**The Inverse of $\chi$ and Its Applications to Rasta-like Ciphers**

*Fukang Liu and Santanu Sarkar and Willi Meier and Takanori Isobe*

**Abstract:** At ASIACRYPT 2021, Liu et al. pointed out a weakness of the Rasta-like ciphers neglected by the designers. The main strategy is to construct exploitable equations of the $n$-bit $\chi$ operation, denoted by $\chi_n$. However, these equations are all obtained by first studying $\chi_n$ for small $n$. In this note, we demonstrate that if the explicit formula of the inverse of $\chi_n$, denoted by $\chi_n^{-1}$, is known, all these exploitable equations would have been quite obvious and the weakness of the Rasta-like ciphers could have been avoided at the design phase. However, the explicit formula of $\chi_n^{-1}$ does not seem to be well known, and the most relevant work was published by Biryukov et al. at ASIACRYPT 2014. In this work, we give a very simple formula for $\chi_n^{-1}$ that can be written down in only one line, and we prove its correctness in a rigorous way. Based on this formula, the formula for the exploitable equations of Rasta-like ciphers can be easily derived, and therefore more exploitable equations are found.

**Category / Keywords:** secret-key cryptography / Rasta, the inverse of chi, affine variety, algebraic attack

**Date:** received 28 Mar 2022

**Contact author:** liufukangs at gmail com, willimeier48 at gmail com, santanu at iitm ac in, takanori isobe at ai u-hyogo ac jp

**Version:** 20220328:144748

**Short URL:** ia.cr/2022/399
