Speeding Up the Search Algorithm for the Best Differential and Best Linear Trails

To judge the resistance of a block cipher to differential or linear cryptanalysis, it is necessary to establish an upper bound on the probability of the best differential or on the bias of the best linear approximation. However, obtaining a tight upper bound is not a trivial problem. We approach it by searching for the best differential and the best linear trails, which is a challenging task in itself. Building on previous work, we propose new strategies that speed up the search algorithm, which we call starting from the narrowest point, concretizing and grouping search patterns, and trialling in minimal changes order. The efficiency of the resulting improved algorithms allows us to state that the probability (bias) of the best 4-round differential (linear) trail in NOEKEON is \(2^{-51}\) (\(2^{-25}\)) and that the probability (bias) of the best 10-round (11-round) differential (linear) trail is at most \(2^{-131}\) (\(2^{-71}\)). For SPONGENT, the best differential trails for certain numbers of rounds in the permutation functions with width \(b\in \{88, 136, 176, 240\}\) are found. This allows us to update some results presented by its designers.
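The search that such strategies accelerate builds on the classic Matsui-style branch-and-bound for the best trail: the exact best weights for 1..n-1 rounds bound every partial n-round trail, and partial trails that cannot beat the best complete trail found so far are pruned. As an added illustration, not the paper's code and not implementing its new strategies, the block below runs that baseline on a constructed toy SPN (8-bit block, two copies of PRESENT's 4-bit S-box, an assumed bit permutation) and cross-checks it against an exhaustive shortest-path DP that is only feasible at toy size.

```python
from math import log2
# Constructed toy cipher: 8-bit block, two copies of PRESENT's 4-bit S-box, then an
# assumed bit permutation (S-layer output bit i moves to position PERM[i]).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [0, 2, 4, 6, 1, 3, 5, 7]
DDT = [[0] * 16 for _ in range(16)]
for x in range(16):
    for dx in range(16):
        DDT[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1
# Possible S-box transitions per input difference, weight = -log2(probability).
SW = {dx: [(dy, log2(16 / c)) for dy, c in enumerate(DDT[dx]) if c] for dx in range(16)}

def round_transitions(din):
    """All (output difference, weight) pairs of one round for input difference din."""
    outs = [(0, 0.0)]
    for s in range(2):  # combine the transitions of both S-boxes (nibble s)
        nib = (din >> (4 * s)) & 0xF
        outs = [(acc | (dy << (4 * s)), w + wy) for acc, w in outs for dy, wy in SW[nib]]
    return [(sum(((d >> i) & 1) << PERM[i] for i in range(8)), w) for d, w in outs]

def best_trails(rounds):
    """B[n] = (weight, trail) for n = 1..rounds; trail = round inputs plus final output.
    The n-round search reuses the exact B[1..n-1] to prune partial trails."""
    B, results = [0.0], []
    for n in range(1, rounds + 1):
        best = [float("inf"), None]
        def search(i, din, w, trail):
            if i and w + B[n - i] >= best[0]:  # remaining n-i rounds cost at least B[n-i]
                return
            if i == n:
                best[:] = [w, trail]
                return
            for dout, wr in sorted(round_transitions(din), key=lambda t: t[1]):
                search(i + 1, dout, w + wr, trail + [dout])  # cheapest transitions first
        for d0 in range(1, 256):
            search(0, d0, 0.0, [d0])
        B.append(best[0])
        results.append(tuple(best))
    return results

def best_weight_dp(n):
    """Cross-check: shortest-path DP over all 255 differences, feasible only at toy size."""
    cost = {d: 0.0 for d in range(1, 256)}
    for _ in range(n):
        nxt = {}
        for d, w in cost.items():
            for dout, wr in round_transitions(d):
                nxt[dout] = min(nxt.get(dout, float("inf")), w + wr)
        cost = nxt
    return min(cost.values())
```

For a real 64- or 128-bit cipher the DP over all differences is impossible, which is why the quality of the bound and the order in which candidates are tried decide whether the branch-and-bound finishes at all.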
