Automatic Generation of Declarative Models For Differential Cryptanalysis

When designing a new symmetric block cipher, it is necessary to evaluate its robustness against differential attacks. This is done by computing Truncated Differential Characteristics (TDCs) that provide bounds on the complexity of these attacks. TDCs are often computed by using declarative approaches such as CP (Constraint Programming), SAT, or ILP (Integer Linear Programming). However, designing accurate and efficient models for these solvers is a difficult, error-prone and time-consuming task, and it requires advanced skills on both symmetric cryptography and solvers. In this paper, we describe a tool for automatically generating these models, called Tagada (Tool for Automatic Generation of Abstraction-based Differential Attacks). The input of Tagada is an operational description of the cipher by means of black-box operators and bipartite Directed Acyclic Graphs (DAGs). Given this description, we show how to automatically generate constraints that model operator semantics, and how to generate MiniZinc models. We experimentally evaluate our approach on two different kinds of differential attacks (e.g., single-key and related-key) and four different symmetric block ciphers (e.g., the AES (Advanced Encryption Standard), Craft, Midori, and Skinny). We show that our automatically generated models are competitive with state-of-the-art approaches. These automatically generated models constitute a new benchmark composed of eight optimization problems and eight enumeration problems, with instances of increasing size in each problem. We experimentally compare CP, SAT, and ILP solvers on this new benchmark

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics. In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of 2−56.932−56.93, while the best single characteristic only suggests a probability of 2−722−72. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives. Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys

abstractXOR: A global constraint dedicated to differential cryptanalysis

International audienceConstraint Programming models have been recently proposed to solve cryptanalysis problems for symmetric block ciphers such as AES. These models are more efficient than dedicated approaches but their design is difficult: straightforward models do not scale well and it is necessary to add advanced constraints derived from cryptographic properties. We introduce a global constraint which simplifies the modelling step and improves efficiency. We study its complexity, introduce propagators and experimentally evaluate them on two cryptanalysis problems (single-key and related-key) for two block ciphers (AES and Midori)

STP Models of Optimal Differential and Linear Trail for S-box Based Ciphers

Automatic tools have played an important role in designing new cryptographic primitives and evaluating the security of ciphers. Simple Theorem Prover constraint solver (STP) has been used to search for differential/linear trails of ciphers. This paper proposes general STP-based models searching for differential and linear trails with the optimal probability and correlation for S-box based ciphers. In order to get trails with the best probability or correlation for ciphers with arbitrary S-box, we give an efficient algorithm to describe probability or correlation of S-Box. Based on the algorithm we present a search model for optimal differential and linear trails, which is efficient for ciphers with S-Boxes whose DDTs/LATs contain entities not equal to the power of two. Meanwhile, the STP-based model for single-key impossible differentials considering key schedule is proposed, which traces the propagation of values from plaintext to ciphertext instead of propagations of differences. And we found that there is no 5-round AES-128 single-key truncated impossible differential considering key schedule, where input and output differences have only one active byte respectively. Finally, our proposed models are utilized to search for trails of bit-wise ciphers GIFT-128, DES, DESL and ICEBERG and word-wise ciphers ARIA, SM4 and SKINNY-128. As a result, improved results are presented in terms of the number of rounds or probabilities/correlations

Quantum Multi-Collision Distinguishers

In EUROCRYPT~2020, Hosoyamada and Sasaki find differential paths with probability $2^{-2n/3}$ can be useful in quantum collision attacks, v.s. $2^{-n/2}$ for classical collision attacks. This observation led to attacks for more rounds on some AES-like hash functions. In this paper, we quantize the multi-collision distinguisher proposed by Biryukov, Khovratovich, and Nikolic̈ at CRYPTO~2009, and propose quantum multi-collision distinguishers. Compared against the tight bound $2^{\frac{n}{2} \cdot(1-\frac{1}{2^{q}-1})}$ for quantum multi-collision on ideal functions by Liu and Zhang in EUROCRYPT~2019, we find the probability of useful differential paths can be as low as $2^{-n}$. This leads to even more attacked rounds than both classical multi-collision distinguishers and quantum collision attacks. To demonstrate the effectiveness, we applied the attack model to AES, Rijndael, and the post-quantum block cipher design Saturnin. Distinguishing attacks are found on the full version of AES-192, AES-256, Rijndael-128-160, and Rijndael-128-224. Other results include 8-round AES-128, 11-round Rijndael-160-192, 12-round Rijndael-160-256, and 10-round Saturnin-256

A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics - Extended Version

An important criteria to assert the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure the immunity against differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. Doing so allows one to provide an upper bound on the probability of the best differential characteristic with a reduced computational cost. However, in order to design very efficient primitives, it might be needed to evaluate the probability more accurately. This is usually done in a second step, during which one tries to instantiate truncated differential characteristics with actual values and computes its corresponding probability. This step is usually done either with ad-hoc algorithms or with CP, SAT or MILP models that are solved by generic solvers. In this paper, we present a generic tool for automatically generating these models to handle all word-oriented ciphers. Furthermore the running times to solve these models are very competitive with all the previous dedicated approaches

Chosen-Key Distinguishing Attacks on Full AES-192, AES-256, Kiasu-BC, and More

At CRYPTO 2020, Liu et al. find that many differentials on Gimli are actually incompatible. On the related-key differential of AES, the incompatibilities also exist and are handled in different ad-hoc ways by adding respective constraints into the searching models. However, such an ad-hoc method is insufficient to rule out all the incompatibilities and may still output false positive related-key differentials. At CRYPTO 2022, a new approach combining a Constraint Programming (CP) tool and a triangulation algorithm to search for rebound attacks against AES- like hashing was proposed. In this paper, we combine and extend these techniques to create a uniform related-key differential search model, which can not only generate the related-key differentials on AES and similar ciphers but also immediately verify the existence of at least one key pair fulfilling the differentials. With the innovative automatic tool, we find new related-key differentials on full-round AES-192, AES-256, Kiasu-BC, and round-reduced Deoxys-BC. Based on these findings, full- round limited-birthday chosen-key distinguishing attacks on AES-192, AES-256, and Kiasu-BC are presented, as well as the first chosen-key dis- tinguisher on reduced Deoxys-BC. Furthermore, a limited-birthday dis- tinguisher on 9-round Kiasu-BC with practical complexities is found for the first time

MILP-aided Cryptanalysis of Some Block Ciphers

Symmetric-key cryptographic primitives, such as block ciphers, play a pivotal role in achieving confidentiality, integrity, and authentication – which are the core services of information security. Since symmetric-key primitives do not rely on well-defined hard mathematical problems, unlike public-key primitives, there are no formal mathematical proofs for the security of symmetric-key primitives. Consequently, their security is guaranteed only by measuring their immunity against a set of predefined cryptanalysis techniques, e.g., differential, linear, impossible differential, and integral cryptanalysis. The attacks based on cryptanalysis techniques usually include searching in an exponential space of patterns, and for a long time, cryptanalysts have performed this task manually. As a result, it has been hard, time-consuming, and an error-prone task. Indeed, the need for automatic tools becomes more pressing. This thesis is dedicated to investigating the security of symmetric-key cryptographic primitives, precisely block ciphers. One of our main goals is to utilize Mixed Integer Linear Programming (MILP) to automate the evaluation and the validation of block cipher security against a wide range of cryptanalysis techniques. Our contributions can be summarized as follows. First, we investigate the security of two recently proposed block ciphers, CRAFT and SPARX-128/256 against two variants of differential cryptanalysis. We utilize the simple key schedule of CRAFT to construct several repeatable 2-round related-key differential characteristics with the maximum differential probability. Consequently, we are able to mount a practical key recovery attack on full-round CRAFT in the related-key setting. In addition, we use impossible differential cryptanalysis to assess SPARX-128/256 that is provable secure against single-trail differential and linear cryptanalysis. As a result, we can attack 24 rounds similar to the internal attack presented by the designers. However, our attack is better than the integral attack regarding the time and memory complexities. Next, we tackle the limitation of the current Mixed Integer Linear Programming (MILP) model to automate the search for differential distinguishers through modular additions. The current model assumes that the inputs to the modular addition and the consecutive rounds are independent. However, we show that this assumption does not necessarily hold and the current model might lead to invalid attacks. Accordingly, we propose a more accurate MILP model that takes into account the dependency between consecutive modular additions. As a proof of the validity and efficiency of our model, we use it to analyze the security of Bel-T cipher—the standard of the Republic of Belarus. Afterwards, we shift focus to another equally important cryptanalysis technique, i.e., integral cryptanalysis using the bit-based division property (BDP). We present MILP models to automate the search for the BDP through modular additions with a constant and modular subtractions. Consequently, we assess the security of Bel-T block cipher against the integral attacks. Next, we analyze the security of the tweakable block cipher T-TWINE. We present key recovery attacks on 27 and 28 rounds of T-TWINE-80 and T-TWINE-128, respectively. Finally, we address the limitation of the current MILP model for the propagation of the bit-based division property through large non-bit-permutation linear layers. The current models are either inaccurate, which might lead to missing some balanced bits, or inefficient in terms of the number of constraints. As a proof of the effectiveness of our approach, we improve the previous 3- and 4-round integral distinguishers of the Russian encryption standard—Kuznyechik, and the 4-round one of PHOTON’s internal permutation (P288). We also report a 4-round integral distinguisher for the Ukrainian standard Kalyna and a 5-round integral distinguisher for PHOTON’s internal permutation (P288)

Cryptanalysis of Block Ciphers with New Design Strategies

Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public-key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers constructed with new design strategies. These new strategies include (i) employing simple round function, and modest key schedule, (ii) using another input called tweak rather than the usual two inputs of the block ciphers, the plaintext and the key, to instantiate different permutations for the same key. This type of block ciphers is called a tweakable block cipher, (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing optimal diffusion linear transformation layer while following the AES-based construction to provide faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely, Khudra and Piccolo against Meet-in-the-Middle (MitM) attack based on the Demirci and Selcuk approach exploiting the simple design of the key schedule and round function. Next, we investigate the security of two tweakable block ciphers, namely, Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present 8-round attack using MitM with efficient enumeration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of new low energy consumption block cipher, namely, Midori128 where we present the longest impossible differential distinguishers that cover complete 7 rounds. Then, we utilized 4 of these distinguishers to launch key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the impossible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian federation block cipher, against MitM with efficient enumeration cryptanalysis where we improve the previous results on Kuznyechik, using MitM attack with efficient enumeration, by presenting 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy, to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis