Explore the vast range of titles available.

New symmetric primitives are being designed to address a novel set of design criteria. Instead of being executed on regular processors or smartcards, they are instead intended to be run in abstract settings such as multi-party computations or zero-knowledge proof systems. This implies in particular that these new primitives are described using operations over large finite fields. As the number of such primitives grows, it is important to better understand the properties of their underlying operations. In this paper, we investigate the algebraic degree of one of the first such block ciphers, namely MiMC. It is composed of many iterations of a simple round function, which consists of an addition and of a low-degree power permutation applied to the full state, usually x ↦ x 3 . We show in particular that, while the univariate degree increases predictably with the number of rounds, the algebraic degree (a.k.a multivariate degree) has a much more complex behaviour, and simply stays constant during some rounds. Such plateaus slightly slow down the growth of the algebraic degree. We present a full investigation of this behaviour. First, we prove some lower and upper bounds for the algebraic degree of an arbitrary number of iterations of MiMC and of its inverse. Then, we combine theoretical arguments with simulations to prove that the upper bound is tight for up to 16,265 rounds. Using these results, we slightly improve the higher-order differential attack presented at Asiacrypt 2020 to cover one or two more rounds. More importantly, our results provide some precise guarantees on the algebraic degree of this cipher, and then on the minimal complexity for a higher-order differential attack.

The origins of linear cryptanalysis can be traced back to a number of seminal works of the early 1990s. Since its invention, several theoretical and practical aspects of the technique have been studied, understood and generalized, resulting in more elaborated attacks against certain ciphers, but also in some negative results regarding the potential of various attempts at generalization. This book gives an overview of the current state of the discipline, as well as taking a look at potential future developments, and is divided into five parts. The first part deals with basic assumptions in linear cryptanalysis and their consequences for the design of modern block ciphers; part two explores a theory of multi-dimensional linear attacks on block ciphers; the third part covers how linear attacks can be applied to stream ciphers, and gives an overview of the development of linear attacks as well as a theoretical explanation of their current use. Part four details interesting and useful links between linear cryptanalysis and coding theory, and the fifth and final part discusses how correlation analysis can be conducted at the level of elements of GF (2n) without the need to deal with field representation issues. This book will be of interest to anybody who wishes to explore this fascinating yet complex part of symmetrical cryptanalysis.

We study [2m-1,2m]-binary linear codes whose weights lie between w0 and 2m-w0, where w0 takes the highest possible value. Primitive cyclic codes with two zeros whose dual satisfies this property actually correspond to almost bent power functions and to pairs of maximum-length sequences with preferred crosscorrelation. We prove that, for odd m, these codes are completely characterized by their dual distance and by their weight divisibility. Using McEliece's theorem we give some general results on the weight divisibility of duals of cyclic codes with two zeros; specifically, we exhibit some infinite families of pairs of maximum-length sequences which are not preferred.

The resistance of a block cipher against differential cryptanalysis is usually quantified by the differential uniformity of the involved Sbox. However, this criterion is not very precise; for instance, it does not capture the different behaviors which may be observed for affinely equivalent Sboxes. A more precise quantity derived from the differential spectrum of the Sbox is introduced here and provides a better estimate of the maximum expected differential probability for any two-round Substitution-Permutation Network whose diffusion layer is linear over the field corresponding to the domain of the Sbox. In particular, this result shows that the inversion in the field with

Extended Affine (EA) equivalence is the equivalence relation between two vectorial Boolean functions \\(F\\) and \\(G\\) such that there exist two affine permutations \\(A\\), \\(B\\), and an affine function \\(C\\) satisfying \\(G = A \\circ F \\circ B + C\\). While the problem has a simple formulation, it is very difficult in practice to test whether two functions are EA-equivalent. This problem has two variants: {\\em EA-partitioning} deals with partitioning a set of functions into disjoint EA-equivalence classes, and \\emph{EA-recovery} is about recovering the tuple \\((A,B,C)\\) if it exists. In this paper, we present a new algorithm that efficiently solves the EA-recovery problem for quadratic functions. Although its worst-case complexity occurs when dealing with APN functions, it supersedes, in terms of performance, all previously known algorithms for solving this problem for all quadratic functions and in any dimension, even in the case of APN functions. This approach is based on the Jacobian matrix of the functions, a tool whose study in this context can be of independent interest. The best approach for EA-partitioning in practice mainly relies on class invariants. We provide an overview of the known invariants along with a new one based on the \\emph{ortho-derivative}. This new invariant is applicable to quadratic APN functions, a specific type of functions that is of great interest, and of which tens of thousands need to be sorted into distinct EA-classes. Our ortho-derivative-based invariant is very fast to compute, and it practically always distinguishes between EA-inequivalent quadratic APN functions.

Vectorial Boolean functions are crucial building-blocks in symmetric ciphers. Different known attacks on block ciphers have resulted in diverse cryptographic criteria for vectorial Boolean functions, such as differential uniformity and nonlinearity. Very recently, Bar-On et al. introduced at Eurocrypt'19 a new tool, called the differential-linear connectivity table (DLCT), which allows for taking into account the dependency between the two subciphers \\(E_0\\) and \\(E_1\\) involved in differential-linear attacks. This new notion leads to significant improvements of differential-linear attacks on several ciphers. This paper presents a theoretical characterization of the DLCT of vectorial Boolean functions and also investigates this new criterion for some families of functions with specific forms. More precisely, we firstly reveal the connection between the DLCT and the autocorrelation of vectorial Boolean functions, we characterize properties of the DLCT by means of the Walsh transform of the function and of its differential distribution table, and we present generic bounds on the highest magnitude occurring in the DLCT of vectorial Boolean functions, which coincides (up to a factor~\\(2\\)) with the well-established notion of absolute indicator. Next, we investigate the invariance property of the DLCT of vectorial Boolean functions under the affine, extended-affine, and Carlet-Charpin-Zinoviev (CCZ) equivalence and exhaust the DLCT spectra of optimal \\(4\\)-bit S-boxes under affine equivalence. Furthermore, we study the DLCT of APN, plateaued and AB functions and establish its connection with other cryptographic criteria. Finally, we investigate the DLCT and the absolute indicator of some specific polynomials with optimal or low differential uniformity, including monomials, cubic functions, quadratic functions and inverses of quadratic permutations.

A divide-and-conquer cryptanalysis can often be mounted against some keystream generators composed of several (nonlinear) independent devices combined by a Boolean function. In particular, any parity-check relation derived from the periods of some constituent sequences usually leads to a distinguishing attack whose complexity is determined by the bias of the relation. However, estimating this bias is a difficult problem since the piling-up lemma cannot be used. Here, we give two exact expressions for this bias. Most notably, these expressions lead to a new algorithm for computing the bias of a parity-check relation, and they also provide some simple formulae for this bias in some particular cases which are commonly used in cryptography.

Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It ac- commodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles from the stream cipher SNOW 2.0 and some transformations derived from the block cipher SERPENT. Sosemanuk aims at improv- ing SNOW 2.0 both from the security and from the efficiency points of view. Most notably, it uses a faster IV-setup procedure. It also requires a reduced amount of static data, yielding better performance on several architectures.