Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES Sangwoo Park 1 , Soo Hak Sung 2 , Sangjin Lee 3 , and Jongin Lim 3 1 National Security Research Institute, Korea psw@etri.re.kr 2 Department of Applied Mathematics Pai Chai University, Korea sungsh@woonam.paichai.ac.kr 3 Center for Information Security Technologies(CIST) Korea University, Korea {sangjin,jilim}@cist.korea.ac.kr Abstract. We present a new method for upper bounding the maxi- mum differential probability and the maximum linear hull probability for 2 rounds of SPN structures. Our upper bound can be computed for any value of the branch number of the linear transformation and by in- corporating the distribution of differential probability values and linear probability values for S-box. On application to AES, we obtain that the maximum differential probability and the maximum linear hull probabil- ity for 4 rounds of AES are bounded by 1.144 × 2 -111 and 1.075 × 2 -106 , respectively. 1 Introduction Differential cryptanalysis [2] and linear cryptanalysis [12] are the most well- known methods of analysing the security of block ciphers. Accordingly, the de- signer of block ciphers should evaluate the security of any proposed block cipher against differential cryptanalysis and linear cryptanalysis and prove that it is sufficiently invulnerable against them. SPN(Substitution and Permutation Network) structure is one of the most commonly used structure in block ciphers. SPN structure is based on Shannon’s principles of confusion and diffusion [3] and these principles are implemented through the use of substitution and linear transformation, respectively. AES [6, 14], Crypton [11], and Square [5] are block ciphers composed of SPN structures. The security of SPN structures against differential cryptanalysis and linear cryptanalysis depends on the maximum differential probability and the maxi- mum linear hull probability. Hong et al. proved the upper bound on the maxi- mum differential and the maximum linear hull probability for 2 rounds of SPN structures with highly diffusive linear transformation [7]. Kang et al. generalized their result for any value of the branch number of the linear transformation [8]. In [10], Keliher et al. proposed a method for finding the upper bound on the maximum average linear hull probability for SPN structures. Application of T. Johansson (Ed.): FSE 2003, LNCS 2887, pp. 247–260, 2003. c  International Association for Cryptologic Research 2003