Improved Differential Attacks on GIFT-64

2020 
GIFT is a new lightweight PRESENT-like block cipher, proposed by Banik et al. at CHES 2017. There are two versions, GIFT-64 and GIFT-128, with block sizes of 64 and 128 bits, respectively. Both versions have a 128-bit key. The Sbox and the linear layer of GIFT are chosen carefully to avoid single difference bit or single linear mask bit paths in 2 consecutive rounds. This improves the security of GIFT against differential, linear and linear hull attacks. In this paper, we implement a new automatic search algorithm for differential characteristics on GIFT-64. By taking into account that some characteristics share the same input and output difference, we find a few improved differentials that cover more rounds or have higher probabilities. Among them, the best probability for a 12-round differential is \(2^{-56.5737}\), while that for a 13-round differential is \(2^{-61.3135}\). In addition, we find 52 13-round differentials with the same output differences. Based on them, we mount a multiple differential attack on 20-round GIFT-64 with \(2^{62}\) chosen plaintexts, which attacks one more round than the best previous result. We can also attack 21-round GIFT-64 with the full codebook, using one differential with probability \(2^{-62.0634}\). As far as we know, this is the longest attack.