Provable security of block ciphers against linear cryptanalysis: a mission impossible?

In this paper, we are concerned with the security of block ciphers against linear cryptanalysis and discuss the distance between the so-called practical security approach and the actual theoretical security provided by a given cipher. For this purpose, we present a number of illustrative experiments performed against small (i.e. computationally tractable) ciphers. We compare the linear probability of the best linear characteristic with the actual best linear probability (averaged over all keys). We also test the key equivalence hypothesis. Our experiments illustrate both that present design strategies do not achieve provable security against linear cryptanalysis and that the practical security approach remains relevant. Finally, we discuss the (im)possibility of deriving actual design criteria from the intuitions highlighted by these experiments.
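The two quantities the abstract compares can be measured exactly on a toy cipher. The following is an added illustration, not code from the paper or its authors: on a small SPN it computes the linear probability of the best linear characteristic (the best single trail under the piling-up lemma), the best linear probability averaged over sampled keys (the linear hull, measured exhaustively over all plaintexts for each fixed key), and the spread of the fixed-key value at that mask pair, which is what the key equivalence hypothesis is about. Assumptions made here: an 8-bit block, the PRESENT 4-bit S-box, a bit permutation chosen for this example, three rounds, and four independent uniformly random 8-bit round keys; the paper's own ciphers, sizes and statistical tests are not reproduced.

```python
"""Best linear trail vs. key-averaged linear hull on a toy SPN (added
illustration; assumptions: 8-bit block, PRESENT S-box, permutation
P(i) = 2i mod 7 with P(7) = 7, three rounds, independent round keys)."""
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUNDS = 3
N = 8                                                    # block size in bits
PERM = [(2 * i) % 7 if i < 7 else 7 for i in range(N)]   # bit i moves to bit PERM[i]

def parity(x):
    return bin(x).count("1") & 1

# G[u] is the bit-vector over all plaintexts x of the parity u.x (key independent)
G = [sum(parity(u & x) << x for x in range(1 << N)) for u in range(1 << N)]

def permute(x):
    return sum(((x >> i) & 1) << PERM[i] for i in range(N))

def inv_permute_mask(v):
    # a mask v on the permutation output pulls back to bit i = bit PERM[i] of v
    return sum(((v >> PERM[i]) & 1) << i for i in range(N))

def sbox_layer(x):
    return SBOX[x & 0xF] | (SBOX[x >> 4] << 4)

def encrypt(x, keys):
    """ROUNDS rounds of key addition, S-box layer, bit permutation, then whitening."""
    for r in range(ROUNDS):
        x = permute(sbox_layer(x ^ keys[r]))
    return x ^ keys[ROUNDS]

# Linear approximation table of the S-box, scaled to correlations in [-1, 1]
LAT = [[sum((-1) ** parity((a & x) ^ (b & SBOX[x])) for x in range(16)) / 16
        for b in range(16)] for a in range(16)]

def round_corr(a, b):
    """Correlation of one keyless round, input mask a to output mask b: the two
    S-box correlations multiply (piling-up); key addition only flips the sign."""
    bp = inv_permute_mask(b)
    return LAT[a & 0xF][bp & 0xF] * LAT[a >> 4][bp >> 4]

RC = [[abs(round_corr(a, b)) for b in range(1 << N)] for a in range(1 << N)]

def best_trail():
    """Dynamic programme over masks for the trail of largest |correlation|;
    returns (trail correlation, masks from plaintext to ciphertext)."""
    best = {a: (1.0, [a]) for a in range(1, 1 << N)}
    for _ in range(ROUNDS):
        nxt = {}
        for b in range(1, 1 << N):
            a = max(best, key=lambda a: best[a][0] * RC[a][b])
            c = best[a][0] * RC[a][b]
            if c > 0:
                nxt[b] = (c, best[a][1] + [b])
        best = nxt
    return max(best.values(), key=lambda ct: ct[0])

def correlation(keys, u, v):
    """Exact fixed-key correlation c_K(u, v) = 2^-N * sum_x (-1)^(u.x ^ v.E(x))."""
    s = sum((-1) ** parity((u & x) ^ (v & encrypt(x, keys))) for x in range(1 << N))
    return s / (1 << N)

def correlation_matrix(keys):
    """All c_K(u, v) for one key: c = 1 - 2 * HammingDistance(u.x, v.E(x)) / 2^N."""
    size = 1 << N
    ct = [encrypt(x, keys) for x in range(size)]
    cols = [sum(((ct[x] >> j) & 1) << x for x in range(size)) for j in range(N)]
    f = [0] * size                      # f[v] = bit-vector over x of v.E(x)
    for v in range(1, size):
        low = v & -v
        f[v] = f[v ^ low] ^ cols[low.bit_length() - 1]
    return [[1.0 - 2.0 * bin(f[v] ^ G[u]).count("1") / size for v in range(size)]
            for u in range(size)]

def averaged_lp(num_keys=16, seed=1):
    """Estimate the key-averaged linear probability E_K[c_K(u, v)^2] for every
    mask pair from sampled keys; returns (matrix of averages, sampled keys)."""
    rng, size = random.Random(seed), 1 << N
    acc, samples = [[0.0] * size for _ in range(size)], []
    for _ in range(num_keys):
        keys = [rng.randrange(size) for _ in range(ROUNDS + 1)]
        samples.append(keys)
        for u, row in enumerate(correlation_matrix(keys)):
            arow = acc[u]
            for v in range(size):
                arow[v] += row[v] * row[v] / num_keys
    return acc, samples

def best_hull(avg):
    """Largest key-averaged linear probability over non-trivial mask pairs."""
    size = 1 << N
    return max(((avg[u][v], (u, v)) for u in range(1, size) for v in range(1, size)),
               key=lambda t: t[0])

def key_spread(samples, u, v):
    """Min and max of the fixed-key LP at (u, v): the key equivalence check."""
    lps = [correlation(keys, u, v) ** 2 for keys in samples]
    return min(lps), max(lps)

if __name__ == "__main__":
    corr, trail = best_trail()
    print("best trail %s: correlation %.4f, LP %.3e" % ([hex(m) for m in trail], corr, corr ** 2))
    avg, samples = averaged_lp()
    lp, (u, v) = best_hull(avg)
    print("best key-averaged LP %.3e at (%#x, %#x); averaged LP at the trail's own pair %.3e"
          % (lp, u, v, avg[trail[0]][trail[-1]]))
    lo, hi = key_spread(samples, u, v)
    print("fixed-key LP at (%#x, %#x) ranges %.3e .. %.3e over %d keys" % (u, v, lo, hi, len(samples)))
```

Running the script prints the single-trail linear probability next to the key-averaged one at the same mask pair and at the best pair overall; the gap between them is the hull effect the abstract refers to, and the min/max of the fixed-key values shows how far individual keys stray from the average. The key-averaged figures are estimates from sampled keys, so increase `num_keys` before reading anything into small differences; the trail search and the per-key correlations are exact.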
