Improved Integral Cryptanalysis of FOX Block Cipher 1
|
|
- Briana Poppy Sherman
- 5 years ago
- Views:
Transcription
1 Improved Integral Cryptanalyss of FOX Block Cpher 1 Wu Wenlng, Zhang Wentao, and Feng Dengguo State Key Laboratory of Informaton Securty, Insttute of Software, Chnese Academy of Scences, Bejng , P. R. Chna E-mal:{wwl}@s.scas.ac.cn Abstract. FOX s a new famly of block cphers presented recently, whch s based upon some results on proven securty and has hgh performances on varous platforms. In ths paper, we construct some dstngushers between 3-round FOX and a random permutaton of the blocks space. By usng ntegral attack and collson-searchng technques, the dstngushers are used to attack on 4, 5, 6 and 7-round of FOX64, 4 and 5-round FOX128. The attack s more effcent than prevous ntegral attack on FOX. The complexty of mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s on 4- round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7-round FOX64 respectvely. Therefore, 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192, 7-round FOX64/256 and 5-round FOX128/256 are not mmune to the attack n ths paper. Key words: Block cpher; FOX; Data complexty; Tme complexty; Integral Cryptanalyss. 1 Introducton FOX [1] s a new famly of block cphers, whch s the result of a jont project wth the company MedaCrypt [2] AG n Zurch, Swtzerland. Fox has two versons, both have a varable number rounds whch depends on keysze: the frst one FOX64/k/r has a 64-bt blocksze wth a varable key length whch s a multple of 8 and up to 256 bts. The second one FOX128/k/r uses a 128-bt blocksze wth the same possble key lengths. For FOX64 wth k=128 and FOX128 wth k=256, the desgners advse that round number are both 16. The hgh level of FOX adopts a modfed structure of La-Massey Scheme [3], whch can be proven to have good pseudorandomness propertes n the Luby-Rackoff paradgm and decorrelaton nhertance propertes proposed by Vaudenay [4]. The round functon of FOX uses SP S (Substtuton-Permutaton-Substtuton) structure 1 Supported partally by the Natonal Natural Scence Foundaton of Chna under Grant No ; the Natonal Basc Research 973 Program of Chna under Grant No.2004CB318004;and the Natonal Hgh-technque 863 Program of Chna under Grant No.2003AA14403
2 wth three layers of subkey addton, SP S structure has already been proven to have powerful ablty to resst dfferental and lnear cryptanalyss. The desgn ratonale of dffuson prmtves n FOX s presented n Ref.[5]. The key schedule of FOX s very complex compared wth other exstng block cphers, each subkey of FOX s related to the seed key and t s very dffcult to acqure nformaton about seed key or other subkeys from some certan subkeys. The complex key schedule, hgh-level structure wth provable securty and powerful round functon make FOX appear to be a strong block cpher. Snce FOX s a new cpher publshed last year, all we know about ts securty analyss are lmted to be the desgner s results and the ntegral cryptanalyss presented n Ref.[6]. The securty of FOX aganst dfferental and lnear cryptanalyss s easy to estmate for the good property of ts S-box, SPS transformaton and hgh level structures. The desgners also analyze the securty of FOX aganst dfferental-lnear cryptanalyss [7,8], boomerang [9] and rectangle attacks [10], truncated and hgher-order dfferentals [11], mpossble dfferentals [12],and parttonng cryptanalyss [13,14], algebrac attack [15,16], slde attack [17,18], and relatedcpher attacks [19]. Integral attack [20] s one of the most effectve attack method aganst AES, whch had been used to analyze the securty of other cphers [20,21]. It s ponted n Ref.[1] that ntegral attack has a complexty of 2 72 encryptons aganst 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64. The authors also clamed that ntegral attack has a complexty of encryptons aganst 4-round FOX128,and 5-round FOX128 s mmune to ntegral attack. In ths paper, we combne collson technque and ntegral attack to analyze the securty of FOX. The mproved ntegral attack on FOX s more effcent than known ntegral attack. The complexty of our mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s on 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7- round FOX64 respectvely. Ths paper s organzed as follows: Secton 2 brefly ntroduces the structure of FOX round dstngushers are presented n secton 3. In secton 4, we show how to use the 3-round dstngushers to attack 4 and 5 rounds of FOX128. In secton 5, we brefly ntroduce the attacks on 4,5,6 and 7 rounds of FOX64. and Secton 6 concludes the paper. 2 Descrpton of FOX The dfferent members of FOX famly are denoted as follows: Name Block sze Key sze Round number FOX FOX FOX64/k/r 64 k r FOX128/k/r 128 k r In FOX64/k/r and FOX128/k/r, the round number r must satsfy 12 r 255,
3 whle the key length k must satsfy 0 k 256, wth k multple of 8. Due to space lmtaton, we only ntroduce FOX128 brefly. Detals are shown n Ref.[1] 2.1 Round Functon f64 The round functon f64 conssts of three man parts: a substtuton part denoted sgma8, a dffuson part denoted MU8, and a round key addton part (see Fg.1). Formally, the -th round functon f64 takes a 64-bt nput X (64) = X 0(8) X 1(8) X 7(8), a 128-bt round key RK (128) = RK0 (64) RK1 (64) and returns Y (64) = Y 0(8) X 7(8) = sgma8(mu8(sgma8(x (64) RK0 (64))) RK1 (64)) RK0 (64). The mappng sgma8 conssts of 8 parallel computatons of a non-lnear bjectve mappng(see the table n Ref.[1]). MU8 consders an nput (Z 0(8) Z 7(8) ) as a vector (Z 0(8) Z 7(8) ) T over GF (2 8 ) and multply t wth a matrx to obtan an output vector of the same sze. The matrx s the followng: a 1 a b c d e f 1 a b c d e f 1 1 b c d e f 1 a 1 c d e f 1 a b 1 d e f 1 a b c 1 e f 1 a b c d 1 f 1 a b c d e 1 where a = α + 1, b = α 7 + α, c = α, d = α 2, e = α 7 + α 6 + α 5 + α 4 + α 3 + α 2 and f = α 6 + α 5 + α 4 + α 3 + α 2 + α. α s a root of the rreducble polynomal m(x) = x 8 + x 7 + x 6 + x 5 + x 4 + x Encrypton of FOX128 FOX128 s the 15-tmes teraton of round transformaton elmor128, followed by the applcaton of last round transformaton called elmd128. elmor128, llustrated n Fg.2, s bult as an Extended La-Massey scheme combned wth wth two orthomorphsms or. The -th round transformaton elmor128 transforms a 128-bt nput LL LR RL RR and a 128-bt round key RK (128) n a 128-bt output LL +1 LR+1 RL+1 RR+1. Let LL LR RL RR = X (64) = X0(8) X 1(8) X7(8)) and f64 (X(64), RK(128)) = φ L φ R. Then, LL +1 LR+1 RL+1 RR+1 = or(ll φ L) LR φ L or(rl φ R) RR φ R. The elmd128 functon s a slghtly modfed verson of elmor128, namely the two transformatons or are replaced by two dentty transformaton. The transformaton or s a functon takng a 32-bt nput X = X 0(16) X 1(16) and returnng a 32-bt output Y = Y 0(16) Y 1(16) whch s n fact a one-round Festel
4 X X X X X X X X 0(8) 1(8) 2(8) 3(8) 4(8) 5(8) 6(8) 7(8) RK0 (64) S S S S S S S S MU8 RK1 (64) S S S S S S S S RK0 (64) Y0(8) Y 1(8) Y 2(8) Y 3(8) Y 4(8) Y5(8) Y6(8) Y7(8) Fg. 1. The -th Round Functon of FOX128 LL LR RL RR f64 RK(128) or or 1 LL 1 LR RL 1 1 RR Fg. 2. The -th Round Transformaton elmor128
5 scheme wth the dentty functon as round functon; t s defned as Y 0(16) Y 1(16) = X 1(16) (X 0(16) X 1(16) ) The encrypton C 128 by FOX128 of a 128-bt plantext P 128 s defned as C 128 = elmd128(elmor128(... (elmor128(p 128, RK 1 (128)),..., RK 15 (128))RK 16 (128)) where RK 1 (128),..., RK 16 (128) are round subkeys produced by the key schedule algorthm out of the user key. In ths paper, subkeys are assumed to be ndependent of each other. So we omt the key schedule of FOX n ths paper. 3 3-Round Dstngushers Choose plantexts P (128) = LL 1 LR 1 RL 1 RR 1 as follows: LL 1 = LR 1 = c c c c, RL 1 = RR 1 = c c c x. where x take values n {0, 1} 8, c s a constant n {0, 1} 8. Thus, the nput of the frst round functon f64 1 s X 1 (64) = Let f64 1 ( ) = (a 0 a 1... a 7), where a (0 7) are entrely determned by round subkey RK 1 (128), so a (0 7) are constants when the user key s fxed. Then the output of the 1st round can be wrtten as follows: LL 2 = a 2 c a 3 c a 0 a 2 a 1 a 3, LR 2 = a 0 c a 1 c a 2 c a 3 c, RL 2 = a 6 c a 7 x a 4 a 6 a 5 a 7 x c, LR 2 = a 4 c a 5 c a 6 c a 7 x, Therefore, the nput of the 2nd round functon f64 2 s the followng: X 2 (64) = X0(8) X 2 2 1(8)... X7(8). 2 X 2 0(8) = a 0 a 2, X 2 4(8) = a 4 a 6, X 2 1(8) = a 1 a 3, X 2 5(8) = a 5 a 7 c x, X 2 2(8) = a 0 c, X 2 6(8) = a 4 c, X 2 3(8) = a 1 c, X 2 7(8) = a 5 c. Let f64 2 (X 2 (64)) = (y 0 y 1... y 7), then the output of the 2nd round can be wrtten as follows: LL 3 = y 2 a 0 a 2 y 3 a 1 a 3 y 0 y 2 a 0 c y 1 y 3 a 1 c, LR 3 = y 0 a 0 c y 1 a 1 c y 2 a 2 c y 3 a 3 c, RL 3 = y 6 a 4 a 6 y 7 a 5 a 7 c x y 4 y 6 a 4 c y 5 y 7 a 5 c, RR 2 = y 4 a 4 c y 5 a 5 c y 6 a 6 c y 7 a 7 x. So the nput of the 3rd round functon f64 3 s the followng: X 3 (64) = X 3 0(8) X 3 1(8)... X 3 7(8).
6 c c c c c c c c c c c x c c c x f a a a a a a a a or f64 2 a a a a a c a c a a a a c x a c a c y y y y y y y y or f64 3 y y a c y y a c y a a y a a y y a c y y a x y a a y x a a c or u u u u u u u u v v v v v v v v Fg Round Dstngushers of FOX128
7 X 3 0(8) = y 0 y 2 a 2 c, X 3 4(8) = y 4 y 6 a 6 c, X 3 1(8) = y 1 y 3 a 3 c, X 3 5(8) = y 5 y 7 a 7 x, X 3 2(8) = y 0 a 0 a 2, X 3 6(8) = y 4 a 4 a 6, X 3 3(8) = y 1 a 1 a 3, X 3 7(8) = y 5 x a 5 a 7. By observng the hgh-level structure of FOX128, we get or 1 (LL 4 ) LR 4 = X 3 0(8) X 3 1(8) X 3 2(8) X 3 3(8), or 1 (RL 4 ) RR 4 = X 3 4(8) X 3 5(8) X 3 6(8) X 3 7(8). From the defnton of or 1, we have or 1 (LL 4 ) = LL 4 0(8) LL 4 2(8) LL 4 1(8) LL 4 3(8) LL 4 0(8) LL 4 1(8), or 1 (RL 4 ) = RL 4 0(8) RL 4 2(8) RL 4 1(8) RL 4 3(8) RL 4 0(8) RL 4 1(8), Thus,we have the followng from the above equatons. Further we have the followng: LL 4 0(8) LL 4 2(8) LR 4 0(8) = y 0 y 2 a 2 c, LL 4 1(8) LL 4 3(8) LR 4 1(8) = y 1 y 3 a 3 c, LL 4 0(8) LR 4 2(8) = y 0 a 0 a 2, LL 4 1(8) LR 4 3(8) = y 1 a 1 a 3, RL 4 0(8) RL 4 2(8) RR 4 0(8) = y 4 y 6 a 6 c, RL 4 1(8) RL 4 3(8) RR 4 1(8) = y 5 y 7 a 7 x, RL 4 0(8) RR 4 2(8) = y 4 a 4 a 6, RL 4 1(8) RR 4 3(8) = y 5 x a 5 a 7. LL 4 2(8) LR 4 0(8) LR 4 2(8) = y 2 a 0 c, LL 4 3(8) LR 4 1(8) LR 4 3(8) = y 3 a 1 c, LL 4 0(8) LR 4 2(8) = y 0 a 0 a 2, LL 4 1(8) LR 4 3(8) = y 1 a 1 a 3, RL 4 2(8) RR 4 0(8) RR 4 2(8) = y 6 a 4 c, RL 4 3(8) RR 4 1(8) RR 4 3(8) = y 7 a 5, RL 4 0(8) RR 4 2(8) = y 4 a 4 a 6, Now we analyze the property of y (0 7). Let y = s(x a 5 a 7 c RK0 2 0(8)), then y = s(y b ) RK0 2 (8), here b (0 7) are entrely determned by a (0 7), c and RK 2 (128), so b (0 7) are constants when the user key s fxed. Because s s a permutaton, y = s(x a 5 a 7 c RK0 2 0(8)) dffers when x takes dfferent values and the user key s fxed. As a consequence, y = s(y b ) RK0 2 (8) wll have dfferent values when x takes dfferent values and the user key s fxed. Thus, from the above dscusson we know that LL 4 2(8) LR 4 0(8) LR 4 2(8), LL 4 3(8) LR 4 1(8) LR 4 3(8), LL 4 0(8) LR 4 2(8), LL 4 1(8) LR 4 3(8), RL 4 2(8) RR 4 0(8) RR 4 2(8), RL 4 3(8) RR 4 1(8) RR 4 3(8)
8 and RL 4 0(8) RR 4 2(8) each wll have dfferent values when x takes dfferent values. Therefore we get the followng theorem. Theorem 1. Let P (128) = LL 1 LR RL 1 1 RR 1 and P (128) = LL 1 LR 1 RL 1 RR 1 be two plantexts of 3-round FOX128, C (128) = LL 4 LR RL 4 4 RR 4 and C (128) = LL 4 LR RL 4 4 RR 4 be the correspondng cphertexts. RR (8) (0 7) denotes the (+1) th byte of RR. If LL 1 = LR 1 = LL 1 = LR, 1 RL 1 = RR, 1 RL 1 = RR, 1 RR 1 (8) = RR(8)( 1 = 0, 1, 2), RR 1 3(8) RR3(8), 1 then C (128) and C (128) satsfy the followng nequaltes: LL 4 2(8) LR 4 0(8) LR 4 2(8) LL 4 2(8) LR 4 0(8) LR 4 2(8), (1) LL 4 3(8) LR 4 1(8) LR 4 3(8) LL 4 3(8) LR 4 1(8) LR 4 3(8) (2) LL 4 0(8) LR 4 2(8) LL 4 0(8) LR 4 2(8) (3) LL 4 1(8) LR 4 3(8) LL 4 1(8) LR 4 3(8) (4) RL 4 2(8) RR 4 0(8) RR 4 2(8) RL 4 2(8) RR 4 0(8) RR 4 2(8) (5) RL 4 3(8) RR 4 1(8) RR 4 3(8) RL 4 3(8) RR 4 1(8) RR 4 3(8) (6) RL 4 0(8) RR 4 2(8) RL 4 0(8) RR 4 2(8) (7) From the above dscusson, we have RL 4 1(8) RR 4 3(8) = y 5 x a 5 a 7, and y 5 wll have dfferent values when x take dfferent values. So we can get the followng Corollary, whch s smlar to the ntegral dstngusher presented n Ref.[1] and Ref.[6]. Corollary 1. Let P j (128) = LLj 1 LRj 1 RLj 1 RRj 1 (0 j 255) be 256 plantexts of 3-round FOX128, Cj (128) = LLj 4 LRj 4 RLj 4 RRj 4 be the correspondng cphertexts. If LLj 1 = LRj 1, RLj 1 = RLj 1, RLj (8) ( = 0, 1, 2) are constants, and LRj 3(8) take all possble values between 0 and 255, then Cj (128) (0 j 255) satsfy: 255 (RLj 4 1(8) RRj3(8)) 4 = 0 (8) j=0 4 Attacks on Reduced-Round FOX Attackng 4-round FOX128 Ths secton explans the attack on 4-round FOX128 n detal. The last round omt the or transformaton. Frst we recover 72 bts subkey RK0 4 (64) and RK1 4 0(8). Choose plantext P (128) = LL 1 LR RL 1 1 RR, 1 and let C (128) = LL 5 LR RL 5 5 RR 5 be the correspondng cphertext. The nput of the fourth round functon f64 4 s LL 5 LR RL 5 5 RR, 5 and we can calculate the value of LL 4 2(8) LR 4 2(8) because LL 4 2(8) LR 4 2(8) = LL 5 2(8) LR2(8). 5 If we guess the value of LR0(8), 4 then we can guess LL 4 2(8) LR 4 2(8) LR0(8). 4 From the structure of f64 4, t s known that the value of LR 4 0(8) s entrely determned by the nput LL 5 LR RL 5 5 RR 5 and subkey RK0 4 (64), RK1 4 0(8). Thus usng the nequalty (1) of Theorem 1, we construct the followng algorthm to recover RK0 4 (64) and RK1 4 0(8).
9 Algorthm 1 Step1, Choose 166 plantexts P j (128) j 165) as follows: = LLj 1 LRj 1 RLj 1 RRj 1 (0 LLj 1 = (c c c c), LRj 1 = (c c c c), RLj 1 = (c c c j), RRj 1 = (c c c j). where c s a constant, 0 j 165. The correspondng cphertexts are Cj (128) = LLj 5 LRj 5 RLj 5 RRj 5. Step2, For each possble value of RK0 4 (64) RK1 4 0(8), frst compute the frst byte Y j 4 0(8) of f64 4 (LLj 5 LRj 5 RLj 5 RRj 5 ), and then compute j = Y j 4 0(8) LLj 5 2(8) LRj 5 2(8) LRj 5 0(8). Check f there a a collson among j. If so, dscard the value of RK0 4 (64) RK1 4 0(8). Otherwse, output RK0 4 (64) RK1 4 0(8). Step3, From the output values of RK0 4 (64) RK1 4 0(8) n Step2, choose some other plantexts, and repeat Step2. The probablty of at least one collson occurs when we throw 166 balls nto 256 buckets at random s larger than 1 e 166(166 1)/ So the probablty of passng the test of Step 2 s less than2 76. Because the rght subkey canddates must pass the test of Step2, the number of subkey canddates passng Step2 s about 1 + ( ) Then, only two plantexts are needed n Step3. The data complexty of ths attack s about 168 chosen plantexts. And the man tme complexty of Algorthm 2 s n step2, the tme of computng each j s less than 1-round encrypton, so the tme complexty s less than / encryptons. Next we recover RK1 4 1(8). The steps are very smlar to Algorthm1, except RK0 4 (64) s known here. So the number of canddates s 2 8, only 64 chosen plantexts are needed(we can use the data n Algorthm 1 agan). Usng the nequalty (2) n Theorem 1, we can recover RK1 4 1(8) by computng j = Y j 4 1(8) LLj 5 3(8) LRj 5 3(8) LRj 5 1(8). and the attack requres /4 = 2 12 encryptons. Knowng RK0 4 (64) and RK1 4 0(8), usng nequalty (3) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 2(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 0(8) Y j 4 2(8) LLj 5 0(8) LRj 5 2(8)
10 Smlarly, knowng RK0 4 (64) and RK1 4 1(8), usng nequalty (4) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 3(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 1(8) Y j 4 3(8) LLj 5 1(8) LRj 5 3(8) Furthermore,usng nequalty (5) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 4(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 4(8) RLj 5 2(8) RRj 5 2(8) RRj 5 0(8) And usng nequalty (6) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 5(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 5(8) RLj 5 3(8) RRj 5 3(8) RRj 5 1(8) Knowng RK0 4 (64) and RK1 4 4(8), usng nequalty(7) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 6(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 4(8) RLj 5 0(8) Y j 5 6(8) RRj 5 2(8) We can t use smlar approach to recover RK1 4 7(8), fortunately ntegral technque can be used here. Knowng RK0 4 (64)) and RK1 4 5(8), usng equaton (8) n Theorem 1,we can construct the followng algorthm to recover RK1 4 7(8). Algorthm 2 Step1, Choose 256 plantexts P j (128) j 122) as follows: = LLj 1 LRj 1 RLj 1 RRj 1 (0 LLj 1 = (c c c c), LRj 1 = (c c c c), RLj 1 = (c c c j), RRj 1 = (c c c j). where c s a constant, 0 j 255. The correspondng cphertexts are Cj (128) = LLj 5 LRj 5 RLj 5 RRj 5. Step2, For each possble value of RK1 4 7(8), frst compute Y j 4 7(8), and then compute 255 = (RL 5 1(8) RR 5 3(8) Y j 4 5(8) Y j7(8)). 4 j=0
11 Check f = 0. If not, dscard the value of RK1 4 7(8), Otherwse, output RK1 4 7(8). Step3, From the output values of RK1 4 7(8) n Step2, choose another group of plantexts, and repeat Step2 untl the key canddate s unque. Wrong values wll pass step2 successfully wth probablty 2 8. Thus Algorthm 2 requres about 2 9 chosen plantexts, and the tme complexty s about /4 = 2 15 encryptons. The data n Algorthm 1 can be repeatedly used here agan, so the data complexty for recoverng RK 4 (128)) s about 2 9, and the tme complexty s about Now we have recovered RK 4 (128) usng 2 9 chosen plantexts and encryptons. By decryptng the 4th round, we can recover RK 3 (128), the tme complexty s less than Smlarly, we can recover RK 2 (128)) and RK 1 (128)), the tme complexty are both less than Therefore, the attack on the 4-round FOX128 requres 2 9 chosen plantexts and about encryptons. 4.2 Attackng 5-round FOX128 We could extend the prevous attack on 5-round FOX128, usng a key exhaustve search on the ffth subkey RK 5 (128). The attack requres encryptons, whch s less expensve than a key exhaustve search. 5 Attacks on Reduced-Round FOX64 Smlar to FOX128, we can get the followng theorem for FOX64. Theorem 2. Let P (64) = L 1 R 1 and P (64) = L 1 R 1 be two plantexts of 3-round FOX64,C (64) = L 4 R 4 and C (64) = L 4 R 4 be the correspondng cphertexts, L (8) denotes the ( + 1) th byte of L, If L 1 = R, 1 L 1 = R, 1 and L 1 (8) = L 1 (8)( = 0, 1, 2),L 1 3(8) L 1 3(8), then C (64) and C (64) satsfy: L 4 2(8) R 4 2(8) R 4 0(8) L 4 2(8) R 4 2(8) R 4 0(8), (9) L 4 3(8) R 4 3(8) R 4 1(8) L 4 3(8) R 4 3(8) R 4 1(8) (10) L 4 0(8) R 4 2(8) L 4 0(8) R 4 2(8) (11) Corollary 2. Let P j (64) = Lj 1 Rj 1 (0 j 255) be 256 plantexts of 3-round FOX64, Cj (64) = Lj 4 Rj 4 be the correspondng cphertexts, If Lj 1 = Rj 1, Lj (8) ( = 0, 1, 2) are constants, and Lj 3(8) take all possble values between 0 and 255, then Cj (64) (0 j 255) satsfy: 255 (Lj 4 1(8) Rj3(8)) 4 = 0 (12) j=0 Usng Theorem 2 and Corollary 2, we can construct the Algorthms smlar to those n Secton 4, and get four subkeys of 4-round FOX64. The attack requres
12 less than 2 9 chosen plantexts, and the tme complexty s about round FOX64 encryptons. Smlarly, we can get subkeys of 5(6, 7)-round FOX64 just through guessng the overall key bts behnd the fourth round, then usng the attack procedure for 4-round FOX64. The tme complexty on 5,6 and 7-round FOX64 s about , and respectvely. 6 Concludng remarks Snce FOX s a new cpher publshed last year, all we know about ts securty analyss are lmted to be the desgner s results [ 1] and Ref.[6]. In ths paper, we combne collson technque and ntegral attack to analyze the securty of FOX. The mproved ntegral attack on FOX s more effcent than known ntegral attacks. The complexty of mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s about on 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7-round FOX64 respectvely. Our results also show that 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192,7-round FOX64/256 and 5-round FOX128/256 are not mmune to mproved ntegral attack n ths paper. There are some mstakes about the ntegral cryptanalyss n Ref.[6], so we only compare the performance of known ntegral attacks on FOX n Ref.[1] and that of ths paper n the followng table. Name round Tme Notes FOX Ref.[1] FOX ths paper FOX Ref.[1] FOX ths paper FOX Ref.[1] FOX ths paper FOX ths paper FOX Ref.[1] FOX ths paper FOX ths paper References 1. P.Junod and S. Vaudenay, FOX: a new Famly of Block Cphers, Selected Areas n Cryptography-SAC 2004,LNCS 2595, pp ,sprnger-verlag. FOX Specfcatons Verson 1.2 appeared on 2. Medacrypt AG X.La and J. Massey, A proposal for a new block encrypton standard, Advances n Cryptology-EUROCRYPT 90, LNCS 473,pp ,Sprnger-Verlag. 4. S.Vaudenay, On the La-Massey scheme, Advances n Cryptology- ASIACRYPT 99, LNCS 1716, pp.8-19,sprnger-verlag. 5. P.Junod and S. Vaudenay, Perfect dffuson prmtves for block cphers buldng effcent MDS matrces, Selected Areas n Cryptography-SAC 2004,LNCS 2595, pp ,sprnger-verlag.
13 6. Marne Mner, An ntegral cryptanalyss aganst a fve rounds verson of FOX, Western European Workshop on Research n Crpytography - WEWoRC, July 05-07, Leuven, Belgum, K.Lanford and E.Hellman, Dfferental-lnear cryptanalyss,advances n Cryptology-CRYPTO 94,LNCS 893, pp.17-25,sprnger-verlag. 8. E.Bham, A.Bryukov, and A.Shamr, Enhancng dfferental-lnaer cryptanalyss, Advances n Cryptology-ASIACRYPT 02, LNCS 2501, pp ,sprnger-verlag, 9. D.Wagner, The boomerang attack,fast Software Encrypton-FSE 99, LNCS 1636,pp ,Sprnger-Verlag. 10. E.Bham,O.Dunkelman,and N.Keller, The rectangle attack-rectanglng the Serpent, Advances n Cryptology-EUROCRYPT 01, LNCS 2045,pp ,Sprnger- Verlag. 11. L.Knudsen, Truncated and hgher order dfferentals, Fast Software Encrypton- FSE 95, LNCS 2595,pp ,Sprnger-Verlag. 12. E.Bham, A.Bryukov, and A.Shamr, Cryptanalyss of Skpjack reduced to 31 rounds usng mpossble dfferentals, Advances n Cryptology- EUROCRYPT 99,LNCS 2595, pp.12-23,sprnger-verlag. 13. C.Harpes and J.Massey, Parttonng cryptanalyss,fast Software Encrypton- FSE 97, LNCS 1267,pp.13-27,Sprnger-Verlag. 14. T.Jakobsen and L.Knudsen, The nterpolaton attack aganst block cphers, Fast Software Encrypton-FSE 99, LNCS 1267,pp.28-40,Sprnger-Verlag. 15. N. Courtos and J. Peprzyk, Cryptanalyss of block cphers wth overdefned systems of equatons, Advances n Cryptology-ASIACRYPT 02, LNCS 2595, pp ,sprnger-verlag. 16. S.Murphy and M.Robshaw, Comments on the securty of the AES and the XSL technque,electronc Letters,39(1): A. Bryukov and D.Wagner, Slde attacks, Fast Software Encrypton-FSE 99, LNCS 1636, pp ,sprnger-verlag. 18. A. Bryukov and D.Wagner, Advanced slde attacks, Advances n Cryptology- EUROCRYPT 00, LNCS 1807,pp ,Sprnger-Verlag. 19. H.Wu, Related-cpher attacks, Informaton and Communcatons Securty,ICICS 2002,LNCS 2513, pp ,sprnger-verlag. 20. L. Knudsen and D. wagner, Integral cryptanalyss(extended abstract) Fast Software Encrypton-FSE2002,LNCS 2595, pp ,sprnger-verlag. 21. Y.Yeom, S.Park, and I. Km, On the securty of Camella aganst the square attack, Fast Software Encrypton-FSE 02,LNCS 2356, Sprnger-Verlag 2002,pp Y.Yeom, I. Park, and I. Km, A study of Integral type cryptanalyss on Camella, The 2003 Symposum on Cryptography and Informaton Securty-SCIS 03.
The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL
The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp
More informationLai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)
La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea
More informationA Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition
(IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer
More informationThe stream cipher MICKEY
The stream cpher MICKEY-128 2.0 Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com Matthew Dodd Independent consultant matthew@mdodd.net www.mdodd.net 30 th June 2006 Abstract: We
More informationDifferential Cryptanalysis of Nimbus
Dfferental Cryptanalyss of Nmbus Vladmr Furman Computer Scence Department, Technon - Israel Insttute of Technology, Hafa 32000, Israel. vfurman@cs.technon.ac.l. Abstract. Nmbus s a block cpher submtted
More informationResearch on State Collisions of Authenticated Cipher ACORN
4th Internatonal Conference on Sensors, Measurement and Intellgent Materals (ICSMIM 2015) Research on State Collsons of Authentcated Cpher ACORN Pe Zhanga*, Je Guanb, Junzh Lc and Tarong Shd Informaton
More informationThe Key-Dependent Attack on Block Ciphers
The Key-Dependent Attack on Block Cphers Xaoru Sun and Xueja La Department of Computer Scence Shangha Jao Tong Unversty Shangha, 200240, Chna sunsrus@sjtu.edu.cn, la-xj@cs.sjtu.edu.cn Abstract. In ths
More informationCryptanalysis of pairing-free certificateless authenticated key agreement protocol
Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen
More informationLectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix
Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could
More informationChapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems
Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons
More informationImpossible differential attacks on 4-round DES-like ciphers
INENAIONA JOUNA OF COMPUES AND COMMUNICAIONS Volume 9, 2015 Impossble dfferental attacks on 4-round DES-lke cphers Pavol Zajac Abstract Data Encrypton Standard was a man publc encrypton standard for more
More informationRecover plaintext attack to block ciphers
Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh
More informationLecture Space-Bounded Derandomization
Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval
More informationLecture 4: Universal Hash Functions/Streaming Cont d
CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected
More informationAttacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationThe lower and upper bounds on Perron root of nonnegative irreducible matrices
Journal of Computatonal Appled Mathematcs 217 (2008) 259 267 wwwelsevercom/locate/cam The lower upper bounds on Perron root of nonnegatve rreducble matrces Guang-Xn Huang a,, Feng Yn b,keguo a a College
More informationCryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key
Cryptanalyss of Some Double-Block-Length Hash Modes of Block Cphers wth n-bt Block and n-bt Key Deukjo Hong and Daesung Kwon Abstract In ths paper, we make attacks on DBL (Double-Block-Length) hash modes
More information5 The Rational Canonical Form
5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationNEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS
Proceedngs of ACS 000, Szczecn, pp.53-530 NEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS ANNA ZUGAJ, KAROL GÓRSKI, ZBIGNIEW KOTULSKI, ANDRZEJ PASZKIEWICZ 3, JANUSZ SZCZEPAŃSKI ENIGMA Informaton
More informationThe Order Relation and Trace Inequalities for. Hermitian Operators
Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence
More informationReport on Image warping
Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.
More information18.1 Introduction and Recap
CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng
More informationConvexity preserving interpolation by splines of arbitrary degree
Computer Scence Journal of Moldova, vol.18, no.1(52), 2010 Convexty preservng nterpolaton by splnes of arbtrary degree Igor Verlan Abstract In the present paper an algorthm of C 2 nterpolaton of dscrete
More informationSpeeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem
H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More informationLinear Regression Analysis: Terminology and Notation
ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented
More informationComments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards
Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com
More informationBoomerang Distinguisher for the SIMD-512 Compression Function
Boomerang Dstngusher for the SIMD-512 Compresson Functon Floran Mendel and Tomslav Nad Insttute for Appled Informaton Processng and Communcatons (IAIK) Graz Unversty of Technology, Inffeldgasse 16a, A-8010
More informationThe Study of Teaching-learning-based Optimization Algorithm
Advanced Scence and Technology Letters Vol. (AST 06), pp.05- http://dx.do.org/0.57/astl.06. The Study of Teachng-learnng-based Optmzaton Algorthm u Sun, Yan fu, Lele Kong, Haolang Q,, Helongang Insttute
More informationModule 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationCube Attack on Reduced-Round Quavium
3rd Internatonal onference on Mechatroncs and Industral Informatcs (IMII 05 ube Attac on Reduced-Round Quavum Shyong Zhang, a *, Gonglang hen,b and Janhua L,c School of Informaton Securty Engneerng, Shangha
More informationErrors for Linear Systems
Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch
More informationAn efficient algorithm for multivariate Maclaurin Newton transformation
Annales UMCS Informatca AI VIII, 2 2008) 5 14 DOI: 10.2478/v10065-008-0020-6 An effcent algorthm for multvarate Maclaurn Newton transformaton Joanna Kapusta Insttute of Mathematcs and Computer Scence,
More informationGrover s Algorithm + Quantum Zeno Effect + Vaidman
Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the
More informationPerron Vectors of an Irreducible Nonnegative Interval Matrix
Perron Vectors of an Irreducble Nonnegatve Interval Matrx Jr Rohn August 4 2005 Abstract As s well known an rreducble nonnegatve matrx possesses a unquely determned Perron vector. As the man result of
More informationLecture 13 APPROXIMATION OF SECOMD ORDER DERIVATIVES
COMPUTATIONAL FLUID DYNAMICS: FDM: Appromaton of Second Order Dervatves Lecture APPROXIMATION OF SECOMD ORDER DERIVATIVES. APPROXIMATION OF SECOND ORDER DERIVATIVES Second order dervatves appear n dffusve
More informationFinding Primitive Roots Pseudo-Deterministically
Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms
More informationCollege of Computer & Information Science Fall 2009 Northeastern University 20 October 2009
College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:
More informationCryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm
www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce
More informationLecture 10: May 6, 2013
TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,
More informationEcon107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)
I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes
More informationSimulated Power of the Discrete Cramér-von Mises Goodness-of-Fit Tests
Smulated of the Cramér-von Mses Goodness-of-Ft Tests Steele, M., Chaselng, J. and 3 Hurst, C. School of Mathematcal and Physcal Scences, James Cook Unversty, Australan School of Envronmental Studes, Grffth
More informationTransfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system
Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng
More informationConstruction of resilient S-boxes with higher-dimensional vectorial outputs and strictly almost optimal nonlinearity
Constructon of reslent S-boxes wth hgher-dmensonal vectoral outputs and strctly almost optmal nonlnearty WeGuo Zhang and LuYang L ISN Laboratory, Xdan Unversty, X an 710071, Chna e-mal: zwg@xdaneducn Enes
More informationHigh-Speed Decoding of the Binary Golay Code
Hgh-Speed Decodng of the Bnary Golay Code H. P. Lee *1, C. H. Chang 1, S. I. Chu 2 1 Department of Computer Scence and Informaton Engneerng, Fortune Insttute of Technology, Kaohsung 83160, Tawan *hpl@fotech.edu.tw
More informationNUMERICAL DIFFERENTIATION
NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the
More informationFinding Dense Subgraphs in G(n, 1/2)
Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng
More informationA new Approach for Solving Linear Ordinary Differential Equations
, ISSN 974-57X (Onlne), ISSN 974-5718 (Prnt), Vol. ; Issue No. 1; Year 14, Copyrght 13-14 by CESER PUBLICATIONS A new Approach for Solvng Lnear Ordnary Dfferental Equatons Fawz Abdelwahd Department of
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationCalculation of time complexity (3%)
Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add
More informationLecture 5, October 8. DES System (Modification)
Lecture 5, October 8. 10/10/01 Gene Tsudk, ICS 268 Fall 2001 1 Encrypton Process 64 Bt Plantext Intal Permutaton 32 Bt L0 32 Bt R0 + F(R0,K1) DES System (Modfcaton) Festel Network Buldng Block Key Schedule
More informationCryptanalysis of TWOPRIME
Cryptanalyss of TWOPRIME Don Coppersmth IBM Research copper@watson.bm.com Bruce Schneer Counterpane Systems schneer@counterpane.com Davd Wagner U.C. Berkeley daw@cs.berkeley.edu John Kelsey Counterpane
More informationChapter 13: Multiple Regression
Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to
More informationA MORE SECURE MFE MULTIVARIATE PUBLIC KEY ENCRYPTION SCHEME *
Internatonal Journal of Computer Scence and Applcatons Vol No pp - 00 Technomathematcs Research Foundaton A ORE SECURE FE ULTIVARIATE PUBLIC KE ENCRPTION SCHEE n Wang School of Telecommuncatons Engneerng
More informationThe Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction
ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also
More informationIntroduction to Algorithms
Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of
More informationRandić Energy and Randić Estrada Index of a Graph
EUROPEAN JOURNAL OF PURE AND APPLIED MATHEMATICS Vol. 5, No., 202, 88-96 ISSN 307-5543 www.ejpam.com SPECIAL ISSUE FOR THE INTERNATIONAL CONFERENCE ON APPLIED ANALYSIS AND ALGEBRA 29 JUNE -02JULY 20, ISTANBUL
More informationHigh resolution entropy stable scheme for shallow water equations
Internatonal Symposum on Computers & Informatcs (ISCI 05) Hgh resoluton entropy stable scheme for shallow water equatons Xaohan Cheng,a, Yufeng Ne,b, Department of Appled Mathematcs, Northwestern Polytechncal
More informationMMA and GCMMA two methods for nonlinear optimization
MMA and GCMMA two methods for nonlnear optmzaton Krster Svanberg Optmzaton and Systems Theory, KTH, Stockholm, Sweden. krlle@math.kth.se Ths note descrbes the algorthms used n the author s 2007 mplementatons
More informationOn the correction of the h-index for career length
1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat
More informationRandomness and Computation
Randomness and Computaton or, Randomzed Algorthms Mary Cryan School of Informatcs Unversty of Ednburgh RC 208/9) Lecture 0 slde Balls n Bns m balls, n bns, and balls thrown unformly at random nto bns usually
More informationn α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0
MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector
More informationMaximizing the number of nonnegative subsets
Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum
More informationCHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE
CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng
More informationExercises of Chapter 2
Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard
More informationParametric fractional imputation for missing data analysis. Jae Kwang Kim Survey Working Group Seminar March 29, 2010
Parametrc fractonal mputaton for mssng data analyss Jae Kwang Km Survey Workng Group Semnar March 29, 2010 1 Outlne Introducton Proposed method Fractonal mputaton Approxmaton Varance estmaton Multple mputaton
More informationAttack on cascaded convolutional transducers cryptosystem
INTERNATINA JRNA of MATHEMATICS AND CMPTERS IN SIMATIN Attack on cascaded convolutonal transducers cryptosystem M. A. rumechha S. F. Mohebpoor Abstract Recently the dea of desgn of dynamc symmetrc cryptosystems
More informationNP-Completeness : Proofs
NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem
More informationFormulas for the Determinant
page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More informationCOMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
More informationHongyi Miao, College of Science, Nanjing Forestry University, Nanjing ,China. (Received 20 June 2013, accepted 11 March 2014) I)ϕ (k)
ISSN 1749-3889 (prnt), 1749-3897 (onlne) Internatonal Journal of Nonlnear Scence Vol.17(2014) No.2,pp.188-192 Modfed Block Jacob-Davdson Method for Solvng Large Sparse Egenproblems Hongy Mao, College of
More informationLOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin
Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence
More informationU.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8
U.C. Berkeley CS278: Computatonal Complexty Handout N8 Professor Luca Trevsan 2/21/2008 Notes for Lecture 8 1 Undrected Connectvty In the undrected s t connectvty problem (abbrevated ST-UCONN) we are gven
More informationprinceton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg
prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there
More informationThe Minimum Universal Cost Flow in an Infeasible Flow Network
Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More informationMULTIDIMENSIONAL LINEAR DISTINGUISHING ATTACKS AND BOOLEAN FUNCTIONS
Boolean Functons: Cryptography and Applcatons Fonctons Booléennes : Cryptographe & Applcatons BFCA 08 MULTIDIMENSIONAL LINEAR DISTINGUISHING ATTACKS AND BOOLEAN FUNCTIONS Ma Hermeln 1 and Kasa Nyberg 1
More informationAPPENDIX A Some Linear Algebra
APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,
More informationA New Refinement of Jacobi Method for Solution of Linear System Equations AX=b
Int J Contemp Math Scences, Vol 3, 28, no 17, 819-827 A New Refnement of Jacob Method for Soluton of Lnear System Equatons AX=b F Naem Dafchah Department of Mathematcs, Faculty of Scences Unversty of Gulan,
More informationLecture 21: Numerical methods for pricing American type derivatives
Lecture 21: Numercal methods for prcng Amercan type dervatves Xaoguang Wang STAT 598W Aprl 10th, 2014 (STAT 598W) Lecture 21 1 / 26 Outlne 1 Fnte Dfference Method Explct Method Penalty Method (STAT 598W)
More informationRSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]
1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA
More informationAnalysis of countermeasures against access driven cache attacks on AES
Analyss of countermeasures aganst access drven cache attacks on AES Johannes Blömer and Volker Krummel {bloemer,krummel}@un-paderborn.de Faculty of Computer Scence, Electrcal Engneerng and Mathematcs Unversty
More informationGraph Reconstruction by Permutations
Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer
More informationOn the Multicriteria Integer Network Flow Problem
BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of
More informationProvable Security Signatures
Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -
More informationLecture 5 Decoding Binary BCH Codes
Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture
More informationCHARACTERISTICS OF COMPLEX SEPARATION SCHEMES AND AN ERROR OF SEPARATION PRODUCTS OUTPUT DETERMINATION
Górnctwo Geonżynera Rok 0 Zeszyt / 006 Igor Konstantnovch Mladetskj * Petr Ivanovch Plov * Ekaterna Nkolaevna Kobets * Tasya Igorevna Markova * CHARACTERISTICS OF COMPLEX SEPARATION SCHEMES AND AN ERROR
More informationComplete subgraphs in multipartite graphs
Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G
More informationMore metrics on cartesian products
More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of
More informationSome Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS)
Some Comments on Acceleratng Convergence of Iteratve Sequences Usng Drect Inverson of the Iteratve Subspace (DIIS) C. Davd Sherrll School of Chemstry and Bochemstry Georga Insttute of Technology May 1998
More informationLINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity
LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have
More informationDecoding of the Triple-Error-Correcting Binary Quadratic Residue Codes
Automatc Control and Informaton Scences, 04, Vol., No., 7- Avalable onlne at http://pubs.scepub.com/acs/// Scence and Educaton Publshng DOI:0.69/acs--- Decodng of the rple-error-correctng Bnary Quadratc
More informationTowards Security Limits in Side-Channel Attacks
Towards Securty Lmts n Sde-Channel Attacks (Wth an Applcaton to Block Cphers) F.-X. Standaert, E. Peeters, C. Archambeau, and J.-J. Qusquater UCL Crypto Group, Place du Levant 3, B-348 Louvan-la-Neuve,
More informationPower law and dimension of the maximum value for belief distribution with the max Deng entropy
Power law and dmenson of the maxmum value for belef dstrbuton wth the max Deng entropy Bngy Kang a, a College of Informaton Engneerng, Northwest A&F Unversty, Yanglng, Shaanx, 712100, Chna. Abstract Deng
More informationAutomatic Differential Analysis of ARX Block Ciphers with Application to SPECK and LEA
Automatc Dfferental Analyss of ARX Block Cphers wth Applcaton to SPECK and LEA Lng Song 1,2,3, Zhangje Huang 1,2( ), Qanqan Yang 1,2 1 State Key Laboratory of Informaton Securty, Insttute of Informaton
More informationInexact Newton Methods for Inverse Eigenvalue Problems
Inexact Newton Methods for Inverse Egenvalue Problems Zheng-jan Ba Abstract In ths paper, we survey some of the latest development n usng nexact Newton-lke methods for solvng nverse egenvalue problems.
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More informationIterative General Dynamic Model for Serial-Link Manipulators
EEL6667: Knematcs, Dynamcs and Control of Robot Manpulators 1. Introducton Iteratve General Dynamc Model for Seral-Lnk Manpulators In ths set of notes, we are gong to develop a method for computng a general
More information