Another Look at Normal Approximations in Cryptanalysis
Palash Sarkar (Based on joint work with Subhabrata Samajder)
Indian Statistical Institute, palash@isical.ac.in
INDOCRYPT 2015, IISc Bengaluru, 8th December 2015
(ISI, Kolkata) Normal Approximations Revisited INDOCRYPT 2015

Symmetric Key Ciphers
Block ciphers: DES, IDEA, AES, RC6, PRESENT, ...
Stream ciphers: RC4, SNOW, Salsa, Trivium, ...
Design goals: compact and efficient in hardware and/or software; secure.

Analysis of Block Ciphers
Cryptanalytic techniques: differential cryptanalysis, linear cryptanalysis, ...
Known/chosen plaintext attacks: the cipher is instantiated with a secret key.
$(P_1, C_1), \ldots, (P_N, C_N)$: $C_i$ is the output of the cipher on input $P_i$.
Goal: obtain the secret key.
Weaker goal: build a distinguisher.

Key Recovery Attacks: A Top-Level View
Structural analysis: a detailed study of the target algorithm to obtain a measurable deviation from randomness. Identify a target sub-key.
Statistical analysis: obtain a tractable (closed form) relation between the following three quantities:
$N$: data complexity.
$P_S$: (lower bound on the) success probability.
$a$: the (expected) number of false alarms is (at most) a fraction $2^{-a}$ of the number of all possible choices of the target sub-key.

Random Variables and their Distributions
$P_1, \ldots, P_N$ are assumed to be independent and uniformly distributed. The key is unknown but fixed.
Test statistic: $T \equiv T(P_1, C_1, \ldots, P_N, C_N)$.
Distribution of the test statistic: the exact distribution is hard to obtain. The test statistic often arises as a sum of random variables; the Central Limit Theorem is used to approximate the distribution of $T$ by a suitable normal distribution.

(Normal) Assumptions Galore
Distribution of order statistics by normal.
Binomial to normal; multinomial to multivariate normal.
(Non-central) chi-squared to normal.
Assumptions involved in Taylor series expansion.
...

Goal
Validity and interpretation of assumptions:
Assumptions hold in an asymptotic sense.
Cryptanalytic context requires a concrete setting.
Surprises galore!

Linear Cryptanalysis Background

Block Cipher: Structure and Analysis
[Figure: block cipher diagram with labels $n$, $P$, $k^{(0)}$, $k^{(1)}$, ..., $k^{(r-1)}$, $k^{(r)}$, $\Gamma_P$, $\Gamma_K$, $\Gamma_B$, $B$, $\kappa$, $C$, $m$.]
$K^{(r)} = k^{(0)} \| \cdots \| k^{(r-1)}$.
Random variable: $L = \langle \Gamma_P, P \rangle \oplus \langle \Gamma_B, B \rangle$.
Inner key bit: $z = \langle \Gamma_K, K^{(r)} \rangle$.
Linear approximation: $L = z$.
$\Pr_P[L = z] = p$ if $\kappa$ is correct; $1/2$ if $\kappa$ is incorrect.

Multiple Linear Approximations
$(\Gamma_P^{(1)}, \Gamma_B^{(1)}, \Gamma_K^{(1)}), \ldots, (\Gamma_P^{(l)}, \Gamma_B^{(l)}, \Gamma_K^{(l)})$.
$L_i = \langle \Gamma_P^{(i)}, P \rangle \oplus \langle \Gamma_B^{(i)}, B \rangle$, $i = 1, \ldots, l$. $X = (L_1, \ldots, L_l)$.
Inner key bit: $z_i = \langle \Gamma_K^{(i)}, K^{(r)} \rangle$.
Joint distribution: for $z = (z_1, \ldots, z_l)$ and $\eta = (\eta_1, \ldots, \eta_l)$,
$p_z(\eta) = \Pr[L_1 \oplus z_1 = \eta_1, \ldots, L_l \oplus z_l = \eta_l] = \frac{1}{2^l} + \epsilon_\eta(z)$; $p_{z \oplus \beta}(\eta) = p_z(\eta \oplus \beta)$.
For any incorrect choice of $\kappa$: $\epsilon_\eta(z) = 0$ for all $\eta$.
For the correct choice of $\kappa$ there is an imbalance.

Capacity of Joint Distribution
Define $p_z = (p_z(0), \ldots, p_z(2^l - 1))$.
Let $p = p_{0^l}$ so that $p(\eta) = 1/2^l + \epsilon_\eta$ for $\eta \in \{0,1\}^l$; $-1/2^l \le \epsilon_\eta \le 1 - 1/2^l$.
Capacity $C(p)$: $C(p) = 2^l \sum_{\eta \in \{0,1\}^l} \epsilon_\eta^2$.
Note $C(p) = C(p_z)$.

Key Recovery Attack
Data: $(P_1, C_1), \ldots, (P_N, C_N)$, where $P_1, \ldots, P_N$ are independent and uniform random $n$-bit strings.
$C_1, \ldots, C_N$ are determined by κ ( ) (the actual target sub-key); $B_{\kappa,1}, \ldots, B_{\kappa,N}$ are determined by the choice of $\kappa$.
Test statistics: $T_\kappa \equiv T(X_{\kappa,1}, \ldots, X_{\kappa,N})$ for each choice of $\kappa \in \{0,1\}^m$; sort the keys in the order of $T_\kappa$; test values one by one from the ordered list.

Statistical Analysis
Ranked list: $T_{(0)}, \ldots, T_{(2^m - 1)}$.
Advantage $a$: $\kappa$ is within the top $2^{m-a}$ portion of the ranked list.
Success: $T_\kappa \ge T_{(2^m q)}$, where $q = 1 - 2^{-a}$.
Probability of success: $P_S = \Pr[T_\kappa \ge T_{(2^m q)}]$.
Data complexity: $N$.
Goal: express $N$ in terms of $a$ and $P_S$. Often $P_S$ and $a$ are lower bounds on the success probability and the advantage respectively.

Statistical Analysis
Order statistics: $T_{(2^m q)}$ approximately follows $\mathcal{N}\left(\xi_q, \frac{q(1-q)}{(2^m - 1) f^2(\xi_q)}\right)$, where $\xi_q = F^{-1}(q)$, and $F()$ and $f()$ are respectively the distribution and the density functions of the $T_i$'s.
Use approximations to ensure that $T_\kappa$ follows a normal distribution.
Then $T_\kappa - T_{(q 2^m)}$ follows a normal distribution and it is possible to express $P_S$ in terms of the cdf $\Phi$ of the standard normal distribution.

Test Statistic
Single linear cryptanalysis: $l = 1$; $T_\kappa = |W_\kappa|$ where $W_\kappa = (L_{\kappa,1} + \cdots + L_{\kappa,N})/N - 1/2$.
$L_{\kappa,j}$ follows a Bernoulli distribution; $W_\kappa$ follows binomial, which can be approximated by a normal distribution.
$\kappa$ incorrect: $T_\kappa$ approximately follows half normal; $T_{(2^m q)}$ approximately follows normal.
$\kappa$ correct: $T_\kappa$ approximately follows folded normal.

Statistical Aspects of Linear Cryptanalysis
Some important references:
Matsui (1993, 1994): proposed linear cryptanalysis; idea of the key ranking algorithm.
Baignères, Junod, Vaudenay (2004): distinguishing attacks using linear approximations; LLR test statistics.
Biryukov et al. (2004): multiple linear cryptanalysis.
Selçuk (2008): order statistics based approach.
Hermelin, Cho and Nyberg (2009): multiple linear cryptanalysis without independence assumption. Followed the order statistics based approach of Selçuk. Used LLR and chi-squared test statistics.
There is a parallel line of work on differential cryptanalysis.

From Asymptotic to Concrete Analysis

Berry-Esséen Theorem
Theorem: Suppose $V_1, \ldots, V_\lambda$ are independent and identically distributed random variables with $E[V_i] = 0$, $E[V_i^2] = \sigma^2$ and $E[|V_i|^3] = \rho < \infty$.
Let $D_\lambda = (V_1 + \cdots + V_\lambda)/(\sqrt{\lambda}\,\sigma)$ and let $\Phi()$ be the distribution function of the standard normal distribution.
Then there is a positive constant $C$ such that for all real $x$ and positive integer $\lambda$,
$\left| \Pr[D_\lambda \le x] - \Phi(x) \right| \le \frac{C \rho}{\sigma^3 \sqrt{\lambda}}$.
The value of $C$ is known to be between 0.40973 and 0.4748.

Order Statistics Theorem (Asymptotic Version)
Let $T_1, \ldots, T_\lambda$ be iid random variables following a distribution $F(x)$ which is continuous and strictly increasing for $0 < F(x) < 1$.
Let $T_{(1)} \le T_{(2)} \le \cdots \le T_{(\lambda)}$ be the order statistics of $T_1, \ldots, T_\lambda$.
Let $q \in (0, 1)$, $\xi_q = F^{-1}(q)$ and suppose that $F'(\xi_q) = f(\xi_q)$ exists and is positive.
Let $\{r(\lambda)\}$ be an integer sequence with $\lim_{\lambda \to \infty} \lambda^{-1/2} (r(\lambda) - \lambda q) = 0$.
Let $W_\lambda = \lambda^{1/2} (T_{(r(\lambda))} - \xi_q)$.
Then $\{W_\lambda\}$ converges in distribution to $\mathcal{N}(0, q(1-q)/f^2(\xi_q))$.

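Order Statistics Theorem (Concrete Version)
Hypothesis: same as before.
Consequent: for each real number $z$,
$\left| \Pr\left[ W_\lambda \le \frac{z}{f(\xi_q)} \right] - \Phi\left( \frac{z}{\sigma_\lambda} + \frac{\zeta_\lambda - \lambda^{-1/2}(r(\lambda) - \lambda q)}{\sigma_\lambda} \right) \right| \le \Lambda_{q_\lambda} \lambda^{-1/2}$.
Here $q_\lambda = F\left( \xi_q + \frac{z}{\sqrt{\lambda}\, f(\xi_q)} \right)$, $\zeta_\lambda = -z + \sqrt{\lambda}\,(q_\lambda - q)$,
$\Lambda_{q_\lambda} = C\, \frac{(1 - q_\lambda)^2 + q_\lambda^2}{(q_\lambda (1 - q_\lambda))^{1/2}}$,
and $\Phi()$ is the standard normal distribution function.
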
Order Statistics Based Cryptanalysis
$\lambda = 2^m - 1$.
$\lambda$: length of the random variable sequence in the order statistics result.
$m$: the size of the target sub-key.

Order Statistics Based Cryptanalysis: Shortcoming 1
Requirement: $q_\lambda = q + \frac{1}{\sqrt{\lambda}} (z + \zeta_\lambda)$ converges to $q$ as $\lambda \to \infty$.
Rate of convergence: determined by $\lambda$.
For the error in approximation to be about $2^{-\varepsilon}$, $2^m$ should be about $2^{2\varepsilon}$: if $\varepsilon = 10$ (i.e., $2^{-\varepsilon} = 2^{-10} \approx 10^{-3}$), then $m$ should be about 20.
Lesson: if the size of the target subkey is small, then the applicability of the order statistics based analysis is doubtful.

Order Statistics Based Cryptanalysis: Shortcoming 2
With $q = 1 - 2^{-a}$ and $\lambda = 2^m - 1$, the upper bound on the error in normal approximation becomes
$C\, \frac{2^{-2a} + (1 - 2^{-a})^2}{(2^{m-a} (1 - 2^{-a}))^{1/2}}$.
For the error in approximation to be about $2^{-\varepsilon}$ we must have
$2^{m-a} \approx 2^{2\varepsilon} \underbrace{C^2\, \frac{(2^{-2a} + (1 - 2^{-a})^2)^2}{1 - 2^{-a}}}_{\text{small for } a \ge 1}$.
Lesson: for error $2^{-\varepsilon}$, it is required for $m - a$ to be around $2\varepsilon$.

Order Statistics Based Cryptanalysis: Shortcoming 2
$a = 1$: eliminates only half the keys.
$a = m$: determines the key uniquely.
So, the closer the value of $a$ to $m$, the better the attack.
But: for the normal approximation to be meaningful, $m - a$ must be large.
Lesson: the method is not applicable for attacks with high advantage. This conclusion does not depend on the value of $m$.

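The Python below is an added example, not part of the talk. It evaluates the bound from the two slides above at $z = 0$ (where $q_\lambda = q$) with $C = 0.4748$, and compares it with the exact Kolmogorov distance between $\mathrm{Bin}(\lambda, q)$ and its normal approximation for $\lambda = 2^m - 1$, $q = 1 - 2^{-a}$. The function names and the choice $m = 10$ are assumptions made here.

```python
import math
from statistics import NormalDist

C_BE = 0.4748  # upper end of the range quoted on the Berry-Esseen slide

def slide_bound(m, a):
    """Bound on the approximation error for q = 1 - 2^-a and lambda = 2^m - 1."""
    q, lam = 1 - 2.0 ** -a, 2 ** m - 1
    return C_BE * ((1 - q) ** 2 + q ** 2) / math.sqrt(lam * q * (1 - q))

def actual_error(m, a):
    """Exact sup over x of |Pr[S <= x] - Phi((x - lam*q)/sd)| for S ~ Bin(lam, q)."""
    q, lam = 1 - 2.0 ** -a, 2 ** m - 1
    sd = math.sqrt(lam * q * (1 - q))
    normal = NormalDist(lam * q, sd)
    cdf = worst = 0.0
    for k in range(lam + 1):
        # log of the binomial probability mass at k, via log-gamma to avoid overflow
        log_pmf = (math.lgamma(lam + 1) - math.lgamma(k + 1) - math.lgamma(lam - k + 1)
                   + k * math.log(q) + (lam - k) * math.log(1 - q))
        left, cdf = cdf, cdf + math.exp(log_pmf)
        # The binomial cdf jumps at k, so compare on both sides of the jump.
        worst = max(worst, abs(left - normal.cdf(k)), abs(cdf - normal.cdf(k)))
    return worst

if __name__ == "__main__":
    m = 10  # assumed sub-key size for the illustration
    for a in (1, 2, 5, 8, 9):
        print(f"m={m} a={a}: bound={slide_bound(m, a):.4f} "
              f"actual={actual_error(m, a):.4f}")
```

At $m = 10$ the exact error stays below 0.02 for $a = 2$ but is about 0.18 for $a = 9$, which is the high-advantage regime the lesson above rules out.
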
Key Recovery via Hypothesis Testing

Hypothesis Testing Set-Up
$H_0$: $\kappa$ is correct; versus $H_1$: $\kappa$ is incorrect.
Decision rule: reject $H_0$ if $T_\kappa \le t$.
$\Pr[\text{Type-I error}] = \Pr[\kappa \text{ is rejected} \mid H_0 \text{ holds}] = \Pr[T \le t \mid H_0 \text{ holds}] \le \alpha$;
$\Pr[\text{Type-II error}] = \Pr[\kappa \text{ is accepted} \mid H_1 \text{ holds}] = \Pr[T > t \mid H_1 \text{ holds}] \le \beta$;
$\Pr[\text{succ}] = 1 - \Pr[\text{Type-I error}] \ge 1 - \alpha = P_S$.
Requirement: obtain the distributions of $T_\kappa$ under $H_0$ and $H_1$.

Data Complexity via Hypothesis Testing
Obtaining an expression for the data complexity:
Expressions for $P_S$ and $\beta$ involve $N$ and $t$.
Eliminating $t$ provides an expression for $N$ in terms of $P_S$ and $\beta$.
Relating to the advantage:
Each Type-II error causes a false positive.
There are a total of $2^m$ hypothesis tests of which $2^m - 1$ are with incorrect $\kappa$.
So, the expected number of false positives is $\beta (2^m - 1) \approx \beta 2^m$.
Advantage $a$ implies that the size of the false alarm list is $2^{m-a}$.
Equating to $\beta 2^m$ gives $\beta = 2^{-a}$.
Substituting $\beta = 2^{-a}$ in the expression for $N$ provides the data complexity in terms of $P_S$ and $a$.

Applying Hypothesis Testing to Multiple Linear Cryptanalysis

Log-Likelihood Ratio Test Statistic
For $\kappa \in \{0,1\}^m$, $z \in \{0,1\}^l$ and $1 \le j \le N$ define:
$X_{\kappa,z,j} = (L_{\kappa,j,1} \oplus z_1, \ldots, L_{\kappa,j,l} \oplus z_l)$;
$Q_{\kappa,z,\eta} = \#\{1 \le j \le N : X_{\kappa,z,j} = \eta\}$, for $\eta = 0, \ldots, 2^l - 1$;
$\mathrm{LLR}_{\kappa,z} = \sum_{\eta \in \{0,1\}^l} Q_{\kappa,z,\eta} \ln \frac{p_z(\eta)}{2^{-l}}$.
$\mathrm{LLR}_{\kappa,z}$ approximately follows $\mathcal{N}(N\mu, N\sigma^2)$, where $\sigma^2 \approx C(p)$ and
$\mu = \mu_0 = D(p \,\|\, p_\$)$ if $H_0$ holds; $\mu = \mu_1 = -D(p_\$ \,\|\, p)$ if $H_1$ holds.
Decision rule: reject $H_0$ if $\mathrm{LLR}_{\kappa,z} \le t$ for all $z \in \{0,1\}^l$.

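Multiple Linear Cryptanalysis: LLR Test Statistics
$\Pr[\text{Type-I error}] = \Pr[\mathrm{LLR}_{\kappa,z} \le t \text{ for all } z \in \{0,1\}^l \mid H_0 \text{ holds}] \le \Pr[\mathrm{LLR}_{\kappa,z} \le t \mid H_0 \text{ holds}] = \Phi\left( \frac{t - N\mu_0}{\sqrt{N}\,\sigma_0} \right) = \alpha = 1 - P_S$.
$\Pr[\text{Type-II error}] = \Pr[\mathrm{LLR}_{\kappa,z} > t \text{ for some } z \mid H_1 \text{ holds}] \le \sum_{z \in \{0,1\}^l} \Pr[\mathrm{LLR}_{\kappa,z} > t \mid H_1 \text{ holds}] = 2^l \left( 1 - \Phi\left( \frac{t - N\mu_1}{\sqrt{N}\,\sigma_1} \right) \right) = \beta = 2^{-a}$.
This gives
$N = \frac{\left\{ \sigma_1 \Phi^{-1}(1 - 2^{-l-a}) + \sigma_0 \Phi^{-1}(P_S) \right\}^2}{(\mu_0 - \mu_1)^2}$.
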
Comparison to Previous Data Complexity
Hermelin, Cho and Nyberg (2009):
$N = \frac{\left\{ \Phi^{-1}(P_{12}) + \Phi^{-1}\left( \sqrt[2^l]{1 - 2^{-a}} \right) \right\}^2}{C(p)}$.
$P_{12}$ can be taken to be $P_S$.
Approximations used in HCN (2009):
$\sqrt[2^l]{1 - 2^{-a}} \approx 1 - 2^{-a-l}$.
$D(p \,\|\, p_\$) \approx \frac{1}{2} C(p)$.
Using these shows the two expressions for $N$ to be the same.

LLR Statistics and Normal Approximation

LLR Statistics
Rewrite the LLR test statistics: $T_{\kappa,z} = \sum_{j=1}^{N} Y_{\kappa,z,j}$ where $Y_{\kappa,z,j} = \ln\left( p_z(X_{\kappa,z,j}) / 2^{-l} \right)$.
Let $\mu = E[Y_j]$, $\sigma^2 = E[(Y_j - \mu)^2]$ and $\rho = E[|Y_j - \mu|^3]$.
Let $\mu_0, \sigma_0, \rho_0$ correspond to $H_0$.
Let $\mu_1, \sigma_1, \rho_1$ correspond to $H_1$.

LLR Statistics and Normal Approximation
The distribution of $T_{\kappa,z}$ is approximated using a normal distribution.
For the error in the normal approximation to be at most $2^{-\varepsilon}$, it is required that
$N \ge C^2\, 2^{2\varepsilon} \max\left( \frac{\rho_0^2}{\sigma_0^6}, \frac{\rho_1^2}{\sigma_1^6} \right)$.
Approximate expressions for $\mu_i$ and $\sigma_i^2$ can be derived, but deriving an approximation of $\rho_i$ seems to be difficult.
Difficult to determine $N$ for which the error in approximation can be bounded above.

LLR Statistics and Capacity

LLR Statistics: Mean and Variance
$\sigma^2 \approx C(p)$.
$\mu = \mu_0 = D(p \,\|\, p_\$) \approx \frac{1}{2} C(p)$ if $H_0$ holds; $\mu = \mu_1 = -D(p_\$ \,\|\, p) \approx -\frac{1}{2} C(p)$ if $H_1$ holds.
How does one obtain $D(p \,\|\, p_\$) \approx \frac{1}{2} C(p)$?

Kullback-Leibler Divergence: Taylor Series Expansion
$D(p \,\|\, p_\$) = \sum_{\eta \in \{0,1\}^l} p(\eta) \ln \frac{p(\eta)}{p_\$(\eta)} = \sum_{\eta \in \{0,1\}^l} p(\eta) \ln\left( 1 + \frac{\epsilon_\eta}{2^{-l}} \right)$.
For each $\eta$, consider the Taylor series expansion of $\ln\left( 1 + \frac{\epsilon_\eta}{2^{-l}} \right)$.
Terms up to quadratic are retained while cubic and higher order terms are discarded.
From this a routine calculation shows the approximation of $\mu_0$ as $C(p)/2$.

Validity of the Taylor Series Expansion
The expansions are valid only if for each $\epsilon_\eta$ the following holds:
$\left| \frac{\epsilon_\eta}{2^{-l}} \right| < 1$.
This in particular means that $\epsilon_\eta < 2^{-l}$ for all $\eta$.
So, even if for one $\eta$ it happens that $2^{-l} \le \epsilon_\eta \le 1 - 2^{-l}$, the Taylor series expansion cannot be performed for this $\epsilon_\eta$ and so the overall approximations of the means and the variances in terms of the capacity do not hold.

Restricted Applicability
Suppose that for some $\eta$, $\epsilon_\eta = 2^{-l}$. Then the corresponding probability is $2^{-l+1}$, which is twice the probability that would be expected if the distribution were uniform.
Such a situation can indeed occur in practice.
Mantin-Shamir: the probability that the second output byte of RC4 is 0 is twice that of the uniform distribution.
This is a stream cipher example; this may also arise for block ciphers.
The capacity based expression for the data complexity using the LLR test statistic does not hold.
A large bias invalidates the data complexity expression!

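As an added illustration (not from the talk), the Python below evaluates the hypothesis-testing expression for $N$ with exact $\mu_0, \mu_1, \sigma_0, \sigma_1$ and compares it with the capacity-based expression, once for a small-bias distribution and once for one with a single $\epsilon_\eta = 2^{-l}$. Both distributions are constructed here, and $l = 8$, $a = 8$, $P_S = 0.95$ are assumed values; the second distribution only has the doubled-probability shape described on the slide and is not measured RC4 data.

```python
import math
from statistics import NormalDist

def moments(p, law):
    """Mean and standard deviation of Y = ln(p(X) * 2^l) when X is drawn from `law`."""
    ys = [math.log(pi * len(p)) for pi in p]
    mu = sum(w * y for w, y in zip(law, ys))
    var = sum(w * (y - mu) ** 2 for w, y in zip(law, ys))
    return mu, math.sqrt(var)

def capacity(p):
    """C(p) = 2^l * sum of eps_eta^2, with eps_eta = p(eta) - 2^-l."""
    n = len(p)
    return n * sum((pi - 1 / n) ** 2 for pi in p)

def n_from_moments(p, a, ps):
    """N from the hypothesis-testing expression with exact mu_0, mu_1, sigma_0, sigma_1."""
    n = len(p)
    mu0, s0 = moments(p, p)              # H0: X follows p, so mu0 = D(p || uniform)
    mu1, s1 = moments(p, [1 / n] * n)    # H1: X uniform, so mu1 = -D(uniform || p)
    inv = NormalDist().inv_cdf
    return (s1 * inv(1 - 2.0 ** -a / n) + s0 * inv(ps)) ** 2 / (mu0 - mu1) ** 2

def n_from_capacity(p, a, ps):
    """N after the Taylor step: mu_0 = -mu_1 = C/2 and sigma^2 = C."""
    inv = NormalDist().inv_cdf
    return (inv(ps) + inv(1 - 2.0 ** -a / len(p))) ** 2 / capacity(p)

# Constructed distributions over l = 8 bits (256 outcomes); neither is measured data.
SIZE = 256
small = [(1 + (-1) ** i * 2.0 ** -6) / SIZE for i in range(SIZE)]   # |eps| = 2^-14
large = [2 / SIZE] + [(1 - 2 / SIZE) / (SIZE - 1)] * (SIZE - 1)     # one eps = 2^-l

def report(p, a=8, ps=0.95):
    """Return (D(p||uniform) / (C/2), N_moments / N_capacity); both are 1 if Taylor holds."""
    mu0, _ = moments(p, p)
    return mu0 / (capacity(p) / 2), n_from_moments(p, a, ps) / n_from_capacity(p, a, ps)

if __name__ == "__main__":
    for name, p in (("small bias", small), ("large bias", large)):
        kl_ratio, n_ratio = report(p)
        print(f"{name}: D/(C/2) = {kl_ratio:.4f}, N_moments/N_capacity = {n_ratio:.4f}")
```

For the small-bias input both ratios agree with 1 to within 0.1%; for the large-bias input $D/(C/2)$ is about 0.77 and the moment-based $N$ is about 25% above the capacity-based one. Both expressions still rest on the normal approximation, so this isolates only the Taylor step.
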
Other Results
Hypothesis testing based framework:
Single linear and differential cryptanalysis: recover expressions for data complexity obtained by Selçuk.
Multiple linear cryptanalysis based on the chi-squared test statistic: recover expressions for data complexity obtained by Blondeau, Gérard and Nyberg (2012).
Multiple differential cryptanalysis based on the LLR and the chi-squared test statistics: recover expressions for data complexities obtained by Blondeau, Gérard and Nyberg.
Normal approximations for the chi-squared test statistics: several counter-intuitive results.

Message
Be careful about asymptotic assumptions!
S. Samajder and P. Sarkar. Another Look at Normal Approximations in Cryptanalysis. https://eprint.iacr.org/2015/679.
Also available at the Another Look page: http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/na.shtml.

Further Work
Rigorous statistical analysis: a close look at the analysis shows that the requirement is to obtain bounds on tail probabilities.
Single linear and differential cryptanalysis: Chernoff bound applies.
Multiple linear and differential cryptanalysis: application of the Azuma-Hoeffding bound for martingales.
https://eprint.iacr.org/2015/916.

Thank you for your kind attention!