linear approximations of addition modulo 2 n 1
play

Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, - PowerPoint PPT Presentation

Aug 18, 2022 •362 likes •620 views

Motivation Preliminaries Addition Modulo 2 n 1 The Limit of cor ( 1 ; 1 k ) Conclusion Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu State Key Laboratory of Information Security, Institute of

  1. Motivation Preliminaries Addition Modulo 2 n − 1 The Limit of cor ( 1 ; 1 k ) Conclusion Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, China FSE 2011 Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  2. Motivation Preliminaries Addition Modulo 2 n − 1 The Limit of cor ( 1 ; 1 k ) Conclusion Outline Motivation 1 Preliminaries 2 Linear Approximation and Its Correlation Linear Approximations of Addition Modulo 2 n Addition Modulo 2 n − 1 3 Addition Modulo 2 n − 1 with Two Inputs Addition Modulo 2 n − 1 with More Inputs The Limit of cor ( 1 ; 1 k ) 4 Conclusion 5 Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  3. Motivation Preliminaries Addition Modulo 2 n − 1 The Limit of cor ( 1 ; 1 k ) Conclusion The Basic Problem That We Studied Given an integer n ≥ 2, consider the operation y = x 1 + x 2 + · · · + x k mod 2 n − 1 where 1 ≤ y , x i ≤ 2 n − 1, 1 ≤ i ≤ k . Question: How can we approximate this function linearly and measure the linear approximation? Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  4. Motivation Preliminaries Addition Modulo 2 n − 1 The Limit of cor ( 1 ; 1 k ) Conclusion Why we study the problem? In ZUC - LFSR is defined on prime field GF ( 2 31 − 1 ) - the feedback logic of the LFSR consist of ”+” and ” × ” on prime filed GF ( 2 31 − 1 ) - the LFSR registers are range from 1 to 2 31 -1 In linear analysis, we should approximate the nonlinear part of the cipher by linear function. Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  5. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion Some basic definitions n : a positive integer. Z 2 n : { x | 0 ≤ x ≤ 2 n − 1 } . Given an integer x ∈ Z 2 n , let n − 1 � x = x ( n − 1 ) x ( n − 2 ) · · · x ( 0 ) = x ( i ) 2 i i = 0 be the binary representation of x , where x ( i ) ∈ { 0 , 1 } . For arbitrary two integers w , x ∈ Z 2 n , the inner product of w and x is defined as below n − 1 � w ( i ) x ( i ) . w · x = i = 0 Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  6. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion The linear approximation Definition 1 Let J be a nonempty subset of Z 2 n , k be a positive integer and f be a function from J k to J. Given k + 1 constants u , w 1 , · · · , w k ∈ Z 2 n , the linear approximation of the function f associated with u , w 1 , · · · , w k is an approximate relation of the form k � u · f ( x 1 , · · · , x k ) = w i · x i , i = 1 and the ( k + 1 ) -tuple ( u , w 1 , · · · , w k ) is called a linear mask of f. Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  7. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion The correlation Definition 2 The efficiency of the linear approximation is measured by its correlation, which is defined as below k � cor f ( u ; w 1 , · · · , w k ) = 2 Pr ( u · f ( x 1 , · · · , x k ) = w i · x i ) − 1 , i = 1 where the probability is taken over uniformly distributed x 1 , · · · , x k over J. Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  8. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion Addition Modulo 2 n Denote by ⊞ the addition modulo 2 n , that is, mod 2 n . u = x 1 ⊞ x 2 = ( x 1 + x 2 ) Given the linear mask ( u , w 1 , w 2 ) of the addition ⊞ , we can derive a sequence z = z n − 1 · · · z 0 as follows z i = u ( i ) 2 2 + w ( i ) 1 2 + w ( i ) 2 , i = 0 , 1 , · · · , n − 1 . Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  9. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion Transition matrix Define n − 1 � M n ( u , w 1 , w 2 ) = A z i , i = 0 where A j ( j = 0 , 1 , · · · , 7) are constant matrices of size 2 × 2 and defined as follows � 3 � � � A 0 = 1 , A 1 = A 2 = − A 4 = 1 1 1 1 , 1 3 − 1 − 1 4 4 � 3 � � � − A 3 = A 5 = A 6 = 1 , A 7 = 1 1 − 1 − 1 . − 1 − 3 4 1 4 1 Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  10. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion For any given linear mask ( u , w 1 , w 2 ) , let M n ( u , w 1 , w 2 ) be defined as above. Set M n ( u , w 1 , w 2 ) = ( M i , j ) 0 ≤ i , j ≤ 1 . Then we have M i , j = Pr ( u · ( x 1 ⊞ x 2 ) = w 1 · x 1 ⊕ w 2 · x 2 ∧ c n = i ∧ c 0 = j ) − Pr ( u · ( x 1 ⊞ x 2 ) � = w 1 · x 1 ⊕ w 2 · x 2 ∧ c n = i ∧ c 0 = j ) , where c 0 is an initial carry bit, and c n is the n -th carry bit of the addition x 1 and x 2 with the initial carry bit c 0 . By convention c 0 = 0, we have cor ⊞ ( u ; w 1 , w 2 ) = M 0 , 0 + M 1 , 0 . Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  11. Motivation Preliminaries Linear Approximation and Its Correlation Addition Modulo 2 n − 1 Linear Approximations of Addition Modulo 2 n The Limit of cor ( 1 ; 1 k ) Conclusion Summarized as: ( u , w 1 , w 2 ) → z → M n ( u , w 1 , w 2 ) → cor ⊞ ( u ; w 1 , w 2 ) Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  12. Motivation Preliminaries Addition Modulo 2 n − 1 with Two Inputs Addition Modulo 2 n − 1 Addition Modulo 2 n − 1 with More Inputs The Limit of cor ( 1 ; 1 k ) Conclusion The difference between addition modulo 2 n and 2 n − 1 There are several differences between addition modulo 2 n and 2 n − 1: the range of inputs and output [ 0 , 2 n − 1 ] vs. [ 1 , 2 n − 1 ] the probability of the input bits equal to 1 2 vs. 2 n − 1 1 2 n − 1 the probability of the input bits equal to 0 2 vs. 2 n − 1 − 1 1 2 n − 1 the carry of the most important position be discarded vs. be added to the least important position of the result Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  13. Motivation Preliminaries Addition Modulo 2 n − 1 with Two Inputs Addition Modulo 2 n − 1 Addition Modulo 2 n − 1 with More Inputs The Limit of cor ( 1 ; 1 k ) Conclusion Denote x 1 + x 2 mod 2 n − 1 by x 1 ˆ ⊞ x 2 . � x 1 + x 2 mod 2 n if 0 < x 1 + x 2 < 2 n x 1 ˆ ⊞ x 2 = mod 2 n if x 1 + x 2 ≥ 2 n x 1 + x 2 + 1 It is difficult to calculate the correlation directly, we consider counting the pairs of ( x 1 , x 2 ) which satisfy the linear approximation: ( u , w 1 , w 2 ) → z → M n ( u , w 1 , w 2 ) � M 0 , 0 → ♯ { ( x 1 , x 2 ) | satisfy the LA , 0 ≤ x 1 + x 2 < 2 n } → M 1 , 1 → ♯ { ( x 1 , x 2 ) | satisfy the LA , x 1 + x 2 + 1 ≥ 2 n } � M 0 , 0 → ♯ { ( x 1 , x 2 ) | satisfy the LA , 0 < x 1 + x 2 < 2 n } → M 1 , 1 → ♯ { ( x 1 , x 2 ) | satisfy the LA , x 1 + x 2 ≥ 2 n } → ⊞ ( u ; w 1 , w 2 ) cor ˆ Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  14. Motivation Preliminaries Addition Modulo 2 n − 1 with Two Inputs Addition Modulo 2 n − 1 Addition Modulo 2 n − 1 with More Inputs The Limit of cor ( 1 ; 1 k ) Conclusion The formula for the correlation Due to the similarity and the slight difference between these two operations, we can drive an exact formula for cor ( u ; w 1 , w 2 ) : cor ( u ; w 1 , w 2 ) = 2 2 n ( M 0 , 0 + M 1 , 1 ) + 2 n · c + 1 , ( 2 n − 1 ) 2 where  − 3 , if u = w 1 = w 2 and w H ( w 2 ) is even ,    1 , if u � = w 1 = w 2 and w H ( w 2 ) is odd , c = 0 , if u , w 1 and w 2 are pairwise different ,    − 1 , otherwise , and w H ( w 2 ) denotes the hamming weight of w 2 in the binary representation. Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

  15. Motivation Preliminaries Addition Modulo 2 n − 1 with Two Inputs Addition Modulo 2 n − 1 Addition Modulo 2 n − 1 with More Inputs The Limit of cor ( 1 ; 1 k ) Conclusion The formula for the correlation The correlation of linear approximation of addition modulo 2 n − 1 with more inputs can be computed recursively: cor ( u ; w 1 , · · · , w k ) � 2 n − 1 = 2 n − 1 w = 0 cor ( w ; w 1 , · · · , w k − 1 ) cor ( u ; w , w k ) . 2 n Linear Approximations of Addition Modulo 2 n -1 Chunfang Zhou, Xiutao Feng and Chuankun Wu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

SBU - Tehran ENSL - Lyon Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of Residues Seyed Hamed Fatemi Langroudi &amp; Ghassem Jaberipur Computer Science &amp; Engineering Department Shahid

1.35k views • 113 slides
On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint

On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint

On nonlinear approximations and the linear hull effect Anne Canteaut Inria, Paris, France joint work with Christof Beierle and Gregor Leander ASK 2018, Kolkota Linear approximations 1 Linear approximations Pr[ x + F ( x ) = 0]

828 views • 27 slides
Modulo-( 2 + 3 ) Parallel Prefix Addition via Diminished-3 Representation of Residues

Modulo-( 2 + 3 ) Parallel Prefix Addition via Diminished-3 Representation of Residues

Modulo-( 2 + 3 ) Parallel Prefix Addition via Diminished-3 Representation of Residues Authors: Ghassem Jaberipur, Sahar Moradi Cherati Arith 26 Kindly presented by: Paulo Srgio Alves Martins Contents 2/22 3/22 I NTRODUCTION Popular

512 views • 22 slides
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg

Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg

Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway, July 2017 Outline Introduction

357 views • 18 slides
Satisfiability Modulo Linear Arithmetic Combinatorial Problem Solving (CPS) Albert Oliveras

Satisfiability Modulo Linear Arithmetic Combinatorial Problem Solving (CPS) Albert Oliveras

Satisfiability Modulo Linear Arithmetic Combinatorial Problem Solving (CPS) Albert Oliveras Enric Rodr guez-Carbonell May 31, 2019 Linear Arithmetic Theories In linear arithmetic theories, atoms are of the form: a 1 x 1 + . . . + a

571 views • 41 slides
Linear Approximations Suppose we want to approximate the value of a function f for some value of x

Linear Approximations Suppose we want to approximate the value of a function f for some value of x

Linear Approximations Suppose we want to approximate the value of a function f for some value of x , say x 1 , close to a number x 0 at which we know the value of f . By its nature, the tangent to a curve hugs the curve fairly closely near the point

478 views • 3 slides
New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas

New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas

Introduction Data-Dependent Error Analysis Applications and Comparisons of Bounds Summary New Error Bounds for Approximations from Projected Linear Equations H. Yu . Bertsekas D. P Department of Computer Science University of

519 views • 18 slides
Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J.

Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J.

Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Example: size-4 poly Karatsuba. Start with size 2: F = F 0 + F 1 x , G = G 0 + G 1 x , H 0 =

1.18k views • 68 slides
Superposition Modulo Linear Arithmetic Sup(LA) Ernst Althaus, Evgeny Kruglov, Christoph

Superposition Modulo Linear Arithmetic Sup(LA) Ernst Althaus, Evgeny Kruglov, Christoph

Superposition Modulo Linear Arithmetic Sup(LA) Ernst Althaus, Evgeny Kruglov, Christoph Weidenbach Max Planck Institute for Computer Science Saarbrcken 1 Overview Motivation Building arithmetic into Automated Theorem Proving

385 views • 9 slides
Efficient Interpolant Generation in Satisfiability Modulo Linear Integer Arithmetic Alberto

Efficient Interpolant Generation in Satisfiability Modulo Linear Integer Arithmetic Alberto

Deduction at Scale Seminar 2011 Efficient Interpolant Generation in Satisfiability Modulo Linear Integer Arithmetic Alberto Griggio FBK-IRST, Trento joint work with Thi Thieu Hoa Le and Roberto Sebastiani, DISI - Univ. Trento Introduction

767 views • 39 slides
Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy

Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy

Nonlinear approximations, multi-linear tools and algorithms with finite but arbitrary accuracy Gregory Beylkin Future Directions in Tensor-Based Computation and Modeling NSF February 20, 2009 Some observations Success of Matlab or LAPACK

634 views • 36 slides
SAT modulo the theory of linear arithmetic: Exact, inexact and commercial solvers Germain Faure,

SAT modulo the theory of linear arithmetic: Exact, inexact and commercial solvers Germain Faure,

SAT modulo the theory of linear arithmetic: Exact, inexact and commercial solvers Germain Faure, Robert Nieuwenhuis, Albert Oliveras and Enric Rodr guez-Carbonell 11th International Conference, SAT 2008 Guangzhou, China May 14th, 2008

861 views • 46 slides
Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen

Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen

Greedy Sparse Linear Approximations of Functionals from Nodal Data R. Schaback Gttingen Academy of Sciences and Humanities GeorgAugustUniversitt Gttingen Institut fr Numerische und Angewandte Mathematik

506 views • 36 slides
Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials

Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials

Todays Agenda Upcoming Homework Section 2.8: Linear Approximations and Differentials Lindsey K. Gamard, ASU SoMSS MAT 265: Calculus for Engineers I Friday, 2 October 2015 1 / 8 Upcoming Homework WeBWorK HW #11 (Section 2.8), due

315 views • 8 slides
Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear

Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear

Chapter 1 What is Linear Algebra? Chapter 1 What is Linear Algebra? The study of linear functions. The word linear means straight or flat . y = 0 + 1 x Linear functions involve only addition and scalar multiplication. Chapter 1 Higher

1.2k views • 56 slides
Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 Thomas Johansson 1 Alexander

Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 Thomas Johansson 1 Alexander

Vectorized linear approximations for attacks on SNOW 3G Jing Yang 1 Thomas Johansson 1 Alexander Maximov 2 1 Dept. of Electrical and Information Technology, Lund University 2 Ericsson Research, Lund, Sweden FSE 2020 November, 2020 Outline 1

1.09k views • 94 slides
Applying Learning Algorithms to Preference Elicitation in the Generalized Vickrey Auction ebastien

Applying Learning Algorithms to Preference Elicitation in the Generalized Vickrey Auction ebastien

Applying Learning Algorithms to Preference Elicitation in the Generalized Vickrey Auction ebastien M. Lahaie David C. Parkes S August 16, 2004 Abstract We consider the parallels between the preference elicitation problem in

308 views • 19 slides
Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 22: Speaker

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 22: Speaker

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 22: Speaker Adaptation &amp; Pronunciation modelling Instructor: Preethi Jyothi Apr 10, 2017 Speaker variations Major cause of variability in speech is the di

466 views • 22 slides
Bayesian Estimation of InputOutput Tables for Russia Oleg Lugovoy (EDF, RANE) Andrey Polbin

Bayesian Estimation of InputOutput Tables for Russia Oleg Lugovoy (EDF, RANE) Andrey Polbin

Bayesian Estimation of InputOutput Tables for Russia Oleg Lugovoy (EDF, RANE) Andrey Polbin (RANE) Vladimir Potashnikov (RANE) WIOD Conference April 24, 2012 Groningen Outline Motivation Objectives Bayesian methods: a short

638 views • 37 slides
17. Review Linear approximation: f f x x + f y y. Tangent plane: to z = f ( x, y )

17. Review Linear approximation: f f x x + f y y. Tangent plane: to z = f ( x, y )

17. Review Linear approximation: f f x x + f y y. Tangent plane: to z = f ( x, y ) at ( x 0 , y 0 , z 0 ) z z 0 = f x ( x x 0 ) + f y ( y y 0 ) . Let w = f ( x, y, z ). Chain rule: d w = f x d x + f y d y + f z d z. So

454 views • 4 slides
Todays Outline Reinforcement Learning II Dan Weld Review Reinforcement Learning Review

Todays Outline Reinforcement Learning II Dan Weld Review Reinforcement Learning Review

10/26/2012 CSE 573: Artificial Intelligence Todays Outline Reinforcement Learning II Dan Weld Review Reinforcement Learning Review MDPs New MDP Algorithm: Q-value iteration Review Q-learning Large MDPs Linear function

415 views • 8 slides
Function Approximation for (on policy) Prediction and Control Lecture 8, CMU 10-403 Katerina

Function Approximation for (on policy) Prediction and Control Lecture 8, CMU 10-403 Katerina

Carnegie Mellon School of Computer Science Deep Reinforcement Learning and Control Function Approximation for (on policy) Prediction and Control Lecture 8, CMU 10-403 Katerina Fragkiadaki Used Materials Disclaimer : Much of the material

642 views • 41 slides
Math 211 Math 211 Lecture #1 Introduction August 26, 2002 2 Welcome to Math 211 Welcome to

Math 211 Math 211 Lecture #1 Introduction August 26, 2002 2 Welcome to Math 211 Welcome to

1 Math 211 Math 211 Lecture #1 Introduction August 26, 2002 2 Welcome to Math 211 Welcome to Math 211 Math 211 Section 1 John C. Polking Herman Brown 402 713-348-4841 polking@rice.edu Office Hours: 2:30 3:30 TWTh and by

492 views • 4 slides
Class 4: On Policy Prediction With Approximation Chapter 9 Sutton slides/silver slides 295,

Class 4: On Policy Prediction With Approximation Chapter 9 Sutton slides/silver slides 295,

Class 4: On Policy Prediction With Approximation Chapter 9 Sutton slides/silver slides 295, class 4 1 Forms of approximations functions: A linear approximation, a neural network, a decision tree 295, class 4 2 The

423 views • 17 slides

More recommend