Boolean functions in cryptography


University of Wollongong, Research Online, University of Wollongong Thesis Collection. Boolean functions in cryptography. Cheng-Xin Qu, University of Wollongong. Recommended citation: Qu, Cheng-Xin, Boolean functions in cryptography, Doctor of Philosophy thesis, Department of Computer Science, University of Wollongong. Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library.


UNIVERSITY OF WOLLONGONG
Boolean Functions In Cryptography
A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY OF WOLLONGONG by Cheng-Xin QU, Computer Science Department, November

Copyright by Cheng-Xin QU. All Rights Reserved.

Dedicated to my mother, wife and son.

Declaration
This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.
Cheng-Xin QU, November 9,

Abstract
This thesis is about Boolean functions and their cryptographic properties. Two kinds of Boolean functions are discussed: balanced functions and bent functions. In addition to surveying recent research into Boolean functions, a new representation of bent functions, degree-3 homogeneous bent functions, is discovered. The complete set of degree-3 homogeneous bent functions on the lowest-dimension Boolean space V_6 is given. By using bent functions, some ways to construct highly nonlinear balanced Boolean functions are shown in this thesis, which yield a new property of bent functions. The structure of degree-3 highly nonlinear homogeneous balanced functions is also discussed. These results are based on computer searching. The theory of symmetric groups is applied in this research: any Boolean function on V_n has its own symmetric properties associated with the symmetric group S_n, and the relations between Boolean functions and symmetric groups are highlighted. This may lead to a new way to design good S-boxes by using an additive group of Boolean functions which is a subset of the function group generated by the symmetric group. Because good symmetric properties have the potential to give faster implementations, the applications of homogeneous Boolean functions taken as rotation functions are discussed. Bent-like balanced functions are very good candidates for good S-box design. In a degree-3 homogeneous bent or balanced Boolean function, each term is considered as a three-variety block. It is then found that homogeneous Boolean functions are tightly related to the block designs BIBD and PBIBD, so in this thesis the method of combinatorial block designs is also used to discuss Boolean functions. The connection of symmetric group theory with Boolean functions is established.

Publications
During the study, the author, in cooperation with supervisors and colleagues, has published and submitted some papers. The following list shows how much of the work in each paper the author did.
1. J. Pieprzyk and C. Qu, Rotation-symmetric functions and fast hashing, Information Security and Privacy - ACISP'98, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1438:169-18. This paper shows the symmetric properties of Boolean functions in fast implementations. The author did about 5 percent of the work.
2. C. Qu, J. Seberry and J. Pieprzyk, On the symmetric properties of homogeneous Boolean functions, Information Security and Privacy - ACISP'99, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1587:6-35. In this paper, the symmetric properties of homogeneous Boolean functions are studied. The author did about 8 percent of the work.
3. J. Pieprzyk and C. Qu, Fast hashing and rotation-symmetric functions, Journal of Universal Computer Science, 5.1:-31. In this paper further study was made of the symmetric properties of Boolean functions in fast implementations. The author did about 5 percent of the work.
4. C. Qu, J. Seberry and J. Pieprzyk, Homogeneous bent functions, Discrete Applied Mathematics, 1: ,. In this paper the bent functions that do not contain any quadratic terms were discovered. Block designs were used to analyze homogeneous bent functions. The author did 8 percent of the work. (Note: The paper was finished in 1998 and was accepted in 1999.)

5. C. Qu, J. Seberry and J. Pieprzyk, Construction of highly nonlinear balanced Boolean functions (submitted to ASIACRYPT'). This paper gave a new property of bent sequences and showed a few ways to construct highly nonlinear balanced Boolean functions. The author did 8 percent of the work.
6. C. Qu, J. Seberry and J. Pieprzyk, Relationships between Boolean functions and symmetric groups (accepted by ICS', Taiwan). In this paper symmetric group theory was applied to the study of homogeneous Boolean functions and some relations between Boolean functions and symmetric groups were established. The author did about 8 percent of the work.
7. J. Seberry, T. Xia, C. Qu and J. Pieprzyk, Construction of highly nonlinear cubic homogeneous Boolean functions on GF(2)^{n+1} and their properties (submitted to Designs, Codes, and Cryptography). In this paper, the author did about 5 percent of the work.

Symbols
Galois field with parameter 2
An n-entry Boolean space
A vector in V_n
Nonlinearity of the Boolean function f(x) on V_n
An affine Boolean function on V_n
A sequence of a linear Boolean function
Hamming weight, the number of 1s in the sequence
Hamming weight, the number of solutions of f(x) = 1 over V_n
A variable vector in the Boolean space V_n
A Boolean function on V_n
A Boolean function on the subspace V_s (⊂ V_n)
The Walsh-Hadamard transform of a Boolean function f(x) on V_n
The 2^n × 2^n Sylvester-Hadamard matrix
Sequences (binary or ±1) with length 2^n on V_n
Boolean addition, 1 ⊕ 1 = 0, 1 ⊕ 0 = 1, 0 ⊕ 0 = 0
S-box, a mapping S(x): V_n → V_m
The dual space of a subspace V_m ⊂ V_n
Subset of V_n
The dual set of the subset E
The number of all vectors in the space V_n
Set
The k-th order propagation criteria
Balanced incomplete block design
Partial balanced incomplete block design

Acknowledgements
I wish to acknowledge the help of my supervisor Professor Jennifer Seberry, whose knowledge, patience and enthusiasm have been a driving force behind this work. She devoted many hours to my studies, not only on academic research but also with English language help. I would like to thank Associate Professor Josef Pieprzyk, co-supervisor, who gave me many ideas and suggestions which greatly benefited my studies. I have also appreciated our talks with Dr M. Zhang, Dr C. Charnes and Mr T. Xia, which gave me many hints that enriched the thesis. Here I express my deep appreciation to them. I wish to thank all the staff and students in the Center for Computer Security Research and School of IT & CS, University of Wollongong, for their help, both academic and technical.

Contents
Abstract
Publications
Acknowledgements
1 Introduction
1.1 Contributions to this thesis
1.2 Contents of the thesis
1.3 Further research problems
2 Boolean spaces and Boolean functions
2.1 Review of Boolean functions in cryptography
2.2 Boolean space and Boolean functions
2.3 Cryptographic desirable characteristics of Boolean functions
2.4 Hadamard matrix and Walsh-Hadamard transformation
2.5 Construction of affine sequences
3 Bent Boolean functions and their constructions
3.1 Bent functions and their basic properties
3.2 Constructions for bent functions
3.3 Constructing bent sequences
3.4 Notes on the propagation criterion of degree l and order k
3.5 Partially-bent functions
3.6 Plateaued Boolean functions
4 The excess of Boolean functions and Hadamard transform
5 On the symmetric properties of Boolean functions
5.1 Symmetric group and Boolean functions
5.2 Homogeneous Boolean functions
5.3 Degree-3 homogeneous bent functions
5.4 Degree-3 homogeneous balanced functions
5.5 Degree-3 homogeneous Boolean functions
6 Balanced Boolean functions
6.1 Balanced Boolean functions with high nonlinearity and good propagation criteria
6.2 Concatenating functions
6.3 Constructions for highly nonlinear balanced Boolean functions by bent functions
6.4 Constructions for highly nonlinear balanced Boolean functions by highly nonlinear non-balanced Boolean functions
7 Block designs and degree-3 homogeneous functions
7.1 Introduction of BIBD and PBIBD
7.2 Designs for highly nonlinear homogeneous Boolean functions
8 The applications of degree-3 homogeneous Boolean functions
8.1 Motivation
8.2 Definition of Rotation-Symmetric Boolean Functions
8.3 Properties of Rotation-Symmetric Functions
8.4 Balanced Rotation-Symmetric Boolean Functions
8.5 Evaluation of Functions
8.6 Extensions and Further Research
A Homogeneous bent functions on V_6
B Homogeneous balanced functions
C Homogeneous functions with the highest nonlinearity
Bibliography

Chapter 1 Introduction
This chapter contains three parts. In the first part, the author's contributions to this thesis are declared. In the second part, the contents of the following chapters are summarized. In the last part, some open problems related to the thesis are listed.
1.1 Contributions to this thesis
In chapters 2 and 3, Boolean functions and bent functions are characterized from the viewpoint of cryptography. We have restated and reproved, giving examples, previously known lemmas and theorems. The author's main research contributions are as follows. Chapter 4, which is all the author's own work, establishes the direct relationship between the excess of the matrices of a Boolean function and nonlinearity: higher excess means that the function may have higher nonlinearity, and lower nonlinearity means the function has lower excess. In chapter 5, the author studies the relations between symmetric groups and homogeneous Boolean functions, in which he found homogeneous bent functions [77] and highly nonlinear homogeneous balanced functions [75]. Degree-2 and degree-3 homogeneous Boolean functions are studied and some relations are set up which show how they affect cryptographically desirable properties. The author explored some structured homogeneous Boolean functions, called bent-like-MM functions in part 5.5, which have some of the same properties as bent functions; the author uses those functions to construct highly nonlinear balanced Boolean functions. In this chapter, about 8 percent is his own work. In chapter 6, a few constructions for highly nonlinear balanced functions [76, 75] are explored, in which a new property of bent functions was discovered. About 8 percent of this chapter is the author's own work. Degree-3 homogeneous functions are tightly related to the parameters of a PBIBD and covering/packing designs. The author searched specially for some 3-designs that correspond to Boolean functions with perfect cryptographic properties. This part forms chapter 7. About 8 percent of this chapter is the author's own work. The relationships between symmetric groups and Boolean functions, and the symmetric property of Boolean functions applied to fast hashing algorithms [71, 7], are shown in chapter 8. About 5 percent of this chapter is my own work.
1.2 Contents of the thesis
As computer networks develop, using public channels to transmit secure information from one client to another becomes more and more important. Secure cipher text depends on the encryption algorithms. The purpose of the study of Boolean functions and their cryptographic properties is to provide resources for the protocols and algorithms of computer network security. This thesis is about Boolean functions. We study the cryptographic properties and combinatorial structure of Boolean functions because they have been widely used in cryptography. In particular, balanced Boolean functions, bent functions and highly nonlinear Boolean functions are studied. The thesis is divided into eight chapters, of which this is the first. We have endeavoured to make the thesis easy to read with a systematic approach. In chapter 2, we generally review the development of the study of Boolean functions in cryptography and introduce the background of Boolean spaces and Boolean functions. Then the general definitions of the properties of Boolean functions on finite Boolean spaces that are related to cryptography are given; these are called cryptographic properties, such as balance, nonlinearity, correlation immunity, propagation criteria, etc.
Since Hadamard matrices and Walsh-Hadamard transformations play very important roles, they are briefly introduced and some relations to Boolean functions are given in this chapter. The constructions of affine Boolean functions by polynomials and by binary sequences are also given. Most of the chapter can be found in the literature, although the descriptions may vary. In chapter 3 we discuss a special class of Boolean functions: bent functions. In this chapter some structures and properties of bent functions, partially bent functions and plateaued functions are introduced. Since bent functions are maximally nonlinear Boolean functions and each bent function relates to a Hadamard matrix, bent functions play a very important role in coding theory and in the construction of cryptographic Boolean functions. At the end of this part some observations on this area are made. Since each Boolean function is related to a binary matrix over the field GF(2), the excesses of Boolean functions reveal the properties of Boolean functions and their Hadamard transforms from another perspective. In chapter 4, the excesses of Boolean functions and the Hadamard transforms of Boolean functions are explored, and some relations are developed. Chapter 5 shows the relations between Boolean functions and symmetric groups. Homogeneous Boolean functions are studied in this chapter. Before the papers [44, 71, 7, 75, 76, 77] were published, there were few papers considering homogeneous Boolean functions. We first found bent functions of a form that does not explicitly contain any degree-1 or degree-2 terms on the Boolean space V_6 (degree-3 homogeneous form), see paper [77]. Balanced degree-3 homogeneous Boolean functions are also studied in this chapter. The complete sets of degree-3 homogeneous Boolean functions of both bent and balanced forms on V_6 (see appendices A, B), and their group symmetric properties, are given in this chapter. Degree-3 homogeneous Boolean functions can also reach the upper bound of nonlinearity on their definition space. Appendix C lists some examples of degree-3 homogeneous Boolean functions on V- in which all functions have maximum nonlinearity. For the application of Boolean functions in cryptography, highly nonlinear balanced functions are desirable for encoding/decoding systems. In chapter 6, the structures of balanced Boolean functions are discussed and some new methods to construct highly nonlinear balanced functions are given [76, 75].
The propagation criteria and correlation immunity of highly nonlinear balanced Boolean functions are also discussed. By discussing the behaviour of bent functions on the subspaces of the space on which they are defined, a new property of bent functions is discovered: one of the two restrictions, $x_i = 0$ or $x_i = 1$, of a bent function on the subspace $V_{n-1}$ is balanced, and both restrictions of the bent function on $V_{n-1}$ have the same nonlinearity $2^{n-2} - 2^{n/2-1}$, where $x_i$ is a variable over $V_n$. These balanced functions on odd-size Boolean spaces are easy to construct and have very good cryptographic properties. Block designs and covering designs are a combinatorial method to treat finite varieties [6, 14]. This thesis considers each variable in a finite Boolean space as a variety, each monomial on the space as a block, and the number of appearances of each variable in a Boolean function (polynomial form) as the repetition of the variety. A homogeneous Boolean function is then treated as a block design, BIBD or PBIBD, that also corresponds to a covering design. In chapter 7, the theory of block designs and covering designs is introduced into the study of homogeneous Boolean functions. Some relations between Boolean functions and the results of some designs are given. From appendices A, B and C, each function can be considered as a block design. According to this view, the class of degree-3 homogeneous bent functions, described by lemma 34 in chapter 5, are exactly PBIBD designs [5, 4]. In the last part, chapter 8 introduces one of the applications of Boolean functions in cryptography arising from this study: rotation functions for fast hash implementation [71, 7].
1.3 Further research problems
Boolean functions in the same group have the same cryptographic properties. If some functions that form an additive group can be chosen, then the additive group is a perfect S-box design. Further study of the possible existence of a higher order subset of a function group to form the additive group is required. To construct highly nonlinear balanced Boolean functions, bent functions are used. In part 5.5 of this thesis, a bent-like-MM function, similar to a bent function, which gives good experimental results is given. Bent functions have the highest nonlinearity and perfect propagation criterion; however, further study of bent-like-MM Boolean functions is needed. Block designs and covering/packing theorems have been studied for many years. Methods to apply them to construct cryptographically desirable Boolean functions are also a topic for further study. Rotation Boolean functions can give faster implementations in each iteration of a hashing algorithm. It is claimed that the secure application of rotation Boolean functions is important for fast hashing. This is an open research topic.

Chapter 2 Boolean spaces and Boolean functions
This chapter introduces the background for Boolean spaces and Boolean functions, including most of the terminology that is used. For cryptographic applications of Boolean functions, the properties of balance, nonlinearity, propagation criteria, correlation immunity, symmetry and algebraic degree are always considered important. The dimension of the Boolean space V_n considered is always finite. The study of Boolean functions in cryptography is briefly reviewed first.
2.1 Review of Boolean functions in cryptography
The study of Boolean functions has been a branch of cryptography for many decades. In 1949 Shannon [97] established the foundations of modern cryptography by formulating the notion of product ciphers, which use two basic cryptographic transformations: permutations and substitutions. Both extensively use Boolean functions with desirable cryptographic properties. Since then Boolean functions have been widely used in cryptography and their use in S-box theory has become an important part of cryptology. To get secure encryption algorithms, it is enough to design two elementary blocks: a permutation block (P-box) and a substitution block (S-box). P-boxes provide diffusion while S-boxes furnish confusion, as introduced by Shannon [97]. Encryption algorithms, according to Shannon's concepts, are nothing but a sequence of iterations. Each iteration uses a layer of S-boxes controlled by a secret key. Between two consecutive iterations, a single P-box of known structure is used (the P-box may be keyed). The design and evaluation of cryptographically desirable Boolean functions require the definition of design criteria. It is known that the security of schemes based on a combination of permutations and substitutions strongly depends on the characteristics of the substitution tables or S-boxes [74]. An example of the study of the design principles of the Data Encryption Standard can be found in [1]. The analysis of key clustering for a limited number of rounds of the DES also used intensive properties of the

S-boxes when two input bits are fixed [8]. An attack on the same cipher using linear structures will be thwarted if the S-boxes are perfectly nonlinear [34]. Using highly nonlinear Boolean functions to construct good S-boxes has received considerable attention over recent decades [4, 3, 5, 64, 16, 17, 19, 111, 117]. Confidence in the security of modern and future electronic communications rests on the belief that the cryptographic algorithms employed are able to resist cryptographic attacks. Since the introduction of the original Data Encryption Standard (DES) by NIST in the 1970's, there has been an increasing research effort devoted to discovering structures and components that can be utilized in the design of ciphers to achieve this goal of security. S-boxes are the most widely used method to provide high nonlinearity in block ciphers [66]. In order to resist modern cryptographic attacks based on linear approximation and differential characteristics [3, 8, 9, 55], highly nonlinear Boolean functions with good propagation criteria and fewer linear structures are needed. Most common running key generators in stream cipher systems are based on a combination of shift registers and several nonlinear Boolean functions [5, 39]. According to the method of combination, the generators are mainly divided into two categories: feedback type and feedforward type. The feedback generator is an n-stage shift register together with a feedback loop which computes the next term for the first stage of the shift register from the previous n terms using a nonlinear Boolean function. The feedforward generator consists of n driving linear feedback shift registers and a nonlinear function that operates on the n output sequences to generate the key sequence [8]. Boolean functions are universal tools for S-box design [117]. The cryptographic usefulness of a given Boolean function is measured by its cryptographic properties.
The collection of these basic properties includes balance, strict avalanche criterion (SAC), high nonlinearity [] and higher-order propagation criteria [74]. To resist various attacks, C. Adams and S. Tavares described what a good S-box design is []. A good S-box should possess a design procedure that is guaranteed to produce S-boxes possessing properties such as bijection, nonlinearity, strict avalanche and independence of output bits. This gives us an insight into the design of good S-boxes. Furthermore, it also allows one to generate, quickly and easily, S-boxes which can be used in the development of private-key cryptosystems, an area of renewed importance since the increasing power and speed of computers, mainframes, and workstations make early fears about the relatively small key size of DES increasingly relevant. Shannon's product cipher is easy to implement. If building blocks are selected at random (so both P-boxes and S-boxes are random), this will still give a strong cipher with high probability, provided "a large enough" number of iterations [65] is used. The real challenge in S-box theory is how to design S-boxes so as to reduce the number of iterations without loss of security. If an S-box (or the corresponding collection of Boolean functions) is implemented as a lookup table, then the length or the form of the Boolean functions is not important. This is no longer true when the evaluation of the function is done on the fly; this is the case in all MD-type hashing algorithms (MD4, MD5, SHA-1, HAVAL) [8]. It was argued in [71] that symmetric Boolean functions can be very efficiently evaluated. The strict avalanche criterion (SAC) was introduced in 1985 by A. Webster and S. Tavares [16] for the design of the Boolean functions involved in S-boxes. It is related to their dynamic behaviour when their input is modified, and has later been generalized by B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle, who defined the important propagation criteria (PC(k)) [74]. The propagation criteria were studied further in [1]. To protect against linear attacks, nonlinear Boolean functions are involved. Nonlinearity is a key parameter to characterize a nonlinear Boolean function. Generally, an application of permutations of maximum nonlinearity does not guarantee that an encryption algorithm based on them generates a "strong" cipher. For example, the well known DES algorithm is built using 32 permutations (each S-box consists of four permutations) and none of them attains the maximum nonlinearity [68]. Cryptographic transformations are usually designed by appropriate composition of nonlinear functions. In stream cipher design such functions have been applied to combine the output of linear feedback shift registers in order to produce the key stream. In this design the combining functions should not leak information about the individual linear feedback shift register sequences into the key stream.
For this purpose the concept of correlation immunity has been introduced and studied in order to prevent divide-and-conquer correlation attacks [57, 8, 98]. For a memory-less combiner the output always has correlation to certain linear functions of the inputs, and the total correlation is independent of the combining function [58]. The functions used in conventional ciphers must provide both diffusion, for merging several inputs, and confusion, for hiding any structures [, 97]. These notions are formalized through the properties of correlation immunity and nonlinearity [7, 13, 14, 15, 58, 61, 9, 98, 11]. Highly nonlinear Boolean functions are required to be balanced and to satisfy the propagation criteria [98, 113, 114]. For Boolean functions defined over n binary variables, bent functions have the highest nonlinearity and the best propagation criteria, but they are not balanced. For any n Boolean variables, there are $2^{2^n}$ different functions. In fact, a very high proportion of all functions are balanced: there are $\binom{2^n}{2^{n-1}}$ balanced functions over the Boolean space $V_n$ [76]. For example, out of the 256 functions on $V_3$, 70 are balanced (for more detail see chapter 5). Hashing algorithms are important cryptographic primitives which are indispensable for the efficient generation of both signatures and message authentication codes [13]. They are also widely used as one-way functions in key agreement and key establishment protocols [59]. Hashing can be designed using block encryption algorithms, computationally hard problems, or substitution-permutation networks (S-P networks). Parameters of hashing algorithms based on block encryption algorithms are restricted by properties of the underlying encryption algorithms. Assume that an encryption algorithm operates on n-bit strings. A single use of the cipher produces an n-bit hash value. This means that the n-bit strings have to be at least 128 bits long; otherwise, the hash algorithm is subject to the birthday attack, which finds colliding messages in $2^{n/2}$ steps with high probability (larger than 0.5). If the hash algorithm applies more than one encryption, it becomes slower than the underlying cipher. The use of a "strong" encryption algorithm does not guarantee a collision-free hash algorithm. There have been many spectacular failures that prove the point [73]. The design of hashing algorithms using intractable problems can be attractive, as the security evaluation can sometimes be reduced to a proof that finding a collision is as difficult as solving an instance of a computationally hard problem. Numerous examples have shown that the application of hard problems does not automatically produce sound hash algorithms. The misunderstanding springs from the general characterization of the problem. For example, a problem is considered to be difficult if it belongs to the NP-complete class [36].
Any problem is a collection of instances. Some of them are intractable but some are easy. If a hash algorithm applies easy instances, it is simply insecure. The main shortcoming of this class of hash algorithms is that they are inherently slow. The class of hash algorithms based on S-P networks includes the fastest algorithms. They apply confusion and diffusion. Representatives of this class are MD4 [79], MD5 [78], SHA [8] and many others [86]. Despite the demolition of MD4 and the weakening of MD5 by Dobbertin [31, 3], their structural properties look sound and they are frequently used as benchmarks for efficiency evaluation. In the design of cryptographic functions, there is a need to consider various nonlinear characteristics simultaneously [1]. It is noticed that some characteristics restrict each other. Bent functions, for example, have maximum nonlinearity and satisfy the propagation criteria with respect to every non-zero vector over the Boolean spaces on which they are defined. However, bent functions are not balanced and exist only on even-size Boolean spaces. Furthermore, bent functions are not correlation immune. Partially bent functions are highly nonlinear and can be balanced. However, except for bent functions, partially bent functions have non-zero linear structures that are cryptographically undesirable. For these reasons, people study other classes of Boolean functions to try to overcome the disadvantages of bent functions or partially bent functions. The class of plateaued Boolean functions is one candidate; it is defined by a series of inequalities and examines the critical case of each inequality. Compared with other functions, plateaued functions may reach the upper bound on nonlinearity given by the inequalities. In the paper [67], J.D. Olsen, R.A. Scholtz and L.R. Welch described the use of bent functions to construct families (OSW) of ±1 sequences with good correlation properties. A major tool in the OSW construction is the conventional discrete transformation as used by Rothaus in [81], representing the elements of V_n in terms of a trace-orthogonal basis [47]. A. Lempel and M. Cohn showed that the sequences produced by the OSW construction of bent sequences possess the same correlation properties if and only if the underlying bent functions are pairwise orthogonal [48]. Boolean functions have been studied in various aspects according to their properties. For their applications some properties need to be considered simultaneously. To produce good stream ciphers, for example, requires at least that the Boolean function be highly nonlinear and balanced. To resist various attacks, other properties of Boolean functions must be satisfied.
Constructing cryptographic Boolean functions has incurred much research. In the paper [49], S. Lloyd investigated the connections among the properties balance, correlation immunity and strict avalanche criterion of Boolean functions. An important question in designing cryptographic functions, including S-boxes, is the relationships among the various nonlinearity criteria, each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attack. J. Seberry, X. Zhang and Y. Zheng first revealed the connections among SAC, differential characteristics, linear structures and nonlinearity of quadratic S-boxes [96]. In the paper [15], P. Camion, C. Carlet, P. Charpin and N. Sendrier establish the link between correlation-immune functions and orthogonal arrays. A recursive definition of any correlation-immune function of maximal degree was also given. The relation between the Walsh-Hadamard transform and the auto-correlation function of Boolean functions is used to study the propagation characteristics of these functions. The strict avalanche criterion and the perfect nonlinearity criterion are generalized in a propagation criterion of degree k. In the paper [74], B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle gave some new properties and constructions for Boolean bent functions and discussed the extension of the definition to odd values of the space size n. To evaluate a Boolean function, its Hamming weight, nonlinearity, propagation criterion and correlation immunity are the basic parameters. In the paper [81], O.S. Rothaus revealed a class of Boolean functions with the highest nonlinearity and named these functions bent functions. Bent functions have Hamming weight $2^{n-1} \pm 2^{n/2-1}$ and nonlinearity $2^{n-1} - 2^{n/2-1}$. He also discovered basic properties of bent functions. J. Dillon gave the connection between Boolean functions and Hadamard difference sets [9]. Later, P. V. Kumar, R. A. Scholtz and L. R. Welch [46] generalized the concept of bent functions to the set of m-tuples over the integers modulo q. Since bent functions have the highest nonlinearity and are perfect nonlinear Boolean functions over their Boolean space, they are widely used in nonlinear ciphers and in constructing highly nonlinear balanced Boolean functions. In addition to the work of O.S. Rothaus and of J.D. Olsen, R.A. Scholtz and L.R. Welch [67] on bent functions and bent sequences, Kaisa Nyberg [6] discussed the relations of difference sets and bent functions and gave a condition under which McFarland's construction gives a binary bent function with maximum nonlinear degree. To form bent sequences, C. Adams and S. Tavares gave two general classes of binary bent sequences, bent based and linear based [1].
A group Hadamard matrix is used to construct a k-set of bent functions on $V_{2k}$ such that any nonzero linear combination of the bent functions in this set is still a bent function on $V_{2k}$. Such a k-set of bent functions can be used to construct perfect nonlinear S-boxes. In the paper [69], J. Pieprzyk discussed the application of bent functions to bent permutations. C. Carlet gave two new classes of bent functions [17]. Since bent functions exist on even size Boolean spaces only, C. Carlet generalized the concept of bent function and defined partially-bent Boolean functions [18], which exist on both even and odd size Boolean spaces. Partially-bent functions can be divided into balanced and non-balanced ones (bent functions are non-balanced). To extend the concepts of bent function and partially-bent function, X. Zhang described a large class of Boolean functions named plateaued functions [1], which contains both bent and partially-bent functions. Perfect nonlinear functions were first introduced by W. Meier and O. Staffelbach [58] and are Boolean functions that satisfy PC(n) over the Boolean space $V_n$. Bent functions are perfect nonlinear functions. However, other perfect nonlinear Boolean functions have not been found yet. In the paper [94], the relation between the nonlinearity and the propagation criteria of balanced Boolean functions was discussed. In that paper some methods to construct balanced Boolean functions with high nonlinearity and good propagation criteria are presented. It also noted the algebraic degree of the balanced Boolean functions. K. Nyberg [61, 63] gave two methods to construct perfect nonlinear S-boxes: one is based on the Maiorana-McFarland construction of bent functions, which is easy and efficient to implement, and the other one is based on Dillon's construction of difference sets. Differential cryptanalysis and linear cryptanalysis are known as the most effective attacks applicable to various block ciphers [55, 63]. The paper [56] deals with the correlation between the order of S-boxes and the strength of DES. Differential cryptanalysis is a method that analyzes the effect of particular differences in plaintext pairs on the differences of the resulting ciphertext pairs, which was first explained by Biham and Shamir [8, 9]. The concept of nonhomomorphicity of Boolean functions was introduced in the papers [116, 11] as an alternative criterion that forecasts nonlinear characteristics of Boolean functions. Although both nonhomomorphicity and nonlinearity of a Boolean function reflect a difference between the Boolean function and the affine functions, they measure the function from different perspectives. The k-th order nonhomomorphicity of S-boxes is an alternative indicator which forecasts the nonlinearity of an S-box, where k > 4 is even [119]. In stream cipher design, pseudo random generators have been proposed which combine the output of one or several linear feedback shift registers (LFSRs) in order to produce the key stream.
If correlation probabilities are conditioned on side information, e.g., on known output digits, it is known that stronger correlations may be needed [57]. The paper [118] shows that the restriction of a Boolean function to a coset has a significant influence on the cryptographic properties of the function, and identifies relationships between the nonlinearity of the function and the distribution of terms in the polynomial representation of the function. The cycles of odd length in the terms and the quadratic terms in a function play an important role in determining the nonlinearity of the function. In the paper [37], correlation properties of a general binary combiner with an arbitrary number of memory bits were analyzed. It is shown that there exists a pair of certain linear functions of the output and input respectively that produce correlated binary sequences. An efficient procedure, based on a linear sequential circuit approximation, was studied to find such a pair of linear functions. Boolean functions satisfying a higher order strict avalanche criterion were explored in the paper [7]. Many practical information authentication techniques are based on such cryptographic means as data encryption algorithms and one-way hash functions. A core component of such algorithms and functions is nonlinear functions. The relation of a Boolean function to the criterion of propagation of degree l and order k is also an interesting topic for Boolean functions [1, 115]. The propagation criterion was introduced by B. Preneel et al. [4, 74]; they also defined the concept of the criterion of propagation of degree l and order k, satisfied by the functions that still satisfy PC(l) when a certain number k of the coordinates $x_1, \ldots, x_n$ of x are kept fixed. Recently, Palash Sarkar and Subhamoy Maitra presented a new proof of the Walsh transform characterization of correlation immune Boolean functions. They also provide a simpler proof of the fundamental relation between the order of correlation immunity and the algebraic degree of a Boolean function [85]. They give a new construction method, using a small set of recursive operations, for a large class of highly nonlinear, resilient Boolean functions optimizing Siegenthaler's inequality [53, 84].

2.2 Boolean space and Boolean functions

Let $\alpha = (a_1, \ldots, a_n)$ be an element of an n-tuple set. If all entries of $\alpha$ are 0 or 1 (i.e. in GF(2)) and the following arithmetic rules are obeyed, $0 + 0 = 0$, $1 + 0 = 1$, $1 \times 0 = 0$, $1 \times 1 = 1$, then the set is called a Boolean space, denoted by $V_n$ [99]. All elements of $V_n$ are called vectors. Since $1 + 1 = 1 - 1 = 0$, the notation $\oplus$ is used instead of the signs + and - for the binary computation (XOR), to distinguish it from the usual signs + and -. It is clear that a Boolean space $V_n$ contains $2^n$ distinct vectors, which correspond to the natural numbers from 0 to $2^n - 1$.
An n-tuple variable $x = (x_1, \ldots, x_n)$ is defined on a Boolean space $V_n$ and varies from $\alpha_0 = (0, \ldots, 0)$ to $\alpha_{2^n-1} = (1, \ldots, 1)$. By convention, when x varies from $\alpha_0$ to $\alpha_{2^n-1}$, each entry of x varies in its own column:
$$V_n:\quad x = (x_1\ x_2\ \cdots\ x_{n-1}\ x_n),\qquad \alpha_0 = (0\ 0\ \cdots\ 0\ 0),\quad \alpha_1 = (0\ 0\ \cdots\ 0\ 1),\quad \ldots,\quad \alpha_{2^n-1} = (1\ 1\ \cdots\ 1\ 1).$$
So the values of $x_1$ on $V_n$ are always $(0 \cdots 0\ 1 \cdots 1)$, a run of $2^{n-1}$ zeros followed by a run of $2^{n-1}$ ones, and the values of $x_i$ are $(0 \cdots 0\ 1 \cdots 1\ 0 \cdots 0\ 1 \cdots 1\ \cdots)$, alternating runs of $2^{n-i}$ zeros and $2^{n-i}$ ones, where $i = 1, \ldots, n$. Since these binary sequences will be used frequently, the arithmetic rules for binary sequences are given as follows.

Definition 1 Let $\xi = (a_1, \ldots, a_s)$ and $\eta = (b_1, \ldots, b_s)$ be two sequences of length s. Then their multiplication ($\times$), binary addition ($\oplus$), dot-product ($\cdot$) and inner product ($\langle\ ,\ \rangle$) are defined as follows:
$$\xi \times \eta = (a_1 b_1, \ldots, a_s b_s),\qquad \xi \oplus \eta = (a_1 \oplus b_1, \ldots, a_s \oplus b_s),$$
$$\xi \cdot \eta = a_1 b_1 \oplus \cdots \oplus a_s b_s,\qquad \langle \xi, \eta \rangle = a_1 b_1 + \cdots + a_s b_s.$$
Now $\xi \times \eta$ and $\xi \oplus \eta$ are still binary sequences. However, $\xi \cdot \eta$ is a value in GF(2) and $\langle \xi, \eta \rangle$ is a real integer value ($0 \le \langle \xi, \eta \rangle \le s$).

A Boolean function on $V_n$ is defined by the mapping $f: V_n \to V_1$, which means that for each vector in $V_n$, f takes the value 0 or 1. There are several ways to represent a Boolean function. Normally polynomials, binary sequences or $(\pm 1)$ sequences are used to represent Boolean functions. Let $\alpha = (a_1, \ldots, a_n)$ be a vector in $V_n$ and $x^\alpha = x_1^{a_1} \cdots x_n^{a_n}$ denote a single term in polynomial form on $V_n$. Then a Boolean function on $V_n$ is represented by the polynomial form
$$f(x) = \bigoplus_{\alpha \in V_n} c_\alpha x^\alpha,\qquad c_\alpha = 0 \text{ or } 1. \qquad (2.3)$$
The binary sequence and $\pm 1$ sequence forms of the function (2.3) are
$$\xi_n = (f(\alpha_0)\ f(\alpha_1)\ \cdots\ f(\alpha_{2^n-1})) \qquad (2.4)$$
$$\eta_n = ((-1)^{f(\alpha_0)}\ (-1)^{f(\alpha_1)}\ \cdots\ (-1)^{f(\alpha_{2^n-1})}) \qquad (2.5)$$
respectively. The sequence (2.5) can also be produced by the polynomial $\bar f(x) = 1 - 2f(x)$. Now for a function f(x), one knows how to produce the sequences (2.4) and (2.5). To transform a (0,1) sequence, $\xi$, to its polynomial form, the equivalent function f(x), one

uses the $2^n \times 2^n$ matrix $G_n$ over GF(2) and the $1 \times 2^n$ matrix $X_n$ to convert it. $G_n$ is defined by the following recursive formula,
$$G_n = \begin{bmatrix} G_{n-1} & G_{n-1} \\ 0 & G_{n-1} \end{bmatrix},\qquad G_1 = \begin{bmatrix} 1 & 1 \\ 0 & 1 \end{bmatrix},$$
and the matrix $X_n$ is
$$X_n = [\,x^{\alpha_0}\ x^{\alpha_1}\ \cdots\ x^{\alpha_{2^n-1}}\,].$$
Then a binary sequence representation $\xi$ of a function can be converted to its polynomial by $f(x) = \xi\, G_n\, X_n^{*}$, where $X_n^{*}$ is the transpose of the matrix $X_n$. In fact, the i-th row of $G_n$ is the binary sequence of $x^{\alpha_i}$.

Let $g_0(y), \ldots, g_{2^k-1}(y)$ be functions on $V_h$ and $\xi_0, \ldots, \xi_{2^k-1}$ their sequences respectively. Let $\alpha_i = (a_{i1}, a_{i2}, \ldots, a_{ik})$ be a vector on $V_k$, $i = 0, 1, \ldots, 2^k - 1$. Then the function obtained by concatenating the sequence $\eta = (\xi_0\ \xi_1\ \cdots\ \xi_{2^k-1})$ on $V_{k+h}$ is
$$f(x, y) = \bigoplus_{i=0}^{2^k-1} D_i(x)\, g_i(y) \qquad (2.6)$$
where $D(x) = (D_0(x), D_1(x), \ldots, D_{2^k-1}(x))$ is the combining function defined by [94]
$$D_i(x) = \prod_{j=1}^{k} (x_j \oplus a_{ij} \oplus 1),$$
where $a_{ij}$ is the j-th entry of the vector $\alpha_i \in V_k$. In fact, $D_i(x) = 0$ for $x \ne \alpha_i$ and $D_i(x) = 1$ for $x = \alpha_i$, $i = 0, \ldots, 2^k - 1$. Thus the values of the sequence $\eta$ from the first entry (entry 0) to the $(2^h - 1)$-th entry are the values of $g_0(y)$ over $V_h$, from the $2^h$-th entry to the $(2^{h+1} - 1)$-th entry are the values of $g_1(y)$, ..., and from the $(2^{h+k} - 2^h)$-th entry to the $(2^{h+k} - 1)$-th entry are the values of $g_{2^k-1}(y)$. If $k = 0$, then $f(x, y) = g_0(y)$; if $h = 0$ there is no function on $V_0$. Suppose $g_0 = c_0, g_1 = c_1, \ldots, g_{2^k-1} = c_{2^k-1}$, where $c_i = 0$ or 1. Then
$$f(x, y) = f(x) = \bigoplus_{i=0}^{2^k-1} D_i(x)\, c_i. \qquad (2.7)$$
Formula (2.7) can be used to convert a sequence on $V_n$ to its polynomial form, if the sequence on $V_n$ is formed by the concatenation of the constant functions $g_i = c_i$ on

$V_0 = \{0\}$. Thus each entry of the sequence $\eta$ is a constant $c_i$. Therefore the sequence $\eta = (c_0\ c_1\ \cdots\ c_{2^n-1})$ corresponds to the function
$$f(x) = \bigoplus_{i=0}^{2^n-1} c_i\,(x_1 \oplus a_{i1} \oplus 1)(x_2 \oplus a_{i2} \oplus 1) \cdots (x_n \oplus a_{in} \oplus 1)$$
on $V_n$, which is another way to transform a sequence into the polynomial representation. Let $\eta = (0\ 1\ 0\ 1\ 0\ 0\ 1\ 0)$, for example, be a sequence on $V_3$. Then the polynomial form of the function is
$$f(x) = (x_1 \oplus 1) x_2 x_3 \oplus (x_1 \oplus 1)(x_2 \oplus 1) x_3 \oplus x_1 x_2 (x_3 \oplus 1) = x_1 x_2 \oplus x_1 x_2 x_3 \oplus x_1 x_3 \oplus x_3.$$

Definition 2 Let f(x) be a function on $V_n$. Then the $(-1,1)$ matrix of the function is defined by $M = [(-1)^{f(\alpha_i \oplus \alpha_j)}]$. Similarly, its $(0,1)$ matrix is defined by $M = [f(\alpha_i \oplus \alpha_j)]$. The first row of M is just the sequence of the function. When the sequence of a function on $V_n$ is considered, the length of the sequence is $2^n$. Now the sub-sequences of the sequence of a function on $V_n$ are defined as follows.

Definition 3 Let $\xi = (b_0\ b_1\ \cdots\ b_{2^n-1})$ be the sequence of f(x) on $V_n$. The sub-sequences $\xi_i$ of $\xi$ with length $2^h$ are defined by $\xi_1 = (b_0 \cdots b_{2^h-1})$, $\xi_2 = (b_{2^h} \cdots b_{2^{h+1}-1})$, ..., $\xi_{2^k} = (b_{2^{h+k}-2^h} \cdots b_{2^{h+k}-1})$, where $h, k < n$ and $h + k = n$. Let the polynomial form of $\xi_i$ on $V_h$ be $g_i(y)$, where $i = 1, 2, \ldots, 2^k$. Then the function (2.6) is the polynomial form of the sequence $\xi$ on $V_{h+k}$.

Lemma 1 Let f(x) be a Boolean function on $V_n$ and $\xi$ its sequence. Let $\xi_0, \ldots, \xi_{2^{n-h}-1}$ denote the sub-sequences of $\xi$ of length $2^h$. Suppose that the longest sub-sequence of $\xi$ that has an odd Hamming weight has length $2^h$. Then the algebraic degree of the function f(x) is greater than or equal to h.

Proof. Let $\xi$ be the sequence of the function f(x). Suppose the longest sub-sequence of $\xi$ with odd Hamming weight has length $2^h$. Then the polynomial form of that sub-sequence has algebraic degree h on $V_h$. Let $g_j(x_1, \ldots, x_h)$ correspond to the sub-sequence $\xi_j$, $j = 0, 1, \ldots, 2^{n-h} - 1$. Then
$$f(x) = \bigoplus_{j=0}^{2^{n-h}-1} D_j(x_{h+1}, \ldots, x_n)\, g_j(x_1, \ldots, x_h),$$
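The two conversions just described, the matrix $G_n$ and the indicator expansion (2.7), together with the degree bound of Lemma 1, are carried out by the following Python. It is an added example, not code from the thesis; it assumes the text's ordering of $V_n$ ($x_1$ is the most significant bit, so it is 0 on the first half of a sequence), and the function names and the sample sequence $(0\ 1\ 0\ 1\ 0\ 0\ 1\ 0)$ on $V_3$ are mine.

```python
# Added example, not code from the thesis: two routes from the (0,1) sequence
# of a Boolean function on V_n to its polynomial (ANF) form, the matrix G_n
# and the indicator expansion (2.7), and the degree bound of Lemma 1.
# Assumption taken from the text: alpha_0, ..., alpha_{2^n-1} are ordered with
# x_1 as the most significant bit (x_1 is 0 on the first half of the sequence).


def vectors(n):
    """alpha_0, ..., alpha_{2^n - 1} of V_n as tuples (x_1, ..., x_n)."""
    return [tuple((i >> (n - 1 - j)) & 1 for j in range(n)) for i in range(1 << n)]


def g_matrix(n):
    """G_n over GF(2): G_1 = [[1,1],[0,1]] and
    G_n = [[G_{n-1}, G_{n-1}], [0, G_{n-1}]].  Row i is the (0,1) sequence
    of the monomial x^{alpha_i}, and G_n is its own inverse modulo 2."""
    if n == 0:
        return [[1]]
    prev = g_matrix(n - 1)
    size = len(prev)
    return [row + row for row in prev] + [[0] * size + row for row in prev]


def anf_by_matrix(seq):
    """Coefficient row c = xi * G_n over GF(2); returns the set of exponent
    vectors alpha with c_alpha = 1 (each is one term x^alpha of f)."""
    n = len(seq).bit_length() - 1
    assert 1 << n == len(seq), "sequence length must be a power of two"
    g = g_matrix(n)
    coeffs = [sum(seq[r] & g[r][c] for r in range(len(seq))) & 1
              for c in range(len(seq))]
    return {alpha for alpha, c in zip(vectors(n), coeffs) if c}


def poly_mul(p, q):
    """Product of two polynomials over GF(2); a polynomial is a set of
    monomials and a monomial is its exponent tuple (x_j^2 = x_j)."""
    out = set()
    for a in p:
        for b in q:
            out ^= {tuple(x | y for x, y in zip(a, b))}   # XOR cancels pairs
    return out


def anf_by_indicators(seq):
    """Expand f(x) = XOR_i c_i * prod_j (x_j + a_ij + 1) symbolically (2.7)."""
    n = len(seq).bit_length() - 1
    one = (0,) * n                          # the constant monomial 1
    f = set()
    for alpha, c in zip(vectors(n), seq):
        if not c:
            continue
        term = {one}
        for j, a in enumerate(alpha):
            x_j = tuple(1 if k == j else 0 for k in range(n))
            # x_j + a_ij + 1 equals x_j when a_ij = 1 and x_j + 1 when a_ij = 0
            term = poly_mul(term, {x_j} if a else {x_j, one})
        f ^= term
    return f


def evaluate(anf, x):
    """f(x) from its ANF: XOR of the monomials whose variables are all 1 at x."""
    return sum(all(not e or xi for e, xi in zip(alpha, x)) for alpha in anf) & 1


def degree(anf):
    """Algebraic degree: size of the largest monomial (0 for a constant)."""
    return max((sum(alpha) for alpha in anf), default=0)


def odd_weight_bound(seq):
    """Lemma 1: if the longest sub-sequence of length 2^h has odd Hamming
    weight, deg f >= h.  Returns that h, or None for the zero function."""
    n = len(seq).bit_length() - 1
    for h in range(n, -1, -1):
        size = 1 << h
        if any(sum(seq[i:i + size]) % 2 for i in range(0, len(seq), size)):
            return h
    return None


def polynomial_str(anf):
    """Readable form, '+' standing for XOR, e.g. 'x3 + x1x3 + x1x2 + x1x2x3'."""
    terms = sorted(anf, key=lambda a: (sum(a), a))
    return " + ".join("".join(f"x{j + 1}" for j, e in enumerate(a) if e) or "1"
                      for a in terms)


# Constructed sample input: the sequence (0 1 0 1 0 0 1 0) on V_3.
ETA = [0, 1, 0, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    anf = anf_by_matrix(ETA)
    assert anf == anf_by_indicators(ETA)
    print(polynomial_str(anf), "| degree", degree(anf),
          "| Lemma 1 bound", odd_weight_bound(ETA))
```

Both routes compute the same coefficients, $c_\alpha = \bigoplus_{\beta \subseteq \alpha} \xi_\beta$: multiplying by $G_n$ does it as a matrix product (which is why $G_n$ being its own inverse over GF(2) matters), while (2.7) does it by expanding one indicator product per 1 in the sequence. For the sample sequence the result is $x_3 \oplus x_1 x_3 \oplus x_1 x_2 \oplus x_1 x_2 x_3$, of degree 3; the whole sequence has odd weight, so Lemma 1 already gives $h = 3$.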

in which
$$D_j(x_{h+1}, \ldots, x_n) = \prod_{k=1}^{n-h} (x_{k+h} \oplus a_{jk} \oplus 1),$$
where $a_{jk}$ is the k-th entry of $\alpha_j \in V_{n-h}$. In the function f(x), the algebraic degree of the term $D_j(x_{h+1}, \ldots, x_n)\, g_j(x_1, \ldots, x_h)$ is greater than or equal to h. Case 1. If all sub-sequences have odd Hamming weight. Case 2. Some of the sub-sequences have odd Hamming weight. Therefore the lemma is proved. $\square$

2.3 Cryptographic desirable characteristics of Boolean functions

Since the research is intended to be useful to cryptography, the functions studied must satisfy some cryptographically desirable properties. This section gives the definitions of the cryptographic properties of Boolean functions that can be found in the literature.

Definition 4 (Affine and linear functions) A Boolean function
$$f(x) = \bigoplus_{\alpha \in V_n} c_\alpha x^\alpha,\qquad c_\alpha = 0 \text{ or } 1,$$
on $V_n$ is called an affine function if $c_\alpha = 0$ for all $wt(\alpha) > 1$, where $\alpha \in V_n$. For an affine function, if $c_0 = 0$, it is called a linear function. Using the definition of the dot-product, an affine function can also be expressed as $\varphi(x) = \alpha \cdot x \oplus c$, $\alpha \in V_n$, $c = 0, 1$. In the above function, if $c = 0$, the function is linear. A linear function is an affine function. The total number of distinct vectors $\alpha$ in $V_n$ is $2^n$. Therefore, over $V_n$, there are $2^n$ distinct linear functions, which include the constant function 0, and $2^{n+1}$ distinct affine functions, which include the constant functions 0 and 1. For later use, the following statement is given as a lemma. The proof of the lemma follows directly from Definition 4.

Lemma 2 Let $\varphi_i(x)$ and $\varphi_j(x)$ be affine functions on $V_n$. Then the function $\varphi_i(x) \oplus \varphi_j(x)$, $0 \le i, j < 2^{n+1}$, is affine. Furthermore, if $\varphi_i(x)$ and $\varphi_j(x)$ are linear functions, $\varphi_i(x) \oplus \varphi_j(x)$ is a linear function.

Definition 5 (Hamming weight and Hamming distance) Let $\xi$ and $\eta$ be (0,1) sequences. The Hamming weight of $\xi$, denoted by $wt(\xi)$, is the number of 1s in the sequence. The Hamming distance between the two sequences $\xi$ and $\eta$ is defined by the Hamming weight of the sequence $\xi \oplus \eta$ and denoted by $d(\xi, \eta)$, i.e. $d(\xi, \eta) = wt(\xi \oplus \eta)$. Let f(x) be a function on $V_n$ and $\xi$ its binary sequence. The Hamming weight of f(x) is the number of 1s in its sequence, i.e. the number of solutions of $f(x) = 1$. For two functions f(x) and g(x) over $V_n$, the Hamming distance is the Hamming weight of the function $f(x) \oplus g(x)$, denoted by $d(f, g)$. Notice that $f(\alpha) = g(\alpha)$ contributes a zero to the binary sequence of $f(x) \oplus g(x)$, and $f(\alpha) \ne g(\alpha)$ contributes a 1. Therefore, the Hamming distance of the functions f(x) and g(x) is also equal to the number of vectors $\alpha$ such that $f(\alpha) \ne g(\alpha)$. The Hamming weight of the function $x^\alpha$ on $V_n$ depends on the Hamming weight $wt(\alpha)$: it equals $2^{n - wt(\alpha)}$.

Lemma 3 Let f(x) and g(x) be two functions on $V_n$. Then
$$d(f, g) = \tfrac{1}{2}\left(2^n - \langle \xi, \eta \rangle\right),$$
where $\xi$ and $\eta$ are the $\pm 1$ sequences of f and g respectively.

Proof. Let $\xi = (a_0, \ldots, a_{2^n-1})$ and $\eta = (b_0, \ldots, b_{2^n-1})$. Let $N^+$ and $N^-$ denote the numbers of i with $a_i = b_i$ and with $a_i \ne b_i$ respectively. It is obvious that $N^+ + N^- = 2^n$ and $\langle \xi, \eta \rangle = N^+ - N^- = 2^n - 2N^-$. The Hamming distance of $\xi$ and $\eta$ is the number $N^-$. Therefore
$$d(f, g) = N^- = \tfrac{1}{2}\left(2^n - \langle \xi, \eta \rangle\right). \qquad \square$$

Definition 6 (Balanced functions) A function f(x) on $V_n$ is said to be balanced if the number of solutions of $f(x) = 0$ (or $f(x) = 1$) is $2^{n-1}$.

By Definition 5 a balanced function has Hamming weight $2^{n-1}$. Any non-constant affine function is balanced. From Lemma 2 it can be seen that the Hamming distance between any two distinct affine functions (at least one of which is non-constant) is $2^{n-1}$. The following equation gives a relationship between a function and the set of linear functions.

Lemma 4 (Parseval's equation [5]) Let f(x) be a function on $V_n$ and $\xi$ its $\pm 1$ sequence. Then
$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = 2^{2n},$$
where the $l_i$ are the $\pm 1$ linear sequences.

Proof. Let $\xi$ be the $\pm 1$ sequence of the function f(x) on $V_n$. Then
$$\langle \xi, l_i \rangle = \sum_{x \in V_n} (-1)^{f(x) \oplus \varphi_i(x)}$$
and
$$\langle \xi, l_i \rangle^2 = \sum_{x \in V_n} (-1)^{f(x) \oplus \varphi_i(x)} \sum_{x' \in V_n} (-1)^{f(x') \oplus \varphi_i(x')}.$$
The linear functions $\varphi_i(x)$ and $\varphi_i(x')$ can be written as $\alpha_i \cdot x$ and $\alpha_i \cdot x'$ respectively. Thus summing the above formula over i gives
$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = \sum_{i=0}^{2^n-1} \left( \sum_{x \in V_n} (-1)^{f(x) \oplus \alpha_i \cdot x} \sum_{x' \in V_n} (-1)^{f(x') \oplus \alpha_i \cdot x'} \right) = \sum_{x, x' \in V_n} (-1)^{f(x) \oplus f(x')} \sum_{i=0}^{2^n-1} (-1)^{\alpha_i \cdot (x \oplus x')}.$$
It is seen that $\sum_{i=0}^{2^n-1} (-1)^{\alpha_i \cdot (x \oplus x')} = 0$ for $x \ne x'$ and $= 2^n$ for $x = x'$. Furthermore $(-1)^{f(x) \oplus f(x')} = 1$ for $x = x'$. Therefore
$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = \sum_{x \in V_n} 2^n = 2^{2n}. \qquad \square$$

Definition 7 (Nonlinearity) The nonlinearity of a function f(x), denoted by $N_f$, is the minimum Hamming distance between f and all affine functions, i.e.
$$N_f = \min\{ d(f, \varphi) \mid \varphi \text{ affine on } V_n \}.$$

Nonlinearity is one of the important parameters of a function for assessing its value in cryptographic applications. According to the definition of nonlinearity, all affine functions have zero nonlinearity. On the other hand, a Boolean function having nonzero nonlinearity implies that the function is not affine. According to the definition of nonlinearity, the nonlinearity of a non-linear Boolean function on $V_n$ cannot exceed $2^{n-1}$. On an even size Boolean space, there is a class of Boolean functions, called bent functions, that have the maximum nonlinearity, $2^{n-1} - 2^{n/2-1}$, over the space. Also, bent functions have Hamming distance either $2^{n-1} - 2^{n/2-1}$ or $2^{n-1} + 2^{n/2-1}$ to any affine function over the Boolean space. A later chapter will introduce bent functions in more detail.

Lemma 5 Let B be a nonsingular $n \times n$ matrix over GF(2), $\alpha \in V_n$, and f(x) a function on $V_n$. Then the function $g(x) = f(xB \oplus \alpha)$ and f(x) have the same nonlinearity, $N_g = N_f$.

Proof. By the definition of nonlinearity, there exists at least one affine function $\varphi$ such that $d(f, \varphi) = N_f$. Let $\phi(x) = \varphi(xB \oplus \alpha)$. Then the function $\phi(x)$ is affine and $d(g, \phi) = d(f, \varphi) = N_f$. According to the definition of nonlinearity, this gives $N_g \le d(g, \phi) = N_f$. Similarly, one gets the other inequality, $N_f \le N_g$. Therefore $N_f = N_g$. $\square$

Definition 8 (Propagation criterion PC(k)) Let f(x) be a function on $V_n$. If the difference $f(x) \oplus f(x \oplus \alpha)$ of the function f(x) is balanced, then the function is said to satisfy the propagation criterion with respect to the vector $\alpha$. If $f(x) \oplus f(x \oplus \alpha)$ is balanced for all vectors with $0 < wt(\alpha) \le k$ in $V_n$, then the function f(x) satisfies the k-th order propagation criterion, denoted by PC(k).

Definition 9 (Strict avalanche criterion (SAC)) If the function $f(x) \oplus f(x \oplus \alpha)$ is balanced for all vectors with $wt(\alpha) = 1$ in $V_n$, then the function f(x) satisfies the strict avalanche criterion (SAC).

The strict avalanche criterion was introduced in 1985 by A. Webster and S. Tavares [16] for the Boolean functions involved in S-boxes. It is related to their dynamic behaviour (when their input is modified) and was later generalized by B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle [74], who defined the
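The quantities of Section 2.3 (Lemma 3, Parseval's equation, Definition 7, Lemma 5 and the PC(k)/SAC criteria of Definitions 8 and 9) can be checked directly on small functions. The following Python is an added example, not code from the thesis: it computes $\langle \xi, l_i \rangle$ for every linear sequence, derives $N_f$ from the largest of these values and confirms it against the brute-force minimum over all $2^{n+1}$ affine functions, verifies $\sum_i \langle \xi, l_i \rangle^2 = 2^{2n}$, tests PC(k), and applies the affine change of variables of Lemma 5. It assumes the text's ordering of $V_n$ ($x_1$ as the most significant bit); the function names and the two sample functions, $x_1 x_2 \oplus x_3 x_4$ on $V_4$ and $x_1 x_2 x_3$ on $V_3$, are mine.

```python
# Added example, not code from the thesis: nonlinearity via the +/-1 sequence
# and the +/-1 linear sequences l_i (Lemma 3, Definition 7), Parseval's
# equation (Lemma 4), affine invariance (Lemma 5) and PC(k)/SAC (Definitions
# 8 and 9).  Assumed ordering of V_n: x_1 is the most significant bit.


def vectors(n):
    """alpha_0, ..., alpha_{2^n - 1} of V_n as tuples (x_1, ..., x_n)."""
    return [tuple((i >> (n - 1 - j)) & 1 for j in range(n)) for i in range(1 << n)]


def sequence(func, n):
    """(0,1) sequence of a function given as a Python callable on tuples."""
    return [func(x) & 1 for x in vectors(n)]


def dot(a, x):
    """alpha . x in GF(2)."""
    return sum(ai & xi for ai, xi in zip(a, x)) & 1


def linear_sequence(alpha, n):
    """+/-1 sequence l_i of the linear function alpha . x."""
    return [1 - 2 * dot(alpha, x) for x in vectors(n)]


def inner(xi, eta):
    """Inner product <xi, eta> of two +/-1 sequences (a real integer)."""
    return sum(a * b for a, b in zip(xi, eta))


def walsh_spectrum(seq):
    """<xi, l_i> for every linear sequence l_i, xi the +/-1 sequence of f."""
    n = len(seq).bit_length() - 1
    xi = [1 - 2 * b for b in seq]
    return [inner(xi, linear_sequence(alpha, n)) for alpha in vectors(n)]


def nonlinearity(seq):
    """N_f = 2^(n-1) - max|<xi, l_i>|/2.  By Lemma 3 d(f, phi) = (2^n - <xi, l>)/2,
    and the affine pair phi, phi+1 has the sequences l, -l."""
    n = len(seq).bit_length() - 1
    return (1 << (n - 1)) - max(abs(w) for w in walsh_spectrum(seq)) // 2


def nonlinearity_bruteforce(seq):
    """Definition 7 directly: minimum distance to all 2^(n+1) affine functions."""
    n = len(seq).bit_length() - 1
    best = len(seq)
    for alpha in vectors(n):
        for c in (0, 1):
            best = min(best, sum(b ^ c ^ dot(alpha, x) for b, x in zip(seq, vectors(n))))
    return best


def parseval_holds(seq):
    """Lemma 4: the squared <xi, l_i> sum to 2^(2n)."""
    n = len(seq).bit_length() - 1
    return sum(w * w for w in walsh_spectrum(seq)) == 1 << (2 * n)


def is_bent(seq):
    """Even n and every |<xi, l_i>| = 2^(n/2), i.e. distance 2^(n-1) +/- 2^(n/2-1)
    to every affine function."""
    n = len(seq).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 1 << (n // 2) for w in walsh_spectrum(seq))


def is_balanced(seq):
    """Definition 6: Hamming weight 2^(n-1)."""
    return 2 * sum(seq) == len(seq)


def satisfies_pc(seq, k):
    """PC(k): f(x) + f(x + a) balanced for all 0 < wt(a) <= k; SAC is PC(1).
    With the chosen ordering the index of x + a is index(x) XOR index(a)."""
    n = len(seq).bit_length() - 1
    for ia, a in enumerate(vectors(n)):
        if 0 < sum(a) <= k:
            derivative = [b ^ seq[ix ^ ia] for ix, b in enumerate(seq)]
            if not is_balanced(derivative):
                return False
    return True


def affine_image(seq, matrix, shift):
    """Sequence of g(x) = f(xB + a) for B given as a list of rows (Lemma 5)."""
    n = len(seq).bit_length() - 1
    index = {x: i for i, x in enumerate(vectors(n))}
    return [seq[index[tuple(dot(col, x) ^ s for col, s in zip(zip(*matrix), shift))]]
            for x in vectors(n)]


# Constructed sample functions: the bent function x1x2 + x3x4 on V_4 and the
# cubic x1x2x3 on V_3 (+ denotes XOR).
BENT = sequence(lambda x: (x[0] & x[1]) ^ (x[2] & x[3]), 4)
CUBIC = sequence(lambda x: x[0] & x[1] & x[2], 3)

if __name__ == "__main__":
    for name, s in (("x1x2+x3x4", BENT), ("x1x2x3", CUBIC)):
        print(name, "N_f =", nonlinearity(s), "bent:", is_bent(s),
              "SAC:", satisfies_pc(s, 1), "Parseval:", parseval_holds(s))
```

For $x_1 x_2 \oplus x_3 x_4$ every $\langle \xi, l_i \rangle$ is $\pm 4$, so $N_f = 8 - 2 = 6 = 2^{3} - 2^{1}$, the bound stated above, and the derivative in every nonzero direction is a non-constant affine function, hence PC(4). For $x_1 x_2 x_3$ the spectrum is $(6, 2, 2, -2, 2, -2, -2, 2)$, giving $N_f = 1$ while $36 + 7 \cdot 4 = 64 = 2^6$ still holds, and its derivative in direction $(1,0,0)$ is $x_2 x_3$, which is not balanced, so it fails SAC.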


More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity

Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity arxiv:cs/0605139v1 [cs.cr] 30 May 2006 Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity Na Li, Wen-Feng Qi Department of Applied Mathematics, Zhengzhou

More information

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract

More information

Construction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity

Construction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity Pan SS, Fu XT, Zhang WG. Construction of 1-resilient Boolean functions with optimal algebraic immunity and good nonlinearity. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 26(2): 269 275 Mar. 2011. DOI 10.1007/s11390-011-1129-4

More information

A New Distinguisher on Grain v1 for 106 rounds

A New Distinguisher on Grain v1 for 106 rounds A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.

More information

arxiv:math/ v1 [math.co] 24 Oct 2000

arxiv:math/ v1 [math.co] 24 Oct 2000 arxiv:math/0010220v1 [math.co] 24 Oct 2000 Nonlinearity, Local and Global Avalanche Characteristics of Balanced Boolean Functions Abstract Pantelimon Stănică Auburn University Montgomery, Department of

More information

AES side channel attacks protection using random isomorphisms

AES side channel attacks protection using random isomorphisms Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random

More information

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function Yindong Chen a,, Fei Guo a, Liu Zhang a a College of Engineering, Shantou University, Shantou 515063, China Abstract Boolean functions

More information

CONSTRUCTING Boolean functions on odd number of variables n having nonlinearity greater than the bent

CONSTRUCTING Boolean functions on odd number of variables n having nonlinearity greater than the bent Patterson-Wiedemann type functions on 21 variables with Nonlinearity greater than Bent Concatenation bound Selçuk Kavut and Subhamoy Maitra 1 Abstract Nonlinearity is one of the most challenging combinatorial

More information

On The Nonlinearity of Maximum-length NFSR Feedbacks

On The Nonlinearity of Maximum-length NFSR Feedbacks On The Nonlinearity of Maximum-length NFSR Feedbacks Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov Abstract. Linear Feedback Shift Registers (LFSRs) are the main

More information

Analysis of cryptographic hash functions

Analysis of cryptographic hash functions Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share

More information

Provable Security Against Differential and Linear Cryptanalysis

Provable Security Against Differential and Linear Cryptanalysis Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly

More information

Comments on "Generating and Counting Binary Bent Sequences"

Comments on Generating and Counting Binary Bent Sequences University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 1994 Comments on "Generating and Counting Binary Bent Sequences" Claude

More information

Perfect Diffusion Primitives for Block Ciphers

Perfect Diffusion Primitives for Block Ciphers Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch

More information

Sequences, DFT and Resistance against Fast Algebraic Attacks

Sequences, DFT and Resistance against Fast Algebraic Attacks Sequences, DFT and Resistance against Fast Algebraic Attacks Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email. ggong@calliope.uwaterloo.ca

More information

Avalanche Characteristics of Substitution- Permutation Encryption Networks

Avalanche Characteristics of Substitution- Permutation Encryption Networks Avalanche Characteristics of Substitution- Permutation Encryption Networks Howard M. Heys and Stafford E. Tavares, member IEEE Abstract This paper develops analytical models for the avalanche characteristics

More information

nonlinearities to resist certain attacks on these ciphers (correlation and linear attacks). A Boolean function is called bent if its nonlinearity equa

nonlinearities to resist certain attacks on these ciphers (correlation and linear attacks). A Boolean function is called bent if its nonlinearity equa Upper bounds on the numbers of resilient functions and of bent functions Claude Carlet 1 and Andrew Klapper 2 1 INRIA projet CODES, B.P. 105, 78153 Le Chesnay Cedex- France. Claude.Carlet@inria.fr 2 Dept.

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

New Constructions for Resilient and Highly Nonlinear Boolean Functions

New Constructions for Resilient and Highly Nonlinear Boolean Functions New Constructions for Resilient and Highly Nonlinear Boolean Functions Khoongming Khoo 1 and Guang Gong 2 1 Department of Combinatorics and Optimization, 2 Department of Electrical and Computer Engineering,

More information

An Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan

An Extended DES. National Chiao Tung University Hsinchu, 300 Taiwan JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 18, 349-365 (2002) An Extended DES YI-SHIUNG YEH AND CHING-HUNG HSU * Institute of Computer Science and Information Engineering * Institute of Computer and

More information

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 60, NO 3, 2014 1 Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes Wei-Guo Zhang, Member, IEEE, and

More information

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Aspects of Symmetric-key Cryptography Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques

More information

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 60, NO 3, PP 1638-1651, 2014 1 Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes Wei-Guo Zhang, Member,

More information

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5 Anne Canteaut 1 and Michaël Trabbia 1,2 1 INRIA projet CODES B.P. 105 78153 Le Chesnay Cedex - France Anne.Canteaut@inria.fr

More information

On Boolean Functions with Generalized Cryptographic Properties

On Boolean Functions with Generalized Cryptographic Properties On Boolean Functions with Generalized Cryptographic Properties An Braeken 1, Ventzislav Nikov 2, Svetla Nikova 1, and Bart Preneel 1 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences Kalikinkar Mandal, and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo,

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School

More information

A construction of Boolean functions with good cryptographic properties

A construction of Boolean functions with good cryptographic properties A construction of Boolean functions with good cryptographic properties Jong H. Chung 1, Pantelimon Stănică 1, Chik-How Tan, and Qichun Wang 1 Department of Applied Mathematics, Naval Postgraduate School,

More information

Constructions of Quadratic Bent Functions in Polynomial Forms

Constructions of Quadratic Bent Functions in Polynomial Forms 1 Constructions of Quadratic Bent Functions in Polynomial Forms Nam Yul Yu and Guang Gong Member IEEE Department of Electrical and Computer Engineering University of Waterloo CANADA Abstract In this correspondence

More information

Linear Approximations for 2-round Trivium

Linear Approximations for 2-round Trivium Linear Approximations for 2-round Trivium Meltem Sönmez Turan 1, Orhun Kara 2 1 Institute of Applied Mathematics, Middle East Technical University Ankara, Turkey msonmez@metu.edu.tr 2 TUBITAK-UEKAE, Gebze,

More information

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty

Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty Information Systems International Conference (ISICO), 2 4 December 2013 Diffusion Analysis of F-function on KASUMI Algorithm Rizki Yugitama, Bety Hayat Susanti, Magfirawaty Rizki Yugitama, Bety Hayat Susanti,

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

On Welch-Gong Transformation Sequence Generators

On Welch-Gong Transformation Sequence Generators On Welch-Gong Transformation Sequence Generators G. Gong and A.M. Youssef Center for Applied Cryptographic Research, Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario

More information

Highly nonlinear 0-1 balanced boolean functions satisfying strict avalanche criterion

Highly nonlinear 0-1 balanced boolean functions satisfying strict avalanche criterion University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 1993 Highly nonlinear 0-1 balanced boolean functions satisfying strict

More information

Quadratic Equations from APN Power Functions

Quadratic Equations from APN Power Functions IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Optimal XOR based (2,n)-Visual Cryptography Schemes

Optimal XOR based (2,n)-Visual Cryptography Schemes Optimal XOR based (2,n)-Visual Cryptography Schemes Feng Liu and ChuanKun Wu State Key Laboratory Of Information Security, Institute of Software Chinese Academy of Sciences, Beijing 0090, China Email:

More information

Division Property: a New Attack Against Block Ciphers

Division Property: a New Attack Against Block Ciphers Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption

More information

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers

The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers The Filter-Combiner Model for Memoryless Synchronous Stream Ciphers Palash Sarkar Cryptology Research Centre Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata 700035 India palash@isical.ac.in

More information

Enumeration of Bent Boolean Functions by Reconfigurable Computer

Enumeration of Bent Boolean Functions by Reconfigurable Computer Enumeration of Bent Boolean Functions by Reconfigurable Computer J. L. Shafer S. W. Schneider J. T. Butler P. Stănică ECE Department Department of ECE Department of Applied Math. US Naval Academy Naval

More information

Boolean functions, Hadamard matrices, orthogonal designs applicable to security and communication

Boolean functions, Hadamard matrices, orthogonal designs applicable to security and communication University of Wollongong Research Online University of Wollongong Thesis Collection University of Wollongong Thesis Collections 2001 Boolean functions, Hadamard matrices, orthogonal designs applicable

More information

BENT POLYNOMIALS OVER FINITE FIELDS

BENT POLYNOMIALS OVER FINITE FIELDS BENT POLYNOMIALS OVER FINITE FIELDS ROBERT S COULTER AND REX W MATTHEWS Abstract. The definition of bent is redefined for any finite field. Our main result is a complete description of the relationship

More information

Balanced Boolean Functions with (Almost) Optimal Algebraic Immunity and Very High Nonlinearity

Balanced Boolean Functions with (Almost) Optimal Algebraic Immunity and Very High Nonlinearity Balanced Boolean Functions with (Almost) Optimal Algebraic Immunity and Very High Nonlinearity Xiaohu Tang 1, Deng Tang 1, Xiangyong Zeng and Lei Hu 3 In this paper, we present a class of k-variable balanced

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information

Cryptanalysis of the Stream Cipher ABC v2

Cryptanalysis of the Stream Cipher ABC v2 Cryptanalysis of the Stream Cipher ABC v2 Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium {wu.hongjun,bart.preneel}@esat.kuleuven.be

More information

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION Claudia Peerez Ruisanchez Universidad Autonoma del Estado de Morelos ABSTRACT In this paper is proposed a new algorithm to construct S-Boxes over

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

DES S-box Generator. 2 EPFL, Switzerland

DES S-box Generator.  2 EPFL, Switzerland DES S-box Generator Lauren De Meyer 1 and Serge Vaudenay 2 lauren.demeyer@student.kuleuven.be serge.vaudenay@epfl.ch 1 KU Leuven, Belgium 2 EPFL, Switzerland Abstract. The Data Encryption Standard (DES)

More information

Thesis Research Notes

Thesis Research Notes Thesis Research Notes Week 26-2012 Christopher Wood June 29, 2012 Abstract This week was devoted to reviewing some classical literature on the subject of Boolean functions and their application to cryptography.

More information

Computing the biases of parity-check relations

Computing the biases of parity-check relations Computing the biases of parity-check relations Anne Canteaut INRIA project-team SECRET B.P. 05 7853 Le Chesnay Cedex, France Email: Anne.Canteaut@inria.fr María Naya-Plasencia INRIA project-team SECRET

More information

All-Or-Nothing Transforms Using Quasigroups

All-Or-Nothing Transforms Using Quasigroups All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr

More information

On High-Rate Cryptographic Compression Functions

On High-Rate Cryptographic Compression Functions On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48

More information