TY - GEN
T1 - Automatic Search for Bit-Based Division Property
AU - Ghosh, Shibam
AU - Dunkelman, Orr
N1 - Publisher Copyright: © 2021, Springer Nature Switzerland AG.
PY - 2021
Y1 - 2021
N2 - Division properties, introduced by Todo at Eurocrypt 2015, are an extension of square attack (also called saturation attack or integral cryptanalysis). Given their importance, a large number of works tried to offer automatic tools to find division properties, primarily based on MILP or SAT/SMT. This paper studies better modeling techniques for finding division properties using the Constraint Programming and SAT/SMT-based automatic tools. We use the fact that the Quine-McCluskey algorithm produces a concise CNF representation corresponding to the division trail table of an Sbox. As a result, we can offer significantly more compact models, which allow SAT and Constraint Programming tools to outperform previous results. To show the strength of our new approach, we look at the NIST lightweight candidate KNOT and Ascon. We show several new distinguishers with a lower data complexity for 17-round KNOT-256, KNOT-384 and 19-round KNOT-512. In addition, for the 5-round Ascon, we get a lower data distinguisher than the previous division-based results. Finally, we revisit the method to extend the integral distinguisher by composing linear layers at the input and output. We provide a formulation to find the optimal number of linear combinations that need to be considered. As a result of this new formulation, we prove that 18-round KNOT-256 and KNOT-384 have no integral distinguisher using conventional division property and we show this more efficiently than the previous methods.
AB - Division properties, introduced by Todo at Eurocrypt 2015, are an extension of square attack (also called saturation attack or integral cryptanalysis). Given their importance, a large number of works tried to offer automatic tools to find division properties, primarily based on MILP or SAT/SMT. This paper studies better modeling techniques for finding division properties using the Constraint Programming and SAT/SMT-based automatic tools. We use the fact that the Quine-McCluskey algorithm produces a concise CNF representation corresponding to the division trail table of an Sbox. As a result, we can offer significantly more compact models, which allow SAT and Constraint Programming tools to outperform previous results. To show the strength of our new approach, we look at the NIST lightweight candidate KNOT and Ascon. We show several new distinguishers with a lower data complexity for 17-round KNOT-256, KNOT-384 and 19-round KNOT-512. In addition, for the 5-round Ascon, we get a lower data distinguisher than the previous division-based results. Finally, we revisit the method to extend the integral distinguisher by composing linear layers at the input and output. We provide a formulation to find the optimal number of linear combinations that need to be considered. As a result of this new formulation, we prove that 18-round KNOT-256 and KNOT-384 have no integral distinguisher using conventional division property and we show this more efficiently than the previous methods.
KW - Ascon
KW - Constraint programming
KW - Division property
KW - Integral cryptanalysis
KW - KNOT
UR - http://www.scopus.com/inward/record.url?scp=85116917058&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-030-88238-9_13
DO - https://doi.org/10.1007/978-3-030-88238-9_13
M3 - منشور من مؤتمر
SN - 9783030882372
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 254
EP - 274
BT - Progress in Cryptology – LATINCRYPT 2021 - 7th International Conference on Cryptology and Information Security in Latin America, Proceedings
A2 - Longa, Patrick
A2 - Ràfols, Carla
PB - Springer Science and Business Media Deutschland GmbH
T2 - 7th International Conference on Cryptology and Information Security in Latin America, LATINCRYPT 2021
Y2 - 6 October 2021 through 8 October 2021
ER -