Improved Neural Differential Distinguisher Model for Lightweight Cipher Speck

Abstract

At CRYPTO 2019, Gohr proposed the neural differential distinguisher using the residual network structure in convolutional neural networks on round-reduced Speck32/64. In this paper, we construct a 7-round differential neural distinguisher for Speck32/64, which results in better than Gohr’s work. The details are as follows. Firstly, a new data format $(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })$ is proposed for the input data of the differential neural distinguisher, which can help the distinguisher to identify the features of the previous round of ciphertexts in the Speck algorithm. Secondly, this paper modifies the convolution layer of the residual block in the residual network, inspired by the Inception module in GoogLeNet. For Speck32/64, the experiments show that the accuracy of the 7-round differential neural distinguisher is $97.13\%$, which is better than the accuracy of Gohr’s distinguisher of $9.1\%$ and also higher than the currently known accuracy of $89.63\%$. The experiments also show that the data format and neural network in this paper can improve the accuracy of the distinguisher by $2.38\%$ and $2.1\%$, respectively. Finally, to demonstrate the effectiveness of the distinguisher in this paper, a key recovery attack is performed on 8-rounds of Speck32/64. The results show that the success rate of recovering the correct key is $92\%$, with no more than two incorrect bits. Finally, this paper briefly discussed the effect of the number of ciphertext pairs in a sample on the training results of the differential neural distinguisher. When the total number of ciphertext pairs is kept constant, the accuracy of the distinguisher increases with s, but it also leads to the occurrence of overfitting.

1. Introduction

With the rapid development of computer networks [1,2] and Internet of Things [3] (IoT) technology, IoT devices have been applied in many fields and have achieved constructive results. However, in the production of IoT devices, storage and computing resources are compressed to improve their productivity and convenience, which makes traditional algorithms such as DES and AES ineffective in IoT devices and thus reduces the security of the devices.

For this problem, the National Security Agency (NSA) [4] designed the lightweight block cipher Speck, which offers better performance on both hardware and software platforms compared with other existing ciphers. However, the designers of Speck neither provided the design rationale nor gave any security evaluation or cryptanalysis results.

This has spurred further research on Speck in the cryptographic community to deepen the understanding and refine it, such as an ultra-lightweight cryptographic Speck-R proposed by Sleem and Couturier [5] based on Speck. Furthermore, among this cryptanalytic research, differential cryptanalysis is the most promising attack.

Differential cryptanalysis was proposed by Biham and Shamir [6] in 1990 for breaking Data Encryption Standard [7] (DES) block ciphers, and today it is considered one of the most robust techniques in cryptanalysis of symmetric key cryptographic primitives. Abed et al. [8] introduced the first differential attack for almost all Speck variants. Biryukov et al. [9] searched for better differential features of Speck. In [10], Dinur improved the key recovery attack for all variants of Speck and Biryukov [11] showed an automatic algorithm for searching the best differential trajectory with improved MILP-based differential features results.

The development of deep learning has brought some new minds to cryptanalysis. In recent years, deep learning has spread across almost every field of science and technology (medical [12], agriculture [13], etc.) and has made remarkable progress on many difficult tasks. Several researchers have begun to apply deep learning to the study of cryptanalysis of block ciphers.

At CRYPTO 2019, Gohr [14] successfully trained (5∼8)-round of differential neural distinguisher by using the residual network (ResNet) [15] to create a precedent for neural-aided cryptanalysis. It was used to capture the distribution of output pairs when the input pairs of round-reduced Speck32/64 have specific differences.

In Gohr’s work, a sample consists of only one ciphertext pair. To improve the prediction accuracy of the differential neural differentiator, Chen and Yu [16] combine multiple ciphertext pairs generated by encrypting multiple plaintext pairs with the same key into a matrix as one sample of the neural network input. By using more output differences in the matrix, the neural network is made to learn more features. As a result, they improved the prediction accuracy of the (5∼7)-round differential neural distinguisher for Speck32/64 to some extent. Zhang et al. [17] modified the initial convolutional layer by borrowing ideas from the Inception module of GoogLeNet, which was used to construct a new neural network structure. Thus, they trained differential neural distinguishers for (5∼9)-round of Speck32/64.

In this paper, we further improve the data format of the input data and the neural network framework in the differential neural distinguisher, which helps the differential distinguisher identify ciphertext pairs with specific differential features more correctly.

(1) By analyzing the features of Speck’s cipher and modifying the data format in the input data of the differential neural distinguisher according to Speck’s round function. The data format ($C\text{\_}r$, $C\text{\_}{r}^{\prime }$, $d\text{\_}l$, $C_l$, $C_r$, $C_l^{\prime }$, $C_r^{\prime }$) is proposed, which combines information integrity and domain knowledge, and enables the neural network to recognize a large amount of information contained in the previous round of the Speck cipher. This paper also used multiple ciphertext pairs as input to the neural network. Experiments (see Section 4.2) show that this data format can significantly improve the accuracy of the differential neural distinguisher.

(2) This paper adopts the idea of GoogLeNet by replacing the convolutional layers in the residual blocks with Inception modules, which consist of multiple parallel convolutional layers, to capture more dimensional information in the ciphertext pairs and train a better neural distinguisher. As a result, for the 6-round Speck and the 7-round Speck, the accuracy of the neural distinguisher reached $99.97\%$ and $97.13\%$, respectively, which is higher than the accuracy of the above work. The results and comparisons of the differential neural distinguisher for Speck32/64 are listed in Table 1 and Table 2.

(3) To demonstrate the advantage of our distinguisher, this paper performs a key recovery attack on the 8-round Speck32/64.

Table 1. Summary of distinguish accuracy on Speck32/64 using different number of instances.

Number of Speck Rounds	Ours	Zhang [17]	Gohr [14]	Hou [18]
6	$99.97\%$	$99.92\%$	$78.50\%$	$97.67\%$
7	$97.13\%$	$89.63\%$	$59.10\%$	$70.74\%$

Table 1. Summary of distinguish accuracy on Speck32/64 using different number of instances.

Number of Speck Rounds	Ours	Zhang [17]	Gohr [14]	Hou [18]
6	$99.97\%$	$99.92\%$	$78.50\%$	$97.67\%$
7	$97.13\%$	$89.63\%$	$59.10\%$	$70.74\%$

Table 2. Experiment with different neural network model.

Round	Accuracy	Time	Source
7	$86.46\%$	1200 s	Gohr [14]
	$67.73\%$	300 s	Hou [18]
	$87.98\%$	3800 s	Zhang [17]
	$90.08\%$	3600 s	Ours

Training a neural network to distinguish 7-round Speck32/64 output for the input difference $\Delta =(0x0040,0)$ from random data. Only the neural network model is different in these experiments while the other experimental conditions are the same.

Table 2. Experiment with different neural network model.

Round	Accuracy	Time	Source
7	$86.46\%$	1200 s	Gohr [14]
	$67.73\%$	300 s	Hou [18]
	$87.98\%$	3800 s	Zhang [17]
	$90.08\%$	3600 s	Ours

Training a neural network to distinguish 7-round Speck32/64 output for the input difference $\Delta =(0x0040,0)$ from random data. Only the neural network model is different in these experiments while the other experimental conditions are the same.

2. Preliminaries

2.1. Brief Description of Speck Cipher

The lightweight family of ARX block ciphers Speck designed by the NSA [4] to build a cipher efficient in software implementations in Internet of Things (IoT) devices, which adopts a very simple Fesitel structure combining bitwise XOR operation $(\oplus )$, modular addition $(⊞)$ and bit-wise rotation. In ref. [4], various versions of Speck are presented that differ from the number of rounds (r), the block size (n), and the key size (m). Generally, Speckn/m will denote Speck with n bits block size and m bits key size. This paper will focus mainly on Speck32/64 and abbreviate it as Speck32.

Let $(C\text{\_}l,C\text{\_}r)$ be the input of i-round of Speck32. Then the output of i-round is $(C_l,C_r)$, and $(C_l,C_r)$ is computed as follows:

$$C_l:=((C\text{\_}l⋙\alpha )⊞C\text{\_}r)\oplus K$$

$$C_r:=(C\text{\_}r⋘\beta )\oplus C_l$$

The round function of Speck is shown in Figure 1 where $k_i$ represents the subkey at i-round and where $\alpha =7$, $\beta =2$.

2.2. Brief Description of ResNet

Residual neural network (ResNet), which is one of the most well-represented convolutional neural networks (CNN) currently, was proposed by He Kaiming et al. at CVPR 2016 [15]. ResNet can solve the problem of gradient disappearance when training convolutional neural network models and train deeper CNN models to reach higher accuracy. The core concept is introducing a so-called “shortcuts(skip) connection” to a normal convolutional neural network, that is, the data output from the previous layer is superimposed directly on the input of the data layer that follows, skipping one or more convolutional layers. It is composed of a set of residual blocks. A residual block can be expressed as:

$$H\left(x\right)=F\left(x\right)+x$$

where $H\left(x\right)$ is the desired underlying mapping and x is the direct mapping, denoting that the stacked nonlinear layers fit another mapping as $F\left(x\right):=H\left(x\right)-x$ [15]. By rearranging the linking order of the convolution layer(Conv), batch normalization(BN), and activation functions of ReLU, many residual block variants can be designed. Figure 2 shows the residual block.

The batch normalization layer in the figure is to transform the output data of the neural network layer into a standard normal distribution with mean zero and variance one by some methods of normalization, which can effectively prevent the gradient disappearance problem and accelerate the network training speed. ReLU is a one-sided saturating activation function, which is defined as $f\left(x\right)=max(0,x)$; the gradients of the ReLU activation function become constant at positive values and no longer vanish [19]. This means that the gradient vanishing problem can effectively be avoided by using ReLU.

2.3. Brief Description of Inception Module

The Inception module is the core module of GoogLeNet proposed by Christian Szegedy [20], which takes into account the enlarged depth and width of the model. The Inception module was an impressive milestone in the development of CNN classifiers.

As shown in Figure 3, an Inception module has multiple convolutional layers with different convolutional kernel sizes, such as a 1 × 1 convolutional layer, a 2 × 2 convolutional layer, and a 4 × 4 convolutional layer. The 1 × 1 convolutional layer is equivalent to a fully connected layer, which is used to adjust the number of channels usually between each network layer to achieve cross-channel interaction and information integration of convolutional kernels.

3. Improved Neural Distinguishers Model for Speck32

This Section Attempts to Teach Neural Networks to Identify the Differential Features of the Round-Reduced Speck as a Way to Construct a Differential Neural Distinguisher for Speck.

3.1. Data Format

As the number of Speck cipher rounds increases, the features of the Speck cipher algorithm are not easily recognized by the neural network. Therefore, as the data format contains more features from previous cipher rounds, it will help improve the accuracy of the neural network.

Once the ciphertext pair of the i-round $(C_l,C_r,C_l^{\prime },C_r^{\prime })$ is known, one can straightforwardly compute $(C\text{\_}r,C\text{\_}{r}^{\prime })$ without knowing the ($i-1$)-round subkey (K) according to the algorithmic structure of the Speck cipher. Expressed in the formula as:

$$\left\{\begin{array}{c}C\text{\_}r=(C_l\oplus C_r)⋙\beta \hfill \\ C\text{\_}{r}^{\prime }=(C_l^{\prime }\oplus C_r^{\prime })⋙\beta \hfill \end{array}\right.$$

(1)

But one needs to know the (i − 1)-round subkey(K) to calculate $(C\text{\_}l,C\text{\_}{l}^{\prime })$, which is expressed in the formula:

$$\left\{\begin{array}{c}C\text{\_}l=((C_l\oplus K)\boxminus C\text{\_}r)⋘\alpha \hfill \\ C\text{\_}{l}^{\prime }=((C_l^{\prime }\oplus K)\boxminus C\text{\_}{r}^{\prime })⋘\alpha \hfill \end{array}\right.$$

(2)

where ⊟ is modular minus. The difference $d\text{\_}{l}_{real}$ of $C\text{\_}l$ and $C\text{\_}{l}^{\prime }$ is:

$$d\text{\_}{l}_{real}=C\text{\_}l\oplus C\text{\_}{l}^{\prime }=(((C_l\oplus K)\boxminus C\text{\_}r)\oplus ((C_l^{\prime }\oplus K)\boxminus C\text{\_}{r}^{\prime }))⋘\alpha$$

(3)

Definition 1.

Denote $(C_l\oplus K),C\text{\_}r,(C_l^{\prime }\oplus K),C\text{\_}{r}^{\prime }$ by vectors, respectively:

$$\left\{\begin{array}{c}{C}_l\oplus K=(a_1\oplus k_1,a_2\oplus k_2,\cdots ,a_n\oplus k_n)\in {\{0,1\}}^n,n=16\hfill \\ C\text{\_}r=(b_1,b_2,\cdots ,b_n)\in {\{0,1\}}^n,n=16\hfill \\ C_l^{\prime }\oplus K=(x_1\oplus k_1,x_2\oplus k_2,\cdots ,x_n\oplus k_n)\in {\{0,1\}}^n,n=16\hfill \\ C\text{\_}{r}^{\prime }=(y_1,y_2,\cdots ,y_n)\in {\{0,1\}}^n,n=16\hfill \end{array}\right.$$

(4)

Definition 2.

Denote $d\text{\_}l$ as the difference of $C\text{\_}l$ and $C\text{\_}{l}^{\prime }$ without the effect of the (i − 1)-round subkey (K):

$$d\text{\_}l=((C_l\boxminus C\text{\_}r)\oplus (C_l^{\prime }\boxminus C\text{\_}{r}^{\prime }))⋘\alpha$$

(5)

Proposition 1.

Part of the bits of $d\text{\_}{l}_{real}$ that are not affected by (i − 1)-round subkey can be captured by $d\text{\_}l$.

Proof. 

Without loss of generality, let $a_i\oplus k_i>b_i(i\ne 2),a_2\oplus k_2\le b_2,n=16$.

Converting $(C_l\oplus K)\boxminus C\text{\_}r$ to number field will obtain:

$$\begin{array}{cc}\hfill (C_l\oplus K)& \boxminus C\text{\_}r=((a_1\oplus k_1)2^{n-1}+(a_2\oplus k_2)2^{n-2}+(a_3\oplus k_3)2^{n-3}\hfill \\ \hfill & +\cdots +(a_n\oplus k_n)-b_1{2}^{n-1}-b_2{2}^{n-2}-\cdots -b_n)mod{2}^n\hfill \end{array}$$

(6)

We can obtain:

$$\begin{array}{cc}\hfill (C_l\oplus K)& \boxminus C\text{\_}r=((1+a_1\oplus k_1\oplus b_1\oplus a_2\oplus k_2\oplus b_2)2^{n-2}\hfill \\ \hfill & +(a_3\oplus k_3\oplus b_3)2^{n-3}+\cdots +(a_n\oplus k_n\oplus b_n))mod{2}^n\hfill \end{array}$$

(7)

In the same way, we get:

$$\begin{array}{cc}\hfill (C_l^{\prime }\oplus K)& \boxminus C\text{\_}{r}^{\prime }=((1+x_1\oplus k_1\oplus y_1\oplus x_2\oplus k_2\oplus y_2)2^{n-2}\hfill \\ \hfill & +(x_3\oplus k_3\oplus y_3)2^{n-3}+\cdots +(x_n\oplus k_n\oplus y_n))mod{2}^n\hfill \end{array}$$

(8)

When the XOR operation is performed on $((C_l\oplus K)\boxminus C\text{\_}r)$ and $((C_l^{\prime }\oplus K)\boxminus C\text{\_}{r}^{\prime })$, it is obtained that the other bits of K has no effect on the operation except for $k_1,k_2$. That is, the results of $(C_l\boxminus C\text{\_}r)\oplus (C_l^{\prime }\boxminus C\text{\_}{r}^{\prime })$ and $((C_l\oplus K)\boxminus C\text{\_}r)\oplus ((C_l^{\prime }\oplus K)\boxminus C\text{\_}{r}^{\prime })$ are the same for all bits except $k_1,k_2$.

The bit-wise rotation operation does not affect the number of captured bits in the vector. Therefore $d\text{\_}l$ captures the rest of the bits in $d\text{\_}{l}_{real}$ that are not affected by ($i-1$)-round subkey (K).    □

Extending this proof, $d\text{\_}l$ can capture part of the bits of the $d\text{\_}{l}_{real}$ and the number of bits captured is different in each sample. It is certain that the accuracy of the neural network will improve as $d\text{\_}l$ captures more bits of $d\text{\_}{l}_{real}$. The experiments in Section 4.2 show that the inclusion of $d\text{\_}l$ in the data format can improve the accuracy of the neural network by $2.34\%$ under the same conditions.

Integrating the above data formats, this paper proposes a new data format

$$(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })$$

which contains a number of cryptographic features from the ($i-1$)-round.

3.2. Data Structure

The data structure of multiple ciphertext pairs can achieve higher differentiation accuracy than the data structure of a single ciphertext pair. The dataset required to construct the differential distinguisher is shown in Figure 4.

The training and validation data are obtained by using the Linux random number generator (/dev/urandom) to get uniformly plaintext pairs P and distributed keys k with the input difference $\Delta =0x0040/0000$, followed by a vector of binary-valued real/random labels Y, where s neighboring plaintext pairs are formed into one sample:

$$({P_l}_1,{P_r}_1,{{P_l}_1}^{\prime },{{P_r}_1}^{\prime }),({P_l}_2,{P_r}_2,{{P_l}_2}^{\prime },{{P_r}_2}^{\prime }),\cdots ,({P_l}_s,{P_r}_s,{{P_l}_s}^{\prime },{{P_r}_s}^{\prime }).$$

To generate training or validation data for i-round ciphertext pairs, the s plaintext pairs P in a sample were then encrypted for i rounds if $Y=1$, otherwise the second plaintext of the pair was replaced with a newly generated random plaintext and encrypted for i rounds

$$({C_l}_1,{C_r}_1,{{C_l}_1}^{\prime },{{C_r}_1}^{\prime }),({C_l}_2,{C_r}_2,{{C_l}_2}^{\prime },{{C_r}_2}^{\prime }),\cdots ,({C_l}_s,{C_r}_s,{{C_l}_s}^{\prime },{{C_r}_s}^{\prime }).$$

Then the generated s ciphertext pairs are linearly transformed into ($C\text{\_}r$, $C\text{\_}{r}^{\prime }$, $d\text{\_}l$, $C_l$, $C_r$, $C_l^{\prime }$, $C_r^{\prime }$) to obtain the samples needed for neural network training:

$$\begin{array}{c}({C\text{\_}r}_1,{{C\text{\_}r}_1}^{\prime },{d\text{\_}l}_1,{C_l}_1,{C_r}_1,{{C_l}_1}^{\prime },{{C_r}_1}^{\prime }),\\ ({C\text{\_}r}_2,{{C\text{\_}r}_2}^{\prime },{d\text{\_}l}_2,{C_l}_2,{C_r}_2,{{C_l}_2}^{\prime },{{C_r}_2}^{\prime }),\\ ⋮\\ ({C\text{\_}r}_s,{{C\text{\_}r}_s}^{\prime },{d\text{\_}l}_s,{C_l}_s,{C_r}_s,{{C_l}_s}^{\prime },{{C_r}_s}^{\prime }),\end{array}$$

Finally attach a label $Y=1$ to the sample with $(P_l^{\prime },P_r^{\prime })=(P_l,P_r)\oplus \Delta P$ and a label $Y=0$ to the sample with $(P_l^{\prime },P_r^{\prime })=random$.

3.3. Design the Network Structure

In this paper, the model of Gohr [14] is improved in order to smoothly converge the residual neural network to an optimal solution. A network model with higher accuracy is proposed, which significantly reduces the training time and makes it more efficient to attack the Speck. The framework of the neural network is shown in Figure 5.

The neural network is divided into four parts: an input layer consisting of multiple ciphertext pairs, an initial convolutional layer made of a one-layer convolutional neural network, a residual tower consisting of three layers of convolutional neural network optimized by the Inception module, and a prediction head consisting of multiple fully connected layers (distinguished by the colors in Figure 5).

Initial convolution. After transforming the one-dimensional initial ciphertext data from Section 4.2 into $[s,w,\frac{2L}{w}]$ three-dimensional input data, the train data enters the initial convolution layer, where L represents the block size of the target cipher, w is the size of a basic unit, and $s=16$, $w=16$ for Speck32. The number of channels in the initial convolutional layer is $3N_f$, where $3N_f$ is the number of filters in the convolutional layer and $N_f=32$. The convolutional layer is first convolved by a convolutional kernel of size 1, and then the convolved results are batch normalized. Finally, rectifier nonlinearity is applied to the output of batch normalization, and the resulting $[s,w,3N_f]$ matrix is passed to the residual block.

Residual block. The residual neural network model constructed in this paper contains five residual blocks. Compared with the neural network model of Gohr [14], the residual block in this paper contains three convolutional blocks of $3N_f$ channels. The first convolutional block is convolved by a convolutional kernel of size one and then the output data is directly transferred to the second convolutional block. The second convolutional block consists of a $2\times 2$ convolutional layer, a $4\times 4$ convolutional layer, and an $8\times 8$ convolutional layer; each convolutional layer has $N_f$ channels. The three convolutional layers are concatenated in the channel dimension, similar to the Inception module in GoogLeNet. Batch normalization is applied to the output of the concatenated layers. The nonlinearity of the rectifier is applied to the output of batch normalization. The output from the second convolution block is applied to the convolution of kernel size one, then a batch normalization layer, and finally a rectifier layer. At the end of the convolution block, the output of the last rectification layer in that block is added to the input of the convolution block, and the result is transferred to the next block.

Prediction head. The prediction head consists of a GlobalAveragePooling layer, two hidden layers, and one output cell. The three fully connected layers consist of 64, 64, and 1 neural unit, followed by batch normalization and rectifier layers. Finally, in order to constrain the final output neural unit between 0 and 1, the output neural unit is activated using the Sigmoid activation function. The Sigmoid activation function is a logistic function defined as $f\left(x\right)=\frac{1}{1+e^{-x}}$.

The overall structure of the neural network for training the differential-neural distinguisher is shown in Figure 6.

Basic training scheme. In this paper, the training is run for 20 epochs on the training dataset with a $SN={10}^6$ sample size. The batch size for dataset processing is adjusted according to parameter s to maximize GPU performance, where s is the number of ciphertext pairs in a single sample, so the number of ciphertext pairs in the training dataset is $CN=SN\times s$. The $SM={10}^5$ samples will be used for validation, containing $CM=SM\times s$ ciphertext pairs. Optimization was performed against mean square error (MSE) loss plus a small penalty based on the L2 weights regularization parameter $c={10}^{-5}$ using the Adam algorithm. A cyclic learning rate schedule was adopted, setting the learning rate $L_i$ for epoch i to

$$L_i:=\alpha +\frac{(n-i)mod(n+1)}{n}(\beta -\alpha )$$

with $\alpha ={10}^{-4},$ $\beta =2\times {10}^{-3}$ and $n=9$. The best neural network model is saved by a callback function triggering the ModelCheckPiont method.

3.4. Design the Differential Neural Distinguisher

In this section, a neural differential distinguisher is designed for the round-reduced Speck. The distinguisher uses the data structures generated in Section 3.1 and Section 3.2 as input data and the neural network structure of Section 3.3 as the structure of the distinguisher. The training algorithm for the differential neural distinguisher is shown in Algorithm 1.

Algorithm 1 The training algorithm for the differential neural distinguisher.

Require: Speck cipher $Oracle$, Number of randomly selected plaintext pairs n, Linear transformation $Transform$.

Ensure: Differential neural distinguisher N

1: $TD\leftarrow \varnothing$

2: $Y\leftarrow n$ random sample labels, assigned to 0 or 1

3: $(P_l,P_r,{P_l}^{\prime },{P_r}^{\prime })\leftarrow s$ random plaintext pairs with a difference of $\Delta =0x0040/0000$;

4: for $i=0$ to $n-1$ do

5:   if $Y_i=0$ then

6:     $({P_l}^{\prime },{P_r}^{\prime })\leftarrow s$ random plaintexts

7:   end if

8:   $(C_l,C_r,{C_l}^{\prime },{C_r}^{\prime })\leftarrow Oracle(P_l,P_r,{P_l}^{\prime },{P_r}^{\prime })$

9:   $(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })\leftarrow Transform(C_l,C_r,{C_l}^{\prime },{C_r}^{\prime })$

10: end for

11:  $TD\leftarrow (X(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime }),Y)$

12:  $N\leftarrow trainNetwork\left(TD\right)$

13: return N

4. Results

In this paper, the experiments were conducted with Python 3.8 on Ubuntu 20.04 OS. The model we use is implemented by Tensorflow 2.9.0. For our experiments, we used a server with an Intel(R) Xeon(R) Platinum 8255C CPU at 2.50 GHz, 80 GB of RAM, and an RTX 3080 10 GB.

4.1. Experiments on Speck32

In this paper, we choose $\Delta =(0x0040,0x0000)$ as the difference of the distinguisher when training the neural network, which transitions deterministically after one round to a difference with low Hamming weights [14], helping the neural network distinguisher to obtain the difference with the highest probability [21]. The parameter s is set to 32, and the batch size is set to 500. Then the plaintext pairs are encrypted by the Speck algorithm, and finally, the input data of the neural network is obtained after format conversion. Figure 7 gives the accuracy and loss rate of the training and validation sets in 6- and 7-rounds of Speck32 with 20 rounds.

It is worth noting that accuracy is used as a measure of distinguisher effectiveness in this paper because it is related to the distinguishing advantage of classical password distinguishers, and when the accuracy rate is higher, it means that the distinguisher is more effective.

In Figure 7, the horizontal axes represent the number of rounds, and the vertical axes represent the accuracy and loss rate of the dataset results. The collapsed line shows the accuracy and loss rate of the data set during the training process of the differential neural distinguisher. From Figure 7a, the validation set accuracy of the 6-round distinguisher using the Speck algorithm trained by the neural network is $99.97\%$ with a loss rate of $0.04\%$, while from Figure 7b, the 7-round distinguisher validation set accuracy is $97.13\%$ with a loss rate of $2.67\%$, which is the highest known accuracy rate.

Since the data format and neural network structure proposed in this paper were not the same as in Zhang [17], Gohr [14], and Hou [18]. In their papers, differential neural distinguishers were obtained by changing the number of ciphertext pairs in a single sample (s) and the number of samples (SN).

In this section, the distinguisher with the highest accuracy in each paper is selected for comparison with the distinguisher proposed in this paper.

From Table 1, it can be seen that by improving the data format and neural network structure, the differential neural distinguisher can identify ciphertext pairs with specific differences more effectively. As a result, the accuracy of the differential neural distinguisher in this paper is higher than the above work, especially the 7-round distinguisher, which exceeds $95\%$ accuracy for the first time.

4.2. Experiment with Different Data Format

In the work of Gohr [14], the data format $(C_l,C_r,C_l^{\prime },C_r^{\prime })$ was used as the input data for the neural network. Subsequently, Benamira et al. [21] transformed the input $(C_l,C_r,C_l^{\prime },C_r^{\prime })$ of Gohr’s neural network into $(dl,dv,V0,V1)$ and a linear combination of these terms to achieve better performance, where $dl=C_l\oplus C_l^{\prime },dv=C_r\oplus C_r^{\prime },V0=C_l\oplus C_r,V1=C_l^{\prime }\oplus C_r^{\prime }$. The data format is simplified to $(dl,dv)$ and the single ciphertext pair structure is converted to a multi-ciphertext pair structure in the work of Hou et al. [18]. Zhang et al. [17]. proposed $(C\text{\_}r,C\text{\_}{r}^{\prime },C_l,C_r,C_l^{\prime },C_r^{\prime })$ considering that the key recovery attack requires ciphertext pairs according to Speck’s round function, which effectively identifies the features of ciphertext pairs and enhances the performance of the distinguisher.

To demonstrate that the data format of this paper outperforms other data formats, this paper designed a comparison experiment that fixed all other parameters but only the data format is variable, where the neural network uses the model from Section 3.3 The results are shown in

Table 3. Experiment with different data format.

Round	Data Format	Accuracy	Source
7	$(C_l,C_r,C_l^{\prime },C_r^{\prime })$	$86.35\%$	Gohr [14]
	$(dl,dv)$	$81.95\%$	Hou [18]
	$(dl,dv,V0,V1)$	$86.43\%$	Benamira [21]
	$(C\text{\_}r,C\text{\_}{r}^{\prime },C_l,C_r,C_l^{\prime },C_r^{\prime })$	$87.74\%$	Zhang [17]
	$(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })$	$90.08\%$	Ours

Training a neural network to distinguish 7-round Speck32/64 output for the input difference $\Delta =(0x0040,0)$ from random data. Only the data format is different in these experiments while the other experimental conditions are the same.

.

As shown in Table 3, since the data format proposed in this paper contains more features of the previous round of the Speck cipher, the accuracy of the neural network for the Speck has improved to $90.08\%$, which is the highest accuracy we know so far.

4.3. Experiment with Different Neural Network Model

Gohr [14] showed that the residual network could be trained to capture the non-randomness of the value distribution of output pairs when the input pairs of round-reduced Speck32/64 have a certain difference. Subsequently, Benamira [21] used the same neural network, while Hou et al. [18] reduced it to 5 iterations and removed a hidden layer. In order to further improve the accuracy, better differential neural distinguishers have also recently been investigated. Zhang et al. [17] changed the input data of the neural network to three dimensions and modified the initial convolutional layer using the Inception module instead of the width-1 convolutional layer.

In this section, a comparative experiment was designed to investigate the effect of different neural networks on the distinguisher, with $(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })$ as the input data format. Fixing all other parameters and only changing the neural network model, the neural network in this paper is compared with the neural networks of Gohr [14], Hou [18], and Zhang [17]. The comparison results are shown in Table 2.

It can be found that the accuracy increases when the dimensionality of the input data and the model complexity grow, while the training time also adds up. In order to make a trade-off between training time and accuracy, this paper improves Gohr’s neural network and increases the accuracy of the neural network to $90.08\%$, and the training time is less than Zhang’s model but longer than Gohr’s and Hou’s models.

4.4. Effect of the Number of Ciphertext Pairs in a Single Sample (s) on the Neural Network

Chen et al. [16] explain the high accuracy of neural networks in recognizing multiple ciphertext pairs compared with a single ciphertext pair: if the ciphertext pairs obtained by encrypting plaintext pairs with specific plaintext differences obey a non-uniform distribution, then some derived features are derived from the multiple ciphertext pairs. Once the network captures these features, the accuracy of the neural distinguisher is improved.

Increasing the number of ciphertext pairs in a single sample $\left(s\right)$ can improve the accuracy of the neural network when keeping the number of samples $\left(SN\right)$ in the training dataset constant. And the number of cipher text pairs in the training dataset $(CN=SN\times s)$ also increases. Similarly, keeping s constant and increasing the number of samples in the training dataset $\left(SN\right)$ can also improve the performance of the neural network.

In order to investigate the effect of the number of ciphertext pairs in a single sample (s) on the neural network with a constant number of total ciphertext pairs ($CN$), this paper designs a comparative experiment to explore the effect of s on neural networks: the numbers of ciphertext pairs in the training dataset are $CN={10}^7$ and in the validation dataset are $CM={10}^6$. Keeping the other parameters constant and changing the parameter s, the number of samples in the training and validation sets are $SN=CN/s$ and $SM=CM/s$. The batch size for dataset processing is adjusted according to the number of ciphertext pairs in a single sample (s) to maximize GPU performance, where $s\in \{1,2,4,8,16,32,64,128\}$.

It can be found that the accuracy is growing when the parameter s increases in Figure 8. At the same time, the number of samples in the training dataset $\left(SN\right)$ and validation dataset $\left(SM\right)$ is decreasing, which leads to the overfitting phenomenon of the neural network when the parameter s is higher. Mitigating the overfitting phenomenon can be achieved by increasing the number of ciphertext pairs. Taking into account time and cost, in this paper, the parameter s is set to 32, the batch size is 500, and the number of samples in the training dataset $\left(SN\right)$ and validation dataset $\left(SM\right)$ are ${10}^6$ and ${10}^5$, respectively.

5. Key-Recovery Attack against Speck32

To demonstrate the utility of the neural distinguisher, this paper constructs a partial key recovery attack based on a 7-round distinguisher. The basic idea is the decryption of the resultant ciphertext under all final subkeys for each plaintext pair with a difference $\Delta =0x0040/0000$, and the sorting of each partially decrypted ciphertext using the neural distinguisher in this paper. Then the scores of the returned individual ciphertext pairs are combined into the scores of the keys, and finally, the keys are sorted in descending order according to their scores. A brief description of the attack steps is detailed below in Algorithm 2.

1. Generate n randomly chosen plaintext pairs $(P_1,{P_1}^{\prime })$ with a difference $\Delta =0x0040/0000$, such that it obtains the corresponding sample data ciphertext pair $(C_1,{C_1}^{\prime })$ in encryption 8 rounds.

2. For each last-round subkey k, decrypt the $C_i$ under k to get $(C_k,{C_k}^{\prime })$.

3. Using the neural distinguisher in this paper, the score ${x_i}^k$ is obtained for each partially decrypted ciphertext pair $(C_k,{C_k}^{\prime })$.

4. For each k, the scores ${x_i}^k$ are combined into one score $x^k$ and arranged in descending order.

Algorithm 2 Key-recovery Attack Against Speck32.

Require:  Speck cipher $Oracle$, Number of randomly selected plaintext pairs n, an 8 round neural distinguisher N.

Ensure: A descending sorted list of candidate keys $L_{ck}$.

1:  $(P_1,{P_1}^{\prime })\leftarrow n$ random plaintext pairs with a difference of $\Delta =0x0040/0000$

2:  $(C_k,{C_k}^{\prime })\leftarrow Oracle(P_1,{P_1}^{\prime })$

3:  $L_{ck}\leftarrow \{·\}$

4: for k in subkeys do

5:    for $i=0$ to $n-1$ do

6:      $(C_k,{C_k}^{\prime })\leftarrow DecryptOneRound((C_i,{C_i}^{\prime }),k)$

7:      ${x_i}^k\leftarrow N(C_k,{C_k}^{\prime })$

8:    end for

9:    $x^k\leftarrow {\sum }_{i=0}^{n-1}{log}_2({x_i}^k/(1-{x_i}^k))$

10:    Append $(k,x^k)to{L}_{ck}$

11: end for

12: return  $L_{ck}$

In this attack, the step 3 key ranking score is likely to be high when the 8-round subkey is guessed correctly. So, when a key guess is returned, the distinguisher can be sure that the correct 8-round key has been found.

In this paper, we repeated the key recovery attack 50 times for different keys. The attack is considered successful if the correct key is in the top five in $L_{ck}$. Finally, 46 keys were successfully recovered, with a success rate of about $92\%$ for the experimental attack. The key ranking results are shown in

Table 4. The result of the ranking of the correct subkeys in the list $L_{ck}$.

Ranking of the Correct Subkeys	1st	2nd	3rd	4th	5th	Others
Number of trials	23	11	7	4	1	4

. Of course, the success rate obtained with different success criteria can be different, so this success rate can only be used as a reference for the effectiveness of the key recovery algorithm.

In addition, in order to obtain in detail the correctness of each bit during the key recovery attack. In this paper, the subkey with the highest score is selected as the candidate key for guessing compared with the correct key, and the guess is considered successful if the last subkey is incorrect within only two bits. Then an exhaustive method can be used to eliminate the incorrect bits. The experimental results are shown in

Table 5. Guess the number of errors in the subkey bits.

The Number of Errors in the Subkey Bits	0	1	2	Others
Number of trials	23	15	12	0

and

Table 6. Guess the success rate of each subkey bit.

Subkey Bits	$k_0$	$k_1$	$k_2$	$k_3$	$k_4$	$k_5$	$k_6$	$k_7$
Number of trials	$100\%$	$100\%$	$100\%$	$100\%$	$100\%$	$100\%$	$100\%$	$98\%$
Subkey Bits	$k_8$	$k_9$	$k_{10}$	$k_{11}$	$k_{12}$	$k_{13}$	$k_{14}$	$k_{15}$
Number of trials	$100\%$	$100\%$	$100\%$	$100\%$	$100\%$	$100\%$	$66\%$	$58\%$

.

Table 5 shows that the neural network distinguisher in this paper guessed no more than 2 bits of the subkey incorrectly in 8 rounds of Speck experiments, and 23 experiments had exactly correct subkey guesses, accounting for $46\%$. Among the experiments with incorrect guesses, 15 experiments (in $30\%$) have only 1 bit of incorrect guesses, and 12 experiments have 2 bits of incorrect guesses.

Further analysis of the 16 bits of the subkeys in Table 6 shows that the success rate of the neural network distinguisher in this paper reaches $98\%$ for $k_7$ of the subkey. The success rates of $k_{14}$ and $k_{15}$ are $66\%$ and $58\%$, respectively, and the rest of the bits are guessed correctly.

6. Conclusions

This paper proposed a new data format and model to further improve neural distinguishers and then performed a practical key recovery attack on Speck. Firstly, by adopting the new data format $(C\text{\_}r,C\text{\_}{r}^{\prime },d\text{\_}l,C_l,C_r,C_l^{\prime },C_r^{\prime })$ and stitching multiple ciphertext pairs into a matrix as samples to capture more derived features, this can improve the accuracy of the neural distinguishers. In addition, by using the idea of the Inception module to modify the residual block of the neural network structure. As a result, the accuracy of the distinguisher in this paper is $99.97\%$ and $97.13\%$ for 6- and 7-round of Speck, respectively. Finally, the key recovery attack was performed on the 8-round Speck algorithm by the trained differential neural distinguisher. Among the 50 experiments performed, 46 were successful, with a $92\%$ probability of success. In all the key recovery experiments, the number of subkey bits guessed incorrectly did not exceed 2 bits, and the accuracy of $100\%$ was achieved in 13 of them.

To be sure, there are many factors that affect the accuracy of the neural network distinguisher, such as the data format and structure, the neural network structure and methods of model training, and so on. In this paper, we discuss the effects of data format, network structure, and the number of ciphertext pairs in the samples on the accuracy of neural networks. During the experiments, we found that the choice of neural network model affects the accuracy and time complexity of the trained distinguisher. Therefore, in the future, we will try to further eliminate the effect of the ($i-1$)-round subkey on the data format, optimize the neural network to improve the accuracy of the neural distinguisher, and investigate other block ciphers.