
Linear Cryptanalysis of Substitution-Permutation Networks (2003)

by L Keliher

Results 1 - 4 of 4

Refined analysis of bounds related to linear and differential cryptanalysis for the AES

by Liam Keliher - Fourth Conference on the Advanced Encryption Standard - AES4, volume 3373 of LNCS, 2005
Cited by 6 (1 self)
Abstract. The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are 1.075 × 2^−106 and 1.144 × 2^−111, respectively, for T ≥ 4 rounds. These values are simply the 4th powers of the best upper bounds on the MELP and MEDP for T = 2 [3, 23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight—and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to 1.778 × 2^−107, for T ≥ 8.

Completion of computation of improved upper bound on the maximum average linear hull probability for Rijndael

by Liam Keliher, Henk Meijer, Stafford Tavares - Technical Report, IACR ePrint Archive (http://eprint.iacr.org, Paper # 2004/074)
Cited by 1 (1 self)
Abstract. This report presents the results from the completed computation of an algorithm introduced by the authors in [11] for evaluating the provable security of the AES (Rijndael) against linear cryptanalysis. This algorithm, later named KMT2, can in fact be applied to any SPN [8]. Preliminary results in [11] were based on 43% of total computation, estimated at 200,000 hours on our benchmark machine at the time, a Sun Ultra 5. After some delay, we obtained access to the necessary computational resources, and were able to run the algorithm to completion. In addition to the above, this report presents the results from the dual version of our algorithm (KMT2-DC) as applied to the AES.

Toward Provable Security Against Differential and Linear Cryptanalysis for Camellia and Related Ciphers

by Liam Keliher, 2006
We present a new algorithm that evaluates provable security against differential and linear cryptanalysis for Feistel ciphers with invertible substitution-diffusion (SD)-based round functions. This algorithm computes an upper bound on the maximum expected differential or linear probability (MEDP or MELP) based on the number of rounds. We then apply our algorithm to Camellia (minus FL/FL^−1). Previously, the best upper bounds for Camellia were 2^−12 (both MEDP and MELP) for 3+ rounds. Our algorithm improves these bounds to 1.065 × 2^−28 (MEDP) and 1.161 × 2^−27 (MELP) for 6+ rounds. This is a first step toward establishing the provable security of Camellia and related ciphers against differential and linear cryptanalysis.

DIFFERENTIAL CRYPTANALYSIS FOR A 3-ROUND SPN

by M. Tolga Sakalli, Ercan Bulus, Andac Şahin, Fatma Buyuksaracoglu
SPNs (Substitution Permutation Networks) are one of the important architectures used for designing block ciphers. In our study, we applied differential cryptanalysis method for a 3-round SPN. We have used a 16-bit input as plaintext and 16-bit output as ciphertext and chosen the first row of the third S-box of DES (Data Encryption Standard) for the necessary S-box and ShiftRows transformation which is used to permute bytes in AES (Advanced Encryption Standard) for permutation of bits for our SPN. As a result, we have obtained 12-bit key of 16-bit key from the last round of the cipher using differential cryptanalysis method.