New automatic tool for finding impossible differentials and zero-correlation linear approximations

Tingting Cui, Shiyao Chen, Kai Fu, Meiqin Wang, Keting Jia
2020 Science China Information Sciences  
Dear editor, Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two powerful methods in the block cipher field. Herein, we present an automatic tool to find impossible differentials (IDs) and zero-correlation linear approximations (ZCLAs) for both ARX and S-box-based ciphers. Similar to the idea of using mixed-integer linear programming (MILP) models for differential cryptanalysis in [1], we first use linear inequalities to describe all the target cipher's
more » ... ents exactly. However, we are indifferent to the objective function and only interested in knowing whether a solution to the whole system of inequalities for given input and output differences (masks) is present. If not, these input and output differences can yield an ID (ZCLA), as expected. Herein, we describe the search process in detail for IDs, but the process for finding ZCLAs is similar. First, we describe all the target cipher's components exactly using linear inequalities. Herein, we focus on describing the differential patterns for modular addition and omit the linear operation and S-box descriptions [1, 2]. Because we are not interested in the probabilities of each differential pattern for non-linear components, we rewrite the modular addition constraints in terms of eight linear inequalities, about 40% fewer than the number proposed by Fu et al. [2] to search differentials. Assume that there is a differential (α, β → γ) on the modular addition operation. To determine whether this differential is possible, we have two step according to the Theorem 1 in [2] . Firstly, to satisfy the condition on the least significant bit, α 0 ⊕ β 0 ⊕ γ 0 = 0, we use the following equality: where d ⊕ is a dummy bit variable. Secondly, for each i ∈ [1, n − 1], there are 56 possible patterns for (α i , β i , γ i , α i+1 , β i+1 , γ i+1 ). Herein, we use the following eight linear inequalities, whose solution set comprises exactly these 56 possible patterns. Thirdly, by representing the input and output differences of each target cipher operation using corresponding binary variables and constructing a suitable system of linear inequalities involving these variables, we can exactly describe all possible differential patterns for each operation. Taken together, the complete inequality system perfectly describes the target cipher's differential propagation process, and every solution is a differential characteristic. If the inequality system is infeasible for the given input and output differences, it indicates that the differential is impossible. By traversing a special set of input/output differences using the MILP model, we can confirm whether there is an ID within the set for a certain reduced-round cipher. Notably, covering all possible input/output differences is difficult owing to the time complexity; thus, this special set must be carefully selected, and it always depends on the features of the given cipher. Without loss of generality, we denote such a set as (∆ → Γ), where ∆ and Γ are the chosen sets of input and output differences, respectively. Algorithm 1 illustrates how the ID search process is implemented. Using this new method, we cannot directly identify where the contradiction appears or even determine whether the in-
doi:10.1007/s11432-018-1506-4 fatcat:st3llsjndnfspcfvzjppqnvheu