By Antoine Joux (auth.), Eli Biham (eds.)

This book constitutes the refereed proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2003, held in Warsaw, Poland in May 2003.

The 37 revised full papers presented together with invited papers were carefully reviewed and selected from 156 submissions. The papers are organized in topical sections on cryptanalysis, secure multi-party communication, zero-knowledge protocols, foundations and complexity-theoretic security, public key encryption, new primitives, elliptic curve cryptography, digital signatures, information-theoretic cryptography, and group signatures.

N} : u ≥ n · 1 + 2 2 (9)

Using a precise version of Chernoff’s theorem 1, we can bound the advantage of the best linear distinguisher as follows (see [14] for a detailed proof):

Theorem 3. Let m be the block size of the involved permutations. For any distinguisher in the model of Algorithm 1,

$$1 - \frac{n+1}{2^{n\nu-1}} \;\le\; \mathrm{BestAdv}^{n}_{\delta_{\mathrm{lin}}}(C, C^{*}) \;\le\; 1 - \frac{1}{(n+1)\cdot 2^{n\nu-1}} \qquad (10)$$

where $\nu = C(D_0, D_1)$ is the Chernoff information between $D_0$, a binary distribution having a bias equal to max{ 1/(2^m − 1), } such that ELP^C(a, b) = 4 2, and the uniform binary distribution $D_1$.

For this purpose, one defines a so-called decision rule, which is a function δ : X → {0, 1} taking a sample of X as input and defining what should be the guess for each possible x ∈ X . Associated to this decision rule are two different types of error probabilities: α PrX0 [δ(x) = 1] and β PrX1 [δ(x) = 0]. e. A ∪ A = X ; A is called the acceptance region of δ. e. which gives the optimal decision region A. Lemma 1 (Neyman-Pearson). Let X be a random variable drawn according to a probability distribution D and let be the decision problem corresponding to hypotheses X ← D0 and X ← D1 .

A. Rice, Mathematical statistics and data analysis, Duxbury Press, 1995.
27. D. Siegmund, Sequential analysis – tests and confidence intervals, Springer-Verlag, 1985.
28. S. ch.
29. , An experiment on DES statistical cryptanalysis, 3rd ACM Conference on Computer and Communications Security, ACM Press, 1996, pp. 139–147.
30. , Resistance against general iterated attacks, Advances in Cryptology – EUROCRYPT’99, LNCS, vol. 1592, Springer-Verlag, 1999, pp. 255–271.

A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Alex Biryukov, Christophe De Cannière, An Braeken, and Bart Preneel
Katholieke Universiteit Leuven, Dept.

