## On the complexity of Matsui’s attack (2001)

Venue: | in Selected Areas in Cryptography, SAC 2001 |

Citations: | 12 - 2 self |

### BibTeX

@INPROCEEDINGS{Junod01onthe,

author = {Pascal Junod},

title = {On the complexity of Matsui’s attack},

booktitle = {in Selected Areas in Cryptography, SAC 2001},

year = {2001},

pages = {199--211},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. Linear cryptanalysis remains the most powerful attack against DES at this time. Given 2 43 known plaintext-ciphertext pairs, Matsui expected a complexity of less than 2 43 DES evaluations in 85 % of the cases for recovering the key. In this paper, we present a theoretical and experimental complexity analysis of this attack, which has been simulated 21 times using the idle time of several computers. The experimental results suggest a complexity upper-bounded by 2 41 DES evaluations in 85 % of the case, while more than the half of the experiments needed less than 2 39 DES evaluations. In addition, we give a detailed theoretical analysis of the attack complexity.

### Citations

427 |
cryptanalysis method for DES cipher
- Matsui, Linear
- 1993
(Show Context)
Citation Context ...s. In addition, we give a detailed theoretical analysis of the attack complexity. Keywords: linear cryptanalysis, DES 1 Introduction Linear cryptanalysis against DES [9] has been introduced by Matsui =-=[6, 7]-=- and remains at this time the most powerful attack against this cipher. A single experimental implementation [7] has been carried out. During this attempt, Matsui managed to break a DES key in about 5... |

217 | Probability Theory - Rényi - 1970 |

123 | The first experimental cryptanalysis of the data encryption standard - Matsui - 1994 |

67 | approximation of block ciphers - Nyberg - 1995 |

60 | A fast new DES implementation in software - Biham - 1997 |

44 | A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma
- Harpes, Kramer, et al.
- 1995
(Show Context)
Citation Context ...ear cryptanalysis of DES, given 2 43 known plaintext-ciphertext pairs, has a success probability of 85 % within a complexity of 2 43 DES evaluations, it was conjectured that this value is pessimistic =-=[10, 3]-=-. Motivated by this fact, by the parallel implementation concept of Biham [1] and the actual 64-bit processor performances, we propose in this paper a theoretical ⋆ Reprint from: P. Junod. On the comp... |

36 | An experiment on DES statistical cryptanalysis - Vaudenay - 1996 |

29 | A Fast New DES Implementation - Biham - 1997 |

14 | Quadratic relation of S-Box and its application to the linear attack of full round - Shimoyama, Kaneko - 1998 |

6 | National Bureau of Standards. Data Encryption Standard - S - 1977 |

5 |
Problems with the linear cryptanalysis of DES using more than one active S-box per round
- Blocher, Dichtl
- 1994
(Show Context)
Citation Context ...(a, b) = (2 Pr[a · x = b · f(x)] − 1) 2 , where a and b are the masks selecting the plaintext and ciphertext bits, respectively. In this paper, we will refer to the bias ɛ for simplicity reasons. (1) =-=(2)-=-sAssumption 1 (Wrong-key randomization hypothesis [3]). For any linear expression L operating on n rounds for which � � � �Pr � L = 0 | K (1) = k (1) , . . . , K (n) = k (n)� − 1 � � � 2� is large for... |

4 | An implementation of bitsliced DES on the pentium MMX TM processor - May, Penna, et al. - 2000 |

3 |
A fast new DES implementation in software, Fast Software Encryption
- Biham
- 1997
(Show Context)
Citation Context ...ess probability of 85 % within a complexity of 2 43 DES evaluations, it was conjectured that this value is pessimistic [10, 3]. Motivated by this fact, by the parallel implementation concept of Biham =-=[1]-=- and the actual 64-bit processor performances, we propose in this paper a theoretical ⋆ Reprint from: P. Junod. On the complexity of Matsui’s attack. In S. Vaudenay and A. Youssef, editors, Selected A... |

3 |
The piling-up lemma and dependent random variables. IMA—Crypto & Coding’99
- Kukorelly
- 1999
(Show Context)
Citation Context ...0 ≤ y ≤ +∞, the bias densities in case of wrong and right subkey candidates are respectively given by with � � Ckr µr = E = N 1 + κɛr µw 2 σ 2 � � Ckr r = Var ≈ N 1 4N fW (x) = f (µw,σ2 w ) (x, 1 2 ) =-=(4)-=- fR(x) = f (µr,σ2 r ) (x, 1) (5) 2 � Ckw � = E = N 1 + κɛw 2 σ 2 � � Ckw w = Var ≈ N 1 4N where κ ∈ {−1, +1} depends of the unknown key bits and Ckr (Ckw) is the random variable modeling the value of ... |

3 | Reducing the gate count of bitslice DES - Kwan - 2000 |

2 | Bureau of Standards, Data Encryption - National - 1977 |

1 |
Reducing the gate count of bitslice
- Kwan
- 2000
(Show Context)
Citation Context ...-bit registers at disposal. Although this platform has several drawbacks regarding a bitsliced implementation [8], it has the advantage of being very common. Kwan’s gate representation of the S-boxes =-=[5]-=- builds the core of the implementation, the other parts of the cipher (key schedule, permutations, ...) being hardcoded. By eliminating parts of the cipher unrelated to the attack and by using advance... |

1 | An implementation of bitsliced DES on the pentium - May, Penna, et al. - 2000 |