A methodology for differential-linear cryptanalysis and its applications

Abstract

Differential and linear cryptanalyses are powerful techniques for analysing the security of a block cipher. In 1994 Langford and Hellman published a combination of differential and linear cryptanalysis under two default independence assumptions, known as differential-linear cryptanalysis, which is based on the use of a differential-linear distinguisher constructed by concatenating a linear approximation with a (truncated) differential with probability 1. In 1995 Langford gave a general version of differential-linear cryptanalysis, so that a differential with a probability smaller than 1 can also be used to construct a differential-linear distinguisher; the general version was published in 2002 by Biham, Dunkelman and Keller with an elaborate explanation using an additional assumption. In this paper, we introduce a new methodology for differential-linear cryptanalysis under the original two assumptions, without using the additional assumption of Biham et al. The new methodology is more reasonable and more general than Langford and Biham et al.'s methodology; and apart from this advantage it can lead to some better cryptanalytic results than Langford and Biham et al.'s methodology and Langford and Hellman's methodology. As examples, we apply it to 13 rounds of the DES block cipher, 10 rounds of the CTC2 block cipher and 12 rounds of the Serpent block cipher. The new methodology can be used to cryptanalyse other block ciphers, and block cipher designers should pay attention to this new methodology when designing a block cipher.