# Enhanced criteria on differential uniformity and nonlinearity of cryptographically significant functions

## Abstract

Functions defined on finite fields with high nonlinearity are important primitives in cryptography: they are used as the substitution boxes in many block ciphers. To resist differential and linear attacks on the ciphers, the Sboxes must have low differential uniformity and high nonlinearity. In this paper, we generalize the notions of differential uniformity and nonlinearity, calling the generalizations the *t*-*th differential uniformity* and the *diversity of the nonlinearity*, to measure the nonlinear properties of functions. We show that the Sboxes endorsed by ZUC, SNOW 3G and some lightweight block ciphers perform poorly under these new criteria. The properties and characterizations of these new notions are presented. Another contribution of this paper is to study the nonlinearity of functions of the form *F* = *f*∘*a*, where *f* is from \({ \mathbb {F}_{2}^{k}}\) to \({ \mathbb {F}_{2}^{n}}\) and *a* is a linear surjection from \({ \mathbb {F}_{2}^{n}}\) to \({ \mathbb {F}_{2}^{m}}\). The motivation of this study is that such a substitution-permutation composition structure is widely used in the design of modern ciphers, where it brings confusion and diffusion to the cipher. We determine the nonlinearity of *F* for a linear function *a* with a certain property. Using this result, we compute the diversity of the nonlinearity for *F* and *f*. It is found that the former value is greatly amplified, which weakens the ciphers against linear attacks.
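
As an added illustration (not code from the paper), the two classical measures the abstract builds on, computed for any lookup-table Sbox: the differential uniformity (largest entry of the difference distribution table) and the nonlinearity (from the Walsh spectrum), first for the 4-bit PRESENT Sbox and then for a composition *F* = *f*∘*a*. The linear surjection `a` from \(\mathbb{F}_2^6\) to \(\mathbb{F}_2^4\) used here is an assumption chosen for illustration; the paper's own choice of *a*, and its *t*-th differential uniformity and diversity notions, are not reproduced.

```python
def parity(v):
    """Parity of the bits of v: the F_2 dot product after an AND."""
    return bin(v).count("1") & 1

def differential_uniformity(sbox, n, m):
    """Largest entry of the difference distribution table:
    max over a != 0 and any b of #{x : S(x ^ a) ^ S(x) == b}."""
    best = 0
    for a in range(1, 1 << n):
        counts = [0] * (1 << m)
        for x in range(1 << n):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best

def walsh(sbox, n, u, v):
    """Walsh coefficient W(u, v) = sum_x (-1)^(v.S(x) + u.x)."""
    return sum(1 - 2 * (parity(v & sbox[x]) ^ parity(u & x))
               for x in range(1 << n))

def nonlinearity(sbox, n, m):
    """NL(S) = 2^(n-1) - max |W(u, v)| / 2 over v != 0 and all u:
    Hamming distance of the worst component v.S to the affine functions."""
    wmax = max(abs(walsh(sbox, n, u, v))
               for v in range(1, 1 << m) for u in range(1 << n))
    return (1 << (n - 1)) - wmax // 2

# 4-bit Sbox of PRESENT, taken from its public specification (reference [4]).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def compose_with_linear_surjection(f, n=6, k=4):
    """F = f o a for the assumed (illustrative, not the paper's) linear
    surjection a: F_2^n -> F_2^k, a(x) = (low k bits of x) XOR (x >> k).
    Any nonzero d in ker a satisfies F(x ^ d) == F(x) for all x, giving a
    DDT entry of 2^n, and every Walsh value of f is scaled by 2^(n-k)."""
    return [f[(x & ((1 << k) - 1)) ^ (x >> k)] for x in range(1 << n)]

if __name__ == "__main__":
    print("PRESENT f :", differential_uniformity(PRESENT_SBOX, 4, 4),
          nonlinearity(PRESENT_SBOX, 4, 4))          # -> 4 4
    F = compose_with_linear_surjection(PRESENT_SBOX)
    print("F = f o a :", differential_uniformity(F, 6, 4),
          nonlinearity(F, 6, 4))                     # -> 64 16
```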

## Keywords

Substitution box · Almost perfect nonlinear function · Perfect nonlinear function · Truncated differential attack

## Mathematics Subject Classifications (2010)

06E30, 94A60

## Notes

### Acknowledgments

We thank the anonymous reviewers for the valuable comments, which significantly improve the quality and presentation of this paper. We thank Cihangir Tezcan for sending us his paper [40].

## References

- 1. Anderson, R., Biham, E., Knudsen, L.: Serpent: A proposal for the advanced encryption standard. http://www.cl.cam.ac.uk/rja14/Papers/serpent.pdf (1999)
- 2. Armknecht, F.: Improving fast algebraic attacks. In: 11th International Workshop on Fast Software Encryption, FSE 2004, Lecture Notes in Computer Science, vol. 3017, pp. 65–82 (2004)
- 3. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. **4**(1), 3–72 (1991)
- 4. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007, LNCS 4727, pp. 450–466 (2007)
- 5. Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011, LNCS 6733, pp. 252–269 (2011)
- 6. Bulygin, S., Walter, M., Buchmann, J.: Full analysis of PRINTcipher with respect to invariant subspace attack: Efficient key recovery and countermeasures. Des. Codes Cryptogr. **73**(3), 997–1022 (2014)
- 7. Boura, C., Canteaut, A.: On the influence of the algebraic degree of *F*^{−1} on the algebraic degree of *G*∘*F*. IEEE Trans. Inf. Theory **59**(1), 691–702 (2013)
- 8. De Cannière, C., Sato, H., Watanabe, D.: Hash Function Luffa - Specification Ver. 2.0.1, NIST SHA-3 Submission, Round 2 document (2009)
- 9. Carlet, C.: Boolean functions for cryptography and error correcting codes, chapter of a monograph. In: Crama, Y., Hammer, P. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press, Cambridge. Preliminary version available at http://www.math.univ-paris13.fr/carlet/ (2010)
- 10. Carlet, C.: Vectorial Boolean functions for cryptography, chapter of a monograph. In: Crama, Y., Hammer, P. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–472. Cambridge University Press, Cambridge. Preliminary version available at http://www.math.univ-paris13.fr/carlet/ (2010)
- 11. Charpin, P., Helleseth, T., Zinoviev, V.: Propagation characteristics of *x*↦*x*^{−1} and Kloosterman sums. Finite Fields Appl. **13**, 366–381 (2007)
- 12. Courtois, N.: Fast algebraic attacks on stream ciphers with linear feedback. In: Advances in Cryptology - CRYPTO 2003, Lecture Notes in Computer Science, vol. 2729, pp. 177–194. Springer-Verlag (2003)
- 13. Courtois, N., Meier, W.: Algebraic attack on stream ciphers with linear feedback. In: Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pp. 345–359. Springer-Verlag (2003)
- 14. Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: NESSIE Proposal: NOEKEON (2000)
- 15. Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. IACR ePrint Archive **2011**, 23 (2011)
- 16. Dolmatov, V.: GOST 28147-89: Encryption, decryption, and message authentication code (MAC) algorithms. Internet Engineering Task Force RFC 5830 (2010)
- 17. Engels, D., Fan, X., Gong, G., Hu, H., Smith, E.M.: Hummingbird: Ultra-lightweight cryptography for resource-constrained devices. In: Sion, R. et al. (eds.) FC 2010 Workshops, LNCS 6054, pp. 3–8. Springer (2010)
- 18. Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The Hummingbird-2 lightweight authenticated encryption algorithm. In: RFIDSec 2011, The 7th Workshop on RFID Security and Privacy, 26–28 June 2011, Amherst (2011)
- 19. Klapper, A., Chan, A.H., Goresky, M.: Cross-correlations of linearly and quadratically related geometric sequences and GMW sequences. Discret. Appl. Math. **46**, 1–20 (1993)
- 20. Kucuk, O.: The hash function Hamsi, NIST SHA-3 Submission, Round 2 document 14 (2009)
- 21. Knudsen, L.: Truncated and higher order differentials. In: FSE ’94, pp. 196–211 (1995)
- 22. Knudsen, L.R., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: A block cipher for IC-printing. In: Mangard, S., Standaert, F.-X. (eds.) Proc. CHES 2010, LNCS 6225, pp. 16–32 (2010)
- 23. Lai, X.: Higher order derivatives and differential cryptanalysis. In: Proc. Symp. Commun., Coding Cryptography, pp. 227–233, in honor of J. L. Massey on the occasion of his 60th birthday. Kluwer Academic Publishers (1994)
- 24. Leander, G., Poschmann, A.: On the classification of 4 bit Sboxes. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007, LNCS 4547, pp. 159–176 (2007)
- 25. Leander, G., Abdelraheem, M.A., Alkhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: The invariant subspace attack. In: Proceedings of Crypto 2011, LNCS, vol. 6841, pp. 206–221 (2011)
- 26. Lidl, R., Niederreiter, H.: Finite Fields. Cambridge University Press (1997)
- 27. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Advances in Cryptology - EUROCRYPT (1993)
- 28. Nyberg, K.: Perfect nonlinear Sboxes. In: EUROCRYPT, pp. 378–386 (1991)
- 29. Nyberg, K.: Sboxes and round functions with controlled linearity and differential uniformity. In: FSE 94, LNCS 1008, pp. 111–130 (1995)
- 30. NIST: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification. http://www.dacas.cn/thread.aspx/ID=2304
- 31. NIST: Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification. www.gsma.com/technicalprojects/wp-content/uea2uia2
- 32. NIST: Data Encryption Standard, FIPS PUB 46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C. (1977)
- 33. NIST: The Advanced Encryption Standard, FIPS 197. csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- 34. Passman, D.S.: The Algebraic Structure of Group Rings. Wiley-Interscience, New York (1977)
- 35. Pott, A.: Nonlinear functions in abelian groups and relative difference sets. Discret. Appl. Math. **138**(1-2), 177–193 (2004)
- 36. Saarinen, M.O.: Cryptographic analysis of all 4×4 Sboxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011, LNCS 7118, pp. 118–133 (2011)
- 37. Schmidt, B.: On (*p*^{a}, *p*^{b}, *p*^{a}, *p*^{a−b})-relative difference sets. J. Algebraic Combin. **6**, 279–297 (1997)
- 38. Sorkin, A.: Lucifer: A cryptographic algorithm. Cryptologia **8**(1), 22–32 (1984)
- 39. Standaert, F.-X., Piret, G., Rouvroy, G., Quisquater, J.-J., Legat, J.-D.: ICEBERG: An involutional cipher efficient for block encryption in reconfigurable hardware. In: Roy, B., Meier, W. (eds.) FSE 2004, LNCS 3017, pp. 279–299. Springer (2004)
- 40. Tezcan, C.: Improbable differential attacks on Present using undisturbed bits. J. Comput. Appl. Math. **259**(B), 503–511 (2014)
- 41. Wu, H.: The Hash Function JH, NIST SHA-3 Submission, Round 3 document 16 (2011)