MILP-aided Method of Searching Division Property Using Three Subsets and Applications

Abstract

Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and then conventional bit-based division property (CBDP) and bit-based division property using three subsets (BDPT) were proposed by Todo and Morii at FSE 2016. At the very beginning, the two kinds of bit-based division properties once couldn’t be applied to ciphers with large block size just because of the huge time and memory complexity. At ASIACRYPT 2016, Xiang et al. extended Mixed Integer Linear Programming (MILP) method to search integral distinguishers based on CBDP. BDPT can find more accurate integral distinguishers than CBDP, but it couldn’t be modeled efficiently.

This paper focuses on the feasibility of searching integral distinguishers based on BDPT. We propose the pruning techniques and fast propagation of BDPT for the first time. Based on these, an MILP-aided method for the propagation of BDPT is proposed. Then, we apply this method to some block ciphers. For SIMON64, PRESENT, and RECTANGLE, we find more balanced bits than the previous longest distinguishers. For LBlock, we find a better 16-round integral distinguisher with less active bits. For other block ciphers, our results are in accordance with the previous longest distinguishers.

Cube attack is an important cryptanalytic technique against symmetric cryptosystems, especially for stream ciphers. And the most important step in cube attack is superpoly recovery. Inspired by the CBDP based cube attack proposed by Todo at CRYPTO 2017, we propose a method which uses BDPT to recover the superpoly in cube attack. We apply this new method to round-reduced Trivium. To be specific, the time complexity of recovering the superpoly of 832-round Trivium at CRYPTO 2017 is reduced from \(2^{77}\) to practical, and the time complexity of recovering the superpoly of 839-round Trivium at CRYPTO 2018 is reduced from \(2^{79}\) to practical. Then, we propose a theoretical attack which can recover the superpoly of Trivium up to 841 round.

Appendix

Table 7. The \(\mathbb {L}\) propagation of BDPT for the core operation of SIMON

Experimental Verification

Example 1. For 591-round Trivium and cube set \(C_{I_v,J_v,K_v}\), where \(I_v=\{13,23,\) \(33,43,53,63,73,83\}\), \(J_v=\{14,29,32,205,206,207\}\) and \(K_v=\{0,1,\cdots ,207\}-I_v-J_v\), we can get that the involved secret variables are \(\{x_{22},x_{23},x_{24},x_{66}\}\), the degree of superpoly is not larger than 2. Then, we use Algorithm 3 to recover all the ANF coefficients of the superpoly, which is in accordance with the practically recovered superpoly as follows:

$$\begin{aligned} p_{I_v,J_v,K_v}\left( \varvec{x}\right) =x_{66}+x_{24}+x_{23}x_{22}+1. \end{aligned}$$

Example 2. For 591-round Trivium and cube set \(C_{I_v,J_v,K_v}\), where \(I_v=\{13,23,\) \(33,43,53,63,73,83\}\), \(J_v=\{29,32,82,205,206,207\}\), and \(K_v=\{0,1,\cdots ,207\}-I_v-J_v\), we can get that the involved secret variables are \(\{x_{22},x_{23},x_{24},x_{65},x_{66}\}\), the degree of superpoly is not larger than 3. Then, we use Algorithm 3 to recover the superpoly, which is in accordance with the practically recovered superpoly as follows:

$$\begin{aligned} p_{I_v,J_v,K_v}\left( \varvec{x}\right) =x_{65}x_{23}x_{22}+x_{65}x_{24}+x_{66}x_{65}+x_{65}. \end{aligned}$$