## Multidimensional linear cryptanalysis of reduced round Serpent (2008)

Venue: ACISP 2008. LNCS

Citations: 6 - 3 self

### BibTeX

```bibtex
@INPROCEEDINGS{Hermelin08multidimensionallinear,
    author = {Miia Hermelin and Joo Yeon Cho and Kaisa Nyberg},
    title = {Multidimensional linear cryptanalysis of reduced round Serpent},
    booktitle = {ACISP 2008. LNCS},
    year = {2008},
    pages = {203--215},
    publisher = {Springer}
}
```

### Abstract

Various authors have previously presented different approaches to exploiting multiple linear approximations to enhance linear cryptanalysis. In this paper we present a new truly multidimensional approach to generalise Matsui’s Algorithm 1. We derive the statistical framework for it and show how to calculate multidimensional probability distributions based on correlations of one-dimensional linear approximations. The main advantage is that the assumption about statistical independence of linear approximations can be removed. Then we apply these new techniques to four rounds of the block cipher Serpent and show that the multidimensional approach is more effective in recovering key bits correctly than the previous methods that use a multiple of one-dimensional linear approximations.

### Citations

123 |
The first experimental cryptanalysis of the Data Encryption Standard
- Matsui
- 1994
Citation Context ...: Algorithm 1 which determines one bit from the secret key and Algorithm 2 which recovers a part of the last (or first) round key bits. Originally, only one approximative linear relation was used. In =-=[2]-=-, two approximations were used to reduce the amount of data needed for the attack. This idea was developed further by Kaliski and Robshaw in [3], and later by Biryukov, et al., in [4], where the goal ... |

104 | L.R.: Serpent: A Proposal for the Advanced Encryption Standard
- Anderson, Biham, et al.
- 1998
Citation Context ...fication for using combined approximations. More importantly, no assumption about statistical independence of the approximations is needed. 4 Multidimensional Linear Attack on 4-Round Serpent Serpent =-=[12]-=- is one of the block ciphers proposed to the Advanced Encryption Standard (AES) competition. It was selected to be among the five finalists [13]. The best known linear approximation of 9-round Serpent... |

50 | Linear Cryptanalysis Using Multiple Approximations and FEAL
- Kaliski, Robshaw
- 1994
Citation Context ...ly, only one approximative linear relation was used. In [2], two approximations were used to reduce the amount of data needed for the attack. This idea was developed further by Kaliski and Robshaw in =-=[3]-=-, and later by Biryukov, et al., in [4], where the goal was to use several linear approximations simultaneously in order to recover more key bits with equal amount of data. In both [3] and [4] the fun... |

37 | How far can we go beyond linear cryptanalysis
- Baignères, Junod, et al.
- 2004
Citation Context ...alue of the statistic when the correct key is used, is given by $N_{\text{key}} \approx \frac{4 \log_2 |Z|}{\min_{j \neq 0} C(p_0, p_j)}$. (9) Proof. For each key $k$ we must distinguish $p_k$ from $p_j$, for all $j \neq k$. Using Proposition 3 in =-=[5]-=-, the probability that we choose $j$ when $k$ is true is $\Pr(H_j \mid H_k) = \Phi\left(-\sqrt{N_{kj} C(p_k, p_j)}/2\right)$, where $\Phi$ is the distribution function of the normed normal distribution. Let the probability of successfully... |

22 | M.: On Multiple Linear Approximations
- Biryukov, Cannière, et al.
- 2004
Citation Context ...ion was used. In [2], two approximations were used to reduce the amount of data needed for the attack. This idea was developed further by Kaliski and Robshaw in [3], and later by Biryukov, et al., in =-=[4]-=-, where the goal was to use several linear approximations simultaneously in order to recover more key bits with equal amount of data. In both [3] and [4] the fundamental assumption was that the approx... |

21 |
J.A.: Elements of Information Theory, 2nd edn
- Cover, Thomas
- 2006
Citation Context ...ultidimensional Linear Distinguishers In this section we will present the general statistical framework of multidimensional approximation. The theory of hypothesis testing can be found for example in =-=[10]-=-. Here we will restrict to the most essential parts of the theory. Assume we have two p.d’s $p$ and $q$, $q \neq p$ and consider two hypotheses: $H_0$ states that the experimental data $z^N$ of $N$ words is derived fr... |

12 | On the Complexity of Matsui’s Attack
- Junod
- 2001
Citation Context ...istinguish $z^N$ from a random sequence is $\lambda/\rho^2$, where $\lambda$ depends on the level and the power of the test. It was already noted in [1] that the data complexity $N_1$ is proportional to $1/\rho^2$. For proof, see =-=[11]-=-. Note that the bias used in [1] is the correlation divided by two. The data complexity of the attack in [4] using multiple linear approximations, was shown to be proportional to $N_{\text{s.i.}}$, where $N_{\text{s.i.}}$... |

10 | Towards a unifying view of block cipher cryptanalysis
- Wagner
- 2004
Citation Context ...iple approximations, less data is needed to have the same level of test as with only one approximation. However, their target system was a block cipher, which was assumed to have a Markovian property =-=[6]-=-. Consequently, no practical way of building the probability distributions for the purposes of Matsui’s Algorithm 1 can be found. In [7] Englund and Maximov calculated directly the multidimensional pr... |

9 | Linear Cryptanalysis of Reduced Round Serpent, proceedings of Fast Software Encryption 8
- Biham, Dunkelman, et al.
- 2001
Citation Context ...he Advanced Encryption Standard (AES) competition. It was selected to be among the five finalists [13]. The best known linear approximation of 9-round Serpent was reported by Biham et al. in FSE 2001 =-=[14]-=-. Recently, experimental results on multiple linear cryptanalysis of 4-round Serpent were presented by Collard, et al., in [8]. In this section, we will apply the multidimensional linear attack to the... |

5 |
cryptanalysis method for DES cipher. In: EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques
- Matsui
- 1993
Citation Context ... is more effective in recovering key bits correctly than the previous methods that use a multiple of one-dimensional linear approximations. 1 Introduction Linear cryptanalysis introduced by Matsui in =-=[1]-=- has become one of the most important cryptanalysis methods for symmetric ciphers. Matsui analysed the DES block cipher using a linear approximation of the known data bits, which holds with a large co... |

5 | Attack the Dragon
- Englund, Maximov
Citation Context ... a block cipher, which was assumed to have a Markovian property [6]. Consequently, no practical way of building the probability distributions for the purposes of Matsui’s Algorithm 1 can be found. In =-=[7]-=- Englund and Maximov calculated directly the multidimensional probability distribution needed for the distinguisher. However, their calculations become infeasible for systems with word-size of 64 or m... |

5 | Improved and multiple linear cryptanalysis of reduced round Serpent - description of the linear approximations
- Collard, Standaert, et al.
- 2007
Citation Context ...covery attack by generalising Algorithm 1 to the multidimensional case. This algorithm will be compared with the method suggested by Biryukov, et al., in [4] and the experimental results presented in =-=[8]-=-. The structure of this paper is as follows: In Sect. 2 the notation and the theoretical basics needed in this paper are given. Section 3 starts with showing how linear one-dimensional approximations ... |

4 | M.: Multidimensional Walsh Transform and a Characterization of Bent Functions
- Nyberg, Hermelin
- 2007
Citation Context ...success probability $P_{OK}$, the lower bound $N_{\text{key}}$ for the amount of data needed to give the smallest value of the statistic when the correct key is used, is given by $N_{\text{key}} \approx \frac{4 \log_2 |Z|}{\min_{j \neq 0} C(p_0, p_j)}$. =-=(9)-=- Proof. For each key $k$ we must distinguish $p_k$ from $p_j$, for all $j \neq k$. Using Proposition 3 in [5], the probability that we choose $j$ when $k$ is true is $\Pr(H_j \mid H_k) = \Phi\left(-\sqrt{N_{kj} C(p_k, p_j)}/2\right)$, where $\Phi$ i... |

1 |
http://www.dice.ucl.ac.be/fstandae/PUBLIS/50b.zip (2008) A Brief Description of Serpent Algorithm We use the notation of [12]. Each intermediate value of round i is denoted by ˆBi (a 128-bit value). Each ˆBi is treated as four 32-bit words X0, X1, X2, X3
- Collard, Standaert, et al.
Citation Context ...4-round Serpent In [8], authors used maximum $m' = 64$ linear approximations to perform Matsui’s Algorithm 1 type attack on 4-round Serpent. The detailed description of approximations can be found in =-=[15]-=-. Those 64 linear approximations used in the attack are not linearly independent. Hence, strictly speaking, the attack in [8] is not consistent with the technique in [4] which assumes that multiple ap... |