Jennifer Seberry and Xian-Mo Zhang and Yuliang Zheng, \Systematic Generation of Cryptographically Robust S-boxes," 1 st Conference Computer and Communication Security, VA, USA, 1993, pp. 171-182.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....; fm ) Then, not only each component function f i but also their linear combinations should satisfy cryptographic criteria. From this point of view, extensions of some cryptographic criteria of scalar output Boolean functions to vector output Boolean functions have been studied recently [3, 4, 13, 18]. For example, it is known that F is uniformly distributed if and only if all nonzero linear combinations of component functions f i are balanced [4, 11, 20] f satisfies perfect nonlinear if f(x) Phi f(x Phi ff) is balanced for any ff j = 0. F = f 1 ; fm ) satisfies perfect nonlinear ....

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of 7 the First ACM Conference on Computer and Communications Security, pp. 171--182. The Association for Computing Machinery, November 1993.

....sk Abstract. Boolean functions play an important role in cryptography. They are elementary building blocks for various cryptographic algorithms stream ciphers, block ciphers, hash functions, etc. The most common usage for Boolean functions is the construction of larger blocks substitution boxes [4, 5, 6]. Boolean functions used in these constructions ought to satisfy certain criteria in order to resist various attacks. Mutual fulfilment of several criteria makes find ing cryptographically strong Boolean functions an interesting problem. There are methods (besides others, more analytical ones) ....

J. Seberry and X.-M. Zhang and Y. Zheng. Systematic Generation of Cryptographically Robust S-boxes, The Proceedings of the First ACM Conference on Computer and Communication Security, Fairfax, USA, 1993.

....[2] are powerful cryptanalytic attacks on private key block ciphers. The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeroes in the XOR table, and the number of nonzero entries in the first column in that table [1] [3]. The complexity of linear cryptanalysis depends on the size of the largest entry in the linear approximation table (LAT) 2] One way to reduce the size of the largest entry in the XOR table is to use injective substitution boxes (s boxes) such that the number of output bits of the s box is ....

J. Seberry, X. Zhang, and Y. Zheng. Systematic generation of cryptographically robust s- boxes. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp. 172-182, November, 1993.

....[7] are powerful cryptanalytic attacks on private key block ciphers. The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeroes in the XOR table, and the number of nonzero entries in the first column in that table [3] [12]. The complexity of linear cryptanalysis depends on the size of the largest entry in the linear approximation table (LAT) 8] One way to reduce the size of the largest entry in the XOR table is to use injective substitution boxes (s boxes) such that the number of output bits of the s box is ....

J. Seberry, X. Zhang, and Y. Zheng. Systematic generation of cryptographically robust s-boxes. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp.172-182, November, 1993.

....block ciphers and one way hash functions. There are sveral methods how to construct cryptographically strong S boxes. Small, regular (n Theta m) S boxes (n m) with n 6 can be generated by exhaustive search. Larger, SAC satisfying S boxes can be constructed by means of methods presented in [SZZ93a] or by expanding smaller S boxes according to [KMI90] Another approach, introduced in [P91, N93] yields cryptographically strong S boxes which do not satisfy SAC. But the resulting S boxes can be modified by transforming their inputs by a suitable linear transformation [SZZ93b] into SAC ....

....various kinds of cryptosystems. It is based on approximation of outputs of S boxes by linear (or affine) functions. To achieve immunity against linear cryptanalysis it is sufficient to use (construct) S boxes with high nonlinearity of every nonzero linear combination of their functions see [SZZ93a]. 3. General construction The main idea of our construction is to split the input vector into two parts one of them is used as input variables of an S box S; while the other controls a transformation T , modifying the output of the S box. The elementary building block (EBB) is depicted in ....

Seberry J., Zhang X.-M., Zheng Y., Systematic Generation of Cryptographically Robust S-boxes, The Proceedings of the First ACM Conference on Computer and Communication Security, Fairfax, Virginia, USA, 1993.

....be over 18. We measured the differential characteristics of a S box as shown in Table 2. The uniformity of s 3 DES and s 5 DES in XOR distribution tables could be said to be worse than that of DES and s 2 DES but s 3 DES was verified to be stronger than DES and s 2 DES from DC attack. In [13], Seberry et al. proposed a new measure of checking the robustness of S box against DC attack. As defined in Section 3, let d denote the largest value in the XOR distribution table of DES like S box and N denote the number of nonzero entries in the first column of the table. In either case the ....

J.Seberry, X.Zhang, and Y.Zheng, "Systematic Generation of Cryptographically Robust S-boxes", Proc. of the 1st ACM Conf. on Comp. and Comm. Security, pp.172--182, ACM, 1993.

....3.62 16 75.39 3.99 20 73.54 4.08 18 S8 77.15 3.82 16 82.81 3.54 16 75.20 4.01 20 75.0 4.04 18 The uniformity of s 3 DES and s 5 DES in XOR distribution tables could be said to be worse than that of DES and s 2 DES but s 3 DES was verified to be stronger than DES and s 2 DES from DC. In [7], Seberry et al. proposed a new measure of checking the robustness of S box against DC. As defined in Section 3, let d denote the largest value in the XOR distribution table of DES like S box and N denote the number of nonzero entries in the first column of the table. In either case the value 2 ....

J. Seberry, X. Zhang, and Y. Zheng, "Systematic Generation of Cryptographically Robust S-boxes", Proc. of the 1st ACM Conf. on Comp. and Comm. Security, pp.172--182, ACM, 1993.

....the most powerful cryptanalytic attacks on private key block ciphers. The complexity of differential cryptanalysis depends on the size of the largest entry in the XOR table, the total number of zeroes in the XOR table, and the number of nonzero entries in the first column in that table [1] [8]. The complexity of linear cryptanalysis depends on the size of the largest entry in the linear approximation table (LAT) One requirement in s box design is to have a balanced s box (also known as a regular s box) This means that each output symbol should appear an equal number of times when the ....

J. Seberry, X. Zhang, and Y. Zheng. Systematic generation of cryptographically robust s-boxes. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp.172--182, November, 1993.

....condition for immunity to differential attacks. This is shown by the fact that S boxes constructed in [1, 9] which have a flat difference distribution table, are extremely weak to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 15]. A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [15] Definition 3. Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on Vn , i = 1; s, and ....

.... to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 15] A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [15]. Definition 3. Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on Vn , i = 1; s, and n s. Denote by L the largest value in the difference distribution table of F , and by N the number of nonzero entries in the first column of the table. In either case the ....

[Article contains additional citation context not shown here]

Seberry, J., Zhang, X. M., Zheng, Y.: Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security (1993) The Association for Computing Machinery, New York pp. 172 -- 182

....1 ; fm ) Then, not only each component function f i but also their linear combinations should satisfy cryptographic criteria. From this point of view, extensions of some cryptographic criteria of scalar output Boolean functions to vector output Boolean functions have been studied recently [3, 4, 13, 18]. For example, it is known that F is uniformly distributed if and only if all nonzero linear combinations of component functions f i are balanced [4, 11, 20] f satisfies perfect nonlinear if f(x) Phi f(x Phi ff) is balanced for any ff 6= 0. F = f 1 ; fm ) satisfies perfect nonlinear ....

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the First ACM Conference on Computer and Communications Security, pages 171--182. The Association for Computing Machinery, November 1993.

.... Note that the nonlinearity of balanced functions is always smaller than the nonlinearity of bent functions which attain the maximum nonlinearity and satisfy SAC [53] The tradeoff between nonlinearity and the propagation criterion (including the SAC) for balanced functions is discussed in [57] and [58] Charnes and Pieprzyk [10] studied the relation between the nonlinearity and the linear nonequivalence. They showed that it is not possible to select five balanced, SAC satisfying, linear nonequivalent functions in five boolean variables without reduction of nonlinearity. Nyberg [37] ....

....selected S boxes can then be verified against a collection of the S box criteria. O Connor [41] analysed a class of such algorithms and concluded that they are infeasible for relatively small sizes of S boxes. Systematic design of S boxes is a growing area of the S box theory (see for example [37] [57]) It produces a single good S box. There is a trend to design a family of crypto algorithms with a security parameter n instead of a single algorithm for fixed n. The parameter n usually specifies the size (in bits) of the input and output. To claim that some security features hold for the ....

J. Seberry, X.M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. Proceedings of the 1st ACM Conference on Computer and Communication Security, November 1993.

No context found.

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

No context found.

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

.... s , j = 0; 1. Hence and 0 ) Gamma Delta 2 m Gamma1 (ff i Thus there is a j 0 2 s 0 for 0 s 0 Gamma 1 and j 0 = 0 or 1, such that Recall that Delta 0 (ff) 2 for all ff 2 V n . So we have Delta 2 m Gamma1 (ff i According to Section 5. 3 of [21], the differential uniformity of F is invariant under a nonsingular linear transformation on the variables of F . Thus by choosing an appropriate nonsingular linear transformation on the variables of F , we have ut 9 Examining the new lower bound of 2 Delta M on the ....

....a regular S box, one prefers both a large t nz and a large T nz . It should be pointed out, however, that other factors should be taken into account too. Examples of such factors include successful attacks that exploit non zero entries in the leftmost column of a difference distribution table [4, 5, 21], and high order differential attacks recently developed in [10] Before closing this section, we note that a paper by Chabaud and Vaudenay [6] is a prior work most relevant to this research. A main result in [6] is their Theorem 4 which is equivalent to stating that for every mapping from V n to ....

Seberry, J., Zhang, X. M., and Zheng, Y. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security (1993), The Association for Computing Machinery, New York, pp. 172 -- 182.

.... Gamma 1 and j 0 = 0 or 1, such that k j 0 2 q s 0 = 2 Gammam ( Delta 0 (ff i 0 ) Delta 2 m Gamma1 (ff i 0 ) Recall that Delta 0 (ff) 2 n for all ff 2 V n . So we have k j 0 2 q s 0 = 2 Gammam (2 n Delta 2 m Gamma1 (ff i 0 ) According to Section 5. 3 of [21], the differential uniformity of F is invariant under a nonsingular linear transformation on the variables of F . Thus by choosing an appropriate nonsingular linear transformation on the variables of F , we have k j 0 2 q s 0 = 2 n Gammam 2 Gammam Delta M and hence ffi = 2 ....

....a regular S box, one prefers both a large t nz and a large T nz . It should be pointed out, however, that other factors should be taken into account too. Examples of such factors include successful attacks that exploit non zero entries in the leftmost column of a difference distribution table [4, 5, 21], and high order differential attacks recently developed in [10] Before closing this section, we note that a paper by Chabaud and Vaudenay [6] is a prior work most relevant to this research. A main result in [6] is their Theorem 4 which is equivalent to stating that for every mapping from V n to ....

Seberry, J., Zhang, X. M., and Zheng, Y. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security (1993), The Association for Computing Machinery, New York, pp. 172 -- 182.

....Matsui [10, 11] have further made it explicit that nonlinearity is not just important, but essential to DES like block encryption algorithms. Linear cryptanalysis exploits the low nonlinearity of S boxes employed by a block cipher, and it has been successfully applied in attacking FEAL and DES. In [21], it has been shown that to immunize an S box against linear cryptanalysis, it suffices for the Hamming distance between each nonzero linear combination of the component functions and each affine function not to deviate too far from 2 n Gamma1 , namely, an S box is immune to linear ....

....(a small ffi) is only a necessary, but not a sufficient condition for immunity to differential attacks. This is shown by the fact that S boxes constructed in [13, 1] are extremely weak to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 21]. A more complete measurement is the robustness introduced in [21] The reader is directed to that paper for a comprehensive treatment of this subject. Note that an n Theta s S box achieves the lowest possible differential uniformity ffi = 2 n Gammas if and only if it has a flat difference ....

[Article contains additional citation context not shown here]

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Commnications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

....condition for immunity to differential attacks. This is shown by the fact that S boxes constructed in [1, 9] which have a flat difference distribution table, are extremely weak to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 15]. A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [15] Definition 3 Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on V n , i = 1; s, ....

.... to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 15] A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [15]. Definition 3 Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on V n , i = 1; s, and n = s. Denote by L the largest value in the difference distribution table of F , and by N the number of nonzero entries in the first column of the table. In either case ....

[Article contains additional citation context not shown here]

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust Sboxes. In Proceedings of the first ACM Conference on Computer and Communications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

.... such as the design of strong substitution boxes (S boxes) often require that when input coordinates of a Boolean function are selected independently, at random, the output of the function must behave as a uniformly distributed random variable (Kam Davida, 1979; Adams Tavares, 1990a; Seberry et al. 1993). In other words, the function has to be balanced. Some practical applications need Boolean functions with an odd number of input coordinates. This paper studies properties and constructions of nonlinear, balanced functions. We present a number of methods for constructing highly nonlinear balanced ....

....integer. Applications of bent functions to digital communications, coding theory and cryptography can be found in such as (Adams Tavares, 1990b; Detombe Tavares, 1993; Lempel Cohn, 1982; Losev, 1987; MacWilliams Sloane, 1978; Meier Staffelbach, 1990; Nyberg, 1991; Olsen et al. 1982; Seberry et al. 1993). The following result can be found in an excellent survey of bent functions by Dillon (1972) Lemma 3 Let f be a function on V n , and let be the sequence of f . Then the following four statements are equivalent: i) f is bent. ii) h ; i = Sigma2 1 2 n for any affine sequence of length ....

[Article contains additional citation context not shown here]

Seberry, J., Zhang, X. M., & Zheng, Y. 1993. Systematic Generation of Cryptographically Robust S-boxes. Pages 172 -- 182 of: Proceedings of the first ACM Conference on Computer and Communications Security. The Association for Computing Machinery, New York.

....Matsui [10, 11] have further made it explicit that nonlinearity is not just important, but essential to DES like block encryption algorithms. Linear cryptanalysis exploits the low nonlinearity of S boxes employed by a block cipher, and it has been successfully applied in attacking FEAL and DES. In [21], it has been shown that to immunize an S box against linear cryptanalysis, it suffices for the Hamming distance between each nonzero linear combination of the component functions and each affine function not to deviate too far from 2 n Gamma1 , namely, an S box is immune to linear cryptanalysis ....

....ffi) is only a necessary , but not a sufficient condition for immunity to differential attacks. This is shown by the fact that S boxes constructed in [13, 1] are extremely weak to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [4, 5, 21]. A more complete measurement is the robustness introduced in [21] The reader is directed to that paper for a comprehensive treatment of this subject. Note that an n Theta s S box achieves the lowest possible differential uniformity ffi = 2 n Gammas if and only if it has a flat difference ....

[Article contains additional citation context not shown here]

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Commnications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

....for immunity to differential attacks. This is shown by the fact that S boxes constructed in [1, 15] which have a flat difference distribution table, are extremely weak to differential attacks, despite the fact that they achieve the lowest possible differential uniformity ffi = 2 n Gammam [5, 6, 22]. We are particularly interested in n Theta m S boxes that have the following property: for each nonzero vector ff 2 V n , F (x) Phi F (x Phi ff) runs through 2 m Gammat , 1 = t = m, of the vectors in Vm , each 2 n Gammam t times, but not through the other 2 m Gamma 2 m Gammat ....

.... Gamma 1 and j 0 = 0 or 1, such that k j 0 2 q s 0 = 2 Gammam ( Delta 0 (ff i 0 ) Delta 2 m Gamma1 (ff i 0 ) Recall that Delta 0 (ff) 2 n for all ff 2 V n . So we have k j 0 2 q s 0 = 2 Gammam (2 n Delta 2 m Gamma1 (ff i 0 ) According to Section 5. 3 of [22], the differential uniformity of F is invariant under a nonsingular linear transformation on the variables of F . Thus by choosing an appropriate nonsingular linear transformation on the variables of F , we have k j 0 2 q s 0 = 2 n Gammam 2 Gammam Delta M and hence ffi = 2 ....

Seberry, J., Zhang, X. M., and Zheng, Y. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security (1993), The Association for Computing Machinery, New York, pp. 172 -- 182.

.... design criteria for S boxes now has to include an extended measure of nonlinearity of S boxes; in particular this measure must be consistent with the measure introduced by Nyberg in [4] Some preliminary comments about the influence of linear cryptanalysis on the design of S boxes can be found in [9]. 2 Background We denote by x 2 f0; 1g n = X n a binary string of length n. A Boolean function f is defined as a mapping f : X n Gamma X: The set of all n variable linear Boolean functions is L n = ff j f : X n X; f = a 1 x 1 Phi : Phi a n x n g; where a i 2 f0; 1g and x i 2 ....

J. Seberry, X.M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. Proceedings of the 1st ACM Conference on C0mputer and Communication Security, November 1993.

....properties mentioned in Theorem 3 and Corollary 2. These functions can be used in many cryptographic designs. In particular, results shown in this section have been successfully employed by the authors in systematically constructing cryptographically robust substitution boxes (S boxes) [13]. 6 Example Example 1 By using Theorem 3, we now construct 4 functions of 6 variables. Let k = 4 and n = 6 in Theorem 3. Choose x 4 x 1 as the primitive polynomial. Let be a root of x 4 x 1 = 0. i , j = 0; 1; 2 4 Gamma 1 form a sequence: 1; 2 ; 3 ; 1 ; ....

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the First ACM Conference on Computer and Communications Security, pages 171--182, New York, November 1993. The Association for Computing Machinery.

.... criterion is also invariant under the transformation [SZZ93a] In the case of S boxes (tuples of functions) the profile of its difference distribution table, which measures the strength against the differential cryptanalysis [BS91, BS93] also remains invariant under such a transformation [SZZ93c] Thus Theorem 1 provides us with a very useful tool to improve the strict avalanche characteristics of cryptographic functions. In the following we consider two applications of the theorem. Application 1 Our first application shows that a SAC fulfilling function on a higher dimensional space ....

....of the component functions of an S box. The profile of the difference distribution table of the S box, and the number of nonzero vectors with respect to which the component functions satisfy the propagation criterion are not altered either. This technique has been successfully applied in [SZZ93c] to design S boxes that possess many desirable cryptographic properties, which include the high nonlinearity, the SAC, the balancedness and the robustness against differential cryptanalysis. As is shown below, the technique can also be applied to other approaches to the construction of S boxes. ....

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the First ACM Conference on Computer and Communications Security, November 1993. to appear.

.... design criteria for S boxes now has to include an extended measure of nonlinearity of S boxes; in particular this measure must be consistent with the measure introduced by Nyberg in [4] Some preliminary comments about the influence of linear cryptanalysis on the design of S boxes can be found in [9]. 2 Background We denote by x 2 f0; 1g n = X n a binary string of length n. A Boolean function f is defined as a mapping f : X n Gamma X: The set of all n variable linear Boolean functions is L n = ff j f : X n X; f = a 1 x 1 Phi : Phi a n x n g; where a i 2 f0; 1g and x i 2 ....

J. Seberry, X.M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. Proceedings of the 1st ACM Conference on Computer and Communication Security, November 1993.

.... of a function is unchanged under a linear transformation of coordinates [13] In the case of S boxes (tuples of functions) the profile of its XOR distribution table, which measures the strength against the differential cryptanalysis [2] also remains invariant under such a transformation [10]. Thus Theorem 1 provides us a powerful tool to improve the strict avalanche characteristics of cryptographic functions. In the following we consider two applications of the theorem. Application 1 Our first application shows that a SAC fulfilling function on a higher dimensional space can be ....

....n Gamma1 Gamma #B 0. Therefore, we can always find a nondegenerate matrix A such that f i (x) Phi f i (x Phi fl j ) is balanced for every 1 = i = m and 1 = j = n. By Theorem 1, 1 (x) f 1 (xA) m (x) fm (xA) all satisfy the SAC. ut Theorem 2 has been applied in [10] to design S boxes that possess many desirable cryptographic properties, which include the high nonlinearity, the SAC, the balanced5 ness and the robustness against differential cryptanalysis. As is shown below, the transformation technique can also be applied to other approaches to the ....

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the First ACM Conference on Computer and Communications Security, November 1993. to appear.

....for immunity to differential attacks. This is shown by the fact that S boxes constructed in [Ada92, Nyb91] which have a flat difference distribution table, are extremely weak to differential attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [BS93, BKPS93, SZZ93]. A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [SZZ93] Definition3. Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on Vn , i = 1; s, ....

.... attacks, despite that they achieve the lowest possible differential uniformity ffi = 2 n Gammas [BS93, BKPS93, SZZ93] A more complete measurement that takes into account the number of nonzero entries in the first column of a difference distribution table is the robustness introduced in [SZZ93]. Definition3. Let F = f 1 ; f s ) be an n Theta s S box, where f i is a function on Vn , i = 1; s, and n s. Denote by L the largest value in the difference distribution table of F , and by N the number of nonzero entries in the first column of the table. In either case the ....

[Article contains additional citation context not shown here]

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

....forward by Matsui [9] have made it explicit that nonlinearity is not just important, but essential to DESlike block encryption algorithms. Linear cryptanalysis exploits the low nonlinearity of S boxes employed by a block cipher, and it has been successfully applied in attacking FEAL and DES. In [16], it has been shown that to immunize an S box against linear cryptanalysis, it suffices for the Hamming distance between each nonzero linear combination of the component functions and each affine function not to deviate too far from 2 n Gamma1 , namely, an S box is immune to linear cryptanalysis ....

....uniformity of f . Extensive research has been conducted in constructing differentially ffi uniform S boxes with a low ffi [10, 1, 11, 13, 12, 2] Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, as pointed in [4, 5, 16], cautions must be taken with Definition 5. In particular, it should be noted that low differential uniformity (a small ffi ) is only a necessary, but not sufficient condition for immunity to differential attacks. A more complete measurement is the robustness introduced in [16] The reader is ....

[Article contains additional citation context not shown here]

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

No context found.

Jennifer Seberry and Xian-Mo Zhang and Yuliang Zheng, \Systematic Generation of Cryptographically Robust S-boxes," 1 st Conference Computer and Communication Security, VA, USA, 1993, pp. 171-182.

No context found.

Seberry J., Zhang X.-M., Zheng Y., Systematic Generation of Cryptographically Robust S-boxes, The Proceedings of the First ACM Conference on Computer and Communication Security, Fairfax, Virginia, USA, 1993.

No context found.

J. Seberry and X.-M. Zhang and Y. Zheng. Systematic Generation of Cryptographically Robust S-boxes, The Proceedings of the First ACM Conference on Computer and Communication Security, Fairfax, USA, 1993.

No context found.

J. Seberry, X. M. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Commnications Security, pages 172 -- 182. The Association for Computing Machinery, New York, 1993.

No context found.

Seberry, J., Zhang, X. M., Zheng, Y.: Systematic generation of cryptographically robust S-boxes. In Proceedings of the first ACM Conference on Computer and Communications Security (1993) The Association for Computing Machinery, New York pp. 172 -- 182

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC