• PDF / 370,218 Bytes
• 18 Pages / 439.363 x 666.131 pts Page_size
• 2 Downloads / 191 Views

DOWNLOAD

REPORT

invention of the differential and linear cryptanalyses several extensions and related statistical cryptanalysis methods for block ciphers have been presented. The need for a common framework for statistical attacks that would facilitate their P.Q. Nguyen and E. Oswald (Eds.): EUROCRYPT 2014, LNCS 8441, pp. 165–182, 2014. c International Association for Cryptologic Research 2014 

166

C. Blondeau and K. Nyberg

comparison has been raised in the literature at least by Vaudenay [1] and Wagner [2], who also put forward such frameworks. While the former aims at providing provable security against all statistical attacks, the latter takes a high level view on the iterated Markov ciphers. In this paper, we propose a more pragmatic approach to show that, no matter whether we use a linear or differential characteristic to identify some non-random behavior, it can be exploited for a knownplaintext (KP) attack and a chosen-plaintext (CP) attack. Previously, many mathematical relationships between statistical cryptanalysis methods have been established. They concern the computation of the main statistic of the cryptanalysis method under consideration. In [3], Leander studied relations between the statistical saturation (SS) attack [4] and the multidimensional linear (ML) cryptanalysis using the χ2 statistical test [5]. In the former the strength of the distinguishing property is measured by the non-uniformity of the distribution of partial ciphertext values when part of the plaintext is fixed. In the latter, the non-uniformity of the joint distribution of plaintext parts and ciphertext parts is under consideration. Leander showed that the non-uniformities computed in the SS attack are on average equal to the non-uniformity of the distribution considered in the ML attack. Later more links were established in [6] and also applied in practice. For example, an efficient zero-correlation (ZC) property was found on a variant of Skipjack. Using the mathematical link it was then transformed to an integral property to launch an efficient CP attack on 31 rounds of this cipher. The question arises, whether it would have been possible to use the ZC property directly. Or would it have consumed essentially more data, time, or memory to exploit the ZC property directly in this attack? The purpose of this paper is to give an exhaustive answer to such questions in the more general setting of truncated differential (TD) [7] and ML attacks. Building on the link proposed by Chabaud and Vaudenay [8] and applied by Blondeau and Nyberg [9], we establish now a more general mathematical link between differential and linear statistical properties of block ciphers. This link provides a unified view on statistical distinguishers of block ciphers that measure the uniformity of a distribution of pairs of partial plaintext and ciphertext values and covers any TD and ML distinguishers. It allows for examination and comparison of the corresponding KP and CP distinguishing attacks and the related statistical models. In this paper, we will make a detailed comparison bet

Recommend Documents

Preventing Differential Fault Analysis Attack on AEGIS Family of Ciphers

187 29 19MB

Tweaking Key-Alternating Feistel Block Ciphers

139 40 10MB

Computing Expected Differential Probability of (Truncated) Differentials and Expected Linear Potential of (Multidimensio

123 40 32MB

Truncated and Infinite Power Series in the Role of Coefficients of Linear Ordinary Differential Equations

139 73 28MB

Linear and Differential Cryptanalysis

182 93 14MB

Lower Bounds on the Degree of Block Ciphers

177 73 22MB

Historical Links Between Psychiatry and Sexual Medicine

116 51 7MB

How to Build Optimally Secure PRFs Using Block Ciphers

165 13 22MB

Truncated Predictor Feedback for General Linear Systems

148 54 7MB

Linear size MIP formulation of Max-Cut: new properties, links with cycle inequalities and computational results

115 15 392KB

Proving the biases of Salsa and ChaCha in differential attack

155 83 654KB

Beyond Partial Differential Equations On Linear and Quasi-Linear Abs

233 107 4MB