Results 1 - 10 of 15
Probability distributions of correlation and differentials in block ciphers. Cryptology ePrint Archive, Report 2005/212
, 2005
Cited by 16 (1 self)
In this paper, we derive the probability distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for several of them for the first time. We show that these parameters have distributions that are well-studied in the field of probability such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key and hence so does the attack complexity. The theory of Markov ciphers does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence.
Exact Maximum Expected Differential and Linear Probability for 2Round Advanced Encryption Standard (AES)
 Technical Report, IACR ePrint Archive (http://eprint.iacr.org, Paper
, 2005
Cited by 16 (1 self)
Provable security of a block cipher against differential / linear cryptanalysis is based on the maximum expected differential / linear probability (MEDP / MELP) over T 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).
On the security of Rijndael-like structures against differential and linear cryptanalysis
 ASIACRYPT 2002, volume 2501 of LNCS
, 2002
Cited by 13 (0 self)
Abstract. Rijndael-like structure is a special case of SPN structure. The linear transformation of Rijndael-like structures consists of linear transformations of two types, the one is byte permutation π and the other is linear transformation θ = (θ1, θ2, θ3, θ4), where each of θi separately operates on each of the four columns of a state. Furthermore, π and θ have some interesting properties. In this paper, we present a new method for upper bounding the maximum differential probability and the maximum linear hull probability for Rijndael-like structures. By applying our method to Rijndael, we obtain that the maximum differential probability and the maximum linear hull probability for 4 rounds of Rijndael are bounded by 1.06 × 2^{-96}.
Linear cryptanalysis of substitution-permutation networks
, 2003
Cited by 7 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
Refined analysis of bounds related to linear and differential cryptanalysis for the AES
 Fourth Conference on the Advanced Encryption Standard - AES4, volume 3373 of LNCS
, 2005
Cited by 7 (1 self)
Abstract. The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are 1.075 × 2^{-106} and 1.144 × 2^{-111}, respectively, for T ≥ 4 rounds. These values are simply the 4th powers of the best upper bounds on the MELP and MEDP for T = 2 [3, 23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight—and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to 1.778 × 2^{-107}, for T ≥ 8.
Experimenting Linear Cryptanalysis
 Advanced Linear Cryptanalysis of Block and Stream Ciphers, vol. 7 of Cryptology and Information Security Series. IOS
, 2011
Cited by 4 (0 self)
Since the publication of linear cryptanalysis in the early 1990s, the precise understanding of the statistical properties involved in such attacks has proven to be a challenging and computationally intensive problem. As a consequence, a number of strategies have been developed, in order to design block ciphers secure against
High Probability Linear Hulls in Q
, 2001
Cited by 4 (1 self)
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is 2^{-90.1}. In contrast, the best known expected differential probability over the same rounds is 2^{-110.5} [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128-bit key with success rate 98.4%, using 2^{97} known ⟨plaintext, ciphertext⟩ pairs and no trial encryptions.
Statistics of Correlation and Differentials in Block Ciphers
, 2005
Cited by 3 (0 self)
In this paper, we derive the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time. We show that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers...
Proving the security of AES substitution-permutation network
 Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS
, 2006
Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, a SPN identical to AES except that fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^{128} − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.