Abstract

Statistical saturation attacks take advantage of a set of plaintexts in which some bits are fixed while the others vary randomly, and then track the evolution of the resulting non-uniform plaintext distribution through the cipher. Previous statistical saturation attacks have all been implemented in the single-key setting, and there are no public attack models in the related-key/tweak setting. In this paper, we propose a new cryptanalytic method, which can be seen as a related-key/tweak statistical saturation attack, by revealing the link between related-key/tweak statistical saturation distinguishers and KDIB (Key Difference Invariant Bias) / TDIB (Tweak Difference Invariant Bias) distinguishers. KDIB cryptanalysis was proposed by Bogdanov et al. at ASIACRYPT’13 and exploits the property that there can exist linear trails whose biases are deterministically invariant under a key difference. The method extends naturally to TDIB distinguishers if the tweak is also alternated. The link between the two provides a new and more efficient way to find related-key/tweak statistical saturation distinguishers in ciphers. Thereafter, an automatic search algorithm for KDIB/TDIB distinguishers is also given in this paper, which can be used to find word-level KDIB distinguishers for S-box based key-alternating ciphers. We apply this algorithm to QARMA-64 and give a related-tweak statistical saturation attack on 10-round QARMA-64 with outer whitening key. In addition, an 11-round attack on QARMA-128 is also given based on the TDIB technique. Compared with previous public attacks on QARMA including the outer whitening key, all attacks presented in this paper are the best in terms of the number of rounds.

Highlights

  • Linear cryptanalysis [Mat93], proposed by Matsui at Eurocrypt’93, has been playing an important role in evaluating the security of block ciphers

  • Since the probability of the linear approximation is related to the value of the user-supplied key κ used in the target cipher, the bias ε is dependent on κ

  • We prove that this setting is equivalent to a related-key/tweak statistical saturation distinguisher where fixing the first n − s bits in the input leads to an identical distribution of the first t output bits under different z and z′


Summary

Introduction

Linear cryptanalysis [Mat93], proposed by Matsui at Eurocrypt’93, has been playing an important role in evaluating the security of block ciphers.

In Section 3, we introduce this new cryptanalytic method, where one fixes a part of the plaintext, takes all possible values for the other plaintext bits, and considers the value distribution of a part of the ciphertext under related-key/tweak pairs (z, z′). To obtain this related-key/tweak invariant distribution, we reveal the conditional equivalence between KDIB/TDIB and related-key/tweak statistical saturation attacks. Consider a KDIB/TDIB distinguisher for an n-bit block cipher where (without loss of generality) each composed linear hull has a non-zero input mask with zeros in the last s bits and a non-zero output mask with zeros in the last n − t bits, and the bias is invariant under different z and z′. We prove that this setting is equivalent to a related-key/tweak statistical saturation distinguisher where fixing the first n − s bits of the input leads to an identical distribution of the first t output bits under different z and z′.

Table notes: CPT/KPT: Chosen/Known Plaintext-Tweak Pairs. #tks: the number of different tweaks used in the corresponding attack. ∗ Evaluated in encryption units.
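The following Python is an added illustration, not code from the paper, of the mechanism behind the link described above: for a fixed plaintext prefix, the biases of all linear approximations whose output mask lies in the first t ciphertext bits are (half) the Walsh-Hadamard transform of the distribution of those t bits, so every bias is invariant under a key/tweak difference exactly when that distribution is. The 8-bit toy cipher, its round keys and the prefix are constructed assumptions for the example; the paper's QARMA distinguishers are not reproduced here.

```python
from collections import Counter

# 4-bit S-box of PRESENT, used only to build a constructed toy cipher.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def toy_encrypt(x, round_keys):
    """Constructed 8-bit key-alternating toy cipher (assumption, not QARMA):
    key XOR, two parallel S-boxes, a 3-bit rotation; the last key is whitening."""
    for k in round_keys[:-1]:
        x ^= k
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
        x = ((x << 3) | (x >> 5)) & 0xFF
    return x ^ round_keys[-1]

def walsh_hadamard(v):
    """W[a] = sum_y v[y] * (-1)^(a.y) for a list of length 2^m (fast WHT)."""
    w = list(v)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def saturation_distribution(round_keys, n, s, t, prefix):
    """Fix the first n-s plaintext bits to `prefix`, enumerate the last s bits,
    and return the probability vector of the first t ciphertext bits."""
    counts = Counter()
    for free in range(1 << s):
        y = toy_encrypt((prefix << s) | free, round_keys)
        counts[y >> (n - t)] += 1
    return [counts[y] / (1 << s) for y in range(1 << t)]

def biases(dist):
    """eps(v) = P(v.y = 0) - 1/2 for every mask v on the observed t bits = WHT/2."""
    return [w / 2 for w in walsh_hadamard(dist)]

def distribution_from_biases(eps):
    """Inverse direction: the full set of biases determines the distribution."""
    t = len(eps).bit_length() - 1
    return [w / (1 << (t - 1)) for w in walsh_hadamard(eps)]

def invariant_under_difference(keys, related_keys, n, s, t, prefix):
    """True iff the t-bit output distribution (equivalently every bias, sign included)
    is the same under both key sets: a related-key saturation distinguisher check."""
    p = saturation_distribution(keys, n, s, t, prefix)
    q = saturation_distribution(related_keys, n, s, t, prefix)
    return biases(p) == biases(q)
```

Shifting the observed output bits by a key difference flips the sign of bias ε(v) whenever v·Δ is odd while leaving its magnitude unchanged, which is why the invariance must hold for the signed bias and not only its absolute value.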

Key Difference Invariant Bias in Key-Alternating Ciphers
Brief Description of QARMA
Related-Tweak Statistical Saturation Cryptanalysis
Searching for KDIB Distinguishers with STP
Part 2. Equations for Basic Operations in Key Schedule
TDIB and Related-Tweak Statistical Saturation Distinguishers for QARMA
TDIB Distinguishers for 8-Round QARMA
Related-Tweak Statistical Saturation Distinguishers for QARMA-64
Key Recovery Attacks on Reduced-Round QARMA
Attack Procedure
Attack Complexity
B Lemmas Used in Proving Theorem 2
C Tweak Difference of Distinguishers in Table 5