
Linear Approximations of Addition Modulo $2^n - 1$, Chunfang Zhou (PowerPoint presentation)



1. Title
Linear Approximations of Addition Modulo $2^n - 1$
Chunfang Zhou, Xiutao Feng and Chuankun Wu
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, China
FSE 2011

2. Outline
1 Motivation
2 Preliminaries: Linear Approximation and Its Correlation; Linear Approximations of Addition Modulo $2^n$
3 Addition Modulo $2^n - 1$: with Two Inputs; with More Inputs
4 The Limit of $\mathrm{cor}(1; 1_k)$
5 Conclusion

3. The Basic Problem That We Studied
Given an integer $n \ge 2$, consider the operation
$y = x_1 + x_2 + \cdots + x_k \bmod 2^n - 1$,
where $1 \le y, x_i \le 2^n - 1$, $1 \le i \le k$.
Question: How can we approximate this function linearly and measure the linear approximation?

4. Why do we study the problem?
In ZUC:
- the LFSR is defined over the prime field $GF(2^{31} - 1)$;
- the feedback logic of the LFSR consists of "+" and "$\times$" over the prime field $GF(2^{31} - 1)$;
- the LFSR registers range from 1 to $2^{31} - 1$.
In linear analysis, we have to approximate the nonlinear part of the cipher by a linear function.

5. Some basic definitions
$n$: a positive integer.
$\mathbb{Z}_{2^n} = \{x \mid 0 \le x \le 2^n - 1\}$.
Given an integer $x \in \mathbb{Z}_{2^n}$, let
$x = x^{(n-1)} x^{(n-2)} \cdots x^{(0)} = \sum_{i=0}^{n-1} x^{(i)} 2^i$
be the binary representation of $x$, where $x^{(i)} \in \{0, 1\}$.
For arbitrary two integers $w, x \in \mathbb{Z}_{2^n}$, the inner product of $w$ and $x$ is defined as
$w \cdot x = \bigoplus_{i=0}^{n-1} w^{(i)} x^{(i)}$.

6. The linear approximation
Definition 1. Let $J$ be a nonempty subset of $\mathbb{Z}_{2^n}$, $k$ be a positive integer and $f$ be a function from $J^k$ to $J$. Given $k + 1$ constants $u, w_1, \cdots, w_k \in \mathbb{Z}_{2^n}$, the linear approximation of the function $f$ associated with $u, w_1, \cdots, w_k$ is an approximate relation of the form
$u \cdot f(x_1, \cdots, x_k) = \bigoplus_{i=1}^{k} w_i \cdot x_i$,
and the $(k+1)$-tuple $(u, w_1, \cdots, w_k)$ is called a linear mask of $f$.

7. The correlation
Definition 2. The efficiency of the linear approximation is measured by its correlation, which is defined as
$\mathrm{cor}_f(u; w_1, \cdots, w_k) = 2 \Pr\left(u \cdot f(x_1, \cdots, x_k) = \bigoplus_{i=1}^{k} w_i \cdot x_i\right) - 1$,
where the probability is taken over uniformly distributed $x_1, \cdots, x_k$ over $J$.

8. Addition Modulo $2^n$
Denote by $\boxplus$ the addition modulo $2^n$, that is, $u = x_1 \boxplus x_2 = (x_1 + x_2) \bmod 2^n$.
Given the linear mask $(u, w_1, w_2)$ of the addition $\boxplus$, we can derive a sequence $z = z_{n-1} \cdots z_0$ as follows:
$z_i = u^{(i)} 2^2 + w_1^{(i)} 2 + w_2^{(i)}, \quad i = 0, 1, \cdots, n - 1$.

9. Transition matrix
Define
$M_n(u, w_1, w_2) = \prod_{i=0}^{n-1} A_{z_i}$,
where $A_j$ ($j = 0, 1, \cdots, 7$) are constant matrices of size $2 \times 2$ defined as follows:
$A_0 = \frac{1}{4}\begin{pmatrix} 3 & 1 \\ 1 & 3 \end{pmatrix}, \quad A_1 = A_2 = -A_4 = \frac{1}{4}\begin{pmatrix} 1 & 1 \\ -1 & -1 \end{pmatrix},$
$-A_3 = A_5 = A_6 = \frac{1}{4}\begin{pmatrix} 1 & -1 \\ -1 & 1 \end{pmatrix}, \quad A_7 = \frac{1}{4}\begin{pmatrix} 3 & -1 \\ 1 & -3 \end{pmatrix}.$

10. For any given linear mask $(u, w_1, w_2)$, let $M_n(u, w_1, w_2)$ be defined as above. Set $M_n(u, w_1, w_2) = (M_{i,j})_{0 \le i, j \le 1}$. Then we have
$M_{i,j} = \Pr(u \cdot (x_1 \boxplus x_2) = w_1 \cdot x_1 \oplus w_2 \cdot x_2 \wedge c_n = i \wedge c_0 = j) - \Pr(u \cdot (x_1 \boxplus x_2) \ne w_1 \cdot x_1 \oplus w_2 \cdot x_2 \wedge c_n = i \wedge c_0 = j)$,
where $c_0$ is an initial carry bit, and $c_n$ is the $n$-th carry bit of the addition of $x_1$ and $x_2$ with the initial carry bit $c_0$. By the convention $c_0 = 0$, we have
$\mathrm{cor}_{\boxplus}(u; w_1, w_2) = M_{0,0} + M_{1,0}$.

11. Summarized as:
$(u, w_1, w_2) \to z \to M_n(u, w_1, w_2) \to \mathrm{cor}_{\boxplus}(u; w_1, w_2)$

12. The difference between addition modulo $2^n$ and $2^n - 1$
There are several differences between addition modulo $2^n$ and $2^n - 1$:
- the range of inputs and output: $[0, 2^n - 1]$ vs. $[1, 2^n - 1]$;
- the probability of an input bit being equal to 1: $\frac{1}{2}$ vs. $\frac{2^{n-1}}{2^n - 1}$;
- the probability of an input bit being equal to 0: $\frac{1}{2}$ vs. $\frac{2^{n-1} - 1}{2^n - 1}$;
- the carry out of the most significant position: discarded vs. added to the least significant position of the result.

13. Denote $x_1 + x_2 \bmod 2^n - 1$ by $x_1 \hat{\boxplus} x_2$:
$x_1 \hat{\boxplus} x_2 = \begin{cases} (x_1 + x_2) \bmod 2^n & \text{if } 0 < x_1 + x_2 < 2^n, \\ (x_1 + x_2 + 1) \bmod 2^n & \text{if } x_1 + x_2 \ge 2^n. \end{cases}$
It is difficult to calculate the correlation directly, so we instead count the pairs $(x_1, x_2)$ which satisfy the linear approximation (LA):
$(u, w_1, w_2) \to z \to M_n(u, w_1, w_2)$, and then
$M_{0,0} \to \sharp\{(x_1, x_2) \mid \text{satisfy the LA}, 0 \le x_1 + x_2 < 2^n\} \to \sharp\{(x_1, x_2) \mid \text{satisfy the LA}, 0 < x_1 + x_2 < 2^n\}$,
$M_{1,1} \to \sharp\{(x_1, x_2) \mid \text{satisfy the LA}, x_1 + x_2 + 1 \ge 2^n\} \to \sharp\{(x_1, x_2) \mid \text{satisfy the LA}, x_1 + x_2 \ge 2^n\}$,
and from the two counts $\to \mathrm{cor}_{\hat{\boxplus}}(u; w_1, w_2)$.

14. The formula for the correlation
Due to the similarity and the slight difference between these two operations, we can derive an exact formula for $\mathrm{cor}_{\hat{\boxplus}}(u; w_1, w_2)$:
$\mathrm{cor}_{\hat{\boxplus}}(u; w_1, w_2) = \dfrac{2^{2n}(M_{0,0} + M_{1,1}) + 2^n \cdot c + 1}{(2^n - 1)^2}$,
where
$c = \begin{cases} -3, & \text{if } u = w_1 = w_2 \text{ and } w_H(w_2) \text{ is even}, \\ 1, & \text{if } u \ne w_1 = w_2 \text{ and } w_H(w_2) \text{ is odd}, \\ 0, & \text{if } u, w_1 \text{ and } w_2 \text{ are pairwise different}, \\ -1, & \text{otherwise}, \end{cases}$
and $w_H(w_2)$ denotes the Hamming weight of $w_2$ in the binary representation.

15. The formula for the correlation (more inputs)
The correlation of the linear approximation of addition modulo $2^n - 1$ with more inputs can be computed recursively:
$\mathrm{cor}(u; w_1, \cdots, w_k) = \dfrac{2^n - 1}{2^n} \sum_{w=0}^{2^n - 1} \mathrm{cor}(w; w_1, \cdots, w_{k-1}) \, \mathrm{cor}(u; w, w_k)$.
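The following is an added worked example, written for this page and not code from the slides or their authors. It implements the matrix method of slides 8 to 11 (the digit sequence $z$, the matrices $A_0, \dots, A_7$, $M_n$ and $\mathrm{cor}_{\boxplus} = M_{0,0} + M_{1,0}$), the closed formula of slide 14 for addition modulo $2^n - 1$ and the recursion of slide 15 for $k$ inputs, and cross-checks each of them against exhaustive enumeration for small $n$. Assumptions that are ours, not stated on the slides: rows of $A_j$ index the carry-out bit and columns the carry-in bit, so $M_n$ is computed as $A_{z_{n-1}} \cdots A_{z_0}$ (bit 0 applied first); all function names are hypothetical.

```python
"""Correlation of linear approximations of x1 + x2 mod 2^n and mod 2^n - 1.

Added example (not from the slides). Convention assumed here: entry (i, j)
of A_j is (carry-out = i, carry-in = j), so M_n = A_{z_{n-1}} ... A_{z_0}.
"""
from fractions import Fraction
from itertools import product


def dot(w, x):
    """Inner product over GF(2): parity of the bitwise AND."""
    return bin(w & x).count("1") & 1


def _mat(a, b, c, d):
    """2x2 matrix ((a, b), (c, d)) / 4 with exact rational entries."""
    q = Fraction(1, 4)
    return ((a * q, b * q), (c * q, d * q))


# A_j for z_i = 4*u^(i) + 2*w1^(i) + w2^(i), as given on slide 9.
A = {
    0: _mat(3, 1, 1, 3),
    1: _mat(1, 1, -1, -1), 2: _mat(1, 1, -1, -1), 4: _mat(-1, -1, 1, 1),
    3: _mat(-1, 1, 1, -1), 5: _mat(1, -1, -1, 1), 6: _mat(1, -1, -1, 1),
    7: _mat(3, -1, 1, -3),
}


def mask_to_z(n, u, w1, w2):
    """Digit sequence [z_0, ..., z_{n-1}] derived from the mask (u, w1, w2)."""
    return [4 * ((u >> i) & 1) + 2 * ((w1 >> i) & 1) + ((w2 >> i) & 1)
            for i in range(n)]


def transition_matrix(n, u, w1, w2):
    """M_n(u, w1, w2) = A_{z_{n-1}} ... A_{z_0}: bit 0 is applied first."""
    M = ((Fraction(1), Fraction(0)), (Fraction(0), Fraction(1)))
    for z in mask_to_z(n, u, w1, w2):
        P = A[z]  # left-multiply by the matrix of the next bit position
        M = tuple(tuple(sum(P[i][k] * M[k][j] for k in range(2))
                        for j in range(2)) for i in range(2))
    return M


def cor_mod_2n(n, u, w1, w2):
    """Slide 10: cor of u.(x1 [+] x2) = w1.x1 xor w2.x2 with initial carry c_0 = 0."""
    M = transition_matrix(n, u, w1, w2)
    return M[0][0] + M[1][0]


def cor_mod_2n_minus_1(n, u, w1, w2):
    """Slide 14: closed formula for addition modulo 2^n - 1 on [1, 2^n - 1]."""
    M = transition_matrix(n, u, w1, w2)
    odd = bin(w2).count("1") % 2 == 1  # parity of the Hamming weight of w2
    if u == w1 == w2 and not odd:
        c = -3
    elif u != w1 and w1 == w2 and odd:
        c = 1
    elif u != w1 and u != w2 and w1 != w2:
        c = 0
    else:
        c = -1
    return (2 ** (2 * n) * (M[0][0] + M[1][1]) + 2 ** n * c + 1) / Fraction((2 ** n - 1) ** 2)


def cor_mod_2n_minus_1_k(n, u, ws):
    """Slide 15: k >= 2 inputs via the recursion over the intermediate mask w."""
    if len(ws) == 2:
        return cor_mod_2n_minus_1(n, u, ws[0], ws[1])
    scale = Fraction(2 ** n - 1, 2 ** n)
    return scale * sum(cor_mod_2n_minus_1_k(n, w, ws[:-1]) * cor_mod_2n_minus_1(n, u, w, ws[-1])
                       for w in range(2 ** n))


def add_mod_2n_minus_1(n, x1, x2):
    """Slide 13: x1 + x2 mod 2^n - 1 with representatives in [1, 2^n - 1]."""
    s = x1 + x2
    return s & (2 ** n - 1) if s < 2 ** n else (s + 1) & (2 ** n - 1)


def brute_force_cor(n, u, ws, mod_2n):
    """Reference value by enumerating all inputs over Z_{2^n} or over [1, 2^n - 1]."""
    domain = range(0, 2 ** n) if mod_2n else range(1, 2 ** n)
    agree = total = 0
    for xs in product(domain, repeat=len(ws)):
        y = xs[0]
        for x in xs[1:]:
            y = (y + x) % 2 ** n if mod_2n else add_mod_2n_minus_1(n, y, x)
        rhs = 0
        for w, x in zip(ws, xs):
            rhs ^= dot(w, x)
        agree += dot(u, y) == rhs
        total += 1
    return Fraction(2 * agree, total) - 1


def check_two_input_formulas(n):
    """Both closed forms against enumeration for every one of the 8^n masks."""
    for u, w1, w2 in product(range(2 ** n), repeat=3):
        if cor_mod_2n(n, u, w1, w2) != brute_force_cor(n, u, (w1, w2), True):
            return False
        if cor_mod_2n_minus_1(n, u, w1, w2) != brute_force_cor(n, u, (w1, w2), False):
            return False
    return True


def check_recursion(n, u, ws):
    """Recursive k-input formula against enumeration for one mask."""
    return cor_mod_2n_minus_1_k(n, u, ws) == brute_force_cor(n, u, ws, False)
```

For $n = 2$ and the all-ones mask $(3; 3, 3)$ the two operations already differ: `cor_mod_2n(2, 3, 3, 3)` is $1/2$ while `cor_mod_2n_minus_1(2, 3, 3, 3)` is $5/9$, which is exactly what counting the 9 pairs in $[1, 3]^2$ by hand gives. Exact `Fraction` arithmetic is used throughout so that the closed formulas can be compared to the enumerated values with `==` rather than with a floating-point tolerance; `check_two_input_formulas(3)` walks all 512 masks in well under a second.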
