Toward the True Random Cipher: On Expected Linear Probability Values for SPNs with Randomly Selected S-Boxes

  • Liam Keliher
  • Henk Meijer
  • Stafford Tavares
Part of The Springer International Series in Engineering and Computer Science book series (SECS, volume 712)


A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0,1}^N to {0,1}^N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key—this is generally taken to be the ideal cipher model. This chapter considers a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis, are investigated. It is shown that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.


Keywords: Linear Transformation; Block Cipher; Network Security; Advance Encryption Standard; Bijective Mapping





Copyright information

© Springer Science+Business Media New York 2003

Authors and Affiliations

  • Liam Keliher (1)
  • Henk Meijer (2)
  • Stafford Tavares (3)
  1. Department of Mathematics and Computer Science, Mount Allison University, Sackville, Canada
  2. School of Computing, Queen’s University, Kingston, Canada
  3. Department of Electrical and Computer Engineering, Queen’s University, Kingston, Canada
