Outline Framework Antiderivative Functions Applications - PowerPoint PPT Presentation



  1. Antiderivative Functions over $\mathbb{F}_{2^n}$. Valentin SUDER, Seminar CALIN - Paris 13, April 12th 2016. ComSec Lab, University of Waterloo, ON, Canada.

  2. Outline Framework Antiderivative Functions Applications Conclusion

  3. Outline: Framework (Symmetric Cryptography; Differential Attacks on Block Ciphers; Polynomial Representation; Problem), Antiderivative Functions, Applications, Conclusion.

  4-7. Framework / Symmetric Cryptography: Design in Symmetric Cryptography
     ◮ Symmetric Cryptography: Alice and Bob share the same key.
     ◮ Primitives: block ciphers; stream ciphers; hash functions.
     Block Cipher: $E : \mathbb{F}_2^m \times \mathbb{F}_2^k \to \mathbb{F}_2^m$, $(M, K) \mapsto E(M, K) = C$. For a fixed key $K \in \mathbb{F}_2^k$, $E_K : M \mapsto C$ is a permutation of $\mathbb{F}_2^m$.
     ◮ Rounds composed of smaller functions: confusion (nonlinear); diffusion (linear).

  8. Framework / Symmetric Cryptography: Block Ciphers
     [Figure: Feistel Scheme and Substitution Permutation Network (SPN). Message $M$; round $i$ state $(L_i, R_i)$, round function $F$, round key $RK_i$ produced by the key expansion of $K$, Add Round Key, S-boxes $S$, Permutation layer; next state $(L_{i+1}, R_{i+1})$; ciphertext $C$.]

  9. Framework / Symmetric Cryptography: Design in Symmetric Cryptography
     ◮ Symmetric Cryptography: Alice and Bob share the same key.
     ◮ Primitives: block ciphers; stream ciphers; hash functions.
     ◮ Rounds composed of smaller functions: confusion (nonlinear); diffusion (linear).
     ◮ Cryptographic requirements of the confusion part: differential; linear; algebraic; ...

  10. Framework / Differential Attacks on Block Ciphers: Differential Properties of Sboxes
     $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$,
     $$\delta_F(\alpha, \beta) = \#\{x \mid F(x) + F(x + \alpha) = \beta\}.$$
     [Figure: input difference $\alpha$ through $F$ gives output difference $\beta$.]
     The greater the value $\delta_F(\alpha, \beta)$, the more likely an attacker can find $x \in \mathbb{F}_{2^n}$ such that $F(x) + F(x + \alpha) = \beta$.

  11. Framework / Differential Attacks on Block Ciphers: Differential Cryptanalysis of the last round
     [Figure: two encryptions $E_K$ side by side. The key $K$ goes through Key Expansion to round keys $RK_0, RK_1, \dots, RK_{R-1}$; the plaintext $P$ passes through rounds $F_0, F_1, \dots, F_{R-1}$ to the ciphertext $C$, and $P'$ likewise to $C'$. A differential $(\alpha \to \beta)$ on $R-1$ rounds; the difference $\beta = ?$ at the input of the last round $F_{R-1}$, a candidate last round key $RK'$, and $C' = C + ?$ at the output.]

  12. Framework / Polynomial Representation: Polynomial representation of the functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$
     $$F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}, \quad x \mapsto \sum_{i=0}^{2^n - 1} c_i x^i, \quad c_i \in \mathbb{F}_{2^n}.$$
     Definition. The algebraic degree of $F$ is defined as
     $$\deg(F) = \max_{0 \le i \le 2^n - 1} \{\mathrm{wt}(i) \mid c_i \neq 0\},$$
     where $\mathrm{wt}(i)$ is the binary Hamming weight of the integer $i$.
     ◮ $F(x)$ is said to be a permutation polynomial if the associated function $F$ is bijective.
     ◮ $F$ is said to be 2-to-1 if the equation $F(x) = c$ has exactly 0 or 2 solutions, for any $c \in \mathbb{F}_{2^n}$.

  13. Framework / Polynomial Representation: Discrete derivatives
     $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$.
     Definition. The discrete derivative of $F$ in a direction $\alpha \in \mathbb{F}_{2^n}^*$ is defined as
     $$\Delta_\alpha F(x) = F(x) + F(x + \alpha).$$
     The differential uniformity of $F$ is defined as
     $$\delta(F) = \max_{\alpha \neq 0,\ \beta \in \mathbb{F}_{2^n}} \#\{x \mid \Delta_\alpha F(x) = \beta\}.$$
     Definition [Lai94]. The $m$-order derivative of $F$ in directions $\alpha_0, \dots, \alpha_{m-1} \in \mathbb{F}_{2^n}$ is:
     $$\Delta_{\alpha_0, \dots, \alpha_{m-1}} F(x) = \Delta_{\alpha_0}\big(\Delta_{\alpha_1, \dots, \alpha_{m-1}} F(x)\big).$$

  14. Framework / Polynomial Representation: Equivalences preserving differential uniformity (but not only ...)
     $F, G : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$.
     EA-equivalence. $F$ and $G$ are Extended Affine (EA) equivalent if there are two affine permutations $A_0, A_1 : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ and an affine function $A_2 : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ such that
     $$F = A_0 \circ G \circ A_1 + A_2$$
     (affine: of algebraic degree 1).
     CCZ-equivalence [Carlet-Charpin-Zinoviev98]. $F$ and $G$ are CCZ-equivalent if their graphs $\{(x, F(x)) \mid x \in \mathbb{F}_{2^n}\}$ and $\{(x, G(x)) \mid x \in \mathbb{F}_{2^n}\}$ are affine equivalent, i.e. if there is an affine permutation $L = (L_0, L_1) : \mathbb{F}_{2^n} \times \mathbb{F}_{2^n} \to \mathbb{F}_{2^n} \times \mathbb{F}_{2^n}$ such that
     $$\forall (x, y) \in \mathbb{F}_{2^n}^2, \quad y = F(x) \Leftrightarrow L_0(x, y) = G(L_1(x, y)).$$

  15. Framework / Polynomial Representation: Some properties
     $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$.
     ◮ $\alpha \in \mathbb{F}_{2^n}^*$ is a $c$-linear structure of $F$, $c \in \mathbb{F}_{2^n}$, if $\forall x \in \mathbb{F}_{2^n}$, $\Delta_\alpha F(x) = F(x) + F(x + \alpha) = c$.
     ◮ $F$ is called APN (Almost Perfect Nonlinear) if $\delta(F) = \max_{\alpha \neq 0,\ \beta \in \mathbb{F}_{2^n}} \#\{x \mid \Delta_\alpha F(x) = \beta\} = 2$.
     ◮ EA- and CCZ-equivalence preserve differential uniformity.
     ◮ EA-equivalence preserves algebraic degree.
     ◮ The discrete derivation makes the algebraic degree decrease: $\deg(F) > \deg(\Delta_{\alpha_0} F) > \deg(\Delta_{\alpha_0, \alpha_1} F) > \dots$

  16. Framework / Polynomial Representation: Differences Distribution Table (DDT), $n = 4$
     (rows $\alpha$, columns $\beta$, entry $\delta_F(\alpha, \beta)$; "." stands for 0)

     α\β   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
       0  16  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
       1   .  .  .  2  .  2  .  2  2  .  2  2  2  .  2  .
       2   .  .  2  .  .  2  .  6  2  2  .  .  .  .  2  .
       3   .  .  4  2  .  .  .  4  .  .  2  .  .  4  .  .
       4   .  .  .  .  .  2  2  2  2  2  4  .  .  .  .  2
       5   .  4  2  .  2  .  2  .  2  .  .  2  2  .  .  .
       6   .  2  .  .  2  4  2  .  .  .  .  2  .  2  .  2
       7   2  2  .  2  .  .  4  .  .  2  .  2  .  .  .  2
       8   .  .  .  .  .  .  .  .  6  2  .  .  4  .  4  .
       9   .  2  2  .  2  .  2  .  .  2  .  2  2  2  .  .
      10   2  2  .  .  2  .  2  .  .  2  2  2  .  .  .  2
      11   .  .  .  2  .  .  .  2  2  .  2  .  2  .  4  2
      12   .  .  .  2  2  2  .  2  2  2  2  .  .  .  .  2
      13   .  4  .  2  .  .  .  .  .  .  2  4  .  4  .  .
      14   .  .  2  2  2  .  2  2  .  .  2  .  .  .  2  .
      15   2  .  4  .  2  .  2  .  .  .  .  2  2  .  .  2
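As an added example (not part of the deck, and not the function whose DDT the slide above shows), the following Python computes a DDT of the same shape, the differential uniformity $\delta(F)$ of slide 13, the APN test and the linear structures of slide 15 for a function over $\mathbb{F}_{2^4}$. The field is realised as GF(2^4) with the constructed modulus $x^4 + x + 1$, and the sample function $F(x) = x^3$ is an assumption chosen for illustration.

```python
# Added example, not from the deck: DDT, differential uniformity and linear
# structures of a function over GF(2^4). Field elements are 4-bit integers;
# the modulus x^4 + x + 1 and the sample function F(x) = x^3 are constructed
# choices for illustration (the deck's DDT slide is for an unnamed function).

N = 4
SIZE = 1 << N
MODULUS = 0b10011  # x^4 + x + 1, irreducible over F_2


def gf_mul(a, b):
    """Multiply two elements of GF(2^4) (shift-and-add, reduce mod MODULUS)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MODULUS
    return r


def cube(x):
    """Sample S-box F(x) = x^3 (a Gold power function)."""
    return gf_mul(x, gf_mul(x, x))


def ddt(f):
    """Differences Distribution Table: ddt[a][b] = #{x | f(x) + f(x + a) = b}."""
    table = [[0] * SIZE for _ in range(SIZE)]
    for a in range(SIZE):
        for x in range(SIZE):
            table[a][f(x) ^ f(x ^ a)] += 1
    return table


def differential_uniformity(f):
    """delta(F) = max over a != 0 and all b of ddt[a][b] (slide 13)."""
    table = ddt(f)
    return max(table[a][b] for a in range(1, SIZE) for b in range(SIZE))


def is_apn(f):
    """APN means delta(F) = 2, the minimum possible: x and x + a always land in the same entry."""
    return differential_uniformity(f) == 2


def linear_structures(f):
    """(a, c) with a != 0 such that Delta_a f(x) = c for every x (slide 15)."""
    table = ddt(f)
    return [(a, c) for a in range(1, SIZE) for c in range(SIZE) if table[a][c] == SIZE]


def format_ddt(table):
    """Render the table the way the slide does, with '.' for zero entries."""
    header = "a\\b " + " ".join(f"{b:2d}" for b in range(SIZE))
    rows = [f"{a:3d} " + " ".join(f"{v:2d}" if v else " ." for v in row)
            for a, row in enumerate(table)]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(format_ddt(ddt(cube)))
    print("delta(x^3) =", differential_uniformity(cube), "APN:", is_apn(cube))
    print("linear structures of x^3:", linear_structures(cube))
    print("delta(x) =", differential_uniformity(lambda x: x),
          "linear structures of x:", linear_structures(lambda x: x))
```

Running it prints a DDT whose nonzero entries outside row 0 are all 2, so $\delta(x^3) = 2$ and the function is APN with no linear structure; the identity map, by contrast, has $\delta = 16$ because $\Delta_\alpha x = \alpha$ is constant, which is exactly a linear structure in the sense of slide 15.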

  17. Framework / Problem
     Problem: build new functions with desirable differential properties.
     Classical Solutions
     ◮ Tweak known APN functions (e.g. switching method);
     ◮ Use correspondence with related objects in Coding Theory, Combinatorics, Sequences Theory, ...
     ◮ ...
     New Idea
     ◮ Build derivatives with prescribed images;
     ◮ Gather them as if they were derivatives of the same function;
     ◮ Retrieve the said function: it should have the desired differential properties.

  18. Outline: Framework, Antiderivative Functions (Matrix point of view; Properties; Reconstruction), Applications, Conclusion.

  19-21. Antiderivative Functions / Matrix point of view: Derivative as a linear application over $\mathbb{F}_{2^n}$
     $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, $F(x) = \sum_{i=0}^{2^n - 1} c_i x^i$.
     $$\Delta_\alpha F(x) = F(x) + F(x + \alpha) = \sum_i c_i x^i + \sum_i c_i (x + \alpha)^i = \dots = \sum_j x^j \sum_{i,\ i \succ j} c_i \alpha^{i - j},$$
     where $i \succ j$ means $\mathrm{supp}(i) \supset \mathrm{supp}(j)$ (binary supports, strict inclusion: the $j = i$ terms of $(x + \alpha)^i$ cancel against $x^i$). The coefficient of $x^j$ is therefore
     $$\big(a^{(j)}_0, a^{(j)}_1, \dots, a^{(j)}_{2^n - 1}\big) \cdot \big(c_0, c_1, \dots, c_{2^n - 1}\big)^\top, \qquad a^{(j)}_i = \begin{cases} \alpha^{i - j} & \text{if } i \succ j, \\ 0 & \text{otherwise,} \end{cases}$$
     so that
     $$\mathrm{coeffs}(\Delta_\alpha F) = \begin{pmatrix} a^{(0)}_0 & \cdots & a^{(0)}_{2^n - 1} \\ \vdots & \ddots & \vdots \\ a^{(2^n - 1)}_0 & \cdots & a^{(2^n - 1)}_{2^n - 1} \end{pmatrix} \cdot \begin{pmatrix} c_0 \\ \vdots \\ c_{2^n - 1} \end{pmatrix} = M(\alpha) \cdot \begin{pmatrix} c_0 \\ \vdots \\ c_{2^n - 1} \end{pmatrix}.$$

  22. Antiderivative Functions / Matrix point of view: Recursive Construction, $n = 4$
     $M(\alpha)$ with rows indexed by $j$ (exponent of $x^j$ in $\Delta_\alpha F$) and columns by $i$ (exponent of $x^i$ in $F$); entry $\alpha^{i-j}$ where $i \succ j$, "." stands for 0:

            i=0    1    2    3    4    5    6    7    8    9   10   11   12   13   14   15
     j=0     .    α   α^2  α^3  α^4  α^5  α^6  α^7  α^8  α^9 α^10 α^11 α^12 α^13 α^14 α^15
       1     .    .    .   α^2   .   α^4   .   α^6   .   α^8   .  α^10   .  α^12   .  α^14
       2     .    .    .    α    .    .   α^4  α^5   .    .   α^8  α^9   .    .  α^12 α^13
       3     .    .    .    .    .    .    .   α^4   .    .    .   α^8   .    .    .  α^12
       4     .    .    .    .    .    α   α^2  α^3   .    .    .    .   α^8  α^9 α^10 α^11
       5     .    .    .    .    .    .    .   α^2   .    .    .    .    .   α^8   .  α^10
       6     .    .    .    .    .    .    .    α    .    .    .    .    .    .   α^8  α^9
       7     .    .    .    .    .    .    .    .    .    .    .    .    .    .    .   α^8
       8     .    .    .    .    .    .    .    .    .    α   α^2  α^3  α^4  α^5  α^6  α^7
       9     .    .    .    .    .    .    .    .    .    .    .   α^2   .   α^4   .   α^6
      10     .    .    .    .    .    .    .    .    .    .    .    α    .    .   α^4  α^5
      11     .    .    .    .    .    .    .    .    .    .    .    .    .    .    .   α^4
      12     .    .    .    .    .    .    .    .    .    .    .    .    .    α   α^2  α^3
      13     .    .    .    .    .    .    .    .    .    .    .    .    .    .    .   α^2
      14     .    .    .    .    .    .    .    .    .    .    .    .    .    .    .    α
      15     .    .    .    .    .    .    .    .    .    .    .    .    .    .    .    .
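As an added example (not from the deck), the following Python builds $M(\alpha)$ for $n = 4$ from the rule $a^{(j)}_i = \alpha^{i-j}$ if $i \succ j$ and checks slides 19-22 independently: it evaluates the polynomial with coefficient vector $M(\alpha) \cdot c$ and $F(x) + F(x+\alpha)$ as functions on the whole field and compares them, reports the algebraic degree drop of slide 15, and verifies the block-triangular shape visible in the matrix above (the two diagonal $8 \times 8$ blocks coincide, the lower-left block is zero, the upper-right block is $\alpha^8$ times the diagonal block with ones on its diagonal). GF(2^4) is realised with the constructed modulus $x^4 + x + 1$; `SAMPLE_COEFFS` is a constructed input polynomial.

```python
# Added example, not from the deck: the derivative Delta_alpha as a linear map
# on the coefficient vector of F (slides 19-22). GF(2^4) is realised with the
# constructed modulus x^4 + x + 1; SAMPLE_COEFFS is a constructed input. The
# check evaluates both sides as functions, so it does not assume the formula
# it verifies.

N = 4
SIZE = 1 << N
MODULUS = 0b10011  # x^4 + x + 1


def gf_mul(a, b):
    """Multiply two elements of GF(2^4) given as 4-bit integers."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    """a^e in GF(2^4) by repeated multiplication (a^0 = 1, also for a = 0)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def strictly_covers(i, j):
    """i ≻ j in the slide's order: supp(j) is a proper subset of supp(i)."""
    return (i & j) == j and i != j


def derivative_matrix(alpha):
    """M(alpha)[j][i] = alpha^(i - j) if i ≻ j (strict support inclusion), else 0."""
    return [[gf_pow(alpha, i - j) if strictly_covers(i, j) else 0 for i in range(SIZE)]
            for j in range(SIZE)]


def apply(matrix, coeffs):
    """Matrix-vector product over GF(2^4); addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for m, c in zip(row, coeffs):
            acc ^= gf_mul(m, c)
        out.append(acc)
    return out


def evaluate(coeffs, x):
    """F(x) = sum_i c_i x^i."""
    acc = 0
    for i, c in enumerate(coeffs):
        if c:
            acc ^= gf_mul(c, gf_pow(x, i))
    return acc


def algebraic_degree(coeffs):
    """deg(F) = max wt(i) over the i with c_i != 0 (slide 12)."""
    return max((bin(i).count("1") for i, c in enumerate(coeffs) if c), default=0)


def derivative_coeffs_match(coeffs, alpha):
    """True iff the polynomial with coefficients M(alpha)*c equals F(x) + F(x + alpha) on all of GF(2^4)."""
    d = apply(derivative_matrix(alpha), coeffs)
    return all(evaluate(d, x) == evaluate(coeffs, x) ^ evaluate(coeffs, x ^ alpha)
               for x in range(SIZE))


def block_structure(alpha):
    """Slide 22: M(alpha) splits into 8x8 blocks [[A, alpha^8 (A + I)], [0, A]]."""
    m = derivative_matrix(alpha)
    h = SIZE // 2
    a_h = gf_pow(alpha, h)
    for j in range(h):
        for i in range(h):
            if m[j + h][i] != 0:               # lower-left block is zero
                return False
            if m[j][i] != m[j + h][i + h]:     # the two diagonal blocks coincide
                return False
            expected = a_h if i == j else gf_mul(a_h, m[j][i])
            if m[j][i + h] != expected:        # upper-right block is alpha^8 (A + I)
                return False
    return True


# Constructed sample: F(x) = 3 + 7x^3 + 5x^5 + 9x^10 + 11x^15, so deg(F) = wt(15) = 4.
SAMPLE_COEFFS = [3, 0, 0, 7, 0, 5, 0, 0, 0, 0, 9, 0, 0, 0, 0, 11]

if __name__ == "__main__":
    for alpha in (1, 2, 7):
        d = apply(derivative_matrix(alpha), SAMPLE_COEFFS)
        print(f"alpha={alpha:2d} match={derivative_coeffs_match(SAMPLE_COEFFS, alpha)} "
              f"deg(F)={algebraic_degree(SAMPLE_COEFFS)} deg(Delta F)={algebraic_degree(d)} "
              f"block structure={block_structure(alpha)}")
```

The check `derivative_coeffs_match` is the independent one: it never uses the $i \succ j$ rule on the right-hand side, only field evaluation, so a wrong entry in $M(\alpha)$ would show up as a mismatch on some $x$. The last row of $M(\alpha)$ is zero for every $\alpha$, which is why the coefficient of $x^{2^n-1}$ (the only exponent of weight $n$) always vanishes in $\Delta_\alpha F$ and the algebraic degree drops, as slide 15 states.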
