# Statistical Cryptanalysis Of Arion

In this SageMath notebook we compute the security levels for differential and linear cryptanalysis of Arion.

In [1]:
def log2(n):
    return log(n) / log(2)

## Differential Cryptanalysis

### Differential Trail
Arion's security level against a differential trail is estimated via
$$\kappa \leq r \cdot \big( \log_2 (p) - \log_2 (d_2) \big),$$
where $p$ is the size of the finite field and $d_2$ the exponent of a permutation monomial.

In [2]:
def differential_security_level(q, r, e):
    out = r * (log2(q) - log2(e))
    return float(out)

In [3]:
d_2 = 2**9
size = [60, 120, 250]
r = 9
max_security_level = 128

for n in size:
    q = 2**n
    print("Size: 2^" + str(n))
    print("r", "\t",
          "d_2", "\t",
          "kappa_diff")
    r = 1
    stop = False
    while not stop:
        level = floor(differential_security_level(q, r, d_2))
        print(r, "\t",
              d_2, "\t",
              level, "\t")
        if level > max_security_level:
            stop = True
        r += 1
    print("\n")

Size: 2^60
r 	 d_2 	 kappa_diff
1 	 512 	 51 	
2 	 512 	 102 	
3 	 512 	 152 	


Size: 2^120
r 	 d_2 	 kappa_diff
1 	 512 	 111 	
2 	 512 	 222 	


Size: 2^250
r 	 d_2 	 kappa_diff
1 	 512 	 241 	




### Differential Hull
Arion's security level against the full differential hull
$$\kappa \leq \text{wt} (\boldsymbol{\Delta x}_1) \cdot \Big( \log_2 \left( p \right) - \log_2 \left( d_2 \right) \Big) - \left( r - 1 \right) \cdot \log_2 \Big( \left( d_2 + 1 \right)^n - 1 \Big),$$
where $p$ is the size of the finite field, $n$ the number of branches, $r$ the number of rounds, $d_2$ the exponent of a permutation monomial and $\text{wt} (\boldsymbol{\Delta x}_1)$ the hamming weight of the input difference.

In [4]:
def differential_hull_security_level(q, n, r, e, i=1):
    out = i * (log2(q) - log2(e))
    out = out - (r - 1) * log2((e + 1)**n - 1)
    return float(out)

In [5]:
d_2 = 257
size = [60, 120, 250]
branches = 8
rounds = 6

print("d_2: ", d_2, "\n")

for N in size:
    print("Size: 2^" + str(N))
    print("n", "\t",
          "r", "\t",
          "weight", "\t",
          "kappa_diff_hull")
    for n in range(3, branches + 1):
        for r in range(4, rounds + 1):
            for weight in range(1, n + 1):
                level = floor(differential_hull_security_level(2**N, n, r, d_2, weight))
                if level > 0:
                    print(n, "\t",
                          r, "\t",
                          weight, "\t\t",
                          level)
                    break
    print("\n")

d_2:  257 

Size: 2^60
n 	 r 	 weight 	 kappa_diff_hull
3 	 4 	 2 		 31
3 	 5 	 2 		 7
3 	 6 	 3 		 35
4 	 4 	 2 		 7
4 	 5 	 3 		 27
4 	 6 	 4 		 47
5 	 4 	 3 		 35
5 	 5 	 4 		 47
5 	 6 	 4 		 7
6 	 4 	 3 		 11
6 	 5 	 4 		 15
6 	 6 	 5 		 19
7 	 4 	 4 		 39
7 	 5 	 5 		 35
7 	 6 	 6 		 31
8 	 4 	 4 		 15
8 	 5 	 5 		 3
8 	 6 	 7 		 43


Size: 2^120
n 	 r 	 weight 	 kappa_diff_hull
3 	 4 	 1 		 39
3 	 5 	 1 		 15
3 	 6 	 2 		 103
4 	 4 	 1 		 15
4 	 5 	 2 		 95
4 	 6 	 2 		 63
5 	 4 	 2 		 103
5 	 5 	 2 		 63
5 	 6 	 2 		 23
6 	 4 	 2 		 79
6 	 5 	 2 		 31
6 	 6 	 3 		 95
7 	 4 	 2 		 55
7 	 5 	 3 		 111
7 	 6 	 3 		 55
8 	 4 	 2 		 31
8 	 5 	 3 		 79
8 	 6 	 3 		 15


Size: 2^250
n 	 r 	 weight 	 kappa_diff_hull
3 	 4 	 1 		 169
3 	 5 	 1 		 145
3 	 6 	 1 		 121
4 	 4 	 1 		 145
4 	 5 	 1 		 113
4 	 6 	 1 		 81
5 	 4 	 1 		 121
5 	 5 	 1 		 81
5 	 6 	 1 		 41
6 	 4 	 1 		 97
6 	 5 	 1 		 49
6 	 6 	 1 		 1
7 	 4 	 1 		 73
7 	 5 	 1 		 17
7 	 6 	 2 		 203
8 	 4 	 1 		 49
8 	 5 	 2 		 

### Restricted Differential Hull
Arion's security level against the restructed differential hull
$$\kappa \leq r \cdot \Big( \log_2 \left( p \right) - \log_2 \left( d_2 \right) \Big) - \left( r - 1 \right) \cdot \log_2 \left( M \right),$$
where $p$ is the size of the finite field, $r$ the number of rounds, $d_2$ the exponent of a permutation monomial and $M < (p - 1) \cdot n$ is the size of the restricted differential hull.

In [6]:
def restricted_differential_hull_security_level(q, r, e, M=1):
    out = r * (log2(q) - log2(e))
    out = out - (r - 1) * log2(M)
    return float(out)

In [7]:
d_2 = 257
size = [60, 120, 250]
rounds = 6

print("d_2: ", d_2, "\n")

for N in size:
    print("Size: 2^" + str(N))
    print("r", "\t",
          "data", "\t",
          "kappa_diff_hull")
    for r in range(1, rounds + 1):
        data = N / 2
        level = floor(restricted_differential_hull_security_level(2**N, r, d_2, 2**data))
        print(r, "\t",
              data, "\t",
              level)
    print("\n")

d_2:  257 

Size: 2^60
r 	 data 	 kappa_diff_hull
1 	 30 	 51
2 	 30 	 73
3 	 30 	 95
4 	 30 	 117
5 	 30 	 139
6 	 30 	 161


Size: 2^120
r 	 data 	 kappa_diff_hull
1 	 60 	 111
2 	 60 	 163
3 	 60 	 215
4 	 60 	 267
5 	 60 	 319
6 	 60 	 371


Size: 2^250
r 	 data 	 kappa_diff_hull
1 	 125 	 241
2 	 125 	 358
3 	 125 	 475
4 	 125 	 592
5 	 125 	 709
6 	 125 	 826




## Linear Cryptanalysis

### Linear Trail
Arion's security level against linear cryptanalysis is estimated via
$$ \kappa \leq 2 + r \cdot \log_2 (p) - 2 \cdot r \cdot \log_2 (d_2) - \log_2(D), $$
where $p$ is the size of the finite field, $d_2$ the exponent of a permutation monomial and $D$ the amount of data that is used for an attack. 

In [8]:
def linear_security_level(q, r, e, D):
    out = 2 + r * log2(q) - 2 * r * log2(e) - log2(D)
    return float(out)

In [9]:
d_2 = 2**9
size = [60, 120, 250]
max_block_size = 4
max_security_level = 128

for n in size:
    q = 2**n
    print("Size: 2^" + str(n))
    print("r", "\t",
          "d_2", "\t",
          "data", "\t",
          "kappa_lin")
    for m in range(1, max_block_size + 1):
        stop = False
        r = 1
        while not stop:
            level = 1
            if q**r > q**m:
                level = floor(linear_security_level(q, r, d_2, q**m))
                print(r, "\t", 
                      d_2, "\t",
                      n * m, "\t",
                      level)
            if level > max_security_level:
                stop = True
            r += 1
    print("\n")

Size: 2^60
r 	 d_2 	 data 	 kappa_lin
2 	 512 	 60 	 26
3 	 512 	 60 	 68
4 	 512 	 60 	 109
5 	 512 	 60 	 152
3 	 512 	 120 	 7
4 	 512 	 120 	 50
5 	 512 	 120 	 92
6 	 512 	 120 	 133
4 	 512 	 180 	 -10
5 	 512 	 180 	 32
6 	 512 	 180 	 73
7 	 512 	 180 	 115
8 	 512 	 180 	 158
5 	 512 	 240 	 -28
6 	 512 	 240 	 13
7 	 512 	 240 	 55
8 	 512 	 240 	 98
9 	 512 	 240 	 140


Size: 2^120
r 	 d_2 	 data 	 kappa_lin
2 	 512 	 120 	 86
3 	 512 	 120 	 188
3 	 512 	 240 	 67
4 	 512 	 240 	 170
4 	 512 	 360 	 50
5 	 512 	 360 	 152
5 	 512 	 480 	 32
6 	 512 	 480 	 133


Size: 2^250
r 	 d_2 	 data 	 kappa_lin
2 	 512 	 250 	 216
3 	 512 	 500 	 198
4 	 512 	 750 	 180
5 	 512 	 1000 	 162




### Restricted Linear Hull
Arion's security level against the restricted linear hull is estimated via
$$\kappa \leq r \cdot \Big( \log_2 \left( p \right) - 2 \cdot \log_2 \left( d_2 - 1 \right) \Big) - \left( r - 1 \right) \cdot \log_2 \left( M \right),$$
where $p$ is the size of the finite field, $r$ the number of rounds, $d_2$ the exponent of a permutation monomial and $M < (p - 1) \cdot n$ is the size of the restricted differential hull.

In [10]:
def restricted_linear_hull_security_level(q, r, e, M=1):
    out = r * (log2(q) - 2 * log2(e - 1))
    out = out - (r - 1) * log2(M)
    return float(out)

In [11]:
d_2 = 257
size = [60, 120, 250]
rounds = 6

print("d_2: ", d_2, "\n")

for N in size:
    print("Size: 2^" + str(N))
    print("r", "\t",
          "data", "\t",
          "kappa_lin_hull")
    for r in range(1, rounds + 1):
        data = N / 2
        level = floor(restricted_differential_hull_security_level(2**N, r, d_2, 2**data))
        print(r, "\t",
              data, "\t",
              level)
    print("\n")

d_2:  257 

Size: 2^60
r 	 data 	 kappa_lin_hull
1 	 30 	 51
2 	 30 	 73
3 	 30 	 95
4 	 30 	 117
5 	 30 	 139
6 	 30 	 161


Size: 2^120
r 	 data 	 kappa_lin_hull
1 	 60 	 111
2 	 60 	 163
3 	 60 	 215
4 	 60 	 267
5 	 60 	 319
6 	 60 	 371


Size: 2^250
r 	 data 	 kappa_lin_hull
1 	 125 	 241
2 	 125 	 358
3 	 125 	 475
4 	 125 	 592
5 	 125 	 709
6 	 125 	 826




## Truncated Differential Cryptanalysis

### Weight 1 Input/Output Truncated Differentials
Arion's security level against truncated differential of weight $1$ in the first round and restricted differential hull in the second round is estimated via
$$\kappa \leq n \cdot \left( \log_2 \left( p \right) - \log_2 \left( d \right) \right) - \log_2 \left( M \right),$$
where $p$ is the size of the finite field, $n$ the number of branches, $d_2$ the exponent of a permutation monomial and $M < (p - 1) \cdot n$ is the size of the restricted differential hull.

In [12]:
def restricted__hull_truncated_differential_weight_one_security_level(q, n, e, M=1):
    out = n * (log2(q) - log2(e))
    out = out - log2(M)
    return float(out)

In [13]:
d_2 = 257
params = [#[N, n, M]
           [60, 4, 100], 
           [120, 3, 120], 
           [250, 3, 250],
           ]

print("d_2: ", d_2, "\n")
print("2^N", "\t",
      "n", "\t",
      "2^M", "\t",
      "kappa_trun")
for param in params:
    N = param[0]
    n = param[1]
    M = param[2]
    level = floor(restricted__hull_truncated_differential_weight_one_security_level(2^N, n, d_2, 2^M))
    print(N, "\t",
          n, "\t",
          M, "\t",
          level)

d_2:  257 

2^N 	 n 	 2^M 	 kappa_trun
60 	 4 	 100 	 107
120 	 3 	 120 	 215
250 	 3 	 250 	 475


### Two Round Truncated Differentials
Arion's security level against two round truncated differential is estimated via
$$\kappa \leq n \cdot \left( \log_2 \left( p \right) - \log_2 \left( d \right) \right) - \log_2 \left( M \right),$$
where $p$ is the size of the finite field, $n$ the number of branches, $d_2$ the exponent of a permutation monomial and $M < (p - 1) \cdot n$ is the size of the restricted differential hull.

In [14]:
def restricted_hull_two_round_truncated_differential_security_level(q, r, e, M=1):
    out = (r - 2) * (log2(q) - log2(e) - log2(M))
    return float(out)

In [15]:
d_2 = 257
params = [#[N, r, M]
           [60, 6, 30], 
           [120, 5, 60], 
           [250, 4, 125],
           ]

print("d_2: ", d_2, "\n")
print("2^N", "\t",
      "r - 2", "\t",
      "2^M", "\t",
      "kappa_trun")
for param in params:
    N = param[0]
    r = param[1]
    M = param[2]
    level = floor(restricted_hull_two_round_truncated_differential_security_level(2^N, r, d_2, 2^M))
    print(N, "\t",
          r - 2, "\t",
          M, "\t",
          level)

d_2:  257 

2^N 	 r - 2 	 2^M 	 kappa_trun
60 	 4 	 30 	 87
120 	 3 	 60 	 155
250 	 2 	 125 	 233
