This website contains a collection of tools related to cryptography. See the overview page for a list of all tools. The about page contains more information on this initiative, and instructions for submitting your own tool. Recently added tools are listed below.

**Extension of the Toolkit for Counting Active S-boxes using Mixed-Integer Linear Programming (MILP)**

This toolkit can be used to prove the security of cryptographic ciphers against linear and differential cryptanalysis. The toolkit generates a Mixed-Integer Linear Programming problem which counts the minimum number of (linearly or differentially) active S-boxes for a given cipher and solves this using a MILP solver in Sage.

The toolkit includes the implementation in Sage for AES, small AES, Present, Led, mCrypton, Klein and Enocoro.

**A set of documented C++ classes to help analyze Keccak-f**

KeccakTools is a set of C++ classes aimed at helping analyze the sponge function family Keccak. Version 3.3 is a major update, as it adds important classes and methods related to differential and linear cryptanalysis. These classes and methods were used to obtain the results reported in the paper *Differential propagation anaylsis of Keccak* presented at FSE 2012 (also available as ePrint 2012/163).

**Toolkit for Counting Active S-boxes using Mixed-Integer Linear Programming (MILP)**

This toolkit can be used to prove the security of cryptographic ciphers against linear and differential cryptanalysis. The toolkit generates a Mixed-Integer Linear Programming (MILP) problem which counts the minimum number of (linearly or differentially) active S-boxes for a given cipher. Currently, AES and xAES are implemented (both in the single-key and related-key setting), as well as Enocoro-128v2 (in the related-key setting). The technique is very general, and can be adapted to other ciphers with little effort.

**Framework for MD5 & SHA-1 Differential Path Construction and Chosen-Prefix Collisions for MD5**

This framework contains tools for the constructions of differential paths for MD5 and SHA-1, including chosen-prefix collisions for MD5.

**The ARX toolkit is a set of tools to study ARX ciphers and hash functions**

The ARX toolkit was presented at the SHA-3 conference in March 2012 in Washington, DC.

**A tool for information set decoding**

This library, written in C++, is reasonably efficient at finding low weight codewords of a linear code using information set decoding.

**Toolkit for the differential cryptanalysis of S-functions**

**Note: v2 fixes a bug in the probability calculation. This bug does not affect the matrices that are output by the program.**

An increasing number of cryptographic primitives use operations such as addition modulo 2^{n}, multiplication by a constant and bitwise Boolean functions as a source of non-linearity. In NIST’s SHA-3 competition, this applies to 6 out of the 14 second-round candidates. We generalize such constructions by introducing the concept of S-functions. An S-function is a function that calculates the i-th output bit using only the inputs of the i-th bit position and a finite state S[i]. Although S-functions have been analyzed before, our toolkit is the first to present a fully general and efficient framework to determine their differential properties. A precursor of this framework was used in the cryptanalysis of SHA-1. We show how to calculate the probability that given input differences lead to given output differences, as well as how to count the number of output differences with non-zero probability. Our methods are rooted in graph theory, and the calculations can be efficiently performed using matrix multiplications. The toolkit also provides a general algorithm to efficiently list the output differences with the highest probability, for a given type of difference and operation.

**Toolkit for SAT-based attacks on cryptographic primitives**

CryptLogVer is a toolkit that can be used to mount SAT-based attacks on cryptographic primitives (block ciphers, stream ciphers, hash functions). The main advantage of CryptLogVer is that it greatly simplifies the creation of CNF out of a given crypto primitive. CNF formulas coding crypto primitives are usually very challenging for a SAT solver. Therefore CryptLogVer could be also helpful for SAT community in providing hard CNF instances.

**A tool to compute linear hulls for PRESENT**

This tool computes linear hulls for the original PRESENT cipher. It confirms and even improves on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

**A simple tool for the automatic algebraic cryptanalysis of a large array of stream- and block ciphers**

A simple tool for the automatic algebraic cryptanalysis of a large array of stream- and block ciphers. Three tests have been implemented and the best results have led to continued work on a computational cluster. Our best results show nonrandomness in Trivium up to 1070 rounds (out of 1152), and in the full Grain-128 with 256 rounds.