
Zero-correlation attacks: statistical models independent of the number of approximations

Published in Designs, Codes and Cryptography.

Abstract

Multiple and multidimensional zero-correlation linear cryptanalysis are two of the most powerful cryptanalytic techniques for block ciphers, and it has been shown that the differentiating factor between these two statistical models is whether distinct plaintexts are assumed or not. Nevertheless, questions remain regarding how these analyses can be generalized without any limitations and used to accurately estimate the data complexity and the success probability. More concretely, the current models for multiple zero-correlation (MPZC) and multidimensional zero-correlation (MDZC) cryptanalysis are not valid in the setting with a limited number of approximations, and the accuracy of the data-complexity estimate cannot be guaranteed. Besides, in many cases, using too many approximations may force an exhaustive search when we want to launch key-recovery attacks. To generalize the original models, which use the normal approximation of the \(\chi ^2\)-distribution, we provide a more accurate approach to estimating the data complexity and the success probability for MPZC and MDZC cryptanalysis without that approximation. Since these new models rely directly on the \(\chi ^{2}\)-distribution, we call them the \(\chi ^{2}\) MPZC and MDZC models. Interestingly, the chi-square multiple zero-correlation (\(\chi ^{2}\)-MPZC) model still works even when only a single zero-correlation linear approximation is available. This fact puts an end to the situation in which basic zero-correlation linear cryptanalysis requires the full codebook in the known-plaintext setting. As an illustration, we apply the \(\chi ^{2}\)-MPZC model to analyze TEA and XTEA; these new attacks cover more rounds than the previous MPZC attacks. Moreover, we reconsider the multidimensional zero-correlation (MDZC) attack on 14-round CLEFIA-192, utilizing fewer zero-correlation linear approximations. In addition, some other ciphers that already have MDZC analytical results are reevaluated, and the data complexities under the new model are all less than or equal to those under the original model. Some experiments are conducted to verify the validity of the new models, and the experimental results convince us that the new models provide more precise estimates of the data complexity and the success probability.


Notes

  1. This is due to the fact that Bogdanov and Rijmen [7] reduced the data requirement by one-half under the chosen-plaintext setting.

  2. For example, in [8], the authors provide two families of zero-correlation linear approximations for TEA/XTEA. As the case of TEA/XTEA shows, using a large number of zero-correlation linear approximations may indeed reduce the number of rounds covered by the distinguisher.

  3. The elimination of the independence assumption uses a method similar to the treatment in multidimensional linear cryptanalysis.

  4. A similar idea of removing normal approximations in the context of linear cryptanalysis had also been adopted by Huang et al. [12] at CRYPTO’15. They eliminated the normal approximation and presented the data complexity of multidimensional linear attack as a function of the \(\Gamma \)-distribution.

  5. Note that both attacks use two independent zero-correlation linear approximations, which does not violate the independence assumption.

  6. The ‘quantile’ used in this paper is actually the lower quantile.

  7. For different zero-correlation linear approximations, the subkey bits involved in the key-recovery procedure may differ. Since MPZC and MDZC linear cryptanalysis use many different zero-correlation linear approximations, we avoid involving the whole master key by reducing the number of attacked rounds.

  8. It is important to note that, in a real attack, the number of independent zero-correlation linear approximations is too small to satisfy the two assumptions simultaneously since all classes of zero-correlation linear approximations known so far are actually truncated.

  9. To distinguish the degrees of freedom of a \(\chi ^{2}\)-distribution from its quantiles within one symbol, we always put the degrees of freedom in parentheses in this paper.

  10. We remark here that the data complexities computed by using two models (\(\chi ^{2}\)-MDZC and MDZC) still have some gaps even when \(\ell \) is larger than 50. This results from the tiny difference between \(\chi ^{2}(\ell )\) and \({\mathcal {N}}(\ell ,\,\sqrt{2\ell }).\) We will discuss it in Sect. 4.

  11. Note that we only test the cases with \(\ell \) smaller than nine, since there are only eight independent zero-correlation linear approximations in our test setting.

  12. http://www.maplesoft.com/.
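The abstract's central point, and the remark in note 10 on the remaining gap between \(\chi ^{2}(\ell )\) and \({\mathcal {N}}(\ell ,\,\sqrt{2\ell })\), can be checked numerically. The following script is an added example, not code from the paper: it computes the lower \(\alpha\)-quantile of \(\chi ^{2}(\ell )\) exactly (through the regularized lower incomplete gamma function) and compares it with the quantile of the normal approximation for several \(\ell \). The value \(\alpha = 0.05\) and the chosen values of \(\ell \) are assumptions for illustration; the script does not implement the paper's data-complexity formulas.

```python
import math


def chi2_cdf(x, k):
    """CDF of the chi-square distribution with k degrees of freedom,
    computed as the regularized lower incomplete gamma P(k/2, x/2)
    via its power series (no scipy needed)."""
    if x <= 0:
        return 0.0
    a, z = k / 2.0, x / 2.0
    term = 1.0 / a          # n = 0 term of sum_n z^n / (a (a+1) ... (a+n))
    total = term
    n = 0
    while abs(term) > 1e-17 * abs(total) and n < 10000:
        n += 1
        term *= z / (a + n)
        total += term
    return total * math.exp(a * math.log(z) - z - math.lgamma(a))


def normal_cdf(x, mu, sigma):
    """CDF of N(mu, sigma) using the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def quantile(cdf, p, lo, hi, iters=200):
    """Lower p-quantile of a distribution given by its CDF (bisection)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def lower_quantiles(ell, alpha):
    """Return (exact chi2(ell) lower alpha-quantile,
               quantile of the normal approximation N(ell, sqrt(2 ell)))."""
    hi = ell + 10.0 * math.sqrt(2.0 * ell) + 10.0   # safely beyond the mass
    q_chi2 = quantile(lambda x: chi2_cdf(x, ell), alpha, 0.0, hi)
    q_norm = quantile(lambda x: normal_cdf(x, ell, math.sqrt(2.0 * ell)),
                      alpha, -hi, hi)
    return q_chi2, q_norm


if __name__ == "__main__":
    # Assumed illustration: alpha = 0.05 and a handful of ell values.
    for ell in (1, 2, 4, 8, 16, 32, 50):
        qc, qn = lower_quantiles(ell, 0.05)
        print(f"ell={ell:3d}  chi2={qc:9.4f}  normal={qn:9.4f}  gap={qc - qn:8.4f}")
```

For \(\ell = 1\) the normal approximation even yields a negative quantile, which is meaningless for a \(\chi ^{2}\) statistic, and at \(\ell = 50\) the two quantiles still differ by more than one unit, which is the gap note 10 refers to.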

References

  1. Biham E., Biryukov A., Shamir A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Berlin (1999).

  2. Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).

  3. Blondeau C., Nyberg K.: On distinct known plaintext attacks. http://users.ics.aalto.fi/~blondeau/PDF/WCC_2015.pdf.

  4. Blondeau C., Nyberg K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Cryptogr. 82(1), 319–349 (2017).

  5. Bogdanov A., Geng H., Wang M., Wen L., Collard B.: Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA. In: Lange T., Lauter K., Lisoněk P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 306–323. Springer, Heidelberg (2014).

  6. Bogdanov A., Leander G., Nyberg K., Wang M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang X., Sako K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012).

  7. Bogdanov A., Rijmen V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 70(3), 369–383 (2014).

  8. Bogdanov A., Wang M.: Zero correlation linear cryptanalysis with reduced data complexity. In: Canteaut A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 29–48. Springer, Heidelberg (2012).

  9. Bogdanov A., Boura C., Rijmen V., Wang M., Wen L., Zhao J.: Key difference invariant bias in block ciphers. In: Salo K., Sarkar P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 357–376. Springer, Heidelberg (2013).

  10. Chen J., Wang M., Preneel B.: Impossible differential cryptanalysis of the lightweight block ciphers TEA, XTEA and HIGHT. In: Progress in Cryptology—AFRICACRYPT 2012, pp. 117–137. Springer, Heidelberg (2012).

  11. Hong S., Hong D., Ko Y., Chang D., Lee W., Lee S.: Differential cryptanalysis of TEA and XTEA. In: Lim J., Lee D. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 402–417. Springer, Berlin (2004).

  12. Huang J., Vaudenay S., Lai X., Nyberg K.: Capacity and data complexity in multidimensional linear attack. In: Advances in Cryptology—CRYPTO 2015, pp. 141–160. Springer, Berlin (2015).

  13. Isobe T., Shibutani K.: Security analysis of the lightweight block ciphers XTEA, LED and Piccolo. In: Susilo W., Mu Y., Seberry J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 71–86. Springer, Heidelberg (2012).

  14. Kelsey J., Schneier B., Wagner D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996).

  15. Knudsen L.: DEAL—A 128-Bit Block Cipher. NIST AES Proposal (1998).

  16. Matsui M.: Linear cryptanalysis method for DES cipher. In: Helleseth T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Berlin (1994).

  17. Moon D., Hwang K., Lee W., Lee S., Lim J.: Impossible differential cryptanalysis of reduced round XTEA and TEA. In: Daemen J., Rijmen V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 49–60. Springer, Berlin (2002).

  18. Needham R.M., Wheeler D.J.: TEA, a tiny encryption algorithm. In: Preneel B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 363–366 (1995).

  19. Needham R.M., Wheeler D.J.: TEA Extensions. Report. Cambridge University, Cambridge (1997).

  20. Phan R.C.W.: Mini advanced encryption standard (Mini-AES): a testbed for cryptanalysis students. Cryptologia 26(4), 283–306 (2002).

  21. Sasaki Y., Wang L., Sakai Y., Sakiyama K., Ohta K.: Three-subset meet-in-the-middle attack on reduced XTEA. In: Mitrokotsa A., Vaudenay S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 138–154. Springer, Heidelberg (2012).

  22. Sekar G., Mouha N., Velichkov V., Preneel B.: Meet-in-the-middle attacks on reduced-round XTEA. In: Kiayias A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 250–267. Springer, Heidelberg (2011).

  23. Soleimany H., Nyberg K.: Zero-correlation linear cryptanalysis of reduced-round LBlock. Des. Codes Cryptogr. 73(2), 683–698 (2014).

  24. Wang Y., Wu W.: Improved multidimensional zero-correlation linear cryptanalysis and applications to LBlock and TWINE. In: Susilo W., Mu Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 1–16. Springer, Cham (2014).

  25. Wen L., Wang M., Bogdanov A.: Multidimensional zero-correlation linear cryptanalysis of E2. In: Pointcheval D., Vergnaud D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8649, pp. 147–164. Springer, Cham (2014).

  26. Wen L., Wang M., Bogdanov A., Chen H.: General application of FFT in cryptanalysis and improved attack on CAST-256. In: Meier W., Mukhopadhyay D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 161–176. Springer, Cham (2014).

Acknowledgements

Funding was provided by 973 Program (Grant No. 2013CB834205), NSFC Projects (Grant No. 61133013), Program for New Century Excellent Talents in University of China (Grant No. NCET-13-0350), Science and Technology on Communication Security Laboratory of China (No. 9140c110207150c11050), and Chinese Major Program of National Cryptography Development Foundation (No. MMJJ20170102).

Corresponding author

Correspondence to Meiqin Wang.

Additional information

Communicated by V. Rijmen.

Cite this article

Sun, L., Chen, H. & Wang, M. Zero-correlation attacks: statistical models independent of the number of approximations. Des. Codes Cryptogr. 86, 1923–1945 (2018). https://doi.org/10.1007/s10623-017-0430-9
