Differential Attacks Against SPN: A Thorough Analysis

  • Anne Canteaut
  • Joëlle Roué
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9084)


This work aims at determining when the two-round maximum expected differential probability in an SPN with an MDS diffusion layer is achieved by a differential having the fewest possible active Sboxes. This question arises from the fact that minimum-weight differentials include the best differentials for the AES and several variants. However, we exhibit some SPN for which the two-round MEDP is achieved by some differentials involving a number of active Sboxes which exceeds the branch number of the linear layer. On the other hand, we also prove that, for some particular families of Sboxes, the two-round MEDP is always achieved for minimum-weight differentials.


Differential cryptanalysis Linear layer MDS codes AES 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Augot, D., Finiasz, M.: Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 3–17. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  2. 2.
    Bending, T.D., Fon-Der-Flaass, D.: Crooked Functions, Bent Functions, and Distance Regular Graphs. Electr. J. Comb. 5 (1998)Google Scholar
  3. 3.
    Berger, T.P.: Construction of recursive MDS diffusion layers from Gabidulin codes. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 274–285. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 3–72 (1991)Google Scholar
  5. 5.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Brinkmann, M., Leander, G.: On the classification of APN functions up to dimension five. Designs, Codes and Cryptography 49(1-3), 273–288 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Canteaut, A., Charpin, P.: Decomposing bent functions. IEEE Transactions on Information Theory 49(8), 2004–2019 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Canteaut, A., Roué, J.: On the behaviors of affine equivalent sboxes regarding differential and linear attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 45–74. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  9. 9.
    Chun, K., Kim, S., Lee, S., Sung, S.H., Yoon, S.: Differential and linear cryptanalysis for 2-round SPNs. Inf. Process. Lett. 87(5), 277–282 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  10. 10.
    Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, K.U. Leuven (1995)Google Scholar
  11. 11.
    Daemen, J., Rijmen, V.: The Wide Trail Design Strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer (2002)Google Scholar
  13. 13.
    Daemen, J., Rijmen, V.: Understanding Two-Round Differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78–94. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: Correlation Analysis in GF(2n). In: Advanced Linear Cryptanalysis of Block and Stream Ciphers. Cryptology and information security, pp. 115–131. IOS Press (2011)Google Scholar
  15. 15.
    Hong, S.H., Lee, S.-J., Lim, J.-I., Sung, J., Cheon, D.H., Cho, I.: Provable Security against Differential and Linear Cryptanalysis for the SPN Structure. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 273–283. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalçın, T.: Prøst v1.1. Submission to the CAESAR competition (2014),
  17. 17.
    Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard. IET Information Security 1(2), 53–57 (2007)CrossRefGoogle Scholar
  18. 18.
    Kyureghyan, G.M.: Crooked maps in \({F}_{2^n}\). Finite Fields and Their Applications 13(3), 713–726 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  20. 20.
    MacWilliams, F., Sloane, N.: The Theory of Error-Correcting Codes, vol. 16. North-Holland (1977)Google Scholar
  21. 21.
    Park, S., Sung, S.H., Lee, S.-J., Lim, J.-I.: Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Sajadieh, M., Dakhilalian, M., Mala, H., Sepehrdad, P.: Efficient recursive diffusion layers for block ciphers and hash functions. J. Cryptology 28(2), 240–256 (2015)CrossRefMathSciNetGoogle Scholar
  23. 23.
    Shibutani, K., Bogdanov, A.: Towards the optimality of Feistel ciphers with substitution-permutation functions. Des. Codes Cryptography 73(2), 667–682 (2014), CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Inria, project-team SECRET, RocquencourtParisFrance

Personalised recommendations