"Provable" Security against Differential and Linear Cryptanalysis

In this invited talk, a brief survey on the developments of countermeasures against differential and linear cryptanalysis methods is presented. 1 Nonlinearity of S-boxes Throughout the eighties the unpublished design criteria of the DES had inspired various authors to invent formal nonlinearity criteria for S-boxes such as the strict avalanche criterion [30] and the propagation criterion [27]. At the same time, correlation attacks on combination generators inspired definitions of correlation immunity [29] and perfect nonlinearity [21] of Boolean functions. W. Meier and O. Staffelbach realized that perfect nonlinear Boolean functions had been invented before under the name bent functions [28,12]. Then the discovery of the differential cryptanalysis method [4] lead to the notion of perfect nonlinear S-boxes [22], with the property that for any non-zero input difference the output differences are uniformly distributed. In particular, the output difference zero would occur with the same probability as the non-zero output differences and would significantly improve the probability of the two-round iterative characteristic for a Feistel cipher as pointed out to the author by E. Biham at Eurocrypt 1991. It also means that perfect nonlinear S-boxes cannot be bijective, even worse, the number of input bits must be at least twice the number of output bits [22]. It was clear that the requirement of perfect nonlinearity must be relaxed. But it was not sufficient to take care that the output bits were highly nonlinear Boolean functions as in [26], but also all non-zero linear combinations of the output bits should be highly nonlinear as noted in [23], where the definition of nonlinearity of a vector Boolean function was formulated. The importance of nonlinearity as a cryptographic criterion was highlighted even more as the linear cryptanalysis method was presented by M. Matsui in 1993 [20]. The relationship between nonlinearity (resistance against linear cryptanalysis) and differential uniformity (resistance against differential cryptanalysis) was established in [8]. Since then H. Dobbertin and C. Carlet followed by many other authors have contributed with combinatorial designs and constructions that are almost perfect nonlinear (APN) or satisfy other nonlinearity criteria of S-boxes.