Results 1 
8 of
8
On Multiple Linear Approximations
 in the proceedings of Crypto 2004, Lecture Notes in Computer Science, vol 3152
, 2004
"... In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algorithm 1 ..."
Abstract

Cited by 21 (0 self)
 Add to MetaCart
In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reducedround versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.
Optimal key ranking procedures in a statistical cryptanalysis
 Advances in Cryptology  Eurocrypt’03, volume 2656 of LNCS
, 2003
"... Abstract. Hypothesis tests have been used in the past as a tool in a cryptanalytic context. In this paper, we propose to use this paradigm and define a precise and sound statistical framework in order to optimally mix information on independent attacked subkey bits obtained from any kind of statisti ..."
Abstract

Cited by 14 (6 self)
 Add to MetaCart
Abstract. Hypothesis tests have been used in the past as a tool in a cryptanalytic context. In this paper, we propose to use this paradigm and define a precise and sound statistical framework in order to optimally mix information on independent attacked subkey bits obtained from any kind of statistical cryptanalysis. In the context of linear cryptanalysis, we prove that the best mixing paradigm consists of sorting key candidates by decreasing weighted Euclidean norm of the bias vector. Keywords: Key ranking, statistical cryptanalysis, NeymanPearson lemma, linear cryptanalysis 1
Multidimensional linear cryptanalysis of reduced round Serpent
 ACISP 2008. LNCS
, 2008
"... Various authors have previously presented different approaches how to exploit multiple linear approximations to enhance linear cryptanalysis. In this paper we present a new truly multidimensional approach to generalise Matsui’s Algorithm 1. We derive the statistical framework for it and show how to ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Various authors have previously presented different approaches how to exploit multiple linear approximations to enhance linear cryptanalysis. In this paper we present a new truly multidimensional approach to generalise Matsui’s Algorithm 1. We derive the statistical framework for it and show how to calculate multidimensional probability distributions based on correlations of onedimensional linear approximations. The main advantage is that the assumption about statistical independence of linear approximations can be removed. Then we apply these new techniques to four rounds of the block cipher Serpent and show that the multidimensional approach is more effective in recovering key bits correctly than the previous methods that use a multiple of onedimensional linear approximations.
Linear cryptanalysis of substitutionpermutation networks
, 2003
"... The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of al ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
The subject of this thesis is linear cryptanalysis of substitutionpermutation networks (SPNs). We focus on the rigorous form of linear cryptanalysis, which requires the concept of linear hulls. First, we consider SPNs in which the sboxes are selected independently and uniformly from the set of all bijective n × n sboxes. We derive an expression for the expected linear probability values of such an SPN, and give evidence that this expression converges to the corresponding value for the true random cipher. This adds quantitative support to the claim that the SPN structure is a good approximation to the true random cipher. We conjecture that this convergence holds for a large class of SPNs. In addition, we derive a lower bound on the probability that an SPN with randomly selected sboxes is practically secure against linear cryptanalysis after a given number of rounds. For common block sizes, experimental evidence indicates that this probability rapidly approaches 1 with an increasing number of rounds.
On the Data Complexity of Statistical Attacks Against Block Ciphers
 In Cryptology ePrint
, 2009
"... Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such dis ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
Abstract. Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differentiallinear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.
An FPGA Implementation of the Linear Cryptanalysis
 In 12th International Conference on Field Programmable Logic and Applications (FPL 2002
, 2002
"... This paper deals with cryptographic concepts. It presents a hardware FPGA implementation of linear cryptanalysis of DES. Linear cryptanalysis is the best attack known able to break DES faster than exhaustive search. Matsui's original attack [4, 5] could not be applied as such, and we had to implemen ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
This paper deals with cryptographic concepts. It presents a hardware FPGA implementation of linear cryptanalysis of DES. Linear cryptanalysis is the best attack known able to break DES faster than exhaustive search. Matsui's original attack [4, 5] could not be applied as such, and we had to implement a modified attack [1] to face hardware constraints. The resulting attack is less efficient than Matsui's attack, but fits in our hardware and breaks a DES key in 1215 hours on one single FPGA, therefore becoming the first practical implementation to our knowledge. As a comparison, the fastest implementation known so far used the idle time of 18 Intel Pentium III MMX, and broke a DES key in 4.32 days. Our fast implementation...
On Measuring Resistance to Linear Cryptanalysis
"... Abstract. Linear cryptanalysis against cryptographic primitives C is known to rely on some LP C max term. But most of studies so far are purely heuristic and only provide an argument on why linear cryptanalysis works. Other works provide an asymptotic bound without any clue where it is applicable fo ..."
Abstract
 Add to MetaCart
Abstract. Linear cryptanalysis against cryptographic primitives C is known to rely on some LP C max term. But most of studies so far are purely heuristic and only provide an argument on why linear cryptanalysis works. Other works provide an asymptotic bound without any clue where it is applicable for practical parameters. So there is still some doubt for the designer on whether making a low LPmax term is enough or not. In this paper we formally demonstrate that the efficiency of linear cryptanalysis is uniformly bounded, on average, by MAXELP(C) which is the maximum of the expected value of the linear probability LP C. We further discuss on how pairwise independent random primitives can provably resist to these attacks. This result provides insurance for the designer that making a primitive pairwise independent, or with a low MAXELP measure is enough to protect against linear cryptanalysis. It also provides a quantitative evaluation tool for security evaluation. 1