Applying MILP Method To Searching Integral Distinguishers Based On Division Property For Block Ciphers

Todo presented the concept of division property by improving the tra-ditional integral cryptanalysis at RUROCRYPT2015?Division property can clearly describe the underlying property between "ALL" and "BALANCE",so it is also suitable for some block ciphers with non-bijective or low-degree functions and bit-oriented structures.In CRYPTO2015,Todo took the S-box of MISTY1 as a public function,and firstly proposed a key recovery attack on the full cryptographic algorithm successfully.Todo and Morri introduced the bit-based division property which treated each bit independently and used more information about the cipher at FSE2016.Then,Sun and Wang com-bined the ANF of S-box and the notion of division property,and then presented the box-aided division property.Xiang applied the MILP method for search-ing integral distinguishers based on division property.Sun considered complex linear layers and analyzed division property of modulo operation which made this method can also be brought to the analysis of more SPN ciphers and ARX-based algorithms,further expanding the attack range of this cryptanalysis.This paper mainly researches bit-based division property of three block ci-phers.According to the known results,the paper firstly studies the Kuznyechik and Chaskey with division property,and finds the integral distinguishers which both have 4 rounds.As for SPARX,its designer has taken the division prop-erty.This paper presents the cryptanalysis with division property,and gets the same results with the design document.Results indicate that bit-based division property may not be better than division property for some ciphers.Kuznyechik has the SPN structure,whose S-box is an 8-bit substitution table and whose linear layer is the multiplication in finite field.Chaskey and SPARX have the ARX structure,and include module,rotation and xor.This paper applies MILP method to searching the integral distinguishers by analyzing the propagation in these modules.Besides that,this paper has a key-recovery at-tack to PRESENT,Serpent and NOEKEON reduced up to 12,9 and 7 rounds,respectively.These block ciphers already have good integral distinguishers in the published paper.