1 Introduction

Automatic tools for cryptanalysis play an increasingly important role in the design and cryptanalysis of symmetric ciphers. One common way to construct such tools is to transform the search problem into a mathematical problem for which existing solvers can be invoked. The mathematical problems involved can be roughly divided into three categories: the Boolean Satisfiability Problem (SAT)/Satisfiability Modulo Theories (SMT) problem [7, 16, 24, 32], the Mixed Integer Linear Programming (MILP) problem [10, 25, 39, 45], and the Constraint Programming (CP) problem [12, 38]. Initially, research on the automatic search of distinguishers concentrated on detecting differential and linear characteristics, since differential [4] and linear [20] cryptanalysis are two of the most powerful techniques against symmetric-key primitives. Recently, with the advent of division property [41], a generalized integral property, research on automatically searching for division property has emerged.

Division property was proposed by Todo [41] at Eurocrypt 2015, originally to search for integral distinguishers of block cipher structures. Using this newly identified property, Todo broke MISTY1 [21] for the first time at Crypto 2015. Later, Todo and Morii [42] introduced the bit-based division property at FSE 2016, which propagates each bit independently, and a 14-round integral distinguisher for SIMON32 [3] was detected. Depending on how the internal state is partitioned, the methods behind the obtained distinguishers fall into three categories. (1) State-based division property: evaluate the division properties of some generalized structures. Todo [41] carried out an extensive study of the 2-branch Feistel structure and of SPN on the whole state. Related works were provided in [5]. (2) Word-based division property: evaluate the division properties of some specific ciphers at the word level. Todo [41] implemented the search for a variety of AES-like ciphers with 4-bit S-boxes, and the 6-round integral distinguisher [40] for MISTY1 was obtained based on this method. Some works on this topic were introduced in [34, 35, 46]. (3) Bit-based division property: evaluate the propagation of division property at the bit level. Note that a finer partition is more likely to yield better distinguishers, since more information can be taken into account. All published automatic tools for integral distinguishers based on division property focus on the bit level. At Asiacrypt 2016, Xiang et al. [45] applied the MILP method to search for integral distinguishers with bit-based division property. Soon after, an MILP-based automatic search of integral distinguishers for ARX ciphers was proposed in [36]. Many other automatic tools relying on MILP and CP can be found in [37, 38, 47].

ARX ciphers constitute a broad class of symmetric-key cryptographic algorithms composed of a small set of simple operations such as modular addition, bit rotation, bit shift and XOR. To claim the security of ARX ciphers, one way is to prove security bounds, as Dinu et al. showed in [9], where a long trail design strategy for ARX ciphers with provable bounds was proposed. The other is to estimate the maximum number of rounds of the detectable distinguishers, which relies heavily on automatic tools that convert the search for distinguishers into an SAT/SMT problem or an MILP problem. The results show that SAT/SMT-based methods [18, 24, 32] outperform MILP-based methods [10] in the search for differential/linear characteristics of ARX ciphers. Hence, for bit-based division property, it is worth exploring whether automatic tools based on the SAT/SMT method can be constructed and provide better performance for ARX primitives.

Although the search of bit-based division property can take advantage of more details, it is infeasible to trace the division property propagation at the bit level for some ciphers with a large state and complicated operations, such as Rijndael [8] with a 256-bit block size. To obtain a tradeoff between accuracy and practicability when detecting the division property, we also consider building an automatic tool to search for integral distinguishers based on word-based division property.

Our Contributions. For integral cryptanalysis, we construct automatic search tools for bit-based division property of ARX ciphers and for word-based division property of some specific ciphers. The key point is to translate the propagation of division property into an SAT/SMT problem and control the function calls. Specifically, the contributions can be summarized as follows:

Table 1. Summary of integral distinguishers.
  • For ARX ciphers, we propose automatic tools to search for integral distinguishers using bit-based division property. First, we model the division property propagations of the three basic operations, i.e., Copy, AND, and XOR, and present formulas in Conjunctive Normal Form (CNF) for them. Then, the concrete equations depicting bit-based division property propagation through the modular addition operation can be derived. The initial division property and stopping rule are also transformed into logical equations. Finally, the propagation of division property for an ARX cipher is described by a system of logical equations in CNF, where some logical formulas can be dynamically adjusted according to different initial division properties of the input multi-set and final division properties of the output multi-set, while the others, corresponding to r-round propagations, remain the same.

  • For integral cryptanalysis, it is better to adopt distinguishers with lower data requirements, and our approach can efficiently identify some optimal distinguishers which require fewer chosen plaintexts among the distinguishers of the same length. Our search approach is composed of two algorithms. The first restricts the search scope of the initial division property and determines the maximum number of rounds of distinguishers achievable in our model. The second optimizes the distinguishers based on the first algorithm’s output.

  • For word-based division property, we construct an automatic tool based on the SMT method. We first study how to model the division property propagations of basic operations by logical formulas. Moreover, by the exclusion method, we construct formulas depicting the possible propagations calculated by the Substitution rule. With some available solvers, we can efficiently search for integral distinguishers by setting the initial division property and stopping rule appropriately. Finally, the problem of searching for division property can be transformed into an SMT problem.

  • New integral distinguishers are detected for some ARX ciphers, such as SHACAL-2 [13], LEA [14], and HIGHT [15]. With the two algorithms mentioned above, the number of initial division properties required to be evaluated for SHACAL-2 is reduced from \(2^{79.24}\) to 410, so that we can easily obtain a 17-round integral distinguisher with data complexity \(2^{241}\) chosen plaintexts, which achieves four more rounds than previous work. For LEA, an 8-round distinguisher is identified, which covers one more round than the one found by MILP method [36]. For HIGHT, although the lengths and data requirements of the newly obtained distinguishers are not improved, some of them have more zero-sum bits than those proposed in [36].

  • New word-based division properties are presented for some specific ciphers. For CLEFIA [31], we discover 10-round distinguishers, which attain one more round than the one proposed in [19]. With the newly obtained distinguishers for CLEFIA, we can improve the previous integral attacks by one round. The data requirements of the 4/5-round integral distinguishers for the internal block cipher of Whirlpool [1] are reduced. As for Rijndael-192 and Rijndael-256 [8], 6-round distinguishers are proposed, which cover two more rounds than the previous work.

Our main results and the comparisons are listed in Tables 1 and 3.

The rest of the paper is organized as follows. In Sect. 2, some notations and background are introduced. Section 3 focuses on the automatic search of integral distinguishers with bit-based division property for ARX ciphers. The automatic method relying on SMT to search integral distinguishers in accordance with word-based division property is provided in Sect. 4. Section 5 presents some applications of the developed automatic tools. We conclude the paper in Sect. 6.

2 Preliminary

2.1 Notations

For any \(a \in \mathbb {F}_{2}^{n}\), its i-th element is denoted as a[i], where the bit positions are labeled in big-endian order, and the Hamming weight w(a) is calculated by \(w(a) = \sum \limits _{i=0}^{n-1} a[i]\). For any \(\varvec{a} = (a_{0}, a_{1}, \ldots , a_{m-1}) \in \mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\), the vectorial Hamming weight of \(\varvec{a}\) is defined as \(W(\varvec{a}) = \left( w(a_{0}), w(a_{1}), \ldots , w(a_{m-1})\right) \in \mathbb {Z}^{m}\). For any \(\varvec{k} \in \mathbb {Z}^{m}\) and \(\varvec{k'} \in \mathbb {Z}^{m}\), we define \(\varvec{k} \succeq \varvec{k'}\) if \(k_{i} \ge k_{i}'\) for all i. Otherwise, \(\varvec{k} \nsucceq \varvec{k'}\).

For any set \(\mathbb {K}\), \(|\mathbb {K}|\) denotes the number of elements in \(\mathbb {K}\). \(\emptyset \) stands for an empty set. Denote \(\mathbb {Z}_{m}\) the set \(\{0, 1, \ldots , m\}\).

Definition 1

(Bit Product Function). Assume \(u \in \mathbb {F}_{2}^{n}\) and \(x \in \mathbb {F}_{2}^{n}\). The Bit Product Function \(\pi _{u}\) is defined as

$$\begin{aligned} \pi _{u}(x) = \prod _{i=0}^{n-1}x[i]^{u[i]}. \end{aligned}$$

For \(\varvec{u} = (u_{0}, u_{1}, \ldots , u_{m-1}) \in \mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\), let \(\varvec{x} = (x_{0}, x_{1}, \ldots , x_{m-1}) \in \mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\) be the input; the Bit Product Function \(\pi _{\varvec{u}}\) is defined as

$$\begin{aligned} \pi _{\varvec{u}}(\varvec{x}) = \prod _{i=0}^{m-1}\pi _{u_{i}}(x_{i}). \end{aligned}$$

2.2 Division Property

The original integral distinguishers mainly focus on the propagation of the ALL and BALANCE properties [17]. The division property, proposed by Todo at Eurocrypt 2015 [41], is a generalized integral property that traces the implicit properties lying between the traditional ALL and BALANCE properties. First, a set of plaintexts whose division property follows the initial division property is chosen. Then, the division property of the set of texts encrypted over one round is deduced from the propagation rules. Iterating this, we can track the division property over several rounds and determine whether integral distinguishers exist. In the following, we briefly recall the definition of division property and the propagation rules for the basic operations involved in the encryption process.

Definition 2

(Division Property [41]). Let \(\mathbb {X}\) be a multi-set whose elements take values from \(\mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\). When the multi-set \(\mathbb {X}\) has the division property \(\mathcal {D}_{\mathbb {K}}^{\ell _{0}, \ell _{1}, \ldots , \ell _{m-1}}\), where \(\mathbb {K}\) denotes a set of m-dimensional vectors whose i-th element takes a value between 0 and \(\ell _{i}\), it fulfills the following conditions:

$$\begin{aligned} \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x}) = \left\{ \begin{array}{ll} \text {unknown }&{}\text {if there is }\varvec{k} \in \mathbb {K}{} \textit{ s.t. }W(\varvec{u}) \succeq \varvec{k},\\ 0 &{}\text {otherwise.}\\ \end{array} \right. \end{aligned}$$

Remark 1

Note that \(\ell _{0}\), \(\ell _{1}\), \(\ldots \), \(\ell _{m-1}\) are restricted to 1 when we consider bit-based division property.

Propagation Rules for Division Property.

Rule 1

(Substitution [41]). Let F be a function that consists of m S-boxes, where the i-th S-box has bit length \(\ell _{i}\) and algebraic degree \(d_{i}\). The input and the output take values from \(\mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\), and \(\mathbb {X}\) and \(\mathbb {Y}\) denote the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has division property \(\mathcal {D}_{\mathbb {K}}^{\ell _{0}, \ell _{1}, \ldots , \ell _{m-1}}\), where \(\mathbb {K}\) denotes a set of m-dimensional vectors whose i-th element takes a value between 0 and \(\ell _{i}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\mathbb {K}'}^{\ell _{0}, \ell _{1}, \ldots , \ell _{m-1}}\), where

$$\begin{aligned} \mathbb {K}' = \left\{ \left( \left\lceil \frac{k_{0}}{d_{0}}\right\rceil , \left\lceil \frac{k_{1}}{d_{1}}\right\rceil , \cdots , \left\lceil \frac{k_{m-1}}{d_{m-1}}\right\rceil \right) \bigg | \varvec{k} = (k_{0}, k_{1}, \ldots , k_{m-1}) \in \mathbb {K} \right\} . \end{aligned}$$

Rule 2

(Copy [41]). Let F be a copy function, where the input x takes value from \(\mathbb {F}_{2}^{n}\) and the output is calculated as \((y_{0}, y_{1}) = (x, x)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has the division property \(\mathcal {D}_{\{k\}}^{n}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\mathbb {K}'}^{n,n}\), where

$$\begin{aligned} \mathbb {K}' = \left\{ (k-i, i) | 0 \leqslant i \leqslant k\right\} . \end{aligned}$$

Rule 3

(XOR [41]). Let F be an XOR function, where the input \((x_{0}, x_{1})\) takes values from \(\mathbb {F}_{2}^{n} \times \mathbb {F}_{2}^{n}\) and the output is calculated as \(y = x_{0} \oplus x_{1}\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has division property \(\mathcal {D}_{\mathbb {K}}^{n,n}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\{k'\}}^{n}\), where

$$\begin{aligned} k' = \min \left\{ k_{0} + k_{1} | (k_{0},k_{1}) \in \mathbb {K}\right\} . \end{aligned}$$

Here, if \(k'\) is larger than n, the propagation characteristic of division property is aborted. Namely, a value of \(\bigoplus \limits _{y \in \mathbb {Y}}\pi _{v}(y)\) is 0 for all \(v \in \mathbb {F}_{2}^{n}\).

Rule 4

(Split [41]). Let F be a split function, where the input x is an element belonging to \(\mathbb {F}_{2}^{n}\) and the output is calculated as \(y_{0} \Vert y_{1} = x\), where \((y_{0}, y_{1})\) takes value from \(\mathbb {F}_{2}^{n_{0}} \times \mathbb {F}_{2}^{n-n_{0}}\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has the division property \(\mathcal {D}_{\{k\}}^{n}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\mathbb {K}'}^{n_{0}, n-n_{0}}\), where

$$\begin{aligned} \mathbb {K}' = \left\{ (k-i, i) | 0 \leqslant i \leqslant k, k-i \leqslant n_{0}, i \leqslant n-n_{0} \right\} . \end{aligned}$$

Rule 5

(Concatenation [41]). Let F be a concatenation operation, where the input \((x_{0}, x_{1})\) takes value from \(\mathbb {F}_{2}^{n_{0}} \times \mathbb {F}_{2}^{n_{1}}\) and the output is calculated as \(y = x_{0} \Vert x_{1}\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has the division property \(\mathcal {D}_{\mathbb {K}}^{n_{0}, n_{1}}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\{k'\}}^{n_{0}+n_{1}}\), where

$$\begin{aligned} k' = \min \{ k_{0} + k_{1} | (k_{0}, k_{1}) \in \mathbb {K}\}. \end{aligned}$$

The above rules are defined at the word level; when it comes to bit-based division property, the Copy and XOR rules apply naturally. Another important propagation rule under bit-based division property is AND, which is stated in the following.

Rule 6

(Bit-based \(\mathtt {AND}\) [42]). Let F be an AND function, where the input \((x_{0}, x_{1})\) takes value from \(\mathbb {F}_{2} \times \mathbb {F}_{2}\), and the output is calculated as \(y = x_{0} \wedge x_{1}\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multi-sets, respectively. Assuming that \(\mathbb {X}\) has division property \(\mathcal {D}_{\mathbb {K}}^{1,1}\), the division property of \(\mathbb {Y}\) is \(\mathcal {D}_{\mathbb {K}'}^{1}\), where

$$\begin{aligned} \mathbb {K}' = \left\{ \left\lceil \frac{k_{0}+k_{1}}{2}\right\rceil \bigg | \varvec{k} = (k_{0}, k_{1}) \in \mathbb {K}\right\} . \end{aligned}$$
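As an added illustration (not code from the paper), Rules 1 to 6 above as Python functions on sets of vectors, the test of Proposition 1, and a constructed 2-branch Feistel round that chains Copy, Substitution and XOR; `reduce_k`, which drops dominated vectors, is the standard redundancy removal and is not part of the rules as stated.

```python
"""Word-based division property propagation (Rules 1-6 above) on sets of vectors
k in Z^m, plus the test of Proposition 1 and a constructed Feistel round."""
from math import ceil


def reduce_k(K):
    """Drop dominated vectors: if k >= k' componentwise for another k' in K, every u with
    W(u) >= k also has W(u) >= k', so k adds nothing. Standard redundancy removal; it is
    not part of the rules as stated above."""
    K = set(K)
    return {k for k in K
            if not any(k2 != k and all(x >= y for x, y in zip(k, k2)) for k2 in K)}


def substitution(K, degrees):
    """Rule 1: the i-th S-box of algebraic degree d_i maps k_i to ceil(k_i / d_i)."""
    return reduce_k({tuple(ceil(k / d) for k, d in zip(vec, degrees)) for vec in K})


def copy(K):
    """Rule 2: an n-bit word with D_{{k}}^n yields every (k - i, i), 0 <= i <= k."""
    return reduce_k({(k - i, i) for (k,) in K for i in range(k + 1)})


def xor(K, n):
    """Rule 3: k' = min(k0 + k1); if k' > n the propagation is aborted (every output
    sum is 0), which is represented here by the empty set."""
    kp = min(k0 + k1 for k0, k1 in K)
    return set() if kp > n else {(kp,)}


def split(K, n, n0):
    """Rule 4: as Copy, but each part must fit into its word length."""
    return reduce_k({(k - i, i) for (k,) in K for i in range(k + 1)
                     if k - i <= n0 and i <= n - n0})


def concat(K):
    """Rule 5: k' = min(k0 + k1); it never exceeds n0 + n1, so there is no abort case."""
    return {(min(k0 + k1 for k0, k1 in K),)}


def bit_and(K):
    """Rule 6 (bit level, l_i = 1): k' = ceil((k0 + k1) / 2)."""
    return reduce_k({(ceil((k0 + k1) / 2),) for k0, k1 in K})


def no_integral_property(K, m):
    """Proposition 1: K contains all m unit vectors, so no bit-product sum is known to be 0."""
    units = {tuple(int(j == i) for j in range(m)) for i in range(m)}
    return units <= set(K)


def feistel_round(K, n, d):
    """One 2-branch Feistel round (x0, x1) -> (x0 xor S(x1), x1) with an n-bit S-box of
    degree d (a constructed example, not a cipher from the paper). Every vector of K is
    pushed through Copy, Substitution and XOR, and the results are merged."""
    out = set()
    for k0, k1 in K:
        for k_s, k_out in copy({(k1,)}):                 # x1 goes to the S-box and to the output
            (ks_vec,) = substitution({(k_s,)}, (d,))     # S-box on one copy
            for (kx,) in xor({(k0, ks_vec[0])}, n):      # XOR with x0; empty when aborted
                out.add((kx, k_out))
    return reduce_k(out)
```

With a 4-bit cubic S-box and the input property (0, 4), the round yields {(2, 0), (1, 1), (0, 4)}: the vectors (1, 2) and (1, 3) are produced as well but are dominated by (1, 1).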

Similar to differential/linear characteristic in differential/linear cryptanalysis, the concatenation of r division properties of the internal states constitutes an r-round division trail, which is formally defined in the following.

Definition 3

(Division Trail [45]). Let f be the round function of an iterated block cipher. Assume that the input multi-set has division property \(\mathcal {D}_{\{\varvec{k}\}}^{\ell _{0}, \ell _{1}, \cdots , \ell _{m-1}}\), and the internal state after i rounds has division property \(\mathcal {D}_{\mathbb {K}_{i}}^{\ell _{0}, \ell _{1}, \cdots , \ell _{m-1}}\). Thus we have the following chain of division property propagations:

$$\begin{aligned} \{\varvec{k}\} \triangleq \mathbb {K}_{0} \xrightarrow {f} \mathbb {K}_{1} \xrightarrow {f} \mathbb {K}_{2} \xrightarrow {f} \cdots \xrightarrow {f} \mathbb {K}_{r}. \end{aligned}$$

Moreover, for any vector \(\varvec{k}_{i}^{*} \in \mathbb {K}_{i}\) \((i \geqslant 1)\), there must exist a vector \(\varvec{k}_{i-1}^{*} \in \mathbb {K}_{i-1}\) such that \(\varvec{k}_{i-1}^{*}\) can propagate to \(\varvec{k}_{i}^{*}\) by propagation rules. Furthermore, for \((\varvec{k}_{0}, \varvec{k}_{1}, \ldots , \varvec{k}_{r}) \in \mathbb {K}_{0} \times \mathbb {K}_{1} \times \cdots \times \mathbb {K}_{r}\), if \(\varvec{k}_{i-1}\) can propagate to \(\varvec{k}_{i}\) for all \(i \in \{1, 2, \ldots , r\}\), we call \((\varvec{k}_{0}, \varvec{k}_{1}, \ldots , \varvec{k}_{r})\) an r-round division trail.

The propagation of division property round by round will eventually lead to a multi-set without integral property. The following proposition can be used to detect whether a set has integral property or not, which helps us to decide when to stop propagating.

Proposition 1

(Set without Integral Property [45]). Assume \(\mathbb {X}\) is a multi-set satisfying division property \(\mathcal {D}_{\mathbb {K}}^{\ell _{0}, \ell _{1}, \cdots , \ell _{m-1}}\), then \(\mathbb {X}\) does not have integral property if and only if \(\mathbb {K}\) contains all vectors with vectorial Hamming weight 1.

Distinguishing Attacks with Division Property.

Suppose the output division property of an integral distinguisher has the balanced property on b bits. Once the sum for each of the b bits is zero, the distinguisher \(\mathcal {D}\) outputs ‘1’; otherwise, it outputs ‘0’. The success rate p of the distinguishing attack is composed of two cases: \(\mathcal {D}\) outputs ‘1’ when the oracle \(\mathcal {O}\) is actually a concrete cipher \(\mathcal {F}\), and \(\mathcal {D}\) outputs ‘0’ when \(\mathcal {O}\) is a random permutation \(\mathcal {RP}\). For \(\mathcal {F}\), the balanced property holds with probability 1, while for \(\mathcal {RP}\) it holds with probability \(2^{-b}\). Assuming that the oracle is \(\mathcal {F}\) or \(\mathcal {RP}\) with probability 0.5 each, it is clear that \(p = 0.5 \cdot 1 + 0.5 \cdot (1-2^{-b}) = 1-2^{-b-1}\), which is 0.75 for \(b = 1\) and suffices for a distinguishing attack.

In order to increase the success rate, we can repeat the distinguishing attack with different chosen-plaintext structures. For an n-bit cipher, suppose that the input division property requires t bits to be traversed. Then the distinguisher can be replayed at most \(2^{n-t}\) times. The data complexity of the distinguishing attack needs to be determined accordingly.

2.3 SAT and SMT Problems

In computer science, the Boolean Satisfiability Problem (SAT) [6] is the problem of determining if there exists an interpretation that satisfies a given Boolean formula. In other words, it discusses whether the variables involved in a given Boolean formula can be consistently replaced by the value True or False so that the formula is evaluated to be True. If this is the case, the formula is called satisfiable.

The Satisfiability Modulo Theories (SMT) [2] problem is a decision problem for logical formulas expressed in classical first-order logic with equality. An SMT instance is a generalization of SAT instance in which various sets of variables are replaced by predicates from a variety of underlying theories. SMT formulas provide a much richer modeling language than is possible with SAT formulas.

To solve SAT and SMT problems, many openly available solvers exist; we use CryptoMiniSat and STP, respectively. To search for integral distinguishers efficiently, we adopt the C++ interface of CryptoMiniSat and the Python interface of STP.

3 Automatic Search of Bit-Based Division Property for ARX Ciphers

For ARX ciphers, since the SAT/SMT method [18, 24, 32] is more suitable than the MILP method [10] for searching differential/linear characteristics, we construct the automatic search tool relying on SAT instead of MILP. First, we model the division property propagations of three basic operations, i.e., Copy, AND, and XOR, and construct formulas in Conjunctive Normal Form (CNF) for them. Then, the model describing bit-based division property propagation through the modular addition operation is constructed from the three basic models. By setting the initial division property and stopping rule appropriately, the problem of searching for integral distinguishers using bit-based division property for ARX ciphers can be converted into an SAT problem and solved efficiently.

3.1 Models of Basic Operations at the Bit Level

We consider the division property propagations of the three basic operations (Copy, AND and XOR) at the bit level, and the input and output are composed of bit variables which take a value of 0 or 1. Then the division trails of each operation correspond to vectors formed by the input and output variables. To depict the propagations of these operations, we translate the rules in Sect. 2.2 into formulas in CNF, of which the solutions correspond to all the possible division trails. More specifically, we first determine all the vectors corresponding to division trails, and then exclude those impossible vector values by logical formulas. We call this idea the exclusion method. By analyzing all the possible division trails of bit-based Copy, AND and XOR operations, we construct models to describe bit-based division property propagations for them.

Model 1

(Bit-based Copy). Denote \((a) \xrightarrow {\texttt {Copy}} (b_{0}, b_{1})\) a division trail of Copy operation; the following logical equations are sufficient to depict the propagation of bit-based division property,

$$\begin{aligned} \left\{ \begin{array}{ll} \overline{b_{0}} \vee \overline{b_{1}} = 1\\ a \vee b_{0} \vee \overline{b_{1}} = 1\\ a \vee \overline{b_{0}} \vee b_{1} = 1\\ \overline{a} \vee b_{0} \vee b_{1} = 1 \end{array} \right. . \end{aligned}$$

Proof: Let \((a, b_{0}, b_{1})\) be the 3-bit vector composed of the input and output division properties. For an arbitrary 3-bit vector, it has eight possible values, which are

$$\begin{aligned} {\mathbf {(0, 0, 0)}}, \text {(0, 0, 1)}, \text {(0, 1, 0)}, \text {(0, 1, 1)}, \text {(1, 0, 0)}, {\mathbf {(1, 0, 1)}}, {\mathbf {(1, 1, 0)}}, \text {(1, 1, 1)}. \end{aligned}$$

When restricting to Copy operation, there are three division trails corresponding to the values in bold above. Thus, \((*, 1, 1)\), (0, 0, 1), (0, 1, 0), and (1, 0, 0) are impossible cases required to be excluded, where \(*\) can take 0 or 1.

In order to eliminate \((*, 1, 1)\), we assert \(\overline{b_{0}} \vee \overline{b_{1}} = 1\). With this assertion, \((a, b_{0}, b_{1})\) cannot take values of the form \((*, 1, 1)\). Then, after eliminating all impossible cases in a similar way, we obtain the set of formulas in CNF to describe bit-based division property propagation of Copy operation.    \(\square \)

When it comes to the bit-based AND operation, similar to the procedure for Copy operation, we consider all the possible division trails. Denote \((a_{0}, a_{1})\) the bit variables representing the input division property of AND operation, and let b be the bit variable standing for the output division property. Obviously, there are four division trails for AND operation, which are \((0, 0) \rightarrow (0)\), \((1, 0) \rightarrow (1)\), \((0, 1) \rightarrow (1)\), and \((1, 1) \rightarrow (1)\). Therefore, the set of logical equations has four solutions corresponding to \((a_{0}, a_{1}, b)\), i.e., (0, 0, 0), (0, 1, 1), (1, 0, 1), and (1, 1, 1). Thus, we need to delete the impossible ones as follows.

Model 2

(Bit-based AND). Denote \((a_{0}, a_{1}) \xrightarrow {\texttt {AND}} (b)\) a division trail of AND function; the following logical equations are sufficient to describe bit-based division property propagation of AND operation,

$$\begin{aligned} \left\{ \begin{array}{ll} \overline{a_{1}} \vee b = 1\\ a_{0} \vee a_{1} \vee \overline{b} = 1\\ \overline{a_{0}} \vee b = 1\\ \end{array} \right. . \end{aligned}$$

For bitwise XOR operation, only three division trails are possible, which are (0, 0, 0), (0, 1, 1), (1, 0, 1), and the model can be constructed in a similar way.

Model 3

(Bit-based XOR). Denote \((a_{0}, a_{1}) \xrightarrow {\texttt {XOR}} (b)\) a division trail of XOR function; the following logical equations are sufficient to evaluate the bit-based division property through XOR operation,

$$\begin{aligned} \left\{ \begin{array}{ll} \overline{a_{0}} \vee \overline{a_{1}} = 1\\ a_{0} \vee a_{1} \vee \overline{b}= 1\\ a_{0} \vee \overline{a_{1}} \vee b= 1\\ \overline{a_{0}} \vee a_{1} \vee b= 1\\ \end{array} \right. . \end{aligned}$$

For specific ciphers, such as HIGHT [15], TEA [44], and XTEA [26], we also encounter cases where the number of output branches for Copy operation or the number of input branches for XOR operation is more than 2. The exclusion method can be generalized accordingly, and we omit it for space limitation.
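The exclusion method as executable code, added here and not taken from the paper: it derives a clause set from the list of possible trails, checks by brute force that the clauses of Models 1 to 3 (transcribed below) have exactly the stated trails as solutions, and extends to the multi-branch Copy and multi-input XOR cases the text omits; the clause-merging step is an assumption about how a pattern such as (*, 1, 1) is collapsed into one clause.

```python
"""Exclusion method (Sect. 3.1): derive CNF clauses whose solutions are exactly the
division trails of a bit-level operation, then check them by brute force."""
from itertools import product


# A clause is a frozenset of literals (variable_index, polarity); True means x, False means not x.
def exclusion_cnf(num_vars, trails):
    """One clause per impossible assignment, built so that the clause is false exactly there."""
    allowed = set(trails)
    clauses = set()
    for assignment in product((0, 1), repeat=num_vars):
        if assignment not in allowed:
            # the literal falsified by this assignment: x when the bit is 0, not x when it is 1
            clauses.add(frozenset((i, bit == 0) for i, bit in enumerate(assignment)))
    return merge_clauses(clauses)


def merge_clauses(clauses):
    """Replace a pair (C or x), (C or not x) by C. This is an equivalence, so the solution
    set is unchanged; it is how the two cases (0,1,1) and (1,1,1) of Model 1 become the
    single clause (not b0 or not b1)."""
    clauses = set(clauses)
    changed = True
    while changed:
        changed = False
        for c1 in list(clauses):
            for c2 in list(clauses):
                diff = c1 ^ c2
                if (len(diff) == 2 and len({v for v, _ in diff}) == 1
                        and c1 in clauses and c2 in clauses):
                    clauses -= {c1, c2}
                    clauses.add(c1 & c2)
                    changed = True
    return clauses


def solutions(num_vars, clauses):
    """Brute-force SAT: all assignments satisfying every clause (fine for a few variables)."""
    return {assignment for assignment in product((0, 1), repeat=num_vars)
            if all(any((assignment[v] == 1) == pol for v, pol in c) for c in clauses)}


# Division trails of the basic operations as vectors (inputs..., output), cf. Models 1-3
COPY_TRAILS = {(0, 0, 0), (1, 0, 1), (1, 1, 0)}           # (a, b0, b1)
AND_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)}  # (a0, a1, b)
XOR_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1)}             # (a0, a1, b)


def lit(token):
    """'~1' -> (1, False), '2' -> (2, True); variables are numbered in the order above."""
    return (int(token.lstrip("~")), not token.startswith("~"))


def cnf(*clauses):
    return {frozenset(lit(t) for t in clause.split()) for clause in clauses}


# The clause sets printed in Models 1-3, transcribed for comparison
MODEL1 = cnf("~1 ~2", "0 1 ~2", "0 ~1 2", "~0 1 2")
MODEL2 = cnf("~1 2", "0 1 ~2", "~0 2")
MODEL3 = cnf("~0 ~1", "0 1 ~2", "0 ~1 2", "~0 1 2")


def copy_trails(branches):
    """Copy with several output branches (the HIGHT/TEA/XTEA case): a 1 goes to exactly one branch."""
    units = [tuple(int(j == i) for j in range(branches)) for i in range(branches)]
    return {(0,) * (branches + 1)} | {(1,) + u for u in units}


def xor_trails(inputs):
    """XOR with several inputs: the output bit is the sum of the inputs, at most one of which is 1."""
    units = [tuple(int(j == i) for j in range(inputs)) for i in range(inputs)]
    return {(0,) * (inputs + 1)} | {u + (1,) for u in units}


def check(num_vars, trails, reference=None):
    """True when the derived clauses (and the transcribed ones, if given) have exactly `trails` as solutions."""
    ok = solutions(num_vars, exclusion_cnf(num_vars, trails)) == set(trails)
    if reference is not None:
        ok = ok and solutions(num_vars, reference) == set(trails)
    return ok
```

`check(4, copy_trails(3))` and `check(4, xor_trails(3))` cover the 3-branch Copy and 3-input XOR used by the ciphers mentioned above.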

Let \(\varvec{x} = (x_{0}, x_{1}, \ldots , x_{n-1})\), \(\varvec{y} = (y_{0}, y_{1}, \ldots , y_{n-1})\), and \(\varvec{z} = (z_{0}, z_{1}, \ldots , z_{n-1})\), the modular addition of \(\varvec{x}\) and \(\varvec{y}\), be n-bit vectors. Then the Boolean function of \(z_{i}\) can be iteratively expressed as follows.

$$\begin{aligned} \begin{aligned}&z_{n-1} = x_{n-1} \oplus y_{n-1} \oplus c_{n-1}\text {, } c_{n-1} = 0,\\&z_{i} = x_{i} \oplus y_{i} \oplus c_{i}\text {, } c_{i} = x_{i+1} \cdot y_{i+1} \oplus (x_{i+1} \oplus y_{i+1})\cdot c_{i+1},\\&i = n-2, n-3, \ldots , 0. \end{aligned} \end{aligned}$$
(1)

In this way, the modular addition can be decomposed into Copy, AND, and XOR operations, and the model to depict its propagation is summarized as follows.

Model 4

(Modular Addition). Let \((a_{0}, \ldots , a_{n-1}, b_{0}, \ldots , b_{n-1}, d_{0}, \ldots , d_{n-1})\) be a division trail of n-bit modular addition operation, to describe the division property propagation, the Copy, AND, and XOR models should be applied in the order specified as follows,

[Figure a (not reproduced): the sequence of Copy, AND, and XOR model applications for the n-bit modular addition, expressed in the intermediate variables listed below.]

where \(a_{i,j}\), \(b_{i,j}\), \(v_{i}\), \(m_{i}\), \(g_{i}\), \(r_{i}\), \(q_{i}\), and \(w_{i}\) are intermediate variables, and their usage is illustrated in Table 2. In this model, \((12n - 19)\) intermediate variables are introduced in total, which include \((3n-4)\) \(a_{i,j}\)’s, \((3n-4)\) \(b_{i,j}\)’s, \((n-1)\) \(v_{i}\)’s, \((n-2)\) \(m_{i}\)’s, \((n-2)\) \(g_{i}\)’s, \((n-2)\) \(r_{i}\)’s, \((n-2)\) \(q_{i}\)’s, and \((n-2)\) \(w_{i}\)’s.

Table 2. Illustration of Intermediate Variables for Modular Addition Operation.

Model 4 deals with the case where the two input branches of the modular addition operation are variables. When it comes to the modular addition of a variable and an unknown constant (subkey), the corresponding propagation models can be deduced similarly as discussed in [36], and we omit it due to space limitation.

To sum up, the bit-based division property propagations through all kinds of basic operations in ARX ciphers are converted into sets of logical equations. We first construct an SAT model which characterizes one round of bit-based division property propagation; an SAT problem depicting r-round division trails is then obtained by repeating this procedure r times.
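An added example, not the paper's own code, that builds the Copy/AND/XOR decomposition of Eq. (1) and enumerates the division trails of n-bit modular addition directly from Rules 2, 3 and 6, gate by gate, instead of solving the SAT model; the gate order is an assumption (figure a is not reproduced here) chosen to reproduce the stated count of 12n - 19 intermediate variables, and the unit-vector check implements the stopping rule of Proposition 1.

```python
"""Division trails through n-bit modular addition via the Copy/AND/XOR decomposition
of Eq. (1). Bit n-1 is the least significant bit, as in Eq. (1). The exact gate order of
Model 4 (figure a) is not reproduced on this page; the circuit built here is an assumption
chosen to reproduce the stated count of 12n-19 intermediate variables. Trails are
enumerated directly by applying Rules 2, 3 and 6 gate by gate, not by solving CNF."""


def modadd_circuit(n):
    """Straight-line gate list: ('copy', src, [dsts]), ('and', [srcs], dst), ('xor', [srcs], dst).
    Wires are strings: x_i, y_i inputs, z_i outputs; v_i, m_i, q_i, w_i and the copies are
    the intermediate variables of Model 4 (the carry copies play the roles of g_i and r_i)."""
    gates = []

    def copy(src, branches):
        dsts = [f"{src}.{j}" for j in range(branches)]
        gates.append(("copy", src, dsts))
        return dsts

    # least significant bit: x_{n-1}, y_{n-1} are each used twice (z_{n-1} and c_{n-2})
    xs, ys = copy(f"x{n-1}", 2), copy(f"y{n-1}", 2)
    gates.append(("xor", [xs[0], ys[0]], f"z{n-1}"))
    gates.append(("and", [xs[1], ys[1]], f"v{n-2}"))        # c_{n-2} = x_{n-1} y_{n-1}
    carry = f"v{n-2}"
    for i in range(n - 2, 0, -1):
        # x_i, y_i are each used three times: z_i, v_{i-1} = x_i y_i, m_{i-1} = x_i xor y_i
        xs, ys = copy(f"x{i}", 3), copy(f"y{i}", 3)
        g, r = copy(carry, 2)                                # c_i feeds z_i and c_{i-1}
        gates.append(("xor", [xs[0], ys[0], g], f"z{i}"))
        gates.append(("and", [xs[1], ys[1]], f"v{i-1}"))
        gates.append(("xor", [xs[2], ys[2]], f"m{i-1}"))
        gates.append(("and", [f"m{i-1}", r], f"q{i-1}"))
        gates.append(("xor", [f"v{i-1}", f"q{i-1}"], f"w{i-1}"))  # c_{i-1}
        carry = f"w{i-1}"
    gates.append(("xor", ["x0", "y0", carry], "z0"))      # x_0, y_0 are used only once
    return gates


def intermediate_wires(gates):
    """Every wire written by a gate except the outputs z_i."""
    wires = set()
    for kind, _, dst in gates:
        wires.update(dst if kind == "copy" else [dst])
    return {w for w in wires if not w.startswith("z")}


def modadd_trails(n, a, b):
    """All output division vectors (d_0, ..., d_{n-1}) reachable from the input division
    property (a_0..a_{n-1}, b_0..b_{n-1}), with dominated vectors removed."""
    start = {f"x{i}": a[i] for i in range(n)}
    start.update({f"y{i}": b[i] for i in range(n)})
    states = [start]
    for kind, src, dst in modadd_circuit(n):
        nxt = []
        for s in states:
            if kind == "copy":
                # Rule 2 at the bit level: a 0 copies to all zeros, a 1 goes to exactly one branch
                if s[src] == 0:
                    splits = [[0] * len(dst)]
                else:
                    splits = [[int(j == i) for j in range(len(dst))] for i in range(len(dst))]
                for split in splits:
                    t = dict(s)
                    t.update(zip(dst, split))
                    nxt.append(t)
                continue
            total = sum(s[w] for w in src)
            if kind == "xor":
                if total > 1:        # Rule 3 with n = 1: k' > 1 aborts the trail
                    continue
                value = total
            else:
                value = 1 if total else 0   # Rule 6: ceil((k0 + k1) / 2)
            t = dict(s)
            t[dst] = value
            nxt.append(t)
        states = nxt
    outs = {tuple(s[f"z{i}"] for i in range(n)) for s in states}
    return {k for k in outs
            if not any(k2 != k and all(u >= v for u, v in zip(k, k2)) for k2 in outs)}


def no_integral_property(trails, n):
    """Proposition 1 at the bit level (the stopping rule of Sect. 3.2): true when every unit
    vector is an output trail, i.e. no output bit is known to be balanced."""
    return all(tuple(int(j == i) for j in range(n)) in trails for i in range(n))
```

For n = 3 and the property with only the least significant bit of x active, the output contains all three unit vectors, so a single modular addition already leaves no balanced bit; with x_1 and y_1 both active for n = 2, only (1, 0) survives, reflecting that z_1 = x_1 xor y_1 is balanced.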

3.2 Initial Division Property and Stopping Rule

We propose a ‘dynamic’ search, which sets the initial division property and stopping rule more efficiently. In the C++ interface of CryptoMiniSat, there is a function that takes ‘assumptions’ as a parameter, so that we can adjust the ‘assumptions’ instead of the original model and invoke it repeatedly to search for integral distinguishers under different initial division properties and output division properties automatically. In our model, the ‘assumptions’ are composed of two parts of logical equations: one is determined by the initial division property, and the other is deduced from the stopping rule.

Initial Division Property. Denote \((a_{0}, a_{1}, \ldots , a_{n-1})\) the variables representing bit-based division property of the input multi-set. For example, suppose that the initial division property is \(\varvec{k}_{0} = (0, \underbrace{1, \ldots , 1}_{n-1})\). To evaluate the propagation under \(\varvec{k}_{0}\), we set the first part of the assumptions by logical equations, i.e., \(a_{0} = 0\), \(a_{1} = 1\), \(\ldots \), \(a_{n-1} = 1\). If we want to test division property under another initial division property, only logical equations involved in the assumptions need to be changed.

Stopping Rule. The stopping rule is formulated according to Proposition 1. For bit-based division property, a multi-set \(\mathbb {X}\) whose elements take values from \(\mathbb {F}_{2}^{n}\) does not have integral property if and only if its division property contains all the n unit vectors. Hence, we need to check the n unit vectors one by one. Denote \((b_{0}, b_{1}, \ldots , b_{n-1})\) the variables representing the bit-based division property of the output multi-set after r rounds. For each \(i \in \{0, 1, \ldots , n-1\}\), we set the second part of the assumptions by \(b_{i} = 1\) and \(b_{j} = 0\) \((j \ne i)\). Together with the initial division property, the two parts of the parameters for the function are determined, and the search can be transformed into an SAT problem. If it is ‘satisfiable’ for the i-th unit vector, the output division property contains the i-th unit vector. Once it is satisfiable for every unit vector, the output division property contains all unit vectors, the corresponding multi-set, i.e., the outputs of the r-th round, does not have any integral property, the propagation should stop, and an \((r-1)\)-round distinguisher is obtained. If there is at least one index j such that the problem is not satisfiable for the j-th unit vector, we proceed to the \((r+1)\)-th round and evaluate the division property in a similar way.

3.3 Algorithms to Find Optimal Distinguishers

According to the discussion of the above subsections, the propagation of division property for ARX cipher is depicted by a system of logical equations in CNF. Some logical formulas can be dynamically adjusted according to different initial division properties of the input set and final division properties of the output set, while the others corresponding to r-round propagations remain the same. To obtain an optimal integral distinguisher, many candidates of initial division properties need to be tested. However, we could not afford such computations for too many candidates in practice.

In order to break through the difficulty, we put forward an efficient searching approach, which is composed of two algorithms. The first one restricts the search scope of initial division property and detects the number of rounds of the optimal distinguisher achieved under our model. For the instance of SHACAL-2, the search scope is significantly reduced from 256 bits to 17 bits. The second one detects the concrete optimal distinguishers efficiently based on the first algorithm’s output. With these two algorithms, we drastically reduce the number of initial division properties required to be evaluated. For example, for the 17-round distinguisher with data complexity \(2^{241}\) chosen plaintexts for SHACAL-2, which is provided in Sect. 5.1, the direct search requires us to test \(\sum \limits _{i=1}^{256-241}\left( \begin{array}{c}256 \\ i \\ \end{array}\right) \approx 2^{79.24}\) initial division properties. While in our algorithms, only 410 initial division properties are tested, and the distinguisher is identified.

The design of the two algorithms is based on the embedded property below. For two initial division properties \(\varvec{k}_0\) and \(\varvec{k}_1\) with \(\varvec{k}_{0} \succeq \varvec{k}_{1}\), there is no need to test \(\varvec{k}_1\) if the output multi-set under \(\varvec{k}_0\) does not have integral property; likewise, it is not necessary to test \(\varvec{k}_0\) if the output multi-set under \(\varvec{k}_1\) has integral property.

Proposition 2

(Embedded Property). Let \(E_{r}\) be an r-round iterated encryption algorithm and f its round function, which is composed only of Substitution, Copy, XOR, Split, and Concatenation operations. Suppose that the input and the output take values from \(\mathbb {F}_{2}^{n} = \mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\), and that \(\varvec{k}_{0}\) and \(\varvec{k}_{1}\) are two initial division properties with \(W(\varvec{k}_{0}) \succeq W(\varvec{k}_{1})\). If the output multi-set under \(\varvec{k}_{0}\) does not have integral property, then the output multi-set under \(\varvec{k}_{1}\) has no integral property.

Proof: Define

$$\begin{aligned} \mathbb {S}_{\varvec{k}}^{n} = \left\{ \varvec{a} = (a_{0}, a_{1}, \ldots , a_{m-1}) | W(\varvec{a}) \succeq W(\varvec{k}) \right\} , \end{aligned}$$

and

$$\begin{aligned} \mathbb {S}_{\mathbb {K}}^{n} = \bigcup _{\varvec{k} \in \mathbb {K}}\mathbb {S}_{\varvec{k}}^{n}. \end{aligned}$$

Suppose that there are two sets \(\mathbb {K}_{0}\) and \(\mathbb {K}_{1}\) belonging to \(\mathbb {Z}_{\ell _{0}} \times \mathbb {Z}_{\ell _{1}} \times \cdots \times \mathbb {Z}_{\ell _{m-1}}\), with \(\mathbb {S}_{\mathbb {K}_{0}}^{n} \subseteq \mathbb {S}_{\mathbb {K}_{1}}^{n}\). \(\mathcal {D}_{\mathbb {K}_{0}}^{n} \xrightarrow {f} \mathcal {D}_{\mathbb {K}_{0}'}^{n}\) and \(\mathcal {D}_{\mathbb {K}_{1}}^{n} \xrightarrow {f} \mathcal {D}_{\mathbb {K}_{1}'}^{n}\) stand for the division property propagations through one round. By the definition of division property, it is sufficient to prove that \(\mathbb {S}_{\mathbb {K}_{0}'}^{n} \subseteq \mathbb {S}_{\mathbb {K}_{1}'}^{n}\), which can be accomplished by separately proving for every basic operation. We take the substitution operation as an example, and the other operations can be proved similarly.

Now, denote \(\mathcal {D}_{\mathbb {K}_{0}}^{n} \xrightarrow {\text {S}} \mathcal {D}_{\mathbb {K}_{0}'}^{n}\) and \(\mathcal {D}_{\mathbb {K}_{1}}^{n} \xrightarrow {\text {S}} \mathcal {D}_{\mathbb {K}_{1}'}^{n}\) the division property propagations through substitution layer, where \(\mathbb {S}_{\mathbb {K}_{0}}^{n} \subseteq \mathbb {S}_{\mathbb {K}_{1}}^{n}\). For every \(\varvec{k}_{0}' \in \mathbb {K}_{0}'\), there exists \(\varvec{k}_{0} \in \mathbb {K}_{0}\), such that \((\varvec{k}_{0}, \varvec{k}_{0}')\) constitutes a division trail of the substitution operation. Since \(\mathbb {S}_{\mathbb {K}_{0}}^{n} \subseteq \mathbb {S}_{\mathbb {K}_{1}}^{n}\), there will be a \(\varvec{k}_{1} \in \mathbb {K}_{1}\) with \(W(\varvec{k}_{0}) \succeq W(\varvec{k}_{1})\). By Rule 1, we have \(W(\varvec{k}_{0}') \succeq W(\varvec{k}_{1}')\), which implies that \(\mathbb {S}_{\varvec{k}_{0}'}^{n} \subseteq \mathbb {S}_{\varvec{k}_{1}'}^{n}\). Thus,

$$\begin{aligned} \mathbb {S}_{\mathbb {K}_{0}'}^{n} = \bigcup _{\varvec{k}_{0}' \in \mathbb {K}_{0}'} \mathbb {S}_{\varvec{k}_{0}'}^{n} \subseteq \bigcup _{\varvec{k}_{1}' \in \mathbb {K}_{1}'} \mathbb {S}_{\varvec{k}_{1}'}^{n} = \mathbb {S}_{\mathbb {K}_{1}'}^{n}. \end{aligned}$$

   \(\square \)

Algorithm 1: Detecting the Maximum Number of Rounds and Restricting the Search Scope. Denote the n vectors with Hamming weight \(n-1\) as \(\varvec{in}_{i} = (\underbrace{1, \ldots , 1}_{i}, 0, \underbrace{1, \ldots , 1}_{n-i-1})\), \(0 \leqslant i \leqslant n-1\). Let \(\varvec{out}_{j} = (\underbrace{0, \ldots , 0}_{j}, 1, \underbrace{0, \ldots , 0}_{n-j-1})\), \(0 \leqslant j \leqslant n-1\), be the n unit vectors. For \(0 \leqslant i \leqslant n-1\), we evaluate the bit-based division property propagation under the initial division property \(\varvec{in}_{i}\), and check whether the output division property of the r-th round contains all n unit vectors, i.e., whether the problem is satisfiable for each \(\varvec{out}_{j}\) \((0 \leqslant j \leqslant n-1)\) under the fixed \(\varvec{in}_{i}\). If for all \(\varvec{in}_{i}\) \((0 \leqslant i \leqslant n-1)\) and \(\varvec{out}_{j}\) \((0 \leqslant j \leqslant n-1)\) the problem is satisfiable, we conclude that \((r - 1)\) is the maximum number of rounds based on our model. Otherwise, we proceed to the \((r+1)\)-th round and evaluate the division property in a similar way. When the maximum number of rounds \(r_{m}\) is determined, the index i of each \(\varvec{in}_{i}\) leading to the longest distinguisher is stored in a set \(\mathbb {S}\). The output of Algorithm 1 is the maximum number of rounds \(r_{m}\) and an index set \(\mathbb {S}\).

Although we have detected \(r_{m}\)-round distinguishers, the data requirement to mount the integral cryptanalysis is \(2^{n-1}\). Since a distinguisher with lower data complexity is more interesting, we proceed to Algorithm 2 to optimize the distinguishers obtained by Algorithm 1.

[Figures b and c (pseudocode listings of Algorithm 1 and Algorithm 2) are not reproduced here.]

Algorithm 2: Detecting the Optimal Distinguisher. Let the index set \(\mathbb {S} = \{j_{0}, j_{1}, \ldots , j_{|\mathbb {S}|-1}\}\) be the output of Algorithm 1. With Proposition 2, we claim that the elements in the complementary set \(\overline{\mathbb {S}} = \{0, 1, \ldots , n-1\} \backslash \mathbb {S}\) of \(\mathbb {S}\) refer to the ‘necessary’ bit indexes to obtain an \(r_{m}\)-round integral distinguisher. In other words, if any bit whose index belongs to \(\overline{\mathbb {S}}\) is set to ‘0’ in the initial division property, the division property after \(r_{m}\)-round propagation will have no integral property. In this sense, we call \(\overline{\mathbb {S}}\) the necessary set, whose elements are called necessary indexes, and the corresponding bit must be fixed to ‘1’, while, \(\mathbb {S}\) is called the sufficient set, and the elements in \(\mathbb {S}\) are called sufficient indexes.

To reduce the data complexity, we need to analyze whether the bits with sufficient indexes can be set to ‘0’. The possibility of reducing the data complexity lies in the size of \(\mathbb {S}\). If \(|\mathbb {S}| = 1\), there is no margin to further reduce the data complexity, and we obtain integral distinguishers with data complexity \(2^{n-1}\) chosen plaintexts. In case of \(|\mathbb {S}| > 1\), we first set all bits corresponding to \(\overline{\mathbb {S}}\) in the initial division property to ‘1’ while the other bits are set to ‘0’, and check whether there is a zero-sum bit after \(r_{m}\)-round propagation. If it is indeed the case, we get an integral distinguisher with data complexity \(2^{n-|\mathbb {S}|}\) chosen plaintexts. Otherwise, we gradually increase the number of ‘1’s in the positions indicated by the sufficient indexes, and check whether a zero-sum bit exists or not. The concrete description of this procedure can be found in Algorithm 2. After executing this algorithm, the return value will be the optimal distinguishers under our model.

Remark 2

Note that Step 8 in Algorithm 2 requires us to check \(\frac{|\mathbb {S}|!}{(|\mathbb {S}|-t)! \cdot t!}\) different initial division properties. When \(|\mathbb {S}|\) is very large, the time taken by this for loop grows with t. But, for all the ciphers analyzed in this paper, \(|\mathbb {S}|\) is not very large and the runtime is acceptable.
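The stopping rule, the embedded property and Algorithms 1 and 2 described above, run end to end on a constructed 8-bit Feistel toy cipher. This is an added example, not the paper's implementation: instead of encoding the round function in CNF and calling a SAT solver, it computes the exact one-round trail table from the ANF of the round function (the rule Xiang et al. use for S-boxes, which is at least as tight as the per-operation models), so the names `toy_round`, `trail_table`, `algorithm1`, `algorithm2` and `embedded_property_holds` are this example's, the bit labelling (bit j of an integer is coordinate j) is its own, and the 16-round cap is a safety choice.

```python
"""Toy run of the search strategy: bit-based division property propagation, the
stopping rule, Proposition 2, and Algorithms 1 and 2 on a constructed 8-bit Feistel
cipher.  Added example, not the paper's code.  k -> v is taken as a division trail
iff the ANF of the product of the output bits selected by v contains a monomial x^w
with w >= k.  Vectors are ints whose bit j is coordinate j; a set of vectors is a
bitset int whose bit v is set when vector v belongs to the set."""
from itertools import combinations


def rotl4(x, r):
    return ((x << r) | (x >> (4 - r))) & 0xF


def toy_round(s):
    """One round of the constructed 8-bit SIMON-like Feistel: (L, R) -> (R, L ^ f(R)).
    Round keys are omitted: XOR with a constant never adds a division trail."""
    left, right = s >> 4, s & 0xF
    f = (rotl4(right, 1) & rotl4(right, 2)) ^ rotl4(right, 3)
    return (right << 4) | (left ^ f)


def members(bitset):
    return {v for v in range(bitset.bit_length()) if (bitset >> v) & 1}


def trail_table(func, n_in, n_out):
    """table[k] = bitset of the v such that k -> v is a division trail of func."""
    outs = [func(x) for x in range(1 << n_in)]
    table = [0] * (1 << n_in)
    for v in range(1 << n_out):
        # truth table of y^v, then the Moebius transform turns it into the ANF
        anf = [1 if (outs[x] & v) == v else 0 for x in range(1 << n_in)]
        for i in range(n_in):
            for x in range(1 << n_in):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        reach = bytearray(1 << n_in)
        for w in range(1 << n_in):
            if anf[w]:                       # every k <= w (submask of w) reaches v
                s = w
                while True:
                    reach[s] = 1
                    if s == 0:
                        break
                    s = (s - 1) & w
        for k in range(1 << n_in):
            if reach[k]:
                table[k] |= 1 << v
    return table


def propagate(table, K, rounds):
    """One round maps the bitset K to the union of the trails of its members."""
    for _ in range(rounds):
        nxt, rest = 0, K
        while rest:
            low = rest & -rest               # lowest set bit = one member of K
            nxt |= table[low.bit_length() - 1]
            rest ^= low
        K = nxt
    return K


def zero_sum_bits(K, n):
    """Stopping rule (Proposition 1): bit j is zero-sum iff no trail reaches the unit
    vector e_j.  From a nonzero initial property the zero vector is never reached."""
    return [j for j in range(n) if not (K >> (1 << j)) & 1]


def longest_distinguisher(table, k, n, max_rounds=16):
    """Rounds covered by the longest distinguisher under the initial property k.
    The cap keeps a degenerate choice (e.g. k = all ones) from looping forever."""
    assert k != 0
    K = 1 << k
    for r in range(1, max_rounds + 1):
        K = propagate(table, K, 1)
        if not zero_sum_bits(K, n):          # all unit vectors reached: stop
            return r - 1
    return max_rounds


def algorithm1(table, n, max_rounds=16):
    """Algorithm 1: test the n properties in_i (only bit i inactive); return r_m and
    the sufficient set S of indexes i whose in_i reaches r_m rounds."""
    full = (1 << n) - 1
    rounds = [longest_distinguisher(table, full ^ (1 << i), n, max_rounds) for i in range(n)]
    r_m = max(rounds)
    return r_m, [i for i in range(n) if rounds[i] == r_m]


def algorithm2(table, n, r_m, S):
    """Algorithm 2: necessary bits (complement of S) fixed to 1; set t = 0, 1, ... of
    the sufficient bits to 1 until some r_m-round zero-sum bit appears.
    Returns (t, [(initial property, zero-sum bits), ...]); data = 2^(n - |S| + t)."""
    base = sum(1 << i for i in range(n) if i not in S)
    for t in range(len(S)):                  # t = |S| - 1 reproduces Algorithm 1's result
        found = []
        for extra in combinations(S, t):
            k = base | sum(1 << i for i in extra)
            zs = zero_sum_bits(propagate(table, 1 << k, r_m), n)
            if zs:
                found.append((k, zs))
        if found:
            return t, found
    return len(S), []


def embedded_property_holds(table, n):
    """Proposition 2 on one round: k0 >= k1 implies table[k0] is a subset of table[k1]
    (checked for pairs differing in one bit; transitivity gives the rest)."""
    return all(table[k | (1 << j)] & ~table[k] == 0 for k in range(1 << n) for j in range(n))


if __name__ == "__main__":
    table = trail_table(toy_round, 8, 8)
    r_m, S = algorithm1(table, 8)
    t, found = algorithm2(table, 8, r_m, S)
    print(f"r_m = {r_m}, S = {S}, data complexity 2^{8 - len(S) + t}")
    for k, zs in found:
        inactive = [j for j in range(8) if not (k >> j) & 1]
        print(f"inactive bits {inactive} --{r_m} rounds--> zero-sum bits {zs}")
```

The table is built once and reused for every initial division property, which mirrors the paper's split between the fixed r-round formulas and the assumptions that change per test; `embedded_property_holds` is the one-round statement of Proposition 2 and is what justifies skipping the dominated properties in Algorithm 2.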

4 Automatic Search of Word-Based Division Property

When the state of the cipher is very large, such as 256-bit, and the involved operations are very complicated, it is hard to trace the division property propagation at the bit level. In this section, we concentrate on the efficient automatic search of word-based division property. First, we study how to model division property propagations of basic operations by logical formulas at the word level. Secondly, by the exclusion method, we construct formulas to depict the possible propagations calculated by the Substitution rule. By setting the initial division property and stopping rule rationally, the problem of searching division property can be transformed into an SMT problem, which is a generalization of SAT and can be efficiently solved with some openly available solvers.

4.1 Models of Basic Operations at the Word Level

We study the division property propagations of the basic operations at the word level. Different from Sect. 3, the input and output are variables in \(\mathbb {F}_{2}^{n}\), and more kinds of formulas, such as inequalities, can be handled by SMT, so that the translation from the rules introduced in Sect. 2.2 to constraints is more flexible. We just list the models as follows.

Model 5

(Word-based Copy). Denote a division trail of an n-bit Copy function, the following constraints are sufficient to describe the division property propagation of Copy operation,

$$\begin{aligned} \left\{ \begin{array}{ll} a \leqslant n \\ b_{0} \leqslant n\\ b_{1} \leqslant n\\ a=b_{0}+b_{1} \end{array} \right. . \end{aligned}$$

Model 6

(Word-based XOR). Denote \((a_{0}, a_{1}) \xrightarrow {\texttt {XOR}} (b)\) a division trail of n-bit XOR operation, the following constraints are sufficient to depict the division property propagation of XOR operation,

$$\begin{aligned} \left\{ \begin{array}{ll} a_{0} \leqslant n \\ a_{1} \leqslant n\\ b \leqslant n\\ a_{0} + a_{1} = b \end{array} \right. . \end{aligned}$$

Model 7

(Split). Let F be the split function in Rule 4. Denote \((a) \xrightarrow {F} (b_{0}, b_{1})\) a division trail of F, the following constraints are sufficient to describe the division property propagation of Split operation,

$$\begin{aligned} \left\{ \begin{array}{ll} a \leqslant n \\ b_{0} \leqslant n_{0}\\ b_{1} \leqslant n - n_{0}\\ a=b_{0} + b_{1} \end{array} \right. . \end{aligned}$$

Model 8

(Concatenation). Let F be the concatenation function in Rule 5. Denote \((a_{0}, a_{1}) \xrightarrow {F} (b)\) a division trail of F, the following constraints are sufficient to depict the division property propagation of Concatenation operation,

$$\begin{aligned} \left\{ \begin{array}{ll} a_{0} \leqslant n_{0} \\ a_{1} \leqslant n_{1}\\ b \leqslant n_{0} + n_{1}\\ a_{0} + a_{1} = b \end{array} \right. . \end{aligned}$$

Many ciphers take Maximum Distance Separable (MDS) matrices over a finite field as linear mappings, such as the MixColumn operation of AES [28]. Todo [41] proposed a dedicated function called Partition to handle the division property propagation through the MixColumn operation. We generalize it into an SMT model in order to deal with ciphers involving MDS matrices.

Model 9

(Partition/MixColumn). Let \(F(x) = M \cdot x\), where M is an MDS matrix over \((\mathbb {F}_{2}^{m})^{s}\). Denote \((a_{0}, a_{1}, \ldots , a_{s-1}) \xrightarrow {F} (b_{0}, b_{1}, \ldots , b_{s-1})\) a division trail, the following constraints are sufficient to propagate the division property,

$$\begin{aligned} \left\{ \begin{array}{ll} a_{i} \leqslant m, i = 0, 1, \ldots , s-1\\ b_{j} \leqslant m, j = 0, 1, \ldots , s-1\\ a_{0} + a_{1} + \cdots + a_{s-1} = b_{0} + b_{1} + \cdots + b_{s-1} \end{array} \right. . \end{aligned}$$

4.2 Modelling S-Box

Since conventional division property is propagated at the word level, we do not need to precisely depict S-box, and use Rule 1 instead. By Rule 1, we find that the output multi-set follows \(\mathcal {D}_{\lceil \frac{k}{d} \rceil }^{m}\) if the input multi-set satisfies \(\mathcal {D}_{k}^{m}\) for an m-bit S-box with degree d. Accordingly, we deduce possible propagations for S-box, which are converted into SMT model by exclusion method mentioned in Sect. 3.

Model 10

(4-bit S-box with Degree 3). Denote \((x) \xrightarrow {S_{(4)}} (y)\) a division trail of 4-bit S-box \(S_{(4)}\), whose algebraic degree is 3, where \(x = (x[0], x[1], x[2])\) and \(y = (y[0], y[1], y[2])\) are supposed to be 3-bit vectors. Then, the following constraints are sufficient to describe the propagation of division property,

$$\begin{aligned} \left\{ \begin{array}{ll} x \leqslant 4\\ y \leqslant 4\\ x[0] \vee \overline{y[0]} = 1\\ \overline{x[0]} \vee x[1] \vee x[2] \vee y[0] = 1\\ \overline{y[1]} = 1\\ x[0] \vee \overline{x[1]} \vee y[0] \vee y[1] \vee y[2] = 1\\ x[0] \vee x[1] \vee \overline{x[2]} \vee y[0] \vee y[1] \vee y[2] = 1\\ x[0] \vee x[1] \vee x[2] \vee y[0] \vee y[1] \vee \overline{y[2]} = 1 \end{array} \right. . \end{aligned}$$

Proof: Note that for a 4-bit S-box with algebraic degree 3, the possible propagations are \((0) \xrightarrow {S_{(4)}} (0)\), \((1) \xrightarrow {S_{(4)}} (1)\), \((2) \xrightarrow {S_{(4)}} (1)\), \((3) \xrightarrow {S_{(4)}} (1)\), and \((4) \xrightarrow {S_{(4)}} (4)\), and the natural constraints deduced from Rule 1 are \(x \leqslant 4\) and \(y \leqslant 4\). After adding these two natural constraints, the number of possible combinations of (x[0], x[1], x[2], y[0], y[1], y[2]) reduces to 25, which are

$$\begin{aligned}&{\mathbf {(0,0,0,0,0,0)}}, \text {(0,0,0,0,0,1)}, \text {(0,0,0,0,1,0)}, \text {(0,0,0,0,1,1)}, \text {(0,0,0,1,0,0)},\\&\text {(0,0,1,0,0,0)}, {\mathbf {(0,0,1,0,0,1)}}, \text {(0,0,1,0,1,0)}, \text {(0,0,1,0,1,1)}, \text {(0,0,1,1,0,0)},\\&\text {(0,1,0,0,0,0)}, {\mathbf {(0,1,0,0,0,1)}}, \text {(0,1,0,0,1,0)}, \text {(0,1,0,0,1,1)}, \text {(0,1,0,1,0,0)},\\&\text {(0,1,1,0,0,0)}, {\mathbf {(0,1,1,0,0,1)}}, \text {(0,1,1,0,1,0)}, \text {(0,1,1,0,1,1)}, \text {(0,1,1,1,0,0)},\\&\text {(1,0,0,0,0,0)}, \text {(1,0,0,0,0,1)}, \text {(1,0,0,0,1,0)}, \text {(1,0,0,0,1,1)}, {\mathbf {(1,0,0,1,0,0)}}. \end{aligned}$$

The five vectors in bold are what we expect. By inspection, \((0, *, *, 1, *, *)\), \((1, 0, 0, 0, *, *)\), \((*, *, *, *, 1, *)\), \((0, 1, *, 0, 0, 0)\), (0, 0, 1, 0, 0, 0) and (0, 0, 0, 0, 0, 1) are the impossible cases, where \(*\) takes 0 or 1.

In order to eliminate \((0, *, *, 1, *, *)\), we assert \(x[0] \vee \overline{y[0]} = 1\). With this assertion, (x[0], x[1], x[2], y[0], y[1], y[2]) cannot take values of the form \((0, *, *, 1, *, *)\). After eliminating all impossible cases one by one, we obtain the set of logical formulas to describe division property propagation of \(S_{(4)}\).    \(\square \)

For an 8-bit S-box with degree 7, the possible propagations are \((0) \rightarrow (0)\), \((1) \rightarrow (1)\), \((2) \rightarrow (1)\), \((3) \rightarrow (1)\), \((4) \rightarrow (1)\), \((5) \rightarrow (1)\), \((6) \rightarrow (1)\), \((7) \rightarrow (1)\), and \((8) \rightarrow (8)\), and the model can be constructed in a similar way.

Model 11

(8-bit S-box with Degree 7). Denote \((x) \xrightarrow {S_{(8)}} (y)\) a division trail of 8-bit S-box \(S_{(8)}\), whose algebraic degree is 7, where \(x = (x[0], x[1], x[2], x[3])\) and \(y = (y[0], y[1], y[2], y[3])\) are supposed to be 4-bit vectors. Then, the following constraints are sufficient to describe the possible propagations,

$$\begin{aligned} \left\{ \begin{array}{ll} x \leqslant 8\\ y \leqslant 8\\ \overline{x[0]} \vee y[0] = 1\\ x[0] \vee \overline{y[0]} = 1\\ y[1] = 0\\ y[2] = 0\\ \overline{x[3]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1\\ \overline{x[2]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1\\ \overline{x[1]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1\\ x[0] \vee x[1] \vee x[2] \vee x[3] \vee y[0] \vee y[1] \vee y[2] \vee \overline{y[3]} = 1 \end{array} \right. . \end{aligned}$$

For other types of S-boxes, exclusion method can be applied and constraints to depict division property propagations can be constructed similarly.
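The exclusion method of this subsection, as an added example (not the paper's code): it builds the naive blocking-clause CNF for any bijective m-bit S-box of degree d from the propagations allowed by Rule 1, transcribes the clause sets of Models 10 and 11 in the same MSB-first bit encoding as the proof above, and checks over all candidate assignments with \(x, y \leqslant m\) that both formulations accept exactly the allowed propagations. The names `allowed_propagations`, `exclusion_cnf` and `accepted` are this example's; the bijectivity assumption (the full property k = m maps to m) is taken from the listed propagations \((4) \rightarrow (4)\) and \((8) \rightarrow (8)\).

```python
"""Exclusion-method encoding of word-level S-box propagation.  Added example; the
clause sets MODEL_10 and MODEL_11 transcribe the paper's Models 10 and 11.  The input
value x and output value y are written as bit vectors x[0..w-1], y[0..w-1], most
significant bit first, as in the paper's proof."""


def allowed_propagations(m, d):
    """Rule 1 at word level for a bijective m-bit S-box of degree d:
    D_k -> D_ceil(k/d), except that the full property k = m stays m (assumption)."""
    return {(k, m if k == m else -(-k // d)) for k in range(m + 1)}


def bits(value, w):
    """Bit vector of `value`, MSB first, w bits."""
    return [(value >> (w - 1 - i)) & 1 for i in range(w)]


# A literal is ((name, index), wanted_bit); a clause is a list of literals and holds
# when at least one literal holds; a CNF is a list of clauses.
def lit(name, i, wanted):
    return ((name, i), wanted)


def x(i): return lit('x', i, 1)       # x[i]
def nx(i): return lit('x', i, 0)      # not x[i]
def y(i): return lit('y', i, 1)       # y[i]
def ny(i): return lit('y', i, 0)      # not y[i]


def exclusion_cnf(m, d):
    """Naive exclusion method: after the natural constraints x <= m and y <= m, add
    one blocking clause per candidate pair (x, y) that is not an allowed propagation."""
    w = m.bit_length()
    allowed = allowed_propagations(m, d)
    cnf = []
    for xv in range(m + 1):
        for yv in range(m + 1):
            if (xv, yv) in allowed:
                continue
            xb, yb = bits(xv, w), bits(yv, w)
            # the clause is false only for this one assignment
            cnf.append([lit('x', i, 1 - xb[i]) for i in range(w)]
                       + [lit('y', i, 1 - yb[i]) for i in range(w)])
    return cnf


def accepted(cnf, m):
    """Pairs (x, y) with x, y <= m (the natural constraints) satisfying every clause."""
    w = m.bit_length()
    result = set()
    for xv in range(m + 1):
        for yv in range(m + 1):
            xb, yb = bits(xv, w), bits(yv, w)
            assign = {('x', i): xb[i] for i in range(w)}
            assign.update({('y', i): yb[i] for i in range(w)})
            if all(any(assign[var] == want for var, want in clause) for clause in cnf):
                result.add((xv, yv))
    return result


# Model 10: 4-bit S-box of degree 3, x and y as 3-bit vectors.
MODEL_10 = [
    [x(0), ny(0)],
    [nx(0), x(1), x(2), y(0)],
    [ny(1)],
    [x(0), nx(1), y(0), y(1), y(2)],
    [x(0), x(1), nx(2), y(0), y(1), y(2)],
    [x(0), x(1), x(2), y(0), y(1), ny(2)],
]

# Model 11: 8-bit S-box of degree 7, x and y as 4-bit vectors (y[1] = 0 and y[2] = 0
# are the unit clauses [ny(1)] and [ny(2)]).
MODEL_11 = [
    [nx(0), y(0)],
    [x(0), ny(0)],
    [ny(1)],
    [ny(2)],
    [nx(3), y(0), y(1), y(2), y(3)],
    [nx(2), y(0), y(1), y(2), y(3)],
    [nx(1), y(0), y(1), y(2), y(3)],
    [x(0), x(1), x(2), x(3), y(0), y(1), y(2), ny(3)],
]

if __name__ == "__main__":
    for m, d, model in ((4, 3, MODEL_10), (8, 7, MODEL_11)):
        naive = exclusion_cnf(m, d)
        same = accepted(naive, m) == accepted(model, m) == allowed_propagations(m, d)
        print(f"{m}-bit S-box, degree {d}: {len(naive)} blocking clauses naive, "
              f"{len(model)} clauses in the paper's model, equivalent: {same}")
```

The naive CNF needs one clause per excluded candidate (20 for the 4-bit case, 72 for the 8-bit case), whereas the paper's hand-merged clauses cover the same impossible patterns with 6 and 8 clauses; the `accepted` check is the test a practitioner should run on any such hand-derived model before feeding it to the solver.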

4.3 Initial Division Property and Stopping Rule

Just as in Sect. 3, to make the searching algorithm dynamic, the initial division property and stopping rule are inserted into assumptions. In the Python interface of STP, the function that accepts ‘assumptions’ as a parameter is called .

Denote \((a_{0}, a_{1}, \ldots , a_{m-1})\) the variables representing division property of the input multi-set. For example, suppose that the initial division property is \(\varvec{k}= (k_{0}, k_{1}, \ldots , k_{m-1})\). To propagate division property under \(\varvec{k}\), we set the first part of the assumptions by logical formulas, i.e., \(a_{0} = k_{0}\), \(a_{1} = k_{1}\), \(\ldots \), and \(a_{m-1} = k_{m-1}\). Only logical formulas involved in the assumptions are required to be replaced if we want to test division property under another initial division property.

Restricted to conventional division property, Proposition 1 claims that a multi-set \(\mathbb {X} \in \mathbb {F}_{2}^{n} = \mathbb {F}_{2}^{\ell _{0}} \times \mathbb {F}_{2}^{\ell _{1}} \times \cdots \times \mathbb {F}_{2}^{\ell _{m-1}}\) does not have integral property if and only if its division property contains all vectors with vectorial Hamming weight being 1. In order to determine whether r-round integral property exists or not under a fixed initial division property, we make m calls to test m vectors with vectorial Hamming weight 1. If all the corresponding SMT problems are satisfiable, the r-round output set has no integral property and an \((r-1)\)-round distinguisher is obtained. Otherwise, we go on to the \((r+1)\)-th round and evaluate the division property in a similar way.

5 Applications

In this section, we provide some new distinguishers based on the searching methods proposed in Sects. 3 and 4. We first present results for some ARX ciphers, whose integral distinguishers are obtained by evaluating bit-based division property, and then turn to the word-based division property of some specific ciphers.

Fig. 1. The round function of SHACAL-2.

5.1 Bit-Based Division Properties for ARX Ciphers

Application to SHACAL-2. SHACAL-2 [13] is a 256-bit block cipher and has been selected as one of the four block ciphers by NESSIE. Its round function is based on the compression function of the hash function SHA-2 [27], and is iterated 64 times. SHACAL-2 supports variable key lengths up to 512 bits, yet it should not be used with a key shorter than 128 bits. An illustration of the round function can be found in Fig. 1, where \(K^{r}\) and \(W^{r}\) are the round key and round constant, and Maj, Ch, \(\sum _{0}\), and \(\sum _{1}\) are defined as follows,

$$\begin{aligned} Maj(X, Y, Z)= & {} (X \cdot Y) \oplus (X \cdot Z) \oplus (Y \cdot Z),\\ Ch(X, Y, Z)= & {} (X \cdot Y) \oplus (\overline{X} \cdot Z),\\ {\sum }_{0}(X)= & {} (X \ggg 2) \oplus (X \ggg 13) \oplus (X \ggg 22),\\ {\sum }_{1}(X)= & {} (X \ggg 6) \oplus (X \ggg 11) \oplus (X \ggg 25). \end{aligned}$$

Since the values of \(K^{r}\) and \(W^{r}\) do not influence the bit-based division property propagation, we will not introduce them here. For more information, please refer to [13].

Firstly, Algorithm 1 in Sect. 3.3 is implemented and we find that the longest distinguisher under our model can achieve 17 rounds. At the same time, we obtain the sufficient set \(\mathbb {S} = \{22-31, 153-159\}\). Then, for \(r = 17\) and \(\mathbb {S}\), Algorithm 2 is performed. Finally, we obtain a 17-round integral distinguisher with data complexity \(2^{241}\) chosen plaintexts, which is

$$\begin{aligned} \text {Inactive Bits: }\{23 - 31, 154 - 159\} \xrightarrow {\text {17 Rounds}} \text {Zero-sum Bits: }\{249 - 255\}, \end{aligned}$$

where the bit indexes for the input and output are labeled as 0, 1, \(\ldots \), 255 from left to right, and the bit indexes are labeled in a similar way in the remainder of this subsection. In order to identify this distinguisher, we try 256 initial division properties when implementing Algorithm 1, and \(1+\left( \begin{array}{c} 17 \\ 1 \\ \end{array}\right) +\left( \begin{array}{c} 17 \\ 2 \\ \end{array}\right) = 154\) initial division properties are evaluated when performing Algorithm 2. In total, with 410 tests under different initial division properties, we obtain the optimal distinguisher, while \(\sum \limits _{i=1}^{256-241}\left( \begin{array}{c}256 \\ i \\ \end{array}\right) \approx 2^{79.24}\) initial division properties would have to be tested by the direct search instead of using Algorithms 1 and 2.

As far as we know, the best integral distinguisher in the literature is the 13-round one proposed in [30], and the newly obtained one covers four more rounds.

Applications to Other ARX Ciphers. Besides SHACAL-2, many ARX ciphers are analyzed, including LEA [14], HIGHT [15], and the SPECK family of block ciphers [3]; due to space limitations we only list the results.

For LEA, we obtain an 8-round integral distinguisher with data complexity \(2^{118}\) chosen plaintexts, which is

$$\begin{aligned} \text {Inactive Bits: }\{27 - 31, 59 - 63\} \xrightarrow {\text {8 Rounds}} \text {Zero-sum Bits: }\{36\}. \end{aligned}$$

Compared with the 7-round distinguishers based on the MILP method provided in [36], we gain one more round.

Six integral distinguishers with data complexity \(2^{63}\) chosen plaintexts are detected for HIGHT, which are

$$\begin{aligned}&\text {Inactive Bits: }\{14\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{6, 7\},\\&\text {Inactive Bits: }\{15\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{6, 7\},\\&\text {Inactive Bits: }\{31\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{7\},\\&\text {Inactive Bits: }\{46\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{38, 39\},\\&\text {Inactive Bits: }\{47\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{38, 39\},\\&\text {Inactive Bits: }\{63\} \xrightarrow {\text {18 Rounds}} \text {Zero-sum Bits: }\{39\}. \end{aligned}$$

Note that the third one and the last one are the same as the 18-round distinguishers in [36], which are obtained under the MILP method. The other four distinguishers we identified have more zero-sum bits under the same data requirement.

For all versions of SPECK family of block ciphers, we obtain 6-round integral distinguishers. The data requirements are \(2^{31}\) for SPECK32, \(2^{45}\) for SPECK48, \(2^{61}\) for SPECK64, \(2^{93}\) for SPECK96, and \(2^{125}\) for SPECK128.

All of the experiments are conducted on a server, and we use at most four 2.30 GHz Intel\(^{\circledR }\) Xeon\(^{\circledR }\) CPU E5-2670 v3 processors. All the SAT based experiments are implemented by the C++ interface of CryptoMiniSat5, using at most 4 threads. The runtimes to obtain the optimal distinguishers for SHACAL-2, LEA, and HIGHT are 6 h, 30 min, and 15 min, respectively, and the runtimes for all variants of SPECK take less than 6 min.

5.2 Word-Based Division Property for Some Specific Ciphers

Application to CLEFIA. CLEFIA [31] is a 128-bit block cipher supporting key lengths of 128, 192, and 256 bits, and it has been adopted as one of the ISO/IEC international standards in lightweight cryptography. The numbers of rounds are 18, 22 and 26 for 128-bit, 192-bit and 256-bit keys, respectively. The round function follows a 4-branch Type-2 Generalized Feistel Network [48] with two parallel F functions \((F_{0}, F_{1})\). The 128-bit state value can be regarded as the concatenation of four 32-bit words, and the input of the r-th round is denoted by \((X^{r}[0], X^{r}[1], X^{r}[2], X^{r}[3])\). One round of encryption is illustrated in Fig. 2, where \(RK^{r}[0]\) and \(RK^{r}[1]\) denote round keys.

Aiming at integral distinguishers for CLEFIA that cover as many rounds as possible, we first evaluate the division property under 16 initial division properties \(\varvec{in}_{i}\), \(0 \leqslant i \leqslant 15\), whose i-th element is set to 7 and the others are set to 8. Then, we obtain eight 10-round integral distinguishers with data complexity \(2^{127}\) chosen plaintexts. We also evaluate the division property under another 16 initial division properties \(\varvec{in}_{i}'\), \(0 \leqslant i \leqslant 15\), whose i-th element is set to 6 and the others are set to 8. However, there is no integral property after 10-round propagation under \(\varvec{in}_{i}'\). Besides, 120 initial division properties with two elements being 7 and the others being 8 are also considered, and no integral property is detected. Thus, the 10-round integral distinguishers with data complexity \(2^{127}\) chosen plaintexts are probably the best integral distinguishers obtainable using word-based division property. The initial division properties of these 10-round distinguishers are listed as follows.

$$\begin{aligned}&(7,8,8,8\text {, }8,8,8,8\text {, }8,8,8,8\text {, }8,8,8,8), (8,7,8,8\text {, }8,8,8,8\text {, }8,8,8,8\text {, }8,8,8,8),\\&(8,8,7,8\text {, }8,8,8,8\text {, }8,8,8,8\text {, }8,8,8,8), (8,8,8,7\text {, }8,8,8,8\text {, }8,8,8,8\text {, }8,8,8,8),\\&(8,8,8,8\text {, }8,8,8,8\text {, }7,8,8,8\text {, }8,8,8,8), (8,8,8,8\text {, }8,8,8,8\text {, }8,7,8,8\text {, }8,8,8,8),\\&(8,8,8,8\text {, }8,8,8,8\text {, }8,8,7,8\text {, }8,8,8,8), (8,8,8,8\text {, }8,8,8,8\text {, }8,8,8,7\text {, }8,8,8,8). \end{aligned}$$

After 10-round propagation, all the 10-round distinguishers have eight zero-sum bytes, which are labeled as \(\{4 - 7, 12 - 15\}\), and the bytes are labeled as 0, 1, \(\ldots \), 15 from left to right.

Fig. 2. Round function of CLEFIA.

To our knowledge, the longest integral distinguishers for CLEFIA cover 9 rounds [19, 29], and these newly found distinguishers achieve one more round. With the 10-round distinguishers, we can recover the key of 13-round CLEFIA-128 with one more round than [19], where the precomputation, partial sum technique and exhaustive search can be adopted similarly. The data, time and memory complexities are \(2^{127}\) chosen plaintexts, \(2^{120}\) encryptions and \(2^{100}\) bytes, respectively. The integral attacks for CLEFIA-192 and CLEFIA-256 can be improved by one round, too.

Applications to Other Ciphers. We also implement the method in Sect. 4 to search integral distinguishers for many other ciphers.

For the internal block cipher of Whirlpool [1], compared with the results given by Todo [41], we improve the data complexities of the integral distinguishers for different rounds, which can be found in Table 3. For Rijndael-192 and Rijndael-256 [8], we extend the length of the distinguishers compared with the best results proposed by Todo [41], and the experimental results can be found in Table 3. The integral distinguishers for Whirlpool, Rijndael-192, and Rijndael-256 are provided in Appendix A.

Table 3. Data requirements to construct r-round integral distinguishers.

We also implement our automatic tool to search integral distinguishers for MISTY1, MISTY2 [21], and KASUMI [33]. For MISTY1, we obtain the same distinguisher found by Todo [40]. As to MISTY2, a 7-round integral distinguisher with data complexity \(2^{32}\) chosen plaintexts is found, which is the same as the best one proposed in [34]. A 5-round integral distinguisher starting from the second round with data complexity \(2^{48}\) chosen plaintexts is obtained for KASUMI. Compared with the best 5-round one proposed in [35], which requires \(2^{53}\) chosen plaintexts using division property, our newly found distinguisher requires less data.

All the SMT based tests are implemented in the Python interface of STP2.0, using a single thread. The runtimes for all the ciphers analyzed in this section take only a few minutes.

6 Conclusion

In this paper, we propose automatic searching tools for integral distinguishers based on bit-based division property for ARX ciphers and on word-based division property. For ARX ciphers, the automatic searching tool relies on SAT instead of MILP, since the SAT method is more suitable in the search of ARX ciphers’ differential/linear characteristics. First, the models, which are composed of logical formulas in CNF, describing bit-based division property propagations for three basic operations, i.e., Copy, AND, and XOR, are provided by the exclusion method. Then, we give the model of the modular addition based on the three basic models. After setting the initial division property and stopping rule appropriately, the problem of searching integral distinguishers using bit-based division property for ARX ciphers can be converted into an SAT problem. Besides, to get the optimal distinguisher, two algorithms are proposed. The first one restricts the search scope of the initial division property and detects the number of rounds of the optimal distinguisher achievable under our model. The second one detects the concrete optimal distinguishers efficiently based on the first algorithm’s output.

We realize the automatic search of word-based division property with SMT method. We first show how to model division property propagations of basic operations by logical formulas. Moreover, by exclusion method, we construct formulas to depict the possible propagations calculated by Substitution rule. By setting initial division property and stopping rule rationally, the problem of searching division property can be transformed into an SMT problem, and we can efficiently search integral distinguishers with some openly available solvers.

As a result, we improve the previous integral distinguishers for SHACAL-2, LEA, CLEFIA, Rijndael-192, and Rijndael-256 according to the number of rounds. Moreover, the integral attacks for CLEFIA are improved by one round with the newly obtained distinguishers.

Discussion on the superiority to MILP method. We think it is hard to give a comprehensive comparison between MILP and SAT, and try to reflect the efficiency of SAT for ARX ciphers by recording the time spent on the search for the same distinguisher with a fixed initial division property under the same computation resource. The experimental results show that SAT model performs better than MILP model. As an illustration, for the optimal distinguisher of SHACAL-2, CryptoMiniSat returns the result after about 24 s, while MILP optimizer (Gurobi 7.0.2) takes about 44000 s, which is almost 1650 times as long as the SAT solver. Thus, it seems that SAT model is more suitable to search division properties for ARX ciphers.

Discussion on the optimality and completeness of the search. We confirm that the integral distinguishers are optimal under the search strategies defined in this paper. However, we cannot guarantee the completeness. If a more dedicated model for the modular addition is proposed, better integral distinguishers for ARX ciphers may be detected, which will be a future work.