Modeling Linear Characteristics of Substitution-Permutation Networks

In this paper we present a model for the bias values associated with linear characteristics of substitution-permutation networks (SPNs). The first iteration of the model is based on our observation that for sufficiently large s-boxes, the best linear characteristic usually involves one active s-box per round. We obtain a result which allows us to compute an upper bound on the probability that linear cryptanalysis using such a characteristic is feasible, as a function of the number of rounds. We then generalize this result, upper bounding the probability that linear cryptanalysis is feasible when any linear characteristic may be used (no restriction on the number of active s-boxes). The work of this paper indicates that the basic SPN structure provides good security against linear cryptanalysis based on linear characteristics after a reasonably small number of rounds.
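To make the one-active-s-box-per-round case concrete, the sketch below (an added illustration, not code or a result from the paper) computes the largest bias of an s-box, chains it over the rounds with Matsui's piling-up lemma, and reports the round count at which the data requirement exceeds the codebook. The assumptions are mine: the s-box is a constructed seeded random bijection, the same maximum bias is used in every round as an upper bound, data complexity is taken as 1/bias^2 with the constant factor set to 1, and "feasible" means needing at most 2^N known plaintexts; all function names are hypothetical.

```python
import math
import random

def max_sbox_bias(sbox, n):
    """Largest |Pr[a.x == b.S(x)] - 1/2| over nonzero masks a, b of an n-bit s-box."""
    size = 1 << n
    parity = [bin(v).count("1") & 1 for v in range(size)]
    best = 0.0
    for a in range(1, size):
        for b in range(1, size):
            agree = sum(parity[a & x] == parity[b & sbox[x]] for x in range(size))
            best = max(best, abs(agree / size - 0.5))
    return best

def log2_characteristic_bias(eps, active):
    """Piling-up lemma: log2 of 2^(T-1) * eps^T for T active s-boxes of bias eps."""
    return (active - 1) + active * math.log2(eps)

def log2_data_needed(eps, rounds):
    """log2 of N_L = 1/bias^2, one active s-box per round (assumed constant factor 1)."""
    return -2 * log2_characteristic_bias(eps, rounds)

def rounds_until_infeasible(eps, block_bits, max_rounds=64):
    """Smallest round count whose data requirement exceeds the 2^block_bits codebook."""
    for r in range(1, max_rounds + 1):
        if log2_data_needed(eps, r) > block_bits:
            return r
    return None  # a linear s-box (eps = 1/2) never becomes infeasible

def random_sbox(n, seed):
    """Constructed sample input: a seeded random bijection on n bits."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table

if __name__ == "__main__":
    n, block_bits = 6, 48  # assumed toy parameters: eight 6-bit s-boxes per round
    eps = max_sbox_bias(random_sbox(n, seed=1), n)
    print(f"max s-box bias = {eps:.4f}")
    for r in range(1, 13):
        need = log2_data_needed(eps, r)
        verdict = "feasible" if need <= block_bits else "infeasible"
        print(f"rounds={r:2d}  log2(N_L)={need:6.2f}  {verdict}")
```

Because the maximum bias over all mask pairs is used for every round, the reported round count is conservative for the designer: a real characteristic restricted to one active s-box per round can only have a smaller bias.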
