Chapter

Advances in Cryptology - ASIACRYPT 2013

Volume 8269 of the series Lecture Notes in Computer Science pp 357-376

Key Difference Invariant Bias in Block Ciphers

  • Andrey BogdanovAffiliated withTechnical University of Denmark
  • , Christina BouraAffiliated withTechnical University of Denmark
  • , Vincent RijmenAffiliated withESAT/SCD/COSIC, KU LeuveniMinds
  • , Meiqin WangAffiliated withKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University
  • , Long WenAffiliated withKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University
  • , Jingyuan ZhaoAffiliated withKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University

* Final gross prices may vary according to local VAT.

Get Access

Abstract

In this paper, we reveal a fundamental property of block ciphers: There can exist linear approximations such that their biases ε are deterministically invariant under key difference. This behaviour is highly unlikely to occur in idealized ciphers but persists, for instance, in 5-round AES. Interestingly, the property of key difference invariant bias is independent of the bias value ε itself and only depends on the form of linear characteristics comprising the linear approximation in question as well as on the key schedule of the cipher.

We propose a statistical distinguisher for this property and turn it into an key recovery. As an illustration, we apply our novel cryptanalytic technique to mount related-key attacks on two recent block ciphers — LBlock and TWINE. In these cases, we break 2 and 3 more rounds, respectively, than the best previous attacks.

Keywords

block ciphers key difference invariant bias linear cryptanalysis linear hull key-alternating ciphers LBlock TWINE