classification of balanced quadratic functions
play

CLASSIFICATION OF BALANCED QUADRATIC FUNCTIONS Lauren De Meyer - PowerPoint PPT Presentation

Apr 02, 2024 •433 likes •727 views

CLASSIFICATION OF BALANCED QUADRATIC FUNCTIONS Lauren De Meyer & Begl Bilgin BFA, Loen Norway, June 20 th 2018 COSIC (V ECTORIAL ) B OOLEAN F UNCTIONS ? 0123457689+,-./0 Lookup Table (LUT): 1 2 3 = 3 2 3 6 3 7 Algebraic Normal Form

  1. CLASSIFICATION OF BALANCED QUADRATIC FUNCTIONS Lauren De Meyer & Begül Bilgin BFA, Loen Norway, June 20 th 2018 COSIC

  2. ¿(V ECTORIAL ) B OOLEAN F UNCTIONS ? 0123457689+,-./0 Lookup Table (LUT): 1 2 3 = 3 2 ⊕ 3 6 3 7 Algebraic Normal Form 1 6 3 = 3 6 ⊕ 3 6 3 8 ⊕ 3 7 3 8 (ANF): 1 7 3 = 3 7 ⊕ 3 6 3 8 1 8 3 = 3 8 Algebraic Degree: 2 D : 1 3 ⊕ F = 1 3 ⊕ G} = 16 Differential Uniformity (Diff): = max <,>?2 # {3 ∈ C 7 D : F ⋅ 3 = G ⋅ 1 3 } − 2 DL6 | = 16 = max <,>?2 |#{3 ∈ C 7 Linearity (Lin): 2

  3. A FFINE E QUIVALENCE ! " ∼ ! ! " = & ∘ ! $ ∘ ( $ with (, & affine permutations • Algebraic Degree Invariants: • Differential Uniformity • Linearity • Multiplicative Complexity 3

  4. T IMELINE OF A FFINE E QUIVALENCE C LASSIFICATION % → # $ Boolean Functions !: # $ Golomb: invariants and representatives Berlekamp-Welch: Fuller: 6 variables ≤ 5 variables 1972 2017 1959 2003 2007 De Cannière: *×* with * ≤ 4 Bozilov et al.: all quadratic 5 ×5 % → # $ % Vectorial Boolean Functions: ': # $ 4

  5. F IND R EPRESENTATIVE • Algorithm by Biryukov et al. [1] • To find Representative ! = # $% ∘ ' ∘ ( • for permutations only, i.e. )×) Boolean Functions ' • Representative is lexicographically smallest of equivalence class ( ' # . + ((+) #(.) ! + = . [1] A. Biryukov, C. De Canniere, A. Braeken, and B. Preneel. A toolbox for cryptanalysis: Linear and affine equivalence algorithms. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 33–50. Springer, 2003. 5

  6. ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 2(!) 1 - 9 . / 6 1 3 0 8 7 4 , 2 5 0 6 ! → ,(!) - 7 ← 7 → 0 → → ← 0 ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 9(!) 6

  7. ! " 1 2 3 4 5 6 7 8 9 , - . / 0 1 2(!) 5 - 9 . / 6 1 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 ;(!) 7

  8. ! 0 # 2 3 4 5 6 7 8 9 , - . / 0 1 2(!) 1 6 9 . / 6 1 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 ;(!) 8

  9. ! 0 1 $ 3 4 5 6 7 8 9 , - . / 0 1 2(!) 1 - 5 . / 6 1 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess 2 → 2 → 9 ← 2 Guess ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 ;(!) 9

  10. ! 0 1 2 % 4 5 6 7 8 9 , - . / 0 1 2(!) 1 - 9 5 / 6 1 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess 2 → 2 → 9 ← 2 Guess 3 → 3 → . ← 4 Forward = smallest available power of 2 ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 4 ;(!) 10

  11. ! 0 1 2 3 4 5 6 ) 8 9 , - . / 0 1 2(!) 1 - 9 . / 6 1 5 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess 2 → 2 → 9 ← 2 Guess 3 → 3 → . ← 4 Forward 4 → 7 ← 3 ← 3 Bckward = smallest 9 for which - 9 defined ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 4 3 ;(!) 11

  12. ! 0 1 2 3 4 5 ( 7 8 9 , - . / 0 1 2(!) 1 - 9 . / 6 6 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess 2 → 2 → 9 ← 2 Guess 3 → 3 → . ← 4 Forward 4 → 7 ← 3 ← 3 Bckward 5 → 6 → 1 ← 8 Forward = smallest available power of 2 ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 4 3 8 ;(!) 12

  13. ! 0 1 2 3 4 ' 6 7 8 9 , - . / 0 1 2(!) 1 - 9 . / 5 1 3 0 8 7 4 , 2 5 0 8 ! → ,(!) - 9 ← 9 → 0 → 0 → 1 ← 0 Guess 1 → 1 → - ← 1 Guess 2 → 2 → 9 ← 2 Guess 3 → 3 → . ← 4 Forward 4 → 7 ← 3 ← 3 Bckward 5 → 6 → 1 ← 8 Forward 6 → 5 → 6 ← 5 Forward … ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 4 3 8 5 … ;(!) 13

  14. ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 2(!) 1 - 9 . / 6 1 3 0 8 7 4 , 2 5 0 6 ! → ,(!) - 7 ← 7 → 0 → 0 → 1 ← 0 Guess 1 → 5 → 6 ← 1 Guess 2 → , → 7 ← 2 Guess 3 → 1 → 0 ← 3 Forward 4 → 4 ← D ← 4 Guess 5 → 1 → - ← 6 Forward 6 → 0 → 5 ← 8 Forward … ! 0 1 2 3 4 5 6 7 8 9 , - . / 0 1 0 1 2 3 4 6 8 … :(!) 14

  15. C LASSIFYING 5 × 5 Q UADRATIC S- BOXES • Previously by Bozilov et al. [2] ) * • Create list of all ANFs with algebraic degree ≤ 2 • Use AE [1] to get representatives ( ≈ 2 $% times) ) * • Eliminate Doubles … … • Result = 76 classes • 16 threads, ≈ 3 hours runtime ) * 15 [2] D. Bozilov, B. Bilgin, and H. A. Sahin. A Note on 5-bit Quadratic Permutations’ Classification. IACR Transactions on Symmetric Cryptology, 2(1):398–404, 2017.

  16. F IND R EPRESENTATIVE F OR NON - BIJECTIVE % → # $ ' with ( ≤ * (but still balanced) • When !: # $ • Not invertible • Backward: 2 %,' candidates for ! ,- . / 1 ! . 0 1(0) .(/) / 4 16

  17. C OMPLEXITY For Finding 1 Representative with this algorithm: Asymptotically estimated in [1]: Our Average Experimental Runtime (s): 5 10 -2 ! = 5 4 3 Av. Runtime (s) 10 -3 2 1 0 10 -4 1 2 3 4 5 1 2 3 4 5 - - % ! " ⋅ 2 % ⋅ 2 %&' ! ) *+, 18

  18. ! " 1 $ 3 & 5 6 7 8 9 , - . / 0 1 2(!) 5 3 5 0 5 2 3 3 2 0 3 0 2 2 5 0 9 ! → ,(!) - : ← : → 0 → 0 → 1 ← 0 Guess 1 → 2 → 1 ← 0 Bckward 2 → 4 → 1 ← 0 Bckward 3 → 6 → 3 ← 1 Forward 4 → = ← 1 ← 0 Bckward 5 → / → 2 ← 2 Forward 6 → 8 → 0 ← 3 Forward … ! 0 1 2 3 4 5 6 7 8 9 , - . / = 1 0 0 0 1 0 2 3 … >(!) 19

  19. C LASSIFYING +×, B ALANCED Q UADRATIC F UNCTIONS Iterative procedure to find all ! × # representatives ℛ % • Given all balanced quadratic ! -bit Boolean functions ℱ • Given all !× # − 1 representatives ℛ %)* ℛ % ← . 1 ∀ 0 ∈ ℛ %)* , ∀ 2 ∈ ℱ : 2 Create !×# function 3 4 = (0 4 ≪ 1) | 2(4) 3 Find affine eq. representative : 4 ℛ % ← ℛ % ∪ : 5 Sort and eliminate doubles from ℛ % 6 20

  20. FIND REPRESENTATIVE ! × 1 !×($ − 1) ! × $ ℛ )*+ ℛ ) … … … … REDUCE COMBINE 21

  21. 5 × # B ALANCED Q UADRATIC F UNCTIONS 5 ×1 5×2 5×3 5×4 5×5 3 12 80 166 76 Naïve search: On 4 threads in 50 minutes runtime With Optimizations: On 4 threads in 6 minutes runtime # QUADRATIC S-BOX CLASSES 76 ? 6 3 22 , = 3 , = 4 , = 5 , = 6

  22. 6 ×# B ALANCED Q UADRATIC F UNCTIONS 6×1 6×2 6×3 6×4 6×5 6×6 3 24 670 11 891 12 647 2 263 Never been classified before # QUADRATIC S-BOX CLASSES 2263 76 3 6 23 - = 3 - = 4 - = 5 - = 6

  23. 6 ×6 Q UADRATIC S- BOXES • 2258 even vs. 5 odd • 70 have quadratic inverses, 2193 have cubic inverses Lin = 8 Lin = 16 Lin = 32 Diff = 4 8 0 0 Diff = 8 0 0 12 Diff = 16 0 49 100 Diff = 32 0 49 1067 Diff = 64 0 200 779 24

  24. Differentially 6-uniform !×! − 2 functions? • Open questions of C. Carlet [3] • 3.10: unkown if for ! ≥ 5 , ∃ differentially 6-uniform !×! − 2 function? • 6×4 with algebraic degree 2: no Lin = 8 Lin = 16 Lin = 32 Diff = 8 10 1 0 Diff = 16 1935 845 64 Diff = 32 618 5013 740 Diff = 64 42 2016 607 [3] C. Carlet. Open ques2ons on nonlinearity and on APN func2ons. In C ̧. K. Koç, S. Mesnager, and E. Savas, editors, Arithme2c of Finite Fields - 5th Interna2onal Workshop, WAIFI 2014, Gebze, Turkey, September 27-28, 2014. Revised Selected Papers, volume 9061 of 25 Lecture Notes in Computer Science, pages 83–107. Springer, 2014.

  25. • Full listings of all 5 × # and 6 × # classes available on http://homes.esat.kuleuven.be/~ldemeyer/ • More details on ePrint Report 2018/113 26

  26. S- BOX D ECOMPOSITION • Useful for side-channel protected implementations, MPC, … • A higher-degree S-box ! ! ∼ # $ ∘ & ∘ # ' • Goal: Find ( = # $ ∘ & and # ' 27

  27. S- BOX D ECOMPOSITION • Guess ! " and find # such that # ∘ ! " ∼ & • Iteratively (same algorithm!) • ℱ = all quadratic Boolean functions ( such that ( ∘ ! " can be a component of & • ℛ * = all + ×- representatives . such that . ∘ ! " can be a subfunction of & ℛ * ← 0 1 ∀ . ∈ ℛ *34 , ∀ ( ∈ ℱ : 2 Create +×- function 5 6 = (. 6 ≪ 1) | ((6) 3 Find left affine eq. representative ! 4 ℛ * ← ℛ * ∪ ! 5 Sort and eliminate doubles from ℛ * 6 31

  28. S- BO X D EC O M PO SITIO N • Result = compositions with same properties as ! (if exists) • Decompositions: • 5-bit cubic AB permutations • Inverse of Keccak (SHA-3) nonlinear map " • Compositions: “Golden” 5-bit S-boxes: • Algebraic Degree 4 • Diff = 2(APN), 4 • Lin = 6 • Quadratic Decomposition length 2 32

  29. T HANK Y OU ! 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Classification James H. Steiger Department of Psychology and Human Development Vanderbilt

Classification James H. Steiger Department of Psychology and Human Development Vanderbilt

Introduction The Linear Classification Function Quadratic Classification Functions Estimating Misclassification Rates Bias in Error Rate Estimation Error Rates in Variable Selection Classification via the k Nearest Neighbor Rule Classification

417 views • 31 slides
3.2 Graphing Quadratic Functions The equation of a quadratic relation may be written in several

3.2 Graphing Quadratic Functions The equation of a quadratic relation may be written in several

MPM2D1 U3L2 Graphing Quadratic Functions 3.2 Graphing Quadratic Functions The equation of a quadratic relation may be written in several forms: Factored Form: Standard Form: Vertex Form: Last class, we looked at graphing equations in

195 views • 7 slides
Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw Hash functions and multivariate quadratic equations Orange Labs

299 views • 3 slides
Reciprocals of Quadratic Functions MHF4U: Advanced Functions A quadratic function has the form f (

Reciprocals of Quadratic Functions MHF4U: Advanced Functions A quadratic function has the form f (

r a t i o n a l f u n c t i o n s r a t i o n a l f u n c t i o n s Reciprocals of Quadratic Functions MHF4U: Advanced Functions A quadratic function has the form f ( x ) = ax 2 + bx + c in standard form, where a , b and c are real coefficients.

402 views • 3 slides
Key Terms Solve Quadratic Equations by Factoring Application of Zero Product Property Solve

Key Terms Solve Quadratic Equations by Factoring Application of Zero Product Property Solve

Slide 1 / 222 Slide 2 / 222 Algebra II Quadratic Functions 2014-10-14 www.njctl.org Slide 3 / 222 Slide 4 / 222 Table of Contents Key Terms click on the topic to go to that section Explain Characteristics of Quadratic Functions

645 views • 37 slides
d i E Quadratic functions a l l u d Dr. Abdulla Eid b A College of Science . r D

d i E Quadratic functions a l l u d Dr. Abdulla Eid b A College of Science . r D

Section 3.3 d i E Quadratic functions a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 103: Mathematics for Business I Dr. Abdulla Eid (University of Bahrain) Quadratics 1 / 10 Introduction Recall: A quadratic

349 views • 10 slides
2 or 2 , are called quadratic functions. 6 y e y x How can you use this pattern to

2 or 2 , are called quadratic functions. 6 y e y x How can you use this pattern to

D AY 121 U NDERSTANDING THE PARTS OF A Q UADRATIC WITH R EAL W ORLD D ATA AND WRITE THE E QUATION The relationship involves the square of the length of an edge. Functions that involve squaring, such as 2 or 2 , are called quadratic

552 views • 13 slides
Solving Quadratic Equations MCR3U: Functions Recall that to solve a quadratic equation means to

Solving Quadratic Equations MCR3U: Functions Recall that to solve a quadratic equation means to

f u n c t i o n s f u n c t i o n s Solving Quadratic Equations MCR3U: Functions Recall that to solve a quadratic equation means to find all values of the independent variable to satisfy a given equation. For example, the quadratic equation x 2

209 views • 3 slides
A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac

A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac

A Note on 5-bit Quadratic Permutations Classification Duan Boilov Begl Bilgin Hac Ali ahin March 6, 2017 Motivation 2/14 Permutations are main nonlinear part of symmetric primitives Quadratic permutations can be used to

381 views • 22 slides
Quadratic functions Elementary Functions In the last lecture we studied polynomials of simple form

Quadratic functions Elementary Functions In the last lecture we studied polynomials of simple form

Quadratic functions Elementary Functions In the last lecture we studied polynomials of simple form f ( x ) = mx + b. Now we move on to a more interesting case, polynomials of degree 2, the Part 2, Polynomials quadratic polynomials. Lecture

488 views • 9 slides
Algebra II Quadratic Functions 2014-10-14 www.njctl.org Slide 3 / 222 Table of Contents click

Algebra II Quadratic Functions 2014-10-14 www.njctl.org Slide 3 / 222 Table of Contents click

Slide 1 / 222 Slide 2 / 222 Algebra II Quadratic Functions 2014-10-14 www.njctl.org Slide 3 / 222 Table of Contents click on the topic to go Key Terms to that section Explain Characteristics of Quadratic Functions Combining

1.62k views • 122 slides
4.1 Quadratic Functions and Parabolas 1 4.1 Continued 2 Use the graph of f ( x ) to estimate

4.1 Quadratic Functions and Parabolas 1 4.1 Continued 2 Use the graph of f ( x ) to estimate

4.1 Quadratic Functions and Parabolas 1 4.1 Continued 2 Use the graph of f ( x ) to estimate the following: a. For what x values is this curve increasing? Decreasing? Write your answer using inequalities. b. Vertex c. x -intercept(s) Back

358 views • 16 slides
Quadratic differential systems possessing invariant ellipses: a complete classification in the

Quadratic differential systems possessing invariant ellipses: a complete classification in the

Quadratic differential systems possessing invariant ellipses: a complete classification in the space R 12 Nicolae Vulpe Institute of Mathematics and Computer Science (Moldova) a work in common with R. D. S. Oliveira, A. C. Rezende Instituto de

970 views • 50 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
Learning a classification of Mixed-Integer Quadratic Programming problems 22 nd Combinatorial

Learning a classification of Mixed-Integer Quadratic Programming problems 22 nd Combinatorial

Learning a classification of Mixed-Integer Quadratic Programming problems 22 nd Combinatorial Optimization Workshop Aussois January 12, 2018 Pierre Bonami 1 , Andrea Lodi 2 , Giulia Zarpellon 2 1 CPLEX Optimization, IBM Spain 2 Polytechnique

206 views • 20 slides
Section 7.2 Quadratic Forms Motivation: Non-linear functions The following functions are not

Section 7.2 Quadratic Forms Motivation: Non-linear functions The following functions are not

Section 7.2 Quadratic Forms Motivation: Non-linear functions The following functions are not linear f ( x 1 , x 2 ) = x 2 1 + 2 x 2 x 3 g ( x 1 , x 2 ) = x 2 1 + x 2 2 but they have dot-product expressions: g ( x ) = x T x = x T Ix

342 views • 13 slides
Activities at NOAA/NESDIS in support of v5.0 trace gas retrievals Eric Maddy, Chris Barnet,

Activities at NOAA/NESDIS in support of v5.0 trace gas retrievals Eric Maddy, Chris Barnet,

Activities at NOAA/NESDIS in support of v5.0 trace gas retrievals Eric Maddy, Chris Barnet, Xingpin Liu, Xiaozhen Xiong, Murty Divakarla, Walter Wolf, Lihang Zhou, Mitch Goldberg Tackling the CO 2 problem Remove/Reduce CO 2 /T(p) interference

356 views • 17 slides
IBA Global Market Outlook May, 2017 Mike Yeomans, Head Analyst, Commercial Aircraft and Leasing,

IBA Global Market Outlook May, 2017 Mike Yeomans, Head Analyst, Commercial Aircraft and Leasing,

IBA Global Market Outlook May, 2017 Mike Yeomans, Head Analyst, Commercial Aircraft and Leasing, ISTAT Certified Aviation Appraiser IBA Group - UK www.iba.aero Introduction Market Outlook Narrowbody Outlook Retirements and

468 views • 27 slides
1 &amp; 2 Samuel Series Lesson #120 February 13, 2018 Dean Bible Ministries

1 &amp; 2 Samuel Series Lesson #120 February 13, 2018 Dean Bible Ministries

1 &amp; 2 Samuel Series Lesson #120 February 13, 2018 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. L ION OF J UDAH ; K INGSHIP BY R IGHTEOUSNESS 2 S AMUEL 4:112 Gen. 49:8, Judah, you are he whom your brothers

571 views • 30 slides
Pulsar Natal Kick due to Neutrino-Triggered Magnetorotational Asymmetry (Cherry-Stone

Pulsar Natal Kick due to Neutrino-Triggered Magnetorotational Asymmetry (Cherry-Stone

Pulsar Natal Kick due to Neutrino-Triggered Magnetorotational Asymmetry (Cherry-Stone Shooting Mechanism) Alexander Kuznetsov Yaroslavl State University, Division of Theoretical Physics November 24, 2011 The Conference Physics of

542 views • 26 slides
Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification

Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification

CS6501: Deep Learning for Visual Recognition Detection, Segmentation Overview Object Detection deer cat Object Detection as Classification deer? cat? CNN background? Object Detection as Classification deer? cat? CNN background?

577 views • 28 slides
COS429 FINAL PROJECT Object Detection on PASCAL VOC 2012 Yinda Zhang @ CS 105, Dec 18, 2015

COS429 FINAL PROJECT Object Detection on PASCAL VOC 2012 Yinda Zhang @ CS 105, Dec 18, 2015

COS429 FINAL PROJECT Object Detection on PASCAL VOC 2012 Yinda Zhang @ CS 105, Dec 18, 2015 WHAT TO DO Classification: Cat Detection: Cat + Bounding box CHALLENGING Appearance Viewpoint Occlusion Multiple objects MOST

460 views • 17 slides
O and V , to yield h We cannot report L V ( h ) as the measure of performance The set

O and V , to yield h We cannot report L V ( h ) as the measure of performance The set

Training, Validation, Testing Testing A machine learning system has been trained, using both T O and V , to yield h We cannot report L V ( h ) as the measure of performance The set V is tainted since we used it during training

216 views • 6 slides
CSE 110A: Winter 2020 Fundamentals of Compiler Design I Datatypes and Higher-order

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Datatypes and Higher-order

CSE 110A: Winter 2020 Fundamentals of Compiler Design I Datatypes and Higher-order functions Owen Arden UC Santa Cruz Based on course materials developed by Nadia Polikarpova Representing complex data Weve seen :

490 views • 29 slides

More recommend