Bounds in Shallows and in Miseries

  • Céline Blondeau
  • Andrey Bogdanov
  • Gregor Leander
Conference paper

DOI: 10.1007/978-3-642-40041-4_12

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)
Cite this paper as:
Blondeau C., Bogdanov A., Leander G. (2013) Bounds in Shallows and in Miseries. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg


Proving bounds on the expected differential probability (EDP) of a characteristic over all keys has been a popular technique of arguing security for both block ciphers and hash functions. In fact, to a large extent, it was the clear formulation and elegant deployment of this very principle that helped Rijndael win the AES competition. Moreover, most SHA-3 finalists have come with explicit upper bounds on the EDP of a characteristic as a major part of their design rationale. However, despite the pervasiveness of this design approach, there is no understanding of what such bounds actually mean for the security of a primitive once a key is fixed — an essential security question in practice.

In this paper, we aim to bridge this fundamental gap. Our main result is a quantitative connection between a bound on the EDP of differential characteristics and the highest number of input pairs that actually satisfy a characteristic for a fixed key. This is particularly important for the design of permutation-based hash functions such as sponge functions, where the EDP value itself is not informative for the absence of rekeying. We apply our theoretical result to revisit the security arguments of some prominent recent block ciphers and hash functions. For most of those, we have good news: a characteristic is followed by a small number of pairs only. For Keccak, though, currently much more rounds would be needed for our technique to guarantee any reasonable maximum number of pairs.

Thus, our work — for the first time — sheds light on the fixed-key differential behaviour of block ciphers in general and substitution-permutation networks in particular which has been a long-standing fundamental problem in symmetric-key cryptography.


block cipher hash function differential cryptanalysis differential characteristic expected differential probability Grøstl 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Céline Blondeau
    • 1
  • Andrey Bogdanov
    • 2
  • Gregor Leander
    • 3
  1. 1.School of ScienceAalto UniversityFinland
  2. 2.Technical University of DenmarkDenmark
  3. 3.Ruhr University BochumGermany

Personalised recommendations