## Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis (1996)

Venue: JOURNAL OF CRYPTOLOGY

Citations: 30 - 10 self

### BibTeX

```bibtex
@ARTICLE{Heys96substitution-permutationnetworks,
    author = {Howard M. Heys and Stafford E. Tavares},
    title = {Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis},
    journal = {JOURNAL OF CRYPTOLOGY},
    year = {1996},
    volume = {9},
    pages = {1--19}
}
```

### Abstract

In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.

### Citations

850 | Communication theory of secrecy systems - Shannon - 1990
Citation Context ...tution-permutation network, S-box, Differential cryptanalysis, Linear cryptanalysis. 1. Introduction The class of product ciphers considered in this paper is based on principles introduced by Shannon [28]. Shannon suggested that secure, practical product ciphers may be constructed using a “mixing transformation” consisting of a number of layers or rounds of “confusion” and “diffusion”. The confusion c... |

544 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991
Citation Context ...a notable effect on the perceived security of many product ciphers. For example, DES has been found to be theoretically cryptanalyzable by differential cryptanalysis using a chosen plaintext approach [5] and by linear cryptanalysis using a known plaintext approach [18]. In this paper we examine the security of SPNs with respect to these two powerful cryptanalysis techniques and suggest structures tha... |

453 | Linear Cryptanalysis Method for DES Cipher, Eurocrypt - Matsui - 1993
Citation Context ...s. For example, DES has been found to be theoretically cryptanalyzable by differential cryptanalysis using a chosen plaintext approach [5] and by linear cryptanalysis using a known plaintext approach [18]. In this paper we examine the security of SPNs with respect to these two powerful cryptanalysis techniques and suggest structures that aid in resisting the attacks. In particular, we develop upper bo... |

144 | Cryptography and Computer Privacy - Feistel - 1973
Citation Context ...onfusion component is a nonlinear substitution on a small subblock and the diffusion component is a linear mixing of the subblock connections in order to diffuse the statistics of the system. Feistel [13] and Feistel et al. [14] were the first to introduce a practical architecture based on Shannon’s concepts with a network structure consisting of a sequence of rounds of small substitutions (referred t... |

144 | Differentially Uniform Mappings for Cryptography - Nyberg - 1994
Citation Context ...r approximation has α = R and satisfies $\left|p_L - \frac{1}{2}\right| \le 2^{R-1} \left|p_\varepsilon - \frac{1}{2}\right|^R \le 2^{R-1} \left(\frac{2^{n-1} - NL_{\min}}{2^n}\right)^R$. (22) It is known that there are n × n bijective mappings for which $NL(S) \ge 2^{n-1} - 2^{n/2}$ [23]. Assuming that S-boxes are used that have $NL(S) = 2^{n-1} - 2^{n/2}$, combining (9) and (22) we see that the number of known plaintexts required to determine one bit of key is at least $2^{nR-2(R-1)}$. For exa... |

126 | Nonlinearity criteria for cryptographic functions, in - Meier, Staffelbach - 1990 |

113 | On the Design of S-boxes - Webster, Tavares - 1985
Citation Context ...n order is bidirectional, i.e., the inverse S-box $S^{-1}$ satisfies the same diffusion order as S-box S. Other properties related to the diffusiveness of an S-box are the strict avalanche criterion (SAC) [31] and the propagation criterion [27] (also referred to as higher-order SAC [1]). An S-box satisfies SAC if, given that a single input bit is complemented, the probability that each output bit changes i... |

93 | Differential Cryptanalysis of the Full 16-Round - Biham, Shamir - 1993
Citation Context ...of Cryptanalysis In this section we discuss two important classes of cryptanalysis which have had significant success against product ciphers. (a) Differential Cryptanalysis In a series of papers [5]–[8] Biham and Shamir successfully demonstrate the susceptibility of several product ciphers to differential cryptanalysis. Notably, differential cryptanalysis has been successful in breaking weakened ver... |

74 | Perfect nonlinear S-boxes - Nyberg - 1991
Citation Context ...s an SPN. Many papers have examined the cryptographically desirable properties of SPNs and their components. Acknowledged design criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonl... |

73 | Propagation characteristics of Boolean functions - Preneel, Leekwijck, et al. - 1991
Citation Context ... inverse S-box $S^{-1}$ satisfies the same diffusion order as S-box S. Other properties related to the diffusiveness of an S-box are the strict avalanche criterion (SAC) [31] and the propagation criterion [27] (also referred to as higher-order SAC [1]). An S-box satisfies SAC if, given that a single input bit is complemented, the probability that each output bit changes is exactly $\frac{1}{2}$. Similarly, an S-box s... |

61 | LOKI - a cryptographic primitive for authentication and secrecy applications - Brown, Pieprzyk, et al. - 1990
Citation Context ... E. Tavares referred to as substitution-permutation networks or SPNs. The fundamental principles of an SPN form the foundation for many modern product ciphers, including DES [20], FEAL [29], and LOKI [10]. Recent cryptanalysis techniques have had a notable effect on the perceived security of many product ciphers. For example, DES has been found to be theoretically cryptanalyzable by differential crypt... |

53 | A Structured Design of Substitution-Permutation Encryption Networks - Kam, Davida - 1979
Citation Context ...esign criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonlinearity and we use the following nonlinearity measures when referring to a boolean function or an S-box. The nonlinearity ... |

46 | Fast data encipherment algorithm FEAL - Shimizu, Miyaguchi - 1987
Citation Context ... M. Heys and S. E. Tavares referred to as substitution-permutation networks or SPNs. The fundamental principles of an SPN form the foundation for many modern product ciphers, including DES [20], FEAL [29], and LOKI [10]. Recent cryptanalysis techniques have had a notable effect on the perceived security of many product ciphers. For example, DES has been found to be theoretically cryptanalyzable by dif... |

44 | Some cryptographic techniques for machine-to-machine data communications - Feistel, Notz, et al. - 1975
Citation Context ...nonlinear substitution on a small subblock and the diffusion component is a linear mixing of the subblock connections in order to diffuse the statistics of the system. Feistel [13] and Feistel et al. [14] were the first to introduce a practical architecture based on Shannon’s concepts with a network structure consisting of a sequence of rounds of small substitutions (referred to as S-boxes), easily im... |

40 | On the Construction of Highly Nonlinear Permutations - Nyberg - 1993
Citation Context ... all $W_i \neq 0$ $NL\left(\bigoplus_{i=1}^{n} W_i f_i\right)$, (2) where $f_i$ represents the n-input function of the ith output of the S-box. Letting $S^{-1}$ represent the inverse of S-box S, it can be shown that $NL(S^{-1}) = NL(S)$ [22]. 3. Two Important Classes of Cryptanalysis In this section we discuss two important classes of cryptanalysis which have had significant success against product ciphers. (a) Differential Cryptanalysis... |

31 | Differential Cryptanalysis of Feal and NHash - Biham, Shamir - 1991 |

29 | The structured design of cryptographically good S-boxes - Adams, Tavares - 1990
Citation Context ...ure as an SPN. Many papers have examined the cryptographically desirable properties of SPNs and their components. Acknowledged design criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion o... |

28 | Differential Cryptanalysis of Snefru - Biham, Shamir - 1992 |

26 | On the distribution of characteristics in bijective mappings - O'Connor - 1994
Citation Context ...elated the information-theoretic and nonlinear (bentness) properties of S-boxes to minimizing $p_\delta$ and suggest that S-boxes based on these principles provide resistance to differential cryptanalysis. In [25] O’Connor shows that, for large n, the S-box XOR pair probability is expected to be at most $n/2^{n-1}$. Hence, the expected maximum XOR pair probability decreases as the size of the S-box is increased. F... |

23 | An expanded set of S-box design criteria based on information theory - Dawson, Tavares - 1991
Citation Context ...aphically desirable properties of SPNs and their components. Acknowledged design criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonlinearity and we use the following nonlinearity m... |

17 | A formal and practical design procedure for substitution-permutation network cryptosystems - Adams - 1990
Citation Context ...sion order as S-box S. Other properties related to the diffusiveness of an S-box are the strict avalanche criterion (SAC) [31] and the propagation criterion [27] (also referred to as higher-order SAC [1]). An S-box satisfies SAC if, given that a single input bit is complemented, the probability that each output bit changes is exactly $\frac{1}{2}$. Similarly, an S-box satisfies the propagation criterion order... |

17 | Towards effective nonlinear cryptosystem design - Pieprzyk, Finkelstein - 1988
Citation Context ...al architecture as an SPN. Many papers have examined the cryptographically desirable properties of SPNs and their components. Acknowledged design criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is t... |

14 | On Immunity Against Biham and Shamir's 'Differential Cryptanalysis' - Adams - 1992
Citation Context ...st likely S-box XOR pair (other than ($\Delta X = 0$, $\Delta Y = 0$)) be $p_\delta$. Characteristics derived from S-box XOR pairs with high probabilities will typically occur with high probability. Several authors [12], [21], [2] have related the information-theoretic and nonlinear (bentness) properties of S-boxes to minimizing $p_\delta$ and suggest that S-boxes based on these principles provide resistance to differential cryptanalys... |

11 | On the designs of SP networks from an information theoretic point of view - Tavares, Sivabalan, et al. - 1992
Citation Context ...2 may actually be considered as a special case of method 1. Method 2, however, ensures that all mappings in the set of possible mappings for an S-box are from the same cryptographic equivalence class [30]. We shall assume in our discussion that the network is keyed using XOR mask keying by XORing x bits of key (as determined by the key scheduling algorithm) before the first substitution, after the las... |

9 | Methods and Instruments for Designing S-boxes - Forré - 1990
Citation Context ...yptographically desirable properties of SPNs and their components. Acknowledged design criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonlinearity and we use the following nonlinea... |

9 | An analysis of product ciphers based on the properties of Boolean functions - O'Connor - 1992
Citation Context ... one bit of key is at least $2^{nR-2(R-1)}$. For example, if an eight-round SPN was constructed using 8 × 8 S-boxes with NL(S) = 112, it would take about $2^{50}$ known plaintexts to determine one key bit. In [24] O’Connor shows that, as n gets larger, the expected distance of a randomly selected n-bit function (not necessarily balanced) from the nearest affine function increases and $p_\varepsilon$ approaches the ideal va... |

8 | The design of complete encryption networks using cryptographically equivalent permutations - Ayoub - 1982
Citation Context ...criteria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonlinearity and we use the following nonlinearity measures when referring to a boolean function or an S-box. The nonlinearity of an... |

7 | On the Design of Permutation P in DES Type Cryptosystems - Brown, Seberry - 1989
Citation Context ...ria for the network S-boxes include nonlinearity [26], [19], [3], [21] and information-theoretic properties [15], [12]. Preferred permutation structures promote the influence of input bits [16], [4], [11]. Of particular importance to our discussion is the notion of nonlinearity and we use the following nonlinearity measures when referring to a boolean function or an S-box. The nonlinearity of an n-inp... |

7 | Iterative Characteristics of DES and $s^2$-DES - Knudsen - 1992
Citation Context ...d maximum XOR pair probability satisfies $p_\delta \le 2^{-4}$. High probability characteristics will also occur when poor diffusion of bit changes results in a characteristic involving a small number of S-boxes [17], [25]. Consider, for example, a four-round characteristic for an SPN with 4×4 S-boxes that have a maximum XOR pair probability of $p_\delta = \frac{1}{4}$. It is possible that a characteristic might exist with only... |

1 | On the design of SP networks from an information-theoretic point of view - Sivabalan, Tavares, et al. - 1993
Citation Context ...2 may actually be considered as a special case of method 1. Method 2, however, ensures that all mappings in the set of possible mappings for an S-box are from the same cryptographic equivalence class [30]. We assume in our discussion that the network is keyed using XOR mask keying by XORing N bits of key (as determined by the key-scheduling algorithm) before the first substitution, after the last subs... |