Abstract

Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two of the most effective tools for evaluating the security of block ciphers. In both attacks, the core step is to construct a distinguisher that covers as many rounds as possible. In this paper, we focus on the security of New Structure III, a block cipher structure with excellent resistance against differential and linear attacks. While the best previous result exploits only one round of the linear layer P to construct impossible differential and zero-correlation linear distinguishers, we exploit more rounds to find longer distinguishers. Combining the Miss-in-the-Middle strategy with the characteristic matrix method proposed at EUROCRYPT 2016, we construct 23-round impossible differentials and zero-correlation linear hulls when the linear layer P satisfies some restricted conditions. To our knowledge, both of them are 1 round longer than the best previous works concerning the two cryptanalytical methods. Furthermore, to show the effectiveness of our distinguishers, the linear layer of the round function is instantiated with the permutation matrix of the block cipher SKINNY, which was proposed at CRYPTO 2016. Our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks, even though it possesses good differential and linear properties.

1. Introduction

Block cipher structures are regarded as the backbones of block ciphers. When designing a new block cipher, the first step is to choose a proper structure. From the implementation aspect, the structure significantly influences the implementation cost and latency of the block cipher. From the security aspect, the structure affects the diffusion and interaction among the different components and guides the choice of parameters such as the number of iterated rounds. Therefore, cryptanalysis of block cipher structures also deserves much attention [14].

So far, one of the most popular block cipher structures is the Feistel structure. It divides the input into two halves and updates one half in each round. Since decryption of Feistel structures does not involve the inverse of the round functions, encryption and decryption share a similar structure and components, making the design more flexible, versatile, and economical. Its randomness [5] and resistance against Meet-in-the-Middle [6], yoyo [7], and quantum [8] attacks have been widely studied. In [9], the generalized Feistel structure (GFS) was proposed. While GFS preserves the advantages of Feistel structures, its branch size and round functions are lighter and more portable. GFS has been further extended and classified into Type-II GFS, unbalanced GFS, and so on. As shown in Figure 1, Type-II GFS updates one half of the branches and follows with a branch-wise circular shift, while unbalanced GFS uses contracting or expanding round functions. Examples of these GFSs are CLEFIA [10], HIGHT [11], SMS4 [2], MARS [3], GMiMC [12], etc. These schemes possess relatively high diffusion while keeping a portable round function design.

The security of GFS has undergone careful evaluation. After its publication, the diffusion and security regarding differential and linear attacks of Type-II GFS were evaluated by counting the number of active S-boxes. At SAC 2010, the lower bound of active S-boxes with SP type round functions was evaluated [13]. Then, similar studies with respect to SPS and SPSP type round functions were performed [14, 15]. The impossible differential cryptanalysis and zero-correlation linear and integral cryptanalysis have also been taken into consideration. Based on the Miss-in-the-Middle strategy, Kim et al. [16] analyzed the impossible differential property using a matrix-based method. Yang et al. [17] and Zhang and Wu [18] proposed a search method for zero-correlation linear and integral distinguishers, respectively. At FSE 2015, Blondeau and Minier [19] noticed the links among the three analytical methods for Type-II GFS and performed systematic key recovery attacks. In addition, the security against Meet-in-the-Middle attack [20], known key attack [21], and quantum attack [22] has also been evaluated.

With the improvement of generic analytical techniques, some new variants of GFS have been proposed. At ACISP 2009, Choy et al. combined generalized unbalanced Feistel networks with the MISTY structure and named the result GF-NLFSR [23]. GF-NLFSR possesses better security in the sense of differential and linear probability bounds. In 2011, Wu and Wang [24] put forward a unified method to assess the lower bounds of the minimal number of differential active S-boxes for block cipher structures. With this method, they presented 4 new structures, namely, New Structure I/II/III/IV. Among them, New Structure III features better properties against differential and linear attacks than other well-known structures such as Type-I/II GFS, Skipjack structures, GF-NLFSR, and so on.

Apart from the resistance against differential and linear cryptanalysis, the security evaluation of the New Structure family mainly concentrates on impossible differential and zero-correlation linear attacks. In [25], Cui and Jin constructed the first impossible differentials for the New Structure family. They showed that there exist 15/∞/19/16-round impossible differentials for New Structure I/II/III/IV, respectively. Recently, in 2018, Fu et al. [26] further extended these results by exploiting information about the round function. They constructed 16/∞/22/16-round impossible differentials by considering SP type round functions. Moreover, 16/∞/22/16-round zero-correlation linear distinguishers were also built by similar methods. Compared with the earlier results, the impossible differentials of New Structure III were significantly improved.

Inspired by the characteristic matrix method used at EUROCRYPT 2016 [27], we also study the security of New Structure III with SP type round functions against impossible differential and zero-correlation linear attacks in this paper. The distinguishers are constructed in two steps. We first derive the differential and linear propagation patterns. Then, contradictions are detected by adding some constraints to the linear layer of the round function. Taking advantage of the characteristic matrix method, information from several rounds of the linear layer P can be exploited instead of only one round. Therefore, impossible differentials and zero-correlation linear hulls covering more rounds can be constructed. In this paper, we improve the best previous results on New Structure III by 1 round. These results are summarized in Table 1.

The rest of this paper is organized as follows. In Section 2, some notations and concepts will be introduced. Impossible differentials and zero-correlation linear hulls of New Structure III will be constructed in Sections 3 and 4, respectively. Section 5 concludes this paper.

2. Preliminary

In this section, we introduce impossible differentials and zero-correlation linear hulls. Then, a detailed description of New Structure III is given. Before that, we first introduce some notations that will be used throughout this paper.

2.1. Notations

The state of the round function is regarded as a d-dimensional column vector , and its i-th element is denoted as . The transpose of is denoted as . Moreover, ei denotes the d-dimensional unit vector whose i-th element is nonzero and whose other elements are zero. Similarly, for a d × d matrix M, the element in row i and column j is denoted as Mi,j. M−1 and MT denote the inverse and the transpose of M, respectively.

In [27], a characteristic matrix method is proposed to evaluate the impossible differentials and zero-correlation linear hulls of SPN ciphers. The definition of a characteristic matrix is given below.

Definition 1 (characteristic matrix) (see [27]). Let P be a linear mapping, and it can be expressed as a d × d matrix; the characteristic matrix of is defined as , where

The characteristic matrix is used to express the dependency between the input and the output. For a characteristic matrix M, when Mi,j = 0, the i-th element of the output is independent of the j-th element of the input. Otherwise, Mi,j = 1. Based on this characteristic matrix method, the round function of SPN ciphers can be reflected as a matrix multiplication. Denote Mt as the t-th power of M, where the multiplication of matrices is defined as

where “|” is the bitwise OR operation. Given that the nonlinear bijective function S [28] does not change the differential/mask pattern, if there exists one zero element in row i and column j of Mt, the i-th element of the output is independent of the j-th element of the input for t-round SPN ciphers. In addition, if M works on a column vector , it is also defined as

2.2. Impossible Differentials

The impossible differential attack is a variant of the differential attack, and it was proposed by Knudsen [29] and Biham et al. [30] independently. Unlike the differential attack, which uses differentials with high probability, the impossible differential attack exploits differentials that occur with probability 0. For an n-bit block cipher Ek with input difference α and output difference β, the differential probability is defined as the fraction of inputs for which the output difference β is produced:

If the above probability equals zero, i.e.,

the differential from α to β is regarded to be impossible.

At FSE 1999, Biham et al. [31] systematically introduced the Miss-in-the-Middle approach, which is still the most commonly used strategy for finding impossible differentials. The input difference is propagated forward through some rounds in the encryption direction with probability 1, and the output difference is propagated backward through some rounds in the decryption direction in the same way. Then, the intermediate state is checked for a contradiction. If one is detected, an impossible differential is found.

2.3. Zero-Correlation Linear Hulls

The zero-correlation linear attack is a novel extension of linear cryptanalysis. It was first formalized by Bogdanov et al. in 2011 [32]. The zero-correlation linear attack utilizes linear hulls whose correlation is zero. For a block cipher Ek, its linear approximation p(α, β) is defined as the fraction of inputs X that satisfy αX = βEk(X), i.e.,

where “⋅” denotes the inner product and α, β are the input mask and output mask, respectively. Then, the correlation of the linear hull (α, β) is defined as

Linear cryptanalysis employs linear hulls with high correlation, while zero-correlation linear cryptanalysis uses those with correlation c(α, β) = 0.

Similar to the case of impossible differentials, the Miss-in-the-Middle approach can also be applied to construct zero-correlation linear hulls. The procedure is analogous: the input mask is propagated some rounds forward and the output mask some rounds backward, both with probability 1. If the intermediate masks contradict each other, the correlation of the linear hull is zero.

2.4. The New Structure Series of Block Cipher Structures

The New Structure series of block cipher structures was proposed by Wu et al. in 2011. They provided a generalized approach using integer programming to estimate the lower bound of the minimal number of active S-boxes for various structures. With this approach in hand, they were able to search for new structures with good immunity against differential and linear attacks. The New Structure series was designed in this way. These structures guarantee 22 active S-boxes within 25/22/21/24 rounds.

The New Structure family is specified with 4 branches, and only one round function is employed in a single round. Diffusion and confusion are achieved by different combinations of XOR, branch-wise circular shift, and the nonlinear part. The schematic diagram is shown in Figure 2.

For New Structure III, its leftmost branch is first nonlinearly transformed by the round function F. Then, the nonlinearly transformed state is XORed to its right branch. Finally, the branches are left circular shifted by 1. Assume that the input and output are (x0, x1, x2, x3) and (y0, y1, y2, y3), respectively; then, one-round transformation of New Structure III is

For GFS and its extensions, the round functions are flexible, versatile, and not necessarily bijective. However, round functions of the Substitution-Permutation (SP) type are preferable. Since the SP structure features better diffusion and well-understood security, many block ciphers employing GFS use SP type round functions, such as SMS4 [2], CLEFIA [10], and so on. The SP type round function consists of a nonlinear layer S and a linear layer P, where S is made up of d parallel s-bit S-boxes and P can be expressed as a d × d matrix operating on sd bits with word length s. It should be pointed out that both the nonlinear layer S and the linear layer P in this paper are bijective.

To describe the differential/mask propagation through the linear layer, we recall the following proposition.

Proposition 1 (see [33]). Let P be a linear bijective layer; then,
(i) For any input-output difference , if the differential probability is nonzero, we always have .
(ii) For any input-output mask , if the correlation is nonzero, we always have .

3. Impossible Differentials of New Structure III

In this section, we first give the one-round differential propagation and then construct 23-round impossible differential distinguishers of New Structure III by the Miss-in-the-Middle method, provided that the linear layer P satisfies some extra conditions. To describe the differential properties better, we first give some notations. ΔF(a) represents all possible output differences of the nonlinear function F when the input difference is a. Similarly, ΔFr(a) represents all possible output differences of r consecutive rounds of F when the input difference is a, and ΔF-r(a) represents all possible output differences of r consecutive rounds of F−1 (the inverse of F) when the input difference is a.

To construct impossible differentials, the one-round differential propagation is presented first. The property is given below.

Proposition 2 (see [25, 26]). For one-round encryption of New Structure III, let (a0, a1, a2, a3) and (b0, b1, b2, b3) be the input and output difference, respectively, and we have

The one-round differential propagation is given in Figure 3, and we now study how to construct longer impossible differentials. The following theorem gives the impossible differential distinguisher.

Theorem 1. For New Structure III with SP type round functions, if there exist i, j such that ()4i, j = 0 and P−1i, i = 0, the following 23-round differential is impossible:

where α = ej, β = Pei, and denotes the characteristic matrix of the linear layer .

Proof. The 23-round differential propagation of New Structure III is depicted in Figure 4. It consists of 13 rounds of encryption and 10 rounds of decryption, whose last rounds are marked in red and blue, respectively. The details of the differential propagation are given in Table 2, where ? denotes an unknown difference.
From the encryption direction, the input difference (0, α, 0, 0) propagates 13 rounds and the middle difference becomes (?, α4, ?, ?), where α4 = ΔF4(α). From the decryption direction, the output difference (β, 0, 0, β) is decrypted by 10 rounds to (?, β1β2, ?, ?), where β1 = ΔF−1(β) and β2 = ΔF−2(β). If the middle differences could match each other, there must be

It indicates that

Considering the fact that the round functions are SP type,

For the left part of equation (13), according to the characteristic matrix method, the condition ()4i, j = 0 indicates that the i-th element of the output ΔPSPSPSPS(α) is not influenced by the j-th element of α. Furthermore, if α = ej, which means that only the j-th element of α is nonzero, the i-th element of ΔPSPSPSPS(α) is zero.
For the right part of equation (13), when β = Pei, it becomes

Given that the nonlinear bijective S−1 does not change the difference pattern, ΔS−1(ei) = ei. So, ΔS−1(ei)⊕ΔS−1P−1S−1(ei) = ei⊕ΔS−1P−1(ei). Moreover, when P−1i,i = 0, the i-th element of P−1(ei) is zero. Consequently, the i-th elements of ΔS−1P−1(ei) and ei⊕ΔS−1P−1(ei) are zero and nonzero, respectively.
For the two parts of equation (13), the i-th elements of the left and the right side are zero and nonzero, respectively. Thus, equation (13) cannot hold when the restricted conditions on are satisfied. Therefore, the 23-round impossible differential is constructed.
To achieve the above 23-round impossible differentials, the linear layer needs to satisfy some extra conditions according to Theorem 1. In fact, they can be achieved. For example, the permutation layer of the block cipher SKINNY, which was designed at CRYPTO 2016 [34], is

By calculating the characteristic matrix, ()4 and P−1 are presented below. For P−1, every i (0 ≤ i ≤ 15) satisfies P−1i, i = 0. Therefore, every (i, j) pair that makes P4i, j = 0 satisfies the condition in Theorem 1. There are 64 possible (i, j) pairs in total.

4. Zero-Correlation Linear Hulls of New Structure III

In this section, we first give the one-round linear propagation and then construct 23-round zero-correlation linear hulls of New Structure III in the same way as the impossible differentials. To describe the linear properties better, we first give some notations. ΛF(a) represents all possible output masks of the nonlinear function F when the input mask is a. Similarly, ΛFr(a) represents all possible output masks of r consecutive rounds of F when the input mask is a, and ΛF-r(a) represents all possible output masks of r consecutive rounds of F−1 (the inverse of F) when the input mask is a.

To construct zero-correlation linear hulls, the one-round linear propagation is presented first. The property is given below.

Proposition 3 (see [26]). For one round of New Structure III, let (a0, a1, a2, a3) and (b0, b1, b2, b3) be the input mask and output mask, respectively, and we have

The above proposition can be easily proved with the linear propagation rules given in [26]. The one-round linear propagation is shown in Figure 5, and we now study how to construct longer zero-correlation linear hulls. The following theorem gives the zero-correlation linear hulls.

Theorem 2. For New Structure III with SP type round functions, if there exist i, j such that (()4)Ti, j = 0 and (P−1)Ti, i = 0, the following 23-round linear hulls are zero-correlation linear hulls:

where α = ei, β = (P−1)Tej, and denotes the characteristic matrix of the linear layer .

Proof. The 23-round linear propagation of New Structure III is depicted in Figure 6. It consists of 10 rounds of encryption and 13 rounds of decryption, whose last rounds are marked in red and blue, respectively. The details of the linear propagation are given in Table 3, where ? denotes an unknown mask.
From the encryption direction, the input mask (0, 0, α, 0) propagates to (α1α2, ?, ?, ?) after 10 rounds with probability 1, where α1 = ΛF(α) and α2 = ΛF2(α). From the decryption direction, the output mask (β, β, β, β) is decrypted to (β4, ?, ?, ?) after 13 rounds with probability 1, where β4 = ΛF−4(β). If the intermediate masks could match each other, there must be

It indicates that

Considering the fact that the round functions are SP type, the above equation becomes

Furthermore, equation (22) can also be written as the following equation:

Given that P is linear bijective, equation (23) becomes

Note that the nonlinear bijective S does not change the mask pattern. Thus, for the left part of equation (24), if α = ei, ΛS(α)⊕ΛSPS(α) = ΛS(ei)⊕ΛSPS(ei) = ei⊕ΛSP(ei). When (P−1)Ti,i = 0, the i-th elements of ΛSP(ei) and ei⊕ΛSP(ei) are zero and nonzero, respectively. Thus, the i-th element of the left part of equation (24) is nonzero.
For the right part of equation (24), according to Proposition 1, when the mask is β = ()Tej, the mask becomes ej after passing through . Furthermore, we have

Since (()4)Ti, j = 0, according to the definition of the characteristic matrix and Proposition 1, the i-th element of ΛP−1S1P1S1P1S−1(ej) is zero.
Therefore, for the two parts of equation (24), the i-th elements of the left and the right side are nonzero and zero, respectively. So, equation (24) cannot hold when the restricted conditions on are satisfied. Therefore, the 23-round zero-correlation linear hulls are constructed.
To achieve the above 23-round zero-correlation linear hulls, the linear layer needs to satisfy some extra conditions according to Theorem 2. Note that they can be achieved as well. For example, for the permutation layer of the block cipher SKINNY described in Section 3, ()4 and are presented in equations (16) and (17), respectively, and they easily satisfy the conditions in Theorem 2.
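As an added example (not code from the paper), the following Python implements the characteristic matrix method and checks the conditions of Theorem 1 and Theorem 2 on SKINNY's linear layer. It assumes that the 16×16 "permutation matrix of SKINNY" is MixColumns composed with ShiftRows acting on the 16 cells (cell index 4·row + column); under that assumption it reproduces the 64 (i, j) pairs stated in Section 3 and the zero diagonal of P−1.

```python
# SKINNY MixColumns matrix acting on the four rows of one column.
MC = [[1, 0, 1, 1],
      [1, 0, 0, 0],
      [0, 1, 1, 0],
      [1, 0, 1, 0]]

def skinny_linear_layer():
    """16x16 binary matrix P = MixColumns o ShiftRows on the 16 cells (assumed
    form; cell index 4*row + column). P[i][j] = 1 iff output cell i uses input cell j."""
    p = [[0] * 16 for _ in range(16)]
    for r in range(4):
        for c in range(4):
            for rr in range(4):
                if MC[r][rr]:
                    # ShiftRows rotates row rr to the right by rr positions
                    p[4 * r + c][4 * rr + (c - rr) % 4] = 1
    return p

def characteristic_matrix(p):
    """Definition 1: M[i][j] = 0 iff P[i][j] == 0, otherwise 1."""
    return [[1 if x else 0 for x in row] for row in p]

def or_mult(a, b):
    """Characteristic-matrix product: AND in place of '*', bitwise OR in place of '+'."""
    n = len(a)
    return [[1 if any(a[i][k] and b[k][j] for k in range(n)) else 0
             for j in range(n)] for i in range(n)]

def or_power(m, t):
    """M^t under the OR product: (M^t)[i][j] == 0 means output word i of
    t rounds of the SP layer is independent of input word j."""
    res = m
    for _ in range(t - 1):
        res = or_mult(res, m)
    return res

def gf2_inverse(p):
    """Gauss-Jordan inverse of an invertible binary matrix over GF(2)."""
    n = len(p)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(p)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [x ^ y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def theorem1_pairs(p):
    """(i, j) with (M^4)[i][j] == 0 and (P^-1)[i][i] == 0; each pair yields the
    23-round impossible differential (0, e_j, 0, 0) -> (P e_i, 0, 0, P e_i)."""
    m4, pinv, n = or_power(characteristic_matrix(p), 4), gf2_inverse(p), len(p)
    return [(i, j) for i in range(n) for j in range(n)
            if m4[i][j] == 0 and pinv[i][i] == 0]

def theorem2_pairs(p):
    """Theorem 2: the same test on the transposes (M^4)^T and (P^-1)^T."""
    m4t = list(zip(*or_power(characteristic_matrix(p), 4)))
    pinvt, n = list(zip(*gf2_inverse(p))), len(p)
    return [(i, j) for i in range(n) for j in range(n)
            if m4t[i][j] == 0 and pinvt[i][i] == 0]

if __name__ == "__main__":
    P = skinny_linear_layer()
    print(len(theorem1_pairs(P)), "(i, j) pairs satisfy Theorem 1")  # 64
    print(len(theorem2_pairs(P)), "(i, j) pairs satisfy Theorem 2")  # 64
```

Because a permutation of the cells conjugates both P and its characteristic matrix, the pair count does not depend on the cell numbering or on whether ShiftRows is applied before or after MixColumns.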

5. Conclusions

In this paper, we improved the impossible differentials and zero-correlation linear hulls of New Structure III to 23 rounds. Both of them are 1 round longer than the best previous works. First, through careful analysis of its differential and linear propagation rules, the intermediate states were derived after some rounds of encryption and decryption. Then, a contradiction was detected by exploiting the details of the permutation layer, which must satisfy some constraints. To show the effectiveness of our constructions, P was instantiated with the permutation matrix of the block cipher SKINNY, and 64 distinguishers were found. In terms of distinguisher length, our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks than other GFSs such as the SMS4 and MARS-like structures, for which the longest constructed distinguishers cover only 12 rounds so far. Although a block cipher structure or a concrete cipher may be designed to possess optimal resistance against one attack, it might be vulnerable to other cryptanalysis techniques, since different attack methods start from different points of view. Therefore, dedicated and comprehensive evaluation efforts are necessary.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This study was funded by the National Natural Science Foundation of China (nos. 62002370, 61772545, and 61702537), Scientific Research Plan of National University of Defense Technology (no. ZK21-36), and State Key Laboratory of Information Security (2020-MS-02).