International Association for Cryptologic Research

Crypto 2024

Revisiting Differential-Linear Attacks via a Boomerang Perspective With Application to AES, Ascon, CLEFIA, SKINNY, PRESENT, KNOT, TWINE, WARP, LBlock, Simeck, and SERPENT


Hosein Hadipour
Graz University of Technology

Patrick Derbez
Univ Rennes, Inria, CNRS, IRISA

Maria Eichlseder
Graz University of Technology


Keywords: Differential-linear analysis, DLCT, UDLCT, LDLCT, EDLCT, DDLCT, AES, Ascon, SKINNY, SERPENT, PRESENT, KNOT, WARP, LBlock, Simeck, TWINE


Abstract

In 1994, Langford and Hellman introduced differential-linear (DL) cryptanalysis, with the idea of decomposing the block cipher E into two parts, E_u and E_ℓ, such that E_u exhibits a high-probability differential trail, while E_ℓ has a high-correlation linear trail. Combining these trails forms a distinguisher for E, assuming independence between E_u and E_ℓ. The dependency between the two parts of DL distinguishers remained unaddressed until EUROCRYPT 2019, where Bar-On et al. [3] introduced the DLCT framework, resolving the issue up to one Sbox layer. However, extending the DLCT framework to formalize the dependency between the two parts for multiple rounds remained an open problem. In this paper, we first tackle this problem from the perspective of boomerang analysis. By examining the relationships between DLCT, DDT, and LAT, we introduce a set of new tables facilitating the formulation of dependencies between the two parts of the DL distinguisher across multiple rounds. Then, we introduce a highly versatile and easy-to-use automatic tool for exploring DL distinguishers, inspired by automatic tools for boomerang distinguishers. This tool considers the dependency between differential and linear trails across multiple rounds. We apply our tool to various symmetric-key primitives, and in all applications, we either present the first DL distinguishers or enhance the best-known ones. We achieve successful results against Ascon, AES, SERPENT, PRESENT, SKINNY, TWINE, CLEFIA, WARP, LBlock, Simeck, and KNOT. Furthermore, we demonstrate that, in some cases, DL distinguishers outperform boomerang distinguishers significantly.

Publication

Crypto 2024

Artifact

Artifact number
crypto/2024/a8

Artifact published
August 15, 2024

License
This work is licensed under the MIT License.


How to cite

Hadipour, H., Derbez, P., Eichlseder, M. (2024). Revisiting Differential-Linear Attacks via a Boomerang Perspective With Application to AES, Ascon, CLEFIA, SKINNY, PRESENT, KNOT, TWINE, WARP, LBlock, Simeck, and SERPENT. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – Crypto 2024. Lecture Notes in Computer Science, vol. 14923. Springer, Cham. https://doi.org/10.1007/978-3-031-68385-5_2. Artifact available at https://artifacts.iacr.org/crypto/2024/a8