Integral Cryptanalysis of SPN Ciphers with Binary Permutations

SCIENCE CHINA Information Sciences . LETTER . January 2018, Vol. 61, 019101:1–019101:3, doi: 10.1007/s11432-016-9184-y

Integral cryptanalysis of SPN ciphers with binary permutations

Hailong SONG1,2 & Yuechuan WEI3*

1School of Information Science and Engineering, Central South University, Changsha 410083, China;
2School of Information Science and Engineering, Jishou University, Jishou 416000, China;
3Electronics Technology Department, Engineering University of Armed Police Force, Xi'an 710086, China

Received 22 December 2016 / Revised 20 March 2017 / Accepted 21 June 2017 / Published online 3 November 2017

Citation: Song H L, Wei Y C. Integral cryptanalysis of SPN ciphers with binary permutations. Sci China Inf Sci, 2018, 61(1): 019101, doi: 10.1007/s11432-016-9184-y

* Corresponding author (email: [email protected])
The authors declare that they have no conflict of interest.
© Science China Press and Springer-Verlag Berlin Heidelberg 2017. info.scichina.com, link.springer.com

Dear editor,

As one of the most powerful cryptanalytic vectors, integral cryptanalysis [1] exploits the simultaneous relationship between multiple encryptions. In [1], the integral of $f(x)$ over some subset $V$ ($V$ is not necessarily, but often, a linear subspace) is defined as follows:

$$\int_V f = \sum_{x \in V} f(x).$$

As extensions of the integral, several concepts such as the bit-pattern-based integral [2], the higher-order integral and the higher-degree integral [3] have been proposed. Integrals are especially well suited to analyzing ciphers with primarily bijective components. Consequently, they have been applied to many (round-reduced) ciphers which are not vulnerable to differential and linear cryptanalysis.

At EUROCRYPT 2016, Sun et al. [4] proved that the length of an impossible differential of an SPN cipher is upper bounded by the sum of the primitive indexes of the diffusion layer and its inverse. This inspires us to characterize the integrals of ciphers using properties of diffusion layers.

The branch number of the diffusion layer plays an important role in evaluating the security of block ciphers against differential and linear cryptanalysis: the larger the branch number, the more resistant the cipher is to differential and linear cryptanalysis. In some papers, many people believe that the branch number can also be used to evaluate the security against integral attacks. However, it seems that the branch number cannot characterize the security of block ciphers against integral cryptanalysis. For example, since the branch number of the linear layer of ARIA is 8, the designers believed that no integral distinguisher covering more than 3 rounds exists [5]. However, 3-round and 4-round integral distinguishers were constructed in [6] and [7], respectively.

In this letter, we mainly discuss the security of SPN ciphers with binary permutations against integral cryptanalysis. Firstly, we point out that the branch number of the linear transformation cannot properly characterize the security of ciphers against integral cryptanalysis, and we propose the integral branch number of binary linear transformations to evaluate the immunity of ciphers against integral cryptanalysis; these results can be used to explain the existence of integrals of SPN ciphers such as ARIA. Secondly, some combinatorial properties of the integral branch number are studied: we show that for an $n \times n$ non-singular binary matrix the integral branch number is upper bounded by $n - 2$, and the construction of binary matrices with optimal integral branch number is discussed. Note that this letter only presents the results; for the details of the proofs, refer to the supplemental file.

Many block ciphers are designed based on the SPN structure. Let the input to a cipher $E$ be $X = (X_0, \ldots, X_{n-1})^T \in \mathbb{F}_{2^t}^n$, and let the input and output of the $i$th round be $X^{(i)} = (X^{(i)}_0, \ldots, X^{(i)}_{n-1})^T \in \mathbb{F}_{2^t}^n$ and $X^{(i+1)} = (X^{(i+1)}_0, \ldots, X^{(i+1)}_{n-1})^T \in \mathbb{F}_{2^t}^n$, respectively. Let $K^{(i)} = (K^{(i)}_0, \ldots, K^{(i)}_{n-1})^T \in \mathbb{F}_{2^t}^n$ be the $i$th round key. If the round function is defined as follows, $E$ is called an SPN cipher:

$$X^{(i+1)} = P\,S\big(X^{(i)} \oplus K^{(i)}\big),$$

where $S(T_0, \ldots, T_{n-1})^T = (S_0(T_0), \ldots, S_{n-1}(T_{n-1}))^T$ and the $S_i$ ($0 \le i \le n-1$) are nonlinear bijective transformations; $P(T_0, \ldots, T_{n-1})^T = P\,(T_0, \ldots, T_{n-1})^T$ is a linear transformation where $P \in \mathbb{F}_2^{n \times n}$.

The following definitions are essential in computing the integrals of $f(x)$ over some subsets.

Definition 1. A multi-set $A = \{a_i \mid a_i \in \mathbb{F}_{2^n},\ 0 \le i \le 2^n - 1\}$ is active if for any $0 \le i < j \le 2^n - 1$, $a_i \ne a_j$. A polynomial $p(x) \in \mathbb{F}_{2^t}[x]$ is active if $p(x)$ is a permutation over $\mathbb{F}_{2^t}$.

Definition 2. A multi-set $C = \{a_i \mid a_i \in \mathbb{F}_{2^n},\ 0 \le i \le 2^n - 1\}$ is passive if for any $0 < i \le 2^n - 1$, $a_i = a_0$. A polynomial $p(x) \in \mathbb{F}_{2^t}[x]$ is passive if $p(x)$ is a constant over $\mathbb{F}_{2^t}$.

Definition 3. A multi-set $B = \{a_i \mid a_i \in \mathbb{F}_{2^n},\ 0 \le i \le 2^n - 1\}$ is balanced if $\sum_{i=0}^{2^n - 1} a_i = 0$. A polynomial $p(x) \in \mathbb{F}_{2^t}[x]$ is balanced if $\sum_{x \in \mathbb{F}_{2^t}} p(x) = 0$.

Definition 4. For an iterated cipher $E$, denote by $D(i, j, r)$ an $r$-round integral distinguisher with only the $i$th byte of the input being active and the $j$th byte of the output being balanced. In some cases, if $r$ is known from the context, $D(i, j, r)$ is abbreviated to $D(i, j)$.

Theorem 1. Let $S$ be a bijective transformation over $\mathbb{F}_{2^t}$, $\alpha, \beta \in \mathbb{F}_{2^t}$, and $T(x) = S(x \oplus \alpha) \oplus S(x \oplus \beta)$. Then each distinct value of $T(x)$ appears an even number of times; thus $S(T(x))$ is balanced.

For a random function $f(x) \in \mathbb{F}_q[x]$, the probability that $\sum_{x \in V} f(x) = 0$ is $q^{-1}$. However, the following theorem tells that the probability that every distinct element appears an even number of times is much lower than $q^{-1}$:

Theorem 2. Let $A = \{a_0, \ldots, a_{N-1}\}$ be a set with $N$ different elements, and let $B$ be a multi-set with $2M$ elements taken from $A$. Denote by $(a_i)_B$ the number of times that $a_i$ appears in $B$. Then the probability that

$$(a_0)_B \equiv (a_1)_B \equiv \cdots \equiv (a_{N-1})_B \equiv 0 \pmod 2$$

is

$$P_e(N, 2M) = \frac{C_{M+N-1}^{N-1}}{C_{2M+N-1}^{N-1}}.$$

Definition 5. The Hamming weight of $X \in \mathbb{F}_{2^t}^n$ is defined as the number of non-zero components of $X$:

$$w(X) = \#\{\, i \mid X = (x_0, \ldots, x_{n-1})^T,\ x_i \ne 0 \,\}.$$

Definition 6. Let $L$ be a linear transformation over $\mathbb{F}_{2^t}^n$; then the branch number of $L$ is defined as

$$B(L) = \min_{0 \ne X \in \mathbb{F}_{2^t}^n} \{\, w(X) + w(L(X)) \,\}.$$

Definition 7. Let $X = (x_0, \ldots, x_{n-1})^T \in \mathbb{F}_{2^t}^n$ and $Y = (y_0, \ldots, y_{n-1})^T \in \mathbb{F}_{2^t}^n$. Then $X \otimes Y$ is defined as

$$X \otimes Y = (x_0 y_0, \ldots, x_i y_i, \ldots, x_{n-1} y_{n-1})^T.$$

Definition 8. Let $P$ be an invertible element of $\mathbb{F}_{2^t}^{n \times n}$, let $(P)_i$ ($0 \le i \le n-1$) be the $i$th column of $P$, and let $P^T$ be the transpose of $P$. Then the integral branch number of $P$ is defined as

$$I(P) = \min_{0 \le i, j \le n-1} \big\{\, w\big((P)_i \otimes (P^T)_j\big) \,\big\}.$$

To evaluate the security of ciphers against integral cryptanalysis, the following theorem holds.

Theorem 3. Let $E$ be an iterated SPN block cipher. Let $P \in \mathbb{F}_2^{n \times n}$ be the binary linear transformation used in $E$, and let the confusion layer be defined as

$$S(X) = (S_0(X_0), \ldots, S_i(X_i), \ldots, S_{n-1}(X_{n-1}))^T,$$

where the $S_i$ are nonlinear functions over $\mathbb{F}_{2^t}$. Assume $I(P) = 2$, and the corresponding two non-zero positions are $m_0$ and $m_1$. If $S_{m_0} = S_{m_1}$, then $D(m_0, m_1)$ is an integral distinguisher of SPSPS.

By Theorem 3, when designing an SPN cipher, $I(P)$ should be at least 3. However, this theorem does not imply that a larger integral branch number gives a better security bound against integral attacks.

Theorem 3 can be directly applied to SPN ciphers. The main observation of [6] is some 2.5-round integral distinguishers of ARIA, one of which can be simply denoted by $[0, (6, 9, 15)]$. By using Theorem 3, we can list all possible values, where $[a, (b, c, d)]$ means that if only the $a$th byte of the input takes all values of $\mathbb{F}_{2^8}$ and the other bytes are constants, then $Z_{3,b}$, $Z_{3,c}$ and $Z_{3,d}$ are balanced. In [8], a $32 \times 32$ matrix is designed, and the authors proposed that no integral distinguisher covering more than 2 rounds could exist if the designer uses such a $32 \times 32$ matrix. However, by Theorem 3, we find that if only $S_{m_1} = S_{m_2}$, then some 2.5-round distinguishers $D(i, j)$ of SPSPS can be found.

... non-singular matrices with optimal integral branch number is discussed. However, though the integral branch number is optimal, the branch number is only 4. This tells that maybe we can construct some binary matrices whose integral branch num-
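As an added worked example (not code from the letter), the following Python computes $B(P)$ (Definition 6) and $I(P)$ (Definition 8) for a constructed $4 \times 4$ binary matrix $J - I$, and then checks Theorem 3 on a toy SPSPS with identical 4-bit S-boxes by XOR-summing the outputs over an active input position. The matrix, the S-box, the round keys and the constant input bytes are assumptions chosen for illustration.

```python
from functools import reduce
from itertools import product

# Constructed 4x4 binary matrix J - I: ones everywhere except the diagonal.
P = [[0 if r == c else 1 for c in range(4)] for r in range(4)]
# A 4-bit bijection for every S_i (the PRESENT S-box, used only as a permutation).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# Constructed, fixed round keys added before each of the three S layers.
KEYS = [(1, 2, 3, 4), (5, 6, 7, 8), (9, 10, 11, 12)]

def weight(v):
    # Definition 5: number of non-zero components.
    return sum(1 for x in v if x != 0)

def apply_p(P, X):
    # A binary matrix over GF(2^t): each output component is an XOR of inputs.
    return [reduce(lambda a, b: a ^ b, (X[c] for c in range(len(P)) if P[r][c]), 0)
            for r in range(len(P))]

def branch_number(P):
    # Definition 6; for a binary P it suffices to minimise over GF(2)^n.
    return min(weight(x) + weight(apply_p(P, x))
               for x in product((0, 1), repeat=len(P)) if any(x))

def integral_branch_number(P):
    # Definition 8: w((P)_i (x) (P^T)_j) = #{k : P[k][i] = P[j][k] = 1}.
    # Returns (I(P), i, j, positions) for a pair (i, j) attaining the minimum.
    best = None
    for i, j in product(range(len(P)), repeat=2):
        pos = [k for k in range(len(P)) if P[k][i] and P[j][k]]
        if best is None or len(pos) < best[0]:
            best = (len(pos), i, j, pos)
    return best

def spsps(X):
    # 2.5 rounds S P S P S; round keys are XORed before each S layer.
    Y = list(X)
    for layer in range(3):
        Y = [SBOX[y ^ k] for y, k in zip(Y, KEYS[layer])]
        if layer < 2:
            Y = apply_p(P, Y)
    return Y

def integral_sum(i, const=(0x3, 0x5, 0x9, 0xC)):
    # Position i takes all 16 values, the others stay fixed; XOR all outputs.
    # A zero at output position j means D(i, j) holds (Definition 4).
    acc = [0] * len(P)
    for v in range(16):
        X = list(const)
        X[i] = v
        acc = [a ^ y for a, y in zip(acc, spsps(X))]
    return acc
```

For $J - I$ the two non-zero positions connecting input 0 to output 1 are 2 and 3, so with identical S-boxes the output byte 1 sums to zero over the 16 chosen inputs, while $I(P) = 2 = n - 2$ meets the letter's upper bound.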
