Polynomials on F 2 m with good resistance to cryptanalysis Y. Aubry - PowerPoint PPT Presentation

Polynomials on F 2 m with good resistance to cryptanalysis Y. Aubry 1 G. McGuire 2 . Rodier 1 F 1 IML – Marseille 2 University College Dublin 1

Outline APN functions Characterization of APN polynomials Lower bounds for the degree of an APN polynomial A first bound A second bound Some examples Some prospect 2

Outline APN functions Characterization of APN polynomials Lower bounds for the degree of an APN polynomial A first bound A second bound Some examples Some prospect 3

APN functions. ◮ Vectorial Boolean functions are useful in private key cryptography for designing block ciphers. 4

APN functions. ◮ Vectorial Boolean functions are useful in private key cryptography for designing block ciphers. ◮ Two main attacks on these ciphers are differential attacks and linear attacks. An important criterion on Boolean functions is a high resistance to the differential cryptanalysis. 4

APN functions. ◮ Vectorial Boolean functions are useful in private key cryptography for designing block ciphers. ◮ Two main attacks on these ciphers are differential attacks and linear attacks. An important criterion on Boolean functions is a high resistance to the differential cryptanalysis. ◮ Kaisa Nyberg has introduced the notion of almost perfect nonlinearity (APN) to characterize those functions which have the better resistance to differential attacks. 4

APN functions Let us consider a vectorial Boolean function f : F m → F m 2 − 2 . If we use the function f in a S-box of a cryptosystem, the efficiency of differential cryptanalysis is measured by the maximum of the cardinality of the set of elements x in F m 2 such that f ( x + a ) + f ( x ) = b where a and b are elements in F m 2 and a � = 0. 5

APN functions Let us consider a vectorial Boolean function f : F m → F m 2 − 2 . If we use the function f in a S-box of a cryptosystem, the efficiency of differential cryptanalysis is measured by the maximum of the cardinality of the set of elements x in F m 2 such that f ( x + a ) + f ( x ) = b where a and b are elements in F m 2 and a � = 0. Definition The function f is said to be APN (almost perfect nonlinear) if for every a � = 0 in F m 2 and b ∈ F m 2 , there exists at most 2 elements x of F m 2 such that f ( x + a ) + f ( x ) = b . 5

APN power functions Up to now, the study of APN functions was especially devoted to the power functions. The following functions f ( x ) = x d are APN on F 2 m , where d is given by: ◮ d = 2 h + 1 where gcd ( h , m ) = 1 (Gold functions). 6

APN power functions Up to now, the study of APN functions was especially devoted to the power functions. The following functions f ( x ) = x d are APN on F 2 m , where d is given by: ◮ d = 2 h + 1 where gcd ( h , m ) = 1 (Gold functions). ◮ d = 2 2 h − 2 h + 1 where gcd ( h , m ) = 1 (Kasami functions). 6

APN power functions Up to now, the study of APN functions was especially devoted to the power functions. The following functions f ( x ) = x d are APN on F 2 m , where d is given by: ◮ d = 2 h + 1 where gcd ( h , m ) = 1 (Gold functions). ◮ d = 2 2 h − 2 h + 1 where gcd ( h , m ) = 1 (Kasami functions). ◮ and other functions with exponent d depending on m ◮ d = 2 ( m − 1 ) / 2 + 3 with m odd ( Welch functions). ◮ d = 2 ( m − 1 ) / 2 + 2 ( m − 1 ) / 4 − 1, where m ≡ 1 ( mod 4 ) , d = 2 ( m − 1 ) / 2 + 2 ( 3 m − 1 ) / 4 − 1, where m ≡ 3 ( mod 4 ) (Niho functions). ◮ d = 2 m − 2, for m odd; (inverse function) ◮ d = 2 4 m / 5 + 2 3 m / 5 + 2 2 m / 5 + 2 m / 5 − 1, where m is divisible by 5 (Dobbertin functions). 6

APN power functions Up to now, the study of APN functions was especially devoted to the power functions. The following functions f ( x ) = x d are APN on F 2 m , where d is given by: ◮ d = 2 h + 1 where gcd ( h , m ) = 1 (Gold functions). ◮ d = 2 2 h − 2 h + 1 where gcd ( h , m ) = 1 (Kasami functions). ◮ and other functions with exponent d depending on m ◮ d = 2 ( m − 1 ) / 2 + 3 with m odd ( Welch functions). ◮ d = 2 ( m − 1 ) / 2 + 2 ( m − 1 ) / 4 − 1, where m ≡ 1 ( mod 4 ) , d = 2 ( m − 1 ) / 2 + 2 ( 3 m − 1 ) / 4 − 1, where m ≡ 3 ( mod 4 ) (Niho functions). ◮ d = 2 m − 2, for m odd; (inverse function) ◮ d = 2 4 m / 5 + 2 3 m / 5 + 2 2 m / 5 + 2 m / 5 − 1, where m is divisible by 5 (Dobbertin functions). One conjectured for a long time that the Gold and Kasami functions are the only ones where d is independent from m and which give APN functions for an infinity of values of m . 6

APN power functions Janwa, McGuire, Wilson, Jedlicka worked on this conjecture. 7

APN power functions Janwa, McGuire, Wilson, Jedlicka worked on this conjecture. Fernando Hernando and Gary McGuire proved recently the following theorem: Theorem The Gold and Kasami functions are the only monomials where d is odd and which give APN functions for an infinity of values of m. 7

Other APN functions In 2005, Edel, Kyureghyan and Alexander Pott have proved that the function F 2 10 − → F 2 10 x 3 + ux 36 x �− → where u is a suitable element in the multiplicative group F ∗ 2 10 was APN and not equivalent to power functions. 8

Other APN functions In 2005, Edel, Kyureghyan and Alexander Pott have proved that the function F 2 10 − → F 2 10 x 3 + ux 36 x �− → where u is a suitable element in the multiplicative group F ∗ 2 10 was APN and not equivalent to power functions. A number of people (Budaghyan, Carlet, Felke, Leander, Bracken, Byrne, Markin, McGuire, Dillon. . . ) showed that certain quadratic polynomials were APN and not equivalent to known power functions. 8

New Conjecture G. McGuire proposed the following conjecture. Conjecture The Gold and Kasami functions are the only APN functions which are APN on infinitely many extensions of their field of definition. 9

New Conjecture G. McGuire proposed the following conjecture. Conjecture The Gold and Kasami functions are the only APN functions which are APN on infinitely many extensions of their field of definition. We will give some results toward this conjecture. 9

New Conjecture G. McGuire proposed the following conjecture. Conjecture The Gold and Kasami functions are the only APN functions which are APN on infinitely many extensions of their field of definition. We will give some results toward this conjecture. More precisely, we will give here some bound on the degree of a Boolean polynomial not to be almost perfect nonlinear. 9

Result on monomials We will generalize this result on monomials by Anne Canteaut. Proposition Suppose that the curve x d + y d + 1 + ( x + y + 1 ) d = 0 ( x + y )( x + 1 )( y + 1 ) → x d is not is absolutely irreducible over F 2 . The mapping x �− APN over F q , q ≥ 32 , if d ≤ q 1 / 4 + 4 . 5 10

Outline APN functions Characterization of APN polynomials Lower bounds for the degree of an APN polynomial A first bound A second bound Some examples Some prospect 11

Equivalent polynomials Proposition The class of APN functions is invariant by addition of a q-affine polynomial (that is a polynomial whose monomials are of degree 0 or a power of 2). 12

Equivalent polynomials Proposition The class of APN functions is invariant by addition of a q-affine polynomial (that is a polynomial whose monomials are of degree 0 or a power of 2). We choose for f a polynomial mapping from F 2 m in itself ◮ which has no term of degree a power of 2 ◮ and with no constant term. 12

Characterization of APN polynomials Let q = 2 m and let f be a polynomial mapping of F q in itself. We can rephrase the definition of an APN function. Proposition The function f : F q − → F q is APN if and only if the surface f ( x 0 ) + f ( x 1 ) + f ( x 2 ) + f ( x 0 + x 1 + x 2 ) = 0 has all of its rational points contained in the surface ( x 0 + x 1 )( x 2 + x 1 )( x 0 + x 2 ) = 0 . 13

Outline APN functions Characterization of APN polynomials Lower bounds for the degree of an APN polynomial A first bound A second bound Some examples Some prospect 14

A first bound for the degree of an APN polynomial Theorem Let f be a polynomial mapping from F q to F q , d its degree. Suppose that the surface X with affine equation f ( x 0 ) + f ( x 1 ) + f ( x 2 ) + f ( x 0 + x 1 + x 2 ) = 0 ( x 0 + x 1 )( x 2 + x 1 )( x 0 + x 2 ) is absolutely irreducible. Then, if 9 ≤ d < 0 . 45 q 1 / 4 + 0 . 5 , f is not APN. 15

Sketch of proof ◮ The number of rational points on the surface X is bounded. 16

Sketch of proof ◮ The number of rational points on the surface X is bounded. From an improvement of Lang-Weil’s bound by Ghorpade-Lachaud, we deduce | # X ( F q ) − q 2 − q − 1 | ≤ ( d − 4 )( d − 5 ) q 3 / 2 + 18 d 4 q . 16

Sketch of proof ◮ The number of rational points on the surface X is bounded. From an improvement of Lang-Weil’s bound by Ghorpade-Lachaud, we deduce | # X ( F q ) − q 2 − q − 1 | ≤ ( d − 4 )( d − 5 ) q 3 / 2 + 18 d 4 q . ◮ If f is APN and d too large, then the surface X has too many rational points to be contained in the surface ( x 0 + x 1 )( x 2 + x 1 )( x 0 + x 2 ) = 0. 16

Irreducibility of X Criterion for the surface X to be irreducible. Proposition Let f be a polynomial of F q to itself, d its degree. Let us suppose that the curve X ∞ with homogeneous equation x d 0 + x d 1 + x d 2 + ( x 0 + x 1 + x 2 ) d = 0 ( x 0 + x 1 )( x 2 + x 1 )( x 0 + x 2 ) is absolutely irreducible. 17