Toward the True Random Cipher: On Expected Linear Probability Values for SPNS with Randomly Selected S-Boxes

TLDR: If the substitution components of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased, giving quantitative support to the claim that the SPN structure is a practical approximation of thetrue random cipher.

Abstract: A block cipher, which is an important cryptographic primitive, is a bijective mapping from {0, 1} N to {0,1} N (N is called the block size), parameterized by a key. In the true random cipher, each key results in a distinct mapping, and every mapping is realized by some key—this is generally taken to be the ideal cipher model. This chapter considers a fundamental block cipher architecture called a substitution-permutation network (SPN). Specifically, expected linear probability (ELP) values for SPNs, which are the basis for a powerful attack called linear cryptanalysis, are investigated. It is shown that if the substitution components (s-boxes) of an SPN are randomly selected, then the expected value of any ELP entry converges to the corresponding value for the true random cipher, as the number of encryption rounds is increased. This gives quantitative support to the claim that the SPN structure is a practical approximation of the true random cipher.