Quantum rectangle attack and its application on Deoxys-BC
Pub Date : 2024-11-21, DOI: 10.1007/s10623-024-01526-3
Yin-Song Xu, Yi-Bo Luo, Zheng Yuan, Xuan Zhou, Qi-di You, Fei Gao, Xiao-Yang Dong
In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack, a differential attack, is widely used in symmetric cryptanalysis and has been applied to many block ciphers. To improve its efficiency, we first propose a new quantum rectangle attack. A rectangle attack counts the number of valid quartets for each guessed subkey and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on the parallel amplitude estimation algorithm and the amplitude amplification algorithm. Then, we complete the remaining key bits and search for the right full key by nested Grover search. Besides, we give a strategy for finding a more suitable distinguisher that lowers the complexity. Finally, to evaluate the post-quantum security of the tweakable block cipher Deoxys-BC, we perform an automatic search for good distinguishers of Deoxys-BC according to this strategy, and then apply our attack to 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack offers some improvements over classical attacks and Grover search.
Almost tight security in lattices with polynomial moduli—PRF, IBE, all-but-many LTF, and more
Pub Date : 2024-11-19, DOI: 10.1007/s10623-024-01523-6
Zhedong Wang, Qiqi Lai, Feng-Hao Liu
Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent. In this work, we remove the super-polynomial modulus restriction for many important primitives—PRF, IBE, all-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Eurocrypt 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.
Breaking the power-of-two barrier: noise estimation for BGV in NTT-friendly rings
Pub Date : 2024-11-15, DOI: 10.1007/s10623-024-01524-5
Andrea Di Giusto, Chiara Marcolla
The Brakerski–Gentry–Vaikuntanathan (BGV) scheme is a Fully Homomorphic Encryption (FHE) cryptosystem based on the Ring Learning With Error (RLWE) problem. Ciphertexts in this scheme contain an error term that grows with operations and causes decryption failure when it surpasses a certain threshold. Consequently, the parameters of BGV need to be estimated carefully, with a trade-off between security and error margin. The ciphertext space of BGV is the ring \(\mathcal{R}_q=\mathbb{Z}_q[x]/(\Phi_m(x))\), where usually the degree n of the cyclotomic polynomial \(\Phi_m(x)\) is chosen as a power of two for efficiency reasons. However, the jump between two consecutive powers-of-two polynomials also causes a jump in security, resulting in parameters that are much bigger than what is needed. In this work, we explore the non-power-of-two instantiations of BGV. Although our theoretical research encompasses results applicable to any cyclotomic ring, the focus of our investigation is the case of \(m=2^s\cdot 3^t\) where \(s,t\ge 1\), i.e., cyclotomic polynomials with degree \(n=\phi(m)=2^s\cdot 3^{t-1}\). We provide a thorough analysis of the noise growth in this new setting using the canonical norm and compare our results with the power-of-two case considering practical aspects like NTT algorithms. We find that in many instances, the parameter estimation process yields better results for the non-power-of-two setting.
A new method of constructing \((k+s)\)-variable bent functions based on a family of s-plateaued functions on k variables
Pub Date : 2024-11-13, DOI: 10.1007/s10623-024-01520-9
Sihong Su, Xiaoyan Chen
It is important to study new construction methods for bent functions. In this paper, we first propose a secondary construction of a \((k+s)\)-variable bent function g through a family of s-plateaued functions \(f_0,f_1,\ldots,f_{2^s-1}\) on k variables with disjoint Walsh supports. Such a family can be obtained from any given \((k-s)\)-variable bent function f by selecting \(2^s\) disjoint affine subspaces \(S_0,S_1,\ldots,S_{2^s-1}\) of \(\mathbb{F}_2^k\) with dimension \(k-s\) to specify the Walsh supports of these s-plateaued functions respectively, where s is a positive integer and \(k-s\) is a positive even integer. The dual functions of these newly constructed bent functions are determined. This secondary construction greatly improves the count of bent functions obtained. As a generalization, we find that the single initial \((k-s)\)-variable bent function f can be replaced by several different \((k-s)\)-variable bent functions. Compared to the first construction, the latter gives many more bent functions. It is worth mentioning that it can give all 896 bent functions on 4 variables.
Further investigation on differential properties of the generalized Ness–Helleseth function
Pub Date : 2024-11-10, DOI: 10.1007/s10623-024-01525-4
Yongbo Xia, Chunlei Li, Furong Bao, Shaoping Chen, Tor Helleseth
Let n be an odd positive integer, p be an odd prime with \(p\equiv 3\pmod 4\), \(d_1=\frac{p^n-1}{2}-1\) and \(d_2=p^n-2\). The function defined by \(f_u(x)=ux^{d_1}+x^{d_2}\) is called the generalized Ness–Helleseth function over \(\mathbb{F}_{p^n}\), where \(u\in\mathbb{F}_{p^n}\). It was initially studied by Ness and Helleseth in the ternary case. In this paper, for \(p^n\equiv 3\pmod 4\) and \(p^n\ge 7\), we provide the necessary and sufficient condition for \(f_u(x)\) to be an APN function. In addition, for each u satisfying \(\chi(u+1)=\chi(u-1)\), the differential spectrum of \(f_u(x)\) is investigated, and it is expressed in terms of some quadratic character sums of cubic polynomials, where \(\chi(\cdot)\) denotes the quadratic character of \(\mathbb{F}_{p^n}\).
Improved key recovery attacks on reduced-round Salsa20
Pub Date : 2024-11-09, DOI: 10.1007/s10623-024-01522-7
Sabyasachi Dey, Gregor Leander, Nitin Kumar Sharma
In this paper, we present an improved attack on the stream cipher Salsa20. Our improvements are based on two technical contributions. First, we make use of the distribution of a linear combination of several random variables derived from different differentials and explain how to exploit this in order to improve the attack complexity. Secondly, we study how to choose the actual value of the so-called probabilistic neutral bits optimally. Because of the limited influence of these key bits on the computation, the usual attack approach fixes them to a constant value, often zero for simplicity. As we will show, despite the fact that their influence is limited, the constant can be chosen in significantly better ways, and intriguingly, zero is the worst choice. Using this, we propose the first-ever attack on 7.5 rounds of the 128-bit key version of Salsa20. We also improve the attacks against 8 rounds of the 256-bit key version of Salsa20 and 7 rounds of the 128-bit key version of Salsa20.
Parallel construction for constant dimension codes from mixed dimension construction
Pub Date : 2024-11-09, DOI: 10.1007/s10623-024-01518-3
Xianmang He, Zusheng Zhang, Si Tian, Jingli Wang, Yindong Chen
The community has been pursuing improvements in the cardinalities of constant dimension codes (CDCs for short) for the past decade. Lao et al. (IEEE Trans Inf Theory 69(7):4333–4344, 2023) have shown that mixed dimension subspace codes can be used to construct large constant dimension subspace codes. The exploration of CDC constructions is thereby transformed into finding mixed dimension/distance subspace codes with large dimension distributions. In this paper, we apply the parallel construction to this mixed dimension construction, which allows us to contribute more than 80 new constant dimension codes.
Generalized bilateral multilevel construction for constant dimension codes
Pub Date : 2024-11-05, DOI: 10.1007/s10623-024-01513-8
Xiaoqin Hong, Xiwang Cao, Gaojun Luo
Constant dimension codes (CDCs) have drawn extensive attention due to their applications in random network coding. This paper introduces a new class of codes, namely generalized bilateral Ferrers diagram rank-metric codes, to generalize the bilateral multilevel construction of Etzion and Vardy (Adv Math Commun 16:1165–1183, 2022). Combining our generalized bilateral multilevel construction with the double multilevel construction of Liu and Ji (IEEE Trans Inf Theory 69:157–168, 2023), we present an effective technique for constructing CDCs. By means of bilateral identifying vectors, this approach lets us select fewer identifying and inverse identifying vectors to construct CDCs of larger size. The newly constructed CDCs have the largest size among known codes for many sets of parameters. Our method gives rise to at least 138 new lower bounds for CDCs.
Griesmer type bounds for additive codes over finite fields, integral and fractional MDS codes
Pub Date : 2024-11-03, DOI: 10.1007/s10623-024-01519-2
Simeon Ball, Michel Lavrauw, Tabriz Popatia
In this article we prove Griesmer type bounds for additive codes over finite fields. These new bounds give upper bounds on the length of maximum distance separable (MDS) codes, codes which attain the Singleton bound. We will also consider codes to be MDS if they attain the fractional Singleton bound, due to Huffman. We prove that this bound in the fractional case can be obtained by codes whose length surpasses the length of the longest known codes in the integral case. For small parameters, we provide exhaustive computational results for additive MDS codes, by classifying the corresponding (fractional) subspace-arcs. This includes a complete classification of fractional additive MDS codes of size 243 over the field of order 9.
Simple vs. vectorial: exploiting structural symmetry to beat the ZeroSum distinguisher
Pub Date : 2024-11-01, DOI: 10.1007/s10623-024-01502-x
Sahiba Suryawanshi, Shibam Ghosh, Dhiman Saha, Prathamesh Ram
Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst, allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as \(\textsf{SymSum}_\textsf{Vec}\) in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. \(\textsf{SymSum}_\textsf{Vec}\) exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later in AFRICACRYPT 2020, Suryawanshi et al. extended \(\textsf{SymSum}_\textsf{Vec}\) using linearization techniques and in SSS 2023 also applied it to NIST-LWC finalist Xoodyak. However, a major limitation of \(\textsf{SymSum}_\textsf{Vec}\) is the maximum attainable derivative (MAD) of the polynomial representation, which is less than half of the widely studied ZeroSum distinguisher. This is attributed to \(\textsf{SymSum}_\textsf{Vec}\) being dependent on k-fold vectorial derivatives while ZeroSum relies on k-fold simple derivatives. In this work we overcome this limitation of \(\textsf{SymSum}_\textsf{Vec}\) by developing and validating the theory of computing \(\textsf{SymSum}_\textsf{Vec}\) with simple derivatives. This gives us a close to \(100\%\) improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with 1/2-round linearization to penetrate more rounds. Moreover, we identify an issue with the 2-round linearization claim made by Suryawanshi et al. which renders it invalid and also furnish an algebraic fix at the cost of some additional constraints. Combining all the results we report \(\textsf{SymSum}_\textsf{Sim}\), a new variant of the \(\textsf{SymSum}_\textsf{Vec}\) distinguisher based on k-fold simple derivatives that outperforms ZeroSum by a factor of \(2^{257}\) and \(2^{129}\) for 10-round SHA3-384 and 9-round SHA3-512 respectively while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, \(\textsf{SymSum}_\textsf{Sim}\) maintains an advantage of factor 2 over ZeroSum. Combined with 1/2-round linearization, \(\textsf{SymSum}_\textsf{Sim}\) improves upon all existing ZeroSum and \(\textsf{SymSum}_\textsf{Vec}\) distinguishers on both SHA-3 and Xoodyak. As regards Keccak-\(p\), the internal permutation of SHA-3, we re