Bit-wise Cryptanalysis on AND-RX Permutation Friet-PC

This paper presents three attack vectors of bit-wise cryptanalysis, including rotational, bit-wise differential, and zero-sum distinguishing attacks, on the AND-RX permutation Friet-PC, which is implemented in a lightweight authenticated encryption scheme Friet. First, we propose a generic procedure for a rotational attack on AND-RX cipher with round constants. By applying the proposed attack to Friet-PC, we can construct an 8-round rotational distinguisher with a time complexity of $2^{102}$. Next, we explore single- and dual-bit differential biases, which are inspired by the existing study on Salsa and ChaCha, and observe the best bit-wise differential bias with $2^{-9.552}$. This bias allows us to practically construct a 9-round bit-wise differential distinguisher with a time complexity of $2^{20.044}$. Finally, we construct 13-, 15-, 17-, and 30-round zero-sum distinguishers with time complexities of $2^{31}$, $2^{63}$, $2^{127}$, and $2^{383}$, respectively. To summarize our study, we apply three attack vectors of bit-wise cryptanalysis to Friet-PC and show their superiority as effective attacks on AND-RX ciphers.


Background
Friet, which was proposed by Simon et al. at EUROCRYPT 2020 [26], is a lightweight authenticated encryption scheme with a 128-bit security level that is resistant to side channel and fault injection attacks. It adopts the authenticated encryption mode SpongeWrap based on the duplex construction [5]. The SpongeWrap mode is based on the concept of efficiently building an authenticated encryption scheme from a cryptographic permutation; thus, designers who adopt SpongeWrap as the authenticated encryption mode have the important task of designing a lightweight cryptographic permutation with a high security level. The designers of Friet proposed a new design technique for ciphers with efficient fault-detecting implementations, and then designed new cryptographic permutations called Friet-PC and Friet-P for implementation in Friet.
A previous version of the Friet-PC permutation, called Frit, was proposed by the same designers in 2018 [25]. It adopts the AND-Rotation-XOR (AND-RX) construction, which is very similar to the Addition-Rotation-XOR (ARX) construction. Shortly thereafter, Dobraunig et al. performed a key recovery attack against the full-round version in the use case of Frit as an Even-Mansour block cipher [9]. In addition, Qin et al. applied a cube attack on the reduced-round version in the use case of Frit as a duplex-based authenticated encryption mode [23]. Friet-PC was designed considering these attacks.
The designers evaluated the security of Friet-PC against differential and linear attacks [26]. They first investigated the propagation properties to determine the minimum weights of differential and linear trails, and then experimentally obtained a 6-round differential trail with weight 59 and an 8-round linear trail with weight 80. These trails can be extended to a 6-round differential distinguisher with a time complexity of $2^{59}$ and an 8-round linear distinguisher with a time complexity of $2^{80}$. As a security evaluation by a third party, Liu et al. proposed a new framework called a rotational differential-linear attack [19], which is inspired by the differential-linear attack proposed by Langford and Hellman [17]. Their proposed attack significantly improved the security evaluation by the designers, and allowed us to construct a 13-round rotational differential-linear distinguisher with a time complexity of $2^{117.81}$. To the best of our knowledge, the security evaluation for Friet-PC by a third party has not been reported except for that by Liu et al.; thus, the best attack on Friet-PC is the 13-round rotational differential-linear distinguisher.

Our Contribution
In this study, we evaluate the security of Friet-PC with three attack vectors of bit-wise cryptanalysis: rotational, bit-wise differential, and zero-sum distinguishing attacks. Although these vectors are widely used as generic attacks against ARX and AND-RX ciphers, no study appears to have applied these attacks to evaluate the security of Friet-PC as yet. If an adversary can efficiently perform these attacks on Friet-PC, they may threaten the security of not only the permutation Friet-PC but also the authenticated encryption scheme Friet. Table 1 summarizes the results of previous security evaluations and the evaluation in this study for Friet-PC. The proposed security evaluations sufficiently improve the existing best attack by Liu et al.; thus, we show their superiority as effective attacks on AND-RX ciphers. We remark that the proposed attacks are no practical threat to Friet-PC; however, it is recommended to use these attack vectors of bit-wise cryptanalysis to evaluate the security of AND-RX ciphers when designing the AND-RX ciphers in the future. The details of the proposed security evaluations are given in the following text.
[Table 1, surviving rows: Rotational Differential-Linear / Distinguisher, 8 rounds, time $2^{17.81}$ [19]; Rotational Differential-Linear / Distinguisher, 9 rounds, time $2^{29.81}$ [19]; Rotational Differential-Linear / Distinguisher, 13 rounds, time $2^{117.81}$ [19].]
[Algorithm 1: Friet-PC.]
[...] input patterns, we succeed in constructing 13-, 15-, 17-, and 30-round zero-sum distinguishers [3] with time complexities of $2^{31}$, $2^{63}$, $2^{127}$, and $2^{383}$, respectively. To the best of our knowledge, these are the best distinguishers for reduced-round Friet-PC, given that the attacker has full control over the internal state, which is a common assumption to analyze the security of a public permutation.

Organization of the Paper
The rest of the paper is organized as follows. In Section 2, we briefly describe the specification of the Friet-PC permutation. In Section 3, we first review the existing techniques for the rotational attacks, and propose a generic attack procedure for a rotational attack on AND-RX ciphers with round constants. Based on the proposed attack procedure, we provide a rotational distinguisher for the 8-round Friet-PC. In Section 4, we first introduce the existing techniques for the bit-wise differential attacks, and then provide a bit-wise differential distinguisher for the 9-round Friet-PC. In Section 5, we first describe how to search for integral distinguishers with the bit-based division property, and then provide the zero-sum distinguishers for the 13-, 15-, 17-, and 30-round Friet-PC. Finally, Section 6 concludes the paper.

Specifications of Friet-PC Permutation
Friet-PC has three limbs $(a, b, c) \in \{0, 1\}^{128}$, and its round function consists of the following six steps: a round constant addition step $\delta_i$ that is a limb adaptation, two non-native limb transposition steps $\tau_1$ and $\tau_2$, two mixing steps $\mu_1$ and $\mu_2$ that are limb adaptations, and a nonlinear step $\xi$ that is also a limb adaptation. We describe the procedure of the Friet-PC permutation as shown in Algorithm 1 and Fig. 1, and use the following notation for this procedure: $x \oplus y$ is the exclusive or (XOR) of two limbs $x$ and $y$, $x \wedge y$ is the bit-wise logical and (AND) of two limbs $x$ and $y$, $x \lll n$ is the left rotation by $n$ bits of a limb $x$, and $rc_i$ is the $i$-th round constant as listed in Table 2.
We use this notation throughout the remainder of this paper.

Rotational Distinguisher
We analyze the security of Friet-PC against a rotational attack, which has been applied to ARX and AND-RX ciphers, such as block ciphers Threefish [13], Speck [1,18], Simon [20] and Simeck [20]; stream ciphers Salsa [12] and ChaCha [4]; hash functions Keccak [22], BLAKE2 [10,14] and Skein [14,15]; and message authentication code algorithm Chaskey [16]. In this section, we first review the generic techniques for the rotational attacks and subsequently explain a new technique for a rotational attack on AND-RX ciphers with round constants. Then, we describe the application of the proposed technique to Friet-PC and finally show a rotational distinguisher for the 8-round Friet-PC with a time complexity of $2^{102}$.

Rotational Attacks
In 2010, Khovratovich and Nikolić [13] explored the propagation of a rotational pair (X, X ≪ r) or (X, X ≫ r) throughout an ARX cipher, and generalized a new technique called rotational attack. In the following text, we discuss only the propagation of the rotation pair (X, X ≪ r), as the propagation of the rotation pair (X, X ≫ r) can be explained similarly. A rotational attack on an ARX or AND-RX cipher allows an adversary to analyze the rotational probability of the entire cipher by multiplying the individual rotational probabilities of all operations used in the cipher. In other words, the adversary can properly perform the rotational attack on an ARX or AND-RX cipher by computing the rotational probabilities of four distinct operations, i.e., modular addition, AND, rotation, and XOR. The rotational probabilities of AND, rotation, and XOR are given by while the rotational probability of modular addition is given by the following lemma.

Lemma 1 ([8, Corollary 4.12]).
If we suppose an n-bit word X to be fixed and an n-bit word Y to be chosen uniformly at random, then we obtain where X L = (x n−1 , . . . , x n−r ) and X R = (x n−r−1 , . . . , x 0 ) for X.
On the other hand, if we suppose two n-bit words X and Y to be chosen uniformly at random, then we obtain
It should be noted here that all inputs to an ARX or AND-RX cipher must be rotational pairs for the rotational attack to perform well, as claimed by Khovratovich and Nikolić [13]. According to them, we cannot perform a proper rotational attack on an ARX or AND-RX cipher with round constants such as Friet-PC, because it is practically difficult to obtain a rotational pair of round constants. To solve this problem, some studies explored a rotational attack against ARX and AND-RX block ciphers Speck [1,18] and Simon [20] with constants that actually correspond to round keys. However, no study on a rotational attack against an ARX or AND-RX cipher with round constants specified in the specification, such as Friet-PC, has been reported as yet.

Rotational Attack on AND-RX Ciphers with Round Constants
To properly perform a rotational attack on an AND-RX cipher with round constants, we first demonstrate that the XOR operation in the presence of round constants can preserve the propagation of a rotational pair with a probability of one by introducing an XOR masking technique into a rotational attack. Then, we establish the rotational probability of the AND operation in the presence of round constants. Finally, we propose a generic attack procedure for a rotational attack on AND-RX ciphers with round constants. In the following text, we describe a rotational pair as $(X, \overleftarrow{X})$ instead of $(X, X \lll r)$.

XOR Masking Technique for the XOR Operation with Constants.
We first introduce an XOR masking technique so that the XOR operation in the presence of round constants $rc$ expressed in the form satisfies the equality. The left side of (6) is not XOR masked as it satisfies the same form as the left side of Eq. (3). Then, it can be seen from Eq. (3) that (6) satisfies the equality with a probability of one when In summary, the XOR operation in the presence of round constants can preserve the propagation of a rotational pair with a probability of one by XORing the mask value $mask_1 = rc \oplus \overleftarrow{rc}$. Note that the XOR masking technique can be applied to both the input and output values of the target cipher. For example, when the adversary applies the XOR masking technique to the input value, he/she must choose $(X, \overleftarrow{X} \oplus mask_1)$ as the input rotational pair.

XOR Masking Technique for the AND Operation with Constants.
We examine whether the AND operation in the presence of round constants, $rc_1$ and $rc_2$, expressed in the form satisfies the equality. To reveal the differences between both sides of (8), we use Eqs. (1) and (3) to transform (8) to We then apply the XOR masking technique to the input value so that the AND operation in the presence of round constants expressed in the form satisfies the equality. Here, (10) satisfies the equality with a probability of one when (mask 2 , mask 3 This implies that the adversary must choose [(X, ] as the input rotational pair when he/she applies the XOR masking technique to the input value.
Similarly, we apply the XOR masking technique to the output value corresponding to the input rotational pairs so that the AND operation in the presence of round constants expressed in the form satisfies the equality. However, it is practically difficult to determine the appropriate mask values so that (12) satisfies the equality. We will explain the reason after providing the following two examples. Let $x_i$, $y_i$, $rc_{1,i}$, and $rc_{2,i}$ be the $i$-th bit of $X$, $Y$, $rc_1$, and $rc_2$, respectively.
Example 1. We focus on the AND operation of the $i$-th bit in (9). We assume that either $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ or $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ holds. In this example, we assume that $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ holds for the sake of simplicity. Table 3 provides a truth table corresponding to (9). This table shows that the AND operation of the $i$-th bit holds with a probability of $2^{-1}$.
Example 2. We also focus on the AND operation of the $i$-th bit in (9). In this example, we assume that both $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ and $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ hold. Table 4 provides a truth table corresponding to (9). This table shows that the AND operation of the $i$-th bit holds with a probability of $2^{-1}$.
These examples show that the AND operation of the $i$-th bit in (9) holds with a probability of $2^{-1}$ when at least either $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ or $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ holds. Moreover, these examples show bitwise independent events since (9) is a bit-wise operation; thus, we can compute a probability that the AND operation expressed in (9) satisfies the equality by simply counting the number of bits for which either $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ or $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ holds for each bit. These facts lead to the following theorem.
be two rotational pairs where symbol '← −' represents the left rotation by r bits, and let rc 1 and rc 2 be round constants. Then, the rotational probability of the AND operation in the presence of round constants is given as follows: where hw[·] represents the hamming weight.
Proof. As discussed earlier, the AND operation of the $i$-th bit in (9) holds with a probability of $2^{-1}$ when at least either $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ or $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ holds. Moreover, we can compute a probability that the AND operation expressed in (9) satisfies the equality by simply counting the number of bits for which either $rc_{1,i} \oplus \overleftarrow{rc}_{1,i} = 1$ or $rc_{2,i} \oplus \overleftarrow{rc}_{2,i} = 1$ holds for each bit. We can achieve this by calculating the hamming weight such as hw[(rc 1 In summary, the rotational probability of the AND operation in the presence of round constants is given as shown in Eq. (13).
Now, we explain why it is practically difficult to determine the appropriate mask values so that (12) satisfies the equality. This is because the mask values cannot be uniquely determined unless the adversary knows the correct values of $X$ and $Y$, which are usually the intermediate information of the target cipher and are not available to the adversary (with exceptions). For example, from Table 3, if the values of $\overleftarrow{y}_i \oplus \overleftarrow{rc}_{2,i}$ and $\overleftarrow{y}_i \oplus rc_{2,i}$ are 1, the adversary must apply the XOR mask to satisfy the equality, but he/she cannot decide whether to apply the XOR mask without knowing the value of $\overleftarrow{y}_i$. Therefore, we should evaluate a rotational probability of the AND operation in the presence of round constants according to Theorem 1 without applying the XOR masking technique to the output value corresponding to the input rotational pairs.
Attack Procedure. Based on the discussed XOR masking technique, we propose a generic attack procedure for a rotational attack on AND-RX ciphers with round constants. The proposed attack consists of offline and online phases. In the offline phase, we perform the following procedure:
Step 1. We analyze the input and output mask values for the $i$-th round function of the target AND-RX cipher. In this step, we apply the XOR masking technique to the input rotational pair so that the influence of the round constant does not propagate to the output rotational pair. As shown in Fig. 2 (a), the input rotational pair is masked with a specific value $X$ to cancel the influence of the round constant; then, we do not need to apply the XOR masking technique to the output rotational pair.
Step 2. We explore the input mask value for the $(i - r_1)$-th round function of the target AND-RX cipher by going back $r_1$ rounds from the $i$-th round function of the cipher. This is feasible because we can easily construct the inverse function of the AND-RX cipher. As shown in Fig. 2 (b), we obtain the input mask value $W$ for the $(i - r_1)$-th round function such that the output mask value of the $(i - 1)$-th round function becomes $X$.
Step 3. We investigate the output mask value for the $(i + r_2)$-th round function of the target AND-RX cipher. As shown in Fig. 2 (c), the input mask value of the $(i + 1)$-th round function is 0, as obtained in Step 1; then, we can obtain the output mask value $Y$ for the $(i + r_2)$-th round function by analyzing the influence of the round constants through the $r_2$ rounds of the target AND-RX cipher.
We finally obtain the input mask value $W$ and the output mask value $Y$ for the $(r_1 + r_2 + 1)$-round version of the target AND-RX cipher. Thereafter, in the online phase, by utilizing these mask values, we can construct a rotational distinguisher for the target AND-RX cipher in a manner similar to that in existing studies [1,4,10,12,13,14,15,16,18,20,22].
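
The XOR masking identity and the AND rotational probability described in this section can be checked exhaustively on small words. The following is an added example, not code from the paper: the 8-bit word size, the sample constants and the function names are constructed for illustration, and the AND relation is the one read from the surrounding text, since the numbered equations are not reproduced on this page.

```python
# Added illustration: exhaustive check of the XOR masking identity and of the
# AND rotational probability with constants, on toy 8-bit words.
# Assumption: Friet-PC limbs are 128-bit; 8 bits keep the enumeration small.

N = 8
WORD_MASK = (1 << N) - 1


def rotl(x, r, n=N):
    """Left rotation of an n-bit word by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def hw(x):
    """Hamming weight."""
    return bin(x).count("1")


def xor_mask(rc, r):
    """mask_1 = rc XOR rot(rc), the value XORed into the rotated input."""
    return rc ^ rotl(rc, r)


def xor_with_constant_holds(rc, r):
    """True if rot(X ^ rc) == (rot(X) ^ mask_1) ^ rc for every N-bit X."""
    m = xor_mask(rc, r)
    return all(rotl(x ^ rc, r) == (rotl(x, r) ^ m) ^ rc
               for x in range(1 << N))


def predicted_exponent(rc1, rc2, r):
    """Number of bit positions where rc1 or rc2 differs from its rotation.
    The text's counting argument gives probability 2^-(this value)."""
    return hw((rc1 ^ rotl(rc1, r)) | (rc2 ^ rotl(rc2, r)))


def and_rotational_count(rc1, rc2, r):
    """Count the (X, Y) pairs for which the unmasked AND relation holds:
    rot((X ^ rc1) & (Y ^ rc2)) == (rot(X) ^ rc1) & (rot(Y) ^ rc2)."""
    hits = 0
    for x in range(1 << N):
        left_x = rotl(x, r) ^ rc1
        for y in range(1 << N):
            lhs = rotl((x ^ rc1) & (y ^ rc2), r)
            if lhs == left_x & (rotl(y, r) ^ rc2):
                hits += 1
    return hits


def check_theorem(rc1, rc2, r):
    """Compare the exhaustive count with 2^(2N - predicted exponent)."""
    expected = 1 << (2 * N - predicted_exponent(rc1, rc2, r))
    return and_rotational_count(rc1, rc2, r) == expected


if __name__ == "__main__":
    # Constructed (rc1, rc2, r) triples, not Friet-PC round constants.
    for rc1, rc2, r in [(0x01, 0x00, 1), (0x01, 0x01, 1),
                        (0x03, 0x06, 1), (0x11, 0x05, 4)]:
        e = predicted_exponent(rc1, rc2, r)
        n = and_rotational_count(rc1, rc2, r)
        print(f"rc1={rc1:#04x} rc2={rc2:#04x} r={r}: "
              f"exponent={e}, pairs={n}/{1 << (2 * N)}")
```

The second triple has both constants differing from their rotations in the same two bit positions, which is the situation of Example 2: the exponent is still 2, not 4.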

Application to Friet-PC
We apply the proposed attack procedure to Friet-PC. We first perform the offline phase of the proposed attack procedure on Friet-PC and obtain the input/output mask values for each round. Then, we examine the techniques for mitigating the influence of the round constants. Finally, we perform the online phase of the proposed attack procedure on Friet-PC, and demonstrate a rotational distinguisher for the 8-round Friet-PC with a time complexity of $2^{102}$.
c ) be the input mask variables for the $r$-round limbs $(a, b, c)$, or the output mask variables for the $(r - 1)$-round limbs $(a, b, c)$, respectively; let RC ≪t Based on the offline phase in the proposed attack procedure, we obtain the input/output mask values for each round of Friet-PC as follows:
Step 1. We need to mask the $i$-round input rotational pair with a specific value to cancel the influence of the round constant. Algorithm 1 shows that the round constant $rc_i$ is used for the first operation in the round function of Friet-PC, such as $c \leftarrow c \oplus rc_i$; thus, we can obtain the $i$-round input/output mask values (mask holds with a probability of one. The influence of the round constant is cancelled completely by using these input mask values.
Step 2. We need to mask the $(i - r_1)$-round input rotational pair with a specific value such that the output mask value of the $(i - 1)$-th round function becomes (mask ; thus, by going back $r_1$ rounds from the $i$-th round function of Friet-PC, we can obtain the $(i - r_1)$-round input mask value. Table 5 lists the input mask values by going back up to $(i - 3)$ rounds.
Step 3. In Step 1, we have obtained the $i$-round output mask value (mask , mask (i+1) c ) = (0, 0, 0), which is the $(i + 1)$-round input mask value. Thus, by analyzing the influence of the round constants through the $r_2$ rounds of Friet-PC, we can obtain the $(i + r_2)$-round output mask values. Table 5 lists the output mask values by going up to $(i + 4)$ rounds.
Further Discussion for the Online Phase. According to Theorem 1, the lower the hamming weight in the rotational pair associated with the influence of the round constants, the higher is the rotation probability of the AND operation in the presence of round constants; thus, if we mitigate the influence of the round constants as much as possible, we can perform the online phase in the proposed attack procedure with a high probability. To mitigate the influence of the round constants in the online phase, we deliberate over the following three questions:
Q1. Should we select the pattern $(X, \overleftarrow{X})$ or $(X, \overrightarrow{X})$ as a rotational pair?
Q2. What value should we select as a rotational amount $r$?
Q3. How should we decide the target rounds?
To answer these questions, we analyze the round constants of Friet-PC by using the following four examples:
Example 3. We consider the case where exactly one bit is 1 in the round constants of Friet-PC, such as $rc_9$, $rc_{10}$, $rc_{11}$. In this example, we use $rc_9$ for the sake of simplicity. Then, the hamming weight of $[rc_9 \oplus \overleftarrow{rc_9}]$ can be minimized regardless of the selection of the rotational pair and rotational amount, i.e., $hw[rc_9 \oplus \overleftarrow{rc_9}] = 2$.
Example 4. We consider the case where two or more bits are 1 in the round constants of Friet-PC and all of the bit strings 1 are continuous in hexadecimal notation, such as $rc_0$, $rc_1$, $rc_6$. In this example, we use $rc_0$ for the sake of simplicity. Then, the hamming weight of $[rc_0 \oplus \overleftarrow{rc_0}]$ can be minimized when the rotational amount is selected as $r = 4$, regardless of the selection of the rotational pair, i.e., $hw[rc_0 \oplus \overleftarrow{rc_0}] = 2$. If the rotational amount is selected as $r = 1$, the hamming weight of $[rc_0 \oplus \overleftarrow{rc_0}]$ can be maximized, e.g., $hw[rc_0 \oplus \overleftarrow{rc_0}] = 8$.
Example 5. We consider the case where two bits are 1 in the round constants of Friet-PC and the bit strings 1 are not continuous in hexadecimal notation, such as $rc_3$, $rc_4$, $rc_8$. In this example, we use $rc_3$ and $rc_8$ for the sake of simplicity. In one case, the hamming weight of $[rc_3 \oplus \overleftarrow{rc_3}]$ can be minimized when the rotational amount is selected as $r = 8$, regardless of the selection of the rotational pair, i.e., $hw[rc_3 \oplus \overleftarrow{rc_3}] = 2$. In another case, the hamming weight of $[rc_8 \oplus \overleftarrow{rc_8}]$ can be minimized when the rotational amount is selected as $r = 12$, regardless of the selection of the rotational pair, i.e., $hw[rc_8 \oplus \overleftarrow{rc_8}] = 2$. Therefore, the distance between 2-bit strings 1 is the optimum rotational amount.
Example 6. We consider the case where three or more bits are 1 in the round constants of Friet-PC and the bit strings 1 are not continuous in hexadecimal notation, such as $rc_2$, $rc_5$, $rc_{17}$. In this example, we use $rc_2$ for the sake of simplicity. Then, the hamming weight of $[rc_2 \oplus \overleftarrow{rc_2}]$ can be minimized when the rotational amount is selected as $r = 4$, regardless of the selection of the rotational pair, i.e., hw[rc 2 ⊕ ← −
These examples show that to mitigate the influence of the round constant, we need to change the rotational amount according to the value of the round constant though we can freely select the rotational pair; however, it is impossible to change the rotational amount while performing a rotational attack. Hence, we need to decide the target round that can mitigate the influence of the round constants without changing the rotational amount. Consequently, we choose the 9th to 16th round of Friet-PC as the target rounds in order to efficiently perform the online phase in the proposed attack on the 8-round Friet-PC. As discussed in Examples 3 and 4, for the round constants in the target rounds, the hamming weight can be minimized by selecting the rotational amount as $r = 4$. In addition, we select the pattern $(X, \overleftarrow{X})$ as the rotational pair.
Complexity Estimation. As discussed in Section 3.2, to perform a rotational attack on Friet-PC properly, we need to evaluate the rotational probability of the AND operation in the presence of round constants. When focusing on the round function of Friet-PC, only the output limb $a$ is influenced by the AND operation. Further, according to Algorithm 1, the AND operation is executed in the final step of the round function of Friet-PC, and the output limbs $(b, c)$ in each round become the input of its AND operation; thus, this situation implies that the output mask values (mask ) for the $r$-th round output limbs $(b, c)$ influence a rotational probability of the AND operation in each round.
Based on Theorem 1, we estimate a rotational probability of the AND operation in the round function of Friet-PC by calculating the hamming weight from (mask Table 6 lists the minimum hamming weights for the AND operation in the target round of Friet-PC. As discussed earlier, we can estimate the minimum hamming weights for each mask values, such as $hw[RC^{\lll 0}_i] = 2$, by selecting the rotational amount as $r = 4$. To confirm the accuracy of our estimation, we have conducted an experiment to compute the rotational probability of the 10th to 14th round of Friet-PC; then, we have confirmed that the rotational probability of the target round can be approximated to $2^{-38}$. Herein, we explain that the minimum hamming weight in the 16th round of Friet-PC is 0. This is because the output limbs $(b, c)$ in each round are not influenced by the AND operation; thus, when a complete rotational pair holds for all input limbs $(a, b, c)$ in each round, a rotational distinguisher can be performed with a probability of one by masking properly the output limbs $(b, c)$ with the mask values listed in Table 5 (experimentally verified over $2^{32}$ trials).
To summarize our results, we choose the 9th to 16th round of Friet-PC as the target rounds, and have demonstrated a rotational distinguisher for the 8-round Friet-PC with a time complexity of $2^{102}$. However, we cannot demonstrate a rotational distinguisher for 9 or more rounds of Friet-PC because it provides a 128-bit security level.
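
The dependence of the hamming weight on the rotational amount, discussed in Examples 3 to 6, can be tabulated for any constant. The following is an added example, not code from the paper: the constants are constructed to match the bit patterns the examples describe (they are not copied from Table 2, which is not reproduced on this page), and the function names are hypothetical.

```python
# Added illustration: how hw[rc XOR rot(rc)] depends on the rotational
# amount r for 128-bit limbs, and why one fixed r cannot be optimal for
# every constant pattern.

LIMB = 128


def rotl(x, r, n=LIMB):
    """Left rotation of an n-bit limb by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def hw(x):
    """Hamming weight."""
    return bin(x).count("1")


def diff_weight(rc, r):
    """hw[rc XOR rot_r(rc)]: the bits through which the constant disturbs
    a rotational pair for rotational amount r."""
    return hw(rc ^ rotl(rc, r))


def best_rotations(rc):
    """Return (minimum weight, all r in 1..LIMB-1 that reach it)."""
    profile = {r: diff_weight(rc, r) for r in range(1, LIMB)}
    low = min(profile.values())
    return low, [r for r, w in profile.items() if w == low]


def best_common_rotation(constants):
    """One r must serve every round of the attack window: return the
    smallest r minimising the summed weight, and that sum."""
    totals = {r: sum(diff_weight(rc, r) for rc in constants)
              for r in range(1, LIMB)}
    low = min(totals.values())
    return min(r for r, t in totals.items() if t == low), low


# Constructed constants matching the patterns in Examples 3 to 5.
SINGLE_BIT = 0x100000        # exactly one bit set (Example 3 pattern)
CONTIGUOUS = 0x1111          # 1s in consecutive hex digits (Example 4)
CONTIGUOUS_2 = 0x110         # second constant with the same pattern
GAP_8 = 0x10100000           # two 1s, 8 bit positions apart (Example 5)
GAP_12 = 0x1001              # two 1s, 12 bit positions apart (Example 5)

if __name__ == "__main__":
    for name, rc in [("single bit", SINGLE_BIT), ("contiguous", CONTIGUOUS),
                     ("gap 8", GAP_8), ("gap 12", GAP_12)]:
        low, rs = best_rotations(rc)
        print(f"{name:11s} min weight {low} at r in {rs[:4]}"
              f"{' ...' if len(rs) > 4 else ''}")
    print("window of single-bit/contiguous constants:",
          best_common_rotation([SINGLE_BIT, CONTIGUOUS, CONTIGUOUS_2]))
    print("window mixing contiguous and gap-8 constants:",
          best_common_rotation([CONTIGUOUS, GAP_8]))
```

A window that contains only single-bit and contiguous-pattern constants reaches the per-constant minimum at r = 4, while a window that mixes patterns pays extra weight whatever r is chosen; this is the constraint behind the choice of target rounds.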

Bit-wise Differential Distinguisher
In this section, we investigate the security of Friet-PC against a bit-wise differential attack, which has been mainly applied to ARX ciphers, such as stream ciphers Salsa and ChaCha [2,6,24]. Specifically, we focus on single- and dual-bit differential attacks, reported by Choudhuri and Maitra [6], and demonstrate a practical bit-wise differential distinguisher for the 9-round Friet-PC with a time complexity of $2^{20.044}$.

Single- and Dual-bit Differential Attacks
be an associated bit with the difference ∆x for $r = 0$ and the output difference $\Delta x^{(r)}_i$ for $r > 0$ are referred to as ID and OD, respectively. We note that $x^{(r)}_0$ and $x^{(r)}_{127}$ are the least significant bit (LSB) and most significant bit (MSB), respectively. For all possible choices of input limbs, single- and dual-bit differential probabilities are defined by where $\epsilon_d$ denotes the bias of the OD.
To distinguish the r-round limb x (r) computed by the reduced-round Friet-PC from true random number sequences, we use the following theorem proved by Mantin and Shamir [21].

Theorem 2 ([21, Theorem 2]). Let $X$ and $Y$ be two distributions, and suppose that the event $e$ occurs in $X$ with a probability $p$ and $Y$ with a probability $p \cdot (1 + q)$. Then, for small $p$ and $q$, $O(\frac{1}{p \cdot q^2})$ samples suffice to distinguish $X$ from $Y$ with a constant probability of success.
Let $X$ be a distribution of OD of true random number sequences, and let $Y$ be a distribution of OD of the reduced-round Friet-PC. Based on single-bit and dual-bit differential probabilities, the number of samples to distinguish $X$ and $Y$ is $O(\frac{2}{\epsilon_d^2})$ since $p$ and $q$ are equal to $\frac{1}{2}$ and $\epsilon_d$, respectively.
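
The measurement behind a single- or dual-bit differential bias, and the sample count that follows from Theorem 2, can be shown on a state small enough to enumerate. The following is an added example, not code from the paper: the 4-bit limbs and the round function are a constructed toy AND-RX permutation (not the Friet-PC round), the function names are hypothetical, and the bias is taken as $\Pr[\text{OD} = 1 \mid \text{ID}] = \frac{1}{2}(1 + \epsilon_d)$, which is the form implied by $p = \frac{1}{2}$ and $q = \epsilon_d$ above.

```python
# Added illustration: exact single-/dual-bit differential bias of a toy
# AND-RX permutation, and the Theorem 2 sample count 2 / eps_d^2.
import math
from itertools import product

W = 4  # toy limb width (assumption); the 12-bit state is fully enumerable


def rotl(x, r, n=W):
    """Left rotation of an n-bit limb by r bits."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def toy_round(a, b, c, rc):
    """Constructed 3-limb AND-RX round for illustration; NOT Friet-PC."""
    c ^= rc                          # round constant addition
    b ^= rotl(c, 1)                  # linear mixing
    a ^= rotl(b, 1) & rotl(c, 2)     # the only nonlinear step
    return b, c, a                   # limb transposition


def toy_perm(state, rounds):
    a, b, c = state
    for i in range(rounds):
        a, b, c = toy_round(a, b, c, (i + 1) % (1 << W))
    return a, b, c


def bias(id_bit, od_bits, rounds):
    """Exact eps_d over all inputs. id_bit = (limb, bit) to flip;
    od_bits = one or two (limb, bit) output positions XORed together."""
    limb, bit = id_bit
    ones = total = 0
    for state in product(range(1 << W), repeat=3):
        flipped = list(state)
        flipped[limb] ^= 1 << bit
        x = toy_perm(state, rounds)
        y = toy_perm(tuple(flipped), rounds)
        parity = 0
        for l, j in od_bits:
            parity ^= ((x[l] ^ y[l]) >> j) & 1
        ones += parity
        total += 1
    return 2 * ones / total - 1


def best_single_bit_od(id_bit, rounds):
    """Largest |eps_d| over all single-bit ODs, with its position."""
    cands = [((l, j), bias(id_bit, [(l, j)], rounds))
             for l in range(3) for j in range(W)]
    return max(cands, key=lambda t: abs(t[1]))


def log2_samples(eps):
    """log2 of 2 / eps^2 (Theorem 2 with p = 1/2 and q = eps_d)."""
    return math.inf if eps == 0 else 1 - 2 * math.log2(abs(eps))


if __name__ == "__main__":
    for rounds in (1, 2, 3, 4):
        od, eps = best_single_bit_od((2, 0), rounds)
        print(f"{rounds} round(s): best OD {od}, eps_d = {eps:+.4f}, "
              f"log2(samples) = {log2_samples(eps):.3f}")
    # Sample counts for the biases reported in this section.
    print(log2_samples(2 ** -9.522), log2_samples(2 ** -18.634))
```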

Experimental Results
To find bit-wise differential biases of the reduced-round Friet-PC, we have conducted experiments with $2^{28}$ randomly chosen samples. Our experimental environment is as follows: five Linux machines with 40-core Intel(R) Xeon(R) CPU E5-2660 v3 (2.60 GHz), 128.0 GB of main memory, a gcc 7.2.0 compiler, and the C programming language. Tables 7-9 list the single- and dual-bit differential biases for the 9-, 10-, and 11-round Friet-PC. As shown in Table 7, we obtain the best bit-wise differential bias for the 9-round Friet-PC, such that ID is $\Delta b^{(0)}_{40}$, OD is $\Delta a^{(9)}_{121} \oplus \Delta c^{(9)}_{54}$, and $\epsilon_d$ is approximately $2^{-9.360}$. To obtain a more precise differential bias in this ID-OD pair, we have conducted an additional experiment with $2^{36}$ randomly chosen samples. Thus, we obtain a more precise differential bias for the 9-round Friet-PC, such that $\epsilon_d$ is approximately $2^{-9.522}$. According to Theorem 2, $2^{20.044}$ samples are sufficient for distinguishing the 9-round Friet-PC from a true random number generator with a constant probability of success. For the 9-round Friet-PC, the best dual-bit differential bias, i.e., $\epsilon_d = 2^{-9.522}$, provides a practical bit-wise differential distinguisher when ID is $\Delta b^{(0)}_{40}$ and OD is $\Delta a^{(9)}_{121} \oplus \Delta c^{(9)}_{54}$. Similarly, as shown in Tables 8 and 9, we obtain the best bit-wise differential biases for the 10- and 11-round Friet-PC, such that $\epsilon_d$ are approximately $2^{-11.501}$ and $2^{-11.596}$, respectively. These experimental results may indicate insufficient accuracy because the best differential biases for the 10- and 11-round Friet-PC are approximately equal. To obtain a more precise differential bias for the 10-round Friet-PC, we have conducted an additional experiment with $2^{38}$ randomly chosen samples when ID is $\Delta a^{(0)}_{118}$ and OD is $\Delta b^{(10)}_{122} \oplus \Delta c^{(10)}_{45}$. This is the best ID-OD pair for the 10-round Friet-PC. Consequently, we obtain the more precise differential bias for the 10-round Friet-PC, such that $\epsilon_d$ is approximately $2^{-18.634}$; thus, at least $2^{38.268}$ samples are sufficient for distinguishing the 10-round Friet-PC from a true random number generator with a constant probability of success. In summary, our experiments have revealed that the practical bit-wise differential distinguisher for Friet-PC performs properly up to 9 rounds (out of 24 rounds in the original version).
Table 7. Single- and dual-bit differential biases ($\log_2$) for the 9-round Friet-PC.
Table 8. Single- and dual-bit differential biases ($\log_2$) for the 10-round Friet-PC.
Table 9. Single- and dual-bit differential biases ($\log_2$) for the 11-round Friet-PC.

Zero-sum Distinguisher and Division Property
The zero-sum distinguisher [3] is a widely utilized tool to evaluate the security of a public permutation, though it has never influenced the security of the corresponding hash or encryption schemes as far as we know. A critical reason lies in the attackers' capacity to control the whole internal state, which is impossible in the schemes adopting the sponge structure. However, it is still interesting if one could identify a non-trivial zero-sum distinguisher with better time complexity than those obtained with trivial algebraic degree evaluations.
The bit-based division property [27] is a powerful technique to compute the increase of algebraic degrees for a bit-oriented public permutation, especially when combined with the automatic search method [28]. However, the usage of division property has not been discussed in the proposal of Friet [26] and we believe this is essential if non-trivial increase of algebraic degrees could be identified. Consequently, in the following part, we briefly introduce bit-based division property [27] and then report our findings.
First, define the following functions before defining the division property.
Then, the bit-based division property [27] can be defined as follows:
Definition 2 (Bit-Based Division Property). Let $\mathbb{X}$ be a multiset whose elements take a value of $\mathbb{F}_2^n$. When the multiset $\mathbb{X}$ has the division property $\mathcal{D}^{1^n}_{\mathbb{K}}$, where $\mathbb{K}$ denotes a set of $n$-dimensional vectors whose $i$-th element takes 0 or 1, it fulfills the following conditions: $wt(u)$ is the hamming weight of $u$.
If there are $k \in \mathbb{K}$ and $k' \in \mathbb{K}$ satisfying $k \succeq k'$ in the division property $\mathcal{D}^{1^n}_{\mathbb{K}}$, $k$ can be removed from $\mathbb{K}$ because it is redundant. When we utilize the MILP method to evaluate the division property propagation, we need to focus on the elements of $\mathbb{K}$. Xiang et al. proposed a new notation [28] called division trail to illustrate division property propagation, which can be defined as follows:

Definition 3 (Division Trail). Let $f_r$ denote the round function of an iterated block cipher. Assume the input multiset to the block cipher has initial division property $\mathcal{D}^{n,m}_{k}$, and denote the division property after $i$-round propagation through $f_r$ by $\mathcal{D}^{n,m}_{\mathbb{K}_i}$. Thus, we have the following chain of division property propagations: Moreover, for any vector $k^*_i$ in $\mathbb{K}_i$ ($i \geq 1$), there must exist a vector $k^*_{i-1}$ in $\mathbb{K}_{i-1}$ such that $k^*_{i-1}$ can propagate to $k^*_i$ by division property propagation rules. Furthermore, for $(k_0, k_1, \cdots, k_r) \in \mathbb{K}_0 \times \mathbb{K}_1 \times \cdots \times \mathbb{K}_r$, if $k_{i-1}$ can propagate to $k_i$ for all $i \in \{1, 2, \cdots, r\}$, we call $(k_0, k_1, \cdots, k_r)$ an $r$-round division trail.

Proposition 1. Denote the division property of the input multiset to an iterated block cipher by $\mathcal{D}^{n,m}_{k}$, and let $f_r$ be the round function. Denote the r-round division property propagation. Thus, the set of the last vectors of all r-round division trails which start with $k$ is equal to $\mathbb{K}_r$.
In general, we need to show that the Hamming weight of any vector of $\mathbb{K}_r$ derived from the division property $\mathcal{D}_{\mathbb{K}_0}$ of the input multiset is not less than or equal to 1, and then we need to prove that the division trail where $\mathbb{K}_r$ is unknown does not exist.

MILP Modeling
In this subsection, we describe the MILP-based methods to search for the integral distinguishers [7] and explain how to express the division property propagation through the basic operations of Friet-PC based on the method proposed by Xiang et al. [28].
When evaluating the propagation of division property, it is necessary to consider the basic operations of a block cipher such as COPY and XOR. In the following, we will introduce the bit-based division property propagation through these basic operations and how to express the division property propagation through these operations as linear inequalities.
Modeling COPY. The COPY operation is the basic operation used in Feistel ciphers. A portion of the input is copied into two equal parts, one of which is fed to the round function. Let F be a function taking $x \in \mathbb{F}_2$ as input and producing $(y_0, y_1) = (x, x)$ as output. If the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{n}_{k}$, the output multiset $\mathbb{Y}$ will have division property $\mathcal{D}^{n,n}_{\mathbb{K}'}$, where Since we consider the bit-based division property, we only need to consider the division property propagation where $k = 1$. Thus, the division trails are $(0) \xrightarrow{copy} (0, 0)$, $(1) \xrightarrow{copy} (0, 1)$ and $(1) \xrightarrow{copy} (1, 0)$. Let $(a) \xrightarrow{copy} (b_0, b_1)$ be the division trails through the COPY operation; the following inequalities are sufficient to describe the division property propagation of COPY [28].
Modeling XOR. Let F be a function taking $(x_0, x_1) \in \mathbb{F}_2 \times \mathbb{F}_2$ as input and producing $y = x_0 \oplus x_1$ as output. If the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{n,n}_{\mathbb{K}}$, the output multiset $\mathbb{Y}$ will have division property $\mathcal{D}^{n}_{k'}$, where $k' = \min$ . Let $(a_0, a_1) \xrightarrow{XOR} (b)$ be the division trails through the XOR operation; the following inequalities are sufficient to describe the division property propagation of XOR [28]:
Modeling AND. Let F be a function taking $(x_0, x_1) \in \mathbb{F}_2 \times \mathbb{F}_2$ as input and producing $y = x_0 \wedge x_1$ as output. If the input multiset $\mathbb{X}$ has division property $\mathcal{D}^{n,n}_{\mathbb{K}}$, the output multiset $\mathbb{Y}$ will have division property $\mathcal{D}^{n}_{k'}$, where (1). Let $(a_0, a_1) \xrightarrow{AND} (b)$ be the division trails through the AND operation; the following inequalities are sufficient to describe the division property propagation of AND [28]:
The Initial Division Property. Since we search for integral distinguishers based on the bit-based division property, it is necessary to set the input division property to ALL (A) or CONSTANT (C) for each bit independently. Assuming we have $2^s$ plaintexts, we can set s bits in the initial division property as ALL (A).
Stopping Rule. Let $(a^0_{n-1}, \cdots, a^0_0) \to \cdots \to (a^r_{n-1}, \cdots, a^r_0)$ be an r-round division trail. If, for a given initial division property, no trail exists whose output division property has only the i-th bit ($0 \le i < n$) equal to 1 and the rest equal to 0, the i-th bit holds the BALANCE (B) property. We can check whether the i-th bit holds BALANCE (B) or UNKNOWN (U) by checking if such a trail exists. This can be easily evaluated with MILP [28]. Specifically, if the model is infeasible for the given constraints, there is no such trail, and vice versa.
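The modeling rules and the stopping rule above can be exercised on a small scale. The following Python code is an added example, not code from the paper: it derives the one-bit COPY, XOR and AND trails from the linear constraints of Xiang et al. [28], propagates the set of division vectors by exhaustive enumeration instead of a MILP solver, and compares the predicted BALANCE bits with a brute-force XOR sum. The 8-bit round `toy_round` and all function names are assumptions made for illustration; it is not the Friet-PC round function.

```python
from itertools import product

N = 8  # toy state width (assumption; this is not the Friet-PC round function)

def trails(ok):
    """One-bit division trails = 0/1 solutions of the linear constraints."""
    return {v for v in product((0, 1), repeat=3) if ok(*v)}

COPY = trails(lambda a, b0, b1: a - b0 - b1 == 0)
XOR = trails(lambda a0, a1, b: a0 + a1 - b == 0)
AND = trails(lambda a0, a1, b: b - a0 >= 0 and b - a1 >= 0 and b - a0 - a1 <= 0)

def step(K, i, j, k):
    """Propagate K through x[i] ^= x[j] & x[k]: COPY x[j], COPY x[k], AND, XOR."""
    out = set()
    for v in K:
        for (_, keep_j, and_j) in (c for c in COPY if c[0] == v[j]):
            for (_, keep_k, and_k) in (c for c in COPY if c[0] == v[k]):
                for t in (u[2] for u in AND if u[:2] == (and_j, and_k)):
                    for b in (u[2] for u in XOR if u[:2] == (v[i], t)):  # (1,1): none
                        w = list(v)
                        w[i], w[j], w[k] = b, keep_j, keep_k
                        out.add(tuple(w))
    return out

def toy_round(x):  # hypothetical AND-rotation-XOR round, illustration only
    x = list(x)
    for i in (0, 4):
        x[i] ^= x[i + 1] & x[i + 2]
    return x[1:] + x[:1]

def balanced_bits(cube, rounds):
    """Stopping rule: bit i is BALANCE iff no trail ends in the unit vector e_i."""
    K = {tuple(int(p in cube) for p in range(N))}  # cube bits ALL, rest CONSTANT
    for _ in range(rounds):
        for i in (0, 4):
            K = step(K, i, i + 1, i + 2)
        K = {v[1:] + v[:1] for v in K}             # same rotation as toy_round
    return {i for i in range(N) if tuple(int(p == i) for p in range(N)) not in K}

def xor_sum(cube, rounds, const=0):
    """Brute force: XOR of the outputs while the cube bits take every value."""
    acc = [0] * N
    for bits in product((0, 1), repeat=len(cube)):
        x = [bits[cube.index(p)] if p in cube else (const >> p) & 1 for p in range(N)]
        for _ in range(rounds):
            x = toy_round(x)
        acc = [s ^ y for s, y in zip(acc, x)]
    return acc
```

`balanced_bits` expects a non-empty cube given as a tuple of bit positions. Every bit it reports must have a zero `xor_sum` for any choice of the constant bits, while a bit reported as UNKNOWN may or may not sum to zero.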

Our Search
We modeled the operations of the Friet-PC round as the MILP constraints and optimized the models using the MILP solver. All the models are solved with the Gurobi solver [11]. All the searches are performed on a machine equipped with an Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz with HyperThreading enabled.
From Fig. 1, it is clear that the input of limb b will not pass through the AND operation, which is the only non-linear transformation part in the round function. Therefore, for a zero-sum distinguisher with a low time complexity, it is always better to choose as many active bits from limb b as possible. The obtained integral distinguishers are shown in Table 10.

Zero-sum Distinguishers
The above integral distinguishers can be converted into zero-sum distinguishers with a start-from-the-middle method as in [3]. Specifically, we view an internal state in a middle round as input and search for integral distinguishers in both backward and forward directions. As a result, the following four zero-sum distinguishers can be constructed:
- 30-round zero-sum distinguisher with $2^{383}$ time and data complexity.
In summary, a practical 13-round zero-sum distinguisher and a theoretical 17-round zero-sum distinguisher with time complexity below $2^{128}$ are obtained. However, the full-round zero-sum distinguisher requires half of the total input space, i.e., it requires $2^{383}$ time and data.
Remark. It is in general difficult to compare distinguishers on a public permutation if the attacker has control over the full internal state, as this is always impossible in schemes constructed with a public permutation and the sponge structure. Notice that the distinguishing attacks reported in [19] also require the capability to control the whole internal state of Friet-PC.
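The start-from-the-middle construction described above can be reproduced by brute force on a toy permutation. This Python code is an added example, not code from the paper: the 8-bit round `rnd`, its inverse `rnd_inv` and the function `zero_sum` are assumptions made for illustration, and the round is not the Friet-PC round function.

```python
from itertools import product

N = 8  # toy state width (assumption; not the Friet-PC round function)

def rnd(x):
    """Hypothetical toy AND-rotation-XOR round on N bits."""
    x = list(x)
    for i in (0, 4):
        x[i] ^= x[i + 1] & x[i + 2]
    return x[1:] + x[:1]

def rnd_inv(y):
    """Inverse of rnd: undo the rotation, then repeat the involutive AND-XOR."""
    x = list(y[-1:] + y[:-1])
    for i in (0, 4):
        x[i] ^= x[i + 1] & x[i + 2]
    return x

def zero_sum(cube, back, fwd, const=0):
    """Vary the cube bits of a middle state, walk `back` rounds backward to get
    the inputs and `fwd` rounds forward to get the outputs, and return the XOR
    of all inputs and the XOR of all outputs."""
    sum_in, sum_out = [0] * N, [0] * N
    for bits in product((0, 1), repeat=len(cube)):
        mid = [bits[cube.index(p)] if p in cube else (const >> p) & 1
               for p in range(N)]
        p_in, p_out = mid, mid
        for _ in range(back):
            p_in = rnd_inv(p_in)
        for _ in range(fwd):
            p_out = rnd(p_out)
        sum_in = [a ^ b for a, b in zip(sum_in, p_in)]
        sum_out = [a ^ b for a, b in zip(sum_out, p_out)]
    return sum_in, sum_out
```

With the middle cube `(1, 2, 3)`, one backward and one forward round give 8 inputs to the 2-round toy permutation whose XOR is zero and whose outputs also XOR to zero. Shrinking the cube to `(1, 2)` leaves a non-zero output sum after one forward round, so the property depends on the cube exceeding the degree reached in each direction.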

Conclusion
In this study, we evaluated the security of the Friet-PC permutation against bit-wise cryptanalysis including rotational, bit-wise differential, and integral attacks. First, we provided a generic procedure for a rotational attack on AND-RX ciphers with round constants and applied it to the Friet-PC permutation. Subsequently, we demonstrated an 8-round rotational distinguisher with a time complexity of $2^{102}$. Second, we explored single- and dual-bit differential biases of the reduced-round Friet-PC and extended one of them to a 9-round bit-wise differential distinguisher with a time complexity of $2^{20.044}$. Finally, we found 7-, 8-, 9-, and 15-round integral characteristics and extended these characteristics to 13-, 15-, 17-, and 30-round zero-sum distinguishers with time complexities of $2^{31}$, $2^{63}$, $2^{127}$, and $2^{383}$, respectively. We thus improved the best existing attack, which was evaluated by Liu et al. [19], against the reduced-round Friet-PC. We remark that the proposed attacks pose no practical threat to Friet-PC; however, it is recommended to use these attack vectors of bit-wise cryptanalysis to evaluate the security of AND-RX ciphers when designing such ciphers in the future.