Abstract. We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2 −75, corresponding to a lower bound on the data 8 complexity of UB = 278 (for 96.7 % success rate). Note that this does not demonstrate the existence of a such an attack, but is, to our knowledge, the first such lower bound.

In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of UB = 2 \Gamma75 when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of 32 UB = 2 80 (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8 \Theta 8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is 2 \Gamma92 , corresponding to a lower bound on the data complexity of 2 97 (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized---see Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES 1

Abstract. The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are 1.075 × 2 −106 and 1.144 × 2 −111, respectively, for T ≥ 4 rounds. These values are simply the 4 th powers of the best upper bounds on the MELP and MEDP for T = 2 [3, 23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight—and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to 1.778 × 2 −107, for T ≥ 8.

this paper, we refer to a permutation layer as a "diffusion layer' for the sake of clarity. Most diffusion layers have appropriate matrix representations, since they are linear transformations over 158 Ju-Sung Kang et aL ETRI Journal, Volume 23, Number 4, December 2001 some finite fields and have one-to-one correspondence to an appropriate matrix. With these matrix representations, we study the practical and provaNe security against differential and linear cryptanalysis

Provable security of a block cipher against di#erential / linear cryptanalysis is based on the maximum expected di#erential / linear probability (MEDP / MELP) over T 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).

The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uni-formly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this ex-pression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with ran-domly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.

In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is 2 \Gamma90:1 . In contrast, the best known expected differential probability over the same rounds is 2 \Gamma110:5 [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128-bit key with success rate 98.4%, using 2 97 known hplaintext; ciphertexti pairs and no trial encryptions.

Introduction In [3], we present a new algorithm for computing an upper bound on the maximum average linear hull probability (MALHP) for the SPN symmetric cipher structure, a value required to make claims about provable security against linear cryptanalysis. This algorithm improves on existing work in that the resulting upper bound is a function of the number of encryption rounds (other upper bounds known to the authors are not), and moreover, it can be computed for an SPN with any linear transformation layer (the best previous result, that of Hong et. al [4], applies only to SPNs with highly diffusive linear transformations). It is well known that there exists a duality between linear cryptanalysis and differential cryptanalysis which allows certain results related to one of the attacks to be translated into the corresponding results for the other attack [1, 5]. Since this duality applies to our work in [3], we immediately obtain an algorithm for upper boundin

A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0, 1} N to {0, 1} N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key—this is generally taken to be the ideal cipher model. We consider a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, we investigate expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis. We show that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.

Abstract not found