# Statistical Cryptanalysis Of Arion

In this SageMath notebook we compute the security levels for differential and linear cryptanalysis of Arion.

In [1]:
def log2(n):
    return log(n) / log(2)

## Differential Cryptanalysis

### Differential Trail
Arion's security level against a differential trail is estimated via
$$\kappa \leq r \cdot \big( \log_2 (p) - \log_2 (d_2) \big),$$
where $p$ is the size of the finite field and $d_2$ the exponent of a permutation monomial.

In [2]:
def differential_security_level(q, r, e):
    out = r * (log2(q) - log2(e))
    return float(out)

In [3]:
d_2 = 257
size = [60, 120, 250]
r = 9
max_security_level = 128

for n in size:
    q = 2**n
    print("Size: 2^" + str(n))
    print("r", "\t",
          "d_2", "\t",
          "kappa_diff")
    r = 1
    stop = False
    while not stop:
        level = floor(differential_security_level(q, r, d_2))
        print(r, "\t",
              d_2, "\t",
              level, "\t")
        if level > max_security_level:
            stop = True
        r += 1
    print("\n")

Size: 2^60
r 	 d_2 	 kappa_diff
1 	 257 	 51 	
2 	 257 	 103 	
3 	 257 	 155 	


Size: 2^120
r 	 d_2 	 kappa_diff
1 	 257 	 111 	
2 	 257 	 223 	


Size: 2^250
r 	 d_2 	 kappa_diff
1 	 257 	 241 	




## Linear Cryptanalysis

### Linear Trail
Arion's security level against linear cryptanalysis is estimated via
$$ \kappa \leq \left( \frac{\log_2 (p)}{2} - \log_2 (d_2 - 1) \right)^r, $$
where $p$ is the size of the finite field and $d_2$ the exponent of a permutation monomial.

In [4]:
def linear_security_level(q, r, e):
    out = r * (log2(q) / 2 - log2(e - 1))
    return float(out)

In [5]:
d_2 = 257
params = [#[N, r]
           [60, 6], 
           [120, 3], 
           [250, 2],
           ]

print("d_2: ", d_2, "\n")
print("2^N", "\t",
      "r", "\t",
      "kappa_lin")
for param in params:
    N = param[0]
    r = param[1]
    level = floor(linear_security_level(2^N, r, d_2,))
    print(N, "\t",
          r, "\t",
          level)

d_2:  257 

2^N 	 r 	 kappa_lin
60 	 6 	 131
120 	 3 	 155
250 	 2 	 234


## Truncated Differential Cryptanalysis

### Weight 1 Input/Output Truncated Differentials
Arion's security level against truncated differential of weight $1$ in the first round and restricted differential hull in the second round is estimated via
$$\kappa \leq n \cdot \left( \log_2 \left( p \right) - \log_2 \left( d \right) \right),$$
where $p$ is the size of the finite field, $n$ the number of branches and $d_2$ the exponent of a permutation monomial.

In [6]:
def restricted__hull_truncated_differential_weight_one_security_level(q, n, e):
    out = n * (log2(q) - log2(e))
    return float(out)

In [7]:
d_2 = 257
params = [#[N, n]
           [60, 3], 
           [120, 2], 
           [250, 1],
           ]

print("d_2: ", d_2, "\n")
print("2^N", "\t",
      "n", "\t",
      "kappa_trun")
for param in params:
    N = param[0]
    n = param[1]
    level = floor(restricted__hull_truncated_differential_weight_one_security_level(2^N, n, d_2))
    print(N, "\t",
          n, "\t",
          level)

d_2:  257 

2^N 	 n 	 kappa_trun
60 	 3 	 155
120 	 2 	 223
250 	 1 	 241


### Two Round Truncated Differentials
Arion's security level against two round truncated differential is estimated via
$$\kappa \leq n \cdot \left( \log_2 \left( p \right) - \log_2 \left( d \right) \right),$$
where $p$ is the size of the finite field, $n$ the number of branches and $d_2$ the exponent of a permutation monomial.

In [8]:
def two_round_truncated_differential_security_level(q, r, e):
    out = (r - 2) * (log2(q) - log2(e))
    return float(out)

In [9]:
d_2 = 257
params = [#[N, r]
           [60, 5], 
           [120, 4], 
           [250, 3],
           ]

print("d_2: ", d_2, "\n")
print("2^N", "\t",
      "r - 2", "\t",
      "kappa_trun")
for param in params:
    N = param[0]
    r = param[1]
    level = floor(two_round_truncated_differential_security_level(2^N, r, d_2,))
    print(N, "\t",
          r - 2, "\t",
          level)

d_2:  257 

2^N 	 r - 2 	 kappa_trun
60 	 3 	 155
120 	 2 	 223
250 	 1 	 241
