Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Statistics in Cryptanalysis

Subhabrata Samajder

Indian Statistical Institute, Kolkata 24th May, 2017

0/35

slide-2
SLIDE 2

Cryptanalysis of Affine Cipher

Outline

  1. Cryptanalysis of Affine Cipher
  2. Hypothesis Testing
  3. Linear Cryptanalysis

0/35


slide-4
SLIDE 4

Cryptanalysis of Affine Cipher

Symmetric-Key Setup

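[Figure: Alice encrypts plaintext P under key K and sends ciphertext C to Bob over an insecure channel observed by Eve; Bob decrypts C under K to recover P. The key K is shared over a secure channel (key exchange).]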

2/35


slide-7
SLIDE 7

Cryptanalysis of Affine Cipher

Affine Cipher

  • Encryption: $y = e(x) = (ax + b) \bmod 26$, where $a, b \in \mathbb{Z}_{26}$ are such that $\gcd(a, 26) = 1$.
  • Decryption: $d(y) = a^{-1}(y - b) \bmod 26$.
  • The plaintext is ordinary English text, without punctuation or spaces.
  • The attack is a ciphertext-only attack.

3/35

slide-8
SLIDE 8

Cryptanalysis of Affine Cipher

Statistical Properties of English Language

Relative frequencies of the 26 letters, compiled from numerous novels, magazines and newspapers. The following table was obtained by Beker and Piper.

| Letter | Probability | Letter | Probability |
|--------|-------------|--------|-------------|
| A | 0.082 | N | 0.067 |
| B | 0.015 | O | 0.075 |
| C | 0.028 | P | 0.019 |
| D | 0.043 | Q | 0.001 |
| E | 0.127 | R | 0.060 |
| F | 0.022 | S | 0.063 |
| G | 0.020 | T | 0.091 |
| H | 0.061 | U | 0.028 |
| I | 0.070 | V | 0.010 |
| J | 0.002 | W | 0.023 |
| K | 0.008 | X | 0.001 |
| L | 0.040 | Y | 0.020 |
| M | 0.024 | Z | 0.001 |

4/35

slide-9
SLIDE 9

Cryptanalysis of Affine Cipher

Statistical Properties of English Language (Cont.)

Partition the 26 letters into five groups:

  • E, having probability of about 0.120.
  • T, A, O, I, N, S, H, R, each having probability between 0.06 and 0.09.
  • D, L, each having probability around 0.04.
  • C, U, M, W, F, G, Y, P, B, each having probability between 0.015 and 0.028.
  • V, K, J, X, Q, Z, each having probability less than 0.01.

5/35

slide-10
SLIDE 10

Cryptanalysis of Affine Cipher

Statistical Properties of English Language (Cont.)

It is also useful to consider the distributions of digrams and trigrams. Some of the most common digrams (in decreasing order) are

  • TH, HE, IN, ER, AN, RE, ED, . . .

Some of the most common trigrams (in decreasing order) are

  • THE, ING, AND, HER, ERE, ENT, . . .

6/35


slide-12
SLIDE 12

Cryptanalysis of Affine Cipher

Ciphertext obtained

FMXVEDKAPHFERBNDKRX
RSREFMORUDSDKDVSHVU
FEDKAPRKDLYEVLRHHRH

Total: 57 characters.

7/35

slide-13
SLIDE 13

Cryptanalysis of Affine Cipher

Empirical distribution

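| Letter | Frequency | Letter | Frequency |
|--------|-----------|--------|-----------|
| A | 2 | N | 1 |
| B | 1 | O | 1 |
| C | 0 | P | 2 |
| D | 7 | Q | 0 |
| E | 5 | R | 8 |
| F | 4 | S | 3 |
| G | 0 | T | 0 |
| H | 5 | U | 2 |
| I | 0 | V | 4 |
| J | 0 | W | 0 |
| K | 5 | X | 2 |
| L | 2 | Y | 1 |
| M | 2 | Z | 0 |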

8/35

slide-14
SLIDE 14

Cryptanalysis of Affine Cipher

Empirical distribution (Cont.)

Most frequent ciphertext letters:

  • R - 8
  • D - 7
  • E, H, K - 5
  • F, S, V - 4

9/35


slide-17
SLIDE 17

Cryptanalysis of Affine Cipher

Inference

Initial guess: Let e(e) = R and e(t) = D. This implies

  • $4a + b = 17$
  • $19a + b = 3$

(both modulo 26). Solving: a = 6, b = 19. But gcd(a, 26) = 2 > 1.

10/35


slide-23
SLIDE 23

Cryptanalysis of Affine Cipher

Inference (Cont.)

  • Next guess: Let e(e) = R and e(t) = E. Proceeding as earlier, we get a = 13. Again, gcd(a, 26) = 2 > 1.
  • . . .
  • Next guess: Let e(e) = R and e(t) = K. Proceeding as earlier, we get a = 3 and b = 5. In this case, gcd(a, 26) = 1.

11/35


slide-26
SLIDE 26

Cryptanalysis of Affine Cipher

Verification

It remains to check whether the ciphertext decrypted with K = (3, 5) gives a meaningful string of English.

Decrypting . . .

algorithmsarequitegeneraldefinitionsofarithmeticprocesses
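The guess, solve and verify loop of the preceding slides as a runnable sketch (an added example, not part of the original slides). The function names, the alphabetical tie-break among equally frequent letters, and the use of a chi-squared score against the Beker and Piper table as the "meaningful English" check are assumptions of this example.

```python
from collections import Counter
from math import gcd
from string import ascii_uppercase

# Ciphertext from the slides (57 letters).
CIPHERTEXT = (
    "FMXVEDKAPHFERBNDKRX"
    "RSREFMORUDSDKDVSHVU"
    "FEDKAPRKDLYEVLRHHRH"
)

# Beker-Piper letter probabilities from the slides, in order A..Z.
ENGLISH = dict(zip(ascii_uppercase, [
    .082, .015, .028, .043, .127, .022, .020, .061, .070, .002, .008, .040, .024,
    .067, .075, .019, .001, .060, .063, .091, .028, .010, .023, .001, .020, .001,
]))


def num(ch):
    """Map 'A'..'Z' to 0..25."""
    return ord(ch) - ord("A")


def solve_key(p1, c1, p2, c2):
    """Solve a*p1 + b = c1 and a*p2 + b = c2 (mod 26) for (a, b).

    Returns None when p1 - p2 is not invertible mod 26, because the
    system then has no unique solution.
    """
    dp = (num(p1) - num(p2)) % 26
    dc = (num(c1) - num(c2)) % 26
    if gcd(dp, 26) != 1:
        return None
    a = dc * pow(dp, -1, 26) % 26
    b = (num(c1) - a * num(p1)) % 26
    return a, b


def decrypt(ciphertext, a, b):
    """d(y) = a^-1 (y - b) mod 26; requires gcd(a, 26) = 1."""
    a_inv = pow(a, -1, 26)
    return "".join(
        chr(a_inv * (num(y) - b) % 26 + ord("a")) for y in ciphertext
    )


def chi_squared(text):
    """Distance between the letter counts of text and the English table."""
    n = len(text)
    counts = Counter(text.upper())
    return sum((counts[l] - n * p) ** 2 / (n * p) for l, p in ENGLISH.items())


def candidate_keys(ciphertext, n_guesses=6):
    """Guess e -> most frequent letter and t -> each of the next letters.

    Returns (guess_for_t, a, b, is_valid_key) for every solvable guess.
    """
    ranked = sorted(Counter(ciphertext).items(), key=lambda kv: (-kv[1], kv[0]))
    top = ranked[0][0]
    out = []
    for letter, _ in ranked[1:1 + n_guesses]:
        key = solve_key("E", top, "T", letter)
        if key is not None:
            a, b = key
            out.append((letter, a, b, gcd(a, 26) == 1))
    return out


def attack(ciphertext, n_guesses=6):
    """Return (key, plaintext) for the valid candidate that looks most English."""
    valid = [(a, b) for _, a, b, ok in candidate_keys(ciphertext, n_guesses) if ok]
    if not valid:
        return None
    best = min(valid, key=lambda k: chi_squared(decrypt(ciphertext, *k)))
    return best, decrypt(ciphertext, *best)


if __name__ == "__main__":
    for guess, a, b, ok in candidate_keys(CIPHERTEXT):
        print(f"e->R, t->{guess}: a={a:2d} b={b:2d} valid={ok}")
    print(attack(CIPHERTEXT))
```

The skipped guess between E and K (e(t) = H) also appears in the output and is rejected for the same reason as the first two.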

12/35


slide-29
SLIDE 29

Cryptanalysis of Affine Cipher

Summary

  • Structural Analysis: Prior information about, or the distribution of, some aspect of the cipher is known.
  • Statistical Analysis: The attacker has in his/her possession a sample or data of size N. This information along with the data is used to statistically analyse the given cipher. A (small) list L of candidate secret keys (full or partial) is recovered.
  • Verification: Using the N data items, each candidate key from the list L is verified to find the correct secret key.

13/35

slide-30
SLIDE 30

Cryptanalysis of Affine Cipher

Question?

What should the value of N be so that the attack finds the correct key “most of the time”?

14/35


slide-37
SLIDE 37

Hypothesis Testing

Sampling

  • With replacement.
  • Without replacement.
      • Makes no sense when the population is infinite.

16/35


slide-42
SLIDE 42

Hypothesis Testing

Test Statistics

  • Let the population follow some arbitrary distribution P.
  • Random sample of size N: $(X_1, \ldots, X_N)$ such that $X_i \overset{\text{i.i.d.}}{\sim} P$.
  • A sample of size N: a particular instance of $(X_1, \ldots, X_N)$, denoted by $(x_1, \ldots, x_N)$.
  • Test statistic: $T \equiv f(X_1, \ldots, X_N)$.
  • A particular instance is then denoted by $t = f(x_1, \ldots, x_N)$.

17/35


slide-47
SLIDE 47

Hypothesis Testing

Hypothesis Testing

A statistical hypothesis in general refers to an assumption of any sort about the distribution function $F(x)$ (say) of the population P.

Assume that $F(x)$ has a known functional form which involves a number of unknown parameters $\theta_1, \theta_2, \ldots, \theta_k$.

  • Example: Normal distribution $N(\mu, \sigma^2)$, where $\mu \in \mathbb{R}$ and $\sigma^2 \in \mathbb{R}_{\geq 0}$ are its parameters.

Let $\Theta = (\theta_1, \theta_2, \ldots, \theta_k)$.

Hypothesis: A hypothesis is then any assumption regarding the parameters $\theta_1, \theta_2, \ldots, \theta_k$.

  • Example: $H_0 : \mu = 2,\ \sigma^2 = 0.1$.

18/35


slide-50
SLIDE 50

Hypothesis Testing

Null vs. Alternate Hypothesis

Null Hypothesis: We shall very often make a hypothesis wishing it to be accepted by the test; such a hypothesis is called a null hypothesis.

Alternate Hypothesis: Sometimes it so happens that we know for certain that either $\Theta \in \omega_0$ or $\Theta \in \omega_A$, where $\omega_0$ and $\omega_A$ are two disjoint point sets in $P^k$, and it remains for us to decide between the two by means of a test. If we have a priori reasons to be more inclined to believe in the first hypothesis, then we set up the null hypothesis $H_0 : \Theta \in \omega_0$ to be tested against the alternative hypothesis $H_1 : \Theta \in \omega_A$, hoping that the null hypothesis will be accepted by the test and thereby confirm our belief. Then $H_1 : \Theta \in \omega_A$ is called the alternate hypothesis.

19/35


slide-53
SLIDE 53

Hypothesis Testing

General Form Of A Test

  • Let $\tilde{x} = (x_1, x_2, \ldots, x_N)$ be a sample of size N drawn from the population P.
  • On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis.
  • The mathematical formulation of this evidence is known as a test of the hypothesis $H_0$.

20/35


slide-56
SLIDE 56

Hypothesis Testing

General Form Of A Test (Cont.)

  • A test of the hypothesis $H_0$, in its general form, consists in choosing a region $W$ in the sample space $\mathbb{R}^n$.
  • If the observed position of the sample point $\tilde{x} \in W$, then $H_0$ is rejected, and if $\tilde{x} \in W^c$, then $H_0$ is accepted.
  • $W$ is called the rejection region or the critical region, and $W^c$ is the acceptance region of the test.

21/35

slide-57
SLIDE 57

Hypothesis Testing

Error Probabilities

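|            | $\tilde{x} \in W$ | $\tilde{x} \in W^c$ |
|------------|-------------------|---------------------|
| $H_0$ true | Type-I Error      | Accept              |
| $H_1$ true | Reject            | Type-II Error       |

Type-I Error Probability: $\Pr[\tilde{X} \in W \mid H_0 \text{ holds}]$.

Type-II Error Probability: $\Pr[\tilde{X} \in W^c \mid H_1 \text{ holds}] = 1 - \Pr[\tilde{X} \in W \mid H_1 \text{ holds}] = 1 - \beta(W)$,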

22/35


slide-60
SLIDE 60

Linear Cryptanalysis

Substitution-Permutation Network (SPN)

[Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys’s Tutorial). Plaintext bits P1 . . . P16 pass through Rounds 1 to 4; round i consists of sub-key k(i) mixing followed by the S-boxes Si1, Si2, Si3, Si4. A final sub-key k(5) mixing produces ciphertext bits C1 . . . C16.]

24/35


slide-67
SLIDE 67

Linear Cryptanalysis

Substitution-Permutation Network (SPN) (Cont.)

  • Consider an $(r + 1)$-round cipher.
  • Round keys are $n$ bits long.
  • Round keys: $k^{(0)}, k^{(1)}, \ldots$
  • Round functions: $R^{(0)}_{k^{(0)}}, R^{(1)}_{k^{(1)}}, \ldots$
  • Each round function is a bijection of $\{0, 1\}^n$.
  • $K^{(i)} = k^{(0)} \,\|\, k^{(1)} \,\|\, \cdots \,\|\, k^{(i-1)}$
  • $E^{(1)}_{K^{(1)}} = R^{(0)}_{k^{(0)}}$;
    $E^{(i)}_{K^{(i)}} = R^{(i-1)}_{k^{(i-1)}} \circ \cdots \circ R^{(0)}_{k^{(0)}} = R^{(i-1)}_{k^{(i-1)}} \circ E^{(i-1)}_{K^{(i-1)}}, \quad i \geq 1.$

25/35


slide-72
SLIDE 72

Linear Cryptanalysis

Design Goals

  • Compact and efficient in hardware and/or software.
  • Secure.

Attack Types:

  • Linear Cryptanalysis
  • Differential Cryptanalysis
  • Distinguishing Attacks
  • . . .

Known Plaintext Attacks:

  • Cipher is instantiated with a secret key $K$.
  • $N$ plaintext-ciphertext pairs $(P_1, C_1), \ldots, (P_N, C_N)$ sought, such that each $C_i = E_K(P_i)$.
  • Goal: Obtain the secret key.

26/35


slide-77
SLIDE 77

Linear Cryptanalysis

Key Recovery Attacks: A Top-Level View

Structural analysis:

  • A detailed study of the target algorithm to obtain a measurable deviation from “randomness”.
  • Identify a target sub-key. Let the size of the target sub-key be $m$ bits.

Statistical analysis: Obtain a tractable (closed form) relation between the following three quantities:

  • $N$: data complexity.
  • $P_S$: (lower bound on the) success probability.
  • $a$: the (expected) number of false alarms is (at most) a fraction $2^{-a}$ of the number of all the $2^m$ possible choices of the target sub-key.

27/35


slide-83
SLIDE 83

Linear Cryptanalysis

Linear Cryptanalysis

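[Figure: an $(r + 1)$-round cipher. The $n$-bit plaintext $P$ (mask $\Gamma_P$) passes through Round 1 to Round $r$ under round keys $k^{(0)}, k^{(1)}, \ldots, k^{(r-1)}$, with $K^{(r)} = k^{(0)} \| k^{(1)} \| \cdots \| k^{(r-1)}$ (mask $\Gamma_K$), giving $B$ (mask $\Gamma_B$). Round $(r + 1)$ under $k^{(r)}$, with $m$-bit target sub-key $\kappa$, produces the $n$-bit ciphertext $C$.]

  • Proposed by Matsui in EUROCRYPT ’93.
  • Random variable: $L = \langle \Gamma_P, P \rangle \oplus \langle \Gamma_B, B \rangle$
  • Inner key bit: $z = \langle \Gamma_K, K^{(r)} \rangle$
  • Linear approximation: $L = z$

$$\Pr[L = z] = \begin{cases} p & \text{if } \kappa = \kappa^*, \\ 1/2 & \text{if } \kappa \neq \kappa^*. \end{cases}$$

  • Source of randomness: $P_1, \ldots, P_N$.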

28/35


slide-88
SLIDE 88

Linear Cryptanalysis

Linear Cryptanalysis (Cont.)

  • $P_1, \ldots, P_N$ are assumed to be independent and uniformly distributed.
  • The key is unknown but fixed.
  • Test statistics: $T_\kappa = |W_\kappa|$, where $W_\kappa = (L_{\kappa,1} + \cdots + L_{\kappa,N}) - 1/2$;
  • Each $L_{\kappa,j}$ follows a Bernoulli distribution.
  • $W_\kappa$ follows a Binomial distribution, which can be approximated by a normal distribution.
      • $\kappa$ incorrect: $T_\kappa$ approximately follows a half normal distribution.
      • $\kappa$ correct: $T_\kappa$ approximately follows a folded normal distribution.

29/35


slide-92
SLIDE 92

Linear Cryptanalysis

Key Recovery via Hypothesis Testing

Data: $(P_1, C_1), \ldots, (P_N, C_N)$, where

  • $P_1, \ldots, P_N$ are independent and uniform random $n$-bit strings;
  • $C_1, \ldots, C_N$ are determined by $\kappa^*$ (the actual target sub-key);
  • $B_{\kappa,1}, \ldots, B_{\kappa,N}$ are determined by the choice of $\kappa$.

Test statistics: For a particular choice $\kappa \in \{0, 1\}^m$ of the target sub-key, $T_\kappa \equiv |W_\kappa|$, where the mean and variance of $W_\kappa$ are given by

  • $\mu_0 = E[W_{\kappa^*}] = Np$ and $\mu_1 = E[W_\kappa \mid H_1] = N/2$.
  • $\sigma_0^2 = \mathrm{Var}(W_{\kappa^*}) = Np(1 - p)$ and $\sigma_1^2 = \mathrm{Var}(W_\kappa \mid H_1) = N/4$.

30/35


slide-97
SLIDE 97

Linear Cryptanalysis

Key Recovery via Hypothesis Testing

Hypothesis Testing Set-Up: $H_0$: $\kappa$ is correct; versus $H_1$: $\kappa$ is incorrect.

Decision Rule: Reject $H_0$ if $T_\kappa < t$.

  • $\Pr[\text{Type-I error}] = \Pr[T \leq t \mid H_0 \text{ holds}] \leq \alpha$
  • $\Pr[\text{Type-II error}] = \Pr[T > t \mid H_1 \text{ holds}] \leq \beta$
  • $\Pr[\text{succ}] = 1 - \Pr[\text{Type-I error}] \geq 1 - \alpha = P_S$.

Requirement: Obtain the distributions of $T_\kappa$ under $H_0$ and $H_1$.

Data Complexity: $N$

Goal: Express $N$ in terms of $a$ and $P_S$.

31/35

slide-98
SLIDE 98

Linear Cryptanalysis

Key Recovery via Hypothesis Testing

Relating to the advantage:

  • Each Type-II error causes a false positive.
  • There are a total of $2^m$ hypothesis tests, of which $2^m - 1$ are with incorrect $\kappa$.
  • So, the expected number of false positives is $\beta(2^m - 1) \approx \beta 2^m$.
  • Advantage $a$ implies that the size of the false alarm list is $2^{m-a}$.
  • Equating to $\beta 2^m$ gives $\beta = 2^{-a}$.

32/35

slide-99
SLIDE 99

Linear Cryptanalysis

Type-I Error Probability

Assume µ0 > µ1.

33/35

slide-100
SLIDE 100

Linear Cryptanalysis

Type-I Error Probability

Assume µ0 > µ1. The other case can be handled similarly.

33/35

slide-101
SLIDE 101

Linear Cryptanalysis

Type-I Error Probability

Assume µ0 > µ1. The other case can be handled similarly.

Pr[Type-I Error] = Pr [Tκ ≤ t |H0 holds ] = Pr

  • σ1t +

√ N(µ0 − µ1) σ0

  • ≤ Wκ∗ ≤

σ1t − √ N(µ0 − µ1) σ0

Pr

  • −∞ ≤ Wκ∗ ≤

σ1t − √ N | µ0 − µ1 | σ0

  • =

Φ

  • σ1t −

√ N | µ0 − µ1 | σ0

  • = α (say).

33/35

slide-102
SLIDE 102

Linear Cryptanalysis

Type-I Error Probability

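Assume $\mu_0 > \mu_1$. The other case can be handled similarly.

$$
\begin{aligned}
\Pr[\text{Type-I Error}] &= \Pr[T_\kappa \leq t \mid H_0 \text{ holds}] \\
&= \Pr\left[ -\frac{\sigma_1 t + \sqrt{N}(\mu_0 - \mu_1)}{\sigma_0} \leq W_{\kappa^*} \leq \frac{\sigma_1 t - \sqrt{N}(\mu_0 - \mu_1)}{\sigma_0} \right] \\
&\leq \Pr\left[ -\infty \leq W_{\kappa^*} \leq \frac{\sigma_1 t - \sqrt{N}\,|\mu_0 - \mu_1|}{\sigma_0} \right] \\
&= \Phi\left( \frac{\sigma_1 t - \sqrt{N}\,|\mu_0 - \mu_1|}{\sigma_0} \right) = \alpha \text{ (say)}.
\end{aligned}
$$

Using $P_S = 1 - \alpha$, we get

$$\sigma_1 t = -\sigma_0 \Phi^{-1}(P_S) + |\mu_0 - \mu_1| \sqrt{N}. \qquad (1)$$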

33/35


slide-107
SLIDE 107

Linear Cryptanalysis

Type-II Error Probability

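$$
\begin{aligned}
\beta = \Pr[\text{Type-II Error}] &= \Pr[T_\kappa > t \mid \kappa \neq \kappa^*] \\
&= \Pr[|W_\kappa| > t \mid \kappa \neq \kappa^*] \\
&= \Pr[W_\kappa < -t \mid \kappa \neq \kappa^*] + \Pr[W_\kappa > t \mid \kappa \neq \kappa^*] \\
&= \Phi(-t) + 1 - \Phi(t) = 2\,(1 - \Phi(t)).
\end{aligned}
$$

Therefore, we get

$$t = \Phi^{-1}(1 - \beta/2). \qquad (2)$$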

34/35


slide-109
SLIDE 109

Linear Cryptanalysis

Type-II Error Probability

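Eliminating $t$ from (1) and (2), we get

$$N = \frac{\left( \sigma_1 \Phi^{-1}(1 - \beta/2) + \sigma_0 \Phi^{-1}(P_S) \right)^2}{(\mu_0 - \mu_1)^2}.$$

Putting $\beta = 2^{-a}$ and $p = (1 + c)/2$, we get

$$N = \frac{\left( \Phi^{-1}\left(1 - 2^{-a-1}\right) + \sqrt{1 - c^2}\, \Phi^{-1}(P_S) \right)^2}{c^2}.$$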
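A numerical check of the final formula (an added example, not part of the original slides): it computes N and the threshold t from equation (2), then simulates the test for the correct and for incorrect sub-keys and compares the observed rates with P_S and 2^{-a}. It assumes c > 0 and reads W_κ as the number of ones among the L_{κ,j}, standardised under H1 (mean N/2, variance N/4), which is the reading under which β = 2(1 − Φ(t)) holds; the function names and the parameters a = 8, P_S = 0.95, c = 0.1 are illustrative.

```python
import random
from math import ceil, sqrt
from statistics import NormalDist

PHI_INV = NormalDist().inv_cdf  # inverse of the standard normal CDF


def threshold(a):
    """Equation (2) with beta = 2^-a: t = Phi^-1(1 - 2^(-a-1))."""
    return PHI_INV(1 - 2 ** (-a - 1))


def data_complexity(a, p_s, c):
    """N from the closed form on the last slide, rounded up to an integer."""
    numerator = threshold(a) + sqrt(1 - c * c) * PHI_INV(p_s)
    return ceil(numerator ** 2 / (c * c))


def statistic(ones, n):
    """T = |W|, with W the count of ones standardised under H1."""
    return abs((ones - n / 2) / (sqrt(n) / 2))


def simulate(a, p_s, c, right_trials=2000, wrong_trials=20000, seed=1):
    """Monte Carlo estimate of success probability and false-alarm rate.

    Correct sub-key: each L_j is Bernoulli(p) with p = (1 + c) / 2.
    Incorrect sub-key: each L_j is Bernoulli(1/2).
    A sub-key is kept (H0 not rejected) when T > t.
    """
    rng = random.Random(seed)
    n = data_complexity(a, p_s, c)
    t = threshold(a)
    p = (1 + c) / 2

    kept_right = 0
    for _ in range(right_trials):
        ones = sum(rng.random() < p for _ in range(n))
        kept_right += statistic(ones, n) > t

    kept_wrong = 0
    for _ in range(wrong_trials):
        # n fair coin flips in one call: popcount of n random bits
        ones = bin(rng.getrandbits(n)).count("1")
        kept_wrong += statistic(ones, n) > t

    return n, kept_right / right_trials, kept_wrong / wrong_trials


if __name__ == "__main__":
    a, p_s, c = 8, 0.95, 0.1
    n, success, false_alarm = simulate(a, p_s, c)
    print(f"N = {n}, t = {threshold(a):.3f}")
    print(f"success rate     {success:.3f}  (target P_S = {p_s})")
    print(f"false-alarm rate {false_alarm:.5f}  (target 2^-a = {2 ** -a:.5f})")
```

Halving c roughly quadruples N, which is the 1/c² dependence in the formula.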

35/35

slide-110
SLIDE 110

Linear Cryptanalysis

Thank you for your kind attention!

35/35