J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....while x runs through V n . Although there are many question marks regarding the applicability of differentially 2 uniform quadratic n Theta n S boxes in computer security practices, primarily due to their low algebraic degree, these S boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

....al. 1982; Yarlagadda Hershey, 1989) Kumar, Scholtz and Welch (1985) defined and studied bent functions from Z n q to Z q , where q is a positive integer. Applications of bent functions to digital communications, coding theory and cryptography can be found in such as (Adams Tavares, 1990b; Detombe Tavares, 1993; Lempel Cohn, 1982; Losev, 1987; MacWilliams Sloane, 1978; Meier Staffelbach, 1990; Nyberg, 1991; Olsen et al. 1982; Seberry et al. 1993) The following result can be found in an excellent survey of bent functions by Dillon (1972) Lemma 3 Let f be a function on V n , and let be the ....

Detombe, J., & Tavares, S. 1993. Constructing Large Cryptographically Strong S-boxes. Pages 165--181 of: Advances in Cryptology - AUSCRYPT'92, vol. 718, Lecture Notes in Computer Science. Springer-Verlag, Berlin, Heidelberg, New York.

....while x runs through Vn . Although there are many question marks regarding the applicability of differentially 2 uniform quadratic n Theta n S boxes in computer security practices, primarily due to their low algebraic degree, these S boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

....constructions and counting, can be found in [1, 5, 7, 12, 21] Kumar, Scholtz and Welch [6] defined and studied bent functions from Z n q to Z q , where q is a positive integer. Applications of bent functions to digital communications, coding theory and cryptography can be found in such as [2, 3, 7, 8, 9, 10, 11, 12]. Now we introduce the definition of propagation criterion. Definition 2 Let f be a function on V n . We say that f satisfies 1. the propagation criterion with respect to ff if f(x) Phi f(x Phi ff) is a balanced function, where x = x 1 ; x 2 ; x n ) and ff is a non zero vector in V n . ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.

....it is possible to construct mappings : Z m 1 2 Z m 2 2 for which each entry of XOR is 2 m 1 Gammam 2 when the input difference is nonzero. For the construction to be possible it must be the case that m 1 2m 2 which implies that the mapping cannot be bijective. Detombe and Tavares [9] have shown that for bijective mappings : Z m 2 Z m 2 the most balanced XOR tables are those for which each row has 2 m Gamma1 entries that are 2, with the remaining XOR entries being zero. In both cases the mappings are constructed from boolean functions that are either bent or almost ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. abstracts of papers, AUSTCRYPT 92.

....properties, constructions and equivalence bounds for bent functions can be found in [2] 5] 7] 12] 16] Kumar, Scholtz and Welch [6] defined and studied the bent functions from Z n q to Z q . Bent functions are useful for digital communications, coding theory and cryptography [3] 1] [4], 7] 8] 10] 9] 11] 12] We say ff = a 1 ; Delta Delta Delta ; a n ) fi = b 1 ; Delta Delta Delta ; b n ) if there exists k, 1 = k = 2 n , such that a 1 = b 1 , a k Gamma1 = b k Gamma1 and a k = 0, b k = 1. Hence we can order all vectors in V n by the ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.

....of cryptographic significance, although the concept itself seems interesting from a combinatorial point of view. In contrast, the other generalization of the SAC, namely the propagation criterion, has well established its position in cryptographic design. This can be seen from work represented by [1, 16, 15, 5, 20, 21]. A function satisfying the propagation criterion of degree k shows the perfect avalanche characteristic with respect to vectors of Hamming weight not larger than k. This property, however, does not rule out the possibility that the function can have vectors of Hamming weight larger than k as its ....

....k. This property, however, does not rule out the possibility that the function can have vectors of Hamming weight larger than k as its linear structures. For instance, all currently known methods for constructing functions satisfying higher degree propagation criteria, including those presented in [15, 5, 20, 21], yield functions having undesirable linear structures. Therefore the propagation criterion, though being an extension of the SAC, is merely another indicator for local properties. On the other hand, the criterion is too strict in the sense that it requires that f(x) Phi f(x Phi ff) be 100 ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. SpringerVerlag, Berlin, Heidelberg, New York, 1993.

....would be very inconvenient to use the function in practical applications. Although this inconvenience can be removed by using look up tables, the amount of memory required in storing the tables becomes intolerable when n is large. Interesting results on constructing S boxes have been presented in [10]. These include a few 5 Theta5 S boxes which are (1 Gamma2 Gamma4 ) robust against differential cryptanalysis. Although these S boxes satisfy the SAC, they all bear the other three shortcomings. In addition, since the method relies on exhaustive search, it is beyond the currently available ....

....satisfy the SAC, they all bear the other three shortcomings. In addition, since the method relies on exhaustive search, it is beyond the currently available computing power to find a larger, say 7 Theta 7, S box with similar properties. It should be noted that the construction methods used in [18, 15, 17, 10, 16, 2] are essentially the same from a technical point of view: they are all based on permutation polynomials on GF(2 n ) Although such permutations are easy to analyze, they have a very restricted form and consist of only a small portion among all the permutations on GF (2 n ) In the following ....

[Article contains additional citation context not shown here]

Detombe, J., and Tavares, S. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92 (1993), Springer-Verlag, Berlin, Heidelberg, New York. to appear.

....although the concept itself seems interesting from a combinatorial point of view. In contrast, the other generalization of the SAC, namely the propagation criterion, has well established its position in cryptographic design. This can be seen from work represented by [AT90, PLL 91, PGV91, DT93, SZZ94b, SZZ95] A function satisfying the propagation criterion of degree k shows the perfect avalanche characteristic with respect to vectors of Hamming weight not larger than k. This property, however, does not rule out the possibility that the function can have vectors of Hamming weight ....

....property, however, does not rule out the possibility that the function can have vectors of Hamming weight larger than k as its linear structures. For instance, all currently known methods for constructing functions satisfying higher degree propagation criteria, including those presented in [PGV91, DT93, SZZ94b, SZZ95] yield functions having undesirable linear structures. Therefore the propagation criterion, though being an extension of the SAC, is merely another indicator for local properties. On the other hand, the criterion is too strict in the sense that it requires that f(x) Phi f(x Phi ....

J. Detombe and S. Tavares. Constructing large cryptographically strong Sboxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

....is even. It was Rothaus who first introduced and studied bent functions in 1960s, although his pioneering work was not published in the open literature until some ten years later [10] Applications of bent functions to digital communications, coding theory and cryptography can be found in such as [2, 4, 7]. The following result can be found in an excellent survey of bent functions by Dillon [5] Lemma 3. Let f be a function on Vn , and let be the sequence of f . Then the following four statements are equivalent: i) f is bent. ii) h ; i = Sigma2 1 2 n for any affine sequence of length 2 ....

Detombe, J., and Tavares, S. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92 (1993), Springer-Verlag, Berlin, Heidelberg, New York. to appear.

....can be found in [AT90a, KS83, LC82, OSW82, YH89] Kumar, Scholtz and Welch [KSW85] defined and studied bent functions from Z n q to Z q , where q is a positive integer. Applications of bent functions to digital communications, coding theory and cryptography can be found in such as [AT90b, DT93, LC82, Los87, MS78, MS90, Nyb91, OSW82] The following result can be found in an excellent survey of bent functions by Dillon [Dil72] Lemma 3 Let f be a function on V n , and let be the sequence of f . Then the following four statements are equivalent: i) f is bent. ii) h ; i = Sigma2 1 ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

....a detailed study of the complex inter relationships between the various cryptographic criteria. In many cryptographic designs we not only require the individual component functions of the S box to have good cryptographic properties but also consider correlations among these individual functions [2, 12, 14, 39, 56]. This is best shown by linear cryptanalysis which exploits low nonlinearity of linear combinations of the component functions of an S box. Consequently, each nonzero linear combination of the components should satisfy a number of strict conditions. Seberry and her colleagues X M Zhang and Y Zheng ....

....which are closely related to Bhaskar Rao designs [45] and generalized Hadamard matrices [44] to obtain extremely secure cryptographic boolean functions. To counter the differential attack, it has been realized that S boxes should have good difference distribution tables. Based on early work in [2, 12, 14, 39, 56], Seberry and X M Zhang identified the three principles for strong difference distribution tables of S boxes which is captured by a measurement called robustness. So far no efficient method has been found to generate S boxes having good difference distributions and also satisfying other ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718 of Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin-Heidelberg-New York, 1993.

.... criterion the (SAC) The strict avalanche criterion was originally defined in [16] 17] and was generalized in two different directions [2] 5] 8] 9] 10] 14] The 0 1 balance, the nonlinearity and the avalanche criterion are important criteria for cryptographic functions [1] 5] [7], 10] Definition 5 A (1, 1) matrix of order n will be called a Hadamard matrix if HH T = nI n . If n is the order of an Hadamard matrix then n is 1, 2 or divisible by 4 [15] A special kind of Hadamard matrix defined below will be relevant: Definition 6 A Sylvester Hadamard matrix (or ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.

....defined in [20] 21] later it has been generalized in many ways [2] 3] 6] 10] 13] 18] The SAC is relevant to the completeness and the avalanche effect. The 0 1 balancedness, the nonlinearity and the avalanche criterion are important criteria for cryptographic functions [1] 3] [4], 13] Definition 5 A (1, 1) matrix H of order h will be called an Hadamard matrix if HH T = hI h . If h is the order of an Hadamard matrix then h is 1, 2 or divisible by 4 [19] A special kind of Hadamard matrix, defined as follows will be relevant: Definition 6 The Sylvester Hadamard ....

....Further properties, constructions and equivalence bounds for bent functions can be found in [1] 7] 9] 15] 22] Kumar, Scholtz and Welch [8] defined and studied the bent functions from Z n q to Z q . Bent functions are useful for digital communications, coding theory and cryptography [2] [4], 9] 11] 12] 13] 14] 15] Bent functions on Vn (n is even) not only attain the upper bound of nonlinearity, 2 n Gamma1 Gamma 2 1 2 n Gamma1 , but also satisfy SAC. However 0 1 balancedness is often required in cryptosystems and bent functions are not 0 1 balanced since the Hamming ....

John Detombe and Stafford Tavares. Constructing large cryptographically strong S-boxes. Presented in AUSCRYPT'92, 1992.

....properties, which include the high nonlinearity, the SAC, the balanced5 ness and the robustness against differential cryptanalysis. As is shown below, the transformation technique can also be applied to other approaches to the construction of S boxes. Application 3 With the S boxes studied in [6, 5, 3] each component function f j has the following property: f j (x) Phi f j (x Phi ff) is balanced for all but one nonzero vector ff 2 V n , where x = x 1 ; x n ) and n = 3 is odd. Thus we have #B = n. By Theorem 2 we can use a nondegenerate matrix to transform all the component ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.

....for any nonzero vector ff 2 V n , F (x) Phi F (x Phi ff) runs through 2 n Gamma1 vectors in V n , each twice, but not through the other 2 n Gamma1 vectors, while x runs through V n . Differentially 2 uniform quadratic n Theta n S boxes have been extensively studied in the past years [14, 13, 6, 2, 12] and hence deserve special attention. Such S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity. By refining our proof techniques described in Section 2, we will show in this section that all ....

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. SpringerVerlag, Berlin, Heidelberg, New York, 1993.

No context found.

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993.

No context found.

Detombe, J., and Tavares, S. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92 (1993), vol. 718, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 165--181.

No context found.

J. Detombe and S. Tavares. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92, volume 718, Lecture Notes in Computer Science, pages 165--181. Springer-Verlag, Berlin, Heidelberg, New York, 1993. 12

No context found.

Detombe, J., and Tavares, S. Constructing large cryptographically strong S-boxes. In Advances in Cryptology - AUSCRYPT'92 (1993), Springer-Verlag, Berlin, Heidelberg, New York. to appear.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC