Cryptology ePrint Archive: Report 2021/225

Recovering or Testing Extended-Affine Equivalence

Anne Canteaut and Alain Couvreur and Léo Perrin

Abstract: Extended Affine (EA) equivalence is the equivalence relation between two vectorial Boolean functions $F$ and $G$ such that there exist two affine permutations $A$, $B$, and an affine function $C$ satisfying $G = A \circ F \circ B + C$. While a priori simple, it is very difficult in practice to test whether two functions are EA-equivalent. This problem has two variants: EA-testing deals with figuring out whether the two functions can be EA-equivalent, and EA-recovery is about recovering the tuple $(A,B,C)$ if it exists. In this paper, we present a new efficient algorithm that efficiently solves the EA-recovery problem for quadratic functions. Though its worst-case complexity is obtained when dealing with APN functions, it supersedes all previously known algorithms in terms of performance, even in this case. This approach is based on the Jacobian matrix of the functions, a tool whose study in this context can be of independent interest. In order to tackle EA-testing efficiently, the best approach in practice relies on class invariants. We provide an overview of the literature on said invariants along with a new one based on the ortho-derivative which is applicable to quadratic APN functions, a specific type of functions that is of great interest, and of which tens of thousands need to be sorted into distinct EA-classes. Our ortho-derivative-based invariant is both very fast to compute, and highly discriminating.

Category / Keywords: secret-key cryptography / Sboxes, equivalence, APN functions, quadratic functions, ortho-derivative

Date: received 27 Feb 2021

Contact author: anne canteaut at inria fr, leo perrin at inria fr, alain couvreur at inria fr

Available format(s): PDF | BibTeX Citation

Version: 20210302:202747 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]