Towards the Links of Cryptanalytic Methods on MPC/FHE/ZK-Friendly Symmetric-Key Primitives

Abstract. Symmetric-key primitives designed over the prime field $\mathbb{F}_p$ with odd characteristic, rather than the traditional $\mathbb{F}_2^n$, are becoming the most popular choice for MPC/FHE/ZK protocols because of their better efficiency. However, the security of designs over $\mathbb{F}_p$ is less understood, as there are highly nontrivial gaps when extending the cryptanalytic tools and experience built on $\mathbb{F}_2^n$ over the past few decades to $\mathbb{F}_p$. At CRYPTO 2015, Sun et al. established the links among impossible differential, zero-correlation linear and integral cryptanalysis over $\mathbb{F}_2^n$ from the perspective of distinguishers. In this paper, following the definition of linear correlations over $\mathbb{F}_p$ by Baignères, Stern and Vaudenay at SAC 2007, we establish comprehensive links over $\mathbb{F}_p$ by reproducing the proofs and offering alternatives where necessary. Interesting

Motivations. MPC/FHE/ZK have been among the most popular lines of research in recent years, bringing researchers from different subareas of cryptography together. With many innovative and efficient symmetric-key primitives having been proposed, all these explorations may pose potential threats to the security of these novel designs. Naturally, developing new collections of symmetric cryptanalytic tools over the prime field $\mathbb{F}_p$ is urgently needed, which would facilitate design and cryptanalysis for researchers with a variety of backgrounds. The links between symmetric cryptanalytic techniques have been important tools and are well studied over $\mathbb{F}_2^n$ in many dedicated works [CV94, BN13, Lea11, BLNW12, SLR+15, BN14], among which linear cryptanalysis and its variants serve, to some extent, as the connections between these methods. When considering linear correlation over $\mathbb{F}_2^n$, the parity check is used extensively because it is fast to compute; the correlation over $\mathbb{F}_p$, however, is different: it was introduced and defined over the complex plane by Baignères et al. [BSV07] for better estimates, but it is also more complicated to handle. Therefore, full links among some popular symmetric cryptanalytic techniques over $\mathbb{F}_p$ are still missing. Beyne [Bey21] has recently provided new insights into linear cryptanalysis over abelian groups and generalized the link between zero-correlation and integral attacks by introducing a geometric approach. So we wonder whether comprehensive links among these symmetric cryptanalytic methods over $\mathbb{F}_p$ can be built in a more popular way, such as in the work of Bogdanov et al. [BLNW12], and whether different or similar properties between $\mathbb{F}_p$ and $\mathbb{F}_2^n$ can be identified from the establishment of these links.
Contributions. In this paper, from the aspect of distinguishers, we establish for the first time comprehensive links among impossible differential, zero-correlation linear and integral cryptanalysis over $\mathbb{F}_p$. From the development of the theory over $\mathbb{F}_p$ behind these links, both similar and different properties are identified, which brings a clearer and easier understanding of the security of these MPC/FHE/ZK-friendly primitives. Then, as a bonus and also as applications, by using the proposed links we obtain improved distinguishers of different types for GMiMC, a family of symmetric-key primitives proposed at ESORICS 2019 by Albrecht et al. [AGP+19b]. For simplicity, in the rest of the paper we use DC, LC, IDC, ZC and INT to denote the corresponding distinguishers or cryptanalytic methods of differential, linear, impossible differential, zero-correlation linear and integral cryptanalysis, respectively. Our contributions are detailed as follows.
Comprehensive links among IDC, ZC and INT over $\mathbb{F}_p$. In Section 3, the links between IDC and ZC over $\mathbb{F}_p$ are established first. Then, from the basic definition of linear correlation over $\mathbb{F}_p$, an alternative proof of the links between ZC and INT is presented, and we find that a ZC does not always imply the existence of an INT over $\mathbb{F}_p$, whereas this is always the case over $\mathbb{F}_2^n$, as proved in [SLR+15]; this exhibits a difference between $\mathbb{F}_p$ and $\mathbb{F}_2^n$. For the other direction, we prove that an INT leads to a ZC if and only if it is a balanced integral distinguisher. Besides, to the best of our knowledge there is no related work on a statistical complexity model for ZC over $\mathbb{F}_p$, and our links provide a temporary solution when one wants to make use of a ZC over $\mathbb{F}_p$ for a further attack. With these formal treatments of the conditions and properties over $\mathbb{F}_p$, IDC and INT can be linked naturally, again including the difference between $\mathbb{F}_p$ and $\mathbb{F}_2^n$. When establishing these links, we not only cover as many cipher constructions as possible, but also utilize the inverse structure $\mathcal{E}^{-1}$, together with the structure $\mathcal{E}$ and its dual $\mathcal{E}^{\perp}$ introduced in [BBW14, SLR+15], to explore more refined links via the potential equivalence relations between these structures. Finally, the comprehensive links among these symmetric cryptanalytic methods over $\mathbb{F}_p$ are established (abstracted in Figure 1), which makes it possible to investigate more constructions with less cryptanalytic effort and could serve as fundamental tools for future design and cryptanalysis over $\mathbb{F}_p$.

Improvements of IDC, ZC and INT for all GMiMC constructions.
To showcase the established links, we apply them to GMiMC and obtain improved IDC, ZC and INT distinguishers for all GMiMC constructions in Section 4, summarized in Table 1 and Table 2. For the unbalanced Feistel constructions GMiMC_erf and GMiMC_crf, improved IDC, ZC and INT are obtained by using the equation-based method together with the established links. Under the condition $t \equiv 1 \pmod p$, DC, LC, IDC, ZC and INT distinguishers can even be constructed for any number of rounds, which identifies another gap between $\mathbb{F}_p$ and $\mathbb{F}_2^n$. Although this case is limited to a large number of branches $t$ over a small field $\mathbb{F}_p$, it still fits some potential instantiations (e.g., the two instances GMiMC_erf-$(p = 5, t = 86, r = 261)$ and GMiMC_erf-$(p = 17, t = 52, r = 160)$ provided in [AGP+19b, Tables 6 and 7]) intended to compete with LowMC in post-quantum signatures, especially for use cases requiring full-data security, where GMiMC is used as a block cipher with 256-bit block/key size in a Davies-Meyer construction to obtain a collision-resistant hash function. It should be noted that in the low-data setting of [CDG+17], apart from the probability-one LC, which can be used to recover one bit of information about the preimage, these statistical distinguishers cannot be applied, because the limited data access rules out the chosen-plaintext model. For the two balanced Feistel constructions GMiMC_Nyb and GMiMC_mrf, we reveal some underlying equivalence relations, and by using our refined links one-to-one correspondences between IDC, ZC and INT are obtained. Finally, combined with the equation-based method, improved IDC, ZC and INT are also achieved for these two constructions.
Notes to Tables 1 and 2: (⋆) For GMiMC_Nyb and GMiMC_mrf, the number of branches $t$ is even and $t \ge 4$. (⋆⋆) $\Lambda(t) = 2\lceil \log_2 t \rceil$ is the minimum number of rounds to reach full diffusion.

Comparisons to previous works on GMiMC.
There are some prior dedicated cryptanalysis results [Bon19, BCD+20, BL22] on GMiMC. In [Bon19], Bonnetain observed that there exist special slide attacks on GMiMC with key size $\log_2 p$, that is, the univariate case introduced later in Section 2.2. Thus, due to the weaknesses found for rounds (where $d$ is the degree of the power map) is constructed with the dedicated degree-based method and only works for the permutation used in the hash function; it reduces to $2t - 3 + \log_d(p - 2)$ rounds for block cipher usage, because subkeys are added in the first $2t - 2$ rounds. Thus, our method provides a convenient way to derive structural distinguishers that capture the underlying structural properties of the target construction, which are basic and convenient tools for both designers and cryptanalysts.
• DC. We note that truncated differential cryptanalysis seems more powerful than the other statistical attacks on GMiMC to date. However, on the one hand, we would like to emphasize that the comprehensive links established in this paper are among IDC, ZC and INT over $\mathbb{F}_p$; to apply our links it is natural to improve these three kinds of distinguishers first, which shows the convenience and effectiveness of our method. On the other hand, from the designer's point of view all attack vectors should be taken into consideration, so it is still necessary to explore the bounds of different kinds of distinguishers, such as the IDC and INT improvements provided in [BCD+20].
Besides, to establish these refined links over $\mathbb{F}_p$, we focus more on different kinds of constructions and on structural distinguishers (i.e. IDC, ZC and INT). Hence, mounting preimage/collision attacks (IDC, ZC and INT are not suitable for preimage/collision attacks) or key-recovery attacks on concrete ciphers is not our goal and is left for future work.

Preliminaries
In this section we give some preliminaries, including differential, linear and integral properties, and the structure, dual structure and inverse structure of symmetric-key primitives, which will be used in the proofs of the links over $\mathbb{F}_p$ in Section 3; throughout this paper we mainly consider the prime field $\mathbb{F}_p$ with odd characteristic. For the later applications in Section 4, the GMiMC ciphers are also briefly introduced.

Differential, Linear and Integral Cryptanalysis over F p
Differential cryptanalysis over $\mathbb{F}_p$: The differential probability of a function $F$ over $\mathbb{F}_p^t$ generalizes directly, where $\alpha, \beta, x \in \mathbb{F}_p^t$:
$$\mathrm{DP}_F(\alpha \to \beta) = \frac{\left|\{x \in \mathbb{F}_p^t : F(x + \alpha) - F(x) = \beta\}\right|}{p^t}.$$
Considering the key addition commonly used in symmetric-key primitives over $\mathbb{F}_p$, the modular-subtraction difference is adopted here.
Linear cryptanalysis over $\mathbb{F}_p$: Baignères et al. [BSV07] developed the correlation analysis of primitives operating on a prime field, which has recently been used to evaluate the security of Ciminion [DGGK21] against linear attacks. The core idea is that a character is an additive homomorphism from $\mathbb{F}_p^t$ into $S_p = \{z \in \mathbb{C} : z^p = 1\}$, and any character is of the form $x \mapsto e^{\frac{2\pi i}{p} u^T x}$ for some $u \in \mathbb{F}_p^t$. The following definition of correlation over $\mathbb{F}_p$ is then introduced.
Definition 1 (Correlation over $\mathbb{F}_p$ [BSV07]). Given a function $F : \mathbb{F}_p^t \to \mathbb{F}_p^s$ and a linear mask pair $(u, v)$ with $u \in \mathbb{F}_p^t$ and $v \in \mathbb{F}_p^s$, the correlation of the linear approximation $(u, v)$ of $F$ is defined as
$$\mathrm{cor}_F(u, v) = \frac{1}{p^t} \sum_{x \in \mathbb{F}_p^t} e^{\frac{2\pi i}{p}\,(v^T F(x) - u^T x)}.$$
According to this definition, the correlation over $\mathbb{F}_p$ is a complex number whose norm lies in $[0, 1]$, and the linear probability can be defined as follows.
Definition 2 (Linear probability over $\mathbb{F}_p$ [BSV07]). $\mathrm{lprob}_F(u, v) = |\mathrm{cor}_F(u, v)|^2$.
Zero-correlation linear hulls were introduced by Bogdanov and Rijmen [BR14] over $\mathbb{F}_2^n$; based on the linear correlation defined over $\mathbb{F}_p$, the notion generalizes naturally to $\mathbb{F}_p$.
Definition 3 (Zero-correlation linear hull over $\mathbb{F}_p$). Given a function $F : \mathbb{F}_p^t \to \mathbb{F}_p^s$ and a mask pair $(u, v)$ with $u \in \mathbb{F}_p^t$ and $v \in \mathbb{F}_p^s$, $(u, v)$ is called a zero-correlation linear hull of $F$ if and only if $\mathrm{cor}_F(u, v) = 0$.
Given the definitions above, the propagation of linear masks over $\mathbb{F}_p$ through some basic operations can be derived. Similarly to $\mathbb{F}_2^n$, for the branching operation $x \mapsto (x, x)$ with $x \in \mathbb{F}_p$ and masks $a \to (b, c)$, it must hold that $a = b + c$; for the addition $x + y = z$ with $x, y, z \in \mathbb{F}_p$ and masks $(a, b) \to c$, it must hold that $a = b = c$. For detailed proofs and other operations we refer the reader to [DGGK21, Appendix C.2]. Furthermore, the following properties over $\mathbb{F}_p$ can be deduced.

Proposition 1. For any fixed non-zero $a \in \mathbb{F}_p$, $\mathrm{cor}(a \cdot x) \triangleq \frac{1}{p}\sum_{x \in \mathbb{F}_p} e^{\frac{2\pi i}{p} a x} = 0$.
Proof. As $a$ is non-zero, for the complex number $e^{\frac{2\pi i}{p} a} = \cos(\frac{2\pi}{p} a) + \sin(\frac{2\pi}{p} a)\, i$ we have $e^{\frac{2\pi i}{p} a} \neq 1$. Considering the complex multiplication, the sum is a geometric series:
$$\sum_{x=0}^{p-1} \left(e^{\frac{2\pi i}{p} a}\right)^x = \frac{e^{2\pi i a} - 1}{e^{\frac{2\pi i}{p} a} - 1} = 0,$$
since $e^{2\pi i a} = 1$ for the integer $a$.
Proposition 1 can be directly generalized to dimension $t$ as follows.
Corollary 1. For any fixed non-zero $a \in \mathbb{F}_p^t$, $\mathrm{cor}(a^T \cdot x) \triangleq \frac{1}{p^t}\sum_{x \in \mathbb{F}_p^t} e^{\frac{2\pi i}{p} a^T x} = 0$.
Proof. Writing $a^T x = \sum_{i=1}^{t} a_i x_i$, the sum factors as $\prod_{i=1}^{t} \mathrm{cor}(a_i \cdot x_i)$. Since $a$ is non-zero, there must be at least one $a_i \neq 0$, and by Proposition 1 $\mathrm{cor}(a_i \cdot x_i) = 0$, which ends the proof.
Integral cryptanalysis over $\mathbb{F}_p$: The notion of integral attacks was introduced by Knudsen and Wagner [KW02] and captures several variants, including the higher-order differential attack [Lai94] and the saturation attack [Luc01]. Higher-order differentials over $\mathbb{F}_p$ can also make use of a generalized notion of differentiation, as analyzed by Lai in [Lai94] (see also [AP11]). Recently, Beyne [Bey21] showed that the same technique can be used over $\mathbb{F}_p$ and can further be extended to multiplicative subgroups (see [Bey21, Proposition 1, Corollary 1, Proposition 2]); this kind of degree-based integral distinguisher need not have the balanced property defined below.
Definition 4 (Balanced property over $\mathbb{F}_p$). Given a function $F : \mathbb{F}_p^t \to \mathbb{F}_p^s$ and a subspace $A$ of $\mathbb{F}_p^t$, if the size of the set $F_A(y) \triangleq \{x \in A \mid F(x) = y\}$ is independent of $y \in \mathbb{F}_p^s$, we say that $F$ is balanced on $A$.
It can be observed that if $F$ is balanced on $A$, then it has the balanced integral (zero-sum) property, i.e. $\sum_{x \in A} F(x) = 0$. It should be noted that in this paper we focus more on this kind of balanced integral distinguisher, which reveals more of the underlying structural properties of the ciphers.
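The following is an added worked example (not code from the paper): it evaluates the correlation of Definition 1 by brute force for small $p$, checks Proposition 1 and Corollary 1, the mask-propagation rules for branching and addition, and the balanced and zero-sum properties of Definition 4, including a zero-sum function that is not balanced. The sign convention $\mathrm{cor}_F(u,v) = p^{-t}\sum_x \omega^{v^T F(x) - u^T x}$ is an assumption; the opposite sign only conjugates the value, so zero-correlation and $|\mathrm{cor}|$ are unaffected.

```python
"""Added example (not code from the paper): brute-force evaluation of the correlation
of Definition 1 over F_p, used to check Proposition 1, the mask-propagation rules for
branching and addition, and the balanced / zero-sum properties of Definition 4.
Assumed sign convention: cor_F(u, v) = p^-t * sum_x omega^(v.F(x) - u.x) with
omega = exp(2*pi*i/p); the opposite sign only conjugates the value, so |cor| and
zero-correlation are unaffected."""
import cmath
import itertools
import math
from collections import Counter


def omega(p, e):
    """Additive character e -> exp(2*pi*i*e/p) of F_p, an element of S_p = {z : z^p = 1}."""
    return cmath.exp(2j * math.pi * (e % p) / p)


def dot(u, x, p):
    return sum(ui * xi for ui, xi in zip(u, x)) % p


def correlation(F, p, t, u, v):
    """cor_F(u, v) for F: F_p^t -> F_p^s with masks u in F_p^t, v in F_p^s (Definition 1)."""
    total = 0j
    for x in itertools.product(range(p), repeat=t):
        total += omega(p, dot(v, F(x), p) - dot(u, x, p))
    return total / p ** t


def linear_char_sum(p, t, a):
    """cor(a^T x) = p^-t * sum_x omega^(a.x); Proposition 1 / Corollary 1: zero iff a != 0."""
    return correlation(lambda x: (dot(a, x, p),), p, t, (0,) * t, (1,))


def is_balanced(F, p, s, A):
    """Definition 4: every y in F_p^s has the same number of preimages under F inside A."""
    counts = Counter(tuple(F(x)) for x in A)
    if len(A) % p ** s:
        return False
    share = len(A) // p ** s
    return all(counts.get(y, 0) == share for y in itertools.product(range(p), repeat=s))


def is_zero_sum(F, p, s, A):
    """Integral (zero-sum) property: sum_{x in A} F(x) = 0 coordinate-wise in F_p."""
    acc = [0] * s
    for x in A:
        for i, yi in enumerate(F(x)):
            acc[i] = (acc[i] + yi) % p
    return all(c == 0 for c in acc)


def demo(p=5):
    """Checks over F_5; the returned magnitudes are 0 or 1 up to floating-point error."""
    full = list(itertools.product(range(p), repeat=1))
    branch = lambda x: (x[0], x[0])            # x -> (x, x)
    add = lambda x: ((x[0] + x[1]) % p,)        # (x, y) -> x + y
    cube = lambda x: (pow(x[0], 3, p),)         # x^3 permutes F_5 (gcd(3, p-1) = 1)
    square = lambda x: (pow(x[0], 2, p),)       # x^2 is 2-to-1 on the non-zero elements
    return {
        "prop1_nonzero_mask": abs(linear_char_sum(p, 2, (2, 3))),              # 0
        "prop1_zero_mask": abs(linear_char_sum(p, 2, (0, 0))),                 # 1
        "branch_a_eq_b_plus_c": abs(correlation(branch, p, 1, (3,), (1, 2))),  # 1
        "branch_otherwise": abs(correlation(branch, p, 1, (3,), (1, 1))),      # 0
        "add_a_eq_b_eq_c": abs(correlation(add, p, 2, (2, 2), (2,))),          # 1
        "add_otherwise": abs(correlation(add, p, 2, (1, 2), (1,))),            # 0
        "cube_balanced": is_balanced(cube, p, 1, full),       # True: a permutation
        "square_balanced": is_balanced(square, p, 1, full),   # False: counts (1,2,0,0,2)
        "square_zero_sum": is_zero_sum(square, p, 1, full),   # True: zero-sum, not balanced
    }
```

The $x^2$ case is the point of the last two checks: its integral over $\mathbb{F}_5$ is zero, so it passes a zero-sum test, but it is not balanced in the sense of Definition 4, which is exactly the distinction the text draws between degree-based integral distinguishers and the balanced ones used in this paper.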

Specifications of GMiMC
GMiMC is a family of symmetric-key primitives designed by Albrecht et al. [AGP+19b] based on several generalized (unbalanced and balanced) Feistel networks, using the power map $S(x) := x^d$ as the non-linear component of the round function: GMiMC_erf with an expanding round function, GMiMC_crf with a contracting round function, GMiMC_Nyb with Nyberg's GFN structure, and GMiMC_mrf with a new structure named Multi-Rotating by the designers, where different rotation parameters $s_r$ are chosen in different rounds to change the positions of the S-boxes (see Figure 2(d)). As the GMiMC permutations can be used to construct both hash functions and block ciphers, we only depict the round functions of the corresponding permutations in Figure 2. For block cipher usage, the GMiMC block cipher supports two key sizes: the univariate case $\log_2(p)$ and the multivariate case $t \cdot \log_2(p)$. Rounds are numbered starting from 1 and branches from 1 to $t$, where Branch 1 is the leftmost branch. For example, the state of Branch 1 in round $r$ of GMiMC_erf is denoted $x^1_r$ in Figure 2(a), with $x^1_r \in \mathbb{F}_p$ for the chosen prime $p$. We denote a concrete instance of the GMiMC permutation by GMiMC-$(p, t, R)$, where $R$ is the total number of rounds. For more details of GMiMC, we refer the reader to the design paper [AGP+19b].
Figure 2: the round functions of (a) GMiMC_erf, (b) GMiMC_crf, (c) GMiMC_Nyb and (d) GMiMC_mrf (figure not reproduced).

Structure, Dual Structure and Inverse Structure of Symmetric-Key Primitives over F p
The structure and dual structure of block ciphers over $\mathbb{F}_2^n$ were introduced in [BBW14] to obtain equivalences between different structures, and were also used in [SLR+15]. Together with the inverse structure utilized in this paper, we adapt these definitions to symmetric-key primitives over $\mathbb{F}_p$.
Definition 5. Let $E : \mathbb{F}_p^t \to \mathbb{F}_p^t$ be a permutation that can be decomposed into S-boxes (the non-linear part) and linear transformations (the linear part). The internal state of $E$ is represented by $t$ elements of $\mathbb{F}_p$.
(1) A structure $\mathcal{E}^E$ over $\mathbb{F}_p^t$ is defined as the set of primitives that are exactly the same as $E$ except that the S-boxes can take all possible transformations on the corresponding domains.
(2) If $E$ uses bijective S-boxes, then the S-boxes adopted in $\mathcal{E}^E$ should also be bijective. However, if the S-boxes used in $E$ are not limited to bijective ones, then $\mathcal{E}^E$ is defined as the set of permutations $E'$ that are exactly the same as $E$ except that the S-boxes can take all possible transformations.
Now we adapt the definition of dual structure in [SLR+15] to $\mathbb{F}_p$ and cover the generalized Feistel structure in [BMT13].
Definition 6. We give the dual structures of the classical balanced Feistel structure, the generalized Feistel structure, the SPN structure and the two unbalanced Feistel structures as below.
• Let $\mathcal{F}_{SP}$ be a Feistel structure with SP-type round function, whose state first passes the non-linear layer $S$ and then the linear transformation $P$. By abuse of notation, we also use $P$ for the matrix representation of the linear layer in the rest of the paper, with transpose $P^T$ and inverse $P^{-1}$. Let $\sigma$ be the operation that exchanges the left and right halves of a state. Then the dual structure $\mathcal{F}^{\perp}_{SP}$ of $\mathcal{F}_{SP}$ is defined as $\sigma \circ \mathcal{F}_{P^T S} \circ \sigma$, whose state passes the $\sigma$ operation, the linear transformation $P^T$, the non-linear layer $S$ and the $\sigma$ operation.
• Let $\mathcal{GF}_{FP}$ be a Generalized Feistel structure (including the Extended Generalized Feistel structure) as defined in [BMT13], where $F$ is the non-linear part of the round function in the matrix representation used in [BMT13] and $P$ is the linear transformation. Then the dual structure $\mathcal{GF}^{\perp}_{FP}$ of $\mathcal{GF}_{FP}$ is defined as $\mathcal{GF}_{F^T (P^{-1})^T}$.
• Let $\mathcal{E}_{SP}$ be an SPN structure with the non-linear layer $S$ first, followed by the linear transformation $P$. Then the dual structure $\mathcal{E}^{\perp}_{SP}$ is defined as $\mathcal{E}_{S(P^{-1})^T}$.
• Let $\mathcal{E}_{\mathrm{erf}}$ be the structure $\mathcal{E}^{\mathrm{GMiMC_{erf}}}$ and $\mathcal{E}_{\mathrm{crf}}$ the structure $\mathcal{E}^{\mathrm{GMiMC_{crf}}}$. Then $\mathcal{E}_{\mathrm{erf}}$ and $\mathcal{E}_{\mathrm{crf}}$ are dual to each other.
Since we do not consider the details of the S-box, by abuse of notation $S$ in a structure only signifies the position of the S-box layer and is not a concrete S-box layer. A demonstration of the structure (Figure 3(a)) and its dual structure (Figure 3(b)) is given for the classical Feistel structure. It should be noted that GMiMC_Nyb and GMiMC_mrf are covered by $\mathcal{GF}_{FP}$ and $\mathcal{F}_{SP}$ respectively; for simplicity, the notations $\mathcal{E}_{\mathrm{Nyb}}$, $\mathcal{E}_{\mathrm{mrf}}$ and their dual structures will also be used in the rest of the paper. The inverse structure is introduced as follows.
Definition 7. We give the inverse structures of the classical balanced Feistel structure, the generalized Feistel structure, the SPN structure and the two unbalanced Feistel structures as below.
• Let $\mathcal{F}_{SP}$ be a Feistel structure with SP-type round function, with the matrix representation of the linear transformation being $P$, and let $\sigma$ be the operation that exchanges the left and right halves of a state. Then the inverse structure is the structure of the corresponding inverse permutation, denoted $\mathcal{F}^{-1}_{SP}$.
• Let $\mathcal{GF}_{FP}$ be a Generalized Feistel structure (including the Extended Generalized Feistel structure) as defined in [BMT13], where $F$ is the non-linear part of the round function, followed by the linear transformation $P$. Then the inverse structure is the structure of the corresponding inverse permutation, denoted $\mathcal{GF}^{-1}_{FP}$.
• Let $\mathcal{E}_{SP}$ be an SPN structure with the non-linear layer $S$ first, followed by the linear transformation $P$. Then the inverse structure $\mathcal{E}^{-1}_{SP}$ is defined as $\mathcal{E}_{P^{-1} S}$.
• Let $\mathcal{E}_{\mathrm{erf}}$ and $\mathcal{E}_{\mathrm{crf}}$ be the structures $\mathcal{E}^{\mathrm{GMiMC_{erf}}}$ and $\mathcal{E}^{\mathrm{GMiMC_{crf}}}$. Then the corresponding inverse structures are $\mathcal{E}^{-1}_{\mathrm{erf}}$ and $\mathcal{E}^{-1}_{\mathrm{crf}}$ respectively.

Links among Impossible differential, Zero-correlation linear and Integral Cryptanalysis over F p
We start by giving the links between IDC and ZC over $\mathbb{F}_p$; more refined links are then obtained by covering more constructions and some equivalence relations. Then we build the links between ZC and INT over $\mathbb{F}_p$, from which differences between $\mathbb{F}_p$ and $\mathbb{F}_2^n$ are observed. Finally, bridging the previous links (from IDC to ZC and from ZC to INT), we provide the links between IDC and INT over $\mathbb{F}_p$. It should be noted that some basic differential and linear properties over $\mathbb{F}_p$ are employed in a nontrivial way, and that, unlike the $\mathbb{F}_2^n$ analogue, addition over $\mathbb{F}_p$ is not an involution and any non-zero element generates all of $\mathbb{F}_p$, so $\mathbb{F}_p$ itself is its only nontrivial linear subspace. Because of this, a ZC/IDC does not always imply an INT, and we need to characterize sufficient conditions, which exhibits the essential difference between the links over $\mathbb{F}_p$ and over $\mathbb{F}_2^n$. As we consider the structure, its dual and its inverse, unless specified otherwise the S-box adopted in these structures is regarded as an ideal S-box, that is, any active input difference (mask) can lead to any active output difference (mask), and an inactive input difference (mask) only produces an inactive output difference (mask).

Links between IDC and ZC over F p
Similarly to the proofs by Sun et al. [SLR+15], the transformations over $\mathbb{F}_p$ between IDC and ZC are proved in the following two lemmas, one for each direction, and are then extended to more constructions and structures.
Lemma 1. For a linear hull $(\delta_0, \delta_1) \to (\delta_r, \delta_{r+1})$ of some $E \in \mathcal{F}^{\perp}_{SP}$ with non-zero correlation, there exists $E' \in \mathcal{F}_{SP}$ for which $(\delta_1, \delta_0) \to (\delta_{r+1}, \delta_r)$ is a differential with non-zero probability.
Proof. As $(\delta_0, \delta_1) \to (\delta_r, \delta_{r+1})$ is a linear hull of some $E \in \mathcal{F}^{\perp}_{SP}$ with non-zero correlation (see also Figure 3(b)), by the definitions of the linear probability of a linear characteristic and of a linear hull over $\mathbb{F}_p$ [BSV07, Section 3.2] there must be a linear characteristic with non-zero correlation, where the input of the round function can be divided into $t$ elements of $\mathbb{F}_p$, that is, $\delta_i \in \mathbb{F}_p^t$. Consider this linear characteristic, and denote the output mask of the non-linear layer in round $i$ by $\beta_i$ and the input mask of the linear layer $P^T$ by $\gamma_i$. If $\gamma_i \neq P\beta_i$, then by Corollary 1 $\mathrm{cor}((\gamma_i - P\beta_i)^T \cdot x_i) = 0$, which contradicts the non-zero correlation of this linear characteristic. Thus $\delta_{i-1} = \delta_{i+1} + \gamma_i = \delta_{i+1} + P\beta_i$ must hold.
Now turning to the dual structure, for any plaintext $(x_L, x_R)$ we construct an $r$-round cipher $E_r \in \mathcal{F}_{SP}$ round by round. When $r = 1$, for $j \in \{1, \ldots, t\}$: if $\delta^j_1 = 0$, we define $S'^{\,j}_1$ as any transformation over $\mathbb{F}_p$, and if $\delta^j_1 \neq 0$, we define $S'^{\,j}_1$ as follows. Then for $E_1 \in \mathcal{F}_{SP}$ adopting such S-boxes the required differential holds with non-zero probability. Suppose that we have constructed $E_{r-1}$ such that the differential holds. Then in the $r$-th round, if $\delta^j_r = 0$, we define $S'^{\,j}_r$ as any transformation over $\mathbb{F}_p$; otherwise, we define $S'^{\,j}_r$ as follows.
Lemma 2. For a differential $(\delta_1, \delta_0) \to (\delta_{r+1}, \delta_r)$ of some $E \in \mathcal{F}_{SP}$ with non-zero probability, there exists $E' \in \mathcal{F}^{\perp}_{SP}$ for which $(\delta_0, \delta_1) \to (\delta_r, \delta_{r+1})$ is a linear hull with non-zero correlation.
Proof. As $(\delta_1, \delta_0) \to (\delta_{r+1}, \delta_r)$ is a differential of some $E \in \mathcal{F}_{SP}$ with non-zero differential probability (see also Figure 3(a)), there must exist a differential characteristic with non-zero probability, with $\delta_i \in \mathbb{F}_p^t$. For this differential characteristic, consider the input difference of the non-linear layer and the following fact: for a mask pair $(\beta^j_i, \delta^j_i)$ with $\delta^j_i \neq 0$, there always exists an element $a^j_i \in \mathbb{F}_p$ such that $\beta^j_i = a^j_i \delta^j_i$; then for $S^j_i(x) = a^j_i x$ the corresponding correlation is non-zero. Define $S_{1,j}(x) = a^j_1 x$ for $\delta^j_1 \neq 0$ and any linear transformation over $\mathbb{F}_p$ otherwise. Then all operations in $E_1 \in \mathcal{F}^{\perp}_{SP}$ are linear over $\mathbb{F}_p$, which implies that there exists an affine transformation $L_1$ with $E_1(x) = L_1 x$. We then define $S_{r,j}(x)$ in the $r$-th round in the same way and have $E_r(x) = L_r x = A_r x + B_r$, where $A_r$ is a $2t \times 2t$ matrix over $\mathbb{F}_p$ and $B_r$ is a $2t$-dimensional vector over $\mathbb{F}_p$, such that $\mathrm{cor}((\delta_0, \delta_1) \to (\delta_r, \delta_{r+1})) \neq 0$.
Theorem 1. $a \to b$ is an impossible differential (zero-correlation linear hull) of $\mathcal{F}_{SP}$ if and only if it is a zero-correlation linear hull (impossible differential) of $\mathcal{F}^{\perp}_{SP}$.
Proof. We consider the following two parts.
(1) Assume $a \to b$ is an impossible differential of $\mathcal{F}_{SP}$ but not a zero-correlation linear hull of $\mathcal{F}^{\perp}_{SP}$. Then, according to Lemma 1, there must be some $E' \in \mathcal{F}_{SP}$ for which $a \to b$ has non-zero probability, a contradiction.
(2) Similarly, assume $a \to b$ is a zero-correlation linear hull of $\mathcal{F}^{\perp}_{SP}$ but not an impossible differential of $\mathcal{F}_{SP}$. Then, according to Lemma 2, there must be some $E' \in \mathcal{F}^{\perp}_{SP}$ for which $a \to b$ has non-zero correlation, a contradiction.
Note that, to focus on the proofs of the structures in Lemma 1 and Lemma 2, we did not require the constructed S-boxes to be bijective. If the adopted S-box is bijective, the two lemmas still hold. In Lemma 1, for a bijective S-box, if the correlation is non-zero then the output mask $\delta^j_i \neq 0$ implies the input mask $\beta^j_i \neq 0$, and the S-box $S'^{\,j}_r$ can be chosen to satisfy both the bijectivity condition and the difference transitions. In Lemma 2, for a bijective S-box, if the differential probability is non-zero then the input difference $\delta^j_i \neq 0$ implies the output difference $-\beta^j_i \neq 0$. Thus we can define the S-box $S^j_r(x) = a^j_r x$ with $a^j_r \neq 0$ and $-\beta^j_i = a^j_r \delta^j_r$, which satisfies the bijectivity condition and the linear mask propagation.
For the above proofs of the classical Feistel network with SP-type round function, an abstraction $S$ of the S-box layer and the matrix representation $P$ of the linear layer are used. When considering this kind of SP-type round function in other constructions, similar theorems are obtained for the SPN construction and the Generalized Feistel Networks introduced in [BMT13], where generic matrix representations for both the non-linear and the linear layers have been proposed. Still similarly to the proofs of Lemma 1 and Lemma 2, we can prove the following theorem for the structure $\mathcal{E}_{\mathrm{erf}}$ and its dual $\mathcal{E}_{\mathrm{crf}}$ of GMiMC, see Figure 4(a) and Figure 4(b). These two unbalanced Feistel structures are not covered by the definitions in [BMT13], and the detailed proof of Theorem 4 is provided in Appendix A.

Theorem 4. $a \to b$ is an impossible differential (zero-correlation linear hull) of $\mathcal{E}_{\mathrm{erf}}$ if and only if it is a zero-correlation linear hull (impossible differential) of $\mathcal{E}_{\mathrm{crf}}$.
Corollary 2. Let $\mathcal{F}_{SP}$ be a Feistel structure with SP-type round function and linear transformation $P$. If $P$ is invertible, an impossible differential of $\mathcal{F}_{SP}$ is equivalent to a zero-correlation linear hull of $\mathcal{F}_{SP^T}$.

Figure 5: (a) the structure $\mathcal{F}_{P^T S}$; (b) the equivalent structure $\mathcal{F}_{SP^T}$; (c) $\mathcal{F}_{SP}$ rewritten with $P^T$ and a permutation $\pi$ (figure not reproduced).
Proof. As $P$ is invertible, according to the definition of equivalent structures given in [LLF05], depicted in Figure 5(a) and Figure 5(b), $\mathcal{F}_{P^T S}$ is equivalent to $\mathcal{F}_{SP^T}$. Thus, combining with Theorem 1, we can end the proof.
Corollary 3. For a Feistel structure $\mathcal{F}_{SP}$ with SP-type round function, if $P$ is invertible and there exists a permutation $\pi$ on $t$ elements such that $P(x_0, \ldots, x_{t-1}) = \pi^{-1} \circ P^T \circ \pi\,(x_0, \ldots, x_{t-1})$ for all $(x_0, \ldots, x_{t-1}) \in \mathbb{F}_p^t$, then there is a one-to-one correspondence between impossible differentials and zero-correlation linear hulls of the structure $\mathcal{F}_{SP}$.
Proof. As the permutation $\pi$ makes $P$ and $P^T$ equivalent, we can rewrite the structure $\mathcal{F}_{SP}$ using $P^T$ and the permutation $\pi$, as depicted in Figure 5(c). According to Corollary 2, $\mathcal{F}_{P^T S}$ is equivalent to $\mathcal{F}_{SP^T}$ for invertible $P$. Hence $\mathcal{F}_{SP}$ is equivalent to $\mathcal{F}^{\perp}_{SP}$, and Theorem 1 ends the proof.
Corollary 4. For an SPN structure $\mathcal{E}_{SP}$, if $P = Q(P^{-1})^T$ with $Q = \mathrm{diag}(Q_1, \ldots, Q_t)$ and $Q_i \in \mathbb{F}_p \setminus \{0\}$, then there is a one-to-one correspondence between impossible differentials and zero-correlation linear hulls of the structure $\mathcal{E}_{SP}$.
Proof. As $P = Q(P^{-1})^T$, we have $\mathcal{E}_{SP} = \mathcal{E}_{SQ(P^{-1})^T}$, and absorbing $Q$ into the S-box layer by applying $Q_i^{-1}$ before the $i$-th S-box of a layer $S'$ gives an equivalent structure $\mathcal{E}_{S'(P^{-1})^T}$. By Definition 6, $\mathcal{E}_{SP}$ is therefore equivalent to its dual structure $\mathcal{E}_{S(P^{-1})^T}$.
Corollary 5. For a structure $\mathcal{GF}_{FP}$, if there exists a permutation $\pi$ on $t$ elements such that $F^T = \pi^{-1} \circ F \circ \pi$ and $(P^{-1})^T = \pi^{-1} \circ P \circ \pi$, then there is a one-to-one correspondence between impossible differentials and zero-correlation linear hulls of the structure $\mathcal{GF}_{FP}$.
Proof. According to the definition of equivalence relations in [BMT13, Definition 2, Theorem 3] and Theorem 3, we can end the proof.
When taking Corollaries 3, 4 and 5 and the inverse structure into consideration, we propose the following more refined links, also depicted in Figure 6. We note that Theorem 5 holds for both $\mathbb{F}_2^n$ and $\mathbb{F}_p$; it explains why some constructions have the same number of rounds for their longest IDC and their longest ZC.
Theorem 5. For a structure $\mathcal{E} \in \{\mathcal{F}_{SP}, \mathcal{GF}_{FP}, \mathcal{E}_{SP}, \mathcal{E}_{\mathrm{erf}}, \mathcal{E}_{\mathrm{crf}}\}$, if its dual structure $\mathcal{E}^{\perp}$ is equivalent to the structure $\mathcal{E}$ or to its inverse structure $\mathcal{E}^{-1}$, then there is a one-to-one correspondence between impossible differentials and zero-correlation linear hulls of the structure $\mathcal{E}$.
Inspired by the link between IDC and ZC, a similar link between probability-one DC and LC can be obtained as below.
Theorem 6. A probability-one differential (linear hull) of a structure $\mathcal{E}$ always leads to a probability-one linear hull (differential) of its dual structure $\mathcal{E}^{\perp}$.
Proof. For a given structure $\mathcal{E}$, a probability-one DC (LC) means that no S-box is differentially (linearly) active in the trail for all $E \in \mathcal{E}$. Then a given probability-one DC of $\mathcal{E}$ always leads to a probability-one LC of its dual $\mathcal{E}^{\perp}$, because the input differences of all S-boxes in the structure $\mathcal{E}$ are zero and a probability-one LC can be derived from this trail for $\mathcal{E}^{\perp}$. The converse holds likewise.

An Alternative Proof of Links between ZC and INT over F p
Recently, from a geometric point of view on linear cryptanalysis, Beyne [Bey21] generalized the link between zero-correlation and integral attacks discovered by Bogdanov et al. [BLNW12] and also discussed by Sun et al. [SLR+15]. In this section we explore the detailed conditions and properties of the transformation and present alternative proofs of the links between ZC and INT over $\mathbb{F}_p$. Before presenting the links, we formalize the independence of input and output masks (differences) by the following definition.
Definition 8. We say that the input mask (difference) set $A$ and the output mask (difference) set $B$ are independent if and only if, for any $a \in A$ and any $b \in B$, $a \to b$ is a zero-correlation linear hull (impossible differential).
Lemma 3. Let $A$ be a subspace of $\mathbb{F}_p^t$ and $A^{\perp} = \{x \in \mathbb{F}_p^t : a^T x = 0 \text{ for all } a \in A\}$ its orthogonal space.
Proof. For the subspace $A$ of $\mathbb{F}_p^t$, the equation below can be deduced first. Then, according to Definition 1, the following holds. Thus, we have the claimed expression for $\mathrm{cor}$.
With the input mask space $A$ for ZC, the input space $A^{\perp}$ for INT and the function $G_\lambda$ defined to cancel the effect of constants, the transformation from ZC to INT over $\mathbb{F}_p$ is obtained naturally.

Theorem 7. If there exists a subspace $A$ of $\mathbb{F}_p^t$ such that $a \to b$ is a zero-correlation linear hull for any $a \in A$, then according to Lemma 3 we can end the proof.
Theorem 7 reveals the relation from ZC to INT and the exact form of the transformed INT. Furthermore, [BLNW12] requires that "input and output linear masks in zero-correlation approximations are independent"; over $\mathbb{F}_2^n$ this condition was later relaxed in [SLR+15]. However, Lemma 3 and Theorem 7 above require a subspace $A$ of input masks, that is, for any $a \in A$, $a \to b$ must be a zero-correlation linear hull. This independence condition over $\mathbb{F}_p^t$ on the input and output masks of the zero-correlation linear hulls cannot be removed, because the smallest nontrivial subspace of $\mathbb{F}_p^t$ has size $p$ and therefore requires $(p-1)$ nontrivial zero-correlation linear hulls, whereas over $\mathbb{F}_2^n$ any one nontrivial zero-correlation linear hull $a \to b$ already makes $\{a, 0\}$ a nontrivial subspace of $\mathbb{F}_2^n$; this exhibits the gap between $\mathbb{F}_p$ and $\mathbb{F}_2^n$. In the following, we focus on the specific conditions and properties of an INT that can lead to a ZC. The detailed proof of Lemma 4 is provided in Appendix B; combined with Theorem 7, Theorem 8 is obtained.
Theorem 8. Let $E : \mathbb{F}_p^t \to \mathbb{F}_p^t$ be a function, $A$ a nontrivial subspace of $\mathbb{F}_p^t$ and $A^{\perp}$ its orthogonal space. Then an integral distinguisher of $E$ can lead to a zero-correlation linear hull with input masks $A$ and non-zero output mask $b$ if and only if it is a balanced integral distinguisher, with $b^T \cdot G_\lambda(x)$ balanced on the subspace $A^{\perp}$.
Proof. We consider the following two parts.
• If an integral distinguisher can be transformed into a zero-correlation linear hull with input masks $A$, then for the non-zero output mask $b$ we obtain, according to Theorem 7 and for any $\lambda$, the balanced property of $b^T \cdot G_\lambda(x)$ on $A^{\perp}$.
• For an integral distinguisher such that $b^T \cdot G_\lambda(x)$ is balanced on the subspace $A^{\perp}$, Lemma 4 gives the vanishing of the corresponding correlations, which leads to a zero-correlation linear hull $A \to b$.
As claimed.
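The identity behind Lemma 3, Theorem 7 and Theorem 8, carried through here as an added worked derivation (it is not the page's own proof, whose equations are not reproduced above). It uses the correlation of Definition 1 with the convention $\mathrm{cor}_E(u,v) = p^{-t}\sum_x \omega^{v^T E(x) - u^T x}$, $\omega = e^{2\pi i/p}$ (an assumption; the opposite sign conjugates every term and changes nothing below), and handles the shift $\lambda$ directly on the coset $\lambda + A^{\perp}$ rather than through the page's $G_\lambda$.

Let $A \le \mathbb{F}_p^t$ be a subspace, $A^{\perp} = \{x : a^T x = 0 \ \forall a \in A\}$, fix $b \in \mathbb{F}_p^t$ with $b \neq 0$ and $\lambda \in \mathbb{F}_p^t$. Character orthogonality (Corollary 1 restricted to $A$) gives $\sum_{a \in A}\omega^{a^T y} = |A|$ if $y \in A^{\perp}$ and $0$ otherwise, hence
$$\sum_{a \in A} \omega^{a^T \lambda}\,\mathrm{cor}_E(a, b) = \frac{1}{p^t}\sum_{x \in \mathbb{F}_p^t} \omega^{b^T E(x)} \sum_{a \in A}\omega^{a^T(\lambda - x)} = \frac{|A|}{p^t}\sum_{x \in \lambda + A^{\perp}} \omega^{b^T E(x)}. \qquad (\ast)$$

ZC $\Rightarrow$ INT (Theorem 7). If $a \to b$ is a zero-correlation linear hull for every $a \in A$, the left side of $(\ast)$ vanishes for every $\lambda$, so $\sum_{x \in \lambda + A^{\perp}} \omega^{b^T E(x)} = 0$. Writing $N_j = |\{x \in \lambda + A^{\perp} : b^T E(x) = j\}|$, this reads $\sum_{j=0}^{p-1} N_j \omega^j = 0$; since $p$ is prime, the minimal polynomial of $\omega$ over $\mathbb{Q}$ is $1 + X + \cdots + X^{p-1}$, so the only integer relation is $N_0 = N_1 = \cdots = N_{p-1}$, i.e. $b^T E(x)$ is balanced on every coset $\lambda + A^{\perp}$ (Definition 4), and in particular $\sum_{x \in \lambda + A^{\perp}} b^T E(x) = 0$. The hypothesis is needed for the whole subspace: the smallest nontrivial subspace containing $a$ is $\{0, a, 2a, \ldots, (p-1)a\}$, so a single zero-correlation hull $a \to b$ does not make $(\ast)$ vanish unless $ja \to b$ is zero-correlation for all $j \in \mathbb{F}_p^{*}$, whereas over $\mathbb{F}_2^n$ the subspace $\{0, a\}$ is generated by one hull.

INT $\Rightarrow$ ZC (Theorem 8). If $b^T E(x)$ is balanced on $\lambda + A^{\perp}$ for every $\lambda$, the right side of $(\ast)$ is $0$ for every $\lambda$; multiplying $(\ast)$ by $\omega^{-a'^T\lambda}$ for a fixed $a' \in A$ and summing over $\lambda \in \mathbb{F}_p^t$ gives
$$p^t\,\mathrm{cor}_E(a', b) = \sum_{a \in A}\mathrm{cor}_E(a, b)\sum_{\lambda \in \mathbb{F}_p^t}\omega^{(a - a')^T\lambda} = 0,$$
since by Corollary 1 the inner sum is $p^t$ for $a = a'$ and $0$ otherwise. A zero-sum integral that is not balanced does not suffice: for $E(x) = x^2$ over $\mathbb{F}_5$ and $A^{\perp} = \mathbb{F}_5$, $\sum_x E(x) = 10 \equiv 0$, but the value counts are $(N_0, \ldots, N_4) = (1, 2, 0, 0, 2)$ and $\sum_x \omega^{x^2} = 1 + 2\omega + 2\omega^4 = 1 + 4\cos(2\pi/5) \neq 0$.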

Links between IDC and INT over F p
According to the links presented above, now the links between IDC and INT over F p can be easily established, which also has the independent conditions brought from the links of ZC and INT over F p .As indicated in Theorem 7, the input space A ⊥ for INT is the orthogonal space of the input mask space A for ZC, we do not specify the distinguishers in this subsection.
Theorem 9. Let E ∈ {F SP , GF F P , E SP , E erf , E crf }, then an impossible differential of E always implies the existence of an integral of E ⊥ , if its input and output differences are independent as defined in Definition 8.
Proof.The transformation from IDC to INT can be divided into two parts: 1) from IDC to ZC (Theorem 1-4); 2) from ZC to INT (Theorem 7).
In case E ⊥ = π • E • π ′ where π and π ′ are linear transformations, some more refined links are presented as follows.
Corollary 6.Let F SP be a Feistel structure with SP-type round function, and let the linear transformation be P .If P is invertible and there exists a permutation π operating on t elements such that P (x 0 , . . ., x t−1 ) = π −1 • P T • π(x 0 , . . ., x t−1 ), where (x 0 , . . ., x t−1 ) ∈ F t p .Then for F SP , an impossible differential always implies the existence of an integral distinguisher, if its input and output differences are independent.
Proof. Corollary 3 gives the step from IDC to ZC, and the step from ZC to INT follows by Theorem 9.
Corollary 7. Let E_SP be an SPN structure with linear transformation P. If , where Q_i ∈ F_p \ {0}, then for E_SP an impossible differential always implies the existence of an integral distinguisher, if its input and output differences are independent.
Proof. Corollary 4 gives the step from IDC to ZC, and the step from ZC to INT follows by Theorem 9.
Corollary 8. Let GFF_P be a generalized Feistel structure. If there exists a permutation π on t elements such that F^T = π^{−1} ∘ F ∘ π and (P^{−1})^T = π^{−1} ∘ P ∘ π, then an impossible differential always implies the existence of an integral distinguisher, if its input and output differences are independent.
Similarly, when considering a structure together with its dual and inverse structures, we have the following refined links, also shown in Figure 7.
Theorem 10. For a structure E ∈ {F_SP, GFF_P, E_SP, E_erf, E_crf}, if its dual structure E^⊥ is equivalent to the structure E or its inverse E^{−1}, then for E an impossible differential always implies the existence of an integral distinguisher, if its input and output differences are independent.

Equation-based Method of Finding IDC/ZC and Applications of Links for GMiMC
In this section, as applications of the comprehensive links presented in the previous section, we first use the equation-based method to find impossible differentials and/or zero-correlation linear hulls for GMiMC; then, different types of improved distinguishers derived from the links can be obtained for all GMiMC constructions.

Impossible differential of GMiMC_erf over F_p
For GMiMC_erf with t branches, intuitively, to have more deterministic rounds, its IDC can be divided into three parts:
• Forward: the first (t − 1) rounds with probability one;
• Middle: the middle r_1 + r_2 (1 ≤ r_1, r_2 ≤ t) rounds with contradictions;
• Backward: the last (t − 1) rounds with probability one.
Considering the first part (an example of t = 4 is depicted in Figure 8(a)), we denote the input difference by ∆^forward
Similarly, for the last part (an example of t = 4 is depicted in Figure 8(b)), there are (t − 1) free rounds backwards,
For the middle part (an example of t = 4 is depicted in Figure 9), after r_1 (1 ≤ r_1 ≤ t) rounds forwards, the input difference ∆^middle
Naturally, for a valid differential trail, the output difference ∆^middle_{1+r_1} and the input difference ∇^middle_{1+r_2} meeting in the middle part should be equal,
Conversely, if we find some contradictions in the equation system (1), it will lead to an IDC with (2t − 2 + r_1 + r_2) rounds for GMiMC_erf.
Over F_p, (3t − 3)-round IDC.
Proof. If α_3 appears in the equation system (1), that is, 2 ≤ r_1 and 3 ≤ r_1 + r_2. Consider the rightmost (r_1 + 1) consecutive blocks in the output difference ∆^middle_{1+r_1} and the rightmost (t − r_2) consecutive blocks in the input difference
Proof. We consider the following three cases, where the conditions α_1 = β_1 and t ≢ 1 mod p are used in the last two cases.
• Case 3. When r_1 + r_2 = t + 1, the blocks in the output difference ∆^middle_{1+r_1} can be divided into three parts as below, and likewise for the input difference ∇^middle_{1+r_2},
An example of this difference propagation and equation system is depicted in Figure 10.
Over F_p, with α_1 = β_1, (3t − 1)-round IDC.

IDC of GMiMC_erf with an arbitrary number of rounds
Different from the (3t − 1)- and (3t − 3)-round IDCs of GMiMC_erf presented above, we now present a special case over F_p, given in Lemma 7, which leads to an IDC of GMiMC_erf with an arbitrary number of rounds and only works over F_p. Although it requires the restrictive condition t ≡ 1 mod p, it shows the difference between F_2^n and F_p. To be specific, this can be attributed to the fact that
However, this will be different over F_p: α_1 = −β_1 combined with α_1 = β_1 leads to α_1 = β_1 = 0, which can be used to construct an IDC of GMiMC_erf with an arbitrary number of rounds, with input difference (0, ..., 0, α_1) and output difference (β_1, 0, ..., 0), where α_1 = −β_1 ≠ 0.
Lemma 7. When α_1 = −β_1 and t ≡ 1 mod p, for any r_1, r_2 (1 ≤ r_1, r_2), the equation system (1) leads to α_1 = β_1 = 0.

Transformation from IDC to ZC and INT of GMiMC_crf
With the three IDCs of GMiMC_erf presented above, by using the link proposed in Theorem 4 we can directly obtain the corresponding ZCs of GMiMC_crf over F_p as below, where a_1 = b_1 ≠ 0 and t ≢ 1 mod p.
• Arbitrary number of rounds: (0,
Then, by using the link given in Theorem 9, a (3t − 3)-round INT of GMiMC_crf over

Zero-correlation Linear Hull of GMiMC_erf over F_p
Linear Trail with Probability One. Before presenting the ZC of GMiMC_erf over F_p, we first discuss the possible free rounds of its linear trail. As shown in Figure 11, the input masks are denoted by the same element a_1 ∈ F_p \ {0}. Then, for one free round to pass, the input and output masks of the non-linear permutation S must both be zero. Based on the propagation rules of linear masks introduced in Section 2.1, a free (t − 1)-round linear trail of GMiMC_erf can be obtained with input mask (a_1, ..., a_1, (2 − t)a_1) and output mask ((2 − t)a_1, a_1, ..., a_1). In fact, this is the same as the linear relation proposed in [BCD+20], which can also be interpreted from the viewpoint of linear mask propagation. Now, similar to the IDC of GMiMC_erf, under the restrictive condition on the number of branches t ≡ 1 mod p, the input and output masks of the (t − 1)-round linear trail are both (a_1, ..., a_1), which is iterative and leads to a linear trail with an arbitrary number of rounds. By using Theorem 6, these two linear trails with probability one can also be transformed into probability-one differential trails of GMiMC_crf.
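As an added example (not the paper's code), the following Python script checks the (t − 1)-round probability-one linear trail above exhaustively, using the correlation definition of Baignères, Stern and Vaudenay, and also checks the iterative all-(a_1) trail over more than t − 1 rounds for the t ≡ 1 mod p case. It assumes one concrete ERF round convention (the first branch enters the cube S-box, the output is added to every other branch, then the branches rotate) and uses constructed round keys; both are assumptions, not taken from the paper.

```python
"""Added example: exhaustive check of the probability-one linear trail of
GMiMC_erf over F_p.  Assumed conventions (not from the paper): the state is
(x_0, ..., x_{t-1}); one round computes f = (x_0 + k_r)^3 mod p and maps the
state to (x_1 + f, ..., x_{t-1} + f, x_0).  Round keys are constructed here.
Correlation follows Baigneres-Stern-Vaudenay:
    cor(a -> b) = (1/p^t) * sum_x omega^(<a,x> - <b,E(x)>),  omega = e^{2*pi*i/p}.
"""
import cmath
import itertools


def erf_round(state, k, p):
    """One GMiMC_erf round with the cube S-box (gcd(3, p-1) = 1 assumed)."""
    f = pow((state[0] + k) % p, 3, p)
    return tuple((s + f) % p for s in state[1:]) + (state[0],)


def gmimc_erf(state, keys, p):
    """Apply one ERF round per round key."""
    for k in keys:
        state = erf_round(state, k, p)
    return state


def inner(mask, state, p):
    """Inner product <mask, state> over F_p."""
    return sum(m * s for m, s in zip(mask, state)) % p


def correlation(a, b, keys, p):
    """Exact linear correlation of the mask pair a -> b over all p^t inputs."""
    t = len(a)
    omega = cmath.exp(2j * cmath.pi / p)
    total = 0
    for x in itertools.product(range(p), repeat=t):
        y = gmimc_erf(x, keys, p)
        total += omega ** ((inner(a, x, p) - inner(b, y, p)) % p)
    return total / p ** t


def free_trail_masks(a1, t, p):
    """Input mask (a1, ..., a1, (2-t)a1) and output mask ((2-t)a1, a1, ..., a1)
    of the (t-1)-round trail; both collapse to (a1, ..., a1) when t = 1 mod p."""
    last = (2 - t) * a1 % p
    return (a1,) * (t - 1) + (last,), (last,) + (a1,) * (t - 1)


def trail_correlation_abs(p, t, a1=1, rounds=None):
    """|cor| of the trail over `rounds` rounds (default t-1) with constructed keys.
    Whenever the mask entering the S-box is zero in every round, this is 1."""
    rounds = t - 1 if rounds is None else rounds
    keys = [(7 * r + 3) % p for r in range(rounds)]  # constructed, arbitrary
    a, b = free_trail_masks(a1, t, p)
    return abs(correlation(a, b, keys, p))


if __name__ == "__main__":
    # (t-1) = 3 free rounds for p = 11, t = 4: the mask never touches the S-box.
    print("p=11, t=4, 3 rounds:", trail_correlation_abs(11, 4))
    # t = 6 = 1 mod 5: the trail is iterative, here checked over 10 rounds.
    print("p=5, t=6, 10 rounds:", trail_correlation_abs(5, 6, rounds=10))
```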
Figure 11: One free round of the linear trail of GMiMC_erf with t branches.
Now we briefly explain the three parts of the ZC of GMiMC_erf as below, which are similar to those of the IDC.
The input mask Γ^forward
Similarly, we have (t − 1) free rounds backwards
Naturally, for a valid linear trail, the output mask Γ^middle_{1+r_1} and the input mask Λ^middle_{1+r_2} meeting in the middle part should be equal
Conversely, if we find some contradictions in the equation system (8), it will lead to a ZC with (2t − 2 + r_1 + r_2) rounds for GMiMC_erf.

ZC of GMiMC_erf with an arbitrary number of rounds
With the probability-one linear trail given above, whose input mask Γ_in and output mask Γ_out are both (a_1, ..., a_1), we can obtain two kinds of ZC of GMiMC_erf with an arbitrary number of rounds, nevertheless only for the very limited case t ≡ 1 mod p: one with input mask Γ_in and output mask Γ′_out where Γ′_out ∉ {Γ_out, 0}, the other with output mask Γ_out and input mask Γ′_in where Γ′_in ∉ {Γ_in, 0}.
Proof. If a_3 appears in the equation system (8), that is, 2 ≤ r_1 and 3 ≤ r_1 + r_2. Consider the rightmost (r_1 + 1) consecutive blocks in the output mask Γ^middle_{1+r_1},
and the rightmost (t − r_2) consecutive blocks in the input mask Λ^middle_{1+r_2},
If
the equations in the system (8) will be
Then, a_3 = 0 is deduced from the first and third equations of (9),
Similarly, if b_3 appears in the system (8), one can also deduce that b_3 = 0.
An example of this linear mask propagation and equation system is depicted in Figure 12.
Over F_p, (3t − 3)-round ZC.

ZC of GMiMC_erf with (3t − 1) Rounds
Similarly, according to Lemma 9, we can extend the ZC of GMiMC_erf by two more rounds.
Proof. We consider the following three cases, where the condition a_1 = b_1 is used in the last two cases.
• Case 2. When r_1 + r_2 = t + 1, the blocks in the output mask Γ^middle_{1+r_1} can be divided into three parts as below,
and similarly for the input mask Λ^middle_{1+r_2},
• Case 3. When r_1 + r_2 = t, that is, r_1 = t − r_2 and r_2 = t − r_1, we have the following equations,
Thus, a_3 = 0 can be deduced. In the same way, if r_1 = 1 and r_2 = t − 1, we have b_3 = 0. Now for 2 ≤ r_1, r_2, we have the following equations,
Still, a_3 = b_3 = 0 can be easily deduced.
Considering the three cases above, we have a_3 = 0 or b_3 = 0.
An example of this linear mask propagation and equation system is depicted in Figure 13.
Over F_p, with a_1 = b_1, (3t − 1)-round ZC.

Transformation from ZC to IDC of GMiMC_crf
With all three kinds of ZC of GMiMC_erf presented above, by using the link proposed in Theorem 4, we can obtain the corresponding IDCs of GMiMC_crf as below.

Transformation from ZC to INT of GMiMC_erf
Similarly, by using the link given in Theorem 7, we have the corresponding INTs of GMiMC_erf as below.
• (3t − 3)-round:
• Arbitrary number of rounds:
• Arbitrary number of rounds:
Remark: It should be noted that the probability-one differential or linear trails with an arbitrary number of rounds presented above are trivial for unbalanced Feistel networks if the number of branches t is chosen improperly. However, in this paper, by using the equation-based method and our proposed links, we show that bad choices of t also lead to nontrivial IDC/ZC/INT with an arbitrary number of rounds for GMiMC. There are also some potential instantiations, for example the concrete instances of GMiMC_erf with 256-bit block size and key size, GMiMC_erf-(p = 5, t = 86, r = 261) and GMiMC_erf-(p = 17, t = 52, r = 160), provided in [AGP+19b, Tables 6 and 7], which aim at a smaller signature size when deployed in post-quantum signatures in the low-data scenario [CDG+17] or even the full-data scenario [BEF19]; an odd number of branches has been avoided for the instances over F_2^n. We stress that, considering the limited access to data, these statistical distinguishers are more suitable for the full-data setting, e.g., collision-resistant hash functions [BEF19]. Nevertheless, we hope the presented distinguishers can provide guidance for future designs of related constructions.
For the balanced Feistel construction GMiMC_Nyb, we mainly focus on the underlying equivalence relations between its different structures. Specifically, we are dedicated to obtaining the one-to-one correspondence of IDC/ZC/INT for GMiMC_Nyb in the following, which has already been mentioned as an example when explaining Figure 1.

Equation-based Method for GMiMC
One round of differential propagation of GMiMC_Nyb is depicted in Figure 14. The IDC of GMiMC_Nyb consists of r_1 (1 ≤ r_1 ≤ t + 2) forward rounds and r_2 (1 ≤ r_2 ≤ t + 2) backward rounds. The input difference ∆^forward
where τ^j_r denotes the output difference of the j-th S-box of the r-th round. Similarly, we have the output difference
where τ′^j_r denotes the output difference of the j-th S-box of the r-th round. Besides, if r_2 < t, another choice for the output difference
For a valid differential trail, the output difference and the input difference meeting in the middle should be equal, which gives the following
Naturally, if we find some contradictions in the above equation systems, it will lead to an IDC with (r_1 + r_2) rounds for GMiMC_Nyb.

Transformation from IDC to ZC and INT of GMiMC_Nyb
We first reveal an equivalence relation between the dual structure and the inverse structure of E_Nyb, which is given in Lemma 12.
Lemma 12. The inverse structure E^{−1}_Nyb and the dual structure E^⊥_Nyb are equivalent.
Proof. For Nyberg's generalized Feistel structure E_Nyb, following the similar representation in [BMT13], its i-th round function can be represented by the t × t matrix P·F_i as below
where F_i^{−1} = F_i and P^T = P^{−1}. For the dual structure of E_Nyb, we have
Now, consider two permutations π_1 and π_2 as below
, where Π = Π^{−1} and ΠPΠ = P^T = P^{−1}. Now, for n rounds of E^⊥_Nyb, it can be expanded as
where A = π_2^{−1}PΠ and
With this underlying equivalence relation between these structures of E_Nyb, according to Theorem 5, we know there is a one-to-one correspondence between IDC and ZC for E_Nyb. Then, we can transform the two IDCs presented above into the corresponding ZCs of GMiMC_Nyb.
As for integrals, we can obtain the transformed (2t − 1)-round INT for GMiMC_Nyb by using Theorem 10; let

Equation-based Method for GMiMC_mrf
For the other balanced Feistel construction GMiMC_mrf with t branches, the number of rounds for full diffusion is Λ(t) = 2⌈log_2(t)⌉, which is achieved by its multi-rotating round function. In this section, we only focus on the case where t is exactly a power of two, and the round index of the distinguisher starts from 1 (due to the different rotation constant s_r in each round). Similarly, its IDC consists of r_1 (Λ(t) − 2 ≤ r_1 ≤ Λ(t) + 2) forward rounds and r_2 (Λ(t) − 2 ≤ r_2 ≤ Λ(t) + 2) backward rounds.
For the round function of GMiMC_mrf, the input difference ∆^forward
Similarly, the output difference
Then, for a valid differential trail, the output difference and the input difference meeting in the middle should be equal, which gives the following
Naturally, if we find some contradictions in the above equation systems, it will lead to an IDC with (r_1 + r_2) rounds for GMiMC_mrf. Before presenting the IDC of GMiMC_mrf, some properties are first prepared for constructing it.

IDC of the Dual Structure E^⊥_mrf
Now, we consider the IDC of the dual structure E^⊥_mrf, which is depicted in Figure 16(a); its equivalent structure is depicted in Figure 16(b). As can be observed in E^⊥_mrf, the rotation in each round is reversed, that is, −s_r.
Lemma 15. For E^⊥_mrf with a power-of-two number of branches t, if r_1 + r_2 = 2Λ(t) + 1 and α
Proof. As Properties 2, 3, 8 and 9 still hold with the reversed rotation −s_r, the same result can be deduced as in Lemma 13.

Conclusion
In this paper, we have established for the very first time the comprehensive links between impossible differential, zero-correlation linear and integral cryptanalysis over the prime field F_p. The links between zero-correlation linear and integral cryptanalysis are also proved in an alternative way, through which we find that the independence conditions on the input and output masks (differences) cannot be removed when deriving an integral distinguisher from a zero-correlation linear hull (impossible differential) over F_p; this exhibits a difference of these cryptanalytic methods between F_p and F_2^n. To showcase our refined links, we apply them to GMiMC and obtain different types of improved distinguishers for all GMiMC constructions, from which the gaps of symmetric cryptanalytic methods between F_p and F_2^n are also demonstrated in terms of attacked rounds, including distinguishers with an arbitrary number of rounds for some special and limited cases. The establishment of the theory over F_p behind these links, together with the identified properties (be they similar or different), will bring a clearer and easier understanding of the security of MPC/FHE/ZK-friendly symmetric-key primitives, which could facilitate future design and cryptanalysis.
Further discussions. Considering that only the characteristic p is relevant and that F_{p^t} is isomorphic to F_p^t, the work proposed in this paper can possibly be generalized to F_q where q = p^t, which could be used for potential MPC/FHE/ZK-friendly designs over F_q in the future. Secondly, a statistical cryptanalytic method is still missing for zero-correlation linear cryptanalysis over F_p, so a more dedicated statistical model should be developed to evaluate the detailed complexity of the attack. Thirdly, according to our proposed links over F_p, an integral distinguisher arising from a low-degree S-box (i.e. the zero-sum property) does not imply any impossible differential or zero-correlation linear hull; this has also been observed in [SLR+15] for the links over F_2^n, and still needs to be investigated further.

C Experiments on ZC and INT of GMiMC
We now present the details of the experiments on GMiMC's ZC and INT over F p as below.
For GMiMC_erf:
• ZC for 9-round GMiMC_erf-(p = 11, t = 4): we check the following ZC, whose correlation over F_p is zero.

Figure 1: The IDC/ZC/INT transformations between the structure, its dual and inverse. (This figure abstracts the established comprehensive links, which can be intuitively explained by the results on GMiMC_Nyb in Section 4.3 later. To put it simply, an IDC of the structure E_Nyb can be transformed into a ZC/INT of the dual structure E^⊥_Nyb; as E^⊥_Nyb is equivalent to the inverse structure E^{−1}_Nyb, this finally leads back to a ZC/INT of E_Nyb.)

Figure 3: Differential and linear trails of F_SP and F^⊥_SP.

Figure 4: Differential and linear trails of E_erf and E_crf.

Figure 5: Structures of F_PTS, F_SPT and F_SP.

Figure 6: IDC and ZC transformations between the structure, its dual and inverse. (This figure covers the IDC and ZC part of Figure 1.)

Figure 7: IDC and INT transformations between the structure, its dual and inverse. (This figure covers the IDC and INT part of Figure 1.)

Figure 8: First and last parts of the IDC of GMiMC_erf with t = 4.

Figure 9: Middle part of the IDC of GMiMC_erf with t = 4.

Figure 14: Differential of GMiMC_Nyb's r-th round function with t branches.

Figure 15: Differential of GMiMC_mrf's r-th round function with t branches.

Figure 16: (a) The round function of E^⊥_mrf. (b) Equivalent structure of E^⊥_mrf.

Figure 17: Transformation from IDC of E^⊥_mrf to ZC/INT of E_mrf.

Singapore under Grants RG91/20, the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the National Natural Science Foundation of China (Grant No. 62032014), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025), the National Key R&D Program of China (Grant No. 2022YFB2701700), Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053) and the National Natural Science Foundation of China (Grant No. 62002202). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of the National Research Foundation, Singapore.

Table 1: Comparisons of different distinguishers of GMiMC_erf and GMiMC_crf.

As said in [AGP+19b], "...attacks that do not depend on the round function, become competitive. Still, for practical use cases we show that a high number of branches can be meaningful...". Compared to the dedicated degree-based method, our link-based method covers both keyed and unkeyed settings and is independent of the round function (i.e. the power map x^d and the field F
GMiMC univariate case, we only consider GMiMC permutations or block ciphers with full key size (multivariate case) in this paper. Later, Beyne et al. [BCD+20] focused on GMiMC permutations adopted in sponge-based constructions where no key material is involved, and they proposed improved INT, IDC and DC for GMiMC_erf. Recently, Beyne et al. [BL22] also provided an elaborate truncated differential cryptanalysis of GMiMC_crf. Some of these results are listed in Table 1, and below we detail some comparisons.
• INT.
p), which could reveal underlying structural properties. While in [BCD+20], an INT with 3t − 4 + log_d(p − 2)