Optimal Key Ranking Procedures in a Statistical Cryptanalysis

  • Pascal Junod
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


Hypothesis tests have been used before as a tool in cryptanalysis. In this paper we adopt this paradigm and define a precise and sound statistical framework for optimally combining the information on independent attacked subkey bits obtained from any kind of statistical cryptanalysis. In the context of linear cryptanalysis, we prove that the best combination rule consists of sorting the key candidates by decreasing weighted Euclidean norm of the bias vector.


Keywords: Key ranking; statistical cryptanalysis; Neyman-Pearson lemma; linear cryptanalysis
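The following is an added example, not code from the paper. It shows what "sorting key candidates by decreasing weighted Euclidean norm of the bias vector" means operationally when several independent subkey parts are each attacked with their own linear approximation. The weights are an assumption of this example: under a Gaussian model in which the empirical bias of the right candidate for part i is distributed as N(±ε_i, σ_i²) with σ_i² = 1/(4 N_i) and unknown sign, and wrong candidates give N(0, σ_i²), the log-likelihood ratio is Σ log cosh(ε_i ε̂_i / σ_i²), whose second-order approximation is a weighted squared Euclidean norm with w_i = (4 N_i ε_i)². The parity counters are simulated (constructed data), and the names `rank_candidates`, `gaussian_weights` and `rank_of_true_key` are this example's own, not the paper's.

```python
"""Key ranking by weighted Euclidean norm of the bias vector (constructed example)."""
import math
import random
from itertools import product


def empirical_bias(parities):
    """eps_hat = Pr[parity = 0] - 1/2, estimated from a list of 0/1 parity bits."""
    n = len(parities)
    return (n - sum(parities)) / n - 0.5


def gaussian_weights(theoretical_biases, sample_counts):
    """Weights w_i = (eps_i / sigma_i^2)^2 = (4 N_i eps_i)^2.

    Assumption of this example: eps_hat_i ~ N(+-eps_i, 1/(4 N_i)) for the right
    candidate (sign unknown) and N(0, 1/(4 N_i)) for a wrong one; the LLR
    sum(log cosh(eps_i * eps_hat_i / sigma_i^2)) is approximated by
    1/2 * sum(w_i * eps_hat_i^2), i.e. a weighted squared Euclidean norm.
    """
    return [(4 * n * e) ** 2 for e, n in zip(theoretical_biases, sample_counts)]


def weighted_norm(bias_vector, weights):
    """sqrt(sum_i w_i * eps_hat_i^2)."""
    return math.sqrt(sum(w * b * b for w, b in zip(weights, bias_vector)))


def rank_candidates(part_biases, weights):
    """part_biases[i][kappa] = empirical bias observed for candidate kappa of part i.

    Every full-key candidate is a tuple (kappa_1, ..., kappa_m); its bias vector
    is built from the per-part estimates and the list is returned sorted by
    decreasing weighted Euclidean norm (best candidate first).
    """
    scored = []
    for key in product(*[range(len(p)) for p in part_biases]):
        vec = [part_biases[i][kappa] for i, kappa in enumerate(key)]
        scored.append((weighted_norm(vec, weights), key))
    scored.sort(key=lambda t: -t[0])
    return [key for _, key in scored]


def simulate_part(rng, n_candidates, true_key, eps, n_samples):
    """Constructed counters for one subkey part: the right candidate sees parity
    bits with Pr[0] = 1/2 + s*eps (s = +-1 fixed by unknown key bits), every
    wrong candidate sees a fair coin (wrong-key randomisation assumption)."""
    sign = rng.choice([-1, 1])
    biases = []
    for kappa in range(n_candidates):
        p_zero = 0.5 + sign * eps if kappa == true_key else 0.5
        parities = [0 if rng.random() < p_zero else 1 for _ in range(n_samples)]
        biases.append(empirical_bias(parities))
    return biases


def rank_of_true_key(seed=1, true_key=(3, 9, 12), eps=(1 / 8, 1 / 16, 1 / 32),
                     n=(1000, 16000, 2000)):
    """Three independent 4-bit subkey parts with different biases and sample
    counts; returns the rank (1 = best) of the true full key under the weighted
    norm and under the plain (unweighted) Euclidean norm."""
    rng = random.Random(seed)
    parts = [simulate_part(rng, 16, k, e, m) for k, e, m in zip(true_key, eps, n)]
    weighted = rank_candidates(parts, gaussian_weights(eps, n))
    plain = rank_candidates(parts, [1.0] * len(eps))
    return weighted.index(true_key) + 1, plain.index(true_key) + 1


if __name__ == "__main__":
    rank_w, rank_p = rank_of_true_key()
    print(f"true key rank: weighted norm = {rank_w}, unweighted norm = {rank_p}")
```

The two strong parts (many samples, large bias) pin the true key down to the 16 candidates that differ only in the weak third part, so both rankings place it in the top 16; the weights matter when a part with a small theoretical bias but a large sample count must outvote a part with a large bias estimated from few samples, which the unweighted norm cannot express.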



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Pascal Junod (1)
  • Serge Vaudenay (1)

  1. Security and Cryptography Laboratory, Swiss Federal Institute of Technology, Lausanne, Switzerland
