Accelerating the Search of Differential and Linear Characteristics with the SAT Method release_sfdtcdt3cbhdjmoozh5qjasawy

by Ling Sun, Wei Wang, Meiqin Wang

Published in IACR Transactions on Symmetric Cryptology by Universitatsbibliothek der Ruhr-Universitat Bochum.

2021   p269-315


The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui's bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting.
In application/xml+jats format

Archived Files and Locations

application/pdf  1.7 MB
file_fnnoid6cpvfzfjoxtifh6jrzfa (publisher) (webarchive)
Read Archived PDF
Preserved and Accessible
Type  article-journal
Stage   published
Date   2021-03-19
Container Metadata
Open Access Publication
Not in Keepers Registry
ISSN-L:  2519-173X
Work Entity
access all versions, variants, and formats of this works (eg, pre-prints)
Catalog Record
Revision: 64ea122b-efb7-46f3-bc29-a0135a545444