Division Property: Efficient Method to Estimate Upper Bound of Algebraic Degree

We proposed the division property, which is a new method to find integral characteristics, at EUROCRYPT 2015. In this paper, we expound the division property, its effectiveness, and follow-up results. Higher-Order Differential and Integral Cryptanalyses. After the proposal of the differential cryptanalysis [1], many extended cryptanalyses have been proposed. The higher-order differential cryptanalysis is one of such extensions. The concept was first introduced by Lai [6] and the advantage over the classical differential cryptanalysis was studied by Knudsen [4]. Assuming the algebraic degree of the target block cipher Ek is upper-bounded by d for any k, the dth order differential is always constant. Then, we can distinguish the target cipher Ek as ideal block ciphers because it is unlikely that ideal block ciphers have such property, and we call this property the higher-order differential characteristics in this paper. The similar technique to the higher-order differential cryptanalysis was used as the dedicated attack against the block cipher Square [3], and the dedicated attack was later referred to the square attack. In 2002, Knudsen and Wagner formalized the square attack as the integral cryptanalysis [5]. In the integral cryptanalysis, attackers first prepare N chosen plaintexts. If the XOR of all corresponding ciphertexts is 0, we say that the cipher has an integral characteristic with N chosen plaintexts. The integral characteristic is found by evaluating the propagation of four integral properties: A, C, B, and U . Division Property. Before the introduction of the division property, it is important to understand the difference between the higher-order differential and integral cryptanalyses. Actually, we can regard both cryptanalyses as the same cryptanalysis. Nevertheless, the higher-order differential and integral characteristics are constructed by completely different methods, and either of both methods has its own advantages and disadvantages. Moreover, there are some experimental characteristics that cannot be proven by either of both methods. These observation causes significant motivation that we develop the division property. At Eurocrypt 2015, we proposed the division property, which is a novel technique to find integral (higher-order differential) characteristics [8]. This technique is the generalization of the integral property that can also exploit the algebraic degree at the same time. As a result, the division property can find integral characteristics that cannot be found by the two conventional methods. Let X be a subset whose elements take n-bit values, and assume that the set fulfills the division property D k . Then, ⊕ x∈X πu(x) is 0 and unknown when w(u) < k and w(u) ≥ k, respectively, where w(u) denotes the Hamming weight of u ∈ F2 . The division properties D n, D 2 , and D 1 correspond to the integral properties A, B, and U , respectively. Clearly, the division properties from D 3 to D n−1 are not used in the integral property. Moreover, let us consider the set S(X) whose elements are computed by applying the S-box S for elements in X. Then, if the algebraic degree of the S-box is at most d, the propagation of the division property is D k → D dk/de. The proposal paper of the division property at EUROCRYPT2015 only shows the usefulness of generic attacks against Feistel and Substitution-Permutation networks. To insist the usefulness of the division property, we applied the new technique to the cryptanalysis on full MISTY1 at CRYPTO2015 [7]. Then, many follow-up results have been reported [11, 9, 2, 10], and nowadays, new ciphers that discuss the security for the analysis using the division property in advance have been proposed.