Commutative Cryptanalysis as a Generalization of Differential Cryptanalysis

Published at Designs, Codes and Cryptography, 2025

Recently, Baudrin et al. analyzed a special case of Wagner’s commutative diagram cryptanalysis, referred to as commutative cryptanalysis. For a family \((E_k)_k\) of permutations on a finite vector space \(G\), commutative cryptanalysis exploits the existence of affine permutations \(A,B \colon G \rightarrow G\), \(I \notin \{A,B\}\) such that \(E_k \circ A (x) = B \circ E_k(x)\) holds with high probability, taken over inputs \(x\), for a significantly large set of weak keys \(k\). Several attacks against symmetric cryptographic primitives can be formulated within the framework of commutative cryptanalysis, most importantly differential attacks, as well as rotational and rotational-differential attacks. Besides, the notion of \(c\)-differentials on S-boxes can be analyzed as a special case within this framework. We discuss the relations between a general notion of commutative cryptanalysis, with \(A\) and \(B\) being arbitrary functions over a finite Abelian group, and differential cryptanalysis, both from the view of conducting an attack on a symmetric cryptographic primitive, as well as from the view of a theoretical study of cryptographic S-boxes.
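The commutation condition \(E_k \circ A(x) = B \circ E_k(x)\) can be checked exhaustively on a small domain. The following Python sketch is an added illustration, not code from the paper: the 4-bit PRESENT S-box, the toy key-addition family and all function names are assumptions chosen for the example. It shows that taking translations for \(A\) and \(B\) reproduces a difference distribution table (DDT) entry, and that taking a rotation for both singles out a set of weak keys.

```python
# Added illustration; S-box choice, toy cipher and all names are assumptions.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N_BITS = 4
DOMAIN = range(1 << N_BITS)

def commutative_probability(E, A, B):
    """Fraction of inputs x with E(A(x)) == B(E(x))."""
    hits = sum(1 for x in DOMAIN if E(A(x)) == B(E(x)))
    return hits / len(DOMAIN)

def translation(delta):
    """x -> x XOR delta, an affine permutation of F_2^4."""
    return lambda x: x ^ delta

def rotl(x, r=1):
    """Rotate a 4-bit word left by r positions (a linear permutation)."""
    return ((x << r) | (x >> (N_BITS - r))) & (len(DOMAIN) - 1)

def ddt_entry(sbox, alpha, beta):
    """Classical DDT count: #{x : S(x) ^ S(x ^ alpha) == beta}."""
    return sum(1 for x in DOMAIN if sbox[x] ^ sbox[x ^ alpha] == beta)

def sbox_fn(x):
    """The S-box as a function, so it can play the role of E."""
    return PRESENT_SBOX[x]

def key_addition(k):
    """Toy keyed family E_k(x) = x XOR k."""
    return lambda x: x ^ k

def rotational_weak_keys():
    """Keys k for which E_k commutes with rotation on every input."""
    return [k for k in DOMAIN
            if commutative_probability(key_addition(k), rotl, rotl) == 1.0]

if __name__ == "__main__":
    # Differential case: A and B are translations by alpha and beta.
    p = commutative_probability(sbox_fn, translation(0x1), translation(0x9))
    print("commutative probability:", p)
    print("DDT entry / 16:         ", ddt_entry(PRESENT_SBOX, 0x1, 0x9) / 16)
    # Rotational case: only rotation-invariant keys commute for every x.
    print("weak keys:", rotational_weak_keys())
```

For the key-addition family the condition reduces to \(k\) being invariant under the rotation, so every other key commutes on no input at all.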

Joint work with Jules Baudrin, Christof Beierle, Patrick Felke, Gregor Leander, Léo Perrin, Lukas Stennes

Paper | ePrint