Patrick Felke

Construction of bent functions via Niho power functions

A Boolean function with an even number n = 2k of variables is called bent if it is maximally nonlinear. We present here a new construction of bent functions. Boolean functions of the form f(x) = tr(α1xd1 + α2xd2), α1, α2, x ∈ F2n, are considered, where the exponents di (i = 1, 2) are of Niho type, i.e. the restriction of xdi on F2k is linear. We prove for several pairs of (d1, d2) that f is a bent function, when α1 and α2 fulfill certain conditions. To derive these results we develop a new method to prove that certain rational mappings on F2n, are bijective.

Niho type cross-correlation functions via dickson polynomials and Kloosterman sums

Suppose that n=2k is even. We study the cross-correlation function between two m-sequences for Niho type decimations d=(2/sup k/-1)s+1. We develop a new technique to study the value distribution of these cross-correlation functions, which makes use of Dickson polynomials. As a first application, we derive here the distribution of the six-valued cross-correlation function for s=3 and odd k, up to a term which depends on Kloosterman sums. In addition, applying simpler methods, we prove a theorem providing Niho type decimations with four-valued cross-correlation functions and their distribution. We conjecture that the latter result actually covers all such decimations.

A Collision-Attack on AES

Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which a is a distinct improvement compared to DPA and other side channel attacks.

An infinite class of quadratic APN functions which are not equivalent to power mappings

We exhibit an infinite class of almost perfect nonlinear quadratic polynomials from F2n to F2n (n ges 12, n divisible by 3 but not by 9). We prove that these functions are EA-inequivalent to any power function and that they are CCZ-inequivalent to any Gold function. In a forthcoming full paper, we shall also prove that at least some of these functions are CCZ-inequivalent to any Kasami function

On the affine transformations of HFE-Cryptosystems and systems with branches

We show how to recover the affine parts of the secret key for a certain class of HFE-Cryptosystems. Further we will show that any system with branches can be decomposed in its single branches in polynomial time on average. The attack on the affine parts generalizes the results from [1, 11] to a bigger class of systems and is achieved by a different approach. Despite the fact that systems with branches are not used anymore (see [11, 6]), our second attack is a still of interest, as it shows that branches belong to the list of algebraic properties, which cannot be hidden by composition with secret affine transformations. We derived both algorithms by considering the cryptosystem as objects from the theory of nonassociative algebras and applying classical techniques from this theory. This general framework might be a useful tool for future investigations of HFE-Cryptosystems, e.g. to detect further invariants, which are not hidden by composition with affine transformations.