Branch number

Last updated July 11, 2023

In cryptography, the branch number is a numerical value that characterizes the amount of diffusion introduced by a vectorial Boolean function $F$ that maps an input vector $a$ to output vector $F(a)$ . For the (usual^[1]) case of a linear $F$ the value of the differential branch number is produced by:

applying nonzero values of $a$ (i.e., values that have at least one non-zero component of the vector) to the input of $F$ ;
calculating for each input value $a$ the Hamming weight $W$ (number of nonzero components), and adding weights $W(a)$ and $W(F(a))$ together;
selecting the smallest combined weight across for all nonzero input values: $B_{d}(F)={\underset {a\neq 0}{\min }}(W(a)+W(F(a)))$ .

If both $a$ and $F(a)$ have $s$ components, the result is obviously limited on the high side by the value $s+1$ (this "perfect" result is achieved when any single nonzero component in $a$ makes all components of $F(a)$ to be non-zero). A high branch number suggests higher resistance to the differential cryptanalysis: the small variations of input will produce large changes on the output and in order to obtain small variations of the output, large changes of the input value will be required.^[2]

The term was introduced by Daemen and Rijmen in early 2000s and quickly became a typical tool to assess the diffusion properties of the transformations.^[1]

Mathematics

The branch number concept is not limited to the linear transformations, Daemen and Rijmen provided two general metrics:^[3]

differential branch number, where the minimum is obtained over inputs of $F$ that are constructed by independently sweeping all the values of two nonzero and unequal vectors $a$ , $b$ ( $\oplus$ is a component-by-component exclusive-or): $B_{d}(F)={\underset {a\neq b}{\min }}(W(a\oplus b)+W(F(a)\oplus F(b))$ ;
for linear branch number, the independent candidates $\alpha$ and $\beta$ are independently swept; they should be nonzero and correlated with respect to $F$ (the $LAT(\alpha ,\beta )$ coefficient of the linear approximation table of $F$ should be nonzero): $B_{l}(F)={\underset {\alpha \neq 0,\beta ,LAT(\alpha ,\beta )\neq 0}{\min }}(W(\alpha )+W(\beta ))$ .^[4]

Related Research Articles

In mathematics, the term linear is used in two distinct senses for two different properties:

In multilinear algebra, a tensor contraction is an operation on a tensor that arises from the natural pairing of a finite-dimensional vector space and its dual. In components, it is expressed as a sum of products of scalar components of the tensor(s) caused by applying the summation convention to a pair of dummy indices that are bound to each other in an expression. The contraction of a single mixed tensor occurs when a pair of literal indices of the tensor are set equal to each other and summed over. In Einstein notation this summation is built into the notation. The result is another tensor with order reduced by 2.

In mathematics, differential forms provide a unified approach to define integrands over curves, surfaces, solids, and higher-dimensional manifolds. The modern notion of differential forms was pioneered by Élie Cartan. It has many applications, especially in geometry, topology and physics.

In mathematics, the exterior algebra, or Grassmann algebra, named after Hermann Grassmann, is an algebra that uses the exterior product or wedge product as its multiplication. In mathematics, the exterior product or wedge product of vectors is an algebraic construction used in geometry to study areas, volumes, and their higher-dimensional analogues. The exterior product of two vectors $and, denoted by is called a bivector and lives in a space called the exterior square, a vector space that is distinct from the original space of vectors. The magnitude of can be interpreted as the area of the parallelogram with sides and which in three dimensions can also be computed using the cross product of the two vectors. More generally, all parallel plane surfaces with the same orientation and area have the same bivector as a measure of their oriented area. Like the cross product, the exterior product is anticommutative, meaning that for all vectors and but, unlike the cross product, the exterior product is associative.$

In cryptography, confusion and diffusion are two properties of the operation of a secure cipher identified by Claude Shannon in his 1945 classified report A Mathematical Theory of Cryptography. These properties, when present, work together to thwart the application of statistics and other methods of cryptanalysis.

In mathematics, specifically the algebraic theory of fields, a normal basis is a special kind of basis for Galois extensions of finite degree, characterised as forming a single orbit for the Galois group. The normal basis theorem states that any finite Galois extension of fields has a normal basis. In algebraic number theory, the study of the more refined question of the existence of a normal integral basis is part of Galois module theory.

In statistics, a confidence region is a multi-dimensional generalization of a confidence interval. It is a set of points in an n-dimensional space, often represented as an ellipsoid around a point which is an estimated solution to a problem, although other shapes can occur.

In theoretical physics, a super-Poincaré algebra is an extension of the Poincaré algebra to incorporate supersymmetry, a relation between bosons and fermions. They are examples of supersymmetry algebras, and are Lie superalgebras. Thus a super-Poincaré algebra is a Z₂-graded vector space with a graded Lie bracket such that the even part is a Lie algebra containing the Poincaré algebra, and the odd part is built from spinors on which there is an anticommutation relation with values in the even part.

<span class="mw-page-title-main">Semisimple Lie algebra</span> Direct sum of simple Lie algebras

In mathematics, a Lie algebra is semisimple if it is a direct sum of simple Lie algebras..

In mathematics, a matrix norm is a vector norm in a vector space whose elements (vectors) are matrices.

In mathematics, Riemann's differential equation, named after Bernhard Riemann, is a generalization of the hypergeometric differential equation, allowing the regular singular points to occur anywhere on the Riemann sphere, rather than merely at 0, 1, and $. The equation is also known as the Papperitz equation .$

In cryptography, higher-order differential cryptanalysis is a generalization of differential cryptanalysis, an attack used against block ciphers. While in standard differential cryptanalysis the difference between only two texts is used, higher-order differential cryptanalysis studies the propagation of a set of differences between a larger set of texts. Xuejia Lai, in 1994, laid the groundwork by showing that differentials are a special case of the more general case of higher order derivates. Lars Knudsen, in the same year, was able to show how the concept of higher order derivatives can be used to mount attacks on block ciphers. These attacks can be superior to standard differential cryptanalysis. Higher-order differential cryptanalysis has notably been used to break the KN-Cipher, a cipher which had previously been proved to be immune against standard differential cryptanalysis.

In mathematics, a real or complex-valued function f on d-dimensional Euclidean space satisfies a Hölder condition, or is Hölder continuous, when there are real constants C ≥ 0, α > 0, such that

In quantum field theory, gaugino condensation is the nonzero vacuum expectation value in some models of a bilinear expression constructed in theories with supersymmetry from the superpartner of a gauge boson called the gaugino. The gaugino and the bosonic gauge field and the D-term are all components of a supersymmetric vector superfield in the Wess–Zumino gauge.

A kernel smoother is a statistical technique to estimate a real valued function $as the weighted average of neighboring observed data. The weight is defined by the kernel, such that closer points are given higher weights. The estimated function is smooth, and the level of smoothness is set by a single parameter. Kernel smoothing is a type of weighted moving average.$

In statistics, projection pursuit regression (PPR) is a statistical model developed by Jerome H. Friedman and Werner Stuetzle which is an extension of additive models. This model adapts the additive models in that it first projects the data matrix of explanatory variables in the optimal direction before applying smoothing functions to these explanatory variables.

In mathematics, Ricci calculus constitutes the rules of index notation and manipulation for tensors and tensor fields on a differentiable manifold, with or without a metric tensor or connection. It is also the modern name for what used to be called the absolute differential calculus, developed by Gregorio Ricci-Curbastro in 1887–1896, and subsequently popularized in a paper written with his pupil Tullio Levi-Civita in 1900. Jan Arnoldus Schouten developed the modern notation and formalism for this mathematical framework, and made contributions to the theory, during its applications to general relativity and differential geometry in the early twentieth century.

In theoretical particle physics, the gluon field strength tensor is a second order tensor field characterizing the gluon interaction between quarks.

In geometric algebra, the outermorphism of a linear function between vector spaces is a natural extension of the map to arbitrary multivectors. It is the unique unital algebra homomorphism of exterior algebras whose restriction to the vector spaces is the original function.

In machine learning, Manifold regularization is a technique for using the shape of a dataset to constrain the functions that should be learned on that dataset. In many machine learning problems, the data to be learned do not cover the entire input space. For example, a facial recognition system may not need to classify any possible image, but only the subset of images that contain faces. The technique of manifold learning assumes that the relevant subset of data comes from a manifold, a mathematical structure with useful properties. The technique also assumes that the function to be learned is smooth: data with different labels are not likely to be close together, and so the labeling function should not change quickly in areas where there are likely to be many data points. Because of this assumption, a manifold regularization algorithm can use unlabeled data to inform where the learned function is allowed to change quickly and where it is not, using an extension of the technique of Tikhonov regularization. Manifold regularization algorithms can extend supervised learning algorithms in semi-supervised learning and transductive learning settings, where unlabeled data are available. The technique has been used for applications including medical imaging, geographical imaging, and object recognition.

References

1 2 Zhang et al. 2009, p. 327.
↑ Liu & Sim 2016, p. 105.
↑ Daemen & Rijmen 2013, pp. 131–132.
↑ SAGE. "S-Boxes and Their Algebraic Representations". sagemath.org. SageMath . Retrieved 25 April 2023.

Sources

Liu, Meicheng; Sim, Siang Meng (25 July 2016). "Branch Number of the Diffusion Layer". In Thomas Peyrin (ed.). Fast Software Encryption: 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers. Springer. pp. 101–121. ISBN 978-3-662-52993-5. OCLC 1008648217.
Zhang, Wentao; Wu, Wenling; Feng, Dengguo; Su, Bozhan (2009). "Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard". Information Security Practice and Experience. Lecture Notes in Computer Science. Vol. 5451. Springer Berlin Heidelberg. pp. 324–335. doi:10.1007/978-3-642-00843-6_28. eISSN 1611-3349. ISBN 978-3-642-00842-9. ISSN 0302-9743.
Daemen, Joan; Rijmen, Vincent (9 March 2013). The Design of Rijndael: AES - The Advanced Encryption Standard (PDF). Springer Science & Business Media. ISBN 978-3-662-04722-4. OCLC 1259405449.

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEZhangWuFengSu2009327-1] 1 2 Zhang et al. 2009, p. 327.

[FOOTNOTELiuSim2016105-2] Liu & Sim 2016, p. 105.

[FOOTNOTEDaemenRijmen2013131–132-3] Daemen & Rijmen 2013, pp. 131–132.

[4] SAGE. "S-Boxes and Their Algebraic Representations". sagemath.org. SageMath . Retrieved 25 April 2023.

[1]

[2]

[3]

[4]

Branch number

Contents

Mathematics

Related Research Articles

References

Sources