Cryptology ePrint Archive: Report 2020/547

Finding Bit-Based Division Property for Ciphers with Complex Linear Layer

Kai Hu and Qingju Wang and Meiqin Wang

Abstract: The bit-based division property (BDP) is the most effective technique for finding integral characteristics of symmetric ciphers. Recently, automatic search tools have become one of the most popular approaches to evaluating the security of designs against many attacks. Constraint-aided automatic tools for the BDP have been applied to many ciphers with simple linear layers like bit-permutation. Constructing models of complex linear layers accurately and efficiently remains hard. A straightforward method proposed by Sun \etal (called the \s method), decomposes a complex linear layer into basic operations like \texttt{COPY} and \texttt{XOR}, then models them one by one. However, this method can easily insert invalid division trails into the solution pool, which results in a quicker loss of the balanced property than the cipher itself would. In order to solve this problem, Zhang and Rijmen propose the \zr method to link every valid trail with an invertible sub-matrix of the matrix corresponding to the linear layer, and then generate linear inequalities to represent all the invertible sub-matrices. Unfortunately, the \zr method is only applicable to invertible binary matrices (defined in Definition 3).

To avoid generating a huge number of inequalities for all the sub-matrices, we build a new model that only includes that the sub-matrix corresponding to a valid trail should be invertible. The computing scale of our model can be tackled by most of SMT/SAT solvers, which makes our method practical. For applications, we improve the previous BDP for LED and MISTY1. We also give the 7-round BDP results for Camellia with $FL/FL^{-1}$, which is the longest to date.

Furthermore, we remove the restriction of the \zr method that the matrix has to be invertible, which provides more choices for future designs. Thanks to this, we also reproduce 5-round key-dependent integral distinguishers proposed at Crypto 2016 which cannot be obtained by either the \s or \zr methods.

Category / Keywords: secret-key cryptography / Complex linear layer, Non-binary matrix, Bit-based division property, SMT/SAT, Invertible

Original Publication (with minor differences): IACR-FSE-2020

Date: received 10 May 2020, last revised 10 May 2020

Contact author: hukai at mail sdu edu cn,qingju wang@uni lu,mqwang@sdu edu cn

Available format(s): PDF | BibTeX Citation

Version: 20200515:094523 (All versions of this report)

Short URL: ia.cr/2020/547


[ Cryptology ePrint archive ]