
A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10311)

Abstract

The log-likelihood ratio (LLR) and the chi-squared distribution based test statistics have been proposed in the literature for performing statistical analysis of key recovery attacks on block ciphers. A limitation of the LLR test statistic is that its application requires the full knowledge of the corresponding distribution. Previous work using the chi-squared approach required approximating the distribution of the relevant test statistic by chi-squared and normal distributions. Problematic issues regarding such approximations have been reported in the literature. Perhaps more importantly, both the LLR and the chi-squared based methods are applicable only if the success probability \(P_S\) is greater than 0.5. On the other hand, an attack with success probability less than 0.5 is also of considerable interest. This work proposes a new test statistic for key recovery attacks which has the following features. Its application does not require the full knowledge of the underlying distribution; it is possible to carry out an analysis using this test statistic without using any approximations; the method applies for all values of the success probability. The statistical analysis of the new test statistic follows the hypothesis testing framework and uses Hoeffding’s inequalities to bound the probabilities of Type-I and Type-II errors.


References

  1. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_31

  2. Baignères, T., Sepehrdad, P., Vaudenay, S.: Distinguishing distributions using Chernoff information. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 144–165. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16280-0_10

  3. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_1

  4. Blondeau, C., Gérard, B., Nyberg, K.: Multiple differential cryptanalysis using LLR and \(\chi^2\) statistics. In: Visconti, I., Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 343–360. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32928-9_19

  5. Blondeau, C., Nyberg, K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Des. Codes Crypt. 1–31 (2016). doi:10.1007/s10623-016-0268-6, ISSN: 1573-7586

  6. Bogdanov, A., Tischhauser, E.: On the wrong key randomisation and key equivalence hypotheses in Matsui’s algorithm 2. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 19–38. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43933-3_2

  7. Collard, B., Standaert, F.-X., Quisquater, J.-J.: (2008). http://www.dice.ucl.ac.be/fstandae/PUBLIS/50b.zip. Accessed 30 July 2014

  8. Collard, B., Standaert, F.-X., Quisquater, J.-J.: Experiments on the multiple linear cryptanalysis of reduced round Serpent. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 382–397. Springer, Heidelberg (2008). doi:10.1007/978-3-540-71039-4_24

  9. Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Crypt. 1(3), 221–242 (2007)

  10. Gérard, B., Tillich, J.-P.: On linear cryptanalysis with many linear approximations. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 112–132. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_8

  11. Handschuh, H., Gilbert, H.: \(\chi ^2\) cryptanalysis of the SEAL encryption algorithm. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 1–12. Springer, Heidelberg (1997). doi:10.1007/BFb0052330

  12. Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995). doi:10.1007/3-540-49264-X_3

  13. Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional linear cryptanalysis of reduced round Serpent. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 203–215. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70500-0_15

  14. Hermelin, M., Cho, J.Y., Nyberg, K.: Multidimensional extension of Matsui’s Algorithm 2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 209–227. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_13

  15. Hermelin, M., Cho, J.Y., Nyberg, K.: Statistical tests for key recovery using multidimensional extension of Matsui’s Algorithm 1. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography, number 09031 in Dagstuhl Seminar Proceedings, Dagstuhl, Germany. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany (2009). http://drops.dagstuhl.de/opus/volltexte/2009/1954, ISSN: 1862-4405

  16. Johansson, T., Maximov, A.: A linear distinguishing attack on Scream. In: Proceedings 2003 IEEE International Symposium on Information Theory, p. 164. IEEE (2003)

  17. Junod, P.: On the complexity of Matsui’s attack. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 199–211. Springer, Heidelberg (2001). doi:10.1007/3-540-45537-X_16

  18. Junod, P.: On the optimality of linear, differential, and sequential distinguishers. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 17–32. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_2

  19. Junod, P., Vaudenay, S.: Optimal key ranking procedures in a statistical cryptanalysis. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 235–246. Springer, Heidelberg (2003). doi:10.1007/978-3-540-39887-5_18

  20. Kaliski, B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_4

  21. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_33

  22. Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_1

  23. Mitzenmacher, M., Upfal, E.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2005)

  24. Murphy, S.: The independence of linear approximations in symmetric cryptanalysis. IEEE Trans. Inform. Theory 52(12), 5510–5518 (2006)

  25. Nyberg, K., Hermelin, M.: Multidimensional Walsh transform and a characterization of bent functions. In: Proceedings of the 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks, pp. 83–86 (2007)

  26. Samajder, S., Sarkar, P.: Rigorous upper bounds on data complexities of block cipher cryptanalysis. IACR Cryptology ePrint Archive, 2015:916 (2015). http://eprint.iacr.org/2015/916

  27. Samajder, S., Sarkar, P.: Another look at normal approximations in cryptanalysis. J. Math. Crypt. (2016). doi:10.1515/jmc-2016-0006

  28. Samajder, S., Sarkar, P.: Can large deviation theory be used for estimating data complexity? Cryptology ePrint Archive, Report 2016/465 (2016). http://eprint.iacr.org/

  29. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)


Corresponding author: Subhabrata Samajder.


Appendices

A Hoeffding Inequality

We briefly recall Hoeffding’s inequality for a sum of independent random variables. The result can be found in standard texts such as [23].

Theorem 1

(Hoeffding Inequality). Let \(X_{1}, X_{2}, \ldots , X_{\lambda }\) be a finite sequence of independent random variables such that for all \(i = 1, \ldots , \lambda \) there exist real numbers \(a_{i}, b_{i} \in \mathbb {R}\) with \(a_{i} < b_{i}\) and \(a_{i} \le X_{i} \le b_{i}\). Let \(X = \sum _{i = 1}^{\lambda } X_{i}\). Then for any \(t > 0\),

$$\begin{aligned} \Pr [X - E[X] \ge t]\le & {} \exp \left( -\frac{2t^{2}}{D_{\lambda }}\right) \end{aligned}$$
(10)
$$\begin{aligned} \Pr [X - E[X] \le -t]\le & {} \exp \left( -\frac{2t^{2}}{D_{\lambda }}\right) \end{aligned}$$
(11)
$$\begin{aligned} \Pr [\mid X - E[X] \mid \ge t]\le & {} 2\exp \left( -\frac{2t^{2}}{D_{\lambda }}\right) ; \end{aligned}$$
(12)

where \(D_{\lambda } = \sum _{i = 1}^{\lambda } (b_{i} - a_{i})^{2}\).

B Proof of Proposition 1

We provide the proof for the case \(\mu _{0} > \mu _{1}\); the other case is similar. Recall that \(\underline{X}_{\kappa , 1}^{d}, \ldots , \underline{X}_{\kappa , N}^{d}\) are N independent and identically distributed random variables such that for all \(j = 1, \ldots , N\),

$$\begin{aligned} \upsilon _{\min } = 0 \le \underline{X}_{\kappa , j}^{d} \le (2^{\ell } - 1)^{d} = \upsilon _{\max }. \end{aligned}$$

Let \(\upsilon = \upsilon _{\max } - \upsilon _{\min } = (2^{\ell } - 1)^{d}\). Thus the Hoeffding bounds (see Appendix A) can be applied to the sum of independent and identically distributed random variables \(T_{\kappa } = \sum _{j = 1}^{N} \underline{X}^{d}_{\kappa , j}\), with \(D_{N} = N\upsilon ^{2}\).

The probabilities of Type-I and Type-II errors are then given by

$$\begin{aligned} \Pr [\text{Type-I Error}] &= \Pr [ T_{\kappa } \le t \mid H_{0} \text{ holds}] = \Pr [ T_{\kappa } - \mu _{0} \le -(\mu _{0} - t) \mid H_{0} \text{ holds} ] \\ &\le \exp \left( -\frac{2(\mu _{0} - t)^{2}}{N\upsilon ^{2}}\right) \quad \text{[by (11)]}; \\ \Pr [\text{Type-II Error}] &= \Pr [ T_{\kappa } > t \mid H_{1} \text{ holds}] = \Pr [ T_{\kappa } - \mu _{1} > t - \mu _{1} \mid H_{1} \text{ holds} ] \\ &\le \exp \left( -\frac{2(t - \mu _{1})^{2}}{N\upsilon ^{2}}\right) \quad \text{[by (10)]}. \end{aligned}$$

Let

$$\begin{aligned} \alpha = \exp \left( -\frac{2(\mu _{0} - t)^{2}}{N\upsilon ^{2}}\right) ; \quad \beta = \exp \left( -\frac{2(t - \mu _{1})^{2}}{N\upsilon ^{2}}\right) .\end{aligned}$$

Then, since \(\mu _{1}< t < \mu _{0}\), taking logarithms and square roots of the two expressions gives

$$\begin{aligned} \sqrt{2}t= & {} \sqrt{2}\mu _{0} - \upsilon \sqrt{2N\ln (1/\alpha )} \end{aligned}$$
(13)
$$\begin{aligned} \sqrt{2}t= & {} \sqrt{2}\mu _{1} + \upsilon \sqrt{N\ln (1/\beta )}. \end{aligned}$$
(14)

Eliminating t from the above two equations and using the expressions for \(\mu _0\), \(\mu _1\) and \(\upsilon \), we get the expression given by the right-hand side of (9). For any N greater than this value, the probabilities of Type-I and Type-II errors are at most \(\alpha \) and \(\beta \) respectively.    \(\square \)
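To make the argument of Appendix B concrete, here is an added example (not code from the paper) that evaluates the two Hoeffding bounds for a constructed pair of per-sample distributions over \(\ell\)-bit values, solves for the N at which both bounds fall below chosen \(\alpha\) and \(\beta\) by eliminating t directly from the two bound conditions (my own elimination; the paper's expression (9) is not reproduced here), and compares the bounds with Monte Carlo error rates. The weights W0 and W1, \(\ell = 4\) and the exponent d are all constructed for illustration; d is kept as a parameter so the same code serves the discussion of d in Appendix C.

```python
import math
import random

# Constructed parameters (not from the paper): l-bit values with l = 4 and
# exponent d = 1, so each X_{kappa,j}^d lies in [0, (2^l - 1)^d] = [0, 15].
ELL, D = 4, 1
UPSILON = (2**ELL - 1) ** D          # width of the range; D_N = N * UPSILON^2
VALUES = range(2**ELL)

# Constructed per-sample weights; H0 is the hypothesis with the larger mean.
W0 = [1] * 16                        # uniform over {0,...,15}
W1 = [2] * 8 + [1] * 8               # skewed towards small values

def mean_of(weights):
    """Per-sample mean of X^d under the given weights; mu = N * mean_of(...)."""
    return sum(v**D * w for v, w in zip(VALUES, weights)) / sum(weights)

def hoeffding_bounds(n, t, m0, m1):
    """Type-I / Type-II bounds from (11) and (10) with D_N = N*upsilon^2."""
    mu0, mu1 = n * m0, n * m1
    assert mu1 < t < mu0, "threshold must lie strictly between the two means"
    alpha = math.exp(-2 * (mu0 - t) ** 2 / (n * UPSILON**2))
    beta = math.exp(-2 * (t - mu1) ** 2 / (n * UPSILON**2))
    return alpha, beta

def threshold(n, alpha, m0):
    """t whose Type-I bound is exactly alpha: mu0 - t = upsilon*sqrt(N ln(1/alpha)/2)."""
    return n * m0 - UPSILON * math.sqrt(n * math.log(1 / alpha) / 2)

def samples_needed(alpha, beta, m0, m1):
    """Smallest N for which both bounds can hold at once. Adding the conditions
    mu0 - t = upsilon*sqrt(N ln(1/alpha)/2) and t - mu1 = upsilon*sqrt(N ln(1/beta)/2)
    gives N*(m0 - m1) = upsilon*sqrt(N/2)*(sqrt(ln 1/alpha) + sqrt(ln 1/beta)).
    This elimination is done here directly; it is not the paper's expression (9)."""
    s = math.sqrt(math.log(1 / alpha)) + math.sqrt(math.log(1 / beta))
    return math.ceil(UPSILON**2 * s**2 / (2 * (m0 - m1) ** 2))

def empirical_errors(n, t, trials=500, seed=1):
    """Monte Carlo error rates of the rule 'accept H0 iff T_kappa > t'."""
    rng = random.Random(seed)
    type1 = type2 = 0
    for _ in range(trials):
        t0 = sum(v**D for v in rng.choices(VALUES, weights=W0, k=n))
        t1 = sum(v**D for v in rng.choices(VALUES, weights=W1, k=n))
        type1 += t0 <= t                 # H0 true, but rejected
        type2 += t1 > t                  # H1 true, but H0 accepted
    return type1 / trials, type2 / trials
```

Calling `samples_needed(0.1, 0.1, mean_of(W0), mean_of(W1))`, then `threshold` and `empirical_errors` with that N, shows the observed error rates sitting far below the Hoeffding bounds, which is the expected looseness of a distribution-free bound.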

C Choice of d

There are two factors that need to be kept in mind while choosing an appropriate value of d.

  1. The value of d has an effect on the data complexity. So, one should try to choose a value of d which minimises the data complexity.

  2. For the chosen value of d, it should be possible to obtain an estimate of \(\mu _0\) through the analysis of the block cipher.

Regarding the first point, there does not seem to be a way to formally prove that one particular value of d will minimise the data complexity. Instead, we provide intuitive explanations and experimental evidence.

The statistic is \(T_{\kappa }=\sum _{j=1}^N\underline{X}_{\kappa ,j}^d\). As d goes to zero, \(X_{\kappa ,j}^d\) goes to 1 and so the effect of \(X_{\kappa ,j}\) diminishes. Further, as \(d\rightarrow 0\), \((2^{\ell }-1)^d\rightarrow 1\) and \(\underline{\eta }^d\rightarrow 1\) for all \(\eta \in \{0,1\}^{\ell }\). So, the numerator of the data complexity expression given by (9) goes to a constant and the denominator goes to \(\sum _{\eta \in \{0,1\}^{\ell }}\epsilon _{\eta }\). By definition, the latter sum is 0. So, as \(d\rightarrow 0\), the data complexity expression given by (9) goes to infinity. Experiments confirm this behaviour.

Based on the above, we do not consider values of \(d<1\). For values of \(d=1,\ldots ,100\), we have run experiments with the known linear approximations of SERPENT and have observed that the minimum data complexity is attained for \(d=1\) and \(d=2\). The values are shown in Table 3. To decide between these two values, we consider the second point mentioned above. Intuitively, it is easier to obtain the value of \(\mu _0\) for \(d=1\) than for \(d=2\). So, we suggest using \(d=1\) for defining the test statistic \(T_{\kappa }\).

Table 3. Minimum data complexity over different values of d for the linear approximations of SERPENT, with a ranging from 1 to 10. (The table body is not reproduced on this page.)

Negative values of d: Most of the theory that has been developed also works for negative values of d. The only problem is that for \(\underline{\eta }=0\), the value of \(\underline{\eta }^d\) is undefined. This defect can be rectified by defining \(T_{\kappa }\) to be \(\sum _{j=1}^N(1+\underline{X}_{\kappa ,j})^d\). Working out the details of this test statistic leads to \(\upsilon =|2^{\ell d}-1|\) and \(|\mu _0-\mu _1|=\sum _{\eta \in \{0,1\}^{\ell }}(1+\underline{\eta })^d\epsilon _{\eta }\). The value of \(\upsilon \) does not depend on the sign of d. Suppose \(d>0\); then the value of \(|\mu _0-\mu _1|\) with d is greater than the value of \(|\mu _0-\mu _1|\) with \(-d\). As a result, the data complexity with d is smaller than the data complexity for \(-d\). For this reason, we have not considered negative values of d.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Samajder, S., Sarkar, P. (2017). A New Test Statistic for Key Recovery Attacks Using Multiple Linear Approximations. In: Phan, RW., Yung, M. (eds) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science(), vol 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_14


  • DOI: https://doi.org/10.1007/978-3-319-61273-7_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-61272-0

  • Online ISBN: 978-3-319-61273-7
