Key Difference Invariant Bias in Block Ciphers

In this paper, we reveal a fundamental property of block ciphers: there can exist linear approximations such that their biases ε are deterministically invariant under key difference. This behaviour is highly unlikely to occur in idealized ciphers but persists, for instance, in 5-round AES. Interestingly, the property of key difference invariant bias is independent of the bias value ε itself and depends only on the form of the linear characteristics comprising the linear approximation in question and on the key schedule of the cipher. We propose a statistical distinguisher for this property and turn it into a key recovery. As an illustration, we apply our novel cryptanalytic technique to mount related-key attacks on two recent block ciphers, LBlock and TWINE. In these cases, we break 2 and 3 more rounds, respectively, than the best previous attacks.
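The mechanism behind the property can be checked end to end on a toy cipher. The Python below is an added example written for this page; it is not code from the paper and has nothing to do with the real LBlock or TWINE implementations. It builds a 12-bit, 3-round key-alternating SPN from the PRESENT S-box, an assumed bit permutation `PERM` and an assumed key schedule `round_keys` (rot=0: every round key equals the master key; rot>0: rotated copies), enumerates every linear trail of a hull alpha -> beta, attaches to each trail the master-key mask w that fixes its sign (-1)^(w.K), and derives the key differences dK with w.dK = 0 for every trail: under such a dK no trail changes sign, so the correlation, and hence the bias, under K and K ^ dK is identical for every K. The set of such dK is computed from the trail masks and the schedule alone; the trail correlations (the Walsh values) only decide which trails exist, which is the independence from the bias value that the abstract describes. Everything is verified against full-codebook correlations, and a control dK that flips at least one trail is shown to move the bias. The function names, the sample keys and the candidate mask sets scanned by `pick_approximation` are choices made for this example.

```python
"""Key-difference invariant bias on a toy key-alternating SPN (constructed example, not the paper's code)."""
from fractions import Fraction
from itertools import product

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
NIBBLES, BITS, ROUNDS, MASK = 3, 12, 3, 0xFFF
PERM = [(3 * j) % 11 for j in range(11)] + [11]  # assumed bit permutation: bit j moves to position PERM[j]
PAR = [bin(x).count("1") & 1 for x in range(1 << BITS)]
# WALSH[a][b] = sum_x (-1)^(a.x ^ b.S(x)); the S-box correlation for masks (a, b) is WALSH[a][b] / 16
WALSH = [[sum(1 - 2 * (PAR[a & x] ^ PAR[b & SBOX[x]]) for x in range(16)) for b in range(16)] for a in range(16)]
SCALE = 16 ** (NIBBLES * ROUNDS)  # a trail's correlation is the product of its 3*ROUNDS Walsh values / SCALE
def permute(x): return sum(((x >> j) & 1) << PERM[j] for j in range(BITS))
def inv_permute(y): return sum(((y >> PERM[j]) & 1) << j for j in range(BITS))
def rotl(v, s): return ((v << s % BITS) | (v >> -s % BITS)) & MASK
ROUND = [permute(sum(SBOX[(x >> 4 * j) & 0xF] << 4 * j for j in range(NIBBLES))) for x in range(1 << BITS)]

def round_keys(key, rot=0):  # assumed key schedule: round key i = master key rotated left by rot*i (rot=0: all equal)
    return [rotl(key, rot * i) for i in range(ROUNDS + 1)]

def encrypt(p, keys):
    for k in keys[:-1]:
        p = ROUND[p ^ k]
    return p ^ keys[-1]

def correlation(alpha, beta, keys):
    """Exact correlation of alpha.p ^ beta.E(p), taken over the full 2^12 codebook."""
    return Fraction(sum(1 - 2 * (PAR[alpha & p] ^ PAR[beta & encrypt(p, keys)]) for p in range(1 << BITS)), 1 << BITS)

def slayer_outputs(u, allowed=MASK):
    """S-layer output masks v (submasks of allowed) reachable from input mask u, with their Walsh product."""
    options = [[(b, WALSH[(u >> 4 * j) & 0xF][b]) for b in range(16)
                if WALSH[(u >> 4 * j) & 0xF][b] and not b & ~(allowed >> 4 * j)] for j in range(NIBBLES)]
    for combo in product(*options):
        v, c = 0, 1
        for j, (b, wb) in enumerate(combo):
            v, c = v | b << 4 * j, c * wb
        yield v, c

def trails(alpha, beta):
    """All trails alpha -> beta with non-zero correlation: (masks u_0..u_ROUNDS at the key additions, Walsh product)."""
    v_last = inv_permute(beta)  # the last S-layer output mask is forced by beta
    blocks = sum(0xF << 4 * j for j in range(NIBBLES) if (v_last >> 4 * j) & 0xF)
    found = []
    def walk(i, u, masks, c):
        if i == ROUNDS - 1:
            for j in range(NIBBLES):
                c *= WALSH[(u >> 4 * j) & 0xF][(v_last >> 4 * j) & 0xF]
            if c:
                found.append((masks + [beta], c))
            return
        allowed = inv_permute(blocks) if i == ROUNDS - 2 else MASK  # must land in the S-boxes active in v_last
        for v, cv in slayer_outputs(u, allowed):
            walk(i + 1, permute(v), masks + [permute(v)], c * cv)
    walk(0, alpha, [alpha], 1)
    return found

def key_mask_groups(trs, rot=0):
    """Group trails by the master-key mask w that fixes their sign (-1)^(w.K): u.rotl(K, s) = rotl(u, -s).K."""
    groups = {}
    for masks, c in trs:
        w = 0
        for i, u in enumerate(masks):
            w ^= rotl(u, -rot * i)
        groups[w] = groups.get(w, 0) + c
    return groups

def hull_correlation(groups, key):
    return Fraction(sum((1 - 2 * PAR[w & key]) * c for w, c in groups.items()), SCALE)

def invariant_differences(groups):
    """Non-zero dK with w.dK = 0 for every contributing w: no trail changes sign, so the bias is invariant."""
    return [dk for dk in range(1, 1 << BITS) if all(not PAR[w & dk] for w, c in groups.items() if c)]

def control_difference(groups):
    """A dK that flips the sign of the heaviest trail group, and a key K at which the hull correlation then moves."""
    w_star = max((w for w in groups if groups[w]), key=lambda w: abs(groups[w]))
    dk = w_star & -w_star  # lowest set bit of w_star, so w_star.dK = 1
    return next((dk, k) for k in range(1 << BITS) if hull_correlation(groups, k) != hull_correlation(groups, k ^ dk))

def pick_approximation():  # single-bit input mask; output mask leaving one S-box active in the last round
    cands = [(1 << a, permute(b << 4 * n)) for a in range(BITS) for n in range(NIBBLES) for b in range(1, 16)]
    return max(cands, key=lambda ab: sum(abs(c) for c in key_mask_groups(trails(*ab)).values()))

def demo(rot=0, approximation=None, keys=(0x000, 0x5A3, 0xC71, 0x9E4)):
    """Exhaustive check: the trail sum is exact, invariant dK leave the bias unchanged, the control dK does not."""
    alpha, beta = approximation or pick_approximation()
    groups = key_mask_groups(trails(alpha, beta), rot)
    inv = invariant_differences(groups)
    ok = True
    for key in keys:
        cor = correlation(alpha, beta, round_keys(key, rot))
        ok &= cor == hull_correlation(groups, key) and all(
            correlation(alpha, beta, round_keys(key ^ dk, rot)) == cor for dk in inv[:8])
    dk, key = control_difference(groups)
    c1, c2 = (correlation(alpha, beta, round_keys(k, rot)) for k in (key, key ^ dk))
    return {"alpha": alpha, "beta": beta, "invariant": inv, "control": (dk, key, c1, c2), "ok": ok and c1 != c2}
if __name__ == "__main__":
    print(demo())
```

Running the file prints the chosen masks, the list of invariant key differences (they form a linear space minus zero, the orthogonal complement of the span of the trail key masks), the control difference with the two differing correlations, and `ok` for the exhaustive checks. Calling `demo(1, (alpha, beta))` with the same masks swaps in the rotating schedule and usually yields a different, often much smaller, invariant set, which is the key-schedule dependence the abstract refers to. The schedule dependence is what a distinguisher exploits: with a related-key pair whose difference lies in the invariant set, the two empirical biases are equal, whereas for an ideal cipher they would be independent.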
