In this paper, we propose an accurate security evaluation methodology for block ciphers with a binary diffusion layer against division cryptanalysis. We illustrate the division property by the independence of variables, and exploit a one-to-one mapping between division trails and invertible sub-matrices. We give a new way to model the propagation of the division property through linear diffusion layers by the smallest number of inequalities, which are generated from linear combinations of row vectors of the diffusion matrix. The solutions of these inequalities are exactly the division trails of the linear transformation; hence the description is compact and optimal. As applications of our methodology, we first present a 10-round integral distinguisher for Skinny (proposed at CRYPTO 2016), which is one round longer than the one found with the previous method. For Midori (proposed at ASIACRYPT 2015), the designers obtained a 3.5-round integral characteristic. Surprisingly, we find 7-round integral distinguishers for both Midori64 and Midori128. Most importantly, we obtain the longest integral distinguishers for block ciphers with a binary diffusion layer. It seems that any further improvement of this kind of integral distinguisher using the division property is impossible. Therefore, the technique can be used to prove security against division cryptanalysis, and we hope it becomes a useful tool for designers.

Keywords: Binary diffusion layer · Skinny block cipher · Midori block cipher · MILP · Division property · Integral attack
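The one-to-one mapping between division trails and invertible sub-matrices, as an added Python example (not code from the paper): a trail u → v through a binary matrix M exists exactly when the sub-matrix with rows supp(v) and columns supp(u) is invertible over GF(2), and the example cross-checks this against a direct expansion of the output monomial y^v. It assumes the 4×4 zero-diagonal binary matrix of Midori's MixColumn, applied per bit-slice.

```python
from itertools import product  # noqa: F401  (only bit-twiddling is used below)

# Constructed input: the 4x4 binary matrix of Midori's MixColumn (one bit-slice).
M_MIDORI = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0]]


def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks (Gaussian elimination)."""
    rows, rank = list(rows), 0
    for bit in range(max((r.bit_length() for r in rows), default=0)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def is_division_trail(M, u, v):
    """u -> v (u: input bits, v: output bits, both bitmasks) is a division trail
    iff the sub-matrix M[rows = supp(v), cols = supp(u)] is invertible over GF(2).
    Unequal weights are never trails: each active input bit must reach one output bit."""
    if bin(u).count("1") != bin(v).count("1"):
        return False
    cols = [j for j in range(len(M)) if u >> j & 1]
    sub = [sum(M[i][j] << k for k, j in enumerate(cols))
           for i in range(len(M)) if v >> i & 1]
    return gf2_rank(sub) == len(cols)


def division_trails(M, u):
    """All v reachable from input division vector u (bitmask)."""
    return {v for v in range(1 << len(M)) if is_division_trail(M, u, v)}


def trails_by_expansion(M, u):
    """Cross-check: expand y^v = prod_{i in supp(v)} (xor_j M[i][j] x_j) as an ANF
    over GF(2) and keep the v whose ANF contains the monomial x^u of weight hw(v)."""
    n, out = len(M), set()
    for v in range(1 << n):
        poly = {0: 1}                       # monomial bitmask -> coefficient (mod 2)
        for i in (i for i in range(n) if v >> i & 1):
            new = {}
            for mono in poly:
                for j in (j for j in range(n) if M[i][j]):
                    new[mono | 1 << j] = new.get(mono | 1 << j, 0) ^ 1
            poly = {m: c for m, c in new.items() if c}
        if u in poly and bin(u).count("1") == bin(v).count("1"):
            out.add(v)
    return out
```

The pair 0b0011 → 0b1100 shows why the COPY/XOR model over-approximates: the two output bits do depend on both inputs, but their product cancels the monomial x0·x1, so the sub-matrix is singular and the trail is rejected.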
Introduction

Recently, in order to optimize the energy consumed by the circuit per bit in the encryption or decryption process, block cipher designers have started using binary matrices over finite fields as the diffusion layer. The most typical examples are Midori [1], proposed at ASIACRYPT 2015, and Skinny [2], proposed at CRYPTO 2016. Given their reputation for meeting the low-latency requirements of an unrolled implementation as well as providing fast diffusion [2], it is of great importance to evaluate the resistance of ciphers using binary matrices to known cryptanalysis and to give a proof of their security.

The division property [12] is a generalized integral property initially proposed by Todo at EUROCRYPT 2015. At FSE 2016, Todo and Morii proposed the bit-based division property and applied it to find a 14-round integral distinguisher for SIMON32 [13]. At CRYPTO 2016, Christina Boura and Anne Canteaut came up with a new approach [4] by introducing the notion of parity sets, allowing one to formulate and characterize the division property of any order in a simple way, especially for the construction of the division trails of S-boxes. At ASIACRYPT 2016, Xiang et al. proposed a method