Dependent Linear Approximations: The Algorithm of Biryukov and Others Revisited

  • Miia Hermelin
  • Kaisa Nyberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)


Biryukov, et al., showed how it is possible to extend Matsui’s Algorithm 1 to find several bits of information about the secret key of a block cipher. Instead of just one linear approximation, they used several linearly independent approximations that were assumed to be statistically independent. Biryukov, et al., also suggested a heuristic enhancement to their method by adding more linearly and statistically dependent approximations.

We study this enhancement and show that if all linearly dependent approximations with non-negligible correlations are used, the method of Biryukov, et al., is the same as the convolution method presented in this paper. The data complexity of the convolution method can be derived without the assumption of statistical independence. Moreover, we compare the convolution method with the optimal ranking statistic log-likelihood ratio, and show that their data complexities have the same order of magnitude in practice. On the other hand, we show that the time complexity of the convolution method is smaller than for the other two methods.


Matsui’s Algorithm 1 linear cryptanalysis multidimensional cryptanalysis method of Biryukov convolution method 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
  2. 2.
    Burton, S., Kaliski, J., Robshaw, M.J.B.: Linear Cryptanalysis Using Multiple Approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994)Google Scholar
  3. 3.
    Biryukov, A., Cannière, C.D., Quisquater, M.: On Multiple Linear Approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004)Google Scholar
  4. 4.
    Murphy, S.: The Independence of Linear Approximations in Symmetric Cryptology. IEEE Transactions on Information Theory 52(12), 5510–5518 (2006)CrossRefMathSciNetGoogle Scholar
  5. 5.
    Hermelin, M., Nyberg, K., Cho, J.Y.: Multidimensional Linear Cryptanalysis of Reduced Round Serpent. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 203–215. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Statistical Tests for Key Recovery Using Multidimensional Extension of Matsui’s Algorithm 1. In: Joux, A. (ed.) EUROCRYPT 2009 - POSTER SESSION. LNCS, vol. 5479. Springer, Heidelberg (2009)Google Scholar
  7. 7.
    Vaudenay, S.: An experiment on DES statistical cryptanalysis. In: CCS 1996: Proceedings of the 3rd ACM conference on Computer and communications security, pp. 139–147. ACM, New York (1996)CrossRefGoogle Scholar
  8. 8.
    Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional Extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) Fast Software Encryption. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Gérard, B., Tillich, J.: On linear cryptanalysis with many linear approximations (2009)Google Scholar
  10. 10.
    Hermelin, M., Nyberg, K.: Multidimensional Linear Distinguishing Attacks and Boolean Functions. In: Fourth International Workshop on Boolean Functions: Cryptography and Applications (2008)Google Scholar
  11. 11.
    Cover, T.M., Thomas, J.A.: 11. Wiley Series in Telecommunications and Signal Processing. In: Elements of Information Theory, 2nd edn. Wiley Interscience, Hoboken (2006)Google Scholar
  12. 12.
    McDonough, R.N., Whalen, A.D.: 5. In: Detection of Signals in Noise, 2nd edn. Academic Press, London (1995)Google Scholar
  13. 13.
    Collard, B., Standaert, F.X., Quisquater, J.J.: Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 382–397. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Baignères, T., Vaudenay, S.: The Complexity of Distinguishing Distributions (Invited Talk). In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 210–222. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Baignères, T., Junod, P., Vaudenay, S.: How Far Can We Go Beyond Linear Cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)Google Scholar
  16. 16.
    Biham, E., Anderson, R., Knudsen, L.: Serpent: A New Block Cipher Proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 222–238. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  17. 17.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. Journal of Cryptology 21(1), 131–147 (2008)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Xiao, G.Z., Massey, J.L.: A Spectral Characterization of Correlation-Immune Combining Functions. IEEE Transactions on Information Theory 34(3), 569–571 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Rohatgi, V.K.: 6.7. Wiley Series in Probability and Mathematical Statistics. In: Statistical Inference, 1st edn. John Wiley & Sons, New York (1984)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Miia Hermelin
    • 1
  • Kaisa Nyberg
    • 1
    • 2
  1. 1.School of Science and TechnologyAalto University 
  2. 2.NokiaFinland

Personalised recommendations