Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations
Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations. Christof Beierle, SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann Rotella). October 10, 2018.

Slide footer, repeated on every slide: Christof Beierle On Choosing Round Constants October, 10, / 34
Block Cipher vs. Cryptographic Permutation

A block cipher is a map $E: \mathbb{F}_2^n \times \mathbb{F}_2^\kappa \to \mathbb{F}_2^n$, $(x, k) \mapsto E_k(x) = y$.

A cryptographic permutation is a map $F: \mathbb{F}_2^n \to \mathbb{F}_2^n$, $x \mapsto F(x) = y$. In the figure, $F = E_0$: the block cipher with its key fixed to $0$.

Special case: a cryptographic permutation can be seen as a block cipher with a fixed key!
Why Round Constants are Needed

- Avoiding the use of always the same round function (slide attacks).
- Avoiding symmetries.

Example: NORX [Aumasson, Jovanovic, Neves 2014]. If the input to the NORX permutation lies in the set
$$S = \left\{ \begin{pmatrix} a & a & a & a \\ b & b & b & b \\ c & c & c & c \\ d & d & d & d \end{pmatrix} : a, b, c, d \in \mathbb{F}_2^w \right\},$$
then the output also lies in $S$.
Basic Definitions

Definition (Invariant Set). Let $F: \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a permutation. We say that $S \subseteq \mathbb{F}_2^n$ is an invariant set under $F$ if $F(S) = S$ or $F(S) = \mathbb{F}_2^n \setminus S$.

(Figure: the two cases, $F$ mapping $S$ onto itself and $F$ mapping $S$ onto its complement $\mathbb{F}_2^n \setminus S$.)

Equivalently: let $g$ be the Boolean function defined by $g(x) := 1$ iff $x \in S$. Then
$$\forall x \in \mathbb{F}_2^n: g(F(x)) = g(x) \quad \text{or} \quad \forall x \in \mathbb{F}_2^n: g(F(x)) = g(x) + 1.$$

Definition (Invariant Function). Any Boolean function $g: \mathbb{F}_2^n \to \mathbb{F}_2$ for which $g \circ F + g$ is constant is called an invariant for $F$.
Invariant Attacks

Examples of invariants $g$ for $F$ (i.e., $g \circ F + g$ is constant):

- $g = 0$, equivalent to having $S = \{\}$, and $g = 1$, equivalent to having $S = \mathbb{F}_2^n$: the trivial invariants.
- $g(x) = 1$ iff $x \in U$ for an affine subspace $U \subseteq \mathbb{F}_2^n$: Invariant Subspace Attack [Leander et al. 2011].
- Consider a block cipher $E: \mathbb{F}_2^n \times \mathbb{F}_2^\kappa \to \mathbb{F}_2^n$, $(x, k) \mapsto E_k(x)$. If for some keys $k$ one can find (non-trivial) invariants for $E_k$, the cipher is vulnerable to the Nonlinear Invariant Attack [Todo, Leander, Sasaki 2016]. Keys which allow for the attack are called weak keys of $E$.
This Leads to a Distinguisher

The knowledge of a (non-trivial) invariant $g$ for $E_k$ allows one to distinguish the instance from a random permutation $P_{\mathrm{rand}}$:

- given oracle access to $\mathcal{O} \in \{E_k, P_{\mathrm{rand}}\}$,
- choose $m_1, \dots, m_d \in \mathbb{F}_2^n$,
- check whether $g(\mathcal{O}(m_i)) + g(m_i)$ is constant over all $i \in \{1, \dots, d\}$.
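The definitions above, as an added example that is not part of the slides: a toy permutation of $\mathbb{F}_2^4$ with a constructed quadratic invariant, the set view $S = \{x : g(x) = 1\}$, the $d$-query distinguisher, and a brute-force enumeration of all invariants of a 4-bit permutation (feasible because there are only $2^{16}$ Boolean functions on 4 bits). The permutation `toy_perm`, the function `g_quadratic` and the stand-in `cyclic_perm` for $P_{\mathrm{rand}}$ are all constructed for this example.

```python
# Added example (not from the slides): invariant check and the d-query
# distinguisher on a constructed toy permutation of F_2^4.
import itertools

N = 4  # block size in bits; states are ints 0..15, bit i of x is x_i


def g_quadratic(x):
    """Constructed candidate invariant g(x) = x0 * x1."""
    return (x & 1) & ((x >> 1) & 1)


def toy_perm(x):
    """Constructed permutation F: flips bit 3 exactly when x0*x1 = 1.
    F is an involution, and g_quadratic is an invariant for it because F
    never touches bits 0 and 1."""
    return x ^ (g_quadratic(x) << 3)


def cyclic_perm(x):
    """Constructed permutation x -> x + 1 mod 16; it stands in for P_rand
    and has no non-trivial invariant of the form above."""
    return (x + 1) % (1 << N)


def invariant_constant(F, g, n=N):
    """Return the constant c with g(F(x)) + g(x) = c for all x, or None
    when g o F + g is not constant (g is not an invariant for F)."""
    consts = {g(F(x)) ^ g(x) for x in range(1 << n)}
    return consts.pop() if len(consts) == 1 else None


def invariant_set(g, n=N):
    """The set view of an invariant: S = {x : g(x) = 1}."""
    return {x for x in range(1 << n) if g(x) == 1}


def is_invariant_set(F, S, n=N):
    """Invariant-set definition: F(S) = S or F(S) = complement of S."""
    image = {F(x) for x in S}
    universe = set(range(1 << n))
    return image == S or image == universe - S


def distinguisher(oracle, g, queries):
    """Query m_1..m_d and test whether g(O(m_i)) + g(m_i) is constant.
    True means 'looks like the instance with invariant g'."""
    values = {g(oracle(m)) ^ g(m) for m in queries}
    return len(values) == 1


def all_invariants(F, n=N):
    """Count every Boolean function g on n bits (as a truth table) that is
    an invariant for F. The count includes the trivial g = 0 and g = 1."""
    count = 0
    for tt in itertools.product((0, 1), repeat=1 << n):
        if invariant_constant(F, lambda x, tt=tt: tt[x], n) is not None:
            count += 1
    return count


if __name__ == "__main__":
    print("g o F + g for toy_perm:", invariant_constant(toy_perm, g_quadratic))
    print("invariants of toy_perm:", all_invariants(toy_perm))
    print("invariants of cyclic_perm:", all_invariants(cyclic_perm))
```

For `toy_perm` the invariants are exactly the functions constant on its cycles (12 fixed points and 2 transpositions), so the enumeration returns $2^{14}$; for the 16-cycle `cyclic_perm` only the two constants and the two alternating functions survive.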
Many Lightweight Ciphers Vulnerable to Invariant Attacks. For instance:

- PRINT-cipher [Leander et al. 2011]
- Midori-64 [Guo et al. 2016], [Todo, Leander, Sasaki 2016]
- iSCREAM [Leander, Minaud, Rønjom 2015]
- SCREAM [Todo, Leander, Sasaki 2016]
- NORX v2.0 [Chaigneau et al. 2017]
- Simpira v1 [Rønjom 2016]
- Haraka v.0 [Jean 2016]
Main Goal: Prevent Invariant Attacks

Our main goal (block ciphers): given a block cipher $E: \mathbb{F}_2^n \times \mathbb{F}_2^\kappa \to \mathbb{F}_2^n$, $(x, k) \mapsto E_k(x)$, show that there are no weak keys, i.e., for any $k$ one can find only trivial invariants for $E_k$.

Our main goal (cryptographic permutation): given a permutation $F: \mathbb{F}_2^n \to \mathbb{F}_2^n$, $x \mapsto F(x)$, show that one can find only trivial invariants for $F$.
Our Model Simplification (SPN): Assume the Same Invariant for all Layers

We consider only those invariants $g$ that are simultaneously invariants for the S-box layer and for all $\mathrm{Add}_{k_i} \circ L$. (Figure: an SPN with round keys $k_1, k_2, \dots, k_t$, alternating S-box layers $S$ and linear layers $L$.) Almost all real attacks we know exploit such an iterative structure! One exception: [Beyne 2018].
Outline

1. Lightweight SPNs: Proving Resistance against Invariant Attacks
2. Design Criteria on the Linear Layer and the Round Constants
Structure of the Invariants for all $\mathrm{Add}_{k_i} \circ L$

Let $g$ be an invariant for both $\mathrm{Add}_{k_i} \circ L$ and $\mathrm{Add}_{k_j} \circ L$. We then have
$$g(L(x) + k_i) = g(x) + \text{const}, \qquad g(L(x) + k_j) = g(x) + \text{const},$$
hence
$$g(L(x) + k_i) = g(L(x) + k_j) + \text{const},$$
and, writing $y = L(x) + k_j$,
$$g(y + k_i + k_j) = g(y) + \text{const}.$$
So $(k_i + k_j)$ is a linear structure of $g$.

Definition (Linear Structures of a Boolean Function $g$).
$$\mathrm{LS}(g) := \{\alpha \in \mathbb{F}_2^n : x \mapsto g(x + \alpha) + g(x) \text{ is constant}\}.$$
Requirements on an Invariant $g$

(Figure: the SPN with round keys $k_1, \dots, k_t$ as before.) $g$ has to be an invariant for the S-box layer and has to satisfy:

- $\mathrm{LS}(g)$ contains all round key differences $(k_i + k_j)$;
- $\mathrm{LS}(g)$ is invariant under $L$, i.e., $L(\mathrm{LS}(g)) = \mathrm{LS}(g)$.

What does the key schedule look like?
SPNs with very Simple Key Schedules

In many lightweight block ciphers, the round keys only differ by the addition of a publicly-known round constant, i.e., $\forall i: k_i := k + c_i$. Thus, $k_i + k_j = c_i + c_j \in \mathrm{LS}(g)$.

In a cryptographic permutation, we only have publicly-known round constants, i.e., $\forall i: k_i := 0 + c_i$. Thus, again, $k_i + k_j = c_i + c_j \in \mathrm{LS}(g)$.
Proving the Non-Existence of Invariants

Main condition on an invariant $g$:

1. $g$ has to be an invariant for the S-box layer, and
2. the smallest $L$-invariant subspace of $\mathbb{F}_2^n$ that contains all $c_i + c_j$ must be a subset of $\mathrm{LS}(g)$. We denote this subspace by $W_L(\{c_i + c_j \mid i, j\})$.

Important observation: assume that the S-box layer has no component of algebraic degree 1. If $\dim W_L(\{c_i + c_j \mid i, j\}) \geq n - 1$, there are only the trivial invariants that fulfill the above main condition!

Why? If $\dim W_L(\{c_i + c_j \mid i, j\}) \geq n - 1$, then $\dim \mathrm{LS}(g) \geq n - 1$. But then $g$ is linear (or affine). Since the S-box layer does not have a linear (or affine) component, $g$ must be trivial.
Applying the Argument to some Examples

Important observation: if $\dim W_L(\{c_i + c_j \mid i, j\}) \geq n - 1$, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer.

- Skinny: $\dim W_L(\{c_i + c_j \mid i, j\}) = 64$ ($n = 64$). The attack does not apply.
- Prince: $\dim W_L(\{c_i + c_j \mid i, j\}) = 56$ ($n = 64$). The dimension alone is too low, but the attack does not apply (using properties of the S-box layer).
- Mantis-7: $\dim W_L(\{c_i + c_j \mid i, j\}) = 42$ ($n = 64$). The dimension alone is too low, but the attack does not apply (using properties of the S-box layer).
- Midori-64: $\dim W_L(\{c_i + c_j \mid i, j\}) = 16$ ($n = 64$). Dimension too low.
How to Use Properties of the S-box

$$\mathrm{LS}(g) := \{\alpha \in \mathbb{F}_2^n : x \mapsto g(x + \alpha) + g(x) \text{ is constant}\},$$
$$\mathrm{LS}_0(g) := \{\alpha \in \mathbb{F}_2^n : \forall x\ g(x + \alpha) + g(x) = 0\} \subseteq \mathrm{LS}(g).$$
We know $\dim \mathrm{LS}_0(g) \in \{\dim \mathrm{LS}(g),\ \dim \mathrm{LS}(g) - 1\}$. How to find $\mathrm{LS}_0(g)$?

First Lemma. Let $g$ be an invariant for $\mathrm{Add}_{k_i} \circ L$ for some $k_i$ and let $V$ be an $L$-invariant subspace of $\mathrm{LS}(g)$. Then, for any $s \in V$, we have $s + L(s) \in \mathrm{LS}_0(g)$.

Second Lemma. Let $g$ be an invariant for $S$, where $S: \mathbb{F}_2^n \to \mathbb{F}_2^n$ is a permutation with an odd cycle. Then $s \in \mathrm{LS}(g) \cap \{S(x) + x \mid x \in \mathbb{F}_2^n\}$ implies $s \in \mathrm{LS}_0(g)$.
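Computing $\mathrm{LS}(g)$ (defined on the "Structure of the Invariants" slide) and $\mathrm{LS}_0(g)$ (defined here), as an added example that is not part of the slides. Both sets are found by exhausting all derivative directions $\alpha$ of a Boolean function on $n$ bits; the two functions `g_example` and `g_product` are constructed so that one of them shows the case $\dim \mathrm{LS}_0(g) = \dim \mathrm{LS}(g) - 1$ and the other the case $\dim \mathrm{LS}_0(g) = \dim \mathrm{LS}(g)$.

```python
# Added example (not from the slides): LS(g) and LS_0(g) of a Boolean
# function given as a callable on n-bit integers (bit i of x is x_i).
N = 4


def g_example(x):
    """Constructed g(x) = x0*x1 + x2 on F_2^4.
    Derivative in direction alpha: a1*x0 + a0*x1 + a0*a1 + a2, which is
    constant iff a0 = a1 = 0 and then equals a2."""
    x0, x1, x2 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    return (x0 & x1) ^ x2


def g_product(x):
    """Constructed g(x) = x0*x1: same LS(g) as g_example, but every
    constant derivative is 0, so LS_0(g) = LS(g)."""
    return (x & 1) & ((x >> 1) & 1)


def derivative_constant(g, alpha, n=N):
    """Return c if g(x + alpha) + g(x) = c for every x, else None."""
    vals = {g(x ^ alpha) ^ g(x) for x in range(1 << n)}
    return vals.pop() if len(vals) == 1 else None


def linear_structures(g, n=N):
    """LS(g): all alpha whose derivative is constant (0 is always included)."""
    return sorted(a for a in range(1 << n)
                  if derivative_constant(g, a, n) is not None)


def linear_structures_0(g, n=N):
    """LS_0(g): all alpha whose derivative is identically 0."""
    return sorted(a for a in range(1 << n)
                  if derivative_constant(g, a, n) == 0)


def subspace_dim(vectors):
    """LS(g) and LS_0(g) are F_2-subspaces, so dim = log2(|set|)."""
    size = len(vectors)
    if size & (size - 1):
        raise ValueError("set size is not a power of two: not a subspace")
    return size.bit_length() - 1


def dimension_pair(g, n=N):
    """(dim LS(g), dim LS_0(g)); checks the relation
    dim LS_0(g) in {dim LS(g), dim LS(g) - 1} stated on the slide."""
    d = subspace_dim(linear_structures(g, n))
    d0 = subspace_dim(linear_structures_0(g, n))
    if d0 not in (d, d - 1):
        raise AssertionError("dimension relation violated")
    return d, d0


if __name__ == "__main__":
    for name, g in (("x0*x1 + x2", g_example), ("x0*x1", g_product)):
        print(name, "LS =", linear_structures(g), "LS_0 =",
              linear_structures_0(g), "dims =", dimension_pair(g))
```

The direction $\alpha = 4$ (i.e., $e_2$) is the interesting one for `g_example`: its derivative is the constant 1, so it lies in $\mathrm{LS}(g)$ but not in $\mathrm{LS}_0(g)$.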
How to Use Properties of the S-box

Lemma. Let $g: \mathbb{F}_2^n \to \mathbb{F}_2$ be an invariant for $S$ and let $Z$ be a subspace of $\mathbb{F}_2^n$ with $Z \subseteq \mathrm{LS}_0(g)$. Then $g$ is constant on each coset $Z + a$, and $g$ is constant on $S(Z)$.

(Figure: the $2^{n - \dim Z}$ cosets $Z + a_1, Z + a_2, Z + a_3, \ldots$ of $Z$, with images $S(z)$ of elements $z \in Z$ scattered across them.)

Algorithm:
1: $R = \{\}$
2: repeat
3: $z \xleftarrow{\$} Z$
4: compute $S(z)$
5: add to $R$ a representative of the coset defined by $S(z)$
6: until $|R| = 2^{n - \dim Z}$
Example: LS Designs (e.g., Ascon)

Important observation (as before): if $\dim W_L(\{c_i + c_j \mid i, j\}) \geq n - 1$, the invariant attack does not apply, for any (reasonable) choice of the S-box layer.

(Figure: the state is an $s \times l$ array with $n = s \cdot l$; the S-box layer $S$ acts on the $s$-bit columns, and the linear layer acts row-wise, $L = \mathrm{diag}(L_1, L_2, L_3, L_4)$ with one $L_i$ per row.)

Where to put the constants? If the round constants $c_j^{(0)}, c_j^{(1)}, c_j^{(2)}, c_j^{(3)}$ are placed within a single row of the state, then $\dim W_L(\{c_i + c_j \mid i, j\}) \leq l$. For the argument, it would be better to put the constants in the columns.

Remark: a low dimension doesn't imply insecurity of the permutation!
Outline

1. Lightweight SPNs: Proving Resistance against Invariant Attacks
2. Design Criteria on the Linear Layer and the Round Constants (this part)
Very Different Behavior for each Cipher

- Skinny: $\dim W_L(\{c_i + c_j \mid i, j\}) = 64$. The constants are sparse; in particular, $c_i + c_j = \mathtt{0xab}$.
- Prince: $\dim W_L(\{c_i + c_j \mid i, j\}) = 56$. Mantis-7: $\dim W_L(\{c_i + c_j \mid i, j\}) = 42$. The $c_i + c_j \in \mathbb{F}_2^{64}$ are dense (derived from the fractional digits of $\pi$).

Are the constants for Prince and Mantis just unluckily chosen?
It's a Property of the Linear Layer

For a single element $c$: $W_L(c) = \langle L^t(c),\ t \in \mathbb{N} \rangle$.

$\dim W_L(c)$ equals the smallest $d$ for which there exist $\lambda_0, \ldots, \lambda_d \in \mathbb{F}_2$, not all zero, with
$$\sum_{t=0}^{d} \lambda_t L^t(c) = 0.$$
That is, $\dim W_L(c)$ is the degree of the minimal annihilating polynomial of $c$.

Theorem. There exists a $c \in \mathbb{F}_2^n$ such that $\dim W_L(c) = d$ if and only if $d$ is the degree of a divisor of the minimal polynomial $m_L$ of $L$. In particular,
$$\max_{c \in \mathbb{F}_2^n} \dim W_L(c) = \deg m_L.$$
Examples

- Skinny-64: $m_L = (X + 1)^{16} \in \mathbb{F}_2[X]$. There exists a $c \in \mathbb{F}_2^{64}$ with $\dim W_L(c) = d$ if and only if $d \in \{1, \ldots, 16\}$.
- Prince: $m_L = (X^4 + X^3 + X^2 + X + 1)^2 (X^2 + X + 1)^4 (X + 1)^4 \in \mathbb{F}_2[X]$. There exists a $c \in \mathbb{F}_2^{64}$ with $\dim W_L(c) = d$ if and only if $d \in \{1, \ldots, 20\}$.
- Mantis and Midori: $m_L = (X + 1)^6 \in \mathbb{F}_2[X]$. There exists a $c \in \mathbb{F}_2^{64}$ with $\dim W_L(c) = d$ if and only if $d \in \{1, \ldots, 6\}$.
Considering more Constants: The Rational Canonical Form

If $\deg(m_L) = n$, there exists a basis for which the matrix of $L$ is the companion matrix of $m_L$.

Definition (Companion Matrix). Let $p = X^m + \sum_{i=0}^{m-1} p_i X^i \in \mathbb{F}_2[X]$. The companion matrix of $p$ is
$$C(p) := \begin{pmatrix} 0 & 0 & \cdots & 0 & p_0 \\ 1 & 0 & \cdots & 0 & p_1 \\ 0 & 1 & \cdots & 0 & p_2 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & p_{m-1} \end{pmatrix}.$$

In general, there exists a basis for which the matrix of $L$ is the block-diagonal matrix
$$\begin{pmatrix} C(Q_1) & & & \\ & C(Q_2) & & \\ & & \ddots & \\ & & & C(Q_r) \end{pmatrix}$$
for $r$ polynomials with $Q_r \mid Q_{r-1} \mid \cdots \mid Q_1 = m_L$. $Q_1, Q_2, \ldots, Q_r$ are called the invariant factors of $L$.
Considering more Constants: The Rational Canonical Form

Theorem. Let $Q_1, Q_2, \ldots, Q_r$ be the invariant factors of $L$. For any $t \leq r$, we have
$$\max_{c_1, \ldots, c_t} \dim W_L(\{c_1, \ldots, c_t\}) = \sum_{i=1}^{t} \deg Q_i.$$
In particular, one needs $r$ elements to obtain the maximal dimension, i.e., the full space $\mathbb{F}_2^n$.

Prince. The invariant factor decomposition is
$Q_1 = Q_2 = X^{20} + X^{18} + X^{16} + X^{14} + X^{12} + X^8 + X^6 + X^4 + \ldots$ (degree 20, equal to $m_L$; the lowest-order terms are lost in the transcription),
$Q_3 = Q_4 = X^8 + X^6 + \ldots$ (degree 8; lower-order terms lost in the transcription),
$Q_5 = Q_6 = Q_7 = Q_8$ (degree 2; the terms are lost in the transcription).
For $t = 5$, $\max \dim W_L(\{c_1, \ldots, c_5\}) = 20 + 20 + 8 + 8 + 2 = 58$. We need 8 elements to get the full space.

Mantis and Midori. The invariant factor decomposition is
$Q_1 = Q_2 = \cdots = Q_8$ (degree 6 each; the terms are lost in the transcription),
$Q_9 = Q_{10} = \cdots = Q_{16}$ (degree 2 each; the terms are lost in the transcription).
For $t = 7$, $\max \dim W_L(\{c_1, \ldots, c_7\}) = 42$. For $t = 8$, $\max \dim W_L(\{c_1, \ldots, c_8\}) = 48$. We need 16 elements to get the full space.
The Maximal Dimension for $\#D$ Constants

(Figure: $\max \dim W_L(D)$ plotted against the number of constants $\#D$, for Prince and for Mantis.)
Choosing Random Round Constants

For $t \geq r$, the probability that $t$ uniformly chosen constants $c_i$ generate the whole $\mathbb{F}_2^n$ can be computed from the invariant factors of $L$.

(Figure: $P(\dim W_L(D) = 64)$, from 0 to 1, plotted against $\#D$ for LED, Skinny64, Prince and Mantis.)
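The closure computation behind the $\dim W_L(\{c_i + c_j \mid i, j\}) \geq n - 1$ check, as an added example that is not part of the slides. It serves the main condition and the per-cipher examples of Part 1, the single-constant statement $\max_c \dim W_L(c) = \deg m_L$, the invariant-factor theorem, and the probability slide above. The linear layer `toy_L` (two independent rotations of the 4-bit halves of an 8-bit state) is constructed for this example; it has $m_L = X^4 + 1 = (X + 1)^4$ and two invariant factors $Q_1 = Q_2 = X^4 + 1$, so its numbers are tiny enough to check by exhaustive enumeration rather than by the invariant-factor formula the slides refer to. The GF(2) echelon-basis helper and all function names are this example's own.

```python
# Added example (not from the slides): W_L(D) by closure under L, the
# "Simple Algorithm" dimension check, and exhaustive counts on a
# constructed 8-bit linear layer. Vectors of F_2^n are ints, bit i = x_i.
import itertools

N = 8


def insert_into_basis(basis, v):
    """Reduce v against an echelon basis over F_2 (dict: pivot bit -> vector)
    and insert it if it is independent. Returns True when dim grew."""
    while v:
        pivot = v.bit_length() - 1
        if pivot in basis:
            v ^= basis[pivot]
        else:
            basis[pivot] = v
            return True
    return False


def w_l_dim(L, D, n=N):
    """dim W_L(D): the smallest L-invariant subspace containing all d in D.
    Closure: apply L to every newly inserted basis vector until the span
    stops growing; this equals span{L^k(d) : k < order(L), d in D}."""
    basis = {}
    frontier = [d for d in D if insert_into_basis(basis, d)]
    while frontier:
        new = []
        for v in frontier:
            w = L(v)
            if insert_into_basis(basis, w):
                new.append(w)
        frontier = new
    return len(basis)


def rc_differences(constants):
    """{c_i + c_j | i, j} for a list of round constants (0 omitted)."""
    return {a ^ b for a, b in itertools.combinations(constants, 2)}


def invariant_argument_applies(L, constants, n=N):
    """The slides' Simple Algorithm: True iff dim W_L({c_i+c_j}) >= n-1,
    in which case only trivial invariants fit the main condition."""
    return w_l_dim(L, rc_differences(constants), n) >= n - 1


def rotl4(x):
    return ((x << 1) | (x >> 3)) & 0xF


def toy_L(x):
    """Constructed linear layer: rotate each 4-bit half left by one.
    Minimal polynomial X^4 + 1; invariant factors Q_1 = Q_2 = X^4 + 1."""
    return (rotl4(x >> 4) << 4) | rotl4(x & 0xF)


def max_single_constant_dim(L, n=N):
    """max_c dim W_L(c); by the theorem this equals deg m_L (4 for toy_L)."""
    return max(w_l_dim(L, [c], n) for c in range(1 << n))


def count_spanning_pairs(L, n=N):
    """Ordered pairs (c1, c2) with dim W_L({c1, c2}) = n. Dividing by 2^(2n)
    gives the probability that two uniformly random constants generate
    the whole space (3/8 for toy_L)."""
    return sum(1 for c1 in range(1 << n) for c2 in range(1 << n)
               if w_l_dim(L, [c1, c2], n) == n)


if __name__ == "__main__":
    print("dim W_L(0x01) =", w_l_dim(toy_L, [0x01]))
    print("max_c dim W_L(c) =", max_single_constant_dim(toy_L))
    print("P(two constants span F_2^8) =", count_spanning_pairs(toy_L) / 2 ** 16)
    print("argument applies for constants 0,1,0x10:",
          invariant_argument_applies(toy_L, [0x00, 0x01, 0x10]))
```

With `toy_L`, a single constant reaches at most dimension 4 (one invariant factor's worth), two constants whose halves have independent parity patterns reach the full 8, and round constants that all live in the low half (differences $\{1, 2, 3\}$) leave $\dim W_L = 4 < n - 1$, so the argument does not apply to them.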
Conclusion

For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove resistance against a large class of invariant attacks.

Simple Algorithm. Input: linear layer $L$, round-constant differences $\{c_i + c_j \mid i, j\}$. Check whether
$$\dim \langle L^k(c_i + c_j) \mid k < \mathrm{order}(L),\ i, j \rangle \geq n - 1.$$

Depending on the linear layer, one can derive an upper bound on the minimum number of round constants that are necessary for the argument, which yields design criteria.

Future work: can we avoid the restriction of using the same invariant for each of the constituent building blocks? (see [Beyne 2018])

Thanks for your attention! Any questions?
Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function Yindong Chen a,, Fei Guo a, Liu Zhang a a College of Engineering, Shantou University, Shantou 515063, China Abstract Boolean functions
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationobservations on the simon block cipher family
observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,
More informationOn Cryptographic Properties of the Cosets of R(1;m)
1494 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 47, NO. 4, MAY 2001 On Cryptographic Properties of the Cosets of R(1;m) Anne Canteaut, Claude Carlet, Pascale Charpin, and Caroline Fontaine Abstract
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationFunctions on Finite Fields, Boolean Functions, and S-Boxes
Functions on Finite Fields, Boolean Functions, and S-Boxes Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland 1 July, 2013 Boolean Function
More informationCyclic codes: overview
Cyclic codes: overview EE 387, Notes 14, Handout #22 A linear block code is cyclic if the cyclic shift of a codeword is a codeword. Cyclic codes have many advantages. Elegant algebraic descriptions: c(x)
More informationOn values of vectorial Boolean functions and related problems in APN functions
On values of vectorial Boolean functions and related problems in APN functions George Shushuev Sobolev Institute of Mathematics, Novosibirsk, Russia Novosibirsk State University, Novosibirsk, Russia E-mail:
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationRational Canonical Form
Introduction k[x]-modules Matrix Representation of Cyclic Submodules The Decomposition Theorem May 2014 Introduction k[x]-modules Matrix Representation of Cyclic Submodules The Decomposition Theorem Table
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationbison Instantiating the Whitened Swap-Or-Not Construction
bison Instantiating the Whitened Swap-Or-Not Construction Anne Canteaut 1, Virginie Lallemand 2, Gregor Leander 2, Patrick Neumann 2 and Friedrich Wiemer 2 1 Inria, Paris, France anne.canteaut@inria.fr
More informationConstruction of Lightweight S-Boxes using Feistel and MISTY structures
Construction of Lightweight S-Boxes using Feistel and MISTY structures Anne Canteaut Sébastien Duval Gaëtan Leurent Inria, France SAC 2015 A. Canteaut, S. Duval, G. Leurent (Inria) Lightweight S-Boxes
More informationProvable Security Against Differential and Linear Cryptanalysis
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly
More informationCCZ-equivalence and Boolean functions
CCZ-equivalence and Boolean functions Lilya Budaghyan and Claude Carlet Abstract We study further CCZ-equivalence of (n, m)-functions. We prove that for Boolean functions (that is, for m = 1), CCZ-equivalence
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationFinding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms
Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms Vladimir Bayev Abstract. Low degree annihilators for Boolean functions are of great interest in cryptology because of
More informationA New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT
A New Classification of 4-bit Optimal S-boxes and its Application to PRESENT, RECTANGLE and SPONGENT Wentao Zhang 1, Zhenzhen Bao 1, Vincent Rijmen 2, Meicheng Liu 1 1.State Key Laboratory of Information
More informationLinear Feedback Shift Registers
Linear Feedback Shift Registers Pseudo-Random Sequences A pseudo-random sequence is a periodic sequence of numbers with a very long period. Golomb's Principles G1: The # of zeros and ones should be as
More information9-variable Boolean Functions with Nonlinearity 242 in the Generalized Rotation Class
9-variable Boolean Functions with Nonlinearity 242 in the Generalized Rotation Class Selçuk Kavut and Melek Diker Yücel arxiv:0808.0684v1 [cs.cr] 5 Aug 2008 Abstract In 2006, 9-variable Boolean functions
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationMath-Net.Ru All Russian mathematical portal
Math-Net.Ru All Russian mathematical portal G. P. Agibalov, I. A. Pankratova, Asymmetric cryptosystems on Boolean functions, Prikl. Diskr. Mat., 2018, Number 40, 23 33 DOI: https://doi.org/10.17223/20710410/40/3
More informationSequences, DFT and Resistance against Fast Algebraic Attacks
Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca
More informationZero-Sum Partitions of PHOTON Permutations
Zero-Sum Partitions of PHOTON Permutations Qingju Wang 1, Lorenzo Grassi 2, Christian Rechberger 1,2 1 Technical University of Denmark, Denmark, 2 IAIK, Graz University of Technology, Austria quwg@dtu.dk,
More informationBulletin of the Iranian Mathematical Society
ISSN: 1017-060X (Print) ISSN: 1735-8515 (Online) Special Issue of the Bulletin of the Iranian Mathematical Society in Honor of Professor Heydar Radjavi s 80th Birthday Vol 41 (2015), No 7, pp 155 173 Title:
More informationOptimized Interpolation Attacks on LowMC
Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering
More informationDD2448 Foundations of Cryptography Lecture 3
DD2448 Foundations of Cryptography Lecture 3 Douglas Wikström KTH Royal Institute of Technology dog@kth.se February 3, 2016 Linear Cryptanalysis of the SPN Basic Idea Linearize Find an expression of the
More information(Can) Canonical Forms Math 683L (Summer 2003) M n (F) C((x λ) ) =
(Can) Canonical Forms Math 683L (Summer 2003) Following the brief interlude to study diagonalisable transformations and matrices, we must now get back to the serious business of the general case. In this
More information1 The Algebraic Normal Form
1 The Algebraic Normal Form Boolean maps can be expressed by polynomials this is the algebraic normal form (ANF). The degree as a polynomial is a first obvious measure of nonlinearity linear (or affine)
More informationALGEBRAIC GEOMETRY COURSE NOTES, LECTURE 2: HILBERT S NULLSTELLENSATZ.
ALGEBRAIC GEOMETRY COURSE NOTES, LECTURE 2: HILBERT S NULLSTELLENSATZ. ANDREW SALCH 1. Hilbert s Nullstellensatz. The last lecture left off with the claim that, if J k[x 1,..., x n ] is an ideal, then
More informationAttacks Against Filter Generators Exploiting Monomial Mappings
Attacks Against Filter Generators Exploiting Monomial Mappings Anne Canteaut, Yann Rotella To cite this version: Anne Canteaut, Yann Rotella. Attacks Against Filter Generators Exploiting Monomial Mappings.
More informationMATH32031: Coding Theory Part 15: Summary
MATH32031: Coding Theory Part 15: Summary 1 The initial problem The main goal of coding theory is to develop techniques which permit the detection of errors in the transmission of information and, if necessary,
More informationMath 550 Notes. Chapter 2. Jesse Crawford. Department of Mathematics Tarleton State University. Fall 2010
Math 550 Notes Chapter 2 Jesse Crawford Department of Mathematics Tarleton State University Fall 2010 (Tarleton State University) Math 550 Chapter 2 Fall 2010 1 / 20 Linear algebra deals with finite dimensional
More informationMultiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs Alex Biryukov 1,2, Dmitry Khovratovich 2, Léo Perrin 2 1 CSC, University of Luxembourg 2 SnT, University of Luxembourg https://www.cryptolux.org
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationThe Jordan Canonical Form
The Jordan Canonical Form The Jordan canonical form describes the structure of an arbitrary linear transformation on a finite-dimensional vector space over an algebraically closed field. Here we develop
More informationOptimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications
Optimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications Dušan Božilov 1,2, Miroslav Knežević 1 and Ventzislav Nikov 1 1 NXP Semiconductors,
More informationMILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher
MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,
More informationConstructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 60, NO 3, PP 1638-1651, 2014 1 Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes Wei-Guo Zhang, Member,
More informationQuadratic Almost Perfect Nonlinear Functions With Many Terms
Quadratic Almost Perfect Nonlinear Functions With Many Terms Carl Bracken 1 Eimear Byrne 2 Nadya Markin 3 Gary McGuire 2 School of Mathematical Sciences University College Dublin Ireland Abstract We introduce
More informationInvariant Hopping Attacks on Block Ciphers
Invariant Hopping Attacks on Block Ciphers Nicolas T. Courtois University College London, Gower Street, London, UK Abstract. Block ciphers are in widespread use since the 1970s. Their iterated structure
More informationAttacks against Filter Generators Exploiting Monomial Mappings
Attacks against Filter Generators Exploiting Monomial Mappings Anne Canteaut and Yann Rotella Inria, Paris, France Anne.Canteaut@inria.fr, Yann.Rotella@inria.fr Abstract. Filter generators are vulnerable
More informationProjective Schemes with Degenerate General Hyperplane Section II
Beiträge zur Algebra und Geometrie Contributions to Algebra and Geometry Volume 44 (2003), No. 1, 111-126. Projective Schemes with Degenerate General Hyperplane Section II E. Ballico N. Chiarli S. Greco
More informationMixed-integer Programming based Differential and Linear Cryptanalysis
Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance
More informationConstructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 60, NO 3, 2014 1 Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes Wei-Guo Zhang, Member, IEEE, and
More informationCharacterizations on Algebraic Immunity for Multi-Output Boolean Functions
Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School
More informationUNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationCount November 21st, 2017
RUHR-UNIVERSITÄT BOCHUM XOR Count November 21st, 2017 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer XOR Count November 21st, 2017 1 Overview Joint
More informationMaiorana-McFarland class: Degree optimization and algebraic properties
Downloaded from orbitdtudk on: Jan 10, 2019 Maiorana-McFarland class: Degree optimization and algebraic properties Pasalic, Enes Published in: I E E E Transactions on Information Theory Link to article,
More informationWritten Homework # 5 Solution
Math 516 Fall 2006 Radford Written Homework # 5 Solution 12/12/06 Throughout R is a ring with unity. Comment: It will become apparent that the module properties 0 m = 0, (r m) = ( r) m, and (r r ) m =
More informationGröbner Bases. Applications in Cryptology
Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE 20007 - Luxembourg E cient Goal: how Gröbner bases can be used to break
More informationMath 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille
Math 429/581 (Advanced) Group Theory Summary of Definitions, Examples, and Theorems by Stefan Gille 1 2 0. Group Operations 0.1. Definition. Let G be a group and X a set. A (left) operation of G on X is
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationMin-Rank Conjecture for Log-Depth Circuits
Min-Rank Conjecture for Log-Depth Circuits Stasys Jukna a,,1, Georg Schnitger b,1 a Institute of Mathematics and Computer Science, Akademijos 4, LT-80663 Vilnius, Lithuania b University of Frankfurt, Institut
More informationAlgebraic Attacks and Stream Ciphers
November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)
More informationOn The Nonlinearity of Maximum-length NFSR Feedbacks
On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main
More informationLinear and Statistical Independence of Linear Approximations and their Correlations
Linear and Statistical Independence of Linear Approximations and their Correlations Kaisa Nyberg Aalto University School of Science kaisa.nyberg@aalto.fi Boolean Functions and their Applications Os, Norway,
More informationDefinitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations
Page 1 Definitions Tuesday, May 8, 2018 12:23 AM Notations " " means "equals, by definition" the set of all real numbers the set of integers Denote a function from a set to a set by Denote the image of
More informationVectorial Boolean Functions for Cryptography
Vectorial Boolean Functions for Cryptography Claude Carlet June 1, 008 To appear as a chapter of the volume Boolean Methods and Models, published by Cambridge University Press, Eds Yves Crama and Peter
More informationCOUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS
italian journal of pure and applied mathematics n. 37 2017 (173 182) 173 COUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS Shashi Kant Pandey Department of Mathematics University
More informationThird-order nonlinearities of some biquadratic monomial Boolean functions
Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this
More informationLecture 7: Polynomial rings
Lecture 7: Polynomial rings Rajat Mittal IIT Kanpur You have seen polynomials many a times till now. The purpose of this lecture is to give a formal treatment to constructing polynomials and the rules
More informationLinear Cryptanalysis of Reduced-Round PRESENT
Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable
More informationBlock Cipher Cryptanalysis: An Overview
0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution
More informationNon-Separable Cryptographic Functions
International Symposium on Information Theory and Its Applications Honolulu, Hawaii, USA, November 5 8, 2000 Non-Separable Cryptographic Functions Yuliang Zheng and Xian-Mo Zhang School of Network Computing
More informationCube Attacks on Stream Ciphers Based on Division Property
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan 1 Cube Attack:
More informationLecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman
Lecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman October 17, 2006 TALK SLOWLY AND WRITE NEATLY!! 1 0.1 Integral Domains and Fraction Fields 0.1.1 Theorems Now what we are going
More informationLecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman
Lecture Notes Math 371: Algebra (Fall 2006) by Nathanael Leedom Ackerman October 31, 2006 TALK SLOWLY AND WRITE NEATLY!! 1 0.1 Symbolic Adjunction of Roots When dealing with subfields of C it is easy to
More informationRC4 State Information at Any Stage Reveals the Secret Key
RC4 State Information at Any Stage Reveals the Secret Key Goutam Paul Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India, Email: goutam paul@cse.jdvu.ac.in Subhamoy
More informationSome consequences of the Riemann-Roch theorem
Some consequences of the Riemann-Roch theorem Proposition Let g 0 Z and W 0 D F be such that for all A D F, dim A = deg A + 1 g 0 + dim(w 0 A). Then g 0 = g and W 0 is a canonical divisor. Proof We have
More informationGeneralized hyper-bent functions over GF(p)
Discrete Applied Mathematics 55 2007) 066 070 Note Generalized hyper-bent functions over GFp) A.M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, H3G
More informationIntroduction to symmetric cryptography
Introduction to symmetric cryptography hristina Boura École de printemps en codage et cryptographie May 17, 2016 1 / 48 Overview Introduction to symmetric-key cryptography Block ciphers Boolean functions
More informationConstruction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity
Pan SS, Fu XT, Zhang WG. Construction of 1-resilient Boolean functions with optimal algebraic immunity and good nonlinearity. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(2): 269 275 Mar. 2011. DOI 10.1007/s11390-011-1129-4
More information1. Group Theory Permutations.
1.1. Permutations. 1. Group Theory Problem 1.1. Let G be a subgroup of S n of index 2. Show that G = A n. Problem 1.2. Find two elements of S 7 that have the same order but are not conjugate. Let π S 7
More information