Skip to main content
SpringerLink
Log in

A methodology for differential-linear cryptanalysis and its applications

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

Differential and linear cryptanalyses are powerful techniques for analysing the security of a block cipher. In 1994 Langford and Hellman published a combination of differential and linear cryptanalysis under two default independence assumptions, known as differential-linear cryptanalysis, which is based on the use of a differential-linear distinguisher constructed by concatenating a linear approximation with a (truncated) differential with probability 1. In 1995 Langford gave a general version of differential-linear cryptanalysis, so that a differential with a probability smaller than 1 can also be used to construct a differential-linear distinguisher; the general version was published in 2002 by Biham, Dunkelman and Keller with an elaborate explanation using an additional assumption. In this paper, we introduce a new methodology for differential-linear cryptanalysis under the original two assumptions, without using the additional assumption of Biham et al. The new methodology is more reasonable and more general than Langford and Biham et al.’s methodology; and apart from this advantage it can lead to some better cryptanalytic results than Langford and Biham et al.’s methodology and Langford and Hellman’s methodology. As examples, we apply it to 13 rounds of the DES block cipher, 10 rounds of the CTC2 block cipher and 12 rounds of the Serpent block cipher. The new methodology can be used to cryptanalyse other block ciphers, and block cipher designers should pay attention to this new methodology when designing a block cipher.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

Notes

  1. A more general condition is \(\beta \odot \gamma =c\), where \(c \in \{0,1\}\) is a constant. Without loss of generality, we consider the case with \(c=0\) throughout this paper.

  2. We note that Biham et al. used a different assumption when reviewing the enhanced version in a few other papers, [13] say, where they assumed that \(\mathbb {E}_0(P) \odot \gamma = \mathbb {E}_0(P \oplus \alpha ) \odot \gamma \) holds with half a chance for the cases where \(\mathbb {E}_0(P) \oplus \mathbb {E}_0(P \oplus \alpha ) \ne \beta \), yielding the same probability value \(\frac{1}{2} + 2p\epsilon ^2\) as under Assumption 3. We treat this assumption as Assumption 3, though they are different.

  3. Note that here a differential-linear distinguisher is treated as a linear approximation, so that we can use Theorem 1 for a differential-linear attack, but here we can replace \(m+1\) in Theorem 1 with \(m\), (since the term on the XOR of concerned key bits is cancelled in a differential-linear distinguisher). The same statement applies to the subsequent attacks, although we do not make any further explicit statements.

  4. Note that there is a typo in the input mask of Round 7 of the 9-round linear approximation in [9], where the input mask should be \(0x00000010000A00000000000000000000\).

References

  1. Anderson R., Biham E., Knudsen L.R.: Serpent: a new block cipher proposal. In: FSE 1998. Lecture Notes in Computer Science, vol. 1372, pp. 222–238. Springer, Heidelberg (1998).

  2. Anderson R., Biham E., Knudsen L.R.: Serpent: a proposal for the Advanced Encryption Standard, NISTY AES Proposal (1998).

  3. Biham E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994).

  4. Biham E., Biryukov A.: An improvement of Davies’ attack on DES. J. Cryptol. 10(3), 195–206 (1997).

  5. Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. In: CRYPTO 1990. Lecture Notes in Computer Science, vol. 537, pp. 2–21. Springer, Heidelberg (1990).

  6. Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).

  7. Biham E., Shamir A.: Differential cryptanalysis of the full 16-round DES. In: CRYPTO 1992. Lecture Notes in Computer Science, vol. 740, pp. 487–496. Springer, Heidelberg (1993).

  8. Biham E., Dunkelman O., Keller N.: The rectangle attack—rectangling the Serpent. In: EUROCRYPT 2001. Lecture Notes in Computer Science, vol. 2045, pp. 340–357. Springer, Heidelberg (2001).

  9. Biham E., Dunkelman O., Keller N.: Linear cryptanalysis of reduced round Serpent. In: FSE 2001. Lecture Notes in Computer Science, vol. 2355, pp. 16–27. Springer, Heidelberg (2002).

  10. Biham E., Dunkelman O., Keller N.: Enhancing differential-linear cryptanalysis. In: ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 254–266. Springer, Heidelberg (2002).

  11. Biham E., Dunkelman O., Keller N.: New results on boomerang and rectangle attacks. In: FSE 2002. Lecture Notes in Computer Science, vol. 2365, pp. 1–16. Springer, Heidelberg (2002).

  12. Biham E., Dunkelman O., Keller N.: Differential-linear cryptanalysis of Serpent. In: FSE 2003. Lecture Notes in Computer Science, vol. 2887, pp. 9–21. Springer, Heidelberg (2003).

  13. Biham E., Dunkelman O., Keller N.: New combined attacks on block ciphers. In: FSE 2005. Lecture Notes in Computer Science, vol. 3557, pp. 126–144. Springer, Heidelberg (2005).

  14. Collard B., Standaert F.-X., Quisquater J.-J.: Improved and multiple linear cryptanalysis of reduced round Serpent. In: Inscrypt 2007. Lecture Notes in Computer Science, vol. 4990, pp. 51–65. Springer, Heidelberg (2008).

  15. Collard B., Standaert F.-X., Quisquater J.-J.: Improved and multiple linear cryptanalysis of reduced round Serpent—description of the linear approximations. http://perso.uclouvain.be/fstandae/PUBLIS/47b.

  16. Courtois N.T.: CTC2 and fast algebraic attacks on block ciphers revisited. IACR ePrint report 2007/152 (2007).

  17. Courtois N.T., Pieprzyk J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 267–287. Springer, Heidelberg (2002).

  18. Daemen J., Rijmen V.: AES proposal: Rijndael. In: Proceedings of the First Advanced Encryption Standard Candidate Conference, NIST, Ventura, CA (1998).

  19. Davies, D.: Investigation of a potential weakness in the DES algorithm (1987) (unpublished manuscript).

  20. Davies D., Murphy S.: Pairs and triplets of DES S-boxes. J. Cryptol. 8(1), 1–25 (1995).

  21. Dunkelman O.: Techniques for cryptanalysis of block ciphers. Ph.D. thesis, Technion-Israel Institute of Technology, Israel (2006).

  22. Dunkelman O., Keller N.: Cryptanalysis of CTC2. In: CT-RSA 2009. Lecture Notes in Computer Science, vol. 5473, pp. 226–239. Springer, Heidelberg (2009).

  23. Dunkelman O., Indesteege S., Keller N.: A differential-linear attack on 12-round Serpent. In: INDOCRYPT 2008. Lecture Notes in Computer Science, vol. 5365, pp. 308–321. Springer, Heidelberg (2008).

  24. GNU Project, http://www.gnupg.org/oids.html.

  25. Handschuh H., Naccache D.: SHACAL. In: Proceedings of the First Open NESSIE Workshop (2000).

  26. Hawkes P.: Differential-linear weak key classes of IDEA. In: EUROCRYPT 1998. Lecture Notes in Computer Science, vol. 1403, pp. 112–126. Springer, Heidelberg (1998).

  27. Kelsey J., Schneier B., Wagner D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: CRYPTO 1996. Lecture Notes in Computer Science, vol. 1109, pp. 237–251. Springer, Heidelberg (1996).

  28. Kelsey J., Kohno T., Schneier B.: Amplified boomerang attacks against reduced-round MARS and Serpent. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 75–93. Springer, Heidelberg (2001).

  29. Kim J.: Combined differential, linear and related-key attacks on block ciphers and MAC algorithms. Ph.D. thesis, Katholieke Universiteit Leuven, Belgium (2006).

  30. Knudsen L.R.: Cryptanalysis of LOKI91. In: ASIACRYPT 1992. Lecture Notes in Computer Science, vol. 718, pp. 196–208. Springer, Heidelberg (1993).

  31. Knudsen L.R.: Trucated and higher order differentials. In: FSE 1994. Lecture Notes in Computer Science, vol. 1008, pp. 196–211. Springer, Heidelberg (1995).

  32. Knudsen L.R., Mathiassen J.E.: A chosen-plaintext linear attack on DES. In: FSE 2000. Lecture Notes in Computer Science, vol. 1978, pp. 262–272. Springer, Heidelberg (2001).

  33. Kohno T., Kelsey J., Schneier B.: Preliminary cryptanalysis of reduced-round Serpent. In: Proceedings of the Third AES Candidate Conference (2000).

  34. Kunz-Jacques S., Muller F.: New improvements of Davies-Murphy cryptanalysis. In: ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788, pp. 425–442. Springer, Heidelberg (2005).

  35. Lai X., Massey J.L., Murphy S.: Markov ciphers and differential cryptanalysis. In: EUROCRYPT 1991. Lecture Notes in Computer Science, vol. 547, pp. 17–38. Springer, Heidelberg (1991).

  36. Langford S.K.: Differential-linear cryptanalysis and threshold signatures. Ph.D. thesis, Stanford University, USA (1995).

  37. Langford S.K., Hellman M.E.: Differential-linear cryptanalysis. In: CRYPTO 1994. Lecture Notes in Computer Science, vol. 839, pp. 17–25. Springer, Heidelberg (1994).

  38. Lu J.: Cryptanalysis of block ciphers. Ph.D. thesis, University of London, UK (2008).

  39. Lu J.: New methodologies for differential-linear cryptanalysis and its extensions. Cryptology ePrint Archive, Report 2010/025 (2010). http://eprint.iacr.org/2010/025.

  40. Lu J.: A methodology for differential-linear cryptanalysis and its applications (extended abstract). In: FSE 2012. Lecture Notes in Computer Science, vol. 7549, pp. 69–89. Springer, Heidelberg (2012).

  41. Matsui M.: Linear cryptanalysis method for DES cipher. In: EUROCRYPT 1993. Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer, Heidelberg (1994).

  42. Matsui M.: The first experimental cryptanalysis of the Data Encryption Standard. In: CRYPTO 1994. Lecture Notes in Computer Science, vol. 839, pp. 1–11. Springer, Heidelberg (1994).

  43. Matsui M., Yamagishi A.: A new method for known plaintext attack of FEAL cipher. In: EUROCRYPT 1992. Lecture Notes in Computer Science, vol. 658, pp. 81–91. Springer, Heidelberg (1993).

  44. National Bureau of Standards (NBS), Data Encryption Standard (DES), FIPS-46 (1977).

  45. National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), FIPS-197 (2001).

  46. Selçuk A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008).

  47. Vaudenay S.: Provable security for block ciphers by decorrelation. In: STACS 1998. Lecture Notes in Computer Science, vol. 1373, pp. 249–275. Springer, Heidelberg (1998).

  48. Wagner D.: The boomerang attack. In: FSE 1999. Lecture Notes in Computer Science, vol. 1636, pp. 156–170. Springer, Heidelberg (1999).

  49. Wang X.Y., Hui L.C.K., Chow K.P., Chong C.F., Tsang W.W., Chan H.W.: The differential cryptanalysis of an AES finalist - Serpent. Technical report TR-2000-04, Department of Computer Science and Information Systems, The University of Hong Kong, China (2000). http://www.cs.hku.hk/research/techreps/document/TR-2000-04.

Download references

Acknowledgments

The author is very grateful to Orr Dunkelman and Nathan Keller for their discussions on the flaw about CTC2 and to several anonymous referees for their comments on earlier versions of the paper, particularly the one who pointed out that the second methodology appeared earlier in Langford’s PhD thesis and that the flaw on CTC2 might be because a wrong linear operation was used and thus the 3.5-round linear approximation from reference [22] might be flawed, too.

Author information

Authors and Affiliations

  1. Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way, Singapore , 138632, Singapore

    Jiqiang Lu

Authors
  1. Jiqiang Lu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jiqiang Lu.

Additional information

Communicated by V. Rijmen and C. Mitchell.

An earlier version of this work appeared in the pre-proceedings of the 19th International Workshop on Fast Software Encryption (FSE 2012, Washington, USA, 19–21 March 2012), an extended abstract of which was published in the post-proceedings of FSE 2012 [40]; and an even earlier version of this work appeared in 2010 as part of Cryptology ePrint Archive Report 2010/025 [39] while the author was with Eindhoven University of Technology (The Netherlands).

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Lu, J. A methodology for differential-linear cryptanalysis and its applications. Des. Codes Cryptogr. 77, 11–48 (2015). https://doi.org/10.1007/s10623-014-9985-x

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-014-9985-x

Keywords

Mathematics Subject Classification

Search

Navigation