
Another Look at Differential-Linear Attacks

  • Conference paper
  • Selected Areas in Cryptography (SAC 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13742)

Abstract

Differential-Linear (DL) cryptanalysis is a well known cryptanalytic technique that combines differential and linear cryptanalysis. Over the years, multiple techniques were proposed to increase its strength. Two recent ones are: The partitioning technique by Leurent and the use of neutral bits adapted by Beierle et al. to DL cryptanalysis.

In this paper we compare these techniques and discuss the possibility of using them together to achieve the best possible DL attacks. We study the combination of these two techniques and show that in many cases they are indeed compatible. We demonstrate the strength of the combination in two ways. First, we present the first DL attack on 4-round Xoodyak and an extension to 5-round in the related key model. We show that the attacks are possible only by using these two techniques simultaneously. In addition, using the combination of the two techniques we improve a DL attack on 9-round DES. We show that the partitioning technique mainly reduces the time complexity, and the use of neutral bits mainly reduces the data complexity, while the combination of them reduces both the time and data complexities.

The first author was supported in part by the Center for Cyber, Law, and Policy in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office and by the Israeli Science Foundation through grants No. 880/18 and 3380/19.

The second author was supported by the European Research Council under the ERC starting grant agreement n. 757731 (LightCrypt), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by the President Scholarship for Ph.D. students at the Bar-Ilan University.


Notes

  1. We note that some works divide the cipher into three sub-ciphers \(E=E_1\circ E_m\circ E_0\) (e.g., [3, 11, 12, 13, 25, 26]). This is mostly done to better understand the transition between the two main sub-ciphers \(E_0,E_1\) and, most importantly, the dependencies between the two sub-ciphers. The emphasis of this paper is on the external rounds (rather than the internal rounds and the transition). Our results are independent of these works, and thus we use the simpler description of DL attacks. We note that both partitioning and neutral bits may still introduce subtle dependencies that affect the transition, and hence we experimentally verified our results whenever possible.

  2. A similar idea is used in the chosen-plaintext linear attack of Knudsen and Mathiassen on DES [20].

  3. More precisely, we show that each subset in the partitioning (which is defined according to the key material) determines a good value for the non-neutral bits. Without the combination, the distinguisher cannot be used for a key recovery attack.

  4. The partitioning can be applied to plaintexts, ciphertexts, or any other criterion. For example, in [22] the partitioning is also performed according to the values of the ciphertexts.

  5. It should be noted that not all the vectors in the linear subspace are always neutral (see [7], which discusses such examples). However, this is the scenario in all of the cases discussed here.

  6. A similar issue also affected chosen-plaintext linear cryptanalysis [20].

  7. The probability should be significantly higher than the differential's probability.

  8. This idea was used in [20].

  9. Liu et al. [24] present a 4-round rotational DL distinguisher with the highest possible bias of \(\frac{1}{2}\), without any attack that uses it. We give in the ePrint version the rotational DL distinguisher used by Liu et al. and recall that a rotational DL distinguisher is not a DL distinguisher.

  10. In detail, for each \(0\le i<128\), when the input difference is \((0,e_i,e_i)\), the best results occur for the output mask \((0,e_{32\cdot \lfloor \frac{i}{32}\rfloor + ((15+i) \bmod 32)},0)\). It should be noted that since the mask is in the second plane and only the first 64 bits of this plane are visible, we cannot use all 128 characteristics, but only the 64 characteristics for which \(0\le i<64\). However, this fact does not affect our analysis.

  11. All the experiments can be found at https://github.com/ArielWeizman/AW/blob/master/Xoodoo.

  12. In detail, for each \(0\le i < 128\), when the input difference is \((e_i,0,e_i)\), the best results occur for the output mask \((e_i,0,0)\).

  13. We note that the time complexity is about \(2^{12.82}\cdot 2\cdot 2^6\) single S-box evaluations, which is equivalent to about \(2^{13.82}\) 8-round encryptions.

  14. All the experiments can be found at https://github.com/ArielWeizman/AW/blob/master/DES.

  15. For attacks that need more plaintext pairs, we refer the reader to the chosen-plaintext linear cryptanalysis techniques suggested by Knudsen and Mathiassen [20].

  16. Since each plaintext pair that passes the differential characteristic has zero difference in the bits masked by \(\lambda _M\) (i.e., \((P\oplus P')\cdot \lambda _M = \varOmega _M \cdot \lambda _M = 0\)), the sign of the bias is necessarily positive.

References

  1. Data Encryption Standard. Federal Information Processing Standards Publication 46 (1977)

  2. Aumasson, J.-P., Fischer, S., Khazaei, S., Meier, W., Rechberger, C.: New features of Latin dances: analysis of Salsa, ChaCha, and Rumba. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 470–488. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_30

  3. Bar-On, A., Dunkelman, O., Keller, N., Weizman, A.: DLCT: a new tool for differential-linear cryptanalysis. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 313–342. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_11

  4. Beierle, C., Leander, G., Todo, Y.: Improved differential-linear attacks with applications to ARX ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_12

  5. Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3_8

  6. Biham, E., Carmeli, Y.: An improvement of linear cryptanalysis with addition operations with applications to FEAL-8X. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 59–76. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_4

  7. Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_18

  8. Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_16

  9. Biham, E., Dunkelman, O., Keller, N.: The rectangle attack: rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_21

  10. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

  11. Blondeau, C., Leander, G., Nyberg, K.: Differential-linear cryptanalysis revisited. J. Cryptol. 30(3), 859–888 (2017)

  12. Blondeau, C., Nyberg, K.: New links between differential and linear cryptanalysis. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 388–404. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_24

  13. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053450

  14. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018)

  15. Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Xoodyak, a lightweight cryptographic scheme. IACR Trans. Symmetric Cryptol. 2020(1), 60–87 (2020)

  16. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20

  17. Dey, S., Garai, H.K., Sarkar, S., Sharma, N.K.: Revamped differential-linear cryptanalysis on reduced round ChaCha. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 86–114. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_4

  18. Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptol. 27(4), 824–849 (2014)

  19. Kelsey, J., Kohno, T., Schneier, B.: Amplified boomerang attacks against reduced-round MARS and Serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_6

  20. Knudsen, L.R., Mathiassen, J.E.: A chosen-plaintext linear attack on DES. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 262–272. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_18

  21. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_3

  22. Leurent, G.: Improved differential-linear cryptanalysis of 7-round Chaskey with partitioning. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 344–371. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_14

  23. Liu, F., Isobe, T., Meier, W., Yang, Z.: Algebraic attacks on round-reduced Keccak/Xoodoo. IACR Cryptol. ePrint Arch., Report 2020/346 (2020)

  24. Liu, Y., Sun, S., Li, C.: Rotational cryptanalysis from a differential-linear perspective. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 741–770. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_26

  25. Liu, Z., Gu, D., Zhang, J., Li, W.: Differential-multiple linear cryptanalysis. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 35–49. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16342-5_3

  26. Lu, J.: A methodology for differential-linear cryptanalysis and its applications. Des. Codes Cryptogr. 77(1), 11–48 (2015)

  27. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

  28. Miyaguchi, S.: The FEAL cipher family. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 628–638. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_46

  29. Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_19

  30. Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_41

  31. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)

  32. Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12


Author information

Corresponding author: Ariel Weizman

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Dunkelman, O., Weizman, A. (2024). Another Look at Differential-Linear Attacks. In: Smith, B., Wu, H. (eds) Selected Areas in Cryptography. SAC 2022. Lecture Notes in Computer Science, vol 13742. Springer, Cham. https://doi.org/10.1007/978-3-031-58411-4_6


  • DOI: https://doi.org/10.1007/978-3-031-58411-4_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58410-7

  • Online ISBN: 978-3-031-58411-4

  • eBook Packages: Computer Science (R0)