Abstract
Multidimensional linear cryptanalysis of block ciphers is improved in this work by introducing a number of new ideas. Firstly, formulae is given to compute approximate multidimensional distributions of the encryption algorithm internal bits. Conventional statistics like LLR (Logarithmic Likelihood Ratio) do not fit to work in Matsui’s Algorithm 2 for large dimension data, as the observation may depend on too many cipher key bits. So, secondly, a new statistic which reflects the structure of the cipher round is constructed instead. Thirdly, computing the statistic values that will fall into a critical region is presented as an optimisation problem for which an efficient algorithm is suggested. The algorithm works much faster than brute forcing all relevant key bits to compute the statistic. An attack for 16-round DES was implemented. We got an improvement over Matsui’s attack on DES in data and time complexity keeping success probability the same. With 241.81 plaintext blocks and success rate 0.83 (computed theoretically) we found 241.46 (which is close to the theoretically predicted number 241.81) key-candidates to 56-bit DES key. Search tree to compute the statistic values which fall into the critical region incorporated 245.45 nodes in the experiment and that is at least theoretically inferior in comparison with the final brute force. To get success probability 0.85, which is a fairer comparison to Matsui’s results, we would need 241.85 data and to brute force 241.85 key-candidates. That compares favourably with 243 achieved by Matsui.
Highlights
Linear Cryptanalysis is a statistical approach in the cryptanalysis of symmetric ciphers
Linear Cryptanalysis exploits the fact that an xor of certain plaintext, ciphertext and key bits is zero with some a priori computed probability p different from 1/2
By solving a particular optimisation problem one finds a set of size 240 of 53-bit key-candidates at price ≈ 240 computations, that is without brute forcing 253 values of the statistic
Summary
Linear Cryptanalysis is a statistical approach in the cryptanalysis of symmetric ciphers. Similar ideas were earlier used to compute joint probability distributions of some particular bits and study how those distributions depend on the cipher key for DES in [5, 9] and for PRESENT in [8] Those methods are based on a number of heuristic assumptions and simplifications. The attack uses 10 best 14-round "linear approximations", considered statistically independent The distributions of those "linear approximations" and observations on them depend on 53 DES key bits. By solving a particular optimisation problem (stated in its generality in Section 8 of the present work) one finds a set of size 240 of 53-bit key-candidates at price ≈ 240 computations, that is without brute forcing 253 values of the statistic. We implemented our method and got improvement over Matsui’s result on 16-round DES in data and time complexity while success probability remains the same, see Section 4
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.