Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard
The current standard approach to demonstrate provable security of a block cipher against differential and linear cryptanalysis is based on the maximum expected differential and linear probability (MEDP and MELP) over a sequence of core cipher rounds. Often information about these values for a small number of rounds leads to significant insights concerning the security of the cipher for larger numbers of rounds, including the full cipher. Recent results have tightened the bounds on the MEDP and MELP for the two-round Advanced Encryption Standard (AES), but no previous approach has determined them exactly. An algorithm that computes the exact MEDP and MELP for the two-round AES is presented, and the computational results of our algorithm are provided. In addition to resolving this outstanding question for the AES, these exact values also lead to improved upper bounds on the MEDP and MELP for four or more AES rounds.