- Author: Laura Winnen
- Download: http://www.ecrypt.eu.org/tools/uploads/sage_sbox_milp.zip

This toolkit can be used to prove the security of cryptographic ciphers against linear and differential cryptanalysis. The toolkit generates a Mixed-Integer Linear Programming problem which counts the minimum number of (linearly or differentially) active S-boxes for a given cipher and solves this using a MILP solver in Sage.

The toolkit includes the implementation in Sage for AES, small AES, Present, Led, mCrypton, Klein and Enocoro.

]]>- Authors: Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche
- Download: http://keccak.noekeon.org/KeccakTools-3.3.zip
- Documentation: http://keccak.noekeon.org/KeccakTools-doc/

KeccakTools is a set of C++ classes aimed at helping analyze the sponge function family Keccak. Version 3.3 is a major update, as it adds important classes and methods related to differential and linear cryptanalysis. These classes and methods were used to obtain the results reported in the paper *Differential propagation anaylsis of Keccak* presented at FSE 2012 (also available as ePrint 2012/163).

- Author: Nicky Mouha
- Download: http://www.ecrypt.eu.org/tools/uploads/sbox-milp.zip
- Documentation: http://www.cosic.esat.kuleuven.be/publications/article-2080.pdf

This toolkit can be used to prove the security of cryptographic ciphers against linear and differential cryptanalysis. The toolkit generates a Mixed-Integer Linear Programming (MILP) problem which counts the minimum number of (linearly or differentially) active S-boxes for a given cipher. Currently, AES and xAES are implemented (both in the single-key and related-key setting), as well as Enocoro-128v2 (in the related-key setting). The technique is very general, and can be adapted to other ciphers with little effort.

]]>- Author: Marc Stevens
- Website: http://code.google.com/p/hashclash/

This framework contains tools for the constructions of differential paths for MD5 and SHA-1, including chosen-prefix collisions for MD5.

]]>- Author: Gaëtan Leurent
- Website: http://www.di.ens.fr/~leurent/arxtools.html

The ARX toolkit was presented at the SHA-3 conference in March 2012 in Washington, DC.

]]>- Authors: ISD dev team
- Website: https://github.com/isd-dev/isd/downloads

This library, written in C++, is reasonably efficient at finding low weight codewords of a linear code using information set decoding.

]]>- Authors: Nicky Mouha, Vesselin Velichkov, Christophe De CanniÃ¨re, Bart Preneel
- Download: http://www.ecrypt.eu.org/tools/uploads/s-function_toolkit_v2.zip
- Documentation: http://www.cosic.esat.kuleuven.be/publications/article-1473.pdf

**Note: v2 fixes a bug in the probability calculation. This bug does not affect the matrices that are output by the program.**

An increasing number of cryptographic primitives use operations such as addition modulo 2^{n}, multiplication by a constant and bitwise Boolean functions as a source of non-linearity. In NIST’s SHA-3 competition, this applies to 6 out of the 14 second-round candidates. We generalize such constructions by introducing the concept of S-functions. An S-function is a function that calculates the i-th output bit using only the inputs of the i-th bit position and a finite state S[i]. Although S-functions have been analyzed before, our toolkit is the first to present a fully general and efficient framework to determine their differential properties. A precursor of this framework was used in the cryptanalysis of SHA-1. We show how to calculate the probability that given input differences lead to given output differences, as well as how to count the number of output differences with non-zero probability. Our methods are rooted in graph theory, and the calculations can be efficiently performed using matrix multiplications. The toolkit also provides a general algorithm to efficiently list the output differences with the highest probability, for a given type of difference and operation.

- Authors: Paweł Morawiecki, Marian Srebrny, and Mateusz Srebrny
- Website: http://www.pawelmorawiecki.pl/cryptlogver

CryptLogVer is a toolkit that can be used to mount SAT-based attacks on cryptographic primitives (block ciphers, stream ciphers, hash functions). The main advantage of CryptLogVer is that it greatly simplifies the creation of CNF out of a given crypto primitive. CNF formulas coding crypto primitives are usually very challenging for a SAT solver. Therefore CryptLogVer could be also helpful for SAT community in providing hard CNF instances.

]]>- Author: Bingsheng Zhang
- Download: http://www.ecrypt.eu.org/tools/uploads/present-linear-hull.zip
- Documentation: http://dx.doi.org/10.1007/978-3-642-10433-6_5

This tool computes linear hulls for the original PRESENT cipher. It confirms and even improves on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

]]>- Author: Paul Stankovski
- Website: http://www.eit.lth.se/index.php?id=260&uhpuid=dhs.pas&hpuid=584&L=1

A simple tool for the automatic algebraic cryptanalysis of a large array of stream- and block ciphers. Three tests have been implemented and the best results have led to continued work on a computational cluster. Our best results show nonrandomness in Trivium up to 1070 rounds (out of 1152), and in the full Grain-128 with 256 rounds.

]]>