This preview shows page 1. Sign up to view the full content.
Unformatted text preview: mple of this design. However, this approach can sometimes aid in differential cryptanalysis [172]. Actually, a better approach is making sure that the maximum differential is as small as possible. Kwangjo Kim proposed five criteria for the construction of Sboxes [834], similar to the design criteria for the DES Sboxes. Choosing good Sboxes is not an easy task; there are many competing ideas on how to do it. Four general approaches can be identified. 1. Choose randomly. It is clear that small random Sboxes are insecure, but large random Sboxes may be good enough. Random Sboxes with eight or more inputs are quite strong [1186,1187]. Twelvebit Sboxes are better. Even more strength is added if the Sboxes are both random and keydependent. IDEA uses both large and keydependent Sboxes. 2. Choose and test. Some ciphers generate random Sboxes and then test them for the requisite properties. See [9,729] for examples of this approach. 3. Manmade. This technique uses little mathematics: Sboxes are generated using more intuitive techniques. Bart Preneel stated that “...theoretically interesting criteria are not sufficient [for choosing Boolean functions for Sboxes]...” and that “...ad hoc design criteria are required” [1262]. 4. Mathmade. Generate Sboxes according to mathematical principles so that they have proven security against differential and linear cryptanalysis, and good diffusive properties. See [1179] for an excellent example of this approach. There has been some call for a combination of the “mathmade” and “manmade” approaches [1334], but the real debate seems to be between randomly chosen Sboxes and Sboxes with certain properties. Certainly the latter approach has the advantage of being optimal against known attacks—linear and differential cryptanalysis—but it offers unknown protection against unknown attacks. The designers of DES knew about differential cryptanalysis, and its Sboxes were optimized against it. They did not seem to know about linear cryptanalysis, and the DES Sboxes are very...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details