Effect of the Dependent Paths in Linear Hull
|
|
- Nathaniel Peters
- 5 years ago
- Views:
Transcription
1 1
2 Effect of te Dependent Pats in Linear Hull Zenli Dai, Meiqin Wang, Yue Sun Scool of Matematics, Sandong University, Jinan, , Cina Key Laboratory of Cryptologic Tecnology and Information Security, Ministry of Education, Sandong University, Jinan, , Cina Abstract. Linear Hull is a penomenon tat tere are a lot of linear pats wit te same data mask but different key masks for a block ciper. In 1994, K. Nyberg presented te effect on te key-recovery attack suc as Algoritm 2 wit linear ull, in wic te required number of te known plaintexts can be decreased compared wit tat in te attack using an individual linear pat. In 2009, S. Murpy proved tat K. Nyberg s results can only be used to give a lower bound on te data complexity and will be no use on te real linear cryptanalysis. In fact, te linear ull produces suc positive effect in linear cryptanalysis only for some keys instead of te wole key space. So te linear ull can be used to improve te classic linear cryptanalysis for some weak keys. In te same year, K. Okuma gave te linear ull analysis on reduced-round PRESENT block ciper, and sowed tat tere are 32% weak keys of PRESENT wic make te bias of a given linear ull wit multiple pats more tan a lower bound. However, K. Okuma as not considered te dependency of te multi-pat, and is results are based on te assumption tat te linear pats are independent. Actually, most of te linear pats are dependent in te linear ull. In tis paper, we will analyze te dependency of te linear pats in a linear ull and te real effect of linear ull wit te dependent linear pats. Firstly, we give te relation between te bias of a linear ull and its linear pats in linear cryptanalysis. Secondly, we present te formula to compute te rate of weak keys corresponding to te expected bias of te dependent pats. Based on te formula, we sow tat te dependency of linear pats reduces te number of weak keys corresponding to iger biases of te linear ull compared wit tat in te independent case. It means tat te dependency of linear pats reduces te effect of linear ull. At last, we verify our conclusion by analyzing reduced-round of PRESENT. Keywords: Linear Hull, Dependency of Linear Pats, Weak Key, PRESENT, Block Ciper. Supported by 973 Project (No.2007CB807902), National Natural Science Foundation of Cina (Grant No and Grant No ), Outstanding Young Scientists Foundation Grant of Sandong Province (No.BS2009DX030), and Sandong University Initiative Scientific Researc Program (2009TS087).
3 1 Introduction Linear cryptanalysis[1] is a powerful metod of cryptanalysis introduced by M. Matsui in It is a known plaintext attack in wic te attacker identifies te linear approximations of parity bits of te plaintext, cipertext and te subkey. We denote te probability of linear approximation as p, ten te absolute of te bias ɛ = p 1/2 represents te effectiveness of te linear approximation. Based on tis idea, many variants of linear cryptanalysis appeared, suc as linear cryptanalysis using multiple linear approximations wit te same key mask[2], multiple linear approximations cryptanalysis[3] and linear cryptanalysis based on linear ull[4] etc. Linear cryptanalysis using multiple approximations[2] was introduced by B.S. Kaliski and M.J.B. Robsaw in For a given success rate, tis metod reduced te data complexity by using multiple linear approximations. But teir tecnique is limited to cases were all approximations ave te same key mask. Unfortunately, tis approac imposes a very strong restriction on te approximations. Te concept of linear ull[4] was first announced by K. Nyberg in 1994, and a linear ull stands for te collection of all linear relations tat ave te same input mask and output mask, but involve different sets of round subkey bits in te different linear pats. Te linear ull effect accounts for a clustering of linear pats and decreases te required number of known plaintexts for a given success rate. In 2009, owever, S. Murpy proved tat tere is no linear ull effect in linear cryptanalysis[5]. In te same year, K. Okuma pointed tat 32% of te wole key space for PRESENT are weak keys wic will produce muc larger bias by te multi-pat effect compared wit tat by te single linear pat[6]. Tat is to say, te number of required known plaintexts can be reduced apparently for tese weak keys. However, te results of K. Okuma are based on te assumption tat all linear pats are independent. In fact, te assumption is not correct, so we need to reconsider te effect of linear ull. Many kinds of te dependency are difficult to be considered in cryptanalysis. In tis paper, we will analyze ow te dependency of linear pats of linear ull affects te linear cryptanalysis. And ten we give te relationsip between te bias of linear ull and equivalent subkey values of te linear pats. Since te linear pats are dependent, we will give te metod to compute te final bias of linear ull for a given key and offer a formula to compute te rate of weak keys wit te expected bias. Wit te formula, we sow tat te dependency of linear pats reduces
4 te number of weak keys corresponding to iger biases of te linear ull compared wit tat in te independent case, owever, te dependency of linear pats increases te number of keys corresponding to lower biases of te linear ull compared wit tat in te independent case. It means tat te dependency of linear pats reduces te effect of linear ull. In order to verify our metod, we computed te bias and te corresponding weak keys for block ciper PRESENT. As a result, te rate of te weak keys corresponding to iger biases for te linear ull in PRESENT under te dependent linear pats is lower tan tat under te independent linear pats in [6], and moreover, as te round number increases, te rate of weak keys will be reduced gradually. Tis paper is organized as follows. Section 2 briefly introduces te linear ull and te block ciper PRESENT. Section 3 presents te relationsip between te linear bias and equivalent subkey values, derives te formula of te linear bias under te dependent linear pats, and sows ow te dependency of linear pats affects te number of weak keys for iger biases of te linear ull. In Section 4, we compute te rate of weak keys wit te expected bias for reduced-round PRESENT. Section 5 concludes tis paper. 2 Preliminaries 2.1 Introduction of Linear Hull Te concept of linear ull was first proposed by K. Nyberg in [4]. A linear ull stands for te collection of all linear approximations (across a certain number of rounds) tat ave te same input and output masks, but involve different sets of round subkey bits according to different linear pats. As we know, te differential is te set of te differential caracteristics, and similarly te linear ull is te set of te linear approximations. It is easy to compute te probability of te differential wit multiple differential caracteristics, but te bias of te linear ull is difficult to be obtained. In [4], K. Nyberg also proposed te concept of linear ull effect wic accounts for a clustering of linear pats. Because of te existence of te linear ull effect, te final bias may become significantly iger tan tat of any individual linear pat. Denote te input mask as a and te output mask as b for a block ciper Y = Y (X, K), K. Nyberg computed te potential of te corresponding linear ull as follows, ALH(a, b) = c i Γ(P(a X b Y = c i K) 1 2 )2 = η 2, (1)
5 were c i is te mask for te subkey bits, and te set Γ = {c i K}. Ten, key-recovery attacks suc as Algoritm 2 in [1] apply wit N = t ALH(a, b) = t η 2 known plaintexts, were t is a constant. An advantage to use linear ull in key-recovery attacks, suc as in Algoritm 2, is tat te required number of known plaintexts can be decreased for a given success rate. 2.2 Brief Description of PRESENT PRESENT is an ultra-ligtweigt block ciper proposed by A. Bogdanov, L.R. Knudsen and G. Leander et al.[9]. PRESENT is a 31-round SPnetwork wit block size 64 bits and 80 bits or 128 bits key size. Te round function consists of tree layers: AddRoundKey, SboxLayer and player. Te AddRoundKey is a 64-bit exclusive OR operation wit a round key. Te SboxLayer is a 64-bit nonlinear transform using a single S-box 16 times in parallel. Te S-box is a nonlinear bijective mapping given in Tab. 5. Te player is a bit-by-bit permutation given in Tab. 6. Te design idea of SboxLayer and player is adapted from Serpent [7] and DES block ciper[8], respectively. 3 Te Bias of te Linear Hull 3.1 Te General Formula of te Bias A linear pat is defined as a single pat of linear approximations concatenated over multiple rounds[11]. Now suppose tat tere is a n-round linear ull wit data mask (a, b) and L linear pats. Te bias of te linear ull is denoted as η, and te bias of eac linear pat is denoted as ɛ i (1 i L). In addition, c i (1 i L) is subkey mask. In fact, eac c i K is a key expression about te subkey bits and we name it as te equivalent subkey bit. Te expressions of linear pats are defined as follows, a X b Y = c i K wit probability ɛ i, c i Γ, (2) were Γ is te space of subkey masks. From [5] and [6], we know tat η is determined by ɛ i and c i K. Te bias ɛ i may be positive or negative. Witout loss of generality, we can assume
6 tat all biases are positive, as te sign can be absorbed in te equivalent subkey bits. For example, if ɛ i < 0, we ave ( 1) c i K ɛ i = ( 1) c i K 1 ( ɛ i ). Ten we get te equivalent subkey bit k i = c i K 1. So te bias of a linear ull is given by η = L ( 1) k i ɛ i, (3) i=1 were ɛ i > 0 and k i is te equivalent subkey bit. In order to confirm equation (3), we compute te bias wit enoug amount of pairs of plaintexts and cipertexts under 4-round linear ull of PRESENT, and te results are given in App. B. 3.2 How to Compute te Bias of Linear Hull wit Dependent Pats In tis subsection, we will discuss ow te dependency of linear pats affects te bias of a linear ull. For a n-round liner ull of data mask (a, b), we suppose tat it contains L linear pats. Let us denote te linear pat as a X b Y = K (0) [χ 0 j] K (1) [χ 1 j]... K (n) [χ n j ] = k j, wit probability p j = ɛ j, 1 j L, (4) were k j is an equivalent subkey bit, Γ = {k j } L j=1. Here we denote te vector form of key mask c j as (c 0 j,0,..., c0 j,, c1 j,0,..., c 1 j,,..., cn j,0,..., cn j, ), were cr j,l {0, 1}, 0 r n, 0 l <, and c r j,l {0, 1} is te coefficient of te l-t bit of te r-t round subkey. According to equation (4), te dependency of linear pats means all key masks c j (1 j L) are dependent. For example, if te first four linear pats are dependent, we ave c 1 c 2 c 3 c 4 = 0. Tat is to say te dependency of linear pats is te dependency of vector c j (1 j L). We also call k j = c j K equivalent subkey bit, ten we say te dependency of linear pats also means tat teir equivalent subkey bits are dependent. Assume tat te maximum number of linear pats wose equivalent subkey bits are independent wit eac oter is R. Witout loss of generality, we assume tat k 1, k 2,..., k R are independent wit eac oter, and name tem as independent subkey bits, wic form a set Γ 1. Te dependent subkey bits, wic form a set Γ 2, are denoted by te dependent subkey expressions k j = c 1,j k 1 c 2,j k 2... c R,j k R, R < j L, c i,j {0, 1}, 1 i R. So Γ = Γ 1 Γ 2.
7 In order to compute te bias of linear ull, we must find out te regularity of distribution of independent subkey bits on te expressions of te dependent subkey bits. So we study te relationsip between independent subkey bits and dependent subkey bits at first. If we do te XOR operation for two different equations in (4), we get 0 = K (0) [χ 0 i, χ 0 j]... K (n) [χ n i, χ n j ], i j. Obviously, tis expression is not a linear pat of te linear ull. Te conclusion always olds if te number of tese equations is even. If we do te XOR operation for tree different equations in (4), we get a P b C = K (0) [χ 0 u, χ 0 v, χ 0 w]... K (n) [χ n u, χ n v, χ n w], u v w. Obviously, te expression is a linear pat of te linear ull. Te conclusion always olds if te number of tese equations is odd. So we affirm tat every dependent subkey bit is determined by odd number of independent subkey bits. Tat is to say, te sum of coefficients r j = R i=1 c ij for k j (k j Γ 2 ) is odd. Let us denote te maximal sum as r = max {r j} = max { R c i,j }. (5) R<j L R<j L Now suppose tat we ave derived all te linear pats in a linear ull, te relationsip between dependent subkey bits and independent subkey bits can be obtained. We classify all te independent equivalent subkey bits according to teir values, and present te metod to compute te bias of a given linear ull and te rate of weak keys satisfying a lower bound of te bias. Te main idea is described as follows, 1. We study te distribution of te independent subkey bits on te expressions of te dependent subkey bits. For a given master key, every independent subkey bit as two possible values: 0 or 1, and Γ 1 = 2 R. a. For a possible value of Γ 1, suppose tat te number of te independent subkey bits wose values are 0 is s (s R), and te number of te independent subkey bits wose values are 1 is (R s). We classify te independent subkey bits into two groups according to teir values. i=1
8 b. Consider te values of te dependent subkey bits. If tere are odd number of subkey bits among te s subkey bits in te expressions of te dependent key bit k j (R < j L), we ave k j = 0. c. In order to get te general formula, we classify te dependent subkey bits according to te number of independent subkey bits, wose values are 0, in te expressions of tem. Fig. 1 is useful to understand our idea. 2. Compute te bias of te linear ull for every possible value of Γ 1. Ten we can calculate te rate of weak keys according to te definition of weak keys., k, R 1 2 k R, tere are 2 possible values k, Classify all possible values by te value of te R subkey bits k i Tere are s subkey bits wose values 0 (1 i R) kj 0, ki 1(1 i R, i j) k i 1 (1 i R) are 0. Classify te dependent subkeys bits by te number of te indepentdent subkey bits wose values is zero in teir expressions Te dependent subkey bits wose expressions contain 3 0-value independent subkey bits of s Te dependent subkey bits wose expressions contain 5 0-value independent subkeys bits of s Te dependent subkey bits wose expressions contain 2l 1 0-value independent subkeys bits of s Fig. 1. Classification of Linear Pats Let us denote te times of k i (1 i R) appeared in te dependent subkey bits as N i, and te times of k i1 k i2... k it appeared in dependent subkey bits as N i1,i 2,...,i t, (1 i 1 < i 2 <... < i t R, t R). We denote N i1,i 2,...i t as N (t) at te case of no ambiguity, and ten 0 N (t) L R. According to te definition, we ave N i = L j=r+1 c i,j, N i1,i 2,...,i t = L j=r+1 ( t c il,j). As in [6], we also only consider te best linear pats wic ave te same bias ɛ j = ɛ > 0 (1 j L). Ten te bias of linear ull is η = L i=1 ( 1)k i ɛ, Let us denote Ts j as te number of dependent subkey bits in wic te values of j independent subkey bits are zero. And we define te number of te dependent subkey bits wit zero value as T s = Ts j. 1 j s, j is odd l=1
9 If we coose te values of s independent subkey bits, we ave derived equation (6) to compute T s in App. C. T s = s N j 2 j=1 1 i<j s N i,j + 4 N (3) 8 N (4) +... ( ) ( ) ( ) 2l 2l 2l (2l N 3 5 2l 1 (2l) ( ) ( ) ( ) 2l + 1 2l + 1 2l (2l N 3 5 2l + 1 (2l+1) ( ) ( ) s s ( 1) s 1 (s ) N 3 5 (s). (6) If s independent zero subkey bits ave been cosen, we can compute a value of T s wit equation (6). Tere are ( R s) different distributions for te s independent zero subkey bits, so T s stands for ( R s) different values. Property 1: For a given key wit L subkey bits, if tere are s independent zero subkey bits, R s independent non-zero subkey bits, and dependent zero subkey bits, te bias of te linear ull corresponding to te key will be ((s+) ((R s)+(l R ))) ɛ = (2(+s) L) ɛ. Now in order to compute te number of possible subkey values corresponding to te different bias, we will classify T s by teir values in any distributions of s independent zero subkey bits. Considering all te distributions for te s independent zero subkey bits, we denote te total number of any s independent zero subkey bits wit te bias (2( + s) L) ɛ as m (s). For ( R s) possible values for Ts, we ave m (s) = #{T s = }. For te different values of, we will compute teir bias corresponding to ( R s) different subkey values. Ten we can obtain te number of te subkey values wit te expected bias. For eac value of s (0 s R), we need to compute ( R s) times of Ts. In order to reduce te computing time, we identify te following property: Property 2: For a given key wit L subkey bits, if tere are s independent non-zero subkey bits, R s independent zero subkey bits, and dependent non-zero subkey bits, te bias of te linear ull corresponding to te key will be (((R s) + (L R )) (s + )) ɛ = (2( + s) L) ɛ.
10 From Property 1 and Property 2, te absolute bias of te two cases are equal. Terefore, we only need to compute te bias of s R/2. In equation (6), we only need to compute N (t), t R/2. In equation (5), we ave given te equation to compute r. If r < R/2 and r < l R/2, we can obtain N (l) = 0. Ten equation (6) can be simplified to te following equation: s T s = N j 2 N i,j + 4 N (3) 8 N (4) j=1 1 i<j s ( ) r ( 1) r 1 (r ( r 5 ) ( ) r ) N (r ). If r R/2, we will still compute T s wit equation (6). Wit equation (7), we can compute m (s) for s R/2. According to Property 1 and Property 2, te number of equivalent subkey values satisfying η = L 2( + s) ɛ usually is 2m (s). However, tere is a special case, if R is an even and s = R/2, te number of equivalent subkey values satisfying η = L 2( + s) ɛ is m (s). Wen independent subkey bits take all 2 R possible values, te number of equivalent subkey values wit te different biases is computed as follows, #{ η = L ɛ} = 2, #{ η = L 2 ɛ} = 2m (1) 0, #{ η = L 4 ɛ} = 2m (1) 1 + 2m (2) 0, #{ η = L 6 ɛ} = 2m (1) 2 + 2m (2) 1 + 2m (3) 0, #{ η = L 8 ɛ} = 2m (1) 3 + 2m (2) 2 + 2m (3) 1 + 2m (4) 0,.. r (7) #{ η = L 2(L R + 1) ɛ} = 2m (1) L R + 2m(2) L R c m( R/2 ) L R R/2 +1, #{ η = L 2(L R + 2) ɛ} = 2m (2) L R +..., , #{ η = L 2(L R + R/2 ) ɛ} =..., c m ( R/2 ) L R. were c = 1 as R is even, and c = 2 as R is odd. We classify all possible equivalent subkey values by teir resulted biases of linear ull in equation (8), and we can easily compute te rate of weak keys wit te lower bound of bias. Equation (8) is important to sow ow te dependent pats affect te number of weak keys corresponding to iger biases for te linear ull. In te following, we will describe it. (8)
11 3.3 How te Dependent Pats Affect Weak Keys for Higer Biases of Linear Hull In equation (8), we know tat m (s) means tere are s independent zero subkey bits and dependent zero subkey bits in L subkey bits, and m (s) ( R ( s) L R ). So we ave #{ η = L 2j ɛ} =2m (1) j 1 + 2m(2) = j m (1) j 1 + 2m(2) 2m (1) j 1 + 2m(2) 2m (j L+R) L R 2{ ( )( R L R 1 2{ ( )( R L R 1 j 1 2{ ( R j L+R j m R/2 (0), j < R/2 j cm( R/2 ) j R/2, R/2 j L R, + 2m (j L+R+1) L R cm ( R/2 ) j R/2, L R < j L R + R/2 ) ( j 1 + R )( L R ) ( 2 j R R/2 ) }, j < R/2 ) ( )( ) ( R L R R/2 1 j R/2 +1 } + c R )( L R R/2 j R/2 ), R/2 j L R, ) ( )( ) ( R L R R/2 1 j R/2 +1 } + c R )( L R R/2 j R/2 ), L R < j L R + R/2 (9) were c is te same as tat in equation (8). However, if all te equivalent subkey bits are independent, we ave ( ) L #{ η = L 2j ɛ} = 2. (10) j We denote te rigt sides of equation (9) and (10) as C d and C i, respectively. Namely, C d is te upper bound of te number of keys under te dependent pats wit te bias #{ η = L 2j ɛ}, and C i is te number of keys under te independent pats wit te bias #{ η = L 2j ɛ}. For a large amount of values of (L, R), we compute C i and C d for different bias values for te linear ull wit Matematic Software Version 5.0, te following property as been observed: C i < C d wen j < L/5 + R/14, and C i > C d wen j > L/5 + R/14. Here we only list part of test results for 3 values of (L, R) in Tab.1. Te above property sows tat te dependency of linear pats reduces te number of keys corresponding to iger biases for te linear ull compared wit tat in te independent case. Meanwile, te dependency of linear pats increases te number of keys corresponding to lower biases for te linear ull compared wit tat in te independent case. In order to sow te correctness of te conclusion we derived, we will analyze PRESENT block ciper under te dependent linear pats in te following section.
12 Table 1. Comparison of te Key Quantity in Dependent and Independent Pats L=30, R=13 L=60, R=21 L=100, R=33 bias C d C i C i C d bias C d C i C i C d bias C d C i C i C d 28ɛ ɛ ɛ ɛ ɛ ɛ ɛ ɛ ɛ 6.56e e e+6 22ɛ ɛ ɛ 1.52e e e+8 20ɛ ɛ ɛ 3.41e e e+9 66ɛ 6.647e e e+15 16ɛ ɛ 1.396e e e+9 62ɛ 1.32e e e+16 14ɛ ɛ 5.162e e e+9 58ɛ 2.04e e e+17 12ɛ 1.57e e e+6 34ɛ 1.736e e e+10 54ɛ 2.49e e e+17 10ɛ 3.53e e e+6 32ɛ 5.34e e e+11 50ɛ 2.43e e e+19 4 Effect of Dependency Pats in PRESENT 4.1 Linear Pats of PRESENT From [10] and [11], we know tat tere are plenty of linear ulls in PRESENT wic ave multiple linear pats wit te igest bias. And every linear pat exploits te linear approximations of S-boxes wit only one non-zero bit for te input and output masks. Te output mask of S-box wit more tan one non-zero bit will affect at least two S-boxes in te next round due to te permutation layer, wic will produce muc less linear correlation in te multiple rounds of PRESENT. Here we only focus on te linear single-bit pats wit te igest bias. Just as in [11], let π(α, β) denote a linear approximation of S-box S were α, β F 4 2 are te input and output masks of S, respectively. Te bias of π(α, β) is denoted by ɛ(α, β). Te S-box as te following properties[11]: Property 3: For α, β {2, 4, 8}, ɛ(α, β) = ±2 3, except tat ɛ(8, 4) = 0. Property 4: For α {1, 2, 4, 8}, ɛ(α, 1) = ɛ(1, α) = 0. Let us define I = {S 5, S 6, S 7, S 9, S 10, S 11, S 13, S 14, S 15 } and A = {4i + 1, 4i + 2, 4i i 15, S i I}. Ten, te permutation P of te player as te following property[11]: Property 5: If x A, ten P(x) A. According to te above tree properties, tere are nine S-boxes of S wic are usable for eac round of a single-bit pat, and tere are tree possible values for te mask of eac S-box. Let M i = (0,..., 0, 1, 0,..., 0)
13 (only te i-t (i A) bit is non-zero) denote te input mask or output mask, tere are no more tan 27 possible mask values for eac round. For n-round linear pats, let L (j) i (i A, 0 j n) denote te number of linear pats in wic te i-t bit of te j-t round output mask (namely, te input mask of te (j + 1)-t round) is 1. Wen j = 0, te output mask of te 0-t round means te plaintext mask. We get te following formula by Property 3 and Tab. 6: L j+1 21 = L j 21 + Lj 22 + Lj 23, Lj+1 37 = L j 21 + Lj 22, Lj+1 53 = L j+1 21, L j+1 22 = L j 25 + Lj 26 + Lj 27, Lj+1 38 = L j 25 + Lj 26, Lj+1 54 = L j+1 22, L j+1 23 = L j 29 + Lj 30 + Lj 31, Lj+1 39 = L j 29 + Lj 30, Lj+1 55 = L j+1 23, L j+1 25 = L j 37 + Lj 38 + Lj 39, Lj+1 41 = L j 37 + Lj 38, Lj+1 57 = L j+1 25, L j+1 26 = L j 41 + Lj 42 + Lj 43, Lj+1 42 = L j 41 + Lj 42, Lj+1 58 = L j+1 26, L j+1 27 = L j 45 + Lj 46 + Lj 47, Lj+1 43 = L j 45 + Lj 46, Lj+1 59 = L j+1 27, L j+1 29 = L j 53 + Lj 54 + Lj 55, Lj+1 45 = L j 53 + Lj 54, Lj+1 61 = L j+1 29, L j+1 30 = L j 57 + Lj 58 + Lj 59, Lj+1 46 = L j 57 + Lj 58, Lj+1 62 = L j+1 30, L j+1 31 = L j 61 + Lj 62 + Lj 63, Lj+1 47 = L j 61 + Lj 62, Lj+1 63 = L j (11) For example, bypass Sboxplayer, non-zero bit in 21, 22 or 23 of te j-t round output mask can produce te 21st non-zero bit of te output mask in (j+1)-t round respectively, and P (21) = 21 according to Tab. 6. So we get L j+1 21 = L j 21 + Lj 22 + Lj 23. Wen we fix te input mask α wit one non-zero value in bit l and te output mask β, we ave L (0) l = 1, L (0) i = 0, (i l, i, l A), ten te number of linear pats of n-round linear ull wit data mask (α, β) is L(n) = j A L (n 3) j, n 7. (12) Here we will not describe te proof of equation (12) in tis paper due to te limited space. Tab. 2 sows our computed results for L(n) corresponding to a fixed linear ull, wic are same as te results of Tab. 2 in [10]. In our Tab. 2, te rank is te number of te independent linear pats or te number of te independent equivalent subkey bits in a linear ull. Te rank of i (3 i 13) rounds linear ull is obtained by our computing program. We find te rank will be increased linearly as te number of rounds is increased. So we compute te rank of te linear ull from 14-round to 28-round.
14 Table 2. Number of Linear Pats and Rank of Equivalent Subkey Bits in PRESENT for Data Mask (IM 21, OM 21) #round #pats rank #round #pats 2,985,984 7,817,472 20,466,576 53,582, ,281, ,261,713 rank #round #pats 961,504,803 2,517,252,696 6,590,254,272 17,253,512,704 45,170,283,840 rank (IM 21 means only te 21st bit of input mask is non-zero, and OM 21 means only te 21st bit of output mask is non-zero.) 4.2 Computing te Rate of Weak Keys For n-round PRESENT, we only consider te linear pats wit te igest bias and ɛ i = ɛ = 2 2n 1. Denote te number of linear pats wit equivalent subkey bit 0 by N 0, and te number of linear pats wit equivalent subkey bit 1 by N 1. Ten te bias for te linear ull is approximate to 2 2n 1 N 0 N 1 according to equation (3). From Tab. 2, te linear pats of PRESENT are correlative wit eac oter as n 7. So it is inaccurate to estimate te rate of weak keys wit te assumption of te independency of te linear pats. For 7-round PRESENT, te data mask is (IM 21, OM 21 ), and te number of linear pats of te linear ull is L = 72. Te rank of equivalent subkey bits Γ = {k i } 71 i=0 is R = 45. As in te previous section, we assume tat te first 45 equivalent subkey bits are independent subkey bits. According to te relationsip of linear pats we derived, all dependent subkey bits are determined by tree independent subkey bits for 7-round linear ull. So we just consider tree cases according to s: s=1, it means a single independent subkey bit (45 possible values); s=2, it means te combination of two independent subkey bits ( ( ) 45 2 = 990 possible values); s=3, it means te combination of tree independent subkey bits ( ( ) 45 3 = possible values). Suppose tat tere are s independent subkey bits wit value zero, and let Λ s = {j u } s u=1, were k j u = 0. Firstly, counting N j (0 j < 45), N j1,j 2 (0 j 1 < j 2 < 45) and N j1,j 2,j 3 (0 j 1 < j 2 < j 3 < 45). And
15 N (l) = 0 for l > 3. Secondly, we can compute T 1 = N j1, T 2 = N j1 + N j2 2N j1,j 2, T 3 = N j1 + N j2 + N j3 2(N j1,j 2 + N j1,j 3 + N j2,j 3 ) + 4N j1,j 2,j 3, T 4 = N ju 2 N ju,jv + 4 N ju,jv,j w, j u Λ 4 j u, j v Λ 4 j u, j v, j w Λ , T 22 = N ju 2 j u Λ 22 N ju,jv + 4 N ju,jv,j w. j u, j v Λ 22 j u, j v, j w Λ 22 (13) Te values of T s will be different wen te positions of tese s independent subkey bits are canged. We classify T s by s and teir values, and ten we get m (1) 1, m (2) 2, m (3) 3,..., m (22) 22 (0 1, 2,..., 22 27), were 27 = L R is te number of dependent subkey bits. Finally, we know te bias of linear ull for any equivalent subkey values. Te computation complexity increases rapidly wit te growing of te number of linear pats. Here we offer anoter metod to compute te rate of weak keys. We define te subkey values satisfying η = N 0 N 1 ɛ 72ɛ > 8ɛ as weak keys. Instead of taking all possible subkey values to compute weak keys, we coose a large number of random subkey values to compute te rate of weak keys. Te testing procedure is presented as follows, 1. Coose N (< 2 32 ) values for 45-bit independent equivalent subkey bits randomly. 2. For eac cosen value, compute te values of oter 27 dependent equivalent subkey bits by te linear pats we derived. According to te number of zero subkey bits, add te counter of te corresponding bias value. 3. Compute te number of weak keys satisfying η > 8ɛ. Te results are sown in Tab. 3, N means te number of equivalent subkey values we tested, r d is te rate of weak keys computed by our metod (under te dependent linear pats), and r u is te rate of weak keys computed by K. Okuma s model (under te assumption of independency of linear pats). If te 72 subkey bits are independent, eac bit takes zero wit te probability 1 2. So te rate can be computed by te following equation: 1 2( ) ( ) ( ) ( ) ( ) = , (14)
16 Table 3. Te Rate of Weak Keys for 7-Round PRESENT N r d r u % 29.13% % 29.06% % 28.94% % 28.92% % 28.91% % 28.91% % 28.89% wic approaces to 28.89% in Tab. 3. So we believe tat it is reasonable to use te above random test, and tere are 28.13% weak key in 7-round linear ull of PRESENT, wic is lower tan te case under te assumption of independent linear pats. As we described in te previous section, in PRESENT, te rate of weak keys under dependent linear pats is less tan tat under independent case. In order to furter verify our metod, we compute te rate of weak keys of linear ull for more rounds PRESENT. First of all, we use different number of samples to count weak keys of i-round linear ull (7 i 13). And ten we focus on te size of sample N were te rate of weak keys is steady (tat is more sample don t cange te rate obviously). Finally, we randomly coose 100 groups sample wose size are N to compute te rate of weak keys. Te results are listed in Tab. 4. Here n is te round of linear ull, L is te number of linear pats, R is te number of independent linear pats of all L pats, N stands for te number of equivalent subkey values we used, r d is te rate of weak keys computed by our metod (under te dependent linear pats), and is called te computed rate, r u is te rate of weak keys computed by K. Okuma s model (under te assume of independent linear pats), wose computing metod is similar to equation (14), and is called te predicted rate. r is defined as we call it reduced rate. r = r u r d r u, At last, we compare te computed rate r d wit te predicted rate r u in Fig. 2. From Fig. 2, te difference between te computed rate and te predicted rate will increase as te round number increases, wic is caused by te dependency of te linear pats. Terefore, as te round number increases, te rate of weak keys will be reduced gradually.
17 Table 4. Te Rate of Weak Keys for Reduced-Round PRESENT n L R N r d r u r % 28.88% 2.60% % 34.82% 6.23% % 30.94% 9.95% % 31.28% 12.72% % 32.05% 15.44% % 31.85% 18.21% % 31.65% 20.54% Fig. 2. Difference of Rate of Weak Keys 5 Conclusion Linear cryptanalysis as been an important cryptanalytic metod for block ciper. However, if tere are linear ulls in te block ciper, te linear cryptanalysis may be strengtened or weaken wic is decided by te key value. In fact, te linear cryptanalysis wit linear ull is te cryptanalytic metod under te assumption of te special weak keys. Te previous attack wit linear ull assumed te linear pats are independent. But te assumption is not true, so te previous attack is inaccurate. In tis paper, we assume te round subkeys are independent wit eac oter and consider all kinds of te dependency in te linear pats wit te igest bias, and derive te metod to compute te number of te weak keys satisfying te expected bias for te linear ull. We sow tat te dependency of linear pats reduces te number of weak keys corresponding to iger biases for te linear ull compared wit tat in te
18 independent case, owever, te dependency of linear pats increases te number of keys corresponding to lower biases for te linear ull compared wit tat in te independent case. It means tat te dependency of linear pats reduces te effect of linear ull. We verified our metod by analyzing te reduced-round PRESENT block ciper and we found te rate of weak keys will be reduced gradually as te round number increases. It is noted tat we don t consider te dependency of te key scedule algoritm. If we consider te dependency of te key scedule algoritm, it will be unfavorable to present te effect of te dependency linear pats. However, if we consider all pats wit different biases, it is difficult to decide te effectiveness of te linear cryptanalysis wit te linear ull. References 1. Matsui, M.: Linear Cryptoanalysis Metod for DES Ciper. Advances in Cryptology, Eurocrypt 1993, Springer, LNCS 765, pp (1994). 2. Kaliski, B.S., Robsaw, M.J.B.: Linear Cryptanalysis Using Multiple Approximations. Advances in Cryptology, Crypto 1994, Springer, LNCS 839, pp (1994). 3. Alex, B., Cristope, D.C, Micel Q.: On Multiple Linear Approximations. Crypto 2004, Springer, LNCS 3152, pp (2004). 4. Nyberg, K.: Linear Approximation of Block Cipers. Advances in Cryptology, Eurocrypt 1994, Springer, LNCS 950, pp (1994). 5. Murpy, S.: Te Effectiveness of te Linear Hull Effect. Tecnical Report, RHUL- MA , ttp:// sean/linear Hull.pdf (2009). 6. Okuma, K.: Weak keys of Reduced-Round PRESENT for Linear Cryptanalysis. SAC 2009, Springer, LNCS 5867, pp (2009). 7. Anderson, R., Biam, E., Knudsen, L.: Serpent: A proposal for te Advanced Encryption Standard. First Advanced Encryption Standard (AES) conference (1998). 8. National Bureau of Standards: FIPS PUB 46-3, Data Encryption Standard (DES), National Institute for Standards and Tecnology (1977). 9. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poscmann, A., Robsaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an Ultra-Ligtweigt Block Ciper. CHES 2007, Springer, LNCS 4727, pp. 450C466 (2007) 10. Nakaara, J., Seperdad, P., Zang, B., Wang M.: Linear (Hull) and Algebraic Cryptanalysis of te Block Ciper PRESENT. CANS 2009, Springer, LNCS 5888, pp (2009). 11. Joo, Y.C.: Linear Cryptanalysis of Reduced-Round PRESENT. CT-RSA 2010, Springer, LNCS 5985, pp (2010).
19 A Te S-box and Permutation Tables of PRESENT Te S-box and te permutation tables of PRESENT are given in Tab. 5 and Tab. 6, respectively. Table 5. S-box Table in Hexadecimal Notation x A B C D E F S[x] C 5 6 B 9 0 A D 3 E F Table 6. Permutation Table i A B C D E F P[i] i P[i] i P[i] i P[i] B Bias of 4-Round Linear Hull of PRESENT For block ciper PRESENT, te data mask we used is ( x x, x x ), denoted by active bits form as (P[20, 21], C[6, 22, 54]). Tere are tree linear pats in all: P[20, 21] C[6, 22, 54] = K 0[20, 21] K 1[21] K 2[37] K 3[25] K 4[6, 22, 54], P[20, 21] C[6, 22, 54] = K 0[20, 21] K 1[37] K 2[41] K 3[26] K 4[6, 22, 54], P[20, 21] C[6, 22, 54] = K 0[20, 21] K 1[21, 53] K 2[37, 45] K 3[25, 27] K 4[6, 22, 54]. Te biases separately are ɛ 1 = 2 8, ɛ 2 = 2 8 and ɛ 3 = Ten we ave k 1 = K 0[20, 21] K 1[21] K 2[37] K 3[25] K 4[6, 22, 54], k 2 = K 0[20, 21] K 1[37] K 2[41] K 3[26] K 4[6, 22, 54], k 3 = K 0[20, 21] K 1[21, 53] K 2[37, 45] K 3[25, 27] K 4[6, 22, 54]. We computed te bias wit random plaintexts for tree different 80- bit encryption key and te results are listed in Tab. 7. Here we denote te
20 80-bit encryption key as κ, and κ[j] means te j-t (0 j < 80) bit of κ, κ[19] = 1 means only te 19-t bit of κ is 1 and oters are 0. Similarly, κ[17] = κ[19] = 1 means te 17-t and te 19-t bit are 1 and te rest are all 0. Te last column is te bias computed wit a large number of random plaintexts under 4-round PRESENT block ciper, te second to last column is te bias computed wit equation (3). Bot of tem are approximately equal. Table 7. Bias of 4-Round Linear Hull Equivalent Keys Number of Bias Computed Experimental Initial Key k 1 k 2 k 3 Plaintexts by Equation (3) Bias κ[j] = 0, 0 j < κ[19] = κ[17] = κ[19] = C Computing T s in Sect. 4 Symbols: Γ 1 : Te set of independent subkey bits; Γ s : Te subset of Γ 1, wose elements ave zero value; Ts j : Te number of dependent subkey bits in wic j elements of Γ s appear, and te number of dependent subkey bits wit value zero is T s = Ts j. 1 j s, j is odd All biases are computed according to equation (3) in wat follows. 1. Let us first consider te case of s = 1. It means tat tere is only one independent zero subkey bit, and we denote it as k j, j is one value of (1, 2,..., R). If N j = 0, it means tat k j does not appear in any dependent subkey expressions. Te number of dependent zero subkey bits is T 1 = 0, ten η = (L 2)ɛ. If N j = 1, it means tat k j only appears once in all dependent subkey bits. Te number of dependent zero subkey bits is T 1 = 1, ten η = (L 2(T 1 + 1))ɛ = (L 4)ɛ. In te similar way, if N j = t, it means tat k j appears t times in all dependent subkey bits. Te number of dependent zero subkey bits is
21 T 1 = N j = t, ten η = (L 2(T 1 + 1))ɛ = (L 2(N j + 1))ɛ = (L 2(t + 1))ɛ. If s = R 1, it means tat tere is only one independent zero subkey bit. We also denote it as k j, j is one value of (1, 2,..., R), tat is because k j = 0, k l = 1 (1 l R, l j) and k j = 1, k l = 0 (1 l R, l j) for j are one to one correspondence. Similar wit above process, we know tat T R 1 = N l = t and te bias η = (L 2(T R 1 + 1))ɛ = (L 2(N l + 1))ɛ = (L 2(t + 1))ɛ. Here we classify T 1 by teir value. Let m (1) denote te number of possible equivalent subkeys wit only one independent zero subkey bit appearing times in all dependent subkey bits, tat is m (1) = #{1 j R T 1 = N j = }, 0 L R. Ten m (1) = L R =0 m(1) means te total number of T 1, and T 1 = N j as R possible values. So m (1) = ( R 1) = R. Terefore, te number of equivalent subkeys satisfying η = (L 2( + 1))ɛ is m (1). According to symmetry, te number of equivalent subkeys satisfying η = (L 2( + 1))ɛ is m (1) too. 2. Considering te case of s = 2, it is a subset of any two zero or non-zero independent subkey bits k u k v (1 u < v R). As we know, k u appears N u times in dependent subkey expressions, and k v appears N v times, k u k v appears N u,v times, ten te number of dependent subkey expressions wic are dependent on k u but independent on k v is N u = N u N u,v, similarly te number of dependent subkey expressions wic are dependent on k v but independent on k u is N v = N v N u,v. Since k u = k v = 0, te value of dependent subkey bits wic is only dependent on one of k u and k v is 0, and te number of dependent subkey bits wit value zero is T 2 = N u + N v = N u + N v 2N (u,v). So η = (L 2(T 2 + 2))ɛ. Wit te metod in case 1, let us classify T 2 by its value, and define m (2) = #{1 u < v R T 2 = }, 0 L R. Ten m (2) = L R =0 m(2) = ( R 2) means te total number of T2. So te number of equivalent subkeys satisfying η = (L 2( + 2))ɛ is m (2). By symmetry, te number of equivalent subkeys satisfying η = (L 2( + 2))ɛ is m (2) too. 3. For te general case, we consider te subset of any s independent subkey bits Γ s = {k 1, k 2,..., k s }. We need to compute te number of dependent subkey expressions in wic odd elements of Γ s appear. Te number of dependent subkey expressions in wic k 1 k 2... k s 1 appear but k s does not appear (call te s 1 elements of Γ s
22 appear independently) is N 1,2,...,(s 1) = N 1,2,...,(s 1) N 1,2,...,s. Te number of dependent subkey expressions in wic k 1 k 2... k s 2 appear independently is N 1,2,...,(s 2) = N 1,2,...(s 2) N 1,2,...,(s 2),(s 1) N 1,2,...,(s 2),s N 1,2,...,s = N 1,2,...,(s 2) (N 1,2,...,(s 2),(s 1) +N 1,2,...,(s 2),s )+ N 1,2,...,s. We can also compute te number of dependent subkey expressions in wic any s 2 elements of Γ s appear independently. Ten we compute te number of dependent subkey expressions in wic any s 3 elements of Γ s appear independently. According to matematical induction, we get te number of dependent subkey expressions in wic one element of Γ s appears independently N i = N i 1 j s, j i N i,j + 1 j<k s, j i, k i N i,j,k ( 1) s 1 N (s). We know tat N (l) is just a symbol and it stands for ( s l) different values. N (l) in N i (1 i s) are always related wit k i, ten te number of N (l) in N i is ( s 1 l 1). Terefore, te number of all N(l) in s i=1 N i is s (s 1 l 1). By symmetry, te times of every N(l) appeared in s i=1 N i is equal. So te coefficient of N (l) in s i=1 N i s (s 1 is l 1) = l. ( s l) Hence, T 1 s = s s N i = N j 2 N i,j + 3 N (3) i=1 j=1 1 i<j s 4 N (4) ( 1) l 1 l N (l) ( 1) s 1 s N (s). Similarly, we consider te number of N (l) appeared in N (u) (u < l, u is an odd). N (l) in N (u) is always related wit u elements of Γ s, ten te number of N (l) in N (u) is ( s u l u). Terefore, te number of all N(l) in N (u) ( is s s u u) ( l u). By symmetry, te times of every N(l) appeared in N (u) is equal. So te coefficient of N (l) in N (u) is (s u) ( s 1 T u s ( s l) l u) = ( l u). Hence, = N (u) = ( ) u + 1 N (u) N u (u+1) +... ( ) l ( ) s + ( 1) l 1 N(l) ( 1) s 1 N u u (s).
23 Finally, we get te equation (6) T s = T j s 1 j s,j is an odd s = N j + N (3) + N (5) +... = j=1 s N j 2 j=1 1 i<j s N i,j + 4 N (3) 8 N (4) +... ( ) ( ) ( ) 2l 2l 2l (2l N 3 5 2l 1 (2l) ( ) ( ) ( ) 2l + 1 2l + 1 2l (2l N 3 5 2l + 1 (2l+1) ( ) ( ) s s ( 1) s 1 (s ) N 3 5 (s).
Linear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationProvable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C.
Provable Security Against a Dierential Attack Kaisa Nyberg and Lars Ramkilde Knudsen Aarus University, DK-8000 Aarus C. Abstract. Te purpose of tis paper is to sow tat tere exist DESlike iterated cipers,
More informationNumerical Differentiation
Numerical Differentiation Finite Difference Formulas for te first derivative (Using Taylor Expansion tecnique) (section 8.3.) Suppose tat f() = g() is a function of te variable, and tat as 0 te function
More information1 The concept of limits (p.217 p.229, p.242 p.249, p.255 p.256) 1.1 Limits Consider the function determined by the formula 3. x since at this point
MA00 Capter 6 Calculus and Basic Linear Algebra I Limits, Continuity and Differentiability Te concept of its (p.7 p.9, p.4 p.49, p.55 p.56). Limits Consider te function determined by te formula f Note
More informationExperiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL
More information2.11 That s So Derivative
2.11 Tat s So Derivative Introduction to Differential Calculus Just as one defines instantaneous velocity in terms of average velocity, we now define te instantaneous rate of cange of a function at a point
More informationTaylor Series and the Mean Value Theorem of Derivatives
1 - Taylor Series and te Mean Value Teorem o Derivatives Te numerical solution o engineering and scientiic problems described by matematical models oten requires solving dierential equations. Dierential
More informationThe derivative function
Roberto s Notes on Differential Calculus Capter : Definition of derivative Section Te derivative function Wat you need to know already: f is at a point on its grap and ow to compute it. Wat te derivative
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos
More informationSymmetry Labeling of Molecular Energies
Capter 7. Symmetry Labeling of Molecular Energies Notes: Most of te material presented in tis capter is taken from Bunker and Jensen 1998, Cap. 6, and Bunker and Jensen 2005, Cap. 7. 7.1 Hamiltonian Symmetry
More informationMore on generalized inverses of partitioned matrices with Banachiewicz-Schur forms
More on generalized inverses of partitioned matrices wit anaciewicz-scur forms Yongge Tian a,, Yosio Takane b a Cina Economics and Management cademy, Central University of Finance and Economics, eijing,
More informationHow to Find the Derivative of a Function: Calculus 1
Introduction How to Find te Derivative of a Function: Calculus 1 Calculus is not an easy matematics course Te fact tat you ave enrolled in suc a difficult subject indicates tat you are interested in te
More informationA = h w (1) Error Analysis Physics 141
Introduction In all brances of pysical science and engineering one deals constantly wit numbers wic results more or less directly from experimental observations. Experimental observations always ave inaccuracies.
More informationNUMERICAL DIFFERENTIATION. James T. Smith San Francisco State University. In calculus classes, you compute derivatives algebraically: for example,
NUMERICAL DIFFERENTIATION James T Smit San Francisco State University In calculus classes, you compute derivatives algebraically: for example, f( x) = x + x f ( x) = x x Tis tecnique requires your knowing
More informationlecture 26: Richardson extrapolation
43 lecture 26: Ricardson extrapolation 35 Ricardson extrapolation, Romberg integration Trougout numerical analysis, one encounters procedures tat apply some simple approximation (eg, linear interpolation)
More informationCombining functions: algebraic methods
Combining functions: algebraic metods Functions can be added, subtracted, multiplied, divided, and raised to a power, just like numbers or algebra expressions. If f(x) = x 2 and g(x) = x + 2, clearly f(x)
More information2.8 The Derivative as a Function
.8 Te Derivative as a Function Typically, we can find te derivative of a function f at many points of its domain: Definition. Suppose tat f is a function wic is differentiable at every point of an open
More informationMaterial for Difference Quotient
Material for Difference Quotient Prepared by Stepanie Quintal, graduate student and Marvin Stick, professor Dept. of Matematical Sciences, UMass Lowell Summer 05 Preface Te following difference quotient
More informationLearning based super-resolution land cover mapping
earning based super-resolution land cover mapping Feng ing, Yiang Zang, Giles M. Foody IEEE Fellow, Xiaodong Xiuua Zang, Siming Fang, Wenbo Yun Du is work was supported in part by te National Basic Researc
More informationThe Verlet Algorithm for Molecular Dynamics Simulations
Cemistry 380.37 Fall 2015 Dr. Jean M. Standard November 9, 2015 Te Verlet Algoritm for Molecular Dynamics Simulations Equations of motion For a many-body system consisting of N particles, Newton's classical
More informationPolynomial Interpolation
Capter 4 Polynomial Interpolation In tis capter, we consider te important problem of approximatinga function fx, wose values at a set of distinct points x, x, x,, x n are known, by a polynomial P x suc
More informationTowards Provable Security of Substitution-Permutation Encryption Networks
Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,
More informationExercises for numerical differentiation. Øyvind Ryan
Exercises for numerical differentiation Øyvind Ryan February 25, 2013 1. Mark eac of te following statements as true or false. a. Wen we use te approximation f (a) (f (a +) f (a))/ on a computer, we can
More informationDedicated to the 70th birthday of Professor Lin Qun
Journal of Computational Matematics, Vol.4, No.3, 6, 4 44. ACCELERATION METHODS OF NONLINEAR ITERATION FOR NONLINEAR PARABOLIC EQUATIONS Guang-wei Yuan Xu-deng Hang Laboratory of Computational Pysics,
More informationIntroduction to Derivatives
Introduction to Derivatives 5-Minute Review: Instantaneous Rates and Tangent Slope Recall te analogy tat we developed earlier First we saw tat te secant slope of te line troug te two points (a, f (a))
More informationSolve exponential equations in one variable using a variety of strategies. LEARN ABOUT the Math. What is the half-life of radon?
8.5 Solving Exponential Equations GOAL Solve exponential equations in one variable using a variety of strategies. LEARN ABOUT te Mat All radioactive substances decrease in mass over time. Jamie works in
More informationPolynomial Interpolation
Capter 4 Polynomial Interpolation In tis capter, we consider te important problem of approximating a function f(x, wose values at a set of distinct points x, x, x 2,,x n are known, by a polynomial P (x
More informationExam 1 Review Solutions
Exam Review Solutions Please also review te old quizzes, and be sure tat you understand te omework problems. General notes: () Always give an algebraic reason for your answer (graps are not sufficient),
More informationERROR BOUNDS FOR THE METHODS OF GLIMM, GODUNOV AND LEVEQUE BRADLEY J. LUCIER*
EO BOUNDS FO THE METHODS OF GLIMM, GODUNOV AND LEVEQUE BADLEY J. LUCIE* Abstract. Te expected error in L ) attimet for Glimm s sceme wen applied to a scalar conservation law is bounded by + 2 ) ) /2 T
More informationLIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT
LIMITS AND DERIVATIVES Te limit of a function is defined as te value of y tat te curve approaces, as x approaces a particular value. Te limit of f (x) as x approaces a is written as f (x) approaces, as
More informationDifferential Calculus (The basics) Prepared by Mr. C. Hull
Differential Calculus Te basics) A : Limits In tis work on limits, we will deal only wit functions i.e. tose relationsips in wic an input variable ) defines a unique output variable y). Wen we work wit
More information3.1 Extreme Values of a Function
.1 Etreme Values of a Function Section.1 Notes Page 1 One application of te derivative is finding minimum and maimum values off a grap. In precalculus we were only able to do tis wit quadratics by find
More information1. Which one of the following expressions is not equal to all the others? 1 C. 1 D. 25x. 2. Simplify this expression as much as possible.
004 Algebra Pretest answers and scoring Part A. Multiple coice questions. Directions: Circle te letter ( A, B, C, D, or E ) net to te correct answer. points eac, no partial credit. Wic one of te following
More informationch (for some fixed positive number c) reaching c
GSTF Journal of Matematics Statistics and Operations Researc (JMSOR) Vol. No. September 05 DOI 0.60/s4086-05-000-z Nonlinear Piecewise-defined Difference Equations wit Reciprocal and Cubic Terms Ramadan
More informationLecture 10: Carnot theorem
ecture 0: Carnot teorem Feb 7, 005 Equivalence of Kelvin and Clausius formulations ast time we learned tat te Second aw can be formulated in two ways. e Kelvin formulation: No process is possible wose
More information158 Calculus and Structures
58 Calculus and Structures CHAPTER PROPERTIES OF DERIVATIVES AND DIFFERENTIATION BY THE EASY WAY. Calculus and Structures 59 Copyrigt Capter PROPERTIES OF DERIVATIVES. INTRODUCTION In te last capter you
More informationFunction Composition and Chain Rules
Function Composition and s James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 8, 2017 Outline 1 Function Composition and Continuity 2 Function
More informationContinuity and Differentiability of the Trigonometric Functions
[Te basis for te following work will be te definition of te trigonometric functions as ratios of te sides of a triangle inscribed in a circle; in particular, te sine of an angle will be defined to be te
More informationAnalytic Functions. Differentiable Functions of a Complex Variable
Analytic Functions Differentiable Functions of a Complex Variable In tis capter, we sall generalize te ideas for polynomials power series of a complex variable we developed in te previous capter to general
More informationINTRODUCTION TO CALCULUS LIMITS
Calculus can be divided into two ke areas: INTRODUCTION TO CALCULUS Differential Calculus dealing wit its, rates of cange, tangents and normals to curves, curve sketcing, and applications to maima and
More informationTime (hours) Morphine sulfate (mg)
Mat Xa Fall 2002 Review Notes Limits and Definition of Derivative Important Information: 1 According to te most recent information from te Registrar, te Xa final exam will be eld from 9:15 am to 12:15
More informationWind Turbine Micrositing: Comparison of Finite Difference Method and Computational Fluid Dynamics
IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 1, No 1, January 01 ISSN (Online): 169-081 www.ijcsi.org 7 Wind Turbine Micrositing: Comparison of Finite Difference Metod and Computational
More informationPolynomials 3: Powers of x 0 + h
near small binomial Capter 17 Polynomials 3: Powers of + Wile it is easy to compute wit powers of a counting-numerator, it is a lot more difficult to compute wit powers of a decimal-numerator. EXAMPLE
More informationProblem Solving. Problem Solving Process
Problem Solving One of te primary tasks for engineers is often solving problems. It is wat tey are, or sould be, good at. Solving engineering problems requires more tan just learning new terms, ideas and
More informationPrecalculus Test 2 Practice Questions Page 1. Note: You can expect other types of questions on the test than the ones presented here!
Precalculus Test 2 Practice Questions Page Note: You can expect oter types of questions on te test tan te ones presented ere! Questions Example. Find te vertex of te quadratic f(x) = 4x 2 x. Example 2.
More informationIntegral Calculus, dealing with areas and volumes, and approximate areas under and between curves.
Calculus can be divided into two ke areas: Differential Calculus dealing wit its, rates of cange, tangents and normals to curves, curve sketcing, and applications to maima and minima problems Integral
More informationHOW TO DEAL WITH FFT SAMPLING INFLUENCES ON ADEV CALCULATIONS
HOW TO DEAL WITH FFT SAMPLING INFLUENCES ON ADEV CALCULATIONS Po-Ceng Cang National Standard Time & Frequency Lab., TL, Taiwan 1, Lane 551, Min-Tsu Road, Sec. 5, Yang-Mei, Taoyuan, Taiwan 36 Tel: 886 3
More informationProfit Based Unit Commitment in Deregulated Electricity Markets Using A Hybrid Lagrangian Relaxation - Particle Swarm Optimization Approach
Profit Based Unit Commitment in Deregulated Electricity Markets Using A Hybrid Lagrangian Relaxation - Particle Swarm Optimization Approac Adline K. Bikeri, Cristoper M. Maina and Peter K. Kiato Proceedings
More information. If lim. x 2 x 1. f(x+h) f(x)
Review of Differential Calculus Wen te value of one variable y is uniquely determined by te value of anoter variable x, ten te relationsip between x and y is described by a function f tat assigns a value
More informationLecture XVII. Abstract We introduce the concept of directional derivative of a scalar function and discuss its relation with the gradient operator.
Lecture XVII Abstract We introduce te concept of directional derivative of a scalar function and discuss its relation wit te gradient operator. Directional derivative and gradient Te directional derivative
More informationLogarithmic functions
Roberto s Notes on Differential Calculus Capter 5: Derivatives of transcendental functions Section Derivatives of Logaritmic functions Wat ou need to know alread: Definition of derivative and all basic
More informationPoisson Equation in Sobolev Spaces
Poisson Equation in Sobolev Spaces OcMountain Dayligt Time. 6, 011 Today we discuss te Poisson equation in Sobolev spaces. It s existence, uniqueness, and regularity. Weak Solution. u = f in, u = g on
More informationUniversity Mathematics 2
University Matematics 2 1 Differentiability In tis section, we discuss te differentiability of functions. Definition 1.1 Differentiable function). Let f) be a function. We say tat f is differentiable at
More informationSECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY
(Section 3.2: Derivative Functions and Differentiability) 3.2.1 SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY LEARNING OBJECTIVES Know, understand, and apply te Limit Definition of te Derivative
More informationLinear Cryptanalysis of RC5 and RC6
Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be
More information5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems
5 Ordinary Differential Equations: Finite Difference Metods for Boundary Problems Read sections 10.1, 10.2, 10.4 Review questions 10.1 10.4, 10.8 10.9, 10.13 5.1 Introduction In te previous capters we
More informationSFU UBC UNBC Uvic Calculus Challenge Examination June 5, 2008, 12:00 15:00
SFU UBC UNBC Uvic Calculus Callenge Eamination June 5, 008, :00 5:00 Host: SIMON FRASER UNIVERSITY First Name: Last Name: Scool: Student signature INSTRUCTIONS Sow all your work Full marks are given only
More informationDigital Filter Structures
Digital Filter Structures Te convolution sum description of an LTI discrete-time system can, in principle, be used to implement te system For an IIR finite-dimensional system tis approac is not practical
More informationMath 312 Lecture Notes Modeling
Mat 3 Lecture Notes Modeling Warren Weckesser Department of Matematics Colgate University 5 7 January 006 Classifying Matematical Models An Example We consider te following scenario. During a storm, a
More informationMathematics 5 Worksheet 11 Geometry, Tangency, and the Derivative
Matematics 5 Workseet 11 Geometry, Tangency, and te Derivative Problem 1. Find te equation of a line wit slope m tat intersects te point (3, 9). Solution. Te equation for a line passing troug a point (x
More informationVolume 29, Issue 3. Existence of competitive equilibrium in economies with multi-member households
Volume 29, Issue 3 Existence of competitive equilibrium in economies wit multi-member ouseolds Noriisa Sato Graduate Scool of Economics, Waseda University Abstract Tis paper focuses on te existence of
More informationRecall from our discussion of continuity in lecture a function is continuous at a point x = a if and only if
Computational Aspects of its. Keeping te simple simple. Recall by elementary functions we mean :Polynomials (including linear and quadratic equations) Eponentials Logaritms Trig Functions Rational Functions
More information5.1 We will begin this section with the definition of a rational expression. We
Basic Properties and Reducing to Lowest Terms 5.1 We will begin tis section wit te definition of a rational epression. We will ten state te two basic properties associated wit rational epressions and go
More information4. The slope of the line 2x 7y = 8 is (a) 2/7 (b) 7/2 (c) 2 (d) 2/7 (e) None of these.
Mat 11. Test Form N Fall 016 Name. Instructions. Te first eleven problems are wort points eac. Te last six problems are wort 5 points eac. For te last six problems, you must use relevant metods of algebra
More informationLecture 21. Numerical differentiation. f ( x+h) f ( x) h h
Lecture Numerical differentiation Introduction We can analytically calculate te derivative of any elementary function, so tere migt seem to be no motivation for calculating derivatives numerically. However
More informationSin, Cos and All That
Sin, Cos and All Tat James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 9, 2017 Outline Sin, Cos and all tat! A New Power Rule Derivatives
More informationBounds on the Moments for an Ensemble of Random Decision Trees
Noname manuscript No. (will be inserted by te editor) Bounds on te Moments for an Ensemble of Random Decision Trees Amit Durandar Received: Sep. 17, 2013 / Revised: Mar. 04, 2014 / Accepted: Jun. 30, 2014
More informationChapter 5 FINITE DIFFERENCE METHOD (FDM)
MEE7 Computer Modeling Tecniques in Engineering Capter 5 FINITE DIFFERENCE METHOD (FDM) 5. Introduction to FDM Te finite difference tecniques are based upon approximations wic permit replacing differential
More informationTHE IDEA OF DIFFERENTIABILITY FOR FUNCTIONS OF SEVERAL VARIABLES Math 225
THE IDEA OF DIFFERENTIABILITY FOR FUNCTIONS OF SEVERAL VARIABLES Mat 225 As we ave seen, te definition of derivative for a Mat 111 function g : R R and for acurveγ : R E n are te same, except for interpretation:
More informationClick here to see an animation of the derivative
Differentiation Massoud Malek Derivative Te concept of derivative is at te core of Calculus; It is a very powerful tool for understanding te beavior of matematical functions. It allows us to optimize functions,
More informationSolving Generalized Small Inverse Problems
Solving Generalized Small Inverse Problems Noboru Kuniiro Te University of Tokyo, Japan kuniiro@k.u-tokyo.ac.jp Abstract. We introduce a generalized small inverse problem (GSIP) and present an algoritm
More informationRegularized Regression
Regularized Regression David M. Blei Columbia University December 5, 205 Modern regression problems are ig dimensional, wic means tat te number of covariates p is large. In practice statisticians regularize
More informationALGEBRA AND TRIGONOMETRY REVIEW by Dr TEBOU, FIU. A. Fundamental identities Throughout this section, a and b denotes arbitrary real numbers.
ALGEBRA AND TRIGONOMETRY REVIEW by Dr TEBOU, FIU A. Fundamental identities Trougout tis section, a and b denotes arbitrary real numbers. i) Square of a sum: (a+b) =a +ab+b ii) Square of a difference: (a-b)
More informationDynamics and Relativity
Dynamics and Relativity Stepen Siklos Lent term 2011 Hand-outs and examples seets, wic I will give out in lectures, are available from my web site www.damtp.cam.ac.uk/user/stcs/dynamics.tml Lecture notes,
More informationOrder of Accuracy. ũ h u Ch p, (1)
Order of Accuracy 1 Terminology We consider a numerical approximation of an exact value u. Te approximation depends on a small parameter, wic can be for instance te grid size or time step in a numerical
More informationarxiv: v3 [cs.ds] 4 Aug 2017
Non-preemptive Sceduling in a Smart Grid Model and its Implications on Macine Minimization Fu-Hong Liu 1, Hsiang-Hsuan Liu 1,2, and Prudence W.H. Wong 2 1 Department of Computer Science, National Tsing
More informationf a h f a h h lim lim
Te Derivative Te derivative of a function f at a (denoted f a) is f a if tis it exists. An alternative way of defining f a is f a x a fa fa fx fa x a Note tat te tangent line to te grap of f at te point
More informationEFFICIENCY OF MODEL-ASSISTED REGRESSION ESTIMATORS IN SAMPLE SURVEYS
Statistica Sinica 24 2014, 395-414 doi:ttp://dx.doi.org/10.5705/ss.2012.064 EFFICIENCY OF MODEL-ASSISTED REGRESSION ESTIMATORS IN SAMPLE SURVEYS Jun Sao 1,2 and Seng Wang 3 1 East Cina Normal University,
More informationDifferentiation in higher dimensions
Capter 2 Differentiation in iger dimensions 2.1 Te Total Derivative Recall tat if f : R R is a 1-variable function, and a R, we say tat f is differentiable at x = a if and only if te ratio f(a+) f(a) tends
More informationLecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines
Lecture 5 Interpolation II Introduction In te previous lecture we focused primarily on polynomial interpolation of a set of n points. A difficulty we observed is tat wen n is large, our polynomial as to
More informationMATH745 Fall MATH745 Fall
MATH745 Fall 5 MATH745 Fall 5 INTRODUCTION WELCOME TO MATH 745 TOPICS IN NUMERICAL ANALYSIS Instructor: Dr Bartosz Protas Department of Matematics & Statistics Email: bprotas@mcmasterca Office HH 36, Ext
More informationA MONTE CARLO ANALYSIS OF THE EFFECTS OF COVARIANCE ON PROPAGATED UNCERTAINTIES
A MONTE CARLO ANALYSIS OF THE EFFECTS OF COVARIANCE ON PROPAGATED UNCERTAINTIES Ronald Ainswort Hart Scientific, American Fork UT, USA ABSTRACT Reports of calibration typically provide total combined uncertainties
More informationThese errors are made from replacing an infinite process by finite one.
Introduction :- Tis course examines problems tat can be solved by metods of approximation, tecniques we call numerical metods. We begin by considering some of te matematical and computational topics tat
More informationMAT244 - Ordinary Di erential Equations - Summer 2016 Assignment 2 Due: July 20, 2016
MAT244 - Ordinary Di erential Equations - Summer 206 Assignment 2 Due: July 20, 206 Full Name: Student #: Last First Indicate wic Tutorial Section you attend by filling in te appropriate circle: Tut 0
More informationOSCILLATION OF SOLUTIONS TO NON-LINEAR DIFFERENCE EQUATIONS WITH SEVERAL ADVANCED ARGUMENTS. Sandra Pinelas and Julio G. Dix
Opuscula Mat. 37, no. 6 (2017), 887 898 ttp://dx.doi.org/10.7494/opmat.2017.37.6.887 Opuscula Matematica OSCILLATION OF SOLUTIONS TO NON-LINEAR DIFFERENCE EQUATIONS WITH SEVERAL ADVANCED ARGUMENTS Sandra
More informationDerivatives of Exponentials
mat 0 more on derivatives: day 0 Derivatives of Eponentials Recall tat DEFINITION... An eponential function as te form f () =a, were te base is a real number a > 0. Te domain of an eponential function
More informationNew Streamfunction Approach for Magnetohydrodynamics
New Streamfunction Approac for Magnetoydrodynamics Kab Seo Kang Brooaven National Laboratory, Computational Science Center, Building 63, Room, Upton NY 973, USA. sang@bnl.gov Summary. We apply te finite
More informationPreface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.
Preface Here are my online notes for my course tat I teac ere at Lamar University. Despite te fact tat tese are my class notes, tey sould be accessible to anyone wanting to learn or needing a refreser
More information64 IX. The Exceptional Lie Algebras
64 IX. Te Exceptional Lie Algebras IX. Te Exceptional Lie Algebras We ave displayed te four series of classical Lie algebras and teir Dynkin diagrams. How many more simple Lie algebras are tere? Surprisingly,
More informationSection 2.7 Derivatives and Rates of Change Part II Section 2.8 The Derivative as a Function. at the point a, to be. = at time t = a is
Mat 180 www.timetodare.com Section.7 Derivatives and Rates of Cange Part II Section.8 Te Derivative as a Function Derivatives ( ) In te previous section we defined te slope of te tangent to a curve wit
More information1 Limits and Continuity
1 Limits and Continuity 1.0 Tangent Lines, Velocities, Growt In tion 0.2, we estimated te slope of a line tangent to te grap of a function at a point. At te end of tion 0.3, we constructed a new function
More informationChapter Seven The Quantum Mechanical Simple Harmonic Oscillator
Capter Seven Te Quantum Mecanical Simple Harmonic Oscillator Introduction Te potential energy function for a classical, simple armonic oscillator is given by ZÐBÑ œ 5B were 5 is te spring constant. Suc
More informationComplexity of Decoding Positive-Rate Reed-Solomon Codes
Complexity of Decoding Positive-Rate Reed-Solomon Codes Qi Ceng 1 and Daqing Wan 1 Scool of Computer Science Te University of Oklaoma Norman, OK73019 Email: qceng@cs.ou.edu Department of Matematics University
More informationDefinition of the Derivative
Te Limit Definition of te Derivative Tis Handout will: Define te limit grapically and algebraically Discuss, in detail, specific features of te definition of te derivative Provide a general strategy of
More informationJournal of Computational and Applied Mathematics
Journal of Computational and Applied Matematics 94 (6) 75 96 Contents lists available at ScienceDirect Journal of Computational and Applied Matematics journal omepage: www.elsevier.com/locate/cam Smootness-Increasing
More informationExcursions in Computing Science: Week v Milli-micro-nano-..math Part II
Excursions in Computing Science: Week v Milli-micro-nano-..mat Part II T. H. Merrett McGill University, Montreal, Canada June, 5 I. Prefatory Notes. Cube root of 8. Almost every calculator as a square-root
More informationA.P. CALCULUS (AB) Outline Chapter 3 (Derivatives)
A.P. CALCULUS (AB) Outline Capter 3 (Derivatives) NAME Date Previously in Capter 2 we determined te slope of a tangent line to a curve at a point as te limit of te slopes of secant lines using tat point
More informationFinancial Econometrics Prof. Massimo Guidolin
CLEFIN A.A. 2010/2011 Financial Econometrics Prof. Massimo Guidolin A Quick Review of Basic Estimation Metods 1. Were te OLS World Ends... Consider two time series 1: = { 1 2 } and 1: = { 1 2 }. At tis
More informationInvestigating Euler s Method and Differential Equations to Approximate π. Lindsay Crowl August 2, 2001
Investigating Euler s Metod and Differential Equations to Approximate π Lindsa Crowl August 2, 2001 Tis researc paper focuses on finding a more efficient and accurate wa to approximate π. Suppose tat x
More informationCopyright c 2008 Kevin Long
Lecture 4 Numerical solution of initial value problems Te metods you ve learned so far ave obtained closed-form solutions to initial value problems. A closedform solution is an explicit algebriac formula
More information