The Effectiveness of the Linear Hull Effect

The Effectiveness of the Linear Hull Effect

S. Murphy

Technical Report RHUL-MA-2009-19, 6 October 2009

Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, England
http://www.rhul.ac.uk/mathematics/techreports

Abstract

There is no linear hull effect in linear cryptanalysis.

1 Introduction

Linear cryptanalysis [7] is one of the standard techniques of assessing the security of block ciphers and is based on linear approximations to the plaintext, ciphertext and key. In our discussion of linear approximations, we consider an iterated block cipher encryption with plaintext $p$, ciphertext $c$ and extended key $k$, where $p$, $c$ and $k$ are binary column vectors. We define the extended key $k$ as the concatenation of the round subkeys derived from the block cipher key through the key schedule. A linear approximation in its most basic form is usually regarded as a statement of the form

$\alpha^T \binom{p}{c} = \alpha_P^T p + \alpha_C^T c = \gamma^T k$ with probability $\tfrac{1}{2} + \epsilon_\gamma$.

The vectors $\alpha$, $\alpha_P$ and $\alpha_C$ are known respectively as the overall data mask, the plaintext mask and the ciphertext mask, with $\alpha^T = (\alpha_P^T \mid \alpha_C^T)$, and the vector $\gamma$ as the key mask. The value $2\epsilon_\gamma$ is known as the imbalance or correlation of the linear approximation, and $\epsilon_\gamma$ as the bias of the linear approximation. If the linear expression is unbiased, that is $\epsilon_\gamma \neq 0$, then the linear expression can potentially be used to give an estimate of one bit $\gamma^T k$ of key information. The number of plaintext-ciphertext pairs required to estimate this key bit to a required accuracy is proportional to $\epsilon_\gamma^{-2}$. This is the procedure given by Algorithm 1 of [7]. The more sophisticated Algorithm 2 of [7] uses trial encryptions and decryptions of the outer rounds under various partial subkeys. Under certain assumptions, the technique of Algorithm 2 is equivalent to constructing a method of distinguishing the distribution of the linear expression $\alpha^T \binom{p}{c} + \gamma^T k$, which is zero with probability $\tfrac{1}{2} + \epsilon_\gamma$, from a uniform distribution [7, 8]. As before, the number of plaintext-ciphertext pairs required to make this distinction to a required accuracy is proportional to $\epsilon_\gamma^{-2}$ [7]. The usual method of calculating the probability that such a single linear expression holds is to use the so-called Piling-Up Lemma of [7].

However, in the analysis of many block ciphers, such use of the Piling-Up Lemma can generate a number of linear expressions with the same data mask but differing key masks, that is a key mask set $\Gamma$ and a collection of expressions of the form

$\alpha^T \binom{p}{c} = \gamma^T k$ with probability $\tfrac{1}{2} + \epsilon_\gamma$ $[\gamma \in \Gamma]$.

The existence of a number of such unbiased expressions ($\epsilon_\gamma \neq 0$) generated by the Piling-Up Lemma appears to be the motivation for the concept of the linear hull of linear expressions introduced by [8]. The linear hull for data mask $\alpha$ is the set of all such above expressions for different key masks $\gamma$. It is asserted by [8] that the existence of such a linear hull containing many such unbiased expressions generally increases the efficiency of Algorithm 2 of [7]. Furthermore, such an assertion appears to be generally accepted and widely used in the analysis of block ciphers. For example, a standard reference work on cryptology makes the following statement about the use of the linear hull in cryptanalysis [3].

LINEAR HULLS: Estimating the bias of approximations by constructing linear characteristics is very convenient, but in some cases, the value derived in this way diverges significantly from the actual bias. The most important cause for this difference is the so-called linear hull effect, first described by Nyberg in 1994 [8]. The effect takes place when the correlation between plaintext and ciphertext bits, described by a specific linear approximation, can be explained by multiple linear characteristics, each with a non-negligible bias, and each involving a different set of key bits. Such a set of linear characteristics with identical input and output masks is called a linear hull. Depending on the value of the key, the different characteristics will interfere constructively or destructively, or even cancel out completely. If the set of keys used in different linear characteristics are independent, then this effect might considerably reduce the average bias of [a single linear] expression, and thus the success rate of the simple attack described above [Algorithm 1 of [7]]. Nyberg's paper [8] shows, however, that the more efficient attacks [Algorithm 2] described in [7], which only use the linear approximations as a distinguisher, will typically benefit from the linear hull effect.

We show that this so-called linear hull effect [3, 8] simply does not exist.

2 The Fundamental Probability

Our analysis of the linear hull effect is based on the fundamental probability (Definition 1), together with the related concept of the fundamental imbalance (Definition 2). The fundamental probability is a well-defined probability for use in linear cryptanalysis, particularly in analysing the linear hull effect.

Definition 1. The fundamental probability $q(k)$ of data mask $\alpha$ for block cipher encryptions under the fixed extended key $k$ is

$q(k) = P_k\left(\alpha^T \binom{p}{c} = 0\right)$.

Definition 2. The fundamental imbalance of data mask $\alpha$ under fixed key $k$ with fundamental probability $q(k) = \tfrac{1}{2} + \tfrac{1}{2}\eta(k)$ is

$\eta(k) = P_k\left(\alpha^T \binom{p}{c} = 0\right) - P_k\left(\alpha^T \binom{p}{c} = 1\right) = 2q(k) - 1$.

3 Probabilistic Interpretation of the Linear Hull

We noted that the fundamental probability (Definition 1) is well-defined. However, the probability statements made in the usual definition of a linear hull are not in general well-defined. To demonstrate this, we consider very carefully the nature of the statements about linear expressions used in the linear hull for a data mask $\alpha$. In the standard formulation of linear cryptanalysis given in Section 1, a linear approximation is defined directly in terms of a key mask $\gamma$, that is a linear approximation is a statement of the form

$\alpha^T \binom{p}{c} = \gamma^T k$ with probability $\tfrac{1}{2} + \epsilon_\gamma$,

which only depends on the key through the value of $\gamma^T k$. In terms of the fundamental probability for data mask $\alpha$, we have

$P_k\left(\alpha^T \binom{p}{c} = 0\right) = \tfrac{1}{2} + \tfrac{1}{2}\eta(k) = \begin{cases} \tfrac{1}{2} + \epsilon_\gamma & [\gamma^T k = 0] \\ \tfrac{1}{2} - \epsilon_\gamma & [\gamma^T k = 1]. \end{cases}$

Thus the fundamental imbalance $\eta(k)$ is given in terms of the usual form of the imbalance $2\epsilon_\gamma$ used in linear cryptanalysis by

$\eta(k) = 2(-1)^{\gamma^T k}\epsilon_\gamma$.

However, for a fixed key $k$, the fundamental imbalance $\eta(k)$ is clearly a constant. Thus for the above probability to be well-defined, we require $2(-1)^{\gamma^T k}\epsilon_\gamma$ to be constant for all non-trivial key masks $\gamma$ for fixed $k$. We now discuss this issue in more detail.

The linear hull is usually considered to be defined by several probabilistic statements such as, for $\gamma_1 \neq \gamma_2$,

$\alpha^T \binom{p}{c} = \gamma_1^T k$ with probability $\tfrac{1}{2} + \epsilon_{\gamma_1}$ and $\alpha^T \binom{p}{c} = \gamma_2^T k$ with probability $\tfrac{1}{2} + \epsilon_{\gamma_2}$.

According to these linear expressions, for a fixed key $k$, $\alpha^T \binom{p}{c}$ has to simultaneously take the value $\gamma_1^T k$ with probability $\tfrac{1}{2} + \epsilon_{\gamma_1}$ and the value $\gamma_2^T k$ with probability $\tfrac{1}{2} + \epsilon_{\gamma_2}$. This means there are four cases required to evaluate the fundamental probability $P_k(\alpha^T \binom{p}{c} = 0)$, as given in the following Table 1.

Table 1: $P_k\left(\alpha^T \binom{p}{c} = 0\right)$

|                    | $\gamma_2^T k = 0$ | $\gamma_2^T k = 1$ |
|--------------------|--------------------|--------------------|
| $\gamma_1^T k = 0$ | $\tfrac{1}{2} + \epsilon_{\gamma_1} = \tfrac{1}{2} + \epsilon_{\gamma_2}$ | $\tfrac{1}{2} + \epsilon_{\gamma_1} = \tfrac{1}{2} - \epsilon_{\gamma_2}$ |
| $\gamma_1^T k = 1$ | $\tfrac{1}{2} - \epsilon_{\gamma_1} = \tfrac{1}{2} + \epsilon_{\gamma_2}$ | $\tfrac{1}{2} - \epsilon_{\gamma_1} = \tfrac{1}{2} - \epsilon_{\gamma_2}$ |

We can therefore deduce that $\epsilon_{\gamma_1} = \epsilon_{\gamma_2} = 0$. Thus the probability statements used in specifying a linear hull are not well-defined if there is more than one unbiased linear approximation in the linear hull. A linear hull in the sense of [3, 8], that is a collection of several linear expressions each with a significant imbalance or bias, is not a well-defined probabilistic concept.

4 Analogues in Differential Cryptanalysis of Linear Hulls

A much-repeated heuristic justification for the linear hull effect is given in [8] by claiming that the use of the linear hull is analogous to the use of the differential [6] in differential cryptanalysis [1, 2]. However, a detailed examination shows that this analogy is not sustainable. We therefore state the claim of [8] of an analogy between differential and linear cryptanalysis using our notation.

We conclude that Algorithm 2 [of [7]] makes in fact use of a family of linear approximate expressions $\alpha_P^T p + \alpha_C^T c + \gamma^T k = \alpha^T \binom{p}{c} + \gamma^T k$ where [the data mask] $\alpha$ is fixed but [the key mask] $\gamma$ varies. This means that the round approximations which uniquely determine $\gamma$ and are uniquely determined by $\gamma$, can be chosen in all possible ways to form a chain of approximations from $\alpha_P^T p$ to $\alpha_C^T c$. Hence there is a close analog with what is called differentials in differential cryptanalysis [6].

The key mask $\gamma$ does indeed determine a series of round data masks with the outer round masks constrained by $\alpha$. These data masks give a random process [4, 5] with a state space consisting of two elements $\{0, 1\}$, in for example the manner described by [9]. The usual method of analysing this random process in linear cryptanalysis is to use the Piling-Up Lemma [7], which is applicable to this random process if it is a Markov process [9]. However, whether or not the Piling-Up Lemma is applicable, both states are considered by the Piling-Up calculation. Loosely speaking, the Piling-Up Lemma probability calculation may incorrectly assign probability to the states if the Markov assumption is not valid, but all probability is assigned. There are no ignored states in linear cryptanalysis, and there is certainly no missing probability not considered by the Piling-Up Lemma waiting to be found.

In differential cryptanalysis, a pair of plaintexts is encrypted under the same fixed key. A random process is derived by taking the difference of those plaintexts at every round, so giving a random process with a state space of size $2^n$. Under the assumption that this differential cryptanalysis random process is a Markov process, the differential [6] is calculated by using the product of the matrices of one-step round transition probabilities. The characteristic [1, 2] is essentially obtained by setting all but one element to 0 in each of these one-step transition matrices and then calculating the product of these revised matrices. A value for a probability calculated using a differential [6] is therefore always at least that of the same value for a probability calculated using a characteristic [1, 2]. Thus there is a meaningful sense in differential cryptanalysis in which the differential can be thought of as finding probabilities missed by the characteristic, as the characteristic ignores most of the states in the random process.

The correct analogue of the linear hull in differential cryptanalysis is the enhanced characteristic, considered in Sections 5. and 6.5 of [2]. The enhanced characteristic gives an enhanced differential cryptanalysis random process in which the state at any round is the difference between the data values at that round, as for standard differential cryptanalysis, and also a collection of data values at certain bit positions. Similarly, in linear cryptanalysis, the simultaneous use of two key masks with the same data mask really defines sequences of 2-dimensional data masks for the inner rounds. This gives rise to a random process with, in general, a 4-element state space rather than the 2-element state space given by a single key mask. For both the enhanced characteristic in differential cryptanalysis and the linear hull in linear cryptanalysis, the state space of the underlying random process is obtained by refining the standard differential cryptanalysis or linear cryptanalysis state space. The linear hull therefore defines a new enhanced random process beyond the standard linear cryptanalysis random process. By contrast, probability calculations in differential cryptanalysis using either characteristics or differentials are conducted with respect to the same standard differential cryptanalysis random process. Thus a calculation using a linear hull and a calculation using a differential are fundamentally different in relation to their underlying standard random process. A differential can find unused probability, whereas a linear hull simply cannot. There is no analogue between linear hulls and differentials in the manner claimed by [8].

5 Data Requirements for the Linear Hull Effect

The linear hull effect supposedly reduces the number of plaintext-ciphertext pairs required to distinguish to a given accuracy a given distribution from the uniform distribution [3, 8]. Before analysing this claim, we first calculate the data requirements exactly. For a fixed extended key $k$, the number $N_k$ of plaintext-ciphertext pairs required to use the distinguisher to a required accuracy is asymptotically inversely proportional to $(q(k) - \tfrac{1}{2})^2$ [7]. Under the assumption that all extended keys are equally likely, the mean number $N$ over all keys of plaintext-ciphertext pairs required to use the distinguisher to a specified degree of accuracy is given by $N = \mathsf{E}[N_k]$, for some suitably-defined expectation $\mathsf{E}$. If we let $K$ denote the set of extended keys, then the mean number $N$ of plaintext-ciphertext pairs required is proportional to

$\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^{-2}\right] = 4\,\mathsf{E}\left[\eta(k)^{-2}\right]$,

the expectation being taken over $k \in K$.

We now consider the data requirement for the use of the linear hull given by [8]. The supposed existence of a linear hull effect depends on the assertion that this data requirement can be expressed in terms of a quantity defined by the Fundamental Theorem of [8]. We now examine this assertion. Accordingly, we let

$r(\gamma, k) = \tfrac{1}{2} + \tfrac{1}{2}(-1)^{\gamma^T k}\eta(k)$,

so $r(\gamma, k)$ is the quantity referred to as $p(a, b, c; k)$ in [8], where $a, b$ refer to the data mask $\alpha$ and $c$ refers to the key mask $\gamma$. We note that $p(a, b, c; k)$ is referred to as a probability by [8], but is not in general a well-defined probability (Section 3). The Fundamental Theorem considers the quantity $\psi$ given by

$\psi = \mathsf{E}\left[\left(r(\gamma, k) - \tfrac{1}{2}\right)^2\right] = \tfrac{1}{4}\,\mathsf{E}\left[\eta(k)^2\right] = \tfrac{1}{4}\,\mathsf{E}\left[(2q(k) - 1)^2\right]$.

Thus the quantity $\psi$ considered by the Fundamental Theorem can be expressed in terms of the above expectation $\mathsf{E}$ as

$\psi = \mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right] = \tfrac{1}{4}\,\mathsf{E}\left[\eta(k)^2\right]$.

The claim for the reduction in data complexity given by the linear hull effect is then based on the assertion that the number $N$ of plaintext-ciphertext pairs required to distinguish the distribution from uniform is proportional to $\psi^{-1}$, that is to say proportional to

$\psi^{-1} = \mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right]^{-1} = 4\,\mathsf{E}\left[\eta(k)^2\right]^{-1}$.

We now compare these two quantities for distinguishing the specified distribution from a uniform distribution. The actual expected number $N$ of plaintext-ciphertext pairs and the number given by the application of the Fundamental Theorem in the manner of [8] are respectively proportional to

$\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^{-2}\right]$ and $\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right]^{-1}$.

These two quantities can easily be compared by using Jensen's inequality [10], which we state in Lemma 1.

Lemma 1 (Jensen's Inequality). A random variable $X$ and convex function $\zeta$ satisfy $\zeta(\mathsf{E}[X]) \le \mathsf{E}[\zeta(X)]$.

Inversion of the positive real numbers is a convex function, so Jensen's inequality gives

$\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^{-2}\right] \ge \mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right]^{-1}$.

The true data requirement is proportional to the left-hand side of the above inequality, whereas the quantity $\psi$ considered by the Fundamental Theorem only addresses the right-hand side of this inequality. Thus the Fundamental Theorem can only ever be used to give a lower bound on the data complexity. We illustrate this point in Examples 1 and 2.

Example 1. We consider a linear cryptanalysis for data mask $\alpha$ where the fundamental probability is given by

$q(k) = P_k\left(\alpha^T \binom{p}{c} = 0\right) = \tfrac{1}{2} + (-1)^{\gamma_1^T k}\epsilon_{\gamma_1} + (-1)^{\gamma_2^T k}\epsilon_{\gamma_2}$, where $\epsilon_{\gamma_1}, \epsilon_{\gamma_2} \neq 0$.

Thus the fundamental imbalance is given by $\eta(k) = 2(-1)^{\gamma_1^T k}\epsilon_{\gamma_1} + 2(-1)^{\gamma_2^T k}\epsilon_{\gamma_2}$. The true data requirement to distinguish this distribution from a uniform distribution to a given degree of accuracy is proportional to

$\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^{-2}\right] = \tfrac{1}{4}\left[2(\epsilon_{\gamma_1} + \epsilon_{\gamma_2})^{-2} + 2(\epsilon_{\gamma_1} - \epsilon_{\gamma_2})^{-2}\right] = \frac{\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2}{(\epsilon_{\gamma_1}^2 - \epsilon_{\gamma_2}^2)^2}$.

By contrast, the approach of [8] based on the Fundamental Theorem asserts that the data requirement is proportional to

$\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right]^{-1} = \left[\tfrac{1}{4}\left(2(\epsilon_{\gamma_1} + \epsilon_{\gamma_2})^2 + 2(\epsilon_{\gamma_1} - \epsilon_{\gamma_2})^2\right)\right]^{-1} = \frac{1}{\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2}$.

However,

$\frac{\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2}{(\epsilon_{\gamma_1}^2 - \epsilon_{\gamma_2}^2)^2} > \frac{1}{\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2}$, as $(\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2)^2 > (\epsilon_{\gamma_1}^2 - \epsilon_{\gamma_2}^2)^2$,

so we can see that

$\frac{\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^{-2}\right]}{\mathsf{E}\left[\left(q(k) - \tfrac{1}{2}\right)^2\right]^{-1}} > 1$.

For this example, we can easily see that the data requirement averaged over all extended keys is always larger than that asserted by the supposed linear hull effect.

Example 2. We consider the cryptanalysis of Example 1 for a block cipher where $\epsilon_{\gamma_1} = \epsilon_{\gamma_2}$. Such a block cipher would be considered to possess a large linear hull effect in the linear hull literature. The fundamental probability $q(k)$ for data mask $\alpha$ is given by

$q(k) = \begin{cases} \tfrac{1}{2} + \epsilon_{\gamma_1} + \epsilon_{\gamma_2} & [\gamma_1^T k = \gamma_2^T k = 0] \\ \tfrac{1}{2} - \epsilon_{\gamma_1} - \epsilon_{\gamma_2} & [\gamma_1^T k = \gamma_2^T k = 1] \\ \tfrac{1}{2} & [\gamma_1^T k \neq \gamma_2^T k]. \end{cases}$

Clearly, for any key $k \notin \ker(\gamma_1 + \gamma_2)^T$, that is for half of all the extended keys, the distribution in question is uniform, so by definition is indistinguishable from a uniform distribution. This is reflected in the fact that the true data requirement, proportional to $\frac{\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2}{(\epsilon_{\gamma_1}^2 - \epsilon_{\gamma_2}^2)^2}$, is formally infinite. By contrast, the supposed linear hull effect gives the data requirement as being proportional to $(\epsilon_{\gamma_1}^2 + \epsilon_{\gamma_2}^2)^{-1}$, a finite quantity. For this example, the supposed linear hull effect is effectively asserting that it is possible to distinguish an indistinguishable distribution given by one key because there exists a distinguishable distribution given by some other key.

6 Conclusions

The usual method of quantifying the supposed linear hull effect assumes that expectation and inversion are operations on a random variable which commute. Jensen's inequality shows that this assumption is generally incorrect. Thus the supposed linear hull effect simply ignores Jensen's inequality, a fundamental result in probability theory and statistical inference. Furthermore, Jensen's inequality shows that the Fundamental Theorem of [8] can only ever give a lower bound for the data requirement for using a collection of linear approximations with the same data mask. The linear hull effect, in the usual sense [3, 8] of always improving the average efficiency of Algorithm 2 of [7], is an illusion.

References

1. E. Biham and A. Shamir. Differential Cryptanalysis of the DES-like Cryptosystems. Journal of Cryptology, 4:3–72, 1991.
2. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.
3. A. Biryukov and C. De Cannière. Linear Cryptanalysis for Block Ciphers. In H.C. van Tilborg, editor, Encyclopedia of Cryptography and Security, pages 351–354. Springer, 2005.
4. D.R. Cox and H.D. Miller. The Theory of Stochastic Processes. Chapman and Hall, 1965.
5. G.R. Grimmett and D.R. Stirzaker. Probability and Random Processes. Oxford University Press, 2001.
6. X. Lai, J.L. Massey, and S. Murphy. Markov Ciphers and Differential Cryptanalysis. In D.W. Davies, editor, Advances in Cryptology – EUROCRYPT '91, volume 547 of LNCS, pages 17–38. Springer-Verlag, 1991.
7. M. Matsui. Linear Cryptanalysis for the DES Cipher. In T. Helleseth, editor, Advances in Cryptology – EUROCRYPT '93, volume 765 of LNCS, pages 386–397. Springer-Verlag, 1993.
8. K. Nyberg. Linear Approximation of Block Ciphers. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of LNCS, pages 439–444. Springer-Verlag, 1995.
9. S. Murphy, F. Piper, M. Walker and P. Wild. Maximum Likelihood Estimation for Block Cipher Keys. Technical Report RHUL-MA-2006-3, Royal Holloway University of London, 1994. http://www.ma.rhul.ac.uk/techreports.
10. S.D. Silvey. Statistical Analysis. Chapman and Hall, 1975.
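The comparison of Section 5 and Examples 1 and 2, computed exactly as an added example (this code is not part of the report): it assumes the model of Example 1, a fundamental probability $q(k) = \tfrac{1}{2} + \sum_i (-1)^{\gamma_i^T k}\epsilon_{\gamma_i}$ with linearly independent key masks so that every sign pattern covers an equal share of the extended keys, and the bias values `EXAMPLE_1`, `EXAMPLE_2` are constructed, not taken from any cipher. It evaluates the true data requirement $\mathsf{E}[(q(k)-\tfrac{1}{2})^{-2}]$ and the Fundamental Theorem quantity $\mathsf{E}[(q(k)-\tfrac{1}{2})^2]^{-1}$ for any number of key masks, so it generalises the two-mask examples.

```python
"""Exact evaluation of the two data-requirement quantities of Section 5.

Assumed model (follows Example 1 of the report, extended to m key masks):
    q(k) = 1/2 + sum_i (-1)^(gamma_i^T k) * eps_i
with the gamma_i linearly independent, so each of the 2^m sign patterns of
(gamma_1^T k, ..., gamma_m^T k) is taken by an equal share of the keys.
"""
from fractions import Fraction
from itertools import product
import math

HALF = Fraction(1, 2)

# Constructed biases for this example: unequal (Example 1) and equal (Example 2).
EXAMPLE_1 = (Fraction(1, 8), Fraction(1, 32))
EXAMPLE_2 = (Fraction(1, 8), Fraction(1, 8))


def fundamental_probability(signs, biases):
    """q(k) for one key class; signs[i] is the bit gamma_i^T k (Definition 1)."""
    return HALF + sum((-1) ** s * e for s, e in zip(signs, biases))


def key_classes(biases):
    """Every value of (gamma_1^T k, ..., gamma_m^T k); all equally likely."""
    return list(product((0, 1), repeat=len(biases)))


def true_data_requirement(biases):
    """E[(q(k) - 1/2)^-2]: the mean over keys of the per-key data requirement.

    A key class with q(k) = 1/2 yields a uniform distribution, which no amount
    of data distinguishes, so the mean is formally infinite (Example 2)."""
    classes = key_classes(biases)
    total = Fraction(0)
    for signs in classes:
        d = fundamental_probability(signs, biases) - HALF
        if d == 0:
            return math.inf
        total += 1 / (d * d)
    return total / len(classes)


def hull_data_requirement(biases):
    """E[(q(k) - 1/2)^2]^-1: the reciprocal of psi from the Fundamental Theorem,
    i.e. the data requirement the linear hull effect asserts."""
    classes = key_classes(biases)
    psi = sum((fundamental_probability(s, biases) - HALF) ** 2
              for s in classes) / len(classes)
    return 1 / psi


def jensen_ratio(biases):
    """E[X^-1] / E[X]^-1 for X = (q(k) - 1/2)^2; Jensen's inequality gives >= 1.

    Equality holds only when X is constant over the keys (a single key mask), so
    the Fundamental Theorem value is merely a lower bound on the true requirement."""
    return true_data_requirement(biases) / hull_data_requirement(biases)


def example_1_closed_forms(e1, e2):
    """The two closed forms the report derives for Example 1, for cross-checking:
    (e1^2 + e2^2) / (e1^2 - e2^2)^2 and 1 / (e1^2 + e2^2)."""
    s, d = e1 * e1 + e2 * e2, e1 * e1 - e2 * e2
    return s / (d * d), 1 / s


if __name__ == "__main__":
    for name, biases in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, "true:", true_data_requirement(biases),
              "hull:", hull_data_requirement(biases),
              "ratio:", jensen_ratio(biases))
    # A single key mask: both quantities coincide, so there is nothing to gain.
    print("one mask, ratio:", jensen_ratio((Fraction(1, 16),)))
```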