linear and statistical independence of linear
play

Linear and Statistical Independence of Linear Approximations and - PowerPoint PPT Presentation

Feb 10, 2023 •171 likes •357 views

Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway, July 2017 Outline Introduction

  1. Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway, July 2017

  2. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 2/18

  3. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 3/18

  4. Independence ◮ Random variables Z 1 , . . . , Z k are statistically independent if Pr ( Z 1 = z 1 , . . . , Z k = z k ) = Pr ( Z 1 = z 1 ) · · · Pr ( Z k = z k ) for all z 1 , . . . , z k in the value spaces ◮ If random variables Z 1 , . . . , Z k are statistically independent then E ( Z 1 · · · Z k ) = E ( Z 1 ) · · · E ( Z k ) ◮ Binary random variables X 1 , . . . , X k are linearly independent if λ 1 X 1 + · · · + λ k X k � = 0 for every choice of λ 1 , . . . , λ k , not all zero, in F 2 . Clearly, linear dependence (of non-zero variables) implies statistical dependence. In general, the converse statement is not true. This talk: For a certain class of binary random variables linear independence guarantees statistical independence. BFA 2017 4/18

  5. Background ◮ Biryukov et al. 2004: Model for multiple linear cryptanalysis developed under the assumption that the linear approximations are statistically independent, and hence, they must be linearly independent ◮ Linear independence often seen as hurdle preventing from using the best approximations ◮ Hermelin et al. 2009 presented multidimensional linear cryptanalysis to overcome the assumption of statistical independence: linear approximations form a linear space. ◮ Disadvantage: also weak linear approximations included ◮ In practice, multiple linear approximations (derived from the cipher) have been found to follow the model even if they are not linearly independent and the independence assumption is often ignored. BFA 2017 5/18

  6. Motivation ◮ Distinguishing attack (the basis for key recovery in iterated block ciphers) uses a statistical model for the practical cipher, and the alternative object is modelled to follow random behavior ◮ Independence assumptions, if required by the model, should be satisfied, in partcular, for the random case ◮ It is too easy to distinguish from random something coming from the cipher that is not random even in the random world ◮ To satisfy statistical independence the linear approximations must be linearly independent. ◮ Is linear independence enough? No, not in general. ◮ Yes, in a linear space of pairwise independent variables. BFA 2017 6/18

  7. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 7/18

  8. Xiao-Massey Lemma Presented by Xiao and Massey 1988 in the context of correlation-immune functions. A short proof was presented by Brynielsson in 1989 (both in IEEE Trans of IT). Lemma (Xiao-Massey lemma) A binary random variable Y is independent of the set of k independent binary variables X 1 , . . . , X k if and only if Y is independent of the linear combination λ 1 X 1 + · · · + λ k X k for every choice of λ 1 , . . . , λ k , not all zero, in F 2 . BFA 2017 8/18

  9. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 9/18

  10. Main Result Theorem Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Then linearly independent random variables in X are also statistically independent. The converse holds for nonzero random variables in X . BFA 2017 10/18

  11. Outline of the Proof By induction. Main step: Lemma Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Assume that the binary random variables X 1 , . . . , X k in X are linearly and statistically independent. If given Y ∈ X the variables X 1 , . . . , X k , Y are linearly independent, then they are also statistically independent. Proof. Assume X 1 , . . . , X k , Y are statistically dependent ⇒ Y is dependent of X 1 , . . . , X k . Then Xiao-Massey lemma ⇒ there exist λ 1 , . . . , λ k not all zero in F 2 such that Y and λ 1 X 1 + · · · + λ k X k are statistically dependent. Both Y and the sum are in X ⇒ Y = λ 1 X 1 + · · · + λ k X k . BFA 2017 11/18

  12. Statistical Independence of Correlations Correlation of X cor ( X ) = Pr ( X = 0 ) − Pr ( X = 1 ) = 2 Pr ( X = 0 ) − 1 Proposition Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Let A be a set of elements in X such that E ( cor ( X )) = 0 and E ( cor ( X ) 2 ) � = 0 for all X ∈ A. If then the correlations of random variables in A are statistically independent, the variables are statistically independent and hence also linearly independent. That is, we cannot have independence of correlations unless the variables are linearly independent. Proof is based on the piling-up lemma. BFA 2017 12/18

  13. Summarizing Corollary Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Let A be a subset in X such that E ( cor ( X )) = 0 and E ( cor ( X ) 2 ) � = 0 for all X ∈ A. Then the following three conditions are equivalent. (i) The variables in A are statistically independent. (ii) The correlations of variables in A are statistically independent. (iii) The variables in A are linearly independent. BFA 2017 13/18

  14. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 14/18

  15. Applications X the linear space of linear approximations A subset in X used in an attack χ 2 distinguisher ◮ builds statistical models: one for random and one for cipher, and ◮ defines a χ 2 test statistic 1. by summing (non-trivial) empirical squared correlations over a linear subspace of linear approximations (multidimensional) 2. by summing independent empirical squared correlations of individual linear approximations 3. by combination of independent, type 1 and/or type 2, χ 2 statistics, e.g., from direct sums of linear spaces of linear approximations related to parallel S-boxes. BFA 2017 15/18

  16. Checking Validity of Assumptions Random Two different linear approximations of a random permutation are statistically independent E ( cor ( X )) = 0 and E ( cor ( X ) 2 ) = 2 − n � = 0 Long-key Cipher Iterated block ciphers with independent round keys are pairwise independent, and E ( cor ( X )) = 0 and E ( cor ( X ) 2 ) = ELP � = 0 Other Ciphers Assumptions to be checked and tested on reduced versions BFA 2017 16/18

  17. Outline Introduction Xiao-Massey Lemma Main Result Applications Conclusions BFA 2017 17/18

  18. Conclusions ◮ Natural necessary and sufficient conditions under which correlations of linear approximations are statistically independent ◮ For example, correlations of linear approximations of a random cipher are statistically independent if and only if the linear approximations are linearly independent ◮ Our observations are particularly useful for getting the model for the random cipher correct. BFA 2017 18/18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 6 Linear Independence Chapter 6 Linear Dependence/Independence A set of vectors { v 1 ,

Chapter 6 Linear Independence Chapter 6 Linear Dependence/Independence A set of vectors { v 1 ,

Chapter 6 Linear Independence Chapter 6 Linear Dependence/Independence A set of vectors { v 1 , v 2 , . . . , v p } is linearly dependent if we can express the zero vector, 0 , as a non-trivial linear combination of the vectors. 1 v 1 + 2

687 views • 23 slides
A Quick Review of Linear Algebra (linear combination, linear independence, span, basis) +

A Quick Review of Linear Algebra (linear combination, linear independence, span, basis) +

A Quick Review of Linear Algebra (linear combination, linear independence, span, basis) + Partial Fractions for Differential Equations By Dr. Isabel Darcy, Dept of Mathematics and AMCS, University of Iowa

142 views • 13 slides
Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let {

Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let {

L INEAR A LGEBRA Berkant Ustao glu CRYPTOLOUNGE . NET Linear dependence and independence Linear dependence 1 Definition (linear (in)dependence) Let { v 1 , v 2 , . . . , v k } be a set of vectors. If v k = a 1 v 1 + a 2

382 views • 25 slides
Math 313 - Linear Algebra 1.7 - 1.10 September 9 - 16, 2016 There is no royal road to

Math 313 - Linear Algebra 1.7 - 1.10 September 9 - 16, 2016 There is no royal road to

Math 313 - Linear Algebra 1.7 - 1.10 September 9 - 16, 2016 There is no royal road to geometry. - Euclid to Ptolemy 1.7 Linear Independence Definition (Linear Independence) An indexed set of vectors { v 1 , . . . , v p } in R n is said to

393 views • 26 slides
Vector Spaces Linear Independence, Bases and Dimension Marco Chiarandini Department of

Vector Spaces Linear Independence, Bases and Dimension Marco Chiarandini Department of

DM559 Linear and Integer Programming Lecture 7 Vector Spaces Linear Independence, Bases and Dimension Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Vector Spaces and Subspaces Linear

726 views • 49 slides
Math 221: LINEAR ALGEBRA Chapter 6. Vector Spaces 6-3. Vector Spaces - Linear Independence Le

Math 221: LINEAR ALGEBRA Chapter 6. Vector Spaces 6-3. Vector Spaces - Linear Independence Le

Math 221: LINEAR ALGEBRA Chapter 6. Vector Spaces 6-3. Vector Spaces - Linear Independence Le Chen 1 Emory University, 2020 Fall (last updated on 10/09/2020) Creative Commons License (CC BY-NC-SA) 1 Slides are adapted from those by Karen

666 views • 50 slides
Functional Linear Models 1 66 / 181 Functional Linear Models Statistical Models So far we have

Functional Linear Models 1 66 / 181 Functional Linear Models Statistical Models So far we have

Functional Linear Models Functional Linear Models 1 66 / 181 Functional Linear Models Statistical Models So far we have focussed on exploratory data analysis Smoothing Functional covariance Functional PCA Now we wish to examine predictive

1.04k views • 43 slides
Outline Statistical inference for linear mixed models general form of linear mixed models

Outline Statistical inference for linear mixed models general form of linear mixed models

Outline Statistical inference for linear mixed models general form of linear mixed models Rasmus Waagepetersen examples of analyses using linear mixed models Department of Mathematics prediction of random effects Aalborg University

284 views • 10 slides
Linear independence of zeros of Dirichlet L -functions Greg Martin University of British Columbia

Linear independence of zeros of Dirichlet L -functions Greg Martin University of British Columbia

Linear independence conjectures Vertical arithmetic progressions Other work in progress Linear independence of zeros of Dirichlet L -functions Greg Martin University of British Columbia joint work with Nathan Ng University of Lethbridge 3rd

923 views • 81 slides
Linear Programming Linear Programming In a linear programming problem, there is a set of

Linear Programming Linear Programming In a linear programming problem, there is a set of

Linear Programming Linear Programming In a linear programming problem, there is a set of variables, and we want to assign real values to CISC5835, Algorithms for Big Data them so as to satisfy a set of linear equations and/or linear

414 views • 6 slides
Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT

Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT

Linear probing with constant independence Anna Pagh, Rasmus Pagh, and Milan Ru i IT University of Copenhagen STOC 2007 Hashing with linear probing Hashing with linear probing Hashing with linear probing Hashing with linear probing

827 views • 48 slides
Theory of Linear Ordinary Differential Equations Bernd Schr oder logo1 Bernd Schr oder

Theory of Linear Ordinary Differential Equations Bernd Schr oder logo1 Bernd Schr oder

Existence and Uniqueness Linear Independence Matrices and Determinants Linear Independence Revisited Solution Theorem Theory of Linear Ordinary Differential Equations Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University,

1.55k views • 136 slides
Linear regression DS GA 1002 Statistical and Mathematical Models

Linear regression DS GA 1002 Statistical and Mathematical Models

Linear regression DS GA 1002 Statistical and Mathematical Models http://www.cims.nyu.edu/~cfgranda/pages/DSGA1002_fall15 Carlos Fernandez-Granda Linear models Least-squares estimation Overfitting Example: Global warming Regression The aim is

447 views • 34 slides
Fitting Linear Statistical Models to Data by Least Squares III: Multivariate Brian R. Hunt and C.

Fitting Linear Statistical Models to Data by Least Squares III: Multivariate Brian R. Hunt and C.

Fitting Linear Statistical Models to Data by Least Squares III: Multivariate Brian R. Hunt and C. David Levermore University of Maryland, College Park Math 420: Mathematical Modeling January 25, 2012 version Outline 1) Introduction to Linear

551 views • 13 slides
Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear

Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear

Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear functions. The word linear means straight or flat . y = 0 + 1 x Linear functions involve only addition and scalar multiplication. Chapter 1 Higher

1.2k views • 56 slides
Introduction to the R Statistical Computing Environment Linear and Generalized Linear Models in R

Introduction to the R Statistical Computing Environment Linear and Generalized Linear Models in R

Introduction to the R Statistical Computing Environment Linear and Generalized Linear Models in R John Fox McMaster University ICPSR 2013 John Fox (McMaster University) Linear and Generalized Linear Models in R ICPSR 2013 1 / 12 Linear and

329 views • 6 slides
1 A statistical definition of probability: frequentist 2 concepts: 1. Sam ple space , S , is the

1 A statistical definition of probability: frequentist 2 concepts: 1. Sam ple space , S , is the

Probability and Likelihood, a brief introduction in support of a course on m olecular evolution ( BI OL 3 0 4 6 ) Probability The subject of probability is a branch of mathematics dedicated to building models to describe conditions of

244 views • 12 slides
Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of

Basic concepts Independent events Random variables Descriptive measurements Statistics and Data Analysis Introduction to Probability (1) Ling-Chieh Kung Department of Information Management National Taiwan University Introduction to

287 views • 27 slides
Randomized Algorithms Lecture 5: Two-point Sampling Sotiris Nikoletseas Professor CEID -

Randomized Algorithms Lecture 5: Two-point Sampling Sotiris Nikoletseas Professor CEID -

Randomized Algorithms Lecture 5: Two-point Sampling Sotiris Nikoletseas Professor CEID - ETY Course 2017 - 2018 Sotiris Nikoletseas, Professor Randomized Algorithms - Lecture 5 1 / 26 Overview A. Pairwise independence of random

303 views • 26 slides
Basic probability Mendels lows 24.10.2005 GE02: day 1 part 1 Yurii Aulchenko Erasmus MC

Basic probability Mendels lows 24.10.2005 GE02: day 1 part 1 Yurii Aulchenko Erasmus MC

Basic probability Mendels lows 24.10.2005 GE02: day 1 part 1 Yurii Aulchenko Erasmus MC Rotterdam Experiment Any planned process of data collection Tossing a coin Measuring height is people Genotyping people Sampling

569 views • 27 slides
Lecture 1 Matthieu Bloch 1 Notation and basic definitions integers are denoted by R and N ,

Lecture 1 Matthieu Bloch 1 Notation and basic definitions integers are denoted by R and N ,

1 arises with random vectors. Tie notion of Markov kernel is mainly used to simplify notation and does not bear any profound (1) use the notion of Markov kernel as defined below. convenient to define a conditional distribution without specific

771 views • 11 slides
Sta$s$cs & Experimental Design with R Barbara Kitchenham

Sta$s$cs & Experimental Design with R Barbara Kitchenham

Sta$s$cs & Experimental Design with R Barbara Kitchenham Keele University 1 Basic Sta$s$cal Theory Part 2 2 Probability Distribu$ons Frequency

645 views • 20 slides
Pisa mai 2006 Nonstandard Averaging and Signal Processing E.Benot Universit de La Rochelle

Pisa mai 2006 Nonstandard Averaging and Signal Processing E.Benot Universit de La Rochelle

Pisa mai 2006 Nonstandard Averaging and Signal Processing E.Benot Universit de La Rochelle IST framework. Notations : I R for the (hyper)reals R for the standard reals (external set) I for the limited real numbers Point of view for

161 views • 12 slides
Polynomial completeness properties Erhard Aichinger Department of Algebra Johannes Kepler

Polynomial completeness properties Erhard Aichinger Department of Algebra Johannes Kepler

Polynomial completeness properties Erhard Aichinger Department of Algebra Johannes Kepler University Linz, Austria June 2012, AAA84 Polynomials Definition A = A , F an algebra, n N . Pol k ( A ) is the subalgebra of A A k = { f

604 views • 59 slides

More recommend