Algebraic degree estimation for integral attack by randomized algorithm

Abstract

Integral attack is a powerful method to recover some round keys of block ciphers by exploiting the characteristic that a set of outputs after several rounds encryption has (integral distinguisher). Recently, Todo proposed a new algorithm to construct integral distinguisher with division property. However, the existence of integral distinguisher which holds in additional rounds can not be denied by the algorithm. On the contrary, our approach is to obtain the number of rounds which integral distinguisher does not hold. The approach is based on algebraic degree estimation. We execute a random search for a term which has a degree equals the number of all inputted variables. We propose two algorithms and apply them to PRESENT and RECTANGLE. Then, we confirm that there exists no 8-round integral distinguisher in PRESENT and no 9-round integral distinguisher in RECTANGLE. From these facts, it is infeasible to attack more than 11-round and 13-round of PRESENT and RECTANGLE, respectively.