Differential properties of functions x -> x^{2^t-1} -- extended version

📝 Abstract

We provide an extensive study of the differential properties of the functions $x\mapsto x^{2^t-1}$ over $\F $, for $2 \leq t \leq n-1 $. We notably show that the differential spectra of these functions are determined by the number of roots of the linear polynomials $x^{2^t}+bx^2+(b+1)x$ where $b$ varies in $\F $.We prove a strong relationship between the differential spectra of $x\mapsto x^{2^t-1}$ and $x\mapsto x^{2^{s}-1}$ for $s= n-t+1 $. As a direct consequence, this result enlightens a connection between the differential properties of the cube function and of the inverse function. We also determine the complete differential spectra of $x \mapsto x^7$ by means of the value of some Kloosterman sums, and of $x \mapsto x^{2^t-1}$ for $t \in \{\lfloor n/2\rfloor, \lceil n/2\rceil+1, n-2\} $.

💡 Analysis

We provide an extensive study of the differential properties of the functions $x\mapsto x^{2^t-1}$ over $\F $, for $2 \leq t \leq n-1 $. We notably show that the differential spectra of these functions are determined by the number of roots of the linear polynomials $x^{2^t}+bx^2+(b+1)x$ where $b$ varies in $\F $.We prove a strong relationship between the differential spectra of $x\mapsto x^{2^t-1}$ and $x\mapsto x^{2^{s}-1}$ for $s= n-t+1 $. As a direct consequence, this result enlightens a connection between the differential properties of the cube function and of the inverse function. We also determine the complete differential spectra of $x \mapsto x^7$ by means of the value of some Kloosterman sums, and of $x \mapsto x^{2^t-1}$ for $t \in \{\lfloor n/2\rfloor, \lceil n/2\rceil+1, n-2\} $.

📄 Content

arXiv:1108.4753v2 [cs.CR] 25 Aug 2011 Differential properties of functions x 7→x2t−1 – extended version∗– C´eline Blondeau, Anne Canteaut and Pascale Charpin † November 7, 2018 Abstract We provide an extensive study of the differential properties of the functions x 7→x2t−1 over F2n, for 1 < t < n. We notably show that the differential spectra of these functions are determined by the number of roots of the linear polynomials x2t + bx2 + (b + 1)x where b varies in F2n.We prove a strong relationship between the differential spectra of x 7→x2t−1 and x 7→x2s−1 for s = n −t + 1. As a direct consequence, this result enlightens a connection between the differential properties of the cube function and of the inverse function. We also determine the complete differential spectra of x 7→x7 by means of the value of some Kloosterman sums, and of x 7→x2t−1 for t ∈{⌊n/2⌋, ⌈n/2⌉+ 1, n −2}. Keywords. Differential cryptanalysis, block cipher, S-box, power function, monomial, differential uniformity, APN function, permutation, linear poly- nomial, Kloosterman sum, cyclic codes. 1 Introduction Differential cryptanalysis is the first statistical attack proposed for break- ing iterated block ciphers. Its publication [4] then gave rise to numerous works which investigate the security offered by different types of functions regarding differential attacks. This security is quantified by the so-called differential uniformity of the Substitution box used in the cipher [22]. Most ∗of the paper which will appear in IEEE Transactions on Information Theory †SECRET project-team - INRIA Paris-Rocquencourt, Domaine de Voluceau, B.P. 105, 78153 Le Chesnay Cedex, France. Email: celine.blondeau@inria.fr, anne.canteaut@inria.fr, pascale.charpin@inria.fr 1 notably, finding appropriate S-boxes which guarantee that the cipher using them resist differential attacks is a major topic for the last twenty years, see e.g. [11, 16, 9, 6, 8]. Power functions, i.e., monomial functions, form a class of suitable can- didates since they usually have a lower implementation cost in hardware. Also, their particular algebraic structure makes the determination of their differential properties easier. However, there are only a few power functions for which we can prove that they have a low differential uniformity. Up to equivalence, there are two large families of such functions: a subclass of the quadratic power functions (a.k.a. Gold functions) and a subclass of the so- called Kasami functions. Both of these families contain some permutations which are APN over F2n for odd n and differentially 4-uniform for even n. The other known power functions with a low differential uniformity corre- spond to “sporadic” cases in the sense that the corresponding exponents vary with n [17] and they do not belong to a large class: they correspond to the exponents defined by Welch [14, 10], by Niho [13, 18], by Dobbertin [15], by Bracken and Leander [7], and to the inverse function [21]. It is worth noticing that some of these functions seem to have different structures be- cause they do not share the same differential spectrum. For instance, for a quadratic power function or a Kasami function, the differential spectrum has only two values, i.e., the number of occurrences of each differential belongs to {0, δ} for some δ [5]. The inverse function has a very different behavior since its differential spectrum has three values, namely 0, 2 and 4 and, for each input difference, there is exactly one differential which is satisfied four times. However, when classifying all functions with a low differential uniformity, it can be noticed that the family of all power functions x 7→x2t−1 over F2n, with 1 < t < n, contains several functions with a low differential uniformity. Most notably, it includes the cube function and the inverse function, and also x 7→x2(n+1)/2−1 for n odd, which is the inverse of a quadratic function. At a first glance, this family of exponents may be of very small relevance because the involved functions have distinct differential spectra. Then, they are expected to have distinct structures. For this reason, one of the motivations of our study was to determine whether some link could be established between the differential properties of the cube function and of the inverse function. Our work then answers positively to this question since it exhibits a general relationship between the differential spectra of x 7→x2t−1 and x 7→x2n−t+1−1 over F2n. We also determine the complete differential spectra of some other exponents in this family. The rest of the paper is organized as follows. Section 2 recalls some defi- 2 nitions and some general properties of the differential spectrum of monomial functions. Section 3 then focuses on the differential spectra of the monomi- als x 7→x2t−1. First, the differential spectrum of any such function is shown to be determined by the number of roots of a family of linear polynomials. Then, we exhibit a symmetry property for the exponents in this family: it is proved that the di

This content is AI-processed based on ArXiv data.