Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis

  • Anne Canteaut
  • Marion Videau
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)

Abstract

To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security, which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions make it possible to find a new upper bound for the degree of the product of their Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible by a high power of 2. This result leads to a higher order differential attack on any 5-round Feistel cipher using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

Keywords

Block ciphers, higher order differential cryptanalysis, Boolean functions, nonlinearity
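The link the abstract draws between Walsh-spectrum divisibility and the degree of products of Boolean components can be checked numerically. The Python below is an added example, not code from the paper: it assumes the power map x^81 over GF(2^7) with reduction polynomial x^7 + x + 1 as the highly nonlinear function, and all function names are hypothetical.

```python
from itertools import combinations
N, POLY, EXP = 7, 0b10000011, 81  # assumed: GF(2^7) mod x^7+x+1, F(x) = x^81

def gf_mul(a, b):  # carry-less multiply with reduction modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r

def gf_pow(x, e):
    return 1 if e == 0 else gf_mul(x, gf_pow(x, e - 1))

SBOX = [gf_pow(x, EXP) for x in range(1 << N)]

def butterfly(v, op):  # in-place radix-2 butterfly shared by both transforms
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = op(v[j], v[j + h])
        h *= 2
    return v

def walsh_values(sbox):
    """Walsh coefficients sum_x (-1)^(b.F(x) + a.x) for all a and all b != 0."""
    seen = set()
    for b in range(1, 1 << N):
        signs = [1 - 2 * (bin(b & y).count("1") & 1) for y in sbox]
        seen.update(butterfly(signs, lambda p, q: (p + q, p - q)))
    return seen

def two_adic_divisibility(values):  # largest l with 2^l dividing every value
    l = 0
    while all(v % (2 << l) == 0 for v in values):
        l += 1
    return l

def degree(truth_table):  # algebraic degree via the Moebius transform (ANF)
    anf = butterfly(list(truth_table), lambda p, q: (p, p ^ q))
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)

def max_product_degree(sbox, k):  # over all products of k output coordinates
    return max(degree([int(all(y >> i & 1 for i in idx)) for y in sbox])
               for idx in combinations(range(N), k))
```

For this function every Walsh value is divisible by 2^4, and no product of two output coordinates reaches the degree 6 that the individual degrees of 3 would allow.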

References

  1. S. Babbage and L. Frisch. On MISTY1 Higher Order Differential Cryptanalysis. In Proceedings of ICISC 2000, number 2015 in Lecture Notes in Computer Science, pages 22–36. Springer-Verlag, 2000.
  2. A. Canteaut, P. Charpin, and H. Dobbertin. A new characterization of almost bent functions. In Fast Software Encryption 99, number 1636 in Lecture Notes in Computer Science, pages 186–200. Springer-Verlag, 1999.
  3. A. Canteaut and M. Videau. Weakness of block ciphers using highly nonlinear confusion functions. Research Report 4367, INRIA, February 2002. Available on http://www.inria.fr/rrrt/rr-4367.html.
  4. C. Carlet. Two new classes of bent functions. In Advances in Cryptology-EUROCRYPT’93, number 765 in Lecture Notes in Computer Science, pages 77–101. Springer-Verlag, 1994.
  5. C. Carlet, P. Charpin, and V. Zinoviev. Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs, Codes and Cryptography, 15:125–156, 1998.
  6. F. Chabaud and S. Vaudenay. Links between differential and linear cryptanalysis. In A. De Santis, editor, Advances in Cryptology-EUROCRYPT’94, number 950 in Lecture Notes in Computer Science, pages 356–365. Springer-Verlag, 1995.
  7. T. Cusick and H. Dobbertin. Some new 3-valued crosscorrelation functions of binary m-sequences. IEEE Transactions on Information Theory, 42:1238–1240, 1996.
  8. H. Dobbertin. One-to-one highly nonlinear power functions on GF(2^n). Appl. Algebra Engrg. Comm. Comput., 9(2):139–152, 1998.
  9. R. Gold. Maximal recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Transactions on Information Theory, 14:154–156, 1968.
  10. T. Jakobsen and L.R. Knudsen. The interpolation attack on block ciphers. In Fast Software Encryption 97, number 1267 in Lecture Notes in Computer Science, pages 28–40. Springer-Verlag, 1997.
  11. T. Kasami. The weight enumerators for several classes of subcodes of the second order binary Reed-Muller codes. Information and Control, 18:369–394, 1971.
  12. L. R. Knudsen. Truncated and higher order differentials. In Fast Software Encryption-Second International Workshop, number 1008 in Lecture Notes in Computer Science, pages 196–211. Springer-Verlag, 1995.
  13. G. Lachaud and J. Wolfmann. The weights of the orthogonal of the extended quadratic binary Goppa codes. IEEE Transactions on Information Theory, 36(3):686–692, 1990.
  14. X. Lai. Higher order derivatives and differential cryptanalysis. In Proc. “Symposium on Communication, Coding and Cryptography”, in honor of J. L. Massey on the occasion of his 60’th birthday, 1994.
  15. F.J. MacWilliams and N.J.A. Sloane. The Theory of Error-Correcting Codes. North-Holland, 1977.
  16. M. Matsui. Linear cryptanalysis method for DES cipher. In Advances in Cryptology-EUROCRYPT’93, number 765 in Lecture Notes in Computer Science, pages 386–397. Springer-Verlag, 1993.
  17. M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. In Advances in Cryptology-CRYPTO’94, number 839 in Lecture Notes in Computer Science. Springer-Verlag, 1995.
  18. M. Matsui. New Block Encryption Algorithm MISTY. In Fast Software Encryption 97, number 1267 in Lecture Notes in Computer Science, pages 54–68. Springer-Verlag, 1997.
  19. R.J. McEliece. Weight congruence for p-ary cyclic codes. Discrete Mathematics, 3:177–192, 1972.
  20. K. Nyberg. Differentially uniform mappings for cryptography. In Advances in Cryptology-EUROCRYPT’93, number 765 in Lecture Notes in Computer Science, pages 55–64. Springer-Verlag, 1993.
  21. K. Nyberg. On the construction of highly nonlinear permutations. In Advances in Cryptology-EUROCRYPT’92, number 658 in Lecture Notes in Computer Science, pages 92–98. Springer-Verlag, 1993.
  22. K. Nyberg and L.R. Knudsen. Provable security against differential cryptanalysis. In Advances in Cryptology-CRYPTO’92, number 740 in Lecture Notes in Computer Science, pages 566–574. Springer-Verlag, 1993.
  23. H. Tanaka, K. Hisamatsu, and T. Kaneko. Strength of MISTY1 without FL function for Higher Order Differential Attack. In Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, number 1719 in Lecture Notes in Computer Science, pages 221–230. Springer-Verlag, 1999.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Anne Canteaut (1)
  • Marion Videau (1)

  1. INRIA — projet CODES, Le Chesnay Cedex, France