Differential and Linear Cryptanalysis using

Mixed-Integer Linear Programming⋆

Nicky Mouha1,2,⋆⋆ , Qingju Wang1,2,3 , Dawu Gu3 , and Bart Preneel1,2

1
Department of Electrical Engineering ESAT/SCD-COSIC,
Katholieke Universiteit Leuven. Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium.
2
Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium.
3
Department of Computer Science and Engineering, Shanghai Jiao Tong University,
Shanghai, China.
{Nicky.Mouha,Qingju.Wang}@esat.kuleuven.be

Abstract. Differential and linear cryptanalysis are two of the most pow-
erful techniques to analyze symmetric-key primitives. For modern ci-
phers, resistance against these attacks is therefore a mandatory design
criterion. In this paper, we propose a novel technique to prove security
bounds against both differential and linear cryptanalysis. We use mixed-
integer linear programming (MILP), a method that is frequently used in
business and economics to solve optimization problems. Our technique
significantly reduces the workload of designers and cryptanalysts, be-
cause it only involves writing out simple equations that are input into
an MILP solver. As very little programming is required, both the time
spent on cryptanalysis and the possibility of human errors are greatly
reduced. Our method is used to analyze Enocoro-128v2, a stream cipher
that consists of 96 rounds. We prove that 38 rounds are sufficient for secu-
rity against differential cryptanalysis, and 61 rounds for security against
linear cryptanalysis. We also illustrate our technique by calculating the
number of active S-boxes for AES.
Keywords: Differential cryptanalysis, Linear Cryptanalysis, Mixed-Integer
Linear Programming, MILP, Enocoro, AES, CPLEX

1 Introduction
Differential cryptanalysis [1] and linear cryptanalysis [22] have shown to be two
of the most important techniques in the analysis of symmetric-key cryptographic
primitives. For block ciphers, differential cryptanalysis analyzes how input differ-
ences in the plaintext lead to output differences in the ciphertext. Linear crypt-
analysis studies probabilistic linear relations between plaintext, ciphertext and
⋆
This work was supported in part by the Research Council K.U.Leuven: GOA
TENSE, the IAP Program P6/26 BCRYPT of the Belgian State (Belgian Science
Policy), and in part by the European Commission through the ICT program un-
der contract ICT-2007-216676 ECRYPT II, and is funded by the National Natural
Science Foundation of China (No. 61073150).
⋆⋆
This author is funded by a research grant of the Institute for the Promotion of
Innovation through Science and Technology in Flanders (IWT-Vlaanderen).
key. If a cipher behaves differently from a random cipher for differential or linear
cryptanalysis, this can be used to build a distinguisher or even a key-recovery
attack.
For stream ciphers, differential cryptanalysis can be used in the context of a
resynchronization attack [13]. In one possible setting, the same data is encrypted
several times with the same key, but using a different initial value (IV). This
is referred to as the standard (non-related-key) model, where the IV value is
assumed to be under control of the attacker. An even stronger attack model
is the related-key setting, where the same data is encrypted with different IVs
and different keys. Not only the IV values, but also the differences between the
keys are assumed to be under control of the attacker. Similar to differential
cryptanalysis, linear cryptanalysis can also be used to attack stream ciphers in
both the standard and related-key model. In the case of stream ciphers, linear
cryptanalysis amounts to a known-IV attack instead of a chosen-IV attack.
Resistance against linear and differential cryptanalysis is a standard design
criterion for new ciphers. For the block cipher AES [15], provable security against
linear and differential cryptanalysis follows from the wide trail design strat-
egy [14]. In this work, we apply a similar strategy. After proving a lower bound
on the number of active S-boxes for both differential and linear cryptanalysis,
we use the maximum differential probability (MDP) of the S-boxes to derive an
upper bound for the probability of the best characteristic. We assume (as is com-
monly done) that the probability of the differential can accurately be estimated
by the probability of the best characteristic. Several works focus on calculat-
ing the minimum number of active S-boxes for both Substitution-Permutation
Networks (SPNs) [14] and (Generalized) Feistel Structures (GFSs) [5, 6, 19, 27].
Unfortunately, it seems that a lot of time and effort in programming is required to
apply those techniques. This may explain why many related constructions have
not yet been thoroughly analyzed. In this paper, we introduce a novel technique
using mixed-integer linear programming in order to overcome these problems.
Linear programming (LP) is the study of optimizing (minimizing or maximiz-
ing) a linear objective function f (x1 , x2 , . . . , xn ), subject to linear inequalities
involving decision variables xi , 1 ≤ i ≤ n. For many such optimization problems,
it is necessary to restrict certain decision variables to integer values, i.e. for some
values of i, we require xi ∈ Z. Methods to formulate and solve such programs
are called mixed-integer linear programming (MILP). If all decision variables xi
must be integer, the term (pure) integer linear programming (ILP) is used. MILP
techniques have found many practical applications in the fields of economy and
business, but their application in cryptography has so far been limited. For a
good introductory level text on LP and (M)ILP, we refer to Schrage [26].
In [7], Borghoff et al. transformed the quadratic equations describing the
stream cipher Bivium into a MILP problem. The commercial solver package
CPLEX [17] was then used to solve the resulting MILP problem, which cor-
responds to recovering the internal state of Bivium. In the case of Bivium A,
solving this MILP problem takes less than 4.5 hours, which is faster than Rad-
dum’s approach (about a day) [25], but much slower than using MiniSAT (21
seconds) [9].
For the hash function SIMD, Bouillaguet et al. [8] used an ILP solver to find
a differential characteristic based on local collisions. Using the SYMPHONY
solver [10], they could not find the optimal solution, but found lower bounds for
both SIMD-256 and SIMD-512. The computation for SIMD-512 took one month
on a dual quad-core computer.
In [5, 6], Bogdanov calculated the minimum number of linearly and differ-
entially active S-boxes of unbalanced Feistel networks with contracting MDS
diffusion. He proved that some truncated difference weight distributions are im-
possible or equivalent to others. For the remaining truncated difference weight
distributions, he constructed an MILP program which he then solved using the
MAGMA [11] Computational Algebra System [4]. Compared to Bogdanov’s tech-
nique, the fully automated method in this paper is much simpler to apply: Bog-
danov’s approach requires a significant amount of manual work, and the con-
struction of not one but several ILP programs. We will show how this can be
avoided by introducing extra dummy variables into the MILP program.
We apply our technique to the stream cipher Enocoro-128v2 [29, 30], in or-
der to obtain bounds against differential and linear cryptanalysis. We consider
both the standard and related-key model. All MILP programs are solved us-
ing the IBM ILOG CPLEX Optimizer [17]. There are 96 initialization rounds in
Enocoro-128v2. We prove that 38 rounds are sufficient for security against differ-
ential cryptanalysis, and 61 rounds against linear cryptanalysis. These security
bounds are obtained after 52.68 and 228.94 seconds respectively. We also calcu-
late the minimum number of active S-boxes for up to 14 rounds of AES, which
takes at most 0.40 seconds for each optimization program. Our experiments are
performed on a 24-core Intel Xeon X5670 Processor, with 16 GB of RAM.
This paper is organized as follows. Sect. 2 explains how to find the minimum
number of active S-boxes for a cryptographic primitive by solving an MILP
program. A brief description of Enocoro-128v2 is given in Sect. 3. In Sect. 4
and Sect. 5, we construct an MILP program to prove that Enocoro-128v2 is
secure against differential cryptanalysis and linear cryptanalysis respectively.
We provide some ideas for future work in Sect. 6, and conclude the paper in
Sect. 7. In App. A, we calculate the minimum number of active S-boxes for AES
using our technique, and provide the full source code of our program.

2 Constructing an MILP Program to Calculate the

Minimum Number of Active S-boxes

We now explain a technique to easily prove the security of many ciphers against
differential and linear cryptanalysis. Our method is based on counting the mini-
mum number of active S-boxes. To illustrate our technique, we use Enocoro-128v2
and AES as test cases in this paper. The equations we describe are not specific
to these ciphers, but can easily be applied to any cipher constructed using S-
box operations, linear permutation layers, three-forked branches and/or XOR
operations.

2.1 Differential Cryptanalysis

We consider truncated differences, that is, every byte in our analysis can have
either a zero or a non-zero difference. More formally, we define the following
difference vector:

Definition 1 Consider a string ∆ consisting of n bytes ∆ = (∆0 , ∆1 , . . . , ∆n−1 ).

Then, the difference vector x = (x0 , x1 , . . . , xn−1 ) corresponding to ∆ is defined
as (
0 if ∆i = 0 ,
xi =
1 otherwise .

Equations Describing the XOR Operation. Let the input difference vector
for the XOR operation be (x⊕ ⊕
in1 , xin2 ) and the corresponding output difference
⊕
vector be xout . The differential branch number is defined as the minimum number
of input and output bytes that contain differences, excluding the case where there
are no differences in inputs nor outputs. For XOR, the differential branch number
is 2. In order to express this branch number in equations, we need to introduce a
new binary dummy variable d⊕ .4 If and only if all of the three variables x⊕ ⊕
in1 ,xin2
and x⊕ ⊕
out are zero, d is zero, otherwise it should be one. Therefore we obtain the
following linear equations (in binary variables) to describe the relation between
the input and output difference vectors:

x⊕ ⊕ ⊕
in1 + xin2 + xout ≥ 2d
⊕
,
d⊕ ≥ x⊕
in1 ,
d⊕ ≥ x⊕
in2 ,
d⊕ ≥ x⊕
out .

Equations Describing the Linear Transformation. The equations for a

linear transformation L can be described as follows. Assume L transforms the
input difference vector (xL L L
in1 , xin2 , · · · , xinM ) to the output difference vector
(xL L L
out1 , xout2 , · · · , xoutM ). Given the differential branch number BD , a binary
dummy variable dL is again needed to describe the relation between the in-
put and output difference vectors. The variable dL is equal to 0 if all variables
xL L L L L L
in1 , xin2 , · · · , xinM , xout1 , xout2 , · · · , xoutM are 0, and 1 otherwise. Therefore

4
Note that this extra variable was not added in [5, 6], which is why Bogdanov had to
solve several ILP programs instead of only one.
the linear transformation L can be constrained by the following linear equa-
tions:

xL L L L L L
in1 + xin2 + · · · + xinM + xout1 + xout2 + · · · + xoutM ≥ BD d
L
,
dL ≥ xL
in1 ,

dL ≥ xL
in2 ,
······
dL ≥ xL
inM ,

dL ≥ xL
out1 ,

dL ≥ xL
out2 ,
······
dL ≥ xL
outM .

The Objective Function. The objective function that has to be minimized, is

the number of active S-boxes. This function is equal to the sum of all variables
that correspond to the S-box inputs.

Additional Constraints. An extra linear equation is added to ensure that

at least one S-box is active: this avoids the trivial solution where the mini-
mum active S-boxes is zero. If all d-variables and all x-variables are restricted
to be binary, the resulting program is a pure ILP (Integer Linear Programming)
problem. If all d-variables are restricted to be binary, but only the x-variables
corresponding to the input (plaintext), the equations ensure that the optimal so-
lution for all other x-variables will be binary as well. This is similar to Borghoff’s
suggestion in [7], and results in an MILP (Mixed-Integer Linear Programming)
problem that may be solved faster.

2.2 Linear Cryptanalysis

For linear cryptanalysis, we define a linear mask vector as follows:

Definition 2 Given a set of linear masks Γ = (Γ0 , Γ1 , . . . , Γn−1 ), the linear

mask vector y = (y0 , y1 , . . . , yn−1 ) corresponding to Γ is defined as
(
0 if Γi = 0 ,
yi =
1 otherwise .

The duality between differential and linear cryptanalysis was already pointed
out by Matsui [23]. The equations describing a linear function are the same as
in the case for differential cryptanalysis, however the differential branch number
BD is replaced by the linear branch number BL . The linear branch number is
the minimum number of non-zero linear masks for the input and output of a
function, excluding the all-zero case. No extra equations are introduced for the
XOR operations, because the input and output linear masks are the same.
For a three-forked branch, we proceed as follows. Let the input linear mask
⊢
vector for the three-forked branch be yin , and the corresponding output lin-
ear mask vector be (yout1 , yout2 ). We introduce a binary dummy variable l⊢ to
⊢ ⊢

generate the following linear equations for the three-forked branch:

⊢ ⊢ ⊢
yin + yout1
+ yout2
≥ 2l⊢ ,
l⊢ ≥ yin
⊢
,
l⊢ ≥ yout
⊢
1
,
l⊢ ≥ yout
⊢
2
.

3 Description of Enocoro-128v2
The first Enocoro specification was given in [28]. Enocoro is a stream cipher,
inspired by the Panama construction [12]. Two versions of Enocoro were speci-
fied: Enocoro-80v1 with a key size of 80 bits, and Enocoro-128v1 with a key size
of 128 bits. Later, a new version for the 128-bit key size appeared in [18]. It is re-
ferred to as Enocoro-128v1.1. We now give a short description of Enocoro-128v2.
For more details, we refer to the design document [29, 30].

Internal state. The internal state of Enocoro-128v2 is composed of a buffer

b consisting of 32 bytes (b0 , b1 , . . . , b31 ) and a state a consisting of two bytes
(a0 , a1 ). The initial state is loaded with a 128-bit key K and a 64-bit IV I as
follows:
(−96)
bi = Ki , 0 ≤ i < 16 ,
(−96)
bi+16 = Ii , 0≤i<8 .
All other internal state bytes are loaded with predefined constants.

Update Function. The update function N ext uses functions ρ and λ to update
the internal state as follows:
(a(t+1) , b(t+1) ) = N ext(S (t) ) = (ρ(a(t) , b(t) ), λ(a(t) , b(t) )) .

An schematic overview of this function is given in Fig. 1.

Function ρ. The function ρ updates the state a. It consists of an 8-bit S-box

operation, a linear transformation L and XORs. The transformation L is defined
as a linear transformation with a 2-by-2 matrix over GF(28 ):
    
v0 11 u0
= L(u0 , u1 ) = , d ∈ GF(28 ) ,
v1 1d u1
 (t) (t) (t) (t)
where d = 0x02, u0 = a0 ⊕ S[b2 ] and u1 = a1 ⊕ S[b7 ]. The updated state
(t+1) (t+1)
(a0 , a1 ) is then calculated as follows:

(t+1) (t)
a0 = v0 ⊕ S[b16 ] ,
(t+1) (t)
a1 = v1 ⊕ S[b29 ] .

Function λ. The λ function of Enocoro-128v2 consists of XOR operations and

a byte-wise rotation of the buffer b. It is defined as follows:
 (t) (t)

 b31 ⊕ a0 , if i = 0 ,
(t) (t)

b2 ⊕ b6 , if i = 3 ,



(t+1)
bi = b7 ⊕ b(t)
(t)
15 , if i = 8 ,
(t) (t)

b ⊕ b , if i = 17 ,



 16 28
 (t)

bi−1 otherwise .

Output function Out. After 96 initialization rounds, the Enocoro-128v2 out-

put function outputs the lower byte of the state.
(t)
Out(S (t) ) = a1 .

0 2 6 7 15 16 28 29 31 0 1

S
S

S
S

0 3 7 8 16 17 29 30 31 0 1

Fig. 1. State Update during the Initialization of Enocoro-128v2. Indices of buffer (on
the left) refer to b-variables, indices of the state (on the right) refer to a-variables.

Several results [16, 20, 21, 24, 30] on differential and linear cryptanalysis have
already been published for different versions of Enocoro. In this paper, we con-
sider the most recent version Enocoro-128v2 [29, 30] as an example to illustrate
our technique. Watanabe et al. already showed that at least 2177.8 chosen IVs
are required for a differential attack on Enocoro-128v2 [30]. For a linear attack,
Konosu et al. [21] showed that 2216 known IVs are required for an attack on the
64-round variant Enocoro-128v1.1. Although these results are already sufficient
to prove the security of Enocoro-128v2 against linear and differential cryptanal-
ysis, we explain in this paper how to prove the security against these attacks in
a much easier way.

4 Differential Cryptanalysis of Enocoro-128v2

Our technique is now used to find the minimum number of active S-boxes
for the stream cipher Enocoro-128v2. We will consider an idealized variant of
Enocoro-128v2, for which the minimum number of active S-boxes is a lower
bound for the real Enocoro-128v2. In this idealized variant of Enocoro-128v2,
the S-boxes can map any non-zero input difference to any non-zero output dif-
ference. The same holds for the L-function, with the restriction that the branch
number is 3.
For this idealized variant of Enocoro-128v2, we have written a program to
calculate the minimum number of active S-boxes. We present our problem as
a mixed-integer linear programming (MILP) problem, and use CPLEX [17] to
solve it. The solution corresponds to the minimum number of differentially active
S-boxes for Enocoro-128v2. It is used to prove the security of the cipher against
differential cryptanalysis, using a similar proof as for the block cipher AES [14,
15]. Note that an actual characteristic with the given number of active S-boxes
may or may not exist, depending on the specific S-box and L-function that is
used. This is not a concern for us, as our goal is to prove a security bound against
differential cryptanalysis.

4.1 Constructing the MILP Program

Enocoro-128v2 has eight XOR operations and one linear transformation L in

each round. We represent the differential behavior of each of these operations
by a set of linear equations, as described in Sect. 2. Let us take the first round
of Enocoro-128v2 as an example. The initial difference vector in the buffer and
states is represented by the binary variables (x0 , x1 , . . . , x31 ) and (x32 , x33 ) re-
spectively. Let us consider the XOR operation which has the rightmost byte
of buffer b, i.e. b31 , and state byte a0 as inputs. These correspond to binary
variables x31 and x32 respectively, the input difference vector for this XOR op-
eration. From the update function, we can obtain the corresponding value of
the leftmost byte of buffer b, i.e. b0 , after the first round. Let the corresponding
output difference vector be x34 , which is the first new binary variable that we
introduce. After introducing a binary dummy variable d0 , this XOR operation
can be described by the equations:
x31 + x32 + x34 ≥ 2d0 ,
d0 ≥ x31 ,
d0 ≥ x32 ,
d0 ≥ x34 .
We now consider the second XOR operation, for which buffer b2 (input to
the first S-box) and the state a0 are the inputs. Because the S-box is bijective,
it is not only the case that the zero input difference results in a zero output
difference, but also that a non-zero input difference results in a non-zero output
difference. We find that (x2 , x32 ) is the difference vector of the second XOR
operation. The second new variable, x35 , will be the output difference vector for
this second XOR operation. Similarly, for the third XOR operation, the input
difference vector is (x7 , x33 ) (corresponding to (b7 , a1 )), and the output difference
vector is x36 . Given two binary dummy variables d1 and d2 for the second and
third XOR operation respectively, we again obtain four linear equations for every
XOR operation.
From the structure of the linear transformation of Enocoro-128v2, we know
that (x35 , x36 ) is the input difference vector for the linear transformation L in
the first round. By introducing a new binary variable d3 , the relations between
the output difference vector (x37 , x38 ) and the input difference vector (x35 , x36 )
are easily described by the following equations:
x35 + x36 + x37 + x38 ≥ 3d3 ,
d3 ≥ x35 ,
d3 ≥ x36 ,
d3 ≥ x37 ,
d3 ≥ x38 .
The other five XORs in the first round are represented in a similar way. The
new variables x39 , x40 , x41 , x42 and x43 are shown in Fig. 2. These equations
result in the binary dummy variables d4 , d5 , d6 , d7 , d8 . For all the eight XORs
and one linear transformation L, ten new binary variables x34 , x35 , . . . , x43 and
nine binary dummy variables d0 , d1 , . . . , d8 are required. Therefore, a system of
4 · 8 + 5 · 1 = 37 equations is obtained to describe all the nine operations in the
first round (and also every subsequent round) of Enocoro-128v2. The detailed
input and output vectors for all the nine operations are shown in Fig. 2.
After one round the difference vector for buffer and state will be
(x34 , x0 , x1 , x41 , x3 , . . . , x6 , x42 , x8 , . . . , x15 , x43 , x17 , . . . , x30 )

and (x39 , x40 ) respectively. All binary xi -variables obtained for the first round
are illustrated in Fig. 3. Therefore, using this technique we can represent the
differential update of Enocoro-128v2 for any round with a system of linear equa-
tions.
 x31 x32 x33 x35 x36

? ? ? ? ?
h x32 x2 - h x7 - h L

? ? ? ? ?
x34 x35 x36 x37 x38

x37 x38 x2 x7 x16

? ? ? ? ?
x16 - h x29 - h  x6
h h
 x15 h
 x28

? ? ? ? ?
x39 x40 x41 x42 x43

Fig. 2. Difference Vectors for Nine Operations in the First Round

0 1 2 6 7 15 16 28 29 31 32 33

S
S
35 36
34 L
37 38
S
S

34 0 1 41 3 6 42 8 15 43 17 28 29 30 39 40

Fig. 3. Differential State Update during the Initialization of Enocoro-128v2. The in-
dices refer to x-variables.

4.2 The Minimum Number of Active S-boxes for Differential

Cryptanalysis

We now focus on the variables that represent the S-box inputs in every round.
Note that x2 , x7 , x16 , and x29 correspond to the input differences of the S-
boxes, and therefore determine if the S-box is active or not. Let Di include the
four indices of variables that represent the four S-box inputs in the i-th round
(1 ≤ i ≤ 96). The 96 sets include the indices for variables that represent the four
S-box inputs in each round. They can easily be obtained from Sect. 4.1, and are
as follows:

D1 = {2, 7, 16, 29} ,

D2 = {1, 6, 15, 28} ,
D3 = {0, 5, 14, 27} ,
D4 = {34, 4, 13, 26} ,
D5 = {44, 3, 12, 25} ,
..
.
D96 = {954, 941, 902, 863} .

Let kN be the number of active S-boxes for N rounds of Enocoro-128v2. If

[
IN = Di ,
1≤i≤N

then X
kN = xi
i∈IN

will be the number of active S-boxes in N rounds of Enocoro-128v2. To avoid

the trivial case where no S-boxes are active, we add an extra linear constraint
to specify
P that least one S-box is active. If we can minimize the linear function
kN = i∈IN xi , it will give us the minimum number of active S-boxes for N
rounds of Enocoro-128v2. This will provide a security bound for Enocoro-128v2
P
against differential cryptanalysis. The objective function kN = i∈IN xi is a
linear function, constrained by a system of 37N linear equations. If all variables
must be binary variables, this corresponds to an ILP program.
It is easy to verify that the maximum differential probability for the 8-bit
S-box of Enocoro-128v2 is 2−4.678 . As the IV is limited to 64 bits, there are at
most 264 IV pairs for any given difference (if the key is fixed). Because there
exists a generic attack with a data complexity of 264 IV s (obtaining the entire
codebook under one key), attacks requiring 264 IV s or more should not be
feasible. Therefore, we do not consider attacks using more than 264 IV s, even
in the related-key setting. If the number of active S-boxes in the initialization
rounds is at least 14 > 64/4.678, we consider the cipher to be resistant against
differential cryptanalysis. Because we allow differences in both the key and the
IV, our results hold both in the single-key and in the related-key setting. We
note that typically, differential and linear cryptanalysis are used to attack a few
more rounds than the number of rounds of the characteristic. The cipher must
also be resistant against other types of attacks and add extra rounds to provide
a security margin. For these reasons, more rounds should be used than suggested
by our analysis.
In order to optimize the MILP program, we use CPLEX. The experiments are
implemented on a 24-core Intel Xeon X5670 @ 2.93 GHz, with 16 GB of RAM.
Because this computer is shared with other users, execution times may be longer
than necessary, which is why we do not give timing information for all problem
instances. We found that it takes about 52.68 seconds to show that the minimum
number of active S-boxes for 38 rounds of Enocoro-128v2 is 14. Therefore, 38
rounds of Enocoro-128v2 or more are secure against differential cryptanalysis.
The minimum number of active S-boxes for each round of Enocoro-128v2 are
listed in Table 1.
We would like to point out to the reader, that the seemingly complex book-
keeping of variable indices should not be a concern for the cryptanalyst who
wishes to use this technique. The MILP linear equations can be generated by a
small computer program. This program keeps track of the next unused x- and
d-variables. It is then easy to replace every XOR and L function operation in
the reference implementation of the cipher by a function to generate the corre-
sponding equations, and every S-box application by a function that constructs
the objective function. For a typical cipher, this should not require more than
half an hour of work for a minimally experienced programmer.
If all d-variables are restricted to binary variables, as well as variables x0 up
to x33 , the equations ensure that the optimal solution for all other xi -variables
will be binary as well. Therefore, similar to Borghoff’s suggestion in [7], we
might solve an MILP program where only the d-variables and x0 up to x33
are binary variables, instead of a pure ILP program. We find that Borghoff’s
observation can give dramatic speed-ups in some cases: for 72 rounds, it takes
5,808.15 seconds using an MILP, compared 342,747.78 seconds using a pure ILP.
However, our MILP program for 38 rounds takes longer: 75.68 seconds instead
of 52.68 seconds. Explaining this phenomenon seems to be a useful direction for
future work.

5 Linear Cryptanalysis of Enocoro-128v2

We will use our technique to analyze an ideal variant of Enocoro-128v2 for linear
cryptanalysis. Similarly as for differential cryptanalysis, the real Enocoro-128v2
will have at least as many linearly active S-boxes as the idealized one, and
therefore can be used to prove a security bound.

5.1 Constructing the MILP Program

We now illustrate our technique by presenting the equations for the first round of
the stream cipher Enocoro-128v2 for linear cryptanalysis. For the initial state,
let the linear mask vector for the buffer be (y0 , y1 , . . . , y31 ), and for the state
be (y32 , y33 ). Consider the three-forked branch, which has the state byte a0
as the input linear mask and buffer byte b31 as one output linear mask. We
obtain the first new binary variable y34 as the other output vector. The input
and output linear mask vector for this three-forked branch are then y32 and
(y31 , y34 ) respectively. By introducing the binary dummy variable l0 , the four
Table 1. Minimum Number of Differentially Active S-boxes min(kN ) for N rounds of
Enocoro-128v2

N min(kN ) N min(kN ) N min(kN ) N min(kN ) N min(kN )

1 0 21 2 41 16 61 25 81 39
2 0 22 3 42 17 62 26 82 39
3 0 23 3 43 18 63 27 83 40
4 0 24 3 44 18 64 27 84 40
5 0 25 4 45 18 65 28 85 40
6 0 26 5 46 19 66 29 86 41
7 0 27 7 47 20 67 30 87 42
8 0 28 8 48 20 68 30 88 43
9 0 29 8 49 21 69 30 89 43
10 0 30 8 50 22 70 31 90 44
11 0 31 8 51 22 71 32 91 44
12 0 32 9 52 22 72 34 92 45
13 1 33 9 53 22 73 35 93 45
14 1 34 10 54 22 74 35 94 46
15 1 35 11 55 22 75 36 95 47
16 1 36 12 56 22 76 37 96 47
17 1 37 13 57 23 77 37
18 1 38 14 58 23 78 38
19 1 39 15 59 24 79 38
20 2 40 15 60 24 80 38

equations describing the three-forked branch can be described as follows:

y31 + y32 + y34 ≥ 2l0 ,

l0 ≥ y31 ,
l0 ≥ y32 ,
l0 ≥ y34 .

For the XOR operation, the two inputs and the output all have the same
linear mask. The bijectiveness of the S-box implies the linear mask at the output
will be non-zero if and only if the input mask is non-zero. Therefore, the linear
transformation L has an input linear mask vector of (y34 , y33 ), and an output
linear mask vector of (y35 , y36 ). Using a new binary dummy variable l1 , the
equations describing the L transformation are:

y34 + y33 + y35 + y36 ≥ 3l1 ,

l1 ≥ y34 ,
l1 ≥ y33 ,
l1 ≥ y35 ,
l1 ≥ y36 .
 y32 y34 y33 y2 y6
? ?
y31  L - y34 y37 
? ? ? ? ?
y34 y35 y36 y37 y38

y7 y15 y16 y28 y29

- y33 y39  - y35 y41  - y36

? ? ? ? ?
y39 y40 y41 y42 y43

Fig. 4. Linear Mask Vectors for Nine Operations in the First Round

0 2 6 7 8 14 15 16 17 27 28 29 31 32 33

31
34
S
S
34 33
L
35 36
S
S

31 0 1 37 3 5 38 39 8 14 40 41 17 27 42 43 30 35 36

Fig. 5. Linear Masks Vectors Update during the Initialization of Enocoro-128v2. The
indices refer to y-variables.

As an Enocoro-128v2 round contains eight three-forked branch operations and

one linear transformation L, ten new binary variables y34 , y35 , . . . , y43 , as well as
nine binary dummy variables l0 , l1 , . . . , l8 are introduced. Therefore, 4 · 8 + 5 · 1 =
37 equations are required to describe the propagation of linear masks for the
first round (as well as any subsequent round) of Enocoro-128v2. The input and
output linear mask vectors for all nine operations in the first round are shown
in Fig. 4. The linear mask vector for the buffer and state after one round are

(y31 , y0 , y1 , y37 , y3 , · · · , y5 , y38 , y39 , y8 , · · · , y14 , y40 , y41 , y17 , · · · , y27 , y42 , y43 , y30 )

and (y35 , y36 ) respectively. They are shown in Fig. 5.

5.2 The Minimum Number of Active S-boxes for Linear
Cryptanalysis
Using the technique in the previous section, we can represent any number of
rounds of Enocoro-128v2. We now explain how to calculate the number of active
S-boxes. Let Li include all indices of the four variables representing the input
linear mask vector of S-boxes in the i-th round (1 ≤ i ≤ 96). We then obtain
the following 96 sets:

L1 = {34, 33, 35, 36} ,

L2 = {44, 36, 45, 46} ,
L3 = {54, 46, 55, 56} ,
L4 = {64, 56, 65, 66} ,
L5 = {74, 66, 75, 76} ,
..
.
L96 = {984, 976, 985, 986} .

Let mN be the number of active S-boxes for N rounds of Enocoro-128v2. If

[
JN = Lj ,
1≤j≤N

then X
mN = yj
j∈JN

will be the number of active S-boxes for N rounds of Enocoro-128v2. By min-

imizing the linear objective function mN , we obtain the minimum number of
linearly active S-boxes for N rounds of Enocoro-128v2.
The maximum linear probability (MLP) of the 8-bit S-box of Enocoro-128v2
is 2−3 . For the same reasons as for differential cryptanalysis, we limit the number
of IV s to 264 . Assuming the number of active S-boxes is a, from Matsui’s Piling-
Up Lemma [22], we know the bias ε is 2a−1 · (2−3 )a . From the limit on the
number of IV s, we find that resistance against linear cryptanalysis requires:
1 1
= a−1 > 264 .
ε2 (2 · (2−3 )a )2
This inequality is satisfied for a > 15.5. Therefore, if the number of linearly
active S-boxes is at least 16, Enocoro-128v2 can be considered to be resistant
against linear cryptanalysis (in both the single-key and related-key setting).
If we solve the resulting MILP problem using CPLEX, we find that the min-
imum number of active S-boxes is 18 for 61 rounds of Enocoro-128v2. This result
was obtained after 227.38 seconds. Therefore, we can conclude that Enocoro-128v2
with 96 initialization rounds is secure against linear cryptanalysis (in both the
single-key and related-key setting). The minimum number of active S-boxes for
Enocoro-128v2 are listed in Table 2.
Table 2. Minimum Number of Linearly Active S-boxes min(mN ) for Enocoro-128v2

N min(mN ) N min(mN ) N min(mN ) N min(mN ) N min(mN )

1 0 21 0 41 6 61 18 81 24
2 0 22 0 42 9 62 18 82 27
3 0 23 0 43 9 63 18 83 27
4 0 24 0 44 9 64 18 84 27
5 0 25 0 45 12 65 18 85 27
6 0 26 0 46 12 66 18 86 27
7 0 27 0 47 12 67 18 87 27
8 0 28 0 48 12 68 21 88 27
9 0 29 0 49 12 69 21 89 27
10 0 30 0 50 12 70 21 90 27
11 0 31 0 51 12 71 21 91 27
12 0 32 0 52 15 72 21 92 27
13 0 33 3 53 15 73 21 93 30
14 0 34 6 54 15 74 21 94 30
15 0 35 6 55 15 75 21 95 33
16 0 36 6 56 15 76 24 96 33
17 0 37 6 57 15 77 24
18 0 38 6 58 15 78 24
19 0 39 6 59 15 79 24
20 0 40 6 60 15 80 24

6 Future Work

It is interesting to investigate how the internal parameters of CPLEX can be

fine-tuned to calculate bounds against linear and differential cryptanalysis in
the fastest possible time. If there are symmetries in the round function, these
may be used to speed up the search as well. Similarly, the attacker may improve
a given (suboptimal) lower bound for a particular cipher by clocking the round
functions forward or backward in order to obtain a lower number of S-boxes. To
obtain a rough lower bound for a large number of rounds, the “split approach”
(see for example [3]) may be used. For example, if r rounds of a cipher contain
at least a active S-boxes, then kr rounds of a cipher must contain at least ka
active S-boxes. It is useful to explore how these observations can be applied when
CPLEX takes a very long time to execute. Otherwise, the shorter solving time
does not compensate for the additional time to construct the program.
The technique in this paper is quite general, and may also be used for trun-
cated differentials, higher-order differentials, impossible differentials, saturation
attacks,... It can also be applied to all ciphers constructed using S-box opera-
tions, linear permutation layers, three-forked branches and/or XOR operations.
We leave the exploration of these topics to future work as well.
7 Conclusion
In this paper, we introduced a simple technique to calculate the security of many
ciphers against linear and differential cryptanalysis. The only requirement is that
the cipher is composed of a combination of S-box operations, linear permutation
layers and/or XOR operations. Our technique involves writing a simple program
to generate a mixed-integer linear programming (MILP) problem. The objective
function of the MILP program is the number of linearly or differentially active S-
boxes, which we want to minimize. This MILP problem can then easily be solved
using an off-the-shelf optimization package, for example CPLEX. The result can
be used to prove the security of a cryptosystem against linear and differential
cryptanalysis.
Our technique can be applied to a wide variety of cipher constructions.
As an example, we apply the technique in this paper to the stream cipher
Enocoro-128v2. We prove that for Enocoro-128v2 38 rounds are sufficient for
security against differential cryptanalysis, and 61 rounds against linear crypt-
analysis. These results are valid both in the single-key and related-key models.
As Enocoro-128v2 consists of 96 initialization rounds, this proves the security of
Enocoro-128v2 against linear and differential cryptanalysis.
We would like to point out that only little programming is required to ob-
tain this result. A minimally experienced programmer can modify the reference
implementation of a cipher, in order to generate the required MILP program
in about half an hour. In the case of Enocoro-128v2, it takes CPLEX less than
one minute on a 24-core Intel Xeon X5670 processor to prove security against
differential cryptanalysis, and less than four minutes to prove security against
linear cryptanalysis. We note that because very little programming is required,
both the time spent on cryptanalysis and the possibility of making errors are
greatly reduced.

A Number of Active S-boxes for AES

The four-round propagation theorem of AES [15] proves that the number of
active S-boxes in a differential or linear characteristic of four AES rounds is at
least 25. Combined with the properties of the AES S-box, this result was used in
the AES design document to prove the resistance against linear and differential
attacks. In this section, we illustrate our technique by applying it to the block
cipher AES. We not only confirm the four-round propagation theorem, but also
determine the minimum number of active S-boxes for up to 14 rounds in Table 4.
An AES round update consists of four operations: AddRoundKey (AR), Sub-
Bytes (SB), ShiftRows (SR) and MixColumns (MC). The update of the first AES
round is shown in Table 3. Every variable corresponds to a byte of the AES state.
The variable is 1 if the difference is non-zero, and 0 if the difference is zero. All
variables corresponding to the inputs of the SubByte operations are summed in
the objective function, this corresponds to the number of active S-boxes. The
linear function used in the MixColumns operation has a differential as well as a
linear branch number of 5.
 Table 3. The Variables in the First Round Update of AES
2 3 2 3 2 3 2 3
x0 x4 x8 x12 x0 x4 x8 x12 x0 x4 x8 x12 x16 x20 x24 x28
6 x1 x5 x9 x13 7 6 x1 x5 x9 x13 7 6 x5 x9 x13 x1 7 6 x17 x21 x25 x29 7
4 x2 x6 x10 x14 5 SB
6 7 6 7 SR 6 7 MC 6 7
−
→ 4 x2 x6 x10 x14 5 −→ 4 x10 x14 x2 x6 5 −−→ 4 x18 x22 x26 x30 5
x3 x7 x11 x15 x3 x7 x11 x15 x15 x3 x7 x11 x19 x23 x27 x31

Table 4. Minimum Number of Differentially or Linearly Active S-boxes min(kN ) for

N rounds of AES

N 1 2 3 4 5 6 7 8 9 10 11 12 13 14
min(kN ) 1 5 9 25 26 30 34 50 51 55 59 75 76 80

A program was written in C to generate the equations for this optimization

problem in the CPLEX LP format. To illustrate the simplicity of our technique,
we provide this program (including source code comments) below in full. None
of the optimization problems in Table 4 took longer than 0.40 seconds to solve,
using only a single core of our 24-core Intel Xeon X5670 processor.

#include <stdio.h>

int i,j,r;
const int ROUNDS = 4; /* number of rounds */
int next = 0; /* next unused state variable index */
int dummy = 0; /* next unused dummy variable index */

void ShiftRows(int a[4][4]) {

int tmp[4];
for(i=1; i < 4; i++) {
for(j = 0; j < 4; j++) tmp[j] = a[i][(j + i) % 4];
for(j = 0; j < 4; j++) a[i][j] = tmp[j];
}
}

void MixColumn(int a[4][4]) {

for(j = 0; j < 4; j++) {
for (i = 0; i < 4; i++) printf("x%i + ",a[i][j]);
for (i = 0; i < 3; i++) printf("x%i + ",next+i);
printf("x%i - 5 d%i >= 0\n",next+3,dummy);

for(i = 0; i < 4; i++)

printf("d%i - x%i >= 0\n",dummy,a[i][j]);
for(i = 0; i < 4; i++)
printf("d%i - x%i >= 0\n",dummy,a[i][j]=next++);
dummy++;
}
}

int main() {
 int a[4][4]; /* the bytes of the AES state */

for (i = 0; i < 4; i++)

for (j = 0; j < 4; j++)
a[i][j] = next++; /* initialize variable indices */

printf("Minimize\n"); /* print objective function */

for (i = 0; i < ROUNDS*16-1; i++) printf("x%i + ",i);
printf("x%i\n\n",ROUNDS*16-1);

printf("Subject To\n"); /* round function constraints */

for (r = 0; r<ROUNDS; r++) {
ShiftRows(a);
MixColumn(a);
}

/* at least one S-box must be active */

for (i = 0; i < ROUNDS*16-1; i++) printf("x%i + ",i);
printf("x%i >= 1\n\n",ROUNDS*16-1);

printf("Binary\n"); /* binary constraints */

for (i = 0; i < 16; i++) printf("x%i\n",i);
for (i = 0; i < dummy; i++) printf("d%i\n",i);
printf ("End\n");
return 0;
}

References
1. Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. J.
Cryptology 4(1), 3–72 (1991)
2. Biryukov, A., Gong, G., Stinson, D.R. (eds.): Selected Areas in Cryptography -
17th International Workshop, SAC 2010, Waterloo, Ontario, Canada, August 12-
13, 2010, Revised Selected Papers, LNCS, vol. 6544. Springer (2011)
3. Biryukov, A., Nikolić, I.: Search for Related-key Differential Characteristics in
DES-like ciphers. In: Joux, A. (ed.) FSE. LNCS, vol. 6733, pp. 342–358. Springer
(2011)
4. Bodganov, A.: Personal Communication (2011)
5. Bogdanov, A.: Analysis and Design of Block Cipher Constructions. Ph.D. thesis,
Ruhr University Bochum (2009)
6. Bogdanov, A.: On unbalanced Feistel networks with contracting MDS diffusion.
Des. Codes Cryptography 59(1-3), 35–58 (2011)
7. Borghoff, J., Knudsen, L.R., Stolpe, M.: Bivium as a Mixed-Integer Linear Pro-
gramming Problem. In: Parker, M.G. (ed.) IMA Int. Conf. LNCS, vol. 5921, pp.
133–152. Springer (2009)
8. Bouillaguet, C., Fouque, P.A., Leurent, G.: Security Analysis of SIMD. In: Biryukov
et al. [2], pp. 351–368
9. Cameron McDonald, Chris Charnes, J.P.: An Algebraic Analysis of Trivium Ci-
phers based on the Boolean Satisfiability Problem. Cryptology ePrint Archive,
Report 2007/129 (2007), http://eprint.iacr.org/
10. COIN-OR: SYMPHONY. http://projects.coin-or.org/SYMPHONY
11. Computational Algebra Group, School of Mathematics and Statistics, University
of Sydney: Magma Computational Algebra System. http://magma.maths.usyd.
edu.au
12. Daemen, J., Clapp, C.S.K.: Fast Hashing and Stream Encryption with PANAMA.
In: Vaudenay, S. (ed.) FSE. LNCS, vol. 1372, pp. 60–74. Springer (1998)
13. Daemen, J., Govaerts, R., Vandewalle, J.: Resynchronization Weaknesses in Syn-
chronous Stream Ciphers. In: EUROCRYPT. pp. 159–167 (1993)
14. Daemen, J., Rijmen, V.: The Wide Trail Design Strategy. In: Honary, B. (ed.) IMA
Int. Conf. LNCS, vol. 2260, pp. 222–238. Springer (2001)
15. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption
Standard. Springer (2002)
16. Hell, M., Johansson, T.: Security Evaluation of Stream Cipher Enocoro-128v2.
CRYPTREC Technical Report (2010)
17. IBM: IBM ILOG CPLEX Optimizer. http://www.ibm.com/software/
integration/optimization/cplex-optimizer/
18. K. Muto, D.W., Kaneko, T.: Strength evaluation of Enocoro-128 against LDA and
its Improvement. In: Symposium on Cryptography and Information Security. pp.
4A1–1 (2008), (in Japanese)
19. Kanda, M.: Practical Security Evaluation against Differential and Linear Crypt-
analyses for Feistel Ciphers with SPN Round Function. In: Stinson, D.R., Tavares,
S.E. (eds.) Selected Areas in Cryptography. LNCS, vol. 2012, pp. 324–338. Springer
(2000)
20. Kazuto Okamoto, K.M., Kaneko, T.: Security evaluation of Pseudorandom Number
Generator Enocoro-80 against Differential/Linear Cryptanalysis (II). In: Sympo-
sium on Cryptography and Information Security. pp. 20–23 (2009), (in Japanese)
21. Konosu, K., Muto, K., Furuichi, H., Watanabe, D., Kaneko, T.: Security evaluation
of Enocoro-128 ver.1.1 against resynchronization attack. IEICE Technical Report,
ISEC2007-147 (2008), (in Japanese)
22. Matsui, M.: Linear Cryptoanalysis Method for DES Cipher. In: EUROCRYPT.
pp. 386–397 (1993)
23. Matsui, M.: On Correlation Between the Order of S-boxes and the Strength of
DES. In: EUROCRYPT. pp. 366–375 (1994)
24. Muto, K., Watanabe, D., Kaneko, T.: Security evaluation of Enocoro-80 against
linear resynchronization attack. Symposium on Cryptography and Information Se-
curity (2008), (in Japanese)
25. Raddum, H.: Cryptanalytic Results on Trivium. eSTREAM report 2006/039
(2006), http://www.ecrypt.eu.org/stream/triviump3.html
26. Schrage, L.: Optimization Modeling with LINGO. Lindo Systems (1999), availabe
on-line: http://www.lindo.com
27. Shibutani, K.: On the Diffusion of Generalized Feistel Structures Regarding Dif-
ferential and Linear Cryptanalysis. In: Biryukov et al. [2], pp. 211–228
28. Watanabe, D., Kaneko, T.: A construction of light weight Panama-like keystream
generator. In: IEICE Technical Report, ISEC2007-78 (2007), (in Japanese)
29. Watanabe, D., Okamoto, K., Kaneko, T.: A Hardware-Oriented Light Weight
Pseudo-Random Number Generator Enocoro-128v2. In: The Symposium on Cryp-
tography and Information Security. pp. 3D1–3 (2010), (in Japanese)
30. Watanabe, D., Owada, T., Okamoto, K., Igarashi, Y., Kaneko, T.: Update on
Enocoro Stream Cipher. In: ISITA. pp. 778–783. IEEE (2010)