Shift-invariant transformations and almost liftings
Jan Kristian Haugland, Tron Omland
TL;DR
This work develops the framework of shift-invariant (rotation-symmetric) S-boxes on $\mathbb{F}_2^n$ induced from a $k$-variable Boolean function, relaxing bijectivity to allow controlled collisions. It introduces potential liftings and, more broadly, almost liftings, establishing that an almost lifting with diameter $k$ has at most $2^{k-1}$ collisions for any $n$, and connecting these to surjective cellular automata. The authors classify and enumerate small-$k$ examples, introduce the notion of virtual liftings, and analyze cryptographic properties such as DP/DU, NL, LPU, and differential branch number. They present selected candidate functions with favorable collision patterns and differential properties, and outline future research directions including extensions to other fields and co-design with linear layers for near-permutation-based cryptography.
Abstract
We investigate shift-invariant transformations, also known as rotation-symmetric vectorial Boolean functions, on $n$ bits that are induced from Boolean functions on $k$ bits, for $k\leq n$. We consider such transformations that are not necessarily permutations, but are, in some sense, almost bijective, and study their cryptographic properties. In this context, we define an almost lifting as a Boolean function for which there is an upper bound on the number of collisions of its induced transformation that does not depend on $n$. We show that if a Boolean function with diameter $k$ is an almost lifting, then the maximum number of collisions of its induced transformation is $2^{k-1}$ for any $n$. Moreover, we search for functions in the class of almost liftings that have good cryptographic properties and for which the non-bijectivity does not cause major security weaknesses. These functions generalize the well-known map $χ$ used in the Keccak hash function.