Efficient MILP Modelings for Sboxes and Linear Layers of SPN ciphers

• Main Authors: Christina Boura, Daniel Coggia
• Format: Article
• Language: English
• Published: Ruhr-Universität Bochum 2020-09-01
• Series: IACR Transactions on Symmetric Cryptology
• Subjects: MILP; Sbox; Linear Layer; Impossible Differential
• Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/8705

Mixed Integer Linear Programming (MILP) solvers are regularly used by designers for providing security arguments and by cryptanalysts for searching for new distinguishers. For both applications, bitwise models are more refined and permit to analyze properties of primitives more accurately than word-oriented models. Yet, they are much heavier than these last ones. In this work, we first propose many new algorithms for efficiently modeling any subset of Fn2 with MILP inequalities. This permits, among others, to model differential or linear propagation through Sboxes. We manage notably to represent the differential behaviour of the AES Sbox with three times less inequalities than before. Then, we present two new algorithms inspired from coding theory to model complex linear layers without dummy variables. This permits us to represent many diffusion matrices, notably the ones of Skinny-128 and AES in a much more compact way. To demonstrate the impact of our new models on the solving time we ran experiments for both Skinny-128 and AES. Finally, our new models allowed us to computationally prove that there are no impossible differentials for 5-round AES and 13-round Skinny-128 with exactly one input and one output active byte, even if the details of both the Sbox and the linear layer are taken into account.