
    Further Results of the Cryptographic Properties on the Butterfly Structures

    Recently, a new structure called butterfly, introduced by Perrin et al., has attracted attention because it has very good cryptographic properties: the differential uniformity is at most 4 and the algebraic degree is also very high when the exponent is $e=3$. It was conjectured that the nonlinearity is also optimal for every odd $k$, which was proposed as an open problem. In this paper, we further study the butterfly structures and show that the structures with exponent $e=2^i+1$ also have very good cryptographic properties. More importantly, we prove in theory that the nonlinearity is optimal for every odd $k$, which completely solves the open problem. Finally, we study the butterfly structures with trivial coefficient and show that these butterflies also have optimal nonlinearity. Furthermore, we show that the closed butterflies with trivial coefficient are bijective as well, so they can also serve as a cryptographic primitive.
    Comment: 20 pages

    On the Derivative Imbalance and Ambiguity of Functions

    In 2007, Carlet and Ding introduced two parameters, denoted by $Nb_F$ and $NB_F$, quantifying respectively the balancedness of general functions $F$ between finite Abelian groups and the (global) balancedness of their derivatives $D_a F(x)=F(x+a)-F(x)$, $a\in G\setminus\{0\}$ (providing an indicator of the nonlinearity of the functions). These authors studied the properties and cryptographic significance of these two measures. They provided for S-boxes inequalities relating the nonlinearity $\mathcal{NL}(F)$ to $NB_F$, and obtained in particular an upper bound on the nonlinearity which unifies the Sidelnikov-Chabaud-Vaudenay bound and the covering radius bound. At the Workshop WCC 2009 and in its postproceedings in 2011, a further study of these parameters was made; in particular, the first parameter was applied to the functions $F+L$ where $L$ is affine, providing more nonlinearity parameters. In 2010, motivated by the study of Costas arrays, two parameters called ambiguity and deficiency were introduced by Panario et al. for permutations over finite Abelian groups to measure the injectivity and surjectivity of the derivatives respectively. These authors also studied some fundamental properties and cryptographic significance of these two measures. Further studies followed without the second pair of parameters being compared to the first one. In the present paper, we observe that ambiguity is the same parameter as $NB_F$, up to additive and multiplicative constants (i.e. up to rescaling). We carry out the necessary work of comparison and unification of the results on $NB_F$, respectively on ambiguity, which have been obtained in the five papers devoted to these parameters. We generalize some known results to any Abelian group and, more importantly, we derive many new results on these parameters.

    A Recursive Construction of Permutation Polynomials over $\mathbb{F}_{q^2}$ with Odd Characteristic from Rédei Functions

    In this paper, we construct two classes of permutation polynomials over $\mathbb{F}_{q^2}$ with odd characteristic from rational Rédei functions. A complete characterization of their compositional inverses is also given. These permutation polynomials can be generated recursively. As a consequence, we can recursively generate permutation polynomials with an arbitrary number of terms. More importantly, the conditions for these polynomials to be permutations are very easy to characterize. For wide applications in practice, several classes of permutation binomials and trinomials are given. With the help of a computer, we find that the number of permutation polynomials of these types is very large.

    Quantum Circuits of AES with a Low-depth Linear Layer and a New Structure

    In recent years quantum computing has developed rapidly. The security threat posed by quantum computing to cryptography makes it necessary to better evaluate the resource cost of attacking algorithms, some of which require quantum implementations of the attacked cryptographic building blocks. In this paper we optimize quantum circuits of AES in several aspects. Firstly, based on the greedy algorithm of de Brugière et al., we propose an improved depth-oriented algorithm for synthesizing low-depth CNOT circuits with no ancilla qubits. Our algorithm finds a CNOT circuit of AES MixColumns with depth 10, which breaks the recent record of depth 16. In addition, our algorithm gives low-depth CNOT circuits for many MDS matrices and matrices used in block ciphers studied in related work. Secondly, we present a new structure named the compressed pipeline structure to synthesize quantum circuits of AES, which can be used for constructing quantum oracles employed in quantum attacks based on Grover's and Simon's algorithms. When the number of ancilla qubits required by the round function and its inverse is not very large, our structure will have a better trade-off of $D$-$W$ cost. We then give detailed quantum circuits of AES-128 under the guidance of our structure and make some comparisons with other circuits. Finally, our encryption circuit and key schedule circuit have their own application scenarios. The encryption oracle used in Simon's algorithm built with the former will have smaller depth. For example, we can construct an AES-128 encryption oracle with $T$-depth 33, while the previous best result is 60. A small variant of the latter, along with our method to make an S-box input-invariant, can avoid the allocation of extra ancilla qubits for storing key words in the shallowed pipeline structure. Based on this, we achieve a quantum circuit of AES-128 with the lowest $TofD$-$W$ cost to date, 130720.

    A practical state recovery attack on the stream cipher Sablier v1

    Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication Au. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity of about $2^{44}$ operations and data complexity of about 24 16-bit keywords. Our attack is practical on a workstation. We note that the update of the internal state of Sablier v1 is invertible, so our attack can further be extended to a key recovery attack and a forgery attack against the authenticated encryption Sablier. The result shows that Sablier v1 is far from the goal of its security design (80-bit level).

    Involutory Differentially 4-Uniform Permutations from Known Constructions

    The substitution box (S-box) is an important component of block ciphers for providing confusion in the cryptosystem. The functions used as S-boxes should have low differential uniformity, high nonlinearity and high algebraic degree. Due to the lack of knowledge on the existence of APN permutations over $\mathbb{F}_{2^{2k}}$, which have the lowest differential uniformity, when $k>3$, they are often constructed from differentially 4-uniform permutations. Up to now, many infinite families of such functions have been constructed. Besides, a low cost of hardware implementation of S-boxes is also an important criterion in the design of block ciphers. If the S-box is an involution, which means that the compositional inverse of the permutation is itself, then the implementation cost for its inverse is saved. The same hardware circuit can be used for both encryption and decryption, which is an advantage in hardware implementation. In this paper, we investigate all the differentially 4-uniform permutations that are known in the literature and determine whether they can be involutory. We find that some involutory differentially 4-uniform permutations with high nonlinearity and algebraic degree can be obtained from these known constructions.

    A realtime key recovery attack on the authenticated cipher FASER128

    FASER is a family of authenticated ciphers submitted to the CAESAR competition, which contains two parent ciphers: FASER128 and FASER256. In this work we focus only on FASER128 and present a key recovery attack on FASER128, which needs at most 64 key words and runs in real time on a PC. The result shows that FASER128 is very insecure. What's more, our attack can be easily applied to FASER256 and breaks it entirely.

    On Algebraic Immunity of Trace Inverse Functions over Finite Fields with Characteristic Two

    The trace inverse function $\mathrm{Tr}(\lambda x^{-1})$ over the finite field $\mathbb{F}_{2^n}$ is a class of very important Boolean functions and has been used in many stream ciphers, for example, SFINKS, RAKAPOSHI, the simple counter stream cipher presented by W. Si and C.S. Ding, etc. In order to evaluate the security of those algorithms against (fast) algebraic attacks, it is essential to study the algebraic properties of $\mathrm{Tr}(\lambda x^{-1})$. However, currently only some bounds on the algebraic immunity of $\mathrm{Tr}(\lambda x^{-1})$ are given in the public literature. In this work we give the exact value of the algebraic immunity of $\mathrm{Tr}(\lambda x^{-1})$ over finite fields $\mathbb{F}_{2^n}$, that is, $\mathrm{AI}(\mathrm{Tr}(\lambda x^{-1}))=\lfloor\sqrt{n}\rfloor+\lceil n/\lfloor\sqrt{n}\rfloor\rceil-2=\lceil 2\sqrt{n}\rceil-2$, where $n\ge 2$, $\lambda\in\mathbb{F}_{2^n}$ and $\lambda\ne 0$, which is exactly the upper bound given by Y. Nawaz et al. At the same time, our result shows that D.K. Dalai's conjecture on the algebraic immunity of $\mathrm{Tr}(\lambda x^{-1})$ is correct. What is more, we further demonstrate some weak properties of $\mathrm{Tr}(\lambda x^{-1})$ in resistance to fast algebraic attacks.