Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis

  • Bing Sun
  • Meicheng Liu
  • Jian Guo
  • Vincent Rijmen
  • Ruilin Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9665)


Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and the Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials, then \(\alpha _1|\alpha _2\rightarrow \beta _1|\beta _2\) is also a possible differential, i.e., the OR operation “|” preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and only if there exists an r-round impossible differential \(\alpha \not \rightarrow \beta \) where the Hamming weights of both \(\alpha \) and \(\beta \) are 1. Thus for an SPN structure operating on m bytes, the computational complexity of deciding whether an impossible differential exists can be reduced from \(\mathcal O(2^{2m})\) to \(\mathcal O(m^2)\). Thirdly, we associate a primitive index with the linear layers of SPN structures. Based on matrix theory over integer rings, we prove that the length of impossible differentials of an SPN structure is upper bounded by the primitive index of the linear layer. As a result we show that, unless the details of the S-boxes are considered, there do not exist 5-round impossible differentials for the AES and ARIA. Lastly, based on the links between impossible differentials and zero correlation linear hulls, we project these results on impossible differentials onto zero correlation linear hulls. It is interesting to note that some of our results also apply to Feistel structures with SP-type round functions.
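The following is an added worked example, not code from the paper or its authors. It models only what the "structure" keeps of the AES: the S-boxes are treated as arbitrary bijections, so each byte of a difference is simply active or inactive, and MixColumns is characterised only by its branch number 5 (an MDS map over four bytes, so an input column with w active bytes can produce exactly the output columns with at least 5 - w active bytes). On that model it (a) builds the 0/1 byte-dependency matrix of the linear layer and computes its primitive index over the integers (2 for the AES), (b) checks the OR-preservation property on one round, and (c) runs the m^2 = 256 weight-1 candidate pairs of the abstract through a miss-in-the-middle test. Assumptions not taken from the page: the meeting point is fixed after the second round, the final MixColumns is omitted in the usual way when counting AES rounds for this attack, and the pattern-level test is only sound in one direction: an empty intersection is a genuine structural impossible differential, whereas a non-empty one merely means this coarse search found no contradiction. The absence of 5-round impossible differentials is the paper's theorem, not something this enumeration proves; the run at 5 rounds is a consistency check.

```python
"""Byte-level (truncated) analysis of the AES linear layer as an SPN structure.

Added example; not the paper's code. Activity patterns are 16-bit masks in AES
column-major order: bit r + 4*c is byte (row r, column c). S-boxes are arbitrary
bijections and therefore never change which bytes are active.
"""
from itertools import product
from math import prod

ROWS, COLS = 4, 4
M = ROWS * COLS            # 16 state bytes
BRANCH = 5                 # branch number of AES MixColumns (MDS over 4 bytes)
ENUM_LIMIT = 1 << 22       # guard against blowing up the truncated search (assumption)


def idx(r, c):
    """Bit position of byte (row r, column c)."""
    return r + ROWS * c


def column(pattern, c):
    return (pattern >> (ROWS * c)) & 0xF


def assemble(cols):
    return sum(v << (ROWS * c) for c, v in enumerate(cols))


def shift_rows(pattern, inverse=False):
    """AES ShiftRows on an activity pattern: row r rotates left by r positions."""
    out = 0
    for r in range(ROWS):
        for c in range(COLS):
            src = (c - r) % COLS if inverse else (c + r) % COLS
            if (pattern >> idx(r, src)) & 1:
                out |= 1 << idx(r, c)
    return out


def column_outputs(u):
    """4-bit output patterns an MDS column map can produce from input pattern u.
    The rule is symmetric, so it also describes the inverse MixColumns."""
    if u == 0:
        return (0,)
    need = BRANCH - bin(u).count("1")
    return tuple(v for v in range(1, 16) if bin(v).count("1") >= need)


def one_round_possible(u, v):
    """Is u -> v a possible truncated differential over one round S, SR, MC?"""
    q = shift_rows(u)
    return all(column(v, c) in column_outputs(column(q, c)) for c in range(COLS))


def expand(patterns, inverse=False, mix=True):
    """All patterns reachable from `patterns` through one round (or its inverse).
    mix=False drops MixColumns, as in the final AES round."""
    out, budget = set(), ENUM_LIMIT
    for p in patterns:
        q = p if inverse else shift_rows(p)          # inverse round: MC^-1 first, SR^-1 last
        cols = [column_outputs(column(q, c)) if mix else (column(q, c),) for c in range(COLS)]
        budget -= prod(len(cs) for cs in cols)
        if budget < 0:
            raise ValueError("truncated search too large for this toy enumerator")
        for vs in product(*cols):
            v = assemble(vs)
            out.add(shift_rows(v, inverse=True) if inverse else v)
    return out


def impossible(alpha, beta, rounds, final_mix=True):
    """Sound pattern-level miss-in-the-middle: True means alpha cannot reach beta in
    `rounds` rounds for ANY choice of S-boxes; False only means no contradiction found."""
    meet = min(2, rounds)                             # meeting point (assumption)
    fwd = {alpha}
    for i in range(meet):
        fwd = expand(fwd, mix=final_mix or i < rounds - 1)
    bwd = {beta}
    for i in range(rounds - meet):
        bwd = expand(bwd, inverse=True, mix=final_mix or i > 0)
    return not (fwd & bwd)


def weight1_impossible_pairs(rounds, final_mix=True):
    """The m^2 weight-1 candidates the abstract reduces the search to."""
    return [(a, b) for a in range(M) for b in range(M)
            if impossible(1 << a, 1 << b, rounds, final_mix)]


def dependency_matrix():
    """0/1 matrix of the byte-level linear layer: D[j][i] = 1 iff output byte j depends on input byte i."""
    D = [[0] * M for _ in range(M)]
    for i in range(M):
        q = shift_rows(1 << i)
        c = next(c for c in range(COLS) if column(q, c))   # column the active byte landed in
        for r in range(ROWS):                              # MixColumns spreads it over that column
            D[idx(r, c)][i] = 1
    return D


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(M)) for j in range(M)] for i in range(M)]


def primitive_index(D, limit=64):
    """Smallest p such that every entry of D^p is positive over the integers (0 if none up to limit)."""
    P = D
    for p in range(1, limit + 1):
        if all(x > 0 for row in P for x in row):
            return p
        P = matmul(P, D)
    return 0


if __name__ == "__main__":
    print("primitive index of the AES byte-level linear layer:", primitive_index(dependency_matrix()))
    for r in (3, 4, 5):
        n = len(weight1_impossible_pairs(r, final_mix=False))
        print(f"{r} rounds (last MixColumns omitted): {n} impossible weight-1 pairs")
```

Running it reports primitive index 2 and finds all 256 weight-1 pairs impossible at 4 rounds (the classical 4-round AES impossible differential recovered at the pattern level: one active input byte forces all 16 bytes active after two rounds, while a single active output byte forces exactly four active bytes there), and none at 5 rounds. With the final MixColumns kept, the same pairs show no pattern-level contradiction at 4 rounds either, because an ending linear bijection only relabels output differences and a single active output byte no longer pins down a byte pattern two rounds earlier.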


Keywords: Impossible differential, Zero correlation linear, SPN structure, Feistel structure, AES, Camellia, ARIA



The authors would like to thank the anonymous reviewers for their useful comments, and Shaojing Fu, Lei Cheng and Xuan Shen for fruitful discussions.


  1. Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)
  2. Aumasson, J.-P., Guo, J., Knellwolf, S., Matusiewicz, K., Meier, W.: Differential and invertibility properties of BLAKE. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 318–332. Springer, Heidelberg (2010)
  3. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
  4. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993)
  5. Blondeau, C.: Impossible differential attack on 13-round Camellia-192. Inf. Process. Lett. 115(9), 660–666 (2015)
  6. Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Crypt. 70(3), 369–383 (2014)
  7. Boura, C., Naya-Plasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 179–199. Springer, Heidelberg (2014)
  8. Daemen, J., Rijmen, V.: AES and the wide trail design strategy. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 108–109. Springer, Heidelberg (2002)
  9. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Berlin (2002)
  10. Guo, J., Thomsen, S.S.: Deterministic differential properties of the compression function of BMW. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 338–350. Springer, Heidelberg (2011)
  11. Hong, D., Sung, J., Moriai, S., Lee, S.-J., Lim, J.-I.: Impossible differential cryptanalysis of Zodiac. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 300–311. Springer, Heidelberg (2002)
  12. Kim, J., Hong, S., Lim, J.: Impossible differential cryptanalysis using matrix method. Discrete Math. 310(5), 988–1002 (2010)
  13. Knudsen, L.R.: DEAL - A 128-bit Block Cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998)
  14. Kwon, D., Kim, J., Park, S., Sung, S.H., Sohn, Y., Song, J.H., Yeom, Y., Yoon, E., et al.: New block cipher: ARIA. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 432–445. Springer, Heidelberg (2004)
  15. Lee, C., Jun, K., Jung, M.S., Park, S., Kim, J.: Zodiac version 1.0 (revised) architecture and specification. In: Standardization Workshop on Information Security Technology 2000, Korean Contribution on MP18033, ISO/IEC JTC1/SC27 N2563 (2000)
  16. Li, R., Sun, B., Li, C.: Impossible differential cryptanalysis of SPN ciphers. IET Inf. Secur. 5(2), 111–120 (2011)
  17. Lu, J., Dunkelman, O., Keller, N., Kim, J.-S.: New impossible differential attacks on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008)
  18. Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014)
  19. Mala, H., Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M.: Improved impossible differential cryptanalysis of 7-round AES-128. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010)
  20. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
  21. Sun, B., Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., AlKhzaimi, H., Li, C.: Links among impossible differential, integral and zero correlation linear cryptanalysis. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 95–115. Springer, Berlin (2015)
  22. Sun, B., Zhang, P., Li, C.: Impossible differential and integral cryptanalysis of Zodiac. J. Softw. 22(8), 1911–1917 (2011)
  23. Vaudenay, S.: Provable security for block ciphers by decorrelation. In: Meinel, C., Morvan, M., Krob, D. (eds.) STACS 1998. LNCS, vol. 1373, pp. 249–275. Springer, Heidelberg (1998)
  24. Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012)
  25. Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of reduced-round ARIA and Camellia. J. Comput. Sci. Technol. 22(3), 449–456 (2007)

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Bing Sun (1, 2, 4)
  • Meicheng Liu (2, 3)
  • Jian Guo (2)
  • Vincent Rijmen (5)
  • Ruilin Li (6)
  1. College of Science, National University of Defense Technology, Changsha, People’s Republic of China
  2. Nanyang Technological University, Singapore, Singapore
  3. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, People’s Republic of China
  4. State Key Laboratory of Cryptology, Beijing, People’s Republic of China
  5. Department of Electrical Engineering (ESAT), KU Leuven and iMinds, Leuven, Belgium
  6. College of Electronic Science and Engineering, National University of Defense Technology, Changsha, People’s Republic of China
