Automatic search method for multiple differentials and its application on MANTIS

  • Shiyao Chen
  • Ru Liu
  • Tingting Cui
  • Meiqin WangEmail author
Research Paper


Multiple differential cryptanalysis is one of the extensions of classic differential cryptanalysis. In this paper, we present a generic automatic search method for clustering multiple differentials on a target block cipher. Our search method has two steps. Firstly, the sets of input and output differences will be determined. With these sets, we get different multiple differentials. Then for each one of these multiple differentials, we enumerate and record all satisfied differential trails, which leads to a more accurate evaluation of the multiple differentials distinguisher. Among these different multiple differentials distinguishers, we can choose the best one for key recovery attack. We demonstrate our search method by applying it on the part of differentials of the block cipher MANTIS. As a result, we find a new 10-round multiple differentials distinguisher with probability 2−55.98 and an 11-round multiple differentials distinguisher with probability 2−63.71, which is the longest distinguisher for MANTIS so far as we know. This new 10-round distinguisher can lead to a better signal-to-noise ratio, so we derive an improved key recovery attack on MANTIS-6 with the complexity of about 251.79 chosen-plaintext queries, 251.91 encryptions and data-time product 2103.70, which is better than the previous best one with data-time product 2110.61. Aiming at exploring the gap between the performance of multiple differential attack and the security margin on MANTIS, we also use the 11-round distinguisher to derive a key recovery attack on MANTIS-7 with the complexity of about 261.86 chosen-plaintext queries, 2102.92 encryptions and data-time product 2164.78. It does not threat the security of full version MANTIS (MANTIS-7) since the security bound of data-time product claimed by the designers is 2126.


multiple differential cryptanalysis structure attack automatic search MANTIS MILP 



This work was supported by National Cryptography Development Fund (Grant No. MMJJ201701-02), National Natural Science Foundation of China (Grant No. 61572293), Major Scientific and Technological Innovation Projects of Shandong Province (Grant No. 2017CXGC0704), and Fundamental Research Fund of Shandong Academy of Sciences (Grant No. 2018:12-16).


  1. 1.
    Biham E, Shamir A. Differential Cryptanalysis of the Data Encryption Standard. Berlin: Springer, 1993CrossRefzbMATHGoogle Scholar
  2. 2.
    Blondeau C, Gérard B. Multiple differential cryptanalysis: theory and practice. In: Proceedings of International Workshop on Fast Software Encryption, 2011. 35–54CrossRefGoogle Scholar
  3. 3.
    Wang M Q, Sun Y, Tischhauser E, et al. A model for structure attacks, with applications to PRESENT and Serpent. In: Proceedings of International Workshop on Fast Software Encryption, 2012. 49–68CrossRefGoogle Scholar
  4. 4.
    Bogdanov A, Knudsen L R, Leander G, et al. PRESENT: an ultra-lightweight block cipher. In: Proceedings of International Workshop on Cryptographic Hardware and Embedded Systems, 2007. 450–466Google Scholar
  5. 5.
    Dobraunig C, Eichlseder M, Kales D, et al. Practical key-recovery attack on MANTIS5. In: Proceedings of International Workshop on Fast Software Encryption, 2016. 248–260Google Scholar
  6. 6.
    Eichlseder M, Kales D. Clustering related-tweak characteristics: application to MANTIS-6. In: Proceedings of International Workshop on Fast Software Encryption, 2018. 111–132Google Scholar
  7. 7.
    Beierle C, Jean J, Kölbl S, et al. The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Proceedings of Annual International Cryptology Conference, 2016. 123–153Google Scholar
  8. 8.
    Borghoff J, Canteaut A, Güneysu T, et al. PRINCE–a low-latency block cipher for pervasive computing applications. In: Proceedings of International Conference on the Theory and Application of Cryptology and Information Security, 2012. 208–225Google Scholar
  9. 9.
    Sun S W, Hu L, Wang M Q, et al. Automatic enumeration of (related-key) differential and linear characteristics with predefined properties and its applications. 2014. version=20140926:084100&file=747.pdfGoogle Scholar
  10. 10.
    Sun S W, Hu L, Wang P, et al. Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Proceedings of International Conference on the Theory and Application of Cryptology and Information Security, 2014. 158–178zbMATHGoogle Scholar
  11. 11.
    Gurobi Optimization. Gurobi optimizer reference manual. 2018. http://www.gurobi.comGoogle Scholar
  12. 12.
    Balas E, Jeroslow R. Canonical cuts on the unit hypercube. SIAM J Appl Math, 1972, 23: 61–69CrossRefGoogle Scholar
  13. 13.
    Selçuk A A. On probability of success in linear and differential cryptanalysis. J Cryptol, 2008, 21: 131–147MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Science China Press and Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Shiyao Chen
    • 1
  • Ru Liu
    • 2
  • Tingting Cui
    • 3
  • Meiqin Wang
    • 1
    Email author
  1. 1.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  2. 2.Huawei Digital Technologies (Suzhou) Co.,Ltd.SuzhouChina
  3. 3.School of CyberspaceHangzhou Dianzi UniversityHangzhouChina

Personalised recommendations