Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

2008 ◽  
pp. 382-397 ◽  
Author(s):  
Baydoin Collard ◽  
François-Xavier Standaert ◽  
Jean-Jacques Quisquater
Keyword(s):  
Linear Cryptanalysis ◽  
Multiple Linear Cryptanalysis

Multiple Linear Cryptanalysis Using Linear Statistics

2020 ◽  
pp. 369-406
Author(s):  
Jung-Keun Lee ◽  
Woo-Hwan Kim
Keyword(s):  
Linear Combination ◽  
Success Probability ◽  
Linear Cryptanalysis ◽  
Data Complexity ◽  
Linear Statistics ◽  
Extended Approach ◽  
Multiple Linear Cryptanalysis ◽  
New Framework

We propose an improved and extended approach of the multiple linear cryptanalysis presented by A. Biryukov et al. at CRYPTO 2004 that exploits dominant and statistically independent linear trails. While they presented only rank based attacks with success probability 1, we present threshold based attacks as well as rank based ones using newly introduced statistic that is a linear combination of the component statistics for the trails and is an approximation of the LLR statistic. The rank based Algorithm 1 style attack yields the same estimate for the gain with Biryukov et al.’s Algorithm 1 style attack. For each of the threshold based Algorithm 1 style and Algorithm 2 style attacks, we provide a formula for its advantage in terms of the correlations of the trails, the data complexity, and the success probability in case the aimed success probability is not 1. Combining the threshold based attacks with the rank based ones, we get attacks each of which has better estimates for the advantage compared to the threshold based one in case the aimed success probability is close to 1. We then extend the methods to get a new framework of multiple linear attacks exploiting close-to-dominant linear trails that may not be statistically independent. We apply the methods to full DES and get linear attacks using 4 linear trails with about the same or better complexity compared to those presented at ASIACRYPT 2017 that use 4 additional trails. With data complexity less than 241, the attack has better complexity than existing attacks on DES.

Results of Linear Cryptanalysis Using Linear Sieve Methods

2009 ◽  
Vol E92-A (5) ◽  
pp. 1347-1355
Author(s):  
Yukiyasu TSUNOO ◽  
Hiroki NAKASHIMA ◽  
Hiroyasu KUBO ◽  
Teruo SAITO ◽  
Takeshi KAWABATA
Keyword(s):  
Linear Cryptanalysis ◽  
Sieve Methods

Immunity of Lightweight DES Algorithm (DESL) Against Linear Cryptanalysis Attack

2019 ◽  
Vol 28 (1) ◽  
pp. 381-387
Author(s):  
Bassam Aboshsha ◽  
Mohamed Dessouky ◽  
Rabie Ramadan ◽  
Ayman EL-SAYED
Keyword(s):  
Linear Cryptanalysis

Zero-Correlation Linear Cryptanalysis of Reduced-Round SIMON

2015 ◽  
Vol 30 (6) ◽  
pp. 1358-1369 ◽  
Author(s):  
Xiao-Li Yu ◽  
Wen-Ling Wu ◽  
Zhen-Qing Shi ◽  
Jian Zhang ◽  
Lei Zhang ◽  
...  
Keyword(s):  
Linear Cryptanalysis ◽  
Zero Correlation

scholarly journals Crypto-Archaeology: unearthing design methodology of DES s-boxes

2017 ◽  
Author(s):  
Sankhanil Dey ◽  
Ranjan Ghosh
Keyword(s):  
Boolean Function ◽  
Boolean Functions ◽  
Design Methodology ◽  
Block Cipher ◽  
Block Ciphers ◽  
Public Domain ◽  
Differential Cryptanalysis ◽  
Linear Cryptanalysis ◽  
Strict Avalanche Criterion ◽  
Independence Criterion

US defence sponsored the DES program in 1974 and released it in 1977. It remained as a well-known and well accepted block cipher until 1998. Thirty-two 4-bit DES S-Boxes are grouped in eight each with four and are put in public domain without any mention of their design methodology. S-Boxes, 4-bit, 8-bit or 32-bit, find a permanent seat in all future block ciphers. In this paper, while looking into the design methodology of DES S-Boxes, we find that S-Boxes have 128 balanced and non-linear Boolean Functions, of which 102 used once, while 13 used twice and 92 of 102 satisfy the Boolean Function-level Strict Avalanche Criterion. All the S-Boxes satisfy the Bit Independence Criterion. Their Differential Cryptanalysis exhibits better results than the Linear Cryptanalysis. However, no S-Boxes satisfy the S-Box-level SAC analyses. It seems that the designer emphasized satisfaction of Boolean-Function-level SAC and S-Box-level BIC and DC, not the S-Box-level LC and SAC.

scholarly journals Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

Cybersecurity ◽  
2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Wenqin Cao ◽  
Wentao Zhang
Keyword(s):  
Time Complexity ◽  
Block Ciphers ◽  
Linear Cryptanalysis ◽  
Compression Technique ◽  
Key Recovery ◽  
Linear Approximations ◽  
Theoretical Advantage ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis ◽  
Key Recovery Attacks

AbstractFor block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 260.4 distinct known plaintexts, 278.85 time complexity and 261 bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 261.5 distinct known plaintexts, 2126.15 time complexity and 261 bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.

Sign in / Sign up

Export Citation Format

Share Document