{"id":45705520,"url":"https://github.com/hadipourh/zeroplus","last_synced_at":"2026-02-25T00:17:07.883Z","repository":{"id":226911554,"uuid":"705564863","full_name":"hadipourh/zeroplus","owner":"hadipourh","description":"Improved Search for Integral, Impossible Differential and Zero-Correlation Attacks: Application to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT and QARMAv2","archived":false,"fork":false,"pushed_at":"2025-07-30T17:51:41.000Z","size":3660,"stargazers_count":14,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-10T07:22:18.219Z","etag":null,"topics":["ascon","constraint-programming","cryptanalysis","cryptography","forkskinny-block-cipher","impossible-differential","integral-cryptanalysis","mantis","milp","present-block-cipher","qarmav2","skinny-block-cipher","symmetric-key-cryptography","zero-correlation-cryptanalysis"],"latest_commit_sha":null,"homepage":"https://ia.cr/2023/1701","language":"MiniZinc","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hadipourh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-16T09:04:58.000Z","updated_at":"2025-08-28T15:22:12.000Z","dependencies_parsed_at":"2024-04-18T17:08:37.190Z","dependency_job_id":"c4843386-477c-4ed7-a5cf-a9d70ad1d3a3","html_url":"https://github.com/hadipourh/zeroplus","commit_stats":null,"previous_names":["hadipourh/zeroplus"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hadipourh/zeroplus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzeroplus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzeroplus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzeroplus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzeroplus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hadipourh","download_url":"https://codeload.github.com/hadipourh/zeroplus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hadipourh%2Fzeroplus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29806149,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T22:43:48.403Z","status":"ssl_error","status_checked_at":"2026-02-24T22:43:18.536Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ascon","constraint-programming","cryptanalysis","cryptography","forkskinny-block-cipher","impossible-differential","integral-cryptanalysis","mantis","milp","present-block-cipher","qarmav2","skinny-block-cipher","symmetric-key-cryptography","zero-correlation-cryptanalysis"],"created_at":"2026-02-25T00:17:06.501Z","updated_at":"2026-02-25T00:17:07.511Z","avatar_url":"https://github.com/hadipourh.png","language":"MiniZinc","readme":"# Zeroplus\n\n[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n[![Python](https://img.shields.io/badge/Python-3.x-blue.svg)](https://www.python.org/)\n[![MiniZinc](https://img.shields.io/badge/MiniZinc-2.8.5+-orange.svg)](https://www.minizinc.org/)\n[![Gurobi](https://img.shields.io/badge/Gurobi-Optimization-red.svg)](https://www.gurobi.com/)\n[![Or-Tools](https://img.shields.io/badge/Or--Tools-CP--SAT-green.svg)](https://developers.google.com/optimization)\n[![Latexmk](https://img.shields.io/badge/Latexmk-Tikz-purple.svg)](https://www.ctan.org/pkg/latexmk)\n\n![logo](miscellaneous/zeroplus.svg)\n\nThis repository contains the source code for the tools utilized in our paper, accepted in ToSC 2024/1 ([FSE 2024](https://fse.iacr.org/2024/)): [Improved Search for Integral, Impossible-Differential, and Zero-Correlation Attacks: Applications to Ascon, ForkSKINNY, SKINNY, MANTIS, PRESENT, and QARMAv2](https://tosc.iacr.org/index.php/ToSC/article/view/11408).\n\n## Table of Contents\n\n- [Zeroplus](#zeroplus)\n - [Table of Contents](#table-of-contents)\n - [Requirements](#requirements)\n - [Installation](#installation)\n - [Structure of Our Tool](#structure-of-our-tool)\n - [Usage](#usage)\n - [Searching for Integral Distinguishers](#searching-for-integral-distinguishers)\n - [SKINNY](#skinny)\n - [ForkSKINNY](#forkskinny)\n - [Experimental Verification of Integral Distinguishers](#experimental-verification-of-integral-distinguishers)\n - [QARMAv2](#qarmav2)\n - [Searching for a Complete Integral Attack](#searching-for-a-complete-integral-attack)\n - [Partial-sum Technique](#partial-sum-technique)\n - [Searching for ID/ZC Distinguishers](#searching-for-idzc-distinguishers)\n - [SKINNY](#skinny-1)\n - [ForkSKINNY](#forkskinny-1)\n - [PRESENT](#present)\n - [Ascon](#ascon)\n - [Searching for Complete ID Attacks](#searching-for-complete-id-attacks)\n - [ForkSKINNY](#forkskinny-2)\n - [Paper and Presentation](#paper-and-presentation)\n - [Disclaimer](#disclaimer)\n - [Citation](#citation)\n - [License ](#license-)\n\n## Requirements\n\nOur tool requires the following software:\n\n- [Python3](https://www.python.org/downloads/)\n- [MiniZinc](https://www.minizinc.org/) to compile and solve our CP models\n- [latexmk](https://www.latex-project.org/) to build the `.tex` file and generate the shapes of our attacks (can be replaced by just calling lualatex directly)\n- [Or-Tools](https://developers.google.com/optimization)\n to solve our CP models.\n- [Gurobi](https://www.gurobi.com/downloads/gurobi-software/) to count the number of ID distinguishers for ForkSKINNY and SKINNY.\n\n## Installation\n\nMany CP solvers are bundled with MiniZinc and can be used without any further installation.\nWe use Or-Tools as the CP solver.\nFortunately, `OR Tools CP-SAT` is bundled with MiniZinc after version 2.8.0. Thus, by installing the latest version of MiniZinc, one can use `OR Tools CP-SAT` without any further installation.\nAdditionally, we need the Python package named `minizinc` to work with MiniZinc in Python.\nTo install the required software in Ubuntu, one can use the following commands:\n\n```bash\n#!/bin/bash\n# Update and upgrade system packages\napt update -y\napt upgrade -y\n\n# Install system dependencies\napt install -y python3-full python3-pip python3-venv git wget curl\n\n# Download and extract the latest MiniZinc release\nLATEST_MINIZINC_VERSION=$(curl -s https://api.github.com/repos/MiniZinc/MiniZincIDE/releases/latest | grep -oP '\"tag_name\": \"\\K(.*)(?=\")')\nwget \"https://github.com/MiniZinc/MiniZincIDE/releases/download/${LATEST_MINIZINC_VERSION}/MiniZincIDE-${LATEST_MINIZINC_VERSION}-bundle-linux-x86_64.tgz\"\nmkdir -p \"$HOME/minizinc\"\ntar -xvzf \"MiniZincIDE-${LATEST_MINIZINC_VERSION}-bundle-linux-x86_64.tgz\" -C \"$HOME/minizinc\" --strip-components=1\nrm \"MiniZincIDE-${LATEST_MINIZINC_VERSION}-bundle-linux-x86_64.tgz\"\n\n# Create a wrapper script to call MiniZinc with proper LD_LIBRARY_PATH\necho '#!/bin/bash' \u003e /usr/local/bin/minizinc\necho \"exec env LD_LIBRARY_PATH=\\$HOME/minizinc/lib:\\$LD_LIBRARY_PATH \\$HOME/minizinc/bin/minizinc \\\"\\$@\\\"\" \u003e\u003e /usr/local/bin/minizinc\nchmod +x /usr/local/bin/minizinc\n\n# Create a Python virtual environment\npython3 -m venv \"$HOME/zerovenv\"\nsource \"$HOME/zerovenv/bin/activate\"\n\n# Install Python packages\npip install --upgrade pip\npip install minizinc\n```\n\nThe above script is included in the [install.sh](install.sh) script, which can be executed to set up the environment by running the following command:\n\n```bash\nbash install.sh\n```\n\n## Structure of Our Tool\n\nOur tool's main components are the CP models saved in `.mzn` format, built using the methods explained in our paper. You can solve these `.mzn` files independently with MiniZinc.\n\nTo make using our tool even more convenient, we have included a Python interface for each application. Thus you'll discover `.mzn` files for each application, along with some handy Python tools.\n\n## Usage\n\nUsing our tool is straightforward. Simply specify the number of attacked rounds or the length of distinguisher and choose the solver. Our tool will then identify the attack and visualize its shape.\n\nFor a quick guide on each application, run the following command:\n\n```bash\npython3 \u003capplication_name\u003e.py --help\n```\n\nWe provide examples for each application below.\n\n## Searching for Integral Distinguishers\n\n### SKINNY\n\nAssume that we want to search for a (ZC-based) integral distinguisher for SKINNY-n-3n. Navigate into [this folder](forkskinny/integral) and run the following command:\n\n```bash\npython3 distinguisher.py -v 3 -RD 16\n```\n\nThe `-v` switch specifies the variant of SKINNY, and the `-RD` switch specifies the length of the distinguisher (see `python3 distinguisher --help`).\nThe following field shows the output of running the above command on a regular laptop with an `11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz` CPU and 16GB of RAM:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 3\nRD: 16\nRi: 0\nR0: 0\nSkip S-box: False\nCP solver: ortools\nNo. of threads: 8\nTime limit: 4000\n#######################################################\nElapsed time: 13.56 seconds\n#######################################################\nDistinguisher parameters:\nLength of distinguisher: 16\nVariant: 03\nRi: 0\nR0: 0\nTweakey cells that are active at most 03 times:\nTK[02] \n#######################################################\n#######################################################\n```\n\nAs can be seen, it takes about 14 seconds to find the distinguisher.\nOur tool also generates the `output.tex` file which contains the shape of the distinguisher in `Tikz` format. Run `latexmk -pdf ./output.tex` to see the shape of the distinguisher in `pdf` format:\n\n![int_skinny_64_192_18r](miscellaneous/int_skinny_64_192_18r.svg)\n\n### ForkSKINNY\n\nAs another example, you can navigat into [this folder](forkskinny/integral) and run the following command to find a 17-round integral distinguisher for ForkSKINNY-64-192:\n\n```bash\npython3 distinguisher.py -v 3 -RD 17 -Ri 6 -R0 23\n```\n\nThe `-Ri` switch specifies the number of rounds before the fork point and the `-R0` switch specifies the number of rounds in the first branch after the fork point (see `python3 distinguisher --help` for more details).\nThe following field shows the output of running the above command:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 3\nRD: 17\nRi: 6\nR0: 23\nSkip S-box: False\nCP solver: ortools\nNo. of threads: 8\nTime limit: 4000\n#######################################################\nElapsed time: 14.43 seconds\n#######################################################\nDistinguisher parameters:\nLength of distinguisher: 17\nVariant: 03\nRi: 6\nR0: 23\nTweakey cells that are active at most 03 times:\nTK[01] \n#######################################################\n#######################################################\n```\n\nThe following figure, generated by `latexmk -pdf ./output.tex`, shows the shape of the distinguisher in `pdf` format:\n\n![int_forkskinny_64_192_17r](miscellaneous/int_forkskinny_64_192_17r.svg)\n\n### Experimental Verification of Integral Distinguishers\n\nTo increase the confidence in the correctness of our implementations, here we generate a practical integral distinguisher for ForkSKINNY-64-192 and then verify it experimentally. For this pupose, we have provided a `C++` implemenation of ForkSKINNY in [this folder](forkskinny/integral/verifications/skinnytk.cpp).\nFor example, to generate a practical distinguisher, run the following command:\n\n```bash\npython3 distinguisher.py -v 3 -RD 14 -Ri 7 -R0 27\n```\n\nAfter running the above command successfully, we run `latexmk -pdf ./output.tex` to get the shape of the distinguisher in `pdf` format as follows:\n\n![int_forkskinny_64_192_14r](miscellaneous/int_forkskinny_64_192_14r.svg)\n\nAs seen in the above figure, only one input cell (position 14) at the input state is active in the corresponding integral distinguisher.\nTogether with 3 active tweakey cells in position `0xf` of the 3 tweakey states, we have 4 active cells in total. Therefore, the complexity of the distinguisher is `2^16`.\nAccordingly, we modify the `main()` function in [this file](forkskinny/zero-correlation/verification/skinnyrtk.cpp) as follows to build a practical distinguisher:\n\n```c\n// #############################################################################\n// Number of rounds\nint R = 14;\n// Fork point (Rinit)\nuint8_t Ri = 7;\n// The length of C0 branch (R0)\nuint8_t R0 = 27; \n// Number of active cells in the plaintext\nint nap = 1;\n// Position of active cells in the plaintext\nint ap[1] = {14};\n// Number of active cells in tweakey\nint ntk = 3;\n// Position of active cells in the tweakey\nint atk = 0xf;\n// Number of involved cells in ciphertext\nint nb = 2;\n// Position of involved cells in ciphertext\nint balanced_positions[2] = {3, 15}; \n// #############################################################################\n```\n\nFinally we compile and run the `C++` code as follows:\n\n```bash\nmake\n./check\n```\n\nThe output of the above command is as follows:\n\n```bash\n[x] PRNG initialized by 4 random bytes: 0xDD70F077\n42bb890058b508e8\n267557f24c5a981e\n42bb890058b508e8\nEncryption and decryption are consistent. Test passed.\nNumber of plaintexts: 16\nTarget sum: 0\nRandom sum: 3\n```\n\nIf you run `./check` multiple times, the `Target sum` is always zero, whereas the `Random sum` may vary. It confirms that our discovered integral distinguisher works in practice.\n\n### QARMAv2\n\nTo see the source codes for QARMAv2, please refer to [this repository](https://github.com/hadipourh/QARMAnalysis).\n\n## Searching for a Complete Integral Attack\n\nHere, we provide an example of searching for a complete integral attack, by only specifying the length of the attack.\nLet's say we are looking for a 23-round integral attack for ForkSKINNY-128-256.\nNavigate into [this folder](forkskinny/integral) and run the following command:\n\n```bash\npython3 attack.py -v 2 -RB 1 -RD 15 -RF 7 -Ri 9 -R0 27\n```\n\nThe parameters `-RB`, `-RD`, `-RF`, specify the number of key recovery rounds before the distinguisher, the length of the distinguisher, and the number of key recovery rounds after the distinguisher, respectively (see `python3 attack --help` for more details). The parameter `-Ri` specifies the number of rounds before the fork point and `-R0` specifies the number of rounds in the first branch after the fork point. The output is as follows:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 2\nRB: 1\nRD: 15\nRF: 7\nRi: 9\nR0: 27\nSkip S-box: False\nCP solver: ortools\nNo. of threads: 8\nTime limit: 3600\n#######################################################\nElapsed time: 6.29 seconds\n#######################################################\nDistinguisher parameters:\nLength of distinguisher: 15\nVariant: 02\nRi: 9\nR0: 27\nTweakey cells that are active at most 02 times:\nTK[15] \nMax number of involved tweakey cells in key recovery: 24\n#######################################################\n```\n\nAs can be seen, it takes about 6 seconds to find the attack. You can run `latexmk -pdf ./output.tex` to get the shape of the attack in `pdf` format as follows.\n\n![int_forkskinny_128_256_23r](miscellaneous/int_forkskinny_128_256_23r.svg)\n\nNote that the above model does not include the partial-sum technique.\nThe advnatge of the above model is that it is quite fast.\nIn the next section we show how to use our CP-based model for the partial-sum technique.\nIt is possible to combine the CP model of partial-sum techique with the above model to find a complete attack considering the partial-sum technique, or use the partial-sum technique as a standalone module.\n\n## Partial-sum Technique\n\nGiven an integral distinguisher for Skinny, as obtained in the previous section, we can now optimize the order of partial-sum guessing. It's important to note that our CP models, including the distinguisher and partial-sum optimizations, can be combined into a unified CP model, which we have successfully created. However, our tool is modular, allowing the distinguisher and key recovery parts to be used separately. In this section, we demonstrate the usage of the key recovery part as a standalone module for simplicity.\n\nNavigate into [this folder](partial_sum_optimization) and run the following example command:\n\n```bash\npython3 pso.py 1 18 15 5 4 9 32\n```\n\nThe parameter of this tool are in order\n\n- `tweakey_setting: Specify version of Skinny used`\n- `final_round: Final round of the key recovery`\n- `start_round: Start round of the key recovery`\n- `tweakey_cell: Specify which tweakey cell is controlled by the attacker`\n- `balanced_cell: Specify the balanced cell from the output of the distinguisher`\n- `input_active: Specify how many cell are active at the input of the distinguisher`\n- `scale: Scale the time complexity, must be used since many solver only support limited data types`\n- `s [STEPS], --steps [STEPS] Specify the maximum number of steps, default are the involved subtweakey cells`\n\nThis tool derives the order of guessing the sub-tweakeys in the partial-sum techinque, and\nsaves the output in a json file. For example, the above command saves the output in `1_18_15_5_4_9.json`.\n\nIn order to visualize the partial-sum technique, we can use the following command.\n\n```bash\npython3 psvisu.py 1_18_15_5_4_9.json -n -p\n```\n\nThe parameter of this tool are in order\n\n- `-c, --color Use different color for every step`\n- `-s, --steps Visualize each step individually`\n- `-n, --step-number Put the step number in each cell except the stk`\n- `-m, --memory Mark which states have to be stored in memory`\n- `-p, --pdf Run latex and output pdf`\n- `input: json file with key guess order (output of autopsy2)`\n\nThis tool outputs a latex file. With the `-p` option, it also runs latexmk to generate a pdf file (see `python3 psvisu.py --help` for more details). The above example leads to the following figure.\n![ps_skinny](miscellaneous/1_18_15_5_4_9.svg)\n\n## Searching for ID/ZC Distinguishers\n\nIn this section, we provide examples of searching for ID/ZC distinguishers for different ciphers.\n\n### SKINNY\n\nLet's say we are looking for an ID distinguisher for\n15 rounds of SKINNY-64-128 in the related-tweakey setting.\nWith only specifying the length of the distinguisher, i.e., `RD`, we can find the distinguisher as follows.\nnavigate into [this folder](skinny/impossible) and run the following command:\n\n```bash\npython3 attack.py -v 2 -RD 15\n```\n\nThe switch `-v` specifies the variant of SKINNY (see `python3 attack --help`), and the switch `-RD` specifies the length of the distinguisher.\nThe following output shows the result of running the above command:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 2\nCell size: 4\nRB: 0\nRD: 15\nRF: 0\nRzero: 0\nRone: 0\nSkip S-box: True\nRelated-Tweakey: True\nCP solver: ortools\nNo. of threads: 8\nTime limit: 4000\n#######################################################\nElapsed time: 34.51 seconds\nGenerating the MILP model ...\nMILP model was written into 50d3d88e-1de5-471d-af1e-ae9f81cc44f2.lp\n\nSet parameter Username\nAcademic license - for non-commercial use only - expires 2024-06-10\nRead LP format model from file 50d3d88e-1de5-471d-af1e-ae9f81cc44f2.lp\nReading time = 0.01 seconds\n: 4627 rows, 2400 columns, 11064 nonzeros\nSet parameter TimeLimit to value 4000\nSet parameter PoolSearchMode to value 2\nSet parameter PoolSolutions to value 2000000000\nElapsed time: 0.01 seconds\nNumber of solutions: 15\nDistinguisher parameters:\nLength of distinguisher: 15\nVariant: 02\nRzero: 0\nRone: 0\nContradiction happens in the following rounds: [7, 8, 9]\n#######################################################\n\nNumber of distinguishers: 15\n#######################################################\n```\n\nAs can be seen, our tool enumerates the number of ordinary ID distinguishers within the cluster of identified (truncated) ID distinguisher. We ran the above command on a laptop with an `Intel Corei7-1165G7 @ 2.80GHz` and it took about 34 seconds when using `Or-Tools` as the solver in multi-thread mode utilizing 8 threads on our laptop.\n\nOur tool also generates the `output.tex` file which contains the shape of the attack in `Tikz` format. We can compile it using `latexmk` to get the shape of the attack in `pdf` format:\n\n```bash\nlatexmk -pdf output.tex\n```\n\n![id_skinny_tk2_rtk_16r](miscellaneous/id_skinny_tk2_rtk_16r.svg)\n\n### ForkSKINNY\n\nLet's say we are looking for an ID distinguisher for 18 rounds of ForkSKINNY-128-256 in the related-tweakey setting. Navigate into [this folder](forkskinny/impossible) and run the following command:\n\n```bash\npython3 attack.py -v 2 -cs 8 -RD 18 -Ri 10 -R0 17\n```\n\nIn the above command, the switch `-cs` specifies the cell size, the switch `-Ri` specifies the number of rounds before the fork point and\n`-R0` specifies the number of rounds in the branch after the fork point.\nThe following output shows the result of running the above command:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 2\nCell size: 8\nRB: 0\nRD: 18\nRF: 0\nRi: 10\nR0: 17\nSkip S-box: True\nRelated-Tweakey: True\nCP solver: ortools\nNo. of threads: 8\nTime limit: 4000\n#######################################################\nElapsed time: 43.86 seconds\nGenerating the MILP model ...\nMILP model was written into 787f5f64-4aba-4988-b80a-b9cdf8c085e8.lp\n\nSet parameter Username\nAcademic license - for non-commercial use only - expires 2024-06-10\nRead LP format model from file 787f5f64-4aba-4988-b80a-b9cdf8c085e8.lp\nReading time = 0.03 seconds\n: 20848 rows, 11200 columns, 49488 nonzeros\nSet parameter TimeLimit to value 4000\nSet parameter PoolSearchMode to value 2\nSet parameter PoolSolutions to value 2000000000\nElapsed time: 0.05 seconds\nNumber of solutions: 15\nDistinguisher parameters:\nLength of distinguisher: 18\nVariant: 02\nRi: 10\nR0: 17\nContradiction happens in the following rounds: [8]\n#######################################################\n\nNumber of distinguishers: 15\n#######################################################\n```\n\nAs can be seen, it takes about 44 seconds running on a regular laptop.\nRun `latexmk -pdf ./output.tex` to see the shape of the distinguisher in `pdf` format.\n\n![id_forkskinny_128_256_rtk_18r](miscellaneous/id_forkskinny_128_256_rtk_18r.svg)\n\n### PRESENT\n\nAssume that we want to search for ZC distinguishers for 6 rounds of PRESENT. Navigate into [this folder](present/zero-correlation) and run the following command:\n\n```bash\npython3 distinguisher.py -RD 6\n```\n\nThe following output shows the result of running the above command:\n\n```bash\nSearching for a distinguisher for 6 rounds of PRESENT ...\nTime used to find a distinguisher: 1.56 seconds\nSolver status: OPTIMAL_SOLUTION\nAttack summary:\nSetting: RD: 6\n################################################################################\nContradiction locations: [(3, 53), (3, 55), (3, 61), (3, 63)]\n################################################################################\ninput: \n0000000000000000000000000000000000000000000000000000000000000001;\n################################################################################\noutput: \n0000000100000000000000000000000000000001000000000000000100000000;\n################################################################################\nNumber of non-fixed input bits: 0\nNumber of non-fixed output bits: 0\n```\n\nAs can be seen, it takes about 1.56 seconds running on a regular laptop. Run `latexmk -pdf ./output.tex` to see the shape of the distinguisher in `pdf` format.\n\n![zc_present_6r](miscellaneous/zc_present_6r.svg)\n\n### Ascon\n\nSuppose that we aim to search for ZC distinguishers for 5 rounds of Ascon. Navigate into [this folder](ascon/zero-correlation) and run the following command:\n\n```bash\npython3 distinguisher.py -RD 5\n```\n\nThe following field shows the output of running the above command:\n\n```bash\nSearching for a distinguisher for 5 rounds of Ascon ...\nTime used to find a distinguisher: 402.05 seconds\nSolver status: OPTIMAL_SOLUTION\nAttack summary:\nSetting: RD: 5\n##################################################\ninput.: \ninput[0] = ?0000??0?0???00????0?????0000000?0?0?00??01?000?00?0??0??000???0;\ninput[1] = ?0000??0?0???00????0?????0000000?0?0?00??00?000?00?0??0??000???0;\ninput[2] = ?0000??0?0???00????0?????0000000?0?0?00??00?000?00?0??0??000???0;\ninput[3] = ?0000??0?0???00????0?????0000000?0?0?00??01?000?00?0??0??000???0;\ninput[4] = ?0000??0?0???00????0?????0000000?0?0?00??01?000?00?0??0??000???0;\n##################################################\noutput: \noutput[0] = 0000000000000000000001000000000000000000000000000000000000000000;\noutput[1] = 0000000000000000000001000000000000000000000000000000000000000000;\noutput[2] = 0000000000000000000000000000000000000000000000000000000000000000;\noutput[3] = 0000000000000000000000000000000000000000000000000000000000000000;\noutput[4] = 0000000000000000000001000000000000000000000000000000000000000000;\n##################################################\nNumber of non-fixed input bits: 155\nNumber of non-fixed output bits: 0\n```\n\nAs can be seen, it takes about 7 minutes running on a regular laptop. Run `latexmk -pdf ./output.tex` to see the shape of the distinguisher in `pdf` format.\n\n![zc_ascon_5r](miscellaneous/zc_ascon_5r.svg)\n\n## Searching for Complete ID Attacks\n\nHere we provide an example of searching for a complete ID attack.\n\n### ForkSKINNY\n\nLet's say we are looking for a complete ID attack for 32 rounds of ForkSKINNY-64-192 in the related-tweakey setting. Navigate into [this folder](forkskinny/impossible) and run the following command:\n\n```bash\npython3 attack.py -v 3 -cs 4 -RB 5 -RD 22 -RF 5 -Ri 11 -R0 15\n```\n\nIn the above command, `-v` specifies the variant of SKINNY, `-cs` specifies the cell size `-RD` is the number of rounds for distinguisher, and `-RB`, and `-RF` are the number of key recovery rounds before and after the distinguisher, respectively.\nThe switch `-Ri` specifies the number of rounds before the fork point and `-R0` specifies the number of rounds in the first branch after the fork point (see `python3 attack --help` for more details).\n\nThe following field shows the output of running the above command on a regular laptop with an `11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz` CPU and 16GB of RAM:\n\n```bash\n#######################################################\nSearching for an attack with the following parameters\nVariant: 3\nCell size: 4\nRB: 5\nRD: 22\nRF: 5\nRi: 11\nR0: 15\nSkip S-box: True\nRelated-Tweakey: True\nCP solver: ortools\nNo. of threads: 8\nTime limit: 4000\n#######################################################\nElapsed time: 441.53 seconds\nGenerating the MILP model ...\nMILP model was written into 95c5b170-e557-4949-89af-06ab790b4965.lp\n\nSet parameter Username\nAcademic license - for non-commercial use only - expires 2024-06-10\nRead LP format model from file 95c5b170-e557-4949-89af-06ab790b4965.lp\nReading time = 0.02 seconds\n: 24699 rows, 10528 columns, 74836 nonzeros\nSet parameter TimeLimit to value 4000\nSet parameter PoolSearchMode to value 2\nSet parameter PoolSolutions to value 2000000000\nElapsed time: 0.34 seconds\nNumber of solutions: 15\n#######################################################\nAttack parameters:\n#Attacked rounds = \t32\nRB + RD + RF = \t05 + 22 + 05 = 32\nRi = \t11\nR0 = \t15\nVariant = \t03\nCell size = \t04\ndata_complexity[0] = \t58.00\ndata_complexity[1] = \t64.00\ndata_complexity[2] = \t58.00\ndata_complexity[3] = \t65.00\ng = \t012\nlog2(g) - 0.53 = \t4.00\nt_complexity[0] = \t65.00\nt_complexity[1] = \t116.00\nt_complexity[2] = \t180.00\nt_complexity[3] = \t180.00\n#######################################################\n#involved key cells = \t44\nCB = \t12\nCF = \t16\nWB = \t13\nWF = \t16\ntime complexity = \t180.00\ndata_complexity = \t64.00\nmemory complexity = \t116.00\n#######################################################\n\nNumber of distinguishers: 15\n#######################################################\n```\n\nAs seen, it takes about 7 minutes on a regular laptop to find the complete attack.\nAfter successfully running the above command, we run `latexmk -pdf ./output.tex` to get the shape of the attack in `pdf` format as follows:\n\n![id_forkskinny_64_192_192_32r](miscellaneous/id_forkskinny_64_192_192_32r.svg)\n\n---\n\n## Paper and Presentation\n\nTo see the details about our method, please refer to our [paper](https://ia.cr/2023/1701).\nWe present this work in [FSE 2024](https://fse.iacr.org/2024/):\n\n- [Video](https://youtu.be/xzKnzFDCMes?t=2597)\n- [Slides](https://iacr.org/submit/files/slides/2024/fse/fse2024/2024_1_41/slides.pdf)\n- [Latex Sources of Our Slides](https://github.com/hadipourh/talks/tree/main/20240326-FSE-2024)\n- [Full Version of Paper](https://ia.cr/2023/1701)\n\nIf you have any questions or comments, please feel free to open an issue in this repository or reach out to [Hosein Hadipour](mailto:hsn.hadipour@gmail.com) directly.\n\n## Disclaimer\n\nThe solvers used in this tool are not entirely deterministic and may generate different outputs based on the configuration of the host machine.\nIn addition, the same problem can have multiple optimal solutions.\n\nPlease note that we have only verified the attacks documented in our paper.\nTherefore, it is essential to thoroughly review and validate any output of the tool before making claims related to our paper. We hope this tool is useful for the community.\n\n---\n\n## Citation\n\nIf you use our tool in your work, please acknowledge it by citing our paper:\n\n```\n@article{zeroplus_hadipouretal_tosc_2024,\nauthor = {Hosein Hadipour and \n Simon Gerhalter and \n Sadegh Sadeghi and \n Maria Eichlseder},\n title = {Improved Search for Integral, Impossible-Differential and Zero-Correlation Attacks: Application to {Ascon}, {ForkSKINNY}, {SKINNY}, {MANTIS}, {PRESENT} and {QARMAv2}},\n journal = {IACR Trans. Symmetric Cryptol.},\n volume = {2024},\n number = {1},\n year = {2024},\n pages = {234-325},\n doi = {10.46586/tosc.v2024.i1.234-325}\n}\n```\n\n---\n\n## License ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhadipourh%2Fzeroplus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhadipourh%2Fzeroplus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhadipourh%2Fzeroplus/lists"}