Designs, Codes and Cryptography最新文献

{"title":"Quantum rectangle attack and its application on Deoxys-BC","authors":"Yin-Song Xu, Yi-Bo Luo, Zheng Yuan, Xuan Zhou, Qi-di You, Fei Gao, Xiao-Yang Dong","doi":"10.1007/s10623-024-01526-3","DOIUrl":"https://doi.org/10.1007/s10623-024-01526-3","url":null,"abstract":"<p>In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"15 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142684484","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Almost tight security in lattices with polynomial moduli—PRF, IBE, all-but-many LTF, and more","authors":"Zhedong Wang, Qiqi Lai, Feng-Hao Liu","doi":"10.1007/s10623-024-01523-6","DOIUrl":"https://doi.org/10.1007/s10623-024-01523-6","url":null,"abstract":"<p>Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent. In this work, we remove the super-polynomial modulus restriction for many important primitives—PRF, IBE, all-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Eurocrypt 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"10 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142671014","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Breaking the power-of-two barrier: noise estimation for BGV in NTT-friendly rings","authors":"Andrea Di Giusto, Chiara Marcolla","doi":"10.1007/s10623-024-01524-5","DOIUrl":"https://doi.org/10.1007/s10623-024-01524-5","url":null,"abstract":"<p>The Brakerski–Gentry–Vaikuntanathan (BGV) scheme is a Fully Homomorphic Encryption (FHE) cryptosystem based on the Ring Learning With Error (RLWE) problem. Ciphertexts in this scheme contain an error term that grows with operations and causes decryption failure when it surpasses a certain threshold. Consequently, the parameters of BGV need to be estimated carefully, with a trade-off between security and error margin. The ciphertext space of BGV is the ring <span>(mathcal {R}_q=mathbb {Z}_q[x]/(Phi _m(x)))</span>, where usually the degree <i>n</i> of the cyclotomic polynomial <span>(Phi _m(x))</span> is chosen as a power of two for efficiency reasons. However, the jump between two consecutive powers-of-two polynomials also causes a jump in security, resulting in parameters that are much bigger than what is needed. In this work, we explore the non-power-of-two instantiations of BGV. Although our theoretical research encompasses results applicable to any cyclotomic ring, the focus of our investigation is the case of <span>({m=2^scdot 3^t})</span> where <span>(s,tge 1)</span>, i.e., cyclotomic polynomials with degree <span>({n=phi (m)=2^scdot 3^{t-1}})</span>. We provide a thorough analysis of the noise growth in this new setting using the canonical norm and compare our results with the power-of-two case considering practical aspects like NTT algorithms. We find that in many instances, the parameter estimation process yields better results for the non-power-of-two setting.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"38 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142637521","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A new method of constructing $$(k+s)$$ -variable bent functions based on a family of s-plateaued functions on k variables","authors":"Sihong Su, Xiaoyan Chen","doi":"10.1007/s10623-024-01520-9","DOIUrl":"https://doi.org/10.1007/s10623-024-01520-9","url":null,"abstract":"<p>It is important to study the new construction methods of bent functions. In this paper, we first propose a secondary construction method of <span>((k+s))</span>-variable bent function <i>g</i> through a family of <i>s</i>-plateaued functions <span>(f_0,f_1,ldots ,f_{2^s-1})</span> on <i>k</i> variables with disjoint Walsh supports, which can be obtained through any given <span>((k-s))</span>-variable bent function <i>f</i> by selecting <span>(2^s)</span> disjoint affine subspaces <span>(S_0,S_1,ldots ,S_{2^s-1})</span> of <span>({mathbb {F}}_2^k)</span> with dimension <span>(k-s)</span> to specify the Walsh support of these <i>s</i>-plateaued functions respectively, where <i>s</i> is a positive integer and <span>(k-s)</span> is a positive even integer. The dual functions of these newly constructed bent functions are determined. This secondary construction method of bent functions has a great improvement in counting. As a generalization, we find that the one initial <span>((k-s))</span>-variable bent function <i>f</i> can be replaced by several different <span>((k-s))</span>-variable bent functions. Compared to the first construction method, the latter one gives much more bent functions. It is worth mentioning that it can give all the 896 bent functions on 4 variables.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"9 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142600906","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Further investigation on differential properties of the generalized Ness–Helleseth function","authors":"Yongbo Xia, Chunlei Li, Furong Bao, Shaoping Chen, Tor Helleseth","doi":"10.1007/s10623-024-01525-4","DOIUrl":"https://doi.org/10.1007/s10623-024-01525-4","url":null,"abstract":"<p>Let <i>n</i> be an odd positive integer, <i>p</i> be an odd prime with <span>(pequiv 3pmod 4)</span>, <span>(d_{1} = {{p^{n}-1}over {2}} -1 )</span> and <span>(d_{2} =p^{n}-2)</span>. The function defined by <span>(f_u(x)=ux^{d_{1}}+x^{d_{2}})</span> is called the generalized Ness–Helleseth function over <span>(mathbb {F}_{p^n})</span>, where <span>(uin mathbb {F}_{p^n})</span>. It was initially studied by Ness and Helleseth in the ternary case. In this paper, for <span>(p^n equiv 3 pmod 4)</span> and <span>(p^n ge 7)</span>, we provide the necessary and sufficient condition for <span>(f_u(x))</span> to be an APN function. In addition, for each <i>u</i> satisfying <span>(chi (u+1) = chi (u-1))</span>, the differential spectrum of <span>(f_u(x))</span> is investigated, and it is expressed in terms of some quadratic character sums of cubic polynomials, where <span>(chi (cdot ))</span> denotes the quadratic character of <span>({mathbb {F}}_{p^n})</span>.\u0000</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"9 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142597482","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Improved key recovery attacks on reduced-round Salsa20","authors":"Sabyasachi Dey, Gregor Leander, Nitin Kumar Sharma","doi":"10.1007/s10623-024-01522-7","DOIUrl":"https://doi.org/10.1007/s10623-024-01522-7","url":null,"abstract":"<p>In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of a distribution of a linear combination of several random variables that are derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study and exploit how to choose the actual value for so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, in the usual attack approach, these are fixed to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5-round of the 128-bit key version of Salsa20. Also, we provide improvements in the attack against the 8-round of the 256-bit key version of Salsa20 and the 7-round of the 128-bit key version of Salsa20.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"2 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142597483","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Parallel construction for constant dimension codes from mixed dimension construction","authors":"Xianmang He, Zusheng Zhang, Si Tian, Jingli Wang, Yindong Chen","doi":"10.1007/s10623-024-01518-3","DOIUrl":"https://doi.org/10.1007/s10623-024-01518-3","url":null,"abstract":"<p>The community has been pursuing improvements in the cardinalities for constant dimensional codes (CDC for short) for the past decade. Lao et al. (IEEE Trans Inf Theory 69(7):4333–4344, 2023) has shown that mixed dimension subspace codes can be used to construct large constant dimension subspace codes. The exploration of the CDCs’ construction is transformed into finding mixed dimension/distance subspace codes with large dimension distributions. In this paper, we apply the parallel construction to this mixed dimension construction, which allows us to contribute approximately more than 80 new constant dimension codes.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"196 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142598203","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Generalized bilateral multilevel construction for constant dimension codes","authors":"Xiaoqin Hong, Xiwang Cao, Gaojun Luo","doi":"10.1007/s10623-024-01513-8","DOIUrl":"https://doi.org/10.1007/s10623-024-01513-8","url":null,"abstract":"<p>Constant dimension codes (CDCs) have drawn extensive attention due to their applications in random network coding. This paper introduces a new class of codes, namely generalized bilateral Ferrers diagram rank-metric codes, to generalize the bilateral multilevel construction in Etzion and Vardy (Adv Math Commun 16:1165–1183, 2022). Combining our generalized bilateral multilevel construction and the double multilevel construction in Liu and Ji (IEEE Trans Inf Theory 69:157–168, 2023), we present an effective technique to construct CDCs. By means of bilateral identifying vectors, this approach helps us to select fewer identifying and inverse identifying vectors to construct CDCs with larger size. The new constructed CDCs have the largest size regarding known codes for many sets of parameters. Our method gives rise to at least 138 new lower bounds for CDCs.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"37 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142580297","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Griesmer type bounds for additive codes over finite fields, integral and fractional MDS codes","authors":"Simeon Ball, Michel Lavrauw, Tabriz Popatia","doi":"10.1007/s10623-024-01519-2","DOIUrl":"https://doi.org/10.1007/s10623-024-01519-2","url":null,"abstract":"<p>In this article we prove Griesmer type bounds for additive codes over finite fields. These new bounds give upper bounds on the length of maximum distance separable (MDS) codes, codes which attain the Singleton bound. We will also consider codes to be MDS if they attain the fractional Singleton bound, due to Huffman. We prove that this bound in the fractional case can be obtained by codes whose length surpasses the length of the longest known codes in the integral case. For small parameters, we provide exhaustive computational results for additive MDS codes, by classifying the corresponding (fractional) subspace-arcs. This includes a complete classification of fractional additive MDS codes of size 243 over the field of order 9.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"68 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142566117","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Simple vs. vectorial: exploiting structural symmetry to beat the ZeroSum distinguisher","authors":"Sahiba Suryawanshi, Shibam Ghosh, Dhiman Saha, Prathamesh Ram","doi":"10.1007/s10623-024-01502-x","DOIUrl":"https://doi.org/10.1007/s10623-024-01502-x","url":null,"abstract":"&lt;p&gt;Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported &lt;span&gt;SymSum&lt;/span&gt; (referred to as &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; in this paper), a new distinguisher based on higher order &lt;i&gt;vectorial&lt;/i&gt; Boolean derivatives of &lt;span&gt;SHA-3&lt;/span&gt;, constituting one of the best distinguishers on the latest cryptographic hash standard. &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of &lt;span&gt;SHA-3&lt;/span&gt; with regards to their dependence on round constants. Later in AFRICACRYPT 2020, Suryawanshi et al. extended &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; using linearization techniques and in SSS 2023 also applied it to &lt;span&gt;NIST-LWC&lt;/span&gt; finalist &lt;span&gt;Xoodyak&lt;/span&gt;. However, a major limitation of &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; is the maximum attainable derivative (&lt;span&gt;MAD&lt;/span&gt;) of the polynomial representation, which is &lt;i&gt;less than half&lt;/i&gt; of the widely studied &lt;span&gt;ZeroSum&lt;/span&gt; distinguisher. This is attributed to &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; being dependent on &lt;i&gt;k&lt;/i&gt;-fold &lt;i&gt;vectorial&lt;/i&gt; derivatives while &lt;span&gt;ZeroSum&lt;/span&gt; relies on &lt;i&gt;k&lt;/i&gt;-fold &lt;i&gt;simple&lt;/i&gt; derivatives. In this work we overcome this limitation of &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; by developing and validating the theory of computing &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; with simple derivatives. This gives us a close to &lt;span&gt;(100%)&lt;/span&gt; improvement in the &lt;span&gt;MAD&lt;/span&gt; that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid and also furnishes an algebraic fix at the cost of some additional constraints. Combining all the results we report &lt;span&gt;(textsf {SymSum}_textsf {Sim})&lt;/span&gt;, a new variant of the &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; distinguisher based on &lt;i&gt;k&lt;/i&gt;-fold &lt;i&gt;simple&lt;/i&gt; derivatives that outperforms &lt;span&gt;ZeroSum&lt;/span&gt; by a factor of &lt;span&gt;(2^{257}, 2^{129})&lt;/span&gt; for &lt;span&gt;( 10- )&lt;/span&gt;round &lt;span&gt;SHA3-384&lt;/span&gt; and 9-round &lt;span&gt;SHA3-512&lt;/span&gt; respectively while enjoying the same &lt;span&gt;MAD&lt;/span&gt; as &lt;span&gt;ZeroSum&lt;/span&gt;. For every other &lt;span&gt;SHA-3&lt;/span&gt; variant, &lt;span&gt;(textsf {SymSum}_textsf {Sim})&lt;/span&gt; maintains an advantage of factor 2 over the &lt;span&gt;ZeroSum&lt;/span&gt;. Combined with 1/2-round linearization, &lt;span&gt;(textsf {SymSum}_textsf {Sim})&lt;/span&gt; improves upon all existing &lt;span&gt;ZeroSum&lt;/span&gt; and &lt;span&gt;(textsf {SymSum}_textsf {Vec})&lt;/span&gt; distinguishers on both &lt;span&gt;SHA-3&lt;/span&gt; and &lt;span&gt;Xoodyak&lt;/span&gt;. As regards &lt;span&gt;Keccak&lt;/span&gt; &lt;span&gt;(-p)&lt;/span&gt;, the internal permutation of &lt;span&gt;SHA-3&lt;/span&gt;, we re","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"17 1","pages":""},"PeriodicalIF":1.6,"publicationDate":"2024-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142563294","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}