Proving the Security of AES Substitution-Permutation Network

  • Thomas Baignères
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3897)

Abstract

In this paper we study the substitution-permutation network (SPN) on which AES is based. We introduce AES*, an SPN identical to AES except that the fixed S-boxes are replaced by random and independent permutations. We prove that this construction resists linear and differential cryptanalysis with only 4 inner rounds, despite the huge cumulative effect of multipath characteristics induced by the symmetries of AES. We show that the DP and LP terms both tend towards 1/(2^128 − 1) very fast as the number of rounds increases. This proves a conjecture by Keliher, Meijer, and Tavares. We further show that AES* is immune to any iterated attack of order 1 after only 10 rounds, which substantially improves a previous result by Moriai and Vaudenay.
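The abstract refers to the differential probability (DP) and linear probability (LP) of the cipher and to the value 1/(2^128 − 1) that both tend towards, which is the expectation of DP and LP for a uniformly random permutation of the block. The following is an added example, not code from the paper: it computes exact DP and LP for a constructed 3-bit S-box (the "fixed S-box" case) and then averages DP and LP over every permutation of 3 bits, recovering the random-permutation baseline 1/(2^3 − 1) = 1/7 at toy scale. The S-box `TOY_SBOX` and the helper names are constructed here and are not AES components.

```python
# Added example (not from the paper): exact DP / LP of a toy S-box and the
# "true random cipher" baseline 1/(2^n - 1), computed by averaging over
# every permutation of n = 3 bits. All inputs here are constructed.
from fractions import Fraction
from itertools import permutations

# Constructed 3-bit S-box (a differentially 2-uniform permutation), used as
# the "fixed S-box" case. Not an AES component.
TOY_SBOX = [7, 6, 0, 4, 2, 5, 1, 3]


def parity(v: int) -> int:
    """Parity of the bits of v: the GF(2) dot product a.x is parity(a & x)."""
    return bin(v).count("1") & 1


def dp(sbox, a: int, b: int) -> Fraction:
    """Differential probability DP(a -> b) = Pr_x[ S(x) ^ S(x ^ a) == b ]."""
    size = len(sbox)
    hits = sum(1 for x in range(size) if sbox[x] ^ sbox[x ^ a] == b)
    return Fraction(hits, size)


def lp(sbox, a: int, b: int) -> Fraction:
    """Linear probability LP(a -> b) = (2 Pr_x[ a.x == b.S(x) ] - 1)^2."""
    size = len(sbox)
    agree = sum(1 for x in range(size) if parity(a & x) == parity(b & sbox[x]))
    return Fraction(2 * agree - size, size) ** 2


def max_dp(sbox) -> Fraction:
    """Largest DP over nonzero input differences (the differential-uniformity
    figure a cipher designer wants small)."""
    size = len(sbox)
    return max(dp(sbox, a, b) for a in range(1, size) for b in range(size))


def max_lp(sbox) -> Fraction:
    """Largest LP over nonzero input and output masks."""
    size = len(sbox)
    return max(lp(sbox, a, b) for a in range(1, size) for b in range(1, size))


def random_permutation_baseline(n: int) -> Fraction:
    """Expected DP and LP of a uniformly random n-bit permutation for nonzero
    masks: 1/(2^n - 1). With n = 128 this is the 1/(2^128 - 1) limit that the
    abstract states for AES*."""
    return Fraction(1, (1 << n) - 1)


def average_over_all_permutations(n: int, a: int, b: int):
    """Exact average of DP(a -> b) and LP(a -> b) over all (2^n)! permutations
    of n bits. Only feasible for tiny n; n = 3 means 40320 permutations."""
    size = 1 << n
    dp_hits = 0          # sum over permutations of #{x : S(x)^S(x^a) == b}
    lp_sq = 0            # sum over permutations of (2*agree - size)^2
    count = 0
    for perm in permutations(range(size)):
        dp_hits += sum(1 for x in range(size) if perm[x] ^ perm[x ^ a] == b)
        agree = sum(1 for x in range(size)
                    if parity(a & x) == parity(b & perm[x]))
        lp_sq += (2 * agree - size) ** 2
        count += 1
    return Fraction(dp_hits, count * size), Fraction(lp_sq, count * size * size)


if __name__ == "__main__":
    print("fixed toy S-box  : max DP =", max_dp(TOY_SBOX),
          " max LP =", max_lp(TOY_SBOX))
    avg_dp, avg_lp = average_over_all_permutations(3, 1, 4)
    print("random 3-bit perm: E[DP] =", avg_dp, " E[LP] =", avg_lp,
          " baseline 1/(2^3-1) =", random_permutation_baseline(3))
```

The fixed toy S-box has max DP = max LP = 1/4, well above the 1/7 a random 3-bit permutation achieves on average; the paper's result is the 128-bit, multi-round analogue of that gap closing, with the averages for AES* approaching 1/(2^128 − 1) as rounds are added. The exact averaging in `average_over_all_permutations` is only a sanity check at toy size; for real block widths one relies on the closed form `random_permutation_baseline` instead.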

Keywords

Differential Cryptanalysis, Linear Cryptanalysis, Differentials, Linear Hulls, Provable Security, AES

References

  1. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)
  2. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4, 3–72 (1991)
  3. Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round DES. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 487–496. Springer, Heidelberg (1993)
  4. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)
  5. Chen, Z.G., Tavares, S.E.: Towards provable security of substitution-permutation encryption networks. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 43–56. Springer, Heidelberg (1999)
  6. Daemen, J., Rijmen, V.: AES proposal: Rijndael. NIST AES Proposal (1998)
  7. Daemen, J., Rijmen, V.: The Design of Rijndael. In: Information Security and Cryptography. Springer, Heidelberg (2002)
  8. Feistel, H.: Cryptography and computer privacy. Scientific American 228, 15–23 (1973)
  9. Gilbert, H., Minier, M.: New results on the pseudorandomness of some blockcipher constructions. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 248–266. Springer, Heidelberg (2002)
  10. GMP. GNU Multiple Precision arithmetic library, http://www.swox.com/gmp
  11. Grimmett, G., Stirzaker, D.: Probability and Random Processes, 3rd edn. Oxford University Press, Oxford (2001)
  12. Häggström, O.: Finite Markov Chains and Algorithmic Applications. London Mathematical Society Student Texts. Cambridge University Press, Cambridge (2002)
  13. Heys, H.M., Tavares, S.E.: Substitution-permutation networks resistant to differential and linear cryptanalysis. Journal of Cryptology 9(1), 1–19 (1996)
  14. Hong, S., Lee, S., Lim, J., Sung, J., Cheon, D., Cho, I.: Provable security against differential and linear cryptanalysis for the SPN structure. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 273–283. Springer, Heidelberg (2001)
  15. Hornauer, G., Stephan, W., Wernsdorf, R.: Markov ciphers and alternating groups. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 453–460. Springer, Heidelberg (1994)
  16. Huffman, W.C., Pless, V.S.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2003)
  17. Keliher, L.: Refined analysis of bounds related to linear and differential cryptanalysis for the AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 42–57. Springer, Heidelberg (2005)
  18. Keliher, L., Meijer, H., Tavares, S.E.: Improving the upper bound on the maximum average linear hull probability for Rijndael. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 112–128. Springer, Heidelberg (2001)
  19. Keliher, L., Meijer, H., Tavares, S.E.: New method for upper bounding the maximum average linear hull probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
  20. Keliher, L., Meijer, H., Tavares, S.E.: Toward the true random cipher: On expected linear probability values for SPNs with randomly selected S-boxes. In: Bhargava, V., Poor, H.V., Tarokh, V., Yoon, S. (eds.) Communication, Information and Network Security, pp. 123–146. Kluwer Academic Publishers, Dordrecht (2003)
  21. Lai, X., Massey, J., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991)
  22. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17(2), 373–386 (1988)
  23. Maplesoft. Maple 9, http://www.maplesoft.com/
  24. Matsui, M.: The first experimental cryptanalysis of the Data Encryption Standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994)
  25. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
  26. Matsui, M.: New structure of block ciphers with provable security against differential and linear cryptanalysis. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 205–218. Springer, Heidelberg (1996)
  27. Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudorandom permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003)
  28. Moriai, S., Vaudenay, S.: On the pseudorandomness of top-level schemes of block ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000)
  29. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1999)
  30. Nyberg, K.: Perfect nonlinear S-boxes. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 378–386. Springer, Heidelberg (1991)
  31. Nyberg, K.: Linear approximation of block ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)
  32. O'Connor, L.: Properties of linear approximation tables. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 131–136. Springer, Heidelberg (1995)
  33. Park, S., Sung, S.H., Chee, S., Yoon, E.-J., Lim, J.: On the security of Rijndael-like structures against differential and linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 176–191. Springer, Heidelberg (2002)
  34. Park, S., Sung, S.H., Lee, S., Lim, J.: Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003)
  35. Patarin, J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)
  36. Vaudenay, S.: On the need for multipermutations: Cryptanalysis of MD4 and SAFER. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 286–297. Springer, Heidelberg (1995)
  37. Vaudenay, S.: On the security of CS-cipher. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 260–274. Springer, Heidelberg (1999)
  38. Vaudenay, S.: On the Lai-Massey scheme. In: Kwok Yan, L., Eiji, O., Chaoping, X. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 8–19. Springer, Heidelberg (1999)
  39. Vaudenay, S.: Decorrelation: a theory for block cipher security. Journal of Cryptology 16(4), 249–286 (2003)
  40. von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 2nd edn. Cambridge University Press, Cambridge (2003); first published 1999
  41. Wagner, D.: Towards a unifying view of block cipher cryptanalysis. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 16–33. Springer, Heidelberg (2004)
  42. Wernsdorf, R.: The round functions of Rijndael generate the alternating group. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 143–148. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Thomas Baignères, EPFL, Switzerland
  • Serge Vaudenay, EPFL, Switzerland