Integral Zero-Correlation Distinguisher for ARX Block Cipher, with Application to SHACAL-2

At ASIACRYPT’12, Bogdanov et al. revealed the identity of integral distinguishers and zero-correlation linear approximations where the mask consists of two parts: one part should take any non-zero value and the other part should be fixed to zero. For zero-correlation linear approximations of some ARX block ciphers, one bit of input mask usually is fixed to one, which do not conform to zero-correlation linear approximations considered by Bogdanov et al.. Can they also be converted to an integral distinguisher? In this paper, we show that such zero-correlation linear approximations can be transformed to an integral distinguisher too. As an application, we give the attack on SHACAL-2 which is one of the four selected block ciphers by NESSIE. Namely, a attack on 32-round SHACAL-2 is reported. As an integral attack, our attack is much better than the previous integral attack on 28-round SHACAL-2 in terms of the number of rounds. In the classical single-key setting, our attack could break as many rounds as the previous best attack, but with significant improvements in data complexity and memory complexity.