Abstract
The log-likelihood ratio (LLR) and the chi-squared distribution based test statistics have been proposed in the literature for performing statistical analysis of key recovery attacks on block ciphers. A limitation of the LLR test statistic is that its application requires the full knowledge of the corresponding distribution. Previous work using the chi-squared approach required approximating the distribution of the relevant test statistic by chi-squared and normal distributions. Problematic issues regarding such approximations have been reported in the literature. Perhaps more importantly, both the LLR and the chi-squared based methods are applicable only if the success probability \(P_S\) is greater than 0.5. On the other hand, an attack with success probability less than 0.5 is also of considerable interest. This work proposes a new test statistic for key recovery attacks which has the following features. Its application does not require the full knowledge of the underlying distribution; it is possible to carry out an analysis using this test statistic without using any approximations; the method applies for all values of the success probability. The statistical analysis of the new test statistic follows the hypothesis testing framework and uses Hoeffding’s inequalities to bound the probabilities of Type-I and Type-II errors.
References
Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_31
Baignères, T., Sepehrdad, P., Vaudenay, S.: Distinguishing distributions using chernoff information. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 144–165. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16280-0_10
Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_1
Blondeau, C., Gérard, B., Nyberg, K.: Multiple differential cryptanalysis using LLR and \(\chi^2\) statistics. In: Visconti, I., Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 343–360. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32928-9_19
Blondeau, C., Nyberg, K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Crypt. 1–31 (2016). doi:10.1007/s10623-016-0268-6, ISSN: 1573-7586
Bogdanov, A., Tischhauser, E.: On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 19–38. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_2
Collard, B., Standaert, F.-X., Quisquater, J.-J.: (2008). http://www.dice.ucl.ac.be/fstandae/PUBLIS/50b.zip. Accessed 30 July 2014
Collard, B., Standaert, F.-X., Quisquater, J.-J.: Experiments on the multiple linear cryptanalysis of reduced round serpent. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 382–397. Springer, Heidelberg (2008). doi:10.1007/978-3-540-71039-4_24
Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Crypt. JMC 1(3), 221–242 (2007)
Gérard, B., Tillich, J.-P.: On linear cryptanalysis with many linear approximations. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 112–132. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_8
Handschuh, H., Gilbert, H.: \(\chi ^2\) cryptanalysis of the SEAL encryption algorithm. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 1–12. Springer, Heidelberg (1997). doi:10.1007/BFb0052330
Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995). doi:10.1007/3-540-49264-X_3
Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional linear cryptanalysis of reduced round serpent. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 203–215. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70500-0_15
Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_13
Hermelin, M., Cho, J.Y., Nyberg, K.: Statistical tests for key recovery using multidimensional extension of Matsui’s Algorithm 1. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography, number 09031 in Dagstuhl Seminar Proceedings, Dagstuhl, Germany. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2009). http://drops.dagstuhl.de/opus/volltexte/2009/1954, ISSN: 1862–4405
Johansson, T., Maximov, A.: A linear distinguishing attack on scream. In: Proceedings 2003 IEEE International Symposium on Information Theory, p. 164. IEEE (2003)
Junod, P.: On the complexity of Matsui’s attack. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 199–211. Springer, Heidelberg (2001). doi:10.1007/3-540-45537-X_16
Junod, P.: On the Optimality of linear, differential, and sequential distinguishers. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 17–32. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_2
Junod, P., Vaudenay, S.: Optimal key ranking procedures in a statistical cryptanalysis. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 235–246. Springer, Heidelberg (2003). doi:10.1007/978-3-540-39887-5_18
Kaliski, B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_4
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_33
Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_1
Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)
Murphy, S.: The independence of linear approximations in symmetric cryptanalysis. IEEE Trans. Inform. Theory 52(12), 5510–5518 (2006)
Nyberg, K., Hermelin, M.: Multidimensional walsh transform and a characterization of bent functions. In: Proceedings of the 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks, pp. 83–86 (2007)
Samajder, S., Sarkar, P.: Rigorous upper bounds on data complexities of block cipher cryptanalysis. IACR Cryptology ePrint Archive, 2015:916 (2015). http://eprint.iacr.org/2015/916
Samajder, S., Sarkar, P.: Another Look at Normal Approximations in Cryptanalysis. J. Math. Crypt. (2016). doi:10.1515/jmc-2016-0006
Samajder, S., Sarkar, P.: Can large deviation theory be used for estimating data complexity? Cryptology ePrint Archive, Report 2016/465 (2016). http://eprint.iacr.org/
Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)
Appendices
A Hoeffding Inequality
We briefly recall Hoeffding’s inequality for a sum of independent bounded random variables. The result can be found in standard texts such as [23].
Theorem 1
(Hoeffding Inequality). Let \(X_{1}, X_{2}, \ldots , X_{\lambda }\) be a finite sequence of independent random variables such that for all \(i = 1, \ldots , \lambda \) there exist real numbers \(a_{i}, b_{i} \in \mathbb {R}\) with \(a_{i} < b_{i}\) and \(a_{i} \le X_{i} \le b_{i}\). Let \(X = \sum _{i = 1}^{\lambda } X_{i}\). Then for any \(t > 0\),
where \(D_{\lambda } = \sum _{i = 1}^{\lambda } (b_{i} - a_{i})^{2}\).
B Proof of Proposition 1
We provide the proof for the case \(\mu _{0} > \mu _{1}\); the other case is similar. Recall that \(\underline{X}_{\kappa , 1}^{d}, \ldots , \underline{X}_{\kappa , N}^{d}\) are N independent and identically distributed random variables such that for all \(j = 1, \ldots , N\)
Let \(\upsilon = \upsilon _{\max } - \upsilon _{\min } = (2^{\ell } - 1)^{d}\). Thus the Hoeffding bound (see Sect. A) can be applied to the sum of independent and identically distributed random variables \(T_{\kappa } = \sum _{j = 1}^{N} \underline{X}^{d}_{\kappa , j}\), with \(D_{N} = N\upsilon ^{2}\).
The probabilities of Type-I and Type-II errors are then given by
Let
Then, using the fact that \(\mu _{1}< t < \mu _{0}\), we get
Eliminating t from the above two equations and using the expressions for \(\mu _0\), \(\mu _1\) and \(\upsilon \), we get the expression given by the right hand side of (9). For any N greater than this value, the probabilities of Type-I and Type-II errors will be at most \(\alpha \) and \(\beta \) respectively. \(\square \)
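The displayed equations of this proof are not present on this page. The following is an added reconstruction of the elimination of t, not the paper's own text, carried through with the symbols of the proof under three stated assumptions: the standard one-sided form of Theorem 1, \(\Pr[X - \mathbb{E}[X] \ge s] \le \exp(-2s^{2}/D_{\lambda})\) (and likewise for a deviation of \(-s\)); the decision rule that accepts \(\kappa\) as the correct key iff \(T_{\kappa} \ge Nt\) for a threshold with \(\mu_1 < t < \mu_0\); and \(\mu_0 - \mu_1 = \sum_{\eta} \underline{\eta}^{d} \epsilon_{\eta}\), which is the form the limiting argument of Appendix C relies on.

```latex
% Hoeffding (Theorem 1) applied to T_\kappa with D_N = N\upsilon^2 and
% deviation s = N(\mu_0 - t) under the correct key, s = N(t - \mu_1) under a wrong key:
\Pr[\text{Type-I}] = \Pr[T_\kappa < Nt \mid \text{correct key}]
  \le \exp\!\left(-\frac{2N^2(\mu_0 - t)^2}{N\upsilon^2}\right)
  = \exp\!\left(-\frac{2N(\mu_0 - t)^2}{\upsilon^2}\right),
\qquad
\Pr[\text{Type-II}] = \Pr[T_\kappa \ge Nt \mid \text{wrong key}]
  \le \exp\!\left(-\frac{2N(t - \mu_1)^2}{\upsilon^2}\right).
% Setting the two bounds equal to \alpha and \beta and solving for the distances to t:
\mu_0 - t = \upsilon\sqrt{\frac{\ln(1/\alpha)}{2N}},
\qquad
t - \mu_1 = \upsilon\sqrt{\frac{\ln(1/\beta)}{2N}}.
% Adding the two equations eliminates t:
\mu_0 - \mu_1 = \frac{\upsilon}{\sqrt{2N}}\left(\sqrt{\ln(1/\alpha)} + \sqrt{\ln(1/\beta)}\right).
% Substituting \upsilon = (2^\ell - 1)^d and \mu_0 - \mu_1 = \sum_\eta \underline{\eta}^d \epsilon_\eta
% and solving for N:
N = \frac{(2^\ell - 1)^{2d}\left(\sqrt{\ln(1/\alpha)} + \sqrt{\ln(1/\beta)}\right)^2}
         {2\left(\sum_{\eta \in \{0,1\}^\ell} \underline{\eta}^d \epsilon_\eta\right)^2}.
% Both exponential bounds decrease in N, so any larger N also gives errors at most \alpha and \beta.
```

The expression has the limiting behaviour described in Appendix C: the numerator tends to a constant as \(d \rightarrow 0\), while the denominator depends only on the weighted sum of the biases \(\epsilon_{\eta}\).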
C Choice of d
There are two factors that need to be kept in mind while choosing an appropriate value of d.
1. The value of d has an effect on the data complexity. So, one should try to choose a value of d which minimises the data complexity.
2. For the chosen value of d, it should be possible to obtain an estimate of \(\mu_0\) through the analysis of the block cipher.
Regarding the first point, there does not seem to be a way to formally prove that one particular value of d will minimise the data complexity. Instead, we provide intuitive explanations and experimental evidence.
The statistic is \(T_{\kappa}=\sum_{j=1}^N\underline{X}_{\kappa,j}^d\). At \(d=0\) (with the convention \(0^0=1\)) every term equals 1, so \(T_{\kappa}=N\) carries no information about \(\kappa\) and the data complexity is infinite. For small positive d the statistic is almost as uninformative: \(\underline{\eta}^d\rightarrow 1\) for every \(\eta\ne 0\), while \(\underline{\eta}^d=0\) for \(\eta=0\), so \(T_{\kappa}\) approaches N minus the number of j with \(\underline{X}_{\kappa,j}=0\). Further, \((2^{\ell}-1)^d\rightarrow 1\). So the numerator of the data complexity expression given by (9) goes to a constant and the denominator goes to \((\sum_{\eta\ne 0}\epsilon_{\eta})^2=\epsilon_0^2\), since by definition \(\sum_{\eta\in\{0,1\}^{\ell}}\epsilon_{\eta}=0\): only the bias of the all-zero string is used and the other \(2^{\ell}-1\) biases are wasted. So, as \(d\rightarrow 0\), the data complexity given by (9) becomes large. Experiments confirm this behaviour.
Based on the above, we do not consider values of \(d<1\). For values of \(d=1,\ldots ,100\), we have run experiments with the known linear approximations of SERPENT and have observed that the minimum data complexity is attained for \(d=1\) and \(d=2\). The values are shown in Table 3. To decide between these two values, we consider the second point mentioned above. Intuitively, it is easier to obtain the value of \(\mu _0\) for \(d=1\) than for \(d=2\). So, we suggest using \(d=1\) for defining the test statistic \(T_{\kappa }\).
Negative Values of d: Most of the theory that has been developed also works for negative values of d. The only problem is that for \(\underline{\eta}=0\), the value of \(\underline{\eta}^d\) is undefined. This defect can be rectified by defining \(T_{\kappa}\) to be \(\sum_{j=1}^N(1+\underline{X}_{\kappa,j})^d\). Working out the details of this test statistic leads to \(\upsilon=|2^{\ell d}-1|\) and \(|\mu_0-\mu_1|=|\sum_{\eta\in\{0,1\}^{\ell}}(1+\underline{\eta})^d\epsilon_{\eta}|\). Replacing d by \(-d\) (for \(d>0\)) multiplies \(\upsilon\) by \(2^{-\ell d}\), since \(1-2^{-\ell d}=2^{-\ell d}(2^{\ell d}-1)\), and turns the weights \((1+\underline{\eta})^d\) into \(2^{-\ell d}(2^{\ell}/(1+\underline{\eta}))^d\). The common factor \(2^{-\ell d}\) cancels in the ratio \(\upsilon^2/(\mu_0-\mu_1)^2\) that determines the data complexity, so the comparison between d and \(-d\) comes down to comparing \(|\sum_{\eta}(1+\underline{\eta})^d\epsilon_{\eta}|\) with \(|\sum_{\eta}(2^{\ell}/(1+\underline{\eta}))^d\epsilon_{\eta}|\): a negative d simply gives the large weights to the strings \(\eta\) of small integer value instead of large integer value. For \(d>0\) we take the former sum to be the larger, so that the data complexity with d is lower than with \(-d\); since the \(\epsilon_{\eta}\) sum to zero, which of the two sums is larger depends on the signs of the \(\epsilon_{\eta}\), and it should be checked for the approximations at hand. For this reason, we have not considered negative values of d.
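The scan over d described above, and the comparison between d and \(-d\) for the shifted statistic, as an added Python example (not code from the paper). It assumes the Hoeffding-based data complexity \(N=\upsilon^2(\sqrt{\ln(1/\alpha)}+\sqrt{\ln(1/\beta)})^2/(2(\mu_0-\mu_1)^2)\) obtained from the two one-sided bounds of Appendix A, \(\mu_0-\mu_1=\sum_{\eta}\underline{\eta}^d\epsilon_{\eta}\), and a constructed bias vector: the \(\ell\) approximations are modelled as independent, approximation i holding with probability \(1/2+b_i\); the bias values, \(\ell=3\) and \(\alpha=\beta=0.05\) are illustrative, not the SERPENT figures of Table 3.

```python
"""Data complexity of T_kappa = sum_j X_{kappa,j}^d as a function of d,
under the Hoeffding bound, for a constructed bias vector eps_eta."""
import math
from typing import Dict, List, Sequence, Tuple


def bias_vector(ell: int, bit_biases: Sequence[float]) -> List[float]:
    """Constructed eps_eta = p_eta - 2^-ell, eta in {0, ..., 2^ell - 1}.

    Toy model (an assumption, not the paper's): the ell approximations are
    independent and approximation i holds, i.e. bit i of eta is 0, with
    probability 1/2 + bit_biases[i].  Any p_eta gives sum(eps) == 0.
    """
    assert len(bit_biases) == ell
    eps = []
    for eta in range(2 ** ell):
        p = 1.0
        for i, b in enumerate(bit_biases):
            p *= (0.5 + b) if ((eta >> i) & 1) == 0 else (0.5 - b)
        eps.append(p - 2.0 ** -ell)
    return eps


def moments_power(ell: int, eps: Sequence[float], d: float) -> Tuple[float, float]:
    """(mu0 - mu1, upsilon) for T_kappa = sum_j X^d with d > 0.

    X takes the integer values 0..2^ell-1, so upsilon = (2^ell - 1)^d.  The
    uniform part of the two distributions cancels, leaving sum eta^d eps_eta.
    Python evaluates 0 ** d as 0.0 for d > 0, which is the eta = 0 term.
    """
    gap = sum((eta ** d) * eps[eta] for eta in range(2 ** ell))
    return gap, (2 ** ell - 1) ** d


def moments_shifted(ell: int, eps: Sequence[float], d: float) -> Tuple[float, float]:
    """Same for the variant T_kappa = sum_j (1 + X)^d, which is defined for d < 0 too."""
    gap = sum(((1 + eta) ** d) * eps[eta] for eta in range(2 ** ell))
    return gap, abs(2.0 ** (ell * d) - 1)


def hoeffding_data_complexity(upsilon: float, gap: float, alpha: float, beta: float) -> float:
    """Smallest N for which the two Hoeffding bounds give Type-I <= alpha and
    Type-II <= beta: solve exp(-2N(mu0-t)^2/upsilon^2) = alpha and
    exp(-2N(t-mu1)^2/upsilon^2) = beta for the distances to t, then add them."""
    if gap == 0:
        return math.inf  # the statistic carries no information about kappa
    c = math.sqrt(math.log(1 / alpha)) + math.sqrt(math.log(1 / beta))
    return upsilon ** 2 * c ** 2 / (2 * gap ** 2)


def scan_d(ell: int, eps: Sequence[float], alpha: float, beta: float,
           ds: Sequence[float]) -> Dict[float, float]:
    """Data complexity of the power statistic for each candidate d."""
    table = {}
    for d in ds:
        gap, ups = moments_power(ell, eps, d)
        table[d] = hoeffding_data_complexity(ups, gap, alpha, beta)
    return table


def best_d(ell: int, eps: Sequence[float], alpha: float, beta: float,
           ds: Sequence[float]) -> float:
    table = scan_d(ell, eps, alpha, beta, ds)
    return min(table, key=table.get)


def compare_sign(ell: int, eps: Sequence[float], alpha: float, beta: float,
                 d: float) -> Tuple[float, float]:
    """(N for +d, N for -d) with the shifted statistic.  Negating d multiplies
    both upsilon and the gap by 2^(-ell d), so the ratio of the two values is
    (sum (1+eta)^d eps / sum (2^ell/(1+eta))^d eps)^2."""
    gp, up = moments_shifted(ell, eps, d)
    gn, un = moments_shifted(ell, eps, -d)
    return (hoeffding_data_complexity(up, gp, alpha, beta),
            hoeffding_data_complexity(un, gn, alpha, beta))


if __name__ == "__main__":
    ELL, ALPHA, BETA = 3, 0.05, 0.05
    EPS = bias_vector(ELL, (0.05, 0.03, 0.02))  # constructed, illustrative biases
    print("eps_eta:", [round(e, 5) for e in EPS])
    for d, n in scan_d(ELL, EPS, ALPHA, BETA, (0.001, 0.1, 0.5, 1, 2, 3, 4, 8)).items():
        print(f"d = {d:<6} N = {n:12.1f}")
    print("best d in 1..8:", best_d(ELL, EPS, ALPHA, BETA, range(1, 9)))
    print("shifted statistic, d = 1 vs d = -1:", compare_sign(ELL, EPS, ALPHA, BETA, 1))
```

With the constructed biases, `scan_d` shows the behaviour argued in this appendix: for \(d\rightarrow 0\) the gap tends to \(-\epsilon_0\) rather than to zero, so the data complexity settles at the cost of a test that uses the all-zero string only, and the minimum over integer d is attained at d = 1. Replacing the toy `bias_vector` with the \(\epsilon_{\eta}\) of a real set of approximations makes `compare_sign` the check for the d versus \(-d\) claim.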
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Samajder, S., Sarkar, P. (2017). A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations. In: Phan, R.C.-W., Yung, M. (eds) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science, vol 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_14
Print ISBN: 978-3-319-61272-0
Online ISBN: 978-3-319-61273-7