Finite Fields, Applications and Open Problems · DISCRETE MATHEMATICS AND ITS APPLICATIONS Series...

Differential map PN and APN functions Permutation polynomials Iteration of Functions Random sequences

Finite Fields, Applications and Open Problems

Daniel PanarioSchool of Mathematics and Statistics

Carleton [email protected]

LAWCI School, Campinas, July 2018

Finite Fields, Applications and Open Problems Daniel Panario


Summary

Lecture 1: Applications in Combinatorics

Brief review of finite fields.

Introduction to combinatorics objects (designs, latin squares,several types of arrays).

Classical results (latin squares and sudokus; Costas arrays).

Orthogonal arrays and their constructions based on finitefields.

Some applications in cryptography/coding theory (brief):

secret sharing and combinatorial designs;orthogonal arrays and codes.

Orthogonal array variants (covering arrays, ordered orthogonalarrays) and their constructions based on finite fields.



Summary (cont.)

Lecture 2: Applications in cryptography

Applications of finite fields (brief).

Differential map, differential uniformity, and differentialcryptanalysis.

Example of S-box function and its characteristics.

Perfect nonlinear (PN) and almost perfect nonlinear (APN)functions.

Permutation polynomials and their cycle decomposition.

Iterations of functions.

Generating pseudorandom sequences: how random is asequence, requirements for sequences in cryptography.



Applications in cryptography

Cryptosystems:

Diffie-Hellman method to share a key;

ElGamal digital signature method;

RSA (permutation polynomials over finite fields);

Elliptic and hyperelliptic curve cryptosystem;

Chor-Rivest cryptosystem;

Powerline cryptosystem;

Goppa-code cryptosystem;

Shamir’s secret sharing;

etc.



Applications in cryptography (cont.)

Security:

discrete logarithm problem; index calculus method and itsvariants (Waterloo, Coppersmith);

linear and differential cryptanalysis (PN and APN functions).

Stream ciphers:

WG (Welch-Gong); RC4; etc.

Block ciphers:

AES (advanced encryption standard): Rijndael;

SAFER (Secure And Fast Encryption Routine);

RC6 (permutation polynomials over integer rings).



Applications in coding theory

Classical applications:

BCH codes;

Reed-Solomon codes;

burst error-correcting codes;

convolution codes;

codes based on algebraic curves; etc.

Recent applications:

LDPC (low density parity check) codes;

turbo codes.



Applications in engineering

LFSR (feedback shift register sequences);

pseudorandom number generators (LFSR, polynomials);

radar and sonar (sequences over finite fields, Costas arrays);

digital signal processing: transforms (discrete Fourier,Hadamard, trigonometric);

ad-hoc (like concert hall acoustics); etc.

For more information on LFSR and sequences, see Golomb andGong (2005) book.



Applications in mathematics

Finite geometries: affine and projective geometries;constructions of projective planes with a finite number ofpoints and lines.

Combinatorial designs: BIBD (balance incomplete blockdesigns), latin squares and MOLS (mutually orthogonal latinsquares), orthogonal and covering arrays, etc.

There are also recent applications to bioinformatics(dynamical systems over finite fields).

For more information see (shameless advertisement coming):

Handbook of Finite Fieldsby Gary Mullen and Daniel Panario

published by CRC in 2013.



Applications in mathematics

Finite geometries: affine and projective geometries;constructions of projective planes with a finite number ofpoints and lines.

Combinatorial designs: BIBD (balance incomplete blockdesigns), latin squares and MOLS (mutually orthogonal latinsquares), orthogonal and covering arrays, etc.

There are also recent applications to bioinformatics(dynamical systems over finite fields).

For more information see (shameless advertisement coming):

Handbook of Finite Fieldsby Gary Mullen and Daniel Panario

published by CRC in 2013.Finite Fields, Applications and Open Problems Daniel Panario


K13417

DISCRETE MATHEMATICS AND ITS APPLICATIONSSeries Editor KENNETH H. ROSEN

DISCRETE MATHEMATICS AND ITS APPLICATIONSSeries Editor KENNETH H. ROSEN

Gary L. MullenDaniel Panario

Mullen • Panario

copy to come HANDBOOK OF FINITE FIELDS

HA

ND

BO

OK

OF

FINITE FIELD

S

K13417_Draft.indd 1 9/20/12 9:20 AM



Differential Map



Differential map and uniformity

Brief recall of substitution-permutation networks anddifferential cryptanalysis

Cipher AES (Advanced Encryption Standard)

APN (Almost Perfect Nonlinear) functions



SPN (Substitution Permutation Networks)

A substitution-permutation network consists of R rounds and thesecret key is broken into R+ 1 subkeys.

At each round, the data stream is mixed with a subkey and fedinto a series of substitution boxes (S-boxes), then the resultingoutput bits are mixed by a permutation box (P-box).

S-boxes are functions which act on a subset of the input bits into around; their primary purpose is to increase the confusion of thecipher.

P-boxes act as a shuffling of the bits between rounds; theirpurpose is to diffuse characteristics of the data stream.

The output of the final round’s S-boxes is mixed with a final roundkey to create the ciphertext.

A diagram of a basic 16-bit, 4-round SPN is given next.







An S-box is a look-up table which substitutes small blocks of bitsfor another block of bits. In most cases (but not in all cases,e.g. DES), we consider S-boxes as maps from Fn

2 → Fn2 . Since

permutations and adding round keys are all linear relations betweenbits, S-boxes are the only possibly non-linear component of thenetwork. This non-linearity is crucial to the security of the cipher.

Key-mixing is done by the XOR operation of the key bits with theinput bits of the round. The XOR operation is self-inverse.

Each S-box is a one-to-one function, and so can be inverted, andeach P-box is a permutation, so decryption involves applying theinverse permutation. Since each component of the network isinvertible, decryption is performed by running the ciphertextbackwards through the cipher.



Differential cryptanalisis

Differential cryptanalysis was introduced by Biham and Shamir in1991, as an attack against DES. It has been used to reduce thenumber of DES keys to be tested from 255 (brute-force) to 247.Though less successful than linear cryptanalysis for DES,differential cryptanalysis scales very well to other ciphers.

Differential cryptanalysis is a chosen plaintext attack, where anattacker has access to the keyed cipher and is able to encrypt anyplaintext. The main goal of differential cryptanalysis is to exploithighly probabilistic relationships between differences of plaintextswith the difference of inputs into the last round’s cipher. As inlinear cryptanalysis, differential cryptanalysis can be used torecover bits of the final round’s key.



Ciphers



Practical symmetric-key cryptosystems

In the following we review some ciphers. We start with a classicalblock cipher:

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is the FederalInformation Processing Standards Publication 197 (FIPS 197),named in 2001 as the standard for symmetric block ciphers:

http://csrc.nist.gov/publications/fips197/fips-197.pdf


http://csrc.nist.gov/publications/fips197/fips-197.pdf


AES is a minor variant of the cipher Rijndael, so named for itsauthors, Daemen and Rijmen. Rijndael and AES differ only inblock and cipher key lengths: in Rijndael, the block length and thekey length can be specified (independently) to any multiple of 32bits between 128 bits and 256 bits. AES originally required theblock length to be fixed at 128 bits, but 192 and 256-bit variantshave arisen. AES also allows key lengths of 128, 192 or 256 bits.See: “The design of Rijndael: AES – the Advanced EncryptionStandard” by Joan Daemen and Vincent Rijmen, Springer, 2002.In what follows, we drop the distinction between AES and Rijndael.

AES is based on the substitution-permutation network framework.

The S-boxes in AES are defined over F28∼= F2[x]/(f), where

f(x) = x8 + x4 + x3 + x+ 1 is a primitive pentanomial.



S S S S S S S S S S S S S S S S

XOR with K0 (0-th round key)

Shift Rows and Mix Columns

128-bit message M

8-bit

8-bit

S S S S S S S S S S S S S S S S

XOR with Ki (i-th round key)

Shift Rows

XOR with Kr (r-th round key)

128-bit ciphertext C

8-bit

8-bit

0-th round

repeatfor r − 1rounds

r-th round

Figure 1: The basic structure of AES.

1



At each round, the state of the cipher consists of a 4× 4 matrix,where the (i, j) entry of the matrix is given by bit 4i+ j of thedata stream, 0 ≤ i, j ≤ 3.

There is one allowable block length, 128 bits, and threeallowable key lengths, 128, 192 and 256 bits.

There are 10, 12 or 14 rounds, corresponding to key lengths of128, 192 or 256 bits, respectively.

At each round, except for the last round, the followingfunctions are applied in order

1 An 8-bit substitution (called the SubBytes() transformation),2 a 128-bit permutation (called the ShiftRows() transformation),3 a 32-bit column mixing (called the MixColumns()

transformation),4 addition of the round key (called the AddRoundKey()

transformation).



In implementation, every transformation is simply defined as a16× 16 lookup table.

The ShiftRows() transformation is performed by cyclically shiftingrow i of the matrix, i = 0, 1, 2, 3, to the left by 4 · i bytes.

In MixColumns(), the columns of the state are treated as degree-3polynomials over F28 and are multiplied by a fixed polynomialmodulo x4 + 1. Though x4 + 1 is not irreducible in characteristictwo, the polynomial chosen for AES has an inverse modulo x4 + 1,so decryption is possible.

AddRoundKey() is simply an addition.

SubBytes(): x→ x28−2 is of particular interest providing the

nonlinearity of the S-box.



SubBytes(): x→ x28−2

The SubBytes() transformation is actually the composition of two(invertible) transformations:

1 Apply the multiplicative inverse function x→ x28−2 over F28 .

Using this representation means that this mapping iswell-defined even at 0.

2 Apply an invertible affine transformation (over F2) to furthermix the output bits.

The only non-linear portion of the cipher is the multiplicativeinverse function. We present next a brief summary of some of itscryptographic characteristics.



Cryptographic characteristics of the function x→ x28−2

over F28

Characteristic

Permutation YesBalanced YesAlmost perfect non-linear NoDifferential uniformity 4Non-linearity (Boolean) 112Non-linearity (general) 0.875



PN and APN Functions



Definition

For fixed a, b ∈ Fnp , let Nf (a, b) denote the number of solutions

x ∈ Fnp of f(x+ a)− f(x) = b where a, b ∈ Fn

p , and let

∆f = max{Nf (a, b) | a, b ∈ Fnp , a 6= 0}.

Nyberg (1994) defines a mapping f to be differentially k-uniform if∆f = k.

If k = 1, then f is called perfect nonlinear (PN).

If k = 2, then f is called almost perfect nonlinear (APN).



A major drawback for cryptography is that these optimal functionsare not invertible as required for S-box functions, and do not existin characteristic 2 (as we will see next).

Proposition. There are no PN permutation.

Proof.Let f be any PN function. Choose b = 0. Since f is PN, for allnonzero a, there must exist a solution to f(x+ a)− f(x) = 0.Thus, f is not a permutation.



Example

The function f(x) = x2 defined in a finite field of oddcharacteristic is PN and not bijective.

Proof.

f(x+ a)− f(x) = (x+ a)2 − x2 = 2ax+ a2 = b

has exactly one solution since 2a is invertible for a 6= 0.

But this function is not bijective since f(1) = f(−1).



Proposition. There are no perfect nonlinear mappings over fieldsof characteristic 2.

Proof.Let f : Fn

2 → Fn2 be any mapping. If x is a solution to

f(x+ a)− f(x) = b,

then x+ a is also a solution, since

f((x+ a) + a)− f(x+ a) = f(x)− f(x+ a) = f(x+ a)− f(x).

Therefore the number of solutions to f(x+ a)− f(x) = b is alwayseven.



Reminder: permutations of low differential uniformity are ofinterest in cryptography. Indeed, differential and linearcryptanalysis attempt to exploit weaknesses of the uniformity ofthe functions employed in block ciphers.

As we just saw, when f is defined over Fn2 , solutions come in pairs,

and the minimum possible value for ∆f is two. Hence, over theimportant characteristic 2 case, APN functions attain thisminimum and so are optimally resistant to differentialcryptanalysis.



The most used APN functions over F2 are power functions xd, forsome particular values of d, but there are other APN functions.

Monomials are intensively studied, since they usually have a lowerimplementation cost in hardware. Moreover, their propertiesregarding differential attacks can be studied more easily. There isalso a relation with weight enumerators of some cyclic codes.

When n is odd, in characteristic 2, any APN monomial is apermutation, but not much is known about other APN functionsbeing in general bijective.

Remark: in practice we are generally interested in even extensionsof F2 . . ..



Power APN functions over F2

Known classes of power APN functions over F2:

Exponents d Conditions

Gold functions 2i + 1 gcd(n, i) = 1

Kasami functions 22i − 2i + 1 gcd(n, i) = 1

Welch function 2t + 3 n = 2t+ 1

Niho function 2t + 2t/2 − 1 n = 2t+ 1, t even

2t + 23t+1

2 − 1 n = 2t+ 1, t odd

Inverse function 22t − 1 n = 2t+ 1

Dobbertin function 24i + 23i + 22i + 2i − 1 n = 5i

Table: Known APN Power Functions xd on F2n .



Gold Case

We give the proof of the Gold function due to Nyberg.

Remarks:

Vectorial functions from Fnp to Fn

p are in one-to-onecorrespondence with the set of polynomials in Fpn [x] ofdegree at most pn − 1.

A polynomial f ∈ Fpn [x] is a permutation polynomial if themap x 7→ f(x) is a permutation from Fpn to Fpn .

Let f ∈ Fpn [x]. Then f(x) = xd is a permutation polynomialif and only if gcd(d, pn − 1) = 1.



Theorem. Let gcd(n, i) = s. Then, the Gold power function overF2n defined by f(x) = x2

i+1 satisfies ∆f = 2s. Moreover, if n/s isodd, then f is a permutation.

Proof (sketch).In order to determine ∆f , we count the number of solutions to

(x+ a)2i+1 + x2

i+1 = b, for all b ∈ F2n . (1)

Since f is defined over F2n , all solutions come in pairs so supposethat x1 and x2 are distinct solutions to the above equation. Then,

(x1 + a)2i+1 + x2

i+11 + (x2 + a)2

i+1 + x2i+1

2 = 0

⇔ x2i

1 + x1 + x2i

2 + x2 = 0

⇔ (x1 + x2)2i−1 = 1,



so that x1 + x2 ∈ F∗2s . One can deduce from this that if x0 is asolution to (1), the set of all solutions is given by x0 + F∗2s , and sothere are 2s solutions. Hence, ∆f = 2s.

To prove that f is a permutation, we need to show thatgcd(2i + 1, 2n − 1) = 1. We recall the notion of the 2-order of aninteger a, which is the highest power of 2 that divides a. Since n/sis odd, the 2-order of s is equal to the 2-order of n, andgcd(2i, n) = gcd(i, n) = s. Therefore,

2s−1 = gcd(22i−1, 2n−1) = gcd(2i−1, 2n−1) gcd(2i+1, 2n−1)

implies gcd(2i + 1, 2n − 1) = 1, and f is a permutation.

Corollary. If gcd(n, i) = 1, then the Gold power function is APNover F2n , and an APN permutation if in addition n is odd.



Other important APN functions

The so-called inverse function over F2n defined by f(x) = x2n−2

(observe f(0) = 0) is APN for n odd. For even n it has differentialuniformity 4 (it takes the values 0, 2 and 4).

Indeed the value 0 is taken 2n−1 + 1 times; the value 2 is taken2n−1 − 2 times, and the value 4 is taken once.

We observe that the S-boxes in AES use the inverse function; AESis defined over F28 , hence it is a permutation but not APN.

APN permutations take values 0 and 2, each 2n−1 times.



The APN functions 45x mod 257 and its inverse in Z256 are usedin the SAFER cryptosystem by Massey (1993).

Open Problem: find APN permutation in F28 (or in F22n forn ≥ 4).

It was conjectured that there are no APN permutations on evenextensions of characteristic 2. Hou proved that there are no APNpermutations in F24 .

The first example of an APN permutation in F26 was found byDillon in 2009!



Permutation Polynomials



Definitions and examples

Definition. For q a prime power, let Fq denote the finite fieldcontaining q elements. A polynomial f ∈ Fq[x] is a permutationpolynomial (PP) if the function f : c→ f(c) from Fq into itselfinduces a permutation. Alternatively, f is a PP if the equationf(x) = a has a unique solution for each a ∈ Fq.

PPs over finite field Fq and rings Zn have applications in AdvancedEncryption Standard (AES), RC6 cipher (Rivest, Robshaw, Sidneyand Yin, 1998; Rivest, 2001) among others ciphers.

RC6 uses the permutation function in Z2w (w = 32 for thesuggested implementation)

f(x) = x(2x+ 1) (mod 2w).



Our security goals are that the data-dependent rotationamount that will be derived from the output of thistransformation should depend on all bits of the inputword and that the transformation should provide goodmixing within the word. The particular choice of thistransformation for RC6 is the function f followed by aleft rotation by five bit positions. This transformationappears to meet our security goals while takingadvantage of simple primitives that are efficientlyimplemented on most modern processors. Note that f isone-to-one modulo 2w, and that the high-order bits of f,which determine the rotation amount used, dependheavily on all the bits of x. See “The Security of the RC6Block Cipher” for more information on these issues.



Well known classes of PPs over Fq

Monomials: The monomial xn is a PP on Fq if and only if(n, q − 1) = 1.

Dickson: For a 6= 0 ∈ Fq, the polynomial

Dn(x, a) =

bn/2c∑i=0

n

n− i

(n− ii

)(−a)ixn−2i

is a PP on Fq if and only if (n, q2 − 1) = 1.



Linearized: The polynomial

L(x) =

n−1∑s=0

asxqs ∈ Fqn [x]

is a PP on Fqn if and only if det(aqj

i−j) 6= 0, 0 ≤ i, j ≤ n− 1.

DO permutation polynomials: A polynomial

f(x) =

n−1∑i,j=0

ai,jxpj+pi

is called a Dembowski-Ostrom (DO) polynomial.



DO polynomials cannot be PP in odd characteristic.Some cases where DO polynomials are PP in characteristic 2 aregiven by Blokhuis, Coulter, Henderson and O’Keefe (2001).

Dembowski-Ostrom polynomials have been used for acryptographic application in the public key cryptosystemHFE (Patarin, 1996). There the author states that “itseems difficult to choose f (a DO polynomial) such thatit is a permutation”. It is the purpose of this article toprovide some examples of Dembowski-Ostrompermutations. We consider this problem in the purelytheoretical spirit of problem P2 of Lidl and Mullen(1988). We do not claim that any of the classesidentified in this article could be used to provide a“secure” cryptosystem when implemented in HFE.



Dickson polynomials

Dickson polynomials generalize monomials: Dn(x, 0) = xn.

The Dickson polynomials with parameter a = ±1 are related toFibonacci and Lucas polynomials. For general a, Dicksonpolynomials over the complex numbers are related to theChebyshev polynomials Tn:

Dn(2xa, a2) = 2anTn(x).

Dickson polynomials have been related to RSA by Muller andNobauer, and by Lidl and Muller.

For more applications and connections, see the book Dicksonpolynomials by Lidl, Mullen and Turnwald (1993).



PPs are related to APN functions. For example, Dobbertin (1999)constructed classes of PPs over finite fields of characteristic twoand used them to prove several conjectures on APN monomials.

Golomb and Moreno (1996) show that PPs are useful in theconstruction of Costas arrays, which are useful in sonar and radarcommunications. They gave an equivalent conjecture for Costasarrays in terms of permutation polynomials.

The connection between Costas arrays and APN permutations ofinteger rings Zn is by Drakakis, Gow and McGuire (2009).Composed with discrete logarithms, permutation polynomials offinite fields are used to produce permutations of integer rings Zn

which generate APN permutations in many cases.



Iteration of Functions



Iterations of functions over finite fields

In general, let Fn be the set of functions (“mappings”) from theset [1..n] to itself. With any ϕ ∈ Fn there is associated afunctional graph on n nodes, with a directed edge from vertex u tovertex v if ϕ(u) = v. We are interested here in functions overfinite fields.

Functional graphs of mappings are sets of connected components;the components are directed cycles of nodes; and each of thosenodes is the root of a tree.

The dynamics of iterations of polynomials and rational functionsover finite fields have attracted much attention in recent years, inpart due to their applications in cryptography and integerfactorization methods like Pollard rho algorithm.



Description of Pollard’s method (iteration only)

Iteration function: f(x) = x2 + a.

Rho path of a random element x0:

xk = f(xk−1), for k ≥ 1.

Figure: Rho path of x0 = 6 under f(x) = x2 + 1 ∈ F13[x].






xk = f(xk−1), for k ≥ 1.







xk = f(xk−1), for k ≥ 1.







xk = f(xk−1), for k ≥ 1.







xk = f(xk−1), for k ≥ 1.







xk = f(xk−1), for k ≥ 1.







xk = f(xk−1), for k ≥ 1.






Rho path of a random element x0: xk = f(xk−1), for k ≥ 1.


Heuristic assumption: behaviour similar to a random mapping.



Random mappings and Pollard method

Used in (brief list):

E. Teske, On random walks for Pollard’s Rho Method,Mathematics of Computation, 2001.

J. Bos, T. Kleinjung, A. K. Lenstra, On the use of thenegation map in Pollard rho method, ANTS 2010.

D.J. Bernstein, T. Lange, Two grumpy giants and a baby,ANTS 2012.

Many parameters defined on mappings; focus on rho length.

It is not clear how “close” particular polynomials and rationalfunctions are to random mappings.



Cycle Decomposition and Iteration of Functions

Functional graphs provide an easy and quick way of determiningpermutational properties of the functions being iterated.

Indeed, if the trees are trivial (that is, with a unique node), thegraph is formed only by cycles and the corresponding function is apermutation.

Information on the permutation such as number of cycles, lengthsof the cycles, cycle decomposition and so on can be readilyobtained from the functional graph decomposition.



Finite dynamics

Let X be a finite set and f : X → X.

For x ∈ X, let n ≥ 1,m ≥ 0 be the smallest integers suchthat fn+m(x) = fm(x). Then, per(x) = n, pper(x) = m.



Finite dynamics

Let X be a finite set and f : X → X.

For x ∈ X, let n ≥ 1,m ≥ 0 be the smallest integers suchthat fn+m(x) = fm(x). Then, per(x) = n, pper(x) = m.

Functional graph: directed graph Gf with vertex set X andedges (x, f(x)) for x ∈ X (indeg(x) = #f−1(x) andoutdeg(x) = 1).



Topics of interest in finite dynamics

Iterations of functions over finite fields have centered on:

period and preperiod;

(average) rho length;

number of connected components;

length of cycles (largest, smallest, average);

number of fix points and conditions to be a permutation;

isomorphic graphs (mathematically, algorithmically);

and so on.

Iterations of some functions have strong symmetries that can bemathematically explained. For more information and concreteresults, see upcoming survey on iterations of functions byR. Martins, D. Panario and C. Qureshi.



Results on univariate dynamics

(T.Rogers) Dynamics of x 7→ x2.T.Rogers. “The graph of the square mapping on the prime fields”. Disc.Math

148, 317-324, 1996.

(A.Peinado et al.) Dynamics of x 7→ x2 + c.A.Peinado, F.Montoya, J.Munoz, A.Yuste. “Maximal periods of x2 + c in Fq”.

LNCS 2227, 219-228, 2001.

(T.Vasiga, J.Shallit) Dynamics of x 7→ x2 − 2.T.Vasiga, J.Shallit. “On the iteration of certain quadratic maps over GF(p)”.

Disc.Math 227, 219-240, 2004.

(W.-S.Chou, I.E.Shparlinski) Dynamics of x 7→ xe.W.-S.Chou, I.E.Shparlinski. “On the cycle structure of repeated exponentiation

modulo a prime”. Journal of Number Theory 107, 345-356, 2004.

(S.Ugolini) Dynamics of x 7→ x+ x−1 and x 7→ xd + x−d.S.Ugolini. “Graphs associated with the map x 7→ x+ x−1 in finite fields of

characteristic three and five”. Journal of Number Theory 133, 1207-1228, 2013.



Results on univariate dynamics (cont)

(T.Gassert) Dynamics of Chebyshev polynomials.T.Gassert. “Chebyshev action on finite fields”. Disc.Math 315-316, 83-94, 2014.

(C.Qureshi, D.Panario) Dynamics of Redei functions.C.Qureshi, D.Panario. “Redei actions on finite fields and multiplication map in

cyclic groups”. SIAM Journal on Discrete Mathematics 29, 1486-1503, 2015.

(R.Martins, D.Panario) Heuristics and randomness.R.Martins, D.Panario. “On the heuristic of approximating polynomials over finite

fields by random mappings”. Intern. J. of Number Theory, 12, 1987-2016, 2016.

(C.Qureshi, D.Panario) Dynamics of Chebyshev functions.C.Qureshi, D.Panario. “The graph structure of the Chebyshev polynomial over

finite fields and applications”, Workshop on Coding and Cryptography 2017.

(D.Panario, L.Reis) Dynamics of linearized polynomials.D.Panario, L.Reis. “The functional graph of linear maps over finite fields and

applications”, preprint, 2017.



From the functional graph we immediately get information onwhen the function is a permutation (all cycles, no trees), the cycledecomposition of that permutation (number of cycles, lengths ofthe cycles), etc.

Comment: This could give a different way of providing preciseinvolutions with small number of fixed points.

Other interesting studies: q = pk, degree n

N(n, q) = number of connected components,

T0(n, q) = number of periodic points,

C(n, q) = average value of cycle length,

T (n, q) = average value of tail length;

and asymptotic estimates over primes p ≤ N , as N →∞, for

S0(n,N) = average value of T0(n, p),

S(n,N) = average value of T (n, p).



Open problems

Give precise shape of functional graphs.

Extensions: study functions not already considered; deriveresults like N,T0, C, T, S0, S using these graphs.

Requires: mostly elementary number theory, and also analyticnumber theory for results “moving p” like S0 and S.

Study functional graphs (directed, outdegree 1).

Extensions: what properties of these graph are interesting?Do the matrices of these graphs have interesting properties?

Requires: graph theory knowledge.



Random Sequences



How random is a sequence?

First, there are no random sequences; we look for pseudorandomsequences. We talk about binary sequences but everything can begeneralized to Fq. We need to define some concepts.

Definition.

1 We define k consecutive zeros (ones) preceed by a one (zero)and followed by a one (zero) of a binary sequence of period Nas a run of k zeros (ones).

2 For a binary sequence a of period N , the autocorrelationfunction of a, denoted by ca(τ) is defined as

ca(τ) =

N−1∑i=0

(−1)ai+ai+τ

where the indices are taken modulo N .



The autocorrelation of a sequence is useful in communications,cryptography and coding theory. For example, low autocorrelationbetween a sequence and its shifts helps the receiver to get accurateinformation in noisy channel (for more information onautocorrelation, check Golomb and Gong’s book).

We have that ca(τ) measures the amount of similarity of asequence a and its phase shift τ . We always have

ca(0) =

N−1∑i=0

(−1)ai+ai = N.

We are interested in sequences with few autocorrelation values.Golomb (1955) proposed the following three postulates to measurethe randomness of a sequence.



Golomb postulates

R-1 In every period, the number of zeros is nearly equal to thenumber of ones (the disparity does not exceed 1, or|∑N−1

i=0 (−1)ai | ≤ 1).

R-2 In every period, half of the run have length 1, one fourth havelength 2, one eighth have length 3, and so on. For each ofthese lengths there are the same number of runs of 0’s andruns of 1’s.

R-3 The autocorrelation function c(τ) is two-valued given by

c(τ) =

{N if τ = 0 mod N

k if τ 6= 0 mod N,

where k is a constant. If k = −1 for N odd, or k = 0 for Neven, we say that the sequence has the ideal two levelautocorrelation function.



Binary case

Now consider the case N = 2n − 1. The postulates above becomeas follows:

R-1 In every period 0′s occur 2n−1 − 1 or (2n−1) times and 1’soccur 2n−1 (or 2n−1 − 1) times.

R-2 In every period, runs of 0’s (or of 1’s) of length k,1 ≤ k ≤ n− 2, occur 2n−2−k times. A run of 0’s of lengthn− 1 occurs once and a run of 1’s of length n occurs once.

R-3 The autocorrelation function c(τ) is two-valued given by

c(τ) =

{2n − 1 if τ = 0 mod 2n − 1

−1 if τ 6= 0 mod 2n − 1.



Examples

Examples

(1) Let a = 1110010 1110010 . . . . We have that a has period 7,minimal polynomial f(x) = x3 + x+ 1. We check if thepostulates above are satisfied:

R-1 Satisfied since we have four ones and three zeros in a period.R-2 Holds. There are the following runs: 111, 00, 1, 0. We have

n = 3 and so k = 1. There are 20 = 1 run of 0 and 20 = 1 runof 1. Also, there is a run (00) of length n− 1 = 2 and one run(111) of length n = 3.

R-3 c(0) = 7, c(1) =∑6

i=0(−1)ai+ai+1 = 1 + 1− 1 + 1− 1− 1− 1.

c(2) =∑6

i=0(−1)ai+ai+2 = 1− 1− 1− 1 + 1 + 1− 1 = −1.Also check that c(3) = c(4) = c(5) = c(6) = −1. So a is anideal two-valued autocorrelation sequence.



Examples (cont.)

Examples

(2) Let a = 000100110101111 . . . of period 15. The minimalpolynomial is x4 + x+ 1.

R-1 Holds (7 zeros, 8 ones).R-2 Holds: 000, 1, 00, 11, 0, 1, 0, 1111 are the 8 runs. We have

n = 4 and k = 2, so 21 runs of 0 and 21 runs of 1; 20 runs of00 and 20 runs of 11; 1 (000) run of length n− 1 = 3 and 1(1111) run of length n = 4.

R-3 Also holds (check!)



Other 2-level autocorrelation sequences

There are some known sequences with 2-level autocorrelation. Themost popular ones are m-sequences; they satisfy R− 1, R− 2 andR− 3.

Other sequences that appear in the Golomb and Gong textbook,for example, are cyclic difference sets sequences, Gordon-Mills andWelch (GMW) sequences, Welch-Gordon (WG) sequences.

There are also three other constructions of sequences with the2-level autocorrelation value property. For period N = p, p a primenumber, Legendre sequence and Hall sextic residue sequence. Forperiod N = p(p+ 2) the sequence is called twin prime sequence.



Legendre sequence

Definition. Let p be an odd prime number. The Legendre symbol(ip

)is defined as

(i

p

)=

{1 if exists x such that x2 ≡ i mod p,

−1 otherwise.

Definition. The Legendre sequence (or the quadratic residuesequence) is defined as

ai =

{0 if

(ip

)= 1;

1 otherwise.



Example

Examples

1 p = 7. The squares modulo 7 are: 0, 1, 2, 4. So(07

)=(17

)=(27

)=(47

)= 1. So the Legendre sequences for

p = 7 is 0001011. Clearly R-1 is satisfied. Now, R-2 is not:We have the runs 000, 1, 0, 11. It does satisfy R-3 (check).

2 p = 11 Check that the Legendre sequence is 00100011101.Check R-1, R-2, R-3 for the general case (notice that we don’thave period 2n − 1 here).

Finding sequences with few autocorrelation values is a very activeresearch area.



Ideal k-tuple distribution

Definition. Let a a sequence over Fq of period qn − 1. If in everyperiod of a each nonzero k-tuple (λ1, λ2, . . . , λk) ∈ Fk

q occurs

qn−k times and the zero k-tuple (0, 0, . . . , 0) (k times) occursqn−k − 1 times where 1 ≤ k ≤ n, then we say that the sequece ahas an ideal k-tuple distribution.

All m-sequences satisfy all the above postulates.

Example

Let a = 1110010 . . . with period 7, q = 2, qn − 1 = 7 or n = 3.k = 1: Every nonzero symbol (in this case there is only one!)appears qn−k = q3−1 = 4 times. 0 appears qn−k − 1 = 3 times.k = 2: 11, 10, 01 occur 2 = qn−k times. 00 occurs once.k = 3: 111, 110, 100, 001, 010, 101, 011 occur once and 000 doesnot appear.Conclusion: a has an ideal k-tuple distribution for 1 ≤ k ≤ 3.



Principles for the design of sequences in cryptography

Consider a sequece over Fq of period N .

(1) Period requirement: long period.

(2) Statistical properties: balance property (R-1), run property(R-2) and ideal k-tuple distribution for 1 ≤ k ≤ n =

⌊logqN

⌋.

(3) Correlation: 2-level autocorrelation (R-3) and lowcrosscorrelation value.

The cross correlation function of two period sequences withsame period N over F2 is defined, for τ = 0, 1, . . . , as

Ca,b(τ) =∑N−1

i=0 (−1)ai+τ+bi .

Let S be a set consisting of sequences over F2 with period N .If for any two sequences a and b in S and a positive constantc, we have 0 ≤ |Ca,b(τ)| < c

√n, where τ 6≡ 0 mod N if

a = b, then S has low correlation value.



Principles for the design of sequences in cryptography II

(4) Linear span (or linear complexity): length of the shortestLFSR which generates the sequence. We want a large ratio ofthe linear span to the period:

ρ(a) =LS(a)

N> δ,

δ a constant, for large N . The ratio ρ(a) is the normalizedlinear span of a. We have that 0 < ρ(a) ≤ 1 for some fixed N .

What we mean is the following: we want sequences a over Fq suchthat they have long period N and large LS(a), so that the ratioρ(a) is large. Obeserve that m-sequences are generated byprimitive polynomials of degree n, so LS(a) = n for anm-sequence a and its period is qn − 1.



Principles for the design of sequences in cryptography III

In general, 1 ≤ LS(a) ≤ N where N |qn − 1. The question is, canwe have large period N AND large linear span LS(a), say,exponential in n? Some sequences have been found with thisproperty. For example, WG sequences.

The linear span of a sequence can be computed using an algorithmcalled Berlekamp-Massey.

In cryptography we usually want large normalized span sequencessince they are more unpredictable. In communications, correlationproperties are more important. We look for sequences with goodcorrelation properties with large normalized linear span, andefficient implementation in hardware and software.



Summary

In this lecture we revised several applications of finite fields tocryptography, coding theory, and mathematics in general.

We centered on applications of finite fields in cryptography. Wecommented on the differential map and on some associatedinteresting functions like PN and APN functions.

We surveyed results on permutation polynomials and on iterationof functions.

Finally, we revised sequences over finite fields and considerrequirements for random sequences in cryptography.


Date post:	01-Jun-2020
Category:	Documents
Upload:	others
View:	21 times
Download:	0 times

Finite Fields, Applications and Open Problems · DISCRETE MATHEMATICS AND ITS APPLICATIONS Series...

Documents