At SAC 2004, Junod and Vaudenay designed the FOX family based on the LaiMassey scheme. They noted that it was impossible to find any useful differential characteristic or linear trail after 8 rounds of FOX64 or FOX128. In this paper, we provide the lower bound of differentially active
S
boxes in consecutive rounds of the LaiMassey scheme that has SPS as its
F
function, and we propose the necessary conditions for the reachability of the lower bound. We demonstrate that similar results can be obtained with respect to the lower bound of linearly active
S
boxes by proving the duality in the LaiMassey scheme. Finally, we apply these results to FOX64 and FOX128 and prove that it is impossible to find any useful differential characteristics or linear trail after 6 rounds of FOX64. We provide a more precise security bound for FOX128.
1. Introduction
One of the most important parts of the block cipher is the high level, as it will directly affect the implementation performance and choice of round numbers. Among all of the high levels, the LaiMassey scheme is well known for its simplicity and security. This scheme was first proposed by Lai and Massey in 1991, and it was used in the design of IDEA
[1]
. Since its inception, the LaiMassey scheme has attracted considerable attention worldwide. In Asiacrypt ’99, Vaudenay added a simple function σ, which has the orthomorphic or αalmost orthomorphic property, to one branch of each round (
Fig. 1
)
[2]
. Junod and Vaudenay adopted this modified scheme and designed the FOX family (
Fig. 2
)
[3]
. In 2005, FOX was announced by MediaCrypt under the name of IDEA NXT.
The (extended) LaiMassey Scheme
The Outline of FOX
Various attack methods have been applied to FOX
[4

8]
. The bestknown attacks against block ciphers are the differential cryptanalysis
[9]
and the linear cryptanalysis
[10]
. Designers should evaluate the security of any new proposed ciphers against these two cryptanalyses because they are the most powerful approaches available for attacking many symmetric block ciphers. In
[11]
, Kanda et al. noted that the security of a cipher could be evaluated against these two cryptanalyses by upperbounding the maximum differential characteristic and linear trail probabilities. For most block ciphers, the only nonlinear part is the
S
boxes, and thus, the upper bounds of the maximum differential characteristic and linear trail probabilities are due to the lower bounds of the differentially and linearly active
S
boxes in some consecutive rounds.
For SPS structures, Rijmen et al. introduced the branch number
[12]
, which is the lower bound of differentially (or linearly) active
S
boxes. Because the basic framework of the round function in FOX is an SPS structure, Junod and Vaudenay proposed the lower bound of differential (or linear)
S
boxes in FOX via providing the lower bound of differentially (or linearly) active round functions
[3]
. However, according to our observations, the lower bound provided by
[3]
cannot be obtained when the round number is greater than 3, indicating that the lower bound provided by
[3]
could be improved.
This paper focuses on finding a tighter bound of active
S
boxes in some consecutive rounds of the LaiMassey scheme with an SPS
F
–function, and then, this result is used to improve the lower bound provided in
[3]
. Thus, we improve the results stated in
[3]
by Junod and Vaudenay, who mentioned that at least 8 rounds of FOX64 can provide resistance against traditional differential and linear cryptanalyses. However, the result obtained here indicates that 6 rounds are sufficient for FOX64.
This paper is organized as follows. Section 2 introduces some notations and definitions, Section 3 studies the lower bound of differentially active
S
boxes in the LaiMassey scheme with an SPS
F
function, and Section 4 provides the duality in the LaiMassey scheme and obtains the lower bound of its linearly active
S
boxes. In addition, we apply these results to FOX64 and FOX128 in Section 4. Finally, the conclusions of this study are provided in Section 5.
2. Preliminaries
This section presents some notations and definitions.

Throughout this paper, we will use the following symbols:

Å XOR operation;

+ addition over the real number space;

+Gthe addition operation over groupG;

Gthe inverse operation of +G;

Hw(x)the number of nonzero components in vectorx;

PTthe transpose of matrixP;

the parity of the bitwise XOR of vectorsαandb;

P1the inverse of matrixP.
Definition 1
[2]
Let (
G
, +
_{G}
) be a group, let
F
_{1}
,
F
_{2}
,…,
F_{r}
be
r
functions on
G
, and let
σ
be a permutation on
G
. We define an
r
round LaiMassey scheme as a permutation Λ
^{σ}
(
F
_{1}
,
F
_{2}
,…,
F_{r}
) on
G
^{2}
by
and
in which the last
σ
is omitted.
In the sequel, we assume the group is ({0,1}
^{n}
,⊕). For convenience, we denote
F
_{1}
,
F
_{2}
,…,
F_{r}
as
F
such that the round function can be written as
Definition 2
[13]
Let
f
:{0,1}
^{n}
→ {0,1}
^{m}
, and let
α
∈ {0,1}
^{n}
,
β
∈ {0,1}
^{m}
. Then,
and
are called the probabilities of the differential
α
→
β
for
f
and the linear approximation
α
→
β
for
f
respectively.
Definition 3
[2]
Let
f
:{0,1}
^{n}
→ {0,1}
^{n}
be a mapping. Then,
f
is called an orthomorphism if both
f
(
x
) and
g
(
x
) =
f
(
x
)⊕
x
are bijective.
Definition 4
[14]
An
S
box (resp.
F
) is called differentially active if its input difference is nonzero, and an
S
box (resp.
F
) is called linearly active if its output mask value is nonzero.
Note:
When an
S
box is bijective, an
S
box with a nonzero output difference is also a differentially active
S
box. Similarly, when an
F
box is bijective, it is linearly active if it has a nonzero input mask value.
Definition 5
Let
σ
(
x
) =
Mx
⊕
C
be an orthomorphism. Then, the LaiMassey scheme with
σ_{D}
(
x
)=(
M
^{1}
)
^{T} x
⊕
C
as its σ is called the dual scheme for the LaiMassey scheme with
σ
(
x
)=
Mx
⊕
C
as its σ.
Definition 6
[12]
For the diffusion layer P, the relationship between the input difference and output difference is represented by matrix
P
, i.e., Δ
y
=
P
Δ
x
. Furthermore, the relationship between the output and input mask values is represented by
P^{T}
; thus, Г
x
=
P^{T}
Г
y
. In addition, the values
are called the differential branch number and linear branch number, respectively.
3. Lower Bound of Differentially Active Sboxes in the LaiMassey Scheme with an SPS Ffunction
First, we will study the relationship between the differential of the round function and the differentials of the
F
function and σ permutation.
Theorem 1
The probability of the differential (
α,β
)→(
A,B
) of the round function
Q
is nonzero iff the differentials for
F
and
σ
are
α
⊕
β
→
β
⊕
B
and
α
⊕
β
⊕
B
→
A
, respectively, and the probabilities of these two differentials are both nonzero. Moreover,
In particular, if
σ
(
x
)=
δ
(
x
)⊕
σ
(0) is affine, then the output difference of
F
is
β
⊕
B
=
α
⊕
δ
^{1}
(
A
).
Proof
See Appendix A.
For the SPS structure, according to
[13]
, the lower bound of the active
S
boxes is listed in lemma 1.
Lemma 1
[13]
In the SPS structure, let
S
be bijective and let the differential branch and linear branch of
P
be
B_{d}
and
B_{l}
, respectively. The number of differentially active
S
boxes is at least
B_{d}
if the input difference is nonzero, and the number of linearly active
S
boxes is at least
B_{l}
if the output mask is nonzero.
For the LaiMassey scheme, the lower bound of the active
F
functions is given in lemma 2 below.
Lemma 2
Let
σ
be an orthomorphism. Then, a consecutive 2round differential characteristic for the LaiMassey scheme with nonzero probability contains at least one active
F
function.
Proof
Let (
α,β
)→(
A,B
)→(
u,v
) be a consecutive 2round differential characteristic for the LaiMassey scheme. Lemma 1 indicates that the differentials for
F
and
σ
in the first round are
α
⊕
β
→
β
⊕
B
and
α
⊕
β
⊕
B
→
A
, respectively, and the differentials for
F
and
σ
in the second round are
A
⊕
B
→
B
⊕
v
and
A
⊕
B
⊕
v
→
u
, respectively.
If the
F
function is not active in the first round, then
α = β
and
α = β = B
; if
F
is not active in the second round, then
A = B
and
A = B = v
. Therefore, the differential for
F
in the first round’s function is
A → A
. Because (
A,B
) ≠ (0,0) and
A = B
,
A
≠ 0 ,
p_{σ}
(
A→A
) = 0 if
σ
is an orthomorphism according to lemma 1. Moreover, theorem 1 indicates that
p_{Q}
((
α,β
)→(
A,B
)) = 0, which contradicts the fact that the probability is nonzero. Therefore, a consecutive tworound differential characteristic with nonzero probability contains at least one active
F
function.
Q.E.D
For the LaiMassey scheme with an SPS
F
function, the corollary below follows from lemmas 1 and 2 because there are at least
B_{d}
differentially (
B_{l}
linearly) active
S
boxes in one active
F
function.
Corollary
For the LaiMassey scheme with an SPS
F
function, let the differential and linear branches of
P
be
B_{d}
and
B_{l}
, respectively. Then, there are at least
nB_{d}
differential (
nB_{l}
linear) active
S
boxes in 2
n
consecutive rounds.
Remarks:
Let
B_{d}
and
B_{l}
be odd. Then, for the nontrivial differential (linear approximation)
α→α
of an SPS structure, there are at least
B_{d}
+1 (
B_{l}
+1)
S
boxes that will be active after a
P
permutation. Based on this fact, we make some improvement on the corollary of lemma 2. First, we consider the number of active
S
boxes in 3 consecutive rounds, where
B_{d}
≥ 3 and
B_{l}
≥ 3.
Theorem 2
For the LaiMassey scheme with an SPS
F
function, let
B_{d}
be odd and let
σ
(
x
)=
δ
(
x
)⊕
σ
(0) be an affine orthomorphsim. Then, there are at least
B_{d}
+1 active
S
boxes in a 3round differential characteristic iff the structure is
and the corresponding differentials for
F
are 0→0,
δ
(
α
)⊕
α
→
δ
(
α
)⊕
α
, and 0→0, respectively. Here,
Hw
(
δ
(
α
)⊕
α
) = (
B_{d}
+1)/2.
Proof
If there are at least two active
F
functions in the 3round differential characteristic, this chain contains at least 2
B_{d}
active
S
boxes according to lemma 2. If there is only one active
F
function in the 3round differential characteristic, the structure of this differential characteristic is
and the corresponding differentials for
F
are 0→0,
δ
(
α
)⊕
α
→
δ
(
α
)⊕
α
, and 0→0, respectively, where
α
≠ 0, according to theorem 1. Because
B_{d}
is odd, the differential
δ
(
α
)⊕
α
→
δ
(
α
)⊕
α
for the SPS structure contains at least
B_{d}
+1 active
S
boxes, where
Hw
(
δ
(
α
)⊕
α
) = (
B_{d}
+1)/2.
Q.E.D.
In the sequel,
AS
^{(a→b)}
denotes the number of active
S
boxes in the differential characteristic from the
a
th to
b
th round, and
AS
^{(a)}
denotes the number of active
S
boxes in the
a
th round.
Theorem 3
For the LaiMassey scheme with an SPS
F
function, let
B_{d}
≥ 3 be odd and let
σ
(
x
)=
δ
(
x
)⊕
σ
(0) be an affine orthomorphsim.
(1) There are at least
active
S
boxes in an
r
round differential characteristic, where
(2) If the number of active
S
boxes is
in the
r
round differential characteristic, then the
F
functions in the first and last rounds are nonactive.
Proof
According to theorem 2, this theorem is true for
r
= 3 . Next, we use induction to prove this theorem.
Suppose that (1) and (2) are true for
r
≤ 2
m
+1. For
r
= 2
m
+2, the number of active
S
boxes in the first round is at least
B_{d}
if the
F
function in the first round is active. By inductive supposition we have that
AS
^{(2→2m+2)}
≥
m
(
B_{d}
+1). Hence,
A similar proof can be provided for the case in which the
F
function in the last round is active, i.e., that
AS
^{(1→2m+2)}
˃ (
m
1)(
B_{d}
+1)+2
B_{d}
. Therefore, (2) is true for
r
= 2
m
+2 .
We now consider the case that the
F
function is active in neither the first nor last round. Two cases are stated below based on whether the
F
function in the
m
+2 th round is active or not.
Case 1:
Suppose that
F
is not active in the
m
+2 th round; then, we have
Therefore,
AS
^{(1→2m+2)}
=
AS
^{(1→m+2)}
+
AS
^{(m+3→2m+2)}
=
AS
^{(1→m+2)}
+
AS
^{(m+2→2m+2)}
.
If
m
is odd,
AS
^{(m+2→2m+2)}
= [(
m
+1)/2–2])(
B_{d}
+1)+2
B_{d}
and
AS
^{(1→m+2)}
≥(
m
+1)(
B_{d}
+1)/2 by inductive supposition; therefore,
If
m
is even,
AS
^{(1→m+2)}
≥(
m
/2–1)(
B_{d}
+1)+2
B_{d}
and
AS
^{(m+2→2m+2)}
≥(
m
/2)(
B_{d}
+1) by the supposition; therefore
This result indicates that (1) is true for
r
= 2
m
+2 when the
F
function in the
m
+2 th round is nonactive.
Case 2:
Suppose that the
F
function in the
m
+2 th round is active. Then, we can demonstrate that
AS
^{(2m+2)}
=
AS
^{(1→m+1)}
+
AS
^{(m+2)}
+
AS
^{(m+3→2m+2)}
.
If
m
is odd, then by the inductive supposition,
If
AS
^{(1→m+1)}
= [(
m
+1) / 2–2](
B_{d}
+1)+2
B_{d}
and
AS
^{(m+3→2m+2)}
= (
m
1)(
B_{d}
+1)/2, then
AS
^{(m+1)}
=
AS
^{(m+3)}
= 0 by (2) in the supposition. Moreover, considering the implications of theorem 2, we have
AS
^{(m+2)}
=
AS
^{(m+1→m+3)}
≥
B_{d}
+1 ; thus,
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+1)}
cannot reach the minimum number simultaneously, then
Because the
F
function in the
m
+ 2 th round is active, we have
AS
^{(m+2)}
≥
B_{d}
. Hence,
Thus, (1) is true for
r
= 2
m
+ 2 when
m
is odd.
If
m
is even, then by the inductive supposition,
If
AS
^{(1→m+1)}
= (
m
/2)(
B_{d}
+1) and
AS
^{(m+3→2m+2)}
= (
m
/2–2)(
B_{d}
+1)+2
B_{d}
, then
AS
^{(m+1)}
=
AS
^{(m+3)}
= 0 by (2) in the supposition. Moreover,
AS
^{(m+2)}
=
AS
^{(m+1→m+3)}
≥
B_{d}
+1 according to theorem 2. Hence,
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+1)}
cannot reach the minimum number simultaneously, then
Because the
F
function in the
m
+ 2 th round is active, we have
AS
^{(m+2)}
≥
B_{d}
Hence,
Thus, (1) is true for
r
= 2
m
+ 2 when
m
is even. Therefore, (1) is true for
r
= 2
m
+ 2 if the
F
function in the
m
+ 2 th round is active.
Cases 1 and 2 demonstrate that (1) is true for
r
= 2
m
+ 2 if it is true for
r
≤ 2
m
+ 1.
Next, suppose that (1) and (2) are true for
r
≤ 2
m
. For
r
= 2
m
+ 1,
AS
^{(1)}
≥
B_{d}
if the
F
function in the first round is active, and
AS
^{(2→2m+1)}
≥ (
m
2)(
B_{d}
+1)+2
B_{d}
according to (2) in the inductive supposition. As a result,
Similarly,
AS
^{(1→2m+1)}
˃
m
(
B_{d}
+1) if the
F
function in the last round is active. Therefore, (2) is true for
r
= 2
m
+ 1.
Next, we consider the case in which neither the
F
function in the first round nor the
F
function in the last round is active. Two cases are listed below according to whether the
F
function in the
m
+ 2 th round is active or not.
Case 1:
Suppose that
F
in the
m
+ 2 th round is not active. Then, we have
therefore,
AS
^{(1→2m+1)}
=
AS
^{(1→m+2)}
+
AS
^{(m+2→2m+1)}
.
If
m
is odd, then
AS
^{(m+2→2m+1)}
≥ (
m
1)(
B_{d}
+1)/2 and
AS
^{(1→m+2)}
≥ (
m
+1)(
B_{d}
+1)/2 by inductive supposition. Therefore,
If
m
is even, then, by the supposition, we have
Thus,
Moreover, as (
m
2)(
B_{d}
+1)+4
B_{d}
≥
m
(
B_{d}
+1) is equivalent to
B_{d}
≥3, then
AS
^{(1→2m+1)}
≥ (
m
3)(
B_{d}
+1)+4
B_{d}
≥
m
(
B_{d}
+1), which indicates that (1) is true for
r
= 2
m
+ 1
Case 2:
If the
F
function in the
m
+2 th round is active, then
AS
^{(2m+1)}
=
AS
^{(1→m+1)}
+
AS
^{(m+2)}
+
AS
^{(m+3→2m+1)}
.
If
m
is odd, by inductive supposition,
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+1)}
make the equality true simultaneously, then
AS
^{(m+1)}
=
AS
^{(m+3)}
= 0 by (2) in the inductive supposition. Moreover,
AS
^{(m+2)}
=
AS
^{(m+1→m+3)}
≥
B_{d}
+1 according to theorem 2. Hence,
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+1)}
cannot make the equality true simultaneously, then
AS
^{(m+2)}
≥
B_{d}
because the
F
function in
m
+2 th round is active; therefore,
This result indicates that when
m
is odd, (1) is true for
r
= 2
m
+1.
If
m
is even, by inductive supposition, we have
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+1)}
make the equality true simultaneously, we obtain
AS
^{(m+1)}
=
AS
^{(m+3)}
= 0 by (2) in the supposition, and thus,
AS
^{(m+2)}
=
AS
^{(m+1→m+3)}
≥
B_{d}
+1 according to theorem 2. Hence,
If
AS
^{(1→m+1)}
and
AS
^{(m+3→2m+2)}
do not make the desired equality true simultaneously, then
Because
F
in the
m
+2 th round is active, we have
AS
^{(m+2)}
≥
B_{d}
and
This result demonstrates that (1) is true for
r
= 2
m
+1 when m is even. Therefore, (1) is true for
r
= 2
m
+1 if
F
in round
m
+2 is active.
Cases 1 and 2 demonstrate that (1) and (2) are true for
r
= 2
m
+1 if (1) and (2) are true for
r
≤ 2
m
.
Therefore, inductive supposition indicates that this theorem is true for
r
≥ 3.
Q.E.D.
We can obtain corresponding results for the 5round differential characteristic in the LaiMassey scheme with an SPS
F
function according to theorem 3.
Corollary
For the LaiMassey scheme with an SPS
F
function, let
B_{d}
≥ 3 be odd and let
σ
(
x
) =
δ
(
x
)⊕
σ
(0) be an affine orthomorphsim. Then, there are at least 2
B_{d}
+2 active
S
boxes in a 5round differential characteristic, and the lower bound is reached iff the structure of the 5round differential characteristic is
for some
α
≠ 0 with
Hw
(
δ
(
α
)⊕
α
) =
Hw
(
δ
^{2}
(
α
)⊕
δ
(
α
)) = (
B_{d}
+1)/2. The corresponding differentials for
F
are 0→0,
δ
(
α
)⊕
α
→
δ
(
α
)⊕
α
, 0→0,
δ
^{2}
(
α
)⊕
δ
(
α
) →
δ
^{2}
(
α
)⊕
δ
(
α
), and 0→0, respectively.
Theorem 4
For the LaiMassey scheme with an SPS
F
function, let
B_{d}
≥ 3 be odd and let
σ
(
x
)=
δ
(
x
)⊕
σ
(0) be an affine orthomorphism.
is the lower bound in the corollary of lemma 2.
is defined as in theorem 3, then we have
Proof
according to lemma 2; thus, according to theorem 3, we have
Q.E.D.
Theorem 3 provides the lower bound of the differentially active
S
boxes in the LaiMassey scheme with an SPS
F
function, which is larger than the results obtained by the multiplication of the differential branch number and the number of active
F
functions. Moreover, theorem 4 demonstrates that the increment has no relationship with
B_{d}
, where
B_{d}
is odd.
4. Lower Bound of Linearly Active Sboxes in the LaiMassey Scheme with an SPS Ffunction
Next, we focus on the lower bound of linearly active
S
boxes in the LaiMassey scheme with an SPS
F
function. Based on the duality of the structure between the differential characteristic and linear trail, the lower bound of the linearly active
S
boxes in the LaiMassey scheme under consideration can be easily obtained.
Theorem 5
Let
σ
(
x
) =
Mx
⊕
C
be affine, then the linear approximation (
α,β
)→(
A,B
) for the round function
Q
has nonzero coefficient
ρ
iff
α
⊕
β
⊕
B
⊕
M^{T} A
= 0. Besides, the linear approximation for
F
is
β
⊕
B
→
α
⊕
β
, and the coefficient is
ρ
×(–1)
^{A·C}
.
Proof
See Appendix B.
Theorem 6
(The dual theorem between the differential characteristic and linear trail in the LaiMassey scheme.)
Let
σ
be an affine orthomorphism. Then, the
n
round differential characteristic (
a
_{0,1}
,
a
_{0,2}
)→(
a
_{1,1}
,
a
_{1,2}
)→…→(
a
_{n,1}
,
a
_{n,2}
) has nonzero probability, and the corresponding differentials of
F
are
a
_{0,1}
⊕
a
_{0,2}
→
c
_{o}
,
a
_{1,1}
⊕
a
_{1,2}
→
c
_{1}
,...,
a
_{n1,1}
⊕
a
_{n1,2}
→
c
_{n1}
iff (
a
_{0,1}
,
a
_{0,2}
)→(
a
_{1,1}
,
a
_{1,2}
)→…→(
a
_{n,1}
,
a
_{n,2}
) is an
n
round linear trail of its dual LaiMassey scheme with a nonzero correlation coefficient and the corresponding linear approximations of the
F
function are
c
_{o}
→
a
_{0,1}
⊕
a
_{0,2}
,
c
_{1}
→
a
_{1,1}
⊕
a
_{1,2}
,...,
c
_{n1}
→
a
_{n1,1}
⊕
a
_{n1,2}
.
Proof
See Appendix C.
Based on the duality, similar results can be obtained with respect to linearly active
S
boxes, which are stated in the following theorems 7 and 8.
Theorem 7
For the LaiMassey scheme with an SPS
F
function, let
B_{l}
≥ 3 be odd and let
σ
(
x
) =
Mx
⊕
C
be an affine orthomorphsim. Then, the following statements are true:
(1) There are at least
active
S
boxes in an
r
round linear trail, where
(2) If the number of active
S
boxes is
in the
r
round linear trail, then
F
is active neither in the first nor last round.
Theorem 8
For the LaiMassey scheme with an SPS
F
function, let
B_{l}
≥ 3 be odd and let
σ
(
x
) =
Mx
⊕
C
be an affine orthomorphsim, where
r
≥ 3.
is the lower bound in the corollary of lemma 2 and
is as defined as in theorem 7, then
For FOX64,
B_{d}
=
B_{l}
=5 ; for FOX128,
B_{d}
=
B_{l}
=9. By combining theorems 4 and 8, we can obtain the lower bound of differentially active
S
boxes ranging from 3 rounds of FOX64 to 12 rounds of FOX64. Similarly, we can obtain the lower bound of linearly active
S
boxes ranging from 3 rounds of FOX128 to 12 rounds of FOX128.
Table 1
compares the results of this study with those presented in
[3]
.
The number of activeSboxes in FOX64 and FOX128
The number of active Sboxes in FOX64 and FOX128
The above table illustrates that the results obtained here are superior to the results in
[3]
.
Theorem 9
It is impossible to find any useful differential of the linear characteristic after 6 rounds of FOX64.
Proof
From
[3]
,
We can conclude that this theorem is correct from
Table 1
.
Q.E.D.
Junod and Vaudenay proved that it is impossible to find any useful differential characteristic or linear trail after 8 rounds of either FOX64 or FOX128
[3]
. This paper demonstrates that a smaller number of rounds of FOX64 can resist a differential and linear attack. For FOX128, although we do not decrease the number of rounds from 8, we obtain a more precise bound on the lower bound of the active
S
boxes, illustrating that FOX128 is safer than previously thought.
5 Conclusions
This paper focuses on the lower bounds of differentially and linearly active
S
boxes in a set number of consecutive rounds of the LaiMassey scheme with an SPS
F
function. First, we provide the lower bound of the differentially active
S
boxes, and similar results are obtained for linearly active
S
boxes based on the duality in the LaiMassey scheme. Finally, we apply our results to FOX and provide a tighter bound on the lower bound of active
S
boxes. This paper demonstrates that it is impossible to find any useful differential characteristic or linear trail after 6 rounds of FOX64, rather than the 8 rounds used by Junod and Vaudenay at SAC 2004. In addition, the corollaries in this paper have practical uses because the
P
permutations that we use in block ciphers typically have the maximum branch number, and the dimension of
P
is even, which means that the differential branch number and linear branch number of
P
are odd.
BIO
Lishi Fu was born in 1989. She is currently pursuing for the Ph.D degree in the Information Science and Technology Institute. Her current research interest is the analysis of block cipher. Email: fulishi123@sohu.com
Chenhui Jin was born in 1965. Currently, he is a professor in the Information Science and Technology Institute. His current research interests are cryptography and information security. Email: jinchenhui @126.com
Lai X.
,
Massey J.
1990
“A proposal for a new block encryption standard,”
Advances in CryptologyEUROCRYPT'90, LNCS
473
389 
404
Vaudenay S.
1999
“On the LaiMassey scheme,”
Advances in Cryptology ASIACRYPT' 99, LNCS
1716
8 
19
Junod P.
,
Vaudenay S.
2004
“FOX: a new family of block ciphers,”
SAC 2004, LNCS
SpringerVerlag
2595
131 
146
Wu Wenling
,
Zhang Wentao
,
Feng Dengguo
2006
“Integral Cryptanalysis of Reduced FOX Block Cipher,”
Information Security and Cryptology  ICISC 2005, LNCS
3935
229 
241
Wu Zhongming
,
Lai Xuejia
,
Zhu Bo
,
Luo Yiyuan
“Impossible differential cryptanalysis of FOX,” Cryptology ePrint /2009/357.
http://eprint.iacr.org/
Wei Yuechuan
,
Sun Bing
,
Li. Chao
2010
“Impossible differential attacks on FOX,”
Journal on Communications
http://wenku.baidu.com/link?url=FizBvRdaVTvrwY7qKYgUvyjAMD0ZLHOQdTOhylmSTCgkSgad7xQXVTSiL_kffes0HBRCu8C3kTHQd9fk_QjJV3mg3kiJOcDto9HZ4bIAusO
9
24 
29
Wu Wenling
,
Wei Hongru
2005
“Collisionintegral attack of reducedround FOX,”
Journal of Electronics & Information Technology
http://wenku.baidu.com/link?url=dpxdjBQPKYOHIGmBBEhqoMp__aD_RJj3__OF9TD1vKhoBtXVzYvoih57uRqcPx9s03YhSkermtAeEa26lgALGfcaz5rfkARDmvwaaGuIp7
7
1307 
1310
Li Ruilin
,
You Jianxiong
,
Sun Bing
2013
“Fault analysis study of the block cipher FOX64,”
Multimedia Tools and Applications
63
(3)
691 
708
DOI : 10.1007/s110420110895x
Biham E.
,
Shamir. A.
1991
“Differential cryptanalysis of DESlike cryptosystems”.
Journal of Cryptology
14
(1)
3 
72
DOI : 10.1007/BF00630563
Matsui M.
1993
“Linear cryptanalysis method for DES cipher,”
In Advances in Cryptology EurocryptLNCS
3788
386 
397
Kanda M.
,
Takashima Y.
,
Matsumoto T.
,
Aoki K.
,
Ohta K.
1999
“A Strategy for Constructing Fast Round Functions with Practical Security against Differential and Linear Cryptanalysis,”
Selected Areas in Cryptography, LNCS
1556
264 
279
Rijmen V.
,
Daemon J.
,
Preneel B.
,
Bosselaers A.
,
Win E. D.
1996
“The cipher SHARK,”
Fast Software Encryption — Third International Workshop, LNCS
1039
99 
111
Jin Chenhui
,
Zheng Haoran
,
Zhang Shaowu
2009
Cryptology.
Higher Education Press
Hong S.
,
Lee S.
,
Lim J.
,
Sung J.
,
Cheon D.
,
Cho I.
2001
“Provable security against differential and linear cryptanalysis for the SPN structure”[C].
FSE 2000. LNCS
1978
273 
283