Section: New Results

Symmetric cryptology

Participants : Xavier Bonnetain, Christina Boura, Anne Canteaut, Pascale Charpin, Sébastien Duval, Gaëtan Leurent, María Naya Plasencia, Yann Rotella, Ferdinand Sibleyras, Tim Beyne, Mathilde de La Morinerie, André Schrottenloher.

• Analysis of linear invariant attacks [41], [54], [28], [29]: C. Beierle, A. Canteaut, G. Leander and Y. Rotella have studied SPN ciphers with a very simple key schedule, such as Prince . They introduce properties of the linear layer and of the round constants than can be used to prove that there are no nonlinear invariants.

• Analysis of the probability of differential characteristics for unkeyed constructions [19]: This work shows that the probabilities of some fixed-key differential characteristics are higher than expected when assuming independent S-Boxes. This leads to improved attacks against RoadRunneR and Minalpher.

• Design and study of a new construction for low-latency block ciphers, named reflection ciphers, which generalizes the so-called $\alpha$-reflection property exploited in Prince . This construction aims at reducing the implementation overhead of decryption on top of encryption [15].

• Modular construction of primitives with code-hardness, time-hardness or memory-hardness [42]. A. Biryukov and L. Perrin have introduced new definitions to formalize hardness, and constructions that are hard to compute for common users, but easy for users knowing a secret.

• Design of encryption schemes for efficient homomorphic-ciphertext compression: A. Canteaut, M. Naya-Plasencia together with their coauthors have investigated the constraints on the symmetric cipher imposed by this application and they have proposed some solutions based on additive IV-based stream ciphers [17].

• Boolean functions with restricted input: Y. Rotella, together with C. Carlet and P. Méaux, has introduced some new criteria on filtering Boolean functions, which measure the security of the recent stream cipher proposal FLIP. Indeed, in this context, the inputs of the filtering function are not uniformly distributed but have a fixed Hamming weight. Then, the main properties of filtering functions (e.g. nonlinearity, algebraic immunity...) have been revisited [20].

• Differential Equivalence of Sboxes: C. Boura, A. Canteaut and their co-authors have studied two notions of differential equivalence of Sboxes corresponding to the case when the functions have the same difference table, or when their difference tables have the same support [45]. They proved that these two notions do not coincide, and that they are invariant under some classical equivalence relations like EA and CCZ equivalence. They also proposed an algorithm for determining the whole equivalence class of a given function.

• A. Canteaut, S. Duval and L. Perrin proposed a construction of a new family of permutations over binary fields of dimension $(4k+2)$ with good cryptographic properties. An interesting property is that this family includes as a specific case the only known APN permutation of an even number of variables [55], [18].

• Construction of cryptographic permutations over finite fields with a sparse representation: P. Charpin, together with N. Cepak and E. Pasalic, exhibited permutations which are derived from sparse functions via linear translators [21].

• New methods for determining the differential spectrum of an Sbox: P. Charpin and G. Kyureghyan have proved that the whole differential spectrum of an Sbox can be determined without examining all derivatives of the mapping, but only the derivatives with respect to an element within a hyperplane [23]. Also, they have proved that, for mappings of a special shape, it is enough to consider the derivatives with respect to all elements within a suitable multiplicative subgroup of ${𝔽}_{2^n}$.

• Differential fault attack against LS-designs and SCREAM [52]: this attack generalized previous work on PRIDE to the class of LS-Designs.

• Use of block ciphers operating on small blocks with the CBC mode [31]: it is well-known that CBC is not secure if the same key is used for encrypting $2^{n/2}$ blocks of plaintext, but this threat has traditionally been dismissed as impractical, even for 64-bit blocks. K.  Bhargavan and G. Leurent demonstrated concrete attacks that exploit such short block ciphers in CBC mode.

• Use of block ciphers operating on small blocks with the CTR mode [77]: the security proof of the CTR mode also requires that no more than $2^{n/2}$ blocks are encrypted with the same key, but the known attacks reveal very little information and are considered even less problematic than on CBC. During his internship with G. Leurent, F. Sibleyras has studied concrete attacks against the CTR mode when processing close to $2^{n/2}$ blocks of data, and has shown that an attacker can actually extract as much information as in the case of CBC encryption.

• Improved generic attacks against hash-based MAC [25].

• Modes of operation for full disk encryption [51]: L. Khati, N. Mouha and D. Vergnaud have classified various FDE modes of operation according to their security in a setting where there is no space to store additional data, like an IV or a MAC value. They also introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted into different ciphertexts.