Congruent Differential Cluster for Binary SPN Ciphers

This study is focused on the differential clustering effect of the SPN block cipher, which employs a binary matrix as its diffusion layer. We present a novel strategy for differential estimation, named the congruent differential cluster. This method does not guarantee the optimization of each single differential characteristic but gathers a large number of characteristics satisfying a specific condition, i.e., the output differences of active S-boxes are equal. Given a binary SPN cipher, the exact probability of the congruent differential cluster can be obtained with negligible computational resources. Moreover, we consider a popular instance, binary AES-like ciphers, since the processing of their column-mixing layer can be divided into several independent parts. Therefore, if we set the output differences of the active S-boxes in the same partition to be equal, we can obtain more differential characteristics in the cluster, known as a semicongruent differential cluster. To demonstrate the application of the proposed method, we apply it to several block ciphers, i.e., Midori-64, CRAFT-64, SKINNY-64 and their variants proposed in Todo and Sasaki (2022). Compared with the active S-box counting method, the congruent differential clusters have considerably higher probabilities for most instances. In addition, we find a 7-round semicongruent differential cluster for Midori-64 with probability 2-(52.25), an 8-round semicongruent differential cluster for SKINNY-64 with probability 2-(50.72) and a 10-round semicongruent differential cluster for CRAFT-64 with probability 2-(42.32). To the best of our knowledge, the semicongruent differential clusters we identify for 7-round Midori-64, 8-round SKINNY-64 and 10-round CRAFT-64 have the highest probabilities thus far among the existing differential clusters with the same rounds. Therefore, we believe that the proposed method is a valuable tool for evaluating the differential security of associated block ciphers.