Gdtyjr

What favor did Moody owe Dumbledore?

Is it insecure to send a password in a `curl` command?

Synchronized implementation of a bank account in Java

Practical application of matrices and determinants

World War I as a war of liberals against authoritarians?

Usage and meaning of "up" in "...worth at least a thousand pounds up in London"

Turning a hard to access nut?

Print a physical multiplication table

How are passwords stolen from companies if they only store hashes?

Variable completely messes up echoed string

A Ri-diddley-iley Riddle

Am I eligible for the Eurail Youth pass? I am 27.5 years old

Maths symbols and unicode-math input inside siunitx commands

Generic TVP tradeoffs?

What are substitutions for coconut in curry?

How does one measure the Fourier components of a signal?

How is the partial sum of a geometric sequence calculated?

What exactly term 'companion plants' means?

Do native speakers use "ultima" and "proxima" frequently in spoken English?

Could Sinn Fein swing any Brexit vote in Parliament?

Is honey really a supersaturated solution? Does heating to un-crystalize redissolve it or melt it?

Matrix using tikz package

How to generate binary array whose elements with values 1 are randomly drawn

I got the following comment from a reputed math journal. What does it mean?

Differential and Linear trail propagation in Noekeon

differential and linear cryptanalysisDifference between linear cryptanalysis and differential cryptanalysisWhat is the complexity for attacking 3DES in linear or differential cryptanalysis?Differential CryptanalysisDifferential & linear characteristics for integer multiplicationWhat is the meaning of Maximum Expected Differential/Linear Probability (MEDP/MELP)?Understanding the wide trail design strategyit is possible to use quantum algorithm search (Grover's algorithm) for new searching strategies for differential and linear attacksLinear cryptanalysis and number of linear approximationsHow does linear vs. non-linear operations relate to cryptographic security and differential cryptanalysis?

4

2

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 6 hours ago

Yuon

asked 6 hours ago

YuonYuon

737

$endgroup$

add a comment | 

4

2

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 6 hours ago

Yuon

asked 6 hours ago

YuonYuon

737

$endgroup$

add a comment | 

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 6 hours ago

Yuon

asked 6 hours ago

YuonYuon

737

$endgroup$

share|improve this question

edited 6 hours ago

Yuon

asked 6 hours ago

YuonYuon

737

share|improve this question

edited 6 hours ago

Yuon

asked 6 hours ago

YuonYuon

737

asked 6 hours ago

YuonYuon

737

asked 6 hours ago

YuonYuon

737

1 Answer
1

active

oldest

votes

2

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 3 hours ago

AlephAleph

1,2961220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  1 hour ago
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68085%2fdifferential-and-linear-trail-propagation-in-noekeon%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 3 hours ago

AlephAleph

1,2961220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  1 hour ago
  
  

  
  
  
  

add a comment | 

2

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 3 hours ago

AlephAleph

1,2961220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  1 hour ago
  
  

  
  
  
  

add a comment | 

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 3 hours ago

AlephAleph

1,2961220

$endgroup$

share|improve this answer

answered 3 hours ago

AlephAleph

1,2961220

answered 3 hours ago

AlephAleph

1,2961220

answered 3 hours ago

AlephAleph

1,2961220