Improved Impossible Differentials and Zero-Correlation Linear Hulls of New Structure III

Impossible differential cryptanalysis and zero-correlation linear cryptanalysis are two of the most effective tools for evaluating the security of block ciphers. In those attacks, the core step is to construct a distinguisher that is as long as possible. In this paper, we focus on the security of New Structure III, a block cipher structure with excellent resistance against differential and linear attacks. While the best previous result could only exploit one round of the linear layer P to construct impossible differential and zero-correlation linear distinguishers, we try to exploit more rounds to find longer distinguishers. Combining the Miss-in-the-Middle strategy and the characteristic matrix method proposed at EUROCRYPT 2016, we construct 23-round impossible differentials and zero-correlation linear hulls when the linear layer P satisfies some restricted conditions. To our knowledge, both of them are 1 round longer than the best previous works concerning the two cryptanalytic methods. Furthermore, to show the effectiveness of our distinguishers, the linear layer of the round function is specified to the permutation matrix of the block cipher SKINNY, which was proposed at CRYPTO 2016. Our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks, though it possesses good differential and linear properties.


Introduction
Block cipher structures are regarded as the backbones of block ciphers. When designing a new block cipher, the first step is to choose a proper structure. From the implementation aspect, the structure significantly influences the implementation cost and latency of the block cipher. From the security aspect, the structure affects the diffusion and interaction among different components and accordingly gives guidance on parameters of the block cipher such as the number of iterated rounds. Therefore, cryptanalysis of block cipher structures also deserves much attention [1][2][3][4].
So far, one of the most popular block cipher structures is the Feistel structure. It divides the input into two halves and updates one half at a time. Since decryption of Feistel structures does not involve the inverse of the round functions, encryption and decryption share a similar structure and components, making the design more flexible, versatile, and economical. Its randomness [5] and resistance against Meet-in-the-Middle [6], yoyo [7], and quantum [8] attacks have been widely considered. In [9], the generalized Feistel structure (GFS) was proposed. While GFS preserves the advantages of Feistel structures, its branch size and round functions are lighter and more portable. GFS is further extended and classified into Type-II GFS, unbalanced GFS, and so on. As shown in Figure 1, Type-II GFS updates one half of the branches followed by a branch-wise circular shift, while unbalanced GFS uses contracting or expanding round functions. Examples of those GFSs are CLEFIA [10], HIGHT [11], SMS4 [2], MARS [3], GMiMC [12], etc. Those schemes possess relatively high diffusion while keeping a portable round function design. The security of GFS has undergone careful evaluation. After its publication, the diffusion and the security of Type-II GFS against differential and linear attacks were evaluated by counting the number of active S-boxes. At SAC 2010, the lower bound on active S-boxes with SP type round functions was evaluated [13]. Then, similar studies with respect to SPS and SPSP type round functions were performed [14,15]. Impossible differential cryptanalysis and zero-correlation linear and integral cryptanalysis have also been taken into consideration. Based on the Miss-in-the-Middle strategy, Kim et al. [16] analyzed the impossible differential property using a matrix-based method. Yang et al. [17] and Zhang and Wu [18] proposed search methods for zero-correlation linear and integral distinguishers, respectively.
At FSE 2015, Blondeau and Minier [19] noticed the links among the three analytical methods for Type-II GFS and performed systematic key recovery attacks. In addition, the security against Meet-in-the-Middle attack [20], known key attack [21], and quantum attack [22] has also been evaluated.
With the improvement of generic analytical techniques, some new variants of GFS have been proposed. At ACISP 2009, Choy et al. combined generalized unbalanced Feistel networks with the MISTY structure and named the result GF-NLFSR [23]. GF-NLFSR possesses better security in the sense of differential and linear probability bounds. In 2011, Wu and Wang [24] put forward a unified method to assess the lower bounds on the minimal number of differential active S-boxes for block cipher structures. With this method, they presented 4 new structures, namely, New Structure I/II/III/IV. Among them, New Structure III features better properties against differential and linear attacks than other well-known structures like Type-I/II GFS, Skipjack structures, GF-NLFSR, and so on.
Apart from the resistance against differential and linear cryptanalysis, the security evaluation of the New Structure family mainly concentrates on impossible differential and zero-correlation linear attacks. In [25], Cui
Inspired by the characteristic matrix method used at EUROCRYPT 2016 [27], we also study the security of New Structure III with SP type round functions against impossible differential and zero-correlation linear attacks in this paper. The distinguishers are constructed in two steps. We first derive the differential and linear propagation patterns.
Then, contradictions are detected by adding some constraints to the linear layer of the round function. Taking advantage of the characteristic matrix method, information from several rounds of the linear layer P can be exploited instead of only one round. Therefore, longer impossible differentials and zero-correlation linear hulls can be constructed. In this paper, we improve the best previous results on New Structure III by 1 round. Those results are summarized in Table 1. The rest of this paper is organized as follows. In Section 2, some notations and concepts are introduced. Impossible differentials and zero-correlation linear hulls of New Structure III are constructed in Sections 3 and 4, respectively. Section 5 concludes this paper.

Preliminary
In this section, we introduce impossible differentials and zero-correlation linear hulls. Then, a detailed description of New Structure III is given. Before that, we first introduce some notations that will be used throughout this paper.

Notations.
The state of the round function is regarded as a d-dimensional column vector v, and its i-th element is denoted by $v_i$. The transpose of v is denoted by $v^T$. Moreover, $e_i$ denotes the d-dimensional unit vector whose i-th element is nonzero and whose other elements are zero. Similarly, for a $d \times d$ matrix M, the element in row i and column j is denoted by $M_{i,j}$. $M^{-1}$ and $M^T$ are the inverse and the transpose of M, respectively.
In [27], a characteristic matrix method is proposed to evaluate the impossible differentials and zero-correlation linear hulls of SPN ciphers. The definition of a characteristic matrix is given below.
Definition 1 (characteristic matrix) (see [27]). Let P be a linear mapping that can be expressed as a $d \times d$ matrix; the characteristic matrix of $P = (p_{i,j})_{d \times d}$ is defined as
The characteristic matrix is used to express the dependency between the input and the output. For a characteristic matrix M, $M_{i,j} = 0$ means that the i-th element of the output is independent of the j-th element of the input; otherwise, $M_{i,j} = 1$. Based on this characteristic matrix method, the round function of an SPN cipher can be expressed as a matrix multiplication. Denote by $M^t$ the t-th power of M, where the matrix product is defined as (2), with "|" denoting the bitwise OR operation. Given that the nonlinear bijective function S [28] does not change the differential/mask pattern, if there is a zero element in row i and column j of $M^t$, the i-th element of the output is independent of the j-th element of the input for the t-round SPN cipher. In addition, if M acts on a column vector v, the product is also defined as

Impossible Differentials.
The impossible differential attack is a variant of the differential attack; it was proposed by Knudsen [29] and Biham et al. [30] independently. Unlike the differential attack, which uses differentials with high probability, the impossible differential attack exploits differentials that occur with probability 0. For an n-bit block cipher $E_k$ with input difference α and output difference β, the differential probability is defined as the fraction of right inputs:
If the above probability equals zero, the differential from α to β is said to be impossible. At FSE 1999, Biham et al. [31] systematically introduced the Miss-in-the-Middle approach, which is still the most commonly used strategy for searching for impossible differentials. It propagates the input difference forward through some rounds from the encryption direction with probability 1 and, similarly, the output difference backward through some rounds from the decryption direction. Then, the intermediate state is tested for a contradiction. If one is detected, an impossible differential is found.

Zero-Correlation Linear Hulls.
The zero-correlation linear attack is a novel extension of linear cryptanalysis. It was first formalized by Bogdanov et al. in 2011 [32]. The zero-correlation linear attack utilizes linear hulls whose correlation is zero. For a block cipher $E_k$, its linear approximation p(α, β) is defined as the fraction of inputs X that satisfy $\alpha \cdot X = \beta \cdot E_k(X)$, i.e.,
where "·" denotes the inner product and α, β are the input mask and output mask, respectively. Then, the correlation of the linear hull (α, β) is defined as
Linear cryptanalysis employs linear hulls with high correlation, while zero-correlation linear cryptanalysis uses those with correlation c(α, β) = 0.
Similar to the impossible differentials, the Miss-in-the-Middle approach can also be applied to the construction of zero-correlation linear hulls. The procedure is similar. The input mask propagates some rounds forward and the output mask propagates some rounds backward with probability 1. Then, the correlation of this linear hull is zero once a contradiction is found at the intermediate states.

New Structure III.
The New Structure families are specified with 4 branches, and only one round function is employed in a single round. Diffusion and confusion are achieved by different combinations of XOR, branch-wise circular shift, and the nonlinear part. The schematic diagram is shown in Figure 2.
For New Structure III, its leftmost branch is first nonlinearly transformed by the round function F. Then, the transformed state is XORed to its right branch. Finally, the branches are circularly shifted left by 1. Assume that the input and output are $(x_0, x_1, x_2, x_3)$ and $(y_0, y_1, y_2, y_3)$, respectively; then, the one-round transformation of New Structure III is
For GFS and its extensions, the round functions are flexible, versatile, and not necessarily bijective. However, round functions adopting the Substitution-Permutation (SP) structure are preferable. Since the SP structure features better diffusion and well-understood security, many block ciphers employing GFS use SP type round functions, such as SMS4 [2] and CLEFIA [10]. The SP type round function consists of a nonlinear layer S and a linear layer P, where S is made up of d parallel s-bit S-boxes and P can be expressed as a $d \times d$ matrix operating on sd bits with word length s. It should be pointed out that both the nonlinear layer S and the linear layer P in this paper are bijective. To describe the differential/mask propagation through the linear layer, the following proposition is used.
Proposition 1 (see [33]). Let P be a linear bijective layer; then, (i) for any input-output difference $\Delta_{in} \to \Delta_{out}$, if the differential probability is nonzero, we always have $\Delta_{out} = P \Delta_{in}$; (ii) for any input-output mask $\Lambda_{in} \to \Lambda_{out}$, if the correlation is nonzero, we always have $\Lambda_{out} = (P^{-1})^T \Lambda_{in}$.

Impossible Differentials of New Structure III
In this section, we first give the one-round differential propagation and then construct 23-round impossible differential distinguishers of New Structure III by the Miss-in-the-Middle method, provided that the linear layer P satisfies some extra conditions. To describe the differential properties better, we first give some notations. $\Delta F(a)$ represents all possible output differences of the nonlinear function F when the input difference is a. Similarly, $\Delta F^{r}(a)$ represents all possible output differences of r consecutive rounds of F when the input difference is a, and $\Delta F^{-r}(a)$ represents all possible output differences of r consecutive rounds of $F^{-1}$ (the inverse of F) when the input difference is a.
To construct impossible differentials, the one-round differential propagation should be presented first. The property is given below.
Proposition 2 (see [25,26]). For one-round encryption of New Structure III, let $(a_0, a_1, a_2, a_3)$ and $(b_0, b_1, b_2, b_3)$ be the input and output difference, respectively; then we have
One-round differential propagation is given in Figure 3, and we will study how to construct longer impossible differentials. The following theorem shows the impossible differential distinguisher.

Theorem 1.
For New Structure III with SP type round functions, if there exist i, j such that $((P^*)^4)_{i,j} = 0$ and $(P^{-1})_{i,i} = 0$, the following 23-round differential is impossible:
where $\alpha = e_j$, $\beta = P e_i$, and $P^*$ denotes the characteristic matrix of the linear layer P.
Proof. The 23-round differential propagation of New Structure III is depicted in Figure 4. It consists of 13-round encryption and 10-round decryption, whose last rounds are marked in red and blue, respectively. The details of the differential propagation are given in Table 2, where ? denotes an unknown difference.

For the left part of equation (13), according to the characteristic matrix method, the condition $((P^*)^4)_{i,j} = 0$ indicates that the i-th element of the output ΔPSPSPSPS(α) is not influenced by the j-th element of α. Furthermore, if $\alpha = e_j$, which means that only the j-th element of α is nonzero, the i-th element of ΔPSPSPSPS(α) is zero.
For the right part of equation (13), when $\beta = P e_i$, it becomes
Given that the nonlinear bijective $S^{-1}$ does not change the difference pattern, we have $\Delta S^{-1}(e_i) = e_i$. So, is zero. Furthermore, the i-th element of $\Delta S^{-1} P^{-1}(e_i)$ is zero, and the i-th element of $e_i \oplus \Delta S^{-1} P^{-1}(e_i)$ is nonzero.
For the two parts of equation (13), the i-th element of the left side is zero while the i-th element of the right side is nonzero. Thus, equation (13) cannot hold when the restricted conditions on P are satisfied. Therefore, the 23-round impossible differential is constructed.
To achieve the above 23-round impossible differentials, some extra restrictions on the linear layer P need to be satisfied according to Theorem 1. In fact, they can be achieved. For example, the permutation layer of the block cipher SKINNY, which was designed at CRYPTO 2016 [34], is
Table 2: 23-round differential propagation of New Structure III.
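As an added example (not part of the paper), the following Python code carries out the check behind Theorem 1 on a binary linear layer: it builds the characteristic matrix $P^*$ of Definition 1, takes its Boolean fourth power, inverts P over GF(2), and lists every pair (i, j) with $((P^*)^4)_{i,j} = 0$ and $(P^{-1})_{i,i} = 0$. The 16-cell SKINNY linear layer is rebuilt from SKINNY's public ShiftRows and MixColumns description rather than copied from equations (16) and (17); the cell indexing (index = 4·row + column) and the order MixColumns after ShiftRows are this example's assumptions.

```python
# Added example: characteristic-matrix check behind Theorem 1 for a binary
# linear layer P (a 0/1 matrix over GF(2) acting on d cells). The SKINNY
# layer is rebuilt from its public ShiftRows/MixColumns description; the
# cell index 4*row + col and the order MixColumns(ShiftRows(.)) are assumed.
from itertools import product

# SKINNY MixColumns matrix M, acting on the four cells of one column.
SKINNY_M = [[1, 0, 1, 1],
            [1, 0, 0, 0],
            [0, 1, 1, 0],
            [1, 0, 1, 0]]

def skinny_linear_layer():
    """16x16 0/1 matrix of MixColumns o ShiftRows on a 4x4 cell state;
    ShiftRows rotates row r to the right by r cells."""
    P = [[0] * 16 for _ in range(16)]
    for r, c in product(range(4), repeat=2):
        for k in range(4):  # output row r of MixColumns uses shifted row k
            if SKINNY_M[r][k]:
                P[4 * r + c][4 * k + (c - k) % 4] = 1
    return P

def characteristic(P):
    """P* from Definition 1: 1 where the entry is nonzero, 0 otherwise."""
    return [[int(x != 0) for x in row] for row in P]

def bool_mul(A, B):
    """Boolean matrix product: (AB)_{i,j} = OR_k (A_{i,k} AND B_{k,j})."""
    n = len(A)
    return [[int(any(A[i][k] and B[k][j] for k in range(n)))
             for j in range(n)] for i in range(n)]

def bool_pow(M, t):
    """t-th Boolean power M^t; a zero marks input/output independence."""
    R = M
    for _ in range(t - 1):
        R = bool_mul(R, M)
    return R

def gf2_inverse(P):
    """Inverse of a bijective 0/1 matrix over GF(2) (Gauss-Jordan)."""
    n = len(P)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(P)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col])
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def theorem1_pairs(P):
    """All (i, j) with ((P*)^4)_{i,j} = 0 and (P^-1)_{i,i} = 0; each pair
    gives a 23-round impossible differential with alpha = e_j, beta = P e_i."""
    P4 = bool_pow(characteristic(P), 4)
    Pinv = gf2_inverse(P)
    return [(i, j) for i in range(len(P)) for j in range(len(P))
            if P4[i][j] == 0 and Pinv[i][i] == 0]

if __name__ == "__main__":
    pairs = theorem1_pairs(skinny_linear_layer())
    print(len(pairs), "pairs (i, j) satisfy Theorem 1, e.g.", pairs[:4])
```

Running the same functions on the 4×4 MixColumns matrix alone gives an all-ones $(P^*)^4$, so the condition of Theorem 1 only becomes satisfiable once ShiftRows is included in the 16-cell layer.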

Zero-Correlation Linear Hulls of New Structure III
In this section, we first give the one-round linear propagation and then construct 23-round zero-correlation linear hulls of New Structure III in a similar way to the construction of impossible differentials. To describe the linear properties better, we first give some notations. $\Lambda F(a)$ represents all possible output masks of the nonlinear function F when the input mask is a. Similarly, $\Lambda F^{r}(a)$ represents all possible output masks of r consecutive rounds of F when the input mask is a, and $\Lambda F^{-r}(a)$ represents all possible output masks of r consecutive rounds of $F^{-1}$ (the inverse of F) when the input mask is a.
To construct zero-correlation linear hulls, the one-round linear propagation should be presented first. The property is given below.
Proposition 3 (see [26]). For one round of New Structure III, let $(a_0, a_1, a_2, a_3)$ and $(b_0, b_1, b_2, b_3)$ be the input mask and output mask, respectively; then we have
The above proposition can be easily proved with the linear propagation rules referred to in [26]. One-round linear propagation is shown in Figure 5, and we will study how to construct longer zero-correlation linear hulls.
The following theorem shows the zero-correlation linear hulls.

Theorem 2.
where $\alpha = e_i$, $\beta = (P^{-1})^T e_j$, and $P^*$ denotes the characteristic matrix of the linear layer P.
Proof. The 23-round linear propagation of New Structure III is depicted in Figure 6. It consists of 10-round encryption and 13-round decryption, whose last rounds are marked in red and blue, respectively. The details of the linear propagation are given in Table 3, where ? denotes an unknown mask.
For the right part of equation (24), according to Proposition 1, when the mask is $\beta = (P^{-1})^T e_j$, the mask becomes $e_j$ after passing through $P^{-1}$. Furthermore, we have
Since $(((P^*)^4)^T)_{i,j} = 0$, according to the definition of the characteristic matrix and Proposition 1, the i-th element of
Therefore, for the two parts of equation (24), the i-th element of the left side is zero while the i-th element of the right side is nonzero. So, equation (24) cannot hold when the restricted conditions on P are satisfied. Therefore, the 23-round zero-correlation linear hulls are constructed.
To achieve the above 23-round zero-correlation linear hulls, some extra restrictions on the linear layer P need to be satisfied according to Theorem 2. Note that they can be achieved as well. For example, for the permutation layer of the block cipher SKINNY described in Section 3, $(P^*)^4$ and $P^{-1}$ are presented in equations (16) and (17), respectively, and they easily satisfy the conditions of Theorem 2.

Conclusions
In this paper, we improved the impossible differentials and zero-correlation linear hulls of New Structure III to 23 rounds. Both of them are 1 round longer than the best previous works. Firstly, through careful analysis of its differential and linear propagation rules, the intermediate states were derived after some rounds of encryption and decryption. Then, a contradiction was detected by exploiting the details of the permutation layer, which has to satisfy some constraints. To show the effectiveness of our constructions, P was specified to the permutation matrix of the block cipher SKINNY and 64 distinguishers were detected. In terms of distinguisher length, our results indicate that New Structure III has weaker resistance against impossible differential and zero-correlation linear attacks than other GFSs such as SMS4 and MARS-like structures, for which the longest constructed distinguishers so far cover only 12 rounds. Although a block cipher structure or a concrete cipher may be designed to possess optimal resistance against one attack, it might be vulnerable to other cryptanalysis techniques, since different attack methods start from different points of view. Therefore, dedicated and comprehensive efforts will be necessary.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.