Zejun Xiang,Wentao Zhang,Zhenzhen Bao,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-53887-6_24

2016-01-01

Abstract:Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and very recently, Todo et al. proposed bit-based division property and applied to SIMON32 at FSE 2016. However, this technique can only be applied to block ciphers with block size no larger than 32 due to its high time and memory complexity. In this paper, we extend Mixed Integer Linear Programming (MILP) method, which is used to search differential characteristics and linear trails of block ciphers, to search integral distinguishers of block ciphers based on division property with block size larger than 32. Firstly, we study how to model division property propagations of three basic operations (copy, bitwise AND, XOR) and an Sbox operation by linear inequalities, based on which we are able to construct a linear inequality system which can accurately describe the division property propagations of a block cipher given an initial division property. Secondly, by choosing an appropriate objective function, we convert a search algorithm under Todo's framework into an MILP problem, and we use this MILP problem appropriately to search integral distinguishers. As an application of our technique, we have searched integral distinguishers for SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE. Our results show that we can find 14-, 16-, 18-, 22- and 26-round integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. Moreover, for two SP-network lightweight block ciphers PRESENT and RECTANGLE, we found 9-round integral distinguishers for both ciphers which are two more rounds than the best integral distinguishers in the literature [ 22,29]. For LBlock and TWINE, our results are consistent with the best known ones with respect to the longest distinguishers.

Zejun Xiang,Wentao Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-44524-3_9

2016-01-01

Abstract:SIMON is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. Due to its novel and bit-based design, integral cryptanalysis on SIMON seems a tough job. At EUROCRYPT 2015 Todo proposed division property which is a generalized integral property, and he applied this technique to searching integral distinguishers of SIMON block ciphers by considering the left and right halves of SIMON independently. As a result, he found 11-round integral distinguishers for both SIMON48 and SIMON64. Recently, at FSE 2016 Todo et al. proposed bit-based division property that considered each bit independently. This technique can find more accurate distinguishers, however, as pointed out by Todo et al. the time and memory complexity is bounded by 2(n) for an n-bit block cipher. Thus, bit-based division property is only applicable to SIMON32.In this paper we propose a new technique that achieves a trade-off between considering each bit independently and considering left and right halves as a whole, which is actually a trade-off between time-memory and the accuracy of the distinguishers. We proceed by splitting the state of SIMON into small pieces and study the division property propagations of circular shift and bitwise AND operations under the state partition. Moreover, we propose two different state partitions and study the influences of different partitions on the propagation of division property. We find that different partitions greatly impact the division property propagation of circular shift which will finally result in a big difference on the length of integral distinguishers. By using a tailored search algorithm for SIMON, we find 12-round integral distinguishers for Simon48 and Simon64 respectively, which improve Todo's results by one round for both variants.

Debranjan Pal,Vishal Pankaj Chandratreya,Abhijit Das,Dipanwita Roy Chowdhury

2024-05-01

Abstract:Symmetric key cryptography stands as a fundamental cornerstone in ensuring security within contemporary electronic communication frameworks. The cryptanalysis of classical symmetric key ciphers involves traditional methods and techniques aimed at breaking or analyzing these cryptographic systems. In the evaluation of new ciphers, the resistance against linear and differential cryptanalysis is commonly a key design criterion. The wide trail design technique for block ciphers facilitates the demonstration of security against linear and differential cryptanalysis. Assessing the scheme's security against differential attacks often involves determining the minimum number of active SBoxes for all rounds of a cipher. The propagation characteristics of a cryptographic component, such as an SBox, can be expressed using Boolean functions. Mixed Integer Linear Programming (MILP) proves to be a valuable technique for solving Boolean functions. We formulate a set of inequalities to model a Boolean function, which is subsequently solved by an MILP solver. To efficiently model a Boolean function and select a minimal set of inequalities, two key challenges must be addressed. We propose algorithms to address the second challenge, aiming to find more optimized linear and non-linear components. Our approaches are applied to modeling SBoxes (up to six bits) and EXOR operations with any number of inputs. Additionally, we introduce an MILP-based automatic tool for exploring differential and impossible differential propagations within a cipher. The tool is successfully applied to five lightweight block ciphers: Lilliput, GIFT64, SKINNY64, Klein, and MIBS.

Cryptography and Security

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/s00145-021-09383-2

2021-01-01

Journal of Cryptology

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 842-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack mounting to 893 rounds.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Fen Liu,Zhe Sun,Xi Luo,Chao Li,Junping Wan

DOI: https://doi.org/10.3390/math12111696

IF: 2.4

2024-05-31

Mathematics

Abstract:This paper delves into the realm of cryptographic analysis by employing mixed-integer linear programming (MILP), a powerful tool for automated cryptanalysis. Building on this foundation, we apply the division property method alongside MILP to conduct a comprehensive cryptanalysis of the IIoTBC (industrial Internet of Things block cipher) algorithm, a critical cipher in the security landscape of industrial IoT systems. Our investigation into IIoTBC System A has led to identifying a 14-round integral distinguisher, further extended to a 22-round key recovery. This significant finding underscores the cipher's susceptibility to sophisticated cryptanalytic attacks and demonstrates the profound impact of combining the division property method with MILP in revealing hidden cipher weaknesses. In the case of IIoTBC System B, our innovative approach has uncovered a full-round distinguisher. We provide theoretical validation for this distinguisher and uncover a pivotal structural issue in the System B algorithm, specifically the non-diffusion of its third branch. This discovery sheds light on inherent security challenges within System B and points to areas for potential enhancement in its design. Our research, through its methodical examination and analysis of the IIoTBC algorithm, contributes substantially to the field of cryptographic security, especially concerning industrial IoT applications. By uncovering and analyzing the vulnerabilities within IIoTBC, we enhance the understanding of cipher robustness and pave the way for advancements in securing industrial IoT communications.

mathematics

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-45721-1_17

2020-01-01

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Meltem Kurt Pehlivanoğlu,Mehmet Ali Demir

DOI: https://doi.org/10.7717/peerj-cs.1820

2024-01-20

PeerJ Computer Science

Abstract:Maximum distance separable (MDS) matrices are often used in the linear layer of a block cipher due to their good diffusion property. A well-designed lightweight MDS matrix, especially an involutory one, can provide both security and performance benefits to the cipher. Finding the corresponding effective linear straight-line program (SLP) of the circuit of a linear layer is still a challenging problem. In this article, first, we propose a new heuristic algorithm called Superior Boyar-Peralta (SBP) in the computation of the minimum number of two-input Exclusive-OR (XOR) gates with the minimum circuit depth for the SLPs. Contrary to the existing global optimization methods supporting only two-input XOR gates, SBP heuristic algorithm provides the best global optimization solutions, especially for extracting low-latency circuits. Moreover, we give a new 4 × 4 involutory MDS matrix over F24, which requires only 41 XOR gates and depth 3 after applying SBP heuristic, whereas the previously best-known cost is 45 XOR gates with the same depth. In the second part of the article, for further optimization of the circuit area of linear layers with multiple-input XOR gates, we enhance the recently proposed BDKCI heuristic algorithm by incorporating circuit depth awareness, which limits the depth of the circuits created. By using the proposed circuit depth-bounded version of BDKCI, we present better circuit implementations of linear layers of block ciphers than those given in the literature. For instance, the given circuit for the AES MixColumn matrix only requires 44 XOR gates/depth 3/240.95 GE in the STM 130 nm (simply called ASIC4) library, while the previous best-known result is 55 XOR gates/depth 5/243.00 GE. Much better, our new 4 × 4 involutory MDS matrix requires only 19 XOR gates/depth3/79.75 GE in the STM 90 nm (simply called ASIC1) library, which is the lightest and superior to the state-of-the-art results.

computer science, information systems, artificial intelligence, theory & methods

Wenya Li,Kai Zhang,Bin Hu

DOI: https://doi.org/10.1049/2024/6164262

2024-06-04

IET Information Security

Abstract:Differential and linear cryptanalysis are two important methods to evaluate the security of block ciphers. Building on these two methods, differential‐linear (DL) cryptanalysis was introduced by Langford and Hellman in 1994. This cryptanalytic method has been not only extensively researched but also proven to be effective. In this paper, a security evaluation framework for AND‐RX ciphers against DL cryptanalysis is proposed, which is denoted as K6. In addition to modeling the structure of all the possible differential trails and linear trails at the bit level, we introduce a method to calculate this structure round by round. Based on this approach, an automatic algorithm is proposed to construct the DL distinguisher. Unlike previous methods, K6 uses a truncated differential and a linear hull instead of a differential characteristic and a linear approximation, which brings the bias of the DL distinguisher close to the experimental value. To validate the effectiveness of the framework, K6 is applied to Simon and Simeck, which are two typical AND‐RX ciphers. With the automatic algorithm, we discover an 11‐round DL distinguisher of Simon32 with bias 2−14.89 and a 12‐round DL distinguisher of Simeck32 with bias 2−14.89. Moreover, the 14‐round DL distinguisher of Simon48 with bias 2−22.30 is longer than the longest DL distinguisher currently known. In addition, the framework K6 shows advantages when analyzing ciphers with large block sizes. As far as we know, for Simon64/96/128 and Simeck48/64, the first DL distinguishers are obtained with our framework. The DL distinguishers are 16, 23, 32, 17, and 22 rounds of Simon64/96/128 and Simeck48/64 with bias 2−24.31, 2−47.57, 2−60.75, 2−22.54, and 2−31.41, respectively. To prove the correctness of distinguishers, experiments on Simon32 and Simeck32 have been performed. The experimental bias are 2−13.76 and 2−14.82, respectively. Comparisons of the theoretical and experimental results show good agreement.

computer science, information systems, theory & methods

Yi Chen,Zhenzhen Bao,Hongbo Yu

DOI: https://doi.org/10.1007/978-981-99-8727-6_8

2023-01-01

Abstract:The differential-linear attack is one of the most effective attacks against ARX ciphers. However, two technical problems are preventing it from being more effective and having more applications: (1) there is no efficient method to search for good differential-linear approximations. Existing methods either have many constraints or are currently inefficient. (2) partitioning technique has great potential to reduce the time complexity of the key-recovery attack, but there is no general tool to construct partitions for ARX ciphers. In this work, we step forward in solving the two problems. First, we propose a novel idea for generating new good differential-linear approximations from known ones, based on which new searching algorithms are designed. Second, we propose a general tool named partition tree, for constructing partitions for ARX ciphers. Based on these new techniques, we present better attacks for two ISO/IEC standards, i.e., LEA and Speck. For LEA, we present the first 17-round distinguisher which is 1 round longer than the previous best distinguisher. Furthermore, we present the first key recovery attacks on 17-round LEA-128, 18-round LEA-192, and 18-round LEA-256, which attack 3, 4, and 3 rounds more than the previous best attacks. For Speck, we find better differential-linear distinguishers for Speck48 and Speck64. The first differential-linear distinguishers for Speck96 and Speck128 are also presented.

Debranjan Pal,Vishal Pankaj Chandratreya,Dipanwita Roy Chowdhury

2023-06-05

Abstract:Mixed Integer Linear Programming (MILP) is a well-known approach for the cryptanalysis of a symmetric cipher. A number of MILP-based security analyses have been reported for non-linear (SBoxes) and linear layers. Researchers proposed word- and bit-wise SBox modeling techniques using a set of inequalities which helps in searching differential trails for a cipher. In this paper, we propose two new techniques to reduce the number of inequalities to represent the valid differential transitions for SBoxes. Our first technique chooses the best greedy solution with a random tiebreaker and achieves improved results for the 4-bit SBoxes of MIBS, LBlock, and Serpent over the existing results of Sun et al. [25]. Subset addition, our second approach, is an improvement over the algorithm proposed by Boura and Coggia. Subset addition technique is faster than Boura and Coggia [10] and also improves the count of inequalities. Our algorithm emulates the existing results for the 4-bit SBoxes of Minalpher, LBlock, Serpent, Prince, and Rectangle. The subset addition method also works for 5-bit and 6-bit SBoxes. We improve the boundary of minimum number inequalities from the existing results for 5-bit SBoxes of ASCON and SC2000. Application of subset addition technique for 6-bit SBoxes of APN, FIDES, and SC2000 enhances the existing results. By applying multithreading, we reduced the execution time needed to find the minimum inequality set over the existing techniques.

Cryptography and Security

Kai Zhang,Senpeng Wang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Tairong Shi

DOI: https://doi.org/10.1109/tit.2023.3292241

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (short for ID) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications, this calculation is beyond actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness from each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers and it is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four family ciphers-SIMON, Simeck, Friet-PC and SAND are investigated. For SIMON and Simeck, the lengths of current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend previous longest IDs by one round and all these newly proposed distinguishers reached corresponding provable security boundaries. For Simeck, the length of longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increased ratio for the quantity can reach 300%. Besides, the practical boundary of SIMON is investigated, the results indicate that for SIMON, the practical boundary is identical with the provable security boundary or the boundary derived with the automatic searching method.

Nobuyuki Sugio

DOI: https://doi.org/10.1049/2024/1741613

2024-08-26

IET Information Security

Abstract:Many lightweight block ciphers have been proposed for IoT devices that have limited resources. SLIM, LBC‐IoT, and SLA are lightweight block ciphers developed for IoT systems. The designer of SLIM presented a 7‐round differential distinguisher and an 11‐round linear trail using a heuristic method. We have comprehensively sought the longest distinguisher for linear cryptanalysis, zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack using the mixed integer linear Programming (MILP) on SLIM, LBC‐IoT, and SLA. The search led to discovery of a 16‐round linear trail on SLIM, which is 5‐round longer than the earlier result. We have also discovered 7‐, 7‐, and 9‐round distinguishers for zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack, which are new results for SLIM. We have revealed 9‐, 8‐, and 11‐round distinguishers on LBC‐IoT for zero‐correlation linear cryptanalysis, impossible differential attack, and integral attack. We have presented full‐round distinguishers on SLA for integral attack using only two chosen plaintexts. We performed a key recovery attack on 16‐round SLIM with an experimental verification. This verification took 106 s with a success rate of 93%. Moreover, we present a key recovery attack on 19‐round SLIM using 16‐round linear trail with correlation 2−15: the necessary number of known plaintext–ciphertext pairs is 231; the time complexity is 264.4 encryptions; and the memory complexity is 238 bytes. Results show that this is the current best key recovery attack on SLIM. Because the recommended number of rounds is 32, SLIM is secure against linear cryptanalysis, as demonstrated herein.

computer science, information systems, theory & methods

Yong Liu,Zejun Xiang,Siwei Chen,Shasha Zhang,Xiangyong Zeng

DOI: https://doi.org/10.1007/978-3-031-33488-7_5

2023-01-01

Abstract:The Mixed Integer Linear Programming (MILP) is a common method of searching for impossible differentials (IDs). However, the optimality of the distinguisher should be confirmed by an exhaustive search of all input and output differences, which is clearly computationally infeasible due to the huge search space. In this paper, we propose a new technique that uses two-dimensional binary variables to model the input and output differences and characterize contradictions with constraints. In our model, the existence of IDs can be directly obtained by checking whether the model has a solution. In addition, our tool can also detect any contradictions between input and output differences by changing the position of the contradictions. Our method is confirmed by applying it to several block ciphers, and our results show that we can find 6-, 13-, and 12-round IDs for Midori-64, CRAFT, and SKINNY-64 within a few seconds, respectively. Moreover, by carefully analyzing the key schedule of Midori-64, we propose an equivalent key transform technique and construct a complete MILP model for an 11-round impossible differential attack (IDA) on Midori-64 to search for the minimum number of keys to be guessed. Based on our automatic technique, we present a new 11-round IDA on Midori-64, where 23 nibbles of keys need to be guessed, which reduces the time complexity compared to previous work. The time and data complexity of our attack are 2 116.59 and 2 60 , respectively. To the best of our knowledge, this is the best IDA on Midori-64 at present.

Nicky Mouha,Qingju Wang,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.1007/978-3-642-34704-7_5

2011-01-01

Abstract:Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.

Yiyuan Luo,Xuejia Lai,Zhongming Wu,Guang Gong

DOI: https://doi.org/10.1155/2017/5980251

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:In this paper, we propose a systematic method for finding impossible differentials for block cipher structures, which we call the unified impossible differential finding method or UID-method. It is more effective than the U-method introduced by Kim et al. We apply the UID-method to some well-known block cipher structures. Using it, we find a 16-round impossible differential for Gen-Skipjack and a 19-round impossible differential for Gen-CAST256. By this result we can disprove Sung’s long standing conjecture that no such differential is possible for 16 or more rounds. On Gen-MARS and SMS4, the impossible differentials found by the UID-method are much longer than those found by the U-method. On the Four-Cell and Gen-RC6 block ciphers, our results are the same as the best results previously obtained.

Kai Hu,Siwei Sun,Meiqin Wang,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_15

2020-01-01

Abstract:Since it was proposed in 2015 as a generalization of integral properties, the division property has evolved into a powerful tool for probing the structures of Boolean functions whose algebraic normal forms are not available. We capture the most essential elements for the detection of division properties from a pure algebraic perspective, proposing a technique named as monomial prediction , which can be employed to determine the presence or absence of a monomial in any product of the coordinate functions of a vectorial Boolean function f by counting the number of the so-called monomial trails across a sequence of simpler functions whose composition is f . Under the framework of the monomial prediction, we formally prove that most algorithms for detecting division properties in literature raise no false alarms but may miss. We also establish the equivalence between the monomial prediction and the three-subset bit-based division property without unknown subset presented at EUROCRYPT 2020, and show that these two techniques are perfectly accurate. The monomial prediction technique can be regarded as a purification of the definitions of the division properties without resorting to external multisets. This algebraic formulation gives more insights into division properties and inspires new search strategies. With the monomial prediction, we obtain the exact algebraic degrees of Trivium up to 834 rounds for the first time. In the context of cube attacks, we are able to explore a larger search space in limited time and recover the exact algebraic normal forms of complex superpolies with the help of a divide-and-conquer strategy. As a result, we identify more cubes with smaller dimensions, leading to improvements of some near-optimal attacks against 840-, 841- and 842-round Trivium.

Cui Tingting,Chen Shiyao,Fu Kai,Wang Meiqin,Jia Keting

DOI: https://doi.org/10.1007/s11432-018-1506-4

2020-01-01

Science China Information Sciences

Abstract:Impossible differential and zero-correlation linear cryptanalysis are two of the most powerful cryptanalysis methods in the field of symmetric key cryptography. There are several automatic tools to search such trails for ciphers with S-boxes. These tools focus on the properties of linear layers, and idealize the underlying S-boxes, i.e., assume any input and output difference pairs are possible. In reality, such S-box never exists, and the possible output differences with any fixed input difference can be at most half of the entire space. Hence, some of the possible differential trails under the ideal world become impossible in reality, possibly resulting in impossible differential trails for more rounds. In this paper, we firstly take the differential and linear properties of non-linear components such as S-box into consideration and propose a new automatic tool to search impossible differential trails for ciphers with S-box. We then generalize the tool to modulo addition, and apply it to ARX ciphers. To demonstrate the usefulness of the tool, we apply it to HIGHT, SHACAL-2, LEA, LBlock. As a result, it improves the best existing results of each cipher. keywords Impossible differential cryptanalysis, zero-correlation linear cryptanalysis, MILP, automatic tool

Yiran Xing,Hailun Yan,Xuejia Lai

DOI: https://doi.org/10.1145/3207677.3278003

2018-01-01

Abstract:Division(1) property is a generalized integral property proposed by Todo at Eurocrypt 2015, which has been used in the analysis of various symmetric-key algorithms. At Asiacrypt 2017, Sun et al. proposed automatic tools based on Boolean Satisfiability Problem (SAT) to detect the division property of ARX ciphers. In this paper, we first exploit Karnaugh map to simplify the logical SAT expressions given by Sun et al., thereby reducing the number of variables and expressions used in modeling the division property propagation of Copy, AND and XOR, as well as other complicated operations based on these three basic operations. Then, we show how to model the division property propagation against the modular multiplication operation. Note that the modular multiplication operation has not been handled in previous work but used in some block ciphers like IDEA.

Lele Chen,Gaoli Wang,GuoYan Zhang

DOI: https://doi.org/10.1093/comjnl/bxz076

2019-10-15

The Computer Journal

Abstract:Abstract The rectangle attack is the extension of the traditional differential attack and is evolved from the boomerange attack. It has been widely used to attack several existing ciphers. In this article, we study the security of lightweight block ciphers GIFT, Khudra and MIBS against related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search rectangle distinguishers by taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack on 23-round GIFT-64, which requires 260 chosen plaintexts and 2107 encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of 262.9 chosen plaintexts and a time complexity of 273.9 encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity of 259 and data complexity of 245. Compared to the previous best related-key rectangle attack, we can attack one more round on Khudra and MIBS-64 than before.