Results 1 - 10 of 20
New method for upper bounding the maximum average linear hull probability for SPNs
Advances in Cryptology — EUROCRYPT 2001, LNCS 2045, 2001
Cited by 21 (9 self)
Abstract. We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound $UB = 2^{-75}$, corresponding to a lower bound on the data complexity of $\frac{8}{UB} = 2^{78}$ (for 96.7% success rate). Note that this does not demonstrate the existence of such an attack, but is, to our knowledge, the first such lower bound.
Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael
2001
Cited by 15 (6 self)
In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of $UB = 2^{-75}$ when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of $\frac{32}{UB} = 2^{80}$ (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael $8 \times 8$ s-box. Our new upper bound on the MALHP when 9 rounds are approximated is $2^{-92}$, corresponding to a lower bound on the data complexity of $2^{97}$ (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized; see Section 7.] Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES
Practical and Provable Security against Differential And Linear Cryptanalysis for Substitution-Permutation Networks
ETRI Journal, 2001
Cited by 8 (1 self)
this paper, we refer to a permutation layer as a "diffusion layer" for the sake of clarity. Most diffusion layers have appropriate matrix representations, since they are linear transformations over some finite fields and have one-to-one correspondence to an appropriate matrix. With these matrix representations, we study the practical and provable security against differential and linear cryptanalysis [Ju-Sung Kang et al., ETRI Journal, Volume 23, Number 4, December 2001, p. 158]
Refined analysis of bounds related to linear and differential cryptanalysis for the AES
Fourth Conference on the Advanced Encryption Standard - AES4, volume 3373 of LNCS, 2005
Cited by 6 (1 self)
Abstract. The best upper bounds on the maximum expected linear probability (MELP) and the maximum expected differential probability (MEDP) for the AES, due to Park et al. [23], are $1.075 \times 2^{-106}$ and $1.144 \times 2^{-111}$, respectively, for T ≥ 4 rounds. These values are simply the 4th powers of the best upper bounds on the MELP and MEDP for T = 2 [3, 23]. In our analysis we first derive nontrivial lower bounds on the 2-round MELP and MEDP, thereby trapping each value in a small interval; this demonstrates that the best 2-round upper bounds are quite good. We then prove that these same 2-round upper bounds are not tight—and therefore neither are the corresponding upper bounds for T ≥ 4. Finally, we show how a modified version of the KMT2 algorithm (or its dual, KMT2-DC), due to Keliher et al. (see [8]), can potentially improve any existing upper bound on the MELP (or MEDP) for any SPN. We use the modified version of KMT2 to improve the upper bound on the AES MELP to $1.778 \times 2^{-107}$, for T ≥ 8.
Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES)
Technical Report, IACR ePrint Archive (http://eprint.iacr.org), Paper, 2005
Cited by 5 (1 self)
Provable security of a block cipher against differential / linear cryptanalysis is based on the maximum expected differential / linear probability (MEDP / MELP) over T 2 core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case T = 2 for the Advanced Encryption Standard (AES).
Linear cryptanalysis of substitution-permutation networks
2003
Cited by 4 (3 self)
The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective n × n s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
High Probability Linear Hulls in Q
2001
Cited by 4 (1 self)
In this paper, we demonstrate that the linear hull effect is significant for the Q cipher. The designer of Q performs preliminary linear cryptanalysis by discussing linear characteristics involving only a single active bit at each stage [13]. We present a simple algorithm which combines all such linear characteristics with identical first and last masks into a linear hull. The expected linear probability of the best such linear hull over 7.5 rounds (8 full rounds minus the first S substitution) is $2^{-90.1}$. In contrast, the best known expected differential probability over the same rounds is $2^{-110.5}$ [2]. Choosing a sequence of linear hulls, we get a straightforward attack which can recover a 128-bit key with success rate 98.4%, using $2^{97}$ known ⟨plaintext, ciphertext⟩ pairs and no trial encryptions.
Dual of New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs
Technical Report, IACR ePrint Archive (http://eprint.iacr.org), Paper # 2001/033, 2001
Cited by 4 (3 self)
Introduction. In [3], we present a new algorithm for computing an upper bound on the maximum average linear hull probability (MALHP) for the SPN symmetric cipher structure, a value required to make claims about provable security against linear cryptanalysis. This algorithm improves on existing work in that the resulting upper bound is a function of the number of encryption rounds (other upper bounds known to the authors are not), and moreover, it can be computed for an SPN with any linear transformation layer (the best previous result, that of Hong et al. [4], applies only to SPNs with highly diffusive linear transformations). It is well known that there exists a duality between linear cryptanalysis and differential cryptanalysis which allows certain results related to one of the attacks to be translated into the corresponding results for the other attack [1, 5]. Since this duality applies to our work in [3], we immediately obtain an algorithm for upper boundin
Toward the true random cipher: On expected linear probability values for SPNs with randomly selected s-boxes, chapter
in Communications, Information and Network, 2003
Cited by 3 (2 self)
A block cipher, which is an important cryptographic primitive, is a bijective mapping from $\{0,1\}^N$ to $\{0,1\}^N$ (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key—this is generally taken to be the ideal cipher model. We consider a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, we investigate expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis. We show that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.