Abstract
Security against differential and linear cryptanalysis is an essential requirement for modern block ciphers. This measure is usually evaluated by finding a lower bound for the minimum number of active S-boxes. The 128-bit block cipher AES, which was adopted by the National Institute of Standards and Technology (NIST) as a symmetric encryption standard in 2001, is a member of the Rijndael family of block ciphers. For Rijndael, the block length and the key length can be independently specified as 128, 192 or 256 bits. It has been proved that for all variants of Rijndael the lower bound of the number of active S-boxes for any 4-round differential or linear trail is 25, and that for 4r (\(r \ge 1\)) rounds, 25r active S-boxes is a tight bound only for Rijndael with block length 128. In this paper, a new counting method is introduced to find tighter lower bounds for the minimum number of active S-boxes for several consecutive rounds of Rijndael with larger block lengths. The new method shows that 12 and 14 rounds of Rijndael with 192-bit block length have at least 87 and 103 active S-boxes, respectively. The corresponding bounds for Rijndael with a 256-bit block are 105 and 120, respectively. Additionally, a modified version of Rijndael-192 is proposed for which the minimum number of active S-boxes is larger than that of Rijndael-192. Moreover, we extend the method to obtain a better lower bound for the number of active S-boxes for the block cipher 3D. Our counting method shows that, for example, 20 and 22 rounds of 3D have at least 185 and 205 active S-boxes, respectively.
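The 4-round figure of 25 quoted in the abstract is the square of the branch number of the MixColumns layer, which is 5 because the MixColumns matrix is MDS. The following Python sketch is an added example, not code from the paper: it checks the MDS property and derives the 25r baseline for 4r rounds. The matrix and the reduction polynomial 0x11B are taken from the Rijndael specification (they do not appear on this page), and all function names are illustrative.

```python
# Added illustration. MIX and the polynomial 0x11B come from the Rijndael
# specification (an assumption relative to this page); names are hypothetical.
from itertools import combinations

MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def det(m):
    """Determinant over GF(2^8); addition is XOR, so cofactor signs vanish."""
    if len(m) == 1:
        return m[0][0]
    d = 0
    for j, coeff in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        d ^= gmul(coeff, det(minor))
    return d

def is_mds(m):
    """A square matrix is MDS iff every square submatrix is nonsingular."""
    n = len(m)
    return all(det([[m[r][c] for c in cols] for r in rows]) != 0
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def branch_number(m):
    """An n x n MDS matrix attains the maximal branch number n + 1."""
    if not is_mds(m):
        raise ValueError("matrix is not MDS; branch number is below n + 1")
    return len(m) + 1

def four_round_bound(m, r=1):
    """Lower bound on active S-boxes over 4r rounds: r * B^2."""
    return r * branch_number(m) ** 2
```

This reproduces only the baseline that holds for every Rijndael block length; the tighter 192-bit and 256-bit bounds in the abstract come from the paper's counting method, which this sketch does not implement.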
Additional information
Communicated by C. Cid.
About this article
Cite this article
Sajadieh, M., Mirzaei, A., Mala, H. et al. A new counting method to bound the number of active S-boxes in Rijndael and 3D. Des. Codes Cryptogr. 83, 327–343 (2017). https://doi.org/10.1007/s10623-016-0217-4
DOI: https://doi.org/10.1007/s10623-016-0217-4