56 research outputs found
Joint Data and Key Distribution of Simple, Multiple, and Multidimensional Linear Cryptanalysis Test Statistic and Its Impact to Data Complexity
The power of a statistical attack is inversely proportional to the number of plaintexts needed to recover information on the encryption key. By analyzing the distribution of the random variables involved in the attack, cryptographers aim to provide a good estimate of the data complexity of the attack. In this paper, we analyze the hypotheses made in simple, multiple, and multidimensional linear attacks that use either non-zero or zero correlations, and provide more accurate estimates of the data complexity of these attacks. This is achieved by taking, for the first time, into consideration the key variance of the statistic for both the right and wrong keys. For the family of linear attacks considered in this paper, we differentiate between the attacks which are performed in the known-plaintext and those in the distinct-known-plaintext model
On the Data Complexity of Statistical Attacks Against Block Ciphers (full version)
Many attacks on iterated block ciphers rely on statistical considerations using plaintext/ciphertext pairs to distinguish some part of the cipher from a random permutation. We provide here a simple formula for estimating the amount of plaintext/ciphertext pairs which is needed for such distinguishers and which applies to a lot of different scenarios (linear cryptanalysis, differential-linear cryptanalysis, differential/truncated differential/impossible differential cryptanalysis). The asymptotic data complexities of all these attacks are then derived. Moreover, we give an efficient algorithm for computing the data complexity accurately
Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT
Recent iterated ciphers have been designed to be resistant to differential cryptanalysis. This implies that cryptanalysts have to deal with differentials having so small probabilities that, for a fixed key, the whole codebook may not be sufficient to detect it. The question is then, do these theoretically computed small probabilities have any sense? We propose here a deep study of differential and differential trail probabilities supported by experimental results obtained on a reduced version of PRESENT
Multiple Differential Cryptanalysis: Theory and Practice (Corrected)
Differential cryptanalysis is a well-known statistical attack on block ciphers. We present here a generalisation of this attack called multiple differential cryptanalysis. We study the data complexity, the time complexity and the success probability of such an attack and we experimentally validate our formulas on a reduced version of PRESENT. Finally, we propose a multiple differential cryptanalysis on 18-round PRESENT for both 80-bit and 128-bit master keys
Cryptanalysis of ARMADILLO2
Abstract. ARMADILLO2 is the recommended variant of a multi-purpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper, we describe a meet-in-the-middle technique relying on the parallel matching algorithm that allows us to invert the ARMADILLO2 function. This makes it possible to perform a key recovery attack when used as a FIL-MAC. A variant of this attack can also be applied to the stream cipher derived from the PRNG mode. Finally we propose a (second) preimage attack when used as a hash function. We have validated our attacks by implementing cryptanalysis on scaled variants. The experimental results match the theoretical complexities. In addition to these attacks, we present a generalization of the parallel matching algorithm, which can be applied in a broader context than attacking ARMADILLO2
Differential properties of functions -- extended version
We provide an extensive study of the differential properties of the functions over \F, for . We notably show that the differential spectra of these functions are determined by the number of roots of the linear polynomials where varies in \F. We prove a strong relationship between the differential spectra of and for . As a direct consequence, this result enlightens a connection between the differential properties of the cube function and of the inverse function. We also determine the complete differential spectra of by means of the value of some Kloosterman sums, and of for
Differential Attacks: Using Alternative Operations
Is it possible that a block cipher apparently immune to classical differential cryptanalysis can be attacked considering a different operation on the message space? Recently Calderini and Sala showed how to effectively compute alternative operations on a vector space which can serve as message space for a block cipher such that the resulting structure is still a vector space. The latter were used to mount a linearisation attack against a toy cipher. Here we investigate the possibility to design a block cipher which appears to be secure w.r.t. classical differential cryptanalysis, but weaker with respect to our attack which makes use of alternative operations. Furthermore we compare the success probabilities of a distinguishing attack
Multiple Differential Cryptanalysis using LLR and Statistics
Recent block ciphers have been designed to be resistant against differential cryptanalysis. Nevertheless it has been shown that such resistance claims may not be as tight as wished due to recent advances in this field. One of the main improvements to differential cryptanalysis is the use of many differentials to reduce the data complexity. In this paper we propose a general model for understanding multiple differential cryptanalysis and propose new attacks based on tools used in multidimensional linear cryptanalysis (namely LLR and χ² statistical tests). Practical cases are considered on a reduced version of the cipher PRESENT to evaluate different approaches for selecting and combining the differentials considered. We also consider the tightness of the theoretical estimates corresponding to these attacks