In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model on conditional differential cryptanalysis of the nonlinear feedback shift register- (NLFSR-) based block ciphers is proposed, and an approach to detecting the bit with a strongly biased difference is provided. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than the previous. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher, we recover 11 equivalent key bits of 98-round KATAN32 and 13 equivalent key bits of 99-round KATAN32. The time complexity is less than encryptions of 98-round KATAN32 and less than encryptions of 99-round KATAN32, respectively. Thus far, our results are the best known practical key-recovery attacks for the round-reduced variants of KATAN32 regarding the number of rounds and the time complexity. All the results are verified experimentally.

中文翻译：

---

基于MILP的基于NLFSR的分组密码KATAN32的改进条件差分分析

本文提出了一种基于非线性反馈移位寄存器（NLFSR）的分组密码的条件差分密码分析的混合整数线性规划（MILP）模型的新方法，并提出了一种对强偏置比特进行检测的方法。提供了区别。该模型已成功应用于单密钥方案中的分组密码KATAN32，导致实际的密钥恢复攻击比以前的攻击涵盖了更多的回合。特别是，我们提出了254轮KATAN32中79和81的两个区分器。基于第81轮区分符，我们恢复了98轮KATAN32的11个等效密钥位和99轮KATAN32的13个等效密钥位。时间复杂度小于98轮KATAN32的加密，并且小于分别对99轮KATAN32进行加密。到目前为止，我们的结果是就回合数量和时间复杂度而言，对于经过回合缩减的KATAN32变体而言，是最为人熟知的实用密钥恢复攻击。所有结果均通过实验验证。