Designs, Codes and Cryptography

, Volume 59, Issue 1–3, pp 3–34 | Cite as

Accurate estimates of the data complexity and success probability for various cryptanalyses

  • Céline Blondeau
  • Benoît Gérard
  • Jean-Pierre Tillich


Many attacks on encryption schemes rely on statistical considerations using plaintext/ciphertext pairs to find some information on the key. We provide here simple formulae for estimating the data complexity and the success probability which can be applied to a lot of different scenarios (differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, etc.). Our work does not rely here on Gaussian approximation which is not valid in every setting but use instead a simple and general approximation of the binomial distribution and asymptotic expansions of the beta distribution.


Statistical cryptanalysis Success probability Data complexity 

Mathematics Subject Classification (2000)



Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Vaudenay S.: Decorrelation: a theory for block cipher security. J. Cryptol. 16, 249–286 (2003)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Tardy-Corfdir A., Gilbert H.: A known plaintext attack of FEAL-4 and FEAL-6. In: CRYPTO ’91. LNCS, vol. 576, pp. 172–181. Springer-Verlag, Heidleberg (1992).Google Scholar
  3. 3.
    Matsui M.: Linear cryptanalysis method for DES cipher. In: EUROCRYPT ’93. LNCS, vol. 765, pp. 386–397. Springer-Verlag, Heidlberg (1993).Google Scholar
  4. 4.
    Matsui M.: The first experimental cryptanalysis of the data encryption standard. In: CRYPTO ’94. LNCS, vol. 839, pp. 1–11. Springer-Verlag, Heidleberg (1994).Google Scholar
  5. 5.
    Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4, 3–72 (1991)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Selçuk A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21, 131–147 (2008)CrossRefMATHGoogle Scholar
  7. 7.
    Lai X., Massey J.L., Murphy S.: Markov Ciphers and differential cryptanalysis. In: LNCS, vol. 547, pp. 17–38. Springer, Heidleberg (1991).Google Scholar
  8. 8.
    Knudsen L.R.: Truncated and higher order differentials. In: FSE ’94. LNCS, vol. 1008, pp. 196–211. Springer-Verlag, Heidleberg (1994).Google Scholar
  9. 9.
    Junod P.: On the optimality of linear, differential, and sequential distinguishers. In: EUROCRYPT ’03. LNCS, vol. 2656, pp. 17–32. Springer-Verlag, Heidleberg (2003).Google Scholar
  10. 10.
    Baignères T., Junod P., Vaudenay S.: How far can we go beyond linear cryptanalysis? In: ASIACRYPT ’04. LNCS, vol. 3329, pp. 432–450. Springer-Verlag, Heidleberg (2004).Google Scholar
  11. 11.
    Baignères T., Vaudenay S.: The complexity of distinguishing distributions. In: ICITS ’08. LNCS, vol. 5155, pp. 210–222. Springer-Verlag, Heidleberg (2008).Google Scholar
  12. 12.
    Junod P.: On the complexity of Matsui’s attack. In: SAC ’01. LNCS, vol. 2259, pp. 199–211. Springer-Verlag, Heidleberg (2001).Google Scholar
  13. 13.
    Junod P., Vaudenay S.: Optimal key ranking procedures in a statistical cryptanalysis. In: FSE ’03. LNCS, vol. 2887, pp. 235–246. Springer-Verlag, Heidleberg (2003).Google Scholar
  14. 14.
    Nyberg K.: Generalized Feistel networks. In: ASIACRYPT ’96. LNCS, vol. 1163, pp. 91–104. Springer-Verlag, Heidleberg (1996).Google Scholar
  15. 15.
    Harpes C., Kramer G., Massey J.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: EUROCRYPT ’95. LNCS, vol. 921, pp. 24–38. Springer-Verlag, Heidleberg (1995).Google Scholar
  16. 16.
    Cover T., Thomas J.: Information theory. Wiley series in communications. Wiley, New York (1991)Google Scholar
  17. 17.
    Arriata R., Gordon L.: Tutorial on large deviations for the binomial distribution. Bull. Math. Biol. 51, 125–131 (1989)MathSciNetGoogle Scholar
  18. 18.
    Langford S.K., Hellman M.E.: Differential-linear cryptanalysis. In: CRYPTO ’94. LNCS, vol. 839, pp. 17–25. Springer-Verlag, Heidleberg (1994).Google Scholar
  19. 19.
    Biham E., Shamir A.: Differential cryptanalysis of the full 16-round DES. In: CRYPTO’92. LNCS, vol. 740, pp. 487–496. Springer-Verlag, Heidleberg (1993).Google Scholar
  20. 20.
    Biham E., Biryukov A., Shamir A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT ’99. LNCS, vol. 1592, pp. 12–23. Springer-Verlag, Heidleberg (1999).Google Scholar
  21. 21.
    David H., Nagaraja H.: Order Statistics, third edn. Wiley series in Probability Theory. Wiley, New York (2003)Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Céline Blondeau
    • 1
  • Benoît Gérard
    • 1
  • Jean-Pierre Tillich
    • 1
  1. 1.INRIA project-team SECRETLe Chesnay CedexFrance

Personalised recommendations