Abstract
Bias analysis is an important problem in cryptanalysis. When the critical bias can be expressed as the XOR of many terms, it is well known that the bias of their sum can be computed by the famous Piling-up lemma, assuming all the terms are independent. In this paper we consider the case where the terms of the sum are dependent and study the above bias problem. More precisely, let each term be a Boolean function of a variable over GF(2)^n. We assume that the distribution D of the XOR of the k variables is known, that each variable is uniformly distributed individually, and moreover that the XOR of all k variables and the XOR of (k − 1) of them are independent. We give a simple expression for the bias of the sum of the k Boolean functions. It takes time O(kn·2^n) to compute the bias, whereas under the independence assumption the Piling-up lemma computes it in time O(k·2^n). We further compare the general bias in our problem with the bias in the independent case. It is remarkable that the former can differ significantly from the latter. As an application, we apply our results to the cryptanalysis of two real examples, the Bluetooth encryption standard E0 and the Shannon cipher, which exhibit a strongly biased and a weakly biased D respectively. For E0, our analysis yields the best known key-recovery attack, with precomputation, time and data complexities O(2^37). For the Shannon cipher, our analysis verifies the validity of the estimated complexity O(2^107) of the previous distinguishing attack [5]. For comparison, we also study a variant of the Shannon cipher which shows a much stronger dependency within its internal states. We give a distinguishing attack on the Shannon variant with reduced complexity O(2^93).
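The abstract's central claim, that the bias of f_1(x_1) ⊕ … ⊕ f_k(x_k) under a biased distribution D of x_1 ⊕ … ⊕ x_k can differ substantially from the Piling-up estimate, can be checked numerically. The following is an added example, not code from the paper, and it does not reproduce the paper's own expression. It realizes the abstract's assumptions with one concrete sampling model (an assumption of this example): x_1, …, x_{k−1} are uniform and independent, s ∼ D is independent of them, and x_k = s ⊕ x_1 ⊕ … ⊕ x_{k−1}, so that every x_i is uniform on its own, the XOR of all k inputs follows D, and the XOR of the first k − 1 inputs is uniform and independent of it. The exact bias is then a Walsh-Hadamard computation that costs O(kn·2^n), the same order the abstract reports, and it is cross-checked against brute-force enumeration. The Boolean function AND01 and the distributions are constructed for illustration.

```python
"""Exact bias of f_1(x_1) ^ ... ^ f_k(x_k) when x_1 ^ ... ^ x_k follows a known,
possibly biased distribution D on GF(2)^n, compared with the Piling-up lemma.

Sampling model (an assumption of this example, chosen to satisfy the abstract's
hypotheses): x_1..x_{k-1} uniform and independent, s ~ D independent of them,
and x_k = s ^ x_1 ^ ... ^ x_{k-1}.
"""
from itertools import product
from typing import Callable, Sequence

BoolFn = Callable[[int], int]  # x in range(2**n) -> {0, 1}


def wht(a: Sequence[float]) -> list[float]:
    """Unnormalized Walsh-Hadamard transform of a length-2^n vector, O(n*2^n)."""
    a = list(a)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def sign_table(f: BoolFn, n: int) -> list[int]:
    """(-1)^f(x) for every x in GF(2)^n."""
    return [1 - 2 * f(x) for x in range(1 << n)]


def single_bias(f: BoolFn, n: int) -> float:
    """eps = Pr[f(x) = 0] - 1/2 for uniform x."""
    return sum(sign_table(f, n)) / (2 << n)


def pilingup_bias(fs: Sequence[BoolFn], n: int) -> float:
    """Piling-up lemma: for k independent terms the bias is 2^(k-1) * prod eps_i."""
    b = 2 ** (len(fs) - 1)
    for f in fs:
        b *= single_bias(f, n)
    return b


def exact_bias(fs: Sequence[BoolFn], dist: Sequence[float], n: int) -> float:
    """Exact bias under the sampling model; dist[s] = Pr[x_1 ^ ... ^ x_k = s].

    conv[s] = sum over all (x_1..x_k) with XOR s of prod (-1)^f_i(x_i) is the
    XOR-convolution of the k sign tables: k forward WHTs, a pointwise product,
    one inverse WHT.  Dividing by the 2^(n(k-1)) tuples with XOR s gives the
    conditional correlation given s, which is then averaged over s ~ D.
    """
    N = 1 << n
    spec = [1.0] * N
    for f in fs:
        spec = [u * v for u, v in zip(spec, wht(sign_table(f, n)))]
    conv = [v / N for v in wht(spec)]  # inverse WHT = WHT / N
    corr = sum(dist[s] * conv[s] for s in range(N)) / N ** (len(fs) - 1)
    return corr / 2  # bias = correlation / 2


def brute_force_bias(fs: Sequence[BoolFn], dist: Sequence[float], n: int) -> float:
    """Same quantity by enumerating the whole sampling model (independent check)."""
    N = 1 << n
    k = len(fs)
    p_zero = 0.0
    for xs in product(range(N), repeat=k - 1):
        partial = 0
        for x in xs:
            partial ^= x
        for s in range(N):
            inputs = (*xs, s ^ partial)  # x_k = s ^ x_1 ^ ... ^ x_{k-1}
            total = 0
            for f, x in zip(fs, inputs):
                total ^= f(x)
            if total == 0:
                p_zero += dist[s] / N ** (k - 1)
    return p_zero - 0.5


def uniform_dist(n: int) -> list[float]:
    """D uniform: the independent case, where the Piling-up lemma is exact."""
    return [1 / (1 << n)] * (1 << n)


def skewed_dist(n: int, w: float) -> list[float]:
    """(1-w)*uniform + w*delta_0: the XOR of all k inputs is 0 with extra weight w."""
    N = 1 << n
    d = [(1 - w) / N] * N
    d[0] += w
    return d


def AND01(x: int) -> int:
    """Constructed test function f(x) = x0 * x1 on GF(2)^n; eps = 1/4."""
    return (x & 1) & ((x >> 1) & 1)


if __name__ == "__main__":
    n, fs = 3, [AND01] * 3
    print("piling-up estimate     :", pilingup_bias(fs, n))
    print("exact, D uniform       :", exact_bias(fs, uniform_dist(n), n))
    print("exact, D = delta_0     :", exact_bias(fs, skewed_dist(n, 1.0), n))
    print("exact, D 10% skewed    :", exact_bias(fs, skewed_dist(n, 0.1), n))
    print("brute force, 10% skewed:", brute_force_bias(fs, skewed_dist(n, 0.1), n))
```

With n = 3, k = 3 and f_i(x) = x0·x1 (each ε_i = 1/4), the Piling-up lemma gives 2^2·(1/4)^3 = 1/16, and the exact computation agrees when D is uniform. When D is concentrated on 0 (so x_3 = x_1 ⊕ x_2), the sum collapses to x1_0·x2_1 ⊕ x1_1·x2_0 and the exact bias is 1/8, twice the independent estimate; a mildly skewed D interpolates linearly between the two. The exact bias is linear in D, so a strongly biased D (the E0 situation in the abstract) moves it far from the lemma's value while a weakly biased D (the Shannon situation) moves it only slightly.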
References
Armknecht, F., Krause, M.: Algebraic attacks on combiners with memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)
Bluetooth specification, http://www.bluetooth.org
Canteaut, A., Naya-Plasencia, M.: Computing the biases of parity-check relations (2009), http://arxiv.org/abs/0904.4412
Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)
Hakala, R.M., Nyberg, K.: Linear distinguishing attack on shannon. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 297–305. Springer, Heidelberg (2008)
Kukorelly, Z.: The piling-up lemma and dependent random variables. In: Walker, M. (ed.) Cryptography and Coding 1999. LNCS, vol. 1746, pp. 186–190. Springer, Heidelberg (1999)
Lu, Y., Vaudenay, S.: Faster correlation attack on bluetooth keystream generator E0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 407–425. Springer, Heidelberg (2004)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
Molland, H., Helleseth, T.: An improved correlation attack against irregular clocked and filtered keystream generators. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 373–389. Springer, Heidelberg (2004)
Qualcomm, http://www.qualcomm.com/
Rose, G., Hawkes, P., Paddon, M., McDonald, C., Vries, M.: Design and Primitive Specification for Shannon, Symmetric Cryptography (2007)
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lu, Y., Desmedt, Y. (2011). Bias Analysis of a Certain Problem with Applications to E0 and Shannon Cipher. In: Rhee, KH., Nyang, D. (eds) Information Security and Cryptology - ICISC 2010. ICISC 2010. Lecture Notes in Computer Science, vol 6829. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24209-0_2
DOI: https://doi.org/10.1007/978-3-642-24209-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24208-3
Online ISBN: 978-3-642-24209-0