Integral Distinguishers of the Full-Round Lightweight Block Cipher SAT_Jo

Integral cryptanalysis based on the division property is a powerful cryptanalytic method whose range of successful applications was recently extended through the use of Mixed-Integer Linear Programming (MILP). Although this technique was demonstrated to be efficient in specifying distinguishers of reduced-round versions of several families of lightweight block ciphers (such as SIMON, PRESENT, and a few others), we show that this method provides distinguishers for the full-round block cipher SAT_Jo. The SAT_Jo cipher is very similar to the well-known PRESENT block cipher, which has successfully withstood the known cryptanalytic methods. The main difference compared to PRESENT, which turns out to induce severe weaknesses in the SAT_Jo algorithm, is its different choice of substitution boxes (S-boxes) and of the bit-permutation layer, made in order to render the cipher highly resource-efficient. Even though the designers provided a security analysis of this scheme against some major generic cryptanalytic methods, an application of the bit-based division property in combination with MILP was not considered. By specifying integral distinguishers for the full-round SAT_Jo algorithm using this method, we essentially argue against its use in the intended applications. Using a 30-round distinguisher, we also describe a subkey recovery attack on the SAT_Jo algorithm whose time complexity is about $2^{66}$ encryptions (noting that SAT_Jo is designed to provide 80 bits of security). Moreover, it seems that the choice of bit-permutation induces weak division properties, since replacing the original bit-permutation of SAT_Jo by the one used in PRESENT immediately renders integral distinguishers inefficient.


Introduction
Lightweight block ciphers play an important role in providing security in various constrained environments (referring to different applications of the Internet of Things). In recent years, many resource-efficient block ciphers have been proposed, such as MIDORI [1], PICCOLO [2], MIBS [3], PRIDE [4], PRESENT [5], and LBLOCK [6]. Recently, many new lightweight cipher candidates in the second round of NIST's lightweight cryptography standardization process were also proposed [7]. However, because of restricted design rationales, certain lightweight designs sometimes fail to deliver reasonable resistance to certain cryptanalytic methods. Although designers of new schemes provide a security analysis against the well-known attacks (e.g., integral attacks [8], differential attacks [9], and linear attacks [10]), it may happen that not all attacks are taken into consideration.
In this work, we consider the lightweight block cipher SAT_Jo [11] (proposed in 2018) and search for integral distinguishers based on the division property using the MILP technique [12] introduced in [13]. Before describing the contribution of this work in more detail, we briefly summarize the development of the integral attack and the division property.
Namely, in 1997, Daemen et al. [14] proposed the square attack on the block cipher SQUARE. In 2001, Lucks et al. [15] proposed the saturation attack on the TWOFISH cipher, which generalizes the square attack. Biryukov et al. [16] introduced the multiset attack on SPN-based block ciphers. Then, in 2002, Knudsen et al. [8] proposed the so-called integral analysis, which generalizes the previous three attacks. In fact, from the point of view of Boolean functions, this attack is also closely related to the higher-order differential attack proposed in [17]. Some further versions of this attack were derived in 2008 by Z'aba et al. [18], who proposed the bit-pattern-based integral attack. It has been shown that one can derive integral distinguishers by analyzing the propagation of the integral property, where one tracks the positions of active, constant, and balanced bits. More specifically, the opponent selects a set of plaintexts having a portion of bits fixed at certain positions (called constant bits), whereas the remaining bits take all possible values and are called active. Moreover, the XOR sum of the corresponding ciphertexts is computed (alternatively, a suitable subset is considered). Now, if the XOR sum at certain positions is always 0, regardless of the choice of secret key, such bits are called balanced. On the other hand, if the XOR sum changes at some positions (depending on the secret key value), such bits are commonly called unknown. This integral property can then be used to distinguish the real encryption algorithm from a random permutation.
A further generalization of integral attacks was introduced by Todo [19] at EUROCRYPT 2015, by developing a cryptanalytic framework based on the so-called division property. Later, Todo and Morii [20] proposed the bit-based division property, which was utilized for the construction of a 15-round integral distinguisher for SIMON32 [21]. Finally, at ASIACRYPT 2016, Xiang et al. [13] proposed a method which combines the bit-based division property with a search for division trails by employing the MILP method. Consequently, this combination successfully overcomes the main issue of the bit-based division property, namely its relatively high time and memory complexity, which is bounded above by $2^n$, where $n$ is the block length. In what follows, we describe the contribution and structure of the subsequent sections.
Our contribution: in this paper, we analyze the lightweight block cipher SAT_Jo, which is built as a substitution-permutation (SP) network and processes plaintext blocks of length 64 bits through an iterative application of 31 identical rounds, using a secret key of size 80 bits. We emphasize that the designers of this algorithm provided a security evaluation [22] of the cipher by considering some main cryptanalytic tools such as differential and linear cryptanalysis, as well as the resistance against algebraic attacks. However, to the best of our knowledge, the robustness of this scheme with respect to integral attacks has not been evaluated so far.
We consider the three basic operations used in the SAT_Jo algorithm, which then give rise to a set of linear inequalities that characterize the propagation of the bit-based division property for the SAT_Jo algorithm. Similar to the analysis performed in [13], by employing the open-source Gurobi MILP solver, an automated search for integral distinguishers is performed. Most notably, this MILP solver returns an integral distinguisher for the full-round SAT_Jo algorithm within a few seconds on a standard personal computer. Consequently, the bit-permutation of the SAT_Jo algorithm (linear layer) appears not to be well designed, and its increased efficiency turns out to be traded off against lower security margins. Though our cryptanalysis does not substantially differ from the security evaluation in [13] (performed on SIMON, PRESENT, and a few more lightweight block ciphers), the results are quite dramatic due to the possibility of specifying integral distinguishers for a full-round block cipher, which is not common. Moreover, we show that an efficient subkey recovery attack, whose time complexity corresponds to $2^{66}$ encryptions, can be easily mounted using our distinguisher.
Outline of the paper: Section 2 mainly introduces notations and definitions related to the division property. In Section 3, we discuss the MILP method and propagation rules of division property. In Section 4, an MILP model for SAT_Jo algorithm is derived, and its application is summarized in Section 5. In Section 6, the conclusion is given.

Preliminaries
By $\mathbb{F}_2^n$, we denote the binary vector space of all $n$-tuples denotes the $i$-th coordinate of $x$. Throughout this work, the following definitions will be used.
Here, we have that
Definition 2 (algebraic normal form (ANF) [19]). A Boolean function $f: \mathbb{F}_2^n \rightarrow \mathbb{F}_2$ can be uniquely represented by its algebraic normal form (ANF) as where $a^f_u \in \mathbb{F}_2$ are the binary constants that depend on $u$ and specify $f$.
In 2015, Todo [19] introduced the division property (as a generalization of the integral property), which was utilized to efficiently construct integral distinguishers (mainly applicable to S-box-oriented block ciphers). This concept was later refined in [20] by introducing the bit-based division property, which applies to block ciphers that do not necessarily employ S-boxes. The following definitions capture the essence of the bit-based division property.
Definition 3 (ordering "≺"). For two binary vectors $k = (k_1, \ldots, k_n) \in \mathbb{F}_2^n$ and $k^* = (k^*_1, \ldots, k^*_n) \in \mathbb{F}_2^n$, the inequality "≺" between $k$ and $k^*$ is defined as $k \prec k^*$ if and only if
Definition 4 (bit-based division property [20]). Let $X$ be a multiset whose elements belong to the space $\mathbb{F}_2^n$. Then, $X$ is said to satisfy the division property $\mathcal{D}^{1^n}_{k^{(0)}, k^{(1)}, \ldots, k^{(q-1)}}$ if the parity of $\pi_u(x)$ over all $x \in X$ is always even. Equivalently, the following conditions must be satisfied: By $1^n$, we denote the binary all-one vector of size $n$ (i.e., $1^n = (1, 1, \ldots, 1)$), where for simplicity the all-one vector of size one will simply be denoted by $1$ instead of $1^1$. To provide more clarity about the bit-based division property, we give the following example.
is exactly equal to 0 for any $u \in \{0000, 1000, 0100, 0010, 0001, 1001, 0110, 0101\}$. In addition, the propagation rules for the bit-based division property in SPN schemes were also derived in [19, 20]. Nevertheless, since these rules are not relevant in our context, we omit their specification.
Definition 5 (division trail [13]). Let $f_r$ denote the round function of an iterated block cipher. Assume that an input multiset to the block cipher has initial division property $\mathcal{D}^{1^n}_{\{k\}}$, and denote the division property after propagating through $f_r$ for $i$ rounds by $\mathcal{D}^{1^n}_{K_i}$. Thus, we have the following chain of division property propagations: Moreover, for any vector $k^*_i \in K_i$ ($i \geq 1$), there must exist a vector $k^*_{i-1} \in K_{i-1}$ such that $k^*_{i-1}$ can propagate to $k^*_i$ by the division property propagation rules. Furthermore, for
Example 2 (Proposition 5 in [13]). Denote by $\mathcal{D}^{1^n}_{\{k\}}$ the division property of the input multiset of an iterated block cipher, and let $f_r$ be its round function. Denote also by the $r$-round propagation of the division property. Thus, the set of the last vectors in this chain of all $r$-round division trails which start with $k$ is equal to $K_r$.

A Brief Overview of the MILP Method
Many classical cryptanalytic methods can be converted into optimization problems, where the main goal is to achieve an optimal solution (minimum or maximum) of the objective function under certain constraints. Mixed-integer linear programming is a well-known optimization method also used in the field of cryptanalysis, and in particular for finding division trails in block ciphers [13, 20]. In general, the objective function can be defined as where the linear constraints (including the requirement on the variables $x_i$) are given as follows: Notice that the MILP problem can be transformed into an integer programming (IP) problem if $I = n - 1$. In particular, it has been verified that IP problems are, in general, somewhat easier to solve than MILP problems of a similar kind [12].
For our purpose, the parameters involved in the MILP method are all positive integers. An MILP model is denoted by $M$, the variables involved are denoted by $M.var$, the constraints are denoted by $M.con$, and the objective function is denoted by $M.obj$. A simple example of an MILP instance can be described as follows. The set of linear inequalities, denoted by $L$, is given by where $x, y, z \in \mathbb{Z}^+$ and the objective function is $q = x + y + 2z$. The goal is then to find the maximum value of $q$. In this example, the domain of the objective function is determined by the two inequalities and the constraint that $x, y, z \in \mathbb{Z}^+$, and then the feasible solutions of the objective function in this domain are obtained. The maximum value of $q$ is 3, and it corresponds to $(x, y, z) = (1, 0, 1)$. On the other hand, a closely related problem is to be given a set of points, say $A$, and to obtain a set of linear inequalities $L$ (using, for instance, the inequality_generator() function in the Sage software) such that all the solutions satisfying $L$ are included in the set of points $A$. For further details on how this method works, the reader is referred to Appendix A in [13], where a detailed example is elaborated. As noticed in [13], the main problem with this approach is that the number of linear inequalities returned can be quite large, which then makes the MILP instance computationally infeasible. The solution to this was provided by Sun et al. through a greedy algorithm which selects a subset of the linear inequalities in $L$ that still efficiently describes $A$ (see [23] and Algorithm 1 in [13]). Usually, the goal of an MILP problem is to quickly find a feasible (or optimal) solution to the given problem. In the context of the bit-based division property, one constructs an MILP model such that it describes the propagation trails of the integral property.
This procedure then represents an automatic search for integral distinguishers, where solutions of the MILP problem are interpreted as follows (see also [13]):
(i) Each feasible solution to the system of linear inequalities corresponds to a division trail. In other words, these feasible solutions do not contain any impossible division trail.
(ii) Conversely, each division trail must satisfy all linear inequalities in the system. That is, each division trail corresponds to a feasible solution of the linear inequality system.
Note that, in our work, the constructed MILP model will be solved by the open-source mathematical optimization software Gurobi (https://www.gurobi.com).

Bit-Based Division Property in Terms of MILP
The main reason behind the use of MILP tools in the context of the bit-based division property is to improve the time complexity when searching for division trails. In essence, a division trail of an encryption algorithm is obtained by converting the basic operations (involved in the round function) into corresponding linear inequalities, which satisfy the propagation rules of the division property.
Initial division property and stopping rule: let us consider a multiset $X$ with division property $\mathcal{D}^{1^n}_{K}$, and let $e_i$ denote the vector of length $n$ (also called a unit vector) whose $i$-th coordinate is the only nonzero coordinate. In [13], it was illustrated how to determine the existence of an $r$-round integral distinguisher by checking whether $K_{r+1}$ contains all $e_i$ ($i \in \{1, 2, \ldots, n\}$). More precisely, if one can find all the unit vectors $e_i$ in the set $K_{r+1}$ (thus, each $e_i \in K_{r+1}$), then there does not exist any $r$-round integral distinguisher. Equivalently, if there exists an $e_i$ such that $e_i \notin K_{r+1}$, then one can find an $r$-round integral distinguisher. In terms of Definition 4, the previously described termination test (condition) for the division property can be explained as follows. Let $Y$ denote the output of $r$ encryption rounds performed on the input set $X$. If $Y$ does not have any useful integral property, then the XOR sum of all vectors of $Y$ is unknown for each bit position. This means that $\bigoplus_{y \in Y} \pi_{e_i}(y)$ is unknown for any unit vector $e_i \in \mathbb{F}_2^n$, where $i \in \{1, 2, \ldots, n\}$. On the contrary, if there exists at least one unit vector $e_i$ which does not belong to $K$, then the value at the $i$-th position of $\bigoplus_{y \in Y} \pi_{e_i}(y)$ is always equal to zero, i.e., we can find an $r$-round integral distinguisher.
For an iterated block cipher with round function $f_r$, let $\mathcal{D}^{1^n}_{\{k\}}$ denote the division property of an input multiset. Also, let be the $r$-round division property propagation, where $K_r$ denotes the set of vectors of all $r$-round division trails which start with $k$. Now, if we denote an $r$-round division trail by $(a^0_0, \ldots, a^0_{n-1}) \rightarrow \cdots \rightarrow (a^r_0, \ldots, a^r_{n-1})$, then the set of linear inequalities (which constitute the MILP model) depends on the variables $a^j_i \in \mathbb{F}_2$ ($i \in [0, n-1]$, $j \in [0, r]$). In addition, the objective function is set to be $\mathrm{Obj}: \min\ a^r_0 + a^r_1 + \cdots + a^r_{n-1}$.
Notice that the feasible solutions of the given MILP model are all division trails, and furthermore, if $K_i$ does not contain the all-zero vector, then the objective function will never take the value zero. At the end of the search, the balanced and unknown positions of the integral distinguisher can be determined. More precisely, those unit vectors $e_i$ which are not in $K_r$ indicate the balanced positions in the distinguisher.
When performing integral analysis on a given block cipher based on the division property and using the MILP model (whose round functions consist of a composition of the S-box and the linear layer), the search for an effective integral distinguisher is the main goal of the attack. In general, this analysis can be roughly divided into the following three steps:
Step 1: determine the division property of the initial input, that is, the specific number of active and constant bits of the input.
Step 2: using the division property from Step 1, the MILP model of the division path through the round function is constructed according to the structural characteristics of the cryptographic algorithm itself, including both the linear and the nonlinear layer.
Step 3: let the bit-based division property of $r$ identical encryption rounds of a given block cipher, using the MILP model, be denoted by $M$. In order to obtain $M$, one needs to consider the $r$-round propagation of the bit-based division property in the MILP model of the single round function. This is basically done by using the division trail specified by $(a^0_0, \ldots, a^0_{n-1}) \rightarrow \cdots \rightarrow (a^r_0, \ldots, a^r_{n-1})$. As previously mentioned, the system of linear inequalities $L$ will depend on the binary variables $a^j_i$, where $i = 0, \ldots, n-1$ and $j = 0, \ldots, n-1$ (thus, the MILP becomes a 0-1 integer programming problem). However, many of these variables are automatically removed (assigned the constant value 0) when running Algorithm 3 in [13]. This algorithm uses the set of inequalities $L$ and the objective function to find feasible solutions of the MILP instance $M$, which is constantly updated by adding new constraints on $a^j_i$, more precisely by setting $a^j_i = 0$ when needed. The reader is referred to [13] for further details on how Algorithm 3 works. Notice, however, that the MILP instance that models the search for bit-based distinguishers is executed several times (this is an intrinsic property of Algorithm 3 in [13]), since we need to check whether all the unit vectors are included in $K_{r+1}$ as a stopping rule. Finally, if the solver can find a feasible solution for a particular MILP instance, then the existence of an $r$-round distinguisher for the given cipher is established (in our case for the SAT_Jo encryption algorithm).
Since some specific cryptographic operations such as key addition and adding a round constant do not affect the propagation of division property, these operations will not be considered here.

An MILP Model of SAT_Jo Algorithm
In this section, we describe the process of modelling SAT_Jo algorithm as an MILP instance for the purpose of specifying integral distinguishers.

A Description of SAT_Jo
The schematic structure of the SAT_Jo block cipher is shown in Figure 1, whereas a precise description of its encryption process is given in Algorithm 1. The round function of SAT_Jo is similar to the one in the PRESENT block cipher, and it is defined as a composition of the S-box layer (applying 16 times the S-box defined in Table 1) and the bit-permutation function defined in Table 2. As mentioned earlier, SAT_Jo iterates the round function 31 times, where in addition the round key is applied at the end (as a post-whitening step). We omit the definition of the newRoundKey function because it is not important for the division property.

Remark 1.
Notice that the permutation layer uses the simple rule $P(x + i) = P(x) + 8i \bmod 64$, which simplifies the design but at the same time induces serious security issues (bad diffusion properties).

An Integral Attack on SAT_Jo Using Division Property
In order to apply the MILP method, one first has to derive a set of linear inequalities $Ax \le b$ (defined in Section 3.1, where $A = [a_{ij}]$) to describe the propagation of the division property based on the structure of the round function. We note that both the S-box and the permutation layer (P-box) affect the division property when deriving the MILP model. On the other hand, the division property is not affected by the AddRoundKey step in Algorithm 1, and thus the MILP model of a round function is constructed without considering this operation.

Modelling the S-Box of SAT_Jo
Now, in order to derive the set of inequalities for the S-box layer of SAT_Jo, we only have to consider the S-box defined in Table 1. Let $x = (x_0, x_1, x_2, x_3)$ denote the input of this S-box and $y = (y_0, y_1, y_2, y_3)$ its corresponding output. The ANF of the S-box (given in Table 1) is given by where addition is performed modulo two. Then, utilizing Algorithm 2 in [13], we obtain 45 division trails (shown in Table 3) of the SAT_Jo S-box.
Each division trail of a 4-bit S-box can be viewed as an 8-dimensional vector in $\mathbb{F}_2^8$.
Thus, the 45 division trails form a subset $T$ of $\mathbb{F}_2^8$. Next, by taking $T$ as an input to the inequality_generator() function of the SageMath software, a set of 162 linear inequalities is returned. The following SageMath code is used for this purpose:
[23]. If the division path through the S-box is described by $(a_0, a_1, a_2, a_3,$ these 10 inequalities are given as follows:

In order to obtain the solutions of the linear inequalities restricted to $\mathbb{F}_2^8$, we only need to specify that all variables can only take values in {0, 1}.
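As an added illustration of the S-box step just described (the propagation rule of Algorithm 2 in [13]) together with the stopping rule of Section 3.2, the following Python code is not from the paper: it computes the division trails of a 4-bit S-box from the ANF of every product of output bits, propagates a division property through the rounds of a small SPN without an MILP solver, and confirms the predicted balanced bits by brute force. Because Table 1 and Table 2 are not reproduced here, it uses the PRESENT S-box and a constructed 8-bit permutation $P(i) = 4i \bmod 7$ as stand-ins.

```python
"""Bit-based division property of an S-box layer and a toy SPN (rule of Algorithm 2 in
[13]). Added example, not the paper's code: SAT_Jo's Tables 1 and 2 are not reproduced
here, so the PRESENT S-box and a constructed 8-bit permutation serve as stand-ins."""
from itertools import product
import random

PRESENT_SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
TOY_PERM = [0, 4, 1, 5, 2, 6, 3, 7]   # constructed: P(i) = 4i mod 7, P(7) = 7

def to_bits(v, n):
    """Integer -> tuple (x_0, ..., x_{n-1}); x_0 is the most significant bit."""
    return tuple((v >> (n - 1 - i)) & 1 for i in range(n))

def covers(u, k):
    """u >= k coordinate-wise, i.e. the monomial x^u is divisible by x^k."""
    return all(ui >= ki for ui, ki in zip(u, k))

def anf_monomials(truth_table, n):
    """Moebius transform: the exponent vectors u whose ANF coefficient a_u is 1."""
    a = list(truth_table)                  # a[v] = f(v) for the integer input v
    for i in range(n):
        for v in range(1 << n):
            if v & (1 << i):
                a[v] ^= a[v ^ (1 << i)]
    return {to_bits(u, n) for u in range(1 << n) if a[u]}

def sbox_trails(sbox, n):
    """Division trails k -> k' of an n-bit S-box ([13], Algorithm 2): k' is reachable
    when the ANF of y^{k'} = prod_{k'_j=1} y_j has a monomial x^u with u >= k;
    reachable k' dominating another reachable k' are dropped as redundant."""
    prod_anf, trails = {}, {}
    for kp in product((0, 1), repeat=n):
        tt = [int(all(to_bits(sbox[x], n)[j] for j in range(n) if kp[j]))
              for x in range(1 << n)]
        prod_anf[kp] = anf_monomials(tt, n)
    for k in product((0, 1), repeat=n):
        feasible = {kp for kp, mons in prod_anf.items()
                    if any(covers(u, k) for u in mons)}
        trails[k] = {kp for kp in feasible
                     if not any(o != kp and covers(kp, o) for o in feasible)}
    return trails

def propagate_round(K, trails, n, perm):
    """S-box layer of parallel n-bit S-boxes, then bit i moves to position perm[i]."""
    nxt = set()
    for k in K:
        chunks = [k[i:i + n] for i in range(0, len(k), n)]
        for choice in product(*(trails[c] for c in chunks)):
            out = [0] * len(k)
            for i, bit in enumerate(sum(choice, ())):
                out[perm[i]] = bit
            nxt.add(tuple(out))
    return {k for k in nxt if not any(o != k and covers(k, o) for o in nxt)}

def toy_encrypt(pt, round_keys, sbox, n, perm):
    """Constructed toy SPN round: AddRoundKey, S-box layer, bit permutation."""
    state = list(pt)
    for rk in round_keys:
        state = [s ^ b for s, b in zip(state, rk)]
        out = []
        for i in range(0, len(state), n):
            out.extend(to_bits(sbox[int("".join(map(str, state[i:i + n])), 2)], n))
        state = [0] * len(out)
        for i, bit in enumerate(out):
            state[perm[i]] = bit
    return tuple(state)

def check_distinguisher(active, rounds, sbox=PRESENT_SBOX, n=4, perm=TOY_PERM, trials=20):
    """Stopping rule of the paper: bit i is balanced after r rounds iff no k in K_r has
    k <= e_i; then confirm by XOR-summing the ciphertexts of the 2^|active| plaintexts."""
    width, trails = len(perm), sbox_trails(sbox, n)
    K = {tuple(int(i in active) for i in range(width))}
    for _ in range(rounds):
        K = propagate_round(K, trails, n, perm)
    balanced = [i for i in range(width)
                if not any(covers(tuple(int(j == i) for j in range(width)), k) for k in K)]
    rng, confirmed = random.Random(1), True          # fixed seed: reproducible keys
    for _ in range(trials):
        keys = [tuple(rng.randrange(2) for _ in range(width)) for _ in range(rounds)]
        xor = [0] * width
        for vals in product((0, 1), repeat=len(active)):
            pt = [vals[active.index(i)] if i in active else 0 for i in range(width)]
            xor = [a ^ b for a, b in zip(xor, toy_encrypt(pt, keys, sbox, n, perm))]
        confirmed = confirmed and all(xor[i] == 0 for i in balanced)
    return balanced, confirmed
```

With one whole input nibble active, `check_distinguisher([0, 1, 2, 3], 1)` predicts all eight output bits balanced after one round and the brute-force check agrees; increasing `rounds` shows the set of balanced bits shrinking until no distinguisher remains.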

Modelling the Permutation Layer of SAT_Jo
In order to describe the permutation layer as an MILP instance, some intermediate variables are introduced to describe the basic operations in the permutation layer. Since the design of the permutation layer of the SAT_Jo encryption algorithm is relatively simple and described on the bit level in [5] (bit $i$ of the internal state is moved to bit position $j$ in accordance with Table 2 and follows the rule given in Remark 1), the division path of the input/output through the permutation layer is easily embedded in the MILP model.

A Search Algorithm for Integral Distinguishers for SAT_Jo Algorithm
To summarize the whole procedure, an automatic search algorithm for integral distinguishers of SAT_Jo is given by Algorithm 2 (which is similar to Algorithm 3 in [13]). Note that the notation $M(L, \mathrm{Obj})$ (used in Algorithm 2) denotes the MILP model $M$ for $r$ rounds composed of the set of inequalities $L$ and an objective function $\mathrm{Obj}$. Also, the set of output bits after $r$ rounds is denoted by $S = \{a^r_0, \ldots, a^r_{63}\}$.

The Results
By specifying and solving the MILP instance that models the full-round SAT_Jo algorithm (having 31 encryption rounds), we can specify different integral distinguishers. Table 4 shows how many active bits can be set in the input and how many balanced bits are obtained in the output for the SAT_Jo algorithm. Note that all these results are practically confirmed on a personal computer within a few seconds. Moreover, integral distinguishers could be found for up to 151 encryption rounds, which indicates a serious design flaw regarding the choice of bit-permutation employed in the SAT_Jo algorithm.
Recall that, for active bits at the input, denoted by "a," we essentially take all possible input values at these positions. For instance, if we have 5 active bits in the input, then in total we require $2^5$ plaintexts that cover all the possible values at these specific positions. Other input bits that are kept fixed are denoted by "c." The balanced bits at the output, denoted by "b," simply correspond to those positions of the ciphertext having the same number of zeros and ones, whereas unbalanced cases are denoted by "?." Table 5 shows other cryptanalytic results for SAT_Jo.
The key recovery attack on SAT_Jo: in order to perform a key recovery attack on the full-round SAT_Jo cipher, one can use the 30-round distinguisher specified in the first row of Table 4. More precisely, a set of $2^2$ plaintexts which satisfies the input of the integral distinguisher is selected. Moreover, one needs to guess the last-round subkey bits (64 bits in total), which are then used together with the ciphertexts to calculate the output of the 30th round (the so-called one-round partial decryption). For a guessed 64-bit subkey $k_{31}$, if the XOR sum of the state bits at the output of the 30th round is zero, then it is considered a valid candidate for the correct subkey; otherwise, the guessed value is considered incorrect. In order to identify the correct one among these candidates, one selects another set of four plaintexts $P_1, \ldots, P_4$ (again varying the first two bits) and obtains the corresponding ciphertexts $C_1, \ldots, C_4$. For each candidate subkey, the decryption of the

     Obj = obj.Objective()        // obj.Objective represents the objective function of the returned model
(6)  for r = 0; r ≤ 31; r++ do
(7)      var = obj.getValue(i)    // return the i-th variable of the objective function
(8)      value = obj.getAttr('x') // get the value of var in the current solution
(9)      if value = 1 then
(10)         delete {var} in S    // delete var from S
(11)         M.addConstraint(var = 0)
(12)         M.update()
(13)         break
(14)     end if
(15) end for
(16) end if
(17) end if
(18) end for
(19) return S_all                 // the S values of all outputs
ALGORITHM 2: An automatic search of integral distinguishers for the SAT_Jo algorithm.

Step 1: after 31 rounds of encryption are performed on the 4 selected plaintexts according to the 30-round integral distinguisher, the opponent obtains 4 ciphertexts.
Step 3: similarly, the opponent guesses the 4-bit $k_{0 \sim 1}, k_{2 \sim 3}$ so that she can decrypt the 30th-round data state. In this case, she can further calculate the XOR sum of the state bits at the output of the 30th round.
This attack requires 8 chosen plaintexts, and its time complexity is about $2^{64+2} = 2^{66}$ encryption operations. The success rate of this attack is 1. Notice that the master key is of length 80 bits, and after recovering the 64 bits of $k_{31}$, a similar procedure can be performed to retrieve the other subkeys.

Remark 2.
The simulations have been conducted on a computer with the following specification: Intel(R) Core(TM) i5-8300H CPU @ 2.30 GHz, 8 GB RAM, x64 Windows 10. In addition, the Python programming language, the Sage software, and the Gurobi solver have been used to implement the search algorithm.

Conclusion
We remark that the choice of bit-permutation used in the SAT_Jo algorithm appears to be the main reason for the existence of full-round integral distinguishers. Indeed, replacing the bit-permutation used in the SAT_Jo algorithm by the one employed in the PRESENT block cipher implies that there are no integral distinguishers for the full-round SAT_Jo. In particular, if the original permutation layer of SAT_Jo is replaced by the bit-permutation given in Table 6, one can verify that the SAT_Jo variant cipher achieves quite good integral properties. More precisely, an integral distinguisher can then be specified for at most 9 encryption rounds. The main weakness of the SAT_Jo algorithm, as already mentioned in Remark 1, is an inappropriate choice of its bit-permutation, which does not provide sufficient diffusion. The permutation layer of SAT_Jo uses the simple rule $P(x + i) = P(x) + 8i \bmod 64$, which simplifies the design but at the same time induces serious security issues (bad diffusion properties). However, the new permutation layer (see Table 6) uses the different rule $P(x + i) = P(x) + 4i \bmod 64$.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest.