Revisiting the Wrong-Key-Randomization Hypothesis

Abstract

Linear cryptanalysis is considered to be one of the strongest techniques in the cryptanalyst’s arsenal. In most cases, Matsui’s Algorithm 2 is used for the key recovery part of the attack. The success rate analysis of this algorithm is based on an assumption regarding the bias of a linear approximation for a wrong key, known as the wrong-key-randomization hypothesis. This hypothesis was refined by Bogdanov and Tischhauser to take into account the stochastic nature of the bias for a wrong key. We provide further refinements to the analysis of Matsui’s Algorithm 2 by considering sampling without replacement. This paper derives the distribution of the observed bias for wrong keys when sampling is done without replacement and shows that less data are required in this scenario. It also develops formulas for the success probability and the required data complexity when this approach is taken. The formulas predict that the success probability may reach a peak and then decrease as more pairs are considered. We provide a new explanation for this behavior and derive the conditions for encountering it. We empirically verify our results and compare them to previous work.

Appendices

Alternative Derivation of Lemma 4

In this section, the exact values of the mean and variance of \(\varvec{T}_\mathrm{w}\) are computed. This leads to an alternative derivation of Lemma 4. The first two central moments of \(\varvec{R} = 2^n(\varvec{\epsilon }_\mathrm{w} + 1/2)\) are given by

$$\begin{aligned}&{\mathsf {E}}\left[ \varvec{R}\right] = 2^{n - 1} \\&\mathsf {Var}\left[ \varvec{R}\right] = 2^{2n}\mathsf {Var}\left[ {\hat{\epsilon }}_\mathrm{w} + 1/2\right] = 2^{n - 2}. \end{aligned}$$

Hence, the expected value of \(\varvec{T}_\mathrm{w}\) is given by

$$\begin{aligned} {\mathsf {E}}\left[ \varvec{T}_\mathrm{w}\right] = {\mathsf {E}}\left[ {\mathsf {E}}\left[ \varvec{T}_\mathrm{w}~|~\varvec{R}\right] \right] = {\mathsf {E}}\left[ N \varvec{R}\,2^{-n}\right] = N/2. \end{aligned}$$

For the variance of \(T_\mathrm{w}\), we have

$$\begin{aligned} \mathsf {Var}\left[ \varvec{T}_\mathrm{w}\right]&= {\mathsf {E}}\left[ \mathsf {Var}\left[ \varvec{T}_\mathrm{w}~|~\varvec{R}\right] \right] + \mathsf {Var}\left[ {\mathsf {E}}\left[ \varvec{T}_\mathrm{w}~|~\varvec{R}\right] \right] \nonumber \\&= {\mathsf {E}}\left[ N \frac{\varvec{R}}{2^n} \frac{2^n - \varvec{R}}{2^n} \frac{2^n - N}{2^n - 1}\right] + \mathsf {Var}\left[ N \frac{\varvec{R}}{2^n}\right] \nonumber \\&= \frac{N(2^n - N)}{2^{2n}(2^n - 1)}{\mathsf {E}}\left[ \varvec{R}(2^n - \varvec{R})\right] + \mathsf {Var}\left[ N \frac{\varvec{R}}{2^n}\right] \nonumber \\&= \frac{N(2^n - N)}{2^{2n}(2^n - 1)}\left( 2^n{\mathsf {E}}\left[ \varvec{R}\right] - {\mathsf {E}}\left[ \varvec{R}^2\right] \right) + \frac{N^2}{2^{2n}}\mathsf {Var}\left[ R\right] \nonumber \\&= \frac{N(2^n - N)}{2^{2n}(2^n - 1)}\left( 2^n{\mathsf {E}}\left[ \varvec{R}\right] - \mathsf {Var}\left[ \varvec{R}\right] - {\mathsf {E}}\left[ \varvec{R}\right] ^2\right) + \frac{N^2}{2^{2n}}\mathsf {Var}\left[ \varvec{R}\right] \nonumber \\&= \frac{N(2^n - N)}{2^{2n}(2^n - 1)}\left( 2^{2n - 2} - 2^{n-2}\right) + \frac{N^2}{2^{n + 2}}. \end{aligned}$$

If n is sufficiently large, it is reasonable to assume that \(2^{2n - 2} - 2^{n-2} \approx 2^{2n - 2}\). This gives

$$\begin{aligned} \mathsf {Var}\left[ \varvec{T}_\mathrm{w}\right] \approx \frac{N(2^n - N)}{2^{n + 2} - 1/4} + \frac{N^2}{2^{n + 2}} \approx \frac{N}{4}. \end{aligned}$$

Assuming that the distribution of \(\varvec{T}_\mathrm{w}\) can be approximated using a normal distribution, we also obtain Lemma 4.

Data Complexity

This section provides the calculations in the proof of Theorem 3. The objective is to solve the equation

$$\begin{aligned} \varPhi ^{-1}(P_\mathrm{S})\sqrt{1 - \frac{N}{2^n}} = 2\sqrt{N}|\epsilon _0| - \alpha . \end{aligned}$$

Letting \(\alpha = \varPhi ^{-1}(1 - 2^{-a-1})\) and \(\beta = \varPhi ^{-1}(P_\mathrm{S})\), and squaring yields

$$\begin{aligned} \beta ^2\left( 1 - 2^{-n}N\right) = 4N|\epsilon _0|^2 - 4\sqrt{N}|\epsilon _0|\alpha + \alpha ^2. \end{aligned}$$

Grouping terms appropriately, we obtain

$$\begin{aligned} (4|\epsilon _0|^2 + 2^{-n}\beta ^2)N - 4\sqrt{N}|\epsilon _0|\alpha + \alpha ^2 - \beta ^2 = 0. \end{aligned}$$

This equation is quadratic in \(\sqrt{N}\) and has the solutions

$$\begin{aligned} \sqrt{N}&= \frac{2|\epsilon _0|\alpha \pm \sqrt{(2\epsilon _0\alpha )^2 - (\alpha ^2 - \beta ^2)(2^{-n}\beta ^2 + 4|\epsilon _0|^2)}}{4|\epsilon _0|^2 + 2^{-n}\beta ^2}. \end{aligned}$$

Maximum of \({\varvec{P}}_\mathbf{S}({\varvec{N}})\)

In the proof of Corollary 1, it is mentioned that the maximum is obtained by solving

$$\begin{aligned} \frac{\mathrm{d}}{\mathrm{d}N}\left( \frac{2\sqrt{N}|\epsilon _0| - \varPhi ^{-1}(1 - 2^{-a-1})}{\sqrt{1 - \frac{N}{2^n}}}\right) = 0. \end{aligned}$$

Note that

$$\begin{aligned} \frac{\mathrm{d}}{\mathrm{d}N}\left( \frac{1}{\sqrt{1 - \frac{N}{2^n}}}\right) = \frac{1}{2^{n + 1}\sqrt{\left( 1 - \frac{N}{2^n}\right) ^3}}, \end{aligned}$$

such that we obtain the equivalent equation

$$\begin{aligned} \frac{|\epsilon _0|}{\sqrt{N\left( 1 - \frac{N}{2^n}\right) }} = \frac{\varPhi ^{-1}(1 - 2^{-a-1}) - 2\sqrt{N}|\epsilon _0|}{2^{n + 1} \sqrt{\left( 1 - \frac{N}{2^n}\right) ^3}}. \end{aligned}$$

This is readily simplified to

$$\begin{aligned} |\epsilon _0|\left( 1 - \frac{N}{2^n}\right) = \sqrt{N}2^{-n-1}\varPhi ^{-1}(1 - 2^{-a-1}) - 2^{-n}N|\epsilon _0|, \end{aligned}$$

and further

$$\begin{aligned} |\epsilon _0| = \sqrt{N}2^{-n-1}\varPhi ^{-1}(1 - 2^{-a-1}). \end{aligned}$$

Finally, we obtain the result:

$$\begin{aligned} N = \left( \frac{|\epsilon _0|2^{n + 1}}{\varPhi ^{-1}(1 - 2^{-a-1})}\right) ^2. \end{aligned}$$