10 research outputs found

    Multiple Differential Cryptanalysis: A Rigorous Analysis

    Statistical analyses of multiple differential attacks are considered in this paper. Following the work of Blondeau and Gérard, the most general situation of multiple differential attack where there are no restrictions on the set of differentials is studied. We obtain closed form bounds on the data complexity in terms of the success probability and the advantage of an attack. This is done under two scenarios: one, where an independence assumption used by Blondeau and Gérard is assumed to hold, and second, where no such assumption is made. The first case employs the Chernoff bounds while the second case uses the Hoeffding bounds from the theory of concentration inequalities. In both cases, we do not make use of any approximations in our analysis. As a consequence, the results are more generally applicable compared to previous works. The analysis without the independence assumption is the first of its kind in the literature. We believe that the current work places the statistical analysis of multiple differential attack on a more rigorous foundation than what was previously known.

    Success Probability of Multiple/Multidimensional Linear Cryptanalysis Under General Key Randomisation Hypotheses

    This work considers statistical analysis of attacks on block ciphers using several linear approximations. A general and unified approach is adopted. To this end, the general key randomisation hypotheses for multidimensional and multiple linear cryptanalysis are introduced. Expressions for the success probability in terms of the data complexity and the advantage are obtained using the general key randomisation hypotheses for both multidimensional and multiple linear cryptanalysis and under the settings where the plaintexts are sampled with or without replacement. Particularising to standard/adjusted key randomisation hypotheses gives rise to success probabilities in 16 different cases, out of which in only five cases expressions for success probabilities have been previously reported. Even in these five cases, the expressions for success probabilities that we obtain are more general than what was previously obtained. A crucial step in the analysis is the derivation of the distributions of the underlying test statistics. While we carry out the analysis formally to the extent possible, there are certain inherently heuristic assumptions that need to be made. In contrast to previous works which have implicitly made such assumptions, we carefully highlight these and discuss why they are unavoidable. Finally, we provide a complete characterisation of the dependence of the success probability on the data complexity.

    Another Look at Normal Approximations in Cryptanalysis

    Statistical analysis of attacks on symmetric ciphers often requires assuming the normal behaviour of a test statistic. Typically such an assumption is made in an asymptotic sense. In this work, we consider concrete versions of some important normal approximations that have been made in the literature. To do this, we use the Berry-Esséen theorem to derive explicit bounds on the approximation errors. Analysing these error bounds in the cryptanalytic context throws up several surprising results. One important implication is that this puts in doubt the applicability of the order statistics based approach for analysing key recovery attacks on block ciphers. This approach has been earlier used to obtain several results on the data complexities of (multiple) linear and differential cryptanalysis. The non-applicability of the order statistics based approach puts a question mark on the data complexities obtained using this approach. Fortunately, we are able to recover all of these results by utilising the hypothesis testing framework. Detailed consideration of the error in normal approximation also has implications for χ² and the log-likelihood ratio (LLR) based test statistics. The normal approximation of the χ² test statistics has some serious and counter-intuitive restrictions. One such restriction is that for multiple linear cryptanalysis, as the number of linear approximations grows, so does the requirement on the number of plaintext-ciphertext pairs for the approximation to be proper. The issue of satisfactorily addressing the problems with the application of the χ² test statistics remains open. For the LLR test statistics, previous work used a normal approximation followed by another approximation to simplify the parameters of the normal approximation. We derive the error bound for the normal approximation, which turns out to be difficult to interpret. We show that the approximation required for simplifying the parameters restricts the applicability of the result. Further, we argue that this approximation is actually not required. More generally, the message of our work is that all cryptanalytic attacks should properly derive and interpret the error bounds for any normal approximation that is made.

    Distinguishing Error of Nonlinear Invariant Attacks

    Linear cryptanalysis considers correlations between linear input and output combiners for block ciphers and stream ciphers. Daemen and Rijmen (2007) had obtained the distributions of the correlations between linear input and output combiners of uniform random functions and uniform random permutations. Our first contribution is to generalise these results to obtain the distributions of the correlations between arbitrary input and output combiners of uniform random functions and uniform random permutations. Recently, Todo et al. (2018) have proposed nonlinear invariant attacks which consider correlations between nonlinear input and output combiners for a key-alternating block cipher. In its basic form, a nonlinear invariant attack is a distinguishing attack. The second and the main contribution of this paper is to obtain precise expressions for the errors of nonlinear invariant attacks in distinguishing a key-alternating cipher from either a uniform random function or a uniform random permutation.

    Rigorous Upper Bounds on Data Complexities of Block Cipher Cryptanalysis

    Statistical analysis of symmetric key attacks aims to obtain an expression for the data complexity, which is the number of plaintext-ciphertext pairs needed to achieve the parameters of the attack. Existing statistical analyses invariably use some kind of approximation, the most common being the approximation of the distribution of a sum of random variables by a normal distribution. Such an approach leads to expressions for data complexities which are inherently approximate. Prior works do not provide any analysis of the error involved in such approximations. In contrast, this paper takes a rigorous approach to analysing attacks on block ciphers. In particular, no approximations are used. Expressions for upper bounds on the data complexities of several basic and advanced attacks are obtained. The analysis is based on the hypothesis testing framework. Probabilities of Type-I and Type-II errors are upper bounded using standard tail inequalities. In the cases of single linear and differential cryptanalysis, we use the Chernoff bound. For the cases of multiple linear and multiple differential cryptanalysis, Hoeffding bounds are used. This allows bounding the error probabilities and obtaining expressions for data complexities. We believe that our method provides important results for the attacks considered here and, more generally, the techniques that we develop should have much wider applicability.

    Correlations Between (Nonlinear) Combiners of Input and Output of Random Functions and Permutations

    Linear cryptanalysis considers correlations between linear input and output combiners for block ciphers and stream ciphers. Daemen and Rijmen (2007) had obtained the distributions of the correlations between linear input and output combiners of uniform random functions and uniform random permutations. The present work generalises these results to obtain the distributions of the correlations between arbitrary input and output combiners of uniform random functions and uniform random permutations.

    Can Large Deviation Theory be Used for Estimating Data Complexity?

    Statistical analysis of attacks on block ciphers has mostly used normal approximations. A few recent works have proposed doing away with normal approximations and instead using Chernoff and Hoeffding bounds to obtain rigorous bounds on data complexities of several attacks. This opens up the question of whether even better general bounds can be obtained using the statistical theory of large deviations. In this note we examine this question. Our conclusion is that while in theory this is indeed possible, in general obtaining meaningful expressions for data complexity presents several difficulties. This leaves open the question of whether this can be done for specific attacks.

    Concrete Analysis of Approximate Ideal-SIVP to Decision Ring-LWE Reduction

    A seminal 2013 paper by Lyubashevsky, Peikert, and Regev proposed basing post-quantum cryptography on ideal lattices and supported this proposal by giving a polynomial-time security reduction from the approximate Shortest Independent Vectors Problem (SIVP) to the Decision Learning With Errors (DLWE) problem in ideal lattices. We give a concrete analysis of this multi-step reduction. We find that the tightness gap in the reduction is so great as to vitiate any meaningful security guarantee, and we find reasons to doubt the feasibility in the foreseeable future of the quantum part of the reduction. In addition, when we make the reduction concrete it appears that the approximation factor in the SIVP problem is far larger than expected, a circumstance that causes the corresponding approximate-SIVP problem most likely not to be hard for proposed cryptosystem parameters. We also discuss implications for systems such as Kyber and SABER that are based on module-DLWE.