TY - GEN
T1 - A General Framework for the Related-Key Linear Attack Against Block Ciphers with Linear Key Schedules
AU - Lee, Jung Keun
AU - Koo, Bonwook
AU - Kim, Woo Hwan
N1 - Publisher Copyright:
© 2020, Springer Nature Switzerland AG.
PY - 2020
Y1 - 2020
N2 - We present a general framework for the related-key linear attack that can be applied to iterative block ciphers with linear key schedules. The attack utilizes a newly introduced related-key linear approximation that is obtained directly from a linear trail. The attack makes use of known related-key data consisting of triplets of a plaintext, a ciphertext, and a key difference such that the ciphertext is the encrypted value of the plaintext under the key that is the xor of the key to be recovered and the specified key difference. If such a block cipher has a linear trail with linear correlation it admits attacks with related-key data of size just as in the case of classical Matsui’s Algorithms. But since the attack makes use of related-key data, the attacker can use a linear trail with the squared correlation less than n being the block size, in case the key size is larger than n. Moreover, the standard key hypotheses seem to be appropriate even when the trail is not dominant, as validated by experiments. The attack can be applied in two ways. First, using a linear trail with squared correlation smaller than one can get an effective attack covering more rounds than existing attacks against some ciphers, such as Simon48/96, Simon64/128 and Simon128/256. Secondly, using a trail with large squared correlation, one can use related-key data for key recovery even when the data is not suitable for existing linear attacks.
KW - Linear cryptanalysis
KW - Linear key schedule
KW - Related-key attack
KW - Simon
UR - http://www.scopus.com/inward/record.url?scp=85079535798&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-38471-5_9
DO - 10.1007/978-3-030-38471-5_9
M3 - Conference contribution
AN - SCOPUS:85079535798
SN - 9783030384708
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 194
EP - 224
BT - Selected Areas in Cryptography – SAC 2019 - 26th International Conference, Revised Selected Papers
A2 - Paterson, Kenneth G.
A2 - Stebila, Douglas
PB - Springer
T2 - 26th International Conference on Selected Areas in Cryptography, SAC 2019
Y2 - 12 August 2019 through 16 August 2019
ER -