Another look at key randomisation hypotheses

Article Type

Research Article

Publication Title

Designs, Codes, and Cryptography

Abstract

In the context of linear cryptanalysis of block ciphers, let p (resp. p1) be the probability that a particular linear approximation holds for the right (resp. a wrong) key choice. The standard right key randomisation hypothesis states that p is a constant p ≠ 1/2 and the standard wrong key randomisation hypothesis states that p1 = 1/2. Using these hypotheses, the success probability PS of the attack can be expressed in terms of the data complexity N. The resulting expression for PS is a monotone increasing function of N. Building on earlier work by O’Connor (In: Preneel B (ed) Fast Software Encryption: Second International Workshop. Leuven, Belgium, 14–16 December 1994, Proceedings, volume 1008 of Lecture Notes in Computer Science, pp. 131–136. Springer, 1994) and Daemen and Rijmen (J Math Cryptol 1(3):221–242, 2007), Bogdanov and Tischhauser (In: Moriai S (ed) Fast Software Encryption—20th International Workshop, FSE 2013, Singapore, March 11–13, 2013. Revised Selected Papers, volume 8424 of Lecture Notes in Computer Science, pp. 19–38. Springer, 2013) argued that p1 should be considered to be a random variable. They postulated the adjusted wrong key randomisation hypothesis which states that p1 follows a normal distribution. A non-intuitive consequence is that the resulting expression for PS is no longer a monotone increasing function of N. A later work by Blondeau and Nyberg (Des Codes Cryptogr 82(1–2):319–349, 2017) argued that p should also be considered to be a random variable and they postulated the adjusted right key randomisation hypothesis which states that p follows a normal distribution. In this work, we revisit the key randomisation hypotheses. While the argument that p and p1 should be considered to be random variables is indeed valid, we show that if p and p1 follow any distributions with supports which are subsets of [0, 1], and E[p] = p and E[p1] = 1/2, then the expression for PS that is obtained is exactly the same as the one obtained using the standard key randomisation hypotheses. Consequently, PS is a monotone increasing function of N even when p and p1 are considered to be random variables.

First Page

3837

Last Page

3855

DOI

https://doi.org/10.1007/s10623-023-01272-y

Publication Date

12-1-2023

This document is currently not available here.
