Abstract
Division property is a cryptanalysis method that proves to be very efficient on block ciphers. Computer-aided techniques such as MILP have been widely and successfully used to study various cryptanalysis techniques, and they have led in particular to many new results for the division property. Nonetheless, we claim that the previous techniques do not consider the full search space. We show that even if the previous techniques fail to find a distinguisher based on the division property over a given function, we can potentially find a relevant distinguisher over a linearly equivalent function. We show that the representation of the block cipher heavily influences the propagation of the division property, and exploiting this, we give an algorithm to efficiently search for such linear mappings. As a result, we exhibit a new distinguisher over 10 rounds of RECTANGLE, while the previous best was over 9 rounds, and rule out such a distinguisher over more than 9 rounds of PRESENT. We also give some insight about the construction of an S-box to strengthen a block cipher against our technique. We prove that using an S-box satisfying a certain criterion is optimal in terms of resistance against classical division property. Accordingly, we exhibit stronger variants of RECTANGLE and PRESENT, improving the resistance against division property based distinguishers by 2 rounds.
Highlights
Division property is a distinguishing property which was first presented by Todo at Eurocrypt’15 [15]
We show that while the previous search methods were able to efficiently find some integral distinguishers based on the division property, the search space explored by these methods does not cover all possibilities
We provide an algorithm to find such distinguishers, and successfully apply it to the block cipher RECTANGLE, on which we found an integral distinguisher over 10 rounds, requiring 2^63 data and leading to 1 balanced bit
Summary
Division property is a distinguishing property which was first presented by Todo at Eurocrypt’15 [15]. They built MILP models for several block ciphers which they efficiently solved using a third-party MILP solver. As a result they obtained the best known division property distinguishers on SIMON, SIMECK, PRESENT and RECTANGLE. As a result we improve the best known division property distinguisher against RECTANGLE by one round and show that the previous best known distinguisher against PRESENT cannot be improved with this technique. We emphasize that this is an advantage of our algorithm, as it allows us to prove that a given cipher is resistant to our technique, as proving negative results is in general harder than finding attacks since we have to check all such attacks. In [4], Boura et al. provide new insights into the division property, presenting a new approach to it. In particular they show several interesting results concerning the resistance of S-box-based block ciphers against division property. We made our implementation available at https://github.com/ExtendDivProp/ExtendDivProp
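The abstract's claim that the representation of the cipher influences how the division property propagates can be observed on a single S-box. The following is an added example, not the paper's code and not its search algorithm: it computes bit-based division trails of the PRESENT S-box from the algebraic normal form of products of output bits, and compares them with those of a linearly equivalent S-box L∘S. The map L (XOR output bit 1 into output bit 3) and the names `anf`, `trails`, `mix_output` and `trail_table` are assumptions chosen for illustration.

```python
# Added illustration: bit-based division trails of a 4-bit S-box and of a
# linearly equivalent S-box. Function names and the map L are hypothetical.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # S-box width in bits


def anf(truth):
    """Moebius transform: truth table -> ANF coefficients, indexed by monomial mask."""
    a = list(truth)
    for i in range(N):
        for m in range(1 << N):
            if (m >> i) & 1:
                a[m] ^= a[m ^ (1 << i)]
    return a


def trails(sbox, k):
    """Minimal output vectors u such that the product of the output bits
    selected by u contains a monomial x^m with m covering k (m & k == k)."""
    valid = []
    for u in range(1 << N):
        # Truth table of the product of the output bits selected by u.
        product = [int((sbox[x] & u) == u) for x in range(1 << N)]
        coeffs = anf(product)
        if any(coeffs[m] and (m & k) == k for m in range(1 << N)):
            valid.append(u)
    # Keep only vectors that do not strictly cover another valid vector.
    return [u for u in valid
            if not any(v != u and (v & u) == v for v in valid)]


def mix_output(sbox):
    """L o S, where the linear bijection L XORs output bit 1 into output bit 3."""
    return [y ^ (((y >> 1) & 1) << 3) for y in sbox]


def trail_table(sbox):
    """All division trails k -> u of the S-box, for every input vector k."""
    return {k: trails(sbox, k) for k in range(1 << N)}


if __name__ == "__main__":
    for name, sb in (("S  ", PRESENT), ("L.S", mix_output(PRESENT))):
        table = trail_table(sb)
        print(name, "k=0011 ->", [format(u, "04b") for u in table[0b0011]],
              "| total trails:", sum(len(v) for v in table.values()))
```

For input vector 0011, the output vector 1000 is a trail of S but not of L∘S: the coordinate y3 ⊕ y1 reduces to the quadratic 1 + x0 + x1x2 + x1x3 + x2x3, which has no monomial containing x0x1.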