The Key-Dependent Capacity in Multidimensional Linear Cryptanalysis

The capacity is an important parameter in multidimensional linear attack. In this paper, we firstly explore the distribution of the key-dependent capacity. Based on the magnitude of the correlation contributions, we divide the linear approximations subspace into two sets: one set consists of the strong linear approximations, and the other set consists of the weak linear approximations. We construct two statistics using the linear approximations in the two sets, respectively. Under reasonable assumptions, both of the two statistics follow Gamma distribution. Thus, the capacity is the sum of two statistics that follow Gamma distribution. Secondly, the accuracy of the model is verified by experiments on SMALLPRESENT[4]. Our experimental results show that this model can estimate the variance of the key-dependent capacity more accurately. Thus, we obtain more precise knowledge of the data complexity of the multidimensional linear attack. We derive the upper bound of the data complexity for multidimensional linear attack. Finally, based on our theoretical results, we explore the data complexity of Cho's multidimensional linear attack on PRESENT. Our results are the smallest data complexity for the same round attack so far.