Flaws of hypercube-like ciphers
Prikladnaâ diskretnaâ matematika, no. 3 (2022), pp. 52-66

See the article record from the source Math-Net.Ru

A class of block XSLP cryptographic algorithms called “hypercube” is considered. These algorithms have a block size of ${n=n' \cdot m = n' \cdot m' \cdot k}$ bits. A hypercube-like algorithm is an iterative block algorithm consisting of four main operations: (1) key addition (by XOR), (2) application of an $n'$-bit S-box, (3) multiplication by a block-diagonal diffusion matrix $\mathrm{diag}\,(A_1,\ldots,A_k)$, $A_i \in \text{GF}(2)_{n'm',n'm'}$, with diffusion degree $\rho$, and (4) permutation. The main results are the following: 1) the idea of constructing linear correlations and probabilities of distribution of differences, determined by hypercube-like algorithms, has been described; 2) the linear environment propagation index for any number of rounds has been evaluated; 3) the relevance of the branch number $\theta(r)$ for the probability of differential trails and the correlation of linear trails for any $r \in \mathbb{N}$, $r\geq 2$, rounds has been formally represented; 4) for hypercube-like algorithms, it is shown that when a $\mathrm{P}$-transform is constructed using de Bruijn graphs, the avalanche effect may not occur, which means that the (time) complexity of determining the encryption key will be much less than the (time) complexity of exhaustive key search.

Let $n=n' (m')^d$ and let $\mathrm{P}:V_n \to V_n$ act on $a=(a_0, \ldots, a_{m-1}) \in V_{n}$, $a_i \in V_{n'}$, as follows. The numbers $l \in \{ 0, \ldots, (m')^d-1 \}$ of $a_l \in V_{n'}$ in $a \in V_n$ are written as $l= j_0 + j_1 m' + \ldots + j_{d-1} (m')^{d-1}$, $j_t = 0,\ldots,m'-1$, $t=0,\ldots,d-1$. Let the mapping $\mathrm{P}$ be defined as $\mathrm{P}(a)=\mathrm{P}(a_0, \ldots, a_{(m')^d-1})= (a_{\tau(0)}, \ldots, a_{\tau((m')^d-1)})$, $\tau \in S_{(m')^d}$, $\tau(l)= \tau(j_0,\ldots,j_{d-1})$, $l=1,\ldots,(m')^d$.

In the case $d=3$ it is obtained that if $\mathrm{P}$ is a rotation of the hypercube, i.e., $\tau(j_0,j_{1},j_2)= (j_1,j_2,j_0)$, then $\theta(r) \leq t(r)$, $t(1) = m'$, $t(r) = ((m')^2 + m') \left[ {r}/{2} \right] + m' (r \bmod{2})$, $r\geq2$. In the case $\tau(i_0,i_1,i_2)= (i_0, i_1+i_0\bmod{m'},i_2+i_0\bmod{m'})$ we obtain $\theta(r) = \theta(r-4) + \rho^2$, $\theta(1) = 1$, $\theta(2) = \rho$, $\theta(3) = 2\rho -1$, $r\in \mathbb{N}$, $r>4$.
Keywords: XSLP-ciphers, cryptanalysis, linear method, branch numbers, hypercube structure.
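As an added illustration (not code from the article), the Python sketch below builds the two index maps $\tau$ given in the abstract for $d=3$, checks that each is a permutation of the $(m')^3$ word indices, applies $\mathrm{P}$, and tabulates $t(r)$. It assumes that the tuple returned by $\tau$ is read back as digits in the same base-$m'$ order and that $[r/2]$ denotes the integer part; the toy size $m'=3$ and the input words are constructed.

```python
def digits(l, m, d):
    """Index l -> base-m digits (j_0, ..., j_{d-1}), least significant first."""
    return tuple((l // m**t) % m for t in range(d))

def index(js, m):
    """Digits (j_0, ..., j_{d-1}) -> l = j_0 + j_1*m + ... + j_{d-1}*m^(d-1)."""
    return sum(j * m**t for t, j in enumerate(js))

def rotation(j, m):
    """tau(j0, j1, j2) = (j1, j2, j0): rotation of the hypercube (d = 3)."""
    return (j[1], j[2], j[0])

def shear(j, m):
    """tau(i0, i1, i2) = (i0, i1 + i0 mod m', i2 + i0 mod m')."""
    return (j[0], (j[1] + j[0]) % m, (j[2] + j[0]) % m)

def tau_table(tau, m, d=3):
    """Tabulate tau on word indices and check that it is a permutation."""
    # Assumption: tau's output tuple is recomposed with the same digit order.
    table = [index(tau(digits(l, m, d), m), m) for l in range(m**d)]
    if sorted(table) != list(range(m**d)):
        raise ValueError("tau is not a permutation of the word indices")
    return table

def apply_P(a, table):
    """P(a) = (a_tau(0), ..., a_tau(N-1)): output word l is input word tau(l)."""
    return [a[t] for t in table]

def t_bound(r, m):
    """t(r) from the abstract, reading [r/2] as floor(r/2) (assumption)."""
    return m if r == 1 else (m * m + m) * (r // 2) + m * (r % 2)

if __name__ == "__main__":
    m = 3                        # constructed toy size: m' = 3, so 27 words
    words = list(range(m**3))    # constructed input: word l carries the label l
    for name, tau in (("rotation", rotation), ("shear", shear)):
        print(name, apply_P(words, tau_table(tau, m))[:9])
    print("t(r), r = 1..6:", [t_bound(r, m) for r in range(1, 7)])
```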
@article{PDM_2022_3_a3,
     author = {D. I. Trifonov},
     title = {Flaws of hypercube-like ciphers},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {52--66},
     publisher = {mathdoc},
     number = {3},
     year = {2022},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2022_3_a3/}
}
D. I. Trifonov. Flaws of hypercube-like ciphers. Prikladnaâ diskretnaâ matematika, no. 3 (2022), pp. 52-66. http://geodesic.mathdoc.fr/item/PDM_2022_3_a3/