k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS IN BLOCK CIPHERS Natalia N. Tokareva 1

Transcription

1 Boolean Functions: Cryptography and Applications Fonctions Booléennes : Cryptographie & Applications BFCA 08 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS IN BLOCK CIPHERS Natalia N. Tokareva 1 Abstract. We introduce the notion o k-bent unction, here k is integer, 1 k m/2, and m is an even number o variables. The parameter k makes the property o bentness more strong as k grows up. 1-Bent unctions and bent unctions coincide. The constructions o k-bent unctions or any k are given. We study the cryptanalysis (o a block cipher) based on special quadratic approximations and prove that by using k-bent unctions in a cipher it is possible to make it resistant to this attack. Keywords. k-bent unctions, Hadamard codes, Walsh-Hadamard transorm, quadratic approximations, block ciphers. Introduction Bent unctions orm a well-known topic in discrete mathematics and cryptology. A lot o papers deal with them: starting rom papers o the pioneers O. Rothaus (sixties o XX) [15], J. F. Dillon (1972) [2], R. L. McFarland (1973) [12] and inishing or example with papers o A. Yousse and G. Gong (2001, 2007), C. Carlet and P. Gaborit (2006), A. S. Kuzmin et al. (2006, 2008) on generalized hyper-bent unctions. We reer the interested reader to surveys in [3], [9] and [1]. This research was supported by the Siberian Branch o the Russian Academy o Sciences Integration project Tree-like catalogue o mathematical Internet resources mathtree.ru (no. 35), by the Russian Foundation or Basic Research (projects , ) and Russian Science Support Foundation. 1 Sobolev Institute o Mathematics, Pr. Koptyuga 4, Novosibirsk; Novosibirsk State University, St. Pirogova 2, Novosibirsk; Russian Federation. Phone: Fax: tokareva@math.nsc.ru, web: tokareva

2 2 NATALIA TOKAREVA In this paper we introduce the notion o k-bent unction. It is the Boolean unction with m variables v 1,..., v m (m is even) that is on the maximal possible Hamming distance rom the set o all Boolean unctions u, v j a, where j = 1,..., k, u Z m 2, a Z 2 and k is a ixed integer number, 1 k m/2. Here, k is the special type binary product similar with the inner product over Z 2. Among unctions u, v k a (i k is ixed) there are exactly 2 m k+1 (k+1) aine unctions and 2 m k+1 (2 k k 1) unctions o degree 2. The products, k were deined in [19]. They are connected with the series o Hadamard-like codes constructed rom Z 4 -linear Hadamard codes. The classiication o Z 4 -linear Hadamard and perect codes was given by D. S. Krotov [7], [8]. 1-Bent unctions and bent unctions coincide. For k > l the class o k-bent unctions is a proper subclass o the class o l-bent unctions. We show how to construct k-bent unctions or any k and study their properties. For the application to cryptanalysis we study special quadratic approximations in block ciphers. We use the idea o the wellknown method o linear cryptanalysis given in 1993 by M. Matsui [11]. There exist several nonlinear generalizations o the method s technique: such as the common nonlinear approach introduced by L. R. Knudsen and M. J. B. Robshaw (1996) [6] and developed by J. Nakahara et al. (2003) [13], J. M. E. Tapiador et al. (2007) [18] and some quadratic techniques or concrete ciphers or example as in the paper o T. Shimoyama and T. Kaneko (1998) [16] on DES. Some results on special nonlinear approximations based on using reduced representations o Boolean unctions over GF (2 m ) are obtained by A. V. Ivanov (2007) [5]. However, the common nonlinear technique leaves many questions open. We approximate Boolean unctions by all unctions u, π(v) k, where u, k and permutation π on m variables v 1,..., v m are arbitrary. The class o such unctions includes 2 m (i. e. all) linear unctions and not more than 2 m(1+log 2 m) the special type quadratic unctions. So, it is possible to look through all o them in order to ind the best approximation. Properties o the product, k and simple ormulas or the Hamming distances between a Boolean unction and the classes o unctions u, π(v) k (or ixed π, k) account or our choice o the unctions u, π(v) k or approximation. We show that by using k-bent-unctions in a cipher it is possible to make the maximum absolute values o the biases be

3 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 3 minimal. In this way one can reach the extreme resistance o a cipher to these quadratic approximations. Also we consider several 4-bit permutations with the most high nonlinearity recommended or using in S-boxes o GOST , DES, s 3 DES in relation to the quadratic approximations. We show that or the all o them (excepting only one) there are special quadratic equalities on input and output bits with probability more high than any linear equality has. We present our theoretical results in the concentrated orm. All statements we give without proos. The proos or the acts rom sections 1 2 one can ind in [19], [20]; rom sections 3 5 in [21]. In these papers we give also a detailed literature survey, which we omit here. 1. Basic deinitions 1.1. Notions o coding theory Let m be integer. Binary vector (u 1,..., u m ) we denote by u. Consider the metric space Z m 2, d H on the set o all binary vectors o length m with respect to the Hamming metric. The Hamming distance d H (, ) between two binary vectors is the number o coordinates in which they dier. The Hamming weight wt H ( ) o a vector is given by the equality wt H (v) = d H (v, 0), where 0 is the all-zero-vector. By F m we denote the set o all Boolean unctions with m variables. By the distance dist(, ) between two Boolean unctions we mean (as usual) the Hamming distance between their vectors o values. A subset C o Z m 2 is called a code; m is the length o C. The smallest distance between distinct elements o the code (i.e. codewords) is called the minimum distance o C Binary product, k Let u, v = u 1 v 1... u m v m be the inner product o binary vectors u and v over Z 2. For any integer k, 0 k m/2, we deine the binary operation, k : Z m 2 Zm 2 Z 2 by the ollowing rule: ( k k ) u, v k = Y i Y j u, v, (1) i=1 j=i where Y i = (u 2i 1 u 2i )(v 2i 1 v 2i ) or any integer i, 1 i m/2. It is easy to see that u, v 0 = u, v and u, v 1 = u, ˆv, where ˆv is obtained rom v by changing v 1 and v 2 over. For example

4 4 NATALIA TOKAREVA in case m = 4 we have u, v 1 = u 2 v 1 u 1 v 2 u 3 v 3 u 4 v 4 and u, v 2 = (u 1 u 2 )(u 3 u 4 )(v 1 v 3 v 1 v 4 v 2 v 3 v 2 v 4 ) u 2 v 1 u 1 v 2 u 4 v 3 u 3 v 4. The operation, k seems to be an analog o the standard inner product. Proposition 1.1. For any integer m, k, such that 0 k m/2, or any u, v, w Z m 2 it holds (i) u, v k = v, u k ; (ii) au, v k = a u, v k or arbitrary a Z 2 ; { (iii) ( 1) u,v k w,v k 2 = m, i u = w, 0 else. v Z m 2 For more complicated properties o, k see sections 1.4 and k-aine unctions u, v k a For a ixed k, 0 k m/2, we deine the ollowing class o Boolean unctions on m variables v 1,..., v m : A k m = { u, v k a u Z m 2, a Z 2 }. (2) A unction rom A k m we call k-aine unction. It is easy to see that size o A k m (denote it by A k m ) is equal to 2 m+1. We note that classes A 0 m and A 1 m coincide and give us the class o aine unctions. That is why in what ollows we oten consider k, such that 1 k m/2. Note that or the unctions rom A k m the irst 2k and the last m 2k variables play distinct roles. The partition into pairs is also important. So, there is inequality o rights or variables. I g u (k) (v) = u, v k, then it is true dist(, g u (k) ) = 2 m W (k) (u), dist(, g u (k) 1) = 2 m W (k) (u), where W k is the k-walsh-hadamard transorm and will be deined in 1.5. As we know the degree o a Boolean unction is the number o variables in the longest item o its algebraic normal orm. Proposition 1.2. For any integer m, k, 0 k m/2, the class A k m consists o 2 m k+1 (k + 1) unctions o degree 1 and 2 m k+1 (2 k k 1) unctions o degree From k-aine unctions to Hadamard-like code A k m At irst the deinition o, k was given in terms o coding theory [19]. Binary vectors o values or all unctions u, v k a

5 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 5 orm the binary Hadamard-like code A k m o length 2 m, size 2 m+1 and minimum distance 2 m 1. Let us present its construction and properties. Here m and k are any integer numbers, 0 k m/2. Let G k m be the (m k) 2 m -matrix over Z 4 that consists o the lexicographically ordered columns z T, where z runs through Z k 4 (2Z 4) m 2k. Matrices o this type at irst were considered by D. S. Krotov, see [7], [8] or the classiication o Z 4 -linear Hadamard-like and perect codes. For example, G 1 4 = ( ) , G = We use the ollowing notations. Let β, γ : Z i 4 Zi 2 be coordinatewise extensions o the mappings β : 0, 1 0; 2, 3 1 and γ : 0, 3 0; 1, 2 1. Let ϕ : Z i 4 Z2i 2 be the coordinate-wise extension o the Gray mapping: ϕ : a (β(a), γ(a)) or any a Z 4. Let the mapping ϕ k : Z k 4 Zm 2k 2 Z m 2 be given by ϕ k : (u, u ) (ϕ(u ), u ) or any u Z k 4, u Z m 2k 2. Consider the vector h u = ϕ 1 k (u) Gk m o length 2 m over Z 4 or any u Z m 2. Let C k m = (c k u,v), u, v Z m 2, be the 2m 2 m -matrix over Z 4 with the rows h u. These rows we arrange in the lexicographical order o vectors ϕ 1 k (u). We will numerate the columns o Ck m by the vectors v in the lexicographical order o vectors ϕ 1 k (v). For example, see matrices C 1 4 and C2 4 with the required numbering o lines by vectors u, v. Here or the binary vector (u 1, u 2, u 3, u 4 ) we write the number 8u 1 + 4u 2 + 2u 3 + u 4 in the hexadecimal system; e. g. we write 7 or (0111), B or (1011), etc. c 1 u,v CD E F 8 9 AB C D E F A B c 2 u,v CD F E 8 9 BA C D F E B A

6 6 NATALIA TOKAREVA All matrices C k m are symmetric and can be constructed iteratively: C k m+1 = (Ck m J 2 ) + (J 2 m C 0 1 ) and Ck+1 m+2 = (J 4 C ( k m) ) + (C 1 2 J 2 m), where J s is the all-one-matrix o order s, C 0 1 = 00 02, ) A B is the Kronecker product A B = or ( a11 B... a 1p B a p1 B... a pp B the p p-matrix A and q q-matrix B, + is taken over Z 4. Let 2 be the all-two-vector. The rows o matrices C k m and C k m + 2 J 2 m (i. e. all vectors h u and h u + 2) orm a group code A k m with operation + over Z 4, i. e. i x, y A k m then x + y belongs to A k m too. Denote by A k m the binary code obtained rom A k m by an action o β in every position o its codewords, A k m = β(a k m). Although the map β : Z 2m 4 Z 2m 2 is not one-to-one, it is possible to inverse it on the set A k m (one can easily prove it). On codewords o A k m deine the binary operation : A k m A k m A k m connected with + on the set A k m. Let x y = β(β 1 (x) + β 1 (y)) or any vectors x, y A k m. It is easy to see that (A k m, ) is an Abelian group. Moreover the operation is coordinated with the Hamming metric, i. e. Proposition 1.3. For any codewords x, y A k m it holds d H (x, y) = wt H (x y 1 ), where y 1 A k m is the codeword such that y y 1 = 0. Our products, k can be deined like this. Proposition 1.4. For any u, v Z m 2 it holds u, v k = β(c k u,v). The good product s properties that we have are caused by this geometric deinition o, k. With respect to the operation we can say that the nonlinear product, k has the linear-like properties coordinated with Hamming metric. This act can be developed in details in the uture k-walsh-hadamard transorm Now or k, 0 k m/2, we deine the unction W (k) : Z m 2 Z by the rule W (k) (v) = ( 1) u,v k (u) or any v Z m 2, u Z m 2

7 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 7 and call it k-walsh-hadamard transorm o F m. It is obvious that W (0) is the standard Walsh-Hadamard transorm o and W (0) (v) = W (1) (ˆv), here ˆv is the vector deined in 1.2. For the k- Walsh-Hadamard transorm o any F m the inversion ormula holds ( 1) (u) = 1 2 m v Z m 2 ( 1) u,v k W (k) (v) or any u Z m 2, Theorem 1.5. For any m, k, 1 k m/2, or any F m the ( analog o Parseval s equality holds W (k) 2 (v)) = 2 2m. v Z m 2 The inversion ormula and Parseval s equality or W (k) can be easily derived rom Proposition 1.1. It ollows rom Theorem 1.5 that or any F m it holds max v Z m 2 W (k) (v) 2 m/2. (3) 1.6. k-bent unctions Let m, k be arbitrary, such that 1 k m/2. Let k-nonlinearity o F m be deined as N (k) = min g A k m dist(, g). Proposition 1.6. It holds N (k) = 2 m max v Z m 2 W (k) (v). Thus, we have inequality N (k) 2 m 1 2 (m/2) 1. Boolean unction F m we call maximal k-nonlinear, i each parameter N (j), j = 1,..., k, gets the maximal possible value. For even m Boolean unction F m we call k-bent unction, i all coeicients W (j) (v), j = 1,..., k, are equal to ±2 m/2 (and hence N (j) = 2 m 1 2 (m/2) 1 or j = 1,..., k). By constructing k-bent unctions we show that or any even m two deinitions given above do coincide. The class o all k-bent unctions on m variables (m is even) we denote by B k m. We see that B 1 m B m/2 m, and B 1 m coincides with the class o bent unctions B m. Further we show that here any symbol can be changed to and any set B k m is not empty.

8 8 NATALIA TOKAREVA 2. How to construct k-bent unctions 2.1. Small values o m For m = 2 it is known that B 1 2 includes any Boolean unction such that its vector o values has an odd Hamming weight. Thus, B 1 2 = 8. Let m = 4. We have B 1 4 = 896 and any unction rom B1 4 is quadratic (i. e. o degree 2). It is well known (see [10]) that the set B 1 4 o all 1-bent unctions can be divided into 28 classes. Each class contains 32 Boolean unctions with the same quadratic part and all possible linear parts. These 28 dierent types o quadratic parts can be given with the diagram: (3) (12) (12) (1) Here vertices correspond to variables, edges correspond to the quadratic items in algebraic normal orm o a unction. We have proven that B 2 m = 384. The class B 2 m consists o 12 classes. Every class again contains 32 Boolean unctions distinct rom each other only by a linear part. These 12 quadratic parts are o the ollowing types (3) (4) (4) (1) In details, this series o graphs is obtained rom the previous one by taking only those graphs or which the number o non horizontal edges is even. The ordering o vertices is important. We should numerate them rom let to right and then rom up to down. Below one can see these special 8 graphs with 3 or 4 edges: For example, the unction ξ(v 1, v 2, v 3, v 4 ) = v 1 v 2 v 2 v 3 v 3 v 4 is 1-bent, but not 2-bent Iterative construction Now we give simple iterative constructions or k-bent unctions.

9 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 9 Proposition 2.1. Let m, r be even, k be integer, 1 k m/2. Let a unction F m+r be represented in the orm (u, u ) = p(u ) q(u ) or any u Z m 2, u Z r 2, where p F m, q F r are unctions with nonintersecting sets o variables. Then B k m+r i and only i p B k m, q B 1 r. We know that a Boolean unction s F m is called symmetric i it holds s(π(v)) = s(v) or any permutation π on m variables. The set o all symmetric unctions on 2 variables we denote by F 1 2. Proposition 2.2. Let m be even, k be integer, 1 k m/2. Let a unction F m+2 be represented in the orm (a, a, u) = s(a, a ) p(u) or any a, a Z 2, u Z m 2, where s F 1 2, p F m are unctions with nonintersecting sets o variables. Then B k+1 m+2 i and only i s B1 2, p Bk m. Summarizing both Propositions 2.1 and 2.2 we have Theorem 2.3. Let m, r 0 be even, j 0, k 1 be integer, k m/2. Let a unction F 2j+m+r be represented in the orm ( j ) (a 1, a 1,..., a j, a j, u, u ) = s i (a i, a i) p(u ) q(u ), where s 1,..., s j F 1 2, p F m and q F r are unctions with nonintersecting sets o variables. Then B j+k 2j+m+r i and only i s 1,..., s j B 1 2, p Bk m and q B 1 r. i=1 Let m be even (m 2), k be any integer (1 k m/2). Then Corollary 2.4. The class B k m is not empty. Corollary 2.5. It holds B 1 m B m/2 m. Corollary 2.6. I m 4 then or any integer d, 2 d max{2, (m/2) k + 1}, there exists k-bent unction o degree d. Corollary 2.7. It is true that B k m 2 2k 2 B 1 m 2k+2. But the last bound seems to be very rough.

10 10 NATALIA TOKAREVA 2.3. Several properties o k-bent unctions Let S m be the symmetric group on m elements. Denote by S m,k the subgroup o S m generated by all transpositions (1, 2), (3, 4),..., (2k 1, 2k). Let F k m be the set o all Boolean unctions rom F m that are constant on the each orbit o Z m 2 by an action o S m,k. The number o such orbits is equal to 3 k 2 m 2k, and hence we have F k m = 2 3k 2 m 2k = 2 2m k log Theorem 2.8. For any even m, any integer k, 1 k m/2, it is true that F k m B k m = F k m B 1 m. Theorem 2.8 helps to study known bent unctions in order to determine their k-bentness. It seems to be an interesting question. 3. The class m o unctions or approximation Let m be even, k be integer, 1 k m/2. For a permutation π S m deine the ollowing class o unctions on variables v 1,..., v m : A k m,0 (π) = { u, π(v) k u Z m 2 }. Note that or any π the set A 1 m,0 (π) consists o all linear unctions. We will approximate Boolean unctions in ciphers with unctions rom the class m = A k m,0(π). π S m 1 k m/2 We call it the class o approximating unctions. To say inormally by using distinct permutations π here we make all variables v 1,..., v m be equal in rights in this set o unctions (see the remark in 1.3). Let ANF() be the set o all conjunctions in algebraic normal orm o a unction F m. For π S m by π we denote the Boolean unction given by the equality π (v) = (π(v)). Denote by Act() the subset o {1, 2,..., m/2} with the maximal possible size such that or any distinct elements i, j rom Act() (we call them active) conjunctions v 2i 1 v 2j 1, v 2i 1 v 2j, v 2i v 2j 1 and v 2i v 2j belong to ANF(). Note that Act() = 0 or Act() 2 or any (the case Act() = 1 has no sense). By ρ we denote a permutation on m elements such that Act( ρ ) = max π Sm Act( π ) ; it can be chosen in several ways. E. g. i ANF() = {v 1 v 2, v 1 v 3, v 1 v 4, v 2 v 3, v 3 v 4, v 2, v 3, 1} then Act() =, but Act( (1,3,2,4) ) = {1, 2}.

11 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 11 Let us characterize m in terms o ANFs. Theorem 3.1. Boolean unction F m o degree less or equal to 2, such that (0) = 0, belongs to m i and only i it holds 1) conjunctions v 2i 1 v 2j 1, v 2i 1 v 2j, v 2i v 2j 1, v 2i v 2j belong (or not) to ANF( ρ ) simultaneously or any i, j (1 i j m/2); 2) there are no conjunctions o the orm v 2i 1 v 2i in ANF( ρ ); 3) i i Act( ρ ) then exactly one variable among v 2i 1, v 2i belongs to ANF( ρ ). Corollary 3.2. For any even m it is true that ( m = 2 m 1 + ) ) m/2 m (2k 1)!! k=2(. 2k 2 k Here (2k 1)!! is equal to (2k 1). For instance, 4 = 28, 6 = 904, 8 = But the numbers o linear unctions in these classes are 16, 64 and 256. Theorem 3.1 tells us how to run through m without repetitions. At irst consider all linear unctions. Then or any k, 2 k m/2, take all distinct k-subsets o pairwise nonintersecting 2-subsets o {1,..., m}. Each k-subset o pairs uniquely determines the quadratic part o a unction. For any chosen subset take all possible (see Theorem 3.1) linear parts. 4. Quadratic approximations In this section we give our modiication or the well known method o linear cryptanalysis (M. Matsui, 1993). The main idea o it: to use (linear and quadratic) Boolean unctions rom m in approximations. Consider a block cipher with r rounds o ciphering. We use the ollowing notations: m = m text an even length o a plaintext and a ciphertext; P a plaintext, P Z m 2 ; m key an even length o a key; K a key or ciphering, K Z m key 2 ; F : Z m 2 Zm key 2 Z m 2 a transorm that is one-to-one i we ix the second argument; C = F (P, K) a ciphertext, C Z m 2 ; m key an even length o a subkey or a round; K (i) a subkey or the i-th round o ciphering, K (i) Z m key 2, 1 i r, determined by the key K;

12 12 NATALIA TOKAREVA F i : Z m 2 Zm key 2 Z m 2 a transorm or the i-th round o ciphering, 1 i r; it is one-to-one or a ixed second argument; C (0) = P ; C (i) = F i (C (i 1), K (i) ) an intermediate ciphertext, C (i) Z m 2, 1 i r; C = C(r) the ciphertext; Suppose that all plaintexts P (and keys K) are equiprobable The irst algorithm We introduce a modiication o the Matsui s algorithm or the one key bit determination. It is based on the equality a, π(p ) i b, σ(c) j = d, τ(k) k, (4) where a, b Z m 2, d Zm key 2 chosen vectors; π, σ S m, τ S mkey ixed permutations; i, j, k integer numbers such that 1 i, j m/2, 1 k m key /2. Assume that (4) holds with probability p = ε, where 0 < ε 1/2. The number ε we call the bias o (4). To choose parameters a, b, d, π, σ, τ, i, j, k or the value ε to be maximal it is the next task or a concrete algorithm o ciphering. We do not consider this task here. Let us note that i the parameter i, j or k is equal to 1, then dependence on bits o the corresponding block P, C or K in (4) is linear. Let us ix a key K. Consider the set { (P t, C t ) t = 1,..., N } o known pairs (plaintext,ciphertext), where C t = F (P t, K). The algorithm (as in the linear case) is based on the principle o maximum likelihood. Algorithm 1 deine N 0 = { t : a, π(p t ) i b, σ(c t ) j = 0 } ; { 0, i (N0 guess d, τ(k) k = N 2 ) ε > 0; 1, else; try to ind K using the correlation obtained. The end The reliability ξ 0 o Algorithm 1 (the mathematical expectation o its correct work) can be estimated in the same way as in the case o linear cryptanalysis: ξ 0 2 ε N 1 2π e y2 /2 dy.

13 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 13 For a ixed key K, or any integer i, j, such that 1 i, j m/2, or any permutations π, σ S m denote by ε i,a,π j,b,σ (K; 0) the real number between 1/2 and 1/2 such that the probability o a, π(p ) i b, σ(f (P, K)) j = 0 equals 1/2 + ε i,a,π j,b,σ (K; 0). Proposition 4.1. For any map F (, K) : Z m 2 Zm 2, any i, j, a, b, π and σ it holds 2 m+1 ε i,a,π (i) j,b,σ (K; 0) = W b,σ(f (π 1 ( ),K)) j (a). This proposition gives us the strict connection between the bias ε i,a,π j,b,σ (K; 0) and k-walsh-hadamard coeicients o the Boolean unction b, σ(f (π 1 ( ), K)) j. Let ε(k) be a bias o (4) or a ixed key K. Note that or any k, d and τ it is true ε(k) = ε i,a,π j,b,σ (K; 0). Theorem 4.2. Let K Z m key 2 be ixed. Let b Z m 2, π, σ S m and j, 1 j m/2, be such that the unction b, σ(f (π 1 ( ), K)) j : Z m 2 Zm 2 is (m/2)-bent. Then we have max ε(k) = min ε(k) = i,k,a,d,τ i,k,a,d,τ 2 (m/2) 1. It ollows rom the inequality (3) that 2 (m/2) 1 is the minimal possible value or max a Z m 2 ε(k) when i, j, k, b, d, π, σ and τ are arbitrary. Theorem 4.2 tells us that in order to achieve this minimum we should use (m/2)-bent unctions or constructing F. But to make it possible in practice seems to be a hard problem. Note that linear-like properties o, k (see 1.4) can be used in approximations too. But it requires or a separate investigation. For u = (u 1,..., u m ) let ū k = (u 1 u 2,..., u 2k 1 u 2k ) be a vector o length k. By denote the componentwise multiplication o vectors. In a concrete cipher the ollowing act can be helpul or the joint approximation to be made. Proposition 4.3. For any u, v, w Z m 2, 1 k m/2, it holds u v, w k = u, w k v, w k ū k, w k v k, w k ū k v k w k The second algorithm Here we introduce a modiication o the improved Matsui s algorithm (see [11]). Let s 1, s 2, 0 s 1 < s 2 r, be integers.

14 14 NATALIA TOKAREVA Consider the equality a, π(c (s 1) ) i b, σ(c (s 2) ) j = τ(d), K k, (5) where a, b Z m 2, d Zm key 2 are ixed vectors; π, σ S m, τ S mkey are given permutations; i, j, k are integer numbers such that 1 i, j m/2, 1 k m key /2. Assume that (5) holds with probability p = ε, where 0 < ε 1/2. Suppose that vectors P and C are known. Denote by K those bits o a key K, which we need to know or the values a, π(c (s1) ) i and b, σ(c (s2) ) j to be determined. Let m s1,s 2 be the number o bits in K. Algorithm 2 or any K Z m s 1,s 2 2 determine N 0 ( K) = { t : a, π(c (s 1) t ) i b, σ(c (s 2) t ) j = 0 } ; arrange all vectors rom Z ms 1,s 2 2 : K1,..., K2 ms 1,s 2, in such a way that N 2 N 0( K 1 )... N 2 N 0( K 2 ms 1,s 2 ) ; or any q rom 1 to 2 ms 1,s 2 { do 0, i (N0 ( guess d, τ(k) k = K q ) N 2 ) ε > 0; 1, else; The end try to ind K using the correlation obtained. The same acts on ε as in the case o the irst algorithm can be obtained. We omit them here. 5. Permutations in S-boxes For a binary vector x = (x 1, x 2, x 3, x 4 ) denote by x the number 8x 1 +4x 2 +2x 3 +x 4 rom 0 to 15. Let p 1, p 2, p 3, p 4 and c 1, c 2, c 3, c 4 be respectively binary inputs and outputs o a 4-bit permutation S : P C, i.e. S( P ) = C. Using 4 we ind the most probable equalities on input and output bits o S. According to Corollary 3.2 we have 4 = 28. There are 16 linear unctions. 12 quadratic unctions we can list in the way: u, (v 1, v 2, v 3, v 4 ) 2, u, (v 1, v 3, v 2, v 4 ) 2, u, (v 1, v 4, v 2, v 3 ) 2, where ũ gets values 5, 6, 9 and 10. Consider equalities

15 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 15 a, π(p ) i b, σ(c) j = 0, (6) where i i = 1 we take vectors a with ã equal to 0,..., 15 and identity permutation π; i i = 2 we take vectors a with ã = 5, 6, 9, 10 and permutations π = id, (1, 3, 2, 4), (1, 3, 4, 2) (the same we do or b and σ in the cases j = 1, j = 2). With these conditions unctions a, π( ) i and b, σ( ) j run trough 4 without repetitions. For S consider the table with rows numbered by triples (i, ã, π) and columns numbered by triples (j, b, σ), such that an element o the table is the bias o the corresponding equality (6) multiplied by 16. In other words an element o the table is the number o times when (6) holds minus 8. Note that one can construct this table or any l-bit permutation, l > 4. Let us deine the non-quadratic characteristic o a permutation S in the ollowing way: NQ(S) = min i,j min a 0,b 0 min {P : a, π(p ) i b, σ(c) j δ}. δ Z 2,π,σ In other words NQ(S) equals the dierence o 8 and the maximal absolute value o an element in the table (excepting elements or zero combinations o bits). By the nonlinearity o a permutation S we as usual mean NL(S) = min min {P : a, π(p ) 1 b, σ(c) 1 δ}. a 0,b 0 δ,π,σ The part o the table given by i = j = 1 corresponds only to linear equalities o bits. So, the dierence o 8 and the maximal absolute value o an element in this part (excepting elements o the irst lines) is equal to NL(S). Obviously, NQ(S) NL(S). It is known act [4] that or any 4-bit permutation S it holds NL(S) 4. For instance, or S = (0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8) we have the Table 1. We see that NQ(S ) = 2 but NL(S ) = 4. There are 7 quadratic equations on input and output bits o S with probability 7/8, although any linear equality has probability not higher than 3/4. Among these 7 equalities there is or example c 3 = (0110), P 2 = p 1 p 3 p 1 p 4 p 2 p 3 p 2 p 4 p 1 p 4 that is linear with respect to output bits. We test [21] permutations with the most high nonlinearity NL = 4 recommended or using in S-boxes o GOST , DES, s 3 DES (see or them [14], [17]) and ound that or all o them (excepting one) there are special quadratic relations on input and output bits with probability 7/8 whereas any linear equality has

16 16 NATALIA TOKAREVA probability not more then 3/4. And only or one permutation S = (13, 10, 0, 7, 3, 9, 14, 4, 2, 15, 12, 1, 5, 6, 11, 8) we have NL(S ) = 4 and NQ(S ) = 4; in this case we can not deliver any additional inormation in comparison with linear approximations. j = 1 j = 2 j = 2 j = 2 16 ε i,a,π j,b,σ id id (1,3,2,4) (1,3,4,2) i = id i = id i = (1,3,2,4) i = (1,3,4,2) Table 1. The biases or the permutation S. Reerences [1] Carlet C. Boolean Functions or Cryptography and Error Correcting Codes, chap. o the monogr. Boolean methods and models, Cambridge Univ. Press (P. Hammer, Y. Crama eds.), to appear. Prelim. version is available at www-rocq.inria.r/secret/claude.carlet/chap-cts-bool.pd. [2] Dillon J. F. A survey o bent unctions Special Issue o the NSA Technical Journal, P [3] Dobbertin H., Leander G. A survey o some recent results on bent unctions Proc. o the Int. con. on Sequences and their applications (Seul, Korea. October 24 28, 2004). Berlin: Springer, P (LNCS 3486).

17 k-bent FUNCTIONS AND QUADRATIC APPROXIMATIONS 17 [4] Heys H. M., Tavares S. E. Substitution-permutation networks resistant to dierential and linear cryptanalysis, volume 9 o J. Cryptology, N 1. P [5] Ivanov A. V. The use o the reduced representation o the Boolean unctions in their nonlinear approximations construction, Bulletin o Tomsk State University. Supplement N 23. P [6] Knudsen L. R., Robshaw M. J. B. Non-linear approximation in linear cryptanalysis Proc. o EUROCRYPT 96. (Saragossa, Spain. May 12 16, 1996). P (LNCS 1070). [7] Krotov D. S. Z 4-linear perect codes, volume 7 o Discrete Analysis and Operation Research, N. 4. P (in Russian). English translation is available at [8] Krotov D. S. Z 4 -linear Hadamard and extended perect codes, Proc. o the Int. Workshop on Coding and Cryptography (Paris, France. January 8 12, 2001). P [9] Logachev O. A., Sal nikov A. A., Yashenko V. V. Boolean unctions in coding theory and cryptology. Moscow center or the uninterrupted mathematical education, 2004 (in Russian). [10] MacWilliams F. J., Sloane N. J. A. Theory o error correcting codes. North-Holland: Amsterdam, [11] Matsui M. Linear cryptanalysis method or DES cipher Proc. o EURO- CRYPT 93. (Lothus, Norway. May 23 27, 1993) P (LNCS 765). [12] McFarland R. L. A amily o dierence sets in non-cyclic groups, volume 15 o Journal o Combin. Theory, Ser. A N 1. P [13] Nakahara J., Preneel B., Vandewalle J. Experimental Non-Linear Cryptanalysis, COSIC Internal Report. Katholieke Univ. Leuven p. [14] Rostovtsev A., Mahovenko E. Introduction to the theory o iterative ciphers, Saint-Petersburg, 2003 (in Russian). [15] Rothaus O. On bent unctions, volume 20 o Journal o Combin. Theory, Ser. A N 3. P [16] Shimoyama T., Kaneko T. Quadratic relation o S-box and its application to the linear attack o ull round DES, Proc. o CRYPTO 98. (Santa Barbara, Caliornia. USA. August 23 27, 1998) P (LNCS 1462). [17] Shneier B. Applied cryptography. Protocols, algorithms and source code in C [18] Tapiador J. M. E., Clark J. A., Hernandez-Castro J. C. Non-linear Cryptanalysis Revisited: Heuristic Search or Approximations to S-Boxes, IMA Int. con. (Cirencester, UK. Dec , 2007) P (LNCS 4887). [19] Tokareva N. N. Bent unctions with stronger nonlinear properties: k-bent unctions, volume 14 o Discrete Analysis and Operation Research, N 4. P (in Russian). Engl. trans. will be available soon in J. Applied and Industrial Mathematics and at tokareva. [20] Tokareva N. N. Description o k-bent unctions in our variables, submitted to Discrete Analysis and Operation Research (in Russian). [21] Tokareva N. N. On quadratic approximations in block ciphers, submitted to Problems o Inormation Transmission.