On the validity of certain hypotheses used in linear cryptanalysis
Linear cryptanalysis and its generalisations are possible ways to attack an iterated block cipher. Their success relies on a certain number of assumptions made by the attacker. In this thesis, the validity of some of these assumptions is investigated.

According to Matsui's Piling-up Lemma, the imbalance of a sum of independent binary random variables is equal to the product of the imbalances of these random variables. One uses this fact in linear cryptanalysis to compute a lower bound on the probability of success of one's attack. It is shown that, on average, the imbalance of the sum is at least as large as the product of the imbalances and that for large sample spaces, both expressions are almost always approximately equal. It is deduced that, at least as an approximation, the Piling-up Lemma is applicable in a linear cryptanalysis attack to linked threefold sums even if they are not independent.

The validity of the hypothesis of fixed-key equivalence is investigated. The hypothesis asserts that for any effective input/output sum (I/O sum) virtually all key-dependent imbalances are approximately equal to their average, the average-key imbalance of the I/O sum. A counter-example is given. It is further proved that, for one round of encryption, the average and the variance of the key-dependent imbalances are approximately the same for virtually all I/O sums. Whether the key-dependent imbalances of an I/O sum can then be considered as "approximately equal" is subjective and therefore no conclusion about it is drawn. Finally, the average, over all I/O sums, of the average-key imbalances is computed for any number of rounds. Based on this result, a new quantitative definition of effective I/O sums is given.

The validity of the piling-up hypothesis is studied. This hypothesis is an m-ary analogue to Matsui's Piling-up Lemma. It says that (for certain imbalance measures) the imbalance of a product of independent m-ary random variables is in virtually all cases approximately equal to
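The following worked example is added here to make the binary Piling-up Lemma and the "linked sum" caveat from the abstract concrete; it is not code from the thesis. It assumes the imbalance of a binary variable X is I(X) = |2·P(X=0) − 1| (twice Matsui's bias), computes the imbalance of an XOR-sum exactly from a joint distribution, and compares it with the product of the marginal imbalances. For independent bits the two agree (the lemma); for a constructed dependent pair the sum's imbalance is smaller than the product, and for a linked threefold sum (X3 := X1 ⊕ X2) it is larger, so the product is neither an upper nor a lower bound once independence is dropped. All distributions below are constructed for illustration.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, Sequence, Tuple

# A joint distribution over n binary variables: bit tuple -> exact probability.
Joint = Dict[Tuple[int, ...], Fraction]


def imbalance(p_zero: Fraction) -> Fraction:
    """Imbalance of a binary variable, assumed here as |2*P(X=0) - 1| (twice Matsui's bias)."""
    return abs(2 * p_zero - 1)


def independent_joint(p_zeros: Sequence[Fraction]) -> Joint:
    """Joint distribution of independent bits X_i with P(X_i = 0) = p_zeros[i]."""
    joint: Joint = {}
    for bits in product((0, 1), repeat=len(p_zeros)):
        pr = Fraction(1)
        for b, p0 in zip(bits, p_zeros):
            pr *= p0 if b == 0 else 1 - p0
        joint[bits] = pr
    return joint


def linked_threefold_joint(p_zero_1: Fraction, p_zero_2: Fraction) -> Joint:
    """X1, X2 independent and X3 := X1 XOR X2, so X1 + X2 + X3 = 0 always (a linked sum)."""
    joint: Joint = {}
    for (x1, x2), pr in independent_joint([p_zero_1, p_zero_2]).items():
        joint[(x1, x2, x1 ^ x2)] = pr
    return joint


def marginal_p_zero(joint: Joint, i: int) -> Fraction:
    """P(X_i = 0) read off the joint distribution."""
    return sum((pr for bits, pr in joint.items() if bits[i] == 0), Fraction(0))


def sum_p_zero(joint: Joint) -> Fraction:
    """P(X_1 XOR ... XOR X_n = 0), computed exactly from the joint distribution."""
    return sum((pr for bits, pr in joint.items() if sum(bits) % 2 == 0), Fraction(0))


def piling_up_closed_form(p_zeros: Sequence[Fraction]) -> Fraction:
    """Matsui's Piling-up Lemma: P(sum = 0) = 1/2 + 2^(n-1) * prod_i (p_i - 1/2), independence assumed."""
    acc = Fraction(1)
    for p0 in p_zeros:
        acc *= p0 - Fraction(1, 2)
    return Fraction(1, 2) + 2 ** (len(p_zeros) - 1) * acc


def compare(joint: Joint) -> Tuple[Fraction, Fraction]:
    """Return (imbalance of the XOR-sum, product of the marginal imbalances)."""
    n = len(next(iter(joint)))
    prod_imb = Fraction(1)
    for i in range(n):
        prod_imb *= imbalance(marginal_p_zero(joint, i))
    return imbalance(sum_p_zero(joint)), prod_imb


# Constructed dependent pair: both marginals have P(X_i = 0) = 9/10 (imbalance 4/5 each),
# but the bits disagree more often than independence would allow.
DEPENDENT_PAIR: Joint = {
    (0, 0): Fraction(4, 5),
    (0, 1): Fraction(1, 10),
    (1, 0): Fraction(1, 10),
    (1, 1): Fraction(0),
}

if __name__ == "__main__":
    F = Fraction
    ind = independent_joint([F(3, 4), F(5, 8), F(7, 10)])
    print("independent: sum imbalance, product =", compare(ind),
          "closed form P(sum=0) =", piling_up_closed_form([F(3, 4), F(5, 8), F(7, 10)]))
    print("dependent pair: sum imbalance, product =", compare(DEPENDENT_PAIR))
    print("linked threefold: sum imbalance, product =", compare(linked_threefold_joint(F(3, 4), F(3, 4))))
```

Run it as a script to see the three cases side by side; `compare` works for any joint distribution you supply, so the same code can be pointed at an empirically estimated distribution of a cipher's linear approximations to check how far the product deviates from the true imbalance of the sum.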