Improved Integral Cryptanalysis of Block Ciphers BORON and Khudra

Abstract

Integral cryptanalysis is one of the frequently-used cryptanalytic methods of symmetric-key primitives. With the help of division property and the adoption of the automatic tool Mixed Integer Linear Programming (MILP), integral distinguishers can be found more efficiently. This paper uses MILP models to find integral distinguishers based on bit-based division property for block ciphers BORON and Khudra. It is worth noting that we used a combined technique to generate the according inequality set when describing the available division property propagation through the non-linear operation S-box. For one thing, we generate a larger inequality set based on the original set generated by the convex hull computation method. For another, we select a small but sufficient inequality subset from the larger set in the previous step. The numbers of linear constraints that describe the available division property propagation through S-boxes of BORON and Khudra are both reduced from 11 to 7 by our methods. Besides, the best 7-round integral distinguisher for BORON, and the best 9-round integral distinguisher with the smallest data complexity for Khudra are found based on the smaller scale of the whole MILP searching model.

A Appendix

1.1 A.1 Division Trail Search Model

Initial Setting and Stopping Rule. Since the propagation rules through all the basic operations used in the cipher can be expressed by linear inequalities. So the integral search problem can completely described by a linear inequality system.

We denote a t-round division trail as \(\left( a_{n - 1}^0, \cdots , a_0^0\right) {\mathop {\rightarrow }\limits ^{f}}\cdots {\mathop {\rightarrow }\limits ^{f}}\left( a_{n - 1}^t, \cdots , a_0^t\right) \). f is the round function.

An integral distinguisher search model always starts with an initial setting, and the presence of an available solution indicates the presence of an integral distinguisher. Thus, we should add the initial setting in the model. For example, if the initial input division property is \(D_{\boldsymbol{k}}^{1,n}\), where \(\boldsymbol{k}=(k_{n-1}, \cdots , k_0)\). When searching for a t-round division trail denoted as \(\left( a_{n - 1}^0, \cdots , a_0^0\right) \rightarrow \cdots \rightarrow \left( a_{n - 1}^t, \cdots , a_0^t\right) \), we put the initial setting \(a_{i}^0 = k_i \left( i=0,1, \cdots , n- 1\right) \). In this way, the model will output all available division trails which starts from input division property \(\boldsymbol{k}\).

Theorem 5

(Set without Integral Property [19]). If the multiset \(\mathbb {X}\) is with division property \({D}_{\mathbb {K}}^{1,n}\), then \(\mathbb {X}\) has no integral property if and only if \(\mathbb {K}\) contains all the n unit vectors: \(\boldsymbol{e_1},\boldsymbol{e_2},\cdots ,\boldsymbol{e_n}\).

We denote the output division property after t-round encryption by \( {D}_{\mathbb {K}_t}^{1,n}\). If \(\mathbb {K}_{t+1}\) for the first time contains all the n unit vectors while \(\mathbb {K}_{t}\) does not, the search progress can terminate, and we obtain an r-round distinguisher. Therefore, we only need to focus on detecting whether \(\mathbb {K}_i\) contains all the n unit vectors during every round, and it is equal to check every tail-end vector of all t-round division trails. So we set the objective function as:

$$\text {Min} (a_0^t + a_1^t + \cdots + a_{n - 1}^t).$$

Division Trail Search Algorithm. From the above description, we can get a MILP model with a constraint set and an objective function. Note that \(\mathbb {K}_i\) does not contain a zero vector during every round. Thus, there is no probability that the objective function takes a zero value. The MILP problem will return an objective value greater than zero when feasible. We use the algorithm proposed in [6]. Details are shown in Algorithm 3.

1.2 A.2 BORON and Khudra’s Structure

Fig. 2.

The round function of BORON.

Fig. 3.

The outer structure of Khudra

Fig. 4.

The inner structure of Khudra