The topic of my presentation today is capacity and data complexity in multidimensional linear attacks. The presentation has the following parts. First, we give the background knowledge related to our work. Second, we cover the related work and the motivation we draw from it. Then we introduce our contribution and conclude.

Let's start with the background. Statistical attacks are the most popular techniques for analyzing block ciphers. They use non-uniform behavior of the plaintext and the ciphertext to extract information about the key. There are two primary types of statistical attacks, differential and linear. In our work, we focus on linear attacks and one of their most important variants, the multidimensional linear attack.

A linear attack uses the non-uniformity of the XOR-sum of input and output bits. If the XOR-sum is denoted as shown here, then the linear attack exploits how biased the event is that this sum equals 0 or equals 1. The correlation of this XOR-sum is the most important measure of how effective a linear attack is, and sometimes people also use the linear potential, which is the squared correlation.

In an iterated block cipher, the linear relation is at first considered round by round, which gives a path like this one, called a linear trail. In the attack, we usually only consider the bits related to the plaintext and to the ciphertext. The vectors denoting which bits are involved in the plaintext and in the ciphertext are called the input mask and the output mask, the u and v here. If many linear trails share the same masks u and v, they form a linear approximation, like this one.

A multidimensional linear approximation uses m approximations with linearly independent masks to construct an m-dimensional vectorial Boolean function F. We call these m approximations the base approximations. If the probability distribution of F is denoted as p here, then the capacity of this m-dimensional linear approximation is defined as shown here. Similar to the correlation in the one-dimensional case, the capacity is the most important measure of how effective a multidimensional linear attack is.

Now to the related work. At the beginning, the behavior of linear trails and linear approximations was assumed to be equal for every key. Then the effect of many trails contributing to one approximation was discussed; this is called the linear hull effect. Later, the fixed-key probability distribution for single linear attacks was given. This encouraged follow-up works, such as discussions of the fundamental assumptions, the effect of key schedules, and measures of data complexity. However, all of these works only cover single linear attacks; for multidimensional linear attacks, the situation was so far unclear.

About multidimensional linear attacks, we already know that they can save data complexity significantly in some attack scenarios. They have also been discovered to have connections with some other attacks, for example the truncated differential distinguisher and so on. However, some questions remain open. Does the traditional key equivalence hypothesis hold in the multidimensional setting? Is the current measure of data complexity accurate enough in multidimensional attacks? And can results similar to those in the single setting be derived in the multidimensional setting? We try to answer these questions, and we start by studying the key-dependent capacity in multidimensional attacks.
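Since the formulas live on the slides, a minimal sketch of the standard capacity definition from multidimensional linear cryptanalysis may help; the function name and the toy distribution below are illustrative choices, not taken from the talk.

```python
import numpy as np

def capacity(p):
    """Capacity of an m-dimensional linear approximation whose output
    distribution over the M = 2^m values of the vectorial Boolean
    function F is p: C(p) = 2^m * sum_eta (p_eta - 2^-m)^2."""
    p = np.asarray(p, dtype=float)
    M = p.size  # M = 2^m
    return M * np.sum((p - 1.0 / M) ** 2)

# Toy example with m = 2 (M = 4): a slightly non-uniform distribution.
p = np.array([0.26, 0.25, 0.25, 0.24])
print(capacity(p))  # 8e-4 here; exactly 0 for the uniform distribution
```

By Parseval's theorem this quantity equals the sum of the squared correlations over all 2^m - 1 nonzero linear combinations of the base approximations, which is the relation used in case one below.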
We focus on two cases; both of them occur in practical block ciphers. The two cases are identified by two assumptions, and we need to check the validity of these assumptions in experiments on reduced-round versions of the ciphers.

In case one, we assume that the correlation of each base approximation is independent and identically distributed according to this normal distribution. Here, the second parameter is the average square correlation, also known as the expected linear potential (ELP). We also assume that, for each key, the XOR-sums of the base approximations are statistically independent. With these two conditions, we can derive that the capacity of the m-dimensional linear approximation follows a gamma distribution with the parameters shown here, with the average value and the variance as here.

We will skip the proof, but an intuitive explanation of case one is the following. In this case, the correlations of the base approximations are dominant. According to the known relation between the capacity and the correlations, the capacity can be approximated by summing the linear potentials of only the base approximations, ignoring the linear potentials of the other combined approximations. The error of this approximation is upper bounded by this value, which is negligibly small, especially when the average square correlation is small enough. We did experiments on five rounds of PRESENT, and as you can see here, the experimental results follow the theoretical results quite closely.

In the second case, we assume that the probability values of the m-dimensional approximation are independent and identically distributed according to this normal distribution, and in this case the capacity follows this gamma distribution. Here, not only the m base approximations but also the remaining combined approximations are taken into consideration; all of them make a non-negligible contribution to the capacity. In this case the correlations are not independent anymore, but we can still prove that they have equal expected linear potential. With this fact, the capacity can be further derived into this form, with this parameter and with this average value and variance. Case one and case two are slightly different approaches for estimating the parameters of the probability distribution, so in the following we only focus on case one.

With the distribution of the capacity, we can study the data complexity further. Since we know that the capacity follows a gamma distribution, the data complexity can be formally derived to follow an inverse gamma distribution with these parameters. Here, lambda is a constant for any given success probability of the attack; for easier explanation, we take lambda as one later. Here is an example of what this distribution looks like. We take the average linear potential as 2^(-40), which corresponds roughly to 15 rounds of the PRESENT block cipher, and we take dimensions from 2 up to 20. The distributions look like this: the left plot shows the capacity and the right one the data complexity.
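The case-one law is easy to reproduce numerically. Below is a minimal sketch assuming exactly the case-one model as stated in the talk (i.i.d. normal base correlations with variance equal to the ELP); the dimension, the ELP value, and the sample size are arbitrary illustrative choices. Under these assumptions the sum of m squared N(0, ELP) variables is exactly Gamma(m/2, 2*ELP), with mean m*ELP and variance 2m*ELP^2.

```python
import numpy as np
from scipy import stats

rng = np.random.default_rng(1)

m = 8               # hypothetical dimension of the approximation
elp = 2.0 ** -40    # assumed average square correlation (ELP)
n_keys = 100_000    # number of simulated keys

# Case-one model: for each key, the m base correlations are i.i.d.
# N(0, ELP), and the capacity is the sum of their squares.
corr = rng.normal(0.0, np.sqrt(elp), size=(n_keys, m))
cap_samples = (corr ** 2).sum(axis=1)

# Compare the empirical moments with the gamma prediction.
print(cap_samples.mean(), m * elp)          # mean  ~ m * ELP
print(cap_samples.var(), 2 * m * elp ** 2)  # var   ~ 2m * ELP^2

# Goodness-of-fit check against Gamma(shape = m/2, scale = 2*ELP).
ks = stats.kstest(cap_samples, stats.gamma(a=m / 2, scale=2 * elp).cdf)
print(ks.statistic)
```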
With the knowledge of the data complexity distribution, we can discuss some questions that were not very clear before. The first one is the average data complexity. As we know, the actual average data complexity is defined like this, and it was hard to estimate before. So usually, people use the inverse of the average capacity as a measurement of the average data complexity. However, with the distribution, we now know how these two measures relate, and we find that the inverse of the average capacity is only a lower bound of the real average data complexity. This had already been observed in the single linear case.

Then we discuss the key equivalence hypothesis. We already know that the capacity does not remain constant in a multidimensional linear attack. Furthermore, since the gamma distribution is skewed, the median value is always smaller than the mean value, so we can infer that fewer than half of the keys have a capacity larger than the average capacity. This means the average capacity is far from being able to represent the majority of the keys. So we adjust the key equivalence hypothesis in this way, where G is the cumulative distribution function of the gamma distribution; the adjusted hypothesis means that using this amount of data is enough to recover 90% of the keys.

Then we discuss the median data complexity. The median data complexity was first proposed to overcome the problem of the infinite average data complexity in single linear attacks. The general definition of the median data complexity is shown here: for the complexity N_P, the probability that, for a given key, the attack complexity is lower than N_P is P. We extend this result to the multidimensional setting as follows: when P percent of the keys generate a capacity of at least this amount, the complexity is less than this amount with probability P.

Finally, we can summarize the relation between these three measurements of data complexity: the average data complexity is always no smaller than the median complexity, and the median one is always no smaller than the inverse of the average capacity, which was the measure usually used before.

We also applied our results to a previous attack on the PRESENT block cipher. Compared with the previous results, there are two benefits. First, we obtain an estimate of the average capacity that is close to the one in the previous paper, but in a much simpler way, skipping the complicated proof. Second, because we now know the exact distribution of the capacity, we can calculate the number of weak keys precisely. For example, for 2^122 keys, 26-round PRESENT can be attacked using less than 2^62.5 data with success probability 0.8.

Here we conclude our work. We studied the statistical key-dependent behavior in multidimensional linear attacks. We formulated the capacity and the data complexity with a gamma distribution and an inverse gamma distribution, and with this knowledge we can estimate the average data complexity, the median data complexity, and the key equivalence hypothesis more accurately. Thank you, and are there any questions?
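As a short numeric appendix to the summary above, the ordering of the three data-complexity measures and the adjusted key equivalence hypothesis can both be read off directly from the case-one gamma law. This is a minimal sketch; the dimension m, the ELP value, and lambda = 1 are illustrative assumptions, not the parameters of the actual PRESENT attack.

```python
import numpy as np
from scipy import stats

m = 8              # hypothetical dimension, for illustration only
elp = 2.0 ** -40   # assumed expected linear potential (average square correlation)
lam = 1.0          # take lambda = 1, as in the talk

# Case one: capacity C ~ Gamma(shape = m/2, scale = 2*ELP).
cap = stats.gamma(a=m / 2, scale=2 * elp)

n_naive = lam / cap.mean()       # inverse of the average capacity
n_median = lam / cap.median()    # median of lam/C (x -> lam/x preserves the median)
n_mean = lam / ((m - 2) * elp)   # E[lam/C] for this gamma law, finite when m > 2

# n_naive <= n_median <= n_mean, matching the ordering in the talk.
print([round(np.log2(x), 2) for x in (n_naive, n_median, n_mean)])

# Adjusted key equivalence hypothesis: data sufficient for 90% of the
# keys, i.e. lambda divided by the 10th percentile of the capacity.
n_90 = lam / cap.ppf(0.10)
print(round(np.log2(n_90), 2))
```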