On the distribution of characteristics in bijective mappings

Differential cryptanalysis is a method of attacking iterated mappings based on differences known as characteristics. The probability of a given characteristic is derived from the XOR tables associated with the iterated mapping. If $\pi$ is a mapping $\pi: Z_2^m \to Z_2^m$, then for each $\Delta X, \Delta Y \in Z_2^m$ the XOR table for $\pi$ gives the number of input pairs of difference $\Delta X = X + X'$ for which $\pi(X) + \pi(X') = \Delta Y$. The complexity of a differential attack depends upon two properties of the XOR tables: the density of zero entries in the table, and the size of the largest entry in the table. In this paper we present the first results on the expected values of these properties for a general class of mappings $\pi$. We prove that if $\pi: Z_2^m \to Z_2^m$ is a bijective mapping, then the expected size of the largest entry in the XOR table for $\pi$ is bounded by $2m$, while the fraction of the XOR table that is zero approaches $e^{-1/2} = 0.60653$. We are then able to demonstrate that there are easily constructed classes of iterated mappings for which the probability of a differential-like attack succeeding is very small.
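The two XOR-table properties named in the abstract can be measured directly for small $m$. The following is an added example, not code from the paper: the function names are hypothetical, entries are assumed to count ordered pairs $(X, X')$, and the trivial row $\Delta X = 0$ is left out of the statistics.

```python
import math
import random

def xor_table(pi, m):
    """Return T where T[dx][dy] counts ordered pairs (X, X') with
    X ^ X' == dx and pi[X] ^ pi[X'] == dy (assumed counting convention)."""
    n = 1 << m
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][pi[x] ^ pi[x ^ dx]] += 1
    return table

def table_stats(table):
    """Fraction of zero entries and largest entry over rows with dx != 0.
    Row 0 is trivial: every pair with X == X' gives dy == 0."""
    rows = table[1:]
    zeros = sum(row.count(0) for row in rows)
    total = sum(len(row) for row in rows)
    return zeros / total, max(max(row) for row in rows)

def random_bijection_stats(m, trials, seed=0):
    """Average both statistics over `trials` random bijections on m bits."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample
    n = 1 << m
    zero_fracs, largest = [], []
    for _ in range(trials):
        pi = list(range(n))
        rng.shuffle(pi)        # uniformly random bijection on Z_2^m
        frac, big = table_stats(xor_table(pi, m))
        zero_fracs.append(frac)
        largest.append(big)
    return sum(zero_fracs) / trials, sum(largest) / trials

if __name__ == "__main__":
    m = 8
    frac, big = random_bijection_stats(m, trials=5)
    print(f"m={m}: zero fraction {frac:.5f} (e^-1/2 = {math.exp(-0.5):.5f})")
    print(f"m={m}: mean largest entry {big:.1f} (bound 2m = {2 * m})")
```

For comparison, the identity mapping puts all $2^m$ pairs of each row into a single entry, the opposite extreme from the random bijections sampled here.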
