leo.perrin@inria.fr @lpp_crypto How to Take a Function Apart with SboxU (Also Featuring some New Results on Ortho-Derivatives) Anne Canteaut 1 , Léo Perrin 1 1 Inria, France B oolean F unctions and their A pplications 2020
A wild vectorial Boolean function appears! What do you do?
What do you do? A wild vectorial Boolean function appears!
A wild vectorial Boolean function appears! What do you do?
Basic Functionalities CCZ-Equivalence Ortho-Derivative Conclusion Outline Basic Functionalities 1 CCZ-Equivalence 2 3 Ortho-Derivative 4 Conclusion 2 / 17
Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Plan of this Section Basic Functionalities 1 Installation Core Functionalities CCZ-Equivalence 2 Ortho-Derivative 3 4 Conclusion 2 / 17
Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Plan of this Section Basic Functionalities 1 Installation Core Functionalities CCZ-Equivalence 2 Ortho-Derivative 3 4 Conclusion 2 / 17
Demo Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion How to You need to have SAGE installed Then head to https://github.com/lpp-crypto/sboxU 3 / 17
SAGE SBox Supports output size input Assumes output size input size size Sub-routines written in Sub-routines written in Python or Cython Python or multi-threaded C++ Built-in SAGE Cutting functionalities functionalities sboxU Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Sbox from SAGE vs. sboxU There are already many functions for investigating vectorial boolean functions in SAGE: Class SBox from sage.crypto.sbox (or sage.crypto.mq.sbox in older versions) Module boolean_function from sage.crypto 4 / 17
sboxU Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Sbox from SAGE vs. sboxU There are already many functions for investigating vectorial boolean functions in SAGE: Class SBox from sage.crypto.sbox (or sage.crypto.mq.sbox in older versions) Module boolean_function from sage.crypto SAGE SBox Supports output size ̸ = input Assumes output size = input size size Sub-routines written in Sub-routines written in Python or Cython Python or multi-threaded C++ Built-in SAGE Cutting functionalities functionalities 4 / 17
Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Plan of this Section Basic Functionalities 1 Installation Core Functionalities CCZ-Equivalence 2 Ortho-Derivative 3 4 Conclusion 4 / 17
Demo Basic Functionalities CCZ-Equivalence Installation Ortho-Derivative Core Functionalities Conclusion Some Tools DDT/LAT (+ Pollock representation thereof) 1 ANF, algebraic degree 2 3 Finite field arithmetic 4 Linear mappings 5 / 17
Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Plan of this Section Basic Functionalities 1 CCZ-Equivalence 2 Definition and Basic Theorems How Can sboxU Help? Ortho-Derivative 3 4 Conclusion 5 / 17
Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Plan of this Section Basic Functionalities 1 CCZ-Equivalence 2 Definition and Basic Theorems How Can sboxU Help? Ortho-Derivative 3 4 Conclusion 5 / 17
Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G x B F A x C x , where A B C are affine and A B are permutations; so that 1 A 0 n n x G x x x F x x 2 1 2 CA B Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion CCZ- and EA-equivalence Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if { } ({ }) ( x , G ( x )) , ∀ x ∈ F n ( x , F ( x )) , ∀ x ∈ F n Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 6 / 17
Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion CCZ- and EA-equivalence Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if { } ({ }) ( x , G ( x )) , ∀ x ∈ F n ( x , F ( x )) , ∀ x ∈ F n Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G ( x ) = ( B ◦ F ◦ A )( x ) + C ( x ) , where A , B , C are affine and A , B are permutations; so that [ ] ({ A − 1 0 { } }) ( x , G ( x )) , ∀ x ∈ F n ( x , F ( x )) , ∀ x ∈ F n = . 2 CA − 1 2 B 6 / 17
EA-class EA-class EA-class EA-class EA-class F 4 F 1 F F 2 F F 3 G Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Some Algorithmic Problems with CCZ-Equivalence CCZ-class F 7 / 17
F 4 F 1 F F 2 F 3 G Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Some Algorithmic Problems with CCZ-Equivalence CCZ-class EA-class EA-class EA-class EA-class EA-class F 7 / 17
F G Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Some Algorithmic Problems with CCZ-Equivalence CCZ-class EA-class EA-class EA-class EA-class EA-class F 4 F 1 F 2 F F 3 7 / 17
G Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Some Algorithmic Problems with CCZ-Equivalence CCZ-class EA-class EA-class EA-class EA-class EA-class F 4 F 1 F ′ F 2 F F 3 7 / 17
Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Some Algorithmic Problems with CCZ-Equivalence CCZ-class EA-class EA-class EA-class EA-class EA-class F 4 F 1 F ′ F 2 F F 3 G 7 / 17
Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Plan of this Section Basic Functionalities 1 CCZ-Equivalence 2 Definition and Basic Theorems How Can sboxU Help? Ortho-Derivative 3 4 Conclusion 7 / 17
Finding permutations ! Demo Demo Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Exploring a CCZ-class Algorithms used here are based on: an efficient vector space search algorithm from “Anomalies and Vector Space Search: Tools for S-Box Analysis” (ASIACRYPT’19), and the framework based on Walsh zeroes we introduced in “On CCZ-equivalence, extended-affine equivalence, and function twisting” , FFA’19 Finding representatives of EA-classes 8 / 17
Demo Demo Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Exploring a CCZ-class Algorithms used here are based on: an efficient vector space search algorithm from “Anomalies and Vector Space Search: Tools for S-Box Analysis” (ASIACRYPT’19), and the framework based on Walsh zeroes we introduced in “On CCZ-equivalence, extended-affine equivalence, and function twisting” , FFA’19 Finding representatives of EA-classes Finding permutations ! 8 / 17
Definition (Walsh spectrum) b F x . The Walsh spectrum is the 1 a x Recall that F a b x number of occurrences of each number in the LAT. The extended Walsh spectrum considers only absolute values. Differential and extended Walsh spectra are constant in a CCZ -class. The algebraic degree and the thickness spectrum are constant in an EA -class. Demo Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Class Invariants Definition (Differential spectrum) { } Recall that DDT F [ a , b ] = # x , F ( x + a ) + F ( x ) = b . The differential spectrum is the number of occurrences of each number in the DDT. 9 / 17
Differential and extended Walsh spectra are constant in a CCZ -class. The algebraic degree and the thickness spectrum are constant in an EA -class. Demo Basic Functionalities CCZ-Equivalence Definition and Basic Theorems Ortho-Derivative How Can sboxU Help? Conclusion Class Invariants Definition (Differential spectrum) { } Recall that DDT F [ a , b ] = # x , F ( x + a ) + F ( x ) = b . The differential spectrum is the number of occurrences of each number in the DDT. Definition (Walsh spectrum) Recall that W F [ a , b ] = ∑ x ( − 1 ) a · x + b · F ( x ) . The Walsh spectrum is the number of occurrences of each number in the LAT. The extended Walsh spectrum considers only absolute values. 9 / 17
Recommend
More recommend
