Further Results of the Cryptographic Properties on the Butterfly Structures

Recently, a new structure called butterfly introduced by Perrin et at. is attractive for that it has very good cryptographic properties: the differential uniformity is at most equal to 4 and algebraic degree is also very high when exponent $e=3$. It is conjecture that the nonlinearity is also optimal for every odd $k$, which was proposed as a open problem. In this paper, we further study the butterfly structures and show that these structure with exponent $e=2^i+1$ have also very good cryptographic properties. More importantly, we prove in theory the nonlinearity is optimal for every odd $k$, which completely solve the open problem. Finally, we study the butter structures with trivial coefficient and show these butterflies have also optimal nonlinearity. Furthermore, we show that the closed butterflies with trivial coefficient are bijective as well, which also can be used to serve as a cryptographic primitive.Comment: 20 page

On the Derivative Imbalance and Ambiguity of Functions

In 2007, Carlet and Ding introduced two parameters, denoted by $Nb_F$ and $NB_F$, quantifying respectively the balancedness of general functions $F$ between finite Abelian groups and the (global) balancedness of their derivatives $D_a F(x)=F(x+a)-F(x)$, $a\in G\setminus\{0\}$ (providing an indicator of the nonlinearity of the functions). These authors studied the properties and cryptographic significance of these two measures. They provided for S-boxes inequalities relating the nonlinearity $\mathcal{NL}(F)$ to $NB_F$, and obtained in particular an upper bound on the nonlinearity which unifies Sidelnikov-Chabaud-Vaudenay's bound and the covering radius bound. At the Workshop WCC 2009 and in its postproceedings in 2011, a further study of these parameters was made; in particular, the first parameter was applied to the functions $F+L$ where $L$ is affine, providing more nonlinearity parameters. In 2010, motivated by the study of Costas arrays, two parameters called ambiguity and deficiency were introduced by Panario \emph{et al.} for permutations over finite Abelian groups to measure the injectivity and surjectivity of the derivatives respectively. These authors also studied some fundamental properties and cryptographic significance of these two measures. Further studies followed without that the second pair of parameters be compared to the first one. In the present paper, we observe that ambiguity is the same parameter as $NB_F$, up to additive and multiplicative constants (i.e. up to rescaling). We make the necessary work of comparison and unification of the results on $NB_F$, respectively on ambiguity, which have been obtained in the five papers devoted to these parameters. We generalize some known results to any Abelian groups and we more importantly derive many new results on these parameters

A Recursive Construction of Permutation Polynomials over Fq2\mathbb{F}_{q^2} with Odd Characteristic from R\'{e}dei Functions

In this paper, we construct two classes of permutation polynomials over $\mathbb{F}_{q^2}$ with odd characteristic from rational R\'{e}dei functions. A complete characterization of their compositional inverses is also given. These permutation polynomials can be generated recursively. As a consequence, we can generate recursively permutation polynomials with arbitrary number of terms. More importantly, the conditions of these polynomials being permutations are very easy to characterize. For wide applications in practice, several classes of permutation binomials and trinomials are given. With the help of a computer, we find that the number of permutation polynomials of these types is very large

A practical state recovery attack on the stream cipher Sablier v1

Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication \textup{Au}. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity about $2^{44}$ operations and data complexity about 24 of 16-bit keywords. Our attack is practical in the workstation. It is noticed that the update of the internal state of Sablier v1 is invertible, thus our attack can further deduce a key recovery attack and a forgery attack against the authenticated encryption Sablier. The result shows that Sablier v1 is far from the goal of its security design (80-bit level)

Involutory Differentially 4-Uniform Permutations from Known Constructions

Substitution box (S-box) is an important component of block ciphers for providing confusion into the cryptosystems. The functions used as S-boxes should have low differential uniformity, high nonlinearity and high algebraic degree. Due to the lack of knowledge on the existence of APN permutations over $\mathbb{F}_{2^{2k}}$, which have the lowest differential uniformity, when $k>3$, they are often constructed from differentially 4-uniform permutations. Up to now, many infinite families of such functions have been constructed. Besides, the less cost of hardware implementation of S-boxes is also an important criterion in the design of block ciphers. If the S-box is an involution, which means that the compositional inverse of the permutation is itself, then the implementation cost for its inverse is saved. The same hardware circuit can be used for both encryption and decryption, which is an advantage in hardware implementation. In this paper, we investigate all the differentially 4-uniform permutations that are known in the literature and determine whether they can be involutory. We found that some involutory differentially 4-uniform permutations with high nonlinearity and algebraic degree can be given from these known constructions

A realtime key recovery attack on the authenticated cipher FASER128

FASER is a family of authenticated ciphers submitted to the CAESAR competition, which contains two parent ciphers: FASER128 and FASER256. In this work we only focus on FASER128 and present a key recovery attack to FASER128, which needs at most 64 key words and is realtime in a PC. The result shows that FASER128 is very insecure. What\u27s more, our attack can be easily applied to FASER256 and break it entirely

On Algebraic Immunity of Trace Inverse Functions over Finite Fields with Characteristic Two

The trace inverse function \Tr(\lambda x^{-1}) over the finite field $\mathbb{F}_{2^n}$ is a class of very important Boolean functions and has be used in many stream ciphers, for example, SFINKS, RAKAPOSHI, the simple counter stream cipher presented by W. Si and C.S. Ding, etc. In order to evaluate the security of those algorithms in assistance to (fast) algebraic attacks, it is essential to algebraic properties of \Tr(\lambda x^{-1}). However, currently only some bounds on algebraic immunity of \Tr(\lambda x^{-1}) are given in public literature. In this work we give the exact value of \Tr(\lambda x^{-1}) over finite fields $\mathbb{F}_{2^n}$, that is, \AI(\Tr(\lambda x^{-1}))=\floor{\sqrt{n}}+\ceil{\frac{n}{\floor{\sqrt{n}}}}-2=\ceil{2\sqrt{n}}-2, where $n\ge2$, $\lambda\in \mathbb{F}_{2^n}$ and $\lambda\ne0$, which is just the upper bound given by Y. Nawaz et al. And at the same time our result shows that D.K. Dalai\u27 conjecture on the algebraic immunity of \Tr(\lambda x^{-1}) is correct. What is more, we further demonstrate some weak properties of \Tr(\lambda x^{-1}) in resistance to fast algebraic attacks

On Two Factors Affecting the Efficiency of MILP Models in Automated Cryptanalyses

In recent years, mixed integer linear programming (MILP, in short) gradually becomes a popular tool of automated cryptanalyses in symmetric ciphers, which can be used to search differential characteristics and linear approximations with high probability/correlation. A key problem in the MILP method is how to build a proper model that can be solved efficiently in the MILP solvers like Gurobi or Cplex. It is known that a MILP problem is NP-hard, and the numbers of variables and inequalities are two important measures of its scale and time complexity. Whilst the solution space and the variables in many MILP models built for symmetric cryptanalyses are fixed without introducing dummy variables, the cardinality, i.e., the number of inequalities, is a main factor that might affect the runtime of MILP models. We notice that the norm of a MILP model, i.e., the maximal absolute value of all coefficients in its inequalities, is also an important factor affecting its runtime. In this work we will illustrate the effects of two parameters cardinality and norm of inequalities on the runtime of Gurobi by a large number of cryptanalysis experiments. Here we choose the popular MILP solver Gurobi and view it a black box, construct a large number of MILP models with different cardinalities or norms by means of differential analyses and impossible differential analyses for some classic block ciphers with SPN structure, and observe their runtimes in Gurobi. As a result, our experiments show that although minimizing the number of inequalities and the norm of coefficients might not always minimize the runtime, it is still a better choice in most situations