scholarly journals Accelerating the Search of Differential and Linear Characteristics with the SAT Method

2021 ◽  
pp. 269-315
Author(s):  
Ling Sun ◽  
Wei Wang ◽  
Meiqin Wang
Keyword(s):  
Satisfiability Modulo Theories ◽  
Mixed Integer ◽  
Key Recovery ◽  
Differential Probability ◽  
Boolean Satisfiability Problem ◽  
Boolean Formulas ◽  
Automatic Search ◽  
Key Recovery Attack ◽  
Original Objective ◽  
Encoding Method

The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting.

scholarly journals Linear Cryptanalyses of Three AEADs with GIFT-128 as Underlying Primitives

2021 ◽  
pp. 199-221
Author(s):  
Ling Sun ◽  
Wei Wang ◽  
Meiqin Wang
Keyword(s):  
Linear Approximation ◽  
Boolean Satisfiability ◽  
Satisfiability Problem ◽  
Linear Cryptanalysis ◽  
Key Recovery ◽  
Boolean Satisfiability Problem ◽  
Automatic Search ◽  
Key Recovery Attack ◽  
Key Recovery Attacks ◽  
Associated Data

This paper considers the linear cryptanalyses of Authenticated Encryptions with Associated Data (AEADs) GIFT-COFB, SUNDAE-GIFT, and HyENA. All of these proposals take GIFT-128 as underlying primitives. The automatic search with the Boolean satisfiability problem (SAT) method is implemented to search for linear approximations that match the attack settings concerning these primitives. With the newly identified approximations, we launch key-recovery attacks on GIFT-COFB, SUNDAE-GIFT, and HyENA when the underlying primitives are replaced with 16-round, 17-round, and 16-round versions of GIFT-128. The resistance of GIFT-128 against linear cryptanalysis is also evaluated. We present a 24-round key-recovery attack on GIFT-128 with a newly obtained 19-round linear approximation. We note that the attack results in this paper are far from threatening the security of GIFT-COFB, SUNDAE-GIFT, HyENA, and GIFT-128.

scholarly journals Automatic Search of Cubes for Attacking Stream Ciphers

2021 ◽  
pp. 100-123
Author(s):  
Yao Sun
Keyword(s):  
Heuristic Method ◽  
Stream Ciphers ◽  
Divide And Conquer ◽  
Key Recovery ◽  
Cube Attack ◽  
Automatic Search ◽  
The Common ◽  
Key Recovery Attack ◽  
First Time ◽  
Key Recovery Attacks

Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to find “good” superpolys, which is equivalent to finding “good” cubes. However, there are two difficulties in finding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”.In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable, if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes efficiently. This heuristic method is based on the divide-and-conquer strategy as well as an observation.For verifications of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium, such that we proposed, as far as we know, the first theoretical key-recovery attack against 843-round Trivium, while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by finding many small valuable cubes, we presented practical attacks against 806- and 808-round Trivium for the first time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

scholarly journals Cryptanalysis of Reduced round SKINNY Block Cipher

2018 ◽  
pp. 124-162 ◽  
Author(s):  
Sadegh Sadeghi ◽  
Tahereh Mohammadi ◽  
Nasour Bagheri
Keyword(s):  
Mixed Integer Linear Programming ◽  
Block Cipher ◽  
Mixed Integer ◽  
Differential Attack ◽  
Key Recovery ◽  
Zero Correlation ◽  
Impossible Differential ◽  
Key Recovery Attack ◽  
Correlation Attacks ◽  
Impossible Differential Cryptanalysis

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones.

scholarly journals Automatic Search for the Linear (Hull) Characteristics of ARX Ciphers: Applied to SPECK, SPARX, Chaskey, and CHAM-64

2020 ◽  
Vol 2020 ◽  
pp. 1-14 ◽  
Author(s):  
Mingjiang Huang ◽  
Liming Wang
Keyword(s):  
Evaluation Method ◽  
Search Algorithm ◽  
Search Space ◽  
Linear Potential ◽  
Linear Hull ◽  
Key Recovery ◽  
Large Correlation ◽  
Optimal Linear ◽  
Automatic Search ◽  
Key Recovery Attack

Linear cryptanalysis is an important evaluation method for cryptographic primitives against key recovery attack. In this paper, we revisit the Walsh transformation for linear correlation calculation of modular addition, and an efficient algorithm is proposed to construct the input-output mask space of specified correlation weight. By filtering out the impossible large correlation weights in the first round, the search space of the first round can be substantially reduced. We introduce a concept of combinational linear approximation table (cLAT) for modular addition with two inputs. When one input mask is fixed, another input mask and the output mask can be obtained by the Splitting-Lookup-Recombination approach. We first split the n-bit fixed input mask into several subvectors and then find the corresponding bits of other masks, and in the recombination phase, pruning conditions can be used. By this approach, a large number of search branches in the middle rounds can be pruned. With the combination of the optimization strategies and the branch-and-bound search algorithm, we can improve the search efficiency for linear characteristics on ARX ciphers. The linear hulls for SPECK32/48/64 with a higher average linear potential (ALP) than existing results have been obtained. For SPARX variants, an 11-round linear trail and a 10-round linear hull have been found for SPARX-64 and a 10-round linear trail and a 9-round linear hull are obtained for SPARX-128. For Chaskey, a 5-round linear trail with a correlation of 2−61 has been obtained. For CHAM-64, 34/35-round optimal linear characteristics with a correlation of 2−31/2−33 are found.

scholarly journals More Accurate Differential Properties of LED64 and Midori64

2018 ◽  
pp. 93-123
Author(s):  
Ling Sun ◽  
Wei Wang ◽  
Meiqin Wang
Keyword(s):  
Upper Bound ◽  
Step Function ◽  
Differential Property ◽  
Mixed Integer ◽  
Accurate Estimation ◽  
Differential Probability ◽  
Boolean Satisfiability Problem ◽  
Automatic Tool ◽  
The Right ◽  
Differential Properties

In differential cryptanalysis, a differential is more valuable than the single trail belonging to it in general. The traditional way to compute the probability of the differential is to sum the probabilities of all trails within it. The automatic tool for the search of differentials based on Mixed Integer Linear Programming (MILP) has been proposed and realises the task of finding multiple trails of a given differential. The problem is whether it is reliable to evaluate the probability of the differential traditionally. In this paper, we focus on two lightweight block ciphers – LED64 and Midori64 and show the more accurate estimation of differential probability considering the key schedule. Firstly, an automated tool based on Boolean Satisfiability Problem (SAT) is put forward to accomplish the automatic search of differentials for ciphers with S-boxes and is applied to LED64 and Midori64. Secondly, we provide an automatic approach to detect the right pairs following a given differential, which can be exploited to calculate the differential property. Applying this technique to the STEP function of LED64, we discover some differentials with enhanced probability. As a result, the previous attacks relying upon high probability differentials can be improved definitely. Thirdly, we present a method to compute an upper-bound of the weak-key ratio for a given differential, which is utilised to analyse 4-round differentials of Midori64. We detect two differentials whose weak-key ratios are much lower than the expected 50%. More than 78% of the keys will make these two differentials being impossible differentials. The idea of the estimation for an upper-bound of the weak-key ratio can be employed for other ciphers and allows us to launch differential attacks more reliably. Finally, we introduce how to compute the enhanced differential probability and evaluate the size of keys achieving the improved probability. Such a property may incur an efficient weak-key attack. For a 4-round differential of Midori64, we obtain an improved differential property for a portion of keys.

scholarly journals Cryptanalysis of Loiss Stream Cipher-Revisited

2014 ◽  
Vol 2014 ◽  
pp. 1-7
Author(s):  
Lin Ding ◽  
Chenhui Jin ◽  
Jie Guan ◽  
Qiuyan Wang
Keyword(s):  
Time Complexity ◽  
Stream Cipher ◽  
Linear Equations ◽  
Data Complexity ◽  
Secret Key ◽  
Key Recovery ◽  
Systems Of Linear Equations ◽  
Key Recovery Attack ◽  
Better Than

Loiss is a novel byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2231and a data complexity of 268, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 216. Furthermore, a related key chosenIVattack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 280, requiring 264chosenIVs. The related key attack is minimal in the sense that it only requires one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than an exhaustive key search in the related key setting.

scholarly journals A Formal Approach for Cautious Reasoning in Answer Set Programming (Extended Abstract)

2020 ◽  
Author(s):  
Giovanni Amendola ◽  
Carmine Dodaro ◽  
Marco Maratea
Keyword(s):  
Answer Set Programming ◽  
Satisfiability Modulo Theories ◽  
Propositional Satisfiability ◽  
Formal Approach ◽  
Boolean Formulas ◽  
Reasoning Tasks ◽  
Answer Set

The issue of describing in a formal way solving algorithms in various fields such as Propositional Satisfiability (SAT), Quantified SAT, Satisfiability Modulo Theories, Answer Set Programming (ASP), and Constraint ASP, has been relatively recently solved employing abstract solvers. In this paper we deal with cautious reasoning tasks in ASP, and design, implement and test novel abstract solutions, borrowed from backbone computation in SAT. By employing abstract solvers, we also formally show that the algorithms for solving cautious reasoning tasks in ASP are strongly related to those for computing backbones of Boolean formulas. Some of the new solutions have been implemented in the ASP solver WASP, and tested.

Sign in / Sign up

Export Citation Format

Share Document