on the distribution of linear biases three instructive
play

On The Distribution of Linear Biases: Three Instructive Examples - PowerPoint PPT Presentation

Aug 08, 2023 •166 likes •584 views

On The Distribution of Linear Biases: Three Instructive Examples Mohamed Ahmed Abdelraheem 1 , Martin Agren 2 , Peter Beelen 1 , and Gregor Leander 1 1 Technical University of Denmark 2 Lund University, Sweden 120820 / Santa Barbara Outline 1

  1. On The Distribution of Linear Biases: Three Instructive Examples Mohamed Ahmed Abdelraheem 1 , Martin ˚ Agren 2 , Peter Beelen 1 , and Gregor Leander 1 1 Technical University of Denmark 2 Lund University, Sweden 120820 / Santa Barbara

  2. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  3. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  4. Setting We are analyzing/constructing/breaking block ciphers. . . Fix the (unknown) key and consider the permutation F : F n 2 → F n 2 . M. ˚ Agren, Lund University, Sweden

  5. Linear Approximation Given F : F n 2 → F n 2 , a linear approximation is an equation like � α , x � = � β , F ( x ) � . (Input mask α , output mask β .) M. ˚ Agren, Lund University, Sweden

  6. Linear Approximation Given F : F n 2 → F n 2 , a linear approximation is an equation like � α , x � = � β , F ( x ) � . (Input mask α , output mask β .) The bias ǫ F ( α , β ): Pr [ � α , x � = � β , F ( x ) � ] = 1 2 + ǫ F ( α , β ) The correlation c F ( α , β ): c F ( α , β ) = 2 ǫ F ( α , β ) M. ˚ Agren, Lund University, Sweden

  7. Linear Approximation of a Composite Function x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . M. ˚ Agren, Lund University, Sweden

  8. Linear Approximation of a Composite Function x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . The correlation of a trail is � C θ = c F i ( θ i , θ i +1 ) . i Theorem � c F ( α , β ) = C θ . θ : θ 0 = α , θ r = β M. ˚ Agren, Lund University, Sweden

  9. Linear Approximation of a Composite Function k 0 k 1 k r x F 1 F 2 F r F ( x ) θ 0 θ 1 θ r A linear trail θ is a collection of all intermediate masks θ = ( θ 0 = α , . . . , θ r = β ) . The correlation of a trail is C θ = ( − 1) � θ , k � � c F i ( θ i , θ i +1 ) . i Theorem (Linear Hull) � ( − 1) � θ , k � C θ . c F ( α , β ) = θ : θ 0 = α , θ r = β M. ˚ Agren, Lund University, Sweden

  10. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  11. The Problem We can: bound the correlation of single linear trails. We cannot: bound the correlation of a linear approximation. Because: Many linear trails interact in a key dependent way. Each key gives a different correlation. We need to understand the distribution. M. ˚ Agren, Lund University, Sweden

  12. Some Approaches I: Deal with single trails. M. ˚ Agren, Lund University, Sweden

  13. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) M. ˚ Agren, Lund University, Sweden

  14. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) III: Perform experiments to validate the model/assumptions. M. ˚ Agren, Lund University, Sweden

  15. Some Approaches I: Deal with single trails. II: Model the situation – make assumptions. (Possible assumption: Different trails are independent.) III: Perform experiments to validate the model/assumptions. Todo: Develop a sound framework. Why has it not been done before? ◮ it’s difficult ◮ we didn’t try very hard M. ˚ Agren, Lund University, Sweden

  16. Our Contribution Three interesting examples of what can happen. ◮ Counterexample to earlier “theorem”. ◮ Give an idea what you can/cannot hope to prove. ◮ Serve as inspiration for future work. M. ˚ Agren, Lund University, Sweden

  17. Outline 1 Introduction 2 The Problem 3 The Examples The Cube Cipher PRESENT with identical round-keys PRINTcipher , Invariant Subspaces, and Eigenvectors 4 Conclusion M. ˚ Agren, Lund University, Sweden

  18. Normal Distribution? Consider an n -bit block cipher and assume ◮ independent round keys, ◮ (exponentially in n ) many non-zero trails, ◮ all with the same absolute correlation. If we pick a key, what bias do we get? Theorem (Daemen and Rijmen, ePrint 2005/212) The bias distribution tends to a normal distribution as n → ∞ . M. ˚ Agren, Lund University, Sweden

  19. Normal Distribution? Number of keys Theorem (Linear Hull) � ( − 1) � θ , k � C θ . c F ( α , β ) = θ Bias M. ˚ Agren, Lund University, Sweden

  20. The Cube Cipher k 0 k 1 k 2 F ( x ) x x 3 x 3 ◮ independent round keys, � ◮ (exponentially in n ) many non-zero trails, � ◮ all with the same absolute correlation, � ◮ toy cipher. M. ˚ Agren, Lund University, Sweden

  21. Normal Distribution? Number of keys Bias Cube cipher vs. the normal distribution. Only 5 values — for any n ! M. ˚ Agren, Lund University, Sweden

  22. The Role of Key-Scheduling Common analysis: Assume independent round keys and hope that the key-scheduling does not influence the distribution. Two counter-examples: ◮ PRESENT with identical round-keys ◮ PRINTcipher M. ˚ Agren, Lund University, Sweden

  23. PRESENT k i S S S S S S S S S S S S S S S S k i +1 S S S S S S S S S S S S S S S S ◮ many linear trails with one active Sbox per round ◮ distribution is close to normal M. ˚ Agren, Lund University, Sweden

  24. PRESENT Number of keys Bias Distribution for 17 rounds of PRESENT . M. ˚ Agren, Lund University, Sweden

  25. PRESENT with Identical Round-Keys k ⊕ RC i S S S S S S S S S S S S S S S S k ⊕ RC i +1 S S S S S S S S S S S S S S S S Modification: ◮ identical round-keys ◮ round constants M. ˚ Agren, Lund University, Sweden

  26. PRESENT With Identical Round-Keys Number of keys Bias Identical vs. original round-keys. M. ˚ Agren, Lund University, Sweden

  27. PRESENT -Conclusions ◮ PRESENT -const is not secure. ◮ SPONGENT does not have the PRESENT Sbox. ◮ More rounds help. M. ˚ Agren, Lund University, Sweden

  28. PRINTcipher , Invariant Subspaces, and Eigenvectors ⊕ k ⊕ RC i π 15 π 14 π 13 π 12 π 11 π 10 π 9 π 8 π 7 π 6 π 5 π 4 π 3 π 2 π 1 π 0 S S S S S S S S S S S S S S S S Last year at CRYPTO: invariant subspaces: Let U ⊆ F n 2 be a subspace and d ∈ F n 2 . Assume a weak key. F k ( U + d ) = U + d . M. ˚ Agren, Lund University, Sweden

  29. PRINTcipher , Invariant Subspaces, and Eigenvectors ⊕ k ⊕ RC i π 15 π 14 π 13 π 12 π 11 π 10 π 9 π 8 π 7 π 6 π 5 π 4 π 3 π 2 π 1 π 0 S S S S S S S S S S S S S S S S Last year at CRYPTO: invariant subspaces: Let U ⊆ F n 2 be a subspace and d ∈ F n 2 . Assume a weak key. F k ( U + d ) = U + d . ⇓ F ( U + d ) = U + d . M. ˚ Agren, Lund University, Sweden

  30. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Bias M. ˚ Agren, Lund University, Sweden

  31. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Bias M. ˚ Agren, Lund University, Sweden

  32. Linear Biases in PRINTcipher Number of keys “ PRINTcipher -24:” Number of keys Bias Precisely those keys that yield an invariant subspace! Bias 2 − 9 . 0 M. ˚ Agren, Lund University, Sweden

  33. Correlation Matrices; an Eigenvector Correlation matrix C = ( c F ( α, β )) α,β . Theorem Invariant subspace ⇒ A sub-matrix (A) of the correlation matrix has an eigenvector with a special ± -structure and eigenvalue 1 . The matrix has a nonzero limit. We have trail-clustering! M. ˚ Agren, Lund University, Sweden

  34. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . . M. ˚ Agren, Lund University, Sweden

  35. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . , so  +1 +1 − 1 − 1 +1 +1 − 1  . . . +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .   A r → const 2 · .   +1 +1 − 1 − 1 +1 +1 − 1 . . .     +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .    . . . . . . .  ... . . . . . . . . . . . . . . M. ˚ Agren, Lund University, Sweden

  36. The Matrix Power Limit The eigenvector is � � const · +1 +1 − 1 − 1 +1 +1 − 1 . . . , so  +1 +1 − 1 − 1 +1 +1 − 1  . . . +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . . 1   A r → 2 16 − 1 · .   +1 +1 − 1 − 1 +1 +1 − 1 . . .     +1 +1 − 1 − 1 +1 +1 − 1 . . .     − 1 − 1 +1 +1 − 1 − 1 +1 . . .    . . . . . . .  ... . . . . . . . . . . . . . . Indeed, experimentally, c F ( α, β ) ≈ ± 2 − 16 ( PRINTcipher -48). M. ˚ Agren, Lund University, Sweden

Recommend

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1 Blockwise Stream Ciphers 2 Presentation of AEGIS 3 Linear Biases in AEGIS 1/22 Blockwise Stream Ciphers 2/22 Authenticated Encryption Schemes C

1.07k views • 39 slides
Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan

Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan

Unexpected biases in the distribution of consecutive primes Robert J. Lemke Oliver, Kannan Soundararajan Stanford University Chebyshevs Bias Let ( x ; q , a ) := # { p < x : p a (mod q ) } . Chebyshevs Bias Let ( x ; q , a )

1.31k views • 93 slides
Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you

Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you

Capital Budgeting: Biases (Welch, Chapter 13-5) Ivo Welch More Biases Overconfidence Are you overconfident? (Note that this can also affect proper volatility estimates in real options.) 90% Confidence Interval Give a 90% confidence interval

517 views • 13 slides
Outline Probability Calculations Using the Normal Distribution (5.1) Linear Combinations

Outline Probability Calculations Using the Normal Distribution (5.1) Linear Combinations

12/21/2006 219323 Probability y and Statistics for Software and Knowledge Engineers Lecture 6: The Normal Distribution Monchai Sopitkamon, Ph.D. Outline Probability Calculations Using the Normal Distribution (5.1) Linear

590 views • 20 slides
Role of Linear Instabilities Extremely Instructive for Identifying Key Physics in Problems of

Role of Linear Instabilities Extremely Instructive for Identifying Key Physics in Problems of

Selected Topics in Plasma Astrophysics Range of Astrophysical Plasmas and Relevant Techniques Stellar Winds (Lecture I) Thermal, Radiation, and Magneto-Rotational Driven Winds Connections to Other Areas of Astrophysical

547 views • 34 slides
Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear

Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear

Notes on the Non-linear Regression The model Non-linear regression models, like ordinary linear models, assume that the response, Y , has a normal distribution with constant variance. Unlike linear models, however, the mean function may depend

159 views • 4 slides
Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/249833577 Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special Education August 2003 DOI:

471 views • 12 slides
Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept

Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept

Unconscious Bias 1 Questions to Start: Are we aware of our unconscious biases? Do we accept them? What types of biases are you aware of? Do you have experience with your own or seen biases in others? Activity: You are working

289 views • 14 slides
Breakout for small group discussions Topics Understanding your biases Awareness of

Breakout for small group discussions Topics Understanding your biases Awareness of

8/18/2020 Listen and Learn about Racial Justice 1 Presentation then Q&A Breakout for small group discussions Topics Understanding your biases Awareness of how biases affect behaviors Discerning your voice and your role

465 views • 13 slides
Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light

Investigating Potential Investigating Potential Biases in Aerosol Light Biases in Aerosol Light Absorption Absorption Measurements Measurements Christine Walsh Lund University (Lund, Sweden) NOAA ERSL (Aerosol Research Group) Overview of

354 views • 17 slides
The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd

The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd

The Distribution of a Linear Combination of Random Variables Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science The Distribution of a Linear Combination of Random Variables Introduction

908 views • 68 slides
Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is

Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is

1 Heuristics and biases Tina Nane 2 Heuristics and biases Lotto Icon by Dapete is licensed under CC BY 2.5 2 Heuristics and biases Heuristics Lotto Icon by Dapete is licensed under CC BY 2.5 Tricks, rules of thumb,

372 views • 23 slides
TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL

TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL

TEXT AND TEXT AND AUTOMATED BIASES AUTOMATED BIASES NATURAL LANGUAGES ARE THE NATURAL LANGUAGES ARE THE BASE HUMAN COMMUNICATION BASE HUMAN COMMUNICATION we learn from books of all kinds about complex topics and keep ourself updated

532 views • 51 slides
Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases

Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases

Institute for Software Technology International Workshop on Decision Making and Recommender Systems, Bolzano, 2014 Biases in Decision Making Alexander Felfernig alexander.felfernig@ist.tugraz.at Decision Biases & Recommender Systems 1

1.11k views • 53 slides
Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P (

Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P (

Theory of Generalized Linear Models If Y has a Poisson distribution with parameter then P ( Y = y ) = y e y ! for y a non-negative integer. We can use the method of maximum likelihood to estimate if we have a sample Y 1 , . .

1.06k views • 18 slides
Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric

Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric

Introduction Scan Angle Biases Doppler Effect Biases IASI vs AIRS Biases Conclusions Spectral and Radiometric Issues for Level 1C L. Larrabee Strow and Scott Hannon Atmospheric Spectroscopy Laboratory (ASL) Physics Department and Joint

437 views • 20 slides
EC3062 ECONOMETRICS HYPOTHESIS TESTS FOR THE CLASSICAL LINEAR MODEL The Normal Distribution and

EC3062 ECONOMETRICS HYPOTHESIS TESTS FOR THE CLASSICAL LINEAR MODEL The Normal Distribution and

EC3062 ECONOMETRICS HYPOTHESIS TESTS FOR THE CLASSICAL LINEAR MODEL The Normal Distribution and the Sampling Distributions To denote that x is a normally distributed random variable with a mean of E ( x ) = and a dispersion matrix of D ( x ) =

552 views • 22 slides
Today Finish Linear Regression: Best linear function prediction of Y given X . MMSE: Best Function

Today Finish Linear Regression: Best linear function prediction of Y given X . MMSE: Best Function

Today Finish Linear Regression: Best linear function prediction of Y given X . MMSE: Best Function that predicts Y from S . Conditional Expectation. Applications to random processes. LLSE Theorem Consider two RVs X , Y with a given distribution

748 views • 36 slides
Distribution of Eigenvalues of Linear Stochastic Systems S A DHIKARI and R. S. L ANGLEY

Distribution of Eigenvalues of Linear Stochastic Systems S A DHIKARI and R. S. L ANGLEY

Distribution of Eigenvalues of Linear Stochastic Systems S A DHIKARI and R. S. L ANGLEY Department of Aerospace Engineering, University of Bristol, Bristol, U.K. Email: S.Adhikari@bristol.ac.uk URL:

410 views • 28 slides
1. Normal distribution 2. Geometric distribution 3. Binomial distribution 4.

1. Normal distribution 2. Geometric distribution 3. Binomial distribution 4.

Chapter 3. Distribution of Random Variables Jan 26, 2016 by Huamei Dong 1. Normal distribution 2. Geometric distribution 3. Binomial distribution 4. Negative binomial distribution 5. Poisson distribution 1.Normal distribution

520 views • 11 slides
Joint Distribution of Eigenvalues of Linear Stochastic Systems S Adhikari Department of

Joint Distribution of Eigenvalues of Linear Stochastic Systems S Adhikari Department of

Joint Distribution of Eigenvalues of Linear Stochastic Systems S Adhikari Department of Aerospace Engineering, University of Bristol, Bristol, U.K. URL: http://www.aer.bris.ac.uk/contact/academic/adhikari/home.html 19 April 2005 Joint

386 views • 37 slides
PROC NLMIXED SUMMARY Strengths: - Easy to specify non-linear model - Conditional distribution of Y

PROC NLMIXED SUMMARY Strengths: - Easy to specify non-linear model - Conditional distribution of Y

PROC NLMIXED SUMMARY Strengths: - Easy to specify non-linear model - Conditional distribution of Y can be almost anything. Normal, Poisson, Binomial, Gamma, Negative Binomial are built in or you can program your own log- likelihood function - Can

281 views • 12 slides
Ge Getting tting Re Real al Ab About out Bia Biases ses an and Issues d Issues Re

Ge Getting tting Re Real al Ab About out Bia Biases ses an and Issues d Issues Re

Ge Getting tting Re Real al Ab About out Bia Biases ses an and Issues d Issues Re Related lated to to Bi Bias as Kenne neth h Roach, ch, Ed.D .D., ., LCMHC HC Wendy dy Thomas, mas, MS, , ACMHC MHC The Universi versity

269 views • 26 slides
Direct Verifjcation of Linear Systems with over 10000 Dimensions Stanley Bak and Parasara Sridhar

Direct Verifjcation of Linear Systems with over 10000 Dimensions Stanley Bak and Parasara Sridhar

Direct Verifjcation of Linear Systems with over 10000 Dimensions Stanley Bak and Parasara Sridhar Duggirala DISTRIBUTION A: Approved for public release; distribution unlimited (#88ABW-2017-0429, 02 FEB 2017). Overview Description of Safety

256 views • 22 slides

More recommend