Affine Equivalent

The Experts below are selected from a list of 7959 Experts worldwide ranked by ideXlab platform

Sumanta Sarkar – One of the best experts on this subject based on the ideXlab platform.

• On the Relationship between Resilient Boolean Functions and Linear Branch Number of S-boxes
International Conference on Cryptology in India, 2019
Co-Authors: Sumanta Sarkar, Kalikinkar Mandal, Dhiman Saha

Abstract:

Differential branch number and linear branch number are critical for the security of symmetric ciphers. The recent trend in designs like the PRESENT block cipher and ASCON authenticated encryption shows that applying S-boxes that have nontrivial differential and linear branch number can significantly reduce the number of rounds. As we see in the literature, the class of $$4\times 4$$ S-boxes has been well analysed; however, little is known about the $$n \times n$$ S-boxes for $$n \ge 5$$. For instance, the complete classification of $$5 \times 5$$ affine equivalent S-boxes is still unknown. Therefore, it is challenging to obtain “the best” S-boxes with dimension $$\ge 5$$ that can be used in symmetric cipher designs. In this article, we present a novel approach to construct S-boxes that identifies classes of $$n \times n$$ S-boxes ($$n = 5, 6$$) with differential branch number 3 and linear branch number 3, and ensures other cryptographic properties. To the best of our knowledge, we are the first to report $$6\times 6$$ S-boxes with linear branch number 3, differential branch number 3, and with other good cryptographic properties such as nonlinearity 24 and differential uniformity 4.

• Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
International Conference on Cryptology in India, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty

Abstract:

From the first principle, we concentrate on the Differential Power Analysis (DPA) in the Hamming weight model. Based on the power-related data of an $$(n, n)$$ permutation S-box, we propose a spectrum (we call it Relative Power Spectrum, RPS in short) at $$2^n$$ points, each providing a vector containing $$n$$ coordinates. Each coordinate contains the data related to single-bit DPA, and taking them together we provide relevant results in the domain of multi-bit DPA. For two affine equivalent $$(n,n)$$ permutation S-boxes $$F$$ and $$G$$, such that $$G(x) = F(Ax \oplus b)$$, where $$A$$ is a linear permutation (nonsingular binary matrix) and $$b$$ is an $$n$$-bit vector, the RPSs of $$F$$ and $$G$$ are permutations of each other. However, this is not true in general when $$F$$ and $$G$$ are affine or extended affine equivalent, i.e., $$G(x) = B(F(Ax \oplus b)) \oplus L(x) \oplus c$$, where $$B$$ is a linear permutation, $$L$$ is a linear mapping, and $$c$$ is an $$n$$-bit vector. In such a case, the RPSs of $$F$$ and $$G$$ may not be related by permutation and may contain completely different vectors. We provide the effect of this in terms of DPA both in noise-free and noisy scenarios. Our results guide the designer to choose one S-box among all those in the same (extended) affine equivalence class when DPA in the Hamming weight model is considered. This is an instance where cryptographic advantage is attained by applying (extended) affine equivalence. For example, we provide a family of S-boxes that should replace the $$(4, 4)$$ S-boxes proposed in relation to the PRINCE block cipher.

• INDOCRYPT – Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
Progress in Cryptology — INDOCRYPT 2014, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty


Kaushik Chakraborty – One of the best experts on this subject based on the ideXlab platform.

• Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
International Conference on Cryptology in India, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty


• INDOCRYPT – Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
Progress in Cryptology — INDOCRYPT 2014, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty


Subhamoy Maitra – One of the best experts on this subject based on the ideXlab platform.

• Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
International Conference on Cryptology in India, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty


• INDOCRYPT – Differential Power Analysis in Hamming Weight Model: How to Choose among (Extended) Affine Equivalent S-boxes
Progress in Cryptology — INDOCRYPT 2014, 2014
Co-Authors: Sumanta Sarkar, Subhamoy Maitra, Kaushik Chakraborty


• On Affine (non)equivalence of Boolean functions
Computing, 2009
Co-Authors: Sugata Gangopadhyay, Sumanta Sarkar, Deepmala Sharma, Subhamoy Maitra

Abstract:

In this paper we construct a multiset $$S(f)$$ of a Boolean function $$f$$ consisting of the weights of the second derivatives of the function $$f$$ with respect to all distinct two-dimensional subspaces of the domain. We refer to $$S(f)$$ as the second derivative spectrum of $$f$$. The frequency distribution of the weights of these second derivatives is referred to as the weight distribution of the second derivative spectrum. It is demonstrated in this paper that this weight distribution can be used to distinguish affine nonequivalent Boolean functions. Given a Boolean function $$f$$ on $$n$$ variables we present an efficient algorithm having $$O(n 2^{2n})$$ time complexity to compute $$S(f)$$. Using this weight distribution we show that all the 6-variable affine nonequivalent bents can be distinguished. We study the subclass of partial-spreads type bent functions known as $$PS_{ap}$$ type bents. Six different weight distributions are obtained from the set of $$PS_{ap}$$ bents on 8 variables. Using the second derivative spectrum we show that there exist 6 and 8 variable bent functions which are not affine equivalent to rotation symmetric bent functions. Lastly we prove that no non-quadratic Kasami bent function is affine equivalent to Maiorana–MacFarland type bent functions.