On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers

Celine Blondeau; Andrey Bogdanov; Meiqin Wang

doi:10.1007/978-3-319-07536-5-17

On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers

Celine Blondeau, Andrey Bogdanov, Meiqin Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

17 Citations (Scopus)

Abstract

For many word-oriented block ciphers, impossible differential (ID) and zero-correlation linear (ZC) cryptanalyses are among the most powerful attacks. Whereas ID cryptanalysis makes use of differentials which never occur, the ZC cryptanalysis relies on linear approximations with correlations equal to zero. While the key recovery parts of ID and ZC attacks may differ and are often specific to the target cipher, the underlying distinguishing properties frequently cover the same number of rounds. However, in some cases, the discrepancy between the best known IDs and ZC approximations is rather significant. At EUROCRYPT'13, a link between these two distinguishers has been presented. However, though being independent of the underling structure of the cipher, it is usually not useful for most known ID or ZC distinguishers. So despite the relevance of those attacks, the question of their equivalence or inequivalence has not been formally addressed so far in a constructive practical way. In this paper, we aim to bridge this gap in the understanding of the links between the ID and ZC properties. We tackle this problem at the example of two wide classes of ciphers, namely, Feistel- and Skipjack-type ciphers. As our major contribution, for those ciphers, we derive conditions for impossible differentials and zero-correlation approximations to cover the same number of rounds. Using the conditions, we prove an equivalence between ID and ZC distinguishers for type-I and type-II Feistel-type ciphers, for Rule-A and Rule-B Skipjack-type ciphers, as well as for TWINE and LBlock. Moreover, we show this equivalence for the Extended Generalised Feistel construction presented at SAC'13. We also use our theoretical results to argue for an inequivalence between ID and ZC distinguishers for a range of Skipjack-type ciphers.

Original language	English
Title of host publication	International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland
Editors	Ioana Boureanu, Philippe Owezarski, Serge Vaudenay
Pages	271-288
Number of pages	18
Volume	8479 LNCS
DOIs	https://doi.org/10.1007/978-3-319-07536-5-17
Publication status	Published - 2014
MoE publication type	A4 Article in a conference publication
Event	International Conference on Applied Cryptography and Network Security - Lausanne, Switzerland Duration: 10 Jun 2014 → 13 Jun 2014 Conference number: 12

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8479 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	International Conference on Applied Cryptography and Network Security
Abbreviated title	ACNS
Country	Switzerland
City	Lausanne
Period	10/06/2014 → 13/06/2014

Keywords

Feistel-type ciphers
impossible differential
Skipjack-type ciphers
zero-correlation

Access to Document

10.1007/978-3-319-07536-5-17

Link to publication in Scopus

Fingerprint Dive into the research topics of 'On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers'. Together they form a unique fingerprint.

Cite this

Blondeau, C., Bogdanov, A., & Wang, M. (2014). On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. In I. Boureanu, P. Owezarski, & S. Vaudenay (Eds.), International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland (Vol. 8479 LNCS, pp. 271-288). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8479 LNCS). https://doi.org/10.1007/978-3-319-07536-5-17

Blondeau, Celine ; Bogdanov, Andrey ; Wang, Meiqin. / On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland. editor / Ioana Boureanu ; Philippe Owezarski ; Serge Vaudenay. Vol. 8479 LNCS 2014. pp. 271-288 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{9eaa24055ff54ba99a8144cf3d9a9c99,

title = "On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers",

abstract = "For many word-oriented block ciphers, impossible differential (ID) and zero-correlation linear (ZC) cryptanalyses are among the most powerful attacks. Whereas ID cryptanalysis makes use of differentials which never occur, the ZC cryptanalysis relies on linear approximations with correlations equal to zero. While the key recovery parts of ID and ZC attacks may differ and are often specific to the target cipher, the underlying distinguishing properties frequently cover the same number of rounds. However, in some cases, the discrepancy between the best known IDs and ZC approximations is rather significant. At EUROCRYPT'13, a link between these two distinguishers has been presented. However, though being independent of the underling structure of the cipher, it is usually not useful for most known ID or ZC distinguishers. So despite the relevance of those attacks, the question of their equivalence or inequivalence has not been formally addressed so far in a constructive practical way. In this paper, we aim to bridge this gap in the understanding of the links between the ID and ZC properties. We tackle this problem at the example of two wide classes of ciphers, namely, Feistel- and Skipjack-type ciphers. As our major contribution, for those ciphers, we derive conditions for impossible differentials and zero-correlation approximations to cover the same number of rounds. Using the conditions, we prove an equivalence between ID and ZC distinguishers for type-I and type-II Feistel-type ciphers, for Rule-A and Rule-B Skipjack-type ciphers, as well as for TWINE and LBlock. Moreover, we show this equivalence for the Extended Generalised Feistel construction presented at SAC'13. We also use our theoretical results to argue for an inequivalence between ID and ZC distinguishers for a range of Skipjack-type ciphers.",

keywords = "Feistel-type ciphers, impossible differential, Skipjack-type ciphers, zero-correlation",

author = "Celine Blondeau and Andrey Bogdanov and Meiqin Wang",

note = "VK: crypto; International Conference on Applied Cryptography and Network Security , ACNS ; Conference date: 10-06-2014 Through 13-06-2014",

year = "2014",

doi = "10.1007/978-3-319-07536-5-17",

language = "English",

isbn = "978-3-319-07535-8",

volume = "8479 LNCS",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "271--288",

editor = "Ioana Boureanu and Philippe Owezarski and Serge Vaudenay",

booktitle = "International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland",

}

Blondeau, C, Bogdanov, A & Wang, M 2014, On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. in I Boureanu, P Owezarski & S Vaudenay (eds), International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland. vol. 8479 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8479 LNCS, pp. 271-288, International Conference on Applied Cryptography and Network Security , Lausanne, Switzerland, 10/06/2014. https://doi.org/10.1007/978-3-319-07536-5-17

On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. / Blondeau, Celine; Bogdanov, Andrey; Wang, Meiqin.

International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland. ed. / Ioana Boureanu; Philippe Owezarski; Serge Vaudenay. Vol. 8479 LNCS 2014. p. 271-288 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8479 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers

AU - Blondeau, Celine

AU - Bogdanov, Andrey

AU - Wang, Meiqin

N1 - Conference code: 12

PY - 2014

Y1 - 2014

N2 - For many word-oriented block ciphers, impossible differential (ID) and zero-correlation linear (ZC) cryptanalyses are among the most powerful attacks. Whereas ID cryptanalysis makes use of differentials which never occur, the ZC cryptanalysis relies on linear approximations with correlations equal to zero. While the key recovery parts of ID and ZC attacks may differ and are often specific to the target cipher, the underlying distinguishing properties frequently cover the same number of rounds. However, in some cases, the discrepancy between the best known IDs and ZC approximations is rather significant. At EUROCRYPT'13, a link between these two distinguishers has been presented. However, though being independent of the underling structure of the cipher, it is usually not useful for most known ID or ZC distinguishers. So despite the relevance of those attacks, the question of their equivalence or inequivalence has not been formally addressed so far in a constructive practical way. In this paper, we aim to bridge this gap in the understanding of the links between the ID and ZC properties. We tackle this problem at the example of two wide classes of ciphers, namely, Feistel- and Skipjack-type ciphers. As our major contribution, for those ciphers, we derive conditions for impossible differentials and zero-correlation approximations to cover the same number of rounds. Using the conditions, we prove an equivalence between ID and ZC distinguishers for type-I and type-II Feistel-type ciphers, for Rule-A and Rule-B Skipjack-type ciphers, as well as for TWINE and LBlock. Moreover, we show this equivalence for the Extended Generalised Feistel construction presented at SAC'13. We also use our theoretical results to argue for an inequivalence between ID and ZC distinguishers for a range of Skipjack-type ciphers.

AB - For many word-oriented block ciphers, impossible differential (ID) and zero-correlation linear (ZC) cryptanalyses are among the most powerful attacks. Whereas ID cryptanalysis makes use of differentials which never occur, the ZC cryptanalysis relies on linear approximations with correlations equal to zero. While the key recovery parts of ID and ZC attacks may differ and are often specific to the target cipher, the underlying distinguishing properties frequently cover the same number of rounds. However, in some cases, the discrepancy between the best known IDs and ZC approximations is rather significant. At EUROCRYPT'13, a link between these two distinguishers has been presented. However, though being independent of the underling structure of the cipher, it is usually not useful for most known ID or ZC distinguishers. So despite the relevance of those attacks, the question of their equivalence or inequivalence has not been formally addressed so far in a constructive practical way. In this paper, we aim to bridge this gap in the understanding of the links between the ID and ZC properties. We tackle this problem at the example of two wide classes of ciphers, namely, Feistel- and Skipjack-type ciphers. As our major contribution, for those ciphers, we derive conditions for impossible differentials and zero-correlation approximations to cover the same number of rounds. Using the conditions, we prove an equivalence between ID and ZC distinguishers for type-I and type-II Feistel-type ciphers, for Rule-A and Rule-B Skipjack-type ciphers, as well as for TWINE and LBlock. Moreover, we show this equivalence for the Extended Generalised Feistel construction presented at SAC'13. We also use our theoretical results to argue for an inequivalence between ID and ZC distinguishers for a range of Skipjack-type ciphers.

KW - Feistel-type ciphers

KW - impossible differential

KW - Skipjack-type ciphers

KW - zero-correlation

UR - http://www.scopus.com/inward/record.url?scp=84903648186&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-07536-5-17

DO - 10.1007/978-3-319-07536-5-17

M3 - Conference contribution

SN - 978-3-319-07535-8

VL - 8479 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 271

EP - 288

BT - International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland

A2 - Boureanu, Ioana

A2 - Owezarski, Philippe

A2 - Vaudenay, Serge

T2 - International Conference on Applied Cryptography and Network Security

Y2 - 10 June 2014 through 13 June 2014

ER -

Blondeau C, Bogdanov A, Wang M. On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers. In Boureanu I, Owezarski P, Vaudenay S, editors, International Conference on Applied Cryptography and Network Security, ACNS '14, June 10-13, 2014, Switzerland. Vol. 8479 LNCS. 2014. p. 271-288. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-07536-5-17