Abstract
The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting.
Highlights
Differential [BS90] and linear [Mat93] cryptanalyses can be seen as the cornerstone of modern cryptanalysis techniques for symmetric-key ciphers
The first category of the automatic search is based on the mixed integer linear programming (MILP) method, which was firstly introduced by Mouha et al [MWGP11] to estimate the lower bound on the number of differential and linear active S-boxes
Every Boolean formula can be converted into an equivalent formula that is in conjunctive normal form (CNF) [RN10, Sob10], which
Summary
Differential [BS90] and linear [Mat93] cryptanalyses can be seen as the cornerstone of modern cryptanalysis techniques for symmetric-key ciphers. The first category of the automatic search is based on the mixed integer linear programming (MILP) method, which was firstly introduced by Mouha et al [MWGP11] to estimate the lower bound on the number of differential and linear active S-boxes Later, this method was refined by Sun et al [SHW+14] to search for (related-key) differential characteristics concerning bit-oriented block ciphers. The MILP method is further applied to accomplish tasks in search of multiple sorts of distinguishers, such as differential and linear characteristics for ARX ciphers [FWG+16], integral distinguishers [XZBL16], zerocorrelation distinguishers [CJF+16], impossible differential distinguishers [ST17b], and non-blackbox polynomials manipulated in the cube attack [TIHM17] Another important branch of the automatic search is based on the Boolean satisfiability problem (SAT) or the more general extension called satisfiability modulo theories (SMT) method. This paper is motivated by this vacancy and endeavours to speed up the search with the SAT method
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have