No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
An APN permutation in dimension six
... Thus APN permutations offer an optimal resistance to both differential and boomerang attacks. However, over finite fields F 2 n with n even, which is the most interesting case in cryptography, the only known example of APN permutation is due to Dillon [4] over F 2 6 . The existence of APN permutations over F 2 n , n ≥ 8 even, is an open problem and often referred to as the Big APN Problem. ...
... While one might wonder if investigating non-permutation is worthy, and we believe that these questions and their answers may reveal results of interests that do have applications to cryptography. With one exception [4], all APN functions on even dimension are nonpermutations. In fact, even the known example from Ref. [4] is an APN permutation that is CCZ-equivalent to the known Kim (non-permutation) APN function. ...
... With one exception [4], all APN functions on even dimension are nonpermutations. In fact, even the known example from Ref. [4] is an APN permutation that is CCZ-equivalent to the known Kim (non-permutation) APN function. Moreover, it is known that the boomerang uniformity is not invariant under the CCZ or even extended affine equivalence, while the differential uniformity is invariant. ...
We consider the boomerang uniformity of an infinite class of (locally-APN) power maps and show that their boomerang uniformity over the finite field F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2^n}$$\end{document} is 2 and 4, when n≡0(mod4)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n \equiv 0 \pmod 4$$\end{document} and n≡2(mod4)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n \equiv 2 \pmod 4$$\end{document}, respectively. As a consequence, we show that for this class of power maps, the differential uniformity is strictly greater than their boomerang uniformity.
... It is known that no APN permutations of F 2 n exist when n = 2, 4. An APN permutation of F 2 6 was announced at the Fq9 conference in 2009 [2]. Its construction is based on the APN function κ(x) = x 3 + x 10 + ux 24 where u is a suitable primitive element of F 2 6 . ...
... The function κ is known as Kim function. APN permutations of F 2 6 are then constructed by applying a suitable CCZ equivalence transformation to the Kim function [2]; all examples constructed in [2] are mutually CCZ equivalent. ...
... The function κ is known as Kim function. APN permutations of F 2 6 are then constructed by applying a suitable CCZ equivalence transformation to the Kim function [2]; all examples constructed in [2] are mutually CCZ equivalent. ...
The problem of finding APN permutations of ${\mathbb F}_{2^n}$ where $n$ is even and $n>6$ has been called the Big APN Problem. Li, Li, Helleseth and Qu recently characterized APN functions defined on ${\mathbb F}_{q^2}$ of the form $f(x)=x^{3q}+a_1x^{2q+1}+a_2x^{q+2}+a_3x^3$, where $q=2^m$ and $m\ge 4$. We will call functions of this form Kim-type functions because they generalize the form of the Kim function that was used to construct an APN permutation of ${\mathbb F}_{2^6}$. We extend the result of Li, Li, Helleseth and Qu by proving that if a Kim-type function $f$ is APN and $m\ge 4$, then $f$ is affine equivalent to one of two Gold functions $G_1(x)=x^3$ or $G_2(x)=x^{2^{m-1}+1}$. Combined with the recent result of G\"{o}lo\u{g}lu and Langevin who proved that, for even $n$, Gold APN functions are never CCZ equivalent to permutations, it follows that for $m\ge 4$ Kim-type APN functions on ${\mathbb F}_{2^{2m}}$ are never CCZ equivalent to permutations.
... In Crypto'16, Perrin, Udovenko and Biryukov [19] investigated the only APN permutation over F 2 6 [2] by means of reverse-engineering and proposed the open butterfly and the closed butterfly structures. A generalized butterfly structure was later proposed in [4]. ...
... In Crypto'16, Perrin, Udovenko and Biryukov [19] analyzed the only known APN permutation over F 2 6 [2] and discovered that the APN permutation over F 2 6 has a simple decomposition relying on x 3 over F 2 3 . Based on the power permutation x e over F 2 n , they presented the open butterfly structure and the closed butterfly structure, which were later generalized in [4]. ...
... It's easy to check that ϕ i 's, i = 1, 2, 3, match the ones defined in (2). At the end of this section, we provide a lemma about some properties of the elements ϕ i 's which are characterized in Theorem 1. ...
Boomerang connectivity table is a new tool to characterize the vulnerability of cryptographic functions against boomerang attacks. Consequently, a cryptographic function is desired to have boomerang uniformity as low as its differential uniformity. Based on generalized butterfly structures recently introduced by Canteaut, Duval and Perrin, this paper presents infinite families of permutations of \({\mathbb {F}}_{2^{2n}}\) for a positive odd integer n, which have the best known nonlinearity and boomerang uniformity 4. Both open and closed butterfly structures are considered. The open butterflies, according to experimental results, appear not to produce permutations with boomerang uniformity 4. On the other hand, from the closed butterflies we derive a condition on coefficients \(\alpha , \beta \in {\mathbb {F}}_{2^n}\) such that the functions $$\begin{aligned} V_i(x,y) := (R_i(x,y), R_i(y,x)), \end{aligned}$$where \(R_i(x,y)=(x+\alpha y)^{2^i+1}+\beta y^{2^i+1}\) and \(\gcd (i,n)=1\), permute \({{\mathbb {F}}}_{2^n}^2\) and have boomerang uniformity 4. In addition, experimental results for \(n=3, 5\) indicate that the proposed condition seems to cover all such permutations \(V_i(x,y)\) with boomerang uniformity 4.
... One of the most important open problems concerning APN permutations is their existence in even dimensions. Dillon et al. [5] constructed an APN permutation of 2 6 in 2009 but since then, no new APN permutations in even dimension have been found. The question of the existence of APN permutations in even dimension greater than six is known as the Big APN Problem. ...
... Some WZ spaces of Gold functions in odd dimensions are constructed computer-free, inspired by concrete examples in low dimensions. WZ spaces already occur implicitly in the work of Dillon et al. [5]; recently their importance and applications were recognized more explicitly, see [8] and references therein. ...
... It has many important features, in particular it preserves the APN property. Dillon et al. introduced in [5] a method that, assuming certain conditions are satisfied, constructs a permutation that is CCZ equivalent to a given function. In the following proposition we present this method in a different but equivalent form, using the concept of WZ spaces. ...
A Walsh zero space (WZ space) for f:F2n→F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$f:{\mathbb {F}_{2^n}}\rightarrow {\mathbb {F}_{2^n}}$$\end{document} is an n-dimensional vector subspace of F2n×F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {F}_{2^n}}\times {\mathbb {F}_{2^n}}$$\end{document} whose all nonzero elements are Walsh zeros of f. We provide several theoretical and computer-free constructions of WZ spaces for Gold APN functions f(x)=x2i+1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$f(x)=x^{2^{i}+1}$$\end{document} on F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {F}_{2^n}}$$\end{document} where n is odd and gcd(i,n)=1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\gcd (i,n)=1$$\end{document}. We also provide several constructions of trivially intersecting pairs of such spaces. We illustrate applications of our constructions that include constructing APN permutations that are CCZ equivalent to f but not extended affine equivalent to f or its compositional inverse.
... Browning et al. (2010) exhibited almost perfect nonlinear (APN) permutations on F 2 6 . This was the first example of an APN permutation on an even degree extension of F 2 . ...
... problem since APN functions were first introduced in 1990s by Nyberg [28]. At the 9th International Conference on Finite Fields and their Applications, an APN permutation on F 2 6 was presented by John Dillon [6]. ...
... where u is a specific primitive element [6, Section 3] of F * 2 6 , and was found by utilizing a necessary and sufficient condition on the set of Walsh zeroes of κ. The authors (Browning et al. [6]) observed that an APN function on F 2 n is CCZ-equivalent to a permutation if and only if its set of Walsh transform zeroes contains two trivially intersecting subspaces of dimension n. The authors then generated the sets of Walsh transform zeroes of functions from the list of known APN functions on F 2 6 (see [5, Table 3]) and searched for two trivially intersecting subspaces of dimension n in these sets. ...
Browning et al. (2010) exhibited almost perfect nonlinear (APN) permutations on \(\mathbb {F}_{2^{6}}\). This was the first example of an APN permutation on an even degree extension of \(\mathbb {F}_{2}\). In their approach of finding an APN permutation, Browning et al. made use of a necessary and sufficient condition based on the Walsh transform. In this paper, we give an algorithm based on a related necessary condition which checks whether a vectorial Boolean function is CCZ-inequivalent to a permutation. Using this algorithm, we are able to show that no function belonging to a known family of APN functions is equivalent to a permutation on \(\mathbb {F}_{2^{2m}}\), where m ≤ 6 (except for the known case on \(\mathbb {F}_{2^{6}}\)). We also give an EA-invariant based on the condition. Finally, we give a theoretical proof of the fact that no member of a specific family of APN functions is equivalent to a permutation on doubly-even degree extensions of \(\mathbb {F}_{2}\).
... The following constants are introduced in [9]: 2 1 + a 2ā2 + a 3ā3 θ 2 = a 1 +ā 2 a 3 θ 3 =ā 2 + a 1ā3 θ 4 = a 2 1 + a 2ā2 . ( 1 ) Content courtesy of Springer Nature, terms of use apply. ...
... The following constants are introduced in [9]: 2 1 + a 2ā2 + a 3ā3 θ 2 = a 1 +ā 2 a 3 θ 3 =ā 2 + a 1ā3 θ 4 = a 2 1 + a 2ā2 . ( 1 ) Content courtesy of Springer Nature, terms of use apply. ...
... If u 2 = z, then u = z = 1 and a 1 , a 2 , a 3 ∈ F q . Otherwise 2 ...
The problem of finding APN permutations of \({\mathbb {F}}_{2^{n}}\) where n is even and n > 6 has been called the Big APN Problem. Li, Li, Helleseth and Qu recently characterized APN functions defined on \({\mathbb {F}}_{q^{2}}\) of the form f(x) = x3q + a1x2q+ 1 + a2xq+ 2 + a3x3, where q = 2m and m ≥ 4. We will call functions of this form Kim-type functions because they generalize the form of the Kim function that was used to construct an APN permutation of \({\mathbb {F}}_{2^{6}}\). We prove that Kim-type APN functions with m ≥ 4 (previously characterized by Li, Li, Helleseth, and Qu) are affine equivalent to one of two Gold functions G1(x) = x3 or \(G_{2}(x)=x^{2^{m-1}+1}\). Combined with the recent result of Göloğlu and Langevin who proved that, for even n, Gold APN functions are never CCZ equivalent to permutations, it follows that for m ≥ 4 Kim-type APN functions on \({\mathbb {F}}_{2^{2m}}\) are never CCZ equivalent to permutations.
... Thus APN permutations offer an optimal resistance to both differential and boomerang attacks. However, over finite fields F 2 n with n even, which is the most interesting case in cryptography, the only known example of APN permutation is due to Dillon [4] over F 2 6 . The existence of APN permutations over F 2 n , n ≥ 8 even, is an open problem and often referred to as the Big APN Problem. ...
... While one might wonder if investigating non-permutation is worthy, and we believe that these questions and their answers may reveal results of interests that do have applications to cryptography. With one exception [4], all APN functions on even dimension are nonpermutations. In fact, even the known example from Ref. [4] is an APN permutation that is CCZ-equivalent to the known Kim (non-permutation) APN function. ...
... With one exception [4], all APN functions on even dimension are nonpermutations. In fact, even the known example from Ref. [4] is an APN permutation that is CCZ-equivalent to the known Kim (non-permutation) APN function. Moreover, it is known that the boomerang uniformity is not invariant under the CCZ or even extended affine equivalence, while the differential uniformity is invariant. ...
We consider the boomerang uniformity of an infinite class of (locally-APN) power maps and show that their boomerang uniformity over the finite field F2n is 2 and 4, when n ≡ 0 (mod 4) and n ≡ 2 (mod 4), respectively. As a consequence, we show that for this class of
power maps, the differential uniformity is strictly greater than their boomerang uniformity
... One of the most important open problems concerning APN permutations is their existence in even dimensions. Dillon et al. [5] constructed an APN permutation of F 2 6 in 2009 but since then, no new APN permutations in even dimension have been found. The question of existence of APN permutations in even dimension greater than six is known as the Big APN Problem. ...
... Some WZ spaces of Gold functions in odd dimensions are constructed computer-free, inspired by concrete examples in low dimensions. WZ spaces already occur implicitly in the work of Dillon et al. [5]; recently their importance and applications were recognized more explicitly, see [9] and references therein. ...
... In the following proposition we present this method in a different but equivalent form, using the concept of WZ spaces. We also include a proof of the proposition, which is contained only implicitly in [5], because it allows one to explicitly construct a permutation CCZ equivalent to the given function. ...
A Walsh zero space (WZ space) for $f:F_{2^n}\rightarrow F_{2^n}$ is an $n$-dimensional vector subspace of $F_{2^n}\times F_{2^n}$ whose all nonzero elements are Walsh zeros of $f$. We provide several theoretical and computer-free constructions of WZ spaces for Gold APN functions $f(x)=x^{2^i+1}$ on $F_{2^n}$ where $n$ is odd and $\gcd(i,n)=1$. We also provide several constructions of trivially intersecting pairs of such spaces. We illustrate applications of our constructions that include constructing APN permutations that are CCZ equivalent to $f$ but not extended affine equivalent to $f$ or its compositional inverse.
... Moreover, there have been recently discovered two more sporadic examples for n = 9 in [2] (not classified in any family yet). While for n even there exists only one example of APN permutation over F 2 6 (see [8]), the existence of others remains an open problem. ...
... x 9 + x 8 + 1 2 m = 9t, 3 t, gcd(m, s) = 1 (9, 2) 9 | (s − s), 3 | (s + 2t) (9, 4) (9, 5) (9, 7) (9,8) so that ...
APN functions play a fundamental role in cryptography against attacks on block ciphers. Several families of quadratic APN functions have been proposed in the recent years, whose construction relies on the existence of specific families of polynomials. A key question connected with such constructions is to determine whether such APN functions exist for infinitely many dimensions or do not.
In this paper we consider a family of functions recently introduced by Li et al. in 2021 showing that for any dimension m≥3 there exists an APN function belonging to such a family.
Our main result is proved by a combination of different techniques arising from both algebraic varieties over finite fields connected with linearized permutation rational functions and partial vector space partitions, together with investigations on the kernels of linearized polynomials.
... where a is a primitive element of F 2 6 , satisfying a 6 + a 4 + a 3 + a + 1 = 0. Using a Magma [4] program it is not difficult to check, that the Walsh spectrum of f , given below, is nonclassical and the incidence structures supported by the codewords of the minimum weight are 1-designs, but not 2-designs. For instance: 6,1986) design with 21184 blocks. ...
... We endow F 6 2 with the structure of the finite field (F 2 6 , +, ·) in such a way, that the multiplicative group F * 2 6 is given by F * 2 6 = a , where a is a root of the primitive polynomial p(x) = x 6 + x 4 + x 3 + x + 1. Consider the following CCZequivalent but not EA-equivalent functions on F 2 6 : the Kim's APN function x ∈ F 2 6 → κ(x) and the Dillon's APN permutation x ∈ F 2 6 → g(x), of which the univariate representations can be found in [6]. It is not difficult to check with a computer that for the Kim's APN function there exist: ...
In this paper we consider further applications of $(n,m)$-functions for the construction of 2-designs. For instance, we provide a new application of the extended Assmus-Mattson theorem, by showing that linear codes of APN functions with the classical Walsh spectrum support 2-designs. On the other hand, we use linear codes and combinatorial designs in order to study important properties of $(n,m)$-functions. In particular, we give a new design-theoretic characterization of $(n,m)$-plateaued and $(n,m)$-bent functions and provide a coding-theoretic as well as a design-theoretic interpretation of the extendability problem for $(n,m)$-bent functions.
... We list all the CCZ-and EA-class invariants we are aware of from the literature and, in the case of quadratic APN functions, we introduce a new one based on ortho-derivatives. While it is only defined for quadratic APN functions, this case is of great practical importance: for instance, constructing quadratic APN functions is of interest for finding APN permutations operating on an even number of variables, as the only known example of such a permutation is derived from a quadratic APN function by CCZ-equivalence [BDMW10]. More importantly, the corresponding CCZ-class invariants are very fine grained, and can efficiently prove that more than 20, 000 distinct quadratic APN functions of 8 variables fall into different CCZ-class in only a few minutes on a regular desktop computer. ...
... The Kim mapping is a quadratic APN function κ defined over F 2 6 by κ(x) = x 3 + x 10 + wx 24 , where w is a root of the primitive polynomial used to define F 2 6 . It is well-known for being CCZ-equivalent to a permutation since it is the function which served as a basis for the result of Dillon et al. [BDMW10]. ...
Extended Affine (EA) equivalence is the equivalence relation between two vectorial Boolean functions $F$ and $G$ such that there exist two affine permutations $A$, $B$, and an affine function $C$ satisfying $G = A \circ F \circ B + C$. While a priori simple, it is very difficult in practice to test whether two functions are EA-equivalent. This problem has two variants: EA-testing deals with figuring out whether the two functions can be EA-equivalent, and EA-recovery is about recovering the tuple $(A,B,C)$ if it exists. In this paper, we present a new efficient algorithm that efficiently solves the EA-recovery problem for quadratic functions. Though its worst-case complexity is obtained when dealing with APN functions, it supersedes all previously known algorithms in terms of performance, even in this case. This approach is based on the Jacobian matrix of the functions, a tool whose study in this context can be of independent interest. In order to tackle EA-testing efficiently, the best approach in practice relies on class invariants. We provide an overview of the literature on said invariants along with a new one based on the \emph{ortho-derivative} which is applicable to quadratic APN functions, a specific type of functions that is of great interest, and of which tens of thousands need to be sorted into distinct EA-classes. Our ortho-derivative-based invariant is both very fast to compute, and highly discriminating.
... APN permutations offer maximal resistance to differential and boomerang attacks, but there are extremely difficult to construct despite many efforts and recent advances. The high importance of such families of permutations for real applications comes from the difficulty of finding APN permutations in even dimension (known as the Big APN Problem [6]), making this topic still exciting nowadays. ...
... Remark 2. The power function F (x) = x s(2 m −1)+1 over F 2 2m studied in this paper is a permutation if and only if gcd(2s − 1, 2 m + 1) = 1, i.e., gcd(2 k − 1, 2 m + 1) = 1, which indicates that Theorem 1 produces locally-APN permutations over F 2 2m when m is even and gcd(m, k) = 1. This may be of independent interest regarding to the big APN problem [6]. 4 The boomerang spectrum of the Niho power function F (x) = ...
In this article, we focus on the concept of locally-APN-ness (``APN" is the abbreviation of the well-known notion of Almost Perfect Nonlinear) introduced by Blondeau, Canteaut, and Charpin, which makes the corpus of S-boxes somehow larger regarding their differential uniformity and, therefore, possibly, more suitable candidates against the differential attack (or their variants). Specifically, given two coprime positive integers $m$ and $k$ such that $\gcd(2^m+1,2^k+1)=1$, we investigate the locally-APN-ness property of an infinite family of Niho type power functions in the form $F(x)=x^{s(2^m-1)+1}$ over the finite field ${\mathbb F}_{2^{2m}}$ for $s=(2^k+1)^{-1}$, where $(2^k+1)^{-1}$ denotes the multiplicative inverse modulo $2^m+1$. By employing finer studies of the number of solutions of certain equations over finite fields (with even characteristic) as well as some subtle manipulations of solving some equations, we prove that $F(x)$ is locally APN and determine its differential spectrum. It is worth noting that computer experiments show that this class of locally-APN power functions covers all Niho type locally-APN power functions for $2\leq m\leq10$. In addition, we also determine the boomerang spectrum of $F(x)$ by using its differential spectrum, which particularly generalizes a recent result by Yan, Zhang, and Li.
... The existence of n-bit APN permutation is implied by the existence of n-bit almost Bent (AB) functions [18,36] when n is odd. However, when n is even, only one 6-bit APN S-box has been discovered by Dillon et al. in 2009 [15]. Whether an APN S-box exists or not on other even dimensions is still an open problem, named "The Big APN Problem" [17]. ...
... KECCAK-like S-boxes 10 23,24,3,14,20,9,30,19,10,17,28,2,11,5,4,29,8,12,21,6,13,18,1,27,25,22,16,15,0,7,31,26 12,5,21,14,3,20,30,15,22,1,9,27,26,0,23,28,24,18,19,11,29,2,8,17,6,31,13,16,7,25,4,10 22,30,21,25,11,20,31,2,26,5,12,29,4,8,6,7,1,0,3,13,28,14,16,27,19,10,15,18,24,23,9,17 ASCON-like S-boxes 0 24,9,27,6,3,31,22,1,20,30,8,5,10,21,15,16,4,19,23,12,28,0,13,26,7,11,25,18,17,14,2,29 23,28,15,16,2,1,21,30,25,19,18,12,11,8,13,6,24,14,0,3,5,29,10,27,4,7,31,9,26,22,20,17 3,13,26,22,17,2,15,21,0,23,12,9,20,25,30,10,27,14,4,29,28,8,1,18,7,24,16,19,31,6,11,5 New S-box 2 0 22, 15,16,9,27,3,5,6,1,21,30,18,28,8,10,29,14,0,13,26,24,20,17,31,19,12,7,25,11,23,4,2 PRESENT's DDT into an SMT problem. Then, we describe the property of no fixed point as constraint. ...
The substitution box (S-box) is an important nonlinear component in most symmetric cryptosystems and thus should have good properties. Its difference distribution table (DDT) and linear approximation table (LAT) affect the security of the cipher against differential and linear cryptanalysis. In most previous work, differential uniformity and linearity of an S-box are two primary cryptographic properties to impact the resistance against differential and linear attacks. In some cases, the branch number and fixed point are also be considered. However, other important cryptographic properties such as the frequency of differential uniformity (resp. linearity) and the number of Bad Input and Bad Output (BIBO) patterns in DDT (resp. LAT) are often ignored. These properties substantially affect lightweight cryptography based on substitution bit permutation networks (SbPN) such as PRESENT, GIFT and RECTANGLE. This paper introduces a new method to search for S-boxes satisfying all above criteria simultaneously. In our strategy, we transform the process of searching for S-boxes under certain constraints on cryptographic properties into a satisfiability (SAT) problem. As applications, we use our new approach to search out 4-bit and 5-bit S-boxes with the same or better cryptographic properties compared with the S-boxes from well-known ciphers. Finally, we also utilize our method to verify a conjecture proposed by Boura et al. in the case of all 3-bit and 4-bit S-boxes. We propose a proposition and two corollaries to reduce the search space in this verification.
... This is also one of the topics that we discuss in our work. Moreover, this is especially important for even dimensions n ⩾ 8 , since new APN permutations CCZ-equivalent to quadratic functions might be found in a similar way that this was done for dimension six [10]. ...
... For all possible values of the first two rows of the matrix F such that the condition from Proposition 1 is true, we implement a search through all possible matrices P of the form F(x) = a 100 x + a 88 x 2 + a 89 x 3 + a 107 x 4 + a 57 x 5 + a 98 x 6 + a 56 x 8 + a 9 x 9 + a 58 x 10 +a 60 x 12 + a 109 x 16 ...
Almost perfect nonlinear functions possess optimal resistance to differential cryptanalysis and are widely studied. Most known APN functions are defined using their representation as a polynomial over a finite field and very little is known about combinatorial constructions of them on F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2}^{n}$$\end{document}. In this work we propose two approaches for obtaining quadratic APN functions on F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2}^{n}$$\end{document}. The first approach exploits a secondary construction idea, it considers how to obtain a quadratic APN function in n + 1 variables from a given quadratic APN function in n variables using special restrictions on the new terms. The second approach is searching for quadratic APN functions that have a matrix representation partially filled with the standard basis vectors in a cyclic manner. This approach allows us to find a new APN function in 7 variables. We prove that the updated list of quadratic APN functions in dimension 7 is complete up to CCZ-equivalence. Also, we observe that the quadratic parts of some APN functions have a low differential uniformity. This observation allows us to introduce a new subclass of APN functions, the so-called stacked APN functions. These are APN functions of algebraic degree d such that eliminating monomials of degrees k + 1,…, d for any k < d results in APN functions of algebraic degree k. We provide cubic examples of stacked APN functions for dimensions up to 6.
... The APN monomials X 2 i +1 , with gcd(i, n) = 1, provide examples of APN bijections over F 2 n for any odd n. For even n, only one example is known, the APN function over F 2 6 of Browning, Dillon, McQuistan, and Wolfe from [4]. ...
The lower the differential uniformity of a function, the more resilient it is to differential cryptanalysis if used in a substitution box. APN functions and planar functions are specifically those functions which have optimal differential uniformity in even and odd characteristic, respectively. In this article, we provide two methods for constructing functions with low, but not necessarily optimal, differential uniformity. Our first method involves altering the coordinate functions of any known planar function and relies upon the relation between planar functions and orthogonal systems identified by Coulter and Matthews in 1997. As planar functions exist only over fields of odd order, the method works for odd characteristic only. The approach also leads us to a generalization of Dillon’s Switching Technique for constructing APN functions. Our second construction method is motivated by a result of Coulter and Henderson, who showed in 2008 how commutative presemifields of odd order were in one-to-one correspondence with planar Dembowski–Ostrom polynomials via the multiplication of the presemifield. Using this connection as a starting point, we examine the functions arising from the multiplication of other well-structured algebraic objects such as non-commutative presemifields and planar nearfields. In particular, we construct a number of infinite classes of functions which have low, though not optimal, differential uniformity. This class of functions originally stems from the presemifields of Kantor and Williams of characteristic 2. Thus, regardless of the characteristic, between our two methods we are able to construct infinitely many functions which have low, though not optimal, differential uniformity over fields of arbitrarily large order.
... The S-Boxes for which equality holds are called almost perfect nonlinear (APN) functions. It is worth noticing that the APN condition only exists for odd number of variables, and when n = 6 [32]. In the case of even number of variables, the best known differential uniformity value is 4 [26,27,29,30]. ...
The design of cryptographically strong S-Boxes is a wide studied field in symmetric cryptography. Several techniques to produce resilient substitutions have been developed through the years having algebraic constructions the most interesting results. However the most representative solution of these constructions, the finite field inversion, does not warranty total security against algebraic attacks, since the graph algebraic immunity of such permutation is not optimal. In this paper is proposed a combination of algebraic construction and heuristic method to produce a large set of different 8-bit substitution boxes with optimal graph algebraic immunity, maximum value of minimum algebraic degree and almost optimal values of nonlinearity and differential uniformity for application to symmetric cryptographic schemes.
... Those functions are specifically useful for substituting binary strings in a one-to-one manner, which is often required in cryptographic algorithms. Till now, only a single instance of an APN permutation in even dimension is known, i.e., for n = 6 (also known as Dillon's permutation [BDMW10]). Finding more of such instances, especially for n = 8, or proving the non-existence is usually referred to as the "big APN problem". It is well-known that a quadratic APN function in even dimension cannot be a permutation [SZZ94]. ...
By applying a recursive tree search, we find many new instances of quadratic APN functions up to CCZ-equivalence. In particular, we present 12,923 new quadratic APN instances in dimension eight and five new quadratic APN instances in dimension ten. The vast majority of those functions have been found by utilizing linear self-equivalences. Among our 8-bit APN functions, there are three extended Walsh spectra that were not known to be valid extended Walsh spectra of quadratic 8-bit APN functions before and, surprisingly, there exist at least four CCZ-inequivalent 8-bit APN functions with linearity $2^7$, i.e. the highest possible non-trivial linearity.
... Many works have been done on the construction of APN functions (see for instance [4,[8][9][10][11]). For odd values of n there are known families of APN permutations; while for n even there exists only one example of APN permutation over F 2 6 [7] and the existence of others remains an open problem. For ease of implementation, usually, the integer n is required to be even in a Table 1 Primarily-constructed differentially 4-uniform permutations over F 2 n (n even) with the best known nonlinearity Name F(x) deg Conditions In Gold x 2 i +1 2 n = 2k, k odd gcd(i, n) = 2 [ 18] Kasami x 2 2i −2 i +1 i+1 n = 2k, k odd gcd(i, n) = 2 [ 20] Inverse x 2 n −2 n − 1 n = 2k, k ≥ 1 [ 27] Bracken-Leander x 2 2k +2 k +1 3 n = 4k, k odd [5] Bracken-Tan-Tan ζ x 2 i +1 + ζ 2 m x 2 −m +2 m+i 2 n = 3m, m even, m/2 odd, gcd(n, i) = 2, 3|m + i [6] and ζ is a primitive element of F 2 n cryptosystem. ...
Functions with low differential uniformity can be used in a block cipher as S-boxes since they have good resistance to differential attacks. In this paper we consider piecewise constructions for permutations with low differential uniformity. In particular, we give two constructions of differentially 6-uniform functions, modifying the Gold function and the Bracken-Leander function on a subfield.
... Some well-known boundaries are referred to in the literature review towards the optimal values of nonlinearity and differential uniformity of S-boxes [2], [3], [30], [32]. However, there is no mathematical formulation for the upper bound of confusion coefficient variance. ...
Substitution boxes are the main nonlinear component of block ciphers. The security of these ciphers against linear, differential, or side-channel attacks is dependent on the design of such components and their intrinsic properties. There are several methods that aim to cryptographically define, generate, or search for strong substitution boxes. The application of combinatorial optimization algorithms is one of the most useful methodologies in this research area. In this article, we present a novel hybrid method based on the Leaders and Followers and hill-climbing over Hamming Weight Classes metaheuristics, coupled with a new trade-off fitness function that generates 8-bit bijective substitution boxes with good resisting properties towards classical cryptanalysis and side-channel attacks by power consumption. We address the best Pareto optimal solutions for the multi-objective optimization of non-linearity and confusion coefficient variance.
... The functions having δ s = 2 are called almost perfect nonlinear (APN) functions. As for nonlinearity property, the APN condition only exists for odd number of variables, and when n = 6 [45]. In the case of n even, the best-known differential uniformity value is 4 [12,19,33]. ...
The property of nonlinearity has high importance for the design of strong substitution boxes. Therefore, the development of new techniques to produce substitution boxes with high values of nonlinearity is essential. Many research papers have shown that optimization algorithms are an efficient technique to obtain good solutions. However, there is no reference in the public literature showing that a heuristic method obtains optimal nonlinearity unless seeded with optimal initial solutions. Moreover, the majority of papers with the best nonlinearity reported for pseudo-random seeding of the algorithm(s) often achieve their results with the help of some cost function(s) over the Walsh-Hadamard spectrum of the substitution. In the sense, we proposed to present, in this paper, a novel external parameter independent cost function for evolving bijective s-boxes of high nonlinearity, which is highly correlated to this property. Several heuristic approaches including GaT (genetic and tree), LSA (local search algorithm), and the Hill Climbing algorithm have been investigated to assess the performance of evolved s-boxes. A performance comparison has been done to show the advantages of our new cost function, with respect to cost functions for s-boxes like Clark's and Picek's cost functions.
... Using CCZ-equivalence for constructing APN functions turned out to be a very fruitful idea: it did not only allow to increase the algebraic degree of APN functions but also to construct APN permutations in even dimensions and by that to solve one of the main and hardest problems related to APN functions. Indeed, in 2006, Dillon and his team applied CCZ-equivalence to a quadratic APN mapping in dimension 6 and obtained the first and the only currently known APN permutation in even dimension [11]. An interesting fact is that quadratic APN functions, and more generally APN functions with quadratics components, in even dimension are never permutations because they have (partially-)bent component functions (see [26,50]) but CCZ-equivalence allows to increase the algebraic degree and can mix the Walsh spectrum such that none of the component functions of the resulted map are (partially-)bent. ...
This work is dedicated to APN and AB functions which are optimal against differential and linear cryptanlysis when used as S-boxes in block ciphers. They also have numerous applications in other branches of mathematics and information theory such as coding theory, sequence design, combinatorics, algebra and projective geometry. In this paper we give an overview of known constructions of APN and AB functions, in particular, those leading to infinite classes of these functions. Among them, the bivariate construction method, the idea first introduced in 2011 by the third author of the present paper, turned out to be one of the most fruitful. It has been known since 2011 that one of the families derived from the bivariate construction contains the infinite families derived by Dillon's hexanomial method. Whether the former family is larger than the ones it contains has stayed an open problem which we solve in this paper. Further we consider the general bivariate construction from 2013 by the third author and study its relation to the recently found infinite families of bivariate APN functions.
... Browning et al. [5] found the first APN permutation in dimension 6. Their idea was to check the CCZ-equivalence [8] class of a quadratic APN function: indeed, if an APN function is CCZ-equivalent to a permutation, then that permutation has to be APN. ...
If used as S-boxes, APN functions provide optimal resilience against differential attacks. However, the very existence of APN permutations operating on an even number n of bits (with n ≥ 8) has been an open problem for nearly 30 years. A possible method to solve this problem consists in generating APN functions, and then exploring the CCZ-equivalence classes of these functions looking for a permutation. Following this goal, we found 5412 new quadratic APN functions on F28\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2^{8}}$$\end{document} using an approach based on so-called Quadratic APN Matrices (QAM). This brings the number of known CCZ-inequivalent APN functions on F28\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2^{8}}$$\end{document} to 26525. Unfortunately, none of these new functions are CCZ-equivalent to permutations. A complete list (to the best of our knowledge) of known quadratic APN functions, including our new ones, has been added to sboxU for ease of study by others. In this paper, we recall how to construct new QAMs from a known one. Based on these results and on others on smaller fields, we make two conjectures: that the total number of CCZ-inequivalent quadratic APN functions on F28\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2^{8}}$$\end{document} exceeds 50000, and that the full list of quadratic APN functions could be obtained by modifying only a small number of entries of the QAM, though such a search remains computationally infeasible at this stage. Finally, we propose a new model which can handle the last two columns together and avoid some redundant computation.
... and τ is given by (23) in Lemma 8. Using Lemma 8 and Lemma 3, we conclude that z = ax ∈ Z a where the set Z a = {a, η(a), η (2) (a)} which has been defined as in (9), and we have ...
Extending previous results, we study a class of general quadrinomials over the field of size
$2^{2m}$
with odd
$m$
and characterize conditions under which they are permutations with 4-uniform BCT, a new and important parameter related to boomerang-style attacks. These permutations are known to have the best known nonlinearity. Numerical data also show that the inverse of these functions all have large algebraic degree, making them desirable for applications.
... In the case of n = 6, the only two APN functions equivalent to triplicates are the Gold function x 3 , and the trinomial x 3 + α 11 x 6 + αx 9 (where α is a primitive element of 2 6 ). In particular, we note that neither the Kim function (which is CCZ-equivalent to an APN permutation [58]) nor the only known APN function that is CCZ-inequivalent to monomials and quadratic functions [15] is EA-equivalent to a 3-to-1 function. In the case of the Kim function (which is quadratic), we can conclude that there is no quadratic triplicate function in its CCZ-equivalence class at all (due to EA-and CCZ-equivalence coinciding for quadratic functions as discussed in Section 2.4). ...
We define the class of triplicate functions as a generalization of 3-to-1 functions over $$\mathbb {F}_{2^{n}}$$ F 2 n for even values of n . We investigate the properties and behavior of triplicate functions, and of 3-to-1 among triplicate functions, with particular attention to the conditions under which such functions can be APN. We compute the exact number of distinct differential sets of power APN functions and quadratic 3-to-1 functions; we show that, in this sense, quadratic 3-to-1 functions are a generalization of quadratic power APN functions for even dimensions, in the same way that quadratic APN permutations are generalizations of quadratic power APN functions for odd dimensions. We show that quadratic 3-to-1 APN functions cannot be CCZ-equivalent to permutations in the case of doubly-even dimensions. We compute a lower bound on the Hamming distance between any two quadratic 3-to-1 APN functions, and give an upper bound on the number of such functions over $$\mathbb {F}_{2^{n}}$$ F 2 n for any even n . We survey all known infinite families of APN functions with respect to the presence of 3-to-1 functions among them, and conclude that for even n almost all of the known infinite families contain functions that are quadratic 3-to-1 or are EA-equivalent to quadratic 3-to-1 functions. We also give a simpler univariate representation in the case of singly-even dimensions of the family recently introduced by Göloglu than the ones currently available in the literature. We conduct a computational search for quadratic 3-to-1 functions in even dimensions n ≤ 12. We find six new APN instances for n = 10, and the first sporadic APN instance for n = 12 since 2006. We provide a list of all known 3-to-1 APN functions for n ≤ 12.
... Typically, the optimal functions satisfy F = 2 and are called almost perfect nonlinear (APN). However, for an even n, functions defined over 2 n with a small differential uniformity are very rare, and only one example of an APN permutation is known for n = 6 [6]. In particular, when n is even, a few classes of infinite families of functions have differential uniformity F = 4 . ...
The inverse, the Gold, and the Bracken-Leander functions are crucial for building S-boxes of block ciphers with good cryptographic properties in symmetric cryptography. These functions have been intensively studied, and various properties related to standard attacks have been investigated. Thanks to novel advances in symmetric cryptography and, more precisely, those pertaining to boomerang cryptanalysis, this article continues to follow this momentum and further examine these functions. More specifically, we revisit and bring new results about their Difference Distribution Table (DDT), their Boomerang Connectivity Table (BCT), their Feistel Boomerang Connectivity Table (FBCT), and their Feistel Boomerang Difference Table (FBDT). For each table, we give explicit values of all entries by solving specific systems of equations over the finite field F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{2^n}$$\end{document} of cardinality 2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^n$$\end{document} and compute the cardinalities of their corresponding sets of such values. The explicit values of the entries of these tables and their cardinalities are crucial tools to test the resistance of block ciphers based on variants of the inverse, the Gold, and the Bracken-Leander functions against cryptanalytic attacks such as differential and boomerang attacks. The computation of these entries and the cardinalities in each table aimed to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.
... For ease of the implementation in both hardware and software, such functions are required to be defined on F 2 n for even n. It is known that no APN permutations exist over F 2 n for n = 2, 4. Instead, an APN permutation of the field F 2 6 was discovered by Dillon et al. in [5]. It is an open problem whether there exists an APN permutation over F 2 n for even n ≥ 8. So, to resist differential attacks in even dimensions, we can choose differentially 4-uniform permutations as S-boxes. ...
Block ciphers use S-boxes to create confusion in the cryptosystems. Such S-boxes are functions over $\mathbb{F}_{2^{n}}$. These functions should have low differential uniformity, high nonlinearity, and high algebraic degree in order to resist differential attacks, linear attacks, and higher order differential attacks, respectively. In this paper, we construct new classes of differentially $4$ and $6$-uniform permutations by modifying the image of the Dobbertin APN function $x^{d}$ with $d=2^{4k}+2^{3k}+2^{2k}+2^{k}-1$ over a subfield of $\mathbb{F}_{2^{n}}$. Furthermore, the algebraic degree and the lower bound of the nonlinearity of the constructed functions are given.
... If ∆ F = 2, then F is called almost perfect nonlinear (APN). For the known results on APN functions, the readers are referred to [5,6,12,13,15,17,18,24,25,35]. ...
Let $q$ be an odd prime power. Let $F_1(x)=x^{d_1}$ and $F_2(x)=x^{d_2}$ be power mappings over $\mathrm{GF}(q^2)$, where $d_1=q-1$ and $d_2=d_1+\frac{q^2-1}{2}=\frac{(q-1)(q+3)}{2}$. In this paper, we study the the boomerang uniformity of $F_1$ and $F_2$ via their differential properties. It is shown that, the boomerang uniformity of $F_i$ ($i=1,2$) is 2 with some conditions on $q$.
... The case of quadratic APN functions is more tractable than the general one, which is evinced by the fact that all the infinite polynomial families constructed so far are quadratic, and only one known sporadic example of a non-quadratic (up to CCZequivalence) APN function (which is defined over F 2 6 ) is known [23]. Nevertheless, quadratic APN functions are an important ongoing direction of research: in 2010, Dillon et al. discovered an APN permutation in dimension n = 6, thereby disproving the conjecture that APN functions over fields of even dimension could never be bijective [5]. Despite Dillon's permutation not being a quadratic APN function per se, it was constructed by traversing the CCZ-equivalence class of a quadratic function. ...
Almost perfect nonlinear (APN) and almost bent (AB) functions are integral components of modern block ciphers and play a fundamental role in symmetric cryptography. In this paper, we describe a procedure for searching for quadratic APN functions with coefficients in F2 over the finite field F2n and apply this procedure to classify all such functions over F2n with n≤9. We discover two new APN functions (which are also AB) over F29 that are CCZ-inequivalent to any known APN function over this field. We also verify that there are no quadratic APN functions with coefficients in F2 over F2n with 6≤n≤8 other than the currently known ones.
... This is noteworthy, as both of these can (and have) been used constructively. In 2010, John Dillon constructed the only currently known instance of an APN (n, n)-permutation for even n by traversing the CCZ-equivalence class of a known (non-bijective) APN function over the same field [12]. In a similar vein, most of the known instances of APN functions listed in the literature are quadratic. ...
An (n,m)-function is a mapping from F2n\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}${\mathbb {F}_{2}^{n}}$\end{document} to F2m\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}${\mathbb {F}_{2}^{m}}$\end{document}. Such functions have numerous applications across mathematics and computer science, and in particular are used as building blocks of block ciphers in symmetric cryptography. The classes of APN and AB functions have been identified as cryptographically optimal with respect to the resistance against two of the most powerful known cryptanalytic attacks, namely differential and linear cryptanalysis. The classes of APN and AB functions are directly related to optimal objects in many other branches of mathematics, and have been a subject of intense study since at least the early 90’s. Finding new constructions of these functions is hard; one of the most significant practical issues is that any tentatively new function must be proven inequivalent to all the known ones. Testing equivalence can be significantly simplified by computing invariants, i.e. properties that are preserved by the respective equivalence relation. In this paper, we survey the known invariants for CCZ- and EA-equivalence, with a particular focus on their utility in distinguishing between inequivalent instances of APN and AB functions. We evaluate each invariant with respect to how easy it is to implement in practice, how efficiently it can be calculated on a computer, and how well it can distinguish between distinct EA- and CCZ-equivalence classes.
... It is known that no APN permutations exist over F 2 n for n = 2, 4. An APN permutation of the field F 2 6 was discovered by Dillon et al. [6]. It is an open problem whether there exists an APN permutation over F 2 n for even n ≥ 8. To resist differential attacks in even dimensions, we can choose differentially 4-uniform permutations as S-boxes. ...
Substitution boxes (S-boxes) play a central role in block ciphers. In substitution-permutation networks, the S-boxes should be permutation functions over F2n to realize the invertibility of the encryption. More importantly, the S-boxes should have low differential uniformity, high nonlinearity, and high algebraic degree in order to resist differential attacks, linear attacks, and higher order differential attacks, respectively. In this paper, we construct new classes of differentially 4 and 6-uniform permutations by modifying the image of the Dobbertin APN function xd with d=24k+23k+22k+2k−1 over a subfield of F2n. In addition, the algebraic degree and the lower bound of the nonlinearity of the constructed functions are given.
... Hence APN permutations have many advantage for a good S-box, but there are very few results about this subject. It is known that there is no APN permutation when n = 2, 4, and a single example of APN permutation [4] is known for n = 6. However, the existence of APN permutations for even n ≥ 8 is still unsettled, and it is referred as the Big APN Problem. ...
Finding permutations with good cryptographic parameters is a good research topic about constructing a secure S-box in substitution-permutation networks. In particular constructing differentially 4-uniform permutations has made considerable progress in recent years. In this paper, we present new differentially 4-uniform permutations from the inverse function composed by disjoint cycles. Our new differentially 4-uniform permutations have high nonlinearity and low differential-linear uniformity. We give the differential spectrum and the extended Walsh spectrum of some of our differentially 4-uniform permutations, and then we can see that they are CCZ-inequivalent to some permutations whose differential spectrum and extended Walsh spectrum are known.
... Finding APN permutations on 2 2k (where 2 2k is a finite field with 2 2k elements) is a difficult problem, this is commonly known as the big APN problem. For big APN problem, we refer to [3,9]. ...
In this paper, we study the differential δ\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\delta $$\end{document}-uniform property of two position swapped Exponential Welch Costas (EWC) permutations on Zp-1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$${\mathbb {Z}}_{p-1}$$\end{document} and construct permutations with δ=4,6\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\delta = 4, 6$$\end{document} for different values of p. We calculate the number of swapped EWC permutations with differential uniformity 6 for primes of the form 4d+3\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$4d+3$$\end{document}. For primes of the form 4d+1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$4d+1$$\end{document}, we obtain a lower bound on the number of swapped EWC permutations with differential uniformity 4.
... The existence of APN permutations operating on an even number of bits has been a long-standing open question until Dillon et al., who work for the NSA, provided an example on 6 bits in 2009. Browning et al. [15] have provided an APN permutation in dimension 6, which is the only known example of APN permutation available till now in the literature. Finding APN permutations over is now known as the Big APN Problem. ...
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block and stream ciphers and cryptographic hash functions. The discovery of differential cryptanalysis is generally attributed to Biham and Shamir in the late 1980s, who published several attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). Boomerang cryptanalysis is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. It was invented by Wagner in (FSE, LNCS 1636, 156–170, 1999) and has allowed new avenues of attack for many ciphers previously deemed safe from differential cryptanalysis. Differential and boomerang uniformities are crucial tools to handle and analyze vectorial functions (designated by substitution boxes, or briefly S-boxes in the context of symmetric cryptography) to resist differential and boomerang attacks, respectively. Ellingsen et al. (IEEE Transactions on Information Theory 66(9), 2020) introduced a new variant of differential uniformity, called c-differential uniformity (where c is a non-zero element of a finite field of characteristic p), of p-ary (n, m)-function for any prime p obtained by extending the well-known derivative of vectorial functions into the (multiplicative) c-derivative. Later, Stănică [Discrete Applied Mathematics, 2021] introduced the notion of c-boomerang uniformity. Both c-differential and c-boomerang uniformities have been extended to the idea of simple differential and boomerang uniformities, respectively, which are recovered when c equals 1.This survey paper combines the known results on this new concept of differential and boomerang uniformities and analyzes their possible cryptographic applications. This survey presents an overview of these significant concepts that might have greater implications for future theoretical research on this subject and applied perspectives in symmetric cryptography and related topics. Along with the paper, we analyze these discoveries and the results provided synthetically. The article intends to help readers explore further avenues in this promising and emerging direction of research. At the end of the article, we present more than nine lines of perspectives and research directions to benefit symmetric cryptography and other related domains such as combinatorial theory (namely, graph theory).
We define the pAPN-spectrum (which is a measure of how close a function is to being APN) of an (n, n)-function F and investigate how its size changes when two of the outputs of a given function F are swapped. We completely characterize the behavior of the pAPN-spectrum under swapping outputs when F is the inverse function over F2n. We further theoretically investigate this behavior for functions from the Gold and Welch monomial APN families, and experimentally determine the size of the pAPN-spectrum after swapping outputs for representatives from all infinite monomial APN families up to dimension n = 10; based on our computation results, we conjecture that the inverse function is the only monomial APN function for which swapping two of its outputs can leave an empty pAPN-spectrum.
In this paper, we develop an S-box designing method by considering an interplay between an S-box and a linear layer, which enhances security against differential cryptanalysis. The basic idea can be found in bitslice-friendly ciphers such as Serpent and bit-permutation ciphers such as PRESENT. In those designs, S-boxes were chosen so that the branch number is not too small, which rapidly diffuses differences. We apply a similar analysis to other constructions. The first target is extended generalized Feistel networks (EGFN) and its instance Lilliput, which has an XOR layer after the standard GFN. We show that security of EGFN can be enhanced by using an S-box that does not allow any difference Δ to be mapped to the same Δ with a high probability, say 2-2 for a 4-bit S-box. The second target is AES-like ciphers that use a binary matrix in MixColumns. We focus on the chain of differences ΔA→ΔB→ΔC→⋯ over the S-box, where each transition occurs with a high probability. We show that security of such AES-like ciphers can be enhanced if the maximum length of the chains is short. As a proof-of-concept, we evaluate Lilliput, Midori, and SKINNY with the new S-box satisfying the property.
This thesis contributes to the cryptanalysis effort needed to trust symmetric-key primitives like block-ciphers or pseudorandom generators. In particular, it studies a family of distinguishers based on subspace trails against SPN ciphers. This thesis also provides methods for modeling frequent cryptanalysis problems into MILP (Mixed-Integer Linear Programming) problems to allow cryptographers to benefit from the existence of very efficient MILP solvers. Finally, it presents techniques to analyze algebraic properties of symmetric-key primitives which could be useful to mount cube attacks.
This Chapter introduces/discusses about the fundamental concepts required for the following Chapters. Overall, it consolidates concepts from multiple disciplines into one place.
Differential Fault Analysis (DFA) is a well-known cryptanalytic method that has been successfully applied to many block ciphers based on Substitution Permutation Network (SPN). In this work we seek the answer: How exactly DFA works and how can we possibly build a cipher level protection against it. Our study shows that SBoxes play a crucial role for DFA to succeed. Interestingly, SBoxes that are better against DFA are proved to be worse against differential cryptanalysis, and vice versa.
Differentially 4-uniform involutions on F22k play important roles in the design of substitution boxes (S-boxes). Despite the active researches on differentially 4-uniform permutation, there is not so much research on differentially 4-uniform involutions, especially over the field F2n with 4|n. In this paper, we introduce a new approach to construct differentially 4-uniform involutions by using Carlitz form. With this approach, we explicitly construct two new classes of differentially 4-uniform involutions over F2n with 4|n. We also show that our constructions have high nonlinearity and optimal algebraic degree. With the help of computer, we show that our constructions are CCZ-inequivalent to the known differentially 4-uniform involutions over F28.
Mixed Integer Linear Programming (MILP) solvers are regularly used by designers for providing security arguments and by cryptanalysts for searching for new distinguishers. For both applications, bitwise models are more refined and permit to analyze properties of primitives more accurately than word-oriented models. Yet, they are much heavier than these last ones. In this work, we first propose many new algorithms for efficiently modeling any subset of Fn2 with MILP inequalities. This permits, among others, to model differential or linear propagation through Sboxes. We manage notably to represent the differential behaviour of the AES Sbox with three times less inequalities than before. Then, we present two new algorithms inspired from coding theory to model complex linear layers without dummy variables. This permits us to represent many diffusion matrices, notably the ones of Skinny-128 and AES in a much more compact way. To demonstrate the impact of our new models on the solving time we ran experiments for both Skinny-128 and AES. Finally, our new models allowed us to computationally prove that there are no impossible differentials for 5-round AES and 13-round Skinny-128 with exactly one input and one output active byte, even if the details of both the Sbox and the linear layer are taken into account.
Almost perfect nonlinear (APN) functions play an important role in the design of block ciphers as they offer the strongest resistance against differential cryptanalysis. Despite more than 25 years of research, only a limited number of APN functions are known. In this paper, we show that a recent construction by Taniguchi provides at least \(\frac{\varphi (m)}{2}\left\lceil \frac{2^m+1}{3m} \right\rceil \) inequivalent APN functions on the finite field with \({2^{2m}}\) elements, where \(\varphi \) denotes Euler’s totient function. This is a great improvement of previous results: for even m, the best known lower bound has been \(\frac{\varphi (m)}{2}\left( \lfloor \frac{m}{4}\rfloor +1\right) \); for odd m, there has been no such lower bound at all. Moreover, we determine the automorphism group of Taniguchi’s APN functions.
Designing S-box with good cryptographic properties still remains as one of the most important areas of research in symmetric key cryptography. For quite sometime, inverse function (\(x\mapsto x^{-1}\), i.e., \(x^{2^n-2}\)) over \(\mathbb {F}_{2^n}\) has been the most popular choice for S-boxes due to good resistance against differential and linear cryptanalysis. Very recently Tang et. al. (2020) proved that inverse function admits a bias (error) of \(\frac{1}{2^{n-2}}\) when considered in its second-order differential spectrum. In this paper we present experimental results related to higher-order differential spectrum of multiplicative inverse functions for \(n=6\) and 8 and compare the result with APN permutation for \(n=6\). In particular, we observe that APN permutation over \(\mathbb {F}_{2^6}\) has larger bias in its second-order differential spectrum with probability \(\frac{1}{8}\) ( \(\frac{1}{2^{n-2}}\)). This fact admits the possibility of higher-order differential attacks against block ciphers which employ APN permutations as a nonlinear layer.
Finding permutation polynomials with low differential and boomerang uniformity is an important topic in S-box designs of many block ciphers. For example, AES chooses the inverse function as its S-box, which is differentially 4-uniform and boomerang 6-uniform. Also there has been considerable research on many non-quadratic permutations which are modifications of the inverse function. In this paper, we give a novel approach which shows that plenty of existing modifications of the inverse function are in fact affine equivalent to permutations of low Carlitz rank, and those modifications cannot be APN. We also present the complete list of permutations of Carlitz rank 3 having the boomerang uniformity six, and give the complete classification of the differential uniformities of permutations of Carlitz rank 3. As an application, we provide all the involutions of Carlitz rank 3 having the boomerang uniformity six.
Let F2n be a finite field with 2n elements and fc_(x)=c0x2m(2k+1)+c1x2m+k+1+c2x2m+2k+c3x2k+1∈F2n[x], where n, m and k are positive integers with n=2m and gcd(m,k)=e. In this paper, motivated by a recent work of Li, Xiong and Zeng (Li et al. (2021) [12]), we further study the boomerang uniformity of fc_(x) by using similar ideas and carrying out particular techniques in solving equations over finite fields. As a consequence, we generalize Li, Xiong and Zeng's result from the case of m being odd and e=1 to that of both m/e and k/e being odd.
Permutations of the form \(F(x)=L_1(x^{-1})+L_2(x)\) with linear functions \(L_1,L_2\) are closely related to several interesting questions regarding CCZ-equivalence and EA-equivalence of the inverse function. In this paper, we show that F cannot be a permutation on binary fields if the kernel of \(L_1\) or \(L_2\) is large. A key step of our proof is an observation on the maximal size of a subspace V of \(\mathbb {F}_{2^n}\) that consists of Kloosterman zeros, i.e. a subspace V such that \(K_n(v)=0\) for every \(v \in V\) where \(K_n(v)\) denotes the Kloosterman sum of v.
In this paper, we establish a lower bound on the total number of inequivalent APN functions on the finite field with 22m elements, where m is even. We obtain this result by proving that the APN functions introduced by Pott and the second author [22], which depend on three parameters k, s and α, are pairwise inequivalent for distinct choices of the parameters k and s. Moreover, we determine the automorphism group of these APN functions.
The inverse function
$x \mapsto x^{-1}$
on
$\mathbb F_{2^{n}}$
is one of the most studied functions in cryptography due to its widespread use as an S-box in block ciphers like AES. In this paper, we show that, if
$n\geq 5$
, every function that is CCZ-equivalent to the inverse function is already EA-equivalent to it. This confirms a conjecture by Budaghyan, Calderini and Villa. We also prove that every permutation that is CCZ-equivalent to the inverse function is already affine equivalent to it. The majority of the paper is devoted to proving that there is no permutation polynomial of the form
$L_{1}(x^{-1})+L_{2}(x)$
over
$\mathbb F_{2^{n}}$
if
$n\geq 5$
, where
$L_{1},L_{2}$
are nonzero linear functions. In the proof, we combine Kloosterman sums, quadratic forms and tools from additive combinatorics.
Работа посвящена теоретическому обоснованию направленного поиска 8-битовых подстановок с заданными криптографическими характеристиками: дифференциальной $\delta$-равномерностью и нелинейностью. Сформулированы и доказаны утверждения о разбиении на классы эквивалентности множества векторных булевых функций, построенных с помощью обобщенной конструкции. Обоснованы утверждения, позволяющие отбраковывать функции из классов эквивалентности либо по высокому показателю дифференциальной $\delta$-равномерности, либо вследствие того, что они не являются подстановками. Результаты работы могут быть использованы для конструирования подстановок с заданными криптографическими свойствами, обеспечивающими стойкость алгоритмов шифрования к линейному и разностному методам криптографического анализа.
Recently, Beierle and Leander found two new sporadic quadratic APN permutations in dimension 9. Up to EA-equivalence, we present a single trivariate representation of those two permutations as Cu:(F2m)3→(F2m)3,(x,y,z)↦(x3+uy2z,y3+uxz2,z3+ux2y), where m=3 and u∈F23∖{0,1} such that the two permutations correspond to different choices of u. We then analyze the differential uniformity and the nonlinearity of Cu in a more general case. For m≥3 being a multiple of 3 and u∈F2m not being a 7-th power, we show that the differential uniformity of Cu is bounded above by 8, and that the linearity of Cu is bounded above by 81+⌊m2⌋. Based on numerical experiments, we conjecture that Cu is not APN if m is greater than 3. We also analyze the CCZ-equivalence classes of the quadratic APN permutations in dimension 9 known so far and derive a lower bound on the number of their EA-equivalence classes. We further show that the two sporadic APN permutations share an interesting similarity with Gold APN permutations in odd dimension divisible by 3, namely that a permutation EA-inequivalent to those sporadic APN permutations and their inverses can be obtained by just applying EA transformations and inversion to the original permutations.
All almost perfect nonlinear (APN) permutations that we know to date admit a special kind of linear self-equivalence, i.e., there exists a permutation
$G$
in their CCZ-equivalence class and two linear permutations
$A$
and
$B$
, such that
$G \circ A = B \circ G$
. After providing a survey on the known APN functions with a focus on the existence of self-equivalences, we search for APN permutations in dimension 6, 7, and 8 that admit such a linear self-equivalence. In dimension six, we were able to conduct an
exhaustive search
and obtain that there is only one such APN permutation up to CCZ-equivalence. In dimensions 7 and 8, we performed an exhaustive search for all but a few classes of linear self-equivalences and we did not find any new APN permutation. As one interesting result in dimension 7, we obtain that all APN permutation polynomials with coefficients in
$\mathbb {F}_{2}$
must be (up to CCZ-equivalence) monomial functions.
ResearchGate has not been able to resolve any references for this publication.