• Title/Summary/Keyword: linearly active S-boxes

Search Result 2, Processing Time 0.016 seconds

Practical Security Evaluation against Differential and Linear Cryptanalyses for the Lai-Massey Scheme with an SPS F-function

  • Fu, Lishi;Jin, Chenhui
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.8 no.10
    • /
    • pp.3624-3637
    • /
    • 2014
  • At SAC 2004, Junod and Vaudenay designed the FOX family based on the Lai-Massey scheme. They noted that it was impossible to find any useful differential characteristic or linear trail after 8 rounds of FOX64 or FOX128. In this paper, we provide the lower bound of differentially active S-boxes in consecutive rounds of the Lai-Massey scheme that has SPS as its F-function, and we propose the necessary conditions for the reachability of the lower bound. We demonstrate that similar results can be obtained with respect to the lower bound of linearly active S-boxes by proving the duality in the Lai-Massey scheme. Finally, we apply these results to FOX64 and FOX128 and prove that it is impossible to find any useful differential characteristics or linear trail after 6 rounds of FOX64. We provide a more precise security bound for FOX128.

Practical and Provable Security against Differential and Linear Cryptanalysis for Substitution-Permutation Networks

  • Kang, Ju-Sung;Hong, Seok-Hie;Lee, Sang-Jin;Yi, Ok-Yeon;Park, Choon-Sik;Lim, Jong-In
    • ETRI Journal
    • /
    • v.23 no.4
    • /
    • pp.158-167
    • /
    • 2001
  • We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by $p^n(resp.q^n)$ and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by $p^{n-1}(resp. q^{n-1})$, where p and q are maximum differential and linear probabilities of the substitution layer, respectively.

  • PDF