Differential Cryptanalysis with SAT, SMT, MILP, and CP: A Detailed Comparison for Bit-Oriented Primitives

Abstract

SAT, SMT, MILP, and CP, have become prominent in the differential cryptanalysis of cryptographic primitives. In this paper, we review the techniques for constructing differential characteristic search models in these four formalisms. Additionally, we perform a systematic comparison encompassing over 20 cryptographic primitives and 16 solvers, on both easy and hard instances of optimisation, enumeration and differential probability estimation problems.

Appendices

A Differential Cryptanalysis

Differential cryptanalysis, first proposed by Biham and Shamir in 1990 [9], is a statistical cryptanalysis technique, very effective against many cryptographic primitives, such as block or stream ciphers or hash functions. Given two inputs to the primitive with difference \(\varDelta x\) through a chosen operation (we use the XOR, the most common) the technique studies how this value propagates through the iterated operations to reach an output difference \(\varDelta y\).

The differential probability of a given input/output pair of differences for a vectorial Boolean function is the probability for that pair to yield over all the possible pairs of inputs with said input difference. For a function f and two differences \(\varDelta x\) and \(\varDelta y\), we will denote this probability with \(\textsf{dp}^f(\varDelta x \rightarrow \varDelta y)\).

It is currently infeasible to compute the output difference for a block cipher for all the possible pairs of inputs, considering its large size, and building the table with all the frequencies for each pair of input/output difference (that is called Difference Distribution Table, in short DDT). To facilitate the analysis, we can use the fact that block ciphers are often iterative functions, i.e. they are the composition \(f_{r-1} \circ \ldots \circ f_0\) of simpler keyed round functions \(f_i\)’s.

We define a r-round differential trail (or characteristic) for an iterative function \(f = f_{r-1} \circ \ldots \circ f_1 \circ f_0\), as a sequence of differences

$$ \varDelta _0 \xrightarrow {f_0} \varDelta _1 \xrightarrow {f_1} \ldots \rightarrow \varDelta _{r-1} \xrightarrow {f_{r-1}} \varDelta _r $$

and a differential as a pair of input/output differences. In the case of the whole composite primitive, the differential

$$ \varDelta x \xrightarrow {f_0 \circ \ldots \circ f_{r-1}} \varDelta y. $$

has probability equal to the sum of the probabilities of all the differential characteristics with \(\varDelta _0=\varDelta x\) and \(\varDelta _r=\varDelta y\), where the probability of the characteristic is usually computed as the product of the probabilities of each intermediate differential of the chain. In particular, one can rely on the assumption of independence between each differential so that the resulting probability, when considering the composition of vectorial Boolean functions, is computed by the following:

Proposition 2

Let \(f_1\) and \(f_2\) be two vectorial Boolean functions

$$\begin{aligned} f_1:\{0,1\}^l \rightarrow \{0,1\}^m \,,\quad f_2:\{0,1\}^m \rightarrow \{0,1\}^n. \end{aligned}$$

and let \(\varDelta \vec {x} \in \{0,1\}^l\), \(\varDelta \vec {y} \in \{0,1\}^m\) and \(\varDelta \vec {z} \in \{0,1\}^n\) be three differences such that

$$\begin{aligned} \textsf{dp}^{f_1}(\varDelta \vec {x} \rightarrow \varDelta \vec {y}) = p_1 \quad \,\, \textsf{dp}^{f_2}(\varDelta \vec {y} \rightarrow \varDelta \vec {z}) = p_2. \end{aligned}$$

Then, we have

$$\begin{aligned} \textsf{dp}^{f_2 \circ f_1}(\varDelta \vec {x} \rightarrow \varDelta \vec {z}) = p_1 \cdot p_2. \end{aligned}$$

To simplify the search for the most probable differential trail, it is common to search for the best differential characteristic instead, assuming its probability to be a good approximation of the target one, even if this is not always true [3].

In general, there is no efficient way to compute the precise probability of a differential characteristics. To do so, some fundamental assumptions on block ciphers are commonly used, such as the Markov cipher assumption, the Hypothesis of stochastic equivalence and the Hypothesis of independent round keys (see e.g. [32, Section 2.2.1]).

B Formalisms

In order to search for differential trails having the highest possible probability, we will make use of several constraints problems solvers adopting 4 different formalisms. The problem underlying the search of differential trails can be set from a general point of view.

Problem 1

Given a set of variables (unknown elements with a fixed domain) and a set of constraints (e.g. relations representing the propagation of the difference through the cipher), it is required to find an assignment of the variables to values in their domains, that is a mapping associating to each variable a value in its domain, that satisfies all the constraints.

We will call the resolution process procedure. In the following, we specialize the general terminology for each of the 4 formalisms we have used.

1.1 B.1 Satisfiability (SAT)

The terminology is as follows:

• variables are Boolean unknowns; a literal is either an unknown Boolean quantity \(v_i\) or its negation \(\lnot v_i\);

• constraints are clauses; a clause is a disjunction of literals, \(\bigvee _{i=0}^{n-1} x_i\); the set of clauses is called Conjunctive Normal Form (CNF) and it is the conjunction of all the clauses, \(\bigwedge _{j=0}^{m-1} \left( \bigvee _{i=0}^{n_j} x_{ij}\right) \);

• the main procedures are DPLL [15, 16] or CDCL [48], improved in the actual implementations.

1.2 B.2 Satisfiability Modulo Theories (SMT)

The terminology is as follows:

• variables are unknown Booleans \(x_i\) coming from the quantifier free theory, i.e. the Boolean logic;

• constraints are formulae in the chosen theory involving Boolean symbols;

• the main procedures are Lazy or Eager [8]; due to the simplicity of implementation, Lazy is the most widely implemented.

1.3 B.3 Mixed-Integer Linear Programming (MILP)

The terminology is as follows:

• variables are unknown quantities \(x_i\) that can either be booleans, integers (\(\mathbb {Z}\)) or continuous (\(\mathbb {R}\));

• constraints are linear inequalities of the form \(a_{0}x_0 + a_{1}x_1 + \cdots + a_{n-1}x_{n-1} \le b\) with \(a_i,b \in \mathbb {Q}\); moreover we have an objective function of the form \(z = c_0x_0 + c_1x_1 + \cdots + c_{n-1}x_{n-1}\) to be maximized or minimized, with \(c_i \in \mathbb {Q}\);

• the main procedures are the Simplex algorithm [14], Branch-and-bound [29] and Branch-and-cut [42].

1.4 B.4 Constraint Programming (CP)

The terminology is as follows:

• variables are unknown quantities belonging to a specific domain, i.e. pairs \((x_i, D_i)\). In our models we will either have Boolean variables (\(D_i=\{ 0,1\} \)) or more generic integer variables (\(D_i\subseteq \mathbb N\));

• constraints are relations which involve a subset of the variables. There are several types of constraints that can be used to model CP problems; in our models we used linear equations of integer variables (eventually modulo 2), logical combinations of linear equations of integer variables through the usual operators (AND, OR, NOT) and table constraints.

• the main procedures are Backtracking search, Local Search and Dynamic programming [46].

C Experimental Results Tables

In Table 5, we use the following notation: BT = Building Time, ST = Solving Time, NR = Number of Rounds, W = Weight, and similarly in Tables 6, 7, 8 and 9.

Table 5. Comparison results on Simon 32/64

Table 6. Comparison results on Speck 32/64

Table 7. Comparison results on Blake 512

Table 8. Comparison results on Gimli 384

Table 9. Comparison results on Present 64/80