Searching for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some published difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers SIMECK, and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak key from the target weak key space. For example, in one of the reported 14-round RX trails of SPECK, the probability of a key pair to be a weak key is \(2^{-94.91}\) when the whole key space is \(2^{96}\); our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method to SPECK block cipher, to construct longer related-key differential trails of SPECK which we could reach 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational-XOR cryptanalysis on SPECK.

在基于差异的区分器中搜索正确的输入对是对称密钥密码中区分器实验验证的一项重要任务。在本文中，我们开发了一种基于 MILP 的方法来验证基于差异的区分器的可能性并提取正确的对。我们将所提出的方法应用于分组密码SIMECK和SPECK 的一些已发布的基于差异的路径（相关密钥差分（RKD）、旋转异或（RX））。结果，我们表明一些已报告的SIMECK和SPECK 的RX 轨迹是不兼容的，即没有正确的对遵循路径差异的预期传播。此外，对于兼容路径，所提出的方法可以有效地加快从目标弱密钥空间中找到弱密钥精确值的搜索过程。例如，在SPECK报告的 14 轮 RX 路径之一中，当整个密钥空间为\(2^{96 )时，密钥对成为弱密钥的概率为\(2^{-94.91}\) }\) ; 我们的方法可以在相对较短的时间内为其找到密钥对。值得注意的是，使用传统搜索是不可能找到这个密钥对的。作为另一个结果，我们将所提出的方法应用于SPECK分组密码，构建更长的SPECK相关密钥差分路径，对于SPECK32/64、SPECK48/96、SPECK64/128和SPECK128/256，我们可以分别达到 15、16、17 和 19 轮。应该与之前最好的结果分别是 12、15、15 和 20 轮进行比较，这两种攻击都适用于某个弱密钥类别。它也应该被认为是对SPECK旋转异或密码分析报告结果的改进。