Comments on A design of Boolean functions resistant to (fast) algebraic cryptanalysis with efficient implementation

Transcription

1 Cryptogr. Commun. (0 5: 6 DOI 0.007/s Comments on A design of Boolean functions resistant to (fast algebraic cryptanalysis with efficient implementation Wenhao Wang Meicheng Liu Yin Zhang Received: December 0 / Accepted: 4 July 0 / Published online: 9 July 0 Springer Science+Business Media LLC 0 Abstract In this correspondence it is shown that the Boolean functions constructed by Pasalic (Cryptogr Commun 4(: do not always have the high degree product of order n as expected. Keywords Boolean functions High degree product Fast algebraic attacks Mathematics Subject Classifications (00 T55 T7 Introduction A Boolean function on n variables is a mapping from F n to F. Denote the set of all n-variable Boolean functions by B n.any f B n can be uniquely represented as a multivariate polynomial over F called the algebraic normal form (ANF as f (x x n = u F n λ u n i= x ui i λ u F u = (u u n. The algebraic degree of f denoted by deg( f is the maximal value of the Hamming weight of u such that λ u = 0. Supported by the National 97 Program of China under Grant 0CB0400 the National Natural Science Foundation of China under Grants and 674 the Grand Project of Institute of Software of CAS under Grant YOCX W. Wang M. Liu (B Y. Zhang The State Key Laboratory of Information Security Institute of Information Engineering Chinese Academy of Sciences Beijing 0095 People s Republic of China meicheng.liu@gmail.com W. Wang wangwenhao@is.iscas.ac.cn Y. Zhang zhangy@is.iscas.ac.cn

2 Cryptogr. Commun. (0 5: 6 A preprocessing of fast algebraic attacks on linear feedback shift register based stream ciphers which use a Boolean function f as the filter or combination generator is to find a function g of small degree such that the multiple gf has reasonable degree. In [] Pasalic introduced the notion of high degree product (HDP to scale the ability of Boolean functions resistant to fast algebraic attacks. A Boolean function f B n satisfies the HDP of order n if for any non-annihilating function g of degree e e n we necessarily have that d = deg(gf satisfies e + d n. The author presented an iterative construction of Boolean functions with almost optimal HDP thatisthehdp of order n. In this letter it is shown that the constructed functions do not always achieve desired properties. First we point out that there is a flaw in the proof of [ Theorem 4] which is used to construct functions with almost optimal HDP. Then we examine the example given by the author and it turns out that some of the constructed functions do not satisfy the HDP of order n as claimed. Review of Pasalic s construction A Boolean function f B n+ can be considered as a concatenation of four functions denoted by f = f f f f 4 with f i B n.the ANF of f is given by f = x n+ x n+ ( f + f + f + f 4 + x n+ ( f + f + x n+ ( f + f + f. ( The iterative construction is described as follows f i = f i f i + f i f i f i = f i + f i f i + f i f i = + f i f i f i f i ( where f 0 f 0 f 0 B n are initial functions and f i f i f i B n+i the constructed functions. Statement [ Theorem 4] Let f 0 f 0 f 0 B n and for any g = g 0 g0 g0 g0 4 B n+ of degree e [ n ] the following is satisf ied deg f 0 b j g 0 j + f 0 c j g 0 j + f 0 d j g 0 j n e b j c j d j F. j= j= ( Then the functions f j i B n+i i 0 and j = def ined by ( have almost optimal HDP that is satisfying e + d n + i for e [ n +i ]. Let g i+ = g i gi gi gi 4 B n+i+ deg(g i+ = e and μ i e = deg f i b j g i j + f i c j g i j + f i d j g i j b j c j d j F. j= j= j= j= Here is omitted from [] that the functions f 0 f 0 f 0 achieve maximum algebraic immunity since it does not influence the HDP properties of the constructed functions.

3 Cryptogr. Commun. (0 5: 6 In [] the proof of the above statement was presented by induction for n ] μ i e [ n + i e e + i (4 which implies the functions f j i have almost optimal HDP. Thecasei = 0 follows directly from (. Suppose the conditions are satisfied for all k < i thatisfor any g k+ = g k gk gk gk 4 B n+k+ of degree e [ n +k ] it holds that μk e n + k e (which was misprinted in []asμ k e n + k e. Then it needs to show the conditions hold for k + as well. Considering the function f k+ = f k f k + f k f k B n+k+ and a degree e function g k+ B n+k+ it is necessary that deg( f k+ g k+ n + k e + for any e [ n +k]. The author focused on the following term in the product f k+ g k+ x n+k+ x n+k+ [ g k + f k 4 gk 4 + f k (gk + gk + f k gk ] and claimed that deg [ f k 4 gk 4 + f k ( g k + g k + f k g k ] n + k e (5 according to (4. Note that (4 holds for e [ n +k ] but not necessarily for e = n +k. Therefore (5 may not hold then the function f j i B n+i may admit a function g of degree n +k for k < i such that deg(gfi j n + i n k i.e. the function may not achieve almost optimal HDP. In particular the function f j i may admit a function g of degree n such that deg(gfi j n + i n. For example when n = 4 the 0-variable function f may admit a function g of degree such that deg(gf 6. Observation on the constructed functions For i according to ( it holds that and therefore by ( we have f i = f i f i + f i f i f i = f i + f i f i + f i f i = + f i f i f i f i f i = x n+i x n+i ( f i + f i + + x n+i ( f i + f i + x n+i + f i f i = x n+i x n+i ( f i + f i + x n+i ( f i + f i + + x n+i ( f i + f i + f i f i = x n+i x n+i ( f i + f i + + x n+i ( f i + f i + + x n+i ( f i + f i + + f i +.

4 4 Cryptogr. Commun. (0 5: 6 Furthermore we represent f i i by f f i and f i f i = x n+ix n+i ( f i + f i + x n+i ( f i + f i + + x n+i ( f i + f i + f i Let then we calculate that = x n+i x n+i x n+i x n+i ( f i + f i + x n+i x n+i x n+i ( f i + f i + x n+i x n+i x n+i ( f i + f i + + x n+i x n+i ( f i + f i + + x n+i x n+i x n+i ( f i + f i + + x n+i x n+i ( f i + f i + + x n+i x n+i ( f i + f i + + x n+i ( f i + f i + x n+i x n+i x n+i ( f i + f i + + x n+i x n+i ( f i + f i + + x n+i x n+i ( f i + f i + x n+i ( f i + f i + x n+i x n+i ( f i + f i + x n+i ( f i + f i + x n+i ( f i + f i + + f i. g = (x n+i + x n+i (x n+i + x n+i g( f i + f i = x n+i x n+i x n+i x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i (6 which has degree 4. Therefore we have gf i = gfi + x n+i x n+i x n+i x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i (7 This can be examined in Magma see also Appendix for the Magma source codes.

5 Cryptogr. Commun. (0 5: 6 5 and e = deg(g = d = deg(gf i = max{deg(gfi 4} =max{deg( f i + 4}. For n + i 7 if f i is a balanced function which implies deg( f i n + i 5 then e + d n + i and f i never achieves the optimal HDP. For n + i 8 if deg( f i n + i 6 thene + d n + i and f i does not have almost optimal HDP. For i let and Similarly to (7 we can obtain that g = x n+i (x n+i + x n+i + x n+i + g = (x n+i + (x n+i +. g f i = g f i + x n+i x n+i x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i + x n+i x n+i + x n+i g f i = g f i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i + x n+i + x n+i x n+i x n+i + x n+i x n+i + x n+i x n+i + x n+i. The above equations and (7 show that f i or f i has not almost optimal HDP if one of the functions f i f i f i has degree at most n + i 6. Example Hereinafter is an example in [] of the initial functions with n = 4. f 0 = x + x x + x x 4 + x x x + x x x x 4 f 0 = x + x 4 + x x + x x 4 + x x 4 + x x x + x x x 4 + x x x 4 + x x x x 4 f 0 = x + x + x x + x x + x x 4 + x x x + x x x x 4. We verify that the above functions satisfy relation (. From (and( we have f = x 5x 6 ( f 0 + f 0 + x 5( + f 0 + f 0 + x 6( f 0 + f 0 + f 0 = x x x x 4 + x x x + x x + x x x 4 x 5 + x x x 4 x 6 + x x x 4 + x x 5 x 6 + x x 6 + x x x 4 x 5 + x x x 4 x 6 + x x x 4 + x x x 5 x 6 + x x x 5 + x x 4 x 5 + x x 4 x 6 + x x 4 + x x 5 x 6 + x x 6 + x + x x 4 + x x 5 x 6 + x x 5 + x 4 x 5 + x 4 x 6 + x 4 + x 5 and therefore deg( f = 4.Letg = (x 7 + x 9 (x 8 + x 0 then it follows from (7that gf = gf + x 7x 8 x 9 x 0 + x 7 x 8 x 0 + x 7 x 8 + x 7 x 9 x 0 + x 8 x 9 + x 9 x 0 where g has degree and gf has degree 6. This shows that the 0-variable function has not the HDP of order 9. f

6 6 Cryptogr. Commun. (0 5: 6 As a matter of fact the degree of the i-variable function f i equals to i by our computational experiment for i. Then as mentioned previously the function f i ( i has not almost optimal HDP. We also examine the functions f i and f i with i up to 6. It turns out that f 5 B 4 admits e + d = for e = 4 and f 6 f 6 B 6 admit e + d = 4 for e = 4. Conclusion The functions constructed by ( are not always balanced functions with the HDP of order n whatever initial functions are. Yet the constructed functions do not always achieve the HDP of order n even though the initial functions satisfy the condition (. This raises the question whether these functions have the HDP of order n. We check the constructed functions on variables for dozens of initial functions which satisfy ( and no function is found to have the HDP of order< n. Iterative construction of (almost optimal Boolean functions resistant to fast algebraic attacks seems to be a challenge since it seems very difficult to ensure the lower bound of e + d from B n to B n+ for every n. Acknowledgements The authors thank the anonymous referees for their valuable comments and suggestions on improving the manuscript. The authors also thank Tao Shi and Tianze Wang for helpful discussions and seminar participants at SKLOIS: Shaoyu Du Lin Jiao Yao Lu Wenlun Pan et. al. Appendix: Magma codes P<[x]>:=PolynomialRing(GF(7; Q<xxxx4fff>:=quo<P [x[i]^-x[i]:i in [..7]]>; x:=[xxxx4]; f:=[fff]; for i:= to do n:=*i; tp:=(f[]+f[]+*x[n-]*x[n] +(f[]+f[]*x[n-]+x[n]+f[]; tp:=(f[]+f[]*x[n-]*x[n]+(f[]+f[]+*x[n-] +(f[]+f[]*x[n]+f[]; tp:=(f[]+f[]+*x[n-]*x[n]+(f[]+f[]+ *x[n-]+(f[]+f[]+*x[n]+f[]+; f:=[tptptp]; end for; (x[]+x[]*(x[]+x[4]*(f+f[]; x[]*(x[]+x[]+x[4]+*(f+f[]; (x[]+*(x[]+*(f+f[]; Reference. Pasalic E.: A design of Boolean functions resistant to (fast algebraic cryptanalysis with efficient implementation. Cryptogr. Commun. 4( 5 45 (0 This question is suggested by one of the anonymous reviewers.