Authors:
Mirzaie Atiyeh, Sharif University of Technology, Tehran; Ahmadi Siavash, Sharif University of Technology; Aref Mohammad Reza, Sharif University of Technology, Tehran, Iran
Persian abstract:
Conventional Bit-based Division Property (CBDP), as a generalization of the integral property, has been a powerful tool for integral cryptanalysis of many block ciphers. Exploiting a Mixed Integer Linear Programming (MILP) optimizer, an alternative approach to searching for integral distinguishers was proposed, which has overcome the bottleneck of cipher block length. The MILP-aided method starts by modeling CBDP propagation as a system of linear inequalities. Then, by choosing an appropriate objective function, the problem of searching for a distinguisher is transformed into an MILP problem. As an application of this technique, we focused on the newly proposed lightweight block cipher SAND. SAND is a family of two AND-RX block ciphers, SAND-64 and SAND-128, which was designed to overcome the difficulty regarding security evaluation. For SAND-64, we found a 12-round distinguisher with 23 balanced bits and a data complexity of \(2^{63}\), which has a higher number of balanced bits than the designers' one. Furthermore, we applied an integral attack on 15- and 16-round SAND-64, including the key recovery step, which resulted in time complexities of \(2^{105}\) and \(2^{109.91}\) and memory complexities of \(2^{52}\) and \(2^{85}\) bytes, respectively.