
8.6 Midori

Midori is a lightweight block cipher with 2 versions, Midori64 and Midori128, which was introduced in [Banik et al., 2015]. While several attack models are discussed by the authors of Midori, the authors made no claims concerning the security of Midori against related-key differential attacks. Its structure is very close to that of the AES, so that we can apply our CP methods to search for optimal related-key differential characteristics on Midori. This permits us to find full-round related-key differential characteristics for both versions of Midori. Using the methods described in the previous chapter, we present the methods and results of our related-key cryptanalysis on it using constraint programming.

8.6.1 Related-Key Differential Attacks

Bibliography

M. Bellare et al., Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions, 2003.

M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, 2000.

M. Bellare et al., Foundations of group signatures: The case of dynamic groups, CT-RSA 2005, 2005.

S. Bengio et al., Secure implementation of identification systems, Journal of Cryptology, issue 3, 1991.

G. Bertoni et al., EUROCRYPT 2013, 2013.

T. Beth and Y. Desmedt, Identification tokens, or: Solving the chess grandmaster problem, CRYPTO 1990, 1991.

A. Biere, Yet another local search solver and Lingeling and friends entering the SAT competition, 2014.

E. Biham, New types of cryptanalytic attacks using related keys (extended abstract), EUROCRYPT 1993, 1993.

E. Biham and A. Shamir, Differential cryptanalysis of FEAL and N-Hash, 1991.

E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, 1993.

A. Biryukov and D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, 2009.

A. Biryukov and I. Nikolić, Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others, EUROCRYPT 2010, 2010.

J. Black and P. Rogaway, A block-cipher mode of operation for parallelizable message authentication, 2002.

B. Blanchet, CryptoVerif: A computationally sound mechanized prover for cryptographic protocols, Dagstuhl seminar "Formal Protocol Verification Applied", 2007.

A. Bogdanov et al., Biclique cryptanalysis of the full AES, 2011.

J. Bonneau, Robust final-round cache-trace attacks against AES, 2006.

I. Boureanu et al., Fine-grained and application-ready distance-bounding security, Cryptology ePrint Archive, 2018.

I. Boureanu et al., Breaking and fixing the HB+DB protocol, 2017.
URL: https://hal.archives-ouvertes.fr/hal-01588562

I. Boureanu et al., On the pseudorandom function assumption in (secure) distance-bounding protocols, LATINCRYPT 2012, 2012.

I. Boureanu et al., Towards secure distance bounding, FSE 2013, 2013.

I. Boureanu et al., Practical and provably secure distance-bounding, ISC 2013, 2015.

I. Boureanu and S. Vaudenay, Optimal proximity proofs, 2014.

F. Boussemart et al., Boosting systematic search by weighting constraints, ECAI 2004, 2004.

S. Brands and D. Chaum, Distance-bounding protocols, EUROCRYPT 1993, 1994.

G. Brassard et al., Minimum disclosure proofs of knowledge, Journal of Computer and System Sciences, 1988.

A. Brelurut et al., Survey of distance bounding protocols and threats, FPS 2015, Springer, 2016.
URL: https://hal.archives-ouvertes.fr/hal-01588557

X. Bultel et al., Verifiable private polynomial evaluation, 2017.
URL: https://hal.archives-ouvertes.fr/hal-01689825

X. Bultel et al., A prover-anonymous and terrorist-fraud resistant distance-bounding protocol, WISEC 2016, ACM, 2016.
URL: https://hal.archives-ouvertes.fr/hal-01510800

L. Bussard and W. Bagga, Distance-bounding proof of knowledge to avoid real-time attacks, IFIP SEC 2005, 2005.

Z. Chen and X. Wang, Impossible differential cryptanalysis of Midori, IACR Cryptology ePrint Archive, 2016.

G. Chu and P. J. Stuckey, Chuffed solver description, 2014.

J. Conway, On numbers and games, 1976.

C. Cremers et al., Distance hijacking attacks on distance bounding protocols, S&P 2012, 2012.

J. Daemen and V. Rijmen, The Design of Rijndael, 2002.

B. Danev et al., Attacks on physical-layer identification, 2010.

A. Debant et al., Proving physical proximity using symbolic models, 2018.
URL: https://hal.archives-ouvertes.fr/hal-01708336

D. Denning and G. Sacco, Timestamps in key distribution protocols, 1981.

P. Derbez and P. Fouque, Automatic search of meet-in-the-middle and impossible differential attacks, 2016.

Y. Desmedt, Major security problems with the "unforgeable" (Feige-)Fiat-Shamir proof of identity and how to overcome them, SEDEP, Paris, France, 1988.

Y. Desmedt et al., Special uses and abuses of the Fiat-Shamir passport protocol, 1987.

D. Dolev and A. C. Yao, On the security of public key protocols, 1981.

X. Dong and Y. Shen, Cryptanalysis of reduced-round Midori64 block cipher, Cryptology ePrint Archive, 2016.

U. Dürholz et al., A formal approach to distance-bounding RFID protocols, 2011.

M. Fischlin and C. Onete, Terrorism in distance bounding: Modeling terrorist-fraud resistance, ACNS 2013, Springer, 2013.

P. Fouque et al., Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128, CRYPTO 2013, 2013.
URL: https://hal.archives-ouvertes.fr/hal-01094302

A. Francillon et al., Relay attacks on passive keyless entry and start systems in modern cars, 2011.

S. Gambs et al., The not-so-distant future: Distance-bounding protocols on smartphones, 2015.
URL: https://hal.archives-ouvertes.fr/hal-01244606

S. Gambs et al., Prover anonymous and deniable distance-bounding authentication, WISEC 2014, 2014.
URL: https://hal.archives-ouvertes.fr/hal-01089793

Gecode Team, Gecode: Generic constraint development environment, 2006.

D. Gérault and P. Lafourcade, Related-key cryptanalysis of Midori, 2016.

D. Gérault et al., Combining solvers to solve a cryptanalytic problem, CP 2017 Doctoral Program, 2017.

D. Gérault et al., Constraint programming models for chosen key differential cryptanalysis, 2016.
URL: https://hal.archives-ouvertes.fr/hal-01331222

D. Gérault et al., Using constraint programming to solve a cryptanalytic problem, Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence (IJCAI 2017), 2017.
URL: https://hal.archives-ouvertes.fr/hal-01528272

G. Avoine et al., Security of distance-bounding: A survey, ACM Computing Surveys, 2017.

O. Goldreich, Foundations of Cryptography, vol. 1, 2006.

O. Goldreich et al., How to construct random functions, J. ACM, issue 4, 1986.

S. Goldwasser et al., The knowledge complexity of interactive proof systems, SIAM Journal on Computing, vol. 18, 1989.

S. Goldwasser et al., Strong signature schemes, STOC 1983, 1983.

X. T. Gorjón and P. van Iterson, Protecting against relay attacks forging increased distance reports, 2015.

J. Guo et al., Invariant subspace attack against Midori64 and the resistance criteria for S-box designs, IACR Trans. Symmetric Cryptol., issue 1, 2016.

Gurobi Optimization, Gurobi optimizer reference manual, 2016.

D. Gérault et al., Revisiting AES related-key differential attacks with constraint programming, Information Processing Letters, issue 9, 2018.

G. P. Hancke, Distance-bounding for RFID: Effectiveness of 'terrorist fraud' in the presence of bit errors, 2012.

G. P. Hancke and M. G. Kuhn, An RFID distance bounding protocol, SECURECOMM 2005, 2005.

J. Hermans et al., Efficient, secure, private distance bounding without key updates, WISEC 2013, 2013.

M. Igier and S. Vaudenay, Distance bounding based on PUF, CANS 2016, Springer, 2016.

A. Juels, RFID security and privacy: a research survey, IEEE Journal on Selected Areas in Communications, vol. 24, issue 2, 2006.

O. Kallenberg, Foundations of Modern Probability, 2002.

H. Kılınç and S. Vaudenay, Optimal proximity proofs revisited, Lecture Notes in Computer Science, 2015.

H. Kılınç and S. Vaudenay, Efficient public-key distance bounding protocol, ASIACRYPT 2016, 2016.

C. Kim et al., The Swiss-Knife RFID distance bounding protocol, 2008.

S. Kleber et al., Terrorist fraud resistance of distance bounding protocols employing physical unclonable functions, NETSYS 2015, 2015.

J. Krumm, A survey of computational location privacy, Personal and Ubiquitous Computing, issue 6, 2009.

J. Krumm and E. Horvitz, LOCADIO: Inferring motion and location from Wi-Fi signal strengths, IEEE, 2004.

C. Lecoutre et al., Reasoning from last conflict(s) in constraint programming, Artificial Intelligence, issue 18, 2009.
URL: https://hal.archives-ouvertes.fr/hal-00868108

L. Lin and W. Wu, Meet-in-the-middle attacks on reduced-round Midori-64, Cryptology ePrint Archive, Report 2015/1165.

F. Liu et al., A tolerant algebraic side-channel attack on AES using CP, 2017.

S. Lucks, The sum of PRPs is a secure PRF, 2000.

R. Maes and I. Verbauwhede, Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions, 2010.

F. Massacci, Using Walk-SAT and Rel-SAT for cryptographic key search, IJCAI 1999, 1999.

MasterCard, Contactless PayPass reader specifications v3.1, not publicly available, 2017.

M. Matsui, Linear cryptanalysis method for DES cipher, 1993.

M. Matsui, On correlation between the order of S-boxes and the strength of DES, 1994.

S. Mauw et al., Distance-bounding protocols: Verification without time and location, S&P 2018, 2018.

C. Meadows et al., Distance bounding protocols: Authentication logic analysis and collusion attacks, in Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks, 2007.

S. Meier et al., The TAMARIN prover for the symbolic analysis of security protocols, 2013.

R. C. Merkle, Secrecy, Authentication, and Public Key Systems, 1979.

M. Minier et al., Solving a Symmetric Key Cryptographic Problem with Constraint Programming, 2014.
URL: https://hal.archives-ouvertes.fr/hal-01092574

I. Mironov and L. Zhang, Applications of SAT solvers to cryptanalysis of hash functions, 2006.

N. Mouha et al., Differential and linear cryptanalysis using mixed-integer linear programming, ICISC 2012, 2012.

R. M. Needham and M. D. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM, issue 12, 1978.

N. Nethercote et al., MiniZinc: Towards a standard CP modelling language, 2007.

Y. Oren et al., Algebraic side-channel analysis in the presence of errors, CHES 2010, 2010.

C. Prud'homme et al., Choco Documentation, TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S., 2016.

V. Ramamoorthy et al., The design of cryptographic S-boxes using CSPs, 2011.

K. B. Rasmussen and S. Capkun, Implications of radio fingerprinting on the security of sensor networks, 2007.

J. Reid et al., Detecting relay attacks with timing-based protocols, 2007.

F. Rossi et al., Handbook of Constraint Programming (Foundations of Artificial Intelligence), 2006.

Y. Sasaki and Y. Todo, New impossible differential search tool from design and cryptanalysis aspects, 2017.

A. A. Selçuk, On probability of success in linear and differential cryptanalysis, Journal of Cryptology, issue 1, 2008.

A. Shahmirzadi et al., Impossible differential cryptanalysis of reduced-round Midori64 block cipher, ISeCure, issue 1, 2018.

V. Shoup, Sequences of games: a tool for taming complexity in security proofs, Cryptology ePrint Archive, 2004.

S. Sun et al., Analysis of AES, SKINNY, and others with constraint programming, IACR Transactions on Symmetric Cryptology, issue 1, 2017.
URL: https://hal.archives-ouvertes.fr/hal-01615487

S. Sun et al., Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers, 2014.

B. Tao and H. Wu, Improving the biclique cryptanalysis of AES, 2015.

M. Tolba et al., Improved multiple impossible differential cryptanalysis of Midori128, IEICE Transactions, 2017.

R. Tripathi and S. Agrawal, Comparative study of symmetric and asymmetric cryptography techniques, 2014.

R. Trujillo-Rasua et al., Distance-bounding facing both mafia and distance frauds: Technical report, 2014.

P. Urien and S. Piramuthu, Elliptic curve-based RFID/NFC authentication with temperature sensor input for relay attacks, Decision Support Systems, issue 6, 2014.

S. Vaudenay, On privacy models for RFID, 2007.

S. Vaudenay, Private and secure public-key distance bounding: Application to NFC payment, 2015.

S. Vaudenay, Sound proof of proximity of knowledge, 2015.

J. Vila and R. J. Rodríguez, Practical experiences on NFC relay attacks with Android, Radio Frequency Identification, 2015.

D. J. Wheeler and R. M. Needham, TEA, a tiny encryption algorithm, 1994.

S. Wu and M. Wang, Security evaluation against differential cryptanalysis for block cipher structures, IACR Cryptology ePrint Archive, 2011.

New Xbox security cracked by Linux fans, 2002.

N. Zhou et al., Constraint Solving and Planning with Picat, 2015.