Cryptology ePrint Archive: Report 2015/181

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Bing Sun and Zhiqiang Liu and Vincent Rijmen and Ruilin Li and Lei Cheng and Qingju Wang and Hoda Alkhzaimi and Chao Li

Abstract: As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis.

Firstly, by introducing the concept of structure and dual structure, we prove that $a\rightarrow b$ is an impossible differential of a structure $\mathcal E$ if and only if it is a zero correlation linear hull of the dual structure $\mathcal E^\bot$. More specifically, constructing a zero correlation linear hull of a Feistel structure with $SP$-type round function where $P$ is invertible, is equivalent to constructing an impossible differential of the same structure with $P^T$ instead of $P$. Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with $(P^{-1})^T$ instead of $P$. Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with $SP$-type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis.

Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by $1$ round, build a $24$-round integral distinguisher of CAST-$256$ based on which we propose the best known key recovery attack on reduced round CAST-$256$ in the non-weak key model, present a $12$-round integral distinguisher of SMS4 and an $8$-round integral distinguisher of Camellia without $FL/FL^{-1}$. Moreover, this result provides a novel way for establishing integral distinguishers and converting known plaintext attacks to chosen plaintext attacks.

Finally, we conclude that an $r$-round impossible differential of $\mathcal E$ always leads to an $r$-round integral distinguisher of the dual structure $\mathcal E^\bot$. In the case that $\mathcal E$ and $\mathcal E^\bot$ are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of $\mathcal E$. Specifically, we obtain that an $r$-round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an $r$-round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the $S$-boxes, always imply the existence of integral distinguishers.

Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against important cryptanalytic approaches, which is a very tough task since there have been so many cryptanalytic tools up to now. Our results certainly facilitate this security evaluation process.

Category / Keywords: Impossible Differential, Integral, Zero Correlation Linear, Feistel, SPN, Camellia, CAST-256, SMS4, SNAKE(2), PRESENT, PRINCE, ARIA

Original Publication (with major differences): IACR-CRYPTO-2015

Date: received 2 Mar 2015, last revised 3 Jun 2015

Contact author: happy_come at 163 com

Available format(s): PDF | BibTeX Citation

Version: 20150603:142719 (All versions of this report)

Short URL: ia.cr/2015/181

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]