On Cryptographic Properties of Random Boolean Functions

Transcription

1 O Cryptographic Properties of Radom Boolea Fuctios Daiel Olejár Departmet of Computer Sciece Comeius Uiversity Marti Stae Departmet of Computer Sciece Comeius Uiversity Abstract: Boolea fuctios used i cryptographic applicatios have to satisfy various cryptographic criteria. Although the choice of the criteria depeds o the cryptosystem i which they are used, there are some properties (balacedess, oliearity, high algebraic degree, correlatio immuity, propagatio criteria) which a cryptographically strog Boolea fuctio ought to have. We study the above metioed properties i the set of all Boolea fuctios (all balaced Boolea fuctios) ad prove that almost every Boolea fuctio (almost every balaced Boolea fuctio) satisfies all above metioed criteria o levels very close to optimal ad therefore ca be cosidered to be cryptographically strog. 1 Itroductio The robustess of a cryptosystem substatially depeds o its uderlyig elemets. Sice Boolea fuctios are frequetly used i various cryptosystems, it would be iterestig to determie the properties which cryptographically strog Boolea fuctios should to have ad to fid methods how to costruct them. Nevertheless, oe of these problems ca be solved i geeral. Boolea fuctios meetig all possible cryptographic requiremets do ot exist. The cryptographic research has therefore cocetrated o Boolea fuctios satisfyig criteria formulated by the desigers ad cryptaalysts of real-world cryptosystems [see Seberry 93a, 93b]. The most importat cryptographic properties of Boolea fuctios are balacedess, oliearity, satisfyig propagatio criteria, especially SAC (Strict Avalache Criterio), the absece of liear structures, high algebraic degree, correlatio immuity, etc. Boolea fuctios satisfyig some of these criteria are cosidered to be cryptographically strog. Formally: let P = (p 1,..., p m ) be a set of properties of Boolea fuctios expressed as realvalued parameters; let Λ = (λ 1,..., λ m ) deote the set of required levels of the properties P. The Boolea fuctio f is said to be cryptographically strog o the level Λ with respect to the properties P, if p i (f) λ i, i = 1,..., m; otherwise, f is cryptographically wea o the level Λ with respect to P. The choice of properties P ad settig the level Λ depeds o the cryptosystem itself, o its iteded use ad o the state-of-art of cryptaalysis. By the proper choice of P ad Λ the desiger ca shield his cryptosystem agaist ow cryptaalytic attacs based o the uderlyig Boolea fuctios, but he caot guaratee the

2 robustess of the cryptosystem either agaist uow cryptaalytic attacs or attacs usig some other wea poits of the cryptosystem. We study Boolea fuctios with respect to the above metioed criteria. The cryptographically strog Boolea fuctio i this paper meas that it satisfies the criteria at levels asymptotically equal to optimal. There is o geeral method ow (except for the full search) of how to costruct Boolea fuctios satisfyig a arbitrarily chose subset of cryptographic criteria. Sice the full search is limited to Boolea fuctios with at most five variables ad real world applicatios require Boolea fuctios with more variables, it is of iterest be iterestig to ow how cryptographic properties are distributed i the set of all -ary Boolea fuctios. Mitchell [see Mitchell 90] studied Boolea fuctios satisfyig various cryptographic criteria such as balacedess, oliearity, odegeeracy, correlatio immuity ad symmetry. He eumerated or estimated the cardiality of classes of Boolea fuctios satisfyig various combiatios of the above metioed criteria. O the other had he cosidered the cryptographic criteria as qualitative properties ad did ot distiguish, e.g. betwee strog ad wea oliearity. Moreover, he cocetrated his attetio to criteria that are combiatoricaly tractable, although their cryptographic value is at least questioable (symmetry) or to weaer criteria that follow from stroger oes (odegeeracy SAC). We adopt a differet approach we chose the most importat cryptographic properties of Boolea fuctios, cosider them as quatitative parameters ad estimate how may Boolea fuctios satisfy the particular criterio o some level or of some order. We prove that almost every Boolea fuctio satisfies the set of the most importat cryptographic criteria at the suboptimal but asymptotically optimal level. Therefore, if some Boolea fuctios at least suboptimal i the most importat cryptographic criteria are eeded, they ca be geerated at radom. 2 Prelimiaries A -ary Boolea fuctio is a mappig f : {0, 1} {0, 1}. The set (class) of all -ary Boolea fuctios will be deoted by the symbol P 2. We shall cosider oly -ary Boolea fuctios i this paper ad therefore the otio Boolea fuctio stads for -ary Boolea fuctio (if ot otherwise stated). Let M be a class of -ary Boolea fuctios, the symbol M deotes the cardiality of M. Let P be a property of Boolea fuctios ad let P(M ) deote the subclass of Boolea fuctios, P(M ) M, satisfyig P. We say that Boolea fuctio from M has property P almost surely, if lim P(M ) / M = 1. A -ary Boolea fuctio f will be described by its truth table: f(x 1,..., x ) = (f(0,..., 0), f(0,..., 0, 1),..., f(1,..., 1)). The truth table of a -ary Boolea fuctio f is a biary vector of legth 2 ad will be deoted by tt(f). Let α = (a 1,..., a m ), β = (b 1,..., b m ) be two biary vectors of legth m. The symbol α β deotes the bitwise XOR-operatio of α, β ad the symbol α, β deotes the ier product of the vectors α ad β, i.e. α, β = a 1 b 1 a 2 b 2... a m b m.

3 The Hammig weight of a biary vector α, deoted wt(α), is the umber of oes i α. The Hammig weight of a Boolea fuctio f, wt(tt(f)), will be deoted by wt(f). Let f be a -ary Boolea fuctio. The f is a balaced Boolea fuctio if wt(f) = 2 1. The set of all balaced Boolea fuctios from P2 will be deoted by Bal. The Hammig distace of vectors α, β, deoted d(α, β) = wt(α β), is the umber of bits i which α ad β differ. Let f, g be two -ary Boolea fuctios. The symbol d(f, g) deotes the Hammig distace of fuctios f, g; d(f, g) = d(tt(f), tt(g)). Let f(x 1,..., x ) be a - ary Boolea fuctio. The algebraic ormal form (ANF) of f is give by the followig represetatio of f for each x 1,..., x {0, 1}: f(x 1,..., x ) = a 0 a 1 x 1 a 2 x 2 a 3 x 2 x 1... a 2 1x... x 1, (1) where a i {0, 1}, i = 0, 1,..., 2 1, is a costat. The Boolea fuctio f(x 1,..., x ) is said to be affie if its ANF cotais oly liear terms: f(x 1,..., x ) = a 0 a 1 x 1 a 2 x 2 a 4 x 3... a 2 1x, where a j {0, 1}, j = 0, 1, 2, 4,..., 2 1. A ANF will be represeted by the vector of its coefficiets (a 0, a 1,..., a 2 1) the ANF-vector. A affie Boolea fuctio is said to be liear, if the absolute term a 0 i its ANF is equal to 0. Let f(x 1,..., x ) be a -ary Boolea fuctio. The algebraic degree of f is deg(f) = max{wt(j) a j = 1}, j where the parameter j is represeted i biary ad rages over all idices of ANF f; j = 0,..., 2 1. The algebraic degree of the Boolea fuctio f correspods to the maximal legth (umber of variables) of a cojuctio i its ANF. We will use the followig geometrical model of P2. The Boolea hypercube, B 2, is a labelled graph cotaiig 2 2 vertices v 0,..., v Each vertex of B 2 is labelled by a biary vector of legth 2. Two vertices u, v of B 2 are adjacet, if the correspodig vectors α, β differ i oe bit: d(α, β) = 1. As ca be easily see, B 2 represets P2 ; every fuctio from P2 correspods to a (uique) vertex i B 2 ad two Boolea fuctios differig i oe compoet i their truth tables, correspod to adjacet vertices i B 2. Therefore, the vertices of B 2 will be cosidered i the followig as -ary Boolea fuctios. Let B 2 be a hypercube ad let α be a vertex of B 2. The subgraph S(2, α, r) of B 2 iduced by the set of vertices {β d(α, β) r} is traditioally called the sphere of B 2 with cetre α ad diameter r. Sice we are ot iterested i coectivity ad ay similar problems, we do ot distiguish betwee the graph S(2, α, r) ad its vertex set. Boolea fuctios with various (cryptographic) properties form subgraphs of the Boolea hypercube. To estimate the size of these subgraphs, we eed a precise estimate o the umber of vertices of the sphere with diameter r. The followig asymptotic estimate of biomial coefficiet was proved by Kuth et al. [see Graham, Kuth, Patashi 94].

4 Lemma 1. Let 0 < ε < 1/6 be a costat, let 2 ( 1)(1/2+ε) be a positive iteger. The ( ) 2 +1/2 ( ) 2 1 = 22 /2 1 π 2 e O(2 (3ε 1/2) ). (2) The cardiality of S(2, α, r) will be expressed by meas of the biomial coefficiet ( ) 2 2. Its value ca be obtaied (as a special case for = 0) from (2) but a more 1 precise boud directly follows from Stirlig s formula. Lemma 2. Let be a positive iteger. The it holds ( ) ( = 1 O(2 ) ). (3) π Estimatig the size of spheres i the Boolea hypercube I this sectio we estimate the cardiality of the sphere S(2, α, r) ad fid two importat values of r. Further results of this paper are immediate applicatios of the bouds costructed i this sectio. Let for simplicity s(, r) = S(2, α, r), where α is a arbitrary vertex of B 2. Theorem 3. Let r 1 = 2 1 c 1 2 /2 ; r 2 = 2 1 c 1 lg 2 /2, where c 1 = (1 + ε 0 )(1/2) l 2 ad ε 0 > 0 is a arbitrary costat. The we have s(, r 1 ) = 2 2 O(2 ε 0 ) (4) ad s(, r 2 ) = O(2 2 / 1+ε0 ) (5) Proof. We divide the sum ( ) 2 0 r 1 ito two sums Σ 1, Σ 2 ad estimate them separately. Let m 0 = 2 2 /2, the ( ) 2 ( ) 2 = + 0 r 1 Sice the sequece ( m m 0 < r 1 ( 2 ). (6) ) is uimodal, the first sum, Σ 1, ca be bouded by the product of its last (largest) term ad the upper boud of the umber of its terms. ( 2 ) (( ) ) 2 Σ 1 < = 2 2 O m 0 e 8 = o(2 2 ), (7)

5 sice 2 e < To estimate the secod sum (Σ 2) of (6), we chage the order of summatio ad the use (2) to estimate the summad: ( 2 ) Σ 2 = 2 1 j c 1 2 /2 j<2 2 /2 = 22 +1/2 π 2 ( 1 + O(2 (3ε 1/2) ) ) e j 2 /2 1. c 1 2 /2 j<2 2 /2 Now we trasform the summatio rage by settig = j c 1 2 /2 ad the cocetrate our effort o costructig a upper boud o the sum which appears i (8) ad will be deoted by Σ 3 : +1/2 ( ) Σ 2 = O(2 (3ε 1/2) ) π 2 0 <(2 c 1 ) 2 /2 exp [ (c1 2 /2 + ) 2 ] 2 1 (8) [ ] [ ] Σ 3 = e 2c2 1 2c1 2 exp exp 0 <(2 c 1 ) 2 / /2 [ ] < e 2c2 1 2 exp 0 <(2 c 1 ) 2 1. (9) 2 /2 The sum (deoted by Σ 4 ) i (9) ca be bouded by the itegral (2 c1) 2 /2 Σ 4 < 1 + e x2 /2 1 dx, 0 which ca be expressed by the distributio fuctio of ormal distributio. Let u 2 /2 = x 2 /2 1, the Ad Σ 4 < /2 1 2π (2 c1) 2 0 e u2 /2 du = O(2 /2 ). (10) Σ 2 = 2 2 O(2 ε 0 ), (11) where ε 0 is a positive costat. Taig ito accout (11) ad (7) we obtai (4). To prove (5), it is sufficiet to estimate the value Σ 5 = s(, r 2 ) s(, r 1 ) : ( 2 ) Σ 5 = 2 1 c 1 lg 2 /2 <c 1 2 /2 = 2 2 /2 O( c 1 lg 2 /2 <c 1 2 /2 e 2 /2 1 ). (12)

6 We ca proceed i the same way as i the previous case. Let Σ 6 deote the last sum i (12). Followig the steps (9) ad (10) we obtai Σ 6 = e 2c2 1 lg O(2 /2 ) = e (1+ε 0) l 2 lg O(2 /2 ) = (1+ε 0) O(2 /2 ). Therefore ad Σ 5 = 2 2 O( (1+ε 0) ), s(, r 2 ) = 2 2 O(2 ε0 ) O( (1+ε0) ) = 2 2 O( (1+ε0) ). We shall pay special attetio to balaced Boolea fuctios because of their sigificace i cryptographic desig. To describe the cryptographic properties of a average -ary balaced Boolea fuctio, we eed to estimate the umber of balaced vectors (vertices) i S(2, α, r), with the cetre α Bal (where Bal deotes the set of all balaced Boolea fuctios of variables). To simplify the otatio, let s b (, r) deote the value i questio. Let α be the vector (truth table) of a balaced -ary Boolea fuctio. Without loss of geerality we ca assume that α = (1, 1,... 1, 0, 0,..., 0). There are o balaced eighbourig vectors, or balaced vectors lyig at odd distace from the vector-vertex α i B 2. Therefore we cout the umber of balaced vectors/vertices lyig at distace 2. Such a vector ca be obtaied from α by replacig bits from the first half of α by zeroes ad (to save the balacedess of the costructed vector) replacig zeroes from the secod half of α by oes. Therefore the umber of vertices correspodig to balaced Boolea fuctios lyig at distace 2r or smaller from α is r ( ) s b (, 2r) =. =0 Aalogously as i the previous case, we estimate the value s b (, r) ad fid two importat values of the parameter r. Theorem 4. Let r 3 = 2 1 c 3 2 /2+1 ad r 4 = 2 1 c 4 2 /2+1 lg, where c 3 = (1 + ε 0 )(l 2)/8, c 4 = (1 + ε 0 )/(8 lg e) ad ε 0 is a arbitrary positive costat. The s b (, r 3 ) = 2 2 3/2 O(2 ε 0 ) (13) s b (, r 4 ) = 2 2 /2 O(1/ 1+ε 0 ) (14) Proof. The proof of Theorem 4 is similar to the proof of Theorem 3 ad therefore omitted. Remar. I the rest of this paper the symbols c 1, c 3, c 4 ; r 1, r 2, r 3, r 4 deote costats ad values of parameter r derived i Theorems 3 ad 4.

7 4 Balacedess of Boolea fuctios Balacedess is oe of the most importat cryptographic properties of Boolea fuctios. Bijective S-boxes are created from balaced Boolea fuctios ad the equiprobability of characters of the output alphabet is the basic coditio of a cryptographically strog cryptosystem. ( ) As ca be easily see, Bal = 2 2. Lemma 2 states that the umber of 1 balaced Boolea fuctios i P2 is egligible. O the other had, almost every Boolea fuctio is almost balaced. Theorem 5. Let f be a -ary Boolea fuctio, φ() be a arbitrary fuctio such that φ() as ad let p (0, 1). The almost surely. p 2 2 /2 φ() < wt(f) < p /2 φ(), (15) Proof. The fuctio wt ca be cosidered as a radom variable o P2. Let 0 2, the Pr(wt(f) = ) = p (1 p) 2. The radom variable wt has biomial distributio with parameters 2, p. Let p = 1/2. The iequalities (15) follow from Chebyshev s iequality. 5 Noliearity of radom Boolea fuctios Affie ad liear Boolea fuctios play a peculiar role i cryptography. They are cryptographically wea to be directly used for costructio of cryptosystems, sice liear cryptosystem ca be easily broe by solvig the system of liear equatios. O the other had, affie Boolea fuctios are used i various costructios of cryptographically very strog Boolea fuctios. The (o)liearity of Boolea fuctios is a qualitative property; to express the measure of oliearity, we shall use the followig defiitio [see Pieprzy, Fielstei 88]. For ay Boolea fuctio f, defie N f = mi{d(f, l)}, l where l is a arbitrary affie Boolea fuctio. Obviously, the oliearity of a affie Boolea fuctio is zero; the maximal value of the parameter N f is [see Seberry, Zhag, Zheg 93a] N f /2 1. (16) The oliearity of balaced Boolea fuctios is below the maximal value (16). The followig bouds ca be foud i [Seberry, Zhag, Zeg 93a]: { 2 N f , eve , odd where x deotes the maximum eve iteger less tha or equal to x. We prove lower bouds o the oliearity of almost all -ary (balaced) Boolea fuctios.

8 Theorem Let f be a -ary Boolea fuctio ad let g be a -ary balaced Boolea fuctio. The N f 2 1 c 1 2 /2, (17) almost surely. N g 2 1 c 3 2 /2+1, (18) Proof. Let r r 1 [see remar below Theorem 4]. If the spheres with cetres i affie fuctios were disjoit, they would cotai 2 +1 s(, r 1 ) = 2 2 O(2 ε0 ) vertices. Aalogously, 2 +1 disjoit spheres with diameter r r 3 cotai at least 2 +1 s b (, r 3 ) = 2 2 /2 O(2 ε 0 ) balaced Boolea fuctios. This is egligible with respect to the umber of all -ary balaced Boolea fuctios. 6 Correlatio immuity Boolea fuctios are sometimes used as oliear filters of cryptosystems cosistig of some liear feedbac shift registers (LFSRs). If the filterig fuctio leas some iformatio o oe of its iput bits (the output of a LFSR), a successful cryptaalytic attac ca be mouted based o this weaess. To avoid the correlatio attac the filterig fuctio has to be correlatio immue, [see Siegethaler 84, Seberry, Zhag, Zheg 93b]. Defiitio 7. A -ary Boolea fuctio f is correlatio immue of order, deoted CI, if ad oly if the fuctio f(x) x, α is balaced for every α {0, 1}, 1 wt(α). I other words, f is CI iff the Hammig distace betwee f ad ay ocostat affie fuctio l depedig o less tha or equal to variables, is exactly 2 1. Therefore correlatio immuity is a qualitative property. We itroduce aother measure of correlatio immuity couted correlatio characteristic CCC. Defiitio 8. Let f be a -ary Boolea fuctio. The couted correlatio characteristic of order of the Boolea fuctio f is CCC (f) = mi {wt(g α,a )}, α;1 wt(α) a {0,1} where for fixed α {0, 1} ad a {0, 1}, g α,a is the Boolea fuctio defied by g α,a (x) = f(x) x, α a for each x {0, 1}. As ca be easily see, if CCC (f) = 2 1 the the fuctio f satisfies CI (ad vice versa). We estimate the typical value of CCC. This is almost the same problem as was studied before (the oliearity of a average Boolea fuctio) sice we have to estimate the umber of Boolea fuctios lyig i spheres with cetres i some (chose) affie fuctios. Therefore the oliearity of a radom Boolea fuctio f provides a lower boud o the couted correlatio characteristic of f, too. Thus we have from Theorem 6.

9 Theorem 9. The couted correlatio characteristic of order of a -ary Boolea fuctio f satisfies the followig iequality almost surely CCC (f) 2 1 d 2 /2, (19) where 1, ad d is a positive costat depedig o. Remar. Though the strict correlatio immuity is a rather restrictive property, almost all Boolea fuctios are almost correlatio immue. The order of CCC does ot ifluece the value of CCC substatially. Let us estimate CCC 1 of a radom Boolea fuctio. Taig ito accout the fact that there are 2 affie Boolea fuctios depedig o 1 variable ad usig the upper bouds (5) ad (13) we have almost surely ad for balaced fuctios CCC c 1 lg 2 /2 ; CCC c 4 lg 2 /2+1 ; where c 1, c 4 are costats defied i Theorems 3 ad 4. 7 Propagatio characteristics Boolea fuctios used i cryptographic applicatios have to be very sesitive to small chages of their iputs. That meas, if the iput value of a Boolea fuctio f is chaged, its output value would chage with probability 1/2, too. More precisely, we have the followig defiitio. Defiitio 10. A -ary Boolea fuctio f satisfies the propagatio criterio of order (P C ), if wt(f(x) f(x α)) = 2 1, (20) for each α {0, 1}, 1 wt(α). The case = 1 is of special importace ad is referred to as the Strict Avalache Criterio (SAC) ad was itroduced by Webster ad Tavares [see Webster, Tavares 86]. The eumeratio of the set of (-ary) Boolea fuctios satisfyig P C is a very hard combiatorial problem. Tavares [see Tavares 96] preseted the followig asymptotic boud (costructed by Daiel Biss i 1996) o Pragocrypt 96 SAC() 22 2 /2+ π /2. That meas, the average Boolea fuctio does ot satisfy SAC. O the other had, if we replace the strict coditio of balacedess i (20) by ear-balacedess, we obtai a large set of Boolea fuctios which are still strog eough for cryptographic applicatios.

10 Defiitio 11. Let f be a -ary Boolea fuctio. The couted propagatio characteristic of order of the Boolea fuctio f is CP C (f) = mi {wt(g α)}, (21) α;1 wt(α) where for fixed α {0, 1}, g α is the Boolea fuctio defied by g α (x) = f(x) f(x α) for each x {0, 1}. As ca be easily see, if f meets P C, the CP C (f) = 2 1. Now we cocetrate o the CP C 1 ad costruct a upper boud o the umber of all -ary Boolea fuctios with CP C 1 r. Sice CP C, = 1,...,, is always eve, we cosider oly eve values of r. Let G,r,α (respectively, G, r,α ) deote the set of all -ary Boolea fuctios g satisfyig wt(g α ) = r (respectively, wt(g α ) r), where for fixed α {0, 1}, g α is the Boolea fuctio defied by g α (x) = g(x) g(x α) for each x {0, 1}. Let G, r,m = G, r,α ad G,r,m = G,r,α. α; 1 wt(α) m α; wt(α)=m We estimate G,2,1. Let g G,2,1. There exists a vector β {0, 1} (wt(β) = 1), such that wt(g(x) g(x β)) = 2 (ad for a arbitrary vector γ {0, 1} (wt(γ) = 1): wt(g(x) g(x γ)) 2). Without loss of geerality we assume that β = (1, 0,..., 0). Let (g 0, g 1,..., g 2 1) be the truth table of g. Sice g G,2,β, there exists a -set I of idices; I = {i 1,..., i } where i j {0,..., 2 1 1} for j = 1,..., such that { gi if i I g i = ; g i+2 1 else. ( ) The idex set I ca be chose i 2 1 ways ad there are how to choose the values of g i, i = 0,..., Therefore ( ) 2 1 G,2,β = ways If CP C 1 (g) = 2, the obviously g γ; wt(γ)=1 G,2,γ, ad therefore the umber of g s satisfyig CP C 1 (g) = 2 does ot exceed times G,2,β. Now we ca estimate the value of CP C 1 of a radom Boolea fuctio. Theorem 12. Let f be a -ary Boolea fuctio. The almost surely. CP C 1 (f) (+1)/2 c 1 lg( 1)

11 Proof. Let r = (+1)/2 c 1 lg( 1). We prove that G, r,1 = o(2 2 ). Sice G, r,1 = G, r,γ, γ; wt(γ)=1 we have from the remar precedig Theorem 12 that: G, r,1 = γ; wt(γ)=1 G, r,γ r/2 ( 2 1 To estimate the sum, we use (5) (Theorem 3): ( ) G, r,1 = O = O(2 2 / ε0 ) = o(2 2 ). ( 1) 1+ε0 ). The theorem follows. Remar. If we eed to fid the lower boud of CP C q (for q {1,..., }) of a average Boolea fuctio, we have to fid a maximal r such that ( ) ( ) i is o(2 2 ). 0 i q 0 r/2 Remar. The method used i costructio of the lower boud i CP C 1 i Theorem 12 is ot applicable to the costructio of a boud o CP C 1 for balaced Boolea fuctios. Therefore the problem of fidig better lower bouds o CP C 1 for balaced Boolea fuctios remais still ope. 8 The algebraic degree The algebraic degree is oe of the oliearity measures of Boolea fuctio. The Boolea fuctios with small algebraic degree (liear, quadratic) are i geeral cosidered to be less suitable for cryptographic applicatios tha those with higher degree, although there are large classes of cryptographically strog Boolea fuctios with small algebraic degree (e.g. quadratic bet fuctios). We prove that almost every (balaced) Boolea fuctio has maximal or almost maximal algebraic degree. Boolea fuctios will be represeted by their ANF-vectors. Let tt(f) be the truth table of a Boolea fuctio f, the the correspodig ANF-vector ANF (f) is tt(f) A, where A is a biary matrix of order 2 2 defied recursively: ( ) A 1 A A 0 = (1); A = A 1 where 0 1 deotes the zero matrix of order Now we ca estimate the algebraic degree of radom Boolea fuctios.

12 Theorem Let f be a radom -ary Boolea fuctio. The deg(f) 1 almost surely. 2. Let g be a radom -ary balaced Boolea fuctio. The deg(g) = 1 almost surely. Proof. There are = o(2 2 ) Boolea fuctios with algebraic degree less tha 1. Sice = o( Bal ) [see Lemma 2], the algebraic degree of almost every -ary balaced Boolea fuctio is at least 1. Let g be a balaced -ary Boolea fuctio. The last colum i A cotais oly oes ad therefore the last elemet of its ANF-vector is equal to 0: a 2 1 = 0. Cosequetly, deg(g). The theorem follows. 9 Coclusios We have show that almost every -ary (balaced) Boolea fuctio has such cryptographically strog properties as high oliearity, high algebraic degree, correlatio immuity ad almost optimal propagatio characteristics. Sice the umber of Boolea fuctios ot satisfyig a particular criterio (o a sufficietly high level) is o(2 2 ), we ca say that a average -ary Boolea fuctio is (for a large eough ) cryptographically strog. Theorem 14. Let f be a -ary Boolea fuctio, let g be a -ary balaced Boolea fuctio ad φ() as. The the fuctios f, g have the followig properties almost surely /2 φ() wt(f) /2 φ(), N f 2 1 c 1 2 /2 ; N g 2 1 c 3 2 /2+1 ; CCC (f) 2 1 d 2 /2 ; CCC (g) 2 1 d 2 /2 ; CCC 1 (f) 2 1 c 1 2 /2 lg ; CCC 1 (g) 2 1 c 4 2 /2+1 lg ; CP C 1 (f) (+1)/2 c 1 lg( 1); deg(f) 1; deg(g) = Acowledgemet We would lie to tha the aoymous referees whose commets helped i improvig the presetatio of this paper.

13 11 Refereces [Graham, Kuth, Patashi 94] Graham R.L., Kuth D.E., Patashi O.: Cocrete Mathematics: A Foudatio for Computer Sciece ; Addiso-Wesley, Secod Editio, (1994). [Mitchell 90] Mitchell Ch.: Eumeratig Boolea fuctios of Cryptographic Sigificace ; Joural of Cryptology, Vol. 2, No. 3, (1990), [Pieprzy, Fielstei 88] Pieprzy J., Fielstei G.: Towards effective oliear cryptosystem desig ; IEE Proceedigs (Part E), (1988), 135: [Siegethaler 84] Siegethaler T.: Correlatio-immuity of oliear combiig fuctios for cryptographic applicatios ; IEEE Trasactios o Iformatio Theory, IT-30, (1984), 5: [Seberry, Zhag, Zheg 93a] Seberry J., Zhag X.-M., Zheg Y.: Noliearity ad Propagatio Characteristics of Balaced Boolea Fuctios ; Techical Report o. 4, Computer Security Research Cetre, Uiversity of Wollogog, Australia, (1993). [Seberry, Zhag, Zheg 93b] Seberry J., Zhag X.-M., Zheg Y.: O Costructios ad Noliearity of Correlatio Immue Fuctios ; Advaces i Cryptology EUROCRYPT 93, Spriger-Verlag, (1993), [Tavares 96] Tavares S.E.: persoal commuicatio. [Webster, Tavares 86] Webster A.F., Tavares S.E.: O the desig of S-boxes ; I Advaces i Cryptology: Crypto 85 Proceedigs, Spriger-Verlag, LNCS vol. 219, (1986),