Cyber Security Cryptography and

Machine Learning Fourth International

Symposium CSCML 2020 Be er Sheva
Israel July 2 3 2020 Proceedings Shlomi
Dolev
Visit to download the full and correct content document:
https://textbookfull.com/product/cyber-security-cryptography-and-machine-learning-fo
urth-international-symposium-cscml-2020-be-er-sheva-israel-july-2-3-2020-proceedin
gs-shlomi-dolev/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Cyber Security Cryptography and Machine Learning First

International Conference CSCML 2017 Beer Sheva Israel
June 29 30 2017 Proceedings 1st Edition Shlomi Dolev

https://textbookfull.com/product/cyber-security-cryptography-and-
machine-learning-first-international-conference-cscml-2017-beer-
sheva-israel-june-29-30-2017-proceedings-1st-edition-shlomi-
dolev/

Cyber Security Cryptography and Machine Learning Itai

Dinur

https://textbookfull.com/product/cyber-security-cryptography-and-
machine-learning-itai-dinur/

Computer Science Theory and Applications 15th

International Computer Science Symposium in Russia CSR
2020 Yekaterinburg Russia June 29 July 3 2020
Proceedings Henning Fernau
https://textbookfull.com/product/computer-science-theory-and-
applications-15th-international-computer-science-symposium-in-
russia-csr-2020-yekaterinburg-russia-
june-29-july-3-2020-proceedings-henning-fernau/

Business Modeling and Software Design: 10th

International Symposium, BMSD 2020, Berlin, Germany,
July 6-8, 2020, Proceedings Boris Shishkov

https://textbookfull.com/product/business-modeling-and-software-
design-10th-international-symposium-bmsd-2020-berlin-germany-
july-6-8-2020-proceedings-boris-shishkov/
Human Aspects of Information Security and Assurance
14th IFIP WG 11 12 International Symposium HAISA 2020
Mytilene Lesbos Greece July 8 10 2020 Proceedings
Nathan Clarke
https://textbookfull.com/product/human-aspects-of-information-
security-and-assurance-14th-ifip-wg-11-12-international-
symposium-haisa-2020-mytilene-lesbos-greece-
july-8-10-2020-proceedings-nathan-clarke/

Applied Cryptography and Network Security 18th

International Conference ACNS 2020 Rome Italy October
19 22 2020 Proceedings Part I Mauro Conti

https://textbookfull.com/product/applied-cryptography-and-
network-security-18th-international-conference-acns-2020-rome-
italy-october-19-22-2020-proceedings-part-i-mauro-conti/

Applied Cryptography and Network Security 18th

International Conference ACNS 2020 Rome Italy October
19 22 2020 Proceedings Part II Mauro Conti

https://textbookfull.com/product/applied-cryptography-and-
network-security-18th-international-conference-acns-2020-rome-
italy-october-19-22-2020-proceedings-part-ii-mauro-conti/

Cyber Security and Computer Science Second EAI

International Conference ICONCS 2020 Dhaka Bangladesh
February 15 16 2020 Proceedings Touhid Bhuiyan

https://textbookfull.com/product/cyber-security-and-computer-
science-second-eai-international-conference-iconcs-2020-dhaka-
bangladesh-february-15-16-2020-proceedings-touhid-bhuiyan/

Artificial Intelligence and Security 6th International

Conference ICAIS 2020 Hohhot China July 17 20 2020
Proceedings Part II Xingming Sun

https://textbookfull.com/product/artificial-intelligence-and-
security-6th-international-conference-icais-2020-hohhot-china-
july-17-20-2020-proceedings-part-ii-xingming-sun/
 Shlomi Dolev
Vladimir Kolesnikov
Sachin Lodha
Gera Weiss (Eds.)

Cyber Security
LNCS 12161

Cryptography and
Machine Learning
Fourth International Symposium, CSCML 2020
Be’er Sheva, Israel, July 2–3, 2020
Proceedings
Lecture Notes in Computer Science 12161

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members

Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this series at http://www.springer.com/series/7410
Shlomi Dolev Vladimir Kolesnikov
• •

Sachin Lodha Gera Weiss (Eds.)

•

Cyber Security
Cryptography and
Machine Learning
Fourth International Symposium, CSCML 2020
Be’er Sheva, Israel, July 2–3, 2020
Proceedings

123
Editors
Shlomi Dolev Vladimir Kolesnikov
Department of Computer Science School of Computer Science
Ben-Gurion University of the Negev Georgia Institute of Technology
Be’er Sheva, Israel Atlanta, GA, USA
Sachin Lodha Gera Weiss
Tata Consultancy Services Department of Computer Science
Chennai, Tamil Nadu, India Ben-Gurion University of the Negev
Be’er Sheva, Israel

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-49784-2 ISBN 978-3-030-49785-9 (eBook)
https://doi.org/10.1007/978-3-030-49785-9
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer Nature Switzerland AG 2020

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

CSCML, the International Symposium on Cyber Security Cryptography and Machine

Learning, is an international forum for researchers, entrepreneurs, and practitioners in
the theory, design, analysis, implementation, or application of cyber security, cryp-
tography, and machine learning systems and networks, and, in particular, of concep-
tually innovative topics in these research areas.
Information technology has become crucial to our everyday lives, an indispensable
infrastructure of our society and therefore a target for attacks by malicious parties.
Cyber security is one of the most important fields of research these days because
of these developments. Two of the (sometimes competing) fields of research, cryp-
tography and machine learning, are the most important building blocks of cyber
security.
Topics of interest for CSCML include: cyber security design; secure software
development methodologies; formal methods, semantics, and verification of secure
systems; fault tolerance, reliability, and availability of distributed secure systems;
game-theoretic approaches to secure computing; automatic recovery self-stabilizing
and self-organizing systems; communication, authentication, and identification
security; cyber security for mobile and Internet of Things; cyber security of corpora-
tions; security and privacy for cloud, edge, and fog computing; cryptocurrency;
blockchain; cryptography; cryptographic implementation analysis and construction;
secure multi-party computation; privacy-enhancing technologies and anonymity;
post-quantum cryptography and security; machine learning and big data; anomaly
detection and malware identification; business intelligence and security; digital
forensics, digital rights management; trust management and reputation systems; and
information retrieval, risk analysis, and DoS.
The 4th CSCML took place during July 2–3, 2020, in Beer-Sheva, Israel. This year
the conference was organized in cooperation with the International Association for
Cryptologic Research (IACR) and selected papers will appear in a dedicated special
issue in the Information and Computation Journal.
This volume contains 12 contributions selected by the Program Committee and
4 short papers. All submitted papers were read and evaluated by Program Committee
members, assisted by external reviewers. We are grateful to the EasyChair system in
assisting the reviewing process.
The support of Ben-Gurion University (BGU), in particular the BGU-NHSA, BGU
Lynne and William Frankel Center for Computer Science, the BGU Cyber Security
Research Center, the Department of Computer Science, TATA Consultancy Services,
IBM, and Check Point are all gratefully acknowledged.

March 2020 Vladimir Kolesnikov

Gera Weiss
Shlomi Dolev
Sachin Lodha
 Organization

CSCML, the International Symposium on Cyber Security Cryptography and Machine

Learning, is an international forum for researchers, entrepreneurs, and practitioners in
the theory, design, analysis, implementation, or application of cyber security,
cryptography, and machine learning systems and networks, and, in particular, of
conceptually innovative topics in the scope.

Founding Steering Committee

Orna Berry DELLEMC, Israel
Shlomi Dolev (Chair) Ben-Gurion University, Israel
Yuval Elovici Ben-Gurion University, Israel
Bezalel Gavish Southern Methodist University, USA
Ehud Gudes Ben-Gurion University, Israel
Jonathan Katz University of Maryland, USA
Rafail Ostrovsky UCLA, USA
Jeffrey D. Ullman Stanford University, USA
Kalyan Veeramachaneni MIT, USA
Yaron Wolfsthal IBM, Israel
Moti Yung Columbia University and Google, USA

Organizing Committee
General Chairs
Shlomi Dolev Ben-Gurion University, Israel
Sachin Lodha Tata Consultancy Services, India

Program Chairs
Vladimir Kolesnikov Georgia Institute of Technology, USA
Gera Weiss Ben-Gurion University, Israel

Organizing Chair
Simcha Mahler Ben-Gurion University, Israel

Program Committee
Adi Akavia University of Haifa, Israel
Gilad Asharov Bar-Ilan University, Israel
Manuel Barbosa University of Porto, Portugal
Carlo Blundo Università degli Studi di Salerno, Italy
Jacir Luiz Bordim University of Brasilia, Brazil
viii Organization

Christina Boura Versailles Saint-Quentin-en-Yvelines University,

France
Ronen Brafman Ben-Gurion University, Israel
Ashish Choudhury IIIT Bangalore, India
Camil Demetrescu Sapienza University of Rome, Italy
Orr Dunkelman University of Haifa, Israel
Klim Efremenko Ben-Gurion University, Israel
Marc Fischlin TU Darmstadt, Germany
Dror Fried The Open University, Israel
Benjamin Fuller University of Connecticut, USA
Ehud Gudes Ben-Gurion University, Israel
Shay Gueron University of Haifa, Israel, and Amazon Web Services,
USA
Ofer Hadar Ben-Gurion University, Israel
David Heath Georgia Institute of Technology, USA
Ben Kreuter Google, USA
Miroslaw Kutylowski Wroclaw University of Science and Technology,
Poland
Mark Last Ben-Gurion University, Israel
Riccardo Lazzeretti Sapienza University of Rome, Italy
Daniel Masny VISA Research, USA
Svetla Nikova KU Leuven, Belgium
Ryo Nishimaki NTT, Japan
Ariel Nof Technion - Israel Institute of Technology, Israel
Giuseppe Persiano Università degli Studi di Salerno, Italy
Thomas Peyrin Nanyang Technological University, Singapore
Antigoni Polychroniadou JPMorgan AI Research, USA
Alessandra Scafuro NC State University, USA
Berry Schoenmakers Eindhoven University of Technology, The Netherlands
Gil Segev Hebrew University, Israel
Sandeep Shukla IIT Kanpur, India
Anatoly Shusterman Ben Gurion University, Israel
David Starobinski Boston University, USA
Ni Trieu Oregon State University, USA
Doug Tygar UC Berkeley, USA
Daniele Venturi Sapienza University of Rome, Italy
Ruoyu Wang Arizona State University, USA
Avishay Yanay Bar-Ilan University, Israel
Stefano Zanero Politecnico di Milano, Italy
Vassilis Zikas University of Edinburgh, UK

External Reviewers

Lilya Kraleva
 Organization ix

Sponsors

In cooperation with
 Contents

Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 . . . . . . . . . . 1

Orr Dunkelman, Senyang Huang, Eran Lambooij, and Stav Perle

Zero-Knowledge to the Rescue: Consistent Redundant Backup of Keys

Generated for Critical Financial Services . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Moti Yung, Cem Paya, and Daniel James

Security Ranking of IoT Devices Using an AHP Model. . . . . . . . . . . . . . . . 29

Shachar Siboni, Chanan Glezer, Rami Puzis, Asaf Shabtai,
and Yuval Elovici

Robust Malicious Domain Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Nitay Hason, Amit Dvir, and Chen Hajaj

NeuroGIFT: Using a Machine Learning Based Sat Solver

for Cryptanalysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Ling Sun, David Gerault, Adrien Benamira, and Thomas Peyrin

Can the Operator of a Drone Be Located by Following the Drone’s Path? . . . 85

Eliyahu Mashhadi, Yossi Oren, and Gera Weiss

Detecting Malicious Accounts on the Ethereum Blockchain

with Supervised Learning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Nitesh Kumar, Ajay Singh, Anand Handa, and Sandeep Kumar Shukla

Fast Polynomial Inversion for Post Quantum QC-MDPC Cryptography . . . . . 110

Nir Drucker, Shay Gueron, and Dusan Kostic

Efficient CORDIC-Based Sine and Cosine Implementation for a Dataflow

Architecture (Extended Abstract). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Daniel Khankin, Elad Raz, and Ilan Tayari

SecureMCMR: Computation Outsourcing for MapReduce Applications . . . . . 143

Lindsey Kennard and Ana Milanova

Evasion Is Not Enough: A Case Study of Android Malware. . . . . . . . . . . . . 167

Harel Berger, Chen Hajaj, and Amit Dvir

Toward Self-stabilizing Blockchain, Reconstructing Totally Erased

Blockchain (Preliminary Version) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Shlomi Dolev and Matan Liber
xii Contents

A Recommender System for Efficient Implementation of Privacy

Preserving Machine Learning Primitives Based on FHE . . . . . . . . . . . . . . . . 193
Imtiyazuddin Shaik, Ajeet Kumar Singh, Harika Narumanchi,
Nitesh Emmadi, and Rajan Mindigal Alasingara Bhattachar

Comparison of DNS Based Methods for Detecting Malicious Domains . . . . . 219

Eyal Paz and Ehud Gudes

Average-Case Competitive Ratio of Scheduling Algorithms

of Multi-user Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Daniel Berend, Shlomi Dolev, Avinatan Hassidim,
and Marina Kogan-Sadetsky

CryptoRNN - Privacy-Preserving Recurrent Neural Networks Using

Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Maya Bakshi and Mark Last

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

 Single Tweakey Cryptanalysis
of Reduced-Round SKINNY-64

Orr Dunkelman, Senyang Huang, Eran Lambooij(B) , and Stav Perle

University of Haifa, Abba Khoushy Avenue 199, 3498838 Haifa, Israel

eranlambooij@gmail.com

Abstract. SKINNY is a lightweight tweakable block cipher which

received a great deal of cryptanalytic attention following its elegant
structure and efficiency. Inspired by the SKINNY competitions, multiple
attacks on it were reported in different settings (e.g. single vs. related-
tweakey) using different techniques (impossible differentials, meet-in-the-
middle, etc.). In this paper we revisit some of these attacks, identify issues
with several of them, and offer a series of improved attacks which were
experimentally verified. Our best attack can attack up to 18 rounds using
260 chosen ciphertexts data, 2116 time, and 2112 memory.

1 Introduction

Since lightweight cryptography gained academic interest in the early 2000’s,

many different block ciphers have been proposed. In parallel, the cryptographic
community has slowly reached the understanding that “just” block ciphers are
not always suitable or offer somewhat inferior solution, e.g., in the context of
authenticated encryption. Hence, solutions such as tweakable block ciphers were
introduced [9]. Obviously, with the need for lightweight cryptography, the need
for lightweight tweakable block ciphers grew. SKINNY [4] is a lightweight tweak-
able block cipher using the tweakey framework [7]. SKINNY also lies in the basis
of three of the submissions to the lightweight cryptography competition held by
NIST (US National Institute of Standards and Technology), namely ForkAE [1],
Romulus [6], and Skinny-AEAD [5].
This paper contains two main contributions: The paper first looks at extend-
ing truncated differential distinguishers of SKINNY by looking at the bias of
the differences. Namely, we show that one can extend the probability 1 6-round
truncated differential used before in [14] into a longer truncated differential.
However, the new truncated differential has a lower probability, and instead of
predicting the difference in some specific nibble, we predict its bias from random
(in our case, the bias from 1/16). We show that this bias can be observed after
7-, 8-, and even 9-rounds of SKINNY, where some nibbles are biased towards
zero. This results in attacks on up to 15-round SKINNY-64-128 in time 2104
and data 233 .
Our second contribution is to revisit previous impossible differential attacks
against SKINNY. We show that some of these attacks had subtle flaws in them,
c Springer Nature Switzerland AG 2020
S. Dolev et al. (Eds.): CSCML 2020, LNCS 12161, pp. 1–17, 2020.
https://doi.org/10.1007/978-3-030-49785-9_1
2 O. Dunkelman et al.

which invalidate the attack. We then set to fix the attacks, which in turn reduce
their number of rounds and increases their time and data complexity. The result-
ing attack is against 18-round SKINNY-64-128 in time 2116 and data 260 chosen
plaintexts.

1.1 Related Work

Besides being an interesting target of its own accord, the designers of SKINNY
organized several cryptanalysis competitions to further inspire its analysis. This
effort led to several papers focusing on the cryptanalysis of SKINNY.

Single Tweakey Analysis. For the case of single-tweakey model, a series

of impossible differential attacks (against 18-round SKINNY-n-n, 20-round
SKINNY-n-2n and 22-round SKINNY-n-3n) based on an 11-round impossi-
ble differential distinguisher is presented in [14]. As we later show in Sect. 5,
these attacks contain some flaw that increases their complexity and reduces the
number of affected rounds. An additional impossible differential attack in the
single-tweakey setting is presented against 17-round SKINNY-n-n and 19-round
SKINNY-n-2n in [16]. In addition to this, [12] presents zero-correlation linear
attacks against 14-round SKINNY-64-64 and 18-round SKINNY-64-128 in the
single-tweakey model.

Related Tweakey Analysis. An impossible differential attack against 19-

round SKINNY-n-n, 23-round SKINNY-n-2n and 27-round SKINNY-n-3n in
the related-tweakey model is presented in [10]. In addition, this paper presents
several rectangle attacks against 27-round SKINNY-n-3n in the related-tweakey
model. Improved impossible differential attacks against these variants in the
related-tweakey model are presented in [12]. Zero-correlation attacks in the
related-tweakey settings are presented against 20-round SKINNY-64-64 and
23-round SKINNY-64-192 in [3].
Another impossible differential attack in the related-tweakey settings is
described in [2] targeting 21-rounds of SKINNY-64-128. Furthermore, this
attack is extended to 22-round and 23-round SKINNY-64-128 in the related-
tweakey model. These results use the assumption that certain tweakey bits are
public. Another related-tweak impossible differential attack is presented in [13]:
an 18-round SKINNY-64-64 in the related-tweakey model, which can be trans-
formed to an attack against 18-round SKINNY-64-128 in the related-tweakey
model, with 96-bit secret key and 32-bit tweak.
A new automatic search tool for truncated differential characteristics using
Mixed Integer Linear Programming is presented in [11]. This paper presents
8-round truncated differential characteristics with bias 2−8 , 9-round truncated
differential characteristics with bias 2−20 and 10-round truncated differential
characteristics with bias 2−40 .
Table 1 summarizes all previously published attacks against SKINNY-64-64
and SKINNY-64-128.
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 3

Table 1. Complexity of single-tweakey attacks against SKINNY-64

Key (bits) Attack Complexity

Rounds Time Data Memory Source
62
64 Zero-correlation 14 2 262.58 264 [12]
64 Impossible differential 17 261.8 259.5 249.6 [16]
64 Impossible differential† 18 257.1 247.52 258.52 [14]
128 Zero-correlation 18 2126 262.68 264 [12]
128 Impossible differential 18 2116 260 2112 Sect. 5.2
119.8 62
128 Impossible differential 19 2 2 2110 [16]
128 Impossible differential† 20 2 121.08
247.69
274.69 [14]
†
As we show in Sect. 5, the attack is flawed.

1.2 Organization

This paper is organized as follows: In Sect. 2 we briefly reiterate the specification

of SKINNY. After that the proposed distinguishers are described, discussing
both the construction of the differential distinguisher (Sect. 3) and the extension
to biased differential distinguishers (Sect. 4). In Sect. 4.4 we use the previously
described distinguishers to construct key recovery attacks. Section 5, contains a
discussion of a previous impossible differential analysis of SKINNY, which is
fixed in Sect. 5.2, and improved upon in Sect. 5.3. Finally, Sect. 6 summarizes
this paper.

2 Specification of SKINNY

SKINNY is a family of lightweight tweakable block ciphers using a substitution-

permutation network (SPN) structure. The variants of SKINNY are denoted
by SKINNY-n-t, where n represents the block size (n ∈ {64, 128}) and t rep-
resents the tweakey size (t ∈ {n, 2n, 3n}). Namely, the six variants of SKINNY
are SKINNY-64-64, SKINNY-64-128, SKINNY-64-192, SKINNY-128-128,
SKINNY-128-256, and SKINNY-128-384 with 32, 36, 40, 40, 48 and 56 rounds,
respectively. Both the 64-bit and 128-bit internal states are represented as an
array of 4 × 4 cells. The first row contains nibbles 0 to 3 (where 0 is the leftmost
nibble, 3 is the rightmost nibble), the second row contains nibbles 4 to 7, etc.
The cell is a nibble in case of 64-bit version and a byte in case of 128-bit version.
There are 5 operations in each round (depicted in Fig. 1):

ART ShiftRows MixColumns

>>> 1
SC AC
>>> 2
>>> 3

Fig. 1. The SKINNY round function.

4 O. Dunkelman et al.

1. SubCells (SC): The non-linear layer applies an -bit S-box on each cell, where
 ∈ {4, 8}.
2. AddConstants (AC): This step XOR’s three cells of round constants to the
most significant three cells of the internal state.
3. AddRoundTweakey (ART): In this step, the tweakey bits are XORed to the
first two lines of the internal state.
4. ShiftRows (SR): The second, third, and fourth rows of the internal state are
right-rotated by 1 cell, 2 cells, and 3 cells, respectively.
5. MixColumns (MC): Each column of the internal state is multiplied by the
following binary matrix: ⎡ ⎤
1010
⎢1 0 0 0⎥
M =⎢ ⎣0 1 1 0⎦
⎥ (1)
1010

We omit the tweakey schedule as this is not used in our attacks, and refer the
interested reader to [4].

3 Differential Distinguisher

The attacks in this paper are built using extensions of the 6-round truncated
differential characteristic used in [14]. The characteristic is depicted in Fig. 2.
The colored nibbles depict non-zero differences in the differential characteristic,
while the black nibbles signify unknown differences. The distinguisher starts with
a single active nibble, nibble 12, which after six rounds leads to four nibbles: 4, 7,
9, and 15, that necessarily have a non-zero difference. The distinguisher can be
rotated row-wise, e.g., if we take nibble 13 to be active, after six rounds nibbles:
4, 5, 10, 12, are non-zero, etc.
The six-round characteristic can be extended by one, two, or three rounds
by the use of structures at the beginning of the characteristic (see Fig. 3). This
technique can also be used in the distinguishers discussed in Sect. 4. Extending by
one round does not incur any cost with respect to the data and time complexity
since the SC layer is before the key addition. The two and three round extension
respectively increase the data complexity by 28 and 220 with respect to the non
extended distinguisher. The time complexity is increased by 24 and 220 due to
the added key guessing needed.

3.1 Key Recovery Attack

The first attack that we look at is a 10-round attack using the basic 6-round
distinguisher. As can be seen in Fig. 2: if we have an input difference with one
active nibble, i.e. nibble 12, the output difference after 6 rounds in nibbles 4,
7, 9, and 15 are necessarily non-zero. This distinguisher can be transformed
into an impossible differential attack. We can filter out wrong keys by partially
decrypting the ciphertext, such that we recover the difference in one of these
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 5

SC SR MC
AK

SC SR MC
AK

SC SR MC
AK

SC SR MC
AK

SC SR MC
AK

SC SR MC
AK

Fig. 2. The basic six round differential. White cells are zero differences, colored cells
are non-zero differences and black cells have unknown differences. (Color figure online)

(necessarily non-zero) nibbles, and discard the key if we find a pair for which
the difference in one of these nibbles is 0. On average we need to test 24 pairs
to discard a key. Nevertheless, to filter out all but the correct key, with high
6 O. Dunkelman et al.

SC SR MC
AK

SC SR MC
AK

SC SR MC
AK

Fig. 3. Extending the characteristics by one, two, or three rounds. Before the main
differential distinguisher (Fig. 2).

probability, we need more data. The probability that a wrong key passes the
filter is 1−2−4 , thus the probability that a wrong key passes x filters is (1−2−4 )x .
Given 2k candidate keys, we get the following equation:

(1 − 2−4 )x = 2−k (2)

Giving,
k log(2)
x= . (3)
log(1 − 2−4 )
For k = 128 we get: x ≈ 1374 ≈ 210.4 , which is the maximum amount of data
needed to mount this attack. Note that this is an upper bound on the amount
of data needed. If the number of possible keys is smaller the amount of data can
also be smaller, but to simplify the analysis we chose to keep the amount of data
needed constant as it does not affect the time complexities of the attacks.
We denote a difference in the i-th nibble by Δi . Using this 6-round distin-
guisher Δ12 → Δ15 we construct a 10-round attack with four rounds of key
recovery, for which we need to guess 6 nibbles (=6 · 4 bits) of key material. This
results in an attack which uses 26·4+4 = 228 4-round decryptions and
24 · log(2)
≈ 258 ≈ 28
log(1 − 2−4 )
data, and 28 memory to store the data. Analogous to this we can construct
the other attacks using the 6-round distinguisher. Note that in this instance we
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 7

computed the exact amount of data needed for the attack to succeed, in the
summary given in Table 6 we took the maximum amount of data for the attacks
of this form, due to the small difference in complexity.

4 A Biased Differential Distinguisher

The attack described in Sect. 4.4 is based on the observation that after seven
rounds, in some nibbles of the state, the probability that the nibble difference
is 0 is larger or smaller than 2−4 , i.e., it is biased with respect to the random
case. We first show how to efficiently compute the bias of a difference in a state
nibble after r rounds. Then, we list the computed biases after seven and eight
rounds in Tables 2 and 3, respectively. Afterwards, we show the results of our
experiments that confirm the existence of the bias in the output difference. It is
worth noting that in many cases, the observed bias is higher than expected. In
other words, the analysis offers evaluation of explainable attacks (and suggests
a “worst-case” analysis1 ). Note that although the results discussed here are for
the 64-bit version of SKINNY they can easily be extended to SKINNY-128. We
expect that the biases of SKINNY-128-128 are squared, i.e., they are expected
to exist, but their validation would be infeasible.

4.1 Computing Biases of Differences in Nibbles

To compute the biases in the nibbles after one round we need to compute the
biases after each step of SKINNY (AC, ART, MC, SC, SR). The differences
are unaffected by the tweakey addition (ART) or the add constant (AC), thus
we can ignore these step. The SR operation permutes the nibbles in the state.
The other two operations SC and MC change the biases in a more elaborate
way and are discussed below. Note that as we do not take the key schedule in
consideration we assume independence between the rounds of the cipher.
The bias towards each difference value in a nibble is stored in a vector v,
where v[Δ] contains the bias for the output difference Δ. I.e., v contains 16
different biases, one for each possible difference in the nibble. The state of a
cipher is a vector of bias vectors denoted by W , where W [i] denotes the bias
vector for state nibble i, with in this case 0 ≤ i < 16. In other words, W [i][j]
contains the bias of the i-th nibble of the state with respect to the difference j.
The SC layer applies a non-linear S-box to each nibble in the state. We
can compute the biases after the SC layer by using the Difference Distribution
Table (DDT) of SKINNY’s S-box. Recall that the j-th row of the DDT contains
the probability distribution of the output differences given an input difference
with value j. We denote the j-th row of the DDT as DDT[j]. The equation for
computing the biases for a nibble after the SC layer is given in Eq. 4.
j<16

 DDT[i]
W [i] = W [i][j] · (4)
j=0
16
1
One can argue that the only way to verify the full attacks is to run then in practice.
However, the running time of most of the attacks is far from being feasible.
8 O. Dunkelman et al.

To compute the bias after the MC layer we multiply each column of the state
with the matrix M (Eq. 1) where we define the dot product used in the matrix
multiplication between two bias vectors v, w as:
j<16

w [i] = w[j] · v[j ⊕ i] (5)
j=0

Obviously, there is a subtle underlying assumption that the differences in differ-

ent nibbles are independent of each other for the calculation to be accurate (this
actually echoes the Markov cipher assumption [8]). As our verification experi-
ments show, this assumption does not always hold, but luckily in our case, on
our favor.
We calculated the biases for 7 and 8 rounds of SKINNY and put the results
in Tables 2 and 3. From Table 3 we can see that after 8 rounds of SKINNY we
have a bias of ≈2−19.5 when inserting a difference of A into nibble C.
One interesting observation, although the effect on the attack is small, is that
for some entries the choice of the input difference has an influence on the bias.
In some cases this difference is quite significant, but for the biases that we use
in the attack the difference is too small to be of any significance. Nevertheless,
in other cases, it can be useful to look at different input differences when doing
this analysis. To verify the results we ran some experiments, the results of these
experiments can be found in Table 4.
We note that the experimental verification suggests that the biases exists,
and in some cases it appears the the real bias is larger than we expect. A probable
cause for this phenomenon is dependencies between rounds.

4.2 Experimental Verification

We have experimentally verified the computed biases. As listed in Table 4, we can

see that in most of the cases, the observed bias either confirms the calculation,
or is significantly higher. As our calculation assumes independence it is very
likely that the higher biases are the result of dependencies between rounds. The
experiments were done using 240 samples under a single key. Hence, reported
biases of less than 2−19 , are expected to take place at random. We mark in Table 4
the entries which were verified beyond the random case.

4.3 Decreasing the Time and Data Complexity

To distinguish the permutation from random using the bias in the difference, we
need to verify the presence of the bias. In this section we discuss the number of
samples we need to verify the bias. The cost of verifying the bias directly affects
the time and data complexity of the attacks.

Lemma 1 (Number of samples). Given a differential characteristic with a

bias b and block size n we need 2 samples such that the biased distribution is
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 9

Table 2. The absolute bias (log2 ) with respect to zero of each output nibble after 7
full rounds of SKINNY starting with only a difference in nibble 12. The bold values in
the table are verified experimentally, while for the underlined values we found higher
biases that could be verified experimentally.

Nibble Input nibble difference value

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 −26.7 −27.1 −27.4 −27.2 −27.2 −27.2 −27.4 −27.0 −27.0 −27.0 −26.7 −26.7 −26.7 −27.4 −27.2
1 −61.3 −63.9 −66.1 −64.0 −64.5 −64.2 −66.3 −62.4 −62.4 −63.0 −60.9 −61.4 −61.4 −66.2 −64.6
2 −41.0 −42.1 −42.9 −42.1 −42.2 −42.1 −43.0 −41.6 −41.6 −41.5 −40.8 −41.1 −41.1 −42.9 −42.3
3 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.5 −19.5 −19.6 −19.6 −19.6 −19.6
4 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9
5 −25.4 −26.4 −27.3 −26.5 −26.7 −26.6 −27.4 −25.9 −25.9 −26.1 −25.2 −25.5 −25.5 −27.3 −26.7
6 −29.4 −30.4 −31.2 −30.4 −30.6 −30.4 −31.3 −29.9 −29.9 −29.9 −29.2 −29.4 −29.4 −31.2 −30.6
7 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9 −7.9
8 −11.7 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.7 −11.7 −11.7 −11.7 −11.8 −11.8
9 −14.5 −15.1 −15.6 −15.2 −15.3 −15.3 −15.7 −14.7 −14.7 −15.0 −14.5 −14.6 −14.6 −15.6 −15.3
10 −15.1 −15.5 −15.7 −15.5 −15.6 −15.5 −15.7 −15.3 −15.3 −15.4 −15.2 −15.2 −15.2 −15.7 −15.6
11 −21.9 −22.7 −23.4 −22.7 −22.9 −22.8 −23.5 −22.2 −22.2 −22.4 −21.7 −21.9 −21.9 −23.4 −22.9
12 −15.6 −15.7 −15.7 −15.7 −15.7 −15.7 −15.7 −15.7 −15.7 −15.6 −15.5 −15.6 −15.6 −15.7 −15.7
13 −35.9 −37.5 −38.9 −37.6 −38.0 −37.8 −39.0 −36.5 −36.5 −37.1 −35.7 −36.0 −36.0 −38.9 −38.1
14 −37.1 −38.2 −39.0 −38.2 −38.3 −38.2 −39.1 −37.7 −37.7 −37.6 −36.9 −37.2 −37.2 −39.0 −38.4
15 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8 −11.8

Table 3. The absolute bias (log2 ) with respect to zero of each output nibble after 8
full rounds of SKINNY starting with only a difference in nibble 12. The bold values in
the table are verified experimentally, while for the underlined values we found higher
biases that could be verified experimentally.

Nibble Input nibble difference value

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 −77.4 −79.9 −81.8 −80.1 −80.5 −80.3 −82.0 −78.7 −78.7 −79.2 −77.2 −77.7 −77.7 −81.9 −80.6
1 −120 −124 −128 −124 −125 −125 −128 −122 −122 −122 −119 −120 −120 −128 −125
2 −64.3 −65.4 −66.4 −65.5 −65.5 −65.4 −66.4 −64.9 −64.9 −64.8 −64.1 −64.3 −64.3 −66.4 −65.6
3 −49.5 −50.2 −50.8 −50.2 −50.3 −50.3 −50.8 −49.8 −49.8 −49.9 −49.3 −49.5 −49.5 −50.8 −50.4
4 −26.7 −27.1 −27.4 −27.2 −27.2 −27.2 −27.4 −27.0 −27.0 −27.0 −26.7 −26.7 −26.7 −27.4 −27.2
5 −61.3 −63.9 −66.1 −64.0 −64.5 −64.2 −66.3 −62.4 −62.4 −63.0 −60.9 −61.4 −61.4 −66.2 −64.6
6 −41.0 −42.1 −42.9 −42.1 −42.2 −42.1 −43.0 −41.6 −41.6 −41.5 −40.8 −41.1 −41.1 −42.9 −42.3
7 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.6 −19.5 −19.5 −19.6 −19.6 −19.6 −19.6
8 −22.9 −21.3 −23.5 −23.3 −23.4 −23.3 −23.5 −23.2 −23.2 −23.2 −22.9 −23.0 −23.0 −23.5 −23.4
9 −29.7 −30.5 −31.2 −30.5 −30.7 −30.6 −31.3 −30.0 −30.0 −30.2 −29.5 −29.7 −29.7 −31.2 −30.7
10 −36.9 −38.1 −39.0 −38.2 −38.4 −38.3 −39.1 −37.5 −37.5 −37.7 −36.8 −37.0 −37.0 −39.0 −38.4
11 −43.8 −45.4 −46.7 −45.4 −45.8 −45.6 −46.9 −44.5 −44.5 −44.8 −43.5 −43.9 −43.9 −46.8 −45.8
12 −41.7 −42.5 −43.0 −42.6 −42.6 −42.6 −43.0 −42.2 −42.2 −42.3 −41.7 −41.8 −41.8 −43.0 −42.7
13 −83.0 −86.5 −89.4 −86.6 −87.3 −86.9 −89.7 −84.5 −84.5 −85.2 −82.5 −83.2 −83.2 −89.5 −87.5
14 −52.6 −53.7 −54.6 −53.7 −53.9 −53.8 −54.7 −53.2 −53.2 −53.1 −52.4 −52.7 −52.7 −54.6 −53.9
15 −34.0 −34.6 −35.2 −34.7 −34.8 −34.8 −35.2 −34.2 −34.2 −34.5 −33.9 −34.0 −34.0 −35.2 −34.8

u standard deviations away from the distribution of differences for a random

permutation. Where:

 ≥ 2b − n − log(1 − 2−n ) + 2 · log(u)

10 O. Dunkelman et al.

Table 4. The absolute bias (log2 ) with respect to zero for each output nibble after 7
and 8 rounds. The biases are computed using 240 samples. The statistical significant
results are marked in bold.

Nibble Bias after

7 rounds 8 rounds
Experiment Theory Experiment Theory
0 −16.986 −26.7 −22.067 −75.4
1 −19.610 −61.3 −23.053 −120
2 −20.364 −41.0 −21.580 −64.3
3 −15.505 −19.6 −22.734 −49.5
4 −7.535 −7.9 −18.696 −26.7
5 −11.960 −25.4 −20.470 −61.3
6 −15.790 −29.4 −23.493 −41.0
7 −7.580 −7.9 −15.699 −19.6
8 −9.884 −11.7 −17.772 −22.9
9 −10.836 −14.5 −19.612 −29.7
10 −11.756 −15.5 −20.473 −36.9
11 −14.620 −21.9 −20.051 −43.8
12 −10.446 −15.6 −19.454 −41.7
13 −19.297 −35.9 −21.876 −83.0
14 −18.006 −37.1 −21.753 −52.6
15 −11.382 −11.8 −24.723 −34.0

Proof. The number of output differences observed after N = 2 samples is

binomially distributed with p1 = 2−n in the random permutation case and
p2 = 2−n + 2−b in the construction case. Due to the high number of samples we
are working with we can assume the distributions to be normal. The two dis-
tributions are distinguishable with a non-negligible probability when the means
are at least u standard deviations apart from each other. Thus we look at the
case where:

μ1 + u · sd1 ≤ μ2
N · p1 + u · N · p1 · (1 − p1 ) ≤ N · p2
−
u ·2
2
· 2−n (1 − 2−n ) ≤ 2−2b
 ≥ 2b − n − log(1 − 2−n ) + 2 · log(u)
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 11

Following Lemma 1, we obtain that  ≥ 2b + 3.450, for the case that the
number of guessed keys, k  = 128, and the blocksize n = 4.

k
 ≥ 2b − n − log(1 − 2−n ) + 2 · log(erf( √ ))
2
 ≥ 2b + 3.451

4.4 Key Recovery Attacks

Table 5. For each nibble position the number of key nibbles that have to be guessed
to partially decrypt the nibble for the given number of rounds of SKINNY-64-128 is
given in the table.

Rounds Nibble position

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1
3 3 3 3 3 5 5 5 5 3 3 3 3 3 3 3 3
4 6 6 6 6 11 10 11 11 7 8 8 8 6 6 6 6
5 11 11 11 12 20 19 21 22 15 16 16 14 12 11 12 12
6 20 20 21 23 29 29 30 31 26 26 26 22 23 20 22 22
7 29 29 30 31 32 32 32 32 32 32 32 30 31 29 30 30
8 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32

In this section we look at several key recovery attacks that can be mounted
using the biases in the difference. The attacks are rather straight forward, thus
we only discuss in detail some of the attacks and give the complexities for the
other attacks in Table 6 (Table 5).
Note that for the attacks in this section we use the theoretical biases (Tables 2
and 3). As is shown in Table 4, the real bias of the distinguishers is significantly
higher. Most probably this difference is caused by dependencies between rounds
that were not accounted for. In comparison, given that the 8-round distinguisher
has an observed bias better by a factor of 16, we expect an attack better by a
factor of 256 (data, time, and memory complexities).
Next we construct a 12-round attack using the 7-round distinguisher by
prepending one round and appending 4 rounds of key recovery. As can be seen in
Table 2 we have four sensible choices for the distinguisher: Δ12 → Δ4 ,Δ12 → Δ7 ,
Δ12 → Δ8 , and Δ12 → Δ15 , with biases respectively: 2−7.9 , 2−7.9 , 2−11.7 , 2−11.8 .
Recall that as is shown in Lemma 1 to be able to distinguish a bias of b we need at
most 2−2·b+3.451 pairs (the exact value depends on the number of candidate keys
12 O. Dunkelman et al.

that need to be filtered and can be computed using Lemma 1). To decrease the
number of pairs needed and to optimize the overall time complexity of the key
recovery we use the 7-round distinguisher Δ12 → Δ15 . This means that, since we
have a set of 224 possible keys, for every key we need to evaluate approximately
22·11.8−4+0.028+2·log(5.3) = 224.44 plaintext pairs for each of the 224 possible keys.
time. This adds up to a time complexity of 224.44+24 = 248.44 time, 224.44 data
complexity and 224.44 memory to store the data. We note that due to the SC
layer being before the key addition we do not need to guess the first round subkey
since we can choose the pairs such that they have the right difference.

Table 6. Summary of the time (data/memory) complexities for key recovery attacks
on Skinny using the different differential distinguishers described in this paper.

Distinguisher Rounds
10 11 12 13 14 15
6-round 228.00 (211.00 ) 248.00 (211.00 ) 284.00 (211.00 ) 2120.0 (211.00 ) – –
7-round 235.12 (223.12 ) 248.43 (224.43 ) 273.55 (225.55 ) 2114.49 (226.49 ) – –
8-round 246.09 (238.09 ) 259.75 (239.75 ) 274.90 (246.90 ) 2108.10 (248.10 ) – –

1 + 6-round 216.00 (211.00 ) 228.00 (211.00 ) 248.00 (211.00 ) 284.00 (211.00 ) 2120.0 (211.00 ) –
1 + 7-round – 235.12 (223.12 ) 248.43 (224.43 ) 273.55 (225.55 ) 2114.49 (226.49 ) –
1 + 8-round – 246.09 (238.09 ) 259.75 (239.75 ) 274.90 (246.90 ) 2108.10 (248.10 ) –

2 + 6-round 212.00 (219.00 ) 220.00 (219.00 ) 232.00 (219.00 ) 252.00 (219.00 ) 288.00 (219.00 ) 2124.0 (219.00 )
2 + 7-round – 234.49 (230.49 ) 239.12 (231.12 ) 252.43 (232.43 ) 277.55 (233.55 ) 2118.49 (234.49 )
2 + 8-round – – 250.09 (246.09 ) 263.75 (247.75 ) 278.90 (254.90 ) 2112.10 (256.10 )
28.00 35.00
3 + 6-round – 2 (2 ) 236.00 (235.00 ) 248.00 (235.00 ) 268.00 (235.00 ) 2104.0 (235.00 )
3 + 7-round – – 255.12 (247.12 ) 268.43 (248.43 ) 293.55 (249.55 ) –
3 + 8-round – – – – – –

5 Revisiting Impossible Differential Attacks

on Single-Tweak SKINNY

An impossible differential attack against reduced-round SKINNY in the single-

tweakey model is proposed in [14]. The attack uses an 11-round impossible dif-
ferential, i.e., a single nibble difference in nibble 12 cannot lead to a difference
only in nibble 8 after 11 rounds.

5.1 Problems with the Attack of [14]

Given the 11-round impossible differential, a standard impossible differential
attack is applied—several structures of plaintexts are taken, such that in each
structure there are many pairs which may obtain the input difference needed for
the impossible differential. Then, in each structure, all the pairs that may lead
to the impossible output difference are located, and each pair is analyzed for the
keys it suggests. These keys are of course wrong, and thus discarded.
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 13

The attack relies heavily on two parts: first, using a series of elaborate and
elegant data structures that allow easy and efficient identification of the proposed
key from a given pair, and, that given a pair, it disqualifies a fraction 2−72 of the
2116 subkeys which are recovered by the attack. Unfortunately,2 the true ratio
is 2−84 as can be seen in Fig. 4 in Appendix A: the probability that a pair of
plaintexts chosen from the structure reaches the input difference is 2−24 , whereas
the probability that the corresponding ciphertexts reach the output difference is
2−60 .
The result of this issue is that the attack requires more data (and thus time)
to succeed—namely, about 212 times the reported time and data (which are 247.5
chosen plaintexts for 18-round SKINNY-64-64 and 262.7 chosen plaintexts for 20-
round SKINNY-64-128). Hence, the corrected attacks either require more data
than the entire codebook or take more time than exhaustive search (or both).
In Sect. 5.2 we propose a new attack that solves the aforementioned problems.

5.2 Fixing the Impossible Differential Attack

One can fix the attacks by reducing the number of attacked rounds. For exam-
ple, in the case of SKINNY-64-128, attacking 17-round reduced version (which
corresponds to the first 17 rounds of the original attack). Taking 2m structures
of 228 chosen plaintexts, we expect from each structure 255 pairs, out of which
255 ·2−36 = 219 obtain ciphertext difference that may lead to the output difference
of the impossible differential. Even a naı̈ve implementation, of guessing the 60
involved subkey bits (40 in the two rounds before the impossible differential and
20 after), allows checking which subkeys suggest impossible events. The proba-
bility of an analyzed (pair, subkey) pair to “succeed” (i.e., that a pair/subkey
combination results in a contradiction, thus discarding a wrong subkey guess) is
19+m
2−24 · 2−24 = 2−48 . Hence, we require 260 · (1 − 2−48 )2 260 (as each of the
−48
2 subkeys has probability of (1 − 2 ) to be discarded by any of the 219+m
60

pairs). Picking m = 32.6 balances between the complexity of exhaustive search

over the remaining key candidates and the naı̈ve partial encryption/decryption
of the pairs.
Specifically, 232.7 structures offer 219+32.7 = 251.7 pairs. Given these pairs,
51.7 3.6
a wrong subkey guess remains with probability (1 − 2−48 )2 = (1/e)2 =
(1/e)12.1 = 2−17.5 , which implies an exhaustive key search phase of 2128 ·2−17.5 =
2110.5 , together with 260 · 219+m · 2 = 2112.6 partial encryptions/decryptions for
each pair. Hence, a naı̈ve implementation takes 2112.9 time and 260.7 chosen
plaintexts for attacking 17-round SKINNY-64-128.
We note that there is another small issue with the analysis of the attacks
reported in [14] related to the memory complexity. In impossible differential
attacks, one needs to store both the data and the list of “discarded” keys (some-
times one can optimize various parts of this complexity). Hence, the memory

2
We have contacted the authors of [14] who confirmed our claim.
14 O. Dunkelman et al.

complexity reported in [14] should also be considerably higher. Namely, it is

more than the data complexity (e.g., for the SKINNY-64-128 attack, it is 2116 ).
In comparison, our 17-round attack has memory complexity of 260.7 .

5.3 Improving the Fixed Impossible Differential Attack

We note that one can optimize the time complexity of the impossible differential
attack using pre-computed tables as in [14]. The simplest (and fastest) one is
to construct a table that accepts the two ciphertexts restricted to the 28 bits
with difference, and stores the list of all key candidates that lead to an “output
difference” of the impossible differential, i.e., a difference only in nibble 8. As for
a given 20-bit subkey guessed at the end, the probability that the pair indeed
reaches such an output difference is 2−24 , we expect for each pair about 220 ·
2−24 = 2−4 possible subkey suggestions. There are 256 pairs of two 28-bit values
(one from each ciphertext of the pair), and thus we need a hash table of 256
entries (of which only 252 non-empty entries), we can take a ciphertext pair and
immediately identify the subkey it proposes (if it proposes one).
This reduces the time complexity of the basic filtering by a factor of 220 , which
allows for an improved time complexity, in exchange for some more data.3 For
m = 24 · 229 , we obtain an attack with data complexity of 261.6 chosen plaintexts
and time complexity of 294.6 encryptions. The attack can process each structure
separately and just store the pre-computed table and a bitmap of the subkeys
which are discarded, thus, requiring 260 cells of memory.
The second optimization relies on changing the direction of the attack—
from ciphertext to plaintexts, which allows attacking 18-round variant (rather
than 17 rounds). We collect m = 212 structures of ciphertexts, each structure
with 248 ciphertexts (just before the SC operation of round 18 there are 264
possible values, but they are effectively transformed into 248 possible values
when applying the inverse MC operation, so the structures are defined by having
7 active nibbles at the output of round 16). Each such structure suggests 295
pairs, out of which 295 · 2−36 = 259 satisfy the 0 difference in 9 nibbles when
partially encrypting the obtained plaintexts till the first key addition. For each
of the 40-bit subkey involved in the plaintext side, there is a chance of 2−24 that
a pair is partially encrypted to the input difference of the impossible differential.
Similarly, such a pair has probability 2−44 to partially decrypt (with the 60-bit
subkey involved) to the output difference of the impossible differential. Hence,
we take each of the 259 pairs of each a structure, and use two pre-computed
tables to see which subkeys the pair suggests. On average, we expect a pair to
discard (through the contradiction) a given subkey guess with probability 2−68 .
This means that given m = 212.3 structures, the probability of any given key to
59
remain is (1 − 2−68 )m·2 ≈ (1/e)4.3 = 2−12 . Then, the exhaustive key search
part takes time which is 2128 · 2−12 = 2116 .
3
The extra data is needed to reduce the number of partial keys moving to the exhaus-
tive search phase of the attack, so that the impossible differential phase and the
exhaustive search phase are balanced.
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 15

We note that the list of proposed subkeys can be pre-computed: From the
plaintext side, we take all (228 )2 pairs of plaintexts and all 240 subkeys and
compute for each pair of plaintexts which keys satisfy the “input difference”
(in time 296 and memory of 272 ). For the ciphertext side we can either use
a straightforward approach of testing all (248 )2 pairs of inputs and all 260 bit
subkeys, and amortize the pre-computation cost (as is done in many works). The
second option is to follow the early abort technique. Namely, we take all (248 )2
pairs of input, and by partially encrypting the 8 nibbles which are not involved
with the key through the last round, we obtain the output differences needed
by the other nibbles to “follow” the differential transitions in the other nibbles.
Then, by the standard approach that given an input difference and an output
difference one knows the (expected) one solution for the key, we obtain the exact
subkey of round 17 that the pair suggests. We then continue for the (pair, subkey
value) and try all 220 remaining subkeys to see what options indeed lead to the
output difference of the impossible differential. Hence, the pre-computation of
the second table takes time (248 )2 · 220 = 2116 time (and 2112 memory).
To conclude, by using this technique, we can attack 18-round SKINNY-64-
128 with a data complexity of 260 chosen ciphertexts, a time complexity of 2116
partial encryptions, and using 2112 memory.

6 Conclusion

In this paper we analyzed reduced-round versions of the SKINNY-64-128. We

made several observations regarding the diffusion offered by 8-round SKINNY,
namely showing that even after eight rounds of SKINNY there is a measurable
bias in the output difference. This observation shows that 8 rounds of SKINNY
does not satisfy the strict avalanche criteria [15]. We then used the bias to offer
multiple attacks of which the results are summarized in Table 6.
Finally, we revisited several previous results, showing that [11]’s proposed
bias has a lower bias than expected (if at all). We showed that the impossible
differential attack of [14] contained a subtle, yet, devastating issue. We followed
by fixing the attack (in exchange for a reduced number of attacked rounds). The
best attack we could devise is on 18-round SKINNY-64-128 using 260 chosen
ciphertexts, with time of 2116 encryptions and 2112 memory.

Appendices

A Impossible Differential
16 O. Dunkelman et al.

TK ETK

SC
1 AK SR MC

SC
2 AK SR MC

SC
3 AK SR MC

4-14

SC
15 AK SR MC

SC
16 AK SR MC

SC
17 AK SR MC

SC
18 AK SR MC

SC
19 AK SR MC

SC
20 AK SR MC

Fig. 4. The impossible differential used in [14] and in our attacks and which nibbles
are needed to evaluate its “existence”.
 Single Tweakey Cryptanalysis of Reduced-Round SKINNY-64 17

References
1. Andreevna, E., Lallemand, V., Purnal, A., Reyhanitabar, R., Roy, A., Vizar, D.:
ForkAE (2019)
2. Ankele, R., et al.: Related-key impossible-differential attack on reduced-round
Skinny. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol.
10355, pp. 208–228. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-
61204-1 11
3. Ankele, R., Dobraunig, C., Guo, J., Lambooij, E., Leander, G., Todo, Y.: Zero-
correlation attacks on tweakable block ciphers with linear tweakey expansion. IACR
Trans. Symmetric Cryptol. 2019(1), 192–235 (2019)
4. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant
MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp.
123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-
55
5. Beierle, C., et al.: Skinny-AEAD (2019)
6. Iwata, T., Khairallah, M., Minematsu, K., Peyrin, T.: Romulus (2019)
7. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY
framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp.
274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-
8 15
8. Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis.
In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer,
Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6 2
9. Liskov, M., Rivest, R.L., Wagner, D.A.: Tweakable block ciphers. J. Cryptol. 24(3),
588–613 (2011)
10. Liu, G., Ghosh, M., Song, L.: Security analysis of SKINNY under related-tweakey
settings (long paper). IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017)
11. Moghaddam, A.E., Ahmadian, Z.: New automatic search method for truncated-
differential characteristics: application to Midori and SKINNY. IACR Cryptology
ePrint Archive 2019, 126 (2019)
12. Sadeghi, S., Mohammadi, T., Bagheri, N.: Cryptanalysis of reduced round SKINNY
block cipher. IACR Trans. Symmetric Cryptol. 2018(3), 124–162 (2018)
13. Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming.
IACR Trans. Symmetric Cryptol. 2017(1), 281–306 (2017)
14. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis
of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017.
LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). https://doi.org/10.1007/
978-3-319-57339-7 7
15. Webster, A.F., Tavares, S.E.: On the design of S-Boxes. In: Williams, H.C. (ed.)
CRYPTO 1985. LNCS, vol. 218, pp. 523–534. Springer, Heidelberg (1986). https://
doi.org/10.1007/3-540-39799-X 41
16. Yang, D., Qi, W., Chen, H.: Impossible differential attacks on the SKINNY family
of block ciphers. IET Inf. Secur. 11(6), 377–385 (2017)
 Zero-Knowledge to the Rescue:
Consistent Redundant Backup of Keys
Generated for Critical Financial Services

Moti Yung1(B) , Cem Paya2 , and Daniel James2

1
Google and Columbia University, New York, USA
motiyung@gmail.com
2
Gemini, New York, USA
cemp51d@gmail.com, daniel@gemini.com

Abstract. We present the work on HADKEG: a protocol for Highly

Available Distributed Key Generation. The context is a highly sensitive
redundant generation for use and redundant recovery of a set of sym-
metric cryptography keys. These keys need to be trusted (random) and
secure against failures of randomness employment and leakages, and be
available via a recovery procedure which needs to be redundant (high
availability constraints) yet secure and consistent (i.e., the correct recov-
ery has to be assured regardless of recovery server availability). The
working environment allows for distributed key generating parties initi-
ating the system, and a set of recovery and operating agents that hold
the key and may be at time off-line. These very practical concrete secu-
rity, redundancy (availability), and integrity requirements, that typify
real world highly sensitive services, operate in a special environment
where, as we said, not all recovery agents are available at all times,
yet where transfers of encrypted information is semi-synchronous and
globally available to parties that become on-line. In this architecture,
it turned out, that the usually considered theoretical and costly trans-
ferable Zero-Knowledge proofs, actually help overcome the operational
and integrity constraints. We present a protocol we implemented called
HADKEG: Highly Available Distributed Key Generation. It combined
distributed key generation, special encryption and transferable zero-
knowledge proofs to achieve the practical goal in the working environ-
ment.

1 Introduction
Operating online sensitive valuable services like digital assets exchanges or indi-
vidual wallet hosting service require care. Indeed, every so often in this modern
cryptocurrency age, we hear that a currency exchange [1] has lost some stored
coins and cannot recover them, or attacks of similar nature [3] or the more recent
[2] Canadian exchange incident in 2019. Attacks on such services may grow as the
volume and value of transactions increase. Therefore, when one is to operate a
reliable exchange or a reliable repository of wallets, or any other service involving
c Springer Nature Switzerland AG 2020
S. Dolev et al. (Eds.): CSCML 2020, LNCS 12161, pp. 18–28, 2020.
https://doi.org/10.1007/978-3-030-49785-9_2
Another random document with
no related content on Scribd:
export of cotton to so considerable an amount. I found the best-
informed opinion in Southern Nigeria imbued with the belief that the
1911 crop will be a poor one, though better than last year’s, but that
the prospects for the crop of 1912 are good. The newly opened
ginnery at Oshogbo is said to be doing well. The ginnery at Oyo,
however, is apparently lying idle. At any rate, it had done nothing, I
was there informed, ever since it was put up, some four years ago. A
good deal seems to have been spent upon the experimental
plantation at Ibadan, with indifferent results. It has now been taken
over by the Government, whose officers, I was informed, found it in a
very neglected condition.
Personally, I do not attach, in a sense unfavourable to the growth
of the industry, much importance to the drop in the output. The field,
it must always be remembered, is small, the entire Western Province
being only 27,640 miles square, and much of it, as already stated,
covered with forest. In West Africa new industries are always liable
to violent fluctuations. The drop in the maize export is much more
considerable than the falling off in cotton. Unfavourable seasons, too
much rain or too little, late sowing, and other considerations play a
determining part in these matters. Things move very slowly in West
Africa as a rule. The cotton crop is not the easiest to handle.
Compared with ground nuts, for instance, it entails a great deal more
time and trouble. All kinds of obstacles have to be encountered and
overcome which people at home have difficulty in fully appreciating.
The experimental stage of any enterprise, especially in a place like
West Africa, is bound to leave openings for error, and error in West
Africa is a costly luxury. The Protectorate is under considerable
obligations to the Association for the good work it has done and is
doing.
It seems to me that the British Cotton-growing Association may
perhaps find it advisable, so far as the Western Province of Southern
Nigeria is concerned, to reconsider two aspects of its policy.
Fundamentally that policy is without question sound—viz. the
recognition that agricultural development in West Africa can only be
possible on any scale worth mentioning when undertaken by the
natives themselves. A policy of large plantations run under white
supervision by hired native labour will not pay in West Africa, and,
politically speaking, is virtually impossible. The Association should
receive public support in resisting any pressure which might be
placed upon it to alter its fundamental policy by those of its
supporters who may be impatient of a comparatively slow advance—
slow, i.e., in comparison with the unwise optimism displayed by
some of the Association’s friends upon public platforms. I doubt,
however, if an export trade in cotton will ever reach substantial
proportions—let us say 100,000 bales per annum twenty years
hence—in the Western Province unless the element of competition is
introduced. Hitherto, by combining with the merchants, the
Association has established a fixed buying price. In the initial stages
this was a good thing. The native farmer wanted the certainty that his
crop would be purchased if he were induced to grow it. Now that the
industry is well on in its stride it may be seriously questioned whether
the Yoruba farmer, the certainty of sale notwithstanding, will be
content with the prices offered him under the monopoly agreement
now obtaining. He has always the oil palm to fall back upon; but he
has, in addition, cocoa and maize. Cocoa is rapidly increasing, and
the profit realized by the cultivator is a good one. The timber trade,
too, is growing slowly, and the forest is always yielding fresh
elements of trade. The bulk of the cotton produced in the Western
Province to-day is roughly similar to “middling American,” which is
now quoted, I believe, at 8d. a pound, but some of the Yoruba cotton
fetches up to 3d. above “middling American.” It is asserted by the
Association that 4 lbs. of seed cotton are required in the Western
Province to produce 1 lb. of lint. The native cultivator is (now)
supposed to get from the combine—i.e. from the Association and the
merchants, as the case may be—from 1d. to 1⅛d. per lb. of seed
cotton. I say “supposed,” because I was informed that the actual
producer had not always got the amount which he was understood to
be getting. As regards Northern Nigeria, until the close of last year
the native had never been paid 1d. a lb. cash, and I was given to
understand that conditions had been much the same in the Southern
Protectorate, except at Ilushi, where it was proved to my satisfaction
that the amount of 1d. cash had actually been paid.
 The Association reckons, I understand, that at this rate every
pound of lint landed in Liverpool costs the Association 6½d. I cannot
check that figure. I merely quote it. But one may point out that in
addition to the profit at the present price of “middling American”
disclosed by this estimate, there must be a considerable profit to the
Association on the seed, which, upon arrival in England, is worth, I
believe, between £5 and £6 per ton. Moreover, as already stated,
some of this Yoruba cotton is fetching a higher price than “middling
American,” and I do not think it is beyond the mark to say that, but
for the fact that the Association’s ginneries are not continuously
employed, the Association’s profits on Southern Nigerian cotton to-
day would be substantial. It must be fairly obvious from what
precedes that if the industry were placed upon an ordinary
commercial footing like any other, with merchants competing on the
spot for the raw material, the Yoruba farmer would have no difficulty
in obtaining very much more than he gets at present for his crop.
Cultivation, under those circumstances, would become
proportionately more profitable and a greater acreage would be laid
out in cotton. No doubt it would cut both ways, the native restricting
his acreage when the price fell, but it may be fairly argued that no
special reason now exists for treating the cotton industry on an
artificial basis, that it must take its chance like any other, and like any
other become subject to ordinary economic ups and downs. We
cannot expect the native farmer to concentrate upon one particular
crop if he can make a greater profit in cultivating another. No industry
can develop healthily on artificial lines. If this suggestion were
thought worthy of consideration, the Association’s rôle could be
confined to ginning, and, if asked to do so, selling on commission, or
that rôle might be combined with buying and selling in cases where
the producers preferred to deal with the Association, or found it more
convenient to carry the cotton direct to the various ginneries. That,
no doubt, would force the Association into competition with the
merchants, and the merchants, bringing out their own gins (if it paid
them to do so), might cause the Association’s position to become
precarious. The first alternative would, therefore, appear the most
desirable, the merchants being the buyers and the Association, the
ginners, and, if necessary, sellers on commission. Each force would
then be operating within its natural orbit, and an unnatural alliance
would cease, unnatural in the sense that one price means one
market, and that one market is not an inducement to economic
expansion, especially when the price of other tropical products
produced by the Yoruba farmer with an open free market to deal in
has been steadily rising during the last few years. The Association
has always contended that its primary object is not money making,
but the establishment in our oversea dependencies of an Imperial
cotton industry calculated in the course of time to relieve Lancashire,
in whole or in part, of her dangerous dependence on American
speculators.
The other point which those responsible for the management of
the Association might conceivably think over, is one that impressed
me in Northern Nigeria when inspecting the beautifully kept cotton
plantations in the Kano and Zaria provinces. I was later on to find
that it was one upon which very strong, though not unanimous,
opinions were held by persons of experience and judgment in the
Southern Protectorate. A great deal of energy, and doubtless money
too, is apparently expended by the Association in experimenting with
and distributing seeds of non-indigenous varieties of cotton. Now,
although one cannot say without careful cultivation, speaking of the
north, one can at least say without perpetually improving scientific
cultivation extending over a century, Nigeria is able to produce
indigenous cotton, fetching to-day 1¼d., 2d., and even 3d. per lb.
above “middling American.” Does not this fact constitute the
strongest of pleas for concentrating upon the improvement of the
indigenous varieties instead of distributing effort by worrying about
the introduction of exotics? If these indigenous plants, without a
century’s scientific care, can produce cotton superior in value to
“middling American,” what could they not do with a tithe of the
attention which has been lavished upon the industry in the States? I
know the experts will argue that the indigenous varieties make a lot
more wood, and that an acre planted with American varieties will
yield much more lint than an acre planted with a Nigerian variety. Not
being an expert I would not venture to dispute this. All that I would
make bold to query would be whether experiments tending to prove
it have in Nigeria been sufficiently continuous and carried out under
conditions of fairness to the indigenous cotton sufficiently conclusive
to place the matter beyond the pale of discussion. Even if this were
so, I am not sure that it could be taken as an irrefutable reply to the
contention I have ventured to put forward. For, on the other side,
must be reckoned the diseases which invariably attack all exotics,
animal, vegetable, and human, introduced into the West African
forest region. At every halt on my trek from Riga-Chikum to Kano, a
matter of twelve days, wherever I saw cotton plantations, and often
enough at points on the road, I made it my business whenever
practicable to put a number of questions to the Sarikis (chiefs) and to
individual farmers on the subject of cotton-growing. I always
prefaced these questions with an assurance that I did not belong to
the Government and that I was not a commercial man, but merely a
Mallam (I believe my interpreter sometimes inserted on his own
account the word “wise” before Mallam), who travelled about and
wrote “books,” and that my friends could therefore feel satisfied that
they would not be causing me any pleasure at all by answering my
questions in any particular manner—that, in short, I did not care a
row of yams what their answer might be. One question I never failed
to ask was whether the Government had distributed seed to that
particular village or in that particular area, and if so, what result had
followed the sowing of it? Sometimes the answer was in the
negative. When it was in the affirmative it was invariably the same.
The Government seed had come. It had been sown. But it was “no
good.” Now, I disclaim all attributes of wisdom in this matter of
cotton. But I beg you to believe me when I say that the Hausa farmer
is no fool.[14]
 CHAPTER III
THE COTTON INDUSTRY—continued

Cotton is grown extensively in parts of Northern Nigeria, not for

export—outside the Hausa provinces—but for home consumption. In
Kano province—28,600 square miles in extent with 2,500,000
inhabitants, more than one-fourth of the total population of the
Protectorate—its cultivation is accompanied by what can, without
exaggeration, be termed a national industry of weaving,
manufacturing, embroidering, and dyeing the garments, both under-
garments and over-garments, which the Kano people wear. But not
the Kano people alone. For many centuries, for nearly 1000 years
probably, the Kanawa have been famed throughout the great region
comprised between the bend of the Niger and the ocean as the
expert cotton manufacturers of Africa; the most interesting region in
all the Dark Continent, where divers races have ceaselessly
intermingled, attracted thither by its fertile soil and abundant
pastures; Libyan and Berber, Egyptian and Semite, and the
mysterious Fulani. Three-fourths of the “men of the desert,” too, the
fierce-eyed, black-lithamed Tuareg, descendants of the Iberians,
who roam over the vast spaces between Tripoli and the Chad,
replenish their wardrobes from the Kano looms. Throughout Bornu,
Wadai, and Baghirmi, in the northern German Cameroons as far east
as Darfur, Kano cloths hold unquestioned sway. The Kanawa are not
the only Nigerians who manufacture cotton goods; but they are the
only people among whom the industry may be truly called a national
one. As carried out in Kano province this industry adds dignity,
interest, and wealth to the life of the people, assists their inventive
faculties, intensifies their agricultural lore, and sustains several other
branches of industrial activity, binding in close alliance of material
interest the agriculturist and the artisan. It gives a healthy, attractive
employment to many thousand homes—employment carried on in
the free air of heaven, beneath the bright sunshine of Africa. It has
become a part of the national life, the pride and profit of the people.
Men, women, and children participate in it, the men clearing the
ground, hoeing and sowing, the women and children doing the
picking, the women cleaning the lint of the seeds (on flat stones),
teasing, the men weaving, tailoring, and usually, but not always,
embroidering. Woven in long, narrow strips, the manufactured article
is of remarkable durability and firmness of texture. The
predominating dye is the blue of the indigo plant, extensively
cultivated for the purpose, dyepits being common all over the
province. The embroidery, both in regard to design and execution, is
astonishingly handsome, and the colours harmoniously blended. A
fine specimen of a finished riga—the outer robe covering the
shoulders, with an aperture for the head and neck, and falling in
folds to the knee—is a work of art of which any people in any country
might be proud. It is a very heavy garment, and it is costly. But it is
suitable for the cold nights and chilly mornings, and it lasts for years.

WOMEN COTTON SPINNERS.

 MEN WEAVING.

It is impossible to separate the cultivation of cotton from the

agricultural pursuits of the people generally. Cotton, like cassava,
onions, ochro, pepper, ground nuts, and beans, takes its place as
one of the secondary crops. The people are primarily a people of
agriculturists, raising vast quantities of cereals year after year for
home consumption and export to other districts—guinea-corn and
millet, yams, maize, a little wheat. In the Kano Emirate or division—
as distinct from what is known as the Kano province—the population
is exceedingly dense, and virtually the whole land is under
cultivation. I have seen nothing more remarkable in the way of
cultivation either in France or Flanders. And it is all done with the
galma, a peculiar kind of short-handled hoe, which would break the
back of an English labourer to use, but which the Hausa will wield for
hours together. The pattern of the galma is of great antiquity. It came
from ancient Egypt, with the original inhabitants probably; the
plough, which was used in Egypt when intercourse was frequent
between the valleys of the Nile and Niger, never seems to have
penetrated so far West—a curious and unexplained fact.
 Long, deep, broad, parallel ridges cover the surface of the land,
dotted here and there with magnificent specimens of the locust-bean
tree, the shea, the tamarind, and many other varieties, under whose
shade it seems a favourite device to grow a catch crop of pepper.
How does the soil retain, year after year, its nutritive properties? That
is the secret of the Kanawa, who from generation to generation have
studied it in conjunction with the elements, as the Niger pilots have
learned to read the face of the waters and can steer a steam launch
where no white man could without running his craft upon a
sandbank, especially at low water. That they have acquired the
necessary precise knowledge as to the time to prepare the land for
sowing; when to sow and how to sow; how long to let the land lie
fallow; what soils suit certain crops; what varieties of the same crop
will succeed in some localities and what varieties in others; how to
irrigate the land situate in the vicinity of the waterways and planted
with secondary crops in the dry season; how to ensure rotation with
guinea-corn, millet, ground nuts, and beans; when to arrange with
the Fulani herdsmen to pasture their cattle upon the land—so much
at least the outsider interested in agricultural problems can gauge to
some extent. For miles and miles around Kano city one passes
through a smiling country dotted with farms, riven by fine, broad
native roads lined with hedges of euphorbias and other plants.
Great care is lavished upon the cotton and cassava plantations—
the two chief secondary crops. When the cotton fields are in the
neighbourhood of a road, and very often when they are not, they are
surrounded by tall fencing, eight to ten feet in height, usually
composed of reeds and grass or guinea-corn stalks, to protect them
from the depredations of cattle, sheep, and goats, all of which
abound. In April and May, with the advent of the early rains, the land
is cleared and hoed into furrows and ridges. Along the ridges drills
are made at a distance of two and a half to three feet apart, the seed
dropped in, and the ridge hoed up. In some districts, however, this
custom is varied by the ridges being made after the sowing. The
water lies in the hollows between the ridges, prevents the seeds
from being washed away by the torrential downpour, and allows air
to circulate freely, thus keeping the plants in a healthy state. A month
later, when the plants have grown to a foot or more, the ground is
again hoed. That is the first sowing. With variations according to
localities there are successive sowings up to July and even August.
The success of these late sowings depends very much upon the
extent to which the land has been previously manured. Conditions
are slightly different with the variety of cotton grown, but as a rule the
plants are in a fit condition for picking about five months after
sowing. December, January, March, and April appear to be the
months when cotton is most abundant in the markets. In November
and December of last year I observed that while in some of the fields
the pods were bursting well and picking beginning, in others they
were still in full flower; in others, again, they had not reached the
flowering stage. Speaking generally, the plantations were in excellent
condition, and the absence of weeds would have done credit to an
up-to-date British farmer. But the difference in vigour of plant growth
was very marked—affected, doubtless, by locality and manuring or
the lack of it. One of the finest plantations I saw was at Gimmi, to the
north of Zaria province, and the intelligent sariki (chief) of that village
informed me that his people not infrequently treated the plant as a
perennial up to the third year, when it was plucked up. I
subsequently ascertained that in the Hadeija division of the Kano
province, where the soil has a good underlying moisture, the
perennial treatment is carried on sometimes for no less than seven
years. After the third year the annual crop decreases. When so
treated the plant is invariably manured.
I found it exceedingly difficult to obtain reliable figures as to the
average yield of cotton per acre in any one district, or the average
acreage under cultivation; and the Residents share the view that
only continuous residence in the country by a Hausa-speaking (that
is essential) European expert in constant and close touch with the
farmers will permit of anything approaching exact information being
acquired on the point. In the Katagum division of Kano province an
acre is said to produce an average of 266 lbs. The average annual
acreage under cotton in Katsina is said to be 16,000 acres. In Zaria
province the soil, which is a sandy clay, the subsoil being reached at
six inches, is generally rather poor, and the farmer is not so great an
expert as his Kano colleague. In some places it is so poor that one
hundred plants are said to be required to produce a single riga. In
the true cotton-farming districts of the northern part of the province—
such as Soba, Gimba, and Dillaya—the soil is, however, very much
better, obtaining more moisture than the higher ground of Kano
province and producing even finer cotton. Broadly, the problem
which faces the native farmer in Zaria province is how to increase
the fertility of his land. Artificial chemical manuring is out of the
question; the rains would wash it all out of the soil. Green manuring
is well understood but might be improved. The introduction of one or
two shallow ploughs might work wonders by showing the farmers
how the subsoil could be broken up, but the experiment would have
to be carefully demonstrated. The native is only affected by actual
demonstration, and, so far, demonstrations inspired by Europeans
designed to show the Hausa farmer how to improve his agricultural
systems have done little more than provoke a smile. The white man
has failed where the black man has succeeded, because the white
man thought he knew local conditions and did not. A Government
experimental farm was started at Maiganna rather late last year, the
sowings being made in July, if I remember rightly, seventeen miles
from Zaria city. This is an excellent initiative which it is to be hoped
will be maintained. It is really Government work. The British Cotton-
growing Association should be spared all expense of this kind. Two
varieties indigenous to the southern provinces (Bassa and Ilorin) and
“Nyassaland upland” were planted. I was told last November by the
official in charge that the indigenous varieties were doing fairly well,
but that the “Nyassaland” was suffering from red-leaf. The British
Cotton-growing Association was then about to put up a large and
costly ginnery at Zaria. The operation is proceeding, and a
substantial quantity of cotton has already been bought. I will refer to
that later on. Meantime I cannot help thinking that it might have been
better to have waited a little and set up the ginnery at Kano.
However, this is merely a personal opinion.
The chief varieties of indigenous cotton grown in the Kano
province are three in number. The first is known under the four
following names—gundi, bagwandara, lutua, or mailaushi; the
second as chukwi or labai. These two are the best kinds, their quality
being about the same. The third is called yerkarifi or yergeri. It is of
an inferior quality with a shorter staple, usually but not always grown
where the soil is not naturally rich enough to support the other kinds.
It is the yerkarifi variety, I gathered, which is more often used as a
perennial. It fetches a lower price on the local markets and takes a
month longer to mature. Cotton plants are fairly free from insect
pests, but the following are identified: the cotton boll worm (tsutsa),
what is described, doubtfully, as an ant which attacks the root (zago),
and two species of blight (makau and madi). The native remedy,
apart from constant hoeing, is to light a fire to windward, upon which
the dried leaves of a certain plant, and also dried fish, are thrown.
The question of indigenous versus exotic varieties here crops up
again. One hears talk of flooding the country with exotic seed and
doing away altogether with the indigenous varieties. I refer to Zaria,
where some five hundred bags of exotic seed—or at least non-local
seed—were distributed this spring after a palaver with the Emir and
his principal headmen. No doubt it may be all right. From the non-
expert point of view it seems dangerous. As already stated, African
insect life fastens with relentless savagery upon exotic plant life, just
as it revels in nice fresh blood out from Europe. One season’s failure
with an exotic or non-local variety, sown by instructions of the Emir’s
headmen in lieu of the indigenous kind, might create a prejudice in
the native’s mind that it would take years to remove. Concentration
upon improving the fertility of the soil, and therefore the quality and
quantity of the local varieties (combined, of course, with seed
selection) would be a slower process. It is just possible that it might
be a wiser one.
The distribution of the cotton now grown in Zaria and Kano
provinces is as follows: Zaria is visited by the weavers (or their
representatives) of Kano and of French territory—from the
neighbourhood of Zinder principally. They buy up between them
virtually the whole crop, importing live stock and manufactured
goods, which they dispose of in the markets for silver coin, buying
with that coin the cotton. What is not taken by the Zinder people is
taken by Kano. The Kano division of the Kano province consumes all
the cotton it grows. So does the Katagum division. The Katsina
division exports a percentage to Kano and consumes the rest. The
soil of this division compares unfavourably with that of Kano, except
in the southern district, where it is even better than in Kano. In this
district cotton-growing forms the principal means of livelihood of the
inhabitants. The total annual output of the Kano province is
estimated at about 5200 tons—3500 from the Kano division, 1000
from the Katsina division, 700 from Katagum-Hadeija. But these
figures are mere estimates, and not over-reliable at that. The country
is too extensive and the British occupation too recent to permit of
accuracy in such matters at present. I was unable to obtain even an
estimate of the Zaria output, which is, of course, very much lower—
probably about one-fifth, or less than that at Kano.
As already remarked, the whole of the crop now grown is used by
the local industry (except the Association’s purchases this year,
which I will refer to in a moment). So far this industry not only shows
no signs of decreasing, but the demand, especially from the
southern markets is, I was told, steadily increasing. The advent of
the railway may, apart from the activities of the Association, modify
the situation appreciably through the increasing influx of Manchester
goods. As well-being increases—and up to a certain point it is doing
and will do so as the result of our occupation—the consumption of
Manchester goods wall doubtless increase, but it does not altogether
follow that the output of the native looms will decrease. It is curious
that the Kano weavers themselves think that the railway will enlarge
their market. I was informed that the natives of the south, who have
been in touch with Manchester cotton goods for many years, very
much prefer the Kano cloths, which although dearer, are much more
durable. In the north I heard frequent complaints of the quality of the
Manchester goods imported. Many of them, so I was told, were
much too thin, and so heavily starched that on the first washing they
became threadbare and useless. I saw nothing on sale in the
markets from Manchester suited for the early and late hours of the
day. Cheap prints are all very well for the hot hours of the late
morning and afternoon. But the people require warmer garments
than that. I used to strike camp when trekking at about 5 a.m. or 5.30
a.m., and at that time, and for a couple of hours afterwards, I was
glad of two sweaters over a khaki shirt, riding. When the sun goes
down it is equally chilly. The robes worn by the better-class natives
are of a consistency and weight which would astonish us here.
 I am persuaded that the British Cotton-growing Association is in
every way worthy of support, that its ideal is a fine one and a
patriotic one, and that the West African dependencies of Southern
and Northern Nigeria are very much indebted to it. At the same time I
should not be giving honest expression to the views I have rightly or
wrongly formed if I did not enter a caveat against any Government
action calculated to undermine or destroy the weaving industry of the
Kano province. That industry may disappear as the result of natural
causes. But nothing should be done by the Administration to assist
its decay. Frankly, I am compelled to state that from the standpoint of
the happiness and welfare of these Hausa people, our wards, the
disappearance of their national industry would be deplorable. It
would lower their outlook and stunt their development, and send
them down in the scale of civilization. Their intelligence is of an order
which would enable them under tuition to advance their methods of
production beyond the hand-loom. While the duty of the
Administration to lend its moral support, as it is doing, from the
Governor, Sir Henry Hesketh Bell (who is most interested in this
question) downwards, to any legitimate effort directed at increasing
the area of cotton under cultivation, increasing the yield per acre by
improving the fertility of the soil, facilitating communication and the
accessibility of markets, is unquestioned, I submit that there is an
equally clear call of duty on its part to encourage rather than
discourage an indigenous industry of great antiquity, of wonderful
promise, which is at once a source of profit to, and an elevating
influence in, the life of the people of the land.
I have now endeavoured to sketch the chief factors to be
considered in estimating the possibilities of a substantial export trade
in raw cotton from Northern Nigeria. There remains to be examined
the question of price and of competing articles of production. The
British Cotton-growers Association’s début at Zaria has been
attended with no little success. They bought this season, I believe,
something like 60,000 lbs. of cotton, a considerable proportion of
which, I am informed, came from the Katsina division of Kano. Whilst
the Association’s buyers, lent to its representative by the authorities,
could not compete in price with the Kano and Zinder buyers in the
big markets, they competed successfully with them in the remoter
small markets of the province which buyers from the native weaving
interest do not usually visit.
I hope I shall not be thought desirous of “crabbing” the
Association’s efforts or minimising what they have accomplished if I
venture to point out that there would be some danger—of which the
Association is doubtless aware—in drawing too definite conclusions
from these first and satisfactory results. The taxes fell due in Zaria
province at the time of the maturing of the crop, and the growers
were anxious for cash to meet them. The Emir of Katsina is a very
intelligent man and wishful of encouraging in every way he can any
desires he deems the Government to entertain. His influence would
be directed to giving a tangible proof of his interest and goodwill.
This desire would be shared by his people, by whom he is personally
respected. It would be unwise, however, to imagine that Katsina
farmers will permanently be willing to send their cotton all the way to
Zaria for 1d. per lb., when in the ordinary run of things they can get
as much, if not more, than 1d. from the native weaving interest. If the
cotton were bought on the spot the farmers might be willing to sell at
1d. The question of price is bound to play an important part in the
interesting developments which have now begun. Taking year in year
out, the local price of cotton in Zaria and Kano varies from 1¼d. to
2d. per lb. in the seed. In Zaria last November and December it
varied from 1⅝d. to 2d. In Kano it kept at 2d. throughout November,
December, and part of January, having fallen from 2¼d. in
September. In the latter part of January it fell temporarily to 1d. It
went up again to 2d. in February. The bright side consists in the
possibility—the probability, perhaps—that the knowledge of a
permanent and unlimited market at a fixed price, albeit a low one, in
their midst will incline farmers to patronize that market (and increase
their acreage), assuring them as it does of an immediate sale.
Personally, I cannot but think that the Association will have to put up
its price if it is to obtain substantial quantities. Competition here, as
in Southern Nigeria, would undoubtedly tend to increase production,
but I believe that the advent of the European merchant to Zaria and
Kano is to be characterized by the same arrangement as I have
already commented upon in Southern Nigeria. There is, of course,
what there is not in Southern Nigeria, an element of competition in
the Northern provinces—viz. the native weaving interest—and the
play of these two forces, if both are allowed a fair field, will, no doubt,
have a stimulating effect in itself.
Another element comes in here which is worthy of note. I refer to
the price of foodstuffs. Everywhere the price of foodstuffs is growing
with our occupation of the country. Round the main highways and
large markets it has risen enormously in the past eighteen months.
In one part of the Niger province the native farmer now reckons upon
getting, I was informed, £8 to £10 per acre out of yams. Cotton at 1d.
per lb. would bring him in from £3 to £4. That is rather an extreme
case, I admit, nor does the whole country produce yams, and the
farmers generally do not appear yet to have fully grasped the
economic importance for them of the increased demand for
foodstuffs. On the other hand, it is, of course, true that the sowing of
cotton between the ordinary food crops is not uncommon.
I have thought it well to describe the position just as I read it, and
to make certain suggestions, the outcome of personal observation
and discussion on the spot. It may well be that in certain respects I
have read the situation wrong and that the suggestions made are
faulty. Prediction at the present time, I am convinced, must be largely
made in the dark, and they are no friends of the British Cotton-
growing Association who describe the outlook in Nigeria in “high
falutin’” terms. It is too soon to say how matters will develop. That
development will in any case be slow may be taken for granted. The
Administration is in urgent need of a properly equipped agricultural
department with at the head of it the very best man that money can
secure.
Reviewing the whole situation, the only definite conclusions I have
been able to arrive at in my own mind are—first, that all attempts at
giving an artificial basis to cotton production in the Nigerias will, in
the long run, defeat its own ends; secondly, that by some means or
other the price paid to the native farmer must be raised if any
extension of the industry worth talking about is to be looked for.
Everywhere in Northern Nigeria, whether the personal view inclines
to optimism or pessimism, I found the officials without exception
deeply interested in and anxious to assist in every way the effort to
build up an export industry in cotton, and fully persuaded of the great
importance and value of the work of the Association.
 CHAPTER IV
THE LIQUOR TRAFFIC IN SOUTHERN NIGERIA

Apart from religious questions there is probably no subject upon

which it is more difficult to secure reasonable discussion and study
than the subject of drink; none upon which it is more easy to
generalize, or which lends itself more readily to prejudice and
misunderstanding of the real points at issue. That moral reformers in
England and elsewhere should feel strongly about drink is natural
enough. A considerable proportion of the population of this country,
of France, Germany, Belgium, and other European States live
wretched and unhealthy lives. They are over-worked, under-fed,
herded in insanitary tenements with insufficient space, ventilation,
and light, under conditions which preclude decency and breed moral
and physical diseases. Their horizon is one dead, uniform, appalling
greyness from birth to death. Who can feel surprise that people thus
situated should seek momentary forgetfulness in drink? The drink
problem in Europe is not a cause but an effect. The cause lies deep
down in the failure-side of our civilization, and statesmen worthy of
the name are grappling with it everywhere. Those of us who think we
see beyond an effect, are striving to prevent the reproduction in
tropical Africa of this failure-side of our civilization. We are striving to
maintain the economic independence of the West African; to ensure
him a permanency of free access to his land; to preserve his healthy,
open-air life of agriculturist and trader, his national institutions, his
racial characteristics and his freedom. We are endeavouring to show
him to the people of Europe, not as they have been taught by long
years of unconscious misrepresentation to regard him, but as he
really is. We feel that if we can protect the West African from the
profounder economic and social perils which encompass him on
every side; from the restless individualism of Europe; from unfair
economic pressure threatening his free and gradual development on
his own lines; from the disintegrating social effects of well-meaning
but often wrongly informed and misdirected philanthropic effort; from
political injustice—that if we are able to accomplish this even in small
measure, the question of drink, while requiring attention, becomes
one of secondary importance. The West African has always been a
moderate drinker. From time immemorial he has drunk fermented
liquors made from various kinds of corn, and from different kinds of
palm trees. It is not a teetotal race, as the North American race was.
It is a strong, virile race, very prolific.
Unfortunately this question of drink has been given a place in the
public mind as regards Southern Nigeria altogether disproportionate
to the position it does, and should, hold. It has been erected for
many sincere, good people into a sort of fetish, obscuring all the
deeper issues arising from the impact upon the West African of
civilization at a time when civilization has never been so feverishly
active, so potent to originate vast changes in a few short years. The
temperance reformer in England strikes, often blindly, at “drink”
anywhere and everywhere on the same principle, utterly oblivious to
physiological and climatic differences; he cannot see beyond or
behind the subject which specially interests him and which has
become his creed. The use of intoxicants of some kind is common to
humanity all over the world. It responds to a need of the human
body. Christ Himself did not condemn its use, since He Himself, the
Sacred Writings tell us, changed water into wine at a marriage feast.
Excessive indulgence in liquor, like indulgence in any other form of
human appetite, is a human failing. It is not the drink which is an evil,
but the abuse of it. The abuse of liquor nine times out of ten is the
outcome of social discomfort and unhappiness, a way of escape, like
a narcotic, from the pangs of conscience, or of misery. People who
concentrate merely upon effects are unsound guides when
constructive measures are required. The temperance reformer in
England approaches the question of drink in West Africa from the
subjective point of view which characterizes the home outlook upon
most questions lying outside the home latitudes. Saturated with his
home experience, the English temperance reformer places the West
African in the same economic and social setting as the European
and argues on parallel lines. To that mode of reasoning, three-
fourths of the evils which civilization has inflicted upon coloured
races may be traced. Nothing is more curious or more saddening to
observe than the unfailing success of such methods of thought
translated into public action, in their effect upon home sentiment.
Consumption sweeping through the ranks of a coloured people as
the consequence of the educationary and religious processes of
Europeanism may make a holocaust of human victims. The public
remains indifferent. European marriage laws; European ethics, or
nominal ethics, in the matter of sex relationship; the European
individualistic social system grafted upon the communal life of a
coloured people—these things may produce widespread human
misery and immorality. The public is cold and unconcerned.
European interference and innovation in social customs and usages
essential to the well being, to the political and racial needs of a
coloured people in one stage of development, but repugnant to
European twentieth-century notions, may cause social disturbance
and widespread anarchy which those who are responsible for such
interference can never themselves witness, let alone suffer from. It is
virtually impossible to arouse popular interest. For these and kindred
disasters are very largely brought about by the uninstructed zeal of
God-fearing, Christian men and women in Europe who judge other
countries by their own, other peoples by their own people, other
needs by their own needs, with the best of intentions and with the
purest of motives; and outside a small band of students, ethnologists
and experienced officials, the public mind is scandalized and even
incensed if any one ventures to doubt the excellent results
necessarily flowing from disinterested action. It is disinterested:
therefore it must be right. That is the popular belief and the general
fallacy.
Poor Mary Kingsley, who knew her West Africa as few have ever
known it and who had the true scientific mind, fought hard against
this ingrained characteristic of the Anglo-Saxon temperament. But
she fought in vain. Despite her charity, the geniality and the humour
in which she clothed her truths, she had against her the whole
weight of what is called the philanthropic school of home opinion,
responsible for so much good and yet for so much unconscious
harm.