Key Difference Invariant Bias in Block Ciphers
- Cite this paper as:
- Bogdanov A., Boura C., Rijmen V., Wang M., Wen L., Zhao J. (2013) Key Difference Invariant Bias in Block Ciphers. In: Sako K., Sarkar P. (eds) Advances in Cryptology - ASIACRYPT 2013. ASIACRYPT 2013. Lecture Notes in Computer Science, vol 8269. Springer, Berlin, Heidelberg
In this paper, we reveal a fundamental property of block ciphers: There can exist linear approximations such that their biases ε are deterministically invariant under key difference. This behaviour is highly unlikely to occur in idealized ciphers but persists, for instance, in 5-round AES. Interestingly, the property of key difference invariant bias is independent of the bias value ε itself and only depends on the form of linear characteristics comprising the linear approximation in question as well as on the key schedule of the cipher.
We propose a statistical distinguisher for this property and turn it into an key recovery. As an illustration, we apply our novel cryptanalytic technique to mount related-key attacks on two recent block ciphers — LBlock and TWINE. In these cases, we break 2 and 3 more rounds, respectively, than the best previous attacks.
Keywordsblock ciphers key difference invariant bias linear cryptanalysis linear hull key-alternating ciphers LBlock TWINE
Unable to display preview. Download preview PDF.