Multiple (Truncated) Differential Cryptanalysis: Explicit Upper Bounds on Data Complexity

Abstract

Statistical analyzes of multiple (truncated) differential attacks are considered in this paper. Following the work of Blondeau and Gérard, the most general situation of multiple differential attack where there are no restrictions on the set of differentials is studied. We obtain closed form upper bounds on the data complexity in terms of the success probability and the advantage of an attack. This is done under two scenarios – one, where an independence assumption used by Blondeau and Gérard is assumed to hold and second, where no such assumption is made. The first case employs the Chernoff bounds while the second case uses the Hoeffding bounds from the theory of concentration inequalities. In both cases, we do not make use of any approximations in our analysis. Moreover, the results are more generally applicable compared to previous works. The analysis without the independence assumption is the first of its kind in the literature. We believe that the current work places the statistical analysis of multiple (truncated) differential attack on a more rigorous foundation than what was previously known.

Appendices

Appendix A: Concentration inequalities

1.1 A.1 Chernoff bounds

We briefly recall some results on tail probabilities of sums of Poisson trials that will be used. These results can be found in standard texts such as [23, 24] and are usually referred to as the Chernoff bounds.

Theorem 4

Let X ₁,X ₂,…,X _λ be a sequence of independent Poisson trials such that for1 ≤ i ≤ λ , Pr[X _i = 1] = p _i . Then for \(X = {\sum }_{i = 1}^{\lambda }X_{i}\) and \(\mu = E\left [ X \right ] = {\sum }_{i = 1}^{\lambda }p_{i}\) the following bounds hold:

$$\begin{array}{@{}rcl@{}} \text{For any \(\gamma > 0\), } \Pr\left[ X \geq (1 + \gamma) \mu \right] < \left( \frac{e^{-\gamma}}{(1 + \gamma)^{(1 + \gamma)}}\right)^{\mu}. \end{array} $$

(27)

$$\begin{array}{@{}rcl@{}} \text{For any \(0 < \gamma < 1\), } \Pr\left[ X \leq (1 - \gamma) \mu \right] \leq \left( \frac{e^{-\gamma}}{(1 - \gamma)^{(1 - \gamma)}}\right)^{\mu}. \end{array} $$

(28)

These bounds can be simplified to the following form.

$$\begin{array}{@{}rcl@{}} \text{For any \(0 < \gamma \leq 1\), } \Pr\left[ X \geq (1 + \gamma) \mu \right] \leq e^{-\mu\gamma^{2}/3}. \end{array} $$

(29)

$$\begin{array}{@{}rcl@{}} \text{For any \(0 < \gamma < 1\), } \Pr\left[ X \leq (1 - \gamma) \mu \right] \leq e^{-\mu\gamma^{2}/2}. \end{array} $$

(30)

1.2 A.2 Hoeffding inequality

we briefly recall Hoeffding’s inequality for sum of independent random variables. The result can be found in standard texts such as [23].

Theorem 5 (Hoeffding Inequality)

Let, X ₁,X ₂,…,X _λ be a finite sequence of independent random variables, such that for all i = 1,…,λ , there exists real numbers \(a_{i}, b_{i} \in \mathbb {R}\) , with a _i < b _i and a _i ≤ X _i ≤ b _i . Let \(X = {\sum }_{i = 1}^{\lambda } X_{i}\) . Then for any positive t > 0,

$$\begin{array}{@{}rcl@{}} \Pr[X - E[X] \geq t] & \leq & \exp\left( -\frac{2t^{2}}{D_{\lambda}}\right) , \end{array} $$

(31)

$$\begin{array}{@{}rcl@{}} \Pr[X - E[X] \leq -t] & \leq & \exp\left( -\frac{2t^{2}}{D_{\lambda}}\right) , \end{array} $$

(32)

$$\begin{array}{@{}rcl@{}} \Pr[|X - E[X]| \geq t] & \leq & 2\exp\left( -\frac{2t^{2}}{D_{\lambda}}\right) ; \end{array} $$

(33)

where \(D_{\lambda } = {\sum }_{i = 1}^{\lambda } (b_{i} - a_{i})^{2}.\)

Appendix B: On the expressions for data complexity in [7]

The work by Blondeau and Gérard [7] provides expressions relating success probability, advantage and the data complexity of mutliple differential cryptanalysis. These are given in Corollaries 1 and 2 of [7] and have been earlier stated in this work as (7) and (9). In this section, we consider these expressions further.

The expressions for G(x) (and G ^∗(x)) required for (9) are given in Proposition 1 of [7]. We reproduce these expressions below.

From Proposition 1 of [7]

Let \(G_{\mathcal {P}}(\tau ,q)\) be the cumulative distribution function of the Poisson distribution with parameter q N _s . Let G ₋(τ,q) and G ₊(τ,q) be as defined in [7, Theorem 3]. Define G(τ,q) as

$$\begin{array}{@{}rcl@{}} G(\tau,q) & \overset{\text{def}}{=} & \left\{ \begin{array}{ll} G_{-}(\tau,q) & \text{if } \tau<q-3\cdot\sqrt{q/N_{s}}, \\ 1-G_{+}(\tau,q) & \text{if } \tau>q + 3\cdot\sqrt{q/N_{s}}, \\ G_{\mathcal{P}}(\tau,q) & \text{otherwise.} \end{array} \right. \end{array} $$

(34)

The functions G and G ^∗ are defined as follows.

$$ G^{*}(\tau)\overset{\text{def}}{=} G(\tau,p_{*}) \text{ and } G(\tau)\overset{\text{def}}{=} G(\tau,p), $$

(35)

where

$$\begin{array}{@{}rcl@{}} p_{*} = \frac{{\sum}_{i,j} p_{*}^{(i,j)}}{\nu_{0}}; \text{ and } & p = \frac{{\sum}_{i,j} p^{(i,j)}}{\nu_{0}}\approx \frac{{\sum}_{i = 1}^{\nu_{0}}\nu_{i}}{2^{m}\nu_{0}}. \\ \end{array} $$

The functions G ₋(τ,q) and G ₊(τ,q) used in the above definition of G(x) and G ^∗(x) are given in [7, Theorem 3] as follows:

$$\begin{array}{@{}rcl@{}} \left. \begin{array}{rcl} G_{-}(\tau,q) & \overset{\text{def}}{=} & e^{-N_{s} D(\tau||q)} \cdot\left[\frac{q\sqrt{1-\tau}}{(q-\tau)\sqrt{2\pi\tau N_{s}}} + \frac{1}{\sqrt{8\pi\tau N_{s}}} \right], \\ G_{-}(\tau,q) & \overset{\text{def}}{=} & e^{-N_{s} D(\tau||q)} \cdot\left[\frac{(1-q)\sqrt{\tau}}{(\tau-q)\sqrt{2\pi N_{s}(1-\tau)}} + \frac{1}{\sqrt{8\pi\tau N_{s}}} \right]. \end{array}\right\} \end{array} $$

(36)

In the above,

$$ N_{s} = \frac{\nu_{0} N^{\prime}}{2} $$

(37)

where N ^′ is the data complexity and D(⋅) is the Kullback-Liebler divergence.

It is required to combine (9), (10), (34), (35), (36) and (37) to obtain a single expression involving N ^′, P _S and a. Then, it is required to solve this expression for N ^′ in terms of P _S and a. It is not possible to obtain any meaningful closed form expression for N ^′. On the other hand, an expression for P _S in terms of N ^′ can be obtained by combining (9), (10), (34), (35), (36) and (37). (In fact, the plots given in [7] are that of P _S expressed as a function of N ^′.) It should be possible to use some numerical analysis technique, such as the bisection method, on this expression to solve for N ^′ for a specified value of P _S . Though the earlier work [10] describes such a method, it has not been used in [7]. In this context we note that the proof of Corollary 1 of [7] refers to [10] for use of the fixed point method for solving an equation arising in the proof. Applicability of the fixed point method to solve for N ^′ for any specific value of P _S has not been discussed in [7].