Statistical Properties of the Square Map Modulo a Power of Two

Transcription

1 Statistical Properties of the Square Map Modulo a Power of Two S. M. Dehnavi, A. Mahmoodi Rishakani, M. R. Mirzaee Shamsabad 3, Einollah Pasha Kharazmi University, Faculty of Mathematical and Computer Sciences, Tehran, Iran: std_dehnavism@khu.ac.ir Shahid Rajaee Teacher Training University, Faculty of Sciences, Tehran, Iran: am.rishakani@srttu.edu 3 Shahid Bahonar University, Faculty of Mathematics and Computer Science, Kerman, Iran: mohammadmirzaeesh@yahoo.com Kharazmi University, Faculty of Mathematical and Computer Sciences, Tehran, Iran: pasha@khu.ac.ir Abstract: The square map is one of the functions that is used in cryptography. For instance, the square map is used in Rabin encryption scheme, block cipher RC6 and stream cipher Rabbit, in different forms. In this paper we study a special case of the square map, namely the square function modulo a power of two. We obtain probability distribution of the output of this map as a vectorial Boolean function. We find probability distribution of the component Boolean functions of this map. We present the joint probability distribution of the component Boolean functions of this function. We introduce a new function which is similar to the function that is used in Rabbit cipher and we compute the probability distribution of the component Boolean functions of this new map. Key Words: Square map modulo a power of two, Vectorial Boolean function, Component Boolean function, Rabbit cipher. Introduction The square map, like the operator of multiplication, has various applications in cryptography. For instance in asymmetric cryptography, RSA encryption scheme [] makes use of multiplication and Rabin encryption scheme [] applies the square map. In symmetric cryptography, some symmetric ciphers have the operator of multiplication or the square map in their design. For example block cipher Mars [] uses the operator of multiplication and in design of block cipher RC6 [3] the square map (the operator of multiplication) is used. In designing some stream ciphers, the operator of multiplication and the square map is also used. For instance, the stream cipher Sosemanuk [] uses the operator of multiplication and the stream cipher Rabbit [5] uses the square map. In all the aforementioned cases the operator of multiplication and the

2 square map is used in a variety of methods. In this paper we investigate a special case of the square map, i.e. the square map modulo a power of two and we study probability distribution of this map along with its component Boolean functions. In [6,7] we have studied some statistical and algebraic properties of the operator of multiplication modulo a power of two, but in this paper we study statistical properties of the square map modulo a power of two. At first we consider the square map modulo a power of two as a vectorial Boolean function [8] and we obtain probability distribution of its output. Then, we investigate component Boolean functions of this map and we obtain the probability distribution of these component functions. After that, we consider the joint probability distribution of these component functions for the case of two component functions and we compute the joint probability distribution of these component functions. We introduce a new function similar to what is presented in Rabbit cipher and using joint probability distribution of component Boolean functions of the square map, we obtain the probability distribution of component Boolean functions of this new function. In Section we present the definitions and notations. Section 3 studies probability distribution of the output of the square map modulo a power of two as a vectorial Boolean function. In Section we investigate probability distribution of the component Boolean functions of square map modulo a power of two. In Section 5 we obtain the joint probability distribution of the component Boolean functions of square map modulo a power of two for the case of two component Boolean functions and finally in Section 6 we conclude.. Notations and Definitions In this article, the number of elements or cardinality of a finite set A is denoted by A. For a function f: A B, the preimage of an element b B is denoted by f (b) and is defined as {a A f(a) = b}. The greatest power of that divides a natural number a is denoted by p (a) and the odd part of a or a p (a) is denoted by O (a). Let F be the finite field with two elements. Each element of F n (The Cartesian product of n copies of F ) can be considered as a vector of length n. Each function f: F n F is called a Boolean function and each function f: F n F m with m > is called a vectorial Boolean function; such a function can be viewed as a vector (f m,, f ) of f i s, i < m. Here, f i s are Boolean functions from F n to F. These Boolean functions are called component Boolean functions of the vectorial Boolean function f. Also, if x F n, then the i-th bit of x is denoted by x i. Note that for each vectorial Boolean function f: F n F m we have vectorial Boolean functions f i,j : F n F, i > j, This Paper is an English version of a paper with the same title (in Persian) presented in ISCISC.

3 f i,j (x) = (f i (x), f j (x)), x F n. We call these vectorial Boolean functions joint Boolean functions of f. In this paper, we consider the complete set of remainders modulo n as {,,, n } and denote it by Z n. We define the inverse parity function e j as follows: e j = { j odd, j even. Let (G, ) be a group and φ: G G be a group endomorphism; we denote the kernel of φ by ker(φ) and the image of φ by Im(φ). In the sequel, by the square map (and its component Boolean functions) we mean the square map modulo a power of two. 3. Probability Distribution of the Square Map as a Vectorial Boolean Function In this section, we consider the square map as a vectorial Boolean function and we obtain probability distribution of the output of this map. In Theorem, we employ some facts from group theory [9] and number theory. One of the results of this theorem is identifying the square numbers modulo a power of two. We note that the square of each odd natural number is in the form of 8k +, but not every natural number in the form of 8k + is a square number. Lemma shows that in Z n the square of each odd element is in the form of 8k + ; the interesting point is that, based on Theorem, in Z n every element in the form of 8k + is also a square element. Lemma : Let a Z n be an odd element; we have a = mod 8. Proof: Since a is odd, so there exists a q Z n such that a = q + mod n. Therefore, a = q(q + ) + = 8 ( q(q+) ) + mod n = mod 8. Theorem : Suppose that n > and f: Z n Z n is defined as f(x) = x mod n ; then we have: a) For the case a =, the case a = n with e n =, and the case a = n with e n = :

4 f (a) = n+e n ; b) For the case p (a) mod and the case p (a) mod = with p (a) n 3 and O (a) mod 8 : f (a) = ; c) For the case p (a) mod = with p (a) n 3 and O (a) mod 8 = : f (a) = p (a)+. Proof: a) Consider the equation x = mod n ; on one hand, every x Z n with p (x) n satisfies x = mod n. So, f () is at least n n = n = n+e n. On the other hand, for each x Z n with p (x) < n we have x mod n. Thus, f () = n+e n. Suppose that n is odd and p (a) = n. So a equals to n. Consider the equation x = n mod n ; let x = r q with q odd. We have r q = n mod n. So r = n, q n+ and q = mod. Thus, only odd q s satisfy the equation x = n mod n ; therefore, f (a) = n = n+e n. Now suppose that n is even and p (a) = n. So p (a) = n and a = s n, where s {,3}. If s =, then we consider the equation x = n mod n. Let x = r q with q odd. We have r q = n mod n. Hence r = n, q n+ and q = mod. So only half of odd q s satisfy the equation x = n mod n ; therefore, f (a) = n = n+e n. b) Continuing the proof of the Case a, if s = 3, then considering the equation x = n. 3 mod n and supposing that x = r q with q odd, we have r q = n. 3 mod n ; so, r = n and q = 3 mod. Thus, according to Lemma, we conclude that f (a) =. Suppose that p (a) = mod. Consider the equation x = a mod n. Since the square of any odd element is an odd element, so only even elements x Z n can satisfy

5 x = a mod n. Suppose that x = r q where r and q is odd. We have p (x ) = r which contradicts p (a) = mod. Therefore, f (a) =. Now suppose that p (a) = mod and O (a) mod 8 ; then a = j t, where p (a) = j and t = O (a). Consider the equation x = a mod n. Let x = r q with q odd. We have r q = j t mod n. Consequently, r = j and q = t mod nj ; therefore, regarding Lemma, we have f (a) =. c) We use Theorem 3.3 in [9] to prove this case. Suppose that p (a) = and a = mod 8; the algebraic structure (G, ), where G is the subset of odd elements in Z n and is the operator of multiplication modulo n is a group structure. The function φ: G G with φ(g) = g g is a group endomorphism on G. To compute ker(φ) we must count the number of solutions for the equation x x = G. In other words, we must count the number of solutions for the equation x = mod n. We have (x )(x + ) = mod n. Since x is odd, for some q Z n we have x = q +. So, q(q + ) = mod n. Consequently, we have q =, q = n, q = n or q + = n, q + = n, q + = n. Substituting the values of q, we have these solutions: x =, x = n, x 3 = n +, x = n +. Thus, ker (φ) = and since Im(φ) = G ker (φ), we have Im(φ) = n = n3. On the other hand, according to Lemma and since the number of elements in Z n in the form of 8q + is equal to n3 and Im(φ) = n3, so every element in the form of 8q + in Z n is a square element. Therefore, the equation x = a mod n at least has a solution x = t. It is not hard to verify that

6 x = t. ( n ) mod n, x 3 = t. ( n ) mod n, and x = t. ( n + ) mod n, are the only other solutions for the equation. Consequently, we have f (a) = ker (φ) = = p (a)+. Now suppose that p (a) = mod with p (a) n 3 and O (a) mod 8 =. In this case, we have a = j t with p (a) = j and t = O (a). Consider the equation x = a mod n. Let x = r q with q odd. We have r q = j t mod n ; so, r = j and q = t mod nj. Regarding Lemma and the proof of Case b, this equation has four solutions with q nj. For each of these solutions we present j solutions We have x = j (s nj+ + q), s j. x = j (s nj+ + q + sq nj+ ) = s nj+ + j q + sq n+ = j q mod n. In fact, regarding the inequality j n 3, we have n j n + 3. Thus, f (a) = p (a) + = p (a)+.. Probability Distribution of Component Boolean Functions of the Square Map In this section, we study the component Boolean functions of square map and we find the probability distribution of these component functions. Theorem has been proved in [] with the help of some concepts in T-function theory. Here, we reprove this theorem using Theorem. Theorem : Suppose that n > and the function f: Z n Z n is defined as z = f(x) = x mod n ; then we have

7 i = P(z i = ) = { + i+ i < n Proof: The cases i =, are obvious. Suppose that < i < n and i is odd; the number of elements a with p (a) = j is equal to nj and the number of a s with p (a) = j and O (a) mod 8 is equal to nj3. By Theorem, P(z i = ) = f (a) n p (a)<i p (a) mod = a i = i3 = nj3 j+ n. j= = ( i ) = i+. Suppose that < i < n and i is even; the number of elements a with p (a) = j is equal to nj and the number of a s with p (a) = j and O (a) mod 8 is equal to nj3. By Theorem, P(z i = ) = f (a) n p (a)<i p (a) mod = a i = i = nj3 j+ n. j= = ( i ) = i+. Now suppose that i = n and i is even; we have

8 P(z n = ) = f (a) p (a)<n n p (a) mod = a n = = f ( n ) n + n6 nj3 j+ j= n. = n = i+. Now if i = n and i is odd, then we have P(z n = ) = f (a) n p (a)<n p (a) mod = a n = n5 = nj3 j+ n. j= Now if i = n and i is even, then we have Finally, if i = n and i is odd, then we have = i+. P(z n = ) = f (a) n p (a)<n p (a) mod = a n = n3 = nj3 j+ n. j= = i+.

9 P(z i = ) = f (a) n p (a)<i p (a) mod = a i = n = nj3 j+ n. j= = i+ 5. Joint Probability Distribution of Component Boolean Functions of the Square Map In this section, we investigate the joint component Boolean functions of square map and we obtain the joint probability distribution of these component functions. Then, using these distributions, we introduce a new map similar to what is presented in Rabbit cipher and we find the probability distribution of component Boolean functions of this new map. Theorem 3: Suppose that n > and the function f: Z n Z n is defined as z = f(x) = x mod n ; we have: a) For j + < i, b) For j < i j + with j >, c) For the other cases, + ()a () b + ( a) j, j + i + P(z i = b, z j = a) = ()b + ( a) j =. { i + P(z i = b, z j = a) = + e j(a b) + e a + ea()b. j+3 j+ j+ i+

10 + ( e ae i+j ) ()b j =, i =, P(z i = b, z j = a) = ( a) ( + ()b ) j =, i =,3 a+ b j =, i = 3 3e a { 8 + ae b j =, i =. (These probabilities for n is also presented in the Appendix.) Proof: At first, suppose that j is even; or j = r, r >. We have P(z i = b, z r = ) = P(z = c) c i =b,c r = = P(z = c). p (c) r p (c) mod = c i =b,c r = () In summation (), if p (c) = k, k r, then binary representation of c is in this form: c = (,,, b,,,,,,,, i r k+, k+,,,,). Consequently, k + 5 bits are determined and so we have nk5 nonzero summands, the p(c)+ probability of each is equal to, by Theorem. Thus, the contribution of this case in () is n equal to (k+3). We note that the case k = r contradicts Theorem. For the case k = r, r + bits are determined, and so we have nr nonzero summands, the probability of each p(c)+ equals to by Theorem. Therefore, the contribution of this case in () is equal to n (r+). Hence, r P(z i = b, z r = ) = ( (k+3) ) + (r+) k= Now, using basic probability theory and Theorem and (), we have k = r+. () P(z i = b, z r = ) = P(z i = b ) P(z r = ) + P(z i = b, z r = )

11 = + ()b +. r+ i + So, P(z i = b, z r = a) = + ()a ()b r+ + ( a) i +. At this point, suppose that j is odd; i.e. j = r +, r. We have P(z i = b, z r+ = ) = c i =b,c r+ = P(z = c) = P(z = c). p (c) r+ p (c) mod = c i =b,c r+ = (3) In (3), according to Theorem, p (c) can be,,,r. Similar to the previous case, and So, Thus, in the case j, we have Now, suppose that j = : P(z i = b, z r+ = ) = r+, P(z i = b, z r+ = ) = + ()b +. r+ i + P(z i = b, z r+ = a) = + ()a ()b + ( a). r+ i + P(z i = b, z j = a) = + ()a j + + ( a) P(z i = b, z = ) = P(z = c) c i =b,c = () b i +. = P(z = c). p (c)=,c i =b ()

12 In (), four bits are determined and so we have n summands, the probability of each is equal to n by Theorem. Hence, and similarly, P(z i = b, z = ) = n. n =, P(z i = b, z = ) = P(z i = b ) P(z = ) + P(z i = b, z = ) So, for the case j =, we have = + ()b. i+ P(z i = b, z = a) = b) For < j and i = j + or = j +, we have P(z i = b, z j = ) = P(z = c) c i =b,c j = + ( a) ()b i +. = P(z = c). p (c) j p (c) mod = c i =b,c j = According to the proof of Case a and regarding the binary representation of c, for the even and odd cases of j, we have and P(z i = b, z j = ) = 3 n5 + n7 n = + e je b. j n( n j+ j+ j+ +) n + e je b n(j+3) P(z i = b, z j = ) = (P(z i = b ) + P(z j = ) P(z i = b, z j = )) = j+3 + j+ j+ + ()b + be j. i+ j+ j+ n

13 So, for j < i j + and j >, we have P(z i = b, z j = a) = + e j(a b) + e a + ea()b j+3 j+ j+. i+ c) All the cases are simple. Now, we introduce a new function similar to what is presented in stream cipher Rabbit and we obtain the probability distribution of its component Boolean functions. Theorem : Suppose that n 8 is an even natural number, the function f: Z n Z n is defined as z = f(x) = x mod n and w = g(x) = x (x n ) mod n. Here, is the bitwise right shift operator and means the bitwise XOR. We have Proof: According to Theorem 3, we have P(w i = ) = + i + n i ( n ), i < n. P(w = ) = P(z z n = ) = P(z =, z n = ) + P(z =, z n = ) and for < i < n, = + n+, P(w i = ) = P(z i z i+(n ) = ) = P(z i =, z i+(n ) = ) + P(z i =, z i+(n ) = ) = + i+n+. For n, according to Theorem, we have Therefore, P(w i = ) = + i+n+. P(w i = ) = + i + n i ( n ).

14 References [] D.R. STINSON, Cryptography - Theory and Practice, 3rd edn. Chapman & Hall/CRC, Boca Raton, 3. [] C. Burwick, D. Coppersmith, E. D Avingnon, R. Gennaro, Sh. Halevi, Ch. Jutla, S. M. Matyas Jr., L. O Connor, M. Peyravian, D. Safford, N. Zunic: MARS - a Candidate Cipher for AES, proceeding of st Advanced Encryption Standard Candidate Conference, Venture, California, Aug [3] R. L. Rivest, M. J. B. Robshaw, R. Sidney, Y.L. Yin: The RC6 Block Cipher, Proceeding of st Advanced Encryption Standard Candidate Conference, Venture, California, Aug [] C. Berbain, O. Billet, A. Canteaut, N. Courtois, H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, C. Lauradoux, M. Minier, T. Pornin, and H. Sibert, Sosemanuk, a Fast Software-Oriented Stream Cipher, submitted to Ecrypt, 5. [5] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, and O. Scavenius, Rabbit: A New High- Performance Stream Cipher, in Fast Software Encryption (FSE 3), LNCS 887, pp , Springer-Verlag, 3. [6] A. Mahmoodi Rishakani, M. R. Mirzaee Shamsabad, S. M. Dehnavi, Hamidreza Maimani, Einollah Pasha, Statistical Properties of Modular Multiplication Modulo a Power of Two, 9 th International Conference on Information Security and Cryptology (ISCISC ), University of Tabriz, Tabriz, Iran, [7] S. M. Dehnavi, A. Mahmoodi Rishakani, M. R. Mirzaee Shamsabad, Einollah Pasha, Cryptographic Properties of Modular Multiplication Modulo a Power of Two, Kharazmi Journal of Science, No. -, pp , 3 (In Persian) [8] Claude Carlet, Boolean functions for Cryptography and Error Correcting Codes, available via [9] J. B. Fraleigh. A First Course in Abstract Algebra, Sixth edition, ADDISON-WESLEY publishing company Inc, 999. [] A. Klimov and A. Shamir, A New Class of Invertible Mappings, Workshop on Cryptographic Hardware and Embedded Systems (CHES),.

15 Appendix In the following tables, the probability corresponding to the i-th column and the j-th row is equal to P(z i = b, z j = a). a = b = a = b = 3 a = b = 3 a = b = 3