
Relating Undisturbed Bits to Other Properties of Substitution Boxes

  • Conference paper
Lightweight Cryptography for Security and Privacy (LightSec 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8898)

Abstract

Recently it was observed that for a particular nonzero input difference to an S-Box, some bits in all the corresponding output differences may remain invariant. These specific invariant bits are called undisturbed bits. Undisturbed bits can also be seen as truncated differentials with probability \(1\) for an S-Box. The existence of undisturbed bits was found in the S-Box of PRESENT and its inverse. A 13-round improbable differential attack on PRESENT was provided by Tezcan; without using the undisturbed bits in the S-Box, an attack of this type can only reach 7 rounds. Although the observation and the cryptanalytic application of undisturbed bits have been given, their relation with other properties of an S-Box remains unknown. This paper presents some results on mathematical properties of S-Boxes having undisturbed bits. We show that an S-Box has undisturbed bits if any of its coordinate functions has a nontrivial linear structure. The relation of undisturbed bits with other cryptanalytic tools such as the difference distribution table (DDT) and the linear approximation table (LAT) is also given. We show that the autocorrelation table is a more useful tool than the DDT for obtaining all nonzero input differences that yield undisturbed bits. The autocorrelation table can then be viewed as a counterpart of the DDT for truncated differential cryptanalysis. Given an \(n \times m\) balanced S-Box, we state that the S-Box has undisturbed bits whenever the degree of any of its coordinate functions is quadratic.

Cihangir Tezcan—The work of the second author was supported by The Scientific and Technological Research Council of Turkey (TÜBİTAK) under the grant 112E101 titled “Improbable Differential Cryptanalysis of Block Ciphers”.


References

  1. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
  2. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  3. Carlet, C.: Vectorial Boolean functions for cryptography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–469. Cambridge University Press, Cambridge (2010)
  4. Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press, Cambridge (2010)
  5. Chaum, D., Evertse, J.-H.: Cryptanalysis of DES with a reduced number of rounds. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1986)
  6. Evertse, J.-H.: Linear structures in block ciphers. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 249–266. Springer, Heidelberg (1988)
  7. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel [13], pp. 196–211
  8. Lai, X.: Additive and linear structures of cryptographic functions. In: Preneel [13], pp. 75–85
  9. Lai, X., Maurer, U.: Higher order derivatives and differential cryptanalysis. In: Blahut, R., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. The Springer International Series in Engineering and Computer Science, vol. 276, pp. 227–233. Springer, New York (1994)
  10. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
  11. Meier, W., Staffelbach, O.: Nonlinearity criteria for cryptographic functions. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 549–562. Springer, Heidelberg (1990)
  12. Preneel, B.: Analysis and Design of Cryptographic Hash Functions. Ph.D. thesis, Katholieke Universiteit Leuven (1993). René Govaerts and Joos Vandewalle (promotors)
  13. Preneel, B. (ed.): FSE 1994. LNCS, vol. 1008. Springer, Heidelberg (1995)
  14. Sarkar, P., Maitra, S.: Construction of nonlinear Boolean functions with important cryptographic properties. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 485–506. Springer, Heidelberg (2000)
  15. Sun, S., Hu, L., Wang, P.: Automatic security evaluation for bit-oriented block ciphers in related-key model: application to PRESENT-80, LBlock, and others. IACR Cryptology ePrint Archive 2013, 676 (2013)
  16. Tezcan, C.: Improbable differential attacks on PRESENT using undisturbed bits. J. Comput. Appl. Math. 259(Part B), 503–511 (2014)
  17. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice ultra-lightweight block cipher suitable for multiple platforms. IACR Cryptology ePrint Archive 2014, 84 (2014)
  18. Zhang, X.M., Zheng, Y., Imai, H.: Relating differential distribution tables to other properties of substitution boxes. Des. Codes Cryptogr. 19(1), 45–63 (2000)


Author information

Correspondence to Rusydi H. Makarim.


7 Appendix

7.1 Proof of Lemma 3

Before proving the result in Lemma 3, the following two propositions are required.

Proposition 12

[4]. Let \(f\) be an \(n\)-variable Boolean function. We have the following relation

$$ \mathcal {W}^2_f(\overline{0}) = \sum _{\overline{b} \in \mathbb {F}_2^n} \mathcal {W}_{D_{\overline{b}}f}(\overline{0}) $$

Proof

$$\begin{aligned} \sum _{\overline{b} \in \mathbb {F}_2^n} \mathcal {W}_{D_{\overline{b}}f}(\overline{0})&= \sum _{\overline{b} \in \mathbb {F}_2^n} \left[ \sum _{\overline{x} \in \mathbb {F}_2^n} (-1)^{D_{\overline{b}} f(\overline{x})} (-1)^{\overline{0} \cdot \overline{x}} \right] = \sum _{\overline{b} \in \mathbb {F}_2^n} \left[ \sum _{\overline{x} \in \mathbb {F}_2^n} (-1)^{D_{\overline{b}} f(\overline{x})} \right] \\&= \sum _{\overline{b} \in \mathbb {F}_2^n} r_{f}(\overline{b}) = \sum _{\overline{b} \in \mathbb {F}_2^n} r_{f}(\overline{b}) (-1)^{\overline{0} \cdot \overline{b}} = \mathcal {W}^2_{f}(\overline{0}) \end{aligned}$$

   \(\square \)

Proposition 13

[4]. If \(f\) is an \(n\)-variable Boolean function with \(\deg (f) = 2\), then

$$ \mathcal {W}_f^2(\overline{0}) = 2^n \sum _{\overline{b} \in \mathcal {LS}_f} (-1)^{D_{\overline{b}} f(\overline{0})} $$

Proof

Since the degree of \(f\) is equal to \(2\), it follows from Proposition 6 that for every \(\overline{b} \in \mathbb {F}_2^n\) we have \(\deg (D_{\overline{b}} f) \le 1\). Clearly \(D_{\overline{b}}f\) is affine, hence by Proposition 2 it is either balanced (for a nonzero coefficient vector) or a constant function (for the zero coefficient vector). Consequently, in the case where \(D_{\overline{b}}f\) is balanced, we have \(\mathcal {W}_{D_{\overline{b}}f}(\overline{0}) = 0\) by Proposition 3, so only the linear structures \(\overline{b} \in \mathcal {LS}_f\) (where \(D_{\overline{b}}f\) is constant) contribute to the sum. Using Proposition 12, then

$$\begin{aligned} \mathcal {W}_f^2(\overline{0})&= \sum _{\overline{b} \in \mathbb {F}_2^n} \mathcal {W}_{D_{\overline{b}}f}(\overline{0}) = \sum _{\overline{b} \in \mathcal {LS}_f} \mathcal {W}_{D_{\overline{b}}f}(\overline{0}) = \sum _{\overline{b} \in \mathcal {LS}_f} \left[ \sum _{\overline{x} \in \mathbb {F}_2^n} (-1)^{D_{\overline{b}}f(\overline{x})} \right] \\&= 2^n \sum _{\overline{b} \in \mathcal {LS}_f} (-1)^{D_{\overline{b}}f(\overline{0})} \end{aligned}$$

   \(\square \)

Lemma 3 states that if \(f\) is a balanced \(n\)-variable Boolean function with \(\deg (f) = 2\), then there exists a nonzero \(\overline{\alpha } \in \mathbb {F}_2^n\) such that \(D_{\overline{\alpha }}f(\overline{x}) = f(\overline{x}) \oplus f(\overline{x} \oplus \overline{\alpha }) = 1\) for all \(\overline{x} \in \mathbb {F}_2^n\). The proof is given below.

Proof

Let \(f\) be a balanced \(n\)-variable Boolean function with \(\deg (f) = 2\). Since \(f\) is balanced, \(\mathcal {W}_f(\overline{0}) = 0\) and consequently \(\mathcal {W}^2_f(\overline{0}) = 0\). Proposition 13 then implies that the sum \(\sum _{\overline{b} \in \mathcal {LS}_f} (-1)^{D_{\overline{b}} f(\overline{0})}\) must be equal to zero. We know that the zero vector \(\overline{0} \in \mathbb {F}_2^n\) is a trivial linear structure because \(D_{\overline{0}}f(\overline{x}) = 0\) for all \(\overline{x} \in \mathbb {F}_2^n\). Clearly \(\overline{0} \in \mathcal {LS}_f\), and its term contributes \(+1\) to the sum. For the sum to vanish, some other term must contribute \(-1\); that is, there must exist a vector \(\overline{\alpha } \in \mathbb {F}_2^n,\; \overline{\alpha } \ne \overline{0}\) such that \(D_{\overline{\alpha }}f(\overline{x}) = 1\) for all \(\overline{x} \in \mathbb {F}_2^n\).   \(\square \)

7.2 Linear Structures and Output Differences of an S-Box

Theorem 7

Let \(S\) be an \(n \times m\) S-Box and \(\varOmega _{\overline{\alpha }} = \{ \overline{\beta } = (\beta _{m-1}, \ldots , \beta _0) \in \mathbb {F}_2^m \mid \mathbf {Pr}_S[\overline{\alpha } \rightarrow \overline{\beta }] > 0 \}\) be the set of all possible output differences of \(S\) corresponding to the input difference \(\overline{\alpha } \in \mathbb {F}_2^n\). The vector \(\overline{\alpha }\) is a linear structure of the component function \(\overline{b} \cdot S(\overline{x})\) if and only if \(\overline{b} \cdot \overline{\beta }\) takes the same value for all \(\overline{\beta } \in \varOmega _{\overline{\alpha }}\).

Proof

Let \(h_{m-1}, \ldots , h_0\) be coordinate functions of the S-Box \(S\). For the vector \(\overline{b} = (b_{m-1}, \ldots , b_0) \in \mathbb {F}_2^m\) we can express the component function \(\overline{b} \cdot S(\overline{x})\) as a linear combination of coordinate functions of \(S\), i.e. \(\overline{b} \cdot S(\overline{x}) = b_{m-1}h_{m-1}(\overline{x}) \oplus \ldots \oplus b_0h_0(\overline{x})\). Since \(\overline{\alpha } \in \mathbb {F}_2^n\) is a linear structure of \(\overline{b} \cdot S(\overline{x})\), we have the following

[Figure b: the derivation equations are given as an image in the original and are not reproduced here.]

The converse is obvious from the above equations.   \(\square \)

7.3 DDT of the S-Box of PRESENT

See Table 3.

Table 3. Difference distribution table of the S-Box of PRESENT.
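As an added example (not code from the paper), the following Python computes the DDT of the PRESENT S-Box (the S-Box values are taken from the PRESENT specification [2], not from this page), reads off the undisturbed bits of each input difference as in Table 3, and checks Theorem 7 by comparing the linear structures of each component function \(\overline{b} \cdot S\) with the constancy of \(\overline{b} \cdot \overline{\beta }\) over \(\varOmega _{\overline{\alpha }}\); the autocorrelation value \(r_f(\overline{\alpha })\) mentioned in the abstract is computed as well.

```python
# Added example: undisturbed bits of the PRESENT S-Box via its DDT, plus a
# check of Theorem 7 (linear structures of b.S vs. constancy of b.beta).
# S-Box values are the published PRESENT S-Box [2]; bit i of a nibble is beta_i.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = M = 4  # PRESENT uses a 4 x 4 S-Box

def parity(v):
    """Parity of v, i.e. the dot product b.x over F_2 when v = b & x."""
    return bin(v).count("1") & 1

def ddt(sbox, n=N, m=M):
    """Difference distribution table: T[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    t = [[0] * (1 << m) for _ in range(1 << n)]
    for x in range(1 << n):
        for a in range(1 << n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

def undisturbed_bits(sbox, a, n=N, m=M):
    """{bit_index: value} for output bits that are constant over every output
    difference beta with DDT[a][beta] > 0 (the set Omega_alpha of Theorem 7)."""
    omega = [b for b, c in enumerate(ddt(sbox, n, m)[a]) if c > 0]
    return {i: vals.pop() for i in range(m)
            if len(vals := {(b >> i) & 1 for b in omega}) == 1}

def autocorrelation(sbox, b, a, n=N):
    """r_f(a) = sum_x (-1)^{D_a f(x)} for f = b.S; |r_f(a)| == 2^n exactly
    when a is a linear structure of f (D_a f constant)."""
    return sum((-1) ** (parity(b & sbox[x]) ^ parity(b & sbox[x ^ a]))
               for x in range(1 << n))

def is_linear_structure(sbox, b, a, n=N):
    """a is a linear structure of the component function x -> b.S(x)."""
    return abs(autocorrelation(sbox, b, a, n)) == (1 << n)

def theorem7_holds(sbox, n=N, m=M):
    """For every nonzero (alpha, b): alpha is a linear structure of b.S
    iff b.beta is constant over Omega_alpha (Theorem 7)."""
    t = ddt(sbox, n, m)
    for a in range(1, 1 << n):
        omega = [beta for beta, c in enumerate(t[a]) if c > 0]
        for b in range(1, 1 << m):
            const = len({parity(b & beta) for beta in omega}) == 1
            if const != is_linear_structure(sbox, b, a, n):
                return False
    return True

if __name__ == "__main__":
    for a in range(1, 1 << N):  # e.g. a=1 -> {0: 1}: output difference ???1
        print(f"input diff {a:#x}: undisturbed bits {undisturbed_bits(PRESENT_SBOX, a)}")
    print("Theorem 7 holds:", theorem7_holds(PRESENT_SBOX))
```

Running it lists, for each nonzero input difference, the output bits that every reachable output difference shares, and confirms that exactly those cases correspond to linear structures of a coordinate or component function.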


Copyright information

© 2015 Springer International Publishing Switzerland


Cite this paper

Makarim, R.H., Tezcan, C. (2015). Relating Undisturbed Bits to Other Properties of Substitution Boxes. In: Eisenbarth, T., Öztürk, E. (eds) Lightweight Cryptography for Security and Privacy. LightSec 2014. Lecture Notes in Computer Science(), vol 8898. Springer, Cham. https://doi.org/10.1007/978-3-319-16363-5_7


  • DOI: https://doi.org/10.1007/978-3-319-16363-5_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16362-8

  • Online ISBN: 978-3-319-16363-5

  • eBook Packages: Computer Science (R0)
