Research On Integral Attacks Of Block Ciphers Based On Division Property

Integral attack is one of the most important and effective attacks on block ciphers.Division property is a new generalized integral property proposed by Todo at Eurocrypt 2015.Up to now,many researches have been done on the theory of division property,many longer integral distinguishers have been found and many improved integral attacks have been presented based on division property.For a non-empty subsetof₂⁹)with division property₆)⁹),Boura and Canteaut showed at CRYPTO 2015 that||?2⁶),and||=2⁶)if and only ifis a6)-dimensional affine subspace.Using MILP method,Xiang et al.found 9-round integral distinguishers for PRESENT and RECTANGLE,and by considering linear transformation of the cipher,Derbez et al.obtained a 10-round integral distinguisher of RECTANFLE.In this paper,we further study the integral attacks of block ciphers based on division property.The main results obtained are as follows:(1)The algebraic structure of non-empty set satisfying certain division property is characterized with symmetric difference.It is shown that a non-empty setsatisfies the division property₆)⁹)if and only ifcan be decomposed as the symmetric difference of several6)-dimensional affine subspace of₂⁹).The algebraic structures of non-empty sets satisfying certain vector division propertyor collective division propertyare also characterized,their equivalent relationship with the affine subspaces are presented.For a non-empty setsatisfying vector division property,the lower bound on the number ofis presented and the detailed structure ofis characterized when the lower bound is reached.(2)Based on the work of Derbez et al.,an improved integral attack is proposed on Generalized Feistel ciphers.For a Generalized Feistel cipher?,the linear equivalent cipher?of?with respect to the linear transformationis constructed.The equivalence on the integral distinguishers of?and?is shown and the method how to construct an integral distinguisher of?from that of?is also presented.Based on the propagation of the division property of the round function and S-boxes,a method is proposed to choose fine linear transformations more efficiently.Taking the 16-branch generalized Feistel ciphers with 4-bit S-boxes as examples,we find many instances such that the improved method can find longer integral distinguishers than traditional method.(3)Using the technique of partial-sum and the relationship between subkey bits,integral attacks on PRESENT,RECTANGLE and TANGRAM are proposed.Based on a 9-round integral distinguisher of PRESENT,integral attacks on 11-round PRESENT-80 and 12-round PRESENT-128 are presented.Based on a 10-round integral distinguisher of RECTANGLE,integral attacks on 13-round RECTANGLE-80 and 14-round RECTANGLE-128 are presented.A 16-round integral attack is presented based on a 12-round integral distinguisher of TANGRAM 128/256,and a 20-round integral attack is presented based on a 16-round integral distinguisher of TANGRAM 256/256.