51 research outputs found

    Maiorana-McFarland class: Degree optimization and algebraic properties

    Key differentiation attacks on stream ciphers

    In this paper the applicability of the differential cryptanalytic tool to stream ciphers is elaborated using an algebraic representation similar to Shannon's early postulates regarding the concept of confusion. In 2007, Biham and Dunkelman \cite{BihDunk} formally introduced the concept of differential cryptanalysis of stream ciphers by addressing three different scenarios of interest. Here we mainly consider the first scenario, where the key difference and/or IV difference influence the internal state of the cipher, $(\Delta \text{key}, \Delta \text{IV}) \rightarrow \Delta S$. We then show that under certain circumstances a chosen-IV attack may be transformed into a chosen-key attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we can identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then by differentiating the internal state variables (through the chosen-IV attack scenario) we are able to eliminate the presence of the corresponding key variables. The method leads to an attack whose complexity is beyond exhaustive search whenever the cipher admits an exact algebraic description of its internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slowly as a function of the secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher \cite{Trivium}; in this case 12 linear relations could be identified, but at the same time the same 12 key variables appear in another part of the state register. Still, a significant decrease in the degree and complexity of the state bit expressions after the KSA is achieved. Computer simulations, currently in progress, will answer the question of for what number of initialization rounds the attack is faster than exhaustive search.

    Improving the lower bound on the maximum nonlinearity of 1-resilient Boolean functions and designing functions satisfying all cryptographic criteria

    In this paper, we improve the lower bound on the maximum nonlinearity of 1-resilient Boolean functions, for $n$ even, by proposing a method of constructing this class of functions that attains the best nonlinearity currently known. Thus, for the first time, at least for small values of $n$, the upper bound on nonlinearity can be reached in a deterministic manner, in contrast to the heuristic search methods proposed previously. The nonlinearity of these functions is extremely close to the maximum nonlinearity attained by bent functions, and it might be the case that this is the highest possible nonlinearity of 1-resilient functions. Apart from this theoretical contribution, it turns out that the cryptographic properties of these functions are overall good, apart from their moderate resistance to fast algebraic attacks (FAA). This weakness is repaired by a suitable modification of the original functions, giving a class of balanced functions with almost optimal resistance to FAA whose nonlinearity is better than that of other methods.

    Design and analysis of bent functions using $\mathcal{M}$-subspaces

    In this article, we provide the first systematic analysis of bent functions $f$ on $\mathbb{F}_2^{n}$ in the Maiorana-McFarland class $\mathcal{MM}$ regarding the origin and cardinality of their $\mathcal{M}$-subspaces, i.e., vector subspaces on which the second-order derivatives of $f$ vanish. By imposing restrictions on permutations $\pi$ of $\mathbb{F}_2^{n/2}$, we specify the conditions such that Maiorana-McFarland bent functions $f(x,y)=x\cdot \pi(y) + h(y)$ admit a unique $\mathcal{M}$-subspace of dimension $n/2$. On the other hand, we show that permutations $\pi$ with linear structures give rise to Maiorana-McFarland bent functions that do not have this property. In this way, we contribute to the classification of Maiorana-McFarland bent functions, since the number of $\mathcal{M}$-subspaces is invariant under equivalence. Additionally, we give several generic methods of specifying permutations $\pi$ so that $f\in\mathcal{MM}$ admits a unique $\mathcal{M}$-subspace. Most notably, using the knowledge about $\mathcal{M}$-subspaces, we show that the bent 4-concatenation of four suitably chosen Maiorana-McFarland bent functions generates, in a generic manner, bent functions on $\mathbb{F}_2^{n}$ outside the completed Maiorana-McFarland class $\mathcal{MM}^\#$ for any even $n\geq 8$. Remarkably, with our construction methods it is possible to obtain inequivalent bent functions on $\mathbb{F}_2^8$ not stemming from the two primary classes, the partial spread class $\mathcal{PS}$ and $\mathcal{MM}$. In this way, we contribute to a better understanding of the origin of bent functions in eight variables, since only a small fraction, of size about $2^{76}$, stems from $\mathcal{PS}$ and $\mathcal{MM}$, whereas the total number of bent functions on $\mathbb{F}_2^8$ is approximately $2^{106}$.

    Cycle structure of generalized and closed loop invariants

    This article gives a rigorous mathematical treatment of generalized and closed loop invariants (CLI), which extend the standard notion of (nonlinear) invariants used in the cryptanalysis of block ciphers. Employing the cycle structure of bijective S-box components, we precisely characterize the cardinality of both generalized invariants and CLIs. We demonstrate that for many S-boxes used in practice, quadratic invariants (especially useful for mounting practical attacks when the linear layer is an orthogonal matrix) might not exist, whereas there are many quadratic invariants of generalized type (alternatively, quadratic CLIs). In particular, it is shown that the inverse mapping $S(x)=x^{-1}$ over $GF(2^4)$ admits quadratic CLIs that additionally possess linear structures. The use of cycle structure is further refined through the novel concept of an active cycle set, which turns out to be useful for defining invariants of the whole substitution layer. We present an algorithm for finding such invariants, given knowledge of the cycle structure of the constituent S-boxes.

    Construction of resilient S-boxes with higher-dimensional vectorial outputs and strictly almost optimal nonlinearity

    Resilient substitution boxes (S-boxes) with high nonlinearity are important cryptographic primitives in the design of certain encryption algorithms. There are several trade-offs between the most important cryptographic parameters, and their simultaneous optimization is regarded as a difficult task. In this paper we provide a construction technique to obtain resilient S-boxes with so-called strictly almost optimal (SAO) nonlinearity for a larger number of output bits $m$ than previously known. This is the first time that the nonlinearity bound $2^{n-1}-2^{n/2}$ of resilient $(n,m)$ S-boxes, where $n$ and $m$ denote the number of input and output bits respectively, has been exceeded for $m>\lfloor\frac{n}{4}\rfloor$. Thus, resilient S-boxes with extremely high nonlinearity and a larger output space compared to other design methods have been obtained.

    Permutations via linear translators

    We show that many infinite classes of permutations over finite fields can be constructed via translators with a large choice of parameters. We first characterize some functions having linear translators, based on which several families of permutations are then derived. Extending the results of \cite{kyu}, we give in several cases the compositional inverse of these permutations. The connection with complete permutations is also utilized to provide further infinite classes of permutations. Moreover, we propose new tools to study permutations of the form $x\mapsto x+(x^{p^m}-x+\delta)^s$, and a few infinite classes of permutations of this form are proposed.