
Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers

Zejun Xiang^{1,2}, Wentao Zhang^{1,2} (B), Zhenzhen Bao^{1,2}, and Dongdai Lin^{1,2}

1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
{xiangzejun,zhangwentao,baozhenzhen,ddlin}@iie.ac.cn
2 University of Chinese Academy of Sciences, Beijing, China

Abstract. Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and very recently, Todo et al. proposed bit-based division property and applied it to SIMON32 at FSE 2016. However, this technique can only be applied to block ciphers with block size no larger than 32 due to its high time and memory complexity. In this paper, we extend the Mixed Integer Linear Programming (MILP) method, which is used to search differential characteristics and linear trails of block ciphers, to search integral distinguishers of block ciphers based on division property with block size larger than 32.
Firstly, we study how to model division property propagations of three basic operations (copy, bitwise AND, XOR) and an Sbox operation by linear inequalities, based on which we are able to construct a linear inequality system which accurately describes the division property propagations of a block cipher given an initial division property. Secondly, by choosing an appropriate objective function, we convert a search algorithm under Todo's framework into an MILP problem, and we use this MILP problem appropriately to search integral distinguishers. As an application of our technique, we have searched integral distinguishers for SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE. Our results show that we can find 14-, 16-, 18-, 22- and 26-round integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. Moreover, for the two SP-network lightweight block ciphers PRESENT and RECTANGLE, we found 9-round integral distinguishers for both ciphers, which are two more rounds than the best integral distinguishers in the literature [22, 29]. For LBlock and TWINE, our results are consistent with the best known ones with respect to the longest distinguishers.

Keywords: MILP · Division property · Integral cryptanalysis · SIMON · SIMECK · PRESENT · RECTANGLE · LBlock · TWINE

© International Association for Cryptologic Research 2016
J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part I, LNCS 10031, pp. 648–678, 2016.
DOI: 10.1007/978-3-662-53887-6_24

1 Introduction

A programming problem is a mathematical optimization which aims to achieve the minimal or maximal value of an objective function under certain constraints, and it has a wide range of applications from industry to the academic community. Mixed Integer Linear Programming (MILP) is a kind of programming problem whose objective function and constraints are linear, and all or some of the variables involved in the problem are restricted to be integers. In recent years, MILP has found applications in the cryptographic community. Mouha et al. [11] and Wu et al. [21] applied the MILP method to automatically count differential and linear active Sboxes for word-based block ciphers, which can be used to evaluate the resistance of block ciphers against differential and linear attacks. Later Sun et al. [13] extended this technique to count active Sboxes of SP-network block ciphers whose linear layer is a bit permutation.
Recently, this technique was improved [15] to search differential characteristics and linear trails with a minimal number of active Sboxes. They constructed the MILP model from a small number of linear inequalities chosen from the H-Representation of the convex hull of a set of points derived from the difference distribution (resp. linear approximation) table of the Sbox. However, this method may result in invalid differential characteristics (resp. linear trails). Moreover, a differential characteristic (resp. linear trail) with a minimal number of active Sboxes does not always result in a differential characteristic (resp. linear trail) with the highest probability. To solve these problems, Sun et al. [14] encoded the probability of differentials (resp. linear approximations) of the Sbox into the MILP model, and they proved that it is always feasible to choose a set $L$ of linear inequalities from the H-Representation of the convex hull of a set of points $A$ such that the feasible solutions of $L$ are exactly the points in $A$. Thus, by adding $L$ into the model and setting the probability as the objective function, the MILP optimizer will always return (if the MILP problem can be solved in limited time) a valid differential characteristic (resp. linear trail) with the highest probability.
Division property is a generalized integral property introduced by Todo [18] at EUROCRYPT 2015 to search integral distinguishers of block cipher structures, which is the core part of integral cryptanalysis [4,7,8,10]. Todo studied propagation rules of division property through different block cipher operations and presented generalized algorithms to search integral distinguishers which only exploit the algebraic degree of the nonlinear components of the block cipher. By using division property, Todo presented 10-, 12-, 12-, 14- and 14-round¹ integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. For the PRESENT cipher a 6-round integral distinguisher was found. Later at CRYPTO 2015 Todo [17] proposed a full-round integral attack on MISTY1 based on a 6-round integral distinguisher. Sun et al. [12] revisited division property, and they studied the property of a set (multiset) satisfying a certain division property. At CRYPTO 2016, Boura and Canteaut [6] proposed a new notion which they called parity set to study division property, based on which they found better integral distinguishers for the PRESENT cipher.

¹ Since the round key is Xored into the state after the round function, we can easily extend one more round before the distinguisher by using the technique proposed in [20].

Very recently, Todo et al. [19] introduced bit-based division property at FSE 2016, which treats each bit independently in order to find better integral distinguishers. They applied this technique to SIMON32, and as a result a 14-round integral distinguisher for SIMON32 was found. However, as pointed out in [19], searching integral distinguishers by bit-based division property requires much more time and memory. For a block cipher with block size $n$, the time and memory complexity is upper bounded by $2^n$. Thus, bit-based division property can only be applied to block ciphers with block size at most 32. For block ciphers with a much larger block size, searching integral distinguishers by bit-based division property under Todo et al.'s framework would be computationally infeasible. Thus, Xiang et al. [24] proposed a state partition to get a tradeoff between the time-memory complexity and the accuracy of the integral distinguisher, and they improved the distinguishers of SIMON48 and SIMON64 by one round for both variants.

1.1 Our Contributions

In this paper, we present a novel technique to search integral distinguishers based on bit-based division property by using the MILP method. First we propose a new notion that we call division trail to illustrate division property propagation. We show that each division property propagation can be represented by division trails; furthermore, we have proved that it is sufficient to check the last vectors of all division trails in order to estimate whether a useful distinguisher exists. Based on this observation we construct a linear inequality system for a given block cipher such that all feasible solutions of this linear inequality system are exactly all the division trails. Thus, the constructed linear inequality system is sufficient to describe the division property propagations. Then, we study the stopping rule in division property propagation. The stopping rule determines whether the resulting division property can be propagated further to find a longer integral distinguisher. It is observed that for a division property propagation, if the resulting vectors for the first time contain all the vectors of Hamming weight one after propagating $r + 1$ rounds, the propagation procedure should terminate and an $r$-round distinguisher can be derived. Hence, we set the sum of the coordinates of the last vector of an $r$-round division trail as the objective function. By combining this objective function and the linear inequality system derived from the division trails, we construct an MILP problem and present an algorithm to estimate whether an $r$-round distinguisher exists given some initial division property. To illustrate our new technique, we run experiments (all the MILP problems in our experiments are solved by the openly available software Gurobi [1]) on SIMON, SIMECK, PRESENT, RECTANGLE, TWINE and LBlock:
1. For the SIMON [3] family of block ciphers, we first model division property propagations through Copy, And and Xor operations by linear inequalities, since those operations are the basic operations in the SIMON family. By using these inequalities we construct an MILP problem and use it in our search algorithm. As a result we found 14-, 16-, 18-, 22- and 26-round integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. For SIMON48, 64, 96 and 128, our results are 2, 1, 1 and 1 more rounds than the previous results in [27]. SIMECK [25] is a family of lightweight block ciphers whose round function is very similar to SIMON except for the rotation constants. We applied our search technique to SIMECK and we found 15-, 18- and 21-round distinguishers for SIMECK32, 48 and 64 respectively.
2. PRESENT [5] and RECTANGLE [28] are two SP-network lightweight block ciphers whose linear layers are bit permutations. Unlike SIMON, these two ciphers are Sbox-based block ciphers. In [17,18], the Sbox is treated as a whole, that is, for an $n$-bit Sbox the input value to the Sbox is viewed as a value in $\mathbb{F}_2^n$. In this paper we study bit-based division property propagation of the Sbox, and we present an algorithm to compute division trails of the Sbox. We observed that considering bit-based division property could preserve more integral property along the division property propagation through the Sbox. By converting division trails of the Sbox layer into a set of linear inequalities we construct MILP models for PRESENT and RECTANGLE; as a result, we found 9-round distinguishers for both ciphers, which are two more rounds than the best integral distinguishers in the literature.
3. TWINE [16] and LBlock [23] are two generalized Feistel structure block ciphers. By modeling Sbox, Copy and Xor with linear inequalities, we apply our technique to these two ciphers and we found 16-round distinguishers, which are in accordance with the results in [26].
Our results are listed in Table 1. All the ciphers explored above except SIMON32 have a block size larger than 32, and searching integral distinguishers by bit-based division property under Todo's framework is computationally infeasible for those ciphers. Note that all our experiments are conducted on a desktop and the running time varies from seconds to minutes, which is very efficient; the details are listed in Table 1. Moreover, by converting the search algorithm into MILP problems, we can find better integral distinguishers for SIMON48/64/96/128, SIMECK48/64, PRESENT and RECTANGLE.
The rest of the paper is organized as follows: In Sect. 2 we introduce some basic background which will be used later. Section 3 studies how to model some basic operations and components used in block ciphers, and how to construct a linear inequality system to accurately describe the division property propagations. Section 4 studies the stopping rule, and a search algorithm is presented in this section. Section 5 shows some applications of the technique, and we conclude in Sect. 6.

2 Preliminaries

2.1 Notations

Let $\mathbb{F}_2$ denote the finite field with only two elements and $\mathbb{F}_2^n$ denote the set of $n$-bit strings over $\mathbb{F}_2$. Let $\mathbb{Z}$ and $\mathbb{Z}^n$ denote the integer ring and the set of all vectors whose coordinates are integers, respectively. For any $a \in \mathbb{F}_2^n$, let $a[i]$ denote the $i$-th bit of $a$, and the Hamming weight of $a$ is calculated as $w(a) = \sum_{i=0}^{n-1} a[i]$. For any $a = (a_0, \cdots, a_{m-1}) \in \mathbb{F}_2^{n_0} \times \cdots \times \mathbb{F}_2^{n_{m-1}}$, the vectorial Hamming weight of $a$ is defined as $W(a) = (w(a_0), \cdots, w(a_{m-1}))$ where $w(a_i)$ is the Hamming weight of $a_i$. Let $k = (k_0, k_1, \cdots, k_{m-1})$ and $k^* = (k_0^*, k_1^*, \cdots, k_{m-1}^*)$ be two vectors in $\mathbb{Z}^m$. Define $k \succeq k^*$ if $k_i \ge k_i^*$ holds for all $i = 0, 1, \cdots, m-1$. Otherwise we write $k \not\succeq k^*$.

Table 1. Results on some block ciphers.

| Cipher    | Block size | Round (Previous) | Round (Sect. 5) | Data | Balanced bits | Time   |
|-----------|------------|------------------|-----------------|------|---------------|--------|
| SIMON32   | 32         | 15 [19]          | 14              | 31   | 16            | 4.1 s  |
| SIMON48   | 48         | 14 [27]          | 16              | 47   | 24            | 48.2 s |
| SIMON64   | 64         | 17 [27]          | 18              | 63   | 22            | 6.7 m  |
| SIMON96   | 96         | 21 [27]          | 22              | 95   | 5             | 17.4 m |
| SIMON128  | 128        | 25 [27]          | 26              | 127  | 3             | 58.4 m |
| SIMECK32  | 32         | 15 [19]          | 15              | 31   | 7             | 6.5 s  |
| SIMECK48  | 48         | 12 [18]          | 18              | 47   | 5             | 56.6 s |
| SIMECK64  | 64         | 12 [18]          | 21              | 63   | 5             | 3.0 m  |
| PRESENT   | 64         | 7 [22]           | 9               | 60   | 1             | 3.4 m  |
| RECTANGLE | 64         | 7 [28]           | 9               | 60   | 16            | 4.1 m  |
| LBlock    | 64         | 16 [26]          | 16              | 63   | 32            | 4.9 m  |
| TWINE     | 64         | 16 [26]          | 16              | 63   | 32            | 2.6 m  |

For SIMON and SIMECK family block ciphers, since the round key is Xored into the state after the round function, we can add one more round before the distinguishers using the technique in [20]. The results presented in the third and fourth columns have been added by one round.

Bit Product Function $\pi_u(x)$ and $\pi_{\mathbf{u}}(\mathbf{x})$: For any $u \in \mathbb{F}_2^n$, let $\pi_u(x)$ be a function from $\mathbb{F}_2^n$ to $\mathbb{F}_2$. For any $x \in \mathbb{F}_2^n$, define $\pi_u(x)$ as follows:
$$\pi_u(x) = \prod_{i=0}^{n-1} x[i]^{u[i]}$$
Let $\pi_{\mathbf{u}}(\mathbf{x})$ be a function from $(\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}})$ to $\mathbb{F}_2$ for all $\mathbf{u} \in (\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}})$. For any $\mathbf{u} = (u_0, u_1, \cdots, u_{m-1})$, $\mathbf{x} = (x_0, x_1, \cdots, x_{m-1}) \in (\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1} \times \cdots \times \mathbb{F}_2^{n_{m-1}})$, define $\pi_{\mathbf{u}}(\mathbf{x})$ as follows:
$$\pi_{\mathbf{u}}(\mathbf{x}) = \prod_{i=0}^{m-1} \pi_{u_i}(x_i)$$

2.2 Division Property

Division property [18] is a generalized integral property which can exploit the properties hidden between the traditional integral properties $\mathcal{A}$ and $\mathcal{B}$. Thus, by propagating division property we expect to get some better distinguishers. In the following we introduce division property and present some propagation rules.

Definition 1 (Division Property [17]). Let $\mathbb{X}$ be a multiset whose elements take a value in $(\mathbb{F}_2^n)^m$, and $k$ be an $m$-dimensional vector whose coordinates take values between 0 and $n$. When the multiset $\mathbb{X}$ has the division property $\mathcal{D}^{n,m}_{k^{(0)}, k^{(1)}, \cdots, k^{(q-1)}}$, it fulfills the following condition: the parity of $\pi_u(x)$ over all $x \in \mathbb{X}$ is always even when
$$u \in \left\{ (u_0, u_1, \cdots, u_{m-1}) \in (\mathbb{F}_2^n)^m \mid W(u) \not\succeq k^{(0)}, \cdots, W(u) \not\succeq k^{(q-1)} \right\}.$$

Proposition 1 (Copy [17]). Denote by $\mathbb{X}$ an input multiset whose elements belong to $\mathbb{F}_2^n$, and let $x \in \mathbb{X}$. The copy function creates $(y_0, y_1)$ from $x$ where $y_0 = x$, $y_1 = x$. Assuming the input multiset has division property $\mathcal{D}^n_k$, let $\mathbb{Y}$ be the corresponding output multiset; then $\mathbb{Y}$ has division property $\mathcal{D}^{n,2}_{(0,k),(1,k-1),\cdots,(k,0)}$.

Proposition 2 (Compression by And [24]). Denote by $\mathbb{X}$ an input multiset whose elements belong to $\mathbb{F}_2^n \times \mathbb{F}_2^n$, let $(x_0, x_1) \in \mathbb{X}$ be an input to the compression function and denote the output value by $y$ where $y = x_0 \,\&\, x_1$. Let $\mathbb{Y}$ be the corresponding output multiset. If the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{n,2}_k$ where $k = (k_0, k_1)$, then the division property of $\mathbb{Y}$ is $\mathcal{D}^n_{k'}$ where $k' = \max\{k_0, k_1\}$.

Proposition 3 (Compression by Xor [17]). Denote by $\mathbb{X}$ an input multiset whose elements belong to $\mathbb{F}_2^n \times \mathbb{F}_2^n$, let $(x_0, x_1) \in \mathbb{X}$ be an input to the compression function and denote the output value by $y$ where $y = x_0 \oplus x_1$. Let $\mathbb{Y}$ be the corresponding output multiset. If the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{n,2}_k$ where $k = (k_0, k_1)$, then the division property of $\mathbb{Y}$ is $\mathcal{D}^n_{k_0 + k_1}$.

Proposition 4 (Substitution [17]). Denote by $\mathbb{X}$ an input multiset whose elements belong to $\mathbb{F}_2^{n_1}$, let $F$ be a substitution function (Sbox) with algebraic degree $d$ which maps an element in $\mathbb{F}_2^{n_1}$ to an element in $\mathbb{F}_2^{n_2}$, and denote by $\mathbb{Y}$ the corresponding output multiset $F(\mathbb{X})$. Assuming the input multiset has division property $\mathcal{D}^{n_1}_k$, then the output multiset has division property $\mathcal{D}^{n_2}_{\lceil k/d \rceil}$. Moreover, if $n_1 = n_2$ and the substitution function is bijective, assuming the input multiset has division property $\mathcal{D}^{n_1}_{n_1}$, then the output multiset has division property $\mathcal{D}^{n_1}_{n_1}$.

For more details regarding division property we refer the readers to [17–19].

2.3 Modeling a Subset in $\{0,1\}^n$ by Linear Inequalities

Convex Hull and H-Representation: The convex hull of a set $A$ of points is the smallest convex set that contains $A$, and the H-Representation of a convex set is a set of linear inequalities $L$ corresponding to the intersection of some halfspaces such that the feasible solutions of $L$ are exactly the convex set.
In [14,15] Sun et al. treat a differential $(x_{u-1}, \cdots, x_0) \to (y_{v-1}, \cdots, y_0)$ of a $u \times v$ Sbox as a $(u+v)$-dimensional vector $(x_{u-1}, \cdots, x_0, y_{v-1}, \cdots, y_0)$. By computing the H-Representation of the convex hull of all possible input-output differential pairs of an Sbox, a set of linear inequalities is returned that characterizes the differential propagation. Moreover, they proved that for a given subset $A$ of $\{0,1\}^n$, it is always feasible to choose a set of linear inequalities $L$ from the H-Representation of the convex hull of $A$ such that $A$ is exactly the set of feasible solutions of $L$ restricted to $\{0,1\}^n$.

Theorem 1 ([14]). Let $A$ be a subset of $\{0,1\}^n$, and denote by $\mathrm{Conv}(A)$ the convex hull of $A$. For any $x \in \{0,1\}^n$, $x \in \mathrm{Conv}(A)$ if and only if $x \in A$.

Thus, they first computed a set of vectors $A$ composed of all differential pairs of a given Sbox, and then calculated the H-Representation of the convex hull of $A$ by using the inequality_generator() function in the Sage [2] software, which returns a set of linear inequalities $L$ that is the H-Representation of $\mathrm{Conv}(A)$. According to Theorem 1, $L$ is an accurate description of the difference propagations of the given Sbox, that is, all feasible solutions of $L$ restricted to $\{0,1\}^n$ are exactly $A$. Since $L$ is the H-Representation of $\mathrm{Conv}(A)$ and each possible differential characteristic corresponds to a point in $A$, each possible differential characteristic satisfies the linear inequalities in $L$. On the other hand, for any impossible differential characteristic $id$, there always exists at least one linear inequality in $L$ that $id$ does not satisfy: otherwise $id$ would satisfy all the inequalities in $L$, which means $id$ belongs to $\mathrm{Conv}(A)$, and by Theorem 1 this is equivalent to $id \in A$, a contradiction.
Since $L$ is an accurate description of $A$, adding all the linear inequalities in $L$ into the MILP problem when searching differential characteristics of a block cipher will always return valid differential characteristics. However, the number of linear inequalities in the H-Representation of $\mathrm{Conv}(A)$ is often so large that adding all of them into the MILP model makes the problem computationally infeasible. Thus, Sun et al. [14] proposed a greedy algorithm (see Algorithm 1) to select a subset of $L$ whose feasible solutions restricted to $\{0,1\}^n$ are exactly $A$. This algorithm can greatly reduce the number of inequalities required to accurately describe $A$.
In order to illustrate the procedure of this section, we present a toy example in Appendix A.

3 Modeling Division Property Propagations of Basic Operations and Sbox by Linear Inequalities

In [18] Todo introduced division property by using some vectors in $\mathbb{Z}^m$, and the propagation of division property through a round function of the block cipher is actually a transition of the vectors. Given an initial division property $\mathcal{D}^{n,m}_k$ and letting $f_r$ denote the round function of a block cipher, the division property of the state after one round $f_r$ can be computed from $\mathcal{D}^{n,m}_k$ by the rules introduced in [17,18]; denote the division property after one round $f_r$ by $\mathcal{D}^{n,m}_K$, where $K$ is a set of vectors in $\mathbb{Z}^m$. Thus, the division property propagation through $f_r$ is actually the transition from $k$ to the vectors in $K$. Traditionally, if two vectors $k_1$ and $k_2$ in $K$ satisfy $k_1 \succeq k_2$, then $k_1$ is redundant and will be removed from $K$. However, since the redundant vectors do not influence the division property, in this paper we do not remove redundant vectors in $K$, that is, for any vector derived from $k$ by using the propagation rules we add this vector into $K$. Moreover, for any vector $\bar{k}$ in $K$, we say that $k$ can propagate to $\bar{k}$ through $f_r$.

Algorithm 1. Select a subset of linear inequalities from L
Input: L: the set of all inequalities in the H-Representation of Conv(A), with A a subset of {0,1}^n
Output: A subset L* of L whose feasible solutions restricted to {0,1}^n are A
1  begin
2    L* = ∅
3    B = {0,1}^n \ A
4    L̄ = L
5    while B ≠ ∅ do
6      l ← the inequality in L̄ which maximizes the number of points in B that do not satisfy this inequality (choose the first one if there are multiple such inequalities).
7      B* ← the points in B that do not satisfy l.
8      L* = L* ∪ {l}
9      L̄ = L̄ \ {l}
10     B = B \ B*
11   end
12   return L*
13 end

Definition 2 (Division Trail). Let $f_r$ denote the round function of an iterated block cipher. Assume the input multiset to the block cipher has initial division property $\mathcal{D}^{n,m}_k$, and denote the division property after $i$-round propagation through $f_r$ by $\mathcal{D}^{n,m}_{K_i}$. Thus, we have the following chain of division property propagations:
$$\{k\} \overset{\text{def}}{=} K_0 \xrightarrow{f_r} K_1 \xrightarrow{f_r} K_2 \xrightarrow{f_r} \cdots$$
Moreover, for any vector $k_i^*$ in $K_i$ ($i \ge 1$), there must exist a vector $k_{i-1}^*$ in $K_{i-1}$ such that $k_{i-1}^*$ can propagate to $k_i^*$ by the division property propagation rules. Furthermore, for $(k_0, k_1, \cdots, k_r) \in K_0 \times K_1 \times \cdots \times K_r$, if $k_{i-1}$ can propagate to $k_i$ for all $i \in \{1, 2, \cdots, r\}$, we call $(k_0, k_1, \cdots, k_r)$ an $r$-round division trail.

Proposition 5. Denote the division property of the input multiset to an iterated block cipher by $\mathcal{D}^{n,m}_k$, and let $f_r$ be the round function. Denote
$$\{k\} \overset{\text{def}}{=} K_0 \xrightarrow{f_r} K_1 \xrightarrow{f_r} K_2 \xrightarrow{f_r} \cdots \xrightarrow{f_r} K_r$$
the $r$-round division property propagation. Then the set of the last vectors of all $r$-round division trails which start with $k$ is equal to $K_r$.

Generally, given an initial division property $\mathcal{D}^{n,m}_k$, if one would like to check whether there exists a useful integral property after $r$-round encryption, we have to propagate the initial division property for $r$ rounds to get $\mathcal{D}^{n,m}_{K_r}$ and check all the vectors in $K_r$. According to Proposition 5, it is equivalent to find all $r$-round division trails which start with $k$, and check the last vectors of the division trails to judge whether any exploitable distinguisher can be extracted. Based on this observation, in the following we focus on how to accurately describe all division trails.
A linear inequality system will be adopted to describe division property propagations, that is, we will construct a linear inequality system such that the feasible solutions represent all division trails. Since division property propagation is a deterministic procedure, the constructed linear inequality system must satisfy:

– For each division trail, it must satisfy all linear inequalities in the linear inequality system. That is, each division trail corresponds to a feasible solution of the linear inequality system.
– Each feasible solution of the linear inequality system corresponds to a division trail. That is, the feasible solutions of the linear inequality system do not contain any impossible division trail.

A linear inequality system satisfying the above two conditions is an accurate description of division property propagation. In the rest of the paper, we only consider bit-based division property. We start by modeling bit-based division property propagation of some basic operations and the Sbox in block ciphers.

3.1 Modeling Copy, And and Xor

In this subsection, we show how to model bit-wise Copy, And and Xor operations by linear inequalities.

Modeling Copy. The Copy operation is the basic operation used in Feistel block ciphers. The left half of the input is copied into two equal parts, one of which is fed to the round function. Since we consider bit-based division property, the division property propagation of each bit is independent of the others. Thus, we consider only a single bit.
Let $\mathbb{X}$ be an input multiset whose elements take a value in $\mathbb{F}_2$. The copy function creates $y = (y_0, y_1)$ from $x \in \mathbb{X}$ where $y_0 = x$ and $y_1 = x$. Assuming the input multiset has division property $\mathcal{D}^1_k$, the corresponding output multiset has division property $\mathcal{D}^1_{(0,k),\cdots,(k,0)}$ from Proposition 1. Since we consider bit-based division property, the input multiset division property $\mathcal{D}^1_k$ must satisfy $k \le 1$. If $k = 0$, the output multiset has division property $\mathcal{D}^1_{(0,0)}$; otherwise if $k = 1$, the output multiset has division property $\mathcal{D}^1_{(0,1),(1,0)}$. Thus, $(0) \xrightarrow{Copy} (0,0)$ is the only division trail given the initial division property $\mathcal{D}^1_0$, and $(1) \xrightarrow{Copy} (0,1)$, $(1) \xrightarrow{Copy} (1,0)$ are the two division trails given the initial division property $\mathcal{D}^1_1$.
Now we are ready to give a linear inequality description of these division trails. Denote by $(a) \xrightarrow{Copy} (b_0, b_1)$ a division trail of the Copy function; the following inequality² is sufficient to describe the division propagation of Copy:
$$\begin{cases} a - b_0 - b_1 = 0 \\ a, b_0, b_1 \text{ are binaries} \end{cases} \qquad (1)$$
Apparently, all feasible solutions of the inequalities in (1) corresponding to $(a, b_0, b_1)$ are $(0,0,0)$, $(1,0,1)$ and $(1,1,0)$, which are exactly the three division trails of the Copy function described above.

Modeling And. The bit-wise And operation is a basic nonlinear function; it is the only nonlinear operation in the SIMON family. Similar to the modeling procedure of the Copy function, we can express its division property propagation as a set of linear inequalities.
Let $\mathbb{X}$ be an input multiset whose elements take a value in $\mathbb{F}_2 \times \mathbb{F}_2$. The And function creates $y = x_0 \,\&\, x_1$ from $x = (x_0, x_1) \in \mathbb{X}$. Assuming the input multiset has division property $\mathcal{D}^{1,2}_k$ where $k = (k_0, k_1)$, the division property of the corresponding output multiset is $\mathcal{D}^1_{k'}$ where $k' = \max\{k_0, k_1\}$ according to Proposition 2. Since we consider bit-based division property here, $k = (k_0, k_1)$ must satisfy $0 \le k_0, k_1 \le 1$. Thus, there are four division trails for the And function, which are $(0,0) \xrightarrow{And} (0)$, $(0,1) \xrightarrow{And} (1)$, $(1,0) \xrightarrow{And} (1)$ and $(1,1) \xrightarrow{And} (1)$. Denote by $(a_0, a_1) \xrightarrow{And} (b)$ a division trail of the And function; the following linear inequalities are sufficient to describe these propagation features:
$$\begin{cases} b - a_0 \ge 0 \\ b - a_1 \ge 0 \\ b - a_0 - a_1 \le 0 \\ a_0, a_1, b \text{ are binaries} \end{cases} \qquad (2)$$
It is easy to check that all feasible solutions of the inequalities in (2) corresponding to $(a_0, a_1, b)$ are $(0,0,0)$, $(0,1,1)$, $(1,0,1)$ and $(1,1,1)$, which are exactly the four division trails of the And function described above.

Modeling Xor. Bit-wise Xor is another basic operation used in block ciphers. Similarly, a linear inequality system can be constructed to describe the division property propagation through the Xor function.
Let $\mathbb{X}$ denote an input multiset whose elements take a value in $\mathbb{F}_2 \times \mathbb{F}_2$. The Xor function creates $y = x_0 \oplus x_1$ from $x = (x_0, x_1) \in \mathbb{X}$. Assuming the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{1,2}_k$ where $k = (k_0, k_1)$, the corresponding output multiset $\mathbb{Y}$ has division property $\mathcal{D}^1_{k_0 + k_1}$. Since we consider bit-based division property here, $k = (k_0, k_1)$ must satisfy $0 \le k_0, k_1 \le 1$. Moreover, since the elements of $\mathbb{Y}$ take a value in $\mathbb{F}_2$, the division property $\mathcal{D}^1_{k_0 + k_1}$ of $\mathbb{Y}$ must satisfy $k_0 + k_1 \le 1$. That is, if $(k_0, k_1) = (1,1)$, the division property propagation will abort. Thus, there are three valid division trails: $(0,0) \xrightarrow{Xor} (0)$, $(0,1) \xrightarrow{Xor} (1)$ and $(1,0) \xrightarrow{Xor} (1)$. Let $(a_0, a_1) \xrightarrow{Xor} (b)$ denote a division trail through the Xor function; the following inequality describes the division trails through the Xor function:
$$\begin{cases} a_0 + a_1 - b = 0 \\ a_0, a_1, b \text{ are binaries} \end{cases} \qquad (3)$$
We can check that all the feasible solutions of inequality (3) corresponding to $(a_0, a_1, b)$ are $(0,0,0)$, $(0,1,1)$ and $(1,0,1)$, which are exactly the division trails described above.

² In this paper we do not make a distinction between equality and inequality, since the MILP problem uses both equalities and inequalities as constraints.
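As an added illustration (not code from the paper), the following Python runs Algorithm 1 from Sect. 2.3 on the And trail set of this subsection and checks the systems (1), (2) and (3) by enumerating $\{0,1\}^3$. Since Sage's inequality_generator() is not used here, the pool of candidate inequalities is an assumed stand-in for the H-Representation: every inequality with integer coefficients in $\{-2,\ldots,2\}$ that all points of $A$ satisfy.

```python
"""Algorithm 1 (greedy inequality selection) on the bit-wise And, Copy and Xor trails."""
from itertools import product

# Division trails of the paper's Sect. 3.1 as binary points: (a0, a1, b) for And/Xor, (a, b0, b1) for Copy.
AND_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)}
COPY_TRAILS = {(0, 0, 0), (1, 0, 1), (1, 1, 0)}
XOR_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1)}


# A constraint is (coeffs, const) meaning coeffs . x + const >= 0.
def ge(coeffs, const=0):
    return [(tuple(coeffs), const)]


def eq(coeffs, const=0):
    """An equality is the pair of opposite inequalities (footnote 2 of the paper)."""
    return [(tuple(coeffs), const), (tuple(-c for c in coeffs), -const)]


# The paper's systems (1), (2), (3), variables ordered as in the trail tuples.
COPY_INEQS = eq([1, -1, -1])                                   # a - b0 - b1 = 0
AND_INEQS = ge([-1, 0, 1]) + ge([0, -1, 1]) + ge([1, 1, -1])   # b >= a0, b >= a1, b <= a0 + a1
XOR_INEQS = eq([1, 1, -1])                                     # a0 + a1 - b = 0


def satisfies(point, ineq):
    coeffs, const = ineq
    return sum(c * x for c, x in zip(coeffs, point)) + const >= 0


def feasible(ineqs, n):
    """All points of {0,1}^n satisfying every constraint (the set the paper checks by hand)."""
    return {p for p in product((0, 1), repeat=n) if all(satisfies(p, l) for l in ineqs)}


def candidate_pool(points, n, bound=2):
    """Assumed stand-in for the H-Representation L: every small-coefficient inequality valid on all of A."""
    rng = range(-bound, bound + 1)
    pool = []
    for coeffs in product(rng, repeat=n):
        if not any(coeffs):
            continue
        for const in rng:
            ineq = (coeffs, const)
            if all(satisfies(p, ineq) for p in points):
                pool.append(ineq)
    return pool


def select_inequalities(pool, points, n):
    """Algorithm 1: greedily pick the inequality cutting most remaining points of B = {0,1}^n \\ A."""
    selected = []                                               # L*
    remaining = set(product((0, 1), repeat=n)) - set(points)    # B
    pool = list(pool)                                           # L-bar
    while remaining:
        # max() returns the first maximizer, matching "choose the first one" in step 6.
        best = max(pool, key=lambda l: sum(not satisfies(p, l) for p in remaining))
        cut = {p for p in remaining if not satisfies(p, best)}  # B*
        if not cut:
            raise ValueError("pool cannot separate the remaining points from A")
        selected.append(best)
        pool.remove(best)
        remaining -= cut
    return selected


if __name__ == "__main__":
    for name, ineqs, trails in (("Copy", COPY_INEQS, COPY_TRAILS),
                                ("And", AND_INEQS, AND_TRAILS),
                                ("Xor", XOR_INEQS, XOR_TRAILS)):
        print(name, "system exact:", feasible(ineqs, 3) == trails)
    chosen = select_inequalities(candidate_pool(AND_TRAILS, 3), AND_TRAILS, 3)
    print("Algorithm 1 picked", len(chosen), "inequalities for And:", chosen)
```

With coefficient 2 allowed, the greedy pick for And is two inequalities rather than the three in (2), because a single inequality can cut three of the four non-trail points.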

3.2 Modeling Sbox

The Sbox is an important component of block ciphers; for a lot of block ciphers it is the only non-linear part. In [17,18], the Sbox is treated as a whole and the division property is considered with the elements of the input multiset taking a value in $\mathbb{F}_2^n$ for an $n$-bit Sbox. In [19] Todo et al. introduced bit-based division property, but they only applied their technique to the non-Sbox based ciphers SIMON and SIMECK. In this section, we study bit-based division property propagation through the Sbox.
Assume we are dealing with an $n$-bit Sbox, whose input and output are elements in $(\mathbb{F}_2)^n$. Suppose that the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{1,n}_k$ where $k = (k_0, k_1, \cdots, k_{n-1})$, that is, for any $u \in (\mathbb{F}_2)^n$ the parity of $\pi_u(x)$ over $\mathbb{X}$ is even if $W(u) \not\succeq k$. Note that for bit-based division property it holds that $W(u) = u$; thus, we do not make a distinction between $W(u)$ and $u$ in the following. To compute the division property of the output multiset $\mathbb{Y}$, we first consider a naive approach.

Previous Approach. First, by the Concatenation function, each element in $\mathbb{X}$ can be converted into an element in $\mathbb{F}_2^n$. Denote the output multiset of the Concatenation function by $\mathbb{X}^*$; thus, the division property of $\mathbb{X}^*$ is $\mathcal{D}^n_{k_0 + k_1 + \cdots + k_{n-1}}$ according to Rule 5 in [17]. Secondly, we pass each element in $\mathbb{X}^*$ to the Substitution function Sbox, and denote the output multiset by $\mathbb{Y}^*$, whose elements take a value in $\mathbb{F}_2^n$. According to Proposition 4, the division property of $\mathbb{Y}^*$ is $\mathcal{D}^n_{\lceil (k_0 + k_1 + \cdots + k_{n-1})/d \rceil}$ where $d$ is the algebraic degree of the Sbox. At last, for any value $y^* = y_0 \| y_1 \| \cdots \| y_{n-1}$ in $\mathbb{Y}^*$, a Split function creates $y = (y_0, y_1, \cdots, y_{n-1})$ from $y^*$. Apparently, the output multiset of the Split function equals $\mathbb{Y}$. According to Rule 4 in [17], the division property of $\mathbb{Y}$ is $\mathcal{D}^{1,n}_{k^0, k^1, \cdots}$ where $k^i = (k^i_0, k^i_1, \cdots, k^i_{n-1})$ $(i \ge 0)$ denote all solutions of $x_0 + x_1 + \cdots + x_{n-1} = \lceil (k_0 + k_1 + \cdots + k_{n-1})/d \rceil$.

Example: Take the Sbox used in PRESENT as an example. The PRESENT Sbox is a $4 \times 4$ Sbox with algebraic degree three. Assume that the input multiset to the Sbox has division property $\mathcal{D}^{1,4}_{(0,1,1,1)}$. To compute the output multiset division property, we can proceed in three steps as described above: First, by a concatenation function we convert the input multiset into another multiset $\mathbb{X}^*$ whose elements take a value in $\mathbb{F}_2^4$; thus the division property of $\mathbb{X}^*$ is $\mathcal{D}^4_3$. Secondly, make each value in $\mathbb{X}^*$ pass through the Sbox operation, and this will result in a multiset $\mathbb{Y}^*$ with division property $\mathcal{D}^4_{\lceil 3/3 \rceil} = \mathcal{D}^4_1$. Finally, we split each value in $\mathbb{Y}^*$ into a value in $(\mathbb{F}_2)^4$, and we will get a multiset $\mathbb{Y}$ with division property $\mathcal{D}^{1,4}_{(0,0,0,1),(0,0,1,0),(0,1,0,0),(1,0,0,0)}$. Thus, we have obtained four division trails of the Sbox: $(0,1,1,1) \xrightarrow{Sbox} (0,0,0,1)$, $(0,1,1,1) \xrightarrow{Sbox} (0,0,1,0)$, $(0,1,1,1) \xrightarrow{Sbox} (0,1,0,0)$ and $(0,1,1,1) \xrightarrow{Sbox} (1,0,0,0)$.
Note that only the algebraic degree is exploited to calculate the division trails of the Sbox in this naive approach. From the example illustrated above, if the input multiset to the Sbox has division property $D^{1,4}_{(0,1,1,1)}$, the corresponding output multiset does not balance on any of the four output bits. However, this is not actually true. Denote the input to the PRESENT Sbox as $x = (x_3, x_2, x_1, x_0)$, and the corresponding output as $y = (y_3, y_2, y_1, y_0)$; the algebraic normal form (ANF) of the PRESENT Sbox is listed as follows:

$$
\begin{cases}
y_3 = 1 \oplus x_0 \oplus x_1 \oplus x_3 \oplus x_1x_2 \oplus x_0x_1x_2 \oplus x_0x_1x_3 \oplus x_0x_2x_3 \\
y_2 = 1 \oplus x_2 \oplus x_3 \oplus x_0x_1 \oplus x_0x_3 \oplus x_1x_3 \oplus x_0x_1x_3 \oplus x_0x_2x_3 \\
y_1 = x_1 \oplus x_3 \oplus x_1x_3 \oplus x_2x_3 \oplus x_0x_1x_2 \oplus x_0x_1x_3 \oplus x_0x_2x_3 \\
y_0 = x_0 \oplus x_2 \oplus x_3 \oplus x_1x_2
\end{cases} \qquad (4)
$$
Thus,

$$\pi_{(0,0,0,1)}((y_3, y_2, y_1, y_0)) = y_0$$

and

$$
\begin{aligned}
\bigoplus_{x \in \mathbb{X}} \pi_{(0,0,0,1)}((y_3, y_2, y_1, y_0))
&= \bigoplus_{x \in \mathbb{X}} y_0 \\
&= \bigoplus_{x \in \mathbb{X}} (x_0 \oplus x_2 \oplus x_3 \oplus x_1x_2) \\
&= \bigoplus_{x \in \mathbb{X}} \pi_{(0,0,0,1)}(x) \oplus \bigoplus_{x \in \mathbb{X}} \pi_{(0,1,0,0)}(x) \oplus \bigoplus_{x \in \mathbb{X}} \pi_{(1,0,0,0)}(x) \oplus \bigoplus_{x \in \mathbb{X}} \pi_{(0,1,1,0)}(x) \\
&= 0 + 0 + 0 + 0 \\
&= 0
\end{aligned}
$$
660 Z. Xiang et al.

As illustrated above, the least significant bit $y_0$ of the output $y$ is balanced. Similarly, we can check that $y_2$ and $y_0y_2$ are all balanced. Furthermore, it can be observed that the expressions of $y_1$ and $y_3$ all contain the monomial $x_0x_1x_2$ whose parity over $\mathbb{X}$ is undetermined according to the initial division property $D^{1,4}_{(0,1,1,1)}$; thus $y_1$ and $y_3$ are not balanced. Based on these observations, the division property of $\mathbb{Y}$ should be $D^{1,4}_{(0,0,1,0),(1,0,0,0)}$. In this case we obtain two division trails of the PRESENT Sbox, and what is more important is that $y_0$, $y_2$ and $y_0y_2$ are all balanced under this approach.
Our Improved Approach. Now we present a generalized algorithm to calculate division trails of an Sbox based on bit-based division property. In Algorithm 2, $x = (x_{n-1}, \cdots, x_0)$ and $y = (y_{n-1}, \cdots, y_0)$ denote the input and output of an n-bit Sbox respectively, and $y_i$ is expressed as a Boolean function of $(x_{n-1}, \cdots, x_0)$.
Algorithm 2. Calculating division trails of an Sbox

Input : The input division property of an n-bit Sbox $D^{1,n}_{k}$ where $k = (k_{n-1}, \cdots, k_0)$
Output: A set K of vectors such that the output multiset has division property $D^{1,n}_{\mathbb{K}}$
 1 begin
 2     S̄ = {k̄ | k̄ ⪰ k}
 3     F(X) = {π_k̄(x) | k̄ ∈ S̄}
 4     K̄ = ∅
 5     for u ∈ (F₂)ⁿ do
 6         if π_u(y) contains any monomial in F(X) then
 7             K̄ = K̄ ∪ {u}
 8         end
 9     end
10     K = SizeReduce(K̄)
11     return K
12 end
We explain Algorithm 2 line by line:

Line 2–3 According to the input division property $D^{1,n}_{k}$, the parity of monomial $\pi_{\bar{k}}(x)$ with $\bar{k} \succeq k$ over $\mathbb{X}$ is undetermined, and we store these monomials in $F(\mathbb{X})$. Thus, the parity of any monomial that does not belong to $F(\mathbb{X})$ is zero.
Line 4 Initialize $\bar{\mathbb{K}}$ as an empty set.
Line 5–9 For any possible $u$, if the Boolean function $\pi_u(y)$ contains any monomial in $F(\mathbb{X})$, the parity of $\pi_u(y)$ over $\mathbb{X}$ is undetermined, and we store all these vectors in $\bar{\mathbb{K}}$.
Line 10 The SizeReduce() function removes all redundant vectors in $\bar{\mathbb{K}}$, since we are interested in finding a set $\mathbb{K}$ such that for any $u \in \{u \mid u \not\succeq k \text{ for all } k \in \mathbb{K}\}$, the parity of $\pi_u(y)$ is zero. Note that for any vector $u \in (\mathbb{F}_2)^n \setminus \bar{\mathbb{K}}$ the parity of $\pi_u(y)$ is zero; thus, we must have $\{u \mid u \not\succeq k \text{ for all } k \in \mathbb{K}\} \subset (\mathbb{F}_2)^n \setminus \bar{\mathbb{K}}$, and if we let $\mathbb{K}$ = SizeReduce($\bar{\mathbb{K}}$) it will meet this condition. Otherwise, if there existed a vector $u \in \{u \mid u \not\succeq k \text{ for all } k \in \mathbb{K}\}$ such that $u \notin (\mathbb{F}_2)^n \setminus \bar{\mathbb{K}}$, then $u \in \bar{\mathbb{K}}$, which means either $u \in \mathbb{K}$ or there exists a vector $u^* \in \mathbb{K}$ such that $u \succeq u^*$, since $\mathbb{K}$ = SizeReduce($\bar{\mathbb{K}}$). In either case $u \in \{u \mid u \not\succeq k \text{ for all } k \in \mathbb{K}\}$ cannot hold, which leads to a contradiction. Therefore, $\mathbb{K}$ is sufficient to characterize the division property of the output multiset.
Line 11 Return $\mathbb{K}$ as output.
Given an Sbox and an initial division property $D^{1,n}_{k}$, Algorithm 2 returns the output division property $D^{1,n}_{\mathbb{K}}$. Thus for any vector $k^* \in \mathbb{K}$, $(k, k^*)$ is a division trail of the Sbox. If we try all the $2^n$ possible input multiset division properties, we will get a full list of division trails. Table 4 in Appendix B presents a complete list of all the 47 division trails of the PRESENT Sbox.
Note that bit-based division property of an Sbox is closely related with Boura and Canteaut's work [6]. However, Boura and Canteaut's work is established on the parity set, while our results are directly deduced from bit-based division property.
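The following is an added example, not code from the paper or from the authors' repository: it implements Algorithm 2 on the PRESENT Sbox, recovering the ANF of every product of output bits with a Möbius transform instead of reading Eq. (4) by hand, and it also reads the balanced output bits off the resulting set K in the way Sect. 4.1 describes. The encoding of vectors as n-bit integers and all function names are this example's own conventions.

```python
# Added example (not code from the paper or its repository): Algorithm 2 run on
# the PRESENT Sbox. Vectors u, k in (F_2)^n are n-bit integers whose bit i is the
# coordinate attached to x_i / y_i, so (0,1,1,1) = 0b0111 and the unit vector
# for y_3 is 0b1000. Function names are this example's own.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth_table):
    """Monomials of the ANF of a Boolean function given by its 2^n-entry truth
    table (index = input x), computed with the Moebius transform. The monomial
    pi_u(x) = prod_{u_i=1} x_i is returned as the mask u; the constant 1 is mask 0."""
    n = len(truth_table).bit_length() - 1
    coeffs = list(truth_table)
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                coeffs[x] ^= coeffs[x ^ bit]
    return {u for u, c in enumerate(coeffs) if c}


def output_product_anf(sbox, n, u):
    """ANF of pi_u(y) = prod_{u_i=1} y_i, where y = S(x), as a function of x."""
    return anf([1 if (sbox[x] & u) == u else 0 for x in range(1 << n)])


def size_reduce(vectors):
    """SizeReduce(): drop every vector that has another vector of the set below it."""
    return {u for u in vectors if not any(v != u and (v & u) == v for v in vectors)}


def sbox_division_trails(sbox, n, k):
    """Algorithm 2: the set K such that D^{1,n}_k propagates to D^{1,n}_K through the Sbox."""
    # Lines 2-3: the monomials pi_{k'}(x) with k' >= k have undetermined parity over X
    undetermined = {kb for kb in range(1 << n) if (kb & k) == k}
    # Lines 5-9: keep u whenever pi_u(y) contains one of those monomials
    k_bar = {u for u in range(1 << n) if output_product_anf(sbox, n, u) & undetermined}
    return size_reduce(k_bar)  # Line 10


def all_division_trails(sbox, n):
    """Full trail table: input vector k -> set of output vectors (Table 4 for PRESENT)."""
    return {k: sbox_division_trails(sbox, n, k) for k in range(1 << n)}


def balanced_bits(K, n):
    """Output positions i whose unit vector is absent from K (Sect. 4.1): the
    Xor-sum of y_i over X is then zero. Only meaningful for k != 0, i.e. 0 not in K."""
    if 0 in K:
        return set()
    return {i for i in range(n) if (1 << i) not in K}


def vec(mask, n):
    """Render a mask as the paper's (c_{n-1}, ..., c_0) tuple."""
    return tuple((mask >> i) & 1 for i in reversed(range(n)))


if __name__ == "__main__":
    trails = all_division_trails(PRESENT_SBOX, 4)
    print(sum(len(K) for K in trails.values()), "division trails")  # 47
    K = trails[0b0111]
    print(vec(0b0111, 4), "->", sorted(vec(u, 4) for u in K))  # (0,1,1,1) -> [(0,0,1,0), (1,0,0,0)]
    print("balanced output bits:", balanced_bits(K, 4))  # {0, 2}
```

Running the block reproduces the 47 trails of Table 4 and, for the input $(0,1,1,1)$ of the example above, the two trails to $(0,0,1,0)$ and $(1,0,0,0)$, so that $y_0$ and $y_2$ are reported balanced.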

Representing the Division Trails of Sbox as Linear Inequalities. Each division trail of an n-bit Sbox can be viewed as a $2n$-dimensional vector in $\{0,1\}^{2n} \subset \mathbb{R}^{2n}$ where $\mathbb{R}$ is the real number field. Thus, all division trails form a subset $P$ of $\{0,1\}^{2n}$. Next, we compute the H-Representation of Conv($P$) by using the inequality_generator() function in the Sage [2] software, and this will return a set of linear inequalities $L$. However, $L$ contains too many inequalities, which will make the size of the corresponding MILP problem too large to solve. Fortunately, we can select a subset $L^*$ of $L$ by Algorithm 1 such that the feasible solutions of $L^*$ restricted to $\{0,1\}^{2n}$ are exactly $P$.
Example: The PRESENT Sbox has 47 division trails, which form a subset $P$ of $\{0,1\}^8$. By using the inequality_generator() function in the Sage software, a set of 122 linear inequalities will be returned. Furthermore, this set can be reduced by Algorithm 1, and we will get a set $L^*$ of only 11 inequalities. The 11 inequalities for the PRESENT Sbox are listed in Appendix C. In order to get the solutions of $L^*$ restricted to $\{0,1\}^8$, we only need to specify that all variables can only take values in $\{0,1\}$.
So far, we have studied calculating and modeling division trails of basic oper-
ations and Sbox, thus, for block ciphers based on these operations and (or) Sbox,
we can construct a set of linear inequalities which characterize one round divi-
sion property propagation. By repeating this procedure r times, we can get a
linear inequality system L such that all feasible solutions of L are all r-round
division trails.

3.3 Initial Division Property

Integral distinguisher search algorithms often have a given initial division property $D^{1,n}_{k}$. Even though $L$ is able to describe all division trails, we are interested in division trails starting from the given initial division property. Thus, we have to model the initial division property into the linear inequality system. Denote by $(a^0_{n-1}, \cdots, a^0_0) \to \cdots \to (a^r_{n-1}, \cdots, a^r_0)$ an r-round division trail; $L$ is thus a linear inequality system defined on variables $a^j_i$ $(i = 0, \cdots, n-1,\ j = 0, \cdots, r)$ and some auxiliary variables. Let $D^{1,n}_{k}$ denote the initial input division property with $k = (k_{n-1}, \cdots, k_0)$; we need to add $a^0_i = k_i$ $(i = 0, \cdots, n-1)$ into $L$, and thus all feasible solutions of $L$ are division trails which start from vector $k$.

4 Stopping Rule and Search Algorithm

In this section we first study the stopping rule in the search of integral distinguishers based on division property, and then we convert this stopping rule into an objective function of the MILP problem. At last, we propose an algorithm to determine whether an r-round integral distinguisher exists.
In the division property propagation, we note that only the zero vector can propagate to the zero vector. Thus if the given initial division property is $D^{1,n}_{k}$ with $k$ a non-zero vector, and we denote the division property after r-round propagation by $D^{1,n}_{\mathbb{K}_r}$, then it holds that $\mathbb{K}_r$ does not contain the zero vector. In the following, we always assume $k \neq 0$, since $k = 0$ does not imply any integral property on the input multiset.

4.1 Stopping Rule

Let's first consider a set $\mathbb{X}$ with division property $D^{1,n}_{\mathbb{K}}$. If $\mathbb{X}$ does not have any useful integral property, that is, the Xor-sum of $\mathbb{X}$ does not balance on any bit, then $\bigoplus_{x \in \mathbb{X}} \pi_u(x)$ is unknown for any unit vector $u \in (\mathbb{F}_2)^n$. Since $\mathbb{X}$ has division property $D^{1,n}_{\mathbb{K}}$, there must exist a vector $k \in \mathbb{K}$ such that $u \succeq k$. Note that $u$ is a unit vector, thus $u = k$, which means $\mathbb{K}$ contains all the $n$ unit vectors. On the other hand, if $\mathbb{K}$ contains all the $n$ unit vectors, then for any $0 \neq u \in (\mathbb{F}_2)^n$ there must exist a unit vector $e \in \mathbb{K}$ such that $u \succeq e$, that is, $\bigoplus_{x \in \mathbb{X}} \pi_u(x)$ is unknown. Thus, $\mathbb{X}$ does not have any integral property.

Proposition 6 (Set without Integral Property). Assume $\mathbb{X}$ is a multiset with division property $D^{1,n}_{\mathbb{K}}$; then $\mathbb{X}$ does not have any integral property if and only if $\mathbb{K}$ contains all the $n$ unit vectors.

Denote the output division property after i-round encryption by $D^{1,n}_{\mathbb{K}_i}$, and the initial input division property by $D^{1,n}_{k} \overset{\mathrm{def}}{=} D^{1,n}_{\mathbb{K}_0}$. If $\mathbb{K}_{r+1}$ for the first time contains all the $n$ unit vectors, the division property propagation should stop and an r-round distinguisher can be derived from $D^{1,n}_{\mathbb{K}_r}$. In this case, $\mathbb{K}_r$ does not contain all $n$ unit vectors; thus we can always find a unit vector $e$ such that $e \notin \mathbb{K}_r$. Since $e$ is a unit vector, it holds $e \not\succeq k$ for all $k \in \mathbb{K}_r$. Therefore, the parity of $\pi_e(x)$ over the r-round outputs is even, which is a zero-sum property; thus a balanced bit of the output is found. By repeating this process, all balanced bits can be found.

Based on this observation, we only need to detect whether $\mathbb{K}_r$ contains all unit vectors. According to Proposition 5, in order to check the vectors in $\mathbb{K}_r$, it is equivalent to check the last vectors of all r-round division trails. Denote by $(a^0_{n-1}, \cdots, a^0_0) \to \cdots \to (a^r_{n-1}, \cdots, a^r_0)$ an r-round division trail, and let $L$ denote a linear inequality system whose feasible solutions are all division trails which start with the given initial division property. It is clear that $L$ is a linear inequality system defined on variables $a^j_i$ $(i = 0, \cdots, n-1,\ j = 0, \cdots, r)$ and some auxiliary variables. Thus, we can set the objective function as:

$$\mathrm{Obj}: \mathrm{Min}\{a^r_0 + a^r_1 + \cdots + a^r_{n-1}\} \qquad (5)$$

Now we get a complete MILP problem by setting $L$ as constraints and Obj as the objective function. Note that $\mathbb{K}_i$ does not contain the zero vector, so the objective function will never take the value zero, and the MILP problem will return an objective value greater than zero (if the MILP problem has feasible solutions). In the following we show how to determine whether an r-round integral distinguisher exists based on this MILP problem.

4.2 Search Algorithm

Denote by $L$ a linear inequality description of all r-round division trails with the given initial input division property $D^{1,n}_{k}$. Let the sum of the coordinates of the last vector in the division trail be the objective function Obj as in Eq. (5). Denote by $M(L, \mathrm{Obj})$ the MILP problem composed of $L$ and Obj. Algorithm 3 will return whether an r-round integral distinguisher exists.
Our MILP problems are solved by the openly available MILP optimizer Gurobi [1], so Algorithm 3 is presented with some Gurobi syntax. We denote the set of last vectors of all division trails by $\mathbb{K}_r$.

Line 2 Initialize $S$ as all possible output bit positions.
Line 3–24 For an n-bit block cipher, check how many unit vectors there are in $\mathbb{K}_r$. Moreover, we remove the bit positions marked by the unit vectors in $\mathbb{K}_r$ from $S$, and return $S$ as the output of the algorithm.
Line 4 Check whether the MILP problem has a feasible solution. Note that the initial MILP problem always has feasible solutions. However, along with the execution of the procedure, it will add some constraints (Line 13) to the model which will possibly make the MILP problem infeasible.
Line 5 Optimize the MILP problem $M$ by Gurobi.
Line 6–18 M.ObjVal is Gurobi syntax which returns the current value of the objective function after $M$ has been optimized. M.ObjVal = 1 means we have found a division trail which ends up with a unit vector $e$, thus $e \in \mathbb{K}_r$. M.getObjective() is a Gurobi function which returns the objective function of the model, which is $a^r_0 + \cdots + a^r_{n-1}$ in our case. The functionality of Lines 8–17 is to find which variable of $(a^r_0, \cdots, a^r_{n-1})$ is equal to one in $e$ and add a new constraint var = 0 into $M$; here var denotes the variable taking the value one. obj.getVar(i) is used to return the i-th variable of obj, which is

Algorithm 3. Return whether an r-round distinguisher exists

Input : M = M(L, Obj).
Output: A set S of balanced bit positions.
 1 begin
 2     S = {a^r_0, ..., a^r_{n-1}}
 3     for i in range(0, n) do
 4         if M has feasible solutions then
 5             M.optimize()
 6             if M.ObjVal = 1 then
 7                 obj = M.getObjective()
 8                 for i in range(0, n) do
 9                     var = obj.getVar(i)
10                     val = var.getAttr('x')
11                     if val = 1 then
12                         S = S \ {var}
13                         M.addConstr(var = 0)
14                         M.update()
15                         break
16                     end
17                 end
18             else
19                 return S
20             end
21         else
22             return S
23         end
24     end
25     return S
26 end

$a^r_i$ in this case. var.getAttr('x') retrieves the value of var under the current solution. Line 12 removes var from $S$, since we have found $e \in \mathbb{K}_r$ whose nonzero position is var, which means var can't be a balanced bit position. M.addConstr(var = 0) adds a new constraint var = 0 into $M$, and this is used to rule out $e$ from $\mathbb{K}_r$. Line 14 updates the model since we have added a new constraint.
Line 19 This step returns $S$; the execution of this step means the objective value of $M$ is larger than one, that is, we can no longer find a division trail with the last vector being a unit vector. In this case, we have found all unit vectors in $\mathbb{K}_r$, which represent undetermined bit positions, and thus we have ruled out all unbalanced bits and get an integral distinguisher.
Line 22 $M$ not having any feasible solution means we have ruled out all unit vectors of $\mathbb{K}_r$ and made $\mathbb{K}_r$ an empty set along with the execution. In this case, we can return $S$ as output since we have checked all vectors.
Line 25 If the for loop does not make the procedure exit, return $S$ as output. Usually, in this case $S$ is an empty set, which means no distinguisher is found.
Algorithm 3 always returns a set $S$ indicating balanced bit positions. For a block cipher with a given initial division property $D^{1,n}_{k}$, we can construct an r-round linear description of division property propagations and use Algorithm 3 to check whether a distinguisher exists. If for the first time the (r+1)-round model returns an empty set, then the longest distinguisher for the given initial division property is r rounds.

5 Applications to SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE

In this section, we show some applications of our technique. All the source codes are available at https://github.com/xiangzejun/MILP_Division_Property. We applied our algorithm to the SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE block ciphers. The results are listed in Table 1. The Round (Previous) column and the Round (Sect. 5) column list the number of rounds of the distinguishers of previous results and of our results. The Data column represents the number of active bits of the input pattern of the integral distinguisher; the data complexity of the distinguisher is determined by the initial input division property. The Balanced bits column represents the number of balanced bits of the distinguisher we found. Time presents the time used by Algorithm 3 for searching the corresponding distinguishers, where s is short for second and m is short for minute. All the experiments were conducted on the following platform: Intel Core i7-2600 CPU @3.40 GHz, 8.00G RAM, 64-bit Windows 7 system. Moreover, the distinguishers listed in Table 1 are presented in Appendix E. The table shows that we get improved distinguishers for SIMON48/64/96/128, SIMECK48/64, PRESENT and RECTANGLE. For SIMECK32, LBlock and TWINE our results are consistent with the previous best results. The result for SIMON32 is one round less than the result in [19]. However, we only use bit-based division property here; the 15-round distinguisher found in [19] for SIMON32 used bit-based division property using three subsets. If bit-based division property is the only technique adopted, a 14-round distinguisher is the longest distinguisher we can find.

5.1 Applications to SIMON and SIMECK

SIMON [3] is a family of lightweight block ciphers published by the U.S. National Security Agency (NSA) in 2013. SIMON adopts a Feistel structure and it has a very compact round function which only involves bit-wise And, Xor and circular shift operations. The structure of one round of SIMON encryption is depicted in Fig. 1, where $S^i$ denotes left circular shift by $i$ bits.

Fig. 1. Feistel structure of SIMON round function

1-round Description of SIMON: Denote a one-round division trail of SIMON2n by $(a^i_0, \cdots, a^i_{n-1}, b^i_0, \cdots, b^i_{n-1}) \to (a^{i+1}_0, \cdots, a^{i+1}_{n-1}, b^{i+1}_0, \cdots, b^{i+1}_{n-1})$. In order to get a linear description of all possible division trails of one round of SIMON, we introduce four vectors of auxiliary variables, $(u^i_0, \cdots, u^i_{n-1})$, $(v^i_0, \cdots, v^i_{n-1})$, $(w^i_0, \cdots, w^i_{n-1})$ and $(t^i_0, \cdots, t^i_{n-1})$. We denote by $(u^i_0, \cdots, u^i_{n-1})$ the input division property of $S^1$. Similarly, denote by $(v^i_0, \cdots, v^i_{n-1})$ and $(w^i_0, \cdots, w^i_{n-1})$ the input division property of $S^8$ and $S^2$ respectively. Let $(t^i_0, \cdots, t^i_{n-1})$ denote the output division property of the bit-wise And operation. Subsection 3.1 has modeled the Copy, And and Xor functions. According to Eq. (1), the following inequalities are sufficient to model the Copy operation used in SIMON2n:

$$L_1: \quad a^i_j - u^i_j - v^i_j - w^i_j - b^{i+1}_j = 0 \quad \text{for } j \in \{0, 1, \cdots, n-1\}$$

Since we consider bit-based division property, division property propagation through a circular shift is just a circular shift of the coordinates of the vector. Thus, the division property of the output of $S^1$ is $(u^i_1, \cdots, u^i_{n-1}, u^i_0)$. Similarly, the division properties of the outputs of $S^8$ and $S^2$ are $(v^i_8, \cdots, v^i_6, v^i_7)$ and $(w^i_2, \cdots, w^i_0, w^i_1)$ respectively. We can model the bit-wise And operation used in SIMON by the following inequalities according to Eq. (2), where the indices $j+1$, $j+8$ and $j+2$ are taken modulo $n$:

$$
L_2: \begin{cases}
t^i_j - u^i_{j+1} \ge 0 & \text{for } j \in \{0, 1, \cdots, n-1\} \\
t^i_j - v^i_{j+8} \ge 0 & \text{for } j \in \{0, 1, \cdots, n-1\} \\
t^i_j - u^i_{j+1} - v^i_{j+8} \le 0 & \text{for } j \in \{0, 1, \cdots, n-1\}
\end{cases}
$$

At last, the Xor operations in SIMON2n can be modeled by the following inequalities according to Eq. (3):

$$L_3: \quad a^{i+1}_j - b^i_j - t^i_j - w^i_{j+2} = 0 \quad \text{for } j \in \{0, 1, \cdots, n-1\}$$

So far, we have modeled all operations used in SIMON, and get an accurate description $\{L_1, L_2, L_3\}$ of 1-round division trails. By repeating this procedure $r$ times, we can get a linear inequality system $L$ for r-round division property propagation. Given some initial division property, we can add the corresponding constraints into $L$ and determine whether a useful distinguisher exists by Algorithm 3. The results for the SIMON family are listed in Table 1.
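As an added example (not code from the paper or from the authors' repository), the following builds the r-round system $\{L_1, L_2, L_3\}$ of SIMON2n described above, adds the initial division property of Sect. 3.3 and the objective of Eq. (5), writes the whole model in the CPLEX LP text format that Gurobi and other MILP solvers read, and checks a hand-built one-round trail against the constraints. The variable naming (a0_3 for $a^0_3$, and so on), the bit ordering of the initial vector and all function names are this example's own assumptions; the solver itself is not invoked here.

```python
# Added example (not code from the paper or its repository): build the
# r-round division-trail model {L1, L2, L3} of SIMON2n from Sect. 5.1 with the
# initial division property of Sect. 3.3 and the objective of Eq. (5), render
# it in CPLEX LP format (readable by Gurobi and other solvers) and check a
# candidate trail against it. Variable names such as "a0_3" (round 0, bit 3)
# and the function names are this example's own conventions.

def simon_model(n, r, k):
    """Constraints and objective for r rounds of SIMON2n.
    k: initial division property as 2n bits ordered (a^0_0..a^0_{n-1}, b^0_0..b^0_{n-1}).
    A constraint is (coeffs, sense, rhs) with coeffs a dict var -> int and
    sense one of '>=', '<=' or '='."""
    assert len(k) == 2 * n
    def v(name, rnd, j):
        return f"{name}{rnd}_{j % n}"   # rotation indices j+1, j+8, j+2 are taken mod n
    cons = []
    for i in range(r):
        for j in range(n):
            # L1 (Copy): a^i_j is copied into u^i_j, v^i_j, w^i_j and b^{i+1}_j
            cons.append(({v('a', i, j): 1, v('u', i, j): -1, v('v', i, j): -1,
                          v('w', i, j): -1, v('b', i + 1, j): -1}, '=', 0))
            # L2 (And): t^i_j is the And of S^1(x)_j = u^i_{j+1} and S^8(x)_j = v^i_{j+8}
            cons.append(({v('t', i, j): 1, v('u', i, j + 1): -1}, '>=', 0))
            cons.append(({v('t', i, j): 1, v('v', i, j + 8): -1}, '>=', 0))
            cons.append(({v('t', i, j): 1, v('u', i, j + 1): -1, v('v', i, j + 8): -1}, '<=', 0))
            # L3 (Xor): a^{i+1}_j = b^i_j Xor t^i_j Xor S^2(x)_j, the last one being w^i_{j+2}
            cons.append(({v('a', i + 1, j): 1, v('b', i, j): -1, v('t', i, j): -1,
                          v('w', i, j + 2): -1}, '=', 0))
    for j in range(n):  # Sect. 3.3: fix the initial division property a^0 = k
        cons.append(({v('a', 0, j): 1}, '=', k[j]))
        cons.append(({v('b', 0, j): 1}, '=', k[n + j]))
    # Eq. (5): minimise the sum of the coordinates of the last vector of the trail
    objective = {v('a', r, j): 1 for j in range(n)}
    objective.update({v('b', r, j): 1 for j in range(n)})
    return objective, cons


def lp_text(objective, cons):
    """Render the model in LP format: Minimize / Subject To / Binary / End."""
    def lin(coeffs):
        return ' '.join(f"{'-' if c < 0 else '+'} {abs(c)} {var}" for var, c in sorted(coeffs.items()))
    names = sorted({var for coeffs, _, _ in cons for var in coeffs} | set(objective))
    lines = ['Minimize', ' obj: ' + lin(objective), 'Subject To']
    lines += [f' c{idx}: {lin(coeffs)} {sense} {rhs}' for idx, (coeffs, sense, rhs) in enumerate(cons)]
    lines += ['Binary', ' ' + ' '.join(names), 'End']
    return '\n'.join(lines) + '\n'


def satisfies(cons, trail):
    """Check one assignment (dict var -> 0/1, absent variables are 0) against every constraint."""
    cmp = {'>=': lambda l, r: l >= r, '<=': lambda l, r: l <= r, '=': lambda l, r: l == r}
    return all(cmp[sense](sum(c * trail.get(var, 0) for var, c in coeffs.items()), rhs)
               for coeffs, sense, rhs in cons)


def objective_value(objective, trail):
    """Value of Eq. (5) for an assignment: number of ones in the last vector."""
    return sum(c * trail.get(var, 0) for var, c in objective.items())


if __name__ == "__main__":
    # SIMON32 (n = 16), one round, constructed input pattern with the single active bit a^0_0
    obj, cons = simon_model(16, 1, [1] + [0] * 31)
    with open("simon32_1round.lp", "w") as f:
        f.write(lp_text(obj, cons))
    # Route the active bit through S^1 into the And and then the Xor: a^0_0 = 1 -> a^1_15 = 1
    print(satisfies(cons, {'a0_0': 1, 'u0_0': 1, 't0_15': 1, 'a1_15': 1}))  # True
```

One round of SIMON2n yields $5n$ constraints plus the $2n$ equalities fixing the initial vector; the trail in the usage call sends $a^0_0$ through $S^1$ (so $u^0_0 = 1$ feeds $t^0_{15}$ because $15 + 1 \equiv 0 \pmod{16}$) and ends with a last vector of weight one, which is exactly the kind of solution Algorithm 3 looks for when it tests M.ObjVal = 1.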

For SIMON48/64/96/128, we found the best distinguishers so far. Note that by using bit-based division property under the framework of [19], it is computationally impractical to search distinguishers for these versions. Using Algorithm 3, distinguishers can be searched in practical time.
SIMECK [25] is a family of lightweight block ciphers proposed at CHES 2015. The round function of SIMECK is very similar to that of SIMON except for the rotation constants. We applied our technique to SIMECK, and 15-, 18- and 21-round distinguishers are found for SIMECK32, SIMECK48 and SIMECK64 respectively, which shows that SIMON has better security than SIMECK with respect to division property based integral cryptanalysis.
The 14-round distinguisher of SIMON32 we found is the same as the 14-round distinguisher of SIMON32 in [19] based on bit-based division property. Surprisingly, the 15-round distinguisher for SIMECK32 in [19] was found by bit-based division property using three subsets; however, we also find the same distinguisher for SIMECK32 by only using bit-based division property.
In [9], the authors investigated the differential and linear behavior of SIMON
family regarding rotation parameters, and they presented some interesting alter-
native parameters among which (1, 0, 2) is optimal for the differential and linear
characteristics with the restriction that the second rotation parameter is zero. In
this paper, we investigated the integral property of this parameter by our tech-
nique. The results are listed in Table 2 (h in the time column represents hour).
The third column lists the rounds of the distinguishers we found. The results
show that (1, 0, 2) is a very bad choice with respect to division property based
integral cryptanalysis.

Table 2. Results on SIMON(1,0,2).

Cipher Block size Round Data Balanced bits Time
SIMON32(1,0,2) 32 20 31 1 34.1s
SIMON48(1,0,2) 48 28 47 1 3.2m
SIMON64(1,0,2) 64 36 63 1 10.3m
SIMON96(1,0,2) 96 52 95 3 6.4h
SIMON128(1,0,2) 128 68 127 3 24h

5.2 Applications to PRESENT and RECTANGLE

PRESENT [5] and RECTANGLE [28] are two SP-network block ciphers, of
which the linear layers are bit permutations. Figure 2 illustrates one round
encryption of PRESENT.
Fig. 2. One round SP structure of PRESENT

1-round Description of PRESENT: Denote a one-round division trail of PRESENT by $(a^i_{63}, \cdots, a^i_0) \to (a^{i+1}_{63}, \cdots, a^{i+1}_0)$. We first model the division property propagation of the Sbox layer. Denote the division property of the output of the Sbox layer by $(b^i_{63}, \cdots, b^i_0)$. Subsection 3.2 has studied how to calculate the division trails of an Sbox and model those trails by linear inequalities. Appendix C shows the 11 inequalities of the PRESENT Sbox. For each of the 16 Sboxes of PRESENT, we introduce 11 inequalities, and thus the Sbox layer of PRESENT can be modeled by $11 \times 16 = 176$ inequalities, which is denoted by $L_1$. The linear layer of PRESENT is a bit permutation; thus, the division property propagation through the linear layer is just a permutation of the coordinates of the vector, that is

$$
L_2: \begin{cases}
a^{i+1}_{16j \bmod 63} = b^i_j & j \in \{0, 1, \cdots, 62\} \\
a^{i+1}_j = b^i_j & j = 63
\end{cases}
$$

Note that $L_1$ is a linear inequality system defined on variables $(a^i_{63}, \cdots, a^i_0)$ and $(b^i_{63}, \cdots, b^i_0)$; we can use the equalities in $L_2$ to replace the variables $(b^i_{63}, \cdots, b^i_0)$ in $L_1$ in order to save auxiliary variables.
Now we have got a linear inequality system to describe one-round division propagation of PRESENT. By repeating this procedure, an r-round linear inequality system can be constructed. For a given initial division property $D^{1,64}_{k}$, we add this information into the linear inequality system and use Algorithm 3 to determine whether there exists an integral distinguisher.
The result for PRESENT is listed in Table 1. We found a 9-round integral
distinguisher for PRESENT which is two more rounds than the previous best
results in [22].
The modeling procedure of RECTANGLE is very similar to that of PRESENT, so we only list the result in Table 1. The previous longest integral distinguisher of RECTANGLE was found by the designers, who gave a 7-round distinguisher. In this paper we find a 9-round distinguisher, which is two more rounds.

5.3 Applications to LBlock and TWINE

This subsection applies our technique to two generalized Feistel block ciphers, LBlock and TWINE. The round functions of these two ciphers are alike, and each round function is composed of Copy, Sbox and Xor operations. We have shown how to model the Copy and Xor operations in SIMON and the Sbox in PRESENT; thus, we omit the details for these two ciphers due to the limit of space. The number of division trails and the number of linear inequalities required to describe those division trails of the LBlock and TWINE Sboxes are presented in Table 3. The {D.C} column represents the number of division trails of the corresponding Sbox, and the {Ine} column represents the number of linear inequalities we found to accurately describe the division trails. Note that we chose the first inequality in the sixth line of Algorithm 1; however, a choice other than the first one may result in a different set of inequalities.

Table 3. Sbox properties regarding division trails.

Sbox {D.C} {Ine}
PRESENT Sbox 47 11
RECTANGLE Sbox 49 17
LBlock S0 44 11
LBlock S1 44 12
LBlock S2 44 12
LBlock S3 44 11
LBlock S4 44 13
LBlock S5 44 10
LBlock S6 44 12
LBlock S7 44 12
TWINE Sbox 47 11

Our experimental results regarding LBlock and TWINE are listed in Table 1.
The distinguishers found in this paper are the same as the distinguishers found
for these two ciphers in [26].
Experiments. To illustrate the validity of the technique proposed in this paper, we present some integral distinguishers found by our technique with a small number of active bits, and we ran experiments on these distinguishers. The experiments are presented in Appendix D. Our experiments showed that the distinguishers found by our technique are sound. Moreover, the results on PRESENT and RECTANGLE illustrate that our technique can find quite accurate distinguishers, that is, the balanced bits found by Algorithm 3 are exactly in accordance with the experimental results. For the PRESENT cipher, we retrieved and improved the 5-round distinguisher found in [22]: our technique found all the four balanced bits of the outputs of the fifth round given the same input pattern as in [22], while Wu et al. could only prove the balancedness of one bit.

6 Summary and Discussion

In this paper we introduced a new technique to search integral distinguishers based on bit-based division property. We first proposed a new notion, division trail, and used this new notion to characterize the division property propagation; then we showed that it is sufficient to check the last vectors of all r-round division trails in order to determine whether an r-round distinguisher exists.
Based on the observations on division trails, we proposed to construct a
linear inequality system to characterize the division property propagations. We
first studied how to model division property propagations of Copy, And and
Xor operations by linear inequalities. For another basic component Sbox used
in block ciphers, we studied the bit-based division property propagations for
the first time, and we proposed an algorithm to compute the division trails
of an Sbox. Moreover, we used those division trails to derive a set of linear
inequalities whose feasible solutions are exactly all division trails. Thus, for a
block cipher we can construct a linear inequality system whose solutions are all
r-round division trails of the cipher, and we used this linear inequality system
as constraints of the MILP problem. Then, the stopping rule in the search of integral distinguishers was studied and we converted it into an objective function of an MILP problem. To be specific, we set the sum of the coordinates of the last vector in an r-round division trail as the objective function. Thus, we can get a complete MILP problem, based on which we presented an algorithm to determine whether an r-round integral distinguisher exists by checking how many unit vectors are contained in the last vectors of all division trails.
We applied our technique to SIMON, SIMECK, PRESENT, RECTANGLE,
LBlock and TWINE. For SIMON48/64/96/128, SIMECK48/64, PRESENT and
RECTANGLE, we get much longer distinguishers than previous results based
on division property in the open literature. Moreover, our results on PRESENT
and RECTANGLE show that we can get better integral distinguishers by using
the algebraic normal form of the Sboxes. Our results show that, by using our
technique, we can search integral distinguishers based on bit-based division prop-
erty in practical time for block ciphers with block size larger than 32, which is
impractical under the traditional framework.
In [19], Todo et al. also introduced bit-based division property using three subsets, and they found a 15-round distinguisher for SIMON32. However, we have not found a way to model this framework by an MILP problem at present. A surprising result is that, by using our technique, we also derived the 15-round distinguisher of SIMECK32 which was constructed by bit-based division property using three subsets in [19]. We also used our technique on some Sbox-based block ciphers such as PRESENT and RECTANGLE; note that their linear layers are all bit permutations. However, this technique can be easily extended to arbitrary linear layers, as pointed out by the reviewers, since any linear layer can be viewed as a bit-level linear layer which can be treated as bit-wise Copy and Xor.

Acknowledgements. We are very grateful to the anonymous reviewers. This work was supported by the National Natural Science Foundation of China (Grant No. 61379138), the "Strategic Priority Research Program" of the Chinese Academy of Sciences (Grant No. XDA06010701).

A An Example
Let’s consider a simple example in this section. Suppose that A =
{(0, 1), (1, 0), (1, 1)} is a subset of {0, 1}2 with three points, and we would like
to get a linear inequality system L such that all feasible solutions of L restricted
in {0, 1}2 are A.
We proceed by using inequality generator() function in the Sage software to
compute the H-Representation of Conv(A). The following is the source code.
Points = [ [ 0 , 1 ] , [ 1 , 0 ] , [ 1 , 1 ] ]
t r i a n g l e = Polyhedron ( v e r t i c e s = P o i n t s )
f o r l in t r i a n g l e . i n e q u a l i t y g e n e r a t o r ( ) :
print l
As a result, Sage returns three inequalities:


⎨x + y − 1 ≥ 0
L = −y + 1 ≥ 0 (6)


−x + 1 ≥ 0
It is easy to check that the feasible solutions of L form a triangle with A being
its three vertices, and the set of all feasible solutions of L restricted in {0, 1}2 is
exactly A. Thus, Eq. 6 is a description of A.
However, we can use Algorithm 1 to reduce the number of inequalities
required. We apply Algorithm 1 to this example and we find that only one
inequality is sufficient to accurately describe A:

L∗ = {x + y − 1 ≥ 0} (7)

It is easy to check that all solutions of L∗ restricted in {0, 1}2 are (0, 1) ,(1, 0)
and (1, 1) as expected.

B Division trails of PRESENT and RECTANGLE Sbox

Tables 4 and 5 present the division trails of the PRESENT and RECTANGLE Sboxes respectively.

C Linear inequalities description of PRESENT and RECTANGLE Sbox

The following inequalities are the 11 inequalities used to describe the PRESENT Sbox whose feasible solutions are exactly the 47 division trails of the PRESENT Sbox, where $(a_3, a_2, a_1, a_0) \to (b_3, b_2, b_1, b_0)$ denotes a division trail.

Table 4. Division trails of PRESENT Sbox

Input $D^{1,4}_{k}$ Output $D^{1,4}_{\mathbb{K}}$
(0,0,0,0) (0,0,0,0)
(0,0,0,1) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,0,1,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,0,1,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,1,0,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,1,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,1,1,0) (0,0,0,1) (0,0,1,0) (1,0,0,0)
(0,1,1,1) (0,0,1,0) (1,0,0,0)
(1,0,0,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,0,1,0) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,0,1,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,1,0,0) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,1,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,1,1,0) (0,1,0,1) (1,0,1,1) (1,1,1,0)
(1,1,1,1) (1,1,1,1)

Table 5. Division trails of RECTANGLE Sbox

Input $D^{1,4}_{k}$ Output $D^{1,4}_{\mathbb{K}}$
(0,0,0,0) (0,0,0,0)
(0,0,0,1) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,0,1,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,0,1,1) (0,0,0,1) (0,1,0,0) (1,0,1,0)
(0,1,0,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(0,1,0,1) (0,0,1,1) (0,1,0,0) (1,0,0,0)
(0,1,1,0) (0,0,1,1) (0,1,0,0) (1,0,0,0)
(0,1,1,1) (0,0,1,1) (0,1,0,0) (1,0,0,1)
(1,0,0,0) (0,0,0,1) (0,0,1,0) (0,1,0,0) (1,0,0,0)
(1,0,0,1) (0,0,1,1) (0,1,0,1) (0,1,1,0) (1,0,0,0)
(1,0,1,0) (0,0,1,0) (0,1,0,1) (1,0,0,0)
(1,0,1,1) (0,1,1,0) (1,0,1,1) (1,1,0,1)
(1,1,0,0) (0,0,1,1) (0,1,0,0) (1,0,0,0)
(1,1,0,1) (0,1,1,0) (1,0,1,0) (1,1,0,1)
(1,1,1,0) (0,0,1,1) (0,1,0,1) (1,0,0,0)
(1,1,1,1) (1,1,1,1)
Applying MILP Method to Searching Integral Distinguishers 673

The inequalities of Eq. 8 describe the PRESENT Sbox, where $(a_3, a_2, a_1, a_0) \to (b_3, b_2, b_1, b_0)$ denotes a division trail.




$$
\mathcal{L}^{*} = \left\{
\begin{array}{l}
a_3 + a_2 + a_1 + a_0 - b_3 - b_2 - b_1 - b_0 \ge 0 \\
-a_2 - a_1 - 2a_0 + b_3 + b_1 - b_0 + 3 \ge 0 \\
-a_2 - a_1 - 2a_0 + 4b_3 + 3b_2 + 4b_1 + 2b_0 \ge 0 \\
-2a_3 - a_2 - a_1 + 2b_3 + 2b_2 + 2b_1 + b_0 + 1 \ge 0 \\
-2a_3 - a_2 - a_1 + 3b_3 + 3b_2 + 3b_1 + 2b_0 \ge 0 \\
-b_3 + b_2 - b_1 + b_0 + 1 \ge 0 \\
-2a_3 - 2a_2 - 2a_1 - 4a_0 + b_3 + 4b_2 + b_1 - 3b_0 + 7 \ge 0 \\
a_3 + a_2 + a_1 + a_0 - 2b_3 - 2b_2 + b_1 - 2b_0 + 1 \ge 0 \\
-4a_2 - 4a_1 - 2a_0 + b_3 - 3b_2 + b_1 + 2b_0 + 9 \ge 0 \\
-2a_0 - b_3 - b_2 - b_1 + 2b_0 + 3 \ge 0 \\
a_0 + b_3 - b_2 - 2b_1 - b_0 + 2 \ge 0
\end{array}
\right. \qquad (8)
$$

$a_3, a_2, a_1, a_0, b_3, b_2, b_1, b_0$ are binaries.
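As an added example (not the authors' code), the following Python derives the division trails of the PRESENT Sbox from its ANF with the criterion used in this paper (a trail $k \to k'$ exists when the product of the output bits selected by $k'$ contains a monomial $x^u$ with $u \succeq k$, keeping only minimal $k'$), and then checks that the binary solutions of the 11 inequalities of Eq. 8 are exactly those 47 trails of Table 4. The Sbox table is the public PRESENT specification; the bit ordering ($a_3$ and $b_3$ most significant) is an assumption matched against Table 4.

```python
from itertools import product

# PRESENT Sbox (public specification); vectors (a3,a2,a1,a0) and (b3,b2,b1,b0)
# are 4-bit integers with a3 / b3 as the most significant bit (assumed ordering).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4

def anf_monomials(tt):
    """Monomials (as bit masks u) of the ANF of a truth table (Moebius transform)."""
    c, step = list(tt), 1
    while step < len(c):
        for i in range(len(c)):
            if i & step:
                c[i] ^= c[i ^ step]
        step <<= 1
    return {u for u, bit in enumerate(c) if bit}

def division_trails(sbox):
    """Division trails k -> k' of an n-bit Sbox: k' qualifies if the ANF of the
    product of the output bits selected by k' has a monomial x^u with u >= k
    componentwise; only the minimal qualifying k' are kept (Table 4 for PRESENT)."""
    anf = {kp: anf_monomials([all((sbox[x] >> i) & 1 for i in range(N) if (kp >> i) & 1)
                              for x in range(1 << N)]) for kp in range(1 << N)}
    trails = {}
    for k in range(1 << N):
        cand = {kp for kp in range(1 << N) if any(u & k == k for u in anf[kp])}
        trails[k] = {kp for kp in cand if not any(q != kp and q & kp == q for q in cand)}
    return trails

# Eq. 8 as (coefficients of a3, a2, a1, a0, b3, b2, b1, b0), constant term
EQ8 = [
    (( 1,  1,  1,  1, -1, -1, -1, -1), 0), (( 0, -1, -1, -2,  1,  0,  1, -1), 3),
    (( 0, -1, -1, -2,  4,  3,  4,  2), 0), ((-2, -1, -1,  0,  2,  2,  2,  1), 1),
    ((-2, -1, -1,  0,  3,  3,  3,  2), 0), (( 0,  0,  0,  0, -1,  1, -1,  1), 1),
    ((-2, -2, -2, -4,  1,  4,  1, -3), 7), (( 1,  1,  1,  1, -2, -2,  1, -2), 1),
    (( 0, -4, -4, -2,  1, -3,  1,  2), 9), (( 0,  0,  0, -2, -1, -1, -1,  2), 3),
    (( 0,  0,  0,  1,  1, -1, -2, -1), 2),
]

def inequality_solutions(ineqs):
    """{k: set of k'} over all 0/1 assignments that satisfy every inequality."""
    sols = {}
    for bits in product((0, 1), repeat=2 * N):
        if all(sum(c * b for c, b in zip(coef, bits)) + const >= 0 for coef, const in ineqs):
            k = int("".join(map(str, bits[:N])), 2)
            sols.setdefault(k, set()).add(int("".join(map(str, bits[N:])), 2))
    return sols

if __name__ == "__main__":
    trails = division_trails(PRESENT_SBOX)
    print(sum(map(len, trails.values())), inequality_solutions(EQ8) == trails)  # 47 True
```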
The following 17 inequalities (Eq. 9) are used to describe the RECTANGLE Sbox; their feasible solutions are exactly the 49 division trails of the RECTANGLE Sbox, where $(a_3, a_2, a_1, a_0) \to (b_3, b_2, b_1, b_0)$ denotes a division trail.


$$
\mathcal{L}^{*} = \left\{
\begin{array}{l}
-a_3 - a_2 - 2a_1 - 3a_0 - 2b_3 + b_1 + 2b_0 + 6 \ge 0 \\
-b_3 - b_2 + b_0 + 1 \ge 0 \\
a_3 + a_2 + a_1 + a_0 - b_3 - b_2 - b_1 - b_0 \ge 0 \\
3a_3 + a_2 - b_3 - 2b_2 - b_1 - 2b_0 + 2 \ge 0 \\
a_2 + a_0 - b_2 - 2b_1 - b_0 + 2 \ge 0 \\
-a_2 - a_1 - a_0 + b_3 + 2b_2 + 2b_0 + 1 \ge 0 \\
-2a_3 - a_1 - a_0 + b_3 + 2b_1 + b_0 + 2 \ge 0 \\
-3a_3 - a_2 - a_1 - 2a_0 + b_3 + 2b_2 + 2b_1 - b_0 + 4 \ge 0 \\
-a_2 - a_1 + b_3 + b_2 + b_1 + 1 \ge 0 \\
-3a_3 - a_2 - a_1 - 2a_0 + 3b_3 + 2b_2 + 2b_1 + b_0 + 2 \ge 0 \\
2a_2 + 3a_1 - 3b_3 - b_2 - 2b_1 - b_0 + 3 \ge 0 \\
-a_3 - a_2 - a_0 + 2b_3 + 2b_2 + b_1 + b_0 \ge 0 \\
-2a_2 - a_1 - a_0 + 3b_3 + 4b_2 + 2b_1 + 2b_0 \ge 0 \\
a_3 + a_2 + a_1 + a_0 - 2b_3 - 2b_0 + 1 \ge 0 \\
2a_0 - b_3 - b_2 - b_1 + 1 \ge 0 \\
3a_3 - 4a_2 - a_1 - a_0 - 2b_3 - b_2 - 3b_1 + 2b_0 + 7 \ge 0 \\
a_3 + a_1 + a_0 + b_3 - 3b_2 - 2b_1 - 2b_0 + 3 \ge 0
\end{array}
\right. \qquad (9)
$$

$a_3, a_2, a_1, a_0, b_3, b_2, b_1, b_0$ are binaries.

D Experiments on PRESENT and RECTANGLE


For the SIMON family of block ciphers, we found a 14-round distinguisher of SIMON32, which is in accordance with the distinguisher presented in [19]. For LBlock and TWINE, the distinguishers found in this paper are in accordance with the distinguishers presented in [26]. Thus, we believe that the distinguishers found for SIMON, SIMECK, LBlock and TWINE are sound. In the following, we only conduct some experiments on PRESENT and RECTANGLE.
PRESENT: We found the following 5-round distinguisher for PRESENT. If we fix the leftmost 60 bits to a random constant and vary the rightmost 4 bits, then after five rounds of encryption the four rightmost bits of the state are balanced.

Input:(ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccaaaa)
Output:(????????????????????????????????????????????????????????????bbbb)
c: constant bit, a: active bit, ?: unknown bit, b: balanced bit

We ran the experiment on this distinguisher $2^{12}$ times. The experimental result returns the four rightmost bits as balanced, which is in accordance with our theoretical result.
Note that in [22] Wu et al. found a 5-round distinguisher for PRESENT which has the same input pattern as the distinguisher presented here. However, they only proved that the rightmost bit is balanced. Using our technique, we can find all four balanced bits.
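As an added example (not the authors' experiment code), the following Python repeats the check of this 5-round PRESENT distinguisher: it enumerates the 16 plaintexts that vary the rightmost nibble, encrypts them for five rounds (key addition, Sbox layer, bit permutation), and XORs the outputs; a zero bit in the sum is balanced. The Sbox and the bit permutation are the public PRESENT specification; the key schedule is replaced by independent random round keys (an assumption that is harmless here, since an integral property holds for any round keys), and bit 0 is taken as the rightmost bit of the 64-bit state.

```python
import random

# PRESENT Sbox (public specification). Bit 0 is the rightmost state bit, so the
# input pattern "c...caaaa" of the distinguisher is nibble 0 (bits 0..3).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def sbox_layer(s):
    return sum(PRESENT_SBOX[(s >> (4 * i)) & 0xF] << (4 * i) for i in range(16))

def p_layer(s):
    """PRESENT bit permutation: bit i moves to position 16*i mod 63 (bit 63 is fixed)."""
    out = 0
    for i in range(64):
        if (s >> i) & 1:
            out |= 1 << (63 if i == 63 else (16 * i) % 63)
    return out

def present_rounds(pt, round_keys):
    """One round per key: key addition, Sbox layer, bit permutation (no key schedule)."""
    s = pt
    for rk in round_keys:
        s = p_layer(sbox_layer(s ^ rk))
    return s

def integral_sum(round_keys, const, active_mask):
    """XOR of all outputs when the bits in active_mask take every value and the
    remaining bits are fixed to const. A zero bit of the result is balanced."""
    positions = [i for i in range(64) if (active_mask >> i) & 1]
    acc = 0
    for v in range(1 << len(positions)):
        pt = const & ~active_mask
        for j, p in enumerate(positions):
            if (v >> j) & 1:
                pt |= 1 << p
        acc ^= present_rounds(pt, round_keys)
    return acc

def check_distinguisher(rounds=5, active_mask=0xF, trials=64, seed=1):
    """OR of the integral sums over random keys and constants: a bit that stays 0
    was balanced in every trial (for 5 rounds the low 4 bits are expected to be 0)."""
    rng = random.Random(seed)  # fixed seed so the check is reproducible
    seen = 0
    for _ in range(trials):
        keys = [rng.getrandbits(64) for _ in range(rounds)]  # constructed random keys
        seen |= integral_sum(keys, rng.getrandbits(64), active_mask)
    return seen
```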
RECTANGLE: We found the following 6-round distinguisher for RECTANGLE. The input of the distinguisher has 23 active bits: the six rightmost bits of the first, third and fourth rows and the five rightmost bits of the second row are active. The output after six rounds of encryption is balanced on 40 bits: the first two rows, the two rightmost bits of the third row and the six leftmost bits of the last row.

Input:                       Output:
(ccccccccccaaaaaa)           (bbbbbbbbbbbbbbbb)
(cccccccccccaaaaa)    −→     (bbbbbbbbbbbbbbbb)
(ccccccccccaaaaaa)           (??????????????bb)
(ccccccccccaaaaaa)           (bbbbbb??????????)

We ran the experiment on this distinguisher $2^{10}$ times. The experimental result returns 40 balanced bits, which is in accordance with our theoretical result.

E Integral Distinguishers listed in Table 1

For the SIMON and SIMECK family block ciphers, all distinguishers can be extended by one more round using the technique in [20].

E.1 SIMON32’s 13-Round Distinguisher

Input:(caaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaa)
Output:(????????????????,bbbbbbbbbbbbbbbb)

E.2 SIMON48’s 15-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????,bbbbbbbbbbbbbbbbbbbbbbbb)

E.3 SIMON64’s 17-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????????????,bbbbbbbbbbb?????b?????bbbbbbbbbb)

E.4 SIMON96’s 21-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????????????????????????????,
b?b????b?????????????????????????????????b????b?)

E.5 SIMON128’s 25-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????????????????????????????????????????????,
b?b???????????????????????????????????????????????????????????b?)

E.6 SIMECK32’s 14-Round Distinguisher

Input:(caaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaa)
Output:(????????????????,bb???bb???bb???b)

E.7 SIMECK48’s 17-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????,b???bb?????????????bb???)

E.8 SIMECK64’s 20-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????????????,bb???b?????????????????????b???b)

E.9 PRESENT’s 9-Round Distinguisher

Input:(aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaacccc)
Output:(???????????????????????????????????????????????????????????????b)

E.10 RECTANGLE’s 9-Round Distinguisher

Input:                       Output:
(caaaaaaaaaaaaaaa)           (bbb?b?bbbbbbbbbb)
(caaaaaaaaaaaaaaa)    −→     (?????????????b?b)
(caaaaaaaaaaaaaaa)           (????????????????)
(caaaaaaaaaaaaaaa)           (????????????????)

E.11 LBlock’s 16-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????????????????????????????????,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb)

E.12 TWINE’s 16-Round Distinguisher

Input:(caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
Output:(????bbbb????bbbb????bbbb????bbbb,????bbbb????bbbb????bbbb????bbbb)

References
1. http://www.gurobi.com/
2. http://www.sagemath.org/
3. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive 2013, 404 (2013)
4. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001). doi:10.1007/3-540-44987-6_24
5. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_31
6. Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 654–682. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_24
7. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). doi:10.1007/BFb0052343
8. Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). doi:10.1007/3-540-45661-9_9
9. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_8
10. Lucks, S.: The saturation attack — a bait for twofish. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2002). doi:10.1007/3-540-45473-X_1
11. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34704-7_5
12. Sun, B., Hai, X., Zhang, W., Cheng, L., Yang, Z.: New observation on division property. Science China Information Science (2016). http://eprint.iacr.org/2015/459
13. Sun, S., Hu, L., Song, L., Xie, Y., Wang, P.: Automatic security evaluation of block ciphers with S-bP structures against related-key differential attacks. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 39–51. Springer, Heidelberg (2014). doi:10.1007/978-3-319-12087-4_3
14. Sun, S., Hu, L., Wang, M., Wang, P., Qiao, K., Ma, X., Shi, D., Song, L., Fu, K.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Technical report, Cryptology ePrint Archive, Report 2014/747 (2014)
15. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45611-8_9
16. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). doi:10.1007/978-3-642-35999-6_22
17. Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_20
18. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_12
19. Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. Cryptology ePrint Archive, Report 2016/285 (2016). http://eprint.iacr.org/
20. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Heidelberg (2014). doi:10.1007/978-3-319-13039-2_9
21. Wu, S., Wang, M.: Security evaluation against differential cryptanalysis for block cipher structures. IACR Cryptology ePrint Archive 2011, 551 (2011)
22. Wu, S., Wang, M.: Integral attacks on reduced-round PRESENT. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 331–345. Springer, Heidelberg (2013). doi:10.1007/978-3-319-02726-5_24
23. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21554-4_19
24. Xiang, Z., Zhang, W., Lin, D.: On the division property of SIMON48 and SIMON64. International Workshop on Security (2016)
25. Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The Simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48324-4_16
26. Zhang, H., Wu, W.: Structural evaluation for generalized Feistel structures and applications to LBlock and TWINE. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 218–237. Springer, Heidelberg (2015). doi:10.1007/978-3-319-26617-6_12
27. Zhang, H., Wu, W., Wang, Y.: Integral attack against bit-oriented block ciphers. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 102–118. Springer, Heidelberg (2016). doi:10.1007/978-3-319-30840-1_7
28. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015)
29. Zhang, W., Su, B., Wu, W., Feng, D., Wu, C.: Extending higher-order integral: an efficient unified algorithm of constructing integral distinguishers for block ciphers. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 117–134. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31284-7_8
