<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link href="/css/dist/css/bootstrap.min.css" rel="stylesheet"> <title>Search results</title> <link rel="stylesheet" href="/css/eprint.css?v=10"> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <link rel="apple-touch-icon" href="/img/apple-touch-icon-180x180.png" /> <style> input { background-color: #e8e8e8 !important; } mark { font-weight: 600; padding: .2em 0px .2em 0px; color: black; } span.term { font-weight: 700 !important; font-family: var(--bs-font-monospace), monospace !important; } form { background-color:#fff; } @media (min-width: 768px) { form { position:sticky;top:6rem; } } </style> <meta name="description" content="Search the Cryptology ePrint Archive"> </head> <body> <noscript> <h1 class="text-center">What a lovely hat</h1> <h4 class="text-center">Is it made out of <a href="https://iacr.org/tinfoil.html">tin foil</a>?</h4> </noscript> <div class="fixed-top" id="topNavbar"> <nav class="navbar navbar-custom navbar-expand-lg"> <div class="container px-0 justify-content-between justify-content-lg-evenly"> <div class="order-0 align-items-center d-flex"> <button class="navbar-toggler btnNoOutline" type="button" data-bs-toggle="collapse" data-bs-target="#navbarContent" aria-controls="navbarContent" aria-expanded="false"> <span class="icon-bar top-bar"></span> <span class="icon-bar middle-bar"></span> <span class="icon-bar bottom-bar"></span> </button> <a class="d-none me-5 d-lg-inline" href="https://iacr.org/"><img class="iacrlogo" src="/img/iacrlogo_small.png" alt="IACR Logo" style="max-width:6rem;"></a> </div> <a class="ePrintname order-1" href="/"> <span class="longNavName">Cryptology ePrint Archive</span> </a> <div class="collapse navbar-collapse order-3" id="navbarContent"> <ul class="navbar-nav me-auto ms-2 mb-2 mb-lg-0 justify-content-end w-100"> <li class="ps-md-3 nav-item dropdown"> 
<a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Papers </a> <ul class="dropdown-menu me-3" aria-labelledby="navbarDropdown"> <span class="text-dark mx-3" style="white-space:nowrap;">Updates from the last:</span> <li><a class="dropdown-item ps-custom" href="/days/7">7 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/31">31 days</a></li> <li><a class="dropdown-item ps-custom" href="/days/183">6 months</a></li> <li><a class="dropdown-item ps-custom" href="/days/365">365 days</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/byyear">Listing by year</a></li> <li><a class="dropdown-item" href="/complete">All papers</a></li> <li><a class="dropdown-item" href="/complete/compact">Compact view</a></li> <li><a class="dropdown-item" href="https://www.iacr.org/news/subscribe">Subscribe</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/citation.html">How to cite</a></li> <li><hr class="dropdown-divider"></li> <li><a class="dropdown-item" href="/rss">Harvesting metadata</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="submissionsDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> Submissions </a> <ul class="dropdown-menu me-3" aria-labelledby="submissionsDropdown"> <li><a class="dropdown-item" href="/submit">Submit a paper</a></li> <li><a class="dropdown-item" href="/revise">Revise or withdraw a paper</a></li> <li><a class="dropdown-item" href="/operations.html">Acceptance and publishing conditions</a></li> </ul> </li> <li class="ps-md-3 nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="aboutDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false"> About </a> <ul class="dropdown-menu me-3" aria-labelledby="aboutDropdown"> <li><a class="dropdown-item" href="/about.html">Goals and history</a></li> <li><a 
class="dropdown-item" href="/news.html">News</a></li> <li><a class="dropdown-item" href="/stats">Statistics</a></li> <li><a class="dropdown-item" href="/contact.html">Contact</a></li> </ul> </li> </ul> </div> <div class="dropdown ps-md-2 text-right order-2 order-lg-last"> <button class="btn btnNoOutline" type="button" id="dropdownMenuButton1" data-bs-toggle="dropdown" aria-expanded="false"> <img src="/img/search.svg" class="searchIcon" alt="Search Button"/> </button> <div id="searchDd" class="dropdown-menu dropdown-menu-end p-0" aria-labelledby="dropdownMenuButton1"> <form action="/search" method="GET"> <div class="input-group"> <input id="searchbox" name="q" type="search" class="form-control" autocomplete="off"> <button class="btn btn-secondary border input-group-append ml-2"> Search </button> </div> </form> <div class="ms-2 p-1 d-none"><a href="/search">Advanced search</a></div> </div> </div> </div> </nav> </div> <main id="eprintContent" class="container px-3 py-4 p-md-4"> <div class="row"> <div class="col-12 col-lg-4"> <form class="p-2 pt-md-4 align-items-end needs-validation" novalidate onsubmit="return validateForm()" method="GET" action="/search"> <label for="anything" class="mt-2 form-label">Match anything</label> <input type="text" name="q" class="form-control form-control-sm" id="anything" aria-label="Match anything" value="SAT"> <label for="title" class="mt-4 form-label">Match title</label> <input type="text" name="title" class="form-control form-control-sm" id="title" aria-label="Match title" value=""> <label for="authors" class="mt-4 form-label">Match authors</label> <input type="text" name="authors" class="form-control form-control-sm" id="authors" aria-label="Match authors" value=""> <label for="category" class="mt-4 form-label">Category</label><br> <select class="form-select form-select-sm" id="category" name="category" aria-label="Category"> <option value="">All categories</option> <option value="APPLICATIONS" >Applications</option> <option 
value="PROTOCOLS" >Cryptographic protocols</option> <option value="FOUNDATIONS" >Foundations</option> <option value="IMPLEMENTATION" >Implementation</option> <option value="SECRETKEY" >Secret-key cryptography</option> <option value="PUBLICKEY" >Public-key cryptography</option> <option value="ATTACKS" >Attacks and cryptanalysis</option> </select> <div class="row d-none d-lg-flex"> <div class="col-6"> <label for="submittedafter" class="mt-4 form-label">Submitted after</label><br> <input class="form-control form-control-sm" type="number" min="1996" id="submittedafter" name="submittedafter" aria-label="Submitted after" value="" placeholder="Enter a year"> </div> <div class="col-6"> <label for="submittedbefore" class="mt-4 form-label">Submitted before</label><br> <input class="form-control form-control-sm" type="number" min="1996" id="submittedbefore" name="submittedbefore" aria-label="Submitted before" value="" placeholder="Enter a year"> <div class="invalid-feedback"> Dates are inconsistent </div> </div> </div> <div class="row d-none d-lg-flex"> <div class="col-6"> <label for="revisedafter" class="mt-4 form-label">Revised after</label><br> <input class="form-control form-control-sm" type="number" min="1996" id="revisedafter" name="revisedafter" aria-label="Revised after" placeholder="Enter a year" value=""> <div class="invalid-feedback"> Dates are inconsistent </div> </div> <div class="col-6"> <label for="revisedbefore" class="mt-4 form-label">Revised before</label><br> <input class="form-control form-control-sm" type="number" min="1996" id="revisedbefore" name="revisedbefore" aria-label="Revised before" value="" placeholder="Enter a year"> </div> </div> <div class="d-none d-lg-flex mt-3"> <div class="form-check"> <input type="checkbox" id="relevance" name="relevance"> <label for="relevance" class="form-check-label ms-2">Sort by relevance</label> </div> </div> <div class="mt-3 d-flex"> <button class="btn btn-primary btn-sm 
type="submit">Search</button> <button id="clearButton" class="btn btn-secondary btn-sm ms-2" type="button">Clear</button> <button id="helpButton" class="btn btn-info btn-sm ms-auto" type="button" data-bs-toggle="modal" data-bs-target="#helpModal">Help</button> </div> </form> <div class="modal" tabindex="-1" id="helpModal"> <div class="modal-dialog modal-lg"> <div class="modal-content"> <div class="modal-header"> <h4 class="modal-title">Search Help</h4> <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button> </div> <div class="modal-body"> <p> You can search for a phrase by enclosing it in double quotes, e.g., <span class="term text-nowrap"><a href="/search?q=%22differential%20privacy%22">"differential privacy"</a></span>. </p> <p> You can require or exclude specific terms using + and -. For example, to search for papers that contain the term elliptic but not the term factoring, use <span class="term text-nowrap"><a href="/search?q=%2Belliptic%20-factoring">+elliptic -factoring</a></span> </p> <p> To search in a title or for author name, use <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20author%3Aboneh">title:isogeny author:boneh</a></span>. If you want to require both, you can use <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20AND%20author%3Aboneh">title:isogeny AND author:boneh</a></span> because it recognizes logical operators <span class="term">AND</span> and <span class="term">OR</span>. This is equivalent to <a href="/search?title=isogeny&authors=boneh">using the individual fields</a> for author and title. You can also use NOT to negate a condition, as with <span class="term text-nowrap"><a href="/search?q=title%3Aisogeny%20AND%20NOT%20author%3Aboneh">title:isogeny AND NOT author:boneh</a></span> to search for papers with an author other than Boneh. 
</p> <p> To find documents containing a term starting with the string <span class="term">differe</span>, use <span class="term"><a href="/search?q=differe%2A">differe*</a></span>. This will match the terms difference, different, and differential. </p> <p> Note that search applies stemming, so that if you search for <span class="term">yield</span> it will also match terms <span class="term">yields</span> and <span class="term">yielding</span>. If you want to disable stemming, capitalize the term. A search for <span class="term">Adam</span> will not match the term 'Adams'. </p> <p> The system attempts to recognize possible misspellings. This is perhaps a source of amusement more than anything else. </p> <p> This currently searches the text in titles, authors, abstracts, and keywords, but does not search in the PDF or PS itself. </p> </div> <div class="modal-footer"> <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button> </div> </div> </div> </div> <!-- Parsed query: Query((sat@1 AND_MAYBE PostingSource(Xapian::ValueWeightPostingSource(slot=2)))) --> </div> <div class="col-12 col-lg-8" style="min-height:80vh"> <h4 class="mt-3 ms-4">179 results sorted by ID</h4> <div class="alert alert-info ms-lg-4">Possible spell-corrected query: <a href="/search?q=at">at</a></div> <div class="ms-lg-4 mt-3 results"> <div class="mb-4"> <div class="d-flex"><a title="2025/466" class="paperlink" href="/2025/466">2025/466</a> <span class="ms-2"><a href="/2025/466.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Algebraic Cryptanalysis of Small-Scale Variants of Stream Cipher E0</strong> <div class="mt-1"><span class="fst-italic">Jan Dolejš, Martin Jureček</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 
mt-1 search-abstract">This study explores the algebraic cryptanalysis of small-scale variants of the E0 stream cipher, a legacy cipher used in the Bluetooth protocol. By systematically reducing the size of the linear feedback shift registers (LFSRs) while preserving the cipher’s core structure, we investigate the relationship between the number of unknowns and the number of consecutive keystream bits required to recover the internal states of the LFSRs. Our work demonstrates an approximately linear relationship...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/462" class="paperlink" href="/2025/462">2025/462</a> <span class="ms-2"><a href="/2025/462.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Practical Key Collision on AES and Kiasu-BC</strong> <div class="mt-1"><span class="fst-italic">Jianqiang Ni, Yingxin Li, Fukang Liu, Gaoli Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The key collision attack was proposed as an open problem in key-committing security in Authenticated Encryption (AE) schemes like $\texttt{AES-GCM}$ and $\texttt{ChaCha20Poly1305}$. In ASIACRYPT 2024, Taiyama et al. introduce a novel type of key collision—target-plaintext key collision ($\texttt{TPKC}$) for $\texttt{AES}$. 
Depending on whether the plaintext is fixed, $\texttt{TPKC}$ can be divided into $\texttt{fixed-TPKC}$ and $\texttt{free-TPKC}$, which can be directly converted into...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/433" class="paperlink" href="/2025/433">2025/433</a> <span class="ms-2"><a href="/2025/433.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>MIDAS: an End-to-end CAD Framework for Automating Combinational Logic Locking</strong> <div class="mt-1"><span class="fst-italic">Akashdeep Saha, Siddhartha Chowdhury, Rajat Subhra Chakraborty, Debdeep Mukhopadhyay</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking has surfaced as a notable safeguard against diverse hazards that pose a risk to the integrated circuit (IC) supply chain. Existing literature on logic locking largely encompasses the art of proposing new constructions, on the one hand, and unearthing weaknesses in such algorithms on the other. Somehow, in this race of make and break, the stress on automation of adopting such techniques on real-life circuits has been rather limited. 
For the first time, we present a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/386" class="paperlink" href="/2025/386">2025/386</a> <span class="ms-2"><a href="/2025/386.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>How Small Can S-boxes Be</strong> <div class="mt-1"><span class="fst-italic">Chenhao Jia, Tingting Cui, Qing Ling, Yan He, Kai Hu, Yu Sun, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">S-boxes are the most popular nonlinear building blocks used in symmetric-key primitives. Both cryptographic properties and implementation cost of an S-box are crucial for a good cipher design, especially for lightweight ones. This paper aims to determine the exact minimum area of optimal 4-bit S-boxes (whose differential uniform and linearity are both 4) under certain standard cell library. 
Firstly, we evaluate the upper and lower bounds upon the minimum area of S-boxes, by...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2025/185" class="paperlink" href="/2025/185">2025/185</a> <span class="ms-2"><a href="/2025/185.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-03-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>AutoDiVer: Automatically Verifying Differential Characteristics and Learning Key Conditions</strong> <div class="mt-1"><span class="fst-italic">Marcel Nageler, Shibam Ghosh, Marlene Jüttler, Maria Eichlseder</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Differential cryptanalysis is one of the main methods of cryptanalysis and has been applied to a wide range of ciphers. While it is very successful, it also relies on certain assumptions that do not necessarily hold in practice. One of these is the hypothesis of stochastic equivalence, which states that the probability of a differential characteristic behaves similarly for all keys. 
Several works have demonstrated examples where this hypothesis is violated, impacting the attack complexity...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2079" class="paperlink" href="/2024/2079">2024/2079</a> <span class="ms-2"><a href="/2024/2079.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Solving AES-SAT Using Side-Channel Hints: A Practical Assessment</strong> <div class="mt-1"><span class="fst-italic">Elena Dubrova</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Side-channel attacks exploit information leaked through non-primary channels, such as power consumption, electromagnetic emissions, or timing, to extract sensitive data from cryptographic devices. Over the past three decades, side-channel analysis has evolved into a mature research field with well-established methodologies for analyzing standard cryptographic algorithms like the Advanced Encryption Standard (AES). 
However, the integration of side-channel analysis with formal methods remains...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/2003" class="paperlink" href="/2024/2003">2024/2003</a> <span class="ms-2"><a href="/2024/2003.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-12-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exploring the Optimal Differential Characteristics of SM4 (Full Version): Improving Automatic Search by Including Human Insights</strong> <div class="mt-1"><span class="fst-italic">Bingqing Li, Ling Sun</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This study aims to determine the complete and precise differential properties of SM4, which have remained unknown for over twenty years after the cipher was initially released. A Boolean Satisfiability Problem (SAT) based automatic search approach is employed to achieve the objective. 
To improve the limited efficiency of the search focused on differential probabilities, we want to investigate the feasibility of integrating human expertise into an automatic approach to enhance the search...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/1743" class="paperlink" href="/2024/1743">2024/1743</a> <span class="ms-2"><a href="/2024/1743.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-10-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>The Window Heuristic: Automating Differential Trail Search in ARX Ciphers with Partial Linearization Trade-offs</strong> <div class="mt-1"><span class="fst-italic">Emanuele Bellini, David GERAULT, Juan Grados, Thomas Peyrin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The search for optimal differential trails for ARX ciphers is known to be difficult and scale poorly as the word size (and the branching through the carries of modular additions) increases. To overcome this problem, one may approximate the modular addition with the XOR operation, a process called linearization. The immediate drawback of this approach is that many valid and good trails are discarded. 
In this work, we explore different partial linearization trade-offs to model the modular...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/1008" class="paperlink" href="/2024/1008">2024/1008</a> <span class="ms-2"><a href="/2024/1008.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2025-02-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Impossible Boomerang Distinguishers Revisited</strong> <div class="mt-1"><span class="fst-italic">Xichao Hu, Lin Jiao, Dengguo Feng, Yonglin Hao, Xinxin Gong, Yongqiang Li, Siwei Sun</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The Impossible Boomerang Attack (IBA) has shown significant power in evaluating the security of block ciphers, such as AES. However, current studies still lack foundational theory, user guild and universal method for constructing IBDs. This paper addresses these gaps through comprehensive research. Theoretically, we establish a new framework for constructing a series of IBDs by differential propagation, state propagation, and generalized boomerang tables. 
We rigorously prove their inclusion...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/637" class="paperlink" href="/2024/637">2024/637</a> <span class="ms-2"><a href="/2024/637.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-04-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Towards Permissionless Consensus in the Standard Model via Fine-Grained Complexity</strong> <div class="mt-1"><span class="fst-italic">Marshall Ball, Juan Garay, Peter Hall, Aggelos Kiayias, Giorgos Panagiotakos</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We investigate the feasibility of permissionless consensus (aka Byzantine agreement) under standard assumptions. A number of protocols have been proposed to achieve permissionless consensus, most notably based on the Bitcoin protocol; however, to date no protocol is known that can be provably instantiated outside of the random oracle model. In this work, we take the first steps towards achieving permissionless consensus in the standard model. 
In particular, we demonstrate that worst-case...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/620" class="paperlink" href="/2024/620">2024/620</a> <span class="ms-2"><a href="/2024/620.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-04-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New SAT-based Model for Quantum Circuit Decision Problem: Searching for Low-Cost Quantum Implementation</strong> <div class="mt-1"><span class="fst-italic">Jingwen Chen, Qun Liu, Yanhong Fan, Lixuan Wu, Boyun Li, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In recent years, quantum technology has been rapidly developed. As security analyses for symmetric ciphers continue to emerge, many require an evaluation of the resources needed for the quantum circuit implementation of the encryption algorithm. 
In this regard, we propose the quantum circuit decision problem, which requires us to determine whether there exists a quantum circuit for a given permutation f using M ancilla qubits and no more than K quantum gates within the circuit depth D....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/565" class="paperlink" href="/2024/565">2024/565</a> <span class="ms-2"><a href="/2024/565.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-04-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On the construction of quantum circuits for S-boxes with different criteria based on the SAT solver</strong> <div class="mt-1"><span class="fst-italic">Da Lin, Chunli Yang, Shengyuan Xu, Shizhu Tian, Bing Sun</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The substitution box (S-box) is often used as the only nonlinear component in symmetric-key ciphers, leading to a significant impact on the implementation performance of ciphers in both classical and quantum application scenarios by S-box circuits. Taking the Pauli-X gate, the CNOT gate, and the Toffoli gate (i.e., the NCT gate set) as the underlying logic gates, this work investigates the quantum circuit implementation of S-boxes based on the SAT solver. 
Firstly, we propose encoding methods...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/350" class="paperlink" href="/2024/350">2024/350</a> <span class="ms-2"><a href="/2024/350.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-02-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automating Collision Attacks on RIPEMD-160</strong> <div class="mt-1"><span class="fst-italic">Yingxin Li, Fukang Liu, Gaoli Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">As an ISO/IEC standard, the hash function RIPEMD-160 has been used to generate the Bitcoin address with SHA-256. However, due to the complex double-branch structure of RIPEMD-160, the best collision attack only reaches 36 out of 80 steps of RIPEMD-160, and the best semi-free-start (SFS) collision attack only reaches 40 steps. To improve the 36-step collision attack proposed at EUROCRYPT 2023, we explored the possibility of using different message differences to increase the number of...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/349" class="paperlink" href="/2024/349">2024/349</a> <span class="ms-2"><a href="/2024/349.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-02-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New Records in Collision Attacks on SHA-2</strong> <div class="mt-1"><span class="fst-italic">Yingxin Li, Fukang Liu, Gaoli Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The SHA-2 family including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA512/256 is a U.S. 
federal standard published by NIST. Especially, there is no doubt that SHA-256 is one of the most important hash functions used in real-world applications. Due to its complex design compared with SHA-1, there is almost no progress in collision attacks on SHA-2 after ASIACRYPT 2015. In this work, we retake this challenge and aim to significantly improve collision attacks on the SHA-2...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/309" class="paperlink" href="/2024/309">2024/309</a> <span class="ms-2"><a href="/2024/309.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-02-23</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>NiLoPher: Breaking a Modern SAT-Hardened Logic-Locking Scheme via Power Analysis Attack</strong> <div class="mt-1"><span class="fst-italic">Prithwish Basu Roy, Johann Knechtel, Akashdeep Saha, Saideep Sreekumar, Likhitha Mankali, Mohammed Nabeel, Debdeep Mukhopadhyay, Ramesh Karri, Ozgur Sinanoglu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">LoPher brings, for the first time, cryptographic security promises to the field of logic locking in a bid to break the game of cat-and-mouse seen in logic locking. Toward this end, LoPher embeds the circuitry to lock within multiple rounds of a block cipher, by carefully configuring all the S-Boxes. To realize general Boolean functionalities and to support varying interconnect topologies, LoPher also introduces additional layers of MUXes between S-Boxes and the permutation operations. 
The...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/298" class="paperlink" href="/2024/298">2024/298</a> <span class="ms-2"><a href="/2024/298.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-02-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New Models for the Cryptanalysis of ASCON</strong> <div class="mt-1"><span class="fst-italic">Mathieu Degré, Patrick Derbez, Lucie Lahaye, André Schrottenloher</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This paper focuses on the cryptanalysis of the ASCON family using automatic tools. We analyze two different problems with the goal to obtain new modelings, both simpler and less computationally heavy than previous works (all our models require only a small amount of code and run on regular desktop computers). The first problem is the search for Meet-in-the-middle attacks on reduced-round ASCON-Hash. Starting from the MILP modeling of Qin et al. 
(EUROCRYPT 2023 & ePrint 2023), we rephrase...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2024/105" class="paperlink" href="/2024/105">2024/105</a> <span class="ms-2"><a href="/2024/105.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-01-24</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Differential cryptanalysis with SAT, SMT, MILP, and CP: a detailed comparison for bit-oriented primitives</strong> <div class="mt-1"><span class="fst-italic">Emanuele Bellini, Alessandro De Piccoli, Mattia Formenti, David Gerault, Paul Huynh, Simone Pelizzola, Sergio Polese, Andrea Visconti</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">SAT, SMT, MILP, and CP, have become prominent in the differential cryptanalysis of cryptographic primitives. In this paper, we review the techniques for constructing differential characteristic search models in these four formalisms. 
Additionally, we perform a systematic comparison encompassing over 20 cryptographic primitives and 16 solvers, on both easy and hard instances of optimisation, enumeration and differential probability estimation problems.</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1914" class="paperlink" href="/2023/1914">2023/1914</a> <span class="ms-2"><a href="/2023/1914.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-12-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Efficient Low-Latency Masking of Ascon without Fresh Randomness</strong> <div class="mt-1"><span class="fst-italic">Srinidhi Hari Prasad, Florian Mendel, Martin Schläffer, Rishub Nagpal</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this work, we present the first low-latency, second-order masked hardware implementation of Ascon that requires no fresh randomness using only $d+1$ shares. Our results significantly outperform any publicly known second-order masked implementations of AES and Ascon in terms of combined area, latency and randomness requirements. Ascon is a family of lightweight authenticated encryption and hashing schemes selected by NIST for standardization. Ascon is tailored for small form factors. 
It...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1831" class="paperlink" href="/2023/1831">2023/1831</a> <span class="ms-2"><a href="/2023/1831.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-11-29</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A CP-based Automatic Tool for Instantiating Truncated Differential Characteristics - Extended Version</strong> <div class="mt-1"><span class="fst-italic">François Delobel, Patrick Derbez, Arthur Gontier, Loïc Rouquette, Christine Solnon</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">An important criterion for asserting the security of a cryptographic primitive is its resistance against differential cryptanalysis. For word-oriented primitives, a common technique to determine the number of rounds required to ensure immunity against differential distinguishers is to consider truncated differential characteristics and to count the number of active S-boxes. 
Doing so allows one to provide an upper bound on the probability of the best differential characteristic with a reduced...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1721" class="paperlink" href="/2023/1721">2023/1721</a> <span class="ms-2"><a href="/2023/1721.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-11-07</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Optimizing S-box Implementations Using SAT Solvers: Revisited</strong> <div class="mt-1"><span class="fst-italic">Fuxin Zhang, Zhenyu Huang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We propose a new method to encode the problems of optimizing S-box implementations into SAT problems. By considering the inputs and outputs of gates as Boolean functions, the fundamental idea of our method is representing the relationships between these inputs and outputs according to their algebraic normal forms. 
Based on this method, we present several encoding schemes for optimizing S-box implementations according to various criteria, such as multiplicative complexity, bitslice gate...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1353" class="paperlink" href="/2023/1353">2023/1353</a> <span class="ms-2"><a href="/2023/1353.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-09-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automatic Search Model for Related-Tweakey Impossible Differential Cryptanalysis</strong> <div class="mt-1"><span class="fst-italic">Huiqin Chen, Yongqiang Li, Xichao Hu, Zhengbin Liu, Lin Jiao, Mingsheng Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The design and analysis of dedicated tweakable block ciphers constitute a dynamic and relatively recent research field in symmetric cryptanalysis. The assessment of security in the related-tweakey model is of utmost importance owing to the existence of a public tweak. This paper proposes an automatic search model for identifying related-tweakey impossible differentials based on the propagation of states under specific constraints, which is inspired by the research of Hu et al. 
in ASIACRYPT...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1266" class="paperlink" href="/2023/1266">2023/1266</a> <span class="ms-2"><a href="/2023/1266.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-08-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automatic Preimage Attack Framework on \ascon Using a Linearize-and-Guess Approach</strong> <div class="mt-1"><span class="fst-italic">Huina Li, Le He, Shiyao Chen, Jian Guo, Weidong Qiu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">\ascon is the final winner of the lightweight cryptography standardization competition $(2018-2023)$. In this paper, we focus on preimage attacks against round-reduced \ascon. The preimage attack framework, utilizing the linear structure with the allocating model, was initially proposed by Guo \textit{et al.} at ASIACRYPT 2016 and subsequently improved by Li \textit{et al.} at EUROCRYPT 2019, demonstrating high effectiveness in breaking the preimage resistance of \keccak. 
In this...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1227" class="paperlink" href="/2023/1227">2023/1227</a> <span class="ms-2"><a href="/2023/1227.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-08-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Parallel SAT Framework to Find Clustering of Differential Characteristics and Its Applications</strong> <div class="mt-1"><span class="fst-italic">Kosei Sakamoto, Ryoma Ito, Takanori Isobe</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The most crucial but time-consuming task for differential cryptanalysis is to find a differential with a high probability. To tackle this task, we propose a new SAT-based automatic search framework to efficiently figure out a differential with the highest probability under a specified condition. 
As the previous SAT methods (e.g., Sun et al.’s method proposed at ToSC 2021(1)) focused on accelerating the search for an optimal single differential characteristic, these are not optimized for...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/1023" class="paperlink" href="/2023/1023">2023/1023</a> <span class="ms-2"><a href="/2023/1023.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-07-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>An STP-based model toward designing S-boxes with good cryptographic properties</strong> <div class="mt-1"><span class="fst-italic">Zhenyu Lu, Sihem Mesnager, Tingting Cui, Yanhong Fan, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The substitution box (S-box) is an important nonlinear component in most symmetric cryptosystems and thus should have good properties. Its difference distribution table (DDT) and linear approximation table (LAT) affect the security of the cipher against differential and linear cryptanalysis. In most previous work, differential uniformity and linearity of an S-box are the two primary cryptographic properties that impact the resistance against differential and linear attacks. 
In some cases, the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/674" class="paperlink" href="/2023/674">2023/674</a> <span class="ms-2"><a href="/2023/674.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-05-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>An Efficient Strategy to Construct a Better Differential on Multiple-Branch-Based Designs: Application to Orthros</strong> <div class="mt-1"><span class="fst-italic">Kazuma Taka, Tatusya Ishikawa, Kosei Sakamoto, Takanori Isobe</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">As low-latency designs tend to have a small number of rounds to decrease latency, the differential-type cryptanalysis can become a significant threat to them. In particular, since a multiple-branch-based design, such as Orthros can have the strong clustering effect on differential attacks due to its large internal state, it is crucial to investigate the impact of the clustering effect in such a design. In this paper, we present a new SAT-based automatic search method for evaluating the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/622" class="paperlink" href="/2023/622">2023/622</a> <span class="ms-2"><a href="/2023/622.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-06-01</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CLAASP: a Cryptographic Library for the Automated Analysis of Symmetric Primitives</strong> <div class="mt-1"><span class="fst-italic">Emanuele Bellini, David Gerault, Juan Grados, Yun Ju Huang, Mohamed Rachidi, Sharwan Tiwari, Rusydi H. 
Makarim</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This paper introduces CLAASP, a Cryptographic Library for the Automated Analysis of Symmetric Primitives. The library is designed to be modular, extendable, easy to use, generic, efficient and fully automated. It is an extensive toolbox gathering state-of-the-art techniques aimed at simplifying the manual tasks of symmetric primitive designers and analysts. CLAASP is built on top of Sagemath and is open-source under the GPLv3 license. The central input of CLAASP is the description of a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/496" class="paperlink" href="/2023/496">2023/496</a> <span class="ms-2"><a href="/2023/496.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-04-05</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Evaluating the Security of Block Ciphers Against Zero-correlation Linear Attack in the Distinguishers Aspect</strong> <div class="mt-1"><span class="fst-italic">Xichao Hu, Yongqiang Li, Lin Jiao, Zhengbin Liu, Mingsheng Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Zero-correlation linear attack is a powerful attack on block ciphers; the lower number of rounds (LNR) for which no distinguisher (named zero-correlation linear approximation, ZCLA) exists reflects the resistance of a block cipher against the zero-correlation linear attack. However, due to the large search space, showing that no ZCLAs exist for a given block cipher under a certain number of rounds is a very hard task. 
Thus, present works can only prove that no ZCLAs exist in a small...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/300" class="paperlink" href="/2023/300">2023/300</a> <span class="ms-2"><a href="/2023/300.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CNF Characterization of Sets over $\mathbb{Z}_2^n$ and Its Applications in Cryptography</strong> <div class="mt-1"><span class="fst-italic">Hu Xiaobo, Xu Shengyuan, Tu Yinzi, Feng Xiutao</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In recent years, automatic search has been widely used to find differential characteristics and linear approximations with high probability/correlation. Among these methods, the automatic search with the Boolean Satisfiability Problem (SAT, in short) has gradually become a powerful cryptanalysis tool for symmetric ciphers. 
A key problem in the automatic search method is how to fully characterize a set $S \subseteq \{0,1\}^n$ with as few Conjunctive Normal Form (CNF, in short) clauses as...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/285" class="paperlink" href="/2023/285">2023/285</a> <span class="ms-2"><a href="/2023/285.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-02-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New Records in Collision Attacks on RIPEMD-160 and SHA-256</strong> <div class="mt-1"><span class="fst-italic">Yingxin Li, Fukang Liu, Gaoli Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">RIPEMD-160 and SHA-256 are two hash functions used to generate the bitcoin address. In particular, RIPEMD-160 is an ISO/IEC standard and SHA-256 has been widely used in the world. Due to their complex designs, the progress to find (semi-free-start) collisions for the two hash functions is slow. Recently at EUROCRYPT 2023, Liu et al. 
presented the first collision attack on 36 steps of RIPEMD-160 and the first MILP-based method to find collision-generating signed differential characteristics....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/202" class="paperlink" href="/2023/202">2023/202</a> <span class="ms-2"><a href="/2023/202.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-02-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SAT-aided Automatic Search of Boomerang Distinguishers for ARX Ciphers (Long Paper)</strong> <div class="mt-1"><span class="fst-italic">Dachao Wang, Baocang Wang, Siwei Sun</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In Addition-Rotation-Xor (ARX) ciphers, the large domain size obstructs the application of the boomerang connectivity table. In this paper, we explore the problem of computing this table for a modular addition and the automatic search of boomerang characteristics for ARX ciphers. We provide dynamic programming algorithms to efficiently compute this table and its variants. These algorithms are the most efficient up to now. 
For the boomerang connectivity table, the execution time is $4^2(n −...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2023/109" class="paperlink" href="/2023/109">2023/109</a> <span class="ms-2"><a href="/2023/109.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-01-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SoK: Modeling for Large S-boxes Oriented to Differential Probabilities and Linear Correlations (Long Paper)</strong> <div class="mt-1"><span class="fst-italic">Ling Sun, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Automatic methods for differential and linear characteristic search are well-established at the moment. Typically, the designers of novel ciphers also give preliminary analytical findings for analysing the differential and linear properties using automatic techniques. However, neither MILP-based nor SAT/SMT-based approaches have fully resolved the problem of searching for actual differential and linear characteristics of ciphers with large S-boxes. 
To tackle the issue, we present three...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/1641" class="paperlink" href="/2022/1641">2022/1641</a> <span class="ms-2"><a href="/2022/1641.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-03-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>AlgSAT --- a SAT Method for Search and Verification of Differential Characteristics from Algebraic Perspective</strong> <div class="mt-1"><span class="fst-italic">Huina Li, Haochen Zhang, Guozhen Liu, Kai Hu, Jian Guo, Weidong Qiu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A good differential is a start for a successful differential attack. However, a differential might be invalid, i.e., there is no right pair following the differential, due to some contradictions in the conditions imposed by the differential. This paper presents a novel and handy method for searching and verifying differential trails from an algebraic perspective. 
From this algebraic perspective, exact Boolean expressions of differentials over a cryptographic primitive can be conveniently...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/1549" class="paperlink" href="/2022/1549">2022/1549</a> <span class="ms-2"><a href="/2022/1549.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-02-11</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>The SAT-Based Automatic Searching and Experimental Verification for Differential Characteristics with Application to Midori64</strong> <div class="mt-1"><span class="fst-italic">Yingying Li, Qichun Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, we show that it is inaccurate to apply the hypothesis of independent round keys to search for differential characteristics of a block cipher with a simple key schedule. Therefore, the derived differential characteristics may be invalid. We develop a SAT-based algorithm to verify the validity of differential characteristics. Furthermore, we take the key schedule into account and thus put forward an algorithm to directly find the valid differential characteristics. 
All...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/1377" class="paperlink" href="/2022/1377">2022/1377</a> <span class="ms-2"><a href="/2022/1377.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-10-20</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improved Differential and Linear Trail Bounds for ASCON</strong> <div class="mt-1"><span class="fst-italic">Solane El Hirch, Silvia Mella, Alireza Mehrdad, Joan Daemen</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">ASCON is a family of cryptographic primitives for authenticated encryption and hashing introduced in 2015. It is selected as one of the ten finalists in the NIST Lightweight Cryptography competition. Since its introduction, ASCON has been extensively cryptanalyzed, and the results of these analyses can indicate the good resistance of this family of cryptographic primitives against known attacks, like differential and linear cryptanalysis. 
Proving upper bounds for the differential...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/1247" class="paperlink" href="/2022/1247">2022/1247</a> <span class="ms-2"><a href="/2022/1247.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-01-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Peek into the Black-Box: Interpretable Neural Network using SAT Equations in Side-Channel Analysis</strong> <div class="mt-1"><span class="fst-italic">Trevor Yap, Adrien Benamira, Shivam Bhasin, Thomas Peyrin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Deep neural networks (DNN) have become a significant threat to the security of cryptographic implementations with regards to side-channel analysis (SCA), as they automatically combine the leakages without any preprocessing needed, leading to a more efficient attack. However, these DNNs for SCA remain mostly black-box algorithms that are very difficult to interpret. 
Benamira \textit{et al.} recently proposed an interpretable neural network called Truth Table Deep Convolutional Neural Network...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/787" class="paperlink" href="/2022/787">2022/787</a> <span class="ms-2"><a href="/2022/787.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-06-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Block Cipher's Substitution Box Generation Based on Natural Randomness in Underwater Acoustics and Knight's Tour Chain</strong> <div class="mt-1"><span class="fst-italic">Muhammad Fahad Khan, Khalid Saleem, Tariq Shah, Mohmmad Mazyad Hazzazi, Ismail Bahkali, Piyush Kumar Shukla</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The protection of confidential information is a global issue and block encryption algorithms are the most reliable option for securing data. 
The famous information theorist Claude Shannon gave two desirable characteristics that should exist in a strong cipher, namely substitution and permutation, in his fundamental work "Communication Theory of Secrecy Systems." Block ciphers strictly follow the substitution and permutation principle in an iterative manner to generate a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/774" class="paperlink" href="/2022/774">2022/774</a> <small class="ms-auto">Last updated: 2022-06-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Complexity Analysis of the SAT Attack on Logic Locking</strong> <div class="mt-1"><span class="fst-italic">Yadi Zhong, Ujjwal Guin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Due to the adoption of the horizontal business model with the globalization of semiconductor manufacturing, the overproduction of integrated circuits (ICs) and the piracy of intellectual properties (IPs) have become a significant threat to the semiconductor supply chain. Logic locking has emerged as a primary design-for-security measure to counter these threats. In logic locking, ICs become fully functional after fabrication only when unlocked with the correct key. 
However, Boolean...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/729" class="paperlink" href="/2022/729">2022/729</a> <span class="ms-2"><a href="/2022/729.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-06-07</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Integral Cryptanalysis of WARP based on Monomial Prediction</strong> <div class="mt-1"><span class="fst-italic">Hosein Hadipour, Maria Eichlseder</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">WARP is a 128-bit block cipher published by Banik et al. at SAC 2020 as a lightweight alternative to AES. It is based on a generalized Feistel network and achieves the smallest area footprint among 128-bit block ciphers in many settings. Previous analysis results include integral key-recovery attacks on 21 out of 41 rounds. 
In this paper, we propose integral key-recovery attacks on up to 32 rounds by improving both the integral distinguisher and the key-recovery approach substantially....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/695" class="paperlink" href="/2022/695">2022/695</a> <span class="ms-2"><a href="/2022/695.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-07-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Yet Another Algebraic Cryptanalysis of Small Scale Variants of AES</strong> <div class="mt-1"><span class="fst-italic">Marek Bielik, Martin Jureček, Olha Jurečková, Róbert Lórencz</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-ATTACKS">Attacks and cryptanalysis</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This work presents new advances in algebraic cryptanalysis of small scale derivatives of AES. We model the cipher as a system of polynomial equations over GF(2), which involves only the variables of the initial key, and we subsequently attempt to solve this system using Gröbner bases. We show, for example, that one of the attacks can recover the secret key for one round of AES-128 under one minute on a contemporary CPU. 
This attack requires only two known plaintexts and their corresponding...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/672" class="paperlink" href="/2022/672">2022/672</a> <span class="ms-2"><a href="/2022/672.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-10-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CENSOR: Privacy-preserving Obfuscation for Outsourcing SAT formulas</strong> <div class="mt-1"><span class="fst-italic">Tassos Dimitriou, Khazam Alhamdan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We propose a novel obfuscation technique that can be used to outsource hard satisfiability (SAT) formulas to the cloud. Servers with large computational power are typically used to solve SAT instances that model real-life problems in task scheduling, AI planning, circuit verification and more. However, outsourcing data to the cloud may lead to privacy and information breaches since satisfying assignments may reveal considerable information about the underlying problem modeled by SAT. 
In...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/626" class="paperlink" href="/2022/626">2022/626</a> <span class="ms-2"><a href="/2022/626.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2023-07-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New method for combining Matsui’s bounding conditions with sequential encoding method</strong> <div class="mt-1"><span class="fst-italic">Senpeng Wang, Dengguo Feng, Bin Hu, Jie Guan, Kai Zhang, Tairong Shi</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">As the first generic method for finding the optimal differential and linear characteristics, Matsui's branch and bound search algorithm has played an important role in evaluating the security of symmetric ciphers. By combining Matsui's bounding conditions with automatic search models, search efficiency can be improved. 
In this paper, by studying the properties of Matsui's bounding conditions, we give the general form of bounding conditions that can eliminate all the impossible solutions...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/548" class="paperlink" href="/2022/548">2022/548</a> <span class="ms-2"><a href="/2022/548.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-05-10</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Non-Interactive Zero-Knowledge Proofs with Fine-Grained Security</strong> <div class="mt-1"><span class="fst-italic">Yuyu Wang, Jiaxin Pan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We construct the first non-interactive zero-knowledge (NIZK) proof systems in the fine-grained setting where adversaries’ resources are bounded and honest users have no more resources than an adversary. More concretely, our setting is the NC1-fine-grained setting, namely, all parties (including adversaries and honest participants) are in NC1. Our NIZK systems are for circuit satisfiability (SAT) under the worst-case assumption, NC1 being unequal to Parity-L/poly. 
As technical contributions,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/402" class="paperlink" href="/2022/402">2022/402</a> <span class="ms-2"><a href="/2022/402.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-03-31</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improved Rotational-XOR Cryptanalysis of Simon-like Block Ciphers</strong> <div class="mt-1"><span class="fst-italic">Jinyu Lu, Yunwen Liu, Tomer Ashur, Bing Sun, Chao Li</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">Rotational-XOR (RX) cryptanalysis is a cryptanalytic method aimed at finding distinguishable statistical properties in ARX-C ciphers, i.e., ciphers that can be described only by using modular addition, cyclic rotation, XOR, and the injection of constants. In this paper we extend RX-cryptanalysis to AND-RX ciphers, a similar design paradigm where the modular addition is replaced by vectorial bitwise AND; such ciphers include the block cipher families Simon and Simeck. We analyze the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/387" class="paperlink" href="/2022/387">2022/387</a> <span class="ms-2"><a href="/2022/387.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-02-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Phase-shift Fault Analysis of Grain-128</strong> <div class="mt-1"><span class="fst-italic">HRIDYA P R, Jimmy Jose</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Phase-shift fault attack is a type of fault attack used for cryptanalysis of stream ciphers. It involves clocking a cipher’s feedback shift registers out of phase, in order to generate faulted keystream. 
Grain-128 cipher is a 128-bit modification of the Grain cipher, which is one of the finalists in the eSTREAM project. In this work, we propose a phase-shift fault attack against Grain-128 loaded with key-IV pairs that result in an all-zero LFSR after initialisation. We frame equations...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/194" class="paperlink" href="/2022/194">2022/194</a> <span class="ms-2"><a href="/2022/194.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-03-30</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Finding Collisions against 4-round SHA3-384 in Practical Time</strong> <div class="mt-1"><span class="fst-italic">Senyang Huang, Orna Agmon Ben-Yehuda, Orr Dunkelman, Alexander Maximov</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">The Keccak sponge function family, designed by Bertoni et al. in 2007, was selected by the U.S. National Institute of Standards and Technology (NIST) in 2012 as the next generation of Secure Hash Algorithm (SHA-3). Due to its theoretical and practical importance, cryptanalysis against SHA-3 has attracted increasing attention. To the best of our knowledge, the most powerful collision attack on SHA-3 up to now is the linearisation technique proposed by Jian Guo et al. 
However, that...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/184" class="paperlink" href="/2022/184">2022/184</a> <span class="ms-2"><a href="/2022/184.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-09-20</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exploring SAT for Cryptanalysis: (Quantum) Collision Attacks against 6-Round SHA-3 (Full Version)</strong> <div class="mt-1"><span class="fst-italic">Jian Guo, Guozhen Liu, Ling Song, Yi Tu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this work, we focus on collision attacks against instances of SHA-3 hash family in both classical and quantum settings. Since the 5-round collision attacks on SHA3-256 and other variants proposed by Guo et al. at JoC~2020, no other essential progress has been published. With a thorough investigation, we identify that the challenges of extending such collision attacks on SHA-3 to more rounds lie in the inefficiency of differential trail search. To overcome this obstacle, we develop a...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/151" class="paperlink" href="/2022/151">2022/151</a> <span class="ms-2"><a href="/2022/151.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-02-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Addendum to Linear Cryptanalyses of Three AEADs with GIFT-128 as Underlying Primitives</strong> <div class="mt-1"><span class="fst-italic">Ling Sun, Wei Wang, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In ToSC 2021(2), Sun et al. 
implemented an automatic search with the Boolean satisfiability problem (SAT) method on GIFT-128 and identified a 19-round linear approximation with the expected linear potential being $2^{-117.43}$, which is utilised to launch a 24-round attack on the cipher. In this addendum, we discover a new 19-round linear approximation with a lower expected linear potential. However, in the attack, one more round can be appended after the distinguisher. As a result, we...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/135" class="paperlink" href="/2022/135">2022/135</a> <span class="ms-2"><a href="/2022/135.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-02-09</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Do NOT Misuse the Markov Cipher Assumption - Automatic Search for Differential and Impossible Differential Characteristics in ARX Ciphers</strong> <div class="mt-1"><span class="fst-italic">Zheng Xu, Yongqiang Li, Lin Jiao, Mingsheng Wang, Willi Meier</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Firstly, we improve the evaluation theory of differential propagation for modular additions and XORs, respectively. By introducing the concept of $additive$ $sums$ and using signed differences, we can add more information of value propagation to XOR differential propagation to calculate the probabilities of differential characteristics more precisely. 
Based on our theory, we propose the first modeling method to describe the general ARX differential propagation, which is not based on the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2022/016" class="paperlink" href="/2022/016">2022/016</a> <span class="ms-2"><a href="/2022/016.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-08-08</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>An algebraic attack to the Bluetooth stream cipher E0</strong> <div class="mt-1"><span class="fst-italic">Roberto La Scala, Sergio Polese, Sharwan K. Tiwari, Andrea Visconti</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper we study the security of the Bluetooth stream cipher E0 from the viewpoint it is a “difference stream cipher”, that is, it is defined by a system of explicit difference equations over the finite field GF(2). 
This approach highlights some issues of the Bluetooth encryption such as the invertibility of its state transition map, a special set of 14 bits of its 132-bit state which when guessed implies linear equations among the other bits and finally a small number of spurious...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1644" class="paperlink" href="/2021/1644">2021/1644</a> <span class="ms-2"><a href="/2021/1644.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-04-09</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Pushing the Limits: Searching for Implementations with the Smallest Area for Lightweight S-Boxes</strong> <div class="mt-1"><span class="fst-italic">Zhenyu Lu, Weijia Wang, Kai Hu, Yanhong Fan, Lixuan Wu, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The area is one of the most important criteria for an S-box in hardware implementation when designing lightweight cryptography primitives. The area can be well estimated by the number of gate equivalents (GE). However, to the best of our knowledge, there is no efficient method to search for an S-box implementation with the least GE. 
Previous approaches can be classified into two categories: one is a heuristic that aims at finding an implementation with a satisfying but not necessarily the smallest...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1640" class="paperlink" href="/2021/1640">2021/1640</a> <span class="ms-2"><a href="/2021/1640.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-02-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>New Differential Cryptanalysis Results for the Lightweight Block Cipher BORON</strong> <div class="mt-1"><span class="fst-italic">Je Sen Teh, Li Jing Tham, Norziana Jamil, Wun-She Yap</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">BORON is a 64-bit lightweight block cipher based on the substitution-permutation network that supports an 80-bit (BORON-80) and 128-bit (BORON-128) secret key. In this paper, we revisit the use of differential cryptanalysis on BORON in the single-key model. Using a SAT/SMT approach, we look for differentials that consist of multiple differential characteristics with the same input and output differences. 
Each characteristic that conforms to a given differential improves its overall...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1584" class="paperlink" href="/2021/1584">2021/1584</a> <span class="ms-2"><a href="/2021/1584.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-08-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>ppSAT: Towards Two-Party Private SAT Solving</strong> <div class="mt-1"><span class="fst-italic">Ning Luo, Samuel Judson, Timos Antonopoulos, Ruzica Piskac, Xiao Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We design and implement a privacy-preserving Boolean satisfiability (ppSAT) solver, which allows mutually distrustful parties to evaluate the conjunction of their input formulas while maintaining privacy. We first define a family of security guarantees reconcilable with the (known) exponential complexity of SAT solving, and then construct an oblivious variant of the classic DPLL algorithm which can be integrated with existing secure two-party computation (2PC) techniques. 
We further observe...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1529" class="paperlink" href="/2021/1529">2021/1529</a> <span class="ms-2"><a href="/2021/1529.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-06-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Autoguess: A Tool for Finding Guess-and-Determine Attacks and Key Bridges</strong> <div class="mt-1"><span class="fst-italic">Hosein Hadipour, Maria Eichlseder</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The guess-and-determine technique is one of the most widely used techniques in cryptanalysis to recover unknown variables in a given system of relations. In such attacks, a subset of the unknown variables is guessed such that the remaining unknowns can be deduced using the information from the guessed variables and the given relations. This idea can be applied in various areas of cryptanalysis such as finding the internal state of stream ciphers when a sufficient amount of output data is...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1329" class="paperlink" href="/2021/1329">2021/1329</a> <span class="ms-2"><a href="/2021/1329.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-11-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Trail Search with CRHS Equations</strong> <div class="mt-1"><span class="fst-italic">John Petter Indrøy, Håvard Raddum</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Evaluating a block cipher’s strength against differential or linear cryptanalysis can be a difficult task. 
Several approaches for finding the best differential or linear trails in a cipher have been proposed, such as using mixed integer linear programming or SAT solvers. Recently a different approach was suggested, modelling the problem as a staged, acyclic graph and exploiting the large number of paths the graph contains. This paper follows up on the graph-based approach and models the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1285" class="paperlink" href="/2021/1285">2021/1285</a> <span class="ms-2"><a href="/2021/1285.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-11-30</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Convexity of division property transitions: theory, algorithms and compact models</strong> <div class="mt-1"><span class="fst-italic">Aleksei Udovenko</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Integral cryptanalysis is a powerful tool for attacking symmetric primitives, and division property is a state-of-the-art framework for finding integral distinguishers. This work describes new theoretical and practical insights into traditional bit-based division property. We focus on analyzing and exploiting monotonicity/convexity of division property and its relation to the graph indicator. 
In particular, our investigation leads to a new compact representation of propagation, which allows...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1245" class="paperlink" href="/2021/1245">2021/1245</a> <span class="ms-2"><a href="/2021/1245.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-07-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SeqL+: Secure Scan-Obfuscation with Theoretical and Empirical Validation</strong> <div class="mt-1"><span class="fst-italic">Seetal Potluri, Shamik Kundu, Akash Kumar, Kanad Basu, Aydin Aysu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Existing logic-locking attacks are known to successfully decrypt a functionally correct key of a locked combinational circuit. Extensions of these attacks to real-world Intellectual Properties (IPs, which are sequential circuits) have been demonstrated through the scan-chain by selectively initializing the combinational logic and analyzing the responses. In this paper, we propose SeqL+ to mitigate a broad class of such attacks. 
The key idea is to lock selective functional-input/scan-output...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1103" class="paperlink" href="/2021/1103">2021/1103</a> <span class="ms-2"><a href="/2021/1103.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-08-31</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Exploring Differential-Based Distinguishers and Forgeries for ASCON</strong> <div class="mt-1"><span class="fst-italic">David Gerault, Thomas Peyrin, Quan Quan Tan</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">Automated methods have become crucial components when searching for distinguishers against symmetric-key cryptographic primitives. While MILP and SAT solvers are among the most popular tools to model ciphers and perform cryptanalysis, other methods with different performance profiles are appearing. In this article, we explore the use of Constraint Programming (CP) for differential cryptanalysis on the ASCON authenticated encryption family (first choice of the CAESAR lightweight applications...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1099" class="paperlink" href="/2021/1099">2021/1099</a> <span class="ms-2"><a href="/2021/1099.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-08-26</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>MILP modeling of Boolean functions by minimum number of inequalities</strong> <div class="mt-1"><span class="fst-italic">Aleksei Udovenko</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This work presents techniques for modeling Boolean functions by mixed-integer linear inequalities (MILP) on binary variables in-place (without auxiliary variables), 
reaching minimum possible number of inequalities for small functions and providing meaningful lower bounds on the number of inequalities when reaching the minimum is infeasible. While the minimum number of inequalities does not directly translate to best performance in MILP applications, it nonetheless provides a useful...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1047" class="paperlink" href="/2021/1047">2021/1047</a> <span class="ms-2"><a href="/2021/1047.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-02-09</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A Correlation Attack on Full SNOW-V and SNOW-Vi</strong> <div class="mt-1"><span class="fst-italic">Zhen Shi, Chenhui Jin, Jiyan Zhang, Ting Cui, Lin Ding, Yu Jin</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper, a method for searching correlations between the binary stream of Linear Feedback Shift Register (LFSR) and the keystream of SNOW-V and SNOW-Vi is presented based on the technique of approximation to composite functions. 
With the aid of the linear relationship between the four taps of LFSR input into Finite State Machine (FSM) at three consecutive clocks, we present an automatic search model based on the SAT/SMT technique and search out a series of linear approximation trails...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/1017" class="paperlink" href="/2021/1017">2021/1017</a> <span class="ms-2"><a href="/2021/1017.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-08-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improve Neural Distinguisher for Cryptanalysis</strong> <div class="mt-1"><span class="fst-italic">Zezhou Hou, Jiongjiong Ren, Shaozhen Chen</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">At CRYPTO'19, Gohr built a bridge between deep learning and cryptanalysis. Based on deep neural networks, he trained neural distinguishers of Speck32/64 using a plaintext difference and single ciphertext pair. Compared with purely differential distinguishers, neural distinguishers successfully use features of the ciphertext pairs. Besides, with the help of neural distinguishers, he attacked 11-round Speck32/64 using Bayesian optimization. 
At EUROCRYPT'21, Benamira proposed a detailed...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/965" class="paperlink" href="/2021/965">2021/965</a> <span class="ms-2"><a href="/2021/965.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-07-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automatic Search for Bit-based Division Property</strong> <div class="mt-1"><span class="fst-italic">Shibam Ghosh, Orr Dunkelman</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Division properties, introduced by Todo at Eurocrypt 2015, are extremely useful in cryptanalysis and are an extension of the square attack (also called saturation attack or integral cryptanalysis). Given their importance, a large number of works tried to offer automatic tools to find division properties, primarily based on MILP or SAT/SMT. This paper studies better modeling techniques for finding division properties using the Constraint Programming and SAT/SMT-based automatic tools. We use the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/842" class="paperlink" href="/2021/842">2021/842</a> <span class="ms-2"><a href="/2021/842.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-06-21</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>PCPs and Instance Compression from a Cryptographic Lens</strong> <div class="mt-1"><span class="fst-italic">Liron Bronfman, Ron D. 
Rothblum</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Modern cryptography fundamentally relies on the assumption that the adversary trying to break the scheme is computationally bounded. This assumption lets us construct cryptographic protocols and primitives that are known to be impossible otherwise. In this work we explore the effect of bounding the adversary's power in other information-theoretic proof-systems and show how to use this assumption to bypass impossibility results. We first consider the question of constructing succinct PCPs....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/791" class="paperlink" href="/2021/791">2021/791</a> <span class="ms-2"><a href="/2021/791.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-06-14</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Open Sesame: A Novel Non-SAT-Attack against CAS-Lock</strong> <div class="mt-1"><span class="fst-italic">Akashdeep Saha, Urbi Chatterjee, Debdeep Mukhopadhyay, Rajat Subhra Chakraborty</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">CAS-Lock (proposed in CHES2020) is an advanced logic locking technique that harnesses the concept of single-point function in providing SAT-attack resiliency. It is claimed to be powerful and efficient enough in mitigating state-of-the-art attacks against logic locking techniques. Despite the security robustness of CAS-Lock as claimed by the authors, we expose a serious vulnerability by exploiting the same and devise a novel attack algorithm. 
The proposed attack can reveal the correct key...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/661" class="paperlink" href="/2021/661">2021/661</a> <span class="ms-2"><a href="/2021/661.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-05-25</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Linear Cryptanalyses of Three AEADs with GIFT-128 as Underlying Primitives</strong> <div class="mt-1"><span class="fst-italic">Ling Sun, Wei Wang, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This paper considers the linear cryptanalyses of Authenticated Encryptions with Associated Data (AEADs) GIFT-COFB, SUNDAE-GIFT, and HyENA. All of these proposals take GIFT-128 as underlying primitives. The automatic search with the Boolean satisfiability problem (SAT) method is implemented to search for linear approximations that match the attack settings concerning these primitives. 
With the newly identified approximations, we launch key-recovery attacks on GIFT-COFB, SUNDAE-GIFT, and HyENA...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/656" class="paperlink" href="/2021/656">2021/656</a> <span class="ms-2"><a href="/2021/656.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-05-27</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automated Search Oriented to Key Recovery on Ciphers with Linear Key Schedule: Applications to Boomerangs in SKINNY and ForkSkinny</strong> <div class="mt-1"><span class="fst-italic">Lingyue Qin, Xiaoyang Dong, Xiaoyun Wang, Keting Jia, Yunwen Liu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Automatic modelling to search distinguishers with high probability covering as many rounds as possible, such as MILP, SAT/SMT, CP models, has become a very popular cryptanalysis topic today. In those models, the optimizing objective is usually the probability or the number of rounds of the distinguishers. If we want to recover the secret key for a round-reduced block cipher, there are usually two phases, i.e., finding an efficient distinguisher and performing key-recovery attack by...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/643" class="paperlink" href="/2021/643">2021/643</a> <span class="ms-2"><a href="/2021/643.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-05-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On MILP-based Automatic Search for Bit-Based Division Property for Ciphers with (large) Linear Layers</strong> <div class="mt-1"><span class="fst-italic">Muhammad ElSheikh, Amr M. 
Youssef</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">With the introduction of the division trail, the bit-based division property (BDP) has become the most efficient method to search for integral distinguishers. The notion of the division trail allows us to automate the search process by modelling the propagation of the BDP as a set of constraints that can be solved using generic Mixed-integer linear programming (MILP) and SMT/SAT solvers. The current models for the basic operations and Sboxes are efficient and accurate. In contrast, the two...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/581" class="paperlink" href="/2021/581">2021/581</a> <span class="ms-2"><a href="/2021/581.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-05-03</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Breaking CAS-Lock and Its Variants by Exploiting Structural Traces</strong> <div class="mt-1"><span class="fst-italic">Abhrajit Sengupta, Nimisha Limaye, Ozgur Sinanoglu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking is a prominent solution to protect against design intellectual property theft. However, there has been a decade-long cat-and-mouse game between defenses and attacks. A turning point in logic locking was the development of the miter-based Boolean satisfiability (SAT) attack that steered the research in the direction of developing SAT-resilient schemes. These schemes, however, achieved SAT resilience at the cost of low output corruption. 
Recently, cascaded locking (CAS-Lock) was...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/452" class="paperlink" href="/2021/452">2021/452</a> <small class="ms-auto">Last updated: 2021-08-02</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SAT-based Method to Improve Neural Distinguisher and Applications to SIMON</strong> <div class="mt-1"><span class="fst-italic">Zezhou Hou, Jiongjiong Ren, Shaozhen Chen</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">Cryptanalysis based on deep learning has become a hotspot in the international cryptography community since it was proposed. The key point of differential cryptanalysis based on deep learning is to find a neural differential distinguisher with longer rounds or higher probability. Therefore it is important to research how to improve the accuracy and the rounds of neural differential distinguisher. In this paper, we design SAT-based algorithms to find a good input difference so that the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/442" class="paperlink" href="/2021/442">2021/442</a> <span class="ms-2"><a href="/2021/442.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-04-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>How to Backdoor a Cipher</strong> <div class="mt-1"><span class="fst-italic">Raluca Posteuca, Tomer Ashur</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Newly designed block ciphers are required to show resistance against known attacks, e.g., linear and differential cryptanalysis. Two widely used methods to do this are to employ an automated search tool (e.g., MILP, SAT/SMT, etc.) and/or provide a wide-trail argument. 
In both cases, the core of the argument consists of bounding the transition probability of the statistical property over an isolated non-linear operation, then multiply it by the number of such operations (e.g., number of...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/436" class="paperlink" href="/2021/436">2021/436</a> <span class="ms-2"><a href="/2021/436.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-04-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Algebraic Differential Fault Analysis on SIMON block cipher</strong> <div class="mt-1"><span class="fst-italic">Duc-Phong Le, Sze Ling Yeo, Khoongming Khoo</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">An algebraic differential fault attack (ADFA) is an attack in which an attacker combines a differential fault attack and an algebraic technique to break a targeted cipher. In this paper, we present three attacks using three different algebraic techniques combined with a differential fault attack in the bit-flip fault model to break the SIMON block cipher. First, we introduce a new analytic method that is based on a differential trail between the correct and faulty ciphertexts. 
This method is...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/362" class="paperlink" href="/2021/362">2021/362</a> <span class="ms-2"><a href="/2021/362.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-03-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Cryptanalysis of Round-Reduced SIMON32 Based on Deep Learning</strong> <div class="mt-1"><span class="fst-italic">Zezhou Hou, Jiongjiong Ren, Shaozhen Chen</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">Deep learning has played an important role in many fields. It shows significant potential to cryptanalysis. Differential cryptanalysis is an important method in the field of block cipher cryptanalysis. The key point of differential cryptanalysis is to find a differential distinguisher with longer rounds or higher probability. Firstly, we describe how to construct the ciphertext pairs required for differential cryptanalysis based on deep learning. Based on this, we train 9-round and...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/252" class="paperlink" href="/2021/252">2021/252</a> <span class="ms-2"><a href="/2021/252.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-03-02</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>A Resource Binding Approach to Logic Obfuscation</strong> <div class="mt-1"><span class="fst-italic">Michael Zuzak, Yuntao Liu, Ankur Srivastava</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking has been proposed to counter security threats during IC fabrication. Such an approach restricts unauthorized use by injecting sufficient module level error to derail application level IC functionality. 
However, recent research has identified a trade-off between the error rate of logic locking and its resilience to a Boolean satisfiability (SAT) attack. As a result, logic locking often cannot inject sufficient error to impact an IC while maintaining SAT resilience. In this work,...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/213" class="paperlink" href="/2021/213">2021/213</a> <span class="ms-2"><a href="/2021/213.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-03-02</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Accelerating the Search of Differential and Linear Characteristics with the SAT Method</strong> <div class="mt-1"><span class="fst-italic">Ling Sun, Wei Wang, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. 
Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/109" class="paperlink" href="/2021/109">2021/109</a> <span class="ms-2"><a href="/2021/109.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-02-01</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Sequential Logic Encryption Against Model Checking Attack</strong> <div class="mt-1"><span class="fst-italic">Amin Rezaei, Hai Zhou</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Due to high IC design costs and emergence of countless untrusted foundries, logic encryption has been taken into consideration more than ever. In state-of-the-art logic encryption works, a lot of performance is sold to guarantee security against both the SAT-based and the removal attacks. However, the SAT-based attack cannot decrypt the sequential circuits if the scan chain is protected or if the unreachable states encryption is adopted. 
Instead, these security schemes can be defeated by the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2021/022" class="paperlink" href="/2021/022">2021/022</a> <span class="ms-2"><a href="/2021/022.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-01-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Increasing Precision of Division Property</strong> <div class="mt-1"><span class="fst-italic">Patrick Derbez, Pierre-Alain Fouque</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this paper we propose new techniques related to division property. We describe for the first time a practical algorithm for computing the propagation tables of 16-bit Super-Sboxes, increasing the precision of the division property by removing a lot of false division trails. We also improve the complexity of the procedure introduced by Lambin et al. (Design, Codes and Cryptography, 2020) to extend a cipher with linear mappings and show how to decrease the number of transitions to look for....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/1586" class="paperlink" href="/2020/1586">2020/1586</a> <span class="ms-2"><a href="/2020/1586.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-04-08</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CirC: Compiler infrastructure for proof systems, software verification, and more</strong> <div class="mt-1"><span class="fst-italic">Alex Ozdemir, Fraser Brown, Riad S. 
Wahby</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Cryptographic tools like proof systems, multi-party computation, and fully homomorphic encryption are usually applied to computations expressed as systems of arithmetic constraints. In practice, this means that these applications rely on compilers from high-level programming languages (like C) to such constraints. This compilation task is challenging, but not entirely new: the software verification community has a rich literature on compiling programs to logical constraints (like SAT or...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/1402" class="paperlink" href="/2020/1402">2020/1402</a> <span class="ms-2"><a href="/2020/1402.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-11-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SKINNY with Scalpel - Comparing Tools for Differential Analysis</strong> <div class="mt-1"><span class="fst-italic">Stéphanie Delaune, Patrick Derbez, Paul Huynh, Marine Minier, Victor Mollimard, Charles Prud'homme</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Evaluating resistance of ciphers against differential cryptanalysis is essential to define the number of rounds of new designs and to mount attacks derived from differential cryptanalysis. In this paper, we compare existing automatic tools to find the best differential characteristic on the SKINNY block cipher. As usually done in the literature, we split this search in two stages denoted by Step 1 and Step 2. 
In Step 1, each difference variable is abstracted with a Boolean variable and we...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/1093" class="paperlink" href="/2020/1093">2020/1093</a> <span class="ms-2"><a href="/2020/1093.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2024-09-30</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Mind the Propagation of States New Automatic Search Tool for Impossible Differentials and Impossible Polytopic Transitions (Full Version)</strong> <div class="mt-1"><span class="fst-italic">Xichao Hu, Yongqiang Li, Lin Jiao, Shizhu Tian, Mingsheng Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Impossible differentials cryptanalysis and impossible polytopic cryptanalysis are the most effective approaches to estimate the security of block ciphers. However, the previous automatic search methods of their distinguishers, impossible differentials and impossible polytopic transitions, neither consider the impact of key schedule in the single-key setting and the differential property of large S-boxes, nor apply to the block ciphers with variable rotations. 
Thus, unlike previous methods...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/911" class="paperlink" href="/2020/911">2020/911</a> <span class="ms-2"><a href="/2020/911.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-07-28</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Lossy Correlation Intractability and PPAD Hardness from Sub-exponential LWE</strong> <div class="mt-1"><span class="fst-italic">Ruta Jawale, Dakshita Khurana</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We introduce a new cryptographic primitive, a lossy correlation-intractable hash function, and use it to soundly instantiate the Fiat-Shamir transform for the general interactive sumcheck protocol, assuming sub-exponential hardness of the Learning with Errors (LWE) problem. By combining this with the result of Choudhuri et al. 
(STOC 2019), we show that $\#\mathsf{SAT}$ reduces to end-of-line, which is a $\mathsf{PPAD}$-complete problem, assuming the sub-exponential hardness of LWE.</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/860" class="paperlink" href="/2020/860">2020/860</a> <span class="ms-2"><a href="/2020/860.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-07-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>SNARGs for Bounded Depth Computations from Sub-Exponential LWE</strong> <div class="mt-1"><span class="fst-italic">Yael Tauman Kalai, Rachel Zhang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">We construct a succinct non-interactive publicly-verifiable delegation scheme for any log-space uniform circuit under the sub-exponential $\mathsf{LWE}$ assumption, a standard assumption that is believed to be post-quantum secure. For a circuit of size $S$ and depth $D$, the prover runs in time poly$(S)$, and the verifier runs in time $(D + n) \cdot S^{o(1)}$, where $n$ is the input size. 
We obtain this result by slightly modifying the $\mathsf{GKR}$ protocol and proving that the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/668" class="paperlink" href="/2020/668">2020/668</a> <span class="ms-2"><a href="/2020/668.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-06-05</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>On Subversion-Resistant SNARKs</strong> <div class="mt-1"><span class="fst-italic">Behzad Abdolmaleki, Helger Lipmaa, Janno Siim, Michał Zając</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">While NIZK arguments in the CRS model are widely studied, the question of what happens when the CRS was subverted has received little attention. In ASIACRYPT 2016, Bellare, Fuchsbauer, and Scafuro showed the first negative and positive results in the case of NIZK, proving also that it is impossible to achieve subversion soundness and (even non-subversion) zero-knowledge at the same time. 
On the positive side, they constructed an involved sound and subversion-zero-knowledge (Sub-ZK)...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/591" class="paperlink" href="/2020/591">2020/591</a> <span class="ms-2"><a href="/2020/591.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-09-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Automatic Verification of Differential Characteristics: Application to Reduced Gimli (Full Version)</strong> <div class="mt-1"><span class="fst-italic">Fukang Liu, Takanori Isobe, Willi Meier</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Since Keccak was selected as the SHA-3 standard, more and more permutation-based primitives have been proposed. Different from block ciphers, there is no round key in the underlying permutation for permutation-based primitives. Therefore, there is a higher risk for a differential characteristic of the underlying permutation to become incompatible when considering the dependency of difference transitions over different rounds. 
However, in most of the MILP or SAT based models to search for...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/547" class="paperlink" href="/2020/547">2020/547</a> <span class="ms-2"><a href="/2020/547.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-05-15</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Finding Bit-Based Division Property for Ciphers with Complex Linear Layer</strong> <div class="mt-1"><span class="fst-italic">Kai Hu, Qingju Wang, Meiqin Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The bit-based division property (BDP) is the most effective technique for finding integral characteristics of symmetric ciphers. Recently, automatic search tools have become one of the most popular approaches to evaluating the security of designs against many attacks. Constraint-aided automatic tools for the BDP have been applied to many ciphers with simple linear layers like bit-permutation. Constructing models of complex linear layers accurately and efficiently remains hard. 
A...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/530" class="paperlink" href="/2020/530">2020/530</a> <span class="ms-2"><a href="/2020/530.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-05-06</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Determining the Multiplicative Complexity of Boolean Functions using SAT</strong> <div class="mt-1"><span class="fst-italic">Mathias Soeken</span></div> </div> </div> <p class="mb-0 mt-1 search-abstract">We present a constructive SAT-based algorithm to determine the multiplicative complexity of a Boolean function, i.e., the smallest number of AND gates in any logic network that consists of 2-input AND gates, 2-input XOR gates, and inverters. In order to speed-up solving time, we make use of several symmetry breaking constraints; these exploit properties of XAGs that may be useful beyond the proposed SAT-based algorithm. We further propose a heuristic post-optimization algorithm to reduce the...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/441" class="paperlink" href="/2020/441">2020/441</a> <span class="ms-2"><a href="/2020/441.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-04-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Modeling for Three-Subset Division Property without Unknown Subset</strong> <div class="mt-1"><span class="fst-italic">Yonglin Hao, Gregor Leander, Willi Meier, Yosuke Todo, Qingju Wang</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. 
In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/395" class="paperlink" href="/2020/395">2020/395</a> <span class="ms-2"><a href="/2020/395.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-06-02</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Cryptography from Information Loss</strong> <div class="mt-1"><span class="fst-italic">Marshall Ball, Elette Boyle, Akshay Degwekar, Apoorvaa Deshpande, Alon Rosen, Vinod Vaikuntanathan, Prashant Nalini Vasudevan</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Reductions between problems, the mainstay of theoretical computer science, efficiently map an instance of one problem to an instance of another in such a way that solving the latter allows solving the former. The subject of this work is ``lossy'' reductions, where the reduction loses some information about the input instance. We show that such reductions, when they exist, have interesting and powerful consequences for lifting hardness into ``useful'' hardness, namely cryptography. 
Our...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/324" class="paperlink" href="/2020/324">2020/324</a> <span class="ms-2"><a href="/2020/324.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-03-17</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Defeating CAS-Unlock</strong> <div class="mt-1"><span class="fst-italic">Bicky Shakya, Xiaolin Xu, Mark Tehranipoor, Domenic Forte</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Recently, a logic locking approach termed `CAS-Lock' was proposed to simultaneously counter Boolean satisfiability (SAT) and bypass attacks. The technique modifies the AND/OR tree structure in Anti-SAT to achieve non-trivial output corruptibility while maintaining resistance to both SAT and bypass attacks. An attack against CAS-Lock (dubbed `CAS-Unlock') was also recently proposed on a naive implementation of CAS-Lock. It relies on setting key values to all 1's or 0's to break CAS-Lock. 
In...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/202" class="paperlink" href="/2020/202">2020/202</a> <span class="ms-2"><a href="/2020/202.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-02-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Strong Anti-SAT: Secure and Effective Logic Locking</strong> <div class="mt-1"><span class="fst-italic">Yuntao Liu, Michael Zuzak, Yang Xie, Abhishek Chakraborty, Ankur Srivastava</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking has been proposed as strong protection of intellectual property (IP) against security threats in the IC supply chain especially when the fabrication facility is untrusted. Such techniques use additional locking circuitry to inject incorrect behavior into the digital functionality when the key is incorrect. A family of attacks known as "SAT attacks" provides a strong mathematical formulation to find the correct key of locked circuits. 
Many conventional SAT-resilient logic...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2020/165" class="paperlink" href="/2020/165">2020/165</a> <span class="ms-2"><a href="/2020/165.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-10-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Subsampling and Knowledge Distillation On Adversarial Examples: New Techniques for Deep Learning Based Side Channel Evaluations</strong> <div class="mt-1"><span class="fst-italic">Aron Gohr, Sven Jacob, Werner Schindler</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">This paper has four main goals. First, we show how we solved the CHES 2018 AES challenge in the contest using essentially a linear classifier combined with a SAT solver and a custom error correction method. This part of the paper has previously appeared in a preprint by the current authors (e-print report 2019/094) and later as a contribution to a preprint write-up of the solutions by the three winning teams (e-print report 2019/860). 
Second, we develop a novel deep neural network...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1463" class="paperlink" href="/2019/1463">2019/1463</a> <span class="ms-2"><a href="/2019/1463.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-12-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Rescuing Logic Encryption in Post-SAT Era by Locking & Obfuscation</strong> <div class="mt-1"><span class="fst-italic">Amin Rezaei, Yuanqi Shen, Hai Zhou</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">The active participation of external entities in the manufacturing flow has produced numerous hardware security issues in which piracy and overproduction are likely to be the most ubiquitous and expensive ones. The main approach to prevent unauthorized products from functioning is logic encryption that inserts key-controlled gates to the original circuit in a way that the valid behavior of the circuit only happens when the correct key is applied. 
The challenge for the security designer is to...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1443" class="paperlink" href="/2019/1443">2019/1443</a> <span class="ms-2"><a href="/2019/1443.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-12-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>CAS-Unlock: Unlocking CAS-Lock without Access to a Reverse-Engineered Netlist</strong> <div class="mt-1"><span class="fst-italic">Abhrajit Sengupta, Ozgur Sinanoglu</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">CAS-Lock (cascaded locking) is a SAT-resilient locking technique, which can simultaneously thwart SAT and bypass attack, while maintaining non-trivial output corruptibility. Despite all of its theoretical guarantees, in this report we expose a serious flaw in its design that can be exploited to break CAS-Lock. Further, this attack neither requires access to a reverse-engineered netlist, nor it requires a working oracle with the correct key loaded onto the chip's memory. 
We demonstrate that...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1190" class="paperlink" href="/2019/1190">2019/1190</a> <span class="ms-2"><a href="/2019/1190.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2020-09-23</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Improving Matsui's Search Algorithm for the Best Differential/Linear Trails and its Applications for DES, DESL and GIFT</strong> <div class="mt-1"><span class="fst-italic">Fulei Ji, Wentao Zhang, Tianyou Ding</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-SECRETKEY">Secret-key cryptography</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Automatic search methods have been widely used for cryptanalysis of block ciphers, especially for the most classic cryptanalysis methods -- differential and linear cryptanalysis. However, the automatic search methods, no matter based on MILP, SMT/SAT or CP techniques, can be inefficient when the search space is too large. In this paper, we improve Matsui's branch-and-bound search algorithm which is known as the first generic algorithm for finding the best differential and linear trails by...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1062" class="paperlink" href="/2019/1062">2019/1062</a> <span class="ms-2"><a href="/2019/1062.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2021-01-12</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Local Proofs Approaching the Witness Length</strong> <div class="mt-1"><span class="fst-italic">Noga Ron-Zewi, Ron D. 
Rothblum</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-FOUNDATIONS">Foundations</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Interactive oracle proofs (IOPs) are a hybrid between interactive proofs and PCPs. In an IOP the prover is allowed to interact with a verifier (like in an interactive proof) by sending relatively long messages to the verifier, who in turn is only allowed to query a few of the bits that were sent (like in a PCP). In this work we construct, for a large class of NP relations, IOPs in which the communication complexity approaches the witness length. More precisely, for any NP relation for which...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1040" class="paperlink" href="/2019/1040">2019/1040</a> <span class="ms-2"><a href="/2019/1040.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-09-18</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Hardware-Software Co-Design Based Obfuscation of Hardware Accelerators</strong> <div class="mt-1"><span class="fst-italic">Abhishek Chakraborty, Ankur Srivastava</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Existing logic obfuscation approaches aim to protect hardware design IPs from SAT attack by increasing query count and output corruptibility of a locked netlist. In this paper, we demonstrate the ineffectiveness of such techniques to obfuscate hardware accelerator platforms. 
Subsequently, we propose a Hardware/software co-design based Accelerator Obfuscation (HSCAO) scheme to provably safeguard the IP of such designs against SAT as well as removal/bypass type of attacks while still...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/1037" class="paperlink" href="/2019/1037">2019/1037</a> <span class="ms-2"><a href="/2019/1037.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-11-22</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Card-based Cryptography Meets Formal Verification</strong> <div class="mt-1"><span class="fst-italic">Alexander Koch, Michael Schrempp, Michael Kirsten</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-PROTOCOLS">Cryptographic protocols</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Card-based cryptography provides simple and practicable protocols for performing secure multi-party computation (MPC) with just a deck of cards. For the sake of simplicity, this is often done using cards with only two symbols, e.g., clubs and hearts. Within this paper, we target the setting where all cards carry distinct symbols, catering for use-cases with commonly available standard decks and a weaker indistinguishability assumption. 
As of yet, the literature provides for only three...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/975" class="paperlink" href="/2019/975">2019/975</a> <small class="ms-auto">Last updated: 2019-12-07</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Ci-Lock: Cipher Induced Logic Locking Resistant Against SAT Attacks</strong> <div class="mt-1"><span class="fst-italic">Akashdeep Saha, Sayandeep Saha, Debdeep Mukhopadhyay, Bhargab Bikram Bhattacharya</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Protection of intellectual property (IP) cores is one of the most practical security concern for modern integrated circuit (IC) industry. Albeit being well-studied from a practical perspective, the problem of safeguarding gate-level netlists from IP-theft is still an open issue. 
State-of-the-art netlist protection schemes, popularly known as logic locking, are mostly ad-hoc and their security claims are based on experimental evidences and the power of heuristics used for security evaluation....</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/958" class="paperlink" href="/2019/958">2019/958</a> <span class="ms-2"><a href="/2019/958.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2022-04-04</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Using SMT Solvers to Automate Chosen Ciphertext Attacks</strong> <div class="mt-1"><span class="fst-italic">Gabrielle Beck, Maximilian Zinkus, Matthew Green</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">In this work we investigate the problem of automating the development of adaptive chosen ciphertext attacks on systems that contain vulnerable format oracles. Unlike previous attempts, which simply automate the execution of known attacks, we consider a more challenging problem: to programmatically derive a novel attack strategy, given only a machine-readable description of the plaintext verification function and the malleability characteristics of the encryption scheme. 
We present a new set...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/946" class="paperlink" href="/2019/946">2019/946</a> <span class="ms-2"><a href="/2019/946.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-08-19</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Dynamically Obfuscated Scan Chain To Resist Oracle-Guided Attacks On Logic Locked Design</strong> <div class="mt-1"><span class="fst-italic">M Sazadur Rahman, Adib Nahiyan, Sarah Amir, Fahim Rahman, Farimah Farahmandi, Domenic Forte, Mark Tehranipoor</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-APPLICATIONS">Applications</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic locking has emerged as a promising solution against IP piracy and modification by untrusted entities in the integrated circuit design process. However, its security is challenged by boolean satisfiability (SAT) based attacks. Criteria that are critical to SAT attack success on obfuscated circuits includes scan architecture access to the attacker and/or that the circuit under attack is combinational. 
To address this issue, we propose a dynamically-obfuscated scan chain (DOSC) technique...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/918" class="paperlink" href="/2019/918">2019/918</a> <span class="ms-2"><a href="/2019/918.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-08-13</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>Resolving the Trilemma in Logic Encryption</strong> <div class="mt-1"><span class="fst-italic">Hai Zhou, Amin Rezaei, Yuanqi Shen</span></div> </div> <div class="float-end mt-1 ms-md-3"> <small class="badge category category-IMPLEMENTATION">Implementation</small> </div> </div> <p class="mb-0 mt-1 search-abstract">Logic encryption, a method to lock a circuit from unauthorized use unless the correct key is provided, is the most important technique in hardware IP protection. However, with the discovery of the SAT attack, all traditional logic encryption algorithms are broken. New algorithms after the SAT attack are all vulnerable to structural analysis unless a provable obfuscation is applied to the locked circuit. But there is no provable logic obfuscation available, in spite of some vague resorting to...</p> </div> </div> <div class="mb-4"> <div class="d-flex"><a title="2019/796" class="paperlink" href="/2019/796">2019/796</a> <span class="ms-2"><a href="/2019/796.pdf">(PDF)</a></span> <small class="ms-auto">Last updated: 2019-10-16</small> </div> <div class="ms-md-4"> <div class="d-flex flex-column flex-md-row justify-content-between"> <div> <strong>The End of Logic Locking? 
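A Critical View on the Security of Logic Locking</strong>
              <div class="mt-1"><span class="fst-italic">Susanne Engels, Max Hoffmann, Christof Paar</span></div>
            </div>
            <div class="float-end mt-1 ms-md-3">
              <small class="badge category category-FOUNDATIONS">Foundations</small>
            </div>
          </div>
          <p class="mb-0 mt-1 search-abstract">With continuously shrinking feature sizes of integrated circuits, the vast majority of semiconductor companies have become fabless, i.e., chip manufacturing has been outsourced to foundries across the globe. However, by outsourcing critical stages of IC fabrication, the design house puts trust in entities which may have malicious intents. This exposes the design industry to a number of threats, including piracy via unauthorized overproduction and subsequent reselling on the black market. One...</p>
        </div>
      </div>
      <div class="w-75 mx-auto">
        <ul class="pagination mt-5 mb-5">
          <li class="page-item active"><span class="page-link">1</span></li>
          <li class="page-item"><a rel="nofollow" class="page-link" href="/search?q=SAT&amp;offset=100">2</a></li>
          <li class="page-item">
            <a rel="nofollow" class="page-link" href="/search?q=SAT&amp;offset=100">Next »</a>
          </li>
        </ul>
      </div>
    </div>
  </div>
</div>
<script>
  // "Clear" empties every text input on the page and resets the category
  // <select>. Both controls belong to the search form earlier in the document;
  // they are looked up defensively so a template change cannot throw here and
  // abort the rest of this script (which would also drop validateForm).
  const clearButton = document.getElementById('clearButton');
  if (clearButton) {
    clearButton.addEventListener('click', function () {
      document.querySelectorAll('input').forEach(el => { el.value = ''; });
      const category = document.getElementById('category');
      if (category) {
        category.selectedIndex = 0; // numeric index, not the string "0"
      }
    });
  }

  // Client-side sanity check of the date filters before the form is submitted.
  // Returns false (blocking submission) when a range is inverted and marks the
  // offending fields with Bootstrap's is-invalid class; returns true otherwise.
  // The comparisons are plain string comparisons, which is only correct for
  // ISO yyyy-mm-dd values such as those produced by <input type="date"> —
  // NOTE(review): confirm the four inputs are of that type. This is a usability
  // aid only; the server must validate the same parameters independently.
  function validateForm() {
    const submittedAfter = document.getElementById('submittedafter');
    const submittedBefore = document.getElementById('submittedbefore');
    const revisedAfter = document.getElementById('revisedafter');
    const revisedBefore = document.getElementById('revisedbefore');
    const fields = [submittedAfter, submittedBefore, revisedAfter, revisedBefore];

    // Remove markers left over from a previous failed attempt so a corrected
    // form does not keep showing stale errors.
    fields.forEach(el => el.classList.remove('is-invalid'));

    // Each entry is [lower bound, upper bound]; a range is invalid when both
    // are filled in and lower > upper.
    const ranges = [
      [submittedAfter, submittedBefore],
      [revisedAfter, revisedBefore],
      [submittedAfter, revisedBefore], // a revision cannot predate submission
    ];
    for (const [lower, upper] of ranges) {
      if (lower.value && upper.value && lower.value > upper.value) {
        lower.classList.add('is-invalid');
        upper.classList.add('is-invalid');
        return false;
      }
    }
    return true;
  }
</script>
<script src="/js/mark.min.js"></script>
<script>
  // Highlight the search terms inside the result list. mark.js matches the
  // given string against text nodes and wraps hits in <mark>; the query string
  // is never inserted as HTML, so a hostile ?q= value is not an injection
  // vector here — escaping of the server-rendered results above is what keeps
  // this page safe.
  const instance = new Mark("div.results");
  const urlParams = new URLSearchParams(window.location.search);
  ['q', 'title', 'authors'].forEach(name => {
    const term = urlParams.get(name);
    if (term) {
      instance.mark(term);
    }
  });
</script>
</main>
<div class="container-fluid mt-auto" id="eprintFooter">
  <a href="https://iacr.org/">
    <img id="iacrlogo" src="/img/iacrlogo_small.png" class="img-fluid d-block mx-auto" alt="IACR Logo">
  </a>
  <div class="colorDiv"></div>
  <div class="alert alert-success w-75 mx-auto">
    Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.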
</div> </div> <script src="/css/bootstrap/js/bootstrap.bundle.min.js"></script> <script> var topNavbar = document.getElementById('topNavbar'); if (topNavbar) { document.addEventListener('scroll', function(e) { if (window.scrollY > 100) { topNavbar.classList.add('scrolled'); } else { topNavbar.classList.remove('scrolled'); } }) } </script> </body> </html>
