Designs, Codes and Cryptography

, Volume 70, Issue 3, pp 369–383 | Cite as

Linear hulls with correlation zero and linear cryptanalysis of block ciphers

  • Andrey BogdanovEmail author
  • Vincent Rijmen


Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2 n-1 is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using the zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.


Block ciphers Correlation Linear cryptanalysis 

Mathematical Subject Classification



Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biham E.: On Matsui’s linear cryptanalysis. In: EUROCRYPT’94, vol. 950, Lecture Notes in Computer Science, pp. 341–355. Springer, Heidelberg (1995).Google Scholar
  2. 2.
    Biham E., Biryukov A., Shamir A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT’99, LNCS, pp. 12–23. Springer, Heidelberg (1999).Google Scholar
  3. 3.
    Biham E., Keller N.: Cryptanalysis of reduced variants of rijndael. (1999). Accessed Oct 2011
  4. 4.
    Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. In: Alfred, M., Scott, A.V. (eds) CRYPTO’90, LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1990)Google Scholar
  5. 5.
    Bogdanov A., Wang M.: Zero correlation linear cryptanalysis with reduced data complexity. In: FSE’12, LNCS. Springer, Heidelberg (2012).Google Scholar
  6. 6.
    Borst J, Knudsen L.R., Rijmen V.: Two attacks on reduced IDEA. In: Fumy, W. (ed.) EUROCRYPT’97, LNCS, pp. 1–13. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Choy J., Yap H.: Impossible boomerang attack for block cipher structures. In: Tsuyoshi, T., Masahiro, M. (eds.) IWSEC’09, LNCS, vol. 5824, pp. 22–37. Springer, Heidelberg (2009)Google Scholar
  8. 8.
    Collard B., Standaert F.-X.: Experimenting linear cryptanalysis. In: Junod, P., Canteaut, A. (eds.) Advanced Linear Cryptanalysis of Block and Stream Ciphers, Cryptology and Information Security Series, vol. 7, IOS Press, Amsterdam (2011)Google Scholar
  9. 9.
    Daemen J., Govaerts R., Vandewalle J.: Correlation matrices. In: Preneel, B. (ed.) Fast Software Encryption, LNCS, vol. 1008, pp. 275–285. Springer, Heidelberg (1994)Google Scholar
  10. 10.
    Daemen J., Rijmen V.: The design of rijndael: AES—the advanced encryption standard. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Daemen J., Rijmen V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  12. 12.
    Etrog J., Robshaw M.J.B.: On unbiased linear approximations. In: ACISP’10, LNCS, vol. 6168, pp. 74–86. Springer, Heidelberg (2010).Google Scholar
  13. 13.
    FIPS: Advanced Encryption Standard. Publication 197. National Bureau of Standards, U.S. Department of Commerce, (2001).Google Scholar
  14. 14.
    Lu J., Dunkelman O., Keller N., Kim J.: New impossible differential attacks on AES. In: INDOCRYPT’08, LNCS, pp. 279–293. Springer, Heidelberg (2008).Google Scholar
  15. 15.
    Matsui M.: Linear cryptoanalysis method for DES cipher. In: EUROCRYPT’93, LNCS, pp. 386–397. Springer, Heidelberg, (1993).Google Scholar
  16. 16.
    Matyas S.M., Meyer C.H., Oseas J.: Generating strong one-way functions with cryptographic algorithm. IBM Tech. Discl. Bull. 27, 5658–5659 (1985)Google Scholar
  17. 17.
    Nyberg K.: Linear approximation of block ciphers. In: EUROCRYPT’94, LNCS, pp. 439–444. Springer, Heidelberg (1994).Google Scholar
  18. 18.
    Nyberg K.: Correlation theorems in cryptanalysis. Discret. Appl. Math. 111(1–2), 177–188 (2001)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    O’Connor L.: Properties of linear approximation tables. In: Preneel B. (ed.) FSE. LNCS, vol. 1008, pp. 131–136 (1994).Google Scholar
  20. 20.
    Röck A., Nyberg K.: Exploiting linear hull in Matsui’s algorithm vol. 1, (2011).Google Scholar
  21. 21.
    Shirai T., Shibutani K., Akishita T., Moriai S., Iwata T.: The 128-Bit Blockcipher CLEFIA (Extended Abstract). In: FSE’07, LNCS, pp. 181–195. Springer, Heidelberg (2007).Google Scholar
  22. 22.
    Sung J., Lee S., Lim Jong I., Hong S., Park S.: Provable security for the skipjack-like structure against differential cryptanalysis and linear cryptanalysis. In: Okamoto T. (ed.) ASIACRYPT2000, LNCS, pp. 274–288 (1976).Google Scholar
  23. 23.
    Tsunoo Y., Tsujihara E., Shigeri M., Saito T., Suzaki T., Kubo H.: Impossible differential cryptanalysis of CLEFIA. In: FSE’08, LNCS, pp. 398–411. Springer, Heidelberg (2008).Google Scholar
  24. 24.
    Vaudenay S.: Decorrelation: A theory for block cipher security. J. Cryptol. 16(4), 249–286 (2003)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. 1.Department of ESAT and IBBT Security DepartmentKU LeuvenHeverleeBelgium

Personalised recommendations