A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0, 1} N to {0, 1} N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key-this is generally taken to be the ideal cipher model. We consider a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, we investigate expected linear probability (ELP) values

more »

... for SPNs, which are the basis for a powerful attack called linear cryptanalysis. We show that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher. focus of increased attention. This is due in part to the selection of the SPN Rijndael as the U.S. Government Advanced Encryption Standard (AES) [7] . We consider SPNs in which the substitution components (s-boxes) are selected independently from the uniform distribution on the set of all possible s-boxes (the LT component remains fixed). The ideal cipher model is generally taken to be the true random cipher [19] , in which each key value results in a distinct bijective mapping from {0, 1} N to {0, 1} N , and each such mapping is realized by some key. It is desirable to quantify aspects of a block cipher's behavior which approximate that of the true random cipher. In this work we consider expected linear probability (ELP) values, which are the basis for a powerful attack called linear cryptanalysis (LC), with the goal of investigating the relationship between expected ELP values for an SPN with randomly selected s-boxes (where the outer expectation is over all SPNs generated by this random selection of s-boxes), and the corresponding values for the true random cipher. The contributions of this work are twofold. First, we derive a general formula for the expected value of a fixed ELP entry over all SPNs with randomly selected s-boxes. This can be applied for any choice of the LT component of the SPN. Second, we compute this formula for an SPN with a practical block size and a specific well-known LT, and demonstrate that the resulting values converge to what would be expected if the SPN were replaced by the true random cipher, as the number of encryption rounds is increased. We conjecture that this convergence can be shown analytically. Conventions The Hamming weight of a binary vector x is written wt(x). If Z is a random variable, E [Z] denotes the expected value of Z. And we use #A to indicate the number of elements in the set A. Substitution-Permutation Networks An SPN encrypts a plaintext through a series of R simpler encryption steps called rounds. The input to round r (1 ≤ r ≤ R) is first bitwise XOR'd with an N -bit subkey, denoted k r , which is typically derived from the key, k, via a separate key-scheduling algorithm. The substitution stage then partitions the resulting vector into M subblocks of size n (N = M n), which become the inputs to a row of bijective n × n substitution boxes (s-boxes)-bijective mappings from {0, 1} n to {0, 1} n . Finally, the permutation stage applies an invertible linear transformation (LT) to the output of the s-boxes (classically, this was a bitwise permutation). Often the permutation stage is omitted from the last round, as its presence here adds no cryptographic strength. A final subkey, k R+1 , is XOR'd with the output of round R to form the ciphertext. Figure 1 depicts an example SPN with N = 16, M = n = 4, and R = 3. We assume the most general situation for the key, namely, that k is an independent key [2], a concatenation of (R + 1) subkeys chosen independently from the uniform distribution on {0, 1} Nsymbolically, k = k 1 , k 2 , . . . , k R+1 . i.e., k ∈ {0, 1} N (R+1) . Definition 2.1. Let K denote the set of all independent keys. From the above, K has the uniform distribution.