1 Introduction

Division property was first proposed by Todo \(et\ al.\) [1] at Eurocrypt 2015 to find integral distinguishers of block ciphers. Todo studied the propagation rules of division property through basic components and proposed a search algorithm. With this technique, Todo found a 6-round integral distinguisher for MISTY1 and gave the first theoretical integral attack on full-round MISTY1 at Crypto 2015 [2]. However, a 5-round gap remained between the proved integral distinguisher and the experimental one [3] for SIMON32. Later, Todo \(et\ al.\) [4] proposed bit-based division property at FSE 2016.

Xiang \(et\ al.\) [5] studied the propagation rules of division property through components and applied the MILP method to search for integral distinguishers of six block ciphers. Sun \(et\ al.\) [6, 7] applied division property to ARX block ciphers. By modeling the bit-level propagation of bit-based division property through Addition Modulo, Rotation and Xor, Sun \(et\ al.\) obtained strong results for ARX block ciphers.

At FSE 2016, Todo \(et\ al.\) proposed a more precise method for describing integrals, namely bit-based division property using three subsets. With this method, Todo \(et\ al.\) found a 14-round integral distinguisher for SIMON32, which matches the experimental one. Unfortunately, for SIMON family block ciphers with block size larger than 32 bits, the method cannot be applied to find exact integrals, only “provable security” boundaries. Moreover, there is still no automated method for finding integrals of ARX block ciphers with division property using three subsets.

Our Contribution. In this paper, we propose a generic method using a SAT/SMT solver to search for integral distinguishers based on division property using three subsets for ARX block ciphers. Our contributions are summarized as follows.

  1. We carefully study the propagation rules of conventional division property through the basic components (Copy, Xor, Rotation) of ARX block ciphers and propose the corresponding rules of division property using three subsets in bit-vector form.

  2. Combining the rules of division property using three subsets through basic components, we model the propagation of division property using three subsets through Addition Modulo \(2^n\).

  3. With a SAT/SMT solver, we apply division property using three subsets to search for integral distinguishers of some ARX block ciphers. For SIMON family block ciphers, we find 15-, 16-, 18-, 22- and 26-round integral distinguishers automatically and verify the results proposed by Todo \(et\ al.\) [4]. For SPECK32, we find one more 6-round integral distinguisher, which cannot be found with conventional division property.

Moreover, we confirm the integral distinguishers for some other ARX block ciphers, such as SIMECK [8], HIGHT [9], LEA [10], TEA [11] and XTEA, that were found by conventional division property without using three subsets. A comparison between our results and existing results is given in Table 1.

Table 1. Results for some ARX block ciphers.

Organization. The remainder of this paper is organized as follows. In Sect. 2, we present the notations used throughout the paper. Section 3 covers the construction of division property using three subsets through the basic primitives of ARX block ciphers and the search algorithm. In Sect. 4, we apply the method to some ARX block ciphers. Finally, we conclude the paper in Sect. 5.

2 Preliminaries

2.1 Notations

Let \(\mathbb {F}_2^n\) denote the set of n-bit vectors over \(\mathbb {F}_2\). \(\oplus ,\wedge \) and \(\lnot \) denote n-bit bitwise Xor, And and Negation respectively. Let \(\varvec{0}\) denote the vector of n zero bits and \(\varvec{1}\) the vector of n one bits. For any \(a\in \mathbb {F}^n_2\), \(a_{[i]}\) denotes the i-th bit of a, and \(a_{[n-1]}\) is the least significant bit (LSB). Let \(e_i\) denote the n-bit unit vector whose i-th bit equals 1. wt(a) denotes the Hamming weight of a, which is calculated as \(\sum ^{n-1}_{i=0}a_{[i]}\). For any \(\varvec{a}=(a_0, a_1, ..., a_{m-1})\in \mathbb {F}^{n_0}_2 \times \mathbb {F}^{n_1}_2 \times \cdots \times \mathbb {F}^{n_{m-1}}_2\), the vectorial Hamming weight of \(\varvec{a}\) is defined as \(Wt(\varvec{a})=(wt(a_0), wt(a_1), ..., wt(a_{m-1}))\in \mathbb {Z}^m\). For any \(\varvec{k}=(k_0, k_1,..., k_{m-1})\in \mathbb {Z}^m\) and \(\varvec{k}'=(k_0', k_1', ..., k_{m-1}')\in \mathbb {Z}^m\), we write \(\varvec{k}\succeq \varvec{k}'\) if \(k_i\ge k_i'\) for all \(i\in \{0,1, ..., m-1\}\), and \(\varvec{k}\nsucceq \varvec{k}'\) otherwise.

2.2 Division Property

Division property is a recent method for finding integral characteristics. In this section, we define division property and its propagation rules.

2.2.1 Bit Product Function.

Let \(\pi _u:\mathbb {F}^n_2\rightarrow \mathbb {F}_2\) be the bit product function for any \(u\in \mathbb {F}^n_2\). Let \(x\in \mathbb {F}^n_2\) be the input; \(\pi _u(x)\) is the AND of the bits x[i] for which \(u[i]=1\), i.e., it is defined as

$$\begin{aligned} \pi _u(x):=\prod ^{n-1}_{i=0}x[i]^{u[i]}. \end{aligned}$$

Let \(\pi _u:(\mathbb {F}_2^{n_0} \times \mathbb {F}_2^{n_1} \times \cdots \times \mathbb {F}_2^{n_{m-1}})\rightarrow \mathbb {F}_2\) be a bit product function for any \(\varvec{u}\in (\mathbb {F}_2^{n_0} \times \mathbb {F}_2^{n_1} \times \cdots \times \mathbb {F}_2^{n_{m-1}})\). Let \(\varvec{x}\in (\mathbb {F}_2^{n_0} \times \mathbb {F}_2^{n_1} \times \cdots \times \mathbb {F}_2^{n_{m-1}})\) be the input, and \(\pi _{\varvec{u}}(\varvec{x})\) is defined as

$$\begin{aligned} \pi _{\varvec{u}}(\varvec{x}):=\prod ^{m-1}_{i=0}\pi _{u_i}(x_i). \end{aligned}$$

Definition 1

(Division Property [1]). Let \(\mathbb {X}\) be a multiset whose elements are in \((\mathbb {F}_2^{n_0} \times \mathbb {F}_2^{n_1} \times \cdots \times \mathbb {F}_2^{n_{m-1}})\). If \(\mathbb {X}\) has the division property \(\mathcal {D}_{\mathbb {K}}^{n_0, n_1, ..., n_{m-1}}\), it fulfills the following conditions:

$$\begin{aligned} \bigoplus _{x\in \mathbb {X}}\pi _{\varvec{u}}(\varvec{x})=\left\{ \begin{array}{ll} unknown &{} \ if \ there\ is\ \varvec{k}\in \mathbb {K}\ s.t.\ Wt(\varvec{u})\succeq \varvec{k}, \\ 0 &{} \ otherwise. \end{array} \right. \end{aligned}$$

Todo proved the propagation rules for division property through basic components of block ciphers and these rules were summarized in [2].

2.3 Conventional Bit-Based Division Property

Conventional bit-based division property [4] is a special case of division property in which the property propagates at the bit level. Xiang \(et\ al.\) [5] expressed the propagation rules of bit-based division property through the Copy, And and Xor operations as linear conditions. Sun \(et\ al.\) generalized the models of Copy and Xor in [6].

Theorem 1

(Generalized Copy [6]). Let \((a)\rightarrow (b_0, b_1, ..., b_{m-1})\) denote a division propagation through the Copy operation. The following conditions describe the propagation rule.

$$\begin{aligned} \left\{ \begin{array}{l} a-b_0-b_1-\cdots -b_{m-1}=0 \\ a,b_0,b_1,...,b_{m-1}\ are\ binaries. \end{array} \right. \end{aligned}$$

Theorem 2

(Generalized Xor [6]). Let \((a_0, a_1, ..., a_{m-1})\rightarrow (b)\) denote a division propagation through the Xor operation. The following conditions describe the propagation rule.

$$\begin{aligned} \left\{ \begin{array}{l} a_0+a_1+\cdots +a_{m-1}-b=0\\ a_0, a_1, ..., a_{m-1}, b\ are\ binaries. \end{array} \right. \end{aligned}$$

Theorem 3

(And [5]). Let \((a_0, a_1)\rightarrow (b)\) denote a division propagation through the And operation. The following conditions describe the propagation rule.

$$\begin{aligned} \left\{ \begin{array}{l} b-a_0\geqslant 0\\ b-a_1\geqslant 0\\ b-a_0-a_1\leqslant 0\\ a_0, a_1, b\ are\ binaries. \end{array} \right. \end{aligned}$$

2.4 Bit-Based Division Property Using Three Subsets

Conventional division property uses the \(\mathbb {K}\) set to represent the subset of u for which \(\bigoplus _{x\in \mathbb {X}}\pi _u(x)\) is unknown. Bit-based division property using three subsets uses an additional \(\mathbb {L}\) set to represent the subset of u such that \(\bigoplus _{x\in \mathbb {X}}\pi _u(x)=1\).

Definition 2

(Division Property using Three Subsets [1]). Let \(\mathbb {X}\) be a multiset whose elements are in \((\mathbb {F}_2^{n_0} \times \mathbb {F}_2^{n_1} \times \cdots \times \mathbb {F}_2^{n_{m-1}})\). If \(\mathbb {X}\) has the division property using three subsets \(\mathcal {D}_{\mathbb {K},\mathbb {L}}^{n_0, n_1, ..., n_{m-1}}\), it fulfills the following conditions:

$$\begin{aligned} \bigoplus _{x\in \mathbb {X}}\pi _{\varvec{u}}(\varvec{x})=\left\{ \begin{array}{ll} unknown &{} \ if \ there\ is\ \varvec{k}\in \mathbb {K}\ s.t.\ Wt(\varvec{u})\succeq \varvec{k},\\ 1 &{} \ else \ if \ there\ is\ \varvec{l}\in \mathbb {L}\ s.t.\ Wt(\varvec{u})=\varvec{l},\\ 0 &{} \ otherwise. \end{array} \right. \end{aligned}$$

Assume that \(\mathbb {X}\) has division property using three subsets \(\mathcal {D}^m_{\mathbb {K},\mathbb {L}}\). The propagation rule for the \(\mathbb {K}\)-set of division property using three subsets is the same as for the conventional \(\mathbb {K}\)-set. Moreover, the propagation rule for the \(\mathbb {L}\)-set through the Xor function is the same as that for the conventional \(\mathbb {K}\)-set of division property.

Proposition 1

Let \((a)\xrightarrow {Copy}(b_0, b_1, ..., b_{m-1})\) denote a division propagation through the Copy operation. The following conditions describe the propagation rule for the \(\mathbb {L}\)-set of bit-based division property using three subsets through the Copy operation.

$$\begin{aligned} \left\{ \begin{array}{l} a-b_0-\cdots -b_{m-1}+ab_0+\cdots +ab_{m-1}+\bar{a}\bar{b_0}\cdots \bar{b_{m-1}}=1\\ a, b_0, b_1, ..., b_{m-1}\ are\ binaries. \end{array} \right. \end{aligned}$$

Proposition 2

Let \((a_0, a_1)\xrightarrow {And}(b)\) denote a division propagation through the And operation. The following conditions describe the propagation rule for the \(\mathbb {L}\)-set of bit-based division property using three subsets through the And operation.

$$\begin{aligned} \left\{ \begin{array}{l} b+ba_0+ba_1+\bar{a_0}\bar{a_1}=1\\ b, a_0, a_1\ are\ binaries. \end{array} \right. \end{aligned}$$

2.5 Bit-Vector Based Division Property Using Three Subsets

We propose an equivalent form of division property using three subsets at the bit-vector level. In this section, we introduce the propagation rules of bit-vector based division property using three subsets through basic components; the proof for division property using three subsets through the Copy function is given in Appendix A.

Proposition 3

Let \((x)\rightarrow (y0, y1, ..., y(m-1))\) denote a division propagation through the Copy operation using three subsets. The \(\mathbb {K}\)-set and \(\mathbb {L}\)-set propagation rules satisfy Theorem 1 and Proposition 1 respectively.

$$\begin{aligned} DP3_{\mathbb {K}}(x \rightarrow y0, y1)=\lnot x \wedge \lnot y0 \wedge \lnot y1 \oplus x \wedge (y0 \oplus y1)= \varvec{1}. \end{aligned}$$
$$\begin{aligned} DP3_{\mathbb {K}}(x\rightarrow y0, y1, y2)=\lnot y1 \wedge \lnot y2 \wedge (y0\oplus \lnot x) \oplus \lnot y0\wedge x \wedge (y1 \oplus y2)=\varvec{1}. \end{aligned}$$

We define the \(\mathbb {L}\)-set rule through the general Copy operation as

$$\begin{aligned} DP3_{\mathbb {L}}(x\rightarrow y0, y1,\cdots , y(m-1))=x \oplus \lnot y0 \wedge \lnot y1 \wedge \cdots \wedge \lnot y(m-1)=\varvec{1}. \end{aligned}$$

Proposition 4

Let \((x0, x1, ..., x(m-1))\rightarrow (y)\) denote a division propagation through the Xor operation using three subsets. The \(\mathbb {K}\)-set and \(\mathbb {L}\)-set propagation rules both satisfy Theorem 2, i.e., they share the same propagation rule.

$$\begin{aligned} DP3(x0, x1\rightarrow y)=\lnot y \wedge \lnot x0 \wedge \lnot x1 \oplus y \wedge (x0 \oplus x1)=\varvec{1}. \end{aligned}$$
$$\begin{aligned} DP3(x0,x1, x2\rightarrow y)=\lnot x1 \wedge \lnot x2 \wedge (x0\oplus \lnot y) \oplus \lnot x0\wedge y \wedge (x1 \oplus x2)=\varvec{1}. \end{aligned}$$

Proposition 5

Let \((x0, x1)\rightarrow (y)\) denote a division propagation through the And operation using three subsets. The \(\mathbb {K}\)-set and \(\mathbb {L}\)-set propagation rules satisfy Theorem 3 and Proposition 2 respectively.

$$\begin{aligned} DP3_{\mathbb {K}}(x0, x1\rightarrow y)=y\oplus \lnot x0\wedge \lnot x1=\varvec{1}. \end{aligned}$$
$$\begin{aligned} DP3_{\mathbb {L}}(x0, x1\rightarrow y)=y\oplus x0\oplus x1\oplus x0\wedge x1\oplus y\wedge x0\oplus y\wedge x1=\varvec{0}. \end{aligned}$$
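To make the bit-vector predicates concrete, the following Python (an added example, not the paper's code or tool) implements Propositions 3 to 5 on integers of width N and enumerates the single-bit transitions each predicate accepts, checking them against the set-based rules of Theorems 1 to 3 and the \(\mathbb {L}\)-set rules for Copy and And (for Copy, derived from the bit product function: the product of any non-empty set of copies of x equals x). The width N = 4 and all function names are choices of this example.

```python
from itertools import product

N = 4                     # word width of the bit-vectors (a choice of this example)
MASK = (1 << N) - 1       # the all-ones vector of the paper


def bnot(a):
    """Bitwise negation restricted to N bits."""
    return ~a & MASK


# K-set rules of Propositions 3 and 5; Xor (Proposition 4) is shared by both sets
def dp3k_copy2(x, y0, y1):
    return ((bnot(x) & bnot(y0) & bnot(y1)) ^ (x & (y0 ^ y1))) == MASK


def dp3k_copy3(x, y0, y1, y2):
    return ((bnot(y1) & bnot(y2) & (y0 ^ bnot(x)))
            ^ (bnot(y0) & x & (y1 ^ y2))) == MASK


def dp3_xor2(x0, x1, y):
    return ((bnot(y) & bnot(x0) & bnot(x1)) ^ (y & (x0 ^ x1))) == MASK


def dp3_xor3(x0, x1, x2, y):
    return ((bnot(x1) & bnot(x2) & (x0 ^ bnot(y)))
            ^ (bnot(x0) & y & (x1 ^ x2))) == MASK


def dp3k_and(x0, x1, y):
    return (y ^ (bnot(x0) & bnot(x1))) == MASK


# L-set rules: general Copy (Proposition 3) and And (Proposition 5)
def dp3l_copy(x, *ys):
    all_zero = MASK
    for y in ys:
        all_zero &= bnot(y)
    return (x ^ all_zero) == MASK


def dp3l_and(x0, x1, y):
    return (y ^ x0 ^ x1 ^ (x0 & x1) ^ (y & x0) ^ (y & x1)) == 0


def accepted(pred, n_in, n_out):
    """Single-bit transitions (inputs) -> (outputs) a predicate accepts; each
    bit is replicated across the word so every position sees the same case."""
    trans = set()
    for bits in product((0, 1), repeat=n_in + n_out):
        words = [MASK if b else 0 for b in bits]
        if pred(*words):
            trans.add((bits[:n_in], bits[n_in:]))
    return trans


# Reference transition sets written down from the set-based rules
def ref_copy_k(m):  # Theorem 1: a = b_0 + ... + b_{m-1}
    return {((a,), b) for a in (0, 1)
            for b in product((0, 1), repeat=m) if sum(b) == a}


def ref_xor_k(m):   # Theorem 2: b = a_0 + ... + a_{m-1}
    return {(a, (b,)) for a in product((0, 1), repeat=m)
            for b in (0, 1) if sum(a) == b}


def ref_and_k():    # Theorem 3: b >= a_0, b >= a_1, b <= a_0 + a_1
    return {((a0, a1), (b,)) for a0, a1, b in product((0, 1), repeat=3)
            if b >= a0 and b >= a1 and b <= a0 + a1}


def ref_copy_l(m):  # L-set Copy: 0 -> all outputs 0, 1 -> any non-zero outputs
    return {((a,), b) for a in (0, 1)
            for b in product((0, 1), repeat=m) if (sum(b) > 0) == (a == 1)}


def ref_and_l():    # L-set And: only (0,0) -> 0 and (1,1) -> 1 survive
    return {((0, 0), (0,)), ((1, 1), (1,))}


def rules_match():
    """True iff every bit-vector predicate accepts exactly its set-based rule."""
    return (accepted(dp3k_copy2, 1, 2) == ref_copy_k(2)
            and accepted(dp3k_copy3, 1, 3) == ref_copy_k(3)
            and accepted(dp3_xor2, 2, 1) == ref_xor_k(2)
            and accepted(dp3_xor3, 3, 1) == ref_xor_k(3)
            and accepted(dp3k_and, 2, 1) == ref_and_k()
            and accepted(dp3l_copy, 1, 2) == ref_copy_l(2)
            and accepted(dp3l_copy, 1, 3) == ref_copy_l(3)
            and accepted(dp3l_and, 2, 1) == ref_and_l())
```

Because the predicates are evaluated on whole words, one call checks a different transition on every bit position at once, which is what lets a solver handle an n-bit word with a single constraint.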

In [4], Todo \(et\ al.\) described the dependencies between the \(\mathbb {K}\)-set and \(\mathbb {L}\)-set of division property using three subsets when propagating through the “Xor Round Key” function.

Theorem 4

(Dependencies between \(\mathbb {K}\)-set and \(\mathbb {L}\)-set). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multisets of the operation \(y=x\oplus rk\), where rk is the round key. Let \(\mathcal {D}^n_{\mathbb {K},\mathbb {L}}\) and \(\mathcal {D}^n_{\mathbb {K'},\mathbb {L'}}\) be the division property using three subsets of \(\mathbb {X}\) and \(\mathbb {Y}\), respectively. For any vector \(\varvec{l}=(l_0, l_1,\ldots , l_{n-1})\in \mathbb {L}\) and every \(i\in [0, n-1]\) with \(l_i=0\), \(\mathbb {K'}\) is computed as

$$\begin{aligned} \mathbb {K'}\leftarrow (l_0,\ldots , l_i\vee 1, ..., l_{n-1}). \end{aligned}$$

3 Modeling Division Property Using Three Subsets Through Addition Modulo \(2^n\)

Addition Modulo \(2^n\) is the only nonlinear component of ARX block ciphers. Assume that \(\varvec{x}=(x_{[0]}, x_{[1]}, ..., x_{[n-1]})\), \(\varvec{y}=(y_{[0]}, y_{[1]}, ..., y_{[n-1]})\), \(\varvec{c}=(c_{[0]}, c_{[1]}, ...,c_{[n-1]})\) and \(\varvec{z}=(z_{[0]}, z_{[1]}, ...,z_{[n-1]})\) are n-bit vectors in \(\mathbb {F}^n_2\). For ARX block ciphers like SPECK, LEA etc., the operation has the form \(z=x\boxplus y\), where the inputs x, y are intermediate states of the block cipher and z is the output state computed from x and y. For HIGHT etc., the operation has the form \(z=x\boxplus rk\), where x is an intermediate state of the block cipher, rk is a constant (round key) value and z is the output state computed from x and rk.

3.1 General Addition Modulo \(2^n\)

Assuming that \(\varvec{x}=(x_{[0]}, x_{[1]}, ..., x_{[n-1]})\), \(\varvec{y}=(y_{[0]}, y_{[1]}, ..., y_{[n-1]})\), \(\varvec{z}=(z_{[0]}, z_{[1]}, ..., z_{[n-1]})\) are n-bit length vectors in \(\mathbb {F}^n_2\) and \(\varvec{z}=\varvec{x}\boxplus \varvec{y}\). Addition Modulo \(2^n\) can be expressed bit-by-bit as

$$\begin{aligned} \left\{ \begin{array}{lcl} z_{[n-1]} &{} = &{} x_{[n-1]}\oplus y_{[n-1]} \\ z_{[n-2]} &{} = &{} x_{[n-2]}\oplus y_{[n-2]}\oplus c_{[n-2]}, c_{[n-2]}=x_{[n-1]} y_{[n-1]} \\ z_{[n-3]} &{} = &{} x_{[n-3]}\oplus y_{[n-3]}\oplus c_{[n-3]},\\ &{}&{}c_{[n-3]}=x_{[n-2]} y_{[n-2]}\oplus (x_{[n-2]}\oplus y_{[n-2]}) c_{[n-2]} \\ &{}\vdots &{}\\ z_{[0]}&{} = &{} x_{[0]} \oplus y_{[0]}\oplus c_{[0]}, c_{[0]}=x_{[1]} y_{[1]}\oplus (x_{[1]}\oplus y_{[1]}) c_{[1]}. \end{array} \right. \end{aligned}$$

In general, \(c_{[i]}\) is the carry out of \(x_{[i+1]}+y_{[i+1]}+c_{[i+1]}\) for \(0\le i\le n-2\), and \(c_{[n-1]}=0\).

3.1.1 \(\mathbb {K}\)-set Propagation Rule.

Some variables are introduced to describe the propagation rule of \(\mathbb {K}\)-set for bit-vector based division property using three subsets through general Addition Modulo \(2^n\). The division propagation of \(\mathbb {K}\)-set through general Addition Modulo \(2^n\) is shown in Appendix B.1. The propagation system of \(\mathbb {K}\)-set for bit-vector based division property using three subsets through Addition Modulo \(2^n\) denoted \(\mathcal {S}_{DP3_{\mathbb {K}}}(kx, ky\xrightarrow {\boxplus } kz)\) can be described as

$$\begin{aligned} \left\{ \begin{array}{lcl} DP3_{\mathbb {K}}(kx1, ky1, kc1\xrightarrow {Xor} kz) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx\xrightarrow {Copy} kx1, kx2, kx3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(ky\xrightarrow {Copy} ky1, ky2, ky3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kc2\xrightarrow {Copy} kc1, kc3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx2, ky2\xrightarrow {And} ku) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx3, ky3\xrightarrow {Xor} kv) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kv, kc3\xrightarrow {And} kw) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(ku\ll 1, kw\ll 1\xrightarrow {Xor} kc2) &{} = &{} \varvec{1} \\ \end{array} \right. \end{aligned}$$

3.1.2 \(\mathbb {L}\)-set Propagation Rule.

Some variables are introduced to describe the propagation rule of \(\mathbb {L}\)-set for bit-vector based division property using three subsets through general Addition Modulo \(2^n\). Similarly, the propagation system of \(\mathbb {L}\)-set for bit-vector based division property using three subsets through Addition Modulo \(2^n\) denoted \(\mathcal {S}_{DP3_{\mathbb {L}}}(lx, ly\xrightarrow {\boxplus } lz)\) can be described as

$$\begin{aligned} \left\{ \begin{array}{lcl} DP3_{\mathbb {L}}(lx1, ly1, lc1\xrightarrow {Xor} lz) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lx\xrightarrow {Copy} lx1, lx2, lx3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(ly\xrightarrow {Copy} ly1, ly2, ly3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lc2\xrightarrow {Copy} lc1, lc3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lx2, ly2\xrightarrow {And} lu) &{} = &{} \varvec{0} \\ DP3_{\mathbb {L}}(lx3, ly3\xrightarrow {Xor} lv) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lv, lc3\xrightarrow {And} lw) &{} = &{} \varvec{0} \\ DP3_{\mathbb {L}}(lu\ll 1, lw\ll 1\xrightarrow {Xor} lc2) &{} = &{} \varvec{1} \\ \end{array} \right. \end{aligned}$$

3.2 Addition Modulo \(2^n\) with Constant

Assuming that \(\varvec{x}=(x_{[0]},x_{[1]},...,x_{[n-1]})\), \(\varvec{rk}=(rk_{[0]},rk_{[1]},...,rk_{[n-1]})\), \(\varvec{z}=(z_{[0]},z_{[1]},...,z_{[n-1]})\) are n-bit length vectors in \(\mathbb {F}^n_2\) and \(\varvec{z}=\varvec{x}\boxplus \varvec{rk}\). Addition Modulo \(2^n\) with constant can be expressed bit-by-bit as

$$\begin{aligned} \left\{ \begin{array}{lcl} z_{[n-1]} &{} = &{} x_{[n-1]}\oplus rk_{[n-1]} \\ z_{[n-2]} &{} = &{} x_{[n-2]}\oplus rk_{[n-2]}\oplus c_{[n-2]}, c_{[n-2]}=x_{[n-1]} rk_{[n-1]} \\ z_{[n-3]} &{} = &{} x_{[n-3]}\oplus rk_{[n-3]}\oplus c_{[n-3]},\\ &{}&{}c_{[n-3]}=x_{[n-2]} rk_{[n-2]}\oplus (x_{[n-2]}\oplus rk_{[n-2]}) c_{[n-2]} \\ &{}\vdots &{} \\ z_{[0]} &{} = &{} x_{[0]} \oplus rk_{[0]}\oplus c_{[0]}, c_{[0]}=x_{[1]} rk_{[1]}\oplus (x_{[1]}\oplus rk_{[1]}) c_{[1]}. \end{array} \right. \end{aligned}$$

3.2.1 \(\mathbb {K}\)-set Propagation Rule.

Some variables are introduced to describe the propagation rule of \(\mathbb {K}\)-set for bit-vector based division property using three subsets through Addition Modulo \(2^n\) with constant. The division propagation of \(\mathbb {K}\)-set through Addition Modulo \(2^n\) with constant is shown in Appendix B.2. The propagation system of \(\mathbb {K}\)-set for bit-vector based division property through Addition Modulo \(2^n\) with constant denoted \(\mathcal {S}_{DP3_{\mathbb {K}}}(kx, rk\xrightarrow {\boxplus }kz)\) can be described as

$$\begin{aligned} \left\{ \begin{array}{lcl} DP3_{\mathbb {K}}(kx1, kc1\xrightarrow {Xor} kz) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx\xrightarrow {Copy} kx1, kx2, kx3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kc2\xrightarrow {Copy} kc1, kc3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx3, kc3\xrightarrow {And} ku) &{} = &{} \varvec{1} \\ DP3_{\mathbb {K}}(kx2\ll 1, ku\ll 1\xrightarrow {Xor} kc2) &{} = &{} \varvec{1} \\ \end{array} \right. \end{aligned}$$

3.2.2 \(\mathbb {L}\)-set Propagation Rule.

Some variables are introduced to describe the propagation rule of \(\mathbb {L}\)-set for bit-vector based division property using three subsets through Addition Modulo \(2^n\) with constant. Similarly, the propagation system of \(\mathbb {L}\)-set for bit-vector based division property using three subsets through Addition Modulo \(2^n\) with constant denoted \(\mathcal {S}_{DP3_{\mathbb {L}}}(lx, rk\xrightarrow {\boxplus } lz)\) can be described as

$$\begin{aligned} \left\{ \begin{array}{lcl} DP3_{\mathbb {L}}(lx1, lc1\xrightarrow {Xor} lz) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lx\xrightarrow {Copy} lx1, lx2, lx3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lc2\xrightarrow {Copy} lc1, lc3) &{} = &{} \varvec{1} \\ DP3_{\mathbb {L}}(lx3, lc3\xrightarrow {And} lu) &{} = &{} \varvec{0} \\ DP3_{\mathbb {L}}(lx2\ll 1, lu\ll 1\xrightarrow {Xor} lc2) &{} = &{} \varvec{1} \\ \end{array} \right. \end{aligned}$$

3.3 Searching Algorithm

We construct the r-round propagation system of bit-vector based division property using three subsets. Using the syntax of the SAT/SMT solver, we turn the r-round propagation system into a problem the solver can recognize. Given one constant input division property using three subsets, denoted \(\mathcal {D}^{n}_{k, l}\), where k and l are non-zero bit-vectors in \(\mathbb {F}^n_2\), the SAT/SMT solver can compute the \(\mathbb {K}\)-set of division property after r rounds of propagation, denoted \(\mathbb {K}_r\). Suppose \(\mathbb {K}_r\) contains all n unit vectors, i.e., \(e_i\in \mathbb {K}_r\) for all \(i\in \{0,1, ..., n-1\}\). Since any non-zero bit-vector \(u\in \mathbb {F}^n_2\) satisfies \(u\succeq e_i\) for some i, no bit-vector u can fulfill \(\bigoplus _{x\in \mathbb {X}}\pi _{u}(x)=0\), so no balanced-sum bits exist. Otherwise, if some unit vector \(e_i\), \(i\in \{0,1, ..., n-1\}\), is not in \(\mathbb {K}_r\), it holds that \(e_i\nsucceq k\) for all \(k\in \mathbb {K}_r\). Therefore, \(\bigoplus _{x\in \mathbb {X}}\pi _{e_i}(x)=0\) and the i-th bit is a zero-sum bit. For division property using three subsets \(\mathcal {D}^{n}_{\mathbb {K}_r,\mathbb {L}_r}\), we thus check whether all n unit vectors are in \(\mathbb {K}_r\). If so, there is no r-round integral distinguisher with input division property using three subsets \(\mathcal {D}^{n}_{k, l}\). Otherwise, some r-round integral distinguisher exists with that input division property using three subsets. By exhausting all possible input division properties using three subsets, we can decide whether any r-round integral distinguisher exists.
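The decision rule above reads balanced bits off the solver's \(\mathbb {K}_r\). As an added example (not the paper's code), the following Python brute-forces the exact three outcomes of Definition 2 for a constructed 4-bit instance of Addition Modulo \(2^n\) with constant (Sect. 3.2): the parity of \(\pi _u\) over the output multiset is computed for every round key, so a parity that depends on the key is "unknown" (u goes to the \(\mathbb {K}\)-set), a parity that is always 1 puts u in the \(\mathbb {L}\)-set, and always 0 marks a zero-sum bit. The width, the active bits, the constant and all names are choices of this example.

```python
N = 4                      # word width (a choice of this example)
MASK = (1 << N) - 1


def pi(u, x):
    """Bit product function: the product of x[i]^u[i], i.e. 1 iff every bit set in u is set in x."""
    return 1 if (x & u) == u else 0


def unit(i):
    """e_i in the paper's indexing, where bit [N-1] is the least significant bit."""
    return 1 << (N - 1 - i)


def dominates(u, k):
    """Wt(u) >= k componentwise: every bit of k is set in u."""
    return (u & k) == k


def add_const(x, rk):
    """Addition Modulo 2^n with constant rk (Sect. 3.2)."""
    return (x + rk) & MASK


def input_multiset(active, const):
    """All x whose active bits run through every value while the other bits stay fixed to const."""
    return [(const & ~active & MASK) | t for t in range(1 << N) if (t & ~active) == 0]


def classify(f, active, const):
    """Map each u to 0, 1 or 'unknown' by sweeping every round key rk."""
    xs = input_multiset(active, const)
    classes = {}
    for u in range(1 << N):
        parities = set()
        for rk in range(1 << N):
            parities.add(sum(pi(u, f(x, rk)) for x in xs) & 1)
        classes[u] = 'unknown' if len(parities) == 2 else parities.pop()
    return classes


def k_set(classes):
    """Minimal unknown vectors: the K-set of Definition 2."""
    unknown = [u for u, c in classes.items() if c == 'unknown']
    return {u for u in unknown
            if not any(k != u and dominates(u, k) for k in unknown)}


def l_set(classes, K):
    """Vectors with parity always 1 that no k in K dominates: the L-set of Definition 2."""
    return {u for u, c in classes.items()
            if c == 1 and not any(dominates(u, k) for k in K)}


def zero_sum_bits(classes):
    """Bit positions i whose unit vector e_i has parity 0 for every key."""
    return [i for i in range(N) if classes[unit(i)] == 0]


if __name__ == "__main__":
    # constructed instance: the two LSBs of x take all four values, x[0] is fixed to 1
    active = unit(2) | unit(3)
    classes = classify(add_const, active, 0b1000)
    K = k_set(classes)
    print("K =", sorted(K), "L =", sorted(l_set(classes, K)),
          "zero-sum bits =", zero_sum_bits(classes))
```

On this instance the two low bits of z are zero-sum for every key, the product of those two bits sums to 1 for every key (the case conventional division property cannot express), and the two high bits depend on the key.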

4 Apply to ARX Block Ciphers

Our experiments were run with Python 3.4.3 and STP [12] (an SMT solver) on a virtual machine with an Intel(R) Core(TM) i5-4210M CPU (2.60 GHz), 1 GB RAM and Ubuntu 14.04.1.

4.1 Apply to SPECK Family Block Ciphers

4.1.1 Brief Description.

The SPECK-2n encryption map uses bitwise Xor, Addition Modulo \(2^n\), and left and right circular shifts \((S^j, S^{-j})\) by j bits on n-bit words. As the round key is Xored with the internal state, it has no effect on the propagation of division property. Division propagation through the SPECK round function is shown in Fig. 1. The shift amounts are \(\alpha =7\) and \(\beta =2\) if \(n=16\), and \(\alpha =8\) and \(\beta =3\) otherwise.

Fig. 1. Division propagation through SPECK round function

4.1.2 Modeling Round Function.

\((x_{i-1}, y_{i-1})\) and \((x_{i}, y_{i})\) are the input and output of the i-th round respectively. \((x_{in}, y_{in})\) are the inputs of Addition Modulo \(2^n\) and z is its output. \(y_{i-1}\) and \(z_{in}\) propagate through the Copy function to \((y_{in}, r_{in})\) and \((z_{out}, x_i)\) respectively. \(r_{out}\) and \(z_{out}\) are Xored to give \(y_i\). \(x_{i-1}\) and \(r_{in}\) propagate through the cyclic shift function to \(x_{in}\) and \(r_{out}\). z propagates through the Xor-round-key function to \(z_{in}\), and every possible value of lz affects \(kz_{in}\). With the propagation rules of bit-vector based division property using three subsets, we model the \(\mathbb {K}\)-set propagation system of bit-vector based division property using three subsets as

$$\begin{aligned} \left\{ \begin{array}{l} \mathcal {S}_{DP3_{\mathbb {K}}}(kx_{in}, ky_{in}\xrightarrow {\boxplus } kz) \\ (kx_{i-1}\ggg \alpha )\oplus kx_{in} = \varvec{0}\\ (kr_{in}\lll \beta )\oplus kr_{out} = \varvec{0}\\ DP3_{\mathbb {K}}(kz_{in}\xrightarrow {Copy} kz_{out}, kx_i) = \varvec{1} \\ DP3_{\mathbb {K}}(ky_{i-1}\xrightarrow {Copy} ky_{in}, kr_{in}) = \varvec{1} \\ DP3_{\mathbb {K}}(kr_{out}, kz_{out}\xrightarrow {Xor} ky_i) = \varvec{1}. \end{array} \right. \end{aligned}$$

Similarly, we model the \(\mathbb {L}\)-set propagation system of bit-vector based division property using three subsets as

$$\begin{aligned} \left\{ \begin{array}{l} \mathcal {S}_{DP3_{\mathbb {L}}}(lx_{in}, ly_{in}\xrightarrow {\boxplus } lz) \\ (lx_{i-1}\ggg \alpha )\oplus lx_{in} = \varvec{0}\\ (lr_{in}\lll \beta )\oplus lr_{out} = \varvec{0}\\ DP3_{\mathbb {L}}(lz\xrightarrow {Copy} lz_{out}, lx_i) = \varvec{1} \\ DP3_{\mathbb {L}}(ly_{i-1}\xrightarrow {Copy} ly_{in}, lr_{in}) = \varvec{1} \\ DP3_{\mathbb {L}}(lr_{out}, lz_{out}\xrightarrow {Xor} ly_i) = \varvec{1}. \end{array} \right. \end{aligned}$$

We then construct the dependencies between the variables lz and \(kz_{in}\). As Theorem 4 shows, for any possible value \(l=(l_0, l_1, ..., l_{n-1})\in lz\), we assign the value \((l_0, ..., l_i\vee 1, ..., l_{n-1})\) to \(kz_{in}\) for every \(i\in [0, n-1]\) with \(l_i= 0\).

4.1.3 Results for SPECK.

We find one more 6-round integral distinguisher for SPECK32 than conventional division property can find. Interestingly, no additional integral distinguishers are found for the other variants. The results are summarized in Table 2. In Appendix C.1, we give the detailed integral distinguishers for SPECK family block ciphers.

Table 2. Results for SPECK family block ciphers.

4.2 Apply to SIMON Family Block Ciphers

4.2.1 Brief Description.

SIMON is a family of lightweight block ciphers proposed by the NSA in 2013 [13]. It is a Feistel-like cipher with block sizes of 32, 48, 64, 96 and 128 bits. The variant operating on a 2n-bit state, where n is the word size and \(n \in \{16, 24, 32,48,64\}\), is referred to as SIMON2n; it has an efficient hardware implementation with rotation constants (1, 8, 2). The subkeys are derived from a master key by the key schedule. For a detailed description we refer the reader to [13]. Division propagation through the SIMON round function is shown in Fig. 2.

Fig. 2. Division propagation through SIMON round function

4.2.2 Modeling Round Function.

\((x_{i-1}, y_{i-1})\) and \((x_{i}, y_{i})\) are the input and output of the i-th round respectively. \(x_{i-1}\) propagates through the Copy function to \((u,v,w,y_i)\). \(u\lll 1\) and \(v\lll 8\) are compressed by the And operation to z. \((y_{i-1}, z)\) and \((w\lll 2, t)\) are Xored to give t and h respectively. h propagates through the Xor-round-key function to \(x_i\), and every possible value of lh affects \(kx_i\). With the propagation rules of bit-vector based division property using three subsets through ARX round components, we model the \(\mathbb {K}\)-set propagation system of bit-vector based division property using three subsets through the SIMON-2n round function as

$$\begin{aligned} \left\{ \begin{array}{l} DP3_{\mathbb {K}}(kx_{i-1}\xrightarrow {Copy} ku, kv, kg) = \varvec{1} \\ DP3_{\mathbb {K}}(kg\xrightarrow {Copy} kw, ky_{i}) = \varvec{1} \\ DP3_{\mathbb {K}}(ku\lll 1, kv\lll 8\xrightarrow {And} kz) = \varvec{1} \\ DP3_{\mathbb {K}}(ky_{i-1}, kz\xrightarrow {Xor} kt) = \varvec{1} \\ DP3_{\mathbb {K}}(kw\lll 2, kt\xrightarrow {Xor} kh) = \varvec{1}. \end{array} \right. \end{aligned}$$

Similarly, we model the \(\mathbb {L}\)-set propagation system of bit-vector based division property using three subsets through SIMON-2n round function as

$$\begin{aligned} \left\{ \begin{array}{l} DP3_{\mathbb {L}}(lx_{i-1}\xrightarrow {Copy} lu, lv, lg) = \varvec{1} \\ DP3_{\mathbb {L}}(lg\xrightarrow {Copy} lw, ly_{i}) = \varvec{1} \\ DP3_{\mathbb {L}}(lu\lll 1, lv\lll 8\xrightarrow {And} lz) = \varvec{0} \\ DP3_{\mathbb {L}}(ly_{i-1}, lz\xrightarrow {Xor} lt) = \varvec{1} \\ DP3_{\mathbb {L}}(lw\lll 2, lt\xrightarrow {Xor} lx_i) = \varvec{1}. \end{array} \right. \end{aligned}$$

We then construct the dependencies between the variables lh and \(kx_{i}\). As Theorem 4 shows, for any possible value \(l=(l_0, l_1, ..., l_{n-1})\in lh\), we assign the value \((l_0, ..., l_i\vee 1, ..., l_{n-1})\) to \(kx_{i}\) for every \(i\in [0, n-1]\) with \(l_i= 0\).

4.2.3 Results for SIMON.

For the SIMON-2n family with block sizes 32, 48, 64, 96 and 128, we propose 15-, 16-, 18-, 22- and 26-round integral distinguishers respectively. For SIMON32, we find the 15-round integral distinguishers with division property using three subsets automatically, which closes the one-round gap left by conventional division property without using three subsets. For SIMON48/64/96/128, we verify the margins Todo proposed in [4] with the strategy of “lazy propagation”. The results are summarized in Table 3. In Appendix C.2, we give some detailed integral distinguishers for SIMON family block ciphers.

Table 3. Results for SIMON family block ciphers.

5 Conclusion and Future Work

In this paper, we propose a SAT/SMT-based method for searching integral distinguishers of ARX block ciphers with bit-vector based division property using three subsets. We apply the method to ARX block ciphers including SPECK, SIMON, SIMECK, HIGHT, LEA, TEA and XTEA, among others. For SPECK family block ciphers, we present 6-round integral distinguishers for each of the five block sizes. Interestingly, we find one more integral distinguisher for SPECK32, which cannot be found with conventional division property. Unfortunately, we cannot find longer integral distinguishers with bit-vector based division property using three subsets. For SIMON32, we find 15-round integral distinguishers with bit-vector based division property using three subsets automatically. For the other variants of the SIMON family, we verify the security margin Todo proposed. Moreover, we apply our method to SIMECK, HIGHT, LEA, TEA and XTEA, among others; unfortunately, we find no new results. In future work, we will apply the bit-vector based division property using three subsets technique to S-box based block ciphers.