Improved Search for Integral, Impossible Differential and Zero-Correlation Attacks

Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2

Authors

  • Hosein Hadipour Graz University of Technology, Graz, Austria
  • Simon Gerhalter Graz University of Technology, Graz, Austria
  • Sadegh Sadeghi Department of Mathematics, Institute for Advanced Studies in Basic Sciences (IASBS), Zanjan 45137-66731, Iran
  • Maria Eichlseder Graz University of Technology, Graz, Austria

DOI:

https://doi.org/10.46586/tosc.v2024.i1.234-325

Keywords:

Integral attacks, Partial-sum technique, Impossible differential attacks, Zero-correlation attacks, Ascon, SKINNY, SKINNYe, ForkSKINNY, QARMAv2, MANTIS, PRESENT

Abstract

Integral, impossible-differential (ID), and zero-correlation (ZC) attacks are three of the most important attacks on block ciphers. However, manually finding these attacks can be a daunting task, which is why automated methods are becoming increasingly important. Most automatic tools regarding integral, ZC, and ID attacks have focused only on finding distinguishers rather than complete attacks. At EUROCRYPT 2023, Hadipour et al. proposed a generic and efficient constraint programming (CP) model based on satisfiability for finding ID, ZC, and integral distinguishers. This new model can be extended to a unified CP model for finding full key recovery attacks. However, it has limitations, including determining the contradiction location beforehand and a cell-wise model unsuitable for weakly aligned ciphers like Ascon and PRESENT. They also deferred developing a CP model for the partial-sum technique in key recovery as future work.
In this paper, we enhance Hadipour et al.’s method in several ways. First, we remove the limitation of determining the contradiction location in advance. Second, we show how to extend the distinguisher model to a bit-wise model, considering the internal structure of S-boxes and keeping the model based on satisfiability. Third, we introduce a CP model for the partial-sum technique for the first time. To show the usefulness and versatility of our approach, we apply it to various designs, from strongly aligned ones like ForkSKINNY and QARMAv2 to weakly aligned ones such as Ascon and PRESENT, yielding significantly improved results. To mention a few of our results, we improve the integral distinguisher of QARMAv2-128 (resp. QARMAv2-64) by 7 (resp. 5) rounds, and the integral distinguisher of ForkSKINNY by 1 round, only thanks to our cell-wise distinguisher modelings. By using our new bit-wise modeling, our tool can find a group of 2155 5-round ID and ZC distinguishers for Ascon in only one run, taking a few minutes on a regular laptop. The new CP model for the partial-sum technique enhances integral attacks on all SKINNY variants, notably improving the best attack on SKINNY-n-n in the single-key setting by 1 round. We also enhance ID attacks on ForkSKINNY and provide the first analysis of this cipher in a limited reduced-round setting. Our methods are generic and applicable to other block ciphers.

Downloads

Published

2024-03-01

Issue

Section

Articles

How to Cite

Improved Search for Integral, Impossible Differential and Zero-Correlation Attacks: Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2. (2024). IACR Transactions on Symmetric Cryptology, 2024(1), 234-325. https://doi.org/10.46586/tosc.v2024.i1.234-325