Hi, welcome everyone to the second session of today, which is a session on boomerang attacks. And the first talk, on the boomerang uniformity of cryptographic S-boxes, is going to be given by Anne Canteaut.

Thank you. So what I'm presenting here is a joint work with Christina Boura, and it's work on boomerang connectivity tables of S-boxes. So these boomerang connectivity tables, this is a new notion introduced by Carlos Cid and his coauthors at last year's Eurocrypt, and this is of course related to boomerang attacks. So boomerang attacks, as you all know, is a notion introduced by David Wagner 20 years ago, and it can be seen as a generalization of differential cryptanalysis in the sense that it uses two different differentials, one for each half of the cipher.

So more precisely, what we do is that we divide the cipher into two halves, E0 and E1 here. And so we first consider a differential (a, d) for the first half of the cipher, which means that with a high probability, if we consider a pair of plaintexts P and P plus a and we take their images under E0, then we get two elements which differ from d. And so now, from these two elements, what we can do is that we can consider a second differential, now for the second half of the cipher. So this is a differential (c, d). And so if we add c to the two elements that have been previously obtained, then we get a quartet. And if we take the image of this quartet under the second half of the cipher, we get two pairs of ciphertexts which differ from b with a high probability. And now the nice point is that, by construction, the plaintexts corresponding to these two ciphertexts here, they differ from a with probability p.

So this boomerang attack, it's based on the fact that with a high probability, when we take two plaintexts which differ from a, compute the ciphertexts, add b to the two ciphertexts and then invert the block cipher, then we get two plaintexts which differ from a with a high probability. And this probability is actually the product of the
squared probabilities of the two involved differentials. Of course this holds under the assumption that the two probabilities involving the two halves of the cipher are independent. The problem is that in most practical cases this independence assumption fails. So this was first proved by Sean Murphy, who even showed that in some practical cases the previous probability is equal to zero, and there are also some cases where this probability is much higher than what is expected from the previous formula.

So for this reason, Dunkelman, Keller and Shamir proposed instead to divide the cipher not into two halves but into three parts, where the middle part, Em, is very small. Typically, it's one single round or a single S-box layer of the cipher. And so the idea is to concentrate these dependencies in this middle layer here, in this middle part, and to study carefully what happens for this middle part. So the difference between what we had previously and this probability is that now it does not involve several rounds of the cipher but a much simpler transformation, which is typically one S-box layer. And so what is nice is that if this middle transformation is an S-box layer which is composed of several copies of the same, or of different but smaller, S-boxes, then this means that we can compute this probability but for the individual S-boxes, and so this becomes feasible.

And so this is a nice observation made at last year's Eurocrypt by Carlos Cid and his coauthors. What they observed is that what we could do is exactly the same thing as what we usually do for studying the differential properties of an S-box by computing its difference distribution table. Here, exactly in the same way, what we could do is compute for a given S-box this probability, with the number of solutions of this equation, for all possible pairs of differentials a, b, and we can store these values in a table exactly as we do for the DDT. And this table is named a boomerang connectivity table, BCT for short.

So here is an
example. So this is an example for a four-bit S-box. So what you have on the left here is the DDT of the S-box, and I will use this notation delta of a and b to denote the entry at row a and column b of this DDT. And as you all know, one of the most relevant parameters related to this DDT is the maximal value for its entries, of course when the input difference is not zero. And so this maximal value in the DDT, it's what is called the differential uniformity of the S-box, and in that case this differential uniformity is equal to four.

And so what you have on the right now is the BCT of the same S-box, and you can observe that it looks a bit similar to the DDT. Well, there are some differences. So for instance, you have some entries equal to six here in the BCT, and also you can see that all values in the first column and the first row of the BCT are equal to 16. So actually the fact that all entries in the first row and first column in the BCT are equal to two to the n, this is obvious, and this was already observed in the original Eurocrypt paper. Well, if we come back to the definition of the entries in the BCT and just replace either a or b by zero, then you can see that all values of x satisfy this equation. So this means that what is a relevant quantity is the maximum value we can have in the BCT, but of course if we do not consider the first row and first column. And so, by analogy with the DDT, we decided to call this the boomerang uniformity of the S-box.

So a first observation made in the Eurocrypt paper is that all entries in the BCT are greater than or equal to the corresponding entry in the DDT, and there's a very interesting case where these two values are equal everywhere, which is the case where the S-box is an APN permutation. APN means that all values in its DDT are equal to zero or two. And so what is very nice is that these APN permutations, they then have both differential uniformity and boomerang uniformity which are both minimal and equal to two,
which is very nice because they offer an optimal resistance to differential attacks, and then this means that also they provide a very good resistance to boomerang attacks. And so the bad point is that these APN permutations are very nice, but they only exist, as far as we know, for a number of variables which is odd, or when the number of variables is six, because for n equal to six we know a sporadic example of an APN permutation. And so for all other values of n, when n is even and different from six, then we do not know such APN permutations, and then the question of what is the lowest possible boomerang uniformity for such S-boxes, this is an open problem which was raised in the Eurocrypt paper. And so our work mainly focuses on this open problem.

And so what we did here in this work is that we first prove that the lowest possible boomerang uniformity for a 4-bit S-box, it's equal to six, and we also provide a new formulation of the definition of the entries in the boomerang connectivity table of the S-box. And this new formula, it's really nice and it's easier to handle, especially when we consider S-boxes with differential uniformity four. And thanks to this formula, what we have been able to do is to compute the BCT of two infinite families of S-boxes: the inverse mapping and some quadratic power functions over the field with two to the n elements when n is even.

So let me start with some preliminary result, which was quite helpful for studying 4-bit S-boxes. This is what happens on the BCT when we consider some S-boxes which are equivalent. So we first consider two S-boxes F and G which are affine equivalent, which means that G is obtained from F by composing it on the left and right by two affine permutations. And then what happens to the BCT is exactly the same as what we have for the DDT, which means that the BCT of G is the same as the BCT of F up to a linear permutation of the rows and of the columns of the BCT. But this means in particular that both the S-boxes, they have the same boomerang uniformity. Also a very simple observation is that, exactly as for the DDT, the BCT of the inverse of an S-box, this is the transpose of the BCT of the S-box itself.

What is different from what happens for the DDT is that the boomerang uniformity is not invariant under what is called extended affine equivalence. Extended affine equivalence means that we compose the S-box by two affine permutations as before, but we add to the result another affine function, and then differential uniformity is invariant under this equivalence, but this is not the case of boomerang uniformity. Anyways, the fact that boomerang uniformity and the set of all entries in the BCT is invariant under affine equivalence, this was very helpful for studying 4-bit S-boxes, because it's enough to study one representative for each equivalence class. So this is exactly what we did.

So remember, we would like to know the lowest possible boomerang uniformity for a 4-bit S-box. We know that this value cannot be equal to two, because the boomerang uniformity is greater than or equal to the differential uniformity, which is at least four in the case of 4-bit S-boxes. And so what we did is that we considered all 4-bit S-boxes with differential uniformity exactly four, and actually we considered one representative for each equivalence class, and also we considered one element among the S-box and its inverse. And so we used the classification due to Christophe De Cannière for this. And so we have computed the differential uniformity, the boomerang uniformity of all these S-boxes, and for each of them we have computed the number of occurrences of the different values in the BCT. This means, for example, that for this first S-box, it has boomerang uniformity six, and in the BCT we have 120 values equal to zero, 60 entries equal to two, 15 equal to four and 30 equal to six. And as you can see from this table, if we consider a 4-bit S-box with differential uniformity four, then what we can find as a
boomerang uniformity is six or eight or ten or sixteen, and you can also notice that the values 12 and 14 never appear in the BCT. So what we can deduce from this is first that the smallest boomerang uniformity for a 4-bit permutation is exactly six, and there are two equivalence classes here for which we get this lowest possible boomerang uniformity.

And something which is a bit more interesting is that, by trying to understand the previous classification and some interesting observations, then we realized that there exists another formula for computing these elements in the BCT, which is very helpful in the case of S-boxes with differential uniformity four. So if we come back to the definition of the entry at row a and column b in the BCT, this corresponds to the number of solutions of this equation. And now this equation, it can be divided into two parts depending on the difference between S of x and S of x plus a. And indeed, if we fix this difference to a fixed element gamma, then this means that in this equation we can replace this S of x plus a by S of x plus gamma here. And so what it means is that this number of solutions of this equation, well, for computing it we only need to compute the number of x which satisfy both equations together for a fixed gamma, and then we just have to take the sum of these numbers over all possible non-zero gamma.

So the first case which is interesting is that when gamma is equal to b, then it's not difficult to see that these two equations are exactly the same. So in that case this means that the number of x which satisfy both equations, that's exactly the number of x which satisfy the first one, which means the element at row a and column b in the DDT. And now, when gamma differs from b, then I will introduce, in order to understand what happens, this set V of a, gamma, this calligraphic V. What is this?
This is nothing else than the outputs of the S-box which satisfy the differential (a, gamma). And so if we look at the blue equation, then this blue equation exactly means, this is the definition of the set V of a, gamma, this exactly means that S of x belongs to the set V of a, gamma. And then, after some easy manipulation, it appears that the red equation, it exactly means that S of x plus b belongs to exactly the same set V of a, gamma. In other words, an element satisfies both equations if and only if S of x belongs to the intersection between V of a, gamma and the same set but after translation by the offset b.

And this is exactly what is written here in this formula. Now we have a new formula for the element at row a and column b in the BCT. This is exactly the sum of the same element but in the DDT, so this corresponds to the case where gamma equals b in the formula, plus the sum over all gamma different from 0 and b of the size of the intersection between this set V of a, gamma and the same set but after translation by b. So with this formula we of course recover the fact that the entry in the BCT is at least the value of the entry in the DDT, but it does not look so nice. But actually, it's easier to handle in a very specific case, which is the case where all these sets V of a, gamma are affine subspaces. And these S-boxes where all these V of a, gamma are affine subspaces, they have been widely studied, and this is what is called planar permutations. So this is a notion introduced by Joan and Vincent. And so a specific case of these planar permutations are the S-boxes with differential uniformity less than or equal to four. So this is exactly the case
we are interested in. And so what happens if we look at the previous formula in that case is that this set V of a, gamma and its translation by b, both of these sets are cosets of the same linear space. And so I will denote this linear space by this V, but now in Roman type. And so what happens if we consider two cosets of the same linear space, then there are two possibilities only: either they are exactly the same or they are disjoint, which means that the size of this intersection, it's either zero or it's the size of the whole set here, which is exactly delta of a, gamma, the value that we have in the DDT. And so the condition under which those two cosets of the same linear space are exactly the same, well, this is exactly the fact that the offset b belongs to the corresponding linear space. So this means that the entry we have to compute in the BCT, this is a sum of the entries we have in the DDT in the same row, but for all columns gamma such that b belongs to the linear set corresponding to the differential (a, gamma).

So let me have a look quickly at a small example to make it a bit more concrete. So suppose that I would like to compute some value, for instance this one, in the BCT of our previous S-box, which is an S-box with differential uniformity 4. And so I would like to find the entry in the BCT at row one of this S-box. So this means, from the previous formula, that I have to consider all entries in the DDT in the same row, and then I have to compute the sets V of a, gamma for all valid, so a is now one, for all valid differentials here. So if I look at all those sets, there's one set of size 4 and all the other ones, they have size 2. So let me compute those sets. So they are here.
They are all affine subspaces because the S-box has differential uniformity 4. So you can see that there's one which has size 4, and actually this is not an affine subspace, this is a linear subspace, it contains 0. And all the other ones, they have size 2, for affine subspaces, and actually it's very easy to compute them, because it's not difficult to see that if this set has size 2, then the linear subspace corresponding to it consists of two elements, 0 and the output difference. And so if I want now to deduce from that the entry in the BCT at row 1 and column 6, then what I have to do is to just have a look at all these linear subspaces, and then I have to add the sizes of all these linear subspaces which contain the value 6. And so I have two of them, 4 plus 2, which means that the entry in the BCT is exactly 6.

And so from this very small example, you can see immediately that, because all these sets here of size 2, they are all disjoint, of course if we forget about the zero value, this means that if in the row of the DDT I have only one value four and then zeros and twos, then I cannot get something which is higher than 6 in the BCT. And so by this simple formula we have many observations like this on the BCT of 4-bit S-boxes. For instance, if the DDT has a row with at least two values four, then the boomerang uniformity is greater than or equal to 8, and on the contrary, if all rows in the DDT have at most two values four, then the boomerang uniformity is at most 10. And also, something which was already observed in the Eurocrypt paper is that if one row in the DDT has exactly four values four, then the boomerang uniformity of the S-box is maximal and equal to 16.

So something which is now much more interesting than this is that, using this formula, we have been able to compute the differential uniformity and the boomerang uniformity of two infinite families of S-boxes. The first one is the inverse mapping over the field F2 to the
n, when n is even, and this of course includes the AES S-box. And so what we proved is that the boomerang uniformity of the inverse mapping, this is equal to 4 if the number of variables n is equal to 2 modulo 4, and it's equal to 6 if n is a multiple of 4. And actually what we proved is something which is much more precise, because we proved that the BCT of the inverse mapping is exactly the same as its DDT except for two values in each row, which are equal to 6 when n is a multiple of 4 and equal to 4 when n is congruent to 2 modulo 4. So this is the first infinite family of S-boxes with this boomerang uniformity equal to 4, which is the lowest boomerang uniformity we can have, of course unless we can find some APN permutations for this number of variables.

And we also looked at a second infinite family of S-boxes, which are S-boxes with algebraic degree 2, with also differential uniformity equal to 4. So first we have a general result which proves that any permutation with differential uniformity 4 and algebraic degree 2, it has boomerang uniformity at most 12 for any number of variables. And also, we focused on a particular example of such S-boxes, which are those power permutations here, x raised to the power 2 to the t plus 1 over the field with 2 to the n elements, where the gcd between t and the number of variables is exactly 2, and this is for n equal to 2 mod 4. So this includes for example x raised to the power of 5, when t is equal to 2. And then what we have proved is that all these power permutations, when n is congruent to 2 mod 4, they have both differential uniformity and boomerang uniformity equal to 4. So again, this is an infinite family of S-boxes with the lowest possible boomerang uniformity, which is 4.

Two minutes.

So this is my conclusion. So a quick conclusion. The conclusion of this work is that the most important result is the lowest possible boomerang uniformity for an n-bit S-box. So it was known before that it was equal to 2 when n is odd or n equal to
6. And this two is achieved only by APN permutations. And so what was open is what happened in the other cases. And so what we prove is that we can achieve 4 when n is equal to 2 mod 4, and so we have exhibited two families of permutations for which this four is obtained as both differential uniformity and boomerang uniformity. And we also have exhibited some families of permutations for which the boomerang uniformity is equal to 6 while the differential uniformity is equal to 4, so this is in the case where n is a multiple of 4. And we do not know whether we can get some S-boxes with both differential uniformity and boomerang uniformity equal to 4 in the case where n is a multiple of 4, and so this is the remaining open problem. Thank you.

Thank you. So are there any questions? Fran?

Just a good question. Does the, for instance for the 4-bit S-boxes, do the families where you can get minimum BC, well, boomerang uniformity, correlate with some other good properties of the S-boxes, like for instance minimum number of differential of a solution for the differential equations, or branch number?

Well, actually these two families are exactly the ones that are the elements of the infinite families, so these are exactly this inverse mapping and the quadratic function, so for only two. And yeah, you have the list here, but one has, I don't know where it is, but one has degree two and the other one is the inverse mapping, and they all have the optimal linearity. If you look, this, or this two boards in the classification, depends on the linearity. So these are the optimal S-boxes which have the best differential and linearity. Those ones have a higher linearity, and then you can see that the boomerang uniformity is higher. I don't know why it's correlated, but I don't know if it's a coincidence or not.

Okay. Thank you.

Okay, thank you very much. There are no more questions. We will thank Anne again for the presentation.