Abstract
Linear cryptanalysis is considered to be one of the strongest techniques in the cryptanalyst’s arsenal. In most cases, Matsui’s Algorithm 2 is used for the key recovery part of the attack. The success rate analysis of this algorithm is based on an assumption regarding the bias of a linear approximation for a wrong key, known as the wrong-key-randomization hypothesis. This hypothesis was refined by Bogdanov and Tischhauser to take into account the stochastic nature of the bias for a wrong key. We provide further refinements to the analysis of Matsui’s Algorithm 2 by considering sampling without replacement. This paper derives the distribution of the observed bias for wrong keys when sampling is done without replacement and shows that less data are required in this scenario. It also develops formulas for the success probability and the required data complexity when this approach is taken. The formulas predict that the success probability may reach a peak and then decrease as more pairs are considered. We provide a new explanation for this behavior and derive the conditions for encountering it. We empirically verify our results and compare them to previous work.
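The following simulation is an added illustration of the sampling effect the abstract describes; it is not code from the paper. For one fixed (wrong) key guess, the parity of the linear approximation over the whole codebook is a fixed 0/1 table of length \(2^n\) containing \(K\) ones, so the true bias is \(K/2^n - 1/2\). The number of ones among \(N\) observed pairs is binomial when pairs are drawn with replacement and hypergeometric when they are drawn without replacement; the latter carries the finite-population correction \((2^n - N)/(2^n - 1)\), which is the textbook reason the observed wrong-key bias has smaller variance without replacement. The parity table, the block size and the bias value are constructed here; the function names are my own.

```python
"""Sampling variance of the observed bias of a linear approximation when the
N plaintext/ciphertext pairs are drawn with versus without replacement.
Added example (not the paper's code); the parity table is constructed."""
import random


def population_from_bias(n: int, eps: float, seed: int = 1) -> list:
    """Constructed codebook parity table of length 2^n with round((1/2+eps)*2^n) ones."""
    size = 1 << n
    ones = round((0.5 + eps) * size)
    table = [1] * ones + [0] * (size - ones)
    random.Random(seed).shuffle(table)
    return table


def true_bias(table: list) -> float:
    """Bias of the approximation over the full codebook."""
    return sum(table) / len(table) - 0.5


def observed_bias(table: list, N: int, replace: bool, rng=None) -> float:
    """Bias estimated from N sampled pairs (indices into the codebook table)."""
    if rng is None:
        rng = random.Random()
    size = len(table)
    if replace:
        idx = [rng.randrange(size) for _ in range(N)]          # binomial count of ones
    else:
        idx = rng.sample(range(size), N)                        # hypergeometric count of ones
    return sum(table[i] for i in idx) / N - 0.5


def fpc(n: int, N: int) -> float:
    """Finite-population correction (2^n - N)/(2^n - 1) of the hypergeometric variance."""
    size = 1 << n
    return (size - N) / (size - 1)


def theoretical_bias_variance(n: int, eps: float, N: int, replace: bool) -> float:
    """Exact variance of the observed bias for a fixed parity table."""
    size = 1 << n
    p = round((0.5 + eps) * size) / size
    var_count = N * p * (1 - p)
    if not replace:
        var_count *= fpc(n, N)
    return var_count / N ** 2


def empirical_bias_variance(table: list, N: int, replace: bool,
                            trials: int = 2000, seed: int = 7) -> float:
    """Sample variance of the observed bias over repeated, independently drawn samples."""
    rng = random.Random(seed)
    xs = [observed_bias(table, N, replace, rng) for _ in range(trials)]
    m = sum(xs) / trials
    return sum((x - m) ** 2 for x in xs) / (trials - 1)


if __name__ == "__main__":
    n, eps, N = 10, 2 ** -5, 512           # constructed toy parameters
    table = population_from_bias(n, eps)
    print(f"true bias {true_bias(table):+.5f}, fpc(n, N) = {fpc(n, N):.4f}")
    for replace in (True, False):
        print(f"replace={replace!s:5}  theory {theoretical_bias_variance(n, eps, N, replace):.3e}"
              f"  empirical {empirical_bias_variance(table, N, replace):.3e}")
    # With the whole codebook sampled without replacement the estimate is exact.
    print("full codebook:", observed_bias(table, 1 << n, False) == true_bias(table))
```

The two variances differ by exactly the correction factor, which shrinks to zero as \(N\) approaches \(2^n\): sampling the whole codebook without replacement recovers the true bias with no estimation error, whereas with replacement the noise never vanishes. The paper's analysis adds a second source of randomness, the key-dependent bias itself, on top of this sampling noise; that part is not modelled here.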
Notes
Note that, by the coupon collector’s problem, it is likely that every plaintext/ciphertext pair has been sampled at least once when \(N > n2^n\) for sampling with replacement.
This follows from the observation that \(\varvec{X} - \varvec{\mu }\sim {\mathcal {N}}\left( 0, \sigma _1^2\right) \) is independent of \(\varvec{\mu }\).
In the non-monotonic case, their algorithm returns the lowest data complexity corresponding to the given success probability.
More precisely, the continuity correction in Lemma 5 is non-negligible.
References
M.A. Abdelraheem, M. Ågren, P. Beelen, G. Leander, On the Distribution of Linear Biases: Three Instructive Examples (Springer, Berlin, 2012), pp. 50–67. https://doi.org/10.1007/978-3-642-32009-5_4
R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, L. Wingers, The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). https://eprint.iacr.org/2013/404
A. Biryukov, C.D. Cannière, M. Quisquater, On multiple linear approximations, in M.K. Franklin, editor, Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3152 (Springer, 2004), pp. 1–22. https://doi.org/10.1007/978-3-540-28628-8_1
C. Blondeau, B. Gérard, J. Tillich, Accurate estimates of the data complexity and success probability for various cryptanalyses. Des. Codes Cryptogr. 59(1-3), 3–34 (2011). https://doi.org/10.1007/s10623-010-9452-2
C. Blondeau, K. Nyberg, Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Cryptogr. 82(1), 319–349 (2017). https://doi.org/10.1007/s10623-016-0268-6
A. Bogdanov, E.B. Kavun, E. Tischhauser, T. Yalçin, Large-scale high-resolution computational validation of novel complexity models in linear cryptanalysis. J. Comput. Appl. Math. 259, 592–598 (2014). https://doi.org/10.1016/j.cam.2013.10.020
A. Bogdanov, V. Rijmen, Zero-correlation linear cryptanalysis of block ciphers. IACR Cryptology ePrint Archive 2011, 123 (2011). http://eprint.iacr.org/2011/123
A. Bogdanov, V. Rijmen, Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 70(3), 369–383 (2014). https://doi.org/10.1007/s10623-012-9697-z
A. Bogdanov, E. Tischhauser, On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2, in S. Moriai, editor, Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8424 (Springer, 2013), pp. 19–38. https://doi.org/10.1007/978-3-662-43933-3_2
A. Bogdanov, E. Tischhauser, P.S. Vejre, Multivariate linear cryptanalysis: the past and future of PRESENT. IACR Cryptology ePrint Archive 2016, 667 (2016). http://eprint.iacr.org/2016/667
J. Daemen, V. Rijmen, Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007). https://doi.org/10.1515/JMC.2007.011
W. Feller, An Introduction to Probability Theory and Its Applications, vol. 1 (Wiley, 1967), exercise 10
K. Fu, M. Wang, Y. Guo, S. Sun, L. Hu, MILP-based automatic search algorithms for differential and linear trails for SPECK, in International Conference on Fast Software Encryption, FSE 2016 (Springer, 2016), pp. 268–288
C. Harpes, G.G. Kramer, J.L. Massey, A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma, in Advances in Cryptology—EUROCRYPT ’95, International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 21–25, 1995, Proceedings. Lecture Notes in Computer Science, vol. 921 (Springer, 1995), pp. 24–38
C. Harpes, J.L. Massey, Partitioning cryptanalysis, in E. Biham, editor, Fast Software Encryption, 4th International Workshop, FSE ’97, Haifa, Israel, January 20–22, 1997, Proceedings. Lecture Notes in Computer Science, vol. 1267 (Springer, 1997), pp. 13–27. https://doi.org/10.1007/BFb0052331
M. Hermelin, J.Y. Cho, K. Nyberg, Multidimensional linear cryptanalysis of reduced-round Serpent, in Y. Mu, W. Susilo, J. Seberry, editors, Information Security and Privacy, 13th Australasian Conference, ACISP 2008, Wollongong, Australia, July 7–9, 2008, Proceedings. Lecture Notes in Computer Science, vol. 5107 (Springer, 2008), pp. 203–215. https://doi.org/10.1007/978-3-540-70500-0_15
P. Junod, S. Vaudenay, Optimal key ranking procedures in a statistical cryptanalysis, in T. Johansson, editor, Fast Software Encryption, 10th International Workshop, FSE 2003, Lund, Sweden, February 24–26, 2003, Revised Papers. Lecture Notes in Computer Science, vol. 2887 (Springer, 2003), pp. 235–246. https://doi.org/10.1007/978-3-540-39887-5_18
Z. Liu, Y. Li, M. Wang, The security of SIMON-like ciphers against linear cryptanalysis. Cryptology ePrint Archive, Report 2017/576 (2017). https://eprint.iacr.org/2017/576
M. Matsui, Linear cryptanalysis method for DES cipher, in T. Helleseth, editor, Advances in Cryptology—EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 23–27, 1993, Proceedings. Lecture Notes in Computer Science, vol. 765 (Springer, 1993), pp. 386–397. https://doi.org/10.1007/3-540-48285-7_33
W. Molenaar, Approximations to the Poisson, Binomial and Hypergeometric Distribution Functions. Ph.D. thesis, Mathematisch Centrum Amsterdam (1970)
K. Nyberg, Linear approximation of block ciphers, in A.D. Santis, editor, Advances in Cryptology—EUROCRYPT ’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9–12, 1994, Proceedings. Lecture Notes in Computer Science, vol. 950 (Springer, 1994), pp. 439–444. https://doi.org/10.1007/BFb0053460
M.A. Pinsky, The normal approximation to the hypergeometric distribution. Unpublished manuscript. https://www.dartmouth.edu/~chance/teaching_aids/books_articles/probability_book/pinsky-hypergeometric.pdf
A.A. Selçuk, On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008). https://doi.org/10.1007/s00145-007-9013-7
Acknowledgements
Tomer Ashur is an FWO postdoctoral fellow under Grant No. 12ZH420N. Tim Beyne is supported by a PhD Fellowship from the Research Foundation—Flanders (FWO).
Additional information
Communicated by Kenneth G. Paterson.
Appendices
Alternative Derivation of Lemma 4
In this section, the exact values of the mean and variance of \(\varvec{T}_\mathrm{w}\) are computed. This leads to an alternative derivation of Lemma 4. The first two central moments of \(\varvec{R} = 2^n(\varvec{\epsilon }_\mathrm{w} + 1/2)\) are given by
Hence, the expected value of \(\varvec{T}_\mathrm{w}\) is given by
For the variance of \(\varvec{T}_\mathrm{w}\), we have
If n is sufficiently large, it is reasonable to assume that \(2^{2n - 2} - 2^{n-2} \approx 2^{2n - 2}\). This gives
Assuming that the distribution of \(\varvec{T}_\mathrm{w}\) can be approximated using a normal distribution, we also obtain Lemma 4.
Data Complexity
This section provides the calculations in the proof of Theorem 3. The objective is to solve the equation
Letting \(\alpha = \varPhi ^{-1}(1 - 2^{-a-1})\) and \(\beta = \varPhi ^{-1}(P_\mathrm{S})\), and squaring yields
Grouping terms appropriately, we obtain
This equation is quadratic in \(\sqrt{N}\) and has the solutions
Maximum of \(P_\mathrm{S}(N)\)
In the proof of Corollary 1, it is mentioned that the maximum is obtained by solving
Note that
such that we obtain the equivalent equation
This is readily simplified to
and further
Finally, we obtain the result:
Cite this article
Ashur, T., Beyne, T. & Rijmen, V. Revisiting the Wrong-Key-Randomization Hypothesis. J Cryptol 33, 567–594 (2020). https://doi.org/10.1007/s00145-020-09343-2