A New Criterion for Avoiding the Propagation of Linear Relations Through an Sbox

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


In several cryptographic primitives, Sboxes of small size are used to provide nonlinearity. After several iterations, all the output bits of the primitive are ideally supposed to depend in a nonlinear way on all of the input variables. However, in some cases, it is possible to find some output bits that depend in an affine way on a small number of input bits if the other input bits are fixed to a well-chosen value. Such situations are for example exploited in cube attacks or in attacks like the one presented by Fuhr against the hash function Hamsi. Here, we define a new property for nonlinear Sboxes, named \((v,w)\)-linearity, which means that \(2^w\) components of an Sbox are affine on all cosets of a \(v\)-dimensional subspace. This property is related to the generalization of the so-called Maiorana-McFarland construction for Boolean functions. We show that this concept quantifies the ability of an Sbox to propagate affine relations. As a proof of concept, we exploit this new notion for analyzing and slightly improving Fuhr’s attack against Hamsi and we show that its success strongly depends on the \((v,w)\)-linearity of the involved Sbox.


Sbox Boolean function Linear relations Maiorana-McFarland construction Hash functions 


  1. 1.
    Berlekamp, E.R., Welch, L.R.: Weight distributions of the cosets of the (32,6) Reed-Muller code. IEEE Trans. Inf. Theor. 18(1), 203–207 (1972)CrossRefMATHMathSciNetGoogle Scholar
  2. 2.
    Boura, C., Canteaut, A.: A new criterion for avoiding the propagation of linear relations through an Sbox (Full version). IACR ePrint Report 2013/211, April 2013. http://eprint.iacr.org/2013/211
  3. 3.
    De Cannière, C.: Analysis and Design of Symmetric Encryption Algorithms. Ph.D. thesis, Katholieke Universiteit Leuven (2007)Google Scholar
  4. 4.
    Canteaut, A., Carlet, C., Charpin, P., Fontaine, C.: On cryptographic properties of the cosets of \(R(1, m)\). IEEE Trans. Inf. Theor. 47(4), 1494–1513 (2001)CrossRefMATHMathSciNetGoogle Scholar
  5. 5.
    Canteaut, A., Daum, M., Dobbertin, H., Leander, G.: Finding nonnormal bent functions. Discret. Appl. Math. 154(2), 202–218 (2006)CrossRefMATHMathSciNetGoogle Scholar
  6. 6.
    Carlet, C., Prouff, E.: Vectorial functions and covering sequences. In: Mullen, G.L., Poli, A., Stichtenoth, H. (eds.) Fq7 2003. LNCS, vol. 2948, pp. 215–248. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  7. 7.
    Charpin, P.: Normal Boolean functions. J. Complex. 20(2–3), 245–265 (2004)CrossRefMATHMathSciNetGoogle Scholar
  8. 8.
    Dillon, J.F.: Elementary Hadamard Difference Sets. Ph.D. thesis, University of Maryland (1974)Google Scholar
  9. 9.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  10. 10.
    Dinur, I., Shamir, A.: An improved algebraic attack on Hamsi-256. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 88–106. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  12. 12.
    Fuhr, T.: Finding second preimages of short messages for Hamsi-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 20–37. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  13. 13.
    Fuhr, T.: Conception, preuves et analyse de fonctions de hachage cryptographiques. Ph.D. thesis, Télécom ParisTech (2011)Google Scholar
  14. 14.
    Gupta, C.K., Sarkar, P.: Improved construction of nonlinear resilient S-boxes. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 466–483. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  15. 15.
    Küçük, Ö: The Hash Function Hamsi. Submission to NIST (Round 2) (2009)Google Scholar
  16. 16.
    Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  17. 17.
    Leander, G., Poschmann, A.: On the classification of 4 Bit S-boxes. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 159–176. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  18. 18.
    McFarland, R.L.: A family of noncyclic difference sets. J. Comb. Theor. Ser. A 15, 1–10 (1973)CrossRefMATHMathSciNetGoogle Scholar
  19. 19.
    Nyberg, K.: Perfect nonlinear S-boxes. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 378–386. Springer, Heidelberg (1991) CrossRefGoogle Scholar
  20. 20.
    Nyberg, K.: S-boxes and round functions with controllable linearity and differential uniformity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 111–130. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  21. 21.
    Pasalic, E., Maitra, S.: Linear codes in generalized construction of resilient functions with very high nonlinearity. IEEE Trans. Inf. Theor. 48(8), 2182–2191 (2002)CrossRefMATHMathSciNetGoogle Scholar
  22. 22.
    Saarinen, M.-J.O.: Cryptographic analysis of all 4 \(\times \) 4-Bit S-boxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 118–133. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  23. 23.
    Wu, H.: The Hash Function JH. Submission to NIST (Round 3) (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.SECRET Project-Team - INRIA Paris-RocquencourtLe Chesnay CedexFrance
  2. 2.GemaltoMeudonFrance

Personalised recommendations