Sha Jiang,Kangquan Li,Yubo Li,Longjiang Qu

DOI: https://doi.org/10.1007/s12095-021-00530-x

2021-08-31

Cryptography and Communications

Abstract:The differential (resp. boomerang) spectrum is an important parameter to estimate the resistance of cryptographic functions against some variants of differential (resp. boomerang) cryptanalysis. This paper aims to determine the differential and boomerang spectrums of some power permutations. In 1997, Helleseth and Sandberg proved that the differential uniformity of over , where p is an odd prime, is less than or equal to 4. In this paper, we first determine the differential spectrum of over with n odd and then compute its boomerang spectrum based on the differential spectrum. In addition, in 2018, Boura and Canteaut determined the boomerang spectrum of the inverse function over with n even. Following their work, we characterize the boomerang spectrum of the inverse function over for any odd prime p.

Zhao Hu,Nian Li,Linjie Xu,Xiangyong Zeng,Xiaohu Tang

DOI: https://doi.org/10.1007/s10623-022-01161-w

2023-01-08

Abstract:In this paper, we study the boomerang spectrum of the power mapping over , where , p is a prime, m is a positive integer and . We first determine the differential spectrum of F ( x ) and show that F ( x ) is locally-APN. This extends a result of (IEEE Trans. Inf. Theory 57(12):8127-8137, 2011) from to general ( p ,  k ). We then determine the boomerang spectrum of F ( x ) by making use of its differential spectrum, which shows that the boomerang uniformity of F ( x ) is 4 if and m is odd and otherwise it is 2. Our results not only generalize the results in Hasan et al. (Des Codes Cryptogr 89:2627–2636, 2021) and Yan et al. (Adv Math Commun 16(4):1111–1120, 2022) but also extend the example over in Hasan et al. (Des Codes Cryptogr 89:2627–2636, 2021) into an infinite class of power mappings with boomerang uniformity 2.

Huan Zhou,Xiaoni Du,Xingbin Qiao,Wenping Yuan

2024-09-19

Abstract:Feistel Boomerang Connectivity Table (FBCT) is an important cryptanalytic technique on analysing the resistance of the Feistel network-based ciphers to power attacks such as differential and boomerang attacks. Moreover, the coefficients of FBCT are closely related to the second-order zero differential spectra of the function $F(x)$ over the finite fields with even characteristic and the Feistel boomerang uniformity is the second-order zero differential uniformity of $F(x)$. In this paper, by computing the number of solutions of specific equations over finite fields, we determine explicitly the second-order zero differential spectra of power functions $x^{2^m+3}$ and $x^{2^m+5}$ with $m>2$ being a positive integer over finite field with even characteristic, and $x^{p^k+1}$ with integer $k\geq1$ over finite field with odd characteristic $p$. It is worth noting that $x^{2^m+3}$ is a permutation over $\mathbb{F}_{2^n}$ and only when $m$ is odd, $x^{2^m+5}$ is a permutation over $\mathbb{F}_{2^n}$, where integer $n=2m$. As a byproduct, we find $F(x)=x^4$ is a PN and second-order zero differentially $0$-uniform function over $\mathbb{F}_{3^n}$ with odd $n$. The computation of these entries and the cardinalities in each table aimed to facilitate the analysis of differential and boomerang cryptanalysis of S-boxes when studying distinguishers and trails.

Cryptography and Security,Information Theory

Yuying Man,Nian Li,Zejun Xiang,Xiangyong Zeng

2023-10-28

Abstract:Boukerrou et al. (IACR Trans. Symmetric Cryptol. 2020(1), 331-362) introduced the notion of Feistel Boomerang Connectivity Table (FBCT), the Feistel counterpart of the Boomerang Connectivity Table (BCT), and the Feistel boomerang uniformity (which is the same as the second-order zero differential uniformity in even characteristic). FBCT is a crucial table for the analysis of the resistance of block ciphers to power attacks such as differential and boomerang attacks. It is worth noting that the coefficients of FBCT are related to the second-order zero differential spectra of functions. In this paper, by carrying out certain finer manipulations of solving specific equations over the finite field $\mathbb{F}_{p^n}$, we explicitly determine the second-order zero differential spectra of some power functions with low differential uniformity, and show that our considered functions also have low second-order zero differential uniformity. Our study pushes further former investigations on second-order zero differential uniformity and Feistel boomerang differential uniformity for a power function $F$.

Information Theory

Man, Yuying,Lu, Yuxuan

DOI: https://doi.org/10.1007/s40314-024-02979-x

2024-11-02

Computational and Applied Mathematics

Abstract:Boukerrou et al. (IACR Trans Symmetric Cryptol 2020(1):331–362, 2020) introduced the notion of the Feistel Boomerang Connectivity Table (FBCT), the Feistel counterpart of the Boomerang Connectivity Table (BCT), and the Feistel boomerang uniformity (which is the same as the second-order zero differential uniformity in even characteristic). The FBCT is a crucial table for the analysis of the resistance of block ciphers to power attacks such as differential and boomerang attacks. It is worth noting that the coefficients of the FBCT are related to the second-order zero differential spectra of functions. In this paper, by carrying out certain finer manipulations of solving specific equations over finite fields, we explicitly determine the second-order zero differential spectra of some power functions. Our study further pushes previous investigations on second-order zero differential uniformity and Feistel boomerang uniformity for a power function F .

mathematics, applied

Kwang Ho Kim,Sihem Mesnager,Ye Bong Kim

2023-05-22

Abstract:A substitution box (S-box) in a symmetric primitive is a mapping $F$ that takes $k$ binary inputs and whose image is a binary $m$-tuple for some positive integers $k$ and $m$, which is usually the only nonlinear element of the most modern block ciphers. Therefore, employing S-boxes with good cryptographic properties to resist various attacks is significant. For power permutation $F$ over finite field $\GF{2^k}$, the multiset of values $\beta_F(1,b)=\#\{x\in \GF{2^k}\mid F^{-1}(F(x)+b)+F^{-1}(F(x+1)+b)=1\}$ for $b\in \GF{2^k}$ is called the boomerang spectrum of $F$. The maximum value in the boomerang spectrum is called boomerang uniformity. This paper determines the boomerang spectrum of the power permutation $X^{2^{3n}+2^{2n}+2^{n}-1}$ over $\GF{2^{4n}}$. The boomerang uniformity of that power permutation is $3(2^{2n}-2^n)$. However, on a large subset $\{b\in \GF{2^{4n}}\mid \mathbf{Tr}_n^{4n}(b)\neq 0\}$ of $\GF{2^{4n}}$ of cardinality $2^{4n}-2^{3n}$ (where $ \mathbf{Tr}_n^{4n}$ is the (relative) trace function from $\GF{2^{4n}}$ to $\GF{2^{n}}$), we prove that the studied function $F$ achieves the optimal boomerang uniformity $2$. It is known that obtaining such functions is a challenging problem. More importantly, the set of $b$'s giving this value is explicitly determined for any value in the boomerang spectrum.

Information Theory,Number Theory

Sihem Mesnager,Huawei Wu

2024-09-26

Abstract:Let $q$ be an odd prime power with $q\equiv 3\ ({\rm{mod}}\ 4)$. In this paper, we study the differential and boomerang properties of the function $F_{2,u}(x)=x^2\big(1+u\eta(x)\big)$ over $\mathbb{F}_{q}$, where $u\in\mathbb{F}_{q}^*$ and $\eta$ is the quadratic character of $\mathbb{F}_{q}$. We determine the differential uniformity of $F_{2,u}$ for any $u\in\mathbb{F}_{q}^*$ and determine the differential spectra and boomerang uniformity of the locally-APN functions $F_{2,\pm 1}$, thereby disproving a conjecture proposed in \cite{budaghyan2024arithmetization} which states that there exist infinitely many $q$ and $u$ such that $F_{2,u}$ is an APN function.

Number Theory,Cryptography and Security,Information Theory

Kangquan Li,Longjiang Qu,Bing Sun,Chao Li

DOI: https://doi.org/10.48550/arXiv.1901.10999

2019-01-17

Abstract:In EUROCRYPT 2018, Cid et al. \cite{BCT2018} introduced a new concept on the cryptographic property of S-boxes: Boomerang Connectivity Table (BCT for short) for evaluating the subtleties of boomerang-style attacks. Very recently, BCT and the boomerang uniformity, the maximum value in BCT, were further studied by Boura and Canteaut \cite{BC2018}. Aiming at providing new insights, we show some new results about BCT and the boomerang uniformity of permutations in terms of theory and experiment in this paper. Firstly, we present an equivalent technique to compute BCT and the boomerang uniformity, which seems to be much simpler than the original definition from \cite{BCT2018}. Secondly, thanks to Carlet's idea \cite{Carlet2018}, we give a characterization of functions $f$ from $\mathbb{F}_{2}^n$ to itself with boomerang uniformity $\delta_{f}$ by means of the Walsh transform. Thirdly, by our method, we consider boomerang uniformities of some specific permutations, mainly the ones with low differential uniformity. Finally, we obtain another class of $4$-uniform BCT permutation polynomials over $\mathbb{F}_{2^n}$, which is the first binomial.

Cryptography and Security

Guanghui Li,Xiwang Cao

DOI: https://doi.org/10.1007/s40314-024-02956-4

2024-10-11

Computational and Applied Mathematics

Abstract:Permutation polynomials over finite fields have been extensively studied not only for their applications in cryptography, but have also been applied to coding theory and combinatorial design theory. Recently, a new theoretical tool, the Boomerang Connectivity Table (BCT) and the corresponding boomerang uniformity were introduced to evaluate the resistance of a block cipher against boomerang attacks. Inspired by a multiplier differential, Stănică [Investigations on c -boomerang uniformity and perfect nonlinearity, Discret. Appl. Math., 2021] extended the concept of boomerang uniformity to c -boomerang uniformity. In this paper, we investigate two classes of permutation polynomials over with respect to this new concept. We show that these permutations are 1-uniform c -BCT functions.

mathematics, applied

K. Garg,S.U. Hasan,C. Riera,P. Stanica

2024-07-17

Abstract:It is well-known that functions over finite fields play a crucial role in designing substitution boxes (S-boxes) in modern block ciphers. In order to analyze the security of an S-box, recently, three new tables have been introduced: the Extended Boomerang Connectivity Table (EBCT), the Lower Boomerang Connectivity Table (LBCT), and the Upper Boomerang Connectivity Table (UBCT). In fact, these tables offer improved methods over the usual Boomerang Connectivity Table (BCT) for analyzing the security of S-boxes against boomerang-style attacks. Here, we put in context these new EBCT, LBCT, and UBCT concepts by connecting them to the DDT for a differentially $\delta$-uniform function and also determine the EBCT, LBCT, and UBCT entries of three classes of differentially $4$-uniform power permutations, namely, Gold, Kasami and Bracken-Leander. We also determine the Double Boomerang Connectivity Table (DBCT) entries of the Gold function. As byproducts of our approach, we obtain some previously published results quite easily.

Cryptography and Security,Information Theory

Sihem Mesnager,Chunming Tang,Maosheng Xiong

DOI: https://doi.org/10.48550/arXiv.1903.00501

2019-03-02

Abstract:At Eurocrypt'18, Cid, Huang, Peyrin, Sasaki, and Song introduced a new tool called Boomerang Connectivity Table (BCT) for measuring the resistance of a block cipher against the boomerang attack (which is an important cryptanalysis technique introduced by Wagner in 1999 against block ciphers). Next, Boura and Canteaut introduced an important parameter (related to the BCT) for cryptographic Sboxes called boomerang uniformity. In this context, we present a brief state-of-the-art on the notion of boomerang uniformity of vectorial functions (or Sboxes) and provide new results. More specifically, we present a slightly different (and more convenient) formulation of the boomerang uniformity and show that the row sum and the column sum of the boomerang connectivity table can be expressed in terms of the zeros of the second-order derivative of the permutation or its inverse. Most importantly, we specialize our study of boomerang uniformity to quadratic permutations in even dimension and generalize the previous results on quadratic permutation with optimal BCT (optimal means that the maximal value in the Boomerang Connectivity Table equals the lowest known differential uniformity). As a consequence of our general result, we prove that the boomerang uniformity of the binomial differentially $4$-uniform permutations presented by Bracken, Tan, and Tan equals $4$. This result gives rise to a new family of optimal Sboxes.

Cryptography and Security

Haode Yan,Sihem Mesnager,Xiantong Tan

DOI: https://doi.org/10.1016/j.disc.2024.113881

IF: 0.961

2024-01-26

Discrete Mathematics

Abstract:The differential spectrum of a cryptographic function is of significant interest for estimating the resistance of the involved vectorial function to some variances of differential cryptanalysis. It is well-known that it is difficult to determine a power function's differential spectrum completely. In the present article, we concentrate on studying the differential and the c -differential uniformity (for some c∈Fpn∖{0,1} ) and their related differential spectrum (resp. c -differential spectrum) of the power functions F(x)=xd over the finite field Fpn of order pn (where p is an odd prime) for d=pn−32 . We emphasize that by focusing on the power functions xd with even d over Fpn ( p odd), the considered functions are APN, that is, of the lowest differential uniformity and the nontrivial differential spectrum. By investigating some system of equations and specific character sums over Fpn , the differential spectrum of F is completely determined. Moreover, we examine the extension of the so-called c -differential uniformity by investigating the c -differential properties of F . Specifically, an upper bound of the c -differential uniformity of F is given, and its c -differential spectrum is considered in the case where c=−1 . Finally, we highlight that, throughout our study of the differential spectrum of the considered power functions, we provide methods for evaluating sums of specific characters with connections to elliptic curves and determining the number of solutions of specific systems of equations over finite fields.

mathematics

Yuxuan Lu,Sihem Mesnager,Nian Li,Lisha Wang,Xiangyong Zeng

2024-08-21

Abstract:The Feistel Boomerang Connectivity Table ($\rm{FBCT}$), which is the Feistel version of the Boomerang Connectivity Table ($\rm{BCT}$), plays a vital role in analyzing block ciphers' ability to withstand strong attacks, such as boomerang attacks. However, as of now, only four classes of power functions are known to have explicit values for all entries in their $\rm{FBCT}$. In this paper, we focus on studying the FBCT of the power function $F(x)=x^{2^{n-2}-1}$ over $\mathbb{F}_{2^n}$, where $n$ is a positive integer. Through certain refined manipulations to solve specific equations over $\mathbb{F}_{2^n}$ and employing binary Kloosterman sums, we determine explicit values for all entries in the $\rm{FBCT}$ of $F(x)$ and further analyze its Feistel boomerang spectrum. Finally, we demonstrate that this power function exhibits the lowest Feistel boomerang uniformity.

Information Theory

Carlos Cid,Tao Huang,Thomas Peyrin,Yu Sasaki,Ling Song

DOI: https://doi.org/10.1007/978-3-319-78375-8_22

2018-01-01

Abstract:A boomerang attack is a cryptanalysis framework that regards a block cipher E as the composition of two sub-ciphers E1∘E0$$E_1\circ E_0$$ and builds a particular characteristic for E with probability p2q2$$p^2q^2$$ by combining differential characteristics for E0$$E_0$$ and E1$$E_1$$ with probability p and q, respectively. Crucially the validity of this figure is under the assumption that the characteristics for E0$$E_0$$ and E1$$E_1$$ can be chosen independently. Indeed, Murphy has shown that independently chosen characteristics may turn out to be incompatible. On the other hand, several researchers observed that the probability can be improved to p or q around the boundary between E0$$E_0$$ and E1$$E_1$$ by considering a positive dependency of the two characteristics, e.g. the ladder switch and S-box switch by Biryukov and Khovratovich. This phenomenon was later formalised by Dunkelman et al. as a sandwich attack that regards E as E1∘Em∘E0$$E_1\circ E_m \circ E_0$$, where Em$$E_m$$ satisfies some differential propagation among four texts with probability r, and the entire probability is p2q2r$$p^2q^2r$$. In this paper, we revisit the issue of dependency of two characteristics in Em$$E_m$$, and propose a new tool called Boomerang Connectivity Table (BCT), which evaluates r in a systematic and easy-to-understand way when Em$$E_m$$ is composed of a single S-box layer. With the BCT, previous observations on the S-box including the incompatibility, the ladder switch and the S-box switch are represented in a unified manner. Moreover, the BCT can detect a new switching effect, which shows that the probability around the boundary may be even higher than p or q. To illustrate the power of the BCT-based analysis, we improve boomerang attacks against Deoxys-BC, and disclose the mechanism behind an unsolved probability amplification for generating a quartet in SKINNY. Lastly, we discuss the issue of searching for S-boxes having good BCT and extending the analysis to modular addition.

Chenmiao Shi,Jie Peng,Haibin Kan,Lijing Zheng

DOI: https://doi.org/10.1016/j.ffa.2023.102340

IF: 1.655

2024-01-01

Finite Fields and Their Applications

Abstract:Permutations with differential and boomerang uniformity 4 over F22k offer good resistance to block ciphers against differential and boomerang attacks. There are five primarily constructed infinite classes of differentially 4-uniform permutations with the best known nonlinearity over F22k, namely the Gold functions, the Kasami functions, the Inverse functions, the Bracken-Leander functions and the Bracken-Tan-Tan functions. It has been shown by Boura et al. and by Mesnager et al. respectively, that the Gold functions and the Bracken-Tan-Tan functions also have boomerang uniformity 4. It is known that the Bracken-Tan-Tan functions are CCZ-inequivalent to the Inverse functions and the Bracken-Leander functions. In this paper, it is proved that the Bracken-Tan-Tan functions are also CCZ-inequivalent to the Gold functions and the Kasami functions. In particular, the Gold functions and the Bracken-Tan-Tan functions are two different classes of boomerang uniformity 4 permutations up to EA-equivalence.

Kirpa Garg,Sartaj Ul Hasan,Constanza Riera,Pantelimon Stanica

2023-09-08

Abstract:It was shown by Boukerrou et al.~\cite{Bouk} [IACR Trans. Symmetric Cryptol. 1 2020, 331--362] that the $F$-boomerang uniformity (which is the same as the second-order zero differential uniformity in even characteristic) of perfect nonlinear functions is~$0$ on $\F_{p^n}$ ($p$ prime) and the one of almost perfect nonlinear functions on $\F_{2^n}$ is~$0$. It is natural to inquire what happens with APN or other low differential uniform functions in even and odd characteristics. Here, we explicitly determine the second-order zero differential spectra of several maps with low differential uniformity. In particular, we compute the second-order zero differential spectra for some almost perfect nonlinear (APN) functions, pushing further the study started in Boukerrou et al.~\cite{Bouk} and continued in Li et al. \cite{LYT} [Cryptogr. Commun. 14.3 (2022), 653--662], and it turns out that our considered functions also have low second-order zero differential uniformity.

Information Theory,Number Theory

Pantelimon Stanica

DOI: https://doi.org/10.48550/arXiv.2004.11859

2020-04-25

Abstract:We defined in~\cite{EFRST20} a new multiplicative $c$-differential, and the corresponding $c$-differential uniformity and we characterized the known perfect nonlinear functions with respect to this new concept, as well as the inverse in any characteristic. The work was continued in~\cite{RS20}, investigating the $c$-differential uniformity for some further APN functions. Here, we extend the concept to the boomerang uniformity, introduced at Eurocrypt '18 by Cid et al.~\cite{Cid18}, to evaluate S-boxes of block ciphers, and investigate it in the context of perfect nonlinearity and related functions.

Information Theory,Number Theory

Sartaj Ul Hasan,Mohit Pal,Pantelimon Stanica

DOI: https://doi.org/10.1007/s10623-021-00944-x

2021-09-06

Abstract:We consider the boomerang uniformity of an infinite class of (locally-APN) power maps and show that its boomerang uniformity over the finite field $\F_{2^n}$ is $2$ and $4$, when $n \equiv 0 \pmod 4$ and $n \equiv 2 \pmod 4$, respectively. As a consequence, we show that for this class of power maps, the differential uniformity is strictly greater than its boomerang uniformity.

Information Theory

Mohit Pal,Pantelimon Stanica

2024-08-06

Abstract:This paper makes the first bridge between the classical differential/boomerang uniformity and the newly introduced $c$-differential uniformity. We show that the boomerang uniformity of an odd APN function is given by the maximum of the entries (except for the first row/column) of the function's $(-1)$-Difference Distribution Table. In fact, the boomerang uniformity of an odd permutation APN function equals its $(-1)$-differential uniformity. We next apply this result to easily compute the boomerang uniformity of several odd APN functions. In the second part we give two classes of differentially low-uniform functions obtained by modifying the inverse function. The first class of permutations (CCZ-inequivalent to the inverse) over a finite field $\mathbb{F}_{p^n}$ ($p$, an odd prime) is obtained from the composition of the inverse function with an order-$3$ cycle permutation, with differential uniformity $3$ if $p=3$ and $n$ is odd; $5$ if $p=13$ and $n$ is even; and $4$ otherwise. The second class is a family of binomials and we show that their differential uniformity equals~$4$. We next complete the open case of $p=3$ in the investigation started by G\" olo\u glu and McGuire (2014), for $p\geq 5$, and continued by Kölsch (2021), for $p=2$, $n\geq 5$, on the characterization of $L_1(X^{p^n-2})+L_2(X)$ (with linearized $L_1,L_2$) being a permutation polynomial. Finally, we extend to odd characteristic a result of Charpin and Kyureghyan (2010) providing an upper bound for the differential uniformity of the function and its switched version via a trace function.

Information Theory,Discrete Mathematics,Number Theory

Zhen Li,Haode Yan

DOI: https://doi.org/10.48550/arXiv.2203.00485

2022-03-01

Abstract:Let $q$ be an odd prime power. Let $F_1(x)=x^{d_1}$ and $F_2(x)=x^{d_2}$ be power mappings over $\mathrm{GF}(q^2)$, where $d_1=q-1$ and $d_2=d_1+\frac{q^2-1}{2}=\frac{(q-1)(q+3)}{2}$. In this paper, we study the the boomerang uniformity of $F_1$ and $F_2$ via their differential properties. It is shown that, the boomerang uniformity of $F_i$ ($i=1,2$) is 2 with some conditions on $q$.

Information Theory