Marion Videau

Symmetric Boolean functions

We present an extensive study of symmetric Boolean functions, especially of their cryptographic properties. Our main result establishes the link between the periodicity of the simplified value vector of a symmetric Boolean function and its degree. Besides the reduction of the amount of memory required for representing a symmetric function, this property has some consequences from a cryptographic point of view. For instance, it leads to a new general bound on the order of resiliency of symmetric functions, which improves Siegenthalers bound. The propagation characteristics of these functions are also addressed and the algebraic normal forms of all their derivatives are given. We finally detail the characteristics of the symmetric functions of degree at most 7, for any number of variables. Most notably, we determine all balanced symmetric functions of degree less than or equal to 7.

Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis

To improve the security of iterated block ciphers, the resistance against linear cryptanalysis has been formulated in terms of provable security which suggests the use of highly nonlinear functions as round functions. Here, we show that some properties of such functions enable to find a new upper bound for the degree of the product of its Boolean components. Such an improvement holds when all values occurring in the Walsh spectrum of the round function are divisible bya high power of 2. This result leads to a higher order differential attack on any 5-round Feistel ciphers using an almost bent substitution function. We also show that the use of such a function is precisely the origin of the weakness of a reduced version of MISTY1 reported in [23, 1].

Matriochka symmetric Boolean functions

We present the properties of a new class of Boolean functions defined as the sum of m symmetric functions with decreasing number of variables and degrees. The choice of this construction is justified by the possibility to study these functions by using tools existing for symmetric functions. On the one hand we show that the synthesis is well understood and give an upper bound on the gate complexity. On the other hand, we investigate the Walsh spectrum of the sum of two functions and get explicit formulae for the case of degree at most three.

Analysis of the initial and modified versions of the candidate 3GPP integrity algorithm 128-EIA3

In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the algorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable resistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.

On some properties of symmetric Boolean functions

This paper the link between the periodicity of the value vectors symmetric Boolean functions and their degrees. It also deduce new results concerning balancedness, resiliency and propagation criteria of symmetric Boolean functions.

Cryptanalysis of block ciphers and weight divisibility of some binary codes

The resistance of an iterated block cipher to most classical attacks can be quantified by some properties of its round function. The involved parameters (nonlinearity, degrees of the derivatives...) for a function F from F 2 m into F 2 m are related to the weight distribution of a binary linear code C F of length 2 m − 1 and dimension 2m. In particular, the weight divisibility of C F appears as an important criterion in the context of linear cryptanalysis and of higher-order differential attacks. When the round function F is a power permutation over \({F_{{2^m}}}\), the associated code C F is the dual of a primitive cyclic code with two zeroes. Therefore, McEliece’s theorem provides a powerful tool for evaluating the resistance of some block ciphers to linear and higher-order differential attacks.

Higher order differential attacks on iterated block ciphers using almost bent round functions

We show that the use of a round function whose Walsh coefficients are divisible by a high power of 2 may lead to a higher order differential attack.