Abstract
When analyzing a block cipher, the first step is to search for some valid distinguishers, for example, the differential trails in the differential cryptanalysis and the linear trails in the linear cryptanalysis. A distinguisher is advantageous if it can be utilized to attack more rounds and the amount of the involved key bits during the key-recovery process is small, as this leads to a long attack with a low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the small set.As applications, our strategy is used to analyze GIFT-128, which was proposed in CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. In addition, we also give some results on two GIFT-128 based AEADs GIFT-COFB and SUNDAE-GIFT.
Highlights
Differential cryptanalysis was proposed by Biham and Shamir in [BS91] and linear cryptanalysis was proposed by Matsui in [Mat94]
We propose a two-step strategy for searching advantageous distinguishers which can lead to long attacks with a small number of involved key bits
We find a 17-round linear hull and give the first linear key-recovery attack on GIFT-128, which covers 22 rounds
Summary
Differential cryptanalysis was proposed by Biham and Shamir in [BS91] and linear cryptanalysis was proposed by Matsui in [Mat94]. In [JZD19], Ji et al improved Matsui’s algorithm by using three new methods They claimed the highest probability of the differential trails of GIFT-128 up to 19-round and the highest probability of the best linear trails up to 10-round. We specify the Input(Output) values in a set called the InitialSet which need to satisfy the following two conditions: 1) a distinguisher with an input (output) from the InitialSet can be extended by many rounds at the top (the bottom), to lead a long attack, 2) the amount of involved key bits in the extended rounds is small, to lead a low attack complexity. We utilize the MILP technique and revisit Matsui’s branch-and-bound algorithm to implement a two-step strategy of searching for advantageous differential and linear distinguishers. The key different point of this work and ours is that the MILP technique is utilized to search for trails, while for our strategy, the MILP technique is used to search for the InitialSet and the Matsui’s algorithm is to search for specific trails
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
