Another Look at Normal Approximations in Cryptanalysis
Statistical analysis of attacks on symmetric ciphers often requires assuming the normal behaviour of a test statistic.
Typically such an assumption is made in an asymptotic sense. In this work, we consider concrete versions of some important
normal approximations that have been made in the literature. To do this, we use the Berry-Esséen theorem to derive
explicit bounds on the approximation errors. Analysing these error bounds in the cryptanalytic context throws up several
surprising results. One important implication is that this puts in doubt the applicability of the order statistics
based approach for analysing key recovery attacks on block ciphers. This approach has been earlier used to obtain several
results on the data complexities of (multiple) linear and differential cryptanalysis. The non-applicability of the order
statistics based approach puts a question mark on the data complexities obtained using this approach. Fortunately, we
are able to recover all of these results by utilising the hypothesis testing framework. Detailed consideration of the
error in normal approximation also has implications for the chi-squared and the log-likelihood ratio (LLR) based test statistics.
The normal approximation of the chi-squared test statistic has some serious and counter-intuitive restrictions. One such
restriction is that for multiple linear cryptanalysis, as the number of linear approximations grows, so does the number
of plaintext-ciphertext pairs required for the approximation to be proper. The issue of satisfactorily addressing the
problems with the application of the chi-squared test statistic remains open. For the LLR test statistic, previous work
used a normal approximation followed by another approximation to simplify the parameters of the normal approximation. We
derive the error bound for the normal approximation which turns out to be difficult to interpret. We show that the approximation
required for simplifying the parameters restricts the applicability of the result. Further, we argue that this approximation
is actually not required. More generally, the message of our work is that all cryptanalytic attacks should properly derive and
interpret the error bounds for any normal approximation that is made.
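To make the abstract's point concrete, the following is an added worked example, not code from the paper: it evaluates the Berry-Esséen bound for the counting statistic of linear cryptanalysis (the number of plaintext-ciphertext pairs, out of N, that satisfy a linear approximation holding with probability p), derives the N at which the bound drops below a target, and checks the bound against the exact Kolmogorov distance between the binomial law and the normal law. The i.i.d. Bernoulli model of the sample, the constant 0.4748 (Shevtsova, 2011) and all function names are the example's own assumptions.

```python
import math
from math import comb, erf, sqrt

# Berry-Esseen constant for i.i.d. summands (Shevtsova, 2011); the bound holds
# for any C >= 0.4748. Using this particular constant is an assumption of the example.
C_BE = 0.4748


def std_normal_cdf(x: float) -> float:
    """Phi(x): CDF of the standard normal distribution."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def _third_moment_ratio(p: float) -> float:
    """rho / sigma^3 for a Bernoulli(p) variable, with sigma^2 = p(1-p), rho = E|X-p|^3."""
    sigma2 = p * (1.0 - p)
    rho = p * (1.0 - p) * ((1.0 - p) ** 2 + p ** 2)
    return rho / sigma2 ** 1.5


def berry_esseen_bound(p: float, n: int) -> float:
    """Uniform bound on |F_n(x) - Phi(x)| for the standardised sum of n i.i.d.
    Bernoulli(p) variables:  sup_x |F_n(x) - Phi(x)| <= C * rho / (sigma^3 * sqrt(n))."""
    return C_BE * _third_moment_ratio(p) / sqrt(n)


def min_n_for_error(p: float, err: float) -> int:
    """Smallest n at which the Berry-Esseen bound is at most err."""
    return math.ceil((C_BE * _third_moment_ratio(p) / err) ** 2)


def exact_sup_distance(p: float, n: int) -> float:
    """Exact sup_x |F_n(x) - Phi(x)| for Binomial(n, p) standardised to mean 0, variance 1.

    F_n is a step function and Phi is continuous and increasing, so the supremum is
    attained at a jump point, either just before or just after the jump.
    """
    mu = n * p
    sigma = sqrt(n * p * (1.0 - p))
    cdf = 0.0
    worst = 0.0
    for k in range(n + 1):
        z = (k - mu) / sigma
        worst = max(worst, abs(cdf - std_normal_cdf(z)))  # F_n(k-) against Phi(z)
        cdf += comb(n, k) * p ** k * (1.0 - p) ** (n - k)
        worst = max(worst, abs(cdf - std_normal_cdf(z)))  # F_n(k) against Phi(z)
    return worst


def approximation_certifies(p: float, n: int, prob_of_interest: float) -> bool:
    """True only if the approximation error is below the probability being estimated.

    If the error bound exceeds, say, the Type-II error probability read off from the
    normal approximation, that approximated value carries no guarantee at all.
    """
    return berry_esseen_bound(p, n) < prob_of_interest


if __name__ == "__main__":
    # Constructed parameters: a linear approximation with bias 2^-10 and 2^20 pairs.
    p = 0.5 + 2 ** -10
    n = 2 ** 20
    print("Berry-Esseen bound at n = 2^20:", berry_esseen_bound(p, n))
    print("n needed for error <= 2^-10   :", min_n_for_error(p, 2 ** -10))
    print("exact distance vs bound, p = 1/2, n = 200:",
          exact_sup_distance(0.5, 200), berry_esseen_bound(0.5, 200))
    print("can the approximation certify a 2^-20 tail at n = 2^20?",
          approximation_certifies(p, n, 2 ** -20))
```

The bound decays only as 1/sqrt(n) and, for p close to 1/2, is about 0.4748/sqrt(n) regardless of the bias; so at 2^20 samples the approximation error is still around 2^-11, far larger than the 2^-20 tail probabilities an attack analysis may be trying to read off the normal curve.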
Another Look at Key Randomisation Hypotheses
In the context of linear cryptanalysis of block ciphers, let (resp. ) be the probability that a particular linear approximation holds for the right (resp. a wrong) key choice. The standard right key randomisation hypothesis states that is a constant and the standard wrong key randomisation hypothesis states that . Using these hypotheses, the success probability of the attack can be expressed in terms of the data complexity . The resulting expression for is a monotone increasing function of .
Building on earlier work by Daemen and Rijmen (2007), Bogdanov and Tischhauser (2014) argued that should be considered to be a random variable. They postulated the adjusted wrong key randomisation hypothesis which states that follows a normal distribution. A non-intuitive consequence was that the resulting expression for is no longer
a monotone increasing function of . A later work by Blondeau and Nyberg (2017) argued that should also be considered to be a random variable and they postulated the adjusted right key randomisation hypothesis which states that follows a normal distribution.
In this work, we revisit the key randomisation hypotheses. While the argument that and should be considered to
be random variables is indeed valid, we consider the modelling of their distributions by normal to be inappropriate. Being
probabilities, the support of the distributions of and should be subsets of which does not hold for normal distributions. We show that if and follow any distributions with supports which are subsets of , and and , then the expression for that is obtained is exactly the same as the one obtained using the standard key randomisation hypotheses. Consequently, is a monotone increasing function of even when and are considered to be random variables.
A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations
The log-likelihood ratio (LLR) and the chi-squared distribution based test statistics have been proposed in the literature for
performing statistical analysis of key recovery attacks on block ciphers. A limitation of the LLR test statistic is that its
application requires the full knowledge of the corresponding distribution. Previous work using the chi-squared approach required
approximating the distribution of the relevant test statistic by chi-squared and normal distributions. Problematic issues
regarding such approximations have been reported in the literature.
Perhaps more importantly, both the LLR and the chi-squared based methods are applicable only if the success probability is
greater than 0.5. On the other hand, an attack with success probability less than 0.5 is also of considerable interest.
This work proposes a new test statistic for key recovery attacks which has the following features.
Its application does not require the full knowledge of the underlying distribution; it is possible to carry out an analysis using this
test statistic without using any approximations; the method applies for all values of the success probability.
The statistical analysis of the new test statistic follows the hypothesis testing framework and uses Hoeffding's inequalities to
bound the probabilities of Type-I and Type-II errors.
Multiple Differential Cryptanalysis: A Rigorous Analysis
Statistical analyses of multiple differential attacks are considered in this paper. Following the work of Blondeau
and Gérard, the most general situation of multiple differential attack where there are no restrictions on the set of differentials
is studied. We obtain closed-form bounds on the data complexity in terms of the success probability and the advantage
of an attack. This is done under two scenarios -- one, where an independence assumption used by Blondeau and Gérard is assumed
to hold and second, where no such assumption is made. The first case employs the Chernoff bounds while the second case
uses the Hoeffding bounds from the theory of concentration inequalities. In both cases, we do not make use of any approximations in
our analysis. As a consequence, the results are more generally applicable compared to previous works. The analysis without the
independence assumption is the first of its kind in the literature. We believe that the current work places the statistical
analysis of multiple differential attack on a more rigorous foundation than what was previously known.
Rigorous Upper Bounds on Data Complexities of Block Cipher Cryptanalysis
Statistical analysis of symmetric key attacks aims to obtain an expression for the data complexity, which is the number of plaintext-ciphertext pairs needed to achieve the target parameters (success probability and advantage) of the attack.
Existing statistical analyses invariably use some kind of approximation, the most common being the approximation of the distribution of a sum of random variables by a normal distribution.
Such an approach leads to expressions for data complexities which are inherently approximate.
Prior works do not provide any analysis of the error involved in such approximations.
In contrast, this paper takes a rigorous approach to analysing attacks on block ciphers.
In particular, no approximations are used. Expressions for upper bounds on the data complexities of several basic and advanced attacks are obtained.
The analysis is based on the hypothesis testing framework. Probabilities of Type-I and Type-II errors are upper bounded using standard tail inequalities.
In the cases of single linear and differential cryptanalysis, we use the Chernoff bound.
For the cases of multiple linear and multiple differential cryptanalysis, Hoeffding bounds are used.
This allows bounding the error probabilities and obtaining expressions for data complexities.
We believe that our method provides important results for the attacks considered here and more generally, the techniques that we develop should have much wider applicability.
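The tail-inequality approach shared by this abstract, the new-test-statistic abstract and the multiple differential abstract above can be seen end to end on the simplest case, a key recovery attack using a single linear approximation. The following is an added worked example, not code from any of the papers: it fixes the decision rule (accept a key when the count of pairs satisfying the approximation reaches the midpoint between the right-key and wrong-key means), bounds both error probabilities with Hoeffding's inequality, solves for the data complexity N, compares it with the N obtained from the usual normal approximation, and checks the rigorous bound against the exact binomial error probabilities. Note that the abstract states the single-approximation case is handled with the Chernoff bound; Hoeffding is used here because it yields a one-line closed form. The right-key probability 1/2 + eps with eps > 0, the midpoint threshold, the variance N/4 used in the normal approximation and all function names are assumptions of the example.

```python
from math import ceil, erf, exp, lgamma, log, sqrt


def std_normal_cdf(x: float) -> float:
    """Phi(x): CDF of the standard normal distribution."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def std_normal_quantile(q: float) -> float:
    """Phi^{-1}(q) by bisection; the math module has no inverse erf."""
    lo, hi = -40.0, 40.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if std_normal_cdf(mid) < q:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def hoeffding_data_complexity(eps: float, alpha: float) -> int:
    """Smallest N such that Hoeffding bounds both error probabilities by alpha.

    Model (assumed): right key X ~ Bin(N, 1/2 + eps), wrong key X ~ Bin(N, 1/2);
    accept a key iff X >= N(1/2 + eps/2), the threshold midway between the two means.
    Hoeffding: P[X - E[X] <= -s] <= exp(-2 s^2 / N) and likewise for the upper tail.
    With s = N*eps/2 both Type-I and Type-II errors are <= exp(-N eps^2 / 2),
    so exp(-N eps^2 / 2) <= alpha gives N >= 2 ln(1/alpha) / eps^2.
    """
    return ceil(2.0 * log(1.0 / alpha) / eps ** 2)


def hoeffding_error_bound(N: int, eps: float) -> float:
    """Hoeffding bound on each of the two error probabilities at data complexity N."""
    return exp(-N * eps ** 2 / 2.0)


def normal_approx_data_complexity(eps: float, alpha: float) -> int:
    """Same decision rule under the usual normal approximation, with both binomial
    variances replaced by N/4 (an assumption of this example).

    The gap between each mean and the threshold is N*eps/2, i.e. sqrt(N)*eps standard
    deviations, so both errors are about Phi(-sqrt(N) eps) and alpha is met when
    N = (z / eps)^2 with z = Phi^{-1}(1 - alpha).
    """
    z = std_normal_quantile(1.0 - alpha)
    return ceil((z / eps) ** 2)


def _binom_tail(N: int, p: float, lo: int, hi: int) -> float:
    """Sum of the Binomial(N, p) pmf over k in [lo, hi], evaluated in log space so
    that values like 0.5**N do not underflow."""
    total = 0.0
    log_n_fact = lgamma(N + 1)
    for k in range(max(lo, 0), min(hi, N) + 1):
        lp = (log_n_fact - lgamma(k + 1) - lgamma(N - k + 1)
              + k * log(p) + (N - k) * log(1.0 - p))
        total += exp(lp)
    return total


def exact_error_probabilities(N: int, eps: float):
    """(Type-I, Type-II) error probabilities of the threshold rule from the exact
    binomial laws: a right key rejected, and a wrong key accepted."""
    t = ceil(N * (0.5 + eps / 2.0))          # accept iff X >= t
    type1 = _binom_tail(N, 0.5 + eps, 0, t - 1)
    type2 = _binom_tail(N, 0.5, t, N)
    return type1, type2


if __name__ == "__main__":
    # Constructed parameters: bias 2^-4 and a target error probability of 2^-8.
    eps, alpha = 2 ** -4, 2 ** -8
    n_rig = hoeffding_data_complexity(eps, alpha)
    n_apx = normal_approx_data_complexity(eps, alpha)
    t1, t2 = exact_error_probabilities(n_rig, eps)
    print("Hoeffding (rigorous) N       :", n_rig)
    print("normal approximation N       :", n_apx)
    print("Hoeffding bound at that N    :", hoeffding_error_bound(n_rig, eps))
    print("exact Type-I / Type-II errors:", t1, t2)
```

The rigorous N is larger than the approximate one by a constant factor (roughly 2 ln(1/alpha) against Phi^{-1}(1 - alpha)^2, so about 1.5x at alpha = 2^-8), which is the price of an expression that holds without any approximation; the exact binomial tails confirm that both error probabilities sit below the bound.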
Success Probability of Multiple/Multidimensional Linear Cryptanalysis Under General Key Randomisation Hypotheses
This work considers statistical analysis of attacks on block ciphers using several linear approximations. A general and unified
approach is adopted. To this end, the general key randomisation hypotheses for multidimensional and multiple linear cryptanalysis
are introduced. Expressions for the success probability in terms of the data complexity and the advantage are obtained using the
general key randomisation hypotheses for both multidimensional and multiple linear cryptanalysis and under the settings where the
plaintexts are sampled with or without replacement. Particularising to the standard/adjusted key randomisation hypotheses gives rise
to success probabilities in 16 different cases, of which expressions for the success probability had previously been
reported in only five. Even in these five cases, the expressions for success probabilities that we obtain are more general than what was previously
obtained. A crucial step
in the analysis is the derivation of the distributions of the underlying test statistics. While we carry out the analysis formally
to the extent possible, there are certain inherently heuristic assumptions that need to be made. In contrast to previous works which
have implicitly made such assumptions, we carefully highlight these and discuss why they are unavoidable. Finally, we provide a complete
characterisation of the dependence of the success probability on the data complexity.
Another Look at Success Probability in Linear Cryptanalysis
This work studies the success probability of key recovery attacks based on using a single linear approximation. Previous works had analysed success probability under different hypotheses on the distributions of correlations for the right and wrong key choices.
This work puts forward a unifying framework of general key randomisation hypotheses. All previously used key randomisation hypotheses, as also zero correlation attacks, can be seen to be special cases of the general framework. Derivations of expressions for the success probability are carried out under both the settings of the plaintexts being sampled with and without replacement.
Compared to previous analysis, we uncover several new cases which have not been considered in the literature. For most of the cases which
have been considered earlier, we provide complete expressions for the respective success probabilities. Finally, the complete picture of the
dependence of the success probability on the data complexity is revealed. Compared to the extant literature, our work provides a deeper and more thorough understanding of the success probability of single linear cryptanalysis.