## Modeling Linear Characteristics of Substitution-Permutation Networks (2000)

Venue: Sixth Annual International Workshop on Selected Areas in Cryptography (SAC’99), LNCS 1758

Citations: 3 - 3 self

### BibTeX

```
@INPROCEEDINGS{Keliher00modelinglinear,
    author = {Liam Keliher and Henk Meijer and Stafford Tavares},
    title = {Modeling Linear Characteristics of Substitution-Permutation Networks},
    booktitle = {Sixth Annual International Workshop on Selected Areas in Cryptography (SAC’99), LNCS 1758},
    year = {2000},
    pages = {78--91},
    publisher = {Springer-Verlag}
}
```

### Abstract

In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPN's). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active s-boxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds.

### Citations

849 | Communication theory of secrecy systems
- Shannon
- 1949
Citation Context: ... a reasonably small number of rounds. 1 Introduction A substitution-permutation network (SPN) is a basic cryptosystem architecture which implements Shannon's principles of "confusion" and "diffusion" [15], and which was first proposed by Feistel [4]. An SPN is in some sense the simplest implementation of Shannon's principles. Its basic structural elements of substitution and linear transformation are ...

453 | Linear Cryptanalysis Method for DES Cipher, Eurocrypt
- Matsui
- 1993
Citation Context: ... $\times\, n$ s-boxes. In addition, we make the assumption that the input to each encryption round is uniformly and independently distributed over $\{0,1\}^N$. This allows the use of Matsui's Piling-up Lemma [9] in Sections 4 and 5. This assumption does in fact hold if we observe the inputs to the various rounds while varying over all plaintexts and all keys $K \in \{0,1\}^{N(R+1)}$. However, in practice, K is fix...

144 | Cryptography and Computer Privacy
- Feistel
- 1973
Citation Context: ...uction A substitution-permutation network (SPN) is a basic cryptosystem architecture which implements Shannon's principles of "confusion" and "diffusion" [15], and which was first proposed by Feistel [4]. An SPN is in some sense the simplest implementation of Shannon's principles. Its basic structural elements of substitution and linear transformation are the foundation of many modern block ciphers, ...

134 | The first experimental cryptanalysis of the Data Encryption Standard
- Matsui
- 1994
Citation Context: ...known-plaintext attack (ciphertext-only under certain conditions) which was introduced by Matsui in 1993 [9]. Matsui demonstrated that linear cryptanalysis could break DES using $2^{43}$ known plaintexts [11]. Here we present linear cryptanalysis in the context of SPN's where (absent the complexities of DES) the basic concepts are more easily stated. Linear cryptanalysis of SPN's has been considered to so...

69 | Linear approximations of block ciphers
- Nyberg
- 1994
Citation Context: ...however, that to achieve "provable security" against linear cryptanalysis, resistance to linear hulls, the counterpart of differentials in differential cryptanalysis, must be demonstrated (see Nyberg [13]). 2 Substitution-Permutation Networks A substitution-permutation network processes an N-bit plaintext through a series of R rounds, each round consisting of a substitution stage followed by a permuta...

53 | A Structured Design of Substitution-Permutation Encryption Networks
- Kam, Davida
- 1979
Citation Context: ...ize $n \times n$ ($n \geq 2$) in each round (therefore $N = n^2$), and an interround permutation $\pi: \{0,1\}^N \to \{0,1\}^N$ which connects output bit j of s-box i in round r to input bit i of s-box j in round r + 1 [8], as in Figure 1. (We use the convention that all numbering proceeds from left to right, beginning at 1.) In our model, each s-box in the SPN is chosen uniformly and independently from the set of all ...

44 | On Matsui's Linear Cryptanalysis
- Biham
- 1995
Citation Context: ...with the current block before round r, and subkey K R+1 is XOR'd with the output of the last round to form the ciphertext. For the purpose of what follows, we will assume that K is an independent key [2], a concatenation of (R + 1) N-bit subkeys which are not necessarily derivable from some master key via a key-scheduling algorithm (therefore $K \in \{0,1\}^{N(R+1)}$). Decryption is accomplished by running...

36 | On Correlation between the Order of S-Boxes and the Strength of
- Matsui
- 1994
Citation Context: ...round linear characteristic of a given SPN, for varying values of n and R. The program, tailored to the SPN structure, is based on Matsui's algorithm which finds the best linear characteristic of DES [10]. We quickly observed that the best characteristic almost always involved one active s-box in each round (i.e., it belonged to $L_R^R$), especially as the s-box dimension was increased. In fact, when 5...

30 | Substitution-permutation networks resistant to differential and linear cryptanalysis, volume 9
- Heys, Tavares
- 1996
Citation Context: ...uses a straight SPN structure [1]). Viewing the basic SPN architecture as a "canonical" cryptosystem has provided a useful model for study, yielding a range of analytical and experimental results [6][7][17]. In this paper we consider the linear cryptanalysis of SPN's, developing a model which allows us to bound the probability that a linear attack based on linear characteristics will succeed. The re...

15 | Serpent: A Flexible Block Cipher With Maximum Assurance
- Anderson, Biham, et al.
- 1998
Citation Context: ... elements of substitution and linear transformation are the foundation of many modern block ciphers, as can be seen from the current AES candidates (for example, Serpent uses a straight SPN structure [1]). Viewing the basic SPN architecture as a "canonical" cryptosystem has provided a useful model for study, yielding a range of analytical and experimental results [6][7][17]. In this paper we conside...

14 | The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
- Heys, Tavares
- 1994
Citation Context: ...ox (s-box), i.e., a bijective function mapping $\{0,1\}^n \to \{0,1\}^n$. This is followed by a permutation stage, originally a bit-wise permutation, but more generally an invertible linear transformation [5][7]. The permutation stage is usually omitted from the last round. An example of an SPN with N = 16, M = n = 4, and R = 3 is shown in Figure 1. Incorporation of key bits typically involves the derivat...

11 | Resistance of Balanced S-Boxes to Linear and Differential
- Youssef, Tavares
- 1995
Citation Context: ...duct of the Piling-up Lemma (see (6)). In this section, in keeping with the above observation, we derive information about the distribution of values of $B_R^R$. We begin with the following result [14][16]: Lemma 1. Let S be a bijective $n \times n$ s-box, $n \geq 2$, and let $\alpha, \beta \in \{0,1\}^n$, with $\alpha, \beta \neq 0$. Then the set of possible values for the bias associated with LAT[$\alpha, \beta$] is $\{\pm 2\ell / 2^n : \ell$ an ...

10 | Avalanche Characteristics of Substitution-Permutation Encryption Networks
- Heys, Tavares
- 1995
Citation Context: ...nt uses a straight SPN structure [1]). Viewing the basic SPN architecture as a "canonical" cryptosystem has provided a useful model for study, yielding a range of analytical and experimental results [6][7][17]. In this paper we consider the linear cryptanalysis of SPN's, developing a model which allows us to bound the probability that a linear attack based on linear characteristics will succeed. The...

5 | Towards provable security of substitution-permutation encryption networks
- Chen, Tavares
- 1999
Citation Context: ...racteristic $\Omega \in L_R$, is small for $R \geq 12$ (computed over all SPN's, as per our model). This evidence of resistance to linear cryptanalysis is especially interesting when compared to a result of Chen [3], who showed that under certain assumptions about the XOR tables of the s-boxes, the same 64-bit SPN is also resistant to differential cryptanalysis for $R \geq 12$. 7 Conclusion In this paper we have presen...

5 | Properties of linear approximation tables, Fast Software Encryption
- O’Connor
- 1995
Citation Context: ... product of the Piling-up Lemma (see (6)). In this section, in keeping with the above observation, we derive information about the distribution of values of $B_R^R$. We begin with the following result [14][16]: Lemma 1. Let S be a bijective $n \times n$ s-box, $n \geq 2$, and let $\alpha, \beta \in \{0,1\}^n$, with $\alpha, \beta \neq 0$. Then the set of possible values for the bias associated with LAT[$\alpha, \beta$] is $\{\pm 2\ell / 2^n : \ell$...

3 | Analysis and design of block ciphers
- Youssef
- 1997
Citation Context: ...s a straight SPN structure [1]). Viewing the basic SPN architecture as a "canonical" cryptosystem has provided a useful model for study, yielding a range of analytical and experimental results [6][7][17]. In this paper we consider the linear cryptanalysis of SPN's, developing a model which allows us to bound the probability that a linear attack based on linear characteristics will succeed. The result...