## Linear cryptanalysis of substitution-permutation networks (2003)

Citations: 6 (3 self-citations)

### BibTeX

```bibtex
@TECHREPORT{Keliher03linearcryptanalysis,
  author      = {Liam Keliher},
  title       = {Linear cryptanalysis of substitution-permutation networks},
  institution = {},
  year        = {2003}
}
```

### Abstract

The subject of this thesis is linear cryptanalysis of substitution-permutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the s-boxes are selected independently and uniformly from the set of all bijective $n \times n$ s-boxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected s-boxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
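The quantity the abstract builds on, the linear probability of an s-box and its expectation over randomly chosen bijective s-boxes, is small enough to compute directly. The following Python block is an added example and not code from the thesis. It computes LP(a, b) for a 4 x 4 s-box (the PRESENT s-box is used purely as a sample table; the thesis does not refer to it), checks the Parseval identity that forces the average LP over nonzero masks to equal 1/(2^n - 1) for every bijective s-box, and estimates by Monte Carlo the expected LP of a uniformly random bijective s-box, which is the value the abstract's random-s-box analysis starts from. Function names, the sample s-box and the sampling sizes are this example's own choices.

```python
"""Linear probability of an s-box, and the expected LP of a random bijective s-box.

Added example (not code from the thesis).  For an n x n s-box S and masks a, b,
    LP(a, b) = (2 * Pr_x[a.x = b.S(x)] - 1)^2,
where "." is the GF(2) inner product.  For a uniformly random bijective s-box
and nonzero masks, E[LP(a, b)] = 1/(2^n - 1); the fixed-s-box identity behind
that value is sum_b LP(a, b) = 1 for every bijective S and every a != 0.
"""
import random


def parity(v):
    """Parity of v; parity(a & x) is the GF(2) inner product a.x."""
    return bin(v).count("1") & 1


def lp(sbox, a, b):
    """LP(a, b) of an s-box given as a lookup table of length 2^n."""
    size = len(sbox)
    agree = sum(1 for x in range(size)
                if parity(a & x) == parity(b & sbox[x]))
    return (2.0 * agree / size - 1.0) ** 2


def lp_table(sbox):
    size = len(sbox)
    return [[lp(sbox, a, b) for b in range(size)] for a in range(size)]


def row_sums(sbox):
    """sum_b LP(a, b) for each input mask a (Parseval: exactly 1 for every a)."""
    return [sum(row) for row in lp_table(sbox)]


def mean_nonzero_lp(sbox):
    """Mean of LP(a, b) over nonzero a and b.  Because LP(a, 0) = 0 for a != 0
    and every row sums to 1, this equals 1/(2^n - 1) for any bijective s-box."""
    size = len(sbox)
    table = lp_table(sbox)
    total = sum(table[a][b] for a in range(1, size) for b in range(1, size))
    return total / (size - 1) ** 2


def max_nonzero_lp(sbox):
    """Largest LP over nonzero masks: the value a one-s-box linear
    characteristic is built from."""
    size = len(sbox)
    table = lp_table(sbox)
    return max(table[a][b] for a in range(1, size) for b in range(1, size))


def expected_lp_random_sbox(n, a, b, trials, seed=1):
    """Monte Carlo estimate of E[LP(a, b)] over uniformly random bijective
    n x n s-boxes, i.e. random permutations of 0..2^n-1 (seeded, repeatable)."""
    rng = random.Random(seed)
    sbox = list(range(1 << n))
    total = 0.0
    for _ in range(trials):
        rng.shuffle(sbox)          # each shuffle is a fresh uniform permutation
        total += lp(sbox, a, b)
    return total / trials


# Sample 4 x 4 s-box (the PRESENT s-box); any bijective table would do.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


if __name__ == "__main__":
    print("PRESENT s-box: max LP over nonzero masks  =", max_nonzero_lp(PRESENT_SBOX))
    print("PRESENT s-box: mean LP over nonzero masks =", mean_nonzero_lp(PRESENT_SBOX),
          "(1/15 =", 1 / 15, ")")
    for n, trials in ((4, 2000), (8, 400)):
        est = expected_lp_random_sbox(n, a=1, b=1, trials=trials)
        print(f"random bijective {n}x{n} s-box: E[LP(1,1)] ~ {est:.5f}, "
              f"1/(2^n - 1) = {1 / ((1 << n) - 1):.5f}")
```

The s-box LP values are the inputs to everything that follows in the thesis: the LP of an SPN round with parallel s-boxes is the product of the active s-boxes' LP values, and the 1/(2^n - 1) expectation is what makes the random-s-box analysis in the abstract tractable, since it does not depend on which bijection was drawn.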

### Citations

Each entry gives the number of citing documents recorded for the reference, the reference itself, and the passage of the thesis in which it is cited; bracketed numbers are the thesis's own bibliography entries.

3072 | New Directions in Cryptography - Diffie, Hellman - 1976

2811 | Handbook of Applied Cryptography - Menezes, van Oorschot, et al. - 1996
Context: ...nicating parties. (Section 2.1.1, Information Security Services) Cryptography is the study of mathematical techniques used to provide information security services [81, 111]. A large number of information security services can be identified, but the following four are widely considered to be foundational. 1. Secrecy (also called privacy or confidentiality): the assurance ...

891 | Communication theory of secrecy systems - Shannon - 1949
Context: ... plaintexts, $x_1, x_2, \ldots, x_{i-1}$ [112]. (Section 2.4, Block Cipher Architectures) Modern block ciphers can trace their roots to a landmark paper by Claude Shannon [107] in which the principles of confusion and diffusion were outlined. Confusion is the obscuring of the relationship between the plaintext and the ciphertext. Diffusion involves "spreading out" patterns ...

820 | Introduction to Algorithms, Second Edition - Cormen, Leiserson, et al. - 2001
Context: ... of the SPN. In Section 7.1.1 we show that it is feasible to compute these values for the AES. (Footnote 2) Here we assume the use of a comparison sort, for which a complexity lower bound of $\Omega(n \log n)$ is known [22] ($n$ is the number of elements being sorted). (Section 6.4, The KMT1 Algorithm) As stated earlier, in order to complete the descriptions of the KMT1 and KMT2 ...

758 | Cryptography: Theory and Practice - Stinson - 2005
Context: ...is information. Public-key ciphers provide an elegant solution to the key distribution problem. However, public-key ciphers are typically much slower than symmetric-key ciphers (e.g., 1/1000 the speed [112]), and in many cases require much longer keys to achieve the same level of security (an issue in bandwidth-limited environments). As a result, hybrid techniques incorporating symmetric-key and public-...

717 | Cryptography and Network Security: Principles and Practice, 2nd ed. - Stallings - 1999
Context: the same passage as for the Handbook of Applied Cryptography above ([81, 111]).

584 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991
Context: ...n the remainder of this thesis we focus on linear cryptanalysis of SPNs. (Section 2.7.3, Differential Cryptanalysis) Differential cryptanalysis is a chosen-plaintext attack presented by Biham and Shamir in 1990 [11, 12, 13, 14]. (A differential-like attack was also published by Murphy in 1990, and applied to FEAL [84].) Differential cryptanalysis was the first attack able to break DES faster than exhaustive key search, with...

481 | Linear cryptanalysis method for DES cipher - Matsui
Context: ...riticism [27]). The publication of DES marked the beginning of the widespread study of block ciphers. Many cryptanalytic attacks have been developed in the context of trying to find weaknesses in DES [14, 66, 71, 74, 113]. In addition, many DES-like block ciphers have since been proposed and studied [2, 18, 64, 108]. (Section 2.5.2, The Advanced Encryption Standard (AES)) In September 1997, NIST began a process to select a repla...

380 | Differential Cryptanalysis of the Data Encryption Standard - Biham, Shamir - 1993
Context: the same passage as for Matsui's "Linear cryptanalysis method for DES cipher" above ([14, 66, 71, 74, 113]).

184 | Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish) - Schneier - 1994
Context: ...are randomly selected is relevant in light of the fact that several block ciphers with pseudorandomly generated (key-dependent) s-boxes have been proposed and analyzed, including Khufu [82], Blowfish [102], and Twofish [105]. Some researchers argue for the advantage of this approach, based on the fact that randomly selected s-boxes of sufficient size (e.g., $8 \times 8$) possess good ...

180 | New Types of Cryptanalytic Attacks Using Related Keys - Biham - 1994
Context: ...apters. However, it is worth noting that a poorly designed key-scheduling algorithm may introduce significant weaknesses into a cipher, opening the door for certain attacks (e.g., related-key attacks [9]). Many cipher designers build cryptographically strong key-scheduling algorithms by incorporating features of the cipher itself; this approach is used by the AES [25], Camellia [6], Twofish [105], and...

165 | A proposal for a new block encryption standard - Lai, Massey - 1991
Context: ...of ciphers that do not adhere to either structure. However, most retain the basic concept of constructing a cipher from repeated rounds. We mention a couple of examples here. In the block cipher IDEA [69, 70], which has a 64-bit block size and consists of 8 rounds, the round input is split into four 16-bit words, and these are combined with each other and wit...

149 | Differentially uniform mappings for cryptography - Nyberg - 1994
Context: ... our attack on the Q cipher in Section 7.2), or at least to predictability of behavior that may be exploited in the future. Much research has been devoted to individual properties of Boolean mappings [17, 20, 83, 88, 89, 93, 94, 115], as well as to interrelationships among these properties (good surveys are given in [80, 92, 106]). As this subject is vast, we limit our consideration to a small number of properties here (those tha...

148 | Cryptography and computer privacy - Feistel - 1973
Context: ...ed that confusion and diffusion could be achieved through the use of substitution and linear transformation, respectively. The two main block cipher architectures, substitution-permutation networks [28] and Feistel networks [29], both use substitution and linear transformation to implement Shannon's principles. Both also are examples of product ciphers, ciphers that are constructed by composing two o...

146 | Practical Cryptography - Ferguson, Schneier - 2003
Context: ...ould require a key of astronomical length (approximately $N \times 2^N$ bits) [81]. However, the true random cipher is important theoretically, and is generally considered to be the ideal block cipher model [31]. (Section 2.5, Block Cipher Standards) In the history of modern block ciphers, standardization initiatives by governments and by various national and international bodies have played a significant role. We brie...

144 | The First Experimental Cryptanalysis of the Data Encryption Standard - Matsui
Context: ...ntext attack (ciphertext-only in certain cases) that is considered to be one of the most powerful attacks on block ciphers. Linear cryptanalysis was the first attack actually implemented to break DES [76]: Matsui carried out this experimental break using $2^{43}$ known ⟨plaintext, ciphertext⟩ pairs and time complexity $2^{30}$. A precursor to linear cryptanalysis was introduced in 1992 by Matsui and Yamagishi...

134 | The Block Cipher Square - Daemen, Knudsen, et al. - 1997
Context: ...ists of the parallel application of four 32-bit invertible linear transformations, $\theta = (\theta_1, \theta_2, \theta_3, \theta_4)$, with the condition that each $\theta_i$ is maximally diffusive (see Remark 3.3.12). The ciphers Square [24] and CRYPTON [72] are examples of AES-like SPNs. (Section 2.5.3, The NESSIE Project) NESSIE was a three-year project within the European Commission's Information So...

129 | Nonlinearity Criteria for Cryptographic Functions - Meier, Staffelbach - 1990

119 | Markov ciphers and differential cryptanalysis - Lai, Massey, Murphy - 1991
Context: the same passage as for "A proposal for a new block encryption standard" above ([69, 70]).

119 | On the design of S-boxes - Webster, Tavares - 1986

117 | Tweakable block ciphers - Liskov, Rivest, Wagner - 2002
Context (the passage attached to this entry cites [100], which the thesis uses for RC6): ... from different algebraic groups. IDEA has been extensively analyzed and widely implemented [104]; it appears that this mixing of algebraic groups is a good source of security. The block cipher RC6 [100] has a 128-bit block size and consists of 20 rounds. RC6 can essentially be viewed as two 64-bit Feistel networks operating in parallel, with interactions occurring in each round. RC6 makes extensive ...

95 | How to protect DES against exhaustive key search - Kilian, Rogaway - 1996
Context: ... Many cryptanalytic attacks have been developed in the context of trying to find weaknesses in DES [14, 66, 71, 74, 113]. In addition, many DES-like block ciphers have since been proposed and studied [2, 18, 64, 108]. (Section 2.5.2, The Advanced Encryption Standard (AES)) In September 1997, NIST began a process to select a replacement for DES, to be called the Advanced Encryption Standard (AES) [86]. Candidates for the AES...

82 | The Design of Rijndael: AES, the Advanced Encryption Standard - Daemen, Rijmen - 2002
Context: ...attacks (e.g., related-key attacks [9]). Many cipher designers build cryptographically strong key-scheduling algorithms by incorporating features of the cipher itself; this approach is used by the AES [25], Camellia [6], Twofish [105], and Serpent [4], among others. Unless stated otherwise, we assume the most general situation for the key, namely that $k$ is an independent key [10], a concatenation of (t...

79 | Camellia: A 128-bit block cipher suitable for multiple platforms - design and analysis - Aoki, Ichikawa, et al. - 2000
Context: the same passage as for The Design of Rijndael above ([25], [6]).

77 | Perfect nonlinear S-boxes - Nyberg - 1991
Context: the same passage as for "Differentially uniform mappings for cryptography" above ([17, 20, 83, 88, 89, 93, 94, 115]).

77 | Propagation characteristics of Boolean functions - Preneel, Van Leekwijck, et al. - 1991
Context: ...erations, respectively. This is called the algebraic normal form of $f$, and can be obtained by a simple matrix operation (the algebraic normal transform) [98]. The degree of a term in the algebraic normal form of $f$ is the number of distinct $x_i$ in the term. The degree of $f$, denoted $\deg(f)$, is the highest degree of any term with a nonzero coefficient (this i...

72 | Essential Algebraic Structure within the AES - Murphy, Robshaw
Context: ... to store and manipulate. At this time, there is no practical algorithm for solving such an equation, but the existence of such a (relatively) simple representation is significant. Murphy and Robshaw [85] prove that the AES can be embedded within a new block cipher (the BES) that consists exclusively of operations in $\mathrm{GF}(2^8)$. This allows an AES encryption to be written as a system of 5248 equations,...

70 | Linear Approximation of Block Ciphers - Nyberg - 1995
Context: ... by this method is prohibitive [65]. For certain ciphers, the approximation in (3.8) is very good; this happens to be the case for DES [46]. However, by introducing the concept of linear hulls, Nyberg [90] showed that the approximation in (3.8) can result in an overestimation of the data complexity required for a given success rate. Clearly this is advantageous for an attacker, but problematic for a cip...

66 | The Interpolation Attack on Block Ciphers - Jakobsen, Knudsen - 1997
Context: ...g certain subkey bits (these equations are greatly simplified by the low algebraic degree), and then using exhaustive search to determine the correct values of these subkey bits. Jakobsen and Knudsen [44, 45] demonstrate that ciphers that are secure against traditional differential cryptanalysis may be vulnerable to higher-order differential cryptanalysis. ...

65 | Higher order derivatives and differential cryptanalysis - Lai - 1994
Context: ...ng subkeys from the known subkey(s)). (Section 2.7.4, Higher-Order Differential Cryptanalysis) Higher-order differential cryptanalysis makes use of the concept of the derivative of a Boolean mapping, due to Lai [68]. Definition 2.7.2. Let $B : \{0,1\}^d \to \{0,1\}^d$, and let $a \in \{0,1\}^d$. The derivative of $B$ at $a$ is the mapping $\Delta_a B : \{0,1\}^d \to \{0,1\}^d$, given by $\Delta_a B(x) \stackrel{\mathrm{def}}{=} B(x \oplus a) \oplus B(x)$. The $i$th derivative ...
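The algebraic normal transform from the Preneel et al. entry and Lai's derivative from Definition 2.7.2 are short enough to implement and check together. The following Python block is an added example, not code from the thesis. The 3-bit mapping it builds, the use of the PRESENT 4 x 4 s-box as a second sample, and all function names are this example's own constructions. It computes the algebraic normal form by the Moebius transform, the degree of a mapping as the largest degree of its coordinate functions, and the derivative Δ_a B(x) = B(x ⊕ a) ⊕ B(x); it then shows the degree dropping by at least one per derivative, which is why a derivative of order deg(B) + 1 is identically zero and higher-order differential cryptanalysis applies to low-degree ciphers, the point Jakobsen and Knudsen make in the entry above.

```python
"""Algebraic normal form and Lai's derivative of a Boolean mapping.

Added example (not code from the thesis).  Implements the algebraic normal
transform (Moebius transform), the degree of a mapping B : {0,1}^d -> {0,1}^d
as the largest degree of its coordinate functions, and the derivative
    Delta_a B(x) = B(x ^ a) ^ B(x)                      (Definition 2.7.2).
Each derivative along a nonzero direction lowers the degree by at least one,
so the deg(B)-th derivative is constant and the next one is identically zero.
"""


def anf(truth_table):
    """Moebius transform of a truth table (index = input x, value in {0,1}):
    returns c with c[m] the coefficient of the monomial prod_{i in bits(m)} x_i."""
    c = list(truth_table)
    size = len(c)
    step = 1
    while step < size:
        for base in range(0, size, 2 * step):
            for i in range(base, base + step):
                c[i + step] ^= c[i]
        step <<= 1
    return c


def degree(truth_table):
    """Degree of a Boolean function; -1 for the zero function (it has no terms)."""
    coeffs = anf(truth_table)
    return max((bin(m).count("1") for m, v in enumerate(coeffs) if v), default=-1)


def coordinate(mapping, i):
    """Truth table of coordinate i of a mapping given as a lookup table."""
    return [(y >> i) & 1 for y in mapping]


def mapping_degree(mapping, d):
    return max(degree(coordinate(mapping, i)) for i in range(d))


def derivative(mapping, a):
    """Delta_a B as a lookup table (Definition 2.7.2)."""
    return [mapping[x ^ a] ^ mapping[x] for x in range(len(mapping))]


def higher_derivative(mapping, directions):
    """i-th derivative Delta_{a_i} ... Delta_{a_1} B for directions [a_1, ..., a_i]."""
    for a in directions:
        mapping = derivative(mapping, a)
    return mapping


def degree_profile(mapping, d, directions):
    """[deg B, deg Delta_{a1} B, deg Delta_{a2} Delta_{a1} B, ...]."""
    profile = [mapping_degree(mapping, d)]
    for a in directions:
        mapping = derivative(mapping, a)
        profile.append(mapping_degree(mapping, d))
    return profile


def from_polynomials(d, coords):
    """Lookup table of a d-bit mapping whose coordinate i is coords[i](bits),
    where bits[j] is bit j of the input."""
    table = []
    for x in range(1 << d):
        bits = [(x >> j) & 1 for j in range(d)]
        table.append(sum((f(bits) & 1) << i for i, f in enumerate(coords)))
    return table


# Constructed 3-bit mapping with coordinate degrees 3, 2 and 1.
DEMO = from_polynomials(3, [
    lambda b: (b[0] & b[1] & b[2]) ^ b[1],   # x0 x1 x2 + x1
    lambda b: (b[0] & b[1]) ^ b[2],          # x0 x1 + x2
    lambda b: b[0] ^ 1,                      # x0 + 1
])

# Sample 4 x 4 bijective s-box (PRESENT); every 4-bit bijection has degree <= 3.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


if __name__ == "__main__":
    print("ANF of DEMO coordinate 0 (index = monomial mask):", anf(coordinate(DEMO, 0)))
    print("DEMO degrees after derivatives along 1, 2, 4, 1:", degree_profile(DEMO, 3, [1, 2, 4, 1]))
    print("PRESENT degrees after derivatives along 1, 2, 4, 8:", degree_profile(PRESENT_SBOX, 4, [1, 2, 4, 8]))
```

Running it prints the profile 3, 2, 1, 0, -1 for the constructed mapping: three derivatives along independent directions leave a constant, a fourth leaves the zero mapping. The attack in the entry above uses exactly this: for a cipher (or a partial cipher) of low degree, the higher-order derivative of the ciphertext with respect to the plaintext is constant, independent of the key.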

63 | LOKI: A Cryptographic Primitive for Authentication and Secrecy Applications - Brown, Pieprzyk, et al. - 1990
Context: the same passage as for "How to protect DES against exhaustive key search" above ([2, 18, 64, 108]).

63 | Unbalanced Feistel networks and block cipher design - Schneier, Kelsey - 1996
Context: ...approach), only the order of the subkeys needs to be reversed. This eliminates the need to generate/store inverse components. Schneier and Kelsey introduced the concept of unbalanced Feistel networks [103], or UFNs. In a UFN, $x^r_L$ and $x^r_R$ are $s$ and $t$ bits, respectively ($s + t = N$). If the lengths of $x^r_L$ and $x^r_R$ are not equal (conventional Feistel networks are called balanced in [103]), the...

58 | Linear Cryptanalysis Using Multiple Approximations and FEAL - Kaliski Jr., Robshaw - 1995
Context: ...(Section 3.4.2, Multiple Linear Approximations) Kaliski and Robshaw investigate the use of multiple linear approximations to improve the success rate of linear cryptanalysis and/or to reduce the data complexity [48, 49]. The basic idea is to use multiple pairs of ⟨input, output⟩ masks for the $T$ rounds being approximated, $\langle a_1, b_1\rangle, \langle a_2, b_2\rangle, \langle a_3, b_3\rangle, \ldots$, such that each pair $\langle a_i, b_i\rangle$ attacks the same effective ...

56 | Data Encryption Standard (DES), Federal Information Processing Standards Publication 46-3 - NIST - 1999
Context: ...a block cipher called Lucifer [110], developed by IBM in the late 1960s and early 1970s. On January 15, 1977, the NBS published a modified version of Lucifer called the Data Encryption Standard (DES) [32]. DES is a 16-round Feistel network with a 64-bit block size and a 56-bit key (from the beginning, the small key size was a source of criticism [27]). The publication of DES marked the beginning of th...

55 | Structured Design of Substitution-Permutation Encryption Networks - Kam, Davida - 1979
Context (from the thesis's list of figures): ... (Algorithm 2); Figure 4.1, Distribution of LP values for random bijective $8 \times 8$ s-box; Figure 4.2, SPN with $M = n = 4$ ($N = 16$), $R = 3$, and the permutation of Kam and Davida [50]; Figure 4.3, $\mathrm{E}_{\mathrm{SPN}}\big[\mathrm{ELP}^{[1 \ldots T]}(a, b)\big]$ for $M = n = 4$ and $a = \mathrm{D000}$ (hex), $b = \mathrm{0050}$ (hex) ...

47 | Exhaustive Cryptanalysis of the NBS Data Encryption Standard - Diffie, Hellman - 1977
Context: ...f Lucifer called the Data Encryption Standard (DES) [32]. DES is a 16-round Feistel network with a 64-bit block size and a 56-bit key (from the beginning, the small key size was a source of criticism [27]). The publication of DES marked the beginning of the widespread study of block ciphers. Many cryptanalytic attacks have been developed in the context of trying to find weaknesses in DES [14, 66, 71, ...

46 | A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma - Harpes, Kramer, et al. - 1995
Context: ... that for almost all values of $\tilde{k}$, $\mathrm{LP}^{[1 \ldots T]}(a, b; \tilde{k}) \approx \mathrm{ELP}^{[1 \ldots T]}(a, b)$ (3.4). Harpes et al. call this the Hypothesis of Fixed-Key Equivalence, and present an argument for its effectiveness [36]. The data complexity of Algorithm 2 in (3.2) is now taken to be $N_L = c / \mathrm{ELP}^{[1 \ldots T]}(a, b)$ (3.5). For the purpose of this thesis, we will adopt the assumption in (3.4). In Section 8.2 a closer exami...

46 | Fast Data Encipherment Algorithm FEAL - Shimizu, Miyaguchi - 1988
Context: the same passage as for "How to protect DES against exhaustive key search" above ([2, 18, 64, 108]).

44 | On Matsui's Linear Cryptanalysis - Biham - 1995
Context: ...ach is used by the AES [25], Camellia [6], Twofish [105], and Serpent [4], among others. Unless stated otherwise, we assume the most general situation for the key, namely that $k$ is an independent key [10], a concatenation of (the appropriate number of) subkeys chosen independently from the uniform distribution on $\{0, 1\}^N$. This assumption has the advantage of simplifying many kinds of analysis. It ge...

44 | Fast Software Encryption Functions - Merkle - 1990
Context: the same passage as for the Blowfish paper above ([82], [102], [105]).

40 | Differential-linear cryptanalysis - Langford, Hellman - 1994

39 | On correlation between the order of S-boxes and the strength of DES - Matsui - 1995
Context: ...lly runs a straightforward search algorithm to find the $T$-round characteristic $\hat{\Omega}$ for which $\mathrm{ELCP}(\hat{\Omega})$ is maximal; such a characteristic (not necessarily unique) is called the best characteristic [75]. If $\hat{\Omega} = \langle a^1, a^2, \ldots, a^T, a^{T+1} \rangle$, and if the input and output masks used in Algorithm 2 are taken to be $a = a^1$ and $b = a^{T+1}$, respectively, then the value $\mathrm{ELP}^{[1 \ldots T]}(a, b)$, which ...
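Three of the passages above describe the same computation from different angles: Nyberg's linear hull [90], under which the expected linear probability ELP is a sum over all characteristics rather than the value of the best one; the Hypothesis of Fixed-Key Equivalence (3.4) with the resulting data complexity N_L = c / ELP in (3.5); and the best characteristic [75]. The following Python block is an added example and not code from the thesis. The cipher it builds is constructed for the illustration: an 8-bit block, two copies of the PRESENT 4-bit s-box (chosen only as a sample s-box), a PRESENT-style bit permutation scaled down to 8 bits, and independent uniform round keys XORed before each s-box layer and after the last round; all function names are this example's own. It computes ELP^[1..T](a, b) exactly as the sum over every chain of intermediate masks of the product of per-round LP values (exact for independent round keys), the best-characteristic value ELCP as the maximum over the same chains, and the fixed-key LP^[1..T](a, b; k) by exhaustive encryption, averaged over random keys.

```python
"""Linear hulls, best characteristics and fixed-key LP on a toy SPN.

Added example (not code from the thesis).  Constructed cipher: 8-bit block, two
parallel 4-bit s-boxes (the PRESENT s-box as a sample), a bit permutation, and
independent uniform round keys XORed before each s-box layer and after the last
round.  ELP^[1..T](a, b) is the sum over all chains of intermediate masks of the
product of one-round LP values (the linear hull, exact for independent round
keys); ELCP of the best characteristic is the max over the same chains;
LP^[1..T](a, b; k) is computed by exhaustive encryption under a fixed key k.
"""
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK = 256                                   # N = 8 bits, M = 2 s-boxes
PERM = [(2 * i) % 7 for i in range(7)] + [7]  # s-box output bit i -> bit PERM[i]

def parity(v):
    return bin(v).count("1") & 1

def sbox_lp(a, b):
    agree = sum(1 for x in range(16) if parity(a & x) == parity(b & SBOX[x]))
    return (2.0 * agree / 16 - 1.0) ** 2

LP_S = [[sbox_lp(a, b) for b in range(16)] for a in range(16)]

def sub_layer(x):
    return SBOX[x & 0xF] | (SBOX[x >> 4] << 4)

def permute(x):
    y = 0
    for i in range(8):
        if (x >> i) & 1:
            y |= 1 << PERM[i]
    return y

def mask_before_perm(b):
    """Mask b after the permutation equals mask c before it with c_i = b_{PERM[i]}."""
    c = 0
    for i in range(8):
        if (b >> PERM[i]) & 1:
            c |= 1 << i
    return c

def encrypt(p, keys):
    """keys: T round keys followed by one final whitening key."""
    x = p
    for k in keys[:-1]:
        x = permute(sub_layer(x ^ k))
    return x ^ keys[-1]

def round_lp(a, b):
    """One-round LP: key XOR is mask-transparent, s-boxes act on disjoint nibbles."""
    c = mask_before_perm(b)
    return LP_S[a & 0xF][c & 0xF] * LP_S[a >> 4][c >> 4]

ROUND_LP = [[round_lp(a, b) for b in range(BLOCK)] for a in range(BLOCK)]

def _propagate(a, rounds, combine):
    """Push mask a through T rounds, merging chains that meet at the same mask
    with combine: sum gives the linear hull, max the best single characteristic."""
    v = [0.0] * BLOCK
    v[a] = 1.0
    for _ in range(rounds):
        w = [0.0] * BLOCK
        for c in range(BLOCK):
            if v[c]:
                for b, r in enumerate(ROUND_LP[c]):
                    if r:
                        w[b] = combine(w[b], v[c] * r)
        v = w
    return v

def hull_elp(a, rounds):
    return _propagate(a, rounds, lambda acc, term: acc + term)

def best_characteristic(a, rounds):
    return _propagate(a, rounds, max)

def fixed_key_lp(a, b, keys):
    agree = sum(1 for p in range(BLOCK) if parity(a & p) == parity(b & encrypt(p, keys)))
    return (2.0 * agree / BLOCK - 1.0) ** 2

def average_fixed_key_lp(a, b, rounds, trials, seed=7):
    rng = random.Random(seed)
    keys = [[rng.randrange(BLOCK) for _ in range(rounds + 1)] for _ in range(trials)]
    return sum(fixed_key_lp(a, b, k) for k in keys) / trials

def summarize(a, rounds):
    elp, elcp = hull_elp(a, rounds), best_characteristic(a, rounds)
    b = max(range(1, BLOCK), key=lambda m: elp[m])   # output mask with largest ELP
    return {"b": b, "elp": elp[b], "elcp": elcp[b], "hull_gain": elp[b] / elcp[b]}

if __name__ == "__main__":
    a, rounds = 0x0B, 3
    s = summarize(a, rounds)
    print(f"a = {a:#04x}, T = {rounds}, best b = {s['b']:#04x}")
    print(f"  ELP (hull) = {s['elp']:.6f}  ELCP (best char.) = {s['elcp']:.6f}  ratio = {s['hull_gain']:.2f}")
    print(f"  1/ELP = {1 / s['elp']:.1f}  vs  1/ELCP = {1 / s['elcp']:.1f}  (data complexity is c times these)")
    print(f"  mean fixed-key LP over 300 keys = {average_fixed_key_lp(a, s['b'], rounds, 300):.6f}")
```

Run as a script it prints, for a = 0x0B over three rounds, the hull value, the best-characteristic value and their ratio; that ratio is the factor by which a characteristic-only estimate overstates the data complexity c / ELP of (3.5) (c itself is left unspecified here). The last line is the average of the per-key values over random keys, which the Hypothesis of Fixed-Key Equivalence says should sit near ELP; the thesis adopts (3.4) as an assumption and revisits it in Section 8.2.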

38 | An Experiment on DES: Statistical Cryptanalysis - Vaudenay - 1996
Context: the same passage as for Matsui's "Linear cryptanalysis method for DES cipher" above ([14, 66, 71, 74, 113]).

36 | Secure Hash Standard, Federal Information Processing Standards Publication 180-1 - NIST - 1995
Context: ...istel network with a block size of 64 bits; Camellia is a Feistel network with a block size of 128 bits; SHACAL-2 has a block size of 160 bits and is based directly on the Secure Hash Algorithm (SHA) [34]. The final NESSIE portfolio was also augmented with five existing standard primitives; the single block cipher added was the AES. In Section 7.2 we describe our analysis of one of the NESSIE candidate...

34 | Provable security against a differential attack - Nyberg, Knudsen - 1995

30 | Substitution-permutation networks resistant to differential and linear cryptanalysis - Heys, Tavares - Journal of Cryptology, vol. 9, 1996
Context: ... to the AES instead of to Rijndael. Prior to the announcement of the AES, Feistel networks were generally more widely studied than SPNs, although many important results about SPNs were published [1, 7, 8, 21, 38, 39, 40, 41, 109, 117, 118]. (The two architectures, although similar, are sufficiently different that results may not translate readily from one to the other.) With the adoption of Rijndael as the AES, there has been an increa...

30 | The Twofish Encryption Algorithm: A 128-bit Block Cipher - Schneier, Kelsey, et al. - 1999

28 | Provable security against differential and linear cryptanalysis for the SPN structure - Hong, Lee, et al. - 2000
Context: the same passage as for Heys and Tavares above ([1, 7, 8, 21, 38, 39, 40, 41, 109, 117, 118]).

28 | Practically Secure Feistel Ciphers - Knudsen - 1993
Context: ...hers against linear cryptanalysis [39, 51, 75, 114]. Knudsen calls a block cipher practically secure if the data complexity determined by this method is prohibitive [65]. For certain ciphers, the approximation in (3.8) is very good; this happens to be the case for DES [46]. However, by introducing the concept of linear hulls, Nyberg [90] showed that the approximation ...

27 | A Simple Algebraic Representation of Rijndael - Ferguson, Schroeppel, et al. - 2001
Context: ...ffine mapping), and the 32-bit linear transformation inside the 128-bit AES linear transformation (Figure 2.6) consists of multiplication by a $4 \times 4$ matrix of elements from $\mathrm{GF}(2^8)$. Ferguson et al. [30] show that any AES ciphertext byte can be written as an equation involving plaintext and key bytes with the operations addition, multiplication, and inversion in $\mathrm{GF}(2^8)$. This equation contains appr...