The Journal of China Universities of Posts and Telecommunications June 2013, 20(3): 73–77 www.sciencedirect.com/science/journal/10058885
http://jcupt.xsw.bupt.cn
On the construction of odd-variable Boolean functions with optimal algebraic immunity
ZHANG Jie (1, 2) (*), WEN Qiao-yan (2)
1. School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract: Algebraic immunity is an important cryptographic property of Boolean functions. In this paper, odd-variable balanced Boolean functions with optimal algebraic immunity are obtained from m-sequences and, consequently, we get bases of a vector space with special constructions. Furthermore, through swapping some vectors of these two bases, we establish all kinds of odd-variable balanced Boolean functions with optimal algebraic immunity.

Keywords: algebraic immunity, Boolean functions, algebraic attacks, annihilators

1 Introduction
Boolean functions play important roles in cryptographic systems, not only in stream ciphers but also in block ciphers, and the security of these systems mainly depends on the cryptographic properties of the Boolean functions used. So it is necessary and of great significance to efficiently construct Boolean functions with the best possible cryptographic characteristics. As is well known, there are different design criteria for Boolean functions corresponding to certain kinds of attacks, such as high algebraic degree to withstand Berlekamp-Massey attacks, balancedness to prevent the system from leaking statistical information on the plaintext when the ciphertext is known, high nonlinearity to counter linear attacks, and high order of correlation immunity to resist correlation attacks. The introduction of the powerful algebraic attacks, proposed by Courtois [1–2] and Armknecht [3] in 2003, imposed a new design criterion: algebraic immunity [4]. The main idea of an algebraic attack, recovering the secret key by solving an overdefined system of multivariate algebraic equations, can be traced back to Shannon's classical work on the mathematical theory of secret communication. With the presentation of effective algorithms for solving an overdefined system of multivariate algebraic equations, such as the XL algorithm and other algorithms based on Gröbner bases, algebraic attacks did successfully cryptanalyze some well-known stream ciphers (like Toyocrypt and LILI-128). Under these circumstances, Meier, Pasalic and Carlet [4] proposed the new concept of algebraic immunity (AI for short) and showed that Boolean functions should have high AI to resist algebraic attacks. It is known that the algebraic immunity of any n-variable Boolean function is upper bounded by $\lceil n/2\rceil$ [1,4], and the functions achieving this bound are called Boolean functions with optimal algebraic immunity. In this case, it is necessary and pressing to construct Boolean functions with high AI and other good properties, and this problem has received much attention [5–26]. In contrast to other cryptographic properties, such as correlation immunity, nonlinearity and algebraic degree, there is still a lot of work on algebraic immunity to do. In this paper, we give a construction of Boolean functions with optimal algebraic immunity from m-sequences. Furthermore, through the method of Ref. [16], we can get all kinds of odd-variable Boolean functions with optimal algebraic immunity.

Received date: 29-10-2012
Corresponding author: ZHANG Jie, E-mail: [email protected]
DOI: 10.1016/S1005-8885(13)60052-7
The paper is organized as follows. Sect. 2 recalls the basic concepts, notations and properties. Sect. 3 proposes a construction of odd-variable Boolean functions with optimal algebraic immunity; furthermore, all kinds of odd-variable balanced Boolean functions with optimal algebraic immunity are obtained. The conclusion is given in Sect. 4.
2 Preliminaries

2.1 Boolean functions

In this paper, we denote the set of all n-tuples of elements in the finite field $F_2=\{0,1\}$ by $F_2^n$. Then an n-variable Boolean function is defined as a mapping from $F_2^n$ to $F_2$. The set of all n-variable Boolean functions is denoted by $B_n$. For convenience, we denote addition modulo 2 by the symbol '+', and abbreviate $f(x_1,x_2,\ldots,x_n)$ as $f$ if there is no confusion. Any $f\in B_n$ can be uniquely represented as a multivariate polynomial in $F_2[x_1,x_2,\ldots,x_n]/(x_1^2+x_1,\ldots,x_n^2+x_n)$:
$$f(x_1,x_2,\ldots,x_n)=a_0+a_1x_1+\cdots+a_nx_n+a_{12}x_1x_2+\cdots+a_{1n}x_1x_n+\cdots+a_{1,2,\ldots,n}x_1x_2\cdots x_n,\quad a_i\in F_2,$$
which is called the algebraic normal form (ANF). The algebraic degree of f, denoted by $\deg(f)$, is the number of variables in the highest order term with nonzero coefficient. The linear space $F_2^n$ is isomorphic to the finite field $F_{2^n}$, so every Boolean function $f\in B_n$ can also be uniquely represented as a univariate polynomial in $F_{2^n}[x]$:
$$f(x)=\sum_{i=0}^{2^n-1}a_ix^i,$$
where $a_0,a_{2^n-1}\in F_2$ and $a_{2i}=(a_i)^2\in F_{2^n}$, $1\le i\le 2^n-2$.

Any n-variable Boolean function can be represented as a $2^n$-length binary vector, which is called its truth table:
$$f=(f(0,0,\ldots,0),f(1,0,\ldots,0),\ldots,f(1,1,\ldots,1)).$$
The number of 1's in the truth table is called the Hamming weight of f, denoted by $\mathrm{wt}(f)$. We say f is balanced if its truth table has an equal number of 1's and 0's, i.e. $\mathrm{wt}(f)=2^{n-1}$. The set of $\alpha\in F_2^n$ for which $f(\alpha)=1$ (respectively, $f(\alpha)=0$) is called the onset (respectively, offset) of f, denoted by $1_f$ (respectively, $0_f$). Obviously, $|1_f|=\mathrm{wt}(f)$, while $|0_f|=2^n-\mathrm{wt}(f)$.

Let $f\in B_n$, $1_f=\{\alpha_0,\ldots,\alpha_{\mathrm{wt}(f)-1}\}$ and $0_f=\{\alpha_{\mathrm{wt}(f)},\ldots,\alpha_{2^n-1}\}$. For $x=(x_0,x_1,\ldots,x_{n-1})\in F_2^n$, let
$$v(x)=(1,x_0,\ldots,x_{n-1},x_0x_1,\ldots,x_{n-2}x_{n-1},\ldots,x_0x_1\cdots x_{\lceil n/2\rceil-2},\ldots,x_{\lfloor n/2\rfloor+1}\cdots x_{n-1}),$$
that is, the vector consisting of all monomials of degree at most $\lceil n/2\rceil-1$ in the variables $x_0,x_1,\ldots,x_{n-1}$, in which the partial degree in each variable is at most 1. Denote by $S_1(f)$ (respectively, $S_0(f)$) the vector set $\{v(\alpha_0),\ldots,v(\alpha_{\mathrm{wt}(f)-1})\}$ (respectively, $\{v(\alpha_{\mathrm{wt}(f)}),\ldots,v(\alpha_{2^n-1})\}$).

It is known that a Boolean function should be of high algebraic degree to be cryptographically secure [13]. Further, it has been identified recently that it should not have a low degree multiple [2,6].

Definition 1 Given $f\in B_n$, any function of the set $\mathrm{Ann}(f)=\{g\in B_n\mid gf=0\}$ is called an annihilator of f. The minimum degree of all nonzero annihilators of f or $f+1$ is called the algebraic immunity of f, denoted by $\mathrm{AI}(f)$. That is,
$$\mathrm{AI}(f)=\min\{\deg g\mid g\ne 0,\ g\in\mathrm{Ann}(f)\cup\mathrm{Ann}(f+1)\}.$$
It is shown that $\mathrm{AI}(f)\le\lceil n/2\rceil$ for all $f\in B_n$ [1,4]. If $\mathrm{AI}(f)=\lceil n/2\rceil$, we say f has optimal algebraic immunity.

A method to construct n-variable Boolean functions with optimal algebraic immunity is to require that both $S_1(f)$ and $S_0(f)$ are generating sets of the vector space of dimension $\sum_{i=0}^{\lceil n/2\rceil-1}C_n^i$. We summarize it as the following theorem.

Theorem 1 [13,16] Let $f\in B_n$. Then f achieves optimal algebraic immunity if and only if both $S_1(f)$ and $S_0(f)$ are generating sets of the $\sum_{i=0}^{\lceil n/2\rceil-1}C_n^i$-dimensional vector space $F_2^{\sum_{i=0}^{\lceil n/2\rceil-1}C_n^i}$. Moreover, if n is odd, then f achieves optimal algebraic immunity if and only if f is balanced and $S_1(f)$ is a basis of $F_2^{2^{n-1}}$.
2.2 m-sequences

Linear feedback shift registers (LFSRs) are used in many of the key stream generators that have been proposed in the literature. An r-stage shift register is a circuit consisting of r consecutive 2-state storage units (flip-flops) regulated by a single clock. At each clock pulse, the state (0 or 1) of each storage unit is shifted to the next stage in line.

Definition 2 A binary sequence generated by an r-stage LFSR is called an m-sequence (or maximal length sequence) if it has period $2^r-1$; r is its order.

Let $a=(a(0),a(1),\ldots)$ and $b=(b(0),b(1),\ldots)$ be two sequences. Then
$$a+b=(a(0)+b(0),a(1)+b(1),\ldots),\qquad ab=(a(0)b(0),a(1)b(1),\ldots).$$
The k-th phase shift of the sequence a is denoted by $L^ka=(a(k),a(k+1),\ldots)$, where $k\ge 0$. If a is an m-sequence, then in every period of a each nonzero r-tuple $(l_0,l_1,\ldots,l_{r-1})\in F_2^r$ occurs exactly once. So the set of r-dimensional vectors
$$\{(a(i),(La)(i),\ldots,(L^{r-1}a)(i))\mid 0\le i<2^r-1\}$$
is $F_2^r\setminus\{(0,0,\ldots,0)\}$. For any binary m-sequence a of order r, let
$$W_a=\{(L^{i_1}a)(L^{i_2}a)\cdots(L^{i_k}a)\mid 1\le k\le r,\ 0\le i_1<i_2<\cdots<i_k\le r-1\}.$$
In other words, $W_a$ consists of the r phase shifts $a,La,\ldots,L^{r-1}a$ of the sequence a and all product sequences of them. The following theorem is given in Ref. [27].

Theorem 2 [27] Let a be a binary m-sequence of order r. Then the sequences in $W_a$ are linearly independent. Moreover, they form a basis for the vector space of sequences with period $2^r-1$.
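The following Python script is an added example and is not code from the paper or its authors. It implements the sequence operations of this subsection (phase shift, termwise sum and product), checks Theorem 2 by computing the rank of $W_a$ over $F_2$, and then carries the same machinery through the construction of Sect. 3: it forms $s_{2t}=\sigma_{t+1}+\cdots+\sigma_{2t}$, the set $Q_s$ of Theorem 3 and the onset $1_f$ of Theorem 4, and computes $\mathrm{AI}(f)$ directly from Definition 1 by testing, degree by degree, whether $f$ or $f+1$ has a nonzero annihilator. The feedback polynomials $x^2+x+1$ and $x^4+x+1$ (both primitive over $F_2$), the LFSR initial state and all function names are our own choices and do not come from the paper.

```python
# Added example, not code from the paper or its authors. It implements the
# sequence operations of Sect. 2.2, checks Theorem 2 by a rank computation
# over F_2, builds s_{2t}, Q_s and the onset 1_f of Sect. 3, and computes
# AI(f) directly from Definition 1. The feedback polynomials, the LFSR
# initial state and all names are our own choices.
from itertools import combinations, product

def m_sequence(r, taps):
    """One period (2^r - 1 bits) of a(i+r) = sum_{j in taps} a(i+j) mod 2, started
    from the constructed state (1, 0, ..., 0). The feedback polynomial
    x^r + sum_{j in taps} x^j must be primitive for this to be an m-sequence."""
    period = 2 ** r - 1
    a = [1] + [0] * (r - 1)
    for i in range(period - r):
        a.append(sum(a[i + j] for j in taps) % 2)
    return a

def is_m_sequence(a, r):
    """Definition 2: every nonzero r-tuple (a(i), ..., a(i+r-1)) occurs once per period."""
    period = len(a)
    windows = {tuple(a[(i + j) % period] for j in range(r)) for i in range(period)}
    return period == 2 ** r - 1 and len(windows) == period and (0,) * r not in windows

def shift(a, k):
    """The k-th phase shift L^k a of a periodic sequence."""
    return [a[(i + k) % len(a)] for i in range(len(a))]

def seq_product(seqs, length):
    """Termwise product of sequences (ab in Sect. 2.2); the empty product is all ones."""
    out = [1] * length
    for s in seqs:
        out = [x & y for x, y in zip(out, s)]
    return out

def seq_sum(seqs, length):
    """Termwise sum over F_2 of sequences (a + b in Sect. 2.2)."""
    out = [0] * length
    for s in seqs:
        out = [x ^ y for x, y in zip(out, s)]
    return out

def products_of(seqs, ks, length):
    """All products of k distinct members of seqs, for every k in ks."""
    return [seq_product([seqs[i] for i in idx], length)
            for k in ks for idx in combinations(range(len(seqs)), k)]

def gf2_rank(rows):
    """Rank over F_2 of the matrix whose rows are the given 0/1 lists."""
    masks = [m for m in (sum(b << i for i, b in enumerate(row)) for row in rows) if m]
    rank = 0
    while masks:
        pivot = masks.pop()
        rank += 1
        low = pivot & -pivot                  # lowest set bit of the pivot row
        masks = [m ^ pivot if m & low else m for m in masks]
        masks = [m for m in masks if m]       # drop rows eliminated to zero
    return rank

def theorem2_holds(r, taps):
    """W_a (the r phase shifts of a and all their products) has rank 2^r - 1."""
    a = m_sequence(r, taps)
    w = products_of([shift(a, i) for i in range(r)], range(1, r + 1), len(a))
    return is_m_sequence(a, r) and len(w) == 2 ** r - 1 and gf2_rank(w) == len(w)

def construct(t, taps):
    """Sect. 3 with n = 2t + 1: returns [s_0, ..., s_{2t}] and the onset 1_f."""
    n, r = 2 * t + 1, 2 * t
    s = m_sequence(r, taps)
    if not is_m_sequence(s, r):
        raise ValueError("feedback polynomial is not primitive")
    period = len(s)
    seqs = [shift(s, j) for j in range(r)]                   # s_0, ..., s_{2t-1}
    # s_{2t} = sigma_{t+1} + ... + sigma_{2t}: sum of all products of >= t+1 of them
    seqs.append(seq_sum(products_of(seqs, range(t + 1, r + 1), period), period))
    onset = [(0,) * n] + [tuple(seqs[i][j] for i in range(n)) for j in range(period)]
    return seqs, onset

def has_annihilator(points, n, d):
    """True iff some nonzero g in B_n with deg g <= d vanishes on all points, i.e. the
    matrix of monomials of degree <= d evaluated at the points has a nontrivial kernel."""
    monos = [c for k in range(d + 1) for c in combinations(range(n), k)]
    rows = [[int(all(x[i] for i in m)) for m in monos] for x in points]
    return gf2_rank(rows) < len(monos)

def algebraic_immunity(onset, n):
    """Definition 1: least degree of a nonzero annihilator of f or of f + 1."""
    on = set(onset)
    offset = [x for x in product((0, 1), repeat=n) if x not in on]
    return next(d for d in range(n + 1)
                if has_annihilator(onset, n, d) or has_annihilator(offset, n, d))

def check_construction(t, taps):
    """Balancedness, Theorem 3 (rank of Q_s) and AI(f) for the constructed f."""
    seqs, onset = construct(t, taps)
    n = 2 * t + 1
    q = products_of(seqs, range(1, t + 1), len(seqs[0]))     # Q_s
    return {"n": n, "balanced": len(set(onset)) == 2 ** (n - 1),
            "Qs_size": len(q), "Qs_rank": gf2_rank(q),
            "AI": algebraic_immunity(onset, n)}

if __name__ == "__main__":
    print(theorem2_holds(4, (0, 1)))       # x^4 + x + 1: True
    print(check_construction(2, (0, 1)))   # n = 5: balanced, Qs_rank 15, AI 3
```

For $t=2$ ($n=5$) the script reports a balanced function, $|Q_s|=\operatorname{rank}(Q_s)=15=2^{n-1}-1$ and $\mathrm{AI}(f)=3=\lceil 5/2\rceil$. The annihilator test enumerates all monomials of degree at most $d$ and is exponential in $n$, so it is a check for small parameters rather than a replacement for Theorem 1; the point of the paper is precisely that the rank condition on $S_1(f)$ certifies optimal AI without that enumeration.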
3 Construction of Boolean functions with optimal algebraic immunity

Let $n=2t+1$ and let s be an m-sequence of order $2t=n-1$, i.e. the period of s is $2^{2t}-1=2^{n-1}-1$. For convenience, we denote $s_j=L^js$. Then the set $W_s$ can be described as follows:
$$W_s=\{(L^{i_1}s)(L^{i_2}s)\cdots(L^{i_k}s)\mid 1\le k\le 2t,\ 0\le i_1<i_2<\cdots<i_k\le 2t-1\}$$
$$=\{\underbrace{s_0,s_1,\ldots,s_{2t-1}}_{2t\text{ sequences}},\ \underbrace{s_0s_1,\ldots,s_{2t-2}s_{2t-1}}_{\text{products of any 2 sequences}},\ \ldots,\ \underbrace{s_0s_1\cdots s_{2t-1}}_{\text{product of all }2t\text{ sequences}}\}.$$
Obviously, $|W_s|=C_{2t}^1+C_{2t}^2+\cdots+C_{2t}^{2t}=2^{2t}-1$. Let
$$s_{2t}=\sum_{t+1\le j\le 2t}\ \sum_{0\le i_1<i_2<\cdots<i_j\le 2t-1}s_{i_1}s_{i_2}\cdots s_{i_j}.$$
To describe this clearly, we imitate the notation of symmetric Boolean functions. Denote
$$\sigma_k=\sum_{0\le i_1<i_2<\cdots<i_k\le 2t-1}s_{i_1}s_{i_2}\cdots s_{i_k}.$$
Then $s_{2t}=\sigma_{t+1}+\sigma_{t+2}+\cdots+\sigma_{2t}$. Construct
$$Q_s=\{s_{i_1}s_{i_2}\cdots s_{i_k}\mid 1\le k\le t,\ 0\le i_1<i_2<\cdots<i_k\le 2t\}$$
$$=\{\underbrace{s_0,s_1,\ldots,s_{2t}}_{2t+1\text{ sequences}},\ \underbrace{s_0s_1,\ldots,s_{2t-1}s_{2t}}_{\text{products of any 2 sequences}},\ \ldots,\ \underbrace{s_0s_1\cdots s_{t-1},\ldots,s_{t+1}s_{t+2}\cdots s_{2t}}_{\text{products of any }t\text{ sequences}}\}.$$
That is, $Q_s$ consists of $s_0,\ldots,s_{2t-1},s_{2t}$ and the product sequences of any l of them, where $1\le l\le t$. Similarly, the cardinality of $Q_s$ is $|Q_s|=C_{2t+1}^1+C_{2t+1}^2+\cdots+C_{2t+1}^t=2^{2t}-1$, that is, $|Q_s|=|W_s|$. Then we have:

Theorem 3 The sequences in $Q_s$ are linearly independent. Moreover, they form a basis for the vector space of sequences with period $2^{2t}-1=2^{n-1}-1$.

Proof The sequences of $Q_s$ which do not contain the factor $s_{2t}$ are linearly independent according to Theorem 2. Next, we prove that the others, which contain the factor $s_{2t}$, are linearly independent too. In fact, we ignore $s_{2t}$ itself at the beginning. We sort the others by the number of their factor sequences in increasing order, then by lexicographical order if the numbers of their factor sequences are equal. We denote this ordered set by $Q_s^1$ (note: $s_{2t}\notin Q_s^1$). Then $Q_s^1=Q_s^2Q_s^3$, where
$$Q_s^2=(s_0,\ldots,s_{2t-1},\ s_0s_1,\ldots,\ s_0s_1\cdots s_{t-1},\ldots,s_ts_{t+1}\cdots s_{2t-1}),\qquad Q_s^3=\begin{pmatrix}s_{2t}&&&\\&s_{2t}&&\\&&\ddots&\\&&&s_{2t}\end{pmatrix}.$$
The sequences of $Q_s^2$ are linearly independent according to Theorem 2, so those of $Q_s^1$ are too by the above equations. Then we consider $s_{2t}$. We claim that the sequences in $\{s_{2t}\}\cup Q_s^1$ are linearly independent; if not, by the construction of $s_{2t}$ there is a contradiction to Theorem 2. Then we take each sequence of $Q_s^1$ into $Q_s\setminus Q_s^1$. Recalling the multiplication on $F_2$, we have $s_is_i=s_i$. We can deduce that each sequence cannot be expressed as a combination of the sequences in front of it. So they are linearly independent. Moreover, they form a basis for the vector space of sequences with period $2^{2t}-1=2^{n-1}-1$.

Theorem 4 For any integer t and $n=2t+1$, we can construct an n-variable balanced Boolean function with optimal algebraic immunity.

Proof The notations are used as above. Let s be an m-sequence with period $2^{2t}-1$. Then we can obtain n linearly independent sequences $s_0,s_1,\ldots,s_{2t}$. Construct the n-variable Boolean function f as follows:
$$1_f=\{(0,0,\ldots,0)\}\cup\{(a_j^{(0)},a_j^{(1)},\ldots,a_j^{(n-1)})\mid a_j^{(i)}=s_i(j),\ 0\le i\le n-1,\ 0\le j\le 2^{n-1}-2\}=\left\{\begin{matrix}0&0&\cdots&0\\ s_0&s_1&\cdots&s_{2t}\end{matrix}\right\},$$
that is, the onset consists of the zero vector together with the $2^{n-1}-1$ vectors $(s_0(j),s_1(j),\ldots,s_{2t}(j))$. We have $|1_f|=1+(2^{2t}-1)=2^{n-1}$. Thus f is balanced. By simple calculations, we obtain
$$S_1(f)=\begin{pmatrix}1&0\\ 1&Q_s\end{pmatrix},$$
and all column vectors in $S_1(f)$ are linearly independent by Theorem 3. So they are a basis of $F_2^{2^{n-1}}$. Therefore f has optimal algebraic immunity by Theorem 1.

Ref. [16] gave a method of swapping vectors to obtain a different basis of a linear space. Through this method, all kinds of odd-variable balanced Boolean functions with optimal algebraic immunity can be obtained using our construction.

4 Conclusions

Algebraic immunity is one of the important cryptographic properties of Boolean functions. In this paper, we show a construction of odd-variable balanced Boolean functions with optimal algebraic immunity. Furthermore, through swapping some vectors of two bases of a linear space, we can obtain all kinds of odd-variable balanced Boolean functions with optimal algebraic immunity. There are some difficulties in constructing even-variable Boolean functions by our method, which we are trying to overcome. It is worth noting that there is still a lot of work to do on the properties of Boolean functions with optimal algebraic immunity, such as nonlinearity and correlation immunity. Studying these properties will be one subject of our future work.

Acknowledgements

This work was supported by the National Natural Science Foundation of China (61102093, 61170270, 61121061) and the Fundamental Research Funds for the Central Universities (BUPT 2012RC0710).

References

1. Armknecht F. Improving fast algebraic attacks. Proceedings of the 11th International Workshop on Fast Software Encryption (FSE'04), Feb 5-7, 2004, Delhi, India. LNCS 3017. Berlin, Germany: Springer-Verlag, 2004: 65-82
2. Courtois N, Meier W. Algebraic attacks on stream ciphers with linear feedback. Advances in Cryptology: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'03), May 4-8, 2003, Warsaw, Poland. LNCS 2656. Berlin, Germany: Springer-Verlag, 2003: 345-359
3. Armknecht F, Krause M. Algebraic attacks on combiners with memory. Advances in Cryptology: Proceedings of the 23rd Annual International Cryptology Conference (Crypto'03), Aug 17-21, 2003, Santa Barbara, CA, USA. LNCS 2729. Berlin, Germany: Springer-Verlag, 2003: 162-176
4. Batten L M. Algebraic attacks over GF(q). Progress in Cryptology: Proceedings of the 5th International Conference on Cryptology in India (INDOCRYPT'04), Dec 20-22, 2004, Chennai, India. LNCS 3348. Berlin, Germany: Springer-Verlag, 2004: 84-91
5. Courtois N. Fast algebraic attacks on stream ciphers with linear feedback. Advances in Cryptology: Proceedings of the 23rd Annual International Cryptology Conference (Crypto'03), Aug 17-21, 2003, Santa Barbara, CA, USA. LNCS 2729. Berlin, Germany: Springer-Verlag, 2003: 176-194
6. Meier W, Pasalic E, Carlet C. Algebraic attacks and decomposition of Boolean functions. Advances in Cryptology: Proceedings of the 23rd International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'04), May 2-6, 2004, Interlaken, Switzerland. LNCS 3027. Berlin, Germany: Springer-Verlag, 2004: 474-491
7. Courtois N, Pieprzyk J. Cryptanalysis of block ciphers with overdefined systems of equations. Advances in Cryptology: Proceedings of the 8th International Conference on the Theory and Applications of Cryptology and Information Security (Asiacrypt'02), Dec 1-5, 2002, Queenstown, New Zealand. LNCS 2501. Berlin, Germany: Springer-Verlag, 2002: 267-287
8. Dalai D K, Maitra S, Sarkar S. Basic theory in construction of Boolean functions with maximum possible annihilator immunity. Designs, Codes and Cryptography, 2006, 40(1): 41-58
9. Li N, Qi W F. Symmetric Boolean functions depending on an odd number of variables with maximum algebraic immunity. IEEE Transactions on Information Theory, 2006, 52(5): 2271-2273
10. Qu L J, Li C, Feng K Q. A note on symmetric Boolean functions with maximum algebraic immunity in odd number of variables. IEEE Transactions on Information Theory, 2007, 53(8): 2908-2910
11. Qu L J, Li C. On the 2m-variable symmetric Boolean functions with maximum algebraic immunity. Science in China Series F: Information Sciences, 2008, 51(2): 120-127
12. Qu L J, Feng K Q, Liu F, et al. Constructing symmetric Boolean functions with maximum algebraic immunity. IEEE Transactions on Information Theory, 2009, 55(5): 2406-2412
13. Carlet C. A method of construction of balanced Boolean functions with optimum algebraic immunity. Designs, Codes and Cryptography, 2009, 52(3): 303-338
14. Carlet C, Zeng X Y, Li C L, et al. Further properties of several classes of Boolean functions with optimum algebraic immunity. Designs, Codes and Cryptography, 2009, 52(3): 303-338
15. Fu S J, Li C, Matsuura K, et al. Construction of rotation symmetric Boolean functions with maximum algebraic immunity. Cryptology and Network Security: Proceedings of the 8th International Conference on Cryptology and Network Security (CANS'09), Dec 12-14, 2009, Kanazawa, Japan. LNCS 5888. Berlin, Germany: Springer-Verlag, 2009: 402-412
16. Li N, Qu L J, Qi W F, et al. On the construction of Boolean functions with optimal algebraic immunity. IEEE Transactions on Information Theory, 2008, 54(3): 1330-1334
17. Sarkar S, Maitra S. Construction of rotation symmetric Boolean functions with maximum algebraic immunity on odd number of variables. Proceedings of the 17th Applied Algebra, Algebraic Algorithms, and Error Correcting Codes Symposium (AAECC'07), Dec 16-20, 2007, Bangalore, India. LNCS 4851. Berlin, Germany: Springer-Verlag, 2007: 271-280
18. Li C L, Zeng X Y, Su W, et al. A class of rotation symmetric Boolean functions with optimum algebraic immunity. Wuhan University Journal of Natural Science, 2008, 13(6): 702-706
19. Liu M C, Pei D Y, Du Y S. Identification and construction of Boolean functions with maximum algebraic immunity. Science in China Series F: Information Sciences, 2010, 53(7): 1379-1396
20. Tu Z R, Deng Y P. A conjecture on binary string and its applications on constructing Boolean functions of optimum algebraic immunity. Designs, Codes and Cryptography, 2011, 60(1): 1-14
21. Armknecht F, Krause M. Constructing single- and multi-output Boolean functions with maximal algebraic immunity. Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (ICALP'06), Jul 9-16, 2006, Venice, Italy. LNCS 4052. Berlin, Germany: Springer-Verlag, 2006: 180-191
22. Feng K Q, Liao Q Y, Yang J. Maximal values of generalized algebraic immunity. Designs, Codes and Cryptography, 2009, 50(2): 243-252
23. Ars G, Faugere J C. Algebraic immunity of functions over finite fields. Proceedings of the 1st International Workshop on Boolean Functions: Cryptography and Applications (BFCA'05), Mar 7-8, 2005, Rouen, France. Berlin, Germany: Springer-Verlag, 2005: 21-38
24. Assmus E F, Key J D Jr. Designs and their codes. New York, NY, USA: Cambridge University Press, 1992
25. Wang Q C, Peng J, Kan H B, et al. Constructions of cryptographically significant Boolean functions using primitive polynomials. IEEE Transactions on Information Theory, 2010, 56(6): 3048-3053
26. Zhang J, Song S C, Du J, et al. On the construction of multi-output Boolean functions with optimal algebraic immunity. Science in China Series F: Information Sciences, 2012, 55(7): 1617-1623
27. Rueppel R A. Analysis and design of stream ciphers. Berlin, Germany: Springer-Verlag, 1986
(Editor: ZHANG Ying)