Provable Security against Differential and Linear Cryptanalysis for the SPN Structure

Seokhie Hong (*), Sangjin Lee, Jongin Lim, Jaechul Sung, Donghyeon Cheon, and Inho Cho
Center for Information and Security Technologies (CIST), Korea University, Seoul, KOREA, hsh@semi.korea.ac.kr

Abstract. In the SPN (Substitution-Permutation Network) structure, it is very important to design a diffusion layer in order to construct a block cipher secure against differential cryptanalysis and linear cryptanalysis. The purpose of this work is to prove that the SPN structure with a maximal diffusion layer provides provable security against differential cryptanalysis and linear cryptanalysis, in the sense that the probability of each differential (respectively linear hull) is bounded by $p^n$ (respectively $q^n$), where $p$ (respectively $q$) is the maximum differential (respectively linear) probability over the $n$ S-boxes used in the substitution layer. We also give provable security for the SPN structure with a semi-maximal diffusion layer against differential cryptanalysis and linear cryptanalysis.

1 Introduction and Motivation

The Feistel structure has been used widely in iterated block ciphers. In this structure, the input to each round is divided into two halves. The right half is transformed by some nonlinear function and then xored to the left half, and the two halves are swapped except in the last round. On the other hand, the SPN structure applies its round function to the whole data block. Nowadays the SPN structure is also attracting interest because it is highly parallelizable and its security against differential cryptanalysis (DC) and linear cryptanalysis (LC) is easy to analyze. The best known attacks on block ciphers are DC [1,2,3] and LC [6,7]. In DC, one uses a characteristic, which describes the behavior of the input and output differences over some number of consecutive rounds.
But it may not be necessary to fix the values of the input and output differences of the intermediate rounds of a characteristic, so the notion of a differential was introduced naturally [15]. The same observation applies to LC, and the notion of a linear hull was introduced [11]. However, it seems computationally infeasible to compute the maximum probabilities of differentials and linear hulls as the number of rounds increases.

(*) The authors wish to acknowledge the financial support of the Korea Research Foundation made in the program year of 1998.

B. Schneier (Ed.): FSE 2000, LNCS 1978, pp. 273-283, 2001. © Springer-Verlag Berlin Heidelberg 2001

In [9], K. Nyberg and L. R. Knudsen showed that the $r$-round differential probability is bounded by $2p^2$ if the maximal differential probability of the round function is $p$ and $r \geq 4$. Furthermore, the bound can be reduced to $p^2$ if the round function is bijective. These results provide provable security for the Feistel structure against DC. M. Matsui proposed a new Feistel-network block cipher, MISTY [8], whose security can be shown by the existing results for Feistel structures. The round function of MISTY is itself a Feistel network which is proven secure. From this round function built out of small S-boxes, he obtained sufficiently large and strong S-boxes with proven security.

Fig. 1. One round of a SPN structure

In the SPN structure the diffusion layer provides an avalanche effect, both in the context of differences and of linear approximations, so the notion of branch number was introduced [16]. The branch number of a diffusion layer has turned out to be very important: a cipher with a low branch number may have a fatal weakness even though its substitution layer consists of S-boxes resistant against DC and LC. In this paper we give provable security for the SPN structure with a maximal branch number by Theorem 1.
This paper proceeds as follows. In Section 2 we introduce some notation and definitions. In Section 3 provable security for the SPN structure with a maximal diffusion layer against DC is given. Provable security against LC is given in Section 4. Other results are described in Section 5.

2 Preliminaries

In this section we fix some notation and definitions. Throughout this paper we consider an SPN structure with an $mn$-bit round function. Let $S_i$ be an $m \times m$ bijective S-box, i.e., $S_i : Z_2^m \to Z_2^m$ $(1 \leq i \leq n)$.

Definition 1. For any given $\Delta x, \Delta y, \Gamma x, \Gamma y \in Z_2^m$, the differential and linear probability of each $S_i$ are defined as follows:
$$DP^{S_i}(\Delta x \to \Delta y) = \frac{\#\{x \in Z_2^m \mid S_i(x) \oplus S_i(x \oplus \Delta x) = \Delta y\}}{2^m},$$
$$LP^{S_i}(\Gamma x \to \Gamma y) = \left( \frac{\#\{x \in Z_2^m \mid \Gamma x \cdot x = \Gamma y \cdot S_i(x)\}}{2^{m-1}} - 1 \right)^2,$$
where $\Gamma x \cdot x$ denotes the parity of the bitwise AND of $\Gamma x$ and $x$, i.e., their inner product over $Z_2$.

Definition 2. The maximal differential and linear probability of $S_i$ are defined by
$$DP^{S_i}_{\max} = \max_{\Delta x \neq 0,\ \Delta y} DP^{S_i}(\Delta x \to \Delta y) \qquad \text{and} \qquad LP^{S_i}_{\max} = \max_{\Gamma x,\ \Gamma y \neq 0} LP^{S_i}(\Gamma x \to \Gamma y),$$
respectively.

In general, $S_i$ is called strong if $DP^{S_i}_{\max}$ and $LP^{S_i}_{\max}$ are small enough, and a substitution layer is called strong if $DP^{S_i}_{\max}$ and $LP^{S_i}_{\max}$ are small enough for all $1 \leq i \leq n$. Let us denote by $p$ and $q$ the maximal values of $DP^{S_i}_{\max}$ and $LP^{S_i}_{\max}$ over $1 \leq i \leq n$, respectively. That is,
$$p = \max_{1 \leq i \leq n} DP^{S_i}_{\max}, \qquad q = \max_{1 \leq i \leq n} LP^{S_i}_{\max}.$$
Even if $p$ and $q$ are small enough, this does not guarantee an SPN structure secure against DC and LC. Hence the role of the diffusion layer is very important. The purpose of the diffusion layer is to provide an avalanche effect, both in the context of differences and of linear approximations.

Definition 3. A differentially active S-box is an S-box given a non-zero input difference, and a linearly active S-box is an S-box given a non-zero output mask value [5].
The number of differentially active S-boxes affects the probabilities of differential characteristics and differentials, so the concept of active S-boxes plays an important role in giving provable security for the SPN structure. Conversely, differentially (resp. linearly) inactive S-boxes have a zero input xor (resp. output mask value); consequently they always have a zero output xor (resp. input mask value) with probability 1. Let $x = (x_1, \cdots, x_n)^t \in GF(2^m)^n$; then the Hamming weight of $x$ is denoted by $Hw(x) = \#\{i \mid x_i \neq 0\}$. Note that the "Hamming weight of $x$" does not count the number of nonzero bits but the number of non-zero $m$-bit characters. Throughout this paper we assume that the round keys, which are xored with the input data at each round, are independent and uniformly random. Under this assumption on the round keys, the key addition layer in Fig. 1 has no influence on the number of active S-boxes. Now we define an SDS function with the three layers substitution-diffusion-substitution as depicted in Fig. 2.

Fig. 2. SDS function

Denote the diffusion layer of this SDS function by $D$, the input difference by $\Delta x = x \oplus x^*$, the output difference by $\Delta y = y \oplus y^* = D(x) \oplus D(x^*)$, and finally the input and output mask values by $\Gamma x$ and $\Gamma y$, respectively. The minimum numbers of differentially and linearly active S-boxes of the SDS function are defined as follows:
$$n_d(D) = \min_{\Delta x \neq 0} \{Hw(\Delta x) + Hw(\Delta y)\} \qquad \text{and} \qquad n_l(D) = \min_{\Gamma y \neq 0} \{Hw(\Gamma x) + Hw(\Gamma y)\},$$
respectively [12]. $n_d(D)$ and $n_l(D)$ are lower bounds on the number of active S-boxes in two consecutive rounds of a differential characteristic and of a linear approximation, respectively. A diffusion layer is called maximal if $n_d(D)$ (equivalently $n_l(D)$) is $n+1$.

3 Provable Security against DC

In this section we give provable security for the SPN structure with a maximal diffusion layer against DC.
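The quantities $n_d(D)$, $n_l(D)$ and maximality defined above can be checked mechanically. The following Python script is an added example and not part of the paper: it works over $GF(2^4)$ with the polynomial $x^4 + x + 1$ (an assumption, chosen small enough that $n_d(D)$ can be found by exhaustive search), builds a diffusion matrix $B$ from the systematic generator matrix $[I \mid B]$ of a $(2n, n, n+1)$ Reed-Solomon code in the way Section 3 describes, and verifies the submatrix-rank condition of Lemma 1 and the rank-deficiency statement of Lemma 3 on $B$ and on the identity matrix. All function and variable names are the example's own.

```python
"""Branch number of a diffusion layer D(x) = Mx over GF(2^m)^n (added example, not
from the paper). GF(2^4) with x^4 + x + 1 is an assumption; it keeps the exhaustive
search for n_d(D) small. Construction of B follows the RS-code recipe of Section 3."""
from itertools import combinations, product

M_BITS = 4
POLY = 0b10011          # x^4 + x + 1, irreducible over GF(2) (assumption)
Q = 1 << M_BITS         # field size


def _gf_mul(a, b):
    r = 0
    for _ in range(M_BITS):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r


MUL = [[_gf_mul(a, b) for b in range(Q)] for a in range(Q)]
INV = [0] + [next(b for b in range(1, Q) if MUL[a][b] == 1) for a in range(1, Q)]


def hw(v):
    """Hamming weight in the paper's sense: number of non-zero m-bit characters."""
    return sum(1 for c in v if c)


def mat_vec(M, x):
    out = []
    for row in M:
        acc = 0
        for a, b in zip(row, x):
            acc ^= MUL[a][b]
        out.append(acc)
    return out


def transpose(M):
    return [list(col) for col in zip(*M)]


def rref(A):
    """Reduced row echelon form over GF(2^m), returned together with the rank."""
    A = [row[:] for row in A]
    rows, cols, r = len(A), len(A[0]), 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = INV[A[r][c]]
        A[r] = [MUL[inv][v] for v in A[r]]          # scale pivot row so the pivot is 1
        for i in range(rows):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [v ^ MUL[f][w] for v, w in zip(A[i], A[r])]
        r += 1
        if r == rows:
            break
    return A, r


def branch_number(M):
    """n_d(D) = min over x != 0 of Hw(x) + Hw(Mx) by exhaustive search over Q^n - 1
    inputs; n_l(D) is the same quantity computed for transpose(M)."""
    n = len(M)
    best = 2 * n
    for x in product(range(Q), repeat=n):
        if any(x):
            best = min(best, hw(x) + hw(mat_vec(M, x)))
    return best


def max_rank_deficiency(M):
    """Largest value of k - rank over all k x k submatrices. Lemma 1: the layer is
    maximal iff this is 0; Lemma 3: n_d(D) = n forces it to be at most 1."""
    n = len(M)
    worst = 0
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[M[i][j] for j in cols] for i in rows]
                worst = max(worst, k - rref(sub)[1])
    return worst


def is_maximal(M):
    return max_rank_deficiency(M) == 0


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = MUL[r][a]
    return r


def rs_mds_matrix(n):
    """B such that [I | B] is the systematic generator matrix of a (2n, n, n+1)
    Reed-Solomon code. Row i of the generator is (alpha_j^i) over 2n distinct
    evaluation points alpha_j, so any n columns form a nonsingular Vandermonde block
    and the code is MDS; row reduction then yields the identity in the first n columns."""
    assert 2 * n <= Q, "need 2n distinct field elements"
    G = [[gf_pow(alpha, i) for alpha in range(2 * n)] for i in range(n)]
    Ge, rank = rref(G)
    assert rank == n and all(Ge[i][:n] == [int(i == j) for j in range(n)] for i in range(n))
    return [row[n:] for row in Ge]
```

For $n = 4$ the search enumerates $16^4 - 1$ inputs in well under a second. For the 128-bit layer of the paper's example ($n = 16$, $m = 8$) exhaustive search is out of reach, and the Lemma 1 check, which needs only $\sum_k \binom{n}{k}^2$ small rank computations, is the practical test.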
Throughout this paper we assume that the diffusion layer $D$ of the SDS function can be represented by an $n \times n$ matrix $M = (m_{ij})_{n \times n}$, where $m_{ij} \in GF(2^m)$. That is,
$$M = \begin{pmatrix} m_{11} & \cdots & m_{1n} \\ \vdots & \ddots & \vdots \\ m_{n1} & \cdots & m_{nn} \end{pmatrix}.$$
J. Daemen et al. [4] showed that, for the diffusion layer $D$, the relation between the input difference (resp. output mask value) and the output difference (resp. input mask value) is given by the matrix $M$ (resp. $M^t$). That is to say, $\Delta y = M \Delta x$ (resp. $\Gamma x = M^t \Gamma y$). So we can redefine $n_d(D)$ and $n_l(D)$ as follows:
$$n_d(D) = \min_{\Delta x \neq 0} \{Hw(\Delta x) + Hw(M \Delta x)\}, \qquad n_l(D) = \min_{\Gamma y \neq 0} \{Hw(\Gamma y) + Hw(M^t \Gamma y)\}.$$
Hence we only need to investigate the matrix $M$ to analyze the role of the diffusion layer $D$. Let us call $M'$ an $s \times k$ submatrix of $M$ if $M'$ is of the following form, for row indices $i_1, \cdots, i_s$ and column indices $j_1, \cdots, j_k$:
$$M' = \begin{pmatrix} m_{i_1 j_1} & m_{i_1 j_2} & \cdots & m_{i_1 j_k} \\ m_{i_2 j_1} & m_{i_2 j_2} & \cdots & m_{i_2 j_k} \\ \vdots & \vdots & \ddots & \vdots \\ m_{i_s j_1} & m_{i_s j_2} & \cdots & m_{i_s j_k} \end{pmatrix}.$$
Then we say that $M$ contains $M'$ as an $s \times k$ submatrix. The following lemma gives a necessary and sufficient condition for a diffusion layer to be maximal.

Lemma 1. Let $M$ be the $n \times n$ matrix representing a diffusion layer $D$. Then $n_d(D) = n+1$ if and only if the rank of each $k \times k$ submatrix of $M$ is $k$ for all $1 \leq k \leq n$.

Proof. Assume that $n_d = n+1$ and that there exists a $k \times k$ submatrix $M_k$ of $M$ whose rank is less than $k$ for some $1 \leq k \leq n$. Without loss of generality we may assume that
$$M_k = \begin{pmatrix} m_{11} & \cdots & m_{1k} \\ \vdots & \ddots & \vdots \\ m_{k1} & \cdots & m_{kk} \end{pmatrix}.$$
By assumption there exists $(x_1, \cdots, x_k) \neq (0, \cdots, 0)$ such that
$$\begin{pmatrix} m_{11} & \cdots & m_{1k} \\ \vdots & \ddots & \vdots \\ m_{k1} & \cdots & m_{kk} \end{pmatrix} \begin{pmatrix} x_1 \\ \vdots \\ x_k \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \end{pmatrix}. \tag{1}$$
Let $x = (x_1, \cdots, x_k, 0, \cdots, 0)^t$. By equation (1),
$$Mx = \begin{pmatrix} m_{11} & \cdots & m_{1k} & m_{1,k+1} & \cdots & m_{1n} \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ m_{k1} & \cdots & m_{kk} & m_{k,k+1} & \cdots & m_{kn} \\ m_{k+1,1} & \cdots & m_{k+1,k} & m_{k+1,k+1} & \cdots & m_{k+1,n} \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ m_{n1} & \cdots & m_{nk} & m_{n,k+1} & \cdots & m_{nn} \end{pmatrix} \begin{pmatrix} x_1 \\ \vdots \\ x_k \\ 0 \\ \vdots \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \\ \delta_{k+1} \\ \vdots \\ \delta_n \end{pmatrix}. \tag{2}$$
By the definition of $n_d(D)$, $n_d(D) \leq Hw(x) + Hw(Mx) \leq k + (n - k) = n$. This contradicts $n_d = n+1$, which proves the "only if" part.

Conversely, assume that the rank of each $k \times k$ submatrix of $M$ is $k$ for all $1 \leq k \leq n$ and that $n_d < n+1$. Since $n_d < n+1$, there exists $x = (x_1, \cdots, x_n)^t \in GF(2^m)^n$, $x \neq 0$, such that $Hw(x) + Hw(Mx) \leq n$. Without loss of generality we may assume that $x_1, \cdots, x_s$ are all nonzero and $x_j = 0$ for all $j > s$. Let $y = Mx$; then $Hw(y) \leq n - s$. In other words, the number of zero components of $y$ is at least $s$, so we may assume $y_{i_1} = \cdots = y_{i_s} = 0$. One easily checks equation (3):
$$\begin{pmatrix} m_{i_1 1} & \cdots & m_{i_1 s} \\ \vdots & \ddots & \vdots \\ m_{i_s 1} & \cdots & m_{i_s s} \end{pmatrix} \begin{pmatrix} x_1 \\ \vdots \\ x_s \end{pmatrix} = \begin{pmatrix} y_{i_1} \\ \vdots \\ y_{i_s} \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \end{pmatrix}. \tag{3}$$
Hence we get an $s \times s$ submatrix of $M$ with rank less than $s$, contradicting the fact that the rank of each $k \times k$ submatrix of $M$ is $k$ for all $1 \leq k \leq n$. $\square$

In [12] it was shown how a maximal diffusion layer over $GF(2^m)^n$ can be constructed from a maximum distance separable code. If $G_e = [I_{n \times n} \mid B_{n \times n}]$ is the echelon form of the generator matrix of a $(2n, n, n+1)$ RS code, then
$$D : GF(2^m)^n \to GF(2^m)^n, \qquad x \mapsto Bx$$
is a maximal diffusion layer by Lemma 1.

Fig. 3. Differential of SDS function

Consider the differential with input difference $\Delta\alpha = (\Delta\alpha_1, \cdots, \Delta\alpha_n)$ and output difference $\Delta\beta = (\Delta\beta_1, \cdots, \Delta\beta_n)$ as depicted in Fig. 3, where $\Delta\delta$ denotes the output difference of the first substitution layer and $\Delta\gamma = M \Delta\delta$ the input difference of the second. Then the probability of this differential is
$$DP(\Delta\alpha \to \Delta\beta) = \sum_{\Delta\delta_1, \cdots, \Delta\delta_n} \prod_{i=1}^{n} DP^{S_i}(\Delta\alpha_i \to \Delta\delta_i) \prod_{i=1}^{n} DP^{S_i}(\Delta\gamma_i \to \Delta\beta_i \mid \Delta\alpha). \tag{4}$$

Lemma 2. Let $M$ be the $n \times n$ matrix representing a diffusion layer $D$ and $n_d(D) = n+1$.
In Fig. 3, if $Hw(\Delta\alpha) = k$ and $Hw(\Delta\beta) = n - s + 1$ ($s \leq k$), then there is an index set $\{i_1, \cdots, i_{s-1}\}$ such that $\Delta\alpha_{i_1} \neq 0, \cdots, \Delta\alpha_{i_{s-1}} \neq 0$ and $\{\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_{s-1}}\}$ are determined by the other $\Delta\delta_i$'s.

Note. Since $n_d(D) = n+1$, $s$ must be less than or equal to $k$. The index set $\{i_1, \cdots, i_{s-1}\}$ depends on the positions of the nonzero components of $\Delta\alpha$ and $\Delta\beta$.

Proof. Without loss of generality we may assume $\Delta\beta_1 = 0, \cdots, \Delta\beta_{s-1} = 0$ (or equivalently $\Delta\gamma_1 = 0, \cdots, \Delta\gamma_{s-1} = 0$). Let $\Delta\delta' = (\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_k})^t$ be the collection of all non-zero components of $\Delta\delta = (\Delta\delta_1, \cdots, \Delta\delta_n)^t$. That is, $\Delta\delta_{i_j} \neq 0$ for all $1 \leq j \leq k$ and $\Delta\delta_t = 0$ if $t \notin \{i_1, \cdots, i_k\}$. Let
$$M' = \begin{pmatrix} m_{1 i_1} & \cdots & m_{1 i_{s-1}} & m_{1 i_s} & \cdots & m_{1 i_k} \\ \vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\ m_{s-1, i_1} & \cdots & m_{s-1, i_{s-1}} & m_{s-1, i_s} & \cdots & m_{s-1, i_k} \end{pmatrix}.$$
By the definitions of $M'$ and $\Delta\delta'$ and the assumption on $\Delta\beta$, $M' \Delta\delta' = 0$. Let us divide $\Delta\delta'$ into two parts, $\Delta\delta_I$ and $\Delta\delta_{II}$, and $M'$ into $M_I$ and $M_{II}$, as follows:
$$\Delta\delta_I = (\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_{s-1}})^t, \qquad \Delta\delta_{II} = (\Delta\delta_{i_s}, \cdots, \Delta\delta_{i_k})^t,$$
$$M_I = \begin{pmatrix} m_{1 i_1} & \cdots & m_{1 i_{s-1}} \\ \vdots & \ddots & \vdots \\ m_{s-1, i_1} & \cdots & m_{s-1, i_{s-1}} \end{pmatrix}, \qquad M_{II} = \begin{pmatrix} m_{1 i_s} & \cdots & m_{1 i_k} \\ \vdots & \ddots & \vdots \\ m_{s-1, i_s} & \cdots & m_{s-1, i_k} \end{pmatrix}.$$
From $M' \Delta\delta' = 0$ we get the equation
$$M_I \Delta\delta_I + M_{II} \Delta\delta_{II} = 0 \quad (\text{or equivalently } M_I \Delta\delta_I = M_{II} \Delta\delta_{II}).$$
Since $M_I$ is an invertible matrix by Lemma 1, we have
$$\Delta\delta_I = M_I^{-1} M_{II} \Delta\delta_{II}.$$
Hence $\{\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_{s-1}}\}$ are determined by $\{\Delta\delta_{i_s}, \cdots, \Delta\delta_{i_k}\}$. $\square$

Lemma 2 means that the summation in (4) is not taken over all of $\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_k}$ but only over $\Delta\delta_{j_1}, \cdots, \Delta\delta_{j_{k-s+1}}$ for some index set $\{j_1, \cdots, j_{k-s+1}\} \subset \{i_1, \cdots, i_k\}$. Now we are ready to prove our main theorem.

Theorem 1. Assume that the round keys, which are xored to the input data at each round, are independent and uniformly random. If $n_d = n+1$, the probability of each differential of the SDS function is bounded by $p^n$.

Proof. Consider the differential as depicted in Fig. 3. Let $Hw(\Delta\alpha) = k$ and $Hw(\Delta\beta) = n - s + 1$ ($s \leq k$). Without loss of generality we may assume
$$\Delta\alpha_1 \neq 0, \cdots, \Delta\alpha_k \neq 0 \tag{5}$$
(equivalently, $\Delta\delta_1 \neq 0, \cdots, \Delta\delta_k \neq 0$, since the S-boxes are bijective) and
$$\Delta\beta_{j_1} \neq 0, \cdots, \Delta\beta_{j_{n-s+1}} \neq 0 \tag{6}$$
(equivalently, $\Delta\gamma_{j_1} \neq 0, \cdots, \Delta\gamma_{j_{n-s+1}} \neq 0$). Then
$$\begin{aligned}
DP(\Delta\alpha \to \Delta\beta) &= \sum_{\Delta\delta_1, \cdots, \Delta\delta_n} \prod_{i=1}^{n} DP^{S_i}(\Delta\alpha_i \to \Delta\delta_i) \prod_{i=1}^{n} DP^{S_i}(\Delta\gamma_i \to \Delta\beta_i \mid \Delta\alpha) \\
&= \sum_{\Delta\delta_1, \cdots, \Delta\delta_n} \prod_{i=1}^{n} DP^{S_i}(\Delta\alpha_i \to \Delta\delta_i) \prod_{i=1}^{n} DP^{S_i}(\Delta\gamma_i \to \Delta\beta_i) & (7) \\
&= \sum_{\Delta\delta_1, \cdots, \Delta\delta_k} \prod_{i=1}^{k} DP^{S_i}(\Delta\alpha_i \to \Delta\delta_i) \prod_{i=1}^{n-s+1} DP^{S_{j_i}}(\Delta\gamma_{j_i} \to \Delta\beta_{j_i}) & (8) \\
&= \sum_{\Delta\delta_{i_1} \neq 0, \cdots, \Delta\delta_{i_{k-s+1}} \neq 0} \prod_{i=1}^{k} DP^{S_i}(\Delta\alpha_i \to \Delta\delta_i) \prod_{i=1}^{n-s+1} DP^{S_{j_i}}(\Delta\gamma_{j_i} \to \Delta\beta_{j_i}) & (9) \\
&\leq \sum_{\Delta\delta_{i_1} \neq 0, \cdots, \Delta\delta_{i_{k-s+1}} \neq 0} \prod_{t=1}^{k-s+1} DP^{S_{i_t}}(\Delta\alpha_{i_t} \to \Delta\delta_{i_t}) \; p^{s-1} \, p^{n-s+1} & (10) \\
&= p^n \sum_{\Delta\delta_{i_1} \neq 0, \cdots, \Delta\delta_{i_{k-s+1}} \neq 0} \prod_{t=1}^{k-s+1} DP^{S_{i_t}}(\Delta\alpha_{i_t} \to \Delta\delta_{i_t}) \\
&\leq p^n.
\end{aligned}$$
Equation (7) follows from the assumption on the round keys; equation (8) follows from assumptions (5) and (6); equation (9) follows from Lemma 2, with $\{i_1, \cdots, i_{k-s+1}\}$ the indices of the $\Delta\delta$'s that remain free; and inequality (10) follows from the definition of $p$, applied to the $s-1$ determined S-boxes of the first layer and the $n-s+1$ active S-boxes of the second layer. The last step holds because the remaining sum of products of differential probabilities is at most 1. $\square$

This theorem gives provable security for the SPN structure. For example, consider a 128-bit SPN structure with 16 substitution boxes $S_1, \cdots, S_{16}$ and a maximal diffusion layer. If we let
$$S_i : GF(2^8) \to GF(2^8), \qquad x \mapsto x^{-1} \qquad (1 \leq i \leq n),$$
we can take $p = 2^{-6}$, so that the maximum differential probability of this SDS function is bounded by $p^{16} = (2^{-6})^{16} = 2^{-96}$. Hence one gets an SPN structure with proven resistance of order $2^{-96}$ against DC.

4 Provable Security against LC

In this section we give provable security for the SPN structure with a maximal diffusion layer against LC. Since the rank of any matrix $M$ equals that of $M^t$, applying Lemmas 1 and 2 gives the following result: if $n_d(D)$ is equal to $n+1$, then $n_l(D)$ is also $n+1$, and vice versa. Therefore we have the following theorem.

Theorem 2. If $n_l(D) = n+1$ (or equivalently $n_d(D) = n+1$), the probability of each linear hull of the SDS function is bounded by $q^n$.
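To see Definitions 1 and 2 and Theorems 1 and 2 at work, the following Python script is an added example, not code from the paper. It first computes $DP_{\max}$ and $LP_{\max}$ of the inversion S-box $x \mapsto x^{-1}$ over $GF(2^8)$ (the $p = q = 2^{-6}$ of the 128-bit example above, using the polynomial $x^8 + x^4 + x^3 + x + 1$, an assumption) and the resulting bounds $p^{16}$ and $q^{16}$. It then evaluates formula (4) exactly for a toy SDS function with $n = 2$ three-bit inversion S-boxes over $GF(2^3)$ (polynomial $x^3 + x + 1$; these parameters are assumptions chosen so that every differential and every linear hull can be enumerated), once with a maximal $2 \times 2$ diffusion matrix and once with a semi-maximal one, which anticipates Section 5. Round keys are assumed independent and uniform, so the differential probability is the sum over the intermediate difference of the products of the S-box probabilities, and the linear hull probability is the analogous sum with $M^t$. All names in the script are the example's own.

```python
"""Added example (not from the paper): S-box DP/LP (Definitions 1, 2) and the exact
differential / linear hull probabilities of a toy SDS function (Theorems 1, 2, 3).
Field polynomials x^8+x^4+x^3+x+1 and x^3+x+1 and the two 2x2 matrices are assumptions."""
from itertools import product

def gf_mul(a, b, m, poly):
    """Multiplication in GF(2^m) modulo an irreducible polynomial of degree m."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= poly
    return r

def inversion_sbox(m, poly):
    """x -> x^-1 (with 0 -> 0), computed as x^(2^m - 2)."""
    def inv(x):
        r, e = 1, (1 << m) - 2
        while e:
            if e & 1:
                r = gf_mul(r, x, m, poly)
            x = gf_mul(x, x, m, poly)
            e >>= 1
        return r
    return [inv(x) for x in range(1 << m)]

def dp_table(sbox):
    """DP[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy} / 2^m (Definition 1)."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return [[c / n for c in row] for row in t]

def lp_table(sbox):
    """LP[gx][gy] = (#{x : gx.x = gy.S(x)} / 2^(m-1) - 1)^2 (Definition 1). With
    W = sum_x (-1)^(gx.x + gy.S(x)) the count equals (W + 2^m) / 2, so LP = (W / 2^m)^2,
    and a Walsh-Hadamard transform of (-1)^(gy.S(x)) gives W for every gx at once."""
    n = len(sbox)
    t = [[0.0] * n for _ in range(n)]
    for gy in range(n):
        w = [1 - 2 * (bin(gy & sbox[x]).count("1") & 1) for x in range(n)]
        h = 1
        while h < n:
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        for gx in range(n):
            t[gx][gy] = (w[gx] / n) ** 2
    return t

def dp_max(sbox):
    """Definition 2: maximum over dx != 0 (row 0 is the trivial dx = 0)."""
    return max(max(row) for row in dp_table(sbox)[1:])

def lp_max(sbox):
    """Definition 2: maximum over gy != 0 (column 0 is the trivial gy = 0)."""
    return max(v for row in lp_table(sbox) for v in row[1:])

def paper_example(n=16):
    """(p, q, p^n, q^n) for n copies of the GF(2^8) inversion S-box: p = q = 2^-6."""
    s = inversion_sbox(8, 0b100011011)
    p, q = dp_max(s), lp_max(s)
    return p, q, p ** n, q ** n

# Toy SDS function: n = 2, m = 3, S_1 = S_2 = inversion over GF(2^3), D(x) = M x.
S3 = inversion_sbox(3, 0b1011)
M_MAX = [[1, 1], [1, 2]]    # all entries and det = 1*2 + 1*1 = 3 nonzero: n_d = n_l = 3 = n + 1
M_SEMI = [[1, 1], [0, 1]]   # (1,0) -> (1,0), so n_d = n_l = 2 = n: semi-maximal

def max_hull_probability(table, M, linear=False):
    """Largest probability over all differentials (table = dp_table) or linear hulls
    (table = lp_table) of the SDS function, by formula (4) under independent uniform
    round keys. For masks the diffusion layer acts as M^t (Section 4): the enumeration
    runs over the mask at its output, whose image under M^t is the first layer's output mask."""
    Mt = [list(c) for c in zip(*M)] if linear else M
    cells = list(product(range(8), repeat=2))
    image = {d: tuple(gf_mul(Mt[i][0], d[0], 3, 0b1011) ^ gf_mul(Mt[i][1], d[1], 3, 0b1011)
                      for i in range(2)) for d in cells}
    best = 0.0
    for a in cells:                      # input difference / mask, nonzero
        if a == (0, 0):
            continue
        for b in cells:                  # output difference / mask
            total = 0.0
            for d in cells:              # intermediate difference / mask
                first, second = (image[d], d) if linear else (d, image[d])
                total += (table[a[0]][first[0]] * table[a[1]][first[1]]
                          * table[second[0]][b[0]] * table[second[1]][b[1]])
            best = max(best, total)
    return best
```

The inversion S-box over $GF(2^3)$ is differentially 2-uniform and has Walsh values in $\{0, \pm 4\}$, so $p = q = 2^{-2}$ for the toy function; the maximal matrix then gives every differential and linear hull probability at most $p^2 = q^2 = 2^{-4}$, while the semi-maximal matrix is only guaranteed $p^{n-1} = 2^{-2}$.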
5 Provable Security against DC and LC with a Semi-maximal Diffusion Layer

In this section we show that the probability of each differential is bounded by $p^{n-1}$ when $n_d(D)$ is equal to $n$. A diffusion layer is called semi-maximal with respect to DC (resp. LC) when $n_d(D)$ (resp. $n_l(D)$) equals $n$. In general $n_d(D)$ is not equal to $n_l(D)$, but there are sufficient conditions under which $n_l(D)$ equals $n_d(D)$ [14]. A diffusion layer is called semi-maximal if $n_d(D)$ and $n_l(D)$ are both equal to $n$.

Lemma 3. If $n_d(D) = n$, the rank of each $k \times k$ submatrix of $M$ is greater than or equal to $k-1$ for all $1 \leq k \leq n$, and there exists at least one $s \times s$ submatrix with rank $s-1$ for some $1 \leq s \leq n$.

Proof. Let $n_d(D) = n$ and suppose that there exists a $k \times k$ submatrix $M_k$ of $M$ whose rank is less than $k-1$. Then there exist at least two linearly independent vectors $v, w \in GF(2^m)^k$ such that $M_k v = M_k w = 0$. By taking a suitable linear combination of $v$ and $w$ over $GF(2^m)$ we obtain a vector $x \in GF(2^m)^k$, $x \neq 0$, with $Hw(x) \leq k-1$ and $M_k x = 0$ (a combination can always be chosen that cancels one coordinate). Extending $x$ by zeros in the positions outside the columns of $M_k$, we get a vector $X \in GF(2^m)^n$ such that $Hw(X) \leq k-1$ and $Hw(MX) \leq n-k$. This contradicts the fact that $n_d(D)$ is equal to $n$. Hence the rank of each $k \times k$ submatrix of $M$ is at least $k-1$ for all $1 \leq k \leq n$. By Lemma 1 there exists at least one $s \times s$ submatrix with rank $s-1$. $\square$

We also state a result similar to Lemma 2. Let $M$ be the $n \times n$ matrix representing a diffusion layer $D$ and $n_d(D) = n$. In Fig. 3, if $Hw(\Delta\alpha) = k$ and $Hw(\Delta\beta) = n - s$ ($s \leq k$), there is an index set $\{i_1, \cdots, i_{s-1}\}$ such that $\{\Delta\delta_{i_1}, \cdots, \Delta\delta_{i_{s-1}}\}$ are determined by the other $\Delta\delta_i$'s. The proof of this statement is similar to that of Lemma 2.

Theorem 3. Assume that the round keys, which are xored to the input data at each round, are independent and uniformly random. If $n_d = n$, the probability of each differential of the SDS function is bounded by $p^{n-1}$.

Proof. We use the same notation as in the proof of Theorem 1.
There is only one difference between the proof of Theorem 1 and that of this theorem: $Hw(\Delta\beta)$ is $n - s$ instead of $n - s + 1$, so the second substitution layer contributes a factor $p^{n-s}$ instead of $p^{n-s+1}$ and the bound on $DP(\Delta\alpha \to \Delta\beta)$ goes up by a factor of $p^{-1}$. Hence we have
$$DP(\Delta\alpha \to \Delta\beta) \leq p^{n-1}. \qquad \square$$
One can check in the same way that if $n_l(D) = n$, the probability of each linear hull of the SDS function is bounded by $q^{n-1}$.

6 Conclusion

In the SPN structure it is very important to design a diffusion layer with good properties as well as a substitution layer. Even though a substitution layer is strong against DC and LC, this does not guarantee an SPN structure secure against DC and LC if the diffusion layer does not provide an avalanche effect, both in the context of differences and of linear approximations. In this paper we gave a necessary and sufficient condition for a diffusion layer to be maximal (Lemma 1) and a necessary condition for it to be semi-maximal (Lemma 3). We also proved that the probability of each differential (resp. linear hull) of the SDS function with a maximal diffusion layer is bounded by $p^n$ (resp. $q^n$), and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by $p^{n-1}$ (resp. $q^{n-1}$). These results give provable security against DC and LC for the SPN structure with a maximal or a semi-maximal diffusion layer. Therefore we expect to obtain an SPN structure with higher resistance against DC and LC and a smaller number of rounds.

References

1. E. Biham and A. Shamir, Differential Cryptanalysis of DES-like Cryptosystems, Journal of Cryptology, Vol. 4, pp. 3-72, 1991.
2. E. Biham and A. Shamir, Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer, Advances in Cryptology - CRYPTO'91, pp. 156-171, Springer-Verlag, 1991.
3. E. Biham, On Matsui's Linear Cryptanalysis, Advances in Cryptology - EUROCRYPT'94, pp. 341-355, Springer-Verlag, 1994.
4. J. Daemen, R. Govaerts and J. Vandewalle, Correlation Matrices, Proceedings of the First International Workshop on Fast Software Encryption, LNCS 1008, pp. 275-285, Springer-Verlag, 1994.
5. M. Kanda, Y. Takashima, T. Matsumoto, K. Aoki and K. Ohta, A Strategy for Constructing Fast Functions with Practical Security against Differential and Linear Cryptanalysis, Proceedings of SAC'98, 1998.
6. M. Matsui, Linear Cryptanalysis Method for DES Cipher, Advances in Cryptology - EUROCRYPT'93, pp. 386-397, Springer-Verlag, 1993.
7. M. Matsui, The First Experimental Cryptanalysis of DES, Advances in Cryptology - CRYPTO'94, pp. 1-11, Springer-Verlag, 1994.
8. M. Matsui, New Block Encryption Algorithm MISTY, Proceedings of the Fourth International Workshop on Fast Software Encryption, pp. 53-67, Springer-Verlag, 1997.
9. K. Nyberg and L. R. Knudsen, Provable Security against a Differential Attack, Advances in Cryptology - CRYPTO'92, pp. 566-574, Springer-Verlag, 1992.
10. K. Nyberg, Differentially Uniform Mappings for Cryptography, Advances in Cryptology - EUROCRYPT'93, pp. 55-64, Springer-Verlag, 1993.
11. K. Nyberg, Linear Approximation of Block Ciphers, Advances in Cryptology - EUROCRYPT'94, pp. 439-444, Springer-Verlag, 1994.
12. V. Rijmen, J. Daemen et al., The Cipher SHARK, Proceedings of the Fourth International Workshop on Fast Software Encryption, pp. 137-151, Springer-Verlag, 1997.
13. J. Daemen and V. Rijmen, The Rijndael Block Cipher, AES proposal, 1998.
14. J. Kang, C. Park, S. Lee and J. Lim, On the Optimal Diffusion Layer with Practical Security against Differential and Linear Cryptanalysis, Preproceedings of ICISC'99, pp. 13-20, 1999.
15. X. Lai, J. L. Massey and S. Murphy, Markov Ciphers and Differential Cryptanalysis, Advances in Cryptology - EUROCRYPT'91, pp. 17-38, Springer-Verlag, 1992.
16. J. Daemen, Cipher and Hash Function Design Strategies Based on Linear and Differential Cryptanalysis, Doctoral Dissertation, K.U. Leuven, March 1995.
17. K. Aoki and K. Ohta, Strict Evaluation of the Maximum Average of Differential Probability and the Maximum Average of Linear Probability, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E80-A, No. 1, pp. 2-8, 1997.