Paper 2023/1701

Improved Search for Integral, Impossible-Differential and Zero-Correlation Attacks: Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2

Hosein Hadipour, Graz University of Technology
Simon Gerhalter, Graz University of Technology
Sadegh Sadeghi, Institute for Advanced Studies in Basic Sciences
Maria Eichlseder, Graz University of Technology

Integral, impossible-differential (ID), and zero-correlation (ZC) attacks are three of the most important attacks on block ciphers. However, manually finding these attacks can be a daunting task, which is why automated methods are becoming increasingly important. Most automatic tools regarding integral, ZC, and ID attacks have focused only on finding distinguishers rather than complete attacks. At EUROCRYPT 2023, Hadipour et al. proposed a generic and efficient constraint programming (CP) model based on satisfiability for finding ID, ZC, and integral distinguishers. This new model can be extended to a unified CP model for finding full key recovery attacks. However, it has limitations, including determining the contradiction location beforehand and a cell-wise model unsuitable for weakly aligned ciphers like Ascon and PRESENT. They also deferred developing a CP model for the partial-sum technique in key recovery as future work. In this paper, we enhance Hadipour et al.'s method in several ways. First, we remove the limitation of determining the contradiction location in advance. Second, we show how to extend the distinguisher model to a bit-wise model, considering the internal structure of S-boxes and keeping the model based on satisfiability. Third, we introduce a CP model for the partial-sum technique for the first time. To show the usefulness and versatility of our approach, we apply it to various designs, from strongly aligned ones like ForkSKINNY and QARMAv2 to weakly aligned ones such as Ascon and PRESENT, yielding significantly improved results. To mention a few of our results, we improve the integral distinguisher of QARMAv2-128 (resp. QARMAv2-64) by 7 (resp. 5) rounds, and the integral distinguisher of ForkSKINNY by 1 round, only thanks to our cell-wise distinguishe modelings. By using our new bit-wise modeling, our tool can find a group of $2^{155}$ 5-round ID and ZC distinguishers for Ascon in only one run, taking a few minutes on a regular laptop. The new CP model for the partial-sum technique enhances integral attacks on all SKINNY variants, notably improving the best attack on SKINNY-$n$-$n$ in the single-key setting by 1 round. We also enhance ID attacks on ForkSKINNY and provide the first analysis of this cipher in a limited reduced-round setting. Our methods are generic and applicable to other block ciphers.

Note: The source code of our tool is available at

Available format(s)
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in TOSC 2024
Integral attacksPartial-sum techniqueIDZCAsconSKINNYSKINNYeForkSKINNYQARMAv2MANTISPRESENT
Contact author(s)
hossein hadipour @ iaik tugraz at
s gerhalter @ student tugraz at
s sadeghi khu @ gmail com
maria eichlseder @ tugraz at
2024-04-04: last of 6 revisions
2023-11-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hosein Hadipour and Simon Gerhalter and Sadegh Sadeghi and Maria Eichlseder},
      title = {Improved Search for Integral, Impossible-Differential and Zero-Correlation Attacks: Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1701},
      year = {2023},
      doi = {10.46586/tosc.v2024.i1.234-325},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.