New Algorithm For Modeling S-Box In Milp Based Differential And Division Trail Search

This paper studies an automated differential-trail search against block ciphers in which the problem of finding the optimal trail is converted to one of finding the optimal solution in a mixed-integer-linear programming (MILP). The most difficult part is representing differential properties of an S-box, known as differential distribution table (DDT), with a system of inequalities. Previous work builds the system by using a general-purpose mathematical tool, SAGE Math. However, the generated system for general-purpose contains a lot of redundant inequalities for the purpose of differential-trail search, thus inefficient. Hence, an auxiliary algorithm was introduced to minimize the number of inequalities by hoping that it minimizes the runtime to solve the MILP. This paper proposes a new algorithm to improve this auxiliary algorithm. The main advantage is that while the previous algorithm does not ensure the minimum number of inequalities, the proposed algorithm does ensure it. Moreover it enables the users to choose the number of inequalities in the system. In addition, this paper experimentally shows that the above folklore "minimizing the number of inequalities minimizes the runtime" is not always correct. The proposed algorithm can also be used in the MILP-based division-trail search, which evaluates the bit-based division property for integral attacks.