Statistics in Cryptanalysis
Subhabrata Samajder, Indian Statistical Institute, Kolkata, 24th May, 2017

Outline: (1) Cryptanalysis of Affine Cipher, (2) Hypothesis Testing, (3) Linear Cryptanalysis


  3. Hypothesis Testing
     A statistical hypothesis in general refers to an assumption of any sort about the distribution function $F(x)$ (say) of the population $P$. Assume that $F(x)$ has a known functional form which involves a number of unknown parameters $\theta_1, \theta_2, \ldots, \theta_k$.
     - Example: Normal distribution $N(\mu, \sigma^2)$, where $\mu \in \mathbb{R}$ and $\sigma^2 \in \mathbb{R}_{\geq 0}$ are its parameters.
     Let $\Theta = (\theta_1, \theta_2, \ldots, \theta_k)$.
     Hypothesis: A hypothesis is then any assumption regarding the parameters $\theta_1, \theta_2, \ldots, \theta_k$.
     Example: $H_0: \mu = 2, \sigma^2 = 0.1$.

  6. Hypothesis Testing: Null vs. Alternate Hypothesis
     Null Hypothesis: We shall very often make a hypothesis wishing it to be accepted by the test; such a hypothesis is called a null hypothesis.
     Alternate Hypothesis: Sometimes it so happens that we know for certain that either $\Theta \in \omega_0$ or $\Theta \in \omega_A$, where $\omega_0$ and $\omega_A$ are two disjoint point sets in $P^k$, and it remains for us to decide between the two by means of a test. If we have a priori reasons to be more inclined to believe in the first hypothesis, then we set up the null hypothesis $H_0: \Theta \in \omega_0$ to be tested against the alternative hypothesis $H_1: \Theta \in \omega_A$, hoping that the null hypothesis will be accepted by the test and thereby confirm our belief. Then $H_1: \Theta \in \omega_A$ is called the alternate hypothesis.

  9. Hypothesis Testing: General Form Of A Test
     Let $\tilde{x} = (x_1, x_2, \ldots, x_N)$ be a sample of size $N$ drawn from the population $P$. On the evidence offered by this sample we shall have to decide whether to accept or reject the null hypothesis. The mathematical formulation of this evidence is known as a test of the hypothesis $H_0$.

  12. Hypothesis Testing: General Form Of A Test (Cont.)
      A test of the hypothesis $H_0$, in its general form, consists in choosing a region $W$ in the sample space $\mathbb{R}^n$. If the observed position of the sample point $\tilde{x} \in W$, then $H_0$ is rejected, and if $\tilde{x} \in W^c$, then $H_0$ is accepted. $W$ is called the rejection region or the critical region and $W^c$ is the acceptance region of the test.

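  13. Hypothesis Testing: Error Probabilities

      |            | $\tilde{x} \in W$ | $\tilde{x} \in W^c$ |
      |------------|-------------------|---------------------|
      | $H_0$ True | Type-I Error      | Accept              |
      | $H_1$ True | Reject            | Type-II Error       |

      Type-I Error Probability: $\Pr[\tilde{X} \in W \mid H_0 \text{ holds}]$.
      Type-II Error Probability: $\Pr[\tilde{X} \in W^c \mid H_1 \text{ holds}] = 1 - \Pr[\tilde{X} \in W \mid H_1 \text{ holds}] = 1 - \beta(W)$.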

  16. Linear Cryptanalysis: Substitution-Permutation Network (SPN)
      [Figure: A Basic Substitution Permutation Network (SPN) Cipher (Courtesy: Heys's Tutorial). Labels: plaintext $P_1, \ldots, P_{16}$; sub-key mixing with $k^{(1)}, \ldots, k^{(5)}$; S-boxes $S_{i1}, \ldots, S_{i4}$ in rounds $i = 1, \ldots, 4$; ciphertext $C_1, \ldots, C_{16}$.]

  23. Linear Cryptanalysis: Substitution-Permutation Network (SPN) (Cont.)
      - Consider an $(r+1)$-round cipher.
      - Round keys are $n$ bits long.
      - Round keys: $k^{(0)}, k^{(1)}, \ldots$
      - Round functions: $R^{(0)}_{k^{(0)}}, R^{(1)}_{k^{(1)}}, \ldots$
      - Each round function is a bijection of $\{0,1\}^n$.
      - $K^{(i)} = k^{(0)} \| k^{(1)} \| \cdots \| k^{(i-1)}$
      - $E^{(1)}_{K^{(1)}} = R^{(0)}_{k^{(0)}}$; $E^{(i)}_{K^{(i)}} = R^{(i-1)}_{k^{(i-1)}} \circ \cdots \circ R^{(0)}_{k^{(0)}} = R^{(i-1)}_{k^{(i-1)}} \circ E^{(i-1)}_{K^{(i-1)}}$, $i \geq 1$.

  28. Linear Cryptanalysis: Design Goals
      - Compact and efficient in hardware and/or software.
      - Secure.
      Attack Types:
      - Linear Cryptanalysis
      - Differential Cryptanalysis
      - Distinguishing Attacks
      - ...
      Known Plaintext Attacks:
      - Cipher is instantiated with a secret key $K$.
      - $N$ plaintext-ciphertext pairs $(P_1, C_1), \ldots, (P_N, C_N)$ sought, s.t. each $C_i = E_K(P_i)$.
      - Goal: Obtain the secret key.

  33. Linear Cryptanalysis: Key Recovery Attacks: A Top-Level View
      Structural analysis:
      - A detailed study of the target algorithm to obtain a measurable deviation from "randomness".
      - Identify a target sub-key. Let the size of the target sub-key be $m$ bits.
      Statistical analysis: Obtain a tractable (closed form) relation between the following three quantities:
      - $N$: data complexity.
      - $P_S$: (lower bound on the) success probability.
      - $a$: the (expected) number of false alarms is (at most) a fraction $2^{-a}$ of the number of all the $2^m$ possible choices of the target sub-key.

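  39. Linear Cryptanalysis
      - Proposed by Matsui in EUROCRYPT '93.
      - Random variable: $L = \langle \Gamma_P, P \rangle \oplus \langle \Gamma_B, B \rangle$
      - Inner key bit: $z = \langle \Gamma_K, K^{(r)} \rangle$, where $K^{(r)} = k^{(0)} \| k^{(1)} \| \cdots \| k^{(r-1)}$
      - Linear approximation: $L = z$, with
        $$\Pr[L = z] = \begin{cases} p; & \text{if } \kappa = \kappa^* \\ 1/2; & \text{if } \kappa \neq \kappa^*. \end{cases}$$
      - Source of randomness: $P_1, \ldots, P_N$.
      [Figure labels: $n$-bit $P$ with mask $\Gamma_P$; Round 1, Round 2, ..., Round $r$ with round keys $k^{(0)}, k^{(1)}, \ldots, k^{(r-1)}$ and mask $\Gamma_K$; $B$ with mask $\Gamma_B$; Round $(r+1)$ with $k^{(r)}$ and $\kappa$ ($m$ bits); $n$-bit $C$.]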
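Added example (not from the slides): an exhaustive evaluation of $\Pr[L = z]$ for a single toy round $B = S(P \oplus k)$, showing that the probability $p$ of a linear approximation does not depend on the fixed key. The one-round cipher, the choice $\Gamma_K = \Gamma_P$, and the S-box (the 4-bit S-box of Heys's tutorial, which the slides do not list) are assumptions of this example.

```python
# Added example: exhaustive check of a linear approximation over one toy round.
# Assumptions: round B = S(P xor k) on 4 bits; SBOX is the 4-bit S-box used in
# Heys's tutorial (row 0 of DES S1), which the slides do not list.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N_BITS = 4


def dot(mask, value):
    """Inner product <mask, value> over GF(2): parity of the selected bits."""
    return bin(mask & value).count("1") & 1


def approx_probability(gamma_p, gamma_b, key):
    """Pr over all P of L = z, with L = <gamma_p,P> ^ <gamma_b,B>, z = <gamma_p,key>."""
    z = dot(gamma_p, key)  # inner key bit; in this one-round toy Gamma_K = Gamma_P
    hits = 0
    for p in range(1 << N_BITS):
        b = SBOX[p ^ key]
        hits += (dot(gamma_p, p) ^ dot(gamma_b, b)) == z
    return hits / (1 << N_BITS)


def best_approximation():
    """Non-trivial mask pair with the largest |p - 1/2| (the value is key-independent)."""
    best = (0, 0, 0.5)
    for gp in range(1, 1 << N_BITS):
        for gb in range(1, 1 << N_BITS):
            p = approx_probability(gp, gb, key=0)
            if abs(p - 0.5) > abs(best[2] - 0.5):
                best = (gp, gb, p)
    return best


if __name__ == "__main__":
    for key in (0x0, 0x5, 0xF):
        print(f"key={key:#x}  Pr[L=z]={approx_probability(0x6, 0xB, key)}")
    print("strongest mask pair (gamma_p, gamma_b, p):", best_approximation())
```

A designer reads the same table the other way: the smaller the largest $|p - 1/2|$ over all non-trivial mask pairs, the more data the statistical test on the later slides needs.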

  44. Linear Cryptanalysis (Cont.)
      - $P_1, \ldots, P_N$ are assumed to be independent and uniformly distributed.
      - The key is unknown but fixed.
      - Test Statistics: $T_\kappa = |W_\kappa|$, where $W_\kappa = (L_{\kappa,1} + \cdots + L_{\kappa,N}) - 1/2$;
      - Each $L_{\kappa,j}$ follows a Bernoulli distribution.
      - $W_\kappa$ follows a Binomial which can be approximated by a normal distribution.
        - $\kappa$ incorrect: $T_\kappa$ approximately follows half normal.
        - $\kappa$ correct: $T_\kappa$ approximately follows folded normal.

  48. Linear Cryptanalysis: Key Recovery via Hypothesis Testing
      Data: $(P_1, C_1), \ldots, (P_N, C_N)$, where
      - $P_1, \ldots, P_N$ are independent and uniform random $n$-bit strings.
      - $C_1, \ldots, C_N$ are determined by $\kappa^*$ (the actual target sub-key);
      - $B_{\kappa,1}, \ldots, B_{\kappa,N}$ are determined by the choice of $\kappa$.
      Test statistics: For a particular choice $\kappa \in \{0,1\}^m$ of the target sub-key, $T_\kappa \equiv |W_\kappa|$, where the mean and variances of $W_\kappa$ are given by
      - $\mu_0 = E[W_{\kappa^*}] = Np$ and $\mu_1 = E[W_\kappa \mid H_1] = N/2$.
      - $\sigma_0^2 = \mathrm{Var}(W_{\kappa^*}) = Np(1-p)$ and $\sigma_1^2 = \mathrm{Var}(W_\kappa \mid H_1) = N/4$.

  53. Linear Cryptanalysis: Key Recovery via Hypothesis Testing
      Hypothesis Testing Set-Up: $H_0$: $\kappa$ is correct; versus $H_1$: $\kappa$ is incorrect.
      Decision Rule: Reject $H_0$ if $T_\kappa < t$.
      - $\Pr[\text{Type-I error}] = \Pr[T \leq t \mid H_0 \text{ holds}] \leq \alpha$
      - $\Pr[\text{Type-II error}] = \Pr[T > t \mid H_1 \text{ holds}] \leq \beta$
      - $\Pr[\text{succ}] = 1 - \Pr[\text{Type-I error}] \geq 1 - \alpha = P_S$.
      Requirement: Obtain the distributions of $T_\kappa$ under $H_0$ and $H_1$.
      Data Complexity: $N$
      Goal: Express $N$ in terms of $a$ and $P_S$.

  54. Linear Cryptanalysis: Key Recovery via Hypothesis Testing
      Relating to the advantage:
      - Each Type-II error causes a false positive.
      - There are a total of $2^m$ hypothesis tests, of which $2^m - 1$ are with incorrect $\kappa$.
      - So, the expected number of false positives is $\beta(2^m - 1) \approx \beta 2^m$.
      - Advantage $a$ implies that the size of the false alarm list is $2^{m-a}$.
      - Equating to $\beta 2^m$ gives $\beta = 2^{-a}$.

  56. Linear Cryptanalysis: Type-I Error Probability
      Assume $\mu_0 > \mu_1$. The other case can be handled similarly.
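Added example (not from the slides): the test of slides 44 to 54 carried through numerically. It fixes the threshold $t$ from the advantage via $\beta = 2^{-a}$, evaluates the Type-I error under the normal approximation, checks both error rates by simulation, and searches for the smallest $N$ reaching a given $P_S$. It assumes the centred count $W_\kappa = \sum_j L_{\kappa,j} - N/2$ (the slides' $\mu_0$ and $\mu_1$ shifted by $N/2$, which gives a half normal $T_\kappa$ for a wrong key); the values $N = 256$, $p = 0.6$, $a = 4$ and the seed are constructed.

```python
# Added example (not from the slides): error rates of the key-recovery test.
# Assumed here: centred count W = sum(L_j) - N/2, and the constructed values
# of N, p, a and the seed used below.
import math
import random
from statistics import NormalDist

PHI = NormalDist()  # standard normal distribution


def threshold(n, a):
    """t with Pr[T > t | H1] = 2^-a, T half normal with sigma_1 = sqrt(n)/2."""
    beta = 2.0 ** -a
    return (math.sqrt(n) / 2) * PHI.inv_cdf(1 - beta / 2)


def type1_normal(n, p, t):
    """Pr[T <= t | H0], T folded normal from W ~ N(n(p - 1/2), n p (1 - p))."""
    mu, sigma = n * (p - 0.5), math.sqrt(n * p * (1 - p))
    return PHI.cdf((t - mu) / sigma) - PHI.cdf((-t - mu) / sigma)


def min_data(p, a, p_success):
    """Smallest N (normal approximation) for which Pr[succ] >= p_success."""
    n = 1
    while 1 - type1_normal(n, p, threshold(n, a)) < p_success:
        n += 1
    return n


def simulate(n, p, t, trials, seed=1):
    """Empirical (Type-I, Type-II) rates of the rule 'reject H0 if T < t'."""
    rng = random.Random(seed)

    def sample_t(prob):  # T = |W| for n Bernoulli(prob) outcomes L_1..L_n
        return abs(sum(rng.random() < prob for _ in range(n)) - n / 2)

    type1 = sum(sample_t(p) < t for _ in range(trials)) / trials     # correct key rejected
    type2 = sum(sample_t(0.5) >= t for _ in range(trials)) / trials  # wrong key kept
    return type1, type2


if __name__ == "__main__":
    N, P, A = 256, 0.6, 4  # constructed parameters
    t = threshold(N, A)
    print("t =", round(t, 2), " alpha (normal) =", round(type1_normal(N, P, t), 4))
    print("simulated (alpha, beta) =", simulate(N, P, t, trials=4000))
    print("N for P_S = 0.95, a = 4:", min_data(P, A, 0.95))
```

Because $W_\kappa$ only takes values on a lattice, the simulated rates differ slightly from the normal-approximation targets at small $N$.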
