For block ciphers, Bogdanov et al. found that some linear approximations have biases that are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. We use the relations among the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2^{60.4} distinct known plaintexts, 2^{78.85} time complexity and 2^{61} bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^{61.5} distinct known plaintexts, 2^{126.15} time complexity and 2^{61} bytes of memory requirements. These are currently the best cryptanalysis results on LBlock and TWINE-128.

Introduction

Linear cryptanalysis, introduced by Matsui in 1993, has become one of the most important cryptanalysis methods for block ciphers. Since its introduction a quarter of a century ago, linear cryptanalysis has been extended to various more evolved statistical attacks, including multiple linear cryptanalysis (Kaliski and Robshaw 1994) and multidimensional linear cryptanalysis (Hermelin et al. 2008; Hermelin et al. 2009; Cho et al. 2008; Blondeau and Nyberg 2017). Various authors have previously presented different approaches to exploit multiple linear approximations to enhance linear cryptanalysis. In multiple linear cryptanalysis, a fundamental assumption was that the approximations are statistically independent. The theoretically restrictive assumption of independence of linear approximations was removed in multidimensional linear cryptanalysis at the cost of taking into account a family of linear approximations which covers a linear space excluding zero. Hermelin et al. (2009) presented the log-likelihood ratio and χ^{2} statistical distinguishers that can be used to perform key recovery attacks. The aim of a statistical key-recovery attack is to search for the right value of some bits of the round key based on a known statistical property of the cipher. This property is expected to be detected only for the right key candidate, while wrong key candidates, which are far from satisfying the property, can be discarded. To estimate the data complexity of a statistical attack, the probability distributions of the involved random variables for the right and wrong keys are analyzed. These distributions depend on the data sample used to compute them as well as on the encryption key and the key candidate. Selçuk gave a formal probabilistic model for linear and differential cryptanalysis in Selçuk and Biçak (2002). The probabilistic model provided efficient formulations that can be used to estimate the success probability of a given attack or to find the data complexity to achieve a certain success level.

Bogdanov et al. (2013) revealed a fundamental property of block ciphers: there can exist linear approximations such that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. They proposed a statistical related-key distinguisher for this property and turned it into key recovery attacks on LBlock and TWINE-128. Under some basic independency assumptions, they computed the sample biases of a set of approximations with this property for two keys, and constructed an efficient statistical related-key distinguisher. In their model, a fundamental assumption was that the linear approximations are statistically independent. But this assumption is hard to verify in practice. In this paper, we propose a multidimensional related-key distinguisher for the key difference invariant bias property, which removes the independence assumption on the linear approximations.

To decrease key set-up time and to reduce the cost of hardware, the key schedules of lightweight ciphers are usually simple. The diffusion of the key schedule plays an important role in the security of a block cipher, so more effort should be spent on the key schedules of lightweight block ciphers. Wang et al. improved the multidimensional zero-correlation linear attack in Wang and Wu (2014). They took the key schedule into consideration and used the relations that exist among the round keys involved in the key recovery attack to reduce the number of round keys that need to be guessed. They carefully chose the order of guessing keys and guessed each subkey nibble one after another. They also used the partial-compression technique to reduce the time complexity.

Blondeau and Nyberg (2017) developed distinct-known-plaintext (DKP) sampling, which was first introduced in the context of multidimensional zero-correlation attacks[11]. The DKP sample can improve the data complexity of multiple linear attacks, multidimensional linear attacks and key difference invariant bias attacks.

Our contributions

The contributions of this paper are as follows.

New model with key difference invariant bias

In this paper, we take into account multidimensional cryptanalysis with key difference invariant bias. The main motivation of this method is that the dependencies of linear approximations need not be measured explicitly. We present a multidimensional statistical related-key distinguisher for the key difference invariant bias property of key-alternating block ciphers. Our new model has the following two advantages:

(1) It does not assume statistical independence of linear approximations, i.e. the assumption about statistical independence of linear approximations can be removed.

(2) It considers all linear approximations of a linear subspace with the key difference invariant bias property, excluding zero. This increases the freedom of the model, thus the data complexity is reduced.

We analyze the probability distribution of the new related-key statistic Q in both the right-key and the wrong-key case and derive the formula for the data complexity of a given attack. In addition, the new statistical model takes into account whether the data sample is obtained by the usual known plaintext (KP) sampling or by distinct known plaintext (DKP) sampling.

Key Recovery Attack for LBlock and TWINE-128

By using the new related-key statistic Q, we give the first key-recovery attack on 25-round LBlock. We place the 16-round 8-dimensional linear approximations with key difference invariant bias in rounds 5 to 20. We partially encrypt the first 4 rounds and partially decrypt the last 5 rounds. The attack is affected by 32 bits of a plaintext, 48 bits of a ciphertext and 76 bits of round keys. Because the attack involves so many plaintext bits, ciphertext bits and round key bits, the data complexity and time complexity are both too large. In order to reduce the data complexity and the time complexity, we take the key schedule of LBlock into consideration and obtain the relations that exist among the involved round keys. These relations reduce the key information that needs to be guessed by 17 bits. We carefully choose the order of guessing key bits and use the partial-compression technique to reduce the time complexity. Our attack can recover the 80-bit master key of LBlock with about 2^{60.4} distinct known plaintexts, 2^{78.85} time complexity and 2^{61} bytes of memory requirements. Similarly, using the same multidimensional linear approximation, we can give a 24-round attack on LBlock which is better than that in Bogdanov et al. (2013). In Table 1, we present a comparison of our attack results and the best known ones.

We apply the new related-key model to perform a 28-round attack on TWINE-128. We place the 17-round 8-dimensional linear approximations with key difference invariant bias in rounds 6 to 22. We partially encrypt the first 5 rounds and partially decrypt the last 6 rounds. We take the key schedule of TWINE-128 into consideration and obtain the relations that exist among the involved round keys. We use the partial-compression technique to reduce the time complexity. Our attack can recover the 128-bit master key of TWINE-128 with about 2^{61.5} distinct known plaintexts, 2^{126.15} time complexity and 2^{61} bytes of memory requirements, with success probability 0.85. Similarly, using the same multidimensional linear approximation, we can give a 27-round attack on TWINE-128 which is better than that in Bogdanov et al. (2013). In addition, we combine all differential paths of the 15 key differences that satisfy the property of invariant bias. We thus propose a combined model and perform the 27-round attack on TWINE-128 with about 2^{60.44} distinct known plaintexts, 2^{119.5} time complexity and 15·2^{61} bytes of memory requirements. Our attacks are compared to previous attacks on TWINE-128 in Table 2.

Preliminaries

Linear cryptanalysis with key difference invariant bias

Bogdanov et al. (2013) analysed the fundamental question of how the bias of the entire linear approximation behaves under a change of key. They revealed a property of many block ciphers, namely, that the bias of a linear approximation can actually be invariant under a modified key. Based on this fact, they proposed a statistical related-key distinguisher and demonstrated that it can be used to efficiently distinguish the cipher from an idealized cipher under some basic independency assumptions. As an illustration, they applied the cryptanalytic technique of key difference invariant bias to LBlock and TWINE-128. In this section, we introduce some definitions and main results from Bogdanov et al. (2013).

Consider an n-bit block cipher f with a k-bit key. Linear cryptanalysis is based on a linear approximation determined by input mask a and output mask b. The bias of the linear approximation (a,b) of f is defined by

The value c(a,b)=2ε(a,b) is called correlation of the linear approximation (a,b). A linear approximation (a,b) of an iterative block cipher is called a linear hull. The linear hull contains all possible sequences of the linear approximations over individual rounds with input mask a and output mask b. These sequences are called linear trails which we denote by θ. Given a linear hull (a,b), a linear trail θ is the concatenation of an input mask a=θ_{0} before the first round, an output mask b=θ_{r} after the last round, and r−1 intermediate masks θ_{i} between rounds i−1 and i:

Thus, each linear trail consists of (r+1) n-bit masks. The bias ε_{θ} of the linear trail θ is defined as the scaled product of the individual biases \( \varepsilon _{\theta _{i-1}, \theta _{i}} \) over each round,

Let each round i,1≤i≤r, of a block cipher have its own n-bit subkey k_{i}. This block cipher is key alternating, if the key material in round i is introduced by XORing the subkey k_{i} to the state at the end of the round. Additionally, the subkey k_{0} is XORed with the plaintext before the first round.

The r round subkeys K_{0},K_{1},..., K_{r}, build the expanded key K (of length n(r+1) bits) which is derived from the master key κ using a key-schedule algorithm φ. From Daemen and Rijmen (2002), for a key-alternating block cipher, the bias ε(a,b) of the linear hull (a,b) is

In an n-bit key-alternating block cipher, let φ be the key schedule, and let K and K^{′} be the expanded keys corresponding to two master keys κ and κ^{′}, K=φ(κ) and K^{′}=φ(κ^{′}), satisfying K=K^{′}⊕Δ, where the difference Δ describes a connection between K and K^{′}. Let ε and ε^{′} be the two biases under the two keys κ and κ^{′}, with κ≠κ^{′}, then

When does the equality ε=ε^{′} hold? The equality holds if d_{θ}⊕θ·K=d_{θ}⊕θ·K^{′}, that is, θ·Δ=0. In the following, we give a short summary of the contributions in Bogdanov et al. (2013).

Theorem 1 ((Bogdanov et al. 2013), Key difference invariant bias for key-alternating ciphers).

Let (a,b) be a non-trivial linear approximation of a key-alternating block cipher. Its biases ε for expanded key K and ε^{′} for expanded key K^{′} with K^{′}=K⊕Δ have exactly equal values ε=ε^{′}, if θ·Δ=0 for each linear characteristic θ of the linear hull (a,b) with ε_{θ}≠0.

Given a linear approximation (a,b), we denote by θ_{j},j=1,...,n(r+1) the j-th bit of a linear characteristic θ. Bit positions j such that θ_{j}=0 for all θ with ε_{θ}≠0 are called zero positions. Otherwise, a position is called a nonzero position. Next we give a more explicit sufficient condition for keeping θ·Δ=0.

Corollary 1.

[(Bogdanov et al. 2013), Condition 1, Sufficient condition for key difference invariant bias] For a fixed non-trivial linear approximation (a,b) of a key-alternating block cipher, the relation between a pair of the user-supplied keys κ and κ^{′} is such that the expanded key difference Δ=K⊕K^{′} chooses an arbitrary number of zero positions and no nonzero positions in the linear characteristics θ of the linear approximation, with ε_{θ}≠0.
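Theorem 1 and Corollary 1 can be checked exhaustively on a small cipher. The following Python code is an added example, not code from the paper: the 8-bit two-round key-alternating toy cipher, its bit permutation, the borrowed PRESENT S-box and all function names are assumptions made for illustration. It enumerates the trails of each approximation to find the zero positions of the middle round key k1, then confirms that a key difference on zero positions leaves the bias unchanged while a difference on a nonzero position does not.

```python
from functools import lru_cache

# Toy 8-bit key-alternating cipher (constructed for this example, not LBlock or TWINE).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]    # PRESENT S-box, borrowed as a 4-bit S-box
PERM = [0, 1, 4, 5, 2, 3, 6, 7]                     # state bit i moves to position PERM[i]
PAR = [bin(x).count("1") & 1 for x in range(256)]   # parity lookup table


def p_layer(x):
    """Bit permutation; a linear mask propagates through it in the same way."""
    return sum(((x >> i) & 1) << PERM[i] for i in range(8))


# Inverse permutation as a table, used to pull masks back through the P layer.
PINV = [sum(((x >> PERM[i]) & 1) << i for i in range(8)) for x in range(256)]
# One unkeyed round: two parallel S-boxes followed by the bit permutation.
ROUND = [p_layer(SBOX[x & 0xF] | (SBOX[x >> 4] << 4)) for x in range(256)]
# LAT4[u][w] = sum over x of (-1)^(u.x XOR w.S(x)) for a single S-box.
LAT4 = [[sum(1 - 2 * (PAR[u & x] ^ PAR[w & SBOX[x]]) for x in range(16))
         for w in range(16)] for u in range(16)]


@lru_cache(maxsize=None)
def codebook(keys):
    """All 256 ciphertexts for expanded key (k0, k1, k2): k0, round, k1, round, k2."""
    k0, k1, k2 = keys
    return tuple(ROUND[ROUND[x ^ k0] ^ k1] ^ k2 for x in range(256))


def correlation_count(a, b, keys):
    """Sum over x of (-1)^(a.x XOR b.E(x)); the bias of (a, b) is this value / 512."""
    return sum(1 - 2 * (PAR[a & x] ^ PAR[b & y]) for x, y in enumerate(codebook(keys)))


def s_layer_active(u, w):
    """True if the mask pair (u -> w) over the S-box layer has nonzero correlation."""
    return LAT4[u & 0xF][w & 0xF] != 0 and LAT4[u >> 4][w >> 4] != 0


def nonzero_positions(a, b):
    """OR of all middle masks theta_1 whose trail (a, theta_1, b) has nonzero bias."""
    nz = 0
    for theta1 in range(256):
        if s_layer_active(a, PINV[theta1]) and s_layer_active(theta1, PINV[b]):
            nz |= theta1
    return nz


def approximations():
    """(a, b, nz): a enters S-box 0 of round 1, b is fed only by S-box 1 of round 2."""
    found = []
    for a in range(1, 16):
        for v in range(1, 16):
            b = p_layer(v << 4)
            nz = nonzero_positions(a, b)
            if nz:                                   # at least one trail with nonzero bias
                found.append((a, b, nz))
    return found


def check_invariance(key_list):
    """Flip every zero position of k1 in turn and count cases where the bias changes."""
    checked = violations = 0
    for a, b, nz in approximations():
        for k0, k1, k2 in key_list:
            base = correlation_count(a, b, (k0, k1, k2))
            for j in range(8):
                if (nz >> j) & 1:
                    continue                         # nonzero position: not allowed in Delta
                checked += 1
                violations += correlation_count(a, b, (k0, k1 ^ (1 << j), k2)) != base
    return checked, violations


def changes_for_some_key(a, b, j, k0=0x3A, k2=0xC5):
    """Control: a difference on nonzero position j of k1 changes the bias for some k1."""
    return any(correlation_count(a, b, (k0, k1, k2)) !=
               correlation_count(a, b, (k0, k1 ^ (1 << j), k2)) for k1 in range(256))


if __name__ == "__main__":
    KEYS = [(0x3A, 0x7E, 0xC5), (0x00, 0xFF, 0x81), (0x5D, 0x12, 0x9B)]  # constructed keys
    print("checked, violations:", check_invariance(KEYS))
    a, b, nz = approximations()[0]
    j = nz.bit_length() - 1
    print(f"a={a:#04x} b={b:#04x} nonzero positions of k1={nz:#04x};",
          f"bias changes when bit {j} flips:", changes_for_some_key(a, b, j))
```

In this toy cipher the nonzero positions of k1 always lie within bits 4 and 5, so the remaining six bits of k1 may carry an arbitrary difference without affecting the bias of these approximations.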

For random block ciphers and block sizes n≥5, the bias ε of a linear approximation follows a normal distribution with mean 0 and variance 2^{−n−2} from Daemen and Rijmen (2007), that is, \( \varepsilon \sim \mathcal {N}(0,2^{-n-2}) \). Then, the probability for biases with two different keys to be equal is \( Pr \{\varepsilon =\varepsilon '|\kappa \neq \kappa ' \} \approx \frac {1}{\sqrt {2 \pi }}2^{\frac {3-n}{2}} \).

Consider N plaintext-ciphertext pairs and λ linear approximations under a pair of expanded keys K,K^{′} with Δ=K⊕K^{′}, where Δ satisfies condition 1 for key difference invariant bias. For each of these linear approximations we allocate counters S_{i} and S_{i}^{′},i=1,...,λ, which account for the number of times that these linear approximations are satisfied under K and K^{′} for each of the N known plaintexts. The statistic s is as follows:

Assuming the counters S_{i} and S_{i}^{′},i=1,...,λ, are all independent, s approximately follows a normal distribution with mean \( \frac {\lambda }{2 N} \) and variance \( \frac {\lambda }{2 N^{2}} \) for the right key, that is,

In the two cases above, we have seen that the statistic s follows two different normal distributions. When testing the key candidates, the cryptanalyst faces a statistical hypothesis testing task. Consider two normal distributions \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) and \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). Without loss of generality, assume that μ_{0}<μ_{1}. A sample t is drawn from either \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) or \( \mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). The hypothesis test is performed to determine which distribution the sample comes from. Compare the value t with some threshold value τ: if t≤τ, the test returns \( t\in \mathcal {N}\left (\mu _{0},\sigma _{0}^{2}\right) \); if t>τ, the test returns \( t\in \mathcal {N}\left (\mu _{1},\sigma _{1}^{2}\right) \). There are two types of error probabilities. The type I error is the probability of deciding that the sample t comes from \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\) when t actually comes from \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\). The type II error is the probability of deciding that the sample t comes from \( \mathcal {N} \left (\mu _{0}, \sigma _{0}^{2}\right)\) when t actually comes from \(\mathcal {N} \left (\mu _{1}, \sigma _{1}^{2}\right)\). The two errors are denoted by α_{0} and α_{1} as follows.

The decision threshold is \(\tau =\mu _{0}+\sigma _{0} q_{1-\alpha _{0}}=\mu _{1}-\sigma _{1} q_{1-\alpha _{1}}\), where \(q_{1-\alpha _{1}}\) and \(q_{1-\alpha _{0}}\) are the quantiles of the standard normal distribution \(\mathcal {N} (0, 1)\).

Using the s distributions for the right and wrong key, we obtain the following equation that determines the amount of data needed by the distinguisher s:

where α_{0} is the probability to reject the right key, whereas α_{1} is the probability to accept a wrong key.

The statistical cryptanalysis attack also depends on the way the data sample is obtained. In a known plaintext (KP) attack, the plaintext-ciphertext pairs (P, C) are sampled with replacement. If the plaintext-ciphertext pairs are sampled randomly without replacement, the attack is called a distinct-known-plaintext (DKP) attack. Suppose N plaintext-ciphertext pairs are sampled randomly, and denote by Z the random variable corresponding to the number of plaintext-ciphertext pairs that satisfy the linear approximation. In the cases of KP and DKP sampling, the variable Z follows a binomial and a hypergeometric distribution, respectively. The two distributions have the same expectation Np, and the variance is BNp(1−p), where p is the probability that the linear approximation holds and the constant B is defined by

Multidimensional approximation of boolean functions

In this section, we introduce two lemmas of multidimensional linear cryptanalysis (Hermelin et al. 2008) that will be needed in the next section.

Let f:V_{n}→V_{l} be a vector Boolean function, and binary vectors v_{i}∈V_{l} and u_{i}∈V_{n},i=1,2,...,m, be linear masks such that the paired masks (u_{i},v_{i}) are linearly independent. Define functions g_{i} by

and assume g_{i} have correlations c_{i},i=1,...,m. We will call these correlations base-correlations, and the corresponding linear approximations of f the base-approximations. We want to find the probability distribution of the m-dimensional linear approximation

$$g(\xi) :=V f(\xi)+U \xi $$

where V=(v_{1},...,v_{m}),U=(u_{1},...,u_{m}) and g=(g_{1},...,g_{m}). Let the probability distribution of g be p=(p_{0},...,p_{M}),M=2^{m}−1. Assume that we have the correlations c(a) of all the linear mappings a·g of g. We will call the correlations c(a) the combined correlations of f and the corresponding approximations the combined approximations.

Definition 2.

The capacity between two probability distributions p and q is defined by

Let us consider an m-dimensional linear attack whose m base approximations construct an m-dimensional vectorial Boolean function f. Let \( p=(p_{0},...,p_{2^{m}-1}) \) denote the probability distribution of f, and let γ be the discrete uniform distribution. The capacity of the m-dimensional linear approximation is as below:

For simplicity, let C(p) denote the capacity of the probability distribution of m-dimensional linear approximations.

Lemma 1.

[(Hermelin et al. 2008)] Let \( g:F_{2}^{n}\rightarrow F_{2}^{m} \) be a Boolean function with probability distribution p and one-dimensional correlations c(a) of a·g. Then

Lemma 2.

[(Hermelin et al. 2008)] Let \( g:F_{2}^{n}\rightarrow F_{2}^{m} \) be the Boolean function with probability distribution p. Then the capacity C(p) of p satisfies

Note 1. If a random variable X has the χ^{2} distribution with l degrees of freedom, then X approximately follows normal distribution with mean l and variance 2l when l is sufficiently large, that is, \( X\rightarrow \mathcal {N}(l, 2l) \).

Note 2. Suppose X is d-dimensional normal random vector with mean vector μ and covariance \( \Sigma, X \sim \mathcal {N}_{d}(\mu, \Sigma) \), then (X−μ)^{T}Σ^{−1}(X−μ) follows a χ^{2} distribution with r degrees of freedom, r=rank(Σ).

We will need the above results in the next section, where we study how the multidimensional linear statistic is applied in key difference invariant bias linear cryptanalysis.

Improved statistical distinguisher with key difference invariant bias

In this section, we firstly consider multidimensional linear attacks with key difference invariant bias and present a new statistic Q. Then we analyse the probability distribution of statistic Q for the right/wrong key guess, and give the data complexity of an attack to achieve a certain success level under KP and DKP cases, respectively. Finally, the key recovery attack procedure which uses our new model is described.

A new statistical distinguisher

We analyse the relation between correlations and probability distributions of a multidimensional linear approximation under two distinct round keys. For a block cipher \( f:F_{2}^{n}\rightarrow F_{2}^{n} \), we consider m-dimensional linear cryptanalysis of f. Assume the base-approximations of the m-dimensional linear approximation are g=(g_{1},...,g_{m}). Let us denote by c(a) and c^{′}(a) the correlations of a·g under master keys κ and κ^{′}, respectively, and denote by p_{η} and \(p^{\prime }_{\eta }\) the probability distributions of g under master keys κ and κ^{′}, respectively. We can obtain the next lemma.

Thus Eq. (1) holds, and Lemma 3 follows as desired. □

Thus we can present a new statistic based on the key difference invariant bias property by using an m-dimensional linear approximation for an n-bit block cipher. Suppose the data sample is randomly selected and the sample size is N. Let V(η) and V^{′}(η),η=0,...,2^{m}−1, denote the number of occurrences of value η in the observed data distribution for master keys κ and κ^{′} with the N plaintexts. We propose a new statistic Q:

As we aim to perform a key recovery attack with this statistic Q, we will derive the distribution of Q for the right key guess and for the wrong key guess.

In the case of right key guess, we obtain the following result.

Proposition 1.

[Distribution of Statistic Q for the Right Key] Consider an m-dimensional linear approximation for a block cipher under a pair of expanded keys (K,K^{′}) connected by Δ conforming to condition 1. Let N be the number of KP or DKP pairs, let V(η) and V^{′}(η) be the frequencies of value η in the observed data distribution for K and K^{′}, respectively, and let m be high enough. Then the following approximate distribution holds for sufficiently large N and m:

$$Q \sim \mathcal{N} \left(\frac{2 B l}{N}, \frac{8 B^{2} l}{N^{2}}\right) $$

We first consider the KP case. For an m-dimensional linear attack, let l=2^{m}−1, let N be the number of random KP pairs, and let V(η) and V^{′}(η),η=0,...,2^{m}−1, denote the number of occurrences of value η in the observed data distribution for master keys κ and κ^{′}. The random vector (V(0),...,V(l))^{T} follows a multinomial distribution with parameters N and p(κ), where p(κ)=(p_{0}(κ),...,p_{l}(κ)) with \( \sum _{\eta =0}^{l}p_{\eta }(\kappa)=1 \). The variance of V(i) is Np_{i}(κ)(1−p_{i}(κ))≈N2^{−m}(1−2^{−m}). The covariance of V(i) and V(j) is Cov(V(i),V(j))=−Np_{i}(κ)p_{j}(κ)≈−N2^{−2m}. The counters V(η) and V^{′}(η) suggest the empirical probabilities \(\hat {p}_{\eta }(\kappa)=\frac {V(\eta)}{N}\) and \(\hat {p}_{\eta }(\kappa ^{\prime })=\frac {V^{\prime }(\eta)}{N}\), respectively. Let \( \hat {p} (\kappa)=(\hat {p}_{0}(\kappa),..., \hat {p}_{l-1}(\kappa))^{T}, \hat {p} (\kappa ^{\prime })=(\hat {p}_{0}(\kappa ^{\prime }),..., \hat {p}_{l-1}(\kappa ^{\prime }))^{T}\). For sufficiently large N, the random vector \( \hat {p} (\kappa) \) approximately follows an l-dimensional normal distribution with mean vector p(κ)=(p_{0}(κ),...,p_{l−1}(κ))^{T} and covariance matrix Σ=N^{−1}2^{−m}(I_{l}−2^{−m}E), where I_{l} is an identity matrix and E is an l×l matrix whose entries are all equal to one, that is,

In the case of DKP sample, the random vector (V(0),...,V(l))^{T} follows a multivariate hypergeometric distribution. The variance of V(i) is \(\frac {2^{n}-N}{2^{n}-1} Np_{i}(\kappa)(1-p_{i}(\kappa)) \approx \frac {2^{n}-N}{2^{n}-1}N2^{-m}(1-2^{-m}) \). The covariance of V(i) and V(j) is

The following steps of the proof are similar to those in the KP case. □

In the case of a wrong key guess, we rely on the hypothesis that, for a wrong key, the cipher behaves as a permutation drawn at random. Suppose the probabilities p_{η}(k),η=0,...,2^{m}−1, of the m-dimensional linear approximation are independent and identically distributed according to a normal distribution \(\mathcal {N} \left (2^{-m}, \sigma ^{2}\right)\). According to Lemma 1, for a≠0,

we have \( c_{a}(k) \sim \mathcal {N} \left (0,2^{m} \sigma ^{2}\right).\) In Daemen and Rijmen (2007), Daemen and Rijmen show that the correlation distribution of an ideal cipher is normal with mean zero and variance 2^{−n}, i.e., \(c_{a}(k) \sim \mathcal {N} \left (0, 2^{-n}\right)\). So we obtain \(2^{m}\sigma ^{2}=2^{-n}, p_{\eta }(k) \sim \mathcal {N} \left (2^{-m}, 2^{-m-n}\right).\) Then we have the following proposition for the distribution of Q.

Proposition 2.

[Distribution of Statistic Q for the Wrong Key] Consider an m-dimensional linear approximation for two randomly drawn permutations. Let N be the number of KP or DKP pairs, let V(η) and V^{′}(η) be the frequencies of value η in the observed data distribution for the two permutations, respectively, and let m be high enough. Then the following approximate distribution holds for sufficiently large N and n:

The proof of Proposition 2 is similar to that of Proposition 1.

In the two cases above, we have seen that the statistic Q follows two different normal distributions. Using statistical hypothesis testing, we obtain the following data complexity under KP and DKP data samples, respectively.

$$ N^{D K P}=\frac{2^{n+0.5}\left(q_{1-\alpha_{0}}+q_{1-\alpha_{1}}\right)}{\sqrt{l}+\sqrt{2} \cdot q_{1-\alpha_{0}}}. \tag{3} $$

where α_{0} is the probability to reject the right key, α_{1} is the probability to accept a wrong key.

Procedure of key recovery attack

We describe the key recovery attack procedure which uses the statistic Q. The attack procedure is as follows:

Step 1: For all related-key differential paths (a,b) with a difference δ=κ⊕κ^{′} on the master key that satisfy the key difference invariant bias condition, collect N plaintext-ciphertext pairs (P, C) under the keys κ and κ^{′}=κ⊕δ.

Step 2: Partially encrypt r_{top} rounds and partially decrypt r_{bot} rounds to obtain the partial state values x and x^{′} covered by the input/output masks of (a,b) under κ and κ^{′}, respectively. Compute the number of times N[x] and N[x^{′}] that the partial state values occur.

Step 3: For all state values of x and x^{′}, compute the value η, allocate counters V(η) and V^{′}(η) and set their initial values to zero. If the value η occurs, then add N[x] and N[x^{′}] to V(η) and V^{′}(η), respectively. Compute

Step 4: If Q<τ, then the guessed subkey is a possible right subkey candidate.

Step 5: Do exhaustive search for all right subkey candidates.
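The right-key distribution of Proposition 1, the threshold test of Step 4 and Eq. (3) can be checked by simulation at a toy block size. This Python code is an added example, not code from the paper. It assumes Q = 2^m Σ_η (V(η)/N − V′(η)/N)^2, a form chosen to match Proposition 1 because the formula is not reproduced above; it takes B = (2^n − N)/(2^n − 1) for DKP sampling from the hypergeometric variance in the proof, and it models the ciphers as random labellings of the plaintexts with constructed sizes n = 10 and m = 4.

```python
import math
import random
from collections import Counter
from statistics import NormalDist, mean

STD_NORMAL = NormalDist()   # standard normal, used for the quantiles q_{1-alpha}


def dkp_factor(n, N):
    """B for distinct-known-plaintext sampling: (2^n - N) / (2^n - 1)."""
    return (2 ** n - N) / (2 ** n - 1)


def n_dkp(n, m, alpha0, alpha1):
    """Eq. (3): data complexity under DKP sampling, with l = 2^m - 1."""
    l = 2 ** m - 1
    q0, q1 = STD_NORMAL.inv_cdf(1 - alpha0), STD_NORMAL.inv_cdf(1 - alpha1)
    return 2 ** (n + 0.5) * (q0 + q1) / (math.sqrt(l) + math.sqrt(2) * q0)


def threshold(n, m, N, alpha0):
    """tau = mu_0 + sigma_0 * q_{1-alpha_0} for the right-key N(2Bl/N, 8B^2 l/N^2)."""
    l, B = 2 ** m - 1, dkp_factor(n, N)
    return 2 * B * l / N + math.sqrt(8 * l) * B / N * STD_NORMAL.inv_cdf(1 - alpha0)


def q_statistic(V, Vp, N, m):
    """ASSUMED form: Q = 2^m * sum_eta (V(eta)/N - V'(eta)/N)^2 (matches Proposition 1)."""
    return 2 ** m * sum((V[e] - Vp[e]) ** 2 for e in range(2 ** m)) / N ** 2


def labelling(rng, n, m):
    """Idealised cipher: the m-bit value eta taken by each of the 2^n plaintexts."""
    return [rng.randrange(2 ** m) for _ in range(2 ** n)]


def counters(rng, labels, N):
    """Counters V(eta) over N distinct plaintexts (sampling without replacement)."""
    return Counter(rng.sample(labels, N))


def simulate(n=10, m=4, alpha0=0.1, alpha1=0.1, trials=400, seed=2024):
    """Monte-Carlo estimate of the error rates of the test 'accept if Q < tau'."""
    rng = random.Random(seed)
    N = round(n_dkp(n, m, alpha0, alpha1))
    tau = threshold(n, m, N, alpha0)
    right, wrong = [], []
    for _ in range(trials):
        # Right key: the distribution of eta is the same under both keys (p = p'),
        # modelled as two independent DKP samples from one population of labels.
        pop = labelling(rng, n, m)
        right.append(q_statistic(counters(rng, pop, N), counters(rng, pop, N), N, m))
        # Wrong key: two independently drawn random labellings.
        pop_a, pop_b = labelling(rng, n, m), labelling(rng, n, m)
        wrong.append(q_statistic(counters(rng, pop_a, N), counters(rng, pop_b, N), N, m))
    return {
        "N": N,
        "tau": tau,
        "right_mean_predicted": 2 * dkp_factor(n, N) * (2 ** m - 1) / N,
        "right_mean": mean(right),
        "wrong_mean": mean(wrong),
        "right_rejected": sum(q >= tau for q in right) / trials,   # estimates alpha_0
        "wrong_accepted": sum(q < tau for q in wrong) / trials,    # estimates alpha_1
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>22}: {value}")
```

With l = 15 the normal approximation of Note 1 is coarse, so the observed error rates land near, not exactly on, the chosen α_{0} and α_{1}.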

Attack on LBlock

In this section, we will evaluate the security of LBlock against multidimensional linear attack with key difference invariant bias by using the new statistic Q.

A brief description of LBlock

Encryption Algorithm. The general structure of LBlock is a variant of Feistel Network. The number of iterative rounds is 32. The round function of LBlock includes three basic functions: AddRoundKey, confusion function S and diffusion function P. The confusion function S consists of eight 4×4 S-boxes in parallel. The diffusion function P is defined as a permutation of eight 4-bit nibbles (see Wu and Zhang (2011)).

Key Schedule Algorithm. The key schedule of LBlock is rather simple. The 80-bit master key κ is stored in a key register, denoted by κ=k_{79}k_{78}...k_{1}k_{0}. At round i, the leftmost 32 bits of current contents of register κ are output as the round key K_{i}, i.e., K_{i}=k_{79}k_{78}...k_{48}. The key schedule of LBlock can be shown as follows:

1. K_{1}=κ[79,78,...,48];

2. For i←2 to 32,

(a) κ=κ<<<29;

(b) κ[79,78,77,76]=S_{9}(κ[79,78,77,76]), κ[75,74,73,72]=S_{8}(κ[75,74,73,72]);

(c) κ[50,49,48,47,46]=κ[50,49,48,47,46]⊕[i]_{2};

(d) K_{i}=κ[79,78,...,48].

Multidimensional linear approximations with key difference invariant bias for LBlock

Let K and K^{′} be the expanded keys corresponding to two master keys κ and κ^{′},K=φ(κ) and K^{′}=φ(κ^{′}) for key schedule φ, such that K=K^{′}⊕Δ. Firstly, we introduce the notations that need to be used.

i:j denotes an integer range from i to j;

δ=κ⊕κ^{′}: the difference of master key κ and κ^{′};

δ_{14:17} denotes a 4-bit nibble of δ, the bit position is j=14:17;

k_{14:17} denotes a 4-bit nibble of κ, the bit position is j=14:17;

\(k^{\prime }_{14:17}\) denotes a 4-bit nibble of κ^{′}, the bit position is j=14:17;

k_{18:21} denotes a 4-bit nibble of κ, the bit position is j=18:21;

\(k^{\prime }_{18:21}\) denotes a 4-bit nibble of κ^{′}, the bit position is j=18:21;

S(x)=(S(x)^{0},S(x)^{1},S(x)^{2},S(x)^{3}),S_{8}(k_{14:17})=S_{8}(k_{17},k_{16},k_{15},k_{14});

ΔS(k_{14:17})=S(k_{14:17})⊕S(k^{′}_{14:17}), and analogously, the other difference notation can be similarly represented;

Γ_{r},5≤r≤20 : input mask value for the S-boxes in round r;

ΔK_{r},5≤r≤20 : the subkey difference in round r;

\( \Delta K_{r}^{i}, 5 \leq r \leq 20\) : the i-th nibble of subkey difference in round r, the 0-th nibble is the leftmost nibble;

In masks, '0', '1' and '∗' denote zero, nonzero and arbitrary mask for a nibble, respectively; in differences, '0', '1' and '∗' denote zero, nonzero and arbitrary difference for a nibble, respectively.

In Bogdanov et al. (2013), Bogdanov et al. found 16-round linear approximations that satisfy the key difference invariant bias property. But they did not identify the master key differences that satisfy condition 1. In this section, we find the master key differences that satisfy invariant bias for 16-round 8-dimensional linear approximations. These 16-round 8-dimensional linear approximations have 4-bit input and 4-bit output. We place the 16-round 8-dimensional linear approximation in rounds 5 to 20. The input mask of the 5-th round is (0000α00000000000) and the output mask of the 20-th round is (000000000β000000),(α,β)≠0. Next, we determine the master key differences that satisfy condition 1.

For all cases of input mask Γ_{r},5≤r≤20, if the relations Γ_{r}·ΔK_{r}=0 hold, then the sufficient condition for key difference invariant bias is fulfilled according to condition 1 in Corollary 1. Now we determine all the related-key differential paths, that is, we find the specific master key differences δ that satisfy the sufficient condition of invariant bias.

We get all the input masks Γ_{r},5≤r≤20 from (Bogdanov et al. 2013). Because Γ_{12}=∗∗11∗∗11,Γ_{13}=∗1∗1∗1∗1,Γ_{11}=∗1101111, let \( \Delta K_{12}=00000000, \Delta K_{13}=00000000, \Delta K_{11}^{i}=0,i=0, 1, 2, 4, 5, 6, 7 \). According to the key schedule of LBlock, round keys \( K_{12}, K_{13}, K_{11}^{i} \) are functions of master key bits k_{j},j∈(0:79),j≠14,15,16,17. So the master key difference δ satisfies δ_{14:17}≠0000,δ_{j}=0,j∈(0:79),j≠14,15,16,17. Next, we determine the value of δ_{14:17}.

According to the propagation property of the linear mask, the 14-round and 16-round input masks are obtained (see Bogdanov et al. (2013)), Γ_{14}=101111∗1,Γ_{16}=11000001. In order for the equations Γ_{r}·ΔK_{r}=0 to hold, let \( \Gamma _{r}^{j} \cdot \Delta K_{r}^{j}=0, j=0,1,...,7 \). On the basis of the key schedule, the key differences \( \Delta K_{14}^{2}, \Delta K_{16}^{7} \) are functions of the master key nibble k_{14:17}, so we only need the following equation to hold.

For every value of k_{14:17} and S_{9}(k_{18:21})^{3}, we obtain only a single nonzero difference δ_{14:17} by solving Eq. (5) (see Table 3). So we get all the key differences that satisfy condition 1 in Corollary 1.

Key recovery for 25-Round LBlock

In order to attack 25-round LBlock, we follow the multidimensional linear cryptanalysis with key difference invariant bias property. The attack utilizes the 16-round key difference invariant bias linear approximations described in the above section from round 5 to 20. We append 4 rounds at the top of the distinguisher and add 5 rounds at the bottom of the distinguisher. After collecting sufficient plaintext-ciphertext pairs, we guess the corresponding subkeys for the first four rounds and the last five rounds and compute the statistic Q of the linear approximations. Next, we decide whether the guessed key is right or not. Finally, we exhaustively search all right subkey candidates. If we directly guess the subkey bits involved in the key recovery process, then the time complexity will be greater than exhaustive search. Therefore, in order to reduce the time complexity, we express the two target values of the attack by using the related round keys and plaintexts or ciphertexts, and then use the partial-compression technique to reduce the time complexity significantly. The attack process is shown in Fig. 1.

Let X_{0} denote the 64-bit plaintext and \( X_{r}^{j} \) denote the 4-bit nibble of the r-th ciphertext, where the 0-th nibble is the leftmost nibble. As shown in Fig. 2, the nibble \(X_{4}^{4}\) is affected by 32 bits of plaintext X_{0} and 28 bits of round keys and the expression can be shown:

After analyzing the key schedule of LBlock, we find the following relations in the round keys: \(K_{24}^{0} \Rightarrow K_{23}^{7}[1:3]\); \(K_{24}^{0}, K_{24}^{1}, K_{1}^{6} \Rightarrow K_{4}^{5}[0,2,3]\); \(K_{25}^{7} \Rightarrow K_{23}^{2}[0:1]\); \(K_{25}^{3} \Rightarrow K_{22}^{5}[0:2]\); \(K_{25}^{4} \Rightarrow K_{22}^{5}[3]\); \(K_{23}^{2}, K_{25}^{6}, K_{25}^{7} \Rightarrow K_{3}^{7}\) only has two possible values; \(K_{2}^{6} \Rightarrow K_{24}^{7}\) has 2^{3} possible values; \(k_{14:17}, S_{9}\left (k_{18:21}\right)^{3} \Rightarrow K_{25}^{2}\) has 2^{3} possible values. These relations remove 17 bits of information from the 76 involved round-key bits, so we only need to guess 59 subkey bits in the key recovery attack.

Assuming that N distinct known plaintext-ciphertext pairs are sampled, the partial encryption and decryption using the partial-compression technique proceed as in Table 4. The second column lists the subkey nibbles that have to be guessed under master keys κ and κ^{′}. The third column gives the time complexity of Step 2, measured in S-box accesses. The “Obtained States” saved during the encryption and decryption process are in the fourth column. Let x_{i} and \(x^{\prime }_{i} (1 \leq i \leq 14)\) denote the possible obtained states under the master keys κ and κ^{′}, respectively; the counters N_{i}[x_{i}] and \(N_{i}[x^{\prime }_{i}]\) record how many plaintext-ciphertext pairs produce the corresponding intermediate states x_{i} and \(x^{\prime }_{i}\), respectively. The counter size for x_{i} and \(x^{\prime }_{i}\) is shown in the last column.

To be more clear, we explain some steps in Table 4 in detail.

Step 1. In the process of attack, the target values \(X_{4}^{4}|X_{20}^{9}\) are affected by 32 bits of plaintext and 48 bits of ciphertext. They are represented by

We guess the 18 subkey bits \(K_{25}^{7}\left |K_{25}^{3}\right | K_{25}^{6}\left |K_{24}^{1}\right | K_{23}^{2}[2:3]\) for the master keys κ and κ^{′}, respectively. The following two equations are true for LBlock.

The 80-bit x_{0} and \(x^{\prime }_{0}\) can be reduced to 60-bit x_{1} and \(x^{\prime }_{1}\) after guessing the 18 bits of round keys. We allocate two 60-bit counters N_{1}[x_{1}] and \(N_{1}[x^{\prime }_{1}]\) for the master keys κ and κ^{′}, respectively, and initialize them to zero. We then guess the 18-bit keys and partially decrypt N ciphertexts to compute x_{1} and \(x^{\prime }_{1}\) under master keys κ and κ^{′}, respectively, and increment the corresponding counters.

Step 2. We first allocate the 56-bit counters N_{2}[x_{2}] and \(N_{2}[x^{\prime }_{2}]\) for the master keys κ and κ^{′}, respectively, and initialize them to zero. We then guess the 4-bit \(K_{1}^{4}\) for the master keys κ and κ^{′}, respectively, partially encrypt x_{1} and \(x^{\prime }_{1}\) to compute x_{2} and \(x^{\prime }_{2}\), respectively, and increment the corresponding counters. As the equation \( X_{1}^{6}=X_{0}^{8}\oplus S\left (X_{0}^{4}\oplus K_{1}^{4}\right) \) holds, the expression of \( X_{4}^{4} \) is updated as:

Because the following steps are similar to the above two steps, we do not explain them in detail. Besides, we note that the number of guessed key bits in step 8 of Table 4 is 4. However, the number of known key bits is 8, because the key in the “()” can be obtained by using the relations of round keys. To recover the secret key, the following steps are performed:

1. Allocate two counters V[η] and V^{′}[η] for 8-bit \(X_{4}^{4}|X_{20}^{9}=\eta \).

2. For 2^{8} values of x_{14} and \(x^{\prime }_{14}\):

(a) Evaluate all 8 basis masks on x_{14} and \(x^{\prime }_{14}\) and get η;

(b) Update the counters V(η) and V^{′}(η) by V(η)=V(η)+N_{14}[x_{14}] and V^{′}(η)=V^{′}(η)+N_{14}[x_{14}].

3. For each guessed key, compute

4. If Q≤τ, then the guessed subkey values are possible right subkey candidates.

5. Do exhaustive search for all right candidates.
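The counter folding used in Steps 1 and 2 can be seen on a toy target; this is an added example, not code from the paper. Its first stage has the same shape as \( X_{1}^{6}=X_{0}^{8}\oplus S\left (X_{0}^{4}\oplus K_{1}^{4}\right) \), while the S-box, the three-nibble target, the function names and the sample data are constructed stand-ins rather than LBlock's.

```python
import random

# Stand-in 4-bit S-box (a permutation of 0..15), NOT one of LBlock's S-boxes.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def target(a, b, c, k1, k2):
    """Toy target nibble eta built from two chained Feistel-like steps."""
    t = b ^ SBOX[a ^ k1]          # same shape as X_1^6 = X_0^8 xor S(X_0^4 xor K_1^4)
    return c ^ SBOX[t ^ k2]


def naive_histogram(samples, k1, k2):
    """V[eta] for one key guess by touching every sample (2 S-box accesses each)."""
    v = [0] * 16
    for a, b, c in samples:
        v[target(a, b, c, k1, k2)] += 1
    return v


def compressed_histograms(samples):
    """V[eta] for all 2^8 guesses (k1, k2) via counters; returns (table, accesses)."""
    # One pass over the data: n1[x1] counts samples with 12-bit state x1 = a|b|c.
    n1 = [0] * 4096
    for a, b, c in samples:
        n1[(a << 8) | (b << 4) | c] += 1
    table, accesses = {}, 0
    for k1 in range(16):
        # Guess k1: fold the 12-bit state (a, b, c) into the 8-bit state x2 = t|c.
        n2 = [0] * 256
        for x1 in range(4096):
            a, b, c = x1 >> 8, (x1 >> 4) & 0xF, x1 & 0xF
            t = b ^ SBOX[a ^ k1]
            accesses += 1
            n2[(t << 4) | c] += n1[x1]
        for k2 in range(16):
            # Guess k2: fold the 8-bit state into the 4-bit target value eta.
            v = [0] * 16
            for x2 in range(256):
                eta = (x2 & 0xF) ^ SBOX[(x2 >> 4) ^ k2]
                accesses += 1
                v[eta] += n2[x2]
            table[(k1, k2)] = v
    return table, accesses


def make_samples(n, seed=1):
    """Constructed data: n random (a, b, c) nibble triples."""
    rng = random.Random(seed)
    return [(rng.randrange(16), rng.randrange(16), rng.randrange(16)) for _ in range(n)]


if __name__ == "__main__":
    data = make_samples(20000)
    table, used = compressed_histograms(data)
    assert table[(3, 9)] == naive_histogram(data, 3, 9)
    print("S-box accesses with counters:", used)
    print("S-box accesses per-sample   :", 2 * len(data) * 256)
```

After the single pass that fills the first counter, the work no longer depends on N: each guessed nibble costs one sweep over the current counter table, which is why the per-step costs in Table 4 are powers of two rather than multiples of N.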

After carrying out the attack procedure from step 1 to step 5, if we do not succeed, this means that the value of the right key does not belong to the values corresponding to the related-key differential path tested. We can then use another related-key differential path and repeat the above attack. All possible values of the master key bits k_{14:17} and S_{9}(k_{18:21})^{3} are covered by the related-key differential paths, so we can always find the right key; in the worst case, all the related-key differential paths have to be tested. For example, if we choose the master key difference δ_{14:17}=0111, then k_{14:17} and S_{9}(k_{18:21})^{3} have 8 possible values. We need to guess them one by one and determine which one is the right key. The average number of guesses is \( \frac {1}{8}(1+2+3+4+5+6+7+8)=4.5 \). Similarly, when δ_{14:17}=1100, 0100, 1111 or 1011, the average number of guesses is 2.5; when δ_{14:17}=1010, 0110, 1001 or 0101, the average number of guesses is 1.5. The key difference δ_{14:17} has 9 possible values; its probability distribution is as follows (see Table 3).

| δ_{14:17} | 1100 | 0111 | 1010 | 0110 | 0100 | 1111 | 1011 | 1001 | 0101 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| p | \(\frac {4}{32}\) | \(\frac {8}{32}\) | \(\frac {2}{32}\) | \(\frac {2}{32}\) | \(\frac {4}{32}\) | \(\frac {4}{32}\) | \(\frac {4}{32}\) | \(\frac {2}{32}\) | \(\frac {2}{32}\) |

According to the above discussion, the total average number of guesses is \( 4.5 \cdot \frac {8}{32}+2.5 \cdot \frac {4 \times 4}{32}+1.5 \cdot \frac {2 \times 4}{32}=\frac {88}{32} \).

Complexity. By setting α_{0}=2^{−2.7}, α_{1}=0.5, we have \(q_{1-\alpha _{0}} \approx 1.02 \) and \(q_{1-\alpha _{1}} =0 \). Since n=64 and l=255, according to Eq. (3) the data complexity is N^{DKP}≈2^{60.4}. Now we evaluate the time complexity of the key recovery on 25-round LBlock. We start by evaluating the complexity of step 1 to step 14 in the process of partial computation (see Table 4): the time complexity is T_{1}=N·2^{19}·5+2·2^{83}+2·2^{82}+2·2^{79}+2^{80}+2^{78}+3·2^{75}+2·2^{72}≈2^{84.89} S-box accesses, which is about \(T=T_{1} \cdot \frac {1}{8} \cdot \frac {1}{25}=2^{77.25}\) 25-round LBlock encryptions. Under each related-key differential path, the values k_{14:17} and S_{9}(k_{18:21})^{3} are known, so the time complexity of Step 5 of the key recovery attack is about 2^{75}·α_{1}=2^{74} 25-round encryptions. Therefore, the total time complexity is about 2^{74}+2^{77.25}≈2^{77.39} 25-round LBlock encryptions. Since the given value of k_{14:17} and S_{9}(k_{18:21})^{3} may not be the right key, and the average number of guesses of the value of k_{14:17} and S_{9}(k_{18:21})^{3} is \( \frac {88}{32} \), the expected time complexity of our attack on 25-round LBlock is about \(2^{77.39} \cdot \frac {88}{32} \approx 2^{78.85}\) 25-round encryptions. The memory requirements are about 2^{61} bytes.

Key recovery for 24-Round LBlock

Similarly, we can perform a key recovery attack on 24-round LBlock by using the same linear approximations from round 5 to 20. We append 4 rounds at the top of the distinguisher and add 4 rounds at the bottom of the distinguisher.

We express the two target values of attack by using the related round keys and plaintexts or ciphertexts, then use the partial-compression technique to reduce the time complexity significantly (see Table 5). The nibble \(X_{4}^{4}\) is affected by 32 bits of plaintext X_{0} and 28 bits of round keys and the expression can be shown:

After analyzing the key schedule of LBlock, we find the following relations in the round keys: \(K_{24}^{0} \Rightarrow K_{23}^{7}[1:3]; K_{24}^{0}, K_{24}^{1}, K_{1}^{6} \Rightarrow K_{4}^{5}[0,2,3].\)

Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as in Table 5. The process is analogous to the 25-round attack on LBlock.

Complexity. By setting α_{0}=2^{−2.7}, α_{1}=2^{−8.5}, according to Eq. (2) the data complexity is N^{KP}≈2^{62.83}, the time complexity is about 2^{68.08} 24-round LBlock encryptions and the memory requirements are about 2^{61} bytes.

In the DKP case, we set α_{0}=2^{−2.7},α_{1}=2^{−8.5}, then according to Eq. (3), the data complexity is N^{DKP}≈2^{62.3}, the time complexity is about 2^{68.07} 24-round LBlock encryptions and the memory requirements are about 2^{61} bytes. Figure 3 depicts different possible data time trade-offs with α_{0}=2^{−2.7}.

Attack on TWINE-128

In this section, we will evaluate the security of TWINE-128 against multidimensional linear attack with key difference invariant bias by using the new distinguisher Q.

A brief description of TWINE

TWINE is a 64-bit lightweight block cipher with an 80- or 128-bit key. It was proposed by Suzaki et al. in 2012. The structure of TWINE is a modified Type-2 generalized Feistel network. Its round function consists of AddRoundkey, 4-bit S-boxes and a diffusion layer. This round function is iterated 36 times for both TWINE-80 and TWINE-128, where the diffusion layer of the last round is omitted.

The key schedule of TWINE is quite simple. S-boxes, XOR operations and a series of constants are used in the key schedule. Due to the page limit, see the specific key schedule algorithms in Suzaki et al. (2012).

Key recovery for 28-round TWINE-128

We consider the 17-round (from round 6 to round 22) linear approximations with key difference invariant bias for TWINE-128 that have been identified in Bogdanov et al. (2013). The input mask of the 6-th round is (000000000000α000) and the output mask of the 22-th round is (0000000β00000000), (α,β)≠0. Let K and K^{′} be the expanded keys corresponding to the two master keys κ and κ^{′}, K=φ(κ) and K^{′}=φ(κ^{′}) for key schedule φ, such that K=K^{′}⊕Δ. Let us denote by δ=κ⊕κ^{′} the difference of the master keys κ and κ^{′}. Let ΔK_{r} and Γ_{r} denote the subkey difference and input mask value for the S-boxes in round r, respectively. To make the relations

hold, it suffices to let δ_{20:23}≠0000, δ_{j}=0, j=0,1,...,79 and j≠20,21,22,23. Thus the sufficient condition for key difference invariant bias is satisfied. There are 15 possible nonzero values of δ_{20:23} that satisfy Eq. (6). We can choose any nonzero δ_{20:23}, and δ_{j}=0, j=0,1,...,79 and j≠20,21,22,23, to obtain a differential path which covers all the possible key values and is sufficient to recover the right key value.

We utilize the 17-round distinguisher to attack 28 rounds of TWINE-128. The initial five rounds from round 1 to round 5 are added before the distinguisher and the final six rounds from round 23 to round 28 are appended after the distinguisher. Similarly, we express the two target values and then guess the keys one nibble after another to reduce the time complexity of partial computation. The nibble \(X_{5}^{12}\) is affected by 48 bits of plaintext X_{0} and 48 bits of round keys and the expression can be shown as:

Thus, we just need to guess 116 subkey bits in the attack.

Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique are proceeded as in Table 6.

Complexity. We set α_{0}=2^{−2.7}, α_{1}=2^{−3}, so we have \(q_{1-\alpha _{0}} \approx 1.02 \) and \(q_{1-\alpha _{1}} =1.15 \). Since n=64 and l=255, according to Eq. (3) the data complexity is N^{DKP}≈2^{61.5}. Now we evaluate the time complexity of the key recovery on 28-round TWINE-128. We start by evaluating the complexity of step 1 to step 14 in the process of partial-compression (see Table 6): the time complexity is T_{1}=N·2^{65}·17+12·2^{129}+2^{130}≈2^{133.09} S-box accesses, which is about \(T=T_{1} \cdot \frac {1}{8} \cdot \frac {1}{28}=2^{125.28}\) 28-round TWINE-128 encryptions. Note that the time complexity of Steps 3 and 4 is negligible. The time complexity of Step 5 of the key recovery attack is about 2^{128}·α_{1}=2^{125} times of 25-round encryption. Therefore, the total time complexity is about 2^{125}+2^{125.28}≈2^{126.15} 28-round TWINE encryptions. The memory requirements are about 2^{61} bytes.
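The complexity accounting for 25-round LBlock and 28-round TWINE-128 can be re-derived in the log domain; the following is an added check, not code from the paper. It assumes, generalizing the text's remark that δ_{14:17}=0111 with p=8/32 leaves 8 candidate values, that a difference with probability p corresponds to 32p candidate values of k_{14:17} and S_{9}(k_{18:21})^{3}; the function names are illustrative.

```python
from fractions import Fraction
from math import log2


def log2_sum(terms):
    """log2 of sum(c * 2**e) over (c, e) pairs, evaluated in the log domain."""
    logs = [log2(c) + e for c, e in terms]
    top = max(logs)
    return top + log2(sum(2 ** (x - top) for x in logs))


def expected_guesses(distribution, space=32):
    """Average number of candidate values of (k_14:17, S9 bit) tried before the right one."""
    total = Fraction(0)
    for p in distribution.values():
        candidates = p * space                # assumption: 32p key values share this delta
        total += p * (candidates + 1) / 2     # mean of 1..candidates
    return total


def attack_cost(log2_n, data_term, fixed_terms, rounds, log2_search):
    """Return log2 of (T1 in S-box accesses, T in encryptions, T plus final search)."""
    coeff, exp = data_term
    t1 = log2_sum([(coeff, exp + log2_n)] + list(fixed_terms))
    t_enc = t1 - log2(8) - log2(rounds)       # the paper's 1/8 * 1/rounds conversion
    return t1, t_enc, log2_sum([(1, t_enc), (1, log2_search)])


# Probabilities of delta_{14:17} as listed in the text (Table 3).
TABLE3 = {"1100": Fraction(4, 32), "0111": Fraction(8, 32), "1010": Fraction(2, 32),
          "0110": Fraction(2, 32), "0100": Fraction(4, 32), "1111": Fraction(4, 32),
          "1011": Fraction(4, 32), "1001": Fraction(2, 32), "0101": Fraction(2, 32)}

# 25-round LBlock: T1 = N*2^19*5 + 2*2^83 + 2*2^82 + 2*2^79 + 2^80 + 2^78 + 3*2^75 + 2*2^72
LBLOCK_25 = attack_cost(60.4, (5, 19),
                        [(2, 83), (2, 82), (2, 79), (1, 80), (1, 78), (3, 75), (2, 72)],
                        rounds=25, log2_search=74)

# 28-round TWINE-128: T1 = N*2^65*17 + 12*2^129 + 2^130
TWINE_28 = attack_cost(61.5, (17, 65), [(12, 129), (1, 130)],
                       rounds=28, log2_search=125)


def lblock_expected_total():
    """log2 of the expected 25-round LBlock cost after averaging over key guesses."""
    return LBLOCK_25[2] + log2(expected_guesses(TABLE3))


if __name__ == "__main__":
    print("LBlock  T1, T, total (log2):", [round(x, 2) for x in LBLOCK_25])
    print("LBlock  expected guesses   :", expected_guesses(TABLE3))
    print("LBlock  expected total log2:", round(lblock_expected_total(), 2))
    print("TWINE   T1, T, total (log2):", [round(x, 2) for x in TWINE_28])
```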

Key recovery for 27-round TWINE-128

We use the 17-round 8-dimension linear approximations with key difference invariant bias to give an attack on 27-round TWINE-128. By putting the 17-round 8-dimension linear approximations in rounds 6 to 22, we can perform a key recovery attack on 27-round TWINE-128. Similarly, we can express the two target values \(X_{5}^{12}\) and \(X_{22}^{7}\): the value \(X_{5}^{12}\) is the same as in (7), and the nibble \(X_{22}^{7}\) can be shown as:

The nibble \(X_{5}^{12}\) is affected by 48 bits of plaintext X_{0} and 48 bits of round keys, the nibble \(X_{22}^{7}\) is affected by 48 bits of ciphertext X_{27} and 48 bits of round keys. The following relations exist in the related round keys:

$$K_{1}^{3} \Leftrightarrow K_{4}^{1}. $$

Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique are proceeded as in Table 7.

Complexity. We set α_{0}=2^{−2.7}, α_{1}=2^{−8.5}; according to Eq. (3), the data complexity is N^{DKP}≈2^{62.3}. The time complexity of partial computation is about 2^{107.27} S-box accesses, which is about \(2^{107.27} \cdot \frac {1}{8} \cdot \frac {1}{27}=2^{99.52}\) 27-round TWINE-128 encryptions. Searching the remaining key candidates takes about 2^{128}·α_{1}=2^{119.5} 27-round encryptions. Thus, the total time complexity is about 2^{99.52}+2^{119.5}≈2^{119.5} 27-round TWINE encryptions. Meanwhile, the memory requirements are about 2^{61} bytes. Figure 4 depicts different possible data time trade-offs with α_{0}=2^{−2.7}.

Combined Model. In order to reduce the data complexity of the attacks, we can perform a 27-round key recovery attack which uses together all differential paths of the 15 key differences that satisfy the condition of key difference invariant bias. Let δ^{(i)}, 1≤i≤15, denote the i-th master key difference that satisfies the condition of key difference invariant bias. V_{i}(η) and \(V^{\prime }_{i}(\eta)\), η=0,...,2^{m}−1, denote the number of occurrences of value η of the observed data distribution for master keys κ and κ^{′} such that κ⊕κ^{′}=δ^{(i)} with the N texts. Let Q^{(i)}, i=1,...,15, be the i-th statistic under master key difference δ^{(i)}, then

Define statistic \(T=\sum _{i=1}^{15}{Q^{(i)}}\), then, for the right key guess, T approximately follows the normal distribution for sufficiently large N and n:

Complexity. By setting α_{0}=2^{−2.7}, α_{1}=2^{−8.5}, according to Eq. (8) the data complexity is N^{DKP}≈2^{60.44}, the total time complexity is about 2^{119.5} 27-round TWINE encryptions, and the memory requirements are about 15·2^{61} bytes.

Conclusion

In this paper, we propose a new statistical related-key distinguisher under the scenario of key difference invariant bias for multidimensional linear cryptanalysis. Compared with the model in Bogdanov et al. (2013), our new model has the following two main advantages: one is that the assumption about statistical independence of linear approximations can be removed, and the other is that our model considers all linear approximations of a linear subspace with the key difference invariant bias property, excluding zero, so our new model can increase the freedom. Moreover, the partial-compression technique is used to reduce the time complexity. We carefully choose the order of guessing keys and guess each subkey nibble one after another. Besides, we take the key schedule into consideration and use the relations in the related round keys to reduce the number of round keys that need to be guessed. In order to illustrate the new attack model, we evaluate the security of the LBlock and TWINE-128 block ciphers against our cryptanalysis technique. For the LBlock cipher, based on the 16-round key difference invariant bias distinguisher, we present a 25-round key recovery attack. For the TWINE-128 cipher, we apply the 17-round key difference invariant bias distinguisher to a 28-round key recovery attack. We attack more rounds than the best previous cryptanalysis. While previous attacks can break 24-round LBlock and 27-round TWINE-128, our attacks break the same number of rounds with less time complexity and data complexity.

Availability of data and materials

Not applicable.

References

Blondeau, C, Nyberg K (2017) Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des Codes Crypt 82(1-2):319–349.

Bogdanov, A, Boura C, Rijmen V, Wang M, Wen L, Zhao J (2013) Key difference invariant bias in block ciphers. In: Sako K, Sarkar P (eds) 19th International Conference on the Theory and Application of Cryptology and Information Security, 357–376. Springer, Berlin, Heidelberg.

Boztas, Ö, Karakoç F, Çoban M (2013) Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128. In: Avoine G, Kara O (eds) Second International Workshop Lightweight Cryptography for Security and Privacy, 55–67. Springer, Berlin, Heidelberg.

Cho, JY, Hermelin M, Nyberg K (2008) A new technique for multidimensional linear cryptanalysis with applications on reduced round serpent. In: Lee PJ, Cheon JH (eds) 11th International Conference Information Security and Cryptology, 383–398. Springer, Berlin, Heidelberg.

Hermelin, M, Cho JY, Nyberg K (2008) Multidimensional linear cryptanalysis of reduced round serpent. In: Mu Y, Susilo W, Seberry J (eds) 13th Australasian Conference Information Security and Privacy, 203–215. Springer, Berlin, Heidelberg.

Hermelin, M, Cho JY, Nyberg K (2009) Multidimensional extension of Matsui’s algorithm 2. In: Dunkelman O (ed) Fast Software Encryption, 209–227. Springer, Berlin, Heidelberg.

Liu, S, Gong Z, Wang L (2012) Improved related-key differential attacks on reduced-round LBlock. In: Chim TW, Yuen TH (eds) 14th International Conference Information and Communications Security, 58–69. Springer, Berlin, Heidelberg.

Matsui, M (1993) Linear cryptanalysis method for DES cipher. In: Helleseth T (ed) Advances in Cryptology - EUROCRYPT ’93, 386–397. Springer, Berlin, Heidelberg.

Minier, M, Naya-Plasencia M (2012) A related key impossible differential attack against 22 rounds of the lightweight block cipher lblock. Inf Process Lett 112(16):624–629.

Sasaki, Y, Wang L (2013) Meet-in-the-middle technique for integral attacks against feistel ciphers. In: Knudsen LR, Wu H (eds) Selected Areas in Cryptography, 234–251. Springer, Berlin, Heidelberg.

Sasaki, Y, Wang L (2013) Comprehensive study of integral analysis on 22-round lblock. In: Kwon T, Lee M-K, Kwon D (eds) Information Security and Cryptology – ICISC 2012, 156–169. Springer, Berlin, Heidelberg.

Selçuk, AA, Biçak A (2002) On probability of success in linear and differential cryptanalysis. In: Cimato S, Galdi C, Persiano G (eds) Third International Conference Security in Communication Networks, 174–185. Springer, Berlin, Heidelberg.

Suzaki, T, Minematsu K, Morioka S, Kobayashi E (2012) TWINE: A lightweight block cipher for multiple platforms. In: Knudsen LR, Wu H (eds) 19th International Conference Selected Areas in Cryptography, 339–354. Springer, Berlin, Heidelberg.

Wang, N, Wang X, Jia K (2016) Improved impossible differential attack on reduced-round lblock. In: Kwon S, Yun A (eds) Information Security and Cryptology - ICISC 2015, 136–152. Springer International Publishing, Berlin, Heidelberg.

Wang, Y, Wu W (2014) Improved multidimensional zero-correlation linear cryptanalysis and applications to lblock and TWINE. In: Susilo W, Mu Y (eds) 19th Australasian Conference Information Security and Privacy, 1–16. Springer, Berlin, Heidelberg.

Wu, W, Zhang L (2011) LBlock: A lightweight block cipher. In: López J, Tsudik G (eds) 9th International Conference Applied Cryptography and Network Security, 327–344.

This work was supported by the National Natural Science Foundation of China (Grant No.61379138).

Author information

Authors and Affiliations

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, No. 89 Minzhuang Road, Haidian District, Beijing, 100093, China

Wenqin Cao & Wentao Zhang

School of Cyber Security, University of Chinese Academy of Sciences, No. 19 Yuquan Road, Shijingshan District, Beijing, 100049, China

Wenqin Cao & Wentao Zhang

School of Mathematics and Statistics, Shandong University of Technology, No. 266Xincunxi Road, Zhangdian District, Zibo, Shandong, 255000, China

The first author conceived the idea of the study and wrote the paper; both authors discussed the results and revised the final manuscript. Both authors read and approved the final manuscript.

The authors declare that they have no competing interests.


Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Cao, W., Zhang, W. Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers. Cybersecur 4, 32 (2021). https://doi.org/10.1186/s42400-021-00096-4