Exact maximum expected differential and linear probability for two-round Advanced Encryption Standard

L. Keliher and J. Sui

L. Keliher is with AceCrypt, Department of Mathematics and Computer Science, Mount Allison University, Sackville, New Brunswick, Canada E4L 1E6. J. Sui is with the School of Computer Science, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1. E-mail: [email protected]

IET Inf. Secur., 2007, 1, (2), pp. 53–57. doi:10.1049/iet-ifs:20060161. Paper first received 11th November 2006 and in revised form 16th February 2007. © The Institution of Engineering and Technology 2007.

Abstract: The current standard approach to demonstrate provable security of a block cipher against differential and linear cryptanalysis is based on the maximum expected differential and linear probability (MEDP and MELP) over a sequence of core cipher rounds. Often information about these values for a small number of rounds leads to significant insights concerning the security of the cipher for larger numbers of rounds, including the full cipher. Recent results have tightened the bounds on the MEDP and MELP for the two-round Advanced Encryption Standard (AES), but no previous approach has determined them exactly. An algorithm that computes the exact MEDP and MELP for the two-round AES is presented, and the computational results of our algorithm are provided. In addition to resolving this outstanding question for the AES, these exact values also lead to improved upper bounds on the MEDP and MELP for four or more AES rounds.

1 Introduction

Several recent papers have dealt with provable security against differential [1] and linear cryptanalyses [2] for block ciphers based on the substitution-permutation network (SPN) structure [3–11]. Most of these results apply directly to the Advanced Encryption Standard (AES) [12] (originally named Rijndael). The current standard approach to demonstrate provable security against differential cryptanalysis (respectively, linear cryptanalysis) involves proving that the maximum expected differential probability (MEDP) [respectively, maximum expected linear probability (MELP)] is sufficiently small over $T$ core rounds [13] – this is because the corresponding estimate of the data complexity of the attack (the number of plaintext-ciphertext pairs required) is proportional to the inverse of the MEDP (respectively, MELP). (An even more rigorous approach takes into consideration the key-dependent behaviour of the cipher, specifically the distribution of differential and linear probability (DP and LP) values over the space of keys. This appears to be a difficult problem that few researchers have tackled. For one notable recent result, see [14], which treats issues similar to those of the current paper, but from a different direction.) Since in general it is difficult to compute the MEDP or MELP exactly, researchers have focused on bounds. A series of progressively smaller upper bounds have been obtained for the AES – the best of these are $1.161 \times 2^{-111}$ (MEDP) and $1.064 \times 2^{-106}$ (MELP), for $T \ge 4$ [10]. [The upper bounds as stated in [10] (and cited in [6]) are $1.144 \times 2^{-111}$ (MEDP) and $1.075 \times 2^{-106}$ (MELP). The difference here is because of rounding; the values in the current paper are more accurate.] Many such bounds are based on careful examination of the case $T = 2$. Prior to this paper, the two-round AES MEDP was known to lie between $53/2^{34}$ and $79/2^{34}$, and the two-round AES MELP was known to lie between $109{,}953{,}193/2^{54}$ and $192{,}773{,}764/2^{54}$ [3, 6, 10]; in both cases, the upper bound had been shown not to be tight [6]. We employ a new algorithm to prove that the two-round AES MEDP and MELP are in fact equal to these respective lower bounds. This immediately yields improved upper bounds for four or more AES rounds (hence for the full AES), namely $(53/2^{34})^4 \approx 1.881 \times 2^{-114}$ (MEDP) and $(109{,}953{,}193/2^{54})^4 \approx 1.802 \times 2^{-110}$ (MELP). There is a well-known duality between differential and linear cryptanalyses that often allows results for one attack to be translated into corresponding results for the other [15]. Since this is applicable to what follows, we focus on differential cryptanalysis; the modifications relevant to linear cryptanalysis are outlined in Section 5.

Note: An early version of this paper was posted as technical report 2005/321 in the IACR ePrint Archive (eprint.iacr.org).

2 Background concepts

Let $N$ denote the cipher block size. An SPN consists of a sequence of rounds, each of which involves: (a) exclusive or (XOR) with an $N$-bit subkey (key-mixing stage), (b) parallel application of $M$ bijective $n \times n$ s-boxes, where $M = N/n$ (substitution stage), (c) processing through an invertible linear transformation $L: \{0,1\}^N \to \{0,1\}^N$ (linear transformation stage). For simplification of analysis, we assume that the subkeys are chosen uniformly and independently from $\{0,1\}^N$ (a common assumption). We number the s-boxes in any substitution stage $1, \ldots, M$, left to right.

Let $B: \{0,1\}^d \to \{0,1\}^d$, let $\Delta x, \Delta y \in \{0,1\}^d$ be fixed, and let $X \in \{0,1\}^d$ be a uniformly distributed random variable. The differential probability $DP(\Delta x, \Delta y)$ is defined as
$$
DP(\Delta x, \Delta y) = \mathrm{Prob}_X\{B(X) \oplus B(X \oplus \Delta x) = \Delta y\}
$$
We refer to $\Delta x/\Delta y$ as input/output differences. It is natural to view the DP values as entries in a $2^d \times 2^d$ table. If $B$ is parameterised by a key, $k$, we write $DP(\Delta x, \Delta y; k)$, and the expected differential probability $EDP(\Delta x, \Delta y)$ is $E_K[DP(\Delta x, \Delta y; K)]$, where $E[\,]$ denotes expectation and $K$ is a random variable uniformly distributed over the space of keys. For $T$ core cipher rounds, the MEDP is given by
$$
\mathrm{MEDP} = \max_{\Delta x, \Delta y \in \{0,1\}^N \setminus \mathbf{0}} EDP(\Delta x, \Delta y)
$$
We adopt the convention that an $R$-round block cipher is provably secure against differential cryptanalysis if, for certain values of $T \le R$, the MEDP is sufficiently small that the corresponding data complexity is prohibitive [13] (for SPNs, we often use $T = R - 2$). It is easy to show that adding one or more rounds to those under consideration can never increase the MEDP. A particularly useful relationship exists for the AES and related SPNs: if $\mu$ is an upper bound on the two-round MEDP (or MELP), then $\mu^4$ is an upper bound on the MEDP (MELP) for $T \ge 4$ [10, 11]. Hereafter, all references to rounds are relative to $T \ge 2$ core rounds under consideration; often $T$ will be implicit in the notation we use.

A differential characteristic is a vector $\Omega = \langle \Delta x^1, \Delta x^2, \ldots, \Delta x^{T+1} \rangle$, where $\Delta x^t$ and $\Delta x^{t+1}$ are input/output differences for round $t$ ($1 \le t \le T$). It follows that $\Delta x^t$ and $\Delta y^t = L^{-1}(\Delta x^{t+1})$ are input/output differences for the substitution stage of round $t$, yielding input/output differences for each s-box $S^t_m$ in round $t$, denoted by $\Delta x^t_m/\Delta y^t_m$ ($1 \le m \le M$). If $\Delta x^t_m$ and $\Delta y^t_m$ are both zero or both non-zero for every s-box, $\Omega$ is called consistent [16]; it suffices to limit consideration to consistent characteristics. For a given characteristic $\Omega$, an s-box with non-zero input/output differences is called active. The expected differential characteristic probability $EDCP(\Omega)$ is defined as
$$
EDCP(\Omega) = \prod_{t=1}^{T} \prod_{m=1}^{M} DP^{S^t_m}(\Delta x^t_m, \Delta y^t_m)
$$
where $DP^{S^t_m}(\cdot, \cdot)$ is a DP value for s-box $S^t_m$. A non-active s-box always has a DP value of 1. The differential $DIFF(\Delta x, \Delta y)$ is the set of all characteristics whose first difference is $\Delta x$ and whose last difference is $\Delta y$. The following well-known equality is central to our analysis [17]:
$$
EDP(\Delta x, \Delta y) = \sum_{\Omega \in DIFF(\Delta x, \Delta y)} EDCP(\Omega) \qquad (1)
$$
For any difference $\Delta z \in \{0,1\}^N$, the pattern $\gamma_{\Delta z} = \gamma_1 \gamma_2 \ldots \gamma_M \in \{0,1\}^M$ is defined as follows: partition $\Delta z$ into $M$ consecutive sub-blocks of length $n$; set $\gamma_m = 0$ if the $m$th sub-block is zero, and $\gamma_m = 1$ otherwise ($1 \le m \le M$). It follows that if $\Delta z$ is an input or output difference for a substitution stage (taken from a characteristic), then $\gamma_{\Delta z}$ is the corresponding pattern of active s-boxes.

3 Analysis of two-round SPN MEDP

Consider two consecutive SPN rounds; without loss of generality, omit the linear transformation from round 2. The minimum number of active s-boxes in these two rounds for any characteristic (excluding the all-zero characteristic) is called the differential branch number, $\mathcal{B}_d$ – this is determined by $L$. The following table of values, also determined by $L$, is particularly useful. For $\gamma, \hat\gamma \in \{0,1\}^M$
$$
W_d[\gamma, \hat\gamma] \stackrel{\mathrm{def}}{=} \#\{\Delta x \in \{0,1\}^N : \gamma_{\Delta x} = \gamma,\ \gamma_{L(\Delta x)} = \hat\gamma\}
$$
This table captures relationships between the inputs and outputs of $L$ in a coarse-grained way. Specifically, $W_d[\gamma, \hat\gamma]$ is the number of inputs to $L$ with pattern $\gamma$ that produce outputs with pattern $\hat\gamma$. It follows that if $\gamma, \hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$, and if $\Delta x, \Delta y \in \{0,1\}^N \setminus \mathbf{0}$ are differences satisfying $\gamma_{\Delta x} = \gamma$, $\gamma_{\Delta y} = \hat\gamma$, then $W_d[\gamma, \hat\gamma]$ is the number of characteristics in $DIFF(\Delta x, \Delta y)$.

Let $\gamma, \hat\gamma, \Delta x, \Delta y$ be as above. Enumerate the active s-boxes over the two rounds as $S_1, S_2, \ldots, S_A$, where $A = wt(\gamma) + wt(\hat\gamma)$. Let $W = W_d[\gamma, \hat\gamma]$, and for each $\Omega_w \in DIFF(\Delta x, \Delta y)$ ($1 \le w \le W$) and each $S_a$ ($1 \le a \le A$), let $\epsilon^w_a$ be the ‘inner’ difference for $S_a$ extracted from $\Omega_w$ (an inner difference is either an output difference for a round 1 s-box, or an input difference for a round 2 s-box), and define the vector $V_w = \langle \epsilon^w_1, \epsilon^w_2, \ldots, \epsilon^w_A \rangle$; note that each $\epsilon^w_a$ is an element of $\{0,1\}^n \setminus \mathbf{0}$. Clearly, $\{V_w\}_{w=1}^{W}$ depends only on $\gamma, \hat\gamma$, not on the specific values of $\Delta x, \Delta y$.

Lemma 1 ([10]): For $\gamma, \hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$, let $W = W_d[\gamma, \hat\gamma]$, and form the set of vectors $\{V_w\}_{w=1}^{W}$. (Case I) If $wt(\gamma) + wt(\hat\gamma) = \mathcal{B}_d$, then all the values in any one vector position are distinct. (Case II) If $wt(\gamma) + wt(\hat\gamma) > \mathcal{B}_d$, isolate any $wt(\gamma) + wt(\hat\gamma) - \mathcal{B}_d$ vector positions, and fix a value in $\{0,1\}^n \setminus \mathbf{0}$ for each such position. Form the subset $\mathcal{V} \subseteq \{V_w\}$ consisting of all vectors containing the fixed values in the specified positions. Then for each position whose value was not fixed, all the values in that position are distinct as we range over $\mathcal{V}$.

Definition 1: A $\mathcal{B}_d$-list is a set of vectors, each of length $\mathcal{B}_d$, that has been derived in one of two ways:
1. by selecting any $\gamma, \hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$ satisfying $wt(\gamma) + wt(\hat\gamma) = \mathcal{B}_d$, and forming the set $\{V_w\}$;
2. by selecting any not-yet-selected pair $\gamma, \hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$ satisfying $wt(\gamma) + wt(\hat\gamma) > \mathcal{B}_d$, forming the set $\{V_w\}$, isolating $wt(\gamma) + wt(\hat\gamma) - \mathcal{B}_d$ vector positions, and then forming all possible subsets $\mathcal{V} \subseteq \{V_w\}$ in accordance with Case II of Lemma 1 (that is, by using all possible assignments of fixed values from $\{0,1\}^n \setminus \mathbf{0}$ to the isolated positions); each such $\mathcal{V}$ yields a $\mathcal{B}_d$-list by ‘shrinking’ the vectors in $\mathcal{V}$ to length $\mathcal{B}_d$ via removal of the positions with fixed values.

Let $\mathcal{B}_d$-LIST($i$) be the set of all $\mathcal{B}_d$-lists formed by Option $i$ above, for $i = 1, 2$, and let
$$
\mathcal{B}_d\text{-LIST} = \mathcal{B}_d\text{-LIST}(1) \cup \mathcal{B}_d\text{-LIST}(2)
$$
Note that $\mathcal{B}_d$-LIST(2) is not uniquely defined. Also note that our definition of $\mathcal{B}_d$-LIST(2) differs from [6]. Here, given $\gamma, \hat\gamma \in \{0,1\}^M \setminus \mathbf{0}$ in Option 2, each $\mathcal{B}_d$-list is formed from the same (arbitrary) choice of positions to be assigned fixed values. In [6], all such choices are used, but this is not necessary for our purposes (neither is it necessary for the results in [6]).

For any $Z \in \mathcal{B}_d$-LIST, let $d(Z)$ denote the number of vectors in $Z$. Lemma 1 implies that $d(Z) \le (2^n - 1)$. For any vector $\langle z_1, z_2, \ldots, z_{\mathcal{B}_d} \rangle$ in any $\mathcal{B}_d$-list, if $z_j$ is an output difference for a round 1 s-box, let $a_j$ be any input difference for the s-box, and let $\widetilde{DP}(a_j, z_j) = DP(a_j, z_j)$. If $z_j$ is an input difference for a round 2 s-box, let $a_j$ be any output difference for the s-box, and let $\widetilde{DP}(a_j, z_j) = DP(z_j, a_j)$. (For simplicity, the specific s-box is implicit in the notation.)
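The following Python program is an added example, not code from the paper, that makes the objects of Sections 2 and 3 concrete for the 32-bit AES linear transformation (MixColumns on one column, so $M = 4$ and $n = 8$): it enumerates the inputs with a given pattern $\gamma$ to tabulate $W_d[\gamma, \hat\gamma]$, builds the vectors $V_w$ of inner differences for a pair with $wt(\gamma) + wt(\hat\gamma) = 5 = \mathcal{B}_d$, and checks the Case I statement of Lemma 1 that every position holds $d(Z)$ distinct values. The function names, the tuple encoding of patterns and the choice of patterns are this example's own assumptions; it only enumerates patterns of weight 1 and 2, because enumerating every input of weight 3 or 4 is slow in Python.

```python
"""W_d table, inner-difference vectors and Lemma 1 (Case I) for AES MixColumns (added example)."""
from itertools import product


def xtime(b):
    # multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def mix_column(col):
    # AES MixColumns on one 4-byte column: circulant matrix with first row (2 3 1 1);
    # 3*a is computed as xtime(a) ^ a
    a0, a1, a2, a3 = col
    return (
        xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
        xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3),
    )


def pattern(bytes_):
    # gamma_{Δz}: one bit per n-bit sub-block, 1 where the byte is non-zero
    return tuple(1 if b else 0 for b in bytes_)


def inputs_with_pattern(gamma):
    # every Δx in {0,1}^32 whose byte pattern is gamma: (2^8 - 1)^wt(gamma) values
    ranges = [range(1, 256) if g else (0,) for g in gamma]
    return product(*ranges)


def w_d_row(gamma):
    # W_d[gamma, gamma_hat] for every gamma_hat, obtained by pushing each input through L
    counts = {}
    for dx in inputs_with_pattern(gamma):
        gh = pattern(mix_column(dx))
        counts[gh] = counts.get(gh, 0) + 1
    return counts


def five_list(gamma, gamma_hat):
    """The set {V_w} for (gamma, gamma_hat) with wt(gamma) + wt(gamma_hat) = 5.

    Each characteristic contributes one vector of inner differences: the non-zero
    bytes of Δx (output differences of the active round-1 s-boxes) followed by the
    non-zero bytes of L(Δx) (input differences of the active round-2 s-boxes)."""
    Z = []
    for dx in inputs_with_pattern(gamma):
        dy = mix_column(dx)
        if pattern(dy) != gamma_hat:
            continue
        Z.append(tuple(b for b in dx if b) + tuple(b for b in dy if b))
    return Z


def all_positions_distinct(Z):
    # Lemma 1, Case I: in every vector position all d(Z) values are distinct
    return all(len(set(col)) == len(Z) for col in zip(*Z))


if __name__ == "__main__":
    print("W_d[1000, .] =", w_d_row((1, 0, 0, 0)))
    Z = five_list((1, 0, 0, 0), (1, 1, 1, 1))
    print("d(Z) =", len(Z), "distinct per position:", all_positions_distinct(Z))
```

With a single active input byte every one of the 255 inputs activates all four output bytes (the branch number is 5), so the 5-list for $(\gamma, \hat\gamma) = (1000, 1111)$ has $d(Z) = 255 = 2^n - 1$ vectors, the bound of Lemma 1 met with equality.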

Definition 2: Let $Z \in \mathcal{B}_d$-LIST. Define $\sigma(Z)$ as
$$
\sigma(Z) = \max_{a_1, \ldots, a_{\mathcal{B}_d} \in \{0,1\}^n \setminus \mathbf{0}} \ \sum_{\langle z_1, \ldots, z_{\mathcal{B}_d} \rangle \in Z} \left( \prod_{j=1}^{\mathcal{B}_d} \widetilde{DP}(a_j, z_j) \right)
$$

For any $\mathcal{B}_d$-list $Z$, let $\gamma, \hat\gamma$ be the patterns used in Definition 1 for the derivation of $Z$. If $wt(\gamma) + wt(\hat\gamma) = \mathcal{B}_d$, then $\sigma(Z)$ is the maximum value $EDP(\Delta x, \Delta y)$ over all input/output differences $\Delta x/\Delta y$ with patterns $\gamma/\hat\gamma$ (clearly exactly $\mathcal{B}_d$ s-boxes are active). If $wt(\gamma) + wt(\hat\gamma) > \mathcal{B}_d$, the intuitive explanation is more complicated. We can view the formation of $Z$ in the following way. Choose any input/output differences $\Delta x/\Delta y$ with patterns $\gamma/\hat\gamma$, and take the subset of $DIFF(\Delta x, \Delta y)$ specified by fixing inner differences for $wt(\gamma) + wt(\hat\gamma) - \mathcal{B}_d$ of the active s-boxes (recall that $DIFF(\Delta x, \Delta y)$ was defined to be a set); think of $Z$ as this subset, absent the fixed information. If $C$ is the product of the DP values for the s-boxes whose input and output differences are now fixed, it follows that the contribution of $Z$ to $EDP(\Delta x, \Delta y)$ in (1) is at most $C \cdot \sigma(Z)$.

Theorem 1 ([6]): The two-round MEDP is lower bounded by
$$
\max_{Z \in \mathcal{B}_d\text{-LIST}(1)} \sigma(Z)
$$

Theorem 2 ([6]): The two-round MEDP is upper bounded by
$$
\max_{Z \in \mathcal{B}_d\text{-LIST}} \sigma(Z)
$$

4 Exact two-round MEDP for the AES

The AES is an SPN with $N = 128$, $n = 8$, and all s-boxes identical [12]. The mapping $L$ consists of a bytewise permutation followed by four identical 32-bit linear transformations applied in parallel. It is well known that analysis of the two-round AES reduces to analysis of the simplified structure in Fig. 1 for certain attacks – this is the case for differential (and linear) cryptanalysis. The branch number for the 32-bit linear transformation is $\mathcal{B}_d = 5$; hereafter, we refer to 5-lists.

4.1 New algorithm

Our basic strategy for determining the exact value of the two-round AES MEDP is to show that the lower bound of Theorem 1 and the upper bound of Theorem 2 are equal. Since computing $\sigma(Z)$ for a single 5-list $Z$ involves a maximum over approximately $2^{40}$ terms, we use a pruning search to reduce complexity. (It is easy to show that 5-LIST(1) has size 56, requiring a maximum over $56 \cdot 2^{40} \approx 2^{46}$ terms, which is easily handled, but 5-LIST(2) has size approximately $2^{24}$, requiring a maximum over $2^{64}$ terms, which presents a computational challenge.) We use the fact that all non-trivial rows and columns of the AES s-box DP table have the same distribution of values [10], given in the non-increasing sequence $\langle d_1, d_2, \ldots, d_{256} \rangle$, where $d_1 = 2^{-6}$, $d_2, \ldots, d_{127} = 2^{-7}$, and $d_{128}, \ldots, d_{256} = 0$. View any 5-list $Z$ as a table of size $d(Z) \times 5$ (each entry is a non-zero byte). Suppose we have selected values $a_1, \ldots, a_J$ in Definition 2, with $1 \le J \le 5$. Let $\hat\sigma(Z, J)$ be the largest value possible for the maximum $\sigma(Z)$ given this choice of $a_1, \ldots, a_J$, that is, if $1 \le J < 5$, then
$$
\hat\sigma(Z, J) = \max_{a_{J+1}, \ldots, a_5 \in \{0,1\}^n \setminus \mathbf{0}} \ \sum_{i=1}^{d(Z)} \prod_{j=1}^{5} \widetilde{DP}(a_j, Z[i, j])
$$
and (trivially) if $J = 5$, then
$$
\hat\sigma(Z, 5) = \sum_{i=1}^{d(Z)} \prod_{j=1}^{5} \widetilde{DP}(a_j, Z[i, j])
$$
Now form the sequence $S = \langle s_1, s_2, \ldots, s_{d(Z)} \rangle$, where $s_i = \prod_{j=1}^{J} \widetilde{DP}(a_j, Z[i, j])$. Since $Z[i, \cdot]$ contains some or all of the inner differences for certain two-round characteristics (depending on whether $Z \in \mathcal{B}_d$-LIST(2) or $Z \in \mathcal{B}_d$-LIST(1), respectively), $s_i$ is a partially or fully formed EDCP value (fully formed if $\mathcal{B}_d$-LIST(1) and $J = 5$). These ‘certain characteristics’ are those with input/output patterns $\gamma/\hat\gamma$ that are the same as the patterns used in Definition 1 for the derivation of $Z$. Sort the sequence $S$ in non-increasing order to obtain $\bar S = \langle \bar s_1, \bar s_2, \ldots, \bar s_{d(Z)} \rangle$. It follows from a generalised version of Lemma 5 in [7] that
$$
\hat\sigma(Z, J) \le Q(S, J) \stackrel{\mathrm{def}}{=} \sum_{i=1}^{d(Z)} \bar s_i \cdot d_i^{(5-J)} \qquad (2)
$$
and therefore $Q(S, J)$ can be used as an easily computed ‘lookahead’ value for pruning purposes. (Note that the unsorted $S$ is passed to $Q$.) Clearly equality holds in (2) when $J = 5$, since
$$
Q(S, 5) = \sum_{i=1}^{d(Z)} \bar s_i = \sum_{i=1}^{d(Z)} s_i = \hat\sigma(Z, 5)
$$

For any positive integer $L$, let $\mathbf{1}_L$ be the sequence $\langle 1, \ldots, 1 \rangle$ of length $L$. The heart of our algorithm is the recursive function $F$ given in the following pseudocode, which uses a global variable $E$.

F(Z, j, ⟨s_1, ..., s_{d(Z)}⟩)
  1. j' = j + 1
  2. For each a ∈ {0,1}^n \ 0
  3.     S' = ⟨s'_1, ..., s'_{d(Z)}⟩, where s'_i = s_i · DP̃(a, Z[i, j'])
  4.     If ((j' < 5) and (Q(S', j') > E))
  5.         F(Z, j', S')
  6.     Else if ((j' = 5) and (Q(S', j') > E))
  7.         E = Q(S', j')

Phase I of algorithm: Initialise $E$ to 0. For each $Z \in$ 5-LIST(1), call $F(Z, 0, \mathbf{1}_{d(Z)})$. It is easy to see that if $\sigma(Z) > E$ prior to the call to $F$, then $E = \sigma(Z)$ afterwards; otherwise, $E$ is unchanged. It follows that when this phase is complete, $E$ is equal to the lower bound of Theorem 1.

Phase II of algorithm: Retain the value of $E$ from Phase I, and call $F(Z, 0, \mathbf{1}_{d(Z)})$ for each $Z \in$ 5-LIST(2). The final value of $E$ is the upper bound of Theorem 2. If this upper bound is equal to the lower bound from Phase I, then $E$ is the exact two-round MEDP.
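To show the pruning search concretely, here is an added Python example (not the authors' implementation) of $F$, $Q$ and Definition 2 on a toy instance: a 4-bit s-box built from inversion in $GF(2^4)$, which, like the AES s-box, has the same DP distribution in every non-trivial row and column, and a constructed 3-list in place of a 5-list (a toy branch number of 3), small enough that the literal maximum of Definition 2 can be compared with the pruned search. The s-box, the list `Z_TOY`, the column labels `KINDS`, the `width` parameter that generalises the fixed 5 of the paper, and the function names are this example's own assumptions; $E$ is passed in and returned rather than kept global, which is what lets Phase II start from the Phase I value.

```python
"""Pruning search for sigma(Z) with the lookahead Q(S, J), on a toy s-box (added example)."""
from itertools import product

SIZE = 16  # toy s-box on n = 4 bits


def gf16_mul(a, b):
    # multiplication in GF(2^4) modulo x^4 + x + 1
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13
        b >>= 1
    return r


# toy s-box: field inversion with 0 -> 0. Like the AES s-box it is based on x^-1, so
# every non-trivial row of its DP table has the same distribution, which Q relies on.
SBOX = [0] + [next(y for y in range(1, SIZE) if gf16_mul(x, y) == 1) for x in range(1, SIZE)]

# DP table: DDT[dx][dy] / SIZE = Prob_X{S(X) xor S(X xor dx) = dy}
DDT = [[0] * SIZE for _ in range(SIZE)]
for x in range(SIZE):
    for dx in range(SIZE):
        DDT[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1


def dp(dx, dy):
    return DDT[dx][dy] / SIZE


# non-increasing row distribution <d_1, ..., d_16>; row 1 is representative, and the DDT
# of this involution is symmetric, so columns share the same distribution
D_SEQ = sorted((c / SIZE for c in DDT[1]), reverse=True)


def dp_tilde(kind, a, z):
    # z is an inner difference: 'out' = output difference of a round-1 s-box (a is an input
    # difference); 'in' = input difference of a round-2 s-box (a is an output difference)
    return dp(a, z) if kind == "out" else dp(z, a)


def Q(S, J, width):
    # lookahead of (2): sort S non-increasingly and pair s_bar_i with d_i^(width - J)
    s_bar = sorted(S, reverse=True)
    return sum(s * D_SEQ[i] ** (width - J) for i, s in enumerate(s_bar))


def sigma_pruned(Z, kinds, E=0.0):
    """Function F of the paper with E threaded through; returns max(E, sigma(Z))."""
    width, rows = len(kinds), len(Z)

    def F(j, S, E):
        j1 = j + 1
        for a in range(1, SIZE):
            S1 = [S[i] * dp_tilde(kinds[j1 - 1], a, Z[i][j1 - 1]) for i in range(rows)]
            q = Q(S1, j1, width)
            if j1 < width and q > E:
                E = F(j1, S1, E)          # descend only if the lookahead can still beat E
            elif j1 == width and q > E:
                E = q                     # Q(S', width) equals the completed sum exactly
        return E

    return F(0, [1.0] * rows, E)


def sigma_bruteforce(Z, kinds):
    # Definition 2 evaluated literally: maximum over every choice of a_1, ..., a_width
    width = len(kinds)
    best = 0.0
    for avec in product(range(1, SIZE), repeat=width):
        total = 0.0
        for row in Z:
            p = 1.0
            for j in range(width):
                p *= dp_tilde(kinds[j], avec[j], row[j])
            total += p
        best = max(best, total)
    return best


# constructed 3-list (toy branch number 3): one round-1 output difference and two round-2
# input differences per characteristic; every column holds distinct values (Lemma 1, Case I)
KINDS = ("out", "in", "in")
Z_TOY = [(1, 2, 3), (2, 5, 7), (3, 9, 12), (4, 14, 6), (5, 1, 15)]

if __name__ == "__main__":
    print("sigma(Z) pruned      =", sigma_pruned(Z_TOY, KINDS))
    print("sigma(Z) brute force =", sigma_bruteforce(Z_TOY, KINDS))
```

Calling `sigma_pruned(Z, KINDS, E=previous_E)` for a second list reproduces the Phase II behaviour: the returned value only rises above the retained `E` if that list's $\sigma(Z)$ exceeds it.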

4.2 Results (MEDP)

Phase I of the above algorithm produced the lower bound $53/2^{34}$, a known result [3, 6]. What is new is that Phase II did not increase the value of $E$, and therefore the exact two-round AES MEDP is equal to $53/2^{34} \approx 1.656 \times 2^{-29}$. Further, using the fact that the fourth power of an upper bound on the AES MEDP for $T = 2$ is an upper bound for $T \ge 4$ (see Section 2), we obtain a new upper bound on the AES MEDP for four or more rounds, namely $(53/2^{34})^4 \approx 1.881 \times 2^{-114}$. There are 12 pairs of input/output differences $(\Delta x, \Delta y)$ for the two-round structure in Fig. 1 whose EDP is equal to the MEDP. These are given in Table 1 (individual bytes are in hexadecimal). Notice the rotational symmetry, which is also observed in [14].

Fig. 1 Reduced two-round AES

Table 1: Input/output differences achieving two-round MEDP

    Δx                  Δy
    (00, 00, 00, 75)    (D8, D8, B7, F7)
    (00, 00, 75, 00)    (D8, B7, F7, D8)
    (00, 75, 00, 00)    (B7, F7, D8, D8)
    (75, 00, 00, 00)    (F7, D8, D8, B7)
    (00, 00, 75, 75)    (00, F7, D8, B7)
    (00, 75, 75, 00)    (F7, D8, B7, 00)
    (75, 75, 00, 00)    (D8, B7, 00, F7)
    (75, 00, 00, 75)    (B7, 00, F7, D8)
    (00, 75, 75, 75)    (B7, 00, 00, F7)
    (75, 75, 75, 00)    (00, 00, F7, B7)
    (75, 75, 00, 75)    (00, F7, B7, 00)
    (75, 00, 75, 75)    (F7, B7, 00, 00)

5 Application to linear cryptanalysis

The duality between differential and linear cryptanalyses allows us to apply our algorithm, mutatis mutandis, to compute the exact two-round AES MELP. The significant changes are as follows:

† Differential probability is replaced by LP, and EDP by ELP. For $B: \{0,1\}^d \to \{0,1\}^d$ and masks $a, b \in \{0,1\}^d$
$$
LP(a, b) = \left( 2 \cdot \mathrm{Prob}_X\{a \bullet X = b \bullet B(X)\} - 1 \right)^2
$$
where $\bullet$ denotes the inner product.

† Given input/output masks for round $t$, $a^t/a^{t+1}$, the output mask for the substitution stage is $b^t = L'(a^{t+1})$, where $L'$ is the transpose of $L$ when $L$ is represented as an $N \times N$ binary matrix (and column vectors are used).

† Consistent differential characteristics are replaced by consistent linear characteristics, which are identically structured, but whose constituent vectors from $\{0,1\}^N$ are interpreted as masks. EDCP is replaced by ELCP.

† The concept of linearly active s-boxes parallels that of differentially active s-boxes. Differential branch number is replaced by linear branch number, $\mathcal{B}_l$.

† Differentials $DIFF(\Delta x, \Delta y)$ are replaced by linear hulls $HULL(a, b)$, consisting of all linear characteristics (over $T$ core rounds) having input mask $a$ and output mask $b$. The equation corresponding to (1) is given in [18]:
$$
ELP(a, b) = \sum_{\Omega \in HULL(a, b)} ELCP(\Omega)
$$

† An input or output mask, $z$, for a substitution stage determines a pattern of active s-boxes, $\gamma_z \in \{0,1\}^M$, just as in the differential setting. The table $W_d[\cdot, \cdot]$ is replaced by $W_l[\cdot, \cdot]$, where for $\gamma, \hat\gamma \in \{0,1\}^M$
$$
W_l[\gamma, \hat\gamma] = \#\{y \in \{0,1\}^N : \gamma_x = \gamma,\ \gamma_y = \hat\gamma,\ \text{where } x = L'y\}
$$

† All non-trivial rows and columns of the AES s-box LP table have the same distribution of values, given in Table 2 ($r_i$ is a distinct value, and $f_i$ is the frequency with which it occurs) [7]. The sequence $\langle d_1, d_2, \ldots, d_{256} \rangle$ is modified accordingly.

5.1 Results (MELP)

For the linear cryptanalysis version of our algorithm, Phase I produced the known lower bound, $109{,}953{,}193/2^{54} \approx 1.638 \times 2^{-28}$ [3, 6]. And, as in the differential setting, Phase II did not increase this value, and therefore we conclude that this is the exact two-round AES MELP. In addition, we use the relationship stated in Section 2 to obtain a new upper bound on the AES MELP for four or more rounds, namely $(109{,}953{,}193/2^{54})^4 \approx 1.802 \times 2^{-110}$. There are four pairs of input/output masks $(a, b)$ for the two-round structure in Fig. 1 whose ELP is equal to the MELP. These are given in Table 3 (individual bytes are in hexadecimal). We see the same rotational symmetry as in Table 1.

Table 3: Input/output masks achieving two-round MELP

    a                   b
    (00, 00, 00, 34)    (19, 62, 4D, D7)
    (00, 00, 34, 00)    (62, 4D, D7, 19)
    (00, 34, 00, 00)    (4D, D7, 19, 62)
    (34, 00, 00, 00)    (D7, 19, 62, 4D)

Table 2: Distribution of LP values for the AES s-box

    i    r_i         f_i
    1    (8/64)^2    5
    2    (7/64)^2    16
    3    (6/64)^2    36
    4    (5/64)^2    24
    5    (4/64)^2    34
    6    (3/64)^2    40
    7    (2/64)^2    36
    8    (1/64)^2    48
    9    0           17
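The s-box distributions that Section 4.1 and Table 2 rely on can be recomputed directly. The following Python program is an added example, not code from the paper, that constructs the AES s-box from the field inversion and affine map of [12], tabulates the DP values of every non-trivial DDT row to recover $\langle d_1, \ldots, d_{256} \rangle$, and uses a Walsh-Hadamard transform to tabulate $|W|/4$ over every non-trivial row and column of the LP table, where $LP = (W/256)^2 = (k/64)^2$ with $k = |W|/4$ is the form used in Table 2. The function names are the example's own.

```python
"""DP and LP value distributions of the AES s-box (added example, not the paper's code)."""
from collections import Counter


def gf256_mul(a, b):
    # multiplication in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf256_inv(x):
    # x^254 = x^-1 for x != 0; 0 maps to 0 as in the AES specification
    r = 1
    for _ in range(254):
        r = gf256_mul(r, x)
    return r


def aes_sbox():
    # SubBytes: field inversion followed by the affine map b + rot1(b) + ... + rot4(b) + 0x63
    box = []
    for x in range(256):
        b = gf256_inv(x)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


def parity(v):
    return bin(v).count("1") & 1


def walsh(bits):
    # fast Walsh-Hadamard transform of a 2^n-entry truth table: W[a] = sum_x (-1)^(f(x) xor a.x)
    w = [1 - 2 * b for b in bits]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h]= w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def ddt_row_distributions(sbox):
    """Set of (DDT count -> multiplicity) distributions over all non-trivial rows.
    A single element means every row has the same distribution, as the paper uses."""
    dists = set()
    for dx in range(1, 256):
        row = Counter(sbox[x] ^ sbox[x ^ dx] for x in range(256))
        dists.add(tuple(sorted(Counter(row[dy] for dy in range(256)).items())))
    return dists


def dp_sequence(sbox, dx=1):
    # <d_1, ..., d_256>: the DP values of one non-trivial row, in non-increasing order
    row = Counter(sbox[x] ^ sbox[x ^ dx] for x in range(256))
    return sorted((row[dy] / 256 for dy in range(256)), reverse=True)


def lp_distributions(sbox):
    """Distributions of k = |W|/4 over non-trivial LP-table rows (fixed output mask b,
    all input masks a) and columns (fixed a, all b); LP(a, b) = (k/64)^2 as in Table 2."""
    inv_box = [0] * 256
    for x, y in enumerate(sbox):
        inv_box[y] = x
    rows, cols = set(), set()
    for m in range(1, 256):
        w_row = walsh([parity(m & sbox[x]) for x in range(256)])     # b = m, over all a
        w_col = walsh([parity(m & inv_box[y]) for y in range(256)])  # a = m, over all b
        rows.add(tuple(sorted(Counter(abs(w) // 4 for w in w_row).items())))
        cols.add(tuple(sorted(Counter(abs(w) // 4 for w in w_col).items())))
    return rows, cols


AES_SBOX = aes_sbox()

if __name__ == "__main__":
    print("DDT row distributions:", ddt_row_distributions(AES_SBOX))
    rows, cols = lp_distributions(AES_SBOX)
    print("LP row distributions:   ", rows)
    print("LP column distributions:", cols)
```

The column case uses the inverse s-box, since for a fixed input mask $a$ the correlation $\sum_x (-1)^{a \bullet x \oplus b \bullet S(x)}$ as a function of $b$ is the Walsh transform of $y \mapsto a \bullet S^{-1}(y)$.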

6 Conclusion

Numerous papers have tackled the problem of bounding the two-round MEDP and MELP for the AES. We have presented a pruning search algorithm that determines these values exactly: $53/2^{34} \approx 1.656 \times 2^{-29}$ (MEDP) and $109{,}953{,}193/2^{54} \approx 1.638 \times 2^{-28}$ (MELP). This immediately yields new upper bounds on the AES MEDP and MELP for four or more rounds, namely $(53/2^{34})^4 \approx 1.881 \times 2^{-114}$ and $(109{,}953{,}193/2^{54})^4 \approx 1.802 \times 2^{-110}$, respectively.

7 Acknowledgments

This work was funded by the Natural Sciences and Engineering Research Council of Canada (NSERC), and by the Marjorie Young Bell Foundation. The authors are grateful to the anonymous reviewers for comments that contributed to the completeness and clarity of the final paper.

8 References

1 Biham, E., and Shamir, A.: ‘Differential cryptanalysis of DES-like cryptosystems’, J. Cryptol., 1991, 4, (1), pp. 3–72
2 Matsui, M.: ‘Linear cryptanalysis method for DES cipher’. Proc. Advances in Cryptology – EUROCRYPT ’93, LNCS, 765, 1994, edited by Helleseth, T., (Springer), pp. 386–397
3 Chun, K., Kim, S., Lee, S., Sung, S.H., and Yoon, S.: ‘Differential and linear cryptanalysis for 2-round SPNs’, Inf. Process. Lett., 2003, 87, (5), pp. 277–282
4 Hong, S., Lee, S., Lim, J., Sung, J., and Cheon, D.: ‘Provable security against differential and linear cryptanalysis for the SPN structure’. Proc. Fast Software Encryption (FSE 2000), LNCS, 1978, 2001, edited by Schneier, B., (Springer), pp. 273–283
5 Kang, J.-S., Hong, S., Lee, S., Yi, O., Park, C., and Lim, J.: ‘Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks’, ETRI J., 2001, 23, (4), pp. 158–167
6 Keliher, L.: ‘Refined analysis of bounds related to linear and differential cryptanalysis for the AES’. Proc. 4th Conf. on The Advanced Encryption Standard (AES4), LNCS, 3373, 2005, edited by Dobbertin, H., Rijmen, V., and Sowa, A., (Springer), pp. 42–57
7 Keliher, L., Meijer, H., and Tavares, S.: ‘New method for upper bounding the maximum average linear hull probability for SPNs’. Proc. Advances in Cryptology – EUROCRYPT 2001, LNCS, 2045, 2001, edited by Pfitzmann, B., (Springer), pp. 420–436
8 Keliher, L., Meijer, H., and Tavares, S.: ‘Improving the upper bound on the maximum average linear hull probability for Rijndael’. Proc. Workshop on Selected Areas in Cryptography (SAC 2001), LNCS, 2259, 2001, edited by Vaudenay, S., and Youssef, A., (Springer), pp. 112–128
9 Park, S., Sung, S.H., Chee, S., Yoon, E.-J., and Lim, J.: ‘On the security of Rijndael-like structures against differential and linear cryptanalysis’. Proc. Advances in Cryptology (ASIACRYPT 2002), LNCS, 2501, 2002, edited by Zheng, Y., (Springer), pp. 176–191
10 Park, S., Sung, S.H., Lee, S., and Lim, J.: ‘Improving the upper bound on the maximum differential and the maximum linear hull probability for SPN structures and AES’. Proc. Fast Software Encryption (FSE 2003), LNCS, 2887, 2003, edited by Johansson, T., (Springer), pp. 247–260
11 Sano, F., Ohkuma, K., Shimizu, H., and Kawamura, S.: ‘On the security of nested SPN cipher against the differential and linear cryptanalysis’, IEICE Trans. Fundam. Electron. Commun. Comp. Sci., 2003, E86-A, (1), pp. 37–46
12 Daemen, J., and Rijmen, V.: ‘The design of Rijndael: AES – the Advanced Encryption Standard’ (Springer, 2002)
13 Nyberg, K., and Knudsen, L.: ‘Provable security against a differential attack’, J. Cryptol., 1995, 8, (1), pp. 27–37
14 Daemen, J., and Rijmen, V.: ‘Understanding two-round differentials in AES’. Proc. Security and Cryptography for Networks (SCN 2006), LNCS, 4116, 2006, edited by De Prisco, R., and Yung, M., (Springer), pp. 78–94
15 Biham, E.: ‘On Matsui’s linear cryptanalysis’. Proc. Advances in Cryptology – EUROCRYPT ’94, LNCS, 950, 1995, edited by De Santis, A., (Springer), pp. 341–355
16 Vaudenay, S.: ‘On the security of CS-Cipher’. Proc. Fast Software Encryption (FSE ’99), LNCS, 1636, 1999, edited by Knudsen, L., (Springer), pp. 260–274
17 Lai, X., Massey, J., and Murphy, S.: ‘Markov ciphers and differential cryptanalysis’. Proc. Advances in Cryptology – EUROCRYPT ’91, LNCS, 547, 1991, edited by Davies, D.W., (Springer), pp. 17–38
18 Nyberg, K.: ‘Linear approximation of block ciphers’. Proc. Advances in Cryptology – EUROCRYPT ’94, LNCS, 950, 1995, edited by De Santis, A., (Springer), pp. 439–444