SAT-Based Security Evaluation for WARP against Linear Cryptanalysis

Introduction
1.1. Background. Linear cryptanalysis, as presented by Matsui [1], stands as a prominent method employed in the analysis of symmetric-key ciphers. By identifying linear trails with high correlation, it becomes possible to conduct attacks more efficiently, achieving a lower complexity compared to brute-force searching. Consequently, resistance to linear cryptanalysis emerges as a critical aspect to be considered by both designers and potential attackers.
The development of search methods for differential [2,3] and linear trails is closely intertwined. This is because the propagation of difference pairs and linear masks in branching and XOR operations exhibits a dual nature [4]. Matsui's branch-and-bound method, initially introduced at EUROCRYPT 1994 for searching differential trails with optimal probability, is also commonly employed for searching linear trails with optimal correlation. Although this method is powerful, it demands strong programming skills. In recent years, automated models such as mixed integer linear programming (MILP) [5,6], constraint programming (CP) [7], satisfiability modulo theories (SMT) [8], and the Boolean satisfiability problem (SAT) [9,10] have exhibited remarkable performance in discovering various distinguishers in cryptanalysis. However, for long trails or ciphers with a 128-bit block, these models still struggle to return solutions within a reasonable time. By integrating the strengths of both approaches, researchers have made significant progress in improving the efficiency of trail search algorithms, as demonstrated in works such as those by Sun et al. [10] and Zhang et al. [11].
It is crucial for symmetric-key cryptography to prioritize resistance against distinguishing attacks as a fundamental security requirement. WARP, with a 128-bit block, was specifically designed for efficient hardware implementation [12]. It has undergone a preliminary security evaluation, encompassing a range of attacks such as the differential, linear, impossible differential, and integral attacks. Regarding impossible differential cryptanalysis, the designers obtained a 21-round impossible differential distinguisher using the approach outlined in a study by Sasaki and Todo [13]. Independently, other researchers discovered a 21-round zero-correlation distinguisher [14,15]. For integral attacks, the designers found a 20-round integral distinguisher utilizing the MILP model provided in a study by Xiang et al. [16], and a 24-round generalized integral distinguisher was subsequently proposed by observing the properties of WARP's construction [14]. Additionally, an extension of the model led to the discovery of a 23-round boomerang distinguisher [17]. To assess security against differential and linear attacks, the designers employed a MILP-based automated model [5] to obtain lower bounds for the number of active Sboxes. In the presence of the clustering effect, a 20-round differential distinguisher was identified in a study by Teh and Biryukov [18]. However, until now, no investigation has been conducted to explore actual linear distinguishers in WARP. This gap in research leaves room for further exploration of WARP.
1.2. Contribution. In this paper, the main objective is to identify distinguishers, which are instrumental in understanding the structural properties and the security of the underlying components in WARP. The analysis in this paper has yielded several important findings and results, which are summarized as follows:
(1) Using the constructed SAT model, we have successfully validated the lower bounds for the number of active Sboxes required for the initial 19 rounds of linear trails in WARP, as stated in the design documentation. Furthermore, the lower bound for the number of active Sboxes in the 20-, 21-, and 22-round linear trails is determined to be 70, 75, and 79, respectively.
(2) We have successfully identified the first 21-round linear trails with optimal correlation, which align with the upper bound estimated using the lower bound for the number of active Sboxes. Notably, the findings reveal that the 18-round linear trails in WARP have the optimal correlation $2^{-61}$, indicating that WARP is not able to withstand the linear trail-based distinguishing attack.
(3) Moreover, the 20-round linear trail with optimal probability $2^{-140}$ is obtained. With the help of the automated model, 186,856 trails are found to contribute to the same 20-round linear hull, and the probability of the 20-round linear hull is improved from $2^{-140}$ to $2^{-127.27}$, which is lower than $2^{-128}$, thereby extending the distinguishers from 18 to 20 rounds.
To the best of our knowledge, these results represent the current optimal linear distinguishers for WARP. Table 1 shows a comprehensive overview of the single-key distinguishers for WARP, and the bold information is the result obtained in this paper.
1.3. Organization. This paper is structured as follows. We present the necessary definitions related to linear cryptanalysis and provide a concise overview of WARP in Section 2. Section 3 outlines the SAT model employed in the search for linear trails in WARP. The identification of linear trails with lower bounds for the number of active Sboxes and optimal correlations is presented in Section 4. Section 5 focuses on the discovery of optimal linear distinguishers for WARP. Finally, a summary of this work can be found in Section 6.

Preliminaries
Let us begin by introducing the notations that will be utilized throughout this paper. Subsequently, a concise overview of the concepts related to linear cryptanalysis will be presented. Moving forward, we provide a detailed description of the WARP specification, which is the primary focus of our study.

Notions.
To maintain consistency and clarity, we employ specific notations to analyze and discuss the linear cryptanalysis of WARP. The meanings of these notations are summarized in Table 2.
Linear cryptanalysis is a well-known method utilized for analyzing block ciphers. Its primary goal is to distinguish a block cipher from a random permutation by discovering a probabilistic linear approximation expression that establishes a correlation between the plaintext and ciphertext. This technique serves as the foundation for key recovery attacks.
For a block cipher, by analyzing the biases and correlations of the linear approximation expressions, cryptanalysts can identify potential distinguishers to exploit the linear trails. In linear cryptanalysis, let $\Gamma_{in}$ denote the mask of the input $X$ and $\Gamma_{out}$ represent the mask of the output $f(X)$. The probability of the linear approximation expression
The bias of this expression quantifies the deviation from a balanced distribution and is defined as the difference between the probability of the expression holding and the ideal probability $1/2$. The linear approximation bias is given by $\varepsilon(\Gamma_{in}, \Gamma_{out}) = p(\Gamma_{in}, \Gamma_{out}) - 1/2$, and it ranges from $-1/2$ to $1/2$. The correlation measures the strength of the linear relationship between the input and output masks. It is calculated as follows: where $\mathrm{Cor}(\Gamma_{in}, \Gamma_{out}) \in [-1, 1]$. Usually, in the distinguishing phase, linear cryptanalysis mainly focuses on linear trails with optimal correlation.
Definition 2. For a block cipher, an $r$-round linear trail $(\Gamma_0, \Gamma_1, \ldots, \Gamma_{r-1})$ is a concatenation of linear approximations $(\Gamma_i, \Gamma_{i+1})$ of a single round $f_i(X, K)$, where $0 \le i \le r-1$.
Definition 3. (The correlation of the linear trail [23]) Given an $r$-round linear trail $(\Gamma_0, \Gamma_1, \ldots, \Gamma_{r-1})$, its correlation is computed by taking the product of the individual correlations along the trail, i.e.:
When constructing a distinguisher, the adversary's primary concern is the probability of the linear hull rather than individual intermediate masks. Consequently, the adversary aims to gather all trails having the same masks $\Gamma_{in}$, $\Gamma_{out}$. By collecting a larger number of trails, the adversary can obtain a more accurate estimation of the probability associated with the specific linear hull.
Definition 4. (Linear hull [24]) A linear hull $(\Gamma_{in}, \Gamma_{out})$ is a construct utilized in linear cryptanalysis that consists of a collection of linear trails. These trails share the same input and output masks $(\Gamma_{in}, \Gamma_{out})$. Essentially, a linear hull represents a specific linear approximation $(\Gamma_{in}, \Gamma_{out})$ for a given block cipher.
Definition 5. The potential of a linear hull $(\Gamma_{in}, \Gamma_{out})$ is measured by the average linear probability (ALP) over the key space $K$. This measure, denoted as $\mathrm{ALP}(\Gamma_{in}, \Gamma_{out})$, is defined as the average of the squared correlations between the input and output masks $\Gamma_{in}$, $\Gamma_{out}$, considering all possible keys $k$ in $K$, i.e.:
2.3. Description of WARP. WARP is a lightweight block cipher with the aim of achieving 128-bit security while keeping the implementation footprint small [12]. It applies the type-II generalized Feistel network (GFN) [25] structure, which is a well-known construction in the field of symmetric-key cryptography. It takes a 128-bit plaintext denoted as $M$ and the 128-bit master key written as $K$ as inputs. Through a series of 41 encryption rounds, WARP transforms the plaintext into a 128-bit ciphertext represented as $C$.
2.3.1. Round Function. For WARP, the internal state in the $r$th round operates on 32 nibbles denoted as $X^r = X^r_0 \| X^r_1 \| \cdots \| X^r_{31}$, where $0 \le r \le 40$, and each $X^r_i \in \{0,1\}^4$ denotes the $i$th nibble. The round key is expressed as 16 nibbles $k^r = k^r_0 \| k^r_1 \| \cdots \| k^r_{15}$, where $k^r_j \in \{0,1\}^4$, $0 \le j \le 15$. The round function of WARP, as shown in Figure 1, employs 4-bit Sbox operations, nibble XOR operations, and shuffle operations applied to the 32 nibbles. These operations are performed as follows.
Sbox: To fulfill the design objectives of WARP, such as a compact circuit, low path delay, and efficient energy utilization, WARP utilizes the 4-bit Sbox from MIDORI [26]. The Sbox is defined by the values shown in Table 3.
Add round key: XOR operation is performed bitwise between the 16 nibbles $S^r_{\frac{i-1}{2}}$ of the Sbox output, the 16 nibbles of the even branches $X^r_i$, and the 16 nibbles of the round key $k^r_j$, where $i \bmod 2 = 1$ and $j = \frac{i-1}{2}$.
Add round constant: The round constants, represented by 2 nibbles $c^r_0 \| c^r_1$, are XOR-ed with the first and third nibbles of the intermediate state.
Shuffle operation: WARP employs a 32-branch permutation that exhibits strong diffusion properties and resistance against major attacks. The input state, composed of 32 nibbles, is represented as $Y^r = Y^r_0 \| Y^r_1 \| \cdots \| Y^r_{31}$. The output state is obtained by applying the permutation $\pi$ such that $X^{r+1}_{\pi(i)} = Y^r_i$, where $0 \le i \le 31$. The specific permutation $\pi$ is shown in Table 4. It is worth mentioning that the permutation operation $\pi$ is not performed in the final round.
The paper does not specifically investigate the influence of adding the round constants on the attack's validity, and it does not delve into the discussion of the key schedule. Banik et al. [12] give a more comprehensive description of WARP and its specific details.

SAT-Based Model to Search Linear Trail for WARP
As far as cryptanalysis is concerned, many problems such as the search for linear trails can be reformulated as systems of equations, and SAT solvers are commonly employed to solve equation-based problems. In this section, the SAT-based automated model introduced in a study by Sun et al. [10] is utilized to assess the resistance of WARP against linear attacks. This systematic approach allows us to efficiently identify the optimal linear trails for WARP.
$C_{ij}$ consists of a disjunction of literals. This form is equivalent to the product-of-sum representation of Boolean functions, where the function is expressed as a conjunction of terms, and each term is a disjunction of literals. Russell and Norvig [27] provide more detailed information on CNF and its relation to Boolean functions. Cook [28] established that SAT is nondeterministic polynomial (NP) complete. This means that finding a satisfying assignment for a given set of Boolean clauses is computationally challenging. However, despite its theoretical complexity, modern SAT solvers have made significant advancements and can effectively handle problems with millions of variables. The solver Cryptominisat5 [29] is an example of a universal and efficient SAT solver. It is specifically designed to handle large-scale SAT instances and offers support for XOR and Gaussian elimination techniques. This solver employs advanced algorithms and heuristics to improve performance and optimize the search for satisfying assignments. With the capabilities of SAT solvers like Cryptominisat5, it is possible to tackle complex cryptanalysis problems by formulating them as SAT instances and utilizing the solver's efficient solving techniques.

IET Information Security

SAT Models for the Linear Approximation of WARP.
When utilizing SAT solvers to search for linear trails, it is necessary to translate this problem into a set of clauses that capture the linear propagation properties within WARP. According to the findings in a study by Sun et al. [4], the linear propagation of the XOR operation is equivalent to the difference propagation for the XOR operation. Next, we will present a concise overview of the SAT models employed for some fundamental operations used in WARP. For a more comprehensive understanding, we recommend referring to [9,10,30] for detailed information.
3.2.1. Three-Fork Branching. Consider the XOR operation, where $\Gamma_0$ represents the input mask and $\Gamma_1$ and $\Gamma_2$ denote the two output masks. The nontrivial propagation is valid if and only if the masks $\Gamma_0$, $\Gamma_1$, and $\Gamma_2$ satisfy all the conditions outlined as follows:
3.2.2. XOR. The propagation of the two input masks $\Gamma_0$ and $\Gamma_1$, along with the output mask $\Gamma_2$, should fulfill all the conditions described as follows:
3.2.3. Sbox. The linear propagation of the Sbox is often characterized using a linear approximation table (LAT). The input mask of the Sbox is denoted as $\Gamma_{in} = \Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3$ and the output mask is written as $\Gamma_{out} = \Gamma_4 \| \Gamma_5 \| \Gamma_6 \| \Gamma_7$. Table 5 shows the LAT of the Sbox, which includes the values $0, \pm 2, \pm 4, 8$. The corresponding absolute correlations of the linear approximation fall within the range $\{0, 2^{-2}, 2^{-1}, 1\}$. Two Boolean variables $c_0$ and $c_1$ are used to encode the correlation of the linear propagation for the Sbox. To describe the correlation for valid linear propagation, $\mathrm{Cor}(\Gamma_{in}, \Gamma_{out})$ and $c_0 \| c_1$ follow the rule below:
Note that $c_0 + c_1$ represents the opposite number of the binary logarithm of $\mathrm{Cor}(\Gamma_{in}, \Gamma_{out})$, i.e., $-\log_2(|\mathrm{Cor}(\Gamma_{in},$
To capture the valid linear propagation with correlation $2^{-(c_0 + c_1)}$, we define a 10-bit Boolean function $g(\Gamma_{in} \| \Gamma_{out} \| c_0 \| c_1)$ as follows:
Following that, the constraint conditions are reduced using Logic Friday (https://web.archive.org/web/20131022021257/http:/www.sontrak.com/), and the results showed that the nontrivial linear mask propagations with correlation for WARP's Sbox can be described by 53 clauses, as shown in Table 6. Similarly, a Boolean variable $w$ is utilized to indicate the activeness of the Sbox. If the input and output masks of the Sbox are nonzero, it is called an active Sbox, and $w = 1$. Conversely, $w = 0$ denotes an inactive Sbox. As a result, 40 clauses, as shown in Table 7, are used to describe the valid linear mask propagations of WARP's Sbox. These clauses capture the conditions under which the linear propagation holds for the Sbox.
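The Sbox model described above, as an added example that is not code from the paper: it computes the LAT, attaches a $(c_0, c_1)$ pair to every nonzero entry, and emits one unminimised clause for each point where the 10-bit function $g$ is 0. The Sbox values are taken from the public WARP/MIDORI specification because Table 3 is not reproduced on this page; the mapping of correlations to $(c_0, c_1)$ pairs (only $c_0 + c_1 = -\log_2|\mathrm{Cor}|$ is stated here), the variable numbering and all function names are assumptions.

```python
from itertools import product

# S-box of WARP (MIDORI Sb0), from the public specification; Table 3 is not on this page.
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

def parity(v):
    return bin(v).count("1") & 1

def lat(sbox):
    """LAT[a][b] = #{x : a.x == b.S(x)} - 8, so Cor(a, b) = LAT[a][b] / 8."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]

# Assumed encoding |LAT| -> (c0, c1), chosen so that c0 + c1 = -log2|Cor|.
WEIGHT_BITS = {8: (0, 0), 4: (0, 1), 2: (1, 1)}

def g(table, a, b, c0, c1):
    """10-bit Boolean function: 1 iff a -> b is valid with correlation 2^-(c0+c1)."""
    return int(WEIGHT_BITS.get(abs(table[a][b])) == (c0, c1))

def bits(v, width=4):
    """Most significant bit first, matching the ordering G0 || G1 || G2 || G3."""
    return [(v >> (width - 1 - i)) & 1 for i in range(width)]

def naive_cnf(table):
    """Product-of-sums form of g with one clause per point where g = 0.
    Variables 1..4 = input mask, 5..8 = output mask, 9 = c0, 10 = c1.
    Literals are DIMACS-style signed integers."""
    clauses = []
    for a, b, c0, c1 in product(range(16), range(16), (0, 1), (0, 1)):
        if g(table, a, b, c0, c1) == 0:
            point = bits(a) + bits(b) + [c0, c1]
            # This clause is false at exactly this point and true everywhere else.
            clauses.append([-(i + 1) if bit else (i + 1)
                            for i, bit in enumerate(point)])
    return clauses

def satisfies(clauses, point):
    """Evaluate a CNF on a full 0/1 assignment given as a list indexed by variable - 1."""
    return all(any((point[abs(l) - 1] == 1) == (l > 0) for l in clause)
               for clause in clauses)

def trail_weight(table, sbox_transitions):
    """Sum of c0 + c1 over (mask_in, mask_out) pairs; None if any pair is invalid."""
    total = 0
    for a, b in sbox_transitions:
        enc = WEIGHT_BITS.get(abs(table[a][b]))
        if enc is None:
            return None
        total += sum(enc)
    return total

LAT = lat(SBOX)
CNF = naive_cnf(LAT)

if __name__ == "__main__":
    print("distinct |LAT| values:", sorted({abs(v) for row in LAT for v in row}))
    print("points with g = 1:", 1024 - len(CNF))
    print("unminimised clauses:", len(CNF))
```

A logic minimiser reduces this one-clause-per-excluded-point form to a much shorter equivalent clause set; the page reports 53 clauses after that step.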

Modeling the Objective Function.
When analyzing primitives that rely on Sboxes as fundamental components, automated searches for linear trails aim to achieve the following two kinds of objectives:
(1) The first kind of objective is to minimize the number of active Sboxes in the trails. To achieve this, auxiliary variables $w^{(i,j)}$ are introduced for each Sbox in each round, where $0 \le i \le r-1$ and $0 \le j \le 31$. The number of active Sboxes is limited to at most $\xi$, where $\xi$ is a positive integer; the objective function is defined as follows:
(2) The second kind of objective is to discover linear trails with optimal correlation. To achieve this, auxiliary variables c

The constraints used to describe the nontrivial mask propagations for the activeness of Sbox.

Indeed, the objective functions mentioned in Equations (8) and (9) can be expressed as cardinality constraints of the form $\sum_{i=0}^{n-1} x_i \le \eta$, where $\eta$ is a nonnegative integer. The sequential encoding method proposed in a study by Sinz [31] can be employed to convert these constraints into Boolean expressions [9,10,30,32]. When $\eta = 0$, the constraint is simply $\overline{x_i} = 1$ for $0 \le i \le n-1$, which is trivial. However, for $\eta > 0$, additional Boolean variables $\mu_{i,j}$ are introduced to construct the following clauses, where $0 \le i \le n-2$ and $0 \le j \le \eta-1$.
$\overline{x_0} \vee \mu_{0,0} = 1, \; \ldots, \; \overline{x_{n-1}} \vee \overline{\mu_{n-2,\eta-1}} = 1.$
Algorithm 1 explains the process of searching for the $r$-round linear trails. The search model mainly consists of two steps: constructing the linear mask propagations of the $r$-round function for WARP and setting the corresponding objective function based on the threshold. The objective function of linear analysis generally takes one of the two forms shown in Equation (8) or Equation (9). The solver is then invoked to solve the search model. If the solver returns a solution, the model is feasible. For example, when searching for the $r$-round linear trails with the optimal correlation $2^{-\tau}$, if the model has no solution when the objective function in Equation (9) is set to $\tau - 1$, and has a solution when it is set to $\tau$, the solver is considered to have found an $r$-round linear trail with the optimal correlation of $2^{-\tau}$.
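The cardinality constraint $\sum x_i \le \eta$ and the threshold search described above, as an added example that is not code from the paper: it writes out the full clause set of Sinz's sequential counter encoding and checks it exhaustively on a small instance. The brute-force `satisfiable` function stands in for a real SAT solver, and the toy base clauses, variable numbering and function names are assumptions.

```python
from itertools import product

def sequential_counter(xs, eta, next_var):
    """Clauses (signed-integer literals) enforcing sum(xs) <= eta.
    xs: variable ids; next_var: first free id for the auxiliary mu variables.
    Returns (clauses, number_of_auxiliary_variables)."""
    n = len(xs)
    if eta >= n:
        return [], 0                       # the bound cannot be violated
    if eta == 0:
        return [[-x] for x in xs], 0       # every x_i is forced to 0
    # mu(i, j) is true when at least j + 1 of x_0..x_i are true.
    mu = lambda i, j: next_var + i * eta + j
    cl = [[-xs[0], mu(0, 0)]]
    cl += [[-mu(0, j)] for j in range(1, eta)]
    for i in range(1, n - 1):
        cl.append([-xs[i], mu(i, 0)])
        cl.append([-mu(i - 1, 0), mu(i, 0)])
        for j in range(1, eta):
            cl.append([-xs[i], -mu(i - 1, j - 1), mu(i, j)])
            cl.append([-mu(i - 1, j), mu(i, j)])
        cl.append([-xs[i], -mu(i - 1, eta - 1)])   # counter overflow is forbidden
    cl.append([-xs[n - 1], -mu(n - 2, eta - 1)])
    return cl, (n - 1) * eta

def holds(clauses, point):
    return all(any(point[abs(l) - 1] == (l > 0) for l in c) for c in clauses)

def satisfiable(clauses, num_vars, fixed=()):
    """Exhaustive stand-in for a SAT solver; `fixed` pins the first variables."""
    free = num_vars - len(fixed)
    return any(holds(clauses, tuple(fixed) + rest)
               for rest in product((False, True), repeat=free))

def encoding_is_exact(n, eta):
    """True iff the clauses admit an assignment x exactly when sum(x) <= eta."""
    xs = list(range(1, n + 1))
    clauses, aux = sequential_counter(xs, eta, next_var=n + 1)
    return all(satisfiable(clauses, n + aux, fixed=x) == (sum(x) <= eta)
               for x in product((False, True), repeat=n))

def smallest_bound(base_clauses, xs):
    """Threshold search: the first eta that is satisfiable is optimal,
    because every smaller eta was unsatisfiable."""
    for eta in range(len(xs) + 1):
        card, aux = sequential_counter(xs, eta, next_var=len(xs) + 1)
        if satisfiable(base_clauses + card, len(xs) + aux):
            return eta
    return None

# Constructed toy model: five indicator variables, each clause demands that
# at least one of two neighbouring indicators is active.
TOY_MODEL = [[1, 2], [2, 3], [3, 4], [4, 5]]

if __name__ == "__main__":
    print("clauses for n=5, eta=2:", len(sequential_counter([1, 2, 3, 4, 5], 2, 6)[0]))
    print("encoding exact:", encoding_is_exact(5, 2))
    print("minimum number of active indicators:", smallest_bound(TOY_MODEL, [1, 2, 3, 4, 5]))
```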

Modeling the Conditions for Branch-and-Bound Method with Sequential Encoding Method.
The branch-and-bound method is a popular approach that finds applications in solving integer programming problems. It is an effective method for systematically exploring the solution space and identifying the optimal solutions. In the context of cryptanalysis, the branch-and-bound method has been successfully utilized to search for optimal solutions, such as differential trails with optimal probabilities [33]. The core concept behind the branch-and-bound method is to break down the solution space into smaller subsets by employing branching techniques.

5: If i mod 2 = 0:
6: If flag = 0:
7: Add the constraints in Table 6 to describe the mask propagations of Sbox with correlations.
8: If flag = 1:
9: Add the constraints in Table 7 to describe the mask propagations of the activeness of Sbox.
10: Add the constraints in Equation (5) to describe the mask propagations of XOR operation and π operation.
Add the constraints to describe the objective function.
18: Invoke the solver to solve the model.
19: If solver finds a solution then
20: Return the r-round linear trail.
ALGORITHM 1: The SAT model for searching the linear trails with optimal correlation/lower bound for the number of active Sboxes of WARP

By iteratively branching and calculating bounds, the algorithm progressively narrows down the search space until an optimal solution is found.
In the context of cryptanalysis, let's consider a scenario where we have an initial correlation estimate $\mathrm{Cor}_{ini}(R)$ for $R$-round trails. The information about the optimal correlation $\mathrm{Cor}_{opt}(i)$ of the $i$-round linear trails is known, where $1 \le i \le R-1$. Assuming that the linear trails $(\Gamma_0, \Gamma_1, \ldots, \Gamma_r)$ of the first $r$ rounds have been obtained, the correlation of each round is expressed as $\mathrm{Cor}(\Gamma_i, \Gamma_{i+1})$, where $1 \le r \le R$ and $0 \le i \le r$. The question is whether this partial trail has the potential to extend and become a better $R$-round trail. We can determine this by checking this equation as follows: This condition serves as a criterion for pruning. If a partial trail does not meet this condition, it is unnecessary to explore it further as it cannot lead to a better solution. By pruning such partial trails, the search space is pruned, reducing the computational effort required. The branch-and-bound method, combined with the pruning condition, allows for an efficient search for optimal linear trails in cryptanalysis.
The following equations are utilized to describe the bounding conditions in the branch-and-bound method: where $n$ is the total number of Boolean variables represented as $x_\gamma$. Referring to the method described in a study by Sun et al. [10], Equation (12) can be encoded into three cases according to the values of $e_1$ and $e_2$. These cases are as follows: The number of clauses in the three cases is as follows: $e_2$ clauses for the first case, $\eta - m$ clauses for the second case, and $2(\eta - m) + 1$ clauses for the third case. By encoding the conditions in these cases into clauses, the branch-and-bound method can be applied effectively in cryptanalysis to explore and prune partial trails.

Linear Trails of WARP
In this section, with a primary focus on identifying optimal linear trails, the findings from applying the SAT model to WARP are presented. The goal is to uncover trails that either have the minimum number of active Sboxes or optimal correlations.

Linear Trail with Minimum Number of Active Sboxes.
Through the utilization of the SAT model, we have made significant progress in identifying the optimal linear trail in WARP that requires the minimum number of active Sboxes. It is worth noting that the designers of WARP initially provided the minimum number of active Sboxes for linear trails up to 19 rounds [12]. However, this approach has enabled us to extend this analysis and determine the minimum number of active Sboxes for linear trails up to 22 rounds.
Table 8 shows the comprehensive summary of the minimum number of active Sboxes for the linear trails of round-reduced WARP. These findings confirm the results presented in the referenced work. Specifically, the results marked with bold information indicate that the minimum number of active Sboxes of the 20-round, 21-round, and 22-round linear trails are 70, 75, and 79, respectively. Additionally, the 18-round linear trail with 61 active Sboxes is shown in Table 9. This further contributes to the understanding of the cryptographic analysis of WARP.

Linear Trail with Optimal Correlation for WARP.
To derive the constraints for the linear approximation of WARP, we begin by setting the objective function to describe the optimal correlation for the $r$-round linear trails. Through analysis, the optimal correlations of the linear trails up to the first 21 rounds are successfully determined. The results show that the optimal correlation of linear trails can reach the upper bound of the active Sbox estimation. More specifically, for an $r$-round linear trail, if the lower bound of the active Sbox is $m$, the trails with correlation $2^{-m}$ can be discovered, where $0 \le r \le 20$ and $0 \le m \le 75$.
Generally, there is a focus on finding linear trails with input and output masks characterized by lower Hamming weight. This preference stems from their potential advantages in terms of key recovery, such as involving fewer keys or extending to more rounds. However, it has been observed that linear trails, without additional constraints, may exhibit high Hamming weights according to research findings [9,20]. To address this, the cardinality constraints introduced are used to limit their Hamming weights and obtain trails with the lowest Hamming weight. Because WARP is nibble based, the main focus here is on nibble-oriented activity. The process resembles the search for optimal trails and involves a series of steps as follows:
(1) Within the framework of the model for discovering trails with optimal correlation, we incorporate additional constraints that describe the activeness of the input and output masks for trails. The activeness of a nibble is represented by constraints with Boolean variables. For a nibble mask written as $\Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3$, introduce a Boolean variable $a$ to indicate its activeness. When the nibble mask is nonzero, i.e., $\Gamma_0 \| \Gamma_1 \| \Gamma_2 \| \Gamma_3 \ne 0$, the nibble is called an active nibble, represented by $a = 1$; in other cases, it is called an inactive nibble, denoted as $a = 0$. The constraints can be formulated as follows:
(2) Add an objective function to limit the active nibbles for the input and output masks of trails.
(3) Start by setting an initial number of the input and output mask nibbles of the obtained optimal trails.
(4) Query whether there is a solution that satisfies this target value.
(5) Reduce the number of the input and output mask nibbles for linear trails, iterating the process until no solution is obtained.
By employing this approach, the linear trails with the optimal correlation and the fewest active input and output mask nibbles can be identified.
The minimum active input and output masks of linear trails with optimal correlation are denoted as $N^r_c$, and that of differential trails are denoted as $N^r_d$. The analysis of the results reveals an observation: $N^r_c = N^r_d$. This equivalence holds for the first 20 rounds of both differential and linear trails, i.e., $N^r_c = N^r_d$ for $1 \le r \le 20$. Detailed results are shown in Table 3 in a study by Shi et al. [20]. For instance, the optimal correlations of the 18-, 19-, and 20-round linear trails are $2^{-61}$, $2^{-66}$, and $2^{-70}$, respectively. The specific details of these trails are shown in Tables 10-12, respectively.

Improved Linear Distinguishers of WARP
Modern block ciphers are specifically designed to provide resistance against linear cryptanalysis, and their security is often supported by provable limitations on the correlation of linear trails. While many automated tools focus on searching for linear trails, the exploration of linear hulls is equally important. This is due to the intentional design of modern block ciphers to mitigate the presence of dominant trails, thereby enhancing their resistance against linear cryptanalysis. However, by employing advanced automated tools capable of searching for linear hulls, we can analyze multiple trails within a single linear hull. By identifying the trails that contribute to a hull, the optimal linear hulls for WARP are successfully discovered.

The estimation of probability for linear hulls $(\Gamma_{in}, \Gamma_{out})$ often relies on the dominant linear trails. However, the research findings in a study by Teh and Biryukov [18] and Shi et al. [20] indicate a notable distinction between the probabilities of differential trails and differentials in WARP. This phenomenon arises due to the multiple trails being present in a differential and, similarly, the linear hull may also contain multiple linear trails. Consequently, further investigation into the linear analysis of WARP is required to enhance the estimation of the linear hull's probability $\mathrm{ALP}(\Gamma_{in}, \Gamma_{out})$. The approach involves enumeration of the linear trails to improve the accuracy of the probability estimation.

The results show that there are at least 64,242 trails within the linear hull with a fixed correlation $2^{-72}$. These findings provide insights into the clustering effect and distribution of trails within linear hulls for different rounds of WARP.

Conclusion
This paper presents a comprehensive investigation into the linear cryptanalysis of WARP. The analysis covers a thorough examination of the cipher's behavior for the first 19 rounds, along with a validation of the lower bound on the number of active Sboxes as stated in the design documentation. Notably, the complexity of finding linear trails escalates as the number of rounds increases, especially considering its 128-bit block size. We leverage the power of the SAT model to efficiently identify optimal linear trails. It was discovered that the correlation of the 18-round linear trails was $2^{-61}$. Additionally, recognizing that a linear hull can consist of multiple trails, the researchers found that the probability of the 20-round linear hull improved from $2^{-140}$ to $2^{-127.27}$. This is the current optimal linear distinguisher for WARP. These findings contribute to the understanding of the vulnerabilities and resistance of WARP against linear cryptanalysis. The next step of the research will further explore the cryptographic properties of WARP or use other attack methods, such as differential attacks and meet-in-the-middle attacks, to improve the attack results on WARP and provide a more comprehensive security evaluation for WARP.
The asterisk "*" indicates not all linear trails with fixed correlation within the linear hull have been found.

3.1. Boolean Satisfiability Problem. The algebraic normal form (ANF) is a commonly employed representation in cryptography for describing symmetric ciphers. By converting ANF equations with Boolean variables into the conjunctive normal form (CNF), SAT solvers can be effectively employed since CNF serves as their standard input format. This transformation enables the utilization of SAT solvers to analyze and solve cryptographic problems based on equations. In CNF, the Boolean function is represented as a conjunction of clauses ⋀
1 are introduced for each Sbox in each round, where $0 \le i \le r-1$ and $0 \le j \le 31$. The objective is to find linear trails with correlation no more than $2^{-\tau}$, i.e., $2^{-\tau} \le 2^{-(c^{(i,j)}_0 + c^{(i,j)}_1)}$, where $\tau$ is a positive integer. The objective function indicates the opposite number of the binary logarithm of the correlation, that is:

(1) Step 1: Incorporate the SAT-based model used for searching linear trails.
(2) Step 2: Introduce constraints that fix the input and output masks $\Gamma_{in}$ and $\Gamma_{out}$.
(3) Step 3: Execute the Cryptominisat5 solver to find a solution representing trail $t$ belonging to the linear hull $(\Gamma_{in}, \Gamma_{out})$.
(4) Step 4: Add a new clause describing the obtained solution to the current CNF model to exclude the trail $t$.
(5) Step 5: Reiterate the process by asking the solver to find a new solution. Repeat steps 3 and 4 until the solver returns unsatisfiable, indicating that all possible solutions within the linear hull have been enumerated.
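The five-step enumeration above, as an added example that is not code from the paper: a toy model of one nibble passing through two Sbox layers (not WARP's round function) is enumerated with blocking clauses, and the squared trail correlations are summed to estimate the hull's ALP. A minimal DPLL routine stands in for Cryptominisat5; the Sbox values come from the public WARP/MIDORI specification, and the variable numbering and function names are assumptions.

```python
import math

SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

def parity(v):
    return bin(v).count("1") & 1

# LAT[a][b] = #{x : a.x == b.S(x)} - 8, so Cor(a, b) = LAT[a][b] / 8.
LAT = [[sum(parity(a & x) == parity(b & SBOX[x]) for x in range(16)) - 8
        for b in range(16)] for a in range(16)]

def not_equal(first_var, value):
    """Literals whose disjunction is false only when the 4 variables spell `value`."""
    return [-(first_var + i) if (value >> i) & 1 else first_var + i for i in range(4)]

def sbox_clauses(var_in, var_out):
    """Forbid every mask pair (a, b) with zero correlation (unminimised CNF)."""
    return [not_equal(var_in, a) + not_equal(var_out, b)
            for a in range(16) for b in range(16) if LAT[a][b] == 0]

def fix_mask(first_var, value):
    return [[-lit] for lit in not_equal(first_var, value)]

def solve(clauses, assignment=None):
    """Minimal DPLL; returns a (possibly partial) satisfying {var: bool} or None."""
    assignment = dict(assignment or {})
    simplified = []
    for clause in clauses:
        if any(assignment.get(abs(l)) == (l > 0) for l in clause):
            continue                       # clause already satisfied
        rest = [l for l in clause if abs(l) not in assignment]
        if not rest:
            return None                    # every literal is false: conflict
        simplified.append(rest)
    if not simplified:
        return assignment
    lit = min(simplified, key=len)[0]      # shortest clause first: unit propagation
    for value in (lit > 0, lit < 0):
        result = solve(simplified, {**assignment, abs(lit): value})
        if result is not None:
            return result
    return None

def enumerate_hull(mask_in, mask_out):
    """Variables 1..4 = input mask, 5..8 = middle mask, 9..12 = output mask."""
    cnf = sbox_clauses(1, 5) + sbox_clauses(5, 9)            # Step 1
    cnf += fix_mask(1, mask_in) + fix_mask(9, mask_out)      # Step 2
    trails = []
    while True:
        model = solve(cnf)                                   # Step 3
        if model is None:                                    # Step 5: unsatisfiable
            return trails
        mid = sum(1 << i for i in range(4) if model.get(5 + i, False))
        trails.append(mid)
        cnf.append(not_equal(5, mid))                        # Step 4: exclude trail

def trail_squared_cor(mask_in, mid, mask_out):
    return (LAT[mask_in][mid] * LAT[mid][mask_out] / 64) ** 2

def hull_alp(mask_in, trails, mask_out):
    """ALP estimate: sum of squared trail correlations over the enumerated trails."""
    return sum(trail_squared_cor(mask_in, m, mask_out) for m in trails)

if __name__ == "__main__":
    trails = enumerate_hull(1, 1)
    best = max(trail_squared_cor(1, m, 1) for m in trails)
    print("trails in hull (1, 1):", len(trails))
    print("best single trail: 2^%.2f" % math.log2(best))
    print("hull estimate:     2^%.2f" % math.log2(hull_alp(1, trails, 1)))
```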

TABLE 1: Summary of distinguishers in the single key scenarios for WARP.
Bold values refer to the new results obtained in this article, and explanations have been added in the paper.

Definition 1. Let $E_K(X)$ denote an iterative block cipher, where $X$ represents the input and $K$ denotes the master key. The round function of the block cipher is recorded as $f(X, K)$. For a given pair of linear masks $(\Gamma_{in}, \Gamma_{out})$, we can express the linear approximation expression of $f(X, K)$ as $\Gamma_{in} \cdot X \oplus \Gamma_{out} \cdot f(X, K)$. Similarly, for the block cipher $E_K(X)$, the linear approximation expression is given by

TABLE 6: The constraints used to describe the nontrivial mask propagations with correlation for Sbox.

TABLE 8: The minimum number of active linear Sboxes.

TABLE 9: The 18-round linear trail with 61 active Sboxes for WARP.

TABLE 13: The probability of the linear distinguishers with clustering effect for WARP.