Cryptology ePrint Archive: Report 2015/085

On the behaviors of affine equivalent Sboxes regarding differential and linear attacks

Anne Canteaut and Joëlle Roué

Abstract: This paper investigates the effect of affine transformations of the Sbox on the maximal expected differential probability MEDP and linear potential MELP over two rounds of a substitution-permutation network, when the diffusion layer is linear over the finite field defined by the Sbox alphabet. It is mainly motivated by the fact that the 2-round MEDP and MELP of the AES both increase when the AES Sbox is replaced by the inversion in $GF(2^8)$. Most notably, we give new upper bounds on these two quantities which are not invariant under affine equivalence. Moreover, within a given equivalence class, these new bounds are maximal when the considered Sbox is an involution. These results point out that different Sboxes within the same affine equivalence class may lead to different two-round MEDP and MELP. In particular, we exhibit some examples where the basis chosen for defining the isomorphism between $GF(2)^m$ and $GF(2^m)$ affects these values. For Sboxes with some particular properties, including all Sboxes of the form $A(x^s)$ as in the AES, we also derive some lower and upper bounds for the 2-round MEDP and MELP which hold for any MDS linear layer.

Category / Keywords: secret-key cryptography / Sboxes, affine equivalence, differential cryptanalysis, linear cryptanalysis, AES.

Original Publication (in the same form): IACR-EUROCRYPT-2015

Date: received 4 Feb 2015

Contact author: Anne Canteaut at inria fr

Available format(s): PDF | BibTeX Citation

Version: 20150214:084825 (All versions of this report)

Short URL: ia.cr/2015/085

Discussion forum: Show discussion | Start new discussion