Another View of the Division Property

Boura, Christina; Canteaut, Anne

doi:10.1007/978-3-662-53018-4_24

“…Definition 1 (Division property [12,4]). A set X ⊆ F n 2 has the division property D n k for some 1 ≤ k ≤ n, if the sum over all vectors x in X of the product x u equals 0, for all vectors u that have a hamming weight less than k, i.e.…”

Section: Division Property and Division Trailmentioning

confidence: 99%

“…"=⇒" By [4,Proposition 7], if (x, y) is one of the division trails of an order n linear transformation, then the monomial ∏ i∈Ix x i appears in the expansion of ∏ j∈Iy y j = (a j1,1 x 1 + · · · + a j1,n x n ) · · · (a j wt(x) ,1 x 1 + · · · + a j wt(x) ,n x n ).…”

Section: A Compact Theoretical Descriptionmentioning

confidence: 99%

Division cryptanalysis of block ciphers with a binary diffusion layer

Zhang

¹

,

Rijmen

²

2019

IET Information Security

View full text Add to dashboard Cite

In this paper, we propose an accurate security evaluation methodology for block ciphers with a binary diffusion layers against division cryptanalysis. We illustrate the division property by the independence of variables, and exploit a one-toone mapping between division trails and invertible sub-matrices. We give a new way to model the propagation of division property of linear diffusion layers by the smallest amount of inequalities which are generated from linear combinations of row vectors of the diffusion matrix. The solutions of these inequalities are exactly the division trails of linear transformation. Hence the description is compact and optimal. As applications of our methodology, we first present a 10-round integral distinguisher for Skinny, proposed at CRYPTO 2016 which is of one round more than that found by using the previous method. For Midori, proposed at ASIACRYPT 2015, the designers have obtained a 3.5-round integral characteristic. Surprisingly, we find 7-round integral distinguishers both for Midori64 and Midori128. Most importantly, we obtain the longest integral distinguishers for block ciphers with a binary diffusion layer. It seems that any more improvement of this kind of integral distinguishers using the division property is impossible. Therefore, the technique can be used to prove security against division cryptanalysis, and we can hopefully expect it to become a useful technique for designers.Keywords: Binary diffusion layer · Skinny block cipher · Midori block cipher · MILP · Division property · Integral attack IntroductionRecently, in order to optimize the energy consumed by the circuit per bit in the encryption or decryption process, block cipher designers started using binary matrices on finite fields as the diffusion layer. The most typical examples are Midori[1], proposed at ASIACRYPT 2015 and Skinny [2], proposed at CRYPTO 2016. With their reputation of reaching the requirements of low latency in an unrolled implementation as well as fast diffusion[2], it is of great importance to evaluate the resistance of ciphers using binary matrixes to known cryptanalysis and to give a proof of their security.The division property [12] is a generalized integral property initially proposed by Todo at EUROCRYPT 2015. At FSE 2016, Todo and Morri proposed the bit-based division property and applied it to find a 14-round integral distinguisher for SIMON32 [13]. At CRYPTO 2016, Christina Boura and Anne Canteaut came up with a new approach[4] by introducing the notion of parity sets, permitting people to formulate and characterize the division property of any order in a simple way, specially for the construction of the division trails of S-boxes. At ASIACRYPT 2016, Xiang et al. proposed a method

show abstract

“…More recently, Todo [34,35] generalized the integral cryptanalysis approach by taking the integral sum on the low-order polynomial subsets of all the elements in the output multisets, such that due to the higher-order dierential type property linked to the algebraic normal form (ANF) representation of the cipher component, a zero sum is obtained; so-called the division property. The approach was then formalised by Boura and Canteaut [46] in relation to Reed-Muller codes, based on parity computation across dierent multiple bits of each multiset element, which is related to the ANF representation of functions and the algebraic degree. In contrast, our proposed approach considers each bitslice channel independently and the focus is on the internal ordering of such bitslice elements rather than on their integral sum.…”

Section: Introductionmentioning

confidence: 99%

Tuple Cryptanalysis: Slicing and Fusing Multisets

Minier

¹

,

Phan

²

2017

Lecture Notes in Computer Science

0

View full text Add to dashboard Cite

In this paper, we revisit the notions of Square, saturation, integrals, multisets, bit patterns and tuples, and propose a new Slice & Fuse paradigm to better exploit multiset type properties of block ciphers, as well as relations between multisets and constituent bitslice tuples. With this rened analysis, we are able to improve the best bounds proposed in such contexts against the following block ciphers: Threesh, Prince, Present and Rectangle.

show abstract

“…More recently, Todo [34,35] generalized the integral cryptanalysis approach by taking the integral sum on the low-order polynomial subsets of all the elements in the output multisets, such that due to the higher-order dierential type property linked to the algebraic normal form (ANF) representation of the cipher component, a zero sum is obtained; so-called the division property. The approach was then formalised by Boura and Canteaut [46] in relation to Reed-Muller codes, based on parity computation across dierent multiple bits of each multiset element, which is related to the ANF representation of functions and the algebraic degree. In contrast, our proposed approach considers each bitslice channel independently and the focus is on the internal ordering of such bitslice elements rather than on their integral sum.…”

Section: Introductionmentioning

confidence: 99%

Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology

2017

Lecture Notes in Computer Science

0

View full text Add to dashboard Cite

In this paper, we revisit the notions of Square, saturation, integrals, multisets, bit patterns and tuples, and propose a new Slice & Fuse paradigm to better exploit multiset type properties of block ciphers, as well as relations between multisets and constituent bitslice tuples. With this rened analysis, we are able to improve the best bounds proposed in such contexts against the following block ciphers: Threesh, Prince, Present and Rectangle.

show abstract

Another View of the Division Property

Cited by 43 publications

References 21 publications

Division cryptanalysis of block ciphers with a binary diffusion layer

Division cryptanalysis of block ciphers with a binary diffusion layer

Tuple Cryptanalysis: Slicing and Fusing Multisets

Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology

Contact Info

Product

Resources

About