How Much Can Complexity of Linear Cryptanalysis Be Reduced?

Linear cryptanalysis, proposed by Matsui, is one of the most effective attacks on block ciphers, and he demonstrated an experimental cryptanalysis of DES at CRYPTO 1994. In this paper we show how to optimize linear cryptanalysis on modern microprocessors. Two methods of implementing linear cryptanalysis are currently in use: Method 1 reduces the time complexity by reducing the number of round-function computations, and Method 2 applies the fast Fourier transform (FFT). We implement both methods, optimized for modern microprocessors, and compare their computation times in order to determine which method is more appropriate for practical cryptanalysis. The comparative experiments show that the fastest implementation depends on the number of given known plaintexts (KPs) and on the number of guessed key bits. These results clarify the criteria for selecting the method with which to implement linear cryptanalysis. Taking the experimental results into account, we implement linear cryptanalysis on FEAL-8X. In 2014, Biham and Carmeli showed an implementation of linear cryptanalysis that recovers the secret key with \(2^{14}\) KPs. Our implementation breaks FEAL-8X with \(2^{12}\) KPs and is the best attack on FEAL-8X in terms of data complexity.
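As an added illustration of the two approaches the abstract contrasts (this is not code from the paper): the Algorithm 2 key counters for an XOR-ed partial key are computed once directly over the aggregated ciphertext table and once through the Walsh-Hadamard transform, the FFT over GF(2)^n that Method 2 relies on. The round-function bit f, the 8-bit key width, the secret key and the sample generator are constructed toy stand-ins, not FEAL or DES.

```python
import random
N_BITS = 8                      # guessed partial-key width (toy size, constructed)
SIZE = 1 << N_BITS

def f(y):
    # Toy round-function output bit (constructed): the quadratic bent function
    # y0y1 ^ y2y3 ^ y4y5 ^ y6y7, chosen so wrong keys give near-zero counters.
    return bin(y & (y >> 1) & 0x55).count("1") & 1

def aggregate(samples):
    # Counting trick: collapse all KPs into one signed count per partial
    # ciphertext value x, N[x] = #(parity 0) - #(parity 1).
    n = [0] * SIZE
    for x, parity in samples:
        n[x] += 1 - 2 * parity
    return n

def counters_naive(n):
    # Direct evaluation over the aggregated table: C[k] = sum_x N[x] * (-1)^f(x ^ k),
    # which still costs 2^(2n) calls to f.
    return [sum(n[x] * (1 - 2 * f(x ^ k)) for x in range(SIZE)) for k in range(SIZE)]

def wht(v):
    # Fast Walsh-Hadamard transform: the FFT over (Z/2)^n, O(n 2^n) additions.
    v, h = list(v), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def counters_wht(n):
    # Method 2: C is the XOR-convolution of N with g(y) = (-1)^f(y), so
    # C = WHT(WHT(N) * WHT(g)) / 2^n; every division below is exact.
    g = [1 - 2 * f(y) for y in range(SIZE)]
    prod = [a * b for a, b in zip(wht(n), wht(g))]
    return [c // SIZE for c in wht(prod)]

def make_samples(true_key, count, bias=0.25, seed=1):
    # Constructed KPs: the plaintext-side parity of the approximation agrees
    # with f(x ^ true_key) with probability 1/2 + bias.
    rng = random.Random(seed)
    xs = [rng.randrange(SIZE) for _ in range(count)]
    return [(x, f(x ^ true_key) ^ int(rng.random() >= 0.5 + bias)) for x in xs]

def recover_key(counters):
    # Algorithm 2 decision rule: the guess with the largest |counter|.
    return max(range(SIZE), key=lambda k: abs(counters[k]))

TRUE_KEY = 0x6B                 # constructed secret for the demonstration
COUNTERS = counters_wht(aggregate(make_samples(TRUE_KEY, 1 << 12)))
```

Both routines return identical counters; only their cost differs, which is exactly the trade-off the paper measures against the number of KPs and guessed key bits.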
