Publication


Featured research published by Siwei Sun.


international conference on the theory and application of cryptology and information security | 2014

Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers

Siwei Sun; Lei Hu; Peng Wang; Kexin Qiao; Xiaoshuang Ma; Ling Song

We propose two systematic methods to describe the differential property of an S-box with linear inequalities, based on logical condition modelling and on computational geometry respectively. In the first method, inequalities are generated from certain conditional differential properties of the S-box; in the second, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Combining these inequalities with the mixed-integer linear programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against (related-key) differential attacks, together with several techniques for obtaining tighter security bounds, and a new tool for automatically finding (related-key) differential characteristics of bit-oriented block ciphers.


international conference on information security and cryptology | 2013

Automatic Security Evaluation of Block Ciphers with S-bP Structures Against Related-Key Differential Attacks

Siwei Sun; Lei Hu; Ling Song; Yonghong Xie; Peng Wang

Counting the number of active S-boxes is a common way to evaluate the security of symmetric-key cryptographic schemes against differential attacks. Based on mixed-integer linear programming (MILP), Mouha et al. proposed a method to accomplish this task automatically for word-oriented symmetric-key ciphers with SPN structures. However, this method cannot be applied directly to block ciphers with SPN structures whose diffusion layers are bitwise permutations (S-bP structures), because it ignores the diffusion effect produced jointly by the nonlinear substitution layers and the bitwise permutation layers. In this paper we extend Mouha et al.'s method to S-bP structures by introducing new representations of exclusive-or (XOR) differences that describe bit-level and word-level differences simultaneously, and by taking the joint diffusion effect of S-boxes and bitwise permutations into account. We apply our method to the block cipher PRESENT-80, an international standard for lightweight symmetric-key cryptography, to automatically evaluate its security against differential attacks. We obtain lower bounds on the number of active S-boxes in the single-key model for the full 31-round PRESENT-80 and in the related-key model for round-reduced PRESENT-80 up to 12 rounds, and thereby automatically prove that full-round PRESENT-80 is secure against single-key differential attacks and that the cost of a related-key differential attack on full-round PRESENT-80 is close to that of exhaustive search: the probability of the best related-key differential characteristic for full PRESENT-80 is upper bounded by \(2^{-72}\).


fast software encryption | 2016

MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck

Kai Fu; Meiqin Wang; Yinghua Guo; Siwei Sun; Lei Hu

In recent years, mixed-integer linear programming (MILP) has been successfully applied to searching for differential characteristics and linear approximations in block ciphers, and has produced significant results for ciphers such as SIMON, a family of lightweight, hardware-optimized block ciphers designed by the NSA. However, in the literature, MILP-based automatic search for differential characteristics and linear approximations is still infeasible for block ciphers such as ARX constructions. In this paper, we propose an MILP-based method for the automatic search of differential characteristics and linear approximations in ARX ciphers. By studying the properties of differential characteristics and linear approximations of modular addition in ARX ciphers, we present a method to describe them with linear inequalities under the assumptions of independent inputs to the modular addition and independent rounds. We use this representation as input to the publicly available MILP optimizer Gurobi to search for differential characteristics and linear approximations of ARX ciphers. As an illustration, we apply our method to Speck, a family of lightweight, software-optimized block ciphers designed by the NSA, which yields improved differential characteristics and linear approximations compared with the existing ones. Moreover, we present improved differential attacks on Speck48, Speck64, Speck96 and Speck128, which are the best attacks on these ciphers in terms of the number of rounds.


IACR Cryptology ePrint Archive | 2017

Analysis of AES, SKINNY, and Others with Constraint Programming

Siwei Sun; David Gerault; Pascal Lafourcade; Qianqian Yang; Yosuke Todo; Kexin Qiao; Lei Hu

Searching for different types of distinguishers is a common task in symmetric-key cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. solves the open problem of determining the exact lower bound on the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied to searching for integral distinguishers, impossible differentials and zero-correlation linear approximations, in both the single-key and the related-(twea)key model. We implement the method using the open-source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY and HIGHT (an ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128, on which we build an 18-round attack on SKINNY-64-128 (one target version of the cryptanalysis competition https://sites.google.com/site/skinnycipher announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristics, restarts and dynamic branching), the CP approach can be very efficient. We therefore suggest that constraint programming should become a convenient tool in the hands of symmetric-key cryptanalysts.


international conference on information security | 2015

Improved Differential Analysis of Block Cipher PRIDE

Qianqian Yang; Lei Hu; Siwei Sun; Kexin Qiao; Ling Song; Jinyong Shan; Xiaoshuang Ma

At CRYPTO 2014, Albrecht et al. introduced PRIDE, a 20-round iterative lightweight block cipher built on a good linear layer to achieve a trade-off between security and efficiency. A recent analysis was presented by Zhao et al. Inspired by their work, we use an automatic search method to find 56 iterative differential characteristics of PRIDE, including 24 1-round iterative characteristics. Based on three of them, we construct a 15-round differential and mount a differential attack on 19-round PRIDE with data, time and memory complexities of \(2^{62}\), \(2^{63}\) and \(2^{71}\) respectively.


international conference on information systems security | 2016

Differential Analysis on Simeck and SIMON with Dynamic Key-Guessing Techniques

Kexin Qiao; Lei Hu; Siwei Sun

At CHES 2015, a new lightweight block cipher, Simeck, was proposed that combines good design components of SIMON and SPECK, two lightweight ciphers designed by the NSA. As a powerful tool for improving differential attacks, dynamic key-guessing techniques were proposed by Wang et al. and work well on SIMON. In this paper, we turn the dynamic key-guessing techniques into a program that automatically produces the data needed in the dynamic key-guessing procedure. With our tool, the differential security evaluation of SIMON- and Simeck-like block ciphers becomes very convenient. We apply the method to Simeck and to four members of the SIMON family. Using a differential of lower Hamming weight that we find by the mixed-integer linear programming method, together with differentials from Kölbl et al.'s work, we mount attacks on 21- and 22-round Simeck32, 28-round Simeck48, and 34- and 35-round Simeck64. Furthermore, using the differentials newly proposed at CRYPTO 2015, we obtain new attack results on 22-round SIMON32/64, 24-round SIMON48/96, 28- and 29-round SIMON64/96, and 29- and 30-round SIMON64/128. To the best of our knowledge, our results on SIMON64 are currently the best.


Science in China Series F: Information Sciences | 2017

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Danping Shi; Lei Hu; Siwei Sun; Ling Song; Kexin Qiao; Xiaoshuang Ma

Abstract and contribution: when different components of a cipher take the same input, the correlation of a linear approximation cannot be computed with the piling-up lemma, and computing it is a hard problem that strongly affects the results of linear cryptanalysis. We fully take into account the dependencies among the different operations of the SIMON block cipher, compute the correlation of linear approximations of the round function exactly by reduction to a standard quadratic form, and thereby obtain precise linear cryptanalysis results. Using mixed-integer linear programming modelling, we find better linear trails and linear hulls for several versions of SIMON and give improved key-recovery attack results for SIMON.


international workshop on security | 2016

Related-Key Impossible Differential Analysis of Full Khudra

Qianqian Yang; Lei Hu; Siwei Sun; Ling Song

Khudra is a block cipher proposed by Souvik Kolay and Debdeep Mukhopadhyay at the SPACE 2014 conference and is intended for Field Programmable Gate Arrays (FPGAs). It is an 18-round lightweight cipher based on a recursive Feistel structure, with a 64-bit block size and an 80-bit key. The designers stated that 18 rounds of Khudra provide a sufficient security margin against related-key attacks. In this paper, however, we obtain \(2^{16}\) 14-round related-key impossible differentials of Khudra, and based on these related-key impossible differentials under 32 related keys, we mount an attack on full Khudra with data complexity of \(2^{63}\) related-key chosen plaintexts, time complexity of about \(2^{68.46}\) encryptions and memory complexity of \(2^{64}\). This is the first known attack on full Khudra.


international conference on information security | 2015

Extending the Applicability of the Mixed-Integer Programming Technique in Automatic Differential Cryptanalysis

Siwei Sun; Lei Hu; Meiqin Wang; Qianqian Yang; Kexin Qiao; Xiaoshuang Ma; Ling Song; Jinyong Shan

We focus on extending the applicability of the mixed-integer programming (MIP) based method in differential cryptanalysis so that more of the work can be done automatically. First, we show how to use the MIP-based technique to automatically obtain almost all high-probability 2-round iterative related-key differential characteristics of PRIDE (a block cipher proposed at CRYPTO 2014) by treating the


network and system security | 2014

Tighter Security Bound of MIBS Block Cipher against Differential Attack

Xiaoshuang Ma; Lei Hu; Siwei Sun; Kexin Qiao; Jinyong Shan

Collaboration

Siwei Sun's top co-authors (all at the Chinese Academy of Sciences):

Lei Hu
Ling Song
Kexin Qiao
Xiaoshuang Ma
Danping Shi
Qianqian Yang
Jinyong Shan
Peng Wang
Yonghong Xie
Jun Xu