10 citations found.
H. Heys, S. Tavares, Substitution-Permutation Network Resistant to Differential and Linear Cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp.1-19, 1996


This paper is cited in the following contexts:
A Revised Version of CRYPTON - CRYPTON V1.0 - Lim (1999)   (3 citations)

....characteristics up to 8 rounds since that will be sufficient to show the resistance of CRYPTON to differential cryptanalysis. First note that the probability of any characteristic in CRYPTON can be completely determined by the number of active S-boxes and their char. probabilities (e.g. see [10]). Since the number of active S-boxes involved in any 8-round characteristic is at least 32, we can obtain the most rough upper bound for the best 8-round char. probability as $p_{C_8} = p_d^{32} = 2^{-149.7}$ under the assumption of independent and uniform distribution for plaintexts and round ....

H.M.Heys and S.E.Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, J. Cryptology, 9(1), 1996, pp.1-19.


Specification and Analysis of CRYPTON Version 1.0 - Lim (1998)

....as fE e [3] E e [2] E e [1] E e [0]g fE e [0] b 6 ; E e [3] b 6 ; E e [2] 16 ; E e [1] 24 g and compute the round keys for round r as K e [4r i] E e [i] Phi C e [r] Phi MC i for 0 i 3. 2 2. for odd rounds, update the second 4 expanded keys as fE e [7] E e [6] E e [5]; E e [4]g fE e [6] 16 ; E e [5] 8 ; E e [4] b 2 ; E e [7] b 2 g and compute the round keys for round r as K e [4r i] E e [i 4] Phi C e [r] Phi MC i for 0 i 3. 2.3.3 Generating decryption round keys For efficient decryption key schedule, we first observe that the ....

....[0]g fE e [0] b 6 ; E e [3] b 6 ; E e [2] 16 ; E e [1] 24 g and compute the round keys for round r as K e [4r i] E e [i] Phi C e [r] Phi MC i for 0 i 3. 2 2. for odd rounds, update the second 4 expanded keys as fE e [7] E e [6] E e [5] E e [4]g fE e [6] 16 ; E e [5] 8 ; E e [4] b 2 ; E e [7] b 2 g and compute the round keys for round r as K e [4r i] E e [i 4] Phi C e [r] Phi MC i for 0 i 3. 2.3.3 Generating decryption round keys For efficient decryption key schedule, we first observe that the transformations OE o = ffi o ffi ....

[Article contains additional citation context not shown here]

H.M.Heys and S.E.Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, J. Cryptology, 9(1), 1996, pp.1-19.


CRYPTON: A New 128-bit Block Cipher - Specification and Analysis - Lim (1998)   (1 citation)

....DWORD is used in C source code). A number is usually represented in hexadecimal (with prefix 0x). • We follow the little endian convention for byte ordering in char string word conversion. That is, the first character is always placed in the least significant position. • We write $A = (A[3], A[2], A[1], A[0])^t$ when the data variable A represent a $4 \times 4$ byte array, where $A[i]$ ($0 \le i \le 3$) is a 4-byte word represented by $A[i] = a_{i3} \| a_{i2} \| a_{i1} \| a_{i0}$. Here $\|$ denote concatenation of two bit strings and the superscript $t$ in a vector or array denotes transposition. • ....

....rounds. • S-box transformation $\gamma_o$ for odd rounds (i.e. rounds 1, 3, etc.): $B = \gamma_o(A)$ defined by $B[0] = S_1(a_{03}) \| S_0(a_{02}) \| S_1(a_{01}) \| S_0(a_{00})$, $B[1] = S_0(a_{13}) \| S_1(a_{12}) \| S_0(a_{11}) \| S_1(a_{10})$, $B[2] = S_1(a_{23}) \| S_0(a_{22}) \| S_1(a_{21}) \| S_0(a_{20})$, $B[3] = S_0(a_{33}) \| S_1(a_{32}) \| S_0(a_{31}) \| S_1(a_{30})$. • S-box transformation $\gamma_e$ for even rounds (i.e. rounds 2, 4, etc.): $B = \gamma_e(A)$ defined by $B[0] = S_0(a_{03}) \| S_1(a_{02}) \| S_0(a_{01}) \| S_1(a_{00})$, $B[1] = S_1(a_{13}) \| S_0(a_{12}) \| S_1(a_{11}) \| S_0(a_{10})$, $B[2] = S_0(a$ ....

[Article contains additional citation context not shown here]

H.M.Heys and S.E.Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, J. Cryptology, 9(1), 1996, pp.1-19.


Provable security for block Ciphers by decorrelation - Vaudenay (1998)   (10 citations)

....we can study how to make internal computation boxes resistant against both attacks. [Footnote 1: So far, the best known attack was an improvement of exhaustive search which requires on average $2^{54}$ DES computations.] This can be used in a heuristic way by usual active s-boxes counting tricks (e.g. see [13, 15]). This has also been used to provide provable security against both attacks by Nyberg and Knudsen [27] but in an unsatisfactory way which introduce some algebraic properties which lead to other attacks as shown by Jakobsen and Knudsen [16]. In this presentation, we introduce a new way to protect ....

H. M. Heys, S. E. Tavares. Substitution-Permutation Networks resistant to differential and linear cryptanalysis. Journal of Cryptology, vol. 9, pp. 1--19, 1996.


New Method for Upper Bounding the Maximum Average Linear .. - Keliher, Meijer, Tavares (2001)   (5 citations)  Self-citation (Tavares)

.... be $a = a^1$ and $b = b^T$, respectively, then $ET[a, b]$ used to determine $N_L = c / ET[a, b]$ is approximated by $ET[a, b] \approx LCP(\Omega)$ (8). 5 Provable Security Against Linear Cryptanalysis. The approximation in (8) has been widely used to evaluate the security of block ciphers against LC [8]. Knudsen calls a block cipher practically secure if the data complexity determined by this method is prohibitive [10]. However, in 1994 Nyberg demonstrated that this approach underestimates the success of LC [14]. We state Nyberg's results in the context of SPNs. 5.1 Approximate Linear Hulls ....

H.M. Heys and S.E. Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp. 1--19, 1996.


Improving the Upper Bound on the Maximum Average Linear.. - Keliher, Meijer, Tavares (2001)   (3 citations)  Self-citation (Tavares)

....success rate). This is after completing 43 of the computation; however, we believe that values have stabilized see Section 7. Keywords: linear cryptanalysis, maximum average linear hull probability, provable security, Rijndael, AES. 1 Introduction. The substitution-permutation network (SPN) [9, 1, 12] is a fundamental block cipher architecture based on Shannon's principles of confusion and diffusion [22]. These principles are implemented through substitution and linear transformation (LT), respectively. Recently, SPNs have been the focus of increased attention. This is due in part to the ....

.... and output masks used in Algorithm 2 are taken to be $a = a^1$ and $b = a^{T+1}$, respectively, then $ELP^T(a, b)$ used to determine $N_L$ in (3) is approximated by $ELP^T(a, b) \approx ELCP(\Omega)$ (4). The approximation in (4) has been widely used to evaluate the security of block ciphers against LC [12, 14]. Knudsen calls a block cipher practically secure if the data complexity determined by this method is prohibitive [16]. However, by introducing the concept of linear hulls, Nyberg demonstrated that the above approach can underestimate the success of LC [21]. 4.5 Linear Hulls. Definition 3 (Nyberg) ....

H.M. Heys and S.E. Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp. 1--19, 1996.


Modeling Linear Characteristics of.. - Keliher, Meijer, Tavares (2000)   Self-citation (Tavares)

.... of many modern block ciphers, as can be seen from the current AES candidates (for example, Serpent uses a straight SPN structure [1]). Viewing the basic SPN architecture as a canonical cryptosystem has provided a useful model for study, yielding a range of analytical and experimental results [6][7][17]. In this paper we consider the linear cryptanalysis of SPNs, developing a model which allows us to bound the probability that a linear attack based on linear characteristics will succeed. The result is of interest because, in practice, linear cryptanalysis often relies on carefully chosen ....

....viewed as M n-bit subblocks, each of which is fed into a bijective $n \times n$ substitution box (s-box), i.e. a bijective function mapping $\{0,1\}^n \to \{0,1\}^n$. This is followed by a permutation stage, originally a bit-wise permutation, but more generally an invertible linear transformation [5][7]. The permutation stage is usually omitted from the last round. An example of an SPN with N = 16, M = n = 4, and R = 3 is shown in Figure 1. Incorporation of key bits typically involves the derivation [Figure 1 labels: round 1, round 2, round 3, plaintext, ciphertext, s-boxes] Fig. 1. Example SPN with N = 16, M = n = 4, ....

[Article contains additional citation context not shown here]

H.M. Heys and S.E. Tavares, Substitution-permutation networks resistant to differential and linear cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp. 1--19, 1996.


A Tutorial on Linear and Differential Cryptanalysis - Heys   Self-citation (Heys)

....somewhat realistic) cipher structure to study the most basic concepts of the two attacks. Other more formal discussions exist on the topic. For example, overviews of the attacks as applied to Substitution-Permutation Networks (the cipher structured to be considered in this paper) are presented in [8] and [9]. For a general introduction to block ciphers and their analysis, see [10]. The need for a tutorial on the attacks arises from the very difficult nature of both attacks and the lack of simplified, yet detailed, reference material describing the attacks. Conventional cryptographic ....

....of linear and differential cryptanalysis to ciphers proposed before the existence of the attacks was known. As well, many techniques in cipher design have been proposed to make the application of the attacks difficult, focusing on the constructions of cipher components such as S-boxes [25][8] and the interconnection between layers of S-boxes [8][26][27]. As a result, the attacks and their extensions are now very well understood and proposals such as Rijndael [7] have been especially constructed with security against the attacks in mind. Finally, we note that our presentation of the ....

[Article contains additional citation context not shown here]

H.M. Heys and S.E. Tavares, "Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis", Journal of Cryptology, vol. 9, no.1, pp. 1-19, 1996.


Hermes8 : A Low-Complexity Low-Power Stream Cipher Ulrich.. - Kaiser Ti Com (2006)

No context found.

H. Heys, S. Tavares, Substitution-Permutation Network Resistant to Differential and Linear Cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp.1-19, 1996


A. Cover Sheet - Name Of Submitted

No context found.

H. Heys, S. Tavares, Substitution-Permutation Network Resistant to Differential and Linear Cryptanalysis, Journal of Cryptology, Vol. 9, No. 1, pp.1-19, 1996
