More Accurate Differential Properties of LED64 and Midori64

In differential cryptanalysis, a differential is more valuable than the single trail belonging to it in general. The traditional way to compute the probability of the differential is to sum the probabilities of all trails within it. The automatic tool for the search of differentials based on Mixed Integer Linear Programming (MILP) has been proposed and realises the task of finding multiple trails of a given differential. The problem is whether it is reliable to evaluate the probability of the differential traditionally. In this paper, we focus on two lightweight block ciphers – LED64 and Midori64 and show the more accurate estimation of differential probability considering the key schedule. Firstly, an automated tool based on Boolean Satisfiability Problem (SAT) is put forward to accomplish the automatic search of differentials for ciphers with S-boxes and is applied to LED64 and Midori64. Secondly, we provide an automatic approach to detect the right pairs following a given differential, which can be exploited to calculate the differential property. Applying this technique to the STEP function of LED64, we discover some differentials with enhanced probability. As a result, the previous attacks relying upon high probability differentials can be improved definitely. Thirdly, we present a method to compute an upper-bound of the weak-key ratio for a given differential, which is utilised to analyse 4-round differentials of Midori64. We detect two differentials whose weak-key ratios are much lower than the expected 50%. More than 78% of the keys will make these two differentials being impossible differentials. The idea of the estimation for an upper-bound of the weak-key ratio can be employed for other ciphers and allows us to launch differential attacks more reliably. Finally, we introduce how to compute the enhanced differential probability and evaluate the size of keys achieving the improved probability. Such a property may incur an efficient weak-key attack. For a 4-round differential of Midori64, we obtain an improved differential property for a portion of keys.

[1]  Amr M. Youssef,et al.  MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics , 2017, IACR Trans. Symmetric Cryptol..

[2]  Xuejia Lai,et al.  Markov Ciphers and Differential Cryptanalysis , 1991, EUROCRYPT.

[3]  Willard Van Orman Quine,et al.  A Way to Simplify Truth Functions , 1955 .

[4]  Lei Hu,et al.  Analysis of AES, SKINNY, and Others with Constraint Programming , 2017, IACR Trans. Symmetric Cryptol..

[5]  Thomas Peyrin,et al.  The LED Block Cipher , 2011, IACR Cryptol. ePrint Arch..

[6]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[7]  Yishay Mansour,et al.  A construction of a cipher from a single pseudorandom permutation , 1997, Journal of Cryptology.

[8]  Gregory V. Bard,et al.  Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers , 2007, IACR Cryptol. ePrint Arch..

[9]  Mitsuru Matsui,et al.  New Block Encryption Algorithm MISTY , 1997, FSE.

[10]  Carsten Sinz,et al.  Towards an Optimal CNF Encoding of Boolean Cardinality Constraints , 2005, CP.

[11]  E. McCluskey Minimization of Boolean functions , 1956 .

[12]  Lei Hu,et al.  Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers , 2014, ASIACRYPT.

[13]  Vincent Rijmen,et al.  Differential Analysis of the LED Block Cipher , 2012, IACR Cryptol. ePrint Arch..

[14]  Vincent Rijmen,et al.  Automatic Search of Linear Trails in ARX with Applications to SPECK and Chaskey , 2016, ACNS.

[15]  Vincent Rijmen,et al.  Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis , 2015, CRYPTO.

[16]  Alex Biryukov,et al.  Distinguisher and Related-Key Attack on the Full AES-256 , 2009, CRYPTO.

[17]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[18]  Vincent Rijmen,et al.  Probability distributions of correlation and differentials in block ciphers , 2007, J. Math. Cryptol..

[19]  Vincent Rijmen,et al.  Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers , 2009, Computing.

[20]  Kyoji Shibutani,et al.  Security Analysis of the Lightweight Block Ciphers XTEA, LED and Piccolo , 2012, ACISP.

[21]  Qianqian Yang,et al.  Automatic Differential Analysis of ARX Block Ciphers with Application to SPECK and LEA , 2016, IACR Cryptol. ePrint Arch..

[22]  Martin R. Albrecht,et al.  Cold Boot Key Recovery by Solving Polynomial Systems with Noise , 2011, ACNS.

[23]  Robert K. Brayton,et al.  Logic Minimization Algorithms for VLSI Synthesis , 1984, The Kluwer International Series in Engineering and Computer Science.

[24]  Kaisa Nyberg,et al.  Differentially Uniform Mappings for Cryptography , 1994, EUROCRYPT.

[25]  Stephen A. Cook,et al.  The complexity of theorem-proving procedures , 1971, STOC.

[26]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[27]  Stefan Kölbl,et al.  Observations on the SIMON Block Cipher Family , 2015, CRYPTO.

[28]  Shuang Wu,et al.  Cryptanalysis of Round-Reduced LED , 2015, IACR Cryptol. ePrint Arch..