remarks on the data complexity of zero correlation linear
play

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C - PowerPoint PPT Presentation

Oct 02, 2022 •109 likes •464 views

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto University ESC, Luxembourg 2015 Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data

  1. Remarks on the Data Complexity of Zero-Correlation Linear Attacks C´ eline Blondeau Aalto University ESC, Luxembourg 2015

  2. Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data Complexity of Key-Invariant Bias Attacks Complexity of Statistical Attacks 2/22

  3. Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data Complexity of Key-Invariant Bias Attacks Complexity of Statistical Attacks 3/22

  4. Zero-Correlation (ZC) Linear Cryptanalysis [Bogdanov et al 12, 13,14], [Soleimany, Nyberg 13] The distinguisher takes advantage of linear approximation(s) with no bias. ◮ Single approximation ( u , v ) with cor ( u , v ) = 0 ◮ Multiple approximations: � cor 2 ( u , v ) = 0 , C = u ∈ U , v ∈ V , u � = 0 ◮ multiple ZC: U and V without structure. ◮ multidimensional ZC: U and V linear (affine) spaces. Complexity of Statistical Attacks 4/22

  5. Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data Complexity of Key-Invariant Bias Attacks Complexity of Statistical Attacks 5/22

  6. Notation ◮ [Selc ¸uk 08] ◮ X R ∼ N ( µ R , σ R ) and X W ∼ N ( µ W , σ W ) ◮ Φ : CDF of the central normal distribution ◮ a : advantage of the attack    µ R − µ a  , P S ≈ Φ � σ 2 a + σ 2 R where µ a = µ W + σ W · Φ − 1 ( 1 − 2 − a ) and σ a is often negligible. ◮ ϕ a = Φ − 1 ( 1 − 2 − a ) and ϕ P S = Φ − 1 ( P S ) ◮ n : number of bits of the permutation (block cipher) Complexity of Statistical Attacks 6/22

  7. Data Complexity of Multiple/Multidimensional ZC Attacks [SAC 13]: ◮ ℓ : Number of linear approximations ◮ Multiple ZC Attack (m) N m ≈ 2 n ( ϕ PS + ϕ a ) � ℓ/ 2 − ϕ a ◮ Multidimensional ZC Attack (M) N M ≈ ( 2 n − 1 )( ϕ PS + ϕ a ) � ( ℓ − 1 ) / 2 + ϕ PS ◮ In [Soleimany, Nyberg 13], experiments have been conducted for a distinguisher 2 n ◮ The general behaviour: N = O ( ) is correct. � ℓ/ 2 Complexity of Statistical Attacks 7/22

  8. Success Probability ◮ Are these formulas correct for a key-recovery attack? ◮ Why is there a difference ? (In particular, when the set of masks is close to a linear space) Success probability: � N m ℓ/ 2 − ϕ a · ( N m � P m � ≈ Φ 2 n + 1 ) ( m ) S 2 n 2 n − 1 � � N M � ( ℓ − 1 ) / 2 P M ≈ ( 2 n − 1 ) − N M − ϕ a Φ ( M ) ( 2 n − 1 ) − N M S Complexity of Statistical Attacks 8/22

  9. Setting for the Experiments K 1 X 1 2 ✲ ❡ ✲ ❡ s F s F PPPPPPPPPPPPPPP � � � � � � � � � � � � � � � X 2 u 0 0 0 ZC on 9 rounds 0 u 0 0 X 11 K 11 ◮ 16-bit cipher 1 ✲ ❡ ✲ ❡ F F s s PPPPPPPPPPPPPPP � � � � � � ◮ Type-II GFN with 4 branches � � � � � � � � � K 12 X 12 2 ✲ ❡ ✲ ❡ s F s F ◮ Zero-correlation approximations: PPPPPPPPPPPPPPP � � � � � � � � � � � � ( 0 , 0 , u , 0 ) �→ ( 0 , u , 0 , 0 ) over 9 rounds ( u � = 0 ) � � � X 13 ◮ Key-recovery: 1 round before, 2 rounds after ◮ Maximal advantage: 12 bits ◮ Similar structure as for instance CLEFIA Complexity of Statistical Attacks 9/22

  10. Multidimensional ZC Attacks a = 1 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 10/22

  11. Multidimensional ZC Attacks a = 2 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 10/22

  12. Multidimensional ZC Attacks a = 4 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 10/22

  13. Multidimensional ZC Attacks a = 6 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 10/22

  14. Observations N M ≈ ( 2 n − 1 )( ϕ PS + ϕ a ) � ( ℓ − 1 ) / 2 + ϕ PS For a multidimensional ZC linear attack, ◮ N M is accurate for small advantages ◮ N M gives an overestimate of the data complexity for larger advantages Complexity of Statistical Attacks 11/22

  15. Multiple ZC Attack 8 approximations and a = 1 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  16. Multiple ZC Attack 8 approximations and a = 2 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  17. Multiple ZC Attack 8 approximations and a = 4 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  18. Multiple ZC Attack 5 approximations and a = 1 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  19. Multiple ZC Attack 5 approximations and a = 2 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  20. Multiple ZC Attack 5 approximations and a = 4 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  21. Multiple ZC Attack 2 approximations and a = 1 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  22. Multiple ZC Attack 2 approximations and a = 2 1 Exp ( 1 ) 0.9 ( 1 ) 0.8 0.7 0.6 P S 0.5 0.4 0.3 0.2 0.1 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 12/22

  23. Data Complexity of Multiple ZC Attacks Based on these experiments, we confirmed that ◮ we do not need a particular formula to compute the data complexity/success probability of multiple zero-correlation attacks (comparatively to the complexity of multidimensional ZC attacks) Complexity of Statistical Attacks 13/22

  24. Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data Complexity of Key-Invariant Bias Attacks Complexity of Statistical Attacks 14/22

  25. Repetition of Plaintexts ◮ In the presented attacks, distinct known plaintexts are used. ◮ Indeed the formulas for N M and P M S in the multidimensional linear context have been derived under this assumption. ◮ What happens if there is some repetition (assuming for instance that the plaintexts are generated/obtained randomly)? Complexity of Statistical Attacks 15/22

  26. Repetition of Plaintexts in a Multidimensional ZC Attack a=2 1 Distinct Random ( 1 ) 0.8 ( 1 ) 0.6 P S 0.4 0.2 0 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 16/22

  27. Repetition of Plaintexts in a Multidimensional ZC Attack a=4 1 No repertion Repetition ( 1 ) 0.8 ( 1 ) 0.6 P S 0.4 0.2 0 12 12.5 13 13.5 14 14.5 15 15.5 16 log 2 ( N ) Complexity of Statistical Attacks 16/22

  28. Theoretical Conclusion We can show that ◮ N m ≈ 2 n ( ϕ PS + ϕ a ) , � ℓ/ 2 − ϕ a corresponds to the case where the plaintexts can be repeated. ◮ N M ≈ ( 2 n − 1 )( ϕ PS + ϕ a ) , � ( ℓ − 1 ) / 2 + ϕ PS corresponds to the case of distinct known plaintexts. Complexity of Statistical Attacks 17/22

  29. Theoretical Conclusion We can show that ◮ N m ≈ 2 n ( ϕ PS + ϕ a ) , � ℓ/ 2 − ϕ a corresponds to the case where the plaintexts can be repeated. ◮ N M ≈ ( 2 n − 1 )( ϕ PS + ϕ a ) , � ( ℓ − 1 ) / 2 + ϕ PS corresponds to the case of distinct known plaintexts. ◮ In the known plaintext model how can we select distinct messages? Complexity of Statistical Attacks 17/22

  30. Idea behind the proofs ◮ The proofs have already been presented in [Bogdanov et al 12, 13]. ◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement). ◮ The other model assume a normal distribution of the capacity for the wrong keys. Complexity of Statistical Attacks 18/22

  31. Idea behind the proofs ◮ The proofs have already been presented in [Bogdanov et al 12, 13]. ◮ For distinct known plaintexts, we use hypergeometric distributions (no replacement). ◮ The other model assume a normal distribution of the capacity for the wrong keys. ◮ In both proofs, there is no assumption on the linear masks. Complexity of Statistical Attacks 18/22

  32. In Practice If we consider distinct known plaintexts we can improve the complexities of some ZC attacks. For instance: ◮ on CAST-256 presented at INDOCRYPT 2014 ◮ from 2 123 . 74 KP (2 123 . 2 ?) to 2 123 . 67 DKP (29 rounds) ◮ on Camellia presented at SAC 2013 ◮ Camellia-128 : from 2 125 . 3 KP to 2 125 . 1 DKP (11 rounds) ◮ Camellia-192 : from 2 125 . 7 KP to 2 125 . 5 DKP (12 rounds) Complexity of Statistical Attacks 19/22

Recommend

Visualization of Linear Models Correlation and Regression Possums > ggplot(data = possum,

Visualization of Linear Models Correlation and Regression Possums > ggplot(data = possum,

CORRELATION AND REGRESSION Visualization of Linear Models Correlation and Regression Possums > ggplot(data = possum, aes(y = totalL, x = tailL)) + geom_point() Correlation and Regression Through the origin > ggplot(data = possum,

406 views • 23 slides
Bivariate Correlation r > 0 r < 0 r = 0 r = 0 r > 0 r = 0 remember: r measures

Bivariate Correlation r > 0 r < 0 r = 0 r = 0 r > 0 r = 0 remember: r measures

Today bivariate correlation bivariate regression multiple regression Bivariate Correlation Pearson product-moment correlation (r) assesses nature and strength of the linear relationship between two continuous variables ( X

1.03k views • 89 slides
Biostatistics Correlation and linear regression Burkhardt Seifert & Alois Tschopp

Biostatistics Correlation and linear regression Burkhardt Seifert & Alois Tschopp

Biostatistics Correlation and linear regression Burkhardt Seifert & Alois Tschopp Biostatistics Unit University of Zurich Master of Science in Medical Biology 1 Correlation and linear regression Analysis of the relation of two continuous

826 views • 59 slides
Week 2 Video 4 Metrics for Regressors Metrics for Regressors Linear Correlation MAE/RMSE

Week 2 Video 4 Metrics for Regressors Metrics for Regressors Linear Correlation MAE/RMSE

Week 2 Video 4 Metrics for Regressors Metrics for Regressors Linear Correlation MAE/RMSE Information Criteria Linear correlation (Pearsons correlation) r(A,B) = When As value changes, does B change in the same direction?

959 views • 40 slides
Coefficient of Correlation The regression equation Y = 0 + 1 x + shows the linear

Coefficient of Correlation The regression equation Y = 0 + 1 x + shows the linear

ST 430/514 Introduction to Regression Analysis/Statistics for Management and the Social Sciences II Coefficient of Correlation The regression equation Y = 0 + 1 x + shows the linear relationship between x and Y . The correlation

358 views • 20 slides
Business Statistics CONTENTS The correlation coefficient The rank correlation coefficient

Business Statistics CONTENTS The correlation coefficient The rank correlation coefficient

: ESTIMATES AND TESTS Business Statistics CONTENTS The correlation coefficient The rank correlation coefficient Testing the correlation coefficient Non-linear relationships Old exam question Further study THE CORRELATION COEFFICIENT

404 views • 22 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Linear Correlation Coefficient, r Thus is a measure that shows which the extend two variables

Linear Correlation Coefficient, r Thus is a measure that shows which the extend two variables

D AY 41 C ORRELATION C OEFFICIENT V OCABULARY Scatter Plot - A graph of plotted points that show the relationship between two sets of data. Positive correlation is a relationship between two variables where if one variable increases,

476 views • 11 slides
Correlation and non-linear relationships In both graphs we have set y=x 2 . A strong, non-linear

Correlation and non-linear relationships In both graphs we have set y=x 2 . A strong, non-linear

Introduction to Statistics Correlation and non-linear relationships In both graphs we have set y=x 2 . A strong, non-linear relationship! Introduction to Statistics Correlation and causation I Introduction to Statistics Correlation and causation

349 views • 20 slides
Parameterized Complexity of Integer Linear Programming (ILP) Sebastian Ordyniak Parameterized

Parameterized Complexity of Integer Linear Programming (ILP) Sebastian Ordyniak Parameterized

Parameterized Complexity of Integer Linear Programming (ILP) Sebastian Ordyniak Parameterized Graph Algorithms & Data Reduction (Shonan Meeting 144, 2019) 1 / 62 Integer Linear Programming (ILP) archetypical problem for NP -complete

1.25k views • 88 slides
Correlation Complexity of Classical Planning Domains Jendrik Seipp Florian Pommerening Gabriele

Correlation Complexity of Classical Planning Domains Jendrik Seipp Florian Pommerening Gabriele

Correlation Complexity of Classical Planning Domains Jendrik Seipp Florian Pommerening Gabriele R oger Malte Helmert University of Basel June 13, 2016 J. Seipp, F. Pommerening, G. R oger, M. Helmert (Basel) Correlation Complexity

576 views • 25 slides
Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign

Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign

CORRELATION AND REGRESSION Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign > direction Magnitude > strength Correlation and Regression Near perfect correlation Correlation and

929 views • 35 slides
201ab Quantitative methods L.09: Correlation, regression (2) Alt-text: Correlation doesn't imply

201ab Quantitative methods L.09: Correlation, regression (2) Alt-text: Correlation doesn't imply

201ab Quantitative methods L.09: Correlation, regression (2) Alt-text: Correlation doesn't imply causation, but it does waggle its eyebrows suggestively and gesture furtively while mouthing 'look over there'. Linear relationship. X and Y can

1.06k views • 48 slides
Descriptive complexity linear algebra of Bjarki Holm Logical Approaches to Barriers in

Descriptive complexity linear algebra of Bjarki Holm Logical Approaches to Barriers in

Descriptive complexity linear algebra of Bjarki Holm Logical Approaches to Barriers in Computing & Complexity II Isaac Newton Institute Overview Study definability of natural problems in linear algebra and expressiveness

1.87k views • 171 slides
Complexity and Character of Human Languages The Faculty of Language Informatics 2A: Lecture 28

Complexity and Character of Human Languages The Faculty of Language Informatics 2A: Lecture 28

Human Language Complexity Human Language Complexity Linear Indexed Grammars Linear Indexed Grammars Complexity vs. Difficulty Complexity vs. Difficulty 1 Human Language Complexity Chomsky Hierarchy Complexity and Character of Human Languages

92 views • 6 slides
Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia

Linear Cryptanalysis of Stream Ciphers T-79.514 Special Course on Cryptology Seminar talk Emilia K asper 1 Overview Basic concept of correlation attacks on stream ciphers A correlation attack on the GSM cipher A5/1 A correlation

256 views • 22 slides
Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer

Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer

Vis u ali z ation of Linear Models C OR R E L ATION AN D R E G R E SSION IN R Ben Ba u mer Assistant Professor at Smith College Poss u ms ggplot(data = possum, aes(y = totalL, x = tailL)) + geom_point() CORRELATION AND REGRESSION IN R Thro

440 views • 23 slides
Complexity, Big Data Science, and Complexity Introduction Happiness Emergence Universality

Complexity, Big Data Science, and Complexity Introduction Happiness Emergence Universality

Complexity, Big Data Science, and Happiness Complexity, Big Data Science, and Complexity Introduction Happiness Emergence Universality Symmetry Breaking Discrete Days, St. Michaels College, 2011 The Big Theory Revolution: Big Data

910 views • 74 slides
17.0 Linear Regression Answer Questions 1 Lines Correlation Regression 17.1 Lines

17.0 Linear Regression Answer Questions 1 Lines Correlation Regression 17.1 Lines

17.0 Linear Regression Answer Questions 1 Lines Correlation Regression 17.1 Lines The algebraic equation for a line is Y = 0 + 1 X The use of coordinate axes to show functional relationships was invented by Ren e

175 views • 17 slides
Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas

Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas

Linear-Complexity Data-Parallel Earth Movers Distance Approximations Kubilay Atasu, Thomas Mittelholzer Earth/Word Movers Distance: Discrete Wasserstein Distance The Queen to tour Canada Royal visit to Halifax Canada Halifax

96 views • 5 slides
9. Numerical linear algebra background matrix structure and algorithm complexity solving

9. Numerical linear algebra background matrix structure and algorithm complexity solving

Convex Optimization Boyd & Vandenberghe 9. Numerical linear algebra background matrix structure and algorithm complexity solving linear equations with factored matrices LU, Cholesky, LDL T factorization block elimination and

179 views • 16 slides
Week 1: Introduction, Simple Linear Regression Data visualization, conditional distributions,

Week 1: Introduction, Simple Linear Regression Data visualization, conditional distributions,

BUS 41100 Applied Regression Analysis Week 1: Introduction, Simple Linear Regression Data visualization, conditional distributions, correlation, and least squares regression Max H. Farrell The University of Chicago Booth School of Business

1.28k views • 59 slides
Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the

Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the

Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the goodness of fit The fit vs. complexity tradeoff Regression to the mean Multiple linear regression January 1, 2017 2 / 20 Modeling bivariate data

577 views • 20 slides
Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the

Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the

Linear Regression 18.05 Spring 2014 Agenda Fitting curves to bivariate data Measuring the goodness of fit The fit vs. complexity tradeoff Regression to the mean Multiple linear regression January 1, 2017 2 / 25 Modeling bivariate data

706 views • 25 slides

More recommend