Hello and welcome to my talk. My name is Kaisa Nyberg, and the title of my talk is Statistical Model of Correlation Difference and Related-Key Linear Cryptanalysis. First I will give an introduction, then present our contribution, and finally discuss some aspects of the solution.

Introduction and motivation. The scope of the talk is related-key linear cryptanalysis. There is not much literature or prior work in this area, so I hope that presenting a correct statistical model of related-key linear cryptanalysis will encourage more work. The idea is that, given a linear approximation, its correlations are computed for two different related keys. The problem has been that there are statistical dependencies both over the data and over the related-key pairs when we compute these two correlations. Using two independent data samples removes the first dependency, but the second one remains. This problem has not been properly addressed in the existing literature, and my goal is to fill this gap.

Let us have a look at the difference of related-key correlations, particularly in the case of an iterated block cipher. For an iterated block cipher, the correlation can be given as a sum, taken over all trails with input mask a and output mask b, of the trail correlations with signs depending on the key. When we take the difference, we get a factor which depends only on the key difference Delta, and we can see that the terms where the inner product between tau and Delta equals zero cancel out. This means there are fewer terms in the sum, and also fewer possible values for the sum. These facts may facilitate Matsui's Algorithm 1 type key recovery, as discussed in the paper by Röck and Nyberg in 2013. The second possibility to exploit this fact arises in the particular case where all the remaining terms are equal to zero.
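In symbols, the decomposition just described can be sketched as follows (a reconstruction under the standard key-alternating linear-hull convention, where tau runs over the trail masks and c_tau denotes a trail correlation):

```latex
% correlation of the linear approximation (a, b) as a signed sum over trails
c_K(a,b) \;=\; \sum_{\tau \,:\, a \to b} (-1)^{\langle \tau, K \rangle}\, c_\tau
% difference under related keys K and K \oplus \Delta
c_K(a,b) - c_{K \oplus \Delta}(a,b)
  \;=\; \sum_{\tau} (-1)^{\langle \tau, K \rangle}
        \bigl(1 - (-1)^{\langle \tau, \Delta \rangle}\bigr)\, c_\tau
  \;=\; 2 \sum_{\tau \,:\, \langle \tau, \Delta \rangle = 1}
        (-1)^{\langle \tau, K \rangle}\, c_\tau .
% trails with <tau, Delta> = 0 cancel; if additionally c_tau = 0 for all
% trails with <tau, Delta> = 1, the whole difference vanishes (the KDIB case)
```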
That is, all the trail correlations where the inner product between tau and Delta equals one vanish. These are the two main applications previously handled in the literature.

Let's have a closer look at Algorithm 1 type key recovery. The keys are divided into key classes, and we denote a key class by the value c that the difference of correlations takes. If the values c are sufficiently far apart, then using a sufficiently large sample the key class can be identified. Given a sample of size N, the attacker computes a sampled correlation difference. Under the assumption that the two correlations are statistically independent, we get that within the key class K_c, the sampled correlation difference is normally distributed with mean c and variance 2/N. Given this distribution, one can use different kinds of decision algorithms to decide which key class is the most likely one. One decision algorithm is presented in the paper by Röck and Nyberg, and another one, presented in the single-key context by Ashur and Rijmen, can also easily be applied to the related-key case.

The second type of application is a distinguisher, which can also be used for key recovery in the Algorithm 2 style. It is based on the so-called key difference invariant bias (KDIB) property introduced by Bogdanov et al. in 2013. They observed that two ciphers, LBlock and TWINE, have the property that under related keys the differences of correlations of some linear approximations are equal to zero. They were able to identify a small number of such linear approximations and then used a multiple linear cryptanalysis type of approach to build a distinguisher. But for the distinguisher we need to know both the random behavior and the behavior expected from the cipher.
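As a sketch, the sampling and decision step of such an Algorithm 1 attack might look as follows. This is a toy illustration of my own, not code from the paper; the class values and the bias 0.1 are made-up numbers:

```python
import numpy as np

rng = np.random.default_rng(1)

def sampled_corr_diff(bits_k, bits_kd):
    # empirical correlation of a 0/1 bit sequence b is mean((-1)^b)
    return np.mean(1 - 2 * bits_k) - np.mean(1 - 2 * bits_kd)

def nearest_class(c_hat, class_values):
    # with the same variance 2/N in every key class, the maximum-likelihood
    # decision is simply the class value closest to the observation
    return min(class_values, key=lambda c: abs(c_hat - c))

# toy demo: approximation bits whose true correlations differ by c = 0.1
N = 100_000
bits_k  = (rng.random(N) < 0.45).astype(int)   # bit with correlation +0.1
bits_kd = (rng.random(N) < 0.50).astype(int)   # bit with correlation  0.0
c_hat = sampled_corr_diff(bits_k, bits_kd)
print(nearest_class(c_hat, [-0.1, 0.0, 0.1]))
```

With N = 100000 the standard deviation of the estimate is about sqrt(2/N), roughly 0.0045, so the correct class 0.1 is identified with high probability.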
From the cipher we expect this behavior, and for a random pair of functions the mean is expected to be zero as well, but the variance is larger: 2^(1-n). Assuming that these correlations are statistically independent, we can do key recovery by testing different candidates for part of the key. If the key guess is fully correct, we expect to see the property that the cipher has, the key difference invariant bias property; if the key guess is not fully correct, we expect to see the random behavior. A decision algorithm based on hypothesis testing is presented in the paper.

And how do we sample for this key difference invariant bias distinguisher? In the same way as before: given a sample of plaintexts of size N, we get the corresponding ciphertexts under two different keys, then compute the correlations and the difference of the correlations. Again, in the model that Bogdanov et al. were using, they assumed that the correlations are statistically independent also over the random samples. In that case, over the random samples, the sampled correlation difference is normally distributed with expected value c and variance 2/N. Putting these together, the distribution of c over the keys from the previous page and the distribution of c hat over random samples, we get that for the right key, where we expect to see the behavior of the cipher, the KDIB property, c hat is normally distributed with mean 0 and variance 2/N, while for a wrong key the corresponding distribution is also normal, but with mean 0 and a slightly larger variance, 2/N + 2^(1-n).

So now, our contribution to these models. First, let us recall the problems we just saw.
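To make the two hypotheses concrete, here is a sketch of a simple threshold test on |c hat|. This decision rule is my own illustration, not the one from the paper; the normal CDF comes from the standard library's statistics.NormalDist:

```python
from statistics import NormalDist

def kdib_error_probs(n, N, thr):
    """Error probabilities of deciding 'right key' when |c_hat| < thr,
    with right key ~ N(0, 2/N) and wrong key ~ N(0, 2/N + 2^(1-n))."""
    right = NormalDist(0.0, (2 / N) ** 0.5)
    wrong = NormalDist(0.0, (2 / N + 2.0 ** (1 - n)) ** 0.5)
    alpha = 2 * (1 - right.cdf(thr))           # right key wrongly rejected
    beta = wrong.cdf(thr) - wrong.cdf(-thr)    # wrong key wrongly accepted
    return alpha, beta

# the gap between the two variances is only 2^(1-n), so a single
# approximation needs N close to 2^n to be useful; this is why
# Bogdanov et al. combined many approximations with the KDIB property
print(kdib_error_probs(16, 2 ** 16, 0.008))
```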
The first problem is that even for a pair of random functions f and f', these correlations are actually never fully independent. We remove this assumption and prove the same distribution as before without any independence assumption. The second problem is that over the data samples, these correlations for a fixed key are not statistically independent. Our contribution is an exact expression for the variance of the sampled correlation difference without the independence assumption. It contains a new parameter, which we will discuss later and which allows a much more natural assumption. In this way we can confirm, but also generalize, the distribution used by Röck and Nyberg, and we can likewise confirm and generalize the previous understanding of the correlation difference in the KDIB case, and perhaps generalize it to other types of related-key correlation properties.

The main theorem concerns just a pair of Boolean functions of n-bit vectors; linear approximations are such Boolean functions. We define the correlations as usual, and the difference of the correlations and the sampled correlation difference in the same way as we already discussed these quantities. Let N denote the size of the sample. The new parameter is denoted by Q, and it is the probability that the two Boolean functions take different values; in other words, we can write it as one half times one minus the correlation between f and f'. Then we get that the mean of the sampled correlation difference is equal to c, and the variance is equal to (4B/N)(Q - c^2/4), where B is the so-called finite population correction coefficient, which has the expression (2^n - N)/(2^n - 1) if the sample is drawn without replacement, and 1 if the sample is drawn with replacement. If the sample is drawn without replacement, we use the hypergeometric distribution here.
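Since the slide itself is not visible, here is a small numerical sanity check of the variance expression Var(c hat) = (4B/N)(Q - c^2/4) as I have stated it above. The setup, seed, and sizes are my own, and the formula as written in the code is my reading of the spoken statement:

```python
import numpy as np

rng = np.random.default_rng(7)

def corr(f):
    # correlation of a Boolean function given as a 0/1 truth table
    return np.mean((-1.0) ** f)

def var_formula(f, f2, N, with_replacement=True):
    """Variance of the sampled correlation difference,
    Var(c_hat) = (4B/N) * (Q - c^2/4), reconstructed from the talk."""
    n_points = len(f)
    Q = np.mean(f != f2)              # probability the functions differ
    c = corr(f) - corr(f2)
    B = 1.0 if with_replacement else (n_points - N) / (n_points - 1)
    return (4 * B / N) * (Q - c * c / 4)

# empirical check on a random pair of Boolean functions on 8-bit inputs
f  = rng.integers(0, 2, 256)
f2 = rng.integers(0, 2, 256)
N, trials = 32, 20_000
samples = rng.integers(0, 256, size=(trials, N))   # with replacement
c_hats = np.mean((-1.0) ** f[samples] - (-1.0) ** f2[samples], axis=1)
print(np.var(c_hats), var_formula(f, f2, N))   # the two should be close
```

Note that the formula behaves as it must in the degenerate case: if f = f' everywhere, then Q = 0 and c = 0, so the variance is exactly zero.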
And if the sample is drawn with replacement, we use the binomial distribution. The variances in these two cases differ by the factor (2^n - N)/(2^n - 1): when we multiply the variance in the binomial case by this factor, we get the variance in the hypergeometric case. These binomial and hypergeometric distributions can be approximated by the normal distribution with the given mean and variance over the random sample.

Assume moreover that c is normally distributed with mean mu and variance sigma squared. Then the integrated distribution of c hat, over the data samples and over the related function pairs, is approximately normal with mean mu and the variance I have put here, where Q bar is the mean of Q, the probability that the functions take different values, taken over the related function pairs. This general formula does not appear in the paper; I put it here for the talk. In the paper we only considered the two special cases of the KDIB setting: the case of the cipher and the random case. In the case of the cipher, mu is equal to zero and the variance sigma squared is also equal to zero, because the difference of the correlations is a constant; then c hat is normally distributed with zero mean and variance 4BQ/N, where B and Q are as before. For the random case, Q bar is equal to one half, the mean mu is equal to zero, and sigma squared is 2^(1-n); then the integrated distribution of c hat over the samples and over the random function pairs is normal with mean zero and variance 2^(1-n) + (2B/N)(1 - 2^(-n)).
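The general integrated variance is only referred to as "this quantity" in the recording. By the law of total variance it should read as follows; this is a reconstruction of mine, but it matches both special cases just quoted:

```latex
% total variance = key-pair variance + expected data-sample variance
\mathrm{Var}(\hat{c})
  \;=\; \sigma^2 \;+\; \frac{4B}{N}\Bigl(\bar{Q} - \frac{\mu^2 + \sigma^2}{4}\Bigr)
% cipher case: \mu = 0,\ \sigma^2 = 0,\ \bar{Q} = Q
%   gives 4BQ/N
% random case: \mu = 0,\ \sigma^2 = 2^{1-n},\ \bar{Q} = 1/2
%   gives 2^{1-n} + \frac{2B}{N}\bigl(1 - 2^{-n}\bigr)
```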
We can now look at the different cases. With replacement, B is equal to one; without replacement, B is the constant defined before. Assuming Q equal to one half, in the with-replacement case this formula gives 2/N for the cipher and 2^(1-n) + (2/N)(1 - 2^(-n)) for random. Without replacement, the expression for random actually simplifies to exactly 2/N, while for the cipher we get (2/N)(2^n - N)/(2^n - 1). So for the cipher the variance is always slightly smaller, and this allows us, given a sufficient amount of plaintexts and the related ciphertexts, to distinguish between the cipher and random, or between the right key and a wrong key.

Finally, a discussion. First I want to discuss the role of Q. Q bar is determined by the average correlation between a bit of the ciphertext computed with key k and the corresponding bit computed with a related key. Setting Q equal to one half means that the related ciphertexts are uncorrelated, and with Q equal to one half we get exactly the same distributions as used before in the previous literature by Bogdanov et al. and by Röck and Nyberg. So the assumption about statistical independence of the related-key correlations of a linear approximation can now be replaced by a very concrete assumption about uncorrelated ciphertexts under related keys. Moreover, this assumption is a very natural one, and it can be expected to hold for modern ciphers, which are designed not to admit ciphertext-only attacks. In particular, if Q is different from one half, it means that the bit computed from the related ciphertexts is not expected to be balanced, which may allow a ciphertext-only related-key attack if the imbalance is really bad.

The second issue is the issue of independent samples.
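The role of Q can be illustrated directly on ciphertext bits: Q is the probability that the two masked bits differ, that is, that their XOR is one, and Q = 1/2 exactly when that XOR bit is balanced. A small sketch (the uniform bits here merely mimic a well-designed cipher; they are not produced by any real cipher):

```python
import numpy as np

rng = np.random.default_rng(3)

def q_parameter(bits_k, bits_kd):
    """Q is the probability that the two masked ciphertext bits differ,
    i.e. that their XOR is 1; since cor = 1 - 2Q, Q = 1/2 means the
    related ciphertext bits are uncorrelated (the XOR bit is balanced)."""
    return np.mean(bits_k ^ bits_kd)

# for a modern cipher the XOR of related-key ciphertext bits should
# look balanced; independent uniform bits model that ideal behavior
b1 = rng.integers(0, 2, 1_000_000)
b2 = rng.integers(0, 2, 1_000_000)
print(q_parameter(b1, b2))   # close to 0.5
```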
Of course, we can make the two related-key correlations independent if we compute them over independently chosen samples, in which case we need 2N plaintexts. This is always possible, but it doubles the number of plaintexts we need for the analysis. With a single sample we need only N plaintexts, although we still need 2N oracle calls to get the ciphertexts. In other words, with two independent samples we need 2N plaintext-ciphertext pairs, but with a single sample we need N triples of a plaintext, the ciphertext computed with one key, and the ciphertext computed with the related key. So the data requirement is smaller if we use a single sample, and thanks to our analysis we now know exactly how to handle the single-sample case.

Conclusion. We have revisited the statistical premises of related-key linear cryptanalysis and shown that the single-sample option is legitimate; we showed how to handle it. We confirmed the model for the correlation difference of random functions, which had not really been proven before. Although I did not go into the details in this talk, in the paper we also discuss the extension to multiple linear cryptanalysis, which works under the assumption that the linear approximations used in the analysis are independent. We also discuss briefly extensions to multidimensional linear cryptanalysis, but there are some obstacles there; the analysis looks quite complicated, and therefore it is left for future work. I wish to thank you for your attention, and see you at the conference.