Results 11 - 20 of 87
New method for upper bounding the maximum average linear hull probability for SPNs
- Advances in Cryptology— EUROCRYPT 2001, LNCS 2045
, 2001
Cited by 19 (9 self)
Abstract. We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2^(-75), corresponding to a lower bound on the data complexity of 8/UB = 2^78 (for 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
Practical S-Box Design
- SELECTED AREAS IN CRYPTOGRAPHY, 1996
, 1996
Cited by 18 (2 self)
Much of the security of a block cipher based on the Feistel network depends on the properties of the substitution boxes (s-boxes) used in the round function. Although many desirable properties have been studied, relatively little work has been done to determine to what degree these properties are achievable in practice. This paper presents one effort to construct large, cryptographically secure s-boxes, contrasting theoretical and practical limitations, and highlighting areas for future research.
A Tutorial on Linear and Differential Cryptanalysis
, 2001
Cited by 17 (1 self)
In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.
The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-Box Design
, 1990
Cited by 17 (3 self)
Recently, Pieprzyk and Finkelstein described a construction procedure for the substitution boxes (s-boxes) of Substitution-Permutation Network cryptosystems which yielded s-boxes of high nonlinearity. Shortly afterward, in seemingly unrelated work, Yarlagadda and Hershey discussed the analysis and synthesis of binary bent sequences of length 4^k, for k a positive integer. In this paper, we report on work which not only extends the results of both of these papers, but also combines them through the concept of "higher orders" of the Strict Avalanche Criterion for Boolean functions. We discuss the implications for s-box design and the use of such s-boxes in the construction of DES-like cryptosystems.
The authors are with the Department of Electrical Engineering, Queen's University at Kingston, Ontario, K7L 3N6.
Non-Linear Approximations in Linear Cryptanalysis
- Advances in Cryptology, Proceedings Eurocrypt'96, LNCS 1070
, 1996
Cited by 15 (0 self)
Abstract. By considering the role of non-linear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our non-linear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
, 2001
Cited by 14 (6 self)
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2^(-75) when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32/UB = 2^80 (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8 × 8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2^(-92), corresponding to a lower bound on the data complexity of 2^97 (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized---see Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES
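The single-s-box linear probabilities that the two MALHP entries above build on (and that the SPN linear-cryptanalysis tutorial entry explains), as an added worked example; this is not code from any of the listed papers. It regenerates the Rijndael 8 × 8 s-box from its definition, computes every linear probability LP(a,b) = (2·Pr[a·x = b·S(x)] − 1)^2 with a Walsh-Hadamard transform, tabulates the distribution of LP values that the "Improving the Upper Bound" abstract refers to, and converts an LP bound into Matsui's Algorithm 2 data-complexity estimate N = c·ε^(-2) with c = 8 for the 96.7% success rate, which in LP terms is 32/LP as in the 32/UB figure above. The function names and the `c` parameter are this example's own choices.

```python
"""Single-s-box linear probabilities and the data-complexity estimate they feed.
Added example, not code from any paper listed on this page.  The s-box is the
Rijndael/AES s-box regenerated from its definition: inversion in GF(2^8) modulo
x^8 + x^4 + x^3 + x + 1, followed by the affine map with constant 0x63."""
from collections import Counter
from fractions import Fraction
from math import log2


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 = a^-1 in GF(2^8); 0 maps to 0 by the AES convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox() -> list:
    """The 256-entry AES s-box: inversion, then s_i = y_i ^ y_(i+4) ^ y_(i+5)
    ^ y_(i+6) ^ y_(i+7) (indices mod 8), then XOR with 0x63."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        s = 0
        for i in range(8):
            b = (y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8)) \
                ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8))
            s |= (b & 1) << i
        box.append(s ^ 0x63)
    return box


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def walsh(f: list) -> list:
    """Walsh-Hadamard transform: W[a] = sum_x (-1)^(f(x) ^ a.x) for each mask a."""
    w = [1 - 2 * v for v in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def linear_probabilities(sbox: list) -> dict:
    """LP(a,b) = (2*Pr[a.x = b.S(x)] - 1)^2 = (W(a,b)/2^n)^2 for all nonzero masks."""
    n = len(sbox)
    lp = {}
    for b in range(1, n):
        w = walsh([parity(b & sbox[x]) for x in range(n)])
        for a in range(1, n):
            lp[(a, b)] = Fraction(w[a], n) ** 2
    return lp


def lp_distribution(sbox: list) -> Counter:
    """How often each LP value occurs over all nonzero (a, b) mask pairs."""
    return Counter(linear_probabilities(sbox).values())


def log2_data_complexity(lp_bound: Fraction, c: int = 8) -> float:
    """Matsui's Algorithm 2 estimate N = c * eps^-2 with LP = (2*eps)^2, i.e.
    N = 4c/LP.  c = 8 is the 96.7% success-rate setting (32/LP).  Returns log2(N)."""
    return log2(4 * c / float(lp_bound))


if __name__ == "__main__":
    S = aes_sbox()
    for value, count in sorted(lp_distribution(S).items()):
        print(f"LP = {str(value):>7}: {count:6d} mask pairs")
    best = max(linear_probabilities(S).values())
    print(f"max LP = {best}; log2 N for one active s-box at 96.7% success = "
          f"{log2_data_complexity(best):.0f}")
```

For the AES s-box the largest single-s-box LP is 2^(-6); the bounds quoted in the abstracts come from combining such per-s-box values across rounds, which is the part this example does not do.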
An FPGA Implementation and Performance Evaluation of the Serpent Block Cipher
- EIGHTH ACM INTERNATIONAL SYMPOSIUM ON FIELD-PROGRAMMABLE GATE ARRAYS
, 2000
Cited by 11 (2 self)
With the expiration of the Data Encryption Standard (DES) in 1998, the Advanced Encryption Standard (AES) development process is well underway. It is hoped that the result of the AES process will be the specification of a new nonclassified encryption algorithm that will have the global acceptance achieved by DES as well as the capability of long-term protection of sensitive information. The technical analysis used in determining which of the potential AES candidates will be selected as the Advanced Encryption Algorithm includes efficiency testing of both hardware and software implementations of candidate algorithms. Reprogrammable devices such as Field Programmable Gate Arrays (FPGAs) are highly attractive options for hardware implementations of encryption algorithms as they provide cryptographic algorithm agility, physical security, and potentially much higher performance than software solutions. This contribution investigates the significance of an FPGA implementation of Serpent, one of the Advanced Encryption Standard candidate algorithms. Multiple architecture options of the Serpent algorithm will be explored with a strong focus being placed on a high speed implementation within an FPGA in order to support security for current and future high bandwidth applications. One of the main findings is that Serpent can be implemented with encryption rates beyond 4 Gbit/s on current FPGAs.
Probing Attacks on Tamper-Resistant Devices
, 1999
Cited by 10 (0 self)
This paper describes a new type of attack on tamper-resistant cryptographic hardware. We show that by locally observing the value of a few RAM or address bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by means of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to public-key cryptosystems such as RSA or El Gamal, as well as to secret-key encryption schemes including DES and RC5.
Construction of DES-like S-boxes Based on Boolean Functions Satisfying the SAC
- Proc. of Asiacrypt'91
, 1991
Cited by 9 (3 self)
In this paper, we present how to construct DES-like S-boxes based on Boolean functions satisfying the Strict Avalanche Criterion and compare their cryptographic properties with those of the DES S-boxes from various points of view. We found that our designed DES-like S-boxes exhibit better cryptographic properties than the DES S-boxes.
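The Strict Avalanche Criterion and nonlinearity that the three s-box design entries above (Practical S-Box Design, the bent-sequence paper, and this Asiacrypt'91 construction) evaluate, as an added example rather than code from any of those papers. It checks SAC for an s-box (flipping any one input bit must flip each output bit for exactly half of all inputs), the same criterion for a single Boolean function, and nonlinearity as the Hamming distance to the nearest affine function, by exhaustive comparison, which is fine at these sizes. The sample inputs are constructed: a 4 × 4 s-box taken from the first row of the DES S1 table, and the standard 4-variable bent function x0·x1 ⊕ x2·x3; the function names are this example's own.

```python
"""SAC and nonlinearity checks for small s-boxes and Boolean functions.
Added example; not code from any paper listed on this page.  Sample inputs
are constructed: a 4x4 s-box (first row of the DES S1 table) and the
4-variable bent function x0*x1 ^ x2*x3."""


def bit(v: int, i: int) -> int:
    return (v >> i) & 1


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def sac_counts(sbox: list, n_in: int, n_out: int) -> list:
    """counts[i][j] = number of inputs x for which flipping input bit i
    flips output bit j.  SAC holds iff every entry equals 2^(n_in - 1)."""
    size = 1 << n_in
    counts = [[0] * n_out for _ in range(n_in)]
    for i in range(n_in):
        for x in range(size):
            delta = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n_out):
                counts[i][j] += bit(delta, j)
    return counts


def satisfies_sac(sbox: list, n_in: int, n_out: int) -> bool:
    half = 1 << (n_in - 1)
    return all(c == half for row in sac_counts(sbox, n_in, n_out) for c in row)


def sac_violations(sbox: list, n_in: int, n_out: int) -> list:
    """(input bit, output bit, flip probability) for each pair that misses 1/2."""
    size = 1 << n_in
    return [(i, j, c / size)
            for i, row in enumerate(sac_counts(sbox, n_in, n_out))
            for j, c in enumerate(row) if c != size // 2]


def function_satisfies_sac(tt: list, n: int) -> bool:
    """SAC for one Boolean function f: f(x) ^ f(x ^ e_i) is balanced for every i."""
    size = 1 << n
    return all(sum(tt[x] ^ tt[x ^ (1 << i)] for x in range(size)) == size // 2
               for i in range(n))


def nonlinearity(tt: list, n: int) -> int:
    """Minimum Hamming distance from f (truth table of 2^n 0/1 values) to the
    2^(n+1) affine functions a.x ^ c, found by exhaustive comparison."""
    size = 1 << n
    best = size
    for a in range(size):
        d = sum(tt[x] ^ parity(a & x) for x in range(size))
        best = min(best, d, size - d)  # size - d is the distance to a.x ^ 1
    return best


def sbox_nonlinearity(sbox: list, n_in: int, n_out: int) -> int:
    """Nonlinearity of an s-box: the minimum over all nonzero output masks b
    of the nonlinearity of the component function b.S(x)."""
    size = 1 << n_in
    return min(nonlinearity([parity(b & sbox[x]) for x in range(size)], n_in)
               for b in range(1, 1 << n_out))


# Constructed sample: first row of the DES S1 table, read as a 4x4 bijection.
SAMPLE_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
               0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
# Textbook bent function on 4 variables: x0*x1 ^ x2*x3 (bit 0 is the LSB).
BENT4 = [(bit(x, 0) & bit(x, 1)) ^ (bit(x, 2) & bit(x, 3)) for x in range(16)]

if __name__ == "__main__":
    print("SAC flip probabilities, rows = input bit, cols = output bit:")
    for row in sac_counts(SAMPLE_SBOX, 4, 4):
        print("  ", [c / 16 for c in row])
    print("s-box satisfies SAC:", satisfies_sac(SAMPLE_SBOX, 4, 4))
    print("s-box SAC violations:", sac_violations(SAMPLE_SBOX, 4, 4))
    print("s-box nonlinearity:", sbox_nonlinearity(SAMPLE_SBOX, 4, 4))
    print("bent function: nonlinearity", nonlinearity(BENT4, 4),
          "SAC", function_satisfies_sac(BENT4, 4))
```

The sample s-box fails SAC on 9 of its 16 (input bit, output bit) pairs, which is the kind of measurement the SAC-based constructions above are designed to drive to zero; the bent function reaches the maximal 4-variable nonlinearity of 6 and satisfies SAC, the combination the bent-sequence paper exploits. For 8-bit s-boxes the exhaustive affine comparison in `nonlinearity` is still cheap; a Walsh transform is the usual choice beyond that.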
Resistance Against General Iterated Attacks
- In Advances in Cryptology EUROCRYPT'99, Prague, Czech Republic, Lecture Notes in Computer Science 1592
, 1998
Cited by 8 (2 self)
In this paper we study the resistance of a block cipher against any general iterated attack. This class of attacks includes differential and linear cryptanalysis. We prove that we can upper bound the complexity of the attack by using Vaudenay's decorrelation technique. Our main theorem enables us to prove the security of the recently proposed block ciphers COCONUT98 and PEANUT98. Since public-key cryptography was discovered in the late 70s, proving the security of cryptographic protocols has been a challenging problem. Recently, the random oracle model and the generic algorithm techniques have introduced new tools for validating cryptographic algorithms. Although much older, the area of symmetric cryptography did not get so many tools. In the early 90s, Biham and Shamir [2] introduced the notion of differential cryptanalysis and Matsui [7, 8] introduced the notion of linear cryptanalysis, which was a quite general model of attack. Since then many authors tried to formalize these a...

