Linear cryptanalysis method for DES cipher. EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology.
An experiment on DES statistical cryptanalysis. CCS '96 Proceedings of the 3rd ACM conference on Computer and communications security.
Detection of Signals in Noise.
Linear Cryptanalysis Using Multiple Approximations. CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology.
Serpent: A New Block Cipher Proposal. FSE '98 Proceedings of the 5th International Workshop on Fast Software Encryption.
Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing).
On Probability of Success in Linear and Differential Cryptanalysis. Journal of Cryptology.
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent. Fast Software Encryption.
Multidimensional Linear Cryptanalysis of Reduced Round Serpent. ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy.
The Complexity of Distinguishing Distributions (Invited Talk). ICITS '08 Proceedings of the 3rd international conference on Information Theoretic Security.
Multidimensional Extension of Matsui's Algorithm 2. Fast Software Encryption.
The Independence of Linear Approximations in Symmetric Cryptanalysis. IEEE Transactions on Information Theory.
Improving the algorithm 2 in multidimensional linear cryptanalysis. ACISP'11 Proceedings of the 16th Australasian conference on Information security and privacy.
Cryptographic analysis of all 4 × 4-bit s-boxes. SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography.
Generalization of Matsui's Algorithm 1 to linear hull for key-alternating block ciphers. Designs, Codes and Cryptography.
Biryukov et al. showed how Matsui's Algorithm 1 can be extended to recover several bits of information about the secret key of a block cipher. Instead of a single linear approximation, they used several linearly independent approximations that were assumed to be statistically independent. Biryukov et al. also suggested a heuristic enhancement to their method: adding further approximations that are linearly and statistically dependent on the first ones. We study this enhancement and show that if all linearly dependent approximations with non-negligible correlations are used, the method of Biryukov et al. coincides with the convolution method presented in this paper. The data complexity of the convolution method can be derived without assuming statistical independence. Moreover, we compare the convolution method with the optimal ranking statistic, the log-likelihood ratio, and show that their data complexities have the same order of magnitude in practice. On the other hand, we show that the time complexity of the convolution method is smaller than that of the other two methods.