Designs, Codes and Cryptography, Volume 66, Issue 1–3, pp 175–193

Generalization of Matsui’s Algorithm 1 to linear hull for key-alternating block ciphers

  • Andrea Röck
  • Kaisa Nyberg


Abstract

We consider linear approximations of an iterated block cipher in the presence of several strong linear approximation trails. While the effect of such trails in Matsui’s Algorithm 2, also called the linear hull effect, has been previously studied by a number of authors, their effect on Matsui’s Algorithm 1 has not been investigated until now. The goal of this paper is to fill this gap and examine how to generalize Matsui’s Algorithm 1 to work also on linear hulls. We restrict to key-alternating ciphers and develop a mathematical framework for this kind of attack. The complexity of the attack increases with the number of linear trails that have a significant contribution to the correlation. We show how to reduce the number of trails, and thus the complexity, using related keys. Further, we illustrate our theory by experimental results on a reduced-round version of the block cipher PRESENT.
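The key dependence that the abstract refers to can be seen on a toy cipher. The Python below is an added illustration written for this page, not code from the paper or from its authors: it builds a key-alternating 8-bit cipher out of two PRESENT S-boxes, an assumed PRESENT-like bit shuffle and three round keys, enumerates every linear trail of a two-round hull (u, v), checks that the hull correlation measured on the full codebook equals the signed sum over the trails (the sign of each trail is a parity of round-key bits), and then runs Algorithm 1 on the whole hull: instead of deciding one key parity, it decides among the key classes defined by the vector of trail signs, keeping those whose predicted correlation matches the observation. The number of classes grows with the number of contributing trails, which is the complexity growth the abstract mentions. The block size, the shuffle `PERM`, the hull-selection rule `best_hull` and the key values are assumptions made for the demonstration; the S-box and its linear approximation table are PRESENT's.

```python
"""Linear hull of a toy key-alternating cipher: the hull correlation as a
key-dependent signed sum over trails, and Matsui's Algorithm 1 run on the hull.

Added example, not code from the paper.  Assumed toy cipher: 8-bit block, two
PRESENT S-boxes per round, a PRESENT-like bit shuffle, two S-box rounds and a
final whitening key (three 8-bit round keys).  Keys in main() are toy values."""
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
BLOCK, ROUNDS = 8, 2
PERM = [(2 * i) % 7 for i in range(7)] + [7]      # assumed shuffle: state bit i moves to PERM[i]
INV_PERM = [PERM.index(j) for j in range(BLOCK)]

def parity(x):
    return bin(x).count("1") & 1

def sbox_layer(x):
    return SBOX[x & 0xF] | (SBOX[x >> 4] << 4)

def permute(x, table=PERM):
    """Bit permutation of a state; applied to a mask it yields the mask on the permuted state."""
    return sum(1 << table[i] for i in range(BLOCK) if (x >> i) & 1)

def encrypt(x, keys):
    for i in range(ROUNDS):
        x = permute(sbox_layer(x ^ keys[i]))
    return x ^ keys[ROUNDS]

# LAT[a][b]: correlation of a.x = b.S(x) over one S-box (a multiple of 1/8)
LAT = [[sum((-1) ** (parity(a & x) ^ parity(b & SBOX[x])) for x in range(16)) / 16
        for b in range(16)] for a in range(16)]

def layer_corr(a, b):
    """Correlation of the two-S-box layer: product of the per-S-box correlations."""
    return LAT[a & 0xF][b & 0xF] * LAT[a >> 4][b >> 4]

_SUCC = {}
def successors(u):
    """S-box-layer output masks w reachable from input mask u with nonzero correlation."""
    if u not in _SUCC:
        _SUCC[u] = [(w, layer_corr(u, w)) for w in range(1 << BLOCK) if layer_corr(u, w)]
    return _SUCC[u]

def trails(u, v, rounds=ROUNDS):
    """All trails of the hull (u, v) as (masks u_0..u_rounds on the round keys, correlation)."""
    if rounds == 1:   # the last S-box layer must reach v through the final shuffle
        c = layer_corr(u, permute(v, INV_PERM))
        return [((u, v), c)] if c else []
    out = []
    for w, c in successors(u):
        for masks, c2 in trails(permute(w), v, rounds - 1):
            out.append(((u,) + masks, c * c2))
    return out

def trail_sign(masks, keys):
    """XOR of the round-key parities u_i.k_i along a trail; GF(2)-linear in the key."""
    return sum(parity(m & k) for m, k in zip(masks, keys)) & 1

def hull_corr_from_trails(tr, keys):
    """Key-alternating cipher: hull correlation = sum over trails of (-1)^sign * c_T."""
    return sum((-1) ** trail_sign(m, keys) * c for m, c in tr)

def empirical_corr(pairs, u, v):
    """Correlation measured on (plaintext, ciphertext) pairs; exact on the full codebook."""
    return sum((-1) ** (parity(u & p) ^ parity(v & c)) for p, c in pairs) / len(pairs)

def key_classes(tr):
    """Sign vectors (s_T) reachable over all keys: the image of the linear key map,
    spanned by its values on the unit key vectors."""
    gens = set()
    for r in range(ROUNDS + 1):
        for bit in range(BLOCK):
            unit = [1 << bit if i == r else 0 for i in range(ROUNDS + 1)]
            gens.add(tuple(trail_sign(m, unit) for m, _ in tr))
    span = {(0,) * len(tr)}
    for g in gens:
        span |= {tuple(a ^ b for a, b in zip(s, g)) for s in span}
    return span

def algorithm1(tr, observed):
    """Algorithm 1 on a hull: keep the key classes whose predicted correlation
    sum_T (-1)^{s_T} c_T lies closest to the observed correlation."""
    pred = {s: sum((-1) ** si * c for si, (_, c) in zip(s, tr)) for s in key_classes(tr)}
    best = min(abs(p - observed) for p in pred.values())
    return {s for s, p in pred.items() if abs(p - observed) <= best + 1e-12}

def best_hull():
    """Demo selection rule (assumed): input mask confined to S-box 0, hull with most trails."""
    return max(((u, v) for u in range(1, 16) for v in range(1, 1 << BLOCK)),
               key=lambda uv: len(trails(*uv)))

if __name__ == "__main__":
    random.seed(1)
    keys = [random.randrange(1 << BLOCK) for _ in range(ROUNDS + 1)]   # toy key
    u, v = best_hull()
    tr = trails(u, v)
    print(f"hull ({u:#04x}, {v:#04x}): {len(tr)} trails, {len(key_classes(tr))} key classes")
    pairs = [(x, encrypt(x, keys)) for x in range(1 << BLOCK)]   # full codebook: exact correlation
    obs = empirical_corr(pairs, u, v)
    print("observed", obs, "trail sum", hull_corr_from_trails(tr, keys))
    true_class = tuple(trail_sign(m, keys) for m, _ in tr)
    survivors = algorithm1(tr, obs)
    print(f"{len(survivors)} class(es) consistent; true class among them: {true_class in survivors}")
```

On a real block size the full codebook is replaced by N sampled pairs, `empirical_corr` becomes an estimate, and the nearest-class decision in `algorithm1` turns into a statistical test whose success depends on how far apart the predicted correlations of the classes lie; that is the regime the paper's framework is built for, and the toy only shows the algebra behind it.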


Keywords

Block cipher, Linear cryptanalysis, Linear hull, Key recovery, Matsui’s Algorithm 1



References

  1. Abramowitz M., Stegun I.A.: Handbook of Mathematical Functions With Formulas, Graphs, and Mathematical Tables, 10th edn. Dover, New York (1972)
  2. Baignères T., Vaudenay S.: The complexity of distinguishing distributions. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, pp. 210–222. Springer, Heidelberg (2008)
  3. Biham E., Anderson R., Knudsen L.: Serpent: A new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 222–238. Springer, Heidelberg (1998)
  4. Biryukov A., De Cannière C., Quisquater M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004)
  5. Bogdanov A., Wang M.: Zero correlation linear cryptanalysis with reduced data complexity. In: Canteaut, A. (ed.) FSE 2012. LNCS. Springer, to appear (2012)
  6. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  7. Collard B., Standaert F.X.: Experimenting linear cryptanalysis. In: Junod, P., Canteaut, A. (eds.) Advanced Linear Cryptanalysis of Block and Stream Ciphers. IOS Press (2011)
  8. Cover T.M., Thomas J.A.: Elements of Information Theory. Wiley-Interscience, New York (1991)
  9. Daemen J., Rijmen V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)
  10. Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, Heidelberg (2002)
  11. Daemen J., Govaerts R., Vandewalle J.: Correlation matrices. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 275–285. Springer, Heidelberg (1995)
  12. Hermelin M., Nyberg K.: Dependent linear approximations: the algorithm of Biryukov and others revisited. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 318–333. Springer, Heidelberg (2010)
  13. Leander G.: On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011)
  14. Levy B.C.: Principles of Signal Detection and Parameter Estimation. Springer, Heidelberg (2008)
  15. Matsui M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
  16. Murphy S.: The effectiveness of the linear hull effect. Report RHUL-MA-2009-19. Departmental Technical Report (2009)
  17. Nyberg K.: Linear approximation of block ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)
  18. Nyberg K.: Linear cryptanalysis using multiple linear approximations. Early Symmetric Crypto (ESC 2010) seminar, Remich, Luxembourg, 11–15 January 2010 (2011)
  19. Nyberg K., Hakala R.: A key-recovery attack on SOBER-128. In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Symmetric Cryptography, No. 07021 in Dagstuhl Seminar Proceedings. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2007)
  20. Shannon C.E., Weaver W.: The Mathematical Theory of Communication. University of Illinois Press, Urbana (1949)

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. Department of Information and Computer Science, Aalto University School of Science, Aalto, Finland
  2. Nokia Research Center, Nokia Group, Finland
