On the Distribution of Linear Biases: Three Instructive Examples

Abdelraheem, Mohamed Ahmed; Ågren, Martin; Beelen, Peter; Leander, Gregor

doi:10.1007/978-3-642-32009-5_4

Cited by 23 publications

(26 citation statements)

References 21 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, by considering many trails in one approximation [24,25], the linear hull effect raises interesting discussions about fixed-key behaviors in single linear approximations [22,21]. Daemen et al gave a fixed-key probability distribution for single linear correlations [13], leading to subsequent works on e.g., fundamental assumptions [9], the effect of key schedules [1] and measures for data complexity [19], all for single linear attacks. However, we still do not understand the situation in multidimensional linear cryptanalysis.…”

Section: Introductionmentioning

confidence: 99%

Capacity and Data Complexity in Multidimensional Linear Attack

Huang

Vaudenay

Lai

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Multidimensional linear attacks are one of the most powerful variants of linear cryptanalytic techniques now. However, there is no knowledge on the key-dependent capacity and data complexity so far. Their values were assumed to be close to the average value for a vast majority of keys. This assumption is not accurate. In this paper, under a reasonable condition, we explicitly formulate the capacity as a Gamma distribution and the data complexity as an Inverse Gamma distribution, in terms of the average linear probability and the dimension. The capacity distribution is experimentally verified on the 5-round PRESENT. Regarding to complexity, we solve the problem of estimating the average data complexity, which was difficult to estimate because of the existence of zero correlations. We solve the problem of using the median complexity in multidimensional linear attacks, which is an open problem since proposed in Eurocrypt 2011. We also evaluate the difference among the median complexity, the average complexity and a lower bound of the average complexity -the reciprocal of average capacity. In addition, we estimate more accurately the key equivalent hypothesis, and reveal the fact that the average complexity only provides an accurate estimate for less than half of the keys no matter how many linear approximations are involved. Finally, we revisit the so far best attack on PRESENT based on our theoretical result.

show abstract

Section: Introductionmentioning

confidence: 99%

Capacity and Data Complexity in Multidimensional Linear Attack

Huang

Vaudenay

Lai

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Thus, since its maximum square correlation is limited to 2 −n+1 (cf. for example [AÅBL12] for details), any linear trail of the cubing function will have negligible potential after a few rounds.…”

Section: Security Analysismentioning

confidence: 99%

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Albrecht

Grassi

Rechberger

et al. 2016

Advances in Cryptology – ASIACRYPT 2016

130

View full text Add to dashboard Cite

Abstract. We explore cryptographic primitives with low multiplicative complexity. This is motivated by recent progress in practical applications of secure multi-party computation (MPC), fully homomorphic encryption (FHE), and zero-knowledge proofs (ZK) where primitives from symmetric cryptography are needed and where linear computations are, compared to non-linear operations, essentially "free". Starting with the cipher design strategy "LowMC" from Eurocrypt 2015, a number of bitoriented proposals have been put forward, focusing on applications where the multiplicative depth of the circuit describing the cipher is the most important optimization goal. Surprisingly, albeit many MPC/FHE/ZK-protocols natively support operations in GF(p) for large p, very few primitives, even considering all of symmetric cryptography, natively work in such fields. To that end, our proposal for both block ciphers and cryptographic hash functions is to reconsider and simplify the round function of the Knudsen-Nyberg cipher from 1995. The mapping F (x) := x 3 is used as the main component there and is also the main component of our family of proposals called "MiMC". We study various attack vectors for this construction and give a new attack vector that outperforms others in relevant settings.Due to its very low number of multiplications, the design lends itself well to a large class of new applications, especially when the depth does not matter but the total number of multiplications in the circuit dominates all aspects of the implementation. With a number of rounds which we deem secure based on our security analysis, we report on significant performance improvements in a representative use-case involving SNARKs.

show abstract

“…Then, the major parameter investigated in this paper is the variance of the distribution of the correlation, which corresponds to the average square correlation. The way it affects the complexity of linear cryptanalysis is discussed for instance in [40,19,38,33,1].…”

Section: Substitution-permutation Networkmentioning

confidence: 99%

On the Behaviors of Affine Equivalent Sboxes Regarding Differential and Linear Attacks

Canteaut

Roué

2015

Advances in Cryptology -- EUROCRYPT 2015

View full text Add to dashboard Cite

To cite this version:Anne Canteaut, Joëlle Roué. On the behaviors of affine equivalent Sboxes regarding differential and linear attacks. Abstract. This paper investigates the effect of affine transformations of the Sbox on the maximal expected differential probability MEDP and linear potential MELP over two rounds of a substitution-permutation network, when the diffusion layer is linear over the finite field defined by the Sbox alphabet. It is mainly motivated by the fact that the 2-round MEDP and MELP of the AES both increase when the AES Sbox is replaced by the inversion in F 2 8 . Most notably, we give new upper bounds on these two quantities which are not invariant under affine equivalence. Moreover, within a given equivalence class, these new bounds are maximal when the considered Sbox is an involution. These results point out that different Sboxes within the same affine equivalence class may lead to different two-round MEDP and MELP. In particular, we exhibit some examples where the basis chosen for defining the isomorphism between F m 2 and F2m affects these values. For Sboxes with some particular properties, including all Sboxes of the form A(x s ) as in the AES, we also derive some lower and upper bounds for the 2-round MEDP and MELP which hold for any MDS linear layer.

show abstract

On the Distribution of Linear Biases: Three Instructive Examples

Cited by 23 publications

References 21 publications

Capacity and Data Complexity in Multidimensional Linear Attack

Capacity and Data Complexity in Multidimensional Linear Attack

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

On the Behaviors of Affine Equivalent Sboxes Regarding Differential and Linear Attacks

Contact Info

Product

Resources

About