Open Access, CC BY-NC-ND 3.0 license. Published by De Gruyter, May 18, 2016

Another look at normal approximations in cryptanalysis

  • Subhabrata Samajder and Palash Sarkar

Abstract

Statistical analysis of attacks on symmetric ciphers often requires assuming the normal behaviour of a test statistic. Typically such an assumption is made in an asymptotic sense. In this work, we consider concrete versions of some important normal approximations that have been made in the literature. To do this, we use the Berry–Esséen theorem to derive explicit bounds on the approximation errors. A basic mathematical requirement is that such approximation errors should be within reasonable bounds, a point which appears to have been overlooked in many of the earlier works on statistical aspects of cryptanalysis. Interpreting the error bounds in the cryptanalytic context yields several surprising results. One important implication is that this puts in doubt the applicability of the order statistics based approach for analysing key recovery attacks on block ciphers. This approach has been earlier used to obtain several results on the data complexities of (multiple) linear and differential cryptanalysis. The non-applicability of the order statistics based approach puts a question mark on the data complexities obtained using this approach. Fortunately, we are able to recover all of these results by utilising the hypothesis testing framework. This, however, necessitates using normal approximations for the χ2 and the LLR test statistics considered in earlier works. These approximations themselves have issues which seem to be difficult to resolve satisfactorily. More generally, the message of our work is that all cryptanalytic attacks should properly derive and interpret the error bounds for any (normal) approximation that is made.
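The abstract's central point, that a normal approximation is only usable when its Berry–Esséen error bound is small relative to the probabilities being estimated, can be made concrete with a short calculation. The following is an added example, not code from the paper; it models a test statistic as a sum of i.i.d. Bernoulli(p) counts (the standard model for a linear-approximation counter), uses Tyurin's 2010 value 0.4784 for the Berry–Esséen constant, and all parameter choices (bias 2^-10, 2^23 samples, threshold placement) are constructed for illustration.

```python
import math

# Tyurin's (2010) upper estimate of the Berry-Esseen constant for i.i.d. summands.
BERRY_ESSEEN_C = 0.4784


def standard_normal_cdf(x):
    """Phi(x) for the standard normal, via the complementary error function."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def bernoulli_moments(p):
    """Return (sigma, rho): standard deviation and third absolute central
    moment E|X - p|^3 of a single Bernoulli(p) variable."""
    q = 1.0 - p
    sigma = math.sqrt(p * q)
    rho = p * q ** 3 + q * p ** 3  # |1-p|^3 with prob. p, |0-p|^3 with prob. q
    return sigma, rho


def berry_esseen_bound(n, p, c=BERRY_ESSEEN_C):
    """Uniform bound on |P(S_n* <= x) - Phi(x)|, where S_n is the sum of n
    i.i.d. Bernoulli(p) variables and S_n* its standardised version."""
    sigma, rho = bernoulli_moments(p)
    return c * rho / (sigma ** 3 * math.sqrt(n))


def normal_tail_estimate(n, p, t):
    """Normal approximation of P(S_n >= t) (no continuity correction)."""
    sigma, _ = bernoulli_moments(p)
    z = (t - n * p) / (sigma * math.sqrt(n))
    return 1.0 - standard_normal_cdf(z)


def certified_tail_interval(n, p, t):
    """Interval that provably contains P(S_n >= t): the normal estimate
    plus/minus the Berry-Esseen error, clipped to [0, 1]."""
    est = normal_tail_estimate(n, p, t)
    err = berry_esseen_bound(n, p)
    return max(0.0, est - err), min(1.0, est + err)


def approximation_is_informative(n, p, t):
    """True only when the error bound is smaller than the estimated tail
    probability itself; otherwise the approximation certifies nothing."""
    lo, _ = certified_tail_interval(n, p, t)
    return lo > 0.0


def min_samples_for_error(p, delta, c=BERRY_ESSEEN_C):
    """Smallest n for which the Berry-Esseen bound drops below delta."""
    sigma, rho = bernoulli_moments(p)
    return math.ceil((c * rho / (sigma ** 3 * delta)) ** 2)


if __name__ == "__main__":
    # Constructed scenario: a linear approximation with bias 2^-10, so an
    # attack using a few times 1/bias^2 samples takes about n = 2^23.
    n, p_wrong = 2 ** 23, 0.5          # a wrong key yields an unbiased counter
    sigma, _ = bernoulli_moments(p_wrong)
    # Threshold set 4 standard deviations above the wrong-key mean, where the
    # normal model predicts a false-alarm probability of about 3.2e-5.
    t = n * p_wrong + 4.0 * sigma * math.sqrt(n)
    print("normal estimate of false-alarm prob:", normal_tail_estimate(n, p_wrong, t))
    print("Berry-Esseen error bound            :", berry_esseen_bound(n, p_wrong))
    print("certified interval                  :", certified_tail_interval(n, p_wrong, t))
    print("approximation informative?          :", approximation_is_informative(n, p_wrong, t))
    # Samples needed before the bound itself falls below 2^-16:
    print("n needed for error < 2^-16          :", min_samples_for_error(p_wrong, 2 ** -16))
```

With these constructed numbers the error bound (about 1.65e-4) exceeds the false-alarm probability the normal model predicts (about 3.2e-5), so the certified interval collapses to [0, 1.97e-4] and the approximation cannot justify the predicted value; roughly 2^30 samples would be needed before the bound alone drops below 2^-16. This is the kind of sanity check the abstract argues every cryptanalytic use of a normal approximation should carry.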

Received: 2016-1-30
Revised: 2016-4-27
Accepted: 2016-4-27
Published Online: 2016-5-18
Published in Print: 2016-6-1

© 2016 by De Gruyter

This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

https://www.degruyter.com/document/doi/10.1515/jmc-2016-0006/html