Extending Higher-order Integral: An Efficient
Unified Algorithm of Constructing Integral
Distinguishers for Block Ciphers
Wentao Zhang¹, Bozhan Su², Wenling Wu¹, Dengguo Feng², Chuankun Wu¹
¹ State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
² Institute of Software, Chinese Academy of Sciences
Outline
1. Introduction – Integral Cryptanalysis
2. Basic Ideas
3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
4. Experimental Results
5. Summary and Discussion
1. Introduction – Integral Cryptanalysis
Integral cryptanalysis was originally proposed by L.R. Knudsen and D. Wagner as a dedicated attack against the Square block cipher, so it was first known as the Square attack.
Afterwards, the original idea was extended and given different names, including saturation attack, collision attack, multiset attack and integral cryptanalysis.
Integral cryptanalysis is of particular significance for its applicability to AES:
- 6-round AES is resistant to differential and linear attacks.
- 6-round AES can be broken using integral cryptanalysis with only $6 \cdot 2^{32}$ chosen plaintexts and $2^{44}$ time.
Basic principles of integral cryptanalysis
Integral cryptanalysis is a chosen-plaintext attack; it considers the propagation of sums of many values after a certain number of encryption rounds.
Assume a block cipher has n data subblocks. When mounting an integral attack:
- First, the attacker typically chooses one or several specific subblocks; the chosen plaintexts take on all possible values in these subblocks and have constant values in the other subblocks.
- Then, the attacker tries to predict the properties of some subblock(s) after a certain number of encryption rounds. Customarily, the following 4 properties are considered:
(i) Constant: every datum in this subblock has the same constant value.
(ii) Active: the data can be divided into some disjoint subsets. For each subset, the data in this subblock are all different and have constant values in the other subblocks.
(iii) Balanced: the sum (usually the XOR sum) of all values in this subblock is zero.
(iv) Unknown: no information can be derived.
First-order integral and higher-order integral (L.R. Knudsen and D. Wagner, FSE 2002)
First-order integral: Consider a set of $2^m$ elements which differ only in one particular subblock, such that each of the $2^m$ possible values occurs exactly once. The sum over the elements of this set is called a first-order integral.
Higher-order integral: Consider next a set of $2^{dm}$ elements which differ in d subblocks, such that each of the $2^{dm}$ possible values for the d-tuple of values from these subblocks occurs exactly once. The sum of this set is called a d-th-order integral. A d-th-order integral is called a higher-order integral when d > 1.
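As an added example (not part of the slides or the authors' work), the two definitions above computed numerically on a constructed toy Feistel cipher: 4-bit subblocks, so a block length of 8 bits, the one-round Feistel Y0 = F_k(X0) ⊕ X1, Y1 = X0, and a round function built from a random bijective S-box with a per-round XOR key. The S-box, keys, constants and the seeds are all constructed here; the first-order set takes all $2^m$ values in one subblock, the second-order set takes all $2^{2m}$ values in both, which for this two-subblock toy is the whole codebook.

```python
import random

M = 4                     # subblock width in bits (constructed toy size)
L = 2 * M                 # block length: two subblocks
MASK = (1 << M) - 1

def make_round_functions(seed, rounds=8):
    """Constructed toy round function: a random 4-bit bijective S-box with a
    per-round XOR key, so every F_k is a permutation of the subblock."""
    rng = random.Random(seed)
    sbox = list(range(1 << M))
    rng.shuffle(sbox)
    keys = [rng.randrange(1 << M) for _ in range(rounds)]
    return lambda r, x: sbox[(x ^ keys[r]) & MASK]

def feistel(F, x0, x1, rounds):
    """One-round Feistel Y0 = F_k(X0) ^ X1, Y1 = X0, iterated for 'rounds' rounds."""
    for r in range(rounds):
        x0, x1 = F(r, x0) ^ x1, x0
    return x0, x1

def integral(F, rounds, inputs):
    """XOR sum of each output subblock over the given set of inputs."""
    s0 = s1 = 0
    for x0, x1 in inputs:
        y0, y1 = feistel(F, x0, x1, rounds)
        s0 ^= y0
        s1 ^= y1
    return s0, s1

def first_order_set(const=0b0101):
    """2^M elements differing only in subblock 1, each value exactly once."""
    return [(const, x) for x in range(1 << M)]

def second_order_set():
    """2^(2M) elements differing in both subblocks: here the whole codebook, 2^L."""
    return [(x0, x1) for x0 in range(1 << M) for x1 in range(1 << M)]

def balanced_subblocks(inputs, rounds, trials=32):
    """Subblocks whose integral is zero for every trial key, i.e. a property that
    holds independently of the key. (A constant subblock also XOR-sums to zero
    over an even number of elements, so zero sum alone does not separate the
    'constant' and 'balanced' properties.)"""
    survivors = {0, 1}
    for seed in range(trials):
        sums = integral(make_round_functions(seed), rounds, inputs)
        survivors = {i for i in survivors if sums[i] == 0}
    return survivors

if __name__ == "__main__":
    for r in range(1, 6):
        print(r, "first-order:", sorted(balanced_subblocks(first_order_set(), r)),
              "second-order:", sorted(balanced_subblocks(second_order_set(), r)))
```

For the first-order set, both subblocks still sum to zero after 3 rounds and subblock 1 (which is just subblock 0 of the previous round) still does after 4; the second-order set is the full $2^L$ codebook, so every subblock sums to zero after any number of rounds, which is exactly why a set of that size cannot serve as a distinguisher.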
Factors that affect the security of a block cipher against integral cryptanalysis
Main factors:
- the length of integral distinguishers
- specific input/output forms
- the strength of one-round encryption/decryption
- key schedule
Among them, the design of integral distinguishers is the most important.
Despite a long history of study of integral cryptanalysis on block ciphers, integral distinguishers have often been designed based on ad hoc approaches and the experience of cryptanalysts. There is no common method of designing integral distinguishers so far.
Our contribution:
We give an extension of the concept of higher-order integral. This new extension takes linear relations among different subblocks into account.
Based on the new extension, we present a unified algorithm for the design of higher-order integral distinguishers. Applying this algorithm, our experimental results show that better integral distinguishers can be derived for some block ciphers.
2. Basic Ideas
1). Expression of the state of data in subblock
2). Matrix Characterization of a block cipher (structure)
3). Inside-out approach
4). An extension of higher-order integral
(1) Expression of the state of data in a subblock:
Traditionally, 4 kinds: Active, Constant, Balanced, Unknown.
Ours:
- Any constant state is denoted by a single letter "C";
- A balanced state is denoted as a sum of some active states;
- Hence, the state in a subblock can be expressed either as "C" or as a sum of some active states and some unknown states.
(2) Matrix characterization of a block cipher (structure):
- Inspired by the work of J. Kim et al. [13, 14], but simpler.
- Assume a block cipher has n data subblocks; it can be characterized by $n \times n$ characteristic matrices.
- Each entry of the characteristic matrices has only one of the three values: 0, 1 or 2.
One-round Feistel: $Y_0 = F_k(X_0) \oplus X_1$, $Y_1 = X_0$.
Characteristic matrix:
$$\begin{pmatrix} Y_0 \\ Y_1 \end{pmatrix} = \begin{pmatrix} 2 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} X_0 \\ X_1 \end{pmatrix}$$
(3) Inside-out approach:
- Traditionally, integral distinguishers are designed from top to bottom: an attacker only tries to predict the behavior of a set of carefully chosen plaintexts after a certain number of encryption rounds.
- By contrast, we adopt the inside-out approach, trying to predict the behavior of a set of carefully chosen intermediate data, not only after a certain number of encryption rounds, but also after a certain number of decryption rounds.
- As a result, we make an extension of the concept of higher-order integral.
(4) An extension of higher-order integral
- In the original definition, a d-th-order integral is related to a set of $2^{dm}$ elements which differ only in d subblocks.
- However, there can be some linear relations among different subblocks.
- Taking these linear relations into account, we give an extension of higher-order integral: a d-th-order integral is also related to $2^{dm}$ elements, but they can differ in $d^*$ subblocks, where $d^* \ge d$.
- This new extension can lead to more effective integral distinguishers for some block ciphers (structures).
3. A Unified Algorithm of Constructing Integral Distinguishers for Block Ciphers
Expression of data
- State in a subblock: "C", or a sum of some active states and some unknown states.
- State in a block: with n data subblocks, $(\alpha_0, \alpha_1, \cdots, \alpha_{n-1})$, where $\alpha_i$ denotes the state in the i-th subblock, $0 \le i \le n-1$.
Expression of block ciphers (structures)
- Characteristic matrices: each entry has one of the 3 values 0, 1 or 2.
Rules for applying encryption/decryption characteristic matrices to a state in a block
- Rules for applying 0, 1, 2 to a state in a subblock
- Rules for applying characteristic matrices to a state in a block: like matrix multiplication
A case: symbolic computation and constraint solving
- For a given set of intermediate data, we can calculate the state in the block after one-round encryption/decryption.
- Theoretically, such a process can be iterated for an arbitrary number of rounds, either along the encryption direction or along the decryption direction.
- However, we must impose some restrictions to terminate the process in order to derive useful integral distinguishers.
Finishing conditions for the calculus
- Along the encryption direction: after some encryption rounds, considering each subblock and each possible linear combination of the subblocks, if every state includes some unknown information, then nothing can be derived from the corresponding data. The attacker should terminate the process.
- Along the decryption direction: after some decryption rounds, if the amount of the corresponding data equals (or exceeds) the maximum, i.e., $2^l$, where l is the block length, the attacker should terminate the process.
A unified algorithm
- Based on the above, we propose a unified algorithm of constructing integral distinguishers for block ciphers.
- See Algorithm 1 for details.
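An added example, not the authors' Algorithm 1 and not code from the paper: a Python sketch of the symbolic calculus the section describes, with the subblock-state encoding ("C", or a sum of active and unknown states), the 0/1/2 entry rules, the "matrix-multiplication-like" application of a characteristic matrix, and both finishing conditions, run on the one-round Feistel matrix from the Basic Ideas section. The slides only name the rules, so the following are assumptions made here: entry 0 contributes nothing, entry 1 copies the state, entry 2 passes the state through a bijective F (C stays C, a single active state becomes a fresh active state, anything else becomes a fresh unknown state), several entries 2 in one row are summed before F, the data amount in the decryption direction is counted as $2^{m \cdot d^*}$ with $d^*$ the number of non-constant plaintext subblocks, and the Feistel decryption matrix and the Gen-SMS4-style row at the end are written out here, not taken from the paper.

```python
from itertools import combinations

# Assumed encoding of a subblock state: a frozenset of symbol names whose XOR sum
# the subblock equals. C = empty set; an active state is one "a" symbol; a balanced
# state is a sum of several "a" symbols; any "u" symbol means unknown information.
# Because the sum is an XOR sum, a symbol added twice cancels (a0 + a0 = C), which is
# how linear relations among subblocks are tracked.
C = frozenset()

class SymbolGen:
    """Hands out fresh active ('a') and unknown ('u') symbols."""
    def __init__(self):
        self.count = {"a": 0, "u": 0}

    def fresh(self, kind):
        name = f"{kind}{self.count[kind]}"
        self.count[kind] += 1
        return frozenset({name})

def is_unknown(state):
    return any(s.startswith("u") for s in state)

def is_single_active(state):
    return len(state) == 1 and not is_unknown(state)

def add(*states):
    """XOR sum of subblock states: symmetric difference, so equal symbols cancel."""
    out = frozenset()
    for s in states:
        out = out ^ s
    return out

def through_F(state, gen):
    """Assumed rule for matrix entry 2 (a bijective nonlinear F):
    F(C) = C, F(one active) = fresh active, F(anything else) = fresh unknown."""
    if state == C:
        return C
    if is_single_active(state):
        return gen.fresh("a")
    return gen.fresh("u")

def apply_matrix(matrix, block, gen):
    """'Like matrix multiplication' (assumed semantics): per output row, entry 1
    XORs the subblock in directly, entries 2 are XORed together and then passed
    through F, entry 0 contributes nothing."""
    out = []
    for row in matrix:
        linear = add(*[block[j] for j, e in enumerate(row) if e == 1])
        f_in = add(*[block[j] for j, e in enumerate(row) if e == 2])
        out.append(add(linear, through_F(f_in, gen)))
    return out

def all_unknown(block):
    """Encryption-direction finishing condition: every subblock and every XOR
    combination of subblocks contains some unknown symbol."""
    n = len(block)
    return all(is_unknown(add(*[block[i] for i in idx]))
               for k in range(1, n + 1) for idx in combinations(range(n), k))

def encrypt_rounds(matrix, start, gen, max_rounds=64):
    """Iterate encryption from the chosen intermediate data; returns how many rounds
    still leave a usable property and the block state after those rounds."""
    block, rounds = list(start), 0
    while rounds < max_rounds:
        nxt = apply_matrix(matrix, block, gen)
        if all_unknown(nxt):
            break
        block, rounds = nxt, rounds + 1
    return rounds, block

def decrypt_rounds(matrix, start, gen, m, l, max_rounds=64):
    """Decryption-direction finishing condition, with the data amount taken
    (assumption) as 2^(m*d*), d* = number of non-constant plaintext subblocks."""
    block, rounds = list(start), 0
    while rounds < max_rounds:
        nxt = apply_matrix(matrix, block, gen)
        d_star = sum(1 for s in nxt if s != C)
        if m * d_star >= l:
            break
        block, rounds = nxt, rounds + 1
    return rounds, block

# Encryption matrix of the one-round Feistel from the slides and its inverse
# (X0 = Y1, X1 = Y0 + F(Y1)), the latter written here in the same 0/1/2 convention.
FEISTEL_ENC = [[2, 1], [1, 0]]
FEISTEL_DEC = [[0, 1], [1, 2]]

def feistel_distinguisher(m=32, l=64):
    """Inside-out search from the intermediate set (active, C) of a 2m-bit Feistel."""
    gen = SymbolGen()
    start = [gen.fresh("a"), C]
    enc_r, out_block = encrypt_rounds(FEISTEL_ENC, start, gen)
    dec_r, pt_block = decrypt_rounds(FEISTEL_DEC, start, gen, m, l)
    return {"enc_rounds": enc_r, "dec_rounds": dec_r, "total": enc_r + dec_r,
            "plaintext": pt_block, "output": out_block}

# Constructed Gen-SMS4-style row Y3 = X0 + F(X1 + X2 + X3) (an assumption, not the
# paper's matrices): with X1 = X2 the F input is constant, so the set differs in
# d* = 3 subblocks while its order is d = 2.
SMS4_LIKE_ENC = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [1, 2, 2, 2]]

def linear_relation_demo():
    gen = SymbolGen()
    a0, a1 = gen.fresh("a"), gen.fresh("a")
    return apply_matrix(SMS4_LIKE_ENC, [a0, a1, a1, C], gen)
```

Starting from the intermediate set (a0, C), the forward iteration stops after 3 useful rounds with subblock 1 in the balanced state a0 + a2, and the backward iteration allows 1 round before the plaintext would have both subblocks non-constant (amount $2^{64}$ for m = 32), giving a 4-round distinguisher on $2^{32}$ chosen plaintexts of the form (C, active). In the Gen-SMS4-style row, the classical treatment would see two active subblocks entering F and lose all information, whereas the symbolic sum cancels them and keeps the F input constant.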
4. Experimental Results
Gen-SMS4
Gen-Fourcell
Present
Gen-SMS4
- SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China; it uses a kind of generalized Feistel structure.
- Using Alg. 1, we derive 256 10-round integral distinguishers.
- Previous result: 8-round integral distinguisher, Liu, F., et al., ACISP 2007.
Gen-Fourcell
- Fourcell is a 128-bit block cipher proposed at ACISP 2009; it also uses a kind of generalized Feistel structure.
- Using Alg. 1, we derive 56 18-round integral distinguishers.
- Previous result: 18-round integral distinguisher, Li, R. et al., ACISP 2007.
Present
- Present is a 64-bit block cipher proposed at CHES 2007; it uses an SP network and is bit-oriented.
- Using Alg. 1, we derive many 5-round integral distinguishers.
- Previous result: 3-round integral distinguisher, M. Zaba et al., FSE 2008.
5. Conclusions and Outlook
Summary
- We give an extension of the concept of higher-order integral, which can lead to better higher-order integral distinguishers for some block ciphers (structures).
- We present a unified algorithm for searching for the best possible higher-order integral distinguishers for block ciphers:
  - inside-out method
  - matrix method
  - extended higher-order concept
  - carefully obtained finishing conditions in both the encryption and decryption directions
- We expect that the algorithm can be used as a support tool for efficiently evaluating the security of block ciphers against integral cryptanalysis.
Discussion
- General and specific: Algorithm 1 is applicable to many block ciphers. For a specific cipher, one can possibly derive better results by taking its specific features into account.
- Find a block cipher for which the application of Algorithm 1 leads to the best distinguisher among all types of distinguishers.
Thank you! Questions?