Linear cryptanalysis of substitution-permutation networks, 2003
Abstract

Cited by 6 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
Abstract

Cited by 2 (0 self)
The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT, and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced at CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 2^96.68 25-round PRESENT encryptions, 2^40 blocks of memory and a 0.61 success rate. Further, we can extend the linear attack to 26 rounds with a small success rate. As a further contribution of this paper, we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.
KEY-DEPENDENT APPROXIMATIONS IN CRYPTANALYSIS. AN APPLICATION OF MULTIPLE Z4 AND NON-LINEAR APPROXIMATIONS.
Abstract
Linear cryptanalysis is a powerful cryptanalytic technique that makes use of a linear approximation over some rounds of a cipher, combined with one (or two) round(s) of key guess. This key guess is usually performed by a partial decryption over every possible key. In this paper, we investigate a particular class of non-linear Boolean functions that allows one to mount key-dependent approximations of s-boxes. Replacing the classical key guess by these key-dependent approximations allows one to quickly distinguish a set of keys including the correct one. By combining different relations, we can make up a system of equations whose solution is the correct key. The resulting attack allows larger flexibility and improves the success rate in some contexts. We apply it to the block cipher Q. In parallel, we propose a chosen-plaintext attack against Q that reduces the required number of plaintext-ciphertext pairs from 2^97 to 2^87.