Content deleted Content added
m Adding correct URL for PDF of the paper. |
|||
Line 27:
The AES non-linear function has a maximum differential probability of 4/256 (most entries however are either 0 or 2). Meaning that in theory one could determine the key with half as much work as brute force, however, the high branch of AES prevents any high probability trails from existing over multiple rounds. In fact, the AES cipher would be just as immune to differential and linear attacks with a much ''weaker'' non-linear function. The incredibly high branch (active S-box count) of 25 over 4R means that over 8 rounds no attack involves fewer than 50 non-linear transforms, meaning that the probability of success does not exceed Pr[attack] ≤ Pr[best attack on S-box]<sup>50</sup>. For example, with the current S-box AES emits no fixed differential with a probability higher than (4/256)<sup>50</sup> or 2<sup>−300</sup> which is far lower than the required threshold of 2<sup>−128</sup> for a 128-bit block cipher. This would have allowed room for a more efficient S-box, even if it is 16-uniform the probability of attack would have still been 2<sup>−200</sup>.
There exist no bijections for even sized inputs/outputs with 2-uniformity. They exist in odd fields (such as GF(2<sup>7</sup>)) using either cubing or inversion (there are other exponents that can be used as well). For instance S(x) = x<sup>3</sup> in any odd binary field is immune to differential and linear cryptanalysis. This is in part why the [[MISTY]] designs use 7- and 9-bit functions in the 16-bit non-linear function. What these functions gain in immunity to differential and linear attacks they lose to algebraic attacks. {{why}} That is, they are possible to describe and solve via a SAT solver. This is in part why AES (for instance) has an affine mapping after the inversion.
==Specialized types==
| |||