K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, New York, 1992. to appear.
.... four measures to evaluate the security of a cipher against DC and LC as follows: Precise measure: The maximum average of differential and linear hull probabilities [4], [6]. Theoretical measure: The upper bounds of the maximum average of differential and linear hull probabilities [8], [11]. Heuristic measure: The maximum average of differential characteristic and linear approximation probabilities [2], [3], [5]. Practical measure: The upper bounds of the maximum average of differential characteristic and linear approximation probabilities [12], [14]. DC and LC are the most ....
....it is a basic requisite for the designer to evaluate the security of any new proposed cipher against DC and LC, and to prove that it is sufficiently resistant against them. In this paper, we consider a practical measure and theoretical measure out of the above four measures. Nyberg and Knudsen [11] stated that Feistel ciphers evaluated with the theoretical measure are provably secure against DC and LC. Therefore, a block cipher is called to have provable security against DC and LC, where the upper bounds of the maximum average of differential and linear hull probabilities are sufficiently ....
K. Nyberg and L.R. Knudsen, "Provable Security against Differential Cryptanalysis," J. of Cryptology, no. 8, (1), 1995, pp. 27-37.
....characteristic is greater than or equal to d. The results are obtained by assuming that all the round keys are independent. The number of chosen plaintext ciphertext pairs required for differential cryptanalysis of an R round SPN (based on the best characteristic and not the best differential [10], 6] may be approximated by [1] 4] ND (P ffi ) 9) where P ffi n and R 2 0 1: 10) Similarly, the number of known plaintexts required for the basic linear cryptanalysis (algorithm 1 in [9] may be approximated by [4] N L j2 ff01 P ffl (11) P ffl = n01 0NL ; ....
K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. Advances in Cryptology: Proc. of CRYPTO '92, Springer-Verlag, pp. 566--574, 1993.
....[6] and the concept of higher order differentials was introduced. As a special case binary functions were considered, which is relevant for cryptanalysis of block ciphers. The cryptographic significance of higher order differentials was discussed, but no applications given. Knudsen and Nyberg [8] showed that block ciphers exist secure against a differential attack using first order differentials, as proposed by Biham and Shamir. Basic Research in Computer Science, Centre of the Danish National Research Foundation In this paper we introduce the concept of partial differentials, i.e. ....
....n, i.e. the highest probability of a non trivial one round differential is 2=2 and 4=2 respectively. In both cases the nonlinear order of the outputs is n Gamma 1 [7] As an example consider a 5 round cipher using as round function f(x; k) x Phi k) for n odd. From the results of [8] this cipher is highly resistant against differential attacks using full differentials, since any 3 round differential has a probability of at most 2 according to Th. 2 of [8] that is, using differentials, where full n bit differences are used. In an attack counting on the round key of the ....
K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In E.F. Brickell, editor, Advances in Cryptology - Proc. Crypto'92, LNCS 740, pages 566--574. Springer Verlag, 1993.
....the S boxes used in DES with another function which resists both differential and linear cryptanalysis. In this paper we study the round permutations (which play the same role as the S boxes) which ensure that the corresponding Feistel cipher is secure against differential cryptanalysis. In [NK93] Nyberg and Knudsen gave a condition under which a Feistel cipher resists differential cryptanalysis in average . They actually gave an upper bound on the probability of any r round differential of a Feistel cipher, for r 3, but this bound only holds when the round keys are independent and ....
....n 2 Theta F n 2 F n 2 Theta F n 2 (L; R) 7 (R; L f(R K i ) where denotes the exclusive or operation, K i 2 F n 2 is the i th round key and f is a permutation over F n 2 , called the round permutation. Using the particular structure of this round function Nyberg and Knudsen [NK93] gave an upper bound on the probability of any r round differential for r 3 when the round keys are independent and uniformly random. They actually proved the following result: Proposition 1 [NK93] For a Feistel cipher with block size 2n, with round permutation f and with independent uniformly ....
K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, number 740 in Lecture Notes in Computer Science, pages 566--574. SpringerVerlag, 1993.
Kaisa Nyberg, Lars Ramkilde Knudsen, "Provable Security against differential cryptanalysis", Advances in Cryptology - CRYPTO '92, Lecture Notes on Computer Science, 740, pp. 566--574, 1993.
....a finer grained diffusion, instead of a 4 by 4 MDS matrix over GF(2 8 ) the former would have been no slower on a Pentium but at least twice as slow on a low memory smart card. 6. 2 Conservative Design There has been considerable research in designing ciphers to be resistant to known attacks [Nyb91, Nyb93, OCo94a, OCo94b, OCo94c, Knu94a, Knu94b, Nyb94, DGV94b, Nyb95, NK95, Mat96, Nyb96], such as differential [BS93] linear [Mat94] and related key cryptanalysis [Bih94, KSW96, KSW97] This research has culminated in strong cipher designs CAST 128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy as well as some excellent cryptanalytic theory. However, it is ....
....well as some excellent cryptanalytic theory. However, it is dangerous to rely solely on theory when designing ciphers. Ciphers provably secure against differential cryptanalysis have been attacked with higher order differentials [Lai94, Knu95b] or the interpolation attack [JK97] KN cipher [NK95] was attacked in [JK97, SMK98] Kiefer [Kie96] in [JK97] and a version of CAST in [MSK98a] The CAST cipher cryptanalyzed in [MSK98a] is not CAST 128, but it does illustrate that while the CAST design procedure [AT93, HT94] can create ciphers resistant to differential and linear cryptanalysis, it ....
K. Nyberg and L.R. Knudsen, "Provable Security Against Differential Cryptanalysis," Journal of Cryptology, v. 8, n. 1, 1995, pp. 27--37.
....an attack on. The Data Encryption Standard [1] initiated an important open research area, and some important cryptanalysis methods emerged, namely Biham and Shamir's differential cryptanalysis [4] and Matsui's linear cryptanalysis [11], as well as further generalizations. Nyberg and Knudsen [14] showed how to build toy block ciphers which provably resist differential cryptanalysis (and linear cryptanalysis as well, as has been shown afterward [3]). This paradigm has successfully been used by Matsui in the MISTY cipher [12, 13]. However, Nyberg and Knudsen's method does not provide much ....
K. Nyberg, L. R. Knudsen. Provable security against a differential cryptanalysis. Journal of Cryptology, vol. 8, pp. 27--37, Springer-Verlag, 1995.
....assume that the subkeys are random and independent. In particular, if this chain converges to the uniform distribution, this is considered to be strong evidence that the cipher becomes resistant to differential attacks, which is true for DES [5] and most likely for IDEA [6] Knudsen and Nyberg [11] have derived a general upper bound on the probability of a differential in terms of the most likely one round difference. Extending the Markov approach, we will show that almost all round functions F have corresponding Markov chains for differentials that converge to the uniform distribution, ....
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. Advances in Cryptology, CRYPTO 92, Lecture Notes in Computer Science, vol. 740, E. F. Brickell ed., Springer-Verlag, pages 566--574, 1993.
....and accordingly, $\delta$ is called the differential uniformity of $f$. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [13, 1, 14, 16, 15, 2]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 5. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....while $x$ runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2-uniform quadratic $n \times n$ S-boxes in computer security practices, primarily due to their low algebraic degree, these S-boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S-boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, New York, 1992. to appear.
....and accordingly, $\delta$ is called the differential uniformity of $F$. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....of $2^{n-s+1}$. In Theorem 3 of [17] it has been proved that for quadratic S-boxes, $2^{n-s+1}$ is the lower bound on differential uniformity. Note that a differentially 2-uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [13, 2, 9, 10, 11, 12]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S-boxes with a UHODDT can be viewed as a generalization of differentially 2-uniform permutations. Hence $n \times s$ S-boxes with a UHODDT are very appealing and have received ....
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume 740, Lecture Notes in Computer Science, pages 566--574. Springer-Verlag, Berlin, Heidelberg, New York, 1993.
....an attack on. The Data Encryption Standard [1] initiated an important open research area, and some important cryptanalysis methods emerged, namely Biham and Shamir's differential cryptanalysis [7] and Matsui's linear cryptanalysis [13], as well as further generalizations. Nyberg and Knudsen [16] showed how to build toy block ciphers which provably resist differential cryptanalysis (and linear cryptanalysis as well, as has been shown afterward [4]). This paradigm has successfully been used by Matsui in the MISTY cipher [14, 15]. However, Nyberg and Knudsen's method does not provide much ....
K. Nyberg, L. R. Knudsen. Provable security against a differential cryptanalysis. Journal of Cryptology, vol. 8, pp. 27--37, 1995.
....K p K p defined as F (x; y) x Theta (y) f(y) where Theta is the multiplication over GF (2 p ) is Bent. For p 2q, we have to look for other bounds. III Almost Perfect Functions 6 III Almost Perfect Functions III 1 ffi Almost Perfect Nonlinear functions Definition 5 ([NK93]) We have Delta F 2. The functions such that Delta F = 2 are called Almost Perfect Nonlinear (APN) As Delta F 2 p Gammaq , the APN functions can exist only when q p (the case (p; q) 2; 1) is trivial) In this case, the differential resistant functions are the APN functions. III 2 ....
K. Nyberg and L. Ramkilde Knudsen. Provable security against differential cryptanalysis. In Lecture Notes in Computer Science, Advances in Cryptology -- CRYPTO '92, volume 740, pages 566--574. Springer-Verlag, 1993.
....$\delta$-uniform, and accordingly, $\delta$ is called the differential uniformity of $f$. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [13, 1, 14, 16, 15, 2]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 7. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....while $x$ runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2-uniform quadratic $n \times n$ S-boxes in computer security practices, primarily due to their low algebraic degree, these S-boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S-boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, New York, 1992. to appear.
....ky r : Then the S box S 1 is derived from S 0 as (see Figure 5) S 1 (x) S 0 (x) Gamma1 for x = 0; 1; Delta Delta Delta ; 255. This technique to generate a larger S box from smaller S boxes was first introduced in MISTY [17] and also used in CS cipher [21] According to Nyberg and Knudsen [19], the S boxes constructed as above will have DPS i 2p 2 (LPS i 2p 2 , resp. if each P i is bijective with DPP i p (DPP i p, resp. P0 P1 P2 P2 P1 P0 S0 S1 Figure 5: Construction of 8 Theta 8 S boxes S 0 and S 1 from 4 Theta 4 S boxes P j (j = 0; 1; 2) The 4 Theta 4 S boxes shown in ....
K. Nyberg and L.Knudsen, Provable security against differential cryptanalysis, J. Cryptology, Vol.8, No. 1, 1995, pp.27-37.
....into the design of the block cipher. Their work introduced the idea of differentials which are a broader version of characteristics; only the input and output differences are specified while the differences at intermediate rounds are not considered. 12 Block Ciphers Nyberg and Knudsen [116, 117] make note of the duality between these concepts. They point out that to make a successful differential cryptanalytic attack on a DES like iterated cipher, the existence of good characteristics is sufficient. To prove the resistance of a cipher against differential attacks however, differentials ....
K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In E.F. Brickell, editor, Advances in Cryptology --- Crypto '92, volume 740 of Lecture Notes in Computer Science, pages 566--574, New York, 1993. Springer-Verlag.
....as suggested by Lai [16]. It may be the case that all characteristics are unlikely but there exist high probability differentials. A deeper analysis using Markov chains will be required to bound the probability of the most likely differential in a cipher. Notwithstanding, Knudsen and Nyberg [21] have shown that the probability of any differential is bounded from above by 2 Delta (p Omega ) 2 , regardless of the number of rounds. ACKNOWLEDGEMENTS I would like to thank Prabahkar Ragde for his assistance in developing the results in this thesis. I would also like to thank the referees ....
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis, August, 1992. talk given at the Rump Session of CRYPTO '92.
.... table (UHODDT), i.e. S-boxes whose differential distribution tables contain an equal number of zero and identical non-zero entries in each of their rows (not taking into account the top row). Previous works directly or indirectly related to this line of research include, but not limited to, [1, 3, 15, 16, 17, 18, 19]. Defying efforts by a number of researchers, no $n \times m$ S-box with a UHODDT has emerged. This has led to a conjecture which states that for all n m, there exists no $n \times m$ S-box with a UHODDT. Some progress in proving the conjecture was made in [29] where it was shown that when n or m ....
....an S-box is defined as the largest value in the differential distribution table of the S-box (not taking into account the top row). Clearly $\delta$ is constrained by $2^{n-m} \le \delta \le 2^n$. Extensive research has been carried out to construct differentially $\delta$-uniform S-boxes with low $\delta$ [1, 3, 15, 16, 17, 18, 19]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 3. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
Nyberg, K., and Knudsen, L. R. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92 (1993), vol. 740, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 566--574.
....applies also to other cryptographic primitives such as one way hash functions. Since differential cryptanalysis was introduced, researchers have devoted a large number of efforts to designing substitution boxes (S boxes) in order to strengthen the security of a block cipher against the attack [14, 1, 15, 17, 16, 2]. Although these S boxes are interesting in terms of their security against differential cryptanalysis, they bear a number of shortcomings which render them unattractive in practice. These shortcomings will be fully addressed in Section 3. Here we mention briefly two of them: 1) The S boxes are ....
....(1 Gamma 2 Gamman 1 ) The maximum robustness is attained by a permutation with the following difference distribution table: except for the first row, half of the entries in a row contain the value 2 while the other half contain the value 0. Such S boxes have been extensively investigated in [15, 17, 16, 2]. These S boxes, however, suffer some or all of the drawbacks described below, which render them unattractive in practice. 1. Their component functions are quadratic. This is true for all the permutations in [18, 17] the first type of permutations in [16] and some of the permutations in [2] A ....
Nyberg, K., and Knudsen, L. R. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92 (1992), vol. Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York. to appear.
....an attack on. The Data Encryption Standard [1] initiated an important open research area, and some important cryptanalysis methods emerged, namely Biham and Shamir's differential cryptanalysis [4] and Matsui's linear cryptanalysis [10], as well as further generalizations. Nyberg and Knudsen [13] showed how to build toy block ciphers which provably resist differential cryptanalysis (and linear cryptanalysis as well, as has been shown afterward [3]). This paradigm has successfully been used by Matsui in the MISTY cipher [11, 12]. However, Nyberg and Knudsen's method does not provide much ....
K. Nyberg, L. R. Knudsen. Provable security against a differential cryptanalysis. Journal of Cryptology, vol. 8, pp. 27--37, 1995.
....(and all its refinements due to Patarin [36 38] and Pieprzyk [39] can be used. This applies to the Deal AES candidate [35, 23] assuming that DES looks like a random permutation (see below however) six rounds of a Feistel network with DES round functions are secure. The Nyberg Knudsen Theorem [33, 34] and all its extensions due to Aoki and Ohta [5] have been used in the Misty cipher [31, 32] One problem with this approach is that it does not allow much freedom in the design, and the designer is actually limited by some algebraic properties. In some simple cases, this is dangerous, as shown by ....
K. Nyberg, L. R. Knudsen. Provable Security against a Differential Cryptanalysis. Journal of Cryptology, vol. 8, pp. 27--37, 1995.
....[6] and the concept of higher order differentials was introduced. As a special case binary functions were considered, which is relevant for cryptanalysis of block ciphers. The cryptographic significance of higher order differentials was discussed, but no applications given. Knudsen and Nyberg [8] showed that block ciphers exist secure against a differential attack using first order differentials, as proposed by Biham and Shamir. In this paper we introduce the concept of truncated differentials, i.e. differentials where only a part of the difference in the ciphertexts (after a number of ....
....probability of a non trivial one round differential is $2/2^n$ and $4/2^n$ respectively. In both cases the nonlinear order of the outputs is $n - 1$ [7]. As an example consider a 5 round cipher using as round function $f(x, k) = (x \oplus k)^{-1}$ in $GF(2^n)$ for $n$ odd. From the results of [8] this cipher is highly resistant against differential attacks using full differentials, since any 3 round differential has a probability of at most $2^{3-2n}$ according to Th. 2 of [8], that is, using differentials, where full n bit differences are used. In an attack counting on the round key ....
K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In E.F. Brickell, editor, Advances in Cryptology - Proc. Crypto'92, LNCS 740, pages 566--574. Springer Verlag, 1993.
No context found.
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, New York, 1992. to appear.
No context found.
Nyberg, K., and Knudsen, L. R. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92 (1993), vol. 740, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 566--574.
No context found.
K. Nyberg and L. R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, volume 740, Lecture Notes in Computer Science, pages 566--574. Springer-Verlag, Berlin, Heidelberg, New York, 1993.
No context found.
Nyberg, K., Knudsen, L. R.: Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92 (1993) vol. 740, Lecture Notes in Computer Science Springer-Verlag, Berlin, Heidelberg, New York pp. 566--574