Invertible Quadratic Non-Linear Functions over $\mathbb F_p^n$ via Multiple Local Maps

Ginevra Giordani; Lorenzo Grassi; Silvia Onofri; Marco Pedicini

Paper 2023/690

Invertible Quadratic Non-Linear Functions over $\mathbb F_p^n$ via Multiple Local Maps

Ginevra Giordani

, Università degli Studi dell'Aquila, L'Aquila (Italy)

Lorenzo Grassi

, Ruhr University Bochum, Bochum (Germany), Ponos Technology, Zug (Switzerland)

Silvia Onofri

, Scuola Normale Superiore, Pisa (Italy)

Marco Pedicini

, Università degli Studi Roma Tre, Rome (Italy)

Abstract

The construction of invertible non-linear layers over $\mathbb F_p^n$ that minimize the multiplicative cost is crucial for the design of symmetric primitives targeting Multi Party Computation (MPC), Zero-Knowledge proofs (ZK), and Fully Homomorphic Encryption (FHE). At the current state of the art, only few non-linear functions are known to be invertible over $\mathbb F_p$, as the power maps $x\mapsto x^d$ for $\gcd(d,p-1)=1$. When working over $\mathbb F_p^n$ for $n\ge2$, a possible way to construct invertible non-linear layers $\mathcal S$ over $\mathbb F_p^n$ is by making use of a local map $F:\mathbb F_p^m\rightarrow \mathbb F_p$ for $m\le n$, that is, $\mathcal S_F(x_0, x_1, \ldots, x_{n-1}) = y_0\|y_1\|\ldots \|y_{n-1}$ where $y_i = F(x_i, x_{i+1}, \ldots, x_{i+m-1})$. This possibility has been recently studied by Grassi, Onofri, Pedicini and Sozzi at FSE/ToSC 2022. Given a quadratic local map $F:\mathbb F_p^m \rightarrow \mathbb F_p$ for $m\in\{1,2,3\}$, they proved that the shift-invariant non-linear function $\mathcal S_F$ over $\mathbb F_p^n$ defined as before is never invertible for any $n\ge 2\cdot m-1$. In this paper, we face the problem by generalizing such construction. Instead of a single local map, we admit multiple local maps, and we study the creation of nonlinear layers that can be efficiently verified and implemented by a similar shift-invariant lifting. After formally defining the construction, we focus our analysis on the case $\mathcal S_{F_0, F_1}(x_0, x_1, \ldots, x_{n-1}) = y_0\|y_1\|\ldots \|y_{n-1}$ for $F_0, F_1 :\mathbb F_p^2\rightarrow \mathbb F_p$ of degree at most 2. This is a generalization of the previous construction using two alternating functions $F_0,F_1$ instead of a single $F$. As main result, we prove that (i) if $n\ge3$, then $\mathcal S_{F_0, F_1}$ is never invertible if both $F_0$ and $F_1$ are quadratic, and that (ii) if $n\ge 4$, then $\mathcal S_{F_0, F_1}$ is invertible if and only if it is a Type-II Feistel scheme.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Published elsewhere. AfricaCrypt 2023
Keywords: Invertible Quadratic Functions Local Maps Type-II Feistel
Contact author(s): ginevra giordani @ graduate univaq it
Lorenzo Grassi @ ruhr-uni-bochum de
silvia onofri @ sns it
marco pedicini @ uniroma3 it
History: 2023-05-16: approved; 2023-05-15: received; See all versions
Short URL: https://ia.cr/2023/690
License: CC BY-SA

BibTeX

@misc{cryptoeprint:2023/690,
      author = {Ginevra Giordani and Lorenzo Grassi and Silvia Onofri and Marco Pedicini},
      title = {Invertible Quadratic Non-Linear Functions over $\mathbb F_p^n$ via Multiple Local Maps},
      howpublished = {Cryptology ePrint Archive, Paper 2023/690},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/690}},
      url = {https://eprint.iacr.org/2023/690}
}