{"id":45705516,"url":"https://github.com/hadipourh/zero","last_synced_at":"2026-02-25T00:17:09.224Z","repository":{"id":167177268,"uuid":"622964866","full_name":"hadipourh/zero","owner":"hadipourh","description":"An Automatic Tool to Search for Full Impossible-Differential, Zero-Correlation and Integral Attacks","archived":false,"fork":false,"pushed_at":"2024-11-12T01:08:11.000Z","size":2853,"stargazers_count":11,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-10T07:22:18.197Z","etag":null,"topics":["block-cipher","craft-block-cipher","cryptanalysis","impossible-differential","integral-analysis","skinny-block-cipher","symmetric-key-cryptography","zero-correlation"],"latest_commit_sha":null,"homepage":"https://link.springer.com/chapter/10.1007/978-3-031-30634-1_5","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hadipourh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-03T12:27:36.000Z","updated_at":"2025-04-27T11:17:15.000Z","dependencies_parsed_at":"2023-09-22T09:38:29.838Z","dependency_job_id":"80f5ff39-1c58-4629-a1b2-d5954c0dafcf","html_url":"https://github.com/hadipourh/zero","commit_stats":null,"previous_names":["hadipourh/zero"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hadipourh/zero","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzero","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzero/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzero/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzero/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hadipourh","download_url":"https://codeload.github.com/hadipourh/zero/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzero/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29806149,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T22:43:48.403Z","status":"ssl_error","status_checked_at":"2026-02-24T22:43:18.536Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["block-cipher","craft-block-cipher","cryptanalysis","impossible-differential","integral-analysis","skinny-block-cipher","symmetric-key-cryptography","zero-correlation"],"created_at":"2026-02-25T00:17:03.881Z","updated_at":"2026-02-25T00:17:08.581Z","avatar_url":"https://github.com/hadipourh.png","language":"Python","readme":"# **Finding the Impossible** [![MIT License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\n\u003c!-- \u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/zero.svg\" alt=\"Your SVG\" style=\"width: 10%;\"\u003e\n\u003c/div\u003e --\u003e\n\n![logo](miscellaneous/zero.svg)\n\n\nThis repository contains the implementation of our method first introduced at [EUROCRYPT 2023](https://eurocrypt.iacr.org/2023/program.php) for finding the impossible-differential, zero-correlation, and integral attacks on block ciphers:\n\n  - **Hosein Hadipour**, Sadegh Sadeghi, Maria Eichlseder: [Finding the Impossible: Automated Search for Full Impossible Differential, Zero-Correlation, and Integral Attacks](https://eprint.iacr.org/2022/1147). EUROCRYPT 2023. https://doi.org/10.1007/978-3-031-30634-1_5\n\nAn enhanced version of our method has been accepted to  [ToSC 2024/1 (FSE 2024)](https://fse.iacr.org/2024/) under the title of [Improved Search for Integral, Impossible Differential and Zero-Correlation Attacks](https://tosc.iacr.org/index.php/ToSC/article/view/11408). \nTo see the source code of our new tool, please refer [zeroplus](https://github.com/hadipourh/zeroplus).\n\n---\n\n## Tool Overview\n\n***Zero*** is a tool for finding the full impossible differential, full zero-correlation and full integral attacks on block ciphers. In this tool we convert the problem of finding these attacks to a constraint optimization problem  (COP) as described in [our paper](https://doi.org/10.1007/978-3-031-30634-1_5). Next we use the state-of-the-art constraint programming (CP) solvers to solve it. We employ [MiniZinc](https://www.minizinc.org/) to describe the COP problem and use [Or-Tools](https://developers.google.com/optimization) and [Gurobi](https://www.gurobi.com/) as the CP solvers.\n\n---\n\n- [**Finding the Impossible** ](#finding-the-impossible-)\n  - [Tool Overview](#tool-overview)\n  - [Structure of Our Tool](#structure-of-our-tool)\n  - [Requirements](#requirements)\n  - [Installation](#installation)\n  - [Usage](#usage)\n    - [Impossible-Differential Attacks](#impossible-differential-attacks)\n    - [Zero-Correlation Attacks](#zero-correlation-attacks)\n    - [Integral Attacks](#integral-attacks)\n    - [Integral Distinguishers with Minimum Data Complexity](#integral-distinguishers-with-minimum-data-complexity)\n  - [Paper and Presentation](#paper-and-presentation)\n  - [Disclaimer](#disclaimer)\n  - [Citation](#citation)\n  - [License ](#license-)\n\n---\n## Structure of Our Tool\n\nThe main components of our tool are the constraint programming (CP) models in the `.mzn` format, created according to the methods described in our paper. These `.mzn` files serve as templates for the CP models and can be solved independently.\n\nTo simplify the tool's usage for each application discussed in our paper, we provide a Python interface. This interface allows users to instantiate, solve, and interpret the solutions of the CP models based on the `.mzn` templates using Python.\n\nWe have organized our tool into separate folders based on each attack type within the root directory. Within each attack type folder, you will find individual folders for different ciphers. These cipher folders contain `.mzn` files along with a Python tool.\n\nTo locate the specific attack or application you are interested in, navigate to the corresponding folder and execute the Python tool:\n\n- [impossible](impossible): Impossible-differential attacks\n- [zerocorrelation](zerocorrelation): Zero-correlation attacks\n- [integral](integral): Integral attacks\n- [autopsy](autopsy): Post-processor of integral attacks leveraging the partial sum technique\n\nThe root directory also contains the following folders:\n- [tikzstyles](tikzstyles): Includes the `TiKz` styles, that are necessary to generate the shape of the attacks\n- [miscellaneous](miscellaneous): Contains some auxiliary files, e.g., logo (not necessary for running the tool)\n\n## Requirements\n\nOur tool requires the following software:\n\n- [Python3](https://www.python.org/downloads/) to run our Python tools\n- [MiniZinc](https://www.minizinc.org/) to compile and solve our CP models\n- [latexmk](https://www.latex-project.org/) to generate the shape of the attacks\n\nWe also use two solvers to solve our CP models:\n\n- [Or-Tools](https://developers.google.com/optimization)\n- [Gurobi](https://www.gurobi.com/)\n\n---\n## Installation\n\nMany CP solvers are integrated into MiniZinc, but we use Or-Tools and Gurobi in our tool, which are not integrated into MiniZinc. \nHowever, MiniZinc supports these solvers, and one should link these solvers to MiniZinc by following the instructions in [MiniZinc's documentation](https://www.minizinc.org/doc-2.3.0/en/solvers.html).\n\n\nFor simplicity, we have provided a script [`install.sh`](install.sh) using which one can install MiniZinc, Or-Tools, and then link Or-Tools to MiniZinc. To install Gurobi, please follow the installation recipe provided by [Gurobi](https://www.gurobi.com/documentation/9.5/quickstart_linux/software_installation_guid.html).\n\nTo install the required Python modules run the following command:\n\n```bash\npython3 -m pip install -r pyrequirements.txt\n```\n---\n## Usage\n\nThe usage of our tool is simple. \nThe user needs to specify the number of attacked rounds and choose the solver. \nOur tool then finds the attack, generates its shape, and provides a rough estimation of the attack's complexity.\nWe have provided a short guide for each application, and you can access it by running the following command:\n\n```bash\npython3 \u003capplication_name\u003e.py --help\n```\n\nThe following examples clarify the usage of our tool. \n\n### Impossible-Differential Attacks\n\nOur tools for ID attacks are located in this folder: [impossible](impossible). Here, we show the usage of our tool for finding full impossible-differential attacks on SKINNY cipher. \n\nYou can find our tool for single-tweakey ID attack on SKINNY here:[impossible/single-tweakey](impossible/single-tweakey). Below, you'll see an example command for discovering a full ID attack on 21 rounds of SKINNY-TK3 in the single-tweakey setting:\n\n```bash\npython3 attack.py -RB 5 -RU 6 -RL 5 -RF 5 -v 3 -sl ortools -p 8 -o output.tex\n```\n\nIn the above command, `RU` and `RL` denote the length of the upper and lower parts of the distinguisher, respectively. Similarly, `RB` and `RF` represent the number of rounds before and after the distinguisher in the key-recovery process. The parameter `v` identifies the SKINNY variant, which in this case is `TK3`, and `sl` sets the solver, which we've chosen to be `ortools` here. The parameter `-p` specifies the number of threads used by the solver, and `-o` sets the output file name. You can also use `Gurobi` as the solver, but the running time may be much longer. So we recommend using `ortools` in multi-thread mode.\n\nExecuting the above command typically takes less than 5 seconds on a laptop equipped with an `Intel Corei7-1165G7 @ 2.80GHz`. The output will be a summary of attack parameters, a rough estimate of time, memory and data coplexities, along with attack's shape in `TiKz` format. By running `latexmk output.tex` you can compile it into a `pdf` file as shown below:\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/id_skinny_tk3_21r_stk.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\n\n\nWe have provided tools for related-tweakey ID attack on SKINNY, SKINNYee, and CRAFT in the [impossible/related-tweakey](impossible/related-tweakey) as well.\n\nAs another example of ID attack, you can navigate into [impossible/related-tweakey/SKINNYee](impossible/related-tweakey/SKINNYee), and run the following command to find a 27-round ID attack on SKINNYee in the related-tweakey setting:\n\n```bash\npython3 attack.py -RB 5 -RU 12 -RL 6 -RF 4\n```\n\nRunning the above command typically takes less than 5 seconds on a regular laptop. The generated shape is stored in `output.tex` file by default. The following figure illustrates the shape of the attack:\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/id_skinnyee_27r_rtk.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\n### Zero-Correlation Attacks\n\nHere we show an example of finding the zero-correlation attack on CRAFT using our tool. First, navigate into [zerocorrelation/CRAFT](zerocorrelation/CRAFT), and then run the following command:\n\n```bash\npython3 attack.py -RB 3 -RU 7 -RL 6 -RF 4 -sl ortools\n```\n\nBy compiling the output file `output.tex` using `latexmk -pdf output.tex`, you will get the following shape of the attack:\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/zc_craft_20r.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\n### Integral Attacks\n\nFor integral attack, we have provided two tools. \nOne is a CP-based tool that finds the full integral attack optimized for key-recovery taking the meet-in-the-middle technique into account. \nThe other tool, [autopsy](autopsy), applies a post-processing step to the output of the first tool leveraging the partial-sum technique in key-recovery. \nHere we show the tool's usage for finding a full integral attack on SKINNY-n-3n.\n\nFirst, navigate into [integral/SKINNY](integral/SKINNY). \nThen, run the following command to find the full integral attack optimized for key-recovery:\n\n```bash\npython3 attack.py -v 3 -RB 1 -RU 6 -RL 10 -RF 9 -sl ortools\n```\n\nRunning the above command typically takes less than 5 seconds on a regular laptop.\nIf you successfully run the above command, the tool generates the `output.tex` file, which contains the shape of the attack in `Tikz` format. You can compile it using `latexmk -pdf output.tex` command to obtain a shape similar to the following:\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/int_skinny_tk3_26r_ct.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\nNext, to apply the key-recovery taking the partial-sum technique into account, navigate into our [autopsy](autopsy) tool's folder and feed this tool with the parameter of the discovered integral attack.\n\nFor example, if you want to reproduce our 26-round integral key-recovery attack on SKINNY-n-3n, modify the end of `autopsy/autopsy.py` file as follows:\n\n```python\ntex_autopsy(cipher=\"skinny\", tksetting=3, final_round=26, start_round=18 tk_cell=14, balanced_cell=1, label=\"blue\", input_active=4)\ntex_autopsy(cipher=\"skinny\", tksetting=3, final_round=26, start_round=18 tk_cell=14, balanced_cell=13, label=\"green\", input_active=4)\n```\n\nNext, run `python autopsy.py` command to generate the key-recovery similar to the following:\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/skinny_tk3_26R_14_blue.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\n\u003cdiv style=\"display: flex; justify-content: center;\"\u003e\n  \u003cimg src=\"miscellaneous/skinny_tk3_26R_14_green.svg\" alt=\"Your SVG\" style=\"width: 70%;\"\u003e\n\u003c/div\u003e\n\nTo understand how we interpret the table above, please refer to our [paper](https://ia.cr/2022/1147).\n\n\n### Integral Distinguishers with Minimum Data Complexity\n\nHere, we show how to find integral distinguishers with minimum data complexity on SKINNY.\nThe objective function of this problem is minimizing the data complexity of integral distinguishers.\nFor example, if you want to reproduce our practical integral distinguisher for 12 rounds of SKINNY-n-3n, navigate into [integral/SKINNY](integral/SKINNY), and run the following command:\n\n```bash\npython3 distinguisher.py -RU 4 -RL 8 -v 3 -sl ortools\n```\n\nWe have also provided a `C` implementation to experimentally verify the distinguisher, which can be found here: [integral/SKINNY/EmpericalVerification](integral/SKINNY/EmpericalVerification)\n\n---\n## Paper and Presentation\n\nTo see the details about our method, please refer to our [paper](https://ia.cr/2022/1147). \nWe presented this work in [EUROCRYPT 2023](https://eurocrypt.iacr.org/2023/):\n\n- [Video](https://youtu.be/_DajyWvK_qU?t=1349)\n- [Slides](https://iacr.org/submit/files/slides/2023/eurocrypt/eurocrypt2023/212/slides.pdf)\n- [Latex Sources of Our Slides](https://github.com/hadipourh/talks/tree/main/20230424-EUROCRYPT-2023)\n- [Full Version of Paper](https://ia.cr/2022/1147)\n\nIf you have any questions or comments, please feel free to open an issue in this repository or reach out to [Hosein Hadipour](mailto:hsn.hadipour@gmail.com) directly.\n\n---\n## Disclaimer\n\nThe solvers used in this tool are not entirely deterministic and may generate different outputs based on the configuration of the host machine. \nIn addition, the same problem can have multiple optimal solutions.\n\nPlease note that we have only verified the attacks documented in our paper. \nTherefore, it is essential to thoroughly review and validate any output of the tool before making claims related to our paper. We hope this tool is useful for the community.\n\n---\n## Citation\n\nIf you use our tool in your work, please acknowledge it by citing our paper:\n\n```\n@inproceedings{eurocrypt_HadipourSE23,\n  author       = {Hosein Hadipour and\n                  Sadegh Sadeghi and\n                  Maria Eichlseder},\n  title        = {Finding the Impossible: Automated Search for Full Impossible-Differential,\n                  Zero-Correlation, and Integral Attacks},\n  booktitle    = {{EUROCRYPT} 2023},\n  series       = {LNCS},\n  volume       = {14007},\n  pages        = {128--157},\n  publisher    = {Springer},\n  year         = {2023},\n  doi          = {10.1007/978-3-031-30634-1_5}\n}\n```\n---\n## License ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhadipourh%2Fzero","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhadipourh%2Fzero","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhadipourh%2Fzero/lists"}