Improvements for Finding Impossible Differentials of Block Cipher Structures

Luo, Yiyuan; Lai, Xuejia

doi:https://doi.org/10.1155/2017/5980251

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Applications Conclusion Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2017 | Article ID 5980251 | https://doi.org/10.1155/2017/5980251

Improvements for Finding Impossible Differentials of Block Cipher Structures

Yiyuan Luo¹and Xuejia Lai^2,3

Academic Editor: Jesús Díaz-Verdejo

Received30 Mar 2017

Accepted17 Jul 2017

Published29 Aug 2017

Abstract

We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, , LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s results. The experiment results show that the improved algorithm can not only find more impossible differentials, but also largely reduce the search time.

1. Introduction

Impossible differential cryptanalysis, introduced by Biham et al. [1] and Knudsen [2] independently, is a special case of differential cryptanalysis that uses differentials with probability zero to sieve the right keys from the wrong keys. It is one of the most powerful attacks for block ciphers and is considered in many block cipher designs [3–10]. The best cryptanalytic results for some block ciphers are obtained by impossible differential cryptanalysis [1, 11]. For example, the currently best attack on the 31-round Skipjack is still the impossible differential cryptanalysis by Biham et al. [1].

The key step in impossible differential cryptanalysis of a block cipher is to find the longest impossible differential. Given two variables , the difference of and is usually denoted as . An impossible differential for an -subblock block cipher is in the form , where and . means the probability of the output difference is after rounds of a block cipher for an input difference is zero. At the first glance, impossible differentials are obtained manually by observing the block cipher structure. However, since the emergence of impossible differential cryptanalysis, automated techniques for finding impossible differentials have been introduced.

The first automated technique is called the Shrinking method introduced by Biham et al. [1]. This method is simple but very useful. It only considers truncated differentials whose differences distinguish only between zero and arbitrary nonzero difference. Given a block cipher, the adversary first designs a mini version of this block cipher, which scales down the block cipher but preserves the global structure. Then the adversary exhaustively searches for this mini cipher and obtains some truncated impossible differentials. Usually these truncated impossible differentials of the mini cipher remain impossible differentials in the normal version. This method can deal with most block ciphers in the real world. However, it becomes very slow if the number of subblocks of a block cipher is as large as , since exhaustive search on the mini version of this type of cipher is still a heavy load for most computers.

The second automated technique is based on the miss in the middle approach. This method combines two differentials, one from the input and the other from the output, both with probability 1. However, these two differentials cannot meet in the middle since they can never be equal in the middle. The method [12, 13] and the UID method [14] both belong to this category. In the method and the UID method, the adversary first represents the block cipher structure as a matrix; then given a differential pair , he calculates the -round intermediate difference from forwardly and the -round intermediate difference from backwardly by the matrix method. If there is a contradiction for these two intermediate differences, then an impossible differential is verified. Representing a block cipher by the matrix has been a popular method in impossible differential and integral and zero correlation linear cryptanalysis [8, 10, 15–20].

In [21], Wu and Wang extend the -method and UID method to a more generalized method which does not use the miss in the middle approach. They treat the -round block cipher structure as a system of equations, which describe the propagation behavior of differences in the inner primitives, especially sbox permutations or branch swapping of the block cipher structure. To judge if a truncated differential is impossible, they predict information about unknown variables from the known ones iteratively. Finally a truncated differential is verified by checking the constrained conditions in the system. This method is similar to a linear programming method for solving optimization problems.

In [22], Sun et al. show that Wu and Wang’s automatic search method can find all impossible differentials of a cipher that are independent of the choices of the inner primitives. However, Wu and Wang’s method can only find all truncated impossible differentials since the choice of truncated difference may result in missing some impossible differentials. Wu and Wang’s method only considers differences and , where and are zero or nonzero values. They assign an indicator to indicate the choice of and , representing by a subblock without difference and by 1 a subblock with a difference. The relationships between nonzero differences have been omitted. For example, may be equal to some , where . If some linear constraints between nonzero variables in and are needed, Wu and Wang claimed their method could still work by translating all linear constraints into the system of equations. However, this method increases the run complexity and implementation of the search method. Since it changes the equation system for every value of and if the relationship between and is complicated, the matrix will be very large.

The idea of the UID method is that it represents the differential with symbols and utilizes the propagation property of the linear accumulated symbols. The idea of the Wu-Wang method is to utilize solving linear equations to determine an impossible differential. We show that the Wu-Wang method can be improved by combining the idea of the UID method and Wu-Wang method. Instead of using 1 to represent the nonzero difference, we use a letter symbol to represent a difference and different symbols represent different nonzero values. This method can represent more relationships between these subblocks. For example, if and for a 4-subblock structure where and are different nonzero values, then we have and . In our method, the matrix of the system does not need to be changed with . We also improve the Wu-Wang method by simplifying the test of whether there are solutions for linear systems. Since the most time consuming part is the matrix operation, our improved method can find more impossible differentials in less time.

We implement the method in java language and apply it to many block cipher structures, including Gen-CAST256 [15], Gen-Skipjack [23], Four-Cell [24], Gen-MARS [12], Gen-RC6 [23], SMS4 [14], Misty [25], MIBS [26], [27], LBlock [28], E2 [29], and SNAKE [30] ones. For these block ciphers, we rediscover all known impossible differentials. Especially for the 8-round MIBS cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s work. Our improvement largely reduced the run time for finding impossible differentials. In [31], the results for MIBS, LBlock, and E2 are obtained in a few hours on a 2.66 GHz processor with MAGMA package. However, our results for MIBS, LBlock, and E2 are obtained within 10 seconds on a 2.20 GHz processor.

2. Preliminaries

In this section we introduce some basic concepts and notions used in this paper. We first introduce the block cipher structures. Next we review the solvability of a system of linear equations.

2.1. Block Cipher Structures

There are mainly two block cipher structures, which are the Feistel structure and its generalizations and the substitute permutation network (SPN). The round function of most of those structures consists of three basic operations: the sbox look-up, the exclusive-or addition (Xor), and the branch swapping, where the only nonlinear component is the sbox look-up operation. In differential cryptanalysis, the Xor differences of plaintext/ciphertext pairs are considered; we omit the key and constant addition since they have no relevance to our analysis. We assume that a block cipher structure has subblocks (branches), and the input and output differences are denoted by and , respectively.

2.2. The Solvability of a Linear System

Now we review the basics in linear algebra of determining the solvability of a system of linear equations. Let , be two positive integers, ; let be a system of linear equations with variables, where is matrix over ; and and are two bit vectors; then the augmented matrix can determine the solvability of the linear system.

A regular method is to deduce the reduced row echelon form (a.k.a. row canonical form) of matrix by Gauss-Jordan elimination algorithm. The reduced row echelon form of a matrix is unique and denoted by . One starts to check from the last row to the first, to see if there exists a row in which the first entries are zeros and the last entry is nonzero. If there are such rows, then the linear system has no solution. For example, if the augmented matrix of a linear system in reduced row echelon form is where is nonzero, then the linear system has no solution.

3. Mathematical Models for Finding IDs of Block Cipher Structures

Our improvement is based on Wu and Wang’s method. If the nonlinear sbox in a block cipher structure is a permutation, then there is a constraint on the input difference and output difference for ; that is, and can only both be zero or both be nonzero, denoted by . The intermediate value of a block cipher structure is called the state. The state is updated with the round structure. In order to find impossible differential for an -round block cipher structure, we first set differential variables for the states and then transform the -round block cipher structure into a system of linear equations and constraints, denoted by . Then for a given differential , where and , we can check if it is impossible by solving with initial values ; if has no solution, then .

Here we take the 5-round Feistel structure as an example. We first assign differential variables for 5-round Feistel structure. In Figure 1, , are permutations; the output difference of for input difference is ; thus . According to the computation graph of 5-round Feistel structure, we obtain the following system of equations and constraints: In order to check if is an impossible differential where is a nonzero value, we solve the above system with , , , and . Since and we have and . From linear equations of , we get ; thus since ; next from linear equations we obtain ; however and ; thus the system has no solution and is an impossible differential for 5-round Feistel structure.

Now we want to find all impossible differentials for 5-round Feistel structure; we enumerate all the possible differential pairs , where and are two different nonzero values. For each value of , we judge if it is an impossible differential; after all cases are tested, we will find all impossible differentials.

Thus the general algorithm for finding all -round impossible differentials for a block cipher structure is outlined as follows:(1)Generate all the possible differential pairs in a set .(2)Assign differential variables according to the computation figure of the -round block cipher structure. Generate the system of linear equations and constraints with the differential variables.(3)For each , solve the system with initial value and check if has no solution. If there is no solution, then is an impossible differential. After all cases are checked we obtain all impossible differentials.

4. The Detailed Algorithm

In this section we describe the detailed algorithm and implementation details.

4.1. Generate All Possible Differential Pairs

We use symbols , , , to denote different as the nonzero values. For a block cipher structure, the input difference is , where , and the output difference is , where . Note that the input difference and output difference will not be zero since this will be trivial in differential cryptanalysis. Thus there are total differential pairs. This value is large for many block cipher structures.

However, an impossible differential for a block cipher structure is usually simple; that is, there are very few nonzero values in and . Since the input or output differential are complicate, it will propagate fast due to the round structure of the cipher. Thus it is reasonable to consider simple differential pairs. Actually all the impossible differentials found for block cipher structures in the literature are simple.

In this paper we only consider the input difference , where , and the output difference , where . Thus there are total differential pairs that need to be checked.

4.2. Generate the System

Given a block cipher structure, we first need to draw the computational figure and assign differential variables, as introduced in the analysis of 5-round Feistel structure. This step is varying according to different block cipher structures. However, since most block cipher structures iterate the same round structure for several times, these variables are regular and easy to implement in a computer program. As in the analysis of 5-round Feistel structure, the input difference of a nonlinear permutation is denoted by variable and the output difference is denoted by variable . Thus if we see a variable , it must be some output difference of a nonlinear permutation.

For a block cipher structure with rounds, there are variables , , and numbers of variables , . The numbers and are determined by the round structure and the round number . For the -round Feistel structure, and . We first denote all variables in a variable vector as and then linear equations in system can be written as , where is a matrix over and 0 is a -dimensional zero vector, where is the number of linear equations in one round of the block cipher structure. The augmented matrix of these linear equations is . For the 5-round Feistel structure, the augmented matrix is denoted in Table 1.

The set of constraints in can be maintained as a map . Let denote the index of the variable in vector ; given a constraint , we add into the map . For the 5-round Feistel structure, . In the real implementation, it is noted that, for most block cipher structures, the distance between constraints and is fixed and determined by the round structure and the round number; that is, is a constant. For example, the distance of constraints and for a -round Feistel structure is . Thus the map is not needed to be implemented but only the fixed index distance is needed. This observation facilitates the real implementation of the algorithm.

4.3. Determine the Solvability of

In the beginning, we assign a symbol “?” to each variable in the variable vector , which means every variable is undetermined. Given a differential pair , we need to check if there exist solutions of the system with the initial value . We first need to initialize the variable vector according to . As in the 5-round Feistel structure, for a differential pair , , the variable vector is initialized as follows:


a	0	?	?	?	0	a	?	?	?	?	?

For a constraint , the algorithm updates and detects contradictions as follows.(i)The value is updated:(a)If and ?, then is set to 0.(b)If is a nonzero symbol and ?, then is set to the nonzero symbol “.”(c)If and is an nonzero symbol, then we obtain a contradiction.(ii)The value is updated:(a)If and ?, then is set to 0.(b)If and is an nonzero symbol, then we obtain a contradiction.

We use to denote the symmetrical difference (Xor) of and . For example, if and , then ; if and , then ; if and , then .

The function UpdateMatrix() updates the augmented matrix according to the variable vector . If the th variable in is 0, then the corresponding th column of is set to a zero vector. As in [21], this method keeps solutions of the augmented matrix unchanged. If is not in the set , we check each row of ; if the value of the th column at the th row is , then we set Xor to the last element of the th row of and set to (Algorithm 1).

// Update the augmented matrix according to the variable vector
(1) the size of ;
(2) for to do
(3) ;
(4) if is then
(5) Every element of the th column of is set to .
(6) else if is not “?” and is not “” then
(7) the number of rows of ;
(8) for to do
(9) if is then
(10) ;
(11) ;
(12) end
(13) end
(14) end
(15) end

The function UpdateVector() updates the th variable with the value ; at the same time all constraints in are maintained. As described in the beginning of this subsection, the function updates with the value by checking each constraint in and returns true if it succeeds or false if there is a contradiction. There are many subcases, as described in the detailed algorithm. During the updating process, there may be contradictions. For example, if and which means , there is a contradiction since can never be . If is but the corresponding variable which is the sbox output of is nonzero or is but the corresponding variable which is the sbox input of is nonzero, there will be contradictions (Algorithm 2).

// Update the variable vector according to the variable where is the value
of the th variable in . is the array of constraints.
input: the variable vector , the constraint array , .
output: A boolean flag indicates if the update procedure success.
(1) flag true;
(2) foreach do
(3) ; ;
(4) if is equal to then
(5) if is not 0 then
(6) flag false; // Ex. but , a contradiction.
(7) return flag;
(8) else if is 0 and is ? then
(9) if is not 0 then flag false;
(10) return flag;
(11) end
(12) ; ;
(13) else if is a nonzero value then
(14) ; ;
(15) end
(16) else if is equal to then
(17) if is not 0 then flag false
(18) return flag;
(19) else if is ? and is 0 then
(20) ; ;
(21) end
(22) end
(23) end
(24) return flag;

The function ReducedRowEchelon() transforms the matrix into the reduced row echelon form by Gauss-Elimination algorithm. Note that every element in the first columns of is in , while elements in the last column of are represented by a set of symbols. Thus the Xor operation in the last column of is the symmetrical difference operation. The readers can refer to [32] for the detailed algorithm of transforming a matrix into the reduced row echelon form.

The detailed algorithm for checking if a differential is impossible is described in Algorithm 3. In Algorithm 3, the variable vector is first initialized according to the differential pair and the constraint array . Then the algorithm continues checks if there is a contradiction with a loop test until and are not updated any more. During the loop the algorithm first updates according to by the UpdateMatrix() function and then transforms into the reduced row echelon form by the ReducedRowEchelon function to see if has solutions. If has no solutions, the algorithm obtains a contradiction and stops. Otherwise if there exists a solution for a variable from the reduced row echelon form, the index and the value of the variable are denoted as . The algorithm updates the variable vector with by the UpdateVector() function; if the updating process returns false, a contradiction is obtained and the algorithm stops; otherwise, the algorithm continues to run.

input: A differential pair and the system
output: A boolean flag indicates if is an impossible differential
(1) is the augmented matrix of ;
(2) is the dimension variable vector;
(3) is the map of constraints of ;
(4) flagfalse;
(5) indextrue;
(6) Initialize every variable in according to and the constraints in ;
(7) while index do
(8) UpdateMatrix (, ) // Update according to ;
Transform into the reduced-row-echelon form by Gauss-Jordan Elimination
(9) ReducedRowEchelon ();
(10) if has no solution then
(11) flagtrue;
(12) break;
(13) else
(14) index false;
(15) count 0;
(16) for to 1 do
(17) Row of ;
(18) if the sum of the first elements of is 1 then
(19) the index of the element in ;
(20) the last element of ; // the solution of the th variable in
(21) update the variable vector with and return true if there is
no contradiction and return false otherwise.
(22) UpdateVector (, , , );
(23) if is false then
(24) flag true;
(25) return flag;
(26) else
(27) index true;
(28) end
(29) end
(30) end
(31) end
(32) end
(33) return flag;

4.4. Complexity

For the matrix and the dimension vector , the time complexity of the function UpdateMatrix is , the time complexity of the function ReducedRowEchelon is , and the time complexity of the function UpdateVector is a constant , while loop continues running times since there at most values in and in each loop either 2 variables are updated or there is a contradiction. Thus the total complexity of the algorithm is , where is a small constant. The space complexity is dominated by storing the matrix and is about The time complexity of the Wu-Wang method is and this is much larger than our . The Wu-Wang method stores 3 matrices; thus its space complexity is at least triple our method.

4.5. Comparison with Previous Method

In [31], Wu and Wang proved that the -method and the UID method are specific cases of the Wu-Wang method. They found that their method can find longer impossible differential for the MIBS cipher than by -method and the UID method. However, in the UID method, for an impossible differential pair , the relationship between input variables and output variables is considered since UID method uses symbols to denote values. For example, the UID method considers the relation between and and checks if they are equal; however the -method and Wu-Wang method only use and to denote zero and nonzero values, which omit the relationship between input and output differentials.

Our improved method combines the advantages of the UID method and Wu-Wang method. Every impossible differential found by the UID method and Wu-Wang method can be found by our improved method. As Wu and Wang’s method, impossible differentials found by our improved method must be correct if the algorithm is implemented correctly. Compared with Wu and Wang’s method, our improved method is more complete. The symbol representation of a difference can represent more relationships between different difference values. Thus it can find more impossible differentials and the matrix does not change with different values of in the beginning of the algorithm, while, in the Wu-Wang method, to add linear relationships between nonzero values in , the matrix must change with different values of . This will consume more time during the run of the algorithm.

The most time consuming part in the algorithm is the matrix operation. To check if the augmented matrix has any solutions, the Wu-Wang method needs to compute the rank of the matrices and . We show that this step is not required since we can check the solvability of the system from the reduced row echelon form of the matrix , as introduced in the preliminaries section. Thus our improvement largely reduces the search time of finding impossible differentials of a block cipher structure.

5. Applications and Experiment Results

We implement the algorithm in java language and apply it to many block cipher structures, including Gen-CAST256 [33], Misty [25], Gen-Skipjack [23], Four-Cell [24], Gen-MARS [33], Gen-RC6 [33], SMS4 [34], MIBS [26], [27, 31], LBlock [28], E2 [29], and SNAKE [30]. We present the java code of this algorithm and complete impossible differential results in GitHub [35]. To reduce the space of this paper, we present some of the impossible differential results in Table 2. The file Impossible Differential.txt in [35] lists the complete impossible differential results for these block cipher structures. Most impossible differentials discovered by our algorithm are the same as the Wu-Wang method.

Moreover, for the 8-round MIBS, we find new 4 impossible differentials, which are not found by the Wu-Wang method since these 4 new impossible differentials are not simple truncated impossible differentials. MIBS is a 16-subblock Feistel structure with substitution and permutation (SP) round function. In the SP round function, the 8 subblocks are first substituted by 8 sboxes; then an matrix is applied as the permutation. The permutation matrix is There are total 10 impossible differentials found for 8-round MIBS by our improved algorithm. The new four 8-round impossible differentials found are listed in Table 3.

Compare with Wu and Wang’s algorithm, this improvement is more general since it not only finds more impossible differentials for a block cipher structures, but also has better efficiency. The results for MIBS are obtained on a 2.66 GHz processor with MAGMA package in a few hours by Wu and Wang’s algorithm [31]. However, our results for MIBS are obtained on a 2.20 GHz processor in java language in less than 10 seconds. Thus, the algorithm presented in this paper is more efficient than Wu and Wang’s algorithm.

6. Conclusion

In this paper we improve Wu and Wang’s algorithm for finding impossible differentials of block cipher structures. The improved method is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply this method to many block cipher structures. The experiment results show that this improvement can largely reduce the search time for the impossible differentials of a block cipher, since there are known relationships between impossible differential and integral and zero correlation linear cryptanalysis [22, 36, 37]. This method can be used as a cryptanalytic tool to evaluate the security of a block cipher against these kinds of cryptanalysis.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

Yiyuan Luo was supported by NSFC (61402280) and Academic Discipline Project of Shanghai Dianji University (16YSXK04). Xuejia Lai was supported by NSFC (61272440, 61472251, and U1536101), China Postdoctoral Science Foundation (2013M531174, 2014T70417), National Cryptography Development Fund MMJJ20170105, and Science and Technology on Communication Security Laboratory.

References

E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials,” Journal of Cryptology. The Journal of the International Association for Cryptologic Research, vol. 18, no. 4, pp. 291–311, 2005.
View at: Publisher Site | Google Scholar | MathSciNet
L. R. Knudsen, “DEAL-A 128-bit block cipher,” Tech. Rep. 151, Department of Informatics, University of Bergen, 1998.
View at: Google Scholar
R. Zong, X. Dong, and X. Wang, “Impossible Differential Attack on Simpira v2,” Science China Information Sciences, 2017.
View at: Publisher Site | Google Scholar
L. Cheng, B. Sun, and C. Li, “Revised cryptanalysis for sms4,” Science China Information Sciences, vol. 60, no. 12, article 122101, 2017.
View at: Google Scholar
Y. Dai and S. Chen, “Cryptanalysis of full PRIDE block cipher,” Science China. Information Sciences, vol. 60, no. 5, 052108, 12 pages, 2017.
View at: Publisher Site | Google Scholar | MathSciNet
W. Zhang, Z. Bao, D. Lin, V. Rijmen, B. Yang, and I. Verbauwhede, “RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms,” Science China Information Sciences, pp. 1–15, 2015.
View at: Publisher Site | Google Scholar
G.-Q. Liu and C.-H. Jin, “Algebraic techniques in slender-set differential cryptanalysis of PRESENT-like cipher,” Science China Information Sciences, vol. 59, no. 9, Article ID 99104, 2016.
View at: Publisher Site | Google Scholar
T. Lin, X. Lai, W. Xue, and G. Huang, “Discussion on the theoretical results of white-box cryptography,” Science China Information Sciences, vol. 59, no. 11, Article ID 112101, 2016.
View at: Publisher Site | Google Scholar
Y. Ding, J. Zhao, L. Li, and H. Yu, “Impossible differential analysis on round-reduced PRINCE,” Journal of Information Science and Engineering, vol. 33, no. 4, pp. 1041–1053, 2017.
View at: Google Scholar
W. Wu, L. Zhang, and X. Yu, “The DBlock family of block ciphers,” Science China Information Sciences, vol. 58, no. 3, 2015.
View at: Publisher Site | Google Scholar
C. Boura, M. a. Naya-Plasencia, and V. Suder, “Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon,” in Advances in cryptology—ASIACRYPT 2014. Part I, vol. 8873 of Lecture Notes in Comput. Sci., pp. 179–199, Springer, Berlin, Germany, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
J. Kim, S. Hong, J. Sung, S. Lee, J. Lim, and S. Sung, “Impossible differential cryptanalysis for block cipher structures,” in Progress in cryptology—INDOCRYPT 2003, vol. 2904 of Lecture Notes in Comput. Sci., pp. 82–96, Springer, Berlin, Germany, 2003.
View at: Publisher Site | Google Scholar | MathSciNet
J. Kim, S. Hong, and J. Lim, “Impossible differential cryptanalysis using matrix method,” Discrete Mathematics, vol. 310, no. 5, pp. 988–1002, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
Y. Luo, X. Lai, Z. Wu, and G. Gong, “A unified method for finding impossible differentials of block cipher structures,” Information Sciences, vol. 263, pp. 211–220, 2014.
View at: Publisher Site | Google Scholar
H. Yap, “Impossible differential characteristics of extended feistel networks with provable security against differential cryptanalysis,” Communications in Computer and Information Science, vol. 29, pp. 103–121, 2009.
View at: Publisher Site | Google Scholar
G. Liu, C. Jin, and Z. Kong, “Key recovery attack for PRESENT using slender-set linear cryptanalysis,” Science China Information Sciences, vol. 59, no. 3, Article ID 32110, 2016.
View at: Publisher Site | Google Scholar
R. Zhao, R. Zhang, Y. Li, and B. Wu, “Construction of MDS block diffusion matrices for block ciphers and hash functions,” Science China. Information Sciences, vol. 59, no. 9, Article ID 99101, 099101, 3 pages, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
T. P. Berger, M. Minier, and G. Thomas, “Extended generalized Feistel networks using matrix representation,” in Selected areas in cryptography—SAC 2013, vol. 8282 of Lecture Notes in Comput. Sci., pp. 289–305, Springer, Berlin, Germany, 2014.
View at: Publisher Site | Google Scholar | MathSciNet
T. P. Berger and M. Minier, “Some results using the matrix methods on impossible, integral and zero-correlation distinguishers for Feistel-like ciphers,” in Progress in cryptology—INDOCRYPT 2015, vol. 9462 of Lecture Notes in Comput. Sci., pp. 180–197, Springer, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
C. Blondeau and M. Minier, “Analysis of impossible, integral and zero-correlation attacks on type-II generalized feistel networks using the matrix method,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9054, pp. 92–113, 2015.
View at: Publisher Site | Google Scholar
S. Wu and M. Wang, “Automatic search of truncated impossible differentials for word-oriented block ciphers,” in Progress in cryptology---{INDOCRYPT} 2012, vol. 7668 of Lecture Notes in Comput. Sci., pp. 283–302, Springer, Heidelberg, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
B. Sun, Z. Liu, V. Rijmen et al., “Links among impossible differential, integral and zero correlation linear cryptanalysis,” in Advances in cryptology—CRYPTO 2015. Part I, vol. 9215 of Lecture Notes in Comput. Sci., pp. 95–115, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar | MathSciNet
J. Sung, S. Lee, J. Lim, S. Hong, and S. Park, “Provable security for the Skipjack-like structure against differential cryptanalysis and linear cryptanalysis,” in Advances in cryptology—ASIACRYPT 2000 (Kyoto), vol. 1976 of Lecture Notes in Comput. Sci., pp. 274–288, Springer, Berlin, Germany, 2000.
View at: Publisher Site | Google Scholar | MathSciNet
J. Choy, G. Chew, K. Khoo, and H. Yap, “Cryptographic properties and application of a generalized unbalanced feistel network structure,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5594, pp. 73–89, 2009.
View at: Publisher Site | Google Scholar
M. Matsui, “New block encryption algorithm MISTY,” in Fast Software Encryption, vol. 1267 of Lecture Notes in Computer Science, pp. 54–68, Springer-Verlag, 1997.
View at: Publisher Site | Google Scholar
M. Izadi, B. Sadeghiyan, S. S. Sadeghian, and H. A. Khanooki, “MIBS: A new lightweight block cipher,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5888, pp. 334–348, 2009.
View at: Publisher Site | Google Scholar
K. Aoki, T. Ichikawa, M. Kanda et al., “Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis,” in Selected areas in cryptography (Waterloo, ON, 2000), vol. 2012 of Lecture Notes in Comput. Sci., pp. 39–56, Springer, Berlin, Germany, 2001.
View at: Publisher Site | Google Scholar | MathSciNet
W. Wu and L. Zhang, “LBlock: A lightweight block cipher,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6715, pp. 327–344, 2011.
View at: Publisher Site | Google Scholar
M. Kanda, S. Moriai, K. Aoki et al., “E2-A new 128-bit block cipher,” IEICE Transactions Fundamentals - Special Section on Cryptography and Information Security, vol. E83-A, no. 1, pp. 48–59, 2000.
View at: Google Scholar
C. Lee and Y. Cha, “The block cipher: SNAKE with provable resistance against DC and LC attacks,” in JW-ISC 1997, pp. 3–17, 1997.
View at: Google Scholar
S. Wu and M. Wang, “Automatic search of truncated impossible differentials for word-oriented block ciphers,” http://eprint.iacr.org/2012/214.pdf.
View at: Google Scholar
RosettacodeOrg. How to compute the reduced row echelon form of a matrix. http://rosettacode.org/wiki/Reduced_row_echelon_form.
S. Moriai and S. Vaudenay, “On the pseudorandomness of top-level schemes of block ciphers,” in Advances in cryptology—ASIACRYPT 2000 (Kyoto), vol. 1976 of Lecture Notes in Comput. Sci., pp. 289–302, Springer, Berlin, Germany, 2000.
View at: Publisher Site | Google Scholar | MathSciNet
SMS4. Specication of SMS4, block cipher for WLAN products SMS4. Avaiable at: http://www.oscca.gov.cn/UpFile/200621016423197990.pdf.
Y. Luo, Source codes and results for finding impossible differentials for block cipher structures. https://github.com/ianroo/impossibledifferential.
A. Bogdanov, L. R. Knudsen, G. Leander, F.-X. Standaert, J. Steinberger, and E. Tischhauser, “Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (extended abstract),” in Advances in cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Comput. Sci., pp. 45–62, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
C. Blondeau, A. Bogdanov, and M. Wang, “On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers,” in Applied Cryptography and Network Security, vol. 8479 of Lecture Notes in Computer Science, pp. 271–288, Springer-Verlag, 2014.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2017 Yiyuan Luo and Xuejia Lai. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1161

Downloads

937

Citations