International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Analysis of AES, SKINNY, and Others with Constraint Programming

Authors:
Siwei Sun , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Data Assurance and Communication Security Research Center, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academ
David Gerault , LIMOS, University Clermont Auvergne
Pascal Lafourcade , LIMOS, University Clermont Auvergne
Qianqian Yang , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Data Assurance and Communication Security Research Center, Chinese Academy of Sciences
Yosuke Todo , NTT Secure Platform Laboratories
Kexin Qiao , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Data Assurance and Communication Security Research Center, Chinese Academy of Sciences
Lei Hu , State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Data Assurance and Communication Security Research Center, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academ
Download:
DOI: 10.13154/tosc.v2017.i1.281-306
URL: http://tosc.iacr.org/index.php/ToSC/article/view/595
Search ePrint
Search Google
Abstract: Search for different types of distinguishers are common tasks in symmetrickey cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault et al. leads to the solution of the open problem of determining the exact lower bound of the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied in searching for integral distinguishers, impossible differentials, zero-correlation linear approximations, in both the single-key and related-(twea)key model. We implement the method using the open source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY, and HIGHT (ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128 based on which we construct an 18-round attack on SKINNY-64-128 (one target version for the crypto competition https://sites.google.com/site/skinnycipher announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristic, restart and dynamic branching strategy), the CP approach can be very efficient. Therefore, we suggest that the constraint programming technique should become a convenient tool at hand of the symmetric-key cryptanalysts.
BibTeX
@article{tosc-2017-28112,
  title={Analysis of AES, SKINNY, and Others with Constraint Programming},
  journal={IACR Trans. Symmetric Cryptol.},
  publisher={Ruhr-Universität Bochum},
  volume={2017, Issue 1},
  pages={281-306},
  url={http://tosc.iacr.org/index.php/ToSC/article/view/595},
  doi={10.13154/tosc.v2017.i1.281-306},
  author={Siwei Sun and David Gerault and Pascal Lafourcade and Qianqian Yang and Yosuke Todo and Kexin Qiao and Lei Hu},
  year=2017
}