CC BY
6
2. Conclusion and Future Work
In this work, we have presented a new algorithmic-algebraic scheme based in the Lai — Massey structure for constructing permutations of dimension n = 2k, k ^ 2. For the common case k = 8, we have obtained new cryptographically strong 8-bit permutations having better resistance to algebraic attacks in comparison with the inversion function in GF(28) which so far has the best-known values for nonlinearity and differential uniformity. Compared to the best nonlinearity (108, for k = 4) offered by the construction presented in [6] and later generalized in [7], the nonlinearity for the permutations obtained by our scheme slightly decrease up to 104, but to the best of our knowledge the schemes presented in [6, 7] can not produce involutions and orthomorphisms with strong cryptographic properties, so we can conclude that the new structure presented in this work is more powerful and attractive due to the diversity of permutations that can be constructed. Interestingly, the involutions and orthomorphisms founded in this work have comparable classical cryptographic properties like those constructed by using spectral-linear and spectral-difference methods [8]. The main advantage of our 8-bit permutations is that they can be constructed using smaller 4-bit components which could be useful for the implementation of the S-Box in hardware or using a bit-sliced approach. We only presented a new scheme that can help to find permutations, involutions and orthomophisms with rather good cryptographic properties. There are several questions (theoretical results, hardware and bit-sliced implementations, efficient methods of masking) about the construction suggested in this work which are left as future work.
REFERENCES
1. http://www.sagemath.org. Sage Mathematics Software (Version 8.1). 2018.
2. Vaudenay S. and Junod P. Fox, a New Family of Block Ciphers. http://crypto.junod.info/ sac04a.pdf. 2004.
3. Feng D., Feng X., Zhang W., et al. Loiss: a byte oriented stream cipher. LNCS, 2011, vol. 6639, pp.109-125.
4. Gligoroski D., Odegard R. S., Mihova M., et al. Cryptographic hash function Edon-R. Proc. IWSCN, Trondheim, 2009, pp. 1-9.
5. Gilboa Sh. and Gueron Sh. Balanced Permutations Even-Mansour Ciphers. Cryptology ePrint Archive, Report 2014.
6. De la Cruz Jiménez R. A. Generation of 8-bit S-Boxes Having Almost Optimal Cryptographic Properties Using Smaller 4-bit S-Boxes and Finite Field Multiplication. 2017. www.cs.haifa. ac.il/orrd/LC17/paper60.pdf.
7. Fomin D. New classes of 8-bit permutations based on a butterfly structure. Pre-proc. CTCrypt'18-Suzdal, 2016, pp. 199-211.
8. Menyachikhin A. Spectral-linear and spectral-difference methods for generating cryptographically strong S-Boxes. Pre-proc. CTCrypt'16-Yaroslavl, 2016, pp. 232-252.
UDC 621.391:519.7 DOI 10.17223/2226308X/12/43
SOME PROPERTIES OF THE OUTPUT SEQUENCES OF COMBINED GENERATOR OVER FINITE FIELDS
Aulet R. Rodriguez
The sequences are an important part of the cryptography and analysis of their properties is of great interest. In this paper, the following characteristics of combined
generator are analyzed: period of output sequences and the distribution of elements in the output sequences over finite field.
Keywords: finite field, correlation-immune function, resilient function, balanced function, combined generator.
Introduction
The randomness is an important property in the cryptographic scheme. One of the components that ensure this property is the random sequence that is built by generators. The elements of random sequences can be used as initialization vectors, in cyclic codes, as keys in block cipher, and in stream cipher. The combined generator presents one class of generators that are used to obtain pseudorandom sequence. Examples of its use are stream ciphers: A.1 of standard GSM [1], Grain, Trivium [2]. The most results belong to generators over the field GF(2) [1, 3, 4].
In this work, we analyze the following characteristics for combined generator: period of the output sequence and distribution elements in output sequence over finite field.
Let P = GF(q) be a finite field with q elements, Fi(x),..., Fk(x) be polynomials with coefficients in P of degrees m1,..., mk respectively. We assume that F1(x),..., Fk(x) are primitive polynomials [5], also gcd(m^ m,j) = 1 for each i = j. For each function ^ : Pk^P, we consider the combined generator [1, 6, 7] with the output sequence
v(i) = <£(«i(i),«2(i),... ,uk(i)), i ^ 0, where Uj is a linear recurring sequence over P with minimal polynomial Fj (x).
1. Period
In [6] the general bounds for the period of combined generator and the exact equality in the case GF(2) is presented. In this work, we give bounds for the period of a given generator for one class of function over any finite field and show, how this period can be calculated.
Theorem 1. If ^ has the form
k
^(x1, . . . , xk) ciii2...isxiixi2 . . . xis , s=1 1^ii<i2<...<is^k
then period T(v) of sequence v satisfies the conditions
(qmi - 1) ... (qmk - 1) (qmi - 1) ... (qmk - 1) -^- T(V) and T(V) --.
Theorem 2. In conditions of theorem 1, if bi = Fi(0)(-1)mi, i = 1,..., k, and m = = mi . . . mk, then
T (v) = (qmi -1)... (qmk -1) d
T (V)= (q - 1)k d,
where d = lcm(ord(b™/mn ...bmJmzs) : ciii2...is = 0). Moreover, d is the minimal number in N for which
/ \ /; dm/mi idm/mk \
<^(xi, ...,xk ) = ^(bi xi,...,b^ xk).
Corollary 1. In conditions of theorem 1, if exist such ii, . . . , ik for which bm/mzi ... brms/mts is a primitive element or function ^(x1,... ,xk) is linear in variables x1, ..., xk, then
, (qmi - 1)... (qmk - 1)
(v) =-(T-i)Fi-■
2. Frequencies
For each element c G P*, we define the following function : Pk ^ C*, where C* is multiplicative group of complex numbers, as follows
,...,Xk) = x(c^(xi,... ,Xk)),
where x is character of (P, +), x(x) = e 7 ritrpo(x)/p, for all x G P, Po = GF(p) is the prime field and trP0(x) is the trace of x over P0. For every function ^ : Pk ^ C*, it is shown [8], that, for any (x1,... ,xk) G Pk,
^c(xi,...,xk) = -1 E W(a)Xa(xi,...,xk), (a) = E ^c^Ma^
q aePfc bePk
where X is the conjugate character.
The class of correlation-immune and resilient function over any field is defined in [9]. In this work, we analyze (k — l)-resilient function. We shall calculate the value
N (z,v) = |{i G{0,...,1 — 1} : v(i) = z}|,
where l G N, l ^ T = (qmi — 1) ... (qmk — 1)/(q — 1)k-1.
Theorem 3. If ^(x1,..., xk) is (k — 1)-resilient function and m = m1 + •
+ mk, then
N,(z,v) - -q
^ (q - 1)(k+2)/2 C ^ -C,,
q
where
C, =
^ ln(T) + 9) qm/2 (qm - T)1/2,
if - < T, if - = T.
Corollary 2. If ^(x1,..., xk) = a1 x1 + ... + akxk, then
Ni(z,v) - -q
i ^C,.
q
For a linear function the Niederreiter's bounds [10, theorem 2] are better than our bounds in whole period. But for to use the Niederreiter's bounds, it is necessary to know the whole period, in practice we have only an interval of the period, which makes our bounds more accurate in the latter case. Now, we shall show that, in general, for other (k — 1)-resilient functions we can use our bounds when the Niederreiter's bounds does not work, or vice-versa.
Denoting by Rk-1 the set of all (k — 1)-resilient functions, in Rk-1 we define the binary relation ~ as follows:
^ 3 permutation n (V(x1,..., xk) G Pk (^2(x1,..., xk) = (x1,..., xk)))) j.
This relation is an equivalence. If we can determine the period and the distribution of elements for the function we can also make it for the function <^2. Let us show that it cannot always take the function linear like representatives of the classes.
Proposition 1. Let P = GF(22), ^(x1,x2) — x1 + x2. A permutation polynomial n(x) and a1,a2 for which n(^(x1,x2)) = a1 x1 + a2x2, do not exist.
For function in proposition 1, it is necessary to use the bound of theorem 3. But if — x2 + x2, we can use the Niederreiter's bounds.
REFERENCES
1. AlferovA.P., ZubovA.Y., Kuz'minA.S., and Cheremushkin A. V. Osnovy kriptografii [Basics of Cryptography]. Moscow, Gelios ARV Publ., 2001. (in Russian)
2. Matthew R. and Oliver B. New Stream Ciphers Designs. Springer, 2008.
3. Andreas K. Stream Cipher. Springer, 2013.
4. Bilyak I. B. and Kamlovskii O. V. Chastotnye kharakteristiki tsiklov vykhodnykh posledovatel'nostey kombiniruyushchikh generatorov nad polem iz dvukh elementov [The frequency characteristics of cycle of output sequences combining generator over the field of two elements]. Prikladnaya Diskretnaya Matematika, 2015, no. 3(29), pp. 17-31. (in Russian)
5. Lidl R. and Niederreiter H. Finite Fields. Encyclopedia of Mathematics and its Applications. Cambridge University Press, 1997.
6. Fomichev V. M. Fomichev V.M. Diskretnaya matematika i kriptologiya Diskretnaya matematika i kriptologiya [Discrete Mathematics and Cryptology. Moscow, Dialog-MEPhI Publ., 2010. (in Russian)
7. Rueppel R. A. Analysis and Design of Stream Ciphers. Springer Verlag, 1986.
8. Kamlovskii O. V. Kolichestvo poyavleniy elementov v vykhodnykh posledovatel'nostyakh fil'truyushchikh generatorov [Distribution properties of sequences produced by filtering generators]. Prikladnaya Diskretnaya Matematika, 2013, no. 3(21), pp. 11-25. (in Russian)
9. Camion P. and Canteaut A. Correlation-Immune and Resilient Function over a Finite Alphabet and Their Application in Cryptography. Springer, 1998.
10. Niederreiter H. Weights of cyclic codes. Information and Control, 1997, vol. 34, pp. 130-140.
UDC 003.26 DOI 10.17223/2226308X/12/44
DISCRETE LOGARITHM FOR NILPOTENT GROUPS AND CRYPTANALYSIS OF POLYLINEAR CRYPTOGRAPHIC SYSTEM1
V. A. Roman'kov
We present an efficient algorithm to compute a discrete logarithm in a finite nilpotent group, or more generally, in a finitely generated nilpotent group. Special cases of a finite p-group (p is a prime) and a finitely generated torsion free nilpotent group are considered. Then we show how the derived algorithm can be generalized to an arbitrary finite or finitely generated nilpotent group respectively. We suppose that group is presented by generating elements and defining relators or as a subgroup of a triangular matrix group over a prime finite field (in finite case) or over the ring of integers (in torsion-free case). On the base of the derived algorithm we give a cryptanalysis of some schemes of polylinear cryptography known in the literature. Keywords: discrete logarithm, nilpotent group, polylinear system, cryptanalysis.
Introduction
Let G be a group. We say that the discrete logarithm is (efficiently) computable in G if there is an efficient algorithm that finds an exponent x G Z for any expression of the form f = gx, where g, f G G. The problem of determining x given g and f = gx is called the discrete logarithm problem in G. The classical Diffie — Hellman exchange protocol, the ElGamal system and many other cryptographic schemes, protocols and systems are based
1The author is supported by RFBR, project No. 18-41-550001а.
