Generating highly nonlinear resilient Boolean functions resistance against algebraic and fast algebraic attacks

Transcription

1 SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2015; 8: Published online 1 September 2014 in Wiley Online Library (wileyonlinelibrary.com) RESEARCH ARTICLE resistance against algebraic and fast algebraic attacks Jun-Po Yang 1 and Wei-Guo Zhang 1,2 * 1 State Key Laboratory of Integrated Services Networks, Xidian University, Xi an , China 2 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing , China ABSTRACT Boolean functions play an important role in the design of stream ciphers. In this paper, a simulated annealing algorithm is designed to obtain Boolean functions satisfying all the needed criteria: high nonlinearity, 1-resiliency, optimal algebraic degree, optimal (or suboptimal) algebraic immunity, and good immunity to fast algebraic attacks. These functions provide a good trade-off among the criteria to resist the known cryptanalytic techniques. Copyright 2014 John Wiley & Sons, Ltd. KEYWORDS algebraic immunity; Boolean functions; fast algebraic resistance; resiliency; simulated annealing algorithm *Correspondence Wei-Guo Zhang, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing , China. weiguozhang@vip.qq.com 1. INTRODUCTION A stream cipher is a symmetric cipher which operates with a time-varying transformation on individual plaintext digits. Stream ciphers are usually faster and have a lower hardware complexity, which make them suitable for lots of applications including the encryption and decryption of great data in communication networks [1,2]. As the critical building blocks of stream ciphers, Boolean functions are discussed in this paper. To resist the known attacks on stream ciphers, Boolean functions should satisfy various criteria simultaneously. Before 2003, cryptographic Boolean functions should possess the following criteria: balanceness, resiliency, high algebraic degree, and high nonlinearity. In 2003, algebraic attacks and fast algebraic attacks were introduced in [3,4], which have received lots of attentions. To resist algebraic attack, the concept of algebraic immunity was introduced in [5]. Since then, construction of Boolean functions, which have optimal algebraic immunity and good fast algebraic resistance, becomes important [6 9]. A fundamental relationship between the Walsh spectrum and algebraic immunity was identified, and a construction of Boolean functions with maximum possible algebraic immunity and high degree was presented in [6], which was first presented in [10]. Unfortunately, the construction is unbalanced and not high in the nonlinearity. Carlet and Feng constructed an infinite class of balanced Boolean functions with optimal algebraic immunity, maximal algebraic degree, and high nonlinearity in [7]. Unfortunately, this kind of functions is not resilient, and their nonlinearity is not so high. Based on a combinatorial conjecture, Tu and Deng [11] constructed a class of balanced functions with optimal algebraic immunity, optimal algebraic degree, and high nonlinearity. In 2012, Tu and Deng [12] proposed another class of functions, which satisfy all the main cryptographic criteria: 1-resiliency, optimal algebraic immunity, maximal algebraic degree, and very high nonlinearity. But these functions can not resist the fast algebraic attack. A perfect algebraic immune function is a Boolean function with perfect immunity against algebraic and fast algebraic attacks [13]. It is shown that perfect algebraic immune functions exist when n = 2 m or n =2 m + 1. But a perfect algebraic immune function does not necessarily guarantee other cryptographic criteria such as resiliency and high nonlinearity Copyright 2014 John Wiley & Sons, Ltd.

2 J.-P. Yang and W.-G. Zhang Very recently, McLaughlin and Clark [14] derived balanced Boolean functions, which possess the best nonlinearity so far, optimal algebraic immunity, and good fast algebraic resistance. However, these functions do not possess resiliency either. In this paper, using a simulated annealing algorithm, we found several Boolean functions with optimal algebraic immunity, good fast algebraic resistance, high nonlinearity, and 1-resiliency for 8 n 14. Note that 1-resiliency is efficient to resist correlation attack in the filter model of stream cipher. To the best of our knowledge, these functions satisfy almost all the cryptographic criteria required for stream ciphers. The rest of this paper is organized as follows. In Section 2, some notations and basic definitions are given. The search algorithm of Boolean functions used in our paper is introduced in Section 3. In Section 4, the properties, which include the resiliency, nonlinearity, algebraic immunity, and fast algebraic resistance, are compared with the functions in References [7,12,14]. Section 5 concludes this paper. 2. PRELIMINARIES Let F 2 denote the Galois field GF(2) and F2 n denote the n-dimensional vector space over F 2. An n-variable Boolean function is a mapping from F2 n to F 2. We denote the set of all n-variable Boolean functions by B n. The truth table of a Boolean function f 2 B n can be represented uniquely as a binary string of length 2 n. The truth table of the n-variable function f can be represented as f =(f ( 0), f ( 1),, f ( 2n 1)) where 0 = (000), 1 = (001),, 2n 1 = (1 11). The Hamming weight of f is the number of ones in the truth table, which is denoted by wt(f ). For x = (x 1, :::, x n ), a Boolean function f 2 B n can be represented by its algebraic normal form: f (X n )= X b b2f n 2 where b 2 F 2, b = (b 1, :::, b n ) 2 F2 n. The algebraic degree of f can be defined by ny i=1 x b i i! (1) deg(f ) = max{wt(b) b 0} (2) f is called an affine function when deg(f ) = 1. An affine function with constant term equal to zero is called a linear function. Any linear function on F2 n is denoted by x = 1x nx n where =( 1, :::, n), X n =(x 1, :::, x n ) 2 F n 2 Several properties of Boolean function can be deduced from its Walsh spectrum. For 2 F2 n, the value W f ( ) = X ( 1) f (x)+ x (3) x2f n 2 is the Walsh spectrum of f at. The support of f is given by supp(f )={x 2 F2 n f (x) =1} f 2 B n is balanced if and only if wt(f )=]supp(f )=2 n 1 that is, the number of zeros and ones in its truth table is equal, or equivalent, W f (0)=0. Definition 2.1. The nonlinearity of a Boolean function f 2 B n, denoted by N f, is defined as the distance to the set of all affine functions, N f = min ]{x 2 2A(n) Fn 2 : f (x) (x)} (4) where A(n) is the set of all affine functions on F n 2. The nonlinearity of f can also be obtained through the Walsh transform as follows [15]: N f =2 n max ˇ ˇWf ( )ˇˇ (5) 2F2 n Parseval s equation [16] states that X Wf ( ) 2 =2 2n which implies that x2f n 2 N f 2 n 1 2 n/2 1 Xiao and Massey [17] gave a spectral characterization of Boolean function with resiliency. This characterization is described as follows: Lemma 2.1. f 2 B n is m-resilient if and only if its Walsh transform satisfies W f ( ) =0, for 0 wt( ) m (6) where 2 F2 n and wt( ) is its Hamming weight. Unfortunately, the resiliency and nonlinearity cannot be maximized at the same time. Siegenthaler [18] showed that for m-resilient Boolean functions. deg(f ) n m 1 (7) Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd. 1257

3 J.-P. Yang and W.-G. Zhang Definition 2.2. The algebraic degree of f is called optimal if deg(f ) =n m 1. The balanced Boolean functions can be regarded as 0-resilient functions, whose optimal algebraic degree is n 1. The autocorrelation spectrum of f in point is defined by r f ( ) = X ( 1) f (x)+f (x+ ) x2f n 2 where 2 F2 n. Global avalanche characteristic (GAC) describes the overall avalanche characteristics of f, which are related to two indicators: the absolute indicator f = max 0 r f ( ) and the sum of squares indicator f = X rf 2 ( ) Lemma 2.2. ([19]:) An important relation between r f ( ), f and the Walsh transform is as follows Wf 2 (b) = X r f ( )( 1) b which results in X W 4 f ( ) =2n f Definition 2.3. For an n-variable Boolean function f, we define AN(f )={g 2 B n fg =0} A Boolean function g 2 AN(f ) is an annihilator of f. The algebraic immunity of an n-variable Boolean function f, denoted by AI(f ), is defined as AI(f ) = min{deg(g) fg =0or (f +1)g =0, g 0} Lemma 2.3. ([3,5]): f 2 B n. Then, AI(f ) d n 2 e. f is said to have optimal algebraic immunity if AI(f )=d n 2 e. But unfortunately, high algebraic immunity is necessary but not sufficient condition for good resistance against fast algebraic attack. The resistance against fast algebraic attack is measured by considering the sum of the degrees of functions g and h in the relation of the form f (x)g(x) =h(x). Set e = deg(g) and d = deg(h). The cryptanalyst seeks for nonzero g, h 2 B n so that e+d in the aforementioned relation is minimized. The tuple (e, d) completely determines the complexity of the associated fast algebraic attack (FAA). The fast algebraic resistance of f, which is denoted by FAA(f ), is defined as the minimum value of e + d for all (e, d)-relations of f. FAA(f ) is used to measure the ability to resist fast algebraic attack. The fast algebraic resistance is optimal if e + d n for any e 2 [1, dn/2e 1]. In other words, if we can find g of low degree and h 0 of reasonable degree such that f g = h, then a fast algebraic attack is feasible [4,20,21]. Definition 2.4. An n-variable Boolean function f can be considered as optimal to resist fast algebraic attacks if there do not exist (e, d)-relations with e + d < n. According to the Algorithm 2, 3 in [22], a full program in [23] is used to calculate the algebraic immunity and (e, d)-relations in this paper. 3. SIMULATED ANNEALING ALGORITHM Simulated annealing [24] is a generic probabilistic metaheuristic for the global optimization problem of locating a good approximation to the global optimum of an objective function in a large search space. It is often used when the search space is discrete. In this part, we introduce a simulated annealing algorithm, which can be used to search for Boolean functions satisfying all the cryptographic criteria needed in stream ciphers Individual evaluation in the algorithm We defined the objective function obj(f )as obj(f )= X Wf 4 ( ) According to Parseval s equality and Lemma 2.2, we have and X X Wf 2 ( ) =22n W 4 f ( ) =2n f Note that the sum of squares of the Walsh spectra is constant while the sum of quartic power of the Walsh spectra is not. The sum of quartic power of the Walsh spectra, which is proportional to the GAC, can be used to evaluate the difference of two functions. Simulations show that the nonlinearity is usually high when the GAC properties are good. So, we choose the quartic power of the Walsh spectra as the objective function Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd.

4 J.-P. Yang and W.-G. Zhang 3.2. Early termination condition In the algorithm, an early termination condition is needed to end the algorithm when a satisfactory solution is found. The early termination condition is compromised by three criteria, which are described as follows: To determine Criterion 1, the theorem in [25] is cited without proof. Theorem 3.1. Let n 3 and m n 3. Let f 2 B n be an m-resilient function. Then, W f ( ) is congruent to 0 mod 2 m+2, where 2 F2 n. Obviously, the Walsh spectra of a 1-resilient function are multiples of 2 3. Criterion 1. According to the aforementioned theorem, we introduce the function t(f )= X W f ( ) mod 2 3 We should note that t(f )=0is the necessary but not sufficient condition for the 1-resilient function f. To determine Condition 2, the linear transformations algorithm [26] was presented. Given a balanced function f 2 B n, we define S f = 2 F n 2 W f ( ) =0 (8) If there exist n linearly independent vectors in S f, then one can construct a nonsingular nn matrix B f whose rows are linearly independent vectors from S f. Let f 0 (x) =f (C f x), where C f = B 1 f. Then, f 0 is 1-resilient, and both f 0 and f have the same nonlinearity, algebraic degree, algebraic immunity, and fast algebraic resistance. Criterion 2. If f is a 1-resilient function, then S f >n, where S f denotes the cardinality of S f. Criterion 3. Note that the nonlinearity is proportional to the maximum Walsh spectral value. Setting up an expected maximum Walsh spectral value will help us to find satisfactory solutions. For example, we set 24 as the expected maximum spectral value for eight-variable Boolean function, which will lead to find a f 2 B 8 with nonlinearity 116. Next, we can propose the early termination condition of our algorithm. It can be defined as a logical value: tar( f )=(t ( f )=0)^ (js f j > n) ^ (maxjw f ( )j u) where u is the expected maximum Walsh spectral value of the function, and ^" denotes the Boolean AND operation. That is, if the three aforementioned criteria are satisfied at the same time, then our algorithm can be terminated Temperature control In simulated annealing, a temperature variable is kept to simulate the cooling process of the metal. The temperature has to be set high initially and is allowed to slowly cool while the algorithm is running. When the temperature variable is high, the algorithm will probably accept solutions that are worse than the current solution. This makes the algorithm have the chance to jump out of locally optimal solutions during the early execution. As the temperature is reduced, the chance of accepting worse solutions is decreased too. Therefore, the algorithm will gradually focus on an area of the search space, which is hopefully close to the optimum solution. Hence, the temperature control does affect the probability of finding good solution implicitly. We use T k to denote the temperature at time k, where k denotes the iteration round. The following formula will be used as the temperature drop formula in our algorithm. T k = In( k 1 +1) (9) T 0 In this case, the speed of the temperature drop is prominent at the beginning of the algorithm and will be reduced with the increase of the iteration round k Our simulate annealing algorithm In order to find the best solution of cryptographic Boolean functions, we next described our simulate annealing algorithm as follows: Step 1: Initialization: Let i =0; Set the initial temperature T 0 ; set the maximum number of inner loop I m ; Randomly generate the initial solution, a balanced function f ; Determine the early termination condition tar(f ); Let the memory best = f ; Identify NUM with the maximum number of times the algorithm accept worse solutions than the current solution. Step 2: i = i +1,ifi > I m, go to step 6. Else, repeatedly run steps 2 to 7. Step 3: Randomly changed f by two bits to generate a new solution f 0. Step 4: Calculation of E = obj(f 0 ) obj(f ). If E <0, then f = f 0, best = f 0. Step 5: If E 0 and exp( E/T k )>randfloat(0, 1), then f = f 0, num = num +1. Step 6: If num > NUM, go to step 8. Step 7: If tar(best) = 1, go to step 9. Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd. 1259

5 J.-P. Yang and W.-G. Zhang Step 8: Changed the temperature to T k according to Equation (5); k = k +1;i = 0; go to step 2. Step 9: Outputs the ultimate solution. The algorithm was programmed according to the aforementioned steps in the computer, which has AMD Athlon (tm) II X2 240e CPU and 2.00 G RAM. Before using the algorithm, the I m and NUM were set properly, for example, and 50 for eight-variable function. Running the program for many times, we obtained several good solutions, which will be discussed in the next paragraph. Using our simulate annealing algorithm, many Boolean functions, which satisfy the early termination condition (tar(f ) = 1) can be found. The cryptographic properties of the examples in appendix can be easily checked using the definitions. These functions possess the following desired properties: high nonlinearity (Definition 2.1), optimal algebraic degree (Definition 2.2), optimal (or suboptimal) algebraic immunity (Lemma 2.3), and suboptimal to resist fast algebraic attack (Definition 2.4). These functions are not 1-resilient in general. Fortunately, they can be transformed to 1-resilient functions (Lemma 2.1) by using linear transformations algorithm [26]. Till now, our ideal results are finished. 4. EXPERIMENT RESULTS AND ANALYSIS In this paragraph, the detailed computational processes of the properties are explained. According to the formulas (3) and (4), both nonlinearity and resiliency of the experiment results are obtained by the Walsh spectra, which can be calculated by the formula (2). The algebraic degree, algebraic immunity, and fast algebraic resistance of the functions can be calculated by the computer program provided by Fischer [23]. In Appendix, we give the examples for n = 8, 9, 10, 11, 12, 13, and 14. In Table I, we compare our results with those in [7], [12], and [14]. For simple and convenient, we represent the parameters of the functions by this format: (N f, m, d, AI(f ), FAA(f )), where N f, m, d, AI(f ), and FAA(f ) denote nonlinearity, resiliency, algebraic degree, algebraic immunity, and fast algebraic resistance of a Boolean function f, respectively. The comparison of our results with the results of [7,12,14] is presented in Table I. Next, we analyze the data in Table I in the following aspects. Algebraic degree: By Equation (7), we can see that the algebraic degree of any function in Table I is optimal. Resiliency: The functions in [7] and [14] are not 1-resilient, which are considered to be cryptographically undesirable. Note that our functions and the functions in [12] are 1-resilient, which is commonly preferred in the filter model stream ciphers. Nonlinearity: As we know, achieving a good trade-off between resiliency and nonlinearity is a difficult issue. In other words, the resiliency will do harm" to the nonlinearity of a Boolean function. For this reason, the nonlinearities of our 1-resilient functions are slightly lower than those of the balanced (0-resilient) functions in [14] when n 9. Be that as it may, ours still overmatch those in [7]. At the same time, our functions are no worse than those in [12] when n = 8, 10. Note that the construction technique in [12] is inapplicable when n is odd. Algebraic immunity and fast algebraic resistance: The algebraic immunity of our functions are optimal when n is even and suboptimal when n is odd. It is to be noted here that the fast algebraic resistance of our functions is n 1, which is better than (or the same with) that of the functions in [7,14]. As the functions in [12], Carlet has shown that they are weak against fast algebraic attacks [27]. From aforementioned analysis, we can see that our functions provide the best possible trade-off among the parameters. 5. CONCLUDING REMARK Construction of Boolean functions satisfying various criteria simultaneously is a traditional problem in stream cipher. There are two main methods to obtain Boolean functions with good cryptographic properties. One is using construction methods; the other is using computer search technique. The former needs a precise mathematical proof to convince the readers of the good cryptographic properties of the constructed functions. But the latter does Table I. Comparison of our results with the results of [7,12,14] (8 n 14). n [7] [14] [12] Ours 8 (112, 0, 7, 4, 6) (116, 0, 7, 4, 7) (112, 1, 6, 4, ) (116, 1, 6, 4, 7) 9 (232, 0, 8, 5, 8) (238, 0, 8, 5, 7) (236, 1, 7, 4, 8) 10 (478, 0, 9, 5, 8) (488, 0, 9, 5, 9) (484, 1, 8, 5, ) (484, 1, 8, 5, 9) 11 (980, 0, 10, 6, 10) (988, 0, 10, 6, 9) (984, 1, 9, 5, 10) 12 (1970, 0, 11, 6, 10) (1996, 0, 11, 6, 11) (1996, 1, 10, 6, ) (1988, 1, 10, 6, 11) 13 (4020, 0, 12, 7, 11) (4012, 1, 11, 6, 12) 14 (8036, 0, 13, 7, 12) (8084, 0, 13, 7, 13) (8100, 1, 12, 7, ) (8072, 1, 12, 7, 13) 1260 Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd.

6 J.-P. Yang and W.-G. Zhang not need a mathematical proof because the generated functions must satisfy the expected cryptographic properties (which have been restricted in the early termination conditions). Most people deal with this problem through algebraic methods [7], [12], [28]. Unfortunately, the properties of the constructed functions are always unable to attend to everything at one time. This is partly the reason why simulated annealing is used in this correspondence. Moreover, the problem discussed in this paper is a classic optimization problem. It is also an nondeterministic polynomial (NP) search problem. Simulated annealing is a methodology used to approximate the solution of an NP problem. For example, simulated annealing can be used to the traveling salesman problem. Unfortunately, we can not give a precise mathematical proof for the properties of the proposed Boolean function in theoretical approaches. The simulated annealing algorithm is the classical algorithm applied in solving some NP search problems, which include NP complete problem, see references [29], [30], and [31]. These papers do not provide the mathematical proof for the proposed solutions of the NP search problem either. This question is left for future research. In this paper, using a modified annealing algorithm, we obtain Boolean functions with 1-resiliency, optimal algebraic degree, very high nonlinearity, optimal algebraic immunity, and good fast algebraic resistance. A class of functions is found for the first time, which shows that resiliency and good fast algebraic resistance can be satisfied at the same time. ACKNOWLEDGEMENTS This work is supported by the National Natural Science Foundation of China (nos , , and ), Open Foundation of State key Laboratory of Networking and Switching Technology (Beijing University of Posts and Telecommunications) (SKLNST ), the Natural Science Basic Research Plan in Shaanxi Province of China (no. 2012JM8041), and the 111 Project (no. B08038). REFERENCES 1. Lo CC, Chen YJ. Secure communication mechanisms for GSM networks. Journal of IEEE Transactions on Consumer Electronics 1999; 45(4): Stevenson D, Hillery N, Byrd G. Secure communications in ATM networks. Journal Communications of the ACM 1995; 38(2): Courtois N, Meier W. Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology EUROCRYPT 2003, (Lecture Notes in Computer Science). Springer-Verlag: Berlin, Germany, 2003; Courtois N. Fast algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology CRYPTO 2003, (Lecture Notes in Computer Science). Springer-Verlag: Berlin, Germany, 2003; Meier W, Pasalic E, Carlet C. Algebraic attacks and decomposition of Boolean functions, Advances in Cryptology - EUROCRYPT, Interlaken, Switzerland, 2004; Carlet C, Dalai DK, Gupta KC, Maitra S. Algebraic immunity for cryptographically significant Boolean functions: analysis and construction. IEEE Transactions on Information Theory 2006; 52(7): Carlet C, Feng K. An infinite class of balanced functions with optimal algebraic immunity, good immunity to fast algebraic attacks and good nonlinearity. In Advances in Cryptology Asiacrypt 2008, (Lecture Notes in Computer Science). Springer-Verlag: Berlin, Germany, 2008; Li N, Qu L, Qi W, Feng G, Li C, Xie D. On the construction of Boolean functions with optimal algebraic immunity. IEEE Transactions on Information Theory 2008; 54(3): Pasalic E. Information Security and Cryptology-ICISC 2008, 2009; Dalai DK, Maitra S, Sarkar S. Basic theory in construction of Boolean functions with maximum possible annihilator immunity. Designs, Codes and Cryptography 2006; 40(1): Tu Z, Deng Y. A conjecture about binary strings and its applications on constructing Boolean functions with optimal algebraic immunity. Designs, Codes and Cryptography 2011; 60(1): Tu Z, Deng Y. Boolean functions optimizing most of the cryptographic criteria. Discrete Applied Mathematics 2012; 160(4-5): Liu M, Zhang Y, Lin D. Advances in Cryptology Asiacrypt 2012, 2012; McLaughlin J, Clark JA. Evolving balanced Boolean functions with optimal resistance to algebraic and fast algebraic attacks, maximal algebraic degree, and very high nonlinearity. IACR Cryptology eprint Archive 2013; 11, http: //eprint. iacr. org/2013/011. pdf. 15. Meier W, Staffelbach O. Advances in Cryptology EUROCRYPT 89, 1990; MacWilliams FJ, Sloane NJA. The Theory of Error-correcting Codes. Elsevier/North-Holland: Amsterdam, Xiao GZ, Massey JL. A spectral characterization of correlation-immune combining functions. IEEE Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd. 1261

7 J.-P. Yang and W.-G. Zhang Transactions on Information Theory 1988; 34(3): Siegenthaler T. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory 1984; 30(5): Carlet C. Partially-bent functions. Designs, Codes and Cryptography 1993; 3(2): Armknecht F. Improving Fast Algebraic Attacks, in Fast Software Encryption 2004, Lecture Notes in Computer Science, vol Springer-Verlag: Berlin, Germany, Hawkes P, Rose G. Rewriting variables: the complexity of fast algebraic attacks on stream ciphers. In Advance in Cryptology-CRYPTO 2004, (Lecture Notes in Computer Science). Springer-Verlag: Berlin, Germany, 2004; Armknecht F, Carlet C, Gaborit P. et al., Efficient computation of algebraic immunity for algebraic and fast algebraic attacks, Advances in Cryptology- EUROCRYPT 2006, Springer Berlin Heidelberg, St. Petersburg, Russia, 2006; Fischer S. FAA equation finder version 1 [Online]. (Available from: FAA.php). 24. Kirkpatrick S, Gelatt CD, Jr., Vecchi MP. Optimization by simulated annealing. Science 1983; 220(4598): Sarkar P, Maitra S. Advances in Cryptology-CRYPTO 2000, 2000; Maitra S, Pasalic E. Further constructions of resilient Boolean functions with very high nonlinearity. IEEE Transactions on Information Theory 2002; 48(7): Carlet C. On a weakness of the Tu-Deng function and its repair, cryptology eprint archive, 2009/ Zhang WG, Xiao GZ. Constructions of almost optimal resilient Boolean functions on large even number of variables. IEEE Transactions on Information Theory 2009; 55(12): Lin FT, Kao CY, Hsu CC. Applying the genetic approach to simulated annealing in solving some NPhard problems. IEEE Transactions on Systems, Man and Cybernetics 1993; 23(6): Talal M, Alkhamis MH, Mohamed AA. Simulated annealing for the unconstrained quadratic pseudo- Boolean function. European Journal of Operational Research 1998; 108(3): Shakouri GH, Shojaee K, Behnam TM. Investigation on the choice of the initial temperature in the simulated annealing: a mushy state SA for TSP, MED th Mediterranean Conference on Control and Automation, Thessaloniki, 2009; APPENDICES We present, in hexadecimal format, some of the truth tables of the functions. The algebraic degree of these 1-resilient functions is n 2 (optimal). n = 8: the parameters are (116, 1, 4, 7). 8BC6 402F C631 7C56 6BED DB A 9F CBA7 6E68 5B18 44F0 B0D4 BCAB n = 9: the parameters are (236, 1, 4, 8) D4E4 05D8 3B2B BA39 CEC3 98E1 AC8F 79CE C784 4E71 F5E9 05F1 1C43 A3FA 0573 A7A8 61A6 2F57 C A DFB5 7C6B 460B 98B3 3D4C A343 4E5B F13E 70DC B690 2A90 n = 10: the parameters are (484, 1, 5, 9) E757 EB0F A0D8 96AE 8308 F34B 5A5F E8 1F12 0F84 F69B F31F 3EAE C77A B851 D671 57C9 AE89 98CF 1C1A 670B 003A 217D 7AD9 70C9 7A08 F0A7 DAA9 A CC3 C0F DCED C 1D4D F792 FBAB 67C4 257C D49A B D 5DFD A5C6 9AD4 CBBB 887F 2751 BC DCFE DB14 920C 992A 2C8A E37F A6F8 n = 11: the parameters are (984, 1, 5, 10). 26D1 E653 AA62 2D0A 52DB C73D 1B A 1A8D CFD0 6F2A 5ABE D151 CF5E 69B8 DDC6 E3BA BBE F42C 494F A4D D2 2BAF 1057 BC1C 1E70 BFA3 C9D CC F428 DF0C 3CF2 1AFA FD B809 DED2 AAB0 65F2 6A64 22CC D7E B0DB 40C6 81BD A3 A171 13F8 C75D 967F A108 AF20 08A C16 DDE2 EFFB 55EB ECB AF2 981E 55A0 20BE 523B D619 56A9 F0C C 1C5B 3576 A46F 151B C79C E1F 5C9B DD5E 9A35 828E BE AC B91F 0B33 3C01 7E4D 6AF4 F07C 07D8 85A4 7CA7 979A FCDF 9EE1 9CF8 DBCD 4C18 BFED D545 0D8B 06F7 DA91 E2B3 E528 76C8 3E0E 433B DC90 1D87 2E0B AE EA40 ED4D 15EB 831A n = 12: the parameters are (1988, 1, 6, 11). DD11 889E 5644 B A867 FB83 021E D4F E D 3DA8 7B54 B18F E7 6CCC F5DA 6D54 30F4 268B E3B9 8F4F 8BCC 475A E6D7 C552 27DC ECDD 1EE7 A6D3 E434 B11B A5BE 6C11 85E4 582C 4B3C 94AB 5A A 8E9E E B D0C1 4A D6A 229E 8B35 D2F7 0C06 388D DCBE BD4A 7D80 5DA9 01BA B2EC 22F9 F A 40D7 3ADA D423 1F77 CE0E 12E A 829B 921A FCAC E3A8 BB F1F BA0F B237 2C3A 28DE 7B40 E1DA 95D BA1 ABE1 37EA DD05 ECA1 86EA 2006 B7DD 9FB8 AFFD 8EF2 D4BF E762 ED4A 5B7E 62F1 C12C 1D0D F1AC 7C08 9BB1 8D05 E F FA0D 6BCD 6B83 A473 8D93 4B9B 830D E072 ED6F D E6C 83CE 72CB 00CC 75E0 9F F8 422F B691 A895 BD5B DB89 4AD2 85FC E0F 906D A7E3 AC40 D6F6 BEF9 70B BCEA EE5 C2CF 1779 A0A FDE8 D846 3F94 DE6A 4E D135 FDA8 3BA8 3AC5 63F5 FE33 B9BE 7FD9 CB51 44A6 AD9D 5E7E 03AD EF D3E A4CF 84E4 EDC3 688E 5180 C3A3 7D F4 251D 8E95 265E 8C7A CB88 7B34 26F2 BB ABEE 00F A41 51EC F7F E12E F8F1 32C7 29AD E529 6A24 12C6 0E76 A F496 AC DB3E E1D2 C A 6B42 17C7 3F4A 7751 A2E6 FC14 3A A F 6EC9 1FCD CF7C CA 4AD5 DD0E 27F4 03FC 1262 Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd.

8 J.-P. Yang and W.-G. Zhang D4 52B9 8FD1 639A 1EDD D EF1 94C9 8ACF n = 13: the parameters are (4012, 1, 6, 12). 6DEB 64B9 759D 9D89 64C0 31D5 E7DF 5DAF B F C8A BE7 B7B1 2BCE CD D335 AFFE A59C 1D25 E699 2FA5 78C6 427E 9FE1 E060 E0E8 37A0 44DC 7BCB 740A 5C4E 8A37 FD49 A5F7 3DC0 A0E8 A7D1 6D B8 B076 36D4 EDFB 844C ACA F4 46F5 A6AF AE32 373D 8E4A F603 BCEB EE9E C0C4 B515 0BD0 E77B 2865 F161 0B99 A9DD F4C3 B161 66CF EC5B FACF 4BD0 DF45 1B63 D EA03 AF3F 518A F E408 6BB AE14 EFDD ADCC B1C2 C18F 6F C9 C1B4 779D E094 EBAC DD2C 3ADD 5D49 57CB C3A 3D2C D5DC 40AE E05C 390F 6B14 8F14 725E 7D0A BA5E 4ADA E01D 8D53 368A E836 6C4F CFCD 9158 C16A 3BD9 D193 BF76 E166 E15E 22C5 0ED3 423B 4C0C 4CCC A80 F E312 84A0 B41F 6C19 606E 3A21 80A7 DB25 9B CD5 9FB1 22F5 1CFA A932 2FED D8B8 CF2A ABCB 23E F1 4AEA 9F05 C724 FCE1 64E C F209 2B08 A197 2ABF E2EE 6E0F D490 A B9E1 6C64 BDDB 8F21 603D CE5C FAC FF 7960 E502 D242 A5DF F15F 31B9 4E72 0E88 125B 67A3 EBAE 2CD7 49F D6E8 E318 A2AE 9C79 F1BF 34CD B66E E9D 05DC A 4FA3 4C DF5 D614 D4CB A5B8 433F DB6B 70FC F 15C5 1EBB AA87 7B4F 2AE7 4BA2 EB7D 5B41 EB4B E4 F817 2C87 BDFE 210F 73CA 29B6 E5CB 17EE AF1D 8E19 B23E 88BF D410 9F7E 38DD 7DE5 8B1B 0AC1 54D6 A F C EF B CEF3 B8CA FF75 26B2 3F5A BECC 1026 DE70 BADD 21FD B167 96F0 F BBC CDAD 4358 F440 E6B6 C B F5 DC6B F 00D1 73A2 9E1E 7A0D A A9C F B 9B27 BC26 832D E856 1B2F 4B77 A66D C1E DCFF AEB AF A DB86 1D38 76FE E59A 2AA9 701F 0C23 360D 3B82 00B0 2CD9 AF41 B4BA 6A02 C2CA 02C9 B144 BDFE 1F08 BDA1 8F14 86DA 0E8F F8A1 D0C9 42A9 AD F14 5AB3 235C C A A F874 2AAC D4A EAE5 77B7 59F9 144F CC30 9F7F 2D97 ADCC 2FE8 172D DF14 A39D 01E7 69F4 8A4D 1D72 E6E7 F454 65D EC 7FD7 346F AF3F 99F2 A A 3CD ED ECBC DD3 E1C3 6B8F 2C36 7BCF 3107 CAD0 B0A1 2A7C 70F1 F059 F3DA B7A C9D3 E695 F D EFC 945F E517 46C1 97ED A5B A A A87 78EF F149 BB6B 881B A51F A3F E E5 915B DB9A 35F9 4A33 8D32 1D80 FDC8 12F9 389B D9E2 62C0 EF12 84EA BCCC B 6953 E36E C0B7 D1B2 673F 76D1 883D A812 FA8D 0E29 EDB2 9C84 FB13 AC98 C84D 57FD B5E0 F48E 4FE6 3FBA C508 C DE3D E3 AC7D 23AA 98CB 35F9 F228 2E1E 3A5F B2A9 BE6A 36DE E4EC 5181 DDCB 43E9 4E21 4A46 39A4 1F11 587D 43AD 858F 3009 F321 5DF9 34B2 ADD0 6A14 C n = 14: the parameters are (8072, 1, 7, 13) EDC 7C66 64B B F5DA 97A1 AF4C 3928 E9F8 5D77 7F05 C2A3 00F C19 E10A D798 C938 DECC 1F51 F246 3F5A 19D3 8F7D 35A6 4D29 A616 FF1C F5CF 8F46 C496 B ADE F94D 87A5 F91F 60BF CD46 A084 B0E3 92B8 FD67 FC27 8D84 EAFD B0F5 0A38 C4C6 E3A8 8B17 9A36 51A BA A C 5E57 CFA3 74E6 76D6 C58E A5BC 05B4 DB42 107D C2AE 7C83 C689 AA1C 8B49 D F 7CAA AB CE87 AB6B E378 CB05 AE22 99BD D E91F 5CC1 57BD 09A1 46BB D6C9 1FBC F037 1F6E 61A1 8F71 8A81 B8A6 E32E 9BAC 99EA EC 66FF B2ED B94F F909 4BE9 C5D6 E95C F3E4 27E6 D398 88C6 C2FA 7AE8 31F4 FEA4 8B3F 0322 C417 CD26 CF65 3C6F 456A 86F2 C0B8 E5C6 F677 44DD C73C CE82 BE33 E058 61DE DA1E B071 29A0 FCED 7C3B A6AD 74F5 2B1C 71F4 8C67 30F A 3590 D997 D53D B AE2C 3FBC ADDD 1BEE B5EB A1C EB C94 50BB E56A A BB8 DC5D 9A4B A50 1AC8 5DA1 F58E CAC7 71F9 EC1A CA9 05E0 E973 7B4B 273F B D 82D4 C609 9F4C B71 E33C 2EC DB4C 198B 2F77 69A0 BC30 A163 9DC0 09FB AEF5 434D E34B AE89 8C11 D8EA F835 B0BA 6821 AAD3 85DE 87A1 AB6E FB8F 4415 DC16 64C0 3E27 02CD FD42 DE04 72BD F2A1 474D 5A30 FEFC A25 C0B1 27E4 690A FBE4 F330 E871 D037 C37A 6077 C2F CE5D 93C8 B41B 69EA 35A3 E118 F123 37FD F0BC 0AAA 16E9 3E47 11AF 2A E 5227 A25A 4F78 CFEF 8E7A 2CD A6 5E0A C1C5 58D8 E09A D4D A EED EAA3 D6E5 FB4A 88F2 5BB5 E5FD 3C2D 5F4A AB98 0C02 8DBA BFBB ED44 C8D4 A646 61DF 269A 0A60 224B BDC 013A AD5F A38 09DE E 30FA 3A7C 9288 ADCE A86D AC0 9C72 4B53 EC0F 394F 3A59 2A4F 00DF BAA9 0CED A 99A EC4 242B EC5E DEEC B276 74AB 843D DBAC 0C E0 E4B0 EB2F 0D33 D98A AABA AC1A 77F F E5FC C263 E0D8 5D76 9E7E 99C0 7D3A A 64D B 3F25 E728 BB78 DECD 5D79 18FA 68AE 10FF 328B A29C BEA7 7B64 20DC B704 C768 37F0 07C5 8AD7 A9CD 1BD3 98DB B6D7 C6EC 72AC E19E 96E9 EC78 FD32 5A9C C9DB D C 1F99 61B5 2AA B9FA 8BB3 7EDF F6A 56AE BB0B A D D229 1E58 0ABD 1DC1 760C 6E5C 2D1E B94 86C2 E4DE CEDC CC 2E53 6B85 7BEC 5A41 CF25 C4BC 9BB2 BBA E FF1A 2CB3 CBBA D7D9 BD85 087C A180 D467 ECB9 B042 1B86 870C C 18B2 3D3A A2A7 0A19 DCEC 87C4 46BF E EC 99A5 3E94 219F F1AB 1A01 3B07 90D7 9B A563 B83B BB6 F0F7 4BF CF D346 AB18 0B36 B350 DBAD E B C 514E 3644 DCD9 C077 D6A2 590A EA54 AAAC 3DCC 123A AB1E C386 16FD D16C D90C DD27 B4AE 67B1 469E CC C A74 E F 4AAD 23C8 FCB7 F3C4 AA4A F80C 92CF 057C EEB5 4B98 4DCF EE81 B0FC 59A6 152F 4E8F AAC6 83C9 69BB 694C 8853 AE96 C2EA 757B A52D EECF 5701 D A9C 340A A4E7 BD8C C3E5 01E8 3E74 197B BF9A 0BE1 0F B8AB D2 515F A530 4C66 46DC 6EFF 728D A C 1DFB 6F7F C12B 9FB3 D886 CCED B30 DA0D D 8BD3 897D 8074 BF7B 373B 431E D68 6A17 D7D F1 7D69 D98C 82C0 7F0E 7D21 CD75 E A 2EFE 1B82 083F AC E2CE D4F5 AB83 D3A9 344A E411 FBF4 98EE E892 04C0 52E2 1F21 0AB9 0B29 F7F1 1AA2 FDE1 E28B A0F0 B C B58F E A1C 19C1 B5C2 61B8 B78E 60B1 AD33 AFE C 31E2 B421 10D8 CBC8 A8E B98 7F22 12ED 472F F934 7EBE CDF1 DA77 46AF DF78 3F4C DEE8 910B 7C2C 2FC0 229D 1A35 41D F CB8F 20A8 7FA6 CBFA 9872 Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd. 1263

9 J.-P. Yang and W.-G. Zhang F634 A1E9 A43E 57C2 C99D B55C 2B20 9B53 3FF1 BC82 19C0 C37D 817B C D639 3C25 8E BD F351 E01D DD 29E3 C7C B7B8 20FE AF C E3D2 4F76 CF31 F02F 162C A747 9B88 31A6 5CCD 8275 CEAF 893C DF41 3BC0 6EE FFBA 8CE9 EF77 25A4 0A6A 2DA7 CA E9D B1B1 0AC8 9F15 0F36 79FD 162B C2BD 7C42 9A3D 06E B28 C405 EEFC 6052 A13B 3F C E 66EA A6AE 9555 D AB E466 CCFD FA11 2F41 528C DEFF A518 E00F 40F D6D F62 E167 C594 78DF 491D 146C A2A9 74FB CAA4 EBEB E6F9 5BFD 81B3 7C92 A502 47A4 2CDB 88B0 BB57 2F29 45AB B E22F 8263 D368 27AF 09ED 1D65 A6A6 8ECB 2EC1 2CD C CC51 44CC F748 A550 6DD0 85F0 B A0 B26B 5ACE DE5F B1 C541 84C7 A11B 09C5 DDBA BDD6 7F4C F F 9E20 385F 0F6A 1AB2 F1B8 9BAD DE8B 75AE 3F7F 49C5 77C6 300E 36C5 EB58 CB70 2A6A 4AC7 321C D392 1E1D D67 083C 8D9C 6E0C 73D0 9C67 5A61 273A 257B 98F8 E458 29A7 1D7E 2DCB 29D3 D6CC 3A3F BF7 47DD 1F35 3FDA BDB3 B813 E B D30C F743 8B02 B5C1 211B 4546 D58E A746 89B5 AFB ABE0 58D BDD 7A4A A4A8 A4FC 7C DA47 E7CD DCD0 C745 AB2F A402 6B3C 049E 549C 51FA E B 25CD B1FD C A FFED 257E D827 6B82 CFFE D5E2 C9D4 038E EC64 FBD7 F2B2 9FB6 21E0 D564 FCD7 580B EB81 54A1 3C9E FCF AFFE A7B8 6E33 ADE8 5E7C F5BE 8686 A7B D83 772C A0B0 3EBC 21EF 03D5 A52B 5651 F2C1 B862 C47E 6E7A E6 542F 4502 B6C0 D5A6 FD08 FAA3 51CC 69D2 AD17 DE45 0F7A A9DF FF62 0E2F A8DB F737 FA34 7F99 DD1C ED46 6B9D 0D66 F C DA69 CE99 9BE8 2FD5 840D 2136 AD0D 6299 FAFB 109A CB1C 4F1B FD7E E8B DD E0E8 FC1A E1F 8391 C6C7 2E Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd.