on ccz equivalence extended affine equivalence and
play

On CCZ-Equivalence, Extended-Affine Equivalence and Function - PowerPoint PPT Presentation

Dec 07, 2023 •251 likes •885 views

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo Perrin June 3, 2019 Fq14, Vancouver Setting up the background Cryptographic properties Equivalence classes CCZ-equivalence Cryptographic

  1. On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L´ eo Perrin June 3, 2019 Fq14, Vancouver

  2. Setting up the background Cryptographic properties → Equivalence classes → CCZ-equivalence

  3. Cryptographic Properties F : F n 2 → F m 2 and G : F n 2 → F m 2 are functions (e.g. S-Boxes). Definition (DDT/LAT) The D(ifference) D(istribution) T(able) of F : F n 2 → F m 2 is 𝒠 F ( α, β ) = # { x , F ( x ⊕ α ) ⊕ F ( x ) = β } The L(inear) A(pproximation) T(able) of F : F n 2 → F m 2 is ( − 1) α · x + β · F ( x ) . ∑︂ 𝒳 F ( α, β ) = x ∈ F n 2

  4. Cryptographic Properties F : F n 2 → F m 2 and G : F n 2 → F m 2 are functions (e.g. S-Boxes). Definition (DDT/LAT) The D(ifference) D(istribution) T(able) of F : F n 2 → F m 2 is 𝒠 F ( α, β ) = # { x , F ( x ⊕ α ) ⊕ F ( x ) = β } The L(inear) A(pproximation) T(able) of F : F n 2 → F m 2 is ( − 1) α · x + β · F ( x ) . ∑︂ 𝒳 F ( α, β ) = x ∈ F n 2 Big APN Problem Is there an APN permutation on 2 t bits such that max(DDT) = 2?

  5. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations.

  6. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations. Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G ( x ) = ( B ∘ F ∘ A )( x ) + C ( x ), where A , B , C are affine and A , B are permutations; so that [︃ A − 1 ]︃ (︁{︁ 0 {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ = . 2 CA − 1 2 B

  7. Equivalence Relations that ≈ Preserve DDT/LAT (1/2) Definition (Affine-Equivalence) F and G are affine equivalent if G ( x ) = ( B ∘ F ∘ A )( x ), where A , B are affine permutations. Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G ( x ) = ( B ∘ F ∘ A )( x ) + C ( x ), where A , B , C are affine and A , B are permutations; so that [︃ A − 1 ]︃ (︁{︁ 0 {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ = . 2 CA − 1 2 B Affine permutations with such linear part are EA-mappings ; their transposes are TEA-mappings

  8. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2

  9. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 CCZ-equivalence plays a crucial role in the investigation of the big APN problem.

  10. Equivalence Relations that ≈ Preserve DDT/LAT (2/2) Definition (CCZ-Equivalence) F : F n 2 → F m 2 and G : F n 2 → F m 2 are C(arlet)-C(harpin)-Z(inoviev) equivalent if {︁ ( x , G ( x )) , ∀ x ∈ F n }︁ (︁{︁ ( x , F ( x )) , ∀ x ∈ F n }︁)︁ Γ G = = L = L (Γ F ) , 2 2 where L : F n + m → F n + m is an affine permutation. 2 2 CCZ-equivalence plays a crucial role in the investigation of the big APN problem. What is the relation between functions that are CCZ- but not EA-equivalent?

  11. The Problem with CCZ-Equivalence Admissible Mapping For F : F n 2 → F m 2 , the affine permutation L is admissible for F if { ( x , F ( x )) , ∀ x ∈ F n = { ( x , G ( x )) , ∀ x ∈ F n (︁ )︁ L 2 } 2 } for a well defined function G : F n 2 → F m 2 .

  12. The Problem with CCZ-Equivalence Admissible Mapping For F : F n 2 → F m 2 , the affine permutation L is admissible for F if { ( x , F ( x )) , ∀ x ∈ F n = { ( x , G ( x )) , ∀ x ∈ F n (︁ )︁ L 2 } 2 } for a well defined function G : F n 2 → F m 2 . How can we list all admissible mappings for F?

  13. Structure of this talk 1 CCZ-Equivalence and Vector Spaces of 0 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion

  14. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Outline 1 CCZ-Equivalence and Vector Spaces of 0 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion 6 / 25

  15. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Plan of this Section 1 CCZ-Equivalence and Vector Spaces of 0 Vector Spaces of Zeroes Partitioning a CCZ-Class into EA-Classes 2 Function Twisting 3 Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation 4 Conclusion 6 / 25

  16. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 7 / 25

  17. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 Definition (Walsh Zeroes) The Walsh zeroes of F : F n 2 → F m 2 is the set 𝒶 F = { u ∈ F n 2 × F m 2 , 𝒳 F ( u ) = 0 } ∪ { 0 } . 2 } ⊂ F n + m With 𝒲 = { ( x , 0) , ∀ x ∈ F n , we have 𝒲 ⊂ 𝒶 F . 2 7 / 25

  18. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Walsh Zeroes For all F : F n 2 → F m 2 , we have ( − 1) α · x +0 · F ( x ) = 0 . ∑︂ 𝒳 F ( α, 0) = x ∈ F n 2 Definition (Walsh Zeroes) The Walsh zeroes of F : F n 2 → F m 2 is the set 𝒶 F = { u ∈ F n 2 × F m 2 , 𝒳 F ( u ) = 0 } ∪ { 0 } . 2 } ⊂ F n + m With 𝒲 = { ( x , 0) , ∀ x ∈ F n , we have 𝒲 ⊂ 𝒶 F . 2 Note that if Γ G = L (Γ F ), then 𝒶 G = ( L T ) − 1 ( 𝒶 F ). 7 / 25

  19. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Admissibility for F Lemma Let L : F n + m → F n + m be a linear permutation. It is admissible for 2 2 F : F n 2 → F m 2 if and only if L T ( 𝒲 ) ⊆ 𝒶 F 8 / 25

  20. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Admissibility of EA-mappings EA-mappings are admissible for all F : F n 2 → F m 2 : [︃ A [︃ A T ]︃ (︃{︃[︃ x ]︃ T C T 0 ]︃ }︃)︃ , ∀ x ∈ F n ( 𝒲 ) = = 𝒲 . B T 2 C B 0 0 9 / 25

  21. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion Permutations We define 𝒲 ⊥ = { (0 , y ) , ∀ y ∈ F m 2 } ⊂ F n + m . 2 Lemma F : F n 2 → F m 2 is a permutation if and only if 𝒲 ⊥ ⊂ 𝒶 F . 10 / 25

  22. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. 11 / 25

  23. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. Can we use this knowledge to partition a CCZ-class into its EA-classes? 11 / 25

  24. CCZ-Equivalence and Vector Spaces of 0 Function Twisting Vector Spaces of Zeroes Necessary and Efficient Conditions for CCZ-Equivalence to a Permutation Partitioning a CCZ-Class into EA-Classes Conclusion EA-classes imply vector spaces Lemma let F, G and G ′ be such that Γ G = L (Γ F ) and Γ G ′ = L ′ (Γ F ) . If L T ( 𝒲 ) = L ′ T ( 𝒲 ) , then G and G ′ are EA-equivalent. Can we use this knowledge to partition a CCZ-class into its EA-classes? The Lemma gives us hope! 1 EA-class = ⇒ 1 vector space of zeroes of dimension n in 𝒶 n 11 / 25

Recommend

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin June 18, 2018 BFA2018 Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G x B F A x C x , where A B C

1.11k views • 98 slides
An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur

An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur

An Im Improved Affi fine Equivalence Alg lgorithm for Random Permutations Itai Dinur Ben-Gurion University, Israel EUROCRYPT 2018 Affine Equivalence Problem (AEP) F G n n n n Given two functions F,G, are there invertible affine

549 views • 19 slides
Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley

Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley

Affine Toric Equivalence Relations are Effective Claudiu Raicu University of California, Berkeley AMS-SMM Joint Meeting, Berkeley, June 2010 Motivating Question Under what circumstances do quotients by finite equivalence relations exist?

879 views • 39 slides
Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically)

Propositional Logic Equivalences 1 Equivalence Definition (Equivalence) Two formulas F and G are (semantically) equivalent if A ( F ) = A ( G ) for every assignment A that is suitable for both F and G . We write F G to denote that F and G

276 views • 12 slides
Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 ,

Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 ,

Polynomial equivalence problem for sums of affine powers ISSAC 2018 Ignacio Garcia-Marco 1 , Pascal Koiran 2 , Timoth ee Pecatte 2 1 Universidad de la Laguna, 2 LIP, Ecole Normale Sup erieure de Lyon 1 / 21 Models of interest 1 / 21

1.05k views • 83 slides
Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau,

Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau,

Algorithms for Extended Alpha-Equivalence and Complexity Manfred Schmidt-Schau, Conrad Rau, David Sabel Goethe-University, Frankfurt, Germany RTA 2013, Eindhoven, The Netherlands 1 Motivation GI-Completeness GC Applications -Calculus

532 views • 34 slides
Todays Expedition TED highlights Equivalence Relations Equivalence Classes and

Todays Expedition TED highlights Equivalence Relations Equivalence Classes and

Todays Expedition TED highlights Equivalence Relations Equivalence Classes and Partitions Boolean Algebra Boolean functions Sum of Products expansion Logic gates and circuits Sections 8.5, 11.1-11.3 in the text

541 views • 15 slides
Equivalence Relations {( a , b ) | a and b are from the the same state}. Observe that these

Equivalence Relations {( a , b ) | a and b are from the the same state}. Observe that these

Equivalence Relations http://localhost/~senning/courses/ma229/slides/equivalence-relations/slide01.html Equivalence Relations http://localhost/~senning/courses/ma229/slides/equivalence-relations/slide02.html Equivalence Relations prev | slides

235 views • 4 slides
Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is

Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is

Section 4.2: Equivalence Relations What is equality? What is equivalence? Equality is more basic, fundamental concept. Every element in a set is equal only to itself. The basic equality relation {(x,x) | x S} We tend to assume

893 views • 61 slides
7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive,

7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive,

7.5.1 Section 7.5 Equivalence Relations 7.5 EQUIVALENCE RELATIONS def: An equivalence relation is a binary rela- tion that is reflexive, symmetric, and transitive. Set S = { a, b, c, d, e, f } and Example 7.5.1: R = ( a, a ) , ( b, c )

312 views • 4 slides
Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College

Program Equivalence From Trace Equivalence Tim Wood 1 Sophia Drossopoulou 1 1 Imperial College London Wood, Drossopoulou (Imperial College London) Program Equivalence October 2014 1 / 30 Context Program maintenance is a common and important

1.02k views • 61 slides
A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau,

A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau,

Congruence closure Equivalence and inclusions Quantified hypotheses Conclusion A decision procedure for equivalence relations Sbastien Michelland with Pierre Corbineau, Lionel Rieg and Karine Altisen July 5, 2020 1 / 14 (CC BY-ND)

660 views • 22 slides
Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of

Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of

Lecture 4.2: Equivalence relations and equivalence classes Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4190, Discrete Mathematical Structures M. Macauley (Clemson) Lecture

561 views • 11 slides
Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville /

Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville /

Logical equivalence Equivalence proof Multiplexers January 22, 2020 Patrice Belleville / Geoffrey Tien 1 Announcements Pre-class quiz #4, due Sunday, Jan.26, 19:00 Epp 4e/5e: Chapter 2.3 Pre-class quiz #5, due Sunday, Feb.02, 19:00

212 views • 19 slides
CS137: Today Electronic Design Automation Sequential Verification DFA equivalence

CS137: Today Electronic Design Automation Sequential Verification DFA equivalence

CS137: Today Electronic Design Automation Sequential Verification DFA equivalence Issues Extracting STG Day 9: February 10, 2006 Valid state reduction FSM Equivalence Checking Incomplete Specification

99 views • 5 slides
Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and

Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and

Stimulus Equivalence Joshua K. Pritchard, PhD In todays workshop Im going to try and convince you of the richness of humanity and language Im going to try to give you a brief primer on stimulus equivalence Im going to

984 views • 79 slides
Checking NFA Equivalence with Bisimulations up to Congruence Filippo Bonchi and Damien Pous

Checking NFA Equivalence with Bisimulations up to Congruence Filippo Bonchi and Damien Pous

Checking NFA Equivalence with Bisimulations up to Congruence Filippo Bonchi and Damien Pous CNRS, LIP, ENS Lyon POPL, Roma, 25.1.2o13 Language equivalence of finite automata Useful for model checking: check that a program refines its

1.36k views • 92 slides
A Complete Characterization of Observational Equivalence in Polymorphic lambda-Calculus with

A Complete Characterization of Observational Equivalence in Polymorphic lambda-Calculus with

A Complete Characterization of Observational Equivalence in Polymorphic lambda-Calculus with General References Eijiro Sumii (Tohoku University) Executive Summary Sound and complete "proof method" for contextual equivalence in a

496 views • 34 slides
Convention on Road Tra ffi c in view of Automated Driving Observation #1- Equivalence between all

Convention on Road Tra ffi c in view of Automated Driving Observation #1- Equivalence between all

Convention on Road Tra ffi c in view of Automated Driving Observation #1- Equivalence between all drivers is implicit Equivalence in behavioural expectations between all drivers is the foundation for safety in a shared tra ffi c environment.

100 views • 8 slides
The problem of equivalence of different gauges in external current QED Benedikt Wegener

The problem of equivalence of different gauges in external current QED Benedikt Wegener

Gauge Freedom and Canonical Quantization Different Gauges in QED (In-)Equivalence of gauges The problem of equivalence of different gauges in external current QED Benedikt Wegener Foundations and Constructive Aspects of QFT Bergische

679 views • 40 slides
CSCI 246 Class 16 MORE EQUIVALENCE RELATIONS Quiz Questions Lecture 27: What is the

CSCI 246 Class 16 MORE EQUIVALENCE RELATIONS Quiz Questions Lecture 27: What is the

CSCI 246 Class 16 MORE EQUIVALENCE RELATIONS Quiz Questions Lecture 27: What is the difference between an equivalence relation and a partial order relation? Notes and Clarifications Extra credit due tonight Quiz option for

295 views • 25 slides
Equivalence Class Testing Garreth Davies CS 339 Advanced Topics In Computer Science Testing

Equivalence Class Testing Garreth Davies CS 339 Advanced Topics In Computer Science Testing

Equivalence Class Testing Garreth Davies CS 339 Advanced Topics In Computer Science Testing (Prof. Schlingloff & Dr. M Roggenbach) Contents Equivalence Class Testing What is it? Different forms of equivalence class testing

519 views • 35 slides
Countable Borel equivalence relations, recursion theory, and Borel combinatorics Andrew Marks UC

Countable Borel equivalence relations, recursion theory, and Borel combinatorics Andrew Marks UC

Countable Borel equivalence relations, recursion theory, and Borel combinatorics Andrew Marks UC Berkeley Countable Borel equivalence relations Definition A Borel equivalence relation E is an equivalence relation on 2 that has a 0

567 views • 56 slides
Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf

Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf

Borel equivalence relations and symmetric models Topologies for the Friedman-Stanley jumps Assaf Shani UCLA Logic colloquium, Udine, Italy July 2018 1 / 7 Motivation Given an equivalence relation E on a Polish space X , how does E behave

225 views • 7 slides

More recommend