Conclusion and Further Work

Example 26. We can use the parameters m= 64, r = 9, d = 2, and p = 2³²+15. We obtain that[C]²−[C^∗]²a≤ 2⁻⁷⁶. Therefore from Theorems 13 and 17 no differential or linear distinguisher can be efficient. The PEANUT98 cipher has been proposed with these parameters in [64].

Example 27. In an earlier version of this work [63], we proposed a similar construc-tion (called PEANUT97) based on the NUT-III decorrelaconstruc-tion module which uses prime numbers smaller than 2^m/2. However, the result above does not hold with the·anorm, but rather with the·2one. The drawback is that this norm has less friendly theorems for constructing Feistel ciphers, and in particular we need more rounds to make the cipher provably secure. (See [65].)

Example 28. The AES candidate DFC was proposed based on the PEANUT construc-tion (see [17], [18], and [20]). Nominal parameters are m = 128, r = 8, d = 2, and

p= 2⁶⁴+ 13, so we have [C]²− [C^∗]²a ≤ 2⁻¹¹⁵.

8.3. WALNUT: An Alternate Design The Feistel cipher is based on a round mapping defined by

(xL, xR) → (xR, xL⊕ F(xR)).

The Feistel scheme benefits from the Luby–Rackoff lemma which enables building a PEANUT cipher with a provably low decorrelation bias. Instead, we can use the Lai–

Massey scheme on which IDEA relies and which is based on the round mapping (xL, xR) → (O(xL+ F(xL− xR)), xR+ F(xL− xR))

as illustrated by Fig. 7 where + is any group addition law, − is the corresponding subtraction, and O is an orthomorphism for the group, i.e. a permutation such that x → O(x) − x is also a permutation. As shown in [69], the Luby–Rackoff lemma holds for this scheme as well with the same bound and same number of rounds. We can thus construct the WALNUT cipher is the same way as the PEANUT cipher, but with the Lai–Massey scheme instead of the Feistel one.

9. Conclusion and Further Work

Decorrelation modules are cheap and friendly tools which can strengthen the security of block ciphers. Actually, we can quantify their security against a class of cryptanaly-sis which includes differential and linear cryptanalycryptanaly-sis. To illustrate this paradigm, we

❄ ❄ r ✲ ✛ r−

r ✲

+✛ +

O

❄ ❄

r ✲ ✛ r− r ✲

+✛ +

O

❄ ❄

r ✲ ✛ r− r ✲

+✛ +

❄ ❄

f₁

f2

f3

Fig. 7. Lai-Massey scheme.

proposed prototype ciphers PEANUT97 [63], COCONUT98 and PEANUT98 [64], and DFCv2 [20].

One problem with the COCONUT, PEANUT, or WALNUT constructions is that they require a long key (in order to make the internal random functions independent). In real-life examples we can generate this long key by using a pseudorandom generator fed with a short key, but the results on the security based on decorrelation are no longer valid. However, provided that the pseudorandom generator produces outputs which are indistinguishable from truly random sequences, we can still prove the security. This approach has been developed in [17], [18], and [20] with the submission of DFC to the Advanced Encryption Standard process.

Security against some other generic models of attacks is still open. In particular, we may investigate security against the Boomerang attack [72], the rectangle attack [5], or the linear-differential attack [6], [38]. Although we can directly use results from Section 6.3 with a high order of decorrelation it is not quite clear at this time what the minimal order of decorrelation required is. Extensions of Theorem 18 to adaptive attacks is also open. It is further not quite sure that 2d-decorrelation is necessary for getting provable security against iterated attacks of order d, although we have proven it is sufficient and that d-decorrelation is not.

It is further problematic to estimate the decorrelation bias of concrete ciphers like DES or AES candidates unless we approximate them to an ideal model [47].

Acknowledgments

I thank the anonymous referees, Eli Biham, Ueli Maurer, David Wagner, and Thomas Baign`eres for helpful comments, as well as Pascal Junod for interesting discussions and a pointer to (6). My gratitude also goes to my co-authors from [17], [18], [20], and [57], Henri Gilbert, Marc Girault, Louis Granboulan, Philippe Hoogvorst, Phong Nguyen,

Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, and from [4]

and [47], Kazumaro Aoki and Shiho Moriai.

Appendix A. Proof of Theorem 6

Proof. We consider the best adaptive distinguisherA between F and F^∗. Without loss of generality we can assume that it is deterministic and it never asks the same query twice. Let xi = fi(y1, . . . , yi−1), x = (x1, . . . , xd), and y = (y1, . . . , yd). Let A be the set of accepted y by the distinguisher. The decorrelation distance is simply twice its advantage, hence

[F]^d− [F^∗]^da= 2

y∈A

([F]^dx,y− [F^∗]^d_x,y).

Obviously this sum is maximal whenA consists of all y for which we have [F]^dx,y >

[F^∗]^d_x,y. Since the full sum is zero, we have

[F]^d− [F^∗]^da =

y

[F]^d_x,y− [F^∗]^d_x,y.

The sample space for F has cardinality 2^md. Hence for any multi-point y the probability [F]^d_x,ycan be written j· 2^−mdfor some integer j which is at most 2^md. Let x be a multi-point. Let Nj be the number of y multi-points such that [F]^d_x,y = j · 2^−md. Note that [F^∗]^d_x,y= 2^−mdsince all xiare pairwise different. We have

[F]^d − [F^∗]^da =

2^md



j=0

Nj| j − 1|2^−md.

Since we have

jNj = 2^md and



j

Nj· j2^−md=

y

[F]^d_x,y = 1

we obtain

jNj| j − 1|2^−md= 2N02^−md. Hence

[F]^d− [F^∗]^da = 2N02^−md.

So we only need to count the number of y so that [F]^d_x,y= 0, i.e. the number of unreached multi-points y by the(K1, . . . , Kd) → y mapping.

Let zi = K1+ K2xi+ · · · + Kdx_i^d−1 mod p and z = (z1, . . . , zd). We have yi = zi mod 2^mso z is a lift of y. If y is unreached, it means that none of its lift are reached. We can thus map at least one (unreached) z(y) in an injective way to any unreached y multi-point. Hence we have at least N0 unreached multi-points z by the(K1, . . . , Kd) → z mapping. We notice that this mapping has no collision: if K = (K1, . . . , Kd) and K^= (K₁^, . . . , Kd^) lead to the same z, they lead to the same y, therefore to the same x, so we must have K = K^due to interpolation reasons. Hence at least 2^md multi-points z are reached, so we have 2^md + N0 ≤ p^d. So N0 is less than p^d − 2^md and we have

[F]^d− [F^∗]^da ≤ 2((1 + δ)^d− 1).

Parameters: functions f1, . . . , fd, a setA Oracle: permutations c and c⁻¹

1: select a fixed direction and message(B1, Z₁⁰) = f1() and get Z₁¹ = c(Z₁⁰) if B1 = 0 or Z₁¹= c⁻¹(Z1⁰) otherwise

2: calculate a direction and a message(B2, Z⁰2) = f2(Z1¹) and get Z¹2 = c(Z⁰2) if B2 = 0 or Z₂¹= c⁻¹(Z2⁰) otherwise

3: . . .

4: calculate a direction and a message(Bd, Z_d⁰) = fd(Z¹₁, . . . , Z_d−1¹ ) and get Z¹_d = c(Z⁰_d) if Bd = 0 or Zd¹= c⁻¹(Z⁰d) otherwise

5: if(Z₁¹, . . . , Z_d¹) ∈ A, output 1, otherwise output 0

Fig. 8. A general d-limited distinguisher with chosen inputs or outputs.

Appendix B. On Super-Pseudorandomness

Super-pseudorandomness addresses the distinguishability of random permutations with distinguishers which can submit inputs or outputs to the oracle and get the corresponding output or input in return. Figure 8 depicts a general distinguisher limited to d queries which are either chosen inputs or chosen outputs. For completeness we state here the results without a proof.

In the same way that we define the · a norm with (4), we define a · s norm on R^Md×Mdby

As= max

b₁∈{0,1}max

z⁰₁



z¹₁

· · · max

b_d∈{0,1}max

z⁰_d



z¹_d

|A_(zb1

1,...,z^bd_d ),(z¹₁^−b1,...,z¹_d^−bd)|.

We can transform the matrix A into a matrix ¯A on R^Md1×MdwhereM1= {0, 1} × M by

¯A_((b1,z⁰

1),...,(bd,z⁰d)),(z¹1,...,z¹d)= A_(zb1

1,...,z^bd_d ),(z¹₁^−b1,...,z_d^1−bd). Then we haveAs=  ¯Aa. We easily deduce that

(i)  · sis actually a matrix norm,

(ii) we have|A|∞≤ Aa ≤ Asfor any A, (iii) the following equivalent of Theorem 9 holds.

Theorem 29 [70]. Let d be an integer and let C be a cipher. The best d-limited distin-guisher (as depicted in Fig. 8) for C is such that

AdvFig. 8=¹₂[C]^d− [C^∗]^ds, where C^∗is the perfect cipher.

The equivalent of Lemma 22 is as follows.

Lemma 30 [68]. Let d be an integer. Let C be a random permutation on a setM. We letX be the subset of M^d of all(x1, . . . , xd) with pairwise different entries. We let C^∗ be a uniformly distributed random permutation onM. We know that for all x, y ∈ X , the value [C^∗]^d_x,yis a constant p₀. If there exists a positive real valueε such that

∀x, y ∈ X , [C]^d_x,y≥ p0(1 − ε),

then we have[C]^d− [C^∗]^ds≤ 2ε. Similarly, if there exists a positive real value ε such that

∀x, y ∈ X , [C]^d_x,y ≥ 1− ε

#M^d, then we have[C]^d− [C^∗]^ds ≤ 2ε + d²/#M.

Lemma 19 can also be stated in terms of super-pseudorandomness.

Lemma 31 [40]. Let F1, F2, F3, F4be four independent uniformly distributed random functions onM0and let d be an integer. We consider the cipher C = (F1, F2, F3, F4) onM = M02and we compare it with the perfect cipher C^∗. For any distinguisherA between(F1, F2, F3, F4) and C^∗which is limited to d chosen inputs or outputs, we have

Adv_A≤ d²

√#M.

The consequence is the following equivalent of Theorem 21.

Theorem 32 [70]. Let F₁, . . . , Fr be r independent random functions on M0 such that[Fi]^d− [F^∗]^da ≤ ε (i = 1, . . . , r) where F^∗is a uniformly distributed random function onM0. We consider the cipher C = (F1, . . . , Fr) on M = M02and we compare it with the perfect cipher C^∗. Let k≥ 4 be an integer. For any distinguisher A between C and C^∗which is limited to d chosen inputs or outputs, we have

Adv_A≤ 1 2

kε + 2d²

√#M _r/k

.

Finally, Theorem 25 extends as follows.

Theorem 33. Let C be a cipher in the PEANUT family with parameters(m, r, d, p).

We have

[C]^d− [C^∗]^ds ≤ ((1 + 2(p^d2^−md/2− 1))⁴− 1 + 2d²/2^m/2)^r/4, where C^∗is the perfect cipher.

The parameters of PEANUT98 lead to[C]²− [C^∗]²s≤ 2⁻⁴⁸. The parameters of DFC lead to[C]²− [C^∗]²s≤ 2⁻¹¹².

References

[1] Data Encryption Standard. Federal Information Processing Standard Publication 46, U.S. National Bureau of Standards, 1977.

[2] ETSI. Universal Mobile Telecommunications System (UMTS); specification of the 3GPP confidentiality and integrity algorithms. Document 2: Kasumi algorithm specification (3GPP TS 35.202 version 3.1.2 Release 1999). http://www.etsi.org/

[3] K. Aoki, K. Ohta. Strict Evaluation of the Maximum Average of Differential Probability and the Maximum Average of Linear Probability. IEICE Transactions on Fundamentals, vol. E80-A, pp. 1–8, 1997.

[4] K. Aoki, S. Vaudenay. On the Use of GF-Inversion as a Cryptographic Primitive. To appear in Selected Areas in Cryptography ’03, Ottawa, Ontario, Canada, Lecture Notes in Computer Science, Springer-Verlag, Berlin.

[5] E. Biham, O. Dunkelman, N. Keller. The Rectangle Attack—Rectangling the Serpent. In Advances in Cryptology, EUROCRYPT ’01, Innsbruck, Austria, Lecture Notes in Computer Science 2045, pp. 340–

357, Springer-Verlag, Berlin, 2001.

[6] E. Biham, O. Dunkelman, N. Keller. Enhancing Differential-Linear Cryptanalysis. In Advances in Cryp-tology, ASIACRYPT ’02, Queenstown, New Zealand, Lecture Notes in Computer Science 2501, pp. 254–

266, Springer-Verlag, Berlin, 2002.

[7] E. Biham, A. Shamir. Differential Cryptanalysis of DES-Like Cryptosystems. In Advances in Cryptology, CRYPTO ’90, Santa Barbara, California, U.S.A., Lecture Notes in computer Science 537, pp. 2–21, Springer-Verlag, Berlin, 1991.

[8] E. Biham, A. Shamir. Differential Cryptanalysis of DES-Like Cryptosystems. Journal of Cryptology, vol. 4, pp. 3–72, 1991.

[9] E. Biham, A. Shamir. Differential Cryptanalysis of the Full 16-Round DES. In Advances in Cryptology, CRYPTO ’92, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 740, pp. 487–496, Springer-Verlag, Berlin, 1993.

[10] E. Biham, A. Shamir. Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, Berlin, 1993.

[11] J. L. Carter, M. N. Wegman. Universal Classes of Hash Functions. Journal of Computer and System Sciences, vol. 18, pp. 143–154, 1979.

[12] F. Chabaud, S. Vaudenay. Links between Differential and Linear Cryptanalysis. In Advances in Cryptol-ogy, EUROCRYPT ’94, Perugia, Italy, Lecture Notes in Computer Science 950, pp. 356–365, Springer-Verlag, Berlin, 1995.

[13] D. H. Cheon, S. J. Lee, J. I. Lim, S. J. Lee. New Block Cipher DONUT Using Pairwise Perfect Decorre-lation. In Progress in Cryptology, INDOCRYPT ’00, Calcutta, India, Lecture Notes in Computer Science 1997, pp. 262–270, Springer-Verlag, Berlin, 2000.

[14] H. Feistel. Cryptography and Computer Privacy. Scientific American, vol. 228, pp. 15–23, 1973.

[15] H. Gilbert. Cryptanalyse Statistique des Algorithmes de Chiffrement et S´ecurit´e des Sch´emas d’Authentification,Th`ese de Doctorat de l’Universit´e de Paris 11, 1997.

[16] H. Gilbert, G. Chass´e. A Statistical Attack of the FEAL-8 Cryptosystem. In Advances in Cryptology, CRYPTO ’90, Santa Barbara, California, U.S.A. Lecture Notes in Computer Science 537, pp. 22–33, Springer-Verlag, Berlin, 1991.

[17] H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay. Decor-related Fast Cipher: an AES Candidate. (Extended Abstract.) In Proceedings from the First Advanced Encryption Standard Candidate Conference, National Institute of Standards and Technology (NIST), Ventura, California, U.S.A., August 1998.

[18] H. Gilbert, M. Girault, P. Hoogvorst, F. Noilhan, T. Pornin, G. Poupard, J. Stern, S. Vaudenay. Decor-related Fast Cipher: an AES Candidate. Submitted to the Advanced Encryption Standard process. In CD-ROM “AES CD-1: Documentation”, National Institute of Standards and Technology (NIST), August 1998.

[19] H. Gilbert, M. Minier. New Results on the Pseudorandomness of Some Blockcipher Constructions. In Fast Software Encryption ’01, Yokohama, Japan, Lecture Notes in Computer Science 2355, pp. 248–266, Springer-Verlag, Berlin, 2002.

[20] L. Granboulan, P. Nguyen, F. Noilhan, S. Vaudenay. DFCv2. In Selected Areas in Cryptography ’00, Waterloo, Ontario, Canada, Lecture Notes in Computer Science 2012, pp. 57–71, Springer-Verlag, Berlin, 2001.

[21] S. Halevi, H. Krawczyk. MMH: Software Message Authentication in the Gbit/second Rates. In Fast Software Encryption ’97, Haifa, Israel, Lecture Notes in Computer Science 1267, pp. 172–189, Springer-Verlag, Berlin, 1997.

[22] H. M. Heys. The Design of Substitution-Permutation Network Ciphers Resistant to Cryptanalysis, Ph.D.

Thesis of Queen’s University, Kingston, Ontario, Canada 1994.

[23] H. M. Heys, S. E. Tavares. Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis. Journal of Cryptology, vol. 9, pp. 1–19, 1996.

[24] T. Iwata, K. Kurosawa. On the Pseudorandomness of the AES Finalists—RC6 and Serpent. In Fast Software Encryption ’00, New York, U.S.A., Lecture Notes in Computer Science 1978, pp. 231–243, Springer-Verlag, Berlin, 2001.

[25] T. Iwata, T. Yoshino, T. Yuasa, K. Kurosawa. Round Security and Super-Pseudorandomness of MISTY Type Structure. In Fast Software Encryption ’01, Yokohama, Japan, Lecture Notes in Computer Science 2355, pp. 233–247, Springer-Verlag, Berlin, 2002.

[26] T. Jakobsen, L. R. Knudsen. The Interpolation Attack on Block Ciphers. In Fast Software Encryption

’97, Haifa, Israel, Lecture Notes in Computer Science 1267, pp. 28–40, Springer-Verlag, Berlin, 1997.

[27] P. Junod. On the Complexity of Matsui’s Attack. In Selected Areas in Cryptography ’01, Toronto, Ontario, Canada, Lecture Notes in Computer Science 2259, pp. 199-211, Springer-Verlag, Berlin, 2001.

[28] P. Junod, S. Vaudenay. Optimal Key Ranking Procedures in a Statistical Cryptanalysis. To appear in Fast Software Encryption ’03, Lund, Sweden, Lecture Notes in Computer Science, Springer-Verlag, Berlin.

[29] P. Junod. On the Optimality of Linear, Differential and Sequential Distinguishers. In Advances in Cryptol-ogy, EUROCRYPT ’03, Warsaw, Poland, Lecture Notes in Computer Science 2656, pp. 17–32, Springer-Verlag, Berlin, 2003.

[30] B. R. Kaliski Jr., M. J. B. Robshaw. Linear Cryptanalysis Using Multiple Approximations. In Advances in Cryptology, CRYPTO ’94, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 839, pp. 26–39, Springer-Verlag, Berlin, 1994.

[31] J.-S. Kang, S.-U. Shin, D. Hong, O. Yi. Provable Security of KASUMI and 3GPP Encryption Mode f8.

In Advances in Cryptology, ASIACRYPT ’00, Brisbane, Australia, Lecture Notes in Computer Science 2248, pp. 255–271, Springer-Verlag, Berlin, 2001.

[32] L. Keliher, H. Meijer, S. Tavares. New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In Advances in Cryptology, EUROCRYPT ’01, Innsbruck, Austria, Lecture Notes in Computer Science 2045, pp. 420–436, Springer-Verlag, Berlin, 2001.

[33] L. Keliher, H. Meijer, S. Tavares. Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael. In Selected Areas in Cryptography ’01, Toronto, Ontario, Canada, Lecture Notes in Computer Science 2259, pp. 112–128, Springer-Verlag, Berlin, 2001.

[34] A. Kerckhoffs. La Cryptographie Militaire, Librairie militaire de L. Baudouin & Cie., Paris 1883.

[35] L. R. Knudsen. Block Ciphers—Analysis, Design and Applications, Aarhus University 1994.

[36] X. Lai. On the Design and Security of Block Ciphers, ETH Series in Information Processing, vol. 1, Hartung-Gorre Verlag Konstanz, 1992.

[37] X. Lai, J. L. Massey, S. Murphy. Markov Ciphers and Differential Cryptanalysis. In Advances in Cryp-tology, EUROCRYPT ’91, Brighton, England, Lecture Notes in Computer Science 547, pp. 17–38, Springer-Verlag, Berlin, 1991.

[38] S. K. Langford, M. E. Hellman Differential-linear Cryptanalysis. In Advances in Cryptology, CRYPTO

’94, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 839, pp. 17–25, Springer-Verlag, Berlin, 1994.

[39] M. Luby, C. Rackoff. Pseudo-Random Permutation Generators and Cryptographic Composition. In Pro-ceedings of the 17th ACM Symposioum on Theory of Computing, Providence, Rhode Island, U.S.A., pp. 363–365, AMC Press, New York, 1985.

[40] M. Luby, C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions.

vol. 17, pp. 373–386, 1988.

[41] M. Matsui. Linear Cryptanalysis Methods for DES Cipher. In Advances in Cryptology, EUROCRYPT

’93, Lofthus, Norway, Lecture Notes in Computer Science 765, pp. 386–397, Springer-Verlag, Berlin, 1994.

[42] M. Matsui. The First Experimental Cryptanalysis of the Data Encryption Standard. In Advances in Cryptology, CRYPTO ’94, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 839, pp. 1–11, Springer-Verlag, Berlin, 1994.

[43] M. Matsui. New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis. In Fast Software Encryption’96, Cambrige, England, Lecture Notes in Computer Science 1039, pp. 205–218, Springer-Verlag, Berlin, 1996.

[44] M. Matsui. New Block Encryption Algorithm MISTY. In Fast Software Encryption ’97, Haifa, Israel, Lecture Notes in Computer Science 1267, pp. 54–68, Springer-Verlag, Berlin, 1997.

[45] U. M. Maurer, J. L. Massey. Cascade Ciphers: The Importance of Being First. Journal of Cryptology vol. 6, pp. 55–61, 1993.

[46] U. Maurer, K. Pietrzak. The Security of Many-Round Luby–Rackoff Pseudo-Random Permutations.

In Advances in Cryptology, Eurocrypt ’03, Warsaw, Poland, Lecture Notes in Computer Science 2656, pp. 544–561, Springer-Verlag, Berlin, 2003.

[47] S. Moriai, S. Vaudenay. On the Pseudorandomness of Top-Level Schemes of Block Ciphers. In Advances in Cryptology, ASIACRYPT ’00, Kyoto, Japan, Lecture Notes in Computer Science 1976, pp. 289–302, Springer-Verlag, Berlin, 2000.

[48] S. Murphy, F. Piper, M. Walker, P. Wild. Likelihood Estimation for Block Cipher Keys. Unpublished.

[49] M. Naor, O. Reingold. On the Construction of Pseudorandom Permutations: Luby–Rackoff Revisited.

Journal of Cryptology, vol. 12, pp. 29–66, 1999.

[50] K. Nyberg. Perfect Nonlinear S-Boxes. In Advances in Cryptology, EUROCRYPT ’91, Brighton, England, Lecture Notes in Computer Science 547, pp. 378–385, Springer-Verlag, Berlin, 1991.

[51] K. Nyberg, L. R. Knudsen. Provable Security against a Differential Cryptanalysis. In Advances in Cryptol-ogy, CRYPTO ’94, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 839, pp. 566–

574, Springer-Verlag, Berlin, 1994.

[52] K. Nyberg, L. R. Knudsen. Provable Security against a Differential Cryptanalysis. Journal of Cryptology, vol. 8, pp. 27–37, 1995.

[53] S. Park, S. H. Sung, S. Chee, E-J. Yoon, J. Lim On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis. In Advances in Cryptology, ASIACRYPT ’02, Queenstown, New Zealand, Lecture Notes in Computer Science 2501, pp. 176–191, Springer-Verlag, Berlin, 2002.

[54] S. Park, S. H. Sung, S. Lee, J. Lim. Improving the Upper Bound on the Maximum Differential and Max-imum Linear Hull Probability for SPN Structures and AES. To appear in Fast Software Encryption ’03, Lund, Sweden, Lecture Notes in Computer Science, Springer-Verlag, Berlin.

[55] J. Patarin. Etude des G´en´erateurs de Permutations Bas´es sur le Sch´ema du D.E.S., Th`ese de Doctorat de l’Universit´e de Paris 6, 1991.

[56] J. Patarin. About Feistel Schemes with Six (or More) Rounds. In Fast Software Encryption’98, Paris France, Lecture Notes in Computer Science 1372, pp. 103–121, Springer-Verlag, Berlin, 1998.

[57] G. Poupard, S. Vaudenay. Decorrelated Fast Cipher: an AES Candidate Well Suited for Low Cost Smart Cards Applications. In CARDIS ’98, Louvain-la-Neuve, Belgium, Lecture Notes in Computer Science 1820, pp. 254–264, Springer-Verlag, Berlin, 2000.

[58] A. R´enyi. Probability Theory, Elsevier, Amsterdam, 1970.

[59] C. E. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, vol. 28, pp. 656–715, 1949.

[60] A. Tardy-Corfdir, H. Gilbert. A Known Plaintext Attack of FEAL-4 and FEAL-6. In Advances in Cryptol-ogy, CRYPTO ’91, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 576, pp. 172–

181, Springer-Verlag, Berlin, 1992

[61] S. Vaudenay. La S´ecurit´e des Primitives Cryptographiques, Th`ese de Doctorat de l’Universit´e de Paris 7, Technical Report LIENS-95-10 of the Laboratoire d’Informatique de l’Ecole Normale Sup´erieure, 1995.

[62] S. Vaudenay. An Experiment on DES—Statistical Cryptanalysis. In Proceedings of the 3rd ACM Con-ference on Computer and Communications Security, New Delhi, India, pp. 139–147, ACM Press, New York, 1996.

[63] S. Vaudenay. A Cheap Paradigm for Block Cipher Security Strengthening. Technical Report LIENS-97-3, 1997.

[64] S. Vaudenay. Provable Security for Block Ciphers by Decorrelation. in STACS ’98 Paris, France, Lecture Notes in Computer Science 1373 pp. 249–275, Springer-Verlag, Berlin, 1998.

[65] S. Vaudenay. Feistel Ciphers with L2-Decorrelation. In Selected Areas in Cryptography ’98, Kingston, Ontario, Canada, Lecture Notes in Computer Science 1556, pp. 1–14, Springer-Verlag, Berlin, 1999.

[66] S. Vaudenay. The Decorrelation Technique Home-Page. URL: http://lasecwww.epfl.ch/

decorrelation.shtml

[67] S. Vaudenay. Resistance against General Iterated Attacks. In Advances in Cryptology, EUROCRYPT

’99, Prague, Czech Republic, Lecture Notes in Computer Science 1592, pp. 255–271, Springer-Verlag, Berlin, 1999.

[68] S. Vaudenay. On Provable Security for Conventional Cryptography. Invited talk. In Information Security and Cryptography ICISC ’99, Seoul, Korea, Lecture Notes in Computer Science 1787, pp. 1–16, Springer-Verlag, Berlin, 1999.

[69] S. Vaudenay. On the Lai–Massey Scheme. In Advances in Cryptology, ASIACRYPT ’99, Singapore, Lecture Notes in Computer Science 1716, pp. 8–19, Springer-Verlag, Berlin, 2000.

[70] S. Vaudenay. Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness. In Selected Areas in Cryptography ’99, Kingston, Ontario, Canada, Lecture Notes in Computer Science 1758, pp. 49–61, Springer-Verlag, Berlin, 2000.

[71] G. S. Vernam. Cipher Printing Telegraph Systems for Secret Wire and Radio Telegraphic communications.

Journal of the American Institute of Electrical Engineers, vol. 45, pp. 109–115, 1926.

[72] D. Wagner. The Boomerang Attack. In Fast Software Encryption ’99, Rome, Italy, Lecture Notes in Computer Science 1636, pp. 156–170, Springer-Verlag, Berlin, 1999.

[73] M. N. Wegman, J. L. Carter. New Hash Functions and Their Use in Authentication and Set Equality.

Journal of Computer and System Sciences, vol. 22, pp. 265–279, 1981.

In document Decorrelation: A Theory for Block Cipher Security (Page 30-38)