Abstract
We propose an improved and extended approach to the multiple linear cryptanalysis presented by A. Biryukov et al. at CRYPTO 2004 that exploits dominant and statistically independent linear trails. While they presented only rank based attacks with success probability 1, we present threshold based attacks as well as rank based ones using a newly introduced statistic that is a linear combination of the component statistics for the trails and is an approximation of the LLR statistic. The rank based Algorithm 1 style attack yields the same estimate for the gain as Biryukov et al.’s Algorithm 1 style attack. For each of the threshold based Algorithm 1 style and Algorithm 2 style attacks, we provide a formula for its advantage in terms of the correlations of the trails, the data complexity, and the success probability in case the aimed success probability is not 1. Combining the threshold based attacks with the rank based ones, we get attacks each of which has better estimates for the advantage compared to the threshold based one in case the aimed success probability is close to 1. We then extend the methods to get a new framework of multiple linear attacks exploiting close-to-dominant linear trails that may not be statistically independent. We apply the methods to full DES and get linear attacks using 4 linear trails with about the same or better complexity compared to those presented at ASIACRYPT 2017 that use 4 additional trails. With data complexity less than $2^{41}$, the attack has better complexity than existing attacks on DES.
Highlights
Since first introduced by Matsui [Mat93], the linear attack has been regarded as one of the most important attacks against block ciphers.
Since 2 is a constant and $\sum_j \tau_j^I(D)^2/N^2$ is a constant for given data D, the rank of β with respect to their statistic is exactly the same as its rank with respect to ours. It seems that the existence of the added quadratic term $\sum_j \tau_j^I(D)^2/N^2$ makes it hard to get a threshold based variant using their statistic.
We use a small number of linear trails that are close-to-dominant, so we think that our models do not contradict their observations.
Summary
Since first introduced by Matsui [Mat93], the linear attack has been regarded as one of the most important attacks against block ciphers. Biryukov et al. [BCQ04] presented Algorithm 1 style and Algorithm 2 style attacks that use independent and dominant linear trails, not imposing such a condition on the parity bits. Their attack is based on a maximum likelihood approach, and they provided a formula for the gain or advantage of the attack in terms of the sum of the squared correlations of the linear approximations and the data complexity. We introduce a new statistic that is a linear combination of the component statistics for the trails and apply it in three versions of Algorithm 1 style and Algorithm 2 style attacks. It is an approximation of the LLR statistic and enables us to get an explicit formula for the estimate of the advantage for each attack in terms of the correlations of the trails, the data size and the success probability for each of the versions.