MILP-Aided Bit-Based Division Property for ARX-Based Block Cipher

The huge time and memory complexities of utilizing bitbased division property, which was first presented by Todo and Morri at FSE 2016, bothered cryptographers for quite some time and it had been solved by Xiang et al. at ASIACRYPT 2016. They applied MILP method to search integral distinguisher based on division property, and used it to analyze six lightweight block ciphers. Later on, Sun et al. handled the feasibility of MILP-aided bit-based division property for primitives with non-bit-permutation linear layers. Although MILP-aided bit-based division property has gave many perfect results since its appearance, there still are many left problems when we want to develop its further applications. In this paper, we focus on the feasibility of MILP-aided bit-based division property for ARX-based primitive. More specifically, we consider the construction of MILP models for some components of ARX-based structure. Firstly, the Modulo model is proposed by using its iterated expression and introducing some auxiliary variables. Then, to propagate the operations of AND and OR with a constant (or a subkey), we prove that the known-region deduced by the input division property is always included in the known-region derived from the output division property, which allows us to ignore these operations. Furthermore, with its help, we also handle the Modulo operation with a constant (or a subkey). As a result, these new models are exploited to search integral distinguishers for some ARX-based block ciphers. For HIGHT and LEA, the lengths of the distinguishers both are improved by one round. Some 15-round integral distinguishers for TEA/XTEA are presented. Comparing with the existing one transformed by utilizing the equivalence between zerocorrelation and integral cryptanalysis, our newly obtained distinguishers either reduces the data requirement or increases the number of zerosum bits. Moreover, the bit-based division properties for KATAN and KTANTAN families of block ciphers are also provided.