Key Difference Invariant Bias in Block Ciphers

  • Andrey Bogdanov
  • Christina Boura
  • Vincent Rijmen
  • Meiqin Wang
  • Long Wen
  • Jingyuan Zhao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8269)


In this paper, we reveal a fundamental property of block ciphers: There can exist linear approximations such that their biases ε are deterministically invariant under key difference. This behaviour is highly unlikely to occur in idealized ciphers but persists, for instance, in 5-round AES. Interestingly, the property of key difference invariant bias is independent of the bias value ε itself and only depends on the form of linear characteristics comprising the linear approximation in question as well as on the key schedule of the cipher.

We propose a statistical distinguisher for this property and turn it into an key recovery. As an illustration, we apply our novel cryptanalytic technique to mount related-key attacks on two recent block ciphers — LBlock and TWINE. In these cases, we break 2 and 3 more rounds, respectively, than the best previous attacks.


block ciphers key difference invariant bias linear cryptanalysis linear hull key-alternating ciphers LBlock TWINE 


  1. 1.
    Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G.: On the Distribution of Linear Biases: Three Instructive Examples. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 50–67. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Bogdanov, A., Boura, C., Rijmen, V., Wang, M., Wen, L., Zhao, J.: Key Difference Invariant Bias in Block Ciphers. IACR Eprint report (2013)Google Scholar
  3. 3.
    Bogdanov, A., Rijmen, V.: Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers. Accepted to Designs, Codes and Cryptography. Springer (2012) (in press)Google Scholar
  4. 4.
    Bogdanov, A., Wang, M.: Zero Correlation Linear Cryptanalysis with Reduced Data Complexity. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 29–48. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and Multidimensional Linear Distinguishers with Correlation Zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Cho, J.Y.: Linear Cryptanalysis of Reduced-Round PRESENT. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 302–317. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Collard, B., Standaert, F.-X.: Experimenting Linear Cryptanalysis. In: Junod, P., Canteaut, A. (eds.) Advanced Linear Cryptanalysis of Block and Stream Ciphers. ISO Press (2011)Google Scholar
  8. 8.
    Daemen, J., Govaerts, R., Vandewalle, J.: Correlation Matrices. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 275–285. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  9. 9.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002) ISBN 3-540-42580-2Google Scholar
  10. 10.
    Daemen, J., Rijmen, V.: Probability Distributions of Correlations and Differentials in Block Ciphers. Journal of Mathematical Cryptology 1(3), 221–242 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Daemen, J., Rijmen, V.: Probability Distributions of Correlation and Differentials in Block Ciphers. Tech. Rep. 212, IACR ePrint Report 2005/212 (2005),
  12. 12.
    Feller, W.: An Introduction to Probability Theory and Its Applications (1971)Google Scholar
  13. 13.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional Extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Junod, P.: On the Complexity of Matsui’s Attack. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 199–211. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Kaliski Jr., B.S., Robshaw, M.: Linear Cryptanalysis Using Multiple Approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994)Google Scholar
  16. 16.
    Karakoç, F., Demirci, H., Harmancı, A.E.: Impossible Differential Cryptanalysis of Reduced-Round LBlock. In: Askoxylakis, I., Pöhls, H.C., Posegga, J. (eds.) WISTP 2012. LNCS, vol. 7322, pp. 179–188. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Karakoç, F., Demirci, H., Harmanci, A.: Biclique Cryptanalysis of LBlock and TWINE. Inf. Process. Lett. 113(12), 423–429 (2013)CrossRefGoogle Scholar
  18. 18.
    Keliher, L., Sui, J.: Exact Maximum Expected Differential and Linear Probability for Two-Round Advanced Encryption Standard. IET Information Security 1(2), 53–57 (2007)CrossRefGoogle Scholar
  19. 19.
    Kim, J.: Combined Differential, Linear and Related-Key Attacks on Block Ciphers and MAC Algorithms. Ph.D. thesis, K.U.Leuven (2006)Google Scholar
  20. 20.
    Li, Y.: Integral Cryptanalysis on Block Ciphers. Institute of Software, Chinese Academy of Sciences, Beijing (2012) (in Chinese)Google Scholar
  21. 21.
    Liu, Y., Gu, D., Liu, Z., Li, W.: Impossible Differential Attacks on Reduced-Round LBlock. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 97–108. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  22. 22.
    Liu, S., Gong, Z., Wang, L.: Improved Related-Key Differential Attacks on Reduced-Round LBlock. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 58–69. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  24. 24.
    Matsui, M.: The First Experimental Cryptanalysis of the Data Encryption Standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994)Google Scholar
  25. 25.
    Matsui, M., Yamagishi, A.: A New Method for Known Plaintext Attack of FEAL Cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  26. 26.
    Minier, M., Naya-Plasencia, M.: A Related Key Impossible Differential Attack against 22 Rounds of the Lightweight Block Cipher LBlock. Inf. Process. Lett. 112(16), 624–629 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Murphy, S.: The Effectiveness of the Linear Hull Effect. J. Mathematical Cryptology 6(2), 137–147 (2012)zbMATHGoogle Scholar
  28. 28.
    Nyberg, K., Hakala, R.: A Key-Recovery Attack on SOBER-128, Symmetric Cryptography Dagstuhl Seminar No. 07021 (2007)Google Scholar
  29. 29.
    Nyberg, K.: Linear Approximation of Block Ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  30. 30.
    Nyberg, K.: Linear Cryptanalysis Using Multiple Linear Approximations. In: Early Symmetric Crypto (ESC 2010) Seminar, Remich, Luxembourg (2011),
  31. 31.
    O’Connor, L.: Properties of Linear Approximation Tables. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 131–136. Springer, Heidelberg (1995)Google Scholar
  32. 32.
    Röck, A., Nyberg, K.: Generalization of Matsui’s Algorithm 1 to Linear Hull for Key-Alternating Block Ciphers. Designs, Codes and Cryptography 66(1-3), 175–193 (2013)CrossRefzbMATHGoogle Scholar
  33. 33.
    Sasaki, Y., Wang, L.: Meet-in-the-Middle Technique for Integral Attacks against Feistel Ciphers. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 234–251. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  34. 34.
    Sasaki, Y., Wang, L.: Comprehensive Study of Integral Analysis on 22-Round LBlock. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 156–169. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  35. 35.
    Selçuk, A.A.: On Probability of Success in Linear and Differential Cryptanalysis. Journal of Cryptology 21(1), 131–147 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Soleimany, H., Nyberg, K.: Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock. Accepted to WCC 2013 (2012) (to appear),
  37. 37.
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A Lightweight Block Cipher for Multiple Platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  38. 38.
    Wagner, D.: The Boomerang Attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  39. 39.
    Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  40. 40.
    Wang, Y., Wu, W., Yu, X., Zhang, L.: Security on LBlock against Biclique Cryptanalysis. In: Lee, D.H., Yung, M. (eds.) WISA 2012. LNCS, vol. 7690, pp. 1–14. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Christina Boura
    • 1
  • Vincent Rijmen
    • 2
    • 3
  • Meiqin Wang
    • 4
  • Long Wen
    • 4
  • Jingyuan Zhao
    • 4
  1. 1.Technical University of DenmarkDenmark
  2. 2.ESAT/SCD/COSICKU LeuvenBelgium
  3. 3.iMindsBelgium
  4. 4.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina

Personalised recommendations