Differential-Linear Cryptanalysis of GIFT family and GIFT-based Ciphers

At CHES 2017, Banik et al. proposed a lightweight block cipher GIFT consisting of two versions, GIFT-64 and GIFT-128. Recently, many authenticated encryption schemes have adopted GIFT-128 as their underlying primitive, such as GIFT-COFB and HyENA. To promote a comprehensive perception of the soundness of the designs, we evaluate their security against differential-linear cryptanalysis. For this, automatic tools have been developed to search differential-linear approximations for S-box-based ciphers. With the assistance of the automatic tools, we find 13-round differential-linear approximations for GIFT-COFB and HyENA. Based on the distinguishers, 18-round key-recovery attacks are given for the message processing phase and the initialization phase of both ciphers. Moreover, the resistance of GIFT-64/128 against differential-linear cryptanalysis is also evaluated. 12-round and 17-round differential-linear approximations are found for GIFT-64 and GIFT-128 respectively, which lead to 18-round and 19-round key-recovery attacks respectively. Here, we stress that our attacks do not threaten the security of these ciphers.


Introduction
The past few decades have witnessed the increasingly common deployment of small computing devices, such as sensor nodes, RFID tags, smart cards, and industrial controllers, which brings a wide range of new security and privacy concerns. Since conventional cryptographic standards are not acceptable when implemented in such highly constrained computing environments, numerous algorithms tailored for resource-constrained devices have emerged, often summarized as so-called lightweight cryptography. The lightweight block cipher family GIFT is designed by Banik et al. [BPP+17], which includes two versions, GIFT-64 and GIFT-128, and both have a 128-bit key size. GIFT inherits the design framework of PRESENT, with the correction of the weakness of the strong linear hull effect. In 2018, the National Institute of Standards and Technology (NIST) initiated a lightweight cryptography project to solicit, evaluate, and standardize lightweight cryptographic algorithms aiming for execution under extreme performance constraints. GIFT-COFB [BCI+21] instantiates the COFB (COmbined FeedBack) block-cipher-based Authenticated Encryption with Associated Data (AEAD) mode, using GIFT-128 [BPP+17]. It can be implemented efficiently and achieves desirable features, thus making its way to the finalists of the NIST lightweight cryptography project. HyENA [CDJN19], also instantiated with GIFT-128, provides nonce-based authenticated encryption with associated data functionality. Here, when mentioning HyENA, we refer to its concrete instantiation based on GIFT-128, not the mode of operation. Given its salient features, like being inverse-free, a low XOR count, a low state size, and an optimal number of nonlinear primitive calls, HyENA has been selected as one of the 32 second-round candidates of the NIST lightweight cryptography project.
Unlike public-key cryptography, our confidence in the security of symmetric-key primitives mainly lies in their resistance against all known cryptanalytic methods. Therein, differential and linear cryptanalysis, introduced by Biham and Shamir [BS90] and Matsui [Mat93] respectively, are the two most profound techniques for the security evaluation of block ciphers. While the design of symmetric-key primitives assures resistance against differential and linear attacks, combining short differential characteristics with short linear approximations can also yield vulnerabilities that must be taken into account when evaluating their security. In 1994, Langford and Hellman [LH94] first showed that a differential of E_0 and a linear approximation of E_1 could be combined into a distinguisher for the entire cipher E_1 ∘ E_0 by a technique called differential-linear cryptanalysis (abbreviated as DL cryptanalysis).

Automatic Tools of Searching DL Approximation for S-box-based Ciphers.
An MILP (Mixed Integer Linear Programming) model has been developed to automatically search differential-linear approximations for S-box-based ciphers. First, for an S-box, a way/algorithm is presented to derive the propagation of the correlation of a differential-linear approximation from its DDT (Differential Distribution Table). We have implemented this method by symbolic programming in SageMath, and correspondingly Proposition 1 is obtained, which describes the propagation of the correlation of DL approximations for the S-box of GIFT. The SageMath implementation can easily be used to analyze other ciphers' S-boxes. So the correlation of a DL approximation can be efficiently computed for S-box-based ciphers by combining it with the propagation rules for other operations, such as XOR and AND. Further, an integrated model is designed to search differential-linear approximations for the common framework depicted in Figure 1. More precisely, we show how to model the differential-linear part E_m by the pattern-choosing rule, which is proved to be equivalently described by two inequalities in Theorem 1. Then the propagations of the three parts E_d, E_m and E_l are merged into a single MILP model to search differential-linear approximations. Besides, a phenomenon of the differential propagation of 3-round GIFT-128 is found, i.e. Propositions 2 and 3, which reveals that the restriction on active bits in key-recovery attacks on the message processing phase of GIFT-COFB and HyENA can be directly converted into a restriction on the distinguisher's input. We apply our automatic tool to GIFT-64/128 and the two GIFT-based AEADs GIFT-COFB and HyENA, and obtain differential-linear distinguishers with more rounds, as summarized in Table 1, where all the results are under the single-key setting.

Differential-linear attacks on two GIFT-based AEADs GIFT-COFB and HyENA.
The security of GIFT-COFB and HyENA has attracted considerable attention from many researchers since their publication. There are several attacks on the encryption procedure in the message processing phase. In [ZDC+21], Zong et al. gave a key-recovery attack on 15-round GIFT-COFB based on a 9-round linear approximation. Subsequently, Sun et al. [SWW21b] improved this result using automatic search with the Boolean satisfiability problem (SAT), and gave an attack on 16-round GIFT-COFB with a 10-round linear approximation. Besides, Sun et al. gave a key-recovery attack on 16-round HyENA based on a 10-round linear approximation. With the assistance of our automatic tool, we found 13-round differential-linear distinguishers for GIFT-COFB and HyENA. Then a key-recovery attack is given for 18-round GIFT-COFB, which takes time complexity 2^{102.06} and data complexity 2^{64} to recover the full 128-bit secret key. With regard to 18-round HyENA, we show a key-recovery attack with 2^{119} time complexity and 2^{63.97} data complexity. We summarize our attacks and the previous ones against GIFT-COFB and HyENA in Table 2, where all the results are under the single-key setting. Note that for the analysis of the encryption procedure in the message processing phase, differential-linear attacks can be launched under the nonce-misuse scenario. Moreover, we have analyzed the initialization phase of round-reduced versions of GIFT-COFB and HyENA. The attacks on the initialization phase reach 18 rounds for both ciphers, and the details of the attack complexities can be found in Table 2.

Evaluation of Security of GIFT-64/128 against Differential-linear Cryptanalysis.
Since the publication of GIFT-64/128, there have been plenty of works on their security against differential and linear cryptanalysis. To promote a comprehensive perception of the soundness of GIFT-64/128's security, their actual resistance to the variants of differential or linear cryptanalysis should be evaluated. With our automatic tool, we analyzed the security of GIFT-64/128 against differential-linear attacks. As a result, for 18-round GIFT-64, a key-recovery attack is launched using a 12-round differential-linear approximation. With regard to GIFT-128, a 19-round key-recovery attack is given with a 17-round differential-linear approximation. The details of the attack complexities can be found in Table 2. For both ciphers GIFT-64/128, differential-linear cryptanalysis does not reach as many rounds as the best known key-recovery attacks.
As shown in Table 1, with the help of our automatic tool, we found 13-round differential-linear distinguishers for GIFT-COFB and HyENA. For the message processing phase of both AEADs, the distinguishers cover three rounds more than the publicly known results. By virtue of the distinguishers, 18-round key-recovery attacks are given for the message processing phases, as summarized in Table 2, which are better than the previous best ones by two rounds. Moreover, we have given attacks on the initialization phases of 18-round GIFT-COFB and HyENA respectively, which facilitates our understanding of their security in different phases. For GIFT-64, as shown in Table 1, a 12-round differential-linear distinguisher is found, which has the same number of rounds as the linear one in [SWW21a] but one round fewer than the differential one in [CZD19]. As regards GIFT-128, a 17-round differential-linear distinguisher is found, which has four or two fewer rounds than the differential [JZZD20a] or linear [SWW21b] ones respectively. Then, 18-round and 19-round key-recovery attacks are given for GIFT-64 and GIFT-128 respectively, which do not reach the same number of rounds as the best attacks obtained by differential cryptanalysis in [CZD19] and [ZDC+21] respectively, as in the linear case. For the details of the attacks, please refer to Table 2.
Table 1: Summary of distinguishers on GIFT-64/128, GIFT-COFB and HyENA. For GIFT-64/128, the attacks target the encryption phase (Enc. for short). For GIFT-COFB and HyENA, the initialization phase (Init.P.) and the message processing phase (Msg.P.) are analyzed. For the different types of distinguishers, Diff. denotes differential, Lin. linear and DL differential-linear. PR denotes the probability of a differential distinguisher and SC denotes the squared correlation of linear and differential-linear distinguishers.

[Table 1 body not reproduced here; its columns are Cipher, Target, Rounds, Type, PR (SC), Ref.]

Refer to https://gitfront.io/r/user-9335734/A33hSkkf6eEa/DL-GIFT/ for the full version of this paper with the supplementary material, where the code and the details of the attacks on GIFT-COFB, HyENA and GIFT-64/128 are provided.

Organization of This Paper
The rest of the paper is organized as follows. In Sect. 2, we introduce the specifications of the GIFT family, GIFT-COFB and HyENA, and recall the MILP-based automatic search method and differential-linear cryptanalysis. In Sect. 3, we present the automatic tool, i.e. the MILP model to search differential-linear approximations for S-box-based ciphers. The details of the differential-linear attacks on GIFT-COFB, HyENA and GIFT-64/128 are shown in Sect. 4, Sect. 5 and Sect. 6 respectively. Finally, we conclude this paper in Sect. 7.

Preliminaries
In this section, we first introduce the specifications of GIFT, GIFT-COFB and HyENA. Then we recall the MILP-based automatic search method and differential-linear cryptanalysis. GIFT-128 follows an SPN structure with 40 rounds. The round function has three steps: SubCells, PermBits and AddRoundKey, which are described as follows.

Description of GIFT
SubCells. The S-box of GIFT-128, denoted by GS, can be found in the full paper. In each round, the state is updated by applying 32 GS operations in parallel to every nibble.
PermBits. Then the cipher state is updated by a linear transformation P_128(·) as b_{P_128(i)} ← b_i, i = 0, 1, ..., 127. Refer to the full paper for details.
AddRoundKey. A 64-bit round key RK is viewed as two 32-bit words, and half of the internal state bits are XORed with RK as follows:
GIFT-COFB and HyENA. The specifications of GIFT-COFB and HyENA are in the full paper.
Here we summarize the notations used in our attacks in Table 3.

Automatic Search Methods for Differential and Linear Trails
The automatic search method is recalled in this section. Mouha et al. [MWGP11] showed that the problem of searching for the minimum number of active S-boxes can be modeled with mixed integer linear programming (MILP), which is effective for evaluating word-oriented ciphers. To apply MILP to bit-oriented ciphers, Sun et al. [SHW+14b] developed a method to model all possible differential propagations bit by bit for an S-box. In the following, we briefly review the method of [SHW+14b]. Owing to the similarity of the modeling procedure between searching for differential and linear trails, we omit the case of linear cryptanalysis for brevity.
We define the vector x = (x_0, x_1, ..., x_{n−1}) to mark the active or inactive bit positions as follows:
Constraints of S-box. Suppose the two vectors (x_0, x_1, ..., x_{ω−1}) and (y_0, y_1, ..., y_{ν−1}) are the input and output bit differences of some ω × ν S-box S_t. Let the bit variable A_t denote the activity of this S-box. That is to say, A_t = 1 if S_t is active, and A_t = 0 otherwise.
The following constraints can be used to ensure that a non-zero input difference of the S-box must activate it: To describe the differential propagation with probabilities, we introduce a vector (x_0, and then get a finite set of discrete points that includes exactly all the possible differential propagations and their corresponding probabilities of the S-box. The above set can be represented by the inequalities called the H-representation of the S-box S_t: We can utilize the existing algorithm of SageMath to derive inequalities representing the propagation of differences or linear masks through the S-box, and then reduce their number by the greedy algorithm given in [SHW+14a].

Objective function of differential propagation model. The objective function should be a linear function of the variables and can be the minimum number of active S-boxes (the sum of the A_t) or the highest probability of differential trails (the sum of p_t + q_t) for the cipher.

Differential-Linear Cryptanalysis
In the following, we recall the common framework of differential-linear approximation and the success probability of a key-recovery attack in the differential-linear context. In practice, the assumption of independence between the two subciphers might lead to a wrong estimation of the correlation of the differential-linear approximation. Usually, one can get some evidence for this independence assumption by computing experimentally the correlation of the differential-linear approximation over the round-reduced cipher. To obtain a more accurate estimation of the differential-linear approximation, the target cipher is divided into three parts. The overall framework of differential-linear approximation is illustrated in Figure 1. Bar-On et al. [BDKW19] introduced a theoretical method called DLCT to characterize the property of the middle part E_m. However, it is still an open question how to expand the DLCT to cover more rounds. Subsequently, Beierle et al. [BLT20] presented several improvements of differential-linear attacks for ARX ciphers. In their work, the correlation of the middle part E_m was experimentally evaluated. Assume that a differential 2 (1 + q), and the approximation for the middle part E_m holds with probability Pr 2 (1 + r) (or with correlation r), where · denotes the inner product between two vectors. Under the assumption of independence between the subciphers, the probability of the differential-linear approximation can be simply estimated using the Piling-up Lemma, Pr[ ). Therefore, one can distinguish the cipher E from a random permutation using N = O(p^{−2} r^{−2} q^{−4}) chosen plaintext pairs (P, P ⊕ Δ_in).
Success Probability. In [BLN17], Blondeau et al. gave the success probability of a key-recovery attack in the differential-linear context by adapting the one of linear cryptanalysis in [Sel08], where Φ is the cumulative distribution function of the standard normal distribution, p_dl is the probability of the differential-linear distinguisher, N is the number of chosen plaintext pairs and a is the advantage of the attack as defined in [Sel08].
Figure 1: The framework of differential-linear approximation

Automatic Tool of DL Approximation for S-box-Based Ciphers
In this section, we first present the automatic tool, i.e. an MILP model to search differential-linear (DL) approximations for the overall framework shown in Figure 1. For efficiently computing the correlation of the middle part E_m in the MILP model, we show how to derive the propagation of the correlation of differential-linear approximations for S-boxes. At last, a theoretical estimation of the correlation of DL approximations is given for GIFT-128.

MILP Model of Searching DL Approximations
The R-round cipher E is divided into three parts The remaining and central question is how to encode the partial DLCT with its correlations into the MILP model. Note that the objective function is required to be linear in an MILP model. For encoding the correlations of the partial DLCT, we introduce auxiliary variables. Precisely, for the input difference δ_m and output linear mask γ_m of E_m, an auxiliary variable z_{δm,γm} is introduced. When Δ_m = δ_m and Γ_m = γ_m, the auxiliary variable z_{δm,γm} equals one; otherwise zero. So, an auxiliary variable is set for choosing a specific pattern of difference and linear mask in E_m. To model the rule of choosing the pattern of E_m in MILP, we derive Theorem 1 to express the pattern-choosing rule with linear inequalities.
if and only if z = β can be equivalently described by the following two inequalities: where m ≥ n.
For the condition that ( , the upper inequality excludes the possibility that z ≠ β and the lower inequality always holds. For the condition that ( , the lower inequality excludes the possibility that z = β and the upper inequality always holds.
Therefore, these two cases do not satisfy the system of the above two inequalities. While the other two cases ( Theorem 1 is actually an extension of the one in [SHW+14b]. According to Theorem 1, we can use two inequalities to describe the pattern-choosing rule that (Δ_m, Γ_m) = (δ_m, γ_m) if and only if z_{δm,γm} = 1. So, the correlation of E_m can be expressed as z_{δm,γm} C_m[δ_m, γ_m], which is a linear function and can be used in MILP models.
Modeling the parts E_d and E_l. Here, we briefly describe how to construct MILP models to search linear and differential trails of GIFT-128. The details for modeling the linear part E_l are as follows. For the S-box of GIFT-128, since there are 3 possible correlations, i.e., 1, 2^{−1}, 2^{−2}, we add two extra bits (q_0, q_1) to encode the correlation of the linear mask propagation. Therefore, a vector (x_0, ..., x_3, y_0, ..., y_3, q_0, q_1) ∈ R^{10} can describe a linear mask pattern with its correlation for the S-box. Then by SageMath, 454 inequalities are derived through computing the H-representation of the convex hull, and the number of inequalities is reduced to 20 by the greedy algorithm in [SHW+14a]. Since the PermBits(·) transform is a simple permutation on a 128-bit state, there is no need to introduce new inequalities. Besides, we can ignore the AddRoundKey transform in the linear trail (and likewise in the differential-linear context). The correlation of the linear trail through E_l is expressed as (q_0 + 2q_1).
With regard to the differential trails, the modeling process is similar to the one above. In [ZDY19], an MILP-based automatic method to search differential trails for GIFT-128 was presented. For the differential part E_d, we just adopt their method to model the differential patterns with their probabilities for the S-box of GIFT-128. Refer to [ZDY19] for details. The probability of the differential trail through E_d is denoted as As a result, we integrate the three parts into a whole MILP model to search for differential-linear approximations. The objective function is the minimization of the formula (3p , which denotes the total correlation of the differential-linear approximation through the cipher
Single-bit input difference and output linear mask. Let b denote the state size of the block cipher. There are b possibilities for the single-bit input difference, and the same for the single-bit output mask. The single-bit input difference δ_m is determined by the position of its active bit, and likewise for the output mask γ_m. So, an auxiliary variable z_{δm,γm} depends on two bits, i.e. one bit of the input difference and one bit of the output mask. In this simplest case, the pattern-choosing rule can be interpreted as the AND operation, i.e., the auxiliary variable z equals one if and only if the bit x_0 of the input difference and the bit x_1 of the output mask are both one. According to Theorem 1, we can use two inequalities to describe the pattern-choosing rule, namely z + 1 ≥ x_0 + x_1 and x_0 + x_1 ≥ 2z. As a result, there are in total b × b auxiliary variables z_{δm,γm} for choosing the pattern of input difference and output linear mask of E_m.
For more general cases, the method can still be applied, but there will be too many auxiliary variables, so the MILP model will be very time-consuming to solve.

Propagation of Correlation of DL Approximations for S-box
In this subsection, we show how to theoretically and efficiently estimate the correlation of DL approximations for the S-boxes of ciphers, given their DDTs or ANFs.
Calculating the correlation of DL approximations for GS from its DDT. To obtain the propagation rules of DL approximations for S-boxes, we first recall Observation 1 in [LSL21]. For the case of the differential-linear approximation of S-boxes, let be the output. Let Δx denote the input difference between x and another input x′, i.e., Δx = x ⊕ x′, with correlation c_i = Cor[Δx_i] = 2 Pr[Δx_i = 0] − 1, and Δy = y ⊕ y′ the output difference, where y′ = S(x′). Then the probability/correlation of the output difference Δy_i = 0 can be determined by the following formula Next, from the view of the DDT of the S-box, we present a way, i.e., Algorithm 1, to derive the propagation of the correlation of DL approximations for S-boxes. This works as follows: for a fixed row of the DDT, first sum the entries of the DDT column by column, multiplied by a row-dependent probability, then sum the results over all rows. Algorithm 1 gives an interpretation of the propagation rule of DL approximations from the perspective of differentials. Note that we can focus on and sum over only the non-zero entries of the DDT in Algorithm 1. From the view of the DDT, the propagation of the DL approximation of an S-box is a row-weighted sum of all non-zero entries of the DDT. So the propagation of the DL approximation takes all possibilities of input/output difference into account, with the distribution of the input difference under some independence assumption.
We have implemented Algorithm 1 by symbolic programming in SageMath. Refer to the full paper for the details of the code. The SageMath implementation can also be easily used to analyze other ciphers' S-boxes, such as PRESENT and SKINNY; see the full paper for the details.
Calculating the correlation of DL approximations for GS from its ANF. Now we discuss the DL approximation of an S-box from another view, i.e., the algebraic view proposed in [LLL21]. By replacing Δx_in with a variable vector for the input difference and adding its distribution into D in Algorithm 3 of [LLL21], we derive the propagation of the DL approximation of the S-box for an arbitrary output linear mask, as depicted in Algorithm 2.
By performing either Algorithm 1 or Algorithm 2, we get the following proposition to describe the propagation of the correlation of DL approximations for the S-box of GIFT.
The corresponding output difference of GS is denoted by Δy = (Δy_3, Δy_2, Δy_1, Δy_0), i.e., y = GS(x) and Δy = GS(x) ⊕ GS(x ⊕ Δx). Assuming the bits of x and Δx are independent, we have Proposition 1 considers the propagation of differences in single bits, and we refer to the full paper for the DL approximation of the S-box with an arbitrary output linear mask.
Independence assumption of Proposition 1. The assumption of the independence of the input bits always holds, since the GIFT round function is a bijection. The independence assumption on the four bits of the input difference is reasonable for GS because the four bits input to one S-box originate from different S-boxes of the previous round, due to the property of the bit permutation in the linear layer. Our experiments show that the independence between the four bits of the input x and the four bits of the input difference Δx is also reasonable. More exactly, we have verified that Pr[(x, Δx) = a] = 2^{−n} ∏_{i=0}^{n−1} (1 + (−1)^{a_{n+i}} c_i)/2 holds with probability greater than 0.98, within an allowed error of 10%. In the experiments, we set x and Δx to the bits and difference bits input to the same S-box of the sixth round of GIFT, and the input difference of the first round to a random difference with Hamming weight up to three, and verify the equation for all possible a and repeat it hundreds of times.
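As an added example (not the paper's SageMath code), the following Python snippet carries out Algorithm 1 as described above: the DL correlation of an S-box is computed as a row-weighted sum over its DDT, with the input-difference distribution Pr[Δx] = ∏ (1 + (−1)^{Δx_i} c_i)/2 derived from the per-bit correlations c_i. The S-box table GS is the published GIFT S-box from [BPP+17] (the excerpt defers it to the full paper); bit i of a nibble is its i-th least significant bit, so c[i] = Cor[Δx_i]. It goes beyond the single-bit case of Proposition 1 by accepting an arbitrary output linear mask γ, and it cross-checks the DDT-based result against a direct enumeration of the S-box.

```python
# Added example: Algorithm 1 (DL correlation of an S-box from its DDT).
# GS is the GIFT S-box as published in [BPP+17]; bit i = i-th LSB.
GS = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9,
      0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]


def sbox_size(sbox):
    """Number of input/output bits n of a 2^n-entry S-box."""
    return len(sbox).bit_length() - 1


def ddt(sbox):
    """Differential Distribution Table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x in range(size):
        for dx in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def input_diff_distribution(c):
    """Pr[dx] for every dx, assuming the bits of dx are independent and
    bit i has correlation c[i] = Cor[dx_i] = 2 Pr[dx_i = 0] - 1."""
    n = len(c)
    dist = []
    for dx in range(1 << n):
        p = 1.0
        for i in range(n):
            bit = (dx >> i) & 1
            p *= (1 + (-1) ** bit * c[i]) / 2
        dist.append(p)
    return dist


def parity(v):
    return bin(v).count("1") & 1


def dl_correlation(sbox, c, gamma):
    """Algorithm 1: Cor[gamma . dy] = sum_dx Pr[dx] * sum_dy DDT[dx][dy]/2^n * (-1)^(gamma.dy).
    Only non-zero DDT entries and non-zero-probability rows contribute."""
    n = sbox_size(sbox)
    table = ddt(sbox)
    dist = input_diff_distribution(c)
    cor = 0.0
    for dx in range(1 << n):
        if dist[dx] == 0.0:
            continue
        row = 0  # column-by-column sum of the fixed DDT row, signed by gamma.dy
        for dy in range(1 << n):
            if table[dx][dy]:
                row += table[dx][dy] * (-1) ** parity(gamma & dy)
        cor += dist[dx] * row / (1 << n)
    return cor


def single_bit_correlations(sbox, c):
    """Cor[dy_j = 0] for each output bit j (the single-bit case of Proposition 1)."""
    return [dl_correlation(sbox, c, 1 << j) for j in range(sbox_size(sbox))]


def dlct_entry(sbox, dx, gamma):
    """A fixed input difference dx is the special case c_i = +1 (bit i never
    flips) or -1 (bit i always flips); this recovers the DLCT entry."""
    n = sbox_size(sbox)
    c = [-1 if (dx >> i) & 1 else 1 for i in range(n)]
    return dl_correlation(sbox, c, gamma)


def dlct_bruteforce(sbox, dx, gamma):
    """Reference value: average of (-1)^(gamma . (S(x) ^ S(x ^ dx))) over all x."""
    n = sbox_size(sbox)
    total = sum((-1) ** parity(gamma & (sbox[x] ^ sbox[x ^ dx])) for x in range(1 << n))
    return total / (1 << n)


if __name__ == "__main__":
    # Example: input difference fixed to 0x1 versus a uniformly random one.
    print("dx = 0x1 :", single_bit_correlations(GS, [-1, 1, 1, 1]))
    print("uniform  :", single_bit_correlations(GS, [0, 0, 0, 0]))
```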

Estimation of Correlation of DL Approximation for GIFT-128
Here, we give an example for GIFT-128 to demonstrate the theoretical estimation of the correlation of DL approximations by using Proposition 1.
In Figure 2, for r-round GIFT-128, the blue symbol x denotes the logarithm of the maximum correlation over single-bit input differences and output masks as theoretically estimated by Proposition 1, the black circle the one estimated by the sampling experiment, and the red line the error percentage, which is defined as the absolute value of the difference between the theoretical value and the experimental value, divided by the experimental value. Since at most 2^{34} random plaintext pairs are used for each of 2^{3} random keys, a correlation of about |Cor| > c · 2^{−17} = 2^{−13.5} can be detected (where c ≈ √128 for a reasonable estimation error). As shown in Figure 2, the theoretical estimations of the correlation of DL approximations match the experimental results in the first eight rounds, and the error percentage remains within 55%. As for the trend of the correlation with an increasing number of rounds, the correlation of the DL approximation decreases for GIFT-128, especially sharply after eight rounds.

Differential-Linear Attacks on GIFT-COFB
In this section, we present our differential-linear attacks on GIFT-COFB, including the attacks on the message processing phase and the initialization phase.

Attack on Message Processing Phase
We first present the procedure of automatically searching differential-linear distinguishers with the assistance of the MILP model. Then the key-recovery attack on GIFT-COFB is given based on the new distinguisher.
Before showing the details of the analysis, let us take a look at the restriction on active bits in attacks on the message processing phase of GIFT-COFB. The attack on the message processing phase is illustrated in the figure of the full paper. From the plaintext-ciphertext pair of GIFT-COFB ), we can get the input-output pair of the cipher GIFT-128, and the input is Under the nonce-misuse scenario, another input-output pair can be chosen for GIFT-128. Since L is unknown (depending on the nonce and the secret key), we cannot get the value from the most significant 64 bits of the input of GIFT-128 back to (G(Y[a]) ⊕ M[1])[64 − 127]. So, the data structure in the key-recovery attacks should not involve the most significant 64 bits of GIFT-128's input.
As stated in [SWW21b], given that GIFT-128 achieves full diffusion after four rounds, we conjecture that the maximum number of rounds annexed before the linear distinguisher in the attack on GIFT-COFB is three. Similarly, the maximum number of rounds extended before the differential-linear approximation is assumed to be three. In [SWW21b], extra variables and Boolean expressions were introduced into the model to satisfy the restriction that there are no active bits in the most significant 64 bits of the input of GIFT-128.
By exploiting the structural properties of GIFT-128, we have found a phenomenon of the differential propagation of 3-round GIFT-128. The phenomenon is summarized in Proposition 2, which reveals that the most significant 64 bits of GIFT-128's input always go to another fixed set of 64 bits after three rounds. According to Proposition 2, the restriction on active bits for key-recovery attacks can be directly converted into a restriction on the distinguisher's inputs.
Proposition 2. Let ΔP be the input difference of the plaintext, and ΔX_4 be the input difference of the 4-th round, i.e., the output difference of the 3-rd round. If Index(ΔX_4) ⊆ S , then Index(ΔP) ⊆ {0, 1, ..., 63} after three rounds backward, and vice versa, where the Index(·) function returns the indices on which the value is non-zero, and
Proof. Due to the invertibility of GS, the input difference at a single S-box is zero if and only if the output difference is zero. Besides, the transformation SubCells, which applies 32 parallel S-boxes, does not change the position of bits. Therefore, the function Index(·) remains unchanged through the transformation SubCells in terms of the S-boxes.
Since the set of bit positions S_1 = {0, 1, ..., 63} corresponds to the bit positions of the S-boxes {0, 1, ..., 15}, Index(ΔP) ⊆ S_1 if and only if Index(ΔX^{S1}) ⊆ S_1. Because the transformation PermBits maps the set S_1 to the set of bit positions 97, ..., 107}, Index(ΔX^{S1}) ⊆ S_1 if and only if Index(ΔX^{P1}) ⊆ S_2. We can ignore the transformation AddRoundKey, because it does not affect the propagation of differences.
Since the set S_3 corresponds to the bit positions of the S-boxes {2i | i = 0, 1, ..., 15}, Index(ΔX^{P2}) ⊆ S_3 if and only if Index(ΔX^{S3}) ⊆ S_3. Because the transformation PermBits maps the set S_3 to the set of bit positions 3 ) ⊆ S_3 if and only if Index(ΔX^{P3}) ⊆ S_4, and the same holds for Index(ΔX_4). This completes the proof.

Searching Differential-Linear Approximations
The specialized MILP model is applied to assist in searching differential-linear distinguishers for the message processing phase of GIFT-COFB. To keep the analysis simple and get a better result, the input difference and output linear mask of E_m are restricted to be single-bit. The correlation of the differential-linear approximation of E_m is theoretically estimated according to the propagation of the correlation of DL approximations for GS, as shown in Proposition 1. After constructing the partial DLCT of E_m, the specialized MILP model is obtained to search for differential-linear approximations. In the test phase, no R-round differential-linear approximation with a correlation greater than 2^{−32} is found by our model when R ≥ 14. Targeting the 13-round cipher E, with the setting r_d = 3, r_m = 8, and r_l = 2, we can find better differential-linear distinguishers. In the key-recovery phase, with some subkey bits guessed, the distinguishers can be extended backward by three rounds and appended forward by two rounds. Note that the differential-linear distinguisher with the greatest correlation may not lead to the best key-recovery attack. Therefore, to obtain an attack as good as possible, we store thousands of distinguishers with high correlation and find the optimal one that has the lowest complexities in the key-recovery attack. In Gurobi, the parameter PoolSolutions is used to find the l best solutions. Therefore, we collect the top l = 1024 differential-linear distinguishers with a correlation greater than 2^{−32}. When we extend three rounds at the top and append two rounds at the bottom of these distinguishers, the minimum number of guessed subkey bits is 39. Only one differential-linear distinguisher achieves this minimum number of guessed subkey bits.
As a result, we exploit the 13-round differential-linear approximation with a correlation of 2^{−29.76}, which has the minimum number 39 of guessed subkey bits; the indices of the active bits in its input difference are Index_{Δin} = {84, 92, 94}, and the indices of the active bits in its output linear mask are Index_{Γout} = {10, 59, 105}. The differential-linear distinguisher is constructed from an 8-round differential-linear approximation of E_m with correlation 2^{−12.76}, a 3-round differential trail of E_d with probability 2^{−11} and a 2-round linear trail of E_l with correlation 2^{−3}. The two trails are shown in the tables in the full paper. By a sampling experiment with 2^{33} random plaintext pairs for each of 2^{3} random keys, we have checked the correlation of the 8-round E_m, which is about 2^{−11.78} with the input difference at the 95-th bit and the output linear mask at the 39-th bit. Therefore, the correlation of the 13-round differential-linear approximation is estimated as 2^{−11} × 2^{−11.78} × 2^{−3×2} = 2^{−28.78}, which is used in the following.

Key-recovery Attack
With the 13-round differential-linear approximation, an 18-round key-recovery attack on GIFT-COFB is given by appending three rounds at the top and two rounds at the bottom of this distinguisher. As illustrated in Table 4, the key-recovery attack is described by the following procedure, where the 39 key bits guessed during the attack are listed in Table 5. In Table 4, the bit ordering is first from right to left, then from bottom to top. The symbol indicates the inactive bits of the state. In the differential trail propagation, '*' denotes an uncertain bit of difference and '1' denotes an active bit of difference. In the linear trail propagation, '•' indicates a bit whose value needs to be computed, and '1' indicates a bit that is linearly involved.

1. Select 2N plaintexts, consisting of 2N/2^32 structures, each chosen by selecting: (a) any intermediate X_P1, and the remaining 2^32 − 1 intermediate values which differ from X_P1 in all the other 2^32 − 1 possibilities of the 32 bits which enter the 8 active S-boxes in round 1, i.e., {64 : 79, 96 : 111}.
2. Request the ciphertexts of these plaintext structures (encrypted under the unknown key K).
4. The rest of the key bits are then recovered by exhaustive search.

Complexity analysis.
We set the advantage of the attack as a = 26 to balance it against the exhaustive search. When the data complexity is D = 2N = 2^64, the success probability is 85.23%. Therefore, the time complexity of the procedure is

Attack on Initialization Phase
The attack on the initialization phase of GIFT-COFB is similar to the one on the encryption procedure in the message processing phase. For searching differential-linear distinguishers, compared with the message processing phase, there is no restriction on the active bits of the input difference of the distinguisher for the initialization phase. In the following, we first give the new differential-linear distinguisher, and then present the key-recovery attack based on it.
Differential-linear distinguisher. With the automatic tool, we found a 13-round differential-linear approximation with correlation 2^-27.78, whose active bits in the input difference are Index_Δin = {86, 87, 94, 95} and in the output linear mask are Index_Γout = {10, 59, 105}. Compared with the differential-linear distinguisher for the message processing phase, this 13-round distinguisher has a different 3-round differential trail of E_d with probability 2^-10, and the same 8-round differential-linear approximation of E_m and 2-round linear trail of E_l. The new 3-round differential of E_d is shown in the full paper.
Key-recovery attack. Based on the above 13-round differential-linear approximation, an 18-round key-recovery attack is given on the initialization phase of GIFT-COFB by extending three rounds at the top and appending two rounds at the bottom of this distinguisher. The key-recovery attack is presented in the full paper, where 41 key bits are guessed. For the details of the attack procedure, please refer to the full paper.

Differential-Linear Attacks on HyENA
In this section, we first give the differential-linear distinguisher found by the specialized MILP model for the message processing phase of HyENA. Then, based on the distinguisher, the key-recovery attacks on the message processing phase of HyENA are given.
For the attacks on the message processing phase, the target is the encryption procedure illustrated in the full paper. From a plaintext-ciphertext pair of HyENA (M_0 || M_1, C_0 || C_1), we can obtain an input-output pair of the cipher GIFT-128, and the input is where Y_a = M_0 ⊕ C_0. Under the nonce-misuse scenario, another input-output pair can be chosen for GIFT-128. Because the value of ∆ is unknown, we cannot determine the least significant 64 bits of the input to GIFT-128. So the data structure used in our key-recovery attacks cannot involve the least significant 64 bits of the input to GIFT-128.
Similar to the case of GIFT-COFB, we can derive the following proposition for HyENA (in fact the complement of Proposition 2; the result is obtained in the same way).
Proposition 3. Let ∆P be the input difference of the plaintext, and ∆X_4 be the input difference of the 4-th round, i.e., the output difference of the 3-rd round. If Index(∆X_4) ⊆ S′, then Index(∆P) ⊆ {64, 65, ..., 127} after three rounds backward, and vice versa, where the Index(•) function returns the indices on which the value is non-zero, and
Therefore, we set the specialized MILP model to search for DL approximations for HyENA such that there is no active bit in {0, 1, ..., 127} \ S′, where S′ is defined in Proposition 3. By Proposition 3, the DL distinguishers returned by the specialized MILP model always satisfy the restriction imposed in the key-recovery attack.

Searching Differential-Linear Approximations
The specialized MILP model is applied to search for differential-linear approximations for the message processing phase of HyENA. Similarly, the input difference and output linear mask of E_m are restricted to be single-bit. In the test phase, no R-round differential-linear approximation with a correlation greater than 2^-32 is found in our MILP model when R ≥ 14. As a result, we found a 13-round differential-linear approximation with correlation 2^-30.37; the indices of the active bits in its input difference are Index_Δin = {96, 98, 104}, and the indices of the active bits in its output linear mask are Index_Γout = {49, 82, 99}. The differential-linear distinguisher is constructed from an 8-round differential-linear approximation of E_m with correlation 2^-13.37, a 3-round differential trail of E_d with probability 2^-11 and a 2-round linear trail of E_l with correlation 2^-3. The two trails are shown in the full paper. By a sampling experiment with 2^33 random plaintext pairs for each of 2^3 random keys, we have checked the correlation of the 8-round E_m, which is about 2^-12.51 with the input difference at the 19-th bit and the output linear mask at the 3-rd bit. Therefore, the correlation of the 13-round differential-linear approximation is estimated as 2^-11 × 2^-12.51 × 2^(-3×2) = 2^-29.51, which is used in the following.

Key-recovery Attack
With the 13-round differential-linear approximation, we give an 18-round key-recovery attack on HyENA by extending three rounds at the top and appending two rounds at the bottom of the distinguisher. The key-recovery attack is illustrated in Table 6, where 39 key bits are guessed. For the detailed procedure of the attack, please refer to the full paper.
Complexity analysis. The advantage of the attack is set as a = 9 to balance it against the exhaustive search. When the data complexity is D = 2N = 2^63.97, the success probability is 85.21%. Therefore, the time complexity of the procedure is T = 2^22 × (2^17 × 2N) × 12/(18×32) + 2^(128−a) = 2^119.
Remark. The attack on the initialization phase of HyENA is similar to the one on the message processing phase. Compared with the message processing phase, the input difference can be imposed on the 96 most significant bits. Therefore, the attack on the message processing phase can also be launched against the initialization phase of HyENA.

Differential-Linear Cryptanalysis of GIFT-64/128
To promote a comprehensive perception of the soundness of GIFT-64/128, we evaluate the security of GIFT-64/128 against differential-linear attacks in this section.

Attack on GIFT-64
First, a 12-round differential-linear approximation is found, and then we give an 18-round key-recovery attack on GIFT-64 based on the DL approximation.
Searching differential-linear approximation. To simplify, the input difference and output linear mask of E_m are restricted to be single-bit. In the test phase, we could not find any R-round differential-linear approximation with correlation greater than 2^-32 when R ≥ 13. For 12-round GIFT-64, with the setting r_d = 2, r_m = 7 and r_l = 3, better differential-linear distinguishers were found. With the automatic tool, we found a 13-round differential-linear approximation with correlation 2^-28.61, whose active bits in the input difference are Index_Δin = {34, 35, 38, 39} and in the output linear mask are Index_Γout = {20, 30, 41, 54, 58, 60}. The differential-linear distinguisher consists of a 7-round differential-linear approximation of E_m with correlation 2^-10.61, a 2-round differential trail of E_d with probability 2^-6 and a 3-round linear trail of E_l with correlation 2^-6, which are shown in the full paper. The theoretical estimate of the correlation, 2^-28.61, is used in the following analysis of the attack complexity.
Key-recovery attack. Based on the above 12-round differential-linear distinguisher, an 18-round key-recovery attack is given by appending three rounds at the top and three rounds at the bottom of this distinguisher. The key-recovery attack on 18-round GIFT-64 is given in the full paper, where 66 key bits are guessed.

Complexity analysis.
The advantage of the attack is set as a = 6 to balance it against the exhaustive search. When the data complexity is D = 2N = 2^61.57, the success probability is 85.07%. The time complexity of the procedure is T = 2^66 × 2N × 31/(18×16) + 2^(128−a) = 2^124.61.

Attack on GIFT-128
In this section, we present a key-recovery attack on 19 rounds of GIFT-128 based on a 17-round differential-linear approximation. The differences from the attack on GIFT-COFB are that there is no data limitation of 2^64 (the data is bounded only by the full codebook of block size 2^128) and that there is no restriction of the input difference on the least significant 64 bits for GIFT-128.

Conclusion
In this paper, we evaluated the security of GIFT-64/128, GIFT-COFB and HyENA against differential-linear cryptanalysis. An automatic tool was developed for searching differential-linear approximations for S-box-based ciphers. With our automatic tool, we found 13-round differential-linear distinguishers for GIFT-COFB and HyENA, and 18-round key-recovery attacks were given on both ciphers, which cover two rounds more than the previous best ones. As regards GIFT-64 and GIFT-128, 12-round and 17-round differential-linear distinguishers were found, leading to 18-round and 19-round key-recovery attacks respectively. The attacks on GIFT-64 and GIFT-128 do not reach the same number of rounds as the best attacks obtained by differential cryptanalysis in [CZD19] and [ZDC+21] respectively, and the same holds for the linear case. We stress again that our attacks do not threaten the security of these ciphers.
In future work, we will continue to improve the automatic tool for differential-linear cryptanalysis. Although (differential-linear) distinguishers covering more rounds are found, fewer rounds are appended at the top and bottom of the distinguishers to launch the key-recovery attacks. Therefore, more advanced techniques may further improve the key-recovery attacks in differential-linear cryptanalysis, such as the fast Fourier transform (FFT) and the filtering technique with guessing of partial S-boxes. Another direction is how to integrate the key-recovery part into the MILP model. This strategy could be used in our attacks, and we will further investigate how it could improve the results. Furthermore, we are going to analyze other ciphers and evaluate their security with the automatic tool.

Figure 2: Estimation of the maximum correlation for r-round GIFT-128, where x denotes the theoretical value, the black circle the experimental value, and the red line the error percentage.

Table 2: Summary of attacks on GIFT-64/128, GIFT-COFB and HyENA. For GIFT-64/128, the target of the attacks is the encryption phase (Enc. for short). For the two AEADs GIFT-COFB and HyENA, we consider attacks on the initialization phase (Init.P.) and the message processing phase (Msg.P.). For the attack types, Diff. denotes differential attacks, Lin. linear attacks and DL differential-linear attacks.
GIFT, proposed by Banik et al. [BPP+17] at CHES 2017, has two versions, namely GIFT-64 and GIFT-128. Both have the same key length of 128 bits, while the block sizes are 64 and 128 bits respectively. Here we mainly describe GIFT-128; GIFT-64 has a similar structure. For more details, please refer to [BPP+17].

Table 3: The notations of GIFT (table residue): the i-th bit of the round key, and the same for RK′[i].

Table 5: The 39 guessed key bits for the message processing phase of 18-round GIFT-COFB (partial row): k91 k27 k90 k26 k89 k25 k88 k24 k83 k19 k82 k18 k81 k17 k80 k16

Table 6: The attack on the message processing phase of 18-round HyENA.