Security Analysis of KNOT-AEAD and KNOT-Hash

KNOT is one of the 32 second-round candidates in NIST’s lightweight cryptography standardization process. To have a better understanding of the security of KNOT, in this paper, we concentrate on the search of the best differential and linear distinguishers with constraints that can be directly used to mount attacks on KNOT-AEAD and KNOT-Hash. Six attack models for KNOT-AEAD and two attack models for KNOT-Hash are considered. By studying differential/linear trails containing iterative sub-trails, we can efficiently obtain effective difference/linear propagations with constraints with respect to the 6 attack models for each KNOTAEAD member and the 2 attack models for each KNOT-Hash member. Furthermore, we investigate the accuracy of our new method in two different ways. Firstly, we apply our new method to RECTANGLE, which is an ancestor of the KNOT permutations, and compare the results obtained by our new method with those provided by the designers of RECTANGLE. Secondly, we use MILP modelling method to compute the differential and linear clustering effect of the 256-bit KNOT permutation and compare the results obtained by MILP method with those obtained by our new method. According to these comparative results, we can reasonably infer that the results using our new approach provide a quite accurate security evaluation of KNOT-AEAD and KNOT-Hash. To sum up, based on our results in this paper, considering the data limit under one key, each KNOT-AEAD member has at least 50% security margin against the 6 attack models (especially, the initialization phase has at least 72% security margin); each KNOT-Hash member has at least 80% security margin against the 2 attack models.