Integral cryptanalysis, which is based on the existence of (higher-order) integral distinguishers, is a powerful cryptographic method that can be used to evaluate the security of modern block ciphers. In this paper, we focus on substitution-permutation network (SPN) ciphers and propose a criterion to characterize how an r-round integral distinguisher can be extended to an (r+1)-round higher-order Integral distinguisher. This criterion, which builds a link between integrals and higher-order integrals of SPN ciphers, is in fact based on the theory of direct decomposition of a linear space defined by the linear mapping of the cipher. It can be directly utilized to unify the procedure for finding 4-round higher-order integral distiunguishers of AES and ARIA and can be further extended to analyze higher-order integral distinguishers of various block cipher structures. We hope that the criterion presented in this paper will benefit the cryptanalysts and may thus lead to better cryptanalytic results.

• 出版日期2013-2
• 单位中国人民解放军国防科学技术大学