Abstract

WARP, an efficient lightweight block cipher presented by Banik et al., offers a viable alternative to AES with its 128-bit block and 128-bit key. It adopts a 32-nibble type-II generalized Feistel network (GFN) structure, incorporating a nibble permutation optimized for both security and efficiency. Notably, WARP has the smallest hardware implementation among 128-bit block ciphers: its bit-serial encryption-only circuit is only 763 gate equivalents (GEs). Consequently, WARP has received significant attention since its inception. The designers evaluated the number of active Sboxes in linear trails of WARP to establish its security. To further investigate WARP’s resistance against linear attacks, we employ an automated model to analyze the optimal linear trails/hulls of WARP. To achieve this, the problem is transformed into a Boolean satisfiability problem (SAT). Constraints in conjunctive normal form (CNF) describe the mask propagation of WARP, and a SAT solver is invoked to find valid solutions. The results allowed us to obtain the optimal correlation of the linear trails for the first 21 rounds of WARP. Furthermore, by enumerating the linear trails within a linear hull, the distribution of linear trails is revealed, and the probability of the linear hull is estimated more accurately. This work extends the linear distinguisher from 18 to 21 rounds. Additionally, the first independent analysis of WARP’s linear properties is presented, offering a more precise evaluation of its resistance against linear cryptanalysis.

1. Introduction

1.1. Background

Linear cryptanalysis, as presented by Matsui [1], stands as a prominent method employed in the analysis of symmetric-key ciphers. By identifying linear trails with high correlation, it becomes possible to conduct attacks more efficiently, achieving a lower complexity compared to brute-force searching. Consequently, resistance to linear cryptanalysis emerges as a critical aspect to be considered by both designers and potential attackers.

The development of search methods for differential [2, 3] and linear trails is closely intertwined, because the propagation of difference pairs and of linear masks through branching and XOR operations exhibits a dual nature [4]. Matsui’s branch-and-bound method, initially introduced at EUROCRYPT 1994 for searching differential trails with optimal probability, is also commonly employed for searching linear trails with optimal correlation. Although this method is powerful, it demands strong programming skills. In recent years, automated models such as mixed integer linear programming (MILP) [5, 6], constraint programming (CP) [7], satisfiability modulo theories (SMT) [8], and the Boolean satisfiability problem (SAT) [9, 10] have exhibited remarkable performance in discovering various distinguishers in cryptanalysis. However, for long trails or ciphers with a 128-bit block, these models still struggle to return solutions within a reasonable time. By integrating the strengths of both approaches, researchers have made significant progress in improving the efficiency of trail search algorithms, as demonstrated in works such as those by Sun et al. [10] and Zhang et al. [11].

It is crucial for symmetric-key cryptography to prioritize resistance against distinguishing attacks as a fundamental security requirement. WARP, with a 128-bit block, was specifically designed for efficient hardware implementation [12]. It has undergone a preliminary security evaluation covering a range of attacks, including differential, linear, impossible differential, and integral attacks. Regarding impossible differential cryptanalysis, the designers obtained a 21-round impossible differential distinguisher using the approach of Sasaki and Todo [13]. Independently, other researchers discovered a 21-round zero-correlation distinguisher [14, 15]. For integral attacks, the designers found a 20-round integral distinguisher using the MILP model of Xiang et al. [16], and a 24-round generalized integral distinguisher was subsequently proposed by observing the properties of WARP’s construction [14]. Additionally, an extension of the model led to the discovery of a 23-round boomerang distinguisher [17]. To assess security against differential and linear attacks, the designers employed a MILP-based automated model [5] to obtain lower bounds on the number of active Sboxes. Taking the clustering effect into account, a 20-round differential distinguisher was identified by Teh and Biryukov [18]. However, until now, no investigation has explored actual linear distinguishers for WARP. This gap leaves room for further exploration of WARP.

1.2. Contribution

In this paper, the main objective is to identify distinguishers, which are instrumental in understanding the structural properties and the security of the underlying components of WARP. The analysis in this paper has yielded several important findings and results, which are summarized as follows:
(1) Using the constructed SAT model, we have validated the lower bounds on the number of active Sboxes for the linear trails of the first 19 rounds of WARP, as stated in the design documentation. Furthermore, the lower bound on the number of active Sboxes in the 20-, 21-, and 22-round linear trails is determined to be 70, 75, and 79, respectively.
(2) We have identified the first 21-round linear trails with optimal correlation, which match the upper bound estimated from the lower bound on the number of active Sboxes. Notably, the findings reveal that the 18-round linear trails of WARP have the optimal correlation , indicating that WARP is not able to withstand a linear trail-based distinguishing attack.
(3) Moreover, the 20-round linear trail with optimal probability is obtained. With the help of the automated model, 186,856 trails are found to contribute to the same 20-round linear hull, and the probability of the 20-round linear hull is improved from to , which is lower than , thereby extending the distinguishers from 18 to 20 rounds. To the best of our knowledge, these results represent the current optimal linear distinguishers for WARP. Table 1 gives a comprehensive overview of the single-key distinguishers for WARP; the entries in bold are the results obtained in this paper.

1.3. Organization

This paper is structured as follows. We present the necessary definitions related to linear cryptanalysis and provide a concise overview of WARP in Section 2. Section 3 outlines the SAT model employed in the search for linear trails in WARP. The identification of linear trails with lower bounds for the number of active Sboxes and optimal correlations is presented in Section 4. Section 5 focuses on the discovery of optimal linear distinguishers for WARP. Finally, a summary of this work can be found in Section 6.

2. Preliminaries

Let us begin by introducing the notations that will be utilized throughout this paper. Subsequently, a concise overview of the concepts related to linear cryptanalysis will be presented. Moving forward, we provide a detailed description of the WARP specification, which is the primary focus of our study.

2.1. Notions

To maintain consistency and clarity, we employ specific notations to analyze and discuss the linear cryptanalysis of WARP. The meanings of these notations are summarized in Table 2.

2.2. Linear Cryptanalysis

Linear cryptanalysis is widely recognized as a powerful technique for analyzing symmetric-key primitives, especially block ciphers [1]. It has gained widespread recognition and has been extensively applied in the field, with several extensions proposed over time. In the subsequent sections, we introduce a collection of definitions and notations, which will be consistently employed in this paper. These definitions and notations aim to facilitate our discussions and analysis.

Definition 1. Let denote an iterative block cipher, where represents the input and denotes the master key. The round function of the block cipher is written as . For a given pair of linear masks , the linear approximation expression of is . Similarly, for the block cipher , the linear approximation expression is given by .

Linear cryptanalysis is a well-known method utilized for analyzing block ciphers. Its primary goal is to distinguish a block cipher from a random permutation by discovering a probabilistic linear approximation expression that establishes a correlation between the plaintext and ciphertext. This technique serves as the foundation for key recovery attacks.

For a block cipher, by analyzing the biases and correlations of linear approximation expressions, cryptanalysts can identify potential distinguishers that exploit linear trails. In linear cryptanalysis, let denote the mask of the input and the mask of the output . The probability of the linear approximation expression is written as . The bias of this expression quantifies its deviation from a balanced distribution and is defined as the difference between the probability that the expression holds and the ideal probability . The linear approximation bias is given by , and it ranges from to . The correlation measures the strength of the linear relationship between the input and output masks. It is calculated as follows:where . Usually, in the distinguishing phase, linear cryptanalysis mainly focuses on linear trails with optimal correlation.

Definition 2. For a block cipher, a -round linear trail is a concatenation of linear approximations of the single round , where .

Definition 3. (The correlation of the linear trail [23]) Given a -round linear trail , its correlation is computed by taking the product of the individual correlations along the trail, i.e.:

When constructing a distinguisher, the adversary’s primary concern is the probability of the linear hull rather than the individual intermediate masks. Consequently, the adversary aims to gather all trails having the same masks . By collecting a larger number of trails, the adversary obtains a more accurate estimate of the probability associated with the specific linear hull.

Definition 4. (Linear hull [24]) A linear hull is a construct used in linear cryptanalysis that consists of a collection of linear trails. These trails share the same input and output masks . Essentially, a linear hull represents a specific linear approximation of a given block cipher.

Definition 5. The potential of a linear hull is measured by the average linear probability (ALP) over the key space . This measure, denoted as , is defined as the average of the squared correlations between the input and output masks , , considering all possible keys in , i.e.:

2.3. Description of WARP

WARP is a lightweight block cipher with the aim of achieving 128-bit security while keeping the implementation footprint small [12]. It applies the type-II generalized Feistel network (GFN) [25] structure, which is a well-known construction in the field of symmetric-key cryptography. It takes a 128-bit plaintext denoted as and the 128-bit master key written as as inputs. Through a series of 41 encryption rounds, WARP transforms the plaintext into a 128-bit ciphertext represented as .

2.3.1. Round Function

For WARP, the internal state in the r-th round consists of 32 nibbles denoted as , where , and each denotes the i-th nibble. The round key is expressed as 16 nibbles , where , . The round function of WARP, as shown in Figure 1, employs 4-bit Sbox operations, nibble XOR operations, and a shuffle operation applied to the 32 nibbles. These operations are performed as follows.

Sbox: To fulfill the design objectives of WARP, such as a compact circuit, low path delay, and efficient energy utilization, WARP uses the 4-bit Sbox of MIDORI [26]. The Sbox is defined by the values shown in Table 3.

Add round key: A bitwise XOR is performed between the 16 nibbles of the Sbox output, the 16 nibbles of the even branches , and the 16 round-key nibbles , where and .

Add round constant: The round constants, represented by 2 nibbles , are XOR-ed with the first and third nibbles of the intermediate state.

Shuffle operation: WARP employs a 32-branch permutation that exhibits strong diffusion properties and resistance against major attacks. The input state, composed of 32 nibbles, is represented as . The output state is obtained by applying the permutation such that , where . The specific permutation is shown in Table 4. It is worth mentioning that the permutation operation is not performed in the final round.

This paper does not specifically investigate the influence of the round constants on the attack’s validity, and it does not discuss the key schedule. Banik et al. [12] give a more comprehensive description of WARP and its specific details.

3. SAT-Based Model to Search Linear Trail for WARP

As far as cryptanalysis is concerned, many problems such as the search for linear trails can be reformulated as systems of equations, and SAT solvers are commonly employed to solve equation-based problems. In this section, the SAT-based automated model introduced in a study by Sun et al. [10] is utilized to assess the resistance of WARP against linear attacks. This systematic approach allows us to efficiently identify the optimal linear trails for WARP.

3.1. Boolean Satisfiability Problem

The algebraic normal form (ANF) is a commonly employed representation in cryptography for describing symmetric ciphers. By converting ANF equations over Boolean variables into conjunctive normal form (CNF), SAT solvers can be employed directly, since CNF is their standard input format. This transformation makes it possible to use SAT solvers to analyze and solve equation-based cryptographic problems. In CNF, the Boolean function is represented as a conjunction of clauses , where each clause is a disjunction of literals. This form is equivalent to the product-of-sums representation of Boolean functions, where the function is expressed as a conjunction of terms and each term is a disjunction of literals. Russell and Norvig [27] provide more detailed information on CNF and its relation to Boolean functions.

Cook [28] proved that SAT is nondeterministic polynomial (NP) complete, which means that finding a satisfying assignment for a given set of Boolean clauses is computationally hard in general. Despite this theoretical complexity, modern SAT solvers have made significant advances and can effectively handle problems with millions of variables. The solver Cryptominisat5 [29] is an example of a general-purpose and efficient SAT solver. It is designed to handle large-scale SAT instances and offers native support for XOR clauses and Gaussian elimination. It employs advanced algorithms and heuristics to improve performance and optimize the search for satisfying assignments. With the capabilities of SAT solvers like Cryptominisat5, complex cryptanalysis problems can be tackled by formulating them as SAT instances and utilizing the solver’s efficient solving techniques.

3.2. SAT Models for the Linear Approximation of WARP

When utilizing SAT solvers to search for linear trails, it is necessary to translate this problem into a set of clauses that capture the linear propagation properties of WARP. By the findings of Sun et al. [4], the propagation of linear masks through the XOR operation is dual to the propagation of differences through the XOR operation. Next, we present a concise overview of the SAT models employed for the fundamental operations used in WARP. For a more comprehensive treatment, we refer the reader to [9, 10, 30].

3.2.1. Three-Fork Branching

Consider the three-fork branching operation, where represents the input mask and and denote the two output masks. The nontrivial propagation is valid if and only if the masks , , and satisfy all the conditions outlined as follows:

3.2.2. XOR

The propagation of the two input masks and , along with the output mask , should fulfill all the conditions described as follows:

3.2.3. Sbox

The linear propagation of an Sbox is often characterized using a linear approximation table (LAT). The input mask of the Sbox is denoted as and the output mask is written as . Table 5 shows the LAT of the WARP Sbox, whose entries are the values of . The corresponding absolute correlations of the linear approximations fall within the range . Two Boolean variables and are used to encode the correlation of the linear propagation through the Sbox. To describe the correlation of a valid linear propagation, and satisfy the following rule:

Note that represents the negative binary logarithm of , i.e., . To capture the valid linear propagations together with their correlation , we define a 10-bit Boolean function as follows:

The constraints are then minimized using Logic Friday (https://web.archive.org/web/20131022021257/http:/www.sontrak.com/), and the result shows that the nontrivial linear mask propagations with correlation for WARP’s Sbox can be described by 53 clauses, as shown in Table 6. Similarly, a Boolean variable is used to indicate the activeness of the Sbox. If the input and output masks of the Sbox are nonzero, the Sbox is called active and ; conversely, denotes an inactive Sbox. As a result, 40 clauses, as shown in Table 7, describe the valid linear mask propagations of WARP’s Sbox. These clauses capture the conditions under which the linear propagation through the Sbox holds.
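The following Python, added here and not taken from the paper or from the WARP designers, builds the three clause sets of Section 3.2 (three-fork branching, XOR, and the Sbox with its correlation weight and activeness variables) and checks each of them exhaustively. The Sbox values are MIDORI’s Sb0 as adopted by WARP; the (p0, p1) weight encoding, the variable layout, and the naive blocking-clause CNF (used in place of the Logic Friday-minimized 53 and 40 clauses of Tables 6 and 7) are this example’s own assumptions.

```python
# Added example: CNF building blocks for the linear-mask propagation of WARP's components.
import math
from itertools import product

# MIDORI Sb0, the 4-bit Sbox used by WARP (assumed here; the paper's Table 3 is not reproduced).
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

def parity(x):
    return bin(x).count("1") & 1

def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - 8 (the paper's Table 5)."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]

def sbox_weights(sbox):
    """(a, b) -> w = -log2|cor| for every nontrivial linear propagation with a nonzero LAT entry."""
    table, n = lat(sbox), len(sbox)
    weights = {}
    for a, b in product(range(n), repeat=2):
        if (a, b) != (0, 0) and table[a][b] != 0:
            cor = abs(table[a][b]) / (n // 2)        # |cor| = |LAT entry| / 8
            weights[(a, b)] = round(-math.log2(cor))
    return weights

def bits(v, width):
    """Little-endian bit list of v (bit 0 first)."""
    return [(v >> i) & 1 for i in range(width)]

def truth_table_cor(sbox):
    """Valid points of the 10-bit function f(a0..a3, b0..b3, p0, p1): (a, b) propagates with
    weight w = p0 + p1. Assumed encoding: inactive -> 00, weight 1 -> 10, weight 2 -> 11."""
    valid = {tuple(bits(a, 4) + bits(b, 4) + [1, 1 if w == 2 else 0])
             for (a, b), w in sbox_weights(sbox).items()}
    valid.add(tuple([0] * 10))                       # inactive Sbox carries weight 0
    return valid

def truth_table_act(sbox):
    """Valid points of the 9-bit activeness function (a0..a3, b0..b3, u): u = 1 iff active."""
    valid = {tuple(bits(a, 4) + bits(b, 4) + [1]) for (a, b) in sbox_weights(sbox)}
    valid.add(tuple([0] * 9))
    return valid

def blocking_cnf(valid, nvars):
    """Naive CNF: one clause that forbids each invalid assignment. A literal is (var, polarity);
    a minimizer such as Logic Friday compresses this to the 53/40 clauses the paper reports."""
    return [[(i, 1 - point[i]) for i in range(nvars)]
            for point in product((0, 1), repeat=nvars) if point not in valid]

def branch_clauses(a, b, c):
    """Three-fork branching (Section 3.2.1): input mask a splits into output masks b and c,
    so bitwise a = b XOR c (the dual of the XOR difference rule). Arguments are tuples of var ids."""
    cls = []
    for x, y, z in zip(a, b, c):
        cls += [[(x, 0), (y, 1), (z, 1)], [(x, 1), (y, 0), (z, 1)],
                [(x, 1), (y, 1), (z, 0)], [(x, 0), (y, 0), (z, 0)]]
    return cls

def xor_clauses(a, b, c):
    """XOR (Section 3.2.2): both input masks equal the output mask bitwise, a = b = c."""
    cls = []
    for x, y, z in zip(a, b, c):
        cls += [[(x, 0), (y, 1)], [(x, 1), (y, 0)], [(y, 0), (z, 1)], [(y, 1), (z, 0)]]
    return cls

def satisfies(clauses, point):
    return all(any(point[v] == pol for v, pol in cl) for cl in clauses)

def cnf_matches(clauses, valid, nvars):
    """Exhaustive check that the CNF accepts exactly the valid set and nothing else."""
    return all(satisfies(clauses, p) == (p in valid) for p in product((0, 1), repeat=nvars))

if __name__ == "__main__":
    w = sbox_weights(SBOX)
    print("nontrivial propagations:", len(w), "weights used:", sorted(set(w.values())))
    v10 = truth_table_cor(SBOX)
    print("weight model exact:", cnf_matches(blocking_cnf(v10, 10), v10, 10))
```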

3.3. Modeling the Objective Function

When analyzing primitives that rely on Sboxes as fundamental components, automated searches for linear trails aim at one of the following two kinds of objectives:
(1) The first kind of objective is to minimize the number of active Sboxes in the trails. To achieve this, auxiliary variables are introduced for each Sbox in each round, where and . The number of active Sboxes is limited to at most , where is a positive integer; the objective function is defined as follows:
(2) The second kind of objective is to discover linear trails with optimal correlation. To achieve this, auxiliary variables and are introduced for each Sbox in each round, where and . The objective is to find linear trails with correlation no more than , i.e., , where is a positive integer. The objective function represents the negative binary logarithm of the correlation, that is:

Indeed, the objective functions in Equations (8) and (9) can be expressed as cardinality constraints of the form , where is a nonnegative integer. The sequential encoding method proposed by Sinz [31] can be employed to convert these constraints into Boolean expressions [9, 10, 30, 32]. When , the constraint is simply for , which is trivial. For , additional Boolean variables are introduced to construct the following clauses, where and .
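As an added example (not the paper’s code), the following Python implements Sinz’s sequential-counter encoding of the cardinality constraint x_1 + … + x_n ≤ k used for the objective functions (8) and (9), together with an exhaustive check that the CNF is satisfiable exactly when at most k of the x_i are true. The DIMACS-style variable numbering (x_i = i, the auxiliary s_{i,j} allocated after the x’s) is this example’s assumption.

```python
# Added example: Sinz's sequential counter for "at most k of x_1..x_n", plus a brute-force check.
from itertools import product

def seq_counter_atmost(n, k):
    """Return (clauses, num_vars) encoding x_1 + ... + x_n <= k for variables 1..n.
    Literals are signed integers (DIMACS style). For 1 <= k < n the encoding introduces the
    auxiliary variables s_{i,j} (1 <= i < n, 1 <= j <= k), where s_{i,j} = 1 means that at
    least j of x_1..x_i are set."""
    if k == 0:                                     # trivial case noted in the paper: every x_i = 0
        return [[-i] for i in range(1, n + 1)], n
    if k >= n:                                     # nothing to constrain
        return [], n
    s = lambda i, j: n + (i - 1) * k + j           # fresh id for s_{i,j}
    cls = [[-1, s(1, 1)]]                          # x_1 -> s_{1,1}
    cls += [[-s(1, j)] for j in range(2, k + 1)]   # s_{1,j} = 0 for j > 1
    for i in range(2, n):
        cls.append([-i, s(i, 1)])                  # x_i -> s_{i,1}
        cls.append([-s(i - 1, 1), s(i, 1)])        # s_{i-1,1} -> s_{i,1}
        for j in range(2, k + 1):
            cls.append([-i, -s(i - 1, j - 1), s(i, j)])  # x_i and s_{i-1,j-1} -> s_{i,j}
            cls.append([-s(i - 1, j), s(i, j)])          # s_{i-1,j} -> s_{i,j}
        cls.append([-i, -s(i - 1, k)])             # overflow: x_i forbids s_{i-1,k}
    cls.append([-n, -s(n - 1, k)])                 # x_n forbids s_{n-1,k}
    return cls, n + (n - 1) * k

def clause_count(n, k):
    """Closed form for the number of clauses produced above when 1 <= k < n."""
    return n if k == 0 else (0 if k >= n else 2 * n * k + n - 3 * k - 1)

def satisfiable_under(clauses, num_vars, fixed):
    """Given fixed values for some variables, search the remaining ones exhaustively."""
    free = [v for v in range(1, num_vars + 1) if v not in fixed]
    for vals in product((False, True), repeat=len(free)):
        asg = dict(fixed)
        asg.update(zip(free, vals))
        if all(any(asg[abs(l)] == (l > 0) for l in cl) for cl in clauses):
            return True
    return False

def encoding_is_exact(n, k):
    """True iff the CNF is satisfiable exactly for the x-assignments with popcount <= k."""
    clauses, nv = seq_counter_atmost(n, k)
    for xs in product((False, True), repeat=n):
        fixed = {i + 1: xs[i] for i in range(n)}
        if satisfiable_under(clauses, nv, fixed) != (sum(xs) <= k):
            return False
    return True

if __name__ == "__main__":
    cls, nv = seq_counter_atmost(5, 2)
    print(len(cls), "clauses,", nv, "variables; exact:", encoding_is_exact(5, 2))
```

In the paper’s model the x_i are the activeness variables of Equation (8) or the weight variables p0, p1 of Equation (9), and k is the threshold that Algorithm 1 lowers until the solver reports unsatisfiable.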

Algorithm 1 describes the process of searching for -round linear trails. The search model consists of two steps: constructing the linear mask propagations of the -round function of WARP and setting the objective function according to the threshold. The objective function takes one of the two forms in Equation (8) or Equation (9). The solver is then invoked on the model; if it returns a solution, the model is feasible for the current threshold. For example, when searching for -round linear trails with optimal correlation : if the model has no solution with the objective function of Equation (9) set to , but has a solution with it set to , then the solver has found a -round linear trail with the optimal correlation .

Algorithm 1: Search for -round linear trails of WARP.
Input: -round, predefined threshold of the correlation (the number of active Sboxes ), ().
Output: If (), return a linear trail with optimal correlation (lower bound for the number of active Sboxes).
/* Step 1: Construct the SAT model. */
For to do
  For to 32 do
    Add the constraints in Equation (4) to describe the mask propagations of three-fork branching.
    If :
      If :
        Add the constraints in Table 6 to describe the mask propagations of the Sbox with correlations.
      If :
        Add the constraints in Table 7 to describe the mask propagations of the activeness of the Sbox.
    Add the constraints in Equation (5) to describe the mask propagations of the XOR operation and the operation.
/* Step 2: Find a linear trail. */
If then
  , set the objective function to Equation (9).
If then
  , set the objective function to Equation (8).
For to do
  Add the constraints to describe the objective function.
  Invoke the solver to solve the model.
  If the solver finds a solution then
    Return the -round linear trail.
  Else
    .

3.4. Modeling the Conditions for Branch-and-Bound Method with Sequential Encoding Method

The branch-and-bound method is a popular approach for solving integer programming problems. It systematically explores the solution space and identifies optimal solutions. In cryptanalysis, it has been successfully used to search for optimal solutions such as differential trails with optimal probability [33]. Its core idea is to break the solution space into smaller subsets by branching; by iteratively branching and computing bounds, the algorithm progressively narrows the search space until an optimal solution is found.

In the context of cryptanalysis, consider a scenario where we have an initial correlation estimate for -round trails and the optimal correlations of the -round linear trails are known, where . Assume that the first rounds of a linear trail have been fixed, and that the correlation of each round is , where and . The question is whether this partial trail can be extended into a better -round trail. This is decided by checking the following condition:

This condition serves as the pruning criterion. If a partial trail does not satisfy it, there is no need to explore it further, since it cannot lead to a better solution. Pruning such partial trails shrinks the search space and reduces the computational effort required. The branch-and-bound method, combined with this pruning condition, allows an efficient search for optimal linear trails.

The following equations describe the bounding conditions of the branch-and-bound method:where is the total number of Boolean variables, represented as . Following the method of Sun et al. [10], Equation (12) is encoded in three cases according to the values of and . These cases are as follows:

The number of clauses in the three cases is as follows: clauses for the first case, clauses for the second case, and clauses for the third case. By encoding the conditions in these cases into clauses, the branch-and-bound method can be applied effectively in cryptanalysis to explore and prune partial trails.

4. Linear Trails of WARP

In this section, with a primary focus on identifying optimal linear trails, the findings from applying the SAT model to WARP are presented. The goal is to uncover trails that either have the minimum number of active Sboxes or optimal correlations.

4.1. Linear Trail with Minimum Number of Active Sboxes

Using the SAT model, we have identified the linear trails of WARP with the minimum number of active Sboxes. The designers of WARP provided the minimum number of active Sboxes for linear trails of up to 19 rounds [12]. The SAT approach has enabled us to extend this analysis and determine the minimum number of active Sboxes for linear trails of up to 22 rounds.

Table 8 gives a comprehensive summary of the minimum number of active Sboxes for the linear trails of round-reduced WARP. These findings confirm the results presented in the design documentation. The results in bold indicate that the minimum numbers of active Sboxes of the 20-round, 21-round, and 22-round linear trails are 70, 75, and 79, respectively. Additionally, an 18-round linear trail with 61 active Sboxes is shown in Table 9. This further contributes to the understanding of the cryptanalysis of WARP.

4.2. Linear Trail with Optimal Correlation for WARP

To derive the constraints for the linear approximation of WARP, we begin by setting the objective function to describe the optimal correlation for the -round linear trails. Through analysis, the optimal correlations of the linear trails up to the first 21 rounds are successfully determined. The results show that the optimal correlation of linear trails can reach the upper bound of the active Sbox estimation. More specifically, for -round linear trail, if the lower bound of the active Sbox is , the trails with correlation can be discovered, where and .

Generally, the focus is on finding linear trails whose input and output masks have low Hamming weight, because such trails are advantageous for key recovery: they involve fewer key bits or extend over more rounds. However, it has been observed that linear trails found without additional constraints may have high Hamming weight [9, 20]. To address this, cardinality constraints are introduced to limit the Hamming weight and obtain trails with the lowest Hamming weight. Since WARP is nibble based, the focus here is on nibble-oriented activity. The process resembles the search for optimal trails and involves the following steps:
(1) Within the model for discovering trails with optimal correlation, we add constraints that describe the activeness of the input and output masks of trails. The activeness of a nibble is represented by constraints over Boolean variables. For a nibble mask written as , introduce a Boolean variable to indicate its activeness. When the nibble mask is nonzero, i.e., , the nibble is called active, represented by ; otherwise it is called inactive, denoted as . The constraints can be formulated as follows:
(2) Add an objective function that limits the number of active nibbles in the input and output masks of trails.
(3) Start by setting the initial number of active input and output mask nibbles to that of the optimal trails already obtained.
(4) Query whether there is a solution that satisfies this target value.
(5) Reduce the number of active input and output mask nibbles, and iterate until no solution is obtained.

By employing this approach, the linear trails with the optimal correlation and the fewest active input and output mask nibbles can be identified.

The minimum number of active input and output mask nibbles of linear trails with optimal correlation is denoted as , and that of differential trails is denoted as . The analysis of the results reveals the following observation: . This equivalence holds for the first 20 rounds of both differential and linear trails, i.e., for . Detailed results are shown in Table 3 of Shi et al. [20]. For instance, the optimal correlations of the 18-, 19-, and 20-round linear trails are , , and , respectively. The specific details of these trails are shown in Tables 10 to 12, respectively.

5. Improved Linear Distinguishers of WARP

Modern block ciphers are specifically designed to resist linear cryptanalysis, and their security is often supported by provable bounds on the correlation of linear trails. While many automated tools focus on searching for linear trails, exploring linear hulls is equally important, because modern block ciphers are intentionally designed to avoid dominant trails, which further strengthens their resistance against linear cryptanalysis. By employing automated tools capable of searching for linear hulls, we can analyze multiple trails within a single linear hull. By identifying the trails contributing to a hull, the optimal linear hulls for WARP are discovered.

The estimation of the probability of a linear hull often relies on the dominant linear trails. However, the findings of Teh and Biryukov [18] and Shi et al. [20] show a notable gap between the probabilities of differential trails and of differentials in WARP. This phenomenon arises because a differential contains multiple trails, and similarly a linear hull may contain multiple linear trails. Consequently, further investigation into the linear analysis of WARP is required to improve the estimate of the linear hull’s probability . Our approach enumerates the linear trails in order to improve the accuracy of the probability estimate.

The Cryptominisat5 solver [29] is employed for the automated search of linear hulls. This solver is specifically designed to handle XOR operations and to solve XOR equation systems using Gaussian elimination. The process consists of finding multiple solutions while keeping the input and output masks fixed. However, directly asking the solver to output all solutions may yield duplicates. To ensure correctness and efficiency, we follow the approach of Kölbl et al. [8] and Liu et al. [9], which enumerates the solutions step by step:
(1) Step 1: Incorporate the SAT-based model used for searching linear trails.
(2) Step 2: Introduce constraints that fix the input and output masks and .
(3) Step 3: Execute the Cryptominisat5 solver to find a solution representing a trail belonging to the linear hull .
(4) Step 4: Add a new clause describing the obtained solution to the current CNF model to exclude the trail .
(5) Step 5: Ask the solver for a new solution. Repeat steps 3 and 4 until the solver returns unsatisfiable, indicating that all trails within the linear hull have been enumerated.

Table 13 presents the linear hulls with a clustering effect for the first 20 rounds of WARP. The “” column gives the optimal correlation of the dominant trails within each linear hull. The “Trails” column gives the number of trails found within the linear hull. The averaged linear probability of the linear hull is then calculated from these trails. As shown in Table 13, the linear hulls of the first 9 rounds contain only one dominant trail, indicating a limited clustering effect; the number of active Sboxes in short trails is relatively small. Starting from the 10th round, however, multiple trails appear within the linear hulls. The number of trails within the 13-round linear hulls increases significantly, and the longest-round linear hulls exhibit the most prominent clustering effect. For instance, the 28,527, 149,447, and 186,856 trails improve the ALP of the 18-round, 19-round, and 20-round linear hulls from , , and to , , and , respectively. We further analyze the distribution of the trails within the linear hulls from 10 to 20 rounds, as shown in Table 14. For example, consider the 13-round linear hull with the following input and output masks:

One trail with correlation and 664 trails with correlation are found. A total of 1800 trails are found to improve the ALP of this 13-round linear hull. The symbol “” in Table 14 indicates that not all linear trails with the given correlation within the linear hull have been found. For example, for the 20-round linear hull with the following input and output masks:

The results show that there are at least 64,242 trails within the linear hull with a fixed correlation . These findings provide insights into the clustering effect and distribution of trails within linear hulls for different rounds of WARP.

6. Conclusion

This paper presents a comprehensive investigation into the linear cryptanalysis of WARP. The analysis covers a thorough examination of the cipher’s behavior for the first 19 rounds, along with a validation of the lower bound on the number of active Sboxes as stated in the design documentation. Notably, the complexity of finding linear trails escalates as the number of rounds increases, especially given the 128-bit block size. We leverage the SAT model to efficiently identify optimal linear trails. It was discovered that the optimal correlation of the 18-round linear trails is . Additionally, taking into account that a linear hull can consist of multiple trails, we found that the probability of the 20-round linear hull improves from to . This is the current optimal linear distinguisher for WARP. These findings contribute to the understanding of the vulnerabilities and resistance of WARP against linear cryptanalysis. Future work will further explore the cryptographic properties of WARP or use other attack methods, such as differential attacks and meet-in-the-middle attacks, to improve the attack results on WARP and provide a more comprehensive security evaluation.

Data Availability

The data that support the findings of this study are available from the corresponding author upon reasonable request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study is supported by the National Natural Science Foundation of China (grant nos. 61702537 and 62172427).