Cyber Week4 LinearCryptanalysis

What is the primary aim of Linear Cryptanalysis?

To approximate block ciphers using linear expressions

How is a bias in a linear expression used in this attack?

The bias is used to discover secret key bits

In the context of S-Boxes, what do X and Y typically represent?

X represents the input bits and Y represents the output bits

What does it mean if an expression has an 'Agreement' of 8/16?

The expression is true half the time, meaning there is zero bias and no information leakage

What is the formula for calculating bias from a count of agreements out of 16?

Bias = (Count - 8) / 16

If an expression holds 12/16 times, what is the bias?

1/4 or 0.25

What is the purpose of Matsui's Piling Up Lemma?

To estimate the bias of a linear expression derived from multiple independent random variables

What is the Piling Up Lemma formula for two variables with biases e1 and e2?

Prob(Z1 XOR Z2 = 0) = 1/2 + 2(e1 * e2)

In the Piling Up Lemma, what happens if even one variable has zero bias?

The total probability becomes 0.5 (no bias)

What is a Linear Approximation Table (LAT)?

A table showing the deviation from a count of 8 for all input/output bit combinations

How is the input to an S-Box (X) related to the Plaintext (P) and Key (K)?

X = P XOR K

What is the 'Known Plaintext Attack' requirement for linear cryptanalysis?

The analyst must know both the plaintext and the corresponding ciphertext

How does a cryptanalyst 'peel off' the final round of a cipher?

By guessing the final round key to calculate intermediate values and check for bias

What is the result of using an incorrect final round key guess?

The derived intermediate ciphertexts will be incorrect and the bias will stay near zero

How do you identify the actual subkey from a table of tried candidates?

The candidate with the largest deviation (absolute bias) from 0.5 is the most likely key

What does SPN stand for in block cipher design?

Substitution Permutation Network

In an SPN, how are subkeys typically mixed with the data?

Through bitwise XOR

What is the relationship between the number of rounds and the total bias?

As more rounds (approximations) are added, the total bias generally decreases

If a linear expression has a bias of -1/32, what is the probability it is true?

15/32

Why is it possible to ignore the intermediate key XORs when calculating the magnitude of the bias?

Because the key bits only change the sign of the bias, not its magnitude

What is the 'Inverse S-box' used for in this attack?

To move backward from a ciphertext/key guess to the intermediate U bits

What is the E2E-approx expression composed of?

XOR sum of plaintext bits, XOR sum of intermediate U bits, and XOR sum of involved key bits

If you have 10,000 plaintexts, how is the experimental bias calculated?

Absolute value of (Count - 5000) divided by 10000