Speeding up MILP Aided Differential Characteristic Search with Matsui's Strategy

Matsui's branch-and-bound search algorithm (EUROCRYPT 1994), the first generic algorithm for finding the best differential and linear characteristics, and its variants have played an important role in the security analysis of symmetric-key primitives. However, Matsui's algorithm is difficult to implement, to optimize, and to apply to different ciphers with reusable code. Another approach that has become popular in recent years is to encode the search problem as a Mixed Integer Linear Programming (MILP) model, which can then be solved by open-source or commercially available optimizers. In this work, we show how to tweak the objective functions of the MILP models for finding differential characteristics so that a set of constraints derived from the bounding condition of Matsui's algorithm can be incorporated into the models. We apply the new modeling strategy to PRESENT (an S-box based SPN design), SIMON (a Feistel structure), and SPECK (an ARX construction). For PRESENT, the resolution time is reduced significantly: for example, the time needed to prove the exact lower bound of the probabilities of the differential characteristics for 7-round PRESENT drops from 48638 s to 656 s. For SIMON, a clear speedup is also observed, whereas for the ARX cipher SPECK the new model does not speed up the resolution. It would be interesting to investigate in future work how to integrate other search heuristics proposed in the symmetric-key cryptanalysis literature into the MILP models, and how to accelerate the resolution of MILP models for finding characteristics of ARX ciphers.
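As an added example (not the paper's code), the bounding condition that the paper folds into its MILP models is shown here in a plain Matsui-style branch-and-bound over a constructed toy SPN built from two PRESENT S-boxes and an assumed bit permutation; the toy cipher, the permutation and all function names are the editor's assumptions.

```python
"""Matsui-style branch-and-bound for the best (minimum-weight) differential characteristic
of a toy 8-bit SPN: two PRESENT S-boxes, then a bit permutation. Constructed example; the
toy cipher and the code are the editor's, not the paper's. Weight = -log2(probability)."""
import math
from itertools import product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [0, 2, 4, 6, 1, 3, 5, 7]  # assumed toy layer: S-box output bit i moves to bit PERM[i]

def ddt(sbox):
    """Difference distribution table: t[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    t = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for din in range(16):
            t[din][sbox[x] ^ sbox[x ^ din]] += 1
    return t

DDT = ddt(SBOX)
# Feasible S-box transitions per input difference, cheapest first; weight = log2(16 / count).
TRANS = {d: sorted(((o, math.log2(16 / c)) for o, c in enumerate(DDT[d]) if c), key=lambda t: t[1])
         for d in range(16)}

def permute(v):
    return sum(1 << PERM[i] for i in range(8) if v >> i & 1)

def round_transitions(delta):
    """Yield (output difference, weight) for one round applied to input difference delta."""
    for (o1, w1), (o2, w2) in product(TRANS[delta & 0xF], TRANS[delta >> 4]):
        yield permute(o1 | o2 << 4), w1 + w2

def best_weights(rounds):
    """Return B with B[r] = minimum weight of any r-round characteristic, r = 0..rounds.
    B[1..r-1] are known before the r-round search starts, so Matsui's bounding condition
    can drop a partial trail of weight w over i rounds as soon as w + B[r - i] >= best."""
    B = [0.0]
    for r in range(1, rounds + 1):
        best = math.inf  # Matsui seeds this with an estimate; here the first leaf supplies it
        def dfs(delta, done, w):
            nonlocal best
            if done and w + B[r - done] >= best:  # the bounding condition
                return
            if done == r:
                best = w
                return
            for nxt, wr in round_transitions(delta):
                dfs(nxt, done + 1, w + wr)
        for delta in range(1, 256):  # every non-zero input difference roots a search tree
            dfs(delta, 0, 0.0)
        B.append(best)
    return B
```

For this toy cipher the search returns B[1..4] = 2, 4, 6, 8; the paper's contribution is to express the same w + B[r - i] bound as MILP constraints instead of as a pruning test in hand-written search code.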