Comprehensive security analysis of CRAFT

CRAFT is a lightweight block cipher, designed to provide efficient protection against differential fault attacks. It is a tweakable cipher that includes 32 rounds to produce a ciphertext from a 64-bit plaintext using a 128-bit key and 64-bit public tweak. In this paper, compared to the designers' analysis, we provide a more detailed analysis of CRAFT against differential and zero-correlation cryptanalysis, aiming to provide better distinguishers for the reduced rounds of the cipher. Our distinguishers for reduced-round CRAFT cover a higher number of rounds compared to the designers' analysis. In our analysis, we observed that, for any number of rounds, the differential effect of CRAFT has a much higher probability than any differential trail. As an example, while the best trail for 11 rounds of the cipher has a probability of at least $2^{-80}$, we present a differential with probability $2^{-49.79}$, containing $2^{29.66}$ optimal trails, all with the same optimum probability of $2^{-80}$. Next, we use a partitioning technique, based on optimal expandable truncated trails, to provide a better estimation of the differential effect on CRAFT. Thanks to this technique, we are able to find differential distinguishers for 9, 10, 11, 12, 13, and 14 rounds of the cipher in the single tweak model with probabilities of at least $2^{-40.20}$, $2^{-45.12}$, $2^{-49.79}$, $2^{-54.49}$, $2^{-59.13}$, and $2^{-63.80}$, respectively. These probabilities should be compared with the best distinguishers provided by the designers in the same model for 9 and 10 rounds of the cipher, with probabilities of at least $2^{-54.67}$ and $2^{-62.61}$, respectively. In addition, we consider the security of CRAFT against the new concept of related tweak zero-correlation (ZC) linear cryptanalysis and present a new distinguisher which covers 14 rounds of the cipher, while the best previous ZC distinguisher covered 13 rounds. Thanks to the related tweak ZC distinguisher for 14 rounds of the cipher, we also present 14-round integral distinguishers in the related tweak mode of the cipher. Although the provided analysis does not compromise the cipher, we think it provides a better insight into the design of CRAFT.


Introduction
Lightweight cryptography received extensive attention over the last decade, motivated by the emergent growth of resource-constrained devices such as RFID tags and IoT edge devices. To address this demand, several lightweight primitives have been proposed by researchers, to name just some, SKINNY [BJK+16], PRESENT [BKL+07], MIBS [ISSK09], SIMON [BSS+15],

Table 1: Summary of the main results of attacks on CRAFT. ST, RT and RK denote single tweak mode, related tweak mode and related key mode, respectively, and $RT_i$ denotes RT mode started with $TK_i$. In addition, D, TD, LH, ID, INT and ZC denote differential effect, truncated differential, linear hull, impossible differential, integral, and zero-correlation cryptanalysis, respectively. For example, $RT_0$-D denotes the differential effect of CRAFT in related tweak mode, starting with $TK_0$.

The 64-bit tweak input.

$K$
The 128-bit master key.

$TK_i$
The main tweaks that are made based on $T$ and $K$ ($i = 0, 1, 2, 3$).

$TK^i_{i\%4}$
The 64-bit round tweakey which is used in round $R_i$ ($i = 0, \dots, 31$); $TK^i_{i\%4}[j]$ represents the $j$-th cell ($j = 0, \dots, 15$) of $TK^i_{i\%4}$.

$X_i$
The internal state before the Mix-Columns (MC) at round $R_i$ ($i = 0, \dots, 31$); $X_i[j]$ represents the $j$-th cell ($j = 0, \dots, 15$) of $X_i$.

$\Gamma S$
The linear mask of state $S$; $\Gamma S[j]$ represents the $j$-th cell ($j = 0, \dots, 15$) of $\Gamma S$. When the state $S$ is $X_i$, $Y_i$ or $Z_i$ we denote $\Gamma S$ with $\Gamma X_i$, $\Gamma Y_i$ or $\Gamma Z_i$ respectively.

$\Delta S$
The differential in state $S$.

, where we are using typewriter style.
The rest of the paper is organized as follows: in Section 2, we present the required preliminaries and also briefly describe CRAFT. In Section 3, we present the zero-correlation analysis in related tweak mode. Differential effect analysis of the cipher is described in Section 4. Section 5 presents our investigation results on some of the designers' security claims and points out some of their typos. Finally, we conclude the paper in Section 6.

Preliminaries
In this section, we present the required preliminaries and a brief description of CRAFT.

Notations
The notation used in the paper is summarized in Table 2.

A brief description of CRAFT
CRAFT is a 64-bit lightweight block cipher which supports 128-bit key and 64-bit tweak and its round function is composed of involutory building blocks. Then, the internal state is going through 32 rounds $R_i$, $i \in \{0, \dots, 31\}$, to generate a 64-bit ciphertext. As is depicted in Figure 1, each round, excluding the last round, includes five functions, i.e., a binary MixColumn (MC), the round dependent combining with round constant AddRoundConstants (ARC), the round dependent mixing with the sub-tweakey AddTweakey (ATK), a nibble-based permutation PermuteNibbles (PN), and the substitution layer S-box (SB). The last round only includes MC, ARC and ATK, i.e., $R_{31} = ATK_{31} \circ ARC_{31} \circ MC$, while for any $0 \le i \le 30$, MC is a multiplication of internal state by the following binary matrix:

After MC, in each round $i$ two round dependent constant nibbles $a^i = (a^i_3, a^i_2, a^i_1, a^i_0)$ and $b^i = (b^i_2, b^i_1, b^i_0)$ are XOR-ed with $I_4$ and $I_5$ respectively ($a^i_0$ and $b^i_0$ are the least significant bits). A 4-bit LFSR and a 3-bit LFSR are used to update $a$ and $b$ for each round. Those LFSRs are initialized by values (0001) and (001), respectively and are updated to $a^{i+1} = (a^i_1 \oplus a^i_0, a^i_3, a^i_2, a^i_1)$, and ) from $i$-th round to $(i+1)$-th round. After AddRoundConstants (ARC), a 64-bit round tweakey is XOR-ed with IS. The tweakey schedule of CRAFT is rather simple. Given the secret key $K = K_0 K_1$ and the tweak $T \in \{0, 1\}^{64}$, where

The final function is a non-linear $4 \times 4$-bit S-box which has been borrowed from MIDORI [BBI+15]. The table representation of the S-box is given in Table 3.

Related tweak zero-correlation and integral cryptanalysis
In this section, we apply the related tweak zero-correlation attack [ADG+19] to a reduced-round version of CRAFT. In the zero-correlation cryptanalysis of a tweakable block cipher $E_K(P, T)$, e.g. CRAFT, tweak bits can also be involved in the linear combination of input bits. Hence, in this case, when one looks for a linear hull with zero correlation, the input mask consists of two components, one for the plaintext, and another one for the (master) tweak. The correlation of a linear approximation with input mask $(\alpha_1, \alpha_2)$, and output mask $\beta$, is calculated as follows: where the probability is taken over all values of $P$ and $T$.
CRAFT has a linear tweakey-scheduling $L_K : \mathbb{F}_2^{64} \to (\mathbb{F}_2^{64})^{32}$, to map the tweak to the subtweakeys. The generated sub-tweakeys are then XORed to the internal states of the cipher as depicted in Figure 2. For a linear trail with input-output masks $((\alpha_1, \alpha_2), \beta)$, and internal linear masks $\Gamma = (\Gamma X_0, \Gamma Y_0, \Gamma Z_0, \Gamma X_1, \Gamma Y_1, \Gamma Z_1, \dots, \Gamma X_{r-1}, \Gamma Y_{r-1}, \Gamma Z_{r-1}, \Gamma X_r)$, covering $r$ rounds of CRAFT, correlation can be calculated as follows: According to the rule of propagation of linear masks through XOR, linear mask $\Gamma Y_i$ must be the same as the linear mask $\Gamma TK^i_{i\%4}$, for all $0 \le i \le r-1$. According to the tweakey-scheduling of CRAFT, which is a linear mapping, the linear masks $\Gamma Y_i$, for all $0 \le i \le r-1$, should satisfy the following relation: In other words, there is a linear relation between nibbles of linear masks $\Gamma Y_i$, for $0 \le i \le r-1$, as follows: The correlation of a linear hull, with the input linear masks $(\alpha_1, \alpha_2)$ and the output linear mask $\beta$, can be calculated as follows: The additional constraint $\alpha_2 = L(\Gamma Y_0, \dots, \Gamma Y_{r-1})$, which is induced by the tweakey-scheduling, introduces an additional restriction on the linear trails that are included in a linear hull. Hence, the probability of achieving a zero-correlation is higher than in the single tweak zero-correlation cryptanalysis, where the tweakey-scheduling is not considered.
In the related tweak cases, the zero-correlation linear hull behavior of CRAFT is dependent on the starting round, i.e., the index of $RT_i$ ($i = 0, 1, 2, 3$). Hence, we investigated the security of CRAFT against the related tweak zero-correlation attack in $RT_0$, $RT_1$, $RT_2$ and $RT_3$ modes. To find the related tweak zero-correlation trails, we modeled CRAFT in MILP to find a zero-correlation mask for $RT_i$ and proved it manually. As a result, in the case of $RT_0$, we found a 14-round zero-correlation linear hull for CRAFT, where the number of forward and backward rounds are both 7. With respect to Figure 3, active linear masks are applied to two cells $X_0[4]$ and $X_0[12]$ at the input, and the active linear mask is applied to cell $X_{14}[4]$ in the state at the output. Then, we focus on the tweak cell labeled 11, which is depicted with a red frame in Figure 3. In the following section, based on the given active linear mask in the master tweak $T$, we present a 14-round related tweak zero-correlation for CRAFT: Note that the permutation $Q$ operates on $TK^i_{i\%4}$ when $i = 2, 3, 6, 7, 10, 11$. Based on Figure 3, we have $\Gamma T[11]$ (the XOR of red frames) and so, We denote the Linear Approximation  4). Now, based on the properties of the PN and SB operations of the 5-th round, we have Due to the MC operation on the active cells of column 3 of state $X_5$ in the input of the 5-th round, we have $\Gamma Y_5[15] = \Gamma Y_5[11]$ and so, based on (Equation 2), we have Now, due to the MC operation on the active cells of column 0 of state $X_6$, we have

Figure 3: Related tweak zero-correlation of 14-round CRAFT in $TK_0$ mode

Therefore, based on (Equation 1) and (Equation 4), $\Gamma TK^5_1[11]$ and $\Gamma TK^6_2[8]$ must satisfy the following conditions: These conditions are equivalent to finding an input mask $x$ ($x = \Gamma TK^5_1[11]$) and an output mask $y$ ($y = \Gamma TK^6_2[8]$), such that: Note that, by referring to the linear approximation table of the CRAFT S-box, we observe there is no input/output mask that satisfies these conditions (see Table 4).
We also searched the zero-correlation linear hulls for each of the cases $RT_1$, $RT_2$, and $RT_3$. For $RT_1$, we could not find a zero-correlation linear hull covering more than 13 rounds, but for both $RT_2$ and $RT_3$, we found new zero-correlation linear hulls covering 14 rounds of CRAFT.
The activity patterns of linear masks, for the obtained zero-correlation linear hulls in cases $RT_2$ and $RT_3$, are as follows: 0000 γ000 0000 0000

Linking zero-correlation linear hull to integral
The following theorems show how to convert a zero-correlation linear hull to an integral distinguisher.
Theorem 1. [SLR+15] Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a function, and $A$ be a subspace of $\mathbb{F}_2^n$ and $\beta \in \mathbb{F}_2^n \setminus \{0\}$. Suppose that $(\alpha, \beta)$ is a zero-correlation linear approximation for any $\alpha \in A$, then for any $\lambda \in \mathbb{F}_2^n$, $\langle \beta, F(x + \lambda) \rangle$ is balanced on the following set
The following theorem shows that the input masks should not necessarily form a subspace.
Theorem 2. [SLR+15] A nontrivial zero-correlation linear hull of a block cipher always implies the existence of an integral distinguisher.
The number of the required data to verify whether $\langle \beta, F(x + \lambda) \rangle$ in Theorem 1 and Theorem 2 is balanced over $A^\perp$ is equal to the cardinality of $A^\perp$, which is $2^{\dim(A^\perp)}$. Therefore, if the input-size of $F$ is $n$ bits, and the dimension of the subspace $A$ is $m$, the data complexity of the corresponding integral distinguisher is $2^{n-m}$. Considering the tweak in the zero-correlation linear hull on a general tweakable block cipher may expand the domain space from $n$ to $n + t$, where $n$ and $t$ are data-size and tweak-size respectively [ADG+19], but considering the tweak in our related-tweak zero-correlation linear hulls for CRAFT increases the domain space $n$ only by 4.
CRAFT's tweakey scheduling algorithm never mixes the different nibbles, and as mentioned above, the tweak, excluding the nibble $T[11]$, is independent of the obtained linear hull in our zero-correlation linear hulls for all cases $RT_0$, $RT_2$, and $RT_3$, and it can actually take any (arbitrary) constants. Therefore, the domain space of our zero-correlation linear hulls is 64 + 4 = 68 bits instead of 128 bits. In other words, to evaluate the correlation of the obtained linear hull in the online phase, an arbitrary constant is taken for those nibbles labeled by *, and the inputs are chosen so that the vector consisting of the 17 remaining nibbles takes all the possible values, since the correlation of our linear hulls is equal to zero, independent of those nibbles labeled by *.
Suppose that we denote the 14 rounds of CRAFT starting with $RT_0$ as follows: where $P$ and $T$ denote plaintext and tweak, respectively. We also denote the function obtained by fixing 15 nibbles of the tweak, excluding the cell 11, by an arbitrary value from $\mathbb{F}_2^{60}$ in function $E_k$ by $F$, which is actually a function from $\mathbb{F}_2^{64} \times \mathbb{F}_2^4$ to $\mathbb{F}_2^{64}$. Let $M$ be the set of all input masks in our zero-correlation linear hull in case $RT_0$, as follows: where $(\gamma_0, \dots, \gamma_{15})$ corresponds to the input mask for the plaintext, and $\gamma$ corresponds to the input mask for $T[11]$. Although $M$ is not a subspace of $\mathbb{F}_2^{68}$, for each $\alpha = (\gamma_0, \dots, \gamma_{15}, \gamma) \in M$, if $A = \{0, \alpha\}$, then $A$ is a subspace of dimension 1 of $\mathbb{F}_2^{68}$. Suppose that $\beta$ is chosen from the set of output masks of our zero-correlation linear hull for 14 rounds of CRAFT in case $RT_0$, which is depicted in Figure 3. Thus, based on Theorem 1, for each $\lambda \in \mathbb{F}_2^{68}$, $\langle \beta, F(x + \lambda) \rangle$ is balanced over $A^\perp$. Since $\dim(A^\perp) = 67$, the data complexity of the integral distinguisher corresponding to the zero-correlation linear hull covering 14 rounds in case $RT_0$ is equal to $2^{67}$. For more details, $A$, $A^\perp$ can be displayed as follows: where $c_4 = c_{12}$ are non-zero constants from $\mathbb{F}_2^4$, and, The required data for our integral distinguisher must be taken from $A^\perp$, such that $(x_0, \dots, x_{15})$ corresponds to the plaintext and $t_{11}$ corresponds to cell 11 of the tweak. To generate the vectors of $A^\perp$, we can choose an arbitrary value for $t_{11}$ at first, and then choose a suitable value for $(x_0, \dots, x_{15})$, such that the vector $(x_0, \dots, x_{15}, t_{11})$ is in $A^\perp$. Since there are $2^4$ possible values for $t_{11}$, and for each of them there are $2^{63}$ plaintexts, the total data complexity is $2^{67}$. The zero-correlation linear hulls covering 14 rounds of CRAFT in the related-tweak model for cases $RT_2$ and $RT_3$ can also be converted to integral distinguishers in a similar manner. In case $RT_2$, we apply the same (arbitrary) linear mask to the two cells 4 and 12, and apply zero linear masks to the remaining 14 nibbles. We also apply linear mask 0 to the cell 11 of the tweak. In contrast to case $RT_0$, the set of all input masks in case $RT_2$ is a subspace of $\mathbb{F}_2^{68}$ with dimension 4, which is again denoted by $A$. Thereby, $\dim(A^\perp) = 68 - 4 = 64$, and the data complexity of the corresponding integral distinguisher is equal to $2^{64}$, or equivalently, $2^4$ tweaks, and for each of them $2^{60}$ plaintexts are required. The integral distinguishers share the same input linear mask, and the cell 5 of the output is balanced. Due to the high similarity between the zero-correlation linear hulls for cases $RT_2$ and $RT_3$, the data complexity of the related-tweak integral distinguisher corresponding to case $RT_3$ is exactly the same as in case $RT_2$, and it has the same input and output linear masks as the zero-correlation linear hulls obtained for 14 rounds in case $RT_3$.

Differential effect cryptanalysis
The designers of CRAFT provided extensive security analysis against differential and linear cryptanalysis [BLMR19, See Table 5]. They have provided the minimum number of active S-boxes for differential/linear cryptanalysis in single and differential related tweak mode. In addition, they have provided their analysis for the differential effect (resp. linear hull) of round-reduced CRAFT. In single tweak mode (ST-mode), they presented a differential distinguisher for 9 and 10 rounds of the cipher with the lower bounds of probabilities $2^{-54.67}$ and $2^{-62.61}$, respectively. For related tweak mode (RT-mode), depending on the starting round based on the TK value, they have presented 15, 16, 17, and 16 rounds differential distinguishers when the cipher is started from round 0, 1, 2, and 3, respectively (denoted as $RT_0$, $RT_1$, $RT_2$ and $RT_3$ respectively). The probabilities of the presented distinguishers are $2^{-55.14}$, $2^{-57.18}$, $2^{-60.14}$, and $2^{-55.14}$, respectively. To verify their results, first, we developed an automated tool, based on MILP and CryptoSMT. In the ST-mode, we reached the same number of active S-boxes, but an interesting observation was finding trails with optimum probability for any number of rounds and in any analysis mode, i.e., all S-boxes are activated by the maximum possible probability, i.e., $2^{-2}$ in differential/linear cryptanalysis (we only found a typo in their report for 17 rounds of $RT_1$, which was reported to be 44 S-boxes, while it should be 46). Table 5 represents the minimum number of active S-boxes and also the maximum probability of a single trail for the different numbers of rounds in the different modes of analysis.
Next, we evaluated the differential effect of the cipher in ST-mode. To enumerate the differential trails in a differential effect of CRAFT, similar to previous works [LWR16, KLT15], we used the following approach to enumerate all the solutions in a SAT solver:
1. Build the CNF model for the problem, ask the solver to give one solution x if it exists.
2. Add a new condition to the current CNF model in order to remove x.
3. Ask the solver to give a solution, repeat step 2 until the solver returns unsatisfiable.

Differential effect
In this section, we evaluated the differential effect behavior of CRAFT by fixing the input and output difference and trying to find a better differential probability. We observed that for input/output differences that satisfy a trail with the minimum number of active S-boxes, there are many trails with optimum probability and all of them have an identical truncated pattern. While finding an estimation of the real differential behavior of a cipher could be a very time consuming task in general, this observation motivated us to use the following steps to provide a lower bound on the differential probability of CRAFT for different numbers of rounds:
1. Using MILP, find a truncated differential trail with the minimum number of active S-boxes.
2. Verify the correctness of the truncated differential trail by finding at least one trail that matches the found truncated patterns.
3. Based on the found trail, develop the constraints for CryptoSMT, to limit the search to the truncated pattern with fixed input/output in the previous step.
Then CryptoSMT generates a CNF for each S-box, as a constraint which is satisfiable if and only if the assignment corresponds to a valid trail. In order to generate the CNF of each S-box, it considers all invalid assignments. If an assignment $(a_0, \dots, a_{n-1}, b_0, \dots, b_{n-1}, c_0, \dots, c_{n-1})$ is an impossible one, then the following clause is added to the CNF: to exclude the invalid assignment (a,b,c) from the solution space.
By considering all invalid assignments, the CNF modeling the differential behaviour of an $n$-bit S-box is as follows: The entries in the DDT of a 4-bit S-box with differential uniformity 4, including CRAFT's S-box, only take four possible values, which are 0, 2, 4, and 16; therefore, the possible differential probabilities are 0, $2^{-3}$, $2^{-2}$, and 1, respectively. In contrast to CryptoSMT's encoding, which always uses four variables to encode the probabilities of a given 4-bit S-box, the probabilities of CRAFT's S-box can be encoded via only three binary variables denoted as $p_0, p_1, p_2$, such that $wt(p_0, p_1, p_2) = -\log_2(p)$.
With the aim of optimizing CryptoSMT's method for encoding the differential behavior of CRAFT's S-box, we use a different method than CryptoSMT's original method, which can be easily generalized for an arbitrary $n$-bit S-box. We first generate the truth table of the following 11-bit boolean function [SWW18]: where $x = (x_0, \dots, x_3)$ and $y = (y_0, \dots, y_3)$ denote the input and the output differences, and $p = (p_0, p_1, p_2)$ is used to encode $\Pr\{x \to y\} = 2^{-wt(p)}$. To generate the constraints that model the differential behavior of the S-box, we use the minimized product-of-sum representation of the above boolean function, which can be obtained via the Quine-McCluskey [Qui52, Qui55, MJ56] and Espresso [BHMSV84] algorithms implemented in the off-the-shelf program Logic Friday [Log19]. The minimized product-of-sum representation of the above boolean function for CRAFT's S-box is represented in Appendix A.
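The solve/block/repeat enumeration loop and the one-clause-per-invalid-assignment S-box model with a three-bit probability encoding, described in the passages above, are combined in the following added example (it is not the paper's code or CryptoSMT's). The S-box table is the MIDORI Sb0 table that CRAFT borrows; the bit patterns chosen for $p$, the unminimized CNF, and the small DPLL routine standing in for a real SAT solver are assumptions of this sketch.

```python
from itertools import product

# CRAFT S-box (the MIDORI Sb0 table the paper says CRAFT borrows); an involution.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

# Assumed bit patterns for p = (p0, p1, p2), chosen so that wt(p) = -log2(Pr).
DDT_TO_WEIGHT = {16: 0, 4: 2, 2: 3}
WEIGHT_TO_P = {0: (0, 0, 0), 2: (0, 1, 1), 3: (1, 1, 1)}
N_VARS = 11  # x0..x3, y0..y3, p0..p2 -> SAT variables 1..11


def ddt(sbox):
    """Difference distribution table: table[dx][dy] = #{x : S(x)^S(x^dx) = dy}."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for dx in range(16):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def bits(value, width=4):
    """Most-significant-bit-first tuple of `width` bits."""
    return tuple((value >> (width - 1 - i)) & 1 for i in range(width))


def blocking_clause(assignment):
    """The clause that is false on exactly this 0/1 assignment."""
    return [-(i + 1) if b else (i + 1) for i, b in enumerate(assignment)]


def sbox_cnf(sbox):
    """One clause per invalid (x, y, p) assignment (unminimized product of sums)."""
    table = ddt(sbox)
    valid = {bits(dx) + bits(dy) + WEIGHT_TO_P[DDT_TO_WEIGHT[c]]
             for dx in range(16) for dy, c in enumerate(table[dx]) if c}
    return [blocking_clause(a) for a in product((0, 1), repeat=N_VARS)
            if a not in valid]


def solve(cnf, assignment=None):
    """Minimal DPLL: returns a (possibly partial) satisfying dict, or None."""
    assignment = dict(assignment or {})
    remaining = []
    for clause in cnf:
        open_lits, satisfied = [], False
        for lit in clause:
            value = assignment.get(abs(lit))
            if value is None:
                open_lits.append(lit)
            elif value == (lit > 0):
                satisfied = True
                break
        if satisfied:
            continue
        if not open_lits:
            return None  # clause falsified under this assignment
        remaining.append(open_lits)
    if not remaining:
        return assignment
    for clause in remaining:  # unit propagation
        if len(clause) == 1:
            assignment[abs(clause[0])] = clause[0] > 0
            return solve(remaining, assignment)
    var = abs(remaining[0][0])
    for value in (True, False):
        model = solve(remaining, {**assignment, var: value})
        if model is not None:
            return model
    return None


def enumerate_models(cnf, n_vars=N_VARS):
    """Steps 1-3: solve, add a clause removing the solution, repeat until UNSAT."""
    cnf = [list(c) for c in cnf]
    models = []
    while True:
        model = solve(cnf)
        if model is None:
            return models
        # Unassigned variables are free here; fix them to 0 to get one full model.
        full = tuple(int(model.get(v, False)) for v in range(1, n_vars + 1))
        models.append(full)
        cnf.append(blocking_clause(full))


def transitions_from(dx, cnf):
    """All (output difference, weight) pairs for a fixed input difference dx."""
    fixed = [[(i + 1) if b else -(i + 1)] for i, b in enumerate(bits(dx))]
    result = []
    for m in enumerate_models(cnf + fixed):
        dy = int("".join(str(b) for b in m[4:8]), 2)
        result.append((dy, sum(m[8:])))
    return sorted(result)


if __name__ == "__main__":
    model = sbox_cnf(SBOX)
    for dy, weight in transitions_from(0xA, model):
        print(f"A -> {dy:X} with probability 2^-{weight}")
```

For the input difference A, which the paper uses in its best differentials, the enumeration returns only weight-2 transitions, i.e. every possible output difference is reached with the optimum probability $2^{-2}$.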
Following the above steps, we were able to accelerate the differential search for reduced-round CRAFT. For instance, using the un-optimized CryptoSMT, finding a bound for the differential of 11 rounds of CRAFT cost 86379s on a personal computer (Intel Core (TM)i-5, 8 Gig RAM, running Ubuntu 18.04 LTS), where we reached $2^{-58.7704}$ based on 2458966 trails (all with optimum probability of $2^{-80}$). After optimizing CryptoSMT as above, we reached the identical probability much faster. A comparison of the search time to find the best single differential characteristic for reduced-round variants of CRAFT is provided in Table 8 and Table 9 of Appendix A. Based on this approach, for 9 rounds of CRAFT, we find the following input/output difference with the differential probability of $2^{-44.37}$, where the least significant nibble appears in the leftmost position: The above differential contains 810592 trails, all with probability $2^{-64}$, that have been found in 5417s on the above mentioned PC. It has an advantage of $2^{10.3}$ compared to the distinguisher provided by the designers for the same number of rounds. It should be noted that the presented bound is only a lower bound, given that we limited our searches to optimum trails and a specific truncated differential pattern. In addition, given a truncated differential pattern that minimizes the number of active S-boxes for a specific number of rounds, different trails with different input/output can be presented that satisfy the optimum probability. In the above search, we randomly selected one of them (the first optimum trail which is found by the tool) and computed a lower bound on its differential. However, it may be possible to find a better bound for that number of rounds using another input/output difference or considering other possibilities too, e.g., non-optimum patterns. For example, for 9 rounds, we changed all active nibbles of the input and the output differences of the above-mentioned trail to A (it is represented in hexadecimal format) and observed a considerable improvement. To be more precise, for the difference below we found 2024500 optimum trails, before interrupting the run due to the RAM limitation: AA0A AA00 0000 AA00

In the case of 10 rounds, with the input difference "0AAA 00AA 0000 00AA" and the output difference "0A00 0000 0000 00AA", using a G9 Hp server with 32 Gig RAM and Windows 10 x64 as the operating system, we were able to observe 3513898 optimal trails in 4 days, before interrupting the run, which provides the probability of the 10-round distinguisher to be at least $2^{-50.2554}$.
For those constraints, it is trivial that we have only one possible difference for the input of $E^{even/odd}_{in,r_{in}}$ and one possible difference for the output of $E^{even/odd}_{out,r_{out}}$. To determine the possible output differences of $E^{even}_{in,4}$, we should consider the pattern before the last MC, i.e., $X_4$, and after the last MC, i.e., $Y_4$. It can be seen that to satisfy the truncated differential pattern, we should have $X_4[14] = X_4[10] = X_4[6]$. Hence, there are only $5 \times 5 \times 4 = 100$ possible values for $Y_4$ or outputs of $E^{even}_{in,4}$. A similar argument can be provided for the input/output differences of $E^{even/odd}_{m,r_m}$, and the input differences of $E^{even/odd}_{out,r_{out}}$. Therefore, there are only $100 \times 100$ possible values for input/output differences of $E^{even/odd}_{m,r_m}$ and 100 possible values for input/output differences of $E^{even/odd}_{out,r_{out}}$. In the next step, we need to determine the differential probability of any possible input/output differences for any partition of the cipher. We provide a horizontal vector containing 100 probabilities for $E^{even}_{in,4}$, a matrix containing $100 \times 100$ probabilities for $E^{even/odd}_{m,r_m}$ and a vertical vector containing 100 probabilities for $E^{even/odd}_{out,r_{out}}$. Given those probabilities, we can calculate the differential probability of any trail; it is just the multiplication of those joint probability vectors/matrices, which can be done very efficiently. To this end, we determined the joint probability vectors/matrices of all the cipher's partitions of Figure 4 and Figure 5. The joint probability horizontal vector of $E^{even}_{in,4}$ includes 76 non-zero entries (out of 100) and it is identical to the joint probability vector derived for $E^{odd}_{in,4}$. The joint probability vertical vectors of both $E^{even}_{out,4}$ and $E^{odd}_{out,5}$ include 92 non-zero entries (each out of 100) and the joint probability matrices derived for $E^{even}_{m,2}$ and $E^{odd}_{m,2}$ also include 2734 non-zero entries (each out of $100 \times 100$). For each possible intermediate entry, e.g., an entry in the $E^{even}_{in,4}$ vector, we counted all the possible trails from the fixed input difference of $E^{even}_{in,4}$ to that possible difference of $E^{even}_{in,4}$, which can be directly used to determine the probability related to that entry. Next, we used those joint probability vectors/matrices to determine the differential effect of different round-reduced variants of CRAFT; in all cases we extended the number of rounds by repeating $E^{even/odd}_{m,2}$ as many times as required: AA0A AA00 0000 AA00

Through our analysis we also investigated the truncated differential behavior of optimum trails of fixed input/output differences. Interestingly, we observed that for any input/output differences with the optimum trails that we have checked (including the input/output differences of Figure 4 and Figure 5) the truncated pattern of all optimum trails of a fixed input/output difference is fixed. To verify this, for a given input/output difference for which there is an optimum trail, we forced the MILP and also SAT tools to find an optimum trail with a different truncated pattern. However, for all input/output differences that we checked, the programs returned infeasible. Hence, for any trail derived from Figure 4 or Figure 5, using our partitioning approach and the way that we have used to determine the probabilities of intermediate entries, we are able to count the exact number of the optimum trails for any number of rounds of CRAFT, starting from 9 and for the given differences; also, we can determine a lower bound of non-optimum trails. In the last column of Table 7, we reported the values of the optimum trails for several numbers of rounds.
On the other hand, for a fixed input/output difference, changing $r_{in}$, $r_m$, and $r_{out}$ has an influence on the number of non-optimum trails that are considered in the final differential effect. Hence, although the presented distinguishers are the best known distinguishers for round-reduced CRAFT in ST-mode, to improve the results more, we also evaluated other values for $r_{in}$, $r_m$ and $r_{out}$ (it is clear that extending the number of rounds of a partition increases the computational cost of producing the related joint probability matrix/vector). As a result, for $r_m = 4$ (for even/odd rounds) and $r_{out} = 6$ (for even rounds) we could improve the above bounds as follows: 0AAA 00AA 0000 00AA where, as is also depicted in Table 7, for the 14-round trail we used the combination $E^{even}_{out,6} \circ E^{even}_{m,4} \circ E^{even}_{in,4}$. The above distinguishers, to the best of our knowledge, are the best-known differential distinguishers for CRAFT in the ST-model.
It should be noted that we also evaluated the differential effect when $r_{in} = 6$. However, it did not give better results.

Discussion
Through our analysis, we observed some typos in the designers' analysis, and reporting them could be useful for later analysis. We already mentioned one of them in Subsection 4.1, i.e., the minimum number of active S-boxes for 17 rounds in the case of $RT_1$. In addition, the designers reported 12 zero-correlation masks for 13 rounds of the cipher. Although we found twelve zero-correlation linear hulls, based on our analysis with both MILP and SAT approaches, 2 of the reported masks are not valid, which are as follows, where $\gamma$ and $\delta$ are non-zero masks in $\mathbb{F}_2^4$:

$0000\ 00\gamma0\ 0000\ 00\gamma0 \xrightarrow{13\text{-round}} 0000\ \delta000\ 0000\ 0000$,
$0000\ \gamma000\ 0000\ \gamma000 \xrightarrow{13\text{-round}} 0000\ 00\delta0\ 0000\ 0000$.

In order to verify this claim, for each one of the above linear hulls, a valid linear trail is displayed in Appendix B. We also found the following new zero-correlation linear hulls for 13 rounds of CRAFT, in ST-mode: 0000 00γ0 0000 00γ0

We also checked the validity of the reported input/output patterns for the impossible differential covering 13 rounds of CRAFT. We observed that two of the input/output patterns are not valid in this case too, which are as follows, where $\gamma$ and $\delta$ are non-zero differences in $\mathbb{F}_2^4$: 00γ0 0000 00γ0 0000

For each one of the input/output patterns above, one possible differential trail is displayed in Appendix C, which proves our claim. We also found the following two new valid impossible differential input/outputs for 13 rounds of CRAFT, in ST-mode: 00γ0 0000 00γ0 0000 where in all cases, $\Delta T$ = 0000 0000 00A0 0000. However, for the provided difference for $RT_1$, $RT_2$ and $RT_3$, there are no trails for those differences with a reasonable number of active S-boxes. In addition, if the difference below is valid: then, given that the input difference has no active nibble and, in the backward direction, it first goes through the S-box layers with probability 1, it is possible to present an 18-round trail for $RT_1$ with the same probability, i.e., $2^{-60.14}$. Hence, we also reevaluated the differential effect of CRAFT in the RT-model, with the same $\Delta T$ = 0000 0000 00A0 0000. Our best results are as follows: 0000 A000 0000 0000

It can be seen that we could find other input/output differences for $RT_2$ and $RT_3$ that have probabilities identical to the probabilities reported by the designers. In the case of $RT_0$, we obtained a differential effect probability identical to the designers' probability, for the same input/output differences. However, in the case of $RT_1$ we could not find such differences. This distinction between our result and those of the designers in the case of $RT_1$ motivated us to evaluate the differential effects for 15 and 17 rounds of this mode as follows: AAA0 0AA0 000A 0AA0 where $\Delta T$ = 0000 0000 00A0 0000.
It should be noted that we also evaluated the security of CRAFT against linear hulls, following the same approach as for the differential effect. However, we could not beat the designers' claim, which is $2^{-62.12}$ for 14 rounds of CRAFT in the ST-model.

Conclusion
In this work, we provided a detailed analysis of CRAFT against differential and related tweak zero-correlation and integral cryptanalysis.Our related tweak zero-correlation and integral cryptanalysis, which cover 14 rounds, are the first analysis of CRAFT against this attack, given that the designers analyzed its security against single tweak zero-correlation and integral cryptanalysis.While we found 14-round distinguishers in the related tweak zero-correlation/integral cryptanalysis for cases RT 0 , RT 2 , and RT 3 , we could not find any related tweak zero-correlation/integral distinguisher for case RT 1 for 14-rounds of the cipher.
Our differential analysis improved the designers' results significantly.For example, the designers' report include the lower bound of probability of differential effect for 10 rounds of the cipher in single tweak model to be 2 −62.61 while we improved this bound and presented a differential distinguisher for the same number of rounds with probability 2 −44.89 and a differential distinguisher for up to 14 rounds, with the probabilities beyond 2 −64 .This analysis shows that there is a huge gap between the differential effect and any differential trails in the round reduced CRAFT, similar to some other lightweight block ciphers already mentioned in [AK18].
Through our differential analysis, we observed that for many fixed input/output differentials, CRAFT includes very strong clusters of high-probability trails that helped us to improve the probability of our differential distinguishers significantly.
In our differential effect analysis of the even/odd number of rounds, we fixed the input/output masks for even/odd number of rounds, and provided extendable truncated differential trails for the cipher and then partitioned those trails to estimate the differential effect of the whole target rounds. This approach helped us estimate the differential effect of the cipher more efficiently (in terms of time and the used resources), compared to naive approaches based on counting trails. Thanks to the fixed truncated differential pattern of CRAFT for all optimum trails of a fixed input/output mask, partitioning works well to bound its differential effect and we were able to provide the exact number of optimum trails for a given fixed input/output difference; and for any number of rounds larger than 9, it can be done for any other input/output mask.

As future work, it is worth investigating whether there is any other cipher with the same differential behavior, i.e., a fixed truncated differential for dominant trails. If there is, then it should be possible to use the partitioning approach to evaluate its security against the differential effect. In addition, while our bound for the number of optimal trails for any fixed input/output mask is tight, we were not able to bound the exact number of non-optimum trails for the used masks. Hence, as further future work, it is possible to improve the reported differential effects by considering some non-optimum trails missing from our analysis.
The designers stated [BLMR19, Sec. 5.4]: "For the key recovery the number of rounds that can be appended for an RT$_i$ differential is at most $4 + i$ rounds before and 7 rounds after the differential". However, given that the focus of this paper was to provide better distinguishers for CRAFT, we have not investigated key recovery in this paper. Hence, as future work, it is worth seeing how many rounds can be attacked based on the distinguishers provided in this paper.
CryptoSMT uses STP [HMS] as the default SMT solver to solve the obtained SMT problem, but it also supports another SMT solver, called Boolector [NPB15]. Table 8 shows that our optimization improves the speed of solving the obtained SMT problem for both SMT solvers used in CryptoSMT. Table 9 also shows the impact of our optimization on the solvers' run-time for finding an optimum differential trail for r rounds of CRAFT, where the input and output differences corresponding to the optimum trail are fixed.

Figure 1: A round of CRAFT.

XOR-ed with the IS, where the rounds start from $i = 0$. The next function is PermuteNibbles (PN), which applies an involutory permutation P over the nibbles of IS, where given IS = $I_0 I_1 \cdots I_{14} I_{15}$, P(IS) = $I_{15} I_{12} I_{13} I_{14} I_{10} I_9 I_8 I_{11} I_6 I_5 I_4 I_7 I_1 I_2 I_3 I_0$.

Figure 4: An expandable truncated trail for even rounds, where $E_{in}$ and $E_{out}$ denote the first 4 and the last 4 rounds, respectively, and $E_m$ is a repeatable 2-round truncated trail that can be used as many times as required. For example, to design a 10-round trail, this stage is repeated once in the current trail. The cyan-colored cells are inactive due to cancellation after the MC step, white-colored cells are inactive, and the {gray, orange, green} colors mark active cells in different stages of the cipher.

Figure 5: An expandable truncated trail for odd rounds, where $E_{in}$ and $E_{out}$ denote the first 4 and the last 5 rounds, respectively, and $E_m$ is a repeatable 2-round truncated trail that can be used as many times as required. For example, to design a 9-round trail, this stage is omitted.

Table 4: Linear approximation table of the CRAFT S-box.

Table 5: Optimum differential/linear trails for reduced CRAFT in different models, where for each model, the upper row gives the minimum number of active S-boxes and the lower row shows $-\log_2 P$, where $P$ denotes the probability of the best-found trail.

includes three partitions, denoted by $E_{in,r_{in}}$, $E_{m,r_m}$ and $E_{out,r_{out}}$, where $r_x$ is an integer which is used to indicate the number of rounds in a partition.

Table 6: Differential distribution table (DDT) of the CRAFT S-box.

Table 7: The values of $r_{in}$, $r_m$, and $r_{out}$ of the best differential trails of CRAFT that we have found. Pr denotes the probability of the related trail.
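The bodies of Tables 4 and 6 did not survive on this page, so the following added example (not code from the paper or from CryptoSMT) shows how an S-box's DDT and LAT are computed and which output differences are best for the nibble difference A used in the reported differentials. It assumes the S-box values from the CRAFT specification [BLMR19], which are not printed here; the function names are illustrative.

```python
# Assumption: CRAFT S-box as given in the cipher's specification [BLMR19];
# the values do not appear on this page.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]


def parity(v):
    """Parity of the set bits of v (GF(2) inner product after masking)."""
    return bin(v).count("1") & 1


def ddt(sbox):
    """table[a][b] = number of x with S(x) ^ S(x ^ a) == b."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def lat(sbox):
    """table[a][b] = #{x : a.x == b.S(x)} - n/2, a signed bias count."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = agree - n // 2
    return table


def differential_uniformity(table):
    """Largest DDT entry over all non-zero input differences."""
    return max(v for a, row in enumerate(table) if a for v in row)


def best_outputs(table, a):
    """Output differences reached from input difference a with the row maximum."""
    top = max(table[a])
    return [b for b, v in enumerate(table[a]) if v == top]


if __name__ == "__main__":
    D, L = ddt(SBOX), lat(SBOX)
    print("differential uniformity:", differential_uniformity(D))
    print("best outputs for input A:", [f"{b:X}" for b in best_outputs(D, 0xA)])
    print("max |LAT| over non-zero masks:",
          max(abs(L[a][b]) for a in range(1, 16) for b in range(1, 16)))
```

A DDT entry of 4 out of 16 corresponds to a transition probability of $2^{-2}$ per active S-box, which is the per-S-box cost that trail probabilities are built from.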