Publication


Featured research published by Miia Hermelin.


Fast Software Encryption | 2009

Multidimensional Extension of Matsui's Algorithm 2

Miia Hermelin; Joo Yeon Cho; Kaisa Nyberg

Matsui's one-dimensional Alg. 2 can be used for recovering bits of the last round key of a block cipher. In this paper a truly multidimensional extension of Alg. 2 based on established statistical theory is presented. Two possible methods, an optimal method based on the log-likelihood ratio and a \(\chi^2\)-based goodness-of-fit test, are compared in theory and by practical experiments on reduced round Serpent. The theory of advantage by Selçuk is generalised to multiple dimensions, and the advantages and the data, time and memory complexities for both methods are derived.


Australasian Conference on Information Security and Privacy | 2008

Multidimensional Linear Cryptanalysis of Reduced Round Serpent

Miia Hermelin; Joo Yeon Cho; Kaisa Nyberg

Various authors have previously presented different approaches to exploiting multiple linear approximations to enhance linear cryptanalysis. In this paper we present a new truly multidimensional approach to generalise Matsui's Algorithm 1. We derive the statistical framework for it and show how to calculate multidimensional probability distributions based on correlations of one-dimensional linear approximations. The main advantage is that the assumption about statistical independence of linear approximations can be removed. Then we apply these new techniques to four rounds of the block cipher Serpent and show that the multidimensional approach is more effective in recovering key bits correctly than the previous methods that use a multiple of one-dimensional linear approximations.


International Conference on Information Security and Cryptology | 1999

Correlation Properties of the Bluetooth Combiner

Miia Hermelin; Kaisa Nyberg

In its intended usage the lengths of the key stream sequences produced by the Bluetooth stream cipher \(E_0\) are strictly limited. In this paper the importance of this limitation is proved by showing that the Bluetooth stream cipher with a 128-bit key can be broken in \(\mathcal{O}(2^{64})\) steps given an output key stream segment of length \(\mathcal{O}(2^{64})\). We also show how the correlation properties of the \(E_0\) combiner can be improved by making a small modification in the memory update function.


The Cryptographers' Track at the RSA Conference | 2010

Dependent linear approximations: the algorithm of Biryukov and others revisited

Miia Hermelin; Kaisa Nyberg

Biryukov et al. showed how it is possible to extend Matsui's Algorithm 1 to find several bits of information about the secret key of a block cipher. Instead of just one linear approximation, they used several linearly independent approximations that were assumed to be statistically independent. Biryukov et al. also suggested a heuristic enhancement to their method by adding more linearly and statistically dependent approximations. We study this enhancement and show that if all linearly dependent approximations with non-negligible correlations are used, the method of Biryukov et al. is the same as the convolution method presented in this paper. The data complexity of the convolution method can be derived without the assumption of statistical independence. Moreover, we compare the convolution method with the optimal ranking statistic, the log-likelihood ratio, and show that their data complexities have the same order of magnitude in practice. On the other hand, we show that the time complexity of the convolution method is smaller than for the other two methods.


International Conference on Information Security and Cryptology | 2009

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Joo Yeon Cho; Miia Hermelin; Kaisa Nyberg

In this paper, we present a new technique for Matsui's Algorithm 2 using multidimensional linear approximation. We show that the data complexity of the attack can be reduced significantly by our method even when the linear hull effect is present. We apply our method to the key recovery attack on 5-round Serpent and demonstrate that our attack is superior to previous attacks. We present evidence that it is theoretically possible to reduce the data complexity of the linear attack against 10-round Serpent by a factor of \(2^{20}\) when multiple approximations are used.


Information Theory Workshop | 2007

Multidimensional Walsh Transform and a Characterization of Bent Functions

Kaisa Nyberg; Miia Hermelin

In this paper, a multidimensional Walsh transform is used to obtain a characterization of vector-valued bent functions in terms of the value distributions of the translates of the function by linear functions.


Cryptography and Communications | 2012

Multidimensional linear distinguishing attacks and Boolean functions

Miia Hermelin; Kaisa Nyberg

Linear cryptanalysis and linear approximation methods in general are among the most important cryptanalysis methods for symmetric ciphers and their components. Recently, these methods have been extended to efficiently exploit multiple linear approximations simultaneously. It is known that high nonlinearity of Boolean functions and S-boxes is a desirable property and that bent functions offer the strongest resistance against cryptanalysis using single linear approximations. The goal of this paper is to investigate to what extent resistance against the multidimensional extension of the linear cryptanalysis method can be achieved. For this purpose some common highly nonlinear Boolean functions as well as a basic LFSR-based key stream generator using a nonlinear filter function are investigated.


International Conference on Information Security and Cryptology | 2009

Improved linear cryptanalysis of SOSEMANUK

Joo Yeon Cho; Miia Hermelin

The SOSEMANUK stream cipher is one of the finalists of the eSTREAM project. In this paper, we improve the linear cryptanalysis of SOSEMANUK presented at Asiacrypt 2008. We apply the generalized linear masking technique to SOSEMANUK and derive many linear approximations holding with correlations of up to \(2^{-25.5}\). We show that the data complexity of the linear attack on SOSEMANUK can be reduced by a factor of \(2^{10}\) if multiple linear approximations are used. Since SOSEMANUK claims 128-bit security, our attack would not be a real threat to the security of SOSEMANUK.


International Conference on Information Security and Cryptology | 1999

Correlation Properties of the Bluetooth Combiner Generator

Miia Hermelin; Kaisa Nyberg


IACR Cryptology ePrint Archive | 2011

Linear Cryptanalysis Using Multiple Linear Approximations

Miia Hermelin; Kaisa Nyberg
