On MILP-based Automatic Search for Bit-Based Division Property for Ciphers with (large) Linear Layers

With the introduction of the division trail, the bit-based division property (BDP) has become the most efficient method to search for integral distinguishers. The notion of the division trail allows us to automate the search process by modelling the propagation of the BDP as a set of constraints that can be solved using generic mixed-integer linear programming (MILP) and SMT/SAT solvers. The current models for the basic operations and S-boxes are efficient and accurate. In contrast, the two approaches to model the propagation of the BDP through a non-bit-permutation linear layer are either inaccurate or inefficient. The first approach relies on decomposing the matrix multiplication of the linear layer into COPY and XOR operations. The model obtained by this approach is efficient, in terms of the number of constraints, but it is not accurate and might add invalid division trails to the search space, which might lead to missing the balanced property of some bits. The second approach employs a one-to-one map between the valid division trails through the primitive matrix representing the linear layer and its invertible sub-matrices. Although the current model obtained by this approach is accurate, it is inefficient, i.e., it produces a large number of constraints for large linear layers such as the one of Kuznyechik. In this paper, we address this problem by utilizing the one-to-one map to propose a new MILP model and a search procedure for large non-bit-permutation linear layers. As a proof of the effectiveness of our approach, we improve the previous 3- and 4-round integral distinguishers of Kuznyechik and the 4-round one of PHOTON’s internal permutation (P288). We also report, for the first time, a 4-round integral distinguisher for the Kalyna block cipher and a 5-round integral distinguisher for PHOTON’s internal permutation.
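To make the contrast between the two modelling approaches concrete, the following Python script is an added example; it is not code from the paper or its authors. It assumes a small constructed 3x3 binary matrix `M` as the linear layer y = Mx over GF(2), the bit-level COPY/XOR rules used by the MILP models (COPY: 1 → (1,0) or (0,1); XOR: (1,0) or (0,1) → 1), and the invertible-sub-matrix rule read as: u → v is a valid division trail iff the sub-matrix of `M` with rows indexed by v and columns indexed by u is invertible over GF(2). It enumerates the trails each model admits, cross-checks the invertibility rule against the algebraic normal form of y^v computed by brute force, and returns the trails the COPY/XOR decomposition admits that are not actual division trails.

```python
"""
Added illustration: COPY/XOR decomposition vs. invertible-sub-matrix rule for
bit-based division property (BDP) propagation through y = M x over GF(2).

A solution of the COPY/XOR model is a matching between active input bits and
active output bits in the bipartite graph given by the ones of M.  The exact
rule instead asks whether M[rows v, cols u] is invertible, i.e. whether the
number of such matchings is odd (the coefficient of x^u in the ANF of y^v).
"""
from itertools import product

# Constructed 3x3 invertible matrix (an assumption for this example); the
# all-ones 2x2 block in the top-left corner is where the two models disagree.
M = [
    [1, 1, 0],
    [1, 1, 1],
    [0, 1, 1],
]


def gf2_rank(rows):
    """Rank over GF(2) of a list of rows given as Python ints (bit masks)."""
    rows = list(rows)
    rank = 0
    for bit in range(max((r.bit_length() for r in rows), default=0)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def submatrix_invertible(M, v, u):
    """True iff M[rows indexed by v, cols indexed by u] is square and invertible."""
    rows = [j for j in range(len(M)) if v[j]]
    cols = [i for i in range(len(M[0])) if u[i]]
    if len(rows) != len(cols):
        return False
    masks = [sum(M[j][i] << k for k, i in enumerate(cols)) for j in rows]
    return gf2_rank(masks) == len(rows)


def exact_trails(M):
    """Division trails (u, v) under the invertible-sub-matrix rule."""
    n = len(M)
    return {(u, v) for u in product((0, 1), repeat=n)
            for v in product((0, 1), repeat=n) if submatrix_invertible(M, v, u)}


def copy_xor_trails(M):
    """Trails admitted by the COPY/XOR decomposition of M.

    Each one M[j][i] is a branch variable t_{j,i}; COPY gives u_i = sum_j t_{j,i}
    and XOR gives v_j = sum_i t_{j,i}, both restricted to {0, 1}.  Enumerating
    all branch assignments (brute force instead of an MILP solver) yields every
    matching in the bipartite graph of M.
    """
    n = len(M)
    edges = [(j, i) for j in range(n) for i in range(n) if M[j][i]]
    trails = set()
    for choice in product((0, 1), repeat=len(edges)):
        u, v = [0] * n, [0] * n
        for take, (j, i) in zip(choice, edges):
            if take:
                u[i] += 1  # COPY branch of x_i is active
                v[j] += 1  # XOR input of y_j is active
        if max(u) <= 1 and max(v) <= 1:  # bit-level COPY/XOR constraints
            trails.add((tuple(u), tuple(v)))
    return trails


def anf_coefficient(M, u, v):
    """Coefficient of x^u in the ANF of y^v = prod_{j in v} y_j, where y = M x,
    obtained with the Moebius transform: XOR of y^v(x) over all x preceded by u."""
    n = len(M)
    acc = 0
    for x in product((0, 1), repeat=n):
        if any(x[i] and not u[i] for i in range(n)):
            continue
        y = [sum(M[j][i] & x[i] for i in range(n)) & 1 for j in range(n)]
        acc ^= all(y[j] for j in range(n) if v[j])
    return acc


def spurious_trails(M):
    """Trails the COPY/XOR model admits but the exact rule rejects."""
    return copy_xor_trails(M) - exact_trails(M)


def exact_rule_matches_anf(M):
    """Cross-check: for |u| == |v| the invertibility rule equals the ANF test."""
    n = len(M)
    return all(submatrix_invertible(M, v, u) == bool(anf_coefficient(M, u, v))
               for u in product((0, 1), repeat=n)
               for v in product((0, 1), repeat=n) if sum(u) == sum(v))


if __name__ == "__main__":
    print("COPY/XOR trails:", len(copy_xor_trails(M)))
    print("exact trails:   ", len(exact_trails(M)))
    print("spurious trails:", sorted(spurious_trails(M)))
    print("exact rule agrees with ANF:", exact_rule_matches_anf(M))
```

The two spurious trails correspond to the all-ones 2x2 blocks of `M`: each has two perfect matchings, so the COPY/XOR model finds a solution, but the two monomials cancel in the ANF of y^v and the sub-matrix is singular. In a full search such extra trails only enlarge the set of reachable output vectors, which is why the inaccuracy can hide a balanced bit but never produce a false distinguisher.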
