Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis

Abstract

Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials, \(\alpha _1|\alpha _2\rightarrow \beta _1|\beta _2\) is also a possible differential, i.e., the OR “|” operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and only if there exists an r-round impossible differential \(\alpha \not \rightarrow \beta \) where the Hamming weights of both \(\alpha \) and \(\beta \) are 1. Thus for an SPN structure operating on m bytes, the computation complexity for deciding whether there exists an impossible differential can be reduced from \(\mathcal O(2^{2m})\) to \(\mathcal O(m^2)\). Thirdly, we associate a primitive index with the linear layers of SPN structures. Based on the matrices theory over integer rings, we prove that the length of impossible differentials of an SPN structure is upper bounded by the primitive index of the linear layers. As a result we show that, unless the details of the S-boxes are considered, there do not exist 5-round impossible differentials for the AES and ARIA. Lastly, based on the links between impossible differential and zero correlation linear hull, we projected these results on impossible differentials to zero correlation linear hulls. It is interesting to note some of our results also apply to the Feistel structures with SP-type round functions.

The work in this paper is supported by the National Natural Science Foundation of China (No: 61303258, 61379139, 61402515, 61572026, 11526215), National Basic Research Program of China (973 Program) (2013CB338002), the Strategic Priority Research Program of the Chinese Academy of Science under Grant No. XDA06010701 and the Research Fund KU Leuven, OT/13/071. Part of the work was done while the first author was visiting Nanyang Technological University in Singapore.

1 Introduction

Block ciphers are the vital elements in constructing many symmetric cryptographic schemes and the core security of these schemes depends on the resistance of the underlying block ciphers to known cryptanalytic techniques. Differential cryptanalysis [4] and linear cryptanalysis [20] are among the most famous cryptanalytic tools. Nowadays, most block ciphers are designed to be resilient to these two attacks. To prove the security of a block cipher against differential/linear attack, a common way is to give an upper bound on the rounds of the differential characteristics/linear trails that can distinguish a round-reduced cipher from a random permutation. Or equivalently, one can show when the number of the rounds of a block cipher is more than a certain r, there do not exist any useful differential characteristics or linear trails. However, the security margin of the ciphers against extended differential and linear cryptanalysis, such as impossible differential [3, 13] and zero correlation linear cryptanalysis [6], may not be yet well studied and formulated. To some extend, the success of such attacks relies mainly on the attackers’ intensive analysis of the structures used in each individual designs.

In differential cryptanalysis, one usually finds differential characteristics with high probability and then uses statistical methods to sieve the right keys. However, the main idea of impossible differential cryptanalysis, which was independently proposed by Knudsen [13] and Biham et al. [3], is to use differentials that hold with probability zero to discard the wrong keys. So far, impossible differential cryptanalysis has received lots of attention and been used to attack a variety of well-known block ciphers [5, 7, 16, 22].

The first step in impossible differential cryptanalysis is to construct some impossible differentials that cover as many rounds as possible. For any function \(F: \mathbb F_{2^b}\rightarrow \mathbb F_{2^b}\), we can always find some \(\alpha \) and \(\beta \) such that \(\alpha \rightarrow \beta \) is an impossible differential of F. However, when b is large and we know little about the algebraic structure of F, it is hard to determine whether \(\alpha \rightarrow \beta \) is a possible differential or an impossible one. A block cipher \(E(\cdot ,k)\) may exhibit a differential \(\alpha \rightarrow \beta \) that is a possible differential for some key k while it is impossible for the rest. In practice, such differentials are difficult to determine in most of the cases. Generally, in a search for impossible differentials it is difficult to guarantee completeness. Therefore, from the practical point of view, we are more interested in the impossible differentials that are independent of the secret keys. Since in most cases the non-linear transformations applied to x can be written as \(S(x\oplus k)\), we always employ impossible differentials that are independent of the S-boxes, which are called truncated impossible differentials, i.e., we only detect whether there are differences on some bytes and we do not care about the values of the differences. Usually, an impossible differential is constructed by the miss-in-the-middle technique, i.e., trace the properties of input and output differences from the encryption and decryption directions, respectively, if there are some contradictions in the middle, an impossible differential is then found. Several automatic approaches have been proposed to derive truncated impossible differentials of a block cipher effectively such as the \(\mathcal {U}\)-method [12], \(\textit{UID}\)-method [18] and the extended tool of the former two methods generalized by Wu and Wang [24] (WW-method). It has been proved in [21] that the WW-method can find all impossible differentials of a structure, or equivalently, it can find all impossible differentials of a block cipher which are independent of the choices of the non-linear components. Similar ideas have found applications in cryptanalysis against hash functions BMW [10] and BLAKE [2].

In linear cryptanalysis, one uses linear characteristics with high correlations. Zero correlation cryptanalysis is a novel technique for cryptanalysis of block ciphers [6]. The distinguishing property used in zero correlation cryptanalysis is the zero correlation linear approximations, i.e., those linear approximations that hold with a probability \(p=1/2\), that is, strictly unbiased approximations having a correlation \(c = 2p-1\) equal to 0. As in impossible differential cryptanalysis, we are more interested in the zero correlation linear hulls that are independent of the choices of the non-linear layers.

In CRYPTO 2015, Sun et al. proposed the concept of structure to characterize what “being independent of the choices of the S-boxes” means, and proposed dual structure to study the link between impossible differentials and zero correlation linear hulls [21]. One of the basic statements in [21] is that constructing impossible differentials of a structure is equivalent to constructing zero correlation linear hulls of the dual structure. Therefore, all the known methods to construct impossible differentials of structures can also be used to construct zero correlation linear hulls.

Despite the known 4-/4-/8-round impossible differentials for the AES, ARIA and Camellia without \(FL/FL^{-1}\) layers [1, 9, 14, 17, 19, 25], effort to find new impossible differentials of these ciphers that cover more rounds has never stopped. On the other hand, we already have some novel techniques such as the wide trail strategy [8] and the decorrelation theory [23] to prove that a cipher is resilient to differential and linear attacks. However, the provable security of block ciphers against impossible differential and zero correlation linear cryptanalysis is still missing. Noting that for a dedicated iterated block cipher, there always exist impossible differentials for any rounds with some keys, we wonder that if we consider the impossible differentials that are independent of the choices of the S-boxes, there may exist an integer R such that there does not exist any impossible differentials that cover more than R rounds, which can give some insights on provable security of block ciphers against impossible differential and zero correlation linear cryptanalysis, i.e., R is the upper bound of such attacks. Furthermore, since the WW-method can only determine whether a given differential/mask is an impossible differential/zero correlation linear hull or not, though it can theoretically find all impossible differentials/zero correlation linear hulls of a structure, it is impractical to exhaust all the differentials/masks to determine whether there exist r-round impossible differentials/zero correlation linear hulls or not. Therefore, finding new techniques to solve these problems in a practical way remains as an open problem.

Our Contributions. Inspired by the provable security of differential and linear cryptanalysis, this paper mainly concentrates on the provable security of block ciphers against impossible differential/zero correlation linear cryptanalysis and we aim at determining an upper bound for the longest rounds of impossible differentials/zero correlation linear hulls of SPN structures and Feistel structures with SPN round functions. The main results of this paper are as follows:

1. (1)

   For SPN structures, we prove that if \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials, then \(\alpha _1|\alpha _2\rightarrow \beta _1|\beta _2\) is also a possible differential, based on which we conclude that there exists an r-round impossible differential if and only if there exists an impossible differential \(\alpha \rightarrow \beta \) where the Hamming weight of both \(\alpha \) and \(\beta \) is 1. Therefore, for an SPN structure with m bytes, the complexity of testing whether there exist r-round impossible differentials is reduced significantly from \(\mathcal O(2^{2m})\) to \(\mathcal O(m^2)\).

2. (2)

   For Feistel structures with SP-type round functions, we prove that if \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are independent possible differentials (we will define it later), then \(\alpha _1|\alpha _2\rightarrow \beta _1|\beta _2\) is also an independent possible differential, then similar result as in (1) applies.

3. (3)

   For any matrix over finite fields, we can always define two polynomials to calculate an upper bound on the highest possible rounds of impossible differentials of SPN structures and independent impossible differentials of Feistel structures with SP-type round functions. Our results show that, unless we take the details of the S-boxes into consideration, there do not exist 5-round impossible differentials of the AES and ARIA, and 9-round independent impossible differentials of Camellia without \(FL/FL^{-1}\) layers.

4. (4)

   Since the zero correlation linear hull of a structure is equivalent to the impossible differential of its dual structure, our results on impossible differentials cryptanalysis also apply to zero correlation linear cryptanalysis.

From the theoretical point of view, our results demonstrate some direct insight to the longest possible rounds of truncated impossible differentials and zero correlation linear hulls. And from the practical point of view, our results could reduce the work effort to find impossible differentials and zero correlation linear hulls of a structure.

Organization. The rest of this paper is organized as follows. Section 2 will introduce some definitions that will be used throughout this paper. In Sect. 3, we give some new features of the structures. We investigate on the SPN structures and Feistel structures with SP-type round functions in Sects. 4 and 5, respectively. Section 6 concludes the paper.

Fig. 1.

Feistel structure with SP-type round functions

2 Preliminaries

2.1 Block Ciphers

SPN Ciphers. The SPN structure is widely used in constructing cryptographic primitives. It iterates some SP-type round functions to achieve confusion and diffusion. Specifically, the SP-type function \(f: \mathbb F_{2^b}^m\rightarrow \mathbb F_{2^b}^m\) used in this paper is defined as follows where \(\mathbb F_{2^b}\) is the finite field with \(2^b\) elements.

Assume the input x is divided into m pieces \(x=(x_0,\ldots ,x_{m-1})\), where \(x_i\) is a b-bit byte. First, apply the non-linear transformation \(s_i\) to \(x_i\),

$$y=S(x)\triangleq (s_0(x_0),\ldots ,s_{m-1}(x_{m-1}))\in \mathbb F_{2^b}^m.$$

Then, apply a linear transformation \(P: \mathbb F_{2^b}^m\rightarrow \mathbb F_{2^b}^m\) to y, and Py is the output of f. Notice that the linear transformation in the last round of an r-round SPN structure is omitted, i.e., an r-round SPN cipher is simply denoted as \((SP)^{r-1}S\).

Feistel Ciphers. An r-round Feistel cipher E is defined as follows: Let \((L_0,R_0)\) \(\in \mathbb F_2^{2m}\) be the input of E. Iterate the following transformation r times:

$$\begin{aligned} {\left\{ \begin{array}{ll}L_{i+1}=F_i(L_i)\oplus R_i\\ R_{i+1}=L_i \end{array}\right. } 0\le i \le r-1, \end{aligned}$$

where \(L_i, R_i \in \mathbb F_2^{m}\), see Fig. 1. The output of E is defined as the output of the r-th iteration. In this paper, we will focus on the case that \(F_i\)’s are defined as SP-type functions.

2.2 Vectors and Matrices

Assume \(\alpha ,\beta \in \mathbb F_{2^b}^m\), where \(\mathbb F_{2^b}^m\) is the vector space over \(\mathbb F_{2^b}\) with dimension m. Then \(\alpha |\beta \) is defined as the bit-wise OR operation of \(\alpha \) and \(\beta \). Let \(\theta :\mathbb F_{2^b}\rightarrow \mathbb F_2\) be defined as

$$\begin{aligned} \theta (x)={\left\{ \begin{array}{ll}0\quad x=0,\\ 1\quad x\ne 0. \end{array}\right. } \end{aligned}$$

Then, for \(X=(x_0,\ldots ,x_{m-1})\in \mathbb F_{2^b}^m\), the truncated characteristic of X is defined as

$$\chi (X)\triangleq (\theta (x_0),\ldots ,\theta (x_{m-1}))\in \mathbb F_2^m.$$

The Hamming weight of X is defined as the number of non-zero elements of the vector, i.e. \(H(X)=\#\{i|x_i\ne 0, i=0,1,\ldots ,m-1\}.\)

For \(P=(p_{ij})\in \mathbb F_{2^b}^{m\times m}\), denote by \(\mathbb Z\) the integer ring, the characteristic matrix of P is defined as \(P^*=(p_{ij}^*)\in \mathbb Z^{m\times m}\), where \(p_{ij}^*=0\) if \(p_{ij}=0\) and \(p_{ij}^*=1\) otherwise. A matrix \(M\in \mathbb Z^{m\times m}\) is non-negative if all elements of M are non-negative, and positive if all elements of M are positive. Therefore, the characteristic matrix is always non-negative.

Definition 1

Let \(P\in \mathbb F_{2^b}^{m\times m}\), \(P^*\) be the characteristic matrix of P, and

$$\begin{aligned}&f_t(x)=x^t,\\&g_t(x)={\left\{ \begin{array}{ll}\mathop {\sum \nolimits _{i=0}^{h}} x^{2i}\qquad t=2h,\\ \mathop {\sum \nolimits _{i=1}^{h}} x^{2i-1}\quad t=2h-1. \end{array}\right. } \end{aligned}$$

Then the minimal integer t such that \(f_t(P^*)\) is a positive matrix is called type 1 primitive index of P, and the minimal integer t such that \(g_t(P^*)\) is positive is called type 2 primitive index of P.

If the input X to the linear layer P is viewed as a column vector, then the output Y can also be viewed as a column vector which is computed as \(Y=PX\). According to the definition of characteristic matrix, \(p_{ij}^*=0\) means the i-th output byte of the first round is independent of the j-th input byte. Generally, let \(f_t(P^*)=(P^*)^t=(q_{ij})\), then \(q_{ij}=0\) means the i-th output byte of the t-round SPN cipher is independent of the j-th input byte. Furthermore, let \((P^*)^{t_1}+(P^*)^{t_2}=(u_{ij})\), then \(u_{ij}=0\) means the i-th output bytes of both the \(t_1\)-round and \(t_2\)-round SPN cipher are independent of j-th input byte. Similarly, let \(g_t(P^*)=(w_{ij})\), then \(w_{ij}=0\) means the i-th output byte of the t-round Feistel cipher is independent of the j-th input byte.

2.3 Impossible Differentials and Zero Correlation Linear Hulls

Given a function \(G: \mathbb F^n_2\rightarrow \mathbb F_2\), the correlation c of G is defined by

$$c(G(x))\triangleq \frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{G(x)}.$$

Given a function \(G: \mathbb F^n_2\rightarrow \mathbb F^k_2\), the correlation c of the linear approximation for a k-bit output mask b and an n-bit input mask a is defined by

$$c(ax\oplus bG(x))=\frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{ax\oplus bG(x)}.$$

If \(c(ax\oplus bG(x))=0\), then \((a\rightarrow b)\) is called a zero correlation linear hull of G. This definition can be extended as follows: let \(A\subseteq \mathbb F_2^n\), \(B\subseteq \mathbb F_2^k\), if for all \(a\in A\) and \(b\in B\), \(c(ax\oplus bG(x))=0\), then \((A\rightarrow B)\) is also called a zero correlation linear hull of G.

Let \(\delta \in \mathbb F_2^n\) and \(\varDelta \in \mathbb F_2^k\). The differential probability of \(\delta \rightarrow \varDelta \) is defined as

$$p(\delta \rightarrow \varDelta )\triangleq \frac{\#\{x\in \mathbb F_2^n|G(x)\oplus G(x\oplus \delta )=\varDelta \}}{2^n}.$$

If \(p(\delta \rightarrow \varDelta )=0\), then \(\delta \rightarrow \varDelta \) is called an impossible differential of G, this definition follows that in [3, 13]. Let \(A\subseteq \mathbb F_2^n\), \(B\subseteq \mathbb F_2^k\). If for all \(a\in A\) and \(b\in B\), \(p(a\rightarrow b)=0\), \(A\rightarrow B\) is called an impossible differential of G.

3 Differential Properties of Structures

In many cases, when constructing impossible differentials and zero correlation linear hulls, we are only interested in detecting whether there is a difference (mask) in an S-box or not, regardless of the actual value of the difference (mask) which leads to the following definition:

Definition 2

[21]. Let \(E: \mathbb F_2^n\rightarrow \mathbb F_2^n\) be a block cipher with bijective S-boxes as the basic non-linear components.

1. (1)

   A structure \(\mathcal E^E\) on \(\mathbb F_2^n\) is defined as a set of block ciphers \(E'\) which is exactly the same as E except that the S-boxes can take all possible bijective transformations on the corresponding domains.

2. (2)

   Let \(\alpha ,\beta \in \mathbb F_2^n\). If for any \(E' \in \mathcal E^E\), \(\alpha \not \rightarrow \beta \) is an impossible differential (zero correlation linear hull) of \(E'\), \(\alpha \not \rightarrow \beta \) is called an impossible differential (zero correlation linear hull) of \(\mathcal E^E\).

Thus the structure deduced by a single S layer can be written as \(\mathcal E^S\); the structure deduced by a single S layer followed by a P layer can be written as \(\mathcal E^{SP}\). If \(\alpha \rightarrow \beta \) is not an impossible differential of \(\mathcal E^E\), i.e., there exist some x and \(E'\in \mathcal E^E\) such that \(E'(x)\oplus E'(x\oplus \alpha )=\beta \), we call it a possible differential of \(\mathcal E^E\).

Definition 3

Let \(\mathcal E\) be a structure and \(\alpha \not \rightarrow \beta \) an impossible differential of \(\mathcal E\). If for all \(\alpha ^*\) and \(\beta ^*\) satisfying \(\chi (\alpha ^*)=\chi (\alpha )\) and \(\chi (\beta ^*)=\chi (\beta )\), \(\alpha ^*\not \rightarrow \beta ^*\) are impossible differentials, we call \(\alpha \not \rightarrow \beta \) an independent impossible differential of \(\mathcal E\). Otherwise, we call it a dependent impossible differential of \(\mathcal E\).

As shown in [25], for any \(\alpha \ne 0\) and \(\beta \ne 0\),

$$(0|0|0|0|0|0|0|0, \alpha |0|0|0|0|0|0|0)\not \rightarrow (\beta |0|0|0|0|0|0|0, 0|0|0|0|0|0|0|0)$$

is an 8-round impossible differential of Camellia without \(FL/FL^{-1}\) layers. According to the definition, such an impossible differential is an independent impossible differential of Camellia without \(FL/FL^{-1}\) layers.

A dependent impossible differential means that there are some constraints on actual differences of both the input and output bytes. For example, for any given \(\alpha \), \((0,\alpha )\not \rightarrow (0,\alpha )\) is a 5-round impossible differential of Feistel structures with bijective round functions. However, we cannot determine that \((0,\alpha )\not \rightarrow (0,\beta )\) is an impossible differential for any \(\alpha \ne \beta \). Thus, \((0,\alpha )\not \rightarrow (0,\alpha )\) is a dependent impossible differential of 5-round Feistel structure with bijective round functions.

Usually, we have many different ways to define a linear transformation, which means we have many different ways to express the matrix of the linear transformation. However, no matter which one we use, the transformation is always linear over \(\mathbb F_2\), thus the bit-wise matrix representation of a linear transformation is call the primitive representation. The definition of dual structure is proposed to study the link between impossible differential and zero correlation linear hulls:

Definition 4

[21]. Let \(\mathcal F_{SP}\) be a Feistel structure with SP-type round function, and let the primitive representation of the linear transformation be P. Let \(\sigma \) be the operation that exchanges the left and right halves of a state. Then the dual structure \(\mathcal F_{SP}^\bot \) of \(\mathcal F_{SP}\) is defined as \(\sigma \circ \mathcal F_{P^TS}\circ \sigma \).

Let \(\mathcal E_{SP}\) be an SPN structure with primitive representation of the linear transformation being P. Then the dual structure \(\mathcal E_{SP}^\bot \) of \(\mathcal E_{SP}\) is defined as \(\mathcal E_{S(P^{-1})^T}\).

Next, we are going to give some statements on the differential properties of structures while they may not hold for dedicated block ciphers.

Let \(\mathcal E^{(r)}\) be an r-round iterated structure. If \(\alpha \rightarrow \beta \) is a possible differential of \(\mathcal E^{(r_1)}\), then for any x, there always exists \(E_{1}\in \mathcal E^{(r_1)}\) such that \(E_1(x)\oplus E_1(x\oplus \alpha )=\beta \). If \(\beta \rightarrow \gamma \) is a possible differential of \(\mathcal E^{(r_2)}\), for \(y=E_2(x)\), there always exists \(E_2\in \mathcal E^{(r_2)}\) such that \(E_2(y)\oplus E_2(y\oplus \beta )=\gamma \). Let \(E=E_2\circ E_1\), we have \(E(x)\oplus E(x\oplus \alpha )=\gamma \) which means \(\alpha \rightarrow \gamma \) is a possible differential \(\mathcal E^{(r_1+r_2)}\). See (1) for the procedures. Accordingly, for a structure \(\mathcal E\), if there do not exist r-round impossible differentials, there do not exist R-round impossible differentials for any \(R\ge r\).

$$\begin{aligned} \begin{array}{ccccccc} &{}x &{} \mathop {\longrightarrow }\limits ^{E_1} &{} y &{} \mathop {\longrightarrow }\limits ^{E_2}&{}z\\ E:\quad &{}| &{} &{} | &{} &{}|\\ &{}x\oplus \alpha &{} \mathop {\longrightarrow }\limits ^{E_1} &{} y\oplus \beta &{} \mathop {\longrightarrow }\limits ^{E_2}&{} z\oplus \gamma \end{array} \end{aligned}$$

(1)

Next we show that \(\alpha \rightarrow \beta \) is a possible differential of a single S layer \(\mathcal E^S\) if and only if \(\chi (\alpha )=\chi (\beta )\). Firstly, we cannot construct a bijective S-box such that a zero difference causes a non-zero difference. Secondly, let \(\alpha =(\alpha _0,\ldots ,\alpha _{m-1}), \beta =(\beta _0,\ldots ,\beta _{m-1})\in \mathbb F_{2^b}^m\). If \(\chi (\alpha )=\chi (\beta )\), for any \(x=(x_0,\ldots ,x_{m-1})\in \mathbb F_{2^b}^m\), we can always construct an \(S=(s_0,\ldots ,s_{m-1})\) where \(s_i: \mathbb F_{2^b}\rightarrow \mathbb F_{2^b}\), such that \(S(x)\oplus S(x\oplus \alpha )=\beta \), i.e., \(s_i(x_i)\oplus s_i(x_i\oplus \alpha _i)=\beta _i\), \(i=0,\ldots ,m-1\).

4 Cryptanalysis of SPN Structures

In this section, we will simply use \(\mathcal E_{SP}^{(r)}\) to denote an r-round SPN structure.

4.1 How to Check Whether a Differential is Impossible or Not

Assume \(\alpha \rightarrow \beta \) is a possible differential of \(\mathcal E_{SP}^{(r)}\). Then, there always exist some \(\alpha '\) and \(\beta '\) such that

$$\alpha \overset{\mathcal E^S}{\longrightarrow }\alpha '\overset{\mathcal E ^{PS\cdots SP}}{\longrightarrow }\beta '\overset{\mathcal E^S}{\longrightarrow }\beta $$

is a possible differential of \(\mathcal E_{SP}^{(r)}\). Thus for any \(\alpha ^*\) and \(\beta ^*\) such that \(\chi (\alpha ^*)=\chi (\alpha )\), \(\chi (\beta ^*)=\chi (\beta )\),

$$\alpha ^*\overset{\mathcal E^S}{\longrightarrow }\alpha '\overset{\mathcal E ^{PS\cdots SP}}{\longrightarrow }\beta '\overset{\mathcal E^S}{\longrightarrow }\beta ^*$$

is still a possible differential. In other words, impossible differentials of SPN structures are independent impossible differentials.

Therefore, for an SPN structure, to check whether there exists an r-round impossible differential or not, one needs to test \((2^m-1)\times (2^m-1)\approx 2^{2m}\) candidates. However, this complexity could be further reduced as illustrated in the following.

Lemma 1

Assume \(m\le 2^{b-1}-1\). If \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials of \(\mathcal E^{SP}\), then there always exist \(\alpha \) and \(\beta \) such that

$$\begin{aligned} {\left\{ \begin{array}{ll}\chi (\alpha )=\chi (\alpha _1)|\chi (\alpha _2),\\ \chi (\beta )=\chi (\beta _1)|\chi (\beta _2), \end{array}\right. } \end{aligned}$$

and \(\alpha \rightarrow \beta \) is a possible differential of \(\mathcal E^{SP}\).

The proof of this lemma is shown in Appendix A. In the following, we always assume \(m\le 2^{b-1}-1\) which fits well with most cases. Furthermore, since the last round only has the S layer, we have:

Corollary 1

If \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials of \(\mathcal E_{SP}^{(r)}\), \(\alpha _1|\alpha _2\rightarrow \beta _1|\beta _2\) is also a possible differential of \(\mathcal E_{SP}^{(r)}\).

Assume \((x_0,0,\ldots ,0)\rightarrow (y_0,0,\ldots ,0)\) and \((0,x_1,0,\ldots ,0)\rightarrow (0,y_1,0,\ldots ,0)\) are possible differentials of \(\mathcal E_{SP}\), where \(x_0, x_1, y_0, y_1\) are non-zero. Then according to Corollary 1, \((x_0,x_1,0,\ldots ,0)\rightarrow (y_0,y_1,0,\ldots ,0)\) is a possible differential. In other words, if \((x_0,x_1,0,\ldots ,0)\rightarrow (y_0,y_1,0,\ldots ,0)\) is an impossible differential of \(\mathcal E_{SP}\), either \((x_0,0,\ldots ,0)\rightarrow (y_0,0,\ldots ,0)\) or \((0,x_1,0,\ldots ,0)\rightarrow (0,y_1,0,\ldots ,0)\) is an impossible differential. Generally, we have the following theorem:

Theorem 1

There exists an impossible differential of \(\mathcal E_{SP}^{(r)}\) if and only if there exists an impossible differential \(\alpha \not \rightarrow \beta \) of \(\mathcal E_{SP}^{(r)}\), where \(H(\alpha ) = H(\beta ) = 1\), with H(x) denoting the Hamming weight of x.

Thus with the help of Theorem 1, for every SPN structure, and any \((\alpha ,\beta )\) where \(H(\alpha )=H(\beta )=1\), we can use the WW-method to check whether \(\alpha \rightarrow \beta \) is a possible differential or not. Therefore, we could reduce the complexities of checking whether there exists an impossible differential of an SPN structure from \(\mathcal O(2^{2m})\) to \(\mathcal O(m^2)\).

Since the zero correlation linear hull of \(\mathcal E_{SP}\) is the impossible differential of \(\mathcal E_{S(P^{-1})^T}\) which is also an SPN structure, we have the following:

Corollary 2

There exists a zero correlation linear hull of \(\mathcal E_{SP}^{(r)}\) if and only if there exists a zero correlation linear hull \(\alpha \not \rightarrow \beta \) of \(\mathcal E_{SP}^{(r)}\) where \(H(\alpha )=H(\beta )=1\).

4.2 An Upper Bound for the Rounds of Impossible Differentials

As discussed above, we can use the WW-method to determine the maximal length of impossible differentials for an SPN structure. In the following, we are going to show an upper bound for the length of impossible differentials for an SPN structure, which only uses the property of the P layer. To characterize the longest impossible differential of an SPN cipher, we first recall that if \(\beta =P\alpha \), then there always exist \(\alpha _0\) and \(\beta _0\) such that \(\chi (\alpha _0)=\chi (\alpha )\), \(\chi (\beta _0)=\chi (\beta )\) and \(\alpha _0\rightarrow \beta _0\) is a possible differential of a single round of SPN structure. Then according to Corollary 1, the following theorem holds.

Theorem 2

Let \(R_1(P)\) and \(R_{-1}(P)\) be the type 1 primitive indexes of P and \(P^{-1}\) respectively. Then there does not exist any impossible differential or zero correlation linear hull of \(\mathcal E_{SP}^{(r)}\) for \(r\ge R_{1}(P)+R_{-1}(P)+1\).

Fig. 2.

Constructing \((R_1(P)+R_{-1}(P)+1)\)-round differential for \(\mathcal E_{SP}\)

Proof

See Fig. 2. Firstly, for any \(\alpha _1\ne 0\), \(H(\alpha _1)=1\), according to Lemma 1, there always exist some \(\beta _1\) where \(H(\beta _1)=m\) such that \(\alpha _1\rightarrow \beta _1\) is a possible differential of \(R_1(P)\)-round \(\mathcal E_{SP}\). Secondly, for any \(\alpha _2\ne 0\), \(H(\alpha _2)=1\), according to Lemma 1, there always exist some \(\beta _2\) where \(H(\beta _2)=m\) such that \(\alpha _2\rightarrow \beta _2\) is a possible differential of \(R_{-1}(P)\)-round decryption of \(\mathcal E_{SP}\).

Since \(\chi (\beta _1)=\chi (\beta _2)\), \(\beta _1\rightarrow \beta _2\) is a possible differential of the single S layer \(\mathcal E^S\), we conclude that \(\alpha _1\rightarrow \alpha _2\) is a possible differential of \((R_1(P)+R_{-1}(P)+1)\)-round \(\mathcal E_{SP}\). By Theorem 1, there does not exist any impossible differential or zero correlation linear hull of \(\mathcal E_{SP}^{(r)}\) for \(r\ge R_1(P)+R_{-1}(P)+1\).\(\square \)

4.3 Applications

The Advanced Encryption Standard (AES) is one of the most popular SPN ciphers up to date. Firstly, if we consider the \(4\times 4\) state as a vector in \(\mathbb F_{2^8}^{16}\), the composition of the ShiftRows and MixColumns can be written as the following \(16\times 16\) matrix over \(\mathbb F_{2^8}\):

$$\begin{aligned}{P = \left( \begin{array}{@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}} 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\\ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 3\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 2\ &{} \ 3\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ \end{array}\right) .} \end{aligned}$$

Therefore, the characteristic matrix of P is

$$\begin{aligned}{P ^*= \left( \begin{array}{@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}} 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 0\ &{} \ 1\ &{} \ 1\ &{} \ 0\ &{} \ 0\ &{} \ 0\\ \end{array}\right) .} \end{aligned}$$

Since

$$\begin{aligned}{ (P ^*)^2= \left( \begin{array}{@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}c@{}} 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\ &{} \ 1\\ \end{array}\right) ,} \end{aligned}$$

we get \(R_1(P)=2\). Similarly, we can get \(R_{-1}(P)=2\). Therefore, we have

Proposition 1

There does not exist any impossible differential or zero correlation linear hull of \(\mathcal E^{\text {AES}}\) which covers \(r\ge 5\) rounds. Or equivalently, there does not exist any 5-round impossible differential or zero correlation linear hull of the AES unless the details of the S-boxes are considered.

ARIA is another famous SPN cipher which uses a linear transformation P such that \(P=P^{-1}\). Since

$$\begin{aligned}(P^*)^2=\left( \begin{array}{cccccccccccccccc} 7\ &{}2\ &{}2\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}4\ &{}2\ &{}4\ &{}4\ &{}2\\ 2\ &{}7\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}2\ &{}4\\ 2\ &{}2\ &{}7\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\\ 2\ &{}2\ &{}2\ &{}7\ &{}4\ &{}2\ &{}4\ &{}2\ &{}4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\ &{}2\\ 2\ &{}4\ &{}2\ &{}4\ &{}7\ &{}2\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\\ 4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}7\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}4\\ 2\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}7\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}2\\ 4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}2\ &{}2\ &{}7\ &{}2\ &{}4\ &{}4\ &{}2\ &{}4\ &{}4\ &{}2\ &{}2\\ 2\ &{}2\ &{}4\ &{}4\ &{}2\ &{}4\ &{}4\ &{}2\ &{}7\ &{}2\ &{}2\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\\ 2\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}7\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}2\\ 4\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}7\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\\ 4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}2\ &{}7\ &{}4\ &{}2\ &{}4\ &{}2\\ 2\ &{}4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}4\ &{}2\ &{}4\ &{}2\ &{}4\ &{}7\ &{}2\ &{}2\ &{}2\\ 4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}7\ &{}2\ &{}2\\ 4\ &{}2\ &{}2\ &{}4\ &{}4\ &{}4\ &{}2\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}7\ &{}2\\ 2\ &{}4\ &{}4\ &{}2\ &{}4\ &{}4\ &{}2\ &{}2\ &{}4\ &{}2\ &{}4\ &{}2\ &{}2\ &{}2\ &{}2\ &{}7 \end{array}\right) \end{aligned}$$

we have \(R_1(P)=R_{-1}(P)=2\). Therefore, we have

Proposition 2

There does not exist any impossible differential or zero correlation linear hull of \(\mathcal E^{\text {ARIA}}\) which covers \(r\ge 5\) rounds. Or equivalently, there does not exist any 5-round impossible differential or zero correlation linear hull of the ARIA unless the details of the S-boxes are considered.

Since we already have 4-round impossible differential and 4-round zero correlation linear hull of \(\mathcal E^{AES}\) and \(\mathcal E^{ARIA}\), unless we investigate on the details of the S-boxes, with respect to the rounds, we cannot find neither better impossible differentials nor zero correlation linear hulls for the AES and ARIA.

5 Cryptanalysis of Feistel Structures with SP-Type Round Functions

In the following, we simply use \(\mathcal F_{SP}^{(r)}\) to denote an r-round Feistel structure with SP-type round functions. Since the techniques to study the Feistel structure with SPN round functions are almost the same, we only give the results as follows.

Lemma 2

Assume \(m\le 2^{b-1}-1\). If \((\alpha _1,\beta _1)\rightarrow (\gamma _1,\alpha _1)\) and \((\alpha _2,\beta _2)\rightarrow (\gamma _2,\alpha _2)\) are possible differentials of \(\mathcal F_{SP}^{(1)}\). Then, there always exist \(\alpha \), \(\beta \) and \(\gamma \), such that \(\chi (\alpha )=\chi (\alpha _1)|\chi (\alpha _2)\), \(\chi (\beta )=\chi (\beta _1)|\chi (\beta _2)\), \(\chi (\gamma )=\chi (\gamma _1)|\chi (\gamma _2)\), and \((\alpha ,\beta )\rightarrow (\gamma ,\alpha )\) is a possible differential of \(\mathcal F_{SP}^{(1)}\).

We have shown that all impossible differentials of an SPN structure are independent impossible differentials. However, this does not hold for the Feistel structure. In the following, we only consider the independent impossible differentials of a Feistel structure which fits well with most of the practical cases.

Lemma 3

If \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are independent possible differentials of \(\mathcal F_{SP}^{(r)}\), \((\alpha _1|\alpha _2)\rightarrow (\beta _1|\beta _2)\) is also an independent possible differential.

Theorem 3

There exists an independent impossible differential of \(\mathcal F_{SP}^{(r)}\) if and only if there exists an impossible differential \(\alpha \not \rightarrow \beta \) of \(\mathcal F_{SP}^{(r)}\) where \(H(\alpha )=H(\beta )=1\).

Therefore, checking whether there exists an r-round independent impossible differential of a Feistel structure with SP-type round functions can also be reduced to checking whether there exists an r-round independent impossible differential with the Hamming weights of both the input and output difference being 1. Since the dual structure of \(\mathcal F_{SP}\) is \(\sigma \circ \mathcal F_{P^TS}\circ \sigma \), the results on impossible differentials cannot be applied to zero correlation linear hulls directly. However, in case P is invertible, we always have

$$\begin{aligned} \mathcal F_{P^TS}=\left( (P^{T})^{-1},(P^{T})^{-1}\right) \circ \mathcal F_{SP^{T}}\circ \left( P^T,P^T\right) \triangleq P_{\text {in}}\circ \mathcal F_{SP^{T}}\circ P_{\text {out}}, \end{aligned}$$

which indicates that despite some linear transformations applied to the input and output masks, respectively, both \(\mathcal F_{SP}\) and \(\mathcal F_{SP}^\bot \) are Feistel structures with SPN round functions. We use the following definition of independent zero correlation linear hulls for \(\mathcal F_{SP}\).

Definition 5

Let \(\alpha \not \rightarrow \beta \) be a zero correlation linear hull of \(\mathcal F_{SP}\). If for all \(\alpha ^*\) and \(\beta ^*\) satisfying \(\chi (P_\mathrm{in}\alpha ^*)=\chi (P_\mathrm{in}\alpha )\) and \(\chi (P_\mathrm{out}\beta ^*)=\chi (P_\mathrm{out}\beta )\), \(\alpha ^*\not \rightarrow \beta ^*\) are zero correlation linear hulls, we call \(\alpha \not \rightarrow \beta \) an independent zero correlation linear hull of \(\mathcal F_{SP}\). Otherwise, we call it a dependent zero correlation linear hull of \(\mathcal F_{SP}\).

Then based on the links between impossible differentials and zero correlation linear hulls, we have:

Corollary 3

There exists an independent zero correlation linear hull of \(\mathcal F_{SP}^{(r)}\) if and only if there exists an independent zero correlation linear hull \(\alpha \not \rightarrow \beta \) of \(\mathcal F_{SP}^{(r)}\) where \(H(P_\mathrm{in}\alpha )=H(P_\mathrm{out}\beta )=1.\)

Theorem 4

Let \(R_2(P)\) be the type 2 primitive indexes of P. Then, there does not exist any independent impossible differential or zero correlation linear hull of \(\mathcal F_{SP}^{(r)}\) for \(r\ge 2R_2(P)+5\).

The proof is similar with the SPN structures. The key point is that, as in the proof of Lemma 1, we can always choose \(\beta _1, \beta _2, \gamma _1, \gamma _2\) and \(\varphi \), where \(H(\beta _1)=H(\beta _2)=H(\varphi )=m\) such that the differential shown in Fig. 3 is a possible one.

Fig. 3.

Constructing \((2R_2(P)+5)\)-round differential for \(\mathcal F_{SP}\)

To avoid some potential attack, an \(FL/FL^{-1}\) layer is inserted to the Feistel structure every 6 rounds in Camellia. Denote by \(\mathcal E^{Camellia*}\) the structure deduced by Camellia without the \(FL/FL^{-1}\) layer. Since

$$\begin{aligned}(P^*)^2+I=\left( \begin{array}{cccccccc} 4 &{} 3 &{} 5 &{} 4 &{} 5 &{} 5 &{} 4 &{} 4\\ 4 &{} 4 &{} 3 &{} 5 &{} 4 &{} 5 &{} 5 &{} 4\\ 5 &{} 4 &{} 4 &{} 3 &{} 4 &{} 4 &{} 5 &{} 5\\ 3 &{} 5 &{} 4 &{} 4 &{} 5 &{} 4 &{} 4 &{} 5\\ 3 &{} 2 &{} 3 &{} 4 &{} 5 &{} 3 &{} 4 &{} 4\\ 4 &{} 3 &{} 2 &{} 3 &{} 4 &{} 5 &{} 3 &{} 4\\ 3 &{} 4 &{} 3 &{} 2 &{} 4 &{} 4 &{} 5 &{} 3\\ 2 &{} 3 &{} 4 &{} 3 &{} 3 &{} 4 &{} 4 &{} 5 \end{array}\right) , \end{aligned}$$

where I is the identity matrix, we have \(R_2(P)=2\). Therefore, we obtain the following proposition:

Proposition 3

There does not exist any independent impossible differential of \(\mathcal E^{\text {Camellia*}}\) which covers \(r\ge 9\) rounds. Or equivalently, there does not exist any 9-round independent impossible differential of Camellia without \(FL/FL^{-1}\) unless the details of the S-boxes are considered.

In other words, unless we investigate the details of the S-boxes, the known independent impossible differentials of Camellia without \(FL/FL^{-1}\) cannot be improved with respect to the rounds.

Zodiac is another Feistel cipher with SP-type round function. Please refer to [11, 15] for more details of Zodiac. Since we have \(R_2(P)=6\), if we do not exploit the details of the S-boxes, there does not exist any \(2\times 6+5=17\) independent impossible differential of Zodiac, while the longest impossible differential of Zodiac is 16 rounds [22].

Although there may exist some dependent impossible differentials of Feistel structures with SP-type round functions, we believe that the bound given above is also applicable to all impossible differentials.

6 Conclusion

In this paper, we mainly investigated the security of structures against impossible differential and zero correlation linear cryptanalysis. Our approach is to determine an upper bound for the longest impossible differentials for a structure. We first reduced the problem whether there exists an r-round impossible differential to the problem whether there exists an r-round impossible differential where the Hamming weights of the input and output differentials are 1. Therefore, we reduced the time complexity of checking whether there exists an impossible differential of an SPN structure or an independent impossible differential of a Feistel structure with SP-type round functions from \(\mathcal O(2^{2m})\) to \(\mathcal O(m^2)\). Then, by using the structures and dual structures, as well as the matrices theory, we have given an upper bound for the rounds of impossible differentials and zero correlation linear hulls for both SPN structures and Feistel structures with SP-type round functions.

Table 1. Known results for some block ciphers

As in the provable security of differential and linear cryptanalysis, we gave an upper bound on the longest rounds of the impossible differentials that are independent of the choice of the non-linear components. Although we are only interested in the truncated impossible differentials, we believe that this kind of impossible differentials cover most of the known cases. Therefore, they not only have theoretical significance, but also have practical significance. As a result, see Table 1, we show that unless the details of the non-linear layer are considered, there does not exist any 5-round impossible differentials of the AES or ARIA, and there does not exist any 9-round independent impossible differentials of the Camellia without \(FL/FL^{-1}\) layer.

A Proof of Lemma 1

Firstly, \(\alpha _1\rightarrow \beta _1\) and \(\alpha _2\rightarrow \beta _2\) are possible differentials of \(\mathcal E^{SP}\) implies that there exist some \(\alpha _1^*, \alpha _2^*\), \(\chi (\alpha _1^*)=\chi (\alpha _1)\), \(\chi (\alpha _2^*)=\chi (\alpha _2)\), such that the following differentials hold:

$$\begin{aligned} {\left\{ \begin{array}{ll} \alpha _1\overset{\mathcal S}{\rightarrow }\alpha _1^*\overset{P}{\rightarrow }\beta _1,\\ \alpha _2\overset{\mathcal S}{\rightarrow }\alpha _2^*\overset{P}{\rightarrow }\beta _2. \end{array}\right. } \end{aligned}$$

For any \(\lambda \in \mathbb F_{2^b}^*\), since \(\chi (\lambda \alpha _2^*)=\chi (\alpha _2)\), \(\alpha _2\overset{\mathcal S}{\rightarrow }\lambda \alpha _2^*\overset{P}{\rightarrow }\lambda \beta _2\) is also a possible differential of \(\mathcal E^{SP}\).

Without loss of generality, let

$$\begin{aligned} {\left\{ \begin{array}{ll} \alpha _1^*=(x^{(1)}_{w_1},x^{(1)}_{r_1},0_{m-r_1-w_1})\\ \alpha _2^*=(x^{(2)}_{w_1},0_{r_1},x^{(2)}_{m-r_1-w_1})\\ \beta _1=(y^{(1)}_{w_2},y^{(1)}_{r_2},0_{m-r_2-w_2})\\ \beta _2=(y^{(2)}_{w_2},0_{r_2},y^{(2)}_{m-r_2-w_2}) \end{array}\right. } \end{aligned}$$

where \(0_t=\underset{t}{\underbrace{0\cdots 0}}\), \(x^{(i)}_{r},y^{(i)}_{r}\in (\mathbb F_{2^b}^*)^{r}\). Let

$$\begin{aligned} {\left\{ \begin{array}{ll} x^{(1)}_{w_1}=(a_0^{(1)},\ldots ,a_{w_1-1}^{(1)})\\ x^{(2)}_{w_1}=(a_0^{(2)},\ldots ,a_{w_1-1}^{(2)})\\ y^{(1)}_{w_2}=(b_0^{(1)},\ldots ,b_{w_2-1}^{(1)})\\ y^{(2)}_{w_2}=(b_0^{(2)},\ldots ,b_{w_2-1}^{(2)}) \end{array}\right. } \end{aligned}$$

and let

$$\begin{aligned} \varLambda =\left\{ \frac{a_0^{(1)}}{a_0^{(2)}},\ldots ,\frac{a_{w_1-1}^{(1)}}{a_{w_1-1}^{(2)}},\frac{b_0^{(1)}}{b_0^{(2)}},\ldots ,\frac{b_{w_2-1}^{(1)}}{b_{w_2-1}^{(2)}}\right\} . \end{aligned}$$

Since \(\#\varLambda \le w_1+w_2\le m+m=2m\le 2\times (2^{b-1}-1)=2^b-2\), \(\mathbb F_{2^b}^*\setminus \varLambda \) is a non-empty set. Therefore, for \(\lambda \in \mathbb F_{2^b}^*\setminus \varLambda \), we always have

$$\begin{aligned} {\left\{ \begin{array}{ll} \chi (\alpha _1^*\oplus \lambda \alpha _2^*)=\chi (\alpha _1^*|\alpha _2^*)\\ \chi (\beta _1\oplus \lambda \beta _2)=\chi (\beta _1|\beta _2), \end{array}\right. } \end{aligned}$$

which implies that

$$\begin{aligned} \alpha _1|\alpha _2\overset{\mathcal S}{\rightarrow }\alpha _1^*\oplus \lambda \alpha _2^*\overset{P}{\rightarrow }\beta _1\oplus \lambda \beta _2 \end{aligned}$$

is a possible differential of \(\mathcal E^{SP}\).