Statistics of Correlation and Differentials in Block Ciphers

In this paper, we derive the statistical distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for most of them for the first time. We show that these parameters have distributions that are well-studied in the field of statistics such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key and hence so does the attack complexity. Markov theory does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence. In this paper, we study the distributions of propagation properties that are relevant in the resistance of key-alternating ciphers against differential and linear cryptanalysis. Key-alternating ciphers are basically iterative ciphers where round keys are applied by an XOR operation in between unkeyed rounds and are a sub-class of Markov ciphers. We give the distributions of fixed-key difference propagation probability and fixed-key correlation of iterative ciphers. We show that for key-alternating ciphers, the hypothesis of stochastic equivalence can be discarded. In its place comes the explicit formulation of the distribution of fixed-key differential probability (DP) of a differential in terms of its expected differential probability (EDP) and the distribution of the fixed-key linear probability (or rather potential) (LP) of a linear approximation (or hull) in terms of its expected linear probability (ELP). Here the ELP and EDP are defined by disregarding the key schedule of the block cipher and taking the average over independently selected round keys, instead of over all cipher keys. Proving these distributions requires no assumptions standardly made in Markov cipher theory as perfectly uniform behavior, independently acting rounds or the technique of averaging over keys. For key-alternating ciphers, we show that if the EDP is equal to 2−n with n the block length, the fixed-key DP has the same distribution as in a random n-bit cipher. The same holds for the ELP and the corresponding fixed-key LP. Finally we present a statistical technique for computing bounds on the EDP based on the distribution of probabilities of differential characteristics and of the ELP based on the distribution of LP of linear characteristics.