A New Criterion for Nonlinearity of Block Ciphers

  • Orr Dunkelman
  • Nathan Keller
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


For years, the cryptographic community has searched for good nonlinear functions. Bent functions, almost perfect nonlinear functions, and similar constructions have been suggested as a good base for cryptographic applications due to their highly nonlinear nature. In the first part of this paper we study these functions as block ciphers, and present several distinguishers between almost perfect nonlinear permutations and random permutations. The data complexity of the best distinguisher is O(2^{n/3}) and its time complexity is O(2^{2n/3}) for an n-bit block size, independent of the key size.
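The property the abstract refers to, "almost perfect nonlinear" (APN), means that every nonzero input difference maps to every output difference at most twice; the following added Python example (not code from the paper) computes that differential uniformity for a small S-box, using the power mapping x^3 over GF(2^3) with the constructed modulus x^3 + x + 1 as a known APN permutation and the identity map as a linear counterexample:

```python
# Compute the differential uniformity of a small S-box, i.e. the largest entry
# of its difference distribution table over all nonzero input differences.
# A permutation on n bits cannot go below 2; those reaching 2 are exactly APN.

def gf_mul(x, y, n, poly):
    """Multiply x*y in GF(2^n) modulo the irreducible polynomial `poly`."""
    r = 0
    for _ in range(n):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> n:          # overflow past degree n-1: reduce by the modulus
            x ^= poly
    return r

def cube_sbox(n, poly):
    """Lookup table of the power mapping x -> x^3 over GF(2^n)."""
    return [gf_mul(gf_mul(x, x, n, poly), x, n, poly) for x in range(1 << n)]

def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))

def differential_uniformity(sbox):
    """Max over a != 0 and all b of #{x : S(x) ^ S(x ^ a) == b}."""
    size = len(sbox)
    best = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

def is_apn(sbox):
    return differential_uniformity(sbox) == 2

if __name__ == "__main__":
    # Constructed sample field: GF(2^3) with modulus x^3 + x + 1 (0b1011).
    s = cube_sbox(3, 0b1011)
    print("x^3 over GF(2^3):", s, "permutation:", is_permutation(s), "APN:", is_apn(s))
    # The identity map is linear: for every a, the output difference is always a,
    # so one DDT entry holds all 2^n inputs (differential uniformity 2^n).
    print("identity:", differential_uniformity(list(range(8))))
```

The same routine distinguishes the two cases the abstract contrasts in miniature: an APN permutation has a flat difference distribution table (all entries 0 or 2), while a structured linear map concentrates every input difference on a single output difference.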

In the second part of the paper we suggest a criterion to measure the effective linearity of a given block cipher. We devise a distinguisher for general block ciphers based on their effective linearity. Finally, we show that for several constructions, our distinguishing attack is better than previously known techniques.


Keywords: almost perfect nonlinear permutations, highly nonlinear functions, effective linearity, differential cryptanalysis




Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Orr Dunkelman, Computer Science Department, Technion, Haifa, Israel
  • Nathan Keller, Einstein Institute of Mathematics, Hebrew University, Jerusalem, Israel