Paper 2023/725

On Perfect Linear Approximations and Differentials over Two-Round SPNs

Christof Beierle, Ruhr University Bochum
Patrick Felke, University of Applied Sciences Emden Leer
Gregor Leander, Ruhr University Bochum
Patrick Neumann, Ruhr University Bochum
Lukas Stennes, Ruhr University Bochum

Recent constructions of (tweakable) block ciphers with an embedded cryptographic backdoor relied on the existence of probability-one differentials or perfect (non-)linear approximations over a reduced-round version of the primitive. In this work, we study how the existence of probability-one differentials or perfect linear approximations over two rounds of a substitution-permutation network can be avoided by design. More precisely, we develop criteria on the s-box and the linear layer that guarantee the absence of probability-one differentials for all keys. We further present an algorithm that allows to efficiently exclude the existence of keys for which there exists a perfect linear approximation.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2023
differential cryptanalysislinear cryptanalysisdecompositionboomerang connectivity tableweak keys
Contact author(s)
christof beierle @ rub de
patrick felke @ hs-emden-leer de
gregor leander @ rub de
patrick neumann @ rub de
lukas stennes @ rub de
2023-05-22: approved
2023-05-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Christof Beierle and Patrick Felke and Gregor Leander and Patrick Neumann and Lukas Stennes},
      title = {On Perfect Linear Approximations and Differentials over Two-Round {SPNs}},
      howpublished = {Cryptology ePrint Archive, Paper 2023/725},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.