1 Introduction

Finding different types of distinguishers is the key step to evaluate the security of block ciphers. The automatic search methods are the main choices. Most of the early automatic search methods were based on special algorithms implemented from scratch in general purpose programming language. This kinds of methods may be more efficient in some specific cases but they are much more difficult to implement. Recently, the search problem is described as an SAT, MILP, or CP models which can be automatically solved with the corresponding solvers. Among them, the automatic search method based on MILP is simple and practical which has become a popular tool.

The MILP method was first proposed by Mouha et al. [1] which used for counting minimum number of differential (or linear) active s-boxes for word-oriented block ciphers. In Asiacrypt 2014, Sun et al. [2] proposed a extended framework for bit-oriented block ciphers. The key idea of [2] is to exact the inequalities from the H-representation of the convex hull of all possible differential patterns of the s-box. The linear inequalities describing the differential properties of up to 5-bit s-boxes can be obtained by using the SAGE [3] software and a greedy algorithm. Recently, the tools using the MILP method to searching integral distinguishers [4] based on division property and impossible differentials [5] have also been proposed. Usually, the MILP instances are be described with the LP format and solved with the optimizer Gurobi [6] which is the most efficient commercial solver currently. The MILP method is powerful, but there are some inherent drawbacks. In this paper, we mainly simplify the scale of MILP models and accelerate the search of (related-key) differential characteristics and impossible differentials for bit-oriented block ciphers.

Our Contributions. We proposes the OPB file format to describe the MILP models. Compared to the LP file format, this is more concise and more suitable for constructing models for bit-oriented block ciphers. By setting the parameter MIPFocus of Gurobi reasonably, the solution time can be greatly reduced. For the impossible differentials search, we give the simply linear inequalities of differential propagation of the modular addition without considering the differential probability. This helps reduce the number of variables and constraints in MILP models and speed up searches. As applications, we give the exact lower bounds of the number of related-key differential active s-boxes for LBlock and the impossible differentials for the SPECK family.

Organization. The remainder of the paper is organized as follows. In Sect. 2, we give a brief introduction to the automatic search tools based on MILP and Gurobi for bit-oriented block ciphers. And then we propose some techniques to improve the tools of (related-key) differentials and impossible differentials. As applications, we search the exact lower bounds of the number of related-key differential active s-boxes of LBlock and the impossible differentials of the SPECK family in Sect. 3. We conclude in Sect. 4.

2 The Automatic Search Tool Based on MILP and Gurobi

2.1 The (Related-Key) Differential Automatic Search Method for Bit-Oriented Block Ciphers

In this section, we give a brief introduction of Sun et al. [2] framework to find the exact lower bounds of the number of (related-key) differential active s-boxes for bit-oriented block ciphers. The details as follow.

Objective Function. We need introduce a 0–1 variable \(A_{i}\) to mark every s-box in the encryption process and the key schedule algorithm, such that:

$$\begin{aligned} A_{i}=\left\{ {\begin{array}{*{20}{lr}} 1,if\ the\ input\ word\ of\ the\ sbox\ is\ nonzero\\ 0,otherwise \end{array}} \right. \end{aligned}$$
(1)

So, the objective function is \(\sum _{i}A_{i}\).

Constraints. For the XOR operation, the bit-level input differences are ab and the bit-level output difference is c. Then the constraints are:

$$\begin{aligned} \left\{ {\begin{array}{*{20}{lr}} d_{\oplus }\ge a,d_{\oplus }\ge b,d_{\oplus }\ge c\\ a+b+c\ge d_{\oplus }\\ a+b+c\le 2 \end{array}} \right. \end{aligned}$$
(2)

where \(d_{\oplus }\) is a dummy variable.

For the \(w\times v \) s-box marked by \(A_{i}\), the input difference is \((x_{i0},x_{i1},\cdots ,x_{i(w-1)})\), the output difference is \((y_{i0},y_{i1},\cdots ,y_{i(v-1)})\), then:

$$\begin{aligned} \left\{ {\begin{array}{*{20}{lr}} A_{t}-x_{ik}\ge 0,k\in \{0,\cdots ,w-1\}\\ -A_{t}+\sum _{j=0}^{w-1}x_{ij}\ge 0 \end{array}} \right. \end{aligned}$$
(3)

For an bijective s-box, we have:

$$\begin{aligned} \left\{ {\begin{array}{*{20}{lr}} w\sum _{j=0}^{v-1}y_{ij}-\sum _{j=0}^{w-1}x_{ij}\ge 0\\ v\sum _{j=0}^{w-1}x_{ij}-\sum _{j=0}^{v-1}y_{ij}\ge 0 \end{array}} \right. \end{aligned}$$
(4)

In order to make use of the differential distribution table of the s-box, Sun et al. used the inequality-generator() function in the sage.geometry.polyhedron class of the SAGE software to obtain the convex hull of all possible differential patterns of the s-box. The number of this linear inequalities can be effectively reduced by using the greedy algorithm. After defining the objective function and the constraints, we need to construct a MILP instances in the LP format. Then we can employ the optimizer Gurobi to solve the MILP instances.

2.2 Improved Tools for Bit-Oriented Block Ciphers

We propose a new file format OPB to describe the MILP models for bit-oriented block ciphers. Gurobi can solve a variety of file format models, such as MPS, LP, OPB and so on. Among them, the MPS format is the most common, the LP format is more readable than MPS. The common method to describe the MILP models is the LP file format using Python or C++ language. The OPB format is used to store pseudo-Boolean satisfaction and pesudo-boolean optimization models which contains only boolean variables 0 or 1. So the OPB file format is more suitable to build MILP models for bit-oriented block ciphers. Compared to the LP file format, the OPB format is more concise, easy to read and write. The key words and contents of the two file formats are different, as shown in Table 1. First, the OPB format does not need to specify the variables and their types in particular because all of them have been default to Boolean variables. In addition, we can easy to describe the constraints of the differential propagation of the XOR operation in this format. As the bit-level input differences are aband the bit-level output difference is c. Then the constraint is:

$$\begin{aligned} c-a-b+2ab=0 \end{aligned}$$
(5)
Table 1. The comparison between the LP and OPB file format
Full size table

Many optimization parameters are provided by Gurobi to modify your high-level solution strategy, in which the parameter MIPFocus is one of the most important. MIPFocus = 1 means that you are more interested in good quality feasible solution. If the solver is having no trouble finding the optimal solution, select MIPFocus = 2. If the best objective bound is moving very slowly (or not at all), try MIPFocus = 3. So setting parameters properly can effectively reduce the solution time of the model. When solving the model of the number of (related-key) differential of active s-boxes, we can set MIPFocus = 1 to find a higher quality solution that can effectively shorten the solution time. The experimental results in Sect. 3.1 show that the solution time of the optimized models described with the OPB format are reduced greatly.

In addition, we propose a new simple linear inequalities of differential property of modular addition used in the search of impossible differentials. In [7], Fu et al. appended which is used to compute the differential probability to the vector and obtained 13 linear inequalities to describe the differential propagation of modular addition in bit-level. In [8, 9], this linear inequalities are used to the impossible differential search for ARX ciphers directly. In fact, it is not necessary to compute the differential probability of modular addition in the impossible differential search. We only need to give the linear inequalities of the 56 possible difference patterns of modular addition. By using the inequality-generator() function in the SAGE and the greedy algorithm, we only need 8 linear inequalities of all possible patterns of modular addition in bit-level which are listed below.

$$\begin{aligned} \left\{ {\begin{array}{*{20}{lr}} -\alpha [i]-\beta [i]-\gamma [i]+\alpha [i+1]+\beta [i+1]+\gamma [i+1]\ge -2\\ \quad \alpha [i]+\beta [i]+\gamma [i]-\alpha [i+1]-\beta [i+1]-\gamma [i+1]\ge -2\\ \quad \alpha [i]+\beta [i]+\gamma [i]+\alpha [i+1]+\beta [i+1]-\gamma [i+1]\ge 0\\ \quad \alpha [i]+\beta [i]+\gamma [i]+\alpha [i+1]-\beta [i+1]+\gamma [i+1]\ge 0\\ \quad \alpha [i]+\beta [i]+\gamma [i]-\alpha [i+1]+\beta [i+1]+\gamma [i+1]\ge 0\\ -\alpha [i]-\beta [i]-\gamma [i]+\alpha [i+1]-\beta [i+1]-\gamma [i+1]\ge -4\\ -\alpha [i]-\beta [i]-\gamma [i]-\alpha [i+1]+\beta [i+1]-\gamma [i+1]\ge -4\\ -\alpha [i]-\beta [i]-\gamma [i]-\alpha [i+1]-\beta [i+1]+\gamma [i+1]\ge -4\\ \end{array}} \right. \end{aligned}$$
(6)

As application, we use this linear inequalities of differential property of modular addition to construct the models of the impossible differential search for the SPECK family with the OPB format in Sect. 3.2.

3 Applications

3.1 Application to LBlock

Lblock is a lightweight block cipher designed by Wu and Zhang at ACNS [10]. Since the shift operation number of the key schedule of LBlock is 29, we can only use the bit-oriented MILP model in related-key differential search. The models based on the LP format and the OPB format are solved respectively. The size of models described by the OPB format are less than the LP format, so the solution time is more faster usually. By setting the parameter MIPFocus = 1, the solution time of the models is further shortened. The results are shown in Table 2. We improved the results of 9\(\sim \)11 rounds LBlock which show that 9/10/11 rounds exact lower bounds is 7/9/11 active s-boxes. In [11], Sun et al. needed about 4 days to find the 11-round exact lower bounds of the number of differential active s-boxes of LBlock in the related-key model. We only needed about 2 days. To the best of our knowledge, the 12-round exact lower bounds of the number of differential active s-boxes of LBlock is first obtained using about 3 weeks.

The computations are performed on PC (Intel(R) Core(TM) i3-4160 CPU, 3.60 GHz, 4.00 GB RAM, 4 cores, window7) with the optimizer Gurobi7.0.1.

Table 2. The exact lower bounds of the number of differential active s-boxes for round-reduced variants of LBlock in the related-key model
Full size table

3.2 Application to SPECK

SPECK is a family of lightweight block ciphers publicly released by National Security Agency (NSA) in June 2013 [12]. Cui et al. [8] proposed an algorithm for finding impossible differentials for block ciphers and obtained four 17-round impossible differentials for HIGHT. In [9], Lee et al. found 157 6-round impossible differentials for SPECK-64 by using the same method. All of them used the same linear inequalities of differential property of modular addition provided by [7]. We applied the improved model to the full versions of the SPECK family and limited the input and output differences to only 1 active bit. The results of the experiments are shown in the Table 3. The input or output difference is expressed by the position of non-zero bit. The position of the leftmost bit is 0.

The computations are performed on PC (Intel(R) Core(TM) i7-7500U CPU, 2.70 GHz, 8.00 GB RAM, 4 cores, window10) with the optimizer Gurobi7.0.1.

Table 3. Summary of impossible differentials on the SPECK family
Full size table

In addition, the modular addition exists a differential with probability 1 that the leftmost bit of one of input differences is active and the leftmost bit of the output difference is active. This difference can be propagate to the round function of SPECK. \(56 \nrightarrow 56\) and \(57 \nrightarrow 56\) are the 7-round impossible differentials for SPECK-128. We can append one round at the bottom and obtain two 8-round impossible differentials \(56 \nrightarrow 0, 64\) and \(57 \nrightarrow 0, 64\) for SPECK-128.

4 Conclusion

Our work provides a new OPB file format to describe the MILP models for bit-oriented block ciphers and also through setting the parameter MIPFocus = 1 to accelerate the search. In addition, we give a system of simple linear inequalities of differential patterns propagation of modular addition used in impossible differential search. We applied our techniques to LBlock and SPECK.