Algebraic Degree Estimation of Block Ciphers Using Randomized Algorithm; Upper-bound Integral Distinguisher

Integral attack is a powerful method to recover the secret key of block cipher by exploiting a characteristic that a set of outputs after several rounds encryption has ( integral distinguisher). Recently, Todo proposed a new algorithm to construct integral distinguisher with division property. However, the existence of integral distinguisher which holds in additional rounds can not be denied by the algorithm. On the contrary, we take an approach to obtain the number of rounds which integral distinguisher does not hold ( upper-bound integral distinguisher). The approach is based on algebraic degree estimation. We execute a random search for a term which has a degree equals the number of all inputted variables. We propose an algorithm and apply it to PRESENT and RECTANGLE. Then, we confirm that there exists no 8-round integral distinguisher in PRESENT and no 9-round integral distinguisher in RECTANGLE. From the facts, integral attack for more than 11-round and 13-round of PRESENT and RECTANGLE is infeasible, respectively.