Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis
Abstract
As two important cryptanalytic methods, impossible differential and integral cryptanalysis have attracted much attention in recent years. Although relations among other cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.
Firstly, by introducing the concepts of structure and dual structure, we prove that \(a\rightarrow b\) is an impossible differential of a structure \(\mathcal E\) if and only if it is a zero correlation linear hull of the dual structure \(\mathcal E^\bot \). Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang finds all impossible differentials of both Feistel structures with SP-type round functions and SPN structures. Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher. With this observation we improve the number of rounds of integral distinguishers of Feistel structures, CAST-256, SMS4 and Camellia. Finally, we conclude that an r-round impossible differential of \(\mathcal E\) always leads to an r-round integral distinguisher of the dual structure \(\mathcal E^\bot \). In the case that \(\mathcal E\) and \(\mathcal E^\bot \) are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of \(\mathcal E\).
Our results could help to classify different cryptanalytic tools and facilitate the task of evaluating security of block ciphers against various cryptanalytic approaches.
Keywords
Impossible differential; Integral; Zero correlation linear; Feistel; SPN; Camellia; CAST-256; SMS4; PRESENT; PRINCE; ARIA
1 Introduction
Block ciphers are considered vital elements in constructing many symmetric cryptographic schemes such as encryption algorithms, hash functions, authentication schemes and pseudorandom number generators. The core security of these schemes depends on the resistance of the underlying block ciphers to known cryptanalytic techniques. So far a variety of cryptanalytic techniques have been proposed such as impossible differential cryptanalysis [1, 2], integral cryptanalysis [3], zero correlation linear cryptanalysis [4], etc.
Impossible differential cryptanalysis was independently proposed by Knudsen [1] and Biham [2]. One of the most popular kinds of impossible differential is the truncated impossible differential, which is independent of the choice of the S-boxes. Several approaches have been proposed to derive truncated impossible differentials of a block cipher or structure effectively, such as the \(\mathcal {U}\)-method [5], the \(\textit{UID}\)-method [6] and the extension of these two methods given by Wu and Wang at Indocrypt 2012 [7]. Integral cryptanalysis [3] was first proposed by Knudsen and Wagner, and a number of related ideas have been exploited, such as the square attack [8], saturation attack [9], multiset attack [10] and higher order differential attack [11, 12]. With some specially chosen inputs, one checks whether the sum of the corresponding ciphertexts is zero or not. Usually, we do not need to investigate the details of the S-boxes and only view them as bijective transformations over finite fields. Zero correlation linear cryptanalysis, proposed by Bogdanov and Rijmen in [4], tries to construct linear hulls with correlation exactly zero. In most cases, as in impossible differential and integral cryptanalysis, the details of the S-boxes are not needed. Generally, although a lot of work has concentrated on the design and cryptanalysis of S-boxes [13], most cryptanalytic results obtained with impossible differential, integral and zero correlation linear cryptanalysis are independent of the choice of the S-boxes: if a cipher is instantiated with other S-boxes, the corresponding cryptanalytic results remain almost the same.
Along with the growth of the list of cryptanalytic tools, the question whether there are direct links or other connections among different tools has drawn much attention in the cryptographic research community, since such relations can be used to compare the effectiveness of different tools as well as to improve cryptanalytic results on block ciphers.
Efforts to find and build links among different cryptanalytic techniques were initiated by Chabaud and Vaudenay in [14], where a theoretical link between differential and linear cryptanalysis was presented. After that, many attempts have been made to establish further relations among various cryptanalytic tools. In [15], Sun et al. proved that, from an algebraic view, integral cryptanalysis can be seen as a special case of the interpolation attack. In [16], Leander stated that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. In [17], Bogdanov et al. showed that an integral implies a zero correlation linear hull unconditionally, that a zero correlation linear hull indicates an integral distinguisher under certain conditions, and that a zero correlation linear hull is actually a special case of multidimensional linear distinguishers. In [18], Blondeau and Nyberg further analyzed the link between differential and linear cryptanalysis and gave new insights that make it more applicable in practice; they established new formulas relating the probability of truncated differentials to the correlation of linear hulls. This link was later applied in [19] to provide an exact expression for the bias of a differential-linear approximation. Moreover, they claimed that the existence of a zero correlation linear hull is equivalent to the existence of an impossible differential in some specific cases [18]. As shown in [20], this link is usually not practical for most known impossible differential or zero correlation linear distinguishers, since the sum of the dimensions of the input and output of each distinguisher is always the block size of the cipher: if the dimension parameter for one type is small, it is infeasibly large for the other type. Blondeau et al. proposed a practical relation between these two distinguishers for Feistel-type and Skipjack-type ciphers and showed some equivalence between impossible differentials and zero correlation linear hulls for these ciphers [20]. In [21], Blondeau and Nyberg gave the link between truncated differentials and multidimensional linear approximations, and then applied this link to explore the relations between the complexities of chosen-plaintext and known-plaintext distinguishing/key recovery attacks of differential and linear type. Moreover, they showed that statistical saturation cryptanalysis is indeed equivalent to truncated differential cryptanalysis, which can be used to estimate the data requirement of the statistical saturation key recovery attack.
The main contributions of this paper are as follows.
1. We characterize what "being independent of the choices of S-boxes" means by proposing the definition of a structure \(\mathcal E\), which is a set containing some ciphers that are "similar" to each other. Then, by introducing the dual structure \(\mathcal E^\bot \), we prove that \(a\rightarrow b\) is an impossible differential of \(\mathcal E\) if and only if it is a zero correlation linear hull of \(\mathcal E^\bot \). More specifically, let \(P^T\) and \(P^{-1}\) denote the transpose and inverse of P, respectively. Then for a Feistel structure with SP-type round functions where P is invertible, denoted \(\mathcal F_{SP}\), constructing an r-round zero correlation linear hull is equivalent to constructing an impossible differential of \(\mathcal F_{SP^T}\), which is the same structure as \(\mathcal F_{SP}\) with \(P^T\) in place of P; for an SPN structure \(\mathcal E_{SP}\), constructing an r-round zero correlation linear hull of \(\mathcal E_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal E_{S(P^{-1})^T}\), which is the same structure as \(\mathcal E_{SP}\) with \((P^{-1})^T\) in place of P. Based on this result, we find 8-round zero correlation linear hulls of Camellia without the \(FL/FL^{-1}\) layer and 4-round zero correlation linear hulls of ARIA.
2. We show that the automatic search tool presented by Wu and Wang at Indocrypt 2012 finds all impossible differentials of a cipher that are independent of the choice of the S-boxes. This can be used in the provable security of block ciphers against impossible differential cryptanalysis.
3. We find that a zero correlation linear hull always implies the existence of an integral distinguisher, which means that the conditions used in [17] for deriving an integral distinguisher from a zero correlation linear hull can be removed. Meanwhile, we observe that the statement "integral unconditionally implies zero correlation linear hull" in [17] is correct only under the definition that an integral property is a balanced vectorial boolean function, while it does not hold in the general case. For example, to date we cannot use the integral distinguisher for 4-round AES (with extra MixColumns) [4, 8] to construct a zero correlation linear hull.
4. Following the results above, we build the link between impossible differential cryptanalysis and integral cryptanalysis, i.e., an r-round impossible differential of a structure \(\mathcal E\) always implies the existence of an r-round integral distinguisher of \(\mathcal E^\bot \). Moreover, in the case that \(\mathcal E^\bot =A_2\mathcal E A_1\), where \(A_1\) and \(A_2\) are linear transformations, we get direct links between impossible differential cryptanalysis and integral cryptanalysis of \(\mathcal E\) itself. Specifically, an r-round impossible differential of an SPN structure that adopts a bit permutation as the linear layer always leads to an r-round integral distinguisher.
5. We improve the integrals of Feistel structures by 1 round, build a 24-round integral of CAST-256, present a 12-round integral of SMS4, which is 2 rounds longer than the previously best known ones, and construct an 8-round integral for Camellia without \(FL/FL^{-1}\) layers. These distinguishers cannot be obtained by the known methods for constructing integral distinguishers or by using the link given in [17]. As an example, the best known key recovery attack on reduced-round CAST-256 in the non-weak-key model is given to show the effectiveness of the newly constructed distinguishers.
2 Preliminaries
2.1 Boolean Functions
2.2 Block Ciphers
SPN Ciphers. The SPN structure is widely used in constructing cryptographic primitives. It iterates some SP-type round functions to achieve confusion and diffusion. Specifically, the SP-type function \(f: \mathbb F_2^{s\times t}\rightarrow \mathbb F_2^{s\times t}\) used in this paper is defined as follows: Assume the input x is divided into t pieces \(x=(x_0,\ldots ,x_{t-1})\), each \(x_i\) an s-bit word. Apply the nonlinear transformation \(S_i\) to \(x_i\) and let \(y=(S_0(x_0),\ldots ,S_{t-1}(x_{t-1}))\in \mathbb F_2^{s\times t}\). Finally, apply a linear transformation P to y; Py is the output of f. In the ciphers considered in this paper, P takes one of the following forms:
(1) P is a bitwise permutation of \(\mathbb F_2^{s\times t}\), as in PRESENT [23]. PRESENT adopts a bit permutation as the diffusion layer P: bit i is moved to position \(16i \bmod 63\) for \(0\le i\le 62\), and bit 63 stays in place. It can be written as the permutation matrix \(P=(P_{i,j})_{64\times 64}\) with
$$\begin{aligned} P_{i,j}={\left\{ \begin{array}{ll} 1 & \text {if } j = 16i \bmod 63 \text{ and } i<63, \text{ or } i=j=63,\\ 0 & \text {otherwise}. \end{array}\right. }\end{aligned}$$
(2) Each bit of Py is a sum of some bits of y, as in PRINCE [24]. To describe the linear layer of PRINCE we first define SR and \(M'\).
SR permutes the 16 nibbles; it is therefore a permutation of 64 bits, and as in case (1) we can write SR as a permutation matrix in \(\mathbb F_2^{64\times 64}\).
To construct \(M'\), we first define the \(4\times 4\) matrices
$$\begin{aligned} M_0=\begin{pmatrix}0&0&0&0\\ 0&1&0&0\\ 0&0&1&0\\ 0&0&0&1\end{pmatrix},\quad M_1=\begin{pmatrix}1&0&0&0\\ 0&0&0&0\\ 0&0&1&0\\ 0&0&0&1\end{pmatrix},\quad M_2=\begin{pmatrix}1&0&0&0\\ 0&1&0&0\\ 0&0&0&0\\ 0&0&0&1\end{pmatrix},\quad M_3=\begin{pmatrix}1&0&0&0\\ 0&1&0&0\\ 0&0&1&0\\ 0&0&0&0\end{pmatrix}, \end{aligned}$$
then the \(16\times 16\) matrices
$$\begin{aligned} \hat{M}^{(0)}=\begin{pmatrix}M_0&M_1&M_2&M_3\\ M_1&M_2&M_3&M_0\\ M_2&M_3&M_0&M_1\\ M_3&M_0&M_1&M_2 \end{pmatrix},\quad \hat{M}^{(1)}=\begin{pmatrix} M_1&M_2&M_3&M_0\\ M_2&M_3&M_0&M_1\\ M_3&M_0&M_1&M_2\\ M_0&M_1&M_2&M_3 \end{pmatrix}, \end{aligned}$$
and finally \(M'=\text {diag}(\hat{M}^{(0)},\hat{M}^{(1)},\hat{M}^{(1)},\hat{M}^{(0)})\), a \(64\times 64\) block diagonal matrix. \(M'\) is the linear transformation of the middle round; the transformations \(M=SR\circ M'\) and \(M^{-1}\) are used in the rounds before and after the middle round, respectively.
(3) Each word of Py is a sum of some words of y, as in Camellia [25] and ARIA [26]. The block cipher Camellia was recommended in the NESSIE block cipher portfolio in 2003 and selected as a new international standard by ISO/IEC in 2005. ARIA is a 128-bit block cipher established as a Korean Standard by the Ministry of Commerce, Industry and Energy in 2004. The linear transformations \(P_{\text {C}}\) and \(P_{\text {A}}\) of Camellia and ARIA can be written as follows, where E and 0 denote the \(8\times 8\) identity and zero matrices, respectively:
$$\begin{aligned} P_{\text {C}}=\begin{pmatrix} E&0&E&E&0&E&E&E\\ E&E&0&E&E&0&E&E\\ E&E&E&0&E&E&0&E\\ 0&E&E&E&E&E&E&0\\ E&E&0&0&0&E&E&E\\ 0&E&E&0&E&0&E&E\\ 0&0&E&E&E&E&0&E\\ E&0&0&E&E&E&E&0 \end{pmatrix} \end{aligned}$$
$$\begin{aligned} P_{\text {A}}=\left( \begin{array}{cccccccccccccccc} 0&0&0&E&E&0&E&0&E&E&0&0&0&E&E&0\\ 0&0&E&0&0&E&0&E&E&E&0&0&E&0&0&E\\ 0&E&0&0&E&0&E&0&0&0&E&E&E&0&0&E\\ E&0&0&0&0&E&0&E&0&0&E&E&0&E&E&0\\ E&0&E&0&0&E&0&0&E&0&0&E&0&0&E&E\\ 0&E&0&E&E&0&0&0&0&E&E&0&0&0&E&E\\ E&0&E&0&0&0&0&E&0&E&E&0&E&E&0&0\\ 0&E&0&E&0&0&E&0&E&0&0&E&E&E&0&0\\ E&E&0&0&E&0&0&E&0&0&E&0&0&E&0&E\\ E&E&0&0&0&E&E&0&0&0&0&E&E&0&E&0\\ 0&0&E&E&0&E&E&0&E&0&0&0&0&E&0&E\\ 0&0&E&E&E&0&0&E&0&E&0&0&E&0&E&0\\ 0&E&E&0&0&0&E&E&0&E&0&E&E&0&0&0\\ E&0&0&E&0&0&E&E&E&0&E&0&0&E&0&0\\ E&0&0&E&E&E&0&0&0&E&0&E&0&0&E&0\\ 0&E&E&0&E&E&0&0&E&0&E&0&0&0&0&E \end{array}\right) \end{aligned}$$
(4) Each word of Py, seen as an element of an extension field of \(\mathbb F_2\), is a linear combination of some other words of y, as in the AES. In the following, we use the matrix representation of finite field elements to write the linear layer of AES as a \(128\times 128\) binary matrix.
Since ShiftRows is a permutation on 16 bytes, it is also a permutation on 128 bits. Therefore, as in the discussion above, we can represent ShiftRows by a permutation matrix \(M_{SR}\in \mathbb F_2^{128\times 128}\). Let \(\mathbb F_{2^8}=\mathbb F_2[x]/\langle f(x)\rangle \), where \(\mathbb F_2[x]\) is the polynomial ring over \(\mathbb F_2\) and \(f(x)=x^8+x^4+x^3+x+1\in \mathbb F_2[x]\) is the defining polynomial of \(\mathbb F_{2^8}\). Then multiplication by \(1=(00000001)\in \mathbb F_{2^8}\) is the \(8\times 8\) identity matrix E, and multiplication by \(2=(00000010)\in \mathbb F_{2^8}\) is the \(8\times 8\) matrix
$$\begin{aligned} M_2=\begin{pmatrix} 0&0&0&0&0&0&0&1\\ 1&0&0&0&0&0&0&1\\ 0&1&0&0&0&0&0&0\\ 0&0&1&0&0&0&0&1\\ 0&0&0&1&0&0&0&1\\ 0&0&0&0&1&0&0&0\\ 0&0&0&0&0&1&0&0\\ 0&0&0&0&0&0&1&0 \end{pmatrix}. \end{aligned}$$
The matrix representation of \(3=(00000011)\) is \(M_3=E\oplus M_2\). Substituting E, \(M_2\) and \(M_3\) for the entries 1, 2 and 3 of the MixColumns matrix gives a \(128\times 128\) binary matrix \(M_{MC}\), and the linear layer of AES can be written as \(M_{MC}M_{SR}\), a \(128\times 128\) matrix over \(\mathbb F_2\).
Generally, no matter which linear transformation a cipher adopts, it is always linear over \(\mathbb F_2\). Therefore, P can always be written as multiplication by a matrix, which leads to the following definition:
Definition 1
Let P be a linear transformation over \(\mathbb F_2^m\) for some positive integer m. The matrix representation of P over \(\mathbb F_2\) is called the primitive representation of P.
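The following is an added example (not code from the paper): it builds the primitive representation of Definition 1 for the linear layers listed above by evaluating each layer on the unit vectors, and then checks the matrix conditions the later sections rely on (whether \(P^T P=E\), whether \(P=P^T=P^{-1}\)) together with the dual layer \((P^{-1})^T\) of Definition 3. The conventions are assumptions of this example: column vectors, bit i of a Python integer is coordinate i, and a matrix is stored as a list of rows with bit j of row i being entry (i, j). The PRESENT permutation, the AES field polynomial and the ARIA and Camellia word matrices are taken from the text above.

```python
"""Added example: primitive representations (Definition 1) of linear layers,
and the matrix checks used by Corollaries 3, 6 and 7 and Examples 5 and 6.
Conventions (assumed here, not fixed by the paper): column vectors; bit i of an
int is coordinate i; a matrix is a list of rows, bit j of row i is entry (i, j)."""
from typing import Callable, List

Mat = List[int]


def primitive_representation(f: Callable[[int], int], m: int) -> Mat:
    """Matrix M over F2 with apply(M, x) == f(x) for every x, when f is linear:
    column i of M is the image f(e_i) of the i-th unit vector."""
    cols = [f(1 << i) for i in range(m)]
    return [sum(((cols[j] >> i) & 1) << j for j in range(m)) for i in range(m)]


def apply(mat: Mat, x: int) -> int:
    """Matrix-vector product over F2: bit i of the result is <row_i, x> mod 2."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(mat))


def transpose(mat: Mat) -> Mat:
    m = len(mat)
    return [sum(((mat[j] >> i) & 1) << j for j in range(m)) for i in range(m)]


def mat_mul(a: Mat, b: Mat) -> Mat:
    """A*B over F2: row i of the product is the XOR of the rows j of B with A[i][j] = 1."""
    out = []
    for row in a:
        acc, j = 0, 0
        while row:
            if row & 1:
                acc ^= b[j]
            row >>= 1
            j += 1
        out.append(acc)
    return out


def identity(m: int) -> Mat:
    return [1 << i for i in range(m)]


def inverse(p: Mat) -> Mat:
    """Gauss-Jordan elimination over F2 on [P | I]; raises ValueError if P is singular."""
    m = len(p)
    aug = [p[i] | (1 << (m + i)) for i in range(m)]
    for col in range(m):
        piv = next((r for r in range(col, m) if (aug[r] >> col) & 1), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(m):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    return [row >> m for row in aug]


def is_orthogonal(p: Mat) -> bool:
    """P^T P = E, the condition of Corollaries 3 and 6."""
    return mat_mul(transpose(p), p) == identity(len(p))


def spn_dual_layer(p: Mat) -> Mat:
    """(P^{-1})^T, the linear layer of the dual structure E_SP^perp (Definition 3)."""
    return transpose(inverse(p))


# Case (1): PRESENT pLayer, bit i -> 16*i mod 63 for i < 63, bit 63 fixed.
def present_player(x: int) -> int:
    y = 0
    for i in range(64):
        y |= ((x >> i) & 1) << (16 * i % 63 if i < 63 else 63)
    return y


# Case (4): multiplication by x ("2") in F_2[x]/(x^8 + x^4 + x^3 + x + 1).
def gf256_times_2(v: int) -> int:
    return ((v << 1) ^ (0x1B if v & 0x80 else 0)) & 0xFF


# Case (3): word matrices P_A (16x16) and P_C (8x8) transcribed from the text; row i
# lists (as E) the input words XORed into output word i.
ARIA_ROWS = ["000EE0E0EE000EE0", "00E00E0EEE00E00E", "0E00E0E000EEE00E", "E0000E0E00EE0EE0",
             "E0E00E00E00E00EE", "0E0EE0000EE000EE", "E0E0000E0EE0EE00", "0E0E00E0E00EEE00",
             "EE00E00E00E00E0E", "EE000EE0000EE0E0", "00EE0EE0E0000E0E", "00EEE00E0E00E0E0",
             "0EE000EE0E0EE000", "E00E00EEE0E00E00", "E00EEE000E0E00E0", "0EE0EE00E0E0000E"]
CAMELLIA_ROWS = ["E0EE0EEE", "EE0EE0EE", "EEE0EE0E", "0EEEEEE0",
                 "EE000EEE", "0EE0E0EE", "00EEEE0E", "E00EEEE0"]
P_A_WORDS = [sum(1 << j for j, c in enumerate(r) if c == "E") for r in ARIA_ROWS]
P_C_WORDS = [sum(1 << j for j, c in enumerate(r) if c == "E") for r in CAMELLIA_ROWS]


def aria_diffusion(x: int) -> int:
    """P_A on a 128-bit state whose byte j is (x >> 8*j) & 0xFF."""
    out = 0
    for i, row in enumerate(P_A_WORDS):
        acc = 0
        for j in range(16):
            if (row >> j) & 1:
                acc ^= (x >> (8 * j)) & 0xFF
        out |= acc << (8 * i)
    return out


def linear_layer_properties() -> dict:
    p_present = primitive_representation(present_player, 64)
    p_aria = primitive_representation(aria_diffusion, 128)
    return {
        "present_orthogonal": is_orthogonal(p_present),                  # Corollary 7
        "present_dual_is_p": spn_dual_layer(p_present) == p_present,      # Example 6
        "aria_symmetric": transpose(p_aria) == p_aria,                    # Example 5
        "aria_involution": mat_mul(p_aria, p_aria) == identity(128),
        "aria_dual_is_p": spn_dual_layer(p_aria) == p_aria,
        "camellia_invertible": mat_mul(inverse(P_C_WORDS), P_C_WORDS) == identity(8),
        "camellia_symmetric": transpose(P_C_WORDS) == P_C_WORDS,          # False: P_C^T != P_C
        "m2_rows": primitive_representation(gf256_times_2, 8),            # the matrix M_2 above
    }


if __name__ == "__main__":
    for name, value in linear_layer_properties().items():
        print(name, value if isinstance(value, bool) else [hex(r) for r in value])
```

Under these conventions the rows of `m2_rows` read, as bit patterns, exactly the rows of \(M_2\) above, PRESENT's P is orthogonal so \((P^{-1})^T=P\), ARIA's P satisfies \(P=P^T=P^{-1}\), and Camellia's \(P_{\text C}\) is invertible but not symmetric, which is why \(\mathcal F_{SP}^\bot\) differs from \(\mathcal F_{SP}\) for Camellia.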
2.3 Structure and Dual Structure
In many cases, when constructing impossible differentials and zero correlation linear hulls, we are only interested in detecting whether there is a difference (mask) at an S-box or not, regardless of the value of this difference (mask); examples are the truncated impossible differentials and zero correlation linear hulls of AES in [4, 27] and of Camellia in [28, 29]. In other words, if these ciphers are instantiated with other S-boxes, these distinguishers still hold. This leads to the following definition:
Definition 2
Let \(E: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a block cipher with bijective S-boxes as the basic nonlinear components.
(1) A structure \(\mathcal E^E\) on \(\mathbb F_2^n\) is defined as the set of block ciphers \(E'\) that are exactly the same as E except that the S-boxes can take all possible bijective transformations on the corresponding domains.
(2) Let \(a,b\in \mathbb F_2^n\). If for every \(E' \in \mathcal E^E\), \(a\rightarrow b\) is an impossible differential (zero correlation linear hull) of \(E'\), then \(a\rightarrow b\) is called an impossible differential (zero correlation linear hull) of \(\mathcal E^E\).
Note. In the definition of \(\mathcal E^E\), if E uses bijective S-boxes, then the S-boxes in \(\mathcal E^E\) should be bijective. However, if the S-boxes used in E are not necessarily bijective, then \(\mathcal E^E\) can be defined as the set of block ciphers \(E'\) that are exactly the same as E except that the S-boxes can take all possible transformations on the corresponding domains. As discussed above, the truncated impossible differentials and zero correlation linear hulls of AES and Camellia found so far are actually impossible differentials and zero correlation linear hulls of \(\mathcal E^{\text {AES}}\) and \(\mathcal E^{\text {Camellia}}\).
Definition 3
Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. Let \(\sigma \) be the operation that exchanges the left and right halves of a state. Then the dual structure \(\mathcal F_{SP}^\bot \) of \(\mathcal F_{SP}\) is defined as \(\sigma \circ \mathcal F_{P^TS}\circ \sigma \).
Let \(\mathcal E_{SP}\) be an SPN structure with primitive representation of the linear transformation P. Then the dual structure \(\mathcal E_{SP}^\bot \) of \(\mathcal E_{SP}\) is defined as \(\mathcal E_{S(P^{-1})^T}\).
3 Links Between Impossible Differential and Zero Correlation Linear Cryptanalysis
In this section, we will show the equivalence between impossible differentials and zero correlation linear hulls of a structure, which will be used to establish the link between impossible differential and integral cryptanalysis in Sect. 5. The next theorem is stated without proof in [17].
Theorem 1
\(a\rightarrow b\) is an r-round impossible differential of \(\mathcal F_{SP}\) if and only if it is an r-round zero correlation linear hull of \(\mathcal F_{SP}^\bot \).
Proof
The proof can be divided into the following two parts (See Fig. 2):
Part (I). We prove that for \((\delta _0,\delta _1)\rightarrow (\delta _r,\delta _{r+1})\), if one can find \(E\in \mathcal F_{SP}^{\bot }\) such that \(c((\delta _0,\delta _1)\cdot x\oplus (\delta _r,\delta _{r+1})\cdot E(x))\ne 0\), then one can find \(E'\in \mathcal F_{SP}\) such that \(p((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r))>0\).
In the following, for any \((x_L,x_R)=(x_{L,1},\ldots ,x_{L,t},x_{R,1},\ldots ,x_{R,t})\in (\mathbb F_2^{s})^{t}\times (\mathbb F_2^{s})^{t}\), we construct an r-round cipher \(E_r\in \mathcal F_{SP}\) such that \(E_r(x_L,x_R)\oplus E_r(x_L\oplus \delta _1,x_R\oplus \delta _0)=(\delta _{r+1},\delta _r)\).
Part (II). We prove that for \((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r)\), if one can find some \(E\in \mathcal F_{SP}\) such that \(p((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r))>0\), one can find some \(E'\in \mathcal F_{SP}^{\bot }\) such that \(c((\delta _0,\delta _1)\cdot x\oplus (\delta _{r},\delta _{r+1})\cdot E'(x))\ne 0\).
This relies on the following fact: for \((\delta _{i,j},\beta _{i,j})\) with \(\delta _{i,j}\ne 0\), there always exists an \(s\times s\) binary matrix \(M_{i,j}\) such that \(\beta _{i,j}=\delta _{i,j}M_{i,j}^T\); then for the linear S-box \(S_{i,j}(x)=xM_{i,j}\) we have \(c(\beta _{i,j}\cdot x\oplus \delta _{i,j}\cdot S_{i,j}(x))=1\).
Similarly, we can prove the following theorem:
Theorem 2
\(a\rightarrow b\) is an r-round impossible differential of \(\mathcal E_{SP}\) if and only if it is an r-round zero correlation linear hull of \(\mathcal E_{SP}^\bot \).
Definition 2 implies that the "impossibility" of an impossible differential of a structure can be caused only by a differential \(\delta _1\rightarrow \delta _2\) where either \(\delta _1 = 0\) or \(\delta _2 = 0\) (but not both) over an invertible S-box, or by a differential \(0 \rightarrow \delta _2\) with \(\delta_2\ne 0\) over a non-invertible S-box. Otherwise, according to the proof of Theorem 1, we can always find an S-box such that \(\delta _1\rightarrow \delta _2\) is a possible differential. Therefore, we have the following corollary:
Corollary 1
The method presented in [7] finds all impossible differentials of \(\mathcal F_{SP}\) and \(\mathcal E_{SP}\).
As a matter of fact, this corollary can be used in the provable security of block ciphers against impossible differential cryptanalysis, since with the help of this corollary, the longest impossible differentials of a given structure could be given.
Corollary 2
Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. If P is invertible, finding zero correlation linear hulls of \(\mathcal F_{SP}\) is equivalent to finding impossible differentials of \(\mathcal F_{SP^T}\).
Example 1
Furthermore, if \(\mathcal F_{SP}=\mathcal F_{SP^T}\) and \(\mathcal E_{SP}=\mathcal E_{S(P^{-1})^T}\), we have:
Corollary 3
For a Feistel structure \(\mathcal F_{SP}\) with SP-type round function, if P is invertible and \(P=P^T\), there is a one-to-one correspondence between impossible differentials and zero correlation linear hulls.
For an SPN structure \(\mathcal E_{SP}\), if \(P^T P=E\), \(a\rightarrow b\) is an impossible differential if and only if it is a zero correlation linear hull.
Example 2
(4-Round Zero Correlation Linear Hull of ARIA). Since the linear layer P of ARIA satisfies \(P^T P=E\), any impossible differential of \(\mathcal E^{\text {ARIA}}\) is automatically a zero correlation linear hull of \(\mathcal E^{\text {ARIA}}\). Therefore, the impossible differentials of 4-round ARIA shown in [28] are also zero correlation linear hulls of 4-round ARIA.
4 Links Between Integral and Zero Correlation Linear Cryptanalysis
Firstly, we give two fundamental statements that give links between integral cryptanalysis and zero correlation linear cryptanalysis:
Lemma 1
Proof
Lemma 2
The proof of Lemma 2 is given in the full version of this paper [31]. The conclusion of [17] that an integral unconditionally implies a zero correlation linear hull is correct only under their definition of integral, which requires that \(c(b\cdot T_{\lambda }(x))=0\). Under the original, more general definition of an integral distinguisher [3], this conclusion need not hold.
From Lemma 1, we can deduce the following:
Corollary 4
Let \(F: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a function on \(\mathbb F_2^n\), and let A be a subspace of \(\mathbb F_2^n\) and \(b\in \mathbb F_2^n\setminus \{0\}\). Suppose that \(A\rightarrow b\) is a zero correlation linear hull of F, then for any \(\lambda \in \mathbb F_2^n\), \(b\cdot F(x\oplus \lambda )\) is balanced on \(A^{\bot }\).
This corollary states that if the input masks of a zero correlation linear hull form a subspace, then a zero correlation linear hull implies an integral distinguisher. Furthermore, the condition that input masks form a subspace can be removed, which leads to the following result:
Theorem 3
A nontrivial zero correlation linear hull of a block cipher always implies the existence of an integral distinguisher.
Proof
Assume that \(A\rightarrow B\) is a nontrivial zero correlation linear hull of a block cipher E. Then we can choose \(0\ne a\in A\) and \(0\ne b\in B\) such that \(\{0,a\}\rightarrow b\) is also a zero correlation linear hull of E.
Since \(V=\{0,a\}\) is a subspace of \(\mathbb F_2^n\), according to Corollary 4, \(b\cdot E(x)\) is balanced on \(V^{\bot }\). This implies an integral distinguisher of E. \(\square \)
In other words, for a zero correlation linear hull \(A\rightarrow b\):
1. if A forms a subspace, an integral distinguisher can be constructed from \(A\rightarrow b\);
2. if A does not form a subspace, we can choose some \(A_1\subset A\) such that \(A_1\) forms a subspace, and an integral distinguisher can then be constructed from \(A_1\rightarrow b\).
It was stated in [17] that a zero correlation linear hull indicates the existence of an integral distinguisher under certain conditions, while Theorem 3 shows that these conditions can be removed. This results in a more applicable link between zero correlation linear cryptanalysis and integral cryptanalysis.
It can be seen that Theorem 3 also gives a new approach to finding integral distinguishers of block ciphers. More specifically, an r-round zero correlation linear hull can be used to construct an r-round integral distinguisher.
5 Links Between Impossible Differential and Integral Cryptanalysis
According to the links given in the previous sections, we establish a link between impossible differential cryptanalysis and integral cryptanalysis:
Theorem 4
Let \(\mathcal E\in \{\mathcal F_{SP}, \mathcal E_{SP}\}\). Then an impossible differential of \(\mathcal E\) always implies the existence of an integral of \(\mathcal E^\bot \).
Proof
By Theorem 3, a zero correlation linear hull of \(\mathcal E^\bot \) always implies the existence of an integral of \(\mathcal E^\bot \); and by Theorems 1 and 2, a zero correlation linear hull of \(\mathcal E^\bot \) can be constructed from an impossible differential of \(\mathcal E\). \(\square \)
In case \(\mathcal E^\bot =A_2\mathcal E A_1\) where \(A_1\) and \(A_2\) are linear transformations, we get the direct links between impossible differential and integral cryptanalysis:
Corollary 5
Example 3
Corollary 6
Let \(\mathcal E_{SP}\) be an SPN structure with the primitive representation of the linear transformation being P. If \(P^T P=\text {diag}(Q_1,\ldots ,Q_t)\), where \(Q_i\in \mathbb F_2^{s\times s}\), then for \(\mathcal E_{SP}\), an impossible differential always implies the existence of an integral distinguisher.
Proof
Firstly, according to Theorem 4, if \(P^T P=E\), an impossible differential of \(\mathcal E_{SP}\) always implies the existence of an integral.
Based on the above two points, we can get the conclusion. \(\square \)
To show applications of these links, we recall that, an \(n\times n\) matrix P is called orthogonal if and only if \(P^T P=E\), where E is the \(n\times n\) identity matrix.
Example 4
Example 5
Since the linear layer P of ARIA is both symmetric and involutional, i.e. \(P=P^{-1}=P^T\), any impossible differential of ARIA that is independent of the choice of the S-boxes implies the existence of an integral distinguisher.
Example 6
One can check that the P used in PRESENT satisfies \(P=(P^{-1})^T\); therefore, an impossible differential that is independent of the details of the S-boxes always leads to the existence of an integral distinguisher. In fact, since a permutation matrix P is always orthogonal, we have the following corollary:
Corollary 7
For an SPN structure that adopts a bit permutation as the diffusion layer, the existence of an r-round impossible differential implies the existence of an r-round integral distinguisher.
6 New Integrals for Block Ciphers/Structures
6.1 New Integrals for Feistel Structures
Let \(\mathcal E_r\) be an r-round Feistel structure \(\mathcal F_{SP}\). Then for any \(a\ne 0\), \(b\ne a\), \((a,0)\rightarrow (0,b)\) is a zero correlation linear hull of \(\mathcal E_3\); and if the round functions are bijective, then for any \(a\ne 0\), \((a,0)\rightarrow (0,a)\) is a zero correlation linear hull of \(\mathcal E_5\).
So far the longest integral distinguisher known for a Feistel structure with bijective round functions counts 4 rounds, and the longest integral distinguisher for a Feistel structure with general round functions counts 2 rounds. We improve these distinguishers by 1 round using Theorem 3.
Proposition 1
Let \(\mathcal E_r\) be an r-round Feistel structure with round functions \(F_i\), and let \((L_r,R_r)\) denote its output.
1. If the \(F_i\)'s are bijective, then for any \(c \in \mathbb F_2^n\), \(c \ne 0\), \(c \cdot R_5\) is balanced on \(\{(0,0),(c,0)\}^{\bot }\) with respect to \(\mathcal E_5\).
2. If the \(F_i\)'s are not necessarily bijective, let \(\{\alpha _0,\ldots ,\alpha _{n-1}\}\) be a basis of \(\mathbb F_2^n\) over \(\mathbb F_2\). Then \(\alpha _{n-1}\cdot R_3\) is balanced on \(\{(\sum _{i=0}^{n-2}c_i\alpha _i,\,0)\mid c_i\in \mathbb F_2\}^\bot \) with respect to \(\mathcal E_3\). This follows from Theorem 3 applied to the hull \(\{(a,0)\mid a\in \langle \alpha _0,\ldots ,\alpha _{n-2}\rangle \}\rightarrow (0,\alpha _{n-1})\), which is zero correlation by the 3-round result above because \(\alpha _{n-1}\) lies outside that span, so \(b=\alpha _{n-1}\ne a\) for every input mask.
As a matter of fact, for any \(c \in \mathbb F_2^n\), \(c \ne 0\), \((c,0)\rightarrow (0,c)\) is a zero correlation linear hull of \(\mathcal E_5\). Thus, according to Theorem 3, we can construct an integral distinguisher of \(\mathcal E_5\): let \((L_0,R_0)\) take all values in \(\{(0,0),(c,0)\}^{\bot }\), i.e. all inputs with \(c\cdot L_0=0\); then \(c \cdot R_5\) is balanced.
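The following is an added example (not code from the paper) that checks the links numerically on a small Feistel structure \(\mathcal F_{SP}\): the 5-round impossible differential \((0,c)\not\rightarrow (c,0)\) of \(\mathcal F_{SP}\) next to the correlation of the same pair in the dual structure \(\sigma \circ \mathcal F_{P^TS}\circ \sigma \) (Theorem 1), the 5-round zero correlation linear hull \((c,0)\rightarrow (0,c)\) of this section, and the Corollary 4 step of Sect. 4 that turns it into the integral of Proposition 1(1). Assumptions of the example: one round is \((L_{i+1},R_{i+1})=(R_i\oplus F_i(L_i),L_i)\), so that a mask \((u,v)\) means \(u\cdot L\oplus v\cdot R\); each \(F_i\) is SP-type with two random bijective 4-bit S-boxes (seeded and constructed here) and the fixed invertible 8-bit P defined in the code; the halves are n = 8 bits so that all \(2^{16}\) inputs can be enumerated; and P and \(P^T\) act on column vectors.

```python
"""Added example: exact checks of Theorem 1, Corollary 4 / Theorem 3 and
Proposition 1(1) on a toy Feistel structure F_SP with 8-bit halves.
Assumed round: (L', R') = (R xor F(L), L); mask (u, v) means u.L xor v.R."""
import random

N = 8                                            # bits per half
random.seed(2015)                                # reproducible S-boxes
PARITY = [bin(i).count("1") & 1 for i in range(256)]


def parity(x: int) -> int:                       # x is always an 8-bit value here
    return PARITY[x]


def random_bijective_sbox(bits: int) -> list:    # constructed toy S-box (a permutation)
    box = list(range(1 << bits))
    random.shuffle(box)
    return box


def linear_p(y: int) -> int:
    """Invertible P on 8 bits: (hi, lo) -> (lo, hi xor rotl1(lo)). Not symmetric."""
    hi, lo = y >> 4, y & 0xF
    return (lo << 4) | (hi ^ (((lo << 1) | (lo >> 3)) & 0xF))


P_COLUMNS = [linear_p(1 << i) for i in range(8)]  # column i of P is P(e_i)


def linear_p_transpose(y: int) -> int:
    """P^T y: coordinate i is the inner product of y with column i of P."""
    return sum(parity(y & P_COLUMNS[i]) << i for i in range(8))


SBOXES = [(random_bijective_sbox(4), random_bijective_sbox(4)) for _ in range(5)]


def s_layer(x: int, boxes) -> int:
    s_hi, s_lo = boxes
    return (s_hi[x >> 4] << 4) | s_lo[x & 0xF]


# F_SP uses the round function P o S; its dual F_{P^T S} uses S o P^T (Definition 3).
ROUNDS_SP = [lambda x, b=b: linear_p(s_layer(x, b)) for b in SBOXES]
ROUNDS_DUAL = [lambda x, b=b: s_layer(linear_p_transpose(x), b) for b in SBOXES]


def feistel(l: int, r: int, rounds, swap: bool = False) -> tuple:
    """Feistel with the given round functions; swap=True conjugates by sigma."""
    if swap:
        l, r = r, l
    for f in rounds:
        l, r = r ^ f(l), l
    return (r, l) if swap else (l, r)


def is_impossible_differential(d_l, d_r, o_l, o_r, rounds) -> bool:
    """True iff no input pair with difference (d_l, d_r) yields output difference (o_l, o_r)."""
    for l in range(1 << N):
        for r in range(1 << N):
            x_l, x_r = feistel(l, r, rounds)
            y_l, y_r = feistel(l ^ d_l, r ^ d_r, rounds)
            if (x_l ^ y_l, x_r ^ y_r) == (o_l, o_r):
                return False
    return True


def correlation_sum(a_l, a_r, b_l, b_r, rounds, swap=False) -> int:
    """Unnormalised correlation sum_x (-1)^{a.x xor b.E(x)} over all 2^(2N) inputs;
    (a_l, a_r) -> (b_l, b_r) is a zero correlation linear hull iff this is 0."""
    total = 0
    for l in range(1 << N):
        for r in range(1 << N):
            o_l, o_r = feistel(l, r, rounds, swap)
            bit = parity(a_l & l) ^ parity(a_r & r) ^ parity(b_l & o_l) ^ parity(b_r & o_r)
            total += 1 - 2 * bit
    return total


def integral_sum(c: int, rounds) -> int:
    """sum (-1)^{c.R_out} over {(L0, R0): c.L0 = 0} = {(0,0),(c,0)}^perp; 0 means balanced."""
    total = 0
    for l in range(1 << N):
        if parity(c & l):
            continue
        for r in range(1 << N):
            total += 1 - 2 * parity(c & feistel(l, r, rounds)[1])
    return total


def theorem1_check(c: int) -> tuple:
    """(the ID (0,c) -/-> (c,0) holds in 5-round F_SP,
        correlation of (0,c) -> (c,0) in the dual sigma o F_{P^T S} o sigma)."""
    return (is_impossible_differential(0, c, c, 0, ROUNDS_SP),
            correlation_sum(0, c, c, 0, ROUNDS_DUAL, swap=True))


def corollary4_check(c: int) -> tuple:
    """Corollary 4 with A = {0,(c,0)}, b = (0,c): the imbalance of c.R_5 on A^perp equals
    (corr(0 -> b) + corr((c,0) -> b)) / 2, so two zero correlations force balance."""
    zero_to_b = correlation_sum(0, 0, 0, c, ROUNDS_SP)
    a_to_b = correlation_sum(c, 0, 0, c, ROUNDS_SP)
    return integral_sum(c, ROUNDS_SP), (zero_to_b + a_to_b) // 2


if __name__ == "__main__":
    print("Theorem 1:", theorem1_check(0x01))        # (True, 0)
    print("Corollary 4:", corollary4_check(0x01))    # (0, 0)
```

Both checks are exact rather than statistical: the hull correlation of a Feistel cipher is the sum over all linear trails of the products of the round correlations, and for the masks above every trail contains a round in which a bijective \(F_i\) has output mask zero and input mask nonzero (or vice versa), so every summand vanishes; likewise the differential is impossible because it would force \(F_3\) to map a nonzero input difference to a zero output difference. Replacing the S-boxes by any other permutations leaves all results unchanged, which is exactly the "structure" view of Definition 2. With a single round, \((c,0)\rightarrow (0,c)\) has correlation one, which `correlation_sum(c, 0, 0, c, ROUNDS_SP[:1])` reports as \(2^{16}\).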
6.2 24-Round Integral for CAST-256
The block cipher CAST-256 was proposed as a first-round AES candidate; we refer to [34] for details. Firstly, we recall the following zero correlation linear property given in [17].
Property 1
\((0,0,0,L_1) \rightarrow (0,0,0,L_2)\) is a zero correlation linear hull of 24-round CAST-256 (from the 13th round to the 36th round), where \(L_1 \ne 0\), \(L_2 \ne 0\) and \(L_1 \ne L_2\).
Let \(L_1^*=\{(l_1,l_2,\ldots ,l_{31},0)\mid l_i \in \mathbb F_2\}\) and \(L_2 = (0,\ldots ,0,1)\). Since \(L_2\notin L_1^*\), Property 1 gives a zero correlation linear hull \((0,0,0,L_1^*) \rightarrow (0,0,0,L_2)\) for the 24-round CAST-256 whose input masks form a subspace. According to Theorem 3, we get the following result:
Proposition 2
Let \(V=\{(x_1,x_2,x_3,0^{31}\|y)\mid x_i\in \mathbb F_2^{32},\ y\in \mathbb F_2\}\). If the input takes all values in V, and the output of the 24 rounds (from the 13th to the 36th round) is \((C_0,C_1,C_2,C_3)\in (\mathbb F_2^{32})^{4}\), then \((0,\ldots ,0,1) \cdot C_3\) is balanced.
Based on this integral distinguisher, we present a key recovery attack on 28-round CAST-256, which is the best known attack on CAST-256 in the non-weak-key model. The details of the attack are given in the full version of this paper [31].
6.3 12-Round Integral for SMS4
The SMS4 [35] block cipher was designed by the Chinese government as part of the WAPI standard for wireless networks. To date, the longest known integral distinguisher of SMS4 covers 10 rounds [36]. The details of SMS4 and the proofs of the following propositions are given in the full version of this paper [31].
Proposition 3
Let \(V=\{v\in (\mathbb F_2^8)^4\mid HW(v\mathcal L^T)=1\}\), where \(\mathcal L\) denotes the linear transformation of the SMS4 round function and \(HW(x_1,x_2,x_3,x_4)=\#\{i : x_i\ne 0,\ i=1,2,3,4\}\). For any \(d\in V\), \((0,0,0,d)\rightarrow (d,0,0,0)\) is a 12-round zero correlation linear hull of SMS4.
Proposition 4
Note that most of the known integral distinguishers are independent of the choice of the S-boxes. The integral distinguisher presented above, however, depends closely on the S-boxes: different S-boxes yield different zero correlation linear hulls, which in turn lead to different integral distinguishers of SMS4.
6.4 8-Round Integral for Camellia Without \(FL/FL^{-1}\) Layer
Based on the 8-round zero correlation linear hull presented in Example 1, we get the following 8-round integral of Camellia without \(FL/FL^{-1}\) layer:
Proposition 5
7 Conclusion

We derived the relation between impossible differentials of \(\mathcal E\) and zero correlation linear hulls of \(\mathcal E^\bot \). We have shown that for a Feistel structure \(\mathcal F_{SP}\) with SP-type round functions where P is invertible, constructing a zero correlation linear hull of \(\mathcal F_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal F_{SP^T}\), which is the same structure as \(\mathcal F_{SP}\) with \(P^T\) instead of P. For an SPN structure \(\mathcal E_{SP}\), constructing a zero correlation linear hull of \(\mathcal E_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal E_{S(P^{-1})^T}\), which is the same structure as \(\mathcal E_{SP}\) with \((P^{-1})^T\) instead of P.

We presented the relation between zero correlation linear hulls and integral distinguishers of block ciphers. As proven in Sect. 4, a zero correlation linear hull always implies the existence of an integral distinguisher, whereas in [17] this statement holds only under certain conditions. Meanwhile, we have observed that the statement “integral unconditionally implies zero correlation linear hull” in [17] is correct only under the definition of an integral property as a balanced vectorial boolean function; it does not hold in the general case (i.e., for the integral defined in [3], which is a zero-sum property).

We built the link between impossible differentials of \(\mathcal E\) and integral distinguishers of \(\mathcal E^\bot \). We have demonstrated that an r-round impossible differential of \(\mathcal E\) always leads to an r-round integral distinguisher of \(\mathcal E^\bot \). In the case that \(\mathcal E\) and \(\mathcal E^\bot \) are linearly equivalent, we obtained some direct links between impossible differentials and integral distinguishers of \(\mathcal E\). Specifically, an r-round impossible differential of an SPN structure which adopts a bit permutation as the linear layer always indicates the existence of an r-round integral distinguisher.

The automatic search tool presented by Wu and Wang at Indocrypt 2012 finds all impossible differentials of both Feistel structures with SP-type round functions and SPN structures, which is useful for the provable security of block ciphers against impossible differential cryptanalysis.

Our statement “a zero correlation linear hull always implies the existence of an integral distinguisher” provides a novel way of constructing integral distinguishers of block ciphers. With this observation, we have improved the integral of Feistel structures by 1 round, built a 24-round integral of CAST256, proposed a 12-round integral of SMS4 which is 2 rounds longer than the previously best known ones, and presented an 8-round integral of Camellia without \(FL/FL^{-1}\) layers. These distinguishers could not be obtained either by the previously known methods for constructing integral distinguishers or by using the link given in [17]. Moreover, we have presented the best known key recovery attack on CAST256 in the non-weak key model to show that the new links can also be used to improve cryptanalytic results on some concrete ciphers.
By using the matrix representation given in [37], the concept of dual structure can be extended to generalized Feistel structures, and we can get similar results for these structures. Furthermore, we have focused on the links among the distinguishers used in impossible differential, integral and zero correlation linear cryptanalysis since distinguishers are the essential points in the evaluation of security margins of a block cipher against various cryptanalytic tools, and our results can be helpful in designing a block cipher from this point of view.
References
1. Knudsen, L.R.: DEAL – A 128-bit Block Cipher. Technical report, Department of Informatics, University of Bergen, Norway (1998)
2. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
3. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)
4. Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Crypt. 70(3), 369–383 (2014)
5. Kim, J., Hong, S., Lim, J.: Impossible differential cryptanalysis using matrix method. Discrete Math. 310(5), 988–1002 (2010)
6. Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263(1), 211–220 (2014)
7. Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012)
8. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)
9. Lucks, S.: The saturation attack – a bait for Twofish. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2002)
10. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001)
11. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello Jr., D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography: Two Sides of One Tapestry, vol. 276, pp. 227–233. Springer, USA (1994)
12. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
13. Picek, S., Batina, L., Jakobović, D., Ege, B., Golub, M.: S-box, SET, match: a toolbox for S-box analysis. In: Naccache, D., Sauveron, D. (eds.) WISTP 2014. LNCS, vol. 8501, pp. 140–149. Springer, Heidelberg (2014)
14. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)
15. Sun, B., Li, R., Qu, L., Li, C.: SQUARE attack on block ciphers with low algebraic degree. Sci. China Inf. Sci. 53(10), 1988–1995 (2010)
16. Leander, G.: On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011)
17. Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012)
18. Blondeau, C., Nyberg, K.: New links between differential and linear cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013)
19. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 411–430. Springer, Heidelberg (2015)
20. Blondeau, C., Bogdanov, A., Wang, M.: On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel and Skipjack-type ciphers. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 271–288. Springer, Heidelberg (2014)
21. Blondeau, C., Nyberg, K.: Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 165–182. Springer, Heidelberg (2014)
22. Carlet, C.: Boolean Functions for Cryptography and Error Correcting Codes. Cambridge University Press, Cambridge (2006)
23. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
24. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
25. Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms – design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)
26. Kwon, D., et al.: New block cipher: ARIA. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 432–445. Springer, Heidelberg (2004)
27. Mala, H., Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M.: Improved impossible differential cryptanalysis of 7-round AES-128. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010)
28. Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of round-reduced ARIA and Camellia. J. Comput. Sci. Technol. 22(3), 449–456 (2007)
29. Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014)
30. Lei, D., Chao, L., Feng, K.: New observation on Camellia. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 51–64. Springer, Heidelberg (2006)
31. Sun, B., Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., Alkhzaimi, H., Li, C.: Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis. http://eprint.iacr.org/2015/181.pdf
32. Lee, C., Cha, Y.: The block cipher: SNAKE with provable resistance against DC and LC attacks. In: Proceedings of 1997 Korea-Japan Joint Workshop on Information Security and Cryptology (JWISC 1997), pp. 3–17 (1997)
33. Moriai, S., Shimoyama, T., Kaneko, T.: Interpolation attacks of the block cipher: SNAKE. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 275–289. Springer, Heidelberg (1999)
34. First AES Candidate Conference. http://csrc.nist.gov/archive/aes/round1/conf1/aes1conf.htm
35. Specification of SMS4, Block Cipher for WLAN Products – SMS4 (in Chinese). http://www.oscca.gov.cn/UpFile/200621016423197990.pdf
36. Zhang, W., Su, B., Wu, W., Feng, D., Wu, C.: Extending higher-order integral: an efficient unified algorithm of constructing integral distinguishers for block ciphers. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 117–134. Springer, Heidelberg (2012)
37. Berger, T.P., Minier, M., Thomas, G.: Extended generalized Feistel networks using matrix representation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 289–305. Springer, Heidelberg (2014)