Nyberg K., Differentially uniform mappings for cryptography, Advances in Cryptology -- EUROCRYPT'93, Springer-Verlag, 1993.
....in the design of Rijndael have been its resistance against differential [1] and linear cryptanalysis [11]. This motivated the designers to choose an S-box which is optimized against these two attacks. In particular the designers decided to base their S-box construction on the inversion mapping [14] f(x) x ; x 2 GF (2 Because this inverse mapping has a very simple algebraic expression that may enable some attacks such as the interpolation attacks [8, 9], this mapping was modified in such a way that doesn't modify its resistance towards both linear and differential cryptanalysis ....
K. Nyberg, Differentially Uniform Mappings for Cryptography, Proceedings of Eurocrypt '93, LNCS 765, Springer-Verlag, pp. 55-64, 1994.
.... table (not taking into account the leftmost entry in the top row). In measuring the strength of an S-box (in terms of the security of a block cipher that employs the S-box) against differential attacks, a useful indicator commonly used is differential uniformity which is defined as follows [17]. Definition 3 Let F be an $n \times m$ S-box, where n m. Let $\delta$ be the largest value in the differential distribution table of the S-box (not taking into account the leftmost entry in the top row) namely, Then F is said to be differentially $\delta$-uniform, and accordingly, $\delta$ is called the ....
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
....coordinate functions of highly nonlinear bijective s boxes. Given the distinct bijective functions Fi, 1 i M, over GF(2 ) an injective s box G with n inputs and nM outputs can be obtained by setting G = FlllF2ll . IIFM) 8) In this method we use the inversion mapping proposed by Nyberg [ 10] (X q ai) 1 X ai, 9) Fi(x) 0, x=ai, where x GF(2) Using Lemma 2, it is easy to see that the nonlinearity of the function Fi is lower bounded by 2 1 2 n 2. Experimental results show that injective 8 x 16 s boxes constructed by this method always have nonlinearity of 96. For 8 x 24 and ....
.... 32 Random 87 80 73 Mister and Adams [9] 74 Method I 96 86 76 Method II 96 96 80 Table 3 Best S-box Nonlinearity Obtained by Different Construction Methods The construction methods proposed in this paper can be extended to other highly nonlinear mappings such as those proposed in [5] [10]. In order to frustrate possible algebraic attacks, the four 8 x 32 s boxes should be generated using different Figure 1 CAST Round Function Figure 1 shows the CAST round function. In this paper we assume that operations a, b, c and d are XOR addition of 32 bit quantities. The resistance of ....
K. Nyberg. Differentially uniform mappings for cryptography. Advances in Cryptology: Proc. of EUROCRYPT '93, Springer-Verlag, Berlin, pp.55-64, 1994.
....predict an n bit value of the ciphertext after a certain number of rounds. But as we will show now it is not always necessary to predict the full n bit value. Even a 1 bit value suffices in some cases. A differential that predicts only parts of an n bit value is called a partial differential. In [7] it is shown that the functions f(x) x f(x) 0 for x = 0, are differentially 2 uniform for odd n and differentially 4 uniform for even n, i.e. the highest probability of a non trivial one round differential is 2=2 and 4=2 respectively. In both cases the nonlinear order of the outputs ....
....the functions f(x) x f(x) 0 for x = 0, are differentially 2 uniform for odd n and differentially 4 uniform for even n, i.e. the highest probability of a non trivial one round differential is 2=2 and 4=2 respectively. In both cases the nonlinear order of the outputs is $n - 1$ [7]. As an example consider a 5 round cipher using as round function f(x; k) x Phi k) for n odd. From the results of [8] this cipher is highly resistant against differential attacks using full differentials, since any 3 round differential has a probability of at most 2 according to Th. 2 ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology - Proc. Eurocrypt'93, LNCS 765, pages 55--64. Springer Verlag, 1993.
....application of linear and differential cryptanalysis to ciphers proposed before the existence of the attacks was known. As well, many techniques in cipher design have been proposed to make the application of the attacks difficult, focusing on the constructions of cipher components such as S-boxes [25][8] and the interconnection between layers of S-boxes [8, 26, 27]. As a result, the attacks and their extensions are now very well understood and proposals such as Rijndael [7] have been especially constructed with security against the attacks in mind. Finally, we note that our presentation of ....
K. Nyberg, "Differentially Uniform Mappings for Cryptography," Advances in Cryptology - EUROCRYPT '93 (Lecture Notes in Computer Science no. 765), Springer-Verlag, pp. 55-64, 1994.
....construction [NK95, N95] using F 2 32 inversion as F function and having 8 round. This cipher is provably secure against differential attack [BS93] and linear attack [M94] and may be secure against higher order differential attack [K95] since algebraic degree of F 2 32 inversion is 31 [N94, Proposition 4] 10 . The prototype cipher achieves about 20Mb s. 7.2 Elliptic Curve We estimate the timings for calculating non supersingular elliptic curve operation and compare with Win s algorithm [WBV 96, Table 2] The result is described in Table 9. Win et al. execute the tests on a ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology --- EUROCRYPT'93, Volume 765 of Lecture Notes in Computer Science, pp. 55-- 64. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
....against linear cryptanalysis [LW90, CV95] The power polynomials corresponding to t 2 Q i or t 2 W can neither be used since a differential exponent smallest value of ffi such that notation for the corresponding ref. f is differentially ffi uniform cyclotomic coset 2 i 1 2 gcd(n;i) Q i [Nyb93] 2 n Gamma 2 i Gamma 1 2 if n is odd I [Nyb93, BD93] 4 if n is even 2 2i Gamma 2 i 1 2 if n is odd and gcd(n; i) 1 K i [Kas71] 2 n Gamma1 2 3 2 if n is odd W [Dob] Table 1: Minimum value of ffi for some power polynomials on F 2 n . attack using higher order differentials ....
....polynomials corresponding to t 2 Q i or t 2 W can neither be used since a differential exponent smallest value of ffi such that notation for the corresponding ref. f is differentially ffi uniform cyclotomic coset 2 i 1 2 gcd(n;i) Q i [Nyb93] 2 n Gamma 2 i Gamma 1 2 if n is odd I [Nyb93, BD93] 4 if n is even 2 2i Gamma 2 i 1 2 if n is odd and gcd(n; i) 1 K i [Kas71] 2 n Gamma1 2 3 2 if n is odd W [Dob] Table 1: Minimum value of ffi for some power polynomials on F 2 n . attack using higher order differentials is feasible when the Hamming weight of t is small [JK97] ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, number 765 in Lecture Notes in Computer Science, pages 55--64. Springer-Verlag, 1993.
....strong S-boxes. Small, regular ($n \times m$) S-boxes (n m) with n 6 can be generated by exhaustive search. Larger, SAC-satisfying S-boxes can be constructed by means of methods presented in [SZZ93a] or by expanding smaller S-boxes according to [KMI90]. Another approach, introduced in [P91, N93], yields cryptographically strong S-boxes which do not satisfy SAC. But the resulting S-boxes can be modified by transforming their inputs by a suitable linear transformation [SZZ93b] into SAC-satisfying S-boxes. Both previous constructions yield large but complex cryptographically strong S-boxes. ....
Nyberg K., Differentially uniform mappings for cryptography, Advances in Cryptology -- EUROCRYPT'93, Springer-Verlag, 1993.
....2. Minimisation of the largest non-trivial correlation between linear combinations of input bits and linear combination of output bits; 3. Minimisation of the largest non-trivial value in the EXOR table; 4. Complexity of its algebraic expression in GF($2^8$); 5. Simplicity of description. In [Ny94] several methods are given to construct S-boxes that satisfy the first three criteria. For invertible S-boxes operating on bytes, the maximum input-output correlation can be made as low as 2 3 and the maximum value in the EXOR table can be as low as 4 (corresponding to a difference propagation ....
.... For invertible S-boxes operating on bytes, the maximum input-output correlation can be made as low as 2 3 and the maximum value in the EXOR table can be as low as 4 (corresponding to a difference propagation probability of 2 6 ). We have decided to take from the candidate constructions in [Ny94] the S-box defined by the mapping x x 1 in GF($2^8$). By definition, the selected mapping has a very simple algebraic expression. This enables algebraic manipulations that can be used to mount attacks such as interpolation attacks [JaKn97]. Therefore, the mapping is modified by composing it ....
K. Nyberg, "Differentially uniform mappings for cryptography," Advances in Cryptology, Proceedings Eurocrypt'93, LNCS 765, T. Helleseth, Ed., Springer-Verlag, 1994, pp. 55-64.
.... table (not taking into account the leftmost entry in the top row). In measuring the strength of an S-box (in terms of the security of a block cipher that employs the S-box) against differential attacks, a useful indicator commonly used is differential uniformity which is defined as follows [17]. Definition 3 Let F be an $n \times m$ S-box, where $n \ge m$. Let $\delta$ be the largest value in the differential distribution table of the S-box (not taking into account the leftmost entry in the top row), namely, $\delta = \max_{\alpha \in V_n,\, \alpha \ne 0} \max_{\beta \in V_m} \#\{x \mid F(x) \oplus F(x \oplus \alpha) = \beta\}$. Then F is ....
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
....a finer grained diffusion, instead of a 4 by 4 MDS matrix over GF($2^8$), the former would have been no slower on a Pentium but at least twice as slow on a low-memory smart card. 6.2 Conservative Design There has been considerable research in designing ciphers to be resistant to known attacks [Nyb91, Nyb93, OCo94a, OCo94b, OCo94c, Knu94a, Knu94b, Nyb94, DGV94b, Nyb95, NK95, Mat96, Nyb96], such as differential [BS93], linear [Mat94] and related-key cryptanalysis [Bih94, KSW96, KSW97]. This research has culminated in strong cipher designs CAST-128 [Ada97a] and MISTY [Mat97] are probably the most noteworthy as well as some excellent cryptanalytic theory. However, it is ....
K. Nyberg, "Differentially Uniform Mappings for Cryptography," Advances in Cryptology --- EUROCRYPT '93 Proceedings, Springer-Verlag, 1994, pp. 55--64.
....and accordingly, $\delta$ is called the differential uniformity of f. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [13, 1, 14, 16, 15, 2]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 5. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....while x runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2-uniform quadratic $n \times n$ S-boxes in computer security practices, primarily due to their low algebraic degree, these S-boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S-boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.
....and accordingly, $\delta$ is called the differential uniformity of F. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....of 2 n Gammas 1 . In Theorem 3 of [17] it has been proved that for quadratic S-boxes, 2 n Gammas 1 is the lower bound on differential uniformity. Note that a differentially 2-uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [13, 2, 9, 10, 11, 12]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S-boxes with a UHODDT can be viewed as a generalization of differentially 2-uniform permutations. Hence $n \times s$ S-boxes with a UHODDT are very appealing and have received ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
....ffi F (a; b) for the differential cryptanalysis. F = sup b6=0;a j F (a; b)j for the linear cryptanalysis. The lower these values are, the more resistant the function F will be against the corresponding cryptanalysis method. Note 1 If Delta F = ffi, then F is said differentially ffi uniform [Nyb94]. Definition 1 For a given set F of functions, we will say a function F 2 F is differential resistant in F if Delta F is minimal. As the same, we will say F is linear resistant in F if F is minimal. I 3 ffi Bent functions We just recall here the definitions of Bent functions. Definition 2 ....
....if the fraction III.4 is not an integer. Hence, using lemmas 4 and 5 we get p = q. The bound III.3 then gives III.5, and so p must be odd. Example 2 Let F (x) x 2 k 1 be a power polynomial in GF (2 n ) If n is odd, 1 k n and gcd(n; k) 1, then F is an Almost Bent permutation [Nyb94, proposition 3]. Example 3 (C. Carlet) Let F (x) x Gamma1 be the inversion mapping in GF (2 n ) completed in 0 by F (0) 0. If n is odd, then F is an Almost Perfect Nonlinear Permutation [Nyb94, proposition 6] Yet, it is not an Almost Bent function (consequence of [LW90, theorem 3.4] IV ....
K. Nyberg. Differentially uniform mappings for cryptography. In Lecture Notes in Computer Science, Advances in Cryptology -- EUROCRYPT `93, volume 765, pages 55--64. Springer-Verlag, 1994.
....$\delta$-uniform, and accordingly, $\delta$ is called the differential uniformity of f. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [13, 1, 14, 16, 15, 2]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 7. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....while x runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2-uniform quadratic $n \times n$ S-boxes in computer security practices, primarily due to their low algebraic degree, these S-boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S-boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.
....in mind that there is in general no inclusive relationship in the power of cryptanalytic attacks. In particular, a cipher secure against linear and differential cryptanalysis may be insecure against other (seemingly weaker) types of cryptanalysis. One example of such an algorithm can be found in [Nyb93]. In this context the MISTY cipher deserves special attention, as it employs a new transform that is different from a DES like one. It is quite natural for one to expect that a cryptanalytic attack not applicable to DES may be used for breaking the MISTY cipher, which is precisely the major ....
....4.2 [NK95, Nyb94] For an s round concatenation (s 3) of DES like transforms D(f s ; f 2 ; f 1 ) assuming that DP (f i ) p, we have DP (D(f s ; f 2 ; f 1 ) 2p 2 : Similarly, assuming that LP (f i ) p, we have LP (D(f s ; f 2 ; f 1 ) 2p 2 : Remark 4. 3: Nyberg [Nyb93] showed that a DES like transform based on a function f(x; k) x Phi k) Gamma1 on GF(2 n ) achieves high resistance against differential attacks. Note, however, we can easily crack such a cipher by solving a set of low degree polynomial equations derived from known plaintext ciphertext ....
Nyberg, K. "Differentially uniform mappings for cryptography," in Advances in Cryptology -- EUROCRYPT '93, LNCS 765, pp.55-64, Springer-Verlag , Berlin (1994).
....are high nonlinearity, high degree of propagation, few linear structures, high algebraic degree etc. These properties are often called nonlinearity criteria. An important topic is to investigate relationships among the various nonlinearity criteria. Progress in this direction has been made in [2, 8, 14], where connections have been revealed among the strict avalanche characteristic (SAC), differential characteristics, linear structures and nonlinearity, of quadratic functions. In this paper we carry on the investigation initiated in [14] and bring together nonlinearity and propagation ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
....number of minimal diffusion elements. There were some changes in S-box construction. At a first time, we tried to use just one $8 \times 8$ S-box constructed from an inverse polynomial over GF($2^8$), since such an S-box is self-invertible and has very good differential and linear characteristics [18]. However, such S-boxes can only be implemented in hardware using ROM or EEPROM. Then, the speed of a cipher will be limited by the memory access time. The speed limitation may be even worse, considering parallel accesses to the S-boxes in CRYPTON. Therefore, we wanted the S-boxes to be ....
K. Nyberg, Differentially uniform mappings for cryptography, In Advances in Cryptology - Eurocrypt '93, LNCS 765, Springer-Verlag, 1994, pp. 55-64.
....principles. By using mathematical constructions, S-boxes can be constructed which offer proven security against linear and differential cryptanalysis together with good diffusive properties. As an example of this approach one could draw attention to a recent proposal by Nyberg [113] which perfectly embodies this math-made approach. It is perhaps unlikely that any technique will be sufficient on its own to generate cryptographically secure S-boxes. Perhaps the best approach is to use a judicious mix of both math-made and man-made techniques. Preneel [125] writing about ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology --- Eurocrypt '93, volume 765 of Lecture Notes in Computer Science, pages 55--64, Berlin, 1994. Springer-Verlag.
....new properties of the S-boxes of DES and discuss some new criteria for design of block cipher algorithms. Concerning the analysis of shift register sequences, we have three kinds of known transforms: the Fourier transform, the Hadamard transform and the Avalanche transform. Pieprzyk [19], Nyberg [18], and Webster and Tavares [26] discussed the nonlinearity and the Strict Avalanche Criterion (SAC) of a function from $Z_2^n$ to $Z_2^m$. For a function from $Z_2^n$ to $Z_2^m$, the Fourier transform represents its linear span property, the Hadamard transform reflects its nonlinearity, and the ....
.... ) Gamma1) f(x) T r(x) 2 GF(2 n ) 4) Definition 3 The Avalanche spectrum of f(x) is given by D(f; X x2GF (2 n ) Gamma1) f(x) f(x ) 6= 0; 2 GF(2 n ) 5) The nonlinearity and the Strict Avalanche Criterion (SAC) of a function from Z n 2 to Z 2 were discussed in [18, 26, 19]. In the following, we will show the relationship between functions from Z n 2 to Z 2 and from GF(2 n ) to GF (2) Let g(x) g 0 (x) g m Gamma1 (x) be a function from Z n 2 to Z m 2 and x = x 0 x 1 2 Delta Delta Delta x n Gamma1 2 n Gamma1 ; x i 2 Z 2 : 6) In terms ....
K. Nyberg, Differentially uniform mappings for cryptography, Advances in Cryptology, Proceedings of EuroCrypt'93, Lecture Notes in Computer Science, 1993.
....balanced XOR tables are those for which each row has $2^{m-1}$ entries that are 2, with the remaining XOR entries being zero. In both cases the mappings are constructed from boolean functions that are either bent or almost bent. More recently, several other such constructions have been found [2, 19]. We have concentrated on characteristics $\Omega_r$ but more important to the system designer are differentials. A differential is similar to a characteristic except that only an input difference $\Delta X$ and output difference $\Delta Y_r = \Delta Y$ are specified while the intermediate differences ....
K. Nyberg. Differentially uniform mappings for cryptography. abstracts of papers, EUROCRYPT 93.
....will have low absolute biases. Examples of such functions are f(x) x 2 k 1 in GF (2 n ) for odd n [12] The output bits of f are quadratic in the input bits and any linear approximation for f will have an absolute bias at most 2 n s 2 Gamma1 =2 n , where s = gcd(k; n) [10]. For a Feistel cipher with round function F (x; k) f(x Phi k) with n = 33, k = s = 1 (given as an example in [12] this yields a maximum bias for one round of 2 Gamma17 . Clearly, the 2R method is impossible for this cipher, and the 1R method requires many effective text and key bits. ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology --- Eurocrypt '93, Lecture Notes in Computer Science 765, Springer-Verlag (1994), 55--64.
....to prove resistance for all practical implementations of these two attacks, if the probability of the best non-trivial characteristic can be arranged to be sufficiently small. One way of obtaining this is by constructing the round functions based on the differentially uniform mappings from [18]. As the name indicates, for these functions the probabilities of non-trivial one-round characteristics are low. And because of their high nonlinearity they are also well suited for the construction of ciphers resistant against linear attacks as we will illustrate in the next section. Finally it ....
....resistant to differential attacks. A similar result for linear attacks is not known to us. 3.3 Examples In this section we give two examples of iterated block ciphers practically resistant to both linear and differential attacks. The examples are based on the differentially uniform mappings from [18]. Consider an r round Feistel cipher with block size 2m defined as in the introduction of this paper. For simplicity, let F (K; R) f(R Phi K) a function producing an m bit value. Example 1: Let r = 8 and m = 34. Divide the input X to the f function into two halves X 1 and X 2 . Define the ....
K. Nyberg. Differentially uniform mappings for cryptography. Proceedings of EuroCrypt '93, Springer Verlag, LNCS 765, 1994.
.... table (UHODDT), i.e. S-boxes whose differential distribution tables contain an equal number of zero and identical non-zero entries in each of their rows (not taking into account the top row). Previous works directly or indirectly related to this line of research include, but not limited to, [1, 3, 15, 16, 17, 18, 19]. Defying efforts by a number of researchers, no $n \times m$ S-box with a UHODDT has emerged. This has led to a conjecture which states that for all n m, there exists no $n \times m$ S-box with a UHODDT. Some progress in proving the conjecture was made in [29] where it was shown that when n or m ....
.... table (not taking into account the leftmost entry in the top row). In measuring the strength of an S-box (in terms of the security of a block cipher that employs the S-box) against differential attacks, a useful indicator commonly used is differential uniformity whose formal definition follows [17]. Definition 3 Let F be an $n \times m$ S-box, where $n \ge m$. Let $\delta$ be the largest value in the differential distribution table of the S-box (not taking into account the leftmost entry in the top row), namely, $\delta = \max_{\alpha \in V_n,\, \alpha \ne 0} \max_{\beta \in V_s} |\{x \mid F(x) \oplus F(x \oplus \alpha) = \beta\}|$. Then F is ....
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT '93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
....in some cases. A differential that predicts only parts of an n-bit value is called a truncated differential. More formally, let $(a, b)$ be an i-round differential. If $a'$ is a subsequence of $a$ and $b'$ is a subsequence of $b$, then $(a', b')$ is called an i-round truncated differential. In [7] it is shown that the functions $f(x) = x^{-1}$ in GF($2^n$), where $f(x) = 0$ for $x = 0$, are differentially 2-uniform for odd n and differentially 4-uniform for even n, i.e. the highest probability of a non-trivial one-round differential is $2/2^n$ and $4/2^n$ respectively. In both cases the ....
.... ${}^{-1}$ in GF($2^n$), where $f(x) = 0$ for $x = 0$, are differentially 2-uniform for odd n and differentially 4-uniform for even n, i.e. the highest probability of a non-trivial one-round differential is $2/2^n$ and $4/2^n$ respectively. In both cases the nonlinear order of the outputs is $n - 1$ [7]. As an example consider a 5-round cipher using as round function $f(x, k) = (x \oplus k)^{-1}$ in GF($2^n$) for n odd. From the results of [8] this cipher is highly resistant against differential attacks using full differentials, since any 3-round differential has a probability of at most 2 ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology - Proc. Eurocrypt'93, LNCS 765, pages 55--64. Springer Verlag, 1993.
....applies also to other cryptographic primitives such as one way hash functions. Since differential cryptanalysis was introduced, researchers have devoted a large number of efforts to designing substitution boxes (S boxes) in order to strengthen the security of a block cipher against the attack [14, 1, 15, 17, 16, 2]. Although these S boxes are interesting in terms of their security against differential cryptanalysis, they bear a number of shortcomings which render them unattractive in practice. These shortcomings will be fully addressed in Section 3. Here we mention briefly two of them: 1) The S boxes are ....
....(1 Gamma 2 Gamman 1 ) The maximum robustness is attained by a permutation with the following difference distribution table: except for the first row, half of the entries in a row contain the value 2 while the other half contain the value 0. Such S boxes have been extensively investigated in [15, 17, 16, 2]. These S boxes, however, suffer some or all of the drawbacks described below, which render them unattractive in practice. 1. Their component functions are quadratic. This is true for all the permutations in [18, 17] the first type of permutations in [16] and some of the permutations in [2] A ....
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1993), Springer-Verlag, Berlin, Heidelberg, New York. to appear.
....Matsui [M93] to construct a linear approximation of the cipher with high correlation. 2.2 Substitution Boxes Non-linear S-boxes provide resistance against linear and differential cryptanalysis. A large amount of criteria, which are sometimes conflicting, have been published (see, for example, [C94, DT91, KMI91, N91, N94]). The exor table E of a mapping $\gamma$ is defined as follows [BS90]: $E_{ij} = \#\{x \mid \gamma(x) \oplus \gamma(i \oplus x) = j\}$. High entries in the exor table can lead to differential characteristics with a high probability making the cipher susceptible to a differential attack. In [N94] Nyberg proposes several ....
....[C94, DT91, KMI91, N91, N94]). The exor table E of a mapping $\gamma$ is defined as follows [BS90]: $E_{ij} = \#\{x \mid \gamma(x) \oplus \gamma(i \oplus x) = j\}$. High entries in the exor table can lead to differential characteristics with a high probability making the cipher susceptible to a differential attack. In [N94] Nyberg proposes several classes of non-linear substitution boxes. For SHARK, we choose an S-box that is based on the mapping $F(x) = x^{-1}$ over GF($2^m$). This class of S-boxes has the following properties (when m is even): Differentially 4-uniform. This means that the highest ....
K. Nyberg, "Differentially uniform mappings for cryptography," Advances in Cryptology, Proc. Eurocrypt'93, LNCS 765, T. Helleseth, Ed., Springer-Verlag, 1994, pp. 55--64.
....Next consider a version with n = 2. Let xL and xR denote the left and right halves of the plaintext, respectively, and let y i;L and y i;R denote the left and right halves of the ciphertext after i rounds of encryption. In general we get y i;L = p i;1 (x L ; xR ) p i;2 (x L ; xR ) 10) 4 In [8] a similar cipher was investigated. It was explained that this cipher could be solved with a number of known plaintexts linear in the number of rounds. Our results shows that this number is a constant. and similarly for y i;R , where p i;1 ; p i;2 2 GF(2 32 ) x L ; xR ] It remains to show how ....
K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology - Proc. Eurocrypt'93, LNCS 765, pages 55--64. Springer Verlag, 1993.
....2. Theorem 3 implies that highly nonlinear resilient functions can be constructed from linear resilient functions by applying highly nonlinear permutations in the transforming process. A number of highly nonlinear permutations which are based on polynomials on a finite field have been shown in [23, 24]. In particular, it is shown in [23] that the nonlinearity of a permutation G based on the inverse function on GF($2^m$) satisfies $N_G \ge 2^{m-1} - 2^{\frac{1}{2}m}$ and the algebraic degree of G is $m - 1$. Hence the following is proved: Corollary 6: If there exists a linear (n, m, ....
....resilient functions can be constructed from linear resilient functions by applying highly nonlinear permutations in the transforming process. A number of highly nonlinear permutations which are based on polynomials on a finite field have been shown in [23, 24]. In particular, it is shown in [23] that the nonlinearity of a permutation G based on the inverse function on GF($2^m$) satisfies $N_G \ge 2^{m-1} - 2^{\frac{1}{2}m}$ and the algebraic degree of G is $m - 1$. Hence the following is proved: Corollary 6: If there exists a linear $(n, m, t)$ resilient function, then there exists a ....
K. Nyberg, "Differentially uniform mappings for cryptography," in Advances in Cryptology - EUROCRYPT'93. 1994, vol. 765, Lecture Notes in Computer Science, pp. 55--65, Springer-Verlag, Berlin, Heidelberg, New York.
....up to $2^n$. A given entry $(\Delta, \delta)$ contains the number of $x$ values for which Equation (1) holds. Lemma (4.2.1) says that all entries must be even. According to Lemma (4.2.2) every $z = x$ $\alpha$ where $\alpha \ne \Delta$ falls into some other entry $(\Delta, \delta_1)$ 2 For further background, see [Nyb94]. The above considerations are valid for the cubing permutation on the full $n \times n$ S-box. What happens if we cut off some output bits? Clearly the resulting $(n \times m)$ S-box is no longer a permutation ($m < n$). Some observations for shortened $(n \times m)$ S-boxes based on cubing are: • ....
Kaisa Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology - Eurocrypt'93, volume 765 of Lecture Notes in Computer Science, pages 55--64. Springer-Verlag, 1994.
....2. Theorem 3 implies that highly nonlinear resilient functions can be constructed from linear resilient functions by applying highly nonlinear permutations in the transforming process. A number of highly nonlinear permutations which are based on polynomials on a finite field have been shown in [14, 2]. In particular, it is shown in [14] that the nonlinearity of a permutation $G$ based on the inverse function on $GF(2^m)$ satisfies $N_G = 2^{m-1} - 2^{\frac{1}{2}m}$ and the algebraic degree of $G$ is $m - 1$. Hence the following is proved: Corollary 6 If there exists a linear (n, m, ....
....resilient functions can be constructed from linear resilient functions by applying highly nonlinear permutations in the transforming process. A number of highly nonlinear permutations which are based on polynomials on a finite field have been shown in [14, 2]. In particular, it is shown in [14] that the nonlinearity of a permutation $G$ based on the inverse function on $GF(2^m)$ satisfies $N_G = 2^{m-1} - 2^{\frac{1}{2}m}$ and the algebraic degree of $G$ is $m - 1$. Hence the following is proved: Corollary 6 If there exists a linear $(n, m, t)$-resilient function, then there exists ....
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
....$\delta$-uniform, and accordingly, $\delta$ is called the differential uniformity of $f$. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....of $2^{n-s+1}$. In Theorem 3 of [17] it has been proved that for quadratic S-boxes, $2^{n-s+1}$ is the lower bound on differential uniformity. Note that a differentially 2-uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [13, 2, 9, 10, 11, 12]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S-boxes with a UHODDT can be viewed as a generalization of differentially 2-uniform permutations. Hence $n \times s$ S-boxes with a UHODDT are very appealing and have received ....
[Article contains additional citation context not shown here]
Nyberg, K.: Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994) vol. 765, Lecture Notes in Computer Science Springer-Verlag, Berlin, Heidelberg, New York pp. 55--65
....S(x Phi i) jg : We define ffi = max i;j fE ij g Delta 2 Gamma8 . We present three alternative choices for the S box: explicitly constructed nonlinear algebraic transformations, slightly modified versions of the latter and randomly selected invertible mappings. 5. 1 Explicit Construction In [13] a method is given to construct m bit S boxes with fl = 2 1 Gammam=2 and ffi = 2 2 Gammam , the theoretically minimum possible values. From the proposals in [13] we select the mapping x 7 x Gamma1 over GF(2 8 ) with ffi = 2 Gamma6 and = 2 Gamma3 . The problem with this choice ....
....transformations, slightly modified versions of the latter and randomly selected invertible mappings. 5.1 Explicit Construction In [13] a method is given to construct m bit S boxes with fl = 2 1 Gammam=2 and ffi = 2 2 Gammam , the theoretically minimum possible values. From the proposals in [13] we select the mapping x 7 x Gamma1 over GF(2 8 ) with ffi = 2 Gamma6 and = 2 Gamma3 . The problem with this choice is that the mapping has a very simple description in GF(2 8 ) The other components of the round transformation also have a simple description in GF(2 8 ) This ....
K. Nyberg, "Differentially uniform mappings for cryptography," Advances in Cryptology, Proceedings Eurocrypt'93, LNCS 765, T. Helleseth, Ed., Springer-Verlag, 1994, pp. 55--64.
....high nonlinearity, the SAC, the balancedness and the robustness against differential cryptanalysis. As is shown below, the technique can also be applied to other approaches to the construction of S-boxes. Application 3. S-boxes based on permutation polynomials are studied in [Pie91, NK92, Nyb92, Nyb93, BD93]. In general, these permutations do not satisfy the SAC. Employing the transformation technique discussed above, the strict avalanche characteristics of these permutations can be improved. In particular, with the permutations constructed by the cubing method [Pie91, NK92, Nyb93] each ....
....Nyb92, Nyb93, BD93]. In general, these permutations do not satisfy the SAC. Employing the transformation technique discussed above, the strict avalanche characteristics of these permutations can be improved. In particular, with the permutations constructed by the cubing method [Pie91, NK92, Nyb93] each component function $f_j$ satisfies the propagation criterion with respect to all but one nonzero vectors in $V_n$, where n = 3 is odd. Note that $|B| = n$. A component function fails to satisfy the SAC if the Hamming weight of the nonzero vector with respect to which the propagation ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.
....$\delta$-uniform, and accordingly, $\delta$ is called the differential uniformity of $F$. Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [Ada92, Pie91, BD94, Nyb91, Nyb93, Nyb94, NK93]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....$2^{n-s+1}$. In Theorem 3 of [SZZ95b] it has been proved that for quadratic S-boxes, $2^{n-s+1}$ is the lower bound on differential uniformity. Note that a differentially 2-uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [Pie91, BD94, Nyb91, Nyb93, Nyb94, NK93]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S-boxes with a UHODDT can be viewed as a generalization of differentially 2-uniform permutations. Hence $n \times s$ S-boxes with a UHODDT are very appealing and have received ....
[Article contains additional citation context not shown here]
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
....$\delta = \max_{\alpha \in V_n,\, \alpha \ne 0} \max_{\beta \in V_s} |\{x \mid F(x) \oplus F(x \oplus \alpha) = \beta\}|$. Then $F$ is said to be differentially $\delta$-uniform, and accordingly, $\delta$ is called the differential uniformity of $f$. Extensive research has been conducted in constructing differentially $\delta$-uniform S-boxes with a low $\delta$ [10, 1, 11, 13, 12, 2]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, as pointed in [4, 5, 16] cautions must be taken with Definition 5. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, ....
....for any nonzero vector $\alpha \in V_n$, $F(x) \oplus F(x \oplus \alpha)$ runs through $2^{n-1}$ vectors in $V_n$, each twice, but not through the other $2^{n-1}$ vectors, while $x$ runs through $V_n$. Differentially 2-uniform quadratic $n \times n$ S-boxes have been extensively studied in the past years [14, 13, 6, 2, 12] and hence deserve special attention. Such S-boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity. By refining our proof techniques described in Section 2, we will show in this section that all ....
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT '93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
....of this block cipher has probability less than or equal to $2^{-61}$. Therefore we suggest at least six rounds for the block cipher. All round keys should be independent, therefore we need at least 198 key bits. More examples of permutations $f$ for which $p_{\max}$ is low can be found in [9]. The examples include the inverses of $x \mapsto x^{2^k+1}$ and the mappings $x \mapsto x^{-1}$, whose coordinate functions are of higher nonlinear order than quadratic. 6 Acknowledgements We would like to thank D. Coppersmith and an anonymous referee for comments that improved the paper. ....
K. Nyberg. Differentially uniform mappings for cryptography. Proceedings of Eurocrypt '93 (to appear).
No context found.
Nyberg K., Differentially uniform mappings for cryptography, Advances in Cryptology -- EUROCRYPT'93, Springer-Verlag, 1993.
No context found.
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93. Springer-Verlag, Berlin, Heidelberg, New York, 1993. to appear.
No context found.
K. Nyberg, "Differentially uniform mappings for cryptography," in Advances in Cryptology - EUROCRYPT'93. 1994, vol. 765, Lecture Notes in Computer Science, pp. 55--65, Springer-Verlag, Berlin, Heidelberg, New York.
No context found.
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT '93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
No context found.
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
No context found.
K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93, volume 765, Lecture Notes in Computer Science, pages 55--65. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
No context found.
Nyberg, K.: Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994) vol. 765, Lecture Notes in Computer Science Springer-Verlag, Berlin, Heidelberg, New York pp. 55--65
No context found.
Nyberg, K. Differentially uniform mappings for cryptography. In Advances in Cryptology - EUROCRYPT'93 (1994), vol. 765, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, pp. 55--65.
No context found.
K. Nyberg, "Differentially Uniform Mappings for Cryptography," Advances in Cryptology --- EUROCRYPT '90, Lecture Notes in Computer Science 763, pp.55--64, Springer Verlag, 1994.