Linear hulls with correlation zero and linear cryptanalysis of block ciphers

Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity $2^{n-1}$ is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using the zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.
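To make "correlation of exactly zero" concrete for the balanced Feistel case, here is an added example (not code from the paper) that measures correlation by plain exhaustive counting, which is not the paper's algorithm. Assumptions made here: a constructed 8-bit toy Feistel with a bijective round function, and the 5-round mask pair (0, a) -> (a, 0), chosen by the standard mask-propagation argument, which goes beyond what the abstract states.

```python
import random

# Constructed toy cipher: 8-bit balanced Feistel, two 4-bit halves.
# SBOX is a 4-bit bijection (the PRESENT S-box values); any bijection works.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(v):
    return bin(v).count("1") & 1

def feistel(x, round_keys):
    """One round maps (L, R) to (R, L ^ S(R ^ k)); F is bijective because S is."""
    left, right = x >> 4, x & 0xF
    for k in round_keys:
        left, right = right, left ^ SBOX[right ^ k]
    return (left << 4) | right

def correlation(in_mask, out_mask, round_keys):
    """Exact correlation 2*Pr[in_mask.x = out_mask.E(x)] - 1 over all 2^8 inputs."""
    agree = sum(parity(in_mask & x) == parity(out_mask & feistel(x, round_keys))
                for x in range(256))
    return 2 * agree / 256 - 1

def max_abs_correlation(rounds, trials=20, seed=1):
    """Largest |correlation| of (0, a) -> (a, 0) over all a != 0 and random keys."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        keys = [rng.randrange(16) for _ in range(rounds)]
        for a in range(1, 16):
            worst = max(worst, abs(correlation(a, a << 4, keys)))
    return worst

if __name__ == "__main__":
    for r in (1, 5):
        print(f"{r} round(s): max |correlation| = {max_abs_correlation(r)}")
```

Over one round the approximation holds with correlation 1, while over five rounds it is exactly 0 for every key, because each linear trail between the two masks passes through the bijective round function with exactly one of its input and output masks equal to zero.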
