Higher-order Differential Properties for Keccak and Luffa
Christina Boura (1, 2), Anne Canteaut (1), Christophe De Cannière (3)
(1) SECRET Project-Team, INRIA, France
(2) Gemalto, France
(3) Katholieke Universiteit Leuven, Belgium
February 15, 2011

Outline
1. Introduction
2. New bound on the degree of iterated permutations
3. Application to two SHA-3 candidates
   - Keccak
   - Luffa
4. Conclusions

1. Introduction

Objective of this paper
- Study the algebraic degree of some hash function proposals and of their inner primitives.
- Use these results to construct higher-order differential distinguishers and zero-sum structures.

Previous work (related to the SHA-3 competition)
- Zero-sum distinguishers for Keccak, Luffa and Hamsi. [Aumasson-Meier 09, Aumasson et al. 09, Boura-Canteaut 10]
- Higher-order differential attack on Luffa v1. [Watanabe et al. 10]

Bound on the degree of iterated permutations

Question: How to estimate the algebraic degree of an iterated permutation after $r$ rounds?

Trivial bound:
$$\deg(G \circ F) \le \deg G \cdot \deg F$$

[Canteaut-Videau 02]: Improvement when the Walsh spectrum of $F$ is divisible by a high power of 2.

2. New bound on the degree of iterated permutations

Towards a new bound on the degree ($\deg F = 3$)

[Figure: degree, labelled deg(F), on the vertical axis (0 to 1600) against the number of rounds on the horizontal axis (0 to 16); curve shown: Trivial Bound.]

[Figure: an S-box $S$ with inputs $x_0, x_1, x_2, x_3$ and outputs $y_0, y_1, y_2, y_3$.]

Question: If $S$ is balanced, what is the degree of the product of $k$ coordinates of $S$?

Definition: $\delta_k$ is the maximum degree of the product of $k$ coordinates of $S$.

k    δ_k
1    3
2    3
3    3
4    4

$F$ permutation of $\mathbb{F}_2^n$: $\delta_k = n$ iff $k = n$.

The new bound

Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the concatenation of $m$ smaller Sboxes, $S_1, \ldots, S_m$, defined over $\mathbb{F}_2^{n_0}$. Then, for any function $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^{\ell}$, we have
$$\deg(G \circ F) \le n - \frac{n - \deg(G)}{\gamma},$$
where
$$\gamma = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}.$$
Most notably, if all Sboxes are balanced, we have
$$\deg(G \circ F) \le n - \frac{n - \deg(G)}{n_0 - 1}.$$

[Figure: four parallel Sboxes $S_1, S_2, S_3, S_4$.]

Problem: Multiply $d$ output bits from $S_1, S_2, S_3, S_4$ in such a way that the degree of their product $\pi$, $\deg(\pi)$, is maximized.

Definition: $x_i$ = number of Sboxes for which exactly $i$ coordinates are involved in $\pi$.

$$\deg(\pi) \le \max_{(x_1, x_2, x_3, x_4)} (\delta_1 x_1 + \delta_2 x_2 + \delta_3 x_3 + \delta_4 x_4) \quad \text{with } x_1 + 2x_2 + 3x_3 + 4x_4 = d.$$

[Figure: four parallel Sboxes $S_1, S_2, S_3, S_4$.]

d     x_4   x_3   x_2   x_1   deg(π)
16    4     -     -     -     16
15    3     1     -     -     15
14    3     -     1     -     15
13    3     -     -     1     15
12    2     1     -     1     14
11    2     -     1     1     14
10    2     -     -     2     14
9     1     1     -     2     13
...   ...   ...   ...   ...   ...

$$16 - \deg(\pi) \ge \frac{16 - d}{3}$$
that is,
$$\deg(\pi) \le 16 - \frac{16 - d}{3}$$

3. Application to two SHA-3 candidates

Keccak [Bertoni-Daemen-Peeters-Van Assche 08]
- 3rd round SHA-3 candidate
- Sponge construction

Keccak-f permutation
- 1600-bit state, seen as a 3-dimensional $5 \times 5 \times 64$ matrix
- 24 rounds $R$
- Nonlinear layer: 320 parallel applications of a $5 \times 5$ S-box $\chi$
- $\deg \chi = 2$, $\deg \chi^{-1} = 3$

Zero-Sums and Zero-Sum Partitions
- For block ciphers (known-key attack) [Knudsen-Rijmen 07]
- For hash functions [Aumasson-Meier 09, Boura-Canteaut 10]

Definition [Zero-sum]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum for $F$ of size $K$ is a subset $\{x_1, \ldots, x_K\} \subset \mathbb{F}_2^n$ such that
$$\sum_{i=1}^{K} x_i = \sum_{i=1}^{K} F(x_i) = 0.$$

Definition [Zero-sum partition]. Let $P$ be a permutation from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums.

The new bound applied to Keccak-f

Let $R$ be the round function of Keccak-f and $R^{-1}$ its inverse. For any $F$,
$$\deg(F \circ R) \le 1600 - \frac{1600 - \deg(F)}{3}$$
$$\deg(F \circ R^{-1}) \le 1600 - \frac{1600 - \deg(F)}{3}$$

Observation [Duan-Lai 11]: for $\chi^{-1}$, $\delta_2 = 3$. Then,
$$\deg(F \circ R^{-1}) \le 1600 - \frac{1600 - \deg(F)}{2}$$

r     deg(R^r)   deg(R^-r)
1     2          3
2     4          9
3     8          27
4     16         81
5     32         243
6     64         729
7     128        1164
8     256        1382
9     512        1491
10    1024       1545
11    1408       1572
12    1536       1586
13    1578       1593
14    1592       1596
15    1597       1598
16    1599       1599
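
Added example (Python, not from the slides or the authors): recomputing both columns of the table above from the theorem, by deriving $\delta_k$ and $\gamma$ for $\chi$ and $\chi^{-1}$ and keeping, per round, the smaller of the trivial bound and the new bound. Assumptions: $\chi$ is taken from the Keccak specification as $y_i = x_i \oplus (\lnot x_{i+1} \wedge x_{i+2})$, which the slides do not spell out, and all function names are illustrative.

```python
from fractions import Fraction
from itertools import combinations
from math import floor

N0 = 5        # chi is a 5-bit S-box
N = 1600      # Keccak-f state size in bits


def chi(x):
    """chi on one 5-bit row (assumed from the Keccak specification):
    y_i = x_i XOR ((NOT x_{i+1}) AND x_{i+2}), indices mod 5."""
    b = [(x >> i) & 1 for i in range(N0)]
    y = [b[i] ^ ((b[(i + 1) % N0] ^ 1) & b[(i + 2) % N0]) for i in range(N0)]
    return sum(bit << i for i, bit in enumerate(y))


CHI = [chi(x) for x in range(1 << N0)]
CHI_INV = [CHI.index(y) for y in range(1 << N0)]   # chi is a permutation


def degree(truth_table):
    """Algebraic degree of a Boolean function via the binary Moebius transform."""
    anf = list(truth_table)
    step = 1
    while step < len(anf):
        for i in range(len(anf)):
            if i & step:
                anf[i] ^= anf[i ^ step]
        step <<= 1
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)


def delta(sbox, n0=N0):
    """delta[k]: maximum degree of a product of k output coordinates."""
    result = {}
    for k in range(1, n0 + 1):
        best = 0
        for coords in combinations(range(n0), k):
            mask = sum(1 << c for c in coords)
            product = [int((y & mask) == mask) for y in sbox]
            best = max(best, degree(product))
        result[k] = best
    return result


def gamma(d, n0=N0):
    """gamma = max over 1 <= i <= n0 - 1 of (n0 - i) / (n0 - delta_i).

    For a permutation delta_i < n0 whenever i < n0, so no division by zero."""
    return max(Fraction(n0 - i, n0 - d[i]) for i in range(1, n0))


def degree_bounds(n, sbox_degree, g, rounds):
    """Upper bound on the degree after 1..rounds rounds.

    Each round keeps the smaller of the trivial bound (degree multiplied by
    the S-box degree) and the new bound n - (n - deg) / gamma, rounded down."""
    bounds, deg = [], 1
    for _ in range(rounds):
        deg = min(deg * sbox_degree, floor(n - Fraction(n - deg) / g))
        bounds.append(deg)
    return bounds


if __name__ == "__main__":
    d_fwd, d_inv = delta(CHI), delta(CHI_INV)
    fwd = degree_bounds(N, d_fwd[1], gamma(d_fwd), 16)
    inv = degree_bounds(N, d_inv[1], gamma(d_inv), 16)
    print("chi    delta:", d_fwd, "gamma:", gamma(d_fwd))
    print("chi^-1 delta:", d_inv, "gamma:", gamma(d_inv))
    for r, (a, b) in enumerate(zip(fwd, inv), start=1):
        print(f"{r:2d} {a:5d} {b:5d}")
```

`degree_bounds` is generic in the state size and $\gamma$, so the same call with a 512-bit state and $\gamma = 7$ covers an 8-bit Sbox of degree 7.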

Zero-Sum Partitions for the full Keccak-f (24 rounds)

Starting with any collection of 315 rows after the linear layer in the 12-th round, we get zero-sum partitions of size $2^{1575}$ for the full Keccak-f permutation.
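
Added example (not from the slides): the inside-out construction behind this slide on a constructed 16-bit toy permutation with six rounds, where the new bound gives degree at most 13 after three rounds in either direction, so every coset of a 14-dimensional subspace of middle states yields a zero-sum. The S-box table, the linear layer and all names are assumptions chosen for the toy; nothing here is Keccak-f.

```python
from functools import reduce
from operator import xor

N, N0, ROUNDS_EACH_WAY = 16, 4, 3
# Constructed toy S-box: any 4-bit permutation works for this demonstration.
SBOX = [13, 14, 0, 1, 5, 10, 7, 6, 11, 3, 9, 12, 15, 8, 2, 4]
SBOX_DEGREE = 3   # a 4-bit permutation and its inverse have degree at most 3


def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & ((1 << N) - 1)


def round_function(x):
    """Toy round (assumed design): four parallel S-boxes, then linear diffusion."""
    s = sum(SBOX[(x >> (N0 * i)) & 0xF] << (N0 * i) for i in range(N // N0))
    return s ^ rotl(s, 1) ^ rotl(s, 2)


# Tabulate one round and its inverse over the whole 16-bit state space.
FWD = [round_function(x) for x in range(1 << N)]
assert len(set(FWD)) == 1 << N, "round function must be a permutation"
INV = [0] * (1 << N)
for _x, _y in enumerate(FWD):
    INV[_y] = _x


def iterate(table, x, rounds):
    for _ in range(rounds):
        x = table[x]
    return x


def degree_bound(rounds):
    """Smaller of the trivial bound and the new bound with gamma = n0 - 1."""
    deg = 1
    for _ in range(rounds):
        new = N - -(-(N - deg) // (N0 - 1))     # n - ceil((n - deg) / gamma)
        deg = min(deg * SBOX_DEGREE, new)
    return deg


def zero_sum_partition(dim):
    """Cosets of the subspace spanned by the `dim` low bits of the middle
    state, pulled back to inputs and pushed forward to outputs of the
    six-round permutation. Returns one (inputs, outputs) pair per coset."""
    parts = []
    for coset in range(1 << (N - dim)):
        middle = [(coset << dim) | v for v in range(1 << dim)]
        inputs = [iterate(INV, m, ROUNDS_EACH_WAY) for m in middle]
        outputs = [iterate(FWD, m, ROUNDS_EACH_WAY) for m in middle]
        parts.append((inputs, outputs))
    return parts


def is_zero_sum(inputs, outputs):
    return reduce(xor, inputs) == 0 and reduce(xor, outputs) == 0


if __name__ == "__main__":
    dim = degree_bound(ROUNDS_EACH_WAY) + 1     # 14: one more than the degree
    parts = zero_sum_partition(dim)
    print(f"degree bound after {ROUNDS_EACH_WAY} rounds: {dim - 1}")
    print(f"{len(parts)} zero-sums of size 2^{dim}:",
          all(is_zero_sum(i, o) for i, o in parts))
```

With the trivial bound alone the degree estimate after three rounds would be 27, which exceeds the 16-bit state and gives no usable subspace; the new bound is what makes the 14-dimensional choice provably sufficient.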

Luffa [De Cannière, Sato and Watanabe 08]
- "Sponge-like" construction;
- Linear message injection function MI;
- Permutation $P$, split into $w$ parallel 256-bit permutations $Q_0, \ldots, Q_{w-1}$;
- $Q_j$: 8-round permutation. Every round is called a Step.

The Step function:
- SubCrumb: 64 parallel $4 \times 4$ Sboxes of degree 3;
- MixWord: linear layer mixing the 32-bit words two by two.

[Figure: The Step function]

Different Sbox for Luffa v1 and Luffa v2!

Bound on the degree of $Q_j$ for Luffa v1

For $r \le 5$, bound by Watanabe et al.

r    deg x^r
1    3
2    8
3    20
4    51
5    130
6    214
7    242
8    251

For $r \ge 6$, we apply
$$\deg(\mathrm{Step}^{r+1}) \le \frac{512 + \deg(\mathrm{Step}^{r})}{3}$$

Higher-order differentials for the Luffa v1 hash function
- Degree of the Luffa v1 hash function, applied to 256-bit messages, is at most 251.
- Distinguisher for full Luffa v1 with $2^{240}$ 1-block messages.
- Improvement of the previous attack applied to Luffa v1 reduced to 7 steps out of 8. [Watanabe et al. 10]

An observation on the Sbox of Luffa v2

$$y_0 = 1 + x_0 + x_1 + x_1x_2 + x_0x_3 + x_1x_3 + x_0x_1x_3 + x_0x_2x_3$$
$$y_1 = x_0 + x_3 + x_0x_1 + x_1x_2 + x_0x_3 + x_1x_3 + x_0x_1x_3 + x_0x_2x_3$$
$$y_2 = 1 + x_1 + x_3 + x_0x_2 + x_1x_2 + x_1x_3 + x_2x_3 + x_0x_1x_2 + x_0x_1x_3$$
$$y_3 = 1 + x_1 + x_2 + x_0x_3 + x_0x_2 + x_1x_2 + x_1x_3 + x_2x_3 + x_0x_1x_2 + x_0x_1x_3$$

$$d = y_0 + y_1 + y_2 + y_3 = 1 + x_1 + x_2 + x_0x_1 + x_0x_3$$

The sum of the four coordinates is of degree 2!

Algebraic degree of the $Q_j$ permutation

Sum of 2 distinct monomials of degree 3 in 4 variables $x_i, x_j, x_k, x_\ell$, where $d = x_i + x_j + x_k + x_\ell$:
$$\begin{aligned}
x_i x_j x_k + x_i x_j x_\ell &= x_i x_j x_k + x_i x_j (x_i + x_j + x_k + d) \\
&= x_i x_j x_k + x_i x_j + x_i x_j + x_i x_j x_k + x_i x_j d \\
&= x_i x_j d
\end{aligned}$$

$x_0^r, x_1^r, x_2^r, x_3^r$: output words of $r$ rounds of Step.
$d^r = x_0^r + x_1^r + x_2^r + x_3^r$.

Then,
$$\deg x_i^{r+1} \le 2 \max_j \deg x_j^r + \deg d^r$$
$$\deg d^{r+1} \le 2 \max_j \deg x_j^r$$

Upper bounds on the algebraic degree of $Q_j$ in Luffa v2

r    deg x^r   deg d^r
1    3         2
2    8         6
3    22        16
4    60        44
5    164       120
6    225       210
7    245       240
8    252       250

For $r \ge 6$, we apply
$$\deg(\mathrm{Step}^{r+1}) \le \frac{512 + \deg(\mathrm{Step}^{r})}{3}$$
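
Added example (not from the slides): a check of the Luffa v2 Sbox observation and of both Luffa degree tables, working directly on the algebraic normal forms listed above. It assumes that the smaller of the recurrence and the $(512 + \deg)/3$ bound is kept at every step, which reproduces the table; function names are illustrative.

```python
from functools import reduce


def poly(text):
    """Parse '1 + x0 + x1x2' into a set of monomial bitmasks (ANF over GF(2))."""
    terms = set()
    for term in text.replace(" ", "").split("+"):
        mask = 0 if term == "1" else sum(1 << int(v) for v in term.split("x")[1:])
        terms ^= {mask}          # adding the same monomial twice cancels it
    return terms


def add(*polys):
    return reduce(lambda p, q: p ^ q, polys, set())


def mul(p, q):
    """Product over GF(2) with x^2 = x: multiplying monomials ORs their masks."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}
    return out


def deg(p):
    return max((bin(m).count("1") for m in p), default=0)


def evaluate(p, x):
    return sum(1 for m in p if (m & x) == m) & 1


# Coordinates of the Luffa v2 Sbox exactly as listed on the slide.
Y = [
    poly("1 + x0 + x1 + x1x2 + x0x3 + x1x3 + x0x1x3 + x0x2x3"),
    poly("x0 + x3 + x0x1 + x1x2 + x0x3 + x1x3 + x0x1x3 + x0x2x3"),
    poly("1 + x1 + x3 + x0x2 + x1x2 + x1x3 + x2x3 + x0x1x2 + x0x1x3"),
    poly("1 + x1 + x2 + x0x3 + x0x2 + x1x2 + x1x3 + x2x3 + x0x1x2 + x0x1x3"),
]


def sbox_table():
    """Lookup table of the Sbox, with x0 and y0 as least significant bits."""
    return [sum(evaluate(y, x) << i for i, y in enumerate(Y)) for x in range(16)]


def luffa_v1_bounds(watanabe=(3, 8, 20, 51, 130), rounds=8):
    """Slide values for r <= 5, then the new bound (512 + deg) / 3 rounded down."""
    degs = list(watanabe)
    while len(degs) < rounds:
        degs.append((512 + degs[-1]) // 3)
    return degs


def luffa_v2_bounds(rounds=8):
    """Rows (r, deg x^r, deg d^r): recurrence from the slides, capped by the
    new bound (assumption: the smaller value is kept at every step)."""
    x, d = 3, 2                  # one Step: coordinates degree 3, their sum degree 2
    rows = [(1, x, d)]
    for r in range(2, rounds + 1):
        x, d = min(2 * x + d, (512 + x) // 3), min(2 * x, (512 + d) // 3)
        rows.append((r, x, d))
    return rows


if __name__ == "__main__":
    total = add(*Y)
    print("coordinate degrees:", [deg(y) for y in Y], "degree of sum:", deg(total))
    print("x0x1*(x0+x1+x2+x3) == x0x1x2 + x0x1x3:",
          mul(poly("x0x1"), poly("x0 + x1 + x2 + x3")) == poly("x0x1x2 + x0x1x3"))
    print("Luffa v1:", luffa_v1_bounds())
    for row in luffa_v2_bounds():
        print("Luffa v2:", row)
```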

Higher-order differential distinguishers for Luffa v2

Results
- Degree of the compression function at most 252.
- All-zero higher-order differentials for the full compression function.
- Not extendable to the hash function, because of the addition of a blank round for all the messages.

4. Conclusions

Application to Grøstl-256

Permutation $P$
- 512-bit state, seen as an $8 \times 8$ matrix.
- 10 rounds of AES-like transformations.
- AES Sbox of degree 7.

Round   deg(R^r)
1       7
2       49
3       343
4       487
5       508
6       511

Zero-sum partitions of size $2^{509}$.

Conclusions
- New bound on the degree of iterated permutations.
- Zero-sum distinguishers for the full Keccak-f permutation. (Contradiction of the so-called hermetic sponge strategy)
- All-zero higher-order differentials for the Luffa hash family.
- Application to AES-based candidates.

Thank you for your attention!