
Journal of Cryptology, Volume 9, Issue 1, pp. 1–19

Substitution-permutation networks resistant to differential and linear cryptanalysis

  • Howard M. Heys
  • Stafford E. Tavares

Abstract

In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In particular, we develop upper bounds on the differential characteristic probability and on the probability of a linear approximation as a function of the number of rounds of substitutions. Further, it is shown that using large S-boxes with good diffusion characteristics and replacing the permutation between rounds by an appropriate linear transformation is effective in improving the cipher security in relation to these two attacks.
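The bounds described in the abstract are built from two per-S-box quantities: the largest entry of the S-box's difference distribution table and the largest bias in its linear approximation table. The following is an added example, not code from the paper: it computes both tables for a constructed 3-bit S-box (x → x³ over GF(2³), an APN permutation) and for the identity, and then applies the crude one-active-S-box-per-round bounds, which are an illustrative assumption here and not the sharper bounds the paper derives.

```python
from itertools import product

# Constructed sample inputs: x -> x^3 over GF(2^3) (modulus x^3 + x + 1), an
# APN permutation, and the identity, which offers no resistance at all.
CUBE_SBOX = [0, 1, 3, 4, 5, 6, 7, 2]
IDENTITY_SBOX = list(range(8))


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x, dx in product(range(n), repeat=2):
        table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    return bin(v).count("1") & 1


def lat_bias(sbox):
    """Linear bias table: bias[a][b] = |#{x : a.x == b.S(x)} / n - 1/2|."""
    n = len(sbox)
    table = [[0.0] * n for _ in range(n)]
    for a, b in product(range(n), repeat=2):
        agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
        table[a][b] = abs(agree / n - 0.5)
    return table


def max_diff_prob(sbox):
    """Largest one-S-box differential probability over nonzero input differences."""
    return max(max(row) for row in ddt(sbox)[1:]) / len(sbox)


def max_bias(sbox):
    """Largest one-S-box linear bias over nonzero input and output masks."""
    n, table = len(sbox), lat_bias(sbox)
    return max(table[a][b] for a in range(1, n) for b in range(1, n))


def crude_round_bounds(sbox, rounds):
    """Crude R-round bounds (an assumption for illustration, not the paper's):
    with at least one active S-box per round, a differential characteristic has
    probability <= p_max^R and, by Matsui's piling-up lemma, a linear
    approximation has bias <= 2^(R-1) * eps_max^R."""
    p_max, eps_max = max_diff_prob(sbox), max_bias(sbox)
    return p_max ** rounds, 2 ** (rounds - 1) * eps_max ** rounds
```

For the cubing S-box both maxima are 1/4, so the crude four-round bounds are 2⁻⁸ for a characteristic and 2⁻⁵ for a linear bias; for the identity S-box both stay at their trivial values no matter how many rounds are added.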

Keywords

Product cipher; Substitution-permutation network; S-box; Differential cryptanalysis; Linear cryptanalysis



Copyright information

© International Association for Cryptologic Research 1996

Authors and Affiliations

  • Howard M. Heys (1)
  • Stafford E. Tavares (1)

  1. Department of Electrical and Computer Engineering, Queen's University, Kingston, Canada
