Differential Attack With Constants On μ2 Block Cipher

Abstract

Abstract Differential attack is one of the most important methods in cryptanalysis. When finding a high-probability differential trail, the effect of constant has long been ignored. In this paper, we focus on the effect of constants on the differential attack against $\mu ^2$. $\mu ^2$ is a newly proposed block cipher based on a Type-II generalized Feistel structure. Its 16-bit F function (denoted as F-box) is an ultra-lightweight permutation equipped with different constants. The designer applied the minimum number of active S-boxes to determine $\mu ^2$’ security margin in the design document. However, the F-boxes use different round constants in different rounds; the constants may lead to incompatibility of differential trails of F-boxes. Therefore, to provide a more precise differential attack on $\mu ^2$, we construct an model based on STP (Simple Theorem Prover) constraint solver to search for the valid differential trails with a more precise probability of $\mu ^2$ for different starting rounds. Finally, the related-key differential trail covers one more round than the existing methods. Analyzing the effect of constants on the validity and the probability of the differential trail reminds the designers and the attackers to have a more comprehensive analysis of specific ciphers.