on the distribution of linear biases three instructive
play

On The Distribution of Linear Biases: Three Instructive Examples - PowerPoint PPT Presentation

Aug 08, 2023 •166 likes •584 views

On The Distribution of Linear Biases: Three Instructive Examples Mohamed Ahmed Abdelraheem 1 , Martin Agren 2 , Peter Beelen 1 , and Gregor Leander 1 1 Technical University of Denmark 2 Lund University, Sweden 120820 / Santa Barbara Outline 1

  1. On The Distribution of Linear Biases: Three Instructive Examples Mohamed Ahmed Abdelraheem 1 , Martin ˚ Agren 2 , Peter Beelen 1 , and Gregor Leander 1 1 Technical University of Denmark 2 Lund University, Sweden 120820 / Santa Barbara

  2. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  3. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  4. Setting We are analyzing/constructing/breaking block ciphers. . . Fix the (unknown) key and consider the permutation F : F n 2 → F n 2 . M. ˚ Agren, Lund University, Sweden

  5. Linear Approximation Given F : F n 2 → F n 2 , a linear approximation is an equation like � α , x � = � β , F ( x ) � . (Input mask α , output mask β .) M. ˚ Agren, Lund University, Sweden

  6. Linear Approximation Given F : F n 2 → F n 2 , a linear approximation is an equation like � α , x � = � β , F ( x ) � . (Input mask α , output mask β .) The bias ǫ F ( α , β ): Pr [ � α , x � = � β , F ( x ) � ] = 1 2 + ǫ F ( α , β ) The correlation c F ( α , β ): c F ( α , β ) = 2 ǫ F ( α , β ) M. ˚ Agren, Lund University, Sweden

  7. Linear Approximation of a Composite Function x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . M. ˚ Agren, Lund University, Sweden

  8. Linear Approximation of a Composite Function x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . The correlation of a trail is � C θ = c F i ( θ i , θ i +1 ) . i Theorem � c F ( α , β ) = C θ . θ : θ 0 = α , θ r = β M. ˚ Agren, Lund University, Sweden

  9. Linear Approximation of a Composite Function k 0 k 1 k r x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . The correlation of a trail is C θ = ( − 1) � θ , k � � c F i ( θ i , θ i +1 ) . i Theorem (Linear Hull) � ( − 1) � θ , k � C θ . c F ( α , β ) = θ : θ 0 = α , θ r = β M. ˚ Agren, Lund University, Sweden

  10. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  11. The Problem We can: bound the correlation of single linear trails. We cannot: bound the correlation of a linear approximation. Because: Many linear trails interact in a key dependent way. Each key gives a different correlation. We need to understand the distribution. M. ˚ Agren, Lund University, Sweden

  12. Some Approaches I: Deal with single trails. M. ˚ Agren, Lund University, Sweden

  13. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) M. ˚ Agren, Lund University, Sweden

  14. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) III: Perform experiments to validate the model/assumptions. M. ˚ Agren, Lund University, Sweden

  15. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) III: Perform experiments to validate the model/assumptions. Todo: Develop a sound framework. Why has it not been done before? ◮ it’s difficult ◮ we didn’t try very hard M. ˚ Agren, Lund University, Sweden

  16. Our Contribution Three interesting examples of what can happen. ◮ Counterexample to earlier “theorem”. ◮ Give an idea what you can/cannot hope to prove. ◮ Serve as inspiration for future work. M. ˚ Agren, Lund University, Sweden

  17. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  18. Normal Distribution? Consider an n -bit block cipher and assume ◮ independent round keys, ◮ (exponentially in n ) many non-zero trails, ◮ all with the same absolute correlation. If we pick a key, what bias do we get? Theorem (Daemen and Rijmen, ePrint 2005/212) The bias distribution tends to a normal distribution as n → ∞ . M. ˚ Agren, Lund University, Sweden

  19. Normal Distribution? Number of keys Theorem (Linear Hull) � ( − 1) � θ , k � C θ . c F ( α , β ) = θ Bias M. ˚ Agren, Lund University, Sweden

  20. The Cube Cipher k 0 k 1 k 2 F ( x ) x x 3 x 3 ◮ independent round keys, � ◮ (exponentially in n ) many non-zero trails, � ◮ all with the same absolute correlation, � ◮ toy cipher. M. ˚ Agren, Lund University, Sweden

  21. Normal Distribution? Number of keys Bias Cube cipher vs. the normal distribution. Only 5 values — for any n ! M. ˚ Agren, Lund University, Sweden

  22. The Role of Key-Scheduling Common analysis: Assume independent round keys and hope that the key-scheduling does not influence the distribution. Two counter-examples: ◮ PRESENT with identical round-keys ◮ PRINTcipher M. ˚ Agren, Lund University, Sweden

  23. PRESENT k i S S S S S S S S S S S S S S S S k i +1 S S S S S S S S S S S S S S S S ◮ many linear trails with one active Sbox per round ◮ distribution is close to normal M. ˚ Agren, Lund University, Sweden

  24. PRESENT Number of keys Bias Distribution for 17 rounds of PRESENT . M. ˚ Agren, Lund University, Sweden

  25. PRESENT with Identical Round-Keys k ⊕ RC i S S S S S S S S S S S S S S S S k ⊕ RC i +1 S S S S S S S S S S S S S S S S Modification: ◮ identical round-keys ◮ round constants M. ˚ Agren, Lund University, Sweden

  26. PRESENT With Identical Round-Keys Number of keys Bias Identical vs. original round-keys. M. ˚ Agren, Lund University, Sweden

  27. PRESENT -Conclusions ◮ PRESENT -const is not secure. ◮ SPONGENT does not have the PRESENT Sbox. ◮ More rounds help. M. ˚ Agren, Lund University, Sweden

  28. PRINTcipher , Invariant Subspaces, and Eigenvectors ⊕ k ⊕ RC i π 15 π 14 π 13 π 12 π 11 π 10 π 9 π 8 π 7 π 6 π 5 π 4 π 3 π 2 π 1 π 0 S S S S S S S S S S S S S S S S Last year at CRYPTO: invariant subspaces: Let U ⊆ F n 2 be a subspace and d ∈ F n 2 . Assume a weak key. F k ( U + d ) = U + d . M. ˚ Agren, Lund University, Sweden

  29. PRINTcipher , Invariant Subspaces, and Eigenvectors ⊕ k ⊕ RC i π 15 π 14 π 13 π 12 π 11 π 10 π 9 π 8 π 7 π 6 π 5 π 4 π 3 π 2 π 1 π 0 S S S S S S S S S S S S S S S S Last year at CRYPTO: invariant subspaces: Let U ⊆ F n 2 be a subspace and d ∈ F n 2 . Assume a weak key. F k ( U + d ) = U + d . ⇓ F ( U + d ) = U + d . M. ˚ Agren, Lund University, Sweden

  30. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Bias M. ˚ Agren, Lund University, Sweden

  31. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Bias M. ˚ Agren, Lund University, Sweden

  32. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Number of keys Bias Precisely those keys that yield an invariant subspace! Bias 2 − 9 . 0 M. ˚ Agren, Lund University, Sweden

  33. Correlation Matrices; an Eigenvector Correlation matrix C = ( c F ( α, β )) α,β . Theorem Invariant subspace ⇒ A sub-matrix (A) of the correlation matrix has an eigenvector with a special ± -structure and eigenvalue 1 . The matrix has a nonzero limit. We have trail-clustering! M. ˚ Agren, Lund University, Sweden

  34. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . . M. ˚ Agren, Lund University, Sweden

  35. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . , so  +1 +1 − 1 − 1 +1 +1 − 1  . . . +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .   A r → const 2 · .   +1 +1 − 1 − 1 +1 +1 − 1 . . .     +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .    . . . . . . .  ... . . . . . . . . . . . . . . M. ˚ Agren, Lund University, Sweden

  36. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . , so  +1 +1 − 1 − 1 +1 +1 − 1  . . . +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . . 1   A r → 2 16 − 1 · .   +1 +1 − 1 − 1 +1 +1 − 1 . . .     +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .    . . . . . . .  ... . . . . . . . . . . . . . . Indeed, experimentally, c F ( α, β ) ≈ ± 2 − 16 ( PRINTcipher -48). M. ˚ Agren, Lund University, Sweden

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1 Blockwise Stream Ciphers 2 Presentation of AEGIS 3 Linear Biases in AEGIS 1/22 Blockwise Stream Ciphers 2/22 Authenticated Encryption Schemes C

1.07k views • 39 slides
Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan

Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan

Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan Soundararajan Stanford University Chebyshevs Bias Let ( x ; q , a ) := # { p < x : p a (mod q ) } . Chebyshevs Bias Let ( x ; q , a )

1.31k views • 93 slides
Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you

Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you

Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you overconfident? (Note that this can also affect proper volatility estimates in real options.) 90% Confidence Interval Give a 90% confidence interval

517 views • 13 slides
Outline Probability Calculations Using the Normal Distribution (5.1) Linear Combinations

Outline Probability Calculations Using the Normal Distribution (5.1) Linear Combinations

12/21/2006 219323 Probability y and Statistics for Software and Knowledge Engineers Lecture 6: The Normal Distribution Monchai Sopitkamon, Ph.D. Outline Probability Calculations Using the Normal Distribution (5.1) Linear

590 views • 20 slides
Role of Linear Instabilities Extremely Instructive for Identifying Key Physics in Problems of

Role of Linear Instabilities Extremely Instructive for Identifying Key Physics in Problems of

Selected Topics in Plasma Astrophysics Range of Astrophysical Plasmas and Relevant Techniques Stellar Winds (Lecture I) Thermal, Radiation, and Magneto-Rotational Driven Winds Connections to Other Areas of Astrophysical

547 views • 34 slides
Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear

Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear

Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear models, assume that the response, Y , has a normal distribution with constant variance. Unlike linear models, however, the mean function may depend

159 views • 4 slides
Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/249833577 Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special Education August 2003 DOI:

471 views • 12 slides
Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept

Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept

Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept them? What types of biases are you aware of? Do you have experience with your own or seen biases in others? Activity: You are working

289 views • 14 slides
Breakout for small group discussions Topics Understanding your biases Awareness of

Breakout for small group discussions Topics Understanding your biases Awareness of

8/18/2020 Listen and Learn about Racial Justice 1 Presentation then Q&A Breakout for small group discussions Topics Understanding your biases Awareness of how biases affect behaviors Discerning your voice and your role

465 views • 13 slides
Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light Absorption Absorption Measurements Measurements Christine Walsh Lund University (Lund, Sweden) NOAA ERSL (Aerosol Research Group) Overview of

354 views • 17 slides
The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd

The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd

The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science The Distribution of a Linear Combination of Random Variables Introduction

908 views • 68 slides
Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is

Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is

1 Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is licensed under CC BY 2.5 2 Heuristics and biases Heuristics Lotto Icon by Dapete is licensed under CC BY 2.5 Tricks, rules of thumb,

372 views • 23 slides
TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL

TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL

TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL LANGUAGES ARE THE BASE HUMAN COMMUNICATION BASE HUMAN COMMUNICATION we learn from books of all kinds about complex topics and keep ourself updated

532 views • 51 slides
Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases

Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases

Institute for Software Technology International Workshop on Decision Making and Recommender Systems, Bolzano, 2014 Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases & Recommender Systems 1

1.11k views • 53 slides
Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P (

Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P (

Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P ( Y = y ) = y e y ! for y a non-negative integer. We can use the method of maximum likelihood to estimate if we have a sample Y 1 , . .

1.06k views • 18 slides
Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric

Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric

Introduction Scan Angle Biases Doppler Effect Biases IASI vs AIRS Biases Conclusions Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric Spectroscopy Laboratory (ASL) Physics Department and Joint

437 views • 20 slides
DATE: May 11, 2017 TO: Planning & Organization Committee/Recycling Board FROM: Tom Padia,

DATE: May 11, 2017 TO: Planning & Organization Committee/Recycling Board FROM: Tom Padia,

DATE: May 11, 2017 TO: Planning & Organization Committee/Recycling Board FROM: Tom Padia, Deputy Director BY: Mark Spencer, Senior Program Manager SUBJECT: Presentation of 2016 Benchmark Data SUMMARY StopWaste has collected single

230 views • 20 slides
Has War Really Declined since World War 2? by Michael Spagat Department of Economics Royal

Has War Really Declined since World War 2? by Michael Spagat Department of Economics Royal

Has War Really Declined since World War 2? by Michael Spagat Department of Economics Royal Holloway University of London m.spagat@rhul.ac.uk and Stijn van Weezel School of Economics University College Dublin Paper presented at ISA San

390 views • 15 slides
ANALYSTS BRIEFING 01 01 MARCH H 20 2018 18 1 TABLE OF CONTENTS Consolidated Financial

ANALYSTS BRIEFING 01 01 MARCH H 20 2018 18 1 TABLE OF CONTENTS Consolidated Financial

FULL YEAR FULL YEAR 20 2017 17 FIN FINANCIA ANCIAL L RESUL RESULTS TS ANALYSTS BRIEFING 01 01 MARCH H 20 2018 18 1 TABLE OF CONTENTS Consolidated Financial Highlights Page 3 Stand-alone Portfolio Company Results and Key Page

757 views • 65 slides
Quarter Ended December 31, 2011 Earnings Conference Call February 2, 2012 Cautionary Statement

Quarter Ended December 31, 2011 Earnings Conference Call February 2, 2012 Cautionary Statement

Quarter Ended December 31, 2011 Earnings Conference Call February 2, 2012 Cautionary Statement Certain statements included herein contain forward-looking statements within the meaning of federal securities laws about KEMET Corporation's (the

1.14k views • 14 slides
Fast Item Response Theory (IRT) Analysis by using GPUs Lei Chen lei.chen@liulishuo.com Liulishuo

Fast Item Response Theory (IRT) Analysis by using GPUs Lei Chen lei.chen@liulishuo.com Liulishuo

Fast Item Response Theory (IRT) Analysis by using GPUs Lei Chen lei.chen@liulishuo.com Liulishuo Silicon Valley AI Lab 1 Outline A brief introduction of Item Response Theory (IRT) Edward, a new probabilistic programming (PP) toolkit

719 views • 56 slides
RTI 101 Why RTI? The normal curve is not sacred. It describes the outcome of a random

RTI 101 Why RTI? The normal curve is not sacred. It describes the outcome of a random

RTI 101 Why RTI? The normal curve is not sacred. It describes the outcome of a random process. Since education is a purposeful activity in which we seek to have the students learn what we teach, the achievement distribution should be very

706 views • 44 slides
Deep Dive Into Mann-Whitney and Spearman Rank Deliverance Bougie Sr. Statistician August 2018

Deep Dive Into Mann-Whitney and Spearman Rank Deliverance Bougie Sr. Statistician August 2018

Deep Dive Into Mann-Whitney and Spearman Rank Deliverance Bougie Sr. Statistician August 2018 1 Deep Dive Into Mann-Whitney and Spearman Rank Mann-Whitney Statistical Analysis Why we use it. Getting technical. What do the

488 views • 24 slides
NDPERS Public Safety Retirement Plan DEFINED BENEFIT Public Safety Plan Funded by

NDPERS Public Safety Retirement Plan DEFINED BENEFIT Public Safety Plan Funded by

NDPERS Public Safety Retirement Plan DEFINED BENEFIT Public Safety Plan Funded by contributions and investments Defines the benefit payment using formula Guaranteed member account balance Eligibility At least 18 years of age

616 views • 38 slides

More recommend