On the behaviors of affine equivalent Sboxes regarding differential and linear attacks.

*(English)* Zbl 1365.94411
Oswald, Elisabeth (ed.) et al., Advances in cryptology – EUROCRYPT 2015. 34th annual international conference on the theory and applications of cryptographic techniques, Sofia, Bulgaria, April 26–30, 2015. Proceedings. Part I. Berlin: Springer (ISBN 978-3-662-46799-2/pbk; 978-3-662-46800-5/ebook). Lecture Notes in Computer Science 9056, 45-74 (2015).

Summary: This paper investigates the effect of affine transformations of the Sbox on the maximal expected differential probability \(\mathrm {MEDP}\) and linear potential \(\mathrm {MELP}\) over two rounds of a substitution-permutation network, when the diffusion layer is linear over the finite field defined by the Sbox alphabet. It is mainly motivated by the fact that the \(2\)-round \(\mathrm {MEDP}\) and \(\mathrm {MELP}\) of the AES both increase when the AES Sbox is replaced by the inversion in \(\mathbf {F}_{2^8}\). Most notably, we give new upper bounds on these two quantities which are not invariant under affine equivalence. Moreover, within a given equivalence class, these new bounds are maximal when the considered Sbox is an involution. These results point out that different Sboxes within the same affine equivalence class may lead to different two-round \(\mathrm {MEDP}\) and \(\mathrm {MELP}\). In particular, we exhibit some examples where the basis chosen for defining the isomorphism between \(\mathbf {F}_2^m\) and \(\mathbf {F}_{2^m}\) affects these values. For Sboxes with some particular properties, including all Sboxes of the form \(A(x^s)\) as in the AES, we also derive some lower and upper bounds for the \(2\)-round \(\mathrm {MEDP}\) and \(\mathrm {MELP}\) which hold for any MDS linear layer.
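The AES Sbox is \(A(x^{254})\), inversion in \(\mathbf {F}_{2^8}\) followed by an affine map, so it lies in the same affine equivalence class as the bare inversion. The following added example (not code from the paper) builds both tables from the AES specification and checks that their single-Sbox measures, the differential uniformity (largest difference-distribution-table entry) and the linearity (largest absolute Walsh coefficient), coincide; this is why the difference the paper reports only shows up in the two-round \(\mathrm {MEDP}\) and \(\mathrm {MELP}\), not in the Sbox tables alone.

```python
# Added example: affine-equivalent Sboxes (AES Sbox vs. inversion in GF(2^8))
# share their single-Sbox differential and linear measures.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(x):
    """Inversion in GF(2^8), with the AES convention 0 -> 0 (i.e. x^254)."""
    if x == 0:
        return 0
    return next(y for y in range(1, 256) if gf_mul(x, y) == 1)

def aes_affine(y):
    """AES affine map A(y) = M*y + 0x63 over GF(2)^8, in bit-rotation form."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4) ^ 0x63

INVERSION = [gf_inv(x) for x in range(256)]          # the bare inversion Sbox
AES_SBOX = [aes_affine(y) for y in INVERSION]         # A(x^254): the AES Sbox

def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def linearity(sbox):
    """Largest |Walsh coefficient| over nonzero output masks, via an in-place FWHT."""
    best = 0
    for b in range(1, 256):
        f = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in f))
    return best
```

Both tables give differential uniformity 4 and linearity 32 (nonlinearity 112), so neither measure distinguishes the two Sboxes.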

For the entire collection see [Zbl 1321.94010].

##### MSC:

| Code | Subject |
|---|---|
| 94A60 | Cryptography |