An Automated Tool for Rotational-XOR Cryptanalysis of ARX-based Primitives

In ARX structures, constants that are not rotational invariant are often injected into the state, in the form of round constants or as a result of using a fixed key. Rotational cryptanalysis cannot deal with such constants. Rotational cryptanalysis in the presence of constants, also known as rotational-XOR cryptanalysis, is a recently proposed statistical technique to attack ARX primitives. The newly proposed technique investigates how constants affect rotational cryptanalysis by introducing the notion of an RX-difference, which generalizes the idea of a rotational difference. Previously, a 7-round distinguisher for Speck, an ARX block cipher designed by the NSA, was found, mainly to demonstrate the proposed technique. In this paper, it is shown that longer distinguishers exist for Speck32/64, as well as other versions of speck, by using rotational-XOR cryptanalysis . This was done by means of an automated search tool. More specifically, the propagation of RX-differences through ARX structures are transformed into bitwise equations and these equations are then solved by a SAT-solver. Using this method, distinguishers with more rounds than previously reported are found for Speck32/64 and Speck48/96, as well as a 13-round distinguisher for Speck96/144 with a higher probability than previously reported, under the condition that two related keys are available.