Abstract
This work studies the success probability of key recovery attacks based on using a single linear approximation. Previous works had analysed success probability under different hypotheses on the distributions of correlations for the right and wrong key choices. This work puts forward a unifying framework of general key randomisation hypotheses. All previously used key randomisation hypotheses, as well as zero correlation attacks, can be seen as special cases of the general framework. Derivations of expressions for the success probability are carried out under both the settings of the plaintexts being sampled with and without replacement. Compared to previous analyses, we uncover several new cases which have not been considered in the literature. For most of the cases which have been considered earlier, we provide complete expressions for the respective success probabilities. Finally, the full picture of the dependence of the success probability on the data complexity is revealed. Compared to the extant literature, our work provides a deeper and more thorough understanding of the success probability of single linear cryptanalysis.
Highlights
A block cipher is a fundamental cryptographic primitive
The goal of cryptanalysis of a block cipher is to recover a portion of the secret key in time less than that required by a brute force algorithm to try out all possible keys
The expressions for the success probability obtained using the two different approaches are slightly different. They turn out to be equal if certain assumptions and approximations used by Selcuk in [26] are applied to the expression obtained from the order statistics based approach
Summary
A block cipher is a fundamental cryptographic primitive. Such a primitive injectively maps an n-bit plaintext, under the influence of a secret key, to an n-bit ciphertext. The goal of (linear) cryptanalysis of a block cipher is to recover a portion of the secret key in time less than that required by a brute force algorithm to try out all possible keys. It is required to first obtain an approximate linear relation between the input and the output of the block cipher. It is also required to obtain some data corresponding to the secret key. Such data consists of plaintext-ciphertext pairs (Pi, Ci), i = 1, …
Bose Center for Cryptology and Security, Indian Statistical Institute, Kolkata, India
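As an added illustration (not code from the paper), the following Python compares the closed-form success probability of a single-linear-approximation key recovery attack, obtained from the order statistics approach of Selcuk [26], with a Monte Carlo simulation of the attack under the standard right-key and wrong-key randomisation hypotheses; the statistical model, the function names and the sample parameters (an 8-bit key guess, correlation 0.06, advantage 4 bits) are assumptions made for the example.

```python
import random
from statistics import NormalDist

NORMAL = NormalDist()  # standard normal: .cdf is Phi, .inv_cdf is Phi^{-1}


def selcuk_success_probability(n_samples: int, corr: float, adv_bits: float) -> float:
    """Closed form from the order statistics approach (Selcuk, J. Cryptology 2008):
    P_S = Phi(sqrt(N) * |c| - Phi^{-1}(1 - 2^(-a-1))), where N is the number of
    plaintext-ciphertext pairs, c = 2p - 1 the correlation of the linear
    approximation for the right key, and a the advantage in bits (the right key
    must rank within the top 2^(-a) fraction of all candidates)."""
    threshold = NORMAL.inv_cdf(1 - 2 ** (-adv_bits - 1))
    return NORMAL.cdf(n_samples ** 0.5 * abs(corr) - threshold)


def data_complexity(target_ps: float, corr: float, adv_bits: float) -> float:
    """Invert the closed form: the N needed to reach success probability target_ps."""
    threshold = NORMAL.inv_cdf(1 - 2 ** (-adv_bits - 1))
    return ((NORMAL.inv_cdf(target_ps) + threshold) / abs(corr)) ** 2


def simulate_success_probability(n_samples, corr, key_bits, adv_bits, trials=2000, seed=1):
    """Monte Carlo estimate under the standard hypotheses (assumed here, not taken
    from the paper): the empirical correlation of the right key is N(c, 1/N) and
    that of each of the 2^key_bits - 1 wrong keys is N(0, 1/N). The attack keeps the
    2^(key_bits - a) candidates with the largest |empirical correlation|; a trial is
    a success when the right key is among them."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    sigma = n_samples ** -0.5
    n_wrong = 2 ** key_bits - 1
    keep = 2 ** (key_bits - adv_bits)
    successes = 0
    for _ in range(trials):
        right = abs(rng.gauss(corr, sigma))
        outranking = sum(1 for _ in range(n_wrong) if abs(rng.gauss(0.0, sigma)) > right)
        successes += outranking < keep
    return successes / trials


if __name__ == "__main__":
    # constructed sample parameters: 8-bit key guess, correlation 0.06, advantage 4 bits
    for n in (1024, 2048, 4096, 8192):
        print(n, round(selcuk_success_probability(n, 0.06, 4), 3),
              round(simulate_success_probability(n, 0.06, 8, 4), 3))
```

Running the script prints the closed form beside the simulated estimate for increasing N, which makes the dependence of the success probability on the data complexity visible; the two agree closely once sqrt(N)·|c| is a few standard deviations above the wrong-key threshold.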