We propose a differential attack on tree-structured substitution-permutation networks. The number of chosen plaintexts required for the differential attack to succeed is called the complexity. Our main result is to show that the expected complexity of the attack is linear in the size of the network. This is the first rigorous result concerning the complexity of a differential attack for a general class of product ciphers.
展开▼