Estimating Resistance against Multidimensional Linear Attacks: An Application on DEAN

摘要

In this paper, we investigate an algorithm which can be used to compute improved estimates of squared correlations of linear approximations over key-alternating block ciphers. The algorithm was previously used by Cho to compute estimates of expected squared correlations and capacities of multidimensional linear approximations of PRESENT. The goal of this paper is to investigate the applicability and usefulness of this algorithm for a nonbinary AES-like symmetric key-alternating block cipher DEAN designed by Baigneres et al. who estimated that the best LLR-based distinguisher will require the full code book of about 260 known plaintext blocks to succeed over four rounds of DEAN. We give evidence that there is an LLR-based multidimensional linear distinguisher with estimated data complexity 2~(50) over six rounds of DEAN. Turning this to a (partial) key-recovery attack over the full eight-round DEAN is likely to succeed.