Efficient MILP Modelings for Sboxes and Linear Layers of SPN ciphers

Mixed Integer Linear Programming (MILP) solvers are regularly used by designers for providing security arguments and by cryptanalysts for searching for new distinguishers. For both applications, bitwise models are more refined and permit to analyze properties of primitives more accurately than word-oriented models. Yet, they are much heavier than these last ones. In this work, we first propose many new algorithms for efficiently modeling any subset of F2 with MILP inequalities. This permits, among others, to model differential or linear propagation through Sboxes. We manage notably to represent the differential behaviour of the AES Sbox with three times less inequalities than before. Then, we present two new algorithms inspired from coding theory to model complex linear layers without dummy variables. This permits us to represent many diffusion matrices, notably the ones of Skinny-128 and AES in a much more compact way. To demonstrate the impact of our new models on the solving time we ran experiments for both Skinny-128 and AES. Finally, our new models allowed us to computationally prove that there are no impossible differentials for 5-round AES and 13-round Skinny-128 with exactly one input and one output active byte, even if the details of both the Sbox and the linear layer are taken into account.

[1]  Vincent Rijmen,et al.  Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis , 2016, EUROCRYPT.

[2]  Sabrina Hirsch,et al.  Logic Minimization Algorithms For Vlsi Synthesis , 2016 .

[3]  Daesung Kwon,et al.  New Block Cipher: ARIA , 2003, ICISC.

[4]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[5]  Matthew J. B. Robshaw,et al.  PRINTcipher: A Block Cipher for IC-Printing , 2010, CHES.

[6]  Willard Van Orman Quine,et al.  The Problem of Simplifying Truth Functions , 1952 .

[7]  David A. Wagner,et al.  The Boomerang Attack , 1999, FSE.

[8]  Guang Gong,et al.  A unified method for finding impossible differentials of block cipher structures , 2014, Inf. Sci..

[9]  Lei Hu,et al.  Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers , 2014, ASIACRYPT.

[10]  Yu Sasaki,et al.  New Algorithm for Modeling S-box in MILP Based Differential and Division Trail Search , 2017, SECITC.

[11]  Thomas Peyrin,et al.  The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS , 2016, IACR Cryptol. ePrint Arch..

[12]  Chenhui Jin,et al.  More accurate results on the provable security of AES against impossible differential cryptanalysis , 2019, Designs, Codes and Cryptography.

[13]  Nripendra N. Biswas,et al.  Minimization of Boolean Functions , 1971, IEEE Transactions on Computers.

[14]  Guido Bertoni,et al.  Keccak sponge function family main document , 2009 .

[15]  Dawu Gu,et al.  Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming , 2011, Inscrypt.

[16]  Lei Hu,et al.  Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of ( Related-key ) Differential and Linear Characteristics with Predefined Properties , 2015 .

[17]  Thomas Peyrin,et al.  GIFT: A Small Present - Towards Reaching the Limit of Lightweight Encryption , 2017, CHES.

[18]  Jongsung Kim,et al.  Impossible Differential Cryptanalysis for Block Cipher Structures , 2003, INDOCRYPT.

[19]  Eli Biham,et al.  Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials , 1999, Journal of Cryptology.

[20]  Anne Canteaut,et al.  Saturnin: a suite of lightweight symmetric algorithms for post-quantum security , 2020, IACR Trans. Symmetric Cryptol..

[21]  Mingsheng Wang,et al.  Security Evaluation against Differential Cryptanalysis for Block Cipher Structures , 2011, IACR Cryptol. ePrint Arch..

[22]  Andrey Bogdanov,et al.  Fides: Lightweight Authenticated Cipher with Side-Channel Resistance for Constrained Hardware , 2013, CHES.

[23]  Amr M. Youssef,et al.  MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics , 2017, IACR Trans. Symmetric Cryptol..

[24]  Kazuhiro Yokoyama,et al.  The Block Cipher SC2000 , 2001, FSE.

[25]  Mingsheng Wang,et al.  Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers , 2012, INDOCRYPT.

[26]  Willard Van Orman Quine,et al.  A Way to Simplify Truth Functions , 1955 .

[27]  Yu Sasaki,et al.  New Impossible Differential Search Tool from Design and Cryptanalysis Aspects - Revealing Structural Properties of Several Ciphers , 2017, EUROCRYPT.