Abstract

In recent years, Mixed Integer Linear Programming (MILP) has been widely used in cryptanalysis of symmetric-key primitives. For differential and linear cryptanalysis, MILP can be used to solve two kinds of problems: calculation of the minimum number of differentially/linearly active S-boxes, and search for the best differential/linear characteristics. There are already numerous papers published in this area. However, the efficiency is not satisfactory for many symmetric-key primitives. In this paper, we greatly improve the efficiency of the MILP-based search algorithm for both problems. Each of the two problems for an r-round cipher can be converted to an MILP model whose feasible region is the set of all possible r-round differential/linear characteristics. Generally, high-probability differential/linear characteristics are likely to have a low number of active S-boxes at a certain round. Inspired by the idea of a divide-and-conquer approach, we divide the set of all possible differential/linear characteristics into several smaller subsets, then separately search them. That is to say, the search of the whole set is split into easier searches of smaller subsets, and optimal solutions within the smaller subsets are combined to give the optimal solution within the whole set. In addition, we use several techniques to further improve the efficiency of the search algorithm. As applications, we apply our search algorithm to five lightweight block ciphers: PRESENT, GIFT-64, RECTANGLE, LBLOCK and TWINE. For each cipher, we obtain better results than the best-known ones obtained from the MILP method. For the minimum number of differentially/linearly active S-boxes, we reach 31/31, 16/15, 16/16, 20/20 and 20/20 rounds for the five ciphers respectively. For the best differential/linear characteristics, we reach 18/18, 15/13, 15/14, 16/15 and 15/16 rounds for the five ciphers respectively.
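The divide-and-conquer idea from the abstract, as an added example that is not code from the paper: a constructed 8-bit toy SPN (two PRESENT S-boxes and a made-up bit permutation) is searched by dynamic programming instead of MILP. Partitioning on the number of active S-boxes entering one round, and the simple pruning bound, are assumptions of this example.

```python
from itertools import product
from math import inf, log2

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
N_SBOX, ROUNDS = 2, 4             # toy 8-bit SPN, constructed for this example
PERM = [0, 2, 4, 6, 1, 3, 5, 7]   # constructed bit permutation: bit i moves to PERM[i]

# DDT[a][b] = number of x with S(x) ^ S(x ^ a) == b
DDT = [[0] * 16 for _ in range(16)]
for x, a in product(range(16), repeat=2):
    DDT[a][SBOX[x] ^ SBOX[x ^ a]] += 1
# (output difference, weight) pairs per input difference; weight = -log2(n / 16)
TRANS = [[(b, 4 - log2(n)) for b, n in enumerate(row) if n] for row in DDT]

def nibbles(d):
    return [(d >> 4 * i) & 0xF for i in range(N_SBOX)]

def active(d):
    return sum(n != 0 for n in nibbles(d))

def permute(d):
    return sum(((d >> i) & 1) << PERM[i] for i in range(4 * N_SBOX))

def search(split_round=None, n_active=None):
    """Minimum weight of a ROUNDS-round characteristic. With arguments, only
    characteristics with exactly n_active active S-boxes entering split_round."""
    best = {d: 0.0 for d in range(1, 1 << 4 * N_SBOX)}  # nonzero input differences
    for r in range(ROUNDS):
        if r == split_round:  # restrict the feasible region to one subset
            best = {d: w for d, w in best.items() if active(d) == n_active}
        nxt = {}
        for d, w in best.items():
            for outs in product(*(TRANS[n] for n in nibbles(d))):
                y = permute(sum(b << 4 * i for i, (b, _) in enumerate(outs)))
                nxt[y] = min(nxt.get(y, inf), w + sum(c for _, c in outs))
        best = nxt
    return min(best.values(), default=inf)

def divide_and_conquer(split_round=ROUNDS // 2):
    """Search the subsets in order of active S-boxes at split_round and combine."""
    best, solved = inf, []
    for a in range(1, N_SBOX + 1):
        # Bound: a active S-boxes here, >= 1 in every other round, each of weight >= 2.
        if 2 * (a + ROUNDS - 1) >= best:
            continue  # this subset cannot beat the incumbent, so skip it
        solved.append(a)
        best = min(best, search(split_round, a))
    return best, solved
```

`divide_and_conquer()` returns the optimal weight together with the list of subsets it actually had to search; `search()` with no arguments is the unsplit reference search over the whole set.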

Highlights

  • As a fundamental primitive of cryptography, block ciphers have received extensive attention from academia and industry

  • Our main contributions are: 1. We propose an improved Mixed Integer Linear Programming (MILP)-based search algorithm to evaluate the security of block ciphers against differential cryptanalysis

  • If the minimum weight or its lower bound calculated from the minimum number of active S-boxes is greater than or equal to half of the cipher’s block size, it can be concluded that the r-round cipher is secure against linear cryptanalysis


Summary

Introduction

As a fundamental primitive of cryptography, block ciphers have received extensive attention from academia and industry. At ASIACRYPT 2014, Sun et al. [SHW+14b] improved the MILP-based method for automatically evaluating the security of a block cipher against (related-key) differential cryptanalysis, and proposed a heuristic algorithm for finding actual (related-key) differential characteristics. They introduced two systematic methods for generating inequalities to describe the bit-wise S-box operation more accurately: logical condition modeling and convex hull computation. The problem of the calculation of the minimum number of differentially/linearly active S-boxes or the search for the best differential/linear characteristic for an r-round block cipher can be converted to an MILP model. The algorithm can be extended to the security evaluation of block ciphers against linear cryptanalysis with a slight modification.

We apply our search algorithm to five lightweight block ciphers
Related Work
Model Framework for Calculating the Minimum Number of Active S-boxes
Objective
Model Framework for Searching for the Best Differential Characteristic
Dividing the Set of All Possible Differential Characteristics
Building MILP Models for Searching Subsets
Techniques to Further Improve Efficiency
Methods for Calculating Lower Bounds within Subsets
Improved Search Algorithm
Security Evaluation Against Differential Cryptanalysis
Security Evaluation Against Linear Cryptanalysis
PRESENT
GIFT-64
RECTANGLE
LBLOCK and TWINE
Conclusion
A Search Algorithm for Feistel Ciphers
B Security Evaluation against Related-Key Differential Cryptanalysis
C Number of MILP Models Solved in Our Algorithm
D Examples of Best Differential and Linear Characteristics