Abstract:Counting the number of differentially active S-boxes is of great importance in evaluating the security of a block cipher against differential attack. Mouha et al. proposed a technique based on Mixed-Integer Linear Programming (MILP) to automatically calculate a lower bound of the number of differentially active S-boxes for word-oriented block ciphers, and applied it to symmetric ciphers AES and Enocoro-128v2. Later Sun et al. extended the method by introducing bit-level representations for S-boxes and new constraints in the MILP problem, and applied the extended method to PRESENT-80 and LBlock. This kind of methods greatly depends on the constraints in the MILP problem describing the differential propagation of the block cipher. A more accurate description of the differential propagation leads to a tighter bound on the number of differentially active S-boxes. In this paper, we refine the constraints in the MILP problem describing XOR operations, and apply the refined MILP modeling to determine a lower bound of the number of active S-boxes for the Lai-Massey type block cipher FOX in the model of single-key differential attack, and obtain a tighter bound in FOX64 than existing results. Experimental results show that 6, instead of currently known 8, rounds of FOX64 is strong enough to resist against basic single-key differential attack since the differential characteristic probability is upper bounded by 2(-64), and thus the maximum differential characteristic probability of 12-round FOX64 is upper bounded by 2(-128), where 128 is the key-length of FOX64. We also get the lower bound of the number of differentially active S-boxes for 5-round FOX128, and proved the security of the full-round FOX128 with respect to single-key differential attack.

Improved MILP Modeling for Automatic Security Evaluation and Application to FOX.

Efficient Algorithms for Modeling SBoxes Using MILP

Explicit Upper Bound Of Impossible Differentials For AES-Like Ciphers: Application To uBlock And Midori

Theoretical Round Modification Fault Analysis on AEGIS-128 with Algebraic Techniques

Modeling Linear and Non-linear Layers: An MILP Approach Towards Finding Differential and Impossible Differential Propagations

Adaptive Side-Channel Analysis Model and Its Applications to White-Box Block Cipher Implementations.

Combining MILP modeling with algebraic bias evaluation for linear mask search: improved fast correlation attacks on SNOW

Improved Differential Fault Analysis on LED with Constraint Equations: Towards Reaching Its Limit

EasyBC: A Cryptography-Specific Language for Security Analysis of Block Ciphers against Differential Cryptanalysis

New Automatic Tool for Finding Impossible Differentials and Zero-Correlation Linear Approximations

MILP-based differential cryptanalysis on full-round shadow

New linear approximation of modular addition and improved differential-linear cryptanalysis of SPARX-64/128

MILP/MIQCP-Based Fully Automatic Method of Searching for Differential-Linear Distinguishers for SIMON-Like Ciphers

Enhanced Differential Cache Attacks on SM4 with Algebraic Analysis and Error-Tolerance

Improved Differential Fault Analysis Of Sosemanuk With Algebraic Techniques

Fault-cube attack on SIMON family of lightweight block ciphers

Improved Impossible Differential Attack on Reduced-Round LBlock.

The Exchange Attack and the Mixture Differential Attack Revisited: From the Perspective of Automatic Evaluation

Linear cryptanalysis of SPECK and SPARX

Differential analysis of block cipher FBC

Automatic Search of Meet-in-the-Middle Differential Fault Analysis on AES-like Ciphers.