Abstract
Boolean functions and vectorial Boolean functions (S-boxes) are widely used cryptographic primitives for achieving cryptanalytic resistance of modern block or stream ciphers. From an information security standpoint, one of the most desirable characteristics a given S-box should possess is a high nonlinearity. In this paper, we project the nonlinearity optimization problem to the domain of binary integer programming. Then, we demonstrate how this interconnection could be successfully exploited by SAT solvers. The provided toolbox could serve in cases where the designer’s goal is to increase (or intentionally decrease) the nonlinearity of a given S-box by applying as few changes as possible. For example, we demonstrate how the Skipjack S-box, developed by the U.S. National Security Agency (NSA), and the Kuznyechik S-box, developed by the Russian Federation’s standardization agency, could be optimized to a higher nonlinearity by tweaking, respectively, just 4 and 12 bits (out of 2048). In the end, we show that bijective (8,8) S-boxes, the eight coordinates of which possess the currently known optimal nonlinearity value of 116, do exist.
Highlights
S-boxes are the main building blocks of the nonlinearity layer of modern block or stream ciphers, like AES [1], SNOW [2], TWOFISH [3], WHIRLPOOL [4], PICARO [5], PRINCE [6]
We find an interconnection between the S-box nonlinearity optimization problem and binary integer programming
We demonstrate the effectiveness of the proposed algorithm by increasing the nonlinearity of the Skipjack S-box, developed by the National Security Agency (NSA), and the Kuznyechik S-box, developed by the Russian Federation’s standardization agency, by tweaking respectively only 4 and 12 bits
Summary
S-boxes are the main building blocks of the nonlinearity layer of modern block or stream ciphers, like AES [1], SNOW [2], TWOFISH [3], WHIRLPOOL [4], PICARO [5], PRINCE [6]. An S-box with optimal or near-optimal nonlinearity value can be constructed by using the finite field inversion method as shown in [12]. Such an S-box would be closely related to an algebraic structure. The size of the search space of bijective S-boxes with dimension (n, n) is $2^n!$. For dimension (8, 8), which is a common choice among the majority of popular S-boxes, the size of the search space is approximately $2^{1684}$. Considering state-of-the-art optimization algorithms [13][14][15][16][17], the Walsh-Hadamard transform matrix elements are regularly collected during each iteration. Such calculations add significant overhead to the optimization routine.
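As an added illustration (not code from the paper), the following Python sketch builds the finite-field inversion S-box over GF(2^8), computes its nonlinearity from the Walsh-Hadamard spectrum of every nonzero component function, and evaluates the size of the (8, 8) search space. The reduction polynomial 0x11B (the AES one) and all function names are assumptions made for this example.

```python
import math

def gf256_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8); 0x11B (the AES polynomial) is an assumed choice."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def inversion_sbox():
    """S(x) = x^254 = x^-1 in GF(2^8), with S(0) = 0."""
    sbox = []
    for x in range(256):
        y = 1
        for _ in range(254):
            y = gf256_mul(y, x)
        sbox.append(y)
    return sbox

def walsh_spectrum(truth_table):
    """Fast Walsh-Hadamard transform of a 0/1 truth table (length 2^n)."""
    w = [1 - 2 * bit for bit in truth_table]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(sbox, n=8):
    """2^(n-1) - max|W|/2, taken over all 2^n - 1 nonzero component functions."""
    worst = 0
    for mask in range(1, 1 << n):
        component = [bin(mask & y).count("1") & 1 for y in sbox]
        worst = max(worst, max(abs(v) for v in walsh_spectrum(component)))
    return (1 << (n - 1)) - worst // 2

def search_space_bits(n=8):
    """log2 of (2^n)!, the number of bijective (n, n) S-boxes."""
    return math.log2(math.factorial(1 << n))

if __name__ == "__main__":
    s = inversion_sbox()
    print(sorted(s) == list(range(256)), nonlinearity(s), search_space_bits())
```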