Paper 2015/085

On the behaviors of affine equivalent Sboxes regarding differential and linear attacks

Anne Canteaut and Joëlle Roué

Abstract

This paper investigates the effect of affine transformations of the Sbox on the maximal expected differential probability (MEDP) and maximal expected linear potential (MELP) over two rounds of a substitution-permutation network, when the diffusion layer is linear over the finite field defined by the Sbox alphabet. It is mainly motivated by the fact that the 2-round MEDP and MELP of the AES both increase when the AES Sbox is replaced by the inversion in $GF(2^8)$. Most notably, we give new upper bounds on these two quantities which are not invariant under affine equivalence. Moreover, within a given equivalence class, these new bounds are maximal when the considered Sbox is an involution. These results point out that different Sboxes within the same affine equivalence class may lead to different two-round MEDP and MELP. In particular, we exhibit some examples where the basis chosen for defining the isomorphism between $GF(2)^m$ and $GF(2^m)$ affects these values. For Sboxes with some particular properties, including all Sboxes of the form $A(x^s)$ as in the AES, we also derive some lower and upper bounds for the 2-round MEDP and MELP which hold for any MDS linear layer.
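The abstract contrasts the AES Sbox with the bare inversion in $GF(2^8)$, two Sboxes in the same affine equivalence class. The example below is added here and is not code from the paper: it builds the AES Sbox as $A(x^{-1})$ from the field inversion and the AES affine layer, then computes the two single-Sbox quantities that affine equivalence does preserve (differential uniformity, i.e. the maximal DDT entry, and linearity, i.e. the maximal absolute Walsh coefficient). Both Sboxes give identical results, which is exactly why the two-round MEDP and MELP discussed in the paper, where the MDS layer comes into play, are the interesting quantities; those two-round values are not computed here. The reduction polynomial and affine constant are the standard AES ones; the helper names are the example's own.

```python
# Added example: AES Sbox as an affine image of inversion in GF(2^8),
# and the single-Sbox metrics that are invariant under affine equivalence.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Inverse in GF(2^8) via a^254 (with the AES convention 0 -> 0)."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_affine(x):
    """The AES affine layer A: y = x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63."""
    y = x
    for i in range(1, 5):
        y ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return y ^ 0x63


# Two Sboxes from the same affine equivalence class: x^{-1} and A(x^{-1}).
INVERSION = [gf_inv(x) for x in range(256)]
AES_SBOX = [aes_affine(INVERSION[x]) for x in range(256)]


def differential_uniformity(sbox):
    """Max over a != 0, b of #{x : S(x ^ a) ^ S(x) = b} (largest DDT entry)."""
    n = len(sbox)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best


def walsh_spectrum(f):
    """Fast Walsh-Hadamard transform of a Boolean function given as 0/1 values."""
    w = [1 - 2 * v for v in f]
    h, n = 1, len(w)
    while h < n:
        for i in range(0, n, 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def linearity(sbox):
    """Max |sum_x (-1)^{b.S(x) ^ a.x}| over output masks b != 0 and all a."""
    n = len(sbox)
    best = 0
    for b in range(1, n):
        component = [bin(b & sbox[x]).count("1") & 1 for x in range(n)]
        best = max(best, max(abs(c) for c in walsh_spectrum(component)))
    return best


def compare_sboxes():
    """Return the invariant metrics for both Sboxes; they coincide."""
    return {
        "inversion": (differential_uniformity(INVERSION), linearity(INVERSION)),
        "aes": (differential_uniformity(AES_SBOX), linearity(AES_SBOX)),
    }


if __name__ == "__main__":
    print("S(0x53) =", hex(AES_SBOX[0x53]))
    print(compare_sboxes())
```

Differential uniformity 4 corresponds to a one-round differential probability of at most $2^{-6}$, and linearity 32 to a linear potential of at most $(32/256)^2 = 2^{-6}$; because these are identical for every Sbox in the class, any difference between the AES Sbox and the inversion can only appear once the linear layer over $GF(2^8)$ is taken into account, as the paper shows for two rounds.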

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in EUROCRYPT 2015
Keywords
Sboxes, affine equivalence, differential cryptanalysis, linear cryptanalysis, AES
Contact author(s)
Anne Canteaut @ inria fr
History
2015-02-14: received
Short URL
https://ia.cr/2015/085
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/085,
      author = {Anne Canteaut and Joëlle Roué},
      title = {On the behaviors of affine equivalent Sboxes regarding differential and linear attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/085},
      year = {2015},
      url = {https://eprint.iacr.org/2015/085}
}