On the propagation of affine relations through an Sbox
Christina Boura and Anne Canteaut
SECRET Project-Team, INRIA Paris-Rocquencourt
Gemalto, France
October 8, 2012
1 / 25
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
2 / 25
Description of Hamsi-256
Hamsi Hash Function
Designed by Özgül Küçük in 2008 for the SHA-3 competition.
Selected by NIST for the 2nd round (14 candidates).
Compression function of Hamsi-256 (figure): message block (32-bit) and chain value (256-bit) → Concatenation → Permutation P → chain value (256-bit).
4 / 25
Concatenation
State : 4 × 4 matrix of 32-bit words
Figure: the 16 words s0, ..., s15 of the state, filled with the message words m0, ..., m7 and the chain-value words c0, ..., c7.
5 / 25
Permutation P
3 rounds of a 512-bit round permutation R
XOR of constants
Substitution by 4× 4-bit Sboxes
Diffusion by a linear transformation L
6 / 25
Substitution
128 parallel applications of a 4 × 4 Sbox S.
S is a Serpent Sbox:
S = {8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2}
7 / 25
Diffusion
4 parallel applications of a linear function L
L : F_2^128 → F_2^128
L(a, b, c, d) = (a′, b′, c′, d′)
Figure: the four 32-bit input words a, b, c, d and the four output words a′, b′, c′, d′.
Each bit of a′ and c′ is the XOR of 7 bits of a, b, c, d.
Each bit of b′ and d′ is the XOR of 3 bits of a, b, c, d.
8 / 25
Thomas Fuhr's attack
First second-preimage attack against Hamsi-256, by Thomas Fuhr (Asiacrypt 2010).
Idea:
Find some output bits which can be expressed as an affine function of some input bits when the other input bits are fixed to any arbitrary value.
Build the linear system.
Solve the system (find preimages for the compression function).
Use a meet-in-the-middle algorithm to extend these pseudo-preimages to second preimages for the hash function.
10 / 25
Description of the attack in [Fuhr10]
Important property of S
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
Fix Nvar positions i = 1, ..., Nvar (here Nvar = 4).
Choose a message block m such that si0 = 1 (resp. si1 = 1) and si8 = 0 (resp. si8 = 1).
Consider Nvar variables xi, i = 1, ..., Nvar.
11 / 25
Figure (Sboxes, then Linear Layer): in each of the four chosen columns the Sbox input (1, xi, 0, x̄i) becomes (1, 0, 0, xi), so after the Sbox layer each of x1, x2, x3, x4 sits in a single bit next to the constants 1 and 0.
After the first round, the state is linear in the input variables, for any choice of the other constants.
12 / 25
4 different situations
1. All the input bits are constant. Figure: S applied to (c, c, c, c) gives (c, c, c, c). All output bits are constant.
2. At most one input bit depends on one variable (or an affine combination of variables). Figure: S applied to (c, x3, c, c) gives (A(x3), A(x3), A(x3), A(x3)). All output bits are an affine combination of this variable.
3. At least two input bits depend on the same variable (or the same affine combination of variables). Figure: S applied to (c, x3, c, x3) gives (A(x3), A(x3), A(x3), A(x3)). All output bits are an affine combination of this variable.
4. At least two input bits depend on at least two different variables. Figure: S applied to (c, x3, c, x5) gives (?, ?, ?, ?). Are all output bits non-linear?
13 / 25
Two properties of S noticed by Thomas Fuhr
y0 is of degree at most 1 if x0x2 is of degree at most 1.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.
Results (PhD of T. Fuhr)
16 affine equations on 8 variables.
11 affine equations on 9 variables.
9 affine equations on 10 variables.
14 / 25
Improvement of the attack
An equivalent notation
y0 is of degree at most 1 if x0x2 is of degree at most 1.
⇓
y0 is of degree at most 1 if x ∈ V⊥ ⊂ F_2^4 with V = 〈1〉, V = 〈4〉 or V = 〈5〉, or if x belongs to any coset of these hyperplanes.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.
⇓
y3 is of degree at most 1 if x belongs to any coset of V⊥ ⊂ F_2^4 with V = 〈1, 2〉, V = 〈2, 4〉 or V = 〈2, 5〉.
16 / 25
We have identified many such relations for S with dim V = 2
V : set of λ (in hex) for which Sλ has degree at most 1 on every coset of V⊥
〈1, 2〉 : {1, 6, 7, 8, 9, e, f}
〈1, 4〉 : {1, e, f}
〈1, 6〉 : {1, 4, 5, a, b, e, f}
〈1, 8〉 : {1, e, f}
〈1, a〉 : {1, 2, 3, c, d, e, f}
〈1, c〉 : {1, e, f}
〈1, e〉 : {1, e, f}
〈2, 4〉 : {1, 8, 9}
〈2, 5〉 : {1, 8, 9}
〈2, 8〉 : {e}
〈2, 9〉 : {e}
〈2, d〉 : {f}
〈3, 4〉 : {1, 6, 7}
...
35 properties in total
17 / 25
Improvement of the attack of [Fuhr10]
1. Use these properties to search for affine propagation of the input variables through the 2nd and the 3rd round.
2. Use the following relations of S to go through the 1st round.
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
S(1, x, 0, x) = (0, x, 1, 0) ∀x ∈ F2
3. Track backwards the propagation of the output bits to fix the input variables.
Results
13 affine equations on 9 variables.
11 affine equations on 10 variables.
18 / 25
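The Sbox facts the attack relies on (the ANF equations of slide 14, the relation S(1, x, 0, x̄) = (1, 0, 0, x) of slide 11 and the second first-round relation above) can be re-derived from the lookup table. The following is an added example, not the authors' code: it recovers the ANF of each coordinate with a Möbius transform, compares it with the slide equations, and applies S to the two constant/variable patterns, reporting which output bit carries the variable. The bit-ordering convention (bit i of an integer is x_i, for inputs and outputs alike) is an assumption chosen because the slide equations hold under it.

```python
SBOX = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]
N = 4

def bits(v):
    """Integer -> (x0, x1, x2, x3); bit i of the integer is coordinate x_i
    (assumed convention: the one under which the slide equations hold)."""
    return tuple((v >> i) & 1 for i in range(N))

def from_bits(b):
    return sum(bit << i for i, bit in enumerate(b))

def anf(truth_table):
    """Moebius transform of a truth table indexed by x = from_bits(x0..x3).
    Returns the set of monomials, each as the bitmask of its variables:
    0 is the constant 1, 0b0101 is x0*x2, 0b1010 is x1*x3."""
    coef = list(truth_table)
    for i in range(N):
        for x in range(1 << N):
            if x & (1 << i):
                coef[x] ^= coef[x ^ (1 << i)]
    return {u for u in range(1 << N) if coef[u]}

def coordinate_anf(j):
    """ANF of output coordinate y_j of the Sbox."""
    return anf([(SBOX[x] >> j) & 1 for x in range(1 << N)])

def degree(j):
    return max(bin(u).count("1") for u in coordinate_anf(j))

def monomial_str(u):
    return "1" if u == 0 else "".join("x%d" % i for i in range(N) if u >> i & 1)

# The four equations of slide 14, transcribed as sets of monomial bitmasks.
SLIDE_ANF = {
    0: {0b0101, 0b0010, 0b0100, 0b1000},                    # x0x2 + x1 + x2 + x3
    1: {0b0111, 0b1011, 0b1101, 0b0110, 0b1001, 0b1100, 0b0001, 0b0010, 0b0100},
    2: {0b1011, 0b1101, 0b0110, 0b1010, 0b1100, 0b0001, 0b0010, 0b1000},
    3: {0b0111, 0b1010, 0b0001, 0b0010, 0b0100, 0b0000},    # x0x1x2 + x1x3 + x0 + x1 + x2 + 1
}

def anf_matches_slide():
    """True iff the ANF recovered from the table equals the slide equations."""
    return all(coordinate_anf(j) == SLIDE_ANF[j] for j in range(N))

def sbox_on_pattern(pattern):
    """Apply S to a constant/variable pattern such as (1, 'x', 0, 'nx'), where
    'x' is the single variable and 'nx' its complement, for x = 0 and x = 1.
    Returns {x: (y0, y1, y2, y3)}."""
    out = {}
    for x in (0, 1):
        inp = [x if p == "x" else (1 - x if p == "nx" else p) for p in pattern]
        out[x] = bits(SBOX[from_bits(inp)])
    return out

def variable_position(pattern):
    """Index of the one output bit that depends on x, or None if the variable
    spreads to zero or several output bits (the 'good' case for the attack
    is exactly one bit, as in S(1, x, 0, nx) = (1, 0, 0, x))."""
    out = sbox_on_pattern(pattern)
    moving = [i for i in range(N) if out[0][i] != out[1][i]]
    return moving[0] if len(moving) == 1 else None

if __name__ == "__main__":
    for j in range(N):
        terms = sorted(coordinate_anf(j), key=lambda u: -bin(u).count("1"))
        print("y%d = " % j + " + ".join(monomial_str(u) for u in terms),
              "(degree %d)" % degree(j))
    print("ANF matches slide 14:", anf_matches_slide())
    for pat in ((1, "x", 0, "nx"), (1, "x", 0, "x")):
        print(pat, "->", sbox_on_pattern(pat),
              "variable carried by y%s" % variable_position(pat))
```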
(v, w)-linear functions
The notion of (v, w)-linearity
Definition
Let S be a function from F_2^n into F_2^m. Then, S is said to be (v, w)-linear if there exist two subspaces V ⊂ F_2^n and W ⊂ F_2^m with dim V = v and dim W = w such that, for all λ ∈ W, Sλ has degree at most 1 on all cosets of V, where Sλ is the Boolean function x ↦ λ · S(x).
We used that the Sbox of Hamsi is (3, 2)-linear for some (V, W), and that it is (2, 2)-linear for many (V, W).
20 / 25
Link with the Maiorana-McFarland construction
A function S from F_2^n into F_2^m is (v, w)-linear if the function SW that corresponds to all the components Sλ, λ ∈ W, can be written as
SW(u, v) = M(u)v + G(u),
where U × V = F_2^n, G is a function from U into F_2^w and M(u) is a w × v binary matrix.
Generalisation of the Maiorana-McFarland construction
The degree of each Sλ is at most dim U + 1 = n + 1 − v.
21 / 25
Boolean functions that are equivalent to the Maiorana-McFarland construction can be characterized by their second-order derivatives. (Similar for vectorial functions.)
Proposition
Let S be a function from F_2^n into F_2^m. Then, S is (v, w)-linear if and only if there exists a subset of w independent components of S, SW = (Si1, ..., Siw), and a linear subspace V of dimension v such that all second-order derivatives of SW, DαDβSW with α, β ∈ V, vanish.
Easy algorithm for finding all (v, w)-linear subspaces.
22 / 25
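The table of slide 17 and the (3, 2)-linearity statement of slide 20 can be recomputed from the lookup table with the second-order-derivative criterion of this proposition. The following is an added example, not the authors' algorithm: for a subspace V it tests, for every component λ · S, whether DαDβ(λ · S) vanishes for all α, β ∈ V⊥, following the slides' convention that a listed V means "affine on every coset of V⊥". The bit ordering (1 = e0, ..., 8 = e3, for λ as well) is an assumption matching the slide equations.

```python
from itertools import combinations

SBOX = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]
N = 4                      # S maps F_2^4 to F_2^4
ALL = range(1 << N)

def parity(v):
    """Parity of the bits of v; parity(a & b) is the dot product a . b over F_2."""
    return bin(v).count("1") & 1

def component(lam, x):
    """Boolean component S_lambda(x) = lambda . S(x)."""
    return parity(lam & SBOX[x])

def span(gens):
    """F_2-span of the generators (vectors as integers, bit i = coordinate i)."""
    vecs = {0}
    for g in gens:
        vecs |= {v ^ g for v in vecs}
    return frozenset(vecs)

def orthogonal(sub):
    """V^perp = {u : u . v = 0 for all v in V}."""
    return frozenset(u for u in ALL if all(parity(u & v) == 0 for v in sub))

def affine_on_cosets(lam, U):
    """Criterion of the proposition: S_lambda has degree <= 1 on every coset of
    U iff D_a D_b S_lambda(x) = f(x) + f(x+a) + f(x+b) + f(x+a+b) = 0
    for all x and all a, b in U (sums over F_2, i.e. XORs)."""
    for x in ALL:
        for a in U:
            for b in U:
                if (component(lam, x) ^ component(lam, x ^ a)
                        ^ component(lam, x ^ b) ^ component(lam, x ^ a ^ b)):
                    return False
    return True

def linear_components(V):
    """Nonzero lambda whose component is affine on the cosets of V^perp.
    With 0 added this set is a subspace W: S is (dim V^perp, dim W)-linear."""
    U = orthogonal(V)
    return {lam for lam in ALL if lam and affine_on_cosets(lam, U)}

def subspaces(dim):
    """All distinct subspaces of F_2^4 of the given dimension."""
    found = set()
    for gens in combinations(range(1, 1 << N), dim):
        V = span(gens)
        if len(V) == 1 << dim:     # generators were independent
            found.add(V)
    return found

def relation_table(dim):
    """Map each dim-dimensional V with at least one affine component to that
    component set; for dim = 2 this reproduces the entries of slide 17."""
    table = {}
    for V in subspaces(dim):
        W = linear_components(V)
        if W:
            table[V] = W
    return table

def show(V):
    """Render a 2-dimensional subspace as <a, b> from its two smallest nonzero
    elements (any two distinct nonzero elements generate it)."""
    a, b = sorted(v for v in V if v)[:2]
    return "<%x, %x>" % (a, b)

if __name__ == "__main__":
    table = relation_table(2)
    print("%d of %d two-dimensional subspaces give affine components"
          % (len(table), len(subspaces(2))))
    for V in sorted(table, key=show):
        print(show(V), "{" + ", ".join("%x" % l for l in sorted(table[V])) + "}")
```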
Link with non-linearity
Proposition
Let S be a function from F_2^n into F_2^m. If S is (v, w)-linear, then S has w weakly v-normal coordinates. In particular, L(S) ≥ 2^v.
23 / 25
(n− 1, 1)-linear functions
Proposition
Let f be a Boolean function of n variables. Then, f is (n − 1, 1)-linear if and only if deg f ≤ 2 and L(f) ≥ 2^(n−1). Moreover, if deg(f) = 2 and L(f) ≥ 2^(n−1), there exist exactly 3 distinct hyperplanes H such that f has degree at most 1 on both H and H̄.
Remark: The number of subspaces for which S is (n − 1, 1)-linear is determined by the number of the quadratic components of S.
24 / 25
Classification of 4 × 4 Sboxes
A 4 × 4 Sbox S with optimal linearity (L(S) = 8) has 0, 1, 3, or 7 quadratic components.
Sboxes with 15 quadratic components have one linear component.
Sboxes with 7 quadratic components are not optimal against differential cryptanalysis.
Thank you for your attention!
25 / 25