On Probability of Success in Linear and Differential Cryptanalysis Ali Aydın Sel¸cuk Department of Computer Engineering Bilkent University Ankara, 06800, Turkey [email protected] Abstract. Despite their widespread usage in block cipher security, lin- ear and differential cryptanalysis still lack a robust treatment of their success probability, and the success chances of these attacks have com- monly been estimated in a rather ad hoc fashion. In this paper, we present an analytical calculation of the success probability of linear and differ- ential cryptanalytic attacks. The results apply to an extended sense of the term \success" where the correct key is found not necessarily as the highest-ranking candidate but within a set of high-ranking candidates. Experimental results show that the analysis provides accurate results in most cases, especially in linear cryptanalysis. In cases where the re- sults are less accurate, as in certain cases of differential cryptanalysis, the results are useful to provide approximate estimates of the success probability and the necessary plaintext requirement. The analysis also reveals that the attacked key length in differential cryptanalysis is one of the factors that affect the success probability directly besides the signal- to-noise ratio and the available plaintext amount. Key words. Block ciphers, linear cryptanalysis, differential cryptanal- ysis, success probability, order statistics. 1 Introduction Differential cryptanalysis (DC) [3] and linear cryptanalysis (LC) [11, 12] are two of the most important techniques in block cipher cryptanalysis today. Virtually every modern block cipher has its security checked against these attacks and a number of them have actually been broken. Despite this widespread utilization, evaluation of the success probability of these attacks is usually done in a rather ad hoc fashion: Success chances of differential attacks are typically evaluated according to the empirical observations based on the \signal-to-noise ratio" [3]. In the case of linear cryptanalysis, arbitrary ciphers are analyzed using Matsui's results for his DES attacks [11, 12], which were in fact carefully calculated for and were specific to those particular attacks. In this paper, we present an analytical, generally applicable calculation of the success probability of linear and differential attacks. Throughout the analysis, a generalized definition of the term \success" is dealt with: If an attack on an m-bit key gets the correct value ranked among the top r out of 2m possible candidates, we say the attack obtained an (m lg r)-bit advantage over exhaustive search. The traditional, more strict definition− of success, where the attack discovers the right key as the first candidate, corresponds to obtaining an m-bit advantage over an m-bit key. The analysis presented provides formulas for direct calculation of the suc- cess probability of linear and differential attacks. The amount of data required for an attack to achieve a certain success probability can also be calculated through these formulas. Furthermore, the analysis shows that the aimed advan- tage level|that is, in more traditional terms, the number of key bits attacked|is one of the factors that affect the success probability in differential cryptanalysis directly besides the already established factors of the signal-to-noise ratio and the expected number of right pairs. The notations in the paper common to all sections include φ and Φ for the probability density and the cumulative distribution functions of the standard normal distribution. Besides, , , and are used for denoting the binomial, normal, and Poisson distributions,B NrespectivP ely. 2 Success Probability in Linear Cryptanalysis Linear cryptanalysis, developed by Matsui[11], is a known-plaintext attack that exploits the statistical correlation among the plaintext, ciphertext, and key bits of a block cipher to discover the encryption key. The first step in a linear attack is to find a linear approximation for the cipher. A linear approximation is a binary equation of the bits of the plaintext, ciphertext, and the key, which holds with a probability p = 1=2. The quantity p 1=2 , known as the bias, is a measure of correlation among6 the plaintext, ciphertext,j − j and key bits, and it can be used to distinguish the actual key from random key values. In an attack, the attacker collects a large number of plaintext-ciphertext blocks, and for each possible key value he counts the number of plaintext-ciphertext blocks that satisfy the ap- proximation. Assuming that the bias of the approximation with the right key will be significantly higher than the bias with a random key, the key value that maximizes the bias over the given plaintext sample is taken as the right key. In general, it may be sufficient to have the right key ranked reasonably high among the candidates rather than having it as the absolute highest. For example, in Matsui's attack on DES, a 26-bit portion of the key was attacked where the right key was ranked among the top 213. In this kind of ranking attacks, all candidates ranked higher than the right key must be tried before the right key can be reached. Each candidate must be checked with all combinations of the remaining, unattacked bits to see if it is the right value. In such an attack, where an m-bit key is attacked and the right key is ranked rth among all 2m m lg r candidates, the attack provides a complexity reduction by a factor of 2 − over the exhaustive search. In our analysis, we refer to m lg r as the advantage provided by the attack. − 2 2.1 Problem Statement Consider the problem where an attacker is interested in getting the right key ranked within the r top candidates among a total of 2m keys, where an m- bit key is attacked, with an approximation of probability p, using N plaintext m blocks. Let k0 denote the right key and ki; 1 i 2 1, be the wrong key values, and let n denote 2m 1. Let X = T =≤N ≤1=2 and− Y = X , where T − i i − i j ij i is the counter for the plaintexts satisfying the approximation with key ki. Let W ; 1 i 2m 1, be the Y ; i = 0, sorted in increasing order. That is, W is i ≤ ≤ − i 6 1 the lowest sample bias Ti=N 1=2 obtained among the wrong keys, Wn is the highest. Then, the two jconditions− forj the success of the attack are X =(p 1=2) > 0; (1) 0 − that is, T =N 1=2 and p 1=2 have the same sign, and 0 − − X0 > Wn r+1: (2) j j − In the rest of this analysis, we assume for simplicity that p > 1=2.1 Hence, the two conditions become X0 > 0; (3) X0 > Wn r+1: (4) − This modeling of the success probability was originally given by Junod [7], where he derived an expression of the success probability in terms of Euler's incomplete beta integral assuming that the Tis are independent and they are identically distributed for i = 0. He also presented a numerical calculation of that expression for Matsui's 26-bit6 DES attack [12] assuming that the approximation has a zero bias for a wrong key, i.e., E[Ti=N 1=2] = 0 for i = 0. Here, we present a more general calculation− of the success6 probability using the normal approximation for order statistics. Like Junod, we also assume the independence of the Ti counters and a zero bias for the wrong keys. Since the zero bias for the wrong keys is the ideal case for an attacker, the results can be seen as an upper bound for the actual success probability. 2.2 Order Statistics In this section we give a brief review of order statistics, as treated in [13]. The- orem 1, the key for our analysis, states the normal approximation for the order statistics. Definition 1. Let ξ1; ξ2; : : : ; ξn be independent, identically distributed random variables. Arrange the values of ξ1; ξ2; : : : ; ξn in increasing order, resulting in ξ1∗; ξ2∗; : : : ; ξn∗. The statistic ξi∗ is called the i-th order statistic of the sample 1 The corresponding results for the case p < 1=2 can easily be obtained by substituting −X0 for X0. 3 ξ1; ξ2; : : : ; ξn. Definition 2. For 0 < q < 1, the sample quantile of order q is the qn + 1-th b c order statistic ξ∗qn +1. b c Theorem 1. Let ξ1; ξ2; : : : ; ξn be independent, identically distributed random variables, with an absolutely continuous distribution function F (x). Suppose that the density function f(x) = F 0(x) is continuous and positive on the interval [a; b). If 0 < F (a) < q < F (b) < 1, and if i(n) is a sequence of integers such that i(n) lim pn q = 0; n n − !1 further if ξi∗ denotes i-th order statistic of the sample ξ1; ξ2; : : : ; ξn, then ξi∗(n) is in the limit normally distributed, i.e., ξ∗ µq lim P i(n) − < x = Φ(x); n σ !1 q where 1 µq = F − (q); 1 q(1 q) σq = − : f(µq)r n Taking i(n) = qn + 1, the theorem states that the empirical sample quan- tile of order q ofb acsample of n elements is for sufficiently large n nearly nor- 1 mally distributed with expectation µq = F − (q) and standard deviation σq = 1 q(1 q) − . f(µq ) n q 2.3 Success Probability The sample bias of the right key, X0 = T0=N 1=2, approximately follows a normal distribution (µ ; σ2) with µ = p −1=2 and σ2 = 1=(4N). The N 0 0 0 − 0 absolute sample bias of wrong keys, Yi; i = 0, follow a folded normal distribution 2 6 (see Appendix A) (µw; σw) with µw = 0, assuming a zero bias for wrong keys, 2 FN and σw = 1=(4N).