Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers
Cybersecurity volume 4, Article number: 32 (2021)
Abstract
For block ciphers, Bogdanov et al. found that there are some linear approximations whose biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. We use the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2^{60.4} distinct known plaintexts, 2^{78.85} time complexity and 2^{61} bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^{61.5} distinct known plaintexts, 2^{126.15} time complexity and 2^{61} bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.
Introduction
Linear cryptanalysis, introduced by Matsui in 1993, has become one of the most important cryptanalysis methods for block ciphers. After being introduced a quarter of a century ago, linear cryptanalysis has been extended to various more evolved statistical attacks, including multiple linear cryptanalysis (Kaliski and Robshaw 1994) and multidimensional linear cryptanalysis (Hermelin et al. 2008; Hermelin et al. 2009; Cho et al. 2008; Blondeau and Nyberg 2017). Various authors have previously presented different approaches to exploit multiple linear approximations to enhance linear cryptanalysis. In multiple linear cryptanalysis, a fundamental assumption was that the approximations are statistically independent. The theoretically restrictive assumption of independence of linear approximations was removed in multidimensional linear cryptanalysis at the cost of taking into account a family of linear approximations which covers a linear space excluding zero. Hermelin et al. (2009) presented the log-likelihood ratio and χ^{2} statistical distinguishers that can be used to perform key recovery attacks. The aim of a statistical key-recovery attack is to search for the right value of some bits of the round key based on a known statistical property of the cipher. This property is expected to be detected only for the right key candidate, while wrong key candidates which are far from satisfying the property can be discarded. To estimate the data complexity of a statistical attack, the probability distributions of the involved random variables for the right and wrong keys are analyzed. These distributions depend on the data sample used to compute them as well as on the encryption key and the key candidate. Selçuk gave a formal probabilistic model in linear and differential cryptanalysis in Selçuk and Biçak (2002). 
The probabilistic model provided efficient formulations that can be used to estimate the success probability of a given attack or to find the data complexity to achieve a certain success level.
Bogdanov et al. (2013) revealed a fundamental property of block ciphers: there can exist linear approximations such that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. They proposed a statistical related-key distinguisher for this property and turned it into key recovery attacks on LBlock and TWINE-128. Under some basic independence assumptions, they computed the sample biases of a set of approximations with this property for two keys, and constructed an efficient statistical related-key distinguisher. In their model, a fundamental assumption was that the linear approximations are statistically independent. But this assumption is hard to verify in practice. In this paper, we propose a multidimensional related-key distinguisher for the key difference invariant bias property, which removes the independence assumption on the linear approximations.
To decrease key setup time and to reduce the cost of hardware, the key schedules of lightweight ciphers are usually simple. As the diffusion of the key schedule plays an important role in the security of a block cipher, more effort should be spent on the key schedules of lightweight block ciphers. Wang et al. improved the multidimensional zero-correlation linear attack in Wang and Wu (2014). They took the key schedule into consideration and used the relations that exist among the round keys involved in the key recovery attack to reduce the number of round keys that need to be guessed. They carefully chose the order of guessing keys and guessed each subkey nibble one after another. They also used the partial-compression technique to reduce the time complexity.
Blondeau and Nyberg (2017) developed distinct-known-plaintext (DKP) sampling, which was first introduced in the context of multidimensional zero-correlation attacks[11]. The DKP sample can improve the data complexity of multiple linear attacks, multidimensional linear attacks and key difference invariant bias attacks.
Our contributions
The contributions of this paper are as follows.
New model with key difference invariant bias
In this paper, we take into account multidimensional cryptanalysis with key difference invariant bias. The main motivation of this method is that the dependencies of linear approximations need not be measured explicitly. We present a multidimensional statistical related-key distinguisher for the key difference invariant bias property of key-alternating block ciphers. Our new model has the following two advantages:

(1) It does not assume statistical independence of linear approximations, i.e., the assumption about statistical independence of linear approximations can be removed.

(2) It considers all linear approximations of a linear subspace with the key difference invariant bias property, excluding zero. This increases the freedom of the model, and thus the data complexity is reduced.
We analyze the probability distribution of the new related-key statistic Q in both the right-key and the wrong-key case and derive the formula of the data complexity for a given attack. In addition, the new statistical model takes into account whether the data sample is obtained by the usual known plaintext (KP) sampling or by distinct known plaintext (DKP) sampling.
Key Recovery Attack for LBlock and TWINE-128
By using the new related-key statistic Q, we give the first key-recovery attack on 25-round LBlock. We put the 16-round 8-dimensional linear approximations with key difference invariant bias in rounds 5 to 20. We partially encrypt the first 4 rounds and partially decrypt the last 5 rounds. The attack is affected by 32 bits of a plaintext, 48 bits of a ciphertext and 76 bits of round keys. Because the attack involves so many plaintext bits, ciphertext bits and round key bits, the data complexity and time complexity are both too large. In order to reduce the data complexity and the time complexity, we take the key schedule of LBlock into consideration and obtain the relations that exist among the involved round keys. These relations reduce the key information that needs to be guessed by 17 bits. We carefully choose the order of guessing key bits and use the partial-compression technique to reduce the time complexity. Our attack can recover the 80-bit master key of LBlock with about 2^{60.4} distinct known plaintexts, 2^{78.85} time complexity and 2^{61} bytes of memory requirements. Similarly, using the same multidimensional linear approximation, we can give a 24-round attack on LBlock which is better than that in Bogdanov et al. (2013). In Table 1, we present a comparison of our attack results and the best known ones.
We apply the new related-key model to perform a 28-round attack on TWINE-128. We put the 17-round 8-dimensional linear approximations with key difference invariant bias in rounds 6 to 22. We partially encrypt the first 5 rounds and partially decrypt the last 6 rounds. We take the key schedule of TWINE-128 into consideration and obtain the relations that exist among the involved round keys. We use the partial-compression technique to reduce the time complexity. Our attack can recover the 128-bit master key of TWINE-128 with about 2^{61.5} distinct known plaintexts, 2^{126.15} time complexity and 2^{61} bytes of memory requirements, with success probability 0.85. Similarly, using the same multidimensional linear approximation, we can give a 27-round attack on TWINE-128 which is better than that in Bogdanov et al. (2013). In addition, we combine all differential paths of the 15 key differences that satisfy the property of invariant bias. We thus propose a combined model and perform the 27-round attack on TWINE-128 with about 2^{60.44} distinct known plaintexts, 2^{119.5} time complexity and 15·2^{61} bytes of memory requirements. Our attacks are compared to previous attacks on TWINE-128 in Table 2.
Preliminaries
Linear cryptanalysis with key difference invariant bias
Bogdanov et al. (2013) analysed the fundamental question of how the bias of the entire linear approximation behaves under a change of key. They revealed a property of many block ciphers, namely, that the bias of a linear approximation can actually be invariant under a modified key. Based on this fact, they proposed a statistical related-key distinguisher and demonstrated that it can be used to efficiently distinguish the cipher from an idealized cipher under some basic independence assumptions. As an illustration, they applied the cryptanalytic technique of key difference invariant bias to LBlock and TWINE-128. In this section, we introduce some definitions and main results from Bogdanov et al. (2013).
Consider an n-bit block cipher f with a k-bit key. Linear cryptanalysis is based on a linear approximation determined by input mask a and output mask b. The bias of the linear approximation (a,b) of f is defined by
The value c(a,b)=2ε(a,b) is called correlation of the linear approximation (a,b). A linear approximation (a,b) of an iterative block cipher is called a linear hull. The linear hull contains all possible sequences of the linear approximations over individual rounds with input mask a and output mask b. These sequences are called linear trails which we denote by θ. Given a linear hull (a,b), a linear trail θ is the concatenation of an input mask a=θ_{0} before the first round, an output mask b=θ_{r} after the last round, and r−1 intermediate masks θ_{i} between rounds i−1 and i:
Thus, each linear trail consists of (r+1) n-bit masks. The bias ε_{θ} of the linear trail θ is defined as the scaled product of the individual biases \( \varepsilon _{\theta _{i-1}, \theta _{i}} \) over each round,
Key-alternating block ciphers form a special but important subset of modern block ciphers. Their definition is as follows.
Definition 1 (Daemen and Rijmen 2002).
Let each round i,1≤i≤r, of a block cipher have its own n-bit subkey k_{i}. This block cipher is key-alternating if the key material in round i is introduced by XORing the subkey k_{i} to the state at the end of the round. Additionally, the subkey k_{0} is XORed with the plaintext before the first round.
The round subkeys K_{0},K_{1},..., K_{r} build the expanded key K (of length n(r+1) bits), which is derived from the master key κ using a key-schedule algorithm φ. From Daemen and Rijmen (2002), for a key-alternating block cipher, the bias ε(a,b) of the linear hull (a,b) is
where d_{θ} is a key-independent constant.
In an n-bit key-alternating block cipher, let φ be the key schedule, and let K and K^{′} be the expanded keys corresponding to two master keys κ and κ^{′}, K=φ(κ) and K^{′}=φ(κ^{′}), satisfying K=K^{′}⊕Δ, where the difference Δ describes a connection between K and K^{′}. Let ε and ε^{′} be the two biases under the two keys κ and κ^{′}, with κ≠κ^{′}, then
When does the equality ε=ε^{′} hold? The equality holds if d_{θ}⊕θ·K=d_{θ}⊕θ·K^{′}, that is, θ·Δ=0. In the following, we give a short summary of the contributions in Bogdanov et al. (2013).
Theorem 1 (Bogdanov et al. 2013, Key difference invariant bias for key-alternating ciphers).
Let (a,b) be a non-trivial linear approximation of a key-alternating block cipher. Its biases ε for expanded key K and ε^{′} for expanded key K^{′} with K^{′}=K⊕Δ have exactly equal values ε=ε^{′}, if θ·Δ=0 for each linear characteristic θ of the linear hull (a,b) with ε_{θ}≠0.
Given a linear approximation (a,b), we denote by θ_{j},j=1,...,n(r+1), the j-th bit of a linear characteristic θ. If a bit position j is such that θ_{j}=0 for all θ with ε_{θ}≠0, we call it a zero position. Otherwise, the position is called nonzero. Next we give a more explicit sufficient condition for keeping θ·Δ=0.
Corollary 1.
[(Bogdanov et al. 2013), Condition 1, Sufficient condition for key difference invariant bias] For a fixed non-trivial linear approximation (a,b) of a key-alternating block cipher, the relation between a pair of the user-supplied keys κ and κ^{′} is such that the expanded key difference Δ=K⊕K^{′} chooses an arbitrary number of zero positions and no nonzero positions in the linear characteristics θ of the linear approximation, with ε_{θ}≠0.
For random block ciphers and block sizes n≥5, the bias ε of a linear approximation follows a normal distribution with mean 0 and variance 2^{−n−2} from Daemen and Rijmen (2007), that is, \( \varepsilon \sim \mathcal {N}(0,2^{-n-2}) \). Then, the probability for biases with two different keys to be equal is \( Pr \{\varepsilon =\varepsilon ' \mid \kappa \neq \kappa ' \} \approx \frac {1}{\sqrt {2 \pi }}2^{\frac {3-n}{2}} \).
Given N plaintext-ciphertext pairs and λ linear approximations under a pair of expanded keys K,K^{′} with Δ=K⊕K^{′}, suppose Δ satisfies condition 1 for key difference invariant bias. For each of these linear approximations we allocate counters S_{i} and S^{′}_{i},i=1,...,λ, which count the number of times that these linear approximations are satisfied under K and K^{′} for each of the N known plaintexts. The statistic s is as follows:
Assume the counters S_{i} and S^{′}_{i},i=1,...,λ, are all independent. Then s approximately follows a normal distribution with mean \( \frac {\lambda }{2 N} \) and variance \( \frac {\lambda }{2 N^{2}} \) for the right key, that is,
Similarly, s approximately follows a normal distribution for the wrong key as follows:
In the two above cases, we have seen that the statistic s follows two different normal distributions. When testing the key candidates, the cryptanalyst faces a statistical hypothesis testing task. Consider two normal distributions \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) and \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). Without loss of generality, assume that μ_{0}<μ_{1}. A sample t is drawn from either \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) or \( \mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). The hypothesis test is performed to determine which distribution the sample comes from. Compare the value t with some threshold value τ: if t≤τ, the test returns \( t\in \mathcal {N}\left (\mu _{0},\sigma _{0}^{2}\right) \); if t>τ, the test returns \( t\in \mathcal {N}\left (\mu _{1},\sigma _{1}^{2}\right) \). There are two types of error probabilities. The type I error is the probability of deciding that the sample t comes from \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\) when t actually comes from \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\). The type II error is the probability of deciding that the sample t comes from \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) when t actually comes from \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). The two errors are denoted by α_{0} and α_{1} as follows.
The decision threshold is \(\tau =\mu _{0}+\sigma _{0} q_{1-\alpha _{0}}=\mu _{1}-\sigma _{1} q_{1-\alpha _{1}}\), where \(q_{1-\alpha _{1}}\) and \(q_{1-\alpha _{0}}\) are the quantiles of the standard normal distribution \(\mathcal {N} (0, 1)\).
Corollary 2 (Bogdanov et al. 2013, Data Complexity of Distinguisher).
Using the s distributions for the right and wrong key, we obtain the following equation that determines the amount of data needed by the distinguisher s:
where α_{0} is the probability to reject the right key, whereas α_{1} is the probability to accept a wrong key.
A statistical cryptanalysis attack also depends on the way the data sample is obtained. In a known plaintext (KP) attack, the plaintext-ciphertext pairs (P, C) are sampled with replacement. If the plaintext-ciphertext pairs are sampled randomly without replacement, the attack is called a distinct-known-plaintext (DKP) attack. Suppose N plaintext-ciphertext pairs are sampled randomly, and let us denote by Z the random variable corresponding to the number of plaintext-ciphertext pairs that satisfy the linear approximation equation. In the cases of KP and DKP sampling, the variable Z follows a binomial and a hypergeometric distribution, respectively. The two distributions have the same expectation Np, and their variance is BNp(1−p), where p is the probability that the linear approximation holds and the constant B is defined by
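The variance claim for KP and DKP sampling can be checked exactly on a small block size. The following Python sketch is an added example, not code from the paper; it takes B = 1 for KP and B = (2^n − N)/(2^n − 1) for DKP, the values listed for B in Proposition 1, and the toy parameters (n = 8, N = 192, 144 satisfying plaintexts) are constructed for illustration.

```python
"""KP vs DKP sampling: exact and simulated variance of the counter Z."""
from fractions import Fraction
from math import comb
import random


def variance_factor(n_bits, N, sampling):
    """Constant B: 1 for KP, (2^n - N) / (2^n - 1) for DKP."""
    if sampling == "KP":
        return Fraction(1)
    if sampling == "DKP":
        total = 2 ** n_bits
        return Fraction(total - N, total - 1)
    raise ValueError("sampling must be 'KP' or 'DKP'")


def exact_moments(n_bits, N, good, sampling):
    """Exact mean and variance of Z, computed from its probability mass function.

    good is the number of the 2^n plaintexts for which the approximation
    holds, so p = good / 2^n.  KP draws with replacement (binomial), DKP
    draws without replacement (hypergeometric).
    """
    total = 2 ** n_bits
    p = Fraction(good, total)
    mean = Fraction(0)
    second = Fraction(0)
    for z in range(N + 1):
        if sampling == "KP":
            prob = comb(N, z) * p ** z * (1 - p) ** (N - z)
        else:
            prob = Fraction(comb(good, z) * comb(total - good, N - z),
                            comb(total, N))
        mean += z * prob
        second += z * z * prob
    return mean, second - mean * mean


def simulated_variance(n_bits, N, good, sampling, trials=4000, seed=1):
    """Monte Carlo estimate of Var(Z) on a constructed population in which
    plaintexts 0 .. good-1 are the ones satisfying the approximation."""
    rng = random.Random(seed)
    total = 2 ** n_bits
    counts = []
    for _ in range(trials):
        if sampling == "KP":
            drawn = [rng.randrange(total) for _ in range(N)]
        else:
            drawn = rng.sample(range(total), N)
        counts.append(sum(1 for x in drawn if x < good))
    mean = sum(counts) / trials
    return sum((c - mean) ** 2 for c in counts) / (trials - 1)


def lblock_attack_factor():
    """B for the data complexity quoted for LBlock: n = 64, N = 2^60.4, DKP."""
    return float(variance_factor(64, round(2 ** 60.4), "DKP"))


if __name__ == "__main__":
    n_bits, N, good = 8, 192, 144          # constructed toy parameters
    p = Fraction(good, 2 ** n_bits)
    for sampling in ("KP", "DKP"):
        B = variance_factor(n_bits, N, sampling)
        mean, var = exact_moments(n_bits, N, good, sampling)
        sim = simulated_variance(n_bits, N, good, sampling)
        print(f"{sampling}: B={float(B):.4f} mean={float(mean):.1f} "
              f"exact var={float(var):.3f} B*N*p*(1-p)={float(B * N * p * (1 - p)):.3f} "
              f"simulated var={sim:.3f}")
    print(f"B at n=64, N=2^60.4 (DKP): {lblock_attack_factor():.4f}")
```

When N is a sizeable fraction of the codebook, as with the data complexities quoted in this paper, B is visibly below 1 and the DKP counter is less noisy than the KP one.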
Multidimensional approximation of boolean functions
In this section, we introduce two lemmas of multidimensional linear cryptanalysis (Hermelin et al. 2008) that will be needed in the next section.
Let f:V_{n}→V_{l} be a vector Boolean function, and binary vectors v_{i}∈V_{l} and u_{i}∈V_{n},i=1,2,...,m, be linear masks such that the paired masks (u_{i},v_{i}) are linearly independent. Define functions g_{i} by
and assume the g_{i} have correlations c_{i},i=1,...,m. We will call these correlations base-correlations, and the corresponding linear approximations of f the base-approximations. We want to find the probability distribution of the m-dimensional linear approximation
where V=(v_{1},...,v_{m}),U=(u_{1},...,u_{m}) and g=(g_{1},...,g_{m}). Let the probability distribution of g be p=(p_{0},...,p_{M}),M=2^{m}−1. Assume that we have the correlations c(a) of all the linear mappings a·g of g. We will call the correlations c(a) the combined correlations of f and the corresponding approximations the combined approximations.
Definition 2.
The capacity between two probability distributions p and q is defined by
Let us consider an m-dimensional linear attack whose m base approximations construct an m-dimensional vectorial Boolean function f. Let \( p=(p_{0},...,p_{2^{m}-1}) \) denote the probability distribution of f, and let γ be the discrete uniform distribution. The capacity of the m-dimensional linear approximations is as below:
For simplicity, let C(p) denote the capacity of the probability distribution of the m-dimensional linear approximations.
Lemma 1.
[(Hermelin et al. 2008)] Let \( g:F_{2}^{n}\rightarrow F_{2}^{m} \) be a Boolean function with probability distribution p and one-dimensional correlations c(a) of a·g. Then
Lemma 2.
[(Hermelin et al. 2008)] Let \( g:F_{2}^{n}\rightarrow F_{2}^{m} \) be the Boolean function with probability distribution p. Then the capacity C(p) of p satisfies
Note 1. If a random variable X has the χ^{2} distribution with l degrees of freedom, then X approximately follows a normal distribution with mean l and variance 2l when l is sufficiently large, that is, \( X\rightarrow \mathcal {N}(l, 2l) \).
Note 2. Suppose X is a d-dimensional normal random vector with mean vector μ and covariance \( \Sigma, X \sim \mathcal {N}_{d}(\mu, \Sigma) \), then (X−μ)^{T}Σ^{−1}(X−μ) follows a χ^{2} distribution with r degrees of freedom, r=rank(Σ).
We will need the above results in the next section, where we study how the multidimensional linear statistic is applied in key difference invariant bias linear cryptanalysis.
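The relation between the distribution p, the combined correlations c(a) and the capacity C(p) in Lemmas 1 and 2 can be checked numerically on a small function. The sketch below is an added example, not code from the paper; it assumes the standard statements of the two lemmas from Hermelin et al. (p_η = 2^{−m} Σ_a (−1)^{a·η} c(a) and C(p) = Σ_{a≠0} c(a)^2, with C(p) = 2^m Σ_η (p_η − 2^{−m})^2), and the 8-bit function `toy_f` and the masks are constructed for illustration.

```python
"""Check Lemma 1 and Lemma 2 on a constructed 8-bit function (assumed forms)."""
from fractions import Fraction

# 4-bit permutation used as the nonlinear layer (values of the PRESENT S-box,
# chosen only as a convenient nonlinear permutation).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

N_BITS = 8
# Constructed, linearly independent base masks (u_i, v_i); m = 3.
MASKS = [(0x01, 0x10), (0x02, 0x20), (0x04, 0x80)]


def toy_f(x):
    """Constructed 8-bit function: S-layer, rotate left by 3, S-layer."""
    x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def dot(a, b):
    """Inner product over GF(2) of two bit vectors stored as integers."""
    return bin(a & b).count("1") & 1


def distribution(f, n, masks):
    """Distribution p of g(x) = (u_1.x ^ v_1.f(x), ..., u_m.x ^ v_m.f(x))."""
    counts = [0] * (1 << len(masks))
    for x in range(1 << n):
        y = f(x)
        eta = 0
        for i, (u, v) in enumerate(masks):
            eta |= (dot(u, x) ^ dot(v, y)) << i
        counts[eta] += 1
    return [Fraction(c, 1 << n) for c in counts]


def combined_correlations(f, n, masks):
    """c(a) for every a: correlation of a.g, measured directly on f using the
    combined masks (XOR of the u_i with a_i = 1, XOR of the v_i with a_i = 1)."""
    corr = []
    for a in range(1 << len(masks)):
        u = v = 0
        for i, (ui, vi) in enumerate(masks):
            if (a >> i) & 1:
                u ^= ui
                v ^= vi
        total = sum(1 - 2 * (dot(u, x) ^ dot(v, f(x))) for x in range(1 << n))
        corr.append(Fraction(total, 1 << n))
    return corr


def lemma1_distribution(corr):
    """Lemma 1 (assumed form): p_eta = 2^-m * sum_a (-1)^(a.eta) * c(a)."""
    size = len(corr)
    return [sum((-1) ** dot(a, eta) * corr[a] for a in range(size)) / size
            for eta in range(size)]


def capacity(p):
    """Capacity against the uniform distribution: 2^m * sum (p_eta - 2^-m)^2."""
    size = len(p)
    return size * sum((pe - Fraction(1, size)) ** 2 for pe in p)


def lemma2_capacity(corr):
    """Lemma 2 (assumed form): C(p) = sum over a != 0 of c(a)^2."""
    return sum(c * c for c in corr[1:])


if __name__ == "__main__":
    p = distribution(toy_f, N_BITS, MASKS)
    c = combined_correlations(toy_f, N_BITS, MASKS)
    print("p           :", [str(x) for x in p])
    print("c(a)        :", [str(x) for x in c])
    print("Lemma 1 ok  :", lemma1_distribution(c) == p)
    print("C(p)        :", capacity(p), "=", lemma2_capacity(c))
```

Exact rational arithmetic is used so that both identities hold with equality rather than up to rounding.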
Improved statistical distinguisher with key difference invariant bias
In this section, we firstly consider multidimensional linear attacks with key difference invariant bias and present a new statistic Q. Then we analyse the probability distribution of statistic Q for the right/wrong key guess, and give the data complexity of an attack to achieve a certain success level under KP and DKP cases, respectively. Finally, the key recovery attack procedure which uses our new model is described.
A new statistical distinguisher
We analyse the relation between correlations and probability distributions of a multidimensional linear approximation under two distinct round keys. Given a block cipher \( f:F_{2}^{n}\rightarrow F_{2}^{n} \), we consider m-dimensional linear cryptanalysis of f. Assume the base-approximations of the m-dimensional linear approximation are g=(g_{1},...,g_{m}). Let us denote by c(a) and c^{′}(a) the correlations of a·g under master keys κ and κ^{′}, respectively, and denote by p_{η} and \(p^{\prime }_{\eta }\) the probability distributions of g under master keys κ and κ^{′}, respectively. We can obtain the next lemma.
Lemma 3.
Proof
According to Lemma 2, we have:
So it suffices to show that
Using Lemma 1, we have:
Substituting p_{η} and p^{′}_{η} in (1) as follows:
Because
therefore,
Similarly,
Thus Eq. (1) holds, which proves Lemma 3. □
Thus we can present a new statistic based on the key difference invariant bias property by using an m-dimensional linear approximation for an n-bit block cipher. Suppose the data sample is randomly selected and the sample size is N. Let V(η) and V^{′}(η),η=0,...,2^{m}−1, denote the number of occurrences of value η of the observed data distribution for master keys κ and κ^{′} with the N plaintexts. We propose a new statistic Q:
As we aim to perform a key recovery attack with this statistic Q, we will derive the distribution of Q for the right key guess and for the wrong key guess.
In the case of right key guess, we obtain the following result.
Proposition 1.
[Distribution of Statistic Q for the Right Key] Consider an m-dimensional linear approximation for a block cipher under a pair of expanded keys (K,K^{′}) connected by Δ conforming to condition 1. Let N be the number of KP or DKP pairs, let V(η) and V^{′}(η) be the frequencies of value η of the observed data distribution for K and K^{′}, respectively, and let m be high enough. Then the following approximate distribution holds for sufficiently large N and m:
where l=2^{m}−1, \( B= \left \{\begin {array}{ll} 1, & \textmd {for KP} \\ \frac {2^{n}-N}{2^{n}-1}, & \textmd {for DKP} \\ \end {array} \right. \).
Proof
We first consider the KP case. For an m-dimensional linear attack, let l=2^{m}−1, let N be the number of random KP pairs, and let V(η) and V^{′}(η),η=0,...,2^{m}−1, denote the number of occurrences of value η of the observed data distribution for master keys κ and κ^{′}. The random vector (V(0),...,V(l))^{T} follows a multinomial distribution with parameters N and p(κ), where p(κ)=(p_{0}(κ),...,p_{l}(κ)) with \( \sum _{\eta =0}^{l}p_{\eta }(\kappa)=1 \). The variance of V(i) is Np_{i}(κ)(1−p_{i}(κ))≈N2^{−m}(1−2^{−m}). The covariance of V(i) and V(j) is Cov(V(i),V(j))=−Np_{i}(κ)p_{j}(κ)≈−N2^{−2m}. The counters V(η) and V^{′}(η) suggest the empirical probabilities \(\hat {p}_{\eta }(\kappa)=\frac {V(\eta)}{N}\) and \(\hat {p}_{\eta }(\kappa ^{\prime })=\frac {V^{\prime }(\eta)}{N}\), respectively. Let \( \hat {p} (\kappa)=(\hat {p}_{0}(\kappa),..., \hat {p}_{l-1}(\kappa))^{T}, \hat {p} (\kappa ^{\prime })=(\hat {p}_{0}(\kappa ^{\prime }),..., \hat {p}_{l-1}(\kappa ^{\prime }))^{T}\). For sufficiently large N, the random vector \( \hat {p} (\kappa) \) approximately follows an l-dimensional normal distribution with mean vector p(κ)=(p_{0}(κ),...,p_{l−1}(κ))^{T} and covariance matrix Σ=N^{−1}2^{−m}(I_{l}−2^{−m}E), where I_{l} is an identity matrix and E is an l×l matrix all of whose entries equal one, that is,
Similarly, \( \hat {p} (\kappa ^{\prime }) \sim \mathcal {N}_{l}(p(\kappa ^{\prime }), \Sigma) \).
The expanded keys K=φ(κ) and K^{′}=φ(κ^{′}) satisfy K=K^{′}⊕Δ, where Δ satisfies condition 1 for key difference invariant bias, so p(κ)=p(κ^{′}). Then, \( \hat {p} (\kappa)-\hat {p} (\kappa ^{\prime }) \sim \mathcal {N}_{l}(0, 2\Sigma). \) From Note 2, we know
Because Σ^{−1}=N2^{m}(I_{l}+E), therefore,
Thus we obtain \( Q \sim \frac {2}{N} \chi ^{2}(l) \). Using Note 1, the following approximate distribution holds for sufficiently large N and m:
In the case of a DKP sample, the random vector (V(0),...,V(l))^{T} follows a multivariate hypergeometric distribution. The variance of V(i) is \(\frac {2^{n}-N}{2^{n}-1} Np_{i}(\kappa)(1-p_{i}(\kappa)) \approx \frac {2^{n}-N}{2^{n}-1}N2^{-m}(1-2^{-m}) \). The covariance of V(i) and V(j) is
The following steps of the proof are similar to those in the KP case. □
In the case of a wrong key guess, we rely on the hypothesis that, for a wrong key, the cipher is a permutation drawn at random. Suppose the probabilities p_{η}(k),η=0,...,2^{m}−1, of the m-dimensional linear approximation are independent and identically distributed according to a normal distribution \(\mathcal {N} \left (2^{-m}, \sigma ^{2}\right)\). According to Lemma 1, for a≠0,
we have \( c_{a}(k) \sim \mathcal {N} \left (0,2^{m} \sigma ^{2}\right).\) In Daemen and Rijmen (2007), Daemen and Rijmen show that the correlation distribution of an ideal cipher is normal with mean zero and variance 2^{−n}, i.e., \(c_{a}(k) \sim \mathcal {N} \left (0, 2^{-n}\right)\). So we obtain \(2^{m}\sigma ^{2}=2^{-n}, p_{\eta }(k) \sim \mathcal {N} \left (2^{-m}, 2^{-m-n}\right).\) Then we have the following proposition for the distribution of Q.
Proposition 2.
[Distribution of Statistic Q for the Wrong Key] Consider an m-dimensional linear approximation for two randomly drawn permutations. Let N be the number of KP or DKP pairs, let V(η) and V^{′}(η) be the frequencies of value η of the observed data distribution for the two permutations, respectively, and let m be high enough. Then the following approximate distribution holds for sufficiently large N and n:
where \( l=2^{m}-1, B= \left \{\begin {array}{ll} 1, & \textmd {for KP} \\ \frac {2^{n}-N}{2^{n}-1}, & \textmd {for DKP} \\ \end {array} \right. \).
The proof of Proposition 2 is similar to that of Proposition 1.
In the two above cases, we have seen that the statistic Q will follow two different normal distributions. Using statistical hypothesis, we obtain the following data complexity under KP and DKP data sample, respectively.
where α_{0} is the probability to reject the right key, α_{1} is the probability to accept a wrong key.
Procedure of key recovery attack
We describe the key recovery attack procedure which uses the statistic Q. The attack procedure is as follows:
Step 1: For all related-key differential paths (a,b) with a difference δ=κ⊕κ^{′} on the master key that satisfy the key difference invariant bias condition, we collect N plaintext-ciphertext pairs (P, C) under the keys κ and κ^{′}=κ⊕δ.
Step 2: Partially encrypt r_{top} rounds and partially decrypt r_{bot} rounds, and obtain the partial state values x and x^{′} covered by the input/output masks of (a,b) under κ and κ^{′}, respectively. Compute the number of times N[x] and N[x^{′}] that the partial state values occur.
Step 3: For all state values of x and x^{′}, we compute the value η, allocate counters V(η) and V^{′}(η) and set their initial values to zero. If the value η occurs, then add N[x] and N[x^{′}] to V(η) and V^{′}(η), respectively. Compute
Step 4: If Q<τ, then the guessed subkey is a possible right subkey candidate.
Step 5: Do an exhaustive search over all right subkey candidates.
Attack on LBlock
In this section, we will evaluate the security of LBlock against multidimensional linear attack with key difference invariant bias by using the new statistic Q.
A brief description of LBlock
Encryption Algorithm. The general structure of LBlock is a variant of the Feistel network. The number of iterative rounds is 32. The round function of LBlock includes three basic functions: AddRoundKey, confusion function S and diffusion function P. The confusion function S consists of eight 4×4 S-boxes in parallel. The diffusion function P is defined as a permutation of eight 4-bit nibbles (see Wu and Zhang (2011)).
Key Schedule Algorithm. The key schedule of LBlock is rather simple. The 80-bit master key κ is stored in a key register, denoted by κ=k_{79}k_{78}...k_{1}k_{0}. At round i, the leftmost 32 bits of the current contents of register κ are output as the round key K_{i}, i.e., K_{i}=k_{79}k_{78}...k_{48}. The key schedule of LBlock can be shown as follows:
1. K_{1}=κ[79,78,...,48];
2. For i←2 to 32,
(a) κ=κ<<<29
(b) κ[79,78,77,76]=S_{9}(κ[79,78,77,76]), κ[75,74,73,72]=S_{8}(κ[75,74,73,72]);
(c) κ[50,49,48,47,46]=κ[50,49,48,47,46]⊕[i]_{2};
(d) K_{i}=κ[79,78,...,48].
Multidimensional linear approximations with key difference invariant bias for LBlock
Let K and K^{′} be the expanded keys corresponding to two master keys κ and κ^{′},K=φ(κ) and K^{′}=φ(κ^{′}) for key schedule φ, such that K=K^{′}⊕Δ. Firstly, we introduce the notations that need to be used. i:j denotes an integer range from i to j; δ=κ⊕κ^{′}: the difference of master key κ and κ^{′}; δ_{14:17} denotes a 4bit nibble of δ, the bit position is j=14:17; k_{14:17} denotes a 4bit nibble of κ, the bit position is j=14:17; \(k^{\prime }_{14:17}\) denotes a 4bit nibble of κ^{′}, the bit position is j=14:17; k_{18:21} denotes a 4bit nibble of κ, the bit position is j=18:21\(k^{\prime }_{18:21}\) denotes a 4bit nibble of κ^{′}, the bit position is j=18:21 ; S(x)=(S(x)^{0},S(x)^{1},S(x)^{2},S(x)^{3}),S_{8}(k_{14:17})=S_{8}(k_{17},k_{16},k_{15},k_{14}); ΔS(k_{14:17})=S(k_{14:17})⊕S(k14:17′), and analogously, the other difference notation can be similarly represented; Γ_{r},5≤r≤20 : input mask value for the Sboxes in round r; ΔK_{r},5≤r≤20 : the subkey difference in round r; \( \Delta K_{r}^{i}, 5 \leq r \leq 20\) : the ith nibble of subkey difference in round r, the 0th nibble is the leftmost nibble;
In masks, `0^{′},`1^{′} and `∗^{′} denote zero, nonzero and arbitrary mask for a nibble, respectively; In differences, `0^{′},`1^{′} and `∗^{′} denote zero, nonzero and arbitrary difference for a nibble, respectively.
In Bogdanov et al. (2013), Bogdanov et al. found 16round linear approximations that satisfy key difference invariant bias property. But they didn’t identify the master key difference such that condition 1. In this section, we find the master key difference that satisfy invariant bias for 16round 8dimensional linear approximations. The 16 rounds 8dimensional linear approximations with 4bit input and 4bit output. We put the 16 rounds 8dimensional linear approximation in round 5 to 20. The input mask of the 5th round is (0000α00000000000) and the output mask of the 20th round is (000000000β000000),(α,β)≠0. Next, we determine the master key difference that satisfy condition 1.
For all cases of input mask Γ_{r},5≤r≤20, if the relations Γ_{r}·ΔK_{r}=0 hold, then, the sufficient condition for key difference invariant bias is fulfilled according to the condition 1 in corollary 1. Now we determine all the relatedkey differential paths, that is, we find the spectific master key difference δ that satisfy the sufficient condition of invariant bias.
We get all the input mask Γ_{r},5≤r≤20 from (Bogdanov et al. 2013). Because Γ_{12}=∗∗11∗∗11,Γ_{13}=∗1∗1∗1∗1,Γ_{11}=∗1101111, let \( \Delta K_{12}=00000000, \Delta K_{13}=00000000, \Delta K_{11}^{i}=0,i=0, 1, 2, 4, 5, 6, 7 \). According to the key schedule of LBlock, round keys \( K_{12}, K_{13}, K_{11}^{i} \) are functions of master key k_{j},j∈(0:79),j≠14,15,16,17. So the master key difference δ satisfy δ_{14:17}≠0000,δ_{j}=0,j∈(0:79),j≠14,15,16,17. Next, we determine the value of δ_{14:17}.
According to the propagation property of the linear mask, the 14round and 16round input masks are obtained (see Bogdanov et al. (2013)), Γ_{14}=101111∗1,Γ_{16}=11000001. In order for the equations Γ_{r}·ΔK_{r}=0 hold, let \( \Gamma _{r}^{j} \cdot \Delta K_{r}^{j}=0, j=0,1,...,7 \). On the basis of key schedule, the key \( \Delta K_{14}^{2}, \Delta K_{16}^{7} \) are functions of the master key k_{14:17}, so we just need the next equation holds.
Equation (4) can be turned to
For every value of k_{14:17} and S_{9}(k_{18:21})^{3}, we obtain only a single nonzero difference δ_{14:17} by solving Eq. (5) (see Table 3). So we get all the key differences that satisfy condition 1 in Corollary 1.
Key recovery for 25-Round LBlock
In order to attack 25-round LBlock, we follow the multidimensional linear cryptanalysis with key difference invariant bias property. The attack uses the 16-round key difference invariant bias linear approximations described in the above section, from round 5 to 20. We append 4 rounds at the top of the distinguisher and 5 rounds at the bottom. After collecting sufficient plaintext-ciphertext pairs, we guess the corresponding subkeys for the first four rounds and the last five rounds and compute the statistic Q of the linear approximations. Next, we decide whether the guessed key is right or not. Finally, we exhaustively search all right subkey candidates. If we directly guessed the subkey bits involved in the key recovery process, the time complexity would be greater than exhaustive search. Therefore, to reduce the time complexity, we express the two target values of the attack using the related round keys and plaintexts or ciphertexts, and then use the partial-compression technique to reduce the time complexity significantly. The attack process is shown in Fig. 1.
Let X_{0} denote the 64-bit plaintext and let \( X_{r}^{j} \) denote the j-th 4-bit nibble of the r-th ciphertext, where the 0th nibble is the leftmost nibble. As shown in Fig. 2, the nibble \(X_{4}^{4}\) is affected by 32 bits of plaintext X_{0} and 28 bits of round keys, and can be expressed as:
Similarly, the nibble \(X_{20}^{9}\) is affected by 48 bits of ciphertext X_{25} and 48 bits of round keys and the expression can be shown:
After analyzing the key schedule of LBlock, we find the following relations in the round keys: \(K_{24}^{0} \Rightarrow K_{23}^{7}[1:3]\); \(K_{24}^{0}, K_{24}^{1}, K_{1}^{6} \Rightarrow K_{4}^{5}[0,2,3]\); \(K_{25}^{7} \Rightarrow K_{23}^{2}[0:1]\); \(K_{25}^{3} \Rightarrow K_{22}^{5}[0:2]\); \(K_{25}^{4} \Rightarrow K_{22}^{5}[3]\); \(K_{23}^{2}, K_{25}^{6}, K_{25}^{7} \Rightarrow K_{3}^{7}\) only has two possible values; \(K_{2}^{6} \Rightarrow K_{24}^{7}\) has 2^{3} possible values; \(k_{14:17}, S_{9}\left (k_{18:21}\right)^{3} \Rightarrow K_{25}^{2}\) has 2^{3} possible values. According to these relations, 17 bits of information can be removed from the 76 involved round-key bits, so we only need to guess 59 subkey bits in the key recovery attack.
Assuming that N distinct known plaintext-ciphertext pairs are sampled, the partial encryption and decryption using the partial-compression technique proceed as in Table 4. The second column lists the subkey nibbles that have to be guessed under master keys κ and κ^{′}. The time complexity of Step 2, measured in S-box accesses, is given in the third column. The "Obtained States" saved during the encryption and decryption process are in the fourth column. Let x_{i} and \(x^{\prime }_{i} (1 \leq i \leq 14)\) denote the possible obtained states under the master keys κ and κ^{′}, respectively; the counters N_{i}[x_{i}] and N_{i}[x^{′}_{i}] record how many plaintext-ciphertext pairs produce the corresponding intermediate states x_{i} and \(x^{\prime }_{i}\), respectively. The counter size for x_{i} and \(x^{\prime }_{i}\) is shown in the last column.
For clarity, we explain some of the steps in Table 4 in detail.
Step 1. In the process of attack, the target values \(X_{4}^{4}X_{20}^{9}\) are affected by 32 bits of plaintext and 48 bits of ciphertext. They are represented by
We guess the 18 subkey bits \(K_{25}^{7} | K_{25}^{3} | K_{25}^{6} | K_{24}^{1} | K_{23}^{2}[2:3]\) for the master keys κ and κ^{′}, respectively. The following two equations are true for LBlock.
So we can update the expression of \(X_{20}^{9}\):
The 80-bit x_{0} and x^{′}_{0} can be reduced to the 60-bit x_{1} and \(x^{\prime }_{1}\) after guessing the 18 round-key bits. We allocate two 60-bit counters N_{1}[x_{1}] and N_{1}[x^{′}_{1}] for the master keys κ and κ^{′}, respectively, and initialize them to zero. We then guess the 18-bit keys and partially decrypt N ciphertexts to compute x_{1} and \(x^{\prime }_{1}\) under master keys κ and κ^{′}, respectively, and increment the corresponding counters.
Step 2. We first allocate the 56-bit counters N_{2}[x_{2}] and N_{2}[x^{′}_{2}] for the master keys κ and κ^{′}, respectively, and initialize them to zero. We then guess the 4-bit \(K_{1}^{4}\) for the master keys κ and κ^{′}, respectively, partially encrypt x_{1} and \(x^{\prime }_{1}\) to compute x_{2} and \(x^{\prime }_{2}\), respectively, and increment the corresponding counters. As the equation \( X_{1}^{6}=X_{0}^{8}\oplus S\left (X_{0}^{4}\oplus K_{1}^{4}\right) \) holds, the expression of \( X_{4}^{4} \) is updated as:
Because the following steps are similar to the above two steps, we do not explain them in detail. Note that the number of guessed key bits in step 8 of Table 4 is 4, whereas the number of known key bits is 8; this is because the key in the "()" can be obtained by using the relations of the round keys. To recover the secret key, the following steps are performed:
1. Allocate two counters V[η] and V^{′}[η] for the 8-bit \(X_{4}^{4}X_{20}^{9}=\eta \).
2. For the 2^{8} values of x_{14} and \(x^{\prime }_{14}\):
(a) Evaluate all 8 basis masks on x_{14} and \(x^{\prime }_{14}\) and get η;
(b) Update the counters V(η) and V^{′}(η) by V(η)=V(η)+N_{14}[x_{14}] and V^{′}(η)=V^{′}(η)+N_{14}[x_{14}].
3. For each guessed key, compute
4. If Q≤τ, then the guessed subkey values are possible right subkey candidates.
5. Do an exhaustive search over all right candidates.
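The partial-compression idea of Steps 1 and 2 and the final accumulation into V[η], as an added toy example that is not the paper's code: counters indexed by the state replace the list of texts, and each guessed key nibble merges two nibbles into one, as in \( X_{1}^{6}=X_{0}^{8}\oplus S(X_{0}^{4}\oplus K_{1}^{4}) \). The 16-bit state, the two-step target, the S-box (an arbitrary 4-bit permutation, not LBlock's) and the sample texts are assumptions constructed for illustration; the statistic Q is not computed.

```python
import random
from collections import Counter

# Arbitrary 4-bit permutation used as a stand-in; NOT the LBlock S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def sample_texts(n, seed=1):
    """Constructed data: n random 16-bit texts as nibble tuples (a, b, c, d)."""
    rng = random.Random(seed)
    return [tuple(rng.randrange(16) for _ in range(4)) for _ in range(n)]

def step_a(ka):
    # Same shape as X_1^6 = X_0^8 xor S(X_0^4 xor K_1^4): the two nibbles
    # (a, b) collapse into one nibble u once ka is guessed (16 -> 12 bits).
    return lambda s: (s[1] ^ SBOX[s[0] ^ ka], s[2], s[3])

def step_b(kb):
    # Second toy round: (u, c) collapse into v once kb is guessed (12 -> 8 bits).
    return lambda s: (s[1] ^ SBOX[s[0] ^ kb], s[2])

def compress(counters, step):
    """Map every stored state through `step`, adding up the counts."""
    out = Counter()
    for state, count in counters.items():
        out[step(state)] += count
    return out

def histogram(n2):
    """V[eta] = sum of N_2[x_2] over states x_2 = (v, d), with eta = v || d."""
    v_hist = [0] * 256
    for (v, d), count in n2.items():
        v_hist[(v << 4) | d] += count
    return v_hist

def all_guesses_compressed(texts):
    """Histograms for all 2^8 (ka, kb) guesses; returns (table, state updates)."""
    n0 = Counter(texts)                  # N_0[x_0]: one pass over the texts
    table, work = {}, 0
    for ka in range(16):
        n1 = compress(n0, step_a(ka))    # done once per ka, reused for every kb
        work += len(n0)
        for kb in range(16):
            n2 = compress(n1, step_b(kb))
            work += len(n1)
            table[(ka, kb)] = histogram(n2)
    return table, work

def one_guess_naive(texts, ka, kb):
    """Reference: push every text through both steps for a single guess."""
    v_hist = [0] * 256
    fa, fb = step_a(ka), step_b(kb)
    for t in texts:
        v, d = fb(fa(t))
        v_hist[(v << 4) | d] += 1
    return v_hist

if __name__ == "__main__":
    texts = sample_texts(20000)
    table, work = all_guesses_compressed(texts)
    print("compressed state updates:", work)
    print("naive state updates:     ", 2 * 256 * len(texts))
    print("histograms agree:", table[(3, 9)] == one_guess_naive(texts, 3, 9))
```

The saving grows with N: the compressed cost per guess is bounded by the counter sizes, while the naive cost scales with the number of texts.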
If the attack procedure from step 1 to step 5 does not succeed, the right key does not belong to the values corresponding to the related-key differential path tested. We can then repeat the above attack with another related-key differential path. All possible values of the master key bits k_{14:17} and S_{9}(k_{18:21})^{3} are covered by the related-key differential paths, so we can always find the right key; in the worst case, all the related-key differential paths have to be tested. For example, if we choose the master key difference δ_{14:17}=0111, then k_{14:17} and S_{9}(k_{18:21})^{3} have 8 possible values. We need to guess them one by one and determine which one is the right key. The average number of guesses is \( \frac {1}{8}(1+2+3+4+5+6+7+8)=4.5 \). Similarly, when δ_{14:17}=1100, 0100, 1111 or 1011 the average number of guesses is 2.5; when δ_{14:17}=1010, 0110, 1001 or 0101, the average number of guesses is 1.5. The key difference δ_{14:17} has 9 possible values, and its probability distribution is as follows (see Table 3).

| δ_{14:17} | 1100 | 0111 | 1010 | 0110 | 0100 | 1111 | 1011 | 1001 | 0101 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| p | \(\frac {4}{32}\) | \(\frac {8}{32}\) | \(\frac {2}{32}\) | \(\frac {2}{32}\) | \(\frac {4}{32}\) | \(\frac {4}{32}\) | \(\frac {4}{32}\) | \(\frac {2}{32}\) | \(\frac {2}{32}\) |

According to the above discussion, the total average number of guesses is \( 4.5 \cdot \frac {8}{32}+2.5 \cdot \frac {4 \times 4}{32}+1.5 \cdot \frac {2 \times 4}{32}=\frac {88}{32} \).
Complexity. By setting α_{0}=2^{−2.7}, α_{1}=0.5, we have \(q_{1-\alpha _{0}} \approx 1.02 \) and \(q_{1-\alpha _{1}} =0 \). Since n=64 and l=255, according to Eq. (3) the data complexity is N^{DKP}≈2^{60.4}. Now we evaluate the time complexity of the key recovery on 25-round LBlock. We start with the complexity of step 1 to step 14 of the partial computation (see Table 4): the time complexity is T_{1}=N·2^{19}·5+2·2^{83}+2·2^{82}+2·2^{79}+2^{80}+2^{78}+3·2^{75}+2·2^{72}≈2^{84.89} S-box accesses, which is about \(T=T_{1} \cdot \frac {1}{8} \cdot \frac {1}{25}=2^{77.25}\) 25-round LBlock encryptions. Under each related-key differential path, the values k_{14:17} and S_{9}(k_{18:21})^{3} are known, so the time complexity of Step 5 of the key recovery attack is about 2^{75}·α_{1}=2^{74} 25-round encryptions. Therefore, the total time complexity is about 2^{74}+2^{77.25}≈2^{77.39} 25-round LBlock encryptions. Since the given values of k_{14:17} and S_{9}(k_{18:21})^{3} may not be the right key, and the average number of guesses for k_{14:17} and S_{9}(k_{18:21})^{3} is \( \frac {88}{32} \), the expected time complexity of our attack on 25-round LBlock is about \(2^{77.39} \cdot \frac {88}{32} \approx 2^{78.85}\) 25-round encryptions. The memory requirements are about 2^{61} bytes.
Key recovery for 24-Round LBlock
Similarly, we can perform a key recovery attack on 24-round LBlock by using the same linear approximations from round 5 to 20. We append 4 rounds at the top of the distinguisher and 4 rounds at the bottom.
We express the two target values of the attack using the related round keys and plaintexts or ciphertexts, and then use the partial-compression technique to reduce the time complexity significantly (see Table 5). The nibble \(X_{4}^{4}\) is affected by 32 bits of plaintext X_{0} and 28 bits of round keys, and can be expressed as:
Similarly, the nibble \(X_{20}^{9}\) is affected by 32 bits of ciphertext X_{24} and 28 bits of round keys and the expression can be shown:
After analyzing the key schedule of LBlock, we find the following relations in the round keys: \(K_{24}^{0} \Rightarrow K_{23}^{7}[1:3]; K_{24}^{0}, K_{24}^{1}, K_{1}^{6} \Rightarrow K_{4}^{5}[0,2,3].\)
Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as in Table 5. The process is analogous to the 25-round attack on LBlock.
Complexity. By setting α_{0}=2^{−2.7}, α_{1}=2^{−8.5}, according to Eq. (2) the data complexity is N^{KP}≈2^{62.83}, the time complexity is about 2^{68.08} 24-round LBlock encryptions and the memory requirements are about 2^{61} bytes.
In the DKP case, we set α_{0}=2^{−2.7}, α_{1}=2^{−8.5}; then according to Eq. (3) the data complexity is N^{DKP}≈2^{62.3}, the time complexity is about 2^{68.07} 24-round LBlock encryptions and the memory requirements are about 2^{61} bytes. Figure 3 depicts different possible data-time tradeoffs with α_{0}=2^{−2.7}.
Attack on TWINE-128
In this section, we evaluate the security of TWINE-128 against the multidimensional linear attack with key difference invariant bias by using the new distinguisher Q.
A brief description of TWINE
TWINE is a 64-bit lightweight block cipher with an 80-bit or 128-bit key. It was proposed by Suzaki et al. in 2012. The structure of TWINE is a modified Type-2 generalized Feistel network. Its round function consists of AddRoundkey, 4-bit S-boxes and a diffusion layer. This round function is iterated 36 times for both TWINE-80 and TWINE-128, where the diffusion layer of the last round is omitted.
The key schedule of TWINE is quite simple. S-boxes, XOR operations and a series of constants are used in the key schedule. Due to the page limit, we refer to Suzaki et al. (2012) for the specific key schedule algorithms.
Key recovery for 28-round TWINE-128
We consider 17-round (from round 6 to round 22) linear approximations with key difference invariant bias for TWINE-128 that have been identified in Bogdanov et al. (2013). The input mask of the 6th round is (000000000000α000) and the output mask of the 22nd round is (0000000β00000000), (α,β)≠0. Let K and K^{′} be the expanded keys corresponding to the two master keys κ and κ^{′}, K=φ(κ) and K^{′}=φ(κ^{′}) for key schedule φ, such that K=K^{′}⊕Δ. Let us denote by δ=κ⊕κ^{′} the difference of the master keys κ and κ^{′}. Let ΔK_{r} and Γ_{r} denote the subkey difference and input mask value for the S-boxes in round r, respectively. To make the relations
hold, it suffices to let δ_{20:23}≠0000, δ_{j}=0, j=0,1,...,79 and j≠20,21,22,23. Thus the sufficient condition for key difference invariant bias is satisfied. There are 15 possible nonzero values of δ_{20:23} that satisfy Eq. (6). We can choose any nonzero δ_{20:23}, with δ_{j}=0, j=0,1,...,79 and j≠20,21,22,23, to obtain a differential path which covers all the possible key values and is sufficient to recover the right key value.
We use the 17-round distinguisher to attack 28 rounds of TWINE-128. The initial five rounds, from round 1 to round 5, are added before the distinguisher and the final six rounds, from round 23 to round 28, are appended after the distinguisher. Similarly, we express the two target values and then guess the keys one nibble after another to reduce the time complexity of the partial computation. The nibble \(X_{5}^{12}\) is affected by 48 bits of plaintext X_{0} and 48 bits of round keys, and can be expressed as:
Similarly, the nibble \(X_{22}^{7}\) is affected by 60 bits of ciphertext X_{28} and 76 bits of round keys:
The following relations exist in the related round keys:
Thus, we only need to guess 116 subkey bits in the attack.
Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as in Table 6.
Complexity. We set α_{0}=2^{−2.7}, α_{1}=2^{−3}, so we have \(q_{1-\alpha _{0}} \approx 1.02 \) and \(q_{1-\alpha _{1}} =1.15 \). Since n=64 and l=255, according to Eq. (3) the data complexity is N^{DKP}≈2^{61.5}. Now we evaluate the time complexity of the key recovery on 28-round TWINE-128. We start with the complexity of step 1 to step 14 of the partial compression (see Table 6): the time complexity is T_{1}=N·2^{65}·17+12·2^{129}+2^{130}≈2^{133.09} S-box accesses, which is about \(T=T_{1} \cdot \frac {1}{8} \cdot \frac {1}{28}=2^{125.28}\) 28-round TWINE-128 encryptions. Note that the time complexity of Steps 3 and 4 is negligible. The time complexity of Step 5 of the key recovery attack is about 2^{128}·α_{1}=2^{125} times of 25-round encryption. Therefore, the total time complexity is about 2^{125}+2^{125.28}≈2^{126.15} 28-round TWINE encryptions. The memory requirements are about 2^{61} bytes.
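The time-complexity figures of the 25-round LBlock and 28-round TWINE-128 attacks can be rechecked numerically. The following is an added script, not part of the paper, that redoes the sums in the log2 domain from the terms quoted in the two Complexity paragraphs and from the δ_{14:17} distribution listed in the LBlock section. The function names are illustrative, and the rule that a difference with probability p covers 32·p key values is inferred from the 8, 4 and 2 values stated in the text.

```python
from fractions import Fraction
from math import log2

# Distribution of delta_{14:17} as listed on the page (summary of Table 3).
DELTA_DIST = {
    "1100": Fraction(4, 32), "0111": Fraction(8, 32), "1010": Fraction(2, 32),
    "0110": Fraction(2, 32), "0100": Fraction(4, 32), "1111": Fraction(4, 32),
    "1011": Fraction(4, 32), "1001": Fraction(2, 32), "0101": Fraction(2, 32),
}

def expected_guesses(dist, key_values=32):
    """Average number of values of (k_{14:17}, S_9(k_{18:21})^3) that are tried.

    Assumption: a difference with probability p covers m = key_values * p
    values, tested one by one, so it costs (1 + ... + m) / m = (m + 1) / 2.
    """
    if sum(dist.values()) != 1:
        raise ValueError("probabilities must sum to 1")
    return sum(p * (key_values * p + 1) / 2 for p in dist.values())

def log2_sum(terms):
    """log2 of sum(c * 2**e) over (c, e) pairs, without forming huge floats."""
    logs = [e + log2(c) for c, e in terms]
    top = max(logs)
    return top + log2(sum(2 ** (x - top) for x in logs))

def lblock_25(log2_n=60.4):
    """log2 of (T1 in S-box accesses, T, total, expected total) in encryptions."""
    t1 = log2_sum([(5, log2_n + 19), (2, 83), (2, 82), (2, 79),
                   (1, 80), (1, 78), (3, 75), (2, 72)])
    t = t1 - log2(8) - log2(25)           # the page's factors 1/8 and 1/25
    total = log2_sum([(1, 74), (1, t)])   # 2^74 is Step 5: 2^75 * alpha_1
    expected = total + log2(float(expected_guesses(DELTA_DIST)))
    return t1, t, total, expected

def twine128_28(log2_n=61.5):
    """log2 of (T1 in S-box accesses, T, total) for the 28-round attack."""
    t1 = log2_sum([(17, log2_n + 65), (12, 129), (1, 130)])
    t = t1 - log2(8) - log2(28)           # the page's factors 1/8 and 1/28
    total = log2_sum([(1, 125), (1, t)])  # 2^125 is Step 5: 2^128 * alpha_1
    return t1, t, total

if __name__ == "__main__":
    print("average guesses:", expected_guesses(DELTA_DIST))
    print("LBlock-25 :", ["%.2f" % x for x in lblock_25()])
    print("TWINE-128 :", ["%.2f" % x for x in twine128_28()])
```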
Key recovery for 27-round TWINE-128
We use the 17-round 8-dimensional linear approximations with key difference invariant bias to attack 27-round TWINE-128. By placing the 17-round 8-dimensional linear approximations in rounds 6 to 22, we can perform a key recovery attack on 27-round TWINE-128. Similarly, we can express the two target values \(X_{5}^{12}\) and \(X_{22}^{7}\): the value \(X_{5}^{12}\) is the same as in (7), and the nibble \(X_{22}^{7}\) can be expressed as:
The nibble \(X_{5}^{12}\) is affected by 48 bits of plaintext X_{0} and 48 bits of round keys, the nibble \(X_{22}^{7}\) is affected by 48 bits of ciphertext X_{27} and 48 bits of round keys. The following relations exist in the related round keys:
Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as in Table 7.
Complexity. We set α_{0}=2^{−2.7}, α_{1}=2^{−8.5}; according to Eq. (3), the data complexity is N^{DKP}≈2^{62.3}. The time complexity of the partial computation is about 2^{107.27} S-box accesses, which is about \(2^{107.27} \cdot \frac {1}{8} \cdot \frac {1}{27}=2^{99.52}\) 27-round TWINE-128 encryptions. The exhaustive search over the remaining key candidates takes about 2^{128}·α_{1}=2^{119.5} 27-round encryptions. Thus, the total time complexity is about 2^{99.52}+2^{119.5}≈2^{119.5} 27-round TWINE encryptions. Meanwhile, the memory requirements are about 2^{61} bytes. Figure 4 depicts different possible data-time tradeoffs with α_{0}=2^{−2.7}.
Combined Model. In order to reduce the data complexity of the attacks, we can perform a 27-round key recovery attack that uses the differential paths of all 15 key differences satisfying the condition of key difference invariant bias together. Let δ^{(i)}, 1≤i≤15, denote the i-th master key difference that satisfies the condition of key difference invariant bias. Let V_{i}(η) and V^{′}_{i}(η), η=0,...,2^{m}−1, denote the number of occurrences of the value η in the observed data distribution for master keys κ and κ^{′} such that κ⊕κ^{′}=δ^{(i)}, with the N texts. Let Q^{(i)}, i=1,...,15, be the i-th statistic under master key difference δ^{(i)}, then
Define statistic \(T=\sum _{i=1}^{15}{Q^{(i)}}\), then, for the right key guess, T approximately follows the normal distribution for sufficiently large N and n:
Similarly, for the wrong key guess, we have:
Then, under the KP and DKP cases, the amount of data needed by the distinguisher T are
Complexity. By setting α_{0}=2^{−2.7}, α_{1}=2^{−8.5}, according to Eq. (8) the data complexity is N^{DKP}≈2^{60.44}, the total time complexity is about 2^{119.5} 27-round TWINE encryptions, and the memory requirements are about 15·2^{61} bytes.
Conclusion
In this paper, we propose a new statistical related-key distinguisher under the scenario of key difference invariant bias for multidimensional linear cryptanalysis. Compared with the model in Bogdanov et al. (2013), our new model has two main advantages: one is that the assumption of statistical independence of linear approximations can be removed, and the other is that our model considers all linear approximations of a linear subspace with the key difference invariant bias property, excluding zero, so our new model increases the freedom. Moreover, the partial-compression technique is used to reduce the time complexity. We carefully choose the order of guessing keys and guess each subkey nibble one after another. Besides, we take the key schedule into consideration and use the relations among the related round keys to reduce the number of round keys that need to be guessed. To illustrate the new attack model, we evaluate the security of the LBlock and TWINE-128 block ciphers against our cryptanalysis technique. For LBlock, based on the 16-round key difference invariant bias distinguisher, we present a 25-round key recovery attack. For TWINE-128, we apply the 17-round key difference invariant bias distinguisher to a 28-round key recovery attack. We attack more rounds than the best previous cryptanalysis. Where previous attacks break 24-round LBlock and 27-round TWINE-128, our attack breaks the same number of rounds with less time complexity and data complexity.
Availability of data and materials
Not applicable.
References
Blondeau, C, Nyberg K (2017) Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des Codes Crypt 82(12):319–349.
Bogdanov, A, Boura C, Rijmen V, Wang M, Wen L, Zhao J (2013) Key difference invariant bias in block ciphers. In: Sako K, Sarkar P (eds) 19th International Conference on the Theory and Application of Cryptology and Information Security, 357–376. Springer, Berlin, Heidelberg.
Boztas, Ö, Karakoç F, Çoban M (2013) Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128. In: Avoine G, Kara O (eds) Second International Workshop Lightweight Cryptography for Security and Privacy, 55–67. Springer, Berlin, Heidelberg.
Cho, JY, Hermelin M, Nyberg K (2008) A new technique for multidimensional linear cryptanalysis with applications on reduced round serpent. In: Lee PJ, Cheon JH (eds) 11th International Conference Information Security and Cryptology, 383–398. Springer, Berlin, Heidelberg.
Daemen, J, Rijmen V (2002) The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Berlin, Heidelberg.
Daemen, J, Rijmen V (2007) Probability distributions of correlation and differentials in block ciphers. J Math Cryptol 1(3):221–242.
Hermelin, M, Cho JY, Nyberg K (2008) Multidimensional linear cryptanalysis of reduced round serpent. In: Mu Y, Susilo W, Seberry J (eds) 13th Australasian Conference Information Security and Privacy, 203–215. Springer, Berlin, Heidelberg.
Hermelin, M, Cho JY, Nyberg K (2009) Multidimensional extension of Matsui’s algorithm 2. In: Dunkelman O (ed) Fast Software Encryption, 209–227. Springer, Berlin, Heidelberg.
Kaliski, BS, Robshaw MJB (1994) Linear cryptanalysis using multiple approximations. In: Desmedt Y (ed) 14th Annual International Cryptology Conference, 26–39. Springer, Berlin, Heidelberg.
Liu, S, Gong Z, Wang L (2012) Improved related-key differential attacks on reduced-round LBlock. In: Chim TW, Yuen TH (eds) 14th International Conference Information and Communications Security, 58–69. Springer, Berlin, Heidelberg.
Matsui, M (1993) Linear cryptanalysis method for DES cipher. In: Helleseth T (ed) Advances in Cryptology - EUROCRYPT ’93, 386–397. Springer, Berlin, Heidelberg.
Minier, M, Naya-Plasencia M (2012) A related key impossible differential attack against 22 rounds of the lightweight block cipher lblock. Inf Process Lett 112(16):624–629.
Sasaki, Y, Wang L (2013) Meet-in-the-middle technique for integral attacks against feistel ciphers. In: Knudsen LR, Wu H (eds) Selected Areas in Cryptography, 234–251. Springer, Berlin, Heidelberg.
Sasaki, Y, Wang L (2013) Comprehensive study of integral analysis on 22-round lblock. In: Kwon T, Lee MK, Kwon D (eds) Information Security and Cryptology – ICISC 2012, 156–169. Springer, Berlin, Heidelberg.
Selçuk, AA, Biçak A (2002) On probability of success in linear and differential cryptanalysis. In: Cimato S, Galdi C, Persiano G (eds) Third International Conference Security in Communication Networks, 174–185. Springer, Berlin, Heidelberg.
Soleimany, H, Nyberg K (2014) Zero-correlation linear cryptanalysis of reduced-round lblock. Des Codes Crypt 73(2):683–698.
Suzaki, T, Minematsu K, Morioka S, Kobayashi E (2012) TWINE: A lightweight block cipher for multiple platforms. In: Knudsen LR, Wu H (eds) 19th International Conference Selected Areas in Cryptography, 339–354. Springer, Berlin, Heidelberg.
Wang, N, Wang X, Jia K (2016) Improved impossible differential attack on reduced-round lblock. In: Kwon S, Yun A (eds) Information Security and Cryptology - ICISC 2015, 136–152. Springer International Publishing, Berlin, Heidelberg.
Wang, Y, Wu W (2014) Improved multidimensional zero-correlation linear cryptanalysis and applications to lblock and TWINE. In: Susilo W, Mu Y (eds) 19th Australasian Conference Information Security and Privacy, 1–16. Springer, Berlin, Heidelberg.
Wen, L, Wang MQ, Zhao JY (2014) Related-key impossible differential attack on reduced-round lblock. J Comput Sci Technol 29(1):165–176.
Wu, W, Zhang L (2011) LBlock: A lightweight block cipher. In: López J, Tsudik G (eds) 9th International Conference Applied Cryptography and Network Security, 327–344.
Acknowledgements
Not applicable.
Funding
This work was supported by the National Natural Science Foundation of China (Grant No.61379138).
Contributions
The first author conceived the idea of the study and wrote the paper; both authors discussed the results and revised the final manuscript. Both authors read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Cao, W., Zhang, W. Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers. Cybersecur 4, 32 (2021). https://doi.org/10.1186/s42400021000964
DOI: https://doi.org/10.1186/s42400021000964
Keywords
 Key-alternating cipher
 Key difference invariant bias
 Multidimensional linear cryptanalysis
 LBlock
 TWINE