Success probability of multiple/multidimensional linear cryptanalysis under general key randomisation hypotheses

Abstract

This work considers statistical analysis of attacks on block cyphers using several linear approximations. A general and unified approach is adopted. To this end, the general key randomisation hypotheses for multidimensional and multiple linear cryptanalysis are introduced. Expressions for the success probability in terms of the data complexity and the advantage are obtained using the general key randomisation hypotheses for both multidimensional and multiple linear cryptanalysis and under the settings where the plaintexts are sampled with or without replacement. Particularising to standard/adjusted key randomisation hypotheses gives rise to success probabilities in 16 different cases out of which in only five cases expressions for success probabilities have been previously reported. Even in these five cases, the expressions for success probabilities that we obtain are more general than what was previously obtained. A crucial step in the analysis is the derivation of the distributions of the underlying test statistics. Whilst we carry out the analysis formally to the extent possible, there are certain inherently heuristic assumptions that need to be made. In contrast to previous works which have implicitly made such assumptions, we carefully highlight these and discuss why they are unavoidable. Finally, we provide a complete characterisation of the dependence of the success probability on the data complexity.

Appendix A: Some results on statistics

1.1 A.1 Multivariate normal to chi-square

This section looks at certain conditions under which \(XX^{t}\) follows a (possibly non-central) chi-square distribution, where X follows a multivariate normal distribution with singular variance-covariance matrix. The result can be found in [29, Chapter 3.5].

Theorem 6

Let \(X = (X_{1}, {\ldots } , X_{\tau })\) be \(\mathcal {N}(\mu , {\Sigma })\) , and let \(B_{\tau \times \tau }\) be a symmetric matrix. Assume that, for \(\eta = (\eta _{1}, {\ldots } , \eta _{\tau })\) ,

$$\eta {\Sigma} = 0 \, \Rightarrow \, \eta \mu^{t} = 0,$$

where the superscript t denotes the transpose of a matrix. The \(XBX^{t}\) has a (possiblynon-central) chi-square distribution if and only if

$${\Sigma} B {\Sigma} B {\Sigma} = {\Sigma} B {\Sigma},$$

in which case the degrees offreedom if trace (BΣ) and thenon-centrality parameter is \(\mu B \mu ^{t}\).

From the above theorem we can now lists the following assumptions under which \(XX^{t}\) follows a (possibly non-central) chi-square distribution with \((\tau - 1)\) degrees of freedom, where X follows a multivariate normal distribution with singular variance-covariance matrix.

1. 1.

   There exists an \(\eta \) such that

   $$\eta {\Sigma} = 0 \, \Rightarrow \, \eta \mu^{t} = 0.$$
2. 2.

   Here \(B = I_{\tau }\).

3. 3.

   \({\Sigma }^{2} = {\Sigma }\) and the trace of \({\Sigma } = \tau - 1\).

1.2 A.2 Approximating non-central chi-squared distribution by normal

The following result can be found in [18, Chapter 29.10].

Theorem 7

Let X be a random variable following a non-central chi-square distribution with \(\nu \) degrees of freedom and non-centrality parameter \(\delta \) , i.e., \(X \sim \chi ^{2}_{\nu }(\delta )\) . Then the standarized random variable

$$\frac{X - (\nu + \delta)}{\sqrt{2(\nu + 2\delta)}}$$

approximately follows a standard normal distribution if either

1. 1.

   \(\nu \rightarrow \infty \),\(\delta \) remaining constant, or

2. 2.

   \(\delta \rightarrow \infty \),\(\nu \) remaining constant.