
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

Improved MILP Modeling for Automatic Security Evaluation and Application to FOX
Kexin QIAO Lei HU Siwei SUN Xiaoshuang MA Haibin KAN
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E98A
No.1
pp.7280 Publication Date: 2015/01/01
Online ISSN: 17451337
DOI: 10.1587/transfun.E98.A.72
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Symmetric Key Based Cryptography Keyword: FOX block cipher, differential attack, active Sbox, mixedinteger linear programming,
Full Text: PDF(1.7MB)>>
Summary:
Counting the number of differentially active Sboxes is of great importance in evaluating the security of a block cipher against differential attack. Mouha et al. proposed a technique based on MixedInteger Linear Programming (MILP) to automatically calculate a lower bound of the number of differentially active Sboxes for wordoriented block ciphers, and applied it to symmetric ciphers AES and Enocoro128v2. Later Sun et al. extended the method by introducing bitlevel representations for Sboxes and new constraints in the MILP problem, and applied the extended method to PRESENT80 and LBlock. This kind of methods greatly depends on the constraints in the MILP problem describing the differential propagation of the block cipher. A more accurate description of the differential propagation leads to a tighter bound on the number of differentially active Sboxes. In this paper, we refine the constraints in the MILP problem describing XOR operations, and apply the refined MILP modeling to determine a lower bound of the number of active Sboxes for the LaiMassey type block cipher FOX in the model of singlekey differential attack, and obtain a tighter bound in FOX64 than existing results. Experimental results show that 6, instead of currently known 8, rounds of FOX64 is strong enough to resist against basic singlekey differential attack since the differential characteristic probability is upper bounded by 2^{64}, and thus the maximum differential characteristic probability of 12round FOX64 is upper bounded by 2^{128}, where 128 is the keylength of FOX64. We also get the lower bound of the number of differentially active Sboxes for 5round FOX128, and proved the security of the fullround FOX128 with respect to singlekey differential attack.

