AlgSAT—A SAT Method for Verification of Differential Trails from an Algebraic Perspective
Huina Li,Haochen Zhang,Kai Hu,Guozhen Liu,Weidong Qiu
DOI: https://doi.org/10.1007/978-981-97-5025-2_23
2024-01-01
Abstract:A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential due to some contradictions in the conditions imposed by the differential. In this paper, we present a new automatic model for verifying differential trails from an algebraic perspective. From this algebraic perspective, exact Boolean expressions for differentials over a cryptographic primitive can be conveniently established, allowing the creation of a simpler SAT model. By invoking a SAT solver, the differential trails are verified in full automatically. Compared with the previous MILP models proposed by Liu et al. at CRYPTO 2020, our tool is more concise and direct, for there is no need to analyze any differential properties of components of the targets manually. Thus, it is less error-prone and more friendly for programming, significantly improving the efficiency of verifying a given differential trail. To demonstrate the powerfulness of our new tool, we apply it to Gimli, Keccak-f, and Ascon. For Gimli, our tool takes about one minute to find a semi-free-start collision pair that costs 264 attempts in a random search. Note that Liu et al. ’s model could not find any results in practical time. For Keccak-f, it is interesting to note that for large-state-size permutations such as Keccak-f[1600], our approach still shows excellent performance. We verify two 4-round differential trails presented at ASIACRYPT 2022 and confirm that both are valid. For Ascon, we check several differential trails reported at FSE 2021. Specifically, we find that a 4-round differential used in the forgery attack on Ascon-128’s iteration phase is invalid. Thus, the corresponding forgery attack is also invalid.