Mathematical Problems of Computer Science 45, 111—121, 2016. 111 Linear Cryptanalysis of Modified SAFER + Algorithm Melsik K Kyureghyan, Knarik M. Kyuregyan Institute for Informatics and Automation Problems of NAS RA e-mail: melsik@ipia.sci.am, knarikyuregyan@gmail.com Abstract In paper [1] a modified SAFER+ [2] algorithm was presented. It was shown that those modifications made it possible to speed up a modified algorithm implementation about 1,7 times and obtain the same security level as compared with SAFER+ in terms of differential analysis. In this paper a linear cryptanalysis of modified SAFER+ algorithm is presented and it is shown that it has the same resistance against linear cryptanalysis as compared with an original SAFER+. Keywords: Block cipher, Linear cryptanalysis, Balanced function. 1. Introduction Linear cryptanalysis is one of the powerful cryptanalyses against iterated block ciphers. It was introduced by Matsui as a theoretical attack on DES and it is in fact a known-plaintext attack: that is a cryptanalyst has an access to the set of some plaintexts and their corresponding ciphertexts. Matsui exploits a cipher’s weakness that he quantifies in terms of “unbalanced linear expression” that involves plaintext bits, ciphertext bits (actually bits from the second last round output) and subkey bits. A linear expression is unbalanced if the equation is satisfied with the probability different from 1 2⁄ when the plaintext and the keys are uniformly random and independent. The cryptanalyst applies the last round attack using this linear expression for the entire cipher excluding the last round. He or she guesses wrong keys and by processing a large number of plaintext/ciphertext pairs and tries to find the last round key. The success of linear cryptanalysis depends on the original linear expression being more imbalanced than the linear expression obtained with wrong keys. In this paper we will consider a linear cryptanalysis of modified SAFER+ [1], whose round function is depicted in Fig. 1. Let X = X1X2 … X16 be the 16 bytes input of the 𝑖-th round. The round function consist of the following four layers: mailto:melsik@ipia.sci.am,%20%20knarikyuregyan@gmail.com Linear Cryptanalysis of Modified SAFER+ Algorithm 112 1. XOR/ADD, first round key is “added” to the round input either modulo 2 ( XOR) or modulo 256 (ADD): U = XOR/ADD(X, K2i−1). 2. Non-Linear (NL), where each byte is subjected to either the non-linear function EXP: x → 45xmodulo257 (except that 45128 is taken as 0 rather than −1 = 257) or its inverse function LOG: V = NL(U). 3. ADD/XOR, by this layer the second round key is inserted: W = ADD/XOR(V, K2i). Invertible Linear Transform or Pseudo-Hadamard Transform (PHT) consisting of four times applied 𝐴𝑟𝑚𝑒𝑛𝑖𝑎𝑛 𝑠ℎ𝑢𝑓𝑓𝑙𝑒 and four times applied eight 2-PHT boxes: Y = PHT(W), is equivalent to  .256mod 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 1814122212112141 11624142422124181 1418114212211221 24116218214411422 1221111221441812 22412114228411614 1211181111224422 14121162121248442 2122421418111112 41248224116211214 2212112141181214 24141241811162224 1142221824121111 12822411644142121 4111241112122218 81214412142224116 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1                                                                                                                                                         W W W W W W W W W W W W W W W W Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y 2. Preliminaries In this paper we follow the terminology and notation in [3]. A binary-valued function is said to be 𝑏𝑎𝑙𝑎𝑛𝑐𝑒𝑑 if it takes on the value 0 for exactly half of its possible arguments and the value 1, otherwise. An 𝐼/𝑂 𝑠𝑢𝑚 for the 𝑖𝑡ℎ round, denoted by 𝑆(𝑖), is a modulo-two sum of balanced binary-valued function 𝑓𝑖 of the round input 𝑋 (𝑖) = 𝑌(𝑖−1) and a balanced binary-valued function 𝑔𝑖 of the round output 𝑌 (𝑖), that is 𝑆(𝑖) ∶= 𝑓𝑖 (𝑌 (𝑖−1)) ⊕ 𝑔𝑖 (𝑌 (𝑖 )), where ⊕ denotes modulo two addition, i.e., the XOR operation. The functions 𝑓𝑖 and 𝑔𝑖 are called the 𝑖𝑛𝑝𝑢𝑡 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 and the 𝑜𝑢𝑡𝑝𝑢𝑡 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛, respectively, of the I/O sum 𝑆 (𝑖). I/O sums for successive rounds are said to be 𝑙𝑖𝑛𝑘𝑒𝑑 if the output function of each of these I/O sums, except the last, coincides with the input function of the following I/O sum (i.e., 𝑔𝑖 = 𝑓𝑖+1). When 𝑆 (1), 𝑆(2), … , 𝑆(𝜌)are linked, then their modulo-two sum is also I/O sum, namely 𝑆(1…𝜌) ∶= ⨁ 𝑆(𝑖) 𝜌 𝑖=1 = 𝑓1(𝑌 (1)) ⊕ 𝑔𝜌(𝑌 (𝜌)), where 𝑌(1) = 𝑋(1) = 𝑋 is the input to the first round, and is called a 𝜌-𝑟𝑜𝑢𝑛𝑑 𝐼/𝑂 𝑠𝑢𝑚. M. Kyureghyan, K. Kyuregyan 113 Fig. 1. Design of the 𝑖-th round of modified SAFER+. Linear cryptanalysis depends critically on the notation of “𝑖𝑚𝑏𝑎𝑙𝑎𝑛𝑐𝑒” for binary-valued random variables. The 𝑖𝑚𝑏𝑎𝑙𝑎𝑛𝑐𝑒 𝐼(𝑉) of a binary-valued random variable 𝑉 is the real number |2𝑃[𝑉 = 0] − 1|, where 𝑃[𝑉 = 0] is the probability that 𝑉 takes on the value 0. Note that 0 ≤ 𝐼(𝑉) ≤ 1 𝑅𝑜𝑢𝑛𝑑 𝐼𝑛𝑝𝑢𝑡 (16 𝐵𝑦𝑡𝑒𝑠) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 xor xor xor xor add add add add xor xor xor xor add add add add exp exp exp exp log log log log exp exp exp exp log log log log add add add add xor xor xor xor add add add add xor xor xor xor NL half round 𝐾2𝑖−1 𝐾2𝑖 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT Modified SAFER+ specific 𝐴𝑟𝑚𝑒𝑛𝑖𝑎𝑛 𝑆ℎ𝑢𝑓𝑓𝑙𝑒 [7 12 9 14 5 8 13 10 11 4 3 6 15 2 1 16] PHT half round Modified SAFER+ specific 𝐴𝑟𝑚𝑒𝑛𝑖𝑎𝑛 𝑆ℎ𝑢𝑓𝑓𝑙𝑒 [7 12 9 14 5 8 13 10 11 4 3 6 15 2 1 16] 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT Modified SAFER+ specific 𝐴𝑟𝑚𝑒𝑛𝑖𝑎𝑛 𝑆ℎ𝑢𝑓𝑓𝑙𝑒 [7 12 9 14 5 8 13 10 11 4 3 6 15 2 1 16] 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT Modified SAFER+ specific 𝐴𝑟𝑚𝑒𝑛𝑖𝑎𝑛 𝑆ℎ𝑢𝑓𝑓𝑙𝑒 [7 12 9 14 5 8 13 10 11 4 3 6 15 2 1 16] 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT 2-PHT Linear Cryptanalysis of Modified SAFER+ Algorithm 114 with equality on the left if and only if 𝑉 is constant random variable and with equality on the right if and only if 2𝑃[𝑉 = 0] = 1 2⁄ . In linear cryptanalysis we always assume that the plaintext and all round keys are independent and uniformly random over the appropriate sets. In practice, however, the full key is usually produced from a user selected secret key by key scheduling algorithm. Sometimes we explicitly fix keys by specifying e. g., 𝐾(1…𝜌) = 𝑘(1…𝜌), which implies that the statistics of the random experiment are the conditional statistics given that 𝐾 (1…𝜌) = 𝑘(1…𝜌). A round iterated block cipher of block-size 𝑛 encrypts a plaintext X by 𝜌 successive application of a keyed round function with different key in each round. The full key will be denoted by 𝐾(1…𝜌) = (𝐾(1), 𝐾(2), … , 𝐾(𝜌)), where 𝐾(𝑖) is the round key applied in the 𝑖-th round for 𝑖 = 1,2, … , 𝜌. Note that, in the ciphers of SAFER family, 𝐾(𝑖) = (𝐾2𝑖−1, 𝐾2𝑖 ). The 𝑘𝑒𝑦-𝑑𝑒𝑝𝑒𝑛𝑑𝑒𝑛𝑡 𝑖𝑚𝑏𝑎𝑙𝑎𝑛𝑐𝑒 𝐼(𝑆(1…𝜌)|𝐾(1…𝜌)) of the I/O sum 𝑆 (1…𝜌) is the random variable whose value when 𝐾(1…𝜌)=𝑘(1…𝜌) is the key-dependent imbalance of 𝑆(1…𝜌), i.e., 𝐼(𝑆(1…𝜌)|𝑘(1…𝜌)). The 𝑎𝑣𝑒𝑟𝑎𝑔𝑒-𝑘𝑒𝑦 𝑖𝑚𝑏𝑎𝑙𝑎𝑛𝑐𝑒 𝐼(̅𝑆(1…𝜌)) of the I/O sum 𝑆(1…𝜌) is the expectation of this key-dependent imbalance computed under the assumption that the round keys are chosen independently and uniformly at random, i.e., 𝐼(̅𝑆(1…𝜌)) ∶= 𝐸[𝐼(𝑆(1…𝜌)|𝐾(1…𝜌))] = 1 |𝒦 𝜌| ∑ 𝐼(𝑆(1…𝜌)|𝑘(1…𝜌))𝑘(1…𝜌)∈𝒦 𝜌 , where |𝒦𝜌| denotes the cardinality of the set of full keys. An I/O sum is said to be 𝑒𝑓𝑓𝑒𝑐𝑡𝑖𝑣𝑒 if it has a “large” average-key imbalance, and is said to be 𝑔𝑢𝑎𝑟𝑎𝑛𝑡𝑒𝑒𝑑 if its average-key imbalance is 1, the maximum possible. A 𝑡ℎ𝑟𝑒𝑒𝑓𝑜𝑙𝑑 𝑠𝑢𝑚 𝑇(𝑖) for the 𝑖-th round is a modulo-two sum of three terms: the first, a balanced binary-valued function 𝑓𝑖 of the round input 𝑋 (𝑖) = 𝑌(𝑖−1); the second, a balanced binary-valued function 𝑔𝑖 of the round output 𝑌 (𝑖); the third, some binary-valued function ℎ𝑖 of the round key 𝐾(𝑖), i.e., 𝑇 (𝑖) = 𝑓𝑖 (𝑌 (𝑖−1)) ⊕ 𝑔𝑖 (𝑌 (𝑖 )) ⊕ ℎ𝑖 (𝐾 (𝑖 )). The function ℎ𝑖 is the 𝑘𝑒𝑦 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 of the threefold sum 𝑇 (𝑖) and 𝑆(𝑖) = 𝑓𝑖 (𝑌 (𝑖−1)) ⊕ 𝑔𝑖 (𝑌 (𝑖 )) is the 𝑝𝑎𝑟𝑒𝑛𝑡 𝐼/𝑂 𝑠𝑢𝑚 for 𝑇 (𝑖). Theorem 1.1: (Threefold sum imbalance and I/O sum average-key imbalance) Let 𝑇(1…𝜌) = 𝑆(1…𝜌) ⊕ ℎ𝑖 (𝐾 (1…𝜌)) be a threefold sum. Then the average-key imbalance of the parent I/O sum 𝑆(1…𝜌) is lower bounded by the threefold sum imbalance, i.e., 𝐼(̅𝑆(1…𝜌)) ≥ 𝐼(𝑇 (1…𝜌)). Moreover, equality holds if and only if ℎ is equal to { 0 𝑖𝑓 𝑃[𝑆 = 0/𝐾 = 0] > 1 2⁄ 1 𝑖𝑓 𝑃[𝑆 = 0/𝐾 = 0] < 1 2⁄ 𝑎𝑟𝑏𝑖𝑡𝑟𝑎𝑟𝑦 𝑖𝑓 𝑃[𝑆 = 0/𝐾 = 0] = 1 2⁄ (in this case the function ℎ is called a maximizing key function for 𝑇(1…𝜌)) or is the complement of such a function. A threefold sum is said to be 𝑔𝑢𝑎𝑟𝑎𝑛𝑡𝑒𝑒𝑑 if it has imbalance 1. It follows from Theorem 1.1 that 𝑇(1…𝜌) = 𝑆(1…𝜌) ⊕ ℎ(𝐾(1…𝜌)) is guaranteed if only if the parent I/O sum 𝑆 (1…𝜌) is guaranteed and ℎ is a maximizing key function. Lemma 1.1: (Matsui’s Piling-up Lemma) The imbalance of a modulo-two sum of independent binary-valued variables 𝑉(1), 𝑉(2), … , 𝑉 (𝜌) is the product of their imbalance, i.e., M. Kyureghyan, K. Kyuregyan 115 𝐼 (⨁ 𝑉(𝑖) 𝜌 𝑖=1 ) = ⨅(𝐼(𝑉)(𝑖)) 𝜌 𝑖=1 . Remark 1.1: If 𝑇(1), 𝑇(2), … , 𝑇(𝜌) are independent threefold sums, then it follows from lemma 1 that 𝐼 (⨁ 𝑇(𝑖) 𝜌 𝑖=1 ) = ⨅(𝐼(𝑇)(𝑖)), 𝜌 𝑖=1 where ⨁ 𝑇(𝑖) 𝜌 𝑖=1 is 𝜌-round threefold sum provided that 𝑇 (1), 𝑇(2), … , 𝑇(𝜌) are linked. The round functions of our cipher can be written as 𝑌(𝑖 ) = 𝑅 𝐾(𝑖) (𝑖) (𝑌(𝑖−1 )) = 𝜙(𝑌(𝑖−1 ) ⊗𝑖 𝐾2𝑖−1, 𝐾2𝑖 ), where ⊗𝑖 is the group operation by which one of the round keys is inserted in the 𝑖-th round (Fig. 1). We will show that this structure guarantees the independence of any “homomorphic” one-round threefold sum and the input to that round. Definition 1.1: Consider an iterated block cipher whose 𝑖-th round function inserts the key 𝐾2𝑖−1 with a group operation ⊗𝑖 at the input to each round (Fig. 1). Let 𝐵 𝑛 denote the set of binary 𝑛- tuples, very often considered as 𝐵𝑛 = {0, 1, 2, … , 2𝑛 − 1}. A homomorphism from a group (𝐵𝑛, ⨂) onto the group (𝐵, ⨁) is called 𝑏𝑖𝑛𝑎𝑟𝑦-𝑣𝑎𝑙𝑢𝑒𝑑 ℎ𝑜𝑚𝑜𝑚𝑜𝑟𝑝ℎ𝑖𝑠𝑚 𝑓𝑜𝑟 ⨂1. An I/O sum for the rounds 𝑖 to 𝑗 (𝑖 ≤ 𝑗) is homomorphic if the input function is a binary-valued homomorphism for ⊗𝑖 and the output function is a binary-valued homomorphism for ⊗𝑗+1. A threefold sum is ℎ𝑜𝑚𝑜𝑚𝑜𝑟𝑝ℎ𝑖𝑐 if the parent I/O sum is homomorphic. If for all rounds 𝑖, the operation ⊗𝑖 is the bitwise XOR operation in 𝐵 𝑛, then the only binary- valued homomorphisms are the linear function 𝑙𝑎(𝑥) = 𝑎 ∘ 𝑥 for 𝑥 in 𝐵 𝑛, where 𝑎 is a non zero 𝑛-tuple and 𝑎 ∘ 𝑥 denotes the scalar product with operations of 𝐺𝐹(2). An I/O sum (or a threefold sum) whose input and output functions are 𝑙𝑎 and 𝑙𝑏, respectively, will be called 𝑙𝑖𝑛𝑒𝑎𝑟 with 𝑙𝑖𝑛𝑒𝑎𝑟 𝑚𝑎𝑠𝑘 (𝑎, 𝑏). Theorem 1.2: Consider the cascade of 𝜌 rounds with round functions 𝑅(1), 𝑅(2), … , 𝑅(𝜌) for which 𝑌(𝑖 ) = 𝑅 𝐾(𝑖) (𝑖) (𝑌(𝑖−1 )) = 𝜙𝑖 (𝑌 (𝑖−1 ) ⊗𝑖 𝐾2𝑖−1, 𝐾2𝑖 ), where ⊗𝑖 denotes a group operation in 𝐵 𝑛 and where 𝜙𝑖 (. , 𝑘2𝑖 ) is a bijection on 𝐵 𝑛 for all 𝑘2𝑖 (Fig. 1). Let 𝑇 (𝑖) = 𝑓𝑖 (𝑌 (𝑖−1)) ⊕ 𝑓𝑖+1(𝑌 (𝑖)) ⊕ (𝑓𝑖 (𝐾2𝑖−1) ⊕ ℎ𝑖 (𝐾2𝑖 )) (1) be a homomorphic threefold sum for the 𝑖-th round, so that 𝑇(1), 𝑇(2), … , 𝑇(𝜌) are linked. Then, the average-key imbalance for the parent I/O sum 𝑆(1…𝜌) of the threefold sum 𝑇(1…𝜌) ≔ ⨁ 𝑇(𝑖) 𝜌 𝑖=1 is lower bounded by the product of the one-round threefold sum imbalance, i.e., 𝐼(̅𝑆(1…𝜌)) ≥ ∏ 𝐼(𝑇(𝑖)). 𝜌 𝑖=1 (2) Note that, as 𝜙𝑖 (. , 𝑘2𝑖 ) is a bijection and 𝑋 is uniformly distributed, 𝑌 (0), 𝑌(1), … , 𝑌(𝜌−1) are uniformly distributed. Thus, 𝐼(𝑇(𝑖)) for 𝑖 = 2, 3, … , 𝜌 can be computed quite easily. For a given 𝑆(1…𝜌) we can evaluate the right side of (2) for many choices of linked homomorphic one-round threefold sums whose sum has 𝑆(1…𝜌) as its parent I/O sum. We can then use the maximum such threefold-sum imbalance as an approximation 𝐼(̅𝑆(1…𝜌)), i.e., 1 𝑓 is such homomorphism if, for all 𝑈, 𝑉 ∈ 𝐵𝑛 𝑓(𝑈⨂𝑉) = 𝑓(𝑈)⨁𝑓(𝑉) and if 𝑓 is not identically zero. Linear Cryptanalysis of Modified SAFER+ Algorithm 116 𝐼(̅𝑆(1…𝜌)) ≈ max 𝑓2,…,𝑓𝜌 ℎ1,…,ℎ𝜌 ∏ 𝐼(𝑇(𝑖)), 𝜌 𝑖=1 (3) where 𝑇(𝑖) is given by (1). The following is an effective procedure for finding this maximum. 𝑃𝑟𝑜𝑐𝑒𝑑𝑢𝑟𝑒 𝑓𝑜𝑟 𝑓𝑖𝑛𝑑𝑖𝑛𝑔 𝑎𝑛 𝑒𝑓𝑓𝑒𝑐𝑡𝑖𝑣𝑒 𝜌-𝑟𝑜𝑢𝑛𝑑 ℎ𝑜𝑚𝑜𝑚𝑜𝑟𝑝ℎ𝑖𝑐 𝐼/𝑂 𝑠𝑢𝑚 𝑓𝑜𝑟 𝑎 𝑐𝑖𝑝ℎ𝑒𝑟 𝑤ℎ𝑜𝑠𝑒 𝑟𝑜𝑢𝑛𝑑 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛𝑠 𝑖𝑛𝑠𝑒𝑟𝑡 𝑎 𝑘𝑒𝑦 𝑏𝑦 𝑢𝑠𝑖𝑛𝑔 𝑎 𝑔𝑟𝑜𝑢𝑝 𝑜𝑝𝑒𝑟𝑎𝑡𝑖𝑜𝑛 𝑎𝑡 𝑡ℎ𝑒 𝑖𝑛𝑝𝑢𝑡. 1. For 𝑖 = 1,2, … , 𝜌 + 1 find the set ℋ𝑖 of all binary-valued functions on 𝐵 𝑛 that are binary- valued homomorphisms for ⊗𝑖. 2. For 𝑖 = 1,2, … , 𝜌 find the imbalance of all 𝑖-th round homomorphic threefold sums with input function 𝑓𝑖 in ℋ𝑖 , output function 𝑓𝑖+1 in ℋ𝑖+1, and maximizing key function. Discard the threefold sums with small imbalance. 3. Consider each possible choice of 𝜌 linked threefold sums containing one of the threefold sums found in step 2 in each round. Use the right side of (3) as an estimate of the imbalance of the 𝜌-round I/O sums. Output the 𝜌-round I/O sums having the largest estimated imbalance. 3. Linear Cryptanalysis of Modified SAFER+ Now we will find effective homomorphic I/O sums to a cascade of half-rounds of modified SAFER+ algorithm. We first find all binary-valued homomorphisms for ADD/XOR and for XOR/ADD. There are 28 − 1 binary-valued homomorphisms for 8 bit XOR, namely the functions defined as 𝑙𝑎2(𝑉2) ∶= 𝑎2 ∘ 𝑉2, where 𝑎2 is a non-zero binary 8-tuple " ∘ " operation denotes the modulo two “dot product”. There is only one binary-valued homomorphism for modulo 256 addition, namely the function 𝑙𝑎1 where 𝑎1 = 0000 0001 = 01 (hex notation of byte). Thus, there exist 272 − 1 balanced homomorphisms for ADD/XOR, namely the functions 𝑙𝑎 defined as 𝑙𝑎(𝑉) = 𝑎 ∘ 𝑉 where 𝑎 lies in the set of 128-tuples. 𝒜 = {𝑎: 𝑎 ∈ {0,1}128\{00}; 𝑎1, 𝑎2, 𝑎3, 𝑎4, 𝑎9, 𝑎10, 𝑎11, 𝑎12} ∈ {00, 01}}. Similarly, there are 272 − 1 balanced homomorphism for XOR/ADD, namely the functions 𝑙𝑏 (𝑉) = 𝑏 ∗ 𝑉, where 𝑏 lies in the set ℬ = {𝑏: 𝑏 ∈ {0,1}128\{00}; 𝑏5, 𝑏6, 𝑏7, 𝑏8, 𝑏13, 𝑏14, 𝑏15, 𝑏16} ∈ {00, 01}}. The set of all homomorphic functions for XOR/ADD and the set of all homomorphic functions for ADD/XOR are subsets of the set of all linear binary-valued functions. We now consider the part of round (half-round) containing the PHT function. The following lemma specifies all homomorphic I/O sums that have non-zero imbalance. The input function must be balanced and homomorphic for ADD/XOR; the output function must be balanced and homomorphic for XOR/ ADD. There are (272 − 1)2 such I/O sums, namely S𝑎,𝑏 PHT−hr ∶= 𝑙𝑎(V)⨁𝑙𝑏 (Y) 𝑎 ∈ 𝒜 , 𝑏 ∈ ℬ. Lemma 2.1: For the 𝑃𝐻𝑇-half-round, the only homomorphic I/O sums that have non-zero imbalance are the 216 − 1 guaranteed I/O sums obtained by 𝑋𝑂𝑅-ing together any positive number of the 16 guaranteed I/O sums listed in Table 1. M. Kyureghyan, K. Kyuregyan 117 Table 1. Effective I/O sums for the PHT-function. Since 𝐼(𝑆𝑎,𝑏 PHT−hr|𝑘2𝑖 ) = 𝐼(𝑆𝑎,𝑏 PHT) for any 𝑘2𝑖 ∈ {0,1} 128, where 𝑆𝑎,𝑏 PHT ∶= 𝑙𝑎(𝑊)⨁ 𝑙𝑏(𝑌), (𝑎 ∈ 𝒜 and 𝑏 ∈ ℬ) is an I/O sum for the PHT function alone, we will look for I/O sums 𝑆𝑎,𝑏 PHT with non-zero imbalance instead of looking for 𝑆𝑎,𝑏 PHT−hr with non-zero imbalance. So our main purpose is to find 𝑎 ∈ 𝒜 and 𝑏 ∈ ℬ such that 𝑆𝑎,𝑏 PHT sum has the form 𝑊𝛼 ⨁𝜙(𝑊127, … , 𝑊𝛼−1, 𝑊𝛼+1, …, 𝑊0) for some input bit 𝑊𝛼, since this implies that the I/O sum imbalance is 0. First we consider PHT function. Table 2 shows three kind of dependences for some input and output bits. For example, for 𝑌102 we conclude that 𝑌102 = 𝑊11⨁𝑊22⨁𝑊92⨁𝑊102⨁𝑊111⨁𝑊121⨁ 𝜙(𝑊21, 𝑊91, 𝑊101; 𝑊10, 𝑊20, 𝑊30, 𝑊40, 𝑊90, 𝑊100, 𝑊110, 𝑊120; 𝑊5, 𝑊6, 𝑊7, 𝑊8, 𝑊13, 𝑊14, 𝑊15, 𝑊16) for some function 𝜙. (𝑎, 𝑏) 𝑙𝑏 (𝑌) 𝑙𝑎(𝑊) 𝐼(𝑆𝑎,𝑏 PHT) (0100000101001010, 1000000000000000) 𝑌10 𝑊20⨁𝑊80⨁𝑊100⨁𝑊130⨁𝑊150 1 (0100010111001110, 0100000000000000) 𝑌20 𝑊20⨁𝑊60⨁𝑊80⨁𝑊90⨁𝑊100⨁𝑊110⨁ 𝑊130⨁𝑊140⨁𝑊150 1 (1010010001000001, 0010000000000000) 𝑌30 𝑊10⨁𝑊30⨁𝑊60⨁𝑊100⨁𝑊160 1 (1111010001000011, 0001000000000000) 𝑌40 𝑊10⨁𝑊20⨁𝑊30⨁𝑊40⨁𝑊60⨁𝑊100⨁ 𝑊150⨁𝑊160 1 (0000011010010100, 0000100000000000) 𝑌50 𝑊60⨁𝑊70⨁𝑊90⨁𝑊120⨁𝑊140 1 (0101011010110100, 0000010000000000) 𝑌60 𝑊20⨁𝑊40⨁𝑊60⨁𝑊70⨁𝑊90⨁𝑊110⨁ 𝑊120⨁𝑊140 1 (0101100100000010, 0000001000000000) 𝑌70 𝑊20⨁𝑊40⨁𝑊50⨁𝑊80⨁𝑊150 1 (0111110101000010, 0000000100000000) 𝑌80 𝑊20⨁𝑊30⨁𝑊40⨁𝑊50⨁𝑊60⨁𝑊80⨁ 𝑊100⨁𝑊150 1 (0000001010010101, 0000000010000000) 𝑌90 𝑊70⨁𝑊90⨁𝑊120⨁𝑊140⨁𝑊160 1 (0000001111011101, 0000000001000000) 𝑌100 𝑊70⨁𝑊80⨁𝑊90⨁𝑊100⨁𝑊120⨁ 𝑊130⨁𝑊140⨁𝑊160 1 (0101000001101000, 0000000000100000) 𝑌110 𝑊20⨁𝑊40⨁𝑊100⨁𝑊110⨁𝑊130 1 (0101001001111001, 0000000000010000) 𝑌120 𝑊20⨁𝑊40⨁𝑊70⨁𝑊100⨁𝑊110⨁𝑊120⨁ 𝑊130⨁𝑊160 1 (0001100100100100, 0000000000001000) 𝑌130 𝑊40⨁𝑊50⨁𝑊80⨁𝑊110⨁𝑊140 1 (1001100100110101, 0000000000000100) 𝑌140 𝑊10⨁𝑊40⨁𝑊50⨁𝑊80⨁𝑊110⨁𝑊120⨁ 𝑊140⨁𝑊160 1 (1010010000010001, 0000000000000010) 𝑌150 𝑊10⨁𝑊30⨁𝑊60⨁𝑊60⨁𝑊120⨁𝑊160 1 (1010110100010101, 0000000000000001) 𝑌160 𝑊10⨁𝑊30⨁𝑊50⨁𝑊60⨁𝑊80⨁𝑊120⨁ 𝑊140⨁𝑊160 1 Linear Cryptanalysis of Modified SAFER+ Algorithm 118 Table 2. Dependencies for certain bits of the PHT output 𝑌 on certain bits of the PHT input 𝑊 "0"-no dependence, "1"-binary linear dependence (i.e., complementing this input bit complements the corresponding output bit), "n"- non-linear binary dependence. Input bit Output bit 𝑊1 7 6 5 4 3 2 1 𝑊2 7 6 5 4 3 2 1 𝑊3 7 6 5 4 3 2 1 𝑊4 7 6 5 4 3 2 1 𝑊9 7 6 5 4 3 2 1 𝑊10 7 6 5 4 3 2 1 𝑊11 7 6 5 4 3 2 1 𝑊12 7 6 5 4 3 2 1 𝑌1 7 6 5 4 3 2 1 0 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌2 7 6 5 4 3 2 1 0 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌3 7 6 5 4 3 2 1 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌4 7 6 5 4 3 2 1 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌6 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌9 7 6 5 4 3 2 1 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 𝑌10 7 6 5 4 3 2 1 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 𝑌11 7 6 5 4 3 2 1 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌12 7 6 5 4 3 2 1 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 n n n n n n 0 1 n n n n n 0 0 1 n n n n 0 0 0 1 n n n 0 0 0 0 1 n n 0 0 0 0 0 1 n 0 0 0 0 0 0 1 0 0 0 0 0 0 0 𝑌13 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌15 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 𝑌16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 M. Kyureghyan, K. Kyuregyan 119 Secondly, 𝑆𝑎,𝑏 PHT depends linearly on some 𝑊𝛼 if 𝑙𝑏 (𝑌) depends linearly on 𝑊𝛼 and 𝑎𝛼 = 0. Since 𝑎 ∈ 𝒜 , then the rows of Table 2 contain input bits that cannot appear in 𝑙𝑎(𝑊). Whenever 𝑙𝑏 (𝑌) contains an output bit that depends linearly on such a 𝑊𝛼 and contain no other output bit that depends on 𝑊𝛼 𝐼(𝑆𝑎,𝑏 PHT) = 0. By using Table 2 we can iteratively show that I/O sums 𝑆𝑎,𝑏 PHT with none-zero imbalance cannot contain any of the output bit 𝑌𝑖𝑗 , where 𝑖 = 1,2,3,4,9,10,11,12 and 𝑗 = 1,2,3,4,5,6,7. Finally, we consider the 216 − 1 balanced output functions obtained as linear combinations of the remaining 16 output bits that might occur if 𝑏 ∈ ℬ. For each of these output functions, we found all input functions such that 𝑆𝑎,𝑏 PHT doesn’t depend linearly on any input bit. It is easy to show that ((𝑎, 𝑏); 𝑎, 𝑏 ∈ {0,1}128, 𝐼(S𝑎,𝑏 PHT) = 1) is a subgroup of (𝒜 × ℬ, ⨁256bits). (In fact if 𝐼(S𝑎,𝑏 PHT) = 1 and 𝐼(S 𝑎′,𝑏′ PHT ) = 1 for some 128 tuples 𝑎′ and 𝑏′, then 𝐼(S 𝑎⨁𝑎′,𝑏⨁𝑏′ PHT ) = 𝐼(S𝑎,𝑏 PHT⨁S 𝑎′,𝑏′ PHT ) = 𝐼(S𝑎,𝑏 PHT) ∙ 𝐼(S 𝑎′,𝑏′ PHT ) = 1 as well, whch shows that 𝒜 × ℬ is closed under "⨁".) Thus, we obtain all I/O sums with non-zero imbalance, as is done in the statement of the lemma. We next consider the half round containing the nonlinear function NL and find homomorphic I/O sums for NL that have non-zero imbalance. Here the input function is homomorphic for XOR/ADD and the output function is homomorphic for ADD/XOR. Such I/O sums can be obtained by summing I/O sums for its EXP and LOG blocks. For the function EXP with the input byte U1 and output byte V1, the only homomorphic I/O sums are 𝑆𝑎1,𝑏1 EXP = 𝑙𝑎1(𝑈1)⨁ 𝑙𝑏1(𝑉1), for 𝑎1 ∈ 𝐵 8\{00}; 𝑏1 = 01. The most effective ones are obtained when (𝑎1, 𝑏1) is equal to (𝑐𝑑, 01) or (𝑓𝑓, 01) (the imbalance being 28 128 ) or to (86,01), (𝑏𝑓, 01), (𝑐0, 01) or (𝑓7,01) (the imbalance being 24 128 ). Computing all these I/O sums for EXP , establishes the following. Remark 2.1: 𝐼(𝑆01,01 EXP ) = 𝐼(𝑆02,01 EXP ) = 𝐼(𝑆03,01 EXP ) = 0. Furthermore, for all 𝑎1 and 𝑏1 in 𝐵8, if 𝑎17 = 0, then 𝐼(𝑆𝑎1,𝑏1 𝐸𝑋𝑃 ) = 0. For the function LOG with the input U2 and output V2, the only homomorphic I/O sums are 𝑆𝑎2,𝑏2 LOG = 𝑙𝑎2(U2)⨁ 𝑙𝑏2(V2), for 𝑎2 = 01; 𝑏2 ∈ 𝐵 8\{00}. Their imbalance is easily deduced since 𝐼(𝑆𝑎1,𝑏1 EXP ) = 𝐼(𝑆𝑏1,𝑎1 LOG ). Remark 2.2: For all 𝑎1 and 𝑏1 in 𝐵8, if 𝑏17 = 0, then 𝐼(𝑆𝑎1,𝑏1 LOG ) = 0. Finally we have link I/O sums for successive half rounds. Theorem 2.1: The procedure for finding effective homomorphic I/O sums doesn’t find an I/O sum with non-zero imbalance for cascade of half rounds taken in the same order as they are used in modified SAFER+ and containing at least two PHT-layers. Proof: Let 𝑇𝑎,𝑏 PHT−hr, 𝑇𝑏,𝑐 NL and 𝑇𝑐,𝑑 PHT−hr be linked homomorphic half-round threefold sums with maximizing key function. If 𝑇𝑎,𝑏 PHT−hr and 𝑇𝑐,𝑑 PHT−hr have none zero imbalance, the 128 bit none zero masks a, b, c, d, can have a 1 only in the two least significant bits of each byte (bits of byte are numbered from 7 for the most significant bit to 0 for the least significant bit) (Lemma 2.1). Then 𝐼(𝑇𝑏,𝑐 NL) = 0 since the I/O sum average key imbalance is also 0 (Remark 2.1) Therefore, the sum of the three half-round threefold sums has imbalance 0. One of the most effective I/O sums is 𝑆𝑎,𝑏 NL−PHT−NL, where 𝑎2, 𝑎4, 𝑎11 and 𝑏5, 𝑏6 are either 𝑐𝑑 or 𝑓𝑓and other bytes of 𝑎 and 𝑏 are zero. Their imbalance is ( 28 128 ) 5 , because Linear Cryptanalysis of Modified SAFER+ Algorithm 120 𝐼(𝑆𝑓𝑓,01 EXP ) = 𝐼(𝑆𝑐𝑑,01 EXP ) = 𝐼(𝑆01,𝑓𝑓 LOG ) = 𝐼(𝑆01,𝑐𝑑 LOG ) = 28 128 and because 𝐼(𝑆𝑎,𝑏 PHT) = 𝐼(𝑆𝑎1⨁𝑎2,𝑏1⨁𝑏2 PHT ) = 𝐼(𝑆𝑎1,𝑏1 PHT ) ∙ 𝐼(𝑆𝑎2,𝑏2 PHT ) = 1, if 𝑎1⨁𝑎2 = (00 00 00 00 00 01 01 00 01 00 00 01 00 01 00 00)⨁ (00 01 00 01 00 01 01 00 01 00 01 01 00 01 00 00) = (00 01 00 01 00 00 00 00 00 00 01 00 00 00 00 00) = 𝑎 (hex notation), 𝑏1⨁𝑏2 = ( 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00)⨁ (00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00) = (00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00) = 𝑏 (hex notation). 4. Conclusion We have proved that the procedure for finding effective homomorphic I/O sums, cannot find an I/O sum with none-zero imbalance for two rounds of modified SAFER+. Thus, as in the case with regular SAFER+, a modified SAFER+ is also secure against linear cryptanalysis after only three of its suggested six rounds. Acknowledgement The authors are thankful to Prof. Gurgen Khachatrian for very useful discussions and comments. References [1] K. Kyuregyan, “Some Modifications of SAFER+”, In Reports of NAS RA, vol. 115, no 1, pp. 33--39, Yerevan, Armenia, 2015. [2] J. L. Massey, G. Khachatrian and M Kyuregian, “Nomination of SAFER+ as candidate algorithm for the advanced encryption standard”, (AES). NIST AES Proposal, 1998. [3] Carlo H.: Cryptanalysis of iterated Block Ciphers, ETH Series In Information Processing (Ed Massey), v. 7, Konstanz: Hartung-Gorre Verlag, 1996. Submitted 05.11.2016, accepted 03.02.2016 M. Kyureghyan, K. Kyuregyan 121 Ձևափոխած SAFER+ ալգորիթմի գծային վերլուծությունը Մ Կյուրեղյան, Ք.Կյուրեղյան Ամփոփում [2] հոդվածում ներկայացված են SAFER+ համակարգի ձևափոխությունները, որոնք ալգորիթմի արագագործությունը բարելավում են մոտավորապես 1,7 անգամ, դիֆերենցիալ վերլուծության նկատմամբ ապահովելով նույն կրիպտոկայունությունը, ինչ՝ SAFER+ համակարգի ալգորիթմը: Այս հոդվածում ներկայացված է ձևափոխված SAFER+ համակարգի կրիպտոկայունությունը բլոկային ծածկագրական համակարգերի մյուս ամենաարդյունավետ կրիպտովերլուծության, գծային վերլուծության նկատմամբ: Ցույց է տրվել, որ SAFER+ համակարգը ձևափոխություններից հետո (ձևափոխած SAFER+) գծային վերլուծության նկատմամբ ևս ունի միևնույն կրիպտոկայունությունը, ինչ՝ SAFER+ համակարգը: Линейнный криптоанализ модифицированного алгоритма SAFER+ М. Кюрегян, К. Кюрегян Аннотация В статье [2] представлены некоторые модификации системы SAFER+, которые примерно в 1,7 раза увеличивают скорость алгоритма, обеспечивая такую же криптостойкость по отношению к дифференциальному анализу, как алгоритм системы SAFER+. В этой статье представлена криптостойкость модифицированной системы SAFER+ по отношению к линейному анализу, который являетса одним из эффективных аттак против итеративных блочных шифров. Было доказано, что после модификации система SAFER+ (модифицированный SAFER+) имеет ту же криптостойкость по отношению к линейному анализу, что и система SAFER+.