Title: How to search linear approximation for large non-surjective S-box
Authors: Yue Sun, Meiqin Wang, Qiumei Sun
DOI: 10.1145/1966913.1966979 (https://doi.org/10.1145/1966913.1966979)
Publication date: 2011-03-22
Venue (as listed in the record): Asia CCS '22 : proceedings of the 2022 ACM Asia Conference on Computer and Communications Security : May 30-June 3, 2022, Nagasaki, Japan. ACM Asia Conference on Computer and Communications Security (17th : 2022 : Nagasaki-shi, Japan ; ...
Publication type: Journal Article
Citation count: 3
Platform: Semantic Scholar
Abstract
Linear cryptanalysis is a general form of cryptanalysis based on identifying linear approximations of a cipher. It is one of the two most widely used attacks on block ciphers. In order to resist differential cryptanalysis, S-boxes with a large number of output bits are used in block ciphers; for example, CAST-128 and CAST-256 use 8 × 32 S-boxes. In addition, such S-boxes are often constructed from bent functions to resist linear cryptanalysis, and they are non-surjective mappings. Therefore, for a large non-surjective S-box, identifying the best linear approximation with zero input mask and nonzero output mask is difficult because of the unacceptable computation time. In this paper, we give an efficient computing method that finds such best linear approximations for large non-surjective S-boxes in practical time using parallel computation. This method can help estimate the resistance of block ciphers with this kind of S-box against certain forms of linear cryptanalysis.