A Novel Automatic Technique Based on MILP to Search for Impossible Differentials

Abstract

The Mixed Integer Linear Programming (MILP) is a common method of searching for impossible differentials (IDs). However, the optimality of the distinguisher should be confirmed by an exhaustive search of all input and output differences, which is clearly computationally infeasible due to the huge search space.

In this paper, we propose a new technique that uses two-dimensional binary variables to model the input and output differences and characterize contradictions with constraints. In our model, the existence of IDs can be directly obtained by checking whether the model has a solution. In addition, our tool can also detect any contradictions between input and output differences by changing the position of the contradictions. Our method is confirmed by applying it to several block ciphers, and our results show that we can find 6-, 13-, and 12-round IDs for Midori-64, CRAFT, and SKINNY-64 within a few seconds, respectively. Moreover, by carefully analyzing the key schedule of Midori-64, we propose an equivalent key transform technique and construct a complete MILP model for an 11-round impossible differential attack (IDA) on Midori-64 to search for the minimum number of keys to be guessed. Based on our automatic technique, we present a new 11-round IDA on Midori-64, where 23 nibbles of keys need to be guessed, which reduces the time complexity compared to previous work. The time and data complexity of our attack are \(2^{116.59}\) and \(2^{60}\), respectively. To the best of our knowledge, this is the best IDA on Midori-64 at present.

Appendices

A The Example IDs of 13-Round CRAFT and 12-Round SKINNY-64

Fig. 5.

Impossible differential of 13-round CRAFT

Fig. 6.

Impossible differential of 12-round SKINNY-64

B The Proof of Theorem 1

Proof

We denote the key nibbles guessing way of Theorem 1 as Strategy-1 (S1) and assume that the number of keys to be guessed is \(r_1\). Without loss of generality, we assume that there is a different key nibbles guessing way (denoted as Strategy-2 (S2)) that only converts the equivalent key nibbles \(RK_{8}^{\prime }\) in the S1 into original key nibbles \(RK_{8}\), i.e., the equivalent key nibbles \(RK_{9}^{\prime }\), original key nibbles WK, \(RK_0\), and \(RK_{8}\) need to be guessed in the S2. Let the GKM of S2 be \(\mathbb {K}'\), the number of keys to be guessed is \(r_2\). In the following, we prove that

$$\begin{aligned} r_1 \le r_2. \end{aligned}$$

Since some key nibbles of \(RK_{8}^{\prime }\) and \(RK_{8}\) can be calculated according to the linear relations between WK, \(K_1'\), \(K_0\), and \(K_0'\), thus they do not need to be guessed. We denote the key nibbles of \(RK_{8}^{\prime }\) in \(\mathbb {K}\) and \(RK_{8}\) in \(\mathbb {K}'\) that can be calculated as Calculable Key Nibbles (CKN), and we denote the number of CKNs in S1 and S2 as \(|\texttt {CKN}_1|\) and \(|\texttt {CKN}_2|\), respectively. Thus, the linear relations between WK, \(K_1'\), \(K_0\), and \(K_0'\) should be considered to calculate \(r_1\) and \(r_2\). In the following, we denote

$$\mathcal {C}^i = \{(i+1)\bmod 4, (i+2)\bmod 4, (i+3)\bmod 4\},$$

where \(0 \le i \le 3\). Then

$$\begin{aligned} K_0'[i] = \bigoplus _{j\in \mathcal {C}^i} K_0[j]. \end{aligned}$$

(2)

$$\begin{aligned} K_0[i] = \bigoplus _{j\in \mathcal {C}^i} K_0'[j]. \end{aligned}$$

(3)

We take the key nibbles in the first column of \(RK_{8}^{\prime }\) (\(K_0'[0],\ldots ,K_0'[3]\)) and \(RK_{8}\) (\(K_0[0],\ldots ,K_0[3]\)) as an example to discuss the calculation process of \(r_1\) and \(r_2\).

Before Considering the CKN of \(RK_{8}^{\prime }\) and \(RK_{8}\) :

1. 1.

   If there are 0 nibbles of the first column of \(RK_{8}^{\prime }\) need to be guessed in S1, there are 0 nibbles in the first column of \(RK_{8}\) need to be guessed in S2.

2. 2.

   If there is 1 nibble of the first column of \(RK_{8}^{\prime }\) that needs to be guessed in S1, without loss of generality, we assume that \(K_0'[0]\), which satisfies Eq. 2, needs to be guessed in S1. Then there are 3 nibbles in the first column of \(RK_{8}\) that need to be guessed in S2.

3. 3.

   If there are at least 2 nibbles of the first column of \(RK_{8}^{\prime }\) that need to be guessed in S1, without loss of generality, we assume that \(K_0'[0], \ldots , K_0'[n-1]\) (\(2 \le n \le 4\)), which satisfy Eq. 2, need to be guessed in S1. Then there are 4 nibbles in the first column of \(RK_{8}\) need to be guessed in S2.

After Considering the CKN of \(RK_{8}^{\prime }\) and \(RK_{8}\) :

1. 1.

   If there are 4 nibbles in the first column of \(RK_{8}\) that need to be guessed in S2, and \(|\texttt {CKN}_2|= m\) \((m \le 4)\), without loss of generality, we assume that \(K_0[0],\ldots , K_0[m-1]\), which satisfy Eq. 3, are CKNs, and after considering the linear relations between WK, \(K_1'\), \(K_0\), and \(K_0'\), \(K_0[m],\ldots , K_0[3]\) are keys that still need to be guessed in S2. Then, we need to guess at most \(4-m\) nibbles in the first column of \(RK_{8}^{\prime }\) in S1, since if \(K_0[i]\) (\(0 \le i \le 3\)) is CKN, we only need to guess at most any 2 nibbles in \(\{K_0'[j] \mid j\in \mathcal {C}^i\}\). For example, when \(m=3\), without loss of generality, we assume that \(K_0[0], K_0[1], K_0[2]\), which satisfy Eq. 3, are CKNs, that is, \(\bigoplus _{j \in \mathcal {C}^0}K_0'[j]\), \(\bigoplus _{j \in \mathcal {C}^1}K_0'[j]\), and \(\bigoplus _{j \in \mathcal {C}^2}K_0'[j]\) are known, so we only need to guess at most \(4-m=1\) nibble in \(\{K_0'[j] \mid j=0,1,2,3\}\) in S1.

2. 2.

   If there are n (\(1 \le n \le 3\)) nibbles in the first column of \(RK_{8}\) need to be guessed in S2, and \(|\texttt {CKN}_2|= m\) \((m \le n)\), without loss of generality, we assume that \(K_0[0],\ldots , K_0[m-1]\), which satisfy Eq. 3, are CKNs, and after considering the linear relations between WK, \(K_1'\), \(K_0\), and \(K_0'\), \(K_0[m],\ldots , K_0[n-1]\) are keys that still need to be guessed in S2. Then, we need to guess at most 1 nibble in the first column of \(RK_{8}^{\prime }\) in S1. In particular, when \(n=m=3\), without loss of generality, we assume that \(K_0[0], K_0[1], K_0[2]\), which satisfy Eq. 3, are CKNs. Then, we need to guess 0 nibbles in the first column of \(RK_{8}^{\prime }\) in S1, since we can calculate \(K_0'[3]\) by \(K_0'[3] = \bigoplus _{j \in \mathcal {C}^3}K_0[j]\).

3. 3.

   If there are 0 nibbles in the first column of \(RK_{8}\) need to be guessed in S2, and \(|\texttt {CKN}_2|= 0\). Then, we need to guess 0 nibbles in the first column of \(RK_{8}^{\prime }\) in S1.

Therefore, after considering the CKN of \(RK_{8}^{\prime }\) and \(RK_{8}\), the number of key nibbles that need to be guessed in the first column of \(RK_{8}^{\prime }\) in S1 must be less than or equal to the number of key nibbles that need to be guessed in the first column of \(RK_{8}\) in S2. Similarly, we can get the same conclusion when considering other columns of \(RK_{8}\) and \(RK_{8}^{\prime }\). Thus,

$$\begin{aligned} r_1 \le r_2. \end{aligned}$$