# Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

Save this PDF as:

Size: px
Start display at page:

Download "Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms"

## Transcription

1 Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms Vladimir Bayev Abstract. Low degree annihilators for Boolean functions are of great interest in cryptology because of algebraic attacks on LFSR-based stream ciphers. Several polynomial algorithms for construction of low degree annihilators are introduced in this paper. The existence of such algorithms is studied for the following forms of the function representation: algebraic normal form (ANF), disjunctive normal form (DNF), conjunctive normal form (CNF), and arbitrary formula with the Boolean operations of negation, conjunction, and disjunction. For ANF and DNF of a Boolean function f there exist polynomial algorithms that nd the vector space A d (f) of all annihilators of degree d. For CNF this problem is NP-hard. Nevertheless author introduces one polynomial algorithm that constructs some subspace of A d (f) having formula that represents f. Keywords. Boolean function, low degree annihilator, polynomial algorithm, recursive algorithm. Algebraic immunity is an important cryptographic characteristic of a Boolean function. Low algebraic immunity of a function means that this function has an annihilating multiplier of low algebraic degree. The problem of annihilator seeking was initially discussed in [3] and [5]. Let F 2 be the eld of two elements, V n = F n 2 be the vector space of n-tuples over F 2, F n be the set of all functions F n 2 F 2. By deg f denote algebraic degree of a Boolean function f F n. A Boolean function g F n is called an annihilator of f F n if f g = 0. We shall use the following notation: A d (f) := {g F n f g = 0, deg g d}. In [5] two algorithms for computation of A d (f) are introduced. First of them is deterministic and has complexity that bounded from above by some polynomial in 2 n. The other algorithm is probabilistic. Its time of computation has the mathematical expectation that bounded from above by some polynomial in n. But this algorithm has nonzero probability of wrong result. Besides, the algorithm assumes quick random access to input data. In this paper we introduce several deterministic algorithms such that their complexity bounded from above by some polynomial in n and in length of a function representation. Moscow State University, the Faculty of Computational Mathematics and Cybernetics, 1

2 We parameterize functions from F n by words of nite length in alphabet {0, 1}. This means that for some set of words Y n {0, 1} we consider a map ϕ n : Y n F n. In these terms, a Boolean function is determined by some pair (n, y), where n N, y Y n. We shall use only "reasonable" maps ϕ n. There should exist a polynomial algorithm with input (n, y, x) (here n N, y Y n, x V n ) such that this algorithm computes the value ϕ n (y)(x). Theorem 1. ([2]) Let y be a list of all monomials in polynomial representation of a Boolean function f y F n, i. e., f y is equal to the sum of all monomials from the list y. Then there exists an algorithm with the following features. This algorithm has input (n, d, y), it computes a basis of the vector space A d (f y ), and its time complexity is O(M y (S d n) 3 ), where M y is the number of monomials in the list y and S d n = d k=0 Ck n. Proposition 1. For arbitrary f 1, f 2 F n the following relations of vector subspaces of F n hold: A d (f 1 ) + A d (f 2 ) A d (f 1 f 2 ), The proof is straightforward. where A d (f 1 + 1) + A d (f 2 + 1) A d (f 1 f 2 + 1), A d (f 1 ) A d (f 2 ) = A d (f 1 f 2 ), A d (f 1 + 1) A d (f 2 + 1) = A d (f 1 f 2 + 1). For x, α V n, x = (x 1,..., x n ), α = (α 1,..., α n ) we denote x α := n i=1 { x α i xi, i := 1, Also, by B n,d denote the set {f F n deg f d}. x α i i, α i = 1 α i = 0. Theorem 2. There exists an algorithm with the following features. The input of this algorithm is DNF (disjunctive normal form) that corresponds to a function f F n. The output of this algorithm is a basis of the vector space A d (f). Finally, the time complexity of this algorithm is bounded from above by some polynomial in n and in length of DNF. Proof. For any α V n we can compute a basis B of the vector space A d (x α ) using the algorithm from theorem 1. It takes O ( (S d n) 3) bit operations. Each basis vector b B is represented in the form of b's coordinates in monomial basis of B n,d. Let σ V n be an arbitrary vector. Consider the map ϕ σ : B n,d B n,d that is given by the formula ϕ σ (g)(x) = g(x + σ). It is clear that for any g A d (x α ) its image ϕ σ (g) belongs to A d ((x + σ) α ). Moreover, ϕ σ gives isomorphism A d (x α ) = A d ((x + σ) α ). The linear map ϕ σ has the matrix Φ σ of size S d n S d n. It is easy to construct a polynomial algorithm that computes this matrix. Thus {Φ σ b b B} is the basis of A d ((x + σ) α ). So, we can obtain polynomial algorithm that computes the basis of A d ((x + σ) α ). 2

3 Let f F n be represented in the form of DNF: f(x) = T (x + σ k ) αk, k=1 where σ k, α k V n (k = 1,..., T ). Then by proposition 1, A d (f) = T A d ((x + σ k ) αk). k=1 Therefore, having bases of A d ((x + σ k ) αk ), we can compute a basis of Ad (f) via methods of linear algebra. The time complexity of such algorithm is bounded from above by polynomial in n and in T. Theorem 3. Let f F n be represented in the form of CNF (conjunctive normal form). Consider the problem of computing of a basis of A d (f), having CNF of f. We claim that for every d 0 this problem is NP-hard. Proof. It is clear that f = 0 A d (f) = B n,d dim A d (f) = S d n. Thus the problem of computing of a basis of A d (f), having CNF of f, is polynomial-time reducible to CNF-satisability problem, which is NP-complete. Now, let a Boolean function f F n be given by a formula F such that this formula consists of symbols of variables, brackets, and the Boolean operations, &,. We want to search for low degree annihilators recursively. Sometimes we shall replace the operation by "+1". Let F be some subformula of F, f be the Boolean function that corresponds to F. In this notation, for every subformula F we shall obtain a pair of vector spaces G d (f ) A d (f + 1), H d (f ) A d (f ), (1) These vector spaces are given by their basis functions. As above, each basis function is represented in the form of its coordinates in monomial basis of B n,d. In the leaves of recursion tree we have the functions of the form f i (x 1,..., x n ) = x i. In this case, there exists an algorithm such that its time complexity is polynomial in n and this algorithm computes bases of the following vector spaces: A d (x i + 1) = {g x i g F n, g does not depend on x i, deg g d 1}, A d (x i ) = {g (x i + 1) g F n, g does not depend on x i, deg g d 1}. Therefore, we can assign G d (f i ) := A d (f i + 1), H d (f i ) := A d (f i ). Let a subformula be of the form f = f = f 1. Suppose recursive condition (1) holds for the function f 1. Then, if we make the following assignments H d (f ) := G d (f 1 ), 3

4 G d (f ) := H d (f 1 ), recursive condition (1) holds for the function f. Let a subformula be of the form f = f 1 f 2. Suppose (1) holds for the functions f 1 and f 2. By denition, put G d (f ) := G d (f 1 ) G d (f 2 ), H d (f ) := H d (f 1 ) + H d (f 2 ). Using proposition 1 and recursive condition (1) for f 1 and f 2, we obtain G d (f ) A d (f 1 + 1) A d (f 2 + 1) = A d (f 1 f 2 + 1) = A d (f + 1), H d (f ) A d (f 1 ) + A d (f 2 ) A d (f 1 f 2 ) = A d (f ). Finally, let a subformula be of the form f = f 1 f 2. Suppose (1) holds for the functions f 1 and f 2. By denition, put G d (f ) := G d (f 1 ) + G d (f 2 ), H d (f ) := H d (f 1 ) H d (f 2 ). Again, using proposition 1 and recursive condition (1) for f 1 and f 2, we obtain G d (f ) A d (f 1 + 1) + A d (f 2 + 1) A d (f 1 f 2 + 1) = A d (f + 1), H d (f ) A d (f 1 ) A d (f 2 ) = A d (f 1 f 2 ) = A d (f ). We can use this recursive algorithm to compute bases of the vector subspaces G d (f) A d (f + 1), H d (f) A d (f). It is easy to check that the time complexity of this algorithm is polynomial in n and in length of the formula F. But this algorithm has a drawback. The vector subspaces G d (f), H d (f) might be equal to {0}, while A d (f + 1) and A d (f) are nontrivial. In some cases the inclusion A d (f 1 ) + A d (f 2 ) A d (f 1 f 2 ) is the equality. The remaining part of this paper contains two theorems about this property. Theorem 4. Let f 1, f 2 F n be nonzero ane functions such that f 1 f 2 and f 1 f Then the vector space A 1 (f 1 f 2 ) is the following direct sum A 1 (f 1 f 2 ) = A 1 (f 1 ) A 1 (f 2 ). Proof. If l F n is an arbitrary nonzero ane function then A 1 (l) = {0, l + 1}. Hence the sum of subspaces A 1 (f 1 ), A 1 (f 2 ) is direct. We have to prove that dim A 1 (f 1 f 2 ) = 2. It is easy to prove that for the functions f 1, f 2 there exists an invertible ane map τ : V n V n such that l 1 (x 1,..., x n ) := f 1 τ(x 1,..., x n ) = x 1, l 2 (x 1,..., x n ) := f 2 τ(x 1,..., x n ) = x 1 + x 2. Since τ is invertible, we have the following isomorphisms: A 1 (f 1 ) = A 1 (f 1 τ) = A 1 (l 1 ), A 1 (f 2 ) = A 1 (f 2 τ) = A 1 (l 2 ), A 1 (f 1 f 2 ) = A 1 ((f 1 f 2 ) τ) = A 1 ((f 1 τ) (f 2 τ)) = A 1 (l 1 l 2 ). Represent g A 1 (l 1 l 2 ) in the following form g(x 1,..., x n ) = a 0 + n 4 i=1 a ix i.

5 It is obvious that a i = 0 for any i 3. Then g A 1 (l 1 l 2 ) g l 1 l 2 = 0 (a 0 + a 1 x 1 + a 2 x 2 ) x 1 (x 1 + x 2 ) = 0 a 0 x 1 + a 1 x 1 + a 2 x 1 x 2 + a 0 x 1 x 2 + a 1 x 1 x 2 + a 2 x 1 x 2 = 0 { a0 + a 1 = 0 a 2 + a 0 + a 1 + a 2 = 0 a 0 + a 1 = 0. Thus we have three coecients a 0, a 1, a 2 and one equation a 0 +a 1 = 0. Therefore dim A 1 (f 1 f 2 ) = dim A 1 (l 1 l 2 ) = 2. Theorem 5. Let f 1, f 2 F n be nonzero functions such that f 2 does not depend on the rst m variables and f 1 does not depend on the last n m variables. Then the vector space A 1 (f 1 f 2 ) is the following direct sum A 1 (f 1 f 2 ) = A 1 (f 1 ) A 1 (f 2 ). Proof. It is clear that A 1 (f 1 ) A 1 (f 2 ) = {0}. Let us show that any Boolean function l A 1 (f 1 f 2 ) can be represented in the form l = l 1 + l 2, where l 1 A 1 (f 1 ), l 2 A 1 (f 2 ). Consider z = (z 1,..., z n ) V n. By x denote (z 1,..., z m ), by y denote (z m+1,..., z n ). In this notation we have (x, y) = z. Let l A 1 (f 1 f 2 ) be given by Then l can be represented in the form l(z) = n a i z i + b. i=1 where Hence l(z) = l (x) + l (y), m n l (x) = a i z i, l (y) = a i z i + b. i=1 i=m+1 l A 1 (f 1 f 2 ) x y l(x, y) f 1 (x) f 2 (y) = 0 x y l (x) f 1 (x) f 2 (y) + l (y) f 1 (x) f 2 (y) = 0 (2) There are only two possibilities: (a) x l (x) f 1 (x) = 0 : The condition f 1 0 means that x 0 : f 1 (x 0 ) = 1. Substituting x 0 for x in (2), we get y 0 f 2 (y) + l (y) 1 f 2 (y) = 0 5

6 y l (y) f 2 (y) = 0. Thus we have l A 1 (f 1 ) and l A 1 (f 2 ). (b) x 0 : l (x 0 ) f 1 (x 0 ) = 1 : In this case f 1 (x 0 ) = 1. If we replace x by x 0 in (2), we obtain y 1 f 2 (y) + l (y) 1 f 2 (y) = 0 y (l (y) + 1) f 2 (y) = 0 y If we combine the last equation with (2), we get l (y) f 2 (y) = f 2 (y). x y l (x) f 1 (x) f 2 (y) + f 1 (x) f 2 (y) = 0 x y (l (x) + 1) f 1 (x) f 2 (y) = 0. The condition f 2 0 means that y 0 : f 2 (y 0 ) = 1. Therefore x (l (x) + 1) f 1 (x) = 0. Finally, we obtain l + 1 A 1 (f 1 ), l + 1 A 1 (f 2 ), and (l + 1) + (l + 1) = l. References [1] F. Armknecht: On the Existence of low-degree Equations for Algebraic Attacks, Cryptology eprint Archive: Report 2004/185, [2] V.V. Bayev: On Some Algorithms for Constructing Annihilators of Low Degree for Boolean Functions, to be published in J. "Discrete Mathematics" (in Russian). [3] N. Courtois, W. Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003, LNCS 2656, pp , Springer, [4] N. Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback, Crypto 2003, LNCS 2729, pp , Springer, [5] W. Meier, E. Pasalic, C. Carlet: Algebraic Attacks and Decomposition of Boolean Functions, Eurocrypt 2004, LNCS 3027, pp , Springer,

### Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity

arxiv:cs/0605139v1 [cs.cr] 30 May 2006 Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity Na Li, Wen-Feng Qi Department of Applied Mathematics, Zhengzhou

### Algebraic Attacks and Decomposition of Boolean Functions

Algebraic Attacks and Decomposition of Boolean Functions Willi Meier 1, Enes Pasalic 2, and Claude Carlet 2 1 FH Aargau, CH-5210 Windisch, Switzerland meierw@fh-aargau.ch 2 INRIA, projet CODES, Domaine

### 1-Resilient Boolean Function with Optimal Algebraic Immunity

1-Resilient Boolean Function with Optimal Algebraic Immunity Qingfang Jin Zhuojun Liu Baofeng Wu Key Laboratory of Mathematics Mechanization Institute of Systems Science, AMSS Beijing 100190, China qfjin@amss.ac.cn

### Construction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity

Pan SS, Fu XT, Zhang WG. Construction of 1-resilient Boolean functions with optimal algebraic immunity and good nonlinearity. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(2): 269 275 Mar. 2011. DOI 10.1007/s11390-011-1129-4

### Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks

Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks Frederik Armknecht 1, Claude Carlet 2, Philippe Gaborit 3, Simon Künzli 4, Willi Meier 4, and Olivier Ruatta 3 1 Universität

### Using Wiedemann s algorithm to compute the immunity against algebraic and fast algebraic attacks

Using Wiedemann s algorithm to compute the immunity against algebraic and fast algebraic attacks Frédéric Didier Projet CODES, INRIA Rocquencourt, Domaine de Voluceau, 78153 Le Chesnay cédex frederic.didier@inria.fr

### On The Nonlinearity of Maximum-length NFSR Feedbacks

On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main

### Algebraic Attacks on Stream Ciphers with Linear Feedback

Algebraic Attacks on Stream Ciphers with Linear Feedback Extended Version of the Eurocrypt 2003 paper, August 24, 2003 Nicolas T. Courtois 1 and Willi Meier 2 1 Cryptography Research, Schlumberger Smart

### Non-Separable Cryptographic Functions

International Symposium on Information Theory and Its Applications Honolulu, Hawaii, USA, November 5 8, 2000 Non-Separable Cryptographic Functions Yuliang Zheng and Xian-Mo Zhang School of Network Computing

### Linear Feedback Shift Registers

Linear Feedback Shift Registers Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as

### A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS

A GENERAL FRAMEWORK FOR GUESS-AND-DETERMINE AND TIME-MEMORY-DATA TRADE-OFF ATTACKS ON STREAM CIPHERS Guanhan Chew, Khoongming Khoo DSO National Laboratories, 20 Science Park Drive, Singapore 118230 cguanhan,kkhoongm@dso.org.sg

### Appendix A. Pseudo-random Sequence (Number) Generators

Communication Systems Security, Appendix A, Draft, L. Chen and G. Gong, 2008 1 Appendix A. Pseudo-random Sequence (Number) Generators In this appendix, we introduce how to design pseudo-random sequence

### Boolean Algebra. Philipp Koehn. 9 September 2016

Boolean Algebra Philipp Koehn 9 September 2016 Core Boolean Operators 1 AND OR NOT A B A and B 0 0 0 0 1 0 1 0 0 1 1 1 A B A or B 0 0 0 0 1 1 1 0 1 1 1 1 A not A 0 1 1 0 AND OR NOT 2 Boolean algebra Boolean

### Attacks Against Filter Generators Exploiting Monomial Mappings

Attacks Against Filter Generators Exploiting Monomial Mappings Anne Canteaut, Yann Rotella To cite this version: Anne Canteaut, Yann Rotella. Attacks Against Filter Generators Exploiting Monomial Mappings.

### Matrix Power S-Box Construction

Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt

### Lecture Notes on Cryptographic Boolean Functions

Lecture Notes on Cryptographic Boolean Functions Anne Canteaut Inria, Paris, France Anne.Canteaut@inria.fr https://www.rocq.inria.fr/secret/anne.canteaut/ version: March 10, 016 Contents 1 Boolean functions

### A Collection of Problems in Propositional Logic

A Collection of Problems in Propositional Logic Hans Kleine Büning SS 2016 Problem 1: SAT (respectively SAT) Instance: A propositional formula α (for SAT in CNF). Question: Is α satisfiable? The problems

### Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks

Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks Frederik Armknecht 1, Claude Carlet 2, Philippe Gaborit 3,SimonKünzli 4, Willi Meier 4, and Olivier Ruatta 3 1 Universität

### Cryptanalysis of Achterbahn

Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,

### A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs

A Scalable Method for Constructing Galois NLFSRs with Period 2 n 1 using Cross-Join Pairs Elena Dubrova Royal Institute of Technology (KTH), Forum 12, 164 4 Kista, Sweden {dubrova}@kth.se Abstract. This

### CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n

CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n S. M. DEHNAVI, A. MAHMOODI RISHAKANI, M. R. MIRZAEE SHAMSABAD, HAMIDREZA MAIMANI, EINOLLAH PASHA Abstract. The operation of modular addition modulo a power

### Achterbahn-128/80: Design and Analysis

Achterbahn-128/80: Design and Analysis Berndt Gammel Rainer Göttfert Oliver Kniffler Infineon Technologies AG Germany berndt.gammel@infineon.com rainer.goettfert@infineon.com oliver.kniffler@infineon.com

### Reduced Ordered Binary Decision Diagrams

Reduced Ordered Binary Decision Diagrams Lecture #12 of Advanced Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling & Verification E-mail: katoen@cs.rwth-aachen.de December 13, 2016 c JPK

### Algebraic attack on stream ciphers Master s Thesis

Comenius University Faculty of Mathematics, Physics and Informatics Department of Computer Science Algebraic attack on stream ciphers Master s Thesis Martin Vörös Bratislava, 2007 Comenius University Faculty

### Modified Alternating Step Generators

Modified Alternating Step Generators Robert Wicik, Tomasz Rachwalik Military Communication Institute Warszawska 22A, 05-130 Zegrze, Poland {r.wicik, t.rachwalik}@wil.waw.pl Abstract. Irregular clocking

### DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.

### Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565

### Statistical and Linear Independence of Binary Random Variables

Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract.

### Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October

### CS206 Lecture 03. Propositional Logic Proofs. Plan for Lecture 03. Axioms. Normal Forms

CS206 Lecture 03 Propositional Logic Proofs G. Sivakumar Computer Science Department IIT Bombay siva@iitb.ac.in http://www.cse.iitb.ac.in/ siva Page 1 of 12 Fri, Jan 03, 2003 Plan for Lecture 03 Axioms

### On values of vectorial Boolean functions and related problems in APN functions

On values of vectorial Boolean functions and related problems in APN functions George Shushuev Sobolev Institute of Mathematics, Novosibirsk, Russia Novosibirsk State University, Novosibirsk, Russia E-mail:

Introduction to Advanced Results Master Informatique Université Paris 5 René Descartes 2016 Master Info. Complexity Advanced Results 1/26 Outline Boolean Hierarchy Probabilistic Complexity Parameterized

### CSE20: Discrete Mathematics for Computer Science. Lecture Unit 2: Boolan Functions, Logic Circuits, and Implication

CSE20: Discrete Mathematics for Computer Science Lecture Unit 2: Boolan Functions, Logic Circuits, and Implication Disjunctive normal form Example: Let f (x, y, z) =xy z. Write this function in DNF. Minterm

### The Jordan Canonical Form

The Jordan Canonical Form The Jordan canonical form describes the structure of an arbitrary linear transformation on a finite-dimensional vector space over an algebraically closed field. Here we develop

### output H = 2*H+P H=2*(H-P)

Ecient Algorithms for Multiplication on Elliptic Curves by Volker Muller TI-9/97 22. April 997 Institut fur theoretische Informatik Ecient Algorithms for Multiplication on Elliptic Curves Volker Muller

### Improved Linear Distinguishers for SNOW 2.0

Improved Linear Distinguishers for SNOW 2.0 Kaisa Nyberg 1,2 and Johan Wallén 1 1 Helsinki University of Technology and 2 Nokia Research Center, Finland Email: kaisa.nyberg@nokia.com; johan.wallen@tkk.fi

### Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École

### A New Distinguisher on Grain v1 for 106 rounds

A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.

### ICML '97 and AAAI '97 Tutorials

A Short Course in Computational Learning Theory: ICML '97 and AAAI '97 Tutorials Michael Kearns AT&T Laboratories Outline Sample Complexity/Learning Curves: nite classes, Occam's VC dimension Razor, Best

### Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis Bo Zhu 1, Guang Gong 1, Xuejia Lai 2 and Kefei Chen 2 1 Department of Electrical and Computer Engineering, University

### 17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

Contents 17 Galois Fields 2 17.1 Introduction............................... 2 17.2 Irreducible Polynomials, Construction of GF(q m )... 3 17.3 Primitive Elements... 6 17.4 Roots of Polynomials..........................

### Boolean circuits. Lecture Definitions

Lecture 20 Boolean circuits In this lecture we will discuss the Boolean circuit model of computation and its connection to the Turing machine model. Although the Boolean circuit model is fundamentally

### Vector Space Basics. 1 Abstract Vector Spaces. 1. (commutativity of vector addition) u + v = v + u. 2. (associativity of vector addition)

Vector Space Basics (Remark: these notes are highly formal and may be a useful reference to some students however I am also posting Ray Heitmann's notes to Canvas for students interested in a direct computational

### Vectorial Boolean Functions for Cryptography

Vectorial Boolean Functions for Cryptography Claude Carlet June 1, 008 To appear as a chapter of the volume Boolean Methods and Models, published by Cambridge University Press, Eds Yves Crama and Peter

### Review of Linear Algebra

Review of Linear Algebra Throughout these notes, F denotes a field (often called the scalars in this context). 1 Definition of a vector space Definition 1.1. A F -vector space or simply a vector space

### The only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld.

A one way function based on ideal arithmetic in number elds Johannes Buchmann Sachar Paulus Abstract We present a new one way function based on the diculty of nding shortest vectors in lattices. This new

### Complexity of DNF and Isomorphism of Monotone Formulas

Complexity of DNF and Isomorphism of Monotone Formulas Judy Goldsmith 1, Matthias Hagen 2, Martin Mundhenk 2 1 University of Kentucky, Dept. of Computer Science, Lexington, KY 40506 0046, goldsmit@cs.uky.edu

### Cryptanalysis of the Knapsack Generator

Cryptanalysis of the Knapsack Generator Simon Knellwolf and Willi Meier FHNW, Switzerland Abstract. The knapsack generator was introduced in 1985 by Rueppel and Massey as a novel LFSR-based stream cipher

### Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium Jean-Philippe Aumasson 1, Itai Dinur 2, Willi Meier 1, and Adi Shamir 2 1 FHNW, Windisch, Switzerland 2 Computer Science Department,

### Searching for Nonlinear Feedback Shift Registers with Parallel Computing

Searching for Nonlinear Feedback Shift Registers with Parallel Computing Przemysław Dąbrowski, Grzegorz Łabuzek, Tomasz Rachwalik, Janusz Szmidt Military Communication Institute ul. Warszawska 22A, 05-130

### An Improved Affine Equivalence Algorithm for Random Permutations

An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,

### On the Readability of Monotone Boolean Formulae

On the Readability of Monotone Boolean Formulae Khaled Elbassioni 1, Kazuhisa Makino 2, Imran Rauf 1 1 Max-Planck-Institut für Informatik, Saarbrücken, Germany {elbassio,irauf}@mpi-inf.mpg.de 2 Department

### On Boolean Functions with Generalized Cryptographic Properties

On Boolean Functions with Generalized Cryptographic Properties An Braeken 1, Ventzislav Nikov 2, Svetla Nikova 1, and Bart Preneel 1 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit

### Nonlinear feedback shift registers and generating of binary de Bruijn sequences

Nonlinear feedback shift registers and generating of binary de Bruijn sequences Christian Ebne Vivelid November 21, 2016 Master's thesis Department of Informatics University of Bergen 1 Introduction Cryptology

### Propositional Calculus: Formula Simplification, Essential Laws, Normal Forms

P Formula Simplification, Essential Laws, Normal Forms Lila Kari University of Waterloo P Formula Simplification, Essential Laws, Normal CS245, Forms Logic and Computation 1 / 26 Propositional calculus

### Fraction-free Row Reduction of Matrices of Skew Polynomials

Fraction-free Row Reduction of Matrices of Skew Polynomials Bernhard Beckermann Laboratoire d Analyse Numérique et d Optimisation Université des Sciences et Technologies de Lille France bbecker@ano.univ-lille1.fr

### Improving Fast Algebraic Attacks

Improving Fast Algebraic Attacks Frederik Armknecht Theoretische Informatik Universität Mannheim, 68131 Mannheim, Germany armknecht@th.informatik.uni-mannheim.de Abstract. An algebraic attack is a method

### More Propositional Logic Algebra: Expressive Completeness and Completeness of Equivalences. Computability and Logic

More Propositional Logic Algebra: Expressive Completeness and Completeness of Equivalences Computability and Logic Equivalences Involving Conditionals Some Important Equivalences Involving Conditionals

### Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery Meicheng Liu, Jingchun Yang, Wenhao Wang, and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering,

### Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,

### On the centre of the generic algebra of M 1,1

On the centre of the generic algebra of M 1,1 Thiago Castilho de Mello University of Campinas PhD grant from CNPq, Brazil F is a field of characteristic zero; F X = F x 1, x 2,... is the free associative

### Algebraic nonlinearity and its applications to cryptography

Algebraic nonlinearity and its applications to cryptography Luke O Connor Department of Computer Science University of Waterloo, Ontario, Canada, NL 3G1 Andrew Klapper Department of Computer Science University

### Design of Pseudo-Random Spreading Sequences for CDMA Systems

Design of Pseudo-Random Spreading Sequences for CDMA Systems Jian Ren and Tongtong Li Department of Electrical and Computer Engineering Michigan State University, 2120 Engineering Building East Lansing,

### Reducing the Space Complexity of BDD-based Attacks on Keystream Generators

Reducing the Space Complexity of BDD-based Attacks on Keystream Generators Matthias Krause and Dirk Stegemann Theoretical Computer Science University of Mannheim, Germany {krause,stegemann}@th.informatik.uni-mannheim.de

### Embedding and Probabilistic. Correlation Attacks on. Clock-Controlled Shift Registers. Jovan Dj. Golic 1

Embedding and Probabilistic Correlation Attacks on Clock-Controlled Shift Registers Jovan Dj. Golic 1 Information Security Research Centre, Queensland University of Technology, GPO Box 2434, Brisbane,

### Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,

### Improved Linear Cryptanalysis of SOSEMANUK

Improved Linear Cryptanalysis of SOSEMANUK Joo Yeon Cho and Miia Hermelin Helsinki University of Technology, Department of Information and Computer Science, P.O. Box 5400, FI-02015 TKK, Finland {joo.cho,miia.hermelin}@tkk.fi

### CSE 555 HW 5 SAMPLE SOLUTION. Question 1.

CSE 555 HW 5 SAMPLE SOLUTION Question 1. Show that if L is PSPACE-complete, then L is NP-hard. Show that the converse is not true. If L is PSPACE-complete, then for all A PSPACE, A P L. We know SAT PSPACE

### Searching for the Optimum Correlation Attack. Ross Anderson. Computer Laboratory, Pembroke Street, Cambridge CB2 3QG rj ac.

Searching for the Optimum Correlation Attack Ross Anderson Computer Laboratory, Pembroke Street, Cambridge CB2 3QG Email: rj al'4@cl.cam. ac.uk Abstract. We present some new ideas on attacking stream ciphers

### Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks

Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park ETRI Network & Communication Security Division, 909 Jeonmin-dong, Yuseong-gu, Daejeon, Korea Abstract.

### 2 PAVEL PUDLAK AND JIRI SGALL may lead to a monotone model of computation, which makes it possible to use available lower bounds for monotone models o

Algebraic models of computation and interpolation for algebraic proof systems Pavel Pudlak and Jir Sgall 1. Introduction We consider some algebraic models used in circuit complexity theory and in the study

### Some generalizations of Abhyankar lemma. K.N.Ponomaryov. Abstract. ramied extensions of discretely valued elds for an arbitrary (not

Some generalizations of Abhyankar lemma. K.N.Ponomaryov Abstract We prove some generalizations of Abhyankar lemma about tamely ramied extensions of discretely valued elds for an arbitrary (not nite, not

### Upper and Lower Bounds for Tree-like. Cutting Planes Proofs. Abstract. In this paper we study the complexity of Cutting Planes (CP) refutations, and

Upper and Lower Bounds for Tree-like Cutting Planes Proofs Russell Impagliazzo Toniann Pitassi y Alasdair Urquhart z UCSD UCSD and U. of Pittsburgh University of Toronto Abstract In this paper we study

### Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,

### On some properties of elementary derivations in dimension six

Journal of Pure and Applied Algebra 56 (200) 69 79 www.elsevier.com/locate/jpaa On some properties of elementary derivations in dimension six Joseph Khoury Department of Mathematics, University of Ottawa,

### 2 Z. Lonc and M. Truszczynski investigations, we use the framework of the xed-parameter complexity introduced by Downey and Fellows [Downey and Fellow

Fixed-parameter complexity of semantics for logic programs ZBIGNIEW LONC Technical University of Warsaw and MIROS LAW TRUSZCZYNSKI University of Kentucky A decision problem is called parameterized if its

### Improved Exact Algorithms for Max-Sat

Improved Exact Algorithms for Max-Sat Jianer Chen Iyad A. Kanj Abstract In this paper we present improved exact and parameterized algorithms for the maximum satisfiability problem. In particular, we give

### The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials

The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials Ming Li and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering,

### ACORN: A Lightweight Authenticated Cipher (v3)

ACORN: A Lightweight Authenticated Cipher (v3) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2016.09.15 Contents 1 Specification

### 290 J.M. Carnicer, J.M. Pe~na basis (u 1 ; : : : ; u n ) consisting of minimally supported elements, yet also has a basis (v 1 ; : : : ; v n ) which f

Numer. Math. 67: 289{301 (1994) Numerische Mathematik c Springer-Verlag 1994 Electronic Edition Least supported bases and local linear independence J.M. Carnicer, J.M. Pe~na? Departamento de Matematica

### On public-key cryptosystems based on combinatorial group theory

On public-key cryptosystems based on combinatorial group theory Jean-Camille Birget Department of Computer Science, Rutgers University - Camden, Camden, NJ 08102, U.S.A. birget@camden.rutgers.edu Spyros

### Private-key Systems. Block ciphers. Stream ciphers

Chapter 2 Stream Ciphers Further Reading: [Sim92, Chapter 2] 21 Introduction Remember classication: Private-key Systems Block ciphers Stream ciphers Figure 21: Private-key cipher classication Block Cipher:

### On the Security of NOEKEON against Side Channel Cube Attacks

On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security

### NP-Hard to Linearly Approximate. University of California, San Diego. Computer Science Department. August 3, Abstract

Minimum Propositional Proof Length is NP-Hard to Linearly Approximate Michael Alekhnovich Faculty of Mechanics & Mathematics Moscow State University, Russia michael@mail.dnttm.ru Shlomo Moran y Department

### Proving Resistance against Invariant Attacks: How to Choose the Round Constants

Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle 1, Anne Canteaut 2, Gregor Leander 1, and Yann Rotella 2 1 Horst Görtz Institute for IT Security, Ruhr-Universität

Mathematical Logic for Computer Science Second revised edition, Springer-Verlag London, 2001 Answers to Exercises Mordechai Ben-Ari Department of Science Teaching Weizmann Institute of Science Rehovot

### MATH PRACTICE EXAM 1 SOLUTIONS

MATH 2359 PRACTICE EXAM SOLUTIONS SPRING 205 Throughout this exam, V and W will denote vector spaces over R Part I: True/False () For each of the following statements, determine whether the statement is

### A Polynomial Description of the Rijndael Advanced Encryption Standard

A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,

### On the Complexity of the Hybrid Approach on HFEv-

On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature

### 1 Linear transformations; the basics

Linear Algebra Fall 2013 Linear Transformations 1 Linear transformations; the basics Definition 1 Let V, W be vector spaces over the same field F. A linear transformation (also known as linear map, or

### arxiv:math/ v1 [math.co] 24 Oct 2000

arxiv:math/0010220v1 [math.co] 24 Oct 2000 Nonlinearity, Local and Global Avalanche Characteristics of Balanced Boolean Functions Abstract Pantelimon Stănică Auburn University Montgomery, Department of

### Linear Programming Formulation of Boolean Satisfiability Problem

Linear Programming Formulation of Boolean Satisfiability Problem Maknickas Algirdas Antano Abstract With using of multi-nary logic 2 SAT boolean satisfiability was formulated as linear programming optimization

### Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,

### Higher-order differential properties of Keccak and Luffa

Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay

### MATH Linear Algebra

MATH 304 - Linear Algebra In the previous note we learned an important algorithm to produce orthogonal sequences of vectors called the Gramm-Schmidt orthogonalization process. Gramm-Schmidt orthogonalization

### 2 JAKOBSEN, JENSEN, JNDRUP AND ZHANG but it seems that one always has been taking a somewhat dierent point of view, namely that of getting hold of a q

QUADRATIC ALGEBRAS OF TYPE AIII; II HANS PLESNER JAKOBSEN, ANDERS JENSEN, SREN JNDRUP, AND HECHUN ZHANG ;2 Department of Mathematics, Universitetsparken 5 DK{2 Copenhagen, Denmark E-mail: jakobsen, jondrup,

### (1.) For any subset P S we denote by L(P ) the abelian group of integral relations between elements of P, i.e. L(P ) := ker Z P! span Z P S S : For ea

Torsion of dierentials on toric varieties Klaus Altmann Institut fur reine Mathematik, Humboldt-Universitat zu Berlin Ziegelstr. 13a, D-10099 Berlin, Germany. E-mail: altmann@mathematik.hu-berlin.de Abstract

### Left almost semigroups dened by a free algebra. 1. Introduction

Quasigroups and Related Systems 16 (2008), 69 76 Left almost semigroups dened by a free algebra Qaiser Mushtaq and Muhammad Inam Abstract We have constructed LA-semigroups through a free algebra, and the