Cryptanalysis of TWOPRIME
Don Coppersmith (IBM Research), Bruce Schneier (Counterpane Systems), David Wagner (U.C. Berkeley), John Kelsey (Counterpane Systems)

Abstract. Ding et al. [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover half the key with minimal effort. Next, we show that the various bytes are insufficiently mixed by these layers, enabling an attack similar to those on two-loop Vigenère ciphers to recover the remainder of the key. Combining these techniques lets us recover the entire TWOPRIME key. We require the generator to produce $2^{33}$ blocks ($2^{35}$ bytes), or 19 hours' worth of output, of which we examine about one million blocks ($2^{23}$ bytes); the computational workload can be estimated at $2^{28}$ operations. Another set of attacks trades off texts for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes), while needing $2^{32}$ time and $2^{32}$ space. We also show how to break two variants of TWOPRIME presented in the original paper.

1 Introduction

The TWOPRIME stream cipher [DNRS97], introduced at FSE '97, uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ored onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed (non-bijective) cryptographic function with 64-bit inputs and 64-bit outputs, which is used in a counter-like mode to generate keystream output. The algorithm has ten layers; the first layer is driven by a counter, and the output of each layer becomes the input to the next. We exploit weaknesses of two of the layers to produce several different attacks against the scheme. Our conclusion is that there are too few layers for cryptographic strength.
One of the main contributions of the TWOPRIME work is that the algorithm was designed so that one could prove certain statements about the security of the cipher: it has high linear complexity, good cycle length, good resistance to LFSR-synthesis attacks, and so on.[1] Nonetheless, despite the proofs of various security properties, in this paper we show how to break TWOPRIME very efficiently.

[1] Note that it is possible to prove that using any block cipher in counter mode has good linear complexity and good cycle length (at least, in the sense that [DNRS97] proved for TWOPRIME), so in retrospect these proofs are perhaps not terribly meaningful.
Our attacks fall into two natural categories. The first three attacks, discussed in Sections 4–7, recover half of the key (namely, $K_2$, $K_3$). The second category (see Sections 8–9) includes two techniques which identify the remainder of the key ($K_0$, $K_1$) once we have found $K_2$, $K_3$.

The rest of the paper is organized as follows. In Section 2 we review the TWOPRIME scheme. In Section 3 we give some preliminary remarks which will be useful in the cryptanalysis. Section 4 gives a very easy attack to recover half of the key, based on the linear map of layer 7 failing to be surjective. Section 5 shows another attack that reduces the plaintext requirements; the cost for this improvement is an increase in the amount of offline computation required. Section 6 gives a more complicated attack to recover $K_2$, $K_3$ by breaking the period of $p_0 p_1$ into two periods of $p_0$ and $p_1$ respectively. The probabilistic analysis backing up this attack is presented in Section 7. In Sections 8 and 9 we finish with two attacks which can be used to recover the remainder of the key in a more mundane manner. Section 10 discusses some of the computational requirements of each attack. Sections 11 and 12 discuss variants of the original scheme, and some attacks on these variants. Conclusions are reserved for Section 14.

2 Description of TWOPRIME

The TWOPRIME scheme [DNRS97] uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ored onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed function $F_K : \mathbb{Z}_{256}^{8} \to \mathbb{Z}_{256}^{8}$ and a custom mode for using $F$ to generate keystream output. The mode is somewhat similar to counter mode: the input to $F$ comes from two independent 32-bit counters. Each counter is initialized with a key-dependent value, and is stepped by adding a public constant and then reducing modulo a public 32-bit prime.

The key, consisting of 16 bytes $k_0, \ldots, k_{15}$, is divided into four 32-bit parts, named $K_0$, $K_1$, $K_2$ and $K_3$, with the convention
$$K_0 = k_8 + \cdots, \qquad K_1 = k_{12} + \cdots, \qquad K_2 = (k_0, k_1, k_2, k_3), \qquad K_3 = (k_4, k_5, k_6, k_7).$$
The algorithm has ten layers, which we will describe. The output of each layer becomes the input of the subsequent layer. With one exception, each output consists of eight bytes, and so is an element of $\mathbb{Z}_{256}^{8}$. The scheme is depicted graphically in Figure 1.

The first layer involves two 32-bit primes $p_0$ and $p_1$, and two fixed public integers $a_0$ and $a_1$. At time step $t$, the output of the first layer is the two 32-bit integers $r_0 = a_0 t + K_0 \pmod{p_0}$ and $r_1 = a_1 t + K_1 \pmod{p_1}$. Each is broken into four 8-bit bytes, yielding a total of eight bytes output.
[Fig. 1. Structure of the ciphering algorithm. The figure shows, top to bottom: partial keys $K_0$ and $K_1$ feeding the $(p_0, a_0)$ and $(p_1, a_1)$ counters; a row of eight $S_0$ boxes; addition of $K_2$, $K_3$; the linear permutation; addition of $K_0$, $K_1$; the linear compression function $b$; a second row of eight $S_0$ boxes; bytewise exor of $K_2$, $K_3$; and finally the plaintext block exored to give the ciphertext block.]

In the second layer, each byte $x$ is replaced by $S_0(x) = [(x^{255} \bmod 257) \bmod 256]$. It happens that $S_0$ is its own inverse: $S_0(S_0(x)) = x$.

The third layer involves addition (mod 256) of the key bytes constituting $K_2$ and $K_3$.

The fourth layer is a linear permutation: if $x_0, \ldots, x_7$ are the inputs to this layer, the outputs are
$$y_j = \Big(\sum_{i=0}^{7} x_i\Big) - x_j \pmod{256}.$$
This is intended to mix the bytes; however, as we shall see, it is too weak. The only interaction between the various bytes $x_i$ is through the single byte $\sum_{i=0}^{7} x_i \pmod{256}$, and when that byte is controlled, the mixing is ineffective.

The fifth layer involves addition (mod 256) of the key bytes constituting $K_0$ and $K_1$.

The sixth layer is a non-linear expansion: each byte $x$ is expanded to the concatenation of four bytes $S_1(x), S_2(x), S_3(x), S_4(x)$, where the $S_i$ are various nonlinear permutations on $\mathbb{Z}_{256}$. The output of this layer is 32 bytes.

The seventh layer applies a linear compression to reduce these 32 bytes back to 8 bytes; that is, a fixed public $8 \times 32$ matrix $\{b_{ij}\}$ maps $\mathbb{Z}_{256}^{32}$ to $\mathbb{Z}_{256}^{8}$. Upon input $(X_0, \ldots, X_{31})$, the linear transform $b$ produces the output $(Y_0, \ldots, Y_7) = b(X_0, \ldots, X_{31})$ according to the equations
$$\begin{aligned}
Y_0 &= X_0 + X_5 + X_{10} + X_{15} + X_{16} + X_{22} + X_{24} + X_{30},\\
Y_1 &= X_1 + X_6 + X_{11} + X_{12} + X_{17} + X_{23} + X_{25} + X_{31},\\
Y_2 &= X_2 + X_7 + X_8 + X_{13} + X_{18} + X_{20} + X_{26} + X_{28},\\
Y_3 &= X_3 + X_4 + X_9 + X_{14} + X_{19} + X_{21} + X_{27} + X_{29},\\
Y_4 &= X_{16} + X_{21} + X_{26} + X_{31} + X_0 + X_6 + X_8 + X_{14},\\
Y_5 &= X_{17} + X_{22} + X_{27} + X_{28} + X_5 + X_{11} + X_{13} + X_3,\\
Y_6 &= X_{18} + X_{23} + X_{24} + X_{29} + X_{10} + X_{12} + X_2 + X_4,\\
Y_7 &= X_{19} + X_{20} + X_{25} + X_{30} + X_{15} + X_1 + X_7 + X_9.
\end{aligned} \qquad (1)$$

The eighth layer applies the permutation $S_0$ to each byte. In the ninth layer, bytes from $K_2$ and $K_3$ are exclusive-ored into the bytes. The tenth round consists of exclusive-oring these bytes (the output of the ninth round) onto the plaintext to produce the ciphertext, or (in the case of decryption) onto the ciphertext to recover plaintext.

Let us denote by $x_i^{(j)}$ ($0 \le i \le 7$, $1 \le j \le 10$) the $i$th byte of the output of the $j$th round. (For $j = 6$ we will allow $0 \le i \le 31$.) If the time step $t$ is important we will write $x_i^{(j,t)}$. The notation $x^{(j)}$ will mean the whole 8-tuple of bytes $[x_i^{(j)}, 0 \le i \le 7]$.

3 Remarks on the scheme

During most of the rounds, the various bytes remain separate.
During the first round, four bytes are output from one 32-bit word, and four from another. The fourth round combines bytes with a linear map, but (as has been remarked) this does a weak job of mixing them. The seventh round combines pieces of the various bytes much more thoroughly, but only with a linear transformation. Also, the seventh round lies close to the surface, which lets us exploit the lack of diffusion in the rest of the cipher.
The designers explain that the internal structure of TWOPRIME (i.e. the function $F$) was chosen to resist inversion attacks (where one tries to use the output of $F$ to work backwards). Two of our attacks succeed exactly because we can work backwards from the output of $F$. In fact, we use the non-invertibility of $F$ to our advantage in Sections 4–5. Because $F$ is not bijective, not all intermediate values are possible. In particular, the combination of the sixth and seventh layers forms a non-surjective function, so not all 64-bit values are attainable as the output of the seventh layer.

Furthermore, layers 8–10 depend only on $K_2$, $K_3$, and not on $K_0$, $K_1$. Therefore, we can isolate the effect of $K_2$, $K_3$ and attack them standing alone. Later, we can peel off layers 8–10 and use separate techniques (see Sections 8–9) to recover the remainder of the key ($K_0$, $K_1$).

4 Linear algebra

The linear recombination step (layer seven) suffers from the following regularity. Denote by $\tau$ the 8-vector $[1, 1, 1, 1, -1, -1, -1, -1]$. The matrix $b_{ij}$ obeys $\tau \cdot b_j = 0 \pmod{256}$ for every column index $j$. This implies that
$$\tau \cdot x^{(7)} = \sum_{i=0}^{7} \tau_i\, x_i^{(7)} = 0 \pmod{256}. \qquad (2)$$
We can use this information, and a few known outputs of the stream generator, to recover the half of the key $(K_2, K_3)$. For each byte position $i$ we have $x_i^{(7)} = S_0(x_i^{(8)}) = S_0(x_i^{(9)} \oplus k_i)$, recalling that $S_0$ is its own inverse. For each $i$ this gives a fixed mapping from $x_i^{(9)}$ to $x_i^{(7)}$, independent of time and of the other bytes. Denote by $y_{ij}$ the unknown quantity $y_{ij} = S_0(j \oplus k_i)$, which would be the value of $x_i^{(7)}$ if $x_i^{(9)} = j$. For each block of output of the stream cipher (at time $t$) we obtain a linear equation relating these quantities:
$$0 = \sum_{i=0}^{7} \tau_i\, x_i^{(7,t)} = \sum_{i=0}^{7} \tau_i\, y_{i,\,x_i^{(9,t)}} \pmod{256}.$$
After we obtain about 2,048 blocks (16,384 bytes) of output, we will have 2,048 linear equations in the 2,048 unknowns $y_{ij}$, $0 \le i \le 7$, $0 \le j \le 255$. Because of homogeneity these equations will not be independent, and for fixed $i$ we will recover $y_{ij}$ only up to an unknown multiplicative factor and an unknown additive shift:
$$y_{ij} = \alpha_i z_{ij} + \beta_i \pmod{256} \qquad (3)$$
with $z_{ij}$ known but $\alpha_i$, $\beta_i$ unknown. But this is clearly enough information to recover the unknown key byte $k_i$, using a few hundred operations of trial-and-error. For each possible value for $k_i$, decrypt three or four values $j = x_i^{(9)}$ into $y_{ij} = S_0(j \oplus k_i)$ and check against (3). The correct $k_i$ will be compatible with (3), and only a few others; a few more trial decryptions should rule out the false alarms.

Having determined $(k_0, \ldots, k_7) = (K_2, K_3)$, we still have to find $K_0$ and $K_1$.[2] This seems to be more expensive (and less interesting). We see a way of finding them using about $2^{32}$ operations and just a few known outputs of the stream cipher. See Sections 8–9.

The present attack does require about 2048 blocks (16384 bytes) of stream output. Those known plaintext requirements are not onerous, but it is possible to reduce them even further with meet-in-the-middle techniques, which we discuss next.

5 A meet-in-the-middle attack

In this attack, we take advantage of the non-surjectivity of layer seven in a different way. It is essentially a meet-in-the-middle attack, taking advantage of unattainable values at the output of the seventh layer. Roughly speaking, we guess $(K_2, K_3)$ and work backwards from a block of known keystream to find the output of the seventh layer, using unattainable values to rule out incorrect guesses at $(K_2, K_3)$. This would take $2^{64}$ time to implement as stated; however, we have an optimization (again based on meet-in-the-middle techniques) to reduce the complexity to $2^{32}$.

As before, we rely on the crucial observation (2). If we take some keystream block $x^{(9)}$, then inverting layers 8–9 shows that $x_i^{(7)} = S_0(x_i^{(9)} \oplus k_i)$. Plugging into (2) gives us a relation that the correct value of the key $k_0, \ldots, k_7$ must satisfy. So the attack proceeds as follows. We define
$$g(K_2, y_0, \ldots, y_3) = \sum_{i=0}^{3} S_0(y_i \oplus k_i) \pmod{256}, \qquad h(K_3, y_4, \ldots, y_7) = \sum_{i=4}^{7} S_0(y_i \oplus k_i) \pmod{256}.$$
We obtain eight known keystream blocks $x^{(9,j)}$, $0 \le j \le 7$, and let
$$g'(K_2) = \big(g(K_2, x_0^{(9,0)}, \ldots, x_3^{(9,0)}),\ \ldots,\ g(K_2, x_0^{(9,7)}, \ldots, x_3^{(9,7)})\big),$$
$$h'(K_3) = \big(h(K_3, x_4^{(9,0)}, \ldots, x_7^{(9,0)}),\ \ldots,\ h(K_3, x_4^{(9,7)}, \ldots, x_7^{(9,7)})\big).$$

[2] In some situations, recovering just $(K_2, K_3)$ might conceivably suffice. After all, this gives us enough information to predict some keystream bytes: given any seven bytes from a keystream block, we can predict the eighth unknown byte with certainty by using (2). However, we can do much better. As we shall see, recovering $(K_0, K_1)$ in a second phase requires a bit more work, but it is still feasible.
Note that, for the correct value of $(K_2, K_3)$, we have $g'(K_2) = h'(K_3)$. After all this effort to frame things in the language of meet-in-the-middle attacks, it should be clear how to recover $(K_2, K_3)$ with standard techniques. (Here the "middle" for the meet-in-the-middle attack will be the 64-bit value $g'(K_2) = h'(K_3)$, i.e. a characteristic of the output of the seventh layer.) First, for each guess at $K_2$, we compute $g'(K_2)$, and store the pair $(g'(K_2), K_2)$ in a hash table indexed on the first coordinate of the pair. After enumerating all $2^{32}$ possibilities for $K_2$, we will have constructed a hash table of size $2^{32}$. Then, for each guess at $K_3$, we compute $h'(K_3)$ and look it up in the hash table. If we find a match $g'(K_2) = h'(K_3)$, then with high probability we will have obtained the correct values for $(K_2, K_3)$.

We need eight keystream blocks to ensure that the test will eliminate nearly all incorrect values. One can count the number of false alarms by counting the number of solutions $a, b$ to $g'(a) = h'(b)$. Because $S_0$ is highly non-linear, we are justified in expecting the functions $g', h'$ to behave roughly like random functions from 32-bit inputs to 64-bit outputs. Combining this heuristic with the birthday paradox, we find that the probability of generating a false alarm is $1 - e^{-1}$, and the expected number of false alarms is 1.

To aid the intuition, we can think of the present attack as applying a meet-in-the-middle attack twice, splitting the cipher first with a horizontal cut and then splitting it again with a vertical cut. The horizontal cut is possible because layer seven fails to be surjective, and it is beneficial because layers 8–10 only depend on half of the key. (There is a slight difference, though. In a normal meet-in-the-middle attack, one computes forward part-way, backward part-way, and then meets in the middle. In our attack on TWOPRIME, because layers 6–7 fail to be surjective, we only need to compute backwards, and the forward part of the computation is substantially simplified.)
The vertical cut is made possible by the linearity of layer seven (or, more precisely, the linearity of (2)). Here the middle is the value $g'(K_2) = h'(K_3)$. We compute up the left half, and up the right half, and then meet in the middle of the output of the seventh layer. This second application of meet-in-the-middle techniques lets us isolate the effect of $K_2$ from that of $K_3$, and hence reduces the attacker's workload significantly.

In summary, we can recover $(K_2, K_3)$ with $2^{32}$ offline work, $2^{32}$ space, and about eight blocks (64 bytes) of known keystream. As we shall see in Section 10, the computational requirements are not unreasonable.

6 Splitting the period

The previous two attacks could be avoided (in a hypothetical TWOPRIME successor) by using a different linear transformation at layer seven. So we develop here another attack against that eventuality. This attack is similar to the attacks on two-loop Vigenère ciphers, which can be found in references [Sin68] and [Tuc70].
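As an added example (not code from [DNRS97] or from this paper) of the machinery behind Sections 4 and 5 and of the eighth-byte prediction in footnote 2: the rows of $b$ are transcribed from the equations for $Y_0, \ldots, Y_7$, and the block checks that every column of $b$ sums to zero under $\tau$, that (2) holds for arbitrary layer-6 output, and that seven keystream bytes plus $(K_2, K_3)$ determine the eighth. Assumptions: the last four entries of $\tau$ are $-1$ and the layer-4 sign is minus (both signs were lost in extraction), and random permutations stand in for the unspecified $S_1, \ldots, S_4$, on which the regularity does not depend.

```python
# Added example, not the paper's or the designers' code: the layer-7
# regularity (2) of TWOPRIME and the eighth-byte prediction of footnote 2.
import random
from typing import List, Sequence


def s0(x: int) -> int:
    """S_0(x) = (x^255 mod 257) mod 256 (layers 2 and 8); S_0 is an involution."""
    return pow(x, 255, 257) % 256


# Rows of the 8 x 32 compression matrix b, transcribed from the equations for
# Y_0 .. Y_7: Y_i is the sum (mod 256) of the X_j with j in B_ROWS[i].
B_ROWS = [
    [0, 5, 10, 15, 16, 22, 24, 30],
    [1, 6, 11, 12, 17, 23, 25, 31],
    [2, 7, 8, 13, 18, 20, 26, 28],
    [3, 4, 9, 14, 19, 21, 27, 29],
    [16, 21, 26, 31, 0, 6, 8, 14],
    [17, 22, 27, 28, 5, 11, 13, 3],
    [18, 23, 24, 29, 10, 12, 2, 4],
    [19, 20, 25, 30, 15, 1, 7, 9],
]

# tau: assumed here to carry -1 in its last four entries (the minus signs did
# not survive extraction); with these signs every column of b sums to 0 mod 256.
TAU = (1, 1, 1, 1, -1, -1, -1, -1)


def layer4(x: Sequence[int]) -> List[int]:
    """Layer 4: y_j = (sum of all x_i) - x_j (mod 256); the minus sign is assumed."""
    s = sum(x) % 256
    return [(s - xj) % 256 for xj in x]


def layer4_mixing_is_local(x: Sequence[int], x_alt: Sequence[int]) -> bool:
    """Section 3's point: when two inputs share the same byte sum, layer 4 moves
    each output byte only by the change in its own input byte (no real mixing)."""
    if sum(x) % 256 != sum(x_alt) % 256:
        return False
    y, y_alt = layer4(x), layer4(x_alt)
    return all((b - a) % 256 == (u - v) % 256
               for a, b, u, v in zip(y, y_alt, x, x_alt))


def layer7(big_x: Sequence[int]) -> List[int]:
    """Layer 7: the linear compression b from 32 bytes down to 8 bytes."""
    assert len(big_x) == 32
    return [sum(big_x[j] for j in row) % 256 for row in B_ROWS]


def column_sums() -> List[int]:
    """tau . b_j for each column j of b; the regularity says all are 0 mod 256."""
    return [sum(t for t, row in zip(TAU, B_ROWS) if j in row) % 256
            for j in range(32)]


def tau_dot(y: Sequence[int]) -> int:
    """Left-hand side of (2): sum_i tau_i * y_i (mod 256)."""
    return sum(t * v for t, v in zip(TAU, y)) % 256


def regularity_holds(trials: int = 100, seed: int = 2) -> bool:
    """(2) holds for any layer-6 output, whatever S_1..S_4 produced it."""
    rng = random.Random(seed)
    return all(tau_dot(layer7([rng.randrange(256) for _ in range(32)])) == 0
               for _ in range(trials))


def keystream_block(x5: Sequence[int], sboxes, key: Sequence[int]) -> List[int]:
    """Layers 6-9 for one block: expand each byte through S_1..S_4
    (X_{4i+r} = S_{r+1}(x_i)), compress with b, apply S_0, XOR in k_i."""
    big_x = [sboxes[r][v] for v in x5 for r in range(4)]
    return [s0(y) ^ k for y, k in zip(layer7(big_x), key)]


def predict_byte(block9: Sequence[int], key: Sequence[int], m: int) -> int:
    """Footnote 2: with (K_2, K_3) known, seven bytes of a keystream block fix
    the eighth, since sum_i tau_i * S_0(x_i^(9) XOR k_i) == 0 (mod 256)."""
    acc = sum(TAU[i] * s0(block9[i] ^ key[i]) for i in range(8) if i != m)
    y7_m = (-TAU[m] * acc) % 256      # tau_m * S_0(x_m ^ k_m) == -acc (mod 256)
    return s0(y7_m) ^ key[m]          # S_0 is its own inverse


def prediction_succeeds(trials: int = 100, seed: int = 1) -> bool:
    """Constructed check: random stand-ins for S_1..S_4, a random key."""
    rng = random.Random(seed)
    sboxes = [rng.sample(range(256), 256) for _ in range(4)]   # constructed
    key = [rng.randrange(256) for _ in range(8)]                 # constructed
    for _ in range(trials):
        block = keystream_block([rng.randrange(256) for _ in range(8)], sboxes, key)
        if any(predict_byte(block, key, m) != block[m] for m in range(8)):
            return False
    return True


if __name__ == "__main__":
    print("columns of b under tau:", column_sums())
    print("(2) holds:", regularity_holds())
    print("eighth byte predicted from seven:", prediction_succeeds())
```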
For an arbitrary time step $t_0$, let us consider the outputs at four specific time steps:
$$a = t_0, \qquad b = t_0 + p_0, \qquad c = t_0 + p_1, \qquad d = t_0 + p_0 + p_1.$$
Because the counters at layer 1 are cyclic with periods $p_0$ and $p_1$ respectively, we have
$$x_i^{(1,a)} = x_i^{(1,b)}, \quad x_i^{(1,c)} = x_i^{(1,d)}, \qquad 0 \le i \le 3,$$
$$x_i^{(1,a)} = x_i^{(1,c)}, \quad x_i^{(1,b)} = x_i^{(1,d)}, \qquad 4 \le i \le 7,$$
and hence, because the actions of subsequent layers are time-invariant,
$$x_i^{(3,a)} = x_i^{(3,b)}, \quad x_i^{(3,c)} = x_i^{(3,d)}, \qquad 0 \le i \le 3,$$
$$x_i^{(3,a)} = x_i^{(3,c)}, \quad x_i^{(3,b)} = x_i^{(3,d)}, \qquad 4 \le i \le 7.$$
Consider the event $E$ that the following two equations both hold:
$$\sum_{i=0}^{3} x_i^{(3,a)} = \sum_{i=0}^{3} x_i^{(3,c)} \pmod{256}, \qquad \sum_{i=4}^{7} x_i^{(3,a)} = \sum_{i=4}^{7} x_i^{(3,b)} \pmod{256}.$$
Each equation holds with probability about $1/256$ (for randomly chosen time step $t_0$), and the two are independent, so that event $E$ holds with probability about $1/256^2$. When it does hold, we have
$$\sum_{i=0}^{7} x_i^{(3,a)} = \sum_{i=0}^{7} x_i^{(3,b)} = \sum_{i=0}^{7} x_i^{(3,c)} = \sum_{i=0}^{7} x_i^{(3,d)} \pmod{256}.$$
This in turn implies that the outputs of layer 4 are well behaved:
$$x_i^{(4,a)} = x_i^{(4,b)}, \quad x_i^{(4,c)} = x_i^{(4,d)}, \qquad 0 \le i \le 3,$$
$$x_i^{(4,a)} = x_i^{(4,c)}, \quad x_i^{(4,b)} = x_i^{(4,d)}, \qquad 4 \le i \le 7.$$
This can be pushed forward to give information on the outputs of layer 6:
$$x_i^{(6,a)} = x_i^{(6,b)}, \quad x_i^{(6,c)} = x_i^{(6,d)}, \qquad 0 \le i \le 15,$$
$$x_i^{(6,a)} = x_i^{(6,c)}, \quad x_i^{(6,b)} = x_i^{(6,d)}, \qquad 16 \le i \le 31,$$
$$x_i^{(6,a)} + x_i^{(6,d)} = x_i^{(6,b)} + x_i^{(6,c)}, \qquad 0 \le i \le 31,$$
and because layer 7 is linear (mod 256), we get
$$x_i^{(7,a)} + x_i^{(7,d)} = x_i^{(7,b)} + x_i^{(7,c)} \pmod{256}. \qquad (4)$$
Suppose we know that event $E$ has occurred for time step $t_0$, and that we have available the output of the stream cipher $x^{(9,h)}$ for $h \in \{a, b, c, d\}$. Then from $x_i^{(7,h)} = S_0(k_i \oplus x_i^{(9,h)})$ and (4), we get a suitability test for possible values of key byte $k_i$. That is, for each position $0 \le i \le 7$, for each possible value of $k_i$, we test whether the values of $x_i^{(7,h)}$ obtained from $x_i^{(9,h)}$ using $k_i$ would satisfy (4):
$$S_0(k_i \oplus x_i^{(9,a)}) + S_0(k_i \oplus x_i^{(9,d)}) \stackrel{?}{=} S_0(k_i \oplus x_i^{(9,b)}) + S_0(k_i \oplus x_i^{(9,c)}) \pmod{256}. \qquad (5)$$
Each concatenation of possible bytes $(k_0, k_1, \ldots, k_7)$ from this step represents a possible setting of $(K_2, K_3)$ consistent with the event $E$ having occurred at this time step $t_0$. We will call this 8-byte setting a putative key. If event $E$ did occur, then the correct setting of $(k_0, k_1, \ldots, k_7)$ will be represented among these possibilities. If it did not occur, we may get several false alarms.

The difficulty is that we do not know, a priori, whether event $E$ occurred or not. We may find that for one of the byte positions there is no possible setting of $k_i$ satisfying (5); in this case we know that $E$ did not occur at $t_0$ and this case can be discarded. Our strategy will be to try about 330,000 different values of $t_0$, and for each one that has at least one possible setting for each of the eight bytes $k_i$, record the possible values of the 8-tuple $(k_0, k_1, \ldots, k_7) = (K_2, K_3)$. The correct value should show up about five times among these putative keys, and incorrect values should show up less often. Having ascertained the correct value for $(K_2, K_3)$, we will be able to get the keys $(K_0, K_1)$ with less difficulty in Section 8.

7 Probabilistic analysis

For our analysis it will be useful to know the following two probability distributions. For bytes $x_a, x_b, x_c, x_d$, representing $x_i^{(9,a)}, \ldots, x_i^{(9,d)}$, let $N(x_a, x_b, x_c, x_d)$ be the number of key bytes $k$ that would satisfy (5):
$$S_0(k \oplus x_a) + S_0(k \oplus x_d) \stackrel{?}{=} S_0(k \oplus x_b) + S_0(k \oplus x_c) \pmod{256}. \qquad (6)$$
We want to know the distribution $P_1(n) = \Pr(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are independent random variables.
We also want to know the distribution $P_2(n) = \Pr(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are known to arise from event $E$, that is, when the correct key byte $k$ is known to satisfy (6). The two are related by $P_2(n) = n P_1(n)$. The experimental distributions are given in the Appendix.

The first distribution is almost Poisson with mean 1: $P_1(n) \approx e^{-1}/n!$, with three notable exceptions. First, $P_1(256) \approx 2/256^2 = 2^{-15}$, because with that probability we either have ($x_a = x_b$ and $x_c = x_d$), or ($x_a = x_c$ and $x_b = x_d$), and in either case all key bytes $k$ will work.
Second, $P_1(128) \approx (1/2)/256^2 = 2^{-17}$, and similarly $P_1(64) \approx (5/4)/256^2$, $P_1(32) \approx (13/8)/256^2$, and $P_1(16)$, $P_1(8)$ are similarly high. This happens because of idiosyncrasies of the permutation $S_0$. For example, in the case $n = 128$, consider the event that $x_a \oplus x_d = x_b \oplus x_c = \ldots$ (a fixed byte, given in binary), and $x_a$ and $x_b$ agree in the second-lowest bit. This event has probability $(1/256)^2 \cdot (1/2) = 2^{-17}$. When this happens, for all 128 key bytes $k$ disagreeing with $x_a$ in the second-lowest bit, we have $(k \oplus x_a) + (k \oplus x_d) = 257$. Then, because $S_0(x) = x^{-1} \pmod{257}$ if $x \ne 0$, we have $S_0(k \oplus x_a) + S_0(k \oplus x_d) = S_0(k \oplus x_b) + S_0(k \oplus x_c) = 257$ for each of these 128 values of $k$, so that $N(x_a, x_b, x_c, x_d) \ge 128$. This implies $P_1(128) \ge 2^{-17}$. Similar calculations obtain for $n = 64, 32, 16, 8$.

Third, it appears experimentally that $P_1(0)$ is a little higher than expected: 0.40 rather than 0.37; and $P_1(1)$ is a little lower. This may be related to the first two observations.

These deviations from the Poisson distribution, particularly the relatively high values of $P_2(256)$ and $P_2(128)$, create a minor nuisance for our cryptanalysis. When event $E$ has happened, the distribution $P_2(n)$ is related to the number of trial key bytes $k$ that would satisfy (6) in each byte position. The number of 8-byte keys $(k_0, k_1, \ldots, k_7)$ is given by
$$\prod_{i=0}^{7} N\big(x_i^{(9,a)}, x_i^{(9,b)}, x_i^{(9,c)}, x_i^{(9,d)}\big),$$
with expected value about 120,000. This expected value is so high because of the unusually large values of $P_2(256)$ and $P_2(128)$.

When event $E$ has not happened, the distribution $P_1(n)$ is relevant, and the expected number of 8-byte keys is 1. In fact with probability about $1 - 0.016 = 0.984$ at least one of the values $N(x_i^{(9,a)}, x_i^{(9,b)}, x_i^{(9,c)}, x_i^{(9,d)})$ is zero, so that no 8-byte keys are valid; with the complementary probability 0.016, all are nonzero, and then the expected number of keys is $1/0.016$. So with 330,000 experiments, the expected number of 8-byte putative keys is $5 \cdot 120{,}000 + (330{,}000 - 5) \cdot 1 = 930{,}000$.
Among these, the correct key should appear five times, and should be easy to detect; incorrect keys should appear at most once, with the possible exception of those differing from the correct key in only one or two bytes.

Remark: Although the mean number of putative keys is fairly small, the variance is huge; the standard deviation far exceeds the mean. This is because of the relatively high probability that, for a given time step and byte position, $N(x_a, x_b, x_c, x_d)$ is either 256 or 128; if several such bytes occur at the same time step, this time step will yield a huge number of putative keys. In this case an alternative data structure is called for. For example, if one time step has two or more such byte positions, declare that event $E$ has probably occurred, and deduce putative values for the remaining six or fewer key bytes. Or we could simply list 4-byte putative keys $K_2$ and $K_3$ separately.
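As an added example (not the paper's code) for the key-byte test (5)/(6) of Sections 6–7: it counts $N(x_a, x_b, x_c, x_d)$ with $S_0$, reproduces the $N = 256$ case and the $N \ge 128$ case, estimates $P_1$ empirically, and runs the per-byte sieve of Section 6 on constructed blocks that satisfy (4). The binary constant of the $n = 128$ case did not survive extraction; 11111101 is assumed here because it is the value that makes $(k \oplus x_a) + (k \oplus x_d) = 257$ for the 128 key bytes the text describes.

```python
# Added example, not code from [DNRS97] or from this paper: the key-byte test
# (5)/(6) of Sections 6-7 and the count N(x_a, x_b, x_c, x_d) it induces.
import random
from collections import Counter
from typing import Dict, List, Optional, Sequence

S0 = [pow(x, 255, 257) % 256 for x in range(256)]   # table of S_0(x)


def passes(k: int, xa: int, xb: int, xc: int, xd: int) -> bool:
    """Test (6) for one candidate key byte k."""
    return (S0[k ^ xa] + S0[k ^ xd]) % 256 == (S0[k ^ xb] + S0[k ^ xc]) % 256


def n_compatible(xa: int, xb: int, xc: int, xd: int) -> int:
    """N(x_a, x_b, x_c, x_d): how many of the 256 key bytes satisfy (6)."""
    return sum(1 for k in range(256) if passes(k, xa, xb, xc, xd))


def empirical_p1(samples: int = 20000, seed: int = 7) -> Dict[int, float]:
    """Estimate P_1(n) = Pr(N = n) for independent uniform bytes x_a..x_d."""
    rng = random.Random(seed)
    counts = Counter(n_compatible(*[rng.randrange(256) for _ in range(4)])
                     for _ in range(samples))
    return {n: c / samples for n, c in sorted(counts.items())}


def degenerate_case(xa: int, xc: int) -> int:
    """x_a = x_b and x_c = x_d: both sides of (6) coincide, so N = 256."""
    return n_compatible(xa, xa, xc, xc)


# Assumed value of the lost binary constant of the n = 128 case: with this
# DELTA, (k ^ x_a) + (k ^ x_d) = 257 whenever k and x_a differ in bit 1, and
# S_0(u) + S_0(257 - u) = 257 because S_0 inverts modulo 257.
DELTA = 0b11111101


def half_case(xa: int, xb: int) -> int:
    """x_a ^ x_d = x_b ^ x_c = DELTA with x_a, x_b agreeing in bit 1: N >= 128."""
    xb = (xb & ~2) | (xa & 2)           # force agreement in the second-lowest bit
    return n_compatible(xa, xb, xb ^ DELTA, xa ^ DELTA)


def sieve(a: Sequence[int], b: Sequence[int], c: Sequence[int],
          d: Sequence[int]) -> Optional[List[List[int]]]:
    """Per-byte candidates for k_i under (5) over four keystream blocks; None if
    some position has no candidate, i.e. event E cannot have occurred at t_0."""
    out: List[List[int]] = []
    for i in range(8):
        ks = [k for k in range(256) if passes(k, a[i], b[i], c[i], d[i])]
        if not ks:
            return None
        out.append(ks)
    return out


def sieve_keeps_key(seed: int = 3) -> bool:
    """Constructed check: build layer-7 outputs obeying (4), push them through
    layers 8-9 with a constructed key, and confirm the key byte survives."""
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(8)]                  # constructed
    x7a, x7b, x7c = ([rng.randrange(256) for _ in range(8)] for _ in range(3))
    x7d = [(b + c - a) % 256 for a, b, c in zip(x7a, x7b, x7c)]   # relation (4)

    def to_layer9(x7: Sequence[int]) -> List[int]:
        return [S0[v] ^ k for v, k in zip(x7, key)]               # x^(9) = S_0(x^(7)) ^ k

    cands = sieve(to_layer9(x7a), to_layer9(x7b), to_layer9(x7c), to_layer9(x7d))
    return cands is not None and all(key[i] in cands[i] for i in range(8))


if __name__ == "__main__":
    print("P_1 estimate:", empirical_p1(samples=5000))
    print("N when x_a = x_b, x_c = x_d:", degenerate_case(17, 200))
    print("N in the n = 128 case:", half_case(0x5A, 0x33))
    print("sieve keeps the key:", sieve_keeps_key())
```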
8 Splitting the period, again

Having determined $K_2$ and $K_3$ by the attack in Section 6, we also know the handful of positions where event $E$ has occurred; we know several places where
$$\sum_{i=0}^{3} x_i^{(3,a)} = \sum_{i=0}^{3} x_i^{(3,c)} \pmod{256}.$$
Because of the relation between $x^{(3)}$ and $x^{(2)}$ we also have
$$\sum_{i=0}^{3} x_i^{(2,a)} = \sum_{i=0}^{3} x_i^{(2,c)} \pmod{256},$$
whence
$$\sum_{i=0}^{3} S_0(x_i^{(1,a)}) = \sum_{i=0}^{3} S_0(x_i^{(1,c)}) \pmod{256}. \qquad (7)$$
By enumeration of $2^{32}$ possibilities, we can find all the possible values of the concatenation $(x_0^{(1,a)}, x_1^{(1,a)}, x_2^{(1,a)}, x_3^{(1,a)})$ and hence, by adding $p_1 a_0 \pmod{p_0}$, the concatenation $(x_0^{(1,c)}, x_1^{(1,c)}, x_2^{(1,c)}, x_3^{(1,c)})$, which satisfy (7). This whittles down the possible values of $K_0$ from a collection of $2^{32}$ to about $2^{32}/256^{5} = 2^{12}$ possible values. Similar calculations reduce our choice of $K_1$ to about $2^{12}$ possible values. The correct values can be gotten by exhaustion.

9 Meet-in-the-middle, again

Another approach to recovering $(K_0, K_1)$ is given here. We assume that we have previously identified $(K_2, K_3)$ using any of the attacks from Sections 4–6. This attack requires only $2^{32}$ operations, $2^{24}$ space, and two known keystream blocks; therefore, it should be very fast.

Because of the form of the linear relation in layer 7, we find that the sum $x_0^{(7)} + x_2^{(7)} - x_4^{(7)} - x_6^{(7)} \pmod{256}$ depends only on the four bytes $x_i^{(5)}$, $i = 1, 3, 5, 7$. Use a meet-in-the-middle approach, requiring time $2^{24}$, to discover all the $2^{24}$ values of the 4-tuple $[x_i^{(5)}, i = 1, 3, 5, 7]$ that could lead to a given value for this sum. Similarly the sum $x_0^{(7)} + x_2^{(7)} - x_5^{(7)} - x_7^{(7)} \pmod{256}$ depends only on the four bytes $x_i^{(5)}$, $i = 0, 2, 4, 6$. Combine these two lists with another meet-in-the-middle attack, and in time $2^{24}$ we can recover the 8-tuple $x^{(5)}$ from any given value of the 8-tuple $x^{(7)}$. Use time $2^{24}$ to decrypt one ciphertext back to layer 5. For each of the $2^{32}$ trial subkeys $K_0$, compute forward to $x_i^{(3)}$, $0 \le i \le 3$, and backward from layer 5 to $x_i^{(4)}$, $0 \le i \le 3$.
See whether there is a byte sum $\sum_{i=0}^{7} x_i^{(3)}$ which would enable the linear permutation at layer 4 to map $x_i^{(3)}$, $0 \le i \le 3$, to $x_i^{(4)}$, $0 \le i \le 3$. We expect 256 trial subkeys $K_0$ to pass this test. Similarly develop 256 trial subkeys $K_1$. Try each of the resulting 65,536 pairs $(K_0, K_1)$ on another ciphertext to determine the correct pair.
10 Computational requirements

The first attack should take only a few seconds to find all of $K_2$ and $K_3$, including gathering data.

The meet-in-the-middle attack recovering $(K_2, K_3)$ (see Section 5) requires $2^{32}$ hash table lookups and about $2^{33}$ words of memory. If we keep the entire table in memory, the $2^{32}$ table lookups will take only 400 seconds or so (assuming 100 ns access time to main memory, which is not unreasonable). The space requirements may be more noticeable. One simple approach is to distribute the table across a cluster of 256 workstations, each with 128 MB of memory; such a cluster would take roughly 400 seconds to find $(K_2, K_3)$. Another simple approach, if only one workstation is available, is to trade off time for memory: by splitting the table across time, one workstation can finish in about one month, and $n$ workstations will finish $n$ times as fast as that. This is not out of reach, and the interested reader might be able to find better ways to reduce memory needs: for example, the parallel collision search techniques of van Oorschot and Wiener [OW96] (applied to find a "golden collision") look promising.

For the attack based on identifying occurrences of event $E$ (see Sections 6–8), we need the generator to run for about $p_0 + p_1$ time steps, generating $2^{36}$ bytes. At the advertised speed of 1 megabyte per second, this will take about nineteen hours. We will look at only 1,000,000 message blocks (8,000,000 bytes): 330,000 at the beginning (representing $a$), another 330,000 in the middle (representing both $b$ and $c$, because $p_0$ and $p_1$ are so close to each other), and another 330,000 at the end. For each selection $(a, b, c, d)$ we might need to evaluate up to 2048 trial key bytes $0 \le k_i \le 255$, $0 \le i \le 7$. However, realize that much of the time we will find that, for example, key byte $k_1$ has no possible values, so that bytes $k_2, \ldots, k_7$ need not be examined for this case. In total about 212,000,000 key bytes need to be examined.
11 TWOPRIME-1

The same paper [DNRS97] proposes a faster version TWOPRIME-1, differing from TWOPRIME only in the seventh layer; in TWOPRIME-1, this layer preserves halves. That is, the output bytes $x_i^{(7)}$, $0 \le i \le 3$, only depend on the input bytes $x_i^{(6)}$, $0 \le i \le 15$, and the output bytes $x_i^{(7)}$, $4 \le i \le 7$, only depend on the input bytes $x_i^{(6)}$, $16 \le i \le 31$. This means that the only interaction between the left and right halves of the message occurs during the linear permutation in the fourth layer, and there the interaction is limited to the one byte $\sum_{i=0}^{7} x_i^{(3)} \pmod{256}$. In two time steps where this sum agrees, the halves are completely separated. So we can examine the output at times $a = t_0$ and $b = t_0 + p_0$. If
$$\sum_{i=4}^{7} x_i^{(3,b)} = \sum_{i=4}^{7} x_i^{(3,a)} \pmod{256}$$
(i.e. the second of the two conditions for event $E$), then the left-hand half of the output of each layer is the same for $a$ as for $b$:
$$x_i^{(j,a)} = x_i^{(j,b)}, \quad 0 \le i \le 3, \; j \ne 6; \qquad x_i^{(6,a)} = x_i^{(6,b)}, \quad 0 \le i \le 15.$$
In particular the left-hand halves of the outputs will agree. By identifying eight pairs $(a, b)$ where these output halves agree, we can deduce the value of $K_0$ as in the TWOPRIME case. Similar computations give us $K_1$.

We can then use exhaustive search to compute $K_2$ in about $2^{32}$ steps. For example, if we guess the four bytes representing $(\sum_{j=0}^{7} k_j) - k_i$, $0 \le i \le 3$, and we know the values of $K_0$ and $K_1$, we can find the left-hand half of all layers up through layer 8. We can compare the encryptions of two unrelated time steps, say $a$ and $e$, to see whether
$$x_i^{(8,a)} \oplus x_i^{(8,e)} \stackrel{?}{=} x_i^{(9,a)} \oplus x_i^{(9,e)}, \qquad 0 \le i \le 3.$$
If not, these four bytes are wrong. But if they are equal, we can use layer 8 to deduce $K_2$, giving us another check on our original assumptions, and furnishing us with the correct value of $K_2$. The calculation of $K_3$ is left to the reader.

We needed to run the generator for $2^{32}$ messages ($2^{35}$ bytes), or ten hours, and examine about 4,096 blocks (32,768 bytes). The computational requirements of $2^{32}$ operations are not onerous, and the interested reader might well find more efficient methods to discover $K_2$.

Another approach is also available. In the first phase of this attack, we recover $(K_2, K_3)$. The key observation is that, modelling each half of layers 6–7 as a random function, only about $1 - e^{-1}$ of the $2^{32}$ possible values for the left half of the output of the seventh layer will actually be attainable. Therefore, in the first phase, we guess $K_2$, compute up the left side of the cipher to the output of the seventh layer, and discard guesses at $K_2$ when they produce unattainable intermediate values. Because $(1 - e^{-1})^{50} < 2^{-32}$, we see that after about 50 blocks (400 bytes) of known plaintext, there will be just one value remaining, namely, the correct value of $K_2$. A similar technique recovers $K_3$. Now the second phase proceeds as in Section 9.
For each guess at $K_0$, we compute forward down the left side of the cipher to the output of layer 3 and backward to the output of layer 4, checking to see whether the two are compatible. We expect 256 values of $K_0$ to remain, and similarly 256 values of $K_1$; these remaining $2^{16}$ possibilities can be checked by trial encryption. In short, this second approach breaks TWOPRIME-1 with about the same time and space complexity as the corresponding attack on TWOPRIME. We require slightly more known plaintext, but 50 blocks (400 bytes) of known plaintext should be readily available in many systems.

12 ONEPRIME

The same paper [DNRS97] proposes a scheme ONEPRIME, which differs from TWOPRIME only in the first layer: instead of two primes $p_0$ and $p_1$, we have only one prime $p$ and a fixed multiplier $a$. The output of the first layer at time $t$ is
$$(x_0^{(1)}, \ldots, x_7^{(1)}) = at + (K_0, K_1) \pmod{p}.$$
A slight modification enables our attack to run against this scheme as well. Based on the value $a$ (which was not specified in the paper), compute two offsets, which we call $\delta_0$ and $\delta_1$ here, such that in the binary representation of $a\delta_0 \pmod{p}$ the left-most 34 bits are 0 (so that the left half is 0 and the right half represents an integer smaller than $2^{30}$). Similarly, in the binary representation of $a\delta_1 \pmod{p}$ the leftmost (highest order) two bits are 0, and the rightmost 32 bits are 0. Each $\delta_i$ should be about $2^{34}$ and can be computed using methods from continued fractions. Then if we select time steps
$$a = t_0, \qquad b = t_0 + \delta_0, \qquad c = t_0 + \delta_1, \qquad d = t_0 + \delta_0 + \delta_1,$$
we will find, with probability exceeding $(3/4)^2 > 0.56$, that the left-hand halves of the outputs of layer 1 agree at times $a$ and $b$, as well as at times $c$ and $d$; and the right-hand halves agree at times $a$ and $c$, as well as at times $b$ and $d$. The rest of the attack proceeds as before. We need the generator to run for somewhat longer, because $\delta_0 > p_0$, and we need to examine somewhat more ciphertext, because our favorable conditions only occur with probability 0.56, but the attack is still feasible.

Another approach is also available. We can break ONEPRIME with meet-in-the-middle techniques. In fact, simply applying the attacks in Sections 5 and 9 immediately breaks ONEPRIME, without any modifications needed. This second approach requires eight blocks of known keystream as well as $2^{33}$ time and $2^{32}$ space.

13 Discussion

At a high level, the intuition behind some of our cryptanalysis is that we apply the meet-in-the-middle attack repeatedly, at two levels of abstraction. First, we divide the cipher horizontally between layers, and meet at the middle (the output of the seventh layer) at the highest level of abstraction. Second, we divide the cipher vertically into left and right halves, and meet in the middle, where the middle is a characteristic of the output of the seventh layer. Some of the techniques, e.g.
Sections 6–8, do not fall cleanly into this model. We will ignore them for the moment.

Note that the vertical split can be viewed as decomposing the 64-bit function $F$ into two parallel 32-bit functions $G, H$. In other words, splitting $F$ vertically corresponds to writing $F(a, b) = (G(a), H(b))$. Of course, given such a parallel decomposition, we can apply a divide-and-conquer attack; since breaking a 32-bit function has complexity at most $2^{32}$, such a decomposition lets us break $F$ in at most $2 \cdot 2^{32}$ time. So we conclude that $F$ should be designed to resist parallel decomposition, and in particular there should be no parallel $G, H$ that approximate $F$. This just comes down to ensuring there is plenty of diffusion, a well-known principle for cipher design. This lack of diffusion helped make our attacks on TWOPRIME possible.

We can also analyze the horizontal split in terms of functional decomposition. In this case, we find that it corresponds to finding $G, H$ such that $F = H \circ G$ (i.e. $F(a) = H(G(a))$). When we can find such $G, H$ where $G$ is non-surjective and $H$ is bijective, then meet-in-the-middle attacks may allow the cryptanalyst to isolate the effect of $G$ from the effect of $H$. In other words, the cryptanalyst can often analyze $H$ without taking into account the effect of $G$ (or the key bits that enter $G$); once $H$ has been broken, the cryptanalyst can then peel off the effect of $H$ (since it is bijective) and attack $G$ alone. The result of such a divide-and-conquer attack would be that $F$ is not much stronger than the strongest of $G$ or $H$ standing alone. TWOPRIME put some of its strength into $G$, and some into $H$, with the result that much of its strength was wasted. Far better would have been to concentrate all the strength in one of $G$ or $H$ and make the other as simple as possible, to avoid this potential danger.

Therefore, we suggest the following design principle, which seems broadly applicable to the construction of non-bijective cryptographic functions from a product of rounds. One should avoid introducing non-surjectivity in the middle of the function, because that may speed up meet-in-the-middle attacks and thus waste precious cryptographic strength.

Note that the latter design principle offers some intuitive justification for the structure of many of today's most successful non-bijective cryptographic functions (such as MD5, SHA, ...). The Davies-Meyer construction [Win84] builds $F$ as $F(a) = G(a) \oplus a$.
In this construction all the strength is concentrated in a bijective function G (usually built out of a block cipher); the non-surjectivity is introduced as late as possible, and as simply as possible. MD2 [Kal92] and Snefru [Mer90] also follow our suggested design principle: they too use a bijective function G at the core, and introduce non-surjectivity only at the endpoints (by adding simple redundancy to the input of G, and truncating its output). This design principle is not novel. It has been discussed in more detail by Preneel in the context of the design of compression functions for hash functions; see [Pre93, e.g. Section 4.2].

14 Conclusions

Pulling it all together, we can identify three important attacks against TWOPRIME. First, we can break TWOPRIME with 2048 blocks of known keystream and 2^32 work by using the techniques of Sections 4 and 9. Alternatively, we can get by with only 8 blocks of known keystream with repeated use of meet-in-the-middle attacks (Sections 5 and 9); the cost is that we need 2^32 space as well as 2^33 work. Finally, we can cryptanalyze TWOPRIME with 2^33 blocks of known keystream and about 2^28 operations by using the methods from Sections 6-8; this last attack uses no special features of the compression function in layer seven (other than its linearity).

We see that, for a cipher with a 128-bit key, TWOPRIME is disappointingly weak. We have pointed out weaknesses in two of the layers in TWOPRIME. Because TWOPRIME has only nine layers, each layer lies close to the surface, and any weakness is more easily exploited. The system needs more layers to have any serious cryptographic strength.

References

[DNRS97] C. Ding, V. Niemi, A. Renvall, and A. Salomaa, "TWOPRIME: A Fast Stream Ciphering Algorithm," Fast Software Encryption, FSE '97, Springer LNCS volume 1267.
[Kal92] B.S. Kaliski, "The MD2 Message Digest Algorithm," RFC 1319, April.
[Mer90] R.C. Merkle, "A Fast Software One-Way Hash Function," Journal of Cryptology, vol. 3, no. 1.
[OW96] P.C. van Oorschot and M.J. Wiener, "Improving implementable meet-in-the-middle attacks by orders of magnitude," CRYPTO '96, Springer-Verlag.
[Pre93] B. Preneel, "Design principles for dedicated hash functions," Fast Software Encryption, FSE '93, Springer LNCS volume 809, pages 71-82.
[Sin68] A. Sinkov, Elementary Cryptanalysis, A Mathematical Approach. New York: Random House.
[Tuc70] B. Tuckerman, "A study of the Vigenere-Vernam single and multiple loop enciphering systems," IBM Research Report RC2879, 14 May 1970, Yorktown Heights, NY.
[Win84] R. Winternitz, "Producing One-Way Hash Functions from DES," Advances in Cryptology: Proceedings of Crypto 83, Plenum Press, 1984.

A Appendix

We give here the experimental distributions of P1(n) and P2(n):

n    e^{-1}/n!    P1(n)    P2(n)    (table entries not reproduced here)

sum over n of n * P1(n) = 1, sum over n of n * P2(n) ~ 4.3