MILP‐aided bit‐based division property for primitives with non‐bit‐permutation linear layers

Sun, L.; Wang, Wei; Wang, Meiqin Q.

doi:10.1049/iet-ifs.2018.5283

Cited by 42 publications

(53 citation statements)

References 28 publications

(31 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We describe exactly all division trails of their linear layers without any extra unreasonable one. We find a 10-round integral distinguisher for Skinny, which is one more round than the integral distinguisher found by using the method in [9]. The designers of Skinny mention in their security analysis that the division property can probably be used to slightly extend their results.…”

Section: Our Contributionsmentioning

confidence: 80%

“…Division trails are vectors which show the propagation path of the division property in the process of encryption, showing the balancedness of intermediate states. [12,9]). Let f r be the round function of an iterated block cipher.…”

Section: Division Property and Division Trailmentioning

confidence: 99%

“…They successfully extended the MILP method to XOR based and ARX-based structures by introducing some intermediate variables among the linear layer, building 2n inequalities for the n-bit linear layers, based on which they claimed their inequalities to be "sufficient". However, we found that the solutions of linear inequalities in [9] contain some impossible division trails, which may eventually lead the integral-trail searching to come to a premature end and result in a shorter integral distinguisher.…”

mentioning

confidence: 94%

“…They left the feasibility of MILP method applied to ciphers with diffusion layers that are not bit permutations as a future work. Soon after, Sun et al handled the feasibility of MILP-aided division property for primitives with non-bit-permutation linear layers [9,8]. They successfully extended the MILP method to XOR based and ARX-based structures by introducing some intermediate variables among the linear layer, building 2n inequalities for the n-bit linear layers, based on which they claimed their inequalities to be "sufficient".…”

mentioning

confidence: 99%

“…Secondly we collect enough inequalities to describe the characters of division property propagates of round functions, including the inequalities for the S-box and the inequalities for liner layer. At present, the description of S-box is almost perfect[15, 9,8]. But the description of general diffusion layers is still far from satisfactory.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Division cryptanalysis of block ciphers with a binary diffusion layer

Zhang

Rijmen

2019

IET Information Security

View full text Add to dashboard Cite

In this paper, we propose an accurate security evaluation methodology for block ciphers with a binary diffusion layers against division cryptanalysis. We illustrate the division property by the independence of variables, and exploit a one-toone mapping between division trails and invertible sub-matrices. We give a new way to model the propagation of division property of linear diffusion layers by the smallest amount of inequalities which are generated from linear combinations of row vectors of the diffusion matrix. The solutions of these inequalities are exactly the division trails of linear transformation. Hence the description is compact and optimal. As applications of our methodology, we first present a 10-round integral distinguisher for Skinny, proposed at CRYPTO 2016 which is of one round more than that found by using the previous method. For Midori, proposed at ASIACRYPT 2015, the designers have obtained a 3.5-round integral characteristic. Surprisingly, we find 7-round integral distinguishers both for Midori64 and Midori128. Most importantly, we obtain the longest integral distinguishers for block ciphers with a binary diffusion layer. It seems that any more improvement of this kind of integral distinguishers using the division property is impossible. Therefore, the technique can be used to prove security against division cryptanalysis, and we can hopefully expect it to become a useful technique for designers.Keywords: Binary diffusion layer · Skinny block cipher · Midori block cipher · MILP · Division property · Integral attack IntroductionRecently, in order to optimize the energy consumed by the circuit per bit in the encryption or decryption process, block cipher designers started using binary matrices on finite fields as the diffusion layer. The most typical examples are Midori[1], proposed at ASIACRYPT 2015 and Skinny [2], proposed at CRYPTO 2016. With their reputation of reaching the requirements of low latency in an unrolled implementation as well as fast diffusion[2], it is of great importance to evaluate the resistance of ciphers using binary matrixes to known cryptanalysis and to give a proof of their security.The division property [12] is a generalized integral property initially proposed by Todo at EUROCRYPT 2015. At FSE 2016, Todo and Morri proposed the bit-based division property and applied it to find a 14-round integral distinguisher for SIMON32 [13]. At CRYPTO 2016, Christina Boura and Anne Canteaut came up with a new approach[4] by introducing the notion of parity sets, permitting people to formulate and characterize the division property of any order in a simple way, specially for the construction of the division trails of S-boxes. At ASIACRYPT 2016, Xiang et al. proposed a method

show abstract

Section: Our Contributionsmentioning

confidence: 80%

Section: Division Property and Division Trailmentioning

confidence: 99%

mentioning

confidence: 94%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations