Fast Computation of Large Distributions and Its Cryptographic Applications

Let $X_1, X_2, \ldots, X_k$ be independent $n$-bit random variables. If they have arbitrary distributions, we show how to compute distributions like $\Pr\{X_1 \oplus X_2 \oplus \cdots \oplus X_k\}$ and $\Pr\{X_1 \boxplus X_2 \boxplus \cdots \boxplus X_k\}$ in complexity $O(kn2^n)$. Furthermore, if $X_1, X_2, \ldots, X_k$ are uniformly distributed we demonstrate a large class of functions $F(X_1, X_2, \ldots, X_k)$ for which we can compute their distributions efficiently. These results have applications in linear cryptanalysis of stream ciphers as well as block ciphers. A typical example is the approximation obtained when additions modulo $2^n$ are replaced by bitwise addition. The efficiency of such an approach is given by the bias of a distribution of the above kind. As an example, we give a new improved distinguishing attack on the stream cipher SNOW 2.0.
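As an added illustration of the abstract's claims (this is example code written for this page, not the paper's own algorithms, which are not reproduced here), the following Python computes the distributions of $X_1 \oplus \cdots \oplus X_k$ and $X_1 \boxplus \cdots \boxplus X_k$ for independent $n$-bit variables with arbitrary distributions in $O(kn2^n)$ time by transform-domain convolution (a Walsh-Hadamard transform for $\oplus$, a cyclic FFT convolution for $\boxplus$), checks both against brute-force enumeration, and measures the bias of the noise $(X_1 \boxplus X_2) \oplus (X_1 \oplus X_2)$ that appears when modular addition is approximated by XOR for uniform inputs. The word size $n = 4$, the sample distributions, and the use of statistical distance as the bias measure are assumptions made for the example.

```python
# Added example (not the paper's code): distributions of X1 xor ... xor Xk and
# X1 (+) ... (+) Xk for independent n-bit variables in O(k n 2^n) time via
# transform-domain convolution, plus the bias of the xor-vs-modular-add noise.
import math
from fractions import Fraction
from itertools import product

N_BITS = 4            # assumed word size for the example
SIZE = 1 << N_BITS

def fwht(a):
    """Walsh-Hadamard transform in O(n 2^n) additions; exact on Fractions."""
    a = list(a)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a

def xor_sum_distribution(dists):
    """Pr{X1 xor ... xor Xk}: XOR-convolution is a pointwise product of WHT spectra."""
    size = len(dists[0])
    prod = [Fraction(1)] * size
    for d in dists:
        prod = [p * v for p, v in zip(prod, fwht(d))]
    return [v / size for v in fwht(prod)]     # inverse WHT = WHT / size

def fft(a, invert=False):
    """Iterative radix-2 FFT in O(n 2^n); floating-point spectrum of a."""
    a = [complex(x) for x in a]
    n = len(a)
    j = 0
    for i in range(1, n):                     # bit-reversal permutation
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:
        ang = 2 * math.pi / length * (-1 if invert else 1)
        wlen = complex(math.cos(ang), math.sin(ang))
        for i in range(0, n, length):
            w = complex(1.0)
            for k in range(length // 2):
                u, v = a[i + k], a[i + k + length // 2] * w
                a[i + k], a[i + k + length // 2] = u + v, u - v
                w *= wlen
        length <<= 1
    return [x / n for x in a] if invert else a

def mod_sum_distribution(dists):
    """Pr{X1 (+) ... (+) Xk} (addition mod 2^n): cyclic convolution via the FFT."""
    size = len(dists[0])
    prod = [complex(1.0)] * size
    for d in dists:
        prod = [p * v for p, v in zip(prod, fft(d))]
    return [v.real for v in fft(prod, invert=True)]

def brute_force_distribution(dists, combine):
    """Reference answer by enumerating all 2^(kn) inputs (exact Fractions)."""
    size = len(dists[0])
    result = [Fraction(0)] * size
    for xs in product(range(size), repeat=len(dists)):
        p, z = Fraction(1), 0
        for d, x in zip(dists, xs):
            p *= d[x]
            z = combine(z, x)
        result[z] += p
    return result

def carry_noise_distribution(n_bits):
    """Distribution of N = (X1 (+) X2) xor X1 xor X2 for uniform X1, X2: the error
    of replacing modular addition by xor (enumeration over all 2^(2n) pairs)."""
    size = 1 << n_bits
    counts = [0] * size
    for x1 in range(size):
        for x2 in range(size):
            counts[((x1 + x2) % size) ^ x1 ^ x2] += 1
    return [Fraction(c, size * size) for c in counts]

def bias_from_uniform(dist):
    """Bias as statistical distance (1/2) * sum |p(z) - 2^-n| (assumed measure)."""
    u = Fraction(1, len(dist))
    return sum(abs(Fraction(p) - u) for p in dist) / 2

def _normalise(weights):
    total = sum(weights)
    return [Fraction(w, total) for w in weights]

# Constructed, non-uniform sample distributions over 4-bit values.
SAMPLE_DISTS = [
    _normalise([5, 1, 1, 1, 3, 0, 2, 2, 1, 1, 1, 4, 0, 0, 1, 1]),
    _normalise([1, 2, 3, 4, 5, 6, 7, 8, 8, 7, 6, 5, 4, 3, 2, 1]),
    _normalise([9, 0, 0, 0, 1, 1, 1, 1, 0, 0, 2, 2, 0, 0, 3, 3]),
]

if __name__ == "__main__":
    print("xor sum :", [float(p) for p in xor_sum_distribution(SAMPLE_DISTS)])
    print("mod sum :", [round(p, 6) for p in mod_sum_distribution(SAMPLE_DISTS)])
    print("noise bias:", bias_from_uniform(carry_noise_distribution(N_BITS)))
```

Each transform costs $O(n2^n)$ and $k$ of them are taken, which gives the $O(kn2^n)$ bound from the abstract; the brute-force reference is $O(2^{kn})$ and is only there to confirm the transform results. For the noise distribution, bit 0 is always zero (no carry enters the lowest bit) and, for $n = 4$, the all-zero value has probability $(3/4)^3 = 27/64$, so the distribution is far from uniform; it is this bias that a linear approximation of modular addition exploits.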
