Improved Division Property for Ciphers with Complex Linear Layers

Abstract

The division property proposed by Todo at EUROCRYPT 2015 as a generalized integral property has been applied to many symmetric ciphers. Automatic search methods of the division property assisted by modeling technique, such as Mixed Integer Linear Programming (MILP) and Boolean Satisfiability Problem (SAT), have become the most popular approach to searching integral distinguishers. The accuracy of the model in searching algorithms has an effect on the search results of integral distinguishers. For the block cipher, constructing an accurate and efficient model of the division property propagation on complex linear layers remains hard. This paper observes that the non-independent propagations of the bit-based division property (BDP) on complex linear layers can generate redundant division trails, which will affect the accuracy of the model if it is not taken into account in modeling. Based on this, we propose a method that can build a more accurate model by handling matrices containing non-independent propagations in the linear layer. To verify the effectiveness of our method, we apply the method to two block ciphers uBlock-128 and MIBS. For uBlock-128, our results improve the previous 8-round integral distinguisher by more balanced bits. For MIBS, a 9-round integral distinguisher is given for the first time, which is 4 rounds longer than the previous best.

Appendices

A Linear Inequalities for S-Boxes in uBlock-128

The following inequalities are the 12 inequalities used to describe uBlock S-box in MILP model of BDP, and \((a_{3},a_{2},a_{1},a_{0})\rightarrow (b_{3},b_{2},b_{1},b_{0})\) denotes a division trail of S-box.

$$\begin{aligned} \left\{ \begin{aligned}&a_3+a_2+a_1+a_0-b_3-b_2-b_1-b_0\ge 0\\&-3a_3-a_2-2a_1-4a_0+3b_3+b_2+2b_1-b_0\ge -5\\&2a_3-a_0-2b_3-b_2-b_1+b_0\ge -2\\&-4a_3-3a_2-2a_1-2a_0-b_3+3b_2+b_1+2b_0\ge -6\\&-a_1+2a_0-b_3-b_2+b_1-2b_0\ge -2\\&-a_3-a_2-2a_0+b_3+2b_2+3b_1+2b_0\ge 0\\&a_3+a_0+b_3-2b_2-2b_1-b_0\ge -2\\&a_1+2a_0-b_3-b_2-b_1-b_0\ge -1\\&a_3-b_1-b_0\ge -1\\&-a_3-a_1+b_3+2b_2+b_1+b_0\ge 0\\&a_1-b_3-b_1\ge -1\\&a_2-b_2-b_1\ge -1\\ \end{aligned} \right. \end{aligned}$$

B Linear Inequalities for S-Boxes in MIBS

The following inequalities are the 12 inequalities used to describe MIBS S-box in MILP model of BDP, and \((d_{3},d_{2},d_{1},d_{0})\rightarrow (b_{3},b_{2},b_{1},b_{0})\) denotes a division trail of S-box.

$$\begin{aligned} \left\{ \begin{aligned}&d_3 + d_2 + 4 d_1 + d_0 - 2 b_3 - 2 b_2 - 2 b_1 - 2 b_0 \ge -1\\&3 d_2 - b_3 - b_2 - b_1 - b_0 \ge -1\\&-d_3 - 2 d_2 - 2 d_1 - d_0 - b_3 - 2 b_2 + 4 b_1 - b_0 \ge -6\\&-d_3 - 2 d_2 - 2 d_1 - d_0 + 5 b_3 + 4 b_2 + 5 b_1 + 5 b_0 \ge 0\\&-d_3 - d_2 - d_1- b_3 + 3 b_2 - 2 b_1 - b_0 \ge -4\\&-d_3 - d_0 - 2 b_3 - b_2 - b_1 + 3 b_0 \ge -3\\&d_3 + b_3 - b_2 - b_1 - b_0 \ge -1\\&-d_3 - d_2 - d_0 + b_3 + 2 b_2 + 2 b_1 + b_0 \ge -1\\&- d_1 - b_3 - b_2 + 2 b_1 - b_0 \ge -2\\ \end{aligned} \right. \end{aligned}$$