Refined analysis of bounds related to linear and differential cryptanalysis for the AES
Fourth Conference on the Advanced Encryption Standard (AES4), volume 3373 of LNCS, 2005
Cited by 6 (1 self)
Abstract. The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are 1.075 × 2^-106 and 1.144 × 2^-111, respectively, for T ≥ 4 rounds. These values are simply the 4th powers of the best upper bounds on the MELP and MEDP for T = 2 [3, 23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight, and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to 1.778 × 2^-107, for T ≥ 8.
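Added illustration (code written for this listing, not taken from the paper above): the two per-S-box quantities that every such bound is built from. The script rebuilds the AES S-box from its definition (inverse in GF(2^8) followed by the affine map), computes its difference distribution table and, via a Walsh-Hadamard transform, its linear approximation table, and reports the maximum differential probability and maximum linear probability of one S-box. Both are 2^-6. Because MixColumns has branch number 5, at least five S-boxes are active in any two-round characteristic, so no single characteristic exceeds (2^-6)^5 = 2^-30; the two-round MEDP/MELP values the abstract works with (the 4th roots of the T ≥ 4 bounds quoted there) are larger than 2^-30 precisely because an expected probability sums over every characteristic in the differential or hull, which is what makes bounding them hard. The function names `aes_sbox`, `ddt`, `lat`, `max_dp`, `max_lp` and `two_round_characteristic_bound` are chosen here.

```python
# Added example: single-S-box DP/LP maxima for the AES S-box (not code from the paper).
import math


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) computed as a^254; gf_inv(0) == 0 by the AES convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox():
    """AES S-box: b = inv(x), then s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        s = 0x63
        for k in range(5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s)
    return box


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t


def parity(v):
    return bin(v).count("1") & 1


def walsh(f):
    """Fast Walsh-Hadamard transform: w[a] = sum_x f[x] * (-1)^(a.x) for len(f) a power of two."""
    w = list(f)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def lat(sbox):
    """Linear approximation table: lat[a][b] = sum_x (-1)^(a.x ^ b.S(x)) = n * correlation(a, b)."""
    n = len(sbox)
    cols = [walsh([1 - 2 * parity(b & sbox[x]) for x in range(n)]) for b in range(n)]
    return [[cols[b][a] for b in range(n)] for a in range(n)]


def max_dp(sbox):
    """Maximum differential probability over nonzero input differences."""
    n = len(sbox)
    t = ddt(sbox)
    return max(t[dx][dy] for dx in range(1, n) for dy in range(n)) / n


def max_lp(sbox):
    """Maximum linear probability (squared correlation) over nonzero input and output masks."""
    n = len(sbox)
    t = lat(sbox)
    return (max(abs(t[a][b]) for a in range(1, n) for b in range(1, n)) / n) ** 2


def two_round_characteristic_bound(sbox, active_sboxes=5):
    """Bound on any single 2-round AES characteristic: the MixColumns branch number 5
    forces at least five active S-boxes over two rounds (a standard AES fact)."""
    return max(max_dp(sbox), max_lp(sbox)) ** active_sboxes


if __name__ == "__main__":
    S = aes_sbox()
    print("AES S-box max DP = 2^%g, max LP = 2^%g" % (math.log2(max_dp(S)), math.log2(max_lp(S))))
    print("single 2-round characteristic <= 2^%g" % math.log2(two_round_characteristic_bound(S)))
```

The LAT is computed column by column with a transform rather than by the naive triple loop, which is the only way the 8-bit table stays cheap; the same routine scales to the 16-bit super-box tables used when bounding two AES rounds exactly.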
Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES)
Technical Report, IACR ePrint Archive (http://eprint.iacr.org), 2005
Cited by 5 (1 self)
Provable security of a block cipher against differential / linear cryptanalysis is based on the maximum expected differential / linear probability (MEDP / MELP) over T ≥ 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).
Probability distributions of correlation and differentials in block ciphers
Cryptology ePrint Archive, Report 2005/212, 2005
Cited by 5 (1 self)
In this paper, we derive the probability distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for several of them for the first time. We show that these parameters have distributions that are well-studied in the field of probability such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key and hence so does the attack complexity. The theory of Markov ciphers does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence.
Linear cryptanalysis of substitution-permutation networks
2003
Cited by 4 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the S-boxes are selected independently and uniformly from the set of all bijective n × n S-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected S-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
High Probability Linear Hulls in Q
2001
Cited by 4 (1 self)
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is 2^-90.1. In contrast, the best known expected differential probability over the same rounds is 2^-110.5 [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128-bit key with success rate 98.4%, using 2^97 known ⟨plaintext, ciphertext⟩ pairs and no trial encryptions.
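Added example (code written for this listing, not from the thesis or the Q paper above, and not a model of Q itself): the linear hull effect those two entries rely on, and the fixed-key variation that the Daemen-Rijmen entry above calls the hypothesis of stochastic equivalence, on a toy key-alternating SPN small enough to enumerate every trail exactly. The cipher is an assumption made here: an 8-bit block, two copies of the 4-bit PRESENT S-box per round, a fixed bit permutation `perm`, and a round key XORed after each round. `hull_vectors` propagates masks round by round, summing the linear probability of every trail (which, for a key-alternating cipher with independent uniform round keys, is exactly the key-averaged ELP) alongside the best single trail; `fixed_key_lp` measures the actual squared correlation for one key by exhaustive encryption, and `sample_fixed_key_lp` does that for many random keys. All arithmetic in `hull_vectors` is on integers scaled by 4096 per round so that the hull-versus-trail comparison is exact. Function and table names (`LP64`, `PTAB`, `PMASK`, `layer_lp4096`) are chosen here.

```python
# Added example: exact linear hulls vs. single trails on a toy key-alternating SPN
# (not code from any of the papers in this listing).
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT S-box
BITS = 8               # toy block: two 4-bit S-boxes per round (choice made for this example)
MASKS = 1 << BITS


def parity(v):
    return bin(v).count("1") & 1


def perm(z):
    """Bit permutation P: outputs of S-box 0 go to even positions, of S-box 1 to odd ones."""
    y = 0
    for i in range(BITS):
        if (z >> i) & 1:
            y |= 1 << (2 * i if i < 4 else 2 * (i - 4) + 1)
    return y


def perm_mask(b):
    """Mask c on the input of P with c.z == b.P(z) for every z (P is linear, so c_j = b.P(e_j))."""
    return sum(1 << j for j in range(BITS) if parity(b & perm(1 << j)))


PTAB = [perm(z) for z in range(MASKS)]
PMASK = [perm_mask(b) for b in range(MASKS)]
# 64 * squared correlation of the 4-bit S-box for (input mask u, output mask v), as an integer.
LP64 = [[(sum(parity(u & x) == parity(v & SBOX[x]) for x in range(16)) - 8) ** 2
         for v in range(16)] for u in range(16)]


def layer_lp4096(u, w):
    """4096 * squared correlation of the full S-box layer, mask u in and mask w out."""
    return LP64[u & 0xF][w & 0xF] * LP64[u >> 4][w >> 4]


def hull_vectors(a, rounds):
    """For input mask a and every output mask b: ELP(a, b) summed over all trails (the
    key average for independent round keys) and the best single-trail LP, both as
    integers scaled by 4096**rounds (returned as the third value)."""
    elp, best = [0] * MASKS, [0] * MASKS
    elp[a] = best[a] = 1
    for _ in range(rounds):
        ne, nb = [0] * MASKS, [0] * MASKS
        live = [u for u in range(MASKS) if elp[u]]
        for v in range(MASKS):
            w = PMASK[v]                  # mask at the S-layer output that yields mask v after P
            for u in live:
                p = layer_lp4096(u, w)
                if p:
                    ne[v] += elp[u] * p       # every trail through (u -> v) counts
                    nb[v] = max(nb[v], best[u] * p)
        elp, best = ne, nb
    return elp, best, 4096 ** rounds


def encrypt(x, keys):
    """Toy SPN: whitening key, then one round (S-layer, P, round key) per remaining key."""
    x ^= keys[0]
    for k in keys[1:]:
        x = PTAB[(SBOX[x >> 4] << 4) | SBOX[x & 0xF]] ^ k
    return x


def fixed_key_lp(a, b, keys):
    """Squared correlation of a.x == b.E_K(x) for one key, exhaustive over all 256 plaintexts."""
    agree = sum(parity(a & x) == parity(b & encrypt(x, keys)) for x in range(MASKS))
    return ((2 * agree - MASKS) / MASKS) ** 2


def sample_fixed_key_lp(a, b, rounds, n_keys, seed=1):
    """Fixed-key LP for n_keys random keys (constructed here with a seeded RNG)."""
    rng = random.Random(seed)
    return [fixed_key_lp(a, b, [rng.randrange(MASKS) for _ in range(rounds + 1)])
            for _ in range(n_keys)]


if __name__ == "__main__":
    a, rounds = 0x01, 5
    elp, best, den = hull_vectors(a, rounds)
    b = max(range(1, MASKS), key=elp.__getitem__)
    print("a=%#04x b=%#04x over %d rounds" % (a, b, rounds))
    print("  ELP over all trails = %.3e, best single trail = %.3e, ratio = %.2f"
          % (elp[b] / den, best[b] / den, elp[b] / best[b]))
    lps = sample_fixed_key_lp(a, b, rounds, 200)
    print("  fixed-key LP over 200 keys: mean %.3e, min %.3e, max %.3e"
          % (sum(lps) / len(lps), min(lps), max(lps)))
```

Two things to read off the output: the ratio of ELP to best trail is the hull effect (it is exactly 1 for a single round, where each mask pair has one trail, and grows with the number of rounds), and the spread of the fixed-key values around the key average is what the stochastic-equivalence hypothesis assumes is small. The rigorous form of linear cryptanalysis the thesis above refers to works with the first quantity, not with a single characteristic.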
Automatic Search of Attacks on Round-Reduced AES and Applications
CRYPTO 2011, LNCS, 2011
Cited by 3 (2 self)
Abstract. In this paper, we describe versatile and powerful algorithms for searching guess-and-determine and meet-in-the-middle attacks on byte-oriented symmetric primitives. To demonstrate the strength of these tools, we show that they allow us to automatically discover new attacks on round-reduced AES with very low data complexity, and to find improved attacks on the AES-based MACs Alpha-MAC and Pelican-MAC, and also on the AES-based stream cipher LEX. Finally, the tools can be used in the context of fault attacks. These algorithms exploit the algebraically simple byte-oriented structure of the AES. When the attacks found by the tools are practical, they have been implemented and validated.
Proving the security of AES substitution-permutation network
Selected Areas in Cryptography (SAC 2005), volume 3897 of LNCS, 2006
Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.
Statistics of Correlation and Differentials in Block Ciphers
2005
Cited by 2 (0 self)
In this paper, we derive the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time. We show that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers...
Completion of computation of improved upper bound on the maximum average linear hull probability for Rijndael
Technical Report, IACR ePrint Archive (http://eprint.iacr.org), Paper 2004/074
Cited by 1 (1 self)
Abstract. This report presents the results from the completed computation of an algorithm introduced by the authors in [11] for evaluating the provable security of the AES (Rijndael) against linear cryptanalysis. This algorithm, later named KMT2, can in fact be applied to any SPN [8]. Preliminary results in [11] were based on 43% of the total computation, estimated at 200,000 hours on our benchmark machine at the time, a Sun Ultra 5. After some delay, we obtained access to the necessary computational resources, and were able to run the algorithm to completion. In addition to the above, this report presents the results from the dual version of our algorithm (KMT2-DC) as applied to the AES.