Antiderivative Functions over F 2 n Valentin SUDER Seminar CALIN - Paris 13 April 12nd 2016. ComSec Lab, University of Waterloo ON, CANADA
Outline Framework Antiderivative Functions Applications Conclusion
Outline Framework Symmetric Cryptography Differential Attacks on Block Ciphers Polynomial Representation Problem Antiderivative Functions Applications Conclusion
Framework Symmetric Cryptography Design in Symmetric Cryptography ◮ Symmetric Cryptography : Alice and Bob share the same key. 1 / 30
Framework Symmetric Cryptography Design in Symmetric Cryptography ◮ Symmetric Cryptography : Alice and Bob share the same key. ◮ Primitives : ◮ Block ciphers; ◮ Stream ciphers; ◮ Hash functions; 1 / 30
Framework Symmetric Cryptography Design in Symmetric Cryptography ◮ Symmetric Cryptography : Alice and Bob share the same key. ◮ Primitives : ◮ Block ciphers; ◮ Stream ciphers; ◮ Hash functions; Block Cipher F m 2 × F k F m E : → 2 2 ( M , K ) �→ E ( M , K ) = C . For a fixed key K ∈ F k 2 , E K ( M ) �→ C , is a permutation of F m 2 . 1 / 30
Framework Symmetric Cryptography Design in Symmetric Cryptography ◮ Symmetric Cryptography : Alice and Bob share the same key. ◮ Primitives : ◮ Block ciphers; ◮ Stream ciphers; ◮ Hash functions; Block Cipher F m 2 × F k F m E : → 2 2 ( M , K ) �→ E ( M , K ) = C . For a fixed key K ∈ F k 2 , E K ( M ) �→ C , is a permutation of F m 2 . ◮ Rounds composed by smaller functions: ◮ Confusion (nonlinear); ◮ Diffusion (linear); 1 / 30
b b b b b b b b b Framework Symmetric Cryptography Block Ciphers M Feistel Scheme and Substitution Permutation Network (SPN) Add Round Key L i R i S S S Permutation RK i Key expansion K F Add Round Key S S S Permutation L i +1 R i +1 C 2 / 30
Framework Symmetric Cryptography Design in Symmetric Cryptography ◮ Symmetric Cryptography : Alice and Bob share the same key. ◮ Primitives : ◮ Block ciphers; ◮ Stream ciphers; ◮ Hash functions; ◮ Rounds composed by smaller functions: ◮ Confusion (nonlinear); ◮ Diffusion (linear); ◮ Cryptographic requirements of the confusion part: ◮ Differential; ◮ Linear; ◮ Algebraic; ◮ . . . 3 / 30
Framework Differential Attacks on Block Ciphers Differential Properties of Sboxes F : F 2 n → F 2 n α δ F ( α, β ) = # { x | F ( x ) + F ( x + α ) = β } F F The greater the value δ F ( α, β ) , the more likely an attacker can find x ∈ F 2 n such that F ( x ) + F ( x + α ) = β . β 4 / 30
b b b b b b Framework Differential Attacks on Block Ciphers Differential Cryptanalysis of the last round K E K Key Expansion RK 0 RK 1 RK R − 1 P F 0 F 1 F R − 1 C F R − 1 α Differential on R − 1 rounds β = ? RK ′ ( α → β ) F R − 1 C ′ = C + ? P ′ F 0 F 1 F R − 1 RK 0 RK 1 RK R − 1 Key Expansion E K K 5 / 30
Framework Polynomial Representation Polynomial representation of the functions F 2 n → F 2 n F : → F 2 n F 2 n � 2 n − 1 c i x i , x �→ c i ∈ F 2 n . i = 0 Definition The algebraic degree of F is defined as deg ( F ) = 0 ≤ i ≤ 2 n − 1 { wt ( i ) | c i � = 0 } . max wt ( i ) is the binary Hamming weigth of the integer i . ◮ F ( x ) is said to be a permutation polynomial if the associated function F is bijective. ◮ F is said to be 2-to-1 if the equation F ( x ) = c has exactly 0 or 2 solutions, for any c ∈ F 2 n . 6 / 30
Framework Polynomial Representation Discrete derivatives F : F 2 n → F 2 n Definition The discrete derivative of F in a direction α ∈ F ∗ 2 n is defined as ∆ α F ( x ) = F ( x ) + F ( x + α ) . The differential uniformity of F is defined as δ ( F ) = α � = 0 , β ∈ F 2 n # { x | ∆ α F ( x ) = β } . max Definition [Lai94] The m -order derivative of F in directions α 0 , . . . , α m − 1 ∈ F 2 n is: � � ∆ α 0 ,...,α m − 1 F ( x ) = ∆ α 0 ∆ α 1 ,...,α m − 1 F ( x ) . 7 / 30
Framework Polynomial Representation Equivalences preserving differential uniformity (but not only . . . ) F , G : F 2 n → F 2 n EA-equivalence F and G are Extended Affine (EA) equivalent if there are two affine a permutations A 0 , A 1 : F 2 n → F 2 n and an affine function A 2 : F 2 n → F 2 n such that F = A 0 ◦ G ◦ A 1 + A 2 . a of algebraic degree 1. CCZ-equivalence [Carlet-Charpin-Zinoviev98] F and G are CCZ-equivalent if their graphs { ( x , F ( x )) | x ∈ F 2 n } and { ( x , G ( x )) | x ∈ F 2 n } are affine equivalent , i.e. if there is an affine permutation L = ( L 0 , L 1 ) : F 2 n × F 2 n → F 2 n × F 2 n such that ∀ ( x , y ) ∈ F 2 y = F ( x ) ⇔ L 0 ( x , y ) = G ( L 1 ( x , y )) , 2 n . 8 / 30
Framework Polynomial Representation Some properties F : F 2 n → F 2 n ◮ α ∈ F ∗ 2 n is a c - linear structure of F , c ∈ F 2 n , if ∀ x ∈ F 2 n ∆ α F ( x ) = F ( x ) + F ( x + α ) = c . ◮ F is called APN (Almost Perfect Nonlinear) if δ ( F ) = α � = 0 , β ∈ F 2 n # { x | ∆ α F ( x ) = β } = 2 . max ◮ EA and CCZ-equivalence preserve differential uniformity . ◮ EA-equivalence preserves algebraic degree . ◮ The discrete derivation makes the algebraic degree decrease: deg ( F ) > deg (∆ α 0 F ) > deg (∆ α 0 ,α 1 F ) > . . . 9 / 30
Framework Polynomial Representation Differences Distribution Table (DDT) n = 4 α \ β . 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 . 16 . . . . . . . . . . . . . . . 1 . . . 2 . 2 . 2 2 . 2 2 2 . 2 . 2 . . 2 . . 2 . 6 2 2 . . . . 2 . 3 . . 4 2 . . . 4 . . 2 . . 4 . . 4 . . . . . 2 2 2 2 2 4 . . . . 2 5 . 4 2 . 2 . 2 . 2 . . 2 2 . . . 6 . 2 . . 2 4 2 . . . . 2 . 2 . 2 7 2 2 . 2 . . 4 . . 2 . 2 . . . 2 8 . . . . . . . . 6 2 . . 4 . 4 . 9 . 2 2 . 2 . 2 . . 2 . 2 2 2 . . 10 2 2 . . 2 . 2 . . 2 2 2 . . . 2 11 . . . 2 . . . 2 2 . 2 . 2 . 4 2 12 . . . 2 2 2 . 2 2 2 2 . . . . 2 13 . 4 . 2 . . . . . . 2 4 . 4 . . 14 . . 2 2 2 . 2 2 . . 2 . . . 2 . 15 2 . 4 . 2 . 2 . . . . 2 2 . . 2 10 / 30
Framework Problem Problem Build new functions with desirable differential properties. Classical Solutions ◮ Tweak known APN functions (e.g. switching method); ◮ Use correspondence with relative objects in: Coding Theory , Combinatorics , Sequences Theory , . . . ◮ . . . New Idea ◮ Build derivatives with prescribed images ; ◮ Gather them as if they are derivatives of the same function ; ◮ Retrieve the said function : it should have the desired differential properties. 11 / 30
Outline Framework Antiderivative Functions Matrix point of view Properties Reconstruction Applications Conclusion
Antiderivative Functions Matrix point of view Derivative as a linear application over F 2 n 2 n F : F 2 n → F 2 n c i x i + � � c i ( x + α ) i ∆ α F ( x ) = F ( x ) + F ( x + α ) = i i . . . � x j � c i α i − j = i , i ≻ j j 12 / 30
Antiderivative Functions Matrix point of view Derivative as a linear application over F 2 n 2 n F : F 2 n → F 2 n c i x i + � � c i ( x + α ) i ∆ α F ( x ) = F ( x ) + F ( x + α ) = i i . . . � x j � c i α i − j = i , i ≻ j j � α i − j if i ≻ j ( a ( j ) 0 , a ( j ) 1 , . . . , a ( j ) a ( j ) 2 n − 1 ) · ( c 0 , c 1 , . . . , c 2 n − 1 ) ⊤ , = i 0 otherwise. i ≻ j : supp ( i ) ⊃ supp ( j ) 12 / 30
Antiderivative Functions Matrix point of view Derivative as a linear application over F 2 n 2 n F : F 2 n → F 2 n c i x i + � � c i ( x + α ) i ∆ α F ( x ) = F ( x ) + F ( x + α ) = i i . . . � x j � c i α i − j = i , i ≻ j j � α i − j if i ≻ j ( a ( j ) 0 , a ( j ) 1 , . . . , a ( j ) a ( j ) 2 n − 1 ) · ( c 0 , c 1 , . . . , c 2 n − 1 ) ⊤ , = i 0 otherwise. a ( 0 ) a ( 0 ) ... c 0 c 0 2 n − 1 0 . . ... . . coeffs (∆ α F ) = · = M ( α ) . . a ( 2 n − 1 ) a ( 2 n − 1 ) ... c 2 n − 1 c 2 n − 1 2 n − 1 0 i ≻ j : supp ( i ) ⊃ supp ( j ) 12 / 30
Antiderivative Functions Matrix point of view Recursive Construction . α 2 α 3 α 4 α 5 α 6 α 7 α 8 α 9 α 10 α 11 α 12 α 13 α 14 α 15 n = 4 α . . . . . . . . . α 2 α 4 α 6 α 8 α 10 α 12 α 14 . . . . . . . . . α 4 α 5 α 8 α 9 α 12 α 13 α . . . . . . . . . . . . . α 4 α 8 α 12 . . . . . . . . . α 2 α 3 α 8 α 9 α 10 α 11 α . . . . . . . . . . . . . α 2 α 8 α 10 . . . . . . . . . . . . . α 8 α 9 α . . . . . . . . . . . . . . . α 8 M ( α )= . . . . . . . . . α 2 α 3 α 4 α 5 α 6 α 7 α . . . . . . . . . . . . . α 2 α 4 α 6 . . . . . . . . . . . . . α 4 α 5 α . . . . . . . . . . . . . . . α 4 . . . . . . . . . . . . . α 2 α 3 α . . . . . . . . . . . . . . . α 2 . . . . . . . . . . . . . . . α . . . . . . . . . . . . . . . . 13 / 30
Recommend
More recommend
