Cryptographic Sboxes, Anne Canteaut (Anne.Canteaut@inria.fr)

  1. Cryptographic Sboxes
Anne Canteaut, Anne.Canteaut@inria.fr, http://www-rocq.inria.fr/secret/Anne.Canteaut/
Summer School, Sardegna, October 2015

  2. Vectorial Boolean functions

A vectorial Boolean function with n inputs and m outputs is a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$:

  $S : \mathbb{F}_2^n \to \mathbb{F}_2^m, \quad (x_1, \ldots, x_n) \mapsto (y_1, \ldots, y_m)$

Example.

  x      0 1 2 3 4 5 6 7 8 9 a b c d e f
  S(x)   f e b c 6 d 7 8 0 3 9 a 4 2 1 5
  S1(x)  1 0 1 0 0 1 1 0 0 1 1 0 0 0 1 1
  S2(x)  1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0
  S3(x)  1 1 0 1 1 1 1 0 0 0 0 0 1 0 0 1
  S4(x)  1 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0

  3. Round function in a substitution-permutation network

[Figure: the state $x^{(i)}$ is split into words that each go through an Sbox S in parallel; the outputs go through the linear diffusion layer, the round key $k_i$ is added, and the result is $x^{(i+1)}$.]

  4. Outline

• Algebraic degree
• Differential uniformity
• Nonlinearity
• Finding good Sboxes

  5. Algebraic degree

  x      0 1 2 3 4 5 6 7 8 9 a b c d e f
  S1(x)  1 0 1 0 0 1 1 0 0 1 1 0 0 0 1 1
  S2(x)  1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0
  S3(x)  1 1 0 1 1 1 1 0 0 0 0 0 1 0 0 1
  S4(x)  1 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0

  $S_1 = 1 + x_1 + x_3 + x_2 x_3 + x_4 + x_2 x_4 + x_3 x_4 + x_1 x_3 x_4 + x_2 x_3 x_4$
  $S_2 = 1 + x_1 x_2 + x_1 x_3 + x_1 x_2 x_3 + x_4 + x_1 x_4 + x_1 x_2 x_4 + x_1 x_3 x_4$
  $S_3 = 1 + x_2 + x_1 x_2 + x_2 x_3 + x_4 + x_2 x_4 + x_1 x_2 x_4 + x_3 x_4 + x_1 x_3 x_4$
  $S_4 = 1 + x_3 + x_1 x_3 + x_4 + x_2 x_4 + x_3 x_4 + x_1 x_3 x_4 + x_2 x_3 x_4$

  6. Algebraic normal form (ANF)

Monomials in $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 + x_1, \ldots, x_n^2 + x_n)$:

  $x^u = \prod_{i=1}^{n} x_i^{u_i}$, where $u \in \mathbb{F}_2^n$.

Example: $x^{1011} = x_1^1 x_2^0 x_3^1 x_4^1 = x_1 x_3 x_4$.

Proposition. Any Boolean function of n variables has a unique polynomial representation in $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 + x_1, \ldots, x_n^2 + x_n)$:

  $f(x_1, \ldots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u x^u, \quad a_u \in \mathbb{F}_2$.

Moreover, the coefficients of the ANF and the values of f satisfy

  $a_u = \sum_{x \preceq u} f(x)$ and $f(u) = \sum_{x \preceq u} a_x$,

where $x \preceq y$ if and only if $x_i \le y_i$ for all $1 \le i \le n$.

  7. Example

  x1             0 1 0 1 0 1 0 1
  x2             0 0 1 1 0 0 1 1
  x3             0 0 0 0 1 1 1 1
  f(x1,x2,x3)    0 1 0 0 0 1 1 1

  $a_{000} = f(000) = 0$
  $a_{100} = f(100) \oplus f(000) = 1$
  $a_{010} = f(010) \oplus f(000) = 0$
  $a_{110} = f(110) \oplus f(010) \oplus f(100) \oplus f(000) = 1$
  $a_{001} = f(001) \oplus f(000) = 0$
  $a_{101} = f(101) \oplus f(001) \oplus f(100) \oplus f(000) = 0$
  $a_{011} = f(011) \oplus f(001) \oplus f(010) \oplus f(000) = 1$
  $a_{111} = \sum_{x \in \mathbb{F}_2^3} f(x) = \mathrm{wt}(f) \bmod 2 = 0$

  $f = x_1 + x_1 x_2 + x_2 x_3$.

  8. Degree of an Sbox

Definition. The degree of a Boolean function is the degree of the largest monomial in its algebraic normal form. The degree of a vectorial function S with n inputs and m outputs is the maximal degree of its coordinates.

Proposition. If S is a permutation of $\mathbb{F}_2^n$, then $\deg S \le n - 1$.
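The ANF computations of slides 5 to 8, carried out in code as an added example (not part of the slides): the Möbius transform $a_u = \sum_{x \preceq u} f(x)$ applied to the 3-variable f of slide 7 and to the four coordinates of the slides' 4-bit Sbox, followed by the degree of each coordinate and of S. The bit conventions are the ones read off the slides' tables: bit j of the input index x is $x_{j+1}$ (so $x_1$ varies fastest, as in slide 7), and $S_1$ is the least significant bit of S(x).

```python
# Added example, not from the slides: ANF and algebraic degree of the slides' 4-bit Sbox
# and of the 3-variable f of slide 7, via the Moebius transform a_u = sum_{x <= u} f(x).
# Conventions read off the slides' tables: bit j of x is x_{j+1} (x_1 varies fastest)
# and S_1 is the least significant bit of S(x).

SBOX = [0xf, 0xe, 0xb, 0xc, 0x6, 0xd, 0x7, 0x8,
        0x0, 0x3, 0x9, 0xa, 0x4, 0x2, 0x1, 0x5]

# Truth table of f(x1, x2, x3) from slide 7, indexed by x = x1 + 2*x2 + 4*x3.
F_SLIDE7 = [0, 1, 0, 0, 0, 1, 1, 1]


def coordinate(sbox, i):
    """Truth table of the i-th coordinate S_i (i = 1 is the least significant bit)."""
    return [(y >> (i - 1)) & 1 for y in sbox]


def anf(truth_table):
    """Fast Moebius transform: ANF coefficients a_u (indexed by u) of a Boolean function
    given by its truth table (indexed by x). For each bit j, every u with bit j set
    absorbs a[u with bit j cleared]; at the end a[u] is the XOR of f(x) over all x <= u."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    assert len(a) == 1 << n, "truth table length must be a power of two"
    for j in range(n):
        bit = 1 << j
        for u in range(len(a)):
            if u & bit:
                a[u] ^= a[u ^ bit]
    return a


def monomials(a):
    """Monomials with a_u = 1, each as the frozenset of its variable indices (frozenset() is 1)."""
    n = len(a).bit_length() - 1
    return {frozenset(j + 1 for j in range(n) if u >> j & 1) for u, c in enumerate(a) if c}


def anf_string(a):
    """Render the ANF in the slides' notation, e.g. 'x1 + x1x2 + x2x3'."""
    n = len(a).bit_length() - 1
    terms = ["".join(f"x{j + 1}" for j in range(n) if u >> j & 1) or "1"
             for u, c in enumerate(a) if c]
    return " + ".join(terms) if terms else "0"


def degree(a):
    """Degree of a Boolean function: largest Hamming weight of a u with a_u = 1."""
    return max((bin(u).count("1") for u, c in enumerate(a) if c), default=0)


def sbox_degree(sbox):
    """Degree of a vectorial function: maximal degree of its coordinate functions."""
    m = max(sbox).bit_length()
    return max(degree(anf(coordinate(sbox, i))) for i in range(1, m + 1))


if __name__ == "__main__":
    print("f =", anf_string(anf(F_SLIDE7)))
    for i in range(1, 5):
        a = anf(coordinate(SBOX, i))
        print(f"S{i} = {anf_string(a)}   (degree {degree(a)})")
    # Slide 8: S is a permutation of F_2^4, so its degree is at most n - 1 = 3.
    print("deg S =", sbox_degree(SBOX))
```

Running the block prints the four ANFs exactly as they appear on slide 5 and the ANF of slide 7; every coordinate has degree 3, which is the maximum allowed for a permutation of $\mathbb{F}_2^4$ by the proposition on slide 8.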

  9. Identifying F_2^n with a finite field

$\mathbb{F}_2^n$ is identified with the finite field with $2^n$ elements,

  $\mathbb{F}_{2^n} = \{0\} \cup \{\alpha^i,\ 0 \le i \le 2^n - 2\}$

where $\alpha$ is a root of a primitive polynomial of degree n. Then, for any i,

  $\alpha^i = \sum_{j=0}^{n-1} \lambda_j \alpha^j$.

Example for n = 4: primitive polynomial $1 + x + x^4$, $\alpha$ a root of this polynomial.

  F_{2^4}   0     1     α     α^2   α^3   α^4     α^5       α^6         α^7
            0     1     α     α^2   α^3   α+1     α^2+α     α^3+α^2     α^3+α+1
  F_2^4     0000  0001  0010  0100  1000  0011    0110      1100        1011

  F_{2^4}   α^8     α^9     α^10      α^11        α^12           α^13        α^14
            α^2+1   α^3+α   α^2+α+1   α^3+α^2+α   α^3+α^2+α+1    α^3+α^2+1   α^3+1
  F_2^4     0101    1010    0111      1110        1111           1101        1001

  10. The univariate representation of Sboxes

Any vectorial function with n inputs and n outputs can be seen as $S : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$. Then,

  $S(X) = \sum_{i=0}^{2^n - 1} c_i X^i, \quad c_i \in \mathbb{F}_{2^n}$.

Example:

  x      0 1 2 3 4 5 6 7 8 9 a b c d e f
  S(x)   f e b c 6 d 7 8 0 3 9 a 4 2 1 5

  $S(X) = \alpha^{12} + \alpha^2 X + \alpha^{13} X^2 + \alpha^6 X^3 + \alpha^{10} X^4 + \alpha X^5 + \alpha^{10} X^6 + \alpha^2 X^7 + \alpha^9 X^8 + \alpha^4 X^9 + \alpha^7 X^{10} + \alpha^7 X^{11} + \alpha^5 X^{12} + X^{13} + \alpha^6 X^{14}$

Remark. The (multivariate) degree of $X^i$ is exactly the number of ones in the binary expansion of i.
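The univariate representation of slides 9 and 10 computed from the lookup table, as an added example that is not part of the slides. It implements $\mathbb{F}_{2^4}$ with the identification of slide 9 ($\alpha$ a root of $1 + x + x^4$, bit j of a 4-bit value being the coefficient of $\alpha^j$) and recovers the coefficients $c_i$ from the identity $\sum_{x \in \mathbb{F}_q} x^k = 1$ when k is a positive multiple of q-1 and 0 otherwise, which gives $c_i = \sum_x S(x)\, x^{q-1-i}$ for $1 \le i \le q-2$, $c_0 = S(0)$ and $c_{q-1} = \sum_x S(x)$. The field size 16 is hard-wired; the function and variable names are this example's own.

```python
# Added example, not from the slides: univariate representation of the slides' 4-bit Sbox
# over F_{2^4}, with the identification of slide 9 (alpha a root of 1 + x + x^4, bit j of
# a 4-bit value = coefficient of alpha^j). The field size 16 is hard-wired.

MODULUS = 0b10011   # 1 + x + x^4 as a bit string (bit j = coefficient of x^j)
N = 4
Q = 1 << N          # field size 2^4 = 16

SBOX = [0xf, 0xe, 0xb, 0xc, 0x6, 0xd, 0x7, 0x8,
        0x0, 0x3, 0x9, 0xa, 0x4, 0x2, 0x1, 0x5]


def gf_mul(a, b):
    """Multiply two elements of F_{2^4}: shift-and-add, reducing modulo 1 + x + x^4."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:           # degree reached 4: subtract (xor) the modulus
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """a^e in F_{2^4} by repeated multiplication (exponents are tiny here); a^0 = 1."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


# alpha = x = 0b0010; ALPHA_POW[i] is alpha^i and LOG inverts it (the table of slide 9).
ALPHA_POW = [gf_pow(0b0010, i) for i in range(Q - 1)]
LOG = {v: i for i, v in enumerate(ALPHA_POW)}


def univariate_coefficients(sbox):
    """Coefficients c_0 .. c_{q-1} of the unique polynomial of degree < q with
    S(X) = sum_i c_i X^i over F_q, q = 2^n (here q = 16).
    Uses sum_{x in F_q} x^k = 1 if k > 0 is a multiple of q - 1 and 0 otherwise, so
    c_0 = S(0), c_{q-1} = sum_x S(x) and c_i = sum_x S(x) x^{q-1-i} for 1 <= i <= q-2."""
    q = len(sbox)
    assert q == Q, "the field arithmetic above is for 16 elements"
    c = [0] * q
    c[0] = sbox[0]
    for i in range(1, q - 1):
        acc = 0
        for x in range(1, q):            # x = 0 contributes 0^(q-1-i) = 0
            acc ^= gf_mul(sbox[x], gf_pow(x, q - 1 - i))
        c[i] = acc
    last = 0
    for y in sbox:
        last ^= y
    c[q - 1] = last                      # 0 for a permutation (sum of all field elements)
    return c


def evaluate(coeffs, x):
    """Horner evaluation of sum_i c_i x^i in F_{2^4}."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def as_alpha_powers(coeffs):
    """Render each coefficient as a power of alpha (or '0'), as on slide 10."""
    return ["0" if c == 0 else f"alpha^{LOG[c]}" for c in coeffs]


def degree_from_univariate(coeffs):
    """Remark of slide 10: the multivariate degree of X^i is the Hamming weight of i,
    so the algebraic degree of S is the largest weight of an exponent i with c_i != 0."""
    return max((bin(i).count("1") for i, c in enumerate(coeffs) if c), default=0)


if __name__ == "__main__":
    C = univariate_coefficients(SBOX)
    terms = [f"{p} X^{i}" for i, p in enumerate(as_alpha_powers(C)) if C[i]]
    print("S(X) =", " + ".join(terms))
    print("round trip ok:", all(evaluate(C, x) == SBOX[x] for x in range(Q)))
    print("degree from the univariate form:", degree_from_univariate(C))
```

The printed polynomial is the one on slide 10; the X^15 coefficient is 0 because S is a permutation, and the largest weight among the exponents with a nonzero coefficient is 3, in agreement with the ANF degrees of slide 5.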

  11. Resistance to differential attacks

  12. Difference table of an Sbox

  a\b  1 2 3 4 5 6 7 8 9 a b c d e f
   1   2 0 4 2 0 2 2 0 0 0 2 0 0 0 2
   2   2 2 0 2 4 0 2 0 4 0 0 0 0 0 0
   3   2 0 4 0 2 0 0 0 0 6 0 0 0 2 0
   4   2 0 2 4 0 0 0 2 2 0 0 2 0 0 2
   5   0 4 2 0 0 0 2 2 0 0 4 2 0 0 0
   6   4 0 0 0 0 4 0 4 0 0 0 0 4 0 0
   7   0 2 0 0 2 2 2 0 2 2 2 0 0 2 0
   8   0 4 0 0 0 4 0 0 0 0 0 0 4 0 4
   9   2 2 0 2 2 0 0 0 4 0 0 2 0 2 0
   a   0 0 2 2 0 2 2 2 0 2 2 0 0 0 2
   b   0 0 2 0 4 0 2 2 0 0 0 6 0 0 0
   c   0 2 0 0 0 2 0 0 2 2 2 2 0 4 0
   d   2 0 0 0 2 0 0 0 0 2 0 0 8 2 0
   e   0 0 0 0 0 0 4 0 0 0 4 0 0 4 4
   f   0 0 0 4 0 0 0 4 2 2 0 2 0 0 2

  $\delta_S(a, b) = \#\{X \in \mathbb{F}_2^n,\ S(X \oplus a) \oplus S(X) = b\}$

  13. Resistance to differential attacks [Nyberg Knudsen 92], [Nyberg 93]

Criterion on the Sbox. All entries in the difference table of S should be small:

  $\delta(S) = \max_{a \neq 0,\ b} \#\{X \in \mathbb{F}_2^n,\ S(X \oplus a) \oplus S(X) = b\}$

must be as small as possible. $\delta(S)$ is called the differential uniformity of S (always even).

Theorem. For any Sbox S with n inputs and n outputs, $\delta(S) \ge 2$. The functions achieving this bound are called almost perfect nonlinear functions (APN).

  14. For SPN using S

Expected probability of a 2-round characteristic:

  $\le \left( \frac{\delta(S)}{2^n} \right)^{d}$

where d is the branch number of the linear layer.

Expected probability of a 2-round differential [Daemen Rijmen 02]:

  $\mathrm{MEDP}_2 \le \left( \frac{\delta(S)}{2^n} \right)^{d - 1}$

E.g., for the 4-round AES, $\mathrm{MEDP}_4 \le \left( 2^{-6} \right)^{16}$.

Refinements involving the whole difference table [Park et al. 03] [C. Roué 15].
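The difference table and differential uniformity of slides 12 and 13, together with the 2-round bound of slide 14, computed for the slides' 4-bit Sbox as an added example (not code from the slides). The block also constructs a second, 3-bit input, the lookup table of $X \mapsto X^3$ over $\mathbb{F}_{2^3}$ (modulus $x^3 + x + 1$), which is not on the slides; it is included because it is a permutation reaching the bound $\delta(S) = 2$, so the APN test returns both answers on realistic inputs. Function names are this example's own.

```python
# Added example, not from the slides: the difference table, differential uniformity and
# APN test of slides 12-13, and the 2-round bound of slide 14, for the slides' 4-bit Sbox.
# CUBE3 is a constructed second input: the lookup table of X -> X^3 over F_{2^3}
# (modulus x^3 + x + 1), a permutation that is APN; it does not appear on the slides.
from fractions import Fraction

SBOX = [0xf, 0xe, 0xb, 0xc, 0x6, 0xd, 0x7, 0x8,
        0x0, 0x3, 0x9, 0xa, 0x4, 0x2, 0x1, 0x5]
CUBE3 = [0, 1, 3, 4, 5, 6, 7, 2]


def difference_table(sbox):
    """delta_S(a, b) = #{X in F_2^n : S(X xor a) xor S(X) = b} for every (a, b).
    Row a = 0 is the trivial one (2^n at b = 0) and is left out of delta(S)."""
    n = len(sbox).bit_length() - 1
    size = 1 << n
    ddt = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            ddt[a][sbox[x ^ a] ^ sbox[x]] += 1
    return ddt


def differential_uniformity(ddt):
    """delta(S) = max over a != 0 and all b of delta_S(a, b); always even and at least 2."""
    return max(v for a, row in enumerate(ddt) if a != 0 for v in row)


def worst_differentials(ddt):
    """All (a, b, delta_S(a, b)) reaching delta(S): the one-round differentials of
    highest probability delta(S) / 2^n."""
    best = differential_uniformity(ddt)
    return [(a, b, v) for a, row in enumerate(ddt) if a != 0
            for b, v in enumerate(row) if v == best]


def is_apn(sbox):
    """Almost perfect nonlinear: delta(S) meets the lower bound 2 of slide 13."""
    return differential_uniformity(difference_table(sbox)) == 2


def medp2_bound(delta, n, d):
    """Slide 14: MEDP_2 <= (delta(S) / 2^n)^(d - 1), d the branch number of the linear layer."""
    return Fraction(delta, 1 << n) ** (d - 1)


def format_table(ddt):
    """Render the table as on slide 12 (rows a, columns b, both starting at 1)."""
    size = len(ddt)
    head = "a\\b  " + " ".join(f"{b:x}" for b in range(1, size))
    rows = [f" {a:x}   " + " ".join(str(ddt[a][b]) for b in range(1, size))
            for a in range(1, size)]
    return "\n".join([head] + rows)


if __name__ == "__main__":
    ddt = difference_table(SBOX)
    print(format_table(ddt))
    print("delta(S) =", differential_uniformity(ddt), "reached at", worst_differentials(ddt))
    print("S APN?", is_apn(SBOX), "| X^3 over F_8 APN?", is_apn(CUBE3))
    # AES: delta = 4, n = 8 and branch number d = 5 give MEDP_2 <= 2^-24 = (2^-6)^4.
    print("AES 2-round bound:", medp2_bound(4, 8, 5))
```

For the slides' Sbox the table printed is the one on slide 12, $\delta(S) = 8$ is reached only at (a, b) = (d, d), so S is far from APN, whereas the 3-bit cube map reaches the bound 2.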

  15. Resistance to linear attacks

  16. Linear approximations of an Sbox

(A dot stands for 0.)

  a\b   1   2   3   4   5   6   7   8   9   a   b   c   d   e   f
   1   -4   .   4   .  -4   8  -4   4   8   4   .  -4   .   4   .
   2    4  -4   .  -4   .   .   4   4   8   .   4   8  -4  -4   .
   3    8   4   4  -4   4   .   .   .   .   4  -4  -4  -4   .   8
   4    .  -4   4   4  -4   .   .  -8   .   4   4   4   4   .   8
   5   -4   4   .   4   8   .   4  -4   8   .  -4   .   4  -4   .
   6   -4   .   4   .   4   8   4   4  -8   4   .   4   .  -4   .
   7    .   .   .   .   8   .  -8   .   .   .   .   8   .   8   .
   8    .  -4   4  -8   .   4   4  -8   .  -4  -4   .   .   4  -4
   9   -4 -12   .   .   4  -4   .   4   .   .  -4  -4   .   .   4
   a   -4   . -12  -4   .   4   .  -4   .   4   .   .  -4   .   4
   b    .   .   .   4  -4   4  -4   .   .  -8  -8   4  -4  -4   4
   c    .   .   .  -4  -4  -4  -4   .   .   8  -8   4   4  -4  -4
   d   -4   .   4   4   .  -4   .  -4   .   4   .   . -12   .  -4
   e    4  -4   .   .   4   4  -8  -4   .   .   4  -4   .  -8  -4
   f   -8   4   4  -8   .  -4  -4   .   .  -4   4   .   .  -4   4

  $\Pr[a \cdot x + b \cdot S(x) = 0] = \frac{1}{2} \left( 1 + \frac{W[a, b]}{2^n} \right)$

For instance, for a = 0x9 and b = 0x2, we have $p = \frac{1}{2} \left( 1 - \frac{12}{16} \right) = \frac{1}{8}$.

  17. Walsh transform of an Sbox

Walsh transform of a Boolean function f of n variables:

  $\mathbb{F}_2^n \to \mathbb{Z}, \quad a \mapsto W_f(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}$

Walsh transform of an Sbox S:

  $\mathbb{F}_2^n \times \mathbb{F}_2^m \to \mathbb{Z}, \quad (a, b) \mapsto W_S(a, b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{b \cdot S(x) + a \cdot x} = W_{b \cdot S}(a)$

  18. Linearity of an Sbox

Criterion on the Sbox. All linear approximations of S should have a small bias, i.e.,

  $\mathcal{L}(S) = \max_{a \in \mathbb{F}_2^n,\ b \in \mathbb{F}_2^n,\ b \neq 0} |W_S(a, b)|$

must be as small as possible.

Parseval's equality: for any output mask b,

  $\sum_{a \in \mathbb{F}_2^n} W_S(a, b)^2 = 2^{2n}$.

  19. For SPN using S

Expected square correlation of a 2-round linear trail:

  $\le \left( \frac{\mathcal{L}(S)}{2^n} \right)^{2 d'}$

where d' is the linear branch number of the linear layer.

Expected square correlation of a 2-round linear mask [Daemen Rijmen 02]:

  $\mathrm{MELP}_2 \le \left( \frac{\mathcal{L}(S)}{2^n} \right)^{2 (d' - 1)}$

Refinements involving the whole square correlation table [Park et al. 03] [C. Roué 15].

  20. Link between the difference and square correlation tables

Theorem. [Chabaud Vaudenay 94] [Blondeau Nyberg 13] There is a one-to-one correspondence between the difference table $\delta(a, b)$, $a, b \in \mathbb{F}_2^n$, and the square correlation table $W^2(a, b)$, $a, b \in \mathbb{F}_2^n$:

  $W^2(u, v) = \sum_{a, b \in \mathbb{F}_2^n} (-1)^{a \cdot u + b \cdot v}\, \delta(a, b)$

  $\delta(a, b) = 2^{-2n} \sum_{u, v \in \mathbb{F}_2^n} (-1)^{a \cdot u + b \cdot v}\, W^2(u, v)$

There is a one-to-one correspondence between the Sbox and the correlation table, but several Sboxes may have the same square correlation table.
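The Walsh transform and linear approximation table of slides 16 and 17, the linearity and Parseval's equality of slide 18, and the link with the difference table of slide 20, computed for the slides' 4-bit Sbox as an added example (not code from the slides). Masks follow the bit convention of the slides' tables: bit j of an input mask a selects $x_{j+1}$ and bit j of an output mask b selects the coordinate $S_{j+1}$. The difference table needed for the link theorem is recomputed inline in `link_holds`; function names are this example's own.

```python
# Added example, not from the slides: Walsh transform / linear approximation table of
# slides 16-17, linearity and Parseval's equality of slide 18, and the link between the
# square correlation table and the difference table of slide 20, for the slides' 4-bit Sbox.
# Masks use the slides' bit convention: bit j of a selects x_{j+1}, bit j of b selects S_{j+1}.
from fractions import Fraction

SBOX = [0xf, 0xe, 0xb, 0xc, 0x6, 0xd, 0x7, 0x8,
        0x0, 0x3, 0x9, 0xa, 0x4, 0x2, 0x1, 0x5]
N = 4


def parity(v):
    """The F_2 inner product a . x, given the masked value v = a & x."""
    return bin(v).count("1") & 1


def walsh_table(sbox, n=N, m=N):
    """W_S(a, b) = sum_x (-1)^(b.S(x) + a.x) for all input masks a and output masks b."""
    W = [[0] * (1 << m) for _ in range(1 << n)]
    for a in range(1 << n):
        for b in range(1 << m):
            W[a][b] = sum(1 - 2 * (parity(b & sbox[x]) ^ parity(a & x))
                          for x in range(1 << n))
    return W


def linearity(W):
    """L(S) = max over all a and all b != 0 of |W_S(a, b)|."""
    return max(abs(W[a][b]) for a in range(len(W)) for b in range(1, len(W[0])))


def approximation_probability(W, a, b, n=N):
    """Slide 16: Pr[a.x + b.S(x) = 0] = (1 + W_S(a, b) / 2^n) / 2, as an exact fraction."""
    return Fraction(1, 2) * (1 + Fraction(W[a][b], 1 << n))


def parseval_holds(W, n=N):
    """Slide 18: for every output mask b, sum_a W_S(a, b)^2 = 2^(2n)."""
    return all(sum(W[a][b] ** 2 for a in range(len(W))) == 1 << (2 * n)
               for b in range(len(W[0])))


def link_holds(sbox, n=N):
    """Slide 20: W_S(u, v)^2 = sum_{a,b} (-1)^(a.u + b.v) delta_S(a, b) for every (u, v),
    with delta_S(a, b) = #{x : S(x xor a) xor S(x) = b} recomputed inline."""
    size = 1 << n
    ddt = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            ddt[a][sbox[x ^ a] ^ sbox[x]] += 1
    W = walsh_table(sbox, n, n)
    for u in range(size):
        for v in range(size):
            rhs = sum((1 - 2 * (parity(a & u) ^ parity(b & v))) * ddt[a][b]
                      for a in range(size) for b in range(size))
            if W[u][v] ** 2 != rhs:
                return False
    return True


def format_table(W):
    """Render the table as on slide 16 (rows a, columns b, both from 1; '.' for 0)."""
    size = len(W)

    def cell(v):
        return "." if v == 0 else str(v)

    head = "a\\b " + "".join(f"{b:>4x}" for b in range(1, size))
    rows = [f" {a:x}  " + "".join(f"{cell(W[a][b]):>4}" for b in range(1, size))
            for a in range(1, size)]
    return "\n".join([head] + rows)


if __name__ == "__main__":
    W = walsh_table(SBOX)
    print(format_table(W))
    print("L(S) =", linearity(W))
    print("Pr[9.x + 2.S(x) = 0] =", approximation_probability(W, 0x9, 0x2))
    print("Parseval:", parseval_holds(W), "| link with the difference table:", link_holds(SBOX))
```

The printed table is the one on slide 16, $\mathcal{L}(S) = 12$, the (a, b) = (9, 2) approximation holds with probability 1/8 as computed on slide 16, every column satisfies Parseval's equality, and the squared table equals the transform of the difference table of slide 12 as the theorem on slide 20 states.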

  21. Finding good Sboxes w.r.t. the previous criteria

  22. Equivalence between Sboxes

Affine equivalence: $S_2 = A_2 \circ S_1 \circ A_1$, where $A_1$ and $A_2$ are two affine permutations of $\mathbb{F}_2^n$.

CCZ equivalence [Carlet Charpin Zinoviev 98]: $(x', S_2(x')) = A(x, S_1(x))$, where A is an affine permutation of $\mathbb{F}_2^{2n}$.
