A Link Between Integrals and Higher-Order Integrals of SPN Ciphers

Transcription

1 Link Between Integrals and Higher-Order Integrals of SPN Ciphers Ruilin Li, Bing Sun, and Chao Li Integral cryptanalysis, which is based on the existence of (higher-order) integral distinguishers, is a powerful cryptographic ethod that can be used to ealuate the security of odern block ciphers In this paper, we focus on substitution-perutation network (SPN) ciphers and propose a criterion to characterize how an r-round integral distinguisher can be extended to an (r+)-round higher-order integral distinguisher This criterion, which builds a link between integrals and higher-order integrals of SPN ciphers, is in fact based on the theory of direct decoposition of a linear space defined by the linear apping of the cipher It can be directly utilized to unify the procedure for finding 4-round higher-order integral distinguishers of ES and RI and can be further extended to analyze higher-order integral distinguishers of arious block cipher structures We hope that the criterion presented in this paper will benefit the cryptanalysts and ay thus lead to better cryptanalytic results Keywords: Cryptanalysis, block ciphers, SPN, ES, RI, integral, higher-order integral Manuscript receied Oct 6, 0; reised pr 9, 0; accepted May 3, 0 The work in this paper is supported by the National Natural Science Foundation of China (No: 6039, 60705), the Progra for Changjiang Scholars and Innoatie Research Tea in Uniersity of Ministry of Education of China (No: IRT0), and the Fund for Creatie Research Groups of the Natural Science Foundation of Hunan Proince, China (No: FH00) Ruilin Li (phone: , securitylrl@gailco) is with the School of Electronic Science and Engineering, National Uniersity of Defense Technology, Changsha, China Bing Sun (securitylrl@gailco) is with the Departent of Matheatics and Syste Science, Science College, National Uniersity of Defense Technology, Changsha, China Chao Li (lichao_nudt@sinaco) is with the Departent of Matheatics and Syste Science, Science College, and also with the School of Coputer, National Uniersity of Defense Technology, Changsha, China I Introduction Backgrounds Integral cryptanalysis, which considers the propagation of the sus of any alues, was forally introduced by Knudsen and Wagner in [] s they pointed out [], it is especially well suited for analyzing ciphers with priarily bijectie coponents and is, in fact, a ore generalized for of any specific attacks, including the square attack [], saturation attack [3], and ultiset attack [4] These specific ethods exploit the siultaneous relationships between any encryptions, in contrast to differential cryptanalysis [5], in which only pairs of encryptions are considered Consequently, integral cryptanalysis can apply to a lot of block ciphers that are not ulnerable to differential cryptanalysis These features hae ade integral cryptanalysis an increasingly popular tool in the field of cryptanalysis The substitution-perutation network (SPN) structure is one of the ost widely used block cipher structures Exaples of algoriths that use the SPN structure are the well-known block cipher algoriths ES [6] and RI [7] The SPN structure iterates the cobination of a substitution and a perutation (or a linear transforation), and, thus, its resistance against differential and linear cryptanalysis [8] is well understood (for exaple, see [9]-[]) To apply integral cryptanalysis, adersaries should firstly find a (higher-order) integral distinguisher of the reduced-round cipher to distinguish it fro a rando perutation The ost well-known integral distinguisher of an SPN cipher is the 3-round integral distinguisher [] of ES This kind of distinguisher needs a special structure of 8 plaintexts with the property that one byte of input is actie (takes all possible 56 alues), while all the other 5 bytes are constants Feeding these 8 plaintexts into a 3-round ES encryption procedure ETRI Journal, Volue 35, Nuber, February Ruilin Li et al 3

2 will result in ciphertexts with the property that the bit-wise exclusie OR (XOR) of all alues in any byte position is zero This 3-round distinguisher can be used to attack ES reduced to four, fie, and six rounds new distinguishing property between the 4-round ES and a rando perutation was constructed in [3], which enables 7-round attacks on ES In [4], another obseration was ade on the 4-round ES, which led to an iproeent in the running tie of the attack The ain obseration is that if one can obtain the 3 plaintexts that take all possible alues in the diagonal four bytes, then after one round of ES encryption, those 3 plaintexts will correspond to another 3 interediate alues, which for 4 copies for the input of a 3-round integral distinguisher in the forthcoing 3-round encryption process (round to round 4) Since the text in each integral sus to zero in any byte after the fourth round, so does the su of all 3 texts This kind of distinguisher was later foralized in [] and referred to as a 4-round higherorder (4th-order) integral distinguisher ccordingly, the original 3-round integral distinguisher can be treated as a st-order integral distinguisher Let n be the nuber of words (subblocks) in the plaintext and ciphertext and be the nuber of bits in a word In the original paper [], a higher-order integral is defined according to the nuber of actie words d-th-order ( d n ) integral is the su of ciphertexts whose corresponding plaintexts contain just d actie words (range oer all possible d alues in the d-tuple position), while the traditional integral with one actie word can be treated as a st-order integral This kind of notation is suitable when explaining the 3/4-round integral distinguisher of ES as introduced in the preious paragraphs Besides, the authors in [] also deonstrated the feasibility of using higher-order integrals to analyze two block cipher structures: Nyberg s generalized Feistel networks and the Skipjack structure Motiation, Merit, and Outline of This Paper Now that a 3-round st-order integral distinguisher of ES can be easily extended to a 4-round 4th-order integral distinguisher, what about other SPN ciphers? Consider the block cipher RI, whose design is ery siilar to ES The designers of RI belieed that no integral distinguisher exists with ore than two rounds due to the better aalanche effect of the diffusion layer In fact, if the nuber of actie bytes is liited to one, it is correct that there only exist -round distinguishers Howeer, these -round storder integral distinguishers can be extended to any 3-round d-th-order integral distinguishers with d 7 (as will be shown in subsection III4) Unfortunately, these 3-round distinguishers are not the best ones since, in [5], 44 3-round 3rd-order integral distinguishers ) of RI were found using the technique of counting ethod Therefore, one ay wonder whether this kind of 3-round integral distinguisher could be further extended to soe 4-round distinguishers Howeer, it sees difficult to utilize the direct approach to extend the distinguisher of RI in a siilar way to the distinguisher of ES This proble was studied in [6], in which the 3-round 3rd-order integral distinguishers were odified to 3-round 4th-order integral distinguishers, and 4 4-round th-order integral distinguishers were thus obtained It should be noted that these 4-round th-order integral distinguishers were used to ount a 7-round attack on RI [6], while the 3-round 3rd-order integral distinguishers only led to a 6-round attack [5] s has been obsered, higher-order integral distinguishers hae been widely used to analyze any faous SPN ciphers, but there exist soe related, yet unsoled, probles general proble is as follows ssue there is an r-round u-th-order integral (the basic integral) distinguisher of an SPN cipher, can this basic integral distinguisher be extended to soe (r+)-round -th-order ( u) integral (the extended higher-order integral) distinguisher? If so, how can we extend it? To the best of our knowledge, no general solution to this proble is known, and preious techniques see to be ore epirical In this paper, we borrow fro linear algebra with the theory of direct decoposition of a linear space to build a link between the integrals and the higher-order integrals of SPN ciphers We show that if the atrix of the linear transforation in the diffusion layer satisfies a rank property, then the basic integral distinguisher can be directly extended to a higher-order integral distinguisher ) This proposed criterion can be used to unify the procedure for finding 4-round higher-order integral distinguishers of ES and RI, and it can further be adopted to analyze higher-order integral distinguishers for arious block cipher structures The reaining content of this paper is diided into four sections brief description of SPN ciphers is gien in section II The ain result concerning the relationship between integral and higher-order integral distinguishers of SPN ciphers with application to ES and RI is presented in section III Section IV extends the ain result to other block cipher structures Finally, section V contains the conclusion ) In fact, there are in total 76 integral distinguishers of the 3-round RI when the nuber of actie bytes of the inputs is fixed to 3 ong these distinguishers, only 44 are listed in [5] ) It should be ephasized that not all (extended) higher-order distinguishers of SPN ciphers can be obtained directly fro the (basic) integral distinguishers only through a linear transforation For instance, the -round first-order integral distinguishers [7] of RI cannot be directly extended to the 3-round third-order integral distinguishers [5], which are found by the counting ethod 3 Ruilin Li et al ETRI Journal, Volue 35, Nuber, February 03

3 II SPN Ciphers The class of SPN cipher considered in this paper iterates the cobination of a substitution (a nonlinear transforation) and a linear transforation Its block length is n-bit (or -word with a word being n-bit), and the round function consists of three basic operations: a substitution layer γ, a diffusion layer θ, and a round key addition layer σ Let us denote F as the finite field with eleents 0 and We briefly describe the three layers, as well as the whole cipher, as follows Substitution Layer γ The substitution layer γ is a nonlinear word-oriented substitution that applies parallel nonlinear bijectie appings on t the i-th round, γ F F is defined as F i : n n γ ( x, x,, x ) = ( s ( x ), s ( x ),, s ( x )), i n i, i, i, n n where each si, jis an -bit nonlinear substitution and the s i,j s are not necessarily identical Diffusion Layer θ The diffusion layer θ is an inertible linear transforation on n n n F that can be represented by an inertible atrix P F That is, gien an input X, the output can be obtained through Y=P(X) 3 Round Key ddition Layer σ The round key additional layer σ is defined siply by the bitwise XOR of the input and the round key Thus, at the i-th round, σ i( x) = X Ki, where X is the input and K i is the nbit round key and ay be generated fro the key schedule of the cipher 4 Whole Cipher typical r-round SPN cipher firstly applies a round key addition (also called the whitening ), and then iterates the round function r ties; the last round is the sae but excludes the diffusion layer We can describe the encryption procedure by r ( = ) E () = σ γ σ θ γ σ () k r r i i i i 0 RI is a good exaple that belongs to the aboe SPN ciphers For ES, the round function coprises SubBytes, ShiftRows, MixColuns, and RoundKeydditions If we define a new linear transforation as the coposition of ShiftRows and MixColuns, then ES could also be regarded as the kind of SPN ciphers described aboe III Link Between Integrals and Higher-Order Integrals of SPN Ciphers In this section, we first gie soe preliinaries, particularly the definitions of integral and higher-order integral, and then we present the ain result that builds a link between an r-round integral (basic integral) and an (r+)-round higherorder integral of an SPN cipher We end this section by applying the result to the block cipher ES and RI Integrals and Higher-Order Integrals n integral distinguisher considers the propagation of sus of any alues, and, in general, it takes a special structure of plaintexts as input, in which each coponent (subblock or word) is actie or passie (see definitions below) and its output has siilar properties, that is, soe coponents of the ciphertexts are actie, passie, or balanced Definition set { ai ai F,0 i } is actie if for all 0 i < j, a i a j set {,0 ai ai F } i is passie or constant if for all 0<i, a i =a 0 set { ai ai F,0 i } is balanced if the bit-wise XOR su of all eleents of the set is 0, that is, i= 0 a i = 0 We use to denote an actie set, C to denote a passie or constant set, and B to denote a balanced set The aboe notation of actie is defined for one word, and it can be extended to a ore generalized case For exaple, when referring to d actie words, it eans a set of d alues d that range oer F in the d-tuple position ccording to this conention, we introduce the following definition of (higherorder) integral, as in [] Definition d-th-order integral of a block cipher is the su of the ciphertexts whose corresponding plaintexts for a special structure with just d actie words Definition 3 d-th-order integral distinguisher of a block cipher takes a special structure with d actie words as input; its output for is a d-th-order integral that can be predicted, that is, soe coponents of the ciphertext are actie, constant, or balanced For conenience, we will soeties use (higher-order) integral as the short notation for (higher-order) integral distinguisher Let { i, i,, id},{ j, j,, jk} {,,, n} Then, a typical d-th-order integral distinguisher of a block cipher can be represented by B i, i,, i j, j,, j, d k where i denotes that there are d actie words of the, i,, id input (plaintexts) with indices i, i,, i d, and B j, j,, j k ETRI Journal, Volue 35, Nuber, February 03 Ruilin Li et al 33

4 denotes that the words of the output (ciphertexts) with indices j, j,, jk are all balanced s for an r-round block cipher, seeral (higher-order) integral distinguishers ay exist, and the following definition is essential Definition 4 n r-round (higher-order) integral distinguisher of a block cipher is called optial if the nuber of actie words of the inputs is the iniu aount needed In the next subsection, we will sole the following proble: gien an r-round u-th-order integral of an SPN cipher, which is referred to as the r-round basic integral, how can this r-round basic integral be extended to an (r+)-round -th-order ( u) integral? Main Result We show the ain theore of this paper, which proides an approach to show how an r-round basic integral distinguisher of SPN ciphers can be extended to an (r+)-round higher-order one The link between a basic integral and a higher-order integral is built through the atrix of the linear transforation in the diffusion layer and is based on the decoposition of the linear space defined by the linear apping of the block cipher Let us denote the atrix of the linear transforation of an SPN cipher by P = ( p i, j) n n, where p i, j is the (i, j)-entry of the atrix Let P, B be the atrix obtained fro P by selecting the rows fro and the coluns fro B Since there is a correspondence between the ector space F and the finite field F, we thus denote the bit-wise XOR between the eleents siply by + The ain result is the following theore Theore Gien an r-round u-th-order integral (as the basic integral) distinguisher of an SPN cipher, for which the actie word indices of the input for the set U={r,r,,r u }, let and If U n U s s sn u = {,,, } = {,,, }, V = { t, t,, t }, u, P ( ps, t ) = a b ( n u) rank( P ) = u, (**) then there will exist an (r+)-round -th-order integral (extended higher-order integral) distinguisher with the associated set fored by the actie word indices of the inputs equal to V Proof Let us consider a structure of plaintexts in the (r+)- round SPN cipher, with actie word positions t, t,, t (and all the other n words are passie) Thus, this structure consists of plaintexts fter the initial key whitening, these plaintexts will pass through a nonlinear bijectie transforation Let us denote these interediate alues by X = (, X,, X,, X, ), t t t where the entries Xt, Xt,, Xt range oer F and the other n entries are constants These alues will then be fed into the linear transforation whose output can be represented by Y=PX Note that n indices of the constant coponents of X for a set, V = {,,, n} V ; thus, Y = PX = P X + P X P X + C, () j j j j tb tb j V j V b= T where P j is the j-th colun ector of P, X j is the j-th n coponent of X, and C F is a constant ector Let ( Xt, X and t,, X t ) = Z ( Z, Z,, Z ) F PV = ( p i, t ) or, equialently, is the subatrix of P b n P V coposed of the colun ectors Pt, P,, ; then, () t P t becoes Y = P Z + C W + C V Equation () iplies that all alues of Y will for an affine space Y defined by Y = W+ C = { W + C W = P Z, Z F }, n where W F is a linear space oer F defined by W = { W W = PV Z, Z F }, and C is the offset Regarding linear space W, one can see that di ( W) = since di( W) = rank( P V ), and the result follows fro the fact that P is inertible, leading to the independent property of the colun ectors of PV Next, we will show that the linear space W is a direct su ( + ) of two other linear spaces, W and W, with diensions u and u, respectiely Linear spaces W and W can be constructed as follows Let P = ( p r, ) a tb u and set W = {( α, α,, α n )}, where each α i is defined as pit, Z,if, b b i U αi = b= 0, if i U Let P ( p,, ) UV sa tb ( n u) = and set W = {( β, β,, β n )}, where each β is defined as i pit, Z,if b b i β i = b= 0, if i U V U, () 34 Ruilin Li et al ETRI Journal, Volue 35, Nuber, February 03

5 ccording to the aboe definitions, W and W are linear spaces (subspaces of W ) Since U U = {,, n}, and U U =, we hae W W = {0}, which iplies that W+ W W is a direct su of two linear spaces Further, we know that P can be generated fro p V and ; thus, P rank( P ) rank( P ) + rank( P ) U V ccording to the condition, and, as preiously established, which results in Note that the atrix It is concluded that Now, we get Thus, which proes that V U, V, rank( P ) = u, rank( PV ) =, rank( P ) ( u) = u P has u rows and, thus, rank( P ) rank( P ) u = u di( W ) = rank( PUV, ) = u, di( W ) = rank( PUV, ) = u di( W) = di( W ) + di( W ), W = W+ W Since Y = W+C, we hae Y = ( W + W ) + C (3) Noting that # Y =, # W = u ( ), and # W = u, (3) eans that all ( u) alues in Y can be diided into (fixing each alue in C W + C ) disjoint affine spaces W + C, that is, Y = W + C C W + C This property is surely aintained for those alues after Y passes the round key addition layer in the first round In total, the aboe analysis shows that, after these special plaintexts pass through the initial key whitening stage and the first round encryption, their corresponding interediate states can be diided into ( u) disjoint affine spaces (each with u eleents) containing u actie words and (n u) constant words, and the indices of these u actie words for the set U Reeber that there exists an r-round integral distinguisher whose inputs possess the sae actie set U; thus, each affine space fors the inputs for the r-round u-th-order integral distinguisher Since each u-th-order integral distinguisher iplies soe predictable coponents of the ciphertexts after r rounds, so are the ciphertexts for the -th-order integral after (r+) rounds Thus, we get an (r+)-round -th-order integral distinguisher, which ends the proof Theore tells us that, gien an r-round known basic integral of an SPN cipher, let U represent the actie indices of inputs; then, if one can find a set V such that the rank condition rank( PUV, ) = u = # V # U is satisfied, then one will obtain an (r+)-round extended higher-order integral whose actie indices of the inputs for the set V Note that such rank condition can be siply checked with the Gaussian eliination ethod, either anually or autoatically In the next two subsections, we will apply the criteria established in theore to the well-known block ciphers ES and RI, showing how to extend basic integral distinguishers to higher-order integral distinguishers Note that when discussing integral distinguishers for these two exaple SPN ciphers, their last round function does not oit the diffusion layer 3 pplication to ES ccording to [], [3], there exists a 4-round 4th-order integral of ES In the following, we characterize the existence of these higher-order integrals by checking the rank of the subatrix chosen fro the atrix P of the linear transforation ccording to [], for all i, j 6, there exists the following for of a 3-round st-order integral of ES: B i j The atrix of the linear transforation of ES is P = ETRI Journal, Volue 35, Nuber, February 03 Ruilin Li et al 35

6 Now, if we choose U= {} and V= {, 6,, 6}, then U = {, 3, 4, 5, 6, 7, 8, 9, 0,,, 3, 4,5,6} and the subatrix P is thus Since P ( PUV, ) = rank = 3 = 4 = # V # U, it is concluded that the 3-round integral B j can be extended to a 4-round higher-order integral: B,6,,6 j Fro the definition of P, we can further find the following 4-round higher-order integrals:,7,,3 B j, 3,8,9,4 B j, and 4,5,0,5 B j Reark The 4-round 4th-order integral distinguisher can be intuitiely obtained fro the 3-round st-order integral distinguisher; hence, it sees unnecessary to use a large atrix P to check the rank condition Howeer, this siple deduction follows fro the special structure of ShiftRows and MixColuns; it would not work for a ore coplex atrix P, for exaple, the one used in RI In this case, the rank condition is ery useful, as deonstrated below 4 pplication to RI In this subsection, we apply the criterion to the 3/4-round RI Fro -Round st-order Integral to 3-Round 7th-Order Integral ccording to [7], for all i, j 6, there exists a -round st-order integral of RI of the following for: i B The atrix of the linear transforation of RI is j P = Now, if we choose U= {9} and V= {,, 5, 8,, 4, 6}, then U = {,,3,4,5,6,7,8,0,,,3,4,5,6} and the subatrix P is thus Since P = ( PUV, ) rank = 6 = 7 = # V # U, it is concluded that the -round st-order integral B j can be extended to a 3-round 7th-order integral:,,5,8,,4,6 j B With the rank condition (**), we can find any other 3-round d-th-order integrals of RI based on the -round st-order integrals Our results show that d 7, and these 3-round 7th-order integrals are listed in Table Reark These 3-round 7th-order integrals of RI are optial under the hypothesis that these 3-round higher-order integrals are liited to be constructed fro -round st-order integrals Howeer, they ay not be optial copared with other kinds of 3-round integrals found by other techniques See the exaple in [5], where the inputs of 3-round integrals hae only three actie bytes 36 Ruilin Li et al ETRI Journal, Volue 35, Nuber, February 03

7 Table 3-round 7th-order integrals of RI No ctie bytes index U ctie bytes index V Balanced bytes index {,, 5, 8,, 4, 6} {,, 6, 7,, 3, 5} {, 3, 6, 9,, 5, 6} {, 3, 8, 0,, 3, 4} {, 4, 5, 6, 0,, 5} {, 4, 7, 8, 9,, 4} {, 6, 8,,, 4, 5} {, 3, 5, 6, 9,, 6} {, 3, 7, 8, 0,, 3} {, 4, 5, 0,, 5, 6} {, 4, 7, 9,, 3, 4} {, 5, 7,,, 3, 6} {3, 4, 5, 8, 0, 3, 5} {3, 4, 6, 7, 9, 4, 6} {3, 6, 8, 9, 0, 3, 6} {4, 5, 7, 9, 0, 4, 5} Reark 3 These 3-round 7th-order integrals of RI can be further extended to any (6 in total) 4-round 5th-order integrals of the for B {} i j, where{} i = {,,,6} { i} Yet, as will be explained later, copared with the 4-round thorder integrals, they are not optial B Fro 3-Round 3rd Order Integral to 4-Round th-order Integral ccording to [5], there exists the following for of a 3-round 3rd-order integral of RI: B 9,,4 0,,3,5 Now, if we choose U= {9,, 4} and V= {,, 3, 4, 5, 6, 7, 8, 9,, 4, 6}, then U = {,,3,4,5,6,7,8,0,,3, 5,6} and the subatrix P is thus Since P = ( PUV, ) rank = 9 = 3 = # V # U, it is concluded that the 3-round 3rd-order integral 9,,4 B0,,3,5 can be extended to a 4-round th-order integral: B,,3,4,5,6,7,8,9,,4,6 0,,3,5 ccording to the definition of P and the 3-round integral distinguisher of RI in [5], we can find any 4-round higher-order integrals of RI, aong which there exist 36 th-order integrals, as listed in Table These 36 integral distinguishers contain the 4 4-round integral distinguishers found in [6] Reark 4 We point out that by testing the rank condition, these 4-round integrals of ES or RI cannot be further extended to 5-round integrals IV pplication to Other Block Cipher Structures The authors in [7], [8] deeloped the U-ethod as an autoated tool to find ipossible differentials for arious kinds of block cipher structures They also pointed out that such a ethod can be conerted to a tool for finding st-order integrals of block cipher structures In this section, we show that by adopting the notation of the encryption atrix as introduced in [7], [8], we can apply our proposed criterion to find higher-order integrals of other block cipher structures Currently, we do not list all possible results on arious kinds of block cipher structures; we present only the cryptanalytic results of Nyberg s generalized Feistel ETRI Journal, Volue 35, Nuber, February 03 Ruilin Li et al 37

8 Table 4-round th-order integrals of RI No ctie bytes index U ctie bytes index V Balanced bytes index {9,, 4} {9,, 6} {9, 4, 6} {, 4, 6} {0,, 3} {0,, 5} {0, 3, 5} {, 3, 5} {5, 6, 5} {5, 6, 6} {5, 5, 6} {6, 5, 6} {6, 7, 9} {6, 7, } {6, 9, } {7, 9, } {5, 8, 0} {5, 8, } {5, 0, } {8, 0, } {7, 8, 3} {7, 8, 4} {7, 3, 4} {8, 3, 4} {3, 5, 0} {3, 5, 6} {3, 0, 6} {5, 0, 6} {, 7, 9} {, 7, 6} {, 9, 6} {7, 9, 6} {4, 5, 9} {4, 5, 6} {4, 9, 6} {5, 9, 6} {3, 7, 9} {3, 7, 3} {3, 9, 3} {7, 9, 3} {, 5, 0} {, 5, 3} {, 0, 3} {5, 0, 3} {4, 7, 0} {4, 7, 3} {4, 0, 3} {7, 0, 3} {, 8, 0} {, 8, 5} {, 0, 5} {8, 0, 5} {3, 6, 0} {3, 6, 5} {3, 0, 5} {6, 0, 5} {4, 6, 9} {4, 6, 5} {4, 9, 5} {6, 9, 5} {, 6, 9} {, 6, 4} {, 9, 4} {6, 9, 4} {3, 8, 9} {3, 8, 4} {3, 9, 4} {8, 9, 4} {4, 8, 0} {4, 8, 4} {4, 0, 4} {8, 0, 4} {3, 4, 9} {3, 4, 0} {3, 9, 0} {4, 9, 0} {, 5, } {, 5, 5} {,, 5} {5,, 5} {, 5, } {, 5, 5} {,, 5} {5,, 5} {4, 7, } {4, 7, 5} {4,, 5} {7,, 5} {, 7, } {, 7, 4} {,, 4} {7,, 4} {, 7, } {, 7, 4} {,, 4} {7,, 4} {4, 5, } {4, 5, 4} {4,, 4} {5,, 4} {, 4, 5} {, 4, 7} {, 5, 7} {4, 5, 7} {, 4, 4} {, 4, 5} {, 4, 5} {4, 4, 5} {, 6, } {, 6, 6} {,, 6} {6,, 6} {3, 8, } {3, 8, 6} {3,, 6} {8,, 6} {, 6, } {, 6, 6} {,, 6} {6,, 6} {, 8, } {, 8, 3} {,, 3} {8,, 3} {3, 6, } {3, 6, 3} {3,, 3} {6,, 3} {, 8, } {, 8, 3} {,, 3} {8,, 3} {, 3, 3} {, 3, 6} {, 3, 6} {3, 3, 6} {, 3, 6} {, 3, 8} {, 6, 8} {3, 6, 8} {,, } {,, } {,, } {,, } {,, 3, 4, 5, 6, 7, 8, 9,, 4, 6} {,, 3, 4, 5, 6, 7, 8, 0,, 3, 5} {,, 3, 4, 5, 6, 9, 0,,, 5, 6} {,, 3, 4, 5, 8, 0,, 3, 4, 5, 6} {,, 3, 4, 6, 7, 9,, 3, 4, 5, 6} {,, 3, 4, 7, 8, 9, 0,,, 3, 4} {,, 3, 5, 6, 7, 9,,, 3, 5, 6} {,, 3, 5, 6, 8, 9, 0,, 3, 4, 6} {,, 3, 5, 6, 8, 9,,, 4, 5, 6} {,, 3, 5, 7, 8, 0,,, 3, 4, 6} {,, 3, 6, 7, 8, 9, 0,, 3, 5, 6} {,, 3, 6, 7, 8, 0,,, 3, 4, 5} {,, 4, 5, 6, 7, 9, 0,, 3, 4, 5} {,, 4, 5, 6, 7, 0,,, 3, 5, 6} {,, 4, 5, 6, 8, 0,,, 4, 5, 6} {,, 4, 5, 7, 8, 9, 0,, 4, 5, 6} {,, 4, 5, 7, 8, 9,,, 3, 4, 6} {,, 4, 6, 7, 8, 9,,, 3, 4, 5} {,, 5, 6, 7, 8,,, 3, 4, 5, 6} {, 3, 4, 5, 6, 7, 9, 0,, 4, 5, 6} {, 3, 4, 5, 6, 8, 9, 0,, 3, 5, 6} {, 3, 4, 5, 6, 8, 0,,, 3, 4, 5} {, 3, 4, 5, 7, 8, 9, 0,, 3, 4, 5} {, 3, 4, 6, 7, 8, 9, 0,, 3, 4, 6} {, 3, 4, 6, 7, 8, 9,,, 4, 5, 6} {, 3, 6, 8, 9, 0,,, 3, 4, 5, 6} {, 4, 5, 6, 7, 8, 9, 0,,, 4, 5} {, 3, 4, 5, 6, 7, 9, 0,, 4, 5, 6} {, 3, 4, 5, 6, 7, 9,,, 3, 4, 6} {, 3, 4, 5, 6, 8, 9, 0,, 3, 5, 6} {, 3, 4, 5, 7, 8, 9, 0,, 3, 4, 5} {, 3, 4, 5, 7, 8, 0,,, 3, 5, 6} {, 3, 4, 6, 7, 8, 9, 0,, 3, 4, 6} {, 3, 5, 6, 7, 8, 9, 0,,, 3, 6} {, 4, 5, 7, 9, 0,,, 3, 4, 5, 6} {3, 4, 5, 6, 7, 8, 9, 0, 3, 4, 5, 6} {0,, 3, 5} {9,, 4, 6} {7, 8, 3, 4} {6, 7, 9, } {5, 8, 0, } {5, 6, 5, 6} {, 6,, 6} {3, 8,, 6} {4, 7, 0, 3} {4, 6, 9, 5} {4, 5,, 4} {, 8,, 3} {4, 7,, 5} {3, 8, 9, 4} {, 5,, 5} {3, 6,, 3} {, 7,, 4} {3, 5, 0, 6} {3, 4, 9, 0} {, 8,, 3} {3, 6, 0, 5} {, 7, 9, 6} {4, 8, 0, 4} {, 5,, 5} {, 6, 9, 4} {, 4, 5, 7} {, 3, 3, 6} {4, 5, 9, 6} {, 8, 0, 5} {, 7,, 4} {, 6,, 6} {, 5, 0, 3} {3, 7, 9, 3} {, 4, 4, 5} {, 3, 6, 8} {,,, } network [9] and the generalized Feistel-nonlinear feedback shift register (GF-NLFSR) [0] as exaples The idea is to introduce a substitution layer and a diffusion layer for block cipher structures The substitution layer is just an identity transforation, while the diffusion layer can adopt the encryption atrix Once these two layers are introduced, we can apply the criterion to extend a basic integral to a higherorder integral, as we do for SPN ciphers Considering the definition of the encryption atrix for a block cipher structure introduced in [7], [8], assue a block cipher structure with round function F (or any different F s) has n data subblocks, and the input and the output of a round are (X 0, X, X n- ) and (Y 0, Y, Y n- ), respectiely We hae the following definition: Definition 5 [7], [8] For a block cipher structure, the n n encryption atrix M is defined as follows If Y j is affected by X i (affected eans Y j = X i b, where b is a certain alue), the (i,j)- entry of M is set to In particular, if Y j is affected by F(X i ) or F (X i ), the (i,j)-entry of M is set to F instead of If Y j is not affected by X i, the (i,j)-entry of M is set to 0 significant difference between the notation for the encryption atrix in this paper and that in [7], [8] is the definition of the ultiplication of a ector and the atrix M In [7], [8], a ector is treated as a row-ector, and the 38 Ruilin Li et al ETRI Journal, Volue 35, Nuber, February 03

9 F F F F 3 F 4 Fig Nyberg s generalized Feistel network with eight subblocks Fig GF-NLFSR structure with eight subblocks ultiplication is thus defined by the product of a row-ector ties the atrix M Howeer, using our approach, a ector is treated as a colun-ector, and the ultiplication is defined by the product of the atrix M ties a colun-ector This difference leads to the fact that the encryption atrix of a block cipher structure in this paper is the transpose of the corresponding atrix in [7], [8] The definition of the rank for such an encryption atrix is iportant Note that there are three kinds of eleents in the encryption atrix: 0,, and F In fact, as the definition of ultiplication between a ector and a atrix, we can treat 0 and as the traditional alues, while treating the eleent F as a non-zero and non-one alue Meanwhile, for different round functions F, the alue F should be different ccording to the aboe conention, the rank of an encryption atrix can be defined as the traditional rank is defined nalysis of Nyberg s Generalized Feistel Network generalized Feistel network was proposed by Nyberg in [9], and it could proide proable security against differential and linear cryptanalysis n ealuation of the security of this structure with eight subblocks against integral cryptanalysis [] clais the existence of a 5-round 6th-order integral (the concrete distinguisher is not gien) In this subsection, we show how to use our proposed criterion to construct the 5-round 6th-order integral The encryption procedure of Nyberg s generalized Feistel network structure with eight subblocks is described in Fig, and the encryption atrix is F F P = F F Let us consider the 3-round nd-order integral of the for,8 B, as shown in [] Now, choose U= {, 8} and V= {,, 7, 8}; then, the subatrix is 0 0 F 4 0 F 0 3 P = Since rank( P ) = = 4 = # V # U, we get a 4-round 4th-order integral of the for,,7,8 B Based on the aboe 4-round 4th-order integral, let us further choose U= {,, 7, 8} and V= {,, 3, 6, 7, 8}; then, we will obtain the subatrix P F F = The fact that rank( PUV, ) = = 6 4 = # V # U explains why there exists a 5-round 6th-order integral of the B for,,3,6,7,8 nalysis of GF-NLFSR The GF-NLFSR structure was proposed by Choy and others in [0] Siilar to Nyberg s generalized Feistel network, it can proide proable security against differential and linear cryptanalysis The security of the GF-NLFSR containing n subblocks against integral cryptanalysis was carefully studied in [], which presents an n -round st-order integral and further an (n +n )-round (n )th-order integral In this subsection, we consider the GF-NLFSR with eight subblocks as an exaple and show how the first-order integral of the GF-NLFSR can be easily extended to higher-order integrals by using theore The encryption procedure of the GF-NLFSR with eight subblocks is described in Fig, and the encryption atrix is ETRI Journal, Volue 35, Nuber, February 03 Ruilin Li et al 39

10 P = F Fro [], there exists a 64-round st-order integral of the for 8, where 8 eans that the XOR su of the eight words of the ciphertexts is actie ccording to the encryption atrix P, for any d 6, let U= {,,, d} and V= {,,, d, d+}, and we can then proe rank( PUV, ) = = d + d This obseration shows that the aboe 64-round st-order integral can be iterated to construct a (64+d)-round (d+)th-order integral Thus, at last, we get the 70-round 7th-order integral: B,,,,7 8 where B 8 eans that the XOR su of the eight words of the ciphertexts is balanced V Conclusion In this paper, we built a link between integrals and higherorder integrals of SPN ciphers We showed that if the atrix of the linear transforation in the diffusion layer satisfies a rank condition that iplies a direct decoposition of a linear space, then an r-round (basic) integral can be extended to an (r+)- round higher-order integral This proposed criterion unifies the procedure for finding 4-round higher-order integrals of the ES and RI dditionally, it is suitable for detecting higherorder integrals of other block cipher structures We hope that the criterion presented in this paper will benefit the cryptanalysts, and ay thus lead to better cryptanalytic results Reference [] LR Knudsen and D Wagner, Integral Cryptanalysis, FSE, LNCS, ol 365, Springer, 00, pp -7 [] J Daeen, LR Knudsen, and V Rijen, The Block Cipher SQURE, FSE, LNCS, ol 67, Springer, 997, pp [3] S Lucks, The Saturation ttack Bait for Twofish, FSE, LNCS, ol 355, Springer, 00, pp -5 [4] Biryuko and Shair, Structural Cryptanalysis of SSS, J Cryptology, ol 3, Springer, 00, pp [5] E Biha and Shair Differential Cryptanalysis of DES-like Cryptosystes, J Cryptology, LNCS, ol 537, Springer, 99, pp - [6] FIPS Publication 97, Specification for the danced Encryption Standard (ES), US Departent of Coerce, National Institute of Standards and Technology (NIST), Inforation Technology Laboratory (ITL), Gaithersburg, MD, US, 00 [7] D Kwon et al, New Block Cipher: RI, ICISC, LNCS, ol 97, Springer, 004, pp [8] M Matsui, Linear Cryptanalysis Method for DES Cipher, EuroCrypt, LNCS 765, Springer, 994, pp [9] S Hong et al, Proable Security gainst Differential and Linear Cryptanalysis for the SPN Structure, FSE, LNCS, ol 978, Springer, 00, pp [0] J-S Kang et al, Practical and Proable Security gainst Differential and Linear Cryptanalysis for Substitution- Perutation Networks, ETRI J, ol 3, no 4, Dec 00, pp [] S Park et al, Iproing the Upper Bound on the Maxiu Differential and the Maxiu Linear Hull Probability for SPN Structures and ES, FSE, LNCS, ol 887, Springer, 003, pp [] J Daeen and V Rijen, The Design of Rijndael: ES - The danced Encryption Standard, Springer-Verlag, 00 [3] H Gilbert and M Minier, Collision ttack on 7 Rounds of Rijndael, 3rd d Encryption Standard Candidate Conf, 000, pp 30-4 [4] N Ferguson et al, Iproed Cryptanalysis of Rijndael, FSE, LNCS, ol 978, Springer, 00, pp 3-30 [5] P Li, B Sun, and C Li, Integral Cryptanalysis of RI, INSCRYPT, LNCS, ol 65, Springer, 0, pp -4 [6] Y Li, W Wu, and L Zhang Integral ttacks on Reduced- Round RI Block Cipher, ISPEC, LNCS, ol 6047, Springer, 00, pp 9-9 [7] J Ki et al, Ipossible Differential Cryptanalysis for Block Cipher Structures, INDOCRYPT, LNCS, ol 904, Springer, 003, pp 8-96 [8] J Ki, S Hong, and J Li, Ipossible Differential Cryptanalysis Using Matrix Method, Discrete Matheatics, ol 30, no 5, Elseier, 00, pp [9] K Nyberg, Generalized Feistel Networks, SICRYPT, LNCS, ol 63, Springer, 996, pp 9-04 [0] J Choy et al, Cryptographic Properties and pplication of a Generalized Unbalanced Feistel Network Structure, CISP, LNCS, ol 5594, Springer, 009, pp [] R Li et al, Cryptanalysis of a Generalized Unbalanced Feistel Network Structure, CISP, LNCS, ol 668, Springer, 00, pp Ruilin Li et al ETRI Journal, Volue 35, Nuber, February 03

11 Ruilin Li receied his BS, MS, PhD in applied atheatics fro the National Uniersity of Defense Technology, Changsha, Hunan, China, in 005, 007, and 0, respectiely He is currently a lecturer with the School of Electronic Science and Engineering at the National Uniersity of Defense Technology His research fields include cryptography and inforation security Bing Sun receied his MS and PhD in applied atheatics fro the National Uniersity of Defense Technology, Changsha, Hunan, China, in 005 and 009, respectiely He is now a lecturer with the Departent of Matheatics and Syste Science at the National Uniersity of Defense Technology His research fields include cryptography and inforation security Chao Li receied his BS in atheatics in 987 fro the Uniersity of Inforation Engineering, Zhengzhou, Henan, China, his MS in atheatics in 990 fro the Uniersity of Science and Technology of China, Hefei, nhui, China, and his PhD in engineering in 00 fro the National Uniersity of Defense Technology, Changsha, Hunan, China Since Deceber 00, he has been a professor with the Departent of Matheatics and Syste Science at the National Uniersity of Defense Technology His research fields include coding theory, sequences, cryptography, and inforation security ETRI Journal, Volue 35, Nuber, February 03 Ruilin Li et al 4