Cryptology ePrint Archive: Report 2017/162

Analysis of AES, SKINNY, and Others with Constraint Programming

Siwei Sun and David Gerault and Pascal Lafourcade and Qianqian Yang and Yosuke Todo and Kexin Qiao and Lei Hu

Abstract: Search for different types of distinguishers are common tasks in symmetric-key cryptanalysis. In this work, we employ the constraint programming (CP) technique to tackle such problems. First, we show that a simple application of the CP approach proposed by Gerault \Dengdeng~leads to the solution of the open problem of determining the exact lower bound of the number of active S-boxes for 6-round AES-128 in the related-key model. Subsequently, we show that the same approach can be applied in searching for integral distinguishers, impossible differentials, zero-correlation linear approximations, in both the single-key and related-(twea)key model. We implement the method using the open source constraint solver Choco and apply it to the block ciphers PRESENT, SKINNY, and HIGHT (ARX construction). As a result, we find 16 related-tweakey impossible differentials for 12-round SKINNY-64-128 based on which we construct an 18-round attack on SKINNY-64-128 (one target version for the crypto competition \url{https://sites.google.com/site/skinnycipher} announced at ASK 2016). Moreover, we show that in some cases, when equipped with proper strategies (ordering heuristic, restart and dynamic branching strategy), the CP approach can be very efficient. Therefore, we suggest that the constraint programming technique should become a convenient tool at hand of the symmetric-key cryptanalysts

Category / Keywords: Differential Cryptanalysis, Integral Cryptanalysis, Constraint Programming, AES, SKINNY

Original Publication (in the same form): IACR-FSE-2017

Date: received 19 Feb 2017, last revised 23 Feb 2017

Contact author: sunsiwei at iie ac cn

Available format(s): PDF | BibTeX Citation

Version: 20170224:031314 (All versions of this report)

Short URL: ia.cr/2017/162

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]