[Resource Topic] 2023/259: A MIQCP-Based Automatic Search Algorithm for Differential-Linear Trails of ARX Ciphers(Long Paper)

Resource Attacks and cryptanalysis
#1

Welcome to the resource topic for 2023/259

Title:
A MIQCP-Based Automatic Search Algorithm for Differential-Linear Trails of ARX Ciphers(Long Paper)

Authors: Guangqiu Lv, Chenhui Jin, Ting Cui

Abstract:

Differential-linear (DL) cryptanalysis has undergone remarkable advancements since it was first proposed by Langford and Hellman \cite{langford1994differential} in 1994. At CRYPTO 2022, Niu et al. studied the (rotational) DL cryptanalysis of n-bit modulo additions with 2 inputs, i.e., \boxplus_2, and presented a technique for evaluating the (rotational) DL correlation of ARX ciphers. However, the problem of how to automatically search for good DL trails on ARX with solvers was left open, which is the focus of this work.

In this paper, we solve this open problem through some techniques to reduce complexity and a transformation technique from matrix multiplication chain to Mixed Integer Quadratically-Constrained Programs (MIQCP).
First, the computational complexity of the DL correlation of \boxplus_2 is reduced to approximately one-eighth of the state of art, which can be computed by a 2\times2 matrix multiplication chain of the same length as before.
Some methods to further reduce complexity in special cases have been studied.
Additionally, we present how to compute the extended (rotational) DL correlations of \boxplus_k for k\ge 2, where two output linear masks of the cipher pairs can be different.
Second, to ensure that the existing solver Gurobi\footnote{The solver used in this paper is Gurobi, and some ready-made functions in Gurobi are also used, such as LOG_2 and ABS. The source code is available at \url{https://}.
} can compute DL correlations of \boxplus_2,
we propose a method to transform an arbitrary matrix multiplication chain into a MIQCP, which forms the foundation of our automatic search of DL trails in ARX ciphers.
Third, in ARX ciphers, we use a single DL trail under some explicit conditions to give a good estimate of the correlation,
which avoids the exhaustion of intermediate differences.
We then derive an automatic method for evaluating the DL correlations of ARX, which we apply to Alzette and some versions of SPECK.
Experimentally verified results confirm the validity of our method, with the predicted correlations being close to the experimental ones.
To the best of our knowledge, this method finds the best DL distinguishers for these ARX primitives currently.
Furthermore, we presented the lowest time-complexity attacks against 12-14 rounds of SPECK32 to date.

ePrint: https://eprint.iacr.org/2023/259

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .