## CryptoDB

### Stafford E. Tavares

#### Publications

**Year**

**Venue**

**Title**

2004

EPRINT

Completion of Computation of Improved Upper Bound on the Maximum Average Linear Hull Probabilty for Rijndael
Abstract

This report presents the results from the completed computation of an algorithm introduced by the authors in [11] for evaluating the provable security of the AES (Rijndael) against linear cryptanalysis. This algorithm, later named KMT2, can in fact be applied to any SPN [8]. Preliminary results in [11] were based on 43\% of total computation, estimated at 200,000 hours on our benchmark machine at the time, a Sun Ultra 5. After some delay, we obtained access to the necessary computational resources, and were able to run the algorithm to completion. In addition to the above, this report presents the results from the dual version of our algorithm (KMT2-DC) as applied to the AES.

2002

EPRINT

On Some Algebraic Structures in the AES Round Function
Abstract

In this paper, we show that all the coordinate functions of the
Advanced Encryption Standard (AES) round function are equivalent under an affi
ne transformation of the input to the round function. In other words, let $f_i$
and $f_j$ be any two distinct output coordinates of the AES round function, then
there exists a nonsingular matrix $A_{ji}$ over $GF(2)$ such that
$f_j(A_{ji} x) + b_{ji}= f_i(x), b_{ji} \in GF(2)$.
We also show that such linear relations will always exist if the Rijndael s-b
ox is replaced by any bijective monomial over $GF(2^8)$.
%We also show that replacing the s-box by any bijective monomial will not change
this property.

2001

EPRINT

Dual of New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs
Abstract

In [3], we present a new algorithm for computing an upper bound on
the maximum average linear hull probability (MALHP) for the SPN
symmetric cipher structure, a value required to make claims about
provable security against linear cryptanalysis. This algorithm
improves on existing work in that the resulting upper bound is a
function of the number of encryption rounds (other upper bounds
known to the authors are not), and moreover, it can be computed
for an SPN with any linear transformation layer (the best previous
result, that of Hong et.al [4], applies only to SPNs with highly
diffusive linear transformations).
It is well known that there exists a duality between linear
cryptanalysis and differential cryptanalysis which allows certain
results related to one of the attacks to be translated into the
corresponding results for the other attack [1,5]. Since this
duality applies to our work in [3], we immediately obtain an
algorithm for upper bounding the maximum average differential
probability (MADP) for SPNs (required to make claims about
provable security against differential cryptanalysis).
Note: In what follows, we assume familiarity with the notation
and results of [3].

1991

EUROCRYPT

1982

CRYPTO

#### Program Committees

#### Coauthors

- Carlisle M. Adams (2)
- G. M. Avis (1)
- Gerald C. Chick (1)
- M. H. Dawson (1)
- John Detombe (1)
- Howard M. Heys (1)
- Liam Keliher (3)
- A. K. Leung (1)
- Henk Meijer (3)
- T. E. Moore (1)
- Benjamin B. Nieh (1)
- Glenn A. Orton (2)
- Lloyd E. Peppard (3)
- M. P. Roy (1)
- P. A. Scott (1)
- M. Sivabalan (1)
- A. F. Webster (1)
- Amr M. Youssef (1)