integral cryptanalysis of reduced-round sand-64 based on bit-based division property

Conventional bit-based division property (cbdp), as a generalization of integral property, has been a powerful tool for integral cryptanalysis of many block ciphers. exploiting a mixed integral linear programming (milp) optimizer, an alternative approach to searching integral distinguishers was proposed, which has overcome the bottleneck of the cipher block length. the milp-aided method starts by modeling cbdp propagation by a system of linear inequalities. then by choosing an appropriate objective function, the problem of searching distinguisher transforms into an milp problem. as an application of this technique, we focused on a newly proposed lightweight block cipher sand. sand is a family of two and-rx block ciphers sand-64 and sand-128, which was designed to overcome the difficulty regarding securityevaluation. for sand-64, we found a 12-round distinguisher with 23 balanced bits and a data complexity of 2^63, with the superiority of a higher number of balanced bits than the designers’ one. furthermore, we applied an integral attack on a 15 and 16-round sand-64, including the key recovery step which resulted in time complexity of 2105 and 2109.91 and memory complexity of 252 and 2^85 bytes, respectively.