Accelerating the Search of Differential and Linear Characteristics with the SAT Method
The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enha...
Saved in:
| Published in | IACR Transactions on Symmetric Cryptology Vol. 2021; no. 1; pp. 269 - 315 |
|---|---|
| Main Authors | , , |
| Format | Journal Article |
| Language | English |
| Published |
Ruhr-Universität Bochum
01.01.2021
|
| Subjects | |
| Online Access | Get full text |
Cover
Loading…
| Abstract | The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting. |
|---|---|
| AbstractList | The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui’s bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability 2−58, we launch a 26-round key-recovery attack with 260.96 chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64. Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting. |
| Author | Wang, Wei Sun, Ling Wang, Meiqin |
| Author_xml | – sequence: 1 givenname: Ling surname: Sun fullname: Sun, Ling – sequence: 2 givenname: Wei surname: Wang fullname: Wang, Wei – sequence: 3 givenname: Meiqin surname: Wang fullname: Wang, Meiqin |
| BookMark | eNqFkF1LwzAYhYMoOOf-guQPtCZpmibgzZhfg4kXTvEuvE3TNaM2kgbFf2_cFMQbr877wTkcnhN0OPjBInRGSc5FKcV59KPJ3xhhNHc0Z0JlBS0P0ISVVGW0Kp4Pf83HaDaOW0IIk6oQXE3Q09wY29sA0Q0bHDuLHywE02Hf4kvXtjbYITroMQwNXrkhPfGigwAm2uDG6MyI313s9tb5Gt_Z2PnmFB210I929q1T9Hh9tV7cZqv7m-VivspMIVTM6rYgwirCmCCk4qpKaoBJawjlUjJLOCVCpbUuatlwXsiSNU2lqFRQtaaYouU-t_Gw1a_BvUD40B6c3h182GgIqWRvdWMrMDWhrC4ZZ5wDmKouqRRto0TqkbIu9lkm-HEMttXGxcTFDzGA6zUleodcfyHXO-TaUZ2Q64Q82cUf-0-df4yf18KJbg |
| CitedBy_id | crossref_primary_10_1007_s10623_025_01611_1 crossref_primary_10_23919_cje_2021_00_415 crossref_primary_10_1016_j_jisa_2025_104016 crossref_primary_10_1049_2024_5574862 crossref_primary_10_1007_s12095_024_00708_z crossref_primary_10_1016_j_jisa_2021_103087 crossref_primary_10_23919_cje_2022_00_313 crossref_primary_10_1587_transfun_2023EAP1149 crossref_primary_10_1007_s13389_022_00298_7 crossref_primary_10_1007_s10623_023_01259_9 crossref_primary_10_1016_j_jisa_2022_103129 crossref_primary_10_1049_2024_8315115 crossref_primary_10_1360_SSI_2023_0189 crossref_primary_10_62056_a3n59qgxq crossref_primary_10_1186_s42400_023_00184_7 crossref_primary_10_1007_s10623_024_01527_2 crossref_primary_10_1007_s11424_024_3168_2 crossref_primary_10_1049_2023_5323380 crossref_primary_10_1007_s10623_022_01034_2 crossref_primary_10_1587_transfun_2023EAP1098 crossref_primary_10_1002_int_23078 crossref_primary_10_1016_j_jisa_2024_103773 crossref_primary_10_1109_ACCESS_2021_3116468 crossref_primary_10_1007_s00145_024_09499_1 crossref_primary_10_1016_j_jisa_2024_103737 crossref_primary_10_1093_comjnl_bxab213 crossref_primary_10_3390_electronics13163141 crossref_primary_10_1109_ACCESS_2023_3270396 crossref_primary_10_1016_j_jisa_2022_103316 crossref_primary_10_1049_ise2_12119 crossref_primary_10_1093_comjnl_bxac169 crossref_primary_10_1093_comjnl_bxac102 crossref_primary_10_1007_s10623_025_01571_6 crossref_primary_10_1093_comjnl_bxad071 crossref_primary_10_1109_ACCESS_2024_3434594 |
| ContentType | Journal Article |
| DBID | AAYXX CITATION DOA |
| DOI | 10.46586/tosc.v2021.i1.269-315 |
| DatabaseName | CrossRef DOAJ Directory of Open Access Journals |
| DatabaseTitle | CrossRef |
| DatabaseTitleList | CrossRef |
| Database_xml | – sequence: 1 dbid: DOA name: Directory of Open Access Journals (DOAJ) url: https://www.doaj.org/ sourceTypes: Open Website |
| DeliveryMethod | fulltext_linktorsrc |
| EISSN | 2519-173X |
| EndPage | 315 |
| ExternalDocumentID | oai_doaj_org_article_de7acb012b524244aac7b5186fd96f30 10_46586_tosc_v2021_i1_269_315 |
| GroupedDBID | AAYXX ADBBV ALMA_UNASSIGNED_HOLDINGS BCNDV CITATION GROUPED_DOAJ |
| ID | FETCH-LOGICAL-c369t-bf306e90226007497260ca28ec014882e041069ec0b3b8d443852dd79189a7fc3 |
| IEDL.DBID | DOA |
| ISSN | 2519-173X |
| IngestDate | Wed Aug 27 01:12:54 EDT 2025 Tue Jul 01 03:41:35 EDT 2025 Thu Apr 24 23:06:07 EDT 2025 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 1 |
| Language | English |
| License | http://creativecommons.org/licenses/by/4.0 |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-c369t-bf306e90226007497260ca28ec014882e041069ec0b3b8d443852dd79189a7fc3 |
| OpenAccessLink | https://doaj.org/article/de7acb012b524244aac7b5186fd96f30 |
| PageCount | 47 |
| ParticipantIDs | doaj_primary_oai_doaj_org_article_de7acb012b524244aac7b5186fd96f30 crossref_citationtrail_10_46586_tosc_v2021_i1_269_315 crossref_primary_10_46586_tosc_v2021_i1_269_315 |
| ProviderPackageCode | CITATION AAYXX |
| PublicationCentury | 2000 |
| PublicationDate | 2021-01-01 |
| PublicationDateYYYYMMDD | 2021-01-01 |
| PublicationDate_xml | – month: 01 year: 2021 text: 2021-01-01 day: 01 |
| PublicationDecade | 2020 |
| PublicationTitle | IACR Transactions on Symmetric Cryptology |
| PublicationYear | 2021 |
| Publisher | Ruhr-Universität Bochum |
| Publisher_xml | – name: Ruhr-Universität Bochum |
| SSID | ssj0002893649 |
| Score | 2.4504037 |
| Snippet | The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search... |
| SourceID | doaj crossref |
| SourceType | Open Website Enrichment Source Index Database |
| StartPage | 269 |
| SubjectTerms | Automatic search Differential cryptanalysis Linear cryptanalysis Matsui’s bounding condition SAT method |
| Title | Accelerating the Search of Differential and Linear Characteristics with the SAT Method |
| URI | https://doaj.org/article/de7acb012b524244aac7b5186fd96f30 |
| Volume | 2021 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwrV07T8MwELZQJxYEAkR5yQNr2qZ-j6VQVUhlalE3y744qKhKEQR-P-c4oHbqwhQljiPnu8R3nx_fEXKnVYiycy5zTrOMB-EyDSAy4Zh0jIOEQdyNPHuW0wV_WorlVqqvuCYsyQMn4PpFUA48dqNexJ0M3DlQXuRaloWRJWvYOvq8LTL1lqbPmOQmbQnm6GVlv958Qu8buX7eWyExlAa7H7HjjbZE-xvvMjkmR21YSEepOSfkIFSn5GUEgF4h2qh6pRip0bQ4mG5K-tAmNsEfdE1dVVAklVhIx7sCzDSOs6aqozmdNemiz8hi8jgfT7M2D0IGTJo68_iaMhj0tlFMnhuFR3BDHSAOB-phGHAkdgZPPfO64JxpMSwKZXJtnCqBnZNOtanCBaEQGJYrBco5Xhpk0h4touSggBwGheoS8YuHhVYkPOaqWFskCw2ONuJoGxztKreIo0Ucu6T_V-89yWTsrXEf4f67O8pcNxfQ-LY1vt1n_Mv_eMgVOYxtS-Mq16RTf3yFG4w0an_bfFQ_9u7QSg |
| linkProvider | Directory of Open Access Journals |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Accelerating+the+Search+of+Differential+and+Linear+Characteristics+with+the+SAT+Method&rft.jtitle=IACR+Transactions+on+Symmetric+Cryptology&rft.au=Sun%2C+Ling&rft.au=Wang%2C+Wei&rft.au=Wang%2C+Meiqin&rft.date=2021-01-01&rft.issn=2519-173X&rft.eissn=2519-173X&rft.spage=269&rft.epage=315&rft_id=info:doi/10.46586%2Ftosc.v2021.i1.269-315&rft.externalDBID=n%2Fa&rft.externalDocID=10_46586_tosc_v2021_i1_269_315 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2519-173X&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2519-173X&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2519-173X&client=summon |