PRESENT is an ultra-lightweight block cipher designed by Bogdanov et al., and has been widely studied since its proposal. It supports 80-bit and 128-bit keys, which are referred to as PRESENT-80 and PRESENT-128, respectively. Up to now, linear cryptanalysis is the most effective method for attacking this cipher, especially when accelerated with the pruned Walsh transform. Combining the pruned Walsh transform with multiple linear attacks, one can recover the right key for 28-round PRESENT-80 and -128. Later, this method was further improved with the affine pruned Walsh transform, which adds more zeros to the Walsh spectrum by rejecting some data. This leads to a 29-round attack on PRESENT-128 with the full codebook.
In this paper, we follow the affine pruned Walsh transform accelerated linear method and propose 29-round attacks on both PRESENT-80 and PRESENT-128 without using the full codebook. Both attacks rely on a statistical model depicting the distributions of the experimental correlation when some data are artificially rejected in its computation. Besides, a detailed analysis of the complexity reduction for each linear hull used in attacking PRESENT is also provided and supported by an automatic tool. Our 29-round attack on PRESENT-80 mainly benefits from this tool. To our knowledge, both attacks are the best ones on PRESENT so far.
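The abstract refers to two uses of the Walsh transform that are easy to lose in the summary: the Walsh spectrum of a linear approximation (the correlation table of the S-box) and the transform-based scoring of key guesses that the pruned and affine pruned variants accelerate by exploiting zeros in that spectrum. The block below is an added illustration, not code from the paper or from the PRESENT designers. It computes the PRESENT S-box's Walsh spectrum with a fast Walsh-Hadamard transform and checks the bounds the S-box was designed to meet (correlation at most 1/2 for any masks, at most 1/4 for single-bit masks), then shows the baseline key-recovery trick on a toy, single-nibble last round: scoring all 16 key guesses becomes an XOR-convolution, so three transforms replace a pass over the data per guess. The one-nibble round, the masks (plaintext bit 0 versus bit 1 of the S-box input), the secret key, and the sampled data are all assumptions constructed for the example; the pruning steps the paper builds on are not reproduced.

```python
"""Walsh-transform building blocks of linear key recovery, shown on one
PRESENT S-box nibble.  Added illustration; not the paper's code."""
import random
from typing import List, Tuple

# PRESENT S-box (from the cipher specification) and its inverse.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]

V_MASK = 0x2   # assumed mask on the S-box input u: the approximation uses bit 1 of u


def parity(x: int) -> int:
    """Parity of the bits of x, i.e. the GF(2) inner product when x = a & y."""
    return bin(x).count("1") & 1


def fwht(v: List[int]) -> List[int]:
    """Fast Walsh-Hadamard transform: W[a] = sum_x v[x] * (-1)^(a.x).
    O(n log n) butterflies instead of O(n^2); unnormalised, returns a new list."""
    w = list(v)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def lat_row(b: int) -> List[int]:
    """Walsh spectrum of x -> b.S(x); entry a equals 16 * cor(a.x, b.S(x))."""
    f = [1 - 2 * parity(b & SBOX[x]) for x in range(16)]
    return fwht(f)


def max_abs_correlation(single_bit_only: bool = False) -> float:
    """Largest |correlation| over non-trivial (a, b); optionally single-bit masks only."""
    masks = [1, 2, 4, 8] if single_bit_only else list(range(1, 16))
    return max(abs(lat_row(b)[a]) for b in masks for a in masks) / 16


def toy_samples(key: int, n: int, corr: float, seed: int = 1) -> List[Tuple[int, int]]:
    """Constructed data for a one-nibble 'last round' y = S(u) ^ key.
    The approximation 'plaintext bit p == V_MASK.u' is made to hold with
    correlation `corr` by flipping p on a random subset of the samples."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        u = rng.randrange(16)
        p = parity(V_MASK & u)
        if rng.random() < (1 - corr) / 2:
            p ^= 1                      # approximation fails for this sample
        data.append((p, SBOX[u] ^ key))
    return data


def counters_direct(data: List[Tuple[int, int]]) -> List[int]:
    """Naive scoring: for every key guess, re-evaluate every sample (O(2^4 * N))."""
    scores = []
    for guess in range(16):
        s = 0
        for p, y in data:
            u = SBOX_INV[y ^ guess]     # partial decryption under the guess
            s += 1 - 2 * (p ^ parity(V_MASK & u))
        scores.append(s)
    return scores


def counters_fwht(data: List[Tuple[int, int]]) -> List[int]:
    """Same scores from one pass over the data plus three transforms.
    C(k) = sum_y T[y] * g(y ^ k) is an XOR-convolution of the signed
    ciphertext counter T with g(z) = (-1)^(V_MASK.S^-1(z)), hence
    C = FWHT(FWHT(T) * FWHT(g)) / 16.  Pruned variants exploit zeros in FWHT(g)."""
    T = [0] * 16
    for p, y in data:
        T[y] += 1 - 2 * p
    g = [1 - 2 * parity(V_MASK & SBOX_INV[z]) for z in range(16)]
    Th, gh = fwht(T), fwht(g)
    return [c // 16 for c in fwht([x * y for x, y in zip(Th, gh)])]


def best_key(scores: List[int]) -> int:
    """Key guess with the largest |experimental correlation|."""
    return max(range(16), key=lambda k: abs(scores[k]))


if __name__ == "__main__":
    print("max |cor|, any masks    :", max_abs_correlation())        # 0.5
    print("max |cor|, single-bit   :", max_abs_correlation(True))    # 0.25
    data = toy_samples(key=0xB, n=2048, corr=0.5)
    fast = counters_fwht(data)
    assert fast == counters_direct(data)
    print("top guesses by |C(k)|   :", sorted(range(16), key=lambda k: -abs(fast[k]))[:4])
```

With `corr=1.0` the right key scores exactly N; with weaker correlation its score is a sample from the distribution the attacker has to model, which is where data complexity and success probability enter. The transform trick only changes how the scores are computed, not their statistics.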
30 sats \ 1 reply \ @Fabs 26 Jan
And what have they achieved with this so far?
With these newly proposed statistical models, we can construct the accurate relation between data complexity and success probability, which gives the chance to make further trade-offs. Based on our statistical models, we can mount 29-round attacks on PRESENT-80 and PRESENT-128 without using the full codebook. Both attacks are the best ones so far. In the future, there are plenty of interesting works. On the one hand, further applications of this technique with our statistical models to other ciphers are encouraged. On the other hand, the statistical behaviors behind this technique when combined with other variants of linear attacks are worth discovering, such as for multidimensional or multivariate linear attacks, or even for linear attacks using (multiple) zero-correlation linear hulls.