Cryptography and Communications

, Volume 1, Issue 1, pp 47–69 | Cite as

New criteria for linear maps in AES-like ciphers

  • Joan Daemen
  • Vincent Rijmen


In this paper, we study a class of linear transformations that are used as mixing maps in block ciphers. We address the question which properties of the linear transformation affect the probability of differentials and characteristics over Super boxes. Besides the expected differential probability (EDP), we also study the fixed-key probability of characteristics, denoted by DP[k]. We define plateau characteristics, where the dependency on the value of the key is very structured. Our results show that the distribution of the key-dependent probability is not narrow for characteristics in the AES Super box and hence the widely made assumption that it can be approximated by the EDP, is not justified. Finally, we introduce a property of linear maps which hasn’t been studied before. We call this property related differentials. Related differentials don’t influence the EDP of characteristics, but instead they affect the distribution of their DP[k] values.


AES-like ciphers Linear maps EDP 


  1. 1.
    Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197 (2001)Google Scholar
  2. 2.
    American Mathematical Society. Algebra, ISBN 0821816462 (1999)Google Scholar
  3. 3.
    Anderson, R.A., Biham, E., Knudsen, L.R.: Serpent. Proc. of the 1st AES candidate conference, CD-1: Documentation, August 20–22, Ventura (1998)Google Scholar
  4. 4.
    Aoki, K.: Maximum non-averaged differential probability. Selected Areas in Cryptography SAC ’98, LNCS 1556, pp. 118–130. Springer-Verlag (1998)Google Scholar
  5. 5.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms—Design and analysis. In: Stinson, D., Tavares, S. (eds.) Selected Areas in Cryptography 2000, LNCS 2012, pp. 39–56. Springer-Verlag (2000)Google Scholar
  6. 6.
    Barreto, P., Rijmen, V.: The Anubis block cipher. First open NESSIE Workshop, Leuven, November 13–14, (2000)
  7. 7.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like Cryptosystems. J. Cryptol. 4(1), 3–72 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Ben-Aroya, I., Biham, E.: Differential cryptanalysis of Lucifer. In: Stinson, D. (ed.) Advances in Cryptology, Proc. Crypto’93, LNCS 773, pp. 187–199. Springer-Verlag (1994)Google Scholar
  9. 9.
    Canteaut, A.: Differential cryptanalysis of Feistel ciphers and differentially δ-uniform mappings. Workshop record of Selected Areas in Cryptography SAC ’97, pp. 172–184 (1997)Google Scholar
  10. 10.
    Daemen, J., Govaerts, R., Vandewalle, J.: Weak keys of IDEA. In: Stinson, D. (ed.) Advances in Cryptology, Proc. Crypto’93, LNCS 773, pp. 224–231. Springer-Verlag (1994)Google Scholar
  11. 11.
    Daemen, J., Govaerts, R., Vandewalle, J.: A new approach to block cipher design. In: Anderson, R. (ed.) Proc. of Fast Software Encryption 1993, LNCS 809, pp. 18–32. Springer-Verlag (1994)Google Scholar
  12. 12.
    Daemen, J.: Cipher and hash function design. Strategies based on linear and differential cryptanalysis. Ph.D. thesis, Katholieke Universiteit Leuven (1995)Google Scholar
  13. 13.
    Daemen, J., Knudsen, L.R. Rijmen, V.: The block cipher square. In: Biham, E. (ed.) Fast Software Encryption ’97, LNCS 1267, pp. 149–165. Springer-Verlag (1997)Google Scholar
  14. 14.
    Daemen, J., Peeters, M., Van Assche G., Rijmen, V.: Nessie proposal: the block cipher Noekeon. (Submitted to Nessie)Google Scholar
  15. 15.
    Daemen, J., Rijmen, V.: The Design of Rijndael—AES, The Advanced Encryption Standard. Springer-Verlag (2002)Google Scholar
  16. 16.
    Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. Security and Cryptography for Networks 2006 (SCN 2006), LNCS 4116, pp. 78–94. Springer-Verlag (2006)Google Scholar
  17. 17.
    Daemen, J., Rijmen, V.: Plateau characteristics. IET Inf. Secur. 1(1), 11–18 (2007)CrossRefMathSciNetGoogle Scholar
  18. 18.
    Keliher, L.: Refined analysis of bounds related to linear and differential cryptanalysis for the AES. Advanced Encryption Standard—AES, 4th international conference (AES 2004), LNCS 3373, pp. 42–57. Springer-Verlag (2005)Google Scholar
  19. 19.
    Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for 2-round advanced encryption standard (AES). IET Inf. Secur. 1(2), 53–57 (2007)CrossRefGoogle Scholar
  20. 20.
    Knudsen, L.R.: Iterative characteristics of DES and s2-DES. In: Brickell, E.F. (ed.) Advances in Cryptology, Proc. CRYPTO’92, LNCS 746, pp. 497–511. Springer-Verlag (1993)Google Scholar
  21. 21.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) Fast Software Encryption ’94, LNCS 1008, pp. 196–211. Springer-Verlag (1995)Google Scholar
  22. 22.
    Knudsen, L.R., Mathiassen, J.E.: On the role of key schedules in attacks on iterated ciphers. ESORICS 2004, LNCS 3193, pp. 322–334. Springer-Verlag (2004)Google Scholar
  23. 23.
    Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) Advances in Cryptology, Proc. Eurocrypt’91, LNCS 547, pp. 17–38. Springer-Verlag (1991)Google Scholar
  24. 24.
    Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, 1986 (Reprinted 1988)Google Scholar
  25. 25.
    Matsui, M.: New block encryption algorithm misty. In: Biham, E. (ed.) Fast Software Encryp tion ’97, LNCS 1267, pp. 64–74. Springer-Verlag (1997)Google Scholar
  26. 26.
    Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) Advances in Cryptology, Proc. Eurocrypt’93, LNCS 765, pp. 55-64. Springer-Verlag (1993)Google Scholar
  27. 27.
    Nyberg, K., Knudsen, L.R.: Provable security against a differential attack. J. Cryptol. 8(1), 27–38 (1995)zbMATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Park, S., Sung, S.H., Chee, S., E-J. Yoon, Lim, J.: On the security of Rijndael-like structures against differential and linear cryptanalysis. In: Zheng, Y. (ed.) Advances in Cryptology, Proceedings of Asiacrypt ’02, LNCS 2501, pp. 176–191. Springer-Verlag (2002)Google Scholar
  29. 29.
    Park, S., Sung, S.H., Lee, S., Lim, J.: Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES. In: Johansson, T. (ed.) Fast Software Encryption ’03, LNCS 2887, pp. 247–260. Springer-Verlag (2003)Google Scholar
  30. 30.
    Rijmen, V.: Cryptanalysis and design of iterated block ciphers. Doctoral Dissertation, October 1997, K.U. LeuvenGoogle Scholar
  31. 31.
    Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., De Win E.: The cipher SHARK. In: Gollmann, D. (ed.) Fast Software Encryption ’96, LNCS 1039, pp. 99–111. Springer-Verlag (1996)Google Scholar
  32. 32.
    Vaudenay, S.: On the need for multipermutations: cryptanalysis of MD4 and SAFER. In: Preneel, B. (ed.) Fast Software Encryption ’94, LNCS 1008, pp. 286–297. Springer-Verlag (1995)Google Scholar
  33. 33.
    Zheng, Y., Zhang, X.M.: Plateaued functions. Advances in Cryptology, ICICS ’99, LNCS 1726, pp. 284–300. Springer-Verlag (1999)Google Scholar

Copyright information

© Springer Science + Business Media, LLC 2008

Authors and Affiliations

  1. 1.STMicroelectronicsZaventemBelgium
  2. 2.IAIKGraz University of TechnologyGrazAustria
  3. 3.ESAT/COSICK.U.LeuvenBelgium

Personalised recommendations