
Security Analysis Of Lightweight Block Cipher Based On MILP Method

Posted on: 2019-10-04 | Degree: Master | Type: Thesis
Country: China | Candidate: P Yang
GTID: 2438330545493146 | Subject: IoT application technology
Abstract/Summary:
With the rapid development of information technology and the Internet of Things, RFID (Radio Frequency Identification) technology has been widely used in some fields. To achieve reliable data transmission, the corresponding security services must be provided on the basis of cryptographic algorithms. Research on such algorithms is therefore one of the key technologies for ensuring the safe operation of the Internet of Things. When designing a secure block cipher, it is necessary to evaluate its security against differential attacks. An effective way to do this is to find the minimum number of active S-boxes, or a lower bound on the number of active S-boxes. Based on MILP, Mouha et al. proposed a novel method that can automatically analyse the security of a block cipher. This method can significantly reduce the workload of designers and cryptanalysts. However, it cannot be applied directly to block ciphers with SPN structures that use bitwise permutation diffusion layers (S-bP structures), because it ignores the diffusion effect produced jointly by the nonlinear substitution layers and the bitwise permutation layers. Moreover, the MILP constraints presented in Mouha et al.'s method are not enough to describe the differential propagation behaviour of a linear diffusion layer. In this paper we extend Mouha et al.'s method to S-bP structures by introducing new representations for exclusive-or (XOR) differences that describe bit-level and word-level differences simultaneously, and by taking the collaborative diffusion effect of S-boxes and bitwise permutations into account. We applied this improved method to the block ciphers EPCBC and PRESENT-80 and obtained the following results. For EPCBC, we proved that 32 rounds of EPCBC are secure enough for resisting. For PRESENT-80, we obtain lower bounds on the number of active S-boxes in the single-key model for the full 31-round PRESENT-80 and in the related-key model for round-reduced PRESENT-80 up to 12 rounds, and therefore automatically prove that the full-round PRESENT-80 is secure against single-key differential attack, and that the cost of a related-key differential attack on the full-round PRESENT-80 is close to that of an exhaustive search: the probability of the best related-key differential characteristic for full PRESENT-80 is upper bounded by $2^{-72}$.

However, it is computationally infeasible to solve an MILP model generated by an r-round block cipher with reasonably large r. In such cases, we can turn to the so-called simple split approach. We point out that this simple "split strategy" can be improved to obtain a tighter security bound by exploiting more information about a differential characteristic. We applied this method to the block cipher LBlock and proved that the upper bound on the probability of any related-key differential characteristic of the full-round LBlock is $2^{-60}$. For LBlock, the security bound ($2^{-60}$) obtained by the improved method is tighter than the bound ($2^{-56}$) obtained by the previous method for related-key differential attacks.
Keywords/Search Tags:EPCBC, PRESENT-80, LBlock, MILP, simple split method