Linear cryptanalysis is considered to be one of the strongest techniques in the cryptanalyst’s arsenal. In most cases, Matsui’s Algorithm 2 is used for the key recovery part of the attack. The success rate analysis of this algorithm is based on an assumption regarding the bias of a linear approximation for a wrong key, known as the wrong-key-randomization hypothesis. This hypothesis was refined by Bogdanov and Tischhauser to take into account the stochastic nature of the bias for a wrong key. We provide further refinements to the analysis of Matsui’s Algorithm 2 by considering sampling without replacement. This paper derives the distribution of the observed bias for wrong keys when sampling is done without replacement and shows that less data are required in this scenario. It also develops formulas for the success probability and the required data complexity when this approach is taken. The formulas predict that the success probability may reach a peak and then decrease as more pairs are considered. We provide a new explanation for this behavior and derive the conditions for encountering it. We empirically verify our results and compare them to previous work.

中文翻译：

---

重新审视错误密钥随机化假设

线性密码分析被认为是密码分析者的武器库中最强大的技术之一。大多数情况下，Matsui 的算法 2 用于攻击的密钥恢复部分。该算法的成功率分析基于关于错误密钥的线性近似偏差的假设，称为错误密钥随机化假设。Bogdanov 和 Tischhauser 改进了这个假设，以考虑到错误键的偏差的随机性。我们通过考虑无替换采样，对 Matsui 算法 2 的分析进行了进一步的改进。本文推导出了在没有替换的情况下进行采样时错误键的观察偏差分布，并表明在这种情况下需要的数据较少。它还为采用这种方法时的成功概率和所需的数据复杂性开发了公式。这些公式预测成功概率可能会达到峰值，然后随着考虑更多对而降低。我们为这种行为提供了新的解释，并推导出遇到它的条件。我们凭经验验证我们的结果并将它们与以前的工作进行比较。