Paper 2022/399

The Inverse of $\chi$ and Its Applications to Rasta-like Ciphers

Fukang Liu, Santanu Sarkar, Willi Meier, and Takanori Isobe


At ASIACRYPT 2021, Liu et al. pointed out a weakness of the Rasta-like ciphers neglected by the designers. The main strategy is to construct exploitable equations of the $n$-bit $\chi$ operation denoted by $\chi_n$. However, these equations are all obtained by first studying $\chi_n$ for small $n$. In this note, we demonstrate that if the explicit formula of the inverse of $\chi_n$ denoted by $\chi_n^{-1}$ is known, all these exploitable equations would have been quite obvious and the weakness of the Rasta-like ciphers could have been avoided at the design phase. However, the explicit formula of $\chi_n^{-1}$ seems to be not well-known and the most relevant work was published by Biryukov et al. at ASIACRYPT 2014. In this work, we give a very simple formula of $\chi_n^{-1}$ that can be written down in only one line and we prove its correctness in a rigorous way. Based on its formula, the formula of exploitable equations for Rasta-like ciphers can be easily derived and therefore more exploitable equations are found.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Rastathe inverse of chiaffine varietyalgebraic attack
Contact author(s)
liufukangs @ gmail com
willimeier48 @ gmail com
santanu @ iitm ac in
takanori isobe @ ai u-hyogo ac jp
2022-03-28: received
Short URL
Creative Commons Attribution


      author = {Fukang Liu and Santanu Sarkar and Willi Meier and Takanori Isobe},
      title = {The Inverse of $\chi$ and Its Applications to Rasta-like Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2022/399},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.