Abstract

The original zero-correlation linear attack on a tweakable block cipher \(E_{K, T}\) with key \(K\) and tweak \(T\) (\(E_{K, T}\) is an ordinary block cipher when \(|T| = 0\)) exploits linear approximations \(\langle \alpha , x \rangle \oplus \langle \beta , E_{K,T}(x) \rangle\) with correlation zero for any fixed \(K\) and \(T\), where the correlation is computed over all possible plaintexts \(x\). Obviously, the plaintexts, keys, and tweaks are not treated equally. In this work, we regard the tweakable block cipher as a vectorial Boolean function \(F: \mathbb{F}_2^{n+m+l} \rightarrow \mathbb{F}_2^{n}\) mapping \((x, K, T) \in \mathbb{F}_2^{n+m+l}\) to \(E_{K,T}(x) \in \mathbb{F}_2^n\), and try to find zero-correlation linear approximations of \(F\) of the form

$$ \langle \alpha , x \rangle \oplus \langle \gamma , K \rangle \oplus \langle \lambda , T \rangle \oplus \langle \beta , F(x, K, T) \rangle , $$

where the correlation is computed over all possible \((x, K, T)\). Standard tools based on SAT and SMT can be employed to search for this type of zero-correlation linear approximation under a unified framework, of which Ankele et al.'s work at ToSC 2019 on zero-correlation analysis that takes tweaks into account can be seen as a special case with linear tweak schedules and \(\gamma = 0\). Due to the links between zero-correlation linear approximations and integral distinguishers, we can convert the new type of zero-correlation linear distinguishers into related-tweakey integral distinguishers. We apply our method to TWINE, LBlock, and SKINNY with both linear and nonlinear tweakey schedules. As a result, we obtain the longest distinguishers for TWINE and longer zero-correlation linear distinguishers for LBlock and SKINNY when the key/tweak schedule is considered. The correctness of our method is verified by recovering the results of Ankele et al. and by experiments on a toy cipher.
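The difference between the two correlation definitions can be checked by brute force on a small instance. The following is an added example, not code from the paper: the 2-round toy cipher `F` (with \(n = m = l = 4\), built on the PRESENT S-box) and all function names are assumptions chosen for illustration, and a Walsh-Hadamard transform stands in for the SAT/SMT search the abstract describes.

```python
# Added illustration: a constructed toy tweakable cipher, not the paper's toy cipher.
N = 4  # bits in each of x, K, T (n = m = l = 4)
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box

def dot(a, b):
    """Inner product <a, b> over F_2."""
    return bin(a & b).count("1") & 1

def F(x, k, t):
    """Toy cipher E_{K,T}(x) = S(S(x ^ K ^ T) ^ K), viewed as F(x, K, T)."""
    return SBOX[SBOX[x ^ k ^ t] ^ k]

def fixed_sum(alpha, beta, k, t):
    """Classical setting: signed sum over x only, for one fixed (K, T)."""
    return sum((-1) ** (dot(alpha, x) ^ dot(beta, F(x, k, t)))
               for x in range(1 << N))

def joint_sum(alpha, gamma, lam, beta):
    """New setting: signed sum over all (x, K, T); correlation = sum / 2^12."""
    return sum((-1) ** (dot(gamma, k) ^ dot(lam, t)) * fixed_sum(alpha, beta, k, t)
               for k in range(1 << N) for t in range(1 << N))

def walsh_spectrum(beta):
    """All joint sums for one output mask via a fast Walsh-Hadamard transform.
    Input index z = x | K << 4 | T << 8, so the mask index is
    alpha | gamma << 4 | lam << 8."""
    w = [(-1) ** dot(beta, F(z & 15, (z >> 4) & 15, z >> 8))
         for z in range(1 << 3 * N)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def zero_correlation_masks(beta):
    """Every (alpha, gamma, lam) whose joint correlation with beta is exactly zero."""
    return [(u & 15, (u >> 4) & 15, u >> 8)
            for u, v in enumerate(walsh_spectrum(beta)) if v == 0]

if __name__ == "__main__":
    print(len(zero_correlation_masks(0x5)), "zero-correlation input masks for beta = 0x5")
```

Because this toy cipher uses \(x\) and \(T\) only through \(x \oplus T\), every approximation with \(\lambda \neq \alpha\) has correlation exactly zero over \((x, K, T)\), even though for a fixed \((K, T)\) and any \(\alpha \neq 0\) some \(\beta\) has nonzero classical correlation.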
