Multidimensional Linear Cryptanalysis

Linear cryptanalysis, introduced by Matsui, is a statistical attack that exploits a binary linear relation between plaintext, ciphertext and key, either in Algorithm 1 to recover one bit of information about the secret key of a block cipher, or in Algorithm 2 to rank candidate values for a part of the key. The statistical model is based on the expected and observed bias of a single binary value. Multiple linear approximations have been used with the goal of making the linear attack more efficient: more bits of information about the key can potentially be recovered, possibly using less data. But then more elaborate statistical models are needed to capture the joint behaviour of several, not necessarily independent, binary variables, and more options are available for generalising the statistics of a single variable to several variables. The multidimensional extension of linear cryptanalysis introduced in this paper uses multiple linear approximations that form a linear subspace. Different extensions of Algorithm 1 and Algorithm 2 will be presented and studied. The methods will be based on known statistical tools, namely the goodness-of-fit test and the log-likelihood ratio. The efficiency of the different methods will be measured and compared in theory and in experiments using the concept of advantage introduced by Selçuk. The block cipher Serpent with a reduced number of rounds will be used as the test bed. Multidimensional linear cryptanalysis will also be compared with previous methods that use the biasedness of multiple linear approximations. The simulations will show that the multidimensional method is potentially more powerful. Its main theoretical advantage is that the statistical model can be given without assuming statistical independence of the linear approximations.
