Differential cryptanalysis of Feistel ciphers and differentially $\delta$-uniform mappings

Anne Canteaut
INRIA, Projet CODES, Domaine de Voluceau, Le Chesnay Cedex, France
(On leave at the Institute for Signal and Information Processing, ETH Zurich, Switzerland.)

Abstract. In this paper we study the round permutations (or S-boxes) which provide to Feistel ciphers the best resistance against differential cryptanalysis. We prove that a Feistel cipher with any round keys and with at least 5 rounds resists any differential attack if its round permutation is differentially $\delta$-uniform for a small $\delta$. This improves an earlier result due to Nyberg and Knudsen which only held for independent and uniformly random round keys. We also give some necessary conditions for a mapping to be almost perfect nonlinear (i.e. differentially 2-uniform).

1 Introduction

The underlying motivation of this work is the design of a Feistel cipher which resists all classical attacks. The DES cipher seems to have this property since no cryptanalysis is really more efficient than an exhaustive search for the key. But it would be very important to find a new secure DES-like cipher because the size of the secret key used in DES makes a brute-force attack feasible. The main problem is therefore to replace the S-boxes used in DES with another function which resists both differential and linear cryptanalysis. In this paper we study the round permutations (which play the same role as the S-boxes) which ensure that the corresponding Feistel cipher is secure against differential cryptanalysis.

In [NK93] Nyberg and Knudsen gave a condition under which a Feistel cipher resists differential cryptanalysis "in average". They actually gave an upper bound on the probability of any $r$-round differential of a Feistel cipher, for $r \ge 3$, but this bound only holds when the round keys are independent and uniformly random. This result does therefore not rule out the existence of some weak round keys for which a differential attack would be feasible. A lower bound on the complexity of a practical differential attack can then only be deduced if it is additionally assumed that the hypothesis of stochastic equivalence [LMM91] is satisfied, i.e. if the differentials have roughly the same probabilities for all round keys. But we here show that this further assumption does usually not hold for a Feistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds for any round keys. This stronger result implies that a Feistel cipher resists any differential attack if the round permutation is differentially $\delta$-uniform for a small $\delta$. The resistance of a Feistel cipher against differential cryptanalysis does therefore not require any further assumption on the round keys or on the key scheduling algorithm.

We first briefly recall in Section 2 how differential cryptanalysis works. Section 3 is then devoted to the complexity of a differential attack of a Feistel cipher: we show why Nyberg and Knudsen's result does not suffice to ensure that some Feistel ciphers are practically secure against differential cryptanalysis. We afterwards improve this result since we show that a Feistel cipher with any round keys resists differential cryptanalysis as far as its round permutation is differentially $\delta$-uniform for a small $\delta$. Section 4 gives some general properties of differentially $\delta$-uniform mappings and some necessary conditions for a permutation to be almost perfect nonlinear (APN), i.e. differentially 2-uniform. Following a result due to Carlet, Charpin and Zinoviev [CCZ97] we also prove that the smallest value of $\delta$ for which a power polynomial is differentially $\delta$-uniform is strongly related to the number of codewords of Hamming weight 3 and 4 in some binary cyclic codes with 2 zeroes.

2 Differential cryptanalysis of iterated ciphers

In an iterated block cipher with $r$ rounds the ciphertext is obtained by iterating $r$ times an invertible function, called the round function, depending on a secret parameter $K$ called the round key. The $r$ round keys are usually obtained from a unique secret key by a key scheduling algorithm. A differential attack [BS91] of such an iterated cipher consists in encrypting pairs of plaintexts whose difference is a fixed value.
The difference between two plaintexts $X$ and $X'$ is here defined by a group operation $\ast$ on the set of plaintexts: $\Delta X = X \ast X'^{-1}$, where $X'^{-1}$ denotes the inverse of $X'$ with respect to the group operation. This attack exploits the fact that the round function of an iterated cipher is usually cryptographically weak. This means that the value of the round key $K$ can usually be determined from the knowledge of the difference between the inputs of the function, $\Delta X$, and from both outputs $Y$ and $Y'$. The basic idea of a differential attack therefore consists in submitting two different plaintexts $X$ and $X'$ with $\Delta X = \alpha$ for encryption and in estimating the value of the input difference of the last round, $\Delta Y(r-1)$ (see Figure 1). If the round function is cryptographically weak, it is then possible to recover the value of the last-round key $K_r$. Differential cryptanalysis will then be successful if there exists an $(r-1)$-round differential $(\alpha, \beta)$ such that

$$P = P[\Delta Y(r-1) = \beta \mid \Delta Y(0) = \alpha,\ K_1 = k_1, \ldots, K_{r-1} = k_{r-1}] \qquad (1)$$

is high.

Figure 1: Differential cryptanalysis of an iterated cipher. Two plaintexts $Y(0) = m$ and $Y'(0) = m'$ with $\Delta Y(0) = \alpha$ go through the rounds with keys $K_1 = k_1, \ldots, K_r = k_r$; the attacker assumes $\Delta Y(r-1) = \beta$ and recovers $K_r$ from the ciphertexts $Y(r) = c$ and $Y'(r) = c'$.

As soon as such an $(r-1)$-round differential is known, the attack consists in iterating the following procedure:
- Choose a plaintext $m$ uniformly at random and submit $m$ and the plaintext $m'$ with $\Delta m = \alpha$ for encryption.
- Suppose that $\Delta Y(r-1) = \beta$ and determine all corresponding possible values for $K_r$.

After many steps one value for $K_r$ will occur significantly more often than the other ones. The number of such iterations required for recovering the value of the last-round key is then at least [LMM91]

$$\frac{1}{P - \frac{1}{2^n - 1}}$$

where $P$ is given by Equation (1) and $n$ is the plaintext size. An iterated cipher then resists differential cryptanalysis if, for a fixed plaintext difference, the probability distribution of the output difference at the last-but-one round is close to the uniform distribution.

The main problem in this attack is to estimate the probability of a differential as expressed in Equation (1) since the first $(r-1)$ round keys are unknown. In most cases we are actually only able to compute the probability of a differential when the round keys are independent and uniformly random, i.e. $P[\Delta Y(r-1) = \beta \mid \Delta Y(0) = \alpha]$. If we want to deduce from this probability whether a differential attack is feasible, we have to assume that the probability of a differential is roughly the same for almost all round keys. This additional condition, called the hypothesis of stochastic equivalence, was pointed out by Lai, Massey and Murphy [LMM91].

Definition 1 (Hypothesis of stochastic equivalence). For an $(r-1)$-round differential $(\alpha, \beta)$,
$$P[\Delta Y(r-1) = \beta \mid \Delta Y(0) = \alpha,\ K_1 = k_1, \ldots, K_{r-1} = k_{r-1}] \simeq P[\Delta Y(r-1) = \beta \mid \Delta Y(0) = \alpha]$$
for almost all round keys $k_1, \ldots, k_{r-1}$.

If this hypothesis is not satisfied, a differential may have a low probability in average but its probability may nevertheless be high for some particular round keys. This would mean that some round keys would be weak in the sense that the corresponding cipher would not resist differential cryptanalysis.

3 Resistance of Feistel ciphers against differential cryptanalysis

We are now interested in the complexity of a differential attack of a Feistel cipher when the difference is defined by the bitwise XOR, denoted by $+$.

3.1 An upper bound on the average probability of any differential

We here only consider Feistel ciphers with block size $2n$ without expansion. In this case, the round function is designed as follows:
$$\mathbf{F}_2^n \times \mathbf{F}_2^n \to \mathbf{F}_2^n \times \mathbf{F}_2^n, \qquad (L, R) \mapsto (R,\ L + F(R + K_i))$$
where $+$ denotes the exclusive-or operation, $K_i \in \mathbf{F}_2^n$ is the $i$-th round key and $F$ is a permutation over $\mathbf{F}_2^n$, called the round permutation. Using the particular structure of this round function Nyberg and Knudsen [NK93] gave an upper bound on the probability of any $r$-round differential for $r \ge 3$ when the round keys are independent and uniformly random. They actually proved the following result:

Proposition 1 [NK93]. For a Feistel cipher with block size $2n$, with round permutation $F$ and with independent uniformly random round keys, the probability of any $r$-round differential $(\alpha, \beta)$, $\alpha \ne 0$, for $r \ge 3$ satisfies
$$P[\Delta Y(r) = \beta \mid \Delta Y(0) = \alpha] \le 2 \left(\frac{\delta}{2^n}\right)^2$$
where
$$\delta = \max_{\alpha \ne 0} \max_{\beta} \left|\{X \in \mathbf{F}_2^n ;\ F(X + \alpha) + F(X) = \beta\}\right|.$$

This proposition then implies that any Feistel cipher with at least 5 rounds resists differential cryptanalysis if the round permutation is such that $\delta$ is small and if the hypothesis of stochastic equivalence is satisfied. In order to use this theoretical result in practice, Knudsen [Knu94] called a Feistel cipher a practically secure Feistel cipher if it resists differential cryptanalysis under the assumption of independent uniformly random round keys. But it unfortunately seems that the hypothesis of stochastic equivalence does not hold in general for a Feistel cipher.

3.2 Hypothesis of stochastic equivalence for Feistel ciphers

As an example we here show that the hypothesis of stochastic equivalence is not satisfied for a small Feistel cipher with block size 8. The round permutation of this cipher is defined by
$$F : \mathbf{F}_2^4 \to \mathbf{F}_2^4, \qquad x \mapsto x^7$$
where the vector space $\mathbf{F}_2^4$ is identified with the finite field with 16 elements. For this small Feistel cipher, we give the probabilities of two different 3-round differentials $(\alpha, \beta)$.

For the first one, when the round keys are independent and uniformly random, we obtain
$$P[\Delta Y(3) = \beta \mid \Delta Y(0) = \alpha] = 9.8 \cdot 10^{-3}.$$
But when the first 3 round keys are fixed, we get
$$P[\Delta Y(3) = \beta \mid \Delta Y(0) = \alpha,\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = \begin{cases} 0 & \text{for 50\% of the keys} \\ 7.8 \cdot 10^{-3} & \text{for 25\% of the keys} \\ 3.12 \cdot 10^{-2} & \text{for 25\% of the keys.} \end{cases}$$

For the second one, when the round keys are independent and uniformly random, this 3-round differential has probability
$$P[\Delta Y(3) = \beta \mid \Delta Y(0) = \alpha] = 1.56 \cdot 10^{-2}.$$
But for fixed round keys this probability actually equals
$$P[\Delta Y(3) = \beta \mid \Delta Y(0) = \alpha,\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = \begin{cases} 0 & \text{for 75\% of the keys} \\ 6.25 \cdot 10^{-2} & \text{for 25\% of the keys.} \end{cases}$$

It then turns out that for this particular Feistel cipher the hypothesis of stochastic equivalence does not hold. Furthermore the computation of the probability of some 3-round differentials for many different small Feistel ciphers leads to similar results. This then implies that the result given by Nyberg and Knudsen does not allow to deduce whether a differential attack of a Feistel cipher is feasible in practice.

3.3 A practical result on the resistance of Feistel ciphers against differential cryptanalysis

The hypothesis of stochastic equivalence is nevertheless satisfied for any Feistel cipher in some particular cases. We here denote by $\delta(\alpha, \beta)$ the number of solutions $X \in \mathbf{F}_2^n$ of the equation
$$F(X + \alpha) + F(X) = \beta,$$
so that the quantity $\delta$ of Proposition 1 is $\max_{\alpha \ne 0,\ \beta} \delta(\alpha, \beta)$.

Proposition 2. For any Feistel cipher with block size $2n$, the hypothesis of stochastic equivalence exactly holds for any 2-round differential $(\alpha, \beta)$. Moreover we have, for any $\alpha_L, \alpha_R, \beta_L, \beta_R \in \mathbf{F}_2^n$ and for any round keys $k_1$ and $k_2$,
$$P[\Delta Y(2) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2] = P[\Delta Y(2) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R)] = \frac{\delta(\alpha_R, \alpha_L + \beta_L)\ \delta(\beta_L, \alpha_R + \beta_R)}{2^{2n}}.$$

Proof. We denote by $R(i)$ the right half of the input of the $(i+1)$-th round and by $L(i)$ its left half. Similarly $Z(i) = F(R(i) + K_{i+1})$. When the round keys are fixed, the probability of a 2-round differential can be decomposed as follows:
$$\begin{aligned} P &= P[\Delta Y(2) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2] \\ &= P[\Delta Z(1) = \alpha_R + \beta_R \mid \Delta R(1) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2] \cdot P[\Delta Z(0) = \alpha_L + \beta_L \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1]. \end{aligned}$$
Since $R(0)$ is uniformly random, we obviously have that
$$P[\Delta Z(0) = \alpha_L + \beta_L \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1] = \frac{\delta(\alpha_R, \alpha_L + \beta_L)}{2^n}.$$
On the other hand, we have
$$P[\Delta Z(1) = \alpha_R + \beta_R \mid \Delta R(1) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2] = \sum_r P[\Delta Z(1) = \alpha_R + \beta_R \mid \Delta R(1) = \beta_L,\ R(1) + k_2 = r] \cdot P[R(1) + k_2 = r \mid \Delta R(1) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1].$$
Since $R(1) = F(R(0) + k_1) + L(0)$ and since $L(0)$ is uniformly distributed, the random variable $R(1)$ is uniformly distributed even if $\Delta R(1)$ and $\Delta Y(0)$ are fixed. We then obtain that
$$P[\Delta Z(1) = \alpha_R + \beta_R \mid \Delta R(1) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2] = P[\Delta Z(1) = \alpha_R + \beta_R \mid \Delta R(1) = \beta_L] = \frac{\delta(\beta_L, \alpha_R + \beta_R)}{2^n}. \qquad \square$$

The hypothesis of stochastic equivalence is also satisfied for some 3-round differentials as asserted in the following proposition.

Proposition 3. For any Feistel cipher with block size $2n$, the hypothesis of stochastic equivalence exactly holds for any 3-round differential $((\alpha_L, \alpha_R), (\beta_L, \beta_R))$ such that $\alpha_R = 0$ or $\beta_L = \alpha_R$. We additionally have that for any round keys $k_1, k_2$ and $k_3$,
$$P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, 0),\ (K_1, K_2, K_3) = (k_1, k_2, k_3)] = \frac{\delta(\alpha_L, \beta_L)\ \delta(\beta_L, \beta_R + \alpha_L)}{2^{2n}}$$
$$P[\Delta Y(3) = (\alpha_R, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ (K_1, K_2, K_3) = (k_1, k_2, k_3)] = \frac{\delta(\alpha_R, \alpha_L)\ \delta(\alpha_R, \beta_R)}{2^{2n}}.$$

Proof. Case $\alpha_R = 0$. In this case, the first round of the cipher is a trivial round. Thus $\Delta R(1) = \alpha_L$ with probability 1. The random variable $R(1)$ is then uniformly distributed when $L(0)$ and $R(0)$ are uniformly random. We then obtain
$$\begin{aligned} P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, 0),\ (K_1, K_2, K_3) = (k_1, k_2, k_3)] &= P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(1) = (0, \alpha_L),\ (K_2, K_3) = (k_2, k_3)] \\ &= \frac{\delta(\alpha_L, \beta_L)\ \delta(\beta_L, \beta_R + \alpha_L)}{2^{2n}} \end{aligned}$$
where the last equality is deduced from Proposition 2.

Case $\beta_L = \alpha_R$. In this case $\Delta Z(1) = 0$. Since $F$ is a permutation, this can only occur when $\Delta R(1) = 0$. This implies that the second round of the cipher is here a trivial round. We then have
$$P[\Delta Y(3) = (\alpha_R, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = \frac{\delta(\alpha_R, \alpha_L)}{2^n} \cdot P[\Delta Z(2) = \beta_R \mid \Delta R(2) = \alpha_R,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3].$$
On the other hand the random variable $R(2)$ is uniformly distributed in this case even if the differences $\Delta R(2)$, $\Delta Y(0)$ and the first two round keys are fixed. This implies that
$$P[\Delta Z(2) = \beta_R \mid \Delta R(2) = \alpha_R,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = P[\Delta Z(2) = \beta_R \mid \Delta R(2) = \alpha_R]$$
and we therefore conclude that
$$P[\Delta Y(3) = (\alpha_R, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ (K_1, K_2, K_3) = (k_1, k_2, k_3)] = \frac{\delta(\alpha_R, \alpha_L)\ \delta(\alpha_R, \beta_R)}{2^{2n}}. \qquad \square$$

Using that the hypothesis is always satisfied in these two cases, we now prove that the upper bound on the probability of a differential given by Nyberg and Knudsen still holds for any round keys.

Theorem 1. For a Feistel cipher with block size $2n$, with round permutation $F$ and with any round keys $k_1, \ldots, k_r$, the probability of any $r$-round differential $(\alpha, \beta)$, $\alpha \ne 0$, for $r \ge 3$, satisfies
$$P[\Delta Y(r) = \beta \mid \Delta Y(0) = \alpha,\ K_1 = k_1, \ldots, K_r = k_r] \le 2 \left(\frac{\delta}{2^n}\right)^2$$
where
$$\delta = \max_{\alpha \ne 0} \max_{\beta} \left|\{X \in \mathbf{F}_2^n ;\ F(X + \alpha) + F(X) = \beta\}\right|.$$

Proof. We first prove this result for any 3-round differential $((\alpha_L, \alpha_R), (\beta_L, \beta_R))$ with $(\alpha_L, \alpha_R) \ne (0, 0)$. The probability of any 3-round differential $(\alpha, \beta)$ can be decomposed according to the value $d$ of $\Delta R(1)$:
$$\begin{aligned} P &= P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] \\ &= \sum_d P[\Delta Z(2) = \beta_R + d \mid \Delta R(2) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] \cdot \frac{\delta(\alpha_R, d + \alpha_L)\ \delta(d, \beta_L + \alpha_R)}{2^{2n}}. \end{aligned}$$
If $\alpha_R \ne \beta_L$, $\Delta R(1)$ cannot be zero, so the sum runs over $d \ne 0$. If moreover $\alpha_R \ne 0$, both factors $\delta(\alpha_R, d + \alpha_L)$ and $\delta(d, \beta_L + \alpha_R)$ are at most $\delta$ and we conclude that
$$P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] \le \left(\frac{\delta}{2^n}\right)^2 \sum_{d \ne 0} P[\Delta Z(2) = \beta_R + d \mid \Delta R(2) = \beta_L,\ \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] \le 2 \left(\frac{\delta}{2^n}\right)^2.$$
If $\alpha_R = 0$, the previous proposition gives
$$P[\Delta Y(3) = (\beta_L, \beta_R) \mid \Delta Y(0) = (\alpha_L, 0),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = \frac{\delta(\alpha_L, \beta_L)\ \delta(\beta_L, \beta_R + \alpha_L)}{2^{2n}} \le \left(\frac{\delta}{2^n}\right)^2$$
since $\beta_L = 0$ would imply that $\alpha_L = 0$ and hence that $\alpha = 0$. If $\beta_L = \alpha_R$, the previous proposition gives
$$P[\Delta Y(3) = (\alpha_R, \beta_R) \mid \Delta Y(0) = (\alpha_L, \alpha_R),\ K_1 = k_1, K_2 = k_2, K_3 = k_3] = \frac{\delta(\alpha_R, \alpha_L)\ \delta(\alpha_R, \beta_R)}{2^{2n}} \le \left(\frac{\delta}{2^n}\right)^2$$
since $\alpha_R = 0$ would imply that $\beta_L = 0$, which is the previous case. We now obtain the same upper bound for any $r$-round differential for $r > 3$ by induction on $r$. $\square$

This new theorem implies that a Feistel cipher with any round keys is secure against differential cryptanalysis as far as the round permutation is such that $\delta$ is small. This only depends on the following property of the round permutation defined by Nyberg and Knudsen [NK93]:

Definition 2. A function $F$ over $\mathbf{F}_2^n$ is differentially $\delta$-uniform if, for all $\alpha \in \mathbf{F}_2^n$, $\alpha \ne 0$, and for all $\beta \in \mathbf{F}_2^n$,
$$\left|\{X \in \mathbf{F}_2^n ;\ F(X + \alpha) + F(X) = \beta\}\right| \le \delta.$$
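The following Python program is an added example (not code from the paper) that reruns the Section 3.2 experiment on the same toy cipher, block size 8 with round permutation $x \mapsto x^7$, and checks Proposition 2, the $\alpha_R = 0$ case of Proposition 3 and the bound of Theorem 1 by exhaustive enumeration. Its assumptions are its own: GF(16) is built from $x^4 + x + 1$ (the paper does not say which modulus it uses), the input difference is $\alpha = (1, 2)$, and it relies on an observation the paper does not make, namely that the fixed-key probability of this cipher does not depend on $k_2$ (for a fixed $R(0)$, $L(0) \mapsto R(1) + k_2$ is a bijection), which it spot-checks before enumerating only the $(k_1, k_3)$ pairs.

```python
"""Toy Feistel cipher of Section 3.2: block size 2n = 8, round permutation F(x) = x^7
over GF(2^4). Added example, not code from the paper. The field is built from the
modulus x^4 + x + 1 (an assumption: the paper only identifies F_2^4 with GF(16))."""
from collections import Counter
from itertools import product

N = 4                      # half-block size n; the block size is 2n = 8 bits
SIZE = 1 << N
MODULUS = 0b10011          # x^4 + x + 1, assumed irreducible polynomial defining GF(16)


def gf_mul(a, b):
    """Carry-less multiplication of two GF(16) elements, reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MODULUS
    return r


def gf_pow(x, t):
    r = 1
    for _ in range(t):
        r = gf_mul(r, x)
    return r


F = [gf_pow(x, 7) for x in range(SIZE)]           # round permutation x -> x^7
# DDT[a][b] = delta(alpha, beta) = #{X : F(X + alpha) + F(X) = beta} (Section 3.3)
DDT = [[sum(1 for x in range(SIZE) if F[x ^ a] ^ F[x] == b) for b in range(SIZE)]
       for a in range(SIZE)]
DELTA = max(DDT[a][b] for a in range(1, SIZE) for b in range(SIZE))  # uniformity, Def. 2


def nk_bound():
    """Right-hand side of Proposition 1 and Theorem 1: 2 (delta / 2^n)^2."""
    return 2 * (DELTA / SIZE) ** 2


def encrypt(l, r, keys):
    """Feistel round function (L, R) -> (R, L + F(R + K_i)), one round per key."""
    for k in keys:
        l, r = r, l ^ F[r ^ k]
    return l, r


def fixed_key_probs(alpha, keys):
    """P[dY(r) = beta | dY(0) = alpha, K = keys] for every beta, over all 2^(2n)
    plaintexts. Returns {(beta_L, beta_R): probability}."""
    al, ar = alpha
    counts = Counter()
    for l, r in product(range(SIZE), repeat=2):
        cl, cr = encrypt(l, r, keys)
        dl, dr = encrypt(l ^ al, r ^ ar, keys)
        counts[(cl ^ dl, cr ^ dr)] += 1
    return {beta: c / SIZE ** 2 for beta, c in counts.items()}


def formula_holds(alpha, key_tuples, expected):
    """True if the exhaustive probability equals expected(bL, bR) / 2^(2n) for every key."""
    for keys in key_tuples:
        probs = fixed_key_probs(alpha, keys)
        for bl, br in product(range(SIZE), repeat=2):
            if abs(probs.get((bl, br), 0.0) - expected(bl, br) / SIZE ** 2) > 1e-12:
                return False
    return True


def two_round_formula_holds(alpha):
    """Proposition 2 over all 2^(2n) key pairs: delta(aR, aL+bL) delta(bL, aR+bR) / 2^(2n)."""
    al, ar = alpha
    return formula_holds(alpha, product(range(SIZE), repeat=2),
                         lambda bl, br: DDT[ar][al ^ bl] * DDT[bl][ar ^ br])


def alpha_r_zero_formula_holds(al, key_triples):
    """Proposition 3, case alpha_R = 0: delta(aL, bL) delta(bL, bR + aL) / 2^(2n)."""
    return formula_holds((al, 0), key_triples,
                         lambda bl, br: DDT[al][bl] * DDT[bl][br ^ al])


def k2_is_irrelevant(alpha, key_triples):
    """For this cipher the fixed-key probability does not depend on k2: for fixed R(0),
    L(0) -> R(1) + k2 is a bijection, so k2 only relabels the uniformly distributed R(1).
    (Observation used to shrink the enumeration below; not a claim made by the paper.)"""
    return all(fixed_key_probs(alpha, (k1, k2, k3)) == fixed_key_probs(alpha, (k1, 0, k3))
               for k1, k2, k3 in key_triples)


def three_round_key_dependence(alpha):
    """Section 3.2 experiment over all (k1, k3) pairs with k2 = 0 (see above).
    Returns (max per-key probability over all keys and beta, the beta whose per-key
    probability varies most, its key-averaged probability, its distinct per-key
    probabilities, the fraction of keys for which it has probability 0)."""
    per_key = [fixed_key_probs(alpha, (k1, 0, k3)) for k1, k3 in product(range(SIZE), repeat=2)]
    betas = set().union(*per_key)
    spread = {b: max(p.get(b, 0.0) for p in per_key) - min(p.get(b, 0.0) for p in per_key)
              for b in betas}
    best = max(spread, key=spread.get)
    values = [p.get(best, 0.0) for p in per_key]
    max_prob = max(max(p.values()) for p in per_key)
    return (max_prob, best, sum(values) / len(values), sorted(set(values)),
            values.count(0.0) / len(values))


if __name__ == "__main__":
    print(f"delta = {DELTA}, Nyberg-Knudsen bound 2(delta/2^n)^2 = {nk_bound()}")
    print("Proposition 2 exact for all key pairs:", two_round_formula_holds((1, 2)))
    print("Proposition 3 (alpha_R = 0) exact:", alpha_r_zero_formula_holds(3, [(0, 0, 0), (5, 9, 14)]))
    mx, beta, avg, vals, zero = three_round_key_dependence((1, 2))
    print(f"3 rounds, alpha=(1,2): max per-key prob {mx:.4g} <= bound: {mx <= nk_bound()}")
    print(f"beta={beta}: average {avg:.4g}, per-key values {vals}, zero for {zero:.0%} of keys")
```

For $x \mapsto x^7$ over GF(16) the program finds $\delta = 4$ (the map is $x \mapsto (x^{-1})^8$, an affine equivalent of the inverse mapping, and $n$ is even), so the bound of Theorem 1 is $2 (4/16)^2 = 1/8$; the 2-round probabilities match Proposition 2 for every key pair, while for 3 rounds the per-key probabilities of the reported output difference take several distinct values, which is the failure of stochastic equivalence discussed in Section 3.2.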

Using [LMM91, Theorem 1] we obtain a lower bound on the complexity of a differential attack of a Feistel cipher, i.e. the number of encryptions it requires.

Corollary 1. Let us consider a Feistel cipher with block size $2n$, with at least 5 rounds and with a differentially $\delta$-uniform round permutation. The complexity of a differential attack against this cipher is at least
$$\frac{2^{2n} - 1}{2\delta^2 - 1}.$$
Indeed such an attack uses a 4-round differential, whose probability $P$ satisfies $P \le 2\delta^2 / 2^{2n} < 2\delta^2 / (2^{2n} - 1)$ by Theorem 1, and the number of required encryptions is at least $1 / (P - 1/(2^{2n} - 1))$.

4 Differentially $\delta$-uniform permutations

The number of solutions of $F(X + \alpha) + F(X) = \beta$ is obviously even. This implies that the smallest possible value $\delta$ such that a permutation is differentially $\delta$-uniform is $\delta = 2$. Differentially 2-uniform permutations are also called almost perfect nonlinear (APN) permutations. They correspond to the round permutations which provide the best resistance against differential cryptanalysis.

4.1 APN permutations over $\mathbf{F}_{2^n}$ for even $n$

From now on we identify the vector space $\mathbf{F}_2^n$ with the finite field $\mathbf{F}_{2^n}$. Any permutation of $\mathbf{F}_{2^n}$ can be expressed as a unique polynomial of $\mathbf{F}_{2^n}[X]$ of degree at most $2^n - 1$. We first give a necessary condition for a polynomial to be APN when $n$ is even.

Proposition 4. Let $n$ be an even integer. The mapping $F : x \mapsto \sum_{i=0}^{2^n - 1} a_i x^i$ is not APN over $\mathbf{F}_{2^n}$ if
$$\sum_{j=1}^{(2^n - 1)/3} a_{3j} = 0.$$

Proof. We first notice that 0 and 1 are two solutions of the equation
$$F(X + 1) + F(X) = \sum_{i=1}^{2^n - 1} a_i. \qquad (2)$$
Let now $x = \gamma^u$ where $\gamma$ is a primitive element of $\mathbf{F}_{2^n}$ and $u = (2^n - 1)/3$. Since $x^3 = 1$, i.e. $x^4 = x$, $x$ lies in $\mathbf{F}_4$ and $x \notin \{0, 1\}$. It then satisfies $x^2 + x + 1 = 0$, so that $x + 1 = x^2$ and $x^{2i} + x^i$ equals 0 when $3 \mid i$ and 1 otherwise. Hence $F(x + 1) + F(x) = \sum_{3 \nmid i} a_i$, and if $\sum_{j=1}^{(2^n - 1)/3} a_{3j} = 0$, $x = \gamma^u$ is a third solution of Equation (2). $\square$

This result notably implies that no power polynomial permutation, i.e. $F(x) = x^t$ with $\gcd(t, 2^n - 1) = 1$, is APN when $n$ is even.

4.2 Differentially $\delta$-uniform power polynomials and cyclic codes with two zeroes

We now only consider the mappings on $\mathbf{F}_{2^n}$ which can be expressed as a power polynomial $X^t$. In this case we only have to examine for $t$ a representative of each cyclotomic coset modulo $2^n - 1$. When $F$ is a power polynomial, the differentially $\delta$-uniform property can be characterized as follows:

Proposition 5. The power polynomial mapping $F : x \mapsto x^t$ is differentially $\delta$-uniform if and only if for all $c \in \mathbf{F}_{2^n}$, $c \ne 0$, the equation
$$(X + 1)^t + X^t = c$$
has at most $\delta$ solutions in $\mathbf{F}_{2^n}$.

Indeed, for $\alpha \ne 0$, $X$ is a solution of $(X + \alpha)^t + X^t = \beta$ if and only if $X / \alpha$ is a solution of $(X + 1)^t + X^t = \beta / \alpha^t$.

In [CCZ97] it is proved that the power polynomial function $x \mapsto x^t$ is APN over $\mathbf{F}_{2^n}$ if and only if the cyclic code $C_{1,t}$ of length $2^n - 1$ with defining set $\{1, t\}$ has minimum distance 5. The link between differentially $\delta$-uniform power polynomials and cyclic codes is still tighter since the number of solutions of the equations $(X + 1)^t + X^t = c$ is related to the number of codewords of weight 3 and 4 in $C_{1,t}$.

Proposition 6. Let $C_{1,t}$ denote the cyclic code of length $2^n - 1$ with defining set $\{1, t\}$ and let $\delta_c$ be the number of roots in $\mathbf{F}_{2^n}$ of the polynomial
$$P_c(X) = (X + 1)^t + X^t + c.$$
The number $A_3$ (resp. $A_4$) of codewords with Hamming weight 3 (resp. 4) in $C_{1,t}$ is given by
$$A_3 = \frac{(2^n - 1)(\delta_1 - 2)}{6}, \qquad A_4 = \frac{2^n - 1}{24} \left( \sum_{c \in \mathbf{F}_{2^n}} \delta_c^2 - 2^{n+1} - 4(\delta_1 - 2) \right).$$

Proof. A binary vector $x = (x_0, \ldots, x_{2^n - 2})$ belongs to $C_{1,t}$ if and only if its syndrome is zero, i.e. $\sum_j x_j \gamma^j = 0$ and $\sum_j x_j \gamma^{tj} = 0$ for a primitive element $\gamma$ of $\mathbf{F}_{2^n}$. The word with support $\{i_1, i_2, i_3, i_4\}$ then lies in $C_{1,t}$ if and only if, for $x_j = \gamma^{i_j}$, there exists $(a, b) \in \mathbf{F}_{2^n} \times \mathbf{F}_{2^n}$, $a \ne 0$, such that
$$(x_1 + a)^t + x_1^t = b = (x_3 + a)^t + x_3^t,$$
i.e. $x_1 a^{-1}$, $x_1 a^{-1} + 1$, $x_3 a^{-1}$, $x_3 a^{-1} + 1$ are 4 distinct roots of $P_c$ with $c = b / a^t$. Since 0 is a root of $P_c$ if and only if $c = 1$, we obtain that the codewords of Hamming weight 3 of $C_{1,t}$ exactly correspond to the 3-tuples $(x, y, x + y)$ with nonzero distinct coordinates such that $x(x + y)^{-1}$ and $x(x + y)^{-1} + 1$ are nonzero roots of $P_1$; there are $(2^n - 1)(\delta_1 - 2)$ such ordered pairs $(x, y)$ and each codeword corresponds to $3! = 6$ of them. Similarly the codewords of weight 4 in $C_{1,t}$ exactly correspond to the 4-tuples $(x, y, z, x + y + z)$ with nonzero distinct coordinates such that $x(x + y)^{-1}$, $x(x + y)^{-1} + 1$, $z(x + y)^{-1}$ and $z(x + y)^{-1} + 1$ are 4 distinct roots of $P_c$; each codeword corresponds to $4! = 24$ such ordered 4-tuples, and counting the ordered pairs of disjoint root pairs $\{u, u + 1\}$ of each $P_c$ (excluding the pair $\{0, 1\}$ of $P_1$) gives $\sum_{c \ne 1} \delta_c(\delta_c - 2) + (\delta_1 - 2)(\delta_1 - 4)$, which equals $\sum_c \delta_c^2 - 2^{n+1} - 4(\delta_1 - 2)$ because $\sum_c \delta_c = 2^n$. $\square$

Note that if $n$ is odd and if the minimum distance of $C_{1,t}$ is 3, the smallest possible value for $\delta$ such that $x \mapsto x^t$ is differentially $\delta$-uniform is 8: $A_3$ is an integer and $2^n - 1$ is then prime to 6, so $\delta_1 \equiv 2 \bmod 6$, and $A_3 > 0$ forces $\delta_1 \ge 8$.
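As an added example (not from the paper), the following Python program computes the root counts $\delta_c$ of $P_c$, the differential uniformity of Proposition 5 and the weight enumerators $A_3$, $A_4$ of Proposition 6 for $x \mapsto x^3$ over $\mathbf{F}_{2^5}$ (an APN Gold exponent) and $x \mapsto x^7$ over $\mathbf{F}_{2^4}$ (not APN, $n$ even), and confirms the formulas against a brute-force enumeration of the weight-3 and weight-4 words of $C_{1,t}$ through their syndromes. The primitive polynomials $x^4 + x + 1$ and $x^5 + x^2 + 1$ and the two exponents are the example's own choices.

```python
"""Proposition 5 and Proposition 6 checked numerically for x -> x^t over GF(2^n).
Added example, not code from the paper. delta_c is the number of roots of
P_c(X) = (X+1)^t + X^t + c; A_3 and A_4 from the formulas of Proposition 6 are
compared with a brute-force enumeration of the weight-3 and weight-4 words of the
cyclic code C_{1,t}. Assumed primitive polynomials: x^4+x+1 (n=4), x^5+x^2+1 (n=5)."""
from itertools import combinations

PRIMITIVE = {4: 0b10011, 5: 0b100101}   # assumed primitive polynomials for GF(2^4), GF(2^5)


def gf_mul(a, b, n):
    """Carry-less multiplication in GF(2^n) modulo the chosen primitive polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= PRIMITIVE[n]
    return r


def gf_pow(x, t, n):
    """x^t in GF(2^n) by square-and-multiply."""
    r = 1
    while t:
        if t & 1:
            r = gf_mul(r, x, n)
        x = gf_mul(x, x, n)
        t >>= 1
    return r


def root_counts(n, t):
    """delta_c for every c in GF(2^n): delta_c = #{X : (X+1)^t + X^t = c}."""
    counts = [0] * (1 << n)
    for x in range(1 << n):
        counts[gf_pow(x ^ 1, t, n) ^ gf_pow(x, t, n)] += 1
    return counts


def uniformity(n, t):
    """Proposition 5: the smallest delta such that x^t is differentially delta-uniform
    is the largest root count over c != 0."""
    return max(root_counts(n, t)[1:])


def weight_enumerators_from_roots(n, t):
    """A_3 and A_4 of C_{1,t} computed with the formulas of Proposition 6."""
    length = (1 << n) - 1
    d = root_counts(n, t)
    a3 = length * (d[1] - 2) // 6
    a4 = length * (sum(c * c for c in d) - 2 ** (n + 1) - 4 * (d[1] - 2)) // 24
    return a3, a4


def weight_enumerators_brute_force(n, t):
    """A_3 and A_4 of C_{1,t} by checking the syndrome (x(gamma), x(gamma^t)) of
    every word of weight 3 and 4, gamma being the root of the primitive polynomial."""
    length = (1 << n) - 1
    gamma_pow = [gf_pow(0b10, i, n) for i in range(length)]     # gamma^i
    gamma_tpow = [gf_pow(g, t, n) for g in gamma_pow]            # gamma^(t i)

    def count(weight):
        total = 0
        for support in combinations(range(length), weight):
            s1 = s2 = 0
            for i in support:
                s1 ^= gamma_pow[i]
                s2 ^= gamma_tpow[i]
            total += (s1 == 0 and s2 == 0)
        return total

    return count(3), count(4)


if __name__ == "__main__":
    for n, t in ((5, 3), (4, 7)):
        print(f"n={n}, t={t}: delta={uniformity(n, t)}, "
              f"Prop. 6 gives (A3, A4)={weight_enumerators_from_roots(n, t)}, "
              f"brute force gives {weight_enumerators_brute_force(n, t)}")
```

For $t = 3$ over $\mathbf{F}_{2^5}$ both computations give $A_3 = A_4 = 0$, which is the minimum distance 5 of [CCZ97]; for $t = 7$ over $\mathbf{F}_{2^4}$ the row of root counts contains a 4, $\delta_1 = 4$, and the code has $A_3 = (15 \cdot 2)/6 = 5$ words of weight 3, as Proposition 4 predicts for a power permutation with $n$ even.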
Some cyclic codes with 2 zeroes and with minimum distance 3 were examined in [CTZ97].

4.3 Some APN power polynomials

Table 1 lists all known exponents $t$ (up to equivalence) such that $x \mapsto x^t$ is APN. But the only APN power polynomials $X^t$ amongst these 4 families which can be used as a round permutation of a Feistel cipher are those corresponding to $t \in K_i$ with $i$ large enough. It was actually proved that the mapping $x \mapsto x^t$ with $t \in I$ is not secure against linear cryptanalysis [LW90, CV95]. The power polynomials corresponding to $t \in Q_i$ or $t \in W$ can neither be used since a differential attack using higher order differentials is feasible when the Hamming weight of $t$ is small [JK97]. This attack exploits the fact that any ciphertext bit can be expressed as a polynomial in all plaintext bits of degree at most $d = w(t)^{r-3}$, where $w(t)$ is the Hamming weight of $t$ and $r$ denotes the number of rounds.

Table 1: Minimum value of $\delta$ for some power polynomials $x \mapsto x^t$ on $\mathbf{F}_{2^n}$.

exponent $t$        | smallest $\delta$ such that $F$ is differentially $\delta$-uniform | cyclotomic coset | ref.
$2^i + 1$           | $2^{\gcd(n, i)}$                                | $Q_i$ | [Nyb93]
$2^n - 2$           | 2 if $n$ is odd, 4 if $n$ is even               | $I$   | [Nyb93, BD93]
$2^{2i} - 2^i + 1$  | 2 if $n$ is odd and $\gcd(n, i) = 1$            | $K_i$ | [Kas71]
$2^{(n-1)/2} + 3$   | 2 if $n$ is odd                                 | $W$   | [Dob]

4.4 A lower bound on the degree of APN power polynomials over $\mathbf{F}_{2^n}$

Janwa, McGuire and Wilson [JW93, JMW95] proved that for most values of $t$, the code $C_{1,t}$ of length $2^n - 1$ does not have minimum distance 5 for infinitely many values of $n$. Their proof relies on Weil's theorem which gives a lower bound on the number of rational points on an absolutely irreducible curve over $\mathbf{F}_{2^n}$. We here use a similar argument for proving that for a fixed $n$ the mapping $x \mapsto x^t$ is not APN unless $t$ exceeds a certain value.

Theorem 2. Suppose that the curve
$$g_t(X, Y) = \frac{X^t + Y^t + 1 + (X + Y + 1)^t}{(X + Y)(X + 1)(Y + 1)}$$
is absolutely irreducible over $\mathbf{F}_2$. The mapping $x \mapsto x^t$ is not APN over $\mathbf{F}_{2^n}$, $n \ge 5$, if $t \le 2^{n/4} + 4.5$.

Janwa, McGuire and Wilson [JMW95] proved that $g_t(X, Y)$ is absolutely irreducible for any $t \equiv 3 \bmod 4$, $t > 3$, and for some values such that $t \equiv 1 \bmod 4$. They actually conjectured that this curve is absolutely irreducible for all values of $t$ except those lying in the cyclotomic cosets $Q_i$ and $K_i$ (see Table 1). This statement also holds for any $t < 100$. We therefore give in Table 2 some values of $t$ for which $x \mapsto x^t$ is not APN.

Table 2 (columns $n$, $t_{\min}$): bound $t_{\min}$ such that $x \mapsto x^t$ is not APN over $\mathbf{F}_{2^n}$ for all $t < t_{\min}$, $t \notin Q_i \cup K_i$.

5 Concluding remarks

We here proved that a Feistel cipher without expansion with any round keys resists differential cryptanalysis if its round permutation is differentially $\delta$-uniform for a small $\delta$. But the only (up to equivalence) known APN permutation which can be used in a Feistel cipher is the power polynomial function over $\mathbf{F}_{2^n}$ defined by $x \mapsto x^{2^{2i} - 2^i + 1}$ where $n$ is odd and $\gcd(n, i) = 1$. It nevertheless appears that any new result concerning either the number of roots of polynomials over a finite field or the weight distribution of some cyclic codes would have some important consequences for the design of new provably secure Feistel ciphers. It is however important to note that the resistance of Feistel ciphers against a differential attack is still an open problem when the difference is not defined by the bitwise exclusive-or but by another group operation on the set of plaintexts.

References

[BD93] T. Beth and C. Ding. On almost perfect nonlinear permutations. In Advances in Cryptology - EUROCRYPT'93, number 765 in Lecture Notes in Computer Science, pages 65-76. Springer-Verlag.
[BS91] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3-72.
[CCZ97] C. Carlet, P. Charpin, and V. Zinoviev. Cyclic codes and permutations suitable for DES-like cryptosystems. In 1997 IEEE Information Theory Workshop, Norway, July. To be presented.
[CTZ97] P. Charpin, A. Tietäväinen, and V. Zinoviev. On binary cyclic codes with d = 3. Problems of Information Transmission. To appear.
[CV95] F. Chabaud and S. Vaudenay. Links between differential and linear cryptanalysis. In Advances in Cryptology - EUROCRYPT'94, number 950 in Lecture Notes in Computer Science, pages 356-365. Springer-Verlag.
[Dob] H. Dobbertin. Private communication.
[JK97] T. Jakobsen and L.R. Knudsen. The interpolation attack on block ciphers. In Fast Software Encryption 97, January.
[JMW95] H. Janwa, G. McGuire, and R.M. Wilson. Double-error correcting cyclic codes and absolutely irreducible polynomials over GF(2). Journal of Algebra, (178):665-676.
[JW93] H. Janwa and R.M. Wilson. Hyperplane sections of Fermat varieties in P^3 in char. 2 and some applications to cyclic codes. In Applied Algebra, Algebraic Algorithms and Error-correcting Codes - Proceedings AAECC-10, number 673 in Lecture Notes in Computer Science, pages 180-194. Springer-Verlag.
[Kas71] T. Kasami. The weight enumerators for several classes of subcodes of the second order binary Reed-Muller codes. Information and Control, (18):369-394.
[Knu94] L.R. Knudsen. Practically secure Feistel ciphers. In Fast Software Encryption 93, number 809 in Lecture Notes in Computer Science, pages 211-221. Springer-Verlag.
[LMM91] X. Lai, J.L. Massey, and S. Murphy. Markov ciphers and differential cryptanalysis. In Advances in Cryptology - EUROCRYPT'91, number 547 in Lecture Notes in Computer Science, pages 17-38. Springer-Verlag.
[LW90] G. Lachaud and J. Wolfmann. The weights of the orthogonals of the extended quadratic binary Goppa codes. IEEE Transactions on Information Theory, 36(3):686-692.
[NK93] K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology - CRYPTO'92, number 740 in Lecture Notes in Computer Science, pages 566-574. Springer-Verlag.
[Nyb93] K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, number 765 in Lecture Notes in Computer Science, pages 55-64. Springer-Verlag, 1993.


Computing the biases of parity-check relations Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET

More information

Constructing differential 4-uniform permutations from know ones

Constructing differential 4-uniform permutations from know ones Noname manuscript No. (will be inserted by the editor) Constructing differential 4-uniform permutations from know ones Yuyin Yu Mingsheng Wang Yongqiang Li Received: date / Accepted: date Abstract It is

More information

Some Results on the Known Classes of Quadratic APN Functions

Some Results on the Known Classes of Quadratic APN Functions Some Results on the Known Classes of Quadratic APN Functions Lilya Budaghyan, Tor Helleseth, Nian Li, and Bo Sun Department of Informatics, University of Bergen Postboks 7803, N-5020, Bergen, Norway {Lilya.Budaghyan,Tor.Helleseth,Nian.Li,Bo.Sun}@uib.no

More information

APN Power Functions Over GF(2 n ) for Infinitely Many n

APN Power Functions Over GF(2 n ) for Infinitely Many n APN Power Functions Over GF( n ) for Infinitely Many n David Jedlicka University of Texas at Austin Department of Mathematics Austin, TX 7871 USA jedlicka@math.utexas.edu July 11, 005 Abstract I present

More information

Hyperbent functions, Kloosterman sums and Dickson polynomials

Hyperbent functions, Kloosterman sums and Dickson polynomials Hyperbent functions, Kloosterman sums and Dickson polynomials Pascale Charpin INRIA, Codes Domaine de Voluceau-Rocquencourt BP 105-78153, Le Chesnay France Email: pascale.charpin@inria.fr Guang Gong Department

More information

Provable Security Against Differential and Linear Cryptanalysis

Provable Security Against Differential and Linear Cryptanalysis Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly

More information

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD. Correlation Attack to the Block Cipher RC5 and the Simplied Variants of RC6 Takeshi Shimoyama 3, Kiyofumi Takeuchi y, Juri Hayakawa y 3 Fujitsu Laboratories LTD. 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki

More information

Analysis of SHA-1 in Encryption Mode

Analysis of SHA-1 in Encryption Mode Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars

More information

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C.

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C. Provable Security Against a Dierential Attack Kaisa Nyberg and Lars Ramkilde Knudsen Aarus University, DK-8000 Aarus C. Abstract. Te purpose of tis paper is to sow tat tere exist DESlike iterated cipers,

More information

Type 1.x Generalized Feistel Structures

Type 1.x Generalized Feistel Structures Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized

More information

Characterizations of the differential uniformity of vectorial functions by the Walsh transform

Characterizations of the differential uniformity of vectorial functions by the Walsh transform Characterizations of the differential uniformity of vectorial functions by the Walsh transform Claude Carlet LAGA, Department of Mathematics, University of Paris 8 (and Paris 13 and CNRS), Saint Denis

More information

On High-Rate Cryptographic Compression Functions

On High-Rate Cryptographic Compression Functions On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

On Binary Cyclic Codes with Codewords of Weight Three and Binary Sequences with the Trinomial Property

On Binary Cyclic Codes with Codewords of Weight Three and Binary Sequences with the Trinomial Property IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 1, JANUARY 2001 421 [4] A. A. Davydov, Constructions and families of covering codes and saturated sets of points in projective geometry, IEEE Trans.

More information

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer

More information

Affine equivalence in the AES round function

Affine equivalence in the AES round function Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,

More information

Fourier Spectra of Binomial APN Functions

Fourier Spectra of Binomial APN Functions Fourier Spectra of Binomial APN Functions arxiv:0803.3781v1 [cs.dm] 26 Mar 2008 Carl Bracken Eimear Byrne Nadya Markin Gary McGuire March 26, 2008 Abstract In this paper we compute the Fourier spectra

More information

Differentially uniform mappings for cryptography

Differentially uniform mappings for cryptography Differentially uniform mappings for cryptography KAISA NYBERG* Institute of Computer Technology, Vienna Technical University Abstract. This work is motivated by the observation that in DES-like ciphexs

More information

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

A Unified Method for Finding Impossible Differentials of Block Cipher Structures A Unified Method for inding Impossible Differentials of Block Cipher Structures Yiyuan Luo 1,2, Zhongming Wu 1, Xuejia Lai 1 and Guang Gong 2 1 Department of Computer Science and Engineering, Shanghai

More information

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]

More information

CCZ-equivalence and Boolean functions

CCZ-equivalence and Boolean functions CCZ-equivalence and Boolean functions Lilya Budaghyan and Claude Carlet Abstract We study further CCZ-equivalence of (n, m)-functions. We prove that for Boolean functions (that is, for m = 1), CCZ-equivalence

More information

jorge 2 LSI-TEC, PKI Certification department

jorge 2 LSI-TEC, PKI Certification department Linear Analysis of reduced-round CAST-28 and CAST-256 Jorge Nakahara Jr, Mads Rasmussen 2 UNISANTOS, Brazil jorge nakahara@yahoo.com.br 2 LSI-TEC, PKI Certification department mads@lsitec.org.br Abstract.

More information

If a Generalised Butterfly is APN then it Operates on 6 Bits

If a Generalised Butterfly is APN then it Operates on 6 Bits If a Generalised Butterfly is APN then it Operates on 6 Bits Anne Canteaut 1, Léo Perrin 1, Shizhu Tian 1,2,3 1 Inria, Paris, France. 2 State Key Laboratory of Information Security, Institute of Information

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers 1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,

More information

Higher-order differential properties of Keccak and Luffa

Higher-order differential properties of Keccak and Luffa Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay

More information

Statistical and Linear Independence of Binary Random Variables

Statistical and Linear Independence of Binary Random Variables Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.

More information

LECTURE NOTES IN CRYPTOGRAPHY

LECTURE NOTES IN CRYPTOGRAPHY 1 LECTURE NOTES IN CRYPTOGRAPHY Thomas Johansson 2005/2006 c Thomas Johansson 2006 2 Chapter 1 Abstract algebra and Number theory Before we start the treatment of cryptography we need to review some basic

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Higher-order differential properties of Keccak and Luffa

Higher-order differential properties of Keccak and Luffa Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe

Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan E Minnehaha Parkway 1098 VA Amsterdam, Nethe Cryptanalysis of Akelarre Niels Ferguson Bruce Schneier DigiCash bv Counterpane Systems Kruislaan 9 0 E Minnehaha Parkway 098 VA Amsterdam, Netherlands Minneapolis, MN 559, USA niels@digicash.com schneier@counterpane.com

More information

Analysis of Some Quasigroup Transformations as Boolean Functions

Analysis of Some Quasigroup Transformations as Boolean Functions M a t h e m a t i c a B a l k a n i c a New Series Vol. 26, 202, Fasc. 3 4 Analysis of Some Quasigroup Transformations as Boolean Functions Aleksandra Mileva Presented at MASSEE International Conference

More information

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses

More information

Open problems on cyclic codes

Open problems on cyclic codes Open problems on cyclic codes Pascale Charpin Contents 1 Introduction 3 2 Different kinds of cyclic codes. 4 2.1 Notation.............................. 5 2.2 Definitions............................. 6

More information

Two Notions of Differential Equivalence on Sboxes

Two Notions of Differential Equivalence on Sboxes Two Notions of Differential Equivalence on Sboxes Christina Boura 1,2, Anne Canteaut 2, Jérémy Jean 3, and Valentin Suder 1 1 University of Versailles, France Christina.Boura@uvsq.fr, Valentin.Suder@uvsq.fr

More information

DES S-box Generator. 2 EPFL, Switzerland

DES S-box Generator.  2 EPFL, Switzerland DES S-box Generator Lauren De Meyer 1 and Serge Vaudenay 2 lauren.demeyer@student.kuleuven.be serge.vaudenay@epfl.ch 1 KU Leuven, Belgium 2 EPFL, Switzerland Abstract. The Data Encryption Standard (DES)

More information

New Results on Boomerang and Rectangle Attacks

New Results on Boomerang and Rectangle Attacks New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,

More information

Revisit and Cryptanalysis of a CAST Cipher

Revisit and Cryptanalysis of a CAST Cipher 2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia

More information

Dickson Polynomials that are Involutions

Dickson Polynomials that are Involutions Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.

More information

Third-order nonlinearities of some biquadratic monomial Boolean functions

Third-order nonlinearities of some biquadratic monomial Boolean functions Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,

More information

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen

More information

Strengthening McEliece Cryptosystem

Strengthening McEliece Cryptosystem Strengthening McEliece Cryptosystem Pierre Loidreau Project CODES, INRIA Rocquencourt Research Unit - B.P. 105-78153 Le Chesnay Cedex France Pierre.Loidreau@inria.fr Abstract. McEliece cryptosystem is

More information

A Weak Cipher that Generates the Symmetric Group

A Weak Cipher that Generates the Symmetric Group A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,

More information

AES side channel attacks protection using random isomorphisms

AES side channel attacks protection using random isomorphisms Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random

More information

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.

More information

Polynomials on F 2. cryptanalysis. Y. Aubry 1 G. McGuire 2 F. Rodier 1. m with good resistance to. 1 IML Marseille 2 University College Dublin

Polynomials on F 2. cryptanalysis. Y. Aubry 1 G. McGuire 2 F. Rodier 1. m with good resistance to. 1 IML Marseille 2 University College Dublin Polynomials on F 2 m with good resistance to cryptanalysis Y Aubry 1 G McGuire 2 F Rodier 1 1 IML Marseille 2 University College Dublin Outline APN functions A lower bound for the degree of an APN polynomial

More information

How Biased Are Linear Biases

How Biased Are Linear Biases How Biased Are Linear Biases Adnan Baysal and Orhun Kara TÜBİTAK BİLGEM UEKAE Gebze, 41470 Kocaeli Turkey. E-mails: {abaysal,orhun}@uekae.tubitak.gov.tr Abstract In this paper we re-visit the Matsui s

More information

recover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa

recover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France

More information

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret

More information

IN this paper, we exploit the information given by the generalized

IN this paper, we exploit the information given by the generalized 4496 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 10, OCTOBER 2006 A New Upper Bound on the Block Error Probability After Decoding Over the Erasure Channel Frédéric Didier Abstract Motivated by

More information

arxiv: v1 [cs.it] 31 May 2013

arxiv: v1 [cs.it] 31 May 2013 Noname manuscript No. (will be inserted by the editor) A Note on Cyclic Codes from APN Functions Chunming Tang Yanfeng Qi Maozhi Xu arxiv:1305.7294v1 [cs.it] 31 May 2013 Received: date / Accepted: date

More information

On Pseudo Randomness from Block Ciphers

On Pseudo Randomness from Block Ciphers SCIS96 The 1996 Symposium on Cryptography and Information Security Komuro, Japan, January 29-31, 1996 The Institute of Electronics, Information and Communication Engineers SCIS96-11C On Pseudo Randomness

More information

G-Perfect Nonlinear Functions

G-Perfect Nonlinear Functions University of Richmond UR Scholarship Repository Math and Computer Science Faculty Publications Math and Computer Science 1-2008 G-Perfect Nonlinear Functions James A. Davis University of Richmond, jdavis@richmond.edu

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

Cryptanalysis of the Original McEliece Cryptosystem

Cryptanalysis of the Original McEliece Cryptosystem Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting

More information

Technion - Computer Science Department - Technical Report CS0816.revised

Technion - Computer Science Department - Technical Report CS0816.revised How to Strengthen DES Using Existing Hardware Eli Biham? Alex Biryukov?? Abstract Dierential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually

More information

Cellular Automata in Cryptography" Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi

Cellular Automata in Cryptography Information Security Group,Royal Holloway, Abstract The cipher systems based on Cellular Automata proposed by Nandi Comments on \Theory and Applications of Cellular Automata in Cryptography" S.R. Blackburn, S. Murphy y and K.G. Paterson z Information Security Group,Royal Holloway, University of London, Surrey TW20 0EX,

More information

Higher-order differential properties of Keccak and Luffa

Higher-order differential properties of Keccak and Luffa Higher-order differential properties of Keccak and Luffa Christina Boura, Anne Canteaut, Christophe De Cannière To cite this version: Christina Boura, Anne Canteaut, Christophe De Cannière. Higher-order

More information

Finding good differential patterns for attacks on SHA-1

Finding good differential patterns for attacks on SHA-1 Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,

More information

Detection and Exploitation of Small Correlations in Stream Ciphers

Detection and Exploitation of Small Correlations in Stream Ciphers Detection and Exploitation of Small Correlations in Stream Ciphers Masterthesis conducted under the guidance of Prof. Dr. Joachim Rosenthal and Dr. Gérard Maze Institute of Mathematics, University of Zurich

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We

More information

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8 Contents 17 Galois Fields 2 17.1 Introduction............................... 2 17.2 Irreducible Polynomials, Construction of GF(q m )... 3 17.3 Primitive Elements... 6 17.4 Roots of Polynomials..........................

More information

The Impact of Carries on the Complexity of Collision Attacks on SHA-1

The Impact of Carries on the Complexity of Collision Attacks on SHA-1 The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied

More information

Hyper-bent Functions

Hyper-bent Functions Hyper-bent Functions Amr M. Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization University of Waterloo, Waterloo, Ontario N2L3G1, CANADA a2youssef@cacr.math.uwaterloo.ca

More information

Provable Security Against Differential and Linear Cryptanalysis

Provable Security Against Differential and Linear Cryptanalysis Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Aalto University School of Science and Nokia, Finland kaisa.nyberg@aalto.fi Abstract. In this invited talk, a brief survey on

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Improved Analysis of Some Simplified Variants of RC6

Improved Analysis of Some Simplified Variants of RC6 Improved Analysis of Some Simplified Variants of RC6 Scott Contini 1, Ronald L. Rivest 2, M.J.B. Robshaw 1, and Yiqun Lisa Yin 1 1 RSA Laboratories, 2955 Campus Drive San Mateo, CA 94403, USA {scontini,matt,yiqun}@rsa.com

More information

Royal Holloway University of London

Royal Holloway University of London Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University

More information

Elementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q),

Elementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q), Elementary 2-Group Character Codes Cunsheng Ding 1, David Kohel 2, and San Ling Abstract In this correspondence we describe a class of codes over GF (q), where q is a power of an odd prime. These codes

More information

On values of vectorial Boolean functions and related problems in APN functions

On values of vectorial Boolean functions and related problems in APN functions On values of vectorial Boolean functions and related problems in APN functions George Shushuev Sobolev Institute of Mathematics, Novosibirsk, Russia Novosibirsk State University, Novosibirsk, Russia E-mail:

More information