## On the Data Complexity of Statistical Attacks Against Block Ciphers (2009)

Venue: In Cryptology ePrint

Citations: 4 - 2 self

### BibTeX

@INPROCEEDINGS{Blondeau09onthe,
    author = {Céline Blondeau and Benoît Gérard and Inria Rocquencourt},
    title = {On the Data Complexity of Statistical Attacks Against Block Ciphers},
    booktitle = {In Cryptology ePrint},
    year = {2009}
}

### Abstract

Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately.

### Citations

530 | Differential cryptanalysis of DES-like cryptosystems
- Biham, Shamir
Citation Context ...variety of statistical attacks covers a huge number of possibilities for (p∗, p). For instance, in linear cryptanalysis [TCG92,Mat93,Mat94], p∗ is close to $p = \frac{1}{2}$ while in differential cryptanalysis [BS91], p is small and p∗ is quite larger than p. Explicit formulae for the data complexity are well-known in both cases but there is a lack of such formulae for hybrid cases, for instance for truncated diff...

443 | Linear cryptanalysis method for DES cipher
- Matsui
- 1993
Citation Context ... is obtained by using a Poisson approximation for binomial law, leading to a number of chosen plaintexts n of the form: $n \approx \frac{1}{p_*}$. But this approximation holds for small p∗ only. In linear cryptanalysis [Mat93], a Gaussian approximation provides $n \approx \frac{1}{(p_* - p)^2}$. 1.1 Related work Ideally, we would like to have an approximation that can be used on the whole space of parameters. Actually, error probabilit...

129 | The first experimental cryptanalysis of the Data Encryption Standard
- Matsui
- 1994
Citation Context ...0) 26.61 26.30 (−0.01) 26.42 (+0.11) The parameters p∗ and p considered are: Fig. 3. Some experiments for some values of parameters β, p and p∗. – L: DES linear cryptanalysis recovering 26 key bits [Mat94]. – DL: DES differential-linear cryptanalysis [LH94]. – D: DES differential cryptanalysis [BS93]. – Dgfn: Generalized Feistel networks differential cryptanalysis presented in this paper. – TDgfn: ...

114 | Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
- Biham, Biryukov, et al.
- 1999
Citation Context ...cryptanalysis, p∗ and p are small but close to each other. This leads to $\frac{1}{D(p_*\|p)} \approx \frac{p}{(p_* - p)^2}$. Impossible differential. This case is a particular one. The impossible differential cryptanalysis [BBS99] relies on the fact that some event cannot occur in the output of the key dependent permutation. We have always assumed that p∗ > p but in this case it is not true anymore (p∗ = 0). However, the formu...

101 | Truncated and higher order differentials
- Knudsen
- 1994
Citation Context ...that p∗ > p but in this case it is not true anymore (p∗ = 0). However, the formula holds in this case too: $\frac{1}{D(0\|p)} = \left(\log \frac{1}{1-p}\right)^{-1} \approx p^{-1}$. Higher order differential. This attack introduced in [Knu94] is a generalization of differential cryptanalysis. It exploits the fact that a k-th order differential of the cipher is constant (i.e. independent from the plaintext and the key). A typical case is wh...

91 | Differential Cryptanalysis of the Full 16-Round DES
- Biham, Shamir
- 1992
Citation Context ...nts for some values of parameters β, p and p∗. – L: DES linear cryptanalysis recovering 26 key bits [Mat94]. – DL: DES differential-linear cryptanalysis [LH94]. – D: DES differential cryptanalysis [BS93]. – Dgfn: Generalized Feistel networks differential cryptanalysis presented in this paper. – TDgfn: Generalized Feistel networks truncated differential cryptanalysis presented in this paper. 118 Co...

38 | How far can we go beyond linear cryptanalysis
- Baignères, Junod, et al.
- 2004
Citation Context ...$= 2^{-N D(p_*\|p)} \doteq 2^{-N C(p_*,p)}$. The last equality is directly derived from the definition of the Kullback-Leibler divergence. So we also find the same exponent as in [BV08] in this particular case. In [BJV04], a polynomial factor is taken into account but it is only suitable where the Gaussian approximation of binomial tails can be used. For instance, this formula gives a bad estimate in the case of diffe...

38 | Differential-Linear Cryptanalysis
- Langford, Hellman
- 1994
Citation Context ...p∗/p). However, the commonly used result requires some restrictions on the ratio p∗/p so it is natural that such a dependency appears. Differential-linear cryptanalysis. This attack presented in [LH94] combines a 3-round differential characteristic of probability 1 with a 3-round linear approximation. This gives p = 0.5 and p∗ = 0.576. This case is very similar to linear cryptanalysis since we obse...

36 | Decorrelation: A Theory for Block Cipher Security
- Vaudenay
Citation Context ...se sum follows a binomial distribution of parameters (N, p) in the case of a random permutation and (N, p∗) in the other case. Such attacks are referred to as non-adaptive iterated attacks by Vaudenay [Vau03]. The problem addressed by all these attacks is to determine whether a sample results from a binomial distribution of parameter p∗ or p. The variety of statistical attacks covers a huge number of poss...

17 | On probability of success in linear and differential cryptanalysis
- Selçuk, Biçak
- 2002
Citation Context ...both cases but there is a lack of such formulae for hybrid cases, for instance for truncated differential attacks where both p and p∗ are small and p/p∗ is close to one. Selçuk sums up the problem in [Sel08]: to express error probabilities, one has to calculate tails of binomial distributions which are not easy to manipulate. It is desirable to use an approximation of them. Actually, in differential cryp...

15 | Enhancing differential-linear cryptanalysis - Biham, Dunkelman, et al. - 2001

15 | Optimal key ranking procedures in a statistical cryptanalysis - Junod, Vaudenay - 2003

13 | On the complexity of Matsui's attack - Junod

12 | On the optimality of linear, differential and sequential distinguishers - Junod

11 | Generalized Feistel Networks
- Nyberg
- 1996
Citation Context ...l cryptanalysis the probabilities p∗ and p are slightly larger than in a differential cryptanalysis but the ratio p∗/p is closer to 1. Hereafter we present both attacks on generalized Feistel network [Nyb96] defined in Appendix A.1. As a toy example, we study a generalized Feistel network with four S-boxes and ten rounds. The S-boxes are all the same and defined in the field $GF(2^8)$ by the power permut...

8 | Tutorial on large deviations for the binomial distribution
- Arratia, Gordon
- 1989
Citation Context ...$\frac{1-p}{1-q}$. We use the convention (based on continuity arguments) that $0 \log_2 \frac{0}{p} = 0$ and $p \log_2 \frac{p}{0} = \infty$. Later, we will denote by log the base 2 logarithm. Our main tool is a theorem borrowed from [AG89] which captures exactly the exponential behavior of the binomial tails together with the right polynomial factor. Recall that $S_{N,p} = \sum_{i=1}^{N} X_i$ where the Xi's follow a Bernoulli distribution of paramet...

6 | A known plaintext attack of FEAL-4 and FEAL-6 - Tardy-Corfdir, Gilbert - 1992

4 | The complexity of distinguishing distributions
- Baignères, Vaudenay
- 2008
Citation Context ... α vanishes. Thus, $\max(\alpha, \beta) = \beta \doteq 2^{-N D(p_*\|p)} \doteq 2^{-N C(p_*,p)}$. The last equality is directly derived from the definition of the Kullback-Leibler divergence. So we also find the same exponent as in [BV08] in this particular case. In [BJV04], a polynomial factor is taken into account but it is only suitable where the Gaussian approximation of binomial tails can be used. For instance, this formula gives...

4 | Cryptanalyse Statistique des Algorithmes de Chiffrement et Sécurité des Schémas d’Authentification, Thèse de Doctorat de l’Université de Paris 11 - Gilbert - 1997

4 | Statistical cryptanalysis of block ciphers, Ecole polytechnique fédérale de - Junod

2 | Information theory. Wiley series in communications
- Cover, Thomas
- 1991
Citation Context ...bout hypothesis testing it follows that $X \in \{0;1\}^N,\ S_N = \sum_{i=1}^{N} X_i \geq T$ is an optimal acceptance region for some integer 0 ≤ T ≤ N. The meaning of optimal is stated in the following lemma. Lemma 1. [CT91] Neyman-Pearson lemma: If distinguishing between two hypotheses Hgood and Hbad with N samples (X1, . . . , XN) using a test of the form: $\frac{P(X_1, \dots, X_N \mid H_{good})}{P(X_1, \dots, X_N \mid H_{bad})} \geq t$ gives err...