on ccz equivalence extended affine equivalence and
play

On CCZ-Equivalence, Extended-Affine Equivalence and Function - PowerPoint PPT Presentation

Dec 07, 2023 •251 likes •885 views

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo Perrin June 3, 2019 Fq14, Vancouver Setting up the background Cryptographic properties Equivalence classes CCZ-equivalence Cryptographic

  1. On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L´ eo Perrin June 3, 2019 Fq14, Vancouver

  2. Setting up the background Cryptographic properties → Equivalence classes → CCZ-equivalence

  3. Cryptographic Properties F : F n 2 → F m 2 and G : F n 2 → F m 2 are functions (e.g. S-Boxes). Definition (DDT/LAT) The D(ifference) D(istribution) T(able) of F : F n 2 → F m 2 is 𝒠 F ( α, β ) = # { x , F ( x ⊕ α ) ⊕ F ( x ) = β } The L(inear) A(pproximation) T(able) of F : F n 2 → F m 2 is ( − 1) α · x + β · F ( x ) . ∑︂ 𝒳 F ( α, β ) = x ∈ F n 2

  4. Cryptographic Properties F : F n 2 → F m 2 and G : F n 2 → F m 2 are functions (e.g. S-Boxes). Definition (DDT/LAT) The D(ifference) D(istribution) T(able) of F : F n 2 → F m 2 is 𝒠 F ( α, β ) = # { x , F ( x ⊕ α ) ⊕ F ( x ) = β } The L(inear) A(pproximation) T(able) of F : F n 2 → F m 2 is ( − 1) α · x + β · F ( x ) . ∑︂ 𝒳 F ( α, β ) = x ∈ F n 2 Big APN Problem Is there an APN permutation on 2 t bits such that max(DDT) = 2?

  5. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations.

  6. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations. Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G ( x ) = ( B ∘ F ∘ A )( x ) + C ( x ), where A , B , C are affine and A , B are permutations; so that [︃ A − 1 ]︃ (︁{︁ 0 {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ = . 2 CA − 1 2 B

  7. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations. Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G ( x ) = ( B ∘ F ∘ A )( x ) + C ( x ), where A , B , C are affine and A , B are permutations; so that [︃ A − 1 ]︃ (︁{︁ 0 {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ = . 2 CA − 1 2 B Affine permutations with such linear part are EA-mappings ; their transposes are TEA-mappings

  8. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2

  9. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 CCZ-equivalence plays a crucial role in the investigation of the big APN problem.

  10. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 CCZ-equivalence plays a crucial role in the investigation of the big APN problem. What is the relation between functions that are CCZ- but not EA-equivalent?

  11. The Problem with CCZ-Equivalence Admissible Mapping For F : F n 2 → F m 2 , the affine permutation L is admissible for F if { ( x , F ( x )) , ∀ x ∈ F n = { ( x , G ( x )) , ∀ x ∈ F n (︁ )︁ L 2 } 2 } for a well defined function G : F n 2 → F m 2 .

  12. The Problem with CCZ-Equivalence Admissible Mapping For F : F n 2 → F m 2 , the affine permutation L is admissible for F if { ( x , F ( x )) , ∀ x ∈ F n = { ( x , G ( x )) , ∀ x ∈ F n (︁ )︁ L 2 } 2 } for a well defined function G : F n 2 → F m 2 . How can we list all admissible mappings for F?

  13. Structure of this talk 1 CCZ-Equivalence and Vector Spaces of 0 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion

  14. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Outline 1 CCZ-Equivalence and Vector Spaces of 0 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion 6 / 25

  15. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Plan of this Section 1 CCZ-Equivalence and Vector Spaces of 0 Vector Spaces of Zeroes Partitioning a CCZ-Class into EA-Classes 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion 6 / 25

  16. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 7 / 25

  17. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 Definition (Walsh Zeroes) The Walsh zeroes of F : F n 2 → F m 2 is the set 𝒶 F = { u ∈ F n 2 × F m 2 , 𝒳 F ( u ) = 0 } ∪ { 0 } . 2 } ⊂ F n + m With 𝒲 = { ( x , 0) , ∀ x ∈ F n , we have 𝒲 ⊂ 𝒶 F . 2 7 / 25

  18. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 Definition (Walsh Zeroes) The Walsh zeroes of F : F n 2 → F m 2 is the set 𝒶 F = { u ∈ F n 2 × F m 2 , 𝒳 F ( u ) = 0 } ∪ { 0 } . 2 } ⊂ F n + m With 𝒲 = { ( x , 0) , ∀ x ∈ F n , we have 𝒲 ⊂ 𝒶 F . 2 Note that if Γ G = L (Γ F ), then 𝒶 G = ( L T ) − 1 ( 𝒶 F ). 7 / 25

  19. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Admissibility for F Lemma Let L : F n + m → F n + m be a linear permutation. It is admissible for 2 2 F : F n 2 → F m 2 if and only if L T ( 𝒲 ) ⊆ 𝒶 F 8 / 25

  20. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Admissibility of EA-mappings EA-mappings are admissible for all F : F n 2 → F m 2 : [︃ A [︃ A T ]︃ (︃{︃[︃ x ]︃ T C T 0 ]︃ }︃)︃ , ∀ x ∈ F n ( 𝒲 ) = = 𝒲 . B T 2 C B 0 0 9 / 25

  21. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Permutations We define 𝒲 ⊥ = { (0 , y ) , ∀ y ∈ F m 2 } ⊂ F n + m . 2 Lemma F : F n 2 → F m 2 is a permutation if and only if 𝒲 ⊥ ⊂ 𝒶 F . 10 / 25

  22. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. 11 / 25

  23. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. Can we use this knowledge to partition a CCZ-class into its EA-classes? 11 / 25

  24. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. Can we use this knowledge to partition a CCZ-class into its EA-classes? The Lemma gives us hope! 1 EA-class = ⇒ 1 vector space of zeroes of dimension n in 𝒶 n 11 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin June 18, 2018 BFA2018 Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G x B F A x C x , where A B C

1.11k views • 98 slides
An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur

An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur

An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur Ben-Gurion University, Israel EUROCRYPT 2018 Affine Equivalence Problem (AEP) F G n n n n Given two functions F,G, are there invertible affine

549 views • 19 slides
Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley

Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley

Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley AMS-SMM Joint Meeting, Berkeley, June 2010 Motivating Question Under what circumstances do quotients by finite equivalence relations exist?

879 views • 39 slides
Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Propositional Logic Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically) equivalent if A ( F ) = A ( G ) for every assignment A that is suitable for both F and G . We write F G to denote that F and G

276 views • 12 slides
Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 ,

Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 ,

Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 , Pascal Koiran 2 , Timoth ee Pecatte 2 1 Universidad de la Laguna, 2 LIP, Ecole Normale Sup erieure de Lyon 1 / 21 Models of interest 1 / 21

1.05k views • 83 slides
Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau,

Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau,

Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau, David Sabel Goethe-University, Frankfurt, Germany RTA 2013, Eindhoven, The Netherlands 1 Motivation GI-Completeness GC Applications -Calculus

532 views • 34 slides
Todays Expedition TED highlights Equivalence Relations Equivalence Classes and

Todays Expedition TED highlights Equivalence Relations Equivalence Classes and

Todays Expedition TED highlights Equivalence Relations Equivalence Classes and Partitions Boolean Algebra Boolean functions Sum of Products expansion Logic gates and circuits Sections 8.5, 11.1-11.3 in the text

541 views • 15 slides
Equivalence Relations {( a , b ) | a and b are from the the same state}. Observe that these

Equivalence Relations {( a , b ) | a and b are from the the same state}. Observe that these

Equivalence Relations http://localhost/~senning/courses/ma229/slides/equivalence-relations/slide01.html Equivalence Relations http://localhost/~senning/courses/ma229/slides/equivalence-relations/slide02.html Equivalence Relations prev | slides

235 views • 4 slides
Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is

Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is

Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is more basic, fundamental concept. Every element in a set is equal only to itself. The basic equality relation {(x,x) | x S} We tend to assume

893 views • 61 slides
7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive,

7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive,

7.5.1 Section 7.5 Equivalence Relations 7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive, symmetric, and transitive. Set S = { a, b, c, d, e, f } and Example 7.5.1: R = ( a, a ) , ( b, c )

312 views • 4 slides
Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College London Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 1 / 30 Context Program maintenance is a common and important

1.02k views • 61 slides
A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau,

A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau,

Congruence closure Equivalence and inclusions Quantified hypotheses Conclusion A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau, Lionel Rieg and Karine Altisen July 5, 2020 1 / 14 (CC BY-ND)

660 views • 22 slides
Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of

Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of

Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4190, Discrete Mathematical Structures M. Macauley (Clemson) Lecture

561 views • 11 slides
Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville /

Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville /

Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville / Geoffrey Tien 1 Announcements Pre-class quiz #4, due Sunday, Jan.26, 19:00 Epp 4e/5e: Chapter 2.3 Pre-class quiz #5, due Sunday, Feb.02, 19:00

212 views • 19 slides
CS137: Today Electronic Design Automation Sequential Verification DFA equivalence

CS137: Today Electronic Design Automation Sequential Verification DFA equivalence

CS137: Today Electronic Design Automation Sequential Verification DFA equivalence Issues Extracting STG Day 9: February 10, 2006 Valid state reduction FSM Equivalence Checking Incomplete Specification

99 views • 5 slides
Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and

Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and

Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and convince you of the richness of humanity and language Im going to try to give you a brief primer on stimulus equivalence Im going to

984 views • 79 slides
CSE341: Programming Languages Lecture 12 Equivalence Brett Wortzman Spring 2020 Last Topic of

CSE341: Programming Languages Lecture 12 Equivalence Brett Wortzman Spring 2020 Last Topic of

CSE341: Programming Languages Lecture 12 Equivalence Brett Wortzman Spring 2020 Last Topic of Unit More careful look at what two pieces of code are equivalent means Fundamental software-engineering idea Made easier with

389 views • 13 slides
Equivalence of Pushdown Automata with Context-Free Grammar Equivalence of Pushdown Automata with

Equivalence of Pushdown Automata with Context-Free Grammar Equivalence of Pushdown Automata with

Equivalence of Pushdown Automata with Context-Free Grammar Equivalence of Pushdown Automata with Context-Free Grammar p.1/45 Motivation CFG and PDA are equivalent in power: a CFG generates a context-free language and a PDA

627 views • 45 slides
Algebraically Enriched Coalgebras Filippo Bonchi 4 Marcello Bonsangue 1 , 2 Jan Rutten 1 , 3

Algebraically Enriched Coalgebras Filippo Bonchi 4 Marcello Bonsangue 1 , 2 Jan Rutten 1 , 3

Algebraically Enriched Coalgebras Filippo Bonchi 4 Marcello Bonsangue 1 , 2 Jan Rutten 1 , 3 Alexandra Silva 1 1 Centrum Wiskunde en Informatica 2 LIACS - Leiden University 3 Radboud Universiteit Nijmegen 4 INRIA Saclay - LIX, cole Polytechnique

382 views • 27 slides
Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf

Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf

Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf Shani UCLA Logic colloquium, Udine, Italy July 2018 1 / 7 Motivation Given an equivalence relation E on a Polish space X , how does E behave

225 views • 7 slides
Special & General Relativity ASTR/PHYS 4080: Intro to Cosmology Week 2 ASTR/PHYS 4080:

Special & General Relativity ASTR/PHYS 4080: Intro to Cosmology Week 2 ASTR/PHYS 4080:

Special & General Relativity ASTR/PHYS 4080: Intro to Cosmology Week 2 ASTR/PHYS 4080: Introduction to Cosmology Spring 2018: Week 02 1 Special Relativity: no ether Presumes absolute space and time, light is a vibration of some

449 views • 16 slides
Logic as a Tool Chapter 1: Understanding Propositional Logic 1.3 Logical equivalence Negation

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.3 Logical equivalence Negation

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.3 Logical equivalence Negation normal form of propositional formulae Valentin Goranko Stockholm University September 2016 Goranko Logical equivalence of propositional formulae

703 views • 52 slides
3 COMP 1 5 9 3 Algorithmic Verification Simulation and Bisimulation Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Simulation and Bisimulation Dr. Liam OConnor

<latexit

312 views • 16 slides
Equivalence of regular expressions with converse on relations An alternative presentation of the

Equivalence of regular expressions with converse on relations An alternative presentation of the

Equivalence of regular expressions with converse on relations An alternative presentation of the proof by Bloom , sik and Stefanescu Paul Brunet and Damien Pous ENS de Lyon 17 juin 2013 Decidability in REL Paul Brunet and Damien Pous (ENS

768 views • 57 slides

More recommend