Professional Documents
Culture Documents
Yosuke Todo1,2(B)
1
NTT Secure Platform Laboratories, Tokyo, Japan
todo.yosuke@lab.ntt.co.jp
2
Kobe University, Kobe, Japan
1 Introduction
Higher-Order Differential Cryptanalysis. After the proposal of the differ-
ential cryptanalysis [6], many extended cryptanalyses have been proposed like
the impossible differential [5,20], integral [22], and meet-in-the-middle attacks
[15]. The higher-order differential cryptanalysis is one of such extensions. The
concept was first introduced by Lai [23] and the advantage over the conventional
differential cryptanalysis was studied by Knudsen [21]. Assuming the algebraic
degree of the target block cipher Ek is upper-bounded by d for all k, the dth order
differential is always constant and the (d + 1)th order differential is always zero.
Then, we can distinguish the target cipher Ek as ideal block ciphers because it
is unlikely that ideal block ciphers have this property, and we call this property
04 the higher-order differential characteristics in this paper.
c Springer International Publishing AG 2017
Md Rasid Ali R.C.-W. Phan and M. Yung (Eds.): LNCS 10311, Mycrypt 2016, pp. 553–571, 2017.
DOI: 10.1007/978-3-319-61273-7 30
554 Y. Todo
the security for the analysis using the division property in advance have been
proposed like SKINNY [4], Mysterion [19], and Sparx and LAX [16].
for all round key rk, where the function T is observing function and the simple
truncation function is often used. The probability that Eq. (1) holds for ideal
ciphers is negligible. Therefore, we can execute a distinguishing attack by con-
struction the integral characteristic.
The integral cryptanalysis additionally append a key recovery step to the
integral characteristic. Assuming that block ciphers has an r-round integral
characteristics, attackers guess round keys used in the last s rounds and attack
(r +s) rounds. If guessed round keys are correct, Eq. (1) always holds. Therefore,
if Eq. (1) does not hold, the guessed round key is incorrect. By repeating this
06 procedure, attackers recover the correct round keys used in the last s rounds.
Md Rasid Ali
2.4 What is Different Between Integral and Higher-Order
Differential Cryptanalyses
The definition of the higher-order differential cryptanalysis is different from that
of the integral cryptanalysis. However, they are often regarded as the same crypt-
analysis. To achieve high performance under computer, almost all operations of
Division Property: Efficient Method to Estimate Upper Bound 557
block ciphers are defined using bit operations like XOR and bit-oriented AND.
Then, both additions of the integral cryptanalysis and differences become XOR.
For example, the 2nd order differential is represented as
Md Rasid Ali Theorem 1 [9]. Let S be a function from Fn2 into Fn2 corresponding to the
concatenation of m smaller S-boxes, defined over Fn2 0 . Let δk be the maximal
degree of the product of any k bits of anyone of these S-boxes. Then, for any
function G from Fn2 into F2 , we have
n − deg(G)
15-16 deg(G ◦ S) ≤ n − ,
γ
2 notes:
558 Y. Todo
A C C C A C C C A C C C A A A A B B B B
C A C C C C C C A C C C A A A A B B B B
C C A C C C C C A C C C A A A A B B B B
C C C A C C C C A C C C A A A A B B B B
224 sets 224 sets 224 sets 224 sets
where
n0 − i
γ= max .
1≤i≤n0 −1 n0 − δi
For example, let us consider SPN ciphers using four 4-bit S-boxes. Since the
algebraic degree of 4-bit S-boxes is at most 3, the algebraic degree of the
2-round cipher is at most 32 = 9. When we use the classical method, the alge-
braic degree of the 3-round cipher is at most min(15, 33 = 27) = 15 but it is not
tight. On the other hand, Theorem 1 shows that the algebraic degree is at most
3 = 13. Boura et al. showed integral distinguishers on Keccak [12]
16 − 16−9
and Luffa [10] by using this theorem. We cannot apply Theorem 1 to non-SPN
ciphers, and real block ciphers have more complicated round function. Therefore,
this method is still far from the tight lower bound.
Since the theoretical estimation of the algebraic degree is difficult, a brute-
17-18
2 notes:
force method is often used [31], i.e., all algebraic equations are resolved. The
accurate algebraic degree is evaluated by using this method, but it generally
requires practically infeasible time complexity. Therefore, the application is very
limited.
Knudsen and Wagner showed that AES has the 4-round integral distinguisher
with 232 chosen plaintexts [22] (see Fig. 2).
Unfortunately, the integral property does not find effective characteristics if
21-22 block ciphers consist of non-bijective functions, e.g., DES [1] and Simon[3] con-
2 notes:sist of non-bijection functions. Moreover, since the propagation does not clearly
exploit the algebraic degree of block ciphers, it tends not to construct effective
23 characteristics on block ciphers with low-degree round functions.
Md Rasid Ali
Division Property: Efficient Method to Estimate Upper Bound 559
Observations 1 and 2 implies that each of the two methods has its own advan-
tages and disadvantages. Specifically, S-boxes are regarded as black boxes in the
propagation of the integral property, i.e., it constructs integral characteristics
by mainly exploiting the diffusion part of block ciphers. On the other hand,
the degree estimation can exploit the algebraic degree of S-boxes but is difficult
to well exploit the diffusion part, i.e., it constructs integral characteristics by
mainly exploiting the confusion part of block ciphers. Therefore, it is natural
that the method that can exploit both diffusion and confusion parts of block
24 ciphers is desirable.
Md Rasid Ali
3 Division Property
The division property is a novel technique to find integral (higher-order differ-
ential) characteristics and is the generalization of the integral property that can
25 also exploit the algebraic degree at the same time. Let us consider the properties
of input and output multisets for one bijective S-box with degree d. If an input
Md Rasid Ali
multiset has A, the output multiset also has A. If an input multiset has B, the
output multiset has U. Moreover, we can prepare the set of 2d+1 input texts
26-27 that the output multiset has B because the algebraic degree of the S-box is d,
2 notes: but just using the integral property does not exploit this property. To exploit
useful properties between A and B, we redefine A and B by the same notation
28 and then introduce the division property by generalizing the redefinition.
Md Rasid Ali
Redefinition of A. Let X be a multiset whose elements take an n-bit value. We
first consider features of the multiset X satisfying A. If we choose one bit from
29-32 n bits and calculate the XOR of the chosen bit in the multiset, the calculated
4 notes:
value is always 0. Moreover, if we choose at most (n − 1) bits from n bits and
calculate the XOR of the AND of chosen bits in the multiset, the calculated
560 Y. Todo
value is also always 0. However, if we choose all bits from n bits and calculate
the XOR of the AND of n bits in the multiset, the calculated value is unknown1 .
These features are summarized as
0 w(u) < n,
πu (x) =
33-34 unknown w(u) = n,
2 notes:
x∈X
n
where πu is the bit product function defined as πu (x) := i=1 x[i]u[i] and w(u)
is the Hamming weight of u ∈ Fn2 . Assuming the multiset has A, the parity is
always even for any u satisfying w(u) < n. On the other hand, the parity is
unknown for u = 1n .
Redefinition of B. We next consider features of the multiset X satisfying B.
If we choose one bit from n bits and calculate the XOR of the chosen bit in the
multiset, the calculated value is always 0. However, if we choose at least two bits
from n bits and calculate the XOR of the AND of chosen bits in the multiset,
the calculated value becomes unknown. These features are summarized as
0 w(u) < 2,
πu (x) =
x∈X
unknown w(u) ≥ 2,
Assuming the multiset has B, the parity is always even for any u satisfying
w(u) < 2. On the other hand, the parity is unknown for any u satisfying w(u) ≥ 2.
u πu (x) πu (x) u πu (x) πu (x)
0000 10 0 1000 4 0
0001 6 0 1001 2 0
0010 6 0 1010 2 0
0011 4 0 1011 1 1
0100 4 0 1100 2 0
0101 2 0 1101 1 1
0110 2 0 1110 1 1
0111 0 0 1111 0 0
For all u satisfying wu < 3, x∈X πu (x) is 0. Therefore, the multiset has the
division property D34 .
Each definition of B and U is essentially the same as that of D2n and D1n ,
respectively. However, the definition of A is different from that of Dnn . The mul-
tiset satisfying A always has the division property Dnn but not vice versa. For
instance, the multiset satisfying the EVEN property, which is defined that the
number of occurrences is even for all values [28], does not always have A, but
it has Dnn . In this paper, we use only Dnn instead of A because it is sufficient to
use Dnn from the viewpoint of the construction of integral characteristics.
Set of u D Set of u
D
s
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
s(x) 8 C 0 B 9 D E 5 A 1 2 6 4 F 3 7
The S-box is bijective and the algebraic degree is 2. We now prepare the input
multiset X as
X := {0x0, 0x3, 0x3, 0x3, 0x5, 0x6, 0x8, 0xB, 0xD, 0xE},
which is the same as Example 1 and the division property is D34 . The output
multiset is calculated as
S(X) := {0x8, 0xB, 0xB, 0xB, 0xD, 0xE, 0xA, 0x6, 0xF, 0x3},
and a following table calculates the summation of πv (y).
v πv (y) πv (y) v πv (y) πv (y)
0000 10 0 1000 8 0
0001 6 0 1001 5 1
0010 8 0 1010 6 0
0011 5 1 1011 4 0
0100 4 0 1100 3 1
0101 2 0 1101 2 0
0110 3 1 1110 2 0
0111 1 1 1111 1 1
For all v satisfying wv < 2, y∈Y πv (y) becomes 0. Therefore, the multiset Y
has the division property D24 .
Figure 3 shows the outline of the propagation of the division property. Let
X and S(X) be input and output multisets, respectively. First, the size of the
set of uthat x∈X πu (x) is unknown is small. However, the size of the set of
u that x∈X πu (s(x)) is unknown expands. If the size expands to the universal
set except for 0n , we regard that the output multiset is indistinguishable from
the multiset of random texts.
Division Property: Efficient Method to Estimate Upper Bound 563
First, we define vectorial division property to accept an S-box layer, where mul-
tiple S-boxes are applied in parallel.
Only vectorizing the division property is still insufficient to represent the subset
of u that the parity is unknown. For simplicity, we consider a multiset X whose
elements take a value of (F82 )2 . Assume that the number of elements in X is 256,
and two elements of x take all values from 0 to 255 independently. Then, we
consider the set of u that the parity of πu (x) for all x ∈ X is unknown.
– The parity is unknown if W (u)
(8, 0).
– The parity is unknown if W (u)
(0, 8).
– The parity is unknown if W (u)
(1, 1).
– Otherwise, the parity is always even.
We can not express this feature by only using the vectorial division property.
Therefore, we collect several vectorial division properties.
564 Y. Todo
It is obvious that the collective division property with |K| = 1 is the same as
the vectorial division property.
If there are k ∈ K and k ∈ K satisfying k
k , k can be removed from K
because it is redundant. Assume that the multiset X has the division property
n1 ,n2 ,...,nm
DK ej in K, where ej is a vector whose
. If there is not an unit vector
jth element is 1 and the others are 0, x∈X xj is 0.
Copy. Let F be a copy function, where the input x takes a value of Fn2 and
the output is calculated as [y1 , y2 ] = [x, x]. Let X and S(X) be the input
multiset and the output multiset, respectively. Assuming that the multiset
X has the division property Dkn , the multiset S(X) has the division property
n,n
DK , where K is calculated as follows: First, K is initialized to an empty
K = K ∪ [k − i, i],
is calculated.
Compression by XOR. Let F be a function compressed by an XOR, where
the input [x1 , x2 ] takes a value of (Fn2 × Fn2 ) and the output is calculated as
y = x1 ⊕ x2 . Let X and S(X) be the input multiset and the output multiset,
n,n
respectively. Assuming that the multiset X has the division property DK ,
the division property of the multiset S(X) is Dk as n
k = min {k1 + k2 }.
[k1 ,k2 ]∈K
Assuming that the multiset X has the division property Dkn , the multiset S(X)
has the division property DK n1 ,n−n1
, where K is calculated as follows: First,
K is initialized to φ. Then, for all i (0 ≤ i ≤ k),
K = K ∪ [k − i, i],
k = min {k1 + k2 }.
[k1 ,k2 ]∈K
5 Follow-Up Works
and S7 used in MISTY1 and found the propagation for S7 can be improved.
Thanks to this improvement, we can find the 6-round integral characteristic on
MISTY1 and attack full MISTY1 by guessing round keys that are used in last
two rounds. At CRYPTO2016, Bar-On and Keller improved the key recovery
step of the integral cryptanalysis, and the security of full MISTY1 decreases to
about 70 bits [2].
was first introduced by Mouha et al. for evaluating the lower bound of the num-
ber of active S-boxes on word-oriented ciphers, [26]. However, several ciphers do
not have word-oriented structure. Therefore, Sun et al. then developed a method
to model all possible differential propagations bit by bit even for the S-box [29].
At ASIACRYPT2016, Xiang et al. first introduced the division trail. To analyze
r-round ciphers, the following propagation of the division property
K0 → K1 → · · · → Kr
is evaluated, where DKi−1 is the division property for the input of ith round
function. Then, for (k0 , k1 , . . . , kr ) ∈ (K0 × K1 × · · · × Kr ), if ki−1 can propagate
to ki for all i ∈ {1, 2, . . . , r}, (k0 , k1 , . . . , kr ) is called r-round division trail.
If there is a division trail that r-round output becomes unknown, the r-round
output is unknown. They developed a method to model the propagation rules for
the division property and showed that all division trails are effectively evaluated
using MILP. As a result, they get new integral characteristics on Simon family,
Simeck family, PRESENT, and RECTANGLE2 .
About 1.5 years has passed since the proposal of the division property, and many
applications are already reported. We summarize all results as far as we know
in Table 1.
Integral characteristics on generic structure for symmetric-key ciphers were
evaluated in [33], where ( , d, m)-SPN and ( , d, m)-AES are defined as follows.
Definition 4 (( , d, m)-SPN). The round function consists of an S-Layer and
P-Layer, where m -bit S-boxes are parallelly applied in the S-Layer, and their
outputs are diffused by the P-Layer. ( , d, m)-SPN is the set of ciphers that the
algebraic degree of S-boxes in the S-Layer is at most d and the P-Layer is any
linear function.
2
We also independently evaluated the propagation of the division property on
PRESENT in [35] and get the same integral characteristics. In that paper, we intro-
duced the compact representation for the division property to evaluate the propa-
gation efficiently.
568 Y. Todo
6 Conclusion
This paper explained the division property, which is recent technique to find
integral characteristics. The motivation why we introduced the division property
and its concept are explained. After the proposal of the division property at
EUROCRYPT 2015, many follow-up works including technical improvement and
wide applications have been proposed, and we summarized their follow-up works.
We who are the developer of the division property hope that many follow-up
works will be proposed in future.
References
1. Data Encryption Standard (DES). National Bureau of Standards (1977). Federal
Information Processing Standards Publication 46
2. Bar-On, A., Keller, N.: A 270 attack on the full MISTY1. In: Robshaw, M., Katz, J.
(eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 435–456. Springer, Heidelberg (2016).
doi:10.1007/978-3-662-53018-4 16
Division Property: Efficient Method to Estimate Upper Bound 569
3. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The
SIMON and SPECK families of lightweight block ciphers (2013). http://eprint.iacr.
org/2013/404
4. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant
MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp.
123–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5 5
5. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31
rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS,
vol. 1592, pp. 12–23. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X 2
6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In:
Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21.
Springer, Heidelberg (1991). doi:10.1007/3-540-38424-3 1
7. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B.
(ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg
(2001). doi:10.1007/3-540-44987-6 24
8. Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M.,
Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 654–682. Springer, Heidelberg
(2016). doi:10.1007/978-3-662-53018-4 24
9. Boura, C., Canteaut, A., Cannière, C.: Higher-order differential properties of
Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269.
Springer, Heidelberg (2011). doi:10.1007/978-3-642-21702-9 15
10. Cannière, C.D., Sato, H., Watanabe, D.: Hash function Luffa - a SHA-3 candi-
date (2008). http://hitachi.com/rd/yrl/crypto/luffa/round1archive/Luffa Specifi
cation.pdf
11. Canteaut, A., Videau, M.: Degree of composition of highly nonlinear functions
and applications to higher order differential cryptanalysis. In: Knudsen, L.R. (ed.)
EUROCRYPT 2002. LNCS, vol. 2332, pp. 518–533. Springer, Heidelberg (2002).
doi:10.1007/3-540-46035-7 34
12. Daemen, J., Bertoni, G., Peeters, M., Assche, G.V.: The Keccak reference version
3.0 (2011)
13. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.)
FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). doi:10.1007/
BFb0052343
14. Demirci, H.: Square-like attacks on reduced rounds of IDEA. In: Nyberg, K., Heys,
H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 147–159. Springer, Heidelberg (2003).
doi:10.1007/3-540-36492-7 11
15. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In:
Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg
(2008). doi:10.1007/978-3-540-71039-4 7
16. Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Groschdl, J., Biryukov, A.:
Design strategies for ARX with provable bounds: SPARX and LAX (full version)
(2016). http://eprint.iacr.org/2016/984, (Accepted to ASIACRYPT 2016)
17. Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: AES Can-
didate Conference, pp. 230–241 (2000)
18. He, Y., Qing, S.: Square attack on reduced camellia cipher. In: Qing, S., Okamoto,
T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 238–245. Springer, Heidelberg
(2001). doi:10.1007/3-540-45600-7 27
19. Journault, A., Standaert, F.X., Varici, K.: Improving the security and effi-
ciency of block ciphers based on LS-designs. Des. Codes Crypt. 82, 1–15 (2016).
http://dx.doi.org/10.1007/s10623-016-0193-8
570 Y. Todo
20. Knudsen, L.: DEAL - a 128-bit block cipher. Technical report no. 151. Department
of Informatics, University of Bergen, Norway, February 1998
21. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE
1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). doi:10.1007/
3-540-60590-8 16
22. Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V.
(eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). doi:10.
1007/3-540-45661-9 9
23. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E.,
Costello Jr., D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryp-
tography. The Springer International Series in Engineering and Computer Science,
vol. 276, pp. 227–233. Springer, Heidelberg (1994)
24. Li, Y., Wu, W., Zhang, L.: Improved integral attacks on reduced-round CLEFIA
block cipher. In: Jung, S., Yung, M. (eds.) WISA 2011. LNCS, vol. 7115, pp. 28–39.
Springer, Heidelberg (2012). doi:10.1007/978-3-642-27890-7 3
25. Lucks, S.: The saturation attack - a bait for twofish. In: Matsui, M. (ed.)
FSE 2001. LNCS, vol. 2355, pp. 1–15. Springer, Heidelberg (2002). doi:10.1007/
3-540-45473-X 1
26. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis
using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.)
Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). doi:10.
1007/978-3-642-34704-7 5
27. Sasaki, Y., Todo, Y.: New differential bounds and division property of lilliput:
block cipher with extended generalized Feistel network. In: SAC (2016, in press)
28. Shibayama, N., Kaneko, T.: A peculiar higher order differential of CLEFIA. In:
ISITA, pp. 526–530. IEEE (2012)
29. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security eval-
uation and (related-key) differential characteristic search: application to SIMON,
PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P.,
Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer,
Heidelberg (2014). doi:10.1007/978-3-662-45611-8 9
30. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight
block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC
2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). doi:10.1007/
978-3-642-35999-6 22
31. Tanaka, H., Hisamatsu, K., Kaneko, T.: Strength of ISTY1 without FL function
for higher order differential attack. In: Fossorier, M., Imai, H., Lin, S., Poli, A.
(eds.) AAECC 1999. LNCS, vol. 1719, pp. 221–230. Springer, Heidelberg (1999).
doi:10.1007/3-540-46796-3 22
32. Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M.
(eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015).
doi:10.1007/978-3-662-47989-6 20
33. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E.,
Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer,
Heidelberg (2015). doi:10.1007/978-3-662-46800-5 12
34. Todo, Y., Morii, M.: Bit-based division property and application to Simon family.
In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg
(2016). doi:10.1007/978-3-662-52993-5 18
35. Todo, Y., Morii, M.: Compact representation for division property. In: Foresti,
S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 19–35. Springer, Cham
(2016). doi:10.1007/978-3-319-48965-0 2
Division Property: Efficient Method to Estimate Upper Bound 571
36. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of
reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.)
INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer, Cham (2014). doi:10.
1007/978-3-319-13039-2 9
37. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G.
(eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011).
doi:10.1007/978-3-642-21554-4 19
38. Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching inte-
gral distinguishers based on division property for 6 lightweight block ciphers (2016).
https://eprint.iacr.org/2016/857, (Accepted to ASIACRYPT 2016)
39. Yeom, Y., Park, S., Kim, I.: On the security of CAMELLIA against the square
attack. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 89–99.
Springer, Heidelberg (2002). doi:10.1007/3-540-45661-9 7
40. Z’aba, M.R., Raddum, H., Henricksen, M., Dawson, E.: Bit-pattern based integral
attack. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 363–381. Springer,
Heidelberg (2008). doi:10.1007/978-3-540-71039-4 23
41. Zhang, H., Wu, W.: Structural evaluation for generalized feistel structures
and applications to LBlock and TWINE. In: Biryukov, A., Goyal, V. (eds.)
INDOCRYPT 2015. LNCS, vol. 9462, pp. 218–237. Springer, Cham (2015). doi:10.
1007/978-3-319-26617-6 12
42. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers prov-
ably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.)
CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). doi:10.
1007/0-387-34805-0 42
Annotations