The autocorrelation of a Boolean function possesses the capability to reflect such characteristics as linear structure, Strict Avalanche Criterion(SAC) and Propagation Criterion(PC)of degree k. But it can do nothing i...The autocorrelation of a Boolean function possesses the capability to reflect such characteristics as linear structure, Strict Avalanche Criterion(SAC) and Propagation Criterion(PC)of degree k. But it can do nothing in determining the order of SAC or PC. A calculating table for the autocorrelation is constructed in this paper so as to show what is beyond the autocorrelation and how the three cryptographic characteristics are exhibited. A deeper study on the calculating table in a similar way has helped us to develop a new concept, named as the general autocorrelation, to address efficiently the problem how to determine the orders of SAC and PC. The application on the Advanced Encryption Standard(AES) shows the SAC and PC characteristics of Boolean functions of AES S-box.展开更多
The famous Square attacks against the Rijndael algorithm have taken advantage of the change of the balance of some bytes. Further study shows that the change of activity always happens before the change of balance, wh...The famous Square attacks against the Rijndael algorithm have taken advantage of the change of the balance of some bytes. Further study shows that the change of activity always happens before the change of balance, which builds the foundation for a new activity attack presented in this paper. In the activity attack, the round in which the activity changes is executed in an equivalent form to avoid the obstructive restriction of the subkeys of that round.The existence of the birthday paradox guarantees much fewer plaintexts necessary for activity attacks comparing with that for corresponding Square attacks. But no benefit may result from the new attacks performed independently because the activity attacks guess four instead of one key byte once. Only when both the balance property and the activity property are exploited at the same time can much better performance be obtained. The better performance in the simulation shows that the consuming time and chosen plaintexts necessary are both reduced to one tenth of those of the corresponding Square attacks. So the activity attacks could be viewed as an efficient supplement to the Square attacks.展开更多
基金Partially supported by the National 973 Project(G1999035803)National 863 Project (2002AA143021)the National Cryptography Development Funds for the Tenth Fiveyear Project
文摘The autocorrelation of a Boolean function possesses the capability to reflect such characteristics as linear structure, Strict Avalanche Criterion(SAC) and Propagation Criterion(PC)of degree k. But it can do nothing in determining the order of SAC or PC. A calculating table for the autocorrelation is constructed in this paper so as to show what is beyond the autocorrelation and how the three cryptographic characteristics are exhibited. A deeper study on the calculating table in a similar way has helped us to develop a new concept, named as the general autocorrelation, to address efficiently the problem how to determine the orders of SAC and PC. The application on the Advanced Encryption Standard(AES) shows the SAC and PC characteristics of Boolean functions of AES S-box.
基金the National 973 Project(G1999035803)National 863 Grand Project(2002AA143021)and the National Cryptography Development Funds for the Tenth Five-year Project
文摘The famous Square attacks against the Rijndael algorithm have taken advantage of the change of the balance of some bytes. Further study shows that the change of activity always happens before the change of balance, which builds the foundation for a new activity attack presented in this paper. In the activity attack, the round in which the activity changes is executed in an equivalent form to avoid the obstructive restriction of the subkeys of that round.The existence of the birthday paradox guarantees much fewer plaintexts necessary for activity attacks comparing with that for corresponding Square attacks. But no benefit may result from the new attacks performed independently because the activity attacks guess four instead of one key byte once. Only when both the balance property and the activity property are exploited at the same time can much better performance be obtained. The better performance in the simulation shows that the consuming time and chosen plaintexts necessary are both reduced to one tenth of those of the corresponding Square attacks. So the activity attacks could be viewed as an efficient supplement to the Square attacks.
