Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks

We examine the diffusion layers of some block ciphers referred to as substitution-permutation networks. We investigate the practical and provable security of these diffusion layers against differential and linear cryptanalysis. First, in terms of practical security, we show that the minimum number of differentially active S-boxes and that of linearly active S-boxes are generally not identical and propose some special conditions in which those are identical. We also study the optimal diffusion effect for some diffusion layers according to their constraints. Second, we obtain the results that the consecutive two rounds of SPN structure provide provable security against differential and linear cryptanalysis, i.e., we prove that the probability of each differential (resp. linear hull) of the consecutive two rounds of SPN structure with a maximal diffusion layer is bounded by pⁿ (resp. qⁿ) and that of each differential (resp. linear hull) of the SDS function with a semi-maximal diffusion layer is bounded by p^n-1 (resp. q^n-1), where p and q are maximum differential and linear probabilities of the substitution layer, respectively.