Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

For block ciphers, Bogdanov et al. found that there are linear approximations whose biases are deterministically invariant under a key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on the statistical independence of the linear approximations. We demonstrate our cryptanalysis technique by performing key-recovery attacks on LBlock and TWINE-128. We use the relations among the involved round keys to reduce the number of guessed subkey bits, and the partial-compression technique to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2^60.4 distinct known plaintexts, 2^78.85 time complexity and 2^61 bytes of memory. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2^61.5 distinct known plaintexts, 2^126.15 time complexity and 2^61 bytes of memory. These are currently the best cryptanalytic results on LBlock and TWINE-128.


Introduction
Linear cryptanalysis, introduced by Matsui in 1993, has become one of the most important cryptanalysis methods for block ciphers. After being introduced a quarter of a century ago, linear cryptanalysis has been extended to various more evolved statistical attacks, including multiple linear cryptanalysis (Kaliski and Robshaw 1994) and multidimensional linear cryptanalysis (Hermelin et al. 2009; Cho et al. 2008; Blondeau and Nyberg 2017). Various authors have presented different approaches to exploiting multiple linear approximations to enhance linear cryptanalysis. In multiple linear cryptanalysis, a fundamental assumption was that the approximations are statistically independent. This theoretically restrictive independence assumption was removed in multidimensional linear cryptanalysis, at the cost of taking into account a family of linear approximations which covers a linear space excluding zero. Hermelin et al. (2009) presented the log-likelihood ratio and χ² statistical distinguishers that can be used to perform key-recovery attacks. The aim of a statistical key-recovery attack is to find the right value of some bits of the round key based on a known statistical property of the cipher. This property is expected to be detected only for the right key candidate, while wrong key candidates, which are far from satisfying the property, can be discarded. To estimate the data complexity of a statistical attack, the probability distributions of the involved random variables for the right and wrong keys are analyzed. These distributions depend both on the data sample used to compute them and on the encryption key and the key candidate. Selçuk and Biçak (2002) gave a formal probabilistic model for linear and differential cryptanalysis. The probabilistic model provides efficient formulations that can be used to estimate the success probability of a given attack or to find the data complexity needed to achieve a certain success level.
Bogdanov et al. (2013) revealed a fundamental property of block ciphers: there can exist linear approximations whose biases are deterministically invariant under a key difference. This property is called key difference invariant bias. They proposed a statistical related-key distinguisher for this property and turned it into key-recovery attacks on LBlock and TWINE-128. Under some basic independence assumptions, they computed the sample biases of a set of approximations with this property for two keys and constructed an efficient statistical related-key distinguisher. In their model, a fundamental assumption was that the linear approximations are statistically independent, but this assumption is hard to verify in practice. In this paper, we propose a multidimensional related-key distinguisher for the key difference invariant bias property, which removes the independence assumption on the linear approximations.
To decrease the key set-up time and reduce hardware cost, the key schedules of lightweight ciphers are usually simple. As is well known, the diffusion of the key schedule plays an important role in the security of a block cipher, so more attention should be paid to the key schedules of lightweight block ciphers. Wang and Wu (2014) improved the multidimensional zero-correlation linear attack. They took the key schedule into consideration and used the relations among the round keys involved in the key-recovery attack to reduce the number of round-key bits that need to be guessed. They carefully chose the order of guessing the keys, guessing each subkey nibble one after another, and used the partial-compression technique to reduce the time complexity.
Blondeau and Nyberg (2017) developed the distinct-known-plaintext (DKP) sampling model, which was first introduced in the context of multidimensional zero-correlation attacks [11]. The DKP sample can improve the data complexity of multiple linear attacks, multidimensional linear attacks and key difference invariant bias attacks.

Our contributions
The contributions of this paper are as follows.

New model with key difference invariant bias
In this paper, we combine multidimensional linear cryptanalysis with key difference invariant bias. The main motivation of this method is that the dependencies of the linear approximations need not be measured explicitly. We present a multidimensional statistical related-key distinguisher for the key difference invariant bias property of key-alternating block ciphers. Our new model has the following two advantages: (1) It does not assume statistical independence of the linear approximations, i.e., the assumption of statistical independence can be removed. (2) It considers all linear approximations, excluding zero, of a linear subspace with the key difference invariant bias property. This increases the degrees of freedom of the model, and thus the data complexity is reduced.
We analyze the probability distribution of the new related-key statistic Q both in the right-key and the wrong-key case, and derive the formula for the data complexity of a given attack. In addition, the new statistical model takes into account whether the data sample is obtained by the usual known-plaintext (KP) sampling or by distinct-known-plaintext (DKP) sampling.

Key Recovery Attack for LBlock and TWINE-128
By using the new related-key statistic Q, we give the first key-recovery attack on 25-round LBlock. We place the 16-round 8-dimensional linear approximations with key difference invariant bias at rounds 5 to 20. We partially encrypt the first 4 rounds and partially decrypt the last 5 rounds. The attack involves 32 bits of the plaintext, 48 bits of the ciphertext and 76 bits of round keys. Because the attack involves so many plaintext, ciphertext and round-key bits, the data and time complexities would both be too large. In order to reduce them, we take the key schedule of LBlock into consideration and obtain the relations that exist among the involved round keys. These relations remove 17 bits of key information from the round keys that would otherwise need to be guessed. We carefully choose the order of guessing the key bits and use the partial-compression technique to reduce the time complexity. Our attack can recover the 80-bit master key of LBlock with about 2^60.4 distinct known plaintexts, 2^78.85 time complexity and 2^61 bytes of memory. Similarly, using the same multidimensional linear approximation, we can give a 24-round attack on LBlock which is better than that in Bogdanov et al. (2013). In Table 1, we present a comparison of our attack results with the best known ones.
We apply the new related-key model to perform a 28-round attack on TWINE-128. We place the 17-round 8-dimensional linear approximations with key difference invariant bias at rounds 6 to 22. We partially encrypt the first 5 rounds and partially decrypt the last 6 rounds. We take the key schedule of TWINE-128 into consideration and obtain the relations that exist among the involved round keys, and we use the partial-compression technique to reduce the time complexity. Our attack can recover the 128-bit master key of TWINE-128 with about 2^61.5 distinct known plaintexts, 2^126.15 time complexity and 2^61 bytes of memory, with success probability 0.85. Similarly, using the same multidimensional linear approximation, we can give a 27-round attack on TWINE-128 which is better than that in Bogdanov et al. (2013). In addition, we combine all differential paths of the 15 key differences that satisfy the invariant bias property. With this combined model we perform a 27-round attack on TWINE-128 with about 2^60.44 distinct known plaintexts, 2^119.5 time complexity and 15 × 2^61 bytes of memory. Our attacks are compared with previous attacks on TWINE-128 in Table 2.

Linear cryptanalysis with key difference invariant bias
Bogdanov et al. (2013) analysed the fundamental question of how the bias of an entire linear approximation behaves under a change of key. They revealed a property of many block ciphers, namely that the bias of a linear approximation can actually be invariant under a modification of the key. Based on this fact, they proposed a statistical related-key distinguisher and demonstrated that it can be used to efficiently distinguish the cipher from an idealized cipher under some basic independence assumptions. As an illustration, they applied the cryptanalytic technique of key difference invariant bias to LBlock and TWINE-128.
In this section, we introduce some definitions and main results from Bogdanov et al. (2013). Consider an n-bit block cipher f with a k-bit key. Linear cryptanalysis is based on a linear approximation determined by an input mask a and an output mask b. The bias of the linear approximation (a, b) of f is defined by

ε_{a,b} = Pr_x[⟨a, x⟩ ⊕ ⟨b, f(x)⟩ = 0] − 1/2.

The value c_{a,b} = 2ε_{a,b} is called the correlation of the linear approximation (a, b). A linear approximation (a, b) of an iterative block cipher is called a linear hull. The linear hull contains all possible sequences of linear approximations over the individual rounds with input mask a and output mask b. These sequences are called linear trails, which we denote by θ. Given a linear hull (a, b), a linear trail θ is the concatenation of an input mask θ_0 = a before the first round, an output mask θ_r = b after the last round, and r − 1 intermediate masks θ_i between rounds i and i + 1: θ = (θ_0, θ_1, ..., θ_r). Thus, each linear trail consists of r + 1 n-bit masks. The bias ε_θ of the linear trail θ is defined as the scaled product of the individual biases ε_{θ_{i−1},θ_i} over each round:

ε_θ = 2^{r−1} · ∏_{i=1}^{r} ε_{θ_{i−1},θ_i}.

Key-alternating block ciphers form a special but important subset of modern block ciphers. Their definition is as follows.
Definition 1 ((Daemen and Rijmen 2002)). Let each round i, 1 ≤ i ≤ r, of a block cipher have its own n-bit subkey k_i. This block cipher is key-alternating if the key material in round i is introduced by XORing the subkey k_i to the state at the end of the round. Additionally, the subkey k_0 is XORed with the plaintext before the first round.
The r + 1 round subkeys K_0, K_1, ..., K_r build the expanded key K (of length n(r + 1) bits), which is derived from the master key κ using a key-schedule algorithm φ. From Daemen and Rijmen (2002), for a key-alternating block cipher, the bias ε_{a,b} of the linear hull (a, b) is

ε_{a,b}[K] = Σ_θ (−1)^{d_θ ⊕ ⟨θ, K⟩} |ε_θ|,

where d_θ ∈ {0, 1} is a key-independent constant.
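As a concrete illustration of the basic notions of bias and correlation above, they can be computed by exhaustive evaluation over a small map. The 4-bit S-box below is a toy example of our own choosing (taken from Heys' linear cryptanalysis tutorial), not a component of LBlock or TWINE:

```python
# Bias and correlation of a linear approximation <a,x> ^ <b,S(x)>,
# computed exhaustively over a toy 4-bit S-box (illustrative only).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def dot(mask, x):
    """Parity of the masked bits, i.e. <mask, x> over F_2."""
    return bin(mask & x).count("1") & 1

def bias(a, b, sbox=SBOX):
    """eps_{a,b} = Pr[<a,x> ^ <b,S(x)> = 0] - 1/2."""
    hits = sum(1 for x in range(16) if dot(a, x) ^ dot(b, sbox[x]) == 0)
    return hits / 16 - 0.5

def correlation(a, b, sbox=SBOX):
    """c_{a,b} = 2 * eps_{a,b}."""
    return 2 * bias(a, b)

# The trivial approximation (a = b = 0) always holds: bias 1/2, correlation 1.
assert bias(0, 0) == 0.5 and correlation(0, 0) == 1.0
```

Since the toy S-box is a bijection, its correlation matrix is orthogonal, so for any fixed input mask the squared correlations over all output masks sum to one.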
In an n-bit key-alternating block cipher, let φ be the key schedule, and let K = φ(κ) and K′ = φ(κ′) be the expanded keys corresponding to two master keys κ and κ′, satisfying K′ = K ⊕ ΔK, where the difference ΔK describes a connection between K and K′. Let ε_{a,b}[K] and ε_{a,b}[K′] be the two biases under the keys K and K′; in general they are different. When does the equality hold? The equality holds if d_θ ⊕ ⟨θ, K⟩ = d_θ ⊕ ⟨θ, K′⟩ for each trail θ, that is, ⟨θ, ΔK⟩ = 0. In the following, we give a short summary of the contributions in Bogdanov et al. (2013).

Theorem 1 ((Bogdanov et al. 2013), Key difference invariant bias for key-alternating ciphers). Let (a, b) be a nontrivial linear approximation of a key-alternating block cipher. Its biases ε_{a,b}[K] for expanded key K and ε_{a,b}[K′] for expanded key K′ with K′ = K ⊕ ΔK have exactly equal values, ε_{a,b}[K] = ε_{a,b}[K′], if ⟨θ, ΔK⟩ = 0 for each linear characteristic θ of the linear hull (a, b) with ε_θ ≠ 0.
Given a linear approximation (a, b), we denote by θ_j, j = 1, ..., n(r + 1), the j-th bit of a linear characteristic θ. If there are bit positions j such that θ_j = 0 for all θ with ε_θ ≠ 0, we call such positions zero positions; otherwise, a position is called nonzero. Next we give a more explicit sufficient condition for keeping ⟨θ, ΔK⟩ = 0.

Corollary 1 ((Bogdanov et al. 2013), Condition 1, Sufficient condition for key difference invariant bias). For a fixed non-trivial linear approximation (a, b) of a key-alternating block cipher, let the relation between a pair of user-supplied keys κ and κ′ be such that the expanded key difference ΔK = K ⊕ K′ selects an arbitrary number of zero positions and no nonzero positions of the linear characteristics θ of the linear approximation with ε_θ ≠ 0.

For random block ciphers and block sizes n ≥ 5, the bias of a linear approximation follows a normal distribution with mean 0 and variance 2^{−n−2} (Daemen and Rijmen 2007), that is, ε ∼ N(0, 2^{−n−2}). The probability for the biases under two different random keys to be exactly equal is therefore negligible.

Given N plaintext-ciphertext pairs and ℓ linear approximations under a pair of expanded keys (K, K′), K′ = K ⊕ ΔK, satisfying Condition 1 for key difference invariant bias, for each of these linear approximations we allocate counters S_i and S′_i, i = 1, ..., ℓ, which count the number of times the i-th linear approximation is satisfied under K and K′ over the N known plaintexts. The statistic s is as follows:

s = Σ_{i=1}^{ℓ} (S_i/N − S′_i/N)².

Assuming the counters S_i and S′_i, i = 1, ..., ℓ, are all independent, s approximately follows a normal distribution with mean ℓ/(2N) and variance ℓ/(2N²) for the right key, that is,

s ∼ N(ℓ/(2N), ℓ/(2N²)).

Similarly, for a wrong key, s approximately follows the normal distribution

s ∼ N(ℓ(1/(2N) + 2^{−n−1}), 2ℓ(1/(2N) + 2^{−n−1})²).

In the two cases above, we have seen that the statistic s follows two different normal distributions. When testing the key candidates, the cryptanalyst faces a statistical hypothesis testing task. Consider two normal distributions N(μ_0, σ_0²) and N(μ_1, σ_1²). Without loss of generality, assume that μ_0 < μ_1.
A sample t is drawn from either N(μ_0, σ_0²) or N(μ_1, σ_1²). A hypothesis test is performed to determine which distribution the sample comes from: compare the value t with some threshold value τ; if t ≤ τ, the test returns t ∈ N(μ_0, σ_0²); if t > τ, the test returns t ∈ N(μ_1, σ_1²). There are two types of error probabilities. The type I error is the probability that the test decides t comes from N(μ_1, σ_1²) when t actually comes from N(μ_0, σ_0²). The type II error is the probability that the test decides t comes from N(μ_0, σ_0²) when t actually comes from N(μ_1, σ_1²). The two errors are denoted by α_0 and α_1, respectively.
The decision threshold is τ = μ_0 + σ_0 q_{1−α_0} = μ_1 − σ_1 q_{1−α_1}, where q_{1−α_0} and q_{1−α_1} are the quantiles of the standard normal distribution N(0, 1).

Corollary 2 ((Bogdanov et al. 2013), Data Complexity of Distinguisher). Using the distributions of s for the right and wrong key, we obtain the following equation that determines the amount of data needed by the distinguisher s:

N ≈ 2^{n+0.5}(q_{1−α_0} + q_{1−α_1})/√ℓ,

where α_0 is the probability to reject the right key, whereas α_1 is the probability to accept a wrong key.
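The threshold and the induced error probability can be evaluated with the standard normal quantile function; a minimal sketch using Python's `statistics.NormalDist` (the distribution parameters in the usage line are illustrative, not taken from a concrete attack):

```python
from statistics import NormalDist

def threshold(mu0, sd0, mu1, sd1, a0):
    """tau = mu0 + sd0 * q_{1-a0}; the induced type II error a1 is the
    probability that a wrong-key sample falls at or below tau."""
    q = NormalDist().inv_cdf(1 - a0)      # quantile q_{1-a0} of N(0, 1)
    tau = mu0 + sd0 * q
    a1 = NormalDist(mu1, sd1).cdf(tau)    # Pr[wrong-key statistic <= tau]
    return tau, a1

# Illustrative parameters: right-key stat ~ N(0, 1), wrong-key stat ~ N(5, 1),
# and the type I error a0 = 2^-2.7 used later for LBlock.
tau, a1 = threshold(0.0, 1.0, 5.0, 1.0, a0=2 ** -2.7)
```

With these parameters, `tau` is about 1.02 (the quantile q_{1−2^{−2.7}}) and the type II error is tiny because the two means are five standard deviations apart.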
The statistical attack also depends on the way the data sample is obtained. In a known-plaintext (KP) attack, the plaintext-ciphertext pairs (P, C) are sampled with replacement. If the plaintext-ciphertext pairs are sampled randomly without replacement, the attack is called a distinct-known-plaintext (DKP) attack. Suppose N plaintext-ciphertext pairs are sampled randomly, and let Z denote the random variable corresponding to the number of plaintext-ciphertext pairs that satisfy the linear approximation equation. In the cases of KP and DKP sampling, the variable Z follows a binomial and a hypergeometric distribution, respectively. The two distributions have the same expectation Np, but the variance is BNp(1 − p), where p is the probability that the linear approximation holds and the constant B is defined by B = 1 for KP sampling and B = (2^n − N)/(2^n − 1) for DKP sampling.
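The difference between the two sampling models enters only through the variance factor B; a short sketch of the finite-population correction stated above:

```python
def variance_factor(n_bits, N, distinct=True):
    """B = 1 for KP sampling (with replacement); for DKP sampling
    (without replacement), B = (2^n - N) / (2^n - 1)."""
    if not distinct:
        return 1.0
    full = 2 ** n_bits          # size of the codebook, 2^n
    return (full - N) / (full - 1)

# Sampling the whole codebook without replacement leaves no variance at all.
assert variance_factor(16, 2 ** 16) == 0.0
```

For N much smaller than 2^n, the DKP factor is essentially 1, so the two sampling models only start to differ once a noticeable fraction of the codebook is consumed.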

Multidimensional approximation of boolean functions
In this section, we introduce two lemmas of multidimensional linear cryptanalysis (Hermelin et al. 2009) that will be needed in the next section. Let f: V_n → V_l be a vector Boolean function, and let binary vectors v_i ∈ V_l and u_i ∈ V_n, i = 1, 2, ..., m, be linear masks such that the mask pairs (u_i, v_i) are linearly independent. Define the Boolean functions g_i by g_i(x) = ⟨v_i, f(x)⟩ ⊕ ⟨u_i, x⟩ and assume the g_i have correlations c_i, i = 1, ..., m. We will call these correlations base correlations and the corresponding linear approximations of f the base approximations.
We want to find the probability distribution of the m-dimensional linear approximation with base masks u_1, ..., u_m, v_1, ..., v_m and g = (g_1, ..., g_m). Let the probability distribution of g be p = (p_0, ..., p_M), M = 2^m − 1. Assume that we have the correlations c_a of all the linear combinations ⟨a, g⟩ of g, a ∈ F_2^m. We will call the correlations c_a the combined correlations of f and the corresponding approximations the combined approximations.

Definition 2. The capacity between two probability distributions p and q is defined by

C(p, q) = Σ_{η=0}^{M} (p_η − q_η)²/q_η.

Let us consider an m-dimensional linear attack whose m base approximations construct an m-dimensional vectorial Boolean function g. Let p = (p_0, ..., p_{2^m−1}) denote the probability distribution of g and θ_u the discrete uniform distribution. The capacity of the m-dimensional linear approximation is then

C(p) = C(p, θ_u) = 2^m Σ_{η=0}^{2^m−1} (p_η − 2^{−m})².

For simplicity, C(p) denotes the capacity of the probability distribution of the m-dimensional linear approximation.

Lemma 1. The probability distribution and the combined correlations determine each other: c_a = Σ_{η ∈ F_2^m} (−1)^{⟨a,η⟩} p_η and p_η = 2^{−m} Σ_{a ∈ F_2^m} (−1)^{⟨a,η⟩} c_a.

Lemma 2. C(p) = Σ_{a ≠ 0} c_a².
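A small sketch of Definition 2 and the uniform-distribution special case, using a toy 2-dimensional distribution of our own choosing:

```python
def capacity(p, q):
    """C(p, q) = sum_eta (p_eta - q_eta)^2 / q_eta  (Definition 2)."""
    return sum((pi - qi) ** 2 / qi for pi, qi in zip(p, q))

def capacity_uniform(p):
    """Against the uniform distribution on 2^m values this reduces to
    C(p) = 2^m * sum_eta (p_eta - 2^-m)^2."""
    u = 1.0 / len(p)
    return len(p) * sum((pi - u) ** 2 for pi in p)

p = [0.3, 0.3, 0.2, 0.2]        # toy distribution for m = 2
uniform = [0.25] * 4

# The general formula and the uniform-case shortcut agree.
assert abs(capacity(p, uniform) - capacity_uniform(p)) < 1e-12
```

For this toy distribution both formulas give C(p) = 4 · (4 · 0.05²) = 0.04.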
Note 1. If a random variable X has the χ² distribution with l degrees of freedom, then X approximately follows a normal distribution with mean l and variance 2l when l is sufficiently large, that is, X ∼ N(l, 2l).
Note 2. Suppose X is a d-dimensional normal random vector with mean vector μ and covariance matrix Σ, X ∼ N_d(μ, Σ). Then (X − μ)^T Σ^{−}(X − μ) follows a χ² distribution with r degrees of freedom, where r = rank(Σ) and Σ^{−} is a generalized inverse of Σ.
We will need the above results in the next section, where we study how the multidimensional linear statistic is applied in key difference invariant bias cryptanalysis.
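Note 1 can be checked empirically by summing squared standard normals; a quick Monte Carlo sketch (not part of the original argument, just a sanity check of the normal approximation):

```python
import random

random.seed(7)
l = 200          # degrees of freedom, "sufficiently large"
trials = 2000

# A chi-square(l) sample is a sum of l squared standard normals.
samples = [sum(random.gauss(0, 1) ** 2 for _ in range(l))
           for _ in range(trials)]

mean = sum(samples) / trials
var = sum((s - mean) ** 2 for s in samples) / (trials - 1)

# Note 1 predicts mean ~ l and variance ~ 2l.
assert abs(mean - l) < 0.05 * l
assert abs(var - 2 * l) < 0.2 * (2 * l)
```

The tolerances are loose on purpose; with 2000 trials the sample mean and variance sit well within them.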

Improved statistical distinguisher with key difference invariant bias
In this section, we first consider multidimensional linear attacks with key difference invariant bias and present a new statistic Q. Then we analyse the probability distribution of the statistic Q for the right and wrong key guesses, and give the data complexity of an attack achieving a certain success level in the KP and DKP cases, respectively. Finally, we describe the key-recovery attack procedure which uses our new model.

A new statistical distinguisher
We analyse the relation between the correlations and the probability distributions of an m-dimensional linear approximation under two distinct keys. Suppose f: F_2^n → F_2^n is a block cipher; we consider an m-dimensional linear cryptanalysis of f. Assume the base approximations of the m-dimensional linear approximation are g = (g_1, ..., g_m). Let us denote by c_a and c′_a the correlations of ⟨a, g⟩ under the master keys κ and κ′, respectively, and denote by p and p′ the probability distributions of g under κ and κ′, respectively. We can obtain the next lemma.

Lemma 3.

2^m Σ_η (p_η − p′_η)² = Σ_{a ≠ 0} (c_a − c′_a)².   (1)

In particular, if c_a = c′_a for all a ≠ 0, then p = p′.

Proof. According to Lemma 2, the capacities are determined by the combined correlations, so it suffices to relate the difference of the distributions to the difference of the correlations. Using Lemma 1, p_η − p′_η = 2^{−m} Σ_{a ≠ 0} (−1)^{⟨a,η⟩}(c_a − c′_a). Substituting p and p′ into (1) and applying Parseval's relation, Eq. (1) holds, which gives Lemma 3 as desired.
Thus we can present a new statistic based on the key difference invariant bias property by using an m-dimensional linear approximation for an n-bit block cipher. Suppose the data sample is randomly selected with sample size N. Let V_η and V′_η, η = 0, ..., 2^m − 1, denote the number of occurrences of the value η in the observed data distribution under the master keys κ and κ′, respectively, over the N plaintexts. We propose the new statistic Q:

Q = (2^{m−1}/N) Σ_{η=0}^{2^m−1} (V_η − V′_η)².

As we aim to perform a key-recovery attack with this statistic Q, we will derive the distribution of Q for the right key guess and for the wrong key guess.
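The counters V_η are built by evaluating the m base approximations on each plaintext-ciphertext pair and tallying the resulting m-bit value η. The sketch below uses toy masks of our own choosing, and the normalization inside `statistic_q` follows the χ²-style form reconstructed above; it should be read as an assumption, not the paper's verbatim formula:

```python
def eta_counters(pairs, base_masks, m):
    """Count occurrences V[eta] of the m-bit value eta = (g_1, ..., g_m),
    where g_i = <u_i, P> ^ <v_i, C> for the mask pair (u_i, v_i)."""
    parity = lambda x: bin(x).count("1") & 1
    V = [0] * (1 << m)
    for P, C in pairs:
        eta = 0
        for i, (u, v) in enumerate(base_masks):
            eta |= (parity(u & P) ^ parity(v & C)) << i
        V[eta] += 1
    return V

def statistic_q(V, Vp, N, m):
    """Q = 2^(m-1)/N * sum_eta (V[eta] - V'[eta])^2 (assumed form)."""
    return (1 << (m - 1)) / N * sum((a - b) ** 2 for a, b in zip(V, Vp))

# Toy data: 4-bit "cipher" that just XORs a constant, with m = 2 base masks.
pairs = [(x, x ^ 0b1010) for x in range(16)]
V = eta_counters(pairs, [(0b0001, 0b0010), (0b0100, 0b1000)], m=2)
assert sum(V) == 16
# Identical counters under both keys give Q = 0, the ideal right-key value.
assert statistic_q(V, V, N=16, m=2) == 0.0
```

In a real attack the two counter arrays come from the two related keys; the smaller Q is, the closer the two empirical distributions are.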
In the case of the right key guess, we obtain the following result.

Proposition 1. [Distribution of Statistic Q for the Right Key] Consider an m-dimensional linear approximation with the key difference invariant bias property, and let N be the number of KP or DKP pairs. Then, for sufficiently large N and m, the statistic Q approximately follows the normal distribution Q ∼ N(Bl, 2B²l), where l = 2^m − 1, B = 1 in the KP case and B = (2^n − N)/(2^n − 1) in the DKP case.

Proof. V_η and V′_η suggest the empirical probabilities p̂_η = V_η/N and p̂′_η = V′_η/N, respectively. Let p̂ = (p̂_0, ..., p̂_{2^m−1})^T and p = (p_0, ..., p_{2^m−1})^T. For sufficiently large N, the random vector p̂ approximately follows a multivariate normal distribution with mean vector p and covariance matrix Σ = N^{−1}(2^{−m} I − 2^{−2m} E), where I is the identity matrix and E is the all-one matrix. Similarly, p̂′ ∼ N(p′, Σ). The expanded keys K and K′ with K′ = K ⊕ ΔK satisfy Condition 1 for key difference invariant bias, so p = p′. Then p̂ − p̂′ ∼ N(0, 2Σ). From Note 2, we know that (p̂ − p̂′)^T (2Σ)^{−}(p̂ − p̂′) ∼ χ²_l with l = rank(Σ) = 2^m − 1, and this quadratic form equals Q. Using Note 1, the approximate distribution Q ∼ N(l, 2l) holds for sufficiently large N and m in the KP case. In the case of a DKP sample, the random vector (V_0, ..., V_{2^m−1})^T follows a multivariate hypergeometric distribution. The variance of V_η is ((2^n − N)/(2^n − 1)) · N · 2^{−m}(1 − 2^{−m}), and the covariance of V_η and V_ξ (η ≠ ξ) is the corresponding KP covariance scaled by the same factor B. The following steps of the proof are similar to those in the KP case and yield Q ∼ N(Bl, 2B²l).
In the case of the wrong key guess, we rely on the hypothesis that for a wrong key the cipher behaves as a permutation drawn at random. Suppose the m-dimensional linear approximation has probability distribution p(k) = (p_0(k), ..., p_{2^m−1}(k)), where the p_η(k) are independently and identically distributed as N(2^{−m}, σ²). According to Lemma 1, for a ≠ 0 we have c_a(k) ∼ N(0, 2^m σ²). In Daemen and Rijmen (2007), Daemen and Rijmen show that the correlation distribution of an ideal cipher is normal with mean zero and variance 2^{−n}, i.e., c_a(k) ∼ N(0, 2^{−n}). So we obtain 2^m σ² = 2^{−n}, and hence p_η(k) ∼ N(2^{−m}, 2^{−m−n}). Then we have the following proposition for the distribution of Q.

Proposition 2. [Distribution of Statistic Q for the Wrong Key] Consider an m-dimensional linear approximation for two randomly drawn permutations. Let N be the number of KP or DKP pairs, let V_η and V′_η be the frequencies of the value η in the observed data distributions for the two permutations, and let m be high enough. Then the following approximate distribution holds for sufficiently large N and n:

Q ∼ N(l(B + N·2^{−n}), 2l(B + N·2^{−n})²),

where l = 2^m − 1, B = 1 in the KP case and B = (2^n − N)/(2^n − 1) in the DKP case. The proof of Proposition 2 is similar to that of Proposition 1. In the two cases above, we have seen that the statistic Q follows two different normal distributions. Using statistical hypothesis testing, we obtain the following data complexities under KP and DKP sampling, respectively.

N_KP = 2^{n+0.5}(q_{1−α_0} + q_{1−α_1}) / (√l − √2 q_{1−α_1}),   (2)

N_DKP = 2^{n+0.5}(q_{1−α_0} + q_{1−α_1}) / (√l + √2 q_{1−α_0}),   (3)

where α_0 is the probability to reject the right key, and α_1 is the probability to accept a wrong key.
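With the parameters used later for LBlock (α_0 = 2^{−2.7}, α_1 = 0.5, n = 64, l = 255), Eqs. (2) and (3) can be evaluated numerically; a sketch assuming the formulas as reconstructed above:

```python
from math import sqrt, log2
from statistics import NormalDist

def data_complexity(n, l, a0, a1):
    """N_KP and N_DKP from Eqs. (2) and (3) (as reconstructed above)."""
    q0 = NormalDist().inv_cdf(1 - a0)   # quantile q_{1-a0}
    q1 = NormalDist().inv_cdf(1 - a1)   # quantile q_{1-a1}
    n_kp = 2 ** (n + 0.5) * (q0 + q1) / (sqrt(l) - sqrt(2) * q1)
    n_dkp = 2 ** (n + 0.5) * (q0 + q1) / (sqrt(l) + sqrt(2) * q0)
    return n_kp, n_dkp

n_kp, n_dkp = data_complexity(n=64, l=255, a0=2 ** -2.7, a1=0.5)
# Reproduces the 2^60.4 DKP data complexity quoted for 25-round LBlock.
assert abs(log2(n_dkp) - 60.4) < 0.1
```

Here α_1 = 0.5 makes q_{1−α_1} = 0, and the DKP sample needs slightly less data than the KP sample, as expected.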

Procedure of key recovery attack
We describe the key-recovery attack procedure which uses the statistic Q. The attack procedure is as follows. Step 1: For a related-key differential path with a difference Δ on the master key that satisfies the key difference invariant bias condition, collect N plaintext-ciphertext pairs (P, C) under the keys κ and κ′ = κ ⊕ Δ.
Step 2: For each guess of the involved subkey bits, partially encrypt and decrypt the data and compute the counters V_η and V′_η of the observed data distributions under κ and κ′.
Step 3: Compute the statistic Q from the counters.
Step 4: If Q ≤ τ, then the guessed subkey is a possible right subkey candidate.
Step 5: Do an exhaustive search over all right subkey candidates.

Attack on LBlock
In this section, we will evaluate the security of LBlock against multidimensional linear attack with key difference invariant bias by using the new statistic Q.

A brief description of LBlock
Encryption Algorithm. The general structure of LBlock is a variant of a Feistel network. The number of iterative rounds is 32. The round function of LBlock includes three basic operations: AddRoundKey, the confusion function S and the diffusion function P. The confusion function S consists of eight 4 × 4 S-boxes in parallel. The diffusion function P is defined as a permutation of eight 4-bit nibbles (see Wu and Zhang (2011) for details).
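The round structure just described can be sketched schematically. The S-box and nibble permutation below are illustrative placeholders, not LBlock's actual tables (those are specified in Wu and Zhang (2011)); only the Feistel skeleton F(x, k) = P(S(x ⊕ k)) combined with an 8-bit rotation of the other half follows the description above:

```python
# Schematic LBlock-style Feistel round. The S-box and nibble permutation
# are ILLUSTRATIVE placeholders, not LBlock's actual tables.
TOY_SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
            0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
TOY_PERM = [1, 3, 0, 2, 5, 7, 4, 6]          # permutation of 8 nibbles

def nibbles(x):
    return [(x >> (4 * i)) & 0xF for i in range(8)]

def from_nibbles(ns):
    return sum(n << (4 * i) for i, n in enumerate(ns))

def round_function(x32, k32):
    """F: subkey addition, 8 parallel 4x4 S-boxes, nibble permutation P."""
    s = [TOY_SBOX[n] for n in nibbles(x32 ^ k32)]
    return from_nibbles([s[TOY_PERM[i]] for i in range(8)])

def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def encrypt_round(left, right, k):
    """One Feistel round on the 64-bit state (left, right)."""
    return round_function(left, k) ^ rotl32(right, 8), left
```

The round is invertible: the new right half is the old left half, so the old right half is recovered by XORing F back in and rotating by 24 (i.e., right-rotating by 8).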

Multidimensional linear approximations with key difference invariant bias for LBlock
Let K and K′ be the expanded keys corresponding to two master keys κ and κ′ under the key schedule φ, such that K′ = K ⊕ ΔK. Firstly, we introduce the notation that will be used: ΔS(k_{[14:17]}) = S(k_{[14:17]}) ⊕ S(k′_{[14:17]}), and the other difference notation is represented analogously; Γ_r, 5 ≤ r ≤ 20: the input mask value for the S-boxes in round r; ΔK_r, 5 ≤ r ≤ 20: the subkey difference in round r; ΔK_r^i, 5 ≤ r ≤ 20: the i-th nibble of the subkey difference in round r, where the 0-th nibble is the leftmost nibble. In masks, '0', '1' and '*' denote a zero, nonzero and arbitrary mask for a nibble, respectively; in differences, '0', '1' and '*' denote a zero, nonzero and arbitrary difference for a nibble, respectively.
In Bogdanov et al. (2013), Bogdanov et al. found 16-round linear approximations that satisfy the key difference invariant bias property, but they did not identify a master key difference satisfying Condition 1. In this section, we find the master key differences that give invariant bias for the 16-round 8-dimensional linear approximations. These 16-round 8-dimensional linear approximations have a 4-bit input mask and a 4-bit output mask, and we place them at rounds 5 to 20. The input mask at round 5 is (0000α00000000000) and the output mask at round 20 is (000000000β000000), α, β ≠ 0. Next, we determine the master key differences that satisfy Condition 1.
For all cases of input masks Γ_r, 5 ≤ r ≤ 20, if the relations ⟨Γ_r, ΔK_r⟩ = 0 hold, then the sufficient condition for key difference invariant bias is fulfilled according to Condition 1 in Corollary 1. Now we determine all the related-key differential paths, that is, we find the specific master key differences that satisfy the sufficient condition for invariant bias.

Key recovery for 25-Round LBlock
In order to attack 25-round LBlock, we follow the multidimensional linear cryptanalysis with the key difference invariant bias property. The attack utilizes the 16-round key difference invariant bias linear approximations described in the previous section, covering rounds 5 to 20. We append 4 rounds at the top of the distinguisher and 5 rounds at the bottom. After collecting sufficiently many plaintext-ciphertext pairs, we guess the corresponding subkeys for the first four and the last five rounds and compute the statistic Q of the linear approximations. Next, we decide whether the guessed key is right or not. Finally, we exhaustively search over all right subkey candidates. If we directly guessed all subkey bits involved in the key-recovery process, the time complexity would be greater than exhaustive search. Therefore, in order to reduce the time complexity, we express the two target values of the attack in terms of the related round keys and plaintexts or ciphertexts, and then use the partial-compression technique to reduce the time complexity significantly. The attack process is shown in Fig. 1. Let X_0 denote the 64-bit plaintext and X_r^j denote the j-th 4-bit nibble of the r-th round state, where the 0-th nibble is the leftmost nibble. As shown in Fig. 2, the nibble X_4^4 is affected by 32 bits of the plaintext X_0 and 28 bits of round keys, and its expression can be written out explicitly. Moreover, ΔK_25^2 has 2^3 possible values. According to these relations, 17 bits of key information can be removed from the 76 involved round-key bits, so we only need to guess 59 subkey bits in the key-recovery attack.
Assuming that N distinct known plaintext-ciphertext pairs are sampled, the partial encryption and decryption using the partial-compression technique proceed as in Table 4. Under the master keys κ and κ′, the subkey nibbles that have to be guessed are listed in the second column. The time complexity of each step, measured in S-box accesses, is given in the third column. The "Obtained States" saved during the encryption and decryption process are listed in the fourth column. Let x_i and x′_i (1 ≤ i ≤ 14) denote the possible obtained states under the master keys κ and κ′, respectively; the counters N_i[x_i] and N′_i[x′_i] record how many plaintext-ciphertext pairs produce the corresponding intermediate states x_i and x′_i, respectively. The counter size for x_i and x′_i is shown in the last column.
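The bookkeeping behind partial compression can be sketched generically: after guessing one subkey nibble, each counter over a larger state is folded into a counter over a smaller state, so later steps run over fewer values and counts are accumulated rather than recomputed from the N plaintexts. The state-shrinking map below is a stand-in for the real round-function expressions, purely illustrative:

```python
def compress(counters, guessed_key, shrink):
    """Fold counters N_i[x] into counters over a smaller state using the
    (key-dependent) map `shrink`; counts are accumulated, not recomputed."""
    out = {}
    for state, count in counters.items():
        new_state = shrink(state, guessed_key)
        out[new_state] = out.get(new_state, 0) + count
    return out

# Illustrative shrink: a keyed S-box lookup merges the two low nibbles.
TOY_SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
            0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]

def shrink(state, key):
    low, rest = state & 0xFF, state >> 8
    merged = TOY_SBOX[(low ^ key) & 0xF] ^ (low >> 4)   # 8 bits -> 4 bits
    return (rest << 4) | merged

# 12-bit states fold to 8-bit states; the total count is preserved.
N1 = {x: 1 for x in range(2 ** 12)}
N2 = compress(N1, guessed_key=0xA, shrink=shrink)
assert sum(N2.values()) == 2 ** 12
```

Each table step is one such fold for one guessed subkey nibble, which is why the counter sizes in Table 4 shrink by 4 bits at a time.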
To be more clear, we explain some steps in Table 4 in detail.
Step 1. In the attack, the target values X_4^4 and X_20^9 are affected by 32 bits of plaintext and 48 bits of ciphertext. The 80-bit states x_0 and x′_0 can be reduced to the 60-bit states x_1 and x′_1 after guessing 18 bits of round keys. We allocate two 60-bit counters N_1[x_1] and N′_1[x′_1] for the master keys κ and κ′, respectively, and initialize them to zero. We then guess the 18 key bits and partially decrypt the N ciphertexts to compute x_1 and x′_1 under the master keys κ and κ′, respectively, and increment the corresponding counters.
Step 2. We first allocate 56-bit counters N_2[x_2] and N′_2[x′_2] for the master keys κ and κ′, respectively, and initialize them to zero. We then guess the 4-bit K_1^4 for each master key, partially encrypt x_1 and x′_1 to compute x_2 and x′_2, respectively, and increment the corresponding counters.

Table 4 Partial encryption and decryption on 25-round LBlock
Step 1: guess K_25^6, K_25^7, K_23^2[2:3], K_24^1, K_25^3 (18 bits); time N · 2^18 · 10; obtained states x_1, x′_1 = (X_0^0, X_0^14, X_0^5, X_0^9, X_0^6, X_0^1, X_0^8, X_0^4, X_25^3, X_25^10, X_25^13, X_23^7, X_25^6, X_25^12, X_21^5); counter size 2^60.
Step 2: guess K_1^4; time 2^60 · 2^18 · 2^4 · 2; obtained states x_2, x′_2 = (X_0^0, X_0^14, X_0^5, X_0^9, X_0^6, X_0^1, X_1^6, X_25^3, X_25^10, X_25^13, X_23^7, X_25^6, X_25^12, X_21^5); counter size 2^56.
Step 3: guess K_2^6; time 2^56 · 2^22 · 2^4 · 2; obtained states x_3, x′_3 = (X_0^0, X_0^14, X_0^5, X_0^9, X_0^6, X_2^7, X_25^3, X_25^10, X_25^13, X_23^7, X_25^6, X_25^12, X_21^5); counter size 2^52.
Step 4: guess K_24^7 (2^3 possible values); time 2^52 · 2^26 · 2^3 · 2; obtained states x_4, x′_4 = (X_0^0, X_0^14, X_0^5, X_0^9, X_0^6, X_2^7, X_25^3, X_25^10, X_22^7, X_25^6, X_25^12, X_21^5); counter size 2^48.
Step 5: guess K_1^6; time 2^48 · 2^29 · 2^4 · 2; obtained states x_5, x′_5 = (X_0^0, X_0^14, X_0^5, X_1^7, X_2^7, X_25^3, X_25^10, X_22^7, X_25^6, X_25^12, X_21^5); counter size 2^44.
Step 6: guess K_3^7; time 2^44 · 2^33 · 2^1 · 2.
Because the following steps are similar to the above ones, we do not explain them in detail. Besides, we note that the number of guessed key bits in step 8 of Table 4 is 4; however, the number of known key bits there is 8, because the key in the parentheses can be obtained by using the relations of the round keys. To recover the secret key, the following steps are performed. After processing the attack procedure from steps 1 to 5, if we do not succeed, this means that the value of the right key does not belong to the values corresponding to the related-key differential path tested. We can then use another related-key differential path and repeat the attack. All possible values of the master key bits k_{[14:17]} and S_9(k_{[18:21]})[3] are covered by the related-key differential paths, so we can always find the right key; in the worst case, all the related-key differential paths have to be tested. For example, if we choose the master key difference Δ_{[14:17]} = 0111, then k_{[14:17]} and S_9(k_{[18:21]})[3] have 8 possible values. We need to guess them one by one and determine which one is the right key. The average number of guesses is (1/8)(1 + 2 + 3 + 4 + 5 + 6 + 7 + 8) = 4.5.
Similarly, when Δ_{[14:17]} = 1100, 0100, 1111 or 1011, the average number of guesses is 2.5; when Δ_{[14:17]} = 1010, 0110, 1001 or 0101, the average number of guesses is 1.5. The key difference Δ_{[14:17]} has 9 possible values, whose probability distribution is given in Table 3. According to the above discussion, the total average number of guesses is 4.
Complexity. Now we evaluate the complexity of the key recovery on 25-round LBlock. By setting α_0 = 2^{−2.7} and α_1 = 0.5, we have q_{1−α_0} = 1.02 and q_{1−α_1} = 0. Since n = 64 and l = 255, according to Eq. (3) the data complexity is N_DKP = 2^{60.4}. We start by evaluating the complexity of steps 1 to 14 of the partial computation (see Table 4); the time complexity is T_1 = N · 2^19 · 5 + 2^83 · 2 + 2^82 · 2 + 2^79 + 2^80 + 2^78 · 3 + 2^75 · 2 + 2^72 ≈ 2^84.89 S-box accesses.

Key recovery for 24-Round LBlock
Similarly, we can perform a key-recovery attack on 24-round LBlock by using the same linear approximations from rounds 5 to 20. We append 4 rounds at the top of the distinguisher and 4 rounds at the bottom.
We express the two target values of the attack in terms of the related round keys and the plaintexts or ciphertexts, and then use the partial-compression technique to reduce the time complexity significantly (see Table 5). The nibble X_4^{4} is affected by 32 bits of plaintext X^0 and 28 bits of round keys, and can be expressed accordingly; similarly, the nibble X_9^{20} is affected by 32 bits of ciphertext X^{24} and 28 bits of round keys.
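The partial-compression technique used here (and throughout the paper) can be sketched generically: the N texts are first compressed into counters over only the bits that influence the target nibble, so that every subsequent subkey guess iterates over at most 2^b counters instead of N texts. The 8-bit window, the toy partial-decryption function f, and the 8-bit subkey below are hypothetical stand-ins, not LBlock's actual round structure.

```python
from collections import Counter
import random

random.seed(0)

def f(x, k):
    """Stand-in for partially decrypting the relevant bits under guess k."""
    return (x ^ k) & 0xFF

texts = [random.randrange(2**16) for _ in range(10000)]

# Step 1: compress the N texts into counters over the bits that actually
# influence the target value (here: the low 8 bits). The cost of every
# later step now depends on 2^8, not on N.
counts = Counter(t & 0xFF for t in texts)

# Step 2: for each subkey guess, evaluate f on at most 2^8 counter entries
# instead of all N texts; the statistic Q would be computed from `partial`.
for k in range(2**8):
    partial = Counter()
    for x, c in counts.items():
        partial[f(x, k)] += c
```

The same idea is applied nibble by nibble in Tables 4-7, shrinking the "relevant" state after each guessed subkey nibble.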

Attack on TWINE-128
In this section, we will evaluate the security of TWINE-128 against multidimensional linear attack with key difference invariant bias by using the new distinguisher Q.

A brief description of TWINE
TWINE is a 64-bit lightweight block cipher with an 80- or 128-bit key. It was proposed by Suzaki et al. in 2012. The structure of TWINE is a modified Type-2 generalized Feistel network. Its round function consists of AddRoundKey, 4-bit S-boxes and a diffusion layer. This round function is iterated 36 times for both TWINE-80 and TWINE-128, where the diffusion layer of the last round is omitted.
The key schedule of TWINE is quite simple: S-boxes, XOR operations and a series of constants are used. Due to space limitations, we refer to Suzaki et al. (2012) for the specific key schedule algorithms.
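As an illustration of the Type-2 generalized Feistel structure described above, the following sketch applies one round to sixteen 4-bit nibbles: AddRoundKey and an S-box on each even branch, XORed into the odd neighbour, followed by a nibble shuffle. The SBOX and SHUFFLE values are placeholders, not TWINE's actual constants.

```python
SBOX = list(range(16))                        # placeholder 4-bit S-box
SHUFFLE = [(i + 1) % 16 for i in range(16)]   # placeholder diffusion layer

def round_fn(state, round_key):
    """state: 16 nibbles; round_key: 8 nibbles (one per S-box)."""
    out = list(state)
    # AddRoundKey + S-box on even branches, XORed into the odd neighbours.
    for j in range(8):
        out[2 * j + 1] ^= SBOX[state[2 * j] ^ round_key[j]]
    # Diffusion layer: permute the sixteen nibbles.
    return [out[SHUFFLE[i]] for i in range(16)]
```

With TWINE's real S-box and block shuffle substituted in (and the shuffle omitted in the last round), iterating this step 36 times yields the full cipher.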

Key recovery for 28-round TWINE-128
We consider the 17-round (from round 6 to round 22) linear approximations with key difference invariant bias for TWINE-128 that were identified in Bogdanov et al. (2013). The input mask of the 6-th round is (000000000000 a 000) and the output mask of the 22-nd round is (0000000 b 00000000), with a, b ≠ 0. Let K and K′ be the expanded keys corresponding to the two master keys κ and κ′ under the key schedule, such that ΔK = K ⊕ K′. Let Δκ denote the difference of the master keys κ and κ′. Let ΔK^r and Γ^r denote the subkey difference and the input mask value for the S-boxes in round r, respectively. To make the relations Γ^r · ΔK^r = 0, 6 ≤ r ≤ 22 (6) hold, it suffices to let Δκ_{20:23} ≠ 0000 and Δκ_j = 0 for j = 0, 1, ..., 79, j ∉ {20, 21, 22, 23}. Thus the sufficient condition for key difference invariant bias is satisfied. There are 15 possible nonzero values of Δκ_{20:23} that satisfy Eq. (6). We can choose any nonzero Δκ_{20:23}, with Δκ_j = 0 for j = 0, 1, ..., 79 and j ∉ {20, 21, 22, 23}, to obtain a differential path; together these paths cover all the possible key values, which is sufficient to recover the right key value.
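The sufficient condition Γ^r · ΔK^r = 0 can be sanity-checked mechanically: if the key difference is nonzero only in a nibble position where the mask is zero, the inner product over GF(2) vanishes for all 15 nonzero difference values. The bit positions and the mask below are illustrative only, not the actual TWINE-128 subkey layout.

```python
# GF(2) inner product of a mask and a key difference: the parity of their AND.
def parity(x):
    x ^= x >> 16; x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1
    return x & 1

def inner_product(mask, diff):
    return parity(mask & diff)

MASK = 0xF0F0F0F0 & ~(0xF << 20)   # any mask that is zero on bits 20..23
for dk in range(1, 16):            # the 15 nonzero 4-bit difference values
    diff = dk << 20                # difference confined to bits 20..23
    assert inner_product(MASK, diff) == 0
```

Because the mask never touches bits 20..23, every one of the 15 admissible differences gives a zero inner product, matching the condition in Eq. (6).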
We utilize the 17-round distinguisher to attack 28 rounds of TWINE-128. The initial five rounds, from round 1 to round 5, are added before the distinguisher, and the final six rounds, from round 23 to round 28, are appended after it. Similarly, we express the two target values and then guess the keys one nibble after another to reduce the time complexity of the partial computation. The nibble X_{12}^{5} is affected by 48 bits of plaintext X^0 and 48 bits of round keys, and can be expressed accordingly; similarly, the nibble X_7^{22} is affected by 60 bits of ciphertext X^{28} and 76 bits of round keys. Relations exist among the related round keys (in particular one involving K_1^{24}); thus we only need to guess 116 subkey bits in the attack.
Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as shown in Table 6.
Complexity. We set γ_0 = 2^{-2.7} and γ_1 = 2^{-3}, so we have q_{1-γ_0} = 1.02 and q_{1-γ_1} = 1.15. Since n = 64 and l = 255, according to Eq. (3) the data complexity is N_DKP = 2^{61.5}. Now we evaluate the time complexity of the key recovery on 28-round TWINE-128. We start by evaluating the complexity of step 1 to step 14 in the process of partial compression (see Table 6); the time complexity sums to T_1 ≈ 2^{133.09} S-box accesses, which is about T = T_1 · (1/8) · (1/28) = 2^{125.28} 28-round TWINE-128 encryptions. Note that the time complexity of steps 3 and 4 is negligible. The time complexity of step 5 of the key recovery attack is about 2^{125} 28-round encryptions. Therefore, the total time complexity is about 2^{125} + 2^{125.28} ≈ 2^{126.15} 28-round TWINE encryptions. The memory requirements are about 2^{61} bytes.
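The final combination of the two dominant cost terms can be verified directly:

```python
import math

# Combining the dominant costs for 28-round TWINE-128: about 2^125
# encryptions for the final key search plus about 2^125.28 encryption
# equivalents for the partial-compression phase.
total = 2**125 + 2**125.28
print(round(math.log2(total), 2))  # 126.15
```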

Key recovery for 27-round TWINE-128
We use the 17-round 8-dimensional linear approximations with key difference invariant bias to give an attack on 27-round TWINE-128. By placing the 17-round 8-dimensional linear approximations at rounds 6 to 22, we can perform a key recovery attack on 27-round TWINE-128. Similarly, we can express the two target values X_{12}^{5} and X_7^{22}; the value X_{12}^{5} is the same as in (7), and the nibble X_7^{22} can be expressed accordingly. The nibble X_{12}^{5} is affected by 48 bits of plaintext X^0 and 48 bits of round keys, and the nibble X_7^{22} is affected by 48 bits of ciphertext X^{27} and 48 bits of round keys. Relations also exist among the related round keys. Assuming that N distinct known plaintexts are used, the partial encryption and decryption using the partial-compression technique proceed as shown in Table 7.
Complexity. We set γ_0 = 2^{-2.7} and γ_1 = 2^{-8.5}, and obtain the data complexity according to Eq. (3).

Combined model. In order to reduce the data complexity of attacks, we can perform a 27-round key recovery attack which uses together the differential paths of all 15 key differences that satisfy the condition of key difference invariant bias. Let Δκ_i, 1 ≤ i ≤ 15, denote the i-th master key difference satisfying the condition of key difference invariant bias. Let V_i[η] and V′_i[η], η = 0, ..., 2^m − 1, denote the numbers of occurrences of the value η in the observed data distributions for master keys κ and κ′ such that κ ⊕ κ′ = Δκ_i, with the N texts. Let Q_i be the i-th statistic (i = 1, ..., 15) under master key difference Δκ_i. Define the statistic T = Σ_{i=1}^{15} Q_i; then, for the right key guess, T approximately follows a normal distribution for sufficiently large N and n. Under the KP and DKP cases, the amount of data needed by the distinguisher T is

N_KP = 2^{n+0.5}(q_{1−γ_0} + q_{1−γ_1}) / (√(15l) − 2q_{1−γ_1}),   N_DKP = 2^{n+0.5}(q_{1−γ_0} + q_{1−γ_1}) / (√(15l) + 2q_{1−γ_0}).   (8)

Complexity. By setting γ_0 = 2^{-2.7} and γ_1 = 2^{-8.5}, according to Eq. (8) the data complexity is N_DKP = 2^{60.44}, the total time complexity is about 2^{119.5} 27-round TWINE encryptions, and the memory requirements are about 15 · 2^{61} bytes.
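Under one plausible reading of the DKP case of Eq. (8), namely N_DKP = 2^{n+0.5}(q_{1−γ_0}+q_{1−γ_1}) / (√(15l) + 2q_{1−γ_0}) with q_{1−γ} the standard normal quantile (this formula layout is an assumption), the stated data complexity of about 2^{60.44} can be reproduced numerically:

```python
import math
from statistics import NormalDist

# Combined-model data complexity, DKP case, under the assumed reading of
# Eq. (8): 15 statistics Q_i summed, l = 255 approximations per statistic.
n, l = 64, 255
g0, g1 = 2**-2.7, 2**-8.5
q0 = NormalDist().inv_cdf(1 - g0)   # standard normal quantile, ~1.02
q1 = NormalDist().inv_cdf(1 - g1)   # standard normal quantile, ~2.78
N = 2**(n + 0.5) * (q0 + q1) / (math.sqrt(15 * l) + 2 * q0)
print(round(math.log2(N), 2))       # close to the stated 2^60.44
```

The same quantile values (q = 1.02 for γ = 2^{-2.7}, q = 1.15 for γ = 2^{-3}) match those quoted for the single-path attacks, supporting this reading.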

Conclusion
In this paper, we propose a new statistical related-key distinguisher under the scenario of key difference invariant bias for multidimensional linear cryptanalysis. Compared with the model in Bogdanov et al. (2013), our new model has two main advantages: first, the assumption of statistical independence of linear approximations can be removed; second, our model considers all linear approximations (excluding zero) of a linear subspace with the key difference invariant bias property, which increases the degrees of freedom. Moreover, the partial-compression technique is used to reduce the time complexity: we carefully choose the order of guessing keys and guess each subkey nibble one after another. Besides, we take the key schedule into consideration and use the relations among the related round keys to reduce the number of round-key bits that need to be guessed. To illustrate the new attack model, we evaluate the security of the LBlock and TWINE-128 block ciphers against our cryptanalysis technique. For LBlock, based on a 16-round key difference invariant bias distinguisher, we present a 25-round key recovery attack. For TWINE-128, we apply a 17-round key difference invariant bias distinguisher to a 28-round key recovery attack. We attack more rounds than the best previous cryptanalysis: while previous attacks can break 24-round LBlock and 27-round TWINE-128, our attacks on the same numbers of rounds use less time and data complexity.