Linear cryptanalysis method for DES cipher
EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
The Design of Rijndael
Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
ICICS '97 Proceedings of the First International Conference on Information and Communication Security
On the Complexity of Matsui's Attack
SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Differential Cryptanalysis of DES-like Cryptosystems
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
The First Experimental Cryptanalysis of the Data Encryption Standard
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA
FSE '02 Revised Papers from the 9th International Workshop on Fast Software Encryption
On Probability of Success in Linear and Differential Cryptanalysis
Journal of Cryptology
A Meet-in-the-Middle Attack on 8-Round AES
Fast Software Encryption
Impossible Differential Cryptanalysis of CLEFIA
Fast Software Encryption
New Impossible Differential Attacks on AES
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
Chai-Tea, Cryptographic Hardware Implementations of xTEA
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
An Improved Impossible Differential Attack on MISTY1
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Related-key rectangle attack on 36 rounds of the XTEA block cipher
International Journal of Information Security
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Improving the time complexity of Matsui's linear cryptanalysis
ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
Improving the efficiency of impossible differential cryptanalysis of reduced Camellia and MISTY1
CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
Another look at complementation properties
FSE'10 Proceedings of the 17th international conference on Fast software encryption
On unbiased linear approximations
ACISP'10 Proceedings of the 15th Australasian conference on Information security and privacy
Meet-in-the-middle attacks on reduced-round XTEA
CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
A weak key class of XTEA for a related-key rectangle attack
VIETCRYPT'06 Proceedings of the First international conference on Cryptology in Vietnam
Related-Key impossible differential attacks on 8-round AES-192
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
Biclique cryptanalysis of the full AES
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
The 128-bit blockcipher CLEFIA
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Impossible differential cryptanalysis of the lightweight block ciphers TEA, XTEA and HIGHT
AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
Security analysis of the lightweight block ciphers XTEA, LED and piccolo
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Generalization of Matsui's Algorithm 1 to linear hull for key-alternating block ciphers
Designs, Codes and Cryptography
Generalized Feistel networks revisited
Designs, Codes and Cryptography
Integral and multidimensional linear distinguishers with correlation zero
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Linear hulls with correlation zero and linear cryptanalysis of block ciphers
Designs, Codes and Cryptography
Information Processing Letters
| Hi-index | 0.00 |
Zero correlation linear cryptanalysis is a novel key recovery technique for block ciphers proposed in [5]. It is based on linear approximations with probability of exactly 1/2 (which corresponds to the zero correlation). Some block ciphers turn out to have multiple linear approximations with correlation zero for each key over a considerable number of rounds. Zero correlation linear cryptanalysis is the counterpart of impossible differential cryptanalysis in the domain of linear cryptanalysis, though having many technical distinctions and sometimes resulting in stronger attacks. In this paper, we propose a statistical technique to significantly reduce the data complexity using the high number of zero correlation linear approximations available. We also identify zero correlation linear approximations for 14 and 15 rounds of TEA and XTEA. Those result in key-recovery attacks for 21-round TEA and 25-round XTEA, while requiring less data than the full code book. In the single secret key setting, these are structural attacks breaking the highest number of rounds for both ciphers. The findings of this paper demonstrate that the prohibitive data complexity requirements are not inherent in the zero correlation linear cryptanalysis and can be overcome. Moreover, our results suggest that zero correlation linear cryptanalysis can actually break more rounds than the best known impossible differential cryptanalysis does for relevant block ciphers. This might make a security re-evaluation of some ciphers necessary in the view of the new attack.