Advanced
Practical Security Evaluation against Differential and Linear Cryptanalyses for the Lai-Massey Scheme with an SPS F-function
Practical Security Evaluation against Differential and Linear Cryptanalyses for the Lai-Massey Scheme with an SPS F-function
KSII Transactions on Internet and Information Systems (TIIS). 2014. Oct, 8(10): 3624-3637
Copyright © 2014, Korean Society For Internet Information
  • Received : October 29, 2012
  • Accepted : July 21, 2014
  • Published : October 28, 2014
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Lishi Fu
Information Science and Technology Institute Zhengzhou, 450001, China
Chenhui Jin
Information Science and Technology Institute Zhengzhou, 450001, China

Abstract
At SAC 2004, Junod and Vaudenay designed the FOX family based on the Lai-Massey scheme. They noted that it was impossible to find any useful differential characteristic or linear trail after 8 rounds of FOX64 or FOX128. In this paper, we provide the lower bound of differentially active S -boxes in consecutive rounds of the Lai-Massey scheme that has SPS as its F -function, and we propose the necessary conditions for the reachability of the lower bound. We demonstrate that similar results can be obtained with respect to the lower bound of linearly active S -boxes by proving the duality in the Lai-Massey scheme. Finally, we apply these results to FOX64 and FOX128 and prove that it is impossible to find any useful differential characteristics or linear trail after 6 rounds of FOX64. We provide a more precise security bound for FOX128.
Keywords
1. Introduction
One of the most important parts of the block cipher is the high level, as it will directly affect the implementation performance and choice of round numbers. Among all of the high levels, the Lai-Massey scheme is well known for its simplicity and security. This scheme was first proposed by Lai and Massey in 1991, and it was used in the design of IDEA [1] . Since its inception, the Lai-Massey scheme has attracted considerable attention worldwide. In Asiacrypt ’99, Vaudenay added a simple function σ, which has the orthomorphic or α-almost orthomorphic property, to one branch of each round ( Fig. 1 ) [2] . Junod and Vaudenay adopted this modified scheme and designed the FOX family ( Fig. 2 ) [3] . In 2005, FOX was announced by MediaCrypt under the name of IDEA NXT.
PPT Slide
Lager Image
The (extended) Lai-Massey Scheme
PPT Slide
Lager Image
The Outline of FOX
Various attack methods have been applied to FOX [4 - 8] . The best-known attacks against block ciphers are the differential cryptanalysis [9] and the linear cryptanalysis [10] . Designers should evaluate the security of any new proposed ciphers against these two cryptanalyses because they are the most powerful approaches available for attacking many symmetric block ciphers. In [11] , Kanda et al. noted that the security of a cipher could be evaluated against these two cryptanalyses by upper-bounding the maximum differential characteristic and linear trail probabilities. For most block ciphers, the only nonlinear part is the S -boxes, and thus, the upper bounds of the maximum differential characteristic and linear trail probabilities are due to the lower bounds of the differentially and linearly active S -boxes in some consecutive rounds.
For SPS structures, Rijmen et al. introduced the branch number [12] , which is the lower bound of differentially (or linearly) active S -boxes. Because the basic framework of the round function in FOX is an SPS structure, Junod and Vaudenay proposed the lower bound of differential (or linear) S -boxes in FOX via providing the lower bound of differentially (or linearly) active round functions [3] . However, according to our observations, the lower bound provided by [3] cannot be obtained when the round number is greater than 3, indicating that the lower bound provided by [3] could be improved.
This paper focuses on finding a tighter bound of active S -boxes in some consecutive rounds of the Lai-Massey scheme with an SPS F –function, and then, this result is used to improve the lower bound provided in [3] . Thus, we improve the results stated in [3] by Junod and Vaudenay, who mentioned that at least 8 rounds of FOX64 can provide resistance against traditional differential and linear cryptanalyses. However, the result obtained here indicates that 6 rounds are sufficient for FOX64.
This paper is organized as follows. Section 2 introduces some notations and definitions, Section 3 studies the lower bound of differentially active S -boxes in the Lai-Massey scheme with an SPS F -function, and Section 4 provides the duality in the Lai-Massey scheme and obtains the lower bound of its linearly active S -boxes. In addition, we apply these results to FOX64 and FOX128 in Section 4. Finally, the conclusions of this study are provided in Section 5.
2. Preliminaries
This section presents some notations and definitions.
  • Throughout this paper, we will use the following symbols:
  • Å XOR operation;
  • + addition over the real number space;
  • +Gthe addition operation over groupG;
  • -Gthe inverse operation of +G;
  • Hw(x)the number of nonzero components in vectorx;
  • PTthe transpose of matrixP;
  • the parity of the bitwise XOR of vectorsαandb;
  • P-1the inverse of matrixP.
Definition 1 [2] Let ( G , + G ) be a group, let F 1 , F 2 ,…, Fr be r functions on G , and let σ be a permutation on G . We define an r -round Lai-Massey scheme as a permutation Λ σ ( F 1 , F 2 ,…, Fr ) on G 2 by
PPT Slide
Lager Image
and
PPT Slide
Lager Image
in which the last σ is omitted.
In the sequel, we assume the group is ({0,1} n ,⊕). For convenience, we denote F 1 , F 2 ,…, Fr as F such that the round function can be written as
PPT Slide
Lager Image
Definition 2 [13] Let f :{0,1} n → {0,1} m , and let α ∈ {0,1} n , β ∈ {0,1} m . Then,
PPT Slide
Lager Image
and
PPT Slide
Lager Image
are called the probabilities of the differential α β for f and the linear approximation α β for f respectively.
Definition 3 [2] Let f :{0,1} n → {0,1} n be a mapping. Then, f is called an orthomorphism if both f ( x ) and g ( x ) = f ( x )⊕ x are bijective.
Definition 4 [14] An S -box (resp. F ) is called differentially active if its input difference is nonzero, and an S -box (resp. F ) is called linearly active if its output mask value is nonzero.
Note: When an S -box is bijective, an S -box with a non-zero output difference is also a differentially active S -box. Similarly, when an F -box is bijective, it is linearly active if it has a non-zero input mask value.
Definition 5 Let σ ( x ) = Mx C be an orthomorphism. Then, the Lai-Massey scheme with σD ( x )=( M -1 ) T x C as its σ is called the dual scheme for the Lai-Massey scheme with σ ( x )= Mx C as its σ.
Definition 6 [12] For the diffusion layer P, the relationship between the input difference and output difference is represented by matrix P , i.e., Δ y = P Δ x . Furthermore, the relationship between the output and input mask values is represented by PT ; thus, Г x = PT Г y . In addition, the values
PPT Slide
Lager Image
are called the differential branch number and linear branch number, respectively.
3. Lower Bound of Differentially Active S-boxes in the Lai-Massey Scheme with an SPS F-function
First, we will study the relationship between the differential of the round function and the differentials of the F -function and σ permutation.
Theorem 1 The probability of the differential ( α,β )→( A,B ) of the round function Q is nonzero iff the differentials for F and σ are α β β B and α β B A , respectively, and the probabilities of these two differentials are both nonzero. Moreover,
PPT Slide
Lager Image
In particular, if σ ( x )= δ ( x )⊕ σ (0) is affine, then the output difference of F is β B = α δ -1 ( A ).
Proof See Appendix A.
For the SPS structure, according to [13] , the lower bound of the active S -boxes is listed in lemma 1.
Lemma 1 [13] In the SPS structure, let S be bijective and let the differential branch and linear branch of P be Bd and Bl , respectively. The number of differentially active S -boxes is at least Bd if the input difference is nonzero, and the number of linearly active S -boxes is at least Bl if the output mask is nonzero.
For the Lai-Massey scheme, the lower bound of the active F -functions is given in lemma 2 below.
Lemma 2 Let σ be an orthomorphism. Then, a consecutive 2-round differential characteristic for the Lai-Massey scheme with nonzero probability contains at least one active F -function.
Proof Let ( α,β )→( A,B )→( u,v ) be a consecutive 2-round differential characteristic for the Lai-Massey scheme. Lemma 1 indicates that the differentials for F and σ in the first round are α β β B and α β B A , respectively, and the differentials for F and σ in the second round are A B B v and A B v u , respectively.
If the F -function is not active in the first round, then α = β and α = β = B ; if F is not active in the second round, then A = B and A = B = v . Therefore, the differential for F in the first round’s function is A → A . Because ( A,B ) ≠ (0,0) and A = B , A ≠ 0 , pσ ( A→A ) = 0 if σ is an orthomorphism according to lemma 1. Moreover, theorem 1 indicates that pQ (( α,β )→( A,B )) = 0, which contradicts the fact that the probability is nonzero. Therefore, a consecutive two-round differential characteristic with nonzero probability contains at least one active F -function.
Q.E.D
For the Lai-Massey scheme with an SPS F -function, the corollary below follows from lemmas 1 and 2 because there are at least Bd differentially ( Bl linearly) active S -boxes in one active F -function.
Corollary For the Lai-Massey scheme with an SPS F -function, let the differential and linear branches of P be Bd and Bl , respectively. Then, there are at least nBd differential ( nBl linear) active S -boxes in 2 n consecutive rounds.
Remarks: Let Bd and Bl be odd. Then, for the nontrivial differential (linear approximation) α→α of an SPS structure, there are at least Bd +1 ( Bl +1) S -boxes that will be active after a P -permutation. Based on this fact, we make some improvement on the corollary of lemma 2. First, we consider the number of active S -boxes in 3 consecutive rounds, where Bd ≥ 3 and Bl ≥ 3.
Theorem 2 For the Lai-Massey scheme with an SPS F -function, let Bd be odd and let σ ( x )= δ ( x )⊕ σ (0) be an affine orthomorphsim. Then, there are at least Bd +1 active S -boxes in a 3-round differential characteristic iff the structure is
PPT Slide
Lager Image
and the corresponding differentials for F are 0→0, δ ( α )⊕ α δ ( α )⊕ α , and 0→0, respectively. Here, Hw ( δ ( α )⊕ α ) = ( Bd +1)/2.
Proof If there are at least two active F -functions in the 3-round differential characteristic, this chain contains at least 2 Bd active S -boxes according to lemma 2. If there is only one active F -function in the 3-round differential characteristic, the structure of this differential characteristic is
PPT Slide
Lager Image
and the corresponding differentials for F are 0→0, δ ( α )⊕ α δ ( α )⊕ α , and 0→0, respectively, where α ≠ 0, according to theorem 1. Because Bd is odd, the differential δ ( α )⊕ α δ ( α )⊕ α for the SPS structure contains at least Bd +1 active S -boxes, where Hw ( δ ( α )⊕ α ) = ( Bd +1)/2.
Q.E.D.
In the sequel, AS (a→b) denotes the number of active S -boxes in the differential characteristic from the a th to b th round, and AS (a) denotes the number of active S -boxes in the a th round.
Theorem 3 For the Lai-Massey scheme with an SPS F -function, let Bd ≥ 3 be odd and let σ ( x )= δ ( x )⊕ σ (0) be an affine orthomorphsim.
(1) There are at least
PPT Slide
Lager Image
active S -boxes in an r -round differential characteristic, where
PPT Slide
Lager Image
(2) If the number of active S -boxes is
PPT Slide
Lager Image
in the r -round differential characteristic, then the F -functions in the first and last rounds are non-active.
Proof According to theorem 2, this theorem is true for r = 3 . Next, we use induction to prove this theorem.
Suppose that (1) and (2) are true for r ≤ 2 m +1. For r = 2 m +2, the number of active S -boxes in the first round is at least Bd if the F -function in the first round is active. By inductive supposition we have that AS (2→2m+2) m ( Bd +1). Hence,
PPT Slide
Lager Image
A similar proof can be provided for the case in which the F -function in the last round is active, i.e., that AS (1→2m+2) ˃ ( m -1)( Bd +1)+2 Bd . Therefore, (2) is true for r = 2 m +2 .
We now consider the case that the F -function is active in neither the first nor last round. Two cases are stated below based on whether the F -function in the m +2 th round is active or not.
Case 1: Suppose that F is not active in the m +2 th round; then, we have
PPT Slide
Lager Image
Therefore, AS (1→2m+2) = AS (1→m+2) + AS (m+3→2m+2) = AS (1→m+2) + AS (m+2→2m+2) .
If m is odd, AS (m+2→2m+2) = [( m +1)/2–2])( Bd +1)+2 Bd and AS (1→m+2) ≥( m +1)( Bd +1)/2 by inductive supposition; therefore,
PPT Slide
Lager Image
If m is even, AS (1→m+2) ≥( m /2–1)( Bd +1)+2 Bd and AS (m+2→2m+2) ≥( m /2)( Bd +1) by the supposition; therefore
PPT Slide
Lager Image
This result indicates that (1) is true for r = 2 m +2 when the F -function in the m +2 th round is non-active.
Case 2: Suppose that the F -function in the m +2 th round is active. Then, we can demonstrate that AS (2m+2) = AS (1→m+1) + AS (m+2) + AS (m+3→2m+2) .
If m is odd, then by the inductive supposition,
PPT Slide
Lager Image
If AS (1→m+1) = [( m +1) / 2–2]( Bd +1)+2 Bd and AS (m+3→2m+2) = ( m -1)( Bd +1)/2, then AS (m+1) = AS (m+3) = 0 by (2) in the supposition. Moreover, considering the implications of theorem 2, we have AS (m+2) = AS (m+1→m+3) Bd +1 ; thus,
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+1) cannot reach the minimum number simultaneously, then
PPT Slide
Lager Image
Because the F -function in the m + 2 -th round is active, we have AS (m+2) Bd . Hence,
PPT Slide
Lager Image
Thus, (1) is true for r = 2 m + 2 when m is odd.
If m is even, then by the inductive supposition,
PPT Slide
Lager Image
If AS (1→m+1) = ( m /2)( Bd +1) and AS (m+3→2m+2) = ( m /2–2)( Bd +1)+2 Bd , then AS (m+1) = AS (m+3) = 0 by (2) in the supposition. Moreover, AS (m+2) = AS (m+1→m+3) Bd +1 according to theorem 2. Hence,
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+1) cannot reach the minimum number simultaneously, then
PPT Slide
Lager Image
Because the F -function in the m + 2 th round is active, we have AS (m+2) Bd Hence,
PPT Slide
Lager Image
Thus, (1) is true for r = 2 m + 2 when m is even. Therefore, (1) is true for r = 2 m + 2 if the F -function in the m + 2 th round is active.
Cases 1 and 2 demonstrate that (1) is true for r = 2 m + 2 if it is true for r ≤ 2 m + 1.
Next, suppose that (1) and (2) are true for r ≤ 2 m . For r = 2 m + 1, AS (1) Bd if the F -function in the first round is active, and AS (2→2m+1) ≥ ( m -2)( Bd +1)+2 Bd according to (2) in the inductive supposition. As a result,
PPT Slide
Lager Image
Similarly, AS (1→2m+1) ˃ m ( Bd +1) if the F -function in the last round is active. Therefore, (2) is true for r = 2 m + 1.
Next, we consider the case in which neither the F -function in the first round nor the F -function in the last round is active. Two cases are listed below according to whether the F -function in the m + 2 th round is active or not.
Case 1: Suppose that F in the m + 2 th round is not active. Then, we have
PPT Slide
Lager Image
therefore, AS (1→2m+1) = AS (1→m+2) + AS (m+2→2m+1) .
If m is odd, then AS (m+2→2m+1) ≥ ( m -1)( Bd +1)/2 and AS (1→m+2) ≥ ( m +1)( Bd +1)/2 by inductive supposition. Therefore,
PPT Slide
Lager Image
If m is even, then, by the supposition, we have
PPT Slide
Lager Image
Thus,
PPT Slide
Lager Image
Moreover, as ( m -2)( Bd +1)+4 Bd m ( Bd +1) is equivalent to Bd ≥3, then AS (1→2m+1) ≥ ( m -3)( Bd +1)+4 Bd m ( Bd +1), which indicates that (1) is true for r = 2 m + 1
Case 2: If the F -function in the m +2 th round is active, then AS (2m+1) = AS (1→m+1) + AS (m+2) + AS (m+3→2m+1) .
If m is odd, by inductive supposition,
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+1) make the equality true simultaneously, then AS (m+1) = AS (m+3) = 0 by (2) in the inductive supposition. Moreover, AS (m+2) = AS (m+1→m+3) Bd +1 according to theorem 2. Hence,
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+1) cannot make the equality true simultaneously, then
PPT Slide
Lager Image
AS (m+2) Bd because the F -function in m +2 th round is active; therefore,
PPT Slide
Lager Image
This result indicates that when m is odd, (1) is true for r = 2 m +1.
If m is even, by inductive supposition, we have
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+1) make the equality true simultaneously, we obtain AS (m+1) = AS (m+3) = 0 by (2) in the supposition, and thus, AS (m+2) = AS (m+1→m+3) Bd +1 according to theorem 2. Hence,
PPT Slide
Lager Image
If AS (1→m+1) and AS (m+3→2m+2) do not make the desired equality true simultaneously, then
PPT Slide
Lager Image
Because F in the m +2 th round is active, we have AS (m+2) Bd and
PPT Slide
Lager Image
This result demonstrates that (1) is true for r = 2 m +1 when m is even. Therefore, (1) is true for r = 2 m +1 if F in round m +2 is active.
Cases 1 and 2 demonstrate that (1) and (2) are true for r = 2 m +1 if (1) and (2) are true for r ≤ 2 m .
Therefore, inductive supposition indicates that this theorem is true for r ≥ 3.
Q.E.D.
We can obtain corresponding results for the 5-round differential characteristic in the Lai-Massey scheme with an SPS F -function according to theorem 3.
Corollary For the Lai-Massey scheme with an SPS F -function, let Bd ≥ 3 be odd and let σ ( x ) = δ ( x )⊕ σ (0) be an affine orthomorphsim. Then, there are at least 2 Bd +2 active S -boxes in a 5-round differential characteristic, and the lower bound is reached iff the structure of the 5-round differential characteristic is
PPT Slide
Lager Image
for some α ≠ 0 with Hw ( δ ( α )⊕ α ) = Hw ( δ 2 ( α )⊕ δ ( α )) = ( Bd +1)/2. The corresponding differentials for F are 0→0, δ ( α )⊕ α δ ( α )⊕ α , 0→0, δ 2 ( α )⊕ δ ( α ) → δ 2 ( α )⊕ δ ( α ), and 0→0, respectively.
Theorem 4 For the Lai-Massey scheme with an SPS F -function, let Bd ≥ 3 be odd and let σ ( x )= δ ( x )⊕ σ (0) be an affine orthomorphism.
PPT Slide
Lager Image
is the lower bound in the corollary of lemma 2.
PPT Slide
Lager Image
is defined as in theorem 3, then we have
PPT Slide
Lager Image
Proof
PPT Slide
Lager Image
according to lemma 2; thus, according to theorem 3, we have
PPT Slide
Lager Image
Q.E.D.
Theorem 3 provides the lower bound of the differentially active S -boxes in the Lai-Massey scheme with an SPS F -function, which is larger than the results obtained by the multiplication of the differential branch number and the number of active F -functions. Moreover, theorem 4 demonstrates that the increment has no relationship with Bd , where Bd is odd.
4. Lower Bound of Linearly Active S-boxes in the Lai-Massey Scheme with an SPS F-function
Next, we focus on the lower bound of linearly active S -boxes in the Lai-Massey scheme with an SPS F -function. Based on the duality of the structure between the differential characteristic and linear trail, the lower bound of the linearly active S -boxes in the Lai-Massey scheme under consideration can be easily obtained.
Theorem 5 Let σ ( x ) = Mx C be affine, then the linear approximation ( α,β )→( A,B ) for the round function Q has nonzero coefficient ρ iff α β B MT A = 0. Besides, the linear approximation for F is β B α β , and the coefficient is ρ ×(–1) A·C .
Proof See Appendix B.
Theorem 6 (The dual theorem between the differential characteristic and linear trail in the Lai-Massey scheme.)
Let σ be an affine orthomorphism. Then, the n -round differential characteristic ( a 0,1 , a 0,2 )→( a 1,1 , a 1,2 )→…→( a n,1 , a n,2 ) has nonzero probability, and the corresponding differentials of F are a 0,1 a 0,2 c o , a 1,1 a 1,2 c 1 ,..., a n-1,1 a n-1,2 c n-1 iff ( a 0,1 , a 0,2 )→( a 1,1 , a 1,2 )→…→( a n,1 , a n,2 ) is an n -round linear trail of its dual Lai-Massey scheme with a nonzero correlation coefficient and the corresponding linear approximations of the F -function are c o a 0,1 a 0,2 , c 1 a 1,1 a 1,2 ,..., c n-1 a n-1,1 a n-1,2 .
Proof See Appendix C.
Based on the duality, similar results can be obtained with respect to linearly active S -boxes, which are stated in the following theorems 7 and 8.
Theorem 7 For the Lai-Massey scheme with an SPS F -function, let Bl ≥ 3 be odd and let σ ( x ) = Mx C be an affine orthomorphsim. Then, the following statements are true:
(1) There are at least
PPT Slide
Lager Image
active S -boxes in an r -round linear trail, where
PPT Slide
Lager Image
(2) If the number of active S -boxes is
PPT Slide
Lager Image
in the r -round linear trail, then F is active neither in the first nor last round.
Theorem 8 For the Lai-Massey scheme with an SPS F -function, let Bl ≥ 3 be odd and let σ ( x ) = Mx C be an affine orthomorphsim, where r ≥ 3.
PPT Slide
Lager Image
is the lower bound in the corollary of lemma 2 and
PPT Slide
Lager Image
is as defined as in theorem 7, then
PPT Slide
Lager Image
For FOX64, Bd = Bl =5 ; for FOX128, Bd = Bl =9. By combining theorems 4 and 8, we can obtain the lower bound of differentially active S -boxes ranging from 3 rounds of FOX64 to 12 rounds of FOX64. Similarly, we can obtain the lower bound of linearly active S -boxes ranging from 3 rounds of FOX128 to 12 rounds of FOX128. Table 1 compares the results of this study with those presented in [3] .
The number of activeS-boxes in FOX64 and FOX128
PPT Slide
Lager Image
The number of active S-boxes in FOX64 and FOX128
The above table illustrates that the results obtained here are superior to the results in [3] .
Theorem 9 It is impossible to find any useful differential of the linear characteristic after 6 rounds of FOX64.
Proof From [3] ,
PPT Slide
Lager Image
We can conclude that this theorem is correct from Table 1 .
Q.E.D.
Junod and Vaudenay proved that it is impossible to find any useful differential characteristic or linear trail after 8 rounds of either FOX64 or FOX128 [3] . This paper demonstrates that a smaller number of rounds of FOX64 can resist a differential and linear attack. For FOX128, although we do not decrease the number of rounds from 8, we obtain a more precise bound on the lower bound of the active S -boxes, illustrating that FOX128 is safer than previously thought.
5 Conclusions
This paper focuses on the lower bounds of differentially and linearly active S -boxes in a set number of consecutive rounds of the Lai-Massey scheme with an SPS F -function. First, we provide the lower bound of the differentially active S -boxes, and similar results are obtained for linearly active S -boxes based on the duality in the Lai-Massey scheme. Finally, we apply our results to FOX and provide a tighter bound on the lower bound of active S -boxes. This paper demonstrates that it is impossible to find any useful differential characteristic or linear trail after 6 rounds of FOX64, rather than the 8 rounds used by Junod and Vaudenay at SAC 2004. In addition, the corollaries in this paper have practical uses because the P permutations that we use in block ciphers typically have the maximum branch number, and the dimension of P is even, which means that the differential branch number and linear branch number of P are odd.
BIO
Lishi Fu was born in 1989. She is currently pursuing for the Ph.D degree in the Information Science and Technology Institute. Her current research interest is the analysis of block cipher. E-mail: fulishi123@sohu.com
Chenhui Jin was born in 1965. Currently, he is a professor in the Information Science and Technology Institute. His current research interests are cryptography and information security. E-mail: jinchenhui @126.com
References
Lai X. , Massey J. 1990 “A proposal for a new block encryption standard,” Advances in Cryptology-EUROCRYPT'90, LNCS 473 389 - 404
Vaudenay S. 1999 “On the Lai-Massey scheme,” Advances in Cryptology -ASIACRYPT' 99, LNCS 1716 8 - 19
Junod P. , Vaudenay S. 2004 “FOX: a new family of block ciphers,” SAC 2004, LNCS Springer-Verlag 2595 131 - 146
Wu Wenling , Zhang Wentao , Feng Dengguo 2006 “Integral Cryptanalysis of Reduced FOX Block Cipher,” Information Security and Cryptology - ICISC 2005, LNCS 3935 229 - 241
Wu Zhongming , Lai Xuejia , Zhu Bo , Luo Yiyuan “Impossible differential cryptanalysis of FOX,” Cryptology ePrint /2009/357. http://eprint.iacr.org/
Wei Yuechuan , Sun Bing , Li. Chao 2010 “Impossible differential attacks on FOX,” Journal on Communications http://wenku.baidu.com/link?url=FizBvRdaVTvrwY7qKYgUvyjAMD0ZLHOQdTOhylmSTCgkSgad7xQXVTSiL_kffes0HBRCu8C3kTHQd9fk_QjJV3mg3kiJOcDto9HZ4bIAusO 9 24 - 29
Wu Wenling , Wei Hongru 2005 “Collision-integral attack of reduced-round FOX,” Journal of Electronics & Information Technology http://wenku.baidu.com/link?url=dpxdjBQPKYOHIGmBBEhqoMp__aD_RJj3__OF9TD1vKhoBtXVzYvoih57uRqcPx9s03YhSk-ermtAeEa26lgALGfcaz5rfkARDmvwaaGuIp7 7 1307 - 1310
Li Ruilin , You Jianxiong , Sun Bing 2013 “Fault analysis study of the block cipher FOX64,” Multimedia Tools and Applications 63 (3) 691 - 708    DOI : 10.1007/s11042-011-0895-x
Biham E. , Shamir. A. 1991 “Differential cryptanalysis of DES-like cryptosystems”. Journal of Cryptology 14 (1) 3 - 72    DOI : 10.1007/BF00630563
Matsui M. 1993 “Linear cryptanalysis method for DES cipher,” In Advances in Cryptology -EurocryptLNCS 3788 386 - 397
Kanda M. , Takashima Y. , Matsumoto T. , Aoki K. , Ohta K. 1999 “A Strategy for Constructing Fast Round Functions with Practical Security against Differential and Linear Cryptanalysis,” Selected Areas in Cryptography, LNCS 1556 264 - 279
Rijmen V. , Daemon J. , Preneel B. , Bosselaers A. , Win E. D. 1996 “The cipher SHARK,” Fast Software Encryption — Third International Workshop, LNCS 1039 99 - 111
Jin Chenhui , Zheng Haoran , Zhang Shaowu 2009 Cryptology. Higher Education Press
Hong S. , Lee S. , Lim J. , Sung J. , Cheon D. , Cho I. 2001 “Provable security against differential and linear cryptanalysis for the SPN structure”[C]. FSE 2000. LNCS 1978 273 - 283