On a Generalisation of Dillon’s APN Permutation

Léo Perrin (leo.perrin@uni.lu), Anne Canteaut (Anne.Canteaut@inria.fr), Sébastien Duval (Sebastien.Duval@inria.fr)

May 11, 2017

Table of Contents
1. Introduction
2. Butterflies
3. Generalisation of Butterflies
4. Properties of Generalised Butterflies
5. Walsh Spectrum and Table of Differences
6. Conclusion

A. Canteaut, S. Duval and L. Perrin, On a Generalisation of Dillon’s APN Permutation, May 11, 2017

SPN Ciphers
◮ Rijndael/AES (J. Daemen, V. Rijmen, 1988)
◮ Succession of confusion/diffusion layers
◮ Good for parallelism and easy to implement
[Figure: SPN structure, top to bottom: Plaintext, $K_0$, S S S S, L, $K_1$, S S S S, L, $K_2$, Ciphertext.]

S-Box
Definition 1 (S-Box). We will call Substitution-Box or S-Box any mapping from $\mathbb{F}_2^m$ into $\mathbb{F}_2^n$, $n, m \geq 0$.
Main Desirable Properties
◮ Permutation ($\Rightarrow n = m$)
◮ Non-linear ($\Rightarrow n$ small)
◮ Resistant to differential attacks
◮ Resistant to linear attacks
◮ High algebraic degree

Differential Properties
Definition 2 (Differential Uniformity). Let $F$ be a function over $\mathbb{F}_2^n$. The table of differences of $F$ is:
$$\delta_F(a, b) = \#\{x \in \mathbb{F}_2^n \mid F(x \oplus a) = F(x) \oplus b\}.$$
Moreover, the differential uniformity of $F$ is
$$\delta(F) = \max_{a \neq 0,\, b} \delta_F(a, b).$$
[Figure: inputs $x$ and $x \oplus a$ each go through $F$, giving outputs $y$ and $y \oplus b$.]
◮ $F$ is resistant against differential attacks if $\delta(F)$ is small
◮ $F$ is called APN if $\delta(F) = 2$

The Big APN Problem
We know how to get:
◮ APN functions on $\mathbb{F}_2^n$,
◮ APN permutations on $\mathbb{F}_2^n$, $n$ odd,
◮ permutations with $\delta = 4$ on $\mathbb{F}_2^n$.
Are there any APN permutations on $\mathbb{F}_2^n$, $n$ even?
2009: Dillon S-Box. Browning, Dillon, McQuistan, Wolfe: APN permutation on $\mathbb{F}_2^6$.
The Still Big APN Problem
Are there any other APN permutations on $\mathbb{F}_2^n$, $n$ even?

Linear Properties
Definition 3 (Linearity). Let $F$ be a function over $\mathbb{F}_2^n$. The table of linear biases of $F$ is:
$$\lambda_F(a, b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{a \cdot x \oplus b \cdot F(x)}.$$
Moreover, the linearity of $F$ is
$$\mathcal{L}(F) = \max_{a,\, b \neq 0} |\lambda_F(a, b)|.$$
◮ $F$ is resistant to linear attacks if $\mathcal{L}(F)$ is small

Algebraic Degree
Definition 4 (Univariate degree vs algebraic degree). Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. The algebraic degree (aka multivariate degree) of $F$ is the maximal degree of the algebraic normal forms of its coordinates. The univariate degree of $F$ is the degree of the univariate polynomial in $\mathbb{F}_{2^n}[X]$ representing $F$ when it is identified with a function from $\mathbb{F}_{2^n}$ into itself.
The algebraic degree of the univariate polynomial $x \mapsto x^e$ of $\mathbb{F}_{2^n}$ is the Hamming weight of the binary expansion of $e$.

Butterflies: Definitions (1) [Perrin et al.]
$R_k : x \mapsto R(x, k)$ permutation $\forall k$.
Open Butterfly and Closed Butterfly are CCZ-equivalent $\Rightarrow$ share the same sets
$$\{\delta_{H_R}(a, b)\}_{a,b} = \{\delta_{V_R}(a, b)\}_{a,b}, \qquad \{\mathcal{L}_{H_R}(a, b)\}_{a,b} = \{\mathcal{L}_{V_R}(a, b)\}_{a,b}.$$
In particular, $\delta(H_R) = \delta(V_R)$ and $\mathcal{L}(H_R) = \mathcal{L}(V_R)$.
[Figures: $H_R$: Open Butterfly, with blocks labelled $R^{-1}$ and $R$; $V_R$: Closed Butterfly, with blocks labelled $R$ and $R$.]

Butterflies: Definitions (2)
$$R_k[e, \alpha] = (x \oplus \alpha k)^e \oplus k^e, \quad \text{with } \gcd(e, 2^n - 1) = 1.$$
[Figures: $H_R$: Open Butterfly and $V_R$: Closed Butterfly, drawn with blocks labelled $x^e$, $x^{1/e}$ and $\times\alpha$.]
Most interesting case for study: $e = 3 \times 2^t$. Then $R$ is quadratic, and $V_R$ is quadratic.

Butterflies: Properties
Theorem 1 (Properties of Butterflies). Let $e = 3 \times 2^t$, $\alpha \notin \{0, 1\}$, $n$ odd.
◮ $\delta(H_R) \leq 4$, $\delta(V_R) \leq 4$,
◮ $V_R$ is quadratic,
◮ $H_R$ has algebraic degree $n + 1$.
Theorem 2 (APN Butterflies). If $n = 3$ and $x \mapsto x^e$ is APN, then $H_R$ is an APN permutation (affine equivalent to the Dillon permutation).

Open Questions of [Perrin et al.]
◮ Nonlinearity/Linearity of $H_R$ (and $V_R$),
◮ Can we find $\alpha$ such that $H_R$ is APN for some $n > 6$?

Objective of this Work
◮ Deeper study of butterflies:
  ◮ Linearity
  ◮ Are there other APN butterflies?
◮ Generalise butterflies: from the structure
Results
◮ Generalisation of butterflies (quadratic case)
◮ Study of generalised butterflies
◮ Computed linearity of (generalised) butterflies
◮ Condition for APN $\Rightarrow$ No other APN butterflies

Generalised Butterflies: Definitions
Degree restriction:
◮ $R_y : x \mapsto R(x, y)$ permutation $\forall y$.
◮ Degree of $R$ is at most 3:
◮ Then $R$ can be written:
$$R(x, y) = (x \oplus \alpha y)^3 \oplus \beta y^3$$
with $\alpha, \beta \in \mathbb{F}_2^n$.
[Figures: $H_{\alpha,\beta}$: Open Butterfly, with blocks labelled $R^{-1}$ and $R$; $V_{\alpha,\beta}$: Closed Butterfly, with blocks labelled $R$ and $R$.]

Generalised Butterflies: Definitions (2)
[Figures: $H_{\alpha,\beta}$: Open Butterfly and $V_{\alpha,\beta}$: Closed Butterfly, drawn with blocks labelled $x^3$, $x^{1/3}$, $\times\alpha$ and $\times\beta$.]

Equivalences
◮ $H_{\alpha,\beta}$ and $V_{\alpha,\beta}$ are CCZ-equivalent.
◮ When $\alpha = 1$, $H_{\alpha,\beta}$ is equivalent to a 3-round Feistel network.
◮ Butterfly with $e = 3 \times 2^t$ is affine-equivalent to Butterfly with $e = 3$.
◮ $V_{\alpha,\beta}$ and $V_{\alpha^2,\beta^2}$ are affine-equivalent.
◮ If $\alpha \neq 1$, $V_{\alpha,\beta}$ and $V_{\alpha,\,\beta^{-1}(1+\alpha)^6}$ are affine-equivalent.

Property of Quadratic Functions
Property 1 (Linearity of Quadratic Functions). Let $f$ be a quadratic Boolean function of $n$ variables, and let
$$LS(f) = \{a \in \mathbb{F}_2^n : D_a f \text{ is constant}\}.$$
Then $\mathcal{L}(f) = 2^{\frac{n+s}{2}}$, with $s = \dim LS(f)$.
Moreover, the Walsh coefficients of $f$ take only the values $\pm 2^{\frac{n+s}{2}}$ and $0$.

Linear Properties
Theorem 3. Let $n > 1$ be an odd integer and $(\alpha, \beta)$ be a pair of nonzero elements in $\mathbb{F}_{2^n}$.
◮ If $\beta \neq (1 + \alpha)^3$, $\mathcal{L}(V_{\alpha,\beta}) = 2^{n+1}$ and the Walsh coefficients of $V_{\alpha,\beta}$ belong to $\{0, \pm 2^n, \pm 2^{n+1}\}$.
◮ If $\beta = (1 + \alpha)^3$, $\mathcal{L}(V_{\alpha,\beta}) = 2^{\frac{3n+1}{2}}$.

Differential Properties
Theorem 4 (Differential uniformity). Let $n > 1$ odd, $\alpha, \beta \in \mathbb{F}_{2^n} \setminus \{0\}$. Then:
◮ If $\beta \neq (1 + \alpha)^3$, $\delta(H_{\alpha,\beta}) \leq 4$.
◮ If $\beta = (1 + \alpha)^3$, $\delta(H_{\alpha,\beta}) = 2^{n+1}$.
Theorem 5 (APN Condition). Let $\alpha \neq 0, 1$. $H_{\alpha,\beta}$ is APN if and only if:
$$\beta \in \{(\alpha + \alpha^3), (\alpha^{-1} + \alpha^3)\} \quad \text{and} \quad \mathrm{Tr}(A_\alpha(e)) = 1, \ \forall e \notin \{0, \alpha, 1/\alpha\},$$
where
$$A_\alpha(e) = \frac{e\,\alpha\,(1 + \alpha)^2}{(1 + \alpha e)(\alpha + e)^2}.$$
This condition implies that $n = 3$.

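Theorems 3, 4 and 5 can be checked exhaustively for $n = 3$ using Definitions 2 and 3 directly. The Python below is an added example, not code from the slides or from the authors: it assumes $\mathbb{F}_{2^3}$ is represented modulo $x^3 + x + 1$, uses the bitwise dot product on 6-bit words, builds $H_{\alpha,\beta}(x, y) = (R(y, z), z)$ with $R(z, y) = x$ and $V_{\alpha,\beta}(x, y) = (R(x, y), R(y, x))$, and all function names are illustrative.

```python
from collections import Counter
N, MOD, Q = 3, 0b1011, 8  # assumed representation: GF(2^3) modulo x^3 + x + 1

def mul(a, b):
    """Multiply in GF(2^N): shift-and-add, reduced modulo MOD."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= MOD if a >> N else 0
    return r

def R(x, y, al, be):
    """R(x, y) = (x + alpha*y)^3 + beta*y^3."""
    cube = lambda v: mul(v, mul(v, v))
    return cube(x ^ mul(al, y)) ^ mul(be, cube(y))

def closed(al, be):
    """V(x, y) = (R(x, y), R(y, x)), tabulated on the 2N-bit word x||y."""
    return [R(x, y, al, be) << N | R(y, x, al, be) for x in range(Q) for y in range(Q)]

def opened(al, be):
    """H(x, y) = (R(y, z), z) with z = R_y^{-1}(x); enumerate z instead of inverting."""
    H = {R(z, y, al, be) << N | y: R(y, z, al, be) << N | z for z in range(Q) for y in range(Q)}
    return [H[i] for i in range(Q * Q)]

def delta(F):
    """Differential uniformity: max over a != 0 and b of #{x : F(x ^ a) = F(x) ^ b}."""
    return max(max(Counter(F[x] ^ F[x ^ a] for x in range(len(F))).values())
               for a in range(1, len(F)))

def linearity(F):
    """L(F): max over a and b != 0 of |lambda_F(a, b)|, one Walsh transform per b."""
    best = 0
    for b in range(1, len(F)):
        w = [1 - 2 * (bin(b & v).count("1") & 1) for v in F]
        h = 1
        while h < len(w):  # in-place fast Walsh-Hadamard transform over a
            for i in range(0, len(w), 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(map(abs, w)))
    return best

def survey():
    """Map each nonzero (alpha, beta) to (delta(H), delta(V), L(V))."""
    return {(al, be): (delta(opened(al, be)), delta(closed(al, be)), linearity(closed(al, be)))
            for al in range(1, Q) for be in range(1, Q)}
```

In this representation the pairs with $\delta(H_{\alpha,\beta}) = 2$ are $(2,1), (2,6), (4,1), (4,2), (6,1), (6,4)$, each with $\beta \in \{\alpha + \alpha^3, \alpha^{-1} + \alpha^3\}$ as Theorem 5 requires.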