2017
DOI: 10.46586/tosc.v2017.i1.281-306

Analysis of AES, SKINNY, and Others with Constraint Programming

Abstract: Search for different types of distinguishers are common tasks in symmetric-key cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. leads to the solution of the open problem of determining the exact lower bound of the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied in searching for integral d…

citations
Cited by 45 publications
(17 citation statements)
references
References 21 publications
“…In the related-key setting, we only considered differential cryptanalysis, as there is no cancellation of active S-boxes between subkeys and the state in linear approximations. In [73], it is shown that in the related-key setting, there are at least 21 active S-boxes in consecutive 6 rounds of AES-128, and the optimal 6-round differential has probability . Therefore, no useful related-key differential characteristic covering more than can be found no matter whether there is a difference in the tweak or not.…”
Section: Concrete Proposals (mentioning)
confidence: 99%
“…On top of that, designers also assume that the probability of a differential $(\Delta_p, \Delta_c)$ is close to the probability of the best characteristic $(\Delta_p \to \cdots \to \Delta_c)$, and they prove a cipher is secure against differential cryptanalysis by showing that characteristics with high probability cannot cover most rounds of the cipher. While these assumptions do not always hold, currently this is the best systematic approach to argue security against differential cryptanalysis, and this heuristic approach is widely used for ARX ciphers in practice [18,19,23,25,33,34]. SMT solvers.…”
Section: Differential Cryptanalysis (mentioning)
confidence: 99%
“…Even if they have been used to mount attacks in the related-key settings [6], the key schedules are in most cases merely involved in the key recovery attack to reduce the guessing complexity by exploring the relations among the round keys. As a matter of fact, the key schedules are considered irrelevant to the distinguishers themselves in the single-key setting, such as the search of differential characteristics with an automated tool [32] and the differential enumerating technique developed for improving the meet-in-the-middle attack [14].…”
Section: Block Ciphers and Differential Cryptanalysis (mentioning)
confidence: 99%