Another Look at Normal Approximations in Cryptanalysis

Similar documents
Another Look at Success Probability in Linear Cryptanalysis

Success Probability of Multiple/Multidimensional Linear Cryptanalysis Under General Key Randomisation Hypotheses

Two hours. To be supplied by the Examinations Office: Mathematical Formula Tables and Statistical Tables THE UNIVERSITY OF MANCHESTER

Tutorial 11: Limit Theorems. Baoxiang Wang & Yihan Zhang bxwang, April 10, 2017

Week 2 Quantitative Analysis of Financial Markets Hypothesis Testing and Confidence Intervals

INDIAN INSTITUTE OF SCIENCE STOCHASTIC HYDROLOGY. Lecture -5 Course Instructor : Prof. P. P. MUJUMDAR Department of Civil Engg., IISc.

Lecture 17: More on Markov Decision Processes. Reinforcement learning

Probability. An intro for calculus students P= Figure 1: A normal integral

Unit 5: Sampling Distributions of Statistics

Unit 5: Sampling Distributions of Statistics

Results of the block cipher design contest

Week 1 Quantitative Analysis of Financial Markets Distributions B

Chapter 4: Commonly Used Distributions. Statistics for Engineers and Scientists Fourth Edition William Navidi

Strategies for Improving the Efficiency of Monte-Carlo Methods

Math489/889 Stochastic Processes and Advanced Mathematical Finance Homework 5

STATE UNIVERSITY OF NEW YORK AT ALBANY Department of Economics. Ph. D. Comprehensive Examination: Macroeconomics Fall, 2010

Version A. Problem 1. Let X be the continuous random variable defined by the following pdf: 1 x/2 when 0 x 2, f(x) = 0 otherwise.

CHOICE THEORY, UTILITY FUNCTIONS AND RISK AVERSION

Multiple Modular Additions and Crossword Puzzle Attack on NLSv2

Financial Risk Forecasting Chapter 9 Extreme Value Theory

Multiple Modular Additions and Crossword Puzzle Attack on NLSv2

EVA Tutorial #1 BLOCK MAXIMA APPROACH IN HYDROLOGIC/CLIMATE APPLICATIONS. Rick Katz

Information Processing and Limited Liability

Chapter 5. Continuous Random Variables and Probability Distributions. 5.1 Continuous Random Variables

Central Limit Theorem, Joint Distributions Spring 2018

Point Estimators. STATISTICS Lecture no. 10. Department of Econometrics FEM UO Brno office 69a, tel

continuous rv Note for a legitimate pdf, we have f (x) 0 and f (x)dx = 1. For a continuous rv, P(X = c) = c f (x)dx = 0, hence

The Bernoulli distribution

4-1. Chapter 4. Commonly Used Distributions by The McGraw-Hill Companies, Inc. All rights reserved.

Posterior Inference. , where should we start? Consider the following computational procedure: 1. draw samples. 2. convert. 3. compute properties

Asymptotic results discrete time martingales and stochastic algorithms

Lecture Notes 6. Assume F belongs to a family of distributions, (e.g. F is Normal), indexed by some parameter θ.

Statistical Tables Compiled by Alan J. Terry

Commonly Used Distributions

1. You are given the following information about a stationary AR(2) model:

Central Limit Theorem (cont d) 7/28/2006

IEOR E4602: Quantitative Risk Management

STAT 830 Convergence in Distribution

Statistics for Business and Economics

Are stylized facts irrelevant in option-pricing?

Two Hours. Mathematical formula books and statistical tables are to be provided THE UNIVERSITY OF MANCHESTER. 22 January :00 16:00

Much of what appears here comes from ideas presented in the book:

Practice Exercises for Midterm Exam ST Statistical Theory - II The ACTUAL exam will consists of less number of problems.

STATE UNIVERSITY OF NEW YORK AT ALBANY Department of Economics. Ph. D. Preliminary Examination: Macroeconomics Fall, 2009

Chapter 5. Statistical inference for Parametric Models

Exam 2 Spring 2015 Statistics for Applications 4/9/2015

Optimal reinsurance for variance related premium calculation principles

A Differential Fault Attack on MICKEY 2.0

Modelling Returns: the CER and the CAPM

5.3 Statistics and Their Distributions

Sampling Distribution

Business Statistics 41000: Probability 3

Lecture 23. STAT 225 Introduction to Probability Models April 4, Whitney Huang Purdue University. Normal approximation to Binomial

1 The continuous time limit

STA2601. Tutorial letter 105/2/2018. Applied Statistics II. Semester 2. Department of Statistics STA2601/105/2/2018 TRIAL EXAMINATION PAPER

BIO5312 Biostatistics Lecture 5: Estimations

Normal distribution Approximating binomial distribution by normal 2.10 Central Limit Theorem

Non-informative Priors Multiparameter Models

Optimally Thresholded Realized Power Variations for Lévy Jump Diffusion Models

Financial Mathematics III Theory summary

Online Appendix to Grouped Coefficients to Reduce Bias in Heterogeneous Dynamic Panel Models with Small T

Review for Final Exam Spring 2014 Jeremy Orloff and Jonathan Bloom

The Irrevocable Multi-Armed Bandit Problem

MTH6154 Financial Mathematics I Stochastic Interest Rates

10/1/2012. PSY 511: Advanced Statistics for Psychological and Behavioral Research 1

Chapter 7. Sampling Distributions and the Central Limit Theorem

Estimation after Model Selection

Lecture 10: Point Estimation

The rth moment of a real-valued random variable X with density f(x) is. x r f(x) dx

Chapter 8: Sampling distributions of estimators Sections

Log-Robust Portfolio Management

Dr. Maddah ENMG 625 Financial Eng g II 10/16/06

Bivariate Birnbaum-Saunders Distribution

SYSM 6304 Risk and Decision Analysis Lecture 2: Fitting Distributions to Data

Continuous random variables

Definition 9.1 A point estimate is any function T (X 1,..., X n ) of a random sample. We often write an estimator of the parameter θ as ˆθ.

4.3 Normal distribution

What was in the last lecture?

Course information FN3142 Quantitative finance

Financial Econometrics Jeffrey R. Russell. Midterm 2014 Suggested Solutions. TA: B. B. Deng

Probability without Measure!

Chapter 4: Asymptotic Properties of MLE (Part 3)

ELEMENTS OF MONTE CARLO SIMULATION

Financial Econometrics

Homework Assignments

**BEGINNING OF EXAMINATION** A random sample of five observations from a population is:

Chapter 7. Sampling Distributions and the Central Limit Theorem

12 The Bootstrap and why it works

LECTURE NOTES 3 ARIEL M. VIALE

Monte Carlo Methods for Uncertainty Quantification

Business Statistics 41000: Probability 4

LESSON 7 INTERVAL ESTIMATION SAMIE L.S. LY

Eco504 Spring 2010 C. Sims FINAL EXAM. β t 1 2 φτ2 t subject to (1)

Algorithmic and High-Frequency Trading

Asymptotic Methods in Financial Mathematics

Math 489/Math 889 Stochastic Processes and Advanced Mathematical Finance Dunbar, Fall 2007

Applications of Good s Generalized Diversity Index. A. J. Baczkowski Department of Statistics, University of Leeds Leeds LS2 9JT, UK

STRESS-STRENGTH RELIABILITY ESTIMATION

Volatility. Roberto Renò. 2 March 2010 / Scuola Normale Superiore. Dipartimento di Economia Politica Università di Siena

Numerical valuation for option pricing under jump-diffusion models by finite differences

Transcription:

Another Look at Normal Approximations in Cryptanalysis Palash Sarkar (Based on joint work with Subhabrata Samajder) Indian Statistical Institute palash@isical.ac.in INDOCRYPT 2015 IISc Bengaluru 8 th December 2015 (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 1 / 43

Symmetric Key Ciphers Block Ciphers: DES, Idea, AES, RC6, PRESENT,... Stream Ciphers: RC4, SNOW, Salsa, Trivium,... Design goals: Compact and efficient in hardware and/or software. Secure. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 2 / 43

Analysis of Block Ciphers Cryptanalytic techniques: Differential cryptanalysis. Linear cryptanalysis.... Known/chosen plaintext attacks: The cipher is instantiated with a secret key. (P 1, C 1 ),..., (P N, C N ): C i is the output of the cipher on input P i. Goal: Obtain the secret key. Weaker goal: build a distinguisher. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 3 / 43

Key Recovery Attacks: A Top-Level View Structural analysis: A detailed study of the target algorithm to obtain a measureable deviation from randomness. Identify a target sub-key. Statistical analysis: Obtain a tractable (closed form) relation between the following three quantities: N: data complexity. P S : (lower bound on the) success probability. a: the (expected) number of false alarms is (at most) a fraction 2 a of the number of all possible choices of the target sub-key. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 4 / 43

Random Variables and their Distributions P 1,..., P N are assumed to be independent and uniformly distributed. The key is unknown but fixed. Test statistic: T T (P 1, C 1,..., P N, C N ). Distribution of the test statistic: The exact distribution is hard to obtain. The test statistic often arises as a sum of random variables; use of the Central Limit Theorem to approximate the distribution of T by a suitable normal distribution. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 5 / 43

(Normal) Assumptions Galore Distribution of order statistics by normal. Binomial to normal; multinomial to multi-variate normal. (Non-central) Chi-squared to normal. Assumptions involved in Taylor series expansion.... (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 6 / 43

Goal Validity and interpretation of assumptions: Assumptions hold in an asymptotic sense. Cryptanalytic context requires a concrete setting. Surprises galore! (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 7 / 43

Linear Cryptanalysis Background (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 8 / 43

Block Cipher: Structure and Analysis n Γ P k (0) k (1) K (r) = k (0)... k (r 1) Γ K k (r 1) Γ B k (r) P B κ Random variable L = <,P> <,B> Γ P Inner key bit: z=< Γ (r) K,K > Γ B Linear approximation: L=z p Pr P [L=z] = { 1/2 if κ is correct; if κ is incorrect. n C m (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 9 / 43

Multiple Linear Approximations ( Γ (1) P, Γ(1) B ) ( ), Γ(1) K,..., Γ (l) P, Γ(l) B, Γ(l) K L i = Γ (i) P, P Γ(i) B, B, i = 1,..., l. X = (L 1,..., L l ). Inner key bit: z i = Γ (i) K, K (r). Joint distribution: for z = (z 1,..., z l ) and η = (η 1,..., η l ) p z (η) = Pr[L 1 z 1 = η 1,..., L l z l = η l ] = 1 2 l + ɛ η(z); p z β (η) = p z (η β). For any incorrect choice of κ: ɛ η (z) = 0 for all η; For the correct choice of κ there is an imbalance. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 10 / 43

Capacity of Joint Distribution Define p z = (pz (0),..., p z (2 l 1)). Let p = p 0 l so that p(η) = 1/2 l + ɛ η for η {0, 1} l ; 1/2 l ɛ η 1 1/2 l. Capacity C( p): C( p) = 2 l η {0,1} l ɛ 2 η. Note C( p) = C( p z ). (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 11 / 43

Key Recovery Attack Data: (P 1, C 1 ),..., (P N, C N ), where P 1,..., P N are independent and uniform random n-bit strings. C 1,..., C N are determined by κ ( ) (the actual target sub-key); B κ,1,..., B κ,n are determined by the choice of κ. Test statistics: T κ T (X κ,1,..., X κ,n ) For each choice of κ {0, 1} m, sort the keys in the order of T κ ; Test values one by one from the ordered list. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 12 / 43

Statistical Analysis Ranked list: T (0),..., T (2 m 1 ). Advantage a: κ is within the top 2 m a portion of the ranked list. Success: T κ T (2 m q); where q = 1 2 a ; Probability of success: P S = Pr[T κ T (2 m q)]. Data complexity: N. Goal: Express N in terms a and P S. Often P S and a are lower bounds on the success probability and the advantage respectively. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 13 / 43

Statistical Analysis Order statistics: T (2 m q) approximately follows N (ξ q, q(1 q)/(2 m 1)f 2 (ξ q ))), where ξ q = F 1 (q), F() and f () are respectively the distribution and the density functions of the T i s. Use approximations to ensure that T κ follows a normal distribution. Then T κ T (q2 m ) follows a normal distribution and it is possible to express P S in terms of the cdf Φ of the standard normal distribution. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 14 / 43

Test Statistic Single linear cryptanalysis: l = 1; T κ = W κ where W κ = (L κ,1 + + L κ,n )/N 1/2. L κ,j follows a Bernoulli distribution; W κ follows binomial which can be approximated by a normal distribution. κ incorrect: T κ approximately follows half normal; T (2 m q) approximately follows normal. κ correct: T κ approximately follows folded normal. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 15 / 43

Statistical Aspects of Linear Cryptanalysis Some important references: Matsui (1993, 1994): proposed linear cryptanalysis; idea of the key ranking algorithm. Baignéres, Junod, Vaudenay (2004): distinguishing attacks using linear approximations; LLR test statistics. Biryukov et al (2004): multiple linear cryptanalysis. Selçuk (2008): order statistics based approach. Hermelin, Cho and Nyberg (2009): multiple linear cryptanalysis without independence assumption. Followed the order statistics based approach of Selçuk. Used LLR and Chi-Squared test statistics. There is a parallel line of work on differential cryptanalysis. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 16 / 43

From Asymptotic to Concrete Analysis (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 17 / 43

Berry-Esséen Theorem Theorem: Suppose V 1,..., V λ are independent and identically distribution random variables with E[V i ] = 0, E[V 2 i ] = σ 2 and E[ V i 3 ] = ρ < ; Let D λ = (V 1 + + V λ )/( λσ); Φ() be the distribution function of the standard normal distribution; Then there is a positive constant C such that for all real x and positive integer λ Pr [D λ x] Φ(x) Cρ σ 3 λ. The value of C is known to be between 0.40973 and 0.4748. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 18 / 43

Order Statistics Theorem (Asymptotic Version) Let T 1,..., T λ be iid random variables following a distribution F(x) which is continuous and strictly increasing for 0 < F(x) < 1. Let T (1) T (2)... T (λ) be the order statistics of T 1,..., T λ. Let q (0, 1), ξ q = F 1 (q) and suppose that F (ξ q ) = f (ξ q ) exists and is positive. Let {r (λ)} be an integer sequence with lim λ λ 1 2 (r (λ) λq) = 0. Let W λ = λ 1 2 (T (r(λ)) ξ q ). Then{W λ } converges in distribution to N (0, q(1 q)/f 2 (ξ q )). (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 19 / 43

Order Statistics Theorem (Concrete Version) Hypothesis: same as before. Consequent: For each real number z ( ) Pr[W zf (ξ q ) λ z] Φ + (ζ λ λ 1/2 (r(λ) λq)) σ λ σ λ Here q λ = F ( ) ξ q + z λf (ξq), ζ λ = z + λ(q λ q), Λ q λ λ 1/2. Λ qλ = C (1 q λ) 2 + q 2 λ (q λ (1 q λ )) 1/2 and Φ() is the standard normal distribution function. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 20 / 43

Order Statistics Based Cryptanalysis λ = 2 m 1. λ: length of the random variable sequence in the order statistics result. m: the size of the target sub-key. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 21 / 43

Order Statistics Based Cryptanalysis: Shortcoming 1 Requirement: q λ = q + 1 λ (z + ζ q ) converges to q as λ. Rate of convergence: determined by λ. For the error in approximation to be about 2 ε, 2 m should be about 2 2ε : if ε = 10 (i.e., 2 ε = 2 10 10 3 ), then m should be about 20. Lesson: if the size of the target subkey is small, then the applicability of the order statistics based analysis is doubtful. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 22 / 43

Order Statistics Based Cryptanalysis: Shortcoming 2 With q = 1 2 a and λ = 2 m 1, the upper bound on the error in normal approximation becomes C 2 2a + (1 2 a ) 2 (2 m a (1 2 a )) 1/2. For the error in approximation to be about 2 ε we must have 2 m a 2 2ε C 2 (2 2a + (1 2 a ) 2 ) 2 } 1 {{ 2 a. } small for a 1 Lesson: for error 2 ε, it is required for m a to be around 2ε. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 23 / 43

Order Statistics Based Cryptanalysis: Shortcoming 2 a = 1: eliminates only half the keys. a = m: determines the key uniquely. So, closer the value of a to m, the better the attack; But: for the normal approximation to be meaningful, m a must be large; Lesson: the method is not applicable for attacks with high advantage. This conclusion does not depend on the value of m. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 24 / 43

Key Recovery via Hypothesis Testing (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 25 / 43

Hypothesis Testing Set-Up H 0 : κ is correct; versus H 1 : κ is incorrect. Decision rule: Reject H 0 if T κ t. Pr[Type-I error] = Pr[κ is rejected H 0 holds ] = Pr[T t H 0 holds ] α; Pr[Type-II error] = Pr[κ is accepted H 1 holds ] = Pr[T > t H 1 holds ] β; Pr[succ] = 1 Pr[Type-I error] 1 α = P S. Requirement: Obtain the distributions of T κ under H 0 and H 1. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 26 / 43

Data Complexity via Hypothesis Testing Obtaining an expression for the data complexity: Expressions for P S and β involve N and t. Eliminating t provides an expression for N in terms of P S and β. Relating to the advantage: Each Type-II error causes a false positive. There are a total of 2 m hypothesis tests of which 2 m 1 are with incorrect κ. So, the expected number of false positives is β(2 m 1) β2 m. Advantage a implies that the size of false alarm list is 2 m a. Equating to β2 m gives β = 2 a. Substituting β = 2 a in the expression for N provides the data complexity in terms of P S and a. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 27 / 43

Applying Hypothesis Testing to Multiple Linear Cryptanalysis (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 28 / 43

Log-Likelihood Ratio Test Statistic For κ {0, 1} m, z {0, 1} l and 1 j N define: X κ,z,j = (L κ,j,1 z 1,..., L κ,j,l z l ); Q κ,z,η = #{1 j N : X κ,z,j = η}, for η = 0,..., 2 l 1; LLR κ,z = p z (η) Q κ,z,η ln 2 l. η {0,1} l LLR κ,z approximately follows N (Nµ, Nσ 2 ), where σ 2 C( p) and µ = { µ0 = D ( p p $ ) if H 0 holds; µ 1 = D ( p $ p) if H 1 holds. Decision rule: Reject H 0 if LLR κ,z t for all z {0, 1} l. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 29 / 43

Multiple Linear Cryptanalysis: LLR Test Statistics Pr[Type-I error] = Pr[LLR κ,z t for all z {0, 1} l H 0 holds] Pr[LLR κ,z t H 0 holds] ( ) t Nµ0 = Φ = α = 1 P S. Nσ0 Pr[Type-II error] = Pr[LLR κ,z > t for some z H 1 holds] Pr[LLR κ,z > t H 1 holds] z {0,1} l ( )) t = 2 (1 l Nµ1 Φ = β = 2 a. Nσ1 This gives N = { σ1 Φ 1 ( 1 2 l a) + σ 0 Φ 1 (P S ) } 2 (µ 0 µ 1 ) 2. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 30 / 43

Comparison to Previous Data Complexity Hermelin, Cho and Nyberg (2009): ( {Φ 1 (P 12 ) + Φ 1 2 l 2 1 2 a)} N =. C( p) P 12 can be taken to be P S. Approximations used in HCN (2009): 2 l 1 2 a 1 2 a l. D( p p $ ) 1 2 C( p). Using these show the two expressions for N to be the same. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 31 / 43

LLR Statistics and Normal Approximation (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 32 / 43

LLR Statistics Rewrite the LLR test statistics: T κ,z = N j=1 Y κ,z,j where ( ( ) ) Y κ,z,j = ln p z Xκ,z,j /2 l. Let µ = E[Y j ], σ 2 = E[(Y j µ) 2 ] and ρ = E[ Y j µ 3 ]. Let µ 0, σ 0, ρ 0 correspond to H 0. Let µ 1, σ 1, ρ 1 correspond to H 1. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 33 / 43

LLR Statistics and Normal Approximation The distribution of T κ,z is approximated using a normal distribution. For the error in the normal approximation to be at most 2 ε, it is required that ( ρ N C 2 2 2ε 2 max 0 σ0 6, ρ2 1 σ1 6 ). Approximate expressions for µ i and σi 2 can be derived, but, deriving an approximation of ρ i seems to be difficult. Difficult to determine N for which the error in approximation can be bounded above. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 34 / 43

LLR Statistics and Capacity (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 35 / 43

LLR Statistics: Mean and Variance µ = σ 2 C( p). { µ0 = D( p p $ ) 1 2 C( p) if H 0 holds; µ 1 = D( p $ p) 1 2 C( p) if H 1 holds; How does one obtain D( p p $ ) 1 2 C( p)? (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 36 / 43

Kullback-Leibler Divergence: Taylor Series Expansion D( p p $ ) = η {0,1} m p(η) ln p(η) p $ (η) = η {0,1} m p(η) ln For each η, consider the Taylor series expansion of ( ln 1 + ɛ ) η 2 l. ( 1 + ɛ η 2 l ). Up to quadratic terms are retained while cubic and higher order terms are discarded. From this a routine calculation shows the approximation of µ 0 = C( p)/2. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 37 / 43

Validity of the Taylor Series Expansion The expansions are valid only if for each ɛ η the following holds. ɛ η < 1. 2 l This in particular means that ɛ η < 2 l for all η. So, even if for one η it happens that 2 l ɛ η 1 2 l the Taylor series expansion cannot be performed for this ɛ η and so the overall approximations of the means and the variances in terms of the capacity do not hold. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 38 / 43

Restricted Applicability Suppose that for some η, ɛ η = 2 l. Then the corresponding probability is 2 l+1 which is twice the probability that would be expected if the distribution were uniform. Such a situation can indeed occur in practice. Mantin-Shamir: Probability the second output byte of RC4 is 0 is twice that of the uniform distribution. This is a stream cipher example; this may also arise for block ciphers. The capacity based expression for the data complexity using the LLR test statistic does not hold. A large bias invalidates the data complexity expression! (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 39 / 43

Other Results Hypothesis testing based framework: Single linear and differential cryptanalysis: recover expressions for data complexity obtained by Selçuk. Multiple linear cryptanalysis based on the Chi-squared test statistic: recover expressions for data complexity obtained by Blondeau, Gérard and Nyberg (2012). Multiple differential cryptanalysis based on the LLR and the Chi-squared test statistics: recover expressions for data complexities obtained by Blondeau, Gérard and Nyberg. Normal approximations for the Chi-squared test statistics: Several counter-intuitive results. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 40 / 43

Message Be careful about asymptotic assumptions! S. Samajder and P. Sarkar. Another Look at Normal Approximations in Cryptanalysis. https://eprint.iacr.org/2015/679. Also available at the Another Look page: http: //cacr.uwaterloo.ca/~ajmeneze/anotherlook/na.shtml. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 41 / 43

Further Work Rigorous statistical analysis: A close look at the analysis shows that the requirement is to obtain bounds on tail probabilities. Single linear and differential cryptanalysis: Chernoff bound applies. Multiple linear and differential cryptanalysis: Application of the Azuma-Hoeffding bound for martingales. https://eprint.iacr.org/2015/916. (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 42 / 43

Thank you for your kind attention! (ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015 43 / 43

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback