CryptoSAT: a tool for SAT‐based cryptanalysis

Lafitte, Frédéric

doi:10.1049/iet-ifs.2017.0176

Cited by 8 publications

(6 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Encoding table constraints with SAT. In [Laf18], Lafitte describes how to encode a relation R ⊆ {0, 1} n (such that R is composed of k words of {0, 1} n ) as a SAT formula with 2 n − k clauses: Each of these clauses is a disjunction of n litterals which forbids one word of {0, 1} n \ R. This encoding may be used to model the S-box differential relation and, in this case, we have 33150 clauses for each byte that passes through an active S-box. In [SWW18], Sun et al show how to reduce the number of clauses by using the same approach as in [AST + 17].…”

Section: Methodsmentioning

confidence: 99%

“…In [Wal00], Walsh shows that enforcing arc consistency on a binary constraint filters more values than unit propagation on the kind of SAT encoding proposed in [Laf18,SWW18]. This explains why SAT solvers on this encoding are usually outperformed by CP solvers.…”

Section: Methodsmentioning

confidence: 99%

“…Similarly to ILP, non linear operations such as SubBytes are not straightforward to model by means of clauses. In [Laf18], Lafitte shows how to encode a relation associated with a non linear operation into a set of clauses and, in [SWW18], Sun et al show how to reduce the number of clauses of this kind of encoding by using the same approach as in [AST + 17]. [LCM + 17] for modeling algebraic sidechannel attack on AES and in [RSM + 11] to design the non-linear part of a block cipher with good properties.…”

Section: Declarative Approaches For Cryptanalytic Problemsmentioning

confidence: 99%

See 2 more Smart Citations

Computing AES related-key differential characteristics with constraint programming

Gerault

Lafourcade

Minier

et al. 2020

Artificial Intelligence

View full text Add to dashboard Cite

Cryptanalysis aims at testing the properties of encryption processes, and this usually implies solving hard optimization problems. In this paper, we focus on related-key differential attacks for the Advanced Encryption Standard (AES), which is the encryption standard for block ciphers. To mount these attacks, cryptanalysts need to solve the optimal related-key differential characteristic problem. Dedicated approaches do not scale well for this problem, and need weeks to solve its hardest instances. In this paper, we improve existing Constraint Programming (CP) approaches for computing optimal related-key differential characteristics: we add new constraints that detect inconsistencies sooner, and we introduce a new decomposition of the problem in two steps. These improvements allow us to compute all optimal related-key differential characteristics for AES-128, AES-192 and AES-256 in a few hours.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

Section: Declarative Approaches For Cryptanalytic Problemsmentioning

confidence: 99%

See 1 more Smart Citation

Computing AES related-key differential characteristics with constraint programming

Gerault

Lafourcade

Minier

et al. 2020

Artificial Intelligence

View full text Add to dashboard Cite

show abstract

“…As soon as R1 or R2 can be chosen,weak states can be reached for reduced round versions, although the numberof satisfiable instances decreases as a function of the number of rounds. Theseweak state have no concern to the security feature of ZUC [6] [7].…”

Section: Guess-and-determine Attack[5]mentioning

confidence: 99%

Review on LTE Cryptography Algorithm ZUC and its Attacks

Lawange¹,

Narnaware²

2018

IJERMT

View full text Add to dashboard Cite

Abstract:ecurity is the important when it comes to wireless communication, and as the expectations of people increased, the data service now arrived at LTE. The faster data access and communication with high priority security. ZUC is the algorithm adopted to provide security under third set of LTE i.e. EEA3 and EIA3. The algorithms are used for confidentiality and integrity protection over the air. To analyze the security level of the algorithm different attacks were published in literature. The aim of this paper is to discuss the working of ZUC algorithm in detail. Also different attacks are listed in the last section.Keywords: LTE; ZUC; Cryptanalysis; SAT; Chosen IV; TMTO I. INTRODUCTIONThe data and voice communication happens over the air thus security algorithms were introduced. As the stream ciphers are computationally efficient, stream ciphers are preferred over block ciphers for security. For the GSM, A5 family of algorithms are used, for 3G KASUMI, SNOW 3G are used. As the algorithms were analyzed, the need for more efficient security algorithm is arrived. Cellular technology plays an important role in society, it becomes the primary source to the Internet for most of the population. The deployment of 4G LTE technology makes the data accessibility fast and still evolving. ZUC is a stream cipher based security algorithm designed by Data Assurance and Communication Security Research Center (DACAS) at Chinese Academy of Sciences. It is used in the confidentiality and integrity algorithm 128-EEA3 and 128-EIA3 [1] of 3GPP standard as their core component for 4G. LTE is the dominant over the air interface technology across the world.LTE security [12] involves authentication, confidentiality, hardware security and network security, however this report is mostly focused on software related security. The cryptographic algorithms used to secure the air interface and perform subscriber authentication functions were not publicly disclosed for the 2G GSM systems. The GSM makes uses of A3, A5, and A8 algorithm, A5 provides confidentiality, and A3 and A8 is for authentication. The UEA and UIA algorithms are used within UMTS for security. A 128-bit block cipher called KASUMI UEA1 is used for 3G security. UIA1 is a message authentication code based on KASUMI. UEA2 is a stream cipher related to SNOW 3G, and UIA2 computes a MAC using SNOW for authentication. In mobile communication networks, authentication refers to the process of determining whether a user is an authorized subscriber to the network that he/she is trying to access. Among various authentication procedures available in such networks, EPS AKA (Authentication and Key Agreement) procedure is used in LTE networks for mutual authentication between users and networks. The EPS AKA procedure consists of two steps.1. First, an HSS (Home Subscriber Server) generates EPS authentication vector(s) (RAND, AUTN, XRES, KASME) and delivers them to an MME. 2. Then in the second step, the MME selects one of the authentication vectors and uses it for mutual authentication with ...

show abstract

“…Similarly to ILP, non linear operations such as SubBytes are not straight-forward to model by means of clauses. In [18], Lafitte shows how to encode a relation associated with a non linear operation into a set of clauses and, in [24], Sun et al show how to reduce the number of clauses by using the same approach as in [1]. However, the resulting SAT model does not scale well and cannot solve Step2 for AES, for example.…”

mentioning

confidence: 99%

abstractXOR: A global constraint dedicated to differential cryptanalysis

Rouquette

Solnon

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Constraint Programming models have been recently proposed to solve cryptanalysis problems for symmetric block ciphers such as AES. These models are more efficient than dedicated approaches but their design is difficult: straightforward models do not scale well and it is necessary to add advanced constraints derived from cryptographic properties. We introduce a global constraint which simplifies the modelling step and improves efficiency. We study its complexity, introduce propagators and experimentally evaluate them on two cryptanalysis problems (single-key and related-key) for two block ciphers (AES and Midori). 1 Motivations Symmetric bloc ciphers use a secret key K to cipher an input text X 0 into a cipher text X r in such a way that X r can be deciphered back into X 0 with the same key K. Differential cryptanalysis aims at evaluating if we can guess K by studying difference propagation during ciphering [6]. These differences are obtained by applying a XOR (bitwise exclusive or, denoted ⊕) between two input texts. In the related-key attack [5], differences are also introduced in keys. For mounting these attacks, we must compute Maximum Differential Characteristics (MDCs), i.e., most probable differences. A widely used symmetric block cipher is AES [10]. However, AES is rather time consuming, and lighter ciphers must be designed for devices with limited computational resources. Each time a new cipher is designed, we must compute MDCs to evaluate its robustness with respect to differential attacks. In this section, we illustrate MDCs on Midori128 [2], which is a lighweight cipher simpler to explain than AES. However, all models can be extended to AES and to other existing symmetric block ciphers, and we experimentally evaluate our approach on both Midori and AES. Midori128. The ciphering iterates r rounds and each round is composed of four operations: SubBytes replaces every byte with another byte according to a given lookup table; ShuffleCells moves bytes; and MixColumns and AddKey perform XORs. For each round i ∈ [0, r − 1], X i denotes the text state at the beginning of round i, and S i , Y i , and Z i denote intermediate text states after each operation: S i is the result of applying Sub-Bytes on X i ; Y i is the result of applying ShuffleCells on S i ; Z i is the result of applying MixColumns on Y i ; and X i+1 is the result of applying AddKey on Z i and K. The goal of the MDC problem is to compute differences. We denote δK the differences in the key (i.e., δK is the result of applying a XOR between two keys), and δX i

show abstract

CryptoSAT: a tool for SAT‐based cryptanalysis

Cited by 8 publications

References 19 publications

Computing AES related-key differential characteristics with constraint programming

Computing AES related-key differential characteristics with constraint programming

Review on LTE Cryptography Algorithm ZUC and its Attacks

abstractXOR: A global constraint dedicated to differential cryptanalysis

Contact Info

Product

Resources

About