Understanding Linear Cryptanalysis

Understanding Linear Cryptanalysis Dipanjan Bhowmik Abstract The objective of this paper is to provide a better understanding of the Linear Cryptanalysis Attack developed by M.Matsui [2]. This paper has been written after going through noted literature in this field and has been structured in such a way that a beginner in this field would be able to understand the idea with little prior knowledge. The paper describes a simple cipher and then applies Linear Cryptanalysis to break it. The cipher has been intentionally taken to be very simple so that a beginner can actually implement it and get an actual feel of the attack. The paper also describes all the algorithms involved in this attack again with the intention of letting a beginner actually realize the attack. Keywords: Linear Cryptanalysis, Linear Approximation Table, s-box, Toy cipher, Parity. Introduction: If one feeds a random input with a particular property into a magic box and can guess the corresponding property in the output, the magic box is some what linear. For example imagine that the box takes an input and adds one to it. Now, let’s say that the property which is looked at is whether the input/output is even. By feeding it an input, one knows the property will be opposite in the output every single time. In other words, adding one to an even number will always produce an odd number and vice versa. This magic box will be completely linear with respect to divisibility by 2. In an iterative cipher, substitution box(s) (S-Box(s)) add non linearity to it. Ideally, an s-box should receive an input with property X and output a number that has property Y exactly 50% of the time. The property, which is being looked at in Linear Cryptanalysis is Parity. Definition Parity: It is a Boolean value (a 0 or a 1), that we get if we perform an XOR operation on some or all of the bits of a number expressed in binary form. The bits that are being XORed together is defined by another number called the mask. The mask lets us to ignore some of the bits of the input while calculating the parity. In order to calculate the parity, the mask value it bitwise ANDed with the input value, the bits of the resultant is then taken and XORed together to obtain the parity. Generating Linear Approximation Tables (LATs): The masked input parity concept is used to find linearity in the S-boxes. Every single combination of input mask vs. output mask has to be tested for all possible inputs. Basically we will take an input value, mask it using an input mask and obtain its parity (Input Parity). Next, we will take the original input, run it through the S-box and mask it with 6the output mask. We then compute its parity (Output Parity). If they match, then we know that the combination of input and output mask holds true for that input. After doing this for every possible input against every possible pair of input/output masks, we have made a table called the Linear Approximation Table. Each entry in the table is a number indicating the number of times a specific input/output mask pair holds true when tested against all possible inputs. For example, if a certain S-box takes 4 bit inputs and produce 4 bit output, then the LAT will be of dimension 16 x 16 and each entry will range from 0 to 16, indicating th e number of successful matches between input and output parity. Algorithm 1: Algorithm for generating Linear Approximation Table For i=0 to 2m -1 For j=0 to 2n -1 For k=0 to 2m -1 If Parity (k AND i) =Parity(S-box[k] AND j) then LAT[i][j] à ¯Ã‚ Ã‚ ¦LAT[i][j] +1 Where, LAT is a 2-D array of size m x m. Parity () is a function that computes the parity of the given input. M is the total number of bits fed as input to the S-box. N is the total number of bits produced as output by the S-box. I ranges from 0 to 2m -1 , it represents all possible input masks. J ranges from 0 to 2n-1 representing all possible output masks. K ranges from 0 to 2m -1, it represents all possible inputs to S-box. Let us assume an S-box that takes 4 bit inputs and produces 4 bit output. Both the input and output ranges from 0 to 15. Such a S-box is injective in nature. For such an S-box, the algorithm to generate the Linear Approximation Table is modified as following: Algorithm 2: Algorithm for generating Linear Approximation Table for the S-box given in Fig 1. For i=0 to 15 For j=0 to 15 For k=0 to 15 If Parity (k AND i) =Parity(S-box[k] AND j) then LAT[i][j]à ¯Ã‚ Ã‚ ¦ LAT[i][j] +1 In this case, the LAT generated is of dimension 16 x 16.The following table depicts the Linear Approximation Table generated for the S-box given in fig. 1 using algorithm 2. Similarly, the LAT for any of the DES S-box can also be generated, For DES S-box; the algorithm is modified as the following: Algorithm 3: Algorithm for generating LAT for DES S-Box. For i=0 to 15 For j=0 to 63 For k=0 to 15 If Parity (k AND i) =Parity(S-box[k] AND j) then LAT[i][j] à ¯Ã‚ Ã‚ ¦AT[i][j] +1 In this case, the LAT is of dimension 16 x 64, the reason being DES S-box takes 4 bit input and produces 6 bit output. Piling Up Principle One of the fundamental tools used for linear cryptanalysis is the Piling Up Principle. Let us conceder two random binary variables X1 and X2, and let us assume And Then, the probability of the relationship X1(+)X2 will be That is, X1 (+) X2 will be 0 when X1=X2 i.e. when both X1 and X2 are 0 and both X1 and X2 are 1. And X1 (+) X2 will be 1 when X1≠  X2 i.e. when X1=0 and X2=1 or X1=1 and X2=0. Accordingly probabilities are computed, assuming X1 and X2 are independent. We are particularly interested in deviation of the probability from  ½, so, let us consider p1=1/2+ ÃŽ µ1 and p2=1/2+ÃŽ µ2, where ÃŽ µ1 and ÃŽ µ2 are the deviation of p1 and p2 from respectively from  ½ and are referred to as probability bias. Now, P(X1 (+) X2=0)=(1/2 + ÃŽ µ1).(1/2+ÃŽ µ2) + (1-(1/2+ÃŽ µ1)).(1-(1/2+ÃŽ µ2)) =1/2+2.ÃŽ µ1.ÃŽ µ2 So, probability bias of X1 (+) X2 is given by ÃŽ µ1,2=2.ÃŽ µ1.ÃŽ µ2 Generally, if X1,X2,†¦Xn are n independent random binary variables, then the probability of X1 (+) X2 (+) †¦(+) Xn=0 is given by the Piling Up Lemma. P( X1 (+) X2 (+) †¦Xn =0) =  ½ + 2 n-1 . ∠i=1†¦n ÃŽ µi†¦Ã¢â‚¬ ¦Ã¢â‚¬ ¦.(1) And the probability bias of (+) X2 (+) †¦(+) Xn=0 is given by ÃŽ µ1†¦n=2 n-1 . ∠i=1†¦n ÃŽ µi Note that, P( X1 (+) X2 (+) †¦Xn =0) =  ½, if there exist some ÃŽ µi such that ÃŽ µi=0 or pi=1/2. And P( X1 (+) X2 (+) †¦Xn =0) = 0 or 1, if for all ÃŽ µi, ÃŽ µi=+1/2 or -1/2 respectively or pi=0 or 1 respectively. Attacking a Toy Cipher Let us consider a toy cipher that takes 4 bit input goes through two iterations of key addition and block substitution and yields a 4 bit output. The following figure diagrammatically represents the toy cipher. P1, P2, P3, P4 represents the 4 bit plain text C1, C2, C3, C4 represents 4 bit cipher text. K0, K1, K2 are 4 bit sub keys Total key length is of 12 bits. The cipher uses two identical S-boxes, which is same as the S-box described earlier. The following algorithm implements the toy cipher Algorithm 4: Implementing Toy Cipher Kye[]à ¯Ã‚ Ã‚ ¦{k0,k1,k2} Sbox[]=à ¯Ã‚ Ã‚ ¦{E,4,D,1,2,F,B,8,A,6,C,5,9,0,7} For i=0 to 15// 16 possible inputs { p=i For j= 0 to 1// 2 iterations pà ¯Ã‚ Ã‚ ¦Sbox [ p (+) Key[j]] C[i]à ¯Ã‚ Ã‚ ¦ p (+) Key[2] //final key whitening step } The toy cipher yields the following output when Key[]à ¯Ã‚ Ã‚ ¦{B,7,F} The first step towards attacking the cipher begins by obtaining an equation of the form X1 (+) X2 (+)†¦(+) Xn =0. Such an expression can be obtained using Linear Approximation Table. In our example P(LAT[F][A])=12/16 or equivalently Bias( LAT[F][A})=4/16,k where F is the input mask and A is the output mask. It should be noted that although LAT[0][0]=16 but it cannot be used. Let Uij demote the jth input of ith S-Box and Vij denote the jth output of the ith S-Box. So, P(U11 (+) U12 (+) U13 (+) U14 =V11 (+) V13)= 12/16 Let Kij denote the jth bit of the ith sub key, then U11 = P1 (+) K01, U12 =P2 (+) K02, U13 = P3 (+) K03, and U14 = P4 (+) K04, where Pi denotes the ith plain text bit. Therefore, P( P1 (+) K01 (+) P2 (+) K02 (+) P3 (+) K03 (+) P4 (+) K04 = V11 (+) V13)) = 12/16 orP ( P1 (+) P2 (+) P3 (+) P4 (+) ∑K0 = V11 (+) V13) = 12/ 16 Since, U21 = V11 (+) K11 or, V11 = U21 (+) K11 and U23 = V23 (+) K13 or, V13 = U23 (+) K13 Hence, P (P1 (+) P2 (+) P3 (+) P4 (+)∑K0 = U21 (+) K11 (+)U23 (+) K13) = 12/ 16 or, P (P1 (+) P2 (+) P3 (+) P4 (+)∑K0 (+) K11 (+) K13 = U21 (+)U23) = 12/ 16 Let us assume K=∑K0 (+) K11 (+) K13, which can either be 0 or 1 Therefore, P (P1 (+) P2 (+) P3 (+) P4 (+) K= U21 (+)U23) = 12/ 16 Or,P (P1 (+) P2 (+) P3 (+) P4 = U21 (+)U23) = Now, as we have obtained a linear expression with a relatively high probability bias, we would now partially decrypt the cipher text to obtain U2 (input to the 2nd S-Box). The following algorithm does this. Algorithm 5: Partially decrypting the cipher text C[] à ¯Ã‚ Ã‚ ¦ { 3,B,6,D,1,7,F,2,4,9,E,5,8,A,C,0} Isbox[] à ¯Ã‚ Ã‚ ¦ {E,3,4,6,1,C,A,F,7,D,9,6,B,2,0,5} For k=0 to 15 {pro[k]à ¯Ã‚ Ã‚ ¦ 0 For I = 0 to 15 {pdc [k][i] à ¯Ã‚ Ã‚ ¦ isbox [ C[i] (+) k] If Parity (pdc[k][i] AND A) = Parity ( I AND F) then pro[k] à ¯Ã‚ Ã‚ ¦ pro[k] +1 } } It should be noted that Parity (pdc[k][i] AND A) = Parity ( I AND F) is the algorithmic implementation of P1 (+) P2 (+) P3 (+) P4 (+) = U21 (+) U23. Since, bit wise ANDing retrieves the required bits when ANDed with a mask having 1 in the required position in its binary equivalent. The algorithm yields the following probabilities. From the result we observe that probability when key=F is 12/16 which matches with our expected probability, there by indicating that K2=F. It should be noted that in our example, it so happened that there is only one candidate for K2, but generally there may be more than one candidate and all of then should be given due consideration. For the next round, we use the partially decrypted cipher text with respect to key =F as the cipher text and perform the procedure defined as algorithm 5. That is , now C[]à ¯Ã‚ Ã‚ ¦{B,1,D,4,0,7,E,2,6,A,3,9,F,C,8,5} The output yielded at this point is given below. At this time we are comparing the plain text block P1, P2, P3, P4 to the input of the first S-Box i.e. U1, U2, U3, U4, so the expected probability is computed as P( P1 (+) P2 (+) P3 (+) P4 = P1 (+) P2 (+) P3 (+) P4) =1 Or, P( P1 (+) P2 (+) P3 (+) P4 = P1 (+) P2 (+) P3 (+) P4 (+) ∑K0) = Or, P( P1 (+) P2 (+) P3 (+) P4 = P1 (+) K01 (+) P2 (+) K02 (+) P3 (+) K03 (+) P4 (+) K04) = Or, P( P1 (+) P2 (+) P3 (+) P4 = U11 (+) U12 (+) U13 (+) U14) = The expected probability match4es with the observed probability for sub key K1= 7. Therefore with high degree of certainty, K1=7. So, we retain the partially decrypted cipher text for sub key =7, which is contained in pdc[7][i] for i=0 to 15. The partially cipher text for sub key =7 is given in the following table. Now, in order to obtain the sub key K0, we need simply to choose any pair of plain text and partially decrypted cipher text and perform a bitwise XOR operation. Say, we choose (4,F), then 4 (+) F = B, So, K0=B. Thus, the actual key ={B, 7, F}, which is the key we originally used in our example toy cipher. It should be noted that, at every step of our attack, we obtain unique sub key values that matches our expected probability, which may not be the case all the time. And in such situations where multiple sub keys matches the expected probability we need to consider each of these sub keys. Observations If the Linear Approximation Table (LAT) has an entry such that Bias (LAT[i][j])| =1/2 (50%) and i=j, then the S-box is prone to Linear attack. So, such an S-box is a strict no for any cipher If the Linear Approximation Table has entries such that |Bias(LAT[i][j])| =1/2 and | Bias (LAT[j][k])| =  ½ where i ≠  j ≠ k , then such a cipher is also susceptible to Linear Attack. If |Bias(LAT[i][j])| =  ½ where i≠ j and there is no pair such that |Bias(LAT[i][j])|=1/2 and |Bias(LAT[j][k])|=1/2 where i ≠  j ≠ k , then after a certain number of iterations, Linear Cryptanalysis becomes ineffective. The observation is illustrated using the following graph. Conclusion As the number of iterations of an iterative cipher increases and observations 1 and 2 does not hold, Linear Cryptanalysis becomes increasingly less effective. References: Heys,H.M,2002,†A Tutorial on Linear And Differential Cryptanalysis†, Cryptologia,XXV(3),189-221. Matsui, M.,1994,†Linear Cr4yptanalysis Method For DES Cipher†, Advance in Cryptlogy-EUROCRYPT’93, Springer-Verlag,386-397. Jakobson, B.T.,Abyar, M.,Nordholt, P.S.,2006,†Linear And Differential Cryptanalysis† Paar, C., Pelzl, J.,2010,Understanding Cryptography.Berlin:Springer-Nerlag.

Medea Reflectiv Statement

Ana Maksimovic IB English 11/ 3 Per. Ms Bachmann 03/11/2012 335 Words Reflective Statement Medea has lot information that is often not conspicuous to the reader. In Medea the place and time play a big role. The place matters because of the events that happen. The events are related to Gods and gods were mainly famous in Greece. If you would change the place the meaning of gods would lose its importance.Time is always relevant because the play was written a long time ago and it shows how life was back then. Nowadays the country people live in is owned by the state; however this was not always the case. Back in the time there were individual kings who had the power over their whole land/country. Hard to understand was when the characters in the play referred to goddesses. If someone doesn’t know what the God stands for it was a bit confusing. Also easy for me to understand was the role of women.Not that I understand that they don’t have the same right but if you compare t he equality between women and men now it is easy follow the concept how it was in Greece a long time ago. Definitely the role of women can still be related to nowadays even if the equality between men and women got better; it is still not on the same level even if it should. Also the fact that the children stay with their mom when the dad leaves kind of reminds me of today in the society.A really big connection between today and Medea is that men had the power over a country. They used to own their own country but that hasn’t changed that much because most presidents are still male. The technique of using the voice of the population during speeches or just conflicts is very interesting. This kind of technique shows you what the other people think and it also makes the conflict more clear and understanding. Also the way Euripides uses the dramatic irony gives the whole play the final touch.

The Issue Of Welfare Spending Essay - 915 Words

Introduction The purpose of my research is to discern how welfare spending, healthcare spending, defence spending, and pension spending impacted vote choice in the 2013 Australian election in comparison to the 2012 United States election, 2013 German election, and 2012 France election. I expect that as support for welfare spending, pension spending, and healthcare spending, decreases, support for right wing parties will increase. I expect that there will be a positive effect on voting for right wing parties as support for defence spending increases. I expect that of these issues, welfare spending will have the largest magnitude and that pension spending will have the lowest magnitude. I do not believe there will be an additional effect in Australia and that the impact will be similar to that of other industrial democracies. Theory and Literature The Funnel of Causality model describes voting behaviour in terms of socio-demographics, party identification, issues, and candidates. In this essay I will focus on issues because they can be compared between countries. An issue is essentially a problem that is perceived to be important, and there is an actor with â€Å"ownership† of the issue, meaning that there is someone who is thought to be â€Å"the best man for the job† so to speak. The economy isn’t an issue because you can’t have â€Å"ownership† over the economy. Issues are important because they explain a lot about voting behaviour. In this paper I have chosen to focus on the issuesShow MoreRelatedWelfare Policy During The Great Depression1439 Words   |  6 PagesWelfare Policy has helped an abundance of people in America. Sometimes, unforeseen events occur and assistance is needed. Because of these troubling circumstances, the need for institution and development of welfare programs came about. The American Welfare Policy has good intent; it has helped millions of people through its time. Although, there are many that believe our Welfare Policy is in great need of reform and the abuse of the system must come to an end. Welfare policy made its formal debutRead MoreEssay on Obama and the National Debt1185 Words   |  5 PagesEveryone agrees that the national debt needs to be fixed. However, people are disagreeing about how to tackle this problem and whether or not we are making any progress. Like most global issues, it is a complicated issue with equally difficult solutions. It is hard to keep people’s interest in a confusing issue, but since we children are the ones that will be stuck with this problem soon, we’d better start taking an interest. To make this easier to understand, I’m going to breakdown theRead MoreRepublicans vs Democrats Essay1539 Words   |  7 PagesThe American political system is made up of primarily two parties, Democrats and Republicans. These parties go against each-other for many political positions, such as presidency. Each supports and opposes different issues. The Democratic Party supports a bigger government and believes the government should guide the people. They are known as Liberals because typically they like change. The Republican Party supports a smaller government and believes the people should guide the government. TheyRead MoreI Am Writing About The Social Welfare System Essay1432 Words   |  6 PagesI am writing about the Social Welfare System. How a system that was created for the purpose of helping the needy, has now become a highway for people to abuse of it. This public policy program has come to be a very controversial subject on both sides of the political arena. Originally created during the Great Depression, where the majority of households, through no fault of their own were living in poverty. Although many changes to the system have been made, the original focus is the same. ToRead MoreWelfare Of The United States Essay869 Words   |  4 PagesWelfare in the United States began in the 1800’s when the colonies imported British Poor Laws. Before the Great Depression began in America, the government was already supporting certain programs such as the Civil War Pension Program was that passed in 1862 that gave aid to Civil War Veterans and their families. Once the Great Depression hit, unemployment rose and President Franklin D. Roosevelt, enacted the Social Security Act in 1935. The act formed a number of programs that provided aid to a widerRead MoreEconomic Development And Development Of Welfare1640 Words   |  7 Pagesdiscussing the origins of welfare states it is easy to make an assumption that the development of wel fare states was in direct response to social needs brought by industrialization and economic development. In fact the early scholarship in social policy did not question the causational effect between economic development and development of welfare states. Understanding that economic development alone cannot sufficiently explain why some countries developed into full welfare states while others didRead MoreWelfare And Health Care Reform1527 Words   |  7 PagesWe the People: An Introduction to American Politics covers the topic of social policy. The two main issues of social policy in today’s society are welfare and health care reform. They are considered the main issues because they require the most government spending, and are the two most controversial and debated parts of social policy in America. America has always had some sort of welfare state. Before the Great Depression, a time of great economic hardship in this country, local governmentsRead MoreSocial Welfare And The Welfare System924 Words   |  4 Pagespublic policy issues, whether those issues include social welfare, immigration or even environmental issues. Congress receives numerous issues on public polices every day, but they cannot handle and solve every issues that comes across their daily agenda, nor can they satisfy every person in this country. Congress prioritizes on those issues that are more important and relevant to find a probable solution too. A growing issue we see that in today’s society are issues in the social welfare system. SocialRead MoreDescription of Political Party Preference in our Society Essay1067 Words   |  5 Pagespreferences on many different issue. There are many differences between the two major political parties Democratic and Republican. Each one of those parties has th eir own beliefs and they can be similar, but some may be different in many different issues. With time, personal experience, and with reading on many different issues, I have realized that I am more of a liberal democrat and not a conservative republican. I looked at each parties beliefs on the issues of welfare, abortion, gun control, educationRead MoreEssay about Hcr 230 Week 3 Assignment the Welfare Reform Act1018 Words   |  5 PagesThe Welfare Reform Act HCR/230—Claims Prep II Jeana Timmcke University of Phoenix—Axia College The Welfare Reform Act Welfare has been a controversial issue since the 1960s, and continues to be a controversial issue. During the late 1980s, citizens were calling for reform of the Welfare System. Due to citizen concern the Personal Responsibility, Welfare and Opportunity Reconciliation Act (PRWORA) came into effect

A Report On Ninos Barrio Inc.five Year Plans - 851 Words

Nià ±os Barrio Inc.five year plans include developing the strategies and actions to accomplish measurable achievements in kindergarten readiness. The strategies that are presented are grounded in evidence-based practices, and are exclusively intended to be used as a guide for policymakers, legislators, caregivers, early care and education providers, healthcare providers, and other concerned community members to expand on our ideas and concepts to make access to this beneficent nuance program available in every Hispanic and low-income community around the United States. Nià ±os Barrio Inc. plans on receiving funding through numerous routes such as local, federal, and private grants. As a high-quality preschool program in an at-risk community location, we would automatically receive federal and local grants, due to the amount of money that has been put into early childhood education recently. Obama has placed $1 billion dollars alone not including the Health and Human Services Department has awarded another $500 million to expand head start in 40 states, and another $330 million has been donated from major corporations, foundations, and individuals to help with the early childhood education goal.† (Obama announces $1 billion investment, 2015, p. 1). There is also an abundance of private grants that can be applied for, our organization is non-profit giving us a multitude of tax breaks and benefits as well. Participation in different high-quality programs such as the