{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,19]],"date-time":"2025-11-19T07:00:19Z","timestamp":1763535619703,"version":"3.41.2"},"reference-count":40,"publisher":"Oxford University Press (OUP)","license":[{"start":{"date-parts":[[2019,10,15]],"date-time":"2019-10-15T00:00:00Z","timestamp":1571097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61572125","61602276"],"award-info":[{"award-number":["61572125","61602276"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Cryptography Development Fund","award":["MMJJ20180201"],"award-info":[{"award-number":["MMJJ20180201"]}]},{"name":"Shandong Natural Science Foundation of China","award":["ZR2016FM22"],"award-info":[{"award-number":["ZR2016FM22"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerang attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 2<jats:sup>60<\/jats:sup> chosen plaintexts and 2<jats:sup>107<\/jats:sup> encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. 
Our attack on 17-round Khudra requires a data complexity of 2<jats:sup>62.9<\/jats:sup> chosen plaintexts and a time complexity of 2<jats:sup>73.9<\/jats:sup> encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 2<jats:sup>59<\/jats:sup> and data complexity of 2<jats:sup>45<\/jats:sup>. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.<\/jats:p>","DOI":"10.1093\/comjnl\/bxz076","type":"journal-article","created":{"date-parts":[[2019,6,28]],"date-time":"2019-06-28T11:07:42Z","timestamp":1561720062000},"source":"Crossref","is-referenced-by-count":5,"title":["MILP-based Related-Key Rectangle Attack and Its Application to GIFT, Khudra, MIBS"],"prefix":"10.1093","author":[{"given":"Lele","family":"Chen","sequence":"first","affiliation":[{"name":"Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gaoli","family":"Wang","sequence":"additional","affiliation":[{"name":"Shanghai Key Lab of Trustworthy Computing, East China Normal University, Shanghai 200062, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"GuoYan","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Jinan 250100, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2019,10,15]]},"reference":[{"key":"2019101510185057400_ref1","first-page":"2","article-title":"Differential Cryptanalysis of DES-like Cryptosystems","volume-title":"Proc. CRYPTO 1990, Santa Barbara, USA, August 11\u201315","author":"Biham","year":"1990"},{"key":"2019101510185057400_ref2","first-page":"233","article-title":"Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA","volume-title":"Proc. 
International Conference on Information and Communications Security (ICICS 1997), Beijing, China, November 11\u201314","author":"Kelsey","year":"1997"},{"key":"2019101510185057400_ref3","first-page":"156","article-title":"The Boomerang Attack","volume-title":"Proc. Fast Software Encryption (FSE 1999), Rome, Italy, March 24\u201326","author":"Wagner","year":"1999"},{"key":"2019101510185057400_ref4","first-page":"75","article-title":"Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent","volume-title":"Proc. Fast Software Encryption (FSE 2000), New York, USA, April 10\u201312","author":"Kelsey","year":"2000"},{"key":"2019101510185057400_ref5","first-page":"340","article-title":"The Rectangle Attack - Rectangling the Serpent","volume-title":"Proc. EUROCRYPT 2001, Innsbruck, Austria, May 6\u201310","author":"Biham","year":"2001"},{"key":"2019101510185057400_ref6","first-page":"1","article-title":"New Results on Boomerang and Rectangle Attacks","volume-title":"Proc. Fast Software Encryption (FSE 2002), Leuven, Belgium, February 4\u20136","author":"Biham","year":"2002"},{"key":"2019101510185057400_ref7","doi-asserted-by":"crossref","first-page":"5217","DOI":"10.1109\/TIT.2011.2111091","article-title":"The return of the cryptographic boomerang","volume":"57","author":"Murphy","year":"2011","journal-title":"IEEE Trans. Inf. Theory"},{"key":"2019101510185057400_ref8","first-page":"195","article-title":"Cryptanalysis of SAFER++","volume-title":"Proc. CRYPTO 2003, Santa Barbara, USA, August 18\u201322","author":"Biryukov","year":"2003"},{"key":"2019101510185057400_ref9","first-page":"1","article-title":"Related-Key Cryptanalysis of the Full AES-192 and AES-256","volume-title":"Proc. ASIACRYPT 2009, Tokyo, Japan, December 6\u201310","author":"Biryukov","year":"2009"},{"key":"2019101510185057400_ref10","first-page":"393","article-title":"A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony","volume-title":"Proc. 
CRYPTO 2010, Santa Barbara, USA, August 15\u201319","author":"Dunkelman","year":"2010"},{"key":"2019101510185057400_ref11","doi-asserted-by":"crossref","first-page":"824","DOI":"10.1007\/s00145-013-9154-9","article-title":"A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony","volume":"27","author":"Dunkelman","year":"2014","journal-title":"J. Cryptol."},{"key":"2019101510185057400_ref12","first-page":"683","article-title":"Boomerang Connectivity Table: A New Cryptanalysis Tool","volume-title":"Proc. EUROCRYPT 2018, Tel Aviv, Israel, April 29 \u2013May 3","author":"Cid","year":"2018"},{"key":"2019101510185057400_ref13","article-title":"Efficient Construction of the Boomerang Connection Table","volume-title":"IACR Cryptology ePrint Archive, 2018\/631, 2018","author":"Dunkelman","year":"2018"},{"key":"2019101510185057400_ref14","doi-asserted-by":"crossref","DOI":"10.1109\/TIT.2019.2918531","article-title":"New Results about the Boomerang Uniformity of Permutation Polynomials","volume-title":"IACR Cryptology ePrint Archive, 2019\/079","author":"Li","year":"2019"},{"key":"2019101510185057400_ref15","first-page":"84","article-title":"Boomerang connectivity table revisited application to SKINNY and AES","volume":"2019","author":"Song","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"2019101510185057400_ref16","doi-asserted-by":"crossref","first-page":"142","DOI":"10.46586\/tosc.v2019.i1.142-169","article-title":"Boomerang switch in multiple rounds. Application to AES variants and deoxys","volume":"2019","author":"Wang","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"2019101510185057400_ref17","first-page":"507","article-title":"Related-Key Boomerang and Rectangle Attacks","volume-title":"Proc. 
EUROCRYPT 2005, Aarhus, Denmark, May 22\u201326","author":"Biham","year":"2005"},{"key":"2019101510185057400_ref18","doi-asserted-by":"crossref","first-page":"37","DOI":"10.46586\/tosc.v2017.i3.37-72","article-title":"Security analysis of SKINNY under related-Tweakey settings","volume":"2017","author":"Liu","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"2019101510185057400_ref19","first-page":"57","article-title":"Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming","volume-title":"Proc. Information Security and Cryptology (Inscypt 2011), Beijing, China, November 30\u2013December 3","author":"Mouha","year":"2011"},{"key":"2019101510185057400_ref20","first-page":"158","article-title":"Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers","volume-title":"Proc. ASIACRYPT 2014, Taiwan, December 7\u201311","author":"Sun","year":"2014"},{"key":"2019101510185057400_ref21","article-title":"Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties","volume-title":"IACR Cryptology ePrint Archive, 2014\/747, 2014","author":"Sun","year":"2014"},{"key":"2019101510185057400_ref22","article-title":"New Automatic Search Tool for Impossible Differentials and Zero-Correlation Linear Approximations","volume-title":"IACR Cryptology ePrint Archive, 2016\/689, 2016","author":"Cui","year":"2016"},{"key":"2019101510185057400_ref23","first-page":"185","article-title":"New Impossible Differential Search Tool from Design and Cryptanalysis Aspects","volume-title":"Proc. 
EUROCRYPT 2017, Paris, France, April 30\u2013May 4","author":"Sasaki","year":"2017"},{"key":"2019101510185057400_ref24","doi-asserted-by":"crossref","first-page":"73","DOI":"10.46586\/tosc.v2017.i3.73-107","article-title":"A security analysis of Deoxys and its internal Tweakable block ciphers","volume":"2017","author":"Cid","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"2019101510185057400_ref25","first-page":"648","article-title":"Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers","volume-title":"Proc. ASIACRYPT 2016, Hanoi, Vietnam, December 4\u20138","author":"Xiang","year":"2016"},{"key":"2019101510185057400_ref26","first-page":"250","article-title":"Cube attacks on non-blackbox polynomials based on division property","volume-title":"Proc. CRYPTO 2017, Santa Barbara, USA, August 20\u201324","author":"Todo","year":"2017"},{"key":"2019101510185057400_ref27","first-page":"99","article-title":"Improved conditional cube attacks on Keccak keyed modes with MILP method","volume-title":"Proc. ASIACRYPT 2017, Hong Kong, China, December 3\u20137","author":"Li","year":"2017"},{"key":"2019101510185057400_ref28","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1007\/978-3-319-66787-4_16","article-title":"Gift: A Small Present","volume-title":"Proc. Cryptographic Hardware and Embedded Systems (CHES 2017), Taipei, Taiwan, September 25\u201328","author":"Banik","year":"2017"},{"key":"2019101510185057400_ref29","first-page":"372","article-title":"MILP-based Differential Attack on Round-reduced GIFT","volume-title":"Proc. Cryptographers\u2019 Track at the RSA Conference (CT-RSA 2019), San Francisco, USA, March 4\u20138","author":"Zhu","year":"2019"},{"key":"2019101510185057400_ref30","first-page":"227","article-title":"Integer Linear Programming for Three-Subset Meet-in-the-Middle Attacks: Application to GIFT","volume-title":"Proc. 
International Workshop on Security (IWSEC 2018), Sendai, Japan, September 3\u20135","author":"Sasaki","year":"2018"},{"key":"2019101510185057400_ref31","first-page":"126","article-title":"Khudra: A New Lightweight Block Cipher for FPGAs","volume-title":"Proc. Security, Privacy, and Applied Cryptography Engineering (SPACE 2014), Pune, India, October 18\u201322","author":"Kolay","year":"2014"},{"key":"2019101510185057400_ref32","doi-asserted-by":"crossref","first-page":"1173","DOI":"10.1002\/sec.1409","article-title":"Security analysis of Khudra: A lightweight block cipher for FPGAs","volume":"9","author":"Dai","year":"2016","journal-title":"Secur. Commun. Netw."},{"key":"2019101510185057400_ref33","first-page":"334","article-title":"MIBS: A New Lightweight Block Cipher","volume-title":"Proc. Cryptology and Network Security (CANS 2009), Kanazawa, Japan, December 12\u201314","author":"Izadi","year":"2009"},{"key":"2019101510185057400_ref34","first-page":"87","article-title":"Cryptanalysis of reduced-round MIBS block cipher","volume":"18","author":"Dai","year":"2017","journal-title":"Journal of Information Engineering University"},{"key":"2019101510185057400_ref35","first-page":"331","article-title":"Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher","volume-title":"Proc. Network and System Security (NSS 2015), New York, USA, November 3\u20135","author":"Ma","year":"2015"},{"key":"2019101510185057400_ref36","first-page":"1","article-title":"Cryptanalysis of Reduced-Round MIBS Block Cipher","volume-title":"Proc. Cryptology and Network Security (CANS 2010), Kuala Lumpur, Malaysia, December","author":"Bay","year":"2010"},{"article-title":"Related-key rectangle cryptanalysis of reduced-round block cipher MIBS. In Proc. International Conference on Application of Information and Communication Technologies (AICT 2015), Rostov on Don, Russia, October 14\u201316, pp. 
2116-220, IEEE","year":"2015","author":"Qiao","key":"2019101510185057400_ref37"},{"key":"2019101510185057400_ref38","first-page":"443","article-title":"A Related-Key Rectangle Attack on the Full KASUMI","volume-title":"Proc. ASIACRYPT 2005, Chennai, India, December 4\u20138","author":"Biham","year":"2005"},{"key":"2019101510185057400_ref39","doi-asserted-by":"crossref","first-page":"150","DOI":"10.1007\/978-3-319-69284-5_11","article-title":"New Algorithm for Modeling S-box in MILP Based Differential and Division Trail Search","volume-title":"Proc. Innovative Security Solutions for Information Technology and Communications (SecITC 2017), Bucharest, Romania, June 8\u20139","author":"Sasaki","year":"2017"},{"key":"2019101510185057400_ref40","first-page":"450","article-title":"PRESENT: An Ultra-Lightweight Block Cipher","volume-title":"Proc. Cryptographic Hardware and Embedded Systems (CHES 2007), Vienna, Austria, September 10\u201313","year":"2007"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/comjnl\/advance-article-pdf\/doi\/10.1093\/comjnl\/bxz076\/30151741\/bxz076.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/comjnl\/advance-article-pdf\/doi\/10.1093\/comjnl\/bxz076\/30151741\/bxz076.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,1,8]],"date-time":"2021-01-08T11:39:07Z","timestamp":1610105947000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/advance-article\/doi\/10.1093\/comjnl\/bxz076\/5587703"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,10,15]]},"references-count":40,"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxz076","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"type":"print","value":"0010-4620"},{"type":"electronic","value":"1460-2067"}],"sub
ject":[],"published":{"date-parts":[[2019,10,15]]},"article-number":"bxz076"}}