Communications, Information and Network Security pp 123-146

# Toward the True Random Cipher: On Expected Linear Probability Values for SPNs with Randomly Selected S-Boxes

## Abstract

A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0, 1}^N to {0, 1}^N (*N* is called the *block size*), parameterized by a key. In the *true random cipher*, each key results in a distinct mapping, and every mapping is realized by some key—this is generally taken to be the ideal cipher model. This chapter considers a fundamental block cipher architecture called a *substitution-permutation network* (SPN). Specifically, *expected linear probability* (ELP) values for SPNs, which are the basis for a powerful attack called *linear cryptanalysis*, are investigated. It is shown that if the substitution components (*s-boxes*) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.
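An added illustration, not part of the chapter, of the baseline the abstract's convergence claim refers to, shown at the level of a single s-box rather than a full SPN. For a uniformly random n-bit bijection, the expected linear probability LP(a, b) of any entry with nonzero input and output masks is 1/(2^n - 1); the script computes LP(a, b) for a given s-box and estimates its expectation over randomly selected bijective s-boxes (the masks, seed and trial count are arbitrary choices made here).

```python
import random
from typing import List


def parity(v: int) -> int:
    """XOR of all bits of v; parity(a & x) is the dot product a.x over GF(2)."""
    return bin(v).count("1") & 1


def linear_probability(sbox: List[int], a: int, b: int) -> float:
    """LP(a, b) = (2 * Pr[a.x = b.S(x)] - 1)^2, taken over all inputs x of the s-box."""
    size = len(sbox)
    matches = sum(1 for x in range(size) if parity(a & x) == parity(b & sbox[x]))
    bias = 2 * matches / size - 1
    return bias * bias


def random_bijective_sbox(n: int, rng: random.Random) -> List[int]:
    """Uniformly random permutation of {0,1}^n, i.e. a randomly selected bijective s-box."""
    sbox = list(range(1 << n))
    rng.shuffle(sbox)
    return sbox


def expected_lp(n: int, a: int, b: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of E[LP(a, b)] over randomly selected n-bit bijective s-boxes."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    total = 0.0
    for _ in range(trials):
        total += linear_probability(random_bijective_sbox(n, rng), a, b)
    return total / trials


def true_random_lp(n: int) -> float:
    """Expected LP of any entry with nonzero masks for a uniformly random n-bit bijection."""
    return 1.0 / ((1 << n) - 1)


if __name__ == "__main__":
    n = 4
    est = expected_lp(n, a=0b1011, b=0b0110, trials=5000)  # masks chosen arbitrarily
    print(f"estimated E[LP] = {est:.4f}, 1/(2^n - 1) = {true_random_lp(n):.4f}")
```

For any single bijective s-box and fixed a != 0, the LP entries summed over all nonzero b equal exactly 1, so the random-bijection baseline is the uniform share 1/(2^n - 1) of that total.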

## Keywords

Linear Transformation, Block Cipher, Network Security, Advanced Encryption Standard, Bijective Mapping
