Published in: Designs, Codes and Cryptography 12/2023

03-08-2023

Another look at key randomisation hypotheses

Authors: Subhabrata Samajder, Palash Sarkar

Abstract

In the context of linear cryptanalysis of block ciphers, let \(p_0\) (resp. \(p_1\)) be the probability that a particular linear approximation holds for the right (resp. a wrong) key choice. The standard right key randomisation hypothesis states that \(p_0\) is a constant \(p\ne 1/2\) and the standard wrong key randomisation hypothesis states that \(p_1=1/2\). Using these hypotheses, the success probability \(P_S\) of the attack can be expressed in terms of the data complexity N. The resulting expression for \(P_S\) is a monotone increasing function of N. Building on earlier work by O’Connor (In: Preneel B (ed) Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14–16 December 1994, Proceedings, volume 1008 of Lecture Notes in Computer Science, pp. 131–136. Springer, 1994) and Daemen and Rijmen (J Math Cryptol 1(3):221–242, 2007), Bogdanov and Tischhauser (In: Moriai S (ed) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pp. 19–38. Springer, 2013) argued that \(p_1\) should be considered to be a random variable. They postulated the adjusted wrong key randomisation hypothesis which states that \(p_1\) follows a normal distribution. A non-intuitive consequence is that the resulting expression for \(P_S\) is no longer a monotone increasing function of N. A later work by Blondeau and Nyberg (Des Codes Cryptogr 82(1–2):319–349, 2017) argued that \(p_0\) should also be considered to be a random variable and they postulated the adjusted right key randomisation hypothesis which states that \(p_0\) follows a normal distribution. In this work, we revisit the key randomisation hypotheses. 
While the argument that \(p_0\) and \(p_1\) should be considered to be random variables is indeed valid, we show that if \(p_0\) and \(p_1\) follow any distributions with supports which are subsets of [0, 1], and \({\textbf{E}}[p_0]=p\) and \({\textbf{E}}[p_1]=1/2\), then the expression for \(P_S\) that is obtained is exactly the same as the one obtained using the standard key randomisation hypotheses. Consequently, \(P_S\) is a monotone increasing function of N even when \(p_0\) and \(p_1\) are considered to be random variables.
Literature
1. Ashur T., Beyne T., Rijmen V.: Revisiting the wrong-key-randomization hypothesis. IACR Cryptol. ePrint Arch. 2016, 990 (2016).
2. Blondeau C., Nyberg K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Cryptogr. 82(1–2), 319–349 (2017).
3. Bogdanov, A., Tischhauser, E.: On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2. In: Moriai S (ed) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pp. 19–38. Springer (2013)
4. Bogdanov A., Kavun E.B., Tischhauser E., Yalçin T.: Large-scale high-resolution computational validation of novel complexity models in linear cryptanalysis. J. Comput. Appl. Math. 259, 592–598 (2014).
5. Daemen J., Rijmen V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007).
6. Harpes, C., Kramer, G. G., Massey, J. L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou L. C., Quisquater J.-J. (eds.) Advances in Cryptology—EUROCRYPT ’95, International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 21–25, 1995, Proceeding, volume 921 of Lecture Notes in Computer Science, pp. 24–38, Springer (1995)
7. Junod, P., Vaudenay, S.: Optimal key ranking procedures in a statistical cryptanalysis. In: Johansson, T. (ed) Fast Software Encryption, 10th International Workshop, FSE 2003, Lund, Sweden, February 24–26, 2003, Revised Papers, volume 2887 of Lecture Notes in Computer Science, pp. 235–246, Springer (2003)
8. Kaliski Jr, B. S., Robshaw, M. J. B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y. (ed) Advances in Cryptology—CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21–25, 1994, Proceedings, volume 839 of Lecture Notes in Computer Science, pp. 26–39, Springer (1994)
9. Leander G.: Small scale variants of the block cipher PRESENT. IACR Cryptol. ePrint Arch. 2010, 143 (2010).
10. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed) Advances in Cryptology—EUROCRYPT ’93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23–27, 1993, Proceedings, volume 765 of Lecture Notes in Computer Science, pp. 386–397, Springer (1993)
11. Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y. (ed) Advances in Cryptology—CRYPTO ’94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21–25, 1994, Proceedings, volume 839 of Lecture Notes in Computer Science, pp. 1–11, Springer (1994)
12. O’Connor, L.: Properties of linear approximation tables. In: Preneel, B. (ed) Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14–16 December 1994, Proceedings, volume 1008 of Lecture Notes in Computer Science, pp. 131–136, Springer (1994)
13.
14. Samajder S., Sarkar P.: Correlations between (nonlinear) combiners of input and output of random functions and permutations. IACR Cryptol. ePrint Arch. 2017, 1219 (2017).
15. Samajder S., Sarkar P.: Success probability of multiple/multidimensional linear cryptanalysis under general key randomisation hypotheses. Cryptogr. Commun. 10(5), 835–879 (2018).
16.
Metadata
Title
Another look at key randomisation hypotheses
Authors
Subhabrata Samajder
Palash Sarkar
Publication date
03-08-2023
Publisher
Springer US
Published in
Designs, Codes and Cryptography / Issue 12/2023
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI
https://doi.org/10.1007/s10623-023-01272-y
