Accelerating the Search of Differential and Linear Characteristics with the SAT Method

Accelerating the Search of Differential and Linear Characteristics with the SAT Method

The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enh...

Full description

Bibliographic Details
Main Authors: Ling Su, Wei Wang, Meiqin Wang
Format: Article
Language:English
Published: Ruhr-Universität Bochum 2021-03-01
Series:IACR Transactions on Symmetric Cryptology
Subjects:
Automatic search
SAT method
Differential cryptanalysis
Linear cryptanalysis
Matsui’s bounding condition
Online Access:https://tosc.iacr.org/index.php/ToSC/article/view/8840
id doaj-de7acb012b524244aac7b5186fd96f30
record_format Article
spelling doaj-de7acb012b524244aac7b5186fd96f302021-03-20T13:57:47ZengRuhr-Universität BochumIACR Transactions on Symmetric Cryptology2519-173X2021-03-012021110.46586/tosc.v2021.i1.269-315Accelerating the Search of Differential and Linear Characteristics with the SAT MethodLing Su0Wei Wang1Meiqin Wang2Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; School of Cyber Science and Technology, Shandong University, Qingdao, ChinaKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; School of Cyber Science and Technology, Shandong University, Qingdao, ChinaKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; School of Cyber Science and Technology, Shandong University, Qingdao, China The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting. https://tosc.iacr.org/index.php/ToSC/article/view/8840Automatic searchSAT methodDifferential cryptanalysisLinear cryptanalysisMatsui’s bounding condition
collection DOAJ
language English
format Article
sources DOAJ
author Ling Su
Wei Wang
Meiqin Wang
spellingShingle Ling Su
Wei Wang
Meiqin Wang
Accelerating the Search of Differential and Linear Characteristics with the SAT Method
IACR Transactions on Symmetric Cryptology
Automatic search
SAT method
Differential cryptanalysis
Linear cryptanalysis
Matsui’s bounding condition
author_facet Ling Su
Wei Wang
Meiqin Wang
author_sort Ling Su
title Accelerating the Search of Differential and Linear Characteristics with the SAT Method
title_short Accelerating the Search of Differential and Linear Characteristics with the SAT Method
title_full Accelerating the Search of Differential and Linear Characteristics with the SAT Method
title_fullStr Accelerating the Search of Differential and Linear Characteristics with the SAT Method
title_full_unstemmed Accelerating the Search of Differential and Linear Characteristics with the SAT Method
title_sort accelerating the search of differential and linear characteristics with the sat method
publisher Ruhr-Universität Bochum
series IACR Transactions on Symmetric Cryptology
issn 2519-173X
publishDate 2021-03-01
description The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting.
topic Automatic search
SAT method
Differential cryptanalysis
Linear cryptanalysis
Matsui’s bounding condition
url https://tosc.iacr.org/index.php/ToSC/article/view/8840
work_keys_str_mv AT lingsu acceleratingthesearchofdifferentialandlinearcharacteristicswiththesatmethod
AT weiwang acceleratingthesearchofdifferentialandlinearcharacteristicswiththesatmethod
AT meiqinwang acceleratingthesearchofdifferentialandlinearcharacteristicswiththesatmethod
_version_ 1724211497450602496

Similar Items