with TK-1, we can focus on the ith nibble in KT_1, KT_2, ..., KT_p. Sub-tweakeys are generated by the XOR of the p lines, and all branches connected by an XOR must have the same linear mask. Therefore, where α_j^T : F_2^c → F_2^c denotes the adjoint linear mapping of α_j, i.e., the mapping such that We finally enumerate all possible linear characteristics (Γ_0, Γ_1, ..., Γ_R) from a given pair of input and output linear masks (Γ_0, Γ_R). If the complement of the set of all possible ) is not empty, there exists a zero-correlation linear hull. Practically, we can use the same method as in the case of TK-1. That is, choosing Γ_0 and Γ_r, we evaluate the Γ sequence for any i. Then, we can show that the following proposition holds.
Proposition 1. If there is a pair of linear masks (Γ_0, Γ_r) and a nibble position i such that the Γ sequence has at most p linearly active values, the tweakable block cipher has a non-trivial zero-correlation linear hull.
Proof. We consider two cases: the Γ sequence is either inactive or active. The first case is trivial, and an active linear mask Λ_j[i] causes a contradiction. In the second case, we exploit the structure of the p × (R + 1) matrix. In the STK construction, α_j is chosen such that the matrix becomes MDS. Then, the matrix also becomes MDS as, using a suitable choice for the inner product, the adjoint linear mapping α_j^T is identical to α_j, and thus the matrix is unchanged. Therefore, in order to satisfy Λ_j[i] = 0 for all j ∈ {1, 2, ..., p}, the Γ sequence must have at least p + 1 linearly active nibbles. In other words, if there are at most p linearly active nibbles in the Γ sequence, it causes a contradiction when all Λ_j[i] = 0.
Proposition 1 implies that the condition to find a non-trivial zero-correlation linear hull is relaxed if there are more lines in the Tweakey construction (i.e., if $p$ becomes larger in TK-$p$). More details can be found in Appendix A. For example, we can find a 5-round zero-correlation linear hull on a TK-1 construction, but we can further extend the number of rounds to a 6-round zero-correlation linear hull if a TK-2 construction is used.
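As an added illustration of the MDS argument behind Proposition 1 (example code written for this page, not the authors' implementation), the following Python checks, for a TK-2 STK schedule with $\alpha_1 = 1$ and $\alpha_2 = 2$ over $\mathrm{GF}(2^4)$ (the same coefficient as the toy TK-2 schedule of Appendix A), that the $2 \times (R+1)$ matrix is MDS and that no $\Gamma$ sequence with at most $p = 2$ active nibbles can make every $\Lambda_j[i]$ vanish, while one with three active nibbles can. It assumes the reduction polynomial $x^4 + x + 1$ (not stated on the page), that $\alpha_j^T = \alpha_j$, and $R + 1 = 7$ sub-tweakeys.

```python
# Added example (not the paper's code): the MDS argument of Proposition 1 for
# a TK-2 STK schedule with alpha_1 = 1, alpha_2 = 2 over GF(2^4). Assumptions:
# reduction polynomial x^4 + x + 1 (the paper names none), adjoint of
# multiplication by alpha_j = multiplication by alpha_j, R + 1 = 7 sub-tweakeys.
from functools import reduce
from itertools import combinations, product
from operator import xor

POLY = 0b10011  # x^4 + x + 1 (assumed)

def gf16_mul(a, b):
    """Multiply two GF(2^4) elements given as 4-bit integers."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= POLY
    return r & 0xF

def gf16_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf16_mul(r, a)
    return r

def rank(rows):
    """Rank over GF(2^4) by Gaussian elimination (a^-1 = a^14 for a != 0)."""
    rows, rk = [r[:] for r in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = gf16_pow(rows[rk][c], 14)
        rows[rk] = [gf16_mul(inv, x) for x in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][c]:
                f = rows[i][c]
                rows[i] = [x ^ gf16_mul(f, y) for x, y in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def stk_matrix(alphas, ncols):
    """p x (R+1) matrix A[j][r] = alpha_j^r: in round r, line j contributes
    alpha_j^r * KT_j[i] to sub-tweakey nibble i (h only moves nibbles)."""
    return [[gf16_pow(a, r) for r in range(ncols)] for a in alphas]

def is_mds(matrix):
    """A p x n matrix is MDS iff every choice of p columns has rank p."""
    p = len(matrix)
    return all(rank([[row[c] for c in cols] for row in matrix]) == p
               for cols in combinations(range(len(matrix[0])), p))

def tweakey_masks(matrix, gamma):
    """Lambda_j[i] = XOR_r alpha_j^r * Gamma_r, the mask forced onto KT_j[i]."""
    return [reduce(xor, (gf16_mul(c, g) for c, g in zip(row, gamma)), 0)
            for row in matrix]

def exists_silent_sequence(matrix, active):
    """Is there a Gamma sequence with exactly `active` non-zero nibbles for
    which every Lambda_j is zero?  If not, an inactive tweakey mask contradicts
    every such sequence, which is what Proposition 1 relies on."""
    ncols = len(matrix[0])
    for positions in combinations(range(ncols), active):
        for values in product(range(1, 16), repeat=active):
            gamma = [0] * ncols
            for pos, v in zip(positions, values):
                gamma[pos] = v
            if not any(tweakey_masks(matrix, gamma)):
                return True
    return False
```

Calling `exists_silent_sequence(stk_matrix([1, 2], 7), k)` returns False for k = 1, 2 and True for k = 3, matching the "at most p" bound of the proposition; with two equal coefficients `stk_matrix([1, 1], 7)` the matrix is not MDS and two active nibbles already suffice.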

Application to QARMA
We apply our technique to the Qarma family of lightweight tweakable block ciphers [Ava17]. Qarma has a block size of 64 or 128 bits, a key length of 128 or 256 bits, and a tweak length of 64 or 128 bits, respectively. We can successfully attack Qarma-64 whose numbers of forward and backward rounds are reduced to 4 and 8, respectively, in the related-tweak and chosen-plaintext setting. More precisely, only 1 out of 16 cells of the tweak is active, while the other 15 cells take a known constant value. Our attack is currently the best known attack with respect to the number of total rounds.

Description of QARMA
An encryption of Qarma consists of forward round functions, a central construction, and backward round functions. In the specification, the designer defines Qarma$_r$ as Qarma whose numbers of forward and backward rounds are $r+1$. In this paper however, for simplicity, we use a different notation, Qarma$_{r_1,r_2}$, where the numbers of forward and backward rounds are $r_1$ and $r_2$, respectively. Thus, Qarma$_r$ corresponds to Qarma$_{r+1,r+1}$.
The state of Qarma is represented as a $4 \times 4$ matrix, where each index is defined as
Every cell takes a 4- or 8-bit value in Qarma-64 and Qarma-128, respectively. In the state denoted by $X$, let $X[i_1, i_2, \ldots, i_m]$ be $(s_{i_1}, s_{i_2}, \ldots, s_{i_m})$ of $X$.
One round of Qarma consists of the following round operations (illustrated in Fig. 13):
• SubCells (S): substitutes each cell $x$ by an involutory S-box. The following involutory 4-bit S-box $\sigma_1$ is directly applied for Qarma-64, and the 8-bit S-box in Qarma-128 is constructed by placing two $\sigma_1$ in parallel.

Zero-Correlation Linear Hull on QARMA 4,5
Figure 14 shows two zero-correlation linear hulls on Qarma$_{4,5}$. Any linear masks are applied to 6 cells of the state, i.e., $(s_2, s_7, s_8, s_{12}, s_{13}, s_{15})$. Moreover, active linear masks are applied to $s_0$ and $s_8$ of the output, as shown in Figure 14. Then, we focus on the tweak cell labelled 12. As illustrated by the cells highlighted with red frames, the $\Gamma$ sequence has just one active cell. Therefore, applying an inactive mask to the tweak cell labelled 12 causes a contradiction due to Proposition 1. Note that we do not need to activate any of the other 15 cells in the tweak, and they can take any fixed value. Thus, the domain space of the zero-correlation linear hull becomes at most 17 (= 16 + 1) cells. The attack assumption of the naive algorithm using a zero-correlation linear hull is the known-plaintext and tweak setting, but it usually requires a huge data complexity. If we assume a chosen-plaintext and related-tweak setting, the required data complexity can be reduced by linking to integral distinguishers as described in Section 3. Any linear masks are applied to six cells in the two zero-correlation linear hulls, and inactive linear masks are applied to the other 11 (= 10 + 1) cells. Therefore, the corresponding related-tweak integral distinguisher requires $2^{10 \times 4} = 2^{40}$ chosen plaintexts over $2^4$ related tweaks, and the total data complexity is $2^{40+4} = 2^{44}$. Here, the relation of the tweak is defined in such a way that the 4-bit cell labelled 12 takes all values. Both zero-correlation linear hulls outlined in Fig. 14

Key-Recovery Attacks on QARMA 4,8
In the key recovery, we first add pre-whitening before the integral distinguisher. Let $P$ and $T$ denote the states of plaintext and tweak, respectively. We first prepare a set of plaintexts and tweaks, where 10 cells at positions $P[0, 1, 3, 4, 5, 6, 9, 10, 11, 14]$ and 1 cell at position $T[12]$ are active. Moreover, we choose the input such that $P[12] = T[12]$; then $(P \oplus T)[12]$ becomes constant and coincides with the input of the integral distinguisher.
We can append three rounds after the integral distinguisher. Figure 15 shows the key-recovery, and let $X$ and $Y$ be the states defined in Fig. 15. Due to the integral distinguisher, both $s_0$ and $s_8$ in $X$ are balanced at the same time. Then, $s_{10}$ is also balanced at the same time.

and (X
Moreover, $\rho_2$ is the rotation function, and $(Y_0 + Y_8) = 0$. We use the meet-in-the-middle technique for integral attacks [SW13], where $Y_0$ and $Y_8$ are evaluated independently, and round keys satisfying $Y_0 = Y_8$ are recovered. The size of the involved secret key is $56 (= 14 \times 4)$ bits in $w_1 \oplus k_0$ and $28 (= (1+6) \times 4)$ bits in $M(\tau(k_0))$, which gives a total of 84 key bits that can be recovered. Since one structure removes incorrect secret-key bits by a factor of $2^{-4}$, we need $84/4 = 21$ structures to uniquely determine the secret key.

Application to MANTIS
In this section, we apply the attack to a reduced-round version of Mantis$_8$, where the numbers of forward and backward rounds are reduced to 4 and 8, respectively. Our attack assumption is the same as in the case of Qarma, where only 1 cell in the tweak is activated and the other 15 cells can take any known constant.

Description of MANTIS
Figure 16: Illustration of the tweakable block cipher Mantis.
Mantis is a family of lightweight tweakable block ciphers proposed together with Skinny by Beierle et al. [BJK+16]. Mantis has a block size of 64 bits, a key length of 128 bits, and a tweak length of 64 bits. The structure of Mantis follows the design of Prince [BCG+12] and aims to achieve low latency. While it is rather easy to turn the cipher into a tweakable cipher by using the Tweakey framework, the designers reused components of Midori [BBI+15] to achieve low latency. One round of Mantis consists of the following round operations (illustrated in Fig. 16):
• SubCells (SC): substitutes each nibble $x$ by the involutory Midori S-box $\mathrm{Sb}_0(x)$, which is given below:
  x    | 0 1 2 3 4 5 6 7 8 9 a b c d e f
  S(x) | c a d 3 e b f 7 8 9 1 5 0 2 4 6
• AddConstant (AC): adds a round constant $RC_i$ to the state. The constants are generated similarly as in Prince.
• AddRoundTweakey (ART): adds the (full) round tweakey to the internal state.
• MixColumns (MC): multiplies each column of the state by the binary matrix $M$ from Midori, as shown below:
The state is represented as a $4 \times 4$ matrix, where each index is defined as

Zero-Correlation Linear Hull on MANTIS 4,5
The zero-correlation linear hulls and the resulting integral distinguishers for Mantis$_{4,5}$ are identical to the distinguishers on Qarma$_{4,5}$. This is because we can re-arrange the components of the round function in Mantis so that the overall structure of Mantis is the same as for Qarma. We can define Mantis$_r \sim$ Qarma$_r$ by changing the application of the round components from to the round structure of Qarma. Moreover, as the first and last rounds of Qarma are partial rounds (omitting ShuffleCells and MixColumns), this works for the beginning of the forward/backward rounds. Furthermore, as Qarma employs one forward and one backward round in the central construction, ShuffleCells and MixColumns can be added from Mantis to complete the last round of the forward/backward rounds. The remaining S-box of Qarma is then equivalent to the application of the S-box in the middle construction of Mantis.
Since our attack is of a general nature, and the components of Mantis and Qarma are very similar (see the differences in Table 2), the distinguishers of Qarma can be re-used. All operations of both Mantis and Qarma work in a nibble-by-nibble fashion, and the alignment of the state words is the same. Moreover, in the search for the zero-correlation linear hulls, we consider the $m$-bit S-box as an arbitrary S-box and do not consider the structure of a particular S-box. Similarly, the linear layers of Mantis and Qarma differ only in some entries of the MixColumns matrix $M$; but again, as we consider nibble-by-nibble operations and the matrices have the same structure (with an all-zero diagonal), there are no differences in the distinguisher. Finally, the additional application of an LFSR $\omega$ in the tweak-update function of Qarma also does not change the distinguisher, by a similar argument as for the differences in the MixColumns matrix $M$.
Figure 24 in Appendix C explicitly shows the zero-correlation linear hull for Mantis$_{4,5}$, where cells $s_0$ and $s_8$ after MixColumns are linearly active, respectively.

Key-Recovery Attacks on MANTIS 4,8
Since our attacks are general against the Tweakey framework, and we can reuse the distinguishers of Qarma on Mantis, we can further reuse the key-recovery for Mantis.
Qarma uses a 128-bit master key $K$ that is initially partitioned as $w_0 \| k_0$, where $w_i$ are the whitening keys and $k_i$ are the core keys, for $i \in \{0, 1\}$. For encryption, $k_0 = k_1$ and $w_1 = (w_0 \gg 1) \oplus (w_0 \gg (64-1))$. Mantis uses a 128-bit master key $K$ that is split into $k_0 \| k_1$, which is then further extended to the 192-bit key where $k_0$, $k_0'$ are the whitening keys and $k_1$ is the round key for all rounds in Mantis.
In the key-recovery of Qarma we recover 56 bits of $w_1 \oplus k_0$ and 28 bits of $M(\tau(k_0))$. Since $w_1^{\text{Qarma}} = k_0^{\text{Mantis}}$ and $k_0^{\text{Qarma}} = k_1^{\text{Mantis}}$, we can recover the same key information as in Qarma (i.e., we can recover 56 bits of $k_0 \oplus k_1$ and 28 bits of $M(P(k_1))$). Equally, as in the attack on Qarma$_{4,8}$, the complexities to attack Mantis$_{4,8}$ are $2^{66.2}$ for time, $2^{48.4}$ for data, and $2^{53.64}$ 64-bit blocks for memory. Figure 25 in Appendix C explicitly shows the key-recovery for Mantis$_{4,8}$.

Description of SKINNY
Skinny is a family of lightweight tweakable block ciphers introduced by Beierle et al. [BJK+16]. Skinny has a block size $n$ of 64 or 128 bits, and a tweakey size of $n$, $2n$, or $3n$, where the tweakey can be both tweak and key. The aim of Skinny is to achieve the performance of the NSA ciphers Simon and Speck [BSS+13], while still offering strong security bounds against differential/linear cryptanalysis. One round of Skinny consists of the following round operations (illustrated in Fig. 17):
• SubCells (SC): substitutes each nibble $x$ by the S-box $S(x)$, which is given below:
  x    | 0 1 2 3 4 5 6 7 8 9 a b c d e f
  S(x) | c 6 9 0 1 a 2 b 3 8 5 d 4 e 7 f
• AddRoundConstants (AC): adds LFSR-based round constants to cells 0, 4, and 8 of the state.
• AddRoundTweakey (ART): adds the round tweakey to the first two rows of the state.
• ShiftRows (SR): rotates the $i$-th row, for $0 \le i \le 3$, by $i$ positions to the right.
• MixColumns (MC): multiplies each column of the state by the binary matrix $M$:
The state is represented as a $4 \times 4$ matrix, where each index is defined as In the state denoted by $X$, let $X[i_1, i_2, \ldots, i_m]$ be $(s_{i_1}, s_{i_2}, \ldots, s_{i_m})$ of $X$. In this paper, we just consider Skinny-64; however, the attack should easily be applicable to Skinny-128, as we just consider cell-based operations and an arbitrary cell-size S-box. For two tweakey words (i.e., TK-2) the designers of Skinny recommend 36 rounds, and for three tweakey words (i.e., TK-3) they recommend 40 rounds.

Zero-Correlation Linear Hull on SKINNY-64/128
We searched for the zero-correlation linear hull using a miss-in-the-middle-like algorithm.
As a result, we found a 13-round zero-correlation linear hull for Skinny-64/128. Here, active linear masks are applied to two cells $(s_0, s_3)$ at the input, and active linear masks are applied to cells $s_7$ and $s_{11}$ in the state before MixColumns at the output, as shown in Fig. 19. Then, we focus on the tweak cell labelled 9, where the $\Gamma$ sequence is depicted using a red frame. Since the $\Gamma$ sequence has just two active cells and Skinny-64/128 is based on TK-2, applying an inactive mask to the aforementioned tweak cell causes a contradiction due to Proposition 1. Note that the remaining $15 \times 2$ cells in the tweakey can take any constant, and the domain of our zero-correlation linear hull is $64 + 8 = 72$ bits. We can link the zero-correlation linear hull to a related-tweakey integral distinguisher. We apply any linear mask to the two cells $(s_0, s_3)$ in the zero-correlation linear hulls as illustrated in Fig. 19 and apply inactive linear masks to the remaining 14 cells. Moreover, we apply inactive linear masks to the $2 \times 4 = 8$-bit tweak cell labelled 9. Therefore, the corresponding related-tweakey integral distinguisher requires $2^{14 \times 4} = 2^{56}$ chosen plaintexts over $2^8$ related tweakeys, and the total data complexity is $2^{56+8} = 2^{64}$. Here, the relation of the tweakey is defined in such a way that the $2 \times 4 = 8$-bit cell labelled 9 takes all values. The integral distinguishers share the same input linear mask $\Gamma_0$, and the output in cell $s_{11}$ in the state after MixColumns is balanced.

Key-Recovery Attacks on SKINNY-64/128
Our attack model is a related-tweakey attack, where $2^8$ related tweakeys are exploited. Then, there exists a generic key-recovery attack with a time complexity of $2^{128-8} = 2^{120}$ [BMV11]. Therefore, the time complexity of a non-trivial key-recovery attack must be at most $2^{120}$.
In the key-recovery, we can prepend 1 round and append 6 rounds to the integral distinguisher. In total, the attack reaches 20 rounds. Figure 20 shows the key-recovery, and let $X_i$, $Y_i$, and $Z_i$ be the states defined in Fig. 20. Let $P$ and $T$ be the states of plaintext and tweak, respectively. We first prepare a set of chosen $Z_1$, where 14 cells are active, i.e., $Z_1[1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]$. Moreover, we need the tweak cell $T[1]$ in the two lines to be active, as it will propagate to cell $T[9]$ after 1 round, which coincides with the beginning of both integral distinguishers as shown in Fig. 19. Note that the consistent set of chosen plaintexts and tweaks is computed from $Z_1$ and $T[1]$ without guessing any bits, since Skinny does not have a whitening-key addition at the beginning. Due to the integral distinguisher, both $s_7$ and $s_{11}$ in $Y_{14}$ are balanced. Then , and In Skinny, the full tweakey is not XORed with the internal state (i.e., just the top two rows of the tweakey are XORed to the state), and then the FFT key-recovery technique is less efficient [TA14]. Therefore, we estimate the time complexity to recover round keys satisfying $Y_{11} = 0$ in detail by using the partial-sum technique [FKL+01]. The size of the involved secret key is $(7 + 6 + 4 + 2 + 1 + 0) \times 4 = 80$ bits, and one structure filters incorrect secret-key guesses by a factor of $2^{-4}$. Therefore, we need about $80/4 = 20$ structures to uniquely determine the secret key.

Zero-Correlation Linear Hull on SKINNY-64/192
We can reuse parts of the zero-correlation linear hull for Skinny-64/128 in the TK-2 setting for that of Skinny-64/192 in the TK-3 setting. Therefore, we apply any linear mask to cells $(s_0, s_3)$ in the input mask $\Gamma_0$. In contrast to the case of Skinny-64/128, we now apply active linear masks only to cell $s_9$ in the state before MixColumns, as shown in Fig. 21. Then, we focus on the tweakey cell labelled 7, and the $\Gamma$ sequence now has three active cells. Again, by using Proposition 1 and applying an inactive mask to the aforementioned tweakey cell, this causes a contradiction. Note that the remaining $15 \times 3$ cells in the tweakey can take any constant, and the domain of our zero-correlation linear hull is $64 + 12 = 76$ bits.
Again, we link the zero-correlation linear hull to a related-tweakey integral distinguisher. We apply any linear mask to the two cells $(s_0, s_3)$ in the zero-correlation linear hulls as illustrated in Fig. 21 and apply inactive linear masks to the remaining 14 cells. Moreover, we apply inactive linear masks to the $3 \times 4 = 12$-bit tweak cell labelled 7. Therefore, the corresponding related-tweakey integral distinguisher requires $2^{14 \times 4} = 2^{56}$ chosen plaintexts over $2^{12}$ related tweakeys, and the total data complexity is $2^{56+12} = 2^{68}$. Here, the relation of the tweakey is defined in such a way that the $3 \times 4 = 12$-bit tweak cell labelled 7 takes all values. The cell $s_9$ before MixColumns is balanced because any linear mask is applied to the cell.

Key-Recovery Attacks on SKINNY-64/192
Our integral distinguisher uses $2^{12}$ related tweakeys, and then there exists a generic key-recovery attack with a time complexity of $2^{192-12} = 2^{180}$ [BMV11]. Therefore, the time complexity of a non-trivial key-recovery attack must be at most $2^{180}$. In the key-recovery, we can prepend 1 round and append 8 rounds to the integral distinguisher. In total, the attack reaches 23 rounds. Figure 22 shows the key-recovery, and let $X_i$, $Y_i$, and $Z_i$ be the states as defined in Fig. 20. Let $P$ and $T$ be the states of plaintext and tweak, respectively. We first prepare a set of chosen $Z_1$, where 14 cells are active, i.e., $Z_1[1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]$. Moreover, we need the tweak cell $T[11]$ in all three lines of the tweak schedule to be active, as it will propagate to cell $T[7]$ after one round, which coincides with the beginning of both integral distinguishers as shown in Fig. 21. Note that the consistent set of chosen plaintexts is computed from $Z_1$ without guessing any bits.
Due to the integral distinguisher, $s_9$ in $Y_{16}$ is balanced. Then We need to repeat these two procedures 37 times to recover the secret key. Thus, the total time complexity can be computed as $37 \times (2^{150.4} + 2^{112.3}) \approx 2^{155.6}$, the data complexity is $37 \times 2^{68} \approx 2^{73.2}$, and the memory complexity is $1/64 \cdot 2^{144} = 2^{138}$ 64-bit blocks. Finally, we compare these lists and find a match. Similarly to the attack against Skinny-64/128, our attack requires a data complexity above $2^{64}$; however, we do not need to collect the full codebook under a fixed tweakey.

Conclusion
In this paper, we study zero-correlation attacks on tweakable block ciphers and consider for the first time the effect of the tweak. Kranz, Leander and Wiemer [LTW18] showed that the addition of a tweak that is updated by a linear key schedule does not introduce new linear characteristics, which is quite different from the differential model. However, the additional restrictions from the linear tweak schedule allow us to efficiently find zero-correlation linear hulls for tweakable block ciphers. Turning the zero-correlation distinguishers into integral distinguishers allows us to show new attacks on round-reduced variants of Qarma, Mantis and Skinny, where the attack on Qarma is currently the best attack (with respect to the number of rounds) on a round-reduced variant of Qarma. This new way of searching for distinguishers on tweakable block ciphers not only allows attackers to find longer distinguishers, but also provides designers of tweakable block ciphers with new insights. For example, in tweakable reflection ciphers like Mantis or Qarma, where the tweak is added just in the forward and backward rounds while in the middle rounds just round keys are added, the additional middle rounds do not provide extra security with respect to our attacks. This is because the zero-correlation linear hulls over the tweaks are independent of the number of keyed middle rounds.

A Experimental Verification of Our Distinguishers
For TK-1, we used the toy cipher described in Example 1, but the size of the S-box is shrunk to 4 bits and the 4-bit S-box of Qarma is used. As depicted in Fig. 11, any linear mask is applied to all cells except for the first diagonal elements. Then, the $\Gamma$ sequence of the first nibble of the tweak has 1 active nibble. Therefore, the corresponding related-tweak integral distinguisher requires $2^{4 \times 4} = 2^{16}$ chosen plaintexts under $2^4$ related tweaks. Then, the first nibble in the output is balanced. We implemented and verified the distinguisher. Similarly to the case of TK-1, we also verified the case of TK-2 by using the modified toy cipher. We added an additional 1-line tweakey schedule to the toy cipher above, where the multiplication by 2 over $\mathrm{GF}(2^4)$ is applied to every cell. Figure 23 shows the zero-correlation linear hull. The $\Gamma$ sequence of the first nibble of the tweak has at most 2 active nibbles. Therefore, the corresponding related-tweak integral distinguisher requires $2^{4 \times 4} = 2^{16}$ chosen plaintexts under $2^8$ related tweaks. Then, the last nibble in the output is balanced, and we implemented and verified the distinguisher too.

Figure 8: Propagation of masks in a simple two round tweakable block cipher.

Figure 9: Propagation of masks in a simple two round tweakable block cipher with two S-boxes.

Figure 11: Zero-correlation linear hull on the toy cipher.

Figure 12: Zero-correlation linear hull on the STK with TK-p.

Figure 17: Round function of the tweakable block cipher Skinny.

Table 1: Overview on previous and proposed key-recovery attacks on variants of Qarma-64, Mantis, Skinny-64/128, and Skinny-64/192. MITM/ID/ZC/Inv. = Meet-in-the-Middle/Impossible Differentials/Zero-Correlation/Invariants.

Mantis and Skinny. For instance, Leander, Tezcan, and Wiemer [LTW18] provide results regarding the length of subspace trails for various ciphers including Qarma and Skinny. Furthermore, Cid et al. [CHP+18] use their new tool called Boomerang Connectivity Table to re-evaluate existing related-tweakey boomerang characteristics of Skinny. Further works [ZR17] give more insight into the security of Skinny against differential cryptanalysis [AK19] and impossible differential cryptanalysis [ST17], and the security of Skinny and Mantis against invariant attacks [BCLR17]. Eskandari et al. [EKKT19] search for integral distinguishers based on the division property for Qarma-64, Mantis, and Skinny-64. Furthermore, Zhang and Rijmen [ZR17] give integral distinguishers for 10 rounds of Skinny-64 based on the division property. The property of linear hulls under the related-key setting was also discussed by Bogdanov et al. in [BBR+13].

Figure: Key-alternating tweakable block cipher with linear tweak schedule.

In the state denoted by $X$, let $X[i_1, i_2, \ldots, i_m]$ be $(s_{i_1}, s_{i_2}, \ldots, s_{i_m})$ of $X$. The encryption of Mantis consists of a forward round function, a central construction, and a backward round function, similar to Qarma. The designers of Mantis define Mantis$_r$ as Mantis whose numbers of forward and backward rounds are $r$. For simplicity, we use a different notation, Mantis$_{r_1,r_2}$, where the numbers of forward and backward rounds are $r_1$ and $r_2$, respectively.

Table 3: Procedure for the key-recovery on Skinny-64/128