Boomerang uniformity of popular S-box constructions

Abstract

In order to study the resistance of a block cipher against boomerang attacks, a tool called the Boomerang Connectivity Table (BCT) for S-boxes was recently introduced. Very little is known today about the properties of this table especially for bijective S-boxes defined for n variables with \(n\equiv 0 \mod 4\). In this work we study the boomerang uniformity of some popular constructions used for building large S-boxes, e.g. for eight variables, from smaller ones. We show that the BCTs of all the studied constructions have abnormally high values in some positions. This remark permits us in some cases to link the boomerang properties of an S-box with other well-known cryptanalytic techniques on such constructions while in other cases it leads to the discovery of new ones. A surprising outcome concerns notably the Feistel and MISTY networks. While these two structures are very similar, their boomerang uniformity can be very different. Indeed, we show that the boomerang uniformity of a Feistel network is always the worst one possible, while for a MISTY construction this quantity depends on its inner building blocks. In the second part, we investigate the boomerang uniformity under EA-equivalence for Gold and the inverse function (as used respectively in MPC-friendly ciphers and the AES) and we prove that the boomerang uniformity is EA-invariant in these cases. Finally, we present an algorithm for inverting a given BCT and provide experimental results on the size of the BCT-equivalence classes for some 4 and 8-bit S-boxes.

A Proof of Proposition 6

We prove here the bounds provided in Proposition 6 for the two types of unbalanced MISTY network depicted in Fig. 5. We start by the network on the left.

Proof

Suppose that \(m<n\) and define the function

$$\begin{aligned} S_{b} : {\left\{ \begin{array}{ll} \mathbb {F}_2^{m}\times \mathbb {F}_2^{m} \times \mathbb {F}_2^{n-m} &{}\rightarrow \mathbb {F}_2^{m}\times \mathbb {F}_2^{m} \times \mathbb {F}_2^{n-m} \\ (x,y,z) &{}\mapsto S^{-1}(S(x,y,z) + b) \end{array}\right. } \end{aligned}$$

where \(F_1\) and \(F_3\) are permutations over \(\mathbb {F}_2^n\) and \(F_2\) is a permutation over \(\mathbb {F}_2^m\). This function is displayed at the left of Fig. 9. We denote the values of (x, y, z) after i rounds for both cases as \((\ell _i,m_i,r_i)\).

Fig. 9

The functions \(S_b(x) = S^{-1}(S(x) + b)\), for \(x \in \mathbb {F}_2^{m}\times \mathbb {F}_2^{n}\) (on the left), and for \(x \in \mathbb {F}_2^{n}\times \mathbb {F}_2^{m}\) (on the right), where S is a 3-round unbalanced MISTY structure

Begin with \((l_0,m_0,r_0)=(x,y,z)\in \mathbb {F}_2^{m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{n-m}\). Then

$$\begin{aligned}\begin{array}{rcl} (l_1,m_1,r_1)&{}=&{}\left( x,F_1(y||z)_l+x,F_1(y||z)_r\right) ;\\ (l_2,m_2,r_2)&{}=&{}\left( F_2(x)+F_1(y||z)_l+x,F_1(y||z)_l+x,F_1(y||z)_r\right) ;\\ (l_3,m_3,r_3)&{}=&{}\big (F_2(x)+F_1(y||z)_l+x,F_2(x)+F_1(y||z)_l+x+F_3(F_1(y||z)+x||0)_l,\\ &{}&{}F_3(F_1(y||z)+x||0)_r\big ). \end{array} \end{aligned}$$

Consider \(b=(b_1,b_2,b_3)\) with \(b_1=b_2\ne 0\) and \(b_3=0\), with \(b_1\) and \(b_2\) being m-bit values and \(b_3\) being an \((n-m)\)-bit value. By starting with \((l_3+b_1,m_3+b_1,r_3)\), we get

$$\begin{aligned} \begin{array}{rcl} (l_4,m_4,r_4)&{}=&{}\left( F_2(x)+F_1(y||z)_l+x+b_1,F_1(y||z)_l+x,F_1(y||z)_r\right) ;\\ (l_5,m_5,r_5)&{}=&{}\left( F^{-1}_2(F_2(x)+b_1),F_1(y||z)_l+x,F_1(y||z)_r\right) ;\\ (l_6,m_6,r_6)&{}=&{}\big (F^{-1}_2(F_2(x)+b_1),F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x)+b_1)+x)||0\right) _l,\\ &{}&{}F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x)+b_1)+x)||0\right) _r\big ). \end{array} \end{aligned}$$

That is, for \(b=(b_1,b_1,0)\) with \(b_1\ne 0\in \mathbb {F}_2^m\),

$$\begin{aligned} \begin{array}{rcl} S_b(x,y,z)&{}=&{}\big (F^{-1}_2(F_2(x)+b_1),F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x)+b_1)+x)||0\right) _l,\\ &{}&{}F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x)+b_1)+x)||0\right) _r\big ). \end{array} \end{aligned}$$

Then, for \(a=(a_1,0,0),b=(b_1,b_1,0)\in \mathbb {F}_2^{m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{n-m}\),

$$\begin{aligned} \begin{array}{rcl} &{}&{}S^{-1}(S(x,y,z) + (b_1,b_1,0))+S^{-1}(S(x+a_1,y,z) + (b_1,b_1,0))\\ &{}&{}\quad = S_b(x,y,z)+S_b(x+a_1,y,z)\\ &{}&{}\quad =\big (F^{-1}_2(F_2(x)+b_1)+F^{-1}_2(F_2(x+a_1)+b_1),F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x)+b_1)+x)||0)\right) _l\\ &{}&{}\qquad +F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x+a_1)+b_1)+x+a_1)||0\right) _l, F^{-1}_1\big ((F^{-1}_2(F_2(x)+b_1)+x)||0)\\ &{}&{}\qquad +F_1(y||z)\big )_r+F^{-1}_1\left( F_1(y||z)+(F^{-1}_2(F_2(x+a_1)+b_1)+x+a_1)||0\right) _r\big ). \end{array}\nonumber \\ \end{aligned}$$

(15)

By definition, we deduce that \(\beta _S(a,b)=2^n\beta _{F_2}(a_1,b_1)\). Indeed, since for any \(x\in T\) where

$$\begin{aligned} T=\big \{x\in \mathbb {F}_2^n| F^{-1}_2(F_2(x)+b_1)+F^{-1}_2(F_2(x+a_1)+b_1)=a_1\big \} \end{aligned}$$

we have \(F^{-1}_2(F_2(x+a_1)+b_1)=F^{-1}_2(F_2(x)+b_1)+a_1\), Eq. (15) becomes

$$\begin{aligned} S^{-1}(S(x,y,z) + (b_1,b_1,0))+S^{-1}(S(x+a_1,y,z) + (b_1,b_1,0))=(a_1,0,0). \end{aligned}$$

Now, by choosing \(a_1,b_1\) such that \(\beta _{F_2}(a_1,b_1)=\beta _{F_2}\), it follows that \(\beta _S\ge 2^n\beta _{F_2} \). \(\square \)

Lemma 2

If \(F_1\) is an affine permutation then the unbalanced MISTY network on the left of Fig. 5 has the worst possible BCT.

Proof

Since \(F_1\) is affine, we can simplify the function \(S_b(x,y,z)\) as

$$\begin{aligned} \begin{array}{rcl} S_b(x,y,z)&{}=&{}\bigg (F^{-1}_2(F_2(x)+b_1),y+F^{-1}_1(0)_l+F^{-1}_1\left( (F^{-1}_2(F_2(x)+b_1)+x)||0\right) _l,\\ &{}&{}z+F^{-1}_1(0)_r+F^{-1}_1\left( (F^{-1}_2(F_2(x)+b_1)+x)||0\right) _r\bigg ). \end{array} \end{aligned}$$

By chosing \(a=(0,a_2,a_3)\in \mathbb {F}_2^{m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{n-m}\) with \(a_2,a_3 \ne 0\), we get

$$\begin{aligned} \begin{array}{rcl} &{}&{}S^{-1}(S(x,y,z) + (b_1,b_1,0))+S^{-1}(S(x,y+a_2,z+a_3) + (b_1,b_1,0))\\ &{}&{}\quad =S_b(x,y,z)+S_b(x,y+a_2,z+a_3)\\ &{}&{}\quad =(0,a_2,a_3) \end{array} \end{aligned}$$

which holds for any \((x,y,z)\in \mathbb {F}_2^{m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{n-m}\). Therefore, \(\beta _S=2^{n+m}\).\(\square \)

We provide now the proof for the network depicted on the right of Fig. 5. The proof for this case is very similar to the previous one and we only provide it here for the sake of completeness.

Proof

Suppose that \(m<n\) and define the function

$$\begin{aligned} S_{b} : {\left\{ \begin{array}{ll} \mathbb {F}_2^{n-m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{m} &{}\rightarrow \mathbb {F}_2^{n-m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{m} \\ (x,y,z) &{}\mapsto S^{-1}(S(x,y,z) + b) \end{array}\right. } \end{aligned}$$

when \(F_1\) and \(F_3\) are permutations over \(\mathbb {F}_2^m\) and \(F_2\) is a permutation over \(\mathbb {F}_2^n\). This function is displayed on the rightside of Fig. 9. We denote the values of (x, y, z) after i rounds for both cases as \((\ell _i,m_i,r_i)\).

Begin with \((l_0,m_0,r_0)=(x,y,z)\in \mathbb {F}_2^{n-m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{m}\). Then,

$$\begin{aligned}\begin{array}{rcl} (l_1,m_1,r_1)&{}=&{}\left( x,y,y+F_1(z)\right) ;\\ (l_2,m_2,r_2)&{}=&{}\left( F_2(x||y)_l,y+F_1(z)+F_2(x||y)_r,y+F_1(z)\right) ;\\ (l_3,m_3,r_3)&{}=&{}\bigg (F_2(x||y)_l,y+F_1(z)+F_2(x||y)_r,y+F_1(z)+F_2(x||y)_r+F_3\left( y+F_1(z)\right) \bigg ). \end{array} \end{aligned}$$

Consider \(b=(b_1,b_2,b_3)\) with \(b_1= 0\) and \(b_2 = b_3 \ne 0\), with \(b_1\) being an \((n-m)\)-bit value and \(b_2,b_3\) being m-bit values. Then, by beginning with \((l_3,m_3+b_2,r_3+b_2)\) we get

$$\begin{aligned}\begin{array}{rcl} (l_4,m_4,r_4)&{}=&{}\bigg (F_2(x||y)_l,b_2+y+F_1(z)+F_2(x||y)_r,y+F_1(z)\bigg );\\ (l_5,m_5,r_5)&{}=&{}\bigg (F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _l,F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r,y+F_1(z)\bigg );\\ (l_6,m_6,r_6)&{}=&{}\bigg (F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _l,F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r,\\ &{}&{}F^{-1}_1\left( y+F_1(z)+F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r\right) \bigg ). \end{array} \end{aligned}$$

That is, for \(b=(0,b_2,b_2)\) with \(b_2\ne 0\in \mathbb {F}_2^m\),

$$\begin{aligned} \begin{array}{rcl} S_b(x,y,z)&{}=&{}\bigg (F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _l,F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r,\\ &{}&{}F^{-1}_1\left( y+F_1(z)+F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r\right) \bigg ). \end{array} \end{aligned}$$

Then, for \(a=(0,a_2,0)\), \(b=(0,b_2,b_2)\in \mathbb {F}_2^{n-m}\times \mathbb {F}_2^{m}\times \mathbb {F}_2^{m} \) with \(a_2, b_2 \ne 0\) we have

$$\begin{aligned} \begin{array}{rcl} &{}&{}S^{-1}(S(x,y,z) + (0,b_2,b_2))+S^{-1}(S(x,y+a_2,z) + (0,b_2,b_2))\\ &{}&{}\quad = S_b(x,y,z)+S_b(x,y+a_2,z)\\ &{}&{}\quad = \bigg (F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _l+F^{-1}_2\left( F_2(x||y+a_2)+(0||b_2)\right) _l,F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r\\ &{}&{}\qquad +F^{-1}_2\left( F_2(x||y+a_2)+(0||b_2)\right) _r, F^{-1}_1\left( y+F_1(z)+F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) _r\right) \\ &{}&{}\qquad +F^{-1}_1\left( y+F_1(z)+F^{-1}_2\left( F_2(x||y+a_2)+(0||b_2)\right) _r\right) \bigg ). \end{array}\nonumber \\ \end{aligned}$$

(16)

By definition, we deduce that \(\beta _S(a,b)=2^m\beta _{F_2}(0||a_2,0||b_2)\). Indeed, since for any \(x||y\in T\) where

$$\begin{aligned} T=\big \{x||y\in \mathbb {F}_2^n| F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) +F^{-1}_2\left( F_2(x||y+a_2)+(0||b_2)\right) =0||a_2\big \}, \end{aligned}$$

\(F^{-1}_2\left( F_2(x||y+a_2)+(0||b_2)\right) =F^{-1}_2\left( F_2(x||y)+(0||b_2)\right) +0||a_2\), Eq. (16) becomes

$$\begin{aligned} S^{-1}(S(x,y,z) + (b_1,b_1,0))+S^{-1}(S(x,y,z) + (b_1,b_1,0))=(0,a_2,0). \end{aligned}$$

Now, we choose \(a_2,b_2\) such that \(\beta _{F_2}(0||a_2,0||b_2)=\beta _{F_2|_{\mathbb {F}_2^m}}\). It follows that \(\beta _S\ge 2^m\beta _{F_2|_{\mathbb {F}_2^m}} \). \(\square \)

From the above lower bound, we may come up with the idea of constructing an S-box with boomerang uniformity equal to 4 by setting \(m=1\) and by choosing \(F_2\) to be an APN permutation. However, in this case, \(F_{1}\) would have to be an affine permutation as the only 1-bit permutations are \(x \mapsto x\) and \(x \mapsto x\oplus 1\). Lemma 2 can be adapted to this situation and yields the same conclusion: the boomerang uniformity of such a 3-round MISTY network is maximal. Hence, this approach cannot work.