MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics

Abdelkhalek, Ahmed; Sasaki, Yasutsuna; Todo, Yosuke; Tolba, Mohamed F.; Youssef, Amr M.

doi:10.46586/tosc.v2017.i4.99-129

Cited by 44 publications

(20 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, to search the best probability of the truncated differential characteristic, we use the idea of [19] to separate the DDT to pd‐ DDT according to the probability. We use the new method to obtain the inequalities for each pd‐ DDT.…”

Section: New Methods To Generate the Inequalities For Large S‐boxesmentioning

confidence: 99%

See 1 more Smart Citation

New method to describe the differential distribution table for large S‐boxes in MILP and its application

Zhang

et al. 2019

IET Information Security

View full text Add to dashboard Cite

Section: New Methods To Generate the Inequalities For Large S‐boxesmentioning

confidence: 99%

“…Abdelkhalek et al . [19] first proposed a method to generate the inequalities of the DDT for the large S‐boxes. They converted the problem of generating constraints in logic condition modelling into the problem of minimising the product‐of‐sum of Boolean functions which is a well‐studied problem.…”

Section: Introductionmentioning

confidence: 99%

New method to describe the differential distribution table for large S‐boxes in MILP and its application

Zhang

et al. 2019

IET Information Security

View full text Add to dashboard Cite

“…This section aims to provide the first analysis of the linear properties of the Gimli permutation and its components. We use a Mixed Integer Linear Programming (MILP) modelization of the operations constructed according to [1], and then solve it with the SCIP software [17,18] to search for linear trails with optimal correlation. Linear trails of the (double) SP-box We begin by studying the linear trails of the SP-Box.…”

Section: Linear Cryptanalysismentioning

confidence: 99%

“…The 23-round distinguisher could be extended by 1 round for free if the rounds were shifted. 1 Using similar guess-and-determine ideas, we increase to 12 the number of rounds susceptible to collision attacks on Gimli-Hash. A reduced-round version of this attack has been implemented.…”

Section: Introductionmentioning

confidence: 99%

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Gutierrez

Leurent

Naya-Plasencia

et al. 2020

Advances in Cryptology – ASIACRYPT 2020

View full text Add to dashboard Cite

Gimli is a family of cryptographic primitives (both a hash function and an AEAD scheme) that has been selected for the second round of the NIST competition for standardizing new lightweight designs. The candidate Gimli is based on the permutation Gimli, which was presented at CHES 2017. In this paper, we study the security of both the permutation and the constructions that are based on it. We exploit the slow diffusion in Gimli and its internal symmetries to build, for the first time, a distinguisher on the full permutation of complexity 2 64 . We also provide a practical distinguisher on 23 out of the full 24 rounds of Gimli that has been implemented. Next, we give (full state) collision and semi-free-start collision attacks on Gimli-Hash, reaching respectively up to 12 and 18 rounds. On the practical side, we compute a collision on 8-round Gimli-Hash. In the quantum setting, these attacks reach 2 more rounds. Finally, we perform the first study of linear trails in the permutation, and we propose differentiallinear cryptanalysis that reach up to 17 rounds of Gimli.

show abstract

“…8-bit S-boxes) as the complexity of generating the initial set of inequalities is too high. However, Abdelkhalek et al showed a new method in [1] to tackle this problem, and thus proposed a way to modelize 8-bit S-boxes in MILP. Note that while this allows us to modelize 8-bit S-boxes, it often leads to a lot of inequalities, thus the resulting model can be quite huge and this can result in a high solving time.…”

Section: Modelizing Division Property Propagation With Milpmentioning

confidence: 99%

Linearly equivalent S-boxes and the division property

Lambin

Derbez

Fouque

2020

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Division property is a cryptanalysis method that proves to be very efficient on block ciphers. Computer-aided techniques such as MILP have been widely and successfully used to study various cryptanalysis techniques, and it especially led to many new results for the division property. Nonetheless, we claim that the previous techniques do not consider the full search space. We show that even if the previous techniques fail to find a distinguisher based on the division property over a given function, we can potentially find a relevant distinguisher over a linearly equivalent function. We show that the representation of the block cipher heavily influences the propagation of the division property, and exploiting this, we give an algorithm to efficiently search for such linear mappings. As a result, we exhibit a new distinguisher over 10 rounds of , while the previous best was over 9 rounds, and rule out such a distinguisher over more than 9 rounds of . We also give some insight about the construction of an S-box to strengthen a block cipher against our technique. We prove that using an S-box satisfying a certain criterion is optimal in term of resistance against classical division property. Accordingly, we exhibit stronger variants of and , improving the resistance against division property based distinguishers by 2 rounds.

show abstract

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics

Cited by 44 publications

References 14 publications

New method to describe the differential distribution table for large S‐boxes in MILP and its application

New method to describe the differential distribution table for large S‐boxes in MILP and its application

New Results on Gimli: Full-Permutation Distinguishers and Improved Collisions

Linearly equivalent S-boxes and the division property

Contact Info

Product

Resources

About