-
Trims and Extensions of Quadratic APN Functions
Authors:
Christof Beierle,
Gregor Leander,
Léo Perrin
Abstract:
In this work, we study functions that can be obtained by restricting a vectorial Boolean function $F \colon \mathbb{F}_2^n \rightarrow \mathbb{F}_2^n$ to an affine hyperplane of dimension $n-1$ and then projecting the output to an $n-1$-dimensional space. We show that a multiset of $2 \cdot (2^n-1)^2$ EA-equivalence classes of such restrictions defines an EA-invariant for vectorial Boolean functions on $\mathbb{F}_2^n$. Further, for all of the known quadratic APN functions in dimension $n < 10$, we determine the restrictions that are also APN. Moreover, we construct 6,368 new quadratic APN functions in dimension eight up to EA-equivalence by extending a quadratic APN function in dimension seven. A special focus of this work is on quadratic APN functions with maximum linearity. In particular, we characterize a quadratic APN function $F \colon \mathbb{F}_2^n \rightarrow \mathbb{F}_2^n$ with linearity of $2^{n-1}$ by a property of the ortho-derivative of its restriction to a linear hyperplane. Using the fact that all quadratic APN functions in dimension seven are classified, we are able to obtain a classification of all quadratic 8-bit APN functions with linearity $2^7$ up to EA-equivalence.
Submitted 23 March, 2022; v1 submitted 30 August, 2021;
originally announced August 2021.
-
ClepsydraCache -- Preventing Cache Attacks with Time-Based Evictions
Authors:
Jan Philipp Thoma,
Christian Niesler,
Dominic Funke,
Gregor Leander,
Pierre Mayr,
Nils Pohl,
Lucas Davi,
Tim Güneysu
Abstract:
In the recent past, we have witnessed the shift towards attacks on the microarchitectural CPU level. In particular, cache side-channels play a predominant role as they allow an attacker to exfiltrate secret information by exploiting the CPU microarchitecture. These subtle attacks exploit the architectural visibility of conflicting cache addresses. In this paper, we present ClepsydraCache, which mitigates state-of-the-art cache attacks using a novel combination of cache decay and index randomization. Each cache entry is linked with a Time-To-Live (TTL) value. We propose a new dynamic scheduling mechanism of the TTL which plays a fundamental role in preventing those attacks while maintaining performance. ClepsydraCache efficiently protects against the latest cache attacks such as Prime+(Prune+)Probe. We present a full prototype in gem5 and lay out a proof-of-concept hardware design of the TTL mechanism, which demonstrates the feasibility of deploying ClepsydraCache in real-world systems.
Submitted 18 August, 2022; v1 submitted 23 April, 2021;
originally announced April 2021.
-
A Further Study of Quadratic APN Permutations in Dimension Nine
Authors:
Christof Beierle,
Claude Carlet,
Gregor Leander,
Léo Perrin
Abstract:
Recently, Beierle and Leander found two new sporadic quadratic APN permutations in dimension 9. Up to EA-equivalence, we present a single trivariate representation of those two permutations as $C_u \colon (\mathbb{F}_{2^m})^3 \rightarrow (\mathbb{F}_{2^m})^3, (x,y,z) \mapsto (x^3+uy^2z, y^3+uxz^2,z^3+ux^2y)$, where $m=3$ and $u \in \mathbb{F}_{2^3}\setminus\{0,1\}$ such that the two permutations correspond to different choices of $u$. We then analyze the differential uniformity and the nonlinearity of $C_u$ in a more general case. In particular, for $m \geq 3$ being a multiple of 3 and $u \in \mathbb{F}_{2^m}$ not being a 7-th power, we show that the differential uniformity of $C_u$ is bounded above by 8, and that the linearity of $C_u$ is bounded above by $8^{1+\lfloor \frac{m}{2} \rfloor}$. Based on numerical experiments, we conjecture that $C_u$ is not APN if $m$ is greater than $3$. We also analyze the CCZ-equivalence classes of the quadratic APN permutations in dimension 9 known so far and derive a lower bound on the number of their EA-equivalence classes. We further show that the two sporadic APN permutations share an interesting similarity with Gold APN permutations in odd dimension divisible by 3, namely that a permutation EA-inequivalent to those sporadic APN permutations and their inverses can be obtained by just applying EA transformations and inversion to the original permutations.
Submitted 25 April, 2022; v1 submitted 16 April, 2021;
originally announced April 2021.
-
New Instances of Quadratic APN Functions
Authors:
Christof Beierle,
Gregor Leander
Abstract:
In a recent work, Beierle, Brinkmann and Leander presented a recursive tree search for finding APN permutations with linear self-equivalences in small dimensions. In this paper, we describe how this search can be adapted to find many new instances of quadratic APN functions. In particular, we found 12,921 new quadratic APN functions in dimension eight, 35 new quadratic APN functions in dimension nine and five new quadratic APN functions in dimension ten up to CCZ-equivalence. Remarkably, two of the 35 new APN functions in dimension nine are APN permutations.
Among the 8-bit APN functions, there are three extended Walsh spectra that do not correspond to any of the previously-known quadratic 8-bit APN functions and, surprisingly, there exist at least four CCZ-inequivalent 8-bit APN functions with linearity $2^7$, i.e., the highest possible non-trivial linearity for quadratic functions in dimension eight.
Submitted 14 October, 2021; v1 submitted 15 September, 2020;
originally announced September 2020.
-
Linearly Self-Equivalent APN Permutations in Small Dimension
Authors:
Christof Beierle,
Marcus Brinkmann,
Gregor Leander
Abstract:
All almost perfect nonlinear (APN) permutations that we know to date admit a special kind of linear self-equivalence, i.e., there exists a permutation $G$ in their CCZ-equivalence class and two linear permutations $A$ and $B$, such that $G \circ A = B \circ G$. After providing a survey on the known APN functions with a focus on the existence of self-equivalences, we search for APN permutations in dimension 6, 7, and 8 that admit such a linear self-equivalence. In dimension six, we were able to conduct an exhaustive search and obtain that there is only one such APN permutation up to CCZ-equivalence. In dimensions 7 and 8, we performed an exhaustive search for all but a few classes of linear self-equivalences and we did not find any new APN permutation. As one interesting result in dimension 7, we obtain that all APN permutation polynomials with coefficients in $\mathbb{F}_2$ must be (up to CCZ-equivalence) monomial functions.
Submitted 6 April, 2021; v1 submitted 26 March, 2020;
originally announced March 2020.
-
Bounds on the Degree of APN Polynomials: The Case of $x^{-1}+g(x)$
Authors:
Gregor Leander,
François Rodier
Abstract:
We prove that functions $f \colon \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ of the form $f(x)=x^{-1}+g(x)$, where $g$ is any non-affine polynomial, are APN on at most a finite number of fields $\mathbb{F}_{2^m}$. Furthermore, we prove that when the degree of $g$ is less than 7, such functions are APN only if $m \le 3$, where these functions are equivalent to $x^3$.
Submitted 27 January, 2009;
originally announced January 2009.
-
A Highly Nonlinear Differentially 4 Uniform Power Mapping That Permutes Fields of Even Degree
Authors:
Carl Bracken,
Gregor Leander
Abstract:
Functions with low differential uniformity can be used as the s-boxes of symmetric cryptosystems as they have good resistance to differential attacks. The AES (Advanced Encryption Standard) uses a differentially-4 uniform function called the inverse function. Any function used in a symmetric cryptosystem should be a permutation. Also, it is required that the function is highly nonlinear so that it is resistant to Matsui's linear attack. In this article we demonstrate that a highly nonlinear permutation discovered by Hans Dobbertin has differential uniformity of four and hence, with respect to differential and linear cryptanalysis, is just as suitable for use in a symmetric cryptosystem as the inverse function.
Submitted 13 January, 2009;
originally announced January 2009.