On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui’s Algorithm 2

  • Andrey Bogdanov
  • Elmar Tischhauser
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


This paper aims to improve the understanding of the complexities for Matsui’s Algorithm 2 — one of the most well-studied and powerful cryptanalytic techniques available for block ciphers today.

We start with the observation that the standard interpretation of the wrong key randomisation hypothesis needs adjustment. We show that it systematically neglects the varying bias for wrong keys. Based on that, we propose an adjusted statistical model and derive more accurate estimates for the success probability and data complexity of linear attacks which are demonstrated to deviate from all known estimates. Our study suggests that the efficiency of Matsui’s Algorithm 2 has been previously somewhat overestimated in the cases where the adversary attempts to use a linear approximation with a low bias, to attain a high computational advantage over brute force, or both. These cases are typical since cryptanalysts always try to break as many rounds of the cipher as possible by pushing the attack to its limit.
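As an added illustration (not code from the paper), the following Python toy models the wrong-key bias the paragraph above refers to: a constructed 8-bit cipher built from a seeded random S-box, Matsui's Algorithm 2 run over the full codebook for every last-round key guess, and the spread of the resulting wrong-key correlations, which the standard wrong key randomisation hypothesis takes to be exactly zero. The S-box, the two-layer cipher structure and the key values are assumptions of this example only.

```python
import random
SIZE = 1 << 8             # toy 8-bit block (constructed instance, not from the paper)
random.seed(2014)         # fixed seed so the toy S-box is reproducible
SBOX = list(range(SIZE))
random.shuffle(SBOX)      # random 8-bit S-box, not any real cipher's
INV = sorted(range(SIZE), key=SBOX.__getitem__)   # inverse S-box
def parity(v):
    return bin(v).count("1") & 1

def walsh(seq):
    """Fast Walsh-Hadamard transform of a +/-1 sequence of power-of-two length (returns a copy)."""
    t, h = list(seq), 1
    while h < len(t):
        for i in range(0, len(t), 2 * h):
            for j in range(i, i + h):
                t[j], t[j + h] = t[j] + t[j + h], t[j] - t[j + h]
        h *= 2
    return t

def best_sbox_approximation():
    """Masks (a, b) maximising |corr| of <a,x> ^ <b,SBOX[x]>, i.e. the largest LAT entry."""
    best = (0, 0, 0)
    for b in range(1, SIZE):
        t = walsh([1 - 2 * parity(b & SBOX[x]) for x in range(SIZE)])
        for a in range(1, SIZE):
            if abs(t[a]) > abs(best[2]):
                best = (a, b, t[a])
    return best[0], best[1], best[2] / SIZE

def encrypt(p, k0, k1, k2):
    """Toy cipher: two keyed S-box layers, then the last-round key k2 that Algorithm 2 guesses."""
    return SBOX[SBOX[p ^ k0] ^ k1] ^ k2

def algorithm2(a, b, k0, k1, k2):
    """Exact correlation of <a,P> ^ <b,S^-1(C ^ g)> for every guess g, over the full codebook."""
    pairs = [(p, encrypt(p, k0, k1, k2)) for p in range(SIZE)]
    corrs = {}
    for g in range(SIZE):
        agree = sum(1 for p, c in pairs if parity((a & p) ^ (b & INV[c ^ g])) == 0)
        corrs[g] = 2 * agree / SIZE - 1    # correlation = 2 * bias
    return corrs

def wrong_key_statistics(corrs, right_key):
    """Spread of wrong-key correlations; the standard hypothesis takes them all to be exactly 0."""
    wrong = [c for g, c in corrs.items() if g != right_key]
    return {"right": corrs[right_key],
            "wrong_nonzero": sum(1 for c in wrong if c != 0),
            "wrong_rms": (sum(c * c for c in wrong) / len(wrong)) ** 0.5,
            "wrong_max": max(abs(c) for c in wrong),
            "rank": sum(1 for c in wrong if abs(c) >= abs(corrs[right_key]))}
```

Because the full codebook is used, each per-guess correlation is exact, so the nonzero spread reported for the wrong keys is a property of the wrong-key permutations themselves rather than sampling noise; the `rank` entry counts how many wrong guesses score at least as well as the right key.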

Surprisingly, our approach also reveals the fact that the success probability is not a monotonically increasing function of the data complexity, and can decrease if more data is used. Using less data can therefore result in a more powerful attack.

A second assumption usually made in linear cryptanalysis is the key equivalence hypothesis, even though, due to the linear hull effect, the bias can depend heavily on the key. As a further contribution of this paper, we propose a practical technique that aims to take this into account.

All theoretical observations and techniques are accompanied by experiments with small-scale ciphers.


Keywords: Block ciphers, Linear cryptanalysis, Data complexity, Wrong key randomisation hypothesis, Key equivalence, Linear hull effect



The authors would like to thank Vincent Rijmen for fruitful discussions and the anonymous referees for their constructive comments.



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. Technical University of Denmark, Kongens Lyngby, Denmark
  2. KU Leuven and iMinds, Leuven, Belgium
