Practical and Provable Security against Differential and Linear Cryptanalysis for Substitution-Permutation Networks

Size: px

Start display at page:

Download "Practical and Provable Security against Differential and Linear Cryptanalysis for Substitution-Permutation Networks"

Loren Hopkins
5 years ago
Views:

1 Practcal ad Provable Securty agast Dfferetal ad ear Cryptaalyss for Substtuto-Perutato Networks Ju-Sug Kag, Seokhe Hog, Sagj ee, Okyeo Y, Choosk Park, ad Jog We exae the dffuso layers of soe block cphers referred to as substtuto-perutato etworks. We vestgate the practcal ad provable securty of these dffuso layers agast dfferetal ad lear cryptaalyss. Frst, ters of practcal securty, we show that the u uber of dfferetally actve S-boxes ad that of learly actve S-boxes are geerally ot detcal ad propose soe specal codtos whch those are detcal. We also study the optal dffuso effect for soe dffuso layers accordg to ther costrats. Secod, we obta the results that the cosecutve two rouds of SPN structure provde provable securty agast dfferetal ad lear cryptaalyss,.e., we prove that the probablty of each dfferetal (resp. lear hull) of the cosecutve two rouds of SPN structure wth a axal dffuso layer s bouded by p (resp. q ) ad that of each dfferetal (resp. lear hull) of the SDS fucto wth a se-axal dffuso layer s bouded by p - (resp. q - ), where p ad q are axu dfferetal ad lear probabltes of the substtuto layer, respectvely. auscrpt receved ay 4, 2; revsed Aug. 7, 2 ad Oct. 9, 2. Ju-Sug Kag (phoe: , e-al: jskag@etr.re.kr) s wth Iforato Securty Research Dvso, ETRI, Daejeo, Korea. Seokhe Hog (e-al: hsh@cst.korea.ac.kr), Sagj ee (e-al: saj@tger.korea.ac.kr), ad Jog (e-al: jl@tger.korea.ac.kr) are wth Ceter for Iforato Securty Techologes, Korea Uversty, Seoul, Korea. Okyeo Y (e-al: oyy@ku.kook.ac.kr) s wth the Departet of atheatcs, Kook Uversty, Seoul, Korea. Choosk Park (e-al: csp@etr.re.kr) s wth Natoal Securty Research Isttute, ETRI, Daejeo, Korea. I. INTRODUCTION. Itroducto to SPN Structure ad Dffuso ayer Shao suggested that practcal ad secure product cphers aybe costructed by usg a xg trasforato cosstg of a uber of layers or rouds of cofuso ad dffuso []. The cofuso copoet s a olear substtuto o a sall subblock ad the dffuso copoet s a lear xg of the subblock coectos. The Substtuto- Perutato Networks (SPN) structure s drectly based o the cocepts of cofuso ad dffuso. Oe roud of a SPN structure geerally cossts of three layers of substtuto, perutato, ad key addto. A substtuto layer s ade up of sall olear substtutos referred to as S-boxes easly pleeted by table lookup for cofuso effect. A perutato layer s a lear trasforato that dffuses the cryptographc characterstcs of the substtuto layer. A key addto layer plats roud subkeys of the cpher ad the posto of ths layer s varable accordg to cphers. Due to eory requreets, ost block cpher desgers use sall S-boxes, e.g. wth 4 or 8 put bts. Thus, the dffuso of S-box outputs by a perutato layer plays a great role provdg resstace to varous attacks cludg dfferetal ad lear cryptaalyss. O the other had, perutato layers of ost oder block cphers are ot sple bt-wse posto perutatos or traspostos but lear trasforatos o soe vector spaces over varous fte felds. Hece ths paper, we refer to a perutato layer as a dffuso layer for the sake of clarty. ost dffuso layers have approprate atrx represetatos, sce they are lear trasforatos over 58 Ju-Sug Kag et al. ETRI Joural, Volue 23, Nuber 4, Deceber 2

2 soe fte felds ad have oe-to-oe correspodece to a approprate atrx. Wth these atrx represetatos, we study the practcal ad provable securty agast dfferetal ad lear cryptaalyss. 2. Related Works ad Our Results The ost well kow ethod of aalyzg block cphers today s the dfferetal cryptaalyss (DC), proposed by Bha ad Shar [2], [3] 99. DC s a chose platext attack whch the attacker chooses soe platexts of certa wellcosdered dffereces. Bha ad Shar used the oto of characterstc, whle a, assey ad urphy [4] showed that the oto dfferetal strctly reflects the stregth of a cpher agast DC. Roughly speakg, a dfferetal s a collecto of characterstcs. Aother ethod of aalyzg block cphers s the lear cryptaalyss (C) publshed by atsu [5] 993. The attacks based o C are kow platext attacks ad the attack o the DES s faster tha the attack by DC. The frst verso of C appled lear approxato to a attack of block cphers, but Nyberg [6] has cosdered a collecto of lear approxato, whch she called a lear hull for strct evaluato of the stregth agast C. Kada et al. [7] classfed four easures to evaluate the securty of a cpher agast DC ad C as follows: Precse easure: The axu average of dfferetal ad lear hull probabltes [4], [6]. Theoretcal easure: The upper bouds of the axu average of dfferetal ad lear hull probabltes [8]-[]. Heurstc easure: The axu average of dfferetal characterstc ad lear approxato probabltes [2], [3], [5]. Practcal easure: The upper bouds of the axu average of dfferetal characterstc ad lear approxato probabltes [2]-[4]. DC ad C are the ost powerful attacks to ost syetrc block cphers. Accordgly, t s a basc requste for the desger to evaluate the securty of ay ew proposed cpher agast DC ad C, ad to prove that t s suffcetly resstat agast the. I ths paper, we cosder a practcal easure ad theoretcal easure out of the above four easures. Nyberg ad Kudse [] stated that Festel cphers evaluated wth the theoretcal easure are provably secure agast DC ad C. Therefore, a block cpher s called to have provable securty agast DC ad C, where the upper bouds of the axu average of dfferetal ad lear hull probabltes are suffcetly sall. eawhle, Kudse [3] oted that Festel cphers evaluated wth the practcal easure are practcally secure agast DC ad C. Thus, a block cpher s called to have practcal securty agast DC ad C f the upper bouds of the axu average of dfferetal characterstc ad lear approxato probabltes are suffcetly sall. Frst, we show that ters of practcal securty, the u uber of dfferetally actve S-boxes ad that of learly actve S-boxes are geerally ot detcal ad propose soe specal codtos whch those are detcal. We also show that all dffuso layers of E2, Crypto ad Rjdael have acheved optal dffuso effects accordg to ther each costrat of usg operatos. Secod, the cosecutve two rouds of SPN structure are show to provde provable securty agast dfferetal ad lear cryptaalyss, where the dffuso layer has a axal or se-axal dffuso effect,.e., we prove that the probablty of each dfferetal (resp. lear hull) of the cosecutve two rouds of SPN structure wth a axal dffuso layer s bouded by p (resp. q ) ad that of each dfferetal (resp. lear hull) of the SDS fucto wth a seaxal dffuso layer s bouded by p - (resp. q - ), where p ad q are axu dfferetal ad lear probabltes of the substtuto layer, respectvely. Ths paper s the refed verso of [5] ad [6]. II. PREIINARIES. Basc Deftos et S be a S-box wth put ad output bts,.e., S : Z 2 Z 2. Dfferetal ad lear probabltes of S are defed as the followg defto. Defto For ay gve x, y; Γx; Γy Z 2, defe dfferetal ad lear probabltes of S by ad S ( x y) = (/2 ) ( # {x Z 2 : S(x) S(x x) = y }) P S (Γy Γx) = [ (/2 - ) ( # {x Z 2 : Γx x = Γy S(x) }) ] 2, respectvely, where a b deotes the party ( or ) of bt-wse product of a ad b. S ad P S for a strog S-box S should be sall eough for ay put dfferece x ad output ask value Γy. Therefore, we defe paraeters that represet resstace to DC ad C of a S-box ad each substtuto layer of a SPN structure as the followg defto. ETRI Joural, Volue 23, Nuber 4, Deceber 2 Ju-Sug Kag et al. 59

3 Defto 2 The axu dfferetal ad lear probabltes of S are defed by ad respectvely. S ax = ax x, y S ( x y) P S ax = ax Γx, Γy P S (Γy Γx), 2. Dfferetally ad early Actve S-Boxes Evaluato of securty for a block cpher of SPN structure by a practcal easure begs wth the cocept of a actve S-box. The followg fve deftos ad oe theore of ths subsecto are already wrtte soe prevous works [7], [4], [6], [7]. At ths pot, we slghtly revse soe deftos order to descrbe our results. Defto 3 A dfferetally actve S-box s defed as a S-box gve a o-zero put dfferece ad a learly actve S-box as a S-box gve a ozero output ask value. By coputg the u uber of dfferetally ad learly actve S-boxes, we ca evaluate securty of a block cpher ters of practcal securty agast DC ad C [2]- [4], [7]. We ca obta upper bouds of the axu dfferetal characterstc ad lear approxato probabltes fro the u uber of actve S-boxes. Thus, the case of a SPN structure, t s portat to aalyze the creasg aouts of u uber of actve S-boxes by cosderg a dffuso layer cosecutve two rouds. Note that we ca ot the key addto layer to copute the uber of actve S-boxes sce ths layer has o fluece uder the assupto that the key addto layer s perfored by bt-wse EXORs. Defe the SDS fucto wth three layers of substtuto-dffuso-substtuto for aalyzg the role of a dffuso layer to crease the uber of actve S-boxes cosecutve two rouds of a SPN structure (Fg. ). Throughout ths paper, we cosder the SDS fucto wth -bt put ad output values ad assue that all S-boxes the substtuto layer are ad bjectve. If a S-box s bjectve ad dfferetally/learly actve, the t has a o-zero output dfferece/put ask value []. Therefore, whe all S- boxes substtuto layer are bjectve, we ca defe the u uber of actve S-boxes of the SDS fucto. Deote the dffuso layer of SDS fucto as D, put dfferece of D as x = x x*, output dfferece as y = y y* = D(x) D(x*), ad put ad output ask value as Γx ad Γy, respectvely. Defto 4 The u uber of dfferetally ad learly actve S-boxes of the SDS fucto are defed by ad S S 2 S 3 S Substtuto(S-boxes) Dffuso layer S S 2 S 3 S Substtuto(S-boxes) Fg.. SDS fucto. β d (D) = x { H c ( x) + H c ( y) } β l (D) = Γy { H c (Γx) + H c (Γy) }, respectvely, where, for each x = (x, x 2,, x ) (Z 2 ) or GF(2 ), the copoet Hag weght of x s defed by H c (x) = # { : x }. β d (D) ad β l (D) are lower bouds for the uber of actve S-boxes two cosecutve rouds of a dfferetal characterstc ad lear approxato, respectvely. O the other had, fro the alty, we ca see that β d (D) ad β l (D) are at ost + by cosderg H c ( x) = H c (Γy) =. So a dffuso layer s called axal f the β d (D) ad β l (D) are +. Now we ca defe dfferetal characterstc ad lear approxato probabltes of the SDS fucto lke the deftos for S-boxes. See Fgs. 2 ad 3. Defto 5 For ay gve x, y, Γx, Γy Z 2, defe the dfferetal characterstc ad lear approxato probabltes of the SDS fucto by ad DCP SDS = ax AP SDS = ax w y) = ( Γy Γx) Γz = P S S ( Γy ) Γz ) P S S ( D( w ) y ) ( D ( Γz) Γx ), respectvely, where x = ( x,, x ) (Z 2 ) ad y, w, Γx, Γy, Γz are deoted the sae way as x.. Here, D( w) = (D( w),, D( w) ) ad D - (Γz) = (D - (Γz),, D - (Γz) ) deote the output dfferece ad put ask value of the dffuso layer D wth probablty, respectvely. Defto 6 The axu dfferetal characterstc ad l- 6 Ju-Sug Kag et al. ETRI Joural, Volue 23, Nuber 4, Deceber 2

4 ear approxato probabltes of the SDS fucto are defed by DCP SDS ax = ax x, y DCP SDS ( x y) ad AP SDS ax = ax Γx, Γy AP SDS (Γy Γx), respectvely. Defto 7 Assue that the substtuto layer of a SDS fucto cossts of S-boxes S, S 2,, S. The axu dfferetal ad lear probabltes of the substtuto layer are defed by p = ax S ax ad q = ax P S ax, respectvely. Theore The axu dfferetal characterstc ad lear approxato probabltes DCP SDS ax ad AP SDS ax of the SDS fucto hold for DCP SDS ax p β d (D) ad AP SDS ax q β l (D). The above theore s obtaed easly by the axalty of p(or q) ad the alty of β d (D) (or β l (D)). Evaluato of practcal securty agast DC ad C s based o ths theore. III. PRACTICA SECURITY AGAINST DC AND C. atrx Represetato of a Dffuso ayer ost dffuso layers of oder block cphers of a SPN structure are lear trasforatos o the vector space GF(2 ) ad have oe-to-oe correspodece to a approprate atrx. That s, ost dffuso layers have approprate atrx represetatos. If we use ths atrx represetato for a dffuso layer, the we obta the relatoshp betwee put ad output dffereces (or ask values). Throughout ths paper, we assue that the dffuso layer D of the SDS fucto ca be represeted by a atrx = ( j ), where j GF(2 ). Hece we oly eed to vestgate the atrx to aalyze the role of the dffuso layer D. To beg, we descrbe soe otatos ad deftos. Wthout loss of geeralty, we ay assue GF(2 ) = { a + a γ + a 2 γ a - γ - a {,}} for soe γ GF(2 ). I geeral, we ca regard the fte feld GF(2 ) as the -desoal vector space over GF(2) ad GF(2 ) as the -desoal vector space over GF(2). We wll use a otato a GF(2) as the colu vector corre- spodg to a GF(2 ) ad ξ GF(2) as the colu vector correspodg to ξ GF(2 ). By assupto of dffuso layer, we ca rewrte β d (D) as follows: β d (D) = x { H c ( x) + H c ( x) }. Now, we cosder β l (D). et's defe a ap φ fro GF(2 ) to GF(2) as follows: φ (a) = = - a, where a = Σ = - a γ, a {,}. ea There exsts a uque bary vertble atrx B so that φ(a b) = a t B b for all a, b GF(2 ), where t suffx deotes trasposto of a vector. Proof: et a = Σ = - a γ ad b = Σ = - b γ be two geeral eleets GF(2 ) ad c be a b = Σ = - c γ. The c k = (,j) I a - k b j for soe dex set I k ad φ(c) = = c = (,j) I a b j where I = - k= I k except ts eleets eed ot be dstct. et j be the repetto uber of (,j) I ad b j j od 2. Cosder a atrx B whose th row ad jth colu s b j. By defto of B, φ(a b) = a t B b. It reas to prove B s vertble. Suppose B s ot vertble the there exsts a ozero eleet a GF(2 ) so that a t B =. φ(a a - ) = a t B a - = but t s a cotradcto to the fact φ(a a - ) = φ() =. Hece B s vertble. et ξ = (ξ, ξ ) t, η = (η, η ) t GF(2 ). A scalar product o GF(2 ) over GF(2 ) ad over GF(2) are deoted by <, > ad <, >, respectvely ad defed by: <, > : GF(2 ) GF(2 ) GF(2 ) (ξ, η) ξ η + + ξ η <, > : GF(2 ) GF(2 ) GF(2) (ξ, η) ξ t η. As a atter of coveece we deote the feld eleet correspodg to Ba r GF(2) by Ba. et ~ η = (Bη, Bη ) GF(2 ) ad ηˆ = (B - η, B - η ) GF(2 ). By deftos of <, >, <, > ad φ, t < ξ, η > = ξ BB = φ = φ = < ( < ξ, ˆ η > ) t ( < ξ, ˆ η > ) η ~ t ξ, ˆ η > Hece we obta the followg lea.. t ξ BB η ETRI Joural, Volue 23, Nuber 4, Deceber 2 Ju-Sug Kag et al. 6

5 ea 2 et Γy be a output ask value of dffuso layer D ~ the the put ask value becoes t Γ ˆ y. It s dcated fro ea 2 that f s a bary atrx, Γx = t Γy, ad ths result s show [7]. Corollary The u uber of learly actve S- boxes s Γy { H c ( t Γy) + H c (Γy) }. Proof: Ths corollary follows fro ea 2 ad the fact that there exst oe-to-oe correspodeces betwee η, ηˆ, ad ηˆ ad H c (η) = H c (ηˆ ) = H c (η ~ ) for ay η GF(2 ). It s possble that we copute the u ubers of dfferetally ad learly actve S-boxes (β d (D) ad β l (D)) of the SDS fucto by usg the above atrx represetato. However, the u ubers of dfferetally ad learly actve S-boxes are ot detcal geeral. I the ext subsecto, we wll show that β d (D) β l (D) by proposg a couterexaple. O the other had, the u ubers of dfferetally ad learly actve S-boxes are detcal for the specal types of represetato atrx as the followg two theores. Theore 2 et the dffuso layer D of the SDS fucto be represeted as atrx. If s a syetrc or orthogoal atrx, the β d (D) = β l (D). Proof: Observe that β d (D) = x { H c ( x) + H c ( x) }, β l (D) = Γy { H c ( t Γy) + H c (Γy) }. Fro ths, we ca easly see that β d (D) = β l (D) f s a syetrc atrx where t =. eawhle, f s a orthogoal atrx that - = t, the Γx = t Γy ples that Γy = Γx, ad the codto Γy = Γx s detcal to Γx sce s a vertble atrx. Thus so β d (D) = β l (D). β l (D) = Γx { H c (Γx) + H c (Γx) }, Theore 3 If t s obtaed fro by applyg operatos of exchagg row or colu vectors, the β d (D) = β l (D). Proof: The operato of exchagg row vectors of results chagg the order of copoets of output dfferece y, ad ths operato does ot affect the copoet Hag weght H c ( y). O the other had, t s clear that H c ( y) s detered by colu vectors of but ot by ther locato. Thus, the operato of exchagg colu vectors of also does ot affect the copoet Hag weght H c ( y). Sce a row(colu) vector of s a colu(row) vector of t, operatos of exchagg row or colu vectors of does ot affect the copoet Hag weght. Therefore, f t s obtaed fro by those operatos, β d (D) = β l (D). It s easy to see that the dffuso layer of block cpher CRYPTON [8] s represeted as a syetrc atrx. Hece, we obta β d (D) = β l (D) by Theore 2, ths case [6]. O the other had, [6] authors also showed that for the dffuso layers of block cpher Rjdael [9] ad E2 [2], Theore 3 ca be appled. 2. Optal Dffuso Effects of Dffuso ayers uder Soe Costrats Assue that puts of the SDS fucto are learly trasfored to outputs per -bt ad the dffuso layer s costructed wth just btwse EXORs. The dffuso layer s represeted as a atrx where all etres are zero or oe as follows: y = j= µ j x j = µ j = x j, where x = (x, x 2,, x ) (Z 2 ) s a put, y = (y, y 2,, y ) s the output, ad = (µ j ). Kada et al. [7] studed dffuso propertes of the dffuso layer wth ths atrx represetato. Ther study was based o the relatoshp betwee the atrx for dfferetal characterstc ad lear approxato. However, they ade two cojectures to ufold ther theory. The Cojecture [7] s correct sce ths s a specal case of Theore 2, but the Cojecture 2 [7] s a wrog opo. We dsprove ths cojecture by proposg a couterexaple. Cojecture 2 of [7] I the SDS fucto, the u uber of dfferetally actve S-boxes s equal to the u uber of leally actve S-boxes. That s, β d (D) = β l (D), where s the represetato atrx of the dffuso layer D. Couterexaple for the Cojecture 2 of [7]: Suppose that the dffuso layer of SDS fucto wth =4 be represeted by the followg vertble atrx: =, t =. If H c ( x) =, the H c ( y) 2 sce H c ( y) s detered by a colu vector of ad Hag weght of each colu vector s at least 2. H c ( y) s detered by the EXORs betwee 62 Ju-Sug Kag et al. ETRI Joural, Volue 23, Nuber 4, Deceber 2

6 ay dfferet two colu vectors f H c ( x) = 2. Ay EXOR betwee two colu vectors has the Hag weght of at least. Thus, the u uber of dfferetally actve S-boxes s β d (D) =3. O the other had, ea 2, the relatoshp betwee output ad put ask values s represeted as the traspose atrx t of. Note that the Hag weght of the fourth colu vector of t s. Cosder the output ask value of the for b = (,,, b 4 ), b 4, ad =, 4 4 b b the correspodg put ask value a = (,, b 4, ). Fro ths we ca obta β l (D) = 2. Cosequetly we kow that β d (D) β l (D) for the above 4 4 atrx. I the block cpher E2, desgers cosdered the SDS fucto wth = 8. Kada et al. [7] suggested a ethod of deterg a 8 8 atrx yeldg the axu value of β d (D) usg the search algorth. Usg ths search algorth, they foud that there s o atrx wth β d (D) 6, ad that there are soe caddate atrces wth β d (D) = 5. Here, we gve a theoretcal proof for the fact that β d (D) = 5 s optal ad also that β l (D) 5, where s a 8 8 bary vertble atrx. Theore 4 Assue that the uber of S-boxes the substtuto layer of the SDS fucto s 8(=8). If the represetato atrx of the dffuso layer s a 8 8 bary vertble atrx, the β d (D), β l (D) 5. Proof: Sce s a 8 8 bary vertble atrx, eght colu vectors, 2,, 8 are learly depedet. Thus, the uber of colus wth the Hag weght 8 s at ost oe. Note that β d (D) s closely related to the Hag weghts of colu vectors of. We separate the proof to four cases. Here, the Hag weght H c ( j ) of a colu vector j s the uber of etres wth j. Case If j 8 H c ( j ) = 7, for ay two colu vectors j ad k, H c ( j k ) 2. By cosderg x such that H c ( x) = 2, we obta that β d (D) = 4. Case 2 Suppose that j 8 H c ( j ) = 6. If there exsts a colu vector wth Hag weght 8, the H c ( y) 2 for soe x such that H c ( x) = 2. If there exsts a colu vector wth Hag weght 7, the u value of H c ( y) s at ost 3, sce we ca cosder the EXORs betwee the colus wth Hag weght 6 ad 7, where H c ( x) = 2. Fally, f the Hag weght of all colu vectors s 6, the although soe dfferet four colu vectors clude etres dstct rows, the Hag weght of EXORs betwee oe of ths four colus ad aother ffth colu vector s 2. Cosequetly, we obta that β d (D) 5. Case 3 Assue that j 8 H c ( j ) = 6. If there exsts a colu vector wth the Hag weght 8, the H c ( y) 3 for soe x so that H c ( x) = 2. If there exsts a colu vector wth the Hag weght 7 or 6, by a slar aalyss as Case 2, we ca obta what we wat. I the case that the Hag weght of each colu vectors s 5, although etres of soe dfferet fve colu vectors are arraged optally, aother sxth colu vector ad oe of these fve colus have coo at least two etres at the sae rows. Thus, H c ( y) s at ost 2 where H c ( x) = 2. Therefore, β d (D) 5 also holds ths case. Case 4 Assue that j 8 H c ( j ) 4. Cosder oly x such that H c ( x) =. The, we easly obta β d (D) 5 sce there exsts a colu wth the Hag weght 4. By Cases to 4, we obta that β d (D) 5 always holds wheever s a 8 8 bary vertble atrx. O the other had, by Theore 2, β l (D) s related to t. Thus, we ca also obta the sae result for β l (D) by cosderg the Hag weght of row vectors stead of colu vectors of. The dffuso layer of block cpher CRYPTON [8] cossts of btwse EXOR ad AND logc. I ths case, we ca also theoretcally show that the optalty of the dffuso layer by the slar process of the proof of Theore 4. O the other had, the block cpher Rjdael, the axal dffuso layer s used. It was show that the axalty of ths dffuso layer was obtaed by usg a axal dstace separable code [4]. Ths fact also ca be show by the slar ethods used the proof of Theore 4. Sce the addtve operato of the fte feld GF(2 ) s the bt-wse EXOR, the Hag weghts of EXORs aog colu vectors of the atrx are reflected to copute β d. See [6] for the detals. IV. PROVABE SECURITY AGAINST DC AND C FOR THE AXIA DIFFUSION AYER I ths secto we wll gve a provable securty for the SDS fucto wth a axal dffuso layer agast DC ad C. Recall that a dffuso layer s called axal f β d (D) = β l (D) = +. By Theore, we kow that the practcal securty for the SDS fucto wth a axal dffuso layer ca be estated as DCP SDS ax p + ad AP SDS ax q +. However, ths does ot gve provable securty o the vewpot of theoretc easure. ETRI Joural, Volue 23, Nuber 4, Deceber 2 Ju-Sug Kag et al. 63

7 Now we cosder the provable securty agast DC ad C o the pot of vew of dfferetal ad lear hull. et us call ' a s k subatrx of f ' s of the followg for: ' = j 2 j k j j2 2 j2 k j2 O jk 2 jk. k jk The, we say that cotas ' as a s k subatrx. ea 3 et be the atrx represetg a dffuso layer D. The β d (D) = + f ad oly f the rak of each k k subatrx of s k for all k. Proof: Ths lea was prove [2]. Corollary 2 If β d (D) s equal to +, β l (D) s also + ad vce versa. Proof: Ths ca be draw by the fact that the rak of equals that of t for ay atrx. I [22], t was show how a axal dffuso layer over GF(2 ) ca be costructed fro a axu dstace separable code. If G e = [I B ] s the echelo for of the geerator atrx of (2,, +) RS-code, the D : GF(2 ) GF(2 ) x a Bx s a axal dffuso layer by ea 3. It s ot ecessary to fx the values of teredate dffereces whe we cosder dfferetals of SDS fucto. Therefore, the dfferetal characterstc of SDS fucto wth put dfferece x ad output dfferece y s defed by SDS y) = w,..., w [ = = S S ( z ) ] y ), () where w ca have ay output dfferece value the frst substtuto layer ad z s D( w). By slar arguet, we ca defe lear hull probablty wth put ask value Γx ad output ask value Γy as follows: P = SDS ( Γy Γx) S S [ = P ( Γy Γz ) = P ( Γw Γx )], Γz,..., Γz where Γz s every possble put ask value of secod substtuto layer ad Γw = D - (Γz). Δx = Δx Δx 2 Δx S S 2 Δw = Δw Δw 2 Δw Dffuso layer S Δz = Δz Δz 2 Δz S S 2 S Δy = Δy Δy 2 Δy Fg. 2. Dfferetal of SDS fucto. Гx = Гx Гx 2 Гx S S 2 Гw = Гw Гw 2 Гw Dffuso layer Fg. 3. ear hull of SDS fucto. S Гz = Гz Гz 2 Гz S S 2 S Гy = Гy Гy 2 Гy Defto 8 The axu dfferetal ad lear hull probabltes of the SDS fucto are defed by ad respectvely. SDS ax = ax x, y SDS ( x y) P SDS ax = ax Γx, Γy P SDS (Γy Γx), ea 4 et be the atrx represetg a dffuso layer D ad β d (D) = +. I Fg. 2, f H c ( x) = k ad H c ( y) = -s+ ( s k ), the there s a dex set {,, s- } such that x,, x s- ad { w,, w s- } are detered by the other w 's. Proof: Wthout loss of geeralty we ay assue y =,, y s- = (or equvaletly z =,, z s- = ). 64 Ju-Sug Kag et al. ETRI Joural, Volue 23, Nuber 4, Deceber 2

8 et w = ( w,, w k ) t be the collecto of all o-zero copoets w = ( w,, w ) t. That s, w j for all j k ad w = f t {,, k }. et = s O s s s s s s O k s k By the deftos of ad w ad the assupto o y, w =. et us dvde w to two parts, w I ad w II, ad to I ad II as followgs: ad w I = ( w,, w s- ) t, w II = ( w s,, w k ) t, I II = s = O s s s s s s O k s k Fro w =, we get I w I + II w II = (or equvaletly I w I = II w II ). Sce I s a vertble atrx by ea 3, we have the equato: w I = I II w II. Hece { w,, w s- } are detered by { w s,, w k }. ea 4 eas that the suato () s ot take for all w,, w but take for all w k j,, w jk-s+ for soe dex set {j,, j k-s+ } {,, k }. Now, we are ready to prove the followg theore. Theore 5 If β d (D) = +, SDS ax of the SDS fucto s bouded by p. Proof: Cosder the dfferetal as depcted Fg. 2. et H c ( x) = k ad H c ( y) = -s+ (s k), the wthout loss of geeralty we ay assue. x,, x k (2) (equvaletly, w,, w k ) ad y j,, y j-s+ (3) (equvaletly, z j,, z j-s+ ). The, = = = SDS = p y) w,..., w w,..., w k [ [ = k = w,..., wk s+ w,..., wk s+ s+ = [ S S [ k = w,..., wk s+ s+ t = k s+ l= [ ) ) S j S k s+ l= ( z Sl j S j ) ( z = y Sl t j )] y ( z )] ) p t j t S j s y )] p (4) (5) s+ ] )] p (6) Equato (4) follows fro assuptos (2) ad (3), (5) follows fro ea 4, ad the equalty (6) follows fro the defto of p. We apply slar arguet to C. Therefore, we ca coclude the followg theore. Theore 6 If β l (D) = +, P SDS ax of the SDS fucto s bouded by q. Proof: A proof of ths theore s very slar to that of Theore 5. V. PROVABE SECURITY AGAINST DC AND C FOR THE SEI-AXIA DIFFUSION AYER I ths secto, we show that the probablty of each dfferetal (resp. lear hull) s bouded by p - (resp. q - ) whe β d (D) (resp. β l (D)) s equal to. A dffuso layer s called seaxal wth respect to DC (resp. C) whe β d (D) (resp. β l (D)) equals. Also we say that a dffuso layer s seaxal f β d (D) ad β l (D) are equal to. ea 5 If β d (D) =, the the rak of each k k subatrx of s greater tha or equal to k- for all k ad there exsts at least oe s s subatx wth rak s- for soe s. Proof: et β d (D) = ad suppose that there exsts a k k subatrx k of whose rak s less tha k-. That s, there exst at least two depedet vectors v, w GF(2 ) k so that k v = k w =. We ca ake a vector x GF(2 ) k wth H c (x) k- ad k x = by a lear cobato of v ad w over GF(2 ). Fro x ad k, we ca get a vector X GF(2 ) such that H c (X) k- ad H c (X) -k. Ths cotradcts to the fact that β d (D) s equal to. Hece the rak of t ETRI Joural, Volue 23, Nuber 4, Deceber 2 Ju-Sug Kag et al. 65

9 each k k subatrx of s greater tha or equal to k- for all k. By ea 3, there exsts at least oe s s subatrx wth rak s-. We also gve a stateet slar to ea 4. et be the atrx represetg a dffuso layer D ad β d (D) =. I Fg. 2, f H c ( x) = k ad H c ( y) = -s (s k), there s a dex set {,, s- } such that { w,, w s- } are represeted by the other w s. A proof of ths stateet s slar to that of ea 4. Theore 7 If β d (D) =, SDS ax of the SDS fucto s bouded by p -. Proof: We use the sae otatos as used the proof of Theore 5. There s oly oe dfferece betwee the proof of Theore 5 ad that of ths theore; H c ( y) s ot -s+ but -s. Thus SDS ( x y) goes up by p -. Hece we have SDS ax p -. Corollary 3 If β l (D) =, P SDS ax of the SDS fucto s bouded by q -. We ca geeralze Theore 7 ad Corollary 3 ad get the followg theore. Theore 8 If β d (D) = -t (or β l (D) = -t), SDS ax (or P SDS ax ) of the SDS fucto s bouded by p -(t+) (or q -(t+) ). Sketch of Proof: Note that a u v atrx wth a rak w cotas a w w vertble subatrx. It ca be easly checked that f β d (D) = -t, the the rak of each k k subatrx of s greater tha or equal to k-t- for all t+ k. I Fg. 2, let H c ( x) = k ad H c ( y) = -s (s k). The, we ca prove there s a dex set {,, s- } such that { w,, w s- } are represeted by the other w s. By slar arguet to the proof of Theore 7, t ca be show that SDS ax p -(t+). VI. CONCUSION We exaed the dffuso layers of soe block cphers referred to as substtuto-perutato etworks. We vestgated the practcal securty of dffuso layers agast dfferetal ad lear cryptaalyss by usg the oto of actve S-boxes. We showed that the u uber of dfferetally actve S- boxes ad that of learly actve S-boxes were geerally ot detcal ad proposed soe specal codtos whch those were detcal. The optal dffuso effects for soe dffuso layers accordg to ther each costrat were also studed. I ters of provable securty, we proved that the probablty of each dfferetal (resp. lear hull) of the SDS fucto wth a axal dffuso layer was bouded by p (resp. q ) ad that of each dfferetal (resp. lear hull) of the SDS fucto wth a se-axal dffuso layer was bouded by p - (resp. q - ), where p ad q were axu dfferetal ad lear probabltes of the substtuto layer, respectvely. REFERENCES [] C.E. Shao, Coucato Theory of Secrecy Systes, Bell Syste Tech. J., 28, 949, pp [2] E. Bha ad A. Shar, Dfferetal Cryptaalyss of DES-ke Cryptosystes, Advaces Cryptology-CRYPTO'9, NCS 537, Sprger-Verlag, 99, pp [3] E. Bha ad A. Shar, Dfferetal Cryptaalyss of DES-ke Cryptosystes, J. of Cryptology, o. 4, 99, pp [4] X. a, J.. assey, ad S. urphy, arkov Cphers ad Dfferetal Cryptaalyss, Advaces Cryptology-Eurocrypt'9, NCS 547, Sprger-Verlag, 99, pp [5]. atsu, ear Cryptaalyss ethod for DES Cpher, Advaces Cryptology-Eurocrypt'93, NCS 765, Sprger-Verlag, 993, pp [6] K. Nyberg, ear Approxato of Block Cphers, Advaces Cryptology-Eurocrypt'94, NCS 95, Sprger-Verlag, 994, pp [7]. Kada, Y. Takasha, T. atsuoto, K. Aok, ad K. Ohta, A Strategy for Costructg Fast Roud Fuctos wth Practcal Securty agast Dfferetal ad ear Cryptaalyss, Selected Areas Cryptography, NCS 556, 999, pp [8] K. Aok ad K. Ohta, Strct Evaluato of the axu Average of Dfferetal Probablty ad the axu Average of ear Probablty, IEICE TRANS. FUNDAENTAS, o., 997, pp [9] Y. Kaeko, F. Sao, ad K. Sakura, O Provable Securty a- gast Dfferetal ad ear Cryptaalyss Geeralzed Festel Cphers wth ultple Rado Fuctos, Proc. of SAC'97, 997, pp []. atsu, New Structure of Block Cphers wth Provable Securty agast Dfferetal ad ear Cryptalayss, Fast Software Ecrypto, NCS 39, Sprger-Verlag, 996, pp [] K. Nyberg ad.r. Kudse, Provable Securty agast Dfferetal Cryptaalyss, J. of Cryptology, o. 8, (), 995, pp [2] J. Daee,.R. Kudse, ad V. Rje, The Block Cpher SQUARE, Fast Software Ecrypto, NCS 267, Sprger- Verlag, 997, pp [3].R. Kudse, Practcally Secure Festel Cphers, Fast Software Ecrypto, NCS 89, 994, pp [4] V. Rje, J. Daee, B. Preeel, A. Bosselaers, ad E.D. W, 66 Ju-Sug Kag et al. ETRI Joural, Volue 23, Nuber 4, Deceber 2

The Cpher SHARK, Fast Software Ecrypto, NCS 39, Sprger-Verlag, 996, pp. 99-2. [5] S.H. Hog, S.J. ee, J.I., J.C. Sug, ad D.H. Choe, Provable Securty agast Dfferetal ad ear Cryptaayss for the SPN structure, Proc.

of ICISC'99, NCS 787, Sprger- Verlag, 999, pp. 38-52. [7].

10 The Cpher SHARK, Fast Software Ecrypto, NCS 39, Sprger-Verlag, 996, pp [5] S.H. Hog, S.J. ee, J.I., J.C. Sug, ad D.H. Choe, Provable Securty agast Dfferetal ad ear Cryptaayss for the SPN structure, Proc. of FSE2, NCS Sprger- Verlag, 978, pp [6] J.S. Kag, C.S. Park, S.J. ee, ad J.I., O the Optal Dffuso ayer wth Practcal Securty agast Dfferetal ad ear Cryptaalyss, Proc. of ICISC'99, NCS 787, Sprger- Verlag, 999, pp [7]. Kada, Practcal Securty Evaluato agast Dfferetal ad ear Cryptaalyses for Festel Cphers wth SPN Roud Fucto, Selected Areas Cryptography, NCS 22, Sprger- Verlag, 2, pp [8] C.H., CRYPTON: A New 28-Bt Block Cpher, AES Proposal, 998. [9] J. Daee ad V. Rje, The Rjdael Block Cpher, AES Proposal, 998. [2] NTT-Nppo Telegraph ad Telephoe Corporato, E2: Effcet Ecrypto Algorth, AES Proposal, 998. [2] F.J. acwllas ad N.J.A. Sloa, The Theory of Error- Correctg Codes, NorthHollad, Asterda, 977. [22] J. Daee, R. Govaerts, ad J. Vadewalle, Correlato atrces, Fast Software Ecrypto, NCS 8, Sprger-Verlag, 994, pp Ju-Sug Kag receved the B.S.,.S., ad Ph.D. degrees atheatcs fro Korea Uversty, Seoul, Korea 989, 99, ad 996, respectvely. He joed ETRI 997, ad he s curretly wth Iforato Securty Dvso of ETRI. Hs curret research terests clude cryptographc algorths ad protocols. Seokhe Hog receved the B.S. ad.s. degrees atheatcs fro Korea Uversty. 995 ad 997, respectvely. He also receved the Ph.D. degree atheatcs fro Korea Uversty 2. Sce 2, he has bee wth Ceter for Iforato Securty Techologes (CIST) Korea Uversty. Hs curret research terests clude block cpher aalyss ad publc key cryptosyste. Sagj ee receved the B.S. ad.s. degrees atheatcs fro Korea Uversty 987 ad 989, respectvely. He also receved the Ph.D. degree atheatcs fro Korea Uversty 994. Fro 989 to 998, he was a Techcal Staff eber at ETRI. Fro 999 to 2, he was a faculty eber of atheatcs Departet at Korea Uversty, ad sce 2, he has bee a Assocate Professor of Graduate School of Iforato Securty. Hs curret research terests clude strea cpher ad block cpher. Okyeo Y receved the B.S. ad.s. degrees Korea Uversty, Seoul, Korea 988 ad 99, respectvely. He also receved the Ph.D. degree atheatcs fro Uversty of Ketucky, KY, USA 996. He s curretly teachg atheatcs ad cryptology at the Departet of atheatcs Kook Uversty, Seoul, Korea. Hs curret research terests clude ellptc curve cryptography ad forato securty IT-2. Choosk Park receved the B.S. degree fro Kwagwoo Uversty ad the.s. fro Hayag Uversty, Seoul, Korea 98 ad 983, respectvely, ad the Dr. Eg. degree electroc egeerg fro Tokyo Isttute of Techology, Tokyo, Japa 995. Sce jog Codg Techology ad Research Secto of ETRI 982, he has bee egaged research ad developet o forato securty. Hs research terests are forato securty ad cryptographc protocols. Jog receved the B.S. ad.s. degrees atheatcs fro Korea Uversty 98 ad 982, respectvely. He also receved the Ph.D. degree atheatcs fro Korea Uversty 986. Sce jog Korea Uversty 986, he was a Professor of atheatcs Departet utl 2, ad sce 2, he has bee a Professor of Graduate School of Iforato Securty. Hs curret research terests clude block cpher ad publc key cryptosyste. ETRI Joural, Volue 23, Nuber 4, Deceber 2 Ju-Sug Kag et al. 67

Some Different Perspectives on Linear Least Squares

Some Different Perspectives on Linear Least Squares Soe Dfferet Perspectves o Lear Least Squares A stadard proble statstcs s to easure a respose or depedet varable, y, at fed values of oe or ore depedet varables. Soetes there ests a deterstc odel y f (,,