Paper 2024/1693

A notion on S-boxes for a partial resistance to some integral attacks

Claude Carlet, University of Bergen, 5005 Bergen, Norway, University of Paris 8, 93526 Saint-Denis, France
Abstract

In two recent papers, we introduced and studied the notion of $k$th-order sum-freedom of a vectorial function $F:\mathbb F_2^n\to \mathbb F_2^m$. This notion generalizes that of almost perfect nonlinearity (which corresponds to $k=2$) and has some relation with the resistance to integral attacks of those block ciphers using $F$ as a substitution box (S-box), by preventing the propagation of the division property of $k$-dimensional affine spaces. In the present paper, we show that this notion, which is rarely satisfied by vectorial functions, can be weakened while retaining the property that the S-boxes do not propagate the division property of $k$-dimensional affine spaces. This leads us to the property that we name $k$th-order $t$-degree-sum-freedom, whose strength decreases when $t$ increases, and which coincides with $k$th-order sum-freedom when $t=1$. The condition for $k$th-order $t$-degree-sum-freedom is that, for every $k$-dimensional affine space $A$, there exists a non-negative integer $j$ of 2-weight at most $t$ such that $\sum_{x\in A}(F(x))^j\neq 0$. We show, for a general $k$th-order $t$-degree-sum-free function $F$, that $t$ can always be taken smaller than or equal to $\min(k,m)$ under some reasonable condition on $F$, and that it is larger than or equal to $\frac k{\deg(F)}$, where $\deg(F)$ is the algebraic degree of $F$. We also show two other lower bounds: one, that is often tighter, by means of the algebraic degree of the compositional inverse of $F$ when $F$ is a permutation, and another (valid for every vectorial function) by means of the algebraic degree of the indicator of the graph of the function. We study examples for $k=2$ (case in which $t=1$ corresponds to APNness) showing that finding $j$ of 2-weight 2 can be challenging, and we begin the study of power functions, for which we prove upper bounds. We study in particular the multiplicative inverse function (used as an S-box in the AES), for which we characterize the $k$th-order $t$-degree-sum-freedom by the coefficients of the subspace polynomials of $k$-dimensional vector subspaces (deducing the exact value of $t$ when $k$ divides $n$) and we extend to $k$th-order $t$-degree-sum-freedom the result that it is $k$th-order sum-free if and only if it is $(n-k)$th-order sum-free.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
vectorial functionS-boxalmost perfect nonlinear$k$th-order sum-freeintegral attackdivision property.
Contact author(s)
claude carlet @ gmail com
History
2025-02-01: last of 2 revisions
2024-10-17: received
See all versions
Short URL
https://ia.cr/2024/1693
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1693,
      author = {Claude Carlet},
      title = {A notion on S-boxes for a partial resistance to some integral attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1693},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1693}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.