Cryptanalysis of a Theorem: Decomposing the Only Known Solution to the Big APN Problem

The existence of Almost Perfect Non-linear (APN) permutations operating on an even number of bits was a long-standing open question until Dillon et al., who work for the NSA, provided an example on 6 bits in 2009. In this paper, we apply methods intended to reverse-engineer S-Boxes with unknown structure to this permutation and find a simple decomposition relying on the cube function over $$GF(2^3)$$. More precisely, we show that it is a particular case of a permutation structure we introduce, the butterfly. Such butterflies are $$2n$$-bit mappings with two CCZ-equivalent representations: one is a quadratic non-bijective function and the other is a permutation of algebraic degree $$n+1$$. We show that these structures always have differential uniformity at most 4 when $$n$$ is odd. A particular case of this structure is actually a 3-round Feistel Network with similar differential and linear properties. These functions also share an excellent non-linearity for $$n=3,5,7$$. Furthermore, we deduce a bitsliced implementation and significantly reduce the hardware cost of a 6-bit APN permutation using this decomposition, thus simplifying the use of such a permutation as a building block for a cryptographic primitive.
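The following is an added worked example, not code from the paper or its authors. It builds the butterfly for $$n=3$$ from the paper's keyed map $$R_k(x) = (x \oplus \alpha k)^3 \oplus k^3$$: the closed (quadratic, non-bijective) form $$V(x,y) = (R_y(x), R_x(y))$$ and the open form $$H(x,y) = (R_{R_y^{-1}(x)}(y),\, R_y^{-1}(x))$$, which is a permutation by construction. It then checks the abstract's claims on the full 6-bit tables: $$H$$ is a permutation, $$V$$ is not, both have the same differential uniformity (they are CCZ-equivalent), that uniformity is at most 4, and the algebraic degrees are 2 for $$V$$ and $$n+1 = 4$$ for $$H$$. Assumptions: $$GF(2^3)$$ is represented modulo the polynomial $$x^3+x+1$$, the cube root is $$u \mapsto u^5$$ (since $$3 \cdot 5 \equiv 1 \pmod 7$$), and $$\alpha$$ ranges over the non-trivial choices $$\alpha \notin \{0,1\}$$; the helper names are the example's own.

```python
# Added example: butterfly structure over GF(2^3)^2 (6-bit S-box) and its
# differential uniformity / algebraic degree. Not the paper's own code.
N = 3
MOD = 0b1011            # assumption: GF(2^3) = GF(2)[x]/(x^3 + x + 1)
FIELD = 1 << N          # 8 field elements
CUBE_ROOT_EXP = 5       # 3 * 5 = 15 = 1 mod 7, so u^5 is the inverse of u^3


def gf_mul(a, b):
    """Multiply two GF(2^3) elements (polynomial basis, reduced mod MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD:
            a ^= MOD
    return r


def gf_pow(a, e):
    """a^e in GF(2^3) by repeated multiplication (e is tiny here)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def R(k, x, alpha):
    """Keyed permutation R_k(x) = (x + alpha*k)^3 + k^3 from the paper."""
    return gf_pow(x ^ gf_mul(alpha, k), 3) ^ gf_pow(k, 3)


def R_inv(k, u, alpha):
    """Inverse of R_k: (u + k^3)^(1/3) + alpha*k, using u^5 as cube root."""
    return gf_pow(u ^ gf_pow(k, 3), CUBE_ROOT_EXP) ^ gf_mul(alpha, k)


def closed_butterfly(alpha):
    """V(x,y) = (R_y(x), R_x(y)) as a 64-entry table indexed by (x<<3)|y."""
    return [(R(y, x, alpha) << N) | R(x, y, alpha)
            for x in range(FIELD) for y in range(FIELD)]


def open_butterfly(alpha):
    """H(x,y) = (R_t(y), t) with t = R_y^{-1}(x); a permutation by construction."""
    table = []
    for x in range(FIELD):
        for y in range(FIELD):
            t = R_inv(y, x, alpha)
            table.append((R(t, y, alpha) << N) | t)
    return table


def is_permutation(table):
    return sorted(table) == list(range(len(table)))


def differential_uniformity(table):
    """max over a != 0, b of #{x : F(x) + F(x+a) = b}; 2 means APN."""
    size = len(table)
    best = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x] ^ table[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def algebraic_degree(table, nbits):
    """Degree of the vectorial function: Moebius transform of each output bit."""
    size = len(table)
    degree = 0
    for bit in range(nbits):
        anf = [(v >> bit) & 1 for v in table]
        step = 1
        while step < size:
            for i in range(size):
                if i & step:
                    anf[i] ^= anf[i ^ step]
            step <<= 1
        for mono in range(size):
            if anf[mono]:
                degree = max(degree, bin(mono).count("1"))
    return degree


def summarize(alpha):
    """Properties of the open and closed butterfly for one alpha (alpha not in {0,1})."""
    H, V = open_butterfly(alpha), closed_butterfly(alpha)
    return {
        "H_is_permutation": is_permutation(H),
        "V_is_permutation": is_permutation(V),
        "delta_H": differential_uniformity(H),
        "delta_V": differential_uniformity(V),
        "deg_H": algebraic_degree(H, 2 * N),
        "deg_V": algebraic_degree(V, 2 * N),
    }


if __name__ == "__main__":
    for alpha in range(2, FIELD):
        print(alpha, summarize(alpha))
```

Running the script prints one line per $$\alpha \in \{2,\dots,7\}$$; the differential uniformity is the quantity to watch, since the open and closed forms must agree on it (CCZ-equivalence) while differing in degree and bijectivity.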
