Definition of $diffBytes_l$ and $Sboxes_l$ when $l \in \{192, 256\}$

AES-192

Definition of constraints related to KS for Step 1 when $l \in \{192, 256\}$

Constraints ($C_7$) and ($C_8$) of Fig. 2 correspond to the key schedule for AES-128. For AES-192 and AES-256

AES-192