Optimizing Guessing Strategies for Algebraic Cryptanalysiswith Applications to EPCBC

Michael Walter1, Stanislav Bulygin2,3, and Johannes Buchmann2,3

1 University of California, San Diego, Department of Computer Science and Engineering9500 Gilman Drive, Mail code 0404, La Jolla, CA 92093-5004, USA

miwalter@eng.ucsd.edu∗

2 Technische Universitat Darmstadt, Department of Computer ScienceHochschulstraße 10, 64289 Darmstadt, Germanybuchmann@cdc.informatik.tu-darmstadt.de

3 Center for Advanced Security Research Darmstadt - CASEDMornewegstraße 32, 64293 Darmstadt, Germany

Stanislav.Bulygin@cased.de†

Abstract. In this paper we demonstrate how to use Mixed Integer Linear Programming tooptimize guessing strategies for algebraic cryptanalysis with applications to the block cipherEPCBC. Using our optimized guessing strategy we are able to attack 5 rounds of EPCBC-96 and 8 rounds of EPCBC-48 faster than brute force using one and two known plaintextsresp. Finally, we are able to identify a class of weak keys for which the attack is faster thanbrute force for up to 7 rounds of EPCBC-96. Alongside results on EPCBC we believe that theproposed technique of optimized guessing is a useful tool in a more general context of algebraiccryptanalysis.

Keywords: Algebraic Cryptanalysis, Lightweight Cryptography, Guessing Strategies, MixedInteger Linear Programming

1 Introduction

Recent years have seen a drastic increase in the importance of embedded systems. More andmore objects in the world around us are being equipped with some circuitry, giving rise toa seemingly endless potential of intelligent and convenient solutions to today’s problems. Asa consequence, small and cheap hardware, like RFID tags or printed integrated circuits, isbeing developed. However, for many applications these low resource devices need to be able toprovide security properties, like privacy and authenticity. This is achieved by employing cryp-tographic algorithms. Many “classical” algorithms have not been designed to be implementedon small devices and are thus not suitable for this purpose. For this reason, the relativelyyoung field of lightweight cryptography tries to cater to that need by designing cryptographicprimitives that can be implemented with a small hardware footprint, while still preservingsecurity.

The main challenge in lightweight cryptography – to reduce the hardware footprint as faras possible while maintaining acceptable performance and security levels – requires carefulanalysis of every new cryptosystem that is being proposed. While the proposals tend to get

∗Supported in part by NSF grant CNS-1117936.†Supported by the grant DFG BU630/22-1.

2

smaller and smaller in terms of hardware footprint, one needs to make sure that these primi-tives still meet the claimed security properties. It seems plausible that algebraic cryptanalysiscould be a powerful approach to the analysis of lightweight primitives, since the restrictionson the hardware footprint also pose restrictions on the algebraic complexity of these prim-itives. The crucial step in algebraic cryptanalysis is solving an algebraic system describingthe primitive in question. There are several techniques available to tackle this problem. Sofar one of the most efficient methods has been the SAT solving, due to the vast amounts ofresearch during the past decades regarding solving the satisfiability problem in propositionallogic. It has been employed in the analysis of several primitives [1, 5, 8, 9, 19]. We will followthis methodology and also employ SAT solving.

In this work we will analyze a recently proposed lightweight primitive, the block cipherEPCBC [22], which follows the design principles of the PRESENT [2] block cipher. We willfocus on attacks with a low data complexity. We are aware of the success of statistical attackson PRESENT (e.g. [6]) and that they are probably applicable to EPCBC with similarsuccess due to the similarity to PRESENT. However, these attacks require a large amountof known (or chosen) plain-/ciphertext pairs. This might not always be a realistic scenario.The authors of [22] describe a possible application of their cipher that involves a libraryusing RFID tags to manage their books and someone borrowing a book on cancer treatment,which is obviously very private information. There should be no illegitimate way to read outthe Electronic Production Code (EPC) used to identify the book. While in this case it maybe possible to walk into the library and obtain a large amount of plain-/ciphertext pairs tomount a statistical attack, there are several scenarios where this is not true. For example,it is plausible that a hospital manages their medical devices using RFID tags. In this caseit is doubtful that it is easy to obtain enough plain-/ciphertext pairs to mount a statisticalattack. In contrast, a successful attack with low data complexity would enable an adversaryto gain knowledge of who is walking out of the hospital, for example with a catheter. So inthis context, algebraic attacks with low data complexity, although generally breaking fewerrounds, should be considered as a complement to cryptanalysis tools, rather than a competitorto statistical attacks. Moreover, studying attacks with low data complexity is important torule out the temptation to use less rounds in a scenario, where gathering large amount of datais (practically) impossible. An interesting approach for low data complexity attacks on AESis described in [16].

Our contribution goes beyond the analysis of a specific block cipher. We introduce a noveltechnique to optimize guessing strategies in algebraic cryptanalysis using Mixed Integer LinearProgramming (MILP). Guessing strategies play an important role in algebraic cryptanalysis toestimate the complexity of theoretical attacks or demonstrate certain weaknesses [1,10,17]. Atfirst sight it is not clear how a guessing strategy should be selected, as there is no establishedapproach yet. We address this problem by introducing a clear criterion based on informationpropagation for guessing strategies and introduce a new technique to select a guessing strategythat optimizes this criterion. We show how this new technique can be applied to EPCBC andhow it can even be used to identify classes of weak keys. While we demonstrate the techniqueusing a specific block cipher, this approach is applicable, and should be considered, in a moregeneral context.

MILP has been used as a tool for cryptanalysis for some time now, either as a solvingtechnique [4] or as a tool of finding useful differential properties [14]. In this work we useMILP to facilitate algebraic cryptanalysis.

3

The next section gives a brief overview of the primitive under consideration and Section 3outlines our results of an algebraic attack applied to EPCBC without guessing. We introducethe concept of guessing strategies in Section 4, where we also demonstrate how to optimizeguessing strategies for EPCBC and give our results for both versions of EPCBC. Finally,we summarize our results in Section 5 and outline some future work.

2 Description of EPCBC

EPCBC is a lightweight block cipher proposed by Yap et al. in 2011 [22]. The design ofthis cipher is mainly driven by two objectives. Firstly, being a lightweight cipher, EPCBC issupposed to provide a maximum of security with a very low hardware footprint. Secondly, thecipher is designed for a specific purpose, namely to provide secure encryption for ElectronicProduct Codes (EPC). EPCs are codes with a bit length of 96 in their smallest variant. Theauthors of [22] observed that so far there are no lightweight block ciphers with a suitableblock size for EPCs. To remedy this they propose two ciphers, one with block size b = 48 andone with block size b = 96. Both variants have a key length of 96 bits. We will denote themby EPCBC-48 and EPCBC-96, respectively.

The cipher is heavily inspired by PRESENT. Accordingly, the key schedule and theencryption algorithm exhibit very strong structural similarities to the encryption algorithmof PRESENT. This has the advantage that some security proofs for PRESENT directlycarry over to EPCBC.

2.1 Key schedule

Both versions of EPCBC run in 32 rounds with a final key addition at the end resultingin 33 subkeys. The key schedules are outlined in Algorithm 1 and 2, largely following theterminology of [22]. Note, that for EPCBC-48 the key schedule is built of 8 separate 4-roundPRESENT-like and very similar permutations, which have a block size of 48 and relatedinitial values, and only differ in the constant addition. This will be useful during our attack,where we will denote each of these permutations as a block. The following are the layers ofthe key schedule algorithm:

Algorithm 1 EPCBC-48 key schedule(LKeystate,RKeystate) = 96-bit keySubkey[0]← LKeystatefor i = 0→ 7 do

temp← LKeystate⊕ RKeystatefor j = 0→ 3 do

RKeystate← sBoxLayer(RKeystate)RKeystate← pLayer(RKeystate)RKeystate← RKeystate⊕ (4i + j)Subkey[4i + j + 1]← RKeystate

end forLKeystate← RKeystateRKeystate← temp

end for

4

Algorithm 2 EPCBC-96 key scheduleKeystate = 96-bit keySubkey[0]← Keystatefor i = 0→ r − 1 do

Keystate← sBoxLayer(Keystate)Keystate← pLayer(Keystate)Keystate← Keystate⊕ iSubkey[i + 1]← Keystate

end for

sBoxLayer The substitution layer of EPCBC and PRESENT are identical up to the num-ber of S-Boxes. For completeness, the definition of the 4-bit S-Box is given in Table 1.

input 0 1 2 3 4 5 6 7 8 9 A B C D E F

output C 5 6 B 9 0 A D 3 E F 8 4 7 1 2

Table 1. EPCBC S-Box (hex)

pLayer The permutation layer also strongly resembles the one of PRESENT. Bit j is movedto position P (j) with

P (j) =

{j · b4 mod b− 1 if 0 ≤ j ≤ b− 2 ,

b− 1 if j = b− 1 .

2.2 Encryption

The encryption process is mainly borrowed from PRESENT and is described by Algorithm3 for both versions of EPCBC. The STATE is initialized with the plaintext and subsequentlythe round function is applied r times to it. Finally, the last subkey is added, after which STATEcontains the ciphertext. For both versions of EPCBC r is 32. The functions sBoxLayer andpLayer are identical to the ones of the key schedule described in the previous section. Oneround of EPCBC-48 is depicted in Figure 1, where si is the i-th state, ki the i-th subkey andsi+1 the next state. Note, that the encryption process and the key schedule exhibit a strongstructural symmetry, which allows for significant information flow, as we will see below.

Algorithm 3 EPCBC Encryptionfor i = 0→ r − 1 do

STATE← STATE⊕ Subkey[i]STATE← sBoxLayer(STATE)STATE← pLayer(STATE)

end forSTATE← STATE⊕ Subkey[r]

5

Fig. 1. One round of EPCBC-48

3 Algebraic Attack without Guessing

Since EPCBC is a recently proposed block cipher, the analytic effort targeting this cipher isvery limited so far. As far as we know, the only cryptanalysis to date is the preliminary analysisin the proposal itself [22]. The authors comment on algebraic cryptanalysis but use a moreor less rule-of-thumb estimation to argue that EPCBC is secure against algebraic attacks.This estimation is partially justified, since it is mainly based on results due to analysis ofPRESENT, but a more thorough examination is necessary to ensure that the cipher meetsthe claimed security properties. The authors of [22] estimate the number of variables in thepolynomial system corresponding to the encryption and key schedule of EPCBC-48 to beat least 6240 and the number of equations to 16380 (12480 and 32760 for EPCBC-96). Thismight be a valid estimation if restricting the degree of the equations to 2, which can makesense for certain solving algorithms. However, when employing SAT solving, this may not betrue. Our algebraic representation consists of 4656 variables and 4608 equations for EPCBC-48, and 6240 and 6144 for EPCBC-96. In both cases, a quarter of the equations has degreetwo and the rest degree three, because the degree of the equations is determined by therepresentation of the S-Box operation (cf. Equations (1) to (4)).

For the algebraic attack we generated the polynomials in the Boolean polynomial ringrelating the inputs and outputs to each other, with additional variables for each intermediatestate in the key schedule and encryption. The crucial part of the equation generation is the waythe S-Box operation is represented as it is the only non-linear operation. As pointed out by theauthors of [22], the S-Box operation can be represented by 21 equations of degree two. Usingthese equations and Grobner basis techniques, we generated four explicit equations describingfor each output variable yi its dependence on the input variables xi, i.e. yi = fi(x0, x1, x2, x3):

y0 = x0 + x1 · x2 + x2 + x3 (1)

y1 = x0 · x1 · x2 + x0 · x1 · x3 + x0 · x2 · x3 + x1 · x3 + x1 + x2 · x3 + x3 (2)

y2 = x0 · x1 · x3 + x0 · x1 + x0 · x2 · x3 + x0 · x3 + x1 · x3 + x2 + x3 + 1 (3)

y3 = x0 · x1 · x2 + x0 · x1 · x3 + x0 · x2 · x3 + x0 + x1 · x2 + x1 + x3 + 1 (4)

We generated the polynomial system for EPCBC-48 and EPCBC-96, respectively, with suc-cessively increasing round numbers r starting with r = 1 using the open source mathematicssoftware system SAGE [20]. In theory, substituting the values of the known plain-/ciphertextpairs into the system and solving the system recovers the key. To solve the system we con-

6

verted it into an instance of the satisfiability problem using the PolyBoRi CNF converter1

and applied the SAT solver CryptoMiniSat [18] to it. We implemented and evaluated thealgebraic attack (without guessing) on round reduced versions of EPCBC-b for b ∈ {48, 96}in the known plaintext scenario. If not stated otherwise, throughout this paper our attacksuse the minimal number of known plain-/ciphertext pairs to uniquely determine the key, i.e.one known pair for EPCBC-96 and two for EPCBC-48. We evaluated the approach for eachversion and r using the following experiment 100 times. First, we chose a key and plaintext(s)at random and computed the corresponding ciphertext(s). Then, we set the variables corre-sponding to the plain-/ciphertext pairs in the polynomial system accordingly and attemptedto solve the system. The average solving times and standard deviations are listed in Table2 for 1 ≤ r ≤ 3. The attack was practically infeasible for larger r with our resources, whichconsisted of a test server with processors of type Quad-Core AMD Opteron(tm) Processor8356 operating at a frequency of 2.3 GHz and using a 64-bit Linux kernel in version 2.6.32.Only one core was used for the experiments.

r 1 2 3

avg in s 0.0077 0.27 458.3stdev in s 0.004 0.013 866.4

r 1 2 3

avg in s 0.017 0.28 556.7stdev in s 0.005 0.014 2282.7

Table 2. Standard algebraic known plaintext attack on EPCBC-48 (left) and EPCBC-96 (right)

4 Guessing Strategies

Despite the problems caused by the lack of efficiency of algebraic cryptanalysis, results formany primitives can often still be obtained by employing guessing strategies. For this, acertain number of variables of the polynomial system is fixed to either correct values or aguess and thus yielding a practically solvable system. To explore the implications of resultsobtained by following a guessing strategy, consider a block cipher with a key of length b. Wedenote the expected time required to find a solution of the corresponding polynomial systemas tbtrue . To denote the expected time required to prove that such a system does not havea solution, we use tbfalse . Finally, we will denote the time needed to encrypt a plaintext byteval . Typically, results from guessing strategies involve one of the two scenarios. In the firstscenario we assume part of the key is revealed to the adversary by some oracle. For a goodcryptographic primitive there should be no way to recover the rest of the key faster than bybrute-forcing the remaining key bits. This means, if we can show that for a block cipher anda set of k revealed secret bits

tb−ktrue < 2b−k−1 · teval (5)

holds, we have demonstrated a weakness in the primitive. Practical examples of this scenarioare side-channel attacks, where additional information is available to the adversary due tothe exploitation of physical properties of an implementation [12,15].

In the second scenario guessing is used to estimate the complexity of an algebraic attackwithout assuming any knowledge of the secret. Any algorithm that recovers the key fasterthan the brute-force attack is considered to be an attack, even if it is practically infeasible, in

1 https://bitbucket.org/malb/algebraic_attacks/src/ce81112bbce4/polybori-cnf-converter.py

7

which case it is of theoretical nature. So, assume that we can show by sufficiently samplingtb−kfalse and tb−k

true , that

2k−1 · tb−kfalse + tb−k

true < 2b−1 · teval (6)

tb−kfalse +

tb−ktrue

2k−1< 2b−k · teval (7)

holds for a given primitive. Note that the left hand side of (6) is the expected time neededto find a solution to the polynomial system by repeatedly guessing k out of the b secret bitsand solving the reduced system. Indeed, we expect to run through half of the possible guesses(2k−1 · tb−k

false) before we hit the correct guess (tb−ktrue). It follows that in this case we have found

a theoretical attack for the given primitive employing algebraic techniques, even though wemight not be able to estimate tbtrue . For sufficiently large k the inequality can be simplifiedfurther, since the term involving tb−k

true is negligible, yielding an upper bound for tb−kfalse only.

Note that in the second scenario the attacker is free to choose the variables for whichhe will guess values. Not surprisingly, it may happen that Equation (7) holds for one choiceof k variables, but does not for another. So in the former case we have a successful attack,whereas in the latter we do not. Therefore, the question arises which variables to guess. Inthis work we call a set of variables, where the guessing will take place, a guessing strategy.While employing guessing strategies is a standard approach in algebraic analysis, there isno established method in selecting a strategy. We want to remedy this by defining a clearcriterion for the quality of a guessing strategy and showing how to optimize this criterion ina systematic way.

4.1 Information Propagation

EPCBC is an iterative block cipher. This means that the next state in the encryption andthe key schedule is computed from the previous state via a round function. A round functionis almost the same for all rounds of a cipher (up to maybe adding some round-dependentconstants and the like). It follows that some information about a state can be deduced wheninformation about the previous state is known. In algebraic cryptanalysis the states usuallycorrespond to certain variables in the polynomial system, so information about some variablescan propagate to other variables. For example, consider Figure 2 which depicts one round ofthe key schedule in EPCBC-48 (neglecting the constant addition). The figure shows a set ofS-Boxes at the top and at the bottom, and in between the permutation layer is illustrated.The old state is the input of the S-Boxes at the top and the new state is the input of the S-Boxes at the bottom. If we know the input of one of the S-Boxes at the top, we obviously alsoknow the output of this specific S-Box and thus four of the bits of the new state. On the otherhand, if we had known four bits at random positions at four different S-Boxes of the inputstate, we could not have deduced the values of any bits of the new state. This is obvious whenconsidering Equations (1) to (4): no matter which x-variable is known, we cannot deducethe value of any y-variables. In contrast, if the values of x1, x2, and x3 are all known tobe 0, then we know for sure that y1 = 0. It follows, that revealing the values of differentbits yields different information gain, which can even depend on the values of the variables.The same holds for guesses: guessing bits at the input of the round may impose values forbits in the new state and thus decrease the number of unknowns in the system. Since thedifference between actually known bits, i.e. bits revealed to the adversary, and guessed bits is

8

irrelevant for information propagation, we will use these terms in this work interchangeablyin the context of information propagation.

The difference in the number of inferable bits is even magnified when considering morerounds and a larger number of known or guessed bits. So, guessing k variables of a polynomialsystem can reduce the number of variables in the system by far more than only k variables.We show in this work that solvers can benefit from this propagated information – the moreinformation inferable from the guesses the shorter the solving times. Although we do not claimthat the amount of propagated information is the only factor that influences the solving timesfor different guessing strategies, our experiments suggest that it is definitely an important one.Consequentially, our goal is to find guessing strategies that maximize the information gain inorder to optimize solving times for the reduced polynomial systems.

Fig. 2. One round of the key schedule of EPCBC-48

4.2 Optimizing Information Flow using MILP

We introduce two MILP models that compute guessing strategies in order to maximize theinformation flow for EPCBC-96. We will address EPCBC-48 in the next subsection. For anintroduction to MILP, see for example [7] or any other book on Mathematical Programming.Recall that for a given c ∈ Rn, A ∈ Rm×n, b ∈ Rm, and p ∈ {0, · · · , n} an MILP is defined as:

maxx{cTx|Ax ≤ b, x ∈ Zp × Rn−p} (8)

Note that for the purpose of information flow maximization we can neglect the constantaddition of the key schedule, since the constants are publicly known. Furthermore, we cancircumvent the key addition as well, due to the strong symmetry of the key schedule and theencryption process. When guessing bits only in the first state of the key schedule, i.e. in themaster key, all of these bits correspond to known bits in the plaintext and the knowledge isthus propagated through the first key addition layer of the encryption process. As this is truefor all guessed key bits, every propagated bit in the key schedule corresponds to a knownbit in the encryption process. So, if bits are only guessed in the input of the key schedule,the information flow in the key schedule and encryption process are identical. It follows thatwe only have to model the key schedule without the constant addition, i.e. a network ofinterleaved substitution and permutation layers, and maximize the information flow.

Simple Propagation Model First we introduce a simple model in the sense that we assumethat the output bits of a certain S-Box can only be learned if all of its input bits are known.For this, let us assume a network consisting of r rounds of the EPCBC-96 key schedule

9

(without constant addition). The state width is denoted by b. For the model we introduce aBoolean decision variable xi,j for every bit of the state in each round with the semantics thatxi,j = 1 iff the j-th bit is known after round i. Accordingly, the model will contain b variablesfor each round that is modeled and b additional variables for the initial state. The objectivefunction is now straight-forward:

maxr∑

i=0

b−1∑j=0

xi,j . (9)

Similarly, we can easily limit the number of bits we want to guess to an arbitrary integer k:

b−1∑j=0

x0,j ≤ k. (10)

Finally, we have to translate the semantics of the decision variables into our model. Forthis consider an arbitrary S-Box in round i and let xi,j0 , xi,j1 , xi,j2 , xi,j3 be the variablescorresponding to the input bits of this S-Box. Note, that the variables corresponding to theoutput bits of the S-Box are xi+1,P (j0), xi+1,P (j1), xi+1,P (j2), xi+1,P (j3). This is illustratedin Figure 3. To model the propagation of information through this S-Box, we include the

Fig. 3. Decision variables for one S-Box

following set of constraints:

xi+1,P (jt) ≤ xi,js for all t, s ∈ {0, · · · , 3}. (11)

This set of constraints ensures that an output bit of the S-Box is only known, i.e. xi+1,P (jt) = 1,if all the input bits are known. This is ensured by the fact that we maximize the sum ofknown/learned bits. Including this set of constraints for every S-Box in every round modelsthe information flow for the whole network. This will result in 16 · 24 = 384 constraints foreach round that is modeled.

We solved this MILP using a MILP solver2 for r = 4 rounds and k = 64 guesses. Adrawback of our method is that the model is increasingly hard to solve for more rounds.However, our result showed that information propagation does not extend beyond round

2 IBM ILOG CPLEX V12.1 under the academic license

10

three, so the solutions is optimal for all rounds larger than three. One result is depicted inAppendix A. It consists of guessing the leftmost 64 bits of the master key. There are twomore optimal solutions: one is guessing the rightmost 64 bits, and the other one is guessingthe leftmost 32 and the rightmost 32 bits. By guessing according to one of these strategieswe are able to infer at least z = 160 additional bits. Accounting for the bits propagated inthe encryption, this sums up to reducing the polynomial system by at least 384 variables.The estimations of t32true and t32false resulting from averaging the results of 100 runs each usingthe strategy in Appendix A can be found in Table 3. To estimate a lower bound for teval weaccounted one processor cycle for each substitution and each constant or key addition layerduring the encryption of a plaintext and the key schedule and assumed the same processorspeed as our experiments were run with (cf. Section 3). The results show that the algebraicattack using our guessing strategy (or having the corresponding bits revealed) is significantlyfaster than the brute-force attack up to r = 5. Specifically, we were able to achieve a speed-upfactor of nearly 90 for the 5-round version of EPCBC-96 for t32false .

r 4 5 6

231 · teval in s 14.9 18.7 22.4avg in s 0.12 0.39 1687.5stdev in s 0.006 0.023 2941.1

r 4 5 6

232 · teval in s 29.9 37.3 44.8avg in s 0.062 0.42 4324.7stdev in s 0.040 0.038 5614.7

Table 3. Comparison of t32true (left) and t32false (right) for EPCBC-96 with the brute-force attack

We compared our strategy with 10 random strategies. For each of these strategies weselected 16 out of the 24 S-Boxes of the first substitution layer of the key schedule randomlyand selected their input bits as a guessing strategy. Running the same experiment with themas we did for our optimized strategy showed that 8 of the 10 strategies yield attacks thatare slower than the brute-force attack. For 2 of the strategies the attack is also faster thanbrute-force, but the speed-up factor is less than 3.

Remark 1. It seems intuitive to apply a meet-in-the-middle attack, where bits in the first andin the last subkey are guessed and the propagated information “overlaps” in the middle. Thiscan serve to quickly reject a large portion of incorrect guesses if the overlapping informationdoes not match. However, using MILP techniques we were able to show that for r = 6 it is notpossible to achieve overlapping information with less than k = 100 guessed bits. Furthermore,we were able to show that at least k = 80 guessed bits are needed to achieve this for r = 5.With k = 80 and r = 5 a maximum of 6 overlapping bits is possible, which means that thenumber of guesses can be reduced from 280 to 274. We carried out experiments and appliedthe same bounds we used throughout this paper. The results strongly suggest that a meet-in-the-middle attack does not work in this context.

S-Box Adjusted Propagation Model For many S-Boxes some information about theoutput can still be inferred even if the input is only partially known. For example, if thesecond, third, and fourth bits of the input of the S-Box used in EPCBC are known or assumedto have the value 0, then the second and third bit of the output must have the values 0 and1, respectively (cf. Equations (1) to (4)). We will denote such relations as masks. The bitscorrespond directly to variables in the algebraic system, which represent their values and

11

thus the terms bit and algebraic variable can be used interchangeably in certain context. Incontrast, recall that the values of the decision variables of the MILP only represent knowledgeof the values of the corresponding bits, not the values of the bits themselves. To clarify thisdistinction we will use the terms algebraic variable and decision variable in the following.

Again, consider an arbitrary S-Box in round i with the input bits corresponding to thedecision variables xi,j0 , xi,j1 , xi,j2 , xi,j3 and output bits to the decision variables xi+1,P (j0),xi+1,P (j1), xi+1,P (j2), xi+1,P (j3). The concatenation of the values these variables take on can beseen as 8-dimensional binary vectors and the constraints in (11) describe a 0/1-polytope in 8-dimensional space that contains all points that represent a valid information flow through an S-Box. For example, this polytope contains the points (1, 1, 1, 1, 1, 1, 1, 1) and (1, 0, 1, 0, 0, 0, 0, 0),which represent the information flow with fully known input propagated to the output andpartial input that is not propagated, respectively. The polytope does not contain the point(0, 1, 1, 1, 0, 1, 1, 0), as would be desired for the example of the EPCBC S-Box mask above. Toremedy this we can construct the polytope using its vertex representation, i.e. we constructthe polytope as the convex hull of the set of points that all describe a valid information flow.Subsequently, the vertex representation can be converted into a set of equations and inequal-ities describing the same polytope using the Double Description Method3 [13]. Including thisset of constraints into the MILP instead of the constraints in (11) for every S-Box yields anMILP that models the information flow for a specific S-Box and specific values.

We are aware that this method neglects the fact that only certain values for partiallyknown inputs of an S-Box actually yield information about certain output bits. This canresult in an invalid information propagation being computed if several partial inputs are usedin subsequent rounds. A conceivable example using aforementioned EPCBC S-Box relationis depicted in Figure 4. Here the partial input is used to infer that the second and thirdoutput bit of an S-Box are 0 and 1. Furthermore, the third output bit is part of partiallyknown input of an S-Box in the subsequent round itself, but assumed to be 0 in order toallow for further information to be gained. This yields a conflict and thus the informationpropagation is invalid. This is due to the MILP model using Boolean decision variables andonly distinguishing known and unknown bits, but not their values. We will explain how wedealt with conflicts when discussing the solution.

The set of vertices (comprising values of decision variables) corresponding to masks (com-prising values of algebraic variables) for the EPCBC S-Box, which can be found by brute-force, is listed in Appendix B. To this set we added the vertex representing full informationflow (1, 1, 1, 1, 1, 1, 1, 1) and the vertices for partially known inputs that do not yield a mask,i.e. where the information is lost. Applying the Double Description Method to the resultingset yielded 181 inequalities. As they need to be included for each S-Box, this results in 4344constraints for each round that is modeled. The number of decision variables is still the sameas for the simple model. We solved the MILP for r = 5 and the result is depicted in AppendixC.4 The information flow is invalid as it contains several conflicts as explained above. How-ever, close inspection of the result reveals, that there is a set of crucial S-Boxes that allowsfor significant information propagation, if the mask conditions are satisfied for the algebraicvariables corresponding to these S-Box inputs. In the illustration in Appendix C these are theS-Boxes with the numbers, which represent the values the algebraic variables need to have for

3 Fukuda’s cddlib (http://www.ifor.math.ethz.ch/~fukuda/cdd_home/) accessed through the SAGE in-terface

4 For readability the lines representing known bits in the permutation layer of round two and three are drawnin light gray. This has no special meaning.

12

0 0 0

0 00

0 1

0 1

Fig. 4. Example of conflict in EPCBC network

the respective S-Box to yield the depicted information flow. A “+” means that either valueworks. For the key schedule to take advantage of this S-Box adjusted information flow, thereare 55 algebraic variables at the output of round 2 that need to have a specific value each. Wewill denote the corresponding bits by active bits. A key will be denoted as weak, if the keyschedule applied to it results in inner states, i.e. subkeys, meeting these requirements. Theremust be 241 weak keys since two rounds of the key schedule yield a 96-bit permutation.

Known Plaintext Attack on Weak Keys We simulated the attack on EPCBC-96 with r = 6rounds and a random known plain-/ciphertext pair for each of the 29 guesses. Specifically,we fixed the bits in the third round of the key schedule to the required values (the values inAppendix C), enumerated all possible values for the bits with the “+”, and for each of themobtained the values for our guess by inverting the two rounds of the key schedule for this set ofbits only. In the simple model we had the luxury of achieving the same information flow in thekey schedule and the encryption, as the flow was independent of the values of the variables. Theinformation flow now under consideration is dependent of the values of the variables and sincethe weakness of the keys only ensures the correct values for the key schedule, the informationflow does not hold for the encryption. There is still information being propagated, but it isunlikely to be as much as during the key schedule. However, relying on the high informationflow during the key schedule, we were able to reduce the number variables of the system by440 on average. The result is shown in Table 4 and shows speed-up factors of 23.6 and 24.2

compared to the brute-force attacks. The attack was practically infeasible for r = 7.

r 6

231 · teval in s 22.4avg in s 1.85stdev in s 2.93

r 6

232 · teval in s 44.8avg in s 2.42stdev in s 3.11

Table 4. Comparison of t32true (left) and t32false (right) for weak keys and random plaintext to brute-force attackfor EPCBC-96

13

Chosen Plaintext Attack on Weak Keys The attack can be sped up by also maximizing theinformation flow for the encryption process. Due to the symmetry of the key schedule andthe encryption process, we need the algebraic variables corresponding to partial inputs of thesame set of S-Boxes to have the same values as the ones in the key schedule. Due to thekey addition layer, these active bits are required to be 0 during the encryption. Given a key,such a plaintext can be constructed easily by fixing the 55 active bits to 0, choosing arbitraryvalues for the remaining bits and applying two rounds of decryption to this constructed state.Note that the choice of the plaintext is dependent on the choice of the guess. This is not aproblem in case the correct values of the key bits are known, since an attacker can simplychoose the plaintext as just explained. However, in case the key bits are not known and needto be guessed, this would mean the adversary would have to choose a new plaintext for eachguess. This obviously results in a very high data complexity, which we are trying to avoid.For this reason, we propose to choose a plaintext for one of the guesses and reuse the sameplaintext for each following guess. The hope here, which is confirmed by our experiments, isthat due to the structural similarity of all the weak keys the chosen plaintext is still relativelyweak for all of them.

Now it is possible to construct a chosen plaintext attack under the assumption that thekey is weak. After selecting the first guess, we can choose a plaintext as outlined above andrun our attack. We applied the attack to EPCBC-96 for r ∈ {6, 7} with 100 randomly chosenweak keys each, guessing correctly and randomly (but also weak). The polynomial systemwas reduced by 497 variables on average in case the key bits are known, and by 470 variablesin case they are guessed. The results are listed in Table 5. Again, our estimation of t32true is onthe left and the one of t32false is on the right. The estimations show that when given a set of 64weak key bits, for r = 6 recovering the remaining 32 bits in a chosen plaintext scenario is moreefficient using the algebraic attack than using a brute-force attack (in which we accounted forthe weak key assumption), exhibiting a speed-up factor of more than 25. Also, recovering thekey under the assumption that it is weak by enumerating the 29 sets of weak key bits andsolving the reduced system is more efficient than brute-forcing all 241 weak keys by a factorof more than 26.5.

r 6 7

231 · teval in s 22.4 26.1avg in s 0.5 71.0stdev in s 0.037 86.4

r 6 7

232 · teval in s 44.8 52.3avg in s 0.47 7968.8stdev in s 0.039 15194.2

Table 5. Comparison of t32true (left) and t32false (right) for weak keys and chosen plaintext to brute-force attackfor EPCBC-96

The results also show that this attack is not faster than the brute-force for r = 7. However,we experimented with using more plaintexts. The results for the case that the correct valuesof the key bits are known are shown in Figure 5. The horizontal line in the figure representsthe upper bound imposed by the brute-force attack. The results show that the attack on 7rounds is faster than brute-force with a speed-up factor of up to 2.7 if using more than oneplaintext. In the case where the key bits are guessed the attack was also drastically sped upby using multiple plaintexts, but not enough to yield an attack faster than the brute-forceattack. For this reason we neglect the results here.

14

1 2 3 4 5 6

# of plaintexts

0

10

20

30

40

50

60

70

80

t_tr

ue in s

Fig. 5. Comparison of t32true for weak keys of EPCBC-96 with r = 7 and several numbers of known plaintextsto brute-force attack

In this attack we only considered one optimal solution returned by the MILP solver tothe information flow maximization problem. Preliminary tests showed that there are multipleoptimal solutions, which might lead to further classes of weak keys. Some of these might evenmake attacks on more rounds of EPCBC-96 possible. To explore more sets of weak keys someautomation of the attack is necessary, especially in the handling of conflicts. In this work wedid this manually – how to do this algorithmically remains open for future work.

Finally, we want to remark on the drastic difference of observed average hardness of thepolynomial system when guessing 64 bits of general keys in contrast to the weak keys justdiscussed. In Table 3 (left) for r = 6 the average solving time is reported to be 1687.5swith a standard deviation of 2941.1s. Obviously, different instances that were tested exhibita large inhomogeneity regarding their hardness. Very low corresponding average solving timeand standard deviation for weak keys in Table 5 for r = 6 suggest that the hardness of theinstances is at least related to the amount of propagated information. As a consequence, apartfrom identifying a class of weak keys, this section serves as support for the claim made inSection 4.1: the more information can be inferred by guessing a set of bits, the easier theproblem is to solve.

4.3 EPCBC-48

We also employed guessing strategies to obtain results for EPCBC-48 for r > 3. Whilethe approach outlined above for EPCBC-96 is also applicable to EPCBC-48 with minormodifications, the difference in the key schedule of EPCBC-48 (cf. Algorithm 1) allows foranother approach. Observe that a 4-block permutation is carried out on RKeystate to obtainthe next four subkeys. While RKeystate is initialized with the right part of the key, after eachblock of the key schedule RKeystate is updated using temp. The first value temp takes on isthe sum of the left part and the right part of the key. In consequence, if the left and rightparts of the key are known to have a certain difference, the second block of the key schedule isinitialized with this known difference vector and we can easily compute the subkeys number5 to 8. Attacking 8 rounds of EPCBC-48 under the assumption that the difference vector ofthe key is known should not be harder than attacking 4 rounds under the same assumption.Thus, we can either assume an oracle to reveal the 48-bit difference vector to the adversaryor guess the difference vector.

15

Naturally, a brute-force adversary can also take advantage of this property. If an adversaryobtains a plain-/ciphertext pair encrypted under a key of which he knows the difference vector,he only has to brute-force at most 248 different keys. Note, that even when attacking EPCBC-48 with 4 < r ≤ 8 the adversary only has to encrypt 4 rounds for each potential key, since hecan precompute the last subkeys and thus compute the inner state of the encryption at the endof round 4 using the ciphertext. To sum up, assuming the knowledge of the difference vector,the expected time to recover the key for r ≤ 8 is: 247·min{r, 4}·tr, where tr denotes the runtimeof one round of the cipher. Again, we accounted one processor cycle for each substitution andeach addition layer and assumed the same processor speed as for our experiments. With theseassumptions a brute-force attack recovering the remaining 48 bits when the difference vectoris revealed takes almost 17 days for 4 ≤ r ≤ 8, providing the upper bound for t48true . The upperbound for t48false is twice as large.

We tested this approach assuming knowledge of the correct difference vector and thenguessing the difference vector randomly. The results are listed in Table 6. As expected, thehardness of the problem does not increase with increasing r for 4 ≤ r ≤ 8 and the 8-roundversion of EPCBC-48 exhibits weaknesses here. With our estimations of t48true (Table 6, left)we achieve a speed-up factor of more than 212 in case the correct difference vector is knownand more than 210 (Table 6, right) in case it is guessed randomly, compared to the brute-force adversary. We did also test a different approach where we applied the optimizationtechniques above, but guessing the difference vector outperformed any optimized strategy weobtained. However, the complexity of the algebraic attack increases steeply for r = 9. Thisis not surprising, since the internal state of the encryptions cannot be computed because thelast subkey is not known (or guessed), even though four intermediate subkeys are still known.

r 4 5 6 7 8

avg in s 175.0 156.4 283.0 164.7 142.1stdev in s 291.3 247.3 605.1 250.0 250.5

r 4 5 6 7 8

avg in s 1133.9 817.8 826.9 1296.3 1236.7stdev in s 1630.4 1051.8 1318.8 2699.9 1850.7

Table 6. Algebraic known plaintext attack on EPCBC-48 with known (left) and guessed (right) differencevector

This approach suggests a generalization to guessing the initial value of the last block ofthe key schedule for arbitrary r. Due to this structural weakness of the key schedule, wecan reduce breaking the r-round cipher faster than a brute-force attack on the 96-bit key tobreaking the (r − 4)-round cipher faster than a brute-force attack on 48 bits of the key.

5 Conclusion

In this work we introduced a novel technique to improve guessing strategies in the algebraiccryptanalysis of PRESENT-like primitives using Mixed Integer Linear Programming on theexample of EPCBC. In addition to introducing a systematic approach to optimizing guessingstrategies, we also showed how to use these techniques to identify classes of weak keys. Weanalyzed both versions of EPCBC using algebraic methods with the following results:

– We found practical attacks for EPCBC-48 and EPCBC-96 with up to 3 out of the 32rounds.

16

– We presented a theoretical attack on EPCBC-48 with up to 8 rounds.– We presented a theoretical attack on EPCBC-96 with up to 5 rounds.– We identified a class of 241 weak keys for EPCBC-96 with up to 7 rounds.

Our attacks mainly exploit two structural weaknesses of the cipher. In both versions of thecipher the encryption process and the key schedule exhibit a strong symmetry. This allowsfor a lot of information propagation. Furthermore, the way the 96-bit key is processed inEPCBC-48 to produce the subkeys allows for a very efficient guessing strategy, where wholeblocks of successive subkeys can be computed from known or guessed bits. Even though ourattacks do not yet threaten the full cipher, we recommend avoiding such weaknesses in thedesign of block ciphers. Especially in light of side-channel attacks these weaknesses can proveto be fatal to the security of a cipher.

One might argue that at least for the simple model the use of MILP is an overkill sincean exhaustive search of all guessing strategies that guess at 4-bit blocks corresponding to S-Boxes in the first round could have achieved the same result. However, this is only true in thisparticular case, since the choice of 4-bit blocks is relatively obvious. In contrast, the MILPapproach is very flexible. For example, using exhaustive search it would not have been thateasy to rule out meet-in-the-middle attacks (cf. Remark 1). Furthermore, an exhaustive searchfails when considering primitives for which it does not make sense to restrict the guessing tothe first round. For example, the permutation of SPONGENT [3] does not involve a keyaddition layer, but rather a constant addition layer. It follows that guessing does not need tobe restricted to the first round when attacking SPONGENT algebraically.

The techniques introduced in this work are not limited to the application to EPCBC orSPONGENT. In fact, they are not even limited to PRESENT-like primitives. The methodof optimizing guessing strategies can be employed in the algebraic analysis of any primi-tive, where information about known variables may propagate through the algebraic system.Depending on the nature of the targeted primitive this only requires modifications to theMILP model. It would be interesting to apply our techniques to other primitives, for exampleLBlock [21] or SPONGENT.

Our analysis of weak keys could be improved by extending the MILP approach to takeinto account the values of the known bits, not only whether they are known or unknown. Thiscould avoid conflicts as they were observed in Section 4.2 and thus aid the automation of theprocess of identifying weak keys. This, in turn, bears the potential of recovering more classesof weak keys of EPCBC-96, which we believe have a relatively high information flow and aretherefore linked to solutions of the corresponding MILP model.

Moreover, our technique suffers from the complexity of the MILP model. We were onlyable to solve the model for up to certain round numbers. In some cases and for small k thisdoes not compromise optimality since information does not extend any further but for largerk or other primitives this might not hold anymore. Our analysis could profit from advancesin MILP in general and improvements of the model itself.

Finally, there is room for improvement when choosing the guessing parameter k – the num-ber of variables to guess. While our decisions regarding this parameter were mainly driven byconsiderations about the practicality of our experiments, other decisions might yield a betteroverall complexity of the attack by improving the trade-off between available information andnumber of values to guess.

17

References

1. Gregory V. Bard, Nicolas Courtois, Jorge Nakahara, Pouyan Sepehrdad, and Bingsheng Zhang. Alge-braic, AIDA/Cube and Side Channel Analysis of KATAN Family of Block Ciphers. In Guang Gong andKishan Chand Gupta, editors, Indocrypt 2010, volume 6498 of Lecture Notes in Computer Science, pages176–196. Springer, 2010.

2. A. Bogdanov, L. R. Knudsen, G. Le, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkel-soe. PRESENT: An Ultra-Lightweight Block Cipher. In CHES 2007, volume 4727 of Lecture Notes inComputer Science, pages 450–466. Springer, 2007.

3. Andrey Bogdanov, Miroslav Knezevic, Gregor Leander, Deniz Toz, Kerem Varici, and Ingrid Verbauwhede.SPONGENT: A Lightweight Hash Function. In Bart Preneel and Tsuyoshi Takagi, editors, CHES, volume6917 of Lecture Notes in Computer Science, pages 312–325. Springer, 2011.

4. Julia Borghoff, Lars R. Knudsen, and Mathias Stolpe. Bivium as a mixed-integer linear programmingproblem. In IMA Int. Conf., volume 5921 of Lecture Notes in Computer Science, pages 133–152, 2009.

5. Stanislav Bulygin and Johannes Buchmann. Algebraic Cryptanalysis of the Round-Reduced and SideChannel Analysis of the Full PRINTCipher-48. In Lin et al. [11], pages 54–75.

6. B. Collard and F.-X. Standaert. A Statistical Saturation Attack against the Block Cipher PRESENT. InProceedings of CT-RSA, 2009.

7. Antonio J Conejo, Enrique Castillo, Roberto Minguez, and Raquel Garcia-Bertrand. Decomposition tech-niques in mathematical programming. Springer-Verlag, Berlin, 2006. Engineering and science applications.

8. Nicolas Courtois and Gregory V. Bard. Algebraic Cryptanalysis of the Data Encryption Standard. InSteven D. Galbraith, editor, IMA Int. Conf., volume 4887 of Lecture Notes in Computer Science, pages152–169. Springer, 2007.

9. Nicolas Courtois, Gregory V. Bard, and David Wagner. Algebraic and Slide Attacks on KeeLoq. In KaisaNyberg, editor, FSE, volume 5086 of Lecture Notes in Computer Science, pages 97–115. Springer, 2008.

10. Blandine Debraize and Louis Goubin. Guess-and-determine algebraic attack on the self-shrinking gen-erator. In Kaisa Nyberg, editor, Fast Software Encryption, pages 235–252, Berlin, Heidelberg, 2008.Springer-Verlag.

11. Dongdai Lin, Gene Tsudik, and Xiaoyun Wang, editors. Cryptology and Network Security - 10th Interna-tional Conference, CANS 2011, Sanya, China, December 10-12, 2011. Proceedings, volume 7092 of LectureNotes in Computer Science. Springer, 2011.

12. Mohamed Saied Emam Mohamed, Stanislav Bulygin, Michael Zohner, Annelie Heuser, Michael Walter,and Johannes Buchmann. Improved algebraic side-channel attack on aes. In IEEE HOST 2012, pages146–151, 2012.

13. T.S. Motzkin, H. Raiffa, G. L. Thompson, and R. M. Thrall. The Double Description Method. In H. W.Kuhn and A. W. Tucker, editors, Contributions to the Theory of Games II. Princeton University Press,1953.

14. Nicky Mouha, Qingju Wang, Dawu Gu, and Bart Preneel. Differential and linear cryptanalysis usingmixed-integer linear programming. In Inscrypt, volume 7537 of Lecture Notes in Computer Science, pages57–76, 2011.

15. Yossef Oren, Mathieu Renauld, Francois-Xavier Standaert, and Avishai Wool. Algebraic side-channelattacks beyond the hamming weight leakage model. In CHES 2012, volume 7428 of Lecture Notes inComputer Science, pages 140–154, 2012.

16. Phillip Rogaway, editor. Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference,Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, volume 6841 of Lecture Notes in ComputerScience. Springer, 2011.

17. Ilaria Simonetti, Jean-Charles Faugre, and Ludovic Perret. Algebraic Attack Against Trivium. In FirstInternational Conference on Symbolic Computation and Cryptography, SCC 08, LMIB, pages 95–102,Beijing, China, April 2008.

18. M. Soos. Cryptominisat 2.5.0. In SAT Race competitive event booklet, July 2010.19. Mate Soos. Grain of Salt – an Automated Way to Test Stream Ciphers through SAT Solvers. In Tools’10:

Proceedings of the Workshop on Tools for Cryptanalysis 2010, pages 1–2, 2010.20. W. A. Stein et al. Sage Mathematics Software (Version 4.7.2). The Sage Development Team, 2011.

http://www.sagemath.org.21. Wenling Wu and Lei Zhang. LBlock: A lightweight block cipher. In Javier Lopez and Gene Tsudik, editors,

ACNS, volume 6715 of Lecture Notes in Computer Science, pages 327–344, 2011.22. Huihui Yap, Khoongming Khoo, Axel Poschmann, and Matt Henricksen. EPCBC - A Block Cipher

Suitable for Electronic Product Code Encryption. In Lin et al. [11], pages 76–97.

18

A Solution of the simple propagation model for EPCBC-96

19

B Information flow in EPCBC S-Box

mask vertex

*000 → *01* (0, 1, 1, 1, 0, 1, 1, 0)*001 → *1** (0, 1, 1, 1, 0, 1, 0, 0)*010 → *00* (0, 1, 1, 1, 0, 1, 1, 0)*011 → **10 (0, 1, 1, 1, 0, 0, 1, 1)*100 → *1** (0, 1, 1, 1, 0, 1, 0, 0)*101 → ***1 (0, 1, 1, 1, 0, 0, 0, 1)*110 → ***1 (0, 1, 1, 1, 0, 0, 0, 1)*111 → **00 (0, 1, 1, 1, 0, 0, 1, 1)

0*00 → 0*1* (1, 0, 1, 1, 1, 0, 1, 0)0*01 → 11** (1, 0, 1, 1, 1, 1, 0, 0)0*10 → **01 (1, 0, 1, 1, 0, 0, 1, 1)0*11 → *0*0 (1, 0, 1, 1, 0, 1, 0, 1)1*00 → 1*** (1, 0, 1, 1, 1, 0, 0, 0)1*01 → 0**1 (1, 0, 1, 1, 1, 0, 0, 1)1*10 → *0** (1, 0, 1, 1, 0, 1, 0, 0)1*11 → *1*0 (1, 0, 1, 1, 0, 1, 0, 1)

mask vertex

00*0 → *0*1 (1, 1, 0, 1, 0, 1, 0, 1)00*1 → ***0 (1, 1, 0, 1, 0, 0, 0, 1)01*0 → 01** (1, 1, 0, 1, 1, 1, 0, 0)01*1 → 1*** (1, 1, 0, 1, 1, 0, 0, 0)10*0 → *0*0 (1, 1, 0, 1, 0, 1, 0, 1)10*1 → *11* (1, 1, 0, 1, 0, 1, 1, 0)11*0 → 1**1 (1, 1, 0, 1, 1, 0, 0, 1)11*1 → 0*0* (1, 1, 0, 1, 1, 0, 1, 0)

001* → *0** (1, 1, 1, 0, 0, 1, 0, 0)010* → *11* (1, 1, 1, 0, 0, 1, 1, 0)011* → **0* (1, 1, 1, 0, 0, 0, 1, 0)100* → **1* (1, 1, 1, 0, 0, 0, 1, 0)101* → ***0 (1, 1, 1, 0, 0, 0, 0, 1)110* → **01 (1, 1, 1, 0, 0, 0, 1, 1)

**11 → ***0 (0, 0, 1, 1, 0, 0, 0, 1)*0*0 → *0** (0, 1, 0, 1, 0, 1, 0, 0)

20

C Solution of the S-Box adjusted model for EPCBC-96

0+

0

0+

0 0

0

10 1

11

0+

0

0+

0 0

0

+0 0

0 +

0+

0

0+

0 0

0

10 1

11

0+

0

0+

0 0

0

10 1

11

0+

0

0+

0 0

0

10 1

11

0+

0

0+

0 0

0

10 1

11

0+

0

0+

0+

0

0+

0 0

0

0 0

0

10 1

11

10 1

11