Revisiting the Extension of Matsui’s Algorithm 1 to Linear Hulls: Application to TinyJAMBU
Published in | IACR Transactions on Symmetric Cryptology, Vol. 2022, no. 2, pp. 161-200 |
---|---|
Format | Journal Article |
Language | English |
Published | Ruhr-Universität Bochum, 2022-06-10 |
ISSN | 2519-173X |
DOI | 10.46586/tosc.v2022.i2.161-200 |
Abstract | At EUROCRYPT ’93, Matsui introduced linear cryptanalysis. Both Matsui’s Algorithm 1 and 2 use a linear approximation involving certain state bits. Algorithm 2 requires partial encryptions or decryptions to obtain these state bits after guessing extra key bits. For ciphers where only part of the state can be obtained, like some stream ciphers and authenticated encryption schemes, Algorithm 2 will not work efficiently since it is hard to implement partial encryptions or decryptions. In this case, Algorithm 1 is a good choice since it only involves these state bits, and one bit of key information can be recovered using a single linear approximation trail. However, when there are several strong trails containing the same state bits, known as the linear hull effect, recovering key bits with Algorithm 1 is infeasible. To overcome this, Röck and Nyberg extended Matsui’s Algorithm 1 to linear hulls. However, Röck and Nyberg found that their theoretical estimates are quite pessimistic for low success probabilities and too optimistic for high success probabilities. To deal with this, we construct new statistical models where the theoretical success probabilities are in a good accordance with experimental ones, so that we provide the first accurate analysis of the extension of Matsui’s Algorithm 1 to linear hulls. To illustrate the usefulness of our new models, we apply them to one of the ten finalists of the NIST Lightweight Cryptography (LWC) Standardization project: TinyJAMBU. We provide the first cryptanalysis under the nonce-respecting setting on the full TinyJAMBU v1 and the round-reduced TinyJAMBU v2, where partial key bits are recovered. Our results do not violate the security claims made by the designers. |
---|---|
Authors | Li, Muzhou; Mouha, Nicky; Sun, Ling; Wang, Meiqin |
Cited by (Crossref) | 10.1186/s42400-023-00188-3; 10.3390/electronics11244199 |
Open access | Yes |
Peer reviewed | Yes |
Scholarly | Yes |
License | CC BY 4.0 (http://creativecommons.org/licenses/by/4.0) |
Open access link | https://doaj.org/article/639d1b59cdf24c10bf4bd24a39f04233 |
Page count | 40 |
Subjects | Linear Hull; Matsui’s Algorithm 1; TinyJAMBU |