Abstract

Higher order differentiation was introduced in a cryptographic context by Lai. Several attacks can be viewed in the context of higher order differentiations, amongst them the cube attack of Dinur and Shamir and the AIDA attack of Vielhaber. All of the above have been developed for the binary case. We examine differentiation in larger fields, starting with the field GF(p) of integers modulo a prime p, and apply these techniques to generalising the cube attack to GF(p). The crucial difference is that now the degree in each variable can be higher than one, and our proposed attack will differentiate several times with respect to each variable (unlike the classical cube attack and its larger field version described by Dinur and Shamir, both of which differentiate at most once with respect to each variable). Connections to the Moebius/Reed Muller Transform over GF(p) are also examined. Finally we describe differentiation over finite fields GF(p^s) with p^s elements and show that it can be reduced to differentiation over GF(p), so a cube attack over GF(p^s) would be equivalent to cube attacks over GF(p).
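Added worked equation (not taken from the paper; the derivative notation D_a and the unit vectors e_i are assumed here and may differ from the paper's own). For f : GF(p)^n -> GF(p) and a in GF(p)^n, the discrete derivative in direction a is D_a f(x) = f(x + a) - f(x). Iterating it d times along the unit vector e_i of variable x_i gives

$$
D_{e_i}^{d} f(x) \;=\; \sum_{j=0}^{d} (-1)^{\,d-j} \binom{d}{j}\, f(x + j e_i).
$$

Applied to a monomial $x_i^{m}\, g(x')$, where $x'$ collects the remaining variables, the result is $0$ if $m < d$ and $d!\, g(x')$ if $m = d$; since the degree of a reduced polynomial function over GF(p) in each variable is at most $p-1$, $d \le p-1$ and $d! \neq 0$ in GF(p). Each application therefore lowers the degree in $x_i$ by one, so for a set $I$ of public variables with multiplicities $d_i$ the function

$$
f_I(k) \;=\; \Big(\prod_{i \in I} D_{e_i}^{d_i}\Big) f\,(0, k)
$$

has total degree at most $\deg f - \sum_{i \in I} d_i$ in the secret variables $k$. Taking every $d_i = 1$ recovers the classical cube sum over $\{0,1\}^I$; allowing $d_i > 1$ is what lets the attack reach a linear $f_I$ when some public variables occur with degree above one.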

Highlights

  • The main motivation for this work was to generalise the cube attack of Dinur and Shamir [5], and the AIDA attack of Vielhaber [21], from the binary field to arbitrary finite fields

  • Higher order derivatives were introduced in a cryptographic context by Lai [16]

  • Lai [16] reformulated differential cryptanalysis in terms of higher order derivatives; the cube attack of Dinur and Shamir [5] and the related AIDA attack of Vielhaber [21] have been reformulated in the same terms by Knellwolf and Meier [14] and by Duan and Lai [7]


Summary

Ana Salagean

The main motivation for this work was to generalise the cube attack of Dinur and Shamir [5], and the AIDA attack of Vielhaber [21], from the binary field to arbitrary finite fields. The attacks hope that for suitable choices of subsets I of public variables, the resulting f_I is linear in the secret variables (for the cube attack), or equal to a single secret variable or the sum of two secret variables (for the AIDA attack). This situation is likely when the cardinality k of I is just marginally lower than the total degree of the function, since the degree decreases by k in general and occasionally by slightly more than k. In GF(p), probabilistic linearity testing needs a smaller expected number of tests than in GF(2), see [13]. We implemented this algorithm and give some concrete examples of functions where it is much more successful than a binary cube attack. We feel that developing a cube attack in GF(p^s), while possible, brings no additional advantage compared to a cube attack in GF(p).
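As an added worked example (not code from the paper; the prime p = 7, the toy target polynomial toy_f, the secret key values and all helper names are constructed for illustration), the following Python implements the higher order derivative over GF(p) described in the abstract and the attack loop described in this summary: pick a subset I of public variables with a multiplicity per variable, evaluate the mixed derivative at the all-zero public point as a black box in the key, run a probabilistic affine-ness test over GF(p), and if it passes read off the constant and the linear coefficients from evaluations at 0 and at the unit vectors. The toy target has degree 2 in x1, so differentiating once per variable (the {0,1}^I cube sum) leaves a quadratic term k1*k2 in f_I, while differentiating twice in x1 and once in x2 isolates 2*(3*k1 + 2*k3 + 1), which is affine in the key.

```python
"""Generalised cube attack over GF(p): differentiate several times per variable.
Constructed example; p, the target polynomial and the key are illustrative."""
from itertools import product
from math import comb
import random

P = 7  # assumed prime; must exceed the degree of f in every chosen variable


def difference_weights(d):
    """Weights of the d-th forward difference with step 1, reduced mod P:
    (D^d f)(x) = sum_j (-1)^(d-j) * C(d, j) * f(x + j)."""
    return [((-1) ** (d - j) * comb(d, j)) % P for j in range(d + 1)]


def higher_order_derivative(f, orders, n_pub, key):
    """Mixed derivative of f, taken orders[i] times w.r.t. public variable i,
    evaluated at the all-zero public point for one fixed key.
    orders = {var_index: multiplicity}; all multiplicities equal to 1 gives
    the classical cube sum over {0,1}^I."""
    idx = sorted(orders)
    weights = [difference_weights(orders[i]) for i in idx]
    total = 0
    for js in product(*[range(orders[i] + 1) for i in idx]):
        x = [0] * n_pub
        w = 1
        for i, j, ws in zip(idx, js, weights):
            x[i] = j
            w = w * ws[j] % P
        total = (total + w * f(x, key)) % P
    return total


def is_affine(g, n_key, trials, rng):
    """Probabilistic affine-ness test over GF(p): g(a+b) = g(a) + g(b) - g(0)
    must hold for random a, b if g is affine in the key."""
    g0 = g([0] * n_key)
    for _ in range(trials):
        a = [rng.randrange(P) for _ in range(n_key)]
        b = [rng.randrange(P) for _ in range(n_key)]
        ab = [(u + v) % P for u, v in zip(a, b)]
        if (g(ab) - g(a) - g(b) + g0) % P:
            return False
    return True


def cube_attack(f, orders, n_pub, n_key, trials=30, seed=0):
    """Return (constant, [coeff_1, ..., coeff_n_key]) describing f_I(k) when the
    derivative is (with high probability) affine in the key, else None."""
    rng = random.Random(seed)
    g = lambda k: higher_order_derivative(f, orders, n_pub, k)
    if not is_affine(g, n_key, trials, rng):
        return None
    g0 = g([0] * n_key)
    coeffs = []
    for j in range(n_key):
        e = [0] * n_key
        e[j] = 1
        coeffs.append((g(e) - g0) % P)
    return g0, coeffs


# Constructed toy target: public x = (x1, x2), secret k = (k1, k2, k3).
# It has degree 2 in x1 and degree 2 in x2; the x1^2 * x2 monomials carry the
# key-linear part we want to isolate.
def toy_f(x, k):
    x1, x2 = x
    k1, k2, k3 = k
    return (3 * x1 * x1 * x2 * k1 + 2 * x1 * x1 * x2 * k3 + x1 * x1 * x2
            + x1 * x2 * k1 * k2 + x2 * x2 * k2 + x1 * k1 * k2 * k3
            + k1 * k3 + 5) % P


if __name__ == "__main__":
    # Once per variable: f_I = 3k1 + 2k3 + 1 + k1*k2, not affine -> None
    print(cube_attack(toy_f, {0: 1, 1: 1}, 2, 3))
    # Twice in x1, once in x2: f_I = 6k1 + 4k3 + 2 (mod 7) -> (2, [6, 0, 4])
    print(cube_attack(toy_f, {0: 2, 1: 1}, 2, 3))
```

In a real attack toy_f would be the cipher evaluated as a black box, the public variables would be chosen plaintext or IV positions, and each affine f_I found this way yields one linear equation in the secret key; the multiplicities are what distinguish this from the once-per-variable cube sum, which on this target never becomes affine.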

Preliminaries
Connection to the Moebius transform
Conclusion
