Abstract. In this paper, we study linear cryptanalysis of the ARX structure by means of automatic search. To evaluate the security of ARX designs against linear cryptanalysis, it is crucial to find (round-reduced) linear trails with maximum correlation. We model the problem of finding optimal linear trails by the boolean satisfiability problem (SAT), translate the propagation of masks through ARX operations into bitwise expressions and constraints, and then solve the problem using a SAT solver. We apply the me…
“…Finally, we do not know how to apply our method to ARX based constructions.…”
Section: Conclusion and Discussion
“…One paradigm for automatic symmetric-key cryptanalysis getting increasing popularity in recent years is to model the problem by means of constraints, which includes the methods based on SAT/SMT (satisfiability modulo theory) [6][7][8], MILP (mixed-integer linear programming) [9][10][11][12][13], and classical constraint programming [14,15]. In this paper, these methods are collectively referred to as the general constraint programming (CP) based approach, or just CP based approach for short.…”
Section: Introduction
“…The bytes in Guess($E_0$) and Guess($E_2$) are marked with red color. From the input state of round 0, we know that $\bar{A} = [0,2,3,4,5,6,7,8,9,10,13,14]$. Hence, the data complexity is $2^{8 \times 12} = 2^{96}$.…”
Cryptanalysis with SAT/SMT, MILP and CP has increased in popularity among symmetric-key cryptanalysts and designers due to its high degree of automation. So far, this approach covers differential, linear, impossible differential, zero-correlation, and integral cryptanalysis. However, the Demirci-Selçuk meet-in-the-middle (DS-MITM) attack is one of the most sophisticated techniques that has not been automated with this approach. By an in-depth study of Derbez and Fouque's work on DS-MITM analysis with dedicated search algorithms, we identify the crux of the problem and present a method for automatic DS-MITM attack based on general constraint programming, which allows the cryptanalysts to state the problem at a high level without having to say how it should be solved. Our method is not only able to enumerate distinguishers but can also partly automate the key-recovery process. This approach makes the DS-MITM cryptanalysis more straightforward and easier to follow, since the resolution of the problem is delegated to off-the-shelf constraint solvers and therefore decoupled from its formulation. We apply the method to SKINNY, TWINE, and LBlock, and we get the currently known best DS-MITM attacks on these ciphers. Moreover, to demonstrate the usefulness of our tool for the block cipher designers, we exhaustively evaluate the security of 8! = 40320 versions of LBlock instantiated with different word permutations in the F functions. It turns out that the permutation used in the original LBlock is one of the 64 permutations showing the strongest resistance against the DS-MITM attack. The whole process is accomplished on a PC in less than 2 hours. The same process is applied to TWINE, and similar results are obtained.
“…In 2013, Schulte-Geers used CCZ equivalence to improve the explicit formula for the calculation of linear correlation of modular addition [17]. Based on the improved formula and SAT solver model, Liu et al. obtained better linear characteristics for SPECK [18]: the optimal linear trails for SPECK32/48/64 with correlation close to the security boundary ($2^{-n/2}$) were obtained, and the 9/10-round linear hull with a potential of $2^{-29.1}$/$2^{-32.1}$ for SPECK32 was obtained.…”
Linear cryptanalysis is an important evaluation method for cryptographic primitives against key recovery attack. In this paper, we revisit the Walsh transformation for linear correlation calculation of modular addition, and an efficient algorithm is proposed to construct the input-output mask space of specified correlation weight. By filtering out the impossible large correlation weights in the first round, the search space of the first round can be substantially reduced. We introduce a concept of combinational linear approximation table (cLAT) for modular addition with two inputs. When one input mask is fixed, another input mask and the output mask can be obtained by the Splitting-Lookup-Recombination approach. We first split the n-bit fixed input mask into several subvectors and then find the corresponding bits of other masks, and in the recombination phase, pruning conditions can be used. By this approach, a large number of search branches in the middle rounds can be pruned. With the combination of the optimization strategies and the branch-and-bound search algorithm, we can improve the search efficiency for linear characteristics on ARX ciphers. The linear hulls for SPECK32/48/64 with a higher average linear potential (ALP) than existing results have been obtained. For SPARX variants, an 11-round linear trail and a 10-round linear hull have been found for SPARX-64 and a 10-round linear trail and a 9-round linear hull are obtained for SPARX-128. For Chaskey, a 5-round linear trail with a correlation of $2^{-61}$ has been obtained. For CHAM-64, 34/35-round optimal linear characteristics with a correlation of $2^{-31}$/$2^{-33}$ are found.
“…The main target of ShiftBits is to avoid trivial propagations of differences through the MixColumns operation where the modular additions are not effectively activated. The difference propagation through modular addition can be efficiently modelled with a SAT/SMT language similar to the techniques in [11,12]. As a result, we track the propagation of the differences through the round function, and obtain that when the rotational offset r is 3, an optimal differential characteristic of 4 rounds has a probability $2^{-42}$.…”
Section: Nonlinear Diffusion Function ρ and ψ
In the practice of block cipher design, there seems to have grown a consensus about the diffusion function that designers choose linear functions with large branch numbers to achieve provable bounds against differential and linear cryptanalysis. In this paper, we propose two types of nonlinear functions as alternative diffusing components. One is based on a nonlinear code with parameters (16,256,6) which is known as a Kerdock code. The other is a general construction of nonlinear functions based on the T-functions, in particular, two automatons with modular addition operations. We show that the nonlinear functions possess good diffusion properties; specifically, the nonlinear function based on a Kerdock code has a better branch number than any linear counterparts, while the automatons achieve the same branch number as a linear near-MDS matrix. The advantage of adopting nonlinear diffusion layers in block ciphers is that those functions provide extra confusion effect while a comparable performance in the diffusion effect is maintained. As an illustration, we show the application of the nonlinear diffusion functions in two example ciphers, where a 4-round differential characteristic with the optimal number of active Sboxes has a probability significantly lower ($2^{16}$ and $2^{10}$ times, respectively) than that of a similar cipher with a linear diffusion layer. As a result, it sheds light upon an alternative strategy of designing lightweight building blocks.