Multiple Linear Cryptanalysis Using Linear Statistics

2020 ◽  
pp. 369-406
Author(s):  
Jung-Keun Lee ◽  
Woo-Hwan Kim
Keyword(s):  
Linear Combination ◽  
Success Probability ◽  
Linear Cryptanalysis ◽  
Data Complexity ◽  
Linear Statistics ◽  
Extended Approach ◽  
Multiple Linear Cryptanalysis ◽  
New Framework

We propose an improved and extended approach of the multiple linear cryptanalysis presented by A. Biryukov et al. at CRYPTO 2004 that exploits dominant and statistically independent linear trails. While they presented only rank based attacks with success probability 1, we present threshold based attacks as well as rank based ones using newly introduced statistic that is a linear combination of the component statistics for the trails and is an approximation of the LLR statistic. The rank based Algorithm 1 style attack yields the same estimate for the gain with Biryukov et al.’s Algorithm 1 style attack. For each of the threshold based Algorithm 1 style and Algorithm 2 style attacks, we provide a formula for its advantage in terms of the correlations of the trails, the data complexity, and the success probability in case the aimed success probability is not 1. Combining the threshold based attacks with the rank based ones, we get attacks each of which has better estimates for the advantage compared to the threshold based one in case the aimed success probability is close to 1. We then extend the methods to get a new framework of multiple linear attacks exploiting close-to-dominant linear trails that may not be statistically independent. We apply the methods to full DES and get linear attacks using 4 linear trails with about the same or better complexity compared to those presented at ASIACRYPT 2017 that use 4 additional trails. With data complexity less than 241, the attack has better complexity than existing attacks on DES.

scholarly journals Separable Statistics and Multidimensional Linear Cryptanalysis

2018 ◽  
pp. 79-110
Author(s):  
Stian Fauskanger ◽  
Igor Semaev
Keyword(s):  
Critical Region ◽  
Time Complexity ◽  
Success Probability ◽  
Search Tree ◽  
Encryption Algorithm ◽  
Linear Cryptanalysis ◽  
Brute Force ◽  
New Ideas ◽  
Multidimensional Linear ◽  
Multidimensional Linear Cryptanalysis

Multidimensional linear cryptanalysis of block ciphers is improved in this work by introducing a number of new ideas. Firstly, formulae is given to compute approximate multidimensional distributions of the encryption algorithm internal bits. Conventional statistics like LLR (Logarithmic Likelihood Ratio) do not fit to work in Matsui’s Algorithm 2 for large dimension data, as the observation may depend on too many cipher key bits. So, secondly, a new statistic which reflects the structure of the cipher round is constructed instead. Thirdly, computing the statistic values that will fall into a critical region is presented as an optimisation problem for which an efficient algorithm is suggested. The algorithm works much faster than brute forcing all relevant key bits to compute the statistic. An attack for 16-round DES was implemented. We got an improvement over Matsui’s attack on DES in data and time complexity keeping success probability the same. With 241.81 plaintext blocks and success rate 0.83 (computed theoretically) we found 241.46 (which is close to the theoretically predicted number 241.81) key-candidates to 56-bit DES key. Search tree to compute the statistic values which fall into the critical region incorporated 245.45 nodes in the experiment and that is at least theoretically inferior in comparison with the final brute force. To get success probability 0.85, which is a fairer comparison to Matsui’s results, we would need 241.85 data and to brute force 241.85 key-candidates. That compares favourably with 243 achieved by Matsui.

scholarly journals Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis

2017 ◽  
pp. 162-191
Author(s):  
Céline Blondeau ◽  
Kaisa Nyberg
Keyword(s):  
Success Probability ◽  
Parameter Estimates ◽  
Linear Cryptanalysis ◽  
Test Statistic ◽  
Key Recovery ◽  
Sample Correlation ◽  
Mean And Variance ◽  
Multidimensional Linear ◽  
Linear Attack ◽  
Multidimensional Linear Cryptanalysis

Statistical attacks form an important class of attacks against block ciphers. By analyzing the distribution of the statistics involved in the attack, cryptanalysts aim at providing a good estimate of the data complexity of the attack. Recently multiple papers have drawn attention to how to improve the accuracy of the estimated success probability of linear key-recovery attacks. In particular, the effect of the key on the distribution of the sample correlation and capacity has been investigated and new statistical models developed. The major problem that remains open is how to obtain accurate estimates of the mean and variance of the correlation and capacity. In this paper, we start by presenting a solution for a linear approximation which has a linear hull comprising a number of strong linear characteristics. Then we generalize this approach to multiple and multidimensional linear cryptanalysis and derive estimates of the variance of the test statistic. Our simplest estimate can be computed given the number of the strong linear approximations involved in the offline analysis and the resulting estimate of the capacity. The results tested experimentally on SMALLPRESENT-[4] show the accuracy of the estimated variance is significantly improved. As an application we give more realistic estimates of the success probability of the multidimensional linear attack of Cho on 26 rounds of PRESENT.

Multiple differential-zero correlation linear cryptanalysis of reduced-round CAST-256

2017 ◽  
Vol 11 (2) ◽  
Author(s):  
Massoud Hadian Dehkordi ◽  
Roghayeh Taghizadeh
Keyword(s):  
Block Cipher ◽  
Advanced Encryption Standard ◽  
Linear Cryptanalysis ◽  
Data Complexity ◽  
Zero Correlation ◽  
Key Block ◽  
Symmetric Key ◽  
Linear Attack

AbstractCAST-256 (or CAST6) is a symmetric-key block cipher published in June 1998. It was submitted as a candidate for Advanced Encryption Standard (AES). In this paper, we will propose a new chosen text attack, the multiple differential-zero correlation linear attack, to analyze the CAST-256 block cipher. Our attack is the best-known attack on CAST-256 according to the number of rounds without the weak-key assumption. We first construct a 30-round differential-zero correlation linear distinguisher. Based on the distinguisher, we propose a first 33-round attack on CAST-256 with data complexity of

Sign in / Sign up

Export Citation Format

Share Document