State value propagation and milp-based impossible differential distinguisher search method

By combining state value propagation with MILP technology, the problem of low search efficiency in existing methods is solved, achieving more efficient impossible differential distinguisher search, applicable to various block ciphers, and improving search efficiency and key recovery convenience.

CN120074796BActive Publication Date: 2026-06-26GUILIN UNIV OF ELECTRONIC TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
GUILIN UNIV OF ELECTRONIC TECH
Filing Date
2025-02-28
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Existing impossible differential discriminator search methods cannot cover all cases when considering input-output differences, resulting in low search efficiency and inability to effectively utilize S-box details.

Method used

A method based on state value propagation and mixed integer linear programming (MILP) is adopted. By characterizing the state value propagation mode in the cryptographic algorithm, it is divided into ra rounds of encryption and rb rounds of decryption. State value propagation constraints are added, and contradiction points are set in the MILP model to improve search efficiency.

Benefits of technology

It improves the efficiency of impossible differential distinguisher search, is applicable to block-based and bit-based cryptography, and the model output includes differential values ​​and state values, which can be easily integrated with key recovery processes and shorten the solution time.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN120074796B_ABST
    Figure CN120074796B_ABST
Patent Text Reader

Abstract

The application discloses a search method of impossible differential distinguisher based on state value propagation and MILP. The method describes the propagation of bit-level state value, divides the distinguisher into two sections of rounds, adds the constraint condition of the propagation of state value in each round in the MILP model, adds a new constraint condition at the first round to check the contradiction point, and judges the validity of the distinguisher according to the solvability of the model. The model solving speed of the Gurobi solver in searching the impossible differential distinguisher is improved by dividing the state value propagation mode of the S-box and generating more efficient inequalities. In addition, when describing the relatively complex nonlinear layer operation, the number of inequalities required for describing the nonlinear layer is reduced by dividing the propagation mode into subsets and optimizing the inequalities. Furthermore, the algorithm is used to reduce the inequality coefficient and reduce the solution space required by the solver, thereby improving the overall solving speed of the model.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of information security, specifically to an impossible differential discriminator search method based on state value propagation theory and MILP technology. Background Technology

[0002] Differential analysis [1] uses high-probability differentials to attack block ciphers. It is impossible for differential analysis to be proposed independently by Biham [2] and Knudsen [3]. It is the opposite of differential analysis, using differential attacks with a probability of 0. It is widely used in the analysis of various block ciphers. If the probability of the input difference of the cryptographic algorithm being Δin and the output difference being Δout after r rounds is 0, then A single r-round differential sequence is impossible. Let the block cipher E have a block length of n and a key length of k. The process of plaintext passing through this cipher to produce the corresponding ciphertext can be represented as follows: If for all possible plaintext x and key k, the probability that the input difference Δin will be the output difference Δout after r rounds is 0, that is... If there is no solution, an r-round discriminator can be used. Perform impossible difference analysis.

[0003] Search-based differential discriminators typically employ an intermediate phase shift method to encrypt the input difference Δin, propagating r with a probability of 1. a A gets the turn and decrypts the output difference Δout, propagating r with a probability of 1. b If it's B's turn, and a≠b, then r is obtained. a +r b Wheel cannot differ

[0004] In recent years, with the development of automated search technology, the use of automated tools to search for impossible difference distinguishers has become a current trend, and various automated search tools for impossible differences have gradually replaced traditional manual calculations. In 2003, Kim et al.[4] first proposed the first automated search tool for impossible differences. The article studies the impossible differentials of block ciphers with bijective round functions and proposes an algorithm for finding the maximum length of the impossible differential discriminator using this method. Luo et al. [5] studied this in 2014. The method was expanded and a new approach was proposed. This method relaxes the restrictions on round functions and has higher search efficiency. The two automated search methods mentioned above cannot consider the details of the S-box in the search, resulting in a large amount of useful information being ignored, making it impossible to search for longer discriminators. With the method proposed by Sun et al. [6] in 2014 to use a system of linear inequalities to characterize the difference properties of the S-box, automated search tools have become more accurate and efficient in searching for impossible difference discriminators.

[0005] In existing impossible difference search methods, most studies focus on the relationship between the input difference value Δin and the output difference value Δout. However, Hu et al. [7] proposed to directly characterize the propagation of state values ​​in the model, which can then be applied to the search of impossible difference discriminators. The state value refers to the relationship between x and Δin. This method studies the state values ​​from input to E. k (x) and The article describes the value propagation of operations such as S-boxes using the STP tool and proposes a new impossible differential discriminant search algorithm. This algorithm found the longest impossible differential discriminant for the GIFT64 cipher at the time, and for the MISTY1 cipher, it found a new discriminant that previous methods had not discovered.

[0006] [1]Biham E, Shamir A. Differential cryptanalysis of DES-likecryptosystems[J]. Journal of CRYPTOLOGY, 1991, 4: 3-72.

[0007] [2]Biham E, Biryukov A, Shamir A. Cryptanalysis of skipjack reduced to 31rounds using impossible differentials[J]. Journal of Cryptology, 2005, 18: 291-311.

[0008] [3]Knudsen L.DEAL-a 128-bit block cipher[J].complexity,1998,258(2):216.

[0009] [4] Kim J, Hong S, Sung J, et al. Impossible differential cryptanalysis for block cipher structures [C] / / Progress in Cryptology-INDOCRYPT 2003: 4thInternational Conference on Cryptology in India, New Delhi, India, December 8-10, 2003. Proceedings 4. Springer Berlin Heidelberg, 2003: 82-96.

[0010] [5]Luo Y,Lai X,Wu Z,et al.Aunified method for finding impossibledifferentials of block cipher structures[J].Information Sciences,2014,263:211-220。

[0011] [6]Sun S,Hu L,Wang P,et al.Automatic security evaluation and(related-key)differential characteristic search:application to SIMON,PRESENT,LBlock,DES(L)and other bit-oriented block ciphers[C] / / Advances in Cryptology-ASIACRYPT 2014:20th International Conference on the Theory and Application ofCryptology and Information Security,Kaoshiung,December 7-11,2014.Proceedings,Part I 20.Springer Berlin Heidelberg,2014:158-178。

[0012] [7]Hu I 26. Springer International Publishing, 2020: 415-445. Summary of the Invention

[0013] The impossible difference distinguisher search method proposed in this invention improves upon the shortcomings of the method in reference [7]. The tool used by Hu et al. requires pre-fixing the input-output difference values ​​when searching for impossible differences, and then judging whether the input-output difference is a valid r-round impossible difference. For a cipher with a block length of n, considering only the case where the Hamming weight of the input-output difference is 1, a total of n solutions are required. 2 If a CVC file has an input and output Hamming weight of 2, then it needs to be solved (C n 2 ) 2 Because it involves multiple files, this method cannot account for all possible input and output scenarios under real-world conditions.

[0014] The purpose of this invention is to propose an impossible differential distinguisher search method based on state value propagation theory and MILP technology. This method characterizes the propagation of bit-level state values ​​and divides the distinguisher into r... a Wheel and r b The two stages of the wheel are used to add constraints to the MILP model regarding the propagation of state values ​​in each wheel, and on the r-th wheel... a New constraints are added at each stage to check for inconsistencies, and the effectiveness of the discriminator is determined by the model's solvability. By partitioning the state propagation patterns of the S-box and generating more efficient inequalities, the model solving speed of the Gurobi solver is improved when searching for impossible difference discriminators.

[0015] The technical solution to achieve the objective of this invention is:

[0016] The impossible-discriminator differential search method based on state value propagation and MILP includes the following steps:

[0017] (1) Establish the difference value constraint conditions:

[0018] Assuming that the impossible difference discriminator has a pair of input state values ​​i0 and i1 and an output pair of state values ​​o0 and o1, in order to directly obtain the searched impossible difference discriminator, it is necessary to establish the constraint conditions between the input difference Δin and the input state values ​​i0 and i1, and the constraint conditions between the output difference Δout and the output state values ​​o0 and o1 in the MILP model.

[0019] (2) State value propagation modeling:

[0020] The entire discriminator is divided into two parts, front and back, which encrypt the input and output state values ​​respectively. a Wheel and Decryption r b The model incorporates the constraints that characterize the cryptographic operations in each round into the MILP model. Cryptographic operations can be divided into linear operations and nonlinear operations. The MILP model mainly characterizes operations such as shift, XOR, and S-box.

[0021] (3) Setting up points of conflict:

[0022] To ensure that the found discriminator is a valid impossible differential discriminator, it is necessary to ensure that there are contradictions in the discriminator; firstly, the input and output state values ​​of the discriminator are encrypted respectively. a Wheel and Decryption r b Then, ensure that at least one contradiction occurs at the corresponding position of the difference value in the intermediate wheel, in other words, ensure that on the r-th wheel... a -1 round output difference and rth round a The input difference of the wheel corresponds to at least one contradiction, and constraints on the contradiction points are added to the model;

[0023] (4) Model solution:

[0024] If you want to obtain as many discriminators as possible that meet the conditions, you do not need to set the objective function. If you want the obtained discriminators to be able to extend for more rounds at both ends of the extension phase, you should set the model objective function to make the Hamming weight of the input-output difference of the discriminator as small as possible. Use the Gurobi solver to solve the MILP model generated by the above method. If the model has a solution, return the specific values ​​of the input difference Δin and the output difference Δout in step (1). The result is the input-output difference of the impossible difference discriminator.

[0025] This invention describes a method for characterizing cryptographic state propagation using MILP technology. Unlike previous models that characterize difference values, the core of this invention's MILP model lies in directly characterizing the internal state of the cryptosystem and using a system of linear inequalities to describe the changes in state values ​​through linear and nonlinear layers. The model divides the r-round impossible difference distinguisher into r... a +r b The two parts of the wheel describe a pair of input states r. a Round encryption and output state r b In the round of decryption, at the rth... a-1 If there is a contradiction between the upper encrypted output difference value A and the lower decrypted output difference value B at the middle position of the output, then the input-output differences Δin and Δout obtained by the solver constitute r. a +r b The impossibility of the wheel.

[0026] The beneficial effects of this invention are:

[0027] (1) Since the state propagation is characterized by bits, the method of the present invention is applicable to both block-based and bit-based cryptography. In addition, the model output includes differential values ​​and state values, and the model has a solution search discriminator, which is convenient to combine with the key recovery process.

[0028] (2) Since the state value input and output of the S-box has far fewer possible patterns than the difference value input and output of the S-box, and the present invention greatly improves the model execution efficiency by dividing possible points into subsets, generating new inequalities, and reducing inequality coefficients. Attached Figure Description

[0029] Figure 1 A flowchart illustrating the state value propagation search impossible differential distinguisher process for the method of this invention;

[0030] Figure 2 The flowchart illustrates the S-box characterization process of the present invention. Detailed Implementation

[0031] The present invention will be further described below with reference to the embodiments and accompanying drawings, but this is not intended to limit the scope of the invention.

[0032] Example

[0033] Based on the state value propagation and MILP-based impossible-discriminator differential search method, refer to Figure 1 It includes the following steps:

[0034] (1) Establish the difference value constraint conditions:

[0035] Assuming that the impossible difference discriminator has a pair of input state values ​​i0 and i1 and an output pair of state values ​​o0 and o1, in order to directly obtain the searched impossible difference discriminator, it is necessary to establish the constraint conditions between the input difference Δin and the input state values ​​i0 and i1, and the constraint conditions between the output difference Δout and the output state values ​​o0 and o1 in the MILP model.

[0036] (2) State value propagation modeling:

[0037] The entire discriminator is divided into two parts, front and back, which encrypt the input and output state values ​​respectively. a Wheel and Decryption r b The model incorporates the constraints that characterize the cryptographic operations in each round into the MILP model. The operations in cryptographic algorithms can be divided into linear operations and nonlinear operations. The operations characterized in the MILP model are mainly shift, XOR, and S-box.

[0038] (3) Setting up points of conflict:

[0039] To ensure that the found discriminator is a valid impossible differential discriminator, it is necessary to ensure that there are contradictions in the discriminator; firstly, the input and output state values ​​of the discriminator are encrypted respectively. a Wheel and Decryption r b Then, ensure that at least one contradiction occurs at the corresponding position of the difference value in the intermediate wheel, in other words, ensure that on the r-th wheel... a -1 round output difference and rth round a The input difference of the wheel corresponds to at least one contradiction, and constraints on the contradiction points are added to the model;

[0040] (4) Model solution:

[0041] If you want to obtain as many discriminators as possible that meet the conditions, you do not need to set the objective function. If you want the obtained discriminators to be able to extend for more rounds at both ends of the extension phase, you should set the model objective function to make the Hamming weight of the input-output difference of the discriminator as small as possible. Use the Gurobi solver to solve the MILP model generated by the above method. If the model has a solution, return the specific values ​​of the input difference Δin and the output difference Δout in step (1). The result is the input-output difference of the impossible difference discriminator.

[0042] This invention directly characterizes the propagation of state values ​​rather than the propagation of difference values ​​when searching for impossible differential distinguishers.

[0043] Furthermore, the constraint relationship between the state values ​​and the difference values ​​in the model established in step (1) is specifically as follows: Let the two input state values ​​of the cryptographic algorithm be i0 and i1, then the input difference is defined as... The relationship between the output difference Δout and the output state values ​​o0 and o1 is similar. Since differential analysis cannot study the relationship between the input and output differences, the constraints of all bits of the input and output differences Δin[0~blocksize-1] and Δout[0~blocksize-1] should be added to the model before characterizing the propagation of state values. Here, blocksize represents the block size of the cipher. The constraints of the XOR operation are shown in step (2.1) below.

[0044] After characterizing the relationship between the input / output difference values ​​and the state values, step (2) is to characterize the propagation of the state values ​​in the cryptographic algorithm. The specific steps are as follows:

[0045] (2.1) First, divide the distinguisher into groups of r with different numbers of rounds. a Wheel and r b The two parts of the wheel, and then the r values ​​of state values ​​i0 and i1 are characterized. a The round encryption process, and the r of state values ​​o0 and o1 b In the round-by-round decryption process, the constraints of the operations in each round are added to the model. The operations in the cryptographic algorithm are divided into linear and non-linear operations. The following section first introduces the characterization method of linear operations.

[0046] Linear operations include shifting and XOR operations. A shifting operation, such as the p-permutation in the PRESENT algorithm, results in the state value remaining the same before and after the shift operation. Therefore, the constraint is:

[0047] s[y]-t[p[y]]=0 (Equation 1);

[0048] Where s and t represent the state values ​​before and after the shift operation, respectively, and p[y] represents the array of shift operations;

[0049] The constraints for characterizing the XOR operation of state values ​​are similar to those for characterizing the XOR operation of difference values. Assume there exists an XOR operation between state values. The corresponding constraints are:

[0050]

[0051] Other linear operations, such as column confusion operations in the SKINNY cryptographic algorithm, can be represented as a combination of XOR and shift operations, so they will not be elaborated here.

[0052] (2.2) The method for characterizing state values ​​using the S-box in the MILP model is as follows, refer to... Figure 2Based on the input and output values ​​of the n-bit S-box, the output values ​​corresponding to all input values ​​are transformed into points of dimension 2n. For example, suppose that when the input of the 4-bit S-box is 1, the output is 10. Then, the point (0,0,0,1,1,0,1,0) is added to the set of possible points S, and the other 15 points (0,0,0,1,0,0,0,0),...,(0,0,0,0,1,1,1,1) are added to the set of impossible points S. * middle;

[0053] The number of linear inequalities in the system of inequalities L is called the size of L. For an S-box larger than 4 bits, the size of the system of inequalities describing the S-box is much larger than the size of the system of inequalities describing linear operations. In order to speed up the execution of the model, optimization is mainly carried out in two aspects: the size and coefficients of the system of linear inequalities L.

[0054] The convex hull method uses a system of linear inequalities to characterize a point set. In a point set S containing a large number of points, there may exist a subset s of n points, such that for all points in set s, there exists a sequence p0,...,p n-1 , making Where d(p) i-1 ,p i ) represents point p i-1 and p i The Hamming distances between points p0,...,p of a subset s are such that the points p0,...,p are... n-1 It can be expressed by a linear inequality l s Characterization involves dividing a large set of points S into several smaller subsets s. i This can effectively reduce the number of inequalities required to characterize S, as shown in the reference. Figure 2 Find several subsets s from S that satisfy the following conditions. i :

[0055] 1) Initialize the point set S = {p0,...,p} n-1}, a set used to hold subsets

[0056] 2) Create a set s0, add p0 to s0, and search the remaining n-1 members of the point set S to check if point p exists. i Satisfying d(p0,p) i If ) = 1, then p that meets the condition will be... i Add to s0 and remove p from S i If point p is found successfully i Then continue searching for the condition in S. point

[0057] 3) Repeat step 2) until no point in S can be found that satisfies the condition. And Join middle;

[0058] 4) Repeat the above steps until all points in S have been moved to l sets s0,...,s l-1 And joined Remove Find members of length 1 (i.e., points for which no corresponding sequence can be found) and return the final result.

[0059] After obtaining the set back, Each point set s i Points in It can be described using only a single linear inequality, thus greatly reducing the amount of description required. The number of inequalities required for all points.

[0060] Reference Figure 2 To depict The system of inequalities is To obtain each subset s i Characterization of inequalities The specific coefficients can be determined using the method of undetermined coefficients. Let the inequality be... Represented as:

[0061]

[0062] To ensure the inequality Perfectly depicts the collection s i All points in , i.e., set s i All points are inequalities A valid solution is found at all impossible points. If the solution is invalid, the following constraints can be added to the MILP model and all coefficients a can be solved. i and b:

[0063]

[0064] Where x i s i All points in the middle, This represents all impossible points.

[0065] The above method can yield a system of inequalities smaller in scale than traditional characterization methods. for Points beyond this need further characterization. When using linear inequalities to characterize point sets, inequalities that eliminate more impossible points are often more efficient. Using efficient inequalities can reduce the number of inequalities required for characterization. (Refer to...) Figure 2 Use SageMath to generate point sets The characterization of the system of inequalities L t To generate more efficient linear inequalities, follow these steps:

[0066] 1) Initialize the system of inequalities L t dot set Generate a set of inequalities

[0067] 2) From L t Choose any two linear inequalities and make Traverse the points in T If satisfied Then the new inequality Join middle;

[0068] 3) Repeat step 2), from L t Choose any two linear inequalities, and iterate through all possible combinations. Combine and return a set.

[0069] Reference Figure 2 The set of primitive inequalities describing the S-box Using MILP Reduction The smallest system of inequalities L is obtained through the following steps:

[0070] 1) For the system of inequalities Each linear inequality uses a binary variable l i Let l represent the inequality, if l i =1 indicates that the inequality will remain in L, otherwise it means that the inequality is discarded;

[0071] 2) For each impossible point turn up The inequalities at that point can be eliminated.

[0072] 3) To ensure that each inequality in the system of inequalities L can be eliminated And |L| takes the minimum value, therefore the constraint is: in This indicates that points can be excluded. All linear inequalities, with the objective function being

[0073] 4) Add the above objective function and constraints to the MILP model and solve it using Gurobi to obtain the system of inequalities L.

[0074] Furthermore, in the MILP model, if the coefficients of the inequalities are smaller, the solver needs to search a smaller possible solution space, resulting in a faster solution speed. Therefore, to accelerate the model's solution speed, it is necessary to obtain an equivalent set of inequalities with smaller coefficients for L. Suppose that inequality l in the system of inequalities L is:

[0075]

[0076] To ensure that the solution set of the inequality remains unchanged after the coefficients are reduced, we use x and x * Let and represent the solution set and complement of the solution set, respectively. Then, the constraint conditions for solving the minimum coefficient MILP model are:

[0077]

[0078] To obtain the inequality l with the minimum coefficients, constraints including the objective function and limiting coefficients are added to the model:

[0079] Minimize M

[0080]

[0081] Furthermore, the setting of contradiction points in step (3) involves setting r... a Wheel and r b After all the constraints of the operations in the round are added to the model, constraints on the points of conflict are added to the model.

[0082] Suppose the input state values ​​i0 and i1 pass through r a After the round is encrypted, it is obtained and The output state values ​​o0 and o1 are processed by r b After decryption, the following is obtained and To ensure that there is a contradiction between them, let's use A and B respectively. and The difference and and The difference value;

[0083] An indicator variable f is introduced to indicate whether there is a contradiction between corresponding bits of A and B. Establish constraints:

[0084]

[0085] Since the existence of even one contradiction in A and B proves that the input-output difference Δin and Δout constitutes a valid impossible difference, the constraint condition for the indicator variable f is:

[0086]

[0087] Impossible differential analysis is mainly divided into two parts: discriminator search and key recovery. The model solution described in step (4) requires an objective function if the goal is to select the best discriminator from as many effective discriminators as possible. However, if the goal is to extend the discriminator to more rounds during the key recovery phase, a smaller Hamming weight for the impossible differential discriminator's input-output difference is needed. Therefore, the objective function of the model is set as follows:

[0088]

[0089] After adding all the above constraints and objective function to the MILP model, the model is solved using the Gurobi solver, and the values ​​of Δin and Δout are returned. The result is the input-output difference of the impossible difference discriminator.

[0090] This invention's search method characterizes the propagation of state values ​​in the encryption process Δin→A and the decryption process Δout→B within a unified MILP model. Furthermore, by incorporating contradictory constraints between A and B into the model, it eliminates the need to pre-fix the input-output difference; the solution model directly yields the discriminator's input-output difference values, thus improving search efficiency. In addition, based on the time consumption patterns of the Gurobi solver when solving models, this invention reduces the number of inequalities required to characterize relatively complex nonlinear layer operations by partitioning the points of the propagation mode and optimizing inequalities. Moreover, it uses algorithms to reduce inequality coefficients, shrinking the solution space required for the solver to search and improving the overall solution speed of the model.

Claims

1. A differential search method for an impossible distinguisher based on state value propagation and MILP, characterized in that, Includes the following steps: (1) Establish the difference value constraint conditions: Assume that the pair of state values ​​input to the impossible differential discriminator are respectively and The output pair of state values ​​are respectively and To directly derive the impossible difference discriminator found through the search, it is necessary to establish an input difference in the MILP model. With input state value The constraints between them, and the establishment of output difference With output status value Constraints between them; (2) State value propagation modeling: The entire discriminator is divided into two parts, front and back, which encrypt the input and output state values ​​respectively. Wheel and Decryption The model incorporates rounds and adds constraints that characterize the cryptographic operations in each round into the MILP model. Operations in cryptographic algorithms can be divided into linear operations and nonlinear operations. The operations described in the MILP model mainly involve shifting, XOR, and S-boxes. (3) Setting up points of conflict: To ensure that the found discriminator is a valid impossible differential discriminator, it is necessary to ensure that there are contradictions in the discriminator; firstly, the input and output state values ​​of the discriminator are encrypted respectively. Wheel and Decryption Then, ensure that at least one contradiction occurs at the corresponding position of the difference value in the intermediate wheel, in other words, ensure that in the th wheel... Output differential of the first round The input difference of the wheel corresponds to at least one inconsistency point, and constraints on the inconsistency point are added to the MILP model; (4) Solving the MILP model: If you want to obtain as many discriminators as possible that meet the conditions, you do not need to set an objective function; if you want the obtained discriminators to be able to extend for more rounds at both ends of the extension phase, you should set the objective function of the MILP model to minimize the Hamming weight of the input-output difference of the discriminator. Use the Gurobi solver to solve the MILP model generated by the above method. If the MILP model has a solution, return to step (1) to input the difference. Output difference The specific value of is obtained as the input-output difference of the impossible differential discriminator.

2. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 1, characterized in that: Step (1) involves establishing the constraint relationship between state values ​​and difference values ​​in the MILP model. Specifically, this means: let the two input state values ​​of the cryptographic algorithm be... and The input difference is defined as follows: Output difference With output status value and The relationship between them is similar. Since differential analysis cannot study the relationship between input and output differences, all bits of the input-output differences should be analyzed before characterizing state value propagation. The constraints are added to the MILP model, where Indicates the block size of the password.

3. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 1, characterized in that: The state value propagation modeling described in step (2) is as follows: (2.1) First, divide the distinguisher into rounds with the following numbers: Wheel and The wheel has two parts, and then the state values ​​are depicted. and of Round encryption process, and state values and of In the round-by-round decryption process, the constraints of the operations in each round are added to the MILP model. The operations in the cryptographic algorithm are divided into linear and non-linear operations. The following section first introduces the characterization method of linear operations. Linear operations include shifting and XOR. When using the p-permutation shift operation in the PRESENT algorithm, the corresponding state values ​​before and after the shift operation are equal. Therefore, the constraint is: (Equation 1); in and These represent the state values ​​before and after the shift operation, respectively. An array representing shift operations; The constraints for characterizing the XOR operation of state values ​​are similar to those for characterizing the XOR operation of difference values. Assume there exists an XOR operation between state values. The corresponding constraint conditions are: (Equation 2); (2.2) The method for characterizing state values ​​using the S-box in the MILP model is as follows: based on... The input and output values ​​of the bit S-box are transformed into a single dimension by converting the output values ​​corresponding to all input values. Given a 4-bit S-box, if the input is 1 and the output is 10, then the point... Add to the set of possible points In, and will also A total of 15 points were added to the impossible point set. middle; system of inequalities The number of linear inequalities in a given context is called the number of linear inequalities in a given context. For S-boxes larger than 4 bits, the size of the system of inequalities describing the S-box is much larger than the size of the system of inequalities describing linear operations. To speed up the execution of the MILP model, optimization is mainly done in two aspects: the system of linear inequalities. Scale and coefficients; The convex hull method uses a system of linear inequalities to characterize a point set, while in a point set containing a large number of points... In, there may be a combination of A subset consisting of points , subset All points in the sequence exist. , making ,in Point and The Hamming distance between them forms such a subset. point It can be expressed by a linear inequality Characterization, which involves taking a large set of points Divide into several smaller subsets This can effectively reduce the amount of detail. The required number of inequalities is determined by the following steps from Find several subsets that satisfy the conditions. : 1) Initialize the point set A set used to hold subsets ; 2) Create a collection ,Will Put in In the search point set The remaining Each member checks if a point exists. satisfy Those that meet the conditions Join From and Remove from If the point is found successfully Then continue searching. China satisfies point ; 3) Repeat step 2) until... No points satisfying the conditions can be found. and will Join middle; 4) Repeat the above steps until... All points in the middle were moved to a set And joined Remove Find members of length 1 and return the final result. .

4. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 3, characterized in that: After obtaining the set back, Each point set Points in It can be described using only a single linear inequality, thus greatly reducing the amount of description required. The number of inequalities required for all points; To depict The system of inequalities is In order to obtain each subset Characterization of inequalities The specific coefficients are determined using the method of undetermined coefficients. Let the inequality be... Represented as: (Equation 3); To ensure the inequality A collection that can be perfectly depicted All points in the set All points are inequalities A valid solution is found at all impossible points. If the solution is invalid, the following constraints can be added to the MILP model and all coefficients can be solved. and : (Equation 4); in express All points in the middle, This represents all impossible points.

5. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 4, characterized in that: for Points beyond the initial point set require further characterization. When using linear inequalities to characterize the point set, inequalities that eliminate more impossible points are often more efficient. Using efficient inequalities can reduce the number of inequalities required for characterization. Sage Math can be used to generate the point set. The system of inequalities To generate more efficient linear inequalities, follow these steps: 1) Initialize the system of inequalities dot set Generate a set of inequalities ; 2) From Choose any two linear inequalities and ,make traversal Points in If satisfied Then the new inequality Join middle; 3) Repeat step 2), from Choose any two linear inequalities, and iterate through all possible combinations. Combine and return a set. The system of primitive inequalities describing the S-box Using MILP reduction This yields the smallest system of inequalities. The specific steps are as follows: 1) For the system of inequalities Each linear inequality uses a binary variable. Let represent the inequality, if This means that the inequality will remain in In the middle, the opposite indicates that the inequality is discarded; 2) For each impossible point ,turn up The inequalities at that point can be eliminated. 3) To ensure the system of inequalities The inequalities in can eliminate each and The minimum value is taken, therefore the constraint is: ,in This indicates that points can be excluded. All linear inequalities, with the objective function being ; 4) Add the above objective function and constraints to the MILP model and solve it using Gurobi to obtain the system of inequalities. .

6. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 5, characterized in that: In MILP models, smaller inequality coefficients mean a smaller solution space that the solver needs to search, resulting in faster solution speed. Therefore, to accelerate the solution speed of MILP models, it is necessary to obtain... A system of equivalent inequalities with smaller coefficients ; Assume a system of inequalities Inequality for: (Equation 5); To ensure that the solution set of the inequality remains unchanged after the coefficients are reduced, we use and They represent Given the solution set and its complement, the constraint conditions for solving the minimum coefficient MILP model are: (Formula 6); In order to obtain the inequality with the smallest coefficient Add constraints, including the objective function and constraint coefficients, to the MILP model: (Equation 7).

7. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 1, characterized in that: Step (3) describes setting the point of conflict, in which... Wheel and After all the constraints of the operations in the round are added to the MILP model, then the constraints of the contradiction points are added to the MILP model. Let the input state value be... and go through After the round is encrypted, it is obtained and Output status value and go through After decryption, the following is obtained and To ensure that there are points of contradiction among them, use respectively and express and The difference and and The difference value; Introducing indicator variables express and Are there any contradictions between the corresponding bits? Establish constraints: (Equation 8); Because in and If there is even one contradiction, then the input-output difference can be proven. and The two variables form an effective impossible difference, therefore the indicator variable The constraints are: (Equation 9).

8. The differential search method for an impossible distinguisher based on state value propagation and MILP according to claim 1, characterized in that: In solving the MILP model in step (4), if the goal is to select the best from as many effective discriminators as possible, then no objective function is needed. However, if a smaller differential Hamming weight is required to extend the discriminator to more rounds during the key recovery phase, then the objective function of the MILP model is set as follows: (Equation 10); After adding all constraints and the objective function to the MILP model, the Gurobi solver is used to solve the MILP model and returns the solution. and The value of is obtained as the input-output difference of the impossible differential discriminator.