Linear Cryptanalysis of Non Binary Ciphers with an Application to SAFER Thomas Baigneres?1, Jacques Stern2, and Serge Vaudenay1 1 EPFL CH-1015 Lausanne – Switzerland , 2 Ecole normale superieure Departement d'Informatique 45, rue d'Ulm 75230 Paris Cedex 05, France Abstract. In this paper we re-visit distinguishing attacks. We show how to generalize the notion of linear distinguisher to arbitrary sets. Our thesis is that our generalization is the most natural one. We compare it with the one by Granboulan et al. from FSE'06 by showing that we can get sharp estimates of the data complexity and cumulate characteristics in linear hulls. As a proof of concept, we propose a better attack on their toy cipher TOY100 than the one that was originally suggested and we propose the best known plaintext attack on SAFER K/SK so far. This provides new directions to block cipher cryptanalysis even in the binary case. On the constructive side, we introduce DEAN18, a toy cipher which encrypts blocks of 18 decimal digits and we study its security. 1 Introduction and Mathematical Background In the digital age, information is always seen as a sequence of bits and, naturally, most practical block ciphers and cryptanalytic tools assume that the text space is made of binary strings.
- group
- ecole normale
- sical linear
- linear distinguisher
- complex-valued functions
- block cipher
- nonzero complex
- normal distribution