Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our - - PowerPoint PPT Presentation



SLIDE 1

FSE 2020

Multiple Linear Cryptanalysis Using Linear Statistics

Jung-Keun Lee and Woo-Hwan Kim ETRI

SLIDE 2

Our contribution

  • improved and extended approach of multiple linear cryptanalysis [BCQ04] (exploit dominant statistically independent linear trails)
  • Algorithm 1 and Algorithm 2 style attacks
  • threshold based, rank based, combined
  • provide formulas for success probability and advantage in terms of data size, correlations of the trails, and threshold parameter
  • under some hypotheses on statistical independence of wrong key & right key statistics
  • application to full DES, exploiting 4 linear trails
  • get attacks with complexity better than or comparable with existing linear attacks on DES
  • provide strong experimental verification

SLIDE 3

Organization

  • Introduction and Preliminaries
  • Our multiple linear attacks
  • Application to DES
  • Generalization
  • Conclusion

SLIDE 4

Linear Trails and Linear Hulls

  • key-alternating iterative block cipher
  • linear trail $\Gamma = [\Gamma_0, \ldots, \Gamma_S]$: sequence of linear masks
  • linear hull $\mathrm{H}(\delta, \delta')$: the set of linear trails with the initial mask $\delta$ and final mask $\delta'$

[Figure: trail $\Gamma$ with masks $\Gamma_1, \Gamma_2, \ldots, \Gamma_{S-1}, \Gamma_S$; long key cipher $F$]

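SLIDE 5

Linear Correlations

  • $\zeta(\delta, \delta'; G) := \frac{1}{2^m} \sum_{y} (-1)^{\langle \delta, y \rangle \oplus \langle \delta', G(y) \rangle}$: linear correlation of $G: \mathbb{F}_2^m \to \mathbb{F}_2^n$ w.r.t. pair of masks $(\delta, \delta')$
  • $\zeta(\delta, \delta'; F, \mathit{sl}) := \zeta(\delta, \delta'; F(\mathit{sl}, \cdot))$: linear correlation of a linear hull for a given long key $\mathit{sl}$
  • $D(\Gamma; F) = \prod_{j=0}^{S-1} \zeta(\Gamma_j, \Gamma_{j+1}; G_{j+1})$: (key-independent) linear correlation of a trail
  • $\zeta(\delta, \delta'; F, \mathit{sl}, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{\langle \delta, Q \rangle \oplus \langle \delta', D \rangle}$: undersampled correlation; $E$: data (consisting of plaintext-ciphertext pairs)

[Figure: masks $\delta$, $\delta'$ on $G$ and on $F(\mathit{sl}, \cdot)$]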

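SLIDE 6

Linear Correlations

$\zeta(\delta, \delta'; F, \mathit{sl}) = \sum_{\Lambda \in \mathrm{H}(\delta, \delta')} (-1)^{\oplus_{j=0}^{S-1} \langle \Lambda_j, \mathit{sl}_j \rangle} D(\Lambda; F)$

(the exponent is the parity bit determined by $\Lambda$ and $\mathit{sl}$)

  • $\Gamma$: a dominant trail
  • $\zeta(\delta, \delta'; \mathit{sl}) \approx (-1)^{\oplus_{j=0}^{S-1} \langle \Gamma_j, \mathit{sl}_j \rangle} D(\Gamma)$, or
  • $(-1)^{\oplus_{j=0}^{S-1} \langle \Gamma_j, \mathit{sl}_j \rangle} \zeta(\delta, \delta'; \mathit{sl}) \approx D(\Gamma)$ regardless of $\mathit{sl}$

Unless mentioned otherwise, we assume:

  • $\Gamma$, $\Gamma^k$: dominant, fixed
  • $O = |E| \ll 2^o$, $o$: block size
  • $|D(\Gamma)|, |D(\Gamma^k)| \gg 2^{-o/2}$
  • $L^*$ and $\mathit{sl}^*$ (correct key, long key): fixed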
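
SLIDE 7

Algorithm 1

  • Use a single dominant trail $\Gamma = [\Gamma_0, \ldots, \Gamma_S]$
  • try to recover the parity bit $\gamma^* = \oplus_{j=0}^{S-1} \langle \Gamma_j, \mathit{sl}_j^* \rangle$
  • Given a sample or data $E$, compute the undersampled correlation $\zeta(\Gamma_0, \Gamma_{S-1}; \mathit{sl}^*, E)$
  • determine $\gamma^*$ to be 0 iff $\zeta(\Gamma_0, \Gamma_{S-1}; \mathit{sl}^*, E)\, D(\Gamma) > 0$

$\zeta(\delta, \delta'; \mathit{sl}, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{\langle \delta, Q \rangle \oplus \langle \delta', D \rangle}$

[Figure: rounds $G_1, G_2, \ldots, G_S$ with round keys $\mathit{sl}_0, \mathit{sl}_1, \ldots, \mathit{sl}_{S-1}$, masks $\Gamma_0, \Gamma_1, \ldots, \Gamma_{S-1}, \Gamma_S$, plaintext $Q$ and ciphertext $D$]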

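SLIDE 8

Algorithm 1

$\gamma^* = \oplus_{j=0}^{S-1} \langle \Gamma_j, \mathit{sl}_j^* \rangle$, $\vartheta = D(\Gamma)$

  • Right Key Hypothesis
      • $\Gamma$: dominant trail ⇒ $Y \sim \mathrm{N}(\vartheta, 1/O)$, where $Y = (-1)^{\gamma^*} \zeta(\delta, \delta'; \mathit{sl}^*, E)$ is the random variable obtained by letting $E$ vary with $|E| = O$
  • Success Probability
      • $Q_{\mathrm{S}} = \Pr_{Y \sim \mathrm{N}(\vartheta, 1/O)}(\vartheta Y > 0) = \Phi(\sqrt{O}\,|\vartheta|)$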

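SLIDE 9

Algorithm 2

  • Add outer rounds to a trail $\Gamma = [\Gamma_t, \ldots, \Gamma_{t+s}]$ for the inner cipher $F|_t^{t+s}$
  • recover a parity bit and some outer round key bits
  • Given $E$,
      • Use the statistic $(-1)^{\gamma} \zeta(\Gamma, \mathit{sl}^*, \lambda, E)$ to pick out candidates for $(\gamma^*, \lambda^*)$ (threshold based or rank based)
      • Proceed with trial encryption

$\lambda$: bit string obtained by concatenating outer round key bits involved in the outer round computation of $\langle \Gamma_t, Y_t \rangle \oplus \langle \Gamma_{t+s}, Y_{t+s} \rangle$

$\langle \Gamma_t, Y_t \rangle \oplus \langle \Gamma_{t+s+1}, Y_{t+s+1} \rangle = h(\lambda, Q, D)$

$\zeta(\Gamma, \mathit{sl}^*, \lambda, E) := \frac{1}{|E|} \sum_{(Q,D) \in E} (-1)^{h(\lambda, Q, D)}$: undersampled correlation gotten from $\lambda$, $E$

$\gamma^* = \oplus_{j=t}^{t+s-1} \langle \Gamma_j, \mathit{sl}_j^* \rangle$

$\gamma$: indeterminate, binary

[Figure: inner cipher $F|_t^{t+s}$ with rounds $G_{t+1}, G_{t+2}, \ldots, G_{t+s}$, masks $\Gamma_t, \Gamma_{t+1}, \ldots, \Gamma_{t+s-1}, \Gamma_{t+s}$, intermediate values $Y_t$, $Y_{t+s}$, outer key $\lambda$, plaintext $Q$ and ciphertext $D$]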

SLIDE 10

Algorithm 2

  • Right Key Hypothesis (on the distribution of right key statistic)
      • $(-1)^{\gamma^*} \zeta(\Gamma, \lambda^*, E) \sim \mathrm{N}(\vartheta, \frac{1}{O})$ as $E$ varies with $|E| = O$
  • Wrong Key Hypothesis (on the distribution of wrong key statistic)
      • $\zeta(\Gamma, \lambda, E) \sim \mathrm{N}(0, \frac{1}{O})$ as $(\lambda, E)$ varies with $\lambda \neq \lambda^*$
  • Hypothesis on independence [Sel08]
      • the order statistics for the wrong key statistics & the right key statistic are independent

⇒ success probability, advantage can be estimated for threshold/rank based methods

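SLIDE 11

Algorithm 2 style attacks (multiple appr.)

  • $\Gamma^1, \Gamma^2, \ldots, \Gamma^n$: dominant, statistically independent trails
  • $\vartheta_k = D(\Gamma^k)$ $(k = 1, \ldots, n)$, $\vartheta = \sqrt{\sum_k \vartheta_k^2}$
  • Given data $E$, recover $(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*)$,
      • $\boldsymbol{\lambda}^*$: correct value of the outer key $\boldsymbol{\lambda}$
      • $\boldsymbol{\gamma}^* = (\gamma_1^*, \ldots, \gamma_n^*)$, $\gamma_k^* = \oplus_{j=t}^{t+s-1} \langle \Gamma_j^k, \mathit{sl}^* \rangle$
  • Use the statistic $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) := \sum_k (-1)^{\gamma_k} \vartheta_k \upsilon_k(\lambda_k, E)$

$\upsilon_k(\lambda_k, E) := O\, \zeta(\Gamma^k, \lambda_k, E)$

$\lambda_k$: bit string obtained by concatenating outer round key bits involved in the outer round computation of $\langle \Gamma_t^k, Y_t \rangle \oplus \langle \Gamma_{t+s}^k, Y_{t+s} \rangle$

$\boldsymbol{\lambda}$: bit string obtained by combining the $\lambda_k$'s (removing redundancy)

assume for simplicity that bits of $\lambda_k$'s are either identical or independent

$\boldsymbol{\gamma} = (\gamma_1, \ldots, \gamma_n)$: any binary vector

[Figure: inner cipher $F|_t^{t+s}$ with rounds $G_{t+1}, G_{t+2}, \ldots, G_{t+s}$, masks $\Gamma_t^k$, $\Gamma_{t+s}^k$, intermediate values $Y_t$, $Y_{t+s}$, outer key $\lambda_k$, plaintext $Q$ and ciphertext $D$]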

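SLIDE 12

Algorithm 2 style attacks (multiple appr.)

$U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) := \sum_k (-1)^{\gamma_k} \vartheta_k \upsilon_k(\lambda_k, E)$

  • Algorithm 2MT (Threshold based): Pick out $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s with $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq \iota = uO\vartheta^2$
  • Algorithm 2MR (Rank based): Rank $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s according to $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E)$
  • Algorithm 2MC (Combined): Pick out candidates $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s with $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq \iota$ and then rank them
      • yields better advantage than Algorithm 2MT for $Q_{\mathrm{S}} \approx 1$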

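SLIDE 13

Algorithm 2 style attacks (multiple appr.)

  • Wrong key types
      • For $K_P \subsetneq \{1, \ldots, n\}$, $\boldsymbol{\lambda}$ is said to have the wrong key type $K_P$ if $\{k : \lambda_k = \lambda_k^*\} = K_P$
      • For $K_P, K_J \subset \{1, \ldots, n\}$ s.t. $K_P \neq \{1, \ldots, n\}$ or $K_J \neq \{1, \ldots, n\}$, $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ is said to have the wrong key type $(K_P, K_J)$ if $\boldsymbol{\lambda}$ has the wrong key type $K_P$ and $\boldsymbol{\gamma}$ has the type $K_J$

For $K \subset \{1, \ldots, n\}$, $\boldsymbol{\gamma}$ is said to have the type $K$ if $\{k : \gamma_k = \gamma_k^*\} = K$. If $\boldsymbol{\gamma}$ has the type $K$, denote it by $\boldsymbol{\gamma}_K$.

$X(K_P)$: the set of $\boldsymbol{\lambda}$'s having the wrong key type $K_P$

$X(K_P, K_J)$: the set of $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$'s having the wrong key type $(K_P, K_J)$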

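SLIDE 14

Multivariate Normal Distributions

  • An $n$-variate random variable $\mathbf{Y}$ is said to have the normal distribution with mean vector $\boldsymbol{\nu}$ and covariance matrix $\mathbf{T}$ if it has the p.d.f.

    $\mathbf{y} \mapsto \frac{1}{(2\pi)^{n/2} \det(\mathbf{T})^{1/2}}\, e^{-(\mathbf{y} - \boldsymbol{\nu})^{\top} \mathbf{T}^{-1} (\mathbf{y} - \boldsymbol{\nu})/2}$

    ($\boldsymbol{\nu} \in \mathbb{R}^n$, $\mathbf{T}$: positive definite $n \times n$ matrix over $\mathbb{R}$)

  • Probability that an $n$-variate normal random variable satisfies a linear inequality
      • $\mathbf{Y} \sim \mathrm{N}(\boldsymbol{\nu}, \mathbf{T})$, $\mathbf{b} \in \mathbb{R}^n$, $\mathbf{b} \neq 0$, $c \in \mathbb{R}$
      • $\Pr_{\mathbf{Y} \sim \mathrm{N}(\boldsymbol{\nu}, \mathbf{T})}(\langle \mathbf{b}, \mathbf{Y} \rangle + c \geq 0) = \Phi\left(\frac{\langle \mathbf{b}, \boldsymbol{\nu} \rangle + c}{\lVert \boldsymbol{\tau}^{\top} \mathbf{b} \rVert}\right)$

$\mathbf{T} = \boldsymbol{\tau} \boldsymbol{\tau}^{\top}$; $\Phi$: c.d.f. of the std normal distribution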

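SLIDE 15

Algorithm 2 style attacks (multiple appr.)

For each $K_P \subset \{1, \ldots, n\}$:

  • $\mathbf{Y}_{K_P}$: vector-valued random variable having the distribution $\mathrm{D}_{K_P}$ determined by the values $((-1)^{\gamma_1^*} \vartheta_1 \upsilon_1(\lambda_1, E), \ldots, (-1)^{\gamma_n^*} \vartheta_n \upsilon_n(\lambda_n, E))$, where $|E| = O$, $\boldsymbol{\lambda} \in X(K_P)$
  • Hypothesis: $\mathbf{Y}_{K_P} \sim \mathrm{N}(\boldsymbol{\nu}_{K_P}, \mathbf{T}_{K_P})$
      • $\boldsymbol{\nu}_{K_P} = (\nu_1, \ldots, \nu_n)$; $\nu_k = O\vartheta_k^2$ for $k \in K_P$, $\nu_k = 0$ for $k \notin K_P$
      • $\mathbf{T}_{K_P} = \mathrm{diag}(O\vartheta_1^2, \ldots, O\vartheta_n^2)$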

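SLIDE 16

Algorithm 2 style attacks (multiple appr.)

For each $K_P$, let $\{1, \ldots, n\} \setminus K_P = \{k_1, \ldots, k_v\}$.

  • $\mathbf{Y}_{K_P}$: vector-valued random variable having the distribution $\mathrm{D}_{K_P}$ determined by

    $((-1)^{\gamma_1^*} \vartheta_1 \upsilon_1(\lambda_1^*, E), \ldots, (-1)^{\gamma_n^*} \vartheta_n \upsilon_n(\lambda_n^*, E),\ \vartheta_{k_1} \upsilon_{k_1}(\lambda_{k_1}, E), \ldots, \vartheta_{k_v} \upsilon_{k_v}(\lambda_{k_v}, E))$

    where $|E| = O$, $\boldsymbol{\lambda} \in X(K_P)$; the first $n$ components are the right key statistic, the last $v$ the wrong key statistic

  • Hypothesis (Stronger): $\mathbf{Y}_{K_P} \sim \mathrm{N}(\boldsymbol{\nu}_{K_P}, \mathbf{T}_{K_P})$
      • $\boldsymbol{\nu}_{K_P} = (\nu_1, \ldots, \nu_{n+v})$, $\mathbf{T}_{K_P} = \mathrm{diag}(\tau_1^2, \ldots, \tau_{n+v}^2)$; $(\nu_k, \tau_k^2) = (O\vartheta_k^2, O\vartheta_k^2)$ for $k \in \{1, \ldots, n\}$, $(\nu_{n+m}, \tau_{n+m}^2) = (0, O\vartheta_{k_m}^2)$ for $m \in \{1, \ldots, v\}$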

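SLIDE 17

Algorithm 2MT

$U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) := \sum_k (-1)^{\gamma_k} \vartheta_k \upsilon_k(\lambda_k, E)$; $l_P$: number of bits in $\boldsymbol{\lambda}$

  • Determine $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ to be correct if
      • $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq uO\vartheta^2$
  • Success Probability $q_{\mathrm{S}}(u)$:
      • $\Pr_{E}(U(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*, E) \geq uO\vartheta^2) = \Pr_{\mathbf{Y} \sim \mathrm{D}_{\{1, \ldots, n\}}}(Y_1 + \cdots + Y_n \geq uO\vartheta^2) = \Phi((1 - u)\sqrt{O}\,\vartheta)$ (linear inequality)
  • False alarm probability: $\frac{1}{2^{l_P + n}} \times \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{T},(K_P,K_J)}(u)$
      • $q_{\mathrm{fa}}^{2\mathrm{T},(K_P,K_J)}(u)$: probability that $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ of type $(K_P, K_J)$ satisfies the threshold condition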

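SLIDE 18

Algorithm 2MT

  • False alarm probability $q_{\mathrm{fa}}^{2\mathrm{T},(K_P,K_J)}$ for type $(K_P, K_J)$:

    $\Pr_{E,\, \boldsymbol{\lambda} \in X(K_P)}(U(\boldsymbol{\lambda}, \boldsymbol{\gamma}_{K_J}, E) \geq uO\vartheta^2)$

    $= \Pr_{\mathbf{Y} \sim \mathrm{D}_{K_P}}\left(\sum_{k \in K_P \cap K_J} Y_k - \sum_{k \in K_P \setminus K_J} Y_k + \sum_{m=1}^{v} (-1)^{\gamma_{k_m}} Y_{n+m} \geq uO\vartheta^2\right)$ (linear inequality)

    $= \Phi\left(\sqrt{O}\left(\sum_{k \in K_P \cap K_J} \vartheta_k^2 - \sum_{k \in K_P \setminus K_J} \vartheta_k^2 - u\vartheta^2\right) / \vartheta\right)$

    $\approx \Phi(-u\sqrt{O}\,\vartheta)$ (in many cases)

  • The false alarm probability $q_{\mathrm{fa}}^{2\mathrm{T}}(u)$
      • $\frac{1}{2^{l_P + n}} \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{T},(K_P,K_J)}(u)$
  • Advantage: $-\log_2 q_{\mathrm{fa}}^{2\mathrm{T}}(u)$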

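SLIDE 19

Algorithm 2MR

  • Rank $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ according to the statistic $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E)$
  • Success Probability = 1
  • False alarm probability: $\frac{1}{2^{l_P + n}} \times \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{R},(K_P,K_J)}$
      • $q_{\mathrm{fa}}^{2\mathrm{R},(K_P,K_J)}$: probability that $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ of type $(K_P, K_J)$ is ranked higher than $(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*)$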

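SLIDE 20

Algorithm 2MR

  • False alarm probability $q_{\mathrm{fa}}^{2\mathrm{R},(K_P,K_J)}$ for type $(K_P, K_J)$:

    $\Pr_{E,\, \boldsymbol{\lambda} \in X(K_P)}(U(\boldsymbol{\lambda}, \boldsymbol{\gamma}_{K_J}, E) \geq U(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*, E))$

    $= \Pr_{\mathbf{Y} \sim \mathrm{D}_{K_P}}\left(-\sum_{k:\, k \leq n,\, k \notin K_P} Y_k - 2\sum_{k \in K_P \setminus K_J} (-1)^{\gamma_k^*} Y_k + \sum_{m=1}^{v} (-1)^{\gamma_{k_m}} Y_{n+m} \geq uO\vartheta^2\right)$ (linear inequality)

    $= \Phi\left(-\sqrt{O}\left(\sum_{k \in K_P \setminus K_J} \vartheta_k^2 + \frac{1}{2}\sum_{k \in \{1, \ldots, n\} \setminus K_P} \vartheta_k^2\right)^{1/2}\right)$

    $\approx \Phi(-\sqrt{O/2}\,\vartheta)$ (in many cases)

  • The false alarm probability $q_{\mathrm{fa}}^{2\mathrm{R}}$
      • $\frac{1}{2^{l_P + n}} \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{R},(K_P,K_J)}$
  • Advantage: $-\log_2 q_{\mathrm{fa}}^{2\mathrm{R}} - 1$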

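SLIDE 21

Algorithm 2MC

  • Pick out $\boldsymbol{\gamma}$'s with $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq uO\vartheta^2$ and then rank them according to the statistic
  • Success Probability: the same as in Algorithm 2MT
      • $\Phi((1 - u)\sqrt{O}\,\vartheta)$
  • False alarm probability: $\frac{1}{2^{l_P + n}} \times \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{C},(K_P,K_J)}(u)$
      • $q_{\mathrm{fa}}^{2\mathrm{C},(K_P,K_J)}(u)$: probability that $(\boldsymbol{\lambda}, \boldsymbol{\gamma})$ of type $(K_P, K_J)$ is ranked higher than $(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*)$ and satisfies the threshold condition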

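SLIDE 22

Algorithm 2MC

  • False alarm probability $q_{\mathrm{fa}}^{2\mathrm{C},(K_P,K_J)}(u)$ for type $(K_P, K_J)$:

    $\Pr_{E,\, \boldsymbol{\lambda} \in X(K_P)}(U(\boldsymbol{\lambda}, \boldsymbol{\gamma}_{K_J}, E) \geq U(\boldsymbol{\lambda}^*, \boldsymbol{\gamma}^*, E),\ U(\boldsymbol{\lambda}, \boldsymbol{\gamma}_{K_J}, E) \geq uO\vartheta^2)$

    (two linear inequalities; can be estimated numerically or by simulation)

  • The false alarm probability $q_{\mathrm{fa}}^{2\mathrm{C}}(u)$
      • $\frac{1}{2^{l_P + n}} \sum_{(K_P, K_J):\,\mathrm{wrong}} |X(K_P)|\, q_{\mathrm{fa}}^{2\mathrm{C},(K_P,K_J)}(u) \approx q_{\mathrm{fa}}^{2\mathrm{C},(\emptyset,\emptyset)}(u)$ (in many cases)
  • Advantage: $-\log_2 q_{\mathrm{fa}}^{2\mathrm{C}}(u)$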

SLIDE 23

Application to DES

  • Exploit 4 linear trails [BV17]
      • $\Gamma^1$: $\vartheta_1 = D(\Gamma^1) = -2^{-19.75}$, $l_P^1 = 12$
      • $\Gamma^2$: $\vartheta_2 = D(\Gamma^2) = -2^{-20.07}$, $l_P^2 = 18$
      • $\Gamma^3$: $\vartheta_3 = D(\Gamma^3) = -2^{-19.75}$, $l_P^3 = 12$
      • $\Gamma^4$: $\vartheta_4 = D(\Gamma^4) = -2^{-20.07}$, $l_P^4 = 18$
  • Perform Algorithm 2MC, given data $E$ of size $O$:
      • compress data and get 4 lists $M_k$'s applying FWHT.
      • combine lists $M_1$ and $M_2$ to get a list $M_{1,2}$; combine lists $M_3$ and $M_4$ to get a list $M_{3,4}$
      • Sort $M_{1,2}$ and $M_{3,4}$ and get the list $M_{1,2,3,4}$ considering the threshold condition $U(\boldsymbol{\lambda}, \boldsymbol{\gamma}, E) \geq uO\vartheta^2$
      • Try the candidates in $M_{1,2,3,4}$ one by one

$\vartheta = 2^{-18.89}$

$\lambda_1$, $\lambda_2$ share 6 bits; $\lambda_3$, $\lambda_4$ share 6 bits; $\boldsymbol{\lambda}$ has 48 bits: $l_P = 48$; $\lambda_1 \| \lambda_2$ and $\lambda_3 \| \lambda_4$ do not have any bits in common
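The success probability formula of Algorithms 2MT/2MC and the per-type 2MT false alarm formula from the earlier slides, evaluated with the four DES trail correlations listed on this slide. This is an added example, not code from the presentation; the data size O and threshold parameter u it is called with are constructed sample values, index sets are 0-based, and the simulation assumes the normal hypothesis stated on slide 15.

```python
import math
import random

# Trail correlations (the slides' theta_k = D(Gamma^k)) from "Application to DES".
THETAS = [-2**-19.75, -2**-20.07, -2**-19.75, -2**-20.07]

def phi(x):
    """c.d.f. of the standard normal distribution."""
    return 0.5 * math.erfc(-x / math.sqrt(2))

def combined_theta(thetas):
    """theta = sqrt(sum_k theta_k^2)."""
    return math.sqrt(sum(t * t for t in thetas))

def success_probability(O, u, thetas):
    """Phi((1 - u) sqrt(O) theta), shared by Algorithms 2MT and 2MC."""
    return phi((1 - u) * math.sqrt(O) * combined_theta(thetas))

def false_alarm_type(O, u, thetas, KP, KJ):
    """2MT false alarm probability for type (K_P, K_J), given as 0-based sets."""
    th = combined_theta(thetas)
    plus = sum(thetas[k] ** 2 for k in KP & KJ)
    minus = sum(thetas[k] ** 2 for k in KP - KJ)
    return phi(math.sqrt(O) * (plus - minus - u * th * th) / th)

def advantage_approx(O, u, thetas):
    """-log2 of the 'in many cases' approximation Phi(-u sqrt(O) theta)."""
    return -math.log2(phi(-u * math.sqrt(O) * combined_theta(thetas)))

def simulate_success(O, u, thetas, trials=20000, seed=1):
    """Sample Y with mean and variance O theta_k^2 per component; count threshold hits."""
    rng = random.Random(seed)
    bound = u * O * combined_theta(thetas) ** 2
    hits = 0
    for _ in range(trials):
        total = sum(rng.gauss(O * t * t, math.sqrt(O) * abs(t)) for t in thetas)
        hits += total >= bound
    return hits / trials

if __name__ == "__main__":
    O, u = 2**40, 0.5  # constructed sample values, not taken from the slides
    print("log2(theta)       :", round(math.log2(combined_theta(THETAS)), 2))
    print("success (formula) :", round(success_probability(O, u, THETAS), 4))
    print("success (sampled) :", round(simulate_success(O, u, THETAS), 4))
    print("advantage (approx):", round(advantage_approx(O, u, THETAS), 2))
    print("type ({0},{0,1})  :", false_alarm_type(O, u, THETAS, {0}, {0, 1}))
```

With the empty type (∅, ∅) the per-type formula reduces exactly to the approximation Φ(−u√O ϑ), and with the full index sets it reduces to the success probability.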

SLIDE 24

Application to DES

[Figures: theoretical/experimental $Q_{\mathrm{S}}$ and theoretical/experimental advantage; 1,000 experiments, $O$ up to $2^{42.78}$]

SLIDE 25

Multiple linear cryptanalysis [BCQ04]

  • Algorithm 1 and Algorithm 2 style attacks
  • formulas for advantage estimated in terms of trail correlations and data complexity
  • rank based, $Q_{\mathrm{S}}$ fixed to 1
  • limitations
      • advantage not analyzed theoretically for $Q_{\mathrm{S}} < 1$
      • experimental advantage not satisfactory
      • e.g. when applied to DES [BV17]

SLIDE 26

Multidimensional linear cryptanalysis [HCN09]

  • Algorithm 1 and Algorithm 2 style attacks
  • threshold based or rank based
  • use LLR statistic or $\chi^2$ statistic
  • approximate, asymptotic advantages theoretically provided
  • under certain independence assumptions
  • does not require trails to be dominant
  • does not yield attack better than [Mat94] on DES
  • advantage not satisfactory when using a small number of trails
  • LLR method more effective, but not separable in general: adding outer rounds requires much overhead

SLIDE 27

Recent linear attacks on DES

  • multiple linear cryptanalysis using 8 dependent trails [BV17]
  • conditional linear cryptanalysis [BP19]
  • analysis using a separable statistic [FS19]
  • cf. $2^{43}$ data / $2^{43}$ time / 0.85 [Mat94]

Our attacks have comparable complexities; advantageous with smaller data size.

SLIDE 28

Merits of the attack

  • Why efficient?
  • the linear statistic
      • separable: overhead in adding outer rounds minimized
      • almost the same as the optimal LLR statistic up to a constant
  • parity bits recovered at the same time ⇒ advantage increased
      • $\chi^2$ method does not consider recovering parity bits
      • existing LLR methods usually assume parity bits are known
  • multivariate normal distribution
      • allows to get estimates of attack complexity better than using order statistics

SLIDE 29

Generalization

  • Exploit close-to-dominant, dependent trails
  • Use modified hypotheses on the distributions of multivariate random variables
      • presume multivariate normal distributions but with different mean vectors and covariance matrices – need to be precomputed in advance
  • Perform the same procedure with similar statistics
  • Use linear statistics with varying coefficients
  • $Q_{\mathrm{S}}$, $Q_{\mathrm{fa}}$ can be computed in the same way for each attack
      • probability of regions represented by linear inequalities for a multivariate normal random variable

SLIDE 30

Conclusion

  • Multiple linear attacks using multiple dominant linear trails
      • statistical models regarding the distribution of vector valued random variables consisting of component statistics
      • closed formulas for success probability and advantage of various Algorithm 1 and Algorithm 2 style attacks in terms of data size, correlations of the trails, and threshold parameter incorporating the decomposition of outer key bits
      • best advantage among existing linear attacks when exploiting multiple dominant statistically independent trails
  • Application to DES
      • exhibit the validity of the statistical models
      • show the effectiveness of the attack