1. Introduction
One of the most important parts of a block cipher is its high-level structure, since it directly affects implementation performance and the choice of the number of rounds. Among the high-level structures, the Lai-Massey scheme is well known for its simplicity and security. It was first proposed by Lai and Massey in 1991 and was used in the design of IDEA [1]. Since its inception, the Lai-Massey scheme has attracted considerable attention worldwide. At Asiacrypt '99, Vaudenay added a simple function σ with the orthomorphic or α-almost orthomorphic property to one branch of each round (Fig. 1) [2]. Junod and Vaudenay adopted this modified scheme in the design of the FOX family (Fig. 2) [3]. In 2005, FOX was announced by MediaCrypt under the name IDEA NXT.
Fig. 1. The (extended) Lai-Massey scheme
Fig. 2. The outline of FOX
Various attack methods have been applied to FOX [4-8]. The best-known attacks against block ciphers are differential cryptanalysis [9] and linear cryptanalysis [10]. Designers should evaluate the security of any newly proposed cipher against these two cryptanalyses because they are the most powerful approaches available for attacking many symmetric block ciphers. In [11], Kanda et al. noted that the security of a cipher against these two cryptanalyses can be evaluated by upper-bounding the maximum differential characteristic and linear trail probabilities. For most block ciphers, the only nonlinear components are the S-boxes, so upper bounds on the maximum differential characteristic and linear trail probabilities follow from lower bounds on the number of differentially and linearly active S-boxes over some consecutive rounds.
For SPS structures, Rijmen et al. introduced the branch number [12], which gives a lower bound on the number of differentially (or linearly) active S-boxes. Because the basic framework of the round function in FOX is an SPS structure, Junod and Vaudenay obtained a lower bound on the number of differentially (or linearly) active S-boxes in FOX from a lower bound on the number of differentially (or linearly) active round functions [3]. However, according to our observations, the lower bound given in [3] cannot be reached when the number of rounds is greater than 3, which indicates that it can be improved.
This paper finds a tighter bound on the number of active S-boxes in some consecutive rounds of the Lai-Massey scheme with an SPS F-function and uses this result to improve the lower bound given in [3]. Junod and Vaudenay stated that at least 8 rounds of FOX64 are needed to resist traditional differential and linear cryptanalysis; the result obtained here indicates that 6 rounds are sufficient for FOX64.
This paper is organized as follows. Section 2 introduces notation and definitions, Section 3 studies the lower bound on the number of differentially active S-boxes in the Lai-Massey scheme with an SPS F-function, and Section 4 establishes the duality in the Lai-Massey scheme, obtains the lower bound on the number of linearly active S-boxes, and applies these results to FOX64 and FOX128. Finally, Section 5 concludes.
2. Preliminaries
This section presents some notations and definitions.
Definition 1 [2] Let (G, +G) be a group, let F1, F2, …, Fr be r functions on G, and let σ be a permutation on G. The r-round Lai-Massey scheme is the permutation Λσ(F1, F2, …, Fr) on G² defined by
and
in which the last σ is omitted.
In the sequel, we assume that the group is ({0,1}^n, ⊕). For convenience, we write F for each of F1, F2, …, Fr, so that the round function can be written as
Definition 2[13] Let f :{0,1}n → {0,1}m, and let α ∈ {0,1}n, β ∈ {0,1}m. Then,
and
are called the probabilities of the differential α → β and of the linear approximation α → β for f, respectively.
Definition 3[2] Let f :{0,1}n → {0,1}n be a mapping. Then, f is called an orthomorphism if both f(x) and g(x) = f(x)⊕x are bijective.
Definition 4[14] An S-box (resp. F) is called differentially active if its input difference is nonzero, and an S-box (resp. F) is called linearly active if its output mask value is nonzero.
Note: When an S-box (resp. F) is bijective, it is differentially active iff its output difference is nonzero, and it is linearly active iff its input mask value is nonzero.
Definition 5 Let σ(x) = Mx⊕C be an affine orthomorphism. Then the Lai-Massey scheme with σD(x) = (M^{-1})^T x⊕C as its σ is called the dual scheme of the Lai-Massey scheme with σ(x) = Mx⊕C as its σ.
Definition 6 [12] For the diffusion layer P, the relationship between the input difference and the output difference is given by the matrix P, i.e., Δy = PΔx, and the relationship between the output and input mask values is given by P^T, i.e., Γx = P^T Γy. In addition, the values are called the differential branch number and the linear branch number, respectively.
3. Lower Bound of Differentially Active S-boxes in the Lai-Massey Scheme with an SPS F-function
First, we will study the relationship between the differential of the round function and the differentials of the F-function and σ permutation.
Theorem 1 The probability of the differential (α,β)→(A,B) of the round function Q is nonzero iff the differential α⊕β → β⊕B for F and the differential α⊕β⊕B → A for σ both have nonzero probability. Moreover,
In particular, if σ(x) = δ(x)⊕σ(0) is affine with linear part δ, then the output difference of F is β⊕B = α⊕δ^{-1}(A).
Proof See Appendix A.
For the SPS structure, the lower bound on the number of active S-boxes from [13] is stated in lemma 1.
Lemma 1 [13] In the SPS structure, let S be bijective and let the differential and linear branch numbers of P be Bd and Bl, respectively. The number of differentially active S-boxes is at least Bd if the input difference is nonzero, and the number of linearly active S-boxes is at least Bl if the output mask is nonzero.
For the Lai-Massey scheme, the lower bound of the active F-functions is given in lemma 2 below.
Lemma 2 Let σ be an orthomorphism. Then, a consecutive 2-round differential characteristic for the Lai-Massey scheme with nonzero probability contains at least one active F -function.
Proof Let (α,β)→(A,B)→(u,v) be a 2-round differential characteristic for the Lai-Massey scheme with nonzero probability. By theorem 1, the differentials for F and σ in the first round are α⊕β → β⊕B and α⊕β⊕B → A, respectively, and those in the second round are A⊕B → B⊕v and A⊕B⊕v → u, respectively.
Suppose that F is active in neither round. If F is not active in the first round, then α = β and B = β, so α = β = B; if F is not active in the second round, then A = B and v = B. Therefore, the differential for σ in the first round is A → A. Because (A,B) ≠ (0,0) and A = B, we have A ≠ 0, and pσ(A→A) = 0 when σ is an orthomorphism: σ(x⊕A)⊕σ(x) = A would give g(x⊕A) = g(x) for g(x) = σ(x)⊕x, which is bijective by definition 3, so x⊕A = x and A = 0, a contradiction. Theorem 1 then gives pQ((α,β)→(A,B)) = 0, which contradicts the assumption that the probability is nonzero. Hence a 2-round differential characteristic with nonzero probability contains at least one active F-function.
Q.E.D
For the Lai-Massey scheme with an SPS F-function, the corollary below follows from lemmas 1 and 2, since one active F-function contains at least Bd differentially (Bl linearly) active S-boxes.
Corollary For the Lai-Massey scheme with an SPS F-function, let the differential and linear branch numbers of P be Bd and Bl, respectively. Then there are at least nBd differentially (nBl linearly) active S-boxes in 2n consecutive rounds.
Remarks: Let Bd and Bl be odd. For a nontrivial differential α→α (linear approximation α→α) of an SPS structure with bijective S-boxes, the input and the output of P each have Hw(α) active words, because the first S-layer preserves the number of active input words and the second S-layer preserves the number of active output words. Hence 2Hw(α) ≥ Bd, and since Bd is odd, Hw(α) ≥ (Bd+1)/2, so at least Bd+1 (Bl+1) S-boxes are active. Based on this fact, we improve the corollary of lemma 2. First, we consider the number of active S-boxes in 3 consecutive rounds, where Bd ≥ 3 and Bl ≥ 3.
Theorem 2 For the Lai-Massey scheme with an SPS F-function, let Bd ≥ 3 be odd and let σ(x) = δ(x)⊕σ(0) be an affine orthomorphism. Then there are at least Bd+1 active S-boxes in a 3-round differential characteristic, and this bound is reached iff the structure of the characteristic is
and the corresponding differentials for F are 0→0, δ(α)⊕α → δ(α)⊕α, and 0→0, respectively, for some α ≠ 0 with Hw(δ(α)⊕α) = (Bd+1)/2.
Proof By lemma 2, every two consecutive rounds contain an active F-function, so a 3-round differential characteristic contains at least one. If it contains at least two active F-functions, then by lemma 1 it contains at least 2Bd > Bd+1 active S-boxes. If it contains exactly one, that F-function must lie in the second round (otherwise rounds 1-2 or rounds 2-3 would contain none), so the structure of this differential characteristic is and, by theorem 1, the corresponding differentials for F are 0→0, δ(α)⊕α → δ(α)⊕α, and 0→0, respectively, where α ≠ 0. Because Bd is odd, the differential δ(α)⊕α → δ(α)⊕α for the SPS structure contains at least Bd+1 active S-boxes, with equality iff Hw(δ(α)⊕α) = (Bd+1)/2.
Q.E.D.
In the sequel, AS(a→b) denotes the number of active S-boxes in the differential characteristic from the ath to bth round, and AS(a) denotes the number of active S-boxes in the ath round.
Theorem 3 For the Lai-Massey scheme with an SPS F-function, let Bd ≥ 3 be odd and let σ(x) = δ(x)⊕σ(0) be an affine orthomorphism.
(1) There are at least active S-boxes in an r-round differential characteristic, where
(2) If the number of active S-boxes is in the r-round differential characteristic, then the F-functions in the first and last rounds are non-active.
Proof According to theorem 2, this theorem is true for r = 3 . Next, we use induction to prove this theorem.
Suppose that (1) and (2) are true for r ≤ 2m+1. For r = 2m+2, if the F-function in the first round is active, then AS(1) ≥ Bd, and AS(2→2m+2) ≥ m(Bd+1) by the inductive supposition. Hence,
A similar argument applies when the F-function in the last round is active, so AS(1→2m+2) > (m-1)(Bd+1)+2Bd in both cases. Therefore, (2) is true for r = 2m+2.
We now consider the case in which the F-function is active in neither the first nor the last round. Two cases arise according to whether the F-function in the (m+2)-th round is active.
Case 1: Suppose that F is not active in the (m+2)-th round; then, we have
Therefore, AS(1→2m+2) = AS(1→m+2) + AS(m+3→2m+2) = AS(1→m+2) + AS(m+2→2m+2).
If m is odd, then AS(m+2→2m+2) ≥ [(m+1)/2–2](Bd+1)+2Bd and AS(1→m+2) ≥ (m+1)(Bd+1)/2 by the inductive supposition; therefore,
If m is even, then AS(1→m+2) ≥ (m/2–1)(Bd+1)+2Bd and AS(m+2→2m+2) ≥ (m/2)(Bd+1) by the inductive supposition; therefore,
This shows that (1) is true for r = 2m+2 when the F-function in the (m+2)-th round is not active.
Case 2: Suppose that the F-function in the (m+2)-th round is active. Then AS(1→2m+2) = AS(1→m+1) + AS(m+2) + AS(m+3→2m+2).
If m is odd, then by the inductive supposition,
If AS(1→m+1) = [(m+1)/2–2](Bd+1)+2Bd and AS(m+3→2m+2) = (m-1)(Bd+1)/2, then AS(m+1) = AS(m+3) = 0 by (2) in the inductive supposition. Moreover, by theorem 2, AS(m+2) = AS(m+1→m+3) ≥ Bd+1; thus,
If AS(1→m+1) and AS(m+3→2m+2) cannot both reach their minima simultaneously, then
Because the F-function in the (m+2)-th round is active, we have AS(m+2) ≥ Bd. Hence,
Thus, (1) is true for r = 2m + 2 when m is odd.
If m is even, then by the inductive supposition,
If AS(1→m+1) = (m/2)(Bd+1) and AS(m+3→2m+2) = (m/2–2)(Bd+1)+2Bd, then AS(m+1) = AS(m+3) = 0 by (2) in the inductive supposition. Moreover, AS(m+2) = AS(m+1→m+3) ≥ Bd+1 according to theorem 2. Hence,
If AS(1→m+1) and AS(m+3→2m+2) cannot both reach their minima simultaneously, then
Because the F-function in the (m+2)-th round is active, we have AS(m+2) ≥ Bd. Hence,
Thus, (1) is true for r = 2m+2 when m is even. Therefore, (1) is true for r = 2m+2 if the F-function in the (m+2)-th round is active.
Cases 1 and 2 demonstrate that (1) is true for r = 2m + 2 if it is true for r ≤ 2m + 1.
Next, suppose that (1) and (2) are true for r ≤ 2m. For r = 2m+1, if the F-function in the first round is active, then AS(1) ≥ Bd and AS(2→2m+1) ≥ (m-2)(Bd+1)+2Bd by (1) in the inductive supposition. As a result,
Similarly, AS(1→2m+1) > m(Bd+1) if the F-function in the last round is active. Therefore, (2) is true for r = 2m+1.
Next, we consider the case in which neither the F-function in the first round nor the F-function in the last round is active. Two cases arise according to whether the F-function in the (m+2)-th round is active.
Case 1: Suppose that F in the (m+2)-th round is not active. Then, we have
therefore, AS(1→2m+1) = AS(1→m+2) + AS(m+2→2m+1).
If m is odd, then AS(m+2→2m+1) ≥ (m-1)(Bd+1)/2 and AS(1→m+2) ≥ (m+1)(Bd+1)/2 by inductive supposition. Therefore,
If m is even, then, by the supposition, we have
Thus,
Moreover, since (m-3)(Bd+1)+4Bd ≥ m(Bd+1) is equivalent to Bd ≥ 3, we obtain AS(1→2m+1) ≥ (m-3)(Bd+1)+4Bd ≥ m(Bd+1), which shows that (1) is true for r = 2m+1.
Case 2: If the F-function in the (m+2)-th round is active, then AS(1→2m+1) = AS(1→m+1) + AS(m+2) + AS(m+3→2m+1).
If m is odd, by inductive supposition,
If AS(1→m+1) and AS(m+3→2m+1) make the equality true simultaneously, then AS(m+1) = AS(m+3) = 0 by (2) in the inductive supposition. Moreover, AS(m+2) = AS(m+1→m+3) ≥ Bd+1 according to theorem 2. Hence,
If AS(1→m+1) and AS(m+3→2m+1) cannot make the equality true simultaneously, then
Because the F-function in the (m+2)-th round is active, AS(m+2) ≥ Bd; therefore,
This result indicates that when m is odd, (1) is true for r = 2m+1.
If m is even, by inductive supposition, we have
If AS(1→m+1) and AS(m+3→2m+1) make the equality true simultaneously, we obtain AS(m+1) = AS(m+3) = 0 by (2) in the supposition, and thus, AS(m+2) = AS(m+1→m+3) ≥ Bd+1 according to theorem 2. Hence,
If AS(1→m+1) and AS(m+3→2m+1) cannot both reach their minima simultaneously, then
Because F in the (m+2)-th round is active, we have AS(m+2) ≥ Bd and
This shows that (1) is true for r = 2m+1 when m is even. Therefore, (1) is true for r = 2m+1 if F in the (m+2)-th round is active.
Cases 1 and 2 demonstrate that (1) and (2) are true for r = 2m+1 if (1) and (2) are true for r ≤ 2m.
Therefore, by induction, the theorem is true for all r ≥ 3.
Q.E.D.
We can obtain corresponding results for the 5-round differential characteristic in the Lai-Massey scheme with an SPS F-function according to theorem 3.
Corollary For the Lai-Massey scheme with an SPS F-function, let Bd ≥ 3 be odd and let σ(x) = δ(x)⊕σ(0) be an affine orthomorphism. Then there are at least 2Bd+2 active S-boxes in a 5-round differential characteristic, and the lower bound is reached iff the structure of the 5-round differential characteristic is
for some α ≠ 0 with Hw(δ(α)⊕α) = Hw(δ2(α)⊕δ(α)) = (Bd+1)/2. The corresponding differentials for F are 0→0, δ(α)⊕α → δ(α)⊕α, 0→0, δ2(α)⊕δ(α) → δ2(α)⊕δ(α), and 0→0, respectively.
Theorem 4 For the Lai-Massey scheme with an SPS F-function, let Bd ≥ 3 be odd and let σ(x)=δ(x)⊕σ(0) be an affine orthomorphism. is the lower bound in the corollary of lemma 2. is defined as in theorem 3, then we have
Proof according to lemma 2; thus, according to theorem 3, we have
Q.E.D.
Theorem 3 gives a lower bound on the number of differentially active S-boxes in the Lai-Massey scheme with an SPS F-function that is larger than the product of the differential branch number and the number of active F-functions, and theorem 4 shows that the improvement is independent of Bd when Bd is odd.
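The following is an added example and not code from the paper or from FOX. It builds a toy Lai-Massey scheme with an SPS F-function (a constructed 3-bit bijective S-box applied to two words, a constructed 2x2 MDS matrix over GF(2^3) with Bd = 3, and σ equal to multiplication by 2 in GF(2^6), which is a linear orthomorphism because σ(x)⊕x = 3x is also a bijection), computes the branch number of P by brute force (lemma 1) and the symmetric-weight minimum of the remark, and then finds the exact minimum number of active S-boxes over all r-round differential characteristics of nonzero probability by dynamic programming over the 2^12 - 1 nonzero input differences, using the round-level propagation rule of theorem 1. The exact minima are compared with the bound nBd of the corollary of lemma 2 and with the bound of theorem 3 in the form used throughout its proof (m(Bd+1) for 2m+1 rounds and (m-1)(Bd+1)+2Bd for 2m+2 rounds); the increment between the two is the quantity of theorem 4.

```python
from itertools import product

W = 3                                    # S-box width in bits
WMASK = (1 << W) - 1
BR = 2 * W                               # a branch holds two words
BMASK = (1 << BR) - 1


def gf_mul(a, b, poly, width):
    """Bit-serial multiplication in GF(2^width) modulo the polynomial `poly`."""
    r = 0
    for _ in range(width):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << width):
            a ^= poly
    return r


SBOX = [6, 5, 0, 3, 1, 7, 2, 4]          # constructed 3-bit bijective S-box


def s_layer(v):
    return (SBOX[v >> W] << W) | SBOX[v & WMASK]


def p_layer(v):
    """Constructed diffusion matrix [[1, 1], [1, 2]] over GF(2^3) with x^3 + x + 1."""
    a, b = v >> W, v & WMASK
    return ((a ^ b) << W) | (a ^ gf_mul(2, b, 0b1011, W))


def f_sps(v):                            # SPS F-function; keys do not change differences
    return s_layer(p_layer(s_layer(v)))


# sigma(x) = 2x in GF(2^6) with x^6 + x + 1 (constructed); delta = sigma since it is linear.
DELTA = [gf_mul(2, x, 0b1000011, BR) for x in range(1 << BR)]


def is_orthomorphism(table):             # definition 3 checked by enumeration
    n = len(table)
    return len(set(table)) == n and len({t ^ x for x, t in enumerate(table)}) == n


def active_words(v):                     # active S-boxes for a word-level difference
    return int(v & WMASK != 0) + int(v >> W != 0)


def branch_number():                     # lemma 1: Bd of P by brute force
    return min(active_words(v) + active_words(p_layer(v)) for v in range(1, 1 << BR))


def remark_min():
    """Fewest active S-boxes of an SPS differential a -> a: the output of the first
    S-layer and the input of the second must then have the same weight (the remark)."""
    return min(active_words(v) + active_words(p_layer(v))
               for v in range(1, 1 << BR) if active_words(v) == active_words(p_layer(v)))


# Support of the DDT of F: DDT_F[u] is the set of output differences reachable from u.
DDT_F = [set() for _ in range(1 << BR)]
for x, u in product(range(1 << BR), repeat=2):
    DDT_F[u].add(f_sps(x ^ u) ^ f_sps(x))


def min_active_sboxes(rounds):
    """Exact minimum of AS(1->rounds) over all characteristics of nonzero probability.
    A state packs (dx, dy) into 12 bits; by theorem 1 a round with F-differential
    u -> g, u = dx xor dy, maps it to (delta(dx xor g), dy xor g) and costs
    active_words(u) + active_words(g) S-boxes."""
    INF = 10 ** 9
    size = 1 << (2 * BR)
    cost = [0] * size                    # any nonzero difference may start a characteristic
    cost[0] = INF
    for _ in range(rounds):
        nxt = [INF] * size
        for d in range(1, size):
            c = cost[d]
            if c >= INF:
                continue
            x, y = d >> BR, d & BMASK
            u = x ^ y
            base = c + active_words(u)
            for g in DDT_F[u]:
                d2 = (DELTA[x ^ g] << BR) | (y ^ g)
                if base + active_words(g) < nxt[d2]:
                    nxt[d2] = base + active_words(g)
        cost = nxt
    return min(cost[1:])


def corollary_bound(r, bd):              # corollary of lemma 2: n*Bd for 2n rounds
    return (r // 2) * bd


def theorem3_bound(r, bd):
    """Theorem 3 as used in its proof (r >= 3, Bd >= 3 odd): m(Bd+1) for r = 2m+1
    rounds and (m-1)(Bd+1)+2Bd for r = 2m+2 rounds."""
    if r % 2:
        return ((r - 1) // 2) * (bd + 1)
    return (r // 2 - 2) * (bd + 1) + 2 * bd


def increment(r, bd):                    # theorem 4: improvement over the corollary
    return theorem3_bound(r, bd) - corollary_bound(r, bd)


if __name__ == "__main__":
    bd = branch_number()
    print(f"Bd = {bd}, minimum for an a -> a SPS differential = {remark_min()}")
    for r in range(2, 7):
        t3 = theorem3_bound(r, bd) if r >= 3 else "-"
        print(f"{r} rounds: exact minimum {min_active_sboxes(r)}, "
              f"corollary {corollary_bound(r, bd)}, theorem 3 {t3}")
```

The search is exact for this toy instance, so the printed minima show how much slack remains between the paper's bounds and the best characteristics that actually exist; the bounds themselves depend only on Bd and on σ being an affine orthomorphism, which the block checks by enumeration rather than assuming.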
4. Lower Bound of Linearly Active S-boxes in the Lai-Massey Scheme with an SPS F-function
Next, we focus on the lower bound on the number of linearly active S-boxes in the Lai-Massey scheme with an SPS F-function. Using the duality between differential characteristics and linear trails in this structure, this lower bound follows easily from the differential case.
Theorem 5 Let σ(x) = Mx⊕C be affine. Then the linear approximation (α,β)→(A,B) for the round function Q can have a nonzero correlation coefficient ρ only if α⊕β⊕B⊕M^T A = 0. In that case, the corresponding linear approximation for F is β⊕B → α⊕β, and its coefficient is ρ·(–1)^{A·C}.
Proof See Appendix B.
Theorem 6 (The dual theorem between the differential characteristic and linear trail in the Lai-Massey scheme.)
Let σ be an affine orthomorphism. Then the n-round differential characteristic (a0,1,a0,2)→(a1,1,a1,2)→…→(an,1,an,2) has nonzero probability with corresponding differentials a0,1⊕a0,2 → c0, a1,1⊕a1,2 → c1, …, an-1,1⊕an-1,2 → cn-1 for F iff (a0,1,a0,2)→(a1,1,a1,2)→…→(an,1,an,2) is an n-round linear trail of its dual Lai-Massey scheme with a nonzero correlation coefficient and corresponding linear approximations c0 → a0,1⊕a0,2, c1 → a1,1⊕a1,2, …, cn-1 → an-1,1⊕an-1,2 for the F-function.
Proof See Appendix C.
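The following is an added example, not the paper's own code, that checks theorem 1, theorem 5 and the round-level content of definition 5 and theorem 6 exhaustively on a toy instance with 3-bit branches. The matrix M (multiplication by x in GF(2^3), written as three column vectors over GF(2)), the constant C and the F table are all constructed here. The block enumerates the full differential and linear distributions of one round Q and confirms that pQ((α,β)→(A,B)) equals pF(α⊕β → β⊕B) exactly when δ(α⊕β⊕B) = A and is 0 otherwise, that the correlation of (α,β)→(A,B) vanishes unless α⊕β⊕B⊕M^T A = 0 and otherwise equals (–1)^{A·C} times the correlation of β⊕B → α⊕β for F, and that the σ-condition for a differential in the original scheme coincides with the σ-condition for a linear approximation in the dual scheme, whose M_D^T is M^{-1}.

```python
from itertools import product

N = 3                                    # branch width: the group is ({0,1}^3, xor)
DOM = range(1 << N)


# Linear maps on GF(2)^3 are stored as lists of column vectors: bit i of column j is M_ij.
def apply_cols(cols, v):
    r = 0
    for j, col in enumerate(cols):
        if (v >> j) & 1:
            r ^= col
    return r


def transpose(cols):
    return [sum(((cols[j] >> i) & 1) << j for j in range(N)) for i in range(N)]


def inverse(cols):                       # column i of M^-1 is the v with M v = e_i
    return [next(v for v in DOM if apply_cols(cols, v) == 1 << i) for i in range(N)]


M_COLS = [0b010, 0b100, 0b011]           # constructed M: multiplication by x in GF(2^3)
C = 0b101                                # constructed constant: sigma(x) = M x xor C


def delta(x):                            # linear part of sigma
    return apply_cols(M_COLS, x)


def sigma(x):
    return delta(x) ^ C


def is_orthomorphism(f):                 # definition 3 by enumeration
    return len({f(x) for x in DOM}) == len(DOM) and len({f(x) ^ x for x in DOM}) == len(DOM)


F = [5, 1, 6, 3, 0, 7, 2, 4]             # constructed F table (keyless)


def round_q(x, y):                       # one (extended) Lai-Massey round
    f = F[x ^ y]
    return sigma(x ^ f), y ^ f


Q_TABLE = {(x, y): round_q(x, y) for x, y in product(DOM, repeat=2)}


def parity(v):
    return bin(v).count("1") & 1


def diff_count_f(u, v):                  # 8 * pF(u -> v)
    return sum(1 for x in DOM if F[x ^ u] ^ F[x] == v)


def build_ddt_q():                       # DDT_Q[(a, b, A, B)] = 64 * pQ((a,b) -> (A,B))
    ddt = {}
    for (x, y), (x1, y1) in Q_TABLE.items():
        for a, b in product(DOM, repeat=2):
            x2, y2 = Q_TABLE[(x ^ a, y ^ b)]
            key = (a, b, x1 ^ x2, y1 ^ y2)
            ddt[key] = ddt.get(key, 0) + 1
    return ddt


DDT_Q = build_ddt_q()


def check_theorem1():
    """pQ = pF(a^b -> b^B) * p_sigma, and p_sigma(a^b^B -> A) is 1 iff delta(a^b^B) == A."""
    for a, b, A, B in product(DOM, repeat=4):
        n = DDT_Q.get((a, b, A, B), 0)
        m = diff_count_f(a ^ b, b ^ B) if delta(a ^ b ^ B) == A else 0
        if n != len(DOM) * m:
            return False
    return True


def lin_sum_f(u, v):                     # 8 * correlation of u -> v for F
    return sum((-1) ** parity((u & x) ^ (v & F[x])) for x in DOM)


def lin_sum_q(a, b, A, B):               # 64 * correlation of (a,b) -> (A,B) for Q
    return sum((-1) ** parity((a & x) ^ (b & y) ^ (A & x1) ^ (B & y1))
               for (x, y), (x1, y1) in Q_TABLE.items())


M_T = transpose(M_COLS)


def check_theorem5():
    for a, b, A, B in product(DOM, repeat=4):
        s = lin_sum_q(a, b, A, B)
        if a ^ b ^ B ^ apply_cols(M_T, A) != 0:
            if s != 0:
                return False
        elif s != len(DOM) * (-1) ** parity(A & C) * lin_sum_f(b ^ B, a ^ b):
            return False
    return True


M_D_T = inverse(M_COLS)                  # dual scheme: sigma_D = (M^-1)^T x xor C, so M_D^T = M^-1


def check_duality():
    """Round-level form of theorem 6: the sigma-condition of a differential in the original
    scheme equals the sigma-condition (theorem 5) of the same linear approximation in the
    dual scheme; F's differential a^b -> b^B is mirrored by F's approximation b^B -> a^b."""
    for a, b, A, B in product(DOM, repeat=4):
        if (delta(a ^ b ^ B) == A) != (a ^ b ^ B ^ apply_cols(M_D_T, A) == 0):
            return False
    return True


if __name__ == "__main__":
    print("sigma orthomorphism:", is_orthomorphism(sigma))
    print("theorem 1:", check_theorem1(), "theorem 5:", check_theorem5(), "duality:", check_duality())
```

Only the σ-condition is structural; whether a given F-differential or F-approximation actually occurs still depends on F's own DDT and LAT, which is why the checks compare Q's tables against F's tables rather than against each other.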
Based on the duality, similar results can be obtained with respect to linearly active S-boxes, which are stated in the following theorems 7 and 8.
Theorem 7 For the Lai-Massey scheme with an SPS F-function, let Bl ≥ 3 be odd and let σ(x) = Mx⊕C be an affine orthomorphism. Then, the following statements are true:
(1) There are at least active S-boxes in an r-round linear trail, where
(2) If the number of active S-boxes is in the r-round linear trail, then F is active neither in the first nor last round.
Theorem 8 For the Lai-Massey scheme with an SPS F-function, let Bl ≥ 3 be odd, let σ(x) = Mx⊕C be an affine orthomorphism, and let r ≥ 3. If is the lower bound in the corollary of lemma 2 and is as defined in theorem 7, then
For FOX64, Bd = Bl = 5; for FOX128, Bd = Bl = 9. Applying theorems 4 and 8, we obtain lower bounds on the numbers of differentially and linearly active S-boxes for 3 to 12 rounds of FOX64 and of FOX128. Table 1 compares these bounds with those presented in [3].
Table 1. The number of active S-boxes in FOX64 and FOX128
Table 1 shows that the bounds obtained here are tighter than those in [3].
Theorem 9 It is impossible to find any useful differential characteristic or linear trail over 6 rounds of FOX64.
Proof Combine the lower bounds on the number of active S-boxes in Table 1 with the maximum differential and linear probabilities of the FOX S-box, exactly as in the argument of [3] for 8 rounds.
Q.E.D.
Junod and Vaudenay proved that it is impossible to find any useful differential characteristic or linear trail after 8 rounds of either FOX64 or FOX128 [3]. This paper demonstrates that 6 rounds of FOX64 already resist differential and linear attacks. For FOX128, although we do not reduce the number of rounds below 8, we obtain a tighter lower bound on the number of active S-boxes, showing that FOX128 has a larger security margin against these attacks than previously established.
5. Conclusions
This paper studies lower bounds on the numbers of differentially and linearly active S-boxes in a given number of consecutive rounds of the Lai-Massey scheme with an SPS F-function. First, we give a lower bound on the number of differentially active S-boxes; the corresponding result for linearly active S-boxes then follows from the duality in the Lai-Massey scheme. Finally, we apply these results to FOX and obtain a tighter lower bound on the number of active S-boxes. In particular, no useful differential characteristic or linear trail exists over 6 rounds of FOX64, rather than the 8 rounds required by the argument of Junod and Vaudenay at SAC 2004. The results also apply broadly in practice because the P permutations used in block ciphers typically have the maximum branch number and even dimension, so their differential and linear branch numbers are odd.
References
- X. Lai and J. L. Massey, "A proposal for a new block encryption standard," Advances in Cryptology - EUROCRYPT '90, LNCS, vol. 473, pp. 389-404, 1991.
- S. Vaudenay, "On the Lai-Massey scheme," Advances in Cryptology - ASIACRYPT '99, LNCS, vol. 1716, pp. 8-19, 1999.
- P. Junod and S. Vaudenay, "FOX: a new family of block ciphers," Selected Areas in Cryptography - SAC 2004, LNCS, vol. 3357, pp. 114-129, 2004.
- Wenling Wu, Wentao Zhang and Dengguo Feng, "Integral cryptanalysis of reduced FOX block cipher," Information Security and Cryptology - ICISC 2005, LNCS, vol. 3935, pp. 229-241, 2006.
- Zhongming Wu, Xuejia Lai, Bo Zhu and Yiyuan Luo, "Impossible differential cryptanalysis of FOX," Cryptology ePrint Archive, Report 2009/357. http://eprint.iacr.org/
- Yuechuan Wei, Bing Sun and Chao Li, "Impossible differential attacks on FOX," Journal on Communications, vol. 9, pp. 24-29, 2010. http://wenku.baidu.com/link?url=FizBvRdaVTvrwY7qKYgUvyjAMD0ZLHOQdTOhylmSTCgkSgad7xQXVTSiL_kffes0HBRCu8C3kTHQd9fk_QjJV3mg3kiJOcDto9HZ4bIAusO
- Wenling Wu and Hongru Wei, "Collision-integral attack of reduced-round FOX," Journal of Electronics & Information Technology, vol. 7, pp. 1307-1310, 2005. http://wenku.baidu.com/link?url=dpxdjBQPKYOHIGmBBEhqoMp__aD_RJj3__OF9TD1vKhoBtXVzYvoih57uRqcPx9s03YhSk-ermtAeEa26lgALGfcaz5rfkARDmvwaaGuIp7
- Ruilin Li, Jianxiong You, Bing Sun, et al., "Fault analysis study of the block cipher FOX64," Multimedia Tools and Applications, vol. 63, no. 3, pp. 691-708, 2013. https://doi.org/10.1007/s11042-011-0895-x
- E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," Journal of Cryptology, vol. 4, no. 1, pp. 3-72, 1991.
- M. Matsui, "Linear cryptanalysis method for DES cipher," Advances in Cryptology - EUROCRYPT '93, LNCS, vol. 765, pp. 386-397, 1994.
- M. Kanda, Y. Takashima, T. Matsumoto, K. Aoki and K. Ohta, "A strategy for constructing fast round functions with practical security against differential and linear cryptanalysis," Selected Areas in Cryptography, LNCS, vol. 1556, pp. 264-279, 1999.
- V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers and E. De Win, "The cipher SHARK," Fast Software Encryption - FSE '96, LNCS, vol. 1039, pp. 99-111, 1996.
- Chenhui Jin, Haoran Zheng, Shaowu Zhang, et al., Cryptology, Higher Education Press, 2009.
- S. Hong, S. Lee, J. Lim, J. Sung, D. Cheon and I. Cho, "Provable security against differential and linear cryptanalysis for the SPN structure," Fast Software Encryption - FSE 2000, LNCS, vol. 1978, pp. 273-283, 2001.