Abstract
SAT, SMT, MILP and CP have become prominent in the differential cryptanalysis of cryptographic primitives. In this paper, we review the techniques for constructing differential characteristic search models in these four formalisms. Additionally, we perform a systematic comparison covering over 20 cryptographic primitives and 16 solvers, on both easy and hard instances of optimisation, enumeration and differential probability estimation problems.
Notes
1. It should be noted that the entries of this table are not always integers, since a DDT may contain entries that are not powers of 2.
2. As an example, we selected, respectively, three small-state block ciphers (one AndRX, one ARX, one S-box based), one large-state permutation (384 bits) and one large-state ARX hash (512 bits).
References
Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.M.: MILP modeling for (large) S-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol. 2017(4), 99–129 (2017)
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27
Ankele, R., Kölbl, S.: Mind the gap - a closer look at the security of block ciphers against differential cryptanalysis. In: Cid, C., Jacobson Jr., M.J. (eds.) SAC 2018. LNCS, vol. 11349, pp. 163–190. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_8
Audemard, G., Simon, L.: Glucose and Syrup: nine years in the SAT competitions. In: Proceedings of SAT Competition, pp. 24–25 (2018)
Bellini, E., Gérault, D., Protopapa, M., Rossi, M.: Monte Carlo tree search for automatic differential characteristics search: application to SPECK. In: Isobe, T., Sarkar, S. (eds.) INDOCRYPT 2022. LNCS, vol. 13774, pp. 373–397. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22912-1_17
Bestuzheva, K., et al.: The SCIP Optimization Suite 8.0. ZIB-Report 21–41, Zuse Institute Berlin (2021)
Biere, A., Fazekas, K., Fleury, M., Heisinger, M.: CaDiCaL, Kissat, Paracooba, Plingeling and Treengeling entering the SAT Competition 2020. In: Balyo, T., Froleyks, N., Heule, M., Iser, M., Järvisalo, M., Suda, M. (eds.) Proceedings of the SAT Competition 2020 - Solver and Benchmark Descriptions. Department of Computer Science Report Series B, vol. B-2020-1, pp. 51–53. University of Helsinki (2020)
Biere, A., Heule, M., van Maaren, H., Walsh, T. (eds.): Handbook of Satisfiability, Frontiers in Artificial Intelligence and Applications, vol. 185. IOS Press (2009)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Boura, C., Coggia, D.: Efficient MILP modelings for sboxes and linear layers of SPN ciphers. IACR Trans. Symmetric Cryptol. 2020(3), 327–361 (2020)
Brayton, R.K., Hachtel, G.D., McMullen, C.T., Sangiovanni-Vincentelli, A.L.: Logic Minimization Algorithms for VLSI synthesis, The Kluwer International Series in Engineering and Computer Science, vol. 2. Springer, Heidelberg (1984)
Chu, G., Stuckey, P.J., Schutt, A., Ehlers, T., Gange, G., Francis, K.: Chuffed, a lazy clause generation solver. https://github.com/chuffed/chuffed. Accessed 19 Mar 2023
Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_7
Dantzig, G.B.: Maximization of a linear function of variables subject to linear inequalities. Act. Anal. Prod. Allocat. 13, 339–347 (1951)
Davis, M., Logemann, G., Loveland, D.W.: A machine program for theorem-proving. Commun. ACM 5(7), 394–397 (1962)
Davis, M., Putnam, H.: A computing procedure for quantification theory. J. ACM 7(3), 201–215 (1960)
Delaune, S., Derbez, P., Huynh, P., Minier, M., Mollimard, V., Prud’homme, C.: SKINNY with scalpel - comparing tools for differential analysis. IACR Cryptol. ePrint Arch. 1402 (2020)
Delaune, S., Derbez, P., Huynh, P., Minier, M., Mollimard, V., Prud’homme, C.: Efficient methods to search for best differential characteristics on SKINNY. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 184–207. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_8
Dutertre, B.: Yices 2.2. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 737–744. Springer, Cham (2014)
Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24605-3_37
Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for SPECK. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_14
Ganesh, V., Dill, D.L.: A Decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73368-3_52
Gérault, D., Lafourcade, P., Minier, M., Solnon, C.: Revisiting AES related-key differential attacks with constraint programming. Inf. Process. Lett. 139, 24–29 (2018)
Gérault, D., Lafourcade, P., Minier, M., Solnon, C.: Computing AES related-key differential characteristics with constraint programming. Artif. Intell. 278, 103183 (2020)
Google: OR-Tools - Google Optimization Tools. https://developers.google.com/optimization. Accessed 19 Mar 2023
Gurobi Optimization, LLC: Gurobi Optimizer Reference Manual (2023)
Heule, M., Iser, M., Järvisalo, M., Suda, M., Balyo, T.: SAT Competition 2022. https://satcompetition.github.io/2022/results.html. Accessed 2 Mar 2023
Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_8
Land, A.H., Doig, A.G.: An automatic method for solving discrete programming problems. In: Jünger, M., et al. (eds.) 50 Years of Integer Programming 1958-2008, pp. 105–132. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-540-68279-0_5
Li, T., Sun, Y.: Superball: a new approach for MILP modelings of Boolean functions. IACR Trans. Symmetric Cryptol. 2022(3), 341–367 (2022)
Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. IACR Cryptol. ePrint Arch. 1 (2001)
Liu, Y.: Techniques for Block Cipher Cryptanalysis. Ph.D. thesis, KU Leuven, Faculty of Engineering Science (2018). https://www.esat.kuleuven.be/cosic/publications/thesis-306.pdf
Liu, Z., Li, Y., Wang, M.: Optimal differential trails in Simon-like ciphers. IACR Cryptol. ePrint Arch. 178 (2017)
Matsui, M., Yamagishi, A.: A new method for known plaintext attack of FEAL cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_7
McCluskey, E.J.: Minimization of Boolean functions. Bell Syst. Tech. J. 35, 1417–1444 (1956)
MiniZinc: MiniZinc Challenge 2022 results. https://www.minizinc.org/challenge2022/results2022.html. Accessed 2 Mar 2023
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
Nethercote, N., Stuckey, P.J., Becket, R., Brand, S., Duck, G.J., Tack, G.: MiniZinc: towards a standard CP modelling language. In: Bessière, C. (ed.) CP 2007. LNCS, vol. 4741, pp. 529–543. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74970-7_38
Niemetz, A., Preiner, M., Biere, A.: Boolector 2.0. J. Satisf. Boolean Model. Comput. 9(1), 53–58 (2014)
Oki, E.: GLPK (GNU Linear Programming Kit) (2012)
Padberg, M., Rinaldi, G.: A branch-and-cut algorithm for the resolution of large-scale symmetric traveling salesman problems. SIAM Rev. 33(1), 60–100 (1991)
Prud’homme, C., Godet, A., Fages, J.G.: choco-solver. https://github.com/chocoteam/choco-solver. Accessed 19 Mar 2023
Quine, W.V.: The problem of simplifying truth functions. Amer. Math. Monthly 59, 521–531 (1952)
Quine, W.V.: A way to simplify truth functions. Amer. Math. Monthly 62, 627–631 (1955)
Rossi, F., van Beek, P., Walsh, T. (eds.): Handbook of Constraint Programming, Foundations of Artificial Intelligence, vol. 2. Elsevier (2006)
Schulte, C., Tack, G., Lagerkvist, M.Z.: Gecode. https://www.gecode.org/index.html. Accessed 19 Mar 2023
Silva, J.P.M., Sakallah, K.A.: GRASP: a search algorithm for propositional satisfiability. IEEE Trans. Comput. 48(5), 506–521 (1999)
Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 244–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02777-2_24
Sun, L., Wang, W., Wang, M.: Accelerating the search of differential and linear characteristics with the SAT method. IACR Trans. Symmetric Cryptol. 2021(1), 269–315 (2021)
Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017(1), 281–306 (2017)
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Xu, S., Feng, X., Wang, Y.: On two factors affecting the efficiency of MILP models in automated cryptanalyses. IACR Cryptol. ePrint Arch. 196 (2023)
Zhou, C., Zhang, W., Ding, T., Xiang, Z.: Improving the MILP-based security evaluation algorithm against differential/linear cryptanalysis using a divide-and-conquer approach. IACR Trans. Symmetric Cryptol. 2019(4), 438–469 (2019)
Appendices
A Differential Cryptanalysis
Differential cryptanalysis, introduced by Biham and Shamir in 1990 [9], is a statistical technique that is effective against many cryptographic primitives, including block ciphers, stream ciphers and hash functions. Given two inputs to the primitive whose difference with respect to a chosen operation (we use XOR, the most common choice) is \(\varDelta x\), the technique studies how this difference propagates through the iterated operations of the primitive to an output difference \(\varDelta y\).
The differential probability of an input/output pair of differences for a vectorial Boolean function is the probability, taken over all pairs of inputs with the given input difference, that the corresponding pair of outputs has the given output difference. For a function f and two differences \(\varDelta x\) and \(\varDelta y\), we denote this probability by \(\textsf{dp}^f(\varDelta x \rightarrow \varDelta y)\).
For a block cipher, computing the output difference for every possible pair of inputs, and building the table that records the frequency of each input/output difference pair (the Difference Distribution Table, DDT), is infeasible because of the size of the state. To make the analysis tractable, we exploit the fact that block ciphers are usually iterative functions, i.e. the composition \(f_{r-1} \circ \ldots \circ f_0\) of simpler keyed round functions \(f_i\).
We define an r-round differential trail (or characteristic) for an iterative function \(f = f_{r-1} \circ \ldots \circ f_1 \circ f_0\) as a sequence of differences
and a differential as a pair of input/output differences. In the case of the whole composite primitive, the differential
has probability equal to the sum of the probabilities of all the differential characteristics with \(\varDelta _0=\varDelta x\) and \(\varDelta _r=\varDelta y\), where the probability of a characteristic is usually computed as the product of the probabilities of the intermediate differentials in the chain. This relies on the assumption that the intermediate differentials are independent, under which the probability through a composition of vectorial Boolean functions is given by the following:
Proposition 2
Let \(f_1\) and \(f_2\) be two vectorial Boolean functions
and let \(\varDelta \vec {x} \in \{0,1\}^l\), \(\varDelta \vec {y} \in \{0,1\}^m\) and \(\varDelta \vec {z} \in \{0,1\}^n\) be three differences such that
Then, we have
Since searching for the most probable differential is hard, it is common to search for the best differential characteristic instead and to take its probability as an approximation of the probability of the differential; this approximation is not always accurate [3].
In general, there is no efficient way to compute the exact probability of a differential characteristic. Instead, some standard assumptions on block ciphers are used, namely the Markov cipher assumption, the hypothesis of stochastic equivalence and the hypothesis of independent round keys (see e.g. [32, Section 2.2.1]).
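The definitions above (DDT, \(\textsf{dp}^f\), characteristic probability as a product of round probabilities, differential probability as a sum over characteristics) can be checked end to end on a toy cipher. The following is an added example, not code from the paper: it uses the 4-bit PRESENT S-box, and the 8-bit block, the bit permutation and the two-round structure are constructed here purely for illustration. It enumerates every two-round characteristic for a chosen differential, compares the best single characteristic with the sum over all of them (the clustering effect behind the caveat of [3]), and verifies the sum against an exhaustive count over all inputs and all round keys, which is exact here because the round key is XORed before the second S-box layer.

```python
"""Toy 2-round SPN: DDT, characteristic probability, differential probability.

Added example; not code from the paper. S-box = PRESENT's 4-bit S-box.
Block size, bit permutation and round structure are constructed here.
"""
from fractions import Fraction
from math import log2

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box
BLOCK = 8                                          # toy block size in bits
# Constructed bit permutation: input bit i goes to output bit PERM[i].
PERM = [(2 * i) % 7 if i < 7 else 7 for i in range(BLOCK)]
INV_PERM = [PERM.index(j) for j in range(BLOCK)]


def ddt(sbox):
    """Difference Distribution Table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


DDT = ddt(SBOX)


def dp(dx, dy):
    """dp^S(dx -> dy) of the 4-bit S-box, as an exact fraction."""
    return Fraction(DDT[dx][dy], len(SBOX))


def weight(p):
    """-log2(p); an integer only when p is a power of 2 (cf. footnote 1)."""
    return -log2(float(p))


def permute(x, table):
    return sum(((x >> i) & 1) << table[i] for i in range(BLOCK))


S_LAYER = [(SBOX[v >> 4] << 4) | SBOX[v & 0xF] for v in range(1 << BLOCK)]
P_LAYER = [permute(v, PERM) for v in range(1 << BLOCK)]


def round_fn(x, key):
    """One round: two parallel S-boxes, bit permutation, round-key XOR."""
    return P_LAYER[S_LAYER[x]] ^ key


def encrypt2(x, k1):
    """Two rounds. No whitening key: XORing a constant into x leaves the
    difference unchanged, and x already ranges over every input."""
    return round_fn(round_fn(x, k1), 0)


def layer_dp(da, db):
    """dp of the 8-bit S-layer: product of the two independent nibble dps."""
    return dp(da >> 4, db >> 4) * dp(da & 0xF, db & 0xF)


def characteristics(d0, d2):
    """All 2-round characteristics d0 -> d1 -> d2, mapped to their probability
    (product of the round probabilities, i.e. the independence assumption)."""
    result = {}
    m2 = permute(d2, INV_PERM)            # S-layer output difference, round 2
    for m1 in range(1 << BLOCK):          # S-layer output difference, round 1
        p1 = layer_dp(d0, m1)
        if p1 == 0:
            continue
        d1 = P_LAYER[m1]
        p2 = layer_dp(d1, m2)
        if p2:
            result[d1] = p1 * p2
    return result


def differential_probability(d0, d2):
    """Probability of the differential d0 -> d2: sum over all characteristics."""
    return sum(characteristics(d0, d2).values(), Fraction(0))


def best_characteristic(d0, d2):
    """(d1, probability) of the most probable single characteristic."""
    return max(characteristics(d0, d2).items(), key=lambda kv: kv[1])


def brute_force_dp(d0, d2):
    """Exact probability of d0 -> d2 over all inputs x and all round keys k1."""
    hits = sum(encrypt2(x, k1) ^ encrypt2(x ^ d0, k1) == d2
               for k1 in range(1 << BLOCK) for x in range(1 << BLOCK))
    return Fraction(hits, 1 << (2 * BLOCK))


if __name__ == "__main__":
    d0, d2 = 0x01, 0xC3
    trails = characteristics(d0, d2)
    print("characteristics:", {hex(d1): str(p) for d1, p in trails.items()})
    d1, p = best_characteristic(d0, d2)
    print("best characteristic: d1=%#x p=%s weight=%.3f" % (d1, p, weight(p)))
    p = differential_probability(d0, d2)
    print("differential: p=%s weight=%.3f" % (p, weight(p)))
    print("brute force:", brute_force_dp(d0, d2))
```

For the differential 0x01 → 0xC3 three characteristics of probability \(2^{-7}\) each contribute, so the differential has probability \(3 \cdot 2^{-7}\): the best characteristic underestimates it by a factor of 3, and the weight of the differential is no longer an integer. The exhaustive count agrees exactly with the sum because, with the round key XORed before the second S-box layer, the inputs to that layer are uniformly distributed over the key.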
B Formalisms
In order to search for differential trails of the highest possible probability, we use several constraint solvers based on 4 different formalisms. The problem underlying the search for differential trails can be stated in general terms.
Problem 1
Given a set of variables (unknowns, each with a fixed domain) and a set of constraints (e.g. relations expressing the propagation of differences through the cipher), find an assignment of the variables, i.e. a mapping that associates to each variable a value in its domain, that satisfies all the constraints.
We call the resolution process the procedure. In the following, we specialise this general terminology for each of the 4 formalisms we have used.
B.1 Satisfiability (SAT)
The terminology is as follows:
- variables are Boolean unknowns; a literal is either an unknown Boolean quantity \(v_i\) or its negation \(\lnot v_i\);
- constraints are clauses; a clause is a disjunction of literals, \(\bigvee _{i=0}^{n-1} x_i\); the set of clauses is called a Conjunctive Normal Form (CNF) formula and is the conjunction of all the clauses, \(\bigwedge _{j=0}^{m-1} \left( \bigvee _{i=0}^{n_j-1} x_{ij}\right) \);
- the main procedures are DPLL [15, 16] and CDCL [48], both considerably refined in actual implementations.
B.2 Satisfiability Modulo Theories (SMT)
The terminology is as follows:
- variables are unknowns \(x_i\) whose domain is fixed by the chosen quantifier-free theory (e.g. Booleans, or fixed-width bit-vectors);
- constraints are formulae of the chosen theory, combined through the Boolean connectives;
- the main procedures are the lazy and the eager approach [8]; being simpler to implement, the lazy approach is the most widely adopted.
B.3 Mixed-Integer Linear Programming (MILP)
The terminology is as follows:
- variables are unknown quantities \(x_i\) that can be Boolean, integer (\(\mathbb {Z}\)) or continuous (\(\mathbb {R}\));
- constraints are linear inequalities of the form \(a_{0}x_0 + a_{1}x_1 + \cdots + a_{n-1}x_{n-1} \le b\) with \(a_i,b \in \mathbb {Q}\); moreover, there is an objective function of the form \(z = c_0x_0 + c_1x_1 + \cdots + c_{n-1}x_{n-1}\), with \(c_i \in \mathbb {Q}\), to be maximized or minimized;
- the main procedures are the Simplex algorithm [14], Branch-and-bound [29] and Branch-and-cut [42].
B.4 Constraint Programming (CP)
The terminology is as follows:
- variables are unknown quantities belonging to a specific domain, i.e. pairs \((x_i, D_i)\). In our models we have either Boolean variables (\(D_i=\{ 0,1\} \)) or more general integer variables (\(D_i\subseteq \mathbb N\));
- constraints are relations over a subset of the variables. Several types of constraints can be used to model CP problems; in our models we use linear equations over integer variables (possibly modulo 2), logical combinations of such equations through the usual connectives (AND, OR, NOT), and table constraints;
- the main procedures are backtracking search, local search and dynamic programming [46].
C Experimental Results Tables
In Table 5, we use the following notation: BT = Building Time, ST = Solving Time, NR = Number of Rounds, W = Weight, and similarly in Tables 6, 7, 8 and 9.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Bellini, E. et al. (2023). Differential Cryptanalysis with SAT, SMT, MILP, and CP: A Detailed Comparison for Bit-Oriented Primitives. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_13
DOI: https://doi.org/10.1007/978-981-99-7563-1_13
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1