Abstract

Block ciphers are an important class of cryptographic algorithms, often used for the efficient encryption of large volumes of information. They can serve as cryptographic primitives in larger security frameworks, for example, the systems used to conduct secure e-commerce over the Internet. A block cipher is a bijective mapping from N bits to N bits (N is called the block size) parameterized by a bitstring called a key, denoted k. Typically k is secret, known only to the communicating parties. Common block sizes are 64 and 128 bits. The input to a block cipher is called a plaintext, and the output is called a ciphertext. We consider a fundamental block cipher architecture known as a substitution-permutation network (SPN). Specifically, we investigate the resistance of SPNs to linear cryptanalysis, one of the most powerful attacks on block ciphers. Previous work on linear cryptanalysis of SPNs has been based on approximations known as linear characteristics, and has made use of two assumptions which do not hold in general. In order to demonstrate provable security of a block cipher against linear cryptanalysis, it is necessary to remove these two assumptions. This requires considering linear cryptanalysis based on families of approximations known as approximate linear hulls. The main contribution of this work is the derivation of the expected resistance of SPNs to linear cryptanalysis based on approximate linear hulls. Values computed from our result show that an SPN with a practical block size is expected to be secure against this attack after a reasonably small number of rounds.
