Accepted Manuscript

Constructions of balanced odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and high nonlinearity

Lei Sun, Fang-Wei Fu

PII: S0304-3975(18)30278-0
DOI: https://doi.org/10.1016/j.tcs.2018.04.040
Reference: TCS 11570

To appear in: Theoretical Computer Science

Received date: 4 November 2016
Revised date: 28 February 2018
Accepted date: 18 April 2018

Please cite this article in press as: L. Sun, F.-W. Fu, Constructions of balanced odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and high nonlinearity, Theoret. Comput. Sci. (2018), https://doi.org/10.1016/j.tcs.2018.04.040
Highlights

• We propose a new class of rotation symmetric Boolean functions (RSBFs) having almost all of the main cryptographic properties: balancedness, high algebraic degree, optimal algebraic immunity, high nonlinearity.
• The nonlinearity of the proposed RSBFs is much higher than that of all the previously obtained RSBFs with optimal algebraic immunity.
• The proposed RSBFs have good behavior against fast algebraic attacks, at least for small numbers of input variables.
Constructions of balanced odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and high nonlinearity

Lei Sun (a), Fang-Wei Fu (b)

(a) College of Information Technology, Hebei University of Economics and Business, Shijiazhuang, 050061, P. R. China
(b) Chern Institute of Mathematics, Nankai University, Tianjin, 300071, P. R. China
Abstract

Rotation symmetric Boolean functions have been used as components of different cryptosystems. In this paper, two classes of balanced rotation symmetric Boolean functions having optimal algebraic immunity on an odd number of variables are constructed. We give a lower bound on the algebraic degree of the first class of functions, and prove that the $n$-variable functions in the second class have optimal algebraic degree if $n \neq 2^m + 1$ for $m > 2$. Moreover, it is shown that both classes of functions have much better nonlinearity than all the previously obtained rotation symmetric Boolean functions with optimal algebraic immunity, and have good behavior against fast algebraic attacks, at least for small numbers of input variables.

Keywords: Rotation symmetric Boolean function; Algebraic immunity; Nonlinearity; Algebraic degree; Fast algebraic attack
Preprint submitted to Elsevier, April 20, 2018

1. Introduction

In the design of cryptographically significant Boolean functions, many requirements have to be fulfilled, such as balancedness, high nonlinearity and high algebraic degree. To resist algebraic attacks [6, 7], algebraic immunity, a new cryptographic criterion for designing Boolean functions, has been introduced [8, 18]. As shown in [18], the algebraic immunity of an $n$-variable Boolean function is bounded by $\lceil n/2 \rceil$. If the bound is achieved, we say the Boolean function has optimal algebraic immunity. Up until now, many classes of Boolean functions with optimal algebraic immunity have been obtained [2, 3, 10, 19].

Rotation symmetric Boolean functions are invariant under the action of the cyclic group. The appeal of these functions for cryptography arises from the fact that their special structure allows much faster computation, and from the fact that the set of all such functions is much smaller than the set of all Boolean functions, so a search for functions with useful cryptographic properties can be carried out relatively quickly. For these reasons, rotation symmetric Boolean functions with important cryptographic properties have been investigated extensively, such as bent rotation symmetric Boolean functions [4, 14], resilient rotation symmetric Boolean functions [11, 12], etc. In particular, many rotation symmetric Boolean functions having optimal algebraic immunity have been obtained [13, 20, 21]. In 2007, Sarkar et al. [20] constructed odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and nonlinearity $2^{n-1} - \binom{n-1}{(n-1)/2} + 2$. In 2014, Su et al. [21] presented new kinds of constructions of rotation symmetric Boolean functions having optimal algebraic immunity with nonlinearity $2^{n-1} - \binom{n-1}{(n-1)/2} + 2^{(n-1)/2} - 2$ for odd $n$. In 2016, Fu et al. [13] provided a construction of odd-variable rotation symmetric Boolean functions with optimal algebraic immunity, whose nonlinearity is $2^{n-1} - \binom{n-1}{(n-1)/2} + 2^{(n-1)/2} + 2^{(n-5)/2} - \frac{n-1}{2}$. In this paper, with the knowledge of compositions of an integer, we provide two new classes of balanced odd-variable rotation symmetric Boolean functions with optimal algebraic immunity and higher nonlinearity than all the previously obtained rotation symmetric Boolean functions with optimal algebraic immunity. In addition, the algebraic degree and the immunity to fast algebraic attacks of the two classes of functions are also analyzed.

The rest of this paper is organized as follows. Section 2 briefly reviews some basic definitions and notions on Boolean functions and rotation symmetric Boolean functions. Sections 3 and 4 propose two classes of rotation symmetric Boolean functions with optimal algebraic immunity and other cryptographic properties. This paper is concluded in Section 5.

2. Preliminaries

Let $\mathbb{F}_2$ be the binary finite field. The vector space of dimension $n$ over $\mathbb{F}_2$ is denoted by $\mathbb{F}_2^n$. An $n$-variable Boolean function can be viewed as a mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$, and can be defined by its truth table:
$$f = [f(0,0,\dots,0),\ f(1,0,\dots,0),\ \dots,\ f(1,1,\dots,1)].$$
The Hamming weight of $f$ is the number of ones in its truth table, and is denoted by $wt(f)$. The Hamming distance between two Boolean functions $f$ and $g$ is defined as $d(f,g) = wt(f+g)$. An $n$-variable Boolean function is balanced if $wt(f) = 2^{n-1}$. The set of all $n$-variable Boolean functions is denoted by $\mathcal{B}_n$. Given a vector $\alpha = (a_1, a_2, \dots, a_n) \in \mathbb{F}_2^n$, we define its support $supp(\alpha) = \{1 \le i \le n \mid a_i = 1\}$ and its Hamming weight $wt(\alpha) = |supp(\alpha)|$. For any vector $\beta = (b_1, b_2, \dots, b_n) \in \mathbb{F}_2^n$, $\alpha$ is said to be covered by $\beta$ if $a_i \le b_i$ for all $1 \le i \le n$, i.e., $supp(\alpha) \subseteq supp(\beta)$, abbreviated as $\alpha \preceq \beta$. An $n$-variable Boolean function $f(x_1, x_2, \dots, x_n)$ can be seen as a multivariate polynomial over $\mathbb{F}_2$, that is
$$f(x_1, \dots, x_n) = \sum_{I \subseteq \{1, 2, \dots, n\}} a_I \prod_{i \in I} x_i,$$
where $a_I \in \mathbb{F}_2$. This representation of $f$ is called the algebraic normal form (ANF). The maximum cardinality of $I$ with $a_I \neq 0$ is called the algebraic degree, or simply the degree, of $f$ and is denoted by $\deg(f)$. A Boolean function with degree at most one is called an affine function.

Definition 1. The Walsh transform of an $n$-variable Boolean function $f(x)$ is a real-valued function defined as
$$W_f(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + w \cdot x}, \quad w \in \mathbb{F}_2^n, \qquad (1)$$
where the dot product of vectors $x$ and $w$ is defined as $w \cdot x = x_1 w_1 + \dots + x_n w_n$. The nonlinearity of an $n$-variable Boolean function $f$ is the minimum Hamming distance between $f$ and the set of all $n$-variable affine functions, which can be expressed as
$$nl(f) = 2^{n-1} - \frac{1}{2} \max_{w \in \mathbb{F}_2^n} |W_f(w)|.$$
For two nonzero $n$-variable Boolean functions $f$ and $g$, $g$ is called an annihilator of $f$ if $fg = 0$. The set of all annihilators of $f$ is denoted by $Ann(f) = \{g \in \mathcal{B}_n \mid fg = 0\}$.

Definition 2. [7] For an $f \in \mathcal{B}_n$, the algebraic immunity (AI) of $f$ is the lowest degree of nonzero functions $g$ such that $fg = 0$ or $(f+1)g = 0$. Namely,
$$AI(f) = \min\{\deg(g) \mid 0 \neq g \in Ann(f) \cup Ann(f+1)\}.$$
It is known [18] that $AI(f) \le \lceil n/2 \rceil$. If $AI(f) = \lceil n/2 \rceil$, then the Boolean function $f$ is said to have optimal AI. The simplest function having optimal AI is the so-called majority function [9]
$$F(x) = \begin{cases} 1, & \text{if } wt(x) \ge \lceil n/2 \rceil, \\ 0, & \text{else.} \end{cases}$$
Having a high algebraic immunity is not sufficient for resisting the fast algebraic attacks introduced in [7]. If a function $g$ of low algebraic degree and a function $h \neq 0$ of reasonable degree such that $fg = h$ can be found, then the fast algebraic attack is feasible [7, 15]. An $n$-variable function $f$ is optimal with respect to the fast algebraic attack if there do not exist two nonzero functions $g$ and $h$ such that $fg = h$ and $\deg(g) + \deg(h) < n$ with $\deg(g) < n/2$. For quantifying the resistance of a Boolean function to fast algebraic attacks, the definition of the fast algebraic immunity, denoted by $FAI(f)$, has been given in [17].

Definition 3. The fast algebraic immunity of a function $f \in \mathcal{B}_n$ is the number
$$FAI(f) = \min\big(2AI(f),\ \min\{\deg(g) + \deg(fg) \mid 1 \le \deg(g) < AI(f)\}\big).$$
If $f$ has fast algebraic immunity $n$, then we say that $f$ has optimal fast algebraic immunity.

Let $x = (x_1, x_2, \dots, x_n) \in \mathbb{F}_2^n$. For any $0 \le l \le n-1$, define
$$\rho_n^l(x_i) = \begin{cases} x_{i+l}, & \text{if } i + l \le n, \\ x_{i+l-n}, & \text{if } i + l > n. \end{cases}$$
We extend the definition of $\rho$ to tuples by $\rho_n^l(x_1, \dots, x_n) = (\rho_n^l(x_1), \dots, \rho_n^l(x_n))$.

Definition 4. For an $f \in \mathcal{B}_n$, if $f(\rho_n^l(x_1, \dots, x_n)) = f(x_1, \dots, x_n)$ holds for $0 \le l \le n-1$ and $(x_1, x_2, \dots, x_n) \in \mathbb{F}_2^n$, then $f$ is called a rotation symmetric Boolean function (RSBF).

Let $G_n(x_1, \dots, x_n) = \{\rho_n^l(x_1, \dots, x_n) \mid 0 \le l \le n-1\}$, that is, the circle generated by $(x_1, \dots, x_n)$ under the action of $\rho_n^l$. If $|G_n(x_1, \dots, x_n)| = n$, we say $G_n(x_1, \dots, x_n)$ is a long circle, and if $|G_n(x_1, \dots, x_n)| < n$, we call it a short circle. It is clear that $G_n$ generates a partition of $\mathbb{F}_2^n$ with cardinality $g_n$, where
$$g_n = \frac{1}{n} \sum_{t \mid n} \varphi(t)\, 2^{n/t},$$
with $\varphi(t)$ being Euler's phi-function. For $(x_1, \dots, x_n) \in \mathbb{F}_2^n$, a Boolean function $f(x)$ is rotation symmetric if it takes the same value for all elements in $G_n(x_1, \dots, x_n)$, and then there are $2^{g_n}$ $n$-variable RSBFs.

3. RSBFs with optimal AI

First, we review some results on the enumeration of the number of compositions of an integer, which are the basis of our new constructions of RSBFs. We know that a composition of $k$ is a sequence of positive integers $(k_1, k_2, \dots, k_m)$ with $k_1 + k_2 + \dots + k_m = k$, where the order is considered. Each $k_i$ is called a part. It is well known [16] that the number of compositions of $n$ with exactly $m$ parts is $\binom{n-1}{m-1}$. For given $k$ and $m$, an important question is to determine $p_m(k)$, the number of compositions satisfying the following conditions:
• $a_1 + a_2 + \dots + a_m = k$,
• $a_1 \le a_2 \le \dots \le a_{m-1} \le a_m$.
Fortunately, $p_m(k)$ can be calculated by the recursion formula [16]
$$p_m(k) = p_{m-1}(k-1) + p_m(k-m)$$
with $p_1(k) = p_k(k) = 1$.

3.1. Construction

For simplicity, for $0 \le j \le n$, denote $W^j = \{w \in \mathbb{F}_2^n \mid wt(w) = j\}$, $W^{>j} = \{w \in \mathbb{F}_2^n \mid wt(w) > j\}$, $W$
Let $I_k = \{4, 5, \dots, k-2, k-1, k+1\}$. For $h \in I_k$ and $2 \le m \le h-2$, we define a subset $S_{h,m} \subseteq W^{k+1}$ as
$$S_{h,m} = \{(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}, \underbrace{1,0,\dots,1,0}_{2(k+1-h)}) \mid k_1, k_m \ge 2,\ k_2, \dots, k_{m-1} \ge 1,\ d_m > d_{m-1} \ge d_{m-2} \ge \dots \ge d_2 \ge d_1 \ge 1\},$$
where $k_1 + k_2 + \dots + k_m = h$ and $d_1 + d_2 + \dots + d_m = h-1$. Note that $S_{h,m}$ admits two classes of compositions: compositions of $h-1$ with $m$ parts and compositions of $h$ with $m$ parts, denoted by $C_{h,m}^0$ and $C_{h,m}^1$ respectively:
$$C_{h,m}^0 = \{(d_1, d_2, \dots, d_m) \mid d_m > d_{m-1} \ge \dots \ge d_1 \ge 1,\ d_1 + \dots + d_m = h-1\},$$
$$C_{h,m}^1 = \{(k_1, k_2, \dots, k_m) \mid k_1, k_m \ge 2,\ k_2, \dots, k_{m-1} \ge 1,\ k_1 + \dots + k_m = h\}.$$
Then $|C_{h,m}^0| = p_m(h-2)$ and $|C_{h,m}^1| = \binom{h-3}{m-1}$. It follows that
$$|S_{h,m}| = |C_{h,m}^0| \cdot |C_{h,m}^1| = p_m(h-2)\binom{h-3}{m-1}.$$
Further, for $h \in I_k$, denote $S_h = \bigcup_{2 \le m \le h-2} S_{h,m}$; then $|S_h| = \sum_{m=2}^{h-2} p_m(h-2)\binom{h-3}{m-1}$. For convenience, from now on we set $U_h = S_h$ for $4 \le h \le k-1$, and set $U_k = S_{k+1}$. List the vectors in $U_h$ according to the lexicographic order as $U_h = \{u_{h1}, u_{h2}, \dots, u_{h|U_h|}\}$. Now, for $4 \le h \le k$ we define another subset $T_h \subseteq W^h$ as
$$T_h = \begin{cases} \{\alpha_{hi} = u_{hi} + (0, 0, \dots, \underbrace{1, 0, \dots, 1, 0}_{2(k+1-h)}) \mid u_{hi} \in U_h\}, & h \le k-1, \\ \{\alpha_{hi} = u_{hi} + (0, 1, 0, \dots, 0, 0, 0, 0) \mid u_{hi} \in U_h\}, & h = k. \end{cases}$$
Let $T = \bigcup_{4 \le h \le k} T_h$ and $U = \bigcup_{4 \le h \le k} U_h$. Then $|T| = |U|$. As $|T|$ and $|U|$ are functions of $k$, we set $L_k = |T|$ for convenience. Hence, we have
$$L_k = \sum_{h=4}^{k-1} \sum_{m=2}^{h-2} p_m(h-2)\binom{h-3}{m-1} + \sum_{m=2}^{k-1} p_m(k-1)\binom{k-2}{m-1}.$$
List the vectors in $U$ and $T$ as $U = \{u_{41}, u_{51}, \dots, u_{57}, \dots, \dots, u_{k1}, \dots, u_{k|U_k|}\}$, $T = \{\alpha_{41}, \alpha_{51}, \dots, \alpha_{57}, \dots, \dots, \alpha_{k1}, \dots, \alpha_{k|U_k|}\}$, and for convenience denote $U = \{u_1, u_2, \dots, u_{L_k}\}$, $T = \{\alpha_1, \alpha_2, \dots, \alpha_{L_k}\}$. Given a vector $x = (x_1, x_2, \dots, x_n) \in \mathbb{F}_2^n$, define $(x)_i^j = (x_i, \dots, x_j)$ where $1 \le i \le j \le n$. The following results hold for $T$ and $U$.
Lemma 1. For $4 \le h, h' \le k$, $1 \le s, t \le |T_h|$, $1 \le r \le |T_{h'}|$, $\alpha_{hs}, \alpha_{ht} \in T_h$, $u_{hs}, u_{ht} \in U_h$, $\alpha_{h'r} \in T_{h'}$, $u_{h'r} \in U_{h'}$, we have
1. $\rho_n^l(\alpha_{hs}) \preceq \rho_n^l(u_{hs})$ for $0 \le l \le n-1$.
2. $\rho_n^l(\alpha_{hs}) \neq \alpha_{hs}$ and $\rho_n^l(u_{hs}) \neq u_{hs}$ for $1 \le l \le n-1$.
3. $\alpha_{hs} \not\preceq \rho_n^l(u_{hs})$ for $1 \le l \le n-1$.
4. $\alpha_{hs} \not\preceq \rho_n^l(u_{ht})$ for $s > t$, $0 \le l \le n-1$; $\alpha_{hs} \not\preceq \rho_n^l(u_{h'r})$ for $h' < h$, $0 \le l \le n-1$.
Proof. Suppose $\alpha_{hs} \in T_{h,m}$; then
$$\alpha_{hs} = (\underbrace{1, a, 1, \dots, 1}_{k_1}, \underbrace{0, \dots, 0}_{d_1}, \dots, \underbrace{1, \dots, 1}_{k_m}, \underbrace{0, \dots, 0}_{d_m}, \underbrace{0, 0, \dots, 0, 0}_{2(k+1-h)}),$$
where $a = 0$ for $h = k+1$ and $a = 1$ for $4 \le h \le k-1$. Let $d = k_1 + \dots + k_{m-1} + k_m + d_1 + \dots + d_{m-1}$.

1. This holds obviously by the definitions of $T_h$ and $U_h$.

2. For $4 \le h \le k$, $\rho_n^l(u_{hs}) \neq u_{hs}$ holds for $1 \le l \le n-1$ since
$$(\rho_n^l(u_{hs}))_{d+1}^n \neq (\underbrace{0, 0, \dots, 0}_{d_m + 2(k+1-h)}) = (u_{hs})_{d+1}^n.$$
For $1 \le l \le n-1$, $\rho_n^l(\alpha_{hs}) \neq \alpha_{hs}$ can be proved similarly.

3. When $4 \le h \le k-1$, we have $(\alpha_{hs})_1^2 = (1, 1) \neq (\rho_n^j(u_{hs}))_1^2$ for $1 \le j \le n-d$, and $(\rho_n^j(u_{hs}))_{i+1}^{i+d_m} = (\underbrace{0, \dots, 0}_{d_m}) \neq (\alpha_{hs})_{i+1}^{i+d_m}$ for $n-d+1 \le j \le n-1$, $i = j - (n-d)$. Therefore, $\alpha_{hs} \not\preceq \rho_n^l(u_{hs})$ holds for all $1 \le l \le n-1$. Similarly, $\alpha_{ks} \not\preceq \rho_n^l(u_{ks})$ for $1 \le l \le n-1$ can be proved.

4. Suppose $\alpha_{h'r} \in T_{h',m'}$ and $\alpha_{h'r} \preceq \rho_n^l(u_{hs})$ for $h' \le h \le k-1$ with some $0 \le l \le n-1$. Let
$$\alpha_{h'r} = (\underbrace{1, \dots, 1}_{k'_1}, \underbrace{0, \dots, 0}_{d'_1}, \dots, \underbrace{1, \dots, 1}_{k'_{m'}}, \underbrace{0, \dots, 0}_{d'_{m'}}, \underbrace{0, 0, \dots, 0, 0}_{2(k+1-h')}),$$
$$\rho_n^l(u_{hs}) = (\underbrace{1, \dots, 1}_{k_{i+1} - \Delta}, \underbrace{0, \dots, 0}_{d_{i+1}}, \dots, \underbrace{1, \dots, 1}_{k_m}, \underbrace{0, \dots, 0}_{d_m}, \underbrace{1, 0, \dots, 1, 0}_{2(k+1-h)}, \underbrace{1, \dots, 1}_{k_1}, \dots, \underbrace{1, \dots, 1}_{k_i}, \underbrace{0, \dots, 0}_{d_i}, \underbrace{1, \dots, 1}_{\Delta}),$$
where $i \ge 0$. Since $k_m \ge 2$, we have $k'_1 + d'_1 + \dots + k'_{m'} \le k_{i+1} - \Delta + d_{i+1} + \dots + k_m$; this implies that $h' = k'_1 + k'_2 + \dots + k'_{m'} \le k_{i+1} - \Delta + \dots + k_m \le h$. Hence, we have $h' = h$ and $l = 0$. It follows that $\alpha_{h'r} = \alpha_{hs}$, which is impossible.

The case of $h = k$ can be proved similarly. We obtain the desired result.
Denote by
$$\tilde{T} = \{\rho_n^0(\alpha_1), \dots, \rho_n^{n-1}(\alpha_1), \dots, \rho_n^0(\alpha_{L_k}), \dots, \rho_n^{n-1}(\alpha_{L_k})\},$$
$$\tilde{U} = \{\rho_n^0(u_1), \dots, \rho_n^{n-1}(u_1), \dots, \rho_n^0(u_{L_k}), \dots, \rho_n^{n-1}(u_{L_k})\}. \qquad (2)$$
It follows from Lemma 1 that $|G_n(\alpha_i)| = |G_n(u_i)| = n$ and $|\tilde{T}| = |\tilde{U}| = nL_k$. Define
$$f(x) = \begin{cases} F(x) + 1, & x \in \tilde{T} \cup \tilde{U}, \\ F(x), & \text{otherwise,} \end{cases} \qquad (3)$$
where $F(x)$ is the $n$-variable majority function. Then $f(x)$ is a balanced $n$-variable RSBF.

Example 1. For $k = 5$, we have
$U_4 = \{(1,1,0,1,1,0,0,1,0,1,0)\}$,
$U_5 = \{(1,1,0,1,1,1,1,0,0,0,0),\ (1,1,1,0,1,1,1,0,0,0,0),\ (1,1,0,0,1,1,1,1,0,0,0),\ (1,1,1,0,0,1,1,1,0,0,0),\ (1,1,0,1,0,1,1,1,0,0,0),\ (1,1,0,1,1,0,1,1,0,0,0),\ (1,1,1,0,1,0,1,1,0,0,0)\}$.
Then
$T_4 = \{(1,1,0,1,1,0,0,0,0,0,0)\}$,
$T_5 = \{(1,0,0,1,1,1,1,0,0,0,0),\ (1,0,1,0,1,1,1,0,0,0,0),\ (1,0,0,0,1,1,1,1,0,0,0),\ (1,0,1,0,0,1,1,1,0,0,0),\ (1,0,0,1,0,1,1,1,0,0,0),\ (1,0,0,1,1,0,1,1,0,0,0),\ (1,0,1,0,1,0,1,1,0,0,0)\}$.
Denote $T = T_4 \cup T_5$ and $U = U_4 \cup U_5$. Note that $|G_n(\alpha)| = 11$ for any $\alpha \in T \cup U$. Denote $\tilde{T} = \bigcup_{\alpha \in T} G_n(\alpha)$ and $\tilde{U} = \bigcup_{\alpha \in U} G_n(\alpha)$. Let $F(x)$ be the 11-variable majority function; then
$$f(x) = \begin{cases} F(x) + 1, & x \in \tilde{T} \cup \tilde{U}, \\ F(x), & \text{otherwise,} \end{cases}$$
is a balanced 11-variable RSBF.

3.2. The AI of $f(x)$ in (3)

Lemma 2. [5] Let $T = \{\alpha_1, \dots, \alpha_l\} \subseteq W^{\le k}$ and $U = \{\beta_1, \dots, \beta_l\} \subseteq W^{k+1}$, $0 < l < \binom{n}{k}$. If the vectors in $T$ and $U$ satisfy
1. $\alpha_i \preceq \beta_i$ for $1 \le i \le l$;
2. $\alpha_i \not\preceq \beta_j$ for $1 \le j < i \le l$ (or $1 \le i < j \le l$),
then the Boolean function
$$f_1(x) = \begin{cases} F(x) \oplus 1, & x \in T \cup U, \\ F(x), & \text{otherwise,} \end{cases}$$
where $F(x)$ is the majority function, has optimal AI.
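The following script is an added example (editor's code, not code from the paper or its authors): it builds the 11-variable function of Example 1 from the vectors listed there and checks, by direct computation, the properties claimed for construction (3): balancedness, the hypotheses of Lemma 2 for the pairs $(\alpha_i, u_i)$ with all rotations as in the proof of Theorem 1, the nonlinearity via the Walsh transform of Definition 1 together with the values of Lemma 3, and the algebraic immunity of Definition 2 via a rank computation over $\mathbb{F}_2$. It assumes the truth-table ordering of Section 2 ($x_1$ as least significant bit); all function names (`construct_f`, `lemma2_conditions`, `algebraic_immunity`, ...) are ours.

```python
"""Added example (not code from the paper): build the 11-variable RSBF of
Example 1 from the vectors listed there and check the claims made for it."""
from itertools import combinations
from math import comb

N, K = 11, 5

# The sets of Example 1 (k = 5), copied from the paper; coordinates x1..x11.
U4 = [(1,1,0,1,1,0,0,1,0,1,0)]
U5 = [(1,1,0,1,1,1,1,0,0,0,0), (1,1,1,0,1,1,1,0,0,0,0), (1,1,0,0,1,1,1,1,0,0,0),
      (1,1,1,0,0,1,1,1,0,0,0), (1,1,0,1,0,1,1,1,0,0,0), (1,1,0,1,1,0,1,1,0,0,0),
      (1,1,1,0,1,0,1,1,0,0,0)]
T4 = [(1,1,0,1,1,0,0,0,0,0,0)]
T5 = [(1,0,0,1,1,1,1,0,0,0,0), (1,0,1,0,1,1,1,0,0,0,0), (1,0,0,0,1,1,1,1,0,0,0),
      (1,0,1,0,0,1,1,1,0,0,0), (1,0,0,1,0,1,1,1,0,0,0), (1,0,0,1,1,0,1,1,0,0,0),
      (1,0,1,0,1,0,1,1,0,0,0)]

def index(vec):
    """Truth-table position of (x1, ..., xn): x1 is the least significant bit,
    matching the ordering f = [f(0,...,0), f(1,0,...,0), ...] of Section 2."""
    return sum(b << i for i, b in enumerate(vec))

def circle(vec):
    """G_n(vec) = {rho_n^l(vec) : 0 <= l <= n-1}, with rho_n^l(x)_i = x_{i+l}."""
    n = len(vec)
    return {tuple(vec[(i + l) % n] for i in range(n)) for l in range(n)}

def covered(alpha, beta):
    """alpha is covered by beta: supp(alpha) is a subset of supp(beta)."""
    return all(a <= b for a, b in zip(alpha, beta))

def majority(n):
    """Truth table of the majority function F(x) = 1 iff wt(x) >= ceil(n/2)."""
    return [int(bin(x).count("1") >= (n + 1) // 2) for x in range(1 << n)]

def construct_f(n, T, U):
    """Construction (3): f = F + 1 on the circles of T and U, F elsewhere.
    Returns the truth table and the number of flipped points |T~ u U~|."""
    f, flipped = majority(n), set()
    for vec in T + U:
        flipped |= circle(vec)
    for vec in flipped:
        f[index(vec)] ^= 1
    return f, len(flipped)

def lemma2_conditions(T, U):
    """Hypotheses of Lemma 2 for the pairs (alpha_i, u_i) in the listed order,
    with the rotations of u_j taken as in the proof of Theorem 1: alpha_i is
    covered by u_i, and by no rotation of u_j for j < i and by no nontrivial
    rotation of u_i."""
    for i, (alpha, u) in enumerate(zip(T, U)):
        if not covered(alpha, u):
            return False
        for j in range(i + 1):
            for v in circle(U[j]):
                if covered(alpha, v) and (j < i or v != u):
                    return False
    return True

def walsh(tt):
    """W_f(w) of Definition 1 for every w, by the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """nl(f) = 2^{n-1} - max_w |W_f(w)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def gf2_rank(rows):
    """Rank over F_2 of bit-mask rows stored as Python ints."""
    pivots = {}
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = r
                break
            r ^= pivots[hb]
    return len(pivots)

def algebraic_immunity(tt, n):
    """AI(f) of Definition 2.  A nonzero annihilator of degree <= d exists iff
    the evaluation matrix of the degree-<=d monomials on supp(f) (resp.
    supp(f+1)) has rank below its number of columns; monomials are ordered by
    degree, so those columns form a prefix of the full rows."""
    top = (n + 1) // 2                                  # AI(f) <= ceil(n/2)
    monos = [sum(1 << i for i in c) for d in range(top) for c in combinations(range(n), d)]
    cols = [sum(comb(n, i) for i in range(d + 1)) for d in range(top)]
    matrices = []
    for value in (1, 0):                                # supp(f), then supp(f+1)
        support = [x for x in range(1 << n) if tt[x] == value]
        matrices.append([sum(1 << j for j, m in enumerate(monos) if (m & ~x) == 0)
                         for x in support])
    for d in range(1, top):
        mask = (1 << cols[d]) - 1
        if any(gf2_rank([r & mask for r in rows]) < cols[d] for rows in matrices):
            return d
    return top

def example_report():
    """Properties of the Example 1 function (n = 11, k = 5)."""
    f, flipped = construct_f(N, T4 + T5, U4 + U5)
    return {"flipped": flipped,
            "balanced": sum(f) == 1 << (N - 1),
            "lemma2": lemma2_conditions(T4 + T5, U4 + U5),
            "majority_nonlinearity": nonlinearity(majority(N)),
            "nonlinearity": nonlinearity(f),
            "algebraic_immunity": algebraic_immunity(f, N)}

if __name__ == "__main__":
    print(example_report())
```

With the listed sets ($|T_4| = 1$, $|T_5| = 7$) the report gives 176 flipped points, a balanced function, $nl(f) = 790 = 2^{10} - \binom{10}{5} + 4 \cdot 1 + 2 \cdot 7$ against 772 for the majority function, and $AI(f) = 6 = \lceil 11/2 \rceil$; `walsh(majority(11))` returns 504 at $w = e_1$ and $-504$ at $w = (1,\dots,1)$, as Lemma 3 states. The rank-based AI computation for $n = 11$ takes a few seconds in plain Python.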
Theorem 1. The function $f(x)$ in (3) has optimal AI.

Proof. To prove that $f$ in (3) has optimal AI, according to Lemma 2 it is sufficient to verify that the vectors in $\tilde{U}$ and $\tilde{T}$ satisfy the following three conditions:
(i) $\rho_n^l(\alpha_s) \preceq \rho_n^l(u_s)$ for $0 \le l \le n-1$, $1 \le s \le L_k$.
(ii) $\rho_n^m(\alpha_s) \not\preceq \rho_n^l(u_s)$ for $0 \le m < l \le n-1$, $1 \le s \le L_k$.
(iii) $\rho_n^m(\alpha_s) \not\preceq \rho_n^l(u_t)$ for $0 \le m < l \le n-1$, $1 \le t < s \le L_k$.
Clearly, they all hold according to Lemma 1.

3.3. The nonlinearity of $f(x)$ in (3)

Firstly, some necessary lemmas are presented below; the proof of Lemma 4 is given in the Appendix.

Lemma 3. [8] Let $F(x)$ be the $n$-variable majority function with $n = 2k+1$. The following results hold for $\alpha \in \mathbb{F}_2^n$.
1. If $wt(\alpha) = 1$, then $W_F(\alpha) = 2\binom{n-1}{k}$;
2. If $wt(\alpha) = n$, then $W_F(\alpha) = 2(-1)^k\binom{n-1}{k}$;
3. If $2 \le wt(\alpha) \le n-1$, then $|W_F(\alpha)| \le 2\binom{n-3}{k-1} - \binom{n-3}{k}$ for $n \ge 7$.

Lemma 4. For $k \ge 5$, we have $\binom{n}{k} > 6(n+1)L_k$.

Theorem 2. The nonlinearity of the function $f(x)$ in (3) is
$$nl(f) = 2^{n-1} - \binom{n-1}{k} + \sum_{h=4}^{k} (n+1-2h)|T_h|.$$
Proof. For any $w \in \mathbb{F}_2^n$, by (1), (2) and (3), we have
$$W_f(w) = \sum_{x \notin \tilde{T} \cup \tilde{U}} (-1)^{f(x) + w \cdot x} + \sum_{x \in \tilde{T}} (-1)^{1 + w \cdot x} + \sum_{x \in \tilde{U}} (-1)^{w \cdot x} = W_F(w) - 2\sum_{x \in \tilde{T}} (-1)^{w \cdot x} + 2\sum_{x \in \tilde{U}} (-1)^{w \cdot x}.$$
We will discuss it in the following four cases.

Case 1. When $wt(w) = 0$, i.e., $w = (0, 0, \dots, 0)$, then $W_f(w) = 0$ since $f$ is balanced.

Case 2. When $wt(w) = 1$, we have $\sum_{x \in G_n(u_i)} (-1)^{w \cdot x} = -1$ and $\sum_{x \in G_n(\alpha_i)} (-1)^{w \cdot x} = n - 2h$ for $wt(\alpha_i) = h$. Then, it follows from Lemma 3 that
$$|W_f(w)| = 2\binom{n-1}{k} - 2\sum_{h=4}^{k} (n-2h)|T_h| - 2L_k = 2\binom{n-1}{k} - (2n+2)L_k + 4\sum_{h=4}^{k} h|T_h|.$$
Table 1: Comparison of the enhanced values of the nonlinearity upon $2^{n-1} - \binom{n-1}{k}$

n     f in [20]   f in [21]   f in [13]   f in (3)   f' in (4)
15    2           126         153         208        208
17    2           254         312         544        520
19    2           510         631         1482       1476
21    2           1022        1270        3770       3700
23    2           2048        2549        9768       9716
25    2           4094        5108        24372      24140
27    2           8190        10227       61660      61570
Case 3. When $wt(w) = n$, i.e., $w = (1, 1, \dots, 1)$, we have $\sum_{x \in G_n(\alpha_i)} (-1)^{w \cdot x} = n(-1)^h$ for $wt(\alpha_i) = h$ and $\sum_{x \in G_n(u_i)} (-1)^{w \cdot x} = n(-1)^{k+1}$. Then, it follows from Lemma 3 that
$$|W_f(w)| = \Big| 2(-1)^k\binom{n-1}{k} - 2n\sum_{h=4}^{k} |T_h|(-1)^h + 2n(-1)^{k+1}L_k \Big| = 2\binom{n-1}{k} - 2nL_k - 2n\sum_{h=4}^{k} |T_h|(-1)^{h+k} < 2\binom{n-1}{k} - (2n+2)L_k + 4\sum_{h=4}^{k} h|T_h|.$$

Case 4. When $2 \le wt(w) \le n-1$, according to Lemmas 3 and 4 we have
$$|W_f(w)| \le 2\binom{n-3}{k-1} - \binom{n-3}{k} + 2nL_k \le 2\binom{n-1}{k} - \frac{k-1}{2k-1}\binom{n}{k} + 2nL_k \le 2\binom{n-1}{k} - \frac{6(k-1)(n+1)L_k}{2k-1} + 2nL_k \le 2\binom{n-1}{k} - nL_k.$$
Therefore, the largest $|W_f(w)|$ occurs when $wt(w) = 1$. It follows that $nl(f) = 2^{n-1} - \binom{n-1}{k} + \sum_{h=4}^{k} (n+1-2h)|T_h|$.

$f$ has higher nonlinearity than the RSBFs in [20], [21] and [13]. As a comparison, their nonlinearities upon $2^{n-1} - \binom{n-1}{k}$ are illustrated in Table 1.

3.4. The algebraic degree of $f(x)$ in (3)

Theorem 3. For $k \ge 5$, we have $\deg(f) \ge k+1$.
Proof. Now, we consider the algebraic degree of $f(x)$. Rewrite $f(x)$ as $f(x) = F(x) + G(x)$, where
$$G(x) = \begin{cases} 1, & x \in \tilde{T} \cup \tilde{U}, \\ 0, & \text{otherwise.} \end{cases}$$
Clearly, $\deg(G) \le n-1$ since $wt(G)$ is even. Let $\alpha_i = (\alpha_{i1}, \alpha_{i2}, \dots, \alpha_{in}) \in W^{\ge k} \cup \tilde{T} \setminus \tilde{U}$ for $1 \le i \le 2^{n-1}$. Then, the ANF of $G(x)$ can be expressed as
$$G(x) = \sum_{i=1}^{2^{n-1}} \prod_{j=1}^{n} (x_j + \alpha_{ij} + 1).$$
Note that $\deg(F) = 2^{\lfloor \log_2 n \rfloor}$ and $\deg(f) = \deg(F + G)$. It is known [8] that the coefficient of the term $x_1 x_2 \cdots x_n / x_1 x_2 \cdots x_k$ in the ANF of $F(x)$ is 1. Clearly, the coefficient of the term $x_1 x_2 \cdots x_n / x_1 x_2 \cdots x_k$ in the ANF of $G(x)$ is 0. Thus $\deg(f) = \deg(F + G) \ge k+1$.

3.5. The immunity to fast algebraic attacks of $f(x)$ in (3)

In what follows, due to memory restrictions, we analyze the resistance to fast algebraic attacks of the functions proposed in (3) for some small values of the number of variables. For $n = 2k+1$, let $g_1, h_1 \in \mathcal{B}_n$ be two functions with $\deg(h_1) = d$ and $1 \le \deg(g_1) = e < k$ such that $fg_1 = h_1$. We aim to find out the minimal value of $e + d$ to analyze the immunity to fast algebraic attacks. Clearly, since $h_1$ is an annihilator of $f + 1$, we have $d \ge k$. So we investigated all the combinations of $e$ and $d$ with $1 \le e < k$, $k \le d$ and $e + d \le n-1$. By applying Algorithm 2 of [1] implemented in Magma, we have the following results.
1. For $n = 11, 15$, by exhaustive search we only found pairs $(e, d)$ to exist for $e + d \ge n-3$, that is, $FAI(f) = n-3$.
2. For $n = 13$, by exhaustive search we only found pairs $(e, d)$ to exist for $e + d \ge n-2$, that is, $FAI(f) = n-2$.
The experimental results suggest that, at least for small numbers of input variables, $f$ has good behavior against fast algebraic attacks.

4. RSBFs with all main good cryptographic properties

Although the function $f$ in (3) has optimal AI and high nonlinearity, its algebraic degree is difficult to determine. In this section, by modifying the constructions of $T$ and $U$ in the definition of $f(x)$ in (3), we get a new class of RSBFs having almost all of the main cryptographic properties: balancedness, high algebraic degree, optimal AI, high nonlinearity, and good behavior against fast algebraic attacks (as checked for some small numbers of variables).

First, we define $S'_h$ based on $S_h$ for $h \in I_k$. When $h = 4, 5$, and when $h \ge 6$ with $h + k + 1$ being even, we take $S'_h = S_h$.
When $h \ge 6$ and $h + k + 1$ is odd, for $2 \le m \le h-2$, if $\binom{h-3}{m-1}$ is even we take $S'_{h,m} = S_{h,m}$, and if $\binom{h-3}{m-1}$ is odd we take
$$S'_{h,m} = \{(\underbrace{1, \dots, 1}_{k_1}, \underbrace{0, \dots, 0}_{d_1}, \dots, \underbrace{1, \dots, 1}_{k_m}, \underbrace{0, \dots, 0}_{d_m}, \underbrace{0, \dots, 0}_{2(k-h)}) \mid (k_1, \dots, k_m) \in C'^1_{h,m},\ (d_1, \dots, d_m) \in C^0_{h,m}\},$$
where $C'^1_{h,m} \subseteq C^1_{h,m}$ is such that $|C'^1_{h,m}| = \binom{h-3}{m-1} - 1$. When $h \ge 6$ and $h + k + 1$ is odd, for $2 \le m \le h-2$ we have
$$|S'_{h,m}| = 2\left\lfloor \binom{h-3}{m-1} \Big/ 2 \right\rfloor \cdot p_m(h-2).$$
Denote $S'_h = \bigcup_{2 \le m \le h-2} S'_{h,m}$, and we have
$$|S'_h| = \begin{cases} \sum_{m=2}^{h-2} \binom{h-3}{m-1} \cdot p_m(h-2), & h = 4, 5 \text{ or } h + k + 1 \text{ is even}, \\ \sum_{m=2}^{h-2} 2\left\lfloor \binom{h-3}{m-1} \Big/ 2 \right\rfloor \cdot p_m(h-2), & \text{otherwise.} \end{cases}$$
Clearly, $S'_h$ is a subset of $S_h$. As we did in Section 3.1, set $U'_h = S'_h$ for $4 \le h \le k-1$, and set $U'_k = S'_{k+1}$. Similarly to $T_h$, $U$, $T$, $\tilde{T}$ and $\tilde{U}$, the sets $T'_h$, $U'$, $T'$, $\tilde{T}'$ and $\tilde{U}'$ can be defined. Note that $U'_h \subseteq U_h$, $T'_h \subseteq T_h$, $T' \subseteq T$, $U' \subseteq U$, $\tilde{T}' \subseteq \tilde{T}$, $\tilde{U}' \subseteq \tilde{U}$, and $|T'_h| = |U'_h|$, $|T'| = |U'|$, $|\tilde{T}'| = |\tilde{U}'|$. Let
$$f'(x) = \begin{cases} F(x) + 1, & x \in \tilde{T}' \cup \tilde{U}', \\ F(x), & \text{otherwise,} \end{cases} \qquad (4)$$
where $F(x)$ is the $n$-variable majority function. Then $f'$ is a balanced $n$-variable RSBF. Furthermore, we can prove the next theorem similarly to Theorems 1 and 2.

Theorem 4. Let $f'$ be the $n$-variable function defined in (4); then $f'$ has optimal AI with nonlinearity
$$nl(f') = 2^{n-1} - \binom{n-1}{k} + \sum_{h=4}^{k} (n+1-2h)|T'_h|.$$
$f'$ has higher nonlinearity than the RSBFs in [20], [21] and [13]. As a comparison, their nonlinearities upon $2^{n-1} - \binom{n-1}{k}$ are illustrated in Table 1.

Now, let us consider the algebraic degree of $f'$. Rewrite $f'(x)$ as $f'(x) = F(x) + G'(x)$, where
$$G'(x) = \begin{cases} 1, & x \in \tilde{T}' \cup \tilde{U}', \\ 0, & \text{otherwise.} \end{cases}$$
Since $wt(G')$ is even, $\deg(G') \le n-1$. Further, the coefficient of the term $x_1 x_2 \cdots x_n / x_i$ in the ANF of $G'(x)$ is $\sum_{h=4}^{k} (k+h+1)|T'_h| \bmod 2$. Since $|T'_4| = 1$ and $|T'_5| = 3$, we have
$$\sum_{h=4}^{k} (k+h+1)|T'_h| \equiv (k+4+1)|T'_4| + (k+5+1)|T'_5| \equiv (k+5) + 3(k+6) \equiv 1 \pmod 2.$$
Thus $\deg(G') = n-1$. Recall that $\deg(F) = 2^{\lfloor \log_2 n \rfloor}$. If $n = 2^m + 1$ for some integer $m$, then $\deg(F) = n-1$. Hence $\deg(f') = \deg(F + G') \le n-2$. If $2^m + 2 \le n \le 2^{m+1}$, then $\deg(F) \le n-2$. Thus $\deg(f') = \deg(F + G') = \deg(G') = n-1$. Consequently, we get the following theorem.

Theorem 5. For the $f'$ defined in (4) we have
$$\deg(f') \le n-2 \ \text{ if } n = 2^m + 1, \qquad \deg(f') = n-1 \ \text{ if } 2^m + 2 \le n \le 2^{m+1},$$
for some integer $m$.

At last, let us consider the behavior against fast algebraic attacks of the function in (4). Let $g_1, h_1 \in \mathcal{B}_n$ be two functions with $1 \le \deg(g_1) = e < k$ and $\deg(h_1) = d$ such that $f'g_1 = h_1$. Using Algorithm 2 of [1], we only found pairs $(e, d)$ to exist for $e + d \ge n-2$ by exhaustive search for $n = 11, 13, 15$. That is, $FAI(f') = n-2$ for $n = 11, 13, 15$. The experimental results show that, at least for small values of the number of variables, $f'$ in (4) has high fast algebraic immunity.

5. Conclusion

In this paper, two classes of balanced odd-variable RSBFs with optimal AI are proposed. We show that the nonlinearity of both classes of RSBFs is much higher than that of all the known RSBFs having optimal AI. We also show that, at least for small numbers of variables, both classes of RSBFs have good behavior against fast algebraic attacks. Moreover, the algebraic degree of the second class of functions is optimal in almost all cases.

Acknowledgements

This research is supported by the National Key Basic Research Program of China (Grant No. 2013CB834204), and the National Natural Science Foundation of China (Grant Nos. 61571243 and 61171082).
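The counting side of both constructions, as an added example (editor's code, not code from the paper): it implements the recursion for $p_m(k)$ from Section 3, checks $|C^0_{h,m}| = p_m(h-2)$ and $|C^1_{h,m}| = \binom{h-3}{m-1}$ by brute-force enumeration of the compositions, builds $|T_h|$ and $|T'_h|$ from the closed forms for $|S_h|$ (Section 3.1) and $|S'_h|$ (Section 4), evaluates the nonlinearity gain $\sum_{h=4}^{k}(n+1-2h)|T_h|$ of Theorems 2 and 4, which is what Table 1 lists in the columns for $f$ in (3) and $f'$ in (4), and compares the circle count $g_n$ of Section 2 with a brute-force orbit count. Function names are ours; the parity rule for $S'_h$ is applied to the index $h$ of $S'_h$ exactly as stated in Section 4.

```python
"""Added example (not code from the paper): the composition counts behind
construction (3) of Section 3.1 and construction (4) of Section 4, the
nonlinearity formulas of Theorems 2 and 4, and the circle count g_n."""
from functools import lru_cache
from math import comb, gcd

@lru_cache(maxsize=None)
def p(m, k):
    """p_m(k): compositions of k into m parts with a_1 <= ... <= a_m, by the
    recursion p_m(k) = p_{m-1}(k-1) + p_m(k-m) with p_1(k) = p_k(k) = 1."""
    if m < 1 or k < m:
        return 0
    if m == 1 or m == k:
        return 1
    return p(m - 1, k - 1) + p(m, k - m)

def compositions(s, m):
    """All compositions of s into m positive parts (order matters)."""
    if m == 1:
        if s >= 1:
            yield (s,)
        return
    for first in range(1, s - m + 2):
        for rest in compositions(s - first, m - 1):
            yield (first,) + rest

def c0_size(h, m):
    """|C^0_{h,m}| by brute force: (d_1..d_m) summing to h-1 with
    d_m > d_{m-1} >= ... >= d_1 >= 1.  Equals p_m(h-2)."""
    return sum(1 for d in compositions(h - 1, m)
               if all(d[i] <= d[i + 1] for i in range(m - 2)) and d[-1] > d[-2])

def c1_size(h, m):
    """|C^1_{h,m}| by brute force: (k_1..k_m) summing to h with k_1, k_m >= 2
    and k_2..k_{m-1} >= 1.  Equals C(h-3, m-1)."""
    return sum(1 for c in compositions(h, m) if c[0] >= 2 and c[-1] >= 2)

def s_size(h, k=None):
    """|S_h| = sum_{m=2}^{h-2} p_m(h-2) C(h-3, m-1).  With k given, |S'_h| of
    Section 4 instead: for h >= 6 with h+k+1 odd, an odd C(h-3, m-1) is
    replaced by C(h-3, m-1) - 1 = 2 * floor(C(h-3, m-1) / 2)."""
    total = 0
    for m in range(2, h - 1):
        c = comb(h - 3, m - 1)
        if k is not None and h >= 6 and (h + k + 1) % 2 == 1:
            c = 2 * (c // 2)
        total += p(m, h - 2) * c
    return total

def t_sizes(k, modified=False):
    """|T_h| (or |T'_h|) for 4 <= h <= k: U_h = S_h for h <= k-1, U_k = S_{k+1}."""
    kk = k if modified else None
    return {h: s_size(h if h < k else k + 1, kk) for h in range(4, k + 1)}

def nonlinearity_gain(k, modified=False):
    """Theorems 2 and 4: nl - (2^{n-1} - C(n-1, k)) = sum_{h=4}^{k} (n+1-2h)|T_h|,
    n = 2k+1; this is the quantity Table 1 lists for f in (3) and f' in (4)."""
    n = 2 * k + 1
    return sum((n + 1 - 2 * h) * t for h, t in t_sizes(k, modified).items())

def phi(t):
    """Euler's phi-function."""
    return sum(1 for a in range(1, t + 1) if gcd(a, t) == 1)

def num_circles(n):
    """g_n = (1/n) sum_{t | n} phi(t) 2^{n/t}; there are 2^{g_n} n-variable RSBFs."""
    return sum(phi(t) << (n // t) for t in range(1, n + 1) if n % t == 0) // n

def count_circles(n):
    """Brute-force count of the circles G_n(x) partitioning F_2^n."""
    mask, seen, count = (1 << n) - 1, set(), 0
    for x in range(1 << n):
        if x not in seen:
            count += 1
            seen |= {((x << l) | (x >> (n - l))) & mask for l in range(n)}
    return count

if __name__ == "__main__":
    for k in range(7, 14):                       # n = 15, 17, ..., 27 as in Table 1
        print(2 * k + 1, nonlinearity_gain(k), nonlinearity_gain(k, modified=True))
    print(num_circles(11), count_circles(11))
```

Running it prints the pairs 208/208, 544/520, 1482/1476, 3770/3700, ... for $n = 15, 17, 19, 21, \dots$, i.e. the two last columns of Table 1, and $g_{11} = 188$ from both the formula and the orbit enumeration.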
6. Appendices

In this appendix, Lemma 4 will be proved. Before we prove the lemma, we first need the next preliminary result.

Proposition 1. Let $n = 2k+1$. For $k \ge 14$, we have
$$\sum_{m=2}^{k} p_m(k)\binom{k-1}{m-1} < \frac{2}{5n}\binom{n}{k}.$$
Proof. For $2 \le m \le k$, we define $R_{k,m} \subseteq W^{k+1}$ as
$$R_{k,m} = \{(\underbrace{1, \dots, 1}_{k_1}, \underbrace{0, \dots, 0}_{d_1}, \dots, \underbrace{1, \dots, 1}_{k_m}, \underbrace{0, \dots, 0}_{d_m}) \mid k_1 \ge 2,\ k_2, \dots, k_{m-1} \ge 1,\ d_m \ge d_{m-1} \ge d_{m-2} \ge \dots \ge d_2 \ge d_1 \ge 1\}.$$
Note that $|R_{k,m}| = p_m(k)\binom{k-1}{m-1}$. Denote $R_k = \bigcup_{2 \le m \le k} R_{k,m}$; then
$$|R_k| = \sum_{m=2}^{k} p_m(k)\binom{k-1}{m-1}.$$
Now, for $2 \le m \le k-2$ we define $R'_{k,m} \subseteq W^{k+1}$ such that $R_{k,m} \cap R'_{k,m} = \emptyset$. When $4 \le m \le k-2$:

• if $d_{m-2} = d_{m-1} = d_m$, we let
$$R'_{k,m} = \Big\{(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_{m-2}-1}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-2}+2}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m-1}),$$
$$(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_{m-2}-1}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}+1}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \in R_{k,m}\Big\},$$

• if $1 < d_{m-2} = d_{m-1} < d_m$, we let
$$R'_{k,m} = \Big\{(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_{m-2}+1}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}-1}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m-1}),$$
$$(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_{m-2}-1}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_m}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_{m-1}+1}) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \in R_{k,m}\Big\},$$

• if $1 = d_1 = \dots = d_{m-2} = d_{m-1} < d_m$, we let
$$R'_{k,m} = \Big\{(1, 0, \underbrace{1,\dots,1}_{k_2}, 0, \dots, \underbrace{1,\dots,1}_{k_1-1}, 0, \underbrace{1,\dots,1}_{k_{m-1}}, 0, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \in R_{k,m}\Big\},$$

• if $d_{m-2} < d_{m-1} < d_m$, we let
$$R'_{k,m} = \Big\{(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_{m-1}}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-2}}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}),$$
$$(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-2}}, \underbrace{0,\dots,0}_{d_m}, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_{m-2}}) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_{m-1}}, \underbrace{0,\dots,0}_{d_{m-1}}, \underbrace{1,\dots,1}_{k_m}, \underbrace{0,\dots,0}_{d_m}) \in R_{k,m}\Big\};$$

when $m = 2$, let
$$R'_{k,2} = \Big\{(\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, 1, 0, \underbrace{1,\dots,1}_{k_2-1}, \underbrace{0,\dots,0}_{d_2-1}),\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \underbrace{1,\dots,1}_{k_2-1}, \underbrace{0,\dots,0}_{d_2-1}, 1, 0) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \underbrace{1,\dots,1}_{k_2}, \underbrace{0,\dots,0}_{d_2}) \in R_{k,2}\Big\};$$

when $m = 3$, let
$$R'_{k,3} = \Big\{(1, \underbrace{0,\dots,0}_{d_1}, \underbrace{1,\dots,1}_{k_2}, \underbrace{0,\dots,0}_{d_2}, \underbrace{1,\dots,1}_{k_1-1}, 0, \underbrace{1,\dots,1}_{k_3}, \underbrace{0,\dots,0}_{d_3-1}),\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \underbrace{1,\dots,1}_{k_2}, \underbrace{0,\dots,0}_{d_2}, 1, 0, 0, \underbrace{1,\dots,1}_{k_3-1}, \underbrace{0,\dots,0}_{d_3-2}) \ \Big|\ (\underbrace{1,\dots,1}_{k_1}, \underbrace{0,\dots,0}_{d_1}, \dots, \underbrace{1,\dots,1}_{k_3}, \underbrace{0,\dots,0}_{d_3}) \in R_{k,3}\Big\}.$$
For $m = 2, 3$, we have $|R'_{k,m}| = 2|R_{k,m}|$. For $4 \le m \le k-2$, since $p_m(k) \ge 2$, we have $|R'_{k,m}| \ge 3|R_{k,m}|/2$. Denote $R'_k = \bigcup_{2 \le m \le k-2} R'_{k,m}$. Since $|R_{k,k}| + |R_{k,k-1}| < \frac{1}{2}|R'_{k,3}|$, we have $|R'_k| > 3|R_k|/2$. Note that $R_k \cap R'_k = \emptyset$, and $|G_n(\alpha)| = n$ for any $\alpha \in R_k \cup R'_k$. Thus $5n|R_k|/2 < \binom{n}{k}$. Hence, the proposition follows.

Proof of Lemma 4. It is sufficient to prove $g(k) = \frac{1}{6(n+1)}\binom{n}{k} - L_k > 0$. By a direct calculation, we know that $g(k) > 0$ for $5 \le k \le 14$. Hence, when $k \ge 15$, $g(k) > 0$ also holds since $g(k)$ is an increasing function for $k \ge 14$, that is,
$$g(k+1) - g(k) = \frac{1}{6(n+3)}\binom{n+2}{k+1} - L_{k+1} - \frac{1}{6(n+1)}\binom{n}{k} + L_k$$
$$> \frac{1}{6n}\binom{n}{k}\left(\frac{(2k+1)(2k+3)}{(k+2)(k+2)} - \frac{2k+1}{2k+2}\right) - \sum_{m=2}^{k} p_m(k)\binom{k-1}{m-1}$$
$$> \frac{5}{12n}\binom{n}{k} - \sum_{m=2}^{k} p_m(k)\binom{k-1}{m-1}$$
$$> \frac{2}{5n}\binom{n}{k} - \sum_{m=2}^{k} p_m(k)\binom{k-1}{m-1} > 0,$$
where the last inequality follows from Proposition 1. This completes the proof.

References

[1] F. Armknecht, C. Carlet, P. Gaborit, S. Künzli, W. Meier, O. Ruatta, Efficient computation of algebraic immunity for algebraic and fast algebraic attacks, in: Advances in Cryptology, EUROCRYPT 2006, LNCS, vol. 4004, 2006, pp. 147–164.
[2] C. Carlet, A method of construction of balanced functions with optimum algebraic immunity, available online, http://eprint.iacr.org/2006/149 (2006).
[3] C. Carlet, D. Dalai, K. Gupta, S. Maitra, Algebraic immunity for cryptographically significant Boolean functions: analysis and construction, IEEE Trans. Inf. Theory 52 (7) (2006) 3105–3121.
[4] C. Carlet, G. Gao, W. Liu, A secondary construction and a transformation on rotation symmetric functions, and their action on bent and semi-bent functions, J. Comb. Theory A 127 (1) (2014) 161–175.
[5] C. Carlet, X. Zeng, C. Li, L. Hu, Further properties of several classes of Boolean functions with optimum algebraic immunity, Des. Codes Cryptogr. 52 (3) (2009) 303–338.
[6] N. Courtois, J. Pieprzyk, Cryptanalysis of block ciphers with overdefined systems of equations, in: Advances in Cryptology, ASIACRYPT 2501, LNCS, vol. 4002, 2002, pp. 3267–3287.
[7] N. Courtois, W. Meier, Algebraic attacks on stream ciphers with linear feedback, in: Advances in Cryptology, EUROCRYPT 2003, LNCS, vol. 2729, 2003, pp. 345–349.
[8] D. Dalai, S. Maitra, S. Sarkar, Basic theory in construction of Boolean functions with maximum possible annihilator immunity, Des. Codes Cryptogr. 40 (1) (2006) 41–58.
[9] C. Ding, G. Xiao, W. Shan, The Stability Theory of Stream Ciphers, Springer, Heidelberg, 1991.
[10] K. Feng, Q. Liao, J. Yang, Maximal values of generalized algebraic immunity, Des. Codes Cryptogr. 53 (9) (2009) 243–252.
[11] J. Du, Q. Wen, J. Zhang, S. Pang, Construction and counting of 1-resilient RSBFs on pq variables, IEICE Trans. Fund. Electron. Comm. Comput. Sci. E96-A (7) (2013) 1653–1656.
[12] J. Du, Q. Wen, J. Zhang, S. Pang, Constructions of resilient rotation symmetric Boolean functions on given number of variables, IET Inform. Secur. 8 (5) (2014) 65–272.
[13] S. Fu, C. Li, L. Qu, K. Matsuura, Construction of odd-variable rotation symmetric Boolean functions with maximum algebraic immunity, IEICE Trans. Fund. Electron. Comm. Comput. Sci. E99-A (4) (2016) 853–855.
[14] G. Gao, W. Liu, C. Carlet, Constructions of quadratic and cubic rotation symmetric bent functions, IEEE Trans. Inf. Theory 58 (7) (2012) 4908–4913.
[15] P. Hawkes, G. Rose, Rewriting variables: The complexity of fast algebraic attacks on stream ciphers, in: Advances in Cryptology, CRYPTO 2004, LNCS, vol. 3152, 2004, pp. 390–406.
[16] S. Heubach, T. Mansour, Combinatorics of Compositions and Words, CRC Press, Boca Raton, 2009.
[17] M. Liu, D. Lin, D. Pei, Fast algebraic attacks and decomposition of symmetric Boolean functions, IEEE Trans. Inf. Theory 57 (7) (2011) 4817–4821.
[18] W. Meier, E. Pasalic, C. Carlet, Algebraic attacks and decomposition of Boolean functions, in: Advances in Cryptology, EUROCRYPT 2004, LNCS, vol. 3027, 2004, pp. 474–491.
[19] L. Qu, K. Feng, F. Liu, L. Wang, Constructing symmetric Boolean functions with maximum algebraic immunity, IEEE Trans. Inf. Theory 55 (2009) 2406–2412.
[20] S. Sarkar, S. Maitra, Construction of rotation symmetric Boolean functions with maximum algebraic immunity on odd number of variables, in: Applied Algebra, Algebraic Algorithms and Error-Correcting Codes 2007, LNCS, vol. 4851, 2007, pp. 271–280.
[21] S. Su, X. Tang, Construction of rotation symmetric Boolean functions with optimal algebraic immunity and high nonlinearity, Des. Codes Cryptogr. 71 (2) (2014) 183–199.