Noname manuscript No.
(will be inserted by the editor)
Variants of Differential and Linear Cryptanalysis
Mehak Khurana · Meena Kumari
Received: date / Accepted: date
Abstract Block cipher is in vogue due to its require-
ment for integrity, confidentiality and authentication.
Differential and Linear cryptanalysis are the basic tech-
niques on block cipher and till today many cryptana-
lytic attacks are developed based on these. Each variant
of these have different methods to find distinguisher and
based on the distinguisher, the method to recover key.
This paper illustrates the steps to find distinguisher and
steps to recover key of all variants of differential and lin-
ear attacks developed till today. This is advantageous
to cryptanalyst and cryptographer to apply various at-
tacks simultaneously on any crypto algorithm.
Keywords Boomerang · Differential Cryptanalysis ·
Higher Order · Impossible · Integral · Linear crypt-
analysis · Rectangle · Related Key · Truncated · Zero
Correlation
1 Introduction
Block cipher is one of the cryptographic techniques which
are used for integrity, confidentiality and authentica-
tion mechanism. Designing a cipher which is secure
and immune to all present day attacks is a challenging
task. Cryptanalyst has to find statistical and algebraic
technique based on mathematical weakness in design
with the aim to recover the secret key. Cryptanalytic
method consists of analyzing mathematical properties
of encryption algorithms with the aim to find the dis-
tinguishers which distinguishes the output distribution
ITM University
Gurgaon, India
E-mail: [email protected] based on the concept of higher order derivatives. Knud-
ITM University
Gurgaon, India
E-mail: [email protected] rest part is varied with all possibilities. In 1998 Eli Bi-
of cryptographic algorithms from uniform distribution.
Based on this property one finds the distinguisher which
distinguishes it from randomness and exploits this to
find the key. Attack is said to be theoretically success-
ful if cryptanalyst breaks the cipher with less key com-
plexity than exhaustive search. It may not be practi-
cally feasible to break with lesser key complexity than
exhaustive search. But lesser key complexity than brute
force attack shows that the cipher design has some flaws
or weakness which can be exploited in future with ad-
vent of new attacks.
There are various types of cryptanalytic attacks; based
on the attackers access such as ciphertext only attack,
known plaintext attack or attacker access to encryption
system to generate chosen plaintext and its ciphertext
or decryption process to generate plaintexts of chosen
ciphertexts. The success of attack can be measured us-
ing number of plaintext-ciphertext pairs or operations
required to recover secret key or partial key. When for
the attack the number of operations required is less
than 2n where n is size of secret key, the cipher is said
to be broken.
Biham and Shamir [1][2] proposed the basic differential
cryptanalytic technique based on DES, which is proba-
bilistic chosen plaintext attack. Many modifications and
extensions have been proposed and analyzed to improve
the attacks on various crypto algorithms. In 1993 Bi-
ham [3] proposed new types of cryptanalytic attacks
using related key. In 1994, Lars Knudsen[4] proposed
truncated differential which predicts only part of the
difference in a pair of texts after each round of encryp-
tion. In same year he proposed higher order differential
sen and Wagner [5] in 1997 proposed integral cryptanal-
ysis where some part of plaintext is kept constant and
2 Mehak Khurana, Meena Kumari
ham, Alex Biryukov, and Adi Shamir used impossible
differential to break IDEA and Skipjack block ciphers
[6] by exploiting differentials that never occurs. In 1999
Boomerang attack was developed by Wagner [7] which
states, attack is possible even if no differentials with
high or low probability is present for whole cipher. This
attack was modified and named as Rectangle attack [8]
in 2001. Related Key attack can be combined with other
variants of differential cryptanalysis where knowledge of
difference in keys may allow to attack more number of
rounds [9].
Linear cryptanalysis was developed by Matsui [10] in
1993 to exploit linear approximation with high proba-
bility i.e. greater than 21 . Zero correlation is a variant
of linear cryptanalysis developed by Bogdanov and Rij-
men [11] which tries to construct atleast one non trivial
linear hull with no linear trail i.e. with correlation C ex-
actly zero. This attack is countermeasure of impossible
differential attack.
To attack a cipher using integral, impossible or zero
correlation attack details of S-Box is not required as it
is independent of the choice of S-Box. Choosing another
S-Box for a cipher will result in almost same cryptan-
alytic results. Fig. 1 illustrates the different types of
attacks developed till today.
Fig. 1 Types of Cryptanalytic Attacks
Differential and Linear cryptanalysis or its variants have
been applied on almost all the block ciphers developed
till today. The fig. 2 shows various differential and lin-
ear based attacks which are developed and their com-
binations. Block cipher which is resistant to one attack
can be attacked by its variants or some combinations of
variants. To ease the process of applying these attacks
to check resistance to present day cryptanalytic attacks,
the simplified steps of each attack are described in next
sections.
Fig. 2 Variants of Cryptanalysis
The basic differential cryptanalytic technique is explained
in section II and the steps to find distinguisher and
steps to recover key for each variant of differential crypt-
analysis is explained in section 3. In section 4 linear
cryptanalysis is illustrated and the steps to find dis-
tinguisher and steps to recover key for the latest vari-
ant of linear cryptanalysis is explained in section 5. We
conclude in section 6 by describing unification of these
attacks and how this work is advantageous to the crypt-
analyst.
2 Differential Cryptanalysis
In differential cryptanalysis, one attacks by exploiting
the fact that for some fixed plaintext difference ∆P =
P ⊕ P 0 , certain differences in the ciphertext ∆C =
C ⊕ C 0 appear more often than one would expect for
secured design and this high probability of occurrence
is used to find secret key, where P and P 0 are two plain-
texts and C and C 0 are corresponding ciphertexts. To
apply differential cryptanalysis, one needs to find the
high probability of differentials in each S-Box used in
block cipher based on Substitution Permutation Net-
work (SPN) and then find products of high probabilities
of differential of S-boxes which lead the given plaintext
difference ∆P = P ⊕ P 0 to the ciphertext difference
∆C = C ⊕ C 0 . So in order to determine the differ-
ential characteristic, Difference distribution tables are
constructed for each S-Box for input difference ∆X and
output difference ∆Y . Due to the weakness in S-Box
(nxm), we may get high probabilities of difference pair
(∆X, ∆Y ) instead of 21n as in the case of ideal S-Box,
which is not achievable. All difference pairs of input X
and output Y of an S-Box can be examined and the high
probabilities of input output pairs (∆X, ∆Y ) of each
S-Boxes are traversed and combined from first round
to second last round treating S-Boxes as independent.
Variants of Differential and Linear Cryptanalysis
Once the differential characteristic for second last round
with a suitably large enough probability pD is discov-
ered, it is easy to attack cipher to recover some bits of
last round subkey by ex-oring all the possible combina-
tions of all influenced nonzero difference bits TPS (Tar-
get Partial Subkeys) entering last round with the ci-
phertext and running one round backwards through S-
boxes. The number of chosen plaintext-ciphertext pairs
required for attack will be 1/pD .
Differential cryptanalysis is divided into two steps: i)
Finding the Distinguisher and ii) Steps for Key Recov-
ery.
i) Finding the Distinguisher
1. Difference distribution table is constructed for each
S-Box (nxm) which contains the number of occur-
rences of corresponding output difference ∆Y for
each given input difference ∆X.
2. Find the probability of the each value of input out-
put difference by dividing it by 2n (number of input
bits)
3. Mark S-box difference pairs from round to round
so that the nonzero output difference bits from one
round correspond to the nonzero input difference
bits of the next round with highest probability. There-
fore traversing the active S-Box (i.e. non-zero dif-
ferential with high probability) difference pair from
first round till second last round of the cipher. The
highest probabilities of input output pairs of active
S-boxes are multiplied, to get the differential proba-
bility pD till second last round of the cipher [10].
4. So the differential probability pD is the distinguisher
During the cryptanalysis process, many pairs of plain-
texts for which ∆P will be encrypted. With high prob-
ability, the differential characteristic ∆C will occur. We
term such pairs for (∆P, ∆C) as right pairs. Plaintext
difference pairs for which the characteristic does not oc-
cur are referred to as wrong pairs.
ii) Steps for Key Recovery
1. Generate N plaintext/ciphertext pairs with given
∆P .
2. If kr (TPS) is l − bit. There are 2l possibilities. For
each TPS value (say TPS*) do the following
i Set count=0
ii For each Ciphertext(i) for i = 1toN do
the partial decryption
(a) Ciphertext(i) ⊕ T P S∗
(b) Run backward through S-boxes
to obtain bits into the last
round
(c) Check the input difference to
the final round determined by
partial decryption is the same
3
as expected from the differ-
ential characteristic
(d) If same, increment count
The partial subkey value with largest count is con-
sidered for each TPS*
3. Obtain a table of partial subkey values and corre-
sponding prob = count/N .
4. If probability (prob) as calculated in step 3 is equal
to pD (as expected)⇒ Correct TPS is determined
For fast implementation, discard those wrong cipher-
text pairs of which zeros do not appear in appropriate
subblock of the ciphertext difference.
3 Variants Of Differential Cryptanalysis
In this section variants of differential cryptanalysis are
described by illustrating the steps to formulate the dis-
tinguisher and steps to recover key.
3.1 Truncated Differential Cryptanalysis
In case of differential cryptanalysis, one exploits the
probability of fixed plaintext difference of two plain-
texts that produces the predicted Ciphertext difference
of the respective ciphertexts, but in case of truncated
differential, instead of getting the exact differential in
plaintext and Ciphertext, one exploits the probability
of subset of plaintext differences and subset of predicted
Ciphertext differences [12]. Wherever the value in the
difference is not as predicted in Differential cryptanaly-
sis we denote by 0 ?0 (don’t care), So the predicted prob-
ability of truncated differential increases the number of
plaintext and Ciphertext pairs to be counted in the dis-
tinguisher, which in turn increases the probability of
recovering the key [13]. The attack is as follows:
i)Finding the Distinguisher
1. Let ∆Pα be the subset of non trivial difference ∆P
of two inputs to encryption function f : GF (2n ) →
GF (2n ) upto r rounds, for which only fraction of
output difference ∆C i.e. ∆Cδ occurs after r rounds.
The truncated differentials ∆Pα → ∆Cδ
2. Let T be a table of size 2n which is initialized to zero
for all entries.
3. For all possible value of input x, x ∈ GF (2n ), com-
pute the table T by putting 1 at position f (x) ⊕
f (x ⊕ ∆Pα ), which gives truncated output ∆Cδ cor-
responding truncated input ∆Pα , i.e. T [f (x)+f (x+
∆Pα )] = 1. Therefore all possible output differen-
tials corresponding to the truncated differential are
marked and known.
4 Mehak Khurana, Meena Kumari

ii)Steps for Key Recovery called impossible differential pair. We eliminate or dis-
In order to recover last round key kr , if we get truncated card keys for which impossible differential characteristic
differentials and table T values of function f of r round β 6= γ holds for the subkey of that key.
1. Generate N pair of plaintext P, P 0 and their corre-
sponding ciphertext C, C 0 respectively.
2. For all possible value of the last round key kr , do the
following:
i Decrypt one round backwards C, C 0 us-
ing kr , and obtain the intermediate ci-
phertexts M, M 0
3. For all possible value of the second last round key,
kr − 1 do the following:
i Calculate t1 = f (M +kr −1), t2 = f (M 0 +
kr − 1)
ii If T [t1 + t2 + M + M 0 ] > 0, then pair of Fig. 3 Miss in Middle
keys kr − 1 and kr are right keys. Here,
we are measuring if the truncated differ-
ential was seen.
4. By repeating the attack N number of times only one
unique pair of keys kr − 1 and kr , the right key will i)Finding the Distinguisher
be suggested. Then output the values of kr − 1 and To obtain impossible differentials (α 9 δ)
kr . 1. Obtain the input differential α = N ⊕ N 0 , encrypt
5. Output the subkeys for last and second last round N, N 0 by r1 rounds to obtain differential β of the
kr and kr − 1 respectively. outputs i.e. P r(α → β) = 1
2. For the differential δ = M ⊕ M 0 , decrypt M, M 0
by r2 rounds to obtain values with differential γ i.e.
P r(δ → γ) = 1.
3.2 Impossible Differential Cryptanalysis
3. If β 6= γ then α 9 δ is impossible
4. Repeat above 4 steps for different values (α, δ) to ob-
Biham et.al. in 1998 developed variant of a truncated
tain a set ID i.e. ID = (α1 , δ1 ), (α2 , δ2 ), . . . , (αn , δn ).
differential cryptanalysis called impossible differential
ii)Filtering and Key Elimination
cryptanalysis [14][15][16] by formulating distinguisher
For each key, obtain subkey after x rounds and y rounds.
based on the fact that certain differentials never occur
Do the following to rule out the invalid subkeys
(i.e. the differentials with zero probability). It can be
1. For input-output pairs (N, M ) and (N 0 , M 0 ). Check
applied to the cipher, whose non-linear round function
N ⊕ N 0 = α and M ⊕ M 0 = δ i.e. (α, δ) ∈ ID
is bijective. To apply impossible differential attack, we
2. Find the differential β of the values after encrypting
need to find impossible differential pair (α 9 δ) which
N and N 0 by r1 round
can be used as distinguisher the differential α can be
3. Find differential γ of the value after decrypting M, M 0
∆P the difference of two plaintext P and P 0 or it can
by r2 rounds
be the difference of two inputs N and N 0 after encryp-
4. Check β 6= γ then subkey is invalid.
tion of x rounds of P and P 0 and the differential δ can
5. Rejecting the invalid keys, the total key space is re-
be ∆C the difference of two ciphertext C and C 0 or
duced.
it can be the difference of two outputs M and M 0 af-
ter decryption of y rounds of C and C 0 . The difference
α after r1 + r2 rounds produces the output difference 3.3 Integral Cryptanalysis
δ. An impossible differential with miss in middle tech-
nique works as a distinguisher to rule out the incorrect In 1997, Daemen, Knudsen and Rijmen published new
keys, where miss in middle technique uses combination block cipher called SQUARE, and later discovered an
of two differentials both of which hold with probabil- attack on it and named as Square Attack which could
ity one and do not meet in middle i.e. for r1 rounds not be able to attack large number of rounds. This
of partial encryption α becomes β and for partial de- attack was later on named as Saturation Attack. Fi-
cryption of r2 rounds δ becomes γ (see Fig 3). If β 6= γ nally in 2002, Knudsen and Wagner came up with many
the difference α 9 δ after r1 + r2 rounds of encryption improvements and modifications by combining differ-
is impossible because α → β 6= γ ← δ and (α, δ) is ent techniques and named it as Integral Cryptanaly-
 Variants of Differential and Linear Cryptanalysis
sis[17]. Block ciphers which uses bijective components
are proneR to integral
P cryptanalysis. The integral is de-
fined as R = B∈R B, where B = b1 , b2 . . . , bn is a
state vector where each bi ∈ GF (2n ). R is a multiset of
state vectors. In integral 0 n0 represents the number of
words in the plaintext and ciphertext, for example in
AES the state vector is of 16 words each of 8 bits. In this
attack, attacker tries to predict the values in the inte-
gral after certain number of rounds of encryption. The
following properties can be observed in output of cipher
rounds which play an important role to construct ba-
sic model of integral distinguisher to distinguish several
rounds of block cipher from random permutation.
(a) All ith words are equal i.e. bi = c for all B ∈ R,
denoted by symbol 0 C 0 Where c ∈ GF (2n ), are some
fixed values (constants).
(b) All ith words are different bi : B ∈ R = GF (2n ), de-
noted by symbol 0 A0 .
(c) All ith Lwords sum to certain value predicted in ad-
0 0 0
vance B∈R bi = c , denoted by symbol S (bal-
0 n
anced) Where c ∈ GF (2 ), are some fixed values
(constants)
(d) The sum of words that cannot be predicted i.e. no
information can be derived are denoted by symbol
‘?0
Fig. 4 Integral Attack
i) Finding the Distinguisher
1. Choose an input multiset R which consists of 2n cho-
sen plaintexts which have above property such that
plaintext with some certain words being A and rest
of the words being C. e.g. P = (CCCC; CCCC), P 0 =
(ACCC; CCCC).
2. Encrypt the multiset, after a few rounds r1 of en-
cryption check if all the sum (usually exclusive-or)
at some word is zero (balanced) i.e. some bytes of
output will have state 0 S 0 (balanced) with proba-
bility one which works as a distinguisher that can
distinguish few rounds of cipher from random per-
mutation, see fig. 4.
5
3. Thus by changing the position of 0 A0 in chosen plain-
text we can obtain different distinguisher.
ii) Steps for Key Recovery
1. Obtain all the possible combination of subkey kr
(TPS).
2. Do the partial decryptions (for r2 rounds) upto the
output of integral distinguisher.
3. If decryption gives exclusive-or sum of the states as
zero i.e. balanced, store that subkey.
Otherwise, repeat the steps for other possible sub-
keys.
4. Repeat step 1-3 number of times for all multiset,
subkey with maximum count is the correct subkey.
3.4 Higher Order Differential Cryptanalysis
Knudsen introduced higher order differential cryptanal-
ysis based on the concept of higher order derivative pro-
posed by Lai [18] that are applicable to those ciphers
that can be expressed by multivariable Boolean func-
tions with low degree [19].
The derivative of function f : GF (2n ) → GF (2m ) at
the point a is ∆a f (x) = f (x + a) − f (x) where a ∈
GF (2n ). For ith derivative of f at the point (a1 , a2 , .., ai ) ∈
(i) (i−1)
GF (2n ) is defined as ∆a1 ,...,ai f (x) = ∆ai (∆a1 ,...,ai −1 )f (x),
(i−1)
where ∆a1 ,. . . ,ai −1 f (x) is the (i − 1)th derivative of f at
(a1 , a2 , . . . , ai−1 ), the 0th derivative of f is defined to be
f (x) itself, also deg(∆a f (x)) 6 deg(f (x)) − 1. For any
x ∈ GF (2n ), let L[a1 , . . . , ai ] be the list of all 2i possible
(i)
combinations of a1 , . . . , ai [20]. Then ∆a1 ,. . . ,ai f (x) =
L
v∈L[a1 ,. . . ,.ai ] f (x ⊕ v) If ai is linearly independent
(i)
of (a1 , . . . , ai − 1), then ∆a1 ,. . . ,ai f (x) = 0. In iter-
ated block cipher of block size n and r rounds, Attack
is possible, when we know the total degree deg(f ) of
the output of the (r − 1)th round. To attack (r − 1)
rounds of cipher, we find the order of (r − 1) rounds for
which derivative ∆a1 ,a2 ,. . . ,ar−1 f (x) = c(constant)∀x ∈
GF (2n ) i.e. independent of round keys k1 , k2 , . . . , kr−1 .
The steps to find the order are given in[21]. The attack
is based on the property that the dth derivative of a
multivariate polynomials f with degree d is a constant
and (d + 1)th derivative is zero.
i)Finding the Distinguisher
1. Randomly choose a plaintext P ∈ GF (2n )
2. Encrypt plaintexts P ⊕v, ∀v ∈ L[a1 , . . . , ai ] to obtain
their corresponding
L ciphertexts cv .
3. Compute v∈L[a1 ,. . . ,ai ] f (x ⊕ v)
4. If v∈L[a1 ,. . . ,ai ] f (x⊕v) = c(constant)∀x ∈ GF (2n ),
L
for (r−1) round with any round keys k1 , k2 , . . . , kr−1 .This
will work as a distinguisher to recover the key.
ii)Steps for Key Recovery
6 Mehak Khurana, Meena Kumari

1. Generate N plaintext randomly. For each plaintext

P , do the following
2. For all the possible combination of last round in-
fluenced bits kr (TPS), if kr is l-bits, there are 2l
possibilities for each kr value, for each value of TPS
(say TPS*) Do the following
i Decrypt all ciphertexts cv one round
backwards using TPS*
ii L
The value of TPS* for which
−1
v∈L[a1 ,. . . ,ai ] fkr (cv ) becomes
constant ∀v ∈ L[a1 , . . . , ai ], store that
TPS* value in a table T and reject
TPS* if
L −1
v∈L[a1 ,. . . ,ai ] fkr cv , ∀v ∈ L[a1 , . . . , ai ]
is not constant.
3. Repeat the step 2 for N plaintexts and the key in
the table T with highest probability is the correct
last round key. Output that key kr .
Higher order cryptanalysis can be applied to maximum
5 feistel rounds of cipher i.e. cannot defeat ciphers with
large or more than 6 rounds.
3.5 Boomerang Differential Attack
In 1999, Boomerang was developed by Wagner which
states that even if there is no differential with either
high or low probability for whole cipher, it may still be
vulnerable to Boomerang attack. It is an adaptive cho-
sen plaintext/Ciphertext attack in which attacker finds
two short differentials with high probabilities instead of
one whole differential with low probability.
n k
The block cipher encryption E : (0, 1) X(0, 1) = (0, 1)
is decomposed into two halves E = E0 ◦ E1 where E0
represents first half and E1 represents second half. Dif-
ferential characteristic for E0 is α → β with proba-
bility p and for E1−1 the differential characteristic is
δ → γ with probability q. In boomerang attack, to find
all plaintexts sharing a desired difference that depends
on the choice of the differential is the distinguisher [22].
i) Finding the Distinguisher
1. The attacker randomly chooses two plaintexts P, P 0
and computes α = P 0 ⊕ P
2. Encrypt P and P 0 by E0 to obtain middle cipher-
text M = E0 (P ) and M 0 = E0 (P 0 ) and further en-
crypt for E1 to obtain ciphertext C = E1 (M ), C 0 =
E1 (M 0 ).
3. Obtain new ciphertexts D, D0 from ciphertexts C, C 0
with difference δ i.e. D = C ⊕δ and D0 = C 0 ⊕δ such
that when we decrypt C, C 0 by E1−1 and D, D0 by
E1−1 we get the difference γ i.e. E1−1 (C) ⊕ E1−1 (D) =
E1−1 (C 0 ) ⊕ E1−1 (D0 ) = γ
Fig. 5 Structure of Boomerang Attack
4. Decrypt these Ciphertext D and D0 for E1−1 partially
to get N, N 0 and further decrypt it for E0−1 to get O
and O0 i.e. O = E0−1 (N ) and O0 = E0−1 (N 0 ).
5. Finally for each pair (O, O0 ) check whether O and
O0 differ by same differential α i.e. O ⊕ O0 = α. If
this condition is satisfied, it means it has formed a
right quartet (P, P 0 , O, O0 ). If so, store the quartet.
6. Repeat these steps with other set of plaintext to find
other pairs that form right quartets and store it in
a table (Boomerang distinguisher).
ii) Steps of Key Recovery
n 1. From set of boomerang distinguisher, for each ob-
tained right quartets (P, P 0 , O, O0 )
2. Find all possible values for nonzero influenced dif-
ference bits entering last round (TPS).
3. For all the possible values TPS (kr ) i.e. if kr is l-
bits, there are 2l possibilities for each kr value, Do
the following
i Set count=0
ii Encrypt (P, P 0 , O, O0 ) and obtain the cor-
responding ciphertext quartet (C, C 0 , D, D0 )
respectively
iii Then do the one round partial decryp-
tion dk under key kr
0
(a) C = dkr (C), C = dkr (C 0 )
0
and D = dkr (D), D = dkr (D0 )
(b) Check the difference by par-
0
tial decryption C ⊕ C and
0
D ⊕ D is the same as ex-
pected from the differential
characteristic.
Variants of Differential and Linear Cryptanalysis
(c) If difference is same in both
the pairs then increment the
count
4. Value of TPS which has maximum count for right
quartet is correct TPS and output that value.
3.6 Rectangle Attack
Boomerang uses adaptive chosen plaintext/ciphertext
due to which many of the ciphers that were developed
through the years cannot be attacked by boomerang
distinguishers and key recovery attack cannot be ap-
plied, which led to the development of its chosen plain-
text variant called amplified attack [23]. This was later
modified and named as rectangle attack. The Rectangle
attack is divided into two steps: 1) Finding the distin-
guisher 2) Key Recovery (same as Boomerang) [24]
i) Finding the Distinguisher
1. The attacker randomly chooses two plaintext pairs
(P, P 0 ), (O, O0 ) with same difference α such that α =
P 0 ⊕ P and α = O0 ⊕ O.
2. Encrypt (P, P 0 ) and (O, O0 ) to obtain middle cipher-
texts i.e. M = E0 (P ) and M 0 = E0 (P 0 ) and N =
E0 (O) and N 0 = E0 (O0 ), we are interested in the
cases where M ⊕ M 0 = β, N ⊕ N 0 = β and M ⊕ N =
γ, which leads to M 0 ⊕ N 0 = (M ⊕ β) ⊕ (N ⊕ β) = γ.
3. We receive two pairs (M ⊕ N andM 0 ⊕ N 0 ) each with
the difference γ. When encrypting (M, M 0 ), (N, N 0 )
by E1 , i.e. C = E1 (M ), C 0 = E1 (M 0 ) and D =
E1 (N ), D0 = E1 (N 0 ) then in some of the cases γ
becomes δ. And we look for those cases where both
difference become C ⊕ D = δ and C 0 ⊕ D0 = δ after
E1 . The quartet satisfying these differential require-
ments forms a right quartet.
4. Repeat these steps to find the pairs that form right
quartets (P, P 0 , O, O0 ) and save it in a table (distin-
guisher).
ii) Steps of Key Recovery
1. From set of distinguisher, for each obtained right
quartet (P, P 0 , O, O0 )
2. Find all possible values for nonzero influenced dif-
ference bits entering last round (TPS).
3. For all the possible values TPS (kr ) i.e. if kr is l-
bits, there are 2l possibilities for each kr value, Do
the following for each right quartet,
i Set count=0
ii Do the partial decryption by one round.
iii Check the input difference by partial decryption
is the same as expected from the differential
characteristic.
iv If same, increment count for that TPS.
4. TPS which has maximum count value for right quar-
tet that is correct and output that value.
7
3.7 Related Key Attack
In key schedule algorithm of block cipher, if the re-
lations between pairs of keys in different rounds exist
then all the subkeys can be shifted one round backward
and a new set of subkeys can be obtained, these key re-
lations can be used to attack the block ciphers. The
attack where keys are unknown, but relation is known
to the attacker is called chosen key attacks. The attacks
are not dependent on number of rounds of a cipher [25].
The Chosen Key Attacks
Several plaintexts are encrypted by these related keys.
After encryption the corresponding ciphertexts are ob-
tained under these related keys which have some rela-
tion between them, this relation is used by attacker to
find both the keys. Chosen Key attack can be further
divided into
• Chosen Key Known Plaintext Attack
• Chosen Key Chosen Plaintext Attack
In chosen key known plaintext attack, attacker exploits
only relation between the keys and in chosen key chosen
plaintext attack, the relation between keys and plain-
text are exploited by the attacker. The process of re-
covering the keys is almost same in both cases.
i) Steps for Key Recovery
1. The attacker chooses such a plaintext pair P and
P ∗ such that right half of P equals the left of P ∗ i.e.
PR = PL∗ .
2. P is encrypted with key K and result of encryption
of P is obtained before next round which may be the
same as P ∗ encrypted with key K ∗ after first round.
3. For plaintexts P and P ∗ corresponding ciphertext C
and C ∗ is obtained after encryption after all rounds
and if these ciphertexts satisfies the relation CL =
∗
CR , then it has high probability to find expected pair
(by birthday paradox).
4. If attacker find such pairs then P, P ∗ , C, C ∗ and K, K ∗
can be used to recover secret key bits with less trails
than brute force attack.
n
For chosen plaintext attack 2 4 Chosen plaintexts are
n
required and for known plaintext attack 2 2 known plain-
texts are required.
4 Linear Cryptanalysis
Matsui in 1993 developed linear attack to attack DES
by exploiting linear approximation with high probabil-
ity of input and second last round output of DES cipher
by known plaintext approach. In this attack linear ex-
pression of u bits of input and v bits of output which
holds high or low probability is exploited to find the key.
The bias probability (ε = |pL − 12 |) is amount it deviates
8 Mehak Khurana, Meena Kumari
from probability 21 where pL is the probability of hold-
ing the linear expression. The higher the magnitude of
the bias |pL − 21 |, poorer the randomization ability of the
0 cipher and weak is the system, so with fewer known
plaintext this attack can be applied. If PL > 12 expres-
sion Xi1 ⊕Xi2 ⊕Xi3 . . . ⊕Xiu ⊕Yi1 ⊕Yi2 ⊕Yi3 . . . ⊕Yv = 0
between u input bits and v output bits of second last
round is called linear approximation and if pL < 12 it
is called affine approximation. Distinguisher for the at-
tack is the bias probability of holding the linear attack
of plaintext bits and the second last round of cipher;
following are the steps to find distinguisher of SPN ci-
pher with r rounds.
i) Finding the Distinguisher
1. Generate the linear approximation table of order
2n x2m for each S-Box of size nxm by
i Form a table for each nxm S-Box where
the elements of the table represent the
number coincides between linear relation
a.x = a1 x1 ⊕ a2 x2 ⊕ . . . ⊕ an xn of input
and the linear relation b.y = b1 y1 ⊕b2 y2 ⊕
. . . ⊕ bm ym of the output where a, b rep-
resents n and m bit numbers respectively
for 0 ≤ a ≤ 2n−1 and 0 ≤ b ≤ 2m−1 . In
a table the binary value of a1 a2 a3 . . . an
(a1 the MSB) represents row no, the bi-
nary value of b1 b2 b3 . . . bm (b1 the MSB)
represents column no.
ii Calculate the coincidence probability pL
by dividing the elements of linear ap-
proximation table by 2n (number of in-
put bits).
iii Calculate the bias probability e for each
high coincidence probability pL of each
S-Box for each round by using formula
ε = |pL − 12 |.
2. Mark the linear trail for the whole cipher by con-
sidering those elements of S-Boxes with highest bias
probability e in each round till second last round.
3. Calculate the expected bias probability pD of hold-
ing the linear expression between input and the last
round cipher by using pilling up lemma, considering
all S-Boxes as independent. For each round function
the linear expression which hold with high coinci-
dence probability and calculate bias probability by
subtracting from 12 and combine this linear expres-
sion with next round linear expression with high-
est coincidence probability and go on calculating εi
for each round and at last probability of pD (x1 ⊕
= 0) = 12 + 2k−1 i=1tok εi where
Q
x2 ⊕ . . . ⊕ xn Q
ε1,2. . . k = 2k−1 i=1tok ε.
ii) Steps to Recover Key
1. Generate N plaintext/ciphertext pairs
2. If TPS is l-bit. There are 2l possibilities
3. For each TPS value (say TPS*) do the following
i Set count=0
ii For each ciphertext(i) for i = 1 to N do
the partial decryption
(a) ciphertext(i)⊕ TPS*
(b) Run backward through S-boxes
to obtain bits into the last
round
(c) XOR the Bits of plaintext (i)
with XOR of the bits obtained
in step (b)
(d) If expression in (c) is zero
(e) Increment count
iii |Bias| = |count– N2 |
4. Obtain a Table of partial subkey values and corre-
sponding |Bias|
5. If |Bias| = 0 ⇒ IncorrectT P S
If |Bias| ≈ Expectedvalue ⇒ CorrectT P S
5 Variants Of Linear Cryptanalysis
5.1 Zero Correlation Linear Cryptanalysis
Zero correlation linear cryptanalysis was proposed by
Bogdanov and Rijmen for an iterative block cipher is
a counterpart of impossible differential cryptanalysis.
This attack exploits the linear approximation a → b of
the cryptographic function f of the cipher of r rounds
where a and b are input sum and
output sum selection
pattern. The probability p = Pxr (ax = bf (x)) for lin-
ear approximation a → b over all input x is exactly 12
which amounts to correlation C zero because C = 2p−1
with a 6= 0, b 6= 0. The linear approximation a → b for
an iterative block cipher from fixed input a to fixed
output b is called a Linear Hull which contains all pos-
sible sequences of linear approximation. These set of
sequences are called Linear Trails [26]. See fig 5, where
fi is the function of ith round and ui ’s are intermediate
values.
Fig. 6 Linear Trail
According to pilling up lemma, the total correlation
contribution CU over a cipher of a linear trail U is a
computed by identifying strong linear approximation
trail by concatenating approximations from round to
Variants of Differential and Linear Cryptanalysis
round and calculated by doing product ofQ these correla-
r
tion for all rounds and is defined as CU = i=1 Cufii−1 ,ui ,
where Cufii−1 ,ui is correlation for each intermediate value
ui−1 → ui . For a linear hull a → b, total correlation
over a cipher is computed by summing the correlation
contribution CU of all its possible linear trails U .
X
C= CU
U =u0 =a,u1 ,u2 ,. . . ,ur =b
To construct zero correlation (C = 0) linear hull, input
a and output b is selected in such a way that no linear
trail exists with non-zero correlation contribution CU
i.e. if correlation contribution CU = 0 for each linear
trail, then correlation over the entire iterative cipher
is exactly zero, C = 0 and it is denoted by a 9 b.
For correlation contribution to be zero CU = 0 for
each trail, construct each trail with at least one inter-
mediate Cufii−1 ,ui linear approximation ui−1 → ui over
the rounds to be zero since the product of all corre-
lation values with intermediate zero correlation value
will result in zero correlation C=0 for this linear hull.
If Cufii−1 ,ui = 0 for a linear trail U , the pair of selection
pattern ui−1 and ui for a trail is called incompatible.
If even one zero correlation linear hull (distinguisher)
exists, the cipher can be attacked.
Fig. 7 Zero correlation Linear Cryptanalysis Structure
The basic steps for constructing an attack on ciphers
are
i)Finding the Distinguisher
1. Choose plaintext and ciphertext pairs with fixed un-
known key K.
2. Construct linear distinguisher with correlation zero
C(a 9 b) = 0 by using miss in middle technique.
9
This can be done by encrypting fixed input a to ob-
tain output β for r1 rounds of cipher, decrypting
fixed output b to obtain γ for r2 rounds of cipher.
3. Obtain the partial trails with non zero correlation
contribution. If both the partial trails do not match
in middle β 6= γ, this contradiction ensures the cor-
relation zero therefore r1 +r2 rounds must be a zero-
correlation linear hull i.e. C = 0. Thus correlation of
linear hull is exactly zero and linear distinguisher
(a, b) is obtained.
ii) Steps to Recover Key
1. Obtain all the possible combination of subkey kr
(TPS) to compute encryption and decryption.
2. For each possible subkey, partially encrypt each plain-
text (for r1 rounds) and partial decrypt each ci-
phertext (for r2 rounds) upto the input and output
boundaries of the distinguisher (zero correlation lin-
ear approximation boundaries)
3. Evaluate the correlation for partial encryption de-
cryption of all linear approximations for each possi-
ble subkey by counting number of times ax⊕bf (x) =
0
4. If the correlation C is 0, the subkey guess is correct
We evaluate the correlation for distinct linear hulls to
reduce the error probability.
6 Conclusion
Cryptographers as well as cryptanalysts all over the
world have been applying the latest attacks to already
published or newly designed crypto algorithm. To de-
sign a highly secure block ciphers which are immune
to the present day attacks, one needs to analyze the
possibility of any weakness in the design which can be
exploited by all the variants of differential and linear
attacks. The steps described in this paper, to find the
distinguisher and to recover the key of each cryptana-
lytic attack will be of great help to cryptanalyst. With
the advent of High Performance Computing(HPC) and
Distributed computing, these attacks will make crypt-
analysis efficient. All the attacks described in this paper
can be applied on SPN, feistel and generalized feistel
structure with the additional condition that the round
function should be bijective for impossible, integral and
zero correlation. The following Table 1 consolidates the
ciphers which have been attacked by variants of linear
and differential cryptanalysis till today.
The proposed work, helps to apply simultaneously all
the variants of differential attacks to a block ciphers.
These steps of finding distinguisher and steps to re-
cover key eases the task of cryptanalysts to apply the
attack on cipher simultaneously. The steps of key re-
covery described in this paper on the latest zero corre-
10 Mehak Khurana, Meena Kumari

Table 1 List of Attacks and ciphers 13. Lars R. Knudsen, Matthew J.B. Robshaw, The Block Ci-
pher Companion, Springer-Verlag (2011).
14. Y. Liu, D. Gu, Z. Liu, Wei Li, “Impossible Differential At-
tacks on Reduced Round LBlock,” in ISPEC 2012, LNCS
7232, pp. 97–108, 2012, Springer-Verlag Berlin Heidel-
berg (2012).
15. C. Boura, M. Naya-Plasencia, V. Suder, “Scrutinizing
and Improving Impossible Differential Attacks: Appli-
cations to CLEFIA, Camellia, LBlock and Simon” Asi-
acrypt 2014, LNCS Volume 8873, 2014, pp 179-199,
Springer-Verlg (2014).
16. R. Li1, B. Sun1 and C. Li, ”Impossible Dif-
ferential Cryptanalysis of SPN Ciphers,”
https://eprint.iacr.org/2010/307.pdf (2010).
17. Y. Yeom, “Integral Cryptanalysis and Higher Order Dif-
ferential Attack,” in Trends in Mathematics, Information
Center for Mathematical Sciences, Volume 8, Number 1,
June, Pages 101-118 (2005).
lation attack which is a variant of linear cryptanalysis 18. M. Duan, X. Lai, ”Higher Order Differential Cryptanal-
will also help to check the weakness in the design. Our ysis Framework and its Applications,” in International
Conference on Information Science and Technology, Nan-
futurist work is to apply these attacks on various algo-
jing, Jiangsu, China, March 26-28, (2011).
rithms and to do comparison on basis of time and data 19. M. Duan, X. Lai, Mohan Yang, X. Sun, B. Zhu, “Dis-
complexity. tinguishing Properties of Higher Order Derivatives of
Boolean Functions,” in IEEE Transactions on Informa-
tion Theory, Jul (2010).
20. A. Canteaut, M.Videau, “Degree of Composition of
References
Highly Nonlinear Functions and Applications to Higher
Order Differential Cryptanalysis,” in L.R. Knudsen
1. E. Biham, A. Shamir, “Differential Cryptanalysis of DES-
(Ed.): EUROCRYPT 2002, LNCS 2332, pp. 518–533,
like Cryptosystems,” Journal of Cryptology, Vols.4, no.1,
2002, Springer-Verlag (2002).
pp. 3-72 (1991).
21. Francois-Xavier Standaert, Gilles Piret, Jean-
2. E. Biham, A. Shamir, Differential Cryptanalysis of the
Jacques Quisquater, “Cryptananlysis of Block
Data Encryption Standard, Springer Verlag (1993).
Ciphers: A Survey,” UCL, Groupe Crypto,
3. E. Biham, ”New Types of Cryptanalytic Attacks Using
http://www.dice.ucl.ac.be/crypto/, Belgium (2003).
Related Keys,” Journal of Cryptology, vol. 7, no. No. 4,
22. E. Biham, O. Dunkelman, N. Keller, ”New Results and
p. 229–246, Springer-Verlag (1994).
boomerang and rectangle attack,” in Proceeding of Fast
4. L. Knudsen, ”Truncated and higher order differentials,”
Software Encryption, LNCS 2365, pp 1-16 Springer verlag
in In B.Preneel,editor, FSE, LNCS 1008, pp.196-211,
(2002).
Springer-verlag (1995).
23. J. Kelsey, T. Kohno, B. Schneier, Amplified Boomerang
5. L. Knudsen, D. Wagner, “Integral Cryptanalysis (Ex-
Attacks Against Reduced-Round MARS and Serpent,
tended Abstract),” in FSE 2002, LNCS 2365, pp.
New York : FSE 2000, pp. 75–93, Springer-Verlag (2000).
112–127, Springer-Verlag (2002).
24. E. Fleischmann, M. Gorski, S. Lucks, ”Attack-
6. E. Biham, A. Biryukov, A. Shamir, “Cryptanalysis of
ing Reduced Rounds of the ARIA Block Cipher,”
Skipjack Reduced to 31 Rounds using Impossible Differ-
https://eprint.iacr.org/2009/334.pdf, Germany (2009).
entials,” in Advances in Cryptology: EUROCRYPT’99
25. E. Biham, “New Types of Cryptanalytic Attacks Using
LNCS 1592, pp. 12-23, Springer Verlag (1999).
Related Keys,” Journal of Cryptology, , vol. 7, no. No. 4,
7. D. Wagner, ”The Boomerang Attack,” in Fast Soft-
p. 229–246, Springer-Verlag (1994).
ware Encryption, FSE’99 (L. R.Knudsen, ed.) Springer-
26. A. Bogdanov and V. Rijmen, “Linear hulls with corre-
Verlag, vol. 1636 of Lecture Notes in Computer Science,
lation zero and linear cryptanalysis of block ciphers,”
p. 156–170 (1999).
Designs, Codes and Cryptography, vol. 70 , no. 3, pp.
8. E. Biham, O. Dunkelman, N. Keller, ”The Rectan- 369-383, March (2014) .
gle Attack - Rectangling the Serpent,” EUROCRYPT
2001 LNCS,, vol. 2045, pp. 340-357, Springer, Heidelberg
(2001).
9. E. Biham, O. Dunkelman, N. Keller, ”Related-Key
Boomerang and Rectangle Attacks.,” EUROCRYPT
2005, LNCS, vol. 3494, pp. 507-525, Springer, Heidelberg,
(2005).
10. Howard M. Heys, A Tutorial on Linear and Differential
Cryptanalysis.
11. A. Bogdanov, V. Rijmen, “Zero Correlation Linear
Cryptanalysis of Block Ciphers,” IACR Eprint Archive
Report 2011/123, March (2011).
12. C. Swenson, Modern Cryptanalysis: Techniques and Ad-
vanced Code Breaking, Indianapolis: Wiley Publishing
(2008).