Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES)

Provable security of a block cipher against differential / linear cryptanalysis is based on the maximum expected differential / linear probability (MEDP / MELP) over $T \geq 2$ core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case $T = 2$ for the Advanced Encryption Standard (AES). We show that the exact value of the 2-round MEDP / MELP for the AES is equal to the best known lower bound: $53/2^{34} \approx 1.656 \times 2^{-29}$ / $109{,}953{,}193/2^{54} \approx 1.638 \times 2^{-28}$. This immediately yields an improved upper bound on the AES MEDP / MELP for $T \geq 4$, namely $(53/2^{34})^4 \approx 1.881 \times 2^{-114}$ / $(109{,}953{,}193/2^{54})^4 \approx 1.802 \times 2^{-110}$.