## Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER

Citations: 2 (1 self)

### BibTeX

    @MISC{Baignères_linearcryptanalysis,
      author = {Thomas Baignères and Jacques Stern and Serge Vaudenay},
      title = {Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER},
      year = {}
    }

### Abstract

In this paper we re-visit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE’06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security.

### Citations

2467 | Handbook of Applied Cryptography - Menezes, van Oorschot, et al. - 1996
Citation context: ... that the text space is made of binary strings. In the literature, a block cipher over a finite set $M$ is commonly defined as a set of permutations $C_k : M \to M$ indexed by a key $k \in K$, with $M = \{0,1\}^\ell$ [36]. This restriction is quite questionable though, as it is easy to think of specific settings in which it could be desirable to adapt the block size to the data being encrypted. For example, when consi...

2045 | An introduction to probability theory and its applications, volume I - Feller - 1968
Citation context: ...The law of large numbers gives $\frac{1}{d}\sum_{j=1}^{d} X_j + i\cdot\frac{1}{d}\sum_{j=1}^{d} Y_j \to E_{Z\in_{D_s} G}(\chi(Z))$ when $d \to \infty$. Considering complex numbers as bidimensional vectors, we obtain from the multivariate central limit theorem [11] that the distribution of $\sqrt{d}\left(\frac{1}{d}\sum_{j=1}^{d}(X_j + iY_j) - E_Z(\chi(Z))\right)$ tends to the bivariate normal distribution with zero expectation and appropriate covariance matrix $\Sigma$. We can show that $\Sigma = \frac{1}{2}\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$...

494 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991
Citation context: ...ning a block cipher with an arbitrary block space can be particularly challenging since the state of the art concerning alternate group structures is very limited. Although differential cryptanalysis [5] (through the theory of Markov ciphers [29]) can be specified over an arbitrary group, linear cryptanalysis [34] is based on a metric (the linear probability) that sticks to bit strings. Applying it t...

261 | Mathematical Statistics and Data Analysis - Rice - 1995
Citation context: ...nsequently, $\left(\sqrt{\tfrac{2}{d}}\sum X_j\right)^2$ and $\left(\sqrt{\tfrac{2}{d}}\sum Y_j\right)^2$ both follow a chi-square distribution with 1 degree of freedom and $\left(\sqrt{\tfrac{2}{d}}\sum X_j\right)^2 + \left(\sqrt{\tfrac{2}{d}}\sum Y_j\right)^2$ follows a chi-square distribution with 2 degrees of freedom [44]. Hence, $\Pr_{U^d}\left[2\cdot d\cdot \mathrm{lp}(Z^d;\chi) < \alpha\right] \xrightarrow[d\to\infty]{} \frac{1}{2}\int_0^{\alpha} e^{-u/2}\,du = 1 - e^{-\alpha/2}$. (3) On the other hand, by making the heuristic approximation that the covariance matrix is the same in the case wh...

146 | A proposal for a new block encryption standard - Lai, Massey - 1990
Citation context: ...nary sets, use a mixture of group laws over the same set. For example, IDEA [30] combines three group structures: exclusive bit or, addition modulo $2^{16}$ and a tweaked multiplication modulo $2^{16}+1$. Designing a block cipher with an arbitrary block space can be particularly challe...

123 | The first experimental cryptanalysis of the data encryption standard - Matsui - 1994
Citation context: ...ncerning alternate group structures is very limited. Although differential cryptanalysis [5] (through the theory of Markov ciphers [29]) can be specified over an arbitrary group, linear cryptanalysis [34] is based on a metric (the linear probability) that sticks to bit strings. Applying it to a non-binary block cipher would at least require generalizing this notion. Although several generalizations o...

114 | Markov ciphers and differential cryptanalysis - Lai, Massey, et al. - 1991
Citation context: ...k space can be particularly challenging since the state of the art concerning alternate group structures is very limited. Although differential cryptanalysis [5] (through the theory of Markov ciphers [29]) can be specified over an arbitrary group, linear cryptanalysis [34] is based on a metric (the linear probability) that sticks to bit strings. Applying it to a non-binary block cipher would at least ...

99 | Truncated and higher order differentials - Knudsen - 2011
Citation context: ... Massey in [32], where it is argued that 5 rounds are sufficient to resist this attack. It is shown by Knudsen and Berson [26,27] that 5 rounds can actually be broken using truncated differentials [25], a result which is extended to 6 rounds by Wu et al. in [52]. In [15], Harpes et al. apply a generalization of linear cryptanalysis [34] to SAFER K-64 but do not manage to find an effective homomorph...

67 | approximation of block ciphers - Nyberg - 1995
Citation context: ...d that we have $\mathrm{LP}^{S_i}_{\max} \le \lambda$ for all boxes we obtain that $\mathrm{LP}^{C}_{\max}$ is heuristically bounded by $\lambda^b$ for single-path characteristics. For multipath characteristics, we easily obtain the linear hull effect [41]. Theorem 16. Given finite Abelian groups $G_0, \dots, G_r$, let $C = C_r \circ \cdots \circ C_1$ be a product cipher of independent Markov ciphers $C_i : G_{i-1} \to G_i$. For any $\chi_0 \in \widehat{G}_0$ and $\chi_r \in \widehat{G}_r$ we have ELP^C(χ₀, χ...

65 | Links between Differential and Linear Cryptanalysis - Chabaud, Vaudenay - 1995
Citation context: ...he statistical bias of this bit, it is sometimes possible to infer whether $D_s = U$ (in which case, the bias should be close to 0) or $D_s = D$ (in which case, the bias may be large). Chabaud and Vaudenay [8] adopted the linear probability (LP) [35] defined by $\mathrm{LP}_D(u) = \left(2\Pr_{X \in_D \{0,1\}^\ell}[u \bullet X = 0] - 1\right)^2 = \left(E_{X \in_D \{0,1\}^\ell}\big((-1)^{u \bullet X}\big)\right)^2$ as a fundamental measure for linear cryptanalysis. Given the fact that th...

50 | Linear Cryptanalysis Using Multiple Approximations and FEAL - Kaliski, Robshaw - 1994
Citation context: ..., if we use $k$ independent characteristics of the same bias we can at best hope to decrease the data complexity by a factor within the order of magnitude of $k$. This generalizes results by Kaliski and Robshaw [23] and by Biryukov et al. [6]. We can easily deduce useful results for computing the SEI of combinations of independent sources. Namely, for two independent random variables $A$ and $B$, $\Delta(A+B) \le \Delta(A)\Delta(B)$...

47 | SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm - Massey - 1994
Citation context: ...nce being that the recommended number of iterations of this round function is 6 for SAFER K-64 [31], 8 for SAFER SK-64 [33], and 10 for both 128-bit versions of SAFER [31,33]. The round function is represented on Figure 2. An r-round version of SAFER encrypts 8 bytes of text by applying the round f...

44 | On Matsui’s Linear Cryptanalysis - Biham
Citation context: ...n $G_1$ and $G_2$ respectively, we denote by $\chi_1 \otimes \chi_2 : G_1 \times G_2 \to \mathbb{C}^\times$ the character mapping $(a,b) \in G_1 \times G_2$ on $\chi_1(a)\chi_2(b)$. We assume that the cryptanalyst constructs a linear characteristic in a reversed way [4] (i.e., starting from the end of the block cipher towards the beginning), his objective being to carefully c...

44 | A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma - Harpes, Kramer, et al. - 1995
Citation context: ...sist this attack. It is shown by Knudsen and Berson [26,27] that 5 rounds can actually be broken using truncated differentials [25], a result which is extended to 6 rounds by Wu et al. in [52]. In [15], Harpes et al. apply a generalization of linear cryptanalysis [34] to SAFER K-64 but do not manage to find an effective homomorphic threefold sum for 1.5 rounds or more. Nakahara et al. showed in [39...

39 | New structure of block ciphers with provable security against differential and linear cryptanalysis - Matsui - 1996
Citation context: ...ometimes possible to infer whether $D_s = U$ (in which case, the bias should be close to 0) or $D_s = D$ (in which case, the bias may be large). Chabaud and Vaudenay [8] adopted the linear probability (LP) [35] defined by $\mathrm{LP}_D(u) = \left(2\Pr_{X \in_D \{0,1\}^\ell}[u \bullet X = 0] - 1\right)^2 = \left(E_{X \in_D \{0,1\}^\ell}\big((-1)^{u \bullet X}\big)\right)^2$ as a fundamental measure for linear cryptanalysis. Given the fact that the source is not necessarily binary, it se...

37 | How far can we go beyond linear cryptanalysis - Baignères, Junod, et al. - 2004
Citation context: ...f this paper, we re-visit distinguishing attacks on random sources (like stream ciphers or pseudo-random generators) and on random permutations (like block ciphers), in the spirit of Baignères et al. [3], but without assuming that domains are vector spaces. Consequently, the only structure we can consider on these sets is that of finite Abelian groups. In particular, we reconsider linear, optimal, an...

36 | An experiment on DES statistical cryptanalysis - Vaudenay - 1996

24 | mod n cryptanalysis, with applications against RC5P and M6 - Kelsey, Schneier, et al. - 1999

21 | On multiple linear approximations - Biryukov, De Cannière, et al. - 2004
Citation context: ...aracteristics of the same bias we can at best hope to decrease the data complexity by a factor within the order of magnitude of $k$. This generalizes results by Kaliski and Robshaw [23] and by Biryukov et al. [6]. We can easily deduce useful results for computing the SEI of combinations of independent sources. Namely, for two independent random variables $A$ and $B$, $\Delta(A+B) \le \Delta(A)\Delta(B)$ (Piling-up Lemma) and $\Delta(A|$...

21 | Truncated differentials of SAFER - Knudsen, Berson
Citation context: ...[Table 2: known attacks against SAFER (cipher variant, number of rounds, attack type, data and time complexities, source); the table rows are garbled in extraction] [26,27] ... • SAFER K-64: The jth round key byte (1 ≤ j ≤ 8) only depends on the jth main secret key byte. For example, guessing the third byte of the main secret key allows one to derive the...

19 | Partitioning cryptanalysis - Harpes, Massey - 1997

19 | Non-linear approximations in linear cryptanalysis - Knudsen, Robshaw - 1996

17 | FOX: a new family of block ciphers - Junod, Vaudenay - 2004
Citation context: ... be to encode the data prior to encryption, the loss in terms of simplicity (inevitably affecting the security analysis) and of efficiency would be unfortunate. Although most modern block ciphers (e.g., [1, 2, 9, 21, 48]) are defined on a binary set, practical and efficient examples of block ciphers defined on a set of arbitrary size exist (see for example Schroeppel’s “omnicipher” Hasty Pudding [45]). Some others, a...

17 | On the security of CS-cipher - Vaudenay - 1999
Citation context: ...ng such that for any $\delta \in G$ and $\delta' \in G'$ the probability $\Pr[C(x+\delta) = C(x)+\delta']$ does not depend on $x$. A straightforward proof is provided in [51] for the binary case. We only have to rephrase it using characters. As a classical result (see e.g. [29]) we easily obtain $\mathrm{EDP}^{C}(\delta_0, \delta_r) = \sum_{\delta_1 \in G_1} \cdots \sum_{\delta_{r-1} \in G_{r-1}} \prod_{i=1}^{r} \mathrm{EDP}^{C_i}(\delta_{i-1}, \delta_i)$. Then we ...

14 | Optimal key ranking procedures in a statistical cryptanalysis - Junod, Vaudenay - 2003

14 | Quadratic relation of S-Box and its application to the linear attack of full round - Shimoyama, Kaneko - 1998

12 | On the need for multipermutations - Vaudenay
Citation context: ...braic analysis of the 2-PHT layer, showing in particular that by considering the message space as a $\mathbb{Z}$-module, one can find a particular submodule which is an invariant of the 2-PHT transformation. In [49], Vaudenay shows that by replacing the original substitution boxes in a 4-round version of SAFER by random permutations, one obtains in 6.1% of the ...

11 | On the Optimality of Linear, Differential and Sequential Distinguishers - Junod - 2003

11 | Elementary Methods in Number Theory, Grad - Nathanson - 2000
Citation context: ... $1(a) = 1$ for all $a \in G$ is the neutral element for this operation. Clearly, $\chi^{-1} = \overline{\chi}$. The set $\widehat{G}$ of all characters of $G$ is the dual group of $G$ and is isomorphic to $G$. Lemma 1 (Theorems 4.6 and 4.7 in [40]). Let $G$ be a finite Abelian group of order $n$, and let $\widehat{G}$ be its dual group. If $\chi \in \widehat{G}$ (resp. $a \in G$) then $\sum_{a \in G} \chi(a) = \begin{cases} n & \text{if } \chi = 1, \\ 0 & \text{otherwise,} \end{cases}$ (resp. $\sum_{\chi \in \widehat{G}} \chi(a) = \begin{cases} n & \text{if } a = 1, \\ 0 & \text{otherwise.} \end{cases}$) If $\chi_1, \chi_2$ ...

9 | Higher-order cryptanalysis of block ciphers - Jakobsen - 1999

7 | A Detailed Analysis of SAFER K - Knudsen
Citation context: ...[Table 2: known attacks against SAFER (cipher variant, number of rounds, attack type, data and time complexities, source); the table rows are garbled in extraction] [26,27] ... • SAFER K-64: The jth round key byte (1 ≤ j ≤ 8) only depends on the jth main secret key byte. For example, guessing the third byte of the main secret key allows one to derive the...

7 | K-64: One year later - Massey - 1994
Citation context: ...ution. Previous Cryptanalysis (see Table 2). Known attacks against SAFER are summarized in Table 2. The resistance of SAFER against differential cryptanalysis [5] was extensively studied by Massey in [32], where it is argued that 5 rounds are sufficient to resist this attack. It is shown by Knudsen and Berson [26,27] that 5 rounds can actually be broken using truncated differentials [25], a result ...

6 | Stochastic cryptanalysis of Crypton - Minier, Gilbert

6 | An analysis of SAFER - Murphy - 1998
Citation context: ...2 = $2^{58}$ known plaintexts on five rounds). The diffusion properties of the linear layer of SAFER have also been widely studied and, compared to the confusion layer, seem to be its major weakness. In [38], Murphy proposes an algebraic analysis of the 2-PHT layer, showing in particular that by considering the message space as a $\mathbb{Z}$-module, one can find a particular submodule which is an invariant of the ...

6 | Linear Cryptanalysis of Reduced-Round - Jr, Preneel, et al. - 2000
Citation context: ...[Table 2: known attacks against SAFER (cipher variant, number of rounds, attack type, data and time complexities, source); the table rows are garbled in extraction] [39] ... • SAFER K-64: The jth round key byte (1 ≤ j ≤ 8) only depends on the jth main secret key byte. For example, guessing the third byte of ...

5 | CAST256: a submission for the Advanced Encryption Standard - Adams, Heys, et al. - 1998
Citation context: ... be to encode the data prior to encryption, the loss in terms of simplicity (inevitably affecting the security analysis) and of efficiency would be unfortunate. Although most modern block ciphers (e.g., [1, 2, 9, 21, 48]) are defined on a binary set, practical and efficient examples of block ciphers defined on a set of arbitrary size exist (see for example Schroeppel’s “omnicipher” Hasty Pudding [45]). Some others, a...

5 | Perfect Diffusion Primitives for Block Ciphers Building Efficient - Junod, Vaudenay
Citation context: ... $b, -a)$ (resp. $1 \cdot (a,b) = (a,b)$). One can easily see that this defines a structure on $\mathbb{Z}_{10}^2$ or $\mathbb{Z}_{10}^3$ that is isomorphic to $GF(4) \times GF(25)$ or $GF(8) \times GF(125)$ on which the matrix is an MDS matrix [22,49]. The branch number of the matrix multiplication is 4, i.e., the total number of non-zero elements of the input and output columns is either 0 or 4 or more. Consequently, given a non-trivial character...

4 | Non-uniformity measures for generalized linear cryptanalysis and partitioning cryptanalysis - Jakobsen, Harpes - 1996

4 | Strengthened key schedule for the cipher SAFER. Posted on USENET newsgroup sci.crypt - Massey - 1995
Citation context: ...mended number of iterations of this round function is 6 for SAFER K-64 [31], 8 for SAFER SK-64 [33], and 10 for both 128-bit versions of SAFER [31,33]. The round function is represented on Figure 2. An r-round version of SAFER encrypts 8 bytes of text by applying the round function r times followed...

4 | Generalized S-Box linearity - Parker - 2003

4 | Key-dependent approximations in cryptanalysis: an application of multiple Z4 and non-linear approximations - Standaert, Rouvroy, et al. - 2003

3 | Dial C for Cipher - Baignères, Finiasz - 2006
Citation context: ... be to encode the data prior to encryption, the loss in terms of simplicity (inevitably affecting the security analysis) and of efficiency would be unfortunate. Although most modern block ciphers (e.g., [1, 2, 9, 21, 48]) are defined on a binary set, practical and efficient examples of block ciphers defined on a set of arbitrary size exist (see for example Schroeppel’s “omnicipher” Hasty Pudding [45]). Some others, a...

3 | Pseudorandom Permutation Families over Abelian Groups - Granboulan, Levieil, et al. - 2006
Citation context: ...generalizations of linear cryptanalysis exist [15–20,23,24,28,37,42,46,47,50], to the best of our knowledge, none easily applies to, say, modulo 10-based block ciphers. So far, only Granboulan et al. [13] provide a sound treatment of non-binary ciphers but mostly address differential cryptanalysis. We show that, for linear cryptanalysis, their data complexity cannot be precisely estimated. Furthermore,...

2 | Improved truncated differential attacks on SAFER - Wu, Bao, et al. - 1998
Citation context: ...[Table 2: known attacks against SAFER (cipher variant, number of rounds, attack type, data and time complexities, source); the table rows are garbled in extraction] [52] ... • SAFER K-64: The jth round key byte (1 ≤ j ≤ 8) only depends on the jth main secret key byte. For example, guessing the third byte of the main secret key allows one to derive the third byte o...

1 | On the SAFER cryptosystem - Brincat, Meijer
Citation context: ...cases a construction that can be broken by linear cryptanalysis. This also led Brincat and Meijer to explore potential alternatives to the 2-PHT layer [7]. The other major weakness of SAFER K is indubitably its key schedule. The analysis proposed in [26,38] led Massey to choose the one proposed by Knudsen in [26] for SAFER SK. 5.2 Linear Cryptanalysis...

1 | Hasty pudding cipher specification - Schroeppel - 1998
Citation context: ...g., [1, 2, 9, 21, 48]) are defined on a binary set, practical and efficient examples of block ciphers defined on a set of arbitrary size exist (see for example Schroeppel’s “omnicipher” Hasty Pudding [45]). Some others, although still defined on binary sets, use a mixture of group...

1 | A proposal for a new block encryption standard - Baignères, Stern, et al. - 1991
