Improved nonlinear invariant attack

Dear editor,In Asiacrypt 2016, Todo et al. [1] proposed a nonlinear invariant attack, a new type of distinguisher that covers any number of rounds for a substitution-permutation network（SPN） cipher under weak keys. The main idea of the nonlinear invariant attack is to find a Boolean function g : F 2 n → F2 such that the evaluation of g（x） ⊕ g（E k （x）） is constant for any x, where Ek（x） is a block cipher. The function g is called the nonlinear invariant of Ekand the keys k that satisfy the condition are called weak keys.