Programming the Demirci-Selçuk Meet-in-the-Middle Attack with Constraints
Cryptanalysis with SAT/SMT, MILP and CP has increased in popularity among symmetric-key cryptanalysts and designers due to its high degree of automation. So far, this approach covers differential, linear, impossible differential, zero-correlation, and integral cryptanalysis. However, the Demirci-Selçuk meet-in-the-middle (DS-MITM) attack is one of the most sophisticated techniques that has not been automated with this approach. By an in-depth study of Derbez and Fouque's work on DS-MITM ... with dedicated search algorithms, we identify the crux of the problem and present a method for automatic DS-MITM attacks based on general constraint programming, which allows the cryptanalyst to state the problem at a high level without having to say how it should be solved. Our method is not only able to enumerate distinguishers but can also partly automate the key-recovery process. This approach makes DS-MITM cryptanalysis more straightforward and easier to follow, since the resolution of the problem is delegated to off-the-shelf constraint solvers and is therefore decoupled from its formulation. We apply the method to SKINNY, TWINE, and LBlock, and we obtain the currently best known DS-MITM attacks on these ciphers. Moreover, to demonstrate the usefulness of our tool for block cipher designers, we exhaustively evaluate the security of the 8! = 40320 versions of LBlock instantiated with different word permutations in the F functions. It turns out that the permutation used in the original LBlock is one of the 64 permutations showing the strongest resistance against the DS-MITM attack. The whole process is accomplished on a PC in less than 2 hours. The same process is applied to TWINE, and similar results are obtained.

Cryptanalysis of block ciphers is a highly technical, time-consuming and error-prone process. On the one hand, attackers have to apply a variety of cryptanalytic techniques, including differential, linear and integral attacks, among others, to see which technique leads to the best attack. On the other hand, designers need to repeat all these attacks again and again to identify the choices of parameters and building blocks that meet the security and implementation requirements. Therefore, automatic tools that significantly reduce the manual work and make a thorough exploration of the design/analysis space possible are indispensable to the community.
One paradigm for automatic symmetric-key cryptanalysis that has gained increasing popularity in recent years is to model the problem by means of constraints, which includes the methods based on SAT/SMT (satisfiability modulo theories) [6-8], MILP (mixed-integer linear programming) [9-13], and classical constraint programming [14, 15]. In this paper, these methods are collectively referred to as the general constraint programming (CP) based approach, or just the CP based approach for short. So far, the CP based approach covers a wide range of symmetric-key cryptanalysis techniques. For instance, we can determine the minimum number of differentially or linearly active S-boxes of a block cipher with MILP; we can search for actual differential characteristics, linear characteristics, and integral distinguishers with SAT/SMT, MILP or classical constraint programming [8, 10, 11, 14]; and we can search for impossible differentials and zero-correlation linear approximations [12, 16] in a similar way. Compared with search algorithms implemented from scratch in general purpose programming languages, the CP based approach allows the cryptanalyst to state the problem very naturally and at a high level, without having to say how it should be solved. The resolution of the problem is delegated to generic solvers and is therefore decoupled from the formulation of the problem. As Eugene C. Freuder stated: "Constraint programming represents one of the closest approaches computer science has yet made to the Holy Grail of programming: the user states the problem, the computer solves it." However, the Demirci-Selçuk meet-in-the-middle (DS-MITM) attack, introduced by Demirci and Selçuk at FSE 2008 to attack the Advanced Encryption Standard (AES), is one of the cryptanalytic techniques which has not been automated with general constraint programming due to its extraordinary sophistication.
After a series of improvements of the attack with various creative techniques [28-32], the DS-MITM attack yields the best known attacks on 7-round AES-128, 9-round AES-192 and 10-round AES-256 in the single-key model. The attack has been applied to several specific block ciphers as well as to generic balanced Feistel constructions. Most recently, Guo et al. showed generic attacks on unbalanced Feistel ciphers based on the DS-MITM technique which penetrate a large number of rounds of a specific class of unbalanced Feistels. Note that despite sharing its name with the traditional MITM attacks in some of the literature (the attacks on some block ciphers [39, 40] and on a number of hash functions, e.g. [41, 42]), the DS-MITM attack considered in this paper follows a different and more complex strategy.

Related work and our contribution. In [30, 31], Derbez and Fouque presented a tool implemented in C/C++ for finding DS-MITM attacks with a dedicated search algorithm. In this paper, we present the first CP-based tool for finding DS-MITM attacks automatically. Our approach is based on a novel modelling technique in which we introduce several different types of variables for every input/output word of all operations, and impose constraints on these variables such that from any solution satisfying all the constraints we can deduce a DS-MITM distinguisher or a DS-MITM attack. Compared with Derbez and Fouque's tool [30, 31], which was implemented in the general purpose programming language C/C++, the CP based method allows the cryptanalyst to state the problem at a high level very naturally, without considering how to maintain the relationships between the variables explicitly with dedicated algorithms. Therefore, our tool should be very useful for fast prototyping in the process of block cipher design. Lin et al. modeled the problem of searching for DS-MITM distinguishers as an integer programming model. However, their integer programming model is incomplete and is solved by a dedicated search algorithm; moreover, their work only focuses on the distinguisher part. Our CP based approach can not only enumerate distinguishers but also partly automate the key-recovery process of the attack. Furthermore, by applying our CP based approach to LBlock, the same cipher targeted by Lin et al., we show that it finds better distinguishers as well as better attacks.

To demonstrate the effectiveness of our approach, we apply it to SKINNY, TWINE, and LBlock, and we automatically produce the best DS-MITM attacks on these well-known ciphers so far. For LBlock, we not only find an 11-round DS-MITM distinguisher, which is 2 rounds longer than the one(s) previously presented, but also construct the first DS-MITM attack on 21-round LBlock. We also rediscover the same attack on TWINE-128 reported previously, and identify the first DS-MITM attack on 20-round TWINE-80. In addition, we report the first concrete DS-MITM analysis of SKINNY. A remarkable fact is that our tool identifies a 10.5-round DS-MITM distinguisher in a few seconds, while its designers expected an upper bound of 10 rounds for such distinguishers. A summary of these results is given in Table 1. We also show how helpful our tool can be in the block cipher design process by searching for the best choices of block shuffles in LBlock and TWINE. We scan 40320 variants of LBlock and 887040 variants of TWINE, and identify permutations which are potentially stronger than the permutations in the original designs. We make the source code of this work publicly available at https://github.com/siweisun/MITM. In addition, all supplementary materials referred to later on are provided in an extended version of this paper at https://eprint.iacr.org/2018/813.