Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis

Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if α1 → β1 and α2 → β2 are possible differentials, α1|α2 → β1|β2 is also a possible differential, i.e., the OR “|” operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and only if there exists an r-round impossible differential α 6→ β where the Hamming weights of both α and β are 1. Thus for an SPN structure operating on m bytes, the computation complexity for deciding whether there exists an impossible differential can be reduced from O(2) to O(m). Thirdly, we associate a primitive index with the linear layers of SPN structures. Based on the matrices theory over integer rings, we prove that the length of impossible differentials of an SPN structure is upper bounded by the primitive index of the linear layers. As a result we show that, unless the details of the S-boxes are considered, there do ⋆ The work in this paper is supported by the National Natural Science Foundation of China(No: 61303258, 61379139, 61402515, 61572026, 11526215), National Basic Research Program of China (973 Program) (2013CB338002), the Strategic Priority Research Program of the Chinese Academy of Science under Grant No. XDA06010701 and the Research Fund KU Leuven, OT/13/071. Part of the work was done while the first author was visiting Nanyang Technological University in Singapore.