Results 1-6 of 6
Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES)
Technical Report, IACR ePrint Archive (http://eprint.iacr.org, Paper ...), 2005
Abstract

Cited by 7 (1 self)
Provable security of a block cipher against differential / linear cryptanalysis is based on the maximum expected differential / linear probability (MEDP / MELP) over T ≥ 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).
Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers
Computing, 2009
Abstract

Cited by 3 (0 self)
Although symmetric key primitives such as block ciphers are ubiquitously deployed throughout all cryptosystems, they do not come with a formal proof of security. This makes a continuous analysis and evaluation a necessity. In 2001, the block cipher Rijndael [2] became the new Advanced Encryption Standard (AES) by NIST. Therefore, it has been subjected to various modern cryptanalytic techniques such as differential cryptanalysis [1, 6] and linear cryptanalysis [7]. In this talk we want to focus on the security of AES against differential cryptanalysis. Provable security against differential cryptanalysis of so-called Substitution-Permutation Networks (SPNs) (of which the AES is the most prominent example) has been investigated recently in [4, 5, 9, 10]. The goal of this talk is to show how to improve on the results achieved so far. A differential (cf. [6]) of a function f: {0, 1}^n → {0, 1}^n is a pair (a, b) ∈ {0, 1}^n × {0, 1}^n such that f(x) ⊕ f(x ⊕ a) = b for some x. We call a the input difference and b the output difference. The differential probability DP(a, b) of a differential (a, b) (with respect to f) is defined as DP(a, b) = 2^(−n) · #{x ∈ {0, 1}^n | f(x ⊕ a) ⊕ f(x) = b}. If f is a function parameterized by a key k, we can also define the differential probability DP[k](a, b) in a straightforward manner.
Proving the security of AES substitution-permutation network
Selected Areas in Cryptography, SAC 05, volume 3897 of LNCS, 2006
Abstract

Cited by 2 (2 self)
Abstract. In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with 4 inner rounds only, despite the huge cumulative effect of multipath characteristics that is induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast when the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after 10 rounds only, which substantially improves a previous result by Moriai and Vaudenay.
Provable Security in Cryptography
2007
Abstract
These lecture notes are a compilation of some of my readings while I was preparing two lectures given at EPFL on provable security in cryptography. They are essentially based on a book chapter from David Pointcheval called “Provable Security for Public Key Schemes” [24], on Victor Shoup’s tutorial on game playing techniques [30], on Coron’s Crypto’00 paper on the exact security of the Full Domain Hash [9], and on Victor Shoup’s Journal of Cryptology paper on OAEP+ [28, 29].

1 Provable Security

Although the origin of cryptography seems to date back to the invention of writing, no provably secure cryptosystem (a notion that will be made clearer later) was known before Rabin’s cryptosystem, published in 1979 [18, 25]. Yet, several cryptosystems designed during the past 30 years provide very little (not to say no) security proofs. Some of these algorithms are widely used in nowadays secure applications. For example, if it was not for the work of Keliher [15], the AES [10] (the block cipher adopted as an encryption standard by the U.S. government) would not provide any (convincing) security proof against linear cryptanalysis [20] (a very powerful, yet very specific attack). The strongest argument in favor of the security of the AES is that, until now, none of the smart cryptanalytic attempts to break it was successful. This fact, added to the very nice design rationales on which the AES relies, are often
DOI 10.1007/s00607-009-0034-y Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers
Abstract
Abstract. In this paper we study the security of the Advanced Encryption Standard (AES) and AES-like block ciphers against differential cryptanalysis. Differential cryptanalysis is one of the most powerful methods for analyzing the security of block ciphers. Even though no formal proofs for the security of AES against differential cryptanalysis have been provided to date, some attempts to compute the maximum expected differential probability (MEDP) for two and four rounds of AES have been presented recently. In this paper, we will improve upon existing approaches in order to derive better bounds on the EDP for two and four rounds of AES based on a slightly simplified S-box. More precisely, we are able to provide the complete distribution of the EDP for two rounds of this AES variant with five active S-boxes and methods to improve the estimates for the EDP in the case of six active S-boxes.