A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations

  • Subhabrata Samajder
  • Palash Sarkar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


The log-likelihood ratio (LLR) and the chi-squared distribution-based test statistics have been proposed in the literature for performing statistical analysis of key recovery attacks on block ciphers. A limitation of the LLR test statistic is that its application requires the full knowledge of the corresponding distribution. Previous work using the chi-squared approach required approximating the distribution of the relevant test statistic by chi-squared and normal distributions. Problematic issues regarding such approximations have been reported in the literature. Perhaps more importantly, both the LLR and the chi-squared based methods are applicable only if the success probability \(P_S\) is greater than 0.5. On the other hand, an attack with success probability less than 0.5 is also of considerable interest. This work proposes a new test statistic for key recovery attacks which has the following features. Its application does not require the full knowledge of the underlying distribution; it is possible to carry out an analysis using this test statistic without using any approximations; and the method applies for all values of the success probability. The statistical analysis of the new test statistic follows the hypothesis testing framework and uses Hoeffding's inequalities to bound the probabilities of Type-I and Type-II errors.


Keywords: Multiple linear cryptanalysis; LLR statistic; Chi-squared statistic; Hoeffding inequality
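The Hoeffding-based error accounting that the abstract describes, worked through as an added example that is not from the paper: it uses the simplest possible statistic, the observed fraction of plaintext/ciphertext pairs satisfying a single linear approximation of bias eps under the usual right-key/wrong-key model (an assumption made here for illustration, not the paper's multi-approximation statistic), and bounds the Type-I and Type-II errors with Hoeffding's inequality, so no distributional approximation is needed and any target success probability, including one below 0.5, is handled the same way.

```python
import math
import random

# Constructed illustration, not the paper's statistic: one linear approximation
# holds for a fraction 1/2 + eps of pairs under the right key and for exactly
# 1/2 under a wrong key. A candidate key is accepted when the observed fraction
# over n pairs is at least the threshold tau.


def hoeffding_one_sided(n, t):
    """Pr[mean - E[mean] >= t] <= exp(-2 n t^2) for n independent [0,1] terms."""
    return 1.0 if t <= 0 else math.exp(-2.0 * n * t * t)


def error_bounds(n, eps, tau):
    """Upper bounds on (Type-I, Type-II) error. Type-I rejects the right key
    (its mean falls below tau); Type-II accepts a wrong key (mean reaches tau).
    Only the mean and the range of the terms are used, not their distribution."""
    type1 = hoeffding_one_sided(n, (0.5 + eps) - tau)
    type2 = hoeffding_one_sided(n, tau - 0.5)
    return type1, type2


def data_complexity(eps, alpha, beta):
    """Smallest n for which the midpoint threshold tau = 1/2 + eps/2 gives
    Type-I <= alpha and Type-II <= beta, i.e. success probability >= 1 - alpha.
    Any alpha in (0, 1) works, so a target below 1/2 needs no special case."""
    n = math.ceil(2.0 * max(math.log(1 / alpha), math.log(1 / beta)) / (eps * eps))
    return n, 0.5 + eps / 2


def simulate_error_rates(n, eps, tau, trials, seed=1):
    """Empirical Type-I and Type-II rates over `trials` runs under each
    hypothesis, to compare against the (loose) Hoeffding bounds."""
    rng = random.Random(seed)

    def observed_fraction(p):
        return sum(rng.random() < p for _ in range(n)) / n

    type1 = sum(observed_fraction(0.5 + eps) < tau for _ in range(trials)) / trials
    type2 = sum(observed_fraction(0.5) >= tau for _ in range(trials)) / trials
    return type1, type2


if __name__ == "__main__":
    n, tau = data_complexity(eps=0.05, alpha=0.1, beta=0.1)
    print("n =", n, "tau =", tau, "bounds:", error_bounds(n, 0.05, tau))
    print("observed:", simulate_error_rates(n, 0.05, tau, trials=100))
```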



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

Applied Statistics Unit, Indian Statistical Institute, Kolkata, India
