## Provable Security Against a Differential Attack (1995)

Venue: | Journal of Cryptology |

Citations: | 33 - 2 self |

### BibTeX

@ARTICLE{Nyberg95provablesecurity,

author = {Kaisa Nyberg and Lars Ramkilde Knudsen},

title = {Provable Security Against a Differential Attack},

journal = {Journal of Cryptology},

year = {1995},

volume = {8},

pages = {27--37}

}

### Years of Citing Articles

### OpenURL

### Abstract

. The purpose of this paper is to show that there exist DESlike iterated ciphers, which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in [4] and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2 3\Gamman , where n is the length of the plaintext block. We also show a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks. Key words. DES-like ciphers, Differential cryptanalysis, Almost perfect nonlinear permutations, Markov Ciphers. 1 Introduction A DES-like cipher is a block cipher based on iterating a function, called F, several times. Each iteration is called a round. The input to each rou...

### Citations

502 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...(modulo 2) to the left half of the input and the two halves are swapped except for the last round. The plaintext is the input to the first round and the ciphertext is the output of the last round. In =-=[1]-=- E. Biham and A. Shamir introduced differential cryptanalysis of DESlike ciphers. In their attacks they make use of characteristics, which describe the behaviour of input and output differences for so... |

138 |
Differentially Uniform Mappings for Cryptography
- Nyberg
- 1994
(Show Context)
Citation Context ... suggest at least six rounds for the block cipher. All round keys should be independent, therefore we need at least 198 key bits. More examples of permutations f for which pmax is low can be found in =-=[9]-=-. The examples include the inverses of x 7! x 2 k +1 and the mappings x 7! x \Gamma1 , whose coordinate functions are of higher nonlinear order than quadratic. 6 Acknowledgements We would like to than... |

118 |
Nonlinearity criteria for cryptographic functions
- Meier, Staffelbach
- 1990
(Show Context)
Citation Context ...is 2 \Gamman . Mappings attaining this lower bound were investigated in [7], where they are called perfect nonlinear generalizing the definition of perfect nonlinearity given for Boolean functions in =-=[6]-=-. It was shown in [7] that perfect nonlinear mappings from GF (2) m ! GF (2) n only exist for m even and ms2n. Hence they can be adapted for use in DES-like ciphers only with expansion mappings that d... |

114 | Markov ciphers and differential cryptanalysis
- Lai, Massey, et al.
- 1991
(Show Context)
Citation Context ...ferential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound to the probability of s-round differentials, as defined in =-=[4]-=- and this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to... |

113 |
Finite fields, Encyclopedia of mathematics and its applications
- Lidl, Niederreiter
- 1983
(Show Context)
Citation Context ...the values. We shall call the permutations with p f = 2 1\Gamman almost perfect nonlinear. The purpose of this section is to show that such permutations exist. For unexplained terminology we refer to =-=[5]-=-. Let m = nd, where n is odd. In [8] permutations f of GF (2 m ) = GF (2 d ) n were constructed to satisfy the following property: (P) Every nonzero linear combination of the components of f is a nond... |

90 | Differential Cryptanalysis of the full 16-round DES
- Biham, Shamir
(Show Context)
Citation Context ... two 32-bit halves L and R. The plaintext expansion is an affine mapping E : GF (2) 32 ! GF (2) 33 : Each round take a 32 bit input and a 33 bit key. The round function is LkR 7! RkL+ f (E(R) +K): In =-=[2]-=- E. Biham and A. Shamir introduced an improved differential attack on 16-round DES. This means, that in general for an r-round DES-like cipher the existence of an (r \Gamma 2)-round differential with ... |

83 |
Partially-Bent Functions
- Carlet
- 1993
(Show Context)
Citation Context ... quadratic form in n indeterminates over GF (2) such that rank(A +A t ) = n \Gamma 1. Then f is nondegenerate if and only if f(w) 6= 0 for the nonzero linear structures w of f (see also Lemma 4.1. in =-=[3]-=-). Proof: Let '(x 1 ; : : : ; xn ) = x 1 x 2 + : : : + xn\Gamma2 xn\Gamma1 + ffi x 2 n ffi = 0 or 1, be the quadratic forms to which all quadratic forms f(x) = x t Ax with rank(A +A t ) = n \Gamma 1 a... |

39 |
On the construction of highly nonlinear permutations
- Nyberg
- 1993
(Show Context)
Citation Context ...ations with p f = 2 1\Gamman almost perfect nonlinear. The purpose of this section is to show that such permutations exist. For unexplained terminology we refer to [5]. Let m = nd, where n is odd. In =-=[8]-=- permutations f of GF (2 m ) = GF (2 d ) n were constructed to satisfy the following property: (P) Every nonzero linear combination of the components of f is a nondegenerate quadratic form x t Cx in n... |

1 |
Perfect nonlinear S-boxes. Advances in Cryptology
- Nyberg
- 1991
(Show Context)
Citation Context ...oted K + E(X) by Y . If K is uniformly distributed then so is Y . For a mapping f : GF (2) m ! GF (2) n the lower bound for p f is 2 \Gamman . Mappings attaining this lower bound were investigated in =-=[7]-=-, where they are called perfect nonlinear generalizing the definition of perfect nonlinearity given for Boolean functions in [6]. It was shown in [7] that perfect nonlinear mappings from GF (2) m ! GF... |