How can I calculate the minimum number of active s_boxes for block cipher algorithms such as the PRESENT algorithm? I have read in that, but I couldn't understand the meaning of branch number.
1 Answer
The PRESENT cipher is a bit-based permutation cipher. The branch number is calculated based on the minimum Hamming weight sum of input and output in the difference distribution table (DDT) or linearity approximation table (LAT) of the S-box. In the case of the PRESENT cipher's 4-bit S-box, the differential branch number (BR) is 3.
To apply the differential BR to the whole PRESENT cipher, I advise you to apply mixed integer linear programming. This link contains the MILP model of different ciphers, including PRESENT, in Sage; you can start from here.

hardyrama
-
Thank you. I want to understand the meaning of active s_boxes and how I can calculate it manually. As I read here, it can be measured by running the algorithm with two plaintexts which differ in just a few bits, and then if an s_box results in a different output, that means it is an active s_box? That is what I want to understand. – Maha Ibrahim Jul 25 '18 at 18:20
-
Manual calculation of the number of active S-boxes will be a mathematical proof. I recommend you start with the AES cipher for a fundamental understanding of the branch number of an MDS matrix (note the active S-box is calculated based on bytes/cells, unlike the PRESENT cipher, where the S-box is activated even with a one-bit input). – hardyrama Jul 27 '18 at 05:13
-
An active S-box in differential BR means a non-zero difference input to the S-box. Overall, you need to find the trail over n rounds that contains the minimum number of active S-boxes. In the PRESENT cipher the differential trail over 5 rounds is like: 2-1-1-3-3 (10 active S-boxes in total). – hardyrama Jul 27 '18 at 05:29
-
Yes, that is what I am asking about. If I want to calculate the number of active s_boxes by finding the trail over n rounds, like your example for PRESENT, how did you do this calculation and find the number of active s_boxes after each round (2_1_1_3_3)? That is what I am trying to do, but what difference should I notice to say that it is an active s_box? Should I run the PRESENT algorithm with two different plaintexts, with just a few bits different, and look at the output of the s_box? – Maha Ibrahim Jul 27 '18 at 14:14
-
The differential number of active s_boxes after 2_4_6__8 rounds, calculated such as in that paper https://dl.acm.org/citation.cfm?id=2659662&dl=ACM&coll=DL. That is what I am trying to understand, and thank you very much. – Maha Ibrahim Jul 27 '18 at 14:32
-
"how did you do this calculation and found the number of active s_boxes after each round(2_1_1_3_3)" I used mixed integer linear programming. I suggest you develop C code that iterates over two non-zero difference S-boxes and prints out 0 (not an active S-box) or 1 (active S-box) over 5 rounds. This is time-expensive but at least will give you an understanding of active S-box propagation. – hardyrama Jul 28 '18 at 03:45
-
"Differential number of active s_boxes after 2_4_6__8 rounds?" The propagation trails do not have to be the same between, for example, 8 and 10 rounds. In the end we are looking for the minimum number of active S-boxes for each round respectively. – hardyrama Jul 28 '18 at 03:50
-
My mistake above; the 5-round trail is 2-1-1-2-4. ∆ = 0000000000007070 → 000000000000000A → 0001000000000000 → 0000000010001000 → 0000000000880088 – hardyrama Jul 28 '18 at 03:56
-
I am studying mixed integer linear programming as you suggested, thanks a lot. – Maha Ibrahim Jul 28 '18 at 15:50
-
I am studying mixed integer linear programming as you suggested, from the paper "Differential and linear cryptanalysis using mixed integer linear programming", and I learned a great deal of information, thanks a lot. I am now trying to run the example programs in the link you provided. The extension of the files is .sage; which program should I download to run them? ILOG CPLEX Optimization Studio? – Maha Ibrahim Jul 28 '18 at 15:56
-
Let us continue this discussion in chat. – Maha Ibrahim Jul 28 '18 at 16:05
-
The link you referred to does not exist anymore – hola Dec 22 '18 at 01:22
-
Can you update the link that contains the MILP model of different ciphers? @hardyrama – NB_1907 Jan 13 '22 at 11:37
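
To make the terms in the answer and comments concrete, here is an added example (not code from the thread or from the missing link) that computes the differential branch number of the PRESENT S-box from its DDT and checks the 5-round trail quoted in the comments, counting active S-boxes per round. It assumes the PRESENT specification's bit numbering (bit 0 is the least significant, pLayer moves bit i to 16·i mod 63); the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* PRESENT 4-bit S-box (from the cipher specification) */
static const uint8_t S[16] = {0xC,5,6,0xB,9,0,0xA,0xD,3,0xE,0xF,8,4,7,1,2};
/* S-layer input differences of rounds 1..5, as given in the comment thread */
const uint64_t TRAIL[5] = {0x7070ULL, 0xAULL, 0x0001000000000000ULL, 0x10001000ULL, 0x00880088ULL};

static int wt4(unsigned v) { return (v & 1) + (v >> 1 & 1) + (v >> 2 & 1) + (v >> 3 & 1); }
/* DDT entry: number of inputs x with S[x] ^ S[x ^ a] == b */
static int ddt(unsigned a, unsigned b) {
    int n = 0;
    for (unsigned x = 0; x < 16; x++) n += (unsigned)(S[x] ^ S[x ^ a]) == b;
    return n;
}
/* Differential branch number: min wt(a) + wt(b) over possible nonzero transitions a -> b */
int sbox_branch_number(void) {
    int best = 8;
    for (unsigned a = 1; a < 16; a++)
        for (unsigned b = 1; b < 16; b++)
            if (ddt(a, b) && wt4(a) + wt4(b) < best) best = wt4(a) + wt4(b);
    return best;
}
/* Inverse pLayer: output bit j of pLayer came from input bit 4*j mod 63 (bit 63 is fixed) */
uint64_t inv_player(uint64_t s) {
    uint64_t r = s & (1ULL << 63);
    for (int j = 0; j < 63; j++) r |= ((s >> j) & 1ULL) << ((4 * j) % 63);
    return r;
}
/* An S-box is active when its 4-bit input difference is non-zero */
int active_sboxes(uint64_t d) {
    int n = 0;
    for (int i = 0; i < 16; i++) n += ((d >> (4 * i)) & 0xF) != 0;
    return n;
}
/* Total active S-boxes along a trail, or -1 if any S-box transition has DDT entry 0 */
int trail_active(const uint64_t *t, int rounds) {
    int total = active_sboxes(t[0]);
    for (int r = 1; r < rounds; r++) {
        uint64_t out = inv_player(t[r]);   /* S-layer output difference of the previous round */
        for (int i = 0; i < 16; i++)
            if (!ddt((t[r - 1] >> (4 * i)) & 0xF, (out >> (4 * i)) & 0xF)) return -1;
        total += active_sboxes(t[r]);
    }
    return total;
}
int main(void) {
    printf("branch number %d, active S-boxes in trail %d\n", sbox_branch_number(), trail_active(TRAIL, 5));
    return 0;
}
```

This only verifies that one given trail is possible and counts its active S-boxes; proving that no trail has fewer still requires a search such as the MILP approach recommended in the answer.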