The Key-Dependent Attack on Block Ciphers
Xiaorui Sun and Xuejia Lai
Department of Computer Science, Shanghai Jiao Tong University, Shanghai, China

Abstract. In this paper, we formalize an attack scheme using the key-dependent property, called the key-dependent attack. In this attack, an intermediate value whose distribution is key-dependent is considered. The attack determines whether a key is right by conducting a statistical hypothesis test on the intermediate value. The time and data complexity of the key-dependent attack are also discussed. We also apply the key-dependent attack to reduced-round IDEA. This attack is based on the key-dependent distribution of certain items in the Biryukov-Demirci Equation. The attack on the 5.5-round variant of IDEA requires $2^{21}$ chosen plaintexts and encryptions. The attack on the 6-round variant requires $2^{49}$ chosen plaintexts and encryptions. Compared with the previous attacks, the key-dependent attacks on 5.5-round and 6-round IDEA have the lowest time and data complexity, respectively.

Key words: Block Cipher, Key-Dependent Attack, IDEA

1 Introduction

In current cryptanalysis of block ciphers, widespread attacks use special probability distributions of certain intermediate values. These probability distributions are considered invariant under the different keys used. For example, differential cryptanalysis [7] makes use of an intermediate differential with high probability; its value is assumed not to vary remarkably with different keys. Linear cryptanalysis [23] is based on the bias of a linear approximation, which is also generally constant for different keys. Instead of concentrating on probability distributions which are invariant for different keys, Ben-Aroya and Biham first proposed the key-dependent property in [2]. The key-dependent property means that the probability distribution of an intermediate value varies for different keys. In [2], an attack on Lucifer using a key-dependent differential was presented. Knudsen and Rijmen also used a similar idea to attack DFC in [20]. In this paper, we consider the key-dependent property further.
* This work was supported by NSFC Grant No. , and the 11th PRP of Shanghai Jiao Tong University.

The distribution of an intermediate value which is key-dependent is called a key-dependent distribution. Assume that there are some randomly chosen encryptions. The intermediate values calculated from these encryptions with the actual key should conform to the key-dependent distribution. On the other hand, if we use a wrong key to calculate the intermediate values, they are assumed to conform to the random distribution. Based on the key-dependent distribution, we formalize a scheme of discovering the actual key by performing a statistical hypothesis test [17] on possible keys, and we call this scheme the key-dependent attack. For a given key, the null hypothesis of the test is that the intermediate value conforms to the key-dependent distribution determined by the key. The samples of the test are the intermediate values calculated from a few encryptions. If the test is passed, the given key is concluded to be the actual key; otherwise it is discarded. For the keys that share the same key-dependent distribution
and the same intermediate value calculation, the corresponding hypothesis tests can be merged to reduce the time needed. By this criterion, the whole key space is divided into several key-dependent subsets. Due to the scheme of the key-dependent attack, the time complexity of the attack is determined by the time for distinguishing between the random distribution and the key-dependent distribution. The time needed relies on the entropy of the key-dependent distribution: the closer the key-dependent distribution is to the random distribution, the more encryptions are needed. For each key-dependent subset, the number of encryptions and the criteria for rejecting the hypothesis can be chosen so that the attack on this subset is optimized. The expected time of the attack on each subset is also obtained. The total expected time complexity can be calculated from the expected time on each key-dependent subset. Different orders of attacking the key-dependent subsets have different expected time complexities. The order with minimal expected time complexity is presented. The total expected time complexity is also minimized in this way if the actual key is supposed to be chosen uniformly from the whole key space.

This paper also presents a key-dependent attack on the block cipher IDEA. The block cipher IDEA (International Data Encryption Algorithm) was proposed in [21, 22]. The cryptanalysis of IDEA was discussed in [1, 3-6, 8, 9, 11-16, 18, 19, 24, 25], and no attack on the full version of IDEA is faster than exhaustive search so far. We investigate the Biryukov-Demirci Equation, which is widely used in recent attacks on IDEA [1, 5, 6, 13, 16, 18]. We find that particular items of the Biryukov-Demirci Equation satisfy a key-dependent distribution under some specific constraints. This makes it possible to perform the key-dependent attack on IDEA. The Biryukov-Demirci Equation is used to recover the intermediate values from encryptions. Our key-dependent attack on the 5.5-round variant of IDEA requires $2^{21}$ chosen plaintexts and has a time complexity of encryptions.
Our key-dependent attack on the 6-round variant of IDEA requires $2^{49}$ chosen plaintexts and has a time complexity of encryptions. These attacks use both fewer chosen plaintexts and less time than all the previous corresponding attacks. We also give two key-dependent attacks on 5-round IDEA starting from the first round. One requires $2^{17}$ chosen plaintexts and needs encryptions; the other one requires $2^{64}$ known plaintexts and

Table 1. Selected results of attacks on IDEA

Rounds  Attack type                        Data          Time  Ref.
4.5     Impossible Differential            $2^{64}$ CP         [3]
4.5     Linear                             16 CP               [5]
5       Meet-in-the-Middle                 $2^{24}$ CP         [13]
5       Meet-in-the-Middle                 CP                  [1]
5       Linear                             KP                  [6]
5       Linear                             $2^{19}$ KP         [5]
5       Linear                             16 KP               [6]
5.5     Higher-Order Differential-Linear   $2^{32}$ CP         [6]
6       Higher-Order Differential-Linear   KP                  [6]
5 *     Key-Dependent                      $2^{17}$ CP         Section 5.3
5 *     Key-Dependent                      $2^{64}$ KP         Section 5.3
5.5     Key-Dependent                      $2^{21}$ CP         Section 5.1
6       Key-Dependent                      $2^{49}$ CP         Section 5.2

CP - Chosen Plaintext, KP - Known Plaintext. * Attack on IDEA starting from the first round.
needs encryptions. We summarize our attacks and previous attacks in Table 1, where the data complexity is measured in the number of plaintexts and the time complexity is measured in the number of encryptions needed in the attack.

The paper is organized as follows: In Section 2 we give a general view of the key-dependent attack. In Section 3 we give a brief description of the IDEA block cipher. In Section 4 we show that the probability distribution of some items of the Biryukov-Demirci Equation is a key-dependent distribution. In Section 5 we present two key-dependent attacks on reduced-round IDEA. Section 6 concludes this paper.

2 The Key-Dependent Attack

In [2], Ben-Aroya and Biham first proposed the key-dependent property and implemented a key-dependent differential attack on Lucifer. Knudsen and Rijmen also used a similar idea to attack DFC in [20]. In this section, we formalize a scheme of identifying the actual key (with high success probability) using the following key-dependent property.

Definition 1. For a block cipher, if the probability distribution of an intermediate value varies for different keys under some specific constraints, then this probability distribution is defined as a key-dependent distribution.

Consider some randomly chosen encryptions satisfying the specific constraints. If one uses the actual key to calculate the intermediate value, it should conform to the key-dependent distribution. If one uses a wrong key to calculate the intermediate value, it is assumed to be randomly distributed. With such a property, determining whether a given key is right can be done by distinguishing which distribution the intermediate value conforms to: the key-dependent distribution or the random distribution. We propose an attack scheme, called the key-dependent attack, using the key-dependent distribution. The attack uses a statistical hypothesis test, whose idea is also used in differential and linear attacks [17], to distinguish between the key-dependent distribution and the random distribution. For a key, the null hypothesis of the test is that the intermediate value conforms to the key-dependent distribution determined by the key.
Then the attack uses some samples to determine whether the hypothesis is right. The samples of the statistical hypothesis test are the intermediate values obtained from the encryptions satisfying the specific constraints. If the key passes the hypothesis test, the attack concludes that the key is right; otherwise the key is judged to be wrong. For the keys that share the same key-dependent distribution and the same intermediate value calculation, the corresponding hypothesis tests can be merged. Hence the whole key space is divided into several key-dependent subsets. (A similar idea is proposed in [2].)

Definition 2. A key-dependent subset is a tuple $(P, U)$, where $P$ is a fixed key-dependent distribution of an intermediate value, and $U$ is a set of keys that share the same key-dependent distribution $P$ and the same intermediate value calculation.

Definition 3. The key fraction ($f$) of a key-dependent subset is the ratio between the size of $U$ and the size of the whole key space.
The key-dependent attack determines which key-dependent subset the actual key is in by conducting hypothesis tests on each key-dependent subset. Such a process on a key-dependent subset $(P, U)$, called an individual attack, can be described as the following four phases:

1. Parameter Determining Phase. Determine the size of the samples and the criteria for rejecting the hypothesis that the intermediate values conform to $P$.
2. Data Collecting Phase. Randomly choose some encryptions according to the specific constraints.¹
3. Judgement Phase. Calculate the intermediate values from the collected encryptions. If the results satisfy the criteria of rejection, then discard this key-dependent subset; otherwise enter the next phase.
4. Exhaustive Search Phase. Exhaustively search $U$ to find the whole key. If the exhaustive search does not find the whole actual key, then start another individual attack on the next key-dependent subset.

The time complexity of the key-dependent attack is determined by the time complexity of each individual attack and the order of performing these individual attacks. For a key-dependent subset $(P, U)$, the time needed for the individual attack relies on the entropy of $P$: the closer $P$ is to the random distribution, the more difficult the attack is; to ensure the same probability of making the right judgement, the attack needs more encryptions. This indicates that individual attacks for different key-dependent subsets have different time complexities. The time complexity of each individual attack is determined by the corresponding key-dependent distribution $P$. For each key-dependent subset, the number of encryptions and the criteria for rejecting the hypothesis are then chosen to minimize the time complexity of this individual attack.

To minimize the time complexity of an individual attack, the attack should consider the probability of committing two types of errors: Type I error and Type II error. A Type I error occurs when the hypothesis is rejected for a key-dependent subset while in fact the actual key is in $U$; the attack will fail to find the actual key in this case.
The probability of a Type I error is also defined as the significance level, denoted $\alpha$. A Type II error occurs when the test is passed while in fact the hypothesis is not right; in this case the attack will enter the exhaustive search phase but will not find the actual key. The probability of a Type II error is denoted $\beta$. With a fixed size of samples (denoted $N$) and the significance level $\alpha$, the criteria for rejecting the hypothesis are determined, and the probability of a Type II error $\beta$ is also fixed. For a fixed size of samples, it is impossible to reduce both $\alpha$ and $\beta$ simultaneously. In order to reduce both $\alpha$ and $\beta$, the attack has to use a larger size of samples, but the time and data complexity will increase. Hence, an individual attack needs to balance between the size of samples and the probability of making a wrong judgement.

For a key-dependent subset $(P, U)$, if the actual key is not in this subset, the expected time complexity (measured by the number of encryptions) of the individual attack on this subset is

$$W = N + \beta\,|U| \qquad (1)$$

If the actual key is in this subset, the expected time of the individual attack on this subset is

$$R = N + (1 - \alpha)\,\frac{|U|}{2}$$

¹ Though each individual attack chooses encryptions randomly, one encryption can be used for many individual attacks, thus reducing the total data complexity.
Since the time complexity is dominated by attacking wrong key-dependent subsets (there is only one key-dependent subset containing the actual key), the attack only needs to minimize the time complexity of the individual attack for each wrong key-dependent subset to minimize the total time complexity. Although $\alpha$ does not appear in Equation (1), $\alpha$ affects the success probability of the attack, so $\alpha$ should also be considered. We set an upper bound on $\alpha$ to ensure that the success probability is above a fixed value, and then choose the size of samples such that Equation (1) is minimized, in order to minimize the time complexity of individual attacks. In addition, it is entirely possible that some key-dependent distribution is so close to the random distribution that the expected time for performing the hypothesis test is longer than directly searching the subset. For these key-dependent subsets, the attack exhaustively searches the subset directly instead of using the statistical hypothesis test method.

On the other hand, the time complexity of the key-dependent attack is also affected by the order of performing individual attacks on different key-dependent subsets. Because the expected time complexities of individual attacks are different, different sequences of performing individual attacks result in different total expected time complexities. Assume that a key-dependent attack performs individual attacks on $m$ key-dependent subsets in the order $(P_1, U_1), \ldots, (P_m, U_m)$. Let $R_i$ denote the expected time for $(P_i, U_i)$ if the actual key is in $U_i$, and $W_i$ denote the expected time if the actual key is not in $U_i$. We have the following result:

Theorem 1. The expected time for the whole key-dependent attack is minimal if the following condition is satisfied:

$$\frac{f_1}{W_1} \ge \frac{f_2}{W_2} \ge \cdots \ge \frac{f_m}{W_m}$$

Proof.
The expected time of the attack in the order $(P_1, U_1), \ldots, (P_m, U_m)$ is

$$\begin{aligned}
\Phi &= f_1 [R_1 + \alpha(W_2 + W_3 + \cdots + W_m)] + f_2 [W_1 + R_2 + \alpha(W_3 + \cdots + W_m)] \\
&\quad + f_3 [W_1 + W_2 + R_3 + \alpha(W_4 + \cdots + W_m)] + \cdots + f_m (W_1 + W_2 + \cdots + W_{m-1} + R_m) \\
&= \sum_{i=1}^{m} f_i R_i + \sum_{i=1}^{m} \Big(\sum_{j=1}^{i-1} f_i W_j\Big) + \alpha \sum_{i=1}^{m} \Big(\sum_{j=i+1}^{m} f_i W_j\Big)
\end{aligned} \qquad (2)$$

If the attack is performed in the order $(P_{s_1}, U_{s_1}), (P_{s_2}, U_{s_2}), \ldots, (P_{s_m}, U_{s_m})$, where $s_1, s_2, \ldots, s_m$ is a permutation of $1, 2, \ldots, m$, the expected time is

$$\Phi' = \sum_{i=1}^{m} f_{s_i} R_{s_i} + \sum_{i=1}^{m} \Big(\sum_{j=1}^{i-1} f_{s_i} W_{s_j}\Big) + \alpha \sum_{i=1}^{m} \Big(\sum_{j=i+1}^{m} f_{s_i} W_{s_j}\Big)$$

The term $f_i W_j + \alpha f_j W_i$ occurs in $\Phi$ if and only if $j < i$, and occurs in $\Phi'$ if and only if $j' < i'$, where $s_{i'} = i$ and $s_{j'} = j$. Hence

$$\Phi - \Phi' = \sum_{j < i \ \text{and}\ j' > i'} \big(f_i W_j + \alpha f_j W_i - f_j W_i - \alpha f_i W_j\big)$$

Since $\alpha \le 1$ and $f_i W_j - f_j W_i \le 0$ for $j < i$, $\Phi - \Phi' \le 0$ for any permutation $s_1, s_2, \ldots, s_m$.

In the following sections of this paper, we present a concrete key-dependent attack on the block cipher IDEA.
[Fig. 1. Round $i$ of IDEA: inputs $X_1^i, \ldots, X_4^i$; subkeys $Z_1^i, \ldots, Z_6^i$; KA-layer outputs $Y_1^i, \ldots, Y_4^i$; MA-layer values $p, q, s, t, u$; outputs $X_1^{i+1}, \ldots, X_4^{i+1}$]

3 The IDEA Block Cipher

In this section, we give a brief introduction to IDEA and the notation used later in this paper. The IDEA block cipher encrypts a 64-bit plaintext with a 128-bit key by an 8.5-round encryption. The fifty-two 16-bit subkeys are generated from the 128-bit key $Z$ by the key-schedule algorithm. The subkeys are generated in the order $Z_1^1, Z_2^1, \ldots, Z_6^1, Z_1^2, \ldots, Z_6^8, Z_1^9, \ldots, Z_4^9$. The key $Z$ is partitioned into eight 16-bit words which are used as the first eight subkeys. The key $Z$ is then cyclically shifted to the left by 25 bits, and the following eight subkeys are generated from the result. This process is repeated until all the subkeys are obtained. In Table 2, the correspondence between the subkeys and the key $Z$ is directly given.

The block cipher partitions the 64-bit plaintext into four 16-bit words and uses three different group operations on pairs of 16-bit words: exclusive OR, denoted by $\oplus$; modular addition modulo $2^{16}$, denoted by $\boxplus$; and modular multiplication modulo $2^{16}+1$ (0 is treated as $2^{16}$), denoted by $\odot$. As shown in Figure 1, each round of IDEA contains three layers: the KA layer, the MA layer and the permutation layer. We denote the 64-bit input of round $i$ by $X^i = (X_1^i, X_2^i, X_3^i, X_4^i)$. In the KA layer, the first and the fourth words are modular multiplied with $Z_1^i$ and $Z_4^i$ respectively. The second and the third words are modular added with $Z_2^i$ and $Z_3^i$ respectively. The output of the KA layer is denoted by $Y^i = (Y_1^i, Y_2^i, Y_3^i, Y_4^i)$.
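As an added illustration (not the paper's own code), the key schedule just described, implemented so that it derives the subkey-to-key-bit correspondence of Table 2 and checks the key-bit counts the paper states later for its attacks (103 bits in Section 5.1; 119 and 107 bits in Section 5.3). The three subkey lists are taken from those sections; key bits are numbered 0..127 from the most significant bit of $Z$, the convention under which the paper calls the LSB of $Z_5^2$ "the 72nd bit".

```python
# Added example (not the paper's code): the IDEA key schedule of Section 3,
# used to derive the subkey -> key-bit correspondence of Table 2 and to check
# the key-bit counts the paper states in Sections 5.1 and 5.3.
# Key bits are numbered 0..127 starting from the most significant bit of Z.

ROTATE = 25                 # Z is cyclically shifted left by 25 bits per batch
TOTAL_SUBKEYS = 52          # 8 rounds * 6 subkeys + 4 for the final half round

# Subkeys named in the paper, as (round, index) pairs: the 15 subkeys guessed
# in the 5.5-round attack and the two subkey sets of the 5-round attacks.
SUBKEYS_5_5_ROUND = [(5, 5), (6, 1), (6, 2), (6, 5), (6, 6), (7, 1), (7, 2),
                     (7, 3), (7, 4), (7, 5), (7, 6), (8, 1), (8, 2), (8, 3), (8, 4)]
SUBKEYS_5_ROUND_FIRST = [(1, 4), (3, 5), (4, 1), (4, 2), (4, 5), (4, 6),
                         (5, 1), (5, 2), (5, 3), (5, 4), (5, 5), (5, 6)]
SUBKEYS_5_ROUND_SECOND = [(1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6),
                          (2, 4), (3, 5), (4, 5), (5, 1), (5, 2), (5, 5), (5, 6)]


def subkey_index(rnd, j):
    """0-based position of Z_j^rnd in the generation order Z_1^1, ..., Z_4^9."""
    return 6 * (rnd - 1) + (j - 1)


def first_bit(rnd, j):
    """Key-bit position of the most significant bit of Z_j^rnd.

    The k-th batch of eight subkeys is read from Z rotated left by 25*k bits,
    so word w of that batch starts at key bit (25*k + 16*w) mod 128."""
    batch, word = divmod(subkey_index(rnd, j), 8)
    return (ROTATE * batch + 16 * word) % 128


def lsb_position(rnd, j):
    """Key-bit position holding the least significant bit of Z_j^rnd."""
    return (first_bit(rnd, j) + 15) % 128


def subkey_bits(rnd, j):
    """Set of the 16 key-bit positions that make up Z_j^rnd."""
    start = first_bit(rnd, j)
    return {(start + b) % 128 for b in range(16)}


def covered_bits(subkeys):
    """Union of the key bits covered by an iterable of (round, index) pairs."""
    bits = set()
    for rnd, j in subkeys:
        bits |= subkey_bits(rnd, j)
    return bits


def key_schedule_table():
    """Table 2: {round: [(first_bit, last_bit), ...]} for the subkeys of each
    round; last_bit < first_bit means the range wraps past bit 127."""
    table = {}
    for rnd in range(1, 10):
        count = 4 if rnd == 9 else 6
        table[rnd] = [(first_bit(rnd, j), lsb_position(rnd, j))
                      for j in range(1, count + 1)]
    return table


def key_schedule(z):
    """The 52 16-bit subkeys for a 128-bit integer key z, in generation order."""
    mask = (1 << 128) - 1
    subkeys = []
    while len(subkeys) < TOTAL_SUBKEYS:
        for w in range(8):
            if len(subkeys) == TOTAL_SUBKEYS:
                break
            subkeys.append((z >> (112 - 16 * w)) & 0xFFFF)
        z = ((z << ROTATE) | (z >> (128 - ROTATE))) & mask
    return subkeys


def schedule_matches_bit_map(bit):
    """Cross-check key_schedule against subkey_bits: with only key bit `bit`
    set, exactly the subkeys whose bit set contains `bit` must be non-zero."""
    subkeys = key_schedule(1 << (127 - bit))
    for rnd in range(1, 10):
        for j in range(1, 5 if rnd == 9 else 7):
            if (subkeys[subkey_index(rnd, j)] != 0) != (bit in subkey_bits(rnd, j)):
                return False
    return True


if __name__ == "__main__":
    for rnd, ranges in key_schedule_table().items():
        print(f"round {rnd}: {ranges}")
    print("5.5-round attack key bits:", len(covered_bits(SUBKEYS_5_5_ROUND)))
    print("5-round attacks key bits:", len(covered_bits(SUBKEYS_5_ROUND_FIRST)),
          len(covered_bits(SUBKEYS_5_ROUND_SECOND)))
    print("LSB of Z_5^2 is key bit", lsb_position(2, 5))
```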
[Table 2. The Key-Schedule of IDEA: for each round $i$, the key bits of $Z$ that form $Z_1^i, \ldots, Z_6^i$]

In the MA layer, two intermediate values $p^i = Y_1^i \oplus Y_3^i$ and $q^i = Y_2^i \oplus Y_4^i$ are computed first. These two values are processed to give $u^i$ and $t^i$:

$$u^i = (p^i \odot Z_5^i) \boxplus t^i$$
$$t^i = ((p^i \odot Z_5^i) \boxplus q^i) \odot Z_6^i$$

We denote the intermediate value $p^i \odot Z_5^i$ by $s^i$ for convenience. The output of the MA layer is then permuted to give the output of this round, $(Y_1^i \oplus u^i, Y_3^i \oplus u^i, Y_2^i \oplus t^i, Y_4^i \oplus t^i)$, which is also the input of round $i+1$, denoted by $(X_1^{i+1}, X_2^{i+1}, X_3^{i+1}, X_4^{i+1})$. Complete diffusion, which means that every bit of $(X_1^{i+1}, X_2^{i+1}, X_3^{i+1}, X_4^{i+1})$ is affected by every bit of $(Y_1^i, Y_2^i, Y_3^i, Y_4^i)$, is obtained in the MA layer.

In this paper, we will use $P = (P_1, P_2, P_3, P_4)$ and $P' = (P_1', P_2', P_3', P_4')$ to denote a pair of plaintexts, where $P_i$ and $P_i'$ are 16-bit words. $C = (C_1, C_2, C_3, C_4)$ and $C' = (C_1', C_2', C_3', C_4')$ are their ciphertexts respectively. We also use the symbol $'$ to distinguish the intermediate values corresponding to $P'$ from those corresponding to $P$. For example, $s^i$ is obtained from plaintext $P$, and $P'$ will generate $s'^i$. The notation $\Delta$ will denote the XOR difference; for instance, $\Delta s^i$ is equal to $s^i \oplus s'^i$.

4 The Key-Dependent Distribution of IDEA

In this section, we describe the key-dependent distribution of the block cipher IDEA, which will be used in our attack later. The notation used is the same as in [6]. The Biryukov-Demirci relation was first proposed by Biryukov [16] and Demirci [13]. Many papers have discussed attacking IDEA using this relation, such as [1, 5, 6, 13, 16, 18]. The relation can be written in the following form (LSB denotes the least significant bit):

$$\begin{aligned}
\mathrm{LSB}(C_2 \oplus C_3) = \mathrm{LSB}(&P_2 \oplus P_3 \oplus Z_2^1 \oplus Z_3^1 \oplus s^1 \oplus Z_2^2 \oplus Z_3^2 \oplus s^2 \oplus Z_2^3 \oplus Z_3^3 \oplus s^3 \oplus Z_2^4 \oplus Z_3^4 \oplus s^4 \\
&\oplus Z_2^5 \oplus Z_3^5 \oplus s^5 \oplus Z_2^6 \oplus Z_3^6 \oplus s^6 \oplus Z_2^7 \oplus Z_3^7 \oplus s^7 \oplus Z_2^8 \oplus Z_3^8 \oplus s^8 \oplus Z_2^9 \oplus Z_3^9)
\end{aligned} \qquad (3)$$
It is shown in [5] that, for two pairs of plaintext and ciphertext $(P, C)$ and $(P', C')$, XORing their corresponding Biryukov-Demirci relations, we obtain from Equation (3)

$$\mathrm{LSB}(C_2 \oplus C_3 \oplus C_2' \oplus C_3') = \mathrm{LSB}(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus \Delta s^1 \oplus \Delta s^2 \oplus \Delta s^3 \oplus \Delta s^4 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7 \oplus \Delta s^8) \qquad (4)$$

We call Equation (4) the Biryukov-Demirci Equation. The following theorem shows that the probability distribution of $\mathrm{LSB}(\Delta s^i)$ in the Biryukov-Demirci Equation is a key-dependent distribution.

Theorem 2. Consider round $i$ of IDEA. If one pair of intermediate values $(p^i, p'^i)$ satisfies $\Delta p^i = 8000_x$, then the probability of $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ is

$$\mathrm{Prob}\big(\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)\big) = \frac{\#W}{2^{15}} \qquad (5)$$

where $W$ is the set of all 16-bit words $w$ such that $1 \le w \le 8000_x$ and $(w \odot^* Z_5^i) + (8000_x \odot^* Z_5^i) < 2^{16} + 1$, and $\odot^*$ is defined as

$$a \odot^* b = \begin{cases} a \odot b & \text{if } a \odot b \ne 0 \\ 2^{16} & \text{if } a \odot b = 0 \end{cases}$$

Proof. Consider every intermediate pair $(p^i, p'^i)$ which satisfies $\Delta p^i = 8000_x$, excluding $(0, 8000_x)$. We have $p^i = p'^i \oplus 8000_x$ or $p'^i = p^i \oplus 8000_x$. Without loss of generality, assume $p'^i = p^i \oplus 8000_x$, where $1 \le p^i < 8000_x$ and $8000_x < p'^i < 2^{16}$. If we consider only the least significant bit, $\mathrm{LSB}(s^i) = \mathrm{LSB}(p^i \odot^* Z_5^i)$. The following equations also hold:

$$\begin{aligned}
\mathrm{LSB}(s'^i) &= \mathrm{LSB}(p'^i \odot Z_5^i) = \mathrm{LSB}(p'^i \odot^* Z_5^i) = \mathrm{LSB}((p^i + 8000_x) \odot^* Z_5^i) \\
&= \mathrm{LSB}\big(((p^i \odot^* Z_5^i) + (8000_x \odot^* Z_5^i)) \bmod (2^{16}+1)\big)
\end{aligned} \qquad (6)$$

In the special case when $(p^i, p'^i)$ is $(0, 8000_x)$, let $p^i = 8000_x$ and $p'^i = 0$. Equations (6) also hold, because $p'^i = 0$ is actually treated as $2^{16}$ for inputs of $\odot$ and $\odot^*$.

If $(p^i \odot^* Z_5^i) + (8000_x \odot^* Z_5^i)$ is smaller than $2^{16}+1$, then $\mathrm{LSB}(s'^i) = \mathrm{LSB}(s^i) \oplus \mathrm{LSB}(8000_x \odot Z_5^i)$ holds because of the equivalence of XOR and modular addition for the least significant bit, and hence $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ is satisfied. Otherwise, $\mathrm{LSB}(s'^i)$ is equal to $\mathrm{LSB}(s^i) \oplus \mathrm{LSB}(8000_x \odot Z_5^i) \oplus 1$ because of the carry, so $\mathrm{LSB}(\Delta s^i)$ equals $\mathrm{LSB}(8000_x \odot Z_5^i) \oplus 1$. Therefore, we may conclude that $\mathrm{LSB}(\Delta s^i) = \mathrm{LSB}(8000_x \odot Z_5^i)$ if and only if the pair $(p^i, p'^i)$ satisfies $(w \odot^* Z_5^i) + (8000_x \odot^* Z_5^i) < 2^{16}+1$, where $w$ is whichever of $p^i$ and $p'^i$ lies between 1 and $8000_x$. There are at most $2^{15}$ such $w$, hence Equation (5) holds. This completes the proof.
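An added numerical check of Theorem 2 (example code, not from the paper): for a chosen subkey $Z_5$, the probability that $\mathrm{LSB}(\Delta s) = \mathrm{LSB}(8000_x \odot Z_5)$ is computed once by enumerating every pair with $\Delta p = 8000_x$ through the MA-layer multiplication, and once by the count $\#W$ of Equation (5); the two must agree for every $Z_5$. It also derives $\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)$, the quantity Figure 2 plots, and its distance from the random distribution used in Remark 1.

```python
# Added example (not from the paper): check Theorem 2 numerically.
# For a given subkey Z5, the probability that LSB(Δs) = LSB(8000x ⊙ Z5) over
# all pairs (p, p') with Δp = 8000x is computed two ways: by direct enumeration
# of the MA-layer multiplication, and by the count #W of Equation (5).

MOD = (1 << 16) + 1          # IDEA multiplies modulo 2^16 + 1
HALF = 0x8000                # the input difference 8000x of Theorem 2


def mul_star(a, b):
    """a ⊙* b: IDEA multiplication with 0 read as 2^16 on input and the result
    kept as an integer in 1..2^16 (the paper's ⊙* keeps 2^16 instead of 0)."""
    a = a or (1 << 16)
    b = b or (1 << 16)
    return (a * b) % MOD


def mul(a, b):
    """a ⊙ b as a 16-bit word: like mul_star, but 2^16 is represented as 0."""
    return mul_star(a, b) & 0xFFFF


def prob_direct(z5):
    """Prob(LSB(Δs) = LSB(8000x ⊙ Z5)) by enumerating every pair with Δp = 8000x.

    Each unordered pair {p, p ⊕ 8000x} is counted once, via the member w that
    lies in 1..8000x (so the pair (0, 8000x) is counted through w = 8000x)."""
    target = mul(HALF, z5) & 1
    hits = 0
    for w in range(1, HALF + 1):
        s = mul(w, z5)
        s_prime = mul(w ^ HALF, z5)           # w ^ 8000x is 0 when w = 8000x
        if ((s ^ s_prime) & 1) == target:
            hits += 1
    return hits / (1 << 15)


def prob_theorem(z5):
    """Equation (5): #W / 2^15 with
    W = {w in 1..8000x : (w ⊙* Z5) + (8000x ⊙* Z5) < 2^16 + 1}."""
    t = mul_star(HALF, z5)
    count_w = sum(1 for w in range(1, HALF + 1) if mul_star(w, z5) + t < MOD)
    return count_w / (1 << 15)


def prob_lsb_one(z5):
    """Prob(LSB(Δs) = 1), the quantity plotted in Figure 2, from Theorem 2."""
    p = prob_theorem(z5)
    return p if (mul(HALF, z5) & 1) else 1.0 - p


def bias_from_random(z5):
    """min{Prob(LSB(Δs)=0), Prob(LSB(Δs)=1)}: 0.5 means indistinguishable from
    the random distribution, small values mean a strong key dependence."""
    p1 = prob_lsb_one(z5)
    return min(p1, 1.0 - p1)


if __name__ == "__main__":
    for z5 in (0x0001, 0x0003, 0x1234, 0xFFFF):
        print(f"Z5={z5:04x}: direct={prob_direct(z5):.5f} "
              f"theorem={prob_theorem(z5):.5f} "
              f"Prob(LSB(Δs)=1)={prob_lsb_one(z5):.5f} "
              f"bias={bias_from_random(z5):.5f}")
```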
[Fig. 2. The key-dependent distribution: $\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)$ plotted against the value of $Z_5$, together with the random distribution]

Remark 1. Figure 2 plots the relation between the subkey $Z_5$ and the probability of $\mathrm{LSB}(\Delta s) = 1$. As shown in Figure 2, for most $Z_5$ the probability of $\mathrm{LSB}(\Delta s) = 1$ is different from the random distribution. Hence, it is possible to perform the key-dependent attack on IDEA using this key-dependent distribution. For most $Z_5$, there are in general four cases for the probability of $\mathrm{LSB}(\Delta s) = 1$ as $Z_5$ grows from 0 to $2^{16}-1$, which can be roughly approximated as follows: $\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)$ is given by a separate expression in $Z_5$ for each value (00, 01, 10, 11) of the last two bits of $Z_5$. (7)

From Equation (7), the following approximation also holds for most $Z_5$: $\min\{\mathrm{Prob}(\mathrm{LSB}(\Delta s) = 0), \mathrm{Prob}(\mathrm{LSB}(\Delta s) = 1)\}$ is approximated by one expression in $Z_5$ when $\mathrm{LSB}(Z_5) = 0$ and by another when $\mathrm{LSB}(Z_5) = 1$. (8)

Calculation shows that for only 219 out of all $2^{16}$ possible $Z_5$, the approximation (Equation (7) or (8)) differs noticeably from the accurate probability. Equation (8) indicates that we can approximate the left hand side of Equation (8) by fixing several most significant bits and the least significant bit. In the following sections, we will show that we only
need to distinguish the approximate probability distribution from the random distribution. Hence, for most $Z_5$, this approximation is close enough to the accurate value. For $Z_5$ that cannot be approximated in this way, we use other methods to deal with this situation.

5 The Key-Dependent Attack on IDEA

In this section, we present two key-dependent attacks on reduced-round IDEA. In Section 5.1, we give a basic attack on the 5.5-round variant of IDEA and then extend it to the 6-round variant in Section 5.2. We also give two key-dependent attacks on 5-round IDEA starting from the first round in Section 5.3.

5.1 The Attack on the 5.5-Round Variant of IDEA

We first present a key-dependent attack on the 5.5-round variant of IDEA. The attack starts from the third round and ends before the MA layer of the eighth round. The main idea of this attack is to perform the key-dependent attack based on the key-dependent distribution of $\Delta s^4$ described in Theorem 2. Consider the 5.5-round variant of IDEA starting from the third round; the Biryukov-Demirci Equation can be rewritten as

$$\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus C_2 \oplus C_3 \oplus C_2' \oplus C_3' \oplus \Delta s^3 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7) \qquad (9)$$

where $P$ and $P'$ are equivalent to $X^3$ and $X'^3$, and $C$ and $C'$ are equivalent to $Y^8$ and $Y'^8$, by the variant of IDEA. We first construct a pair of plaintexts satisfying the specific constraint $\Delta p^4 = 8000_x$. The construction is based on the following lemma.

Lemma 1. For any $\alpha$, if two 16-bit words $x$ and $x'$ have the same least significant 15 bits, then $x \oplus \alpha$ and $x' \oplus \alpha$ have the same least significant 15 bits, and $x \boxplus \alpha$ and $x' \boxplus \alpha$ have the same least significant 15 bits.

Based on Lemma 1, the following proposition can be obtained.

Proposition 1. If a pair of intermediate values $Y^3$ and $Y'^3$ satisfy the following conditions:
a. $\Delta Y_1^3 = \Delta Y_3^3 = 0$
b. $\Delta Y_2^3 = 8000_x$
c. $Y_2^3 \oplus Y_4^3 = Y_2'^3 \oplus Y_4'^3$
then $\Delta s^3 = 0$ and the probability of $\mathrm{LSB}(\Delta s^4) = 0$ can be determined by Equation (5).

Proof. From Condition (a), $\Delta Y_1^3 = \Delta Y_3^3 = 0$, so $p^3$ is equal to $p'^3$. Then $\Delta s^3 = 0$ is quite straightforward. From Condition (c), $q^3$ is equal to $q'^3$.
If $p^3$ and $q^3$ are fixed, $u^3$ and $t^3$ are also fixed with respect to any $Z_5^3$ and $Z_6^3$. It indicates that $\Delta X_1^4 = \Delta Y_1^3 = 0$. Note that $Y_1^4$ and $Y_1'^4$ are the results of modular-multiplying $X_1^4$ and $X_1'^4$ with the same $Z_1^4$; hence $Y_1^4$ is equal to $Y_1'^4$. On the other hand, $\Delta Y_2^3 = 8000_x$ means that the least significant 15 bits of $Y_2^3$ are equal to those of $Y_2'^3$ and the most significant bits of $Y_2^3$ and $Y_2'^3$ are different. Because $u^3$ and $t^3$ are fixed, by Lemma 1, the least significant 15 bits of $X_3^4$ are equal to those of $X_3'^4$. Then $\Delta X_3^4$ is equal to $8000_x$, and $\Delta Y_3^4 = 8000_x$ is obtained by modular addition with the same $Z_3^4$. From $\Delta Y_1^4 = 0$ and $\Delta Y_3^4 = 8000_x$, $\Delta p^4$ is $8000_x$. By Theorem 2, the conclusion is obtained.
In our attack, we use the plaintext pairs satisfying Proposition 1. We obtain Condition (a) by letting $\Delta P_1 = \Delta P_3 = 0$. By Lemma 1, $P_2$ and $P_2'$ are fixed to have the same least significant 15 bits, and hence $\Delta Y_2^3 = 8000_x$. In order to fulfill Condition (c), we have to guess $Z_4^3$ and then, according to this guess, choose $P_4$ and $P_4'$ which satisfy $\Delta Y_4^3 = 8000_x$. By Proposition 1, $\Delta s^3$ is equal to zero. In order to get the right hand side of Equation (9), we still need to get $\Delta s^5$, $\Delta s^6$, $\Delta s^7$. We need to guess $Z_5^5$, $Z_1^6$, $Z_2^6$, $Z_5^6$, $Z_6^6$, $Z_1^7$, $Z_2^7$, $Z_3^7$, $Z_4^7$, $Z_5^7$, $Z_6^7$, $Z_1^8$, $Z_2^8$, $Z_3^8$, $Z_4^8$. As shown in [6], one can partially decrypt one pair of encryptions using these 15 subkeys to calculate the values of $\Delta s^5$, $\Delta s^6$, $\Delta s^7$. These 15 subkeys only take 103 key bits and also cover the subkey $Z_4^3$. Hence, for each guess of the 103 key bits, we can calculate the value of $\Delta s^4$ from a special pair of encryptions. We also note that these 103 bits also cover the subkey $Z_5^4$, which determines the key-dependent distribution of $\Delta s^4$ according to Theorem 2. Therefore, we can perform the key-dependent attack on the 5.5-round variant of IDEA. As described in Section 2, the key space can be divided into key-dependent subsets by the 103 key bits, each containing $2^{25}$ keys. For a key-dependent subset $(P, U)$, let $p$ denote the probability of $\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}(8000_x \odot Z_5^4)$. For simplicity, in the following analysis we assume that $p \le 0.5$; the case $p > 0.5$ is similar. Assume the size of the samples is $n$ pairs of encryptions that satisfy the specific constraint on this key-dependent subset, and $t$ of them satisfy $\mathrm{LSB}(\Delta s^4) = \mathrm{LSB}(8000_x \odot Z_5^4)$. The criterion for not rejecting the hypothesis is that $t$ is smaller than or equal to a fixed value $k$.
The probability of a Type I error is

$$\alpha = \sum_{i=k+1}^{n} \binom{n}{i} p^i (1-p)^{n-i}$$

and the probability of a Type II error is

$$\beta = \sum_{i=0}^{k} \binom{n}{i} 0.5^n$$

If $(P, U)$ is a wrong key-dependent subset, the expected time complexity of checking this subset is

$$W = 2n + \beta \cdot 2^{25} \qquad (10)$$

As shown in Section 2, the attack sets $\alpha$ smaller than or equal to 0.01 to ensure that the probability of false rejection will not exceed 0.01. Under this precondition, the attack chooses $n$ and $\beta$ so that $\alpha < 0.01$ and minimizes Equation (10), to minimize the time complexity on each key-dependent subset $(P, U)$. By Section 2, we minimize the total expected time complexity with this method. Because this choice is related only to the subkey $Z_5^4$, we only need to get $n$ and $k$ for $2^{16}$ different values. For example, for a key-dependent subset $(P, U)$ with $Z_5^4 = 8001_x$, $p$ is about . The attack checks every possible $n$ and $k$ to find the minimal expected time complexity of the individual attack for this subset. As shown in Section 2, the expected time complexity for each subset is upper bounded by exhaustive search on the subset, which is $2^{25}$ in this attack. Hence, the attack only checks the $n$ and $k$ smaller than this bound. The expected time is minimized under the precondition $\alpha < 0.01$ when $n = 425$ and $k = 164$. In this case, $\alpha$, $\beta$ and $W$ follow from these parameters. Since all the key-dependent subsets have the same key fraction, the order of performing individual attacks with minimal expected time complexity becomes the ascending order of $W$ for all key-dependent subsets, by Theorem 1. Figure 3 plots the number of encryptions used and the expected time complexity for all the individual attacks.
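As an added illustration (example code, not the paper's), the parameter search of this section and the ordering rule of Theorem 1 from Section 2: `error_rates` gives $\alpha$ and $\beta$ for a count threshold $k$, `choose_parameters` minimizes Equation (10) subject to $\alpha \le 0.01$, `theorem1_order` sorts subsets by $f_i / W_i$, and `total_expected_time` evaluates Equation (2) for any visiting order so the rule can be checked against brute force. The per-pair probability `q` (the text's $p$, folded to $\min(p, 1-p)$ so one code path covers both cases), the subset size $2^{25}$ and the `n_max` search bound are inputs; the demo values `q = 0.4` and the four-subset fractions are constructed.

```python
# Added example (not from the paper): the parameter search of Section 5.1 and
# the ordering rule of Theorem 1 (Section 2). `q` is the probability that one
# sample pair shows the key-dependent event (p in the text; the p > 0.5 case is
# folded in by counting the complementary event, so q = min(p, 1 - p)).
import itertools
import math


def binomial_pmf(n, q):
    """Probabilities of i = 0..n successes in n Bernoulli(q) trials."""
    return [math.comb(n, i) * q ** i * (1.0 - q) ** (n - i) for i in range(n + 1)]


def error_rates(n, k, q):
    """(alpha, beta) for 'do not reject if at most k of n samples hit':
    alpha = Prob(t > k | key-dependent, rate q), beta = Prob(t <= k | random)."""
    dep = binomial_pmf(n, q)
    rnd = binomial_pmf(n, 0.5)
    return sum(dep[k + 1:]), sum(rnd[:k + 1])


def choose_parameters(q, subset_size, n_max, alpha_max=0.01):
    """Smallest W = 2n + beta*|U| (Equation (10)) over n <= n_max, k <= n with
    alpha <= alpha_max; returns (n, k, W, alpha, beta). Falls back to plain
    exhaustive search (n = k = 0, W = |U|) when testing would be slower."""
    best = (0, 0, float(subset_size), 0.0, 1.0)
    for n in range(1, n_max + 1):
        dep = binomial_pmf(n, q)
        rnd = binomial_pmf(n, 0.5)
        alpha, beta = 1.0, 0.0
        for k in range(n + 1):           # running sums: alpha drops, beta grows
            alpha -= dep[k]
            beta += rnd[k]
            if alpha > alpha_max + 1e-12:
                continue
            w = 2 * n + beta * subset_size
            if w < best[2]:
                best = (n, k, w, alpha, beta)
    return best


def total_expected_time(order, f, r, w, alpha):
    """Equation (2) for subsets visited in `order` (a permutation of indices)."""
    phi = 0.0
    for pos, i in enumerate(order):
        before = sum(w[j] for j in order[:pos])        # searched before i
        after = sum(w[j] for j in order[pos + 1:])     # searched only on a miss
        phi += f[i] * (r[i] + before + alpha * after)
    return phi


def theorem1_order(f, w):
    """Visit subsets in non-increasing f_i / W_i, the Theorem 1 condition."""
    return sorted(range(len(f)), key=lambda i: -f[i] / w[i])


def best_order_by_brute_force(f, r, w, alpha):
    """Minimum of Equation (2) over every permutation (small m only)."""
    return min(total_expected_time(list(p), f, r, w, alpha)
               for p in itertools.permutations(range(len(f))))


if __name__ == "__main__":
    # Constructed illustration: a subset of 2^25 keys whose key-dependent
    # event has probability q = 0.4 per pair, searched up to n = 300 pairs.
    n, k, w, alpha, beta = choose_parameters(0.4, 1 << 25, 300)
    print(f"n={n} k={k} alpha={alpha:.4f} beta={beta:.4f} W=2^{math.log2(w):.2f}")
    # Constructed illustration of Theorem 1 with four subsets.
    f = [0.5, 0.25, 0.125, 0.125]
    w_sub = [10.0, 2.0, 4.0, 1.0]
    r_sub = [5.0, 1.0, 2.0, 1.0]
    order = theorem1_order(f, w_sub)
    print("order:", order, "Phi:", total_expected_time(order, f, r_sub, w_sub, 0.01),
          "brute force:", best_order_by_brute_force(f, r_sub, w_sub, 0.01))
```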
[Fig. 3. The number of encryptions used and the expected time complexity $W$ of the individual attacks, plotted against the $i$-th individual attack in performing order]

The total expected time complexity of the attack, described by Equation (2), becomes (with $m = 2^{103}$ subsets and $f_i = 2^{-103}$ for every subset)

$$\begin{aligned}
\Phi &= \sum_{i=1}^{m} f_i R_i + \sum_{i=1}^{m}\Big(\sum_{j=1}^{i-1} f_i W_j\Big) + \alpha\sum_{i=1}^{m}\Big(\sum_{j=i+1}^{m} f_i W_j\Big) \\
&= \frac{1}{2^{103}}\Big(\sum_{i=1}^{2^{103}} R_i + \sum_{i=1}^{2^{103}}\sum_{j=1}^{i-1} W_j + \alpha\sum_{i=1}^{2^{103}}\sum_{j=i+1}^{2^{103}} W_j\Big) \\
&= \frac{1}{2^{103}}\sum_{i=1}^{2^{103}}\Big(R_i + \big((2^{103} - i) + \alpha(i-1)\big) W_i\Big)
\end{aligned}$$

The attack attains this expected time with 99% success probability if it chooses $n$ and $\beta$ for each key-dependent subset and determines the order of performing individual attacks as shown above. The number of pairs needed in one test is about $2^{19}$ in the worst case. The attack uses a set of $2^{21}$ plaintexts, which can provide $2^{20}$ plaintext pairs satisfying the conditions in Proposition 1 for each key-dependent subset. The attack is summarized as follows:
1. For every possible $Z_5^4$, calculate the corresponding number of plaintext pairs needed, $n$, and the criterion for not rejecting the hypothesis, $k$.
2. Let $S$ be an empty set. Randomly enumerate a 16-bit word $s$, and insert $s$ and $s \oplus 8000_x$ into the set $S$. Repeat this enumeration until $S$ contains $2^5$ different words. Ask for the encryption of all the plaintexts of the form $(A, B, C, D)$, where $A$ and $C$ are fixed to two arbitrary constants, $B$ takes all the values in $S$ and $D$ takes all $2^{16}$ possible values.
3. Enumerate the key-dependent subsets in ascending order of $W$:
   (a) Randomly choose a set of plaintext pairs with cardinality $n$ from the known encryptions. The plaintext pairs must satisfy the requirements of Proposition 1.
   (b) Partially decrypt all the selected encryption pairs and count the occurrences of $\mathrm{LSB}(\Delta s^4) = 1$.
   (c) Test the hypothesis. If the hypothesis is not rejected, perform an exhaustive search for the remaining 25 key bits.

5.2 The Attack on the 6-Round Variant of IDEA

We now extend the 5.5-round attack to an attack on the 6-round variant of IDEA starting before the MA layer of the second round. The data complexity of the attack is $2^{49}$, and the time complexity is the same as that of the 5.5-round attack. As shown in [6], $Z_5^2$ and $Z_6^2$ are included in the 103 key bits of the 5.5-round attack. Hence, we can add this half round to the 5.5-round attack without enlarging the time complexity. It is more difficult to construct right plaintext pairs satisfying Proposition 1. Consider a pair of intermediate values $X^3$ and $X'^3$ before the third round which satisfy Proposition 1. If we partially decrypt $X^3$ and $X'^3$ using any possible $Z_5^2$ and $Z_6^2$, the only fact we know is that all the results have the same XOR of the first and third words. The attack hence selects all the plaintexts $P$ where the least significant 15 bits of $P_1 \oplus P_3$ are fixed to an arbitrary 15-bit constant. The total number of selected plaintexts is $2^{49}$. It is possible to provide $2^{48}$ plaintext pairs satisfying the conditions in Proposition 1 in the test for any $Z_5^2$, $Z_6^2$ and $Z_4^3$. This number is sufficient in any situation.
5.3 Two Key-Dependent Attacks on 5-Round IDEA Starting From the First Round

We apply the key-dependent attack to 5-round IDEA starting from the first round. The Biryukov-Demirci Equation is reduced to

$$\mathrm{LSB}(\Delta s^2) = \mathrm{LSB}(P_2 \oplus P_3 \oplus P_2' \oplus P_3' \oplus C_2 \oplus C_3 \oplus C_2' \oplus C_3' \oplus \Delta s^1 \oplus \Delta s^3 \oplus \Delta s^4 \oplus \Delta s^5) \qquad (11)$$

We choose the plaintext pairs to satisfy Proposition 1 before the first round by guessing $Z_4^1$, and then $\Delta s^1$ is equal to 0 as shown in Section 5.1. In order to determine the right hand side of Equation (11), we need to know $Z_5^3$, $Z_1^4$, $Z_2^4$, $Z_5^4$, $Z_6^4$, $Z_1^5$, $Z_2^5$, $Z_3^5$, $Z_4^5$, $Z_5^5$, $Z_6^5$. These 12 subkeys take 119 bits from the key $Z$. These 119 bits only cover the most significant nine bits of $Z_5^2$, which determines the probability distribution of $\mathrm{LSB}(\Delta s^2)$. It is not necessary to guess the complete subkey $Z_5^2$. The attack continues to guess the least significant bit of $Z_5^2$ (the 72nd bit of $Z$), and estimates the probability of $\mathrm{LSB}(\Delta s^2) = 1$ by Remark 1 instead. Hence, the attack divides the key space into key-dependent subsets by the 120 key bits, and performs the individual attacks on each key-dependent subset. The attack uses the statistical hypothesis test method to determine which subset
the actual key is in. For the subkeys $Z_5^2$ for which $\mathrm{Prob}(\mathrm{LSB}(\Delta s^2) = 1)$ cannot be approximated by Remark 1, as shown in Section 4, the attack exhaustively searches the remaining key bits. In this attack, it is possible that the expected time of the individual attack is larger than exhaustively searching directly for some key-dependent subsets, which means $2n + \beta \cdot 2^{8} \ge 2^{8}$. Under this condition, the attack also uses exhaustive key search to determine the remaining eight key bits, to make sure the time needed does not exceed exhaustive search. This attack also chooses $\alpha \le 0.01$ to ensure that the attack succeeds with 99% probability. In this case, the total expected time complexity is encryptions. Our experiment shows that the attack needs at most 75 pairs of encryptions for one test. We ask for $2^{17}$ encryptions, which can provide $2^{16}$ pairs of encryptions, which is sufficient for the test. This data complexity ($2^{17}$) is the least out of all the known attacks on 5-round IDEA starting from the first round.

In the second attack, we try to obtain the plaintext pairs satisfying Proposition 1 before the second round. In order to determine $\mathrm{LSB}(\Delta s^3)$, we need to know the least significant bits of $\Delta s^1$, $\Delta s^2$, $\Delta s^4$ and $\Delta s^5$. Hence, the subkeys we need to know are $Z_1^1, Z_2^1, Z_3^1, Z_4^1, Z_5^1, Z_6^1, Z_4^2, Z_5^3, Z_5^4, Z_1^5, Z_2^5, Z_5^5$ and $Z_6^5$. These 13 subkeys only cover 107 bits of the key $Z$ (bits 0-106). For every guess of the 107 key bits, we use a similar technique as before. The expected time complexity is , which is the least time complexity out of all the known attacks on 5-round IDEA starting from the first round. Because it is not possible to predict the plaintext pairs which produce the intermediate pairs satisfying Proposition 1 before the second round, the encryptions of all the $2^{64}$ plaintexts are required.

6 Conclusions

In this paper, we formalized a scheme of identifying the actual key using the key-dependent distribution, called the key-dependent attack. How to minimize the time complexity of the key-dependent attack was also discussed.
With the key-dependent attack, we could improve known cryptanalysis results and obtain more powerful attacks. We presented two key-dependent attacks on IDEA. Our attacks on the 5.5-round and 6-round variants of IDEA have the least time and data complexities compared with the previous attacks. We only implemented a tentative exploration of the key-dependent distribution. How to make full use of the key-dependent distribution, especially how to use it to improve existing attacks, is worth further study. The attack on IDEA makes use of the relation between XOR, modular addition and modular multiplication. We believe that the operations XOR and modular multiplication have more properties that can be explored further [10]. Similar relations among other operations are also valuable to research. The way of making full use of the Biryukov-Demirci Equation to improve attacks on IDEA is also interesting.
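The key-bit counts quoted in Section 5.3 (119 bits that fix only the nine most significant bits of Z^2_5, the 72nd key bit as its least significant bit, and 107 bits for the second attack) are pure key-schedule bookkeeping, and they decide whether an individual attack on a key-dependent subset is cheaper than exhaustive search. The Python script below is an added example, not code from the paper, that reproduces these counts. It assumes the standard IDEA key schedule (subkeys are consecutive 16-bit words of the 128-bit key; after every eight subkeys the key is rotated left by 25 bits; 52 subkeys in all), key bits numbered 0 to 127 from the most significant bit, and the pair (r, i) standing for Z^r_i, the i-th subkey of round r. The function names, the two subkey lists (read from the passage above, whose extracted notation is ambiguous) and the reading of the duplicated entry in the second list as Z^5_1 are this example's own assumptions.

```python
# Added example (not the paper's code): reproduce the key-bit bookkeeping of
# the two 5-round attacks in Section 5.3 from the IDEA key schedule.
# Assumptions: standard IDEA key schedule (subkeys are consecutive 16-bit
# words of the 128-bit key; after every eight subkeys the key is rotated left
# by 25 bits; 52 subkeys in all), key bits numbered 0..127 from the most
# significant bit, and (r, i) denoting subkey Z^r_i, the i-th subkey of round
# r, with the output transformation counted as round 9. Function names and
# the two subkey lists below are this example's own.

KEY_BITS = 128
SUBKEY_BITS = 16
ROTATION = 25
SUBKEYS_PER_ROUND = 6


def subkey_bits(r, i):
    """Key-bit positions (most significant first) occupied by Z^r_i."""
    last_index = 4 if r == 9 else SUBKEYS_PER_ROUND
    if not (1 <= r <= 9 and 1 <= i <= last_index):
        raise ValueError(f"IDEA has no subkey Z^{r}_{i}")
    seq = SUBKEYS_PER_ROUND * (r - 1) + (i - 1)   # 0-based order of generation
    # Each block of eight subkeys is read from the key after one more left
    # rotation by 25 bits, so block seq // 8 starts at key bit 25 * (seq // 8).
    offset = (ROTATION * (seq // 8) + SUBKEY_BITS * (seq % 8)) % KEY_BITS
    return [(offset + b) % KEY_BITS for b in range(SUBKEY_BITS)]


def covered_bits(subkeys):
    """Sorted union of the key bits fixed by guessing every subkey in `subkeys`."""
    fixed = set()
    for r, i in subkeys:
        fixed.update(subkey_bits(r, i))
    return sorted(fixed)


def uncovered_bits(subkeys):
    """Key bits that guessing `subkeys` leaves undetermined."""
    return sorted(set(range(KEY_BITS)) - set(covered_bits(subkeys)))


def known_part(r, i, subkeys):
    """For each bit of Z^r_i (MSB first): is it already fixed by guessing `subkeys`?"""
    fixed = set(covered_bits(subkeys))
    return [b in fixed for b in subkey_bits(r, i)]


# Subkeys listed for the first attack (as read from the passage; the
# extracted notation there is ambiguous, so this list is an assumption).
FIRST_ATTACK = [(3, 5), (4, 1), (4, 2), (4, 5), (4, 6),
                (5, 1), (5, 2), (5, 3), (5, 4), (5, 5), (5, 6)]

# Subkeys listed for the second attack (the duplicated entry read as Z^5_1).
SECOND_ATTACK = [(1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6),
                 (2, 4), (3, 5), (4, 5), (5, 1), (5, 2), (5, 5), (5, 6)]


if __name__ == "__main__":
    print("first attack fixes", len(covered_bits(FIRST_ATTACK)), "key bits;",
          "undetermined:", uncovered_bits(FIRST_ATTACK))
    print("Z^2_5 occupies key bits", subkey_bits(2, 5))
    print("bits of Z^2_5 already fixed:", known_part(2, 5, FIRST_ATTACK))
    second = covered_bits(SECOND_ATTACK)
    print("second attack fixes", len(second), "key bits:", second[0], "to", second[-1])
```

Running the script shows the first list fixing 119 key bits and leaving bits 66 to 74 open, with Z^2_5 sitting at bits 57 to 72, so exactly its nine most significant bits are already determined and its least significant bit is key bit 72; the second list fixes bits 0 to 106, i.e. 107 bits. The same bookkeeping gives, for any candidate set of subkeys, how many key bits remain for the exhaustive-search step that each key-dependent subset falls back on.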
References

1. Eyüp Serdar Ayaz and Ali Aydın Selçuk. Improved DST Cryptanalysis of IDEA. In Eli Biham and Amr M. Youssef, editors, Selected Areas in Cryptography, volume 4356 of Lecture Notes in Computer Science. Springer.
2. Ishai Ben-Aroya and Eli Biham. Differential Cryptanalysis of Lucifer. J. Cryptology, 9(1):21-34.
3. Eli Biham, Alex Biryukov, and Adi Shamir. Miss in the Middle Attacks on IDEA and Khufu. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
4. Eli Biham, Orr Dunkelman, and Nathan Keller. Related-Key Boomerang and Rectangle Attacks. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science. Springer.
5. Eli Biham, Orr Dunkelman, and Nathan Keller. New Cryptanalytic Results on IDEA. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science. Springer.
6. Eli Biham, Orr Dunkelman, and Nathan Keller. A New Attack on 6-Round IDEA. In Alex Biryukov, editor, FSE, volume 4593 of Lecture Notes in Computer Science. Springer.
7. Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. In Alfred Menezes and Scott A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science. Springer.
8. Alex Biryukov, Jorge Nakahara Jr., Bart Preneel, and Joos Vandewalle. New Weak-Key Classes of IDEA. In Robert H. Deng, Sihan Qing, Feng Bao, and Jianying Zhou, editors, ICICS, volume 2513 of Lecture Notes in Computer Science. Springer.
9. Johan Borst, Lars R. Knudsen, and Vincent Rijmen. Two Attacks on Reduced IDEA. In Walter Fumy, editor, EUROCRYPT, volume 1233 of Lecture Notes in Computer Science. Springer.
10. Scott Contini, Ronald L. Rivest, Matthew J. B. Robshaw, and Yiqun Lisa Yin. Improved Analysis of Some Simplified Variants of RC6. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
11. Joan Daemen, René Govaerts, and Joos Vandewalle. Weak Keys for IDEA. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science. Springer.
12. Hüseyin Demirci. Square-like Attacks on Reduced Rounds of IDEA. In Kaisa Nyberg and Howard M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science. Springer.
13. Hüseyin Demirci, Ali Aydın Selçuk, and Erkan Türe. A New Meet-in-the-Middle Attack on the IDEA Block Cipher. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography, volume 3006 of Lecture Notes in Computer Science. Springer.
14. Philip Hawkes. Differential-Linear Weak Key Classes of IDEA. In Kaisa Nyberg, editor, EUROCRYPT, volume 1403 of Lecture Notes in Computer Science. Springer.
15. Philip Hawkes and Luke O'Connor. On Applying Linear Cryptanalysis to IDEA. In Kwangjo Kim and Tsutomu Matsumoto, editors, ASIACRYPT, volume 1163 of Lecture Notes in Computer Science. Springer.
16. Jorge Nakahara Jr., Bart Preneel, and Joos Vandewalle. The Biryukov-Demirci Attack on Reduced-Round Versions of IDEA and MESH Ciphers. In Huaxiong Wang, Josef Pieprzyk, and Vijay Varadharajan, editors, ACISP, volume 3108 of Lecture Notes in Computer Science. Springer.
17. Pascal Junod. On the Optimality of Linear, Differential, and Sequential Distinguishers. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science. Springer.
18. Pascal Junod. New Attacks Against Reduced-Round Versions of IDEA. In Henri Gilbert and Helena Handschuh, editors, FSE, volume 3557 of Lecture Notes in Computer Science. Springer.
19. John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science. Springer.
20. Lars R. Knudsen and Vincent Rijmen. On the Decorrelated Fast Cipher (DFC) and Its Theory. In Lars R. Knudsen, editor, FSE, volume 1636 of Lecture Notes in Computer Science. Springer.
21. Xuejia Lai. On the Design and Security of Block Ciphers. ETH Series in Information Processing, Konstanz: Hartung-Gorre Verlag.
22. Xuejia Lai and James L. Massey. A Proposal for a New Block Encryption Standard. In Ivan Damgård, editor, EUROCRYPT, volume 473 of Lecture Notes in Computer Science. Springer.
23. Mitsuru Matsui. Linear Cryptoanalysis Method for DES Cipher. In G. Goos and J. Hartmanis, editors, EUROCRYPT, volume 765 of Lecture Notes in Computer Science. Springer, 1993.
24. Willi Meier. On the Security of the IDEA Block Cipher. In G. Goos and J. Hartmanis, editors, EUROCRYPT, volume 765 of Lecture Notes in Computer Science. Springer.
25. Håvard Raddum. Cryptanalysis of IDEA-X/2. In Thomas Johansson, editor, FSE, volume 2887 of Lecture Notes in Computer Science, pages 1-8. Springer, 2003.