Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family

This paper investigates the degradation properties of Boolean functions from the aspects of the distributions of differences and linear masks, and shows two characterizations of the degraded Boolean function. One is that there exists a linear space of the input differences, where the differentials with the zero output difference have probability 1; Another one is that the input linear masks of the nonzero-correlation linear approximations are included in a linear space. Those two linear spaces are orthogonal spaces. Moreover, the degradation properties are showed about the exponentiation type S-box of the SAFER block ciphers, which are applied to reduce the compute complexity in the zero-correlation linear attacks on 5-round SAFER SK/128, 4(5)-round SAFER+/128(256) and 5(6)-round SAFER++/128(256). In the attacks, some of the linear properties of PHT employed as the linear layer by the SAFER block ciphers are investigated and some zero-correlation approximations for SAFER SK, SAFER+, and SAFER++ are identified, when only the least one or two significant bits are considered. The results show that more rounds of some of the SAFER block ciphers can be attacked, by considering the degradation properties and the zero-correlation linear relations.