Abstract

Among the few works realising the search of truncated differentials (TD) and multidimensional linear approximations (MDLA) holding for sure, the optimality of the distinguisher should be confirmed via an exhaustive search over all possible input differences/masks, which cannot be afforded when the internal state of the primitive has a considerable number of words. The incomplete search is also a long-term problem in the search of optimal impossible differential (ID) and zero-correlation linear approximation (ZCLA) since all available automatic tools operate under fixed input and output differences/masks, and testing all possible combinations of differences/masks is impracticable for now. In this paper, we start by introducing an automatic approach based on the constraint satisfaction problem for the exploration of deterministic TDs and MDLAs. Since we transform the exhaustive search into an inherent feature of the searching model, the issue of incomplete search is settled. This tool is applied to search for related-key (RK) TDs of AES-192, and a new related-key differential-linear (DL) distinguisher is identified with a TD holding with certainty. Due to the novel property of the distinguisher, the previous RK DL attack on AES-192 is improved. Also, the new distinguisher is explained from the viewpoint of the differential-linear connectivity table (DLCT) and thus can be regarded as the first application of the DLCT in the related-key attack scenario. As the second application of the tool, we propose a method to construct (RK) IDs and ZCLAs automatically. Benefiting from the control of the nonzero fixed differential pattern and the inherent feature of exhaustive search, the new searching scheme can discover longer distinguishers and hence possesses some superiorities over the previous methods. This technique is implemented with several primitives, and the provable security bounds of SKINNY and Midori64 against the impossible differential distinguishing attack are generalised.

Highlights

  • Differential cryptanalysis [BS90] was introduced by Biham and Shamir in the early 1990s

  • In light of an absence of the automatic tool for the search of deterministic (RK) truncated differential (TD) and multidimensional linear approximation (MDLA), we propose a method based on constraint programming (CP) to fulfil this goal

  • Since the propagations of differences and linear masks are dual [SLG+16], the method for the search of truncated differentials can naturally be adjusted to search for multidimensional linear approximations; we omit this adjustment due to space limitations

Summary

Introduction

Differential cryptanalysis [BS90] was introduced by Biham and Shamir in the early 1990s. Since the feature of the exhaustive search is incorporated in the new model, we settle the long-term problem of incomplete search in the field of discovering truncated (impossible) differential and multidimensional (zero-correlation) linear approximation distinguishers.

Constructing (RK) IDs with TDs and ZCLAs with MDLAs. As the second application of the automatic tool, we propose the U∗-method relying on CP to construct (RK) IDs and ZCLAs. The U∗-method is based on the miss-in-the-middle approach and serves as a basic version for the search of (RK) IDs and ZCLAs. Benefiting from the control of the nonzero fixed differential pattern and the inherent feature of exhaustive search, the U∗-method can identify longer distinguishers and is superior to the U-method [KHS+03] and the UID-method [LLWG14].

The method relying on CSP for the search of deterministic truncated differentials and multidimensional linear approximations is presented in Sect.

Basics of Differential and Linear Cryptanalyses
Constraint Satisfaction Problem
Finding Deterministic TDs and MDLAs
Initialising Variables
Propagating Differential Patterns
Clarifying the Searching Scopes of the Input and Output Patterns
The Reason to Use the CP
Related-Key Differential-Linear Attack on AES-192
Improved RK DL Attack on AES-192
Explanation of the New Distinguisher with DLCT
Constructing IDs with TDs and ZCLAs with MDLAs
Basic Tool Relying on Miss-in-the-Middle Approach
Optimising IDs and ZCLAs Obtained with Algorithm 1
Method
Applications to SKINNY
Impossible Differentials
Related-Tweakey Impossible Differentials for SKINNY-n-n
Provable Security of Midori64 against ID
Conclusion