[Resource Topic] 2022/720: A Model Set Method to Search Integral Distinguishers Based on Division Property for Block Ciphers

Resource Secret-key cryptography
#1

Welcome to the resource topic for 2022/720

Title:
A Model Set Method to Search Integral Distinguishers Based on Division Property for Block Ciphers

Authors: Huawei Liu, Zilong Wang, and Liu Zhang

Abstract:

Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015. Subsequently, Todo and Morii extended division property to the bit level and proposed conventional bit-based division property (CBDP) and bit-based division property using three subsets (BDPT). At ASIACRYPT 2016, Xiang et al. applied MILP technique to model the CBDP propagation for the first time. To construct an automatic search model for BDPT propagation, Hu et al. characterized a variant BDPT based on SMT/SAT. Later at ASIACRYPT 2019, Wang et al. characterized the BDPT based MILP. However, the above two automatic search models have some limitations. In this paper, we focus on constructing an automatic search model that can more accurately characterize the BDPT propagation. Firstly, we define a new notion named BDPT Trail, which divides the BDPT propagation into three parts: the division trail for K, division trail for L, and Key-Xor operation. Secondly, we improve the insufficiency of the previous methods of calculating division trails and propose an effective algorithm that can obtain more valid division trails for L of the S-box operation. Thirdly, we propose a new algorithm that models each Key-Xor operation based on MILP technique for the first time. Based on this, we can accurately characterize the Key-Xor operation by solving these MILP models. After that, by selecting appropriate initial BDPT and stopping rules, we construct an automatic search model that more accurately characterizes the BDPT propagation. As a result, our automatic search model is applied to search integral distinguishers for some block ciphers. For GIFT-64, we find a 11-round integral distinguisher which is one more round than the previous best results. For Rectangle, we find a better 10-round integral distinguisher with 9 balanced bits, which has eight more bits than the previous best results. For Simon64, we can find more balanced bits than the previous longest distinguishers. For Present, we find a better 9-round integral distinguisher with less active bits.

ePrint: https://eprint.iacr.org/2022/720

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .