Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
Journal of Cryptology, 1996
In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
Designing S-Boxes For Ciphers Resistant To Differential Cryptanalysis
Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, 1993
This paper examines recent work in the area of bent-function-based substitution boxes in order to refine the relationship between S-box construction and immunity to the differential cryptanalysis attack described by Biham and Shamir. It is concluded that m×n S-boxes, m<n, which are partially bent-function-based are the most appropriate choice for private-key cryptosystems constructed as substitution-permutation networks (SPNs). Since S-boxes of this dimension and with this property have received little attention in the open literature, this paper provides a description of their construction and shows how they can be incorporated in a design procedure for a family of SPN cryptosystems with desirable cryptographic properties.
Constructing symmetric ciphers using the CAST design procedure
Designs, Codes, and Cryptography, 1997
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (S-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
On the security of CS-Cipher
Fast Software Encryption (FSE'99), LNCS 1636, 1999
Abstract. CS-Cipher is a block cipher which was proposed at FSE 1998. It is a Markov cipher in which diffusion is performed by multipermutations. In this paper we first provide a formal treatment for differential, linear and truncated differential cryptanalysis, and we apply it to CS-Cipher in order to prove that there exists no good characteristic for these attacks. This holds under the approximation that all round keys of CS-Cipher are uniformly distributed and independent. For this we introduce a new technique for counting active S-boxes in computational networks by the Floyd-Warshall algorithm. Since the beginning of modern public research in symmetric encryption, block ciphers have been designed with fixed computational networks: we draw a network and put some computation boxes on it. The Feistel scheme [13] is a popular design which enables one to make an invertible function from a random function. Its main advantage is that decryption and encryption are fairly similar, because we only have to reverse the order of operations.
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
2001
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^{-75} when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32/UB = 2^{80} (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8×8 S-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2^{-92}, corresponding to a lower bound on the data complexity of 2^{97} (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized; see Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES
Resistance of a CAST-Like Encryption Algorithm to Linear and Differential Cryptanalysis
1997
Linear cryptanalysis and differential cryptanalysis are two recently introduced, powerful methodologies for attacking private-key block ciphers. In this paper, we examine the application of these two cryptanalysis techniques to a CAST-like encryption algorithm based on randomly generated S-boxes. It is shown that, when randomly generated substitution boxes (S-boxes) are used in a CAST-like algorithm, the resulting cipher is resistant to both the linear attack and the differential attack. 1 Introduction As the need for privacy and authentication is now generally recognized by the telecommunications community, a widely adopted private-key encryption algorithm is becoming an increasingly important objective in the development and analysis of cryptographic algorithms. For some time, the Data Encryption Standard (DES) [16] has been the most widely used and trusted encryption algorithm. However, DES is about twenty years old and has recently become vulnerable to cryptanalysis due to its smal...
Linear cryptanalysis of substitution-permutation networks
2003
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the S-boxes are selected independently and uniformly from the set of all bijective n×n S-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected S-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
An analysis of a class of algorithms for S-box construction
We analyze a very general class of algorithms for constructing m-bit invertible S-boxes called bit-by-bit methods. The method builds an S-box one entry at a time, and has been proposed by Adams and Tavares [2], and Forré [11] to construct S-boxes that satisfy certain cryptographic properties such as nonlinearity and the strict avalanche criterion. We will prove, both theoretically and empirically, that the bit-by-bit method is infeasible for m > 6. Keywords: Product ciphers, S-boxes, permutations. 1 The author is currently employed by the Distributed System Technology Center (DSTC) Brisbane, Australia. Correspondence should be sent to DSTC, Level 12, ITE Building, QUT, Gardens Point, 2 George Street, GPO Box 2434, Brisbane Q 4001, Australia; email oconnor@dstc.edu.au. 1 Introduction Most modern conventional key cryptosystems are based on the notion of product ciphers [31], which represent a class of cryptosystems that iterate a composite operation to map plaintext to ciphert...
Toward the true random cipher: On expected linear probability values for SPNs with randomly selected S-boxes, chapter
in Communications, Information and Network, 2003
A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0,1}^N to {0,1}^N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key; this is generally taken to be the ideal cipher model. We consider a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, we investigate expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis. We show that if the substitution components (S-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.
Fast Attacks on Tree-Structured Ciphers
University, 1994
Tree-structures have been proposed for both the construction of block ciphers by Kam and Davida [7], and self-synchronous stream ciphers by Kuhn [9]. Attacks on these ciphers have been given by Anderson [2] and Heys and Tavares [6]. In this paper it is demonstrated that a more efficient attack can be conducted when the underlying Boolean functions for the cells are known. It is shown that this attack requires less than 1/3 the chosen ciphertext of Anderson's original attack on Kuhn's cipher. We also comment on an improved version of Kuhn's cipher that was modified in light of Anderson's original attack. The work in this paper has been funded in part by the Cooperative Research Centres program through the Department of the Prime Minister and Cabinet of Australia. 1 Introduction This paper deals with the cryptanalysis of ciphers which can be reduced to a Boolean function which has a tree-structure, such as the cipher proposed by Kuhn [9], and Kam and Davida's construction [7] of ...