SN Computer Science (2020) 1:169
https://doi.org/10.1007/s42979-020-00181-4
ORIGINAL RESEARCH
SMT Solver‑Based Cryptanalysis of Block Ciphers
Harish Kumar Sahu (1) · N. Rajesh Pillai (1) · Indivar Gupta (1) · R. K. Sharma (2)
Received: 20 May 2019 / Accepted: 23 April 2020
© Springer Nature Singapore Pte Ltd 2020
Abstract
Satisfiability modulo theories (SMT) is a powerful framework for solving constraint satisfaction problems expressed in first-order logic, and is mainly used for software and hardware verification. In this article, we demonstrate the power of SMT solvers in cryptanalysis. We propose an algorithm for the cryptanalysis of block ciphers using SMT solvers. In the cryptanalytic attack, we represent a block cipher in terms of Boolean equations and convert them into a suitable format (i.e. SMT-LIB). Finally, we use SMT solvers to find the key. An important feature of our attack is that it requires a few plaintext-ciphertext pairs to recover the secret key. We use the proposed algorithm to demonstrate the cryptanalysis of the International Data Encryption Algorithm (IDEA). We use various serial and parallel SMT solvers to apply a known plaintext attack on IDEA and compare their performances. The SMT solvers can recover the full key for three rounds of IDEA and 32 unknown key bits for the full IDEA cipher, assuming 96 key bits are known. Furthermore, we compare our results with existing attacks on IDEA.
Keywords IDEA · Block cipher · Cryptanalysis · Satisfiability · SMT solver · Z3 · Boolector
Mathematics Subject Classification 11T71
Introduction
The International Data Encryption Algorithm (IDEA) is a block cipher developed by Xuejia Lai and James Massey in 1990 [1]. The IDEA cipher was proposed to replace DES (Data Encryption Standard). It is used in PGP (Pretty Good Privacy) [2] for confidentiality. IDEA has resisted an exceptional number of cryptanalysis attempts, e.g. meet-in-the-middle, linear and square attacks. Some of the important attacks on IDEA are discussed later in Sect. 2.3. To date, no SMT solver-based attacks have been reported on IDEA. Satisfiability modulo theories (SMT) is viewed as a generalization of satisfiability (SAT).
Some of the popular SMT solvers are Z3, Boolector, Yices, Sonolar, SMT-RAT, etc. [3–6]. In this paper, we explore the power of SMT solvers in cryptanalysis.
SMT Solvers and Their Common Applications
Satisfiability is the basic and ubiquitous problem of determining whether a formula expressing a constraint has a model, i.e. a solution. Many practical problems can be encoded as Boolean formulas and solved using Boolean satisfiability (SAT) solvers. Other problems require the added expressiveness of equality, uninterpreted function symbols, arithmetic, arrays, datatype operations, and quantifiers. Such problems can be handled by satisfiability modulo theories (SMT). SMT solvers have a wide range of applications in hardware and software verification [7], extended static checking, constraint solving, planning, scheduling, test case generation, and computer security [8]. SMT solvers have also been used in the automatic verification of cryptographic implementations by Tomb [9] and Bond et al. [10].
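To make concrete what "represent the cipher as equations and convert them to SMT-LIB" means for IDEA, the following is an added example (not the paper's own code) that encodes the key-mixing layer of one IDEA round, i.e. X1 ⊙ K1, X2 ⊞ K2, X3 ⊞ K3, X4 ⊙ K4, as QF_BV constraints for a known-plaintext key recovery, together with a reference implementation used to generate the plaintext/output pairs. The function names, the constructed subkeys and the constructed plaintexts are this example's own assumptions; the solver invocation itself (e.g. feeding the output to Z3 or Boolector) is left to the reader.

```python
# Constructed example (not the paper's code): encode IDEA's key-mixing
# half-round as SMT-LIB 2 bit-vector constraints for a known-plaintext attack.
MOD = 2**16 + 1  # IDEA multiplies modulo 2^16+1; the 16-bit word 0 stands for 2^16

def idea_mul(a: int, b: int) -> int:
    """Reference IDEA multiplication on 16-bit words (0 encodes 2^16)."""
    r = ((a or 0x10000) * (b or 0x10000)) % MOD
    return 0 if r == 0x10000 else r

def idea_add(a: int, b: int) -> int:
    """IDEA addition: plain addition modulo 2^16."""
    return (a + b) & 0xFFFF

def key_mix(x: tuple, k: tuple) -> tuple:
    """First layer of an IDEA round: X1*K1, X2+K2, X3+K3, X4*K4."""
    return (idea_mul(x[0], k[0]), idea_add(x[1], k[1]),
            idea_add(x[2], k[2]), idea_mul(x[3], k[3]))

# SMT-LIB prelude: a 16x16-bit product can reach 2^32, so both operands are
# lifted to 64 bits before bvmul/bvurem, and the residue 2^16 maps back to 0.
PRELUDE = """(set-logic QF_BV)
(define-fun lift ((v (_ BitVec 16))) (_ BitVec 64)
  (ite (= v #x0000) #x0000000000010000 ((_ zero_extend 48) v)))
(define-fun imul ((a (_ BitVec 16)) (b (_ BitVec 16))) (_ BitVec 16)
  (let ((r (bvurem (bvmul (lift a) (lift b)) #x0000000000010001)))
    (ite (= r #x0000000000010000) #x0000 ((_ extract 15 0) r))))
"""

def encode_known_plaintext(pairs) -> str:
    """Emit SMT-LIB asserting key_mix(x, k) == y for every (x, y); k0..k3 unknown."""
    lines = [PRELUDE]
    lines += [f"(declare-const k{i} (_ BitVec 16))" for i in range(4)]
    for x, y in pairs:  # bvadd on 16-bit vectors wraps mod 2^16, matching idea_add
        lines.append(f"(assert (= (imul #x{x[0]:04x} k0) #x{y[0]:04x}))")
        lines.append(f"(assert (= (bvadd #x{x[1]:04x} k1) #x{y[1]:04x}))")
        lines.append(f"(assert (= (bvadd #x{x[2]:04x} k2) #x{y[2]:04x}))")
        lines.append(f"(assert (= (imul #x{x[3]:04x} k3) #x{y[3]:04x}))")
    lines += ["(check-sat)", "(get-model)"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    key = (0x0000, 0x1234, 0xABCD, 0x0001)  # constructed secret subkeys
    pts = [(0x0001, 0x0002, 0x0003, 0x0004), (0x1111, 0x2222, 0x3333, 0x4444)]
    print(encode_known_plaintext([(p, key_mix(p, key)) for p in pts]))
```

The printed script can be piped into any SMT-LIB 2 solver; the model it returns for k0..k3 is the recovered subkey, and the same pattern (symbolic key words, concrete plaintext and ciphertext words) extends to the MA structure and further rounds.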
* Indivar Gupta
indivargupta@sag.drdo.in; indivar_gupta@yahoo.com
Harish Kumar Sahu
harish.sahu@gmail.com
N. Rajesh Pillai
rajesh.tech@gmail.com
R. K. Sharma
rksharma@maths.iitd.ac.in
(1) SAG, DRDO, Metcalfe House Campus, Delhi 110054, India
(2) Department of Mathematics, Indian Institute of Technology, Delhi, Hauz Khas, Delhi 110016, India