Abstract

Searching for different types of distinguishers is a common task in symmetric-key cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. leads to the solution of the open problem of determining the exact lower bound on the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied to searching for integral distinguishers, impossible differentials, and zero-correlation linear approximations, in both the single-key and related-(twea)key models. We implement the method using the open-source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY, and HIGHT (an ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128, based on which we construct an 18-round attack on SKINNY-64-128 (one target version for the crypto competition https://sites.google.com/site/skinnycipher announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristic, restart, and dynamic branching strategy), the CP approach can be very efficient. Therefore, we suggest that the constraint programming technique should become a convenient tool at hand for symmetric-key cryptanalysts.

Highlights

  • The design and analysis of symmetric-key cryptographic primitives is considered a tedious, time-consuming, and error-prone task which involves tracing the propagation of bit-level patterns against all sorts of different operations according to some intricate rules

  • Those automatic tools can be divided into four categories, including search algorithms implemented from scratch in general-purpose programming languages [Mat95, ANE15, BV14, BN11, FJP13, BDF11, DF16, DEM15, Leu13, YZW15, DDS14, SW16], SAT/SMT based methods [CB07, KY10, RS09, MP13, KLT15, QCW16, AJN14, SHY16], mixed-integer linear programming (MILP) based methods [AC11, MWGP12, WW11, SHW+14, FWG+16, XZBL16] and methods based on classical constraint programming

  • According to Theorem 1, whether there exists an integral distinguisher for an r-round iterative block cipher E with n-bit block size can be determined by Algorithm 2, where MIENrT(Cj) denotes the constraint programming (CP) model whose set of solutions is the set of all division trails satisfying Cj, which dictates that the output division property is the unit vector ej
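
The check described in the last highlight (Algorithm 2: output bit j admits an integral distinguisher when no division trail can end in the unit vector e_j), as an added Python example that is not code from the paper. It works on a constructed 8-bit toy cipher (two PRESENT S-boxes side by side plus a PRESENT-style bit permutation and constructed round keys, all assumptions for illustration), derives the S-box division trails from its ANF, and stands in for the Choco feasibility query with exhaustive propagation of the trail set, which is feasible only at this toy size; a brute-force function is included to confirm the predicted balanced bits.

```python
from itertools import product
# Constructed 8-bit toy (not a cipher from the paper): key XOR, two PRESENT S-boxes
# side by side, then a PRESENT-style bit permutation (state bit i moves to PERM[i]).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [(2 * i) % 7 for i in range(7)] + [7]
ROUND_KEYS = [0x3C, 0xA5, 0x5A, 0xC3, 0x0F, 0xF0]  # constructed sample round keys
N = 8

def anf(truth):
    """Moebius transform: 16-entry truth table -> set of monomials x^u with coefficient 1."""
    c = list(truth)
    for i in range(4):
        for u in range(16):
            if (u >> i) & 1:
                c[u] ^= c[u ^ (1 << i)]
    return {u for u in range(16) if c[u]}
# ANF monomials of each product y^kp = prod_{i in kp} y_i(x) of S-box output bits, and the
# S-box division trails: k -> kp is a trail iff y^kp contains some x^u with u >= k bitwise.
MONOMIALS = {kp: anf([int(all((SBOX[x] >> i) & 1 for i in range(4) if (kp >> i) & 1))
                      for x in range(16)]) for kp in range(16)}
TRAILS = {k: [kp for kp in range(16) if any(u & k == k for u in MONOMIALS[kp])]
          for k in range(16)}
def permute(v):
    return sum(((v >> i) & 1) << PERM[i] for i in range(N))

def propagate(kset):
    """One round of trail propagation: both S-boxes, then the bit permutation (a key XOR
    leaves the division property unchanged, so it is skipped)."""
    return {permute(lo | (hi << 4)) for k in kset
            for lo, hi in product(TRAILS[k & 0xF], TRAILS[k >> 4])}

def balanced_bits(rounds, const_bit=0):
    """Algorithm 2 with exhaustive propagation standing in for the Choco feasibility query:
    bit j is balanced over the cube (all bits active but const_bit) iff no trail ends in e_j."""
    kset = {((1 << N) - 1) ^ (1 << const_bit)}
    for _ in range(rounds):
        kset = propagate(kset)
    return set() if 0 in kset else {j for j in range(N) if (1 << j) not in kset}

def encrypt(x, rounds, keys=ROUND_KEYS):
    for r in range(rounds):
        x = permute(SBOX[(x ^ keys[r]) & 0xF] | (SBOX[(x ^ keys[r]) >> 4] << 4))
    return x

def empirically_balanced(rounds, const_bit=0, keys=ROUND_KEYS):
    # Brute-force ground truth over the 128 cube inputs (feasible only for a toy this small).
    acc = 0
    for x in (v for v in range(1 << N) if not (v >> const_bit) & 1):
        acc ^= encrypt(x, rounds, keys)
    return {j for j in range(N) if not (acc >> j) & 1}
```

Every bit reported by `balanced_bits(r)` must also appear in `empirically_balanced(r)`; the converse need not hold, since the division property only proves balance, it does not detect it exhaustively.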


Summary

Introduction

The design and analysis of symmetric-key cryptographic primitives is considered a tedious, time-consuming, and error-prone task which involves tracing the propagation of bit-level patterns against all sorts of different operations according to some intricate rules. Automatic tools for cryptanalysis designed by the community have played a significant role in the design and analysis of symmetric-key primitives. Generally speaking, those automatic tools can be divided into four categories, including search algorithms implemented from scratch in general-purpose programming languages [Mat95, ANE15, BV14, BN11, FJP13, BDF11, DF16, DEM15, Leu13, YZW15, DDS14, SW16], SAT/SMT (satisfiability modulo theory) based methods [CB07, KY10, RS09, MP13, KLT15, QCW16, AJN14, SHY16], mixed-integer linear programming (MILP) based methods [AC11, MWGP12, WW11, SHW+14, FWG+16, XZBL16] and methods based on classical constraint programming.

Constraint Programming and the Choco CP Solver
Comparing Solvers
Accelerating the Search for Integral Distinguishers and
Search for Integral Distinguishers
Related-tweakey Impossible Differential Attack on 18-round SKINNY-64-128
Notations
Cryptanalysis
Conclusion and Discussion
A The Choco CP Solver
B Source code for finding 9-round Integral Distinguisher of PRESENT