Abstract

When designing a new symmetric-key primitive, the designer must show resistance to known attacks. Perhaps most prominent amongst these are linear and differential cryptanalysis. However, it is notoriously difficult to accurately demonstrate e.g. a block cipher’s resistance to these attacks, and thus most designers resort to deriving bounds on the linear correlations and differential probabilities of their design. On the other side of the spectrum, the cryptanalyst is interested in accurately assessing the strength of a linear or differential attack. While several tools have been developed to search for optimal linear and differential trails, e.g. MILP and SAT based methods, only few approaches specifically try to find as many trails of a single approximation or differential as possible. This can result in an overestimate of a cipher’s resistance to linear and differential attacks, as was for example the case for PRESENT. In this work, we present a new algorithm for linear and differential trail search. The algorithm represents the problem of estimating approximations and differentials as the problem of finding many long paths through a multistage graph. We demonstrate that this approach allows us to find a very large number of good trails for each approximation or differential. Moreover, we show how the algorithm can be used to efficiently estimate the key dependent correlation distribution of a linear approximation, facilitating advanced linear attacks. We apply the algorithm to 17 different ciphers, and present new and improved results on several of these.
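The multistage-graph view described above, as an added example that is not code from the paper: each stage holds the possible masks, each edge carries the squared correlation of one round, the sum over all paths gives the expected linear potential (ELP) of an approximation, and the maximum-product path gives its best single trail. The 8-bit toy SPN (two PRESENT S-boxes, a made-up bit permutation `PERM`, independent round keys) and all function names are assumptions; the graph is small enough to search exhaustively, so no subgraph selection or pruning is shown.

```python
from fractions import Fraction

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
PERM = [0, 2, 4, 6, 1, 3, 5, 7]  # constructed toy permutation: bit i moves to PERM[i]

def parity(x):
    return bin(x).count("1") & 1

# C2[a][b]: squared correlation of the S-box approximation a -> b (exact fractions).
C2 = [[Fraction(sum((-1) ** parity((a & x) ^ (b & SBOX[x])) for x in range(16)), 16) ** 2
       for b in range(16)] for a in range(16)]

def permute(mask):
    """Move each mask bit through the bit permutation."""
    return sum(1 << PERM[i] for i in range(8) if mask >> i & 1)

def build_edges():
    """One stage of the graph: edges[a] = [(next_mask, squared correlation), ...]."""
    edges = {}
    for a in range(256):
        edges[a] = []
        for b in range(256):
            w = C2[a >> 4][b >> 4] * C2[a & 15][b & 15]  # two parallel S-boxes
            if w:
                edges[a].append((permute(b), w))
    return edges

EDGES = build_edges()

def search(in_mask, rounds):
    """Per output mask: (sum over all trails, best single trail) after `rounds` stages."""
    hull, best = {in_mask: Fraction(1)}, {in_mask: Fraction(1)}
    for _ in range(rounds):
        nhull, nbest = {}, {}
        for a, total in hull.items():
            for b, w in EDGES[a]:
                nhull[b] = nhull.get(b, 0) + total * w        # add up every path
                nbest[b] = max(nbest.get(b, 0), best[a] * w)  # keep the strongest path
        hull, best = nhull, nbest
    return hull, best

def largest_gap(in_mask, rounds):
    """Output mask where the hull most exceeds its best single trail, with the ratio."""
    hull, best = search(in_mask, rounds)
    b = max(hull, key=lambda m: hull[m] / best[m])
    return b, hull[b] / best[b]

if __name__ == "__main__":
    b, ratio = largest_gap(0x01, 4)
    print(f"0x01 -> {b:#04x}: hull ELP is {float(ratio):.2f}x the best single trail")
```

A ratio above 1 is the gap the abstract warns about: judging an approximation by its best single trail understates its strength.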

Highlights

  • Whenever a new design for a symmetric-key primitive is proposed, it is usually accompanied by a design rationale

  • Two attack techniques that are almost always featured in the security analysis of a new design, due to their long history and many strong results, are linear [Mat93] and differential [BS90] cryptanalysis

  • It is notoriously difficult to make an accurate and complete analysis of a cipher’s security against these attacks, and for this reason methods of estimating the strength of these attacks feature prominently in the initial analysis of a new design. This will often consist of lower-bounding the number of active S-boxes in a linear or differential trail, showing how many rounds the cipher needs to resist these attacks


Summary

Introduction

Whenever a new design for a symmetric-key primitive is proposed, it is usually accompanied by a design rationale. It is notoriously difficult to make an accurate and complete analysis of a cipher’s security against these attacks, and for this reason methods of estimating the strength of these attacks feature prominently in the initial analysis of a new design. For block ciphers, this will often consist of lower-bounding the number of active S-boxes in a linear or differential trail, showing how many rounds the cipher needs to resist these attacks. As an example of this phenomenon, it was demonstrated in [Ohk09] that for the block cipher PRESENT the difference between a single linear trail and the full linear approximation is quite significant. It would be extremely helpful for a designer if a simple tool existed that could more accurately find linear approximations and differentials for a given design. This would save the designer time, and potentially allow for exploration of a larger design space as well as enabling a more informed choice of the number of rounds needed to obtain adequate security.

Previous Work
Contributions
Preliminaries
Linear Cryptanalysis
Differential Cryptanalysis
Finding Approximations and Differentials
Trail Search Viewed as a Graph Problem
A New Algorithm for Trail Search
Choosing a Subgraph
Edge Selection for SPN Ciphers
Graph Pruning
Finding Linear Hulls and Differentials
Improvements
Vertex Generation
Graph Compression and Pattern Elimination
Vertex Anchoring
Parallelisation
Searching for Linear Approximations and Differentials
Results for ELP and EDP
Visualising Trail Graphs
Correlation Distributions
Finding Key-Dependent Distributions
Results
Future Work
