Pieprzyk J., Bent permutations, Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, USA, 1991.
....strong S boxes. Small, regular ($n \times m$) S boxes (n m) with n 6 can be generated by exhaustive search. Larger, SAC satisfying S boxes can be constructed by means of methods presented in [SZZ93a] or by expanding smaller S boxes according to [KMI90]. Another approach, introduced in [P91, N93], yields cryptographically strong S boxes which do not satisfy SAC. But the resulting S boxes can be modified by transforming their inputs by a suitable linear transformation [SZZ93b] into SAC satisfying S boxes. Both previous constructions yield large but complex cryptographically strong S boxes. ....
Pieprzyk J., Bent permutations, Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, USA, 1991.
....while $x$ runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2 uniform quadratic $n \times n$ S boxes in computer security practices, primarily due to their low algebraic degree, these S boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....and accordingly, $\delta$ is called the differential uniformity of $F$. Obviously the differential uniformity $\delta$ of an $n \times s$ S box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$ uniform S boxes with a low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....of 2 n Gammas 1 . In Theorem 3 of [17] it has been proved that for quadratic S boxes, 2 n Gammas 1 is the lower bound on differential uniformity. Note that a differentially 2 uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [13, 2, 9, 10, 11, 12]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S boxes with a UHODDT can be viewed as a generalization of differentially 2 uniform permutations. Hence $n \times s$ S boxes with a UHODDT are very appealing and have received ....
[Article contains additional citation context not shown here]
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....obtained, while studying the design of S boxes, balanced quadratic functions on $V_5$ that satisfy the propagation criterion with respect to all but one vectors in $V_5$. They called these functions near bent functions. They obtained the functions by the use of the cubing technique suggested by Pieprzyk (1991). Propagation characteristics of quadratic functions were also studied extensively in (Preneel et al. 1991a). However, applicability of these quadratic functions in practice is limited by the following two facts: 1. Their algebraic degree is only 2. 2. They are all equivalent in structure in the ....
Pieprzyk, J. 1991. Bent permutations. In: Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing.
....while $x$ runs through $V_n$. Although there are many question marks regarding the applicability of differentially 2 uniform quadratic $n \times n$ S boxes in computer security practices, primarily due to their low algebraic degree, these S boxes have received extensive research in the past years [17, 16, 6, 2, 15] and hence deserve our special attention. These S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity characteristics. By refining our proof techniques described in Section 2, we will show in this ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....studying the design of S boxes, balanced quadratic functions on V 2k 1 that satisfy the propagation criterion with respect to all but one vectors in V 2k 1 . They called these functions near bent functions. They obtained the functions by the use of the cubing technique suggested by Pieprzyk [13]. Applicability of these quadratic functions in practice is limited by the following two facts: 1. Their algebraic degree is only 2. 2. They are all equivalent in structure in the sense that they can be transformed into one another by linear transformation of input coordinates. 6 Examples This ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
.... table (UHODDT) i.e. S boxes whose differential distribution tables contain an equal number of zero and identical non zero entries in each of their rows (not taking into account the top row). Previous works directly or indirectly related to this line of research include, but not limited to, [1, 3, 15, 16, 17, 18, 19]. Defying efforts by a number of researchers, no $n \times m$ S box with a UHODDT has emerged. This has led to a conjecture which states that for all n m, there exists no $n \times m$ S box with a UHODDT. Some progress in proving the conjecture was made in [29] where it was shown that when n or m ....
....an S box is defined as the largest value in the differential distribution table of the S box (not taking into account the top row). Clearly $\delta$ is constrained by $2^{n-m} \le \delta \le 2^n$. Extensive research has been carried out to construct differentially $\delta$ uniform S boxes with low $\delta$ [1, 3, 15, 16, 17, 18, 19]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 3. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
[Article contains additional citation context not shown here]
Pieprzyk, J. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, 1991).
....contain the value 0. Such S boxes have been extensively investigated in [15, 17, 16, 2]. These S boxes, however, suffer some or all of the drawbacks described below, which render them unattractive in practice. 1. Their component functions are quadratic. This is true for all the permutations in [18, 17], the first type of permutations in [16] and some of the permutations in [2]. A block cipher that employs functions with such a low algebraic degree as S boxes would be vulnerable to more classic cryptanalytic attacks than the state of the art differential cryptanalysis. 2. It has been suggested ....
....functions of an $n \times n$ S box are not quadratic. 3. An S box is said to satisfy the SAC if its component functions all satisfy the SAC. This property is considered to be at least as essential as the robustness against differential cryptanalysis. This issue has been completely neglected in [18, 15, 17, 16, 2], and none of the S boxes constructed in those papers satisfies the SAC. 4. The S boxes, with the following two exceptions, only accept an odd number of input bits. Applications of such S boxes are limited. The first exception is some of the S boxes constructed in [2] which accept an even number ....
[Article contains additional citation context not shown here]
Pieprzyk, J. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, 1991).
....studying the design of S boxes, balanced quadratic functions on V 2k 1 that satisfy the propagation criterion with respect to all but one vectors in V 2k 1 . They called these functions near bent functions. They obtained the functions by the use of the cubing technique suggested by Pieprzyk [Pie91]. Propagation characteristics of quadratic functions were also studied extensively in [PGV91]. However, applicability of these quadratic functions in practice is limited by the following two facts: 1. Their algebraic degree is only 2. 2. They are all equivalent in structure in the sense that they ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....$\delta$ uniform, and accordingly, $\delta$ is called the differential uniformity of $f$. Obviously the differential uniformity $\delta$ of an $n \times s$ S box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$ uniform S boxes with a low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....of 2 n Gammas 1 . In Theorem 3 of [17] it has been proved that for quadratic S boxes, 2 n Gammas 1 is the lower bound on differential uniformity. Note that a differentially 2 uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [13, 2, 9, 10, 11, 12]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S boxes with a UHODDT can be viewed as a generalization of differentially 2 uniform permutations. Hence $n \times s$ S boxes with a UHODDT are very appealing and have received ....
[Article contains additional citation context not shown here]
Pieprzyk, J.: Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, 1991)
....which include the high nonlinearity, the SAC, the balancedness and the robustness against differential cryptanalysis. As is shown below, the technique can also be applied to other approaches to the construction of S boxes. Application 3 S boxes based on permutation polynomials are studied in [Pie91, NK92, Nyb92, Nyb93, BD93]. In general, these permutations do not satisfy the SAC. Employing the transformation technique discussed above, the strict avalanche characteristics of these permutations can be improved. In particular, with the permutations constructed by the cubing method [Pie91, ....
....in [Pie91, NK92, Nyb92, Nyb93, BD93]. In general, these permutations do not satisfy the SAC. Employing the transformation technique discussed above, the strict avalanche characteristics of these permutations can be improved. In particular, with the permutations constructed by the cubing method [Pie91, NK92, Nyb93] each component function $f_j$ satisfies the propagation criterion with respect to all but one nonzero vectors in $V_n$, where $n \ge 3$ is odd. Note that $|B| = n$. A component function fails to satisfy the SAC if the Hamming weight of the nonzero vector with respect to which the ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....properties, which include the high nonlinearity, the SAC, the balancedness and the robustness against differential cryptanalysis. As is shown below, the transformation technique can also be applied to other approaches to the construction of S boxes. Application 3 With the S boxes studied in [6, 5, 3] each component function $f_j$ has the following property: $f_j(x) \oplus f_j(x \oplus \alpha)$ is balanced for all but one nonzero vector $\alpha \in V_n$, where $x = (x_1, \ldots, x_n)$ and $n \ge 3$ is odd. Thus we have $\#B = n$. By Theorem 2 we can use a nondegenerate matrix to transform all the component ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....$\delta$ uniform, and accordingly, $\delta$ is called the differential uniformity of $F$. Obviously the differential uniformity $\delta$ of an $n \times s$ S box is constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been carried out in constructing differentially $\delta$ uniform S boxes with a low $\delta$ [Ada92, Pie91, BD94, Nyb91, Nyb93, Nyb94, NK93]. Some constructions, in particular those based on permutation polynomials on finite fields, are simple and elegant. However, caution must be taken with Definition 2. In particular, it should be noted that low differential uniformity (a small $\delta$) is only a necessary, but not a sufficient ....
....2 n Gammas 1 . In Theorem 3 of [SZZ95b] it has been proved that for quadratic S boxes, 2 n Gammas 1 is the lower bound on differential uniformity. Note that a differentially 2 uniform permutation is also a permutation with a UHODDT, and vice versa. These permutations have many nice properties [Pie91, BD94, Nyb91, Nyb93, Nyb94, NK93]. In particular, they achieve the highest possible robustness against the differential attack. The concept of $n \times s$ S boxes with a UHODDT can be viewed as a generalization of differentially 2 uniform permutations. Hence $n \times s$ S boxes with a UHODDT are very appealing and have received ....
[Article contains additional citation context not shown here]
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....for any nonzero vector $\alpha \in V_n$, $F(x) \oplus F(x \oplus \alpha)$ runs through $2^{n-1}$ vectors in $V_n$, each twice, but not through the other $2^{n-1}$ vectors, while $x$ runs through $V_n$. Differentially 2 uniform quadratic $n \times n$ S boxes have been extensively studied in the past years [14, 13, 6, 2, 12] and hence deserve special attention. Such S boxes appear in various forms and researchers have employed different techniques, some of which are rather sophisticated, to prove their nonlinearity. By refining our proof techniques described in Section 2, we will show in this section that all ....
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
....nonzero elements of the field. It is well known that exponentiation $x^{\alpha} \bmod p(x)$ is a permutation if $\alpha$ does not divide $2^n - 1$. The lowest exponent which generates a nonlinear permutation is 3 provided that 3 does not divide $2^n - 1$. This condition holds whenever $n$ is odd (see [Pie92]). In LOKI97, the S1 and S2 S boxes use cubing in $GF(2^{13})$ and $GF(2^{11})$ respectively. As these S boxes use cubing for odd $n$, all output Boolean functions are balanced. This remains true even after the outputs are truncated to 8 bits. Cubing permutations in $GF(2^n)$ are highly nonlinear ....
....$(2^{11})$ respectively. As these S boxes use cubing for odd $n$, all output Boolean functions are balanced. This remains true even after the outputs are truncated to 8 bits. Cubing permutations in $GF(2^n)$ are highly nonlinear as any output function shares the nonlinearity with the function (see [Pie92]) j(x) x 1 x 2 : xn Gamma2 xn Gamma1 xn whose nonlinearity is equal to N (j) 1 2 Gamma 1 2 (n 1) 2 : Observe that $j(x)$ for $x_n = 0$ and restricted to $(n-1)$ variables is a bent function (attains the maximum nonlinearity in the space of $(n-1)$ Boolean variables). The ....
J. Pieprzyk. Bent Permutations. In G. Mullen and P. Shiue, editors, Proceedings of 1st International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, volume 141 of Lecture Notes in Pure and Applied Mathematics. Springer-Verlag, 1992.
....(y[j] ffl fi[j] g = LAT S Gamma1 (fi; ff) 2 Corollary 4.1 If ff (x) is the best linear approximation of S fi (x) then fi (x) is the best linear approximation of S Gamma1 ff (x) There have been several definitions proposed for the nonlinearity of permutations. In earlier work, see [7], the nonlinearity of a permutation was defined as the minimum value of nonlinearities of the components; so N (1) S(x) min i=1; n N (F i (x) where S(x) F 1 (x) F n (x) But there are permutations whose every component is highly nonlinear, and yet some components of the ....
J.P. Pieprzyk. On bent permutations. In Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, August 1991.
.... of a function f : Sigma n Sigma is defined as the Hamming distance between the function and the set of all affine functions [44] The concept of nonlinearity can be extended to measure nonlinearity of arbitrary functions f : Sigma n Sigma m including permutations (n = m) see [47], 38] 58] Strict Avalanche Criterion or SAC was introduced by Webster and Tavares [65] A function f : Sigma n Sigma m satisfies the SAC if f(x Phi ff) is balanced for all x 2 Sigma n and for all ff whose weight is 1 (wt(ff) 1) In other words, it characterizes the number of ....
.... acceptable parameters. It is important to be able to assess the tradeoff of design criteria for arbitrary $n$. The designers of the LOKI algorithm (see [8]) used exponentiation in $GF(2^8)$ to generate the S boxes whose structure can be changed to make a private copy of the algorithm. Pieprzyk [47] proved that cubing and other related exponent permutations have high nonlinearity and their properties can be characterized for arbitrary $n$. Exponentiation can be a good source of universal S boxes (see also [39]). In general, any polynomial f(x) x a : b 1 x b 0 , or any function ....
J.P. Pieprzyk. On bent permutations. In Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, August 1991.
....j=1 (y[j] ffl fi[j] g = LAT S Gamma1 (fi; ff) 2 Corollary 4.1 If ff (x) is the best linear approximation of S fi (x) then fi (x) is the best linear approximation of S Gamma1 ff (x) There have been several definitions proposed for the nonlinearity of permutations. In earlier work, see [7], the nonlinearity of a permutation was defined as the minimum value of nonlinearities of the components; so N (1) S(x) min i=1; n N (F i (x) where S(x) F 1 (x) F n (x) But as the example below shows there are permutations whose every component is highly nonlinear, and ....
J.P. Pieprzyk. On bent permutations. In Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, August 1991.
No context found.
Pieprzyk J., Bent permutations, Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, USA, 1991.
No context found.
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
No context found.
Pieprzyk, J. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, 1991).
No context found.
J. Pieprzyk. Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas, 1991.
No context found.
Pieprzyk, J.: Bent permutations. In Proceeding of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, 1991)