Advertisement

Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)

Abstract

As two important cryptanalytic methods, impossible differential and integral cryptanalysis have attracted much attention in recent years. Although relations among other cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.

Firstly, by introducing the concept of structure and dual structure, we prove that \(a\rightarrow b\) is an impossible differential of a structure \(\mathcal E\) if and only if it is a zero correlation linear hull of the dual structure \(\mathcal E^\bot \). Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with SP-type round functions and SPN structures. Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher. With this observation we improve the number of rounds of integral distinguishers of Feistel structures, CAST-256, SMS4 and Camellia. Finally, we conclude that an r-round impossible differential of \(\mathcal E\) always leads to an r-round integral distinguisher of the dual structure \(\mathcal E^\bot \). In the case that \(\mathcal E\) and \(\mathcal E^\bot \) are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of \(\mathcal E\).

Our results could help to classify different cryptanalytic tools and facilitate the task of evaluating security of block ciphers against various cryptanalytic approaches.

Keywords

Impossible differential Integral Zero correlation linear Feistel SPN Camellia CAST-256 SMS4 PRESENT PRINCE ARIA 

1 Introduction

Block ciphers are considered vital elements in constructing many symmetric cryptographic schemes such as encryption algorithms, hash functions, authentication schemes and pseudo-random number generators. The core security of these schemes depends on the resistance of the underlying block ciphers to known cryptanalytic techniques. So far a variety of cryptanalytic techniques have been proposed such as impossible differential cryptanalysis [1, 2], integral cryptanalysis [3], zero correlation linear cryptanalysis [4], etc.

Impossible differential cryptanalysis was independently proposed by Knudsen [1] and Biham [2]. One of the most popular impossible differentials is called a truncated impossible differential. It is independent of the choices of the S-boxes. Several approaches have been proposed to derive truncated impossible differentials of a block cipher/structure effectively such as the \(\mathcal {U}\)-method [5], \(\textit{UID}\)-method [6] and the extended tool of the former two methods generalized by Wu and Wang in Indocrypt 2012 [7]. Integral cryptanalysis [3] was first proposed by Knudsen and Wagner, and a number of these ideas have been exploited, such as square attack [8], saturation attack [9], multi-set attack [10], and higher order differential attack [11, 12]. With some special inputs, we check whether the sum of the corresponding ciphertexts is zero or not. Usually, we do not need to investigate the details of the S-boxes and only view the S-boxes as some bijective transformations over finite fields. Zero correlation linear cryptanalysis, proposed by Bogdanov and Rijmen in [4], tries to construct some linear hulls with correlation exactly zero. In most cases, as in impossible differential and integral cryptanalysis, we do not need to investigate the details of the S-boxes. Generally, though there has been lots of work concentrating on the design and cryptanalysis of S-boxes [13], most cryptanalytic results by using impossible differential, integral and zero correlation linear cryptanalysis are independent of the choices of the S-boxes. If we choose some other S-boxes in a cipher, the corresponding cryptanalytic results will remain almost the same.

Along with the growing of the list of cryptanalytic tools, the question whether there are direct links or any connections among different tools has drawn much attention of the cryptographic research community, since such relations can be used to compare the effectiveness of different tools as well as to improve cryptanalytic results on block ciphers.

Efforts to find and build the links among different cryptanalytic techniques were initiated by Chabaud and Vaudenay in [14], where a theoretical link between differential and linear cryptanalysis was presented. After that, many attempts have been made to establish further relations among various cryptanalytic tools. In [15], Sun et al. proved that from an algebraic view, integral cryptanalysis can be seen as a special case of the interpolation attack. In [16], Leander stated that statistical saturation distinguishers are averagely equivalent to multidimensional linear distinguishers. In [17], Bogdanov et al. showed that an integral implies a zero correlation linear hull unconditionally, a zero correlation linear hull indicates an integral distinguisher under certain conditions, and a zero correlation linear hull is actually a special case of multidimensional linear distinguishers. In [18], Blondeau and Nyberg further analyzed the link between differential and linear cryptanalysis and demonstrated some new insights on this link to make it more applicable in practice. They established new formulas between the probability of truncated differentials and the correlation of linear hulls. This link was later applied in [19] to provide an exact expression of the bias of a differential-linear approximation. Moreover, they claimed that the existence of a zero correlation linear hull is equivalent to the existence of an impossible differential in some specific cases [18]. As shown in [20], this link is usually not practical for most known impossible differential or zero correlation linear distinguishers, since the sum of the dimensions of input and output of each distinguisher is always the block size of the cipher, which means if the dimension parameter for one type is small, it will be infeasibly large for the other type. Blondeau et al. proposed a practical relation between these two distinguishers for Feistel-type and Skipjack-type ciphers and showed some equivalence between impossible differentials and zero correlation linear hulls with respect to Feistel-type and Skipjack-type ciphers [20]. In [21], Blondeau and Nyberg gave the link between truncated differential and multidimensional linear approximation, and then applied this link to explore the relations between the complexities of chosen-plaintext and known-plaintext distinguishing/key recovery attacks of differential and linear types. Moreover, they showed that statistical saturation cryptanalysis is indeed equivalent to truncated differential cryptanalysis, which could be used to estimate the data requirement of the statistical saturation key recovery attack.

Contributions. Although there have been intriguing results with respect to the relations among some important cryptanalytic approaches, the link between impossible differential cryptanalysis and integral cryptanalysis is still missing. In this paper, we aim to explore the link between these two cryptanalytic methods. Since the fundamental step in statistical cryptanalysis of block ciphers is to construct effective distinguishers, we focus on building the links among impossible differential, zero correlation linear and integral cryptanalysis from the aspect of distinguishers. Our main contributions are as follows (see Fig. 1).
Fig. 1.

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis, where \(\mathcal E\) is a structure and \(\mathcal E^\bot \) is the dual structure of \(\mathcal E\), \(A_1\) and \(A_2\) are linear transformations applied before the input and after the output of \(\mathcal E\).

  1. 1.

    We characterize what “being independent of the choices of S-boxes” means by proposing the definition of structure \(\mathcal E\), which is a set containing some ciphers that are “similar” to each other. Then, by introducing the dual structure \(\mathcal E^\bot \), we prove that \(a\rightarrow b\) is an impossible differential of \(\mathcal E\) if and only if it is a zero correlation linear hull of \(\mathcal E^\bot \). More specifically, let \(P^T\) and \(P^{-1}\) denote the transpose and inverse of P respectively. Then for a Feistel structure with SP-type round functions where P is invertible, denoted as \(\mathcal F_{SP}\), constructing an r-round zero correlation linear hull is equivalent to constructing an impossible differential of \(\mathcal F_{SP^T}\), which is the same structure as \(\mathcal F_{SP}\) with \(P^T\) instead of P; For an SPN structure \(\mathcal E_{SP}\), constructing an r-round zero correlation linear hull of \(\mathcal E_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal E_{S(P^{-1})^T}\), which is the same structure as \(\mathcal E_{SP}\) with \((P^{-1})^T\) instead of P. Based on this result, we find 8-round zero correlation linear hulls of Camellia without \(FL/FL^{-1}\) layer and 4-round zero correlation linear hulls of ARIA.

     
  2. 2.

    We show that the automatic search tool, presented by Wu and Wang in Indocrypt 2012, could find all impossible differentials of a cipher that are independent of the choices of the S-boxes. This can be used in provable security of block ciphers against impossible differential cryptanalysis.

     
  3. 3.

    We find that a zero correlation linear hull always implies the existence of an integral distinguisher, which means the conditions used for deriving integral distinguisher from zero correlation linear hull in [17] can be removed. Meanwhile, we observe that the statement “integral unconditionally implies zero correlation linear hull” in [17] is correct only under the definition that integral property is a balanced vectorial boolean function, while it does not hold for the general case. For example, up to date we cannot use the integral distinguisher for 4-round AES (with extra MixColumns) [4, 8] to construct a zero correlation linear hull.

     
  4. 4.

    Following the results given above, we build the link between impossible differential cryptanalysis and integral cryptanalysis, i.e., an r-round impossible differential of a structure \(\mathcal E\) always implies the existence of an r-round integral distinguisher of \(\mathcal E^\bot \). Moreover, in the case that \(\mathcal E^\bot =A_2\mathcal E A_1\) where \(A_1\) and \(A_2\) are linear transformations, we could get direct links between impossible differential cryptanalysis and integral cryptanalysis of \(\mathcal E\). Specifically, an r-round impossible differential of SPN structure which adopts bit permutation as the linear layer, always leads to an r-round integral distinguisher.

     
  5. 5.

    We improve the integrals of Feistel structures by 1 round, build a 24-round integral of CAST-256, present a 12-round integral of SMS4 which is 2-round longer than previously best known ones, and construct an 8-round integral for Camellia without \(FL/FL^{-1}\) layers. These distinguishers could not be obtained by the known methods for constructing integral distinguishers or by using the link given in [17]. As an example, the best known key recovery attack on reduced round CAST-256 in non-weak key model is given to show the effectiveness of the newly constructed distinguishers.

     
Organization. The remainder of this paper is organized as follows. Section 2 introduces the notations and concepts that will be used throughout the paper. In Sect. 3, we establish the new links between impossible differential and zero correlation linear cryptanalysis. Section 4 shows the refined link between integral and zero correlation linear cryptanalysis. The link between impossible differential and integral cryptanalysis is presented in Sect. 5. Then in Sect. 6, we give some examples to show the effectiveness of the newly established links in constructing new distinguishers of block ciphers. Finally, Sect. 7 concludes this paper.

2 Preliminaries

2.1 Boolean Functions

This section recalls the notations and concepts [22] which will be used throughout this paper. Let \(\mathbb F_2\) denote the finite field with two elements, and \(\mathbb F_2^n\) be the vector space over \(\mathbb F_2\) with dimension n. Let \(a=(a_1,\ldots ,a_n), b=(b_1,\ldots ,b_n)\in \mathbb F_2^n\). Then
$$a\cdot b\triangleq a_1b_1\oplus \cdots \oplus a_nb_n$$
denotes the inner product of a and b. Note that the inner product of a and b can be written as \(ab^T\) where \(b^T\) stands for the transpose of b and the multiplication is defined as matrix multiplication. Given a function \(G: \mathbb F^n_2\rightarrow \mathbb F_2\), the correlation of G is defined by
$$c(G(x))\triangleq \frac{\#\{x\in \mathbb F_2^n|G(x)=0\}-\#\{x\in \mathbb F_2^n|G(x)=1\}}{2^n}=\frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{G(x)}.$$
Given a vectorial function \(H: \mathbb F^n_2\rightarrow \mathbb F^k_2\), the correlation of the linear approximation for a k-bit output mask b and an n-bit input mask a is defined by
$$c(a\cdot x\oplus b\cdot H(x))\triangleq \frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{a\cdot x\oplus b\cdot H(x)}.$$
If \(c(a\cdot x\oplus b\cdot H(x))=0\), then \(a\rightarrow b\) is called a zero correlation linear hull of H [4]. This definition can be extended as follows: Let \(A\subseteq \mathbb F_2^n\), \(B\subseteq \mathbb F_2^k\). If for all \(a\in A\), \(b\in B\), \(c(a\cdot x\oplus b\cdot H(x))=0\), then \(A\rightarrow B\) is called a zero correlation linear hull of H. In the case that H is a permutation on \(\mathbb F_2^n\), for any \(b\ne 0\), \(c(b\cdot H(x))=0\) and for any \(a\ne 0\), \(c(a\cdot x)=0\). We call \(0\rightarrow b\) and \(a\rightarrow 0\) trivial zero correlation linear hulls of H where \(a\ne 0\) and \(b\ne 0\). Let \(A\subseteq \mathbb F_2^n\). If the size of the set
$$H_A^{-1}(y)\triangleq \{x\in A|H(x)=y\}$$
is independent of \(y\in \mathbb F_2^k\), we say H is balanced on A. Specifically, if \(A=\mathbb F_2^n\), we say H is a balanced function. If the sum of all images of H is 0, i.e.
$$\sum _{x\in \mathbb F_2^n}H(x)=0,$$
we say H has an integral-balanced (zero-sum) property [3]. Let \(\delta \in \mathbb F_2^n\) and \(\varDelta \in \mathbb F_2^k\). The differential probability of \(\delta \rightarrow \varDelta \) is defined as
$$p(\delta \rightarrow \varDelta )\triangleq \frac{\#\{x\in \mathbb F_2^n|H(x)\oplus H(x\oplus \delta )=\varDelta \}}{2^n}.$$
If \(p(\delta \rightarrow \varDelta )=0\), then \(\delta \rightarrow \varDelta \) is called an impossible differential of H [1, 2]. Let \(A\subseteq \mathbb F_2^n\), \(B\subseteq \mathbb F_2^k\). If for all \(a\in A\) and \(b\in B\), \(p(a\rightarrow b)=0\), \(A\rightarrow B\) is called an impossible differential of H. We recall the following property of balanced boolean functions: a function \(G:\mathbb F_2^n\rightarrow \mathbb F_2\) is balanced if and only if \(c(G(x))=0\).

2.2 Block Ciphers

Feistel Ciphers. An r-round Feistel cipher E is defined as follows: Let \((L_0,R_0)\in \mathbb F_2^{2n}\) be the input of E. Iterate the following transformation r times:
$$\begin{aligned} {\left\{ \begin{array}{ll}L_{i+1}=F_i(L_i)\oplus R_i\\ R_{i+1}=L_i \end{array}\right. }\quad 0\le i \le r-1, \end{aligned}$$
where \(L_i, R_i \in \mathbb F_2^{n}\). The output of the r-th iteration is defined as the output of E. In this paper, we will focus on the case that \(F_i\)’s are SP-type functions which will be defined in the following.

SPN Ciphers. The SPN structure is widely used in constructing cryptographic primitives. It iterates some SP-type round functions to achieve confusion and diffusion. Specifically, the SP-type function \(f: \mathbb F_2^{s\times t}\rightarrow \mathbb F_2^{s\times t}\) used in this paper is defined as follows: Assume the input x is divided into t pieces \(x=(x_0,\ldots ,x_{t-1})\), and each of the \(x_i\)’s is an s-bit word. Then apply the nonlinear transformation \(S_i\) to \(x_i\) and let \(y=(S_0(x_0),\ldots ,S_{t-1}(x_{t-1}))\in \mathbb F_2^{s\times t}\). At last, apply a linear transformation P to y, and Py is the output of f.

The following strategies are popular in designing the diffusion layer P of a cipher:
  1. (1)
    P is a bit-wise permutation of \(\mathbb F_2^{s\times t}\) as in PRESENT [23]. PRESENT adopts bit permutation as the diffusion layer P, which can be defined as a permutation matrix \(P=(P_{i,j})_{64\times 64}\):
    $$\begin{aligned} P_{i,j}={\left\{ \begin{array}{ll}~~1\qquad \text {if j=16i mod 63}\\ ~~0\qquad {\text {otherwise}}. \end{array}\right. }\end{aligned}$$
     
  2. (2)

    Each bit of Py is a sum of some bits of y as in PRINCE [24]. Firstly, we will define SR and \(M'\) as follows:

    SR permutes the 16 nibbles, therefore it is a permutation of 64 bits and we could write SR as a permutation matrix in \(\mathbb F_2^{64\times 64}\).

    To construct \(M'\), we first define
    $$\begin{aligned} \hat{M}^{(0)}=\small \begin{pmatrix}M_0&{}M_1&{}M_2&{}M_3\\ M_1&{}M_2&{}M_3&{}M_0\\ M_2&{}M_3&{}M_0&{}M_1\\ M_3&{}M_0&{}M_1&{}M_2 \end{pmatrix},\quad \hat{M}^{(1)}=\begin{pmatrix} M_1&{}M_2&{}M_3&{}M_0\\ M_2&{}M_3&{}M_0&{}M_1\\ M_3&{}M_0&{}M_1&{}M_2\\ M_0&{}M_1&{}M_2&{}M_3 \end{pmatrix} \end{aligned}$$
    where
    $$\begin{aligned} M_0=\begin{pmatrix}0&{}0&{}0&{}0\\ 0&{}1&{}0&{}0\\ 0&{}0&{}1&{}0\\ 0&{}0&{}0&{}1\end{pmatrix}, M_1=\begin{pmatrix}1&{}0&{}0&{}0\\ 0&{}0&{}0&{}0\\ 0&{}0&{}1&{}0\\ 0&{}0&{}0&{}1\end{pmatrix}, M_2=\begin{pmatrix}1&{}0&{}0&{}0\\ 0&{}1&{}0&{}0\\ 0&{}0&{}0&{}0\\ 0&{}0&{}0&{}1\end{pmatrix}, M_3=\begin{pmatrix}1&{}0&{}0&{}0\\ 0&{}1&{}0&{}0\\ 0&{}0&{}1&{}0\\ 0&{}0&{}0&{}0\end{pmatrix}, \end{aligned}$$
    and then we define \(M'=\text {diag}(\hat{M}^{(0)},\hat{M}^{(1)},\hat{M}^{(1)},\hat{M}^{(0)})\), which is a \(64\times 64\) block diagonal matrix.

    \(M'\) is used as the linear transformation of the middle round. The transformations \(M=SR\circ M'\) and \(M^{-1}\) are used before and after the middle round, respectively.

     
  3. (3)
    Each word of Py is a sum of some words of y as in Camellia [25] and ARIA [26]. The block cipher Camellia was recommended in the NESSIE block cipher portfolio in 2003 and selected as a new international standard by ISO/IEC in 2005. ARIA is a 128-bit block cipher established as a Korean Standard by the Ministry of Commerce, Industry and Energy in 2004. The linear transformations \(P_{\text {C}}\) and \(P_{\text {A}}\) of Camellia and ARIA could be written as follows:
    $$\begin{aligned} P_{\text {C}}=\small \begin{pmatrix} E&{}0&{}E&{}E&{}0&{}E&{}E&{}E&{}\\ E&{}E&{}0&{}E&{}E&{}0&{}E&{}E&{}\\ E&{}E&{}E&{}0&{}E&{}E&{}0&{}E&{}\\ 0&{}E&{}E&{}E&{}E&{}E&{}E&{}0&{}\\ E&{}E&{}0&{}0&{}0&{}E&{}E&{}E&{}\\ 0&{}E&{}E&{}0&{}E&{}0&{}E&{}E&{}\\ 0&{}0&{}E&{}E&{}E&{}E&{}0&{}E&{}\\ E&{}0&{}0&{}E&{}E&{}E&{}E&{}0&{} \end{pmatrix}\quad P_{\text {A}}=\small \left( \begin{array}{cccccccccccccccc} 0&{}0&{}0&{}E&{}E&{}0&{}E&{}0&{}E&{}E&{}0&{}0&{}0&{}E&{}E&{}0\\ 0&{}0&{}E&{}0&{}0&{}E&{}0&{}E&{}E&{}E&{}0&{}0&{}E&{}0&{}0&{}E\\ 0&{}E&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}0&{}E&{}E&{}E&{}0&{}0&{}E\\ E&{}0&{}0&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}E&{}E&{}0&{}E&{}E&{}0\\ E&{}0&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}E\\ 0&{}E&{}0&{}E&{}E&{}0&{}0&{}0&{}0&{}E&{}E&{}0&{}0&{}0&{}E&{}E\\ E&{}0&{}E&{}0&{}0&{}0&{}0&{}E&{}0&{}E&{}E&{}0&{}E&{}E&{}0&{}0\\ 0&{}E&{}0&{}E&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}E&{}E&{}E&{}0&{}0\\ E&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}0&{}0&{}E&{}0&{}E\\ E&{}E&{}0&{}0&{}0&{}E&{}E&{}0&{}0&{}0&{}0&{}E&{}E&{}0&{}E&{}0\\ 0&{}0&{}E&{}E&{}0&{}E&{}E&{}0&{}E&{}0&{}0&{}0&{}0&{}E&{}0&{}E\\ 0&{}0&{}E&{}E&{}E&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}E&{}0&{}E&{}0\\ 0&{}E&{}E&{}0&{}0&{}0&{}E&{}E&{}0&{}E&{}0&{}E&{}E&{}0&{}0&{}0\\ E&{}0&{}0&{}E&{}0&{}0&{}E&{}E&{}E&{}0&{}E&{}0&{}0&{}E&{}0&{}0\\ E&{}0&{}0&{}E&{}E&{}E&{}0&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}E&{}0\\ 0&{}E&{}E&{}0&{}E&{}E&{}0&{}0&{}E&{}0&{}E&{}0&{}0&{}0&{}0&{}E \end{array}\right) \end{aligned}$$
    where E and 0 denote \(8\times 8\) identity and zero matrices, respectively.
     
  4. (4)

    Each word of Py, seen as an element of some extension fields of \(\mathbb F_2\), is a linear combination of some other words of y as in the AES. In the following, we will use the matrix expression of finite fields to show how to write the linear layer of AES as a \(128\times 128\) binary matrix:

    Since ShiftRows is a permutation on 16 bytes, it is also a permutation on 128 bits. Therefore, as in the discussion above, we can represent ShiftRows as a permutation matrix \(M_{SR}\) in \(\mathbb F_2^{128\times 128}\). Let \(\mathbb F_{2^8}=\mathbb F_2[x]/<f(x)>\) where \(\mathbb F_2[x]\) is the polynomial ring over \(\mathbb F_2\), \(f(x)=x^8+x^4+x^3+x+1\in \mathbb F_2[x]\) is the defining polynomial of \(\mathbb F_{2^8}\). Then \(1=(00000001)\in \mathbb F_{2^8}\) can be written as the \(8\times 8\) identity matrix E, \(2=(00000010)\in \mathbb F_{2^8}\) can be written as the following \(8\times 8\) matrix:
    $$\begin{aligned} M_2=\small \begin{pmatrix} 0&{}0&{}0&{}0&{}0&{}0&{}0&{}1\\ 1&{}0&{}0&{}0&{}0&{}0&{}0&{}1\\ 0&{}1&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}1&{}0&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}1&{}0&{}0&{}0&{}1\\ 0&{}0&{}0&{}0&{}1&{}0&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}1&{}0&{}0\\ 0&{}0&{}0&{}0&{}0&{}0&{}1&{}0 \end{pmatrix} \end{aligned}$$
    and the matrix representation of \(3=(00000011)\) is \(M_3=E\oplus M_2\). If we substitute 1, 2 and 3 in MixColumns by E, \(M_2\) and \(M_3\), respectively, we get a \(128\times 128\) binary matrix \(M_{MC}\) and the linear layer of AES can be written as \(M_{MC}M_{SR}\) which is a \(128\times 128\) matrix over \(\mathbb F_2\).

    Generally, no matter which linear transformation a cipher adopts, it is always linear over \(\mathbb F_2\). Therefore, P can always be written as a multiplication by a matrix which leads to the following definition:

     

Definition 1

Let P be a linear transformation over \(\mathbb F_2^m\) for some positive integer m. The matrix representation of P over \(\mathbb F_2\) is called the primitive representation of P.

2.3 Structure and Dual Structure

In many cases, when constructing impossible differentials and zero correlation linear hulls, we are only interested in detecting whether there is a difference (mask) of an S-box or not, regardless of the value of this difference (mask). For example, the truncated impossible differential and zero correlation linear hull of AES in [4, 27] and Camellia in [28, 29]. In other words, if these ciphers adopt some other S-boxes, these distinguishers still hold. This leads to the following definition:

Definition 2

Let \(E: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a block cipher with bijective S-boxes as the basic non-linear components.

  1. (1)

    A structure \(\mathcal E^E\) on \(\mathbb F_2^n\) is defined as a set of block ciphers \(E'\) which is exactly the same as E except that the S-boxes can take all possible bijective transformations on the corresponding domains.

     
  2. (2)

    Let \(a,b\in \mathbb F_2^n\). If for any \(E' \in \mathcal E^E\), \(a\rightarrow b\) is an impossible differential (zero correlation linear hull) of \(E'\), \(a\rightarrow b\) is called an impossible differential (zero correlation linear hull) of \(\mathcal E^E\).

     

Note. In the definition of \(\mathcal E^E\), if E uses bijective S-boxes, then the S-boxes in \(\mathcal E^E\) should be bijective. However, if S-boxes used in E are not necessarily bijective, then \(\mathcal E^E\) could be defined as a set of block ciphers \(E'\) which is exactly the same as E except that the S-boxes can take all possible transformations on the corresponding domains. As discussed above, the truncated impossible differentials and zero correlation linear hulls of AES and Camellia found so far are actually the impossible differentials and zero correlation linear hulls of \(\mathcal E^{\text {AES}}\) and \(\mathcal E^{\text {Camellia}}\).

Definition 3

Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. Let \(\sigma \) be the operation that exchanges the left and right halves of a state. Then the dual structure \(\mathcal F_{SP}^\bot \) of \(\mathcal F_{SP}\) is defined as \(\sigma \circ \mathcal F_{P^TS}\circ \sigma \).

Let \(\mathcal E_{SP}\) be an SPN structure with primitive representation of the linear transformation being P. Then the dual structure \(\mathcal E_{SP}^\bot \) of \(\mathcal E_{SP}\) is defined as \(\mathcal E_{S(P^{-1})^T}\).

Fig. 2.

Differential Propagation of \(\mathcal F_{SP}\) and Linear Propagation of \(\mathcal F_{SP}^{\bot }\)

3 Links Between Impossible Differential and Zero Correlation Linear Cryptanalysis

In this section, we will show the equivalence between impossible differentials and zero correlation linear hulls of a structure, which will be used to establish the link between impossible differential and integral cryptanalysis in Sect. 5. The next theorem is stated without proof in [17].

Theorem 1

\(a\rightarrow b\) is an r-round impossible differential of \(\mathcal F_{SP}\) if and only if it is an r-round zero correlation linear hull of \(\mathcal F_{SP}^\bot \).

Proof

The proof can be divided into the following two parts (See Fig. 2):

Part (I). We prove that for \((\delta _0,\delta _1)\rightarrow (\delta _r,\delta _{r+1})\), if one can find \(E\in \mathcal F_{SP}^{\bot }\) such that \(c((\delta _0,\delta _1)\cdot x\oplus (\delta _r,\delta _{r+1})\cdot E(x))\ne 0\), then one can find \(E'\in \mathcal F_{SP}\) such that \(p((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r))>0\).

Assume that \((\delta _0,\delta _1)\rightarrow (\delta _{r},\delta _{r+1})\) is a linear hull with non-zero correlation for some \(E\in \mathcal F_{SP}^{\bot }\), and the input to the round function could be divided into t pieces, each of which is an s-bit word. Then there exists a linear characteristic with non-zero correlation:
$$(\delta _0,\delta _1)\rightarrow \cdots (\delta _{i-1},\delta _i)\rightarrow \cdots \rightarrow (\delta _{r},\delta _{r+1}),$$
where \(\delta _i\in (\mathbb F_2^{s})^t\). In this characteristic, the output mask of \(S_i=(S_{i,1},\ldots ,S_{i,t})\) is \(\delta _i=(\delta _{i,1},\ldots ,\delta _{i,t})\in (\mathbb F_2^s)^t\), and let the input mask of \(S_i\) be \(\beta _i=(\beta _{i,1},\ldots ,\beta _{i,t})\in (\mathbb F_2^s)^t\). Since for \(\gamma \ne \beta _iP\), \(c(\gamma \cdot x\oplus \beta _i\cdot (xP^T))=0\), \(\delta _{i+1}=\delta _{i-1}\oplus \beta _iP\).

In the following, for any \((x_L,x_R)=(x_{L,1},\ldots ,x_{L,t},x_{R,1},\ldots ,x_{R,t})\in (\mathbb F_2^{s})^{t}\times (\mathbb F_2^{s})^{t}\), we will construct an r-round cipher \(E_r\in \mathcal F_{SP}\), such that \(E_r(x_L,x_R)\oplus E_r(x_L\oplus \delta _1,x_R\oplus \delta _0)=(\delta _{r+1},\delta _r)\).

If \(r=1\), for \(j\in \{1,\ldots ,t\}\): if \(\delta _{1,j}=0\), we can define \(S_{1,j}\) as any possible transformation on \(\mathbb F_2^s\), and if \(\delta _{1,j}\ne 0\), we can define
$$S_{1,j}(x_{L,j})=x_{L,j},\quad S_{1,j}(x_{L,j}\oplus \delta _{1,j})=x_{L,j}\oplus \beta _{1,j},$$
then for \(E_1\in \mathcal F_{SP}\) which adopts such S-boxes,
$$E_1(x_L,x_R)\oplus E_1(x_L\oplus \delta _1,x_R\oplus \delta _0)=(\delta _0\oplus \beta _1P,\delta _1)=(\delta _2,\delta _1).$$
Suppose that we have constructed \(E_{r-1}\) such that \(E_{r-1}(x_L,x_R)\oplus E_{r-1}(x_L\oplus \delta _1,x_R\oplus \delta _0)=(\delta _{r},\delta _{r-1})\). Denote by \((y_L,y_R)=(y_{L,1},\ldots ,y_{L,t},y_{R,1},\ldots ,y_{R,t})\) the output of \(E_{r-1}(x_L,x_R)\). Then in the r-th round, if \(\delta _{r,j}=0\), we can define \(S_{r,j}\) as any possible transformation on \(\mathbb F_2^s\), otherwise, define \(S_{r,j}\) as follows:
$$S_{r,j}(y_{L,j})=y_{L,j},\quad S_{r,j}(y_{L,j}\oplus \delta _{r,j})=y_{L,j}\oplus \beta _{r,j}.$$
Therefore \(E_r(x_L,x_R)\oplus E_r(x_L\oplus \delta _1,x_R\oplus \delta _0)=(\delta _{r-1}\oplus \beta _rP,\delta _r)=(\delta _{r+1},\delta _r)\).

Part (II). We prove that for \((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r)\), if one can find some \(E\in \mathcal F_{SP}\) such that \(p((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r))>0\), one can find some \(E'\in \mathcal F_{SP}^{\bot }\) such that \(c((\delta _0,\delta _1)\cdot x\oplus (\delta _{r},\delta _{r+1})\cdot E'(x))\ne 0\).

Assume that \((\delta _1,\delta _0)\rightarrow (\delta _{r+1},\delta _r)\) is a differential of \(E\in \mathcal F_{SP}\). Then there exists a differential characteristic with positive probability:
$$(\delta _1,\delta _0)\rightarrow \cdots (\delta _{i+1},\delta _{i})\rightarrow \cdots \rightarrow (\delta _{r+1},\delta _r),$$
where \(\delta _i\in (\mathbb F_2^{s})^t\). In this characteristic, the input difference of \(S_i=(S_{i,1},\ldots ,S_{i,t})\) is \(\delta _i=(\delta _{i,1},\ldots ,\delta _{i,t})\in (\mathbb F_2^s)^t\), and let the output difference of \(S_i\) be \(\beta _i=(\beta _{i,1},\ldots ,\beta _{i,t})\in (\mathbb F_2^s)^t\), then \(\delta _{i+1}=\delta _{i-1}\oplus (\beta _i P)\).

Taking the following fact into consideration: for \((\delta _{i,j},\beta _{i,j})\), where \(\delta _{i,j}\ne 0\), there always exists an \(s\times s\) binary matrix \(M_{i,j}\) such that \(\beta _{i,j}=\delta _{i,j}M_{i,j}^T\), then for \(S_{i,j}(x)=xM_{i,j}\), \(c(\beta _{i,j}\cdot x\oplus \delta _{i,j}\cdot S_{i,j}(x))=1\).

Now we construct an r-round cipher \(E_r\in \mathcal F_{SP}^{\bot }\) such that \(c((\delta _0,\delta _1)\cdot x\oplus (\delta _{r},\delta _{r+1})\cdot E_r(x))\ne 0\). If \(r=1\), let \(S_{1,j}(x)=xM_{1,j}\) for \(\delta _{1,j}\ne 0\) and any linear transformation on \(\mathbb F_2^s\) otherwise. Then all operations in \(E_1\in \mathcal F_{SP}^\bot \) are linear over \(\mathbb F_2\), which implies that there exists a \(2st\times 2st\) binary matrix \(M_1\) such that \(E_1(x)=xM_1\), and
$$c((\delta _0,\delta _1)\cdot x\oplus (\delta _{1},\delta _2)\cdot E_1(x))=1.$$
Assume that we have constructed \(E_{r-1}(x)=xM_{r-1}\) with \(M_{r-1}\) being a \(2st\times 2st\) binary matrix such that
$$c((\delta _0,\delta _1)\cdot x\oplus (\delta _{r-1},\delta _{r})\cdot E_{r-1}(x))=1,$$
and we can define \(S_{r,j}(x)\) in the r-th round similarly, then \(E_r(x)=xM_r\) for some \(2st\times 2st\) binary matrix \(M_r\), and
$$c((\delta _0,\delta _1)\cdot x\oplus (\delta _{r},\delta _{r+1})\cdot E_r(x))=1,$$
which ends our proof.   \(\square \)
Note. In the proof of Theorem 1, the S-boxes we constructed are not necessarily bijective. If we add the bijective condition, Theorem 1 still holds. Since for a bijective S-box, if the correlation is non-zero, \(\delta _{1,j}\ne 0\) implies \(\beta _{1,j}\ne 0\). Therefore, in Part(I) of the proof, we can further define \(S_{1,j}\) as
$$\begin{aligned} S_{1,j}(x)={\left\{ \begin{array}{ll}x_{L,j}\oplus \delta _{1,j}\quad &{}x=x_{L,j}\oplus \beta _{1,j},\\ x_{L,j}\oplus \beta _{1,j}\quad &{}x=x_{L,j}\oplus \delta _{1,j},\\ ~~~x\quad &{}{\text {others,}} \end{array}\right. } \end{aligned}$$
and a similar definition can also be given to \(S_{r,j}\). In this case, the S-boxes are invertible. Moreover, for a bijective S-box, if the differential probability is positive, \(\delta _{i,j}\ne 0\) implies \(\beta _{i,j}\ne 0\), thus in Part (II) of the proof, we can always find a non-singular binary matrix \(M_{i,j}\) such that \(\beta _{i,j}=\delta _{i,j}M_{i,j}^T\).

Similarly, we can prove the following theorem:

Theorem 2

\(a\rightarrow b\) is an r-round impossible differential of \(\mathcal E_{SP}\) if and only if it is an r-round zero correlation linear hull of \(\mathcal E_{SP}^\bot \).

Definition 2 implies that the “impossibility” of an impossible differential of a structure can be caused only by a differential \(\delta _1\rightarrow \delta _2\) where either \(\delta _1 = 0\) or \(\delta _2 = 0\) (but not both) over an invertible S-box, or by a differential \(0 \rightarrow \delta _2\) over a non-invertible S-box. Otherwise, according to the proof of Theorem 1, we can always find an S-box such that \(\delta _1\rightarrow \delta _2\) is a possible differential. Therefore, we have the following corollary:

Corollary 1

The method presented in [7] finds all impossible differentials of \(\mathcal F_{SP}\) and \(\mathcal E_{SP}\).

As a matter of fact, this corollary can be used in the provable security of block ciphers against impossible differential cryptanalysis, since with the help of this corollary, the longest impossible differentials of a given structure could be given.

In case P is invertible, according to the definition of equivalent structures given in [30], we have
$$\begin{aligned} \mathcal F_{P^TS}=\left( (P^{T})^{-1},(P^{T})^{-1}\right) \mathcal F_{SP^{T}}\left( P^T,P^T\right) , \end{aligned}$$
(1)
which indicates:

Corollary 2

Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. If P is invertible, finding zero correlation linear hulls of \(\mathcal F_{SP}\) is equivalent to finding impossible differentials of \(\mathcal F_{SP^T}\).

Example 1

(8-Round Zero Correlation Linear Hull of Camellia Without \(\mathbf{FL/FL ^{-1}}\) ). Let Camellia* denote the cipher which is exactly the same as Camellia without \(FL/FL^{-1}\) layer except that \(P^{T}\) is used instead of P. Then we find that, for example:
$$\begin{aligned} ((0,0,0,0,0,0,0,0),(0,0,0,0,a,0,0,0)) \rightarrow&((0,0,0,0,0,0,0,h),(0,0,0,0,0,0,0,0)) \end{aligned}$$
is an 8-round impossible differential of Camellia*, where a and h denote any non-zero values. Therefore, we can derive an 8-round zero correlation linear distinguisher of Camellia without \(FL/FL^{-1}\) layer as shown below:
$$\begin{aligned} ((a,a,0,0,a,0,a,a),(0,0,0,0,0,0,0,0)) \rightarrow&((0,0,0,0,0,0,0,0),(h,0,0,h,0,h,h,h)). \end{aligned}$$

Furthermore, if \(\mathcal F_{SP}=\mathcal F_{SP^T}\) and \(\mathcal E_{SP}=\mathcal E_{S(P^{-1})^T}\), we have:

Corollary 3

For a Feistel structure \(\mathcal F_{SP}\) with SP-type round function, if P is invertible and \(P=P^T\), there is a one-to-one correspondence between impossible differentials and zero correlation linear hulls.

For an SPN structure \(\mathcal E_{SP}\), if \(P^T P=E\), \(a\rightarrow b\) is an impossible differential if and only if it is a zero correlation linear hull.

Example 2

(4-Round Zero Correlation Linear Hull of ARIA). Since the linear layer P of ARIA satisfies \(P^T P=E\), any impossible differential of \(\mathcal E^{\text {ARIA}}\) is automatically a zero correlation linear hull of \(\mathcal E^{\text {ARIA}}\). Therefore, the impossible differentials of 4-round ARIA shown in [28] are also zero correlation linear hulls of 4-round ARIA.

4 Links Between Integral and Zero Correlation Linear Cryptanalysis

Firstly, we give two fundamental statements that give links between integral cryptanalysis and zero correlation linear cryptanalysis:

Lemma 1

Let A be a subspace of \(\mathbb F_2^n\), \(A^{\bot }=\{x\in \mathbb F_2^n|a\cdot x=0,a\in A\}\) be the dual space of A and \(F: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a function on \(\mathbb F_2^n\). For any \(\lambda \in \mathbb F_2^n\), \(T_\lambda : A^{\bot }\rightarrow \mathbb F_2^n\) is defined as \(T_\lambda (x)=F(x\oplus \lambda )\), then for any \(b\in \mathbb F_2^n\),
$$\begin{aligned} \sum _{a\in A}(-1)^{a\cdot \lambda }c(a\cdot x\oplus b\cdot F(x))=c(b\cdot T_\lambda (x)). \end{aligned}$$

Proof

$$\begin{aligned}&\sum _{a\in A}(-1)^{a\cdot \lambda }c(a\cdot x\oplus b\cdot F(x))=\sum _{a\in A}(-1)^{a\cdot \lambda }\frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{a\cdot x\oplus b\cdot F(x)}\\= & {} \frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{b\cdot F(x)}\sum _{a\in A}(-1)^{a\cdot (\lambda \oplus x)}=\frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{b\cdot F(x)}|A|\delta _{A^{\bot }}(\lambda \oplus x)\\= & {} \frac{1}{|A^{\bot }|}\sum _{y\in A^{\bot }}(-1)^{b\cdot T_\lambda (y)}=c(b\cdot T_\lambda (x)), \end{aligned}$$
where \(\delta _{A^{\bot }}(x)={\left\{ \begin{array}{ll}1 \quad x\in A^{\bot }\\ 0 \quad x\notin A^{\bot }.\end{array}\right. } \quad \) \(\square \)

Lemma 2

Let A be a subspace of \(\mathbb F_2^n\), \(F: \mathbb F_2^n\rightarrow \mathbb F_2^n\), and let \(T_\lambda : A^{\bot }\rightarrow \mathbb F_2^n\) be defined as \(T_\lambda (x)=F(x\oplus \lambda )\) where \(\lambda \in \mathbb F_2^n\). Then for any \(b\in \mathbb F_2^n\),
$$\begin{aligned} \frac{1}{2^n}\sum _{\lambda \in \mathbb F_2^n}(-1)^{b\cdot F(\lambda )}c(b\cdot T_\lambda (x))=\sum _{a\in A}c^2(a\cdot x\oplus b\cdot F(x)). \end{aligned}$$

The proof of Lemma 2 is given in the full version of this paper [31]. The conclusion of [17] that integral unconditionally implies zero correlation linear hull, is correct only under their definition of integral, which requires that \(c(b\cdot T_{\lambda }(x))=0\). Under the original, more general definition for an integral distinguisher [3], this conclusion may not hold.

From Lemma 1, we can deduce the following:

Corollary 4

Let \(F: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a function on \(\mathbb F_2^n\), and let A be a subspace of \(\mathbb F_2^n\) and \(b\in \mathbb F_2^n\setminus \{0\}\). Suppose that \(A\rightarrow b\) is a zero correlation linear hull of F, then for any \(\lambda \in \mathbb F_2^n\), \(b\cdot F(x\oplus \lambda )\) is balanced on \(A^{\bot }\).

This corollary states that if the input masks of a zero correlation linear hull form a subspace, then a zero correlation linear hull implies an integral distinguisher. Furthermore, the condition that input masks form a subspace can be removed, which leads to the following result:

Theorem 3

A nontrivial zero correlation linear hull of a block cipher always implies the existence of an integral distinguisher.

Proof

Assume that \(A\rightarrow B\) is a non-trivial zero correlation linear hull of a block cipher E. Then we can choose \(0\ne a\in A, 0\ne b\in B\), such that \(\{0,a\}\rightarrow b\) is also a zero correlation linear hull of E.

Since \(V=\{0,a\}\) forms a subspace on \(\mathbb F_2\), according to Corollary 4, \(b\cdot E(x)\) is balanced on \(V^{\bot }\). This implies an integral distinguisher of E.   \(\square \)

Moreover, in the proof of Theorem 3, we can always assume that \(0\in A\). Then
  1. 1.

    If A forms a subspace, an integral distinguisher can be constructed from \(A\rightarrow b\);

     
  2. 2.

    If A does not form a subspace, we can choose some \(A_1\subset A\) such that \(A_1\) forms a subspace, then an integral distinguisher can be constructed from \(A_1\rightarrow b\).

     

It was stated in [17] that a zero correlation linear hull indicates the existence of an integral distinguisher under certain conditions, while Theorem 3 shows that these conditions can be removed. This results in a more applicable link between zero correlation linear cryptanalysis and integral cryptanalysis.

It can be seen that Theorem 3 also gives us a new approach to find integral distinguishers of block ciphers. More specifically, an r-round zero correlation linear hull can be used to construct an r-round integral distinguisher.

5 Links Between Impossible Differential and Integral Cryptanalysis

According to the links given in the previous sections, we establish a link between impossible differential cryptanalysis and integral cryptanalysis:

Theorem 4

Let \(\mathcal E\in \{\mathcal F_{SP}, \mathcal E_{SP}\}\). Then an impossible differential of \(\mathcal E\) always implies the existence of an integral of \(\mathcal E^\bot \).

Proof

This can be deduced from the following facts:
  • A zero correlation linear hull of \(\mathcal E^\bot \) always implies the existence of an integral of \(\mathcal E^\bot \);

  • A zero correlation linear hull of \(\mathcal E^\bot \) could be constructed by constructing an impossible differential of \(\mathcal E\).   \(\square \)

In case \(\mathcal E^\bot =A_2\mathcal E A_1\) where \(A_1\) and \(A_2\) are linear transformations, we get the direct links between impossible differential and integral cryptanalysis:

Corollary 5

Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. If P is invertible and there exists a permutation \(\pi \) on t elements such that for any \((x_0,\ldots ,x_{t-1})\in \mathbb F_{2}^{s\times t}\),
$$P(x_0,\ldots ,x_{t-1})=\pi ^{-1} P^{T} \pi (x_0,\ldots ,x_{t-1}), $$
then for \(\mathcal F_{SP}\), an impossible differential always implies the existence of an integral distinguisher.

Example 3

SNAKE(2) is a Feistel cipher proposed by Lee and Cha at JW-ISC’97, please refer to [32, 33] for details. According to [30], the round function of SNAKE(2) can be seen as an SP-type one with the primitive presentation of the matrix being defined as
$$\begin{aligned} P=\begin{pmatrix} E&{}E&{}E&{}E\\ E&{}0&{}E&{}E\\ E&{}0&{}0&{}E\\ E&{}0&{}0&{}0 \end{pmatrix}, \end{aligned}$$
where E and 0 are the identity and zero matrices of \(\mathbb F_2^{8\times 8}\), respectively. Let
$$\begin{aligned} \pi =\begin{pmatrix} 1&{}0&{}0&{}0\\ 0&{}0&{}0&{}1\\ 0&{}0&{}1&{}0\\ 0&{}1&{}0&{}0 \end{pmatrix}. \end{aligned}$$
Then we have \(P=\pi ^{-1}P^T\pi \), therefore, an impossible differential of SNAKE(2), which is independent of the details of the S-boxes, always implies the existence of an integral distinguisher of SNAKE(2).

Corollary 6

Let \(\mathcal E_{SP}\) be an SPN structure with the primitive representation of the linear transformation being P. If \(P^T P=\text {diag}(Q_1,\ldots ,Q_t)\), where \(Q_i\in \mathbb F_2^{s\times s}\), then for \(\mathcal E_{SP}\), an impossible differential always implies the existence of an integral distinguisher.

Proof

Firstly, according to Theorem 4, if \(P^T P=E\), an impossible differential of \(\mathcal E_{SP}\) always implies the existence of an integral.

Secondly, for the S-layer of \(\mathcal E_{SP}\), if we substitute S by applying \(Q_i\) to the i-th S-box, according to definition 2, the structure stays identical. Since
$$P\circ (\text {diag}(Q_1,\ldots ,Q_t)\circ S)=(P\circ \text {diag}(Q_1,\ldots ,Q_t))\circ S,$$
an SPN structure \(\mathcal E_{SP}\) is equivalent to an SPN structure \(\mathcal E_{S(P\circ \text {diag}(Q_1,\ldots ,Q_t))}\).

Based on the above two points, we can get the conclusion.   \(\square \)

To show applications of these links, we recall that, an \(n\times n\) matrix P is called orthogonal if and only if \(P^T P=E\), where E is the \(n\times n\) identity matrix.

Example 4

We can check that, SR and \(M'\) used in PRINCE are orthogonal matrices, therefore
$$\begin{aligned} M^T M=(SR\circ M')^T(SR\circ M')=E, \end{aligned}$$
where E is the \(64\times 64\) identity matrix. So all the linear layers used in different rounds of PRINCE are orthogonal based on which we could conclude that any r-round impossible differential of PRINCE which is independent of the choices of the S-boxes implies the existence of an r-round integral distinguisher.

Example 5

Since the linear layer P of ARIA is both symmetric and involutional, e.g. \(P=P^{-1}=P^T\), any impossible differential of ARIA which is independent of the choices of S-boxes implies the existence of an integral distinguisher.

Example 6

We can check that P used in PRESENT satisfies \(P=(P^{-1})^T\), therefore, an impossible differential, which is independent of the details of the S-boxes, always leads to the existence of an integral distinguisher. In fact, since a permutation matrix P is always orthogonal, we have the following Corollary:

Corollary 7

For an SPN structure which adopts bit permutation as the diffusion layer, the existence of an r-round impossible differential implies the existence of an r-round integral distinguisher.

6 New Integrals for Block Ciphers/Structures

6.1 New Integrals for Feistel Structures

Let \(\mathcal E_r\) be an r-round Feistel structure \(\mathcal F_{SP}\). Then for any \(a\ne 0\), \(b\ne a\), \((a,0)\rightarrow (0,b)\) is a zero correlation linear hull of \(\mathcal E_3\); and if the round functions are bijective, then for any \(a\ne 0\), \((a,0)\rightarrow (0,a)\) is a zero correlation linear hull of \(\mathcal E_5\).

So far the longest integral distinguisher known for a Feistel structure with bijective round functions counts 4 rounds, and the longest integral distinguisher for a Feistel structure with general round functions counts 2 rounds. We improve these distinguishers by 1 round using Theorem 3.

Proposition 1

Let \(\mathcal E_r\) be an r-round Feistel structure defined on \(\mathbb F_2^{2n}\). Then
  1. 1.

    If the \(F_i\)’s are bijective, then for any \(c \in \mathbb F_2^n\), \(c \ne 0\), \(c \cdot R_5\) is balanced on \(\{(0,0),(c,0)\}^{\bot }\) with respect to \(\mathcal E_5\).

     
  2. 2.

    If the \(F_i\)’s are not necessarily bijective, then let \(\{\alpha _0,\ldots ,\alpha _{n-1}\}\) be a base of \(\mathbb F_2^n\) over \(\mathbb F_2\). Then \(\alpha _{n-1}\cdot R_3\) is balanced on \(\{(0,\sum _{i=0}^{n-2}c_i\alpha _i)|c_i\in \mathbb F_2\}^\bot \) with respect to \(\mathcal E_3\).

     

As a matter of fact, for any \(c \in \mathbb F_2^n\), \(c \ne 0\), \((c,0)\rightarrow (0,c)\) is a zero correlation linear hull of \(\mathcal E_5\). Thus according to Theorem 3, we can construct an integral distinguisher of \(\mathcal E_5\), i.e., let \((L_0,R_0)\) take all values in \(\{(0,0),(c,0)\}^{\bot }\), then \(c \cdot R_5\) is balanced.

6.2 24-Round Integral for CAST-256

The block cipher CAST-256 was proposed as a first-round AES candidate, and we refer to [34] for details. Firstly, we recall the following zero correlation linear property given in [17].

Property 1

\((0,0,0,L_1) \rightarrow (0,0,0,L_2)\) is a zero correlation linear hull of the 24-round CAST-256 (from the 13-th round to the 36-th round of CAST-256), where \(L_1 \ne 0\), \(L_2 \ne 0\) and \(L_1 \ne L_2\).

Let \(L_1^*=\{(l_1,l_2,\ldots ,l_{31},0)|l_i \in \mathbb F_2\}\) and \(L_2 = (0,\ldots ,0,1)\). Then we obtain a zero correlation linear hull \((0,0,0,L_1^*) \rightarrow (0,0,0,L_2)\) for the 24-round CAST-256. According to Theorem 3, we can get the following result:

Proposition 2

Let \(V=\{(x_1,x_2,x_3,0^{31}y)|x_i\in \mathbb F_2^{32}, y\in \mathbb F_2\}\). If the input takes all values in V, and let the output of the 24-round be \((C_0,C_1,C_2,C_3)\in \mathbb F_2^{32\times 4}\)(from the 13-th round to 36-th round). Then \((0,\ldots ,0,1) \cdot C_3\) is balanced.

Based on this integral distinguisher, we present a key recovery attack on 28-round CAST-256 which is the best known attack on CAST-256 in the non-weak key model. The details of the attack are listed the full version of this paper [31].

6.3 12-Round Integral for SMS4

The SMS4 [35] block cipher is designed by the Chinese government as part of their WAPI standard for wireless networks. Up to date, the longest known integral distinguisher of SMS4 covers 10 rounds [36]. The details of SMS4 and the proof of the following propositions are listed in the full version of this paper [31].

Proposition 3

Let \(V=\{v\in (\mathbb F_2^8)^4|HW(v\mathcal L^T)=1\}\), where \(HW(x_1,x_2,x_3,x_4)=\#\{x_i\ne 0,i=1,2,3,4\}\). For any \(d\in V\), \((0,0,0,d)\rightarrow (d,0,0,0)\) is a 12-round zero correlation linear hull of SMS4.

Proposition 4

Let \(V=\{v\in (\mathbb F_2^8)^4|HW(v\mathcal L^T)=1\}\), \(V_d=\{w\in (\mathbb F_2^{32})^4|(0,0,0,d)\cdot w = 0\}\), and let \((c_0,c_1,c_2,c_3)\) be the output of 12-round SMS4. Then for any \(d\in V\), when the input takes all possible values in \(V_d\), we have
$$\#\{d\cdot c_0=0\}=\#\{d\cdot c_0=1\}.$$

Note that most of the known integral distinguishers are independent of the choices of the S-boxes. However, the integral distinguisher presented above is highly related with the S-boxes, since for different S-boxes, we would find different zero correlation linear hulls which lead to different integral distinguishers of SMS4.

6.4 8-Round Integral for Camellia Without \(FL/FL^{-1}\) Layer

Based on the 8-round zero correlation linear hull presented in Example 1, we get the following 8-round integral of Camellia without \(FL/FL^{-1}\) layer:

Proposition 5

Let V be defined as
$$V=\{((x_1,\ldots ,x_8),(x_9,\ldots ,x_{16}))|x_1\oplus x_2 \oplus x_5 \oplus x_7 \oplus x_8 = 0,x_i\in \mathbb F_2^8\}.$$
For any \(h\in \mathbb F_2^8\), \(h \ne 0\), \((h,0,0,h,0,h,h,h)\cdot R_{i+8}\) is balanced on V with respect to 8-round Camellia without \(FL/FL^{-1}\) layer.

7 Conclusion

In this paper, we have investigated the link between impossible differential and integral cryptanalysis. To do this, we have introduced the concept of structure \(\mathcal E\) and dual structure \(\mathcal E^\bot \) and established the link in the following steps:
  • We derived the relation between impossible differential of \(\mathcal E\) and zero correlation linear hull of \(\mathcal E^\bot \). We have shown that for a Feistel structure \(\mathcal F_{SP}\) with SP-type round functions where P is invertible, constructing a zero correlation linear hull of \(\mathcal F_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal F_{SP^T}\), which is the same structure as \(\mathcal F_{SP}\) with \(P^T\) instead of P. For an SPN structure \(\mathcal E_{SP}\), constructing a zero correlation linear hull of \(\mathcal E_{SP}\) is equivalent to constructing an impossible differential of \(\mathcal E_{S(P^{-1})^T}\), which is the same structure as \(\mathcal E_{SP}\) with \((P^{-1})^T\) instead of P.

  • We presented the relation between zero correlation linear hull and integral distinguisher of block ciphers. As proven in Sect. 4, a zero correlation linear hull always implies the existence of an integral distinguisher, while such statement only holds under certain conditions in [17]. Meanwhile, we have observed that the statement “integral unconditionally implies zero correlation linear hull” in [17] is correct only under the definition that integral property is a balanced vectorial boolean function, while it does not hold for the general case (i.e., integral defined in [3] is a zero-sum property).

  • We built the link between impossible differential of \(\mathcal E\) and integral distinguisher of \(\mathcal E^\bot \). We have demonstrated that an r-round impossible differential of \(\mathcal E\) always leads to an r-round integral distinguisher of \(\mathcal E^\bot \). In the case that \(\mathcal E\) and \(\mathcal E^\bot \) are linearly equivalent, we obtained some direct links between impossible differential and integral distinguisher of \(\mathcal E\). Specifically, an r-round impossible differential of an SPN structure, which adopts bit permutation as the linear layer, always indicates the existence of an r-round integral distinguisher.

The results and links presented in this paper not only allow to achieve a better understanding and classifying of impossible differential cryptanalysis, integral cryptanalysis and zero correlation linear cryptanalysis, but also provide some new insights with respect to these cryptanalytic approaches as shown below:
  • The automatic search tool presented by Wu and Wang in Indocrypt 2012 finds all impossible differentials of both Feistel structures with SP-type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis.

  • Our statement “zero correlation linear hull always implies the existence of an integral distinguisher” provides a novel way for constructing integral distinguisher of block ciphers. With this observation, we have improved the integral of Feistel structures by 1 round, built a 24-round integral of CAST-256, proposed a 12-round integral of SMS4 which is 2-round longer than previously best known ones, and present an 8-round integral of Camellia without \(FL/FL^{-1}\) layers. These distinguishers could not be obtained by either the previously known methods for constructing integral distinguishers or by using the link given in [17]. Moreover, we have presented the best known key recovery attack on CAST-256 in non-weak key model to show that the new links can also be used to improve cryptanalytic results of some concrete ciphers.

By using the matrix representation given in [37], the concept of dual structure can be extended to generalized Feistel structures, and we can get similar results for these structures. Furthermore, we have focused on the links among the distinguishers used in impossible differential, integral and zero correlation linear cryptanalysis since distinguishers are the essential points in the evaluation of security margins of a block cipher against various cryptanalytic tools, and our results can be helpful in designing a block cipher from this point of view.

References

  1. 1.
    Knudsen, L.R.: DEAL – A 128-bit Block Cipher. Department of Informatics, University of Bergen, Norway. Technical report (1998)Google Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999) Google Scholar
  3. 3.
    Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  4. 4.
    Bogdanov, A., Rijmen, V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Crypt. 70(3), 369–383 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Kim, J., Hong, S., Lim, J.: Impossible differential cryptanalysis using matrix method. Discrete Math. 310(5), 988–1002 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263(1), 211–220 (2014)CrossRefGoogle Scholar
  7. 7.
    Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  8. 8.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  9. 9.
    Lucks, S.: The saturation attack - a bait for twofish. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  10. 10.
    Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001) Google Scholar
  11. 11.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello Jr.., D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography: Two Sides of One Tapestry, vol. 276, pp. 227–233. Springer, USA (1994)CrossRefGoogle Scholar
  12. 12.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, Bart (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  13. 13.
    Picek, S., Batina, L., Jakobović, D., Ege, B., Golub, M.: S-box, SET, match: a toolbox for S-box analysis. In: Naccache, D., Sauveron, D. (eds.) WISTP 2014. LNCS, vol. 8501, pp. 140–149. Springer, Heidelberg (2014) Google Scholar
  14. 14.
    Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  15. 15.
    Sun, B., Li, R., Qu, L., Li, C.: SQUARE attack on block ciphers with low algebraic degree. Sci. China Inf. Sci. 53(10), 1988–1995 (2010)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Leander, G.: On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  17. 17.
    Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  18. 18.
    Blondeau, C., Nyberg, K.: New links between differential and linear cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. 19.
    Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 411–430. Springer, Heidelberg (2015) Google Scholar
  20. 20.
    Blondeau, C., Bogdanov, A., Wang, M.: On the (In)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 271–288. Springer, Heidelberg (2014) Google Scholar
  21. 21.
    Blondeau, C., Nyberg, K.: Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 165–182. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  22. 22.
    Carlet, C.: Boolean Functions for Cryptography and Error Correcting Codes. Cambridge University Press, Cambridge (2006)Google Scholar
  23. 23.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  24. 24.
    Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  25. 25.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: \(Camellia\): a 128-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  26. 26.
    Kwon, D., et al.: New block cipher: ARIA. In: Lim, Jong-In, Lee, Dong-Hoon (eds.) ICISC 2003. LNCS, vol. 2971, pp. 432–445. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  27. 27.
    Mala, H., Dakhilalian, M., Rijmen, V., Modarres-Hashemi, M.: Improved impossible differential cryptanalysis of 7-round AES-128. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  28. 28.
    Wu, W., Zhang, W., Feng, D.: Impossible differential cryptanalysis of round-reduced ARIA and camellia. J. Comput. Sci. Technol. 22(3), 449–456 (2007)CrossRefGoogle Scholar
  29. 29.
    Bogdanov, A., Geng, H., Wang, M., Wen, L., Collard, B.: Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards camellia and CLEFIA. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  30. 30.
    Lei, D., Chao, L., Feng, K.: New observation on camellia. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 51–64. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  31. 31.
    Sun, B., Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., Alkhzaimi, H., Li, C.: Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis. http://eprint.iacr.org/2015/181.pdf
  32. 32.
    Lee, C., Cha, Y.: The block cipher: SNAKE with provable resistance against DC and LC attacks. In: Proceedings of 1997 Korea-Japan Joint Workshop on Information Security and Cryptology (JW-ISC 1997), pp. 3–17 (1997)Google Scholar
  33. 33.
    Moriai, S., Shimoyama, T., Kaneko, T.: Interpolation attacks of the block cipher: SNAKE. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 275–289. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  34. 34.
  35. 35.
    Specification of SMS4, Block Cipher for WLAN Products – SMS4 (in Chinese). http://www.oscca.gov.cn/UpFile/200621016423197990.pdf
  36. 36.
    Zhang, W., Su, B., Wu, W., Feng, D., Wu, C.: Extending higher-order integral: An efficient unified algorithm of constructing integral distinguishers for block ciphers. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 117–134. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  37. 37.
    Berger, T.P., Minier, M., Thomas, G.: Extended generalized feistel networks using matrix representation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 289–305. Springer, Heidelberg (2014) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.College of ScienceNational University of Defense TechnologyChangshaChina
  2. 2.Department of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghaiChina
  3. 3.Department of Electrical Engineering (ESAT)KU Leuven and iMindsLeuvenBelgium
  4. 4.College of Electronic Science and EngineeringNational University of Defense TechnologyChangshaChina
  5. 5.Technical University of DenmarkKongens LyngbyDenmark

Personalised recommendations