Further Results of the Cryptographic Properties on the Butterfly Structures

Recently, a new structure called butterfly introduced by Perrin et at. is attractive for that it has very good cryptographic properties: the differential uniformity is at most equal to 4 and algebraic degree is also very high when exponent $e=3$. It is conjecture that the nonlinearity is also optimal for every odd $k$, which was proposed as a open problem. In this paper, we further study the butterfly structures and show that these structure with exponent $e=2^i+1$ have also very good cryptographic properties. More importantly, we prove in theory the nonlinearity is optimal for every odd $k$, which completely solve the open problem. Finally, we study the butter structures with trivial coefficient and show these butterflies have also optimal nonlinearity. Furthermore, we show that the closed butterflies with trivial coefficient are bijective as well, which also can be used to serve as a cryptographic primitive.Comment: 20 page

On the Derivative Imbalance and Ambiguity of Functions

In 2007, Carlet and Ding introduced two parameters, denoted by $Nb_F$ and $NB_F$, quantifying respectively the balancedness of general functions $F$ between finite Abelian groups and the (global) balancedness of their derivatives $D_a F(x)=F(x+a)-F(x)$, $a\in G\setminus\{0\}$ (providing an indicator of the nonlinearity of the functions). These authors studied the properties and cryptographic significance of these two measures. They provided for S-boxes inequalities relating the nonlinearity $\mathcal{NL}(F)$ to $NB_F$, and obtained in particular an upper bound on the nonlinearity which unifies Sidelnikov-Chabaud-Vaudenay's bound and the covering radius bound. At the Workshop WCC 2009 and in its postproceedings in 2011, a further study of these parameters was made; in particular, the first parameter was applied to the functions $F+L$ where $L$ is affine, providing more nonlinearity parameters. In 2010, motivated by the study of Costas arrays, two parameters called ambiguity and deficiency were introduced by Panario \emph{et al.} for permutations over finite Abelian groups to measure the injectivity and surjectivity of the derivatives respectively. These authors also studied some fundamental properties and cryptographic significance of these two measures. Further studies followed without that the second pair of parameters be compared to the first one. In the present paper, we observe that ambiguity is the same parameter as $NB_F$, up to additive and multiplicative constants (i.e. up to rescaling). We make the necessary work of comparison and unification of the results on $NB_F$, respectively on ambiguity, which have been obtained in the five papers devoted to these parameters. We generalize some known results to any Abelian groups and we more importantly derive many new results on these parameters

A Recursive Construction of Permutation Polynomials over Fq2\mathbb{F}_{q^2} with Odd Characteristic from R\'{e}dei Functions

In this paper, we construct two classes of permutation polynomials over $\mathbb{F}_{q^2}$ with odd characteristic from rational R\'{e}dei functions. A complete characterization of their compositional inverses is also given. These permutation polynomials can be generated recursively. As a consequence, we can generate recursively permutation polynomials with arbitrary number of terms. More importantly, the conditions of these polynomials being permutations are very easy to characterize. For wide applications in practice, several classes of permutation binomials and trinomials are given. With the help of a computer, we find that the number of permutation polynomials of these types is very large

A realtime key recovery attack on the authenticated cipher FASER128

FASER is a family of authenticated ciphers submitted to the CAESAR competition, which contains two parent ciphers: FASER128 and FASER256. In this work we only focus on FASER128 and present a key recovery attack to FASER128, which needs at most 64 key words and is realtime in a PC. The result shows that FASER128 is very insecure. What\u27s more, our attack can be easily applied to FASER256 and break it entirely

A practical state recovery attack on the stream cipher Sablier v1

Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication \textup{Au}. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity about $2^{44}$ operations and data complexity about 24 of 16-bit keywords. Our attack is practical in the workstation. It is noticed that the update of the internal state of Sablier v1 is invertible, thus our attack can further deduce a key recovery attack and a forgery attack against the authenticated encryption Sablier. The result shows that Sablier v1 is far from the goal of its security design (80-bit level)

On Two Factors Affecting the Efficiency of MILP Models in Automated Cryptanalyses

In recent years, mixed integer linear programming (MILP, in short) gradually becomes a popular tool of automated cryptanalyses in symmetric ciphers, which can be used to search differential characteristics and linear approximations with high probability/correlation. A key problem in the MILP method is how to build a proper model that can be solved efficiently in the MILP solvers like Gurobi or Cplex. It is known that a MILP problem is NP-hard, and the numbers of variables and inequalities are two important measures of its scale and time complexity. Whilst the solution space and the variables in many MILP models built for symmetric cryptanalyses are fixed without introducing dummy variables, the cardinality, i.e., the number of inequalities, is a main factor that might affect the runtime of MILP models. We notice that the norm of a MILP model, i.e., the maximal absolute value of all coefficients in its inequalities, is also an important factor affecting its runtime. In this work we will illustrate the effects of two parameters cardinality and norm of inequalities on the runtime of Gurobi by a large number of cryptanalysis experiments. Here we choose the popular MILP solver Gurobi and view it a black box, construct a large number of MILP models with different cardinalities or norms by means of differential analyses and impossible differential analyses for some classic block ciphers with SPN structure, and observe their runtimes in Gurobi. As a result, our experiments show that although minimizing the number of inequalities and the norm of coefficients might not always minimize the runtime, it is still a better choice in most situations

Fault Attack on the Authenticated Cipher ACORN v2

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than c·2179.19-1.76N at worst, where N is the number of fault injections such that 31≤N≤88 and c is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers

A Framework with Improved Heuristics to Optimize Low-Latency Implementations of Linear Layers

In recent years, lightweight cryptography has been a hot field in symmetric cryptography. One of the most crucial problems is to find low-latency implementations of linear layers. The current main heuristic search methods include the Boyar-Peralta (BP) algorithm with depth limit and the backward search. In this paper we firstly propose two improved BP algorithms with depth limit mainly by minimizing the Euclidean norm of the new distance vector instead of maximizing it in the tie-breaking process of the BP algorithm. They can significantly increase the potential for finding better results. Furthermore, we give a new framework that combines forward search with backward search to expand the search space of implementations, where the forward search is one of the two improved BP algorithms. In the new framework, we make a minor adjustment of the priority of rules in the backward search process to enable the exploration of a significantly larger search space. As results, we find better results for the most of matrices studied in previous works. For example, we find an implementation of AES MixColumns of depth 3 with 99 XOR gates, which represents a substantial reduction of 3 XOR gates compared to the existing record of 102 XOR gates