On the Distribution of Characteristics in Bijective Mappings [chapter]

Luke O'Connor
Advances in Cryptology — EUROCRYPT '93  
Differential cryptanalysis is a method of attacking iterated mappings which has been applied with varying success to a number of product ciphers and hash functions [1, 3]. The attack is based on predicting a series of differences ΔY₁, ΔY₂, ..., ΔYᵣ known as a characteristic Ω. Partial information about the key can be derived when the differences are correctly predicted. The probability of a given characteristic Ω correctly predicting differences is derived from the XOR tables associated with the iterated mapping. Even though differential cryptanalysis has been applied successfully to a number of specific iterated mappings such as DES, FEAL and LOKI, the effectiveness of the attack against an arbitrary iterated mapping has not been considered. In this paper we derive the exact distribution of characteristics in XOR tables, and determine an upper bound on the probability of the most likely characteristic Ω in a product cipher constructed from randomly selected S-boxes that are bijective mappings. From this upper bound we are then able to construct product ciphers for which all characteristics Ω occur with low probability.
doi:10.1007/3-540-48285-7_31 dblp:conf/eurocrypt/OConnor93 fatcat:jdfsbnmdlbhvtgfckll2fcwrtm