Abstract
In the context of linear cryptanalysis of block ciphers, let \(p_0\) (resp. \(p_1\)) be the probability that a particular linear approximation holds for the right (resp. a wrong) key choice. The standard right key randomisation hypothesis states that \(p_0\) is a constant \(p\ne 1/2\) and the standard wrong key randomisation hypothesis states that \(p_1=1/2\). Using these hypotheses, the success probability \(P_S\) of the attack can be expressed in terms of the data complexity \(N\). The resulting expression for \(P_S\) is a monotone increasing function of \(N\). Building on earlier work by O’Connor (In: Preneel B (ed) Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14–16 December 1994, Proceedings, volume 1008 of Lecture Notes in Computer Science, pp. 131–136. Springer, 1994) and Daemen and Rijmen (J Math Cryptol 1(3):221–242, 2007), Bogdanov and Tischhauser (In: Moriai S (ed) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pp. 19–38. Springer, 2013) argued that \(p_1\) should be considered to be a random variable. They postulated the adjusted wrong key randomisation hypothesis which states that \(p_1\) follows a normal distribution. A non-intuitive consequence is that the resulting expression for \(P_S\) is no longer a monotone increasing function of \(N\). A later work by Blondeau and Nyberg (Des Codes Cryptogr 82(1–2):319–349, 2017) argued that \(p_0\) should also be considered to be a random variable and they postulated the adjusted right key randomisation hypothesis which states that \(p_0\) follows a normal distribution. In this work, we revisit the key randomisation hypotheses.
While the argument that \(p_0\) and \(p_1\) should be considered to be random variables is indeed valid, we show that if \(p_0\) and \(p_1\) follow any distributions with supports which are subsets of \([0, 1]\), and \({\textbf{E}}[p_0]=p\) and \({\textbf{E}}[p_1]=1/2\), then the expression for \(P_S\) that is obtained is exactly the same as the one obtained using the standard key randomisation hypotheses. Consequently, \(P_S\) is a monotone increasing function of \(N\) even when \(p_0\) and \(p_1\) are considered to be random variables.






References
Ashur T., Beyne T., Rijmen V.: Revisiting the wrong-key-randomization hypothesis. IACR Cryptol. ePrint Arch. 2016, 990 (2016).
Blondeau C., Nyberg K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Cryptogr. 82(1–2), 319–349 (2017).
Bogdanov, A., Tischhauser, E.: On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2. In: Moriai S (ed) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pp. 19–38. Springer (2013)
Bogdanov A., Kavun E.B., Tischhauser E., Yalçin T.: Large-scale high-resolution computational validation of novel complexity models in linear cryptanalysis. J. Comput. Appl. Math. 259, 592–598 (2014).
Daemen J., Rijmen V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007).
Harpes, C., Kramer, G. G., Massey, J. L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou L. C., Quisquater J.-J. (eds.) Advances in Cryptology—EUROCRYPT ’95, International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 21–25, 1995, Proceeding, volume 921 of Lecture Notes in Computer Science, pp. 24–38, Springer (1995)
Junod, P., Vaudenay, S.: Optimal key ranking procedures in a statistical cryptanalysis. In: Johansson, T. (ed) Fast Software Encryption, 10th International Workshop, FSE 2003, Lund, Sweden, February 24–26, 2003, Revised Papers, volume 2887 of Lecture Notes in Computer Science, pp. 235–246, Springer (2003)
Kaliski Jr, B. S., Robshaw, M. J. B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y. (ed) Advances in Cryptology—CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21–25, 1994, Proceedings, volume 839 of Lecture Notes in Computer Science, pp. 26–39, Springer (1994)
Leander G.: Small scale variants of the block cipher PRESENT. IACR Cryptol. ePrint Arch. 2010, 143 (2010).
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed) Advances in Cryptology—EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 23–27, 1993, Proceedings, volume 765 of Lecture Notes in Computer Science, pp. 386–397, Springer (1993)
Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y. (ed) Advances in Cryptology—CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21–25, 1994, Proceedings, volume 839 of Lecture Notes in Computer Science, pp. 1–11, Springer (1994)
O’Connor, L.: Properties of linear approximation tables. In: Preneel, B. (ed) Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14–16 December 1994, Proceedings, volume 1008 of Lecture Notes in Computer Science, pp. 131–136, Springer (1994)
Samajder S., Sarkar P.: Another look at normal approximations in cryptanalysis. J. Math. Cryptol. 10(2), 69–99 (2016).
Samajder S., Sarkar P.: Correlations between (nonlinear) combiners of input and output of random functions and permutations. IACR Cryptol. ePrint Arch. 2017, 1219 (2017).
Samajder S., Sarkar P.: Success probability of multiple/multidimensional linear cryptanalysis under general key randomisation hypotheses. Cryptogr. Commun. 10(5), 835–879 (2018).
Samajder S., Sarkar P.: Another look at success probability of linear cryptanalysis. Adv. Math. Commun. 13(4), 645–688 (2019).
Selçuk A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008).
Acknowledgements
We thank the reviewers of the paper and the communicating editor for their kind comments.
Additional information
Communicated by T. Iwata.
About this article
Cite this article
Samajder, S., Sarkar, P. Another look at key randomisation hypotheses. Des. Codes Cryptogr. 91, 3837–3855 (2023). https://doi.org/10.1007/s10623-023-01272-y