Abstract
Division property is a cryptanalysis method that proves to be very efficient on block ciphers. Computer-aided techniques such as MILP have been widely and successfully used to study various cryptanalysis techniques, and this led in particular to many new results for the division property. Nonetheless, we claim that the previous techniques do not consider the full search space. We show that even if the previous techniques fail to find a distinguisher based on the division property over a given function, we can potentially find a relevant distinguisher over a linearly equivalent function. We show that the representation of the block cipher heavily influences the propagation of the division property, and exploiting this, we give an algorithm to efficiently search for such linear mappings. As a result, we exhibit a new distinguisher over 10 rounds of RECTANGLE, while the previous best was over 9 rounds, and rule out such a distinguisher over more than 9 rounds of PRESENT. We also give some insight into the construction of an Sbox to strengthen a block cipher against our technique. We prove that using an Sbox satisfying a certain criterion is optimal in terms of resistance against classical division property. Accordingly, we exhibit stronger variants of RECTANGLE and PRESENT, improving the resistance against division-property-based distinguishers by 2 rounds.
1 Introduction
Division property is a distinguishing property which was first presented by Todo at Eurocrypt’15 [15]. This cryptanalysis technique quickly became a hot topic in the community, especially since it led to the first theoretical attack against full MISTY1 [14]. This property can be seen as a generalization of integral and higher-order differential distinguishers. At Crypto’16, Boura et al. [4] provided a simpler formulation of the division property, especially for the construction of the division trails of Sboxes. Recently, division property was used to improve cube attacks and led to the best known results against several stream ciphers including ACORN, Trivium, Grain-128a and Kreyvium [17]. The idea of the division property is the same as in integral, higher-order differential and cube attacks, namely, proving that if one encrypts a set of plaintexts with a certain structure, then the resulting set of ciphertexts will have some balanced bits, i.e. bits which sum to zero with probability 1 over the whole set of ciphertexts. The main difference between these techniques comes from how one proves this property. Division property is a more fine-grained property: it mainly comes down to tracking which monomials may or may not appear in the Algebraic Normal Form (ANF) of the whole block cipher, so that, for a set of ciphertexts \(\mathbb {X}\), we can predict with probability 1 the result of \(\bigoplus _{{\varvec{x}} \in \mathbb {X}}{\varvec{x^k}}\), where \(\varvec{k}\) is the indicator vector defining the monomial \({\varvec{x^k}}=\prod _i x_i^{k_i}\). The distinguisher begins by generating a set of plaintexts where c bits are fixed to an arbitrary constant, leaving \(n-c\) variables which take all possible values (thus generating an affine space of dimension \(n-c\)). We want to know whether a monomial of degree \(n-c\), i.e. involving all variables, exists in each coordinate of the ANF of the block cipher.
If no such monomial appears in the i-th coordinate, this coordinate is of degree \(< n-c\). Consequently, when we sum the i-th bit over the whole corresponding set of ciphertexts, the sum will be zero, since we compute the sum of a function of degree \(< n-c\) over a space of dimension \(n-c\). Essentially, the division property defines a set \(\mathbb {K}\subset \mathbb {F}_2^n\) of monomials which divides \(\mathbb {F}_2^n\) into two parts. For one part, \(\overline{\mathbb {K}} = \{{\varvec{k}} \mid \exists {\varvec{\bar{k}}} \in \mathbb {K}\textit{ s.t. } {\varvec{\bar{k}}} \preceq {\varvec{k}}\}\), where \(\preceq \) is the usual preceding order, we cannot predict the result of this sum. However, for any \({\varvec{k}} \in \mathbb {F}_2^n\setminus \overline{\mathbb {K}}\), we know that \(\bigoplus _{{\varvec{x}} \in \mathbb {X}}{\varvec{x^k}} = 0\), i.e. we track which monomials we know to sum to zero.
Automatic tools Studying the propagation of an initial division property through a block cipher is a challenging task that requires computer assistance. At Asiacrypt’16, Xiang et al. [18] showed how to model the division property propagation of the three basic operations copy, AND and XOR, as well as the propagation through an Sbox, by a system of linear inequalities. Hence they built MILP models for several block ciphers which they efficiently solved using a third-party MILP solver. As a result they obtained the best known division property distinguishers on SIMON, SIMECK, PRESENT and RECTANGLE. In [20], Zhang et al. gave a new way to model the propagation of division property through linear diffusion layers with the smallest number of inequalities, generated from linear combinations of row vectors of the diffusion matrix. Using this new description, they found the best known distinguishers for both PRINCE and MIDORI. Finally, at Asiacrypt’17, Sun et al. [12] presented two new automatic search tools: one dedicated to ARX ciphers based on a SAT solver and one dedicated to word-based division property based on an SMT (Satisfiability Modulo Theories) solver. Those tools are much faster than previous MILP-based works and were able to study primitives with large internal states such as CLEFIA, WHIRLPOOL and RIJNDAEL.
Our contributions In this paper we show that the search space considered by previous automatic search tools dedicated to division property is incomplete, as they do not exhaust the whole search space. More precisely, propagating an initial division property through a block cipher requires decomposing the block cipher into small components such as AND, XOR, Sboxes, \(\ldots \) for which we can compute the division property propagation. However, contrary to differential and linear cryptanalysis, the result highly depends on how the block cipher is represented. Indeed, replacing an Sbox by a linearly equivalent one does not change the propagation of differentials, while this is not the case for the division property. For instance, in Sect. 3.1 we give two Sboxes \(S_1\) and \(S_2\) such that \(S_2 = S_1 \circ L\), where L is linear, for which propagating the division property through L and then \(S_1\) leads to a completely different result than propagating it directly through \(S_2\). Hence, given an Sbox-based block cipher, it is not clear which representation should be preferred, since replacing any internal Sbox with a linearly equivalent one could lead to a different result. The main issue is that the number of candidate distinguishers is significantly higher than one might think, and efficiently looking for the best distinguisher boils down to efficiently finding the best decomposition.
In this paper we solve a sub-case of this problem. Mounting an attack against a block cipher E most often requires splitting E into three parts as \(E~=~E_2 \circ E_1 \circ E_0\) and finding a distinguisher on \(E_1\). Usually, \(E_0\), \(E_1\) and \(E_2\) are round-reduced versions of E. However, this is not the only way to split E and, for any linear operations \(L_{in}\) and \(L_{out}\), E can be split as:
This kind of carving was for instance used in [6] by Derbez et al. to provide several new meet-in-the-middle attacks against AES. However, the division property is different from differential and linear cryptanalysis. Hence, one of the main problems we solve in this paper is how to find \(L_{in}\) and \(L_{out}\) such that there exists a division property distinguisher through \(L_{out} \circ E_1 \circ L_{in}\). We focus on linear mappings \(L_{in}, L_{out}\) which are block diagonal, of block size m, where m is the size of the Sbox. In a nutshell, we first show how to greatly reduce the number of candidates for both \(L_{in}\) and \(L_{out}\), and then present how to efficiently check the remaining candidates without performing a complete search on each of them. This severely reduces the complexity of the search. Indeed, to search for a distinguisher over r rounds, a naive algorithm would need about \(m s^3 2^{2m^2}\) (where s is the number of Sboxes) calls to the MILP solver with a model representing r rounds of the block cipher. In our case, however, we only need about \(s^2 2^{2m}\) calls to the solver, on a model representing \(r-2\) rounds, which is thus much more efficient to solve. As a result we improve the best known division property distinguisher against RECTANGLE by one round and show that the previous best known distinguisher against PRESENT cannot be improved with this technique. We emphasize that this is an advantage of our algorithm, as it allows us to prove that a given cipher is resistant to our technique; proving negative results is in general harder than finding attacks, since all such attacks have to be checked.
The second result presented in this paper concerns the design of Sboxes that would offer maximal resistance against division property. In [4], Boura et al. provide new insights into the division property, presenting a new approach to it. In particular they show several interesting results concerning the resistance of Sbox-based block ciphers against division property. Here we prove that if an Sbox satisfies a specific criterion (which is close to the one in [4]), then this Sbox is optimal in terms of resistance against classical division property (i.e. without our extension technique). We define optimality in the following sense: if one uses such a perfect Sbox and can find a distinguisher on at most \(r^\star \) rounds, then using any other Sbox will lead to a distinguisher on r rounds with \(r^\star \le r\). To our knowledge, this is the first time that such a result is given for division property, and it could be considered as a new criterion for designing Sboxes. Our criterion is the following: if each coordinate of the ANF of an n-bit Sbox contains all monomials of degree \(n-1\), then this Sbox is optimal. Note that our criterion is equivalent to a very specific structure of the division property propagation table, and this table is a major component of the existing search algorithms [18, 20]. Compared to the criterion in [4], there are two major differences. The first is that no Sbox satisfying our criterion satisfies the one in [4]. Indeed, their criterion is that any non-trivial linear combination of the coordinates of the ANF must be of degree \(n-1\). In our case, since all monomials of degree \(n-1\) appear in each coordinate, the sum of any two coordinates will be of degree \(n-2\). The second difference is that our criterion leads to an optimality proof, whereas their criterion is more of an indication that an Sbox satisfying it should be good enough.
According to this criterion on Sboxes, we try to strengthen both RECTANGLE and PRESENT against our technique. Note that when considering our technique, the criterion mentioned above does not seem to guarantee optimality. However, according to our experiments, it still seems to be the best choice. Indeed, to preserve some differential and linear properties of the original Sboxes, we chose to only consider Sboxes which are linearly equivalent to the original ones. Unfortunately, for both RECTANGLE and PRESENT, it was not possible to obtain a perfect Sbox among the linearly equivalent Sboxes; however, we found many almost perfect Sboxes. Trying all of them allowed us to find a linearly equivalent Sbox for RECTANGLE such that the best distinguisher is over 7 rounds for classical division property, and 8 rounds when using our technique, while the best distinguisher we found with our technique is over 10 rounds of RECTANGLE when using the original Sbox. Doing the same for PRESENT, we found an Sbox such that the classical division property could only lead to a distinguisher on up to 6 rounds, and up to 7 rounds with our technique, while the best known division property based distinguisher for PRESENT is over 9 rounds. Furthermore, on non-table-based implementations, the extra cost of the new Sboxes is only 2 extra XORs per Sbox for PRESENT and 5 extra XORs per Sbox for RECTANGLE. These experiments show that our new search process finds distinguishers against one extra round compared to the classical search, again highlighting its relevance, and also confirm that our strategy to choose these new Sboxes seems promising, as it improves the resistance of both algorithms by 2 rounds. We made our implementation available at https://github.com/ExtendDivProp/ExtendDivProp.
2 Background
2.1 Notations
We will use the following notations in the paper. We denote by \({\varvec{x}} = (x_0,\ldots ,x_{n-1}) \in \mathbb {F}_2^n\) an n-bit vector over \(\mathbb {F}_2\), where \(x_0\) is the least significant bit. We will often write \(x_0x_1\dots x_{n-1}\) instead of \((x_0,\ldots ,x_{n-1})\). We denote by \(w({\varvec{x}})\) the Hamming weight of \({\varvec{x}} \in \mathbb {F}_2^n\). We denote by \({\varvec{e}}_i\) the i-th unit vector, and \(\mathbb {E}_m\) denotes the set of all unit vectors of size m, i.e. vectors of Hamming weight 1. For \({\varvec{x}},{\varvec{u}} \in \mathbb {F}_2^n\), we denote by \({\varvec{x}}^{\varvec{u}}\) the bit product
For \({\varvec{x}},{\varvec{y}} \in \mathbb {F}_2^n\), we define \({\varvec{x}} \succeq {\varvec{y}}\) if \(x_i \ge y_i\) for all i, where \(x_i\) and \(y_i\) are considered as integers. We denote \(\mathcal {P}_m\) the set of all permutations over m elements. We denote \(GL_m(\mathbb {F}_2)\) the set of all invertible matrices of size \(m\times m\) over \(\mathbb {F}_2\).
2.2 Division property and division trails
The division property was introduced by Todo [15] as a generalization of integral cryptanalysis, and later, at FSE’16 [16], Todo and Morii defined a more refined version of it, called bit-based division property. Here, we only consider the bit-based division property, and will often refer to it simply as division property. As the difference is not relevant for this paper, we refer the reader to the original articles for further details.
Definition 1
(Bit-based division property [16]) A set \(\mathbb {X} \subset \mathbb {F}_2^n\) has the division property \(D_\mathbb {K}^n\), where \(\mathbb {K}\subset \mathbb {F}_2^n\) is a set, if for all \({\varvec{u}} \in \mathbb {F}_2^n\), we have
Note that if there are some vectors \({\varvec{k}},{\varvec{k'}}\in \mathbb {K}\) such that \({\varvec{k}} \succeq {\varvec{k'}}\), then \({\varvec{k}}\) can be removed from \(\mathbb {K}\) because it is redundant.
A common way to study division property for a block cipher is to study the division trails of this cipher, which show the propagation of the division property through the basic operations composing the block cipher.
Definition 2
(Division trails [18]) Let f denote the round function of an iterated block cipher. Assume the input set to the block cipher has initial division property \(D_{\{{\varvec{k}}\}}^n\), and denote the division property after propagating through i rounds of the block cipher (i.e. i applications of f) by \(D_{\mathbb {K}^i}^n\). Thus, we have the following chain of division property propagations:
Moreover, for any vector \({\varvec{k}}^i\) in \(\mathbb {K}^i\) (\(i \ge 1\)), there must exist a vector \({\varvec{k}}^{i-1}\) in \(\mathbb {K}^{i-1}\) such that \({\varvec{k}}^{i-1}\) can propagate to \({\varvec{k}}^i\) by the division property propagation rules. Furthermore, for \(({\varvec{k}}^0,{\varvec{k}}^1,\ldots ,{\varvec{k}}^r) \in \mathbb {K}^0\times \mathbb {K}^1\times \cdots \times \mathbb {K}^r\), if \({\varvec{k}}^{i-1}\) can propagate to \({\varvec{k}}^i\) for all \(i \in \{1,2,\ldots ,r\}\), we call \(({\varvec{k}}^0,{\varvec{k}}^1,\ldots ,{\varvec{k}}^r)\) an r-round division trail.
In the rest of the paper, we will denote \({\varvec{k}} \overset{f}{\rightarrow } {\varvec{k'}}\) if the vector \({\varvec{k}} \in \mathbb {F}_2^n\) can propagate to a vector \({\varvec{k'}} \in \mathbb {F}_2^n\) through the function f. In the same way, \({\varvec{k}} \overset{f}{\rightarrow } \mathbb {K}\) denotes that for all \({\varvec{k'}} \in \mathbb {K}\), we have \({\varvec{k}} \overset{f}{\rightarrow } {\varvec{k'}}\).
Given the set \(\mathbb {K}^r\) resulting from the propagation of an initial division property \(D_{\{{\varvec{k}}\}}^n\), we can determine whether \(D_{\{{\varvec{k}}\}}^n\) allows us to build an integral distinguisher using the following proposition. We recall that a given set \(\mathbb {X} \subset \mathbb {F}_2^n\) has an integral property if there exists \(0 \le i \le n-1\) such that
Proposition 1
([18]) Assume \(\mathbb {X}\) is a set with division property \(D_{\mathbb {K}}^n\). Then \(\mathbb {X}\) does not have any integral property if and only if \(\mathbb {K}\) contains all the n unit vectors. As a result, if \({\varvec{e}}_i \not \in \mathbb {K}\), then the i-th bit is balanced.
Proof
Suppose that the vector \({\varvec{e}}_i\) belongs to \(\mathbb {K}\). Then according to the definition of the division property, this implies that the result of the sum
is unknown since \({\varvec{e}}_i \succeq {\varvec{e}}_i\) and \({\varvec{e}}_i \in \mathbb {K}\), i.e. the i-th bit is not balanced. On the other hand, if we suppose that the i-th bit is balanced, i.e.
then by definition of the division property \({\varvec{e}}_i \not \in \mathbb {K}\), as it would otherwise mean that the i-th bit is in an unknown state, which contradicts the fact that the i-th bit is balanced. \(\square \)
For example, we can make a parallel with the well known Square attack on AES [5]. In this attack, the set of plaintexts has one byte taking all possible values while the others are constant. In terms of division property, this translates to the set of plaintexts having a division property \(D_{{\varvec{k}}}^{128}\), where
Then, it is shown in [5] that after 3 rounds of AES, such a set of plaintexts has all its bits balanced. According to Proposition 1, this means that the resulting set has a division property \(D_{{\mathbb {K}}}^{128}\), where \(\mathbb {K}\) does not contain any unit vector.
Hence, to study whether we can build an integral distinguisher over a block cipher from a given initial division property \(\mathbb {K}^0\), we need to propagate \(\mathbb {K}^0\) through the different operations of the block cipher. Fortunately, propagation rules were defined in [16] for the most basic operations in a block cipher, namely Copy, AND and XOR. However, for SPN block ciphers, there are two main components that, while they can be described using only these operations, should have their own way to propagate the division property vectors. These components are linear layers and Sboxes. For linear layers, while [11] proposed to use only the Copy and XOR operations to propagate division property vectors, it has been shown in [20] that this is actually not the right way to propagate through linear layers, as it loses some information and is not able to recover all possible integral distinguishers. We thus refer the reader to [20] for the correct way to propagate division property vectors through a given linear layer.
For Sboxes, again using only the basic operations might result in a loss of information. Hence, [18] proposed an algorithm of complexity \(\mathcal {O}\left( 2^{2m}\right) \) to compute all possible pairs \({\varvec{k}} \overset{S}{\rightarrow } {\varvec{k'}}\) for a given mbit Sbox S.
2.3 Searching for division property based integral distinguishers
While Todo and Morii proposed a way to search for integral distinguishers based on the division property [16], its complexity is quite hard to estimate, and the authors gave an upper bound of \(2^n\), where n is the block size of the block cipher. In practice, they state that their algorithm is not suitable for block ciphers with a block size over 32 bits, and thus not for the standard block sizes of 64 and 128 bits. However, a lot of work has been done towards efficiently searching for such distinguishers, based on either MILP [10, 18, 20] or SAT/SMT solvers [7, 12]. We refer the reader to these papers for further details about the modeling, and will only give a brief description of the idea behind it for MILP. Note that using SAT/SMT solvers is very similar to using MILP, and mostly differs in efficiency when considering different primitives. For example, searching for division property based integral distinguishers on ARX ciphers seems to be easier with SAT solvers. First we briefly recall what MILP is.
Definition 3
An MILP problem is formulated as follows. Given a matrix \(A \in \mathbb {R}^{m\times n}\), \(b \in \mathbb {R}^m\) and \(c \in \mathbb {R}^n\), find a vector \(x \in \mathbb {Z}^k\times \mathbb {R}^{n-k}\) with \(Ax \le b\) which minimizes (or maximizes) the value of
Here, f is called the objective function of the MILP problem.
2.3.1 Modeling division property propagation with MILP
The idea of using MILP to search for integral distinguishers is first to model the set of all possible division trails as an MILP problem, that is, to build a set of linear inequalities such that [18]:
1. each division trail must satisfy all linear inequalities of the system, i.e. each division trail corresponds to a feasible solution of the linear inequality system;
2. each feasible solution of the linear inequality system corresponds to a division trail, i.e. the set of all feasible solutions of the linear inequality system does not contain any impossible division trail.
We can thus build an MILP model satisfying the previous conditions using [18] for basic operations and Sboxes, [20] for linear layers and [10] for ARX block ciphers. Note that this step is not totally free.
For Sboxes, we first compute the set of all possible propagations through a given m-bit Sbox, which has complexity \(\mathcal {O}\left( 2^{2m}\right) \). Then, we need to compute a set of linear inequalities which represents these possible propagations according to the two previous rules. To do so, [18] proposed to first use the function inequality_generator() from the Sagemath [13] software to get such a set of inequalities, and then use a greedy algorithm to reduce their number. While this works for small Sboxes (e.g. 4-bit Sboxes), this approach fails for bigger Sboxes (e.g. 8-bit Sboxes) as the complexity of generating the initial set of inequalities is too high. However, Abdelkhalek et al. showed a new method in [1] to tackle this problem, and thus proposed a way to model 8-bit Sboxes in MILP. Note that while this allows us to model 8-bit Sboxes, it often leads to a lot of inequalities, so the resulting model can be quite large, which can result in a high solving time.
For linear layers, Zhang et al. [20] showed that the method previously proposed in [11] to model linear layers does not actually fulfill the above rules, as it introduces some impossible propagations, resulting in some integral distinguishers being missed. Hence, they proposed a new way to model such layers, and proved that their way was optimal, i.e. removing any one inequality results in some spurious propagations. To model a given linear layer L, the number of inequalities generated is given by \(n(2^s-1)\), where s is the size of the smallest square matrix M such that M is the representation of L over the field \(\mathbb {F}_{2^n}\) and M is binary. For example, the matrix used in SKINNY-64 [2] is a binary matrix of size 4 over \(\mathbb {F}_{2^4}\), and thus needs \(4(2^4-1) = 60\) inequalities. However, if we take the matrix used in AES, which is described as a non-binary matrix of size 4 over \(\mathbb {F}_{2^8}\), the number of inequalities is much higher. Indeed, since multiplication over \(\mathbb {F}_{2^8}\) corresponds to a linear operation over \(\mathbb {F}_2^8\), the matrix used in AES can be represented as a matrix of size 32 over \(\mathbb {F}_2\), which is obviously binary. This is the smallest way to represent this operation with a binary matrix, and thus it would need \(2^{32}-1\) inequalities to model a single propagation through this linear layer, which would result in a huge model that cannot be solved in practical time. Hence, not all linear layers can be modeled in an exact way, and complex linear layers may lead to a model which is much harder to solve. Note however that if the linear layer is only a permutation, such as in PRESENT [3] or RECTANGLE [19], then the above formula does not apply, as we can just reorder the variables, and thus we can always model such linear layers.
2.3.2 Searching for a distinguisher
As a result of the previous section, when modeling an n-bit block cipher over r rounds, we have a set of variables \(\{\mathbf {k}_i^j, i \in \{0,\cdots ,n-1\}, j \in \{0,\cdots ,r\}\}\) such that, for a given solution of the MILP problem, the corresponding values of these variables give a division trail \(({\varvec{k}}^0,{\varvec{k}}^1,\ldots ,{\varvec{k}}^r)\) with \({\varvec{k}}^i = (\mathbf {k}_0^i,\ldots ,\mathbf {k}_{n-1}^i)\). In particular, this allows us to see whether each unit vector belongs to \(\mathbb {K}^r\). Indeed, once we have the MILP model for r rounds of a given block cipher, we can set the objective function to \(\mathbf {k}_0^r + \cdots + \mathbf {k}_{n-1}^r\). Then we set the initial division property using equality constraints, i.e. if the initial division property is \({\varvec{a}} \in \mathbb {F}_2^n\), we add the constraints
and then ask the solver (e.g. Gurobi [8]) to solve this problem by minimizing the value of the objective function. If the solver finds a solution of value 1, there is a vector \({\varvec{k}}^r\) of weight 1 (i.e. a unit vector) that belongs to \(\mathbb {K}^r\). We can then add a linear constraint to remove this vector \({\varvec{k}}^r\) from the set of solutions, and solve the problem again. Once there are no more solutions of value 1, we have found all unit vectors belonging to \(\mathbb {K}^r\), hence we can easily see whether or not there are some balanced bits using Proposition 1. Note that we do not need to stop after finding all solutions of value 1. Indeed, we can keep going until the problem has no remaining solutions, and we will thus have computed the whole set \(\mathbb {K}^r\). This will be useful later in the paper, where it is described in more detail.
3 Extended division property using linear mappings
3.1 First observations
Several integral distinguishers were found using the previously described method. However, we claim that this method does not actually search through the whole space of all possible integral distinguishers based on the division property. Indeed, we show that for a given block cipher E, we can instead consider \(L_{out} \circ E \circ L_{in}\), where both \(L_{out}\) and \(L_{in}\) are linear mappings, and this results in previously unknown integral distinguishers. We now explain the main idea behind using \(L_{out}\) and \(L_{in}\). For \(L_{out}\), while all bits could be unbalanced after E, it might occur that a linear combination of some bits is balanced. This was already mentioned by Todo and Morii in [16] when they introduced the division property using three subsets.
For \(L_{in}\), the idea is very close. The initial division property \({\varvec{k}}^0\) basically sets some constant bits. That is, if the set \(\mathbb {X}\) has division property \(D_{{\varvec{k}}^0}^n\), then throughout the set, each bit i such that \({\varvec{k}}^0_i = 0\) has a constant value, and if \({\varvec{k}}^0_i = 1\), the bit i takes all possible values over the set. For example, the following set has division property \(D^4_{0011}\)
Hence, the idea behind \(L_{in}\) is to get a set such that a linear combination of some bits is constant, while those bits are not necessarily constant.
Finally, we can see that considering \(L_{out} \circ E \circ L_{in}\) instead of E is still meaningful. Classically, when an attacker uses a distinguisher to mount an attack, he basically splits the cipher E into \(E = E_2 \circ E_1 \circ E_0\), where he has a distinguisher over \(E_1\). In that case, \(E_1\) can be seen as a reduced version of E, containing only a certain number of rounds of E. However, we could also rewrite E as
In that case, the attacker would search for a distinguisher over \(L_{out} \circ E_1 \circ L_{in}\), and could still use it to mount an attack. Indeed, the attacker starts with a set \(\mathbb {X}\) respecting a given initial division property (according to the distinguisher over \(L_{out} \circ E_1 \circ L_{in}\)) and computes \(\mathbb {X}' = E_0^{-1} \circ L_{in}(\mathbb {X})\) by guessing part of the key. He then asks for the encryption of \(\mathbb {X}'\) through E to get a set of ciphertexts \(\mathbb {Y}\), computes \(\mathbb {Y}' = L_{out} \circ E_2^{-1}(\mathbb {Y})\) using some other key guesses and checks whether \(\mathbb {Y}'\) has some balanced bits (according to the distinguisher over \(L_{out} \circ E_1 \circ L_{in}\)). If that is the case, the key guesses are supposed to be correct. Note that this idea was already successfully used in the past, for example in [6].
So considering \(E' = L_{out} \circ E \circ L_{in}\) instead of E could lead to some new integral distinguishers. In the following, E is an SPN block cipher, i.e. the round function of E is \(f = \mathcal {L} \circ \mathcal {S}\), where \(\mathcal {L}\) is linear and \(\mathcal {S}\) is the parallel application of an Sbox S over the state. Note that we omit \(\mathcal {L}\) in the last round. Now our goal is to determine whether \(E'\) has an integral distinguisher based on the division property, using MILP. Classically, we study the following propagation chain
Basically, we model independently the propagation through the linear layers and the Sbox layers, in particular for \(L_{in}\) and the first Sbox layer, and for \(L_{out}\) and the last Sbox layer. However, this might actually not be the best way to model this, as the following example shows.
3.1.1 Merging linear mappings and Sboxes
Let \(S_1\) and \(S_2\) be two Sboxes over \(\mathbb {F}_2^4\) such that
x | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15
\(S_1(x)\) | 12 | 13 | 11 | 9 | 6 | 0 | 5 | 10 | 3 | 2 | 8 | 4 | 15 | 7 | 14 | 1
\(S_2(x)\) | 12 | 11 | 14 | 15 | 1 | 7 | 13 | 9 | 10 | 0 | 2 | 4 | 3 | 8 | 5 | 6
where \(S_2\) is obtained as \(S_2 = S_1 \circ L\) with
We can use the algorithm from [18] to compute all possible propagations through \(S_1, S_2\) and L. Using this, if we look at the propagation of \({\varvec{x}} = 0111\) through L and \(S_1\) independently, we have the following trail
However, if we now consider L and \(S_1\) together, i.e. by looking at the propagation of 0111 through \(S_2 = S_1 \circ L\), then we have the trail
As we can see, the resulting division property set is completely different, yet it comes from the same initial division property and goes through the same function. Moreover, this is not just a local change: not only is \(\mathbb {K}'\) a set that was not reachable through \(S_1\) alone, but the whole propagation tables of \(S_1\) and \(S_2\) are different, as we can see in Fig. 1.
This clearly shows that considering both the Sbox and the linear mapping together gives much more information about the propagation of the division property. Note that we give this example by putting a linear mapping at the input of the Sbox, but similar observations can be made when considering S and \(L \circ S\) for some Sbox S and linear mapping L. Moreover, not only does this give more information about the propagation, but it could, and will, actually help us to find new distinguishers when considering \(L_{out} \circ E \circ L_{in}\) instead of E.
We can see that, except when we have either the full zero or the full one vector, if we consider a division property chain \(\mathbb {K}^0 \rightarrow \cdots \rightarrow \mathbb {K}^r\) of a block cipher, the weight of the vectors in each \(\mathbb {K}^i\) can only decrease (or remain constant, but in practice, this is rarely the case, see Fig. 1). Recall that if the set \(\mathbb {K}^r\) contains all unit vectors (i.e. of weight 1), no integral distinguisher can be built from it. Thus, intuitively, if we want to find an integral distinguisher, we would like to have vectors of relatively high weight in each set \(\mathbb {K}^i\) as long as possible.
Now consider a block cipher E such that the first layer of Sboxes contains only \(S_1\) as defined previously. Then from the propagation table in Fig. 1, we can see that the output of each Sbox will always be of weight 1 (except for 0000 and 1111). So after the first round, if the weight at the input of any Sbox is different from 0 and 4, we will already only have vectors of weight 1 at the output of the Sbox. However, if we now consider \(E \circ \mathcal {M}\), where \(\mathcal {M} = (M,\ldots ,M)\) applies the linear mapping M to the input of every Sbox before the first round, then this is the same as considering the first layer of Sboxes to be \((S_2,\ldots ,S_2)\). This time, if one carefully chooses the input division property of the Sbox, one can obtain only vectors of weight 2, which could result in a better propagation through the remaining layers of the cipher.
Clearly, considering \(L_{out} \circ E \circ L_{in}\) instead of E, and considering the propagation of the division property vectors through \(M \circ S\) (or \(S \circ M\)) as a whole instead of independently through M and S, could result in better distinguishers, and thus in the next section, we focus on the search of such distinguishers.
3.2 Searching for extended division property
In this paper, we will only consider SPN block ciphers, i.e. the round function is \(f = \mathcal {L} \circ \mathcal {S}\), where \(\mathcal {L}\) is linear and \(\mathcal {S}\) is built as the concatenation of s Sboxes of size m applied in parallel on the state, hence the block cipher has block size \(n = s \cdot m\). Moreover, we will consider that all Sboxes are the same. This simplifies the analysis, but the approach extends to ciphers using different Sboxes.
3.2.1 Reducing the search space of \(L_{in}\) and \(L_{out}\).
Given a block cipher E which does not have any integral distinguisher based on the division property, we want to find two linear mappings \(L_{in}\) and \(L_{out}\) such that \(L_{out} \circ E \circ L_{in}\) has an integral distinguisher based on the division property which is supported by the previous observations. Moreover, we also would like to exploit the fact that we have a more precise propagation when considering the propagation of division property vectors through \(S \circ M\) as a single function, instead of independently through M then S. Note that, theoretically, we could consider the whole round function of the block cipher as a single function (or even the whole block cipher), and thus get more precise information about the propagation of division property vectors. However, computing the propagation table of division vectors needs \(\mathcal {O}(2^{2n})\) operations, where n is the size of the function. Hence for classical block ciphers with 64 or 128 bits block size, this is clearly impractical.
This also means that we cannot choose any \(L_{in}\) and \(L_{out}\), as we want to somehow merge \(L_{in}\) with the first Sbox layer and, respectively, merge \(L_{out}\) with the last Sbox layer. Hence, we will focus our search on linear maps \(L_{in}\) and \(L_{out}\) which are block diagonal, of block size m. Consequently we want to put an invertible linear map \(L_{in}^i\) (resp. \(L_{out}^i\)) before (resp. after) each Sbox of the first (resp. last) round. By doing so, we will denote by \(S_{in}^i = S \circ L_{in}^i\) and \(S_{out}^i = L_{out}^i \circ S\) the modified Sboxes.
First, we give the following proposition to show that we do not need to consider every possible choice for each block \(L_{in}^i\) and \(L_{out}^i\).
Proposition 2
Let S be an invertible m-bit Sbox and P an m-bit permutation. Let \(S_1 = S \circ P\) and \(S_2 = P \circ S\), and \({\varvec{k}} \overset{S}{\rightarrow } {\varvec{k}}'\) be any valid division property propagation through S with \({\varvec{k}},{\varvec{k}}' \in \mathbb {F}_2^m\). Then both propagations \(P^{-1}({\varvec{k}}) \overset{S_1}{\longrightarrow } {\varvec{k}}'\) and \({\varvec{k}} \overset{S_2}{\longrightarrow } P({\varvec{k}}')\) are always valid.
Proof
This directly comes from the fact that \(S_1\) is obtained by just permuting the input variables of S, and respectively \(S_2\) is obtained by permuting the output bits of S. \(\square \)
Hence, if we search for an integral distinguisher for any given block \(L_{in}^i\), we do not need to repeat the search for all \(L_{in}^i \circ P\) where P goes through all possible permutations, as we could obtain the same result from the search using \(L_{in}^i\) by just permuting the initial division property with P. For example, if we have the set \(\mathbb {K}^r\) from a given initial division property \({\varvec{k}}\) through \(L_{out} \circ E \circ L_{in}\), and we consider \(L'_{out} \circ E \circ L'_{in}\) where \(L'_{in} = L_{in} \circ (P_{in}^0,\ldots ,P_{in}^{s-1})\) and \(L'_{out} = (P_{out}^0,\ldots ,P_{out}^{s-1}) \circ L_{out}\), where each \(P_{in}^i\) and \(P_{out}^i\) is a permutation over m bits, we directly have that the initial division property \((P_{in}^0,\ldots ,P_{in}^{s-1})^{-1}({\varvec{k}})\) propagates to the set \((P_{out}^0,\ldots ,P_{out}^{s-1})(\mathbb {K}^r)\). In particular, if we have an integral distinguisher for \(L_{out} \circ E \circ L_{in}\), then we also have one for \(L'_{out} \circ E \circ L'_{in}\) (and vice versa: if \(L_{out} \circ E \circ L_{in}\) does not have any integral distinguisher, neither does \(L'_{out} \circ E \circ L'_{in}\)).
This allows us to restrict the search space for each block \(L_{in}^i\) to a set \(\mathbb {L}_{in}\) containing a representative of each equivalence class
and in the same way, to restrict the search space of each \(L_{out}^i\) to a set \(\mathbb {L}_{out}\) containing a representative of each equivalence class
The size of these spaces \(\mathbb {L}_{in}\) and \(\mathbb {L}_{out}\) can be obtained by
as it is the total number of invertible matrices of size m divided by the number of permutations over m elements. Note that this is much lower than the total number of matrices of size \(m\times m\) over \(\mathbb {F}_2\) which is \(2^{m^2}\), and for example if \(m = 4\), then there are only 840 matrices to consider.
3.2.2 Reducing the amount of work for \(L_{in}\)
Let us focus on finding a distinguisher over \(E \circ L_{in}\). We will see later that we can use the idea of this section together with the next section to search for a distinguisher over \(L_{out} \circ E \circ L_{in}\). Note that our goal is to exhibit a distinguisher on \(E \circ L_{in}\), not necessarily the best one. As such, we focus on finding a distinguisher requiring \(2^{n-1}\) data, i.e. the initial division property will be \(\mathbb {K}^0 = {\varvec{k}}^0\) with \(w({\varvec{k}}^0) = n-1\). By doing so, we focus our search on only one modified Sbox \(S_{in}^i\) and set the others to S. Indeed, if \(w({\varvec{k}}^0) = n-1\), there is only one specific Sbox \(S_{in}^i\) which has an input of weight \(m-1\), while all the other Sboxes \(S_{in}^j\) with \(j \ne i\) have \(1\ldots 1\) as input. Note that if a set \(\mathbb {X}\) has division property \({\varvec{k}} = 1\ldots 1\), all bits take all possible values through the set, i.e. \(\mathbb {X} = \mathbb {F}_2^m\). Hence, since we are considering bijective Sboxes, we have \(S_{in}^j(\mathbb {X}) = \mathbb {F}_2^m\) for all \(j \ne i\), and thus the resulting division property set is \(\mathbb {K}= \{1\ldots 1\}\).
From the previous remark, we only need to look at each matrix from \(\mathbb {L}_{in}\). However, we can reduce even further the amount of propagation we need to compute. Since the input of the Sbox \(S_{in}^i\) is \({\varvec{k}}^0_i\) with \(w({\varvec{k}}^0_i) = m-1\), we know that this can only result in at most \(2^m-2\) possible vectors (by excluding the full-zero and full-one vectors) after the application of \(S_{in}^i\). Thus, to search for a distinguisher over \(E' = E \circ L_{in}\) with E containing r rounds with round function \(f = \mathcal {L} \circ \mathcal {S}\), we first decompose \(E'\) as
This leads to the following chain of division property propagation
where
We first define the set \(\mathcal {K}_{in}^S\) as
Computing \(\mathcal {K}_{in}^S\) allows us to build all possible \(\widetilde{\mathbb {K}}^0\), since there exists a set \(\mathbb {K}\in \mathcal {K}_{in}^S\) such that every vector \({\varvec{\tilde{k}}}^0\) of \(\widetilde{\mathbb {K}}^0\) is of the form
Hence, instead of trying all possible \(L_{in}^i \in \mathbb {L}_{in}\), we skip the first propagation through \(\mathcal {S}_{in}\) and directly consider that the propagation starts at \(\widetilde{\mathbb {K}}^0\).
We now need to test each set in \(\mathcal {K}_{in}^S\). Recall that \(\widetilde{\mathbb {K}}^0\) can only be built from \(2^m-2\) vectors \({\varvec{\tilde{k}}}^0\). We propagate each of those vectors through the remaining layers of the cipher, i.e. the following chain of propagation
Thus, for each \({\varvec{\tilde{k}}}^0\), we deduce a set \(\mathbb {S}_{{\varvec{\tilde{k}}}^0}\) of balanced bits using MILP. We then consider each set \(\widetilde{\mathbb {K}}^0 \in \mathcal {K}_{in}^S\), and compute
If some \(\mathbb {S}_{\widetilde{\mathbb {K}}^0}\) is nonempty, then \(\widetilde{\mathbb {K}}^0\) leads to a set of balanced bits, namely \(\mathbb {S}_{\widetilde{\mathbb {K}}^0}\).
Finally, using a precomputed table \(\mathcal {T}_{in}^S\) defined as
we deduce a linear map \(L_{in}^i \in \mathbb {L}_{in}\) and a vector \({\varvec{k}}^0\) such that we get an integral distinguisher over \(E \circ L_{in}\) starting from the initial division property \({\varvec{k}}^0\).
In summary, we first propagate each of the \(2^m-2\) vectors through \(f \circ \cdots \circ f \circ \mathcal {L}\). Then, for each set \(\widetilde{\mathbb {K}}^0 \in \mathcal {K}_{in}^S\), we check whether every vector of \(\widetilde{\mathbb {K}}^0\) leads to the same balanced bits through \(f \circ \cdots \circ f \circ \mathcal {L}\). If so, then using \(\mathcal {T}_{in}^S\) we can easily deduce a linear map \(L_{in}\) and an initial division property which result in an integral distinguisher.
3.2.3 Reducing the amount of work for \(L_{out}\)
Again, we first only consider \(L_{out} \circ E\), and will see in the next part how to combine this with the previous section to get a distinguisher over \(L_{out} \circ E \circ L_{in}\). For \(L_{out}\), if we search naively, we need to try each possible matrix from \(\mathbb {L}_{out}\). However, this is actually not necessary. Indeed, recall that there is an integral distinguisher if and only if the last division property set \(\mathbb {K}^r\) does not contain all unit vectors, and thus we only need to check if each unit vector belongs to \(\mathbb {K}^r\). Now consider a division property vector \({\varvec{k}}\) which is sent to such a unit vector \({\varvec{e}}_i\) through the last (modified) Sbox layer. That is, we have \({\varvec{k}} \overset{\mathcal {S}_{out}}{\longrightarrow } {\varvec{e}}_i\) where \(\mathcal {S}_{out} = (S_{out}^0,\ldots ,S_{out}^{s-1})\). In that case, all Sboxes except one have an output division property vector equal to \(0\dots 0\). Again, since we are using bijective Sboxes, this means that the output set is constant, and thus the input set is also constant, leading to a corresponding input vector \(0\dots 0\). Hence, \({\varvec{k}}\) will be of the form
where \({\varvec{\tilde{k}}}\) is a nonzero vector of \(\mathbb {F}_2^m\).
Consequently, we first compute, for each \(L_{out} \in \mathbb {L}_{out}\), all possible sets \(\mathbb {K}\) such that \(\mathbb {K}\overset{S_{out}}{\longrightarrow } \mathbb {K}'\), with \(S_{out} = L_{out} \circ S\), and \(\mathbb {K}'\) does not contain all unit vectors over m bits. With these notations, denote by \(\mathcal {K}_{out}^S\) the set
We can write the division property propagation chain
However, we do not know which \(L_{out}\) to use, and thus cannot propagate through \(S_{out}\). Instead, we compute a subset \(\widetilde{\mathbb {K}}\) of \(\mathbb {K}^{r-1}\) such that for every vector \({\varvec{k}}\) of \(\widetilde{\mathbb {K}}\), the nonzero elements of \({\varvec{k}}\) all belong to a single Sbox block, i.e. \({\varvec{k}}\) is of the form
with \({\varvec{\tilde{k}}}\) a nonzero vector of \(\mathbb {F}_2^m\). Thus, if there is a propagation \({\varvec{k}} \overset{\mathcal {S}_{out}}{\longrightarrow } {\varvec{e}}\) where \({\varvec{e}}\) is a unit vector, then we must have \({\varvec{k}} \in \widetilde{\mathbb {K}}\). Now from \(\widetilde{\mathbb {K}}\), build the following sets for each \(i \in \{0,\ldots ,s-1\}\)
These sets \(\mathbb {K}^{r-1}_i\) allow us to see if we can get a distinguisher. Indeed, if for at least one \(i \in \{0,\ldots ,s-1\}\) we have \(\mathbb {K}^{r-1}_i \in \mathcal {K}_{out}^S\), then we can get a distinguisher over \(L_{out} \circ E\). Then, using a precomputed table \(\mathcal {T}_{out}^S\) defined as
we know that there exists a linear map \(L_{out}^i \in \mathcal {T}_{out}^S[\mathbb {K}^{r-1}_i]\) and a unit vector \({\varvec{e}} \in \mathbb {F}_2^m\) such that \(\mathbb {K}^{r-1}_i \overset{S_{out}^i}{\longrightarrow } \mathbb {K}'\) where \({\varvec{e}} \not \in \mathbb {K}'\). Hence, the unit vector \(0\dots 0{\varvec{e}}0\dots 0 \in \mathbb {F}_2^n\) will not belong to \(\mathbb {K}^r\), which means that we have at least one balanced bit. In summary, to search for each block \(L_{out}^i\), we just need to compute all sets \(\mathbb {K}^{r-1}_i\) and check if at least one of them belongs to \(\mathcal {K}_{out}^S\). If so, we can deduce from \(\mathcal {T}_{out}^S\) which block \(L_{out}^i\) to use such that this results in an integral distinguisher.
3.2.4 Putting everything together
We can now combine the two previous sections to search for a distinguisher over \(L_{out} \circ E \circ L_{in}\). The overall idea is given in Fig. 2. We first write \(L_{out} \circ E \circ L_{in}\) as
and get the following propagation chain
where \(w({\varvec{k}}^0) = n-1\). According to the two previous sections, we first start by computing \(\mathcal {K}_{in}^S, \mathcal {T}_{in}^S, \mathcal {K}_{out}^S\) and \(\mathcal {T}_{out}^S\). Then, for each Sbox block i of the first layer, and for each of the \(2^m-2\) initial division property vectors \({\varvec{\tilde{k}}}^0_i\), we use an MILP solver to compute all the sets \(\mathbb {K}^{r-1}_j, j \in \{0,\ldots ,s-1\}\) through \(f \circ \cdots \circ f \circ \mathcal {L}\), where there are \(r-2\) applications of f. We denote by \(\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j\) these sets to tie them to \({\varvec{\tilde{k}}}^0_i\).
Next for each set \(\widetilde{\mathbb {K}}^0 \in \mathcal {K}_{in}^S\), we compute the following union for each \(j \in \{0,\ldots ,s1\}\) :
Now if at least one \(\mathbb {K}^j_{\widetilde{\mathbb {K}}^0}\) belongs to \(\mathcal {K}_{out}^S\), then we can get a distinguisher. Indeed, \(\mathbb {K}^j_{\widetilde{\mathbb {K}}^0}\) is the set of division property vectors that can lead to a unit vector after the application of \(S_{out}^j\). Thus by definition of \(\mathcal {K}_{out}^S\), if \(\mathbb {K}^j_{\widetilde{\mathbb {K}}^0} \in \mathcal {K}_{out}^S\) we know that at least one unit vector will not appear after the application of \(S_{out}^j\), i.e. \(\mathbb {K}^r\) does not contain all unit vectors. We then put any map from \(\mathcal {T}_{out}^S[\mathbb {K}^j_{\widetilde{\mathbb {K}}^0}]\) after the jth Sbox in the last layer, and any map from \(\mathcal {T}_{in}^S[\widetilde{\mathbb {K}}^0]\) before the ith Sbox in the first layer, which thus gives us our new distinguisher. Note that we can easily see that
Indeed, a linear mapping leads to at least one balanced bit from \(\widetilde{\mathbb {K}}^0\) if and only if it leads to at least one balanced bit from each \({\varvec{\tilde{k}}}^0_i \in \widetilde{\mathbb {K}}^0\). This will be used later on to reduce the work needed even further with an early-abort strategy. The whole procedure is summarized in Algorithm 1.
Complexity Overall, the number of calls to the MILP solver can be upper bounded as follows. First, we need to compute all \(\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j\) for each of the \(s(2^m-2)\) possible \({\varvec{\tilde{k}}}^0\). Then, each set \(\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j\) can contain at most \(2^m\) vectors, and getting one vector of any of these sets costs one call to the MILP solver. Since there are s of those sets, we need \(s \cdot 2^m\) calls to the MILP solver. Note however that in practice, this is much lower, as we do not need to recover the redundant vectors. This means that, for example, the sets \(\{0001,0011\}\) and \(\{0001\}\) are considered to be equivalent, as 0011 is redundant in the first set and thus can be removed. If we go through all sets with \(m = 4\), the maximum size of any set \(\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j\) is 6, and there are only 167 possible sets (compared to, in theory, a maximum size of 16 and \(2^{16}\) possible sets). In total, we need at most \(s^2(2^m-2)2^m\) calls to the MILP solver for a model over \(r-2\) rounds, and the factor \(2^m\) is actually much lower in practice.
This can be compared to the complexity of a naive algorithm. In such an algorithm, one would need to try every possible invertible matrix for each Sbox at the first round, so about \(s \cdot 2^{m^2}\) cases (a bit fewer, as there are fewer than \(2^{m^2}\) invertible matrices). For each of those cases, we need to try again every possible matrix for each Sbox at the last round, which adds another factor \(s \cdot 2^{m^2}\). This generates \(s^2 2^{2m^2}\) models, and then for each of those, we need to check if there is a distinguisher. At most, this costs \(n=sm\) calls to the MILP solver, as one call can retrieve one vector of weight 1, and there are n of them. So in total, a naive algorithm would need about \(m s^3 2^{2m^2}\) calls to the MILP solver, and each model is over r rounds, which is much more expensive to solve.
Moreover, for our technique, if we go through each of the \(2^m-2\) vectors \({\varvec{\tilde{k}}}_i^0\) in a clever way, we can often reduce further the number of calls to the MILP solver. Indeed, if we first go through all vectors of weight \(m-1\) and compute all corresponding \(\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j\), we are left with two cases:

All sets \(\mathcal {T}_{out}^S[\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j]\) for all vectors \({\varvec{\tilde{k}}}_i^0\) of weight \(m-1\) are empty, and thus we do not need to go further. Indeed, this means that no linear mapping leads to at least one balanced bit from any initial vector of weight \(m-1\). Moreover, for any vector \({\varvec{k}}\) such that \(w({\varvec{k}}) < m-1\), we know that there is a vector \({\varvec{\tilde{k}}}_i^0\) of weight \(m-1\) such that \({\varvec{\tilde{k}}}_i^0 \succeq {\varvec{k}}\). Hence, since there is no balanced bit from any vector \({\varvec{\tilde{k}}}_i^0\) of weight \(m-1\), we cannot have any balanced bit from any vector of weight strictly lower than \(m-1\) (see [12, Proposition 2]).

Otherwise, we first check if there is any set \(\widetilde{\mathbb {K}}^0 \in \mathcal {K}_{in}^S\) built only from vectors of weight \(m-1\). If so, we apply Algorithm 1 from line 11 to line 22 to check if we can find a distinguisher. If no distinguisher exists, or if none of the sets in \(\mathcal {K}_{in}^S\) are built only from vectors of weight \(m-1\), then we go through all vectors of weight \(m-2\) and apply the same procedure, and so on.
We can go even further by looking at all the possible transitions \({\varvec{k}} \overset{\mathcal {S}^i_{in}}{\longrightarrow } \mathbb {K}\) with \(w({\varvec{k}}) = m-1\) when we go through all linear mappings in \(\mathbb {L}_{in}\). Suppose that the two following transitions are possible (possibly with different linear mappings), \({\varvec{k}} \overset{\mathcal {S}^i_{in}}{\longrightarrow } \mathbb {K}\quad \text { and } \quad {\varvec{k'}} \overset{\mathcal {S}^{\prime i}_{in}}{\longrightarrow } \mathbb {K}'\), with \(w({\varvec{k}}) = w({\varvec{k'}}) = m-1\). If for all vectors \({\varvec{\widetilde{k'}}} \in \mathbb {K}'\), there exists a vector \({\varvec{\widetilde{k}}} \in \mathbb {K}\) such that \({\varvec{\widetilde{k'}}} \preceq {\varvec{\widetilde{k}}}\), it is not useful to consider \(\mathcal {S}^{\prime i}_{in}\). Indeed, in that case, if \(\mathcal {S}^{\prime i}_{in}\) led to a distinguisher, then so would \(\mathcal {S}^{i}_{in}\). Such a transition \({\varvec{k'}} \overset{\mathcal {S}^{\prime i}_{in}}{\longrightarrow } \mathbb {K}'\) is thus redundant and does not need to be examined. We can thus build all possible transitions \({\varvec{k}} \overset{\mathcal {S}^i_{in}}{\longrightarrow } \mathbb {K}\) which are not redundant. If there is a vector \({\varvec{\widetilde{k}}}\) which never belongs to \(\mathbb {K}\) among all such non-redundant transitions, we never have to examine the propagation of this vector. This essentially reduces even further the space of all the vectors \({\varvec{\tilde{k}}}_i^0\) we need to consider. In practice, this allows us to significantly reduce the time required to find a distinguisher, or even to prove that no such distinguisher exists, and this will be detailed in the next section.
4 Applications
4.1 Division property against 10round RECTANGLE
RECTANGLE [19] is a lightweight block cipher designed for fast implementation using bitslice techniques. It is a 64-bit block cipher, using 4-bit Sboxes and a permutation as the linear layer. There are 80-bit and 128-bit key sizes, and the total number of rounds is 25 in both cases. The best known division property based integral distinguisher is from [18] over 9 rounds, using \(2^{60}\) data and resulting in 16 balanced bits. By applying the previous algorithm, we were able to find a distinguisher over 10 rounds, using \(2^{63}\) data and resulting in 1 balanced bit. The distinguisher is built on \(L_{out} \circ E \circ L_{in}\), where the block 0 of \(L_{in}\) is
and \(L_{out}\) is the identity. This results in the following distinguisher, where c denotes a constant bit, a denotes a bit taking all possible values through the set, b denotes a balanced bit and ? denotes a bit in an unknown state.
Overall, the time needed to compute all \(\mathbb {K}_{{\varvec{\tilde{k}}}_i^0}^j\) for a given \({\varvec{\tilde{k}}}_i^0\) is about 400 seconds on average. The reason this distinguisher exists is that, when considering \(S' = S \circ L_{in}^0\) where S is the Sbox of RECTANGLE, the transition \(1101 \overset{S'}{\longrightarrow } \{0101, 1110\}\) becomes possible, while the set \(\{0101, 1110\}\) was not reachable from the original Sbox S. Note that this distinguisher does not depend on the key size, and thus is applicable to both the 80-bit and the 128-bit key variants.
4.2 Strengthening RECTANGLE
According to our observations in Sect. 3.1, it is natural to think that the resistance of an Sbox-based cipher against division property is highly related to the number of weight 1 vectors in the division property propagation table of the Sbox. As such we study how the choice of the Sbox affects the resistance of RECTANGLE against division property. We first give some generic insights about the design of an Sbox to resist classical division property (i.e. without using our extension technique). Before going further, let us recall how the division property propagation table is built.
Proposition 3
([18]) Let S be an n-bit Sbox with \(y = (y_0,\dots ,y_{n-1})\) the ANF of S, where each \(y_i\) is a polynomial in the input variables \(x = (x_0,\dots ,x_{n-1})\) of S. For some \({\varvec{k}} \in \mathbb {F}_2^n\), let \(\mathbb {U}_{{\varvec{k}}} = \{{\varvec{\bar{k}}} \in \mathbb {F}_2^n \mid {\varvec{k}} \preceq {\varvec{\bar{k}}}\}\) and \(F_{{\varvec{k}}} = \{x^{{\varvec{\bar{k}}}} \mid {\varvec{\bar{k}}} \in \mathbb {U}_{{\varvec{k}}}\}\). Then we have the transition \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{k'}}\) if and only if \(y^{{\varvec{k'}}}\) contains a monomial in \(F_{{\varvec{k}}}\).
Intuitively, an Sbox such that all vectors in the propagation table are of weight 1 should provide a good resistance against division property. This leads us to define a perfect Sbox, where the choice of the word perfect will be justified in Theorem 1.
Definition 4
Let S be an n-bit Sbox. We say that S is perfect (w.r.t. division property) if its division property propagation table is of the following form:

\(0\dots 0 \overset{S}{\longrightarrow } \mathbb {K}= \{0\dots 0\}\),

\(1\dots 1 \overset{S}{\longrightarrow } \mathbb {K}= \{1\dots 1\}\),

For any other \({\varvec{k}} \in \mathbb {F}_2^n\), \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {E}_n\).
Note that, from Proposition 3 this also means that if S is a perfect Sbox, for any \({\varvec{k}} \in \mathbb {F}_2^n\setminus \{0\dots 0, 1\dots 1\}\), the transition \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{k'}}\) is always valid for any \({\varvec{k'}} \in \mathbb {F}_2^n\setminus \{0\dots 0\}\). However, most vectors will be redundant, i.e. vectors \({\varvec{k'}}, {\varvec{k''}} \in \mathbb {F}_2^n\) such that \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{k'}}\), \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{k''}}\) and \({\varvec{k'}} \preceq {\varvec{k''}}\). Since we do not need to consider redundant vectors in the division property propagation table, we still write \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {E}_n\).
One can wonder whether such an Sbox exists, and consequently, we give a clear characterization of perfect Sboxes.
Proposition 4
Let S be an n-bit Sbox with \(y = (y_0,\dots ,y_{n-1})\) the ANF of S, where each \(y_i\) is a polynomial in the input variables \(x = (x_0,\dots ,x_{n-1})\) of S. S is perfect if and only if each \(y_i\) contains all monomials of degree \(n-1\). An example of such an Sbox over 4 bits is the following:
Proof
Let S be an nbit Sbox satisfying the characterization above. Since S is invertible, we know that we already have
We first study the case \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {K}\) where \(w({\varvec{k}}) = n-1\). In that case, we have \(\mathbb {U}_{{\varvec{k}}} = \{{\varvec{k}}, 1\dots 1\}\) and thus \(F_{{\varvec{k}}} = \{x^{{\varvec{k}}}, x_0\dots x_{n-1}\}\). Then if \({\varvec{k'}} \in \mathbb {K}\), from Proposition 3 this means that either \(x^{{\varvec{k}}}\) or \(x_0\dots x_{n-1}\) appears in the expression of \(y^{{\varvec{k'}}}\). Especially, for S to be perfect, this needs to hold for every \({\varvec{k'}} \in \mathbb {E}_n\), thus for every \(i \in \{0,\dots ,n-1\}\), \(x^{{\varvec{k}}}\) or \(x_0\dots x_{n-1}\) must appear in the expression of \(y_i\).
However, since S must be invertible, it is well known that each component of its ANF has degree at most \(n-1\), hence \(x_0\dots x_{n-1}\) cannot appear in any \(y_i\). To summarize, to have \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {K}= \mathbb {E}_n\) for every \({\varvec{k}}\) such that \(w({\varvec{k}}) = n-1\), for every such \({\varvec{k}}\), \(x^{{\varvec{k}}}\) must appear in the expression of each and every \(y_i, i \in \{0,\dots ,n-1\}\), which exactly means that each \(y_i\) contains all monomials of degree \(n-1\).
Now for every remaining case, i.e. \(1 \le w({\varvec{k}}) \le n-2\), \(\mathbb {U}_{{\varvec{k}}}\) always contains at least one \(\bar{{\varvec{k}}}\) such that \(w(\bar{{\varvec{k}}}) = n-1\), and thus \(F_{{\varvec{k}}}\) contains at least one monomial of degree \(n-1\). If we want to have \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {E}_n\), this means that every \(y_i\) must contain at least one monomial from \(F_{{\varvec{k}}}\). However, each \(y_i\) contains all monomials of degree \(n-1\), and \(F_{{\varvec{k}}}\) contains at least one such monomial, and thus \({\varvec{k}} \overset{S}{\longrightarrow } \mathbb {E}_n\) holds, which leads to the fact that S is then a perfect Sbox. \(\square \)
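As an added example (Python written for this page, not code from the paper), the following computes the propagation table of Proposition 3 from the ANF, drops redundant vectors, checks the perfect-Sbox criterion of Proposition 4, and reproduces the Sect. 3.1 effect that merging a linear map into the Sbox (\(S \circ L\)) changes the table, while a bit permutation only relabels it (Proposition 2). The Sboxes and matrices are constructed for illustration; the perfect Sbox is not the paper's example.

```python
"""Division-property propagation tables for small Sboxes (Propositions 3 and 4).

Conventions: bit i of an integer x is the variable x_i; a monomial is an int mask u
standing for prod_{i in u} x_i; k ⪯ k' (the paper's order) means k & k' == k.
"""
from math import factorial

N = 4  # Sbox size in bits


def anf(truth_table):
    """Moebius transform: truth table (list of 0/1 indexed by x) -> set of monomials."""
    coeffs = list(truth_table)
    step = 1
    while step < len(coeffs):
        for i in range(len(coeffs)):
            if i & step:
                coeffs[i] ^= coeffs[i ^ step]
        step <<= 1
    return {u for u, c in enumerate(coeffs) if c}


def coordinate_anfs(sbox, n=N):
    """ANF of each output coordinate y_i of the Sbox."""
    return [anf([(sbox[x] >> i) & 1 for x in range(1 << n)]) for i in range(n)]


def monomial_anf(sbox, kp, n=N):
    """ANF of y^{k'} = prod_{i in k'} y_i, i.e. of the indicator 'all bits in k' are 1'."""
    return anf([1 if (sbox[x] & kp) == kp else 0 for x in range(1 << n)])


def minimal(vectors):
    """Remove redundant vectors: drop k' if another k'' in the set satisfies k'' ⪯ k'."""
    return {v for v in vectors if not any(w != v and (w & v) == w for w in vectors)}


def division_table(sbox, n=N):
    """Proposition 3: k -S-> k' iff the ANF of y^{k'} has a monomial u with k ⪯ u.

    Returns {k: minimal set of reachable k'}, i.e. a propagation table as in Fig. 1."""
    y_pow = [monomial_anf(sbox, kp, n) for kp in range(1 << n)]
    return {k: minimal({kp for kp in range(1 << n) if any((u & k) == k for u in y_pow[kp])})
            for k in range(1 << n)}


def is_perfect(sbox, n=N):
    """Proposition 4: S is perfect iff every y_i contains all monomials of degree n-1."""
    degree_n_minus_1 = {((1 << n) - 1) ^ (1 << i) for i in range(n)}
    return all(degree_n_minus_1 <= y for y in coordinate_anfs(sbox, n))


def apply_linear(matrix, x):
    """Multiply an F2 matrix (list of row masks) by x: output bit i = parity(row_i & x)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(matrix))


def compose_in(sbox, matrix, n=N):
    """Lookup table of S o L, i.e. x -> S(L x) (the S_2 = S_1 o L of Sect. 3.1)."""
    return [sbox[apply_linear(matrix, x)] for x in range(1 << n)]


def count_in_classes(m):
    """Size of L_in (Sect. 3.2.1): invertible m x m F2 matrices up to a bit permutation."""
    gl = 1
    for i in range(m):
        gl *= (1 << m) - (1 << i)
    return gl // factorial(m)


# Constructed 4-bit Sbox: y0 = x0 + x1 x2, y1 = x1, y2 = x2, y3 = x3 (a Toffoli gate).
TOFFOLI = [x ^ ((x >> 1) & (x >> 2) & 1) for x in range(16)]
# Constructed perfect Sbox (not the paper's example): complement every input except the
# fixed points 0000 and 1111. Its ANF is y_i = x_i + e1 + e2 + e3 (e_j = elementary
# symmetric polynomial of degree j), so every y_i holds all four degree-3 monomials.
# It meets the Proposition 4 criterion only; it says nothing about other cryptographic strength.
PERFECT = [0] + [15 ^ x for x in range(1, 15)] + [15]
# Constructed invertible L that is not a bit permutation: (Lx)_0 = x0 + x3, rest unchanged.
L_IN = [0b1001, 0b0010, 0b0100, 0b1000]
# Constructed bit permutation swapping x0 and x3 (its own inverse), for Proposition 2.
P_SWAP = [0b1000, 0b0010, 0b0100, 0b0001]


def show(table, n=N):
    for k in range(1 << n):
        print(format(k, f"0{n}b"), "->", sorted(format(v, f"0{n}b") for v in table[k]))


if __name__ == "__main__":
    print("S alone:")
    show(division_table(TOFFOLI))
    print("S o L (same Sbox, linear map merged at its input):")
    show(division_table(compose_in(TOFFOLI, L_IN)))
    print("perfect:", is_perfect(TOFFOLI), is_perfect(PERFECT), "|L_in| =", count_in_classes(4))
```

For the Toffoli Sbox the input vector 1000 propagates only to 1000 through S, but to both 0001 and 1000 through \(S \circ L_{IN}\), which is the kind of table change Sect. 3.1 exploits.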
This characterization is very similar to the property that an Sbox should verify to have a good resistance against division property given in [4]. However, their representation is a bit different, and we show that choosing a perfect Sbox for an SPN block cipher is actually the optimal choice when considering classical division property. First, we need the two following lemmas.
Lemma 1
Let S be an n-bit Sbox, and \({\varvec{k}},{\varvec{k'}} \in \mathbb {F}_2^n\) such that \({\varvec{k}} \preceq {\varvec{k'}}\). Let \({\varvec{\widetilde{k}}} \in \mathbb {F}_2^n\) such that \({\varvec{k'}} \overset{S}{\longrightarrow } {\varvec{\widetilde{k}}}\). Then we have \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{\widetilde{k}}}\).
Proof
From \({\varvec{k}} \preceq {\varvec{k'}}\), we know that \(\mathbb {U}_{{\varvec{k'}}} \subseteq \mathbb {U}_{{\varvec{k}}}\), and as such, \(F_{{\varvec{k'}}} \subseteq F_{{\varvec{k}}}\). Since \({\varvec{k'}} \overset{S}{\longrightarrow } {\varvec{\widetilde{k}}}\), we know that \(y^{{\varvec{\widetilde{k}}}}\) contains a monomial in \(F_{{\varvec{k'}}}\). However, since \(F_{{\varvec{k'}}} \subseteq F_{{\varvec{k}}}\), we also have that \(y^{{\varvec{\widetilde{k}}}}\) contains a monomial in \(F_{{\varvec{k}}}\), which exactly means \({\varvec{k}} \overset{S}{\longrightarrow } {\varvec{\widetilde{k}}}\). \(\square \)
Lemma 2
Let \(\mathcal {S}^\star \) be an Sbox layer such that \(\mathcal {S}^\star = (S^\star ,\dots ,S^\star )\) where \(S^\star \) is a perfect Sbox. Let \(\mathcal {S}\) be another Sbox layer such that \(\mathcal {S} = (S,\dots ,S)\) where S is any non-perfect Sbox. Let \({\varvec{k}}, {\varvec{\widetilde{k'}}}\) such that \({\varvec{k}} \overset{\mathcal {S}}{\longrightarrow } {\varvec{\widetilde{k'}}}\). Then we can always find \({\varvec{\widetilde{k}}} \in \mathbb {F}_2^n\) such that \({\varvec{k}} \overset{\mathcal {S^\star }}{\longrightarrow } {\varvec{\widetilde{k}}}\) and \({\varvec{\widetilde{k}}} \preceq {\varvec{\widetilde{k'}}}\).
Proof
Denote by \({\varvec{k}}_i\) the ith block of \({\varvec{k}}\) which goes through the ith Sbox, i.e. \({\varvec{k}}_i \overset{S}{\longrightarrow } {\varvec{\widetilde{k'}}}_i\). Note that \({\varvec{k}} \preceq {\varvec{k'}}\) is equivalent to \({\varvec{k}}_i \preceq {\varvec{k'}}_i\) for all i. We can build each block \({\varvec{\widetilde{k}}}_i\) of \({\varvec{\widetilde{k}}}\) such that \({\varvec{k}} \overset{\mathcal {S^\star }}{\longrightarrow } {\varvec{\widetilde{k}}}\) and \({\varvec{\widetilde{k}}} \preceq {\varvec{\widetilde{k'}}}\) as follows:

If \({\varvec{\widetilde{k'}}}_i = 0\dots 0\), then \({\varvec{\widetilde{k}}}_i = 0\dots 0\),

If \({\varvec{\widetilde{k'}}}_i = 1\dots 1\), then \({\varvec{\widetilde{k}}}_i = 1\dots 1\),

Otherwise, since \(S^\star \) is perfect, we can choose \({\varvec{\widetilde{k}}}_i = {\varvec{e}}\), where \({\varvec{e}}\) is a unit vector such that \({\varvec{e}} \preceq {\varvec{\widetilde{k'}}}_i\).
By building \({\varvec{\widetilde{k}}}_i\) as described, it is clear that for all i we have \({\varvec{k}}_i \overset{\mathcal {S^\star }}{\longrightarrow } {\varvec{\widetilde{k}}}_i\) and \({\varvec{\widetilde{k}}}_i \preceq {\varvec{\widetilde{k'}}}_i\). As such, \({\varvec{k}} \overset{\mathcal {S^\star }}{\longrightarrow } {\varvec{\widetilde{k}}}\) and \({\varvec{\widetilde{k}}} \preceq {\varvec{\widetilde{k'}}}\). \(\square \)
We are now ready to prove the following theorem, which shows that using a perfect Sbox is the optimal choice for classical division property (i.e. without using our extension technique).
Theorem 1
For a given n-bit block cipher where only the Sbox remains to be determined (i.e. the linear layer \(\mathcal {L}\) is fixed), using an Sbox layer \(\mathcal {S}^\star \) built with a perfect Sbox \(S^\star \) is optimal in terms of resistance against classical division property. We define optimal in the sense that if we denote by \(r^\star \) (resp. r) the smallest number of rounds such that \(\mathbb {K}_{r^\star } = \mathbb {E}_n\) (resp. \(\mathbb {K}_r = \mathbb {E}_n\)) when using a perfect Sbox \(S^\star \) (resp. any other Sbox S), then we always have \(r^\star \le r\). This basically means that using a perfect Sbox always gives the best resistance against classical division property.
Proof
Let the following be a division trail when using a non-perfect Sbox:
where \({\varvec{k}}^r \in \mathbb {E}_n\). We can build the following division trail when using a perfect Sbox:
For this division trail to be valid, we use the two previous lemmas:

Using Lemma 2, since \({\varvec{k}}^i \overset{\mathcal {S}}{\longrightarrow } {\varvec{\widehat{k}}}^{i}\) we can build \({\varvec{\widetilde{k}}}^{i}\) such that \({\varvec{k}}^i \overset{\mathcal {S^\star }}{\longrightarrow } {\varvec{\widetilde{k}}}^{i}\) and \({\varvec{\widetilde{k}}}^{i} \preceq {\varvec{\widehat{k}}}^{i}\).

Since \({\varvec{\widetilde{k}}}^{i} \preceq {\varvec{\widehat{k}}}^{i}\) and \({\varvec{\widehat{k}}}^{i} \overset{\mathcal {L}}{\longrightarrow } {\varvec{k}}^{i+1}\), using Lemma 1 we know that \({\varvec{\widetilde{k}}}^{i} \overset{\mathcal {L}}{\longrightarrow } {\varvec{k}}^{i+1}\) is a valid transition.
Hence, for any unit vector \({\varvec{e}}\), there is a valid division trail over r rounds which ends with \({\varvec{e}}\) when using a perfect Sbox, i.e. we have \(\mathbb {K}_{r} = \mathbb {E}_n\). By definition, \(r^\star \) is the smallest number of rounds which verifies this condition, thus \(r^\star \le r\). Moreover, by definition, the best distinguisher we can build when using a perfect Sbox (resp. any other Sbox) is over \(r^\star - 1\) rounds (resp. \(r - 1\) rounds). This is why using a perfect Sbox gives the best resistance against division property. \(\square \)
Thus when considering classical division property, choosing the best Sbox with regard to security is pretty clear. Note however that such an Sbox has a very peculiar behavior with our technique. Indeed, since every monomial of degree \(n-1\) appears in every coordinate of the ANF, this property can no longer hold when we consider either \(L\circ S\) or \(S \circ L\) where L is a linear mapping (different from a permutation). As such, if a perfect Sbox is used, when considering our technique, the first and last rounds will be somewhat weaker, as the Sbox will not be perfect for these rounds. However, every other round will still use this perfect Sbox, thus in a way, the behavior “in the middle” of the cipher would still be good.
We decided to search for a better Sbox to use for RECTANGLE, in the hope that it would lead to a better resistance against our technique. Since the rationale behind Sbox design highly depends on the potential applications of the resulting block cipher, we restrict the search space to Sboxes linearly equivalent to the original RECTANGLE Sbox. Indeed, linearly equivalent Sboxes have similar structures regarding differential and linear properties. Given two m-bit Sboxes S and \(S'\) such that \(S' = B \circ S \circ A\), if there is a differential \((\varDelta _i, \varDelta _o) \in \mathbb {F}_2^{2m}\) such that \(S(x) \oplus S(x \oplus \varDelta _i) = \varDelta _o\) holds with probability p, then since A and B are linear and invertible, there is a differential \((\varDelta '_i, \varDelta '_o) = (A^{-1}.\varDelta _i, B.\varDelta _o)\) of the same probability for \(S'\). Hence the DDT is essentially the same, and we expect that it should not drastically change the resistance against differential attacks compared to using the original Sbox; the same kind of observation can be made for linear attacks.
For 4-bit Sboxes, as there are about \(2^{14.3}\) invertible matrices of size 4, the main issue we are facing is the high complexity of trying all the \(2^{28.6}\) candidates for (A, B). Indeed, many hours are required to search for a division property distinguisher, making the whole search infeasible. Hence, we propose to use several heuristics to select which pairs (A, B) to try.
Selecting good Sboxes Our first idea was to compute the division property propagation tables of all candidates (A, B). This required performing \(2^{28.6} \times 2^{2\times 4} = 2^{36.6}\) non-trivial operations and took approximately 80h on a Xeon E5-2695 (72 cores). Among all those linearly equivalent Sboxes, none was perfect. However we found 56 almost perfect Sboxes, i.e. with 13 (instead of 14) transitions \(k \rightarrow \{1000,0100,0010,0001\}\). Note that many pairs lead to the same table, but the division property only depends on the table. Hence it is enough to try only one representative per table. Since some implementations of block ciphers do not use a table to store the Sbox, we believe it makes sense to select the representative which adds the fewest extra XORs. Hence, for each of the 56 tables we selected the pair (A, B) with the lowest XOR count and ran our new automated search tool. As a result, we found that by using
which results in only 5 XORs, and replacing all Sboxes of RECTANGLE by \(S' = B \circ S \circ A\) where S is the original Sbox of RECTANGLE, then even when using our technique, there is no distinguisher over 9 rounds of this variant of RECTANGLE. We were however able to find a distinguisher over 8 rounds of this variant, using our technique where \(L_{in}\) is built with \(L_{in}^0\) as defined below, the other \(L_{in}^i\) for \(i \ne 0\) are the identity, and every block \(L_{out}^i\) of \(L_{out}\) is the same
This results in a distinguisher of data complexity \(2^{63}\) resulting in 14 balanced bits. Note that the classic search algorithm for division property distinguishers leads to no distinguisher even over 8 rounds, which shows again that our extension technique can find new distinguishers. Moreover, even when using a perfect Sbox (such as the one given in Proposition 4), the best distinguisher using the classic search algorithm is also over 7 rounds, which shows that our choice of Sbox, even though it is not a perfect one, is optimal with respect to the classic division property.
We believe that this could lead to a new criterion when designing Sboxes, as in the case of RECTANGLE it improves the resistance against division property based distinguishers by 2 rounds. We would thus first build the Sbox according to classical criteria (differential and linear resistance, etc.), then look at the linearly equivalent Sboxes and take the one with the best division property propagation table. According to our experiments, while we do not have the same optimality proof as for classical division property, using an Sbox with a division property propagation table as close as possible to the one of a perfect Sbox seems to be the best choice.
About golden Sboxes In 2007, Leander and Poschmann [9] analyzed all 4-bit Sboxes up to linear equivalence and exhibited a set of 16 equivalence classes leading to optimal Sboxes (called golden Sboxes) with respect to both differential and linear cryptanalysis. We went through all members of each of these equivalence classes to see if any of them is a perfect Sbox. Indeed, recall that division property is not invariant under linear equivalence. As a result, it turns out that there is no perfect Sbox among all of these, thus we cannot have an Sbox which is optimal for linear, differential and division property based cryptanalysis at the same time. However, four of these classes have some almost perfect Sboxes among them, i.e. with 55 transitions \({\varvec{k}} \rightarrow {\varvec{k'}}\) with \(w({\varvec{k'}}) = 1\) (instead of the maximum of \(4\times 14=56\)), namely classes \(G_0, G_1, G_2\) and \(G_8\). We give one example for each of these classes in “Appendix”, as well as an example with the maximum number of such transitions for each other class. We also give the number of Sboxes reaching that maximum number of transitions across each class. We want to emphasize that this clearly shows that using an Sbox satisfying our criterion will not lead to the best resistance against all kinds of attacks, and more research is needed in that area. However, as mentioned at the end of the previous paragraph, it turns out that using Sboxes which are very close to our criterion can still reach the same security against division property as an Sbox satisfying our criterion.
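As an added illustration (not code from the paper), the following Python script computes for a 4-bit Sbox the quantity behind the perfect/almost perfect criterion discussed above, namely the number of valid division trails \(k \rightarrow e_j\) towards unit vectors (maximum \(4 \times 14 = 56\)), using the Sbox propagation rule of [18] (a trail \(k \rightarrow k'\) is valid iff the ANF of \(y^{k'}\) contains a monomial \(x^u\) with \(u \succeq k\)). It then builds linearly equivalent Sboxes \(S' = B \circ S \circ A\) and checks the two facts used in this section: the DDT is carried over by \((A^{-1}\varDelta_i, B\varDelta_o)\), while the transition count is not invariant under linear equivalence (only under permutation equivalence, as used in the Appendix). The RECTANGLE lookup table is copied from the cipher's specification; the matrices `IDENTITY` and `SHEAR` are constructed examples.

```python
from itertools import permutations

N = 4                                  # Sbox width in bits
FULL = (1 << N) - 1                    # the vector 1...1
# RECTANGLE Sbox lookup table (copied from the cipher's specification).
RECTANGLE_SBOX = [0x6, 0x5, 0xC, 0xA, 0x1, 0xE, 0x7, 0x9,
                  0xB, 0x0, 0x3, 0xD, 0x8, 0xF, 0x4, 0x2]
IDENTITY_SBOX = list(range(1 << N))
# A GF(2) matrix is stored by its column images cols[i] = M . e_i (constructed).
IDENTITY = [1 << i for i in range(N)]
SHEAR = [0b0001, 0b0011, 0b0100, 0b1000]  # bit0 <- x0 + x1, other bits unchanged

def anf(truth_table):
    """Moebius transform of a Boolean function on N bits (truth table indexed
    by x) -> set of its monomials, each encoded as the bitmask u of x^u."""
    a = list(truth_table)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return {u for u, coeff in enumerate(a) if coeff}

def unit_transitions(sbox):
    """Count the valid division trails k -> e_j, 1 <= w(k) <= N-1, e_j a unit
    vector.  k -> e_j is valid iff the ANF of coordinate y_j has a monomial x^u
    with u >= k bitwise (Sbox propagation rule of [18]).  A perfect Sbox reaches
    (2^N - 2) * N = 56 for N = 4; the almost perfect Sboxes of the text reach 55."""
    coords = [anf([(sbox[x] >> j) & 1 for x in range(1 << N)]) for j in range(N)]
    return sum(1 for k in range(1, FULL) for monos in coords
               if any(u & k == k for u in monos))

def apply_linear(cols, x):
    """M . x over GF(2): XOR of the columns selected by the bits of x."""
    y = 0
    for i in range(N):
        if (x >> i) & 1:
            y ^= cols[i]
    return y

def linear_equivalent(sbox, A, B):
    """Lookup table of S' = B o S o A."""
    return [apply_linear(B, sbox[apply_linear(A, x)]) for x in range(1 << N)]

def ddt(sbox):
    """Difference distribution table t[d_in][d_out]."""
    t = [[0] * (1 << N) for _ in range(1 << N)]
    for x in range(1 << N):
        for d_in in range(1 << N):
            t[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return t

def ddt_carries_over(sbox, A, B):
    """(d_in, d_out) for S has the same count as (A^-1 . d_in, B . d_out) for
    S' = B o S o A, so linear equivalence leaves the DDT essentially unchanged."""
    a_inv = {apply_linear(A, x): x for x in range(1 << N)}   # A is invertible
    t, t2 = ddt(sbox), ddt(linear_equivalent(sbox, A, B))
    return all(t[di][do] == t2[a_inv[di]][apply_linear(B, do)]
               for di in range(1 << N) for do in range(1 << N))

def permutation_invariant(sbox):
    """Unlike general linear equivalence, permuting input or output bits never
    changes the unit-transition count (the invariance used in the Appendix)."""
    base = unit_transitions(sbox)
    return all(unit_transitions(linear_equivalent(sbox, [1 << p[i] for i in range(N)],
                                                  [1 << q[i] for i in range(N)])) == base
               for p in permutations(range(N)) for q in permutations(range(N)))
```

Composing the identity Sbox with `SHEAR` raises its count from 4 to 5, which is the non-invariance under linear equivalence that the search in this section exploits.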
4.3 Division property against PRESENT
PRESENT [3] is a 64-bit lightweight block cipher, using either 80-bit or 128-bit keys, with a round function very similar to RECTANGLE and using 4-bit Sboxes. The best known division property based integral distinguisher is from [18] over 9 rounds, requiring \(2^{60}\) data and resulting in 1 balanced bit. We applied our previous algorithm to this block cipher, and were actually able to show that our technique cannot lead to a distinguisher over 10 rounds of PRESENT. Indeed, as mentioned at the end of the previous section, if we go through all vectors \({\varvec{\tilde{k}}}_i^0\) of weight 2, then all of the resulting sets \(\mathcal {T}_{out}^S[\mathbb {K}_{{\varvec{\tilde{k}}}^0_i}^j]\) are empty, meaning that if there is at least one vector of weight 2 or lower in \(\widetilde{\mathbb {K}}^0\), then this cannot result in any balanced bits after 10 rounds. Moreover, if we go through all linear mappings \(L \in \mathbb {L}_{in}\) and compute all possible propagations \({\varvec{k}} \overset{S'}{\longrightarrow } \mathbb {K}\) where \(w({\varvec{k}}) = 3\) and \(S' = S \circ L\) with S the Sbox of PRESENT, then \(\mathbb {K}\) will always contain at least one vector of weight 2, or at least one vector of weight 1. Hence, no matter which linear map we take from \(\mathbb {L}_{in}\), after the first Sbox layer there will always be a vector of weight either 1 or 2, which leads to a set \(\mathbb {K}^{10}\) containing all unit vectors, and thus no distinguisher over 10 rounds can be built using our technique.
4.4 Strengthening PRESENT
As for RECTANGLE, we searched for another Sbox, linearly equivalent to the Sbox of PRESENT, that would improve the resistance against division property based distinguishers. By using \(S' = B \circ S \circ A\) with
instead of S for all Sboxes of PRESENT, we do not have any division property based distinguisher over 8 rounds of this variant of PRESENT even when using our extension technique. However, we found a distinguisher over 7 rounds with data complexity \(2^{63}\) and with all 64 bits being balanced using our technique, with \(L_{out}\) being the identity and \(L_{in}\) being built with
and \(L_{in}^i\) as the identity for \(i \ne 0\). The classical search algorithm was only able to find a distinguisher on up to 6 rounds, and again, this choice is optimal for classic division property, as a perfect Sbox also gives a classic division property based distinguisher over 6 rounds. This again highlights that our extension technique allows us to find better distinguishers than the classical search. Note that, for non table-based implementations, the new Sbox we propose only requires two extra XORs compared to the original Sbox of PRESENT.
5 Conclusion
We studied further the division property and the distinguishers that are built from it. We show that while the previous search methods were able to efficiently find some integral distinguishers based on the division property, the search space explored by these methods does not actually cover all possibilities. As such, we show that for r rounds of a block cipher E, considering \( E' = L_{out} \circ E \circ L_{in}\) instead of E, where \(L_{out}\) and \(L_{in}\) are block diagonal linear maps, can lead to some integral distinguisher over \(E'\), while E does not have any. We provide an algorithm to find such distinguishers, and successfully apply it to the block cipher RECTANGLE, on which we found an integral distinguisher over 10 rounds, requiring \(2^{63}\) data and leading to 1 balanced bit. This is one more round than the previously known distinguishers. The design of our algorithm also allows us to prove that our technique cannot extend the best distinguisher on PRESENT by one more round. Finally, we give a criterion on Sboxes which allows us to prove that if an Sbox verifies this criterion, it will provide the best resistance against division property. To our knowledge, this is the first time that such an optimality result is given and formally proven for division property. Following these observations, we were able to exhibit variants of RECTANGLE and PRESENT which have a better resistance against integral distinguishers based on the division property. Namely, the maximum number of rounds on which we could find an integral distinguisher over our variants of RECTANGLE and PRESENT is 2 rounds lower than when using the original Sbox. This might give a new design criterion for Sboxes, and further research about this criterion and its interaction with other criteria for the design of Sboxes will be needed.
We believe that overall, this technique could open up a lot of questions and possibilities. Indeed, we basically decomposed a block cipher E as
and merged \(L_{in}\) and \(L_{out}\) with the first Sbox layer. But could we use the same technique at a lower level, i.e. decomposing the round function as \(f = \mathcal {L} \circ L^{-1} \circ L \circ \mathcal {S}\), merging L with \(\mathcal {S}\) for example? In a more general view, the question is: what is the best representation of a block cipher to propagate the division property? Also, our algorithm focuses on finding any distinguisher over an SPN block cipher. Thus, how could we find an optimal distinguisher (in terms of data) using this technique, as applying our algorithm when more than one Sbox has an input division property which differs from \(1\dots 1\) seems quite hard in terms of complexity? The same issue comes up when considering 8-bit Sboxes, as we need more calls to the solver, and the resulting MILP models are far more complicated and thus take longer to solve. Finally, could this also apply to other constructions such as Feistel block ciphers or permutation based block ciphers? Indeed, our algorithm is efficient because we essentially only need to study the propagation from after the first Sbox layer to before the last Sbox layer.
References
[1] Abdelkhalek A., Sasaki Y., Todo Y., Tolba M., Youssef A.M.: MILP modeling for (large) Sboxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol. 2017(4), 99–129 (2017).
[2] Beierle C., Jean J., Kölbl S., Leander G., Moradi A., Peyrin T., Sasaki Y., Sasdrich P., Sim S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, August 14–18, 2016, Proceedings, Part II, pp. 123–153 (2016).
[3] Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Cryptographic Hardware and Embedded Systems—CHES 2007, 9th International Workshop, Vienna, Austria, September 10–13, 2007, Proceedings, pp. 450–466 (2007).
[4] Boura C., Canteaut A.: Another view of the division property. In: Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, August 14–18, 2016, Proceedings, Part I, pp. 654–682 (2016).
[5] Daemen J., Rijmen V.: AES proposal: Rijndael (1999).
[6] Derbez P., Fouque P.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, pp. 541–560 (2013).
[7] Eskandari Z., Kidmose A.B., Kölbl S., Tiessen T.: Finding integral distinguishers with ease. In: IACR Cryptology ePrint Archive (accepted at SAC 2018), vol. 2018, p. 688 (2018).
[8] Gurobi Optimization L.: Gurobi optimizer reference manual. http://www.gurobi.com (2018).
[9] Leander G., Poschmann A.: On the classification of 4 bit S-boxes. In: Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 21–22, 2007, Proceedings, pp. 159–176 (2007). https://doi.org/10.1007/978-3-540-73074-3_13.
[10] Sun L., Wang W., Liu R., Wang M.: MILP-aided bit-based division property for ARX-based block cipher. IACR Cryptol. ePrint Arch. 2016, 1101 (2016).
[11] Sun L., Wang W., Wang M.: MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. IACR Cryptol. ePrint Arch. 2016, 811 (2016).
[12] Sun L., Wang W., Wang M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3–7, 2017, Proceedings, Part I, pp. 128–157 (2017).
[13] The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.0). http://www.sagemath.org (2017).
[14] Todo Y.: Integral cryptanalysis on full MISTY1. In: Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part I, pp. 413–432 (2015). https://doi.org/10.1007/978-3-662-47989-6_20.
[15] Todo Y.: Structural evaluation by generalized integral property. In: Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I, pp. 287–314 (2015).
[16] Todo Y., Morii M.: Bit-based division property and application to Simon family. In: Fast Software Encryption—23rd International Conference, FSE 2016, Bochum, Germany, March 20–23, 2016, Revised Selected Papers, pp. 357–377 (2016).
[17] Wang Q., Hao Y., Todo Y., Li C., Isobe T., Meier W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Advances in Cryptology—CRYPTO 2018—38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part I, pp. 275–305 (2018). https://doi.org/10.1007/978-3-319-96884-1_10.
[18] Xiang Z., Zhang W., Bao Z., Lin D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I, pp. 648–678 (2016).
[19] Zhang W., Bao Z., Lin D., Rijmen V., Yang B., Verbauwhede I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015).
[20] Zhang W., Rijmen V.: Division cryptanalysis of block ciphers with a binary diffusion layer. IACR Cryptol. ePrint Arch. 2017, 188 (2017).
Acknowledgements
Open Access funding provided by Projekt DEAL.
Communicated by P. Charpin.
Baptiste Lambin was supported by the Direction Générale de l’Armement (Pôle de Recherche CYBER). Patrick Derbez was supported by the French Agence Nationale de la Recherche through the CryptAudit Project under Contract ANR-17-CE39-0003. Pierre-Alain Fouque was supported by the French Agence Nationale de la Recherche through the BRUTUS Project under Contract ANR-14-CE28-0015.
Appendix: Almost perfect Sboxes among golden Sboxes
The following table gives, for each golden Sbox class, an example of an Sbox with the maximum number of transitions \({\varvec{k}} \rightarrow {\varvec{k'}}\) with \(w({\varvec{k'}}) = 1\) among its class, together with the number of Sboxes reaching that maximum number of transitions. Note that according to Proposition 2, this number of transitions is invariant under permutation equivalence, i.e. for a given Sbox S with \(n_1\) such transitions, then for any permutations \(P,P'\), \(S' = P \circ S \circ P'\) also has \(n_1\) such transitions. We can thus reduce the number of members of each class to examine by picking one member S and examining all Sboxes built as \(L_2 \circ S \circ L_1\) with \(L_1 \in \mathbb {L}_{in}\) and \(L_2 \in \mathbb {L}_{out}\), where \(\mathbb {L}_{in}\) and \(\mathbb {L}_{out}\) are the spaces defined in Sect. 3.2.1. The number of Sboxes given here is thus computed under that equivalence relation, but it shows that there is actually a decent number of Sboxes to choose from if one wants to consider criteria other than differential, linear and division property cryptanalysis when choosing an Sbox. It is worth noting however that two Sboxes that are permutation equivalent do not necessarily lead to the same result for a given block cipher.
Cite this article
Lambin, B., Derbez, P. & Fouque, P.-A. Linearly equivalent Sboxes and the division property. Des. Codes Cryptogr. 88, 2207–2231 (2020). https://doi.org/10.1007/s10623-020-00773-4
Keywords
 Cryptanalysis
 Division Property
 RECTANGLE
Mathematics Subject Classification
 94A60