Programming the Demirci-SelcukMeet-in-the-Middle Attack with Constraints

Danping Shi1,2, Siwei Sun1,2,3?, Patrick Derbez4, Yosuke Todo5

Bing Sun6, and Lei Hu1,2,3

1 State Key Laboratory of Information Security, Institute of InformationEngineering, Chinese Academy of Sciences, China

2 Data Assurance and Communication Security Research Center,Chinese Academy of Sciences, China

3 School of Cyber Security, University of Chinese Academy of Sciences, China{shidanping, sunsiwei, hulei}@iie.ac.cn

4 Univ Rennes, CNRS, IRISA, France patrick.derbez@irisa.fr5 NTT Secure Platform Laboratories, Japan todo.yosuke@lab.ntt.co.jp

6 College of Liberal Arts and Sciences, National University of Defense Technology,China happy come@163.com

Abstract. Cryptanalysis with SAT/SMT, MILP and CP has increasedin popularity among symmetric-key cryptanalysts and designers due toits high degree of automation. So far, this approach covers differential,linear, impossible differential, zero-correlation, and integral cryptanaly-sis. However, the Demirci-Selcuk meet-in-the-middle (DS-MITM) attackis one of the most sophisticated techniques that has not been automatedwith this approach. By an in-depth study of Derbez and Fouque’s workon DS-MITM analysis with dedicated search algorithms, we identify thecrux of the problem and present a method for automatic DS-MITM at-tack based on general constraint programming, which allows the crypt-analysts to state the problem at a high level without having to say howit should be solved. Our method is not only able to enumerate distin-guishers but can also partly automate the key-recovery process. Thisapproach makes the DS-MITM cryptanalysis more straightforward andeasier to follow, since the resolution of the problem is delegated to off-the-shelf constraint solvers and therefore decoupled from its formulation.We apply the method to SKINNY, TWINE, and LBlock, and we get thecurrently known best DS-MITM attacks on these ciphers. Moreover, todemonstrate the usefulness of our tool for the block cipher designers, weexhaustively evaluate the security of 8! = 40320 versions of LBlock in-stantiated with different words permutations in the F functions. It turnsout that the permutation used in the original LBlock is one of the 64permutations showing the strongest resistance against the DS-MITM at-tack. The whole process is accomplished on a PC in less than 2 hours.The same process is applied to TWINE, and similar results are obtained.

Keywords: Demirci-Selcuk meet-in-the-middle attack, Automated crypt-analysis, Constraint programming, MILP

? The corresponding author

1 Introduction

Cryptanalysis of block ciphers is a highly technical, time consuming and error-prone process. On the one hand, the attackers have to perform a variety ofcryptanalytic techniques, including differential attack [1], linear attack [2], inte-gral attack [3–5], etc., to see which technique leads to the best attack. On theother hand, the designers need to repeat all these different attacks again andagain to identify the optimal choices of parameters and building blocks whichmeet the security and implementation requirements. Therefore, automatic toolsare indispensable to the community, which significantly reduce the manual workand make a thorough exploration of the design/analysis space possible.

One paradigm for automatic symmetric-key cryptanalysis getting increasingpopularity in recent years is to model the problem by means of constraints, whichincludes the methods based on SAT/SMT (satisfiability modulo theory) [6–8],MILP (mixed-integer linear programming) [9–13], and classical constraint pro-gramming [14, 15]. In this paper, these methods are collectively referred to asthe general constraint programming (CP) based approach, or just CP based ap-proach for short. So far, the CP based approach covers a wide range of symmetric-key cryptanalysis techniques. For instance, we can determine the minimum num-ber of differentially or linearly active S-boxes of a block cipher with MILP [9]; wecan search for actual differential characteristics, linear characteristics, and inte-gral distinguishers with SAT/SMT, MILP or classical constraint programming[8, 10, 11, 14]; and we can search for impossible differentials and zero-correlationlinear approximations [12, 16] in a similar way.

Compared with search algorithms implemented from scratch in general pur-pose programming languages [17–24], the CP based approach allows the crypt-analysts to state the problem very naturally, and at a high level without havingto say how it should be solved. The resolution of the problem is delegated togeneric solvers, and therefore decoupled from the formulation of the problem.As Eugene C. Freuder stated [25]: Constraint programming represents one of theclosest approaches computer science has yet made to the Holy Grail of program-ming : the user states the problem, the computer solves it.

However, the Demirci-Selcuk meet-in-the-middle attack (DS-MITM) attack[26], introduced by Demirci and Selcuk at FSE 2008 to attack the famous Ad-vanced Encryption Standard (AES) [27], is one of the cryptanalytic techniqueswhich has not been automated with general constraint programming due toits extraordinary sophistication. After a series of improvements of the attackwith various creative techniques [28–32], the DS-MITM attack reaches the bestknown attack on 7-round AES-128, 9-round AES-256 and 10-round AES-256in the single-key model. The attack has been applied to several specific blockciphers [33–36] as well as on generic balanced Feistel constructions [37]. Mostrecently, Guo et al. show generic attacks on unbalanced Feistel ciphers based onthe DS-MITM technique which penetrate a large number of rounds of some spe-cific class of unbalanced Feistels [38]. Note that despite sharing the same namewith the traditional MITM attacks in some literature (the attacks on some block

ciphers [39, 40] and on a number of hash functions, e.g. [41, 42]), the DS-MITMattack concerned in this paper follows a different and a more complex strategy.

Related work and our contribution. In [30, 31], Derbez and Fouque presenteda tool implemented in C/C++ for finding the DS-MITM attack with dedicatedsearch algorithm. In this paper, we present the first CP-based tool for findingthe DS-MITM attack automatically. Our approach is based on a novel modellingtechnique in which we introduce several different types of variables for everyinput/output word of all operations, and impose constraints on these variablessuch that from a solution of these variables satisfying all the constraints we candeduce a DS-MITM distinguisher or DS-MITM attack.

Compared with Derbez and Fouque’s tool [30, 31] which was implementedin the general purpose programming language C/C++, the CP based methodallows the cryptanalysts to state the problem at a high level very naturally,without considering how to maintain the relationships between the variablesexplicitly with dedicated algorithms. Therefore, our tool should be very usefulin fast prototyping in the process of block cipher design.

In [43], Lin et al. modeled the problem of searching for DS-MITM distin-guishers as an integer programming model. However, their integer programmingmodel is incomplete and is solved by a dedicated search algorithm. Secondly,Lin et al. ’s work only focuses on the distinguisher part. Our CP based approachcan not only enumerate distinguishers but also partly automate the key-recoveryprocess of the attack. Moreover, by applying our CP based approach to LBlock,the same cipher targeted in [43], we show it finds better distinguishers as wellas better attacks. To demonstrate the effectiveness of our approach, we applyit to SKINNY [44], TWINE [45], and LBlock [46]. We produce so far the bestDS-MITM attacks on these well-known ciphers automatically.

For LBlock, we can not only find an 11-round DS-MITM distinguisher whichis 2 rounds longer than the one(s) presented in [43], but also construct thefirst DS-MITM attack on 21-round LBlock. We also rediscover the same attackon TWINE-128 given in [34], and identify the first DS-MITM attack on 20-round TWINE-80. In addition, we report the first concrete DS-MITM analysisof SKINNY. A remarkable fact is that our tool identify an 10.5-round DS-MITMdistinguisher in a few seconds, while its designers expect an upper-bound of 10rounds against such distinguishers in [44]. A summary of these results are givenin Table 1.

We also show how helpful our tool can be in the block cipher design processby searching for the best choices of block shuffles in LBlock and TWINE. Wescan over 40320 variants of LBlock, and 887040 variants of TWINE. We iden-tify permutations which are potentially stronger than the permutations in theoriginal designs. We make the source code of this work publicly available at

https://github.com/siweisun/MITM.

In addition, all supplementary materials referred later on are provided in anextended version of this paper at https://eprint.iacr.org/2018/813.

Table 1: A summary of the results. Though the focus of this paper is the DS-MITM attack, we also list other types of attacks which achieve currently knownbest results against the ciphers targeted. For theDS-MITM attack, the number ofrounds attacked is presented in the form of a+b, where a shows how many roundsare covered by the underlying DS-MITM distinguisher, while b is the number orouter rounds added when performing a key-recovery attack. Therefore, b = 0indicates a distinguishing attack.

Target Rounds Time Data Memory Method Ref

LBlock

11 + 10 270.20 248 CP 261.91 DS-MITM Sect. 7.2

9 + 0 274.5 − − DS-MITM Dist. [43]

23 274.5 259.5CP 274.3 ID [47]

23 275.36 259CP 274 ID [48]

23 272 262.1 Kp 260 MultiD ZC [47]

23 276 262.1 Kp 260 MultiD ZC [49]

TWINE80

11 + 9 277.44 232 CP 282.91 DS-MITM Sect. 7.3

23 279.09 257.85 CP 284.06 ID [50]

23 273 262.1 KP 260 MultiD ZC [47]

TWINE128

11 + 14 2124.7 248 CP 2109 DS-MITM? [34]

25 2124.5 259.1 CP 278.1 ID [34]

25 2119 262.1 KP 260 MultiD ZC [47]

25 2122.12 262.1 KP 260 MultiD ZC [49]

SKINNY-128-38410.5 + 11.5 2382.46 296 CP 2330.99 DS-MITM Sect. 7.1

11 + 11 2373.48 292.22 CP 2147.22 ID [51]

? We find the attacks with the same complexity.

Organization. In Sect. 2, we give the notations used in this paper. An intro-duction of the DS-MITM attack is presented in Sect. 3. We show the generalprinciple of how to model the DS-MITM attack in Sect. 4, and subsequently inSect. 5 the technical detail of the modelling method is given. Sect. 6 discusseshow to use our method in practice. In Sect. 7, we apply our approach to SKINNY,TWINE, LBlock, AES, ARIA, and SIMON. In Sect. 8, we discuss how to use ourtool to find high-quality building blocks (with respect to the DS-MITM attack)in the process of block cipher design. Sect. 9 is the conclusion.

2 Notations

An n-bit state state with n = cnc is alternatively regarded as a sequence(state[0], state[1], · · · , state[nc − 1]) of nc c-bit words. Let A = [j0, j1, · · · , js−1]be an ordered set of integers such that 0 ≤ j0 < · · · < js−1 < nc. Then state[A]is used to represent state[j0]|| · · · ||state[js−1], where state[j] is the j-th c-bit wordof state and || is the operation of bit string concatenation.

Definition 1. A set {P 0, · · · , PN−1} ⊆ Fcnc2 = Fn2 of N = 2sc n-bit values for

state is a δ(A)-set for state with A = [k0, k1, · · · , ks−1] if P 0[A] ⊕ P j [A] = j(1 ≤ j < N), and P i[k] = P j [k] for all i, j ∈ {0, · · · , N−1} and k /∈ A. That is,{P 0, · · · , PN−1} traverse the s c-bit words specified by A while share the samevalue in other word positions.

An r-round iterative block cipher E with r = r0 + r1 + r2, depicted in Fig. 1,is a keyed permutation which transforms an n-bit state state0 into state2r step bystep with nonlinear and linear operations. In our indexing scheme, as illustratedin Fig. 1, state2k is the input state of round k, state2k+1 is the output state of thenonlinear operation of round k, and state2(k+1) is the output of round k or theinput of round k+1 for k ∈ {0, · · · , r0+r1+r2−1}. For the sake of simplicity andconcreteness, we will conduct the discussion based on Fig. 1, which visualizesthe structure of a common SP cipher. Without loss of generality, we assume thatthe key addition is performed after the linear layer L as illustrated in Fig. 1. Thebasic rule is that we should always introduce a new state for the direct inputto the nonlinear layer. For example, if the key addition is performed in betweenstate2i and the NL operation, then a new state (representing the direct input toNL) should be introduced in between the key addition and the NL operation,and the original state may be omitted (regarding the new state as an outputobtained by masking the output of the previous round with the subkey).

Note that though our discussion are based on a SP cipher illustrated in Fig. 1,the ideas and techniques presented in this paper are general enough to be appliedto other structures, such as Feistel and Generalized Feistel structures.

For convenience, a δ(A)-set {P 0, · · · , PN−1} is denoted by Pδ(A), and let∆E(Pδ(A),B) be the sequence [C0[B]⊕C1[B], · · · , C0[B]⊕CN−1[B]], where Ci =E(P i) and B = [j0, · · · , jt−1] such that 0 ≤ j0 < · · · < jt−1 < nc.

Let P , P′ ∈ Fn2 be two values of state0 shown in Fig. 1, which are often

regarded as plaintexts since state0 is the input of the encryption algorithm. Thevalue P creates a series of intermediate values during the encryption process. Wedefine P (statei) as the intermediate value at statei created by the partial encryp-tion of P . Sometimes we only care about the value of P (statei) at some specifiedword positions indexed by an ordered set I, which is denoted by P (statei[I]).We define P ⊕P ′

(statei) and P ⊕P ′(statei[I]) to be the intermediate differences

P (statei) ⊕ P′(statei) and P (statei[I]) ⊕ P ′

(statei[I]) respectively. Let C andC

′be the ciphertexts of P and P

′. An intermediate value can also be regarded

as the result of a partial decryption of the ciphertext C. Therefore, we defineC(statei), C(statei[I]), C⊕C ′

(statei), and C⊕C ′(statei[I]) similarly. Note that

in the above notations, the intermediate values or differences of intermediate val-ues are specified with respect to some plaintexts or ciphertexts. We may as wellspecify them with respect to some intermediate values, say Q = P (statej) and

Q′

= P′(statej). Hence, we may have notations such as Q(statei), Q(statei[I]),

Q⊕Q′(statei), and Q⊕Q′

(statei[I]), whose meanings should be clear from thecontext.

To make the notation succinct, if not stated explicitly, we always assumethat A = [k0, · · · , ks−1], B = [j0, · · · , jt−1], and a state state is viewed as a

Plaintext

Astate0

NL

state1

L

k0

state2E0

(0 → · · · → r0 − 1)

Involved Key: kE0

...state2(r0−1)

NL

state2(r0−1)+1

L

kr0−1Astate2r0

NL

state2r0+1

L

kr0

state2(r0+1)E1

(r0 → · · · → r0 + r1 − 1)...state2(r0+r1−1)

NL

state2(r0+r1−1)+1

L

kr0+r1−1

Bstate2(r0+r1)

NL

state2(r0+r1)+1

L

kr0+r1

state2(r0+r1+1)E2

(r0 + r1 → · · · → r0 + r1 + r2 − 1)

Involved Key: kE2

...state2(r0+r1+r2−1)

NL

state2(r0+r1+r2−1)+1

L

kr0+r1+r2−1

state2(r0+r1+r2)

Ciphertext

Fig. 1: An r-round SP block cipher E = E2 ◦E1 ◦E0 with r = r0 +r1 +r2, whoseround function consists of a layer of nonlinear operation and a layer of linearoperation. A DS-MITM key-recovery attack is performed based on a DS-MITMdistinguisher placed at E1. A more detailed explanation of this figure will begiven in Sect. 3.2.

a sequence of n bits or a sequence of nc c-bit words. Moreover, we make thefollowing assumption which is very natural for a block cipher.

Assumption 1 Let the nonlinear layer in Fig. 1 be a parallel application ofnc c × c invertible S-boxes, and I = [j : Q ⊕ Q

′(state2k[j]) 6= 0, 0 ≤ j <

nc] be an ordered set, where Q and Q′

are two values for state2k. If we knowthe value of Q(state2k[I]), then we can derive the value of Q ⊕ Q

′(state2k+1)

with the knowledge of Q ⊕ Q′(state2k[I]). Similarly, we can derive the value of

Q⊕Q′(state2k) with the knowledge of Q(state2k+1[I]) and Q⊕Q′

(state2k+1[I]).In other words, we can derive the value of the output/input differences if weknow the value of input/output values and differences at the active positions.

3 The Demirci-Selcuk Meet-in-the-Middle Attack

3.1 The DS-MITM Distinguisher

The DS-MITM attack relies on a special differential-type distinguisher. Com-pared with ordinary differential distinguishers, the DS-MITM distinguishers gen-erally lead to much stronger filters.

Let F be a keyed permutation, and Qδ(A) = {Q0, · · · , QN−1} be a δ(A)-setfor the input state of F . If F is a random permutation, then it can be shownthat there are (2ct)2cs−1 possibilities for ∆F (Qδ(A),B). But for a block cipherF , it is possible that the sequence ∆F (Qδ(A),B) can be fully determined withthe knowledge of d c-bit words. For instance, from the values of one internalstate and the master key one can derive the values for all the internal states.Therefore, given Qδ(A), we can get at most 2cd possible cases of ∆F (Qδ(A),B) bytraversing the d c-bit words. We call d the (A,B)-degree of F , which is denotedby DegF (A,B), or simply Deg(A,B) if F can be inferred from the context. IfDegF (A,B) = d is small enough such that λ = 2cd/(2ct)2cs−1 = 2c(d−t·(2

cs−1)) <1, or d < t · (2cs − 1), then we can use this property as a distinguisher andconstruct a key-recovery attack on F . Therefore, a DS-MITM distinguisher of akeyed permutation F can be regarded as a tuple (A,B,DegF (A,B)).

3.2 Key Recovery Attack based on DS-MITM Distinguisher

We now describe how a key-recovery attack can be performed with a DS-MITMdistinguisher. This part should be read while referring to Fig. 1.

As shown in Fig. 1, we divide the target cipher E into 3 parts: E0, E1, andE2, where Ei is a keyed permutation with ri rounds. As depicted in Fig. 1, E0

covers rounds (0→ · · · → r0−1), E1 covers rounds (r0 → · · · → r0 +r1−1), andE2 covers rounds (r0 + r1 → · · · → r0 + r1 + r2 − 1). According to our indexingscheme, as illustrated in Fig. 1, state0 is the input state of E0; state2r0 is theoutput state of E0 which is also the input state of E1; state2(r0+r1) is the outputof E1 or the input of E2; finally, state2(r0+r1+r2) is the output of E2.

In the attack, we place a DS-MITM distinguisher (A,B,DegE1(A,B)) at E1,

and prepare a δ(A)-set Pδ(A) of chosen plaintexts for state0, where A is the

ordered set of integers k (0 ≤ k < nc) such that V 0⊕V j(state0[k]) 6= 0 for someδ(A)-set Vδ(A) = {V 0, · · · , V N−1} for state2r0 (the input state of E1) and somej ∈ {0, · · · , N − 1}. Note that A can be obtained by propagating the differencescreated by Vδ(A) for state2r0 (the input of E1) reversely against E0.

Then we select an arbitrary plaintext P 0 from Pδ(A), and guess the secret

key information kE0 ∈ Fe02 with which we can find P 1, · · · , PN−1 in Pδ(A) such

that Qδ(A) = {Q0, · · · , QN−1} where Qj = E0(P j) forms a δ(A)-set for state2r0 .Finally, we guess the secret key information kE2

∈ Fe22 involved in E2 with whichwe can determine the sequence

∆E1(Qδ(A),B) = [C0 ⊕ C1(state2(r0+r1)[B]), · · · , C0 ⊕ CN−1(state2(r0+r1)[B])]

by partial decryption with E2, where Cj = E(P j).If the resulting sequence is not one of the possible ∆E1

(Qδ(A),B) sequenceswhich can be determined with the DegE1

(A,B) = d c-bit parameters, the guessesof kE0 and kE2 are certainly incorrect and therefore rejected. Similar to [52], weadopt the notion of |kE0 ∪kE2 | to represent the log of the entropy of the involvedsecret key bits in the outer rounds from an information theoretical point of view.

3.3 Complexity Analysis

Offline phase. Store all the 2cd possibilities of the sequence ∆E1(Qδ(A),B) in a

hash table. The time complexity is 2cd ·2cs ·ρE1CE , and the memory complexityis (2cs− 1) · ct · 2cd bits, where CE is the time complexity of one encryption withE, and ρE1

is typically computed in literature as Deg(A,B) divided by the totalnumber of S-boxes in E.

Online phase. For each of the 2|kE0∪kE2

| possible guesses, if the resulting se-quence ∆E1

(Qδ(A),B) is not in the hash table precomputed, then the guess underconsideration is certainly not correct and is discarded. The time complexity ofthis step is 2|kE0

∪kE2| ·2sc ·ρE0∪E2CE , where ρE0∪E2 is typically computed as the

number of S-boxes involved in the outer rounds divided by the total number ofS-boxes in E. After this step, the 2|kE0

∪kE2| key space is reduced approximately

to λ · 2|kE0∪kE2

|, where λ = 2c(d−t·(2cs−1)).

4 Modelling the DS-MITM Attack with Constraints: AHigh Level Overview

In this section, we give a high level overview of our modelling method with theaid of Fig. 1 and Fig. 2, which serves as a road map for the next section (Sect. 5),where the technical details are presented. To model the attack with constraintprogramming (CP) for the cipher E = E2 ◦E1 ◦E0 shown in Fig. 1, we proceedas the following steps.

Step 1. Modelling the distinguisher part• Introduce three types (X, Y , and Z) of 0-1 variables for each word of the

states state2r0 , · · · , state2(r0+r1) involved in E1. We denote the sets of alltype-X, type-Y and type-Z variables by Vars(X), Vars(Y ) and Vars(Z), re-spectively.• Introduce a set of constraints over Vars(X) to model the propagation of the

forward differential, and introduce a set of constraints over Vars(Y ) to modelthe backward determination relationship.• Impose a set of constraints on Vars(Z) such that a type-Z variable for statei[j]

is 1 if and only if the type-X and type-Y variables for statei[j] are 1 simul-taneously.

Remark 1. Under the above configuration, every instantiation of the variablesin Vars(X), Vars(Y ), and Vars(Z) corresponds to a potential DS-MITM distin-guisher. Therefore, all distinguishers can be enumerated with the above model.Also note that the key addition can be omitted while searching for distinguishersif it does not affect the propagation of the forward differential and backward de-termination relationship. This is the case for all the examples presented in thispaper, where key additions are only involved in computing the actual complex-ities.

Step 2. Modelling the outer rounds• Introduce a type-M variable for each word of the states state0, · · · , state2r0

involved in E0, and impose a set of constraints over Vars(M) to model thebackward differential. Note that there are both type-X and type-M variablesfor state2r0 . We require that the corresponding type-X and type-M variablesfor each of the nc words of state2r0 are equal.• Introduce a type-W variable for each word of the states state2(r0+r1), · · · ,state2(r0+r1+r2) involved in E2, and impose a set of constraints over Vars(W )to model the forward determination relationship. Note that there are bothtype-Y and type-W variables for state2(r0+r1). We require that the corre-sponding type-Y and type-W variables for each of the nc words of state2(r0+r1)

are equal.

Remark 2. Every solution of Vars(M) and Vars(W ) helps us to identify theinformation that needs to be guessed in the outer rounds, which will be clearerin the following.

E0

M

E1

X, Y, Z

E2

W

Fig. 2: A high level overview of the modelling method for DS-MITM attack

The overall modelling strategy is depicted in Fig. 2. In summary, given a fullsolution of the variables such that all constraints are fulfilled, we can extract thefollowing information• A : The variables in Vars(X) for state2r0 whose values are 1 indicate A;• B : The variables in Vars(Y ) for state2(r0+r1) whose values are 1 indicate B;• DegE1

(A,B) : The variables in Vars(Z) for state2j , r0 ≤ j < r0 + r1 whosevalues are 1 indicate DegE1

(A,B);• A and guessed materials in E0 : The variables in Vars(M) whose values are

1 indicate A and guessed materials in E0 which tells us how to prepare theplaintexts leading a δ(A) set at state2r0 ;

• Guessed materials in E2 : The variables in Vars(W ) whose values are 1indicate the Guessed materials in E2 with which we can derive the sequenceof differences at state2(r0+r1) from the ciphertexts.

Together this information forms a DS-MITM attack on E. Note that the guessedmaterials in E0 and E2 still need to be converted to guessed key materials, whichcan be done manually or automatically fairly straightforwardly.

According to the semantics of Vars(Z), if we draw the propagation patterns ofVars(X) and Vars(Y ) in two figures, then the propagation pattern of Vars(Z) canbe obtained by superposition of the two figures. Therefore, the key to understandthe details of the modelling of DS-MITM attack is the so-called forward/back-ward differential and forward/backward determination relationship. To make thedescription succinct and without loss of generality, we introduce the conceptsbased on a 5-round keyed permutation shown in Fig. 4 and Fig. 6. We will alsogive two concrete examples of the forward differential and backward determina-tion of a 3-round toy SPN block cipher with 32-bit (4-byte) block size. The roundfunction shown in Fig. 3 of the toy cipher consists of an S-box layer (a parallel ap-plication of four 8×8 Sboxes), and a linear layer L with yi =

⊕j∈{0,1,2,3}−{i} xj

for i ∈ {0, 1, 2, 3}.

S

S

S

S

x0

x1

x2

x3

L

AK

y0

y1

y2

y3

Fig. 3: The round function of the toy cipher

4.1 Forward Differential and Backward Differential

As shown in Fig. 4, given a set Qδ(A) of N values {Q0, · · · , QN−1} for state4

which forms a δ(A) set for the input state of round 2. For every word statei[j] (4 ≤i ≤ 10, 0 ≤ j < nc), we introduce a 0-1 variable Xi[j]. We say that the set of0-1 variables {Xi[j] : 4 ≤ i ≤ 10, 0 ≤ j < nc} models the forward differential ofQδ(A) in rounds (2→ 3→ 4) if the following conditions are satisfied.

- Conditions for state4 (the starting point of the forward differential, which isalso the input of round 2) : ∀j ∈ A, X4[j] = 1 and ∀j /∈ A, X4[j] = 0

- Conditions for rounds (2 → 3 → 4): Xi[j] = 0 (5 ≤ i ≤ 10, 0 ≤ j < nc) ifand only if ∀Qk ∈ Qδ(A), Q

0 ⊕Qk(statei[j]) = 0

Similarly, as depicted in Fig. 4, we say that the set of variables {Xi[j] : 0 ≤i ≤ 4, 0 ≤ j < nc} models the backward differential of Qδ(A) in rounds (1 → 0)if the following conditions are satisfied.

- Conditions for state4 (the starting point of the backward differential, whichis also the output of round 1): ∀j ∈ A, X4[j] = 1 and ∀j /∈ A, X4[j] = 0

- Conditions for rounds (1→ 0): Xi[j] = 0 (0 ≤ i < 4, 0 ≤ j < nc) if and onlyif ∀Qk ∈ Qδ(A), Q

0 ⊕Qk(statei[j]) = 0

NL

L

state0

state1 Round 0

NL

L

state2

state3 Round 1

NL

L

state4

state5 Round 2

NL

L

state6

state7 Round 3

NL

L

state8

state9 Round 4

state10

A

Fig. 4: Forward/backward differential illustrated on a 5-round keyed permutation

Let us give a concrete example. Let A = [3] and Qδ(A) = {(0, 0, 0, x) ∈ (F82)4 :

x ∈ F82}. Then the set of variables Xi[j] with 0 ≤ i ≤ 6 and 0 ≤ j < 4 shown in

Fig. 5 models forward differential of Qδ(A) in rounds (0→ 1→ 2) if we imposethe following constraints on Xi[j]. Since the values in Qδ(A) are active at thethird byte, we have X0[0] = X0[1] = X0[2] = 0, X0[3] = 1. For the S-layers in thetoy cipher, we have X2i[j] = X2i+1[j], 0 ≤ i ≤ 2, 0 ≤ j < 4. For the linear layers,we enforce 3X2(i+1)[j]−X2i+1[j+ 1]−X2i+1[j+ 2]−X2i+1[j+ 3] ≥ 0 to ensurethat X2(i+1)[j] will be equal to 1 when any one of X2i+1[j + 1], X2i+1[j + 2],X2i+1[j + 3] is 1. We also add the constraint

X2i+1[j + 1] +X2i+1[j + 2] +X2i+1[j + 3]−X2(i+1)[j] ≥ 0

to dictate that X2(i+1)[j] must be 0 when all of X2i+1[j + 1], X2i+1[j + 2],X2i+1[j + 3] are 0, where 0 ≤ i ≤ 2, 0 ≤ j < 4 and the indexes are computedmodulo 4. With these constraints, the Xi[j] variables propagate in a patterndepicted in Fig. 5.

state0 state1

X0[0]

X0[1]

X0[2]

X0[3]

S

S

S

S

X1[0]

X1[1]

X1[2]

X1[3]

L

AK

state2 state3

X2[0]

X2[1]

X2[2]

X2[3]

S

S

S

S

X3[0]

X3[1]

X3[2]

X3[3]

L

AK

state4 state5

X4[0]

X4[1]

X4[2]

X4[3]

S

S

S

S

X5[0]

X5[1]

X5[2]

X5[3]

L

AK

state6

X6[0]

X6[1]

X6[2]

X6[3]

Fig. 5: The forward differential of a 3-round toy cipher

4.2 Forward Determination and Backward Determination

As shown in Fig. 6, given a set Q = {Q0, · · · , QN−1} of N values for state6 and anordered set B of indices, we say that the set of variables {Yi[j] : 6 ≤ i ≤ 10, 0 ≤j < nc} models the forward determination relationship of {Q0(state6[B]), · · · ,QN−1(state6[B])} in rounds (3→ 4) if the following conditions hold.

- Conditions for state6 (the starting point of the forward determination rela-tionship, which is also the input of round 3) : ∀j ∈ B, Y6[j] = 1 and ∀j /∈ B,Y6[j] = 0

- Conditions for rounds (3 → 4): For 6 ≤ i < 10, ∀k ∈ {0, · · · , N − 1},with the knowledge of Q0 ⊕ Qk(statei+1[Bi+1]) (and Q0(statei+1[Bi+1]) ifstatei+1 is an output state of a nonlinear layer) one can deduce the valueQ0⊕Qk(statei[Bi]), where Bi+1 = [j : Yi+1[j] = 1, 0 ≤ j < nc] for 6 ≤ i < 10and B6 = B.

Similarly, as shown in Fig. 6, we say that the set of 0-1 variables {Yi[j] :0 ≤ i ≤ 6, 0 ≤ j < nc} models the backward determination relationship of{Q0(state6[B]), · · · , QN−1(state6[B])} in rounds (2 → 1 → 0) if the followingconditions hold.

- Conditions for the state6 (the starting point of the backward determinationrelationship, which is also the output of round 2): ∀j ∈ B, Y6[j] = 1 and∀j /∈ B, Y6[j] = 0

- Conditions for rounds (2→ 1→ 0): For 0 < i ≤ 6, ∀k ∈ {0, · · · , N −1} fromthe knowledge of the values Q0⊕Qk(statei−1[Bi−1]), (and Q0(statei−1[Bi−1])if statei−1 is an input state of a nonlinear layer), one can determine the valueQ0⊕Qk(statei[Bi]), where Bi−1 = [j : Yi−1[j] = 1, 0 ≤ j < nc] for 0 < i ≤ 6,and B6 = B.

Now we show a concrete example. Assume that we have a set {Q0, · · · , Q255} ={(0, 0, 0, x) ∈ (F8

2)4 : x ∈ F82} of 28 values for state0, as depicted in Fig. 7. Af-

ter the 3-round encryption of the toy cipher, we get a set {C0, · · ·C255} of 28

values for state6. Let B = [3]. The set of variables Yi[j] with 0 ≤ i ≤ 6 and0 ≤ j < 4 shown in Fig. 7 models backward determination of {C0, · · ·C255} inrounds (2→ 1→ 0) if we impose the following constraints on Yi[j].

NL

L

state0

state1 Round 0

NL

L

state2

state3 Round 1

NL

L

state4

state5 Round 2

NL

L

state6

state7 Round 3

NL

L

state8

state9 Round 4

state10

B

Fig. 6: The forward/backward determination relationship illustrated on a 5-round keyed permutation

Since B = [3], we have Y6[0] = Y6[1] = Y6[2] = 0, Y6[3] = 1. For the S layersin the toy cipher, we have Y2i[j] = Y2i+1[j], 0 ≤ i ≤ 2, 0 ≤ j < 4. For the linearlayers, we add 3Y2i+1[j]−Y2(i+1)[j+1]−Y2(i+1)[j+2]−Y2(i+1)[j+3] ≥ 0 to ensurethat Y2i+1[j] must be 1 when any one of Y2(i+1)[j+1], Y2(i+1)[j+2], Y2(i+1)[j+3]is 1, and Y2(i+1)[j + 1] + Y2(i+1)[j + 2] + Y2(i+1)[j + 3]− Y2i+1[j] ≥ 0 to dictatethat Y2i+1[j] must be 0 when all of Y2(i+1)[j+ 1], Y2(i+1)[j+ 2], Y2(i+1)[j+ 3] are0, where the indexes are computed modulo 4. With these constraints, the Yi[j]variables propagate in a pattern depicted in Fig. 7.

state0 state1

Y0[0]

Y0[1]

Y0[2]

Y0[3]

S

S

S

S

Y1[0]

Y1[1]

Y1[2]

Y1[3]

L

AK

state2 state3

Y2[0]

Y2[1]

Y2[2]

Y2[3]

S

S

S

S

Y3[0]

Y3[1]

Y3[2]

Y3[3]

L

AK

state4 state5

Y4[0]

Y4[1]

Y4[2]

Y4[3]

S

S

S

S

Y5[0]

Y5[1]

Y5[2]

Y5[3]

L

AK

state6

Y6[0]

Y6[1]

Y6[2]

Y6[3]

Fig. 7: The backward determination of a 3-round toy cipher

Note that the concepts introduced in this section are generic and not limitedto SP ciphers. For instance, we depicted the propagation patterns of the forwarddifferential and backward determination of a Feistel cipher with 8-bit block sizeand 4× 4 S-box in Fig. 8a and Fig. 8b respectively.

S S S

(a) Forward differential

S S S

(b) Backward determination

Fig. 8: The forward differential and backward determination of a 3-round toycipher with Feistel structure

5 Modelling the DS-MITM Attack with Constraints: TheTechnical Details

Given a cipher E = E2 ◦ E1 ◦ E0, we show how to model the distinguisher part(E1), and subsequently the key-recovery part (E0 and E2). These models for E1,E0 and E2 jointly lead to a model for DS-MITM attack on E. Note that thispart of the paper should be read while referring to Fig. 1.

5.1 CP Model for E1: The Distinguisher Part.

We introduce 2 sets of variables Vars(X) = {Xi[j] : 2r0 ≤ i ≤ 2(r0 + r1), 0 ≤j < nc} and Vars(Y ) = {Yi[j] : 2r0 ≤ i ≤ 2(r0 + r1), 0 ≤ j < nc} for all thewords of the states {statei[j] : 2r0 ≤ i ≤ 2(r0 + r1), 0 ≤ j < nc} involved in ther1 rounds of E1 as shown in Fig. 1.

We then impose a set of constraints on Vars(X) such that Vars(X) modelsthe forward differential of a δ(A)-set Qδ(A) = {Q0, · · · , QN−1} for state2r0 withA = [j : X2r0 [j] = 1, 0 ≤ j < nc] in rounds (r0 → r0 + 1 → · · · → r0 + r1 − 1).Also, another set of constraints is imposed on Vars(Y ) such that Vars(Y ) modelsthe backward determination relationship of

{Q0(state2(r0+r1)[B]), · · · , QN−1(state2(r0+r1)[B])}

with B = [j : Y2(r0+r1)[j] = 1, 0 ≤ j < nc] in rounds (r0 + r1 − 1 → · · · → r0).Finally, we introduce a new set of variables Vars(Z) = {Zi[j] : 2r0 ≤ i ≤2(r0 + r1), 0 ≤ j < nc} and impose a set of constraints on Vars(Z) such thatZi[j] = 1 if and only if Xi[j] = Yi[j] = 1. The variables in Vars(X), Vars(Y ), andVars(Z) together with the constraints imposed on them form a CP model.

Then we have the following observations which can be easily derived from theAssumption 1 made at the end of Sect. 2 and the definition of forward/backwarddifferential and forward/backward determination relationship.

Observation 1 If Vars(X) models the forward differential of a δ(A)-set

Qδ(A) = {Q0, · · · , QN−1}

for state2r0 (Fig. 1) with A = [j : X2r0 [j] = 1, 0 ≤ j < nc] in rounds (r0 →r0 + 1 → · · · → r0 + r1 − 1), then for an arbitrary ordered set B of indices, wecan determine the sequence of differences

∆E1(Qδ(A),B) = [Q0 ⊕Q1(state2(r0+r1)[B]), · · · , Q0 ⊕QN−1(state2(r0+r1)[B])]

from the knowledge of the following set of intermediate values of Q0.

{Q0(state2i[j]) : X2i[j] = 1, r0 ≤ i < r0 + r1, 0 ≤ j < nc}.

Observation 2 Let Qδ(A) = {Q0, · · · , QN−1} be a δ(A) set for state2r0 for anarbitrary A. If Vars(Y ) models the backward determination relationship of

{Q0(state2(r0+r1)[B]), · · · , QN−1(state2(r0+r1)[B])}

with B = [j : Y2(r0+r1)[j] = 1, 0 ≤ j < nc] in rounds (r0 + r1 − 1 → · · · → r0),then we can determine the sequence of differences

∆E1(Qδ(A),B) = [Q0 ⊕Q1(state2(r0+r1)[B]), · · · , Q0 ⊕QN−1(state2(r0+r1)[B])]

from the knowledge of the following set of intermediate values of Q0

{Q0(state2i[j]) : Y2i[j] = 1, r0 ≤ i < r0 + r1, 0 ≤ j < nc}.

Note that Observation 1 and Observation 2 are stated with an arbitraryordered set A and B respectively. Therefore, if we know the intermediate valuesof Q0(state[j]) such that X2i[j] and Y2i[j] are equal to 1 simultaneously, we candetermine the sequence ∆E1

(Qδ(A),B) with the specific A and B correspondingto the underlying values of Vars(X) and Vars(Y ).

Observation 3 Let A = [j : X2r0 [j] = 1, 0 ≤ j < nc], B = [j : Y2(r0+r1)[j] =1, 0 ≤ j < nc], and Qδ(A) = {Q0, · · · , QN−1} be a δ(A) set for state2r0 . Then

from the knowledge of the following∑r0+r1−1i=r0

∑nc−1j=0 Z2i[j] c-bit words

{Q0(state2i[j]) : Z2i[j] = 1, r0 ≤ i < r0 + r1, 0 ≤ j < nc},

we can determine the value of the sequence of differences

∆E1(Qδ(A),B) = [Q0 ⊕Q1(state2(r0+r1)[B]), · · · , Q0 ⊕QN−1(state2(r0+r1)[B])].

From the above observations, it is easy to see that any solution of Vars(X),Vars(Y ), and Vars(Z) corresponds to aDS-MITM distinguisher (A,B,DegE1

(A,B))with A = [j : X2r0 [j] = 1, 0 ≤ j < nc], B = [j : Y2(r0+r1)[j] = 1, 0 ≤ j < nc],

and DegE1(A,B) =

∑r0+r1−1i=r0

∑nc−1j=0 Z2i[j].

5.2 CP model for the outer rounds E0 and E2

The CP model for E0. As discussed in Sect. 3, the attacker needs to preparea set Pδ(A) of chosen plaintexts based on the distingusher (A,B,DegE1

(A,B))

placed at E1. According to the definition of A, there must be P 1, · · · , PN−1 inPδ(A) such that Qδ(A) = {Q0, · · · , Qn−1} forms a δ(A)-set for state2r0 , where

Qj = E0(P j).For E0 we introduce a set of 0-1 variables Vars(M) = {Mi[j] : 0 ≤ i ≤

2r0, 0 ≤ j < nc} and impose a set of constraints on Vars(M) such that Vars(M)models the backward differential of the δ(A)-set Qδ(A) with A = {j : X2r0 [j] =1, 0 ≤ j < nc} in rounds (r0 − 1 → · · · → 0). Then according to the definitionof backward differential and assumption 1, we have the following observation.

Observation 4 Given P 0 ∈ Pδ(A), the set

Guess(E0) = {P 0(state2i[j]) : M2i[j] = 1, 0 < i < r0, 0 ≤ j < nc}

ofr0−1∑i=1

nc−1∑j=0

M2i[j] c-bit words needs to be guessed to find P 1, · · · , PN−1 in Pδ(A).

The CP model for E2. After the guess of Guess(E0), we obtain a set {P 0, · · · ,PN−1} ⊆ Pδ(A) such that Qδ(A) = {Q0, · · · , QN−1} with Qj = E0(P j) forms a

δ(A) set for state2r0 (under the guess). Let Cj = E(P j), 0 ≤ j < N . Then wewant to get the sequence

∆E1(Qδ(A),B) = {Q0(state2(r0+r1)[B]), · · · , QN−1(state2(r0+r1)[B])}

by decrypting {C0, · · · , CN−1} with E2.For E2 we introduce a set of 0-1 variables Vars(W ) = {Wi[j] : 2(r0 +

r1) ≤ i ≤ 2(r0 + r1 + r2), 0 ≤ j < nc} and impose a set of constraintson Vars(W ) such that Vars(W ) models the forward determination of the set{Q0(state2(r0+r1)[B]), · · · , QN−1(state2(r0+r1)[B])} with B = {j : Y2(r0+r1)[j] =1, 0 ≤ j < nc} in rounds (r0 + r1 → · · · → r0 + r1 + r2 − 1).

Observation 5 Given {C0, · · · , CN−1}, the set

Guess(E2) = {Q0(state2i[j]) : W2i[j] = 1, r0 + r1 ≤ i < r0 + r1 + r2, 0 ≤ j < nc}

ofr0+r1+r2−1∑i=r0+r1

nc−1∑j=0

W2i[j] c-bit words needs to be guessed to determine the se-

quence

∆E1(Qδ(A),B) = [C0 ⊕ C1(state2(r0+r1)[B]), · · · , C0 ⊕ CN−1(state2(r0+r1)[B])].

Remark. There is still a gap between Guess(Ei) and kEi for i ∈ {0, 2}. Toperform the attack (see Sect. 3), we need to identify kEi rather than Guess(Ei).As we will show in Sect. 7.1, Sect. 7.2 and Sect. 7.3, it is fairly straightforwardto convert Guess(Ei) to kEi

.

6 How to Use the Modelling Technique in Practice?

The modelling technique for DS-MITM attack can be applied in several scenar-ios. In the following, we identify two of them and give a discussion of possibleextensions.

6.1 Enumeration of DS-MITM Distinguishers

In Sect. 5, the descriptions of the modelling of E1 (the distinguisher part) andthe outer rounds (E0 and E2) are intentionally separated to have a methodwhose only purpose is to search for DS-MITM distinguishers.

When we target a cipher with DS-MITM attack, probably the first that comeinto mind is to identify a DS-MITM distinguisher covering as many rounds aspossible. To this end, we can build a model with the method presented in Sect. 5for k rounds of the target cipher, and add one more constraint dictating that

Deg(A,B) =

r0+r1−1∑i=r0

nc−1∑j=0

Z2i[j] < |K|c

to prevent the complexity of the offline phase from being too high, where |K|c isthe number of c-bit words in the master key of the target cipher. Then we canenumerate all solutions using a constraint solver. If the solutions of the modellead to valid distinguishers, we can increase k and try to find distinguisherscovering more rounds.

6.2 Fast Prototyping for DS-MITM Attacks

Given a keyed permutation E = E2◦E1◦E0, it is difficult to determine whichDS-MITM distinguisher covering E1 will lead to the best attack, though intuitivelya distinguisher (A,B,Deg(A,B)) with smaller Deg(A,B) is preferred. In thissituation, we can set up a model for the whole E2 ◦E1 ◦E0 with the constraints

Deg(A,B) =∑r0+r1−1i=r0

∑nc−1j=0 Z2i[j] < |K|c

r0−1∑i=1

nc−1∑j=0

M2i[j] +r0+r1+r2−1∑i=r0+r1

nc−1∑j=0

W2i[j] < |K|c

The resolution of the model leads to both a distinguisher covering E1 and anattack based on the distinguisher simultaneously, which should be very usefulin fast prototyping of DS-MITM attack in the analysis and design of block ci-phers. Note that the output of the tool is a distinguisher (A,B,Deg(A,B)) andthe secret information Guess(E0) and Guess(E2), which needs to be converted tokE0 and kE2 automatically or manually. Then the so-called key-bridging tech-nique [29, 47] can be applied to give an estimation of |kE0

∪ kE2|.

Another strategy is to find all k-round distinguishers (A,B,Deg(A,B)) withDeg(A,B) < d for some integer d. Then various generic or dedicated optimizationtechniques [29] (some of which may be unknown at present) can be applied basedon these distinguishers to see which one leads to the best attack.

7 Applications

7.1 Application to SKINNY

In this section, we apply our method to SKINNY-128-384 (the TK3 versionwith 128-bit block size, 384-bit key, and 0-bit tweak) to have a concrete exampledemonstrating the method presented in Sect. 4. The specification of SKINNYcan be found in [44], and we omit it from this paper due to space restrictions.

The indexing scheme we used for analyzing SKINNY is illustrated in Fig. 9,which is essentially the same as Fig. 1, except that the states are drawn as 4× 4squares and the NL layer is composed of a parallel application of 16 Sboxes anda shift row operation.

To model an r-round DS-MITM distinguisher, we introduce 3 sets Vars(X),Vars(Y ), and Vars(Z) of variables for all the states involved in rounds (k, k + 1,· · · , k + r − 1), where Vars(X) = {Xi[j] : 2k ≤ i ≤ 2(k + r), 0 ≤ j < nc} modelsthe forward differential, Vars(Y ) = {Yi[j] : 2k ≤ i ≤ 2(k + r), 0 ≤ j < nc}models the backward determination relationship, and Vars(Z) = {Zi[j] : 2k ≤i ≤ 2(k + r), 0 ≤ j < nc} such that Zi[j] = 1 if and only if Xi[j] = Yi[j] = 1.Note that the logical statement of Zi[j] can be converted into allowed tuples of(Zi[j], Xi[j], Yi[j]), that is (Zi[j], Xi[j], Yi[j]) ∈ {(0, 0, 0), (0, 0, 1), (0, 1, 0), (1, 1, 1)},which can be modeled in CP or MILP trivially [14, 10]. So the only question leftis what kind of constraints should be imposed on Vars(X) and Vars(Y ) such thatthey model the intended properties.

0 1 2 3

4 5 6 7

8 9 10 11

12 13 14 15

SB,AC

AK,SR

MC SB,AC

AK,SR

MC· · · · · ·

state2i state2i+1 state2(i+1) state2(i+1)+1 state2(i+2)

Round i Round i+ 1

Fig. 9: The indexing scheme used for the rounds, states, and words of SKINNY

0 1 2 3

4 5 6 7

8 9 10 11

12 13 14 15

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0

state0 state1

Round 1

state2 state3

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 2

state4 state5

Round 3

state6 state7

Round 4

state8

Fig. 10: Forward differential of a δ(A) set for state0 in rounds (0→ 1→ 2→ 3)with A = [13]

The constraints imposed on Vars(X). Firstly, according to the definition offorward differential and the SB, AC, AK, SR operations of SKINNY, we haveX2i+1[4a+b] = X2i[4a+(b−a) mod 4] for k ≤ i < k+r, where a, b ∈ {0, 1, 2, 3}are used to index the rows and columns of a state respectively. Secondly, for everycolumn b ∈ {0, 1, 2, 3} and k ≤ i < k + r, we impose the following constraintsdue to the MC operation

• X2(i+1)[b] = 0 if and only if X2i+1[b] = X2i+1[b+ 8] = X2i+1[b+ 12] = 0;• X2(i+1)[b+ 4] = X2i+1[b];• X2(i+1)[b+ 8] = 0 if and only if X2i+1[b+ 4] = X2i+1[b+ 8] = 0;• X2(i+1)[b+ 12] = 0 if and only if X2i+1[b] = X2i+1[b+ 8] = 0.

Note that all constraints given in the above can be converted to allowed tu-ples of some variables and therefore can be easily modeled by the CP approach.An example solution of a set of variables modelling the forward differential of4-round SKINNY is visualized in Fig. 10.

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0

state0 state1

Round 1

state2 state3

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 2

state4 state5

Round 3

state6 state7

Round 4

state8

Fig. 11: The backward determination relationship of {Q0(state8[B]), · · · ,QN−1(state8[B])} for state8 in rounds (3→ 2→ 1→ 0) with B = [11]

The constraints imposed on Vars(Y ). Similarly, according to the definitionof backward determination relationship and the SB, AC, AK, SR operations ofSKINNY, we have Y2i+1[4a+ b] = Y2i[4a+ (b− a) mod 4] for k ≤ i < k+ r anda, b ∈ {0, 1, 2, 3}. In addition, for every column b ∈ {0, 1, 2, 3} and k ≤ i < k+ r,we impose the following constraints

• Y2i+1[b] = 0 if and only if Y2(i+1)[b] = Y2(i+1)[b+ 4] = Y2(i+1)[b+ 12] = 0;• Y2i+1[b+ 4] = Y2(i+1)[b+ 8];• Y2i+1[b+ 8] = 0 if and only if Y2(i+1)[b] = Y2(i+1)[b+ 8] = Y2(i+1)[b+ 12] = 0;• Y2i+1[b+ 12] = Y2(i+1)[b].

An example solution of a set of variables modelling the backward determinationrelationship of 4-round SKINNY is visualized in Fig. 11. According to the con-straints imposed on Vars(Z), if Vars(X) and Vars(Y ) are assigned to values asillustrated in Fig. 10 and Fig. 11 respectively, then we can derive the values ofVars(Z) by superposition of Fig. 10 and Fig. 11, as depicted in Fig. 12.

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0

state0 state1

Round 1

state2 state3

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 2

state4 state5

Round 3

state6 state7

Round 4

state8

Fig. 12: A visualization of an instantiation of Vars(Z) according to the valuesassigned to Vars(X) and Vars(Y ), which can be regarded as a superposition ofFig. 10 and Fig. 11

Additional constraints. We require∑Xi[j] 6= 0,

∑Yi[j] 6= 0, and

∑Zi[j] 6= 0

to exclude the trivial solution where all variables are assigned to 0. Also, tomake the time complexity of the offline phase not exceeding the complexity ofthe exhaustive search attack, we require

∑Z2i[j] ≤ |K|c = 384/8 = 48 .

Objective functions. The objective function is to minimize∑k+r−1i=k

∑15j=0 Z2i[j]

to make Deg(A,B) as small as possible.

Cipher-specific constraints. For SKINNY, we can reduce the number ofguessed parameters by exploiting the properties of its linear transformation.According to the MC operation of SKINNY, for an intermediate value Q andb ∈ {0, 1, 2, 3}, we haveQ(state2(i+1)[b]) = Q(state2i+1[b]) +Q(state2i+1[b+ 8]) +Q(state2i+1[b+ 12])Q(state2(i+1)[b+ 4]) = Q(state2i+1[b])Q(state2(i+1)[b+ 8]) = Q(state2i+1[b+ 4]) +Q(state2i+1[b+ 8])Q(state2(i+1)[b+ 12]) = Q(state2i+1[b]) +Q(state2i+1[b+ 8])

Hence, the tuple (Q(state2i+1[b + 8]), Q(state2(i+1)[b + 4]), Q(state2(i+1)[b +12])) can be fully determined when any two of the three entries are known.Similarly, the tuple (Q(state2i+1[b+ 12]), Q(state2(i+1)[b]), Q(state2(i+1)[b+ 12]))can be fully determined when any two of the three entries are known. To takethese facts into account, we introduce two new sets {φi : k ≤ i < k + r} and{ϕi : k ≤ i < k + r} of 0-1 variables , and include the following constraints forb ∈ {0, 1, 2, 3}

• φi = 1 if and only if Z2i+1[b+ 8] + Z2(i+1)[b+ 4] + Z2(i+1)[b+ 12] = 3;• ψi = 1 if and only if Z2i+1[b+ 12] + Z2(i+1)[b] + Z2(i+1)[b+ 12] = 3;

We also need to set the objective function to minimize

k+r−1∑i=k

15∑j=0

Z2i[j]−k+r−1∑i=k

(φi + ψi).

Using the above model, we can find a DS-MITM distinguisher for 10.5-roundSKINNY-128-384 in 2 seconds. In [44], the designers of SKINNY expected thatthere should be no DS-MITM distinguisher covering more than 10 rounds ofSKINNY since partial-matching can work at most (6− 1) + (6− 1) = 10 rounds.Hence, our result concretize the 10-round distinguisher, and actually our toolfound DS-MITM distinguishers of SKINNY covering more than 10 rounds. Anenumeration of all DS-MITM distinguishers covering 10.5-round SKINNY with40 ≤ Deg(A,B) ≤ 48 is performed and the results are listed in Table. 2. Notethat distinguishers with Deg(A,B) > 48 are ineffective for an attack. We then tryto get an attack on SKINNY by modelling E1 (the distinguisher part), E0 andE2 (the outer rounds) as a whole with the method presented in Sect. 4. We omitthe detailed description of the constraints for Vars(M) and Vars(W ) introducedfor E0 and E2 since they are similar to the constraints imposed on Vars(X)and Vars(Y ) given previously. As a result, we identify a DS-MITM attack on22-round SKINNY-128-384 based on a distinguisher (A,B,Deg(A,B)) with A =[14], B = [7], and deg(A,B) = 40, which is shown in Fig. 17 in [supplementarymaterial]. The secret intermediate values Guess(E0) and Guess(E2) created byP 0 in the outer rounds are presented in Fig. 18 in [supplementary material A].To perform the attack, we still need to convert Guess(E0) and Guess(E2) intothe secret information of subkeys manually, which is visualized in Fig. 19 in[supplementary material A]. Then we perform the key-bridging technique [29, 47]on kin and kout, and find that |kin ∪ kout| ≤ 376.

Complexity analysis. According to the discussion of Sect. 3.3, in the offlinephase, the time complexity is 28×40 × 28×1 × 40

16×22CE ≈ 2324.86CE , and the

memory complexity is (28 − 1) × 8 × 1 × 28×40 ≈ 2330.99 bits. In the onlinephase, the time complexity is 247×8 × 28×1 × 57+64

22×16CE ≈ 2382.46CE . The data

complexity of the attack is 28×12 = 296, which can be obtained from the inputstate of Fig. 18 in [supplementary material A].

7.2 Application to LBlock

The indexing scheme we used for analyzing LBlock is shown in Fig. 13, where theAK is the subkey xor operation, SB is a parallel application of 8 4× 4 S-boxes,and LN is a permutation permuting j to LN[j].

To model an r-round DS-MITM distinguisher of LBlock, we introduce 3 setsVars(X), Vars(Y ), and Vars(Z) of variables for all the states involved in rounds(k, k+ 1, · · · , k+ r−1), where Vars(X) = {XL

i [j], XRi [j] : k ≤ i ≤ k+ r, 0 ≤ j <

nc}∪{XSi [j], XM

i [j] : k ≤ i < k+ r, 0 ≤ j < nc} models the forward differential,Vars(Y ) = {Y Li [j], Y Ri [j] : k ≤ i ≤ k + r, 0 ≤ j < nc} ∪ {Y Si [j], YMi [j] : k ≤i < k + r, 0 ≤ j < nc} models the backward determination relationship, andVars(Z) = {ZLi [j], ZRi [j] : k ≤ i ≤ k + r, 0 ≤ j < nc} ∪ {ZSi [j], ZMi [j] : k ≤ i <k + r, 0 ≤ j < nc} such that

• ZLi [j] = 1 if and only if XLi [j] = Y Li [j] = 1

• ZRi [j] = 1 if and only if XRi [j] = Y Ri [j] = 1

Table 2: An enumeration of allDS-MITM distinguishers for 10.5-round SKINNY-128-384 with 40 ≤ Deg(A,B) ≤ 48.

No. A B Deg(A,B) No. A B Deg(A,B) No. A B Deg(A,B)1 [15] [4] 40 21 [13] [6, 4] 45 41 [13] [5] 462 [12] [5] 40 22 [14] [7, 5] 45 42 [12] [4] 463 [13] [6] 40 23 [13] [6, 4] 45 43 [14] [6] 464 [14] [7] 40 24 [15] [4, 6] 45 44 [15] [7] 465 [15] [5] 42 25 [13] [5] 45 51 [13] [4, 6] 476 [12] [6] 42 26 [15] [6] 45 52 [12] [7, 5] 477 [13] [7] 42 27 [14] [4] 45 53 [14] [5, 7] 478 [14] [4] 42 28 [13] [4] 45 54 [15] [6, 4] 479 [13] [5] 43 29 [14] [5] 45 49 [13] [6] 4710 [14] [6] 43 30 [14] [6] 45 50 [13] [6] 4711 [12] [4] 43 31 [12] [4] 45 51 [14] [7] 4712 [15] [7] 43 32 [15] [5] 45 52 [12] [5] 4713 [12] [7] 44 33 [13] [7] 45 53 [12] [5] 4714 [13] [4] 44 34 [12] [6] 45 54 [14] [7] 4715 [12] [7] 44 35 [15] [7] 45 55 [15] [4] 4716 [13] [4] 44 36 [12] [7] 45 56 [15] [4] 4717 [13] [4] 44 37 [14] [4, 6] 46 57 [15] [7, 5] 4818 [14] [5] 44 38 [13] [7, 5] 46 58 [14] [6, 4] 4819 [14] [5] 44 39 [15] [5, 7] 46 59 [12] [4, 6] 4820 [13] [4] 44 40 [12] [6, 4] 46 60 [13] [5, 7] 48

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

0 0

0 0

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

1 1

1 1

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

2 2

2 2

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

3 3

3 3

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

4 4

4 4

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

5 5

5 5

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

6 6

6 6

XLi XR

i

XSi XM

i

XLi+1 XR

i+1

7 7

7 7

Round i

SB

LN

≪ 8

SK

Fig. 13: The indexing scheme used for LBlock

• ZSi [j] = 1 if and only if XSi [j] = Y Si [j] = 1

• ZMi [j] = 1 if and only if XMi [j] = YMi [j] = 1

Note that the logical statement of Vars(Z) can be converted into allowed tu-ples, e.g. (ZLi [j], XL

i [j], Y Li [j]) ∈ {(0, 0, 0), (0, 0, 1), (0, 1, 0), (1, 1, 1)}, which canbe modeled in CP or MILP trivially [10, 14]. So the only question left is whatkind of constraints should be imposed on Vars(X) and Vars(Y ) such that theymodel the intended properties.

The constraints imposed on Vars(X). According to the definition of forwarddifferential and the AK, SB, LN, ≪ 8, XOR operations of LBlock, we have thefollowing constraints

• XLi [j] = XS

i [j] = XRi+1[j], for k ≤ i < k + r and 0 ≤ j ≤ 7;

• XMi [LN [j]] = XS

i [j], for k ≤ i < k + r and 0 ≤ j ≤ 7;

• XLi+1[j] = 0 if and only if XR

i [(j+2) mod 8] = XMi [j] = 0, for k ≤ i < k+r

and 0 ≤ j ≤ 7.

The constraints imposed on Vars(Y ). Similarly, according to the definitionof the backward determination relationship and the AK, SB, LN, ≪ 8, XORoperations of LBlock, we have the following constraints

• For k ≤ i < k+r and 0 ≤ j ≤ 7, Y Li [j] = 0 if and only if Y Ri+1[j] = Y Si [j] = 0;• YMi [LN [j]] = Y Si [j], for k ≤ i < k + r and 0 ≤ j ≤ 7;• For XOR and SR operations: YMi [j] = Y Ri [(j + 2) mod 8] = Y Li+1[j]

According to the constraints imposed on Vars(Z), if Vars(X) and Vars(Y ) areassigned to values as illustrated in Fig. 14a and Fig. 14b, then we can derive thevalues of Vars(Z) by superposition of Fig. 14a and Fig. 14b, which is depictedin Fig. 14c.

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

(a) Forward differential

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

(b) Backward determination

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

SB

LN

≪ 8

SK

(c) Vars(Z)

Fig. 14: An instantiation of the Vars(X), Vars(Y ) and Vars(Z)

Additional constraints. We require∑XLk [j] +

∑XRk [j] 6= 0,

∑Y Lk+r[j] +∑

Y Rk+r[j] 6= 0, to exclude the trivial solution where all variables are assignedto 0. Also, to make the time complexity of the offline phase not exceeding thecomplexity of the exhaustive search, we require

∑ZSi [j] < |K|c = 80/4 = 20 .

Objective functions. The objective function is to minimize∑k+r−1i=k

∑7j=0 Z

Si [j]

to make Deg(A,B) as small as possible.

By integrating the above model with the models of E0 and E2 with somesimple tweak, we identify a DS-MITM attack on 21-round LBLOCK. The distin-guisher used in the attack is an 11-roundDS-MITM distinguisher (A,B,Deg(A,B))

with A = [12], B = [12], and deg(A,B) = 14, which is shown in Fig. 20 in[supplementary material]. The secret intermediate values Guess(E0) and Guess(E2)created by P 0 in the outer rounds are presented in Fig. 21 in [supplementary ma-terial] marked with red color. To perform the attack, we convert Guess(E0) andGuess(E2) into the secret information of subkeys manually, which is visualized inFig. 22 in [supplementary material], where there are 22 nibbles in kin and 12 nib-bles in kout. Then we perform the key-bridging technique [29, 47] on kin and kout,and find that |kin ∪ kout| ≤ 69, which is illustrated in Fig. 23 in [supplementarymaterial].

Complexity analysis. According to the discussion of Sect. 3.3, in the offlinephase, the time complexity is 24×14×24×1× 14

21×8CE ≈ 256.42CE , and the memory

complexity is (24− 1)× 4× 1× 24×14 ≈ 261.91 bits. In the online phase, the timecomplexity is 269 × 24×1 × 12+12

21×8 CE ≈ 270.20CE . The data complexity of the

attack is 24×12 = 248, which can be obtained from input state (Round 0) ofFig. 21 in [supplementary material].

7.3 Application to TWINE-80

With the method presented in Sect. 4, we find a DS-MITM attack on 20-roundTWINE-80 based on a distinguisher (A,B,Deg(A,B)) with A = [3], B = [9, 13],and deg(A,B) = 19, which is shown in Fig. 24 in [supplementary material]. Thesecret intermediate values Guess(E0) and Guess(E2) created by P 0 in the outerrounds are presented in Fig. 25 in [supplementary material]. To perform the at-tack, we convert Guess(E0) and Guess(E2) into the secret information of sub-keys manually, which is visualized in Fig. 26 in [supplementary material]. Thenwe perform the key-bridging technique [29, 47] on kin and kout, and find that|kin ∪ kout| ≤ 76, which is illustrated in Fig. 27 in [supplementary material].

Complexity analysis. According to the discussion of Sect. 3.3, in the offlinephase, the time complexity is 24×19×24×1× 19

20×8CE ≈ 276.93CE , and the memory

complexity is (24− 1)× 4× 2× 24×19 ≈ 282.91 bits. In the online phase, the timecomplexity is 276×24×1× 7+20

20×8CE ≈ 277.44CE . The data complexity of the attack

is 24×8 = 232, which can be obtained from input state (Round 0) of Fig. 25 in[supplementary material].

7.4 Applications to AES, ARIA, and SIMON

We also apply our method to AES, ARIA, and SIMON. However, no betterresult is obtained. Still, We would like to provide some information about ouranalysis for the sake of completeness.

For AES, our tool can recover the base DS-MITM attacks behind all attacks(including the best ones) presented in [28–30, 53, 54]. However, currently knownbest attacks on AES exploit the differential enumeration technique [28] whichour tool cannot take into account automatically. To deal with this, we use a2-step approach. First, we list all the distinguishers that may lead to a valid

attack using the fact that, at best, the differential enumeration technique candecrease the memory complexity by a factor strictly less than 2n, where n isthe state size. For AES-128 we would only add the constraint dictating that twoconsecutive states cannot be fully active in the distinguisher. Then in a secondstep, we can obtain the concrete complexities of the attacks derived from thedistinguishers by applying known techniques. Usually, the distinguisher leadingto the best attack has the lowest number of active bytes. But some manual workis inevitable to really optimize the attacks. Actually, during our analysis, ourcode generates figures based on the distinguishers automatically, which greatlyfacilitates subsequent manual analysis and the checking of correctness. Note thatthe first step alone can be used to get an upper bound on the number of roundsone may attack (independent of any tricks involving manual work): if there isno distinghuisher then there is no attack.

For ARIA, we obtain the same result presented in [55]. Unlike the othertargets presented in the paper which are modeled using MILP, we also provide aChoco [56] implementation for finding the DS-MITM distinguishers of the ARIAcipher to show that we can choose from MILP/SAT/SMT/CP as the modelinglanguage freely. This fact is important since the solvers are being improvedconstantly, and thus we can expect the resolution of more difficult instancesin the future. We also try our tool on bit-oriented ciphers like SIMON. ForSIMON32/64, only an 8-round DS-MITM distinguisher is identified, which is farless than the rounds can be penetrated by differential attacks.

8 Applications in the Process of Block Cipher Design

In the design process, the designer typically first fixes the general structure ofthe block cipher. Then she or he tries to identify the optimal local components interms of security, efficiency, power consumption etc. by a tweaking-and-analysisstyle iterative approach. Therefore, it is important to have efficient tools at handssuch that a thorough exploration of the design space can be performed. In thissection, we show that our tool can be applied in this situation by tweakingthe block ciphers LBlock and TWINE. Note that unlike Ivica’s tool [57], wherenature-inspired meta-heuristics are employed, our method essentially performsan DS-MITM distinguishing attack for each possible instantiation of the targetcipher, and pick the optimal ones according to the results.

For LBlock-80, we tweak the 8-nibble to 8-nibble permutation. We exhaus-tively search for the 11-roundDS-MITM distinguishers with the lowest Deg(A,B)for the 8! = 40320 cases. The distribution of the 40320 cases in terms of Deg(A,B)is shown in Fig. 15. According to Fig. 15, we can make several interesting obser-vations. Firstly, there are many very weak permutations with very low deg(A,B)which obviously should be avoided. In extreme cases, there are 12560 permuta-tions with Deg(A,B) = 0. Secondly, the number of permutations with highresistance against DS-MITM attack is small. There are 64 permutations amongthe 40320 ones with Deg(A,B) = 14, and actually the original permutation ofLBlock is chosen from these good permutations.

Fig. 15: The horizontal axis shows Deg(A,B) of the 11-round distinguisher (N/Ameans there is no valid distinguisher found), while the vertical axis indicates thecorresponding numbers of permutations

For TWINE-80, we tweak the word shuffle of 16 nibbles. There are totally16! ≈ 244.25 possibilities, which is out of reach of our computational power.However, according to [58], we only need to consider the 8!×8! even-odd shuffles.Let P = (P0, P1), be the word shuffle where P0 is the shuffle of all even positionswhile P1 is the shuffle of all odd positions. Then it can be shown that (P0, P1)is equivalent to (Q ◦ P1 ◦ Q−1, Q ◦ P2 ◦ Q−1), where Q is an arbitrary wordshuffle. Therefore, the number of cases can be further reduced since the 8! × 8!shuffles can be divided into 22 × 8! = 887040 equivalent classes with respectto the DS-MITM attack. We exhaustively search for the 11-round DS-MITMdistinguishers with the lowest Deg(A,B) for the 887040 cases. The distributionof the 887040 cases in terms of Deg(A,B) is shown in Fig. 16. According to

Fig. 16: The horizontal axis shows Deg(A,B) of the 11-round distinguisher (N/Ameans there is no valid distinguisher found), while the vertical axis indicates thecorresponding numbers of permutations

Fig. 16, we can make several interesting observations. Firstly, there are manyvery weak permutations with very low deg(A,B) which obviously should beavoided. In extreme cases, there are 528631 permutations with Deg(A,B) = 0.Secondly, the number of permutations with high resistance against DS-MITM

attack is small. There are only 344 permutations among the 887040 ones withDeg(A,B) = 14, and actually the original permutation of TWINE is chosen fromthese good permutations. Finally, we identify a set of 12 permutations for whichwe can not find any 11-round distinguisher, indicating that they are stronger thanthe original permutation in TWINE-80 with respect to the DS-MITM attack.

Since both the DS-MITM attack in this paper and the word-oriented trun-cated impossible differential attack are structure attacks whose effectiveness isnot affected by the details of the underlying S-boxes, we are wondering whetherthere is a set of strongest word shuffles with respect to the DS-MITM attackand impossible differential attack simultaneously. We exhaustively analysis the887040 TWINE variants. It turns out that for any variant there is a 14-roundimpossible differential, and there are 144 variants with no 15-round impossibledifferential. Finally, we identify a set of 12 word shuffles with no 15-round im-possible differential and no 11-round DS-MITM distinguisher (listed in Table. 4in [supplementary material]). Note that the word shuffle used in TWINE is not inthis set. Therefore, it is potentially better to use one from these 12 word shuffles.

9 Conclusion and Discussion

In this paper, we present the first tool for automatic Demirci-Selcuk meet-in-the-middle analysis based on constraint programming. In our approach, the for-mulation and resolution of the model are decoupled. Hence, the only thing needsto do by the cryptanalysts is to specify the problem in some modeling language,and the remaining work can be done with any open-source or commercially avail-able constraint solvers. This approach should be very useful in fast prototypingblock cipher designs. Finally, we would like to identify a set of limitations of ourapproach, overcoming which is left for future work.

Limitations. First of all, some important techniques for improving the DS-MITM attack have not been integrated into our framework yet, including (butnot limited to) the differential enumeration technique, and using several distin-guishers in parallel. Secondly, we cannot guarantee the optimality of the attacksproduced by our tool, due to the heuristic natures of the key-recovery process,and the lack of automatically considering cipher specific properties. Finally, wedo not know how to apply our method to ARX based constructions.

Acknowledgments. The authors thank the anonymous reviewers for manyhelpful comments, and Gaetan Leurent for careful reading and shepherding ourpaper. The work is supported by the Chinese Major Program of National Cryp-tography Development Foundation (Grant No. MMJJ20180102), the NationalNatural Science Foundation of China (61732021, 61802400, 61772519, 61802399),the Youth Innovation Promotion Association of Chinese Academy of Sciences,and the Institute of Information Engineering, CAS (Grant No. Y7Z0251103).Patrick Derbez is supported by the French Agence Nationale de la Recherchethrough the CryptAudit project under Contract ANR-17-CE39-0003.

References

1. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Jour-nal of Cryptology 4(1) (1991) 3–72

2. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Advances inCryptology–EUROCRYPT 1993, Springer (1994) 386–397

3. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher square. In: Fast SoftwareEncryption, 4th International Workshop, FSE ’97, Haifa, Israel, January 20-22,1997, Proceedings. (1997) 149–165

4. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Fast Software Encryption,9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Re-vised Papers. (2002) 112–127

5. Todo, Y.: Structural evaluation by generalized integral property. In: Advancesin Cryptology - EUROCRYPT 2015 - 34th Annual International Conference onthe Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April26-30, 2015, Proceedings, Part I. (2015) 287–314

6. Liu, Y., Wang, Q., Rijmen, V.: Automatic search of linear trails in ARX withapplications to SPECK and chaskey. In: Applied Cryptography and Network Se-curity - 14th International Conference, ACNS 2016, Guildford, UK, June 19-22,2016. Proceedings. (2016) 485–499

7. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics forARX: Application to Salsa20. IACR Cryptology ePrint Archive, Report 2013/328(2013) http://eprint.iacr.org/2013/328.

8. Kolbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipherfamily. In: Advances in Cryptology - CRYPTO 2015 - 35th Annual CryptologyConference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I.(2015) 161–185

9. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysisusing mixed-integer linear programming. In: Information Security and Cryptology–ISC 2012, Springer (2012) 57–76

10. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security eval-uation and (related-key) differential characteristic search: Application to SIMON,PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Advancesin Cryptology - ASIACRYPT 2014 - 20th International Conference on the The-ory and Application of Cryptology and Information Security, Kaoshiung, Taiwan,R.O.C., December 7-11, 2014. Proceedings, Part I. (2014) 158–178

11. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searchingintegral distinguishers based on division property for 6 lightweight block ciphers.In: Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conferenceon the Theory and Application of Cryptology and Information Security, Hanoi,Vietnam, December 4-8, 2016, Proceedings, Part I. (2016) 648–678

12. Sasaki, Y., Todo, Y.: New impossible differential search tool from design and crypt-analysis aspects - revealing structural properties of several ciphers. In: Advancesin Cryptology - EUROCRYPT 2017 - 36th Annual International Conference onthe Theory and Applications of Cryptographic Techniques, Paris, France, April 30- May 4, 2017, Proceedings, Part III. (2017) 185–215

13. Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-Based Automatic Search Algo-rithms for Differential and Linear Trails for Speck. In: Fast Software Encryption -23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016,Revised Selected Papers. (2016) 268–288

14. Gerault, D., Minier, M., Solnon, C.: Constraint programming models for chosen keydifferential cryptanalysis. In: Principles and Practice of Constraint Programming- 22nd International Conference, CP 2016, Toulouse, France, September 5-9, 2016,Proceedings. (2016) 584–601

15. Sun, S., Gerault, D., Lafourcade, P., Yang, Q., Todo, Y., Qiao, K., Hu, L.: Anal-ysis of AES, SKINNY, and others with constraint programming. IACR Trans.Symmetric Cryptol. 2017(1) (2017) 281–306

16. Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for im-possible differentials and zero-correlation linear approximations. IACR CryptologyePrint Archive 2016 (2016) 689

17. Matsui, M.: On correlation between the order of S-boxes and the strength of DES.In: Advances in Cryptology–EUROCRYPT 1994, Springer (1995) 366–375

18. Dobraunig, C., Eichlseder, M., Mendel, F.: Heuristic tool for linear cryptanalysiswith applications to CAESAR candidates. In: Advances in Cryptology - ASI-ACRYPT 2015 - 21st International Conference on the Theory and Applicationof Cryptology and Information Security, Auckland, New Zealand, November 29 -December 3, 2015, Proceedings, Part II. (2015) 490–509

19. Biryukov, A., Velichkov, V.: Automatic search for differential trails in ARX ciphers.In: Topics in Cryptology–CT-RSA 2014. Springer (2014) 227–250

20. Biryukov, A., Nikolic, I.: Search for related-key differential characteristics in DES-like ciphers. In: Fast Software Encryption – FSE 2011, Springer (2011) 18–34

21. Fouque, P.A., Jean, J., Peyrin, T.: Structural Evaluation of AES and Chosen-KeyDistinguisher of 9-Round AES-128. In: Advances in Cryptology–CRYPTO 2013.Springer (2013) 183–203

22. Bouillaguet, C., Derbez, P., Fouque, P.A.: Automatic search of attacks on round-reduced AES and applications. In: CRYPTO 2011, Springer (2011) 169–187

23. Dobraunig, C., Eichlseder, M., Mendel, F.: Analysis of SHA-512/224 and SHA-512/256. In: Advances in Cryptology - ASIACRYPT 2015 - 21st InternationalConference on the Theory and Application of Cryptology and Information Security,Auckland, New Zealand, November 29 - December 3, 2015, Proceedings, Part II.(2015) 612–630

24. Mella, S., Daemen, J., Assche, G.V.: New techniques for trail bounds and appli-cation to differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2017(1)(2017) 329–357

25. Freuder, E.C.: In pursuit of the holy grail. Constraints 2(1) (1997) 57–6126. Demirci, H., Selcuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Fast

Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzer-land, February 10-13, 2008, Revised Selected Papers. (2008) 116–126

27. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced EncryptionStandard. Information Security and Cryptography. Springer (2002)

28. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-roundAES-192 and AES-256. In: Advances in Cryptology - ASIACRYPT 2010 - 16thInternational Conference on the Theory and Application of Cryptology and Infor-mation Security, Singapore, December 5-9, 2010. Proceedings. (2010) 158–176

29. Derbez, P., Fouque, P., Jean, J.: Improved key recovery attacks on reduced-roundAES in the single-key setting. In: Advances in Cryptology - EUROCRYPT 2013,32nd Annual International Conference on the Theory and Applications of Crypto-graphic Techniques, Athens, Greece, May 26-30, 2013. Proceedings. (2013) 371–387

30. Derbez, P., Fouque, P.: Exhausting demirci-selcuk meet-in-the-middle attacksagainst reduced-round AES. In: Fast Software Encryption - 20th International

Workshop, FSE 2013, Singapore, March 11-13, 2013. Revised Selected Papers.(2013) 541–560

31. Derbez, P., Fouque, P.: Automatic Search of Meet-in-the-Middle and ImpossibleDifferential Attacks. In: Advances in Cryptology - CRYPTO 2016 - 36th AnnualInternational Cryptology Conference, Santa Barbara, CA, USA, August 14-18,2016, Proceedings, Part II. (2016) 157–184

32. Li, R., Jin, C.: Meet-in-the-middle attacks on 10-round AES-256. Des. CodesCryptography 80(3) (2016) 459–471

33. Derbez, P., Perrin, L.: Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In: Fast Software Encryption - 22nd International Workshop,FSE 2015, Istanbul, Turkey, March 8-11, 2015, Revised Selected Papers. (2015)190–216

34. Biryukov, A., Derbez, P., Perrin, L.: Differential analysis and meet-in-the-middleattack against round-reduced TWINE. In: Fast Software Encryption - 22nd In-ternational Workshop, FSE 2015, Istanbul, Turkey, March 8-11, 2015, RevisedSelected Papers. (2015) 3–27

35. Li, L., Jia, K., Wang, X., Dong, X.: Meet-in-the-middle technique for truncateddifferential and its applications to CLEFIA and camellia. In: Fast Software En-cryption - 22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8-11,2015, Revised Selected Papers. (2015) 48–70

36. Dong, X., Li, L., Jia, K., Wang, X.: Improved attacks on reduced-round camellia-128/192/256. In: Topics in Cryptology - CT-RSA 2015, The Cryptographer’s Trackat the RSA Conference 2015, San Francisco, CA, USA, April 20-24, 2015. Proceed-ings. (2015) 59–83

37. Guo, J., Jean, J., Nikolic, I., Sasaki, Y.: Meet-in-the-middle attacks on genericFeistel constructions. In: Advances in Cryptology - ASIACRYPT 2014 - 20thInternational Conference on the Theory and Application of Cryptology and Infor-mation Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014. Proceedings,Part I. (2014) 458–477

38. Guo, J., Jean, J., Nikolic, I., Sasaki, Y.: Meet-in-the-Middle Attacks on Classesof Contracting and Expanding Feistel Constructions. IACR Trans. SymmetricCryptol. 2016(2) (2016) 307–337

39. Diffie, W., Hellman, M.E.: Special feature exhaustive cryptanalysis of the NBSdata encryption standard. IEEE Computer 10(6) (1977) 74–84

40. Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: Cryptanaly-sis of the lightweight block cipher KTANTAN. In: Selected Areas in Cryptography- 17th International Workshop, SAC 2010, Waterloo, Ontario, Canada, August12-13, 2010, Revised Selected Papers. (2010) 229–240

41. Aoki, K., Sasaki, Y.: Meet-in-the-middle preimage attacks against reduced SHA-0and SHA-1. In: Advances in Cryptology - CRYPTO 2009, 29th Annual Inter-national Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009.Proceedings. (2009) 70–89

42. Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preim-age attacks: First results on full Tiger, and improved results on MD4 and SHA-2.In: Advances in Cryptology - ASIACRYPT 2010 - 16th International Conferenceon the Theory and Application of Cryptology and Information Security, Singapore,December 5-9, 2010. Proceedings. (2010) 56–75

43. Lin, L., Wu, W., Wang, Y., Zhang, L.: General model of the single-key meet-in-the-middle distinguisher on the word-oriented block cipher. In: InformationSecurity and Cryptology - ICISC 2013 - 16th International Conference, Seoul,Korea, November 27-29, 2013, Revised Selected Papers. (2013) 203–223

44. Beierle, C., Jean, J., Kolbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y.,Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latencyvariant MANTIS. In: Advances in Cryptology - CRYPTO 2016 - 36th AnnualInternational Cryptology Conference, Santa Barbara, CA, USA, August 14-18,2016, Proceedings, Part II. (2016) 123–153

45. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE : A lightweightblock cipher for multiple platforms. In: Selected Areas in Cryptography, 19thInternational Conference, SAC 2012, Windsor, ON, Canada, August 15-16, 2012,Revised Selected Papers. (2012) 339–354

46. Wu, W., Zhang, L.: LBlock: A lightweight block cipher. In: Applied Cryptographyand Network Security - 9th International Conference, ACNS 2011, Nerja, Spain,June 7-10, 2011. Proceedings. (2011) 327–344

47. Lin, L., Wu, W., Zheng, Y.: Automatic search for key-bridging technique: Appli-cations to lblock and TWINE. In: Fast Software Encryption - 23rd InternationalConference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised SelectedPapers. (2016) 247–267

48. Boura, C., Minier, M., Naya-Plasencia, M., Suder, V.: Improved impossible dif-ferential attacks against round-reduced lblock. IACR Cryptology ePrint Archive2014 (2014) 279

49. Wang, Y., Wu, W.: Improved multidimensional zero-correlation linear cryptanal-ysis and applications to lblock and TWINE. In: Information Security and PrivacyACISP. (2014) 1–16

50. Zheng, X., Jia, K.: Impossible differential attack on reduced-round TWINE. In:Information Security and Cryptology - ICISC. (2013) 123–143

51. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysisof reduced-round SKINNY. In: Progress in Cryptology - AFRICACRYPT. (2017)117–134

52. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and Improving ImpossibleDifferential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon. In:Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference onthe Theory and Application of Cryptology and Information Security, Kaoshiung,Taiwan, R.O.C., December 7-11, 2014. Proceedings, Part I. (2014) 179–199

53. Li, L., Jia, K., Wang, X.: Improved single-key attacks on 9-round AES-192/256.In: Fast Software Encryption - 21st International Workshop, FSE 2014, London,UK, March 3-5, 2014. Revised Selected Papers. (2014) 127–146

54. Li, R., Jin, C.: Meet-in-the-middle attacks on 10-round AES-256. Des. CodesCryptography 80(3) (2016) 459–471

55. Akshima, Chang, D., Ghosh, M., Goel, A., Sanadhya, S.K.: Improved meet-in-the-middle attacks on 7 and 8-round ARIA-192 and ARIA-256. In: INDOCRYPT.(2015) 198–217

56. Prud’homme, C., Fages, J.G., Lorca, X.: Choco Documentation. TASC - LS2NCNRS UMR 6241, COSLING S.A.S. (2017)

57. Nikolic, I.: How to use metaheuristics for design of symmetric-key primitives. In:Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference onthe Theory and Applications of Cryptology and Information Security, Hong Kong,China, December 3-7, 2017, Proceedings, Part III. (2017) 369–391

58. Suzaki, T., Minematsu, K.: Improving the generalized feistel. In: Fast SoftwareEncryption, 17th International Workshop, FSE 2010, Seoul, Korea, February 7-10,2010, Revised Selected Papers. (2010) 19–39

A Visualization of the DS-MITM Distinguishers andAttacks [supplementary material]

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0 Round 1

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 2 Round 3

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 4 Round 5

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 6 Round 7

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 8 Round 9

SB,AC

AK,SR

Round 10

Fig. 17: A DS-MITM distinguisher (A,B,Deg(A,B)) for 10.5-round SKINNY-128-384 with A = [14] (the nibble marked with crosshatch in the input stateof round 0), B = [7] (the nibbles marked with crosshatch in the input state ofround 11), and Deg(A,B) = 40 (the nibbles before the SB, AC, AK, and SRoperations mark with red color). The nibble marked with blue color are thoseredundant bytes required to be guessed if we do not impose the cipher-specificconstraints presented in Sect. 7.1.

Table 3: The 64 permutations for which we can not find 12-round distin-guishers and have high resistance against 11-round DS-MITM attack, where(7, 6, 5, 4, 3, 2, 1, 0) means that 0 is permuted to 7, 1 is permuted to 6, and so on.No. Permutation No. Permutation No. Permutation No. Permutation

1 (7,6,5,3,4,1,2,0) 17 (7,6,2,4,0,5,1,3) 33 (7,5,6,3,4,2,1,0) 49 (7,5,2,0,3,1,6,4)2 (7,2,4,1,3,6,0,5) 18 (7,2,0,5,3,6,4,1) 34 (7,1,5,4,0,2,6,3) 50 (7,1,6,0,3,5,2,4)3 (6,4,7,5,2,0,3,1) 19 (6,3,5,0,2,7,1,4) 35 (6,3,1,4,2,7,5,0) 51 (6,0,3,5,2,4,7,1)4 (5,7,4,6,1,3,0,2) 20 (5,4,3,2,0,1,6,7) 36 (5,4,2,3,0,1,7,6) 52 (5,3,0,6,1,7,4,2)5 (5,1,3,7,4,0,2,6) 21 (5,1,6,2,4,0,7,3) 37 (5,0,2,7,1,4,6,3) 53 (5,0,6,3,1,4,2,7)6 (4,6,2,7,3,5,1,0) 22 (4,6,1,3,0,2,5,7) 38 (4,5,3,2,1,0,6,7) 54 (4,5,2,3,1,0,7,6)7 (4,2,5,3,0,6,1,7) 23 (4,2,1,0,7,5,6,3) 39 (4,1,5,7,3,2,6,0) 55 (4,1,7,2,0,5,3,6)8 (4,1,3,6,0,5,7,2) 24 (4,1,2,0,7,6,5,3) 40 (4,0,7,3,5,1,6,2) 56 (4,0,2,6,5,1,3,7)9 (3,6,4,1,7,2,0,5) 25 (3,6,0,5,7,2,4,1) 41 (3,5,2,4,7,1,6,0) 57 (3,5,1,0,4,6,2,7)10 (3,2,6,0,4,1,5,7) 26 (3,2,1,7,0,5,6,4) 42 (3,1,2,7,0,6,5,4) 58 (3,1,6,4,7,5,2,0)11 (2,4,7,1,6,0,3,5) 27 (2,7,5,0,6,3,1,4) 43 (2,7,1,4,6,3,5,0) 59 (2,0,3,1,6,4,7,5)12 (1,5,2,6,0,4,3,7) 28 (1,5,7,3,0,4,6,2) 44 (1,4,6,3,5,0,2,7) 60 (1,4,2,7,5,0,6,3)13 (1,3,0,2,5,7,4,6) 29 (1,7,4,2,5,3,0,6) 45 (1,0,7,6,4,5,2,3) 61 (1,0,6,7,4,5,3,2)14 (0,6,5,4,3,1,2,7) 30 (0,6,1,7,4,2,5,3) 46 (0,5,6,4,3,2,1,7) 62 (0,5,3,6,4,1,7,2)15 (0,5,1,3,7,6,2,4) 31 (0,5,7,2,4,1,3,6) 47 (0,4,6,2,1,5,7,3) 63 (0,4,3,7,1,5,2,6)16 (0,2,5,7,4,6,1,3) 32 (0,2,6,3,7,1,5,4) 48 (0,1,6,7,5,4,3,2) 64 (0,1,7,6,5,4,2,3)

Table 4: The 12 strongest word shuffles with respect to both DS-MITM attackand impossible differential attack.No. Permutation No. Permutation

1 (15,2,13,4,11,6,3,8,1,10,5,0,7,12,9,14) 7 (7,2,13,4,15,6,1,8,5,10,3,0,11,12,9,14)

2 (15,2,9,4,1,6,11,8,3,10,13,0,7,12,5,14) 8 (7,2,11,4,9,6,1,8,15,10,13,0,3,12,5,14)

3 (13,2,15,4,11,6,3,8,1,10,5,0,9,12,7,14) 9 (7,2,11,4,9,6,1,8,13,10,15,0,5,12,3,14)

4 (13,2,9,4,1,6,11,8,3,10,15,0,5,12,7,14) 10 (7,2,15,4,13,6,1,8,5,10,3,0,9,12,11,14)

5 (9,2,7,4,11,6,15,8,13,10,5,0,1,12,3,14) 11 (5,2,9,4,13,6,15,8,3,10,7,0,1,12,11,14)

6 (9,2,7,4,11,6,13,8,15,10,5,0,3,12,1,14) 12 (5,2,9,4,15,6,13,8,3,10,7,0,11,12,1,14)

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0 Round 1

SB,AC

AK,SR

MC

Round 2 Round3

· · · 11-round Distinguisher · · · MC

Round 14 Round 15

Round 16 Round 17

Round 18 Round 19

Round 20 Round 21

Round 22

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Fig. 18: An illustration of the backward differential and forward determinationrelationship in the outer rounds of SKINNY with the DS-MITM distinguisherpresented in Fig. 17 placed at E1. The bytes in Guess(E0) and Guess(E2) aremarked with red color. From the input state of round 0, we know that A =[0, 2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 14]. Hence, the data complexity is 28×12 = 296.

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Round 0 Round 1

SB,AC

AK,SR

MC

Round 2 Round3

Round 14 Round 15

Round 16 Round 17

Round 18 Round 19

Round 20 Round 21

Round 22

· · · 11-round Distinguisher · · · MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

SB,AC

AK,SR

MC SB,AC

AK,SR

MC

Fig. 19: Derive kE0 and kE2 from Fig. 18. The subkey nibbles marked with orangecolor are the secret-key information we need to guess. With the knowledge ofthese bytes, we can derive the values of all the bytes of P 0 marked with orangecolor in this figure, from which we can determine all the bytes in Guess(E0) andGuess(E2) shown in Fig. 18.

Round 0

SB,LN

≪ 8

SK

Round 1

SB,LN

≪ 8

SK

Round 2

SB,LN

≪ 8

SK

Round 3

SB,LN

≪ 8

SK

Round 4

SB,LN

≪ 8

SK

Round 5

SB,LN

≪ 8

SK

Round 6

SB,LN

≪ 8

SK

Round 7

SB,LN

≪ 8

SK

Round 8

SB,LN

≪ 8

SK

Round 9

SB,LN

≪ 8

SK

Round 10

SB,LN

≪ 8

SK

Round 11

Fig. 20: A DS-MITM distinguisher (A,B,Deg(A,B)) for 11-round LBlock withA = [12] (the nibble marked with crosshatch in round 0), B = [12] (the nibblesmarked with crosshatch in round 11), and Deg(A,B) = 14 (the nibbles beforethe S-box operations mark with red).

Round 5

...11-round Distinguisher

...

Round 0

SB,LN

≪ 8

SK

Round 1

SB,LN

≪ 8

SK

Round 2

SB,LN

≪ 8

SK

Round 3

SB,LN

≪ 8

SK

Round 4

SB,LN

≪ 8

SK

Round 21

...Distinguisher

...Round 16

SB,LN

≪ 8

SK

Round 17

SB,LN

≪ 8

SK

Round 18

SB,LN

≪ 8

SK

Round 19

SB,LN

≪ 8

SK

Round 20

SB,LN

≪ 8

SK

Fig. 21: An illustration of the backward differential and forward determinationrelationship in the outer rounds of LBlock with the DS-MITM distinguisherpresented in Fig. 20 placed at E1. Nibbles in Guess(E0) and Guess(E2) are markedwith red.

Round 5

...11-round Distinguisher

...

Round 0

SB,LN

≪ 8

SK

Round 1

SB,LN

≪ 8

SK

Round 2

SB,LN

≪ 8

SK

Round 3

SB,LN

≪ 8

SK

Round 4

SB,LN

≪ 8

SK

Round 21

...Distinguisher

...Round 16

SB,LN

≪ 8

SK

Round 17

SB,LN

≪ 8

SK

Round 18

SB,LN

≪ 8

SK

Round 19

SB,LN

≪ 8

SK

Round 20

SB,LN

≪ 8

SK

Fig. 22: Derive kE0and kE2

from Fig. 21. The subkey nibbles marked with orangeare the secret-key information we need to guess.

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

0

0Round 0 1Round 0 2Round 0 3Round 0

1

4Round 0 5Round 0 6Round 0 7Round 0

2

8Round 0 9Round 0 10Round 0 11Round 0

3

12Round 0 13Round 0 14Round 0 15Round 0

4

16Round 0 17Round 0 18Round 0 19Round 0

5

20Round 0 21Round 0 22Round 0 23Round 0

6

24Round 0 25Round 0 26Round 0 27Round 0

7

28Round 0 29Round 0 30Round 0 31Round 0

8

32Round 0 33Round 0 34Round 0 35Round 0

9

36Round 0 37Round 0 38Round 0 39Round 0

10

40Round 0 41Round 0 42Round 0 43Round 0

11

44Round 0 45Round 0 46Round 0 47Round 0

12

48Round 0 49Round 0 50Round 0 51Round 0

13

52Round 0 53Round 0 54Round 0 55Round 0

14

56Round 0 57Round 0 58Round 0 59Round 0

15

60Round 0 61Round 0 62Round 0 63Round 0

16

64Round 0 65Round 0 66Round 0 67Round 0

17

68Round 0 69Round 0 70Round 0 71Round 0

18

72Round 0 73Round 0 74Round 0 75Round 0

19

76Round 0 77Round 0 78Round 0 79Round 0

0

29Round 1 30Round 1 31Round 1 32Round 1

1

33Round 1 34Round 1 35Round 1 36Round 1

2

37Round 1 38Round 1 39Round 1 40Round 1

3

41Round 1 42Round 1 43Round 1 44Round 1

4

45Round 1 46Round 1 47Round 1 48Round 1

5

49Round 1 50Round 1 51Round 1 52Round 1

6

53Round 1 54Round 1 55Round 1 56Round 1

7

57Round 1 58Round 1 59Round 1 60Round 1

8

61Round 1 62Round 1 63Round 1 64Round 1

9

65Round 1 66Round 1 67Round 1 68Round 1

10

69Round 1 70Round 1 71Round 1 72Round 1

11

73Round 1 74Round 1 75Round 1 76Round 1

12

77Round 1 78Round 1 79Round 1 0Round 1

13

1Round 1 2Round 1 3Round 1 4Round 1

14

5Round 1 6Round 1 7Round 1 8Round 1

15

9Round 1 10Round 1 11Round 1 12Round 1

16

13Round 1 14Round 1 15Round 1 16Round 1

17

17Round 1 18Round 1 19Round 1 20Round 1

18

21Round 1 22Round 1 23Round 1 24Round 1

19

25Round 1 26Round 1 27Round 1 28Round 1

0

58Round 2 59Round 2 60Round 2 61Round 2

1

62Round 2 63Round 2 64Round 2 65Round 2

2

66Round 2 67Round 2 68Round 2 69Round 2

3

70Round 2 71Round 2 72Round 2 73Round 2

4

74Round 2 75Round 2 76Round 2 77Round 2

5

78Round 2 79Round 2 0Round 2 1Round 2

6

2Round 2 3Round 2 4Round 2 5Round 2

7

6Round 2 7Round 2 8Round 2 9Round 2

8

10Round 2 11Round 2 12Round 2 13Round 2

9

14Round 2 15Round 2 16Round 2 17Round 2

10

18Round 2 19Round 2 20Round 2 21Round 2

11

22Round 2 23Round 2 24Round 2 25Round 2

12

26Round 2 27Round 2 28Round 2 29Round 2

13

30Round 2 31Round 2 32Round 2 33Round 2

14

34Round 2 35Round 2 36Round 2 37Round 2

15

38Round 2 39Round 2 40Round 2 41Round 2

16

42Round 2 43Round 2 44Round 2 45Round 2

17

46Round 2 47Round 2 48Round 2 49Round 2

18

50Round 2 51Round 2 52Round 2 53Round 2

19

54Round 2 55Round 2 56Round 2 57Round 2

0

7Round 3 8Round 3 9Round 3 10Round 3

1

11Round 3 12Round 3 13Round 3 14Round 3

2

15Round 3 16Round 3 17Round 3 18Round 3

3

19Round 3 20Round 3 21Round 3 22Round 3

4

23Round 3 24Round 3 25Round 3 26Round 3

5

27Round 3 28Round 3 29Round 3 30Round 3

6

31Round 3 32Round 3 33Round 3 34Round 3

7

35Round 3 36Round 3 37Round 3 38Round 3

8

39Round 3 40Round 3 41Round 3 42Round 3

9

43Round 3 44Round 3 45Round 3 46Round 3

10

47Round 3 48Round 3 49Round 3 50Round 3

11

51Round 3 52Round 3 53Round 3 54Round 3

12

55Round 3 56Round 3 57Round 3 58Round 3

13

59Round 3 60Round 3 61Round 3 62Round 3

14

63Round 3 64Round 3 65Round 3 66Round 3

15

67Round 3 68Round 3 69Round 3 70Round 3

16

71Round 3 72Round 3 73Round 3 74Round 3

17

75Round 3 76Round 3 77Round 3 78Round 3

18

79Round 3 0Round 3 1Round 3 2Round 3

19

3Round 3 4Round 3 5Round 3 6Round 3

0

36Round 4 37Round 4 38Round 4 39Round 4

1

40Round 4 41Round 4 42Round 4 43Round 4

2

44Round 4 45Round 4 46Round 4 47Round 4

3

48Round 4 49Round 4 50Round 4 51Round 4

4

52Round 4 53Round 4 54Round 4 55Round 4

5

56Round 4 57Round 4 58Round 4 59Round 4

6

60Round 4 61Round 4 62Round 4 63Round 4

7

64Round 4 65Round 4 66Round 4 67Round 4

8

68Round 4 69Round 4 70Round 4 71Round 4

9

72Round 4 73Round 4 74Round 4 75Round 4

10

76Round 4 77Round 4 78Round 4 79Round 4

11

0Round 4 1Round 4 2Round 4 3Round 4

12

4Round 4 5Round 4 6Round 4 7Round 4

13

8Round 4 9Round 4 10Round 4 11Round 4

14

12Round 4 13Round 4 14Round 4 15Round 4

15

16Round 4 17Round 4 18Round 4 19Round 4

16

20Round 4 21Round 4 22Round 4 23Round 4

17

24Round 4 25Round 4 26Round 4 27Round 4

18

28Round 4 29Round 4 30Round 4 31Round 4

19

32Round 4 33Round 4 34Round 4 35Round 4

0

65Round 5 66Round 5 67Round 5 68Round 5

1

69Round 5 70Round 5 71Round 5 72Round 5

2

73Round 5 74Round 5 75Round 5 76Round 5

3

77Round 5 78Round 5 79Round 5 0Round 5

4

1Round 5 2Round 5 3Round 5 4Round 5

5

5Round 5 6Round 5 7Round 5 8Round 5

6

9Round 5 10Round 5 11Round 5 12Round 5

7

13Round 5 14Round 5 15Round 5 16Round 5

8

17Round 5 18Round 5 19Round 5 20Round 5

9

21Round 5 22Round 5 23Round 5 24Round 5

10

25Round 5 26Round 5 27Round 5 28Round 5

11

29Round 5 30Round 5 31Round 5 32Round 5

12

33Round 5 34Round 5 35Round 5 36Round 5

13

37Round 5 38Round 5 39Round 5 40Round 5

14

41Round 5 42Round 5 43Round 5 44Round 5

15

45Round 5 46Round 5 47Round 5 48Round 5

16

49Round 5 50Round 5 51Round 5 52Round 5

17

53Round 5 54Round 5 55Round 5 56Round 5

18

57Round 5 58Round 5 59Round 5 60Round 5

19

61Round 5 62Round 5 63Round 5 64Round 5

0

14Round 6 15Round 6 16Round 6 17Round 6

1

18Round 6 19Round 6 20Round 6 21Round 6

2

22Round 6 23Round 6 24Round 6 25Round 6

3

26Round 6 27Round 6 28Round 6 29Round 6

4

30Round 6 31Round 6 32Round 6 33Round 6

5

34Round 6 35Round 6 36Round 6 37Round 6

6

38Round 6 39Round 6 40Round 6 41Round 6

7

42Round 6 43Round 6 44Round 6 45Round 6

8

46Round 6 47Round 6 48Round 6 49Round 6

9

50Round 6 51Round 6 52Round 6 53Round 6

10

54Round 6 55Round 6 56Round 6 57Round 6

11

58Round 6 59Round 6 60Round 6 61Round 6

12

62Round 6 63Round 6 64Round 6 65Round 6

13

66Round 6 67Round 6 68Round 6 69Round 6

14

70Round 6 71Round 6 72Round 6 73Round 6

15

74Round 6 75Round 6 76Round 6 77Round 6

16

78Round 6 79Round 6 0Round 6 1Round 6

17

2Round 6 3Round 6 4Round 6 5Round 6

18

6Round 6 7Round 6 8Round 6 9Round 6

19

10Round 6 11Round 6 12Round 6 13Round 6

0

43Round 7 44Round 7 45Round 7 46Round 7

1

47Round 7 48Round 7 49Round 7 50Round 7

2

51Round 7 52Round 7 53Round 7 54Round 7

3

55Round 7 56Round 7 57Round 7 58Round 7

4

59Round 7 60Round 7 61Round 7 62Round 7

5

63Round 7 64Round 7 65Round 7 66Round 7

6

67Round 7 68Round 7 69Round 7 70Round 7

7

71Round 7 72Round 7 73Round 7 74Round 7

8

75Round 7 76Round 7 77Round 7 78Round 7

9

79Round 7 0Round 7 1Round 7 2Round 7

10

3Round 7 4Round 7 5Round 7 6Round 7

11

7Round 7 8Round 7 9Round 7 10Round 7

12

11Round 7 12Round 7 13Round 7 14Round 7

13

15Round 7 16Round 7 17Round 7 18Round 7

14

19Round 7 20Round 7 21Round 7 22Round 7

15

23Round 7 24Round 7 25Round 7 26Round 7

16

27Round 7 28Round 7 29Round 7 30Round 7

17

31Round 7 32Round 7 33Round 7 34Round 7

18

35Round 7 36Round 7 37Round 7 38Round 7

19

39Round 7 40Round 7 41Round 7 42Round 7

0

72Round 8 73Round 8 74Round 8 75Round 8

1

76Round 8 77Round 8 78Round 8 79Round 8

2

0Round 8 1Round 8 2Round 8 3Round 8

3

4Round 8 5Round 8 6Round 8 7Round 8

4

8Round 8 9Round 8 10Round 8 11Round 8

5

12Round 8 13Round 8 14Round 8 15Round 8

6

16Round 8 17Round 8 18Round 8 19Round 8

7

20Round 8 21Round 8 22Round 8 23Round 8

8

24Round 8 25Round 8 26Round 8 27Round 8

9

28Round 8 29Round 8 30Round 8 31Round 8

10

32Round 8 33Round 8 34Round 8 35Round 8

11

36Round 8 37Round 8 38Round 8 39Round 8

12

40Round 8 41Round 8 42Round 8 43Round 8

13

44Round 8 45Round 8 46Round 8 47Round 8

14

48Round 8 49Round 8 50Round 8 51Round 8

15

52Round 8 53Round 8 54Round 8 55Round 8

16

56Round 8 57Round 8 58Round 8 59Round 8

17

60Round 8 61Round 8 62Round 8 63Round 8

18

64Round 8 65Round 8 66Round 8 67Round 8

19

68Round 8 69Round 8 70Round 8 71Round 8

0

21Round 9 22Round 9 23Round 9 24Round 9

1

25Round 9 26Round 9 27Round 9 28Round 9

2

29Round 9 30Round 9 31Round 9 32Round 9

3

33Round 9 34Round 9 35Round 9 36Round 9

4

37Round 9 38Round 9 39Round 9 40Round 9

5

41Round 9 42Round 9 43Round 9 44Round 9

6

45Round 9 46Round 9 47Round 9 48Round 9

7

49Round 9 50Round 9 51Round 9 52Round 9

8

53Round 9 54Round 9 55Round 9 56Round 9

9

57Round 9 58Round 9 59Round 9 60Round 9

10

61Round 9 62Round 9 63Round 9 64Round 9

11

65Round 9 66Round 9 67Round 9 68Round 9

12

69Round 9 70Round 9 71Round 9 72Round 9

13

73Round 9 74Round 9 75Round 9 76Round 9

14

77Round 9 78Round 9 79Round 9 0Round 9

15

1Round 9 2Round 9 3Round 9 4Round 9

16

5Round 9 6Round 9 7Round 9 8Round 9

17

9Round 9 10Round 9 11Round 9 12Round 9

18

13Round 9 14Round 9 15Round 9 16Round 9

19

17Round 9 18Round 9 19Round 9 20Round 9

0

50Round 10 51Round 10 52Round 10 53Round 10

1

54Round 10 55Round 10 56Round 10 57Round 10

2

58Round 10 59Round 10 60Round 10 61Round 10

3

62Round 10 63Round 10 64Round 10 65Round 10

4

66Round 10 67Round 10 68Round 10 69Round 10

5

70Round 10 71Round 10 72Round 10 73Round 10

6

74Round 10 75Round 10 76Round 10 77Round 10

7

78Round 10 79Round 10 0Round 10 1Round 10

8

2Round 10 3Round 10 4Round 10 5Round 10

9

6Round 10 7Round 10 8Round 10 9Round 10

10

10Round 10 11Round 10 12Round 10 13Round 10

11

14Round 10 15Round 10 16Round 10 17Round 10

12

18Round 10 19Round 10 20Round 10 21Round 10

13

22Round 10 23Round 10 24Round 10 25Round 10

14

26Round 10 27Round 10 28Round 10 29Round 10

15

30Round 10 31Round 10 32Round 10 33Round 10

16

34Round 10 35Round 10 36Round 10 37Round 10

17

38Round 10 39Round 10 40Round 10 41Round 10

18

42Round 10 43Round 10 44Round 10 45Round 10

19

46Round 10 47Round 10 48Round 10 49Round 10

0

79Round 11 0Round 11 1Round 11 2Round 11

1

3Round 11 4Round 11 5Round 11 6Round 11

2

7Round 11 8Round 11 9Round 11 10Round 11

3

11Round 11 12Round 11 13Round 11 14Round 11

4

15Round 11 16Round 11 17Round 11 18Round 11

5

19Round 11 20Round 11 21Round 11 22Round 11

6

23Round 11 24Round 11 25Round 11 26Round 11

7

27Round 11 28Round 11 29Round 11 30Round 11

8

31Round 11 32Round 11 33Round 11 34Round 11

9

35Round 11 36Round 11 37Round 11 38Round 11

10

39Round 11 40Round 11 41Round 11 42Round 11

11

43Round 11 44Round 11 45Round 11 46Round 11

12

47Round 11 48Round 11 49Round 11 50Round 11

13

51Round 11 52Round 11 53Round 11 54Round 11

14

55Round 11 56Round 11 57Round 11 58Round 11

15

59Round 11 60Round 11 61Round 11 62Round 11

16

63Round 11 64Round 11 65Round 11 66Round 11

17

67Round 11 68Round 11 69Round 11 70Round 11

18

71Round 11 72Round 11 73Round 11 74Round 11

19

75Round 11 76Round 11 77Round 11 78Round 11

0

28Round 12 29Round 12 30Round 12 31Round 12

1

32Round 12 33Round 12 34Round 12 35Round 12

2

36Round 12 37Round 12 38Round 12 39Round 12

3

40Round 12 41Round 12 42Round 12 43Round 12

4

44Round 12 45Round 12 46Round 12 47Round 12

5

48Round 12 49Round 12 50Round 12 51Round 12

6

52Round 12 53Round 12 54Round 12 55Round 12

7

56Round 12 57Round 12 58Round 12 59Round 12

8

60Round 12 61Round 12 62Round 12 63Round 12

9

64Round 12 65Round 12 66Round 12 67Round 12

10

68Round 12 69Round 12 70Round 12 71Round 12

11

72Round 12 73Round 12 74Round 12 75Round 12

12

76Round 12 77Round 12 78Round 12 79Round 12

13

0Round 12 1Round 12 2Round 12 3Round 12

14

4Round 12 5Round 12 6Round 12 7Round 12

15

8Round 12 9Round 12 10Round 12 11Round 12

16

12Round 12 13Round 12 14Round 12 15Round 12

17

16Round 12 17Round 12 18Round 12 19Round 12

18

20Round 12 21Round 12 22Round 12 23Round 12

19

24Round 12 25Round 12 26Round 12 27Round 12

0

57Round 13 58Round 13 59Round 13 60Round 13

1

61Round 13 62Round 13 63Round 13 64Round 13

2

65Round 13 66Round 13 67Round 13 68Round 13

3

69Round 13 70Round 13 71Round 13 72Round 13

4

73Round 13 74Round 13 75Round 13 76Round 13

5

77Round 13 78Round 13 79Round 13 0Round 13

6

1Round 13 2Round 13 3Round 13 4Round 13

7

5Round 13 6Round 13 7Round 13 8Round 13

8

9Round 13 10Round 13 11Round 13 12Round 13

9

13Round 13 14Round 13 15Round 13 16Round 13

10

17Round 13 18Round 13 19Round 13 20Round 13

11

21Round 13 22Round 13 23Round 13 24Round 13

12

25Round 13 26Round 13 27Round 13 28Round 13

13

29Round 13 30Round 13 31Round 13 32Round 13

14

33Round 13 34Round 13 35Round 13 36Round 13

15

37Round 13 38Round 13 39Round 13 40Round 13

16

41Round 13 42Round 13 43Round 13 44Round 13

17

45Round 13 46Round 13 47Round 13 48Round 13

18

49Round 13 50Round 13 51Round 13 52Round 13

19

53Round 13 54Round 13 55Round 13 56Round 13

0

6Round 14 7Round 14 8Round 14 9Round 14

1

10Round 14 11Round 14 12Round 14 13Round 14

2

14Round 14 15Round 14 16Round 14 17Round 14

3

18Round 14 19Round 14 20Round 14 21Round 14

4

22Round 14 23Round 14 24Round 14 25Round 14

5

26Round 14 27Round 14 28Round 14 29Round 14

6

30Round 14 31Round 14 32Round 14 33Round 14

7

34Round 14 35Round 14 36Round 14 37Round 14

8

38Round 14 39Round 14 40Round 14 41Round 14

9

42Round 14 43Round 14 44Round 14 45Round 14

10

46Round 14 47Round 14 48Round 14 49Round 14

11

50Round 14 51Round 14 52Round 14 53Round 14

12

54Round 14 55Round 14 56Round 14 57Round 14

13

58Round 14 59Round 14 60Round 14 61Round 14

14

62Round 14 63Round 14 64Round 14 65Round 14

15

66Round 14 67Round 14 68Round 14 69Round 14

16

70Round 14 71Round 14 72Round 14 73Round 14

17

74Round 14 75Round 14 76Round 14 77Round 14

18

78Round 14 79Round 14 0Round 14 1Round 14

19

2Round 14 3Round 14 4Round 14 5Round 14

0

35Round 15 36Round 15 37Round 15 38Round 15

1

39Round 15 40Round 15 41Round 15 42Round 15

2

43Round 15 44Round 15 45Round 15 46Round 15

3

47Round 15 48Round 15 49Round 15 50Round 15

4

51Round 15 52Round 15 53Round 15 54Round 15

5

55Round 15 56Round 15 57Round 15 58Round 15

6

59Round 15 60Round 15 61Round 15 62Round 15

7

63Round 15 64Round 15 65Round 15 66Round 15

8

67Round 15 68Round 15 69Round 15 70Round 15

9

71Round 15 72Round 15 73Round 15 74Round 15

10

75Round 15 76Round 15 77Round 15 78Round 15

11

79Round 15 0Round 15 1Round 15 2Round 15

12

3Round 15 4Round 15 5Round 15 6Round 15

13

7Round 15 8Round 15 9Round 15 10Round 15

14

11Round 15 12Round 15 13Round 15 14Round 15

15

15Round 15 16Round 15 17Round 15 18Round 15

16

19Round 15 20Round 15 21Round 15 22Round 15

17

23Round 15 24Round 15 25Round 15 26Round 15

18

27Round 15 28Round 15 29Round 15 30Round 15

19

31Round 15 32Round 15 33Round 15 34Round 15

0

64Round 16 65Round 16 66Round 16 67Round 16

1

68Round 16 69Round 16 70Round 16 71Round 16

2

72Round 16 73Round 16 74Round 16 75Round 16

3

76Round 16 77Round 16 78Round 16 79Round 16

4

0Round 16 1Round 16 2Round 16 3Round 16

5

4Round 16 5Round 16 6Round 16 7Round 16

6

8Round 16 9Round 16 10Round 16 11Round 16

7

12Round 16 13Round 16 14Round 16 15Round 16

8

16Round 16 17Round 16 18Round 16 19Round 16

9

20Round 16 21Round 16 22Round 16 23Round 16

10

24Round 16 25Round 16 26Round 16 27Round 16

11

28Round 16 29Round 16 30Round 16 31Round 16

12

32Round 16 33Round 16 34Round 16 35Round 16

13

36Round 16 37Round 16 38Round 16 39Round 16

14

40Round 16 41Round 16 42Round 16 43Round 16

15

44Round 16 45Round 16 46Round 16 47Round 16

16

48Round 16 49Round 16 50Round 16 51Round 16

17

52Round 16 53Round 16 54Round 16 55Round 16

18

56Round 16 57Round 16 58Round 16 59Round 16

19

60Round 16 61Round 16 62Round 16 63Round 16

0

13Round 17 14Round 17 15Round 17 16Round 17

1

17Round 17 18Round 17 19Round 17 20Round 17

2

21Round 17 22Round 17 23Round 17 24Round 17

3

25Round 17 26Round 17 27Round 17 28Round 17

4

29Round 17 30Round 17 31Round 17 32Round 17

5

33Round 17 34Round 17 35Round 17 36Round 17

6

37Round 17 38Round 17 39Round 17 40Round 17

7

41Round 17 42Round 17 43Round 17 44Round 17

8

45Round 17 46Round 17 47Round 17 48Round 17

9

49Round 17 50Round 17 51Round 17 52Round 17

10

53Round 17 54Round 17 55Round 17 56Round 17

11

57Round 17 58Round 17 59Round 17 60Round 17

12

61Round 17 62Round 17 63Round 17 64Round 17

13

65Round 17 66Round 17 67Round 17 68Round 17

14

69Round 17 70Round 17 71Round 17 72Round 17

15

73Round 17 74Round 17 75Round 17 76Round 17

16

77Round 17 78Round 17 79Round 17 0Round 17

17

1Round 17 2Round 17 3Round 17 4Round 17

18

5Round 17 6Round 17 7Round 17 8Round 17

19

9Round 17 10Round 17 11Round 17 12Round 17

0

42Round 18 43Round 18 44Round 18 45Round 18

1

46Round 18 47Round 18 48Round 18 49Round 18

2

50Round 18 51Round 18 52Round 18 53Round 18

3

54Round 18 55Round 18 56Round 18 57Round 18

4

58Round 18 59Round 18 60Round 18 61Round 18

5

62Round 18 63Round 18 64Round 18 65Round 18

6

66Round 18 67Round 18 68Round 18 69Round 18

7

70Round 18 71Round 18 72Round 18 73Round 18

8

74Round 18 75Round 18 76Round 18 77Round 18

9

78Round 18 79Round 18 0Round 18 1Round 18

10

2Round 18 3Round 18 4Round 18 5Round 18

11

6Round 18 7Round 18 8Round 18 9Round 18

12

10Round 18 11Round 18 12Round 18 13Round 18

13

14Round 18 15Round 18 16Round 18 17Round 18

14

18Round 18 19Round 18 20Round 18 21Round 18

15

22Round 18 23Round 18 24Round 18 25Round 18

16

26Round 18 27Round 18 28Round 18 29Round 18

17

30Round 18 31Round 18 32Round 18 33Round 18

18

34Round 18 35Round 18 36Round 18 37Round 18

19

38Round 18 39Round 18 40Round 18 41Round 18

0

71Round 19 72Round 19 73Round 19 74Round 19

1

75Round 19 76Round 19 77Round 19 78Round 19

2

79Round 19 0Round 19 1Round 19 2Round 19

3

3Round 19 4Round 19 5Round 19 6Round 19

4

7Round 19 8Round 19 9Round 19 10Round 19

5

11Round 19 12Round 19 13Round 19 14Round 19

6

15Round 19 16Round 19 17Round 19 18Round 19

7

19Round 19 20Round 19 21Round 19 22Round 19

8

23Round 19 24Round 19 25Round 19 26Round 19

9

27Round 19 28Round 19 29Round 19 30Round 19

10

31Round 19 32Round 19 33Round 19 34Round 19

11

35Round 19 36Round 19 37Round 19 38Round 19

12

39Round 19 40Round 19 41Round 19 42Round 19

13

43Round 19 44Round 19 45Round 19 46Round 19

14

47Round 19 48Round 19 49Round 19 50Round 19

15

51Round 19 52Round 19 53Round 19 54Round 19

16

55Round 19 56Round 19 57Round 19 58Round 19

17

59Round 19 60Round 19 61Round 19 62Round 19

18

63Round 19 64Round 19 65Round 19 66Round 19

19

67Round 19 68Round 19 69Round 19 70Round 19

0

20Round 20 21Round 20 22Round 20 23Round 20

1

24Round 20 25Round 20 26Round 20 27Round 20

2

28Round 20 29Round 20 30Round 20 31Round 20

3

32Round 20 33Round 20 34Round 20 35Round 20

4

36Round 20 37Round 20 38Round 20 39Round 20

5

40Round 20 41Round 20 42Round 20 43Round 20

6

44Round 20 45Round 20 46Round 20 47Round 20

7

48Round 20 49Round 20 50Round 20 51Round 20

8

52Round 20 53Round 20 54Round 20 55Round 20

9

56Round 20 57Round 20 58Round 20 59Round 20

10

60Round 20 61Round 20 62Round 20 63Round 20

11

64Round 20 65Round 20 66Round 20 67Round 20

12

68Round 20 69Round 20 70Round 20 71Round 20

13

72Round 20 73Round 20 74Round 20 75Round 20

14

76Round 20 77Round 20 78Round 20 79Round 20

15

0Round 20 1Round 20 2Round 20 3Round 20

16

4Round 20 5Round 20 6Round 20 7Round 20

17

8Round 20 9Round 20 10Round 20 11Round 20

18

12Round 20 13Round 20 14Round 20 15Round 20

19

16Round 20 17Round 20 18Round 20 19Round 20

Fig. 23: An illustration that if we know the nibbles marked with red in round2 of the key schedule algorithm of LBlock, we can derive the values of all thenibbles marked with green in the other rounds. The reader can verify that allthe nibbles marked with orange in Fig. 22 are included in the colored nibbles ofthis figure.

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

RK RK RK RK RK RK RK RK

Round 0

Round 1

Round 2

Round 3

Round 4

Round 5

Round 6

Round 7

Round 8

Round 9

Round 10

Round 11

Fig. 24: A DS-MITM distinguisher (A,B,Deg(A,B)) for 11-round TWINE withA = [3] (the nibble marked with crosshatch in round 0), B = [9, 13] (the nibblesmarked with crosshatch in round 11), and Deg(A,B) = 19 (the nibbles beforethe S-box operations mark with red).

Round 0RK RK RK RK RK RK RK RK

Round 1RK RK RK RK RK RK RK RK

Round 2RK RK RK RK RK RK RK RK

Round 3RK RK RK RK RK RK RK RK

Round 4

11-round Distinguisher

Round15RK RK RK RK RK RK RK RK

Round16RK RK RK RK RK RK RK RK

Round17RK RK RK RK RK RK RK RK

Round18RK RK RK RK RK RK RK RK

Round19RK RK RK RK RK RK RK RK

Round 20

Fig. 25: An illustration of the backward differential and forward determinationrelationship in the outer rounds of TWINE with the DS-MITM distinguisherpresented in Fig. 24 placed at E1. Nibbles in Guess(E0) and Guess(E2) are markedwith blue.

Round 0

RK RK RK RK RK RK RK RK

Round 1

RK RK RK RK RK RK RK RK

Round 2

RK RK RK RK RK RK RK RK

Round 3

RK RK RK RK RK RK RK RK

Round 4

11-round Distinguisher

Round15

RK RK RK RK RK RK RK RK

Round16

RK RK RK RK RK RK RK RK

Round17

RK RK RK RK RK RK RK RK

Round18

RK RK RK RK RK RK RK RK

Round19

RK RK RK RK RK RK RK RK

Round 20

Fig. 26: Derive kE0and kE2

from Fig. 25. The subkey nibbles marked with orangeare the secret-key information we need to guess.

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1 2 3 0

8 9 10 11 12 13 14 15 16 17 18 19 1 2 3 0 5 6 7 4

12 13 14 15 16 17 18 19 1 2 3 0 5 6 7 4 9 10 11 8

16 17 18 19 1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12

1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12 17 18 19 16

5 6 7 4 9 10 11 8 13 14 15 12 17 18 19 16 2 3 0 1

9 10 11 8 13 14 15 12 17 18 19 16 2 3 0 1 6 7 4 5

13 14 15 12 17 18 19 16 2 3 0 1 6 7 4 5 10 11 8 9

17 18 19 16 2 3 0 1 6 7 4 5 10 11 8 9 14 15 12 13

2 3 0 1 6 7 4 5 10 11 8 9 14 15 12 13 18 19 16 17

6 7 4 5 10 11 8 9 14 15 12 13 18 19 16 17 3 0 1 2

10 11 8 9 14 15 12 13 18 19 16 17 3 0 1 2 7 4 5 6

14 15 12 13 18 19 16 17 3 0 1 2 7 4 5 6 11 8 9 10

18 19 16 17 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14

3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 19 16 17 18

7 4 5 6 11 8 9 10 15 12 13 14 19 16 17 18 0 1 2 3

11 8 9 10 15 12 13 14 19 16 17 18 0 1 2 3 4 5 6 7

15 12 13 14 19 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11

Round 0

S S

Round 1

S S

Round 2

S S

Round 3

S S

Round 4

S S

Round 5

S S

Round 6

S S

Round 7

S S

Round 8

S S

Round 9

S S

Round 10

S S

Round 11

S S

Round 12

S S

Round 13

S S

Round 14

S S

Round 15

S S

Round 16

S S

Round 17

S S

Round 18

S S

19 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15Round 19

Fig. 27: A illustration that if we know the nibbles marked with red in round 18of the key schedule algorithm of TWINE, we can derive the values of all thenibbles marked with green in the other rounds. The reader can verify that allthe nibbles marked with orange in Fig. 26 are included in the colored nibbles ofthis figure.