On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui’s Algorithm 2
This paper aims to improve the understanding of the complexity estimates for Matsui's Algorithm 2, one of the most well-studied and powerful cryptanalytic techniques available for block ciphers today.
We start with the observation that the standard interpretation of the wrong key randomisation hypothesis needs adjustment. We show that it systematically neglects the fact that the bias observed for a wrong key is not exactly zero but varies from key to key. Based on that, we propose an adjusted statistical model and derive more accurate estimates for the success probability and data complexity of linear attacks, which are demonstrated to deviate from all known estimates. Our study suggests that the efficiency of Matsui's Algorithm 2 has previously been somewhat overestimated in the cases where the adversary attempts to use a linear approximation with a low bias, to attain a high computational advantage over brute force, or both. These cases are typical, since cryptanalysts always try to break as many rounds of the cipher as possible by pushing the attack to its limit.
Surprisingly, our approach also reveals that the success probability is not a monotonically increasing function of the data complexity and can decrease when more data is used. Using less data can therefore result in a more powerful attack.
A second assumption usually made in linear cryptanalysis is the key equivalence hypothesis, even though, due to the linear hull effect, the bias can depend heavily on the key. As a further contribution of this paper, we propose a practical technique that aims to take this into account.
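The following added example (not the paper's own code) makes the adjusted wrong-key model and its non-monotone success probability concrete. It assumes the usual Gaussian approximations: the empirical bias of the right key is N(ε, 1/(4N)); under the standard hypothesis a wrong key behaves like a random permutation, so its empirical bias is N(0, 1/(4N)); under the adjusted model the true bias of a wrong key is itself drawn from N(0, 2^(-n-2)) for an n-bit block, so its empirical bias is N(0, 1/(4N) + 2^(-n-2)). With Algorithm 2 ranking candidates by absolute bias and an advantage of a bits, the closed forms below follow from these assumptions by a standard Selçuk-style threshold argument; the precise statements in the paper may differ in detail. The parameter values (n = 16, k = 12, a = 8, ε = 2^-7.5) are chosen here for illustration.

```python
"""Success probability of Matsui's Algorithm 2: standard vs. adjusted
wrong-key model (illustrative example, not the paper's code).

Assumed model (see lead-in):
  right key:              e_R ~ N(eps, 1/(4N))
  wrong key, standard:    e_W ~ N(0,   1/(4N))
  wrong key, adjusted:    e_W ~ N(0,   1/(4N) + 2^(-n-2))
Advantage a: the right key must rank among the top 2^(k-a) of 2^k
candidates, i.e. beat all but a 2^-a fraction of the wrong keys.
"""
from math import sqrt
from statistics import NormalDist
import random

_PHI = NormalDist()  # standard normal: .cdf() and .inv_cdf()


def _quantile(a):
    """Threshold (in wrong-key standard deviations) exceeded in absolute
    value by only a 2^-a fraction of wrong keys."""
    return _PHI.inv_cdf(1.0 - 2.0 ** (-a - 1))


def success_probability(eps, n, N, a, adjusted=True):
    """P_S = Pr[right key ranked in the top 2^(k-a)], Gaussian approximation.
    Standard model: Phi(2 sqrt(N) eps - q).
    Adjusted model: Phi(2 sqrt(N) eps - sqrt(1 + N 2^-n) q)."""
    ratio = sqrt(1.0 + N * 2.0 ** (-n)) if adjusted else 1.0
    return _PHI.cdf(2.0 * sqrt(N) * eps - ratio * _quantile(a))


def non_monotone(eps, n, a):
    """Adjusted model: P_S eventually decreases in N iff
    2^(n/2 + 1) * eps < Phi^-1(1 - 2^-(a+1)).
    (Write x = N 2^-n; the argument of Phi is A sqrt(x) - q sqrt(1 + x)
    with A = 2^(n/2+1) eps, which is increasing for all x iff A >= q.)"""
    return 2.0 ** (n / 2 + 1) * eps < _quantile(a)


def best_data_complexity(eps, n, a):
    """Adjusted model: the N maximising P_S and the maximum P_S.
    Returns (None, 1.0) when P_S is monotone in N (more data always helps)."""
    q = _quantile(a)
    A = 2.0 ** (n / 2 + 1) * eps
    if A >= q:
        return None, 1.0
    x = A * A / (q * q - A * A)            # d/dx [A sqrt(x) - q sqrt(1+x)] = 0
    return x * 2.0 ** n, _PHI.cdf(-sqrt(q * q - A * A))


def simulate_success(eps, n, k, N, a, trials=200, seed=1):
    """Monte Carlo of the adjusted model: draw each wrong key's true bias,
    then its empirical estimate from N texts, and count how often the
    right key lands in the top 2^(k-a). (Seeded; constructed example.)"""
    rng = random.Random(seed)
    sd_est = sqrt(1.0 / (4.0 * N))        # sampling noise of the counter
    sd_bias = sqrt(2.0 ** (-n - 2))       # spread of true wrong-key biases
    cutoff = 2 ** (k - a)
    wins = 0
    for _ in range(trials):
        e_right = abs(rng.gauss(eps, sd_est))
        better = sum(
            1 for _ in range(2 ** k - 1)
            if abs(rng.gauss(rng.gauss(0.0, sd_bias), sd_est)) > e_right
        )
        wins += better < cutoff
    return wins / trials


if __name__ == "__main__":
    n, k, a, eps = 16, 12, 8, 2.0 ** -7.5   # illustrative parameters
    print("log2(N)  standard  adjusted")
    for e in range(14, 29, 2):
        N = 2 ** e
        print(f"{e:7d}  {success_probability(eps, n, N, a, False):8.4f}"
              f"  {success_probability(eps, n, N, a, True):8.4f}")
    print("non-monotone:", non_monotone(eps, n, a))
    print("best N, max P_S:", best_data_complexity(eps, n, a))
    print("MC  N=2^20:", simulate_success(eps, n, k, 2 ** 20, a))
    print("MC  N=2^26:", simulate_success(eps, n, k, 2 ** 26, a))
```

With these parameters the standard model promises near-certain success once N is around 2^20 texts, whereas the adjusted model peaks below 0.3 at roughly 2^20.6 texts and then decays towards zero as more data is used, because the wrong keys' own biases start to dominate the sampling noise. The Monte Carlo run reproduces the decline between 2^20 and 2^26.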
All theoretical observations and techniques are accompanied by experiments with small-scale ciphers.
Keywords: Block ciphers; Linear cryptanalysis; Data complexity; Wrong key randomisation hypothesis; Key equivalence; Linear hull effect