Protecting Against Multidimensional Linear and Truncated Differential Cryptanalysis by Decorrelation
Abstract
The decorrelation theory provides a different point of view on the security of block cipher primitives. Results on some statistical attacks obtained in this context can support or provide new insight on the security of symmetric cryptographic primitives. In this paper, we study, for the first time, the multidimensional linear attacks as well as the truncated differential attacks in this context. We show that the cipher should be decorrelated of order two to be resistant against some multidimensional linear and truncated differential attacks. Previous results obtained with this theory for linear, differential, differential-linear and boomerang attacks are also summarized and improved in this paper.
Keywords
Decorrelation theory, Multidimensional linear cryptanalysis, Truncated differential cryptanalysis
1 Introduction
In the last 25 years many statistical attacks have been proposed and implemented on different symmetric key cryptographic primitives. Nowadays, new symmetric primitives are not considered secure until evaluation by the community. But it is often difficult to evaluate the security of a cipher due to the large number of known attacks.
In 1998, Vaudenay [18, 21] introduced the decorrelation theory to avoid this long and tedious security evaluation. When a cipher is designed and proved secure up to a certain degree of decorrelation, it is secure against a wide range of statistical attacks. Among statistical attacks, differential cryptanalysis [8], linear cryptanalysis [17] and their generalizations have been prominent. For instance, we know that a cipher decorrelated of order two is resistant to classical differential and linear cryptanalysis. Recently [7], it has been shown that primitives should be decorrelated of order four to be protected against differential-linear [3, 13] and boomerang [22] attacks.
Understanding the similarities between the different statistical attacks is of great importance to simplify the security analysis of symmetric cryptographic primitives. While different works in that direction have been presented in the last couple of years [4, 9, 10, 16], part of this unification can also be obtained by determining the decorrelation order of the newly presented attacks. However, the question of measuring the advantage gained by taking information from several differentials or linear approximations has not yet been studied in the context of decorrelation theory. In this paper, we study the decorrelation order of the multidimensional linear and truncated differential attacks. In particular, we show that a cipher is protected against multidimensional linear attacks if it is decorrelated of order two. Some elements of the proof are related to the link between multidimensional linear attacks and truncated differential attacks which was discovered by Blondeau and Nyberg [9, 10]. Using the result obtained for a special truncated differential distinguisher, we have been able to determine that truncated differential attacks involving a large number of input differences are also decorrelated of order two. Using the decorrelation theory, we provide in this paper, for the first time, an intuition on the power of truncated differential and multidimensional linear attacks as a function of the number of differentials or linear approximations used in the attack.
Outline. In Sect. 2, we recall some basic definitions and previous works in the context of the decorrelation theory. In Sect. 3 we study the multidimensional linear attack in this context. In Sect. 4, we study the decorrelation order of the truncated differential attack. In Sect. 5, we provide some improvements of the previous results for the well-known differential, linear, differential-linear and boomerang attacks. Section 6 concludes this paper.
2 Preliminaries
2.1 Statistical Attacks
We recall in this section some basic definitions related to the statistical attacks studied in this paper.
Throughout this paper, the square correlation at point \(v=(\alpha ,\beta )\in \mathbb {F}_2^{2\ell }\) will be denoted by \(\mathsf {LP}^\mathsf {Enc}(v)\) and corresponds to \(\mathsf {LP}^\mathsf {Enc}(v)=\mathsf {cor}^2(\alpha ,\beta )\).
For the generalizations of linear cryptanalysis, such as multidimensional linear cryptanalysis [14], a quantity C, called capacity, is used for evaluating the nonuniformity of the set of linear approximations.
Theorem 1
Proof
2.2 The Decorrelation Theory
We consider a permutation \(\mathsf {Enc}\) over \(\{0,1\}^\ell \). Sometimes, \(\mathsf {Enc}\) will be a random permutation with uniform distribution and will be denoted by \(C^*\). Sometimes, it will be a permutation defined by a random key K and will be denoted by \(C_K\).
Theorem 2
(Best advantage and decorrelation, Theorems 10–11 of [21]). The \(\Vert \cdot \Vert _{\infty }\)-decorrelation of order d of \(C_K\), \(\Vert [C_K]^d-[C^*]^d\Vert _{\infty }\), is twice the best advantage of a non-adaptive unbounded distinguisher between \(C_K\) and \(C^*\) which is allowed to make d encryption queries.
The \(\Vert \cdot \Vert _a\)-decorrelation of order d of \(C_K\), \(\Vert [C_K]^d-[C^*]^d\Vert _a\), is twice the best advantage of an adaptive unbounded distinguisher between \(C_K\) and \(C^*\) which is allowed to make d encryption queries.
For instance, decorrelation of order \(d=2\) corresponds to the fact that \(\Pr [y_1=C_K(x_1),y_2=C_K(x_2)]\) is always close to \(\frac{1}{2^\ell (2^\ell -1)}\) for \(x_1\ne x_2\) and \(y_1\ne y_2\). This is the notion of pairwise independence by Wegman and Carter [23].
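As an added illustration of Theorem 2 and of pairwise independence (not code from the paper), the following script brute-forces \(\Vert [C_K]^d-[C^*]^d\Vert _{\infty }\) for two constructed toy families over \(\{0,1\}^3\): the affine family \(x\mapsto ax+b\) over \(\mathrm{GF}(8)\), which is pairwise independent, and the key-XOR family \(x\mapsto x\oplus k\), which a two-query distinguisher separates from \(C^*\).

```python
"""Added example (not from the paper): brute-force evaluation of the
order-d decorrelation ||[C_K]^d - [C^*]^d||_inf of Theorem 2 for ell = 3.
Rows are d-tuples of plaintexts, columns d-tuples of ciphertexts, and the
infinity norm is the largest row sum of absolute differences."""
from collections import Counter
from fractions import Fraction
import itertools

ELL = 3            # block size in bits (constructed toy value)
N = 1 << ELL       # 8 possible blocks

def gf8_mul(a, b):
    """Multiply in GF(2^3) modulo x^3 + x + 1 (constructed irreducible)."""
    r = 0
    for _ in range(ELL):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & N:
            a ^= 0b1011
    return r

def affine_family():
    """x -> a*x + b over GF(8) with a != 0: a pairwise independent family."""
    return [tuple(gf8_mul(a, x) ^ b for x in range(N))
            for a in range(1, N) for b in range(N)]

def xor_family():
    """x -> x XOR k: a family that order-2 decorrelation catches."""
    return [tuple(x ^ k for x in range(N)) for k in range(N)]

def ideal_prob(xs, ys):
    """Pr[C*(x_i) = y_i for all i] for a uniformly random permutation C*."""
    fwd, bwd = {}, {}
    for x, y in zip(xs, ys):
        # impossible for a permutation: one x to two y's, or two x's to one y
        if fwd.setdefault(x, y) != y or bwd.setdefault(y, x) != x:
            return Fraction(0)
    p = Fraction(1)
    for i in range(len(fwd)):   # 1 / (N (N-1) ... (N-m+1)) for m distinct x's
        p /= N - i
    return p

def decorrelation(family, d):
    """||[C_K]^d - [C^*]^d||_inf with K uniform over the family."""
    nkeys = len(family)
    best = Fraction(0)
    for xs in itertools.product(range(N), repeat=d):
        # distribution of the ciphertext d-tuple over the key, for this row
        hits = Counter(tuple(perm[x] for x in xs) for perm in family)
        row = sum(abs(Fraction(hits.get(ys, 0), nkeys) - ideal_prob(xs, ys))
                  for ys in itertools.product(range(N), repeat=d))
        best = max(best, row)
    return best

def best_advantage(family, d):
    """Theorem 2: the best non-adaptive d-query advantage is half the norm."""
    return decorrelation(family, d) / 2

if __name__ == "__main__":
    for name, fam in (("affine", affine_family()), ("xor", xor_family())):
        for d in (1, 2, 3):
            print(f"{name:6s} d={d}: norm = {decorrelation(fam, d)}")
```

The affine family has zero decorrelation of order 1 and 2 but not of order 3, while the XOR family already has order-2 norm 12/7, i.e. a two-query distinguisher with advantage 6/7.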
We review some general security results below.
Theorem 3
Note that it was proven in [6, 7] that we cannot have a general security result when \(\delta \) is high or when we only have a decorrelation of order \(2d-1\).
Theorem 3 was generalized in [19] to the case where the range of T has s elements instead of 2:
Theorem 4
Theorem 5
In what follows we give tighter results for specific classes of iterated attacks for which we can get rid of \(\delta \) and sometimes rely on a lower decorrelation order.
2.3 Previous Results in the Context of Decorrelation Theory
To obtain the decorrelation order as well as the order of the different statistical attacks, we have to describe the distinguishers we are working with. In this section, we describe the differential, linear, differential-linear and boomerang attacks, and recall the different results obtained for these distinguishers. A comparison with the results obtained for the multidimensional linear and truncated differential attacks will be presented later in this paper.
Theorem 6
Theorem 7
Theorem 8
These results say that if a cipher is decorrelated to the order 4, it is protected against differential-linear cryptanalysis. It was further proven in [1, pp. 77–78] that some ciphers decorrelated to the order 3 can have a high advantage with DL, which means that decorrelation of order 4 is really what is needed.
Remark 9
The result from [7] was stated for a function f based on a counter \(b_1+\cdots +b_n\) but it is easy to see that the proof holds for a more general f as it is very similar to that of Theorem 7.
Theorem 10
It was further proven in [1, pp. 79–80] that some ciphers decorrelated to the order 3 can have a high advantage with Boo. We deduce that decorrelation of order 4 is really what is needed.
A summary of the results presented in this section (and new ones) is given in Table 1.
3 Multidimensional Linear Cryptanalysis
For \(\mathsf {Enc}\) fixed, all vectors \(b_i\) are independent and identically distributed. We let \(D_\mathsf {Enc}\) be the distribution of the vector \(b_i\).
We let V be the vector space spanned by the \((\alpha _j,\beta _j)\) masks. We recall that k denotes the dimension of V.
We note that if \(k>\ell \), there exists a Boolean function \(\mathsf {bit}(y)\) on the ciphertext and a mapping from \(b_i=(b_{i,1},\ldots ,b_{i,k})\) to \((x,\mathsf {bit}(y))\). For n relatively small, the vectors \((b_1,\ldots ,b_n)\) uniquely identify the key K. So, there exists a function f (maybe with high complexity) leading to a very high advantage. Hence, we cannot prove any security without a complexity assumption on f.
For \(k=\ell -\mathsf {cste}\), we could have cases in which there is a mapping from \(b_i\) to \((x_1,\ldots ,x_{k-1},\mathsf {bit}(y))\), leaving \(2^{\mathsf {cste}+1}\) possible values for x. We can eliminate keys for which none of these x lead to \(\mathsf {bit}(y)\). This eliminates a fraction \(2^{-2^{\mathsf {cste}+1}}\) of the keys. So, for n within the order of magnitude of \(2^{2^{\mathsf {cste}+1}}\), we uniquely determine the key. So, no information-theoretic security is feasible for these values of n.
Remark 11
(Relation with [14] and [10, 11]). In [14], the function f used to evaluate the multidimensional linear approximation is based on the \(\mathrm {LLR}\) or \(\chi ^2\) statistical test. In [10, 11], where the relation between the truncated differential and multidimensional linear key-recovery attacks is derived, the function f is based on the \(\chi ^2\) test.
Lemma 12
Proof
Lemma 13
Proof
Lemma 14
Proof
Thanks to Theorem 2, we have \(p^\mathsf {ML}_\mathsf {Enc}-p^\mathsf {ML}_{\mathsf {Enc}^*}\le \frac{1}{2}\Vert D_\mathsf {Enc}^{\otimes n}-D_{\mathsf {Enc}^*}^{\otimes n}\Vert _1\). Then, we have \(\Vert D_\mathsf {Enc}^{\otimes n}-D_{\mathsf {Enc}^*}^{\otimes n}\Vert _1\le n\Vert D_\mathsf {Enc}-D_{\mathsf {Enc}^*}\Vert _1\) due to Lemma 13. Next, we use \(\Vert D_\mathsf {Enc}-D_{\mathsf {Enc}^*}\Vert _1\le 2^{\frac{k}{2}}\Vert D_\mathsf {Enc}-D_{\mathsf {Enc}^*}\Vert _2\) due to the Cauchy-Schwarz inequality. \(\square \)
Remark 15
Lemma 16
Proof
We apply Theorem 1, Lemma 12, Lemma 14, and the triangle inequality \(\Vert D_\mathsf {Enc}-D_{\mathsf {Enc}^*}\Vert _2\le \Vert D_\mathsf {Enc}-U\Vert _2+\Vert D_{\mathsf {Enc}^*}-U\Vert _2\). \(\square \)
Lemma 17
Proof
\(E(p^\mathsf {STD}_{C_K})-E(p^\mathsf {STD}_{C^*})\) is the advantage of \(\mathsf {STD}\), a non-adaptive distinguisher limited to two queries. We conclude by using Theorem 2. \(\square \)
Lemma 18
Proof
Theorem 19
Proof
4 Truncated Differential Attack
Lemma 20
Proof
Theorem 21
Proof
Remark 22
The critical term for ML in Theorem 19 is \(n^2 2^{k-1}\Vert [C_K]^2-[C^*]^2\Vert _{\infty }\). The one for TD in Theorem 21 is \(n 2^{s-1}\Vert [C_K]^2-[C^*]^2\Vert _{\infty }\). Presumably, we have lost a factor n in Theorem 19 and the difference between ML and TD should only be k vs. s, the dimension of V vs. the one of \(V_\mathsf {in}\).
Remark 23
For \(s=\ell -1\) and \(q=1\), \(V_\mathsf {in}^\perp \) has a single nonzero vector (which can be seen as a difference vector \(\varDelta \)) and \(V_\mathsf {out}\) has a single nonzero vector (which can be seen as a mask \(\varGamma \)). However, our bound is useless in that case since \(2^{1+s-\ell }=1\). Here, we used again the loose bound of Lemma 13, but changing n into \(\sqrt{n}\) would not change this fact. Actually, TD becomes equivalent to DL in this case, and it is known that 4-decorrelation is needed to protect against DL [1]. Since our TD-security result uses 2-decorrelation, improving this bound to get a more useful one in the case of DL would require using 4-decorrelation. Except for the equivalence to DL, these observations extend to all values of q.
5 Improvement of Previous Results
5.1 Improvement in the Linear and Differential-Linear Contexts
If \(\Vert [C_K]^2-[C^*]^2\Vert _{\infty }\approx 2^{-\ell }\), the bound derived in Theorem 7 for linear attacks is approximately equal to \(3(1+\sqrt[3]{2})\sqrt[3]{n2^{-\ell }}\) and is useful only if the attacker can take advantage of up to \(2^\ell /311\) plaintext-ciphertext pairs. For a 64-bit cipher, this corresponds to attacks with data complexity less than \(2^{55.71}\). In this section we provide a new bound for linear attacks, useful for n up to \(2^\ell /24\), which is \(2^{59.42}\).
Theorem 7, which is given in Sect. 2.1, was originally derived in 2003 [21]. The following result improves the upper bound on \(E(p^\mathsf {LC}_{C_K})-E(p^\mathsf {LC}_{C^*})\). This improvement is obtained thanks to the Jensen inequality.
Theorem 24
Proof
Based on [21, Lemma 15], we know that there is some \(p_0\) such that for every \(\mathsf {Enc}\), we have \(p^\mathsf {Enc}-p_0\le 2\sqrt{n\mathsf {LP}^\mathsf {Enc}(a,b)}\).
To prove Theorem 7, the method used in [21] consisted in getting, for any A, that \(E(p^\mathsf {LC}_\mathsf {Enc})-p_0\le 2\cdot A \sqrt{n}+\frac{1}{A^2}E(\mathsf {LP}^\mathsf {Enc}(\alpha ,\beta ))\) and then in minimizing the sum in terms of A. In [21], \(A=n^{-\frac{1}{6}}\sqrt[3]{E(\mathsf {LP}^\mathsf {Enc}(\alpha ,\beta ))}\) was taken, to get \(E(p^\mathsf {LC}_\mathsf {Enc})-p_0\le 3\sqrt[3]{nE(\mathsf {LP}^\mathsf {Enc}(\alpha ,\beta ))}\).
To derive the improved bound, we instead use the Jensen inequality to obtain \(E(p^\mathsf {Enc})-p_0\le 2\sqrt{nE(\mathsf {LP}^\mathsf {Enc}(\alpha ,\beta ))}\).
In the same way, the bound derived for the differential-linear attack in Theorem 8 is approximately equal to \(3(\sqrt[3]{3}+\sqrt[3]{2})\sqrt[3]{n2^{-\ell }}\) and is useful for an attacker who can take advantage of up to \(2^\ell /532\) plaintext-ciphertext pairs. Using the same technique, namely the Jensen inequality, we can improve Theorem 8 and derive a new bound in the differential-linear context which is valid for any attack using up to \(2^{\ell }/39\) plaintext-ciphertext pairs.
Theorem 25
5.2 In the Context of Differential and Boomerang Attacks, Extension of Theorems 6 and 10
Lemma 26
Let \(p_\mathsf {Enc}\) be a probability depending on a cipher \(\mathsf {Enc}\). We have \(|E(p^\mathsf {Dist}_{C_K})-E(p^\mathsf {Dist}_{C^*})| \le n\cdot \max (E(p_{C_K}),E(p_{C^*}))\).
Proof
If \(f(0,\ldots ,0)=0\), then \(p^\mathsf {Dist}_\mathsf {Enc}\le np_\mathsf {Enc}\) and \(E(p^\mathsf {Dist}_{C_K})-E(p^\mathsf {Dist}_{C^*})\le E(p^\mathsf {Dist}_{C_K})\le nE(p_{C_K})\). Similarly, we have \(E(p^\mathsf {Dist}_{C^*})-E(p^\mathsf {Dist}_{C_K})\le E(p^\mathsf {Dist}_{C^*})\le nE(p_{C^*})\), and the result holds in this case.
If \(f(0,\ldots ,0)=1\), we change f to \(1-f\) without changing \(|E(p^\mathsf {Dist}_{C^*})-E(p^\mathsf {Dist}_{C_K})|\) and go back to the previous case. \(\square \)
Differential Distinguisher. In Sect. 2.1, the differential distinguisher is defined for the particular Boolean function \(f(b_1,\ldots ,b_n)=\max _i b_i\). In practice, many differential attacks need more than one valid pair to distinguish the cipher from a random permutation. In this section we generalize this distinguisher to any Boolean function f.
Theorem 27
Proof
The proof is similar to the proof of Theorem 6 which can be found in [21, Theorem 13]. The difference is that we use Lemma 26 to get rid of the arbitrary f.
Boomerang Distinguisher. In the same way, we can improve the boomerang distinguisher by considering any Boolean function f. As for Theorem 10, we can prove the following result.
Theorem 28
6 Conclusion
we improved the bounds for the linear and differential-linear distinguishers (Theorems 7 and 8 are improved by Theorems 24 and 25, respectively);
we generalized the differential and boomerang distinguishers to allow an arbitrary function f (Theorems 6 and 10 are improved by Theorems 27 and 28, respectively);
we proved the security for multidimensional linear and truncated differential attacks with decorrelation (Theorems 19 and 21).
Table 1. The decorrelation order of some statistical attacks.
Attack | Decorrelation order | Type of attack | Attack order | Maximal n
Linear \(\mathsf {LC}\) | 2 | iterative | 1 | \(2^\ell \)
Differential \(\mathsf {DC}\) | 2 | iterative | 2 | \(2^\ell \)
Differential-linear \(\mathsf {DL}\) | 4 | iterative | 2 | \(2^{\ell -1}\)
Boomerang \(\mathsf {Boo}\) | 4 | adaptive, iterative | 4 | \(2^{\ell -1}\)
Multidimensional linear \(\mathsf {ML}\) | 2 | vector-iterative | 1 | \(2^{\frac{\ell -k}{2}}\)
Truncated differential \(\mathsf {TD}\) | 2 | iterative | 2 | \(2^{\ell -s-1}\)
References
1. Bay, A.: Provable Security of Block Ciphers and Cryptanalysis. PhD thesis no. 6220, EPFL (2014). http://library.epfl.ch/theses/?nr=6220
2. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)
3. Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002)
4. Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012)
5. Bay, A., Mashatan, A., Vaudenay, S.: Resistance against adaptive plaintext-ciphertext iterated distinguishers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 528–544. Springer, Heidelberg (2012)
6. Bay, A., Mashatan, A., Vaudenay, S.: Resistance against iterated attacks by decorrelation revisited. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 741–757. Springer, Heidelberg (2012)
7. Bay, A., Mashatan, A., Vaudenay, S.: Revisiting iterated attacks in the context of decorrelation. Crypt. Commun. 6, 279–311 (2014)
8. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)
9. Blondeau, C., Nyberg, K.: New links between differential and linear cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013)
10. Blondeau, C., Nyberg, K.: Links between truncated differential and multidimensional linear properties of block ciphers and underlying attack complexities. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 165–182. Springer, Heidelberg (2014)
11. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 411–430. Springer, Heidelberg (2015)
12. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)
13. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994)
14. Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional extension of Matsui's algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009)
15. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008. Springer, Heidelberg (1995)
16. Leander, G.: On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011)
17. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
18. Vaudenay, S.: Provable security for block ciphers by decorrelation. In: Morvan, M., Meinel, C., Krob, D. (eds.) STACS 1998. LNCS, vol. 1373. Springer, Heidelberg (1998)
19. Vaudenay, S.: Resistance against general iterated attacks. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 255–271. Springer, Heidelberg (1999)
20. Vaudenay, S.: Adaptive-attack norm for decorrelation and super-pseudorandomness. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 49–61. Springer, Heidelberg (2000)
21. Vaudenay, S.: Decorrelation: a theory for block cipher security. J. Crypt. 16(4), 249–286 (2003)
22. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, p. 156. Springer, Heidelberg (1999)
23. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)