Abstract

We discuss some applications of the theory of algebraic curves to the study of S-boxes in symmetric cryptography.

0. Introduction

A symmetric block cipher usually consists of several iterations (rounds) of the following operations on the input message: an $\mathbb{F}_2$-linear transformation (to "mix the bits"), a nonlinear map (consisting of one or several S-boxes) and the $\mathbb{F}_2$-addition of part of the key. For our purposes an S-box is simply a map $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$. Two well-known attacks on such ciphers, differential and linear cryptanalysis, exploit situations in which an S-box is "close to $\mathbb{F}_2$-linear". There are two corresponding measures of nonlinearity for S-boxes, which we define below. These are closely related (see [CV]).

For a function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ we define

$$\delta(f) = \max_{\alpha \neq 0,\, \beta} \#\{x \in \mathbb{F}_{2^n} \mid f(x+\alpha) - f(x) = \beta\}$$

For any $f$, $\delta(f)$ is a positive even integer and if $f$ is a polynomial of degree $m$ then $\delta(f) \leq m - 1$ unless $f$ is an additive polynomial plus a constant. To defend against differential cryptanalysis one needs $\delta(f)$ to be small. A function $f$ is said to be almost perfectly nonlinear (APN) if $\delta(f) = 2$. In this paper we will study the behaviour of $\delta(f)$ for polynomials $f$.

For a function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ we define

$$\lambda(f) = \max_{\alpha \neq 0,\, \beta} \left| \#\{x \in \mathbb{F}_{2^n} \mid \mathrm{Tr}(\alpha f(x) + \beta x) = 0\} - 2^{n-1} \right|$$

For any $f$, $\lambda(f) \geq 2^{(n-1)/2}$ and if $f$ is a polynomial of degree $m$ which is not an additive polynomial plus a constant then $\lambda(f) \leq (m-1)2^{(n-1)/2}$. To defend against linear cryptanalysis one needs $\lambda(f)$ to be small. The function $f$ is said to be almost bent if $\lambda(f) = 2^{(n-1)/2}$. We will not discuss $\lambda$ in this paper.
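For small n, both measures defined above can be evaluated by exhaustive search, which is how a candidate S-box is usually checked in practice. The following Python code is an added example, not code from the paper; the function names and the field-defining polynomials in `IRRED` are assumptions of the example.

```python
# Added example: brute-force delta(f) and lambda(f) for power maps x -> x^e on F_{2^n}.
# Field elements are ints (bit i = coefficient of t^i). The reduction polynomials
# below are choices made for this example, not taken from the paper.
IRRED = {4: 0b10011, 5: 0b100101, 8: 0x11B}  # t^4+t+1, t^5+t^2+1, t^8+t^4+t^3+t+1

def gf_mul(a, b, n):
    """Multiply in F_2[t]/(IRRED[n]) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce
            a ^= IRRED[n]
    return r

def power_table(e, n):
    """Lookup table of f(x) = x^e over F_{2^n} (square-and-multiply)."""
    def gf_pow(x, k):
        r = 1
        while k:
            if k & 1:
                r = gf_mul(r, x, n)
            x, k = gf_mul(x, x, n), k >> 1
        return r
    return [gf_pow(x, e) for x in range(1 << n)]

def delta(table):
    """max over alpha != 0, beta of #{x : f(x+alpha) - f(x) = beta}; +/- are XOR."""
    q, best = len(table), 0
    for a in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[table[x ^ a] ^ table[x]] += 1
        best = max(best, max(counts))
    return best

def trace(x, n):
    """Absolute trace Tr(x) = x + x^2 + ... + x^(2^(n-1)), an element of {0, 1}."""
    t = 0
    for _ in range(n):
        t, x = t ^ x, gf_mul(x, x, n)
    return t

def lam(table, n):
    """max over alpha != 0, beta of |#{x : Tr(alpha f(x) + beta x) = 0} - 2^(n-1)|."""
    q = len(table)
    tr = [trace(x, n) for x in range(q)]
    return max(abs(sum(tr[gf_mul(a, table[x], n) ^ gf_mul(b, x, n)] == 0
                       for x in range(q)) - q // 2)
               for a in range(1, q) for b in range(q))
```

With n = 5, `delta(power_table(3, 5))` is 2 (APN) and `lam(power_table(3, 5), 5)` is 4, which equals 2^((n-1)/2) (almost bent). The additive polynomial x^2 over F_{2^4} gives δ = 16, the excluded case in the degree bound.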
