SAT-Based Security Evaluation for WARP against Linear Cryptanalysis

Abstract

WARP, an efficient lightweight block cipher presented by Banik et al., offers a viable alternative to AES with its 128-bit block and a 128-bit key. It adopts a 32-nibble type-II generalized Feistel network (GFN) structure, incorporating a nibble permutation optimized for both security and efficiency. Notably, WARP has achieved the lowest hardware implementation among 128-bit block ciphers. Its bit-serial encryption-only circuit is only 763 gate equivalents (GEs). Consequently, WARP has received significant attention since its inception. The designers evaluated the number of active Sboxes for linear trails in WARP to establish its security. To further investigate WARP’s resistance against linear attacks, we employed an automated model to analyze the optimal linear trails/hulls of WARP. To achieve this, the problem will be transformed into a Boolean satisfiability problem (SAT). The constraints in conjunctive normal form (CNF) are used to describe the mask propagation of WARP and invoke the SAT solver to find valid solutions. The results allowed us to obtain the optimal correlation of the initial 21-round linear trails for WARP. Furthermore, by enumerating the linear trails within a linear hull, the distribution of linear trails is revealed, and the probability of the linear hull is improved to be more accurate. This work extends the linear distinguisher from 18 to 21 rounds. Additionally, the first independent analysis of WARP’s linear properties is presented, offering a more precise evaluation of its resistance against linear cryptanalysis.