Abstract

Automatic modelling to search for distinguishers with high probability covering as many rounds as possible, using MILP, SAT/SMT, or CP models, has become a very popular cryptanalysis topic. In those models, the optimization objective is usually the probability or the number of rounds of the distinguisher. To recover the secret key of a round-reduced block cipher, there are usually two phases: finding an efficient distinguisher, and performing a key-recovery attack by extending several rounds before and after the distinguisher. The total number of attacked rounds depends not only on the chosen distinguisher, but also on the rounds extended before and after it. In this paper, we try to combine the two phases in a uniform automatic model. Concretely, we apply this idea to automate the related-key rectangle attacks on SKINNY and ForkSkinny. We propose some new distinguishers that are advantageous for performing key-recovery attacks. Our key-recovery attacks on a few versions of round-reduced SKINNY and ForkSkinny cover 1 to 2 more rounds than the best previous attacks.

Highlights

  • Differential cryptanalysis [BS91], proposed by Biham and Shamir, is one of the most successful cryptanalysis techniques

  • From the perspective of a distinguishing attack, good differential distinguishers are those with relatively high probabilities or those covering a larger number of rounds

  • In order to search for differential distinguishers that improve the number of rounds covered by a key-recovery attack, one has to take into account multiple factors and their interactions, including the probability and the length of the differential distinguisher, the number of inactive bits in the differences after the forward and backward extension, and the number of guessed key bits for a partial decryption

Summary

Introduction

Differential cryptanalysis [BS91], proposed by Biham and Shamir, is one of the most successful cryptanalysis techniques. In order to search for differential distinguishers that improve the number of rounds covered by a key-recovery attack, one has to take into account multiple factors and their interactions, including the probability and the length of the differential distinguisher, the number of inactive bits in the differences after the forward and backward extension, and the number of guessed key bits for a partial decryption. There are several cryptanalysis results on SKINNY under single-tweakey and related-tweakey settings using different techniques, such as impossible differential attack [TAY17, LGS17, SMB18, YQC17, ABC+17, DHLP20], rectangle attack [LGS17, ZDM+20], zero-correlation attack [SMB18, ADG+19], Demirci-Selçuk Meet-in-the-Middle attack [SSD+18], etc. Among these cryptanalysis results, the rectangle attacks in the related-tweakey setting can cover more rounds for most versions. We build a new MILP model combining the key-recovery process and the distinguisher search process together.

Our contributions
The tradeoff in differential cryptanalysis
The tradeoff in rectangle attack on ciphers with linear key-schedule
Guess the mb subkey bits involved in Eb:
Specification of SKINNY
Previous automatic modelling of searching boomerang distinguishers on SKINNY
Our model to determine a distinguisher
Related-tweakey Rectangle Attacks on Round-reduced SKINNY
The key-recovery attack on 30-round SKINNY-64-192
The key-recovery attack on 24-round SKINNY-64-128
The key-recovery attack on 30-round SKINNY-128-384
The key-recovery attack on 25-round SKINNY-128-256
Application to ForkSkinny
The attack on 28-round ForkSkinny-128-256 with 256-bit key
The attack on 25-round ForkSkinny-128-256 with 128-bit key
Discussion and Conclusion
Tweakey schedule of SKINNY
B Boomerang Distinguishers of SKINNY and ForkSkinny