[PPT] - Cryptographic Sboxes Anne Canteaut Anne.Canteaut@inria.fr PowerPoint Presentation

SLIDE 1

Cryptographic Sboxes

Anne Canteaut Anne.Canteaut@inria.fr http://www-rocq.inria.fr/secret/Anne.Canteaut/ Summer School, Sardegna, October 2015

SLIDE 2

Vectorial Boolean functions A vectorial Boolean function with n inputs and m outputs is a function from Fn

2 into Fm 2 :

S : Fn

2

− → Fm

2

(x1, . . . , xn) − → (y1, . . . , ym)

Example. x 1 2 3 4 5 6 7 8 9 a b c d e f S(x) f e b c 6 d 7 8 3 9 a 4 2 1 5 S1(x) 1 1 1 1 1 1 1 1 S2(x) 1 1 1 1 1 1 1 1 S3(x) 1 1 1 1 1 1 1 1 S4(x) 1 1 1 1 1 1 1 1

1

SLIDE 3

Round function in a substitution-permutation network

S S S S S S S S S S

linear diffusion

❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄ ❄

x(i)

❄ ❄ ✖✕ ✗✔

+

ki

❄ ✲

x(i+1)

2

SLIDE 4

Outline

Algebraic degree
Differential uniformity
Nonlinearity
Finding good Sboxes

3

SLIDE 5

Algebraic degree x 1 2 3 4 5 6 7 8 9 a b c d e f S1(x) 1 1 1 1 1 1 1 1 S2(x) 1 1 1 1 1 1 1 1 S3(x) 1 1 1 1 1 1 1 1 S4(x) 1 1 1 1 1 1 1 1 S1 = 1 + x1 + x3 + x2x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4 S2 = 1 + x1x2 + x1x3 + x1x2x3 + x4 + x1x4 + x1x2x4 + x1x3x4 S3 = 1 + x2 + x1x2 + x2x3 + x4 + x2x4 + x1x2x4 + x3x4 + x1x3x4 S4 = 1 + x3 + x1x3 + x4 + x2x4 + x3x4 + x1x3x4 + x2x3x4

4

SLIDE 6

Algebraic normal form (ANF) Monomials in F2[x1, . . . , xn]/(x2

1 + x1, . . . , x2 n + xn):

xu,

u ∈ Fn

2

where xu =

n

i=1

xui

i .

Example: x1011 = x1

1x0 2x1 3x1 4 = x1x3x4.

Proposition. Any Boolean function of n variables has a unique polynomial representation in F2[x1, . . . , xn]/(x2

1 + x1, . . . , x2 n + xn):

f(x1, . . . , xn) =

u∈Fn

2

auxu, au ∈ F2.

Moreover, the coefficients of the ANF and the values of f satisfy:

au =

xu

f(x) and f(u) =

xu

ax,

where x y if and only if xi ≤ yi for all 1 ≤ i ≤ n.

5

SLIDE 7

Example

x1

1 1 1 1

x2

1 1 1 1

x3

1 1 1 1

f(x1, x2, x3)

1 1 1 1

a000 = f(000) = 0 a100 = f(100) ⊕ f(000) = 1 a010 = f(010) ⊕ f(000) = 0 a110 = f(110) ⊕ f(010) ⊕ f(100) ⊕ f(000) = 1 a001 = f(001) ⊕ f(000) = 0 a101 = f(101) ⊕ f(001) ⊕ f(100) ⊕ f(000) = 0 a011 = f(011) ⊕ f(001) ⊕ f(010) ⊕ f(000) = 1 a111 =

x∈F3

2 f(x) = wt(f) mod 2 = 0

f = x1 + x1x2 + x2x3.

6

SLIDE 8

Degree of an Sbox Definition. The degree of a Boolean function is the degree of the largest monomial in its algebraic normal form. The degree of a vectorial function S with n inputs and m outputs is the maximal degree of its coordinates. Proposition. If S is a permutation of Fn

2 , then deg S ≤ n − 1.

7

SLIDE 9

Identifying Fn

2 with a finite field

Fn

2 is identified with the finite field with 2n elements.

F2n = {0} ∪ {αi, 0 ≤ i ≤ 2n − 2}

where α is a root of a primitive polynomial of degree n.

⇒ for any i, αi =

n−1

j=0

λjαj

Example for n = 4: primitive polynomial: 1 + x + x4, α a root of this polynomial.

F24

1 α α2 α3 α4 α5 α6 α7

1 α α2 α3 α + 1 α2 + α α3 + α2 α3 + α + 1

F4

2 0000 0001 0010 0100 1000 0011 0110 1100 1011 α8 α9 α10 α11 α12 α13 α14

α2 + 1 α3 + α α2 + α + 1 α3 + α2 + α α3 + α2 + α + 1 α3 + α2 + 1 α3 + 1

0101 1010 0111 1110 1111 1101 1001

8

SLIDE 10

The univariate representation of Sboxes Any vectorial function with n inputs and n outputs can be seen as

S : F2n − → F2n

Then,

S(X) =

2n−1

i=0

ciXi , ci ∈ F2n.

Example: x 1 2 3 4 5 6 7 8 9 a b c d e f S(x) f e b c 6 d 7 8 3 9 a 4 2 1 5

S(X) = α12 + α2X + α13X2 + α6X3 + α10X4 + αX5 + α10X6 + α2X7 +α9X8 + α4X9 + α7X10 + α7X11 + α5X12 + X13 + α6X14

Remark. The (multivariate) degree of Xi is exactly the number of

nes in the binary expansion of i.

9

SLIDE 11

Resistance to differential attacks

10

SLIDE 12

Difference table of an Sbox

a \ b

1 2 3 4 5 6 7 8 9 a b c d e f 1 2 4 2 2 2 2 2 2 2 2 2 4 2 4 3 2 4 2 6 2 4 2 2 4 2 2 2 2 5 4 2 2 2 4 2 6 4 4 4 4 7 2 2 2 2 2 2 2 2 8 4 4 4 4 9 2 2 2 2 4 2 2 a 2 2 2 2 2 2 2 2 b 2 4 2 2 6 c 2 2 2 2 2 2 4 d 2 2 2 8 2 e 4 4 4 4 f 4 4 2 2 2 2

δS(a, b) = #{X ∈ Fn

2,

S(X ⊕ a) ⊕ S(X) = b}

11

SLIDE 13

Resistance to differential attacks [Nyberg Knudsen 92],[Nyberg 93] Criterion on the Sbox. All entries in the difference table of S should be small.

δ(S) = max

a,b=0 #{X ∈ Fn 2,

S(X ⊕ a) ⊕ S(X) = b}

must be as small as possible.

δ(S) is called the differential uniformity of S (always even).

Theorem. For any Sbox S with n inputs and n outputs,

δ(S) ≥ 2 .

The functions achieving this bound are called almost perfect nonlinear functions (APN).

12

SLIDE 14

For SPN using S Expected probability of a 2-round characteristic

≤

δ(S)

2n

d where d is the branch number of the linear layer. Expected probability of a 2-round differential [Daemen Rijmen 02]

MEDP2 ≤

δ(S)

2n

d−1 E.g., for the 4-round AES,

MEDP4 ≤

2−616

Refinements involving the whole difference table [Park et al. 03] [C. Roué 15].

13

SLIDE 15

Resistance to linear attacks

14

SLIDE 16

Linear approximations of an Sbox

a \ b

1 2 3 4 5 6 7 8 9 a b c d e f 1

4

. 4 .

4

8

4

4 8 4 .

4

. 4 . 2 4

4

.

4

. . 4 4 8 . 4 8

4
4

. 3 8 4 4

4

4 . . . . 4

4
4
4

. 8 4 .

4

4 4

4

. .

8

. 4 4 4 4 . 8 5

4

4 . 4 8 . 4

4

8 .

4

. 4

4

. 6

4

. 4 . 4 8 4 4

8

4 . 4 .

4

. 7 . . . 8 .

8

. . . . 8 . 8 . . 8 .

4

4

8

. 4 4

8

.

4
4

. . 4

4

9

4
12

. . 4

4

. 4 . .

4
4

. . 4 a

4

.

12
4

. 4 .

4

. 4 . .

4

. 4 b . . . 4

4

4

4

. .

8
8

4

4
4

4 c . . .

4
4
4
4

. . 8

8

4 4

4
4

d

4

. 4 4 .

4

.

4

. 4 . .

12

.

4

e 4

4

. . 4 4

8
4

. . 4

4

.

8
4

f

8

4 4

8

.

4
4

. .

4

4 . .

4

4

Pr[a · x + b · S(x) = 0] = 1 2

1 + W[a, b]

2n

For instance, for a = 0x9 and b = 0x2, we have p = 1

2(1 − 12 16) = 1 8.

15

SLIDE 17

Walsh transform of an Sbox Walsh transform of a Boolean function f of n variables

Fn

2

− →

Z

a − → Wf(a) =

x∈Fn

2 (−1)f(x)+a·x

Walsh transform of an Sbox S:

Fn

2 × Fm 2

− →

Z

(a, b) − → WS(a, b) =

x∈Fn

2 (−1)b·S(x)+a·x = Wb·S(a)

16

SLIDE 18

Linearity of an Sbox Criterion on the Sbox. All linear approximations of S should have a small bias, i.e.,

L(S) = max

a∈Fn

2 , b∈Fn 2 ,b=0 |WS(a, b)|

must be as small as possible. Parseval’s equality: for any output mask b,

a∈Fn

2

W2

S(a, b) = 22n .

17

SLIDE 19

For SPN using S Expected square correlation of a 2-round linear trail

≤

L(S)

2n

2d′ where d′ is the linear branch number of the linear layer. Expected square correlation of a 2-round linear mask [Daemen Rijmen 02]

MELP2 ≤

L(S)

2n

2(d′−1) Refinements involving the whole square correlation table [Park et al. 03] [C. Roué 15].

18

SLIDE 20

Link between the difference and square correlation tables

Theorem. [Chabaud Vaudenay 94][Blondeau Nyberg 13]

There is a one-to-one correspondence between the difference table

δ(a, b), a ∈ Fn

2, b ∈ Fn 2

and the square correlation table

W2(a, b), a, b ∈ Fn

2, b ∈ Fn 2

W2(u, v) =

a,b∈Fn

2

(−1)a·u+b·vδ(a, b) δ(a, b) = 2−2n

u,v∈Fn

2

(−1)a·u+b·vW2(u, v)

There is a one-to-one correspondence between the Sbox and the correlation table. But several Sboxes may have the same square correlation table.

19

SLIDE 21

Finding good Sboxes w.r.t. the previous criteria

20

SLIDE 22

Equivalence between Sboxes Affine equivalence

S2 = A2 ◦ S1 ◦ A1

where A1 and A2 are two affine permutations of Fn

2 .

CCZ equivalence [Carlet Charpin Zinoviev 98]

(x′, S2(x′)) = A (x, S1(x))

where A is an affine permutation of F2n

2 .

21

SLIDE 23

Permutations of F4

2

δ(S) ≥ 4 and L(S) ≥ 8 16 classes of optimal Sboxes [Leander-Poschmann 07] 8 of them have all x → b · S(x) of degree 3.

1 2 3 4 5 6 7 8 9 a b c d e f

G0

1 2 13 4 7 15 6 8 11 12 9 3 14 10 5

G1

1 2 13 4 7 15 6 8 11 14 3 5 9 10 12

G2

1 2 13 4 7 15 6 8 11 14 3 10 12 5 9

G3

1 2 13 4 7 15 6 8 12 5 3 10 14 11 9

G4

1 2 13 4 7 15 6 8 12 9 11 10 14 5 3

G5

1 2 13 4 7 15 6 8 12 11 9 10 14 3 5

G6

1 2 13 4 7 15 6 8 12 11 9 10 14 5 3

G7

1 2 13 4 7 15 6 8 12 14 11 10 9 3 5

G8

1 2 13 4 7 15 6 8 14 9 5 10 11 3 12

G9

1 2 13 4 7 15 6 8 14 11 3 5 9 10 12

G10

1 2 13 4 7 15 6 8 14 11 5 10 9 3 12

G11

1 2 13 4 7 15 6 8 14 11 10 5 9 12 3

G12

1 2 13 4 7 15 6 8 14 11 10 9 3 12 5

G13

1 2 13 4 7 15 6 8 14 12 9 5 11 10 3

G14

1 2 13 4 7 15 6 8 14 12 11 3 9 5 10

G15

1 2 13 4 7 15 6 8 14 12 11 9 3 10 5 22

SLIDE 24

Permutations of Fn

2 , n odd

Theorem. [Chabaud Vaudenay 94]

For any function S with n inputs and n ouputs,

L(S) ≥ 2

n+1 2

with equality for odd n only. The functions achieving this bound are called almost bent functions.

Any AB function is APN.

L(S) = 2

n+1 2

= ⇒ δ(S) = 2

The converse holds for some cases only, for instance for APN

Sboxes of degree 2 [Carlet Charpin Zinoviev 98]

23

SLIDE 25

Known AB permutations of Fn

2 , n odd

Monomial permutations S(x) = xs over F2n, n = 2t + 1. quadratic

2i + 1 with gcd(i, n) = 1,

[Gold 68],[Nyberg 93]

1 ≤ i ≤ t

Kasami

22i − 2i + 1 with gcd(i, n) = 1

[Kasami 71]

2 ≤ i ≤ t

Welch

2t + 3

[Dobbertin 98] [C.-Charpin-Dobbertin 00] Niho

2t + 2

t 2 − 1 if t is even

[Dobbertin 98]

2t + 2

3t+1 2

− 1 if t is odd

[Xiang-Hollmann 01] Non-monomial permutations.[Budaghyan-Carlet-Leander08] For n odd, divisible by 3 and not by 9.

S(x) = x2i+1 + ux2jn

3 +2(3−j)n 3 +i

with gcd(i, n) = 1 and j = in

3 mod 3

24

SLIDE 26

Permutations of Fn

2 , n even

There exist Sboxes with

L(S) = 2

n+2 2

but we do not known if this value is minimal. APN power functions over Fn

2 , n even, are not permutations.

Do there exist APN permutations for n even?

25

SLIDE 27

Known APN permutations of Fn

2 , n even

For n = 6.

δ(S) ≥ 2 and L(S) ≥ 12

S= {0, 54, 48, 13, 15, 18, 53, 35, 25, 63, 45, 52, 3, 20, 41, 33, 59, 36, 2, 34, 10, 8, 57, 37, 60, 19, 42, 14, 50, 26, 58, 24, 39, 27, 21, 17, 16, 29, 1, 62, 47, 40, 51, 56, 7, 43, 44, 38, 31, 11, 4, 28, 61, 46, 5, 49, 9, 6, 23, 32, 30, 12, 55, 22}; satisfies

δ(S) = 2 , deg S = 4 and L(S) = 16 [Dillon 09]

The corresponding univariate polynomial over F26 contains 52 nonzero monomials (out of 56 possible monomials of degree at most 4). This is the only known APN permutation with an even number of variables.

26

SLIDE 28

Good permutations of Fn

2, n even

Usually, we search for permutations S with

δ(S) = 4 and L(S) = 2

n+2 2

.

Monomial permutations S(x) = xs over F2n.

2i + 1, gcd(i, n) = 2 n ≡ 2 mod 4

[Gold 68]

22i − 2i + 1, gcd(i, n) = 2 n ≡ 2 mod 4

[Kasami 71]

2n − 2

[Lachaud-Wolfmann 90] The last one is affine equivalent to the AES Sbox.

27

SLIDE 29

Which element in the equivalence class? Algebraic-like attacks. avoid a representation by a very sparse univariate polynomial. Differential and linear attacks. Equivalent Sboxes have the same δ(S) and L(S). But the corresponding ciphers may not have the same resistance to differential and linear attacks.

AES Sbox S(x) = A(x254):

MEDP2 = 53 × 2−34 and MELP2 = 1.638 × 2−28 [Keliher-Sui 07]

Naive Sbox S(x) = x254:

MEDP2 = 79 × 2−34 and MELP2 = 2.873 × 2−28

Proposition. [C. Roué 15]

Involutional power permutations are the functions which provide the highest MEDP2 and MELP2 in their equivalence class, whatever

F2n-linear layer with optimal branch number is chosen.

28

SLIDE 30

SPN with 4 Sboxes S(x) = A(x254) over F28 For any F28-linear M with branch number 5:

For the naive Sbox, i.e. A = Id

MEDP2 = 79 × 2−34 and MELP2 = 2.873 × 2−28

For the affine function A used in the AES

53 × 2−34 ≤ MEDP2 ≤ 55.5 × 2−34 1.6384 × 2−28 ≤ MELP2 ≤ 1.8616 × 2−28

For M = MixColumns, the exact values equal the lower bounds.

For the affine function A used in SHARK and Square

53 × 2−34 ≤ MEDP2 ≤ 56 × 2−34 1.7169 × 2−28 ≤ MELP2 ≤ 1.9847 × 2−28

29

SLIDE 31

Some conclusions

Many other properties of Sboxes can be exploited by an attacker;
A strong algebraic structure may introduce weaknesses;
Don’t forget implementation!!!

30