48 research outputs found

    Cycle structure of generalized and closed loop invariants

    This article gives a rigorous mathematical treatment of generalized and closed loop invariants (CLI) which extend the standard notion of (nonlinear) invariants used in the cryptanalysis of block ciphers. Employing the cycle structure of bijective S-box components, we precisely characterize the cardinality of both generalized and CLIs. We demonstrate that for many S-boxes used in practice quadratic invariants (especially useful for mounting practical attacks in cases when the linear layer is an orthogonal matrix) might not exist, whereas there are many quadratic invariants of generalized type (alternatively quadratic CLIs). In particular, it is shown that the inverse mapping $S(x)=x^{-1}$ over $GF(2^4)$ admits quadratic CLIs that additionally possess linear structures. The use of cycle structure is further refined through a novel concept of active cycle set, which turns out to be useful for defining invariants of the whole substitution layer. We present an algorithm for finding such invariants provided the knowledge about the cycle structure of the constituent S-boxes used

    Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits

    The AES block cipher has a 128-bit block length and a user key of 128, 192 or 256 bits, released by NIST for data encryption in the USA; it became an ISO international standard in 2005. In 2008, Demirci and Selçuk gave a meet-in-the-middle attack on 7-round AES under 192 key bits. In 2009, Demirci et al. (incorrectly) described a new meet-in-the-middle attack on 7-round AES under 192 key bits. Subsequently, Dunkelman et al. described an attack on 8-round AES under 192 key bits by taking advantage of several advanced techniques, including one about the key schedule. In this paper, we show that by exploiting a simple observation on the key schedule, a meet-in-the-middle attack on 8-round AES under 192 key bits can be obtained from Demirci and Selçuk's and Demirci et al.'s work; and a more efficient attack can be obtained when taking into account Dunkelman et al.'s observation on the key schedule. In the single-key attack scenario, attacking 8 rounds is the best currently known cryptanalytic result for AES in terms of the numbers of attacked rounds, and our attack has a dramatically smaller data complexity than the currently known attacks on 8-round AES under 192 key bits

    Minimal binary linear codes - a general framework based on bent concatenation

    Minimal codes are characterized by the property that none of the codewords is covered by some other linearly independent codeword. We first show that the use of a bent function $g$ in the so-called direct sum of Boolean functions $h(x,y)=f(x)+g(y)$, where $f$ is arbitrary, induces minimal codes. This approach gives an infinite class of minimal codes of length $2^n$ and dimension $n+1$ (assuming that $h:\mathbb{F}_2^n \rightarrow \mathbb{F}_2$), whose weight distribution is exactly specified for certain choices of $f$. To increase the dimension of these codes with respect to their length, we introduce the concept of non-covering permutations (referring to the property of minimality) used to construct a bent function $g$ in $s$ variables, which allows us to employ a suitable subspace of derivatives of $g$ and generate minimal codes of dimension $s+s/2+1$ instead. Their exact weight distribution is also determined. In the second part of this article, we first provide an efficient method (with easily satisfied initial conditions) of generating minimal $[2^n,n+1]$ linear codes that cross the so-called Ashikhmin-Barg bound. This method is further extended for the purpose of generating minimal codes of larger dimension $n+s/2+2$, through the use of suitable derivatives along with the employment of non-covering permutations. To the best of our knowledge, the latter method is the most general framework for designing binary minimal linear codes that violate the Ashikhmin-Barg bound. More precisely, for a suitable choice of derivatives of $h(x,y)=f(x)+g(y)$, where $g$ is a bent function and $f$ satisfies certain minimality requirements, for any fixed $f$, one can derive a huge class of non-equivalent wide binary linear codes of the same length by varying the permutation $\phi$ when specifying the bent function $g(y_1,y_2)=\phi(y_2)\cdot y_1$ in the Maiorana-McFarland class. The weight distribution is given explicitly for any (suitable) $f$ when $\phi$ is an almost bent permutation

    Bent functions stemming from Maiorana-McFarland class being provably outside its completed version

    In the early nineties Carlet [1] introduced two new classes of bent functions, both derived from the Maiorana-McFarland ($\mathcal{M}$) class, and named them the $\mathcal{C}$ and $\mathcal{D}$ class, respectively. Apart from a subclass of $\mathcal{D}$, denoted by $\mathcal{D}_0$ by Carlet, which is provably outside the two main (completed) primary classes of bent functions, little is known about their efficient constructions. More importantly, both classes may easily remain in the underlying $\mathcal{M}$ class, which has already been remarked in [21]. Assuming the possibility of specifying a bent function $f$ that belongs to one of these two classes (apart from $\mathcal{D}_0$), the most important issue is then to determine whether $f$ is still contained in the known primary classes or lies outside their completed versions. In this article, we further elaborate on the analysis of the set of sufficient conditions given in [OutsideMM] concerning the specification of bent functions in $\mathcal{C}$ and $\mathcal{D}$ which are provably outside $\mathcal{M}$. It is shown that these conditions, related to bent functions in class $\mathcal{D}$, can be relaxed so that even those permutations whose component functions admit linear structures can still be used in the design. It is also shown that monomial permutations of the form $x^{2^r+1}$ have inverses which are never quadratic for $n>4$, which gives rise to an infinite class of bent functions in $\mathcal{C}$ but outside $\mathcal{M}$. Similarly, using a relaxed set of sufficient conditions for bent functions in $\mathcal{D}$ and outside $\mathcal{M}$, one explicit infinite class of such bent functions is identified. We also extend the inclusion property of certain subclasses of bent functions in $\mathcal{C}$ and $\mathcal{D}$, as addressed initially in [1,21], that are ultimately within the completed $\mathcal{M}$ class. Most notably, we specify another generic and explicit subclass of $\mathcal{D}$, which we call $\mathcal{D}_2^\star$, whose members are bent functions provably outside the completed $\mathcal{M}$ class

    Minimal $p$-ary codes from non-covering permutations

    In this article, we propose several generic methods for constructing minimal linear codes over the field $\mathbb{F}_p$. The first construction uses the method of direct sum of an arbitrary function $f:\mathbb{F}_{p^r}\to \mathbb{F}_p$ and a bent function $g:\mathbb{F}_{p^s}\to \mathbb{F}_p$ to induce minimal codes with parameters $[p^{r+s}-1,r+s+1]$ and minimum distance larger than $p^r(p-1)(p^{s-1}-p^{s/2-1})$. For the first time, we provide a general construction of linear codes from a subclass of non-weakly regular plateaued functions, which partially answers an open problem posed in [22]. The second construction deals with a bent function $g:\mathbb{F}_{p^m}\to \mathbb{F}_p$ and a subspace of suitable derivatives $U$ of $g$, i.e., functions of the form $g(y+a)-g(y)$ for some $a\in \mathbb{F}_{p^m}^*$. We also provide a sound generalization of the recently introduced concept of non-covering permutations [45]. Some important structural properties of this class of permutations are derived in this context. The most remarkable observation is that the class of non-covering permutations contains the class of APN power permutations (characterized by having two-to-one derivatives). Finally, the last general construction combines the previous two methods (direct sum, non-covering permutations and subspaces of derivatives) together with a bent function in the Maiorana-McFarland class to construct minimal codes (even those violating the Ashikhmin-Barg bound) with a larger dimension. This last method proves to be quite flexible since it can lead to several non-equivalent codes, depending to a great extent on the choice of the underlying non-covering permutation

    Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants

    The nonlinear invariant attack was introduced at ASIACRYPT 2016 by Todo et al. The attack has received extensive attention from the cryptographic community due to its practical application on the full-round block ciphers SCREAM, iSCREAM, and Midori64. However, the attack heavily relies on the choice of round constants and it becomes inefficient in the case these constants nonlinearly affect the so-called nonlinear invariants. In this article, to eliminate the impact from the round constants, a generalized nonlinear invariant attack which uses a pair of constants in the input of nonlinear invariants is proposed. The efficiency of this extended framework is practically confirmed by mounting a distinguishing attack on a variant of the full-round iSCREAM cipher under a class of $2^{80}$ weak keys. The considered variant of iSCREAM is however resistant against the nonlinear invariant attack of Todo et al. Furthermore, we investigate the resistance of block ciphers against generalized nonlinear invariant attacks with respect to the choice of round constants in an extended framework. We introduce a useful concept of closed-loop invariants of the substitution box (S-box) and show that the choice of robust round constants is closely related to the existence of linear structures of the closed-loop invariants of the substitution layer. In particular, we demonstrate that the design criterion for the round constants in Beierle et al.'s work at CRYPTO 2017 is not an optimal strategy. The round constants selected using this method may induce certain weaknesses that can be exploited in our generalized nonlinear invariant attack model. This scenario is efficiently demonstrated in the case of a slightly modified variant of the Midori64 block cipher

    Efficient probabilistic algorithm for estimating the algebraic properties of Boolean functions for large $n$

    Although several methods for estimating the resistance of a random Boolean function against (fast) algebraic attacks were proposed, these methods are usually infeasible in practice for a relatively large number of input variables $n$ (for instance $n\geq 30$) due to increased computational complexity. An efficient estimation of the resistance of a Boolean function (with a relatively large number of input variables $n$) against (fast) algebraic attacks appears to be a rather difficult task. In this paper, the concept of partial linear relations decomposition is introduced, which decomposes any given nonlinear Boolean function into many linear (affine) subfunctions by using disjoint sets of input variables. Based on this result, a general probabilistic decomposition algorithm for nonlinear Boolean functions is presented which gives a new framework for estimating the resistance of a Boolean function against (fast) algebraic attacks. It is shown that our new probabilistic method gives very tight estimates (lower and upper bound) and it only requires about $O(n^2 2^n)$ operations for a random Boolean function with $n$ variables, thus having much less time complexity than previously known algorithms

    On the construction of cryptographically significant Boolean functions using objects in projective geometry spaces

    Recently, several construction methods of highly nonlinear Boolean functions with relatively good algebraic properties were proposed. These approaches manage to optimize most of the relevant cryptographic criteria, but not all of them at the same time. Usually, either the nonlinearity bounds are rather loose (though the actual nonlinearity is relatively high) or the functions do not provide a good resistance to fast algebraic cryptanalysis. In this paper, we develop a theoretical framework for using objects in suitable projective geometry spaces for the construction of highly nonlinear Boolean functions. This allows us to establish tight bounds on the nonlinearity using simple counting arguments, thus avoiding rather complicated estimates of certain trace sums. Our method generates a class of almost fully optimized functions, that is, apart from very high nonlinearity the functions also have the maximum algebraic degree and optimal algebraic immunity. Compared to the classes of functions proposed by Carlet and Feng, Wang, and Zeng, our functions achieve a slightly better nonlinearity which is traded off against a little worse resistance against fast algebraic attacks. On the other hand, compared to the functions by Tang, and by Tu and Deng, our nonlinearity is somewhat lower, but the algebraic properties are slightly better. © 1963-2012 IEEE