Counting Active S-Boxes is not Enough

摘要

Inspired by the works of Nyberg and Knudsen, the wide trail strategy suggests to ensure that the number of active S-boxes in a differential characteristic or a linear approximation is sufficiently high, thus, offering security against differential and linear attacks. Many cipher designers are relying on this strategy, and most new designs include analysis based on counting the number of active S-boxes. Unfortunately, this analysis is not always accurate and needs to be performed in a very delicate manner. To counter the common approach, we give an example of a 4-round Feistel construction with a very large number of active S-boxes that is expected to resist differential and linear cryptanalysis. However, we show that S-box counting arguments are insufficient in cases where one can find many differential characteristics with the same input and output difference. Namely, we show for a "prov-ably" secure 128-bit block, 4-round Feistel with at least 36 active AES S-boxes, that one can construct differential characteristics with probability 2~(-118) much higher than the bound of 2~(-216). Even if we compare this 4-round Feistel construction to a random permutation we obtain a 10x factor in the probability of the characteristic.