Multidimensional linear cryptanalysis with key difference invariant bias for block ciphers

For block ciphers, Bogdanov et al. found that there are some linear approximations satisfying that their biases are deterministically invariant under key difference. This property is called key difference invariant bias. Based on this property, Bogdanov et al. proposed a related-key statistical distinguisher and turned it into key-recovery attacks on LBlock and TWINE-128. In this paper, we propose a new related-key model by combining multidimensional linear cryptanalysis with key difference invariant bias. The main theoretical advantage is that our new model does not depend on statistical independence of linear approximations. We demonstrate our cryptanalysis technique by performing key recovery attacks on LBlock and TWINE-128. By using the relations of the involved round keys to reduce the number of guessed subkey bits. Moreover, the partial-compression technique is used to reduce the time complexity. We can recover the master key of LBlock up to 25 rounds with about 2(60.4) distinct known plaintexts, 2(78.85) time complexity and 2(61) bytes of memory requirements. Our attack can recover the master key of TWINE-128 up to 28 rounds with about 2(61.5) distinct known plaintexts, 2(126.15) time complexity and 2(61) bytes of memory requirements. The results are the currently best ones on cryptanalysis of LBlock and TWINE-128.