Differential and Linear properties of vectorial boolean functions based on chi.

Abstract

To evaluate the security of a cryptographic primitive, investigating its resistance against differential and linear cryptanalysis is required. Many modern cryptographic primitives repeatedly apply similar round functions alternated with the addition of round keys or constants. A round function usually consists of a non-linear mapping and a number of linear mappings. The non-linear mapping $\chi$ is used in different cryptographic primitives such as Keccak and Subterranean. An alternative version of $\chi$ is used in Ascon and the non-linear layer of Simon has the same differential and linear properties of $\chi$. The mapping $\chi$ can be applied to strings with different lengths. For instance, it can be parallelly applied to small-length strings as in Keccak, where it works on 5-bit strings, or it can be applied to big-length strings as in Subterranean, where it works on a string of length 257. Investigating the differential and linear properties of $\chi$ working on alternative lengths of strings, provides useful information to designers to make a better choice for the non-linear layer. Some differential properties of $\chi$ have been analyzed in [8] and in this work we provide a revised presentation of them. We then extend this study and we analyze linear propagation properties of $\chi$. Thanks to these additional results, we extend the comparison between the application of parallel instances of $\chi$ on small-length strings and the application of a single instance of $\chi$ on a big-length string. We show how we can apply the results of this study also to the non-linear layers of Ascon and Simon thanks to their affine-equivalence with $\chi$.