Cryptology ePrint Archive: Report 2016/667

Multivariate Linear Cryptanalysis: The Past and Future of PRESENT

Andrey Bogdanov and Elmar Tischhauser and Philip S. Vejre

Abstract: Extensions of linear cryptanalysis making use of multiple approximations such as multidimensional linear cryptanalysis are an important tool in symmetric-key cryptanalysis, among others being responsible for the best known attacks on ciphers such as Serpent and PRESENT. At CRYPTO 2015, Huang et al. provided a refined analysis of the key-dependent capacity leading to a refined key equivalence hypothesis, however at the cost of additional assumptions. Their analysis was recently extended by Blondeau and Nyberg to also cover an updated wrong key randomization hypothesis, using similar assumptions. As a consequence, the effectiveness of multidimensional linear attacks seems significantly reduced, e.g. to only 24 rounds for PRESENT. It is therefore an important open problem how to take key dependent behaviour for both right and wrong keys into account without introducing other limiting assumptions in the process.

In this paper, we address this issue by proposing multivariate linear cryptanalysis as a new technique for using multiple linear approximations. Based on multivariate statistics and featuring a novel distinguishing technique based on quadratic discriminant analysis, it allows more realistic modelling of key dependence, while not relying on the limiting assumptions of previous work. Furthermore, it comes with a flexible signal/noise decomposition approach to allow for a realistic estimation of correlations. As an application of multivariate linear cryptanalysis, we provide attacks on 26 and 27 rounds (the latter marginally faster than exhaustive search) of PRESENT under much more realistic assumptions than previous work.

Category / Keywords: secret-key cryptography / linear cryptanalysis, multivariate, multidimensional cryptanalysis, key variance, PRESENT, key recovery, discriminant analysis, statistical attack

Date: received 29 Jun 2016, last revised 5 Jul 2016

Contact author: psve at dtu dk

Available format(s): PDF | BibTeX Citation

Note: Added acknowledgements and fixed minor typos.

Version: 20160705:125337 (All versions of this report)

Short URL: ia.cr/2016/667

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]