Resistance against Iterated Attacks by Decorrelation Revisited

  • Aslı Bay
  • Atefeh Mashatan
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


An iterated attack is run by an adversary who, in each of several iterations, makes d plaintext queries and uses the answers to compute one bit; the final decision, distinguishing a random cipher C from the ideal random cipher \(C^*\), is taken from all of these bits. In EUROCRYPT '99, Vaudenay showed that a cipher decorrelated to the order 2d resists iterated attacks of order d provided that different iterations make almost no common queries. He then asked, first, what the necessary conditions are for a cipher to resist a non-adaptive iterated attack of order d. Secondly, he speculated that repeating a plaintext query in different iterations gives no advantage to a non-adaptive distinguisher. We close these two long-standing open problems here.

We show that, in order to resist non-adaptive iterated attacks of order d, decorrelation of order \(2d-1\) is not sufficient. We do this by exhibiting a counterexample: a cipher decorrelated to the order \(2d-1\) together with a successful non-adaptive iterated attack of order d against it.

Moreover, we prove that the second claim is wrong by showing that a higher probability of a common query between different iterations can translate into a high advantage for the adversary in distinguishing C from \(C^*\). We provide a counterintuitive example of a cipher decorrelated to the order 2d that is broken by an iterated attack of order 1 whose iterations have a high probability of common queries.
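As an added illustration, not part of the paper's abstract, here are the standard definitions from Vaudenay's decorrelation theory [Vau03] that the statements above rely on, together with the shape of an iterated attack of order d. The symbols \(\mathcal{D}\), \(T\) and \(\mathcal{A}\) below are generic names for the attack's query distribution, iteration test and final decision rule, chosen here for exposition.

For a cipher C over a message space of size N and an integer d, the d-wise distribution matrix of C and its decorrelation of order d are

\[
[C]^d_{(x_1,\dots,x_d),(y_1,\dots,y_d)}
  = \Pr_C\big[C(x_1)=y_1,\ \dots,\ C(x_d)=y_d\big],
\qquad
\mathrm{Dec}^d(C) = \big\|\,[C]^d - [C^*]^d\,\big\|,
\]

where the probability is over the key of C, \([C^*]^d\) is the same matrix for a uniformly random permutation \(C^*\), and \(\|\cdot\|\) is a matrix norm (\(|||\cdot|||_\infty\) for non-adaptive attacks, \(\|\cdot\|_a\) for adaptive ones). C is decorrelated to the order d when \([C]^d = [C^*]^d\), i.e. any d queries to C are answered with exactly the distribution \(C^*\) would give. For pairwise distinct \(x_1,\dots,x_d\) that reference distribution is

\[
[C^*]^d_{(x_1,\dots,x_d),(y_1,\dots,y_d)} =
\begin{cases}
\dfrac{1}{N(N-1)\cdots(N-d+1)} & \text{if } y_1,\dots,y_d \text{ are pairwise distinct},\\[6pt]
0 & \text{otherwise.}
\end{cases}
\]

An iterated attack of order d with n iterations against an oracle \(O\in\{C,C^*\}\) proceeds as

\[
\text{for } i=1,\dots,n:\quad
X_i=(X_i^1,\dots,X_i^d)\leftarrow\mathcal{D},\quad
Y_i^j = O(X_i^j),\quad
T_i = T(X_i,Y_i)\in\{0,1\};
\qquad
\text{output } \mathcal{A}(T_1,\dots,T_n),
\]

\[
\mathrm{Adv} = \big|\Pr[\mathcal{A}^{C}=1]-\Pr[\mathcal{A}^{C^*}=1]\big| .
\]

In the non-adaptive case each \(X_i\) is drawn from \(\mathcal{D}\) independently of earlier answers, and iterations \(i\neq i'\) have a common query when \(X_i^j = X_{i'}^{j'}\) for some \(j,j'\). The order 2d in the EUROCRYPT '99 result comes from the fact that the joint distribution of a pair of iteration bits \((T_i,T_{i'})\) is fixed by \([C]^{2d}\): decorrelation of order 2d makes these pairs identically distributed under C and \(C^*\), which is what bounds the advantage as long as the two iterations' queries do not coincide. The abstract's second result shows that this last proviso cannot be dropped.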




  1. [AGM02]
    Alon, N., Goldreich, O., Mansour, Y.: Almost k-wise independence versus k-wise independence. Electronic Colloquium on Computational Complexity (ECCC) 9(048) (2002)
  2. [BF06a]
    Baignères, T., Finiasz, M.: Dial C for Cipher. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 76–95. Springer, Heidelberg (2007)
  3. [BF06b]
    Baignères, T., Finiasz, M.: KFC - The Krazy Feistel Cipher. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 380–395. Springer, Heidelberg (2006)
  4. [BV05]
    Baignères, T., Vaudenay, S.: Proving the Security of AES Substitution-Permutation Network. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 65–81. Springer, Heidelberg (2006)
  5. [CV94]
    Chabaud, F., Vaudenay, S.: Links between Differential and Linear Cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)
  6. [CW79]
    Carter, L., Wegman, M.N.: Universal Classes of Hash Functions. Journal of Computer and System Sciences 18(2), 143–154 (1979)
  7. [CW81]
    Carter, L., Wegman, M.N.: New Hash Functions and Their Use in Authentication and Set Equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)
  8. [Hoe62]
    Hoeffding, W.: Probability Inequalities for Sums of Bounded Random Variables (1962)
  9. [LR85]
    Luby, M., Rackoff, C.: How to Construct Pseudo-random Permutations from Pseudo-random Functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986)
  10. [LR86]
    Luby, M., Rackoff, C.: Pseudo-random Permutation Generators and Cryptographic Composition. In: Hartmanis, J. (ed.) STOC, pp. 356–363. ACM (1986)
  11. [Lub86]
    Luby, M.: A Simple Parallel Algorithm for the Maximal Independent Set Problem. SIAM J. Comput. 15(4), 1036–1053 (1986)
  12. [NN90]
    Naor, J., Naor, M.: Small-bias Probability Spaces: Efficient Constructions and Applications. In: Ortiz, H. (ed.) STOC, pp. 213–223. ACM (1990)
  13. [Nyb91]
    Nyberg, K.: Perfect Nonlinear S-Boxes. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 378–386. Springer, Heidelberg (1991)
  14. [PV98]
    Poupard, G., Vaudenay, S.: Decorrelated Fast Cipher: An AES Candidate Well Suited for Low Cost Smart Card Applications. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 254–264. Springer, Heidelberg (2000)
  15. [Vau98a]
    Vaudenay, S.: Feistel Ciphers with \(L_2\)-Decorrelation. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 1–14. Springer, Heidelberg (1999)
  16. [Vau98b]
    Vaudenay, S.: Provable Security for Block Ciphers by Decorrelation. In: Morvan, M., Meinel, C., Krob, D. (eds.) STACS 1998. LNCS, vol. 1373, pp. 249–275. Springer, Heidelberg (1998)
  17. [Vau99a]
    Vaudenay, S.: On Probable Security for Conventional Cryptography. In: Song, J.S. (ed.) ICISC 1999. LNCS, vol. 1787, pp. 1–16. Springer, Heidelberg (2000)
  18. [Vau99b]
    Vaudenay, S.: Resistance Against General Iterated Attacks. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 255–271. Springer, Heidelberg (1999)
  19. [Vau00]
    Vaudenay, S.: Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 49–61. Springer, Heidelberg (2000)
  20. [Vau03]
    Vaudenay, S.: Decorrelation: A Theory for Block Cipher Security. J. Cryptology 16(4), 249–286 (2003)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. EPFL, Lausanne, Switzerland
