Analysis of cryptographic hash functions (Christina Boura, SECRET project-team) - PowerPoint presentation



SLIDE 1

Analysis of cryptographic hash functions

Christina Boura

SECRET Project-Team, INRIA Paris-Rocquencourt / Gemalto, France

Ph.D. Defense, December 7, 2012

1 / 43

SLIDE 2

Symmetric key cryptography

Alice and Bob share the same secret key.

[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext, the key feeding both operations.]

Stream ciphers, block ciphers, hash functions.

2 / 43

SLIDE 3

Cryptographic Hash Functions

H : {0, 1}^* → {0, 1}^n.

Security properties (complexity of the generic attack):
- Preimage resistance: 2^n
- Second-preimage resistance: 2^n
- Collision resistance: 2^{n/2} (birthday bound)

Applications: password protection, digital signatures, key derivation, random number generation, ...

3 / 43

SLIDE 4

The NIST SHA-3 competition

Devastating attacks against MD5, SHA-1, ... Lack of confidence in SHA-2 (the standard). NIST launched in 2008 a public competition to define a new standard.
- 64 submissions (October 2008)
- 51 first-round candidates
- 14 second-round candidates (July 2009)
- 5 finalists (December 2010)
- Winner of the competition: Keccak

4 / 43

SLIDE 5

Design of symmetric primitives

Block ciphers and hash functions use similar building blocks. Iterated structure F = R_r ∘ ··· ∘ R_1. Every round follows the principles stated by Claude Shannon:
- a nonlinear part providing confusion;
- a linear part providing diffusion.

5 / 43

SLIDE 6

Outline

1. Analysis of the algebraic properties of some primitives
   - Zero-sum distinguishers
   - A bound on the degree of SPN-type iterated permutations
   - A bound implying the degree of the inverse permutation
   - The notion of (v, w)-linearity

2. Side-channel analysis of some SHA-3 candidates

6 / 43


SLIDE 8

Analysis of the algebraic properties of some primitives

Vectorial functions

Cryptographic primitives seen as vectorial Boolean functions F : F_2^n → F_2^m. These functions should behave like random functions.
- Study the properties of the inner Boolean functions to detect a non-random behaviour.
- Find a way to exploit the detected non-random behaviour.

8 / 43


SLIDE 11

Algebraic degree

F : F_2^4 → F_2^3, F(x0, x1, x2, x3) := (x0x1 + x3, x0x2x3 + x1x2, x0 + x1 + x2), deg(F) = 3.

Exploit a low algebraic degree in: algebraic attacks, higher-order differential attacks, cube attacks, ...

Higher-order differential attacks [Lai 94, Knudsen 94]. For every subspace V with dim V > deg F:

D_V F(x) = ⊕_{v ∈ V} F(x + v) = 0, for every x ∈ F_2^n.

9 / 43

SLIDE 12

Algebraic degree of iterated constructions

P = P_r ∘ ··· ∘ P_1. Question: how to estimate the algebraic degree of an iterated construction? Trivial bound: deg(G ∘ F) ≤ deg G · deg F.

10 / 43

SLIDE 13

The SHA-3 case

Keccak [Bertoni-Daemen-Peeters-Van Assche 08], winner of the SHA-3 competition.
- Sponge construction.
- Keccak-f permutation: 1600-bit state, seen as a 3-dimensional 5 × 5 × 64 matrix; 24 rounds of R = ι ∘ χ ∘ π ∘ ρ ∘ θ.
- Nonlinear layer: 320 parallel applications of a 5 × 5 S-box χ, with deg χ = 2 and deg χ^{-1} = 3.

11 / 43

SLIDE 14

The algebraic degree of the Keccak-f permutation

Algebraic degree of the round permutation: deg(R) = 2. After r rounds (trivial bound): deg(R^r) ≤ 2 deg(R^{r−1}), i.e. deg(R^r) ≤ 2^r. This exceeds 1600 already for r = 11 (2^11 = 2048), while the degree of any permutation of F_2^{1600} is at most 1599: for r = 24 the trivial bound gives no relevant information.

12 / 43

SLIDE 15

Zero-sum distinguishers

Zero-sums

For block ciphers (known-key model) [Knudsen-Rijmen 07]; for hash functions [Aumasson-Meier 09].

Let F : F_2^n → F_2^n. A zero-sum of size k for F is a subset {x_1, ..., x_k} such that

⊕_{i=1}^{k} x_i = ⊕_{i=1}^{k} F(x_i) = 0.

13 / 43

SLIDE 16

Minimal size of a zero-sum [SAC 10]

Let F : F_2^n → F_2^n. C_F: linear code of length 2^n and dimension 2n defined by the generator matrix

G_F = ( x_0     x_1     x_2     x_3     ...   x_{2^n−1}
        F(x_0)  F(x_1)  F(x_2)  F(x_3)  ...   F(x_{2^n−1}) ),

each x_i and each F(x_i) being written as a column of n bits.

Proposition. {x_{i_1}, ..., x_{i_K}} ⊂ F_2^n is a zero-sum for F if and only if the codeword with support {i_1, ..., i_K} belongs to the dual code C_F^⊥.

Most notably, there exists at least one zero-sum of size ≤ 5 for F; F has no zero-sum of size less than or equal to 4 if and only if F is an APN function.

14 / 43

SLIDE 17

Zero-sum partitions

Let P be a permutation of F_2^n. A zero-sum partition for P of size K = 2^k is a collection of 2^{n−k} disjoint zero-sums, each of size 2^k, covering F_2^n.

Complexity of the best-known generic algorithm for finding zero-sum partitions: 2^n − 2^k + (2n)^3 (2^{n−k} − 1).

Finding zero-sum partitions for an iterated permutation: exploit the non-linear part; exploit the linear part.

15 / 43

SLIDE 18

Exploiting the non-linear part [Aumasson-Meier 09]

Take advantage of a low algebraic degree after several rounds. P = R_r ∘ ··· ∘ R_1. Let F_{r−t} = R_r ∘ ··· ∘ R_{t+1} and G_t = R_1^{-1} ∘ ··· ∘ R_t^{-1}.

Let V ⊂ F_2^n with dim V > max(deg F_{r−t}, deg G_t), and let W be such that V ⊕ W = F_2^n.

[Figure: the coset V + a is mapped by G_t to X_a and by F_{r−t} to P(X_a).]

X_a = {G_t(a + z), z ∈ V}, a ∈ W, is a zero-sum partition of F_2^n of size 2^{dim V} for P.

16 / 43

SLIDE 19

Using the principle of higher-order differentials

[Figure: as on the previous slide, V + a is mapped by G_t to X_a and by F_{r−t} to P(X_a).]

⊕_{x ∈ X_a} x = ⊕_{z ∈ V} G_t(z + a) = D_V G_t(a) = 0,

⊕_{x ∈ X_a} P(x) = ⊕_{z ∈ V} F_{r−t}(z + a) = D_V F_{r−t}(a) = 0.

17 / 43
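The higher-order differential property of slide 11 and the zero-sum partition construction of slides 18 and 19, as an added worked example that is not part of the thesis or of the slides. It uses a 12-bit toy SPN built around the Hamsi S-box printed on slide 40 (tabulated here); the bit permutation, the round constants and the round count are assumptions made for illustration only, so the toy is not Hamsi. The degrees of G_t and F_{r−t} are computed exactly from the ANF, V is the span of the first dim V unit vectors, and every block X_a is checked to be a zero-sum for both the inputs and the outputs of P.

```python
# Added example (not from the thesis): the higher-order differential property of
# slide 11 and the zero-sum partition construction of slides 18-19, on a
# constructed 12-bit toy SPN. Only the S-box is taken from the page (the Hamsi
# S-box of slide 40, tabulated here); the bit permutation, round constants and
# number of rounds are assumptions for illustration and are not Hamsi.
from functools import reduce
from operator import xor

def anf(tt):
    """Möbius transform: ANF coefficient a_u (u = monomial mask) of a Boolean
    function given by its truth table tt[x], x in 0..2^n-1."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):
        for x in range(len(a)):
            if x >> i & 1:
                a[x] ^= a[x ^ (1 << i)]
    return a

def degree(f, n, m):
    """Algebraic degree of f: F_2^n -> F_2^m (maximum over its m coordinates)."""
    table = [f(x) for x in range(1 << n)]
    best = 0
    for j in range(m):
        coeffs = anf([(y >> j) & 1 for y in table])
        best = max([best] + [bin(u).count("1") for u, c in enumerate(coeffs) if c])
    return best

def span(basis):
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return sorted(vecs)

def higher_order_derivative(f, subspace, x):
    """D_V f(x) = XOR over v in V of f(x + v); it vanishes when dim V > deg f."""
    return reduce(xor, (f(x ^ v) for v in subspace))

def bit(x, i):
    return (x >> i) & 1

def F11(x):
    """Slide 11: F(x0,x1,x2,x3) = (x0x1 + x3, x0x2x3 + x1x2, x0 + x1 + x2)."""
    x0, x1, x2, x3 = (bit(x, i) for i in range(4))
    return ((x0 & x1) ^ x3) | (((x0 & x2 & x3) ^ (x1 & x2)) << 1) | ((x0 ^ x1 ^ x2) << 2)

# Hamsi S-box (slide 40), tabulated from its ANF; the inverse is a lookup as well.
SBOX = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]
SBOX_INV = [SBOX.index(y) for y in range(16)]
N, R = 12, 3                                       # toy state size and round count
PERM = [(i % 4) * 3 + i // 4 for i in range(N)]    # bit i moves to bit PERM[i]
PERM_INV = [PERM.index(j) for j in range(N)]
CONST = [0x0A5, 0x3C3, 0x5F0]                      # arbitrary round constants (assumption)

def sub_layer(x, box):
    return sum(box[(x >> (4 * k)) & 0xF] << (4 * k) for k in range(N // 4))

def lin_layer(x, perm):
    return sum(bit(x, i) << perm[i] for i in range(N))

def round_fn(x, i):                                # R_i = L o S, constant added before S
    return lin_layer(sub_layer(x ^ CONST[i], SBOX), PERM)

def round_inv(y, i):
    return sub_layer(lin_layer(y, PERM_INV), SBOX_INV) ^ CONST[i]

def P(x):
    for i in range(R):
        x = round_fn(x, i)
    return x

def zero_sum_partition(t):
    """Slides 18-19: G_t = R_1^-1 o ... o R_t^-1 and F_{r-t} = R_r o ... o R_{t+1}.
    With dim V > max(deg G_t, deg F_{r-t}), every X_a = {G_t(a + z) : z in V} is a
    zero-sum, and the X_a for a in W (a complement of V) partition F_2^n.
    Returns (dim V, number of zero-sums, all sums verified)."""
    def G(y):
        for i in reversed(range(t)):
            y = round_inv(y, i)
        return y
    def Fwd(x):
        for i in range(t, R):
            x = round_fn(x, i)
        return x
    k = max(degree(G, N, N), degree(Fwd, N, N)) + 1   # exact degrees from the ANF
    V = span([1 << i for i in range(k)])
    W = [a for a in range(1 << N) if a & ((1 << k) - 1) == 0]
    blocks = [[G(a ^ z) for z in V] for a in W]
    ok = all(reduce(xor, X) == 0 and reduce(xor, map(P, X)) == 0 for X in blocks)
    return k, len(blocks), ok

if __name__ == "__main__":
    print("deg F11 =", degree(F11, 4, 3))
    print("D_V F11 over F_2^4 (dim 4 > 3):", higher_order_derivative(F11, span([1, 2, 4, 8]), 0))
    print("D_V F11 over <e0,e2,e3> (dim 3):", higher_order_derivative(F11, span([1, 4, 8]), 0))
    for t in (1, 2):
        print("t =", t, "-> (dim V, #zero-sums, verified) =", zero_sum_partition(t))
```

The derivative over the 3-dimensional subspace spanned by x0, x2, x3 is non-zero (the monomial x0x2x3 of the second coordinate survives), which is why dim V must strictly exceed the degree. For the toy SPN the exact degrees are small enough that a few cosets of V already partition the whole 12-bit space into zero-sums, exactly the situation slide 21 scales up to Keccak-f.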

SLIDE 20

Exploiting the structure of the diffusion part

Round function R = L ∘ S. S is composed of several small S-boxes S_0 defined over F_2^{n_0}. B_i = {x ∈ F_2^n, supp(x) ⊂ word i}.

Let V be such that B = ⊕_{i ∈ I} B_i ⊂ V and B′ = ⊕_{j ∈ J} B_j ⊂ L(V), with dim B > deg G_t and dim B′ > deg F_{r−t}.

[Figure: the middle round R = L ∘ S, with G_t ∘ L^{-1} applied backwards after S^{-1} and F_{r−t} applied forwards after L; the cosets b + B (B ⊂ V), b + B′ and b′ + B′ are shown.]

18 / 43

SLIDE 21

Application to Keccak-f

We have shown, using a result of [Canteaut-Videau 02], that deg(R^{-7}) ≤ 1369.
- 18 rounds: many zero-sum partitions of size 2^{1370} for Keccak-f.
By exploiting the linear structure:
- 19 rounds: a zero-sum partition of size 2^{1458} for Keccak-f.
- 20 rounds: a zero-sum partition of size 2^{1595} for Keccak-f.

19 / 43

SLIDE 22

A bound on the degree of SPN-type iterated permutations

Substitution Permutation Networks

[Figure: three rounds, each a row of S-boxes followed by a linear layer.]

How to estimate the evolution of the degree of such constructions?

20 / 43

SLIDE 26

deg S = 3

[Figure: a 4-bit S-box with inputs x0, x1, x2, x3 and outputs y0, y1, y2, y3.]

Question: if S is a permutation, find δ_k, the maximum degree of the product of k coordinates of S.

k   δ_k
1   3
2   3
3   3
4   4

For a permutation F of F_2^n: δ_k = n iff k = n.

21 / 43

SLIDE 27

The new bound [FSE 11]

Theorem. Let F be a function from F_2^n into F_2^n corresponding to the parallel application of an S-box S defined over F_2^{n_0}. Then, for any G from F_2^n into F_2^ℓ, we have

deg(G ∘ F) ≤ n − (n − deg G)/γ,  where γ = max_{1 ≤ i ≤ n_0 − 1} (n_0 − i)/(n_0 − δ_i).

22 / 43

SLIDE 28

[Figure: four S-boxes S1, S2, S3, S4 in parallel.]

Find the maximal degree of the product π of d outputs. x_i = number of S-boxes for which exactly i coordinates are involved in π.

Example (d = 13):
- x4 = 1, x3 = 3: deg(π) ≤ δ_3 x3 + δ_4 x4 = 3·3 + 4·1 = 13.
- x4 = 2, x3 = 1, x2 = 1: deg(π) ≤ δ_2 x2 + δ_3 x3 + δ_4 x4 = 3·1 + 3·1 + 4·2 = 14.
- x4 = 3, x1 = 1: deg(π) ≤ δ_1 x1 + δ_4 x4 = 3·1 + 4·3 = 15.

In general,

deg(π) ≤ max_{(x1, x2, x3, x4)} (δ_1 x1 + δ_2 x2 + δ_3 x3 + δ_4 x4),  with x1 + 2x2 + 3x3 + 4x4 = d.

23 / 43

SLIDE 33

Maximal degree of a product π of d outputs (four S-boxes, n = 16, δ_1 = δ_2 = δ_3 = 3, δ_4 = 4):

d    x4   x3   x2   x1   deg(π)
16   4    -    -    -    16
15   3    1    -    -    15
14   3    -    1    -    15
13   3    -    -    1    15
12   2    1    -    1    14
11   2    -    1    1    14
10   2    -    -    2    14
 9   1    1    -    2    13
...

Hence 16 − deg(π) ≥ (16 − d)/3, i.e. deg(π) ≤ 16 − (16 − d)/3.

24 / 43

SLIDE 35

Application to Keccak-f

deg(F ∘ R) ≤ 1600 − (1600 − deg F)/3,  deg(F ∘ R^{-1}) ≤ 1600 − (1600 − deg F)/2.

Zero-sum partitions of size 2^{1575} for 24 rounds of Keccak-f.

Upper bounds on the degree after r rounds:

r    deg(R^r)   deg(R^{-r})
1    2          3
2    4          9
3    8          27
4    16         81
5    32         243
6    64         729
7    128        1164
8    256        1382
9    512        1491
10   1024       1545
11   1408       1572
12   1536       1586
13   1578       1593
14   1592       1596
15   1597       1598
16   1599       1599

25 / 43

SLIDE 36

A bound implying the degree of the inverse permutation

Influence of the inverse [IEEE Trans. IT 12]

Observation of [Duan-Lai 11] for Keccak-f: when multiplying two coordinates of χ^{-1} the degree is at most 3: δ_2(χ^{-1}) = 3.

Theorem. Let F be a permutation on F_2^n. Then, for any k and ℓ, δ_ℓ(F) < n − k if and only if δ_k(F^{-1}) < n − ℓ.

Case of Keccak: for F = χ^{-1}, k = 1 and ℓ = 2, δ_2(χ^{-1}) < 5 − 1 iff deg(χ) < 5 − 2.

26 / 43
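The degree bound of slide 27, its iteration on Keccak-f (slide 35) and the inverse-degree theorem of slide 36, as an added example that is not the thesis' own code. The Keccak S-box χ is defined here from its specification (b_i = a_i + (a_{i+1} + 1) a_{i+2} on 5 bits); δ_k is computed from the ANF of products of its coordinates, γ follows from the theorem, and the recurrence deg(F ∘ R) ≤ n − (n − deg F)/γ, combined with the trivial bound deg F · deg R and the cap n − 1 for a permutation, reproduces the table of slide 35. The function names are assumptions made here.

```python
# Added example (not from the thesis): the degree bound of slide 27 and the
# inverse-degree theorem of slide 36, instantiated on the Keccak S-box chi.
# chi is Keccak's (b_i = a_i + (a_{i+1} + 1) a_{i+2} over 5 bits); the helper
# code around it is written here for illustration.
from fractions import Fraction
from itertools import combinations
import math

N0 = 5

def chi(a):
    """Keccak chi on a 5-bit row (bit i of a is a_i)."""
    b = 0
    for i in range(N0):
        ai = (a >> i) & 1
        ai1 = (a >> ((i + 1) % N0)) & 1
        ai2 = (a >> ((i + 2) % N0)) & 1
        b |= (ai ^ ((ai1 ^ 1) & ai2)) << i
    return b

CHI = [chi(a) for a in range(1 << N0)]
CHI_INV = [CHI.index(b) for b in range(1 << N0)]

def bool_degree(tt):
    """Degree of a Boolean function from its truth table, via the ANF coefficient
    a_u = XOR of tt[x] over all x covered by the monomial mask u."""
    n = len(tt).bit_length() - 1
    return max((bin(u).count("1") for u in range(1 << n)
                if sum(tt[x] for x in range(1 << n) if x & u == x) % 2), default=0)

def deltas(sbox, n0):
    """delta_k: maximum degree of a product of k coordinates of the S-box (slide 26)."""
    coords = [[(sbox[x] >> i) & 1 for x in range(1 << n0)] for i in range(n0)]
    out = {}
    for k in range(1, n0 + 1):
        out[k] = max(bool_degree([all(coords[i][x] for i in sub) for x in range(1 << n0)])
                     for sub in combinations(range(n0), k))
    return out

def gamma(delta, n0):
    """gamma = max over 1 <= i <= n0-1 of (n0 - i) / (n0 - delta_i) (slide 27)."""
    return max(Fraction(n0 - i, n0 - delta[i]) for i in range(1, n0))

def degree_bounds(n, deg_s, gam, rounds):
    """Iterate deg(F o R) <= n - (n - deg F)/gamma together with the trivial bound
    deg(F o R) <= deg F * deg S and the cap n - 1 for a permutation of F_2^n."""
    bounds, d = [], 1
    for _ in range(rounds):
        d = min(d * deg_s, n - math.ceil(Fraction(n - d) / gam), n - 1)
        bounds.append(d)
    return bounds

def inverse_theorem_holds(sbox, sbox_inv, n0):
    """Slide 36: delta_l(F) < n - k  iff  delta_k(F^-1) < n - l, for all k, l."""
    df, di = deltas(sbox, n0), deltas(sbox_inv, n0)
    return all((df[l] < n0 - k) == (di[k] < n0 - l)
               for k in range(1, n0) for l in range(1, n0))

if __name__ == "__main__":
    d_chi, d_inv = deltas(CHI, N0), deltas(CHI_INV, N0)
    print("delta_k(chi)     =", d_chi, " gamma =", gamma(d_chi, N0))
    print("delta_k(chi^-1)  =", d_inv, " gamma =", gamma(d_inv, N0))
    fwd = degree_bounds(1600, d_chi[1], gamma(d_chi, N0), 16)
    bwd = degree_bounds(1600, d_inv[1], gamma(d_inv, N0), 16)
    for r, (a, b) in enumerate(zip(fwd, bwd), 1):
        print(f"{r:2d}  deg(R^r) <= {a:4d}   deg(R^-r) <= {b:4d}")
    print("inverse theorem holds on chi:", inverse_theorem_holds(CHI, CHI_INV, N0))
```

The product of two non-adjacent coordinates of χ has degree 4, which is what pushes γ to 3 in the forward direction; for χ^{-1} the Duan-Lai observation δ_2 = 3 keeps γ at 2, so the inverse rounds lose degree faster per round, and this is why the backward rounds dominate the size of the Keccak-f zero-sum partitions.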

SLIDE 37

A new bound on the degree

Corollary. Let F be a permutation of F_2^n and let G be a function from F_2^n into F_2^m. Then,

deg(G ∘ F) < n − (n − 1 − deg G)/deg(F^{-1}).

Improvement of the bound for the SPN constructions.

27 / 43

SLIDE 39

Other applications

[Figure: one round of a variant of the KN cipher, with the S, T and E boxes and the round key k_i, mapping (x_{i−1}, y_{i−1}) to (x_i, y_i).]

Improvement of the known bounds on the degree for:
- Block ciphers: Rijndael-256, AES, LBlock, Piccolo
- Hash functions: Hamsi, Luffa, JH, ECHO, Grøstl, Photon

28 / 43

SLIDE 40

The notion of (v, w)-linearity

A different algebraic property

ANF of the Hamsi S-box:
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.

- If we fix all-but-one variables to a constant value, then all the coordinates of the S-box are affine with respect to the remaining input variable.
- If we fix two (well-chosen) variables to a constant value, then two coordinates of the S-box are affine with respect to the input variables.
- If we fix one (well-chosen) variable to a constant value, then one coordinate of the S-box is affine with respect to the input variables.

29 / 43

SLIDE 44

The notion of (v, w)-linearity

Study of the propagation of affine relations through an S-box.

Definition. Let S be a function from F_2^n into F_2^m. Then S is (v, w)-linear if there exist two linear subspaces V ⊂ F_2^n and W ⊂ F_2^m with dim V = v and dim W = w such that, for all λ ∈ W, S_λ : x → λ · S(x) has degree at most 1 on all cosets of V.

30 / 43

SLIDE 45

Link with the Maiorana-McFarland construction

Proposition. S is (v, w)-linear w.r.t. (V, W) if and only if its components S_λ, λ ∈ W, can be written as

S_W : U ⊕ V → F_2^w, (u, v) → M(u) v + G(u),

where U is a complement of V and M(u) is a w × v binary matrix. Equivalently, all second-order derivatives D_α D_β S_W, with α, β ∈ V, vanish.

31 / 43

SLIDE 46

General properties

Proposition. If S is (v, w)-linear w.r.t. (V, W), then all its components S_λ, λ ∈ W, have degree at most n + 1 − v, and the linearity of S satisfies L(S) ≥ 2^v. Equivalence holds for v = n − 1 and w = 1.

32 / 43

SLIDE 47

Analysis of 4-bit optimal S-boxes [Leander-Poschmann 07]

Number of V such that S is (v, w)-linear w.r.t. (V, W) for some W (empty cells of the original table are shown as -):

S-box   Q   (2,1)  (2,2)  (2,3)  (2,4)  (3,1)  (3,2)  (3,3)  (3,4)
G0      3   35     19     5      -      7      1      -      -
G1      3   35     23     3      -      7      1      -      -
G2      3   35     23     3      -      7      1      -      -
G3      -   35     5      -      -      -      -      -      -
G4      -   35     5      -      -      -      -      -      -
G5      -   35     5      -      -      -      -      -      -
G6      -   35     5      -      -      -      -      -      -
G7      -   35     5      -      -      -      -      -      -
G8      3   35     19     5      -      7      1      -      -
G9      1   35     13     -      -      3      -      -      -
G10     1   35     13     -      -      3      -      -      -
G11     -   35     5      -      -      -      -      -      -
G12     -   35     5      -      -      -      -      -      -
G13     -   35     5      -      -      -      -      -      -
G14     1   35     13     -      -      3      -      -      -
G15     1   35     11     1      -      3      -      -      -

33 / 43

SLIDE 48

Second-preimage attack on Hamsi-256 [Fuhr 10]

Compression function of Hamsi [Küçük 08]: 3 SPN rounds based on a 4-bit S-box. Idea of the attack: find affine relations between some input bits and some output bits of the compression function when the other input bits are fixed to a well-chosen value.
→ Preimages for the compression function.
→ Second preimages for the hash function.

34 / 43

SLIDE 49

Finding affine relations

Choose the variables to go linearly through the first round. For the second and the third round:
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.

y0 is of degree at most 1 if x0x2 is of degree at most 1. y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.

In terms of (v, w)-linearity: y0 is (3, 1)-linear for three hyperplanes; y3 is (2, 1)-linear for three 2-dimensional subspaces V.

35 / 43

SLIDE 52

Automatic search for affine relations

There are 23 subspaces V with dim V = 2 for which the S-box of Hamsi is (2, 2)-linear, and 3 subspaces V with dim V = 2 for which it is (2, 3)-linear. Exploit this to propagate more relations through the second and the third round.

Results:
- N_var = 9: 13 affine relations (two more than in [Fuhr 10])
- N_var = 10: 11 affine relations (two more than in [Fuhr 10])

Replace the Hamsi S-box by some other well-chosen S-box: the attack does not work anymore.

36 / 43
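The (v, w)-linearity test of slides 44 and 45 and the subspace search behind slides 49 to 52, as an added example that is not the thesis' own search code. The Hamsi S-box is evaluated from its ANF on slide 40, every 2- and 3-dimensional subspace V of F_2^4 is enumerated, and for each V the set of λ for which S_λ = λ · S is affine on all cosets of V is found through the second-order derivative criterion of slide 45 (that set is a linear subspace, so its dimension is the largest w for which S is (v, w)-linear w.r.t. V). Function names are assumptions made here.

```python
# Added example (not from the thesis): the (v,w)-linearity test of slides 44-45
# and the subspace search of slides 49-52, run on the Hamsi S-box, which is taken
# from its ANF on slide 40. The enumeration code is written for this illustration
# and uses the second-order derivative criterion of slide 45.
from itertools import combinations

N = 4

def bit(x, i):
    return (x >> i) & 1

def hamsi_sbox(x):
    """ANF of the Hamsi S-box as printed on slide 40."""
    x0, x1, x2, x3 = (bit(x, i) for i in range(N))
    y0 = (x0 & x2) ^ x1 ^ x2 ^ x3
    y1 = ((x0 & x1 & x2) ^ (x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x0 & x3)
          ^ (x2 & x3) ^ x0 ^ x1 ^ x2)
    y2 = ((x0 & x1 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2) ^ (x1 & x3) ^ (x2 & x3)
          ^ x0 ^ x1 ^ x3)
    y3 = (x0 & x1 & x2) ^ (x1 & x3) ^ x0 ^ x1 ^ x2 ^ 1
    return y0 | (y1 << 1) | (y2 << 2) | (y3 << 3)

SBOX = [hamsi_sbox(x) for x in range(1 << N)]

def dot(lam, y):
    """Scalar product over F_2."""
    return bin(lam & y).count("1") & 1

def span(basis):
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return frozenset(vecs)

def subspaces(dim):
    """All linear subspaces of F_2^N of the given dimension (as frozensets)."""
    found = set()
    for basis in combinations(range(1, 1 << N), dim):
        V = span(basis)
        if len(V) == 1 << dim:
            found.add(V)
    return found

def affine_on_cosets(sbox, lam, V):
    """Is S_lambda = lambda . S of degree <= 1 on every coset of V?  By the proposition
    of slide 45 this is the vanishing of D_a D_b S_lambda for all a, b in V."""
    return all(dot(lam, sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b]) == 0
               for a in V for b in V for x in range(1 << N))

def W_of(sbox, V):
    """All lambda for which S_lambda is affine on the cosets of V (a linear subspace)."""
    return [lam for lam in range(1 << N) if affine_on_cosets(sbox, lam, V)]

def count_vw_linear(sbox, v, w):
    """Number of V with dim V = v such that S is (v,w)-linear w.r.t. (V, W) for some W,
    i.e. dim{lambda : S_lambda affine on cosets of V} >= w (the counts of slide 47)."""
    return sum(1 for V in subspaces(v) if len(W_of(sbox, V)).bit_length() - 1 >= w)

def count_component(sbox, lam, v):
    """Number of V with dim V = v on whose cosets the single component lambda . S is
    affine (slide 49: y0 for three hyperplanes, y3 for three 2-dimensional V)."""
    return sum(1 for V in subspaces(v) if affine_on_cosets(sbox, lam, V))

if __name__ == "__main__":
    print("S-box:", SBOX)
    for v in (2, 3):
        print(f"v = {v}:", {w: count_vw_linear(SBOX, v, w) for w in range(1, 5)})
    print("y0 affine on cosets of", count_component(SBOX, 1, 3), "hyperplanes")
    print("y3 affine on cosets of", count_component(SBOX, 8, 2), "2-dim subspaces")
```

Every 2-dimensional V gives at least one non-zero λ for a cubic S-box (the second derivative is affine with V in its kernel, so its image lies in a hyperplane), which is why the (2,1) column of slide 47 reads 35 for every class; the (2,2) and (2,3) counts printed for v = 2 are the ones slide 52 exploits to propagate relations through the second and third rounds.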


SLIDE 54

Side-channel analysis of some SHA-3 candidates

Statistical Power Analysis

Attacks against a physical implementation of the primitive. Side-channel attacks: observe physical leakages while the algorithm is running on some platform (time, power consumption, electromagnetic radiation, ...).

Statistical power analysis:
- Keep power traces for many computations.
- Partition the traces using a (partial) key hypothesis.
- Detect the correct key by using statistical methods.

Hash functions used in MACs are concerned by these attacks.

38 / 43

SLIDE 55

Countermeasures for Grøstl [Gauravaram et al.]

- Protect the initial XOR between h and m.
- Protect the rest of the computation in the same way as for AES: generate a Boolean mask R of 512 bits; mask the S-boxes, i.e. generate once u, v ∈ F_2^8 and compute S′(x + u) = S(x) + v for every x ∈ F_2^8.

39 / 43

SLIDE 56

CPA on HMAC-Grøstl

[Figure: CPA results on the non-protected algorithm and after the application of the countermeasures.]

40 / 43

SLIDE 57

Countermeasures for Skein [Ferguson et al.]

- Protect the modular addition between the message and the key.
- Use Goubin's algorithm for converting Boolean masks to arithmetic masks and vice versa.
- Minimize the number of arithmetic-to-Boolean transformations.

41 / 43
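The two countermeasures of slides 55 and 57 in simulation, as an added example that is not the implementations compared in the thesis: the masked S-box S′(x + u) = S(x) + v built on the AES S-box that Grøstl uses (generated here from its definition), and Goubin's Boolean-to-arithmetic mask conversion (CHES 2001) used for a Skein-style key addition on a Boolean-masked 64-bit message word. The word size, the sample values and the function names are assumptions made for illustration; the arithmetic-to-Boolean direction is not shown.

```python
# Added example (not from the thesis): the two countermeasures of slides 55 and 57
# in simulation. S-box masking follows the slide (S'(x + u) = S(x) + v) on the AES
# S-box, which Grøstl uses, generated here from its definition; the conversion from
# a Boolean mask to an arithmetic mask is Goubin's algorithm (CHES 2001). Word size
# and sample values are assumptions for illustration.
import secrets

def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def aes_sbox():
    """AES S-box: inversion in GF(2^8) (0 -> 0) followed by the fixed affine map."""
    def inv(x):
        r = 1
        for _ in range(254):          # x^254 = x^-1 in GF(2^8)
            r = gf_mul(r, x)
        return r
    table = []
    for x in range(256):
        b = inv(x)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        table.append(s ^ 0x63)
    return table

SBOX = aes_sbox()

def masked_sbox(sbox, u, v):
    """Slide 55: the table S' with S'(x + u) = S(x) + v for every x, so that a byte
    carrying input mask u is mapped to S(x) carrying output mask v."""
    t = [0] * 256
    for x in range(256):
        t[x ^ u] = sbox[x] ^ v
    return t

def masked_sub_bytes(state_masked, u, v):
    """Apply S' to a state whose bytes all carry mask u; the outputs carry mask v.
    The unmasked values x and S(x) never appear in the computation."""
    sp = masked_sbox(SBOX, u, v)
    return [sp[b] for b in state_masked]

MASK64 = (1 << 64) - 1

def goubin_b2a(xp, r, gamma):
    """Goubin's Boolean-to-arithmetic conversion: from x' = x ^ r and r, return A with
    x = A + r mod 2^64, without ever computing x. gamma is a fresh random word."""
    t = xp ^ gamma
    t = (t - gamma) & MASK64
    t ^= xp
    gamma ^= r
    a = xp ^ gamma
    a = (a - gamma) & MASK64
    return a ^ t                      # equals (x' ^ r) - r = x - r

def masked_add(xp, r, k):
    """Slide 57: key addition on a Boolean-masked message word. Convert to the
    arithmetic masking, add the key; the result (x + k) - r is still masked by r."""
    a = goubin_b2a(xp, r, secrets.randbits(64))
    return (a + k) & MASK64

if __name__ == "__main__":
    u, v = secrets.randbits(8), secrets.randbits(8)
    x = [0x00, 0x53, 0xFF]
    out = masked_sub_bytes([b ^ u for b in x], u, v)
    print("masked outputs:", [hex(b) for b in out], " unmasked:", [hex(b ^ v) for b in out])
    r, msg, key = secrets.randbits(64), secrets.randbits(64), secrets.randbits(64)
    s = masked_add(msg ^ r, r, key)
    print("masked sum ok:", (s + r) & MASK64 == (msg + key) & MASK64)
```

The conversion works because Φ(a, b) = (a ⊕ b) − b is affine in b over F_2, so Φ(x', Γ ⊕ r) ⊕ Φ(x', Γ) ⊕ x' collapses to Φ(x', r) = x − r with x never materialised; the cost of the conversions in each direction is what the +100% timing for HMAC-Skein on slide 58 reflects.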

SLIDE 58

Comparison of the two candidates [TrustED 12]

32-bit ARM-based smart card running at 8 MHz.

Algorithm      Timing at 8 MHz: reference code   secured code      Extra RAM    Extra code
HMAC-Grøstl    453 ms                            486 ms (+7.2%)    +325 bytes   +688 bytes
HMAC-Skein     77.7 ms                           155 ms (+100%)    +32 bytes    +3484 bytes

42 / 43

SLIDE 59

Related open questions

- Are there any other algebraic biases that can be exploited?
- Does the role of the inverse permutation have any other consequences on the overall construction, apart from its influence on the degree?
- Study the notion of (v, w)-linearity for other primitives. Applications to block ciphers?
- Try to exploit some of the algebraic biases studied for certain lightweight block ciphers.

43 / 43