Proving the Security of AES Substitution-Permutation Network

In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that the fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with only 4 inner rounds, despite the huge cumulative effect of multipath characteristics induced by the symmetries of AES. We show that the expected differential probability (DP) and linear probability (LP) both tend towards 1/(2^128 − 1), the value attained by a uniformly random 128-bit permutation, very fast as the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after only 10 rounds, which substantially improves a previous result by Moriai and Vaudenay.
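The constant 1/(2^128 − 1) in the abstract is the expected DP and LP of a uniformly random permutation, and the reason is elementary: for any permutation S and nonzero input difference (or mask) a, the DP (or LP) values over all output differences (or masks) b sum to 1, the b = 0 entry is 0, and for a random S every nonzero b is equally likely. The script below is an added example, not code from the paper or its authors; it checks the sum identities exactly on a toy 4-bit S-box (the size n = 4 and the seeds are assumptions chosen to keep the run instant) and estimates the expectation by Monte Carlo over random permutations, where it should approach 1/(2^4 − 1) = 1/15.

```python
"""Added example (not from the paper): why 1/(2^n - 1) is the expected DP/LP
of a random n-bit permutation, checked exactly and empirically at n = 4."""
import random
from fractions import Fraction

N_BITS = 4  # constructed toy size; AES S-boxes are 8-bit, AES* is analysed at n = 128


def random_sbox(n_bits, seed):
    """A uniformly random permutation of {0,1}^n_bits, seeded for reproducibility."""
    sbox = list(range(1 << n_bits))
    random.Random(seed).shuffle(sbox)
    return sbox


def dp_table(sbox):
    """Exact differential probabilities DP(a -> b) = #{x : S(x ^ a) ^ S(x) = b} / 2^n."""
    size = len(sbox)
    counts = [[0] * size for _ in range(size)]
    for x in range(size):
        for a in range(size):
            counts[a][sbox[x] ^ sbox[x ^ a]] += 1
    return [[Fraction(c, size) for c in row] for row in counts]


def _parity(v):
    return bin(v).count("1") % 2


def lp_table(sbox):
    """Exact linear probabilities LP(a -> b) = (2 * Pr[a.x = b.S(x)] - 1)^2 (Matsui's LP)."""
    size = len(sbox)
    table = []
    for a in range(size):
        row = []
        for b in range(size):
            agree = sum(1 for x in range(size) if _parity(a & x) == _parity(b & sbox[x]))
            row.append((Fraction(2 * agree, size) - 1) ** 2)
        table.append(row)
    return table


def row_sums_are_one(table):
    """sum_b DP(a -> b) = 1 by counting; sum_b LP(a -> b) = 1 by Parseval's identity.
    Combined with DP(a -> 0) = LP(a -> 0) = 0 for a != 0 (S is a bijection), the
    average over the 2^n - 1 nonzero b is exactly 1/(2^n - 1) for every S."""
    return all(sum(row) == 1 for row in table)


def average_over_random_perms(a, b, n_bits, trials, seed, use_lp=False):
    """Monte-Carlo estimate of E[DP(a -> b)] (or E[LP(a -> b)]) over random permutations.
    Fixing (a, b) and averaging over S is the non-trivial direction: the symmetry
    S -> M o S for invertible linear M maps any nonzero b to any other, so all
    nonzero b share one expectation, which must therefore be 1/(2^n - 1)."""
    rng = random.Random(seed)
    size = 1 << n_bits
    total = Fraction(0)
    for _ in range(trials):
        sbox = list(range(size))
        rng.shuffle(sbox)
        table = lp_table(sbox) if use_lp else dp_table(sbox)
        total += table[a][b]
    return total / trials


def ideal_value(n_bits):
    """The 'true random cipher' value 1/(2^n - 1); the abstract's constant at n = 128."""
    return Fraction(1, (1 << n_bits) - 1)


if __name__ == "__main__":
    sbox = random_sbox(N_BITS, seed=1)
    print("DP rows sum to 1:", row_sums_are_one(dp_table(sbox)))
    print("LP rows sum to 1:", row_sums_are_one(lp_table(sbox)))
    est_dp = average_over_random_perms(1, 1, N_BITS, trials=2000, seed=7)
    est_lp = average_over_random_perms(3, 5, N_BITS, trials=400, seed=11, use_lp=True)
    print(f"E[DP(1->1)] ~ {float(est_dp):.4f}, E[LP(3->5)] ~ {float(est_lp):.4f}, "
          f"ideal {float(ideal_value(N_BITS)):.4f}")
```

Note that a single fixed S-box (AES's or any other) has DP and LP entries far from this average, which is exactly what an attacker exploits; the theorem in the paper is about the expectation over the random S-boxes of AES*, and the Monte-Carlo estimate above is the small-n picture of that expectation.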

[1]  Serge Vaudenay,et al.  Links Between Differential and Linear Cryptanalysis , 1994, EUROCRYPT.

[2]  Xuejia Lai,et al.  Markov Ciphers and Differential Cryptanalysis , 1991, EUROCRYPT.

[3]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[4]  Kaisa Nyberg,et al.  Perfect Nonlinear S-Boxes , 1991, EUROCRYPT.

[5]  Ali Esmaili,et al.  Probability and Random Processes , 2005, Technometrics.

[6]  Ralph Wernsdorf,et al.  Markov Ciphers and Alternating Groups , 1994, EUROCRYPT.

[7]  Luke O'Connor,et al.  Properties of Linear Approximation Tables , 1994, FSE.

[8]  Mitsuru Matsui,et al.  New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis , 1996, FSE.

[9]  Seokhie Hong,et al.  Provable Security against Differential and Linear Cryptanalysis for the SPN Structure , 2000, FSE.

[10]  Ralph Wernsdorf,et al.  The Round Functions of RIJNDAEL Generate the Alternating Group , 2002, FSE.

[11]  W. Cary Huffman,et al.  Fundamentals of Error-Correcting Codes , 1975 .

[12]  Joachim von zur Gathen,et al.  Modern Computer Algebra , 1998 .

[13]  Henk Meijer,et al.  New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs , 2001, EUROCRYPT.

[14]  D. Chaum,et al.  Differential Cryptanalysis of the full 16-round DES , 1977 .

[15]  Mitsuru Matsui,et al.  The First Experimental Cryptanalysis of the Data Encryption Standard , 1994, CRYPTO.

[16]  Stafford E. Tavares,et al.  Toward Provable Security of Substitution-Permutation Encryption Networks , 1998, Selected Areas in Cryptography.

[17]  Joan Daemen,et al.  AES Proposal : Rijndael , 1998 .

[18]  Liam Keliher,et al.  Refined Analysis of Bounds Related to Linear and Differential Cryptanalysis for the AES , 2004, AES Conference.

[19]  Jongin Lim,et al.  On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis , 2002, ASIACRYPT.

[20]  Sangjin Lee,et al.  Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES , 2003, FSE.

[21]  Howard M. Heys,et al.  Substitution-permutation networks resistant to differential and linear cryptanalysis , 1996, Journal of Cryptology.

[22]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[23]  Serge Vaudenay,et al.  On the Security of CS-Cipher , 1999, FSE.

[24]  David A. Wagner Towards a Unifying View of Block Cipher Cryptanalysis , 2004, FSE.

[25]  Serge Vaudenay,et al.  On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER , 1994, FSE.

[26]  Henk Meijer,et al.  Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael , 2001, Selected Areas in Cryptography.

[27]  G. Grimmett,et al.  Probability and random processes , 2002 .

[28]  Marine Minier,et al.  New Results on the Pseudorandomness of Some Blockcipher Constructions , 2001, FSE.

[29]  Serge Vaudenay,et al.  Decorrelation: A Theory for Block Cipher Security , 2003, Journal of Cryptology.

[30]  S. Tavares,et al.  Toward the True Random Cipher: On Expected Linear Probability Values for SPNs with Randomly Selected S-Boxes , 2003 .

[31]  Kaisa Nyberg,et al.  Linear Approximation of Block Ciphers , 1994, EUROCRYPT.

[32]  Serge Vaudenay,et al.  On the Lai-Massey Scheme , 1999, ASIACRYPT.

[33]  Olle Häggström Finite Markov Chains and Algorithmic Applications , 2002 .

[34]  R. Gregory Taylor,et al.  Modern computer algebra , 2002, SIGA.

[35]  Ueli Maurer,et al.  The Security of Many-Round Luby-Rackoff Pseudo-Random Permutations , 2003, EUROCRYPT.

[36]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[37]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[38]  H. Feistel Cryptography and Computer Privacy , 1973 .

[39]  Jacques Patarin,et al.  Security of Random Feistel Schemes with 5 or More Rounds , 2004, CRYPTO.

[40]  Eli Biham,et al.  Differential Cryptanalysis of the Full 16-Round DES , 1992, CRYPTO.

[41]  Serge Vaudenay,et al.  How Far Can We Go Beyond Linear Cryptanalysis? , 2004, ASIACRYPT.

[42]  Serge Vaudenay,et al.  On the Pseudorandomness of Top-Level Schemes of Block Ciphers , 2000, ASIACRYPT.