40 research outputs found
Further Results of the Cryptographic Properties on the Butterfly Structures
Recently, a new structure called butterfly introduced by Perrin et al. is
attractive in that it has very good cryptographic properties: the differential
uniformity is at most equal to 4 and the algebraic degree is also very high when
exponent . It is conjectured that the nonlinearity is also optimal for
every odd , which was proposed as an open problem. In this paper, we further
study the butterfly structures and show that these structures with exponent
also have very good cryptographic properties. More importantly, we
prove in theory that the nonlinearity is optimal for every odd , which completely
solves the open problem. Finally, we study the butterfly structures with trivial
coefficient and show that these butterflies also have optimal nonlinearity.
Furthermore, we show that the closed butterflies with trivial coefficient are
bijective as well, which can also be used to serve as a cryptographic
primitive. Comment: 20 pages
On the Derivative Imbalance and Ambiguity of Functions
In 2007, Carlet and Ding introduced two parameters, denoted by and
, quantifying respectively the balancedness of general functions
between finite Abelian groups and the (global) balancedness of their
derivatives , (providing an
indicator of the nonlinearity of the functions). These authors studied the
properties and cryptographic significance of these two measures. They provided
for S-boxes inequalities relating the nonlinearity to ,
and obtained in particular an upper bound on the nonlinearity which unifies
Sidelnikov-Chabaud-Vaudenay's bound and the covering radius bound. At the
Workshop WCC 2009 and in its postproceedings in 2011, a further study of these
parameters was made; in particular, the first parameter was applied to the
functions where is affine, providing more nonlinearity parameters.
In 2010, motivated by the study of Costas arrays, two parameters called
ambiguity and deficiency were introduced by Panario et al. for
permutations over finite Abelian groups to measure the injectivity and
surjectivity of the derivatives respectively. These authors also studied some
fundamental properties and cryptographic significance of these two measures.
Further studies followed without the second pair of parameters being compared
to the first one.
In the present paper, we observe that ambiguity is the same parameter as
, up to additive and multiplicative constants (i.e. up to rescaling). We
make the necessary work of comparison and unification of the results on ,
respectively on ambiguity, which have been obtained in the five papers devoted
to these parameters. We generalize some known results to any Abelian groups and
we more importantly derive many new results on these parameters.
A Recursive Construction of Permutation Polynomials over with Odd Characteristic from Rédei Functions
In this paper, we construct two classes of permutation polynomials over
with odd characteristic from rational Rédei functions. A
complete characterization of their compositional inverses is also given. These
permutation polynomials can be generated recursively. As a consequence, we can
generate recursively permutation polynomials with arbitrary number of terms.
More importantly, the conditions of these polynomials being permutations are
very easy to characterize. For wide applications in practice, several classes
of permutation binomials and trinomials are given. With the help of a computer,
we find that the number of permutation polynomials of these types is very
large.
Quantum Circuits of AES with a Low-depth Linear Layer and a New Structure
In recent years quantum computing has developed rapidly. The security threat posed by quantum computing to cryptography makes it necessary to better evaluate the resource cost of attacking algorithms, some of which require quantum implementations of the attacked cryptographic building blocks. In this paper we manage to optimize quantum circuits of AES in several aspects. Firstly, based on de Brugière et al.'s greedy algorithm, we propose an improved depth-oriented algorithm for synthesizing low-depth CNOT circuits with no ancilla qubits. Our algorithm finds a CNOT circuit of AES MixColumns with depth 10, which breaks a recent record of depth 16. In addition, our algorithm gives low-depth CNOT circuits for many MDS matrices and matrices used in block ciphers studied in related work. Secondly, we present a new structure named compressed pipeline structure to synthesize quantum circuits of AES, which can be used for constructing quantum oracles employed in quantum attacks based on Grover and Simon's algorithms. When the number of ancilla qubits required by the round function and its inverse is not very large, our structure will have a better trade-off of - cost. We then give detailed quantum circuits of AES-128 under the guidance of our structure and make some comparisons with other circuits. Finally, our encryption circuit and key schedule circuit have their own application scenarios. The Encryption oracle used in Simon's algorithm built with the former will have smaller depth. For example, we can construct an AES-128 Encryption oracle with -depth 33, while the previous best result is 60. A small variant of the latter, along with our method to make an Sbox input-invariant, can avoid the allocation of extra ancilla qubits for storing key words in the shallowed pipeline structure. Based on this, we achieve a quantum circuit of AES-128 with the lowest - cost 130720 to date.
A practical state recovery attack on the stream cipher Sablier v1
Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication Au. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity about operations and data complexity about 24 of 16-bit keywords. Our attack is practical in the workstation. It is noticed that the update of the internal state of Sablier v1 is invertible, thus our attack can further deduce a key recovery attack and a forgery attack against the authenticated encryption Sablier. The result shows that Sablier v1 is far from the goal of its security design (80-bit level).
Involutory Differentially 4-Uniform Permutations from Known Constructions
The substitution box (S-box) is an important component of block ciphers for providing confusion in the cryptosystems. The functions used as S-boxes should have low differential uniformity, high nonlinearity and high algebraic degree. Due to the lack of knowledge on the existence of APN permutations over , which have the lowest differential uniformity, when , they are often constructed from differentially 4-uniform permutations. Up to now, many infinite families of such functions have been constructed. Besides, a lower cost of hardware implementation of S-boxes is also an important criterion in the design of block ciphers. If the S-box is an involution, which means that the compositional inverse of the permutation is itself, then the implementation cost for its inverse is saved. The same hardware circuit can be used for both encryption and decryption, which is an advantage in hardware implementation. In this paper, we investigate all the differentially 4-uniform permutations that are known in the literature and determine whether they can be involutory. We found that some involutory differentially 4-uniform permutations with high nonlinearity and algebraic degree can be given from these known constructions.
A realtime key recovery attack on the authenticated cipher FASER128
FASER is a family of authenticated ciphers submitted to the CAESAR competition, which contains two parent ciphers: FASER128 and FASER256. In this work we only focus on FASER128 and present a key recovery attack on FASER128, which needs at most 64 key words and is realtime on a PC. The result shows that FASER128 is very insecure. What's more, our attack can be easily applied to FASER256 and break it entirely.
On Algebraic Immunity of Trace Inverse Functions over Finite Fields with Characteristic Two
The trace inverse function $\mathrm{Tr}(\lambda x^{-1})$ over the finite field is a class of very important Boolean functions and has been used in many stream ciphers, for example, SFINKS, RAKAPOSHI, the simple counter stream cipher presented by W. Si and C.S. Ding, etc. In order to evaluate the security of those algorithms in resistance to (fast) algebraic attacks, it is essential to know the algebraic properties of $\mathrm{Tr}(\lambda x^{-1})$. However, currently only some bounds on the algebraic immunity of $\mathrm{Tr}(\lambda x^{-1})$ are given in public literature. In this work we give the exact value of $\mathrm{Tr}(\lambda x^{-1})$ over finite fields , that is, $\mathrm{AI}(\mathrm{Tr}(\lambda x^{-1}))=\lfloor\sqrt{n}\rfloor+\lceil\frac{n}{\lfloor\sqrt{n}\rfloor}\rceil-2=\lceil 2\sqrt{n}\rceil-2$, where , and , which is just the upper bound given by Y. Nawaz et al. At the same time, our result shows that D.K. Dalai's conjecture on the algebraic immunity of $\mathrm{Tr}(\lambda x^{-1})$ is correct. What is more, we further demonstrate some weak properties of $\mathrm{Tr}(\lambda x^{-1})$ in resistance to fast algebraic attacks.