Keywords

1 Introduction

Non-S-box-based ciphers have been proposed for the demand on lightweight cryptosystems [2, 3]. Such ciphers are superior in lightweight environments because they are implemented by logical operations and do not have a lookup table like S-boxes. In 2013, the NSA proposed a lightweight block cipher family, called the Simon family, that follows this design principle [3]. However, it is too difficult to guarantee the security against several cryptanalyses because we cannot use many useful techniques for S-box-based ciphers. Therefore, many cryptanalyses have been proposed against the Simon family, e.g., [1, 5, 6, 10, 15, 18], and the designers recently summarized cryptanalyses in [4]. In this paper, we investigate the security of non-S-box-based ciphers against integral cryptanalyses and illustrate our methods on the Simon family.

Division Property. Very recently, the division property, which is a new technique to find integral characteristics [9], was proposed in Eurocrypt 2015 [17]. The new technique permitted us to find a 6-round integral characteristic on MISTY1 in CRYPTO 2015, leading to the first complete theoretical cryptanalysis of the full MISTY1 [16]. Moreover, this technique was applied to generalized Feistel structures in [20], leading to improved integral cryptanalyses against LBlock and TWINE. The division property also proves integral characteristics on the Simon family in [17], and Simon32, 48, 64, 96, and 128 have 9-, 11-, 11-, 13-, 13-round integral characteristics, respectivelyFootnote 1. However, the round function is regarded as any function of degree 2. Therefore, we can expect that integral characteristics can be extended to more rounds if one is able to exploit the concrete structure of the round function. In fact, the experimental integral characteristic, which possibly does not work for all keys, covers 15 rounds [18], and there is a large gap between the proved characteristic and experimental one.

Table 1. Integral characteristics on Simon32
Full size table

Our Contribution. The round function of the Simon family is regarded as any function of degree 2 in [17] because we cannot decompose the round function into several sub blocks like S-boxes. However, we can decompose the round function into every bit, and we call the division property that focuses on every bit a bit-based division property.

First, we apply the conventional bit-based division property to Simon32, which is not against the definition of the division property. Therefore, we can directly use the propagation rules of the division property. As a result, the conventional bit-based division property proves that Simon32 has a 14-round integral characteristic. However, there is still a gap of one round between the proof and experiment. Namely, this means that either the experimental 15-round characteristic does not work for all keys or the conventional bit-based division property cannot find the accurate characteristic. As a result, we conclude that the conventional bit-based division property is insufficient to find the accurate characteristic. The conventional division property divides the set of \(\varvec{u}\) according to whether the parity becomes 0 or unknown [17]. However, we should divide the set of \(\varvec{u}\) according to whether the parity becomes 0, 1, or unknown because we can also exploit the fact that the parity is not only 0 but also 1. To exploit this fact, we newly introduce a variant of the bit-based division property, which divides the set of \(\varvec{u}\) into three subsets. Since the variant is completely different from the definition of the conventional division property, we show the propagation characteristic also. Finally, we apply the variant to Simon32 and show that the experimental 15-round characteristic always works for all keys. The proved characteristic is the completely same as the experimental one including the position of balanced bits. Table 1 shows the comparison of integral characteristics, where balanced and unknown bits are labeled as b and ?, respectively.

Table 2. Provable secure number of rounds for the Simon family
Full size table

Although the bit-based division property can find more accurate integral characteristics, their propagations require much time and memory complexity. When we evaluate the propagation for n-bit block ciphers, it roughly requires \(2^n\) complexity because the bit-based division property has to manage the set of n-dimensional vectors whose elements take values in \(\mathbb {F}_2\). This is feasible for Simon32 because the block length is 32 bits, but it is infeasible for other Simon family members. Therefore, we introduce a new technique, which is useful for designers but is not useful for attackers. We call this technique a lazy propagation, where we evaluate only a part of all propagations. The lazy propagation cannot find the integral characteristic, but it can evaluate the number of rounds that the bit-based division property cannot find integral characteristics even if we can evaluate the accurate propagation. Namely, the technique shows “provable security” for the integral cryptanalysis using the division property, and we expect that it becomes a useful technique for designers. Our provable security guarantees the security against only the integral cryptanalysis using the division property, and it does not always guarantee the security against all integral-like cryptanalyses. However, for Simon32, the bit-based division property can find the accurate integral characteristic. Therefore, we expect that it also finds the best integral characteristic for the other Simon family if it is feasible. Table 2 shows the number of rounds of Simon48, 64, 96, and 128, where the division property never finds integral characteristics. As a result, we expect that Simon48, 64, 96, and 128 do not have 17-, 20-, 25-, and 29-round integral characteristics, respectivelyFootnote 2. Moreover, as the comparison, Table 2 also shows the number of rounds that Simon48, 64, 96, and 128 have integral characteristics [21].

2 Preliminaries

2.1 Notations

We make the distinction between the addition of \(\mathbb {F}_2^n\) and addition of \(\mathbb {Z}\), and we use \(\oplus \) and \(+\) as the addition of \(\mathbb {F}_2^n\) and addition of \(\mathbb {Z}\), respectively. For any \(a \in \mathbb {F}_2^n\), the ith element is expressed in a[i], and the Hamming weight w(a) is calculated as \(w(a) = \sum _{i=1}^{n} a[i]\). For any \(\varvec{a} \in (\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\), the vectorial Hamming weight of \(\varvec{a}\) is defined as \(W(\varvec{a})=(w(a_1), w(a_2), \ldots , w(a_m)) \in \mathbb {Z}^m\). Moreover, for any \(\varvec{k} \in \mathbb {Z}^m\) and \(\varvec{k}' \in \mathbb {Z}^m\), we define \(\varvec{k} \succeq \varvec{k}'\) if \(k_i \ge k'_i\) for all i. Otherwise, \(\varvec{k} \nsucceq \varvec{k}'\). In this paper, we often treat the set of \(\varvec{k}\), and \(\mathbb {K}\) denotes this set. Then, let \(|\mathbb {K}|\) be the number of vectors. We simply write \(\mathbb {K} \leftarrow \varvec{k}\) when \(\mathbb {K} := \mathbb {K} \cup \{\varvec{k}\}\). Moreover, we simply write \(\mathbb {K} \mathop {\leftarrow }\limits ^\mathtt{x} \varvec{k}\), where the new \(\mathbb {K}\) computed as

$$\begin{aligned} \mathbb {K} := {\left\{ \begin{array}{ll} \mathbb {K} \cup \{\varvec{k}\} &{} \text{ if } \text{ the } \text{ original } \mathbb {K} \text{ does } \text{ not } \text{ include } \varvec{k}, \\ \mathbb {K} \setminus \{\varvec{k}\} &{} \text{ if } \text{ the } \text{ original } \mathbb {K} \text{ includes } \varvec{k}. \end{array}\right. } \end{aligned}$$

2.2 Integral Attack

The integral attack was first introduced by Daemen et al. to evaluate the security of Square [7], and then it was formalized by Knudsen and Wagner [9]. Attackers first prepare N chosen plaintexts and encrypt them R rounds. If the XOR of all encrypted texts becomes 0, we say that the cipher has an R-round integral characteristic with N chosen plaintexts. Finally, we analyze the entire cipher by using the integral characteristic. Therefore, it is very important to find integral characteristic. There are two main approaches to find integral characteristics. The first one is the propagation of the integral property [9] and the second one is based on the degree estimation [8, 11].

2.3 Division Property

The division property, which was proposed in [17], is a new method to find integral characteristics. This section briefly shows the definition and propagation rules. Please refer to [17] in detail.

Bit Product Function. The division property of a multiset is evaluated by using the bit product function defined as follows. Let \(\pi _u : \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a bit product function for any \(u \in \mathbb {F}_2^n\). Let \(x \in \mathbb {F}_2^n\) be the input, and \(\pi _u(x)\) is the AND of x[i] satisfying \(u[i]=1\), i.e., it is defined as

$$\begin{aligned} \pi _u(x) := \prod _{i=1}^{n} x[i]^{u[i]}. \end{aligned}$$

Notice that \(x[i]^1=x[i]\) and \(x[i]^0=1\). Let \(\pi _{\varvec{u}} : (\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m}) \rightarrow \mathbb {F}_2\) be a bit product function for any \({\varvec{u}} \in (\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\). Let \(\varvec{x} \in (\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\) be the input, and \(\pi _{\varvec{u}}({\varvec{x}})\) is defined as

$$\begin{aligned} \pi _{\varvec{u}}({\varvec{x}}) := \prod _{i=1}^{m} \pi _{u_i}(x_i). \end{aligned}$$

The bit product function also appears in the Algebraic Normal Form (ANF) of a Boolean function. The ANF of a Boolean function f is represented as

$$\begin{aligned} f( x ) = \bigoplus _{u \in \mathbb {F}_2^n} a_u^f \left( \prod _{i=1}^{n} x[i]^{u[i]} \right) = \bigoplus _{u \in \mathbb {F}_2^n} a_u^f \pi _{u}(x), \end{aligned}$$

where \(a_u^f \in \mathbb {F}_2\) is a constant value depending on f and u.

Definition of Division Property 

Definition 1

(Division Property [17]). Let \(\mathbb {X}\) be a multiset whose elements take a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\). When the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{{n}_1, {n}_2, \ldots , {n}_{m}}\), where \(\mathbb {K}\) denotes a set of m-dimensional vectors whose ith element takes a value between 0 and \(n_i\), it fulfils the following conditions:

$$\begin{aligned} \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x}) = {\left\{ \begin{array}{ll} unknown &{}\text{ if } \text{ there } \text{ are } \varvec{k} \in \mathbb {K} \text{ s.t. } W(\varvec{u}) \succeq \varvec{k}, \\ 0 &{}\text{ otherwise }. \end{array}\right. } \end{aligned}$$

See [17] to better understand the concept in detail, and [14] and [16] help readers understand the division property. In this paper, the division property for \((\mathbb {F}_2^n)^m\) is referred to as \(\mathcal{D}_{\mathbb {K}}^{n^m}\) for the simplicityFootnote 3. If there are \(\varvec{k} \in \mathbb {K}\) and \(\varvec{k}' \in \mathbb {K}\) satisfying \(\varvec{k} \succeq \varvec{k}'\) in the division property \(\mathcal{D}_{\mathbb {K}}^{{n}_1, {n}_2, \ldots , {n}_{m}}\), \(\varvec{k}\) can be removed from \(\mathbb {K}\) because the vector \(\varvec{k}\) is redundant.

Propagation Rules of Division Property. Some propagation rules for the division property are proven in [17], and the rules are summarized in [16] as follows.

  • Rule 1 (Substitution). Let F be a function that consists of m S-boxes, where the bit length and the algebraic degree of the ith S-box is \(n_i\) bits and \(d_i\), respectively. The input and output take a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2} \times \cdots \times \mathbb {F}_2^{n_m})\), and \(\mathbb {X}\) and \(\mathbb {Y}\) denote the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{{n}_1, {n}_2, \ldots , {n}_{m}}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{{n}_1, {n}_2, \ldots , {n}_{m}}\) as

    $$\begin{aligned} \mathbb {K}' \leftarrow \left( \left\lceil \frac{k_1}{d_1} \right\rceil , \left\lceil \frac{k_2}{d_2} \right\rceil , \ldots , \left\lceil \frac{k_m}{d_m} \right\rceil \right) ,~~\forall \varvec{k} \in \mathbb {K}. \end{aligned}$$

    Here, when the ith S-box is bijective and \(k_i=n_i\), the ith element of the propagated property becomes \(n_i\) not \(\lceil n_i/d_i \rceil \).

  • Rule 2 (Copy). Let F be a copy function, where the input x takes a value of \(\mathbb {F}_2^{n}\) and the output is calculated as \((y_1,y_2)=(x,x)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_k^n\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{n, n}\) as

    $$\begin{aligned} \mathbb {K}' \leftarrow (k-i, i),~~\mathrm{for}~0 \le i \le k. \end{aligned}$$

  • Rule 3 (Compression by XOR). Let F be a function compressed by an XOR, where the input \((x_1,x_2)\) takes a value of \((\mathbb {F}_2^{n} \times \mathbb {F}_2^{n})\) and the output is calculated as \(y=x_1\oplus x_2\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{n, n}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{k'}^{n}\) as

    $$\begin{aligned} k' = \min _{(k_1,k_2) \in \mathbb {K}}\{ k_1 + k_2\}. \end{aligned}$$

    Here, if the minimum value of \(k'\) is larger than n, the propagation characteristic of the division property is aborted. Namely, a value of \(\oplus _{y \in \mathbb {Y}} \pi _v(y)\) is 0 for all \(v \in \mathbb {F}_2^n\).

  • Rule 4 (Split). Let F be a split function, where the input x takes a value of \(\mathbb {F}_2^{n}\) and the output is calculated as \(x=y_1 \Vert y_2\), where \((y_1,y_2)\) takes a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n-n_1})\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{k}^{n}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{\mathbb {K}'}^{n_1,n-n_1}\) as

    $$\begin{aligned} \mathbb {K}' \leftarrow (k-i, i),~~ \mathrm{for}~0 \le i \le k. \end{aligned}$$

    Here, \((k-i)\) is less than or equal to \(n_1\), and i is less than or equal to \(n-n_1\).

  • Rule 5 (Concatenation). Let F be a concatenation function, where the input \((x_1,x_2)\) takes a value of \((\mathbb {F}_2^{n_1} \times \mathbb {F}_2^{n_2})\) and the output is calculated as \(y=x_1 \Vert x_2\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that the multiset \(\mathbb {X}\) has the division property \(\mathcal{D}_{\mathbb {K}}^{n_1,n_2}\), the division property of the multiset \(\mathbb {Y}\) is \(\mathcal{D}_{k'}^{n_1+n_2}\) as

    $$\begin{aligned} k' = \min _{(k_1,k_2) \in \mathbb {K}}\{ k_1 + k_2\}. \end{aligned}$$

2.4 Simon Family

The Simon family is a lightweight block cipher family [3] based on the Feistel construction. Let Simon2n be the Simon block ciphers with 2n-bit block length, where n is chosen from 16, 24, 32, 48, and 64. Moreover, Simon2n with mn-bit secret key is referred to as Simon2n / mn. Since we only care about integral characteristics on the Simon family, this paper only uses Simon2n.

Fig. 1.
figure 1

Round function of Simon2n

Full size image

The output of the ith round function is denoted by \((L_i, R_i)\) and is calculated as

$$\begin{aligned} (L_{i}, R_{i}) = (L_{i-1}^{\lll 1} \wedge L_{i-1}^{\lll 8}) \oplus L_{i-1}^{\lll 2} \oplus R_{i-1} \oplus k_i, L_{i-1}), \end{aligned}$$

where \(L^{\lll j}\) denotes the j-bit left rotation of L, and \(k_i\) denotes the ith round key. Moreover, \((L_0, R_0)\) denotes a plaintext. The round function consists of and, rotation, and xor, and Fig. 1 shows the round function. For more details, please refer to [3].

2.5 Known Integral Characteristic on Simon Family

It is difficult to find effective integral characteristics on ciphers which consist of and, rotation, and xor. In [18], authors experimentally showed that Simon32 has the 15-round integral characteristic with \(2^{31}\) chosen plaintexts. Since their characteristic is confirmed under \(2^{13}\) secret keys, they expected that the success probability of this characteristic is at least \(1-2^{-13}\). Therefore, this approach does not guarantee that the characteristic works for all secret keys. Moreover, it is practically infeasible to find integral characteristics of other Simon family members because the block length is too large for proceeding to an experimental evaluation.

Integral characteristics proved under all secret keys are shown in [17], but in this approach the round function of Simon2n is seen as any n-bit function of degree 2. Therefore, the detailed structure of the round function is not exploited. As a result, it shows that Simon32, 48, 64, 96, and 128 has 9-, 11-, 11-, 13-, and 13-round integral characteristic, respectively. Since the round key is XORed after the round function, we can trivially get one-round extended integral characteristics using the same technique in [18]. Therefore, 10-, 12-, 12-, 14-, and 14-round integral characteristics are proved in Simon32, 48, 64, 96, and 128, respectively. Thus, there is a 5-round gap between the proved characteristic and experimental one.

3 Conventional Bit-Based Division Property

This paper introduces a bit-based division property. When n-bit block ciphers are analyzed, the conventional division property uses \(\mathcal{D}_{\mathbb {K}}^{\ell _1, \ell _2, \ldots , \ell _m}\), where \(\ell _i\) and m are chosen by attackers in the range of \(n= \sum _{i=1}^m \ell _i\). This section considers the conventional bit-based division property, i.e., \(\mathcal{D}_{\mathbb {K}}^{1^n}\). Since it is not against the definition of the conventional division property, we can directly use the five propagation rules shown in Sect. 2.3.

Fig. 2.
figure 2

Core operation of the Simon family.

Full size image

3.1 Comparison Between Conventional Bit-Based Division Property and Solving Algebraic Equations

Before the introduction of the conventional bit-based division property, we roughly show the relation between the bit-based division property and the resolution of algebraic equations by brute force. When entire ciphers are represented by algebraic equations, such equations involve both the plaintext and secret key. Therefore, if we solve such equations for an n-bit block cipher with a k-bit secret key, this roughly requires \(2^{k+n}\) complexity. On the other hand, XORing with a constant value does not change the conventional bit-based division property because such XORing is a linear function [16]. Therefore, the propagation of the conventional bit-based division property does not involve the secret key. It may miss some useful cryptographic properties, but it dramatically reduces the complexity.

3.2 Propagation for Core Operation of Simon

As an example, we analyze Simon2n by using the conventional bit-based division property. We focus on only one bit of the right half in Simon2n. The core operation of the round function is represented by Fig. 2. Since the input and output bit length is 4 bits, we use the division property \(\mathcal{D}_{\mathbb {K}}^{1^4}\).

We consider the propagation characteristic. For instance, let assume that the input multiset has \(\mathcal{D}_{[k_1, k_2, k_3, 1]}^{1^4}\), where \(k_i\) denotes any value, i.e., 0 or 1. Then, if the multiset of \((y_1, y_2, y_3, w_5, x_4)\) has \(\mathcal{D}_{[*, *, *, 1, 1]}^{1^5}\), where \(*\) is propagated values, the propagation always abort in the XOR, \(x_4 \oplus w_5\). Consequently, the bit-based division property of \((y_1,y_2,y_3,y_4)\) is the same as that of \((x_1,x_2,x_3,x_4)\). On the other hand, assuming that the input multiset has \(\mathcal{D}_{[k_1,k_2,k_3,0]}^{1^4}\), the output property is different from the input one.

Let \(\mathcal{D}_{\mathbb {K}}^{1^4}\) and \(\mathcal{D}_{\mathbb {K'}}^{1^4}\) be the division property of the input and output, respectively. When we get \(\mathbb {K'}\) from \(\mathbb {K}\), we first independently calculate vectors belonging to \(\mathbb {K'}\) by evaluating the propagation from every vector in \(\mathbb {K}\). Then, \(\mathbb {K'}\) is represented as the union of all calculated vectors. Finally, if there are \(\varvec{k} \in \mathbb {K'}\) and \(\varvec{k}' \in \mathbb {K'}\) such that \(\varvec{k} \succeq \varvec{k}'\), \(\varvec{k}\) is removed from \(\mathbb {K'}\) because the vector is redundant.

Table 3. Propagation of the conventional bit-based division property for the core operation in the Simon family
Full size table

Table 3 summarizes the propagation characteristics from \(\mathcal{D}_{\varvec{k}}^{1^4}\) to \(\mathcal{D}_{\mathbb {K}}^{1^4}\). The round function of Simon2n repeats the core operation for all n-bit values in the right half. Therefore, we use \(\mathcal{D}_{\mathbb {K}}^{1^{2n}}\). In every core operation, we only focus on four bits and evaluate the propagation independent of other \((2n-4)\) bits.

Table 4. Size of \(\mathbb {K}\) in \(\mathcal{D}_{\mathbb {K}}^{1^{32}}\) for the integral characteristic on Simon32
Full size table

3.3 Application to Simon32

We evaluate the propagation characteristic of the conventional bit-based division property on Simon32. We prepare chosen plaintexts such that the first bit is constant and the others are active. Then, the set of chosen plaintexts has the division property \(\mathcal{D}_{\mathbb {K}}^{1^{32}}\), where \(\mathbb {K} = \{[0,1,1,\ldots , 1]\}\). Table 4 shows \(|\mathbb {K}|\), which is the number of vectors, in every round, where we perfectly remove redundant vectors from \(\mathbb {K}\). The output of the 14th round function has the division property \(\mathcal{D}_{\mathbb {K}}^{1^{32}}\), where \(\mathbb {K}\) has 32 distinct vectors whose Hamming weight is one. Therefore, the conventional bit-based division property cannot show whether or not the output of the 14th round function is balanced. On the other hand, the output of the 13th round function has the division property \(\mathcal{D}_{\mathbb {K}}^{1^{32}}\), where \(\mathbb {K}\) is represented as 16 vectors, whose Hamming weight of the left half is 1 and that of the right half is 0, and 120 \((=\genfrac(){0.0pt}1{16}{2})\) vectors, whose Hamming weight of the left half is 0 and that of the right half is 2. This division property means that the output of the 13th round function takes the following integral property

$$\begin{aligned} \text{(????,????,????,????, } \text{ bbbb,bbbb,bbbb,bbbb) }, \end{aligned}$$

where balanced and unknown bits are labeled as b and ?, respectively. In the Simon family, since round keys are XORed with the right half only after the round function is applied to the left half, we can easily get a 14-round integral characteristic from the 13-round one. The same technique is used in [18]. Therefore, we conclude that 14-round Simon32 has the integral characteristic with \(2^{31}\) chosen plaintexts.

4 Bit-Based Division Property Using Three Subsets

4.1 Motivation

The conventional bit-based division property proved the existence of the 14-round integral characteristic of Simon32. However, the experimental characteristic covers 15 rounds [18], and there is still a one-round gap between the experiment and proof. In [18], the authors experimentally confirm the characteristic by randomly choosing \(2^{13}\) secret keys. Therefore, they concluded that the success probability of the characteristic is at least \(1 - 2^{-13}\). Thus, we consider that this gap derives from either the experimental result does not work for all keys or the conventional bit-based division property cannot find the accurate characteristic.

We first show that the conventional bit-based division property is insufficient to find integral characteristics on Simon32, and we then introduce a new variant of the bit-based division property. The conventional bit-based division property focuses on that the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is 0 or unknown. On the other hand, the new variant focuses on that the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is 0, 1, or unknown. Therefore we call the new variant the bit-based division property using three subsets. The new variant can find more accurate integral characteristics and prove that the experimental characteristic shown in [18] works for all keys.

4.2 Characteristic that Conventional Bit-Based Division Property Cannot Find

The conventional division property divides the set of \(\varvec{u}\) according to whether the parity becomes 0 or unknown [17]. However, it sometimes overlooks useful characteristics. We show it by using a simple example.

We again evaluate the propagation of the conventional bit-based division property for the circuit in Fig. 2, and \(F : \mathbb {F}_2^4 \rightarrow \mathbb {F}_2^4\) denotes the circuit. Moreover, let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0]\}}^{1^4}\), \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[1,1,0,0]}(\varvec{x})\) and \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,1,0]}(\varvec{x})\) are unknown. Then, the output multiset \(\mathbb {Y}\) has \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0], [0,0,0,1]\}}^{1^4}\) from Table 3.

Let us assume that both \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[1,1,0,0]}(\varvec{x})\) and \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,1,0]}(\varvec{x})\) are 1. Even if we know the parity is always one, the division property of \(\mathbb {X}\) is \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0]\}}^{1^4}\). However, we can get the following equation.

$$\begin{aligned} \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,0,1]}(F(\varvec{x}))&= \bigoplus _{\varvec{x} \in \mathbb {X}} (x_1 x_2 \oplus x_3 \oplus x_4) \\&= \bigoplus _{\varvec{x} \in \mathbb {X}} (x_1 x_2) \bigoplus _{\varvec{x} \in \mathbb {X}} (x_3) \bigoplus _{\varvec{x} \in \mathbb {X}}(x_4) \\&= \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[1,1,0,0]}(\varvec{x}) \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,1,0]}(\varvec{x}) \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,0,1]}(\varvec{x}) \\&= 1 \oplus 1 \oplus 0 = 0. \end{aligned}$$

Therefore, \(\oplus _{\varvec{x} \in \mathbb {X}} \pi _{[0,0,0,1]}(F(\varvec{x}))\) is always 0 not unknown, and the division property of \(\mathbb {Y}\) becomes \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0], [0,1,0,1], [1,0,0,1]\}}^{1^4}\) not \(\mathcal{D}_{\{[1,1,0,0], [0,0,1,0], [0,0,0,1]\}}^{1^4}\).

Since the conventional division property focuses on the case the parity becomes 0, it cannot find characteristics that appear by cancelling like the above example. Therefore, we newly introduce a variant of the bit-based division property to exploit this fact. The variant divides the set of \(\varvec{u}\) into three subsets, i.e., 0, 1, and unknown.

4.3 Definition of Bit-Based Division Property Using Three Subsets

The conventional division property uses the set \(\mathbb {K}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown. The bit-based division property using three subsets needs to represent not only the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown but also the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is one. Therefore, we use the set \(\mathbb {K}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown, and we also use the set \(\mathbb {L}\) to represent the subset of \(\varvec{u}\) such that \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is one.

Definition 2

(Bit-based Division Property Using Three Subsets). Let \(\mathbb {X}\) be a multiset whose elements take a value of \((\mathbb {F}_2)^m\), and \(\varvec{k}\) is an m-dimensional vector whose ith element takes 0 or 1. When the multiset \(\mathbb {X}\) has the bit-based division property using three subsets \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), it fulfils the following conditions:

$$\begin{aligned} \bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x}) = {\left\{ \begin{array}{ll} \mathrm{unknown} &{}\text{ if } \text{ there } \text{ are } \varvec{k} \in \mathbb {K} \text{ s.t. } W(\varvec{u}) \succeq \varvec{k}, \\ 1 &{}\text{ else } \text{ if } \text{ there } \text{ is } \varvec{\ell }\in \mathbb {L} \text{ s.t. } W(\varvec{u}) = \varvec{\ell }, \\ 0 &{}\text{ otherwise }. \end{array}\right. } \end{aligned}$$

If there are \(\varvec{k} \in \mathbb {K}\) and \(\varvec{k}' \in \mathbb {K}\) satisfying \(\varvec{k} \succeq \varvec{k}'\), \(\varvec{k}\) can be removed from \(\mathbb {K}\) because the vector \(\varvec{k}\) is redundant. Moreover, when there is \(\varvec{k} \in \mathbb {K}\) satisfying \(W(\varvec{u}) \succeq \varvec{k}\), \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) is unknown even if there is \(\varvec{\ell }\in \mathbb {L}\) satisfying \(W(\varvec{u}) = \varvec{\ell }\). Therefore, if there are \(\varvec{\ell }\in \mathbb {L}\) and \(\varvec{k} \in \mathbb {K}\) satisfying \(\varvec{\ell }\succeq \varvec{k}\), the vector \(\varvec{\ell }\) is redundant. Notice that redundant vectors in \(\mathbb {K}\) and \(\mathbb {L}\) do not affect whether \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\) becomes 0, 1, or unknown for any \(\varvec{u}\).

Example 1

Let \(\mathbb {X}\) be a multiset whose elements take a value of \((\mathbb {F}_2)^4\). Assume the multiset \(\mathbb {X}\) has the bit-based division property \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^4}\), where \(\mathbb {K}=\{ [0,0,0,1], [0,1,1,0] \}\) and \(\mathbb {L}=\{[1,0,0,0], [1,0,1,0], [0,0,1,0], [0,0,1,1]\}\). Then, every parity satisfies the following, where the value of \(\varvec{u}\) is represented as hexadecimal notation of \((u_1\Vert u_2\Vert u_3\Vert u_4)\).

figure a

Notice that the parity of \(\pi _{[0,0,1,1]}(\varvec{x})\) over all \(\varvec{x} \in \mathbb {X}\) is unknown because there is \([0,0,0,1] \in \mathbb {K}\) and \(W([0,0,1,1]) \succeq W([0,0,0,1])\). Thus, \([0,0,1,1] \in \mathbb {L}\) is redundant.

4.4 Propagation Rules

We show propagation rules for the bit-based division property using three subsets. There rules are very similar to those of the conventional division property. Here, we show three rules, “Copy,” “Compression by AND,” and “Compression by XOR,” because any Boolean function can be evaluated by using these three rules. We omit the proof of three propagation rules in this paper because of the page limit, and please see the full version of this paper.

  • Rule 1 (Copy). Let F be a copy function, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1, x_1, x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m+1}}\), where \(\mathbb {K}'\) and \(\mathbb {L}'\) are computed as

    $$\begin{aligned} \mathbb {K}'&\leftarrow {\left\{ \begin{array}{ll} (0, 0, k_2, \ldots , k_m), &{} \text{ if } k_1=0 \\ (1, 0, k_2, \ldots , k_m), (0, 1, k_2, \ldots , k_m), &{} \text{ if } k_1=1 \end{array}\right. }, \\ \mathbb {L}'&\leftarrow {\left\{ \begin{array}{ll} (0, 0, \ell _2, \ldots , \ell _m), &{} \text{ if } \ell _1=0 \\ (1, 0, \ell _2, \ldots , \ell _m), (0, 1, \ell _2, \ldots , \ell _m), (1, 1, \ell _2, \ldots , \ell _m) &{} \text{ if } \ell _1=1 \end{array}\right. }. \end{aligned}$$

    from all \(\varvec{k} \in \mathbb {K}\) and all \(\varvec{\ell }\in \mathbb {L}\), respectively.

  • Rule 2 (Compression by AND). Let F be a function compressed by an AND, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1 \wedge x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m-1}}\), where \(\mathbb {K}'\) is computed from all \(\varvec{k} \in \mathbb {K}\) as

    $$\begin{aligned} \mathbb {K}'&\leftarrow \left( \left\lceil \frac{k_1+k_2}{2}\right\rceil , k_3, k_4, \ldots , k_m \right) . \end{aligned}$$

    Moreover, \(\mathbb {L}'\) is computed from all \(\varvec{\ell }\in \mathbb {L}\) s.t. \((\ell _1,\ell _2)=(0,0)\) or (1, 1) as

    $$\begin{aligned} \mathbb {L}'&\leftarrow \left( \left\lceil \frac{\ell _1+\ell _2}{2}\right\rceil , \ell _3, \ell _4, \ldots , \ell _m \right) . \end{aligned}$$

  • Rule 3 (Compression by XOR). Let F be a function compressed by an XOR, where the input \((x_1, x_2, \ldots , x_m)\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x_1 \oplus x_2, x_3, \ldots , x_m)\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Assuming that \(\mathbb {X}\) has \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\), \(\mathbb {Y}\) has \(\mathcal{D}_{\mathbb {K}', \mathbb {L}'}^{1^{m-1}}\), where \(\mathbb {K}'\) is computed from all \(\varvec{k} \in \mathbb {K}\) s.t. \((k_1, k_2) = (0,0)\), (1, 0), or (0, 1) as

    $$\begin{aligned} \mathbb {K}'&\leftarrow (k_1+k_2, k_3, k_4, \ldots , k_m). \end{aligned}$$

    Moreover, \(\mathbb {L'}\) is computed from all \(\varvec{\ell }\in \mathbb {L}\) s.t. \((\ell _1,\ell _2)=(0,0)\), (1, 0), or (0, 1) as

    $$\begin{aligned} \mathbb {L}'&\mathop {\leftarrow }\limits ^\mathtt{x} \left( \ell _1+\ell _2, \ell _3, \ell _4, \ldots , \ell _m \right) . \end{aligned}$$

4.5 Dependencies Between \(\mathbb {K}\) and \(\mathbb {L}\)

Propagation for Public Function. In the propagation rules shown in Sect. 4.4, \(\mathbb {K'}\) and \(\mathbb {L'}\) are computed from \(\mathbb {K}\) and \(\mathbb {L}\), respectively. Therefore, we can evaluate the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) independently. However, independent propagations generate many redundant vectors in \(\mathbb {K'}\) and \(\mathbb {L'}\). Note that redundant vectors in \(\mathbb {K'}\) and \(\mathbb {L'}\) do not affect whether the parity becomes 0, 1, or unknown for any \(\varvec{u}\). Therefore, when we consider the propagation for public functions, we do not need to care about the dependencies between \(\mathbb {K}\) and \(\mathbb {L}\). On the other hand, if there are many redundant vectors, the propagation requires much time complexity. Therefore, we should remove redundant vectors if possible because of the reason of only complexity.

XORing with Secret Round Key. For the public function, the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) are independently evaluated. However, if the secret round key is XORed, every vector in \(\mathbb {L}\) affects \(\mathbb {K}\).

Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multiset, respectively. Then, \(\varvec{y} \in \mathbb {Y}\) is computed as \(\varvec{y} = \varvec{x} \oplus \varvec{rk}\) for \(\varvec{x} \in \mathbb {X}\), where \(\varvec{rk}\) is the secret round key. Moreover, let \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^m}\) and \(\mathcal{D}_{\mathbb {K'}, \mathbb {L'}}^{1^m}\) be the bit-based division property using three subsets on \(\mathbb {X}\) and \(\mathbb {Y}\), respectively. We want to get \(\mathbb {K'}\) and \(\mathbb {L'}\) from \(\mathbb {K}\) and \(\mathbb {L}\). We cannot know the secret round key. Therefore, the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{v}}(\varvec{x} \oplus \varvec{rk})\) satisfying \(\varvec{v} \succ \varvec{\ell }\) becomes unknown because the parity depends on the secret round key.

In many ciphers, round keys are XORed with a part of entire bits. Assuming a round key is XORed with the ith bit, \(\mathbb {K'}\) is computed as

$$\begin{aligned} \mathbb {K'} \leftarrow (\ell _1, \ell _2, \ldots , \ell _i \vee 1 ,\ldots , \ell _m) \end{aligned}$$

for all \(\varvec{\ell }\in \mathbb {L}\) satisfying \(\ell _i=0\).

4.6 Propagation for Core Operation of Simon

We search for integral characteristics on Simon32 by the bit-based division property using three subsets. Similar to the conventional bit-based division property, we focus on only one bit of the right half and consider the core operation of the Simon family (see Fig. 2).

Table 5. Propagation of the bit-based division property using three subsets for the core operation in the Simon family
Full size table
Table 6. Sizes of \(\mathbb {K}\) and \(\mathbb {L}\) in \(\mathcal{D}_{\mathbb {K},\mathbb {L}}^{1^{32}}\) for the integral characteristic on Simon32
Full size table

The core operation is a public function and it does not involve any secret information. Therefore, we can evaluate the propagation from \(\mathbb {K}\) and that from \(\mathbb {L}\) independently. Table 5 summarizes the propagation characteristics from \(\mathcal{D}_{\mathbb {K}, \{\varvec{\ell }\}}^{1^4}\) to \(\mathcal{D}_{\mathbb {K'}, \mathbb {L'}}^{1^4}\), where the propagation from \(\mathbb {K}\) to \(\mathbb {K'}\) is the same as that in Table 3. Next, the propagation on the round function can be evaluated by repeating for all bits of the right half. Finally, when round keys are XORed with the right half, new vectors are generated from \(\mathbb {L}\), and the new vectors are inserted into \(\mathbb {K}\).

4.7 Application to Simon32

We evaluate the propagation characteristic of the bit-based division property using three subsets on Simon32. We prepare chosen plaintexts such that the first bit is constant and the others are active, and the set of chosen plaintexts has \(\mathcal{D}_{\{[1,1,1,\ldots ,1]\}, \{[0,1,1,\ldots ,1]\}}^{1^{32}}\).

Table 6 shows \(|\mathbb {K}|\) and \(|\mathbb {L}|\) in every round, where we perfectly remove redundant vectors from \(\mathbb {K}\) and \(\mathbb {L}\). As a result, the output of the 14th round function has \(\mathcal{D}_{\mathbb {K}, \phi }^{1^{32}}\), where vector in \(\mathbb {K}\) are represented by hexadecimal notation as

figure b

and \(\phi \) denotes the empty set. This division property means that the output of the 14th round function takes the following integral property

$$\begin{aligned} \text{(????,????,????,????, } \text{?b??,????,b???,???b) }, \end{aligned}$$

where balanced and unknown bits are labeled as b and ?, respectively. In the Simon family, we can easily get a 15-round integral characteristic from the 14-round one, and this proved integral characteristic is completely the same as the experimental one. Therefore, we conclude that the experimental characteristic is not probabilistic characteristic, and it works for all keys.

4.8 Application to Simeck32

Simeck was recently proposed in [19], and its round function is very similar to that of Simon. Let \((L_i, R_i)\) be the output of the ith round function, and it is calculated as

$$\begin{aligned} (L_{i}, R_{i}) = (L_{i-1} \wedge L_{i-1}^{\lll 5}) \oplus L_{i-1}^{\lll 1} \oplus R_{i-1} \oplus k_i, L_{i-1}). \end{aligned}$$

The rotation number is changed from (1, 8, 2) to (0,5,1). Similar to Simon, Simeck has different parameters according to the block length. Let Simeck2n be the Simeck block ciphers with 2n-bit block length, where n is chosen from 16, 24, and 32.

We also evaluated the propagation of the bit-based division property using three subsets against Simeck32. As a result, the output of the 14th round function has \(\mathcal{D}_{\mathbb {K}, \phi }^{1^{32}}\), where vectors in \(\mathbb {K}\) are represented by hexadecimal notation as

figure c

This division property means that the output of the 14th round function takes the following integral property

$$\begin{aligned} \text{(????,????,????,????, } \text{ bb??,?bb?,??bb,???b) }. \end{aligned}$$

Since round keys are XORed after the round function in Simeck, we can trivially get the 15-round integral characteristic. Here, \(2^{31}\) plaintexts are chosen as \((L_0, F(L_0) \oplus R_0)\), where the first bit of \(R_0\) is constant and the others are active.

5 Provable Security Against Integral Cryptanalysis

We introduced the bit-based division property using three subsets in Sect. 4, and we proved that this method can find more accurate integral characteristics than those found by the conventional division property. In particular, we showed that the new method can discover the tight characteristic on Simon32. However, a problem is left about the feasibility, i.e., the propagation of the division property requires much time and memory complexity. For instance, if we want to evaluate the propagation of the division property \(\mathcal{D}_{\mathbb {K}}^{n^m}\), the time and memory complexity is upper-bounded by \((n+1)^m\). Therefore, if the upper bound is too large, e.g., \((n+1)^m \gg 2^{32}\), it is difficult to evaluate the propagation Footnote 4. In the bit-based division property, the time and memory complexity is upper-bounded by \(2^n\), where n denotes the block length. Moreover, the bit-based division property using three subsets requires more complexity than that using two subsets. Therefore, we cannot apply the bit-based division property to the Simon family except for Simon32.

5.1 Provable Security for Designers

We cannot apply the bit-based division property to the Simon family except for Simon32, but we can show the “provable security” alternatively. When we design new symmetric-key primitives, we have to guarantee the security against several cryptanalyses. Provable security has been discussed in detail for differential and linear cryptanalyses [12, 13], but such tools do not exist for integral cryptanalysis.

Let \(\mathcal{D}_{\mathbb {K}_i,\mathbb {L}_i}^{1^m}\) denotes the division property of the output set of the ith round function. We want to find R-round integral characteristics. Then, for any \(\varvec{u}\) with \(w(\varvec{u})=1\), we have to evaluate that there are not \(\varvec{k} \in \mathbb {K}_R\) satisfying \(W(\varvec{u}) \succeq \varvec{k}\) and \(\varvec{\ell }\in \mathbb {L}_R\) satisfying \(W(\varvec{u}) = \varvec{\ell }\). Therefore, we have to get all vectors in \(\mathbb {K}_R\) and \(\mathbb {L}_R\), and such vectors are searched by an algorithm like breadth-first search. On the other hand, we want to show that an R-round integral characteristic cannot exist. Then, it is enough to show that \(\mathbb {K}_R\) has m distinct vectors whose Hamming weight is one, i.e., there is not balanced bits, and such vectors are searched by an algorithm like depth-first search. In our provable security, we aim to get such number of rounds efficiently, and a lazy propagation is useful to find such number of rounds.

Definition 3

(Lazy Propagation). Let \(\mathcal{D}_{\mathbb {K}_{i-1},\mathbb {L}_{i-1}}^{1^m}\) be the bit-based division property of the input set of the ith round function. The ith round function is applied, and let \(\mathcal{D}_{\bar{\mathbb {K}}_i, \bar{\mathbb {L}}_i}^{1^m}\) be the bit-based division property from the lazy propagation. Then, \(\bar{\mathbb {K}}_i\) is computed from only a part of vectors in \(\mathbb {K}_{i-1}\), and \(\bar{\mathbb {L}}_i\) always becomes the empty set \(\phi \).

The lazy propagation first removes all vectors from \(\mathbb {L}_{i-1}\). Moreover, it only evaluates the propagation from vectors with low Hamming weight in \(\mathbb {K}_{i-1}\) because such vectors are more close to unknown. Therefore, it is more efficiently evaluated than the accurate propagation.

Let us consider the meaning of the lazy propagation. Assuming the input set of the \((i-1)\)th round function has \(\mathcal{D}_{\mathbb {K}_{i-1}, \mathbb {L}_{i-1}}^{1^m}\), we get \(\mathcal{D}_{\mathbb {K}_i, \mathbb {L}_i}^{1^m}\) and \(\mathcal{D}_{\bar{\mathbb {K}}_i, \phi }^{1^m}\) by the accurate propagation and the lazy propagation, respectively. Then, the set of \(\varvec{u}\) that the parity is unknown is represented as

$$\begin{aligned} \mathbb {S}_\mathbb {K} := \left\{ \varvec{u} \in (\mathbb {F}_2)^m \mid \text{ there } \text{ are } \varvec{k} \in \mathbb {K}_i \text{ satisfying } W(\varvec{u}) \succeq \varvec{k} \right\} . \end{aligned}$$

On the other hand, \(\mathbb {S}_{\bar{\mathbb {K}}_i}\) cannot completely represent the set of \(\varvec{u}\) that the parity is unknown. However, \(\mathbb {S}_{\bar{\mathbb {K}}_i} \subseteq \mathbb {S}_{\mathbb {K}_i}\) always holds.

Next, we repeat the lazy propagation, and we assume that \(\mathcal{D}_{\bar{\mathbb {K}}_{i+1}, \phi }^{1^m}\) is propagated from \(\mathcal{D}_{\bar{\mathbb {K}}_{i}, \phi }^{1^m}\) by the lazy propagation. Similarly, assuming that \(\mathcal{D}_{\mathbb {K}_{i+1}, \mathbb {L}_{i+1}}^{1^m}\) is the division property from \(\mathcal{D}_{\mathbb {K}_{i}, \mathbb {L}_{i}}^{1^m}\) by the accurate propagation, \(\mathbb {S}_{\bar{\mathbb {K}}_{i+1}} \subseteq \mathbb {S}_{\mathbb {K}_{i+1}}\) always holds because \(\mathbb {S}_{\bar{\mathbb {K}}_{i}} \subseteq \mathbb {S}_{\mathbb {K}_{i}}\). Therefore, if the lazy propagation creates \(\mathcal{D}_{\bar{\mathbb {K}}_R, \phi }^{1^m}\), where \(\bar{\mathbb {K}}_R\) has m distinct vectors whose Hamming weight is one, the accurate propagation also creates the same m distinct vectors in the same round.

Table 7. Accurate propagations up to six rounds
Full size table
Table 8. Lazy propagation of the bit-based division property for the Simon family
Full size table

5.2 Application to Simon Family

We evaluate the lazy propagation of the bit-based division property on Simon48, Simon64, Simon96, and Simon128. Here, we only evaluate integral characteristics when they use chosen plaintexts that only one bit of the left half is constant and the other bits are active. We calculate the accurate propagation up to 6 roundsFootnote 5 Table 7 shows \(\min _w(\mathbb {L})\) and \(\min _w(\mathbb {K})\) in the accurate propagation of \(\mathcal{D}_{\mathbb {K}, \mathbb {L}}^{1^{2n}}\) up to 6 rounds, where \(\min _w(\mathbb {L})\) and \(\min _w(\mathbb {K})\) are calculated as

$$\begin{aligned} \mathrm{min}_w(\mathbb {K}) = \min _{\varvec{k} \in \mathbb {K}} \left( \sum _{i=1}^{2n} w(k_i) \right) , ~~\mathrm{min}_w(\mathbb {L}) = \max _{\varvec{\ell }\in \mathbb {L}} \left( \sum _{i=1}^{2n} w(\ell _i) \right) . \end{aligned}$$

From the 7th round function, we repeat the lazy propagation. We first remove all vectors from \(\mathbb {L}\), and then the bit-based division property is represented as \(\mathcal{D}_{\mathbb {K},\phi }^{1^{2n}}\), where \(\phi \) denotes the empty set. Moreover, we remove vectors with high Hamming weight from \(\mathbb {K}\). Table 8 shows the lazy propagation of the bit-based division property \(\mathcal{D}_{\mathbb {K}, \phi }^{1^{2n}}\), where we only store vectors \(\varvec{k} \in \mathbb {K}\) satisfying

$$\begin{aligned} \mathrm{min}_w(\mathbb {K}) \le \sum _{i=1}^{2n}w(k_i) \le \mathrm{Limit}. \end{aligned}$$

Here, \(\mathtt{u}\) means that the \(\mathbb {K}\) has 2n distinct vectors whose Hamming weight is one, and then, we simply say that the propagation reaches the unknown.

Even if there is a vector \(\varvec{k} \in \mathbb {K}\) satisfying \(\mathrm{Limit} < \sum _{i=1}^{2n}w(k_i)\), we do not evaluate the propagation from the \(\varvec{k}\). Therefore, if the propagation from the removed vector \(\varvec{k}\) immediately reaches the unknown, there is a gap between the accurate propagation and the lazy propagation. However, if the lazy propagation reaches the unknown in a specific number of rounds, the accurate propagation at least reaches the unknown in the same number of rounds. Therefore, the lazy propagation is not useful for attackers, but it guarantees the number of rounds that the bit-based division property cannot find integral characteristics.

As a result, the lazy propagation shows that 16-, 19-, 24-, and 28-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively. However, we can get \((r+1)\)-round integral characteristics from r-round integral characteristics because round keys are XORed after the round function. Therefore, we expect that 17-, 20-, 25-, and 29-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively.

5.3 Characteristics that Bit-Based Division Property Cannot Find

We consider characteristics that the bit-based division property cannot find. Our provable security supposes that all round keys are randomly and secretly chosen. However, practical ciphers generate round keys from the secret key using the key scheduling algorithm. Therefore, our provable security does not suppose integral characteristics that exploit the key scheduling algorithm.

The bit-based division property using three subsets focuses on the parity \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}}(\varvec{x})\), and divide the set of \(\varvec{u}\) into three subsets. Then, the propagation simply regard \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x}) \oplus \pi _{\varvec{u}_2}(\varvec{x})\) as unknown if either \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x})\) or \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_2}(\varvec{x})\) is unknown. For instance, if \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x}) \oplus \pi _{\varvec{u}_2}(\varvec{x})\) is always 0 or 1 although \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_1}(\varvec{x})\) and \(\bigoplus _{\varvec{x} \in \mathbb {X}} \pi _{\varvec{u}_2}(\varvec{x})\) are unknown, the bit-based division property cannot exploit such property.

6 Conclusions

The division property is a useful technique to find integral characteristics, but it has not been applied to non-S-box-based ciphers effectively. This paper focused on the bit-based division property. More precisely, this paper proposed a new variant using three subsets. The conventional bit-based division property divides the set of \(\varvec{u}\) into two subsets, but the new variant divides the set of \(\varvec{u}\) into three subsets. The bit-based division property using three subsets can prove that the experimental integral characteristic for Simon32 shown in [18] works for all keys. Moreover, we focused on the propagation of the division property. Then, we showed that the lazy propagation is useful to guarantee the security against integral cryptanalyses using the division property. As a result, we showed that 17-, 20-, 25-, and 29-round Simon48, 64, 96, and 128 probably do not have integral characteristics, respectively.