On values of vectorial Boolean functions and related problems in APN functions

Similar documents
Constructing differential 4-uniform permutations from know ones

CCZ-equivalence and Boolean functions

Quadratic Almost Perfect Nonlinear Functions With Many Terms

Characterizations of the differential uniformity of vectorial functions by the Walsh transform

A matrix approach for constructing quadratic APN functions

Two Notions of Differential Equivalence on Sboxes

Fourier Spectra of Binomial APN Functions

DIFFERENTIAL cryptanalysis is the first statistical attack

Fast Algebraic Immunity of 2 m + 2 & 2 m + 3 variables Majority Function

Differential properties of power functions

Extended Criterion for Absence of Fixed Points

Some Results on the Known Classes of Quadratic APN Functions

A class of quadratic APN binomials inequivalent to power functions

Vectorial Boolean Functions for Cryptography

Decomposing Bent Functions

If a Generalised Butterfly is APN then it Operates on 6 Bits

Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity

Generalized hyper-bent functions over GF(p)

Complete characterization of generalized bent and 2 k -bent Boolean functions

Non-Separable Cryptographic Functions

Statistical and Linear Independence of Binary Random Variables

Quadratic Equations from APN Power Functions

On structural properties of the class of bent functions

Two Notions of Differential Equivalence on Sboxes

Céline Blondeau, Anne Canteaut and Pascale Charpin*

G-Perfect Nonlinear Functions

1-Resilient Boolean Function with Optimal Algebraic Immunity

Statistical Properties of Multiplication mod 2 n

A New Class of Bent Negabent Boolean Functions

Analysis of Some Quasigroup Transformations as Boolean Functions

Constructing new APN functions from known ones

hal , version 1-9 Mar 2011

Dirichlet Product for Boolean Functions

Maiorana McFarland Functions with High Second Order Nonlinearity

On Cryptographic Properties of the Cosets of R(1;m)

Math-Net.Ru All Russian mathematical portal

Constructions of Quadratic Bent Functions in Polynomial Forms

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Hadamard Matrices, d-linearly Independent Sets and Correlation-Immune Boolean Functions with Minimum Hamming Weights

ON POSITIVE, LINEAR AND QUADRATIC BOOLEAN FUNCTIONS

Third-order nonlinearities of some biquadratic monomial Boolean functions

CONSTRUCTING APN FUNCTIONS THROUGH ISOTOPIC SHIFTS

CRYPTOGRAPHIC PROPERTIES OF ADDITION MODULO 2 n

Special Monomial Maps: Examples, Classification, Open Problems

Perfectly Balanced Boolean Functions and Golić Conjecture

arxiv: v2 [cs.cr] 18 Jan 2016

Finding Low Degree Annihilators for a Boolean Function Using Polynomial Algorithms

Some approaches to construct MDS matrices over a finite field

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Linear Cryptanalysis of Reduced-Round PRESENT

Provable Security Against Differential and Linear Cryptanalysis

AES side channel attacks protection using random isomorphisms

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Obstinate filters in residuated lattices

Haar Spectrum of Bent Boolean Functions

The simplest method for constructing APN polynomials EA-inequivalent to power functions

Towards Provable Security of Substitution-Permutation Encryption Networks

Polynomials on F 2. cryptanalysis. Y. Aubry 1 G. McGuire 2 F. Rodier 1. m with good resistance to. 1 IML Marseille 2 University College Dublin

Functions on Finite Fields, Boolean Functions, and S-Boxes

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Provable Security Against Differential and Linear Cryptanalysis

Lecture 8: Equivalence Relations

Improved S-Box Construction from Binomial Power Functions

Constructing hyper-bent functions from Boolean functions with the Walsh spectrum taking the same value twice

On the exponents of APN power functions and Sidon sets, sum-free sets, and Dickson polynomials

Constructing Vectorial Boolean Functions with High Algebraic Immunity Based on Group Decomposition

Automorphism group of the set of all bent functions

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

The Analysis of affinely Equivalent Boolean Functions

On Boolean functions which are bent and negabent

Generalized Correlation Analysis of Vectorial Boolean Functions

On the Existence and Constructions of Vectorial Boolean Bent Functions

Affine equivalence in the AES round function

arxiv: v1 [cs.it] 12 Jun 2016

Groups with Few Normalizer Subgroups

Algebraic nonlinearity and its applications to cryptography

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

A Conjecture on Binary String and Its Applications on Constructing Boolean Functions of Optimal Algebraic Immunity

Differentially uniform mappings for cryptography

BENT POLYNOMIALS OVER FINITE FIELDS

Minimal enumerations of subsets of a nite set and the middle level problem

New polynomials for strong algebraic manipulation detection codes 1

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

Mathematical Structures Combinations and Permutations

Statistical and Algebraic Properties of DES

Balanced Boolean Functions with (Almost) Optimal Algebraic Immunity and Very High Nonlinearity

Constructions of Resilient S-Boxes with Strictly Almost Optimal Nonlinearity Through Disjoint Linear Codes

Maiorana-McFarland class: Degree optimization and algebraic properties

hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies

A NEW ALGORITHM TO CONSTRUCT S-BOXES WITH HIGH DIFFUSION

New Construction of Single Cycle T-function Families

COUNT AND CRYPTOGRAPHIC PROPERTIES OF GENERALIZED SYMMETRIC BOOLEAN FUNCTIONS

On non-tabular m-pre-complete classes of formulas in the propositional provability logic

Extension of continuous functions in digital spaces with the Khalimsky topology

On the Permutation Products of Manifolds

functions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**

Optimal Ternary Cyclic Codes From Monomials

Construction of Lightweight S-Boxes using Feistel and MISTY structures (Full Version )

Reachability relations and the structure of transitive digraphs

Transcription:

On values of vectorial Boolean functions and related problems in APN functions George Shushuev Sobolev Institute of Mathematics, Novosibirsk, Russia Novosibirsk State University, Novosibirsk, Russia E-mail: shushuev@math.nsc.ru Abstract. In this paper we prove that there are only differential 4-uniform functions which are on distance 1 from an APN function. Also we prove that there are no APN functions of distance 1 from another APN functions up to dimension 5. We determine some properties of the set of values of an arbitrary vectorial Boolean function from F n 2 to F n 2 in connection to the set of values of its derivatives. These results are connected to several open question concerning metric properties of APN functions. Keywords: Vectorial Boolean function, APN function, differentially δ-uniform function. 1 Introduction In this paper we deal with vectorial Boolean functions F : F n 2 Fn 2 that are also known as substitution boxes. Substitution boxes play a central role in the robustness of block ciphers in symmetric cryptography. The notion of differentially δ-uniform functions was introduced by K. Nyberg [1] in 1994. A vectorial Boolean function F : F n 2 Fn 2 is called differentially δ-uniform if for any nonzero a F n 2 and for any b Fn 2 the equation F (x) F (x a) = b has at most δ solutions, where δ is a positive integer. An order of differential uniformity of a function F is the minimal possible δ such that F is differential δ-uniform. The fewer the order of differential uniformity of substitution box that using in a cipher, the better the resistance of this cipher to differential attack [2]. The minimal possible value of δ is two. If δ = 2, then a differentially δ-uniform function is called almost perfect nonlinear (APN) function. Classification of APN functions up to dimension five is given in [3], constructions of APN and differentially 4-uniform functions are presented in [4, 5]. Surveys of cryptographic functions can be found in [6, 7, 8]. In [9, 10] we studied distance between distinct APN functions. In this paper we prove that there are only differential 4-uniform functions which are on distance 1 from an APN function and experimentally prove that the minimal distance between distinct APN functions up to dimestion 5 is equal to 2. Also we determine some properties of the set of values of an arbitrary vectorial Boolean function from F n 2 to Fn 2 in connection to the set of values of its derivatives. The obtained results will help us with respect to metrical properties of the class of APN functions. The author was supported by the Russian Foundation for Basic Research (project no. 15-31-20635). 1

2 Preliminaries For a vectorial Boolean function F and for any vector a F n 2 it is defined the set B a (F ) = {F (x) F (x a) x F n 2 }. The maximal possible cardinality of the set B a (F ) is equal to 2 n 1. In particular, if it holds B a (F ) = 2 n 1 for any non-zero vector a, then the function F is an APN function, but if it holds B a (F ) = 2 n 1 1 then the function F is a differential 4-uniformity function. Let the sum of a vector x F n 2 and a set A Fn 2 be the shift of the set A: x A = {x a a A}. Let the sum of two sets A F n 2 and B Fn 2 be the set of all pairwise sums of elements of these sets, A B = {a b a A, b B}. The set of all values of a vectorial Boolean function F : F n 2 Fn 2 is the image of the function F. Denote the image of a function F by im(f ). A distance between vectorial Boolean functions F and G is called cardinality of the set {x F n 2 F (x) G(x)}. 3 Vectorial Boolean functions on distance 1 from an APN function Statement 1. Let F be APN function of n variables, then on distance one from F there are only differential 4-uniform functions. Proof. Let F is APN function. So for all non-zero vector a F n 2 we have B a(f ) = 2 n 1. Consider the function G which coincide with F in each vectors except one x F n 2. Let B a (G) = {G(x) G(x a) x F n 2 \{x, x a}}. For all non-zero vector a F n 2 the set B a(f ) coincide with B a (G) and we have the equation B a (G) = 2 n 1 1. Note that B a (G) = B a (G) {G(x ) G(x a)}. Then for all values G(x ) (including one non equal to F (x )) and for all non-zero vector a F n 2 we have B a(g) B a (G) = 2 n 1 1, i. e. function G is differentially 4-uniform. Since APN functions are differentially 4-uniform then statement 1 does not exclude the possibility of existence of APN functions on distance one from each other. An exception of this is equal to the fact that all functions distanced one from an APN function possess differentially uniformity of order 4. We consider hypothesis that means that unite of shifted derivatives of an APN function coincides with the whole space F n 2. Further we will prove that this hypothesis is equivalent to the fact that there is no APN functions on distance 1 from any APN function. Hypothesis 1. If F is APN function in n variables, then the following expression is true: a F n 2,a 0 (B a (F ) F (x a)) = F n 2 x F n 2. (1) 2

Theorem 1. The hypothesis 1 is true if and only if there are only functions with differential uniformity of order 4 on distance one from APN functions. Proof. Let a function F is an APN function. According to the statement 1 a function G coinciding with F in each vectors but one x F n 2 is differentially 4-uniform. We shall show that if the hypothesis 1 is true, then for any arbitrary value of the function G on the vector x, which is not equal to F (x ), function G is of differential uniformity order equals 4. A necessary and sufficient conduction for this to be true is existence of a vector a F n 2 for which the equality B a (G) = B a (G) is true. This requires that there is a sum G(x ) G(x a) belonging to the set B a (G). Let G(x ) = v. So the theorem is true if and only if the next statement is true: x F n 2 v F n 2 \{F (x )} a F n 2 \{0} : v G(x a) B a (G). Note that B a (F ) is equal to B a (G) {F (x ) F (x a)} and for any vector v other than F (x ) the sum v G(x a) belongs B a (G) if and only if v F (x a) belongs to B a (F ). So we shall prove the next expression: x F n 2 v F n 2 \{F (x )} a F n 2 \{0} : v F (x a) B a (F ). Since F (x ) F (x a) belongs to the set B a (F ) by the definition, then the expression above is always true for any vector v equals to F (x ). So we can represent the statement to prove as follows: x F n 2 v F n 2 a F n 2 \{0} : v F (x a) B a (F ). Let us express the vector v x F n 2 v F n 2 a F n 2 \{0} : v B a (F ) F (x a). Now we obviously have that the statement to prove is represented in a convenient way: a F n 2,a 0 (B a (F ) F (x a)) = F n 2 x F n 2. So there is only function with differential uniformity of order 4 on distance 1 from APN functions if and only if hypothesis 1 is true. As the corollary the hypothesis 1 is true if and only if there is no APN functions on distance 1 from an APN function. Note that there are APN functions on distance 2 from an APN function. For instance functions F = (0, 0, 1, 2, 1, 4, 2, 4) and G = (0, 0, 1, 2, 1, 4, 4, 2) differ in the two last vectors and both are APN functions. Finally note that there are not only APN functions correspond to expression (1). For instance function H = (0, 1, 15, 0, 12, 2, 4, 6, 6, 4, 6, 3, 8, 12, 11, 1) is function with differential uniformity of order 4 and (1) is true for H. 4 Distance between APN functions of small dimensions Statement 1. If vectorial Boolean functions F and G are EA-equivalent and (1) is true for F then (1) is true for G. 3

Proof. We shall prove that if functions F and G are EA-equivalent then function G = A 1 F A 2 A satisfies the equation (1) if and only if F satisfies the equation (1). It is known that Let consider B a (G) = A 1 (B A2 (a) A 2 (0)(F )) A 1 (0) A(a) A(0). G(x a) = A 1 (F (A 2 (x a)) A(x a)) = A 1 (F (A 2 (x ) A 2 (a) A 2 (0)) A(x ) A(a) A(0))). Summing and reducing like terms we obtain B a (G) G(x a) = A 1 (B A2 (a) A 2 (0)(F ) F (A 2 (x ) A 2 (a) A 2 (0)) A 1 (0) A(x ) = A 1 (B b (F ) F (y b)) const. Remark that since A 2 is a permutation we have y = A 2 (x ) and b = A 2 (a) A 2 (0) take any value from F n 2 if x and a take any value from F n 2. Also we see that b is equal to zero if and only if a is equal to zero. Since A 1 is a permutation we see that for any y of the set F n 2 we have (B b (G) F (y b)) = (A 1 (B b (F ) F (y b)) const) = b F n 2,b 0 b F n 2,b 0 const (A 1 (B b (F ) F (y b))) = F n 2. b F n 2,b 0 Since by [3] classes of EA-equivalence of APN functions that cover all APN functions up to dimension 5 and classes of EA-equivalence that cover all quadratic APN functions in dimension 6 are known, we experimentally obtain the next statement by checking representatives of corresponding EA-equivalence classes: Statement 2. Hypothesis 1 is true for APN functions up to dimension 5, for all quadratic APN functions of dimension 6 and some EA-equivalence classes of APN functions in dimension 7 and 8 from the article [5]. As the corollary there are no APN functions on distance 1 from an another APN function up to dimension 5. 5 Sum of vectorial Boolean function s values In this section we determine requirements for an image of vectorial Boolean function which it should requires to the set of all derivatives coincides with the whole space F n 2. Lemma 1. Let A, B F n 2, A 2n 1 and B 2 n 1 + 1. Then A B = F n 2. Proof. Since A 2 n 1, for all x F n 2 it holds x A 2n 1. Suppose (x A) B =. Hence x A F n 2 \B but Fn 2 \B 2n 1 1. We obtain a contradiction, therefore for any x F n 2 it holds that (x A) B hence for any x F n 2 there exist a A, b B such that x a = b, in other words, x = a b. 4

Theorem 2. Let F : F n 2 Fn 2 be a vectorial Boolean function, 1. If 2 n 1 < im(f ) < 2 n, then B a (F ) = F n 2. a F n 2,a 0 2. If im(f ) = 2 n, i.e. F is one-to-one function, then a F n 2,a 0 B a (F ) = F n 2 \{0}. Proof. Let a F n 2,a 0 B a (F ) = M. Firstly prove that it holds the equality a F n B a(f ) = F n 2 2 and then consider the union without B 0 (F ). By the definition, M B 0 (F ) = B a (F ) = {F (x) F (x a)}. a F n 2 x,a F n 2 Since the union over all x, a F n 2 is considered, then for every x sum x a can take any value from F n 2 and that is why this union is equal to the sum of function s images, and by the Lemma is equal to F n 2 : {F (x) F (x a)} = im(f ) im(f ) = F n 2. x,a F n 2 Now we remove B 0 (F ) from the union. We can do it because B 0 (F ) = F (x) F (x 0) is zero for all x. The set M does not contain zero if and only if for any x, a F n 2 such that a is not equal to zero, it follows that F (x) F (x a), which is equivalent that F is a one-to-one function. From the other hand, if F is not one-to-one function then for any x F n 2 there exists non-zero vector a F n 2 such that F (x) = F (x a) and zero is contained in M. The following example shows us that the condition on cardinality of function s image cannot be reduced. There is a function F such that im(f ) = 2 n 1 and a F n 2,a 0 B a(f ) F n 2. For example APN function F : F 3 2 F3 2 given by the following vector of values (0, 0, 1, 2, 1, 4, 2, 4). In this case im(f ) = 2 2 and B a (F ) = F n 2 \{7}. a F n 2,a 0 References [1] Nyberg K., Differentially uniform mapping for cryptography // EUROCRYPT 93. 1994 P. 55 64. [2] Biham E., Shamir A., Differential cryptoanalysis of DES-like cryptosystems // J. Cryptology, 1991, 4 P. 3 72. [3] Brinkmann M., Leander G., On the classification of APN functions up to dimension five // Designs, Codes and Cryptography., 2008, V. 49 P. 273 288. 5

[4] Carlet C., More constructions of APN and differentially 4-uniform functions by concatenation // Sci. China Math., 2013, V. 56(7) P. 1373 1384. [5] Yu Y., Wang M., Li Y., A matrix approach for constructing quadratic APN functions // Des. Codes Cryptogr., 2014, V. 73 P. 587 600. [6] Glukhov M. M., Planar mappings of finite fields and their generalizations // Presentation for the conference Algebra and Logic: theory and applications, (Krasnoyarsk, Russia. July 21 27, 2013) in Russian. [7] Budaghyan L., Construction and Analysis of Cryptographic Functions: Habilitation Thesis. // University of Paris 8. Sept. 2013. 192 pages. [8] Carlet C., Vectorial Boolean functions for cryptography // Boolean Models and Methods in Mathematics, Computer Science, and Engineering / Eds. P. Hammer, Y. Crama. Cambridge Univ. Press, 2010. Chapter 9. P. 398 472. [9] Shushuev G.I., Vectorial Boolean functions on distance one from APN functions // Prikl. Diskr. Mat. Suppl., 2014, 7. P. 36 37. [10] Shushuev G.I., On properties of the set of values of an arbitrary vectorial Boolean functions // Prikl. Diskr. Mat. Suppl., 2015, 8. P. 51 53. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback