This repository includes the source code of tools we used in our paper entitled Integral Analysis of WARP Based on Monomial Prediction, which was accepted in FSE 2023 (ToSC-2022-2).
Our tools to find integral distinguishers are located in distinguisher. We have provided different tools based on three popular encoding methods: SAT, Constraint Programming (CP), and Mixed Integer Linear Programming (MILP).
We have used Python to implement our tools to find distinguishers ad C language to experimentally verify our discovered practical distinguishers. The requirements of our tools to find the distinguishers are as follows:
For Debian-based Linux distributions, you can install the requirements by executing install.sh.
Our tool based on SAT solver is located in distinguisher/sat. To see a brief help concerning the usage of this tool, see:
python3 satmp.py --helpFor example, to find integral distinguishers for 21 rounds of WARP, you can run the following command:
python3 satmp.py -nr 21 -sl minisat22In addition, to find an integral distinguisher corresponding to a given cube, you can use checkcube.py. For example, let input nibbles [24, 25, 26, 27] be fixed, and the remaining 12 nibbles take all possible values. To see if this cube results in an integral distinguisher after 21 rounds of WARP, run the following command:
python3 checkcube.py -nr 21 -fi 24 25 26 27 -sl cadicalOur SAT-based tool supports almost all of the state-of-the-art SAT solvers such as Minisat, CaDiCaL, Lingeling and Glucose and Mergesat.
Our tool based on Constraint Programming (CP) is located in distinguisher/cp. To see brief documentation of the parameters, navigate into distinguisher/cp and run the following command:
python3 cpmp.py --helpOur tool based on MILP is located in distinguisher/milp. Navigate into distinguisher/milp and run the following command to see a brief manual for this tool:
python3 milpmp.py --helpThe required codes to experimentally verify our practical integral distinguishers are located in verification. To compile our C codes, we have provided Makefiles. For example, to verify our practical 14-round distinguisher, navigate into verification/warp14r, and then run the following commands:
make
./checkOur key-recovery tool is located in keyrecovery.
Our key-recovery tool requires the following softwares:
- SageMath to generate code
- lualatex and a few standard LaTeX packages to compile code
- latexmk to build (can be replaced by just calling
lualatexdirectly)
keyrecovery_plot.py generates key-recovery DAGs for WARP.
For a brief documentation of parameters, see
sage -python keyrecovery_plot.py --help
The graphs in the paper (without postprocessing for the left branch) can be generated as follows:
Figure 4 (cipher overview of both branches):
sage -python keyrecovery_plot.py -c -n 5 -r 23 -R 9 > WARP.tex
latexmk WARP.tex
Figure 5 (DAG for right branch):
sage -python keyrecovery_plot.py -gs -n 25 -r 25 -R 7 > DAG_left.tex
latexmk DAG_left.tex
Figure 6 (DAG for right left):
sage -python keyrecovery_plot.py -gs -n 1 -r 24 -R 8 > DAG_right.tex
latexmk DAG_right.tex
While the DAG framework could be reused or extended for other ciphers, the implementation is currently focused on WARP and on the cases encountered in the 9-round attack. The reported key size is the size of the keyspace (taking linear dependency into account), not the potentially larger number of key nodes; depending on how well the dependencies can be exploited, the complexity will be between these two. Thus, the reported number of additions for the left branch is lower than the actual number in the paper.
Bug: In some cases, the code omits
If you use our codes in a project resulting in an academic publication, please acknowledge it by citing our paper:
@article{Hadipour_Eichlseder_2022,
title={Integral Analysis of WARP Based on Monomial Prediction},
volume={2022},
url={https://tosc.iacr.org/index.php/ToSC/article/view/9715},
DOI={10.46586/tosc.v2022.i2.92-112},
number={2},
journal={IACR Transactions on Symmetric Cryptology},
author={Hadipour, Hosein and Eichlseder, Maria},
year={2022},
month={10},
pages={92--112}
}
Our tool is released under the MIT license.