3 research outputs found

    Protecting against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation

    The decorrelation theory provides a different point of view on the security of block cipher primitives. Results on some statistical attacks obtained in this context can support or provide new insight on the security of symmetric cryptographic primitives. In this paper, we study, for the first time, the multidimensional linear attacks as well as the truncated differential attacks in this context. We show that the cipher should be decorrelated of order two to be resistant against some multidimensional linear and truncated differential attacks. Previous results obtained with this theory for linear, differential, differential-linear and boomerang attacks are also resumed and improved in this paper.

    Sublinear bounds on the distinguishing advantage for multiple samples

    The maximal achievable advantage of a (computationally unbounded) distinguisher to determine whether a source Z is distributed according to distribution $P_0$ or $P_1$, when given access to one sample of Z, is characterized by the statistical distance $d(P_0,P_1)$. Here, we study the distinguishing advantage when given access to several i.i.d. samples of Z. For n samples, the advantage is then naturally given by $d(P_0^{\otimes n},P_1^{\otimes n})$, which can be bounded as $d(P_0^{\otimes n},P_1^{\otimes n}) \le n \cdot d(P_0,P_1)$. This bound is tight for some choices of $P_0$ and $P_1$; thus, in general, a linear increase in the distinguishing advantage is unavoidable. In this work, we show new and improved bounds on $d(P_0^{\otimes n},P_1^{\otimes n})$ that circumvent the above pessimistic observation. Our bounds assume, necessarily, certain additional information on $P_0$ and/or $P_1$ beyond, or instead of, a bound on $d(P_0,P_1)$; in return, the bounds grow as $\sqrt{n}$, rather than linearly in n. Thus, whenever applicable, our bounds show that the number of samples necessary to distinguish the two distributions is substantially larger than what the standard bound would suggest. Such bounds have already been suggested in previous literature, but our new bounds are more general and (partly) stronger, and thus applicable to a larger class of instances. In a second part, we extend our results to a modified setting, where the distinguisher only has indirect access to the source Z. By this we mean that instead of obtaining samples of Z, the distinguisher now obtains i.i.d. samples that are chosen according to a probability distribution that depends on the (one) value produced by the source Z. Finally, we offer applications of our bounds to the area of cryptography. We show on a few examples from the cryptographic literature how our bounds give rise to improved results. For instance, importing our bounds into the analyses of Blondeau et al. for the security of block ciphers against multidimensional linear and truncated differential attacks, we obtain immediate improvements to their results.