Show Summary Details
More options …

# Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

CiteScore 2018: 1.41

SCImago Journal Rank (SJR) 2018: 0.342
Source Normalized Impact per Paper (SNIP) 2018: 1.076

Mathematical Citation Quotient (MCQ) 2018: 0.75

Online
ISSN
1862-2984
See all formats and pricing
More options …
Volume 10, Issue 2

# Another look at normal approximations in cryptanalysis

Subhabrata Samajder
/ Palash Sarkar
Published Online: 2016-05-18 | DOI: https://doi.org/10.1515/jmc-2016-0006

## Abstract

Statistical analysis of attacks on symmetric ciphers often requires assuming the normal behaviour of a test statistic. Typically such an assumption is made in an asymptotic sense. In this work, we consider concrete versions of some important normal approximations that have been made in the literature. To do this, we use the Berry–Esséen theorem to derive explicit bounds on the approximation errors. A basic mathematical requirement is that such approximation errors should be within reasonable bounds, a point which appears to have been overlooked in many of the earlier works on statistical aspects of cryptanalysis. Interpreting the error bounds in the cryptanalytic context yields several surprising results. One important implication is that this puts in doubt the applicability of the order statistics based approach for analysing key recovery attacks on block ciphers. This approach has been earlier used to obtain several results on the data complexities of (multiple) linear and differential cryptanalysis. The non-applicability of the order statistics based approach puts a question mark on the data complexities obtained using this approach. Fortunately, we are able to recover all of these results by utilising the hypothesis testing framework. This, however, necessitates using normal approximations for the ${\chi }^{2}$ and the LLR test statistics considered in earlier works. These approximations themselves have issues which seem to be difficult to resolve satisfactorily. More generally, the message of our work is that all cryptanalytic attacks should properly derive and interpret the error bounds for any (normal) approximation that is made.

MSC: 94A60; 11T71; 68P25; 62P99

## References

• 1

M. A. Abdelraheem, M. Ågren, P. Beelen and G. Leander, On the distribution of linear biases: Three instructive examples, Advances in Cryptology (CRYPTO 2012), Lecture Notes in Comput. Sci. 7417, Springer, Berlin (2012), 50–67. Google Scholar

• 2

T. Baignères, P. Junod and S. Vaudenay, How far can we go beyond linear cryptanalysis?, Advances in Cryptology (ASIACRYPT 2004), Lecture Notes in Comput. Sci. 3329, Springer, Berlin (2004), 432–450. Google Scholar

• 3

T. Baignères, P. Sepehrdad and S. Vaudenay, Distinguishing distributions using Chernoff information, Provable Security, Lecture Notes in Comput. Sci. 6402, Springer, Berlin (2010), 144–165. Google Scholar

• 4

V. Bentkus, Dependence of the Berry–Esséen estimate on the dimension, Lithuanian Math. J. 26 (1986), 110–114. Google Scholar

• 5

A. C. Berry, The accuracy of the Gaussian approximation to the sum of independent variates, Trans. Amer. Math. Soc. 49 (1941), 122–136. Google Scholar

• 6

E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Advances in Cryptology (CRYPTO'90), Lecture Notes in Comput. Sci. 537, Springer, Berlin (1990), 2–21. Google Scholar

• 7

E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems, J. Cryptology 4 (1991), 3–72. Google Scholar

• 8

A. Biryukov, C. De Cannière and M. Quisquater, On multiple linear approximations, Advances in Cryptology (CRYPTO 2004), Lecture Notes in Comput. Sci. 3152, Springer, Berlin (2004), 1–22. Google Scholar

• 9

C. Blondeau, A. Bogdanov and G. Leander, Bounds in shallows and in miseries, Advances in Cryptology (CRYPTO 2013), Lecture Notes in Comput. Sci. 8042, Springer, Berlin (2013), 204–221. Google Scholar

• 10

C. Blondeau and B. Gérard, Multiple differential cryptanalysis: Theory and practice, Fast Software Encryption, Lecture Notes in Comput. Sci. 6733, Springer, Berlin (2011), 35–54. Google Scholar

• 11

C. Blondeau, B. Gérard and K. Nyberg, Multiple differential cryptanalysis using LLR and ${\chi }^{2}$ statistics, Security and Cryptography for Networks, Lecture Notes in Comput. Sci. 7485, Springer, Berlin (2012), 343–360. Google Scholar

• 12

C. Blondeau, B. Gérard and J.-P. Tillich, Accurate estimates of the data complexity and success probability for various cryptanalyses, Des. Codes Cryptogr. 59 (2011), 3–34.

• 13

A. Bogdanov and E. Tischhauser, On the wrong key randomisation and key equivalence hypotheses in Matsui's algorithm 2, Fast Software Encryption, Lecture Notes in Comput. Sci. 8424, Springer, Berlin (2014), 19–38. Google Scholar

• 14

J. Daemen and V. Rijmen, Probability distributions of correlation and differentials in block ciphers, J. Math. Crypt. 1 (2007), 221–242. Google Scholar

• 15

F. C. Drost, W. C. M. Kallenberg, D. S. Moore and J. Oosterhoff, Power approximations to multinomial tests of fit, J. Amer. Statist. Assoc. 84 (1989), 130–141. Google Scholar

• 16

C.-G. Esséen, On the Liapounoff limit of error in the theory of probability, Ark. Mat. Astron. Fys. A28 (1942), 1–19. Google Scholar

• 17

C.-G. Esséen, A moment inequality with an application to the central limit theorem, Scand. Actuar. J. 1956 (1956), 160–170. Google Scholar

• 18

W. Feller, An Introduction to Probability Theory and Its Applications, Vol. 2, John Wiley & Sons, New York, 2008. Google Scholar

• 19

C. Harpes, G. G. Kramer and J. L. Massey, A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma, Advances in Cryptology (EUROCRYPT'95), Lecture Notes in Comput. Sci. 921, Springer, Berlin (1995), 24–38. Google Scholar

• 20

M. Hermelin, J. Y. Cho and K. Nyberg, Multidimensional extension of Matsui's algorithm 2, Fast Software Encryption, Lecture Notes in Comput. Sci. 5665, Springer, Berlin (2009), 209–227. Google Scholar

• 21

N. L. Johnson, S. Kotz and N. Balakrishnan, Continuous Univariate Distributions, Vol. 1, 2nd ed., John Wiley & Sons, New York, 1994. Google Scholar

• 22

N. L. Johnson, S. Kotz and N. Balakrishnan, Continuous Univariate Distributions, Vol. 2, 2nd ed., John Wiley & Sons, New York, 1995. Google Scholar

• 23

P. Junod, On the optimality of linear, differential, and sequential distinguishers, Advances in Cryptology (EUROCRYPT 2003), Lecture Notes in Comput. Sci. 2656, Springer, Berlin (2003), 17–32. Google Scholar

• 24

P. Junod and S. Vaudenay, Optimal key ranking procedures in a statistical cryptanalysis, Fast Software Encryption, Lecture Notes in Comput. Sci. 2887, Springer, Berlin (2003), 235–246. Google Scholar

• 25

B. S. Kaliski Jr and M. J. B. Robshaw, Linear cryptanalysis using multiple approximations, Advances in Cryptology (Crypto'94), Lecture Notes in Comput. Sci. 839, Springer, Berlin (1994), 26–39. Google Scholar

• 26

L. R. Knudsen, Truncated and higher order differentials, Fast Software Encryption, Lecture Notes in Comput. Sci. 1008, Springer, Berlin (1995), 196–211. Google Scholar

• 27

G. Leander, On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN, Advances in Cryptology (EUROCRYPT 2011), Lecture Notes in Comput. Sci. 6632, Springer, Berlin (2011), 303–322. Google Scholar

• 28

I. Mantin and A. Shamir, A practical attack on broadcast RC4, Fast Software Encryption, Lecture Notes in Comput. Sci. 2355, Springer, Berlin (2002), 152–164. Google Scholar

• 29

M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology (EUROCRYPT'93), Lecture Notes in Comput. Sci. 765, Springer, Berlin (1993), 386–397. Google Scholar

• 30

M. Matsui, The first experimental cryptanalysis of the data encryption standard, Advances in Cryptology (CRYPTO'94), Lecture Notes in Comput. Sci. 839, Springer, Berlin (1994), 1–11. Google Scholar

• 31

S. Murphy, The independence of linear approximations in symmetric cryptanalysis, IEEE Trans. Inform. Theory 52 (2006), 5510–5518. Google Scholar

• 32

S. Murphy, F. Piper, M. Walker and P. Wild, Likelihood estimation for block cipher keys, Technical Report RHUL-MA-2006-3, Royal Holloway, University of London, 1995. Google Scholar

• 33

V. V. Sazonov, On the multi-dimensional central limit theorem, Sankhya A 30 (1968), 181–204. Google Scholar

• 34

A. A. Selçuk, On probability of success in linear and differential cryptanalysis, J. Cryptology 21 (2008), 131–147. Google Scholar

• 35

A. Tardy-Corfdir and H. Gilbert, A known plaintext attack of FEAL-4 and FEAL-6, Advances in Cryptology (CRYPTO'91), Lecture Notes in Comput. Sci. 576, Springer, Berlin (1991), 172–181. Google Scholar

• 36

I. S. Tyurin, An improvement of upper estimates of the constants in the Lyapunov theorem, Russian Math. Surveys 65 (2010), 201–202. Google Scholar

• 37

A. M. Walker, A note on the asymptotic distribution of sample quantiles, J. R. Stat. Soc. Ser. B. Stat. Methodol. 30 (1968), 570–575. Google Scholar

## About the article

Revised: 2016-04-27

Accepted: 2016-04-27

Published Online: 2016-05-18

Published in Print: 2016-06-01

Citation Information: Journal of Mathematical Cryptology, Volume 10, Issue 2, Pages 69–99, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976,

Export Citation

© 2016 by De Gruyter.