Mixed-integer Linear Programming in the Analysis of Trivium and Ktantan

Abstract. In this paper we present a rather new approach to apply mixed-integer optimization to the cryptanalysis of cryptographic primitives. We focus on the stream cipher Trivium, that has been recommended by the eSTREAM stream cipher project, and the lightweight block cipher Ktantan. Using these examples we explain how the problem of solving a non-linear multivariate Boolean equation system can be formulated as a mixed-integer linear programming problem. Our main focus is the formulation of the mixed-integer programming model (MIP model), which includes amongst others the choice of a conversion method to convert the Boolean equations into equations over the reals, different guessing strategies and the selection of binary variables. We apply the commercial solver Cplex to our problems. The results and further possible features of the approach are discussed.

Cryptanalysis of the Light-Weight Cipher A2U2 - Reduced draft version

At IEEE RFID 2011, David et al. proposed a new cryptographic primitive for use with RFID [2]. The design is a stream cipher called A2U2. Shortly afterwards, an attack was published on IACR Eprint by Chai et al. [1], claiming to break the cipher in a chosen-plaintext attack using extremely little computational resources. Regrettably, this attack is wrong since it works with an erroneous description of the cipher. In this paper, we show why the attack is wrong and how it can be repaired. Furthermore, we describe a guess-and-determine attack which applies in a known plaintext scenario. A special design feature of A2U2 is that the number of initialization rounds varies and depends on an internal counter. The number of rounds varies from 9 to 126. We proposed a differential-style attack which enables us to find the counter value determining the number of initialization rounds. Moreover, we present an attack that recovers the masterkey in the case that only 9 initialization rounds are used

PRINCE – A Low-latency Block Cipher for Pervasive Computing Applications Full version

Abstract. This paper presents a block cipher that is optimized with respect to latency when implemented in hardware. Such ciphers are desirable for many future pervasive applications with real-time security needs. Our cipher, named PRINCE, allows encryption of data within one clock cycle with a very competitive chip area compared to known solutions. The fully unrolled fashion in which such algorithms need to be implemented calls for innovative design choices. The number of rounds must be moderate and rounds must have short delays in hardware. At the same time, the traditional need that a cipher has to be iterative with very similar round functions disappears, an observation that increases the design space for the algorithm. An important further requirement is that realizing decryption and encryption results in minimum additional costs. PRINCE is designed in such a way that the overhead for decryption on top of encryption is negligible. More precisely for our cipher it holds that decryption for one key corresponds to encryption with a related key. This property we refer to as α-reflection is of independent interest and we prove its soundness against generic attacks.