-
Recovering or Testing Extended-Affine Equivalence
Authors:
Anne Canteaut,
Alain Couvreur,
Léo Perrin
Abstract:
Extended Affine (EA) equivalence is the equivalence relation between two vectorial Boolean functions $F$ and $G$ such that there exist two affine permutations $A$, $B$, and an affine function $C$ satisfying $G = A \circ F \circ B + C$. While the problem has a simple formulation, it is very difficult in practice to test whether two functions are EA-equivalent. This problem has two variants: {\em EA-partitioning} deals with partitioning a set of functions into disjoint EA-equivalence classes, and \emph{EA-recovery} is about recovering the tuple $(A,B,C)$ if it exists.
In this paper, we present a new algorithm that efficiently solves the EA-recovery problem for quadratic functions. Although its worst-case complexity occurs when dealing with APN functions, it supersedes, in terms of performance, all previously known algorithms for solving this problem for all quadratic functions and in any dimension, even in the case of APN functions. This approach is based on the Jacobian matrix of the functions, a tool whose study in this context can be of independent interest.
The best approach for EA-partitioning in practice mainly relies on class invariants. We provide an overview of the known invariants along with a new one based on the \emph{ortho-derivative}. This new invariant is applicable to quadratic APN functions, a specific type of functions that is of great interest, and of which tens of thousands need to be sorted into distinct EA-classes. Our ortho-derivative-based invariant is very fast to compute, and it practically always distinguishes between EA-inequivalent quadratic APN functions.
Submitted 16 May, 2022; v1 submitted 26 February, 2021;
originally announced March 2021.
-
On the Differential-Linear Connectivity Table of Vectorial Boolean Functions
Authors:
Anne Canteaut,
Lukas Kölsch,
Chao Li,
Chunlei Li,
Kangquan Li,
Longjiang Qu,
Friedrich Wiemer
Abstract:
Vectorial Boolean functions are crucial building-blocks in symmetric ciphers. Different known attacks on block ciphers have resulted in diverse cryptographic criteria for vectorial Boolean functions, such as differential uniformity and nonlinearity. Very recently, Bar-On et al. introduced at Eurocrypt'19 a new tool, called the differential-linear connectivity table (DLCT), which allows for taking into account the dependency between the two subciphers $E_0$ and $E_1$ involved in differential-linear attacks. This new notion leads to significant improvements of differential-linear attacks on several ciphers. This paper presents a theoretical characterization of the DLCT of vectorial Boolean functions and also investigates this new criterion for some families of functions with specific forms.
More precisely, we firstly reveal the connection between the DLCT and the autocorrelation of vectorial Boolean functions, we characterize properties of the DLCT by means of the Walsh transform of the function and of its differential distribution table, and we present generic bounds on the highest magnitude occurring in the DLCT of vectorial Boolean functions, which coincides (up to a factor $2$) with the well-established notion of absolute indicator. Next, we investigate the invariance property of the DLCT of vectorial Boolean functions under the affine, extended-affine, and Carlet-Charpin-Zinoviev (CCZ) equivalence and exhaust the DLCT spectra of optimal $4$-bit S-boxes under affine equivalence. Furthermore, we study the DLCT of APN, plateaued and AB functions and establish its connection with other cryptographic criteria. Finally, we investigate the DLCT and the absolute indicator of some specific polynomials with optimal or low differential uniformity, including monomials, cubic functions, quadratic functions and inverses of quadratic permutations.
Submitted 16 August, 2019;
originally announced August 2019.
-
Differential properties of functions x -> x^{2^t-1} -- extended version
Authors:
Céline Blondeau,
Anne Canteaut,
Pascale Charpin
Abstract:
We provide an extensive study of the differential properties of the functions $x\mapsto x^{2^t-1}$ over $\F$, for $2 \leq t \leq n-1$. We notably show that the differential spectra of these functions are determined by the number of roots of the linear polynomials $x^{2^t}+bx^2+(b+1)x$ where $b$ varies in $\F$. We prove a strong relationship between the differential spectra of $x\mapsto x^{2^t-1}$ and $x\mapsto x^{2^{s}-1}$ for $s= n-t+1$. As a direct consequence, this result highlights a connection between the differential properties of the cube function and of the inverse function. We also determine the complete differential spectra of $x \mapsto x^7$ by means of the value of some Kloosterman sums, and of $x \mapsto x^{2^t-1}$ for $t \in \{\lfloor n/2\rfloor, \lceil n/2\rceil+1, n-2\}$.
Submitted 25 August, 2011; v1 submitted 24 August, 2011;
originally announced August 2011.
-
Computing the biases of parity-check relations
Authors:
Anne Canteaut,
Maria Naya-Plasencia
Abstract:
A divide-and-conquer cryptanalysis can often be mounted against some keystream generators composed of several (nonlinear) independent devices combined by a Boolean function. In particular, any parity-check relation derived from the periods of some constituent sequences usually leads to a distinguishing attack whose complexity is determined by the bias of the relation. However, estimating this bias is a difficult problem since the piling-up lemma cannot be used. Here, we give two exact expressions for this bias. Most notably, these expressions lead to a new algorithm for computing the bias of a parity-check relation, and they also provide some simple formulae for this bias in some particular cases which are commonly used in cryptography.
Submitted 28 April, 2009;
originally announced April 2009.
-
SOSEMANUK: a fast software-oriented stream cipher
Authors:
Come Berbain,
Olivier Billet,
Anne Canteaut,
Nicolas Courtois,
Henri Gilbert,
Louis Goubin,
Aline Gouget,
Louis Granboulan,
Cedric Lauradoux,
Marine Minier,
Thomas Pornin,
Herve Sibert
Abstract:
Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It accommodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles from the stream cipher SNOW 2.0 and some transformations derived from the block cipher SERPENT. Sosemanuk aims at improving SNOW 2.0 both from the security and from the efficiency points of view. Most notably, it uses a faster IV-setup procedure. It also requires a reduced amount of static data, yielding better performance on several architectures.
Submitted 10 October, 2008;
originally announced October 2008.