Integral and Multidimensional Linear Distinguishers with Correlation Zero

  • Andrey Bogdanov
  • Gregor Leander
  • Kaisa Nyberg
  • Meiqin Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7658)


Zero-correlation cryptanalysis uses linear approximations holding with probability exactly 1/2. In this paper, we reveal fundamental links of zero-correlation distinguishers to integral distinguishers and multidimensional linear distinguishers. We show that an integral implies zero-correlation linear approximations and that a zero-correlation linear distinguisher is actually a special case of multidimensional linear distinguishers. These observations provide new insight into zero-correlation cryptanalysis which is illustrated by attacking a Skipjack variant and round-reduced CAST-256 without weak key assumptions.


zero-correlation cryptanalysis integral distinguishers multidimensional linear distinguishers Skipjack CAST-256 


  1. 1.
    Baignères, T., Junod, P., Vaudenay, S.: How Far Can We Go Beyond Linear Cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)Google Scholar
  3. 3.
    Biham, E., Biryukov, A., Shamir, A.: Miss in the Middle Attacks on IDEA and Khufu. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 124–138. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. 4.
    Biryukov, A., De Cannière, C., Quisquater, M.: On Multiple Linear Approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004)Google Scholar
  5. 5.
    Biryukov, A., Shamir, A.: Structural Cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001)Google Scholar
  6. 6.
    Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and Multidimensional Linear Distinguishers with Correlation Zero. IACR ePrint Archive report (2012)Google Scholar
  7. 7.
    Bogdanov, A., Rijmen, V.: Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers. Designs, Codes and Cryptography. Springer (to appear, 2012); preprint available as Cryptology ePrint Archive: Report 2011/123,
  8. 8.
    Bogdanov, A., Wang, M.: Zero Correlation Linear Cryptanalysis with Reduced Data Complexity. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 29–48. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Borst, J., Knudsen, L.R., Rijmen, V.: Two Attacks on Reduced IDEA. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 1–13. Springer, Heidelberg (1997)Google Scholar
  10. 10.
    Carlet, C.: Vectorial (multi-output) Boolean Functions for Cryptography. Cambridge University Press (to appear)Google Scholar
  11. 11.
    Carlet, C.: Boolean Functions for Cryptography and Error Correcting Codes. Cambridge University Press (to appear), preliminary version,
  12. 12.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The Block Cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  13. 13.
    Englund, H., Maximov, A.: Attack the Dragon. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 130–142. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional Extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Hermelin, M., Nyberg, K.: Linear cryptanalysis using multiple linear approximations. In: Junod, P., Canteaut, A. (eds.) Advanced Linear Cryptanalysis of Block and Stream Ciphers. IOS Press (2011)Google Scholar
  17. 17.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional Linear Cryptanalysis of Reduced Round Serpent. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 203–215. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Kaliski Jr., B.S., Robshaw, M.J.B.: Linear Cryptanalysis Using Multiple Approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994)Google Scholar
  19. 19.
    Knudsen, L.R., Robshaw, M.J.B., Wagner, D.: Truncated Differentials and Skipjack. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 165–180. Springer, Heidelberg (1999)Google Scholar
  20. 20.
    Knudsen, L.R., Wagner, D.: On the structure of Skipjack. Discrete Applied Mathematics 111(1-2), 103–116 (2001)MathSciNetzbMATHCrossRefGoogle Scholar
  21. 21.
    Knudsen, L.R., Wagner, D.: Integral Cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    Leander, G.: On Linear Hulls, Statistical Saturation Attacks, PRESENT and a Cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  23. 23.
    Lucks, S.: The Saturation Attack - A Bait for Twofish. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  24. 24.
    Seki, H., Kaneko, T.: Differential Cryptanalysis of CAST-256 Reduced to Nine Quad-rounds. IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences E84A(4), 913–918 (2001)Google Scholar
  25. 25.
    Skipjack and KEA Algorithm Specifications, Version 2.0, (May 29, 1998); The National Institute of Standards and Technology’s web page,
  26. 26.
    Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  27. 27.
    Wang, M., Wang, X., Hu, C.: New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 429–441. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Wang, Q., Chen, J.: 18-Round Impossible Differential for CAST-256 (2012)Google Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Gregor Leander
    • 2
  • Kaisa Nyberg
    • 3
  • Meiqin Wang
    • 4
  1. 1.ESAT/SCD/COSIC and IBBTKU LeuvenBelgium
  2. 2.Technical University of DenmarkDenmark
  3. 3.Aalto UniversityFinland
  4. 4.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina

Personalised recommendations