
Speeding Up the Search Algorithm for the Best Differential and Best Linear Trails

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8957)

Abstract

To judge the resistance of a block cipher to differential cryptanalysis or linear cryptanalysis, it is necessary to establish an upper bound on the probability of the best differential or on the bias of the best linear approximation. Obtaining a tight upper bound, however, is not a trivial problem. We approach it by searching for the best differential and the best linear trails, which is a challenging task in itself. Building on previous work, we propose new strategies to speed up the search algorithm, called the starting from the narrowest point, concretizing and grouping search patterns, and trialling in minimal changes order strategies. The efficiency of the resulting improved algorithms allows us to state that the probability (bias) of the best 4-round differential (linear) trail in NOEKEON is \(2^{-51}\) (\(2^{-25}\)) and that the probability (bias) of the best 10-round (11-round) differential (linear) trail is at most \(2^{-131}\) (\(2^{-71}\)). For SPONGENT, the best differential trails for certain numbers of rounds in the permutation functions with width \(b\in \{88, 136, 176, 240\}\) are found. This allows us to update some results presented by its designers.


Notes

  1. We index the rounds beginning with 1, i.e. \(1\le r\le n\), where \(n\) is the number of rounds of the block cipher.

  2. When using the starting from the narrowest point strategy, we index the rounds relative to the narrowest point.

  3. For simplicity, we sometimes refer to search patterns simply as patterns.

  4. The number is up to rotation equivalence for NOEKEON.

  5. For simplicity, we use the number in square brackets to represent the root node (e.g. \([3]\) is shorthand for \(\genfrac(){0.0pt}0{[3]}{\{6,7,8,9\}_{0}}\)).


Acknowledgement

Many thanks go to the anonymous reviewers for their useful comments and suggestions. The research presented in this paper is supported by the National Natural Science Foundation of China (No. 61379138) and the "Strategic Priority Research Program" of the Chinese Academy of Sciences (No. XDA06010701).

Author information

Corresponding author: Zhenzhen Bao.


Appendices

A Our Search Algorithm

[Figures f to j: listings of the search algorithm; the images are not reproduced on this page.]

B Examples of Best Trails

Fig. 6. A best 4-round differential trail with weight 51 in NOEKEON

Fig. 7. A best 6-round linear trail with bias \(2^{-40}\) in NOEKEON

Fig. 8. A best 15-round differential trail with weight 96 in SPONGENT with \(b=136\)

Fig. 9. A best 10-round differential trail with weight 46 in SPONGENT with \(b=176\)

Fig. 10. A best 17-round differential trail with weight 86 in SPONGENT with \(b=88\)

Fig. 11. A best 44-round differential trail with weight 196 in SPONGENT with \(b=240\)

Fig. 12. A best 18-round differential trail with weight 99 in SPONGENT with \(b=176\)


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Bao, Z., Zhang, W., Lin, D. (2015). Speeding Up the Search Algorithm for the Best Differential and Best Linear Trails. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_15

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9