Automatic Search of Bit-Based Division Property for ARX Ciphers and Word-Based Division Property

Ling Sun^{1,2}, Wei Wang^1, Meiqin Wang^{*1,2,3}


^1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, 250100, China
^2 Science and Technology on Communication Security Laboratory, Chengdu 610041, China
^3 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
[email protected]; [email protected]; [email protected]

Abstract. Division property is a generalized integral property proposed by Todo at Eurocrypt 2015. Previous tools for automatic searching are mainly based on the Mixed Integer Linear Programming (MILP) method and trace the division property propagation at the bit level. In this paper, we propose automatic tools to detect ARX ciphers’ division property at the bit level and some specific ciphers’ division property at the word level.
For ARX ciphers, we construct the automatic searching tool relying on the Boolean Satisfiability Problem (SAT) instead of MILP, since the SAT method is more suitable for the search of ARX ciphers’ differential/linear characteristics. The propagation of division property is translated into a system of logical equations in Conjunctive Normal Form (CNF). Some logical equations can be dynamically adjusted according to different initial division properties and stopping rules, while the others, corresponding to r-round propagations, remain the same. Moreover, our approach can efficiently identify some optimized distinguishers with lower data complexity. As a result, we obtain a 17-round distinguisher for SHACAL-2, which gains four more rounds than previous work, and an 8-round distinguisher for LEA, which covers one more round than the former one.
For word-based division property, we develop the automatic search based on Satisfiability Modulo Theories (SMT), which is a generalization of SAT. We model division property propagations of basic operations and S-boxes by logical formulas, and turn the searching problem into an SMT problem. With some available solvers, we achieve some new distinguishers. For CLEFIA, 10-round distinguishers are obtained, which cover one more round than the previous work. For the internal block cipher of Whirlpool, the data complexities of 4/5-round distinguishers are improved. For Rijndael-192 and Rijndael-256, 6-round distinguishers are presented, which attain two more rounds than the published ones. Besides, the integral attacks for CLEFIA are improved by one round with the newly obtained distinguishers.

Keywords: Automatic search, Division property, ARX, SAT/SMT

* Corresponding Author
1 Introduction
Automatic tools for cryptanalysis play a more and more important role in
the design and cryptanalysis of symmetric ciphers. One common direction to
construct automatic tools is to transform the searching problems into some
mathematical problems, so that some existing solvers can be invoked. The in-
volved mathematical problems can be roughly divided into three categories,
which are Boolean Satisfiability Problem (SAT)/Satisfiability Modulo Theories
(SMT) problem [7, 16, 24, 32], Mixed Integer Linear Programming (MILP) prob-
lem [10, 25, 39, 45], and Constraint Programming (CP) problem [12, 38]. At the
very start, research on the automatic search of distinguishers concentrated
on detecting differential and linear characteristics, since differential [4] and lin-
ear [20] cryptanalysis are two of the most powerful techniques in the cryptanalysis
of symmetric-key primitives. Recently, with the advent of division property [41],
which is a generalized integral property, research on the automatic search for
division property has arisen.
Division property was proposed by Todo [41] at Eurocrypt 2015, which was
originally used to search integral distinguishers of block cipher structures. Due to
the newly identified division property, at Crypto 2015, MISTY1 [21] was broken
by Todo for the first time. Later, Todo and Morii [42] introduced the bit-based
division property at FSE 2016, which propagates each bit independently, and a
14-round integral distinguisher for SIMON32 [3] was detected. Depending on the
partition of the internal state, the methods behind the obtained distinguishers
can be divided into three categories. 1) state-based division property: evaluate
the division properties of some generalized structures. Todo [41] finished the
extensive research for 2-branch Feistel structure and SPN on the whole state.
Related works were provided in [5]. 2) word-based division property: evaluate
the division properties of some specific ciphers at the word level. Todo [41]
implemented the search for a variety of AES-like ciphers with 4-bit S-boxes,
and the 6-round integral distinguisher [40] for MISTY1 was obtained based on
this method. Some works on this topic were introduced in [34, 35, 46]. 3) bit-
based division property: evaluate the propagation of division property at the bit
level. Note that it is more likely to obtain better distinguishers under a more
subtle partition since more information can be taken into account. All published
automatic tools of integral distinguishers based on division property focused
on the bit level. At Asiacrypt 2016, Xiang et al. [45] applied MILP method to
search integral distinguishers with bit-based division property. Soon after, the
automatic search of integral distinguishers based on MILP method for ARX
ciphers was proposed in [36]. Many other automatic tools relying on MILP and
CP can be found in [37, 38, 47].
ARX ciphers constitute a broad class of symmetric-key cryptographic algo-
rithms, and are composed of a small set of simple operations such as modular
addition, bit rotation, bit shift and XOR. To claim the security of ARX ciphers,
one way is to prove the security bounds just as Dinu et al. showed in [9], where a
long trail design strategy for ARX ciphers with provable bounds was proposed.
The other is to estimate the maximum number of rounds of the detectable distinguishers, which relies heavily on automatic tools, where the search for distinguishers is converted into an SAT/SMT problem or MILP problem. The results show
that SAT/SMT based methods [18,24,32] outperform MILP based methods [10]
in the search of differential/linear characteristics for ARX ciphers. Hence, for
bit-based division property, it is worth exploring whether automatic tools based
on SAT/SMT method can be constructed and provide better performance for
ARX primitives.
Although the search of bit-based division property can take advantage of
more details, it is infeasible to trace the division property propagation at the
bit level for some ciphers with large state and complicated operations, such as
Rijndael [8] with 256-bit block size. In order to get the tradeoff between accuracy
and practicability as we detect the division property, we also consider building
automatic tool to search integral distinguishers on account of word-based division
property.

Our Contributions. For the integral cryptanalysis, we construct automatic searching tools of bit-based division property for ARX ciphers and word-based division property for some specific ciphers. The key point is to translate the propagation of division property into an SAT/SMT problem and control the function calls. Specifically, the contributions can be summarized as follows:

– For ARX ciphers, we propose automatic tools to search integral distinguishers using bit-based division property. First, we model the division property propagations of the three basic operations, i.e., Copy, AND, and XOR, and present formulas in Conjunctive Normal Form (CNF) for them. Then, the concrete equations for the modular addition operation to depict bit-based division property propagation can be achieved. The initial division property and stopping rule are transformed to logical equations, too. At last, the propagation of division property for an ARX cipher is described by a system of logical equations in CNF, where some logical formulas can be dynamically adjusted according to different initial division properties of the input multi-set and final division properties of the output multi-set, and the others corresponding to r-round propagations remain the same.
– For integral cryptanalysis, it is better to adopt distinguishers with less data requirements, and our approach can efficiently identify some optimal^4 distinguishers which require less chosen plaintexts among the distinguishers with the same length. Our searching approach is composed of two algorithms. The first one restricts the search scope of initial division property and determines the maximum number of rounds of distinguishers achieved in our model. The second one optimizes the distinguishers based on the first algorithm’s output.
– For word-based division property, we construct an automatic tool based on the SMT method. We first study how to model division property propagations of basic operations by logical formulas. Moreover, by the exclusion method, we construct formulas to depict the possible propagations calculated by the Substitution rule. With some available solvers, we can efficiently search integral distinguishers by setting initial division property and stopping rule rationally. Finally, the problem of searching division property can be transformed into an SMT problem.

^4 The integral distinguishers are optimal under the search strategies defined in this paper.
– New integral distinguishers are detected for some ARX ciphers, such as SHACAL-2 [13], LEA [14], and HIGHT [15]. With the two algorithms mentioned above, the number of initial division properties required to be evaluated for SHACAL-2 is reduced from $2^{79.24}$ to 410, so that we can easily obtain a 17-round integral distinguisher with data complexity $2^{241}$ chosen plaintexts, which achieves four more rounds than previous work. For LEA, an 8-round distinguisher is identified, which covers one more round than the one found by the MILP method [36]. For HIGHT, although the lengths and data requirements of the newly obtained distinguishers are not improved, some of them have more zero-sum bits than those proposed in [36].
– New word-based division properties are presented for some specific ciphers.
For CLEFIA [31], we discover 10-round distinguishers, which attain one more
round than the one proposed in [19]. With the newly obtained distinguishers
for CLEFIA, we can improve the previous integral attacks by one round. The
data requirements of 4/5-round integral distinguishers for the internal block
cipher of Whirlpool [1] are reduced. As to Rijndael-192 and Rijndael-256 [8],
6-round distinguishers are proposed, which cover two more rounds than the
previous work.
Our main results and the comparisons are listed in Table 1 and Table 3.
The rest of the paper is organized as follows. In Section 2, some notations
and background are introduced. Section 3 focuses on the automatic search of
integral distinguishers with bit-based division property for ARX ciphers. The
automatic method relying on SMT to search integral distinguishers in accordance
with word-based division property is provided in Section 4. Section 5 presents
some applications of the developed automatic tools. We conclude the paper in
Section 6.

2 Preliminary
2.1 Notations
For any $a \in \mathbb{F}_2^n$, its $i$-th element is denoted as $a[i]$, where the bit positions are labeled in big-endian, and the Hamming weight $w(a)$ is calculated by $w(a) = \sum_{i=0}^{n-1} a[i]$. For any $a = (a_0, a_1, \ldots, a_{m-1}) \in \mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$, the vectorial Hamming weight of $a$ is defined as $W(a) = (w(a_0), w(a_1), \ldots, w(a_{m-1})) \in \mathbb{Z}^m$. For any $k \in \mathbb{Z}^m$ and $k' \in \mathbb{Z}^m$, we define $k \succeq k'$ if $k_i \ge k'_i$ for all $i$. Otherwise, $k \not\succeq k'$.
For any set $\mathbb{K}$, $|\mathbb{K}|$ denotes the number of elements in $\mathbb{K}$. $\emptyset$ stands for an empty set. Denote $\mathbb{Z}_m$ the set $\{0, 1, \ldots, m\}$.

Definition 1 (Bit Product Function). Assume $u \in \mathbb{F}_2^n$ and $x \in \mathbb{F}_2^n$. The Bit Product Function $\pi_u$ is defined as
$$\pi_u(x) = \prod_{i=0}^{n-1} x[i]^{u[i]}.$$
For $u = (u_0, u_1, \ldots, u_{m-1}) \in \mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$, let $x = (x_0, x_1, \ldots, x_{m-1}) \in \mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$ be the input; the Bit Product Function $\pi_u$ is defined as
$$\pi_u(x) = \prod_{i=0}^{m-1} \pi_{u_i}(x_i).$$

2.2 Division Property

The original integral distinguishers mainly focus on the propagation of the ALL and BALANCE properties [17]. The division property, proposed by Todo at Eurocrypt 2015 [41], is a generalized integral property which traces the implicit properties between the traditional ALL and BALANCE properties. First, a set of plaintexts whose division property follows the initial division property is chosen. Then, the division property of the set of texts encrypted over one round is deduced from the propagation rules. Continuing in this way, we can trace the division property over several rounds and determine the existence of integral distinguishers. In the following, we briefly recall the definition of division property and the propagation rules for the basic operations involved in the encryption process.

Definition 2 (Division Property [41]). Let $\mathbb{X}$ be a multi-set whose elements take values from $\mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$. When the multi-set $\mathbb{X}$ has the division property $\mathcal{D}^{\ell_0, \ell_1, \ldots, \ell_{m-1}}_{\mathbb{K}}$, where $\mathbb{K}$ denotes a set of $m$-dimensional vectors whose $i$-th element takes a value between 0 and $\ell_i$, it fulfills the following conditions:
$$\bigoplus_{x \in \mathbb{X}} \pi_u(x) = \begin{cases} \text{unknown} & \text{if there is } k \in \mathbb{K} \text{ s.t. } W(u) \succeq k, \\ 0 & \text{otherwise.} \end{cases}$$

Remark 1. Note that $\ell_0, \ell_1, \ldots, \ell_{m-1}$ are restricted to 1 when we consider bit-based division property.

Propagation Rules for Division Property.

Rule 1 (Substitution [41]) Let $F$ be a function that consists of $m$ S-boxes, where the bit length and the algebraic degree of the $i$-th S-box are $\ell_i$ bits and $d_i$, respectively. The input and the output take values from $\mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$, and $\mathbb{X}$ and $\mathbb{Y}$ denote the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has division property $\mathcal{D}^{\ell_0, \ell_1, \ldots, \ell_{m-1}}_{\mathbb{K}}$, where $\mathbb{K}$ denotes a set of $m$-dimensional vectors whose $i$-th element takes a value between 0 and $\ell_i$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{\ell_0, \ell_1, \ldots, \ell_{m-1}}_{\mathbb{K}'}$, where^5
$$\mathbb{K}' = \left\{ \left( \left\lceil \frac{k_0}{d_0} \right\rceil, \left\lceil \frac{k_1}{d_1} \right\rceil, \cdots, \left\lceil \frac{k_{m-1}}{d_{m-1}} \right\rceil \right) \,\middle|\, k = (k_0, k_1, \ldots, k_{m-1}) \in \mathbb{K} \right\}.$$

Table 1: Summary of Integral Distinguishers.

Cipher        Block Size  Key Size     Round†     Length‡  log2(Data)  Balanced Bits  Reference
SHACAL-2      256         128 ∼ 512    64         12       32          1              [43]
                                                  13       32          1              [30]
                                                  17       241         7              Section 5.1
LEA           128         128/192/256  24/28/32   6        32          1              [14]
                                                  6        32          2              [36]
                                                  7        96          1              [36]
                                                  8        118         1              Section 5.1
CLEFIA        128         128/192/256  18/22/26   6        32          32             [31]
                                                  8        96          32             [31]
                                                  9        112         32             [19]
                                                  9        105         24             [29]
                                                  10       127         64             Section 5.2
Rijndael      192         128/192/256  12/12/14   4        24          160            [23]
                                                  4        176         192            [41]
                                                  6        160         64             Section 5.2
              256         128/192/256  14         4        24          64             [11, 23]
                                                  4        232         256            [41]
                                                  6        160         64             Section 5.2
Whirlpool     512         -            10         4        64          512            [22]
                                                  5        488         512            [41]
                                                  5        384         512            Section 5.2

† the number of encryption rounds.
‡ the number of rounds covered by the distinguisher.
Rule 2 (Copy [41]) Let $F$ be a copy function, where the input $x$ takes value from $\mathbb{F}_2^n$ and the output is calculated as $(y_0, y_1) = (x, x)$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has the division property $\mathcal{D}^{n}_{\{k\}}$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{n,n}_{\mathbb{K}'}$, where
$$\mathbb{K}' = \{(k - i, i) \mid 0 \le i \le k\}.$$

^5 The same vector is not inserted twice, similarly hereinafter.
Rule 3 (XOR [41]) Let $F$ be an XOR function, where the input $(x_0, x_1)$ takes value from $\mathbb{F}_2^n \times \mathbb{F}_2^n$ and the output is calculated as $y = x_0 \oplus x_1$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has division property $\mathcal{D}^{n,n}_{\mathbb{K}}$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{n}_{\{k'\}}$, where
$$k' = \min\{k_0 + k_1 \mid (k_0, k_1) \in \mathbb{K}\}.$$
Here, if $k'$ is larger than $n$, the propagation characteristic of division property is aborted. Namely, a value of $\bigoplus_{y \in \mathbb{Y}} \pi_v(y)$ is 0 for all $v \in \mathbb{F}_2^n$.

Rule 4 (Split [41]) Let $F$ be a split function, where the input $x$ is an element belonging to $\mathbb{F}_2^n$ and the output is calculated as $y_0 \| y_1 = x$, where $(y_0, y_1)$ takes value from $\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n - n_0}$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has the division property $\mathcal{D}^{n}_{\{k\}}$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{n_0, n - n_0}_{\mathbb{K}'}$, where
$$\mathbb{K}' = \{(k - i, i) \mid 0 \le i \le k,\ k - i \le n_0,\ i \le n - n_0\}.$$

Rule 5 (Concatenation [41]) Let $F$ be a concatenation operation, where the input $(x_0, x_1)$ takes value from $\mathbb{F}_2^{n_0} \times \mathbb{F}_2^{n_1}$ and the output is calculated as $y = x_0 \| x_1$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has the division property $\mathcal{D}^{n_0, n_1}_{\mathbb{K}}$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{n_0 + n_1}_{\{k'\}}$, where
$$k' = \min\{k_0 + k_1 \mid (k_0, k_1) \in \mathbb{K}\}.$$

The above rules are defined at the word level, while, when it comes to bit-
based division property, Copy and XOR rules can be applied, naturally. Another
important propagation rule under bit-based division property is AND, which is
stated in the following.

Rule 6 (Bit-based AND [42]) Let $F$ be an AND function, where the input $(x_0, x_1)$ takes value from $\mathbb{F}_2 \times \mathbb{F}_2$, and the output is calculated as $y = x_0 \wedge x_1$. Let $\mathbb{X}$ and $\mathbb{Y}$ be the input and output multi-sets, respectively. Assuming that $\mathbb{X}$ has division property $\mathcal{D}^{1,1}_{\mathbb{K}}$, the division property of $\mathbb{Y}$ is $\mathcal{D}^{1}_{\mathbb{K}'}$, where
$$\mathbb{K}' = \left\{ \left\lceil \frac{k_0 + k_1}{2} \right\rceil \,\middle|\, k = (k_0, k_1) \in \mathbb{K} \right\}.$$

Similar to differential/linear characteristics in differential/linear cryptanalysis, the concatenation of $r$ division properties of the internal states constitutes an $r$-round division trail, which is formally defined in the following.

Definition 3 (Division Trail [45]). Let $f$ be the round function of an iterated block cipher. Assume that the input multi-set has division property $\mathcal{D}^{\ell_0, \ell_1, \cdots, \ell_{m-1}}_{\{k\}}$, and the internal state after $i$ rounds has division property $\mathcal{D}^{\ell_0, \ell_1, \cdots, \ell_{m-1}}_{\mathbb{K}_i}$. Thus we have the following chain of division property propagations:
$$\{k\} \triangleq \mathbb{K}_0 \xrightarrow{f} \mathbb{K}_1 \xrightarrow{f} \mathbb{K}_2 \xrightarrow{f} \cdots \xrightarrow{f} \mathbb{K}_r.$$
Moreover, for any vector $k_i^* \in \mathbb{K}_i$ ($i \ge 1$), there must exist a vector $k_{i-1}^* \in \mathbb{K}_{i-1}$ such that $k_{i-1}^*$ can propagate to $k_i^*$ by propagation rules. Furthermore, for $(k_0, k_1, \ldots, k_r) \in \mathbb{K}_0 \times \mathbb{K}_1 \times \cdots \times \mathbb{K}_r$, if $k_{i-1}$ can propagate to $k_i$ for all $i \in \{1, 2, \ldots, r\}$, we call $(k_0, k_1, \ldots, k_r)$ an $r$-round division trail.

The propagation of division property round by round will eventually lead to a multi-set without integral property. The following proposition can be used to detect whether a set has integral property or not, which helps us to decide when to stop propagating.

Proposition 1 (Set without Integral Property [45]). Assume $\mathbb{X}$ is a multi-set satisfying division property $\mathcal{D}^{\ell_0, \ell_1, \cdots, \ell_{m-1}}_{\mathbb{K}}$; then $\mathbb{X}$ does not have integral property if and only if $\mathbb{K}$ contains all vectors with vectorial Hamming weight 1.

Distinguishing Attacks with Division Property.

Suppose the output division property of an integral distinguisher has the balanced property on $b$ bits. Once the sum of each of the $b$ bits is zero, the distinguisher $\mathcal{D}$ outputs ‘1’; otherwise, it outputs ‘0’. The success rate $p$ of the distinguishing attack is composed of two cases: one is that $\mathcal{D}$ outputs ‘1’ when the oracle $\mathcal{O}$ is actually the concrete cipher $F$, the other is that $\mathcal{D}$ outputs ‘0’ when $\mathcal{O}$ is a random permutation $RP$. For $F$, the balanced property holds with probability 1, while for $RP$ it holds with probability $2^{-b}$. Assuming that the oracle is $F$ or $RP$ with probability 0.5 each, it is clear that $p = 0.5 \cdot 1 + 0.5 \cdot (1 - 2^{-b}) = 1 - 2^{-b-1}$, which is 0.75 for $b = 1$ and is enough for a distinguishing attack.
In order to increase the success rate, we can repeat the distinguishing attack with different chosen-plaintext structures. For an $n$-bit cipher, suppose that the input division property requires that $t$ bits be traversed. Then, the number of times the distinguisher can be replayed is at most $2^{n-t}$. The data complexity of the distinguishing attack needs to be discussed accordingly.

2.3 SAT & SMT Problems

In computer science, the Boolean Satisfiability Problem (SAT) [6] is the problem of determining whether there exists an interpretation that satisfies a given Boolean formula. In other words, it asks whether the variables involved in a given Boolean formula can be consistently replaced by the values True or False so that the formula evaluates to True. If this is the case, the formula is called satisfiable.
The Satisfiability Modulo Theories (SMT) [2] problem is a decision problem for logical formulas expressed in classical first-order logic with equality. An SMT instance is a generalization of a SAT instance in which various sets of variables are replaced by predicates from a variety of underlying theories. SMT formulas provide a much richer modeling language than is possible with SAT formulas.
To solve SAT and SMT problems, there are many openly available solvers, and we use CryptoMiniSat^6 and STP^7, respectively. In order to search integral distinguishers efficiently, we adopt the C++ interface of CryptoMiniSat and the Python interface of STP.

3 Automatic Search of Bit-Based Division Property for ARX Ciphers

For ARX ciphers, since SAT/SMT method [18, 24, 32] is more suitable to search
for differential/linear characteristics than MILP method [10], we construct the
automatic searching tool relying on SAT instead of MILP. First, we model the di-
vision property propagations of three basic operations, i.e., Copy, AND, and XOR,
and construct formulas in Conjunctive Normal Form (CNF) for them. Then, the
model used to describe bit-based division property propagation for the modular
addition operation is constructed based on the three basic models. By setting
initial division property and stopping rule appropriately, the problem of search-
ing integral distinguishers using bit-based division property for ARX ciphers can
be converted into an SAT problem, and settled efficiently.

3.1 Models of Basic Operations at the Bit Level


We consider the division property propagations of the three basic operations
(Copy, AND and XOR) at the bit level, and the input and output are composed
of bit variables which take a value of 0 or 1. Then the division trails of each
operation correspond to vectors formed by the input and output variables. To
depict the propagations of these operations, we translate the rules in Section 2.2
into formulas in CNF, of which the solutions correspond to all the possible
division trails. More specifically, we first determine all the vectors corresponding
to division trails, and then exclude those impossible vector values by logical
formulas. We call this idea the exclusion method. By analyzing all the possible
division trails of bit-based Copy, AND and XOR operations, we construct models
to describe bit-based division property propagations for them.
Model 1 (Bit-based Copy) Denote $(a) \xrightarrow{\text{Copy}} (b_0, b_1)$ a division trail of the Copy operation; the following logical equations are sufficient to depict the propagation of bit-based division property:
$$\begin{cases} \bar{b}_0 \vee \bar{b}_1 = 1 \\ a \vee b_0 \vee \bar{b}_1 = 1 \\ a \vee \bar{b}_0 \vee b_1 = 1 \\ \bar{a} \vee b_0 \vee b_1 = 1 \end{cases}$$

^6 https://github.com/msoos/cryptominisat
^7 http://stp.github.io/
Proof: Let $(a, b_0, b_1)$ be the 3-bit vector composed of the input and output division properties. An arbitrary 3-bit vector has eight possible values, which are
$$(0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 0, 1), (1, 1, 0), (1, 1, 1).$$
When restricting to the Copy operation, there are three division trails, corresponding to the values $(0, 0, 0)$, $(1, 0, 1)$, and $(1, 1, 0)$ above. Thus, $(*, 1, 1)$, $(0, 0, 1)$, $(0, 1, 0)$, and $(1, 0, 0)$ are impossible cases required to be excluded, where $*$ can take 0 or 1.
In order to eliminate $(*, 1, 1)$, we assert $\bar{b}_0 \vee \bar{b}_1 = 1$. With this assertion, $(a, b_0, b_1)$ cannot take values of the form $(*, 1, 1)$. Then, after eliminating all impossible cases in a similar way, we obtain the set of formulas in CNF to describe the bit-based division property propagation of the Copy operation.
When it comes to bit-based AND operation, similar to the procedure for Copy
operation, we consider all the possible division trails. Denote (a0 , a1 ) the bit
variables representing the input division property of AND operation, and let b
be the bit variable standing for the output division property. Obviously, there
are four division trails for AND operation, which are (0, 0) → (0), (1, 0) → (1),
(0, 1) → (1), and (1, 1) → (1). Therefore, the set of logical equations have four
solutions corresponding to (a0 , a1 , b), i.e., (0, 0, 0), (0, 1, 1), (1, 0, 1), and (1, 1, 1).
Thus, we need to delete the impossible ones as follows.

Model 2 (Bit-based AND) Denote $(a_0, a_1) \xrightarrow{\text{AND}} (b)$ a division trail of the AND function; the following logical equations are sufficient to describe the bit-based division property propagation of the AND operation:
$$\begin{cases} \bar{a}_1 \vee b = 1 \\ a_0 \vee a_1 \vee \bar{b} = 1 \\ \bar{a}_0 \vee b = 1 \end{cases}$$

For bitwise XOR operation, only three division trails are possible, which are
(0, 0, 0), (0, 1, 1), (1, 0, 1), and the model can be constructed in a similar way.

Model 3 (Bit-based XOR) Denote $(a_0, a_1) \xrightarrow{\text{XOR}} (b)$ a division trail of the XOR function; the following logical equations are sufficient to evaluate the bit-based division property through the XOR operation:
$$\begin{cases} \bar{a}_0 \vee \bar{a}_1 = 1 \\ a_0 \vee a_1 \vee \bar{b} = 1 \\ a_0 \vee \bar{a}_1 \vee b = 1 \\ \bar{a}_0 \vee a_1 \vee b = 1 \end{cases}$$

For specific ciphers, such as HIGHT [15], TEA [44], and XTEA [26], we also
encounter cases where the number of output branches for Copy operation or
the number of input branches for XOR operation is more than 2. The exclusion
method can be generalized accordingly, and we omit it for space limitation.
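As an added example (my own code, not the paper's tool), the exclusion method of Section 3.1 carried out mechanically in Python: the valid division trails of each bit-level operation are tabulated, every other assignment is excluded by a clause, overlapping clauses are merged the way the text merges the two vectors of the form (∗, 1, 1) into a single clause, and the resulting CNF is verified by enumeration against the trail table. The helpers copy_trails and xor_trails extend the method to the multi-branch Copy and multi-input XOR the paragraph mentions; the merge-and-cover procedure used to obtain a compact clause set is my own choice, not a step the paper describes.

```python
from itertools import product

# Division trails of the three bit-level operations, as vectors (inputs..., outputs...).
# These are the trail tables behind Models 1-3 of the paper.
COPY_TRAILS = {(0, 0, 0), (1, 1, 0), (1, 0, 1)}             # (a, b0, b1)
AND_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)}   # (a0, a1, b)
XOR_TRAILS = {(0, 0, 0), (0, 1, 1), (1, 0, 1)}              # (a0, a1, b)

def copy_trails(n_out):
    """Copy with n_out branches: a 1 goes to exactly one output branch."""
    zero = (0,) * n_out
    return {(0,) + zero} | {(1,) + tuple(int(j == i) for j in range(n_out)) for i in range(n_out)}

def xor_trails(n_in):
    """XOR with n_in inputs: the output is the sum of the inputs, which must stay at most 1."""
    zero = (0,) * n_in
    return {zero + (0,)} | {tuple(int(j == i) for j in range(n_in)) + (1,) for i in range(n_in)}

def merge(t, u):
    """Merge two patterns (entries 0, 1 or '*') that differ in exactly one fixed entry."""
    diff = [i for i, (p, q) in enumerate(zip(t, u)) if p != q]
    if len(diff) == 1 and '*' not in (t[diff[0]], u[diff[0]]):
        return t[:diff[0]] + ('*',) + t[diff[0] + 1:]
    return None

def prime_patterns(vectors):
    """Repeatedly merge the impossible vectors; patterns that merge no further are kept."""
    current, primes = set(vectors), set()
    while current:
        items, merged, used = list(current), set(), set()
        for i, t in enumerate(items):
            for u in items[i + 1:]:
                m = merge(t, u)
                if m is not None:
                    merged.add(m)
                    used.update((t, u))
        primes |= current - used
        current = merged
    return primes

def covers(pattern, vector):
    return all(p == '*' or p == v for p, v in zip(pattern, vector))

def select_cover(primes, vectors):
    """Greedy set cover: keep few patterns that together still exclude every vector."""
    chosen, uncovered = [], set(vectors)
    while uncovered:
        best = max(primes, key=lambda p: sum(covers(p, v) for v in uncovered))
        chosen.append(best)
        uncovered = {v for v in uncovered if not covers(best, v)}
    return chosen

def exclusion_cnf(trails, names):
    """Exclusion method: a CNF whose solutions are exactly the given division trails.
    A clause is a list of literals; '¬x' denotes the negation of variable x."""
    impossible = {v for v in product((0, 1), repeat=len(names)) if v not in trails}
    clauses = []
    for pattern in select_cover(prime_patterns(impossible), impossible):
        # the clause that is false exactly on the assignments matching `pattern`
        clauses.append([n if p == 0 else '¬' + n for p, n in zip(pattern, names) if p != '*'])
    return clauses

def satisfies(clauses, names, assignment):
    val = dict(zip(names, assignment))
    literal = lambda l: val[l[1:]] == 0 if l.startswith('¬') else val[l] == 1
    return all(any(literal(l) for l in clause) for clause in clauses)

def solutions(clauses, names):
    """Brute-force check: every assignment that satisfies all clauses."""
    return {v for v in product((0, 1), repeat=len(names)) if satisfies(clauses, names, v)}

if __name__ == "__main__":
    for label, trails, names in [("Copy", COPY_TRAILS, ["a", "b0", "b1"]),
                                 ("AND", AND_TRAILS, ["a0", "a1", "b"]),
                                 ("XOR", XOR_TRAILS, ["a0", "a1", "b"]),
                                 ("3-way Copy", copy_trails(3), ["a", "b0", "b1", "b2"])]:
        cnf = exclusion_cnf(trails, names)
        assert solutions(cnf, names) == trails
        print(label, " ∧ ".join("(" + " ∨ ".join(c) + ")" for c in cnf))
```

Running it reproduces the clause counts of Models 1, 2 and 3 (four, three and four clauses), and the enumeration check at the end is the property a CNF model has to satisfy: its solution set must be the trail table and nothing else, which is exactly what a SAT query of the model answers for one assignment at a time.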

Table 2: Illustration of Intermediate Variables for Modular Addition Operation.

Each term of Eq. (1) is marked with the intermediate variable of Model 4 that carries its division property (underbraces mark the variables an operation consumes, overbraces the variables it produces):

$z_{n-1} = \underbrace{x_{n-1}}_{a_{n-1,0}} \oplus \underbrace{y_{n-1}}_{b_{n-1,0}}$

$z_{n-2} = \underbrace{x_{n-2}}_{a_{n-2,0}} \oplus \underbrace{y_{n-2}}_{b_{n-2,0}} \oplus \underbrace{c_{n-2}}_{g_0}, \qquad c_{n-2} = \overbrace{\underbrace{x_{n-1}}_{a_{n-1,1}}\,\underbrace{y_{n-1}}_{b_{n-1,1}}}^{v_0}$

$z_{n-3} = \underbrace{x_{n-3}}_{a_{n-3,0}} \oplus \underbrace{y_{n-3}}_{b_{n-3,0}} \oplus \underbrace{c_{n-3}}_{g_1}, \qquad \underbrace{c_{n-3}}_{w_0} = \overbrace{\underbrace{x_{n-2}}_{a_{n-2,1}}\,\underbrace{y_{n-2}}_{b_{n-2,1}}}^{v_1} \oplus \overbrace{\overbrace{(\underbrace{x_{n-2}}_{a_{n-2,2}} \oplus \underbrace{y_{n-2}}_{b_{n-2,2}})}^{m_0}\,\overbrace{c_{n-2}}^{r_0}}^{q_0}$

$z_{n-4} = \underbrace{x_{n-4}}_{a_{n-4,0}} \oplus \underbrace{y_{n-4}}_{b_{n-4,0}} \oplus \underbrace{c_{n-4}}_{g_2}, \qquad \underbrace{c_{n-4}}_{w_1} = \overbrace{\underbrace{x_{n-3}}_{a_{n-3,1}}\,\underbrace{y_{n-3}}_{b_{n-3,1}}}^{v_2} \oplus \overbrace{\overbrace{(\underbrace{x_{n-3}}_{a_{n-3,2}} \oplus \underbrace{y_{n-3}}_{b_{n-3,2}})}^{m_1}\,\overbrace{c_{n-3}}^{r_1}}^{q_1}$

$\cdots$

$z_1 = \underbrace{x_1}_{a_{1,0}} \oplus \underbrace{y_1}_{b_{1,0}} \oplus \underbrace{c_1}_{g_{n-3}}, \qquad \underbrace{c_1}_{w_{n-4}} = \overbrace{\underbrace{x_2}_{a_{2,1}}\,\underbrace{y_2}_{b_{2,1}}}^{v_{n-3}} \oplus \overbrace{\overbrace{(\underbrace{x_2}_{a_{2,2}} \oplus \underbrace{y_2}_{b_{2,2}})}^{m_{n-4}}\,\overbrace{c_2}^{r_{n-4}}}^{q_{n-4}}$

$z_0 = x_0 \oplus y_0 \oplus \underbrace{c_0}_{w_{n-3}}, \qquad c_0 = \overbrace{\underbrace{x_1}_{a_{1,1}}\,\underbrace{y_1}_{b_{1,1}}}^{v_{n-2}} \oplus \overbrace{\overbrace{(\underbrace{x_1}_{a_{1,2}} \oplus \underbrace{y_1}_{b_{1,2}})}^{m_{n-3}}\,\overbrace{c_1}^{r_{n-3}}}^{q_{n-3}}$

Let $x = (x_0, x_1, \ldots, x_{n-1})$, $y = (y_0, y_1, \ldots, y_{n-1})$, and $z = (z_0, z_1, \ldots, z_{n-1})$, which is the modular addition of $x$ and $y$, be $n$-bit vectors. Then the Boolean function of $z_i$ can be iteratively expressed as follows^8:
$$\begin{aligned} z_{n-1} &= x_{n-1} \oplus y_{n-1} \oplus c_{n-1}, & c_{n-1} &= 0, \\ z_i &= x_i \oplus y_i \oplus c_i, & c_i &= x_{i+1} \cdot y_{i+1} \oplus (x_{i+1} \oplus y_{i+1}) \cdot c_{i+1}, \quad i = n-2, n-3, \ldots, 0. \end{aligned} \qquad (1)$$

In this way, the modular addition can be decomposed into Copy, AND, and XOR
operations, and the model to depict its propagation is summarized as follows.

^8 Note that the bit positions are labeled in big-endian.

Model 4 (Modular Addition) Let $(a_0, \ldots, a_{n-1}, b_0, \ldots, b_{n-1}, d_0, \ldots, d_{n-1})$ be a division trail of the $n$-bit modular addition operation; to describe the division property propagation, the Copy, AND, and XOR models should be applied in the order
specified as follows,

$(a_{n-1}) \xrightarrow{\text{Copy}} (a_{n-1,0}, a_{n-1,1})$
$(b_{n-1}) \xrightarrow{\text{Copy}} (b_{n-1,0}, b_{n-1,1})$
$(a_{n-1,0}, b_{n-1,0}) \xrightarrow{\text{XOR}} (d_{n-1})$
$(a_{n-1,1}, b_{n-1,1}) \xrightarrow{\text{AND}} (v_0)$
$(v_0) \xrightarrow{\text{Copy}} (g_0, r_0)$
$(a_{n-2}) \xrightarrow{\text{Copy}} (a_{n-2,0}, a_{n-2,1}, a_{n-2,2})$
$(b_{n-2}) \xrightarrow{\text{Copy}} (b_{n-2,0}, b_{n-2,1}, b_{n-2,2})$

iterated for $i = 2, \ldots, n-2$:
    $(a_{n-i,0}, b_{n-i,0}, g_{i-2}) \xrightarrow{\text{XOR}} (d_{n-i})$
    $(a_{n-i,1}, b_{n-i,1}) \xrightarrow{\text{AND}} (v_{i-1})$
    $(a_{n-i,2}, b_{n-i,2}) \xrightarrow{\text{XOR}} (m_{i-2})$
    $(m_{i-2}, r_{i-2}) \xrightarrow{\text{AND}} (q_{i-2})$
    $(v_{i-1}, q_{i-2}) \xrightarrow{\text{XOR}} (w_{i-2})$
    $(w_{i-2}) \xrightarrow{\text{Copy}} (g_{i-1}, r_{i-1})$
    $(a_{n-i-1}) \xrightarrow{\text{Copy}} (a_{n-i-1,0}, a_{n-i-1,1}, a_{n-i-1,2})$
    $(b_{n-i-1}) \xrightarrow{\text{Copy}} (b_{n-i-1,0}, b_{n-i-1,1}, b_{n-i-1,2})$

$(a_{1,0}, b_{1,0}, g_{n-3}) \xrightarrow{\text{XOR}} (d_1)$
$(a_{1,1}, b_{1,1}) \xrightarrow{\text{AND}} (v_{n-2})$
$(a_{1,2}, b_{1,2}) \xrightarrow{\text{XOR}} (m_{n-3})$
$(m_{n-3}, r_{n-3}) \xrightarrow{\text{AND}} (q_{n-3})$
$(v_{n-2}, q_{n-3}) \xrightarrow{\text{XOR}} (w_{n-3})$
$(a_0, b_0, w_{n-3}) \xrightarrow{\text{XOR}} (d_0)$

where $a_{i,j}$, $b_{i,j}$, $v_i$, $m_i$, $g_i$, $r_i$, $q_i$, and $w_i$ are intermediate variables, and their usage is illustrated in Table 2. In this model, $(12n - 19)$ intermediate variables are introduced in total, which include $(3n - 4)$ $a_{i,j}$’s, $(3n - 4)$ $b_{i,j}$’s, $(n - 1)$ $v_i$’s, $(n - 2)$ $m_i$’s, $(n - 2)$ $g_i$’s, $(n - 2)$ $r_i$’s, $(n - 2)$ $q_i$’s, and $(n - 2)$ $w_i$’s.

Model 4 deals with the case where the two input branches of the modular
addition operation are variables. When it comes to the modular addition of
a variable and an unknown constant (subkey), the corresponding propagation
models can be deduced similarly as discussed in [36], and we omit it due to space
limitation.
To sum up, the bit-based division property propagations through all kinds
of basic operations in ARX ciphers are converted into sets of logical equations.
We first construct SAT model which characterizes one round bit-based division
property propagation, then an SAT problem depicting r-round division trails
can be obtained by repeating this procedure for r times.

12
3.2 Initial Division Property and Stopping Rule
We propose a ‘dynamic’ search, which can set the initial division property and stopping rule more efficiently. In the C++ interface of CryptoMiniSat, there is a function called solver(), which takes ‘assumptions’ as a parameter, so that we can adjust the ‘assumptions’ instead of the original model and invoke solver() calls to search for integral distinguishers under different initial division properties and output division properties automatically. In our model, the ‘assumptions’ are composed of two parts of logical equations: one is determined by the initial division property, and the other is deduced from the stopping rule.

Initial Division Property. Denote $(a_0, a_1, \ldots, a_{n-1})$ the variables representing the bit-based division property of the input multi-set. For example, suppose that the initial division property is $k_0 = (0, \underbrace{1, \ldots, 1}_{n-1})$. To evaluate the propagation under $k_0$, we set the first part of the assumptions by logical equations, i.e., $a_0 = 0$, $a_1 = 1$, $\ldots$, $a_{n-1} = 1$. If we want to test division property under another initial division property, only the logical equations involved in the assumptions need to be changed.

Stopping Rule. The stopping rule is formulated according to Proposition 1. When it
comes to the bit-based division property, a multi-set $\mathbb{X}$, whose elements
take values from $\mathbb{F}_2^n$, does not have integral property if and only if
its division property contains all the $n$ unit vectors. Hence, we need to check
all the $n$ unit vectors one by one. Denote $(b_0, b_1, \ldots, b_{n-1})$ the
variables representing the bit-based division property of the output multi-set
after $r$ rounds. For each $i \in \{0, 1, \ldots, n-1\}$, we set the second part of
the assumptions by $b_i = 1$ and $b_j = 0$ ($j \neq i$). Together with the initial
division property, the two parts of parameters for the solver() function are
determined, and the searching algorithm can be transformed into a SAT problem. If
it is ‘satisfiable’ for the $i$-th unit vector, the output division property
contains the $i$-th unit vector. Once it is satisfiable for every unit vector, the
output division property contains all unit vectors, the corresponding multi-set,
i.e., the outputs of the $r$-th round, does not have any integral property, the
propagation should stop, and an $(r-1)$-round distinguisher is obtained. Only if
there is at least one index $j$ such that the problem is not satisfiable for the
$j$-th unit vector do we proceed to the $(r+1)$-th round and evaluate the division
property in a similar way.
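To make the ‘assumptions’ mechanism concrete, the following is an added example
(it is not code from the paper and not CryptoMiniSat's own API) that builds the
CNF model of an r-round propagation once and then issues one query per unit
vector purely through assumption literals, as described above. It assumes a toy
8-bit Feistel round, L' = R, R' = L ⊕ ((R ∧ rotl1(R)) ⊕ rotl2(R)) on two 4-bit
halves (chosen so that the example runs in a second), encodes the Copy, AND and
XOR rules with the clause sets written in the code comments (my own derivation,
not the paper's own clause sets), and replaces CryptoMiniSat by a small DPLL
routine whose solve(clauses, assumptions) call plays the role of solver().

```python
"""Bit-based division property of a toy 8-bit Feistel round, written as CNF and
queried through solver assumptions in the spirit of Section 3.2.  Added example,
not the paper's code.  Assumptions: the toy round is L' = R, R' = L xor F(R) with
F(R) = (R & rotl1(R)) xor rotl2(R) on 4-bit halves, and a small DPLL routine
stands in for CryptoMiniSat, whose solve() call likewise takes assumptions."""


class CNF:
    """Clause store with fresh-variable allocation (DIMACS-style integer literals)."""
    def __init__(self):
        self.nvars, self.clauses = 0, []

    def new(self):
        self.nvars += 1
        return self.nvars

    def copy(self, a, m):
        """(a) -> (b_0, ..., b_{m-1}) with a = b_0 + ... + b_{m-1}."""
        bs = [self.new() for _ in range(m)]
        self.clauses.append([-a] + bs)                   # a = 1 forces some b_i = 1
        self.clauses += [[-b, a] for b in bs]            # any b_i = 1 forces a = 1
        self.clauses += [[-bs[i], -bs[j]]                # at most one b_i = 1
                         for i in range(m) for j in range(i + 1, m)]
        return bs

    def and_(self, a0, a1):
        """(a0, a1) -> (b) with b = ceil((a0 + a1) / 2), i.e. b = a0 OR a1."""
        b = self.new()
        self.clauses += [[-a0, b], [-a1, b], [-b, a0, a1]]
        return b

    def xor(self, a0, a1):
        """(a0, a1) -> (b) with b = a0 + a1; the pair (1, 1) has no trail."""
        b = self.new()
        self.clauses += [[-a0, -a1], [-a0, b], [-a1, b], [-b, a0, a1]]
        return b


def toy_round(cnf, state):
    """Append one toy round; state is a list of 8 variables (L | R)."""
    L, R = state[:4], state[4:]
    br = [cnf.copy(r, 4) for r in R]   # per R bit: (p -> new L, q -> AND, u -> AND, v -> XOR)
    new_r = []
    for j in range(4):
        t = cnf.and_(br[j][1], br[(j + 1) % 4][2])      # R[j] & rotl1(R)[j]
        w = cnf.xor(t, br[(j + 2) % 4][3])              # ... xor rotl2(R)[j]
        new_r.append(cnf.xor(L[j], w))                  # L[j] xor F(R)[j]
    return [br[j][0] for j in range(4)] + new_r


def build_model(rounds):
    """Static part of the search: the r-round propagation clauses, built once."""
    cnf = CNF()
    inp = [cnf.new() for _ in range(8)]
    out = inp
    for _ in range(rounds):
        out = toy_round(cnf, out)
    return cnf, inp, out


def solve(clauses, assumptions):
    """Tiny DPLL: True iff the clauses are satisfiable with all assumption literals true."""
    def propagate(cls, assign):
        while True:
            unit, reduced = None, []
            for cl in cls:
                live, sat = [], False
                for lit in cl:
                    v = assign.get(abs(lit))
                    if v is None:
                        live.append(lit)
                    elif v == (lit > 0):
                        sat = True
                        break
                if sat:
                    continue
                if not live:
                    return None                          # empty clause: conflict
                if len(live) == 1 and unit is None:
                    unit = live[0]
                reduced.append(live)
            if unit is None:
                return reduced
            assign[abs(unit)] = unit > 0
            cls = reduced

    def dpll(cls, assign):
        cls = propagate(cls, assign)
        if cls is None:
            return False
        if not cls:
            return True
        var = abs(cls[0][0])
        return any(dpll(cls, {**assign, var: val}) for val in (True, False))

    return dpll(clauses, {abs(l): l > 0 for l in assumptions})


def unit_vector_reachable(cnf, inp, out, k, j):
    """Dynamic part: assumptions fix the input property to k and the output to e_j."""
    assumptions = [v if bit else -v for v, bit in zip(inp, k)]
    assumptions += [v if i == j else -v for i, v in enumerate(out)]
    return solve(cnf.clauses, assumptions)


def zero_sum_bits(k, rounds):
    """Stopping rule: output bit j is zero-sum iff e_j is unreachable from k."""
    cnf, inp, out = build_model(rounds)
    return {j for j in range(8) if not unit_vector_reachable(cnf, inp, out, k, j)}


if __name__ == "__main__":
    k0 = (0, 1, 1, 1, 1, 1, 1, 1)                        # in_0 of Algorithm 1
    for r in (1, 2):
        print(f"{r} round(s): zero-sum bits {sorted(zero_sum_bits(k0, r))}")
```

The model (`build_model`) never changes between queries; only the assumption list
passed to `solve` does, which is exactly what lets a solver reuse its learnt
clauses across the n unit-vector checks. After one toy round no unit vector is
reachable from a weight-7 input (each of the four AND gates can lower the weight
by at most one), so every output bit is reported as zero-sum.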

3.3 Algorithms to Find Optimal Distinguishers


According to the discussion in the above subsections, the propagation of division
property for an ARX cipher is depicted by a system of logical equations in CNF.
Some logical formulas can be dynamically adjusted according to different initial
division properties of the input set and final division properties of the output
set, while the others, corresponding to the $r$-round propagations, remain the same.

To obtain an optimal integral distinguisher, many candidates of initial division
properties need to be tested. However, we cannot afford such computations for too
many candidates in practice.
In order to break through this difficulty, we put forward an efficient searching
approach, which is composed of two algorithms. The first one restricts the search
scope of the initial division property and detects the number of rounds of the
optimal distinguisher achieved under our model. For the instance of SHACAL-2, the
search scope is significantly reduced from 256 bits to 17 bits. The second one
detects the concrete optimal distinguishers efficiently based on the first
algorithm’s output. With these two algorithms, we drastically reduce the number of
initial division properties required to be evaluated. For example, for the
17-round distinguisher with data complexity $2^{241}$ chosen plaintexts for
SHACAL-2, which is provided in Section 5.1, the direct search requires us to test
$\sum_{i=1}^{256-241} \binom{256}{i} \approx 2^{79.24}$ initial division
properties, while in our algorithms only 410 initial division properties are
tested and the distinguisher is identified.
The design of the two algorithms is based on the embedded property below. For
different initial division properties $k_0$ and $k_1$ s.t. $k_0 \succeq k_1$,
there is no need to test $k_1$ if the output multi-set under $k_0$ does not have
integral property; likewise, it is not necessary to test $k_0$ if the output
multi-set under $k_1$ has integral property.
Proposition 2 (Embedded Property). Let $E_r$ be an $r$-round iterated encryption
algorithm and $f$ the round function, which is composed only of Substitution,
Copy, XOR, Split, and Concatenation operations. Suppose that the input and the
output take values from
$\mathbb{F}_2^n = \mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$,
and that $k_0$ and $k_1$ are two initial division properties with
$W(k_0) \succeq W(k_1)$. If the output multi-set under $k_0$ does not have
integral property, then the output multi-set under $k_1$ has no integral property.
Proof: Define
$$\mathbb{S}^n_k = \{a = (a_0, a_1, \ldots, a_{m-1}) \mid W(a) \succeq W(k)\},$$
and
$$\mathbb{S}^n_K = \bigcup_{k \in K} \mathbb{S}^n_k.$$
Suppose that there are two sets $K_0$ and $K_1$ belonging to
$\mathbb{Z}^{\ell_0} \times \mathbb{Z}^{\ell_1} \times \cdots \times \mathbb{Z}^{\ell_{m-1}}$
with $\mathbb{S}^n_{K_0} \subseteq \mathbb{S}^n_{K_1}$. Let
$\mathcal{D}^n_{K_0} \xrightarrow{f} \mathcal{D}^n_{K_0'}$ and
$\mathcal{D}^n_{K_1} \xrightarrow{f} \mathcal{D}^n_{K_1'}$ stand for the division
property propagations through one round. By the definition of division property,
it is sufficient to prove that $\mathbb{S}^n_{K_0'} \subseteq \mathbb{S}^n_{K_1'}$,
which can be accomplished by proving it separately for every basic operation. We
take the substitution operation as an example; the other operations can be proved
similarly.
Now, denote $\mathcal{D}^n_{K_0} \xrightarrow{S} \mathcal{D}^n_{K_0'}$ and
$\mathcal{D}^n_{K_1} \xrightarrow{S} \mathcal{D}^n_{K_1'}$ the division property
propagations through the substitution layer, where
$\mathbb{S}^n_{K_0} \subseteq \mathbb{S}^n_{K_1}$. For every $k_0' \in K_0'$, there
exists $k_0 \in K_0$ such that $(k_0, k_0')$ constitutes a division trail of the
substitution operation. Since $\mathbb{S}^n_{K_0} \subseteq \mathbb{S}^n_{K_1}$,
there will be a $k_1 \in K_1$ with $W(k_0) \succeq W(k_1)$. By Rule 1, we have
$W(k_0') \succeq W(k_1')$, which implies that
$\mathbb{S}^n_{k_0'} \subseteq \mathbb{S}^n_{k_1'}$. Thus,
$$\mathbb{S}^n_{K_0'} = \bigcup_{k_0' \in K_0'} \mathbb{S}^n_{k_0'} \subseteq \bigcup_{k_1' \in K_1'} \mathbb{S}^n_{k_1'} = \mathbb{S}^n_{K_1'}.$$

Algorithm 1: Detecting the Maximum Number of Rounds & Restricting the Search
Scope. Denote the $n$ vectors with Hamming weight $n-1$ as
$in_i = (\underbrace{1, \ldots, 1}_{i}, 0, \underbrace{1, \ldots, 1}_{n-i-1})$,
$0 \leqslant i \leqslant n-1$. Let
$out_j = (\underbrace{0, \ldots, 0}_{j}, 1, \underbrace{0, \ldots, 0}_{n-j-1})$,
$0 \leqslant j \leqslant n-1$, be the $n$ unit vectors. For
$0 \leqslant i \leqslant n-1$, we evaluate the bit-based division property
propagation under the initial division property $in_i$, and check whether the
output division property of the $r$-th round contains all $n$ unit vectors, i.e.,
whether the problem is satisfiable for each $out_j$ ($0 \leqslant j \leqslant n-1$)
under the fixed $in_i$. If for all $in_i$ ($0 \leqslant i \leqslant n-1$) and
$out_j$ ($0 \leqslant j \leqslant n-1$) the problem is satisfiable, we conclude
that $(r-1)$ is the maximum number of rounds based on our model. Otherwise, we
proceed to the $(r+1)$-th round and evaluate the division property in a similar
way. When the maximum number of rounds $r_m$ is determined, the index $i$ of each
$in_i$ leading to the longest distinguisher is stored in a set $S$. The output of
Algorithm 1 is the maximum number of rounds $r_m$ and an index set $S$.
Although we have detected $r_m$-round distinguishers, the data requirement to
implement the integral cryptanalysis is $2^{n-1}$. Since a distinguisher with
lower data complexity is more interesting, we proceed to Algorithm 2 to optimize
the distinguishers obtained in Algorithm 1.

Algorithm 2: Detecting the Optimal Distinguisher. Let the index set
$S = \{j_0, j_1, \ldots, j_{|S|-1}\}$ be the output of Algorithm 1. With
Proposition 2, we claim that the elements in the complementary set
$\overline{S} = \{0, 1, \ldots, n-1\} \setminus S$ of $S$ refer to the
‘necessary’ bit indexes to obtain an $r_m$-round integral distinguisher. In other
words, if any bit whose index belongs to $\overline{S}$ is set to ‘0’ in the
initial division property, the division property after $r_m$-round propagation
will have no integral property. In this sense, we call $\overline{S}$ the
necessary set, whose elements are called necessary indexes, and the corresponding
bits must be fixed to ‘1’, while $S$ is called the sufficient set, and the
elements in $S$ are called sufficient indexes.
To reduce the data complexity, we need to analyze whether the bits with
sufficient indexes can be set to ‘0’. The possibility of reducing the data
complexity lies in the size of $S$. If $|S| = 1$, there is no margin to further
reduce the data complexity, and we obtain integral distinguishers with data
complexity $2^{n-1}$ chosen plaintexts. In case of $|S| > 1$, we first set all
bits corresponding to $\overline{S}$ in the initial division property to ‘1’
while the other bits are set to ‘0’, and check whether there is a zero-sum bit
after $r_m$-round propagation. If this is indeed the case, we get an integral
distinguisher with data complexity $2^{n-|S|}$ chosen plaintexts. Otherwise, we
gradually increase the number of ‘1’s in the positions indicated by the
sufficient indexes, and check whether a zero-sum bit exists or not. The concrete
description of this procedure can be found in Algorithm 2. After executing this
algorithm, the return value will be the optimal distinguishers under our model.

Algorithm 1: Detecting the Maximum Number of Rounds & Restricting the Search Scope
Input: Objective algorithm $E$
Output: The maximum number of rounds $r_m$ of integral distinguisher, the index set $S$
 1  $r = 0$, $S = \emptyset$, $flag = 1$, $r_m = 0$;
 2  while $flag == 1$ do
 3      $r = r + 1$;
 4      $flag = 0$;
 5      for $i = 0$; $i < n$ do
 6          let the initial division property be $in_i$;
 7          for $j = 0$; $j < n$ do
 8              let the output division property be $out_j$;
 9              solve the $r$-round SAT problem under the assumptions;
10              if the problem is not satisfiable then
11                  $flag = 1$;
12                  break;
13          if $flag == 1$ then
14              break;
15  $r = r - 1$, $r_m = r$;
16  if $r_m == 0$ then
17      return $r_m$, $S$;
18  for $i = 0$; $i < n$ do
19      let the initial division property be $in_i$;
20      evaluate its division property after $r_m$-round propagation;
21      if there is a zero-sum bit then
22          $S = S \cup \{i\}$;
23          continue;
24  return $r_m$, $S$;

Remark 2. Note that Step 8 in Algorithm 2 requires us to check
$\frac{|S|!}{(|S|-t)! \cdot t!}$ different initial division properties. When $|S|$
is very large, the time taken to perform this for loop increases as $t$ grows.
But for all the ciphers analyzed in this paper, $|S|$ is not very large and the
runtime is acceptable.
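The two algorithms as an added example (not the paper's code), run on a toy 8-bit
Feistel round L' = R, R' = L ⊕ ((R ∧ rotl1(R)) ⊕ rotl2(R)) that is an assumption
of this example. The SAT solver is replaced by explicit enumeration of one-round
division trails (affordable only because the state is 8 bits), so the paper's
‘not satisfiable for $out_j$’ becomes ‘$out_j$ absent from the propagated set’.
The block runs Algorithm 1 to obtain $r_m$ and $S$, Algorithm 2 to minimise the
number of active sufficient indexes, and finally re-checks every reported
distinguisher by brute force against the toy cipher, which is the sanity check a
practitioner wants before trusting a model.

```python
"""Algorithms 1 and 2 of Section 3.3 run on a toy 8-bit Feistel cipher.
Added example, not the paper's code.  Assumptions: the toy round is L' = R,
R' = L xor ((R & rotl1(R)) xor rotl2(R)) on 4-bit halves, and the SAT solver is
replaced by explicit enumeration of division trails (cheap for 8 bits), so the
paper's "not satisfiable for e_j" becomes "e_j absent from the propagated set"."""
from functools import lru_cache
from itertools import combinations, product

N = 8  # toy state size in bits


def copy_rule(a, m):
    """(a) -> m branches whose sum equals a."""
    return [(0,) * m] if a == 0 else [tuple(int(i == j) for i in range(m)) for j in range(m)]


def and_rule(a0, a1):
    """(a0, a1) -> (b) with b = ceil((a0 + a1) / 2)."""
    return (a0 + a1 + 1) // 2


def xor_rule(a0, a1):
    """(a0, a1) -> (b) with b = a0 + a1; None for (1, 1), which has no trail."""
    return a0 + a1 if a0 + a1 <= 1 else None


@lru_cache(maxsize=None)
def one_round_trails(k):
    """All k' with a one-round division trail k -> k' through the toy round."""
    L, R = k[:4], k[4:]
    outs = set()
    for br in product(*(copy_rule(a, 4) for a in R)):   # br[j] = (p, q, u, v) of R[j]
        new_r = []
        for j in range(4):
            t = and_rule(br[j][1], br[(j + 1) % 4][2])  # R[j] & rotl1(R)[j]
            w = xor_rule(t, br[(j + 2) % 4][3])         # ... xor rotl2(R)[j]
            nr = None if w is None else xor_rule(L[j], w)
            if nr is None:
                break
            new_r.append(nr)
        else:
            outs.add(tuple(br[j][0] for j in range(4)) + tuple(new_r))
    return outs


@lru_cache(maxsize=None)
def propagate(k, rounds):
    """Vectors reachable from k by `rounds`-round division trails (memoised)."""
    if rounds == 0:
        return frozenset([k])
    return frozenset().union(*(propagate(v, rounds - 1) for v in one_round_trails(k)))


def unit(j):
    """The unit vector out_j."""
    return tuple(int(i == j) for i in range(N))


def in_vec(i):
    """in_i of Algorithm 1: all ones except position i."""
    return tuple(int(b != i) for b in range(N))


def zero_sum_bits(k, rounds):
    """Stopping rule: bit j is zero-sum iff the unit vector e_j is unreachable."""
    ks = propagate(k, rounds)
    return {j for j in range(N) if unit(j) not in ks}


def algorithm1(max_rounds=32):
    """Maximum number of rounds r_m and the sufficient set S (max_rounds is a safety cap)."""
    rm = 0
    while rm < max_rounds and any(zero_sum_bits(in_vec(i), rm + 1) for i in range(N)):
        rm += 1
    S = {i for i in range(N) if zero_sum_bits(in_vec(i), rm)} if rm else set()
    return rm, S


def algorithm2(rm, S):
    """Smallest number t of sufficient indexes that must stay active, with the
    resulting distinguishers as (inactive_bits, zero_sum_bits) pairs."""
    S = sorted(S)
    base = [int(i not in S) for i in range(N)]          # necessary indexes fixed to 1
    for t in range(len(S) + 1):
        found = []
        for active in combinations(S, t):
            k = tuple(1 if i in active else base[i] for i in range(N))
            zs = zero_sum_bits(k, rm)
            if zs:
                found.append((set(S) - set(active), zs))
        if found:
            return t, found
    return None


def toy_encrypt(bits, rounds):
    """The toy cipher on concrete bits, used to sanity-check a distinguisher."""
    for _ in range(rounds):
        L, R = bits[:4], bits[4:]
        F = [(R[j] & R[(j + 1) % 4]) ^ R[(j + 2) % 4] for j in range(4)]
        bits = tuple(R) + tuple(L[j] ^ F[j] for j in range(4))
    return bits


def verify_distinguisher(inactive, zero_sum, rounds):
    """Fix the inactive bits to 0, encrypt every value of the active bits and
    check that each claimed zero-sum output bit XORs to 0 over the whole set."""
    active = [i for i in range(N) if i not in inactive]
    acc = [0] * N
    for vals in product((0, 1), repeat=len(active)):
        pt = [0] * N
        for i, v in zip(active, vals):
            pt[i] = v
        acc = [a ^ c for a, c in zip(acc, toy_encrypt(tuple(pt), rounds))]
    return all(acc[j] == 0 for j in zero_sum)


if __name__ == "__main__":
    rm, S = algorithm1()
    t, dists = algorithm2(rm, S)
    print(f"r_m = {rm}, sufficient set S = {sorted(S)}, t = {t}")
    for inactive, zs in dists:
        print(f"  inactive {sorted(inactive)} -> zero-sum {sorted(zs)} (data 2^{N - len(inactive)}),"
              f" verified = {verify_distinguisher(inactive, zs, rm)}")
```

Proposition 2 is what makes the loop in `algorithm2` terminate: the all-ones
vector dominates every $in_i$ with $i \in S$, so at $t = |S|$ a zero-sum bit is
guaranteed. The brute-force check in `verify_distinguisher` must always succeed,
because trail-based propagation only ever over-approximates the true division
property; a failure there would point at a wrong rule or a wrong model of the
round, not at the cipher.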

4 Automatic Search of Word-Based Division Property


When the state of the cipher is very large, such as 256 bits, and the involved
operations are very complicated, it is hard to trace the division property
propagation at the bit level. In this section, we concentrate on the efficient
automatic search of the word-based division property. First, we study how to
model division property propagations of basic operations by logical formulas at
the word level. Secondly, by the exclusion method, we construct formulas to depict
the possible propagations calculated by the Substitution rule. By setting the
initial division property and stopping rule rationally, the problem of searching
division property can be transformed into an SMT problem, which is a
generalization of SAT and can be efficiently settled with some publicly available
solvers.

4.1 Models of Basic Operations at the Word Level


We study the division property propagations of the basic operations at the word
level. Different from Section 3, the input and output are variables in
$\mathbb{F}_2^n$, and more kinds of formulas, such as inequalities, can be handled
by SMT, so that the translation from the rules introduced in Section 2.2 to
constraints is more flexible. We just list the models as follows.
Model 5 (Word-based Copy) Denote $(a) \xrightarrow{Copy} (b_0, b_1)$ a division
trail of an $n$-bit Copy function; the following constraints are sufficient to
describe the division property propagation of the Copy operation:
$$\begin{cases} a \leqslant n \\ b_0 \leqslant n \\ b_1 \leqslant n \\ a = b_0 + b_1 \end{cases}.$$
Model 6 (Word-based XOR) Denote $(a_0, a_1) \xrightarrow{XOR} (b)$ a division
trail of the $n$-bit XOR operation; the following constraints are sufficient to
depict the division property propagation of the XOR operation:
$$\begin{cases} a_0 \leqslant n \\ a_1 \leqslant n \\ b \leqslant n \\ a_0 + a_1 = b \end{cases}.$$

Model 7 (Split) Let $F$ be the split function in Rule 4. Denote
$(a) \xrightarrow{F} (b_0, b_1)$ a division trail of $F$; the following
constraints are sufficient to describe the division property propagation of the
Split operation:
$$\begin{cases} a \leqslant n \\ b_0 \leqslant n_0 \\ b_1 \leqslant n - n_0 \\ a = b_0 + b_1 \end{cases}.$$

Model 8 (Concatenation) Let $F$ be the concatenation function in Rule 5. Denote
$(a_0, a_1) \xrightarrow{F} (b)$ a division trail of $F$; the following
constraints are sufficient to depict the division property propagation of the
Concatenation operation:
$$\begin{cases} a_0 \leqslant n_0 \\ a_1 \leqslant n_1 \\ b \leqslant n_0 + n_1 \\ a_0 + a_1 = b \end{cases}.$$

Algorithm 2: Detecting the Optimal Distinguisher
Input: Objective algorithm $E$, the maximum number of rounds $r_m$, the sufficient set $S$
Output: A list $List$ representing optimal integral distinguishers
 1  $flag = 0$, $List = \emptyset$, $k_0 = (0, 0, \ldots, 0)$;
 2  $k_0 = 0$, $k_1 = 0$, $\ldots$, $k_{n-1} = 0$;
 3  for $i = 0$; $i < n$ do
 4      if $i \notin S$ then
 5          $k_i = 1$;
 6  $t = 0$;
 7  while $flag == 0$ do
 8      for every $t$-tuple $(i_0, i_1, \ldots, i_{t-1})$ of $S$ do
 9          for $i \in S$ do
10              if $i \in \{i_0, i_1, \ldots, i_{t-1}\}$ then
11                  $k_i = 1$;
12              else if $i \in S \setminus \{i_0, i_1, \ldots, i_{t-1}\}$ then
13                  $k_i = 0$;
14          let the initial division property be $k_0 = (k_0, k_1, \ldots, k_{n-1})$;
15          evaluate its bit-based division property after $r_m$-round propagation;
16          if there is a zero-sum bit then
17              $flag = 1$;
18              break;
19      $t = t + 1$;
20  $t = t - 1$;
21  for every $t$-tuple $(i_0, i_1, \ldots, i_{t-1})$ of $S$ do
22      $InActive = S \setminus \{i_0, i_1, \ldots, i_{t-1}\}$;
23      for $i \in S$ do
24          if $i \in \{i_0, i_1, \ldots, i_{t-1}\}$ then
25              $k_i = 1$;
26          else if $i \in S \setminus \{i_0, i_1, \ldots, i_{t-1}\}$ then
27              $k_i = 0$;
28      let the initial division property be $k_0 = (k_0, k_1, \ldots, k_{n-1})$;
29      evaluate its bit-based division property after $r_m$-round propagation;
30      $ZeroSum = \emptyset$;
31      for $i = 0$; $i < n$ do
32          if the $i$-th output bit satisfies the zero-sum property then
33              $ZeroSum = ZeroSum \cup \{i\}$;
34      if $ZeroSum \neq \emptyset$ then
35          $List = List \cup \{InActive, ZeroSum\}$;
36  return $List$;
Many ciphers take Maximum Distance Separable (MDS) matrices over a finite field
as linear mappings, such as the MixColumn operation of AES [28]. Todo [41]
proposed a dedicated function called Partition to handle the division property
propagation through the MixColumn operation. We generalize it into an SMT model
in order to deal with some ciphers involving MDS matrices.

Model 9 (Partition/MixColumn) Let $F(x) = M \cdot x$, where $M$ is an MDS matrix
over $(\mathbb{F}_2^m)^s$. Denote
$(a_0, a_1, \ldots, a_{s-1}) \xrightarrow{F} (b_0, b_1, \ldots, b_{s-1})$ a
division trail; the following constraints are sufficient to propagate the
division property:
$$\begin{cases} a_i \leqslant m, \quad i = 0, 1, \ldots, s-1 \\ b_j \leqslant m, \quad j = 0, 1, \ldots, s-1 \\ a_0 + a_1 + \cdots + a_{s-1} = b_0 + b_1 + \cdots + b_{s-1} \end{cases}.$$

4.2 Modelling S-box


Since the conventional division property is propagated at the word level, we do
not need to depict the S-box precisely, and use Rule 1 instead. By Rule 1, the
output multi-set follows $\mathcal{D}^m_{\lceil k/d \rceil}$ if the input
multi-set satisfies $\mathcal{D}^m_k$ for an $m$-bit S-box with degree $d$.
Accordingly, we deduce the possible propagations for the S-box, which are
converted into an SMT model by the exclusion method mentioned in Section 3.
Model 10 (4-bit S-box with Degree 3) Denote $(x) \xrightarrow{S_{(4)}} (y)$ a
division trail of the 4-bit S-box $S_{(4)}$, whose algebraic degree is 3, where
$x = (x[0], x[1], x[2])$ and $y = (y[0], y[1], y[2])$ are supposed to be 3-bit
vectors. Then, the following constraints are sufficient to describe the
propagation of division property:
$$\begin{cases}
x \leqslant 4 \\
y \leqslant 4 \\
x[0] \vee \overline{y[0]} = 1 \\
\overline{x[0]} \vee x[1] \vee x[2] \vee y[0] = 1 \\
\overline{y[1]} = 1 \\
x[0] \vee \overline{x[1]} \vee y[0] \vee y[1] \vee y[2] = 1 \\
x[0] \vee x[1] \vee \overline{x[2]} \vee y[0] \vee y[1] \vee y[2] = 1 \\
x[0] \vee x[1] \vee x[2] \vee y[0] \vee y[1] \vee \overline{y[2]} = 1
\end{cases}.$$

Proof: Note that for a 4-bit S-box with algebraic degree 3, the possible
propagations are $(0) \xrightarrow{S_{(4)}} (0)$, $(1) \xrightarrow{S_{(4)}} (1)$,
$(2) \xrightarrow{S_{(4)}} (1)$, $(3) \xrightarrow{S_{(4)}} (1)$, and
$(4) \xrightarrow{S_{(4)}} (4)$, and the natural constraints deduced from Rule 1
are $x \leqslant 4$ and $y \leqslant 4$. After adding these two natural
constraints, the number of possible combinations of
$(x[0], x[1], x[2], y[0], y[1], y[2])$ reduces to 25, which are
(0,0,0,0,0,0), (0,0,0,0,0,1), (0,0,0,0,1,0), (0,0,0,0,1,1), (0,0,0,1,0,0),
(0,0,1,0,0,0), (0,0,1,0,0,1), (0,0,1,0,1,0), (0,0,1,0,1,1), (0,0,1,1,0,0),
(0,1,0,0,0,0), (0,1,0,0,0,1), (0,1,0,0,1,0), (0,1,0,0,1,1), (0,1,0,1,0,0),
(0,1,1,0,0,0), (0,1,1,0,0,1), (0,1,1,0,1,0), (0,1,1,0,1,1), (0,1,1,1,0,0),
(1,0,0,0,0,0), (1,0,0,0,0,1), (1,0,0,0,1,0), (1,0,0,0,1,1), (1,0,0,1,0,0).
The five vectors (0,0,0,0,0,0), (0,0,1,0,0,1), (0,1,0,0,0,1), (0,1,1,0,0,1) and
(1,0,0,1,0,0), which encode the five possible propagations above, are what we
expect. After observation, $(0,*,*,1,*,*)$, $(1,0,0,0,*,*)$, $(*,*,*,*,1,*)$,
$(0,1,*,0,0,0)$, $(0,0,1,0,0,0)$ and $(0,0,0,0,0,1)$ are impossible cases, where
$*$ takes 0 or 1.
In order to eliminate $(0,*,*,1,*,*)$, we assert $x[0] \vee \overline{y[0]} = 1$.
With this assertion, $(x[0], x[1], x[2], y[0], y[1], y[2])$ cannot take values of
the form $(0,*,*,1,*,*)$. After eliminating all impossible cases one by one, we
obtain the set of logical formulas describing the division property propagation
of $S_{(4)}$.
For an 8-bit S-box with degree 7, the possible propagations are $(0) \to (0)$,
$(1) \to (1)$, $(2) \to (1)$, $(3) \to (1)$, $(4) \to (1)$, $(5) \to (1)$,
$(6) \to (1)$, $(7) \to (1)$, and $(8) \to (8)$, and the model can be constructed
in a similar way.
Model 11 (8-bit S-box with Degree 7) Denote $(x) \xrightarrow{S_{(8)}} (y)$ a
division trail of the 8-bit S-box $S_{(8)}$, whose algebraic degree is 7, where
$x = (x[0], x[1], x[2], x[3])$ and $y = (y[0], y[1], y[2], y[3])$ are supposed to
be 4-bit vectors. Then, the following constraints are sufficient to describe the
possible propagations:
$$\begin{cases}
x \leqslant 8 \\
y \leqslant 8 \\
x[0] \vee \overline{y[0]} = 1 \\
\overline{x[0]} \vee y[0] = 1 \\
y[1] = 0 \\
y[2] = 0 \\
\overline{x[3]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1 \\
\overline{x[2]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1 \\
\overline{x[1]} \vee y[0] \vee y[1] \vee y[2] \vee y[3] = 1 \\
x[0] \vee x[1] \vee x[2] \vee x[3] \vee y[0] \vee y[1] \vee y[2] \vee \overline{y[3]} = 1
\end{cases}.$$
For other types of S-boxes, the exclusion method can be applied and constraints
depicting division property propagations can be constructed similarly.
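The exclusion method as an added example (not the paper's code), generalised from
Models 10 and 11 to any bijective $m$-bit S-box of degree $d$: it lists the trails
allowed by Rule 1, enumerates the points that survive the natural bounds
$x \leqslant m$ and $y \leqslant m$, greedily merges the impossible ones into
wildcard patterns (points outside the bounds are don't-cares, exactly as in the
proof of Model 10), and emits one clause per pattern. The greedy merge is my own
choice, so the printed clauses are equivalent to, but not literally identical
with, the ones in the models; the encoding with $x[0]$ as the most significant
bit is the one the 25-combination table implies.

```python
"""Exclusion method of Section 4.2 for an S-box division-property model.
Added example, not the paper's code.  It assumes a bijective m-bit S-box of
algebraic degree d, so that (Rule 1) the only word-level division trails are
(0) -> (0), (k) -> (ceil(k/d)) for 0 < k < m, and (m) -> (m).  The generated
clauses use the paper's bit convention x[0] = most significant bit."""


def allowed_trails(m, d):
    """Possible division trails (x, y) of the S-box, as integer pairs."""
    return {(k, m if k == m else -(-k // d)) for k in range(m + 1)}


def to_bits(v, w):
    """w-bit encoding of v with index 0 holding the most significant bit."""
    return tuple((v >> (w - 1 - i)) & 1 for i in range(w))


def exclusion_patterns(m, d):
    """Greedy cover of the impossible (x, y) points by wildcard patterns."""
    w = m.bit_length()                               # bits needed to hold 0..m
    allowed = {to_bits(x, w) + to_bits(y, w) for x, y in allowed_trails(m, d)}
    bounded = {to_bits(x, w) + to_bits(y, w)        # points passing x<=m and y<=m
               for x in range(m + 1) for y in range(m + 1)}
    uncovered = bounded - allowed                    # 25 - 5 = 20 points for m=4, d=3

    def covers(pat, pt):
        return all(p == '*' or p == b for p, b in zip(pat, pt))

    def usable(pat):                                 # a pattern may never swallow an allowed point;
        return not any(covers(pat, a) for a in allowed)   # out-of-bound points are don't-cares

    patterns = []
    while uncovered:
        pat = list(min(uncovered))                   # deterministic seed point
        for i in range(2 * w):                       # widen one coordinate at a time
            trial = pat[:]
            trial[i] = '*'
            if usable(trial):
                pat = trial
        pat = tuple(pat)
        patterns.append(pat)
        uncovered = {p for p in uncovered if not covers(pat, p)}
    return w, patterns


def exclusion_clauses(m, d):
    """One clause per pattern: a literal for each fixed coordinate, negated where
    the pattern has a 1, so the clause is false exactly on the pattern's points."""
    w, patterns = exclusion_patterns(m, d)
    names = [f"x[{i}]" for i in range(w)] + [f"y[{i}]" for i in range(w)]
    clauses = [[(i, p == 0) for i, p in enumerate(pat) if p != '*'] for pat in patterns]
    text = [" \u2228 ".join(names[i] if pos else "\u00ac" + names[i] for i, pos in cl) + " = 1"
            for cl in clauses]
    return w, clauses, text


def model_solutions(m, d):
    """Trails admitted by the generated clauses together with x<=m and y<=m."""
    w, clauses, _ = exclusion_clauses(m, d)

    def satisfied(pt):
        return all(any(pt[i] == (1 if pos else 0) for i, pos in cl) for cl in clauses)

    return {(x, y) for x in range(m + 1) for y in range(m + 1)
            if satisfied(to_bits(x, w) + to_bits(y, w))}


if __name__ == "__main__":
    for m, d in ((4, 3), (8, 7)):                    # the cases of Models 10 and 11
        _, _, text = exclusion_clauses(m, d)
        print(f"{m}-bit S-box of degree {d}: {len(text)} clauses")
        for line in text:
            print("   ", line)
```

`model_solutions` is the check that matters: whatever patterns the greedy merge
picks, the clauses together with the two natural bounds must admit exactly the
trails of Rule 1, and nothing else. Running it for (8, 7) reproduces the
nine propagations listed above for the 8-bit S-box.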

4.3 Initial Division Property and Stopping Rule


Just as in Section 3, to make the searching algorithm dynamic, the initial
division property and the stopping rule are inserted into the assumptions. In the
Python interface of STP, the function which accepts ‘assumptions’ as a parameter
is called check().

Denote $(a_0, a_1, \ldots, a_{m-1})$ the variables representing the division
property of the input multi-set. For example, suppose that the initial division
property is $k = (k_0, k_1, \ldots, k_{m-1})$. To propagate the division property
under $k$, we set the first part of the assumptions by logical formulas, i.e.,
$a_0 = k_0$, $a_1 = k_1$, $\ldots$, and $a_{m-1} = k_{m-1}$. Only the logical
formulas involved in the assumptions are required to be replaced if we want to
test the division property under another initial division property.
Restricted to the conventional division property, Proposition 1 claims that a
multi-set $\mathbb{X}$ over
$\mathbb{F}_2^n = \mathbb{F}_2^{\ell_0} \times \mathbb{F}_2^{\ell_1} \times \cdots \times \mathbb{F}_2^{\ell_{m-1}}$
does not have integral property if and only if its division property contains
all vectors with vectorial Hamming weight 1. In order to determine whether an
$r$-round integral property exists or not under a fixed initial division
property, we make $m$ check() calls to test the $m$ vectors with vectorial
Hamming weight 1. If all the corresponding SMT problems are satisfiable, the
$r$-round output set has no integral property and an $(r-1)$-round distinguisher
is obtained. Otherwise, we go on to the $(r+1)$-th round and evaluate the
division property in a similar way.

5 Applications
In this section, we provide some new distinguishers based on the searching
methods proposed in Sections 3 and 4. We first present results for some ARX
ciphers, whose integral distinguishers are obtained by evaluating the bit-based
division property, and then turn to the word-based division property of some
specific ciphers.

5.1 Bit-Based Division Properties for ARX Ciphers


Application to SHACAL-2. SHACAL-2 [13] is a 256-bit block cipher and has been
selected as one of the four block ciphers by NESSIE. Its round function is based
on the compression function of the hash function SHA-2 [27], and is iterated 64
times. SHACAL-2 supports variable key lengths up to 512 bits, yet it should not
be used with a key shorter than 128 bits. An illustration of the round function
can be found in Fig. 1, where $K^r$ and $W^r$ are the round key and round
constant, and $Maj$, $Ch$, $\Sigma_0$, and $\Sigma_1$ are defined as follows:
$$Maj(X, Y, Z) = (X \cdot Y) \oplus (X \cdot Z) \oplus (Y \cdot Z),$$
$$Ch(X, Y, Z) = (X \cdot Y) \oplus (\overline{X} \cdot Z),$$
$$\Sigma_0(X) = (X \ggg 2) \oplus (X \ggg 13) \oplus (X \ggg 22),$$
$$\Sigma_1(X) = (X \ggg 6) \oplus (X \ggg 11) \oplus (X \ggg 25).$$
Since the values of $K^r$ and $W^r$ do not influence the bit-based division
property propagation, we will not introduce them here. For more information,
please refer to [13].
Firstly, Algorithm 1 in Section 3.3 is implemented and we find that the longest
distinguisher under our model can achieve 17 rounds. At the same time, we obtain
the sufficient set $S = \{22\text{–}31, 153\text{–}159\}$. Then, for $r = 17$ and
$S$, Algorithm 2 is performed. Finally, we obtain a 17-round integral
distinguisher with data complexity $2^{241}$ chosen plaintexts, which is
Inactive Bits: $\{23\text{–}31, 154\text{–}159\}$ $\xrightarrow{17 \text{ Rounds}}$ Zero-sum Bits: $\{249\text{–}255\}$,
where the bit indexes for the input and output are labeled as 0, 1, ..., 255
from left to right, and the bit indexes are labeled in a similar way in the
remainder of this subsection. In order to identify this distinguisher, we try 256
initial division properties when implementing Algorithm 1, and
$1 + \binom{17}{1} + \binom{17}{2} = 154$ initial division properties are
evaluated when performing Algorithm 2. In total, with 410 tests under different
initial division properties, we obtain the optimal distinguisher, while
$\sum_{i=1}^{256-241} \binom{256}{i} \approx 2^{79.24}$ initial division
properties are required to be tested for the direct search instead of using
Algorithm 1 and Algorithm 2.
As far as we know, the best integral distinguisher in the literature is the
13-round one proposed in [30], and the newly obtained one covers four more
rounds.

Applications to Other ARX Ciphers. Besides SHACAL-2, many ARX ciphers are
analyzed, including LEA [14], HIGHT [15], and the SPECK family of block ciphers
[3], and we only list the results due to space limitation.
For LEA, we obtain an 8-round integral distinguisher with data complexity
$2^{118}$ chosen plaintexts, which is
Inactive Bits: $\{27\text{–}31, 59\text{–}63\}$ $\xrightarrow{8 \text{ Rounds}}$ Zero-sum Bits: $\{36\}$.
Compared with the 7-round distinguishers based on the MILP method provided in
[36], we gain one more round.
Six integral distinguishers with data complexity $2^{63}$ chosen plaintexts are
detected for HIGHT, which are
Inactive Bits: $\{14\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{6, 7\}$,
Inactive Bits: $\{15\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{6, 7\}$,
Inactive Bits: $\{31\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{7\}$,
Inactive Bits: $\{46\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{38, 39\}$,
Inactive Bits: $\{47\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{38, 39\}$,
Inactive Bits: $\{63\}$ $\xrightarrow{18 \text{ Rounds}}$ Zero-sum Bits: $\{39\}$.
Note that the third one and the last one are the same as the 18-round
distinguishers in [36], which are obtained under the MILP method, and the other
four distinguishers we identified have more zero-sum bits under the same data
requirement.
For all versions of the SPECK family of block ciphers, we obtain 6-round integral
distinguishers. The data requirements are $2^{31}$ for SPECK32, $2^{45}$ for
SPECK48, $2^{61}$ for SPECK64, $2^{93}$ for SPECK96, and $2^{125}$ for SPECK128.
All of the experiments are conducted on a server, and we use at most four
2.30GHz Intel Xeon CPU E5-2670 v3 processors. All the SAT-based experiments are
implemented with the C++ interface of CryptoMiniSat5, using at most 4 threads.
The runtimes to obtain the optimal distinguishers for SHACAL-2, LEA, and HIGHT
are 6 hours, 30 minutes, and 15 minutes, respectively, and the runtimes for all
variants of SPECK take less than 6 minutes.

Fig. 1: The Round Function of SHACAL-2. (Figure not reproduced: it shows the
eight 32-bit words $A^r, B^r, \ldots, H^r$ being updated to
$A^{r+1}, B^{r+1}, \ldots, H^{r+1}$ through $\Sigma_0$, $Maj$, $\Sigma_1$, $Ch$,
the round key $K^r$ and the round constant $W^r$.)

5.2 Word-Based Division Property for Some Specific Ciphers


Application to CLEFIA. CLEFIA [31] is a 128-bit block cipher supporting key
lengths of 128, 192, and 256 bits, and it has been adopted as one of the ISO/IEC
international standards in lightweight cryptography. The numbers of rounds are
18, 22 and 26 for 128-bit, 192-bit and 256-bit keys, respectively. The round
function follows a 4-branch Type-2 Generalized Feistel Network [48] with two
parallel F functions ($F_0$, $F_1$). The 128-bit state value can be regarded as
the concatenation of four 32-bit words, and the input of the $r$-th round is
denoted by $(X^r[0], X^r[1], X^r[2], X^r[3])$. One round of encryption is
illustrated in Fig. 2, where $RK^r[0]$ and $RK^r[1]$ denote round keys.
Aiming at searching integral distinguishers for CLEFIA as long as possible, we
first evaluate the division property under 16 initial division properties
$in_i$, $0 \leqslant i \leqslant 15$, whose $i$-th element is set to 7 and the
others are set to 8. Then, we obtain eight 10-round integral distinguishers with
data complexity $2^{127}$ chosen plaintexts. We also evaluate the division
property under another 16 initial division properties $in_i'$,
$0 \leqslant i \leqslant 15$, whose $i$-th element is set to 6 and the others are
set to 8. However, there is no integral property after 10-round propagation
under $in_i'$. Besides, 120 initial division properties with two elements being
7 and the others being 8 are also considered, and no integral property is
detected. Thus, the 10-round integral distinguishers with data complexity
$2^{127}$ chosen plaintexts are probably the best integral distinguishers using
the word-based division property. The initial division properties of these
10-round distinguishers are listed as follows.
(7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8), (8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8),
(8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8), (8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8),
(8, 8, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8), (8, 8, 8, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8),
(8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8), (8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8).
After 10-round propagation, all the 10-round distinguishers have eight zero-sum
bytes, which are labeled as $\{4\text{–}7, 12\text{–}15\}$, where the bytes are
labeled as 0, 1, ..., 15 from left to right.
To our knowledge, the longest integral distinguishers for CLEFIA cover 9 rounds
[19, 29], and these newly found distinguishers achieve one more round. With the
10-round distinguishers, we can recover the key of 13-round CLEFIA-128, one more
round than [19], where the precomputation, partial-sum technique and exhaustive
search can be adopted similarly. The data, time and memory complexities are
$2^{127}$ chosen plaintexts, $2^{120}$ encryptions and $2^{100}$ bytes,
respectively. The integral attacks for CLEFIA-192 and CLEFIA-256 can be improved
by one round, too.
Fig. 2: Round Function of CLEFIA. (Figure not reproduced: it shows the four
32-bit words $X^r[0], X^r[1], X^r[2], X^r[3]$, the two F functions built from
the S-boxes $S_0$, $S_1$ and the matrices $M_0$, $M_1$, the round keys
$RK^r[0]$, $RK^r[1]$, and the outputs $X^{r+1}[0], \ldots, X^{r+1}[3]$.)

Applications to Other Ciphers. We also implement the method in Section 4 to
search integral distinguishers for many other ciphers.
For the internal block cipher of Whirlpool [1], compared with the results given
by Todo [41], we improve the data complexities of the integral distinguishers
for different rounds, which can be found in Table 3. For Rijndael-192 and
Rijndael-256 [8], we extend the length of the distinguishers compared with the
best results proposed by Todo [41], and the experimental results can be found in
Table 3. The integral distinguishers for Whirlpool, Rijndael-192, and
Rijndael-256 are provided in Appendix A.
We also apply our automatic tool to search integral distinguishers for MISTY1,
MISTY2 [21], and KASUMI [33]. For MISTY1, we obtain the same distinguisher found
by Todo [40]. As to MISTY2, a 7-round integral distinguisher with data
complexity $2^{32}$ chosen plaintexts is found, which is the same as the best one
proposed in [34]. A 5-round integral distinguisher starting from the second
round with data complexity $2^{48}$ chosen plaintexts is obtained for KASUMI.
Compared with the best 5-round one proposed in [35] with data complexity
$2^{53}$ chosen plaintexts obtained by using the division property, our newly
found distinguisher requires less data.
Table 3: Data Requirements to Construct r-Round Integral Distinguishers.

Cipher            log2(Data)                          Reference
                  r = 3    r = 4    r = 5    r = 6
Rijndael-192        8       24       64      160      Section 5.2
                   56      176        -        -      [41]
Rijndael-256        8       16       32      160      Section 5.2
                   56      232        -        -      [41]
Whirlpool           8       56      384        -      Section 5.2
                   56      344      488        -      [41]

All the SMT-based tests are implemented in the Python interface of STP 2.0, using
a single thread. The runtimes for all the ciphers analyzed in this section take
only a few minutes.

6 Conclusion
In this paper, we propose automatic searching tools for integral distinguishers
based on the bit-based division property for ARX ciphers and on the word-based
division property. For ARX ciphers, the automatic searching tool relying on SAT
instead of MILP is constructed, since the SAT method is more suitable in the
search of ARX ciphers’ differential/linear characteristics. First, the models,
which are composed of logical formulas in CNF, to describe bit-based division
property propagations for three basic operations, i.e., Copy, AND, and XOR, are
provided by the exclusion method. Then, we give the model of the modular
addition based on the three basic models. After setting the initial division
property and stopping rule appropriately, the problem of searching integral
distinguishers using the bit-based division property for ARX ciphers can be
converted into a SAT problem. Besides, to get the optimal distinguisher, two
algorithms are proposed. The first one restricts the search scope of the initial
division property and detects the number of rounds of the optimal distinguisher
achieved under our model. The second one detects the concrete optimal
distinguishers efficiently based on the first algorithm’s output.
We realize the automatic search of the word-based division property with the SMT
method. We first show how to model division property propagations of basic
operations by logical formulas. Moreover, by the exclusion method, we construct
formulas to depict the possible propagations calculated by the Substitution
rule. By setting the initial division property and stopping rule rationally, the
problem of searching division property can be transformed into an SMT problem,
and we can efficiently search integral distinguishers with some publicly
available solvers.
As a result, we improve the previous integral distinguishers for SHACAL-2, LEA,
CLEFIA, Rijndael-192, and Rijndael-256 in terms of the number of rounds.
Moreover, the integral attacks for CLEFIA are improved by one round with the
newly obtained distinguishers.

Discussion on the superiority to the MILP method. We think it is hard to give a
comprehensive comparison between MILP and SAT, and try to reflect the efficiency
of SAT for ARX ciphers by recording the time spent on the search for the same
distinguisher with a fixed initial division property under the same computation
resources. The experimental results show that the SAT model performs better than
the MILP model. As an illustration, for the optimal distinguisher of SHACAL-2,
CryptoMiniSat returns the result after about 24 seconds, while the MILP
optimizer (Gurobi 7.0.2) takes about 44000 seconds, which is almost 1650 times
as long as the SAT solver. Thus, it seems that the SAT model is more suitable to
search division properties for ARX ciphers.
Discussion on the optimality and completeness of the search. We
confirm that the integral distinguishers are optimal under the search strategies
defined in this paper. However, we cannot guarantee the completeness. If a more
dedicated model for the modular addition is proposed, better integral distin-
guishers for ARX ciphers may be detected, which will be a future work.

Acknowledgements. The authors would like to thank the anonymous reviewers of
Asiacrypt 2017 for their helpful comments. This work was supported by the 973
Program (No. 2013CB834205), NSFC Projects (No. 61572293), Science and Technology
on Communication Security Laboratory of China (No. 9140c110207150c11050), as
well as Chinese Major Program of National Cryptography Development Foundation
(No. MMJJ20170102).


A Integral Distinguishers of Whirlpool and Rijndael

A.1 Integral Distinguishers of Whirlpool

Note that the intermediate state of the internal block cipher of Whirlpool can be represented by an 8 × 8 matrix of bytes; the indexes of the involved bytes are illustrated in Fig. 3.
Fig. 3: Indexes for Whirlpool (8 × 8 matrix of bytes, numbered row by row):

     0  1  2  3  4  5  6  7
     8  9 10 11 12 13 14 15
    16 17 18 19 20 21 22 23
    24 25 26 27 28 29 30 31
    32 33 34 35 36 37 38 39
    40 41 42 43 44 45 46 47
    48 49 50 51 52 53 54 55
    56 57 58 59 60 61 62 63

Fig. 4: Indexes for Rijndael-192 and Rijndael-256 (4 × Nb matrix of bytes, numbered column by column; the 192-bit block size uses the first six columns, indexes 0–23, and the 256-bit block size uses all eight columns, indexes 0–31):

     0  4  8 12 16 20 24 28
     1  5  9 13 17 21 25 29
     2  6 10 14 18 22 26 30
     3  7 11 15 19 23 27 31

The integral distinguishers obtained in the paper are illustrated as follows.

Active Bytes: {0} ---(3 Rounds)---> Zero-sum Bytes: {0–63},
Active Bytes: {0, 22, 29, 36, 43, 50, 57} ---(4 Rounds)---> Zero-sum Bytes: {0–63},
Active Bytes: {0–5, 8–12, 15–19, 22–26, 29–33, 36–40, 43–47, 50–55, 57–62} ---(5 Rounds)---> Zero-sum Bytes: {0–63}.

A.2 Integral Distinguishers of Rijndael


For the Rijndael family of block ciphers, the internal state can be treated as a 4 × Nb matrix of bytes, where Nb is the number of 32-bit words in the block. The indexes for the matrix are shown in Fig. 4.

The integral distinguishers for Rijndael-192 mentioned in the paper are listed as follows:

Active Bytes: {0} ---(3 Rounds)---> Zero-sum Bytes: {0–23},
Active Bytes: {0, 5, 10} ---(4 Rounds)---> Zero-sum Bytes: {16–23},
Active Bytes: {0, 4, 5, 9, 10, 14, 15, 19} ---(5 Rounds)---> Zero-sum Bytes: {12–19},
Active Bytes: {0–7, 9–12, 14–17, 19–22} ---(6 Rounds)---> Zero-sum Bytes: {0–7}.

And the distinguishers we found for Rijndael-256 are presented below:

Active Bytes: {0} ---(3 Rounds)---> Zero-sum Bytes: {0–31},
Active Bytes: {0, 5} ---(4 Rounds)---> Zero-sum Bytes: {8–11, 20–31},
Active Bytes: {0, 5, 14, 19} ---(5 Rounds)---> Zero-sum Bytes: {8–11, 24–27},
Active Bytes: {0, 3–5, 8, 9, 12–14, 16–19, 21–23, 26, 27, 30, 31} ---(6 Rounds)---> Zero-sum Bytes: {8–11, 24–27}.
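To make the lists above easy to check by hand, the following Python helper is an added example (not code from the paper or its search tool): it expands the set notation used in this appendix, places byte indexes onto the layouts of Fig. 3 and Fig. 4, and reports the chosen-plaintext data complexity 2^{8k} implied by k active bytes. The function names and the layout table are my own assumptions about how to encode the two figures.

```python
# Index layouts of Appendix A (assumed encoding of Fig. 3 and Fig. 4):
# Whirlpool numbers its 8x8 state row by row, so byte i is at (i // 8, i % 8);
# Rijndael numbers its 4 x Nb state column by column, so byte i is at (i % 4, i // 4).
LAYOUTS = {
    "whirlpool":    (8, 8, lambda i: (i // 8, i % 8)),
    "rijndael-192": (4, 6, lambda i: (i % 4, i // 4)),
    "rijndael-256": (4, 8, lambda i: (i % 4, i // 4)),
}

def parse_byte_set(text):
    """Expand '{0, 3 - 5, 8}' style notation into a sorted list of indexes.
    ASCII '-', the en dash and the Unicode minus sign all mark a range."""
    indexes = set()
    for token in text.strip().strip("{}").split(","):
        token = token.replace("\u2212", "-").replace("\u2013", "-").strip()
        if not token:
            continue
        bounds = [int(p) for p in token.split("-")]
        lo, hi = bounds[0], bounds[-1]
        indexes.update(range(lo, hi + 1))
    return sorted(indexes)

def render_state(cipher, byte_set, mark):
    """Draw the state matrix, putting `mark` on the listed bytes and '.' elsewhere."""
    rows, cols, pos = LAYOUTS[cipher]
    grid = [["."] * cols for _ in range(rows)]
    for i in byte_set:
        r, c = pos(i)
        grid[r][c] = mark
    return [" ".join(row) for row in grid]

def summarize(cipher, rounds, active_text, zero_sum_text):
    """Count active / balanced bytes of one distinguisher and validate the indexes
    against the state size; k active bytes cost 2^(8k) chosen plaintexts."""
    rows, cols, _ = LAYOUTS[cipher]
    active = parse_byte_set(active_text)
    balanced = parse_byte_set(zero_sum_text)
    for i in active + balanced:
        if not 0 <= i < rows * cols:
            raise ValueError(f"byte index {i} is outside the {rows * cols}-byte state")
    return {"rounds": rounds, "active_bytes": len(active),
            "log2_data": 8 * len(active), "balanced_bytes": len(balanced)}

if __name__ == "__main__":
    # The 6-round Rijndael-256 distinguisher from the list above.
    act = "{0, 3 - 5, 8, 9, 12 - 14, 16 - 19, 21 - 23, 26, 27, 30, 31}"
    print(summarize("rijndael-256", 6, act, "{8 - 11, 24 - 27}"))
    print("\n".join(render_state("rijndael-256", parse_byte_set(act), "A")))
```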
