Di®erentially 4-Uniform Bijections by Permuting the Inverse Function Deng Tang1;2 Claude Carlet2 Xiaohu Tang1 Abstract Block ciphers use Substitution boxes (S-boxes) to create confusion into the cryp- tosystems. Functions used as S-boxes should have low di®erential uniformity, high nonlinearity and algebraic degree larger than 3 (preferably strictly larger). They should be fastly computable; from this viewpoint, it is better when they are in even number of variables. In addition, the functions should be bijections in a Substitution-Permutation Network. Almost perfect nonlinear (APN) functions have the lowest di®erential uni- formity 2 and the existence of APN bijections over F2n for even n ¸ 8 is a big open problem. In the present paper, we focus on constructing di®erentially 4-uniform bijec- tions suitable for designing S-boxes for block ciphers. Based on the idea of permuting the inverse function, we design a construction providing a large number of di®erentially 4-uniform bijections with maximum algebraic degree and high nonlinearity. For every even n ¸ 12, we mathematically prove that the functions in a subclass of the con- structed class are CCZ-inequivalent to known di®erentially 4-uniform power functions and to quadratic functions. This is the ¯rst mathematical proof that an in¯nite class of di®erentially 4-uniform bijections is CCZ-inequivalent to known di®erentially 4-uniform power functions and to quadratic functions. We also get a general lower bound on the nonlinearity of our functions, which can be very high in some cases, and obtain three improved lower bounds on the nonlinearity for three special subcases of functions which are extremely large. Keywords: block cipher, substitution box, di®erentially 4-uniform bijection, CCZ- equivalence, nonlinearity. 1Provincial Key Lab of Information Coding and Transmission, Institute of Mobile Communications, Southwest Jiaotong University, Chengdu, 610031, China. 2LAGA, Universities of Paris 8 and Paris 13; CNRS, UMR 7539. Address: University of Paris 8, Depart- ment of Mathematics, 2 rue de la libert¶e,93526 Saint-Denis cedex 02, France. Email: [email protected] (D. Tang), [email protected] (C. Carlet), [email protected] (X. Tang) 1 1 Introduction The generally accepted design principles for block ciphers and stream ciphers are con- fusion and di®usion; they were introduced by Shannon in [12]. Confusion means making the relation between the ciphertext and the plaintext as complex as possible for the at- tacker and di®usion is the spreading out of the influence of one or several arbitrary bits of the plaintext or/and of the key over the output bits. In block ciphers, the confusion property is provided by Substitution boxes (S-boxes) with good cryptographic properties and the di®usion is created by (generally) linear transformations with large branch number (related to codes of large minimum distance). In addition, S-boxes must be bijective in Substitution-Permutation Networks (like the Advanced Encryption Standard, AES). In the present paper, we concentrate on the design of bijective S-boxes. An S-box with n input bits and m output bits is a multiple-output Boolean function which is often called an (n; m)-function or (if the values n and m are omitted) a vectorial Boolean function. The S-boxes used in cryptosystems should satisfy all relevant design criteria simultaneously in order to be resistant against the known attacks and, hopefully, against some attacks which may exist but are not yet e±cient and might be improved in the future. Linear cryptanalysis is a known-plaintext attack based on the existence of linear relations satis¯ed with a probability signi¯cantly di®erent from 1/2, relating the plaintext bits, the ciphertext bits and the key bits. To contribute to resisting linear cryptanalysis [10], S-boxes used in cryptosystems should have high nonlinearity. The di®erential attack, developed by Biham and Shamir [1], is a chosen-plaintext attack that exploits the correlation between the input and output di®erences of a pair of plaintext blocks through the network of transformations with same key. The di®erential attack has a substantial impact on the design of block encryption algorithms. After this attack was invented, Nyberg [11] proposed the concept of di®erential ±-uniformity (see De¯nition 1 below), for measuring the ability of a given function to contribute to resisting this attack. For a given (n; m)-function G, the value of ± should be as small as possible. It is well-known that the smallest possible value of ± is 2 when n = m; the functions achieving this value are called almost perfect nonlinear (APN). Furthermore, functions used as S-boxes should have algebraic degree as high as possible, or at least not low, to resist the higher order di®erential attack [8] introduced by Knudsen. The algebraic degree of 2 is very weak but a degree of 3 seems not enough and a degree at least 4 is safer. In addition, functions would better have high graph algebraic immunity to resist the algebraic attacks (this attack is not yet e±cient but we must consider the possibility it becomes e±cient in the future). Moreover, we need the S-boxes to be e±ciently computable, which in software is easier if the number n of input bits is even; in fact, the best is to take n equal to a power of 2, since this allows decomposing optimally the computation of the output in F2n into computations in sub¯elds. In hardware, n does not need to be a power of 2, but we like in general the cryptosystems to be e±ciently 2 implementable in both hardware and software (which is also more convenient for the design of the whole cipher); for instance the number of input and output bits of the S-boxes of the AES is 8. Up to now, there is only one sporadic example of APN bijection for n = 6, found in [3] and it is a big open problem to know whether there exist APN bijections over F2n for even n ¸ 8. So, for resisting di®erential attacks in even dimensions, we need to choose di®erentially 4-uniform bijections as S-boxes when n is even. Di®erential 4-uniformity is not optimal but it can withstand di®erential attacks in an e±cient way. For example, the AES uses a di®erentially 4-uniform bijection with 8 input bits. By now, only a few classes of di®erentially 4-uniform bijections in even dimensions have been found, some of them are listed in [5, 14]. We list all known APN bijections and di®erentially 4-uniform bijections in even dimensions below for the convenience of the reader. Clearly, the functions xd and x2id are a±ne equivalent for every i, so we only list one value of d for each cyclotomic coset of 2 mod 2n ¡ 1. Besides, any bijection is CCZ-equivalent (see de¯nition in Section 2) to its compositional inverse, so we also omit d¡1 when d is co-prime with 2n ¡ 1. ² There is only one example of APN bijection on 6 variables, given by J. Dillon [3] (the problem of ¯nding an example of APN bijections in even number of variables had been open for ten years). But it is CCZ-equivalent to a quadratic function, which may be vulnerable by the higher order di®erential attack, and its expression is complex, which leads to ine±cient implementation in both hardware and software. ² The inverse function x2n¡2 is bijective and is di®erentially 4-uniform when n is even [11]; it is used as the S-box of the AES with n = 8. This class of functions has best known nonlinearity 2n¡1 ¡2n=2 and has maximum algebraic degree n¡1. But it is the worst possible with respect to algebraic attacks since if we denote y = x¡1 then we have the bilinear relation x2y = x. As mentioned above, though the algebraic attacks are not yet e±cient, they represent a threat. A possible way to repair this weakness will be to compose the inverse function with a simple permutation, see below. ² The Gold functions x2i+1 such that gcd(i; n) = 2 are di®erentially 4-uniform. Some- times, functions in this class are bijective since gcd(2i + 1; 2n ¡ 1) divides gcd(22i ¡ 1; 2n ¡ 1) = 2gcd(2i;n) ¡ 1; hence if n ´ 2 [mod 4], the function is bijective, but n is not a power of 2 and more problematically this class of functions is quadratic and can not be used as S-box. ² The Kasami functions x22i¡2i+1 such that n ´ 2 [mod 4] and gcd(i; n) = 2 are di®erentially 4-uniform. Sometimes, functions in this class are bijective as well. This class of functions never reaches the maximum algebraic degree n ¡ 1 (but this may not be a problem). More problematically, it is related to quadratic functions when it 2i i 23i+1 i n is bijective, since 2 ¡ 2 + 1 = 2i+1 , 2 + 1 is co-prime with 2 ¡ 1 when n ´ 2 [mod ¡1 4] and gcd(i; n) = 2; this implies that it has the form F (x) = Q1(x)Q2 (x) where Q1 3 and Q2 are quadratic permutations. Maybe this could be used in an extended higher order di®erential attack. So this function, which is clearly the most interesting power function to be used as S-box, would represent some risk. ² The function x2n=2+n=4+1 is di®erentially 4-uniform [2] and has best known nonlinearity 2n¡1 ¡ 2n=2 as well.