Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

Similar documents
1-Resilient Boolean Function with Optimal Algebraic Immunity

arxiv: v5 [cs.it] 4 Nov 2009

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function

Decomposing Bent Functions

Construction of 1-Resilient Boolean Functions with Optimal Algebraic Immunity and Good Nonlinearity

Correcting Codes in Cryptography

Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity

Haar Spectrum of Bent Boolean Functions

Balanced Boolean Functions with (Almost) Optimal Algebraic Immunity and Very High Nonlinearity

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

MathCheck: A SAT+CAS Mathematical Conjecture Verifier

On a generalized combinatorial conjecture involving addition mod 2 k 1

Non-Separable Cryptographic Functions

Decomposed S-Boxes and DPA Attacks: A Quantitative Case Study using PRINCE

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d

The Analysis of affinely Equivalent Boolean Functions

A construction of Boolean functions with good cryptographic properties

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Secret-sharing with a class of ternary codes

Balanced Boolean Function on 13-variables having Nonlinearity strictly greater than the Bent Concatenation Bound

Hadamard ideals and Hadamard matrices with two circulant cores

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Hadamard matrices of order 32

Complete characterization of generalized bent and 2 k -bent Boolean functions

Third-order nonlinearities of some biquadratic monomial Boolean functions

Perfect Algebraic Immune Functions

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

On Cryptographic Properties of the Cosets of R(1;m)

A New Class of Bent Negabent Boolean Functions

Formulas for cube roots in F 3 m

Analysis of Some Quasigroup Transformations as Boolean Functions

CCZ-equivalence and Boolean functions

On Good Matrices and Skew Hadamard Matrices

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Differential properties of power functions

Sequences, DFT and Resistance against Fast Algebraic Attacks

Constructing differential 4-uniform permutations from know ones

Statistical and Linear Independence of Binary Random Variables

Rank and Kernel of binary Hadamard codes.

On values of vectorial Boolean functions and related problems in APN functions

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Generalized hyper-bent functions over GF(p)

Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets

Towards Provable Security of Substitution-Permutation Encryption Networks

Generalized Correlation Analysis of Vectorial Boolean Functions

Some remarks on Hadamard matrices

Division of Trinomials by Pentanomials and Orthogonal Arrays

DPA Attacks and S-Boxes

Some new constructions of orthogonal designs

Cryptographic Properties of the Hidden Weighted Bit Function

Hadamard matrices of order 32

Quadratic Almost Perfect Nonlinear Functions With Many Terms

Perfect Diffusion Primitives for Block Ciphers

Optimal XOR based (2,n)-Visual Cryptography Schemes

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

A Sound Method for Switching between Boolean and Arithmetic Masking

Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice

Multiplicative Complexity Reductions in Cryptography and Cryptanalysis

Some properties of q-ary functions based on spectral analysis

Céline Blondeau, Anne Canteaut and Pascale Charpin*

Smart Hill Climbing Finds Better Boolean Functions

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

Uniform First-Order Threshold Implementations

The maximal determinant and subdeterminants of ±1 matrices

On Using Genetic Algorithms for Intrinsic Side-Channel Resistance: The Case of AES S-Box

Statistical Properties of Multiplication mod 2 n

New Construction of Single Cycle T-function Families

LIFTED CODES OVER FINITE CHAIN RINGS


A matrix approach for constructing quadratic APN functions

DIFFERENTIAL FAULT ANALYSIS ATTACK RESISTANT ARCHITECTURES FOR THE ADVANCED ENCRYPTION STANDARD *

On The Nonlinearity of Maximum-length NFSR Feedbacks

Constructions of Quadratic Bent Functions in Polynomial Forms

Week 15-16: Combinatorial Design

Characterization of Negabent Functions and Construction of Bent-Negabent Functions with Maximum Algebraic Degree

Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks

Constructing Vectorial Boolean Functions with High Algebraic Immunity Based on Group Decomposition

Revisit and Cryptanalysis of a CAST Cipher

GENERATING TERNARY SIMPLEX CODES ARISING FROM COMPLEX HADAMARD MATRICES

arxiv: v4 [math.co] 12 Feb 2017

Templates as Master Keys

Visual cryptography schemes with optimal pixel expansion

Side-Channel Leakage in Masked Circuits Caused by Higher-Order Circuit Effects

Several Masked Implementations of the Boyar-Peralta AES S-Box

A Proposition for Correlation Power Analysis Enhancement

Efficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Analysis of cryptographic hash functions

Trades in complex Hadamard matrices

On Welch-Gong Transformation Sequence Generators

A Collision-Attack on AES Combining Side Channel- and Differential-Attack

New Constructions for Resilient and Highly Nonlinear Boolean Functions

Open problems related to algebraic attacks on stream ciphers

Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )

Computers and Mathematics with Applications

On the Symmetric Property of Homogeneous Boolean Functions

Maiorana-McFarland class: Degree optimization and algebraic properties

Binary codes of t-designs and Hadamard matrices

Transcription:

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights Qichun Wang Abstract It is known that correlation-immune (CI) Boolean functions used in the framework of side channel attacks need to have low Hamming weights. In 201, Bhasin et al. studied the minimum Hamming weight of d-ci Boolean functions, and presented an open problem: the minimal weight of a d-ci function in n variables might not increase with n. Very recently, Carlet and Chen proposed some constructions of lowweight CI functions, and gave a conjecture on the minimum Hamming weight of -CI functions in n variables. In this paper, we determine the values of the minimum Hamming weights of d-ci Boolean functions in n variables for infinitely many n s and give a negative answer to the open problem proposed by B- hasin et al. We then present a method to construct minimum-weight 2-CI functions through Hadamard matrices, which can provide all minimum-weight 2-CI functions in k 1 variables. Furthermore, we prove that the Carlet-Chen conjecture is equivalent to the famous Hadamard conjecture. Most notably, we propose an efficient method to construct low-weight n-variable CI functions through d-linearly independent sets, which can provide numerous minimum-weight d-ci functions. Particularly, we obtain some new values of the minimum Hamming weights of d-ci functions in n variables for n 1. We conjecture that the functions constructed by us are of the minimum Hamming weights if the sets are of absolute maximum d-linearly independent. If our conjecture holds, then all the values for n 1 and most values for general n are determined. Keywords: Boolean functions, Correlation-immune, Minimum-weight, Hadamard matrices, d-linearly independent sets. MSC 2010: 9C10, 05B20, 11T71, 0E75. School of Computer Science and Technology, Nanjing Normal University, Nanjing, P.R.China 21006. E-mail: qcwang@fudan.edu.cn. 1

1 Introduction Side-channel analysis is a very powerful technique which target implementations of block ciphers [11, 12, 15, 16]. To resist side channel attacks, many possible countermeasures have been proposed, and correlation-immune (CI) Boolean functions with low Hamming weights can be used in the framework [5, 1, 1, 19]. To reduce the cost overhead of countermeasures, one needs to construct d-ci functions with the weight as small as possible, or maximizing d for a given weight [2, 5]. In [2], Bhasin et al. studied the minimum Hamming weight of d-ci Boolean functions, and presented an open problem: the minimal weight of a d-ci function in n variables might not increase with n. In [], Carlet and Chen proposed some constructions of low-weight CI functions, and conjectured that the minimum Hamming weight of -CI functions in n variables is 8 n. In this paper, we prove that the minimum Hamming weight of -CI n-variable Boolean functions is lower bounded by 8 n, and then present a method to construct minimum-weight 2-CI functions through Hadamard matrices, which can provide all minimum-weight 2-CI Boolean functions in k 1 variables. We thus determine the values of the minimum Hamming weights for infinitely many n s and give a negative answer to the open problem proposed by Bhasin et al. Furthermore, we prove that the Carlet- Chen conjecture is equivalent to the famous Hadamard conjecture. Most notably, we propose an efficient method to construct low-weight n-variable CI functions through d-linearly independent sets, which can provide numerous minimum-weight d-ci functions. Particularly, we obtain some new values of the minimum Hamming weights of d-ci functions in n variables for n 1. We conjecture that the functions constructed by us are of the minimum Hamming weights if the sets are of absolute maximum d-linearly independent. If our conjecture holds, then all the values for n 1 and most values for general n are determined. The paper is organized as follows. In Section 2, the necessary background is established. We then study the relationship between Hadamard matrices and minimum-weight d-ci functions in Section. In Section, we study the relationship between d-linearly independent sets and low-weight d-ci functions. We end in Section 5 with conclusions. 2

2 Preliminaries Let F n 2 be the n-dimensional vector space over the finite field F 2. We denote by B n the set of all n-variable Boolean functions, from F n 2 into F 2. Any Boolean function f B n can be represented by its truth table [f(0, 0,..., 0), f(1, 0,..., 0), f(0, 1,..., 0), f(1, 1,..., 0),..., f(1, 1,..., 1)]. Let a = (a 1,..., a n ) F n 2. The Hamming weight of a, denoted by w H(a), is the cardinality of the set {1 i n a i = 1}. Let Supp(f) = {x F n 2 f(x) = 1} be the support of a Boolean function f B n, whose cardinality Supp(f) is called the Hamming weight of f, and will be denoted by w H (f). Clearly, f is determined by Supp(f) uniquely. We say that f is balanced if w H (f) = 2 n 1. Let f B n. f is called correlation-immune of order d (in brief, d-ci) if and only if ( 1) f(x) v x = 0, x F n 2 for any v = (v 1,..., v n ) F n 2 satisfying 1 w H(v) d, where v x = v 1 x 1 + + v n x n is the usual inner product [, 6, 18, 21]. Clearly, for 0 v F n 2, we have ( 1) f(x) v x = ( 1) 1 v x + ( 1) v x = 2 ( 1) v x. x F n 2 x Supp(f) Therefore, f is d-ci if and only if x Supp(f) x/ Supp(f) ( 1) v x = 0, x Supp(f) for any v F n 2 satisfying 1 w H(v) d. A matrix H of order n is called a Hadamard matrix if HH T = ni n, where I n is the n n identity matrix and H T is the transpose of H [9]. Hadamard matrices and minimum Hamming weights of d-ci Boolean functions.1 On the minimum weight of -CI Boolean functions Using the same notation as that of [], we denote the minimum Hamming weight of d-ci nonzero Boolean functions in n variables as w n,d.

Lemma.1 (Proposition 2.6 of []). Let d be an even integer such that n d 2. Then w n+1,d+1 = 2w n,d. Theorem.2. Let n be any integer. Then w n, 8 n. That is, w n,2 n+1, for n 2. Proof. By Lemma.1, it is sufficient to prove that w n,2 n+1, for n 2. Suppose there is an n 2 such that m = w n,2 < n+1. Then there exists a 2-CI f B n with the Hamming weight m. It is well known that deg(f) n 2 and m is a multiple of. Therefore, m n+1 < n+1. Let the support of f be {(a i1, a i2,..., a in )}, where 1 i m. Let M be the matrix a 11 a 12 a 1n M = a 21 a 22 a 2n = [p 1,..., p n ], a m1 a m2 a mn where p j = (a 1j, a 2j,..., a mj ) T and 1 j n. Since f is 2-CI, we have w H (p j ) = m 2 and w H(p j1 p j2 ) = m 2, where 1 j n and 1 j 1 < j 2 n. Therefore, { m p T i 1 p i2 = 2 if i 1 = i 2, m otherwise. We construct an m (n + 1) matrix H as follows. Then H = 1 ( 1) a 11 ( 1) a 12 ( 1) a 1n 1 ( 1) a 21 ( 1) a 22 ( 1) a 2n 1 ( 1) a m1 ( 1) a m2 ( 1) amn H T H = mi, where I is the identity (n + 1) (n + 1) matrix. Therefore, n + 1 = rank(h T H) rank(h) m < n + 1, which is a contradiction, and the result follows. By Theorem.2, if we can find a 2-CI n-variable Boolean function with the weight n+1, then the values of w n,2 and w n+1, are both determined. We now give a method to construct minimum-weight 2-CI n-variable functions through Hadamard matrices, for infinitely many n s..

Construction 1: Let H be any k k Hadamard matrix. By negating columns of H, we can get a matrix whose first row is (1, 1,..., 1). We delete this row and denote the induced (k 1) k matrix as H = ( 1) a 1,1 ( 1) a 1,2 ( 1) a 1,k ( 1) a 2,1 ( 1) a 2,2 ( 1) a 2,k ( 1) a k 1,1 ( 1) a k 1,2 ( 1) a k 1,k where a i,j F 2, 1 i k 1 and 1 j k. Let q j = (a 1,j,..., a k 1,j ), where 1 j k. Then we construct a function f B k 1 whose support is {q 1, q 2,..., q k }. We give an example to illustrate the construction. Example 1: Take the Hadamard matrix H = 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1. Negate the last column and then delete the first row, we have H That is, H = 1 1 1 1 1 1 1 1 1 1 1 1 ( 1) 0 ( 1) 0 ( 1) 1 ( 1) 1 ( 1) 0 ( 1) 1 ( 1) 0 ( 1) 1 ( 1) 1 ( 1) 0 ( 1) 0 ( 1) 1 Then the support of f B defined in Construction 1 is {(0, 0, 1), (0, 1, 0), (1, 0, 0), (1, 1, 1)}. Proposition.. Let H be any k k Hadamard matrix, and f B k 1 be the function defined in Construction 1. Then f is a 2-CI Boolean function with the minimum Hamming weight. Proof. Since H is a Hadamard matrix, the rows of the induced matrix H = [( 1) a i,j ] in Construction 1 are mutually orthogonal and they are all orthogonal to the vector (1, 1,..., 1). Let p i = (a i,1, a i,2,..., a i,k ), where.,. 5

1 i k 1. Then w H (p i ) = 2k and w H (p i1 p i2 ) = 2k, where 1 i k 1 and 1 i 1 < i 2 k 1. Therefore, f is 2-CI. Since w H (f) = k = k 1+1, by Theorem.2, f is a 2-CI Boolean function with the minimum Hamming weight. Corollary.. If there exists a Hadamard matrix H of order k, then w k, = 2k. In [2], Bhasin et al. presented an open problem: the minimal weight of a d-ci function in n variables might not increase with n. By Corollary., we can give a negative answer to this problem, since there are infinitely many Hadamard matrices..2 Equivalence of the Hadamard and Carlet-Chen conjectures Hadamard conjectured that there exists a Hadamard matrix of order k for every positive integer k. After more than one hundred years, this conjecture still remains open. Conjecture.5 (Hadamard Conjecture). A Hadamard matrix of order k exists for every positive integer k. There are many results on this conjecture (see e.g. [1, 7, 8, 10, 17, 20]). The smallest order for which no Hadamard matrix has been known is 668. In [], based on the numerical results, Carlet and Chen proposed the following conjecture. Conjecture.6 (Carlet-Chen Conjecture). Let n be any integer. Then w n, = 8 n. We now prove that the above two conjectures are equivalent. Theorem.7. The Carlet-Chen conjecture is equivalent to the Hadamard conjecture. Proof. If the Carlet-Chen conjecture holds, then for any positive integer k, we have w k, = 8k. Hence, w k 1,2 = k. That is, there exists a 2-CI f B k 1 with the Hamming weight k. Let the support of f be {(a i,1, a i,2,..., a i,k 1 )}, where 1 i k. We construct a k k matrix 6

H as follows. H = 1 ( 1) a 1,1 ( 1) a 1,2 ( 1) a 1,k 1 1 ( 1) a 2,1 ( 1) a 2,2 ( 1) a 2,k 1 1 ( 1) a k,1 ( 1) a k,2 ( 1) a k,k 1 Then H T H = ki, where I is the identity k k matrix. That is, H T is a Hadamard matrix of order k. Now suppose the Hadamard conjecture is correct. Then for any positive integer k, there exists a Hadamard matrix H of order k. By Proposition., the function defined in Construction 1 is a 2-CI Boolean function with the Hamming weight k. Therefore, w k 1,2 k. By Lemma.1 and Theorem.2, we have w k, = 8k. For 1 t, we have w k+t, w k+, = 8(k+1). Then by Theorem.2, 8(k + 1) w k+t, 8 k+t = 8(k + 1), and the result follows. From the proof of Theorem.7, for any minimum-weight 2-CI function f B k 1, there always exists a Hadamard matrix of order k such that the function defined in Construction 1 is the same as f. In other words, our construction can provide all minimum-weight 2-CI Boolean functions in k 1 variables. d-linearly independent sets and d-ci Boolean functions with low Hamming weights.1 d-linearly independent sets We now introduce the notion, d-linearly independent set, which will be used in our construction of d-ci Boolean functions with low Hamming weights. Definition.1. A subset of F m 2 is said to be d-linearly independent if no vector in the set can be written as a linear combination of any other d 1 vectors in the set. Definition.2. A subset S of F m 2 with k vectors is set to be a relative maximum d-linearly independent set if S is not a subset of any d-linearly independent set of F m 2 with k + 1 vectors. Clearly, any d-linearly independent set can be extended to a relative maximum d-linearly independent set, and the rank of a relative maximum d-linearly independent set is m.. 7

Definition.. A subset of F m 2 with k vectors is set to be an absolute maximum d-linearly independent set if there is no d-linearly independent set of F m 2 with k + 1 vectors. We denote this maximum value k as v m,d. It is easy to see that v m,2 = 2 m 1 and v m,d1 v m,d2 for d 1 < d 2. We now determine other values of v m,d. Proposition.. The cardinality of an absolute maximum -linearly independent set of F m 2 is 2m 1. That is, v m, = 2 m 1. Proof. Suppose there exists a -linearly independent set {p 1, p 2,..., p 2 m 1 +1} F m 2. Then we construct a set T = {p i, 1 i 2 m 1 + 1} {p 1 + p j, 2 j 2 m 1 + 1}. Clearly, the cardinality of the set T is 2 m 1 + 1 + 2 m 1 > 2 m, which is contradictory to the fact that T is a subset of F m 2. Therefore, v m, 2 m 1. Clearly, the set S = {p F m 2 w H (p) is odd} is a -linearly independent set with 2 m 1 vectors, and the result follows. Proposition.5. For m 5 and d 2m+2, the cardinality of an absolute maximum d-linearly independent set of F m 2 is m + 1. That is, v m,d = m + 1, for d 2m+2. Proof. Let S = {p 1, p 2,..., p t } F m 2 be any absolute maximum d-linearly independent set. Take a basis of S, say {p 1, p 2,..., p m }. Then any vector in S can be written as a linear combination of the basis vectors. We have p 1 1 0... 0 p 2 0 1... 0............... p 1 p m = 0 0... 1 p 2 p m+1 c m+1,1 c m+1,2... c m+1,m...,............... p m p t c t,1 c t,2... c t,m where (c i,1, c i,2,..., c i,m ) F m 2, for m + 1 i t. Therefore, T = {(1, 0,..., 0),..., (0, 0,..., 1), (c m+1,1,..., c m+1,m ),..., (c t,1,..., c t,m )} is an absolute maximum d-linearly independent set. Since d 2m+2, there is no vector q T with 1 < w H (q) < 2m+2. Moreover, there do not exist two 8

Table 1: The values of v m,d d m 5 6 7 8 9 2 7 15 1 6 127 255 511 8 16 2 6 128 256 5 6 8 11 1 15 5 6 7 9 12 1 6 7 8 9 12 7 8 9 10 different vectors q 1, q 2 T such that w H (q 1 ) 2m+2 and w H (q 2 ) 2m+2 Otherwise, q 1 q 2 is of the Hamming weight 2m = 2m + 2 and it can be written as a linear combination of other 2m+2 2 vectors in T. Therefore, the cardinality of T is at most m + 1. Clearly, the set 2 S = {p F m 2 w H (p) = 1 or m} is a d-linearly independent set with m+1 vectors, and the result follows. If m is small, it is quite easy to determine the values of v m,d. In Table 1, we list all the values of v m,d, for m 9...2 An efficient method to construct d-ci Boolean functions with low Hamming weights We now give a method to construct low-weight d-ci n-variable functions through d-linearly independent sets. Construction 2: Let S = {u 1,..., u k } F m 2 be a d-linearly independent set. Let l j B m be the linear function u j x, where x F m 2 and is the usual inner product. The truth table of l j is denoted by the column vector p j = (a 1,j, a 2,j,..., a 2 m,j) T. Let a 1,1 a 1,2 a 1,k q 1 M = [p 1,..., p k ] = a 2,1 a 2,2 a 2,k = q 2, a 2 m,1 a 2 m,2 a 2 m,k q 2 m 9

where q i F k 2 and 1 i 2m. Then we construct a function f B k whose support is {q 1, q 2,..., q 2 m}. We give an example to illustrate the construction. Example 2: Take m = 7 and S ={(1, 0, 0, 0, 0, 0, 0), (0, 1, 0, 0, 0, 0, 0), (0, 0, 1, 0, 0, 0, 0), (0, 0, 0, 1, 0, 0, 0), (0, 0, 0, 0, 1, 0, 0), (0, 0, 0, 0, 0, 1, 0), (0, 0, 0, 0, 0, 0, 1), (1, 1, 1, 1, 0, 0, 0), (1, 1, 0, 0, 1, 1, 0), (1, 0, 1, 0, 1, 0, 1), (1, 1, 1, 1, 1, 1, 1)}. Clearly, S is a -linearly independent set with 11 vectors. We have l 1 = x 1, l 2 = x 2, l = x, l = x, l 5 = x 5, l 6 = x 6, l 7 = x 7, l 8 = x 1 x 2 x x, l 9 = x 1 x 2 x 5 x 6, l 10 = x 1 x x 5 x 7, l 11 = x 1 x 2 x x x 5 x 6 x 7. Then we can get the function f B 11 by Construction 2 with the support {(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0), (1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0), (0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0), (1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0),..., (0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0), (1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0)} It is easy to check that f is a -CI Boolean function with the Hamming weight 128. Therefore, w 11, 128. Since w 11, w 10, = 128, we have w 11, = 128. This is a previously unknown value, thus a triple question mark??? in Table II of [] can be taken place by it. Proposition.6. Let f B k be the function defined in Construction 2. Then f is a d-ci Boolean function with the Hamming weight 2 m. Proof. Clearly, f is d-ci if and only if ( 1) v x = 0, x Supp(f) for any v = (v 1,..., v k ) F k 2 satisfying 1 w H(v) d. That is, w H (v 1 p 1... v k p k ) = 2 m 1, for any v F k 2 with 1 w H(v) d. Since S is a d-linearly independent set, for any v F k 2 with 1 w H(v) d, we have v 1 u 1 +... + v k u k 0. Therefore, v 1 l 1... v k l k = (v 1 u 1 +... + v k u k ) x is a balanced function, and the result follows. 10

Table 2: The values of w n,d d n 1 2 5 6 7 8 1 2 2 2 2 8 2 8 8 16 5 2 8 16 16 2 6 2 8 16 2 2 6 7 2 8 16 6 6 6 128 8 2 12 16 6 128 128 128 256 9 2 12 2 128 128 256 256 256 10 2 12 2 128 256 512 512 512 11 2 12 2 128 256 512 102 102 12 2 16 2 256? 256 512 102 208 1 2 16 2 256? 512? 102? 102 096 Theorem.7. Let v m,d be the cardinality of the absolute maximum d- linearly independent set of F m 2. Then w vm,d,d 2 m. Proof. Let S = {u 1,..., u k } F m 2 be an absolute maximum d-linearly independent set. Then k = v m,d. By Construction 2, we can generate a function f B vm,d. By Proposition.6, f is a d-ci Boolean function with the Hamming weight 2 m. Therefore, w vm,d,d 2 m. For n 1, there are 8 unknown values of w n,d (see Table II of []). By Theorem.7 and Table 1, we can determine the exact values for half of them. That is, w 11, = 128, w 12,5 = 256, w 12,6 = 512 and w 1,7 = 102. For other four unknown values, Theorem.7 provides an upper bound. In Table 2, we list the values of w n,d for n 1. All values for n 10 can be determined by the SMT tool [2], and those entries in italic are new values obtained by [2, ]. Those entries in bold are new values obtained by us. A question mark? indicates that the value is the upper bound deduced from 11

Theorem.7. In Appendix A, we give an example of the 12-variable 6-CI Boolean function with the minimum Hamming weight. By computing v m,d and w vm,d,d, for small m and d, we find that w vm,d,d = 2 m always holds. So we propose the following conjecture. Conjecture.8. Let v m,d be the cardinality of the absolute maximum d- linearly independent set of F m 2. Then w vm,d,d = 2 m. It is noted that if Conjecture.8 holds, then all the values of w n,d for n 1 and most values for general n are determined. Moreover, the functions generated by Construction 2 using absolute maximum d-linearly independent sets are minimum-weight d-ci Boolean functions. Anyway, given an absolute maximum d-linearly independent set S, Construction 2 can provide a d-ci Boolean function with low weight. That is, we have transformed the problem of finding low-weight correlation-immune Boolean functions to the problem of finding absolute maximum d-linearly independent sets, which can be done very efficient. 5 Conclusion In this paper, we studied the relationships between Hadamard matrices, d- linearly independent sets and correlation-immune Boolean functions with minimum Hamming weights. We proposed two constructions of minimumweight d-ci Boolean functions, and deduced some quite interesting results. The field is still open and there are many problems deserved to be studied. Acknowledgment The author would like to thank the financial support from the National Natural Science Foundation of China (Grant 61572189). References [1] L. Baumert, S. W. Golomb and M. J. Hall, Discovery of an Hadamard Matrix of Order 92, Bulletin of the American Mathematical Society 68: (1962), 27 28. 12

[2] S. Bhasin, C. Carlet and S. Guilley, Theory of masking with codewords in hardware: low-weight dth-order correlation-immune Boolean functions, IACR Cryptology eprint Archive, Report 201/0, 201. [] C. Carlet, Boolean Functions for Cryptography and Error Correcting Codes, Chapter of the monography Boolean Models and Methods in Mathematics, Computer Science, and Engineering, Cambridge University Press, pp. 257 97, 2010. Available: http://wwwroc.inria.fr/secret/claude.carlet/pubs.html. [] C. Carlet and X. Chen, Constructing low-weight dth-order correlation-immune Boolean functions through the Fourier-Hadamard transform, to appear in IEEE Trans. Inform. Theory. [5] C. Carlet and S. Guilley, Side-channel indistinguishability, Proceedings of HASP 1, 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, 201, pp. 9:1 9:8. [6] T. W. Cusick and P. Stănică, Cryptographic Boolean Functions and Applications (2nd ed.), Elsevier Academic Press, 2017. [7] D. Z. Djokovic, Hadamard matrices of order 76 exist, Combinatorica 28: (2008), 87 89. [8] S. Georgiou, C. Koukouvinos and J. Seberry, Hadamard matrices, orthogonal designs and construction algorithms, Designs 56 (200), 1 205. [9] J. Hadamard, Résolution d une question relative aux déterminants, Bull. Sci. Math. 17 (189), 20 26. [10] H. Kharaghani and B. Tayfeh-Rezaie, A Hadamard matrix of order 28, Journal of Combinatorial Designs 1:6 (2005), 5 0. [11] P. Kocher, Timing attacks on implementations of Diffie-Hellman, R- SA, DSS, and other systems, Advances in Cryptology CRYPTO 96, LNCS 1109, Springer Verlag, 1996, pp. 10 11. [12] P. Kocher, J. Jaffe and B. Jun, Differential power analysis, Advances in Cryptology CRYPTO 99, LNCS 1666, Springer Verlag, 1999, pp. 88 97. [1] S. Mangard, N. Pramstaller and E. Oswald, Successfully attacking masked AES hardware implementations, Cryptographic Hardware 1

and Embedded Systems C CHES 2005, LNCS 659, Springer Verlag, 2005, pp. 157 171. [1] S. Mangard, E. Oswald and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security), Springer-Verlag New York, 2007. [15] B. Mazumdar, D. Mukhopadhyay and I. Sengupta, Constrained Search for a Class of Good Bijective S-Boxes with Improved DPA Resistivity, IEEE Trans. Inform. Forensics and Security 8:12 (201), 215 216. [16] S. Picek, K. Papagiannopoulos, B. Ege, L. Batina and D. Jakobovic, Confused by Confusion: Systematic Evaluation of DPA Resistance of Various S-boxes, Progress in Cryptology INDOCRYPT 201, LNCS 8885, Springer Verlag, 201, pp. 7 90. [17] B. Schmidt, Cyclotomic integers and finite geometry, Journal of the American Mathematical Society 12: (1999), 929 952. [18] T. Siegenthaler, Correlation immunity of Nonlinear Combining Functions for Cryptographic Applications, IEEE Trans. Inform. Theory 0:5 (198), pp. 776 780. [19] E. Trichina, D. D. Seta and L. Germani, Simplified adaptive multiplicative masking for AES, Cryptographic Hardware and Embedded Systems C CHES 2002, LNCS 252, Springer Verlag, 2002, pp. 187 197. [20] J. S. Wallis, On the existence of Hadamard matrices, J. Combinat. Theory A. 21:2 (1976) 188 195. [21] G. Z. Xiao and J. L. Massey, A spectral characterization of correlation-immune combining functions, IEEE Trans. Inform. Theory : (1988), pp. 569 571. 1

A A 12-variable 6-CI Boolean function with the minimum Hamming weight Take m = 9 and S ={(1, 0, 0, 0, 0, 0, 0, 0, 0), (0, 1, 0, 0, 0, 0, 0, 0, 0), (0, 0, 1, 0, 0, 0, 0, 0, 0), (0, 0, 0, 1, 0, 0, 0, 0, 0), (0, 0, 0, 0, 1, 0, 0, 0, 0), (0, 0, 0, 0, 0, 1, 0, 0, 0), (0, 0, 0, 0, 0, 0, 1, 0, 0), (0, 0, 0, 0, 0, 0, 0, 1, 0), (0, 0, 0, 0, 0, 0, 0, 0, 1), (1, 1, 1, 1, 1, 1, 0, 0, 0), (1, 1, 1, 0, 0, 0, 1, 1, 1), (0, 0, 0, 1, 1, 1, 1, 1, 1)}. Clearly, S is a 6-linearly independent set with 12 vectors. We have l 1 = x 1, l 2 = x 2, l = x, l = x, l 5 = x 5, l 6 = x 6, l 7 = x 7, l 8 = x 8, l 9 = x 9, l 10 = x 1 x 2 x x x 5 x 6, l 11 = x 1 x 2 x x 7 x 8 x 9, l 12 = x x 5 x 6 x 7 x 8 x 9. Then a function f B 12 is defined by Construction 2. It is easy to check that f is a 6-CI Boolean function with the minimum Hamming weight 512. 15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback