a new criterion for avoiding the propagation of linear
play

A new criterion for avoiding the propagation of linear relations - PowerPoint PPT Presentation

Jan 03, 2023 •117 likes •488 views

A new criterion for avoiding the propagation of linear relations through an Sbox Christina Boura and Anne Canteaut INRIA Paris-Rocquencourt DTU Compute March 13, 2013 1 / 23 Outline Introduction 1 The notion of ( v, w ) -linearity 2

  1. A new criterion for avoiding the propagation of linear relations through an Sbox Christina Boura and Anne Canteaut INRIA Paris-Rocquencourt DTU Compute March 13, 2013 1 / 23

  2. Outline Introduction 1 The notion of ( v, w ) -linearity 2 Analysis of 4 -bit optimal Sboxes 3 Application to Hamsi 4 Conclusion 5 2 / 23

  3. Introduction Outline Introduction 1 The notion of ( v, w ) -linearity 2 Analysis of 4 -bit optimal Sboxes 3 Application to Hamsi 4 Conclusion 5 3 / 23

  4. Introduction Introduction Investigate SPN primitives using small Sboxes. Ideally, after several rounds, all output bits should be expessed as non-linear functions of all input bits. 4 / 23

  5. Introduction Introduction Investigate SPN primitives using small Sboxes. Ideally, after several rounds, all output bits should be expessed as non-linear functions of all input bits. This is not always so. 4 / 23

  6. Introduction The need for a new linearity measure Some output bits can be expressed as affine functions of some input bits (when the other input bits are fixed to a constant). The sizes of the input and output sets are important. Large sets can lead to a big number of affine relations between input and output bits . Possibly lead to cryptanalysis (Attack against Hamsi 2010, cube-like attacks). We show that the number of affine relations depends on a new linearity measure of the Sbox, that we call ( v, w ) -linearity . 5 / 23

  7. Introduction An example ANF of the Hamsi Sbox = x 0 x 2 + x 1 + x 2 + x 3 y 0 y 1 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 y 3 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . 6 / 23

  8. Introduction An example ANF of the Hamsi Sbox = x 0 x 2 + x 1 + x 2 + x 3 y 0 y 1 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 y 3 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . If we fix all-but-one variables to a constant value then all the coordinates of the Sbox are affine with respect to the input variable. 6 / 23

  9. Introduction An example ANF of the Hamsi Sbox = x 0 x 2 + x 1 + x 2 + x 3 y 0 y 1 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 y 3 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . If we fix two variables to a constant value then two coordinates of the Sbox are affine with respect to the input variables. 6 / 23

  10. Introduction An example ANF of the Hamsi Sbox = x 0 x 2 + x 1 + x 2 + x 3 y 0 y 1 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 y 3 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . If we fix one variable to a constant value then one coordinate of the Sbox is affine with respect to the input variables. 6 / 23

  11. The notion of ( v, w ) -linearity Outline Introduction 1 The notion of ( v, w ) -linearity 2 Analysis of 4 -bit optimal Sboxes 3 Application to Hamsi 4 Conclusion 5 7 / 23

  12. The notion of ( v, w ) -linearity Definition of ( v, w ) -linearity Definition. Let S be a function from F n 2 into F m 2 . Then, S is ( v, w ) -linear if there exist two linear subspaces V ⊂ F n 2 and W ⊂ F m with 2 dim V = v and dim W = w such that, for all λ ∈ W , S λ : x �→ λ · S ( x ) has degree at most 1 on all cosets of V . 8 / 23

  13. The notion of ( v, w ) -linearity Example y 0 = x 0 x 2 + x 1 + x 2 + x 3 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 y 1 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . y 3 S is (2 , 2) -linear for V = � 1 , 8 � and W = � 1 , 8 � . 9 / 23

  14. The notion of ( v, w ) -linearity Example y 0 = x 0 x 2 + x 1 + x 2 + x 3 = x 0 x 1 x 2 + x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 0 x 3 + x 2 x 3 + x 0 + x 1 + x 2 y 1 = x 0 x 1 x 3 + x 0 x 2 x 3 + x 1 x 2 + x 1 x 3 + x 2 x 3 + x 0 + x 1 + x 3 y 2 = x 0 x 1 x 2 + x 1 x 3 + x 0 + x 1 + x 2 + 1 . y 3 S is (3 , 1) -linear for V = � 1 , 2 , 8 � and W = � 1 � . 9 / 23

  15. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction An Example: Let f : F 4 2 → F 2 with f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 . Let V = � 1 , 2 � . Then f is (2 , 1) -linear w.r.t. V . 10 / 23

  16. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction An Example: Let f : F 4 2 → F 2 with f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 . Let V = � 1 , 2 � . Then f is (2 , 1) -linear w.r.t. V . 10 / 23

  17. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction An Example: Let f : F 4 2 → F 2 with f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 . Let V = � 1 , 2 � . Then f is (2 , 1) -linear w.r.t. V . f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 = ( x 3 x 4 + x 4 ) x 1 + ( x 3 + 1) x 2 + x 3 x 4 + x 4 = ( x 3 x 4 + x 4 , x 3 + 1) · ( x 1 , x 2 ) + x 3 x 4 + x 4 10 / 23

  18. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction An Example: Let f : F 4 2 → F 2 with f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 . Let V = � 1 , 2 � . Then f is (2 , 1) -linear w.r.t. V . f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 = ( x 3 x 4 + x 4 ) x 1 + ( x 3 + 1) x 2 + x 3 x 4 + x 4 = ( x 3 x 4 + x 4 , x 3 + 1) · ( x 1 , x 2 ) + x 3 x 4 + x 4 In general, any f : F n 2 → F 2 that is ( v, 1) -linear w.r.t. V can be written as f ( x, y ) = π ( x ) · y + h ( x ) , with ( x, y ) ∈ U × V. 10 / 23

  19. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction An Example: Let f : F 4 2 → F 2 with f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 . Let V = � 1 , 2 � . Then f is (2 , 1) -linear w.r.t. V . f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 3 x 4 + x 1 x 4 + x 2 x 3 + x 3 x 4 + x 2 + x 4 = ( x 3 x 4 + x 4 ) x 1 + ( x 3 + 1) x 2 + x 3 x 4 + x 4 = ( x 3 x 4 + x 4 , x 3 + 1) · ( x 1 , x 2 ) + x 3 x 4 + x 4 In general, any f : F n 2 → F 2 that is ( v, 1) -linear w.r.t. V can be written as f ( x, y ) = π ( x ) · y + h ( x ) , with ( x, y ) ∈ U × V. Generalisation of the Maiorana-McFarland construction for bent functions . 10 / 23

  20. The notion of ( v, w ) -linearity Link with the Maiorana-McFarland Construction Proposition. S is ( v, w ) - linear w.r.t. ( V, W ) if and only if its components S λ , λ ∈ W , can be written as F w S W : U ⊕ V → 2 ( u, v ) �→ M ( u ) v + G ( u ) where M ( u ) is a w × v binary matrix. Equivalently, all second-order derivatives D α D β S W , with α, β ∈ V , vanish. 11 / 23

  21. The notion of ( v, w ) -linearity General Properties Proposition. If S is ( v, w ) - linear w.r.t. ( V, W ) , then all its compo- nents S λ , λ ∈ W have degree at most n + 1 − v and L ( S ) ≥ 2 v . Equivalence holds for v = n − 1 and w = 1 . 12 / 23

  22. Analysis of 4 -bit optimal Sboxes Outline Introduction 1 The notion of ( v, w ) -linearity 2 Analysis of 4 -bit optimal Sboxes 3 Application to Hamsi 4 Conclusion 5 13 / 23

  23. Analysis of 4 -bit optimal Sboxes 4-bit optimal Sboxes Many symmetric primitives are based on 4 -bit balanced Sboxes. Optimal Sbox: Sbox with optimal resistance against differential and linear cryptanalysis [Leander-Poschmann07]: 16 classes of optimal 4 -bit balanced Sboxes upon affine equivalence. 14 / 23

  24. Analysis of 4 -bit optimal Sboxes 4-bit optimal Sboxes Many symmetric primitives are based on 4 -bit balanced Sboxes. Optimal Sbox: Sbox with optimal resistance against differential and linear cryptanalysis [Leander-Poschmann07]: 16 classes of optimal 4 -bit balanced Sboxes upon affine equivalence. Study these 16 classes under the spectrum of ( v, w ) -linearity . # ( V, W ) such that an Sbox is ( v, w ) -linear w.r.t. ( V, W ) → invariant under affine equivalence. 14 / 23

  25. Analysis of 4 -bit optimal Sboxes Analysis of 4 -bit optimal Sboxes Number of V such that S is ( v, w ) -linear w.r.t. ( V, W ) for some W . ( v, w ) (2,1) (2,2) (2,3) (2,4) (3,1) (3,2) (3,3) (3,4) Q G 0 3 35 19 5 0 7 1 0 0 G 1 3 35 23 3 0 7 1 0 0 G 2 3 35 23 3 0 7 1 0 0 G 3 0 35 5 0 0 0 0 0 0 G 4 0 35 5 0 0 0 0 0 0 G 5 0 35 5 0 0 0 0 0 0 0 35 5 0 0 0 0 0 0 G 6 0 35 5 0 0 0 0 0 0 G 7 G 8 3 35 19 5 0 7 1 0 0 G 9 1 35 13 0 0 3 0 0 0 G 10 1 35 13 0 0 3 0 0 0 G 11 0 35 5 0 0 0 0 0 0 G 12 0 35 5 0 0 0 0 0 0 G 13 0 35 5 0 0 0 0 0 0 1 35 13 0 0 3 0 0 0 G 14 1 35 11 1 0 3 0 0 0 G 15 15 / 23

  26. Application to Hamsi Outline Introduction 1 The notion of ( v, w ) -linearity 2 Analysis of 4 -bit optimal Sboxes 3 Application to Hamsi 4 Conclusion 5 16 / 23

Recommend

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion 3. Student Outcomes Criterion 4. Continuous Improvement Criterion 5. Curriculum Criterion 6. Faculty Criterion 7. Facilities Criterion 8. Support

427 views • 27 slides
Propagation of EM Waves Polarization and Propagation Linear polarization (frozen time) Linear

Propagation of EM Waves Polarization and Propagation Linear polarization (frozen time) Linear

Propagation of EM Waves Polarization and Propagation Linear polarization (frozen time) Linear polarization (fixed space) Circular polarization (frozen time) Linear vs. Circular Polarization http://en.wikipedia.org/wiki/Polarizer Working with

600 views • 22 slides
Subspace Information Criterion Subspace Information Criterion for Image Restoration for Image

Subspace Information Criterion Subspace Information Criterion for Image Restoration for Image

SCIA2001 June 11, 2001. 1 Subspace Information Criterion Subspace Information Criterion for Image Restoration for Image Restoration Mean Squared Error Estimator Mean Squared Error Estimator for Linear Filters for Linear Filters Department

309 views • 18 slides
A linear-algebraic criterion for indecomposable generalized permutohedra y 1 s Kroupa 2 Milan

A linear-algebraic criterion for indecomposable generalized permutohedra y 1 s Kroupa 2 Milan

A linear-algebraic criterion for indecomposable generalized permutohedra y 1 s Kroupa 2 Milan Studen Tom a 1 Institute of Information Theory and Automation of the CAS Prague, Czech Republic 2 Department of Mathematics, University of Milan

505 views • 27 slides
Introduction to Data Science: Logistic 0 1 1 according to a data fit criterion. account

Introduction to Data Science: Logistic 0 1 1 according to a data fit criterion. account

Linear models for classication Classier evaluation Linear models for classication Linear models for classication Linear models for classication Linear models for classication Linear models for classication Linear models

619 views • 34 slides
PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting

PLANT PROPAGATION An Overview of Plant Propagation Methods Two Techniques of Stem Cutting Propagation Types of Propagation Sexual Propagation: Asexual Propagation: Seed Division & Separation Cuttings Grafting & Budding

623 views • 60 slides
Communication-avoiding sparse direct solvers for linear systems & Sherry Li graph problems

Communication-avoiding sparse direct solvers for linear systems & Sherry Li graph problems

hpcgarage.org/uiuc20 Slides are here right now Piyush Sao get em while theyre hot (ORNL) Communication-avoiding sparse direct solvers for linear systems & Sherry Li graph problems (LBNL) Ramki Kannan Richard (Rich) Vuduc

641 views • 47 slides
Communica)on-Avoiding Algorithms for Linear Algebra and Beyond Jim Demmel EECS & Math

Communica)on-Avoiding Algorithms for Linear Algebra and Beyond Jim Demmel EECS & Math

Communica)on-Avoiding Algorithms for Linear Algebra and Beyond Jim Demmel EECS & Math Departments UC Berkeley Why avoid communica)on? (1/2) Algorithms have two costs (measured in )me or energy): 1. Arithme)c (FLOPS) 2. Communica)on: moving

1.18k views • 99 slides
Notes on Error Propagation in Linear Systems CS3220 Summer 2008 - Jonathan Kaldor Up to this

Notes on Error Propagation in Linear Systems CS3220 Summer 2008 - Jonathan Kaldor Up to this

Notes on Error Propagation in Linear Systems CS3220 Summer 2008 - Jonathan Kaldor Up to this point, we have talked about solving n n linear systems Ax = b where A is of full rank. We have talked about, in passing, difficult systems to

323 views • 5 slides
A New Information Criterion A New Information Criterion for the Selection of Subspace Models for

A New Information Criterion A New Information Criterion for the Selection of Subspace Models for

1 A New Information Criterion A New Information Criterion for the Selection of Subspace Models for the Selection of Subspace Models Department of Computer Science, Tokyo Institute of Technology, Japan Masashi Sugiyama Hidemitsu Ogawa 2

380 views • 26 slides
THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What

PROPAGATION THE AMATEURS FRIEND OR Enemy A short course on Propagation Propagation What is it? What causes it? How does it effect HF Communications How do we understand the charts Were do we find the propagation information What is it?

978 views • 28 slides
1 How to deal with Radio Propagation How to deal with Radio Propagation Where are you from?

1 How to deal with Radio Propagation How to deal with Radio Propagation Where are you from?

Lecture II Agenda Lecture II Agenda Radio Propagation Physical of radio propagation Two types of propagation models Wireless Multimedia System Outdoor vs. Indoor Radio Propagation Model How to do

538 views • 15 slides
A Warning Propagation-Based Linear-Time-and-Space Algorithm for the Minimum Vertex Cover Problem

A Warning Propagation-Based Linear-Time-and-Space Algorithm for the Minimum Vertex Cover Problem

A Warning Propagation-Based Linear-Time-and-Space Algorithm for the Minimum Vertex Cover Problem on Giant Graphs Hong Xu Kexuan Sun Sven Koenig T. K. Satish Kumar {hongx, kexuansu, skoenig}@usc.edu tkskwork@gmail.com January 3, 2018

565 views • 33 slides
Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V

Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V

Basics of Mechanics of . . . Case of Larger Stress Ductile Materials and . . . Maxwells . . . Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V under . . . New Faster Algorithm . . . How to

353 views • 13 slides
Short range acoustic propagation through non-linear internal waves Daniel Rouseff, DajunTang,

Short range acoustic propagation through non-linear internal waves Daniel Rouseff, DajunTang,

Short range acoustic propagation through non-linear internal waves Daniel Rouseff, DajunTang, Kevin L. Williams Applied Physics Laboratory, University of Washington James N. Moum Oregon State University Zhongkang Wang Hangzhou Applied

955 views • 29 slides
Uncertainty Propagation in Linear Systems: An Exact Solution Using random Matrix Theory S

Uncertainty Propagation in Linear Systems: An Exact Solution Using random Matrix Theory S

Uncertainty Propagation in Linear Systems: An Exact Solution Using random Matrix Theory S Adhikari School of Engineering, University of Wales Swansea, Swansea, U.K. Email: S.Adhikari@swansea.ac.uk URL: http://engweb.swan.ac.uk/ adhikaris

496 views • 37 slides
Channel Models, Favorable Propagation and Multi-Stage Linear Detection in Cell-Free Massive MIMO

Channel Models, Favorable Propagation and Multi-Stage Linear Detection in Cell-Free Massive MIMO

Channel Models, Favorable Propagation and Multi-Stage Linear Detection in Cell-Free Massive MIMO Laura Cottatellucci Dirk Slock Roya Gholami 2020 IEEE International Symposium on Information Theory (ISIT), 21-26 June 2020 Outline I.

512 views • 19 slides
Lecture no: 2 Short on dB calculations Basics about antennas Propagation mechanisms

Lecture no: 2 Short on dB calculations Basics about antennas Propagation mechanisms

RADIO SYSTEMS ETI 051 Contents Lecture no: 2 Short on dB calculations Basics about antennas Propagation mechanisms Free space propagation Reflection and transmission Propagation Propagation over ground plane

456 views • 12 slides
Physical of radio propagation Two types of propagation models

Physical of radio propagation Two types of propagation models

Lecture II Agenda Lecture II Agenda Radio Propagation Physical of radio propagation Two types of propagation models Wireless Multimedia System Outdoor vs. Indoor Radio Propagation Model How to do

633 views • 14 slides
Communication Avoiding: The Past Decade and the New Challenges L. Grigori and collaborators

Communication Avoiding: The Past Decade and the New Challenges L. Grigori and collaborators

Communication Avoiding: The Past Decade and the New Challenges L. Grigori and collaborators Alpines Inria Paris and LJLL, Sorbonne University February 27, 2019 Plan Motivation of our work Short overview of results from CA dense linear

895 views • 61 slides
On Grinbergs Criterion 6 5 5 5 9 Gunnar Brinkmann and Carol T. Zamfirescu Grinbergs

On Grinbergs Criterion 6 5 5 5 9 Gunnar Brinkmann and Carol T. Zamfirescu Grinbergs

On Grinbergs Criterion 6 5 5 5 9 Gunnar Brinkmann and Carol T. Zamfirescu Grinbergs Criterion (Grinberg, 1968) Given a plane graph with a hamiltonian cycle S and f k ( f k ) faces of size k inside (outside) of S , we have ( k

645 views • 29 slides
Shear Strength Chapter 10 Mohrs Failure Criterion 1 4/13/2015 Coulombs

Shear Strength Chapter 10 Mohrs Failure Criterion 1 4/13/2015 Coulombs

4/13/2015 Shear Strength Chapter 10 Mohrs Failure Criterion 1 4/13/2015 Coulombs Failure Criterion N Shear force, T Failure plane T friction angle T cohesion N Normal force, N Mohr Coulomb Failure Criterion

312 views • 20 slides
LANGUAGE, TRUTH, AND LOGIC A.J. AYER Verificationism The criterion which we use to test

LANGUAGE, TRUTH, AND LOGIC A.J. AYER Verificationism The criterion which we use to test

LANGUAGE, TRUTH, AND LOGIC A.J. AYER Verificationism The criterion which we use to test the genuineness of apparent statements of fact is the criterion of verifiability. Verificationism We say that a sentence is factually

500 views • 25 slides
The Existence of Decoherence-Free Subspaces and an Effective Criterion Takeo Kamizawa Faculty of

The Existence of Decoherence-Free Subspaces and an Effective Criterion Takeo Kamizawa Faculty of

Introduction Reducible Systems Quantum Operations DFS Criterion for DFS Summary The Existence of Decoherence-Free Subspaces and an Effective Criterion Takeo Kamizawa Faculty of Physics, Astronomy and Informatics, Nicolaus Copernicus

842 views • 59 slides

More recommend