Linearly equivalent S-boxes and the division property

The division property is a cryptanalysis technique that has proved very effective against block ciphers. Computer-aided techniques such as MILP have been widely and successfully used to study various cryptanalysis techniques, and have led to many new results for the division property in particular. Nonetheless, we claim that the previous techniques do not consider the full search space. We show that even if the previous techniques fail to find a distinguisher based on the division property over a given function, we can potentially find a relevant distinguisher over a linearly equivalent function. We show that the representation of the block cipher heavily influences the propagation of the division property and, exploiting this, we give an algorithm to efficiently search for such linear mappings. As a result, we exhibit a new distinguisher over 10 rounds of RECTANGLE, while the previous best was over 9 rounds, and rule out such a distinguisher over more than 9 rounds of PRESENT. We also give some insight into the construction of an S-box that strengthens a block cipher against our technique. We prove that using an S-box satisfying a certain criterion is optimal in terms of resistance against the classical division property. Accordingly, we exhibit stronger variants of RECTANGLE and PRESENT, improving their resistance against division-property-based distinguishers by 2 rounds.
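The claim that the representation of a cipher changes how the division property propagates can be checked directly at the S-box level. The following is an added illustration, not the paper's code and not its search algorithm for the linear mappings A and B. It implements the ANF-based S-box propagation rule of Xiang et al. (ASIACRYPT 2016): an input vector k propagates to an output vector k' exactly when the product of the output bits selected by k' contains a monomial x^u with u covering k, after which non-minimal output vectors are discarded. It then computes the resulting trail table for an S-box S and for the linearly equivalent S-box S' = B ∘ S ∘ A. The 3-bit Keccak chi map and the particular matrix A (x2 = z0 + z2) are assumptions chosen here because the result can be verified by hand: from the input property k = (1,1,0), chi has two balanced output bits while its equivalent has only one. The PRESENT S-box is the public specification; the second A applied to it is again an arbitrary illustrative choice.

```python
"""Bit-based division property through an S-box, and how it changes under
linear equivalence. Added illustration, not the paper's code. Bit i of an
integer is coordinate x_i; a division-property vector k is a bitmask."""


def mobius(tt):
    """Truth table (indexed by input x) -> ANF coefficients (indexed by monomial u)."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for u in range(len(a)):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return a


def product_monomials(sbox, n, kp):
    """Monomials in the ANF of F_{k'}(x) = prod_{j : k'_j = 1} y_j(x)."""
    bits = [j for j in range(n) if (kp >> j) & 1]
    tt = [int(all((sbox[x] >> j) & 1 for j in bits)) for x in range(1 << n)]
    a = mobius(tt)
    return {u for u in range(1 << n) if a[u]}


def reduce_min(vectors):
    """Drop every vector that covers another one in the set (redundant in D_K)."""
    return frozenset(k for k in vectors
                     if not any(o != k and o & k == o for o in vectors))


def division_table(sbox, n):
    """For each input vector k, the reduced set of output vectors k' such that
    k -> k' is a division trail, i.e. F_{k'} has a monomial x^u with u covering k."""
    mons = {kp: product_monomials(sbox, n, kp) for kp in range(1 << n)}
    return {k: reduce_min({kp for kp in range(1 << n)
                           if any(u & k == k for u in mons[kp])})
            for k in range(1 << n)}


def balanced_bits(table, n, k):
    """Output bits whose XOR over a set with division property D_k is zero: bit j
    is balanced unless e_j covers a vector of the output set (0 or e_j itself)."""
    return [j for j in range(n) if not any(kp & (1 << j) == kp for kp in table[k])]


def total_trails(table):
    """Number of reduced division trails over all single-vector input properties."""
    return sum(len(v) for v in table.values())


def apply_linear(rows, v):
    """GF(2) matrix-vector product; rows[i] is the mask of input bits feeding output bit i."""
    return sum((bin(rows[i] & v).count("1") & 1) << i for i in range(len(rows)))


def linear_equivalent(sbox, n, a_rows, b_rows):
    """S'(z) = B(S(A z)): the linearly equivalent S-box for invertible A and B."""
    return [apply_linear(b_rows, sbox[apply_linear(a_rows, z)]) for z in range(1 << n)]


# 3-bit Keccak chi, y_i = x_i + (x_{i+1} + 1) x_{i+2}: small enough to check by hand.
CHI3 = [sum((((x >> i) & 1) ^ ((((x >> ((i + 1) % 3)) & 1) ^ 1) & ((x >> ((i + 2) % 3)) & 1))) << i
            for i in range(3)) for x in range(8)]
# Assumed A: x0 = z0, x1 = z1, x2 = z0 + z2 (rows are bitmasks over z); B = identity.
CHI3_EQ = linear_equivalent(CHI3, 3, [0b001, 0b010, 0b101], [1, 2, 4])

# PRESENT S-box (public specification). The equivalent variant uses an arbitrary
# invertible A with x1 = z0 + z1, chosen here only for illustration.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PRESENT_EQ = linear_equivalent(PRESENT, 4, [0b0001, 0b0011, 0b0100, 0b1000], [1, 2, 4, 8])

if __name__ == "__main__":
    for name, s, n, k in (("chi3", CHI3, 3, 0b011), ("chi3 o A", CHI3_EQ, 3, 0b011),
                          ("PRESENT", PRESENT, 4, 0b0111), ("PRESENT o A", PRESENT_EQ, 4, 0b0111)):
        t = division_table(s, n)
        print(f"{name:12s} trails={total_trails(t):3d}  K'({k:0{n}b}) = "
              f"{sorted(f'{kp:0{n}b}' for kp in t[k])}  balanced bits = {balanced_bits(t, n, k)}")
```

The trail table of a bit-permuted S-box is just a relabelling of the original one, so the total number of trails is unchanged by permutations; a genuinely mixing A or B changes the monomial structure of the products F_{k'} and therefore which output bits remain balanced, which is the effect the paper exploits across full rounds.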
