
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019


  1. Finite Field Functions to Counterattack Linear and Differential Cryptanalysis. Daniel Panario, School of Mathematics and Statistics, Carleton University, daniel@math.carleton.ca. ASCrypto (Advanced School of Cryptography), Latincrypt 2019, Santiago (Chile). Daniel Panario, Finite Field Functions, ASCrypto 2019, 1 / 61

  2. Outline
     1 Finite Fields: Definition and Background
     2 Differential Cryptanalysis: Introduction; PN and APN Functions; Related Concepts
     3 Permutation Polynomials: Costas Arrays and APN Permutations; Other Related Measures
     4 Linear Cryptanalysis: Linear Polynomials; Nonlinearity and Almost Bent Functions
     5 Conclusion

  3. Finite Fields in Cryptography
     Classical cryptosystems and security:
     - Diffie-Hellman, ElGamal, etc.;
     - elliptic and hyperelliptic curve cryptosystems; other cryptosystems (Chor-Rivest, McEliece, TCHo, etc.);
     - the discrete logarithm problem (index calculus method and its variants).
     Ciphers:
     - RC4, WG, etc.;
     - AES, RC6, etc.
     Hardware and software arithmetic.
     Post-quantum cryptography:
     - code-based;
     - multivariate;
     - isogenies.

  4. Definition
     Definition. A field $(F, +, \cdot)$ is a set $F$ together with operations $+$ and $\cdot$ such that:
     (1) $(F, +)$ is an Abelian group;
     (2) $(F \setminus \{0\}, \cdot)$ is an Abelian group;
     (3) the distributive laws hold, that is, for $a, b, c \in F$ we have $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$.
     If $\#F$ is finite, then $F$ is a finite field.
     Example: $\mathbb{Z}/(p)$ is a field if and only if $p$ is a prime.

  5. Background on Finite Fields I
     (Existence and Uniqueness) Up to isomorphism, there is exactly one finite field with $q = p^n$ elements, denoted $\mathbb{F}_{p^n} = \mathbb{F}_q$, for every prime $p$ and positive integer $n$. The characteristic of the finite field $\mathbb{F}_q$ is $p$. In $\mathbb{F}_q$, $a^q = a$ for all $a \in \mathbb{F}_q$.
     (Freshman's Dream) For $0 < i < p$ we have
     $\binom{p}{i} = \frac{p(p-1)\cdots(p-i+1)}{i!} \equiv 0 \pmod{p}.$
     Hence, if $\alpha, \beta \in \mathbb{F}_p$, we have $(\alpha + \beta)^p = \alpha^p + \beta^p$. This generalizes to powers $p^n$.
     The multiplicative group of $\mathbb{F}_q$ is cyclic. The generators of this multiplicative group are the primitive elements.

  6. Background on Finite Fields II
     Every subfield of $\mathbb{F}_{q^n}$ is of the form $\mathbb{F}_{q^k}$ for $k$ dividing $n$.
     The trace of $\alpha \in \mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is defined as
     $\mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_q}(\alpha) = \alpha + \alpha^q + \cdots + \alpha^{q^{n-1}}.$
     If $q = p$, $p$ prime, then $\mathrm{Tr}_{\mathbb{F}_{q^n}/\mathbb{F}_q}(\alpha)$ is the absolute trace and is denoted by $\mathrm{Tr}(\alpha)$.
     The extension field $\mathbb{F}_{q^n}$ can be seen as a vector space of dimension $n$ over $\mathbb{F}_q$. For $\alpha \in \mathbb{F}_{q^n}$, if $N = \{\alpha, \alpha^q, \ldots, \alpha^{q^{n-1}}\}$ is a basis of $\mathbb{F}_{q^n}$, then $N$ is a normal basis and $\alpha$ is a normal element.

  7. Polynomial Representation I
     A monic polynomial over $\mathbb{F}_q$ of degree $n$ is of the form $x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0$ with $a_i \in \mathbb{F}_q$ for $0 \le i < n$.
     We create $\mathbb{F}_{q^n}$ by taking the quotient of $\mathbb{F}_q[x]$ by an irreducible polynomial $f$ of degree $n$, that is, $\mathbb{F}_{q^n} \cong \mathbb{F}_q[x]/(f)$. Finite field elements are represented by polynomials of degree less than $n$ with coefficients in $\mathbb{F}_q$. Addition is performed term-wise and multiplication is taken $\pmod f$.
     There are irreducible polynomials of every degree $n$ over every finite field. Since $f$ is the polynomial used in the reduction, in practice highly sparse irreducible polynomials are preferred. Over $\mathbb{F}_2$, the sparsest polynomials are trinomials: $x^n + x^k + 1$.

  8. Polynomial Representation II
     Trinomials over $\mathbb{F}_2$ do not exist for every degree $n$. Hence, many studies center on finding the best irreducible polynomials to use in practice. Theoretically, it has been proved that irreducible trinomials in characteristic 2 of degree a multiple of 8 do not exist (Swan, 1962). For those values of $n$, pentanomials should be used.
     Example. In Rijndael most arithmetic is done in $\mathbb{F}_{2^8}$ using the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$ to define the extension. There are theoretical and practical reasons to pick this polynomial: practically, polynomials whose high-degree coefficients are mostly zero seem to behave better.

  9. Differential Cryptanalysis

  10. General Concepts
     Around 1992, two cryptanalysis methods aimed at symmetric cryptosystems were introduced: differential cryptanalysis (due to Biham and Shamir) and linear cryptanalysis (due to Matsui). In order to resist these attacks, the S-boxes (vectorial functions from $\mathbb{F}_2^n$ to $\mathbb{F}_2^n$) used in an iterated block cipher must satisfy certain mathematical properties: differential uniformity (against differential cryptanalysis) and nonlinearity (against linear cryptanalysis). Although we mostly present results for characteristic 2, all concepts can be generalized to any finite field $\mathbb{F}_q$.
     The main goal of this talk is to comment on these properties and to show functions that have good nonlinearity and differential uniformity, and hence can be used (or are already used) as S-boxes.

  11. Vectorial Functions
     We consider functions from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, where we assume $n \ge m$. If $m = 1$, then this is a Boolean function. We are especially interested here in functions on $\mathbb{F}_2^n$, that is, when $m = n$.
     Vectorial functions and extension fields over finite fields of characteristic two are used in many cryptographic systems. For example, the Advanced Encryption Standard (AES) uses these objects for its S-boxes (substitution boxes). The security of the system depends heavily on the properties of the chosen S-boxes. The substitution should be one-to-one, to ensure invertibility, but the S-box is usually more than a permutation of the bits. Other properties are needed.

  12. Main Idea
     The differential attack is based on analyzing how differences in the input of an S-box affect differences in the corresponding outputs. The basic method uses pairs of plaintexts related by a constant difference. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution.
     Let $f$ be an S-box. The method begins by constructing a difference table for $f$. Let $a \in \mathbb{F}_2^n$ be fixed. For every pair of vectors $x, y \in \mathbb{F}_2^n$ such that $y - x = a$ we compute $f(y) - f(x) = b$ and count the number of times each value of $b$ occurs. We repeat this for every value of $a \in \mathbb{F}_2^n$, so each entry in the table is the number of times $b$ occurs for a given value of $a$.

  13. From the difference table we select an entry $(a, b)$ such that the pair $(a, b)$ occurs a large number of times. Then one particular ciphertext difference is expected to be especially frequent, and this is used to guess the key.
     In order to be resistant to differential cryptanalysis, we should choose our S-boxes such that their difference tables do not have large values. More precisely, a function $f$ offers high resistance to differential cryptanalysis when the number of solutions to the system
     $y - x = a, \quad f(y) - f(x) = b,$
     is low for every $a \neq 0$, $b \in \mathbb{F}_2^n$.

  14. Definition
     For fixed $a, b \in \mathbb{F}_2^n$, let $N_f(a, b)$ denote the number of solutions $x \in \mathbb{F}_2^n$ of $f(x + a) - f(x) = b$, and let
     $\Delta_f = \max\{\, N_f(a, b) \mid a, b \in \mathbb{F}_2^n,\ a \neq 0 \,\}.$
     Nyberg (1994) defines a mapping $f$ to be differentially $k$-uniform if $\Delta_f = k$. If $k = 1$, then $f$ is a perfect nonlinear function (PN). If $k = 2$, then $f$ is an almost perfect nonlinear function (APN).
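A worked check of slides 7, 8, 12 and 14, added here and not part of the original deck: it implements $\mathbb{F}_{2^8}$ arithmetic with the Rijndael polynomial, builds the difference table $N_f(a,b)$ and computes $\Delta_f$. The function examined is the inversion map $x \mapsto x^{254}$ (the multiplicative inverse, with $0 \mapsto 0$), which is the nonlinear core of the AES S-box; the deck itself only names the polynomial, so that choice of $f$ is this example's own.

```python
# Added example (not from the slides): F_{2^8} arithmetic with the Rijndael
# polynomial, then the difference table and differential uniformity of the
# inversion map x -> x^254 (= x^{-1} for x != 0) that underlies the AES S-box.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1; bit i of an int = coefficient of x^i

def gf_mul(a, b, poly=AES_POLY):
    """Product in F_{2^8}: multiply as polynomials over F_2, reduce mod poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a  # addition in characteristic 2 is XOR (no carries)
        b >>= 1
        a <<= 1
        if a & 0x100:  # degree reached 8: subtract (XOR) the modulus
            a ^= poly
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in F_{2^8}."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(q-2) = a^254 inverts a != 0 because a^q = a; 0 -> 0 as in AES."""
    return gf_pow(a, 254) if a else 0

def difference_table(f, n=8):
    """table[a][b] = N_f(a, b) = #{x in F_2^n : f(x + a) - f(x) = b};
    in characteristic 2 both + and - on bit vectors are XOR."""
    size = 1 << n
    fx = [f(x) for x in range(size)]  # evaluate f once per input
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][fx[x ^ a] ^ fx[x]] += 1
    return table

def differential_uniformity(f, n=8):
    """Delta_f = max N_f(a, b) over a != 0 (Nyberg's differential k-uniformity)."""
    return max(max(row) for row in difference_table(f, n)[1:])

if __name__ == "__main__":
    print("inversion:", differential_uniformity(gf_inv))               # 4
    print("x -> 3x  :", differential_uniformity(lambda x: gf_mul(x, 3)))  # 256
```

The inversion map comes out differentially 4-uniform, whereas a linear map such as $x \mapsto 3x$ has a single entry of 256 in every row of its table, the worst possible value for an S-box.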

  15. These notions can be generalized to vectorial functions from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, where $n \ge m$, not necessarily $n = m$.
     A function $f$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, where $n \ge m$, is balanced if it is uniformly distributed, that is, $f$ takes each value of $\mathbb{F}_2^m$ exactly $2^{n-m}$ times. When $n = m$, each value of $\mathbb{F}_2^n$ is taken exactly once.
     In general, for $n \ge m$, the function $f$ is PN if and only if all of its derivatives are balanced, that is, if for nonzero $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^m$ we have $N_f(a, b) = 2^{n-m}$ for any such $a$ and any $b$.
     Let $m = 1$. A function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ is PN if and only if for all $a \neq 0$ in $\mathbb{F}_2^n$ and $b \in \mathbb{F}_2$, the number of solutions of $f(x + a) - f(x) = b$ is $2^{n-1}$.

  16. PN functions are also called bent functions. They were first introduced in the area of finite geometries as planar functions. They have the property that for every nonzero $a$, the difference mapping is a permutation of $\mathbb{F}_{p^n}$.
     There are many notions related to bent functions, including almost bent, hyper-bent, self-dual bent, etc. Bent functions are also related to constructions of objects in both combinatorics and finite geometries, including difference sets, strongly regular graphs, association schemes, etc.
