Information Sciences 273 (2014) 319–328
Hybrid classes of balanced Boolean functions with good cryptographic properties

Mansoor Ahmed Khan a,1, Ferruh Özbudak b,⇑

a Institute of Applied Mathematics, Middle East Technical University, Dumlupınar Bul. No:1, 06800 Ankara, Turkey
b Department of Mathematics and Institute of Applied Mathematics, Middle East Technical University, Dumlupınar Bul. No:1, 06800 Ankara, Turkey

Article info

Article history: Received 23 May 2012; Received in revised form 30 November 2013; Accepted 9 February 2014; Available online 12 March 2014

Keywords: Boolean function; Symmetric cipher; Non-linearity; Algebraic degree; Algebraic immunity; Optimal algebraic immunity

Abstract

Cryptographically strong Boolean functions play an imperative role in the design of almost every modern symmetric cipher. In this context, the cryptographic properties of Boolean functions, such as non-linearity, algebraic degree, correlation immunity and propagation criteria, are critically considered in the process of designing these ciphers. More recently, with the emergence of algebraic and fast algebraic attacks, algebraic immunity has also been included as an integral property to be considered. As a result, several constructions of Boolean functions with high non-linearity, maximal algebraic degree and optimal algebraic immunity have been devised since then. This paper focuses on some of these constructions and presents two hybrid classes of Boolean functions. The functions constructed within these classes possess maximal algebraic degree for balanced functions, optimal algebraic immunity, high non-linearity and good resistance to algebraic and fast algebraic attacks. A hybrid class of 1-resilient functions has also been proposed that also possesses high algebraic degree, optimal algebraic immunity, high non-linearity and good resistance to algebraic and fast algebraic attacks.

© 2014 Elsevier Inc. All rights reserved.
1. Introduction

Boolean functions are amongst the vital ingredients of any modern symmetric cryptosystem. These are utilized as non-linear filtering functions or combiner functions in LFSR-based stream ciphers, and as S-Box component functions or non-linear encryption functions in Feistel structure based block ciphers to implement principles of confusion and diffusion. Consequently, the cryptographic properties of Boolean functions are the main contributors to the strength of these ciphers against cryptanalysis. The key cryptographic characteristics of Boolean functions include balanced-ness, high non-linearity, correlation immunity and resiliency, strict avalanche criteria and propagation criteria, and more recently, high algebraic degree and optimal algebraic immunity.

In [11,12], N. Courtois and W. Meier presented algebraic and fast algebraic attacks on stream ciphers with linear feedback. Subsequently, some variants of these attacks were devised to further improve their efficiency [1–3,18,21]. This triggered a series of research work and several constructions of Boolean functions were proposed focused on attaining high algebraic degree and optimal or sub-optimal algebraic immunity, while maintaining high non-linearity [4,6–9,13,14,19,27–30,32]. Constructions in [9,32,28] present balanced Boolean functions possessing the above-mentioned cryptographic characteristics.

⇑ Corresponding author. Tel.: +90 5413114587.
1 Principal corresponding author. Tel.: +92 3332143697.
http://dx.doi.org/10.1016/j.ins.2014.02.157
0020-0255/© 2014 Elsevier Inc. All rights reserved.
In [10], C. Carlet pointed out a weakness in the construction of Z. Tu and Y. Deng [28]. It was discovered that the product of constructed functions with any linear function reduced the degree of the resultant function by almost half, making it vulnerable to fast algebraic attacks [1–3,11,12,18,21]. A repair was also suggested to remove this weakness, but the rest of the properties, including algebraic degree and resistance to fast algebraic attacks, were mentioned as work in progress.

In this paper, we have presented two hybrid classes of balanced Boolean functions based on ideas in [9,28,15,16]. The proposed functions not only maintain their cryptographic properties, i.e. balanced-ness, maximal algebraic degree for balanced functions, optimal algebraic immunity and very high non-linearity, but also avoid the weakness pointed out in [10]. Additionally, we have practically analyzed and verified (using MAGMA) that functions constructed in the two proposed hybrid classes are not comparably vulnerable to fast algebraic attacks as functions in [28]. We have also presented a hybrid class of 1-resilient Boolean functions with high algebraic degree, optimal algebraic immunity, high non-linearity and good resistance to algebraic and fast algebraic attacks.

The rest of this paper is organized as follows. In Section 2, some preliminary foundations related to Boolean functions are presented. The functions presented in [9,28] are presented in Section 3, along with the details of the weakness pointed out in [10]. Section 4 describes the two hybrid classes proposed. The cryptographic properties of the two classes are analyzed in Section 5 along with the advantages over the original constructions. Section 6 presents the summarized computer investigation results for $4 \le n \le 18$ and their comparison with those in [9,28] in Tables 6.1, 6.2 and 6.3. The hybrid class of 1-resilient functions is presented in Section 7, along with the results after computer implementation. Finally, the paper is concluded in Section 8.

2. Preliminary foundations

We start this section with some definitions. Let $\mathbb{F}_2$ denote the binary field. Then $\mathbb{F}_2^n$ can be visualized as an $n$-dimensional vector space over $\mathbb{F}_2$. A Boolean function $f$ on $n$ variables can be envisaged as a mapping from $\mathbb{F}_2^n$ to $\mathbb{F}_2$. Let $B_n$ denote the set of all Boolean functions from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. A Boolean function $f(x_1, \ldots, x_n)$ can be represented as a binary string of length $2^n$, with each bit representing the output of the function with respect to the ordered tuple $(x_1, \ldots, x_n)$ as the input:

$$f = \{f(0, 0, \ldots, 0),\ f(0, 0, \ldots, 1),\ \ldots,\ f(1, 1, \ldots, 1)\} \tag{1}$$

The above representation is known as the truth table of $f$. The Sequence of $f$, denoted by Seq($f$), is a $(1, -1)$-valued mapping of the truth table obtained by $\mathrm{Seq}(f) = 1 - 2f$. The Weight of a Boolean function, wt($f$), sometimes also referred to as the Hamming Weight, is the number of 1s in its truth table representation. The Algebraic Normal Form of $f$ (ANF($f$)) is the multivariate polynomial defined over $\mathbb{F}_2$ as

$$f(x_1, x_2, \ldots, x_n) = \sum_{i \subseteq I} a_i \prod_{j \in 1,2,\ldots,n} x_j \tag{2}$$

where $I = \{1, 2, \ldots, n\}$. The Support of $f$, supp($f$), is defined as

$$\mathrm{supp}(f) = \{\forall\, x \mid f(x) = 1\} \tag{3}$$

Any $n$-variable Boolean function is called balanced if $\mathrm{wt}(f) = 2^{(n-1)}$, i.e. its support set supp($f$) has dimension $2^{(n-1)}$. For $a = (a_1, a_2, \ldots, a_n)$ and $x = (x_1, x_2, \ldots, x_n)$, define $a \cdot x$ as the usual inner product $a \cdot x = (a_1 x_1, a_2 x_2, \ldots, a_n x_n)$. Then the Walsh transform of $f$, $W_f$, is calculated as

$$W_f(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x} \tag{4}$$

Obviously, each coefficient in the Walsh spectrum has values between $-2^n$ and $2^n$. The total energy in the Walsh spectrum is conserved, as established in Parseval's Identity

$$\sum_{a \in \mathbb{F}_2^n} W_f(a)^2 = 2^{2n} \tag{5}$$
Table 6.1
Comparison of non-linearities in Proposition 5.2 and constructed functions.

| n | nl($f_1, f_2$) in Proposition 5.2 | nl($f_1, f_2$) constructed |
|---|---|---|
| 4 | ≥ 3 | 4 |
| 6 | ≥ 21 | 26 |
| 8 | ≥ 107 | 116 |
| 10 | ≥ 476 | 490 |
| 12 | ≥ 1982 | 2008 |
| 14 | ≥ 8073 | 8118 |
| 16 | ≥ 32,551 | 32,624 |
| 18 | ≥ 130,674 | 130,792 |

Table 6.2
Comparison of our constructions with non-linearities in [9,28].

| n | nl($f_{bent}$) | nl($f_{[11]}$) | nl($f_{[33]}$) | nl($f_1, f_2$) |
|---|---|---|---|---|
| 4 | 6 | 4* | 4 | 4 |
| 6 | 28 | 24 | 26 | 26 |
| 8 | 120 | 112 | 116 | 116 |
| 10 | 496 | 478 | 490 | 490 |
| 12 | 2016 | 1970* | 2008 | 2008 |
| 14 | 8128 | 8036* | 8118 | 8118 |
| 16 | 32,640 | 32,530* | 32,624 | 32,624 |
| 18 | 130,812 | 130,442* | 130,792 | 130,792 |

The values with * have been computed in [28] and not in the original construction in [9].

Table 6.3
Total number of functions in Tu-Deng construction [28] and our classes.

| n | No. of primitive elements ($\alpha$) | No. of functions in [28] | No. of functions in Construction 1 and 2 (1/2) |
|---|---|---|---|
| 4 | 2 | 2 | 2/2 |
| 6 | 6 | 12 | 12/48 |
| 8 | 8 | 24 | 72/192 |
| 10 | 30 | 180 | 1260/2880 |
| 12 | 36 | 324 | 4860/10,368 |
| 14 | 126 | 2268 | 70,308/145,152 |
| 16 | 128 | 3840 | 241,920/491,520 |
| 18 | 432 | 23,760 | 3,017,520/6,082,560 |
The Non-Linearity nl($f$) of a function $f$ is given by

$$nl(f) = 2^{(n-1)} - \frac{1}{2} \max_{a \in \mathbb{F}_2^n} |W_f(a)| \tag{6}$$

Definition 2.1. A Boolean function $f$ in $\mathbb{F}_2^n$ is called bent if its Walsh spectrum is two valued, i.e. $W_f(a) = \pm 2^{n/2}\ \forall\, a \in \mathbb{F}_2^n$, where $n$ is even. Clearly, a bent function is unbalanced since $W_f(0) \ne 0$.

Definition 2.2 [18]. The Annihilator of $f$, AN($f$), is defined as the minimum degree of a Boolean function $g$ such that $f \cdot g = 0$, where $f \cdot g$ is the usual product of functions $f \cdot g = f(x)g(x)$. The algebraic immunity of $f$, AI($f$), is determined as the minimum degree non-zero annihilator of $f$

$$AI(f) = \min\{\deg(g) \mid \forall\, g \in B_n \text{ s.t. } f \cdot g = 0\} \tag{7}$$

The term m-Resilience in a Boolean function implies that it is balanced ($W_f(0) = 0$) and possesses Correlation Immunity (CI) = $m$. Correlation immunity = $m$ means that $W_f(a) = 0$ for all $a$ with $1 \le \mathrm{wt}(a) \le m$.

A Boolean function is well suited for a symmetric cipher given it has a high algebraic degree, high non-linearity and optimal algebraic immunity. High algebraic degree resists Berlekamp–Massey attack [10], high non-linearity counters fast correlation attacks [15,16], while high algebraic immunity is necessary to counter algebraic and fast algebraic attacks [1–3,11,12,18,21]. Hence, it is clear that functions with maximum algebraic degree $(n-1)$ for a balanced Boolean function, optimal algebraic immunity $\lceil n/2 \rceil$ and highest possible non-linearity are mandatory for employment in symmetric ciphers.

While high algebraic immunity is necessary to counter algebraic and fast algebraic attacks [1–3,11,12,18,21], it is not a sufficient condition. It is elaborated in [10] that if we can find $g$ of low algebraic degree and $h \ne 0$ of feasible algebraic degree such that $f \cdot g = h$, then the function $f$ becomes vulnerable to fast algebraic attack. To attain optimal resistance to fast algebraic attacks for an $n$-variable function $f$, there should not exist two functions $g \ne 0$ and $h$ such that $f \cdot g = h$ and $\deg(g) + \deg(h) < n$ while $\deg(g) < n/2$. The function $f$ is the weakest [10] when there exists a function $g$ of degree 1 (linear function), and a function $h$ with degree $\lceil n/2 \rceil$ such that $f \cdot g = h$. The next to weakest case [10] is when there exists a function $g$ of degree 1 (linear function), and a function $h$ with degree $\lceil n/2 \rceil + 1$ with $f \cdot g = h$.

3. Carlet-Feng and Tu-Deng functions

We now describe the infinite class of balanced Boolean functions proposed in [9] by C. Carlet and K. Feng. Let $\alpha \in \mathbb{F}_2^n$ be the primitive element of $\mathbb{F}_2^n$. Then the $n$-variable Boolean function $f$ from $\mathbb{F}_2^n$ to $\mathbb{F}_2$ for number of variables $n$ is defined by

$$\mathrm{supp}(f) = \{0, 1, \alpha, \alpha^2, \ldots, \alpha^{2^{(n-1)}-2}\} \tag{8}$$
It was proved that $f$ has optimal algebraic immunity, i.e. $\lceil n/2 \rceil$. The algebraic degree of $f$ is $(n-1)$ and it is obviously balanced. Furthermore the non-linearity of $f$ satisfies

$$nl(f) = 2^{(n-1)} + \frac{2^{\frac{n}{2}+1}}{\pi} \ln\left(\frac{\pi}{4(2^n - 1)}\right) - 1 \approx 2^{(n-1)} - \frac{2 \ln 2}{\pi}\, n\, 2^{\frac{n}{2}} \tag{9}$$

The support set of functions introduced in this class can, in fact, be defined for every $n$ as $\{\alpha^j, \alpha^{j+1}, \ldots, \alpha^{2^{(n-1)}+j-1}\}$ for a suitable $j$, while maintaining optimal algebraic immunity [10].

Z. Tu and Y. Deng used ideas from [9,15,16] to construct an infinite class of balanced Boolean functions (Construction 2 in [28]) that achieved maximal algebraic degree, optimal algebraic immunity and a higher non-linearity compared to the functions belonging to [9,32]. Their construction is explained in the subsequent paragraphs. Let $n = 2k$, $k \ge 1$ and $\alpha$ be a primitive element of $\mathbb{F}_2^k$. The Boolean function $g: \mathbb{F}_2^k \to \mathbb{F}_2$ is defined as

$$\mathrm{supp}(f) = \{1, \alpha, \alpha^2, \ldots, \alpha^{2^{(k-1)}-1}\} \tag{10}$$

Define the function $f(x,y)$ on $\mathbb{F}_2^k \times \mathbb{F}_2^k$ as follows

$$f = \begin{cases} g(xy^{2^k-2}), & \text{if } x \cdot y \ne 0 \\ 1, & \text{if } x = 0 \text{ and } y \in D_0 \\ 0, & \text{otherwise} \end{cases} \tag{11}$$

where $D_0 = \{\alpha^i \mid i = 2^{(k-1)} - 1, 2^{(k-1)}, \ldots, 2^k - 2\}$. The function $f(x,y)$ is balanced, has maximum possible algebraic degree, i.e. $2k - 1 = n - 1$, has optimal algebraic immunity $= \lceil k \rceil = \lceil n/2 \rceil$ and the non-linearity is lower bounded by

$$nl(f) \ge 2^{(2k-1)} - 2^{(k-1)} - 2^{\frac{k}{2}}\, k \ln 2 - 1 \tag{12}$$

The function $g(x,y)$ clearly belongs to Dillon's $PS_{ap}$ class of bent functions presented in [18], while the construction principle for the balanced function $f(x,y)$ has been adopted from Dobbertin's idea in [16], with slight modification. The functions belonging to this class were practically verified to have achieved non-linearity very close to the bent functions for number of variables $4 \le n \le 18$ (using MAGMA).

In [17], however, it was pointed out by C. Carlet that for every linear function $l \in \mathbb{F}_2^n$, the product $l \cdot f$ was equal to $l \cdot g(xy^{(2^k-2)})$. Since the degree of the bent function $g(xy^{(2^k-2)})$ is $k = \frac{n}{2}$, the degree of $l \cdot f$ was reduced to at the most $k + 1 = \frac{n}{2} + 1$. This reduction in degree falls in the category of next to weakest resistance against fast algebraic attacks [10], as explained in the previous section. Repair of these functions was also suggested in [10] by removing the affine components using affine hyperplanes. Resultantly, the lower bound for non-linearity of the functions was revised to

$$nl(f') = 2^{(2k-1)} - 2^k = 2^{(n-1)} - 2^{\frac{n}{2}} \tag{13}$$
where $f'$ is the repaired function. However, it was commented that the properties of repaired functions including algebraic degree and resistance to fast algebraic attacks were under investigation.

4. The two hybrid classes

We now present the two hybrid classes constructed using ideas in [9,28,15,16], so that the functions attain balanced-ness, maximal algebraic degree, optimal algebraic immunity, very high non-linearity and do not possess the weakness described in [10]. Our first construction is obtained by modification of Construction 2 in [28], that is itself based on the main idea presented in [16]. We construct a new class of functions in a manner that preserves other cryptographic properties of Construction 2 in [16], in addition to eliminating the weakness against algebraic and fast algebraic attacks. The proposed class utilizes functions belonging to the infinite class in [9] as the balanced component and results in a considerably larger total number of functions for each number of variables. Our second construction is novel as it differs from Dobbertin's main idea in [16] and Construction 2 of [28] significantly. This construction employs a function different from the one in [9] as the balanced component and results in an even larger total number of functions in comparison with our first construction.

Theorem 4.1 (Construction 1). Let $g$ and $h$ be two balanced Boolean functions $g, h: \mathbb{F}_2^k \to \mathbb{F}_2$ defined as

$$\mathrm{supp}(g) = \{1, \alpha, \alpha^2, \ldots, \alpha^{2^{(k-1)}-1}\} \tag{14}$$

$$\mathrm{supp}(h) = \{\alpha^j, \alpha^{j+1}, \ldots, \alpha^{2^{(k-1)}+j-1}\}, \text{ for } 1 \le j \le 2^{k-2} - 1 \tag{15}$$

where $\alpha$ is a primitive element of $\mathbb{F}_2^k$, $g$ has the same definition as in [28], while $h$ is a function belonging to the infinite class in [9]. Note that for $j = 0$, the function $h = g$, while for $j = 2^{(k-1)} - 1$, $h$ equals the conditions used to balance the construction in [28]. Now for $n = 2k \ge 4$, define the function $f_1(x,y): \mathbb{F}_2^k \times \mathbb{F}_2^k \to \mathbb{F}_2$ as

$$f_1(x,y) = \begin{cases} g(xy^{-1}), & \text{if } x \ne 0 \text{ and } y \ne 0 \\ h(x), & \text{otherwise} \end{cases} \tag{16}$$
then $f_1(x,y)$ is a balanced Boolean function with maximum possible algebraic degree $= 2k - 1 = n - 1$, optimal algebraic immunity $= \lceil k \rceil = \lceil n/2 \rceil$, and very high non-linearity.

The comparison of non-linearity with [9,28] is presented in Table 6.2. It has been practically verified for $4 \le n \le 12$ (using MAGMA) that this construction does not possess the weakness of the functions in [28] pointed out in [10]. Details of this analysis are discussed in Sections 5 and 6 and a comparison with functions in [28] has been presented in Table 6.4.

Theorem 4.2 (Construction 2). Let $g$ and $h$ be two balanced Boolean functions $g, h: \mathbb{F}_2^k \to \mathbb{F}_2$ defined as

$$\mathrm{supp}(g) = \{1, \alpha, \alpha^2, \ldots, \alpha^{2^{(k-1)}-1}\} \tag{17}$$

$$\mathrm{supp}(h) = \{0, \alpha^j, \alpha^{j+1}, \ldots, \alpha^{2^{(k-1)}+j-2}\}, \text{ for } 1 \le j \le 2^{k-1} \tag{18}$$

where $\alpha$ is a primitive element of $\mathbb{F}_2^k$. Again, $g$ has the same definition as in [28], however, $h$ does not belong to the infinite class in [9]. Now for $n = 2k \ge 4$, define the function $f_2(x,y): \mathbb{F}_2^k \times \mathbb{F}_2^k \to \mathbb{F}_2$ as

$$f_2(x,y) = \begin{cases} g(xy^{-1}), & \text{if } (x \ne 0 \text{ and } y \ne 0) \text{ and } (x \ne y) \\ 0, & \text{if } x \ne 0 \text{ and } y = 0 \\ h(x), & \text{otherwise} \end{cases} \tag{19}$$

then $f_2(x,y)$ is a balanced Boolean function with maximum possible algebraic degree $= 2k - 1 = n - 1$, optimal algebraic immunity $= \lceil k \rceil = \lceil n/2 \rceil$, and very high non-linearity.

Our Construction 1 is a modification of Construction 2 of [28] using the function $h$ belonging to the class in [9] as the balanced function. However, $f_2(x,y)$ in our Construction 2 differs from the normal bent function $g(xy^{-1})$ on more input vectors than the function proposed in [16,28] and even our Construction 1. Moreover, the function $h$ is also different from the infinite class in [9] and has much more flexibility in construction as compared to our Construction 1 due to the larger range for $j$. Therefore, our Construction 2 is a novel construction that is different from even the main idea presented by Dobbertin in [16]. These functions also do not possess the weakness pointed out in [10]. This has been practically verified for $4 \le n \le 12$ (using MAGMA). Table 6.2 highlights the comparison with [9,28] in terms of non-linearity of the functions, while Table 6.4 indicates the comparison with respect to the weakness [10].

5. Analysis of the Constructions 1 and 2

We shall now analyze the balanced-ness, non-linearity, algebraic degree, algebraic immunity and the resistance to algebraic and fast algebraic attacks of the functions in Constructions 1 and 2.

Proposition 5.1. The functions belonging to Constructions 1 and 2 are balanced.

Proof. Combining Theorem 5.4.3 and Theorem 6.2.10 (3) of [15], the Hamming weight of the function $g(xy^{-1})$ is $2^{(2k-1)} - 2^{(k-1)}$. Furthermore, $h(x)$ is a balanced Boolean function on $\mathbb{F}_2^k$ and therefore has weight $2^{(k-1)}$. Hence the weight of functions $f_1$ and $f_2$ is $\mathrm{wt}(f_1, f_2) = \mathrm{wt}(g(xy^{-1})) + \mathrm{wt}(h(x)) = 2^{(2k-1)} - 2^{(k-1)} + 2^{(k-1)} = 2^{(2k-1)} = 2^{(n-1)}$. Therefore, the functions are balanced. □

Proposition 5.2. The non-linearity of functions in Construction 1 and 2 satisfies

$$nl(f) \ge 2^{(2k-1)} - 2^{(k-1)} - 2^{\frac{k}{2}}\, k \ln 2 - 1 \tag{20}$$

Proof. It is obvious that the function $g(xy^{-1})$ is a normal bent function as per definition. Hence we first use Proposition 8 of [16] to show that $nl(f_1, f_2) = 2^{(n-1)} - 2^{\frac{n}{2}} + nl(h)$. In this proposition, it was established that

$$W_f(a,b) = \begin{cases} W_g(a,b) + W_h(a,b), & \text{if } a \ne 0 \\ 0, & \text{otherwise} \end{cases} \tag{21}$$

Moreover in Lemma 7 of [16], it has been established that the dual of any normal bent function is also normal. Using the fact that a normal bent function like $g(xy^{-1})$ on $\mathbb{F}_2^n$ that is constant on an affine sub-space $S$ of $\mathbb{F}_2^n$ with dimension $S = \frac{n}{2}$ is also constant on each proper coset of $S$ [16], we deduce that the function has $2^{\frac{n}{2}-1}$ values of $2^{\frac{n}{2}}$ and $2^{\frac{n}{2}-1}$ values of $-2^{\frac{n}{2}}$ in the Walsh spectrum. Hence for a fixed $x_0$, $W_g(x_0, y)$ is $\pm 2^{\frac{n}{2}}$ and the non-linearity of $f$ can be computed as

$$nl(f_1, f_2) = 2^{(n-1)} - \frac{1}{2}\left(2^{\frac{n}{2}} + \max_{a \in \mathbb{F}_2^k} |W_h(a)|\right) = 2^{(n-1)} - \frac{1}{2}\left(2^{\frac{n}{2}} + 2^{\frac{n}{2}} - 2 \cdot nl(h)\right) = 2^{(n-1)} - 2^{\frac{n}{2}} + nl(h) \tag{22}$$
In [28], the lower bound on non-linearity of their construction has been computed as

$$nl(f) \ge 2^{(2k-1)} - 2^{(k-1)} - 2^{\frac{k}{2}}\, k \ln 2 - 1$$

Since the function $g(xy^{-1})$ is the same as in Construction 2 of [28] and the support set of $h(x)$ also has the same dimension, the proof for non-linearity of functions in Proposition 5.4 of [28] remains valid and we do not repeat it here. It may be noted that the above inequality gives a lower bound on the non-linearities of the functions in Constructions 1 and 2, but the exact non-linearities can be precisely calculated using Eq. (22) once that of the function $h(x)$ is known.

Proposition 5.3. The algebraic degree of functions in Constructions 1 and 2 is

$$\deg(f_1, f_2) = 2k - 1 = n - 1 \tag{23}$$

Proof. Since we have ascertained that $g(xy^{-1})$ is a normal bent function, using Lemma 2 of [25], we get

$$\deg(f_1, f_2) = \deg(g(xy^{-1})) + \deg(h(x)) \tag{24}$$

From Remark 6.3.11 of [15] and using the fact that $PS_{ap}$ bent functions are a sub-class of the $PS^{(-)}$ class, we have $\deg(g(xy^{-1}))$ defined over $\mathbb{F}_2^k \times \mathbb{F}_2^k$ as $\deg(g(xy^{-1})) = k = \frac{n}{2}$. In [9], the degree of $h(x)$ defined over $\mathbb{F}_2^k$ has been proved to be $\deg(h(x)) = k - 1$. Hence, we have

$$\deg(f_1, f_2) = k + k - 1 = 2k - 1 = n - 1$$

Proposition 5.4. With the assumption that the Tu-Deng conjecture in [28] is correct, the algebraic immunity of functions in Construction 1 and 2 is optimal, i.e. $\lceil n/2 \rceil$.

Proof. Since there is no change in the support of the function $g(xy^{-1})$ defined in Construction 1 of [28] and the support set of $h(x)$ also has the same dimension, the proof of algebraic immunity in Proposition 5.1 of [28] also remains valid, so we do not reproduce it here. □

As mentioned earlier, the functions in the two proposed hybrid classes attain very high non-linearity values. In fact, they maintain close to bent function non-linearities as in [28]. A comparison with the infinite class in [9] and Construction 2 in [28] is presented in Table 6.2. Owing to the structure of the balanced function $h(x)$ used in our constructions (the range of $j$ in its support set), the total number of functions for each number of variables $n$ increases significantly. The same is highlighted in Table 6.3.

Most importantly, it has been practically verified for all linear functions $l \in B_n$ that the degree of $l \cdot f_1$ and $l \cdot f_2$ is at least $2k - 2 = n - 2$ for even values of $k$ and $2k - 1 = n - 1$ for odd values of $k$ for the range $4 \le n \le 12$. We conjecture it for all even $n > 12$ as well. Resultantly, there exists no non-zero function $g$ of degree $\le e$ and no function $h$ of degree at the most $d$ such that $f \cdot g = h$, when $(e, d) = (1, n-2)$ for odd $k$ and $(1, n-3)$ when $k$ is even. Comparison with [28] is presented in Table 6.4.
6. Implementation and results

All implementations were done in MAGMA, including construction of the two hybrid classes in Construction 1 and 2, computation of non-linearity and algebraic degree for $4 \le n \le 18$, and analysis of resistance to the weakness pointed out in [10] for $4 \le n \le 12$. The "boolfun" library of R-package was utilized to verify the results for algebraic immunity of constructed functions for $4 \le n \le 12$. Table 6.1 highlights a comparison between values of non-linearity of functions belonging to Construction 1 and 2 (in MAGMA) with the lower bound as per Proposition 5.2. Table 6.2 gives the comparison in terms of non-linearities of the functions in [9,28] with our hybrid classes. A count of the total number of functions possible in [28] and our constructions is depicted in Table 6.3. Finally, Table 6.4 demonstrates the results of the product of the functions belonging to our hybrid classes with the set of all linear functions $l \in B_n$ and compares it with the functions in [28].

Table 6.4
Comparison of degrees of $f \cdot l$ in Tu-Deng construction [28] and our classes.

| n | deg($f_{TuDeng}$) | deg($l \cdot f_{TuDeng}$) † | deg($f_1, f_2$) | deg($l \cdot f_1, f_2$) |
|---|---|---|---|---|
| 4 | 3 | ≤ 2 | 3 | ≥ 2 |
| 6 | 5 | ≤ 4 | 5 | ≥ 5 |
| 8 | 7 | ≤ 5 | 7 | ≥ 6 |
| 10 | 9 | ≤ 6 | 9 | ≥ 9 |
| 12 | 11 | ≤ 7 | 11 | ≥ 10 |

The column with † indicates values have been calculated as pointed out in [10].
7. Constructing resilient functions

The infinite classes of functions proposed in [9,16] and our Construction 1 and 2 are all 0-resilient and are suited for application in block ciphers. In the case of stream ciphers, on the other hand, constructions like non-linear combining, non-linear filtering and the alternating step generator require functions to be at least 1-resilient. However, an increase in resilience results in a reduction in at least one property out of non-linearity, algebraic degree and algebraic immunity of functions. Siegenthaler's inequality in [24] establishes that the upper bound on the algebraic degree of an $m$-resilient function of $n$ variables is $n - m - 1$. It implies that for a 1-resilient function, the maximum possible algebraic degree is $n - 2$, that is one less than the maximal degree achieved in our Constructions 1 and 2. It also implies that the maximum achievable order of resilience is $m = n - 2$, which means that the algebraic degree of this function would be 1 (linear function). Additionally, since Parseval's Identity (5) demands conservation of energy, an increase in the number of zero entries in the Walsh spectrum to improve resilience would result in a possible increase in the maximum absolute value. This would decrease the non-linearity of the function (6). The upper bounds for non-linearity of $m$-resilient functions ([22,26,31]) are

$$nl(f) \le \begin{cases} 2^{n-1} - 2^{m+1}, & \text{if } n/2 - 1 < m + 1 \\ 2^{n-1} - 2^{n/2-1} - 2^{m+1}, & \text{if } n \text{ even and } n/2 - 1 \ge m + 1 \\ 2^{n-1} - 2^{m+1} \lceil 2^{n/2-m-2} \rceil, & \text{if } n \text{ odd and } n/2 - 1 \ge m + 1 \end{cases}$$

The trade-off between resilience and achievable non-linearity is tabulated in [22]. It highlights the upper bound for non-linearity of $m$-resilient functions for $m \ge 1$ and clearly demonstrates a reduction in achievable non-linearity as compared to 0-resilient ones. Nevertheless, we propose a class of 1-resilient functions in $n$ variables over $\mathbb{F}_2^n$ by using ideas in [25,27] and modifying our Construction 2.

7.1. A hybrid class of 1-resilient functions

Theorem 7.1 (Construction 3). Let $g$ and $h$ be two balanced Boolean functions $g, h: \mathbb{F}_2^k \to \mathbb{F}_2$ defined as

$$\mathrm{supp}(g) = \{1, \alpha, \alpha^2, \ldots, \alpha^{2^{(k-1)}-1}\} \tag{25}$$

$$\mathrm{supp}(h) = \{0, \alpha^j, \alpha^{j+1}, \ldots, \alpha^{2^{(k-1)}+j-2}\}, \text{ for } 1 \le j \le 2^{k-1} \tag{26}$$

where $\alpha$ is a primitive element of $\mathbb{F}_2^k$. The function $g$ has the same definition as in [28] but the function $h$ does not belong to the infinite class in [9]. Now for $n = 2k \ge 4$, define the function $f_3(x,y): \mathbb{F}_2^k \times \mathbb{F}_2^k \to \mathbb{F}_2$ as

$$f_3(x,y) = \begin{cases} g(xy^{-1}), & \text{if } (x \ne 0 \text{ and } y \ne 0) \text{ and } (x \ne y) \\ h(x), & \text{if } x = y \ne 0 \\ h(x) \oplus 1, & \text{if } y = 0 \\ h(y) \oplus 1, & \text{if } x = 0 \end{cases} \tag{27}$$

then $f_3(x,y)$ is a 1-resilient Boolean function with high algebraic degree $= 2k - 2 = n - 2$, optimal algebraic immunity $= \lceil k \rceil = \lceil n/2 \rceil$, and very high non-linearity.

The proofs for balanced-ness and algebraic degree remain unchanged since the support set of $g$, $h$ and the construction of the normal bent function $g(xy^{-1})$ remain the same as in our Construction 2. We were not able to prove optimal algebraic immunity. However, we have verified it practically by implementation in MAGMA for $4 \le n \le 18$. We leave the proof of optimal algebraic immunity as an open problem. Hence, we now need to prove only 1-resilience of functions belonging to this construction.

Proposition 7.1. The functions belonging to Construction 3 are 1-resilient.

Proof. We note that for 1-resilience, $W_f(\lambda) = 0\ \forall\, \lambda$ such that $\mathrm{wt}(\lambda) \le 1$. Since the functions are balanced ($W_f(0) = 0$), we only need to investigate the cases when $\mathrm{wt}(\lambda) = 1$. We proceed in a similar manner as Theorem 6 in [25], adapting for changes in our construction. According to Construction 3, there are only two cases that cover $\mathrm{wt}(\lambda) = 1$: $a \ne 0, b = 0$ and $a = 0, b \ne 0$. Hence, we start with the following fact

$$\mathrm{Supp}(f_3(a,b)) = \begin{cases} \{\beta b, b\}, & \beta \in \mathrm{Supp}(g) \setminus \{1\},\ b \in \mathbb{F}_2^k \\ \{a, b\}, & a = b \in \mathrm{Supp}(h) \setminus \{0\} \\ \{a, 0\}, & a \in \mathrm{Supp}(h \oplus 1) \\ \{0, b\}, & b \in \mathrm{Supp}(h \oplus 1) \end{cases}$$

Now let us calculate the Walsh spectrum of $f_3(a,b)$

$$W_{f_3}(a,b) = \sum_{x,y \in \mathbb{F}_2^k} (-1)^{f_3(x,y)} (-1)^{tr(ax+by)} \tag{28}$$
We know that $(-1)^{f(x)} = 1 - 2f(x)$, therefore

$$W_{f_3}(a,b) = \sum_{x,y \in \mathbb{F}_2^k} (1 - 2f_3(x,y))(-1)^{tr(ax+by)} = \sum_{x,y \in \mathbb{F}_2^k} (-1)^{tr(ax+by)} - 2 \sum_{x,y \in \mathbb{F}_2^k} f_3(x,y)(-1)^{tr(ax+by)}$$

$$= \sum_{x,y \in \mathbb{F}_2^k} (-1)^{tr(ax+by)} - 2 \sum_{x,y \in \mathrm{Supp}(f_3(x,y))} (-1)^{tr(ax+by)}$$

Recall that

$$\sum_{x \in \mathbb{F}_2^k} (-1)^{tr(ax)} = \begin{cases} 2^k, & \text{if } a = 0 \\ 0, & \text{otherwise} \end{cases} \tag{29}$$

Therefore

$$W_{f_3}(a,b) = -2 \sum_{x,y \in \mathrm{Supp}(f_3(x,y))} (-1)^{tr(ax+by)}$$

$$= -2 \sum_{\beta \in \mathrm{Supp}(g) \setminus \{1\}} \sum_{y \in \mathbb{F}_2^k} (-1)^{tr(a\beta+b)y} - 2 \sum_{y \in \mathrm{Supp}(h(y)) \setminus \{0\}} (-1)^{tr(a+b)y} - 2 \sum_{x \in \mathrm{Supp}(h(x) \oplus 1)} (-1)^{tr(ax)} - 2 \sum_{y \in \mathrm{Supp}(h(y) \oplus 1)} (-1)^{tr(by)}$$

$$= -2 \sum_{\beta \in \mathrm{Supp}(g) \setminus \{1\}} \left[ \sum_{y \in \mathbb{F}_2^k} (-1)^{tr(a\beta+b)y} - 1 \right] - 2 \sum_{y \in \mathrm{Supp}(h(y)) \setminus \{0\}} (-1)^{tr(a+b)y} - 2 \sum_{x \in \mathrm{Supp}(h(x) \oplus 1)} (-1)^{tr(ax)} - 2 \sum_{y \in \mathrm{Supp}(h(y) \oplus 1)} (-1)^{tr(by)} \tag{30}$$

Now using $a \ne 0, b = 0$ in Eq. (30), we get

$$W_{f_3}(a,b) = -2 \sum_{\beta \in \mathrm{Supp}(g) \setminus \{1\}} \left[ \sum_{y \in \mathbb{F}_2^k} (-1)^{tr(a\beta y)} - 1 \right] - 2 \sum_{y \in \mathrm{Supp}(h(y)) \setminus \{0\}} (-1)^{tr(ay)} - 2 \sum_{x \in \mathrm{Supp}(h(x) \oplus 1)} (-1)^{tr(ax)} - 2 \sum_{y \in \mathrm{Supp}(h(y) \oplus 1)} (-1)^0$$

$$= -2 \sum_{\beta \in \mathrm{Supp}(g) \setminus \{1\}} \left[ \sum_{y \in \mathbb{F}_2^k} (-1)^{tr(a\beta y)} - 1 \right] - 2 \left[ \sum_{x \in \mathbb{F}_2^k} (-1)^{tr(ax)} - 1 \right] - 2 \sum_{y \in \mathrm{Supp}(h(y) \oplus 1)} (1)$$

Since $|\mathrm{Supp}(g(x))| = |\mathrm{Supp}(h(x))| = |\mathrm{Supp}(h(x) \oplus 1)| = 2^{k-1}$, using Eq. (29) we get

$$W_{f_3}(a,b) = -2 \sum_{\beta \in \mathrm{Supp}(g) \setminus \{1\}} [0 - 1] - 2[0 - 1] - 2 \sum_{y \in \mathrm{Supp}(h(y) \oplus 1)} (1) = 2(2^{k-1} - 1) + 2 - 2 \cdot 2^{k-1} = 0 \tag{31}$$

The case for $a = 0, b \ne 0$ is exactly the same as above with change of exponents only. Hence it is proved that functions belonging to Construction 3 are 1-resilient. □

Construction 3 was also implemented in MAGMA and results were obtained for $4 \le n \le 18$. The results were then compared with already proposed constructions that achieved optimum values of algebraic degree, algebraic immunity and high non-linearity of functions ([25,27]). In all cases, the maximum possible algebraic degree for a 1-resilient Boolean function, i.e. $n - 2$, is achieved. A comparison of the rest of the properties with constructions in [25,27] is presented in Table 7.1.

It is evident from the above comparison that our Construction 3 achieves the best results for 1-resilient functions having optimal algebraic immunity, together with [27]. The construction in [25] achieves better non-linearities for $n \ge 12$ but it does not guarantee optimal algebraic immunity. The construction in [27] and our Construction 3 achieve optimal algebraic immunity (practically verified in MAGMA). Moreover, the total number of functions in our class is much larger as compared to [27]. A comparison between the total number of functions for each $n$ is presented in Table 7.2.

Constructions in [27,25] do not investigate the resistance of functions to algebraic and fast algebraic attacks. We performed a similar analysis of our Construction 3 as for Construction 1 and 2 to test resistance to these attacks; results are depicted in Table 7.3, which clearly reflect that functions in this class offer good resistance to algebraic and fast algebraic attacks.
Table 7.1
Comparison of our Construction 3 with [27,25].

| n | nl($f_{[32]}$) | AI($f_{[32]}$) | nl($f_{[30]}$) Thm 9/10 | AI($f_{[30]}$) | nl($f_3$) | AI($f_3$) |
|---|---|---|---|---|---|---|
| 4 | 4 | 2 | 4 | 1* | 4 | 2 |
| 6 | 24 | 3 | 22/18 | 2* | 24 | 3 |
| 8 | 112 | 4 | 108/103 | 3* | 112 | 4 |
| 10 | 484 | 5 | 484/482 | 4* | 484 | 5 |
| 12 | 1996 | 6 | 1998/1994 | 5* | 1996 | 6 |
| 14 | 8100 | 7 | 8104/8106 | 6* | 8100 | 7 |
| 16 | 32,588 | 8 | 32,604/– | 7* | 32,588 | 8 |
| 18 | 130,760 | 9 | 130,768/130,778 | 8* | 130,760 | 9 |

The entries with * indicate that the functions have sub-optimal values of algebraic immunity, as indicated by the authors themselves in [25].

Table 7.2
Total number of functions in [27] and our Construction 3.

| n | No. of primitive elements ($\alpha$) | No. of functions in [27] | No. of functions in Construction 3 |
|---|---|---|---|
| 4 | 2 | 2 | 2 |
| 6 | 6 | 12 | 48 |
| 8 | 8 | 24 | 192 |
| 10 | 30 | 180 | 2880 |
| 12 | 36 | 324 | 10,368 |
| 14 | 126 | 2268 | 145,152 |
| 16 | 128 | 3840 | 491,520 |
| 18 | 432 | 23,760 | 6,082,560 |

Table 7.3
Degrees of $f \cdot l$ for our Construction 3.

| n | deg($f_3$) | deg($l \cdot f_3$) |
|---|---|---|
| 4 | 2 | 2 |
| 6 | 4 | 5 |
| 8 | 6 | 7 |
| 10 | 8 | 9 |
| 12 | 10 | 11 |
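The following added example (not the authors' MAGMA code) builds the truth tables of Constructions 1, 2 and 3 for small n = 2k and evaluates them with the Walsh transform of Eq. (4), the non-linearity of Eq. (6) and the resilience condition used in Proposition 7.1. The field moduli in `PRIMITIVE_POLY`, the polynomial-basis bit encoding of field elements and all function names are assumptions of this example.

```python
# Added example: Constructions 1-3 of this paper for small n = 2k.
# Assumed field moduli (primitive polynomials); alpha is the class of x.
PRIMITIVE_POLY = {2: 0b111, 3: 0b1011, 4: 0b10011}


def field_tables(k):
    """Return exp/log tables of the multiplicative group of the field with 2^k elements."""
    q, exp, log, v = 1 << k, [], {}, 1
    for i in range(q - 1):
        exp.append(v)
        log[v] = i
        v <<= 1
        if v & q:
            v ^= PRIMITIVE_POLY[k]
    return exp, log


def truth_table(k, j, construction):
    """Truth table of f1, f2 or f3, indexed by the integer (x << k) | y."""
    q, half = 1 << k, 1 << (k - 1)
    exp, log = field_tables(k)
    supp_g = {exp[i] for i in range(half)}                                # Eq. (14)
    if construction == 1:
        supp_h = {exp[(j + i) % (q - 1)] for i in range(half)}            # Eq. (15)
    else:
        supp_h = {0} | {exp[(j + i) % (q - 1)] for i in range(half - 1)}  # Eq. (18), (26)

    def g(x, y):                       # g(x * y^-1) for x, y != 0
        return int(exp[(log[x] - log[y]) % (q - 1)] in supp_g)

    def h(x):
        return int(x in supp_h)

    tt = []
    for x in range(q):
        for y in range(q):
            both = x != 0 and y != 0
            if construction == 1:                      # Eq. (16)
                bit = g(x, y) if both else h(x)
            elif both and x != y:                      # first case of Eq. (19), (27)
                bit = g(x, y)
            elif construction == 2:                    # remaining cases of Eq. (19)
                bit = 0 if (x != 0 and y == 0) else h(x)
            elif both:                                 # Eq. (27): x == y != 0
                bit = h(x)
            else:                                      # Eq. (27): y == 0 or x == 0
                bit = (h(x) if y == 0 else h(y)) ^ 1
            tt.append(bit)
    return tt


def walsh(tt):
    """Walsh spectrum of Eq. (4) via the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    step = 1
    while step < len(w):
        for i in range(0, len(w), 2 * step):
            for t in range(i, i + step):
                w[t], w[t + step] = w[t] + w[t + step], w[t] - w[t + step]
        step *= 2
    return w


def algebraic_degree(tt):
    """Degree of the ANF, obtained with the binary Moebius transform."""
    anf, step = list(tt), 1
    while step < len(anf):
        for i in range(0, len(anf), 2 * step):
            for t in range(i, i + step):
                anf[t + step] ^= anf[t]
        step *= 2
    return max((bin(m).count("1") for m, c in enumerate(anf) if c), default=0)


def resiliency_order(w):
    """Largest m with W_f(a) = 0 for every wt(a) <= m; -1 if f is unbalanced."""
    n, m = len(w).bit_length() - 1, -1
    for weight in range(n + 1):
        if any(w[a] for a in range(len(w)) if bin(a).count("1") == weight):
            break
        m = weight
    return m


def profile(k, j, construction):
    """Balanced-ness, non-linearity, degree and resilience of one function."""
    tt = truth_table(k, j, construction)
    w = walsh(tt)
    return {
        "n": 2 * k,
        "balanced": sum(tt) == len(tt) // 2,
        "nl": len(tt) // 2 - max(abs(c) for c in w) // 2,    # Eq. (6)
        "deg": algebraic_degree(tt),
        "resiliency": resiliency_order(w),
        "parseval": sum(c * c for c in w) == len(tt) ** 2,   # Eq. (5)
    }


if __name__ == "__main__":
    for k, j, c in [(2, 1, 2), (3, 1, 1), (3, 1, 2), (3, 1, 3), (4, 1, 1)]:
        print("Construction", c, "j =", j, profile(k, j, c))
```

The values returned by `profile` can be set beside Tables 6.1, 6.2 and 7.1 for the same n; algebraic immunity is not computed here.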
7.2. Obtaining m-resilient functions

As discussed earlier, increasing resilience of functions requires a trade-off with achievable algebraic degree, non-linearity and algebraic immunity. Having said that, certain applications, such as functions used as non-linear combining or non-linear filtering functions, do require a reasonable order of resilience in order to effectively resist correlation and fast correlation attacks. Given a $t$-resilient function, many methods of obtaining $m$-resilient functions for $m \ge (t+1)$ have been proposed based on composition of functions, iterative and recursive approaches. For example, constructions in [20,26,31] result in an increase in the order of resilience and number of variables, those in [8,22] obtain functions with the same order of resilience but a larger number of variables, while methods in [5,23] can be used to construct different functions with the same order of resilience and number of variables from known ones.

Using our Construction 3 as the base class, functions with higher order of resilience can be easily constructed using methods proposed in [26,31,20]. Another interesting implication is that although our hybrid class in Construction 3 is for even $n$ only, techniques in [5,8,20,22,23,26,31] can be used to increase the order of resilience as well as obtain functions for odd $n + 1$ variables. For instance, the construction in [26] can be used to obtain $m$-resilient functions in $n + 1$ variables and $(m+1)$-resilient functions in $n + 2$ variables using two $m$-resilient functions in $n$ variables as base functions. Similarly, two functions on $n_1$ and $n_2$ variables that are $m_1$- and $m_2$-resilient respectively can be used as base functions to construct an $(m_1 + m_2 + 1)$-resilient function in $n_1 + n_2$ variables using the construction in [31].
8. Conclusion

We have presented two hybrid classes of balanced Boolean functions for even n ≥ 4, derived from ideas in [9,15,16,28]. The functions obtained possess maximum possible algebraic degree, optimal algebraic immunity and very high values of non-linearity. While our Construction 1 is a modification of Construction 2 in [28], our Construction 2 is a new one that
significantly differs from classes proposed in [9,28,16]. Furthermore, in contrast to the functions in [28], functions belonging to our proposed classes are not weak against fast algebraic attacks. We have also proposed a class of 1-resilient functions with high algebraic degree, optimal algebraic immunity and high non-linearity using ideas in [25,27] and modifying our Construction 2. Functions in our Construction 3 can be utilized as base functions to obtain m-resilient functions for m ≥ 2 in number of variables ≥ n using methods proposed in [5,8,20,22,23,26,31]. In all three proposed classes, the total number of functions for each n is substantially larger than in existing constructions. We have practically implemented and verified the described cryptographic properties of all three classes for 4 ≤ n ≤ 18, while the removal of the weakness pointed out in [10] has been confirmed for 4 ≤ n ≤ 12. The implementations were done using MAGMA, while the verification of properties and calculation of algebraic immunity was performed using the "boolfun" library of R-package.

Acknowledgements

The authors would like to sincerely thank all the anonymous reviewers and editors for their useful suggestions, which improved the paper.

References

[1] F. Armknecht, Improving fast algebraic attacks, in: Fast Software Encryption 2004, LNCS, vol. 3017, Springer-Verlag, 2004, pp. 65–82.
[2] F. Armknecht, Algebraic attacks and annihilators, in: WEWoRC 2005, vol. P-74 of LNI, Gesellschaft für Informatik, 2005, pp. 13–21.
[3] F. Armknecht, G. Ars, Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity, in: Progress in Cryptology – Mycrypt 2005, LNCS, vol. 3715, Springer-Verlag, 2005, pp. 16–32.
[4] A. Braeken, B. Preneel, On the algebraic immunity of symmetric Boolean functions, in: S. Maitra, C.E. Veni Madhavan, R. Venkatesan (Eds.), INDOCRYPT 2005, LNCS, vol. 3797, Springer, Heidelberg, 2005, pp. 35–48.
[5] C. Carlet, Designing bent functions and resilient functions from known ones, without extending their number of variables, in: Proceedings of International Symposium on Information Theory (ISIT 2005), September 2005, pp. 1096–1100.
[6] C. Carlet, A method of construction of balanced functions with optimum algebraic immunity, IACR Cryptology ePrint Archive 2006: 149, 2006.
[7] C. Carlet, D.K. Dalai, K.C. Gupta, S. Maitra, Algebraic immunity for cryptographically significant Boolean functions: analysis and construction, IEEE Trans. Inform. Theory 52 (7) (2006) 3105–3121.
[8] C. Carlet, On bent and highly nonlinear balanced/resilient functions and their algebraic immunities, in: Proceedings of AAECC 16, LNCS 3857, 2006, pp. 1–28.
[9] C. Carlet, K. Feng, An Infinite Class of Balanced functions with Optimal Algebraic Immunity, Good Immunity to Fast Algebraic Attacks and Good Nonlinearity, ASIACRYPT 2008, 2008, pp. 425–440.
[10] C. Carlet, On a weakness of the Tu-Deng function and its repair, Cryptology ePrint Archive, Report 2009/606.
[11] N. Courtois, W. Meier, Algebraic attacks on stream ciphers with linear feedback, in: Advances in Cryptology – EUROCRYPT 2003, LNCS, vol. 2656, Springer-Verlag, 2003, pp. 345–359.
[12] N. Courtois, Fast algebraic attacks on stream ciphers with linear feedback, in: Advances in Cryptology – CRYPTO 2003, LNCS, vol. 2729, Springer-Verlag, 2003, pp. 176–194.
[13] D.K. Dalai, K.C. Gupta, S. Maitra, Cryptographically significant Boolean functions: construction and analysis in terms of algebraic immunity, in: H. Gilbert, H. Handschuh (Eds.), FSE 2005, LNCS, vol. 3557, Springer, Heidelberg, pp. 98–111.
[14] D.K. Dalai, S. Maitra, S. Sarkar, Basic theory in construction of Boolean functions with maximum possible annihilator immunity, Des. Codes Cryptogr. 40 (1) (2006) 41–58.
[15] J.F. Dillon, Elementary Hadamard Difference Sets, PhD thesis, University of Maryland, 1974.
[16] H. Dobbertin, Construction of bent functions and balanced boolean functions with high nonlinearity, Workshop on Fast Software Encryption, LNCS, vol. 1008, Springer-Verlag, 1995, pp. 61–74.
[17] N. Li, L. Qu, W. Qi, G. Feng, C. Li, D. Xie, On the construction of Boolean functions with optimal algebraic immunity, IEEE Trans. Inform. Theory 54 (2008) 1330–1334.
[18] W. Meier, E. Pasalic, C. Carlet, Algebraic attacks and decomposition of Boolean functions, in: G. Goos, J. Hartmanis, J. van Leeuwen (Eds.), Advances in Cryptology – EUROCRYPT 2004, LNCS, vol. 3027, Springer-Verlag, Berlin, 2004, pp. 474–491.
[19] S. Pan, X. Fu, W. Zhang, Construction of 1-resilient boolean functions with optimal algebraic immunity and good nonlinearity, J. Comput. Sci. Technol. 26 (2) (2011).
[20] E. Pasalic, S. Maitra, T. Johansson, P. Sarkar, New constructions of resilient and correlation immune Boolean functions achieving upper bound on nonlinearity, WCC2001, International Workshop on Coding and Cryptography, Electronic Notes in Discrete Mathematics, vol. 6, April 2001, pp. 158–167.
[21] S. Rønjom, T. Helleseth, A new attack on the filter generator, IEEE Trans. Inform. Theory 53 (5) (2007) 1752–1758.
[22] P. Sarkar, S. Maitra, Nonlinearity bounds and constructions of resilient boolean functions, in: Advances in Cryptology – CRYPTO 2000, Lecture Notes in Computer Science, vol. 1880, 2000, pp. 515–532.
[23] P. Sarkar, S. Maitra, Construction of nonlinear Boolean functions with important cryptographic properties, in: Advances in Cryptology – EUROCRYPT 2000, Lecture Notes in Computer Science (LNCS), vol. 1807, 2000, pp. 485–506.
[24] T. Siegenthaler, Correlation immunity of nonlinear combining functions for cryptographic applications, IEEE Trans. Inform. Theory IT-30 (5) (1984) 776–780.
[25] X. Tang, D. Tang, X. Zeng, L. Hu, Balanced Boolean functions with (almost) optimal algebraic immunity and very high nonlinearity, Cryptology ePrint Archive, Report 2010/443.
[26] Y.V. Tarannikov, On resilient Boolean functions with maximum possible nonlinearity, in: Proceedings of INDOCRYPT 2000, Lecture Notes in Computer Science 1977, 2000, pp. 19–30.
[27] Z. Tu, Y. Deng, A class of 1-resilient function with high nonlinearity and algebraic immunity, IACR Cryptology ePrint Archive 2010, 2010, p. 179.
[28] Z. Tu, Y. Deng, A conjecture about binary strings and its applications on constructing Boolean functions with optimal algebraic immunity, Des. Codes Cryptogr., 2010. http://dx.doi.org/10.1007/s10623-010-9413-9.
[29] Q. Wang, J. Peng, H. Kan, Constructions of cryptographically significant Boolean functions using primitive polynomials, IEEE Trans. Inform. Theory 56 (6) (2010).
[30] D. Yusong, P. Dingyi, Construction of Boolean functions with maximum algebraic immunity and count of their annihilators at lowest degree, Sci. China, Inform. Sci. 53 (4) (2010) 780–787.
[31] X.M. Zhang, Y. Zheng, Cryptographically resilient functions, IEEE Trans. Inform. Theory 43 (5) (1997).
[32] X. Zeng, C. Carlet, J. Shan, L. Hu, More balanced Boolean functions with optimal algebraic immunity and good nonlinearity and resistance to fast algebraic attacks, IEEE Trans. Inform. Theory 57 (9) (2011) 6310–6320.