Abstract

Mixed Integer Linear Programming (MILP) solvers are regularly used by designers for providing security arguments and by cryptanalysts for searching for new distinguishers. For both applications, bitwise models are more refined and allow the properties of primitives to be analyzed more accurately than word-oriented models do. Yet, they are much heavier than the latter. In this work, we first propose many new algorithms for efficiently modeling any subset of F_2^n with MILP inequalities. This permits, among other things, modeling differential or linear propagation through Sboxes. Notably, we manage to represent the differential behaviour of the AES Sbox with three times fewer inequalities than before. Then, we present two new algorithms inspired by coding theory to model complex linear layers without dummy variables. This permits us to represent many diffusion matrices, notably those of Skinny-128 and AES, in a much more compact way. To demonstrate the impact of our new models on the solving time, we ran experiments for both Skinny-128 and AES. Finally, our new models allowed us to computationally prove that there are no impossible differentials for 5-round AES and 13-round Skinny-128 with exactly one input and one output active byte, even when the details of both the Sbox and the linear layer are taken into account.

Highlights

  • In symmetric-key cryptography, a popular technique for proving resistance against classical attacks is to model the behaviour of the cipher as a Mixed Integer Linear Programming (MILP) problem and solve it by some MILP solver

  • While the naïve XOR modeling of (M_Skinny|I) would have needed 2^3 + 2 + 2^2 + 2^2 = 18 inequalities, using the above matrix for the XOR modeling only requires 14 inequalities. To demonstrate that this representation is more efficient in practice compared to the naïve approach, we computed the time it takes for the Gurobi Optimizer [GO20] to reach the minimum number of active Sboxes over several rounds of Skinny-128 for the two different modelings of MixColumns

  • The chosen set is typically composed of all possible inputs and outputs with exactly one active byte, i.e. for which exactly one byte has a difference. When all of those computations result in a valid differential transition, showing that the input and output differences can be connected, we consider that resistance against impossible differential cryptanalysis has been partially proven, where "partially" refers to the fact that the input and output spaces are restricted


Summary

Introduction

In symmetric-key cryptography, a popular technique for proving resistance against classical attacks is to model the behaviour of the cipher as a Mixed Integer Linear Programming (MILP) problem and solve it with some MILP solver. The problem with these two methods is that they are not efficient for large (e.g. 8-bit) Sboxes. To solve this problem for large Sboxes, Abdelkhalek et al. [AST+17] observed that generating a minimal number of constraints in logical condition modeling can be converted into the problem of minimizing the product-of-sums representation of Boolean functions. This latter problem is well-studied and algorithms for solving it exist, for example the Quine-McCluskey (QM) [Qui, Qui, McC56] or the Espresso [BSVMMH84] algorithms.
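As an added illustration (not code from the paper), the unminimized logical-condition modeling that the QM/Espresso minimization above starts from, and that produces the 2^3 + 2 + 2^2 + 2^2 = 18 count quoted in the highlights: every impossible point of F_2^n is cut off by one inequality, applied here to each XOR row of (M_Skinny|I). The SKINNY MixColumns matrix is assumed from the SKINNY specification; it is not given on this page.

```python
from itertools import product

# SKINNY MixColumns matrix, assumed from the SKINNY specification (it is not
# shown on this page); row weights 3, 1, 2, 2.
M_SKINNY = [[1, 0, 1, 1], [1, 0, 0, 0], [0, 1, 1, 0], [1, 0, 1, 0]]


def exclude_point(point):
    """One inequality cutting off exactly one point of {0,1}^n.

    Returns (coeffs, const) for sum(coeffs[i]*x[i]) + const >= 1: it adds
    x_i where the point has a 0 and (1 - x_i) where it has a 1, so the left
    side is 0 at `point` and at least 1 at every other point.
    """
    return [1 if b == 0 else -1 for b in point], sum(point)


def model_subset(valid, n):
    """Naive logical-condition model of a subset of F_2^n: one inequality
    per impossible point (the unminimized input of QM / Espresso)."""
    valid = set(valid)
    return [exclude_point(p) for p in product((0, 1), repeat=n) if p not in valid]


def satisfies(ineqs, x):
    """True when the 0/1 vector x meets every inequality."""
    return all(sum(c * v for c, v in zip(co, x)) + k >= 1 for co, k in ineqs)


def xor_row_model(row):
    """Model one row of (M | I): the output bit is the XOR of the inputs
    selected by the 0/1 row, i.e. (selected inputs..., output) has even parity."""
    n = sum(row) + 1
    valid = [p for p in product((0, 1), repeat=n) if sum(p) % 2 == 0]
    return model_subset(valid, n)


def naive_xor_inequality_count(matrix):
    """Inequalities used by the naive XOR modeling of (M | I)."""
    return sum(len(xor_row_model(row)) for row in matrix)


def model_is_exact(row):
    """Brute-force check: the model accepts exactly the even-parity points."""
    n = sum(row) + 1
    ineqs = xor_row_model(row)
    return all(satisfies(ineqs, p) == (sum(p) % 2 == 0)
               for p in product((0, 1), repeat=n))
```

A row of weight w involves w + 1 variables and excludes the 2^w odd-parity points, which is where the per-row terms 2^3, 2, 2^2 and 2^2 come from.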

MILP Modeling for Boolean functions and Sboxes
Modeling Boolean functions and DDTs
State of the art
Convex hull techniques for up to 6-bit Sboxes
Logical condition techniques for 8-bit Sboxes
Distorted balls
Comparing different techniques for Sbox modeling
Linear layer modeling
XOR modeling
General modeling
Changing the Sbox modeling for improving the linear one
Modeling of affine equivalent Sboxes
Impact of the new modelings on the solving time
Applications on impossible differential cryptanalysis
The Differential Possibility Equivalence technique
Applications to Skinny-128 and AES
Conclusion
Proof of Proposition 4
Example of Algorithm 3 on Present
D On the complexity of algorithms for linear layer modeling
F Analyzed linear layers
Findings
G More statistics on the experiment of Section 4

