New Applications of Differential Bounds of the SDS Structure

  • Authors:

  • Jiali Choy;Khoongming Khoo

  • Affiliations:

  • DSO National Laboratories, , Singapore 118230;DSO National Laboratories, , Singapore 118230

  • Venue:
  • ISC '08 Proceedings of the 11th international conference on Information Security
  • Year:
  • 2008

Quantified Score

Hi-index 0.00

Visualization

Abstract

In this paper, we present some new applications of the bounds for the differential probability of a SDS (Substitution-Diffusion-Substitution) structure by Park et al. at FSE 2003. Park et al. have applied their result on the AES cipher which uses the SDS structure based on MDS matrices. We shall apply their result to practical ciphers that use SDS structures based on {0,1}-matrices of size n×n. These structures are useful because they can be efficiently implemented in hardware. We prove a bound on {0,1}-matrices to show that they cannot be MDS and are almost-MDS only when n= 2,3, or 4. Thus we have to apply Park's result whenever {0,1}-matrices where n茂戮驴 5 are used because previous results only hold for MDS and almost-MDS diffusion matrices. Based on our bound, we also show that the {0,1}-matrices used in E2, Camellia, and MCrypton are optimal or almost-optimal among {0,1}-matrices. Using Park's result, we prove differential bounds for the E2 and MCrypton ciphers, from which we can deduce their security against boomerang attack and some of its variants. At ICCSA 2006, Khoo and Heng constructed block cipher-based universal hash functions, from which they derived Message Authentication Codes (MACs) which are faster than CBC-MAC. Park's result provides us with the means to obtain a more accurate bound for their universal hash function. With this bound, we can restrict the number of MAC's performed before a change of MAC key is needed.