Statistical and Linear Independence of Binary Random Variables

Similar documents
Linear and Statistical Independence of Linear Approximations and their Correlations

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Chapter 1 - Linear cryptanalysis.

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Thesis Research Notes

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Probability Distributions of Correlation and Differentials in Block Ciphers

Revisiting the Wrong-Key-Randomization Hypothesis

Provable Security Against Differential and Linear Cryptanalysis

DD2448 Foundations of Cryptography Lecture 3

Linear Cryptanalysis of Reduced-Round PRESENT

Computing the biases of parity-check relations

A New Algorithm to Construct. Secure Keys for AES

1-Resilient Boolean Function with Optimal Algebraic Immunity

A FAMILY OF 6-TO-4-BIT S-BOXES WITH LARGE LINEAR BRANCH NUMBER

Correcting Codes in Cryptography

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Block Cipher Cryptanalysis: An Overview

Linear Cryptanalysis Using Low-bias Linear Approximations

Affine equivalence in the AES round function

Linear Cryptanalysis

On values of vectorial Boolean functions and related problems in APN functions

CCZ-equivalence and Boolean functions

Analysis of Some Quasigroup Transformations as Boolean Functions

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

A new simple technique to attack filter generators and related ciphers

Publication VII Springer Science+Business Media. Reprinted with kind permission from Springer Science and Business Media.

Attacking AES via SAT

jorge 2 LSI-TEC, PKI Certification department

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

On a generalized combinatorial conjecture involving addition mod 2 k 1

Constructing differential 4-uniform permutations from know ones

Wieringa, Celine; Nyberg, Kaisa Improved Parameter Estimates for Correlation and Capacity Deviates in Linear Cryptanalysis

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Differential-Linear Cryptanalysis of Serpent

Chapter 2 - Differential cryptanalysis.

Hermelin, Miia; Cho, Joo Yeon; Nyberg, Kaisa Multidimensional Linear Cryptanalysis

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

New Results in the Linear Cryptanalysis of DES

On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

If a Generalised Butterfly is APN then it Operates on 6 Bits

Generalized hyper-bent functions over GF(p)

Algebraic nonlinearity and its applications to cryptography

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

IN this paper, we exploit the information given by the generalized

Non-Separable Cryptographic Functions

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION

Fast Low Order Approximation of Cryptographic Functions

DIFFERENTIAL cryptanalysis is the first statistical attack

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Decomposing Bent Functions

Hyper-bent Functions

Revisit and Cryptanalysis of a CAST Cipher

Linear Cryptanalysis Using Multiple Linear Approximations

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Differential properties of power functions

New Combined Attacks on Block Ciphers

How Biased Are Linear Biases

Distinguishing Attacks on T-functions

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Provable Security Against Differential and Linear Cryptanalysis

Smart Hill Climbing Finds Better Boolean Functions

On Correlation Between the Order of S-boxes and the Strength of DES

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Extended Criterion for Absence of Fixed Points

Differential Attacks: Using Alternative Operations

Algebraic Techniques in Differential Cryptanalysis

AES side channel attacks protection using random isomorphisms

Achterbahn-128/80: Design and Analysis

Haar Spectrum of Bent Boolean Functions

KFC - The Krazy Feistel Cipher

4.3 General attacks on LFSR based stream ciphers

A Weak Cipher that Generates the Symmetric Group

Weaknesses in the HAS-V Compression Function

Towards Provable Security of Substitution-Permutation Encryption Networks

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

9-variable Boolean Functions with Nonlinearity 242 in the Generalized Rotation Class

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2

Secret-sharing with a class of ternary codes

Linear Cryptanalysis of Reduced-Round Speck

hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies

Linear Approximations for 2-round Trivium

arxiv: v2 [cs.cr] 18 Jan 2016

Table Of Contents. ! 1. Introduction to AES

Quadratic Equations from APN Power Functions

Differentially uniform mappings for cryptography

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

On Distinct Known Plaintext Attacks

Improved security analysis of OMAC

Analysis of SHA-1 in Encryption Mode

Nonlinear Equivalence of Stream Ciphers

Cryptanalysis of Achterbahn

On the Security of NOEKEON against Side Channel Cube Attacks

Transcription:

Statistical and Linear Independence of Binary Random Variables Kaisa Nyberg Department of Computer Science, Aalto University School of Science, Finland kaisa.nyberg@aalto.fi October 10, 2017 Abstract. Linear cryptanalysis makes use of statistical models that consider linear approximations over block cipher and random permutation as binary random variables. In this note we develop conditions under which linear independence of binary random variables and statistical independence of their correlations are equivalent properties. As an application we obtain that the correlations of linear combinations of the components of a random n-bit to m-bit transformation are statistically independent if and only if these linear combinations are linearly independent. Keywords: Xiao-Massey lemma, block cipher, linear cryptanalysis, linear approximation, random Boolean function, random transformation, multiple linear cryptanalysis 1 Introduction Linear cryptanalysis is a method that is used for distinguishing a block cipher from a random permutation and can be extended to key recovery attacks in practical applications. To this end, the cryptanalyst builds a statistical model of the correlations of linear approximations over the cipher, on the one hand, and over a random permutation, on the other hand. Sometimes only the latter is used. The goal of this short note is to clarify the issues between linear and statistical independence of linear approximations seen as random Boolean functions. It is clear that linearly dependent linear approximations cannot be statistically independent. On the other hand, it would be important to know what kind of independence assumptions are required for a set of linear approximations that is used in multiple linear cryptanalysis. In the context of linear cryptanalysis, a linear approximation of a transformation F from F n 2 to F m 2 is a Boolean function in F n 2 defined by two vectors a, b F n 2 as follows x a x + b F (x). In the statistical setting, a linear approximation is considered as a binary random variable X over the given space of transformations with a probability density

function defined by Pr(X = 0) = #{x F n 2 a x + b F (x) = 0}. So we can write X = a x+b F (x). In the algebraic setting, a linear approximation a x + b F (x) is identified with the vector (a, b) in the linear space F n 2 F n 2 over F 2. 2 Independence of Binary Random Variables In this section, we consider binary random variables X, which form a linear space X over F 2, and their statistical and linear independence. We show that under the condition of pairwise statistical independence of all variables, random variables in any subset of X are statistically independent if and only if they are linearly independent. We first recall the classical Xiao-Massey lemma [4]. For a short proof, see [1]. Lemma 1. (Xiao-Massey lemma) A binary random variable Y is independent of the set of k independent binary variables X 1,..., X k if and only if Y is independent of the linear combination λ 1 X 1 + + λ k X k for every choice of λ 1,..., λ k, not all zero, in F 2. Let us now state the main result. Theorem 1. Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Then linearly independent random variables in X are also statistically independent. The converse holds for nonzero random variables in X. The proof of the theorem goes by induction, where the main step is given by the following lemma. Lemma 2. Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Assume that the binary random variables X 1,..., X k in X are linearly and statistically independent. If given Y X the variables X 1,..., X k, Y are linearly independent, then they are also statistically independent. Proof. Assume that X 1,..., X k, Y are statistically dependent. Since X 1,..., X k are independent, it means that Y is dependent of the set X 1,..., X k. By the Xiao-Massey lemma, this can happen only if there exist λ 1,..., λ k not all zero in F 2 such that Y and λ 1 X 1 + + λ k X k are statistically dependent. Since both of these variables are in X it follows that Y and λ 1 X 1 + + λ k X k must be equal, and therefore X 1,..., X k, Y are linearly dependent. Proof. (Proof of Theorem 1) Assume first that the variables X 1,..., X m in X are linearly independent. For 2 k < m let us state the induction hypothesis as follows: If X 1,..., X k are linearly independent, then they are statistically

independent. Since linear independence of any two of them implies that they are different, they are also statistically independent by the assumption. Hence the induction hypothesis holds for k = 2. Let us assume that the induction hypothesis holds for k, and let X 1,..., X k+1 be linearly independent. Then X 1,..., X k are linearly independent and hence by the induction hypothesis also statistically independent. By Lemma 2 it follows that X 1,..., X k+1 are statistically independent. Assume then that the variables X 1,..., X m are nonzero and linearly dependent. W.l.o.g it can be assumed that there exist a relation X 1 = X 2 + + X k where X 2,..., X k are linearly independent and k m. By the first part of the proof it then follows that X 2,..., X k are statistically independent. Now by the Xiao-Massey lemma, Lemma 1, the variable X 1 must be statistically dependent of X 2,..., X k. Hence X 1,..., X m are not statistically independent. 3 Independence of Correlations Given a binary random variable X its correlation cor(x) is defined as cor(x) = Pr(X = 0) Pr(X = 1) = 2 Pr(X = 0) 1. It is clear that independence of variables implies independence of their correlations. The converse statement is not necessarily true. Next we show that in the setting of Theorem 1 also the converse holds. Moreover, we prove equivalence between linear independence of pairwise independent binary random variables and statistical independence of their correlations. We start by proving the following result. Proposition 1. Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Let A be a set of elements in X such that E(cor(X)) = 0 and E(cor(X) 2 ) 0 for all X A. If then the correlations of random variables in A are statistically independent, the variables are linearly independent. Proof. Let A = {X 1,..., X m }. To prove that the variables X 1,..., X m are linearly independent, let us assume the contrary. Since their expected correlation is equal to zero, they are all nonzero. Then, as in the proof of Theorem 1 it can be assumed w.l.o.g that there exist a relation X 1 = X 2 + + X k where X 2,..., X k are linearly independent and k m. Then we can use Theorem 1 to obtain that the variables X 2,..., X k are statistically independent. By the Piling-up lemma [3], we then have cor(x 2 + + X k ) = cor(x 2 ) cor(x k ).

Now we consider the expectation of the product of correlations of X 1,..., X k and get On the other hand, E(cor(X 1 ) cor(x k )) = E(cor(X 1 ) 2 ) 0. E(cor(X 1 )) E(cor(X k )) = 0, from where it follows that the correlations cor(x 1 ),..., cor(x k ), and hence the correlations cor(x 1 ),..., cor(x m ), are not statistically independent. By combining the results of Proposition 1 with Theorem 1 we get the following corollary. Corollary 1. Let X be a linear space of binary random variables over F 2 such that any two different variables in X are statistically independent. Let A be a subset in X such that E(cor(X)) = 0 and E(cor(X) 2 ) 0 for all X A. Then the following three conditions are equivalent. (i) The variables in A are statistically independent. (ii) The correlations of variables in A are statistically independent. (iii) The variables in A are linearly independent. 4 Applications The natural applications of these results are sets in the linear space of random Boolean functions in F n 2. The correlation of a random Boolean functions in F n 2 is normally distributed with mean 0 and variance 2 n, see e.g., [2]. Hence Corollary 1 applies and we obtain the following result. Corollary 2. Let A be a set of pair-wise independent random non-zero Boolean functions in F n 2. Then the following are equivalent. (i) The correlations of the functions in A are statistically independent. (ii) The correlations of the functions in A are jointly normally distributed. (iii) The functions in A are linearly independent. The equivalence of (i) and (ii) follow from the fact that normally distributed pairwise independent random variables are jointly normally distributed if and only if they are independent. A random n-bit to m-bit transformation is comprised of m independent random Boolean functions of n variables as its components. In particular, any two different linear combinations of the components of such a transformation are independent random Boolean functions. Hence a special case of a set A for which Corollary 2 holds is a set of different non-zero linear combinations of the components of a random transformation.

References 1. Lennart Brynielsson. A short proof of the Xiao-Massey lemma. IEEE Trans. Inform. Theory, IT-35(6):1344, 1989. 2. Joan Daemen and Vincent Rijmen. Probability distributions of correlation and differentials in block ciphers. J. Mathematical Cryptology, 1(3):221 242, 2007. 3. Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT 93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, volume 765 of Lecture Notes in Computer Science, pages 386 397. Springer, 1993. 4. G. Z. Xiao and J. L. Massey. A spectral characterization of correlation-immune combining functions. IEEE Trans. Inform. Theory, IT-34(3):569 571, 1988.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback