Page 1: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

Vector Boolean Functions: Applications in Symmetric Cryptography

José Antonio Álvarez Cubero

Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones

Universidad Politécnica de Madrid

This dissertation is submitted for the degree of

Doctor Ingeniero de Telecomunicación

Escuela Técnica Superior de Ingenieros de Telecomunicación

November 2015


I would like to thank my wife, Isabel, for her love, kindness and the support she has shown during the past years it has taken me to finalize this thesis. Furthermore, I would also like to thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones, such as my daughter and sisters, who have supported me throughout the entire process, both by keeping me harmonious and by helping me put the pieces together. I will be grateful forever for your love.


Declaration

The following papers have been published or accepted for publication, and contain material based on the content of this thesis.

1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html)

2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/cryptographic-criteria-on-vector-boolean-functions. (Published)

3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress. (Published)

4. [4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de Walsh al criptoanálisis lineal y diferencial. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI 2005), pages 11–18. Thomson. (Published)

José Antonio Álvarez Cubero

November 2015


Acknowledgements

I would like to thank all the people who have helped me through the years along the route. I would like to express my gratitude to my supervisor, Prof. Pedro J. Zufiria, for the useful comments, remarks and engagement through the learning process of this thesis. I would also like to acknowledge the editor and reviewers of the journals in which I published the papers related to this thesis.


Summary

This thesis establishes the theoretical foundations and designs an open collection of C++ classes called VBF (Vector Boolean Functions) for analysing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses Victor Shoup's NTL library, incorporating new modules that complement NTL's functions and adapt them for cryptographic analysis. The fundamental class representing a vector Boolean function can be initialised very flexibly through different data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form, among others. In this way VBF makes it possible to evaluate the most relevant cryptographic criteria of block and stream ciphers as well as hash functions: for example, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, the frequency distribution of the absolute values of the Walsh spectrum or of the autocorrelation spectrum, among other criteria. Additionally, VBF can carry out operations between vector Boolean functions such as equality testing, composition, inversion, sum, direct sum, bricklayering (parallel application of vector Boolean functions, as used in the Rijndael cipher), and the addition of coordinate functions.

The thesis also shows the use of the VBF library in two practical applications. On the one hand, the most relevant characteristics of block cipher systems have been analysed. On the other hand, by combining VBF with optimisation algorithms, Boolean functions have been designed whose cryptographic properties are the best known to date.


Abstract

This thesis develops the theoretical foundations and designs an open collection of C++ classes, called VBF, designed for analyzing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses the NTL library from Victor Shoup, adding new modules which complement the existing ones and make VBF better suited for cryptography. The fundamental class representing a vector Boolean function can be initialized in a flexible way via several alternative types of data structures such as Truth Table, Trace Representation and Algebraic Normal Form (ANF), among others. This way, VBF allows the evaluation of the most relevant cryptographic criteria for block and stream ciphers as well as for hash functions: for instance, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, the frequency distribution of the absolute values of the Walsh Spectrum or the Autocorrelation Spectrum, among others. In addition, VBF can perform operations such as equality testing, composition, inversion, sum, direct sum, bricklayering (parallel application of vector Boolean functions as employed in the Rijndael cipher), and adding coordinate functions of two vector Boolean functions.

This thesis also illustrates the use of VBF in two practical applications. On the one hand, the most relevant properties of the existing block ciphers have been analysed. On the other hand, by combining VBF with optimization algorithms, new Boolean functions have been designed which have the best cryptographic properties known to date.
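As an added illustration of the criteria the abstract lists (it is not code from the VBF library or from the thesis), the following C++ program takes a vector Boolean function F: V_n → V_m as a truth table and computes its Walsh spectrum, its nonlinearity, whether it is balanced, the frequency distribution of the absolute Walsh values and its algebraic degree via the Möbius transform of each component function. The 4x4 S-box used as input is a constructed, arbitrary permutation, not NibbleSub or any cipher's S-box, and every type and function name here is the example's own.

```cpp
// Added illustration (not VBF library code): cryptographic criteria of a vector
// Boolean function F: V_n -> V_m computed directly from its truth table.
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <map>
#include <vector>

// Truth-table form of F: tt[x] is the m-bit output for the n-bit input x (2^n entries).
struct VectorBooleanFunction {
    int n, m;             // input and output bit lengths
    std::vector<int> tt;  // truth table, size 2^n
};

static int popcount(unsigned w) { int c = 0; for (; w; w >>= 1) c += w & 1u; return c; }
// Dot product over GF(2) of two bit vectors packed in integers.
static int dot(unsigned a, unsigned b) { return popcount(a & b) & 1; }

// Walsh coefficient W_F(u, v) = sum_x (-1)^(v.F(x) xor u.x): correlation of the
// component function v.F with the linear function u.x.
static int walsh(const VectorBooleanFunction& F, unsigned u, unsigned v) {
    int sum = 0;
    for (unsigned x = 0; x < (1u << F.n); ++x)
        sum += (dot(v, (unsigned)F.tt[x]) ^ dot(u, x)) ? -1 : 1;
    return sum;
}

// Whole Walsh spectrum as a (2^n) x (2^m) matrix indexed [u][v].
static std::vector<std::vector<int>> walshSpectrum(const VectorBooleanFunction& F) {
    std::vector<std::vector<int>> W(1u << F.n, std::vector<int>(1u << F.m));
    for (unsigned u = 0; u < W.size(); ++u)
        for (unsigned v = 0; v < W[u].size(); ++v) W[u][v] = walsh(F, u, v);
    return W;
}

// NL(F) = 2^(n-1) - (1/2) max_{u, v != 0} |W_F(u, v)|: the smallest Hamming distance
// between a nonzero component function v.F and the set of affine functions.
static int nonlinearity(const VectorBooleanFunction& F) {
    std::vector<std::vector<int>> W = walshSpectrum(F);
    int maxAbs = 0;
    for (unsigned u = 0; u < W.size(); ++u)
        for (unsigned v = 1; v < W[u].size(); ++v) maxAbs = std::max(maxAbs, std::abs(W[u][v]));
    return (1 << (F.n - 1)) - maxAbs / 2;
}

// F is balanced iff every nonzero component is balanced, i.e. W_F(0, v) = 0 for all v != 0.
static bool isBalanced(const VectorBooleanFunction& F) {
    for (unsigned v = 1; v < (1u << F.m); ++v)
        if (walsh(F, 0, v) != 0) return false;
    return true;
}

// Frequency distribution of |W_F(u, v)| over all u and all nonzero v (the zero
// component is skipped: it only contributes the trivial value 2^n at u = 0).
static std::map<int, int> absWalshDistribution(const VectorBooleanFunction& F) {
    std::map<int, int> freq;
    std::vector<std::vector<int>> W = walshSpectrum(F);
    for (unsigned u = 0; u < W.size(); ++u)
        for (unsigned v = 1; v < W[u].size(); ++v) ++freq[std::abs(W[u][v])];
    return freq;
}

// Degree of one Boolean function: the Moebius transform turns its truth table into
// ANF coefficients in place; the degree is the largest monomial with coefficient 1.
static int booleanDegree(std::vector<int> f, int n) {
    for (int i = 0; i < n; ++i)
        for (unsigned x = 0; x < (1u << n); ++x)
            if (x & (1u << i)) f[x] ^= f[x ^ (1u << i)];
    int deg = 0;
    for (unsigned x = 0; x < (1u << n); ++x)
        if (f[x]) deg = std::max(deg, popcount(x));
    return deg;
}

// Algebraic degree of F: the maximum over its nonzero component functions v.F.
static int algebraicDegree(const VectorBooleanFunction& F) {
    int deg = 0;
    for (unsigned v = 1; v < (1u << F.m); ++v) {
        std::vector<int> comp(1u << F.n);
        for (unsigned x = 0; x < comp.size(); ++x) comp[x] = dot(v, (unsigned)F.tt[x]);
        deg = std::max(deg, booleanDegree(comp, F.n));
    }
    return deg;
}

// Constructed sample input: an arbitrary 4x4 permutation, not any real cipher's S-box.
static const VectorBooleanFunction SAMPLE_SBOX = {4, 4,
    {0x6, 0xB, 0x5, 0x4, 0x2, 0xE, 0x7, 0xA, 0x9, 0xD, 0xF, 0xC, 0x3, 0x1, 0x0, 0x8}};

int main() {
    const VectorBooleanFunction& F = SAMPLE_SBOX;
    std::cout << "nonlinearity: " << nonlinearity(F) << "\n"
              << "balanced: " << (isBalanced(F) ? "yes" : "no") << "\n"
              << "algebraic degree: " << algebraicDegree(F) << "\n"
              << "frequency distribution of |W_F(u, v)|, v != 0:\n";
    std::map<int, int> freq = absWalshDistribution(F);
    for (const auto& kv : freq)
        std::cout << "  |W| = " << kv.first << ": " << kv.second << " pairs (u, v)\n";
    return 0;
}
```

The spectrum is computed by direct summation (2^n work per coefficient), which is fine for the S-box sizes a cipher designer inspects by hand; a fast Walsh-Hadamard transform brings each component down to n·2^n. Because the sample input is a permutation, every nonzero component is balanced, so the program reports it as balanced and its degree cannot exceed n - 1.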


Table of contents

List of figures . . . xix
List of tables . . . xxi

1 Introduction . . . 5
1.1 Information Security . . . 5
1.2 Motivation . . . 8
1.3 Objectives and Outcomes of the Thesis . . . 9
1.4 Structure of the Thesis . . . 11

2 Fundamentals of Block Ciphers and the VBF Library . . . 13
2.1 Basic Theoretical Background . . . 13
2.1.1 Definitions . . . 14
2.2 Block Ciphers . . . 16
2.2.1 Mini-AES Cipher . . . 17
2.2.2 KASUMI Cipher . . . 22
2.2.3 DES Cipher . . . 23
2.2.4 AES Cipher . . . 25
2.3 VBF (Vector Boolean Functions) library . . . 30
2.3.1 Features . . . 30
2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software . . . 34

3 Representations and Characterizations . . . 37
3.1 Truth Table . . . 39
3.1.1 Description . . . 39
3.1.2 Library . . . 40
3.2 Trace Representation . . . 45
3.2.1 Description . . . 45
3.2.2 Library . . . 46
3.3 Polynomials in ANF . . . 49
3.3.1 Description . . . 49
3.3.2 Library . . . 49
3.4 ANF Table . . . 51
3.4.1 Description . . . 51
3.4.2 Library . . . 51
3.5 Image . . . 53
3.5.1 Description . . . 53
3.5.2 Library . . . 54
3.6 Walsh Spectrum . . . 55
3.6.1 Description . . . 55
3.6.2 Library . . . 65
3.7 Linear Profile and Linear Cryptanalysis . . . 67
3.7.1 Description . . . 67
3.7.2 Library . . . 70
3.8 Differential Profile and Differential Cryptanalysis . . . 73
3.8.1 Description . . . 73
3.8.2 Library . . . 76
3.9 Autocorrelation Spectrum . . . 79
3.9.1 Description . . . 79
3.9.2 Linear structures . . . 81
3.9.3 Library . . . 82
3.10 Affine Function and Affine Equivalence . . . 84
3.10.1 Description . . . 84
3.10.2 Library . . . 87
3.11 Cycle Structure, Fixed Points and Negated Fixed Points . . . 90
3.11.1 Description . . . 90
3.11.2 Library . . . 91
3.12 Permutation Vector . . . 93
3.12.1 Description . . . 93
3.12.2 Library . . . 93
3.13 DES Representations . . . 94
3.13.1 Description . . . 94
3.13.2 Library . . . 95
3.14 Auxiliary Functions . . . 99
3.15 Summary . . . 100

4 Cryptographic Criteria . . . 103
4.1 Introduction . . . 103
4.1.1 Definitions . . . 103
4.1.2 Cryptographically Weak Functions . . . 105
4.2 Algebraic Degree . . . 105
4.2.1 Description . . . 105
4.2.2 Library . . . 106
4.3 Nonlinearity . . . 110
4.3.1 Description . . . 110
4.3.2 Library . . . 113
4.4 r-th Order Nonlinearity . . . 116
4.4.1 Description . . . 116
4.4.2 Library . . . 117
4.5 Balancedness . . . 118
4.5.1 Description . . . 118
4.5.2 Library . . . 119
4.6 Correlation Immunity . . . 121
4.6.1 Description . . . 121
4.6.2 Library . . . 123
4.7 Algebraic Immunity . . . 124
4.7.1 Description . . . 124
4.7.2 Library . . . 125
4.8 Global Avalanche Criterion . . . 127
4.8.1 Description . . . 127
4.8.2 Library . . . 127
4.9 Linearity Distance . . . 129
4.9.1 Description . . . 129
4.9.2 Library . . . 131
4.10 Propagation Criterion . . . 132
4.10.1 Description . . . 132
4.10.2 Library . . . 133
4.11 Bounds, Properties and Trade-offs . . . 134
4.11.1 Bounds . . . 135
4.11.2 Properties . . . 135
4.11.3 Trade-offs . . . 135
4.12 Summary . . . 143

5 Constructions for Vector Boolean Functions . . . 145
5.1 Equality Testing . . . 145
5.1.1 Description . . . 145
5.1.2 Library . . . 146
5.2 Composition Function . . . 147
5.2.1 Description . . . 147
5.2.2 Library . . . 149
5.3 Functional Inverse . . . 154
5.3.1 Description . . . 154
5.3.2 Library . . . 154
5.4 Sum . . . 156
5.4.1 Description . . . 156
5.4.2 Library . . . 158
5.5 Direct Sum . . . 161
5.5.1 Description . . . 161
5.5.2 Library . . . 164
5.6 Concatenation . . . 168
5.6.1 Description . . . 168
5.6.2 Library . . . 169
5.7 Concatenation of Polynomials in ANF . . . 172
5.7.1 Description . . . 172
5.7.2 Library . . . 173
5.8 Addition of Coordinate Functions . . . 174
5.8.1 Description . . . 174
5.8.2 Library . . . 175
5.9 Bricklayer . . . 179
5.9.1 Description . . . 179
5.9.2 Library . . . 182
5.10 Summary . . . 188

6 Security Evaluation of Cryptographic Algorithms . . . 189
6.1 KASUMI Cipher Algorithm Evaluation . . . 189
6.1.1 S-boxes Characterization . . . 190
6.1.2 FI Function Characterization . . . 193
6.2 Mini-AES Cipher Algorithm Evaluation . . . 194
6.2.1 S-box Characterization . . . 194
6.2.2 Mini-AES Cipher Characterization . . . 195
6.3 CLEFIA . . . 196
6.3.1 S0 . . . 198
6.3.2 S1 . . . 201
6.4 Computational Cost Results . . . 201

7 Design of Cryptographically Robust Vector Boolean Functions . . . 205
7.1 Multi-Objective Combinatorial Optimization (MOCO) . . . 205
7.1.1 Problem Formulation . . . 205
7.1.2 Preferences among Criteria. Weighting Method . . . 207
7.2 Boolean Function Design Procedures . . . 208
7.2.1 Algebraic Construction Techniques . . . 209
7.2.2 Computational Techniques for Approximating the Efficient Set . . . 215
7.2.3 The Balancedness Constraint . . . 217
7.2.4 Combining Different Algorithms . . . 217

8 Conclusions and Future Research . . . 231
8.1 Summary and Conclusions of the Thesis . . . 231
8.2 Future Directions . . . 232

References . . . 235

Appendix A Mathematical Background . . . 247
A.1 The Vector Space Vn . . . 247
A.1.1 Definition . . . 247
A.1.2 Lexicographic Order . . . 248
A.1.3 The Hamming Distance . . . 249
A.2 Characters . . . 250
A.2.1 Characters on Vn . . . 250
A.2.2 Characters on Vn × Vm . . . 252
A.3 The Vector Space GF(2^n) . . . 253
A.3.1 Definition . . . 253
A.3.2 Operations on Polynomials . . . 253
A.3.3 Relation between Vn and GF(2^n) . . . 254
A.3.4 Mini-AES Finite Field in GF(2^4) . . . 254
A.4 The Vector Space Rn . . . 255
A.4.1 The Inner Product . . . 255
A.4.2 Distance . . . 255
A.4.3 The Pointwise Product . . . 256
A.5 The Vector Space Mn×m(R) . . . 256
A.5.1 The Inner Product . . . 256
A.5.2 Distance . . . 256
A.5.3 The Pointwise Product . . . 257
A.6 Kronecker Product of Matrices . . . 257
A.7 Convolution and Correlation . . . 258
A.7.1 One-dimensional . . . 258
A.7.2 Bidimensional . . . 258

Appendix B CLEFIA Description . . . 261
B.1 Truth Tables of CLEFIA SSi (0 ≤ i ≤ 3) S-boxes . . . 261
B.2 Truth Table of Mul2(x) = 0x2 · x operation . . . 261
B.3 Truth Tables of u0, u1, y0 and y1 . . . 262
B.4 Trace Representation of S0 and S1 . . . 269

Appendix C Using the Library . . . 273
C.1 An Example Program . . . 273
C.2 Compiling . . . 280
C.3 How to Evaluate New Algorithms . . . 280


List of figures

1.1 Block Cipher . . . 6
2.1 Typical internal construction of a Block Cipher . . . 17
2.2 Structure of Mini-AES cipher . . . 20
2.3 Structure of KASUMI cipher FI function . . . 24
2.4 Structure of DES cipher . . . 26
2.5 The Feistel function of DES . . . 27
2.6 Rijndael S-box SRD . . . 29
3.1 Relationships among representations and characterizations of a Vector Boolean function . . . 38
3.2 Image representations of NibbleSub . . . 56
3.3 Linear Profile of NibbleSub . . . 73
3.4 Differential Profile of NibbleSub . . . 79
3.5 Linear structures of NibbleSub . . . 84
3.6 S1, S2, S3, S4 DES S-boxes . . . 96
3.7 S5, S6, S7, S8 DES S-boxes . . . 96
4.1 Relationships among representations and criteria of a Vector Boolean function . . . 104
4.2 Algebraic Degree of NibbleSub: Degree 4 . . . 107
4.3 Algebraic Degree of NibbleSub: Degree 3 . . . 108
4.4 Algebraic Degree of NibbleSub: Degree 2 . . . 109
4.5 Nonlinearity of NibbleSub . . . 115
4.6 Balancedness of NibbleSub . . . 121
4.7 Correlation immunity of f . . . 125
4.8 Absolute indicator of NibbleSub . . . 129
4.9 Sum-of-squares indicator of NibbleSub . . . 130
4.10 Propagation Criterion of f . . . 135
5.1 Composition . . . 147
5.2 Inverse . . . 154
5.3 Direct Sum . . . 161
5.4 CAST Cipher . . . 164
5.5 Adding Coordinate functions . . . 175
5.6 Bricklayer . . . 179
5.7 DES S-boxes . . . 182
5.8 KHAZAD S-box construction . . . 183
6.1 CLEFIA S0 . . . 197
6.2 CLEFIA S1 . . . 197
6.3 CLEFIA S-box S0 . . . 199
6.4 Overall CPU time in seconds for cryptographic characterization of n×m S-boxes . . . 202
6.5 CPU timing measurements for all functions in Algorithm I . . . 203
7.1 Relationship between Known Functions, PE and BKPE . . . 210


List of tables

1 Set operators notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Characteristics of sets notation . . . . . . . . . . . . . . . . . . . . . . . . 1

3 Important number sets notation . . . . . . . . . . . . . . . . . . . . . . . . 1

4 Function notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

5 Matrices notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

6 Vectors notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1 NibbleSub Truth Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.2 Generation of the Round Keys of Mini-AES. . . . . . . . . . . . . . . . . . 21

2.3 Inverse NibbleSub Truth Table. . . . . . . . . . . . . . . . . . . . . . . . . 22

2.4 NTL modules used in VBF. . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2.5 New modules created for VBF. . . . . . . . . . . . . . . . . . . . . . . . . 33

3.1 Identification of a coordinate function of NibbleSub with trace function. . . 47

3.2 Cycle structure of NibbleSub. . . . . . . . . . . . . . . . . . . . . . . . . 93

3.3 Representation of VBF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

3.4 Chacterizations of VBF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

4.1 Maximum nonlinearity of Boolean functions for n odd. . . . . . . . . . . . 112

4.2 Cryptographic criteria bounds. . . . . . . . . . . . . . . . . . . . . . . . . 136

4.3 Are the criteria affine invariant? . . . . . . . . . . . . . . . . . . . . . . . 136

4.4 Weight related cryptographic criteria properties. . . . . . . . . . . . . . . . 136

4.5 Walsh related cryptographic criteria properties. . . . . . . . . . . . . . . . 136

4.6 Maximum nonlinearity of Balanced Boolean functions for n. . . . . . . . . 137

4.7 Cryptographic criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

4.8 Member functions of the cryptographic criteria. . . . . . . . . . . . . . . . 144

5.1 Results of spectral radius(R),NL, l p,d p,ACmax and LD for bricklayer of DESS-boxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Page 22: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

xxii List of tables

5.2 Results of spectral radius(r),NL, l p,d p,ACmax and LD for bricklayer of Pand Q mini S-boxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

5.3 Constructions over VBF. . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

6.1 Cycle structure for S7. . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

6.2 Cycle structure for S9. . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

6.3 S7 and S9 Cryptographic criteria. . . . . . . . . . . . . . . . . . . . . . . 192

6.4 S7 and S9 Cryptographic criteria. . . . . . . . . . . . . . . . . . . . . . . 192

6.5 Cycle structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

6.6 NibbleSub Cryptographic criteria. . . . . . . . . . . . . . . . . . . . . . . 195

6.7 Tables of CLEFIA S-boxes SSi (0 ≤ i ≤ 3). . . . . . . . . . . . . . . . . . . 198

6.8 Table of the multiplication 0x2 · x. . . . . . . . . . . . . . . . . . . . . . 198

6.9 Results of spectral radius (r), NL, lp, dp, ACmax and LD for CLEFIA S0 construction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

6.10 Results of deg, AI, σ, CI for CLEFIA S0 construction. . . . . . . . . . . . . 200

6.11 Results of spectral radius (r), NL, lp, dp, ACmax, LD, deg, AI, σ and CI for CLEFIA S1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for Maitra construction in [88]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

7.2 Nonlinearity, algebraic degree for Maitra construction in [133]. . . . . . . . 211

7.3 Nonlinearity, absolute and sum-of-squares indicators for Zhang and Zheng construction [160]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

7.4 Nonlinearity, algebraic degree and algebraic immunity for Carlet construction [26]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

7.5 Nonlinearity, algebraic degree for Charpin construction [30]. . . . . . . . . 213

7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions x^d. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

7.7 Comparison of the best achieved computer search results for (NL, deg, ACmax). 218

7.8 Comparison of profiles with n = 9. . . . . . . . . . . . . . . . . . . . . . . 218

7.9 Comparison of profiles with n = 11. . . . . . . . . . . . . . . . . . . . . . 219

7.10 Comparison of nonlinearity achieved in Boolean functions. . . . . . . . . . 223

7.11 Results obtained for different n-input balanced Boolean functions. . . . . . 223

7.12 Representations of Boolean functions in Table 7.11. . . . . . . . . . . . . . 224

7.13 Frequency distribution of the absolute values of the Walsh Spectrum. . . . . 225



7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum. 225

7.15 Additional cryptographic criteria for f1–f5 classes. . . . . . . . . . . . . . 226

7.16 Comparison of the best results for (NL, deg, AI, ACmax, σ). . . . . . . . . . 229


Notation

Table 1 Set operators notation

Notation    Description                        Definition
Ā           Complement of A                    {x | x ∉ A}
A ⊆ B       A is a subset of B                 {x | (x ∈ A) ⇒ (x ∈ B)}
A ∪ B       Union of sets A and B              {x | (x ∈ A) ∨ (x ∈ B)}
A − B       Difference of sets A and B         {x | (x ∈ A) ∧ (x ∉ B)}
A ∆ B       Symmetric difference of A and B    (A − B) ∪ (B − A)
A ≺ B       A is a subspace of B

Table 2 Characteristics of sets notation

Notation    Description                 Definition
#A          Cardinality of the set A    Number of elements in A
Supp(A)     Support of A                {a ∈ A | a ≠ 0}

Table 3 Important number sets notation

Notation    Description                                Definition
N           Set of natural numbers                     {1, 2, 3, ...}
Z           Set of integer numbers                     {..., −2, −1, 0, 1, 2, ...}
Z_N         Set of integers modulo N                   {0, ..., N−1}
Z_N^n       Set of vectors whose n components ∈ Z_N    (x1, ···, xn), xi ∈ Z_N
R           Set of real numbers                        (−∞, +∞)
C           Set of complex numbers                     {x + iy | x, y ∈ R, i = √−1}



Table 4 Function notation

Notation    Description                                     Definition
δ(x)        Kronecker delta function of x                   1 if x = 0, 0 if x ≠ 0
F(A, B)     Set of functions with domain A and codomain B   {f | f : A → B}
Im(f)       Image set of the function f : A → B             {y ∈ B | ∃x ∈ A, y = f(x)}
End(A)      Set of endomorphisms of A                       {f : A → A | f homomorphism}
GL(A)       Set of automorphisms of A                       {f ∈ End(A) | f bijective}
f|A         Restriction of the function f to A              {(x, f(x)) | x ∈ A}

Table 5 Matrices notation

Notation          Description                                 Definition
A ∈ M_{n×m}(K)    n×m matrix of elements ∈ K                  A = [a11 ... a1m; a21 ... a2m; ...; an1 ... anm] (rows separated by ";")
Ai                i-th row vector of A                        [ai1 ... aim]
A^j               j-th column vector of A                     [a1j; ...; anj] (a column)
A^T               Transposed matrix of A                      A^T = B ∈ M_{m×n}(K), aij = bji
In                Identity matrix of order n                  aii = 1 ∀ i ∈ {1, ..., n} and aij = 0 ∀ i ≠ j, i, j ∈ {1, ..., n}
Pn                Permutation matrix of order n               ∀ i ∈ {1, ..., n} ∃ j ∈ {1, ..., n}: (Pn)i = (In)j
A ⊗ B             Kronecker product of A and B                [a11B ... a1mB; a21B ... a2mB; ...; an1B ... anmB]
A|B               Concatenation of A ∈ M_{n×m}(GF(2))         A|B = [A; B] ∈ M_{(n+p)×m}(GF(2)) (B stacked below A)
                  and B ∈ M_{p×m}(GF(2))



Table 6 Vectors notation

Notation              Description                                     Definition
Bn = {e1, ..., en}    Canonical basis of Vn                           ei = (x1, ···, xn), xi = 1 ∧ xj = 0 ∀ j ≠ i
‖x‖                   Norm of the vector x                            +√⟨x, x⟩
∠(x, y)               Angle between the vectors x and y               cos(∠(x, y)) = ⟨x, y⟩ / (‖x‖ · ‖y‖)
⟨x, y⟩                Inner product of the vectors x and y            Σ_{i=1}^{n} xi yi
x ⊗ y                 Kronecker product of x ∈ Vn and y ∈ Vm          (x1 y, ..., xn y)
Supp(x)               Support of the vector x                         {i ∈ {1, ..., n} | xi ≠ 0}


Chapter 1

Introduction

1.1 Information Security

Information security defines a series of techniques intended to guarantee that a sender can deliver a message (usually called plaintext) to a receiver in a secure manner over a channel accessible by third parties. This security is based on three main principles: confidentiality, integrity and availability (known as the CIA triad).

The confidentiality of a message is assured if the sender prevents the intentional or unintentional unauthorized disclosure of its contents. To achieve this objective, the plaintext is processed in such a way that its meaning is hidden. This process is called encryption and is performed by a cipher. As a result, we obtain a message whose contents are meaningless, called the ciphertext. The process of reverting the ciphertext into plaintext is called decryption, and usually makes use of a key previously shared between sender and receiver.

Cryptology is the discipline whose objective is to safeguard the secrecy of communications over an insecure channel in such a way that any non-authorized entity is unable to recover the message (plaintext) from what is sent in its place over the channel (ciphertext). Cryptology comprises two complementary fields: cryptography and cryptanalysis. Cryptography is the art of designing secure ciphers to provide services such as data confidentiality, integrity and authentication. Cryptanalysis is the study of methods for breaking ciphers, that is, for assessing and exploring design features that may lead to the discovery of some piece of secret information.

A cryptographic algorithm, also called a cipher or cryptographic scheme, is a function which enables encryption (or ciphering) and decryption (or deciphering). Three types of cryptographic schemes can be identified: public-key (or asymmetric) cryptography, hash functions and secret-key (or symmetric) cryptography. In public-key cryptography (e.g. RSA), encryption and decryption are performed with different keys (public and private keys), while in secret-key cryptography (e.g. DES, AES) both parties share the same key. Hash functions (e.g. MD5, SHA family) are algorithms that compute a fixed-length hash value from the plaintext in such a way that neither the contents nor the length of the plaintext can be recovered from it. Secret-key (or symmetric) cryptosystems can be further classified into Block Ciphers and stream ciphers. While Block Ciphers (e.g. DES [107], AES [108]) operate with a fixed transformation on blocks of data, stream ciphers (e.g. RC4, A5/1 and A5/2) typically operate with a time-varying transformation on smaller units of plaintext, usually bits.

Fig. 1.1 Block Cipher.

For electronic information, asymmetric cryptography together with hash functions can be used to verify the authorship and the integrity of a document by means of digital signatures. Symmetric cryptography can be used to guarantee the confidentiality of a message.

Every cryptanalysis technique assumes that the cryptographic algorithm is known and public. The only piece of information that is kept secret is the key used in the ciphering process. The cipher is considered broken, or not secure, if a non-authorized party can extract the key with a time complexity lower than that of exhaustive key search, also called a brute-force attack (the process of trying every possible key and checking whether the resulting plaintext is meaningful). There are many cryptanalytic attacks. Some attacks are applicable only to one particular encryption algorithm.


In general, cryptanalytic attacks can be categorized based on the information available to the analyst when mounting the attack:

• Ciphertext-only attack. The cryptanalyst has the ciphertext of several messages encrypted with the same cipher. The analyst tries to recover the plaintext of as many messages as possible, or even to deduce the key (or keys) used to encrypt the plaintexts. If the key is found, it will be possible to decrypt other ciphertexts encrypted with the same key and the same cipher.

• Known-plaintext attack. The cryptanalyst has the ciphertext of several messages and their corresponding plaintexts, all of them encrypted with the same cipher. The analyst tries to deduce the key (or keys) used to encrypt the plaintexts, or an algorithm to decrypt any new messages encrypted with these keys.

• Chosen-plaintext attack. The cryptanalyst has the ciphertext of messages and their corresponding plaintexts, all of them encrypted with the same cipher. In this attack, the analyst can choose the plaintexts to be encrypted in order to deduce the same piece of information as in the previous attack.

• Chosen-ciphertext attack. The cryptanalyst can choose the ciphertexts to be decrypted and has access to their corresponding plaintexts. The analyst tries to deduce the key.

Most of the contemporary data encryption principles and concepts were proposed by Claude Elwood Shannon (1916-2001). Indeed, Shannon in [143] presented the principles of what he called confusion and diffusion, establishing that both of them should be present in a computationally secure cryptosystem. The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible (usually obtained by nonlinear transformations in the form of S-boxes)¹ so that any algebraic structure in the system is concealed. Diffusion has the role of dissipating the redundancy of the plaintext by spreading out the influence of any minor modification of the plaintext or of the key over all ciphertext bits (usually obtained by linear transformations such as permutations).

¹ S stands for Substitution. This term is used to designate Vector Boolean functions (functions that map a Boolean vector to another Boolean vector) whose role is to provide confusion in a cipher. The most fundamental property of an S-box is that it is a nonlinear mapping.


1.2 Motivation

During the last years, several international initiatives for selecting ciphers have taken place: AES (United States), CRYPTEC (Japan) and NESSIE (European Union). All of them defined evaluation criteria that can be divided into three major categories: security, cost, and algorithm and implementation characteristics.

Security is the most important category, but it is considered the most difficult to assess. Normally, the institution which organizes the competition invites the cryptology community to mount attacks and to try to cryptanalyse the different candidates. The candidates not satisfying the security requirements imposed by the institution are eliminated from the contest.

Section 3 in [105] discusses the tools that the NESSIE project developed to support the evaluation process:

It is clear that modern computers and sophisticated software tools cannot replace human cryptanalysis. Nevertheless, software tools can play an important role in modern cryptanalysis. In most cases, the attacks found by the cryptanalyst require a large number of computational steps, hence the actual computation of the attack is performed on a computer. However, software and software tools can also be essential to find a successful way to attack a symmetric cryptographic algorithm; examples include differential and linear cryptanalysis, dependence tests, and statistical tests.

Within NESSIE, we distinguish two classes of tools. The general tools are not specific for the algorithms to be analyzed. Special tools, which are specific for the analysis of one algorithm, are implemented when, in the course of the cryptanalysis of an algorithm, the need for such a tool turns up...

... The software for these tools will not be made available outside the project, but all the results obtained using these tools will be made public in full detail.

It is worth mentioning that a comprehensive set of general tools for the evaluation of symmetric ciphers is available, such as, for instance, the RIPE and NIST test suites. These consist of a collection of statistical tests such as: the frequency test, the collision test, the overlapping m-tuple test, the gap test, the constant runs test, the coupon collector's test, Maurer's universal test, the poker test, the spectral test, the correlation test, and the rank test, among others. Nevertheless, such available tools are not enough for a rigorous characterization of cryptographic primitives. Section 4 in [104] provides a detailed description of this issue:


This document describing the NESSIE security methodology has given a list of important issues that are considered in making a security evaluation of a submitted primitive. Clearly, this list is not complete.

Cryptographic primitives with completely inadequate security can often be identified. However, for the remaining cryptographic primitives, the situation is nothing like as clear-cut. There is neither an automatic method of assessing the security of such a primitive nor a general consensus on the relative importance of different security criteria. The few previous initiatives that have undertaken a similar task to the NESSIE project, such as AES, have been more limited in scope and have reached a subjective judgment by experts on the security of such primitives. The NESSIE project will produce a security judgment for the submitted primitives based on the issues discussed in this report.

From the above, it is clear that there is no general set of tools to assess the security of cipher components. Because of the size and complexity of modern ciphers, automatic analysis programs are very helpful in reducing the time required to study the cryptographic properties of Vector Boolean functions.

1.3 Objectives and Outcomes of the Thesis

Listed below are the main objectives of the research presented in this thesis:

1. To gather, derive and/or reformulate in an efficient manner all the relevant theoretical results associated with the characterization of robust cryptographic functions.

The research work reported in this thesis requires knowledge of previously established Boolean function and S-box theory. Such knowledge is essential not only for linking the theoretical concepts to practical applications, but also in order to understand the significance of the research and where this work is placed in relation to the field of cryptology.

2. To make available a free open source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function.

The execution of Boolean function research requires the development of specialised programs, typically written in the C or C++ language. These programs can involve a large number of computation steps and it is therefore imperative that all appropriate optimisation techniques are used to exploit the full processing power available in modern computer systems. There is, however, a noticeable absence in the related cryptographic literature of any reference to the implementation issues facing Boolean function researchers, and with no readily available software for cryptographic Boolean function analysis, researchers have had to independently develop their own implementations.

3. To assess the security of modern Block Ciphers.

Fundamental to any area of research is the ability to develop a methodology to perform systematic observation, measurement and experiment, and the formulation, testing and modification of hypotheses. The study of Block Ciphers is an area where this basic principle of research has been ignored; the security of these cryptographic algorithms is measured by the best public cryptanalysis reported by an expert. As a result, considerable restrictions have existed with regard to performing a homogeneous analysis of these cryptosystems.

4. To design new robust Boolean functions in order to increase the security of ciphers based on them.

These robust cipher components will be those Boolean functions which exhibit suitable measures for a combination of cryptographic properties appropriate for their use according to the type of cipher employing them. The task of obtaining such functions involves generating and/or constructing Boolean functions which not only exhibit the required measures of cryptographic properties but are also of a large enough dimension that they are able to provide resistance to attacks in the long term. Additionally, the means of obtaining these strong cipher components must be computationally efficient.

The outcomes of the work in this thesis are now discussed with reference to the above objectives.

To achieve objective 1, fundamental theoretical results have been gathered and/or derived concerning the properties of Boolean functions, S-boxes and different architectures constructed by combining them.

To accomplish objective 2, a library of C++ classes for analyzing cryptographic properties of Vector Boolean functions (VBF) is presented in this thesis. The stated mission of the VBF library is to provide a free open source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function, and to help in the design of new cryptographically interesting functions. This library has three main features:

1. It supports a large variety of representations useful from the cryptological viewpoint, such as: Truth Table (binary, decimal and hexadecimal), ANF Table, polynomials in ANF, Characteristic function, Walsh Spectrum; and characterizations such as Trace, Linear Profile, Differential Profile and Autocorrelation Spectrum.

2. It allows the analysis of the robustness of a cryptographic algorithm by means of a set of criteria related to confusion (Algebraic Degree, Nonlinearity, Balancedness, Correlation Immunity (CI), Resiliency and Algebraic Immunity, among others) and diffusion (Global Avalanche, Linearity Distance and Propagation, among others).

3. It allows obtaining some basic Vector Boolean functions by means of constructions such as: Composition, Inverse, Sum, Direct Sum, Concatenation, Addition of coordinate functions and Bricklayering.

The research work performed in this thesis relating to the first two outcomes has been published in http://vbflibrary.tk, [4], [5], [6], and [7].

Note that the theoretical results and the VBF library allow analysing the behaviour of the representations, characterizations and criteria when several cryptographic algorithms are interconnected. Accordingly, to address objective 3, we have conducted numerous security analyses of some Block Cipher candidates for the AES, CRYPTEC and NESSIE projects together with some other ciphers. This allowed us to obtain representations, characterizations and cryptographic criteria for these ciphers. The research work performed in this thesis relating to this outcome is published in http://vbflibrary.tk and in [7].

Finally, objective 4 has been fulfilled by developing optimization tools to obtain robust cipher components. Sets of balanced Boolean functions with 9 and 11 inputs with the best profiles known to date have been obtained.

1.4 Structure of the Thesis

This thesis is divided into eight chapters, including this introductory chapter. Chapter 2 presents a preliminary general framework including some basic theoretical background (to make the reader familiar with the notation and fundamental definitions), a brief description of several modern Block Ciphers, and the main basic features of the VBF library.

Chapter 3 presents the typical forms of Vector Boolean function representation used in cryptography. A definition of all these representations is given, as well as an introduction to the main cryptographic characterizations relating to each representation. In addition, the VBF library methods to obtain these representations and characterizations are described, and the relationships among them are also discussed.

Chapter 4 defines and discusses many important cryptographic criteria of Boolean functions and their extension to Vector Boolean functions. Following this, we develop a brief discussion on the relationship among criteria and to what extent they may reach good values within the same function. The methods in the VBF library to obtain these cryptographic criteria are also described, and the relationships among them are also discussed.

Chapter 5 describes some basic constructions for Vector Boolean functions together with the corresponding conditions on the cryptographic criteria that are obtained for such constructions. The methods in the VBF library to implement these constructions are also described.

Based on the results of the previous chapters, Chapter 6 analyses several modern cryptographic algorithms used in symmetric Block Ciphers. The research described in this chapter is complemented with a further analysis of other cryptosystems provided in http://vbflibrary.tk.

Chapter 7 presents a theoretical framework for the multicriteria optimization of Boolean functions and presents several computational schemes for the optimization of certain cryptographic criteria of Vector Boolean functions. New Boolean functions with unprecedented features are provided.

Finally, Chapter 8 draws the main conclusions from the research performed for this thesis. It also highlights several directions for future research in this field.


Chapter 2

Fundamentals of Block Ciphers and the VBF Library

This chapter provides a preliminary general framework to be referred to in the following chapters of the thesis. First, some basic theoretical background is provided to make the reader familiar with the notation and fundamental definitions employed in the chapter. Then, we present the structure of some well known Block Ciphers to be employed as a reference when developing the theoretical and practical contributions. Finally, we present the basic structure of the VBF library; this will allow a better combined exposition of the theoretical results together with the coding tools in the following chapters.

2.1 Basic Theoretical Background

In a symmetric cipher, the encryption (E) and decryption (D) can be defined as Vector Boolean functions E : K × P → C and D : K × C → P such that D(K, E(K, P)) = P, where:

• A = Symbols used in P,C or K.

• P = Plaintext space.

• C = Ciphertext space.

• K = Keyspace.

In modern symmetric ciphers, these concepts take the following values:

• A = GF(2) = Z2 = {0,1}.

• P = C = Vn = GF(2) × ··· × GF(2) (n factors)

• K = Vk = GF(2) × ··· × GF(2) (k factors)

• E, D : Vk × Vn → Vn

For most Block Ciphers, the ciphertext is produced by repeatedly applying a so-called round function. The key material used in the round function is called a round key. The round keys are computed from the key using a key-schedule algorithm. In the scope of modern ciphers, two different design approaches can be distinguished: Feistel ciphers and ciphers with substitution-permutation networks (SPNs). While a Feistel cipher modifies only half of the data in each round, a cipher with an SPN modifies the entire data. The nice feature of a Feistel cipher is that encryption and decryption are structurally identical, except for the round keys, which are reversed. Note that DES [107] is an example of a Feistel cipher and the current NIST block encryption standard AES [108] is an SPN cipher.

A modern Block Cipher results from the association of Vector Boolean functions. Most of these functions are linear or affine, but some of them, called S-boxes, are nonlinear, preventing the overall cryptosystem from being linear or affine and thus from being easily cryptanalysed. We could say that the robustness of a modern Block Cipher resides in the S-boxes and in the way all the building blocks of the cipher, each of which can be interpreted as a Vector Boolean function, are interconnected.
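As an added illustration of the two preceding paragraphs (a Feistel round rewrites only one half of the block, decryption is the same routine with the round keys reversed, and the nonlinear component is what keeps the whole map from being affine), the following Python is a constructed toy, not the thesis's VBF library nor any real cipher: the 16-bit block size, the round keys and the round function are all made up for the example.

```python
"""Constructed Feistel network (not a real cipher, not the VBF library's code).
Shows: each round modifies only half of the block, decryption is encryption with
the round keys reversed, and the round function is not affine over GF(2)."""
from typing import Callable, List

MASK8 = 0xFF


def toy_round_function(half: int, round_key: int) -> int:
    """Constructed nonlinear round function f(R, K) on 8-bit values.
    It need not be invertible: a Feistel network never inverts f."""
    x = (half ^ round_key) & MASK8
    x = (x * x + 3 * x + 1) & MASK8          # integer arithmetic mod 256: not affine over GF(2)
    return ((x << 3) | (x >> 5)) & MASK8     # rotate left by 3 within 8 bits


def feistel(block: int, round_keys: List[int]) -> int:
    """Run the Feistel rounds on a 16-bit block in the given key order.
    Per round: (L, R) -> (R, L xor f(R, K)); only one half is rewritten."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for rk in round_keys:
        left, right = right, left ^ toy_round_function(right, rk)
    # Undo the final swap so the same routine with reversed keys is the inverse.
    return (right << 8) | left


def encrypt(block: int, round_keys: List[int]) -> int:
    return feistel(block, round_keys)


def decrypt(block: int, round_keys: List[int]) -> int:
    # Structurally identical to encryption: only the key order differs.
    return feistel(block, list(reversed(round_keys)))


def is_affine_over_gf2(func: Callable[[int], int], bits: int = 8) -> bool:
    """True iff func(a xor b) == func(a) xor func(b) xor func(0) for all a, b,
    i.e. func is affine over GF(2)^bits (linear when func(0) == 0)."""
    size = 1 << bits
    f0 = func(0)
    return all(func(a ^ b) == func(a) ^ func(b) ^ f0
               for a in range(size) for b in range(size))


def roundtrip_ok(round_keys: List[int]) -> bool:
    """Check decrypt(encrypt(p)) == p over the whole 16-bit block space."""
    return all(decrypt(encrypt(p, round_keys), round_keys) == p
               for p in range(1 << 16))


if __name__ == "__main__":
    keys = [0x3A, 0xC5, 0x71, 0x9E]          # constructed round keys (no key schedule here)
    print(hex(encrypt(0x1234, keys)), roundtrip_ok(keys))
    print("round function affine over GF(2)?",
          is_affine_over_gf2(lambda r: toy_round_function(r, 0)))
```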

In stream cipher cryptography, a pseudo-random sequence of bits of length equal to the message length is generated. This sequence is then bit-wise XOR-ed (addition modulo 2) with the message sequence and the resulting sequence is transmitted. At the receiving end, deciphering is done by generating the same pseudo-random sequence and again bit-wise XOR-ing the cipher bits with the random bits. The seed of the pseudo-random bit generator is obtained from the secret key.

Linear Feedback Shift Registers (LFSRs) are important building blocks in stream cipher systems. A standard model of stream cipher [17], [145], [146] combines the outputs of several independent LFSR sequences using a nonlinear Boolean Function to produce the keystream. As LFSRs are linear, some form of nonlinearity is introduced by using nonlinear Boolean Functions (see [130]).

2.1.1 Definitions

The mathematical theory of Vector Boolean functions starts with the formal definition of vector spaces whose elements (vectors) have binary components. Let <GF(2), +, ·> be the finite field of order 2, where GF(2) = Z2 = {0, 1}, '+' is the integer addition modulo 2 and '·' is the integer multiplication modulo 2. Vn is the vector space of n-tuples of elements from GF(2). The direct sum of x ∈ Vn1 and y ∈ Vn2 is defined as x ⊕ y = (x1, ..., xn1, y1, ..., yn2) ∈ Vn1+n2. The inner product of x, y ∈ Vn is denoted by x · y, and the inner product of real vectors x, y ∈ Rn is denoted by ⟨x, y⟩. The weight of an n-bit vector u is the number of ones in u and is denoted by wt(u). The (Hamming) distance between two vectors x = (x1, x2, ..., xn) and y = (y1, y2, ..., yn) is the number of places where they differ and is denoted by d(x, y).

One can now define binary functions between such vector spaces, whose cryptanalysis (for robustness-against-attacks purposes) is very important. f : Vn → GF(2) is called a Boolean function and Fn is the set of all Boolean functions on Vn. Ln is the set of all linear Boolean functions on Vn, Ln = {lu | u ∈ Vn, lu(x) = u · x}, and An is the set of all affine Boolean functions on Vn.

A Truth Table is a tabulation of all possible combinations of input values and their corresponding outputs. For an n-variable Boolean function the Truth Table contains 2^n rows, one for each assignment of the input variables, and one column for the output. The weight of a Boolean function is the weight of its Truth Table.

It is possible to characterize Boolean functions via alternative and very useful associated mappings. In the following, some of these mappings are presented. The real-valued mapping χu(x) = (−1)^{Σ_{i=1}^{n} ui xi} = (−1)^{u·x} for x, u ∈ Vn is called a character. The character form of f ∈ Fn is defined as χf(x) = (−1)^{f(x)}. The Truth Table of χf is called the (1, −1)-sequence vector or sequence vector of f and is denoted by ξf ∈ R^{2^n}.

The autocorrelation of f ∈ Fn with respect to the shift u ∈ Vn is a measure of the statistical dependency among the involved variables (indicating robustness against randomness-based attacks). It is the cross-correlation of f with itself, denoted by rf(u) : Vn → Z and defined by¹:

r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) = \sum_{x \in V_n} (-1)^{f(x) + f(x+u)}   (2.1)

The directional derivative of f ∈ Fn in the direction of u ∈ Vn is defined by:

\Delta_u f(x) = f(x+u) + f(x), \quad x \in V_n   (2.2)

We shall call the linear kernel of f the set of those vectors u such that Δu f is a constant function. The linear kernel of any Boolean function is a subspace of Vn. Any element u of the linear kernel of f is said to be a linear structure of f.

Let f ∈ Fn; u ∈ Vn is called a linear structure of f if and only if [116] |rf(u)| = 2^n.

¹ Most authors omit the factor 1/2^n.


We now extend the scope of the study by considering functions between any pair ofbinary-valued vector spaces. F : Vn → Vm, F(x) = ( f1(x), . . . , fm(x)) is called a VectorBoolean function and Fn,m is the set of all Vector Boolean functions F : Vn→ Vm. Eachfi : Vn→ GF(2) ∀ i ∈ {1, . . . ,m} is a coordinate function of F . The component functionsof F are the linear combinations, with non all-zero coefficients, of the coordinate functionsof F (their set is the vector space spanned by the coordinate functions, deprived of the nullfunction if the coordinate functions are GF(2)-linearly independent). The indicator functionof F ∈ Fn,m, denoted by θF : Vn×Vm→{0,1}, is defined in [29] as:

$$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (2.3)$$

A Vector Boolean function $F \in \mathcal{F}_{n,m}$ of the form $F(x) = x \cdot A + b$, with $x \in V_n$, $A \in M_{n \times m}(GF(2))$ and $b \in V_m$, is affine; if $b = 0$ then $F$ is linear, and if $b \neq 0$ then $F$ is affine but not linear.

Several mappings associated with a Vector Boolean function can be defined, in similar terms to the binary functions case. Hence, the character form of $(u,v) \in V_n \times V_m$ can be defined as follows: $\chi_{(u,v)}(x,y) = (-1)^{u \cdot x + v \cdot y}$.

Also, the autocorrelation of $F \in \mathcal{F}_{n,m}$ with respect to the shift $(u,v) \in V_n \times V_m$ is the cross-correlation of $F$ with itself, denoted by $r_F(u,v): V_n \times V_m \to \mathbb{Z}$, so that [115]:

$$r_F(u,v) = \sum_{x \in V_n} \chi_{v \cdot F}(x+u)\,\chi_{v \cdot F}(x) = \sum_{x \in V_n} (-1)^{v \cdot F(x+u) + v \cdot F(x)} \qquad (2.4)$$

Let $F \in \mathcal{F}_{n,m}$ and $u \in V_n$, then the difference Vector Boolean function of $F$ in the direction of $u \in V_n$, denoted by $\Delta_u F \in \mathcal{F}_{n,m}$, is defined as follows: $\Delta_u F(x) = F(x+u) + F(x)$, $x \in V_n$. $F$ has a linear structure if there exist a vector $u \in V_n$ and $v \in V_m$ so that $|r_{v \cdot F}(u)| = 2^n$, that is, the component function $v \cdot F$ has $u$ as a linear structure. The cases $u = 0$ and $v = 0$ satisfy the equality trivially ($\Delta_0 (v \cdot F)$ and $0 \cdot F$ are constant), so in practice only $u \neq 0$, $v \neq 0$ are of interest.

Finally, we define the simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{uv}\}_{u,v}$, characterized by vectors $u$ and $v$, as: $\max(a_{uv}) = \max_{(u,v)} \{|a_{uv}|\}$. Using the same simplifying notation, we can define the $\overset{*}{\max}(\cdot)$ operator on a set of real numbers $\{a_{uv}\}_{u,v}$ as: $\overset{*}{\max}(a_{uv}) = \max_{(u,v) \neq (0,0)} \{|a_{uv}|\}$. This notation will be used in some criteria definitions.
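The definitions above are small enough to compute by brute force. The following Python is an added example, not code from the thesis or the VBF library: it evaluates the autocorrelation $r_f(u)$ of (2.1), the directional derivative of (2.2), the linear kernel, and the spectrum $r_F(u,v)$ of (2.4) together with the $\overset{*}{\max}$ operator, on a constructed Boolean function and a constructed $3 \times 3$ toy S-box (neither taken from the thesis). Truth tables are lists indexed by the integer whose bit $i$ is the variable $x_i$.

```python
# Added example, not code from the thesis or the VBF library: autocorrelation
# r_f(u) of eq. (2.1), directional derivative of eq. (2.2), linear kernel, and
# the autocorrelation spectrum r_F(u,v) of eq. (2.4) for a constructed toy
# S-box F: V_3 -> V_3. Truth tables are lists indexed by the integer whose
# bit i is the variable x_i.

def parity(x):
    """Parity of popcount(x): the GF(2) inner product u.x is parity(u & x)."""
    return bin(x).count("1") & 1

def autocorrelation(f, n, u):
    """r_f(u) = sum over x in V_n of (-1)^(f(x) + f(x+u)), eq. (2.1)."""
    return sum((-1) ** (f[x] ^ f[x ^ u]) for x in range(1 << n))

def derivative(f, n, u):
    """Truth table of Delta_u f(x) = f(x+u) + f(x), eq. (2.2)."""
    return [f[x ^ u] ^ f[x] for x in range(1 << n)]

def is_linear_structure(f, n, u):
    """u is a linear structure of f iff Delta_u f is constant."""
    d = derivative(f, n, u)
    return all(b == d[0] for b in d)

def linear_kernel(f, n):
    """All u with Delta_u f constant; cross-checked against |r_f(u)| = 2^n."""
    kernel = []
    for u in range(1 << n):
        by_derivative = is_linear_structure(f, n, u)
        by_autocorrelation = abs(autocorrelation(f, n, u)) == (1 << n)
        assert by_derivative == by_autocorrelation   # the two characterizations agree
        if by_derivative:
            kernel.append(u)
    return kernel

def component(F, n, v):
    """Truth table of the component function v.F (v in V_m selects coordinates)."""
    return [parity(v & F[x]) for x in range(1 << n)]

def autocorrelation_spectrum(F, n, m):
    """{(u, v): r_F(u, v)} for all shifts, eq. (2.4): r_{v.F}(u) for each component."""
    return {(u, v): autocorrelation(component(F, n, v), n, u)
            for u in range(1 << n) for v in range(1 << m)}

def star_max(spectrum):
    """The *max operator: max |a_uv| over (u, v) != (0, 0)."""
    return max(abs(a) for (u, v), a in spectrum.items() if (u, v) != (0, 0))

def linear_structures(F, n, m):
    """Non-trivial (u, v), u != 0 and v != 0, with |r_{v.F}(u)| = 2^n."""
    spectrum = autocorrelation_spectrum(F, n, m)
    return sorted((u, v) for (u, v), a in spectrum.items()
                  if u != 0 and v != 0 and abs(a) == (1 << n))

# Constructed toy inputs (not from the thesis).
# f(x0, x1, x2) = x0*x1 + x2: x2 enters linearly, so u = 100b = 4 is a linear
# structure of f while no other non-zero shift is.
N = 3
F_BOOL = [((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1) for x in range(1 << N)]

def toy_sbox(x):
    """Bijective toy S-box with coordinates (x0*x1 + x2, x0, x1) as bits (0, 1, 2)."""
    x0, x1, x2 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    return ((x0 & x1) ^ x2) | (x0 << 1) | (x1 << 2)

F_VEC = [toy_sbox(x) for x in range(1 << N)]

if __name__ == "__main__":
    print("linear kernel of f:", linear_kernel(F_BOOL, N))
    print("toy S-box:", F_VEC)
    print("linear structures (u, v):", linear_structures(F_VEC, N, N))
    print("*max of autocorrelation spectrum:", star_max(autocorrelation_spectrum(F_VEC, N, N)))
```

The toy S-box is deliberately weak: its second and third coordinates are linear, so every shift $u \neq 0$ is a linear structure of the components $v \in \{2, 4, 6\}$, and the nonlinear components only admit $u = 4$. A designer would reject such a box exactly because $\overset{*}{\max}$ of its autocorrelation spectrum reaches $2^n$.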

2.2 Block Ciphers

A Block Cipher can be divided into two parts: a data processing part and a key scheduling part.

Among the Block Ciphers that are analysed throughout this thesis, it is important to mention Mini-AES, KASUMI, DES and AES. In this section, we provide a succinct description of these algorithms. A detailed cryptographical analysis of them and other ciphers can be found on http://vbflibrary.tk.

Fig. 2.1 Typical internal construction of a Block Cipher.

2.2.1 Mini-AES Cipher

Introduction

Raphael Chung-Wei Phan presented a version of the AES [120], with all the parameters significantly reduced while preserving its original structure. This Mini version is purely educational and is designed to grasp the underlying concepts of Rijndael-like ciphers. It may also serve as a test-bed for starting cryptanalysts to experiment with various cryptanalytic attacks. The Mini-AES cipher is a $16 \times 16$ Vector Boolean function and the Mini-AES encryption is performed with a secret key of 16 bits.

It takes a 16-bit input block and processes the block by repeating the basic operations of a round twice. Each round consists of (1) substitution based on the S-box NibbleSub $\gamma$, (2) a transposition of the bits (i.e., permutation of the bit positions) based on ShiftRow $\pi$ and MixColumn $\theta$, and (3) key addition $\sigma_{k_i}$.

Mini-AES has an S-box, NibbleSub, which operates on a nibble (4 bits) at a time. In addition, another component, MixColumn, operates on words of 4 nibbles. Section A.3 presents the mathematical background needed for the reader to have a clearer understanding of the components of Mini-AES.

Substitution

In Mini-AES cipher, we break the 16-bit plaintext block into four 4-bit sub-blocks. Each sub-block forms an input to a $4 \times 4$ S-box (a substitution with 4 input and 4 output bits) called NibbleSub $\gamma$, which can be easily implemented with a table lookup of sixteen 4-bit values, indexed by the integer represented by the 4 input bits.

For Mini-AES cipher, the same nonlinear mapping for all S-boxes is used. The mapping chosen for our cipher, given in Table 2.1, is chosen from the S-boxes of DES. (It is the first row of the first S-box.)

Table 2.1 NibbleSub Truth Table.

Input  Output
0000   1110
0001   0100
0010   1101
0011   0001
0100   0010
0101   1111
0110   1011
0111   1000
1000   0011
1001   1010
1010   0110
1011   1100
1100   0101
1101   1001
1110   0000
1111   0111

Permutation

The permutation portion of a round is simply the transposition of the bits or the permutation of the bit positions. The permutation of Figure 2.2 is given by two operations, ShiftRow $\pi$ and MixColumn $\theta$. Note that there would be no MixColumn in the last round.

ShiftRow rotates each row of the input block to the left by different nibble amounts. The first row is unchanged while the second row is rotated left by one nibble.


MixColumn takes each column of the input block and multiplies it with a constant matrix to obtain a new output column. If $a = (a_0, a_1, a_2, a_3)$ and $b = (b_0, b_1, b_2, b_3)$ denote the input and output to MixColumn respectively, then:

$$\begin{bmatrix} b_0 \\ b_1 \end{bmatrix} = \begin{bmatrix} 0011 & 0010 \\ 0010 & 0011 \end{bmatrix} \begin{bmatrix} a_0 \\ a_1 \end{bmatrix} \qquad (2.5)$$

and

$$\begin{bmatrix} b_2 \\ b_3 \end{bmatrix} = \begin{bmatrix} 0011 & 0010 \\ 0010 & 0011 \end{bmatrix} \begin{bmatrix} a_2 \\ a_3 \end{bmatrix} \qquad (2.6)$$

Hence, $b_0 = (0011 \times a_0) + (0010 \times a_1)$ and $b_1 = (0010 \times a_0) + (0011 \times a_1)$. Similarly, $b_2 = (0011 \times a_2) + (0010 \times a_3)$ and $b_3 = (0010 \times a_2) + (0011 \times a_3)$. Here $\times$ and $+$ denote multiplication and addition of nibbles in $GF(2^4)$ (addition being bitwise XOR), so the constants $0011$ and $0010$ are the field elements $x+1$ and $x$.

Key Addition

To achieve the key addition, Mini-AES uses a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a subkey) and the data block input to a round. Normally, in a cipher, the subkey for a round is derived from the cipher's master key through a process known as the key schedule. In Mini-AES, the 16-bit secret key is passed through a key schedule to produce one 16-bit round key, $k_0$, to be used prior to the first round, and a 16-bit round key, $k_i$, for use in each round of Mini-AES. Mini-AES encryption is defined to have 2 rounds, hence three round keys, $k_0$, $k_1$ and $k_2$, are generated. The Key Addition operation is denoted by $\sigma_{k_0}, \sigma_{k_1}, \sigma_{k_2}$ respectively.

Denote the 16-bit secret key $K$ as 4 nibbles, $K = (k_0, k_1, k_2, k_3)$ (the same symbols $k_i$ are reused here for the key nibbles), and likewise the round keys as $k_0 = (w_0, w_1, w_2, w_3)$, $k_1 = (w_4, w_5, w_6, w_7)$ and $k_2 = (w_8, w_9, w_{10}, w_{11})$. Then, the round key values are obtained from the secret key as in Table 2.2. Note that in each round, round constants $rcon(i)$ are used, where $rcon(1) = 0001$ and $rcon(2) = 0010$.

Encryption

The application of the four components NibbleSub, ShiftRow, MixColumn and KeyAddition in sequence constitutes one round. The full Mini-AES encryption consists of two such rounds, with the exclusion of MixColumn from the last round and the inclusion of an extra KeyAddition prior to the first round. Hence, Mini-AES encryption can be denoted by:

$$\text{Mini-AES}_{\text{Encrypt}} = \sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0} \qquad (2.7)$$


Fig. 2.2 Structure of Mini-AES cipher.


Table 2.2 Generation of the Round Keys of Mini-AES.

Round  Round Key Values
0      $w_0 = k_0$, $w_1 = k_1$, $w_2 = k_2$, $w_3 = k_3$
1      $w_4 = w_0 + \text{NibbleSub}(w_3) + rcon(1)$, $w_5 = w_1 + w_4$, $w_6 = w_2 + w_5$, $w_7 = w_3 + w_6$
2      $w_8 = w_4 + \text{NibbleSub}(w_7) + rcon(2)$, $w_9 = w_5 + w_8$, $w_{10} = w_6 + w_9$, $w_{11} = w_7 + w_{10}$

Note that the symbol $\circ$ refers to the composition of functions and the order of execution is from right to left, which means that $\sigma_{k_0}$ is executed first.

Decryption

In order to decrypt, data is essentially passed backwards through the cipher. However, the mappings used in the S-boxes of the decryption network are the inverse of the mappings in the encryption network (i.e., input becomes output, output becomes input). This implies that in order for a cipher to allow for decryption, all S-boxes must be bijective, that is, a one-to-one mapping with the same number of input and output bits. As well, in order for the cipher to properly decrypt, the subkeys are applied in reverse order and the bits of the subkeys must be moved around according to the permutation. Note also that the lack of the permutation after the last round ensures that the decryption network can have the same structure as the encryption network.

$$\begin{aligned}
\text{Mini-AES}_{\text{Decrypt}} &= (\sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0})^{-1} \\
&= \sigma_{k_0}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \theta^{-1} \circ \sigma_{k_1}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \sigma_{k_2}^{-1} \\
&= \sigma_{k_0} \circ \gamma^{-1} \circ \pi \circ \theta \circ \sigma_{k_1} \circ \gamma^{-1} \circ \pi \circ \sigma_{k_2}
\end{aligned} \qquad (2.8)$$

We arrive at this expression since each key addition $\sigma_{k_i}$ is an XOR operation, which is its own inverse. We have also specially chosen the constant matrix in MixColumn, $\theta$, such that the inverse of MixColumn, $\theta^{-1}$, is the same as MixColumn itself. Since ShiftRow simply causes the second row to be rotated left by one nibble amount, the inverse of ShiftRow, $\pi^{-1}$, causes the second row to be rotated right by one nibble. Rotating the nibble left or right are one and the same operation because one row only has two nibbles, therefore inverse ShiftRow is the same as ShiftRow. NibbleSub is a nibble substitution operation based on Table 2.1. The inverse of Table 2.1 is easily computed by interchanging the input nibble with the output nibble, and then re-sorting it based on the new input nibble, as given in Table 2.3 below.

Table 2.3 Inverse NibbleSub Truth Table.

Input  Output
0000   1110
0001   0011
0010   0100
0011   1000
0100   0001
0101   1100
0110   1010
0111   1111
1000   0111
1001   1101
1010   1001
1011   0110
1100   1011
1101   0010
1110   0000
1111   0101
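The whole of Mini-AES as described above fits in a few dozen lines, which makes it a convenient test vector generator for a library such as VBF. The following Python is an added example, not code from the thesis, from Phan's paper or from the VBF library. Two details are not fixed by the text and are assumed here: nibble multiplication in MixColumn is done in $GF(2^4)$ modulo $x^4 + x + 1$, and the $2 \times 2$ state stores the nibbles column-wise, $(a_0, a_1)$ in the first column and $(a_2, a_3)$ in the second, so that ShiftRow swaps $a_1$ and $a_3$. Everything else (NibbleSub, the key schedule of Table 2.2 with the $w_7$ row, equations (2.5) to (2.8)) follows the text.

```python
# Added example, not code from the thesis, Phan's paper or the VBF library:
# a complete Mini-AES built from Table 2.1 (NibbleSub), Table 2.2 (key
# schedule), eqs. (2.5)-(2.6) (MixColumn) and eqs. (2.7)-(2.8).
# Assumptions not stated in the text: nibble arithmetic is GF(2^4) modulo
# x^4 + x + 1, and the 2x2 state holds nibbles column-wise, (a0, a1) in the
# first column and (a2, a3) in the second, so ShiftRow swaps a1 and a3.

NIBBLE_SUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
              0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]          # Table 2.1
NIBBLE_SUB_INV = [NIBBLE_SUB.index(y) for y in range(16)]      # Table 2.3
RCON = {1: 0b0001, 2: 0b0010}

def gf16_mul(a, b):
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1 (assumed polynomial)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0b10011
    return r & 0xF

def split(block):
    """16-bit block -> nibbles [a0, a1, a2, a3], a0 most significant."""
    return [(block >> (12 - 4 * i)) & 0xF for i in range(4)]

def join(nibbles):
    return (nibbles[0] << 12) | (nibbles[1] << 8) | (nibbles[2] << 4) | nibbles[3]

def nibble_sub(state, table=NIBBLE_SUB):
    """gamma: NibbleSub on every nibble (pass NIBBLE_SUB_INV for gamma^-1)."""
    return [table[x] for x in state]

def shift_row(state):
    """pi: first row (a0, a2) unchanged, second row (a1, a3) rotated by one nibble.
    With two nibbles per row, pi is an involution, as the text observes."""
    a0, a1, a2, a3 = state
    return [a0, a3, a2, a1]

def mix_column(state):
    """theta: eqs. (2.5) and (2.6); the matrix [[3,2],[2,3]] is its own inverse."""
    a0, a1, a2, a3 = state
    return [gf16_mul(3, a0) ^ gf16_mul(2, a1), gf16_mul(2, a0) ^ gf16_mul(3, a1),
            gf16_mul(3, a2) ^ gf16_mul(2, a3), gf16_mul(2, a2) ^ gf16_mul(3, a3)]

def key_add(state, round_key):
    """sigma_k: nibble-wise XOR with the round key."""
    return [x ^ k for x, k in zip(state, round_key)]

def key_schedule(key):
    """Table 2.2: w0..w11 from the four key nibbles; round key i is (w4i, ..., w4i+3)."""
    w = split(key)
    for i in (1, 2):
        w.append(w[4 * i - 4] ^ NIBBLE_SUB[w[4 * i - 1]] ^ RCON[i])
        for j in (1, 2, 3):
            w.append(w[4 * i - 4 + j] ^ w[-1])
    return w[0:4], w[4:8], w[8:12]

def encrypt(plaintext, key):
    """Eq. (2.7): sigma_k2 . pi . gamma . sigma_k1 . theta . pi . gamma . sigma_k0."""
    k0, k1, k2 = key_schedule(key)
    s = key_add(split(plaintext), k0)
    s = key_add(mix_column(shift_row(nibble_sub(s))), k1)    # round 1
    s = key_add(shift_row(nibble_sub(s)), k2)                # round 2: no MixColumn
    return join(s)

def decrypt(ciphertext, key):
    """Eq. (2.8): the same pi and theta are reused because both are involutions."""
    k0, k1, k2 = key_schedule(key)
    s = key_add(split(ciphertext), k2)
    s = key_add(nibble_sub(shift_row(s), NIBBLE_SUB_INV), k1)              # undo round 2
    s = key_add(nibble_sub(shift_row(mix_column(s)), NIBBLE_SUB_INV), k0)  # undo round 1
    return join(s)

if __name__ == "__main__":
    key, pt = 0x3C5A, 0x9C63          # constructed sample values
    ct = encrypt(pt, key)
    print("round keys:", [[f"{n:x}" for n in rk] for rk in key_schedule(key)])
    print(f"plaintext {pt:04x} -> ciphertext {ct:04x} -> {decrypt(ct, key):04x}")
```

Because the decryption path reuses `shift_row` and `mix_column` unchanged, running it is also a check of the two involution claims made above; only NibbleSub needs its inverse table.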

2.2.2 KASUMI Cipher

Description

KASUMI cipher is used in UMTS [155], GSM [67], and GPRS [65] mobile communications systems. UMTS uses KASUMI [76] in the confidentiality and integrity algorithms named UEA1 and UIA1 [76], respectively. GSM employs KASUMI in the A5/3 key stream generator whereas GPRS does so in the GEA3 key stream generator.

KASUMI encrypts a 64-bit input by iter
ating a round function 8 times. The round function consists of the composition of a 32-bit non-linear mixing function (FO) and a 32-bit linear mixing function (FL). The FO-function is again an iterated "ladder-design" consisting of 3 rounds of a 16-bit non-linear mixing function FI. In turn, FI is defined as a 4-round structure using non-linear look-up tables S7 and S9. All functions involved will mix the data input with key material.

FI Function

The FI function is a $16 \times 16$ Vector Boolean function which constitutes the basic randomizing function of KASUMI. It is composed of a four-round structure using the S-boxes S7 and S9 as shown in Figure 2.3.

The function FI takes a 16-bit data input $I$ and a 16-bit subkey $KI_{i,j}$. The input $I$ is split into two unequal components, a 9-bit left half $L_0$ and a 7-bit right half $R_0$, where $I = L_0 \| R_0$. Similarly the key $KI_{i,j}$ is split into a 7-bit component $KI_{i,j,1}$ and a 9-bit component $KI_{i,j,2}$, where $KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2}$. The function uses two S-boxes, S7 which maps a 7-bit input to a 7-bit output, and S9 which maps a 9-bit input to a 9-bit output. It also uses two additional functions which are designated $ZE()$ and $TR()$, where $ZE(x)$ takes the 7-bit value $x$ and converts it to a 9-bit value by adding two zero bits to the most-significant end, and $TR(x)$ takes the 9-bit value $x$ and converts it to a 7-bit value by discarding the two most-significant bits. The following equations summarize the implementation of function FI:

$$I = L_0 \| R_0, \qquad KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2} \qquad (2.9)$$

$$\begin{aligned}
L_1 &= R_0, & R_1 &= S9(L_0) + ZE(R_0) \\
L_2 &= R_1 + KI_{i,j,2}, & R_2 &= S7(L_1) + TR(R_1) + KI_{i,j,1} \\
L_3 &= R_2, & R_3 &= S9(L_2) + ZE(R_2) \\
L_4 &= S7(L_3) + TR(R_3), & R_4 &= R_3
\end{aligned} \qquad (2.10)$$

$$\begin{aligned}
L_4 &= S7\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big) \\
&\quad + TR\big(S9(S9(L_0) + ZE(R_0) + KI_{i,j,2}) + ZE(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1})\big) \\
R_4 &= S9(R_1 + KI_{i,j,2}) + ZE\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big)
\end{aligned} \qquad (2.11)$$

being the output $L_4 \| R_4$.
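The ladder of (2.10) and its unrolled form (2.11) are easy to confuse when the unequal 9/7-bit widths, $ZE$ and $TR$ are written out, so the following Python is an added example, not code from the thesis or from the 3GPP specification, that implements both and checks they agree, and that walks the ladder backwards to show FI is invertible whenever S7 and S9 are bijective. The real KASUMI S7 and S9 tables do not appear in this text, so seeded placeholder permutations stand in for them; only the structure is demonstrated, not KASUMI's actual values.

```python
# Added example, not code from the thesis or the 3GPP specification: the FI
# ladder of eqs. (2.9)-(2.11) step by step, its unrolled form, and its inverse.
# The real KASUMI S7 and S9 tables are not reproduced in this text, so seeded
# placeholder permutations stand in for them; only the structure (bit widths,
# ZE, TR, key mixing, invertibility) is demonstrated.
import random

def placeholder_sbox(bits, seed):
    """A fixed bijection on `bits`-bit values; NOT the real KASUMI S-box."""
    table = list(range(1 << bits))
    random.Random(seed).shuffle(table)
    return table

S7 = placeholder_sbox(7, seed=7)
S9 = placeholder_sbox(9, seed=9)
S7_INV = [S7.index(y) for y in range(128)]
S9_INV = [S9.index(y) for y in range(512)]

def ZE(x7):
    """7-bit -> 9-bit by prepending two zero bits (the integer value is unchanged)."""
    return x7 & 0x7F

def TR(x9):
    """9-bit -> 7-bit by discarding the two most-significant bits."""
    return x9 & 0x7F

def split_input(I, KI):
    """Eq. (2.9): I = L0 || R0 (9 || 7 bits), KI = KI1 || KI2 (7 || 9 bits)."""
    return I >> 7, I & 0x7F, KI >> 9, KI & 0x1FF

def fi(I, KI):
    """Eq. (2.10), one ladder step per line; returns L4 || R4 (7 || 9 bits)."""
    L0, R0, KI1, KI2 = split_input(I, KI)
    L1, R1 = R0, S9[L0] ^ ZE(R0)
    L2, R2 = R1 ^ KI2, S7[L1] ^ TR(R1) ^ KI1
    L3, R3 = R2, S9[L2] ^ ZE(R2)
    L4, R4 = S7[L3] ^ TR(R3), R3
    return (L4 << 9) | R4

def fi_unrolled(I, KI):
    """Eq. (2.11): the same function with the intermediate variables substituted."""
    L0, R0, KI1, KI2 = split_input(I, KI)
    t = S7[R0] ^ TR(S9[L0] ^ ZE(R0)) ^ KI1                 # this is L3 = R2
    R4 = S9[S9[L0] ^ ZE(R0) ^ KI2] ^ ZE(t)
    L4 = S7[t] ^ TR(R4)
    return (L4 << 9) | R4

def fi_inverse(out, KI):
    """Walk the ladder backwards; requires S7 and S9 to be bijective."""
    L4, R4 = out >> 9, out & 0x1FF
    KI1, KI2 = KI >> 9, KI & 0x1FF
    R3 = R4
    L3 = S7_INV[L4 ^ TR(R3)]
    R2 = L3
    L2 = S9_INV[R3 ^ ZE(R2)]
    R1 = L2 ^ KI2
    L1 = S7_INV[R2 ^ TR(R1) ^ KI1]
    R0 = L1
    L0 = S9_INV[R1 ^ ZE(R0)]
    return (L0 << 7) | R0

if __name__ == "__main__":
    I, KI = 0x1234, 0xABCD          # constructed sample values
    out = fi(I, KI)
    print(f"FI({I:04x}, {KI:04x}) = {out:04x}; inverse -> {fi_inverse(out, KI):04x}")
```

Note the widths: $KI_{i,j,1}$ (7 bits) is only ever XORed into a 7-bit branch and $KI_{i,j,2}$ (9 bits) into a 9-bit branch, which is what makes every line of the ladder well typed.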

Fig. 2.3 Structure of KASUMI cipher FI function (figure labels: 16-bit input split into a 9-bit and a 7-bit branch; S9, S7, S9, S7; zero-extend; truncate; subkeys $KI_{i,j,1}$ and $KI_{i,j,2}$).

2.2.3 DES Cipher

The Data Encryption Standard (DES) was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition.

DES operates on a 64-bit block of plaintext. After an initial permutation (IP), the block is broken into a right half ($R_0$) and a left half ($L_0$), each 32 bits long. Then there are 16 rounds of identical operations, called Function $f$ or Feistel function, in which data are combined with the key. After the sixteenth round, the right and left halves are joined, and a final permutation (the inverse of the initial permutation, $IP^{-1}$) finishes off the algorithm.

The Feistel function ($f$), depicted in Figure 2.5, operates on half a block (32 bits) at a time and consists of four stages:

1. Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit ($8 \times 6 = 48$ bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.

2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys (one for each round) are derived from the main key using the key schedule.

3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the 8 S-boxes replaces its 6 input bits with 4 output bits according to a non-linear transformation, provided in the form of a lookup table.

4. Permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, each S-box's output bits are spread across 4 different S-boxes in the next round.
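The property worth seeing in code is that a Feistel network decrypts with the same network and reversed subkeys no matter what $f$ is, even though each S-box maps 6 bits to 4 and is therefore not invertible. The following Python is an added example, not code from the thesis or from FIPS 46: it derives the expansion E from the rule in step 1 rather than copying the table, and runs a 16-round Feistel round trip. The eight DES S-boxes, the P-box, IP/IP$^{-1}$ and the key schedule are not reproduced in this text, so constructed placeholders (labelled as such) stand in for them.

```python
# Added example, not code from the thesis or FIPS 46: a DES-style Feistel
# network with the expansion E generated from the rule in step 1 (each 6-bit
# piece = 4 input bits plus one neighbour on either side) and decryption by
# reversing the subkeys. The DES S-boxes, P-box, IP/IP^-1 and key schedule are
# not in this text, so constructed placeholders stand in for them; the point
# shown is that the round function f need not be invertible at all.

def expansion_table():
    """E as 48 one-based positions of input bits (bit 1 is the most significant)."""
    table = []
    for piece in range(8):
        for offset in range(-1, 5):              # left neighbour, 4 own bits, right neighbour
            table.append((4 * piece + offset) % 32 + 1)
    return table

E = expansion_table()

def permute(value, width, table):
    """Generic bit selection: output bit j is input bit table[j] (one-based)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def expand(half):
    return permute(half, 32, E)                  # 32 -> 48 bits

def placeholder_sbox(six, idx):
    """Placeholder 6 -> 4 bit map (NOT a DES S-box); necessarily non-injective."""
    return ((six * (2 * idx + 3)) ^ (six >> 2) ^ idx) & 0xF

PLACEHOLDER_P = [(17 * j) % 32 + 1 for j in range(32)]   # a fixed permutation, NOT DES's P

def feistel_f(half, subkey):
    """The four stages above: expansion, key mixing, substitution, permutation."""
    mixed = expand(half) ^ subkey
    sbox_out = 0
    for i in range(8):
        six = (mixed >> (42 - 6 * i)) & 0x3F
        sbox_out = (sbox_out << 4) | placeholder_sbox(six, i)
    return permute(sbox_out, 32, PLACEHOLDER_P)

def feistel(block, subkeys):
    """16 rounds of L_{i+1} = R_i, R_{i+1} = L_i xor f(R_i, k_i); output R16 || L16."""
    L, R = block >> 32, block & 0xFFFFFFFF
    for k in subkeys:
        L, R = R, L ^ feistel_f(R, k)
    return (R << 32) | L

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    """Same network, subkeys in reverse order."""
    return feistel(block, list(reversed(subkeys)))

def constructed_subkeys(seed):
    """16 constructed 48-bit subkeys (NOT the DES key schedule)."""
    return [(seed * (i + 1) * 0x9E3779B97F4A7C15) & 0xFFFFFFFFFFFF for i in range(16)]

if __name__ == "__main__":
    keys = constructed_subkeys(0x0123456789ABCDEF)
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, keys)
    print("E =", E)
    print(f"{pt:016x} -> {ct:016x} -> {decrypt(ct, keys):016x}")
```

Swapping the halves after the last round and then undoing it (the `(R << 32) | L` return) is what lets the same function serve for both directions; with IP and $IP^{-1}$ added on the outside the structure is exactly that of Figure 2.4.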

2.2.4 AES Cipher

The Advanced Encryption Standard (AES), also referenced as Rijndael (its original name), has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) since 2002. The AES is a 128-bit Block Cipher, and supports secret key sizes of 128, 192 or 256 bits. We will describe the details of the AES with reference to a 128-bit key. The other variants are similar in nature.

The 128-bit block of the AES is expressed as a matrix of $4 \times 4$ bytes called state, in contrast to Mini-AES being expressed as a matrix of $2 \times 2$ nibbles. AES consists of 10 rounds, where each round is similar to the round of Mini-AES, with the last round having no MixColumn. There is also a KeyAddition prior to the first round. The purpose of the extra KeyAddition and the omission of MixColumn is so that encryption and decryption of the AES would be similar in structure, and this simplifies implementation.

Fig. 2.4 Structure of DES cipher.

Fig. 2.5 The Feistel function of DES.

The round components of the AES are SubBytes, ShiftRow, MixColumn and KeyAddition. SubBytes is similar to NibbleSub, but operates on one byte instead of one nibble. Likewise, ShiftRow rotates each row of the input block to the left by different byte amounts. The first row is unchanged, the second rotated left by 1 byte, the third by 2 and the fourth by 3. MixColumn takes each column of the input block and multiplies it with a constant $4 \times 4$ matrix. KeyAddition is similar to that of Mini-AES.

A high-level description of this algorithm would be:

1. KeyExpansions: round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.

2. InitialRound

(a) AddRoundKey: each byte of the state is combined with a block of the round key using bit-wise XOR.

3. Rounds

(a) SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.

(b) ShiftRows: a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.

(c) MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.

(d) AddRoundKey

4. Final Round (no MixColumns)

(a) SubBytes

(b) ShiftRows

(c) AddRoundKey

The Mini-AES key schedule takes the 16-bit secret key and expresses it as a group of four nibbles. Meanwhile, the AES key schedule takes the 128-bit secret key and expresses it as a group of four 32-bit words. The 0th round key, $K_0$, equals the secret key itself, while each subsequent round key is derived from the previous one in almost the same way as in Mini-AES.

Substitution or SubBytes Step

In AES cipher, we break the 128-bit plaintext block into sixteen 8-bit sub-blocks (bytes). Each sub-block forms an input to an $8 \times 8$ S-box (a substitution with 8 input and 8 output bits) called the Rijndael S-box $S_{RD}$. It is represented in hexadecimal notation as shown in Figure 2.6. There the column is determined by the least significant nibble (four-bit aggregation), and the row is determined by the most significant nibble. For example, the value 0x9a is converted into 0xb8 by the Rijndael S-box. The S-box is constructed as the multiplicative inverse in $GF(2^8)$ followed by an affine transformation; note that the multiplicative inverse of 0x00 is defined as itself.
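Rather than typing in the 256-entry table of Figure 2.6, the S-box can be regenerated from its algebraic definition and the row/column lookup checked against the 0x9a to 0xb8 example quoted above. The following Python is an added example, not code from the thesis or from FIPS 197. The reduction polynomial $x^8 + x^4 + x^3 + x + 1$ (0x11b) and the affine constant 0x63 are those of the AES specification; they are not stated in this text.

```python
# Added example, not code from the thesis or FIPS 197: the Rijndael S-box S_RD
# built as a multiplicative inverse in GF(2^8) (0x00 mapped to itself) followed
# by an affine transformation, plus the row/column lookup of Figure 2.6 on a
# 16-byte state. The polynomial 0x11b and the affine constant 0x63 are the AES
# specification's values, not values given in this text.

def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r & 0xFF

def gf256_inv(a):
    """a^(-1) = a^254 in GF(2^8) by square-and-multiply; 0x00 maps to itself."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf256_mul(result, base)
        base = gf256_mul(base, base)
        e >>= 1
    return result

def affine(b):
    """s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63 (bit-level affine map)."""
    def rotl(x, k):
        return ((x << k) | (x >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [affine(gf256_inv(x)) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]

def sbox_lookup(byte):
    """Figure 2.6 lookup: row = most significant nibble, column = least significant nibble."""
    row, col = byte >> 4, byte & 0xF
    return SBOX[row * 16 + col]

def sub_bytes(state):
    """SubBytes on the 16-byte state (the 4x4 byte matrix stored column by column)."""
    assert len(state) == 16
    return [sbox_lookup(b) for b in state]

def inv_sub_bytes(state):
    return [INV_SBOX[b] for b in state]

if __name__ == "__main__":
    print(f"S_RD(0x9a) = 0x{sbox_lookup(0x9a):02x}")       # the example quoted in the text
    state = list(range(0x00, 0x100, 0x11))                 # constructed 16-byte state
    print([f"{b:02x}" for b in sub_bytes(state)])
```

Generating the table this way also makes the "0x00 is its own inverse" convention visible: without that special case the exponentiation would return 1 for input 0 and $S_{RD}$ would no longer be a bijection.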

Permutation

The permutation of AES is given by two steps: ShiftRows and MixColumns. Note that there would be no MixColumns in the last round.


Fig. 2.6 Rijndael S-box SRD.


ShiftRows step is a byte transposition that cyclically shifts the rows of the state (array ofbytes) over different offsets.

MixColumns step is a bricklayer permutation operating on the state column by column.

Key Addition and AddRoundKey

To achieve the key addition, AES applies a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a round key) and the data block input to a round.

2.3 VBF (Vector Boolean Functions) library

2.3.1 Features

The main features of the VBF library are the following:

• It is free/open source under the GPL. In this sense, we are aligned with the Sage project developers who affirm the following:

A standard rule in the mathematics community is that everything is laid open for inspection. The Sage project believes that not doing the same for mathematics software is at best a gesture of impoliteness and rudeness, and at worst a violation against standard scientific practices. An underlying philosophical principle of Sage is to apply the system of open exchange and peer review that characterizes scientific communication to the development of mathematics software. Neither the Sage project nor the Sage Development Team make any claims to being the original proponents of this principle.

The development model of Sage is largely inspired by the free software movement as spearheaded by the Free Software Foundation, and by the open source movement. One source of inspiration from within the mathematics community is Joachim Neubuser as expressed in the paper [109] and in particular the following quotation from his paper:

"You can read Sylow's Theorem and its proof in Huppert's book in the library without even buying the book and then you can use Sylow's Theorem for the rest of your life free of charge, but...for many computer algebra systems license fees have to be paid regularly for the total time of their use. In order to protect what you pay for, you do not get the source, but only an executable, i.e. a black box. You can press buttons and you get answers in the same way as you get the bright pictures from your television set but you cannot control how they were made in either case.

With this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking. Not applying these rules to computer algebra systems that are made for mathematical research...means moving in a most undesirable direction. Most important: Can we expect somebody to believe a result of a program that he is not allowed to see? Moreover: Do we really want to charge colleagues in Moldava several years of their salary for a computer algebra system?"

Similar sentiments were also expressed by Andrei Okounkov as can be found in [110], in particular the following quotation:

"Computers are no more a threat to mathematicians than food processors are a threat to cooks. As mathematics gets more and more complex while the pace of our lives accelerates, we must delegate as much as we can to machines. And I mean both numeric and symbolic work. Some people can manage without dishwashers, but I think proofs come out a lot cleaner when routine work is automated.

This brings up many issues. I am not an expert, but I think we need a symbolic standard to make computer manipulations easier to document and verify. And with all due respect to the free market, perhaps we should not be dependent on commercial software here. An open-source project could, perhaps, find better answers to the obvious problems such as availability, bugs, backward compatibility, platform independence, standard libraries, etc. One can learn from the success of TeX and more specialized software like Macaulay2. I do hope that funding agencies are looking into this."

• It is a library allowing us to use it in conjunction with other tools and libraries.

• It is implemented in C++ language. The main advantages of this language are derived from the object oriented implementation and the use of effective algorithms; such advantages are: reusability, maintainability, extensibility and flexibility in the analysis of a broad range of Vector Boolean functions employed in symmetric ciphers. The size of the vector Boolean functions that can be analyzed by VBF is restricted by the computational resources (memory, disk space, CPU, ...) of the platform on which it is executed. However, the maximum value for $n$ and $m$ to be handled by the different functions is conditioned by the maximum value attainable by long int variables (for the computer employed in this work, it is approximately $2^{30}$, so that $n_{max} = m_{max} \approx 30$). Note that, although functions of this size would be compatible with the VBF resource management procedures, the run time requirements for computing the characteristics would exceed any realistic bound.

• It can be easily installed in several platforms such as Windows, Linux and MacOS, among others.

• It makes use of some modules from the well-known Number Theory Library NTL implemented by Victor Shoup (VBF works with any version of NTL, up to the latest one [111]). A preliminary version of VBF, lacking several of the modules and features in the current package, was presented in [5]. NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, as well as vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:

1. It is free software, and may be used according to the terms of the GNU General Public License.

2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.

3. It may be easily installed in a wide range of platforms.

4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.

The core of the VBF library is the VBF class, which represents vector Boolean functions and whose data members and member functions make use of the NTL modules listed in Table 2.4.

However, some new cryptography-related member functions were added to the previous modules. New modules, which are not present in NTL, are defined and they are listed in Table 2.5.

The main file in the library, called VBF.h, has the definitions of the objects described in the next subsection and makes use of the cited modules.

The process of development of the VBF library consisted of four steps:

1. To study the most common representation methods employed in modern cryptosystems.

2. To compile and elaborate cryptographic criteria for Vector Boolean functions.

3. To analyse the structure of modern cryptographic algorithms in order to identify the most common interconnections among their subsystems. It is important to understand the behaviour of the representations, characterizations and criteria of a cryptosystem in terms of the representations, characterizations and criteria of its subsystems.

4. To develop algorithms to load representations, calculate their characterizations and criteria, and apply constructions to subsystems.

Table 2.4 NTL modules used in VBF.

CLASS NAME  DESCRIPTION
GF2         Galois Field of order 2, denoted by GF(2)
vec_GF2     Vectors over GF(2)
mat_GF2     Matrices over GF(2)
RR          Arbitrary-precision floating point numbers
vec_RR      Vectors over reals
mat_RR      Matrices over reals
ZZ          Signed, arbitrary length integers
vec_ZZ      Vectors over integers
mat_ZZ      Matrices over integers
GF2X        Polynomial arithmetic modulo 2
GF2E        Polynomials in $\mathbb{F}_2[X]$ modulo a polynomial $P$
GF2EX       Polynomials over GF2E
vec_GF2E    Vectors over GF2E

Table 2.5 New modules created for VBF.

CLASS NAME  DESCRIPTION
pol         Polynomial in ANF of a Boolean Function
vec_pol     Polynomials in ANF of a Vector Boolean Function

2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software

To support our own contributions, we will now survey previous research made regarding the analysis of Vector Boolean functions from the cryptographical point of view. At the present time, several other packages are available, for example:

1. CrypTool [44] is a free, open-source e-learning application, used in the implementation and analysis of cryptographic algorithms. It provides cryptanalytical measurement methods (entropy, n-grams, autocorrelation, etc.) but it does not allow the calculation of cryptographic criteria. The current release version, CrypTool 2, is based on the latest .NET Framework (currently .NET 4.0) and it has a pure-plugin architecture. There is also another project called JCrypTool developed in Java and based on Eclipse RCP.

2. Matpack [90] is a C++ numerics and graphics library implementing computational methods that are needed in engineering. The cryptographic algorithms are included in the commercial library; these can only be used to analyze some cryptographic properties of Boolean functions and do not address Vector Boolean functions.

3. In [12], a system for assisting analysis of some criteria of DES-like ciphers is described. This system analyzes only a small subset of the criteria considered by VBF.

4. bma [122] outputs the value table, Walsh Spectrum (WS) (a generalized Fourier spectrum), linear profile, differential profile, and some linearity/nonlinearity measures, given the ANF of a Vector Boolean function. It is an open-source executable program written in C, computationally very efficient for specific S-box analysis.

5. The boolfun package [14] is open source software, written in R, to assess cryptographic properties of Boolean functions. It implements three representations: Truth Table, ANF and WS. It can calculate cryptographic properties of Boolean functions that are relevant for the design of stream ciphers (i.e., cryptographic pseudo-random generators), namely nonlinearity, algebraic immunity, correlation immunity and resiliency. Unfortunately it does not provide specific tools for analyzing vector functions.

6. Sage [132] is free open source mathematical software that supports research and teaching in algebra, geometry, number theory, cryptography, and related areas. The Cryptography module contains some descriptions of classical ciphers and simplified modern ciphers such as Simplified DES and Mini-AES. Compared with the VBF library, Sage lacks much useful functionality for the analysis of Vector Boolean functions.

In summary, the packages cited above present one (or more) of the following disadvantages: they are commercial, they do not benefit from the new paradigms of object orientation and generic programming, or they do not cover the broad spectrum of representations and cryptographic criteria for both Boolean and Vector Boolean functions that VBF does. The aim of the VBF package presented in this thesis is to provide an easy-to-use tool both for the designer and the cryptanalyst of symmetric ciphers. The user only needs to code the basic features related to the Vector Boolean functions associated with a cipher (e.g., Truth Table, ANF table, polynomial in ANF, etc.).

The following chapter analyses the possible representations and characterizations of Boolean functions with the aim of their efficient management via the VBF library.


Chapter 3

Representations and Characterizations

This chapter presents a review of the theory relevant to the study of the typical forms of Vector Boolean function representations and characterizations. We will consider as representations those forms that uniquely represent a Vector Boolean function. Characterizations do not uniquely determine the Vector Boolean function, in contrast to the previous matrices, but they provide some useful information in the context of cryptography.

Representations included in this chapter are the Truth Table (TT), the polynomials in Algebraic Normal Form (Pol) and the ANF Table (ANF), the Image (Char), the Component functions Truth Table (LTT), the Sequence vectors of Component functions (CTT), the Trace Representation (Trace) and the Affine function Representation. A definition of each of these representations is given, and the relationships among them and their various properties are also discussed.

Characterizations such as the Linear Profile (LP), Differential Profile (DP), Autocorrelation Spectrum (AC) and Linear Structures (LS) are introduced. A definition of each of these characterizations is given, and the relationships among them and the above representations, together with their various properties, are also discussed.

The basic concepts of linear and differential cryptanalysis are introduced in terms of the Linear Profile and Differential Profile, together with other properties related to these attacks, such as: linear potential, differential potential, and linear or differential relations associated with a specific value.

Affine equivalence analysis of Boolean functions by means of the VBF library is described. It is shown how to obtain the frequency distribution of the absolute values of the Walsh Spectrum and of the Autocorrelation Spectrum.

It is possible to check the randomness of a Vector Boolean function's outputs with VBF by means of its cycle structure, and the analysis of the presence of fixed points or negated fixed points.


Finally, some other representations useful in block ciphers are described, such as the Permutation Vector (Per), Expansion and Compression DES permutations and DES-like S-box representations.

The description of each representation and characterization is complemented with the description of the methods in VBF related to them. Most of the member functions of VBF have an in-line definition, for instance: void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F).

Figure 3.1 summarizes the relationships among the different representations.

Fig. 3.1 Relationships among representations and characterizations of a Vector Boolean function.

The representations which are Boolean matrices are coloured in red, those which are integer matrices are coloured in blue, those that are vectors of integers are coloured in yellow and those which are polynomials are coloured in green.

In this chapter we apply VBF library methods to find out representations and characterizations of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of representations and characterizations of modern cryptographic algorithms apart from those described in this chapter.


3.1 Truth Table

3.1.1 Description

A Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be uniquely represented by its Truth Table, which is a matrix with $2^n$ rows and $m$ columns whose elements are the values of $F$ taken on all possible vectors of $V_n$ ordered lexicographically.

Definition 3.1.1. Let $F \in \mathcal{F}_{n,m}$. If we take into account the one-to-one mapping of $V_n$ onto the set of integers as defined in Theorem A.1.1, we are able to define any Vector Boolean function by the corresponding set of values:

$$F(\alpha_i) \in V_m \quad \forall i \in \{0, \ldots, 2^n-1\} \qquad (3.1)$$

The matrix with $2^n$ rows and $m$ columns will be referred to as the Truth Table of $F$ and will generally be written as $TT_F$:

$$TT_F = \begin{bmatrix} f_1(\alpha_0) & \ldots & f_m(\alpha_0) \\ f_1(\alpha_1) & \ldots & f_m(\alpha_1) \\ \vdots & \ddots & \vdots \\ f_1(\alpha_{2^n-1}) & \ldots & f_m(\alpha_{2^n-1}) \end{bmatrix} \qquad (3.2)$$

Each $\alpha_i = (x_1, \ldots, x_n) \in V_n$, $i \in \{1, \ldots, 2^n-1\}$, is a vector whose decimal equivalent is $\mathrm{dec}(\alpha_i) = i = \sum_{j=1}^{n} x_j 2^{n-j}$, and all the vectors of $V_n$ can be listed so that $\alpha_0 < \alpha_1 < \cdots < \alpha_{2^n-1}$.

As a total order is defined over the assignments (inputs) of the Vector Boolean function, the Truth Table can be uniquely represented by this matrix. Any function $F$ can be uniquely described by its Truth Table $TT_F \in \mathcal{M}_{2^n \times m}(GF(2))$ (or by the Truth Tables of its coordinate functions $TT_{f_i}$, $i \in \{1, \ldots, m\}$), and it holds that:

$$\gamma : \mathcal{F}_{n,m} \to \mathcal{M}_{2^n \times m}(GF(2)), \quad F \mapsto TT_F \qquad (3.3)$$

is an isomorphism between the vector spaces $\mathcal{F}_{n,m}$ and $\mathcal{M}_{2^n \times m}(GF(2))$, so that $\#\mathcal{F}_{n,m} = 2^{2^n \cdot m}$. The Truth Table for an $n$-variable Boolean function $f$ should be in lexicographical form, i.e., $TT_f = (f(0), f(1), f(2), \ldots, f(2^n-1))$. Since the Truth Table length might be too large, we represent it in hexadecimal rather than in binary notation. The hexadecimal Truth Table is obtained by replacing each four bits by their corresponding hexadecimal form. For instance, to enter $TT_f = (0,0,1,1,1,1,1,1)$ one should just write $TT_f = 3f$.


The distance between two Vector Boolean functions $F, G \in \mathcal{F}_{n,m}$ is defined as the number of bits that are different in their respective Truth Tables:

$$d(F,G) = \sum_{x \in V_n} d(F(x), G(x)) \qquad (3.4)$$

where $d(F(x), G(x))$ is the Hamming distance between the two vectors $F(x), G(x) \in V_m$. The weight of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is equal to the distance between $F$ and the corresponding zero Vector Boolean function $\mathbf{0} \in \mathcal{F}_{n,m}$, where $\mathbf{0}(x) = 0$ $\forall x \in V_n$.

In order to obtain certain characterizations (such as the Autocorrelation Spectrum), it is important to take into account two additional representations related to the Truth Table: LTT and CTT.

We will denote by LTT of $F \in \mathcal{F}_{n,m}$ the matrix whose columns are the Truth Tables of the $2^m$ component functions of $F$. We will denote by CTT of $F$ the matrix whose columns are the sequence vectors of the $2^m$ component functions of $F$¹.

3.1.2 Library

A VBF class can be initialized by a Boolean matrix representing the Truth Table with the following method:

void puttt(const NTL::mat_GF2& T)

To obtain the Truth Table of a Vector Boolean function, the following method must be used:

void TT(NTL::mat_GF2& X, VBF& F)

A VBF class can be initialized by a collection of strings separated by carriage returns, defined by s, with the following method:

void putHexTT(istream& s)

Each row must be the hexadecimal representation of the Truth Table of one of the coordinate functions of a Vector Boolean function. To obtain the Truth Table in hexadecimal representation, the following method must be used:

void getHexTT(ostream& s)

¹ Sometimes it is called the Polarity Truth Table.


Analogously, a VBF class can be initialized by a collection of strings with the binary representation of the Truth Table of the coordinate functions:

void putBinTT(istream& s)

To obtain its Truth Table in binary representation the following method must be used:

void getBinTT(ostream& s)

A VBF class can be initialized by a Boolean vector representing the decimal representation of the Truth Table of a Vector Boolean function, defined by a vector of outputs in lexicographic order, called d, and knowing the number of component Boolean functions m:

void putDecTT(const NTL::vec_long& d,const long& m)

To obtain the Truth Table in decimal representation the following method must be used:

NTL::vec_long getDecTT() const

To obtain the weight of a Vector Boolean function F the following method must be used:

void weight(long& w, VBF& F)

A VBF class can be initialized by a Boolean matrix representing the Truth Table of its component functions with the following method:

void putltt(const NTL::mat_GF2& L)

To obtain the Truth Table of the component functions of a Vector Boolean function, the following method must be used:

void LTT(NTL::mat_GF2& X, VBF& F)

A VBF class can be initialized by a Boolean matrix representing its Polarity Truth Table with the following method:

void putctt(const NTL::mat_ZZ& C)

To obtain the Polarity Truth Table of a Vector Boolean function, the following method must be used:

void CTT(NTL::mat_ZZ& X, VBF& F)


Example 3.1.1. The Truth Table of the NibbleSub S-box described in Table 2.1 is the following:

[[1 1 1 0]
[0 1 0 0]
[1 1 0 1]
[0 0 0 1]
[0 0 1 0]
[1 1 1 1]
[1 0 1 1]
[1 0 0 0]
[0 0 1 1]
[1 0 1 0]
[0 1 1 0]
[1 1 0 0]
[0 1 0 1]
[1 0 0 1]
[0 0 0 0]
[0 1 1 1]]

If we use a file with this matrix as the input of the following program, we can obtain its hexadecimal, binary and decimal representations, as well as the Truth Tables of the component functions and its Polarity Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // cout, cerr, ifstream and endl are used below

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    // argv[1] names the file that holds the Truth Table as a Boolean matrix
    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The hexadecimal representation is: " << endl;
    F.getHexTT(cout);

    cout << endl << "The binary representation is: " << endl;
    F.getBinTT(cout);

    cout << endl << "The decimal representation is: " << endl
         << F.getDecTT() << endl;

    cout << endl << "The Truth Table of the component functions is: "
         << endl << LTT(F) << endl;

    cout << endl << "The Polarity Truth Table is: "
         << endl << CTT(F) << endl;

    return 0;
}

The output of this program would be:

The hexadecimal representation is:
a754
e439
8ee1
368d

The binary representation is:
1010011101010100
1110010000111001
1000111011100001
0011011010001101

The decimal representation is:
[14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7]

The Truth Table of the component functions is:
[[0 0 1 1 1 1 0 0 1 1 0 0 0 0 1 1]
[0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1]
[0 1 0 1 1 0 1 0 1 0 1 0 0 1 0 1]
[0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1]
[0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1]
[0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0]
[0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1]
[0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1]
[0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0]
[0 0 1 1 0 0 1 1 1 1 0 0 1 1 0 0]
[0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0]
[0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0]
[0 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0]
[0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1]]

The Polarity Truth Table is:
[[1 1 -1 -1 -1 -1 1 1 -1 -1 1 1 1 1 -1 -1]
[1 1 1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1]
[1 -1 1 -1 -1 1 -1 1 -1 1 -1 1 1 -1 1 -1]
[1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1]
[1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1]
[1 -1 -1 1 -1 1 1 -1 -1 1 1 -1 1 -1 -1 1]
[1 -1 -1 1 1 -1 -1 1 -1 1 1 -1 -1 1 1 -1]
[1 1 1 1 1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1]
[1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1]
[1 1 -1 -1 1 1 -1 -1 -1 -1 1 1 -1 -1 1 1]
[1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1 1 1]
[1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1 1 1 1 1]
[1 -1 1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1]
[1 -1 1 -1 1 -1 1 -1 -1 1 -1 1 -1 1 -1 1]
[1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]
[1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1 1 -1]]
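The representations printed above can be reproduced without the VBF library. The following program is an added example (it is neither VBF code nor the thesis's own program): it builds the NibbleSub Truth Table from its decimal outputs (constructed inline from Table 2.1), derives the hexadecimal and binary forms of each coordinate function, the LTT of the $2^m$ component functions, the Polarity Truth Table, and the distance and weight of (3.4). The helper names (truthTableFromDec, componentTruthTable, polarityTruthTable, and so on) are this example's own, not VBF method names.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed input: the NibbleSub S-box of Table 2.1, output nibble for inputs 0..15.
static const std::vector<int> kNibbleSub = {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7};

// A Truth Table TT_F has 2^n rows and m columns; row i holds the bits of F(alpha_i)
// as (f_1, ..., f_m), f_1 being the most significant bit of the output.
using Matrix = std::vector<std::vector<int>>;

Matrix truthTableFromDec(const std::vector<int>& dec, int m) {
    Matrix tt(dec.size(), std::vector<int>(m));
    for (size_t i = 0; i < dec.size(); ++i)
        for (int j = 0; j < m; ++j)
            tt[i][j] = (dec[i] >> (m - 1 - j)) & 1;
    return tt;
}

// Decimal representation: each row read back as an integer.
std::vector<int> decFromTruthTable(const Matrix& tt) {
    std::vector<int> dec;
    for (const auto& row : tt) {
        int v = 0;
        for (int b : row) v = (v << 1) | b;
        dec.push_back(v);
    }
    return dec;
}

// Binary string of coordinate function f_{j+1}: column j in lexicographic row order.
std::string coordinateBin(const Matrix& tt, int j) {
    std::string s;
    for (const auto& row : tt) s += row[j] ? '1' : '0';
    return s;
}

// Hexadecimal form: every four bits replaced by one hex digit (so 00111111 becomes "3f").
std::string binToHex(const std::string& bin) {
    std::string hex;
    for (size_t i = 0; i + 4 <= bin.size(); i += 4) {
        int v = 0;
        for (size_t k = 0; k < 4; ++k) v = (v << 1) | (bin[i + k] - '0');
        hex += "0123456789abcdef"[v];
    }
    return hex;
}

// LTT: entry (x, u) is the component function u.F(x) = XOR_j u_j f_j(x), u in V_m,
// with u_1 the most significant bit of u so that columns are in lexicographic order.
Matrix componentTruthTable(const Matrix& tt) {
    int m = tt.empty() ? 0 : (int)tt[0].size();
    Matrix ltt(tt.size(), std::vector<int>(1 << m));
    for (size_t x = 0; x < tt.size(); ++x)
        for (int u = 0; u < (1 << m); ++u) {
            int bit = 0;
            for (int j = 0; j < m; ++j)
                if ((u >> (m - 1 - j)) & 1) bit ^= tt[x][j];
            ltt[x][u] = bit;
        }
    return ltt;
}

// CTT (Polarity Truth Table): the sequence vectors (-1)^{u.F(x)} of the component functions.
Matrix polarityTruthTable(const Matrix& tt) {
    Matrix ctt = componentTruthTable(tt);
    for (auto& row : ctt)
        for (int& v : row) v = v ? -1 : 1;
    return ctt;
}

// Distance (3.4): number of differing bits between two Truth Tables of the same shape.
int distance(const Matrix& a, const Matrix& b) {
    int d = 0;
    for (size_t i = 0; i < a.size(); ++i)
        for (size_t j = 0; j < a[i].size(); ++j) d += (a[i][j] != b[i][j]);
    return d;
}

// Weight: distance to the all-zero function, i.e. the number of ones in TT_F.
int weight(const Matrix& tt) {
    return distance(tt, Matrix(tt.size(), std::vector<int>(tt[0].size(), 0)));
}

int main() {
    Matrix tt = truthTableFromDec(kNibbleSub, 4);
    for (int j = 0; j < 4; ++j)
        std::printf("f%d: %s (%s)\n", j + 1, binToHex(coordinateBin(tt, j)).c_str(),
                    coordinateBin(tt, j).c_str());
    std::printf("weight = %d\n", weight(tt));
    return 0;
}
```

For NibbleSub the four coordinate functions come out as a754, e439, 8ee1 and 368d, the first rows of the LTT and CTT match the listing above, and the weight is 32 (each output nibble 0..15 appears exactly once, so the table contains 32 ones).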

3.2 Trace Representation

3.2.1 Description

We identify a Boolean function in $n$ variables with a function from $GF(2^n)$ to $GF(2)$, and a Vector Boolean function in $n$ variables with a function from $GF(2^n)$ to $GF(2^n)$.

A trace is a function over a finite field $GF(2^n)$ defined as follows:

$$\mathrm{tr}(x) = \sum_{i=0}^{2^n-1} x^{i} \qquad (3.5)$$

Since there is an isomorphism between $V_n$ and $GF(2^n)$ (see section A.3.3), it is possible to identify the trace function with a Boolean function in $n$ variables. Analogously, a Vector Boolean function can be identified with a trace as follows:

Definition 3.2.1. When $m = n$, we endow $V_n$ with the structure of the field $GF(2^n)$. Any $F \in \mathcal{F}_{n,n}$ admits a unique univariate polynomial representation over $GF(2^n)$, of degree at most $2^n - 1$:

$$F(x) = \sum_{i=0}^{2^n-1} \delta_i x^i, \quad \delta_i \in GF(2^n) \qquad (3.6)$$

A general way to derive this polynomial representation is given by Lagrange interpolation from the knowledge of the irreducible polynomial of degree $n$ over $GF(2)$ associated with the field $GF(2^n)$ and the Truth Table of $F$.

The interpolation attack [74] is efficient when the degree of the univariate polynomial representation of the S-box over $GF(2^n)$ is low, or when the distance of the S-box to the set of low univariate degree functions is small. This attack exploits the low degree of the algebraic relation between some input (respectively output) and intermediate data to infer some key bits relating the output (respectively input) and the intermediate data.


3.2.2 Library

A VBF class can be initialized giving its trace f and the irreducible polynomial g with the following methods:

void putirrpol(GF2X& g)
void puttrace(string& f)

To obtain the trace representation of a Vector Boolean function, the following method must be used:

void Trace(GF2EX& f, VBF& F)

and to print the trace representation use the following method:

void print(NTL_SNS ostream& s, GF2EX& f, const long& m)

Example 3.2.1. Let $GF(2^4)$ be constructed with the irreducible polynomial defined in Mini-AES, $g(x) = x^4 + x + 1$. Element $x$ is primitive (check that all its powers from the first to the fourteenth are distinct). We denote it by $\alpha$. Table 3.1 shows how to calculate the trace of each element of the field $GF(2^4)$. In the last column, the vector of values of the NibbleSub S-box corresponding to this trace representation:

$$5x^{14} + 7x^{13} + ex^{12} + fx^{11} + 7x^{10} + 6x^{9} + cx^{8} + 5x^{7} + 9x^{6} + ax^{5} + 7x^{4} + 8x^{3} + ax^{2} + 7x + e \qquad (3.7)$$

is presented.

Table 3.1 Identification of a coordinate function of NibbleSub with trace function.

Vector | Polynomial | α^k | tr(·) | NibbleSub
0000 | 0 | − | 0+0+0+0+0+0+0+0+0+0+0+0+0+0+e | e
0001 | 1 | α^0 | 5+7+e+f+7+6+c+5+9+a+7+8+a+7+e | 4
0010 | x | α | 5α^14+7α^13+eα^12+fα^11+7α^10+6α^9+cα^8+5α^7+9α^6+aα^5+7α^4+8α^3+aα^2+7α+e | d
0011 | x+1 | α^4 | 5α^(4·14)+7α^(4·13)+eα^(4·12)+fα^(4·11)+7α^(4·10)+6α^(4·9)+cα^(4·8)+5α^(4·7)+9α^(4·6)+aα^(4·5)+7α^(4·4)+8α^(4·3)+aα^(4·2)+7α^4+e | 1
0100 | x^2 | α^2 | 5α^(2·14)+7α^(2·13)+eα^(2·12)+fα^(2·11)+7α^(2·10)+6α^(2·9)+cα^(2·8)+5α^(2·7)+9α^(2·6)+aα^(2·5)+7α^(2·4)+8α^(2·3)+aα^(2·2)+7α^2+e | 2
0101 | x^2+1 | α^8 | 5α^(8·14)+7α^(8·13)+eα^(8·12)+fα^(8·11)+7α^(8·10)+6α^(8·9)+cα^(8·8)+5α^(8·7)+9α^(8·6)+aα^(8·5)+7α^(8·4)+8α^(8·3)+aα^(8·2)+7α^8+e | f
0110 | x^2+x | α^5 | 5α^(5·14)+7α^(5·13)+eα^(5·12)+fα^(5·11)+7α^(5·10)+6α^(5·9)+cα^(5·8)+5α^(5·7)+9α^(5·6)+aα^(5·5)+7α^(5·4)+8α^(5·3)+aα^(5·2)+7α^5+e | b
0111 | x^2+x+1 | α^10 | 5α^(10·14)+7α^(10·13)+eα^(10·12)+fα^(10·11)+7α^(10·10)+6α^(10·9)+cα^(10·8)+5α^(10·7)+9α^(10·6)+aα^(10·5)+7α^(10·4)+8α^(10·3)+aα^(10·2)+7α^10+e | 8
1000 | x^3 | α^3 | 5α^(3·14)+7α^(3·13)+eα^(3·12)+fα^(3·11)+7α^(3·10)+6α^(3·9)+cα^(3·8)+5α^(3·7)+9α^(3·6)+aα^(3·5)+7α^(3·4)+8α^(3·3)+aα^(3·2)+7α^3+e | 3
1001 | x^3+1 | α^14 | 5α^(14·14)+7α^(14·13)+eα^(14·12)+fα^(14·11)+7α^(14·10)+6α^(14·9)+cα^(14·8)+5α^(14·7)+9α^(14·6)+aα^(14·5)+7α^(14·4)+8α^(14·3)+aα^(14·2)+7α^14+e | a
1010 | x^3+x | α^9 | 5α^(9·14)+7α^(9·13)+eα^(9·12)+fα^(9·11)+7α^(9·10)+6α^(9·9)+cα^(9·8)+5α^(9·7)+9α^(9·6)+aα^(9·5)+7α^(9·4)+8α^(9·3)+aα^(9·2)+7α^9+e | 6
1011 | x^3+x+1 | α^7 | 5α^(7·14)+7α^(7·13)+eα^(7·12)+fα^(7·11)+7α^(7·10)+6α^(7·9)+cα^(7·8)+5α^(7·7)+9α^(7·6)+aα^(7·5)+7α^(7·4)+8α^(7·3)+aα^(7·2)+7α^7+e | c
1100 | x^3+x^2 | α^6 | 5α^(6·14)+7α^(6·13)+eα^(6·12)+fα^(6·11)+7α^(6·10)+6α^(6·9)+cα^(6·8)+5α^(6·7)+9α^(6·6)+aα^(6·5)+7α^(6·4)+8α^(6·3)+aα^(6·2)+7α^6+e | 5
1101 | x^3+x^2+1 | α^13 | 5α^(13·14)+7α^(13·13)+eα^(13·12)+fα^(13·11)+7α^(13·10)+6α^(13·9)+cα^(13·8)+5α^(13·7)+9α^(13·6)+aα^(13·5)+7α^(13·4)+8α^(13·3)+aα^(13·2)+7α^13+e | 9
1110 | x^3+x^2+x | α^11 | 5α^(11·14)+7α^(11·13)+eα^(11·12)+fα^(11·11)+7α^(11·10)+6α^(11·9)+cα^(11·8)+5α^(11·7)+9α^(11·6)+aα^(11·5)+7α^(11·4)+8α^(11·3)+aα^(11·2)+7α^11+e | 0
1111 | x^3+x^2+x+1 | α^12 | 5α^(12·14)+7α^(12·13)+eα^(12·12)+fα^(12·11)+7α^(12·10)+6α^(12·9)+cα^(12·8)+5α^(12·7)+9α^(12·6)+aα^(12·5)+7α^(12·4)+8α^(12·3)+aα^(12·2)+7α^12+e | 7

Example 3.2.2. The following program provides the Trace representation over $GF(2^n)$ of a Vector Boolean function whose Truth Table is in a file with extension ".tt". $GF(2^n)$ is constructed with the irreducible polynomial whose corresponding GF2X representation is in a file with extension ".irr". The class GF2X implements polynomial arithmetic modulo 2, and a polynomial is represented as a coefficient vector.

#include <iostream>
#include <fstream>
#include <string>
#include "VBF.h"

using namespace std;   // cout, cerr, ifstream, string and endl are used below

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;
    GF2X g;
    GF2EX f;
    int d;

    // argv[1] is the base name shared by the ".irr" and ".tt" input files
    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <basename>" << endl;
        return 1;
    }
    // Build the file names with std::string so that a long argument cannot
    // overflow a fixed-size character buffer.
    string base(argv[1]);

    string irrFile = base + ".irr";   // GF2X coefficient vector of the irreducible polynomial
    ifstream input1(irrFile.c_str());
    if (!input1) {
        cerr << "Error opening " << irrFile << endl;
        return 1;
    }
    input1 >> g;
    F.putirrpol(g);
    input1.close();

    string ttFile = base + ".tt";     // Truth Table as a Boolean matrix
    ifstream input(ttFile.c_str());
    if (!input) {
        cerr << "Error opening " << ttFile << endl;
        return 1;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The trace representation is " << endl;
    f = Trace(F);
    d = deg(g);
    print(cout, f, d);

    return 0;
}


In this cipher, $GF(2^8)$ is constructed with the irreducible polynomial $g(x) = x^8 + x^4 + x^3 + x + 1$. The inputs of this program would be the Truth Table of the Rijndael S-box $S_{RD}$ (described in Figure 2.6), provided in a file with extension ".tt", and the corresponding GF2X representation of $g$: [110110001], provided in a file with extension ".irr". The output of the program would be a GF2EX, which represents polynomials over GF2E; hence, it can be used, for example, for arithmetic in $GF(2^n)$:

$$05 \cdot x^{254} + 09 \cdot x^{253} + f9 \cdot x^{251} + 25 \cdot x^{247} + f4 \cdot x^{239} + 01 \cdot x^{223} + b5 \cdot x^{191} + 8f \cdot x^{127} + 63 \qquad (3.8)$$

where the coefficients are elements of $GF(2^8)$.
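The univariate representation (3.6) can be computed by hand for the small field of Example 3.2.1. The program below is an added example, not VBF or thesis code: it implements $GF(2^4)$ arithmetic with $g(x) = x^4 + x + 1$ using the vector-to-field identification of Table 3.1 (bit $k$ of a nibble is the coefficient of $x^k$, so 0010 is $x$), checks that $x$ is primitive, and derives the coefficients $\delta_i$ of NibbleSub from the interpolation identity $F(x) = \sum_a F(a)\,(1 + (x+a)^{15})$, which expands termwise because every binomial coefficient $\binom{15}{i}$ is odd. The result is verified by re-evaluating the polynomial at every field element rather than by comparing against (3.7), since the printed coefficient values depend on how field elements are encoded. Names such as univariate and gfOrder are this example's own.

```cpp
#include <array>
#include <cstdio>

// GF(2^4) built from the Mini-AES irreducible polynomial g(x) = x^4 + x + 1.
// An element is a 4-bit integer whose bit k is the coefficient of x^k (0010 = x,
// 1110 = x^3 + x^2 + x), the identification used in Table 3.1.
static const int kIrreducible = 0x13;   // 1 0011 = x^4 + x + 1
static const int kFieldSize   = 16;

// Constructed input: NibbleSub viewed as a map GF(2^4) -> GF(2^4), F(i) = kNibbleSub[i].
static const std::array<int, 16> kNibbleSub = {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7};

int gfMul(int a, int b) {
    int r = 0;
    for (int i = 0; i < 4; ++i)               // schoolbook product over GF(2)
        if ((b >> i) & 1) r ^= a << i;
    for (int i = 7; i >= 4; --i)              // reduce modulo g(x): x^i = x^(i-4)(x + 1)
        if ((r >> i) & 1) r ^= kIrreducible << (i - 4);
    return r;
}

int gfPow(int a, int e) {                     // a^e with the convention a^0 = 1
    int r = 1;
    for (int i = 0; i < e; ++i) r = gfMul(r, a);
    return r;
}

// Multiplicative order of a nonzero element; 15 means the element is primitive.
int gfOrder(int a) {
    int p = a, k = 1;
    while (p != 1) { p = gfMul(p, a); ++k; }
    return k;
}

// Coefficients delta_0 .. delta_15 of the univariate representation (3.6):
// F(x) = sum_a F(a) (1 + (x + a)^15) and (x + a)^15 = sum_i x^i a^(15 - i).
std::array<int, 16> univariate(const std::array<int, 16>& F) {
    std::array<int, 16> delta{};
    for (int a = 0; a < kFieldSize; ++a) {
        delta[0] ^= F[a];                     // the "+1" inside each summand
        for (int i = 0; i < kFieldSize; ++i)
            delta[i] ^= gfMul(F[a], gfPow(a, 15 - i));
    }
    return delta;
}

int evaluate(const std::array<int, 16>& delta, int x) {
    int y = 0;
    for (int i = 0; i < kFieldSize; ++i) y ^= gfMul(delta[i], gfPow(x, i));
    return y;
}

int degree(const std::array<int, 16>& delta) {
    for (int i = kFieldSize - 1; i >= 0; --i)
        if (delta[i]) return i;
    return -1;
}

// True when the polynomial reproduces every entry of the S-box.
bool reproducesTable(const std::array<int, 16>& delta, const std::array<int, 16>& F) {
    for (int x = 0; x < kFieldSize; ++x)
        if (evaluate(delta, x) != F[x]) return false;
    return true;
}

int main() {
    std::array<int, 16> d = univariate(kNibbleSub);
    std::printf("x has order %d; degree %d; coefficients of x^0 .. x^15:", gfOrder(2), degree(d));
    for (int c : d) std::printf(" %x", c);
    std::printf("\n");
    return 0;
}
```

Two consistency checks fall out of the construction: the constant term is $F(0) = e$, and the $x^{15}$ coefficient is $\sum_a F(a)$, which is zero for any permutation of $GF(2^4)$, so NibbleSub has univariate degree 14, as in (3.7).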

3.3 Polynomials in ANF

3.3.1 Description

Definition 3.3.1. Any Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be uniquely represented by $m$ multivariate polynomials over $GF(2)$ (called coordinate functions), where each variable has power at most one. Each of these polynomials can be expressed as a sum of all distinct $k$th-order product terms ($0 < k \leq n$) of the variables in the form:

$$f(x_1,\ldots,x_n) = a_0 + a_1x_1 + \cdots + a_nx_n + a_{12}x_1x_2 + \cdots + a_{n-1,n}x_{n-1}x_n + \cdots + a_{12\ldots n}x_1x_2\ldots x_n = \sum_{I \in \mathcal{P}(N)} a_I \left(\prod_{i \in I} x_i\right) = \sum_{I \in \mathcal{P}(N)} a_I x^I, \quad a_I \in GF(2) \qquad (3.9)$$

where $\mathcal{P}(N)$ denotes the power set of $N = \{1,\ldots,n\}$. This representation of $f$ is called the algebraic normal form (ANF) of $f$. The algebraic normal form is thus a set of multivariate polynomials, and the constant functions (those obtained by decomposition) are the coefficients of the $2^n$ products of input variables (i.e., monomials).

3.3.2 Library

A VBF class can be initialized giving its Polynomials in ANF with the following method:

void putpol(vec_pol& p)

To obtain its representation as Polynomials in ANF, the following method must be used:

void Pol(NTL_SNS ostream& s, VBF& F)

Example 3.3.1. The following program provides the Polynomials in ANF of a Vector Boolean function from its Truth Table.


#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // cout, cerr, ifstream and endl are used below

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    // argv[1] names the file that holds the Truth Table as a Boolean matrix
    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;
    F.puttt(T);
    input.close();

    Pol(cout, F);

    return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

1+x4+x2+x2x3+x2x3x4+x1+x1x2+x1x2x3
1+x3x4+x2+x2x4+x1+x1x3+x1x3x4
1+x4+x3+x3x4+x2x4+x2x3+x1x4+x1x3+x1x2+x1x2x4+x1x2x3
x3+x2x4+x1+x1x4+x1x3x4


which corresponds to the coordinate functions of NibbleSub as follows:

$$\begin{aligned} f_1(\text{NibbleSub}) &= 1 + x_4 + x_2 + x_2x_3 + x_2x_3x_4 + x_1 + x_1x_2 + x_1x_2x_3 \\ f_2(\text{NibbleSub}) &= 1 + x_3x_4 + x_2 + x_2x_4 + x_1 + x_1x_3 + x_1x_3x_4 \\ f_3(\text{NibbleSub}) &= 1 + x_4 + x_3 + x_3x_4 + x_2x_4 + x_2x_3 + x_1x_4 + x_1x_3 + x_1x_2 + x_1x_2x_4 + x_1x_2x_3 \\ f_4(\text{NibbleSub}) &= x_3 + x_2x_4 + x_1 + x_1x_4 + x_1x_3x_4 \end{aligned} \qquad (3.10)$$

3.4 ANF Table

3.4.1 Description

Definition 3.4.1. The ANF table of $F$, denoted by $ANF_F \in \mathcal{M}_{2^n \times m}(GF(2))$, represents the $2^n$ coefficients of the polynomials of each of the $m$ coordinate functions in ANF. It is defined by:

$$ANF_{F_i} = ANF_{f_i} \quad i \in \{1,\ldots,m\} \qquad (3.11)$$

where $ANF_{F_i}$ is the $i$-th column of $ANF_F$.

The ANF Table can be derived from the Truth Table by a binary matrix transformation called the Algebraic Normal Form Transformation (implemented in the VBF library with the getanf method). The Truth Table can be obtained from the ANF Table using a method we call rev.

3.4.2 Library

A VBF class can be initialized giving its ANF table with the following method:

void putanf(const NTL::mat_GF2& A)

To obtain its representation as ANF table, the following method must be used:

void ANF(NTL::mat_GF2& X, VBF& F)

Example 3.4.1. The following program provides the ANF Table of a Vector Boolean function from its Truth Table.


#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // cout, cerr, ifstream and endl are used below

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    // argv[1] names the file that holds the Truth Table as a Boolean matrix
    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The ANF Table is:" << endl;
    cout << ANF(F) << endl;

    return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The ANF Table is:
[[1 1 1 0]
[1 0 1 0]
[0 0 1 1]
[0 1 1 0]
[1 1 0 0]
[0 1 1 1]
[1 0 1 0]
[1 0 0 0]
[1 1 0 1]
[0 0 1 1]
[0 1 1 0]
[0 1 0 1]
[1 0 1 0]
[0 0 1 0]
[1 0 1 0]
[0 0 0 0]]

3.5 Image

3.5.1 Description

Definition 3.5.1. The characteristic or indicator function of $F \in \mathcal{F}_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \{0,1\}$, is defined by:

$$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (3.12)$$

Definition 3.5.2. The Image of $F$ can be represented by a matrix whose rows are indexed by $x \in V_n$ and whose columns are indexed by $y \in V_m$ in lexicographic order, denoted by $\mathrm{Img}(F) \in \mathcal{M}_{2^n \times 2^m}(GF(2))$ and defined as follows:

$$\mathrm{Img}(F) = \begin{bmatrix} \theta_F(\alpha_0,\alpha_0) & \ldots & \theta_F(\alpha_0,\alpha_{2^m-1}) \\ \theta_F(\alpha_1,\alpha_0) & \ldots & \theta_F(\alpha_1,\alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \theta_F(\alpha_{2^n-1},\alpha_0) & \ldots & \theta_F(\alpha_{2^n-1},\alpha_{2^m-1}) \end{bmatrix} \qquad (3.13)$$

where $\theta_F(x,y)$ is the value of the indicator function at $(x,y)$.

Lemma 3.5.1. By equation 2.3, it is clear that all the rows of the matrix $\mathrm{Img}(F)$ have one element equal to one and the rest equal to zero, that is, $\forall i \in \{1, \ldots, 2^n\}$:

$$\mathrm{Img}(F)_i = \begin{bmatrix} a_{i1} & \ldots & a_{i2^m} \end{bmatrix} \text{ where } \left(\exists!\, j \in \{1,\ldots,2^m\} \; a_{ij} = 1\right) \wedge \left(a_{ik} = 0 \; \forall k \neq j \in \{1,\ldots,2^m\}\right) \qquad (3.14)$$


The Image of F can be derived from the Truth Table by a method implemented in the VBF library called charfunct. The Truth Table can be obtained from the characteristic function using a method we call truthtable.

3.5.2 Library

A VBF class can be initialized giving its Image with the following method:

void putchar(const NTL::mat_ZZ& C)

To obtain its representation as Image, the following method must be used:

void Charact(NTL::mat_ZZ& C, VBF& F)

Example 3.5.1. The following program provides the Image of a Vector Boolean function from its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // cout, cerr, ifstream and endl are used below

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    // argv[1] names the file that holds the Truth Table as a Boolean matrix
    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The Image is:" << endl;
    cout << Charact(F) << endl;

    return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The Image is:
[[0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0]
[0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0]
[0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1]
[0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0]
[0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0]
[0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0]
[0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0]
[0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0]
[1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0]]
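The matrix just printed can be rebuilt directly from the NibbleSub outputs, and Lemma 3.5.1 checked on it. The program below is an added example, not the charfunct or truthtable code of VBF: it constructs $\mathrm{Img}(F)$ from the decimal outputs (constructed inline), verifies that every row is one-hot, recovers the outputs from the matrix, and uses the column sums, which count the preimages of each $y$, to decide whether $F$ is a permutation. Names such as image and rowsAreOneHot are this example's own.

```cpp
#include <cstdio>
#include <vector>

using Matrix = std::vector<std::vector<int>>;

// Constructed input: NibbleSub outputs in lexicographic input order.
static const std::vector<int> kNibbleSub = {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7};

// Img(F) of (3.13): row x, column y holds theta_F(x, y) = 1 exactly when y = F(x).
Matrix image(const std::vector<int>& outputs, int m) {
    Matrix img(outputs.size(), std::vector<int>(1 << m, 0));
    for (size_t x = 0; x < outputs.size(); ++x) img[x][outputs[x]] = 1;
    return img;
}

// Lemma 3.5.1: every row carries exactly one entry equal to one.
bool rowsAreOneHot(const Matrix& img) {
    for (const auto& row : img) {
        int ones = 0;
        for (int v : row) ones += v;
        if (ones != 1) return false;
    }
    return true;
}

// The inverse step (the text's truthtable method): the column holding the one is F(x).
std::vector<int> outputsFromImage(const Matrix& img) {
    std::vector<int> out;
    for (const auto& row : img) {
        int y = 0;
        while (y < (int)row.size() && !row[y]) ++y;
        out.push_back(y);
    }
    return out;
}

// Column y of Img(F) sums to the number of preimages of y; all columns sum to one
// exactly when F is a permutation (the case for an invertible S-box).
bool isPermutation(const Matrix& img) {
    for (size_t y = 0; y < img[0].size(); ++y) {
        int count = 0;
        for (const auto& row : img) count += row[y];
        if (count != 1) return false;
    }
    return true;
}

int main() {
    Matrix img = image(kNibbleSub, 4);
    std::printf("one-hot rows: %d, permutation: %d, F(0) = %d\n",
                (int)rowsAreOneHot(img), (int)isPermutation(img), outputsFromImage(img)[0]);
    return 0;
}
```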

This matrix can be easily interpreted with the aid of Figure 3.2, in which the rows and columns are indexed with the corresponding vector:

Fig. 3.2 Image representations of NibbleSub.

You can see for instance that the output of 0000 is 1110.

3.6 Walsh Spectrum

3.6.1 Description

Linear and affine functions are considered cryptographically weak functions. It is important to measure whether a Vector Boolean function has some similarity with these functions. The similarity is measured by means of correlation. The values of the Walsh Spectrum provide a measure of the correlation of the Vector Boolean function with the different Vector Boolean linear functions.

Walsh Spectrum of Boolean Functions

Definition 3.6.1. The matrix $H_n$ is the Walsh-Hadamard matrix of order $2^n$ if it is generated by the following recursive relation:

$$H_0 = 1, \quad H_n = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix} \otimes H_{n-1} = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix} \qquad (3.15)$$

Theorem 3.6.1. Let $H_n$ be the Walsh-Hadamard matrix of order $2^n$; then the vectors associated with its columns constitute an orthogonal basis for $\mathbb{R}^{2^n}$ over $\mathbb{R}$, so that:

$$xH_n = y, \quad \forall x, y \in \mathbb{R}^{2^n} \qquad (3.16)$$

Corollary 3.6.2. Let $f \in \mathcal{F}_n$; its sequence $\xi_f \in \mathbb{R}^{2^n}$ can be defined as a linear combination of the sequences of all the linear functions over $V_n$, as they coincide with the rows of $H_n$:

$$\xi_f = a_{\alpha_0}\,\xi_{l_{\alpha_0}} + \cdots + a_{\alpha_{2^n-1}}\,\xi_{l_{\alpha_{2^n-1}}} \qquad (3.17)$$

where $a_u = \frac{1}{2^n}\langle \xi_f, \xi_{l_u} \rangle$.

Proof. $\langle \xi_f, \xi_{l_u} \rangle = 0 + \cdots + a_u \langle \xi_{l_u}, \xi_{l_u} \rangle + \cdots + 0 = a_u 2^n$.

Definition 3.6.2. Let $f \in \mathcal{F}_n$ be a Boolean function. The Walsh Transform of $f$ at $u \in V_n$ is the $n$-dimensional Discrete Fourier Transform and can be calculated as follows:

$$W_f(u) = \chi_f(u) = \mathcal{W}\{\xi_f\}(u) = \langle \xi_f, \xi_{l_u} \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_u(x) \qquad (3.18)$$

or, as it is most often written:

$$W_f(u) = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} \qquad (3.19)$$

As a result, the Walsh Transform of $f \in \mathcal{F}_n$ at $u$ is the coefficient of the sequence of $f$ ($\xi_f$) with respect to the basis constituted by the sequences of linear functions, scaled by a factor of $\frac{1}{2^n}$. If $W_f$ is the Walsh transform of $f$, we say that $\xi_f$ and $W_f$ form a Transform pair and write:

$$\xi_f \overset{\mathcal{W}}{\longleftrightarrow} W_f \quad (\xi_f \text{ corresponds to } W_f) \qquad (3.20)$$

The following properties can be derived from Definition 3.6.2:

1. The value of the Walsh Transform of $f$ at $u = 0$ equals the sum of the values of its sequence. As a consequence it takes the value $0$ if the number of 0's and 1's in the Truth Table of $f$ is the same. $\chi_0$ is the constant $1$ function, so that:

$$\chi_f(0) = \langle \xi_f, \xi_0 \rangle = \sum_{x \in V_n} (-1)^{f(x)} \qquad (3.21)$$

2. The value of the Walsh Transform of the constant function $1$ is equal to $2^n$ at $0$ and $0$ at the rest of the inputs:

$$\chi_1(u) = 2^n\,\delta(u) = \begin{cases} 2^n & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.22)$$

where $\delta(u)$ denotes the Kronecker delta function ($\delta(0) = 1$; $\delta(u) = 0$, $\forall u \neq 0$).

3. Let $c \in \mathcal{F}_n$ so that $c(x) = c$ $\forall x \in V_n$:

$$\chi_c(u) = 2^n(-1)^c\,\delta(u) = \begin{cases} 2^n(-1)^c & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.23)$$

4. Let $f \in \mathcal{F}_n$ so that $f(x) = l_v(x) + c$ $\forall x \in V_n$ and $c \in GF(2)$:

$$\chi_f(u) = 2^n(-1)^c\,\delta(u+v) = \begin{cases} 2^n(-1)^c & \text{if } u = v \\ 0 & \text{if } u \neq v \end{cases} \qquad (3.24)$$

Definition 3.6.3. The Walsh Spectrum of $f$ can be represented by a matrix whose rows are indexed by $u \in V_n$ in lexicographic order, denoted by $WS(f) \in \mathcal{M}_{2^n \times 1}(\mathbb{R})$ and defined as follows:

$$WS(f) = \begin{bmatrix} \chi_f(\alpha_0) & \ldots & \chi_f(u) & \ldots & \chi_f(\alpha_{2^n-1}) \end{bmatrix}^T \qquad (3.25)$$

where $\chi_f(u)$ is the value of the spectrum at $u$. A Boolean function is uniquely determined by its Walsh Spectrum.

Definition 3.6.4. The Inverse Walsh Transform of $f$ at $x \in V_n$ can be expressed as:

$$\mathcal{W}^{-1}_f(x) = \chi_f(x) = (-1)^{f(x)} = \frac{1}{2^n}\sum_{u \in V_n} \chi_f(u)\,\chi_u(x), \quad \forall x \in V_n \qquad (3.26)$$

or, as it is most often written:

$$\chi_f(x) = \frac{1}{2^n}\sum_{u \in V_n} \chi_f(u)\,(-1)^{u \cdot x} \qquad (3.27)$$

The following properties can be derived from definition 3.6.4:

1. The sum of Walsh coefficients is either 2n or −2n depending on the value of f (0):

∑u∈Vn

χ f (u) =

{2n if f (0) = 0−2n if f (0) = 0

(3.28)

2. The values of the Walsh Spectrum give information about the distance from the linearand affine functions. If we analyze the summands that appear in (3.19), we can noticethe following:

(−1) f (x)+u·x =

{1 if f (x) = u ·x−1 if f (x) = u ·x

If we denote L f (u) the set: {x ∈Vn | f (x) = u ·x}, then we have χ f (u) = 2 ·#L f (u)−2n satisfying: −2n ≤ χ f (u) ≤ 2n being all values of χ f even. The upper bound isachieved for the linear function associated to the vector u denoted by lu because itholds that: #L f (u) = 2n⇔ f (x) = u · x. The lower bound is achieved for the affinefunction associated to the vector u denoted by lu because it holds that: #L f (u) = 0⇔f (x) = u ·x+1


3. If f(x) = v·x + c, then:

\[ L_f(u) = \{x \in V_n \mid v \cdot x + c = u \cdot x\} = \{x \in V_n \mid (u+v) \cdot x = c\} \tag{3.29} \]

\[ \#L_f(u) = \begin{cases} 2^n & \text{if } u = v \wedge c = 0 \\ 0 & \text{if } u = v \wedge c = 1 \\ 2^{n-1} & \text{if } u \neq v \end{cases} \]

4. Let f, g ∈ F_n with d(f, g) = d, then:

\[ |\chi_f(u) - \chi_g(u)| \leq 2d, \quad \forall u \in V_n \tag{3.30} \]

Hereunder, we describe the Walsh Theorems for all f, g ∈ F_n, x, x′, u, u′ ∈ V_n and all a, b ∈ {−1, 1}:

Theorem 3.6.3 (Walsh Linearity Theorem). The Walsh Transform is a linear transform. Let W_f and W_g be the Walsh transforms of f and g respectively; then the Walsh Transform of any linear combination of their respective sequences ξ_f and ξ_g can be easily found:

\[ a \cdot \xi_f + b \cdot \xi_g \;\xleftrightarrow{\;W\;}\; a \cdot W_f + b \cdot W_g \tag{3.31} \]

Proof.

\[ W\{a \cdot \xi_f + b \cdot \xi_g\}(u) = a \cdot \langle \xi_f, \xi_{l_u} \rangle + b \cdot \langle \xi_g, \xi_{l_u} \rangle = a \cdot W_f(u) + b \cdot W_g(u) \]

Theorem 3.6.4 (Walsh Convolution/Correlation Theorem). The convolution (or correlation) in the sequence domain corresponds with the pointwise product in the Walsh domain:

\[ \xi_f * \xi_g \;\xleftrightarrow{\;W\;}\; WS(f) \odot WS(g) \tag{3.32} \]

Proof.

\[ \begin{aligned} W\{\xi_f * \xi_g\}(u) &= \sum_{x \in V_n} (\xi_f * \xi_g)(x)\,\chi_u(x) = \sum_{x \in V_n} \sum_{x' \in V_n} \chi_f(x')\,\chi_g(x + x')\,\chi_u(x) \\ &= \sum_{x' \in V_n} \chi_f(x') \sum_{x \in V_n} \chi_g(x + x')\,\chi_u(x) = \Big( \sum_{x' \in V_n} \chi_f(x')\,\chi_u(x') \Big) \cdot \Big( \sum_{t \in V_n} \chi_g(t)\,\chi_u(t) \Big) = \chi_f(u) \cdot \chi_g(u) \end{aligned} \]

where the last step substitutes t = x + x′ and uses χ_u(x) = χ_u(t)·χ_u(x′).


Theorem 3.6.5 (Dual of the Walsh Convolution/Correlation Theorem or Modulation Theorem). The pointwise product in the sequence domain corresponds with convolution (or correlation) in the Walsh domain scaled by a factor of 1/2^n:

\[ \xi_f \odot \xi_g \;\xleftrightarrow{\;W\;}\; \frac{1}{2^n}\, WS(f) * WS(g) \tag{3.33} \]

Proof.

\[ \begin{aligned} W\{\xi_f \odot \xi_g\}(u) &= \sum_{x \in V_n} (\xi_f \odot \xi_g)(x)\,\chi_u(x) = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x)\,\chi_u(x) = \sum_{x \in V_n} \Big( \frac{1}{2^n} \sum_{u' \in V_n} \chi_f(u')\,\chi_{u'}(x) \Big) \chi_g(x)\,\chi_u(x) \\ &= \frac{1}{2^n} \sum_{u' \in V_n} \chi_f(u') \sum_{x \in V_n} \chi_{u'}(x)\,\chi_g(x)\,\chi_u(x) = \frac{1}{2^n} \sum_{u' \in V_n} \chi_f(u') \sum_{x \in V_n} \chi_g(x)\,\chi_{u+u'}(x) \\ &= \frac{1}{2^n} \sum_{u' \in V_n} \chi_f(u')\,\chi_g(u + u') = \frac{1}{2^n} \big( WS(f) * WS(g) \big)(u) \end{aligned} \]

Theorem 3.6.6 (Walsh Power Theorem or Plancherel's Theorem).

\[ \langle \xi_f, \xi_g \rangle = \frac{1}{2^n} \langle WS(f), WS(g) \rangle \tag{3.34} \]

or alternatively:

\[ \sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = \frac{1}{2^n} \sum_{u \in V_n} \chi_f(u)\,\chi_g(u) \tag{3.35} \]

Proof. Evaluating the convolution of Theorem 3.6.4 at 0 and applying the inverse transform:

\[ \langle \xi_f, \xi_g \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = (\xi_f * \xi_g)(0) = W^{-1}\{W\{\xi_f * \xi_g\}\}(0) = \frac{1}{2^n} \sum_{u \in V_n} \chi_f(u)\,\chi_g(u) = \frac{1}{2^n} \langle WS(f), WS(g) \rangle \]

Theorem 3.6.7 (Walsh Rayleigh Energy Theorem or Parseval's Theorem).

\[ |\xi_f|^2 = \frac{1}{2^n} |WS(f)|^2 \tag{3.36} \]

or alternatively:

\[ \varepsilon_f = \sum_{x \in V_n} |\chi_f(x)|^2 = \frac{1}{2^n} \sum_{u \in V_n} |\chi_f(u)|^2 \tag{3.37} \]

Corollary 3.6.8. The sum of the squares of the coefficients of the Walsh Spectrum is always 2^{2n}:

\[ \sum_{u \in V_n} |\chi_f(u)|^2 = 2^{2n} \tag{3.38} \]
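As an added worked example (not code from the thesis or from the VBF library), the following Python computes the Walsh transform of a Boolean function from its truth table and checks numerically the identities stated in this section: the inverse transform (3.27), the spectrum sum (3.28), the distance bound (3.30), the convolution theorem (3.32) and Parseval's corollary (3.38). The sample functions f = x1x2 + x3x4 (bent) and g = l_v + 1 (affine, v = (0,1,0,1)) are constructed for the example; representing V_n by the integers 0..2^n − 1 with x1 as the most significant bit is an assumption matching the lexicographic indexing used for WS(f).

```python
# Added example (not from the thesis or the VBF library): the one-dimensional Walsh
# transform of a Boolean function given by its truth table, with the identities of
# Section 3.6 checked numerically on constructed sample functions.
N = 4  # number of variables; V_n is represented by the integers 0 .. 2^n - 1,
       # with x1 as the most significant bit (assumed lexicographic order)


def parity(x: int) -> int:
    """Parity of the bits of x; parity(u & x) is the GF(2) dot product u.x."""
    return bin(x).count("1") & 1


def walsh(f: list, n: int = N) -> list:
    """Walsh transform chi_f(u) = sum_x (-1)^{f(x) + u.x}, for every u in V_n."""
    return [sum((-1) ** (f[x] ^ parity(u & x)) for x in range(1 << n))
            for u in range(1 << n)]


def walsh_of_sequence(seq: list, n: int = N) -> list:
    """Walsh transform of an arbitrary real sequence (the sequence need not be +-1)."""
    return [sum(seq[x] * (-1) ** parity(u & x) for x in range(1 << n))
            for u in range(1 << n)]


def inverse_walsh(chi: list, n: int = N) -> list:
    """Inverse transform (3.27): (-1)^{f(x)} = 2^-n sum_u chi_f(u) (-1)^{u.x}.
    Returns the recovered truth table; the division is exact, so // is safe."""
    seq = [sum(chi[u] * (-1) ** parity(u & x) for u in range(1 << n)) // (1 << n)
           for x in range(1 << n)]
    return [0 if s == 1 else 1 for s in seq]


def convolution(f: list, g: list, n: int = N) -> list:
    """Sequence-domain convolution (xi_f * xi_g)(x) = sum_{x'} chi_f(x') chi_g(x + x'),
    where + is the XOR of V_n."""
    sf = [(-1) ** b for b in f]
    sg = [(-1) ** b for b in g]
    return [sum(sf[xp] * sg[x ^ xp] for xp in range(1 << n)) for x in range(1 << n)]


def hamming_distance(f: list, g: list) -> int:
    return sum(a != b for a, b in zip(f, g))


def check_identities(f: list, g: list, n: int = N) -> dict:
    """Numerical check of (3.27), (3.28), (3.30), (3.32) and (3.38) for f and g."""
    chi_f, chi_g = walsh(f, n), walsh(g, n)
    return {
        "inverse_recovers_f": inverse_walsh(chi_f, n) == f,
        "sum_of_spectrum": sum(chi_f),                          # (3.28): 2^n or -2^n
        "parseval": sum(c * c for c in chi_f) == 1 << (2 * n),  # (3.38)
        "distance_bound": all(abs(a - b) <= 2 * hamming_distance(f, g)
                              for a, b in zip(chi_f, chi_g)),   # (3.30)
        "convolution_theorem": walsh_of_sequence(convolution(f, g, n), n)
                               == [a * b for a, b in zip(chi_f, chi_g)],  # (3.32)
    }


# Constructed sample functions on V_4 (bits x1 x2 x3 x4, x1 most significant):
# f = x1 x2 + x3 x4 is bent, so every Walsh coefficient has absolute value 2^{n/2} = 4;
# g = l_v + 1 with v = (0,1,0,1) is affine, so by (3.24) only chi_g(v) = -2^n is nonzero.
F_BENT = [((x >> 3) & (x >> 2) & 1) ^ ((x >> 1) & x & 1) for x in range(1 << N)]
V_AFFINE = 0b0101
G_AFFINE = [parity(V_AFFINE & x) ^ 1 for x in range(1 << N)]

if __name__ == "__main__":
    print("WS(f) =", walsh(F_BENT))
    print("WS(g) =", walsh(G_AFFINE))
    print(check_identities(F_BENT, G_AFFINE))
```

Because g is affine, property 4 above (equation (3.24)) predicts a single nonzero coefficient −2^n at u = v, and because f is bent every coefficient has absolute value 2^{n/2}; the script prints both spectra next to the dictionary of checks, and the same functions can be applied to any truth table of length 2^n.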


Walsh Spectrum of Vector Boolean Functions

Definition 3.6.5. Let F ∈ F_{n,m} be a vector Boolean function; the Walsh Transform of F is the two-dimensional Walsh Transform defined by:

\[ W_F(u,v) = \theta_F(u,v) = W\{Img(F)\}(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_{(u,v)}(x,y) \tag{3.39} \]

or, as it is most often written:

\[ W_F(u,v) = \theta_F(u,v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \tag{3.40} \]

The following properties can be derived from Definition 3.6.5:

1. The two-dimensional Walsh Transform is separable into two one-dimensional Walsh Transforms, satisfying for all (u,v) ∈ V_n × V_m:

\[ \theta_F(u,v) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,\chi_v(y) \Big) \chi_u(x) = \sum_{y \in V_m} \Big( \sum_{x \in V_n} \theta_F(x,y)\,\chi_u(x) \Big) \chi_v(y) \tag{3.41} \]

Proof.

\[ \theta_F(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_{(u,v)}(x,y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_u(x)\,\chi_v(y) \]

and the two finite sums can be taken in either order.

2. The two-dimensional Walsh Transform can be calculated from the Walsh Transform of the component functions of F:

\[ \theta_F(u,v) = \chi_{v \cdot F}(u) = \chi_{l_v \circ F}(u) \quad \forall (u,v) \in V_n \times V_m \tag{3.42} \]

Proof.

\[ \begin{aligned} \theta_F(u,v) &= \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,\chi_v(y) \Big) \chi_u(x) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,(-1)^{v \cdot y} \Big) (-1)^{u \cdot x} \\ &= \sum_{x \in V_n} (-1)^{v \cdot F(x)}\,(-1)^{u \cdot x} = \sum_{x \in V_n} (-1)^{l_v(F(x))}\,(-1)^{u \cdot x} = \sum_{x \in V_n} (-1)^{(l_v \circ F)(x)}\,(-1)^{u \cdot x} = \chi_{l_v \circ F}(u) \end{aligned} \]


3. The coefficient of the two-dimensional Walsh Transform of a Vector Boolean function at (0,0) is always 2^n: θ_F(0,0) = 2^n.

4. The Walsh transform of a Boolean function at u coincides with the two-dimensional Walsh Transform of a Vector Boolean function with m = 1 at (u,1). Let F ∈ F_{n,1}; then F ≡ f ∈ F_n and:

\[ \theta_F(u,v) = \begin{cases} 2^n & \text{if } (u,v) = (0,0) \\ 0 & \text{if } u \neq 0 \wedge v = 0 \\ \chi_f(u) & \text{if } v = 1 \end{cases} \tag{3.43} \]

5.

\[ \sum_{u \in V_n} \theta_F(u,v) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases} \quad \forall v \in V_m \tag{3.44} \]

Proof.

\[ \sum_{u \in V_n} \theta_F(u,v) = \sum_{u \in V_n} \chi_{v \cdot F}(u) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases} \]

6. If we analyze the summands that appear in equation (3.40), we can notice the following:

\[ (-1)^{u \cdot x + v \cdot F(x)} = \begin{cases} 1 & \text{if } u \cdot x = v \cdot F(x) \\ -1 & \text{if } u \cdot x \neq v \cdot F(x) \end{cases} \]

If we denote by L_F(u,v) the set where the function v·F coincides with the linear form associated with u:

\[ L_F(u,v) = \{x \in V_n \mid u \cdot x = v \cdot F(x)\} \tag{3.45} \]

it holds that:

\[ \begin{aligned} \theta_F(u,v) &= \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_u(x)\,\chi_v(y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,(-1)^{u \cdot x + v \cdot y} = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \\ &= \#L_F(u,v) - \big(2^n - \#L_F(u,v)\big) \end{aligned} \]

so that:

\[ \theta_F(u,v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} = 2 \cdot \#L_F(u,v) - 2^n \tag{3.46} \]

In particular, −2^n ≤ θ_F ≤ 2^n, where all values are even. The matrix containing all possible values of |#L_F(u,v) − 2^{n−1}| is referred to as its linear approximation table. The upper bound is achieved for the linear approximation of F by (u,v) because it holds that:

\[ \#L_F(u,v) = 2^n \Leftrightarrow u \cdot x = v \cdot F(x) \tag{3.47} \]

The lower bound is achieved for the affine approximation of F by (u,v) because it holds that:

\[ \#L_F(u,v) = 0 \Leftrightarrow u \cdot x + 1 = v \cdot F(x) \tag{3.48} \]

Definition 3.6.6. The Walsh Spectrum of F can be represented by a matrix whose rows are indexed by u ∈ V_n and whose columns are indexed by v ∈ V_m in lexicographic order, denoted by WS(F) ∈ M_{2^n×2^m}(R) and defined as follows:

\[ WS(F) = \begin{bmatrix} \theta_F(\alpha_0,\alpha_0) & \ldots & \theta_F(\alpha_0,\alpha_{2^m-1}) \\ \theta_F(\alpha_1,\alpha_0) & \ldots & \theta_F(\alpha_1,\alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \theta_F(\alpha_{2^n-1},\alpha_0) & \ldots & \theta_F(\alpha_{2^n-1},\alpha_{2^m-1}) \end{bmatrix} \tag{3.49} \]

where θ_F(u,v) is the value of the spectrum at (u,v).

By equation (3.42), we can deduce that the columns of this matrix are the spectra of the Boolean functions l_v ∘ F for all the linear functions l_v ∈ L_m.

The following properties can be derived from Definitions 3.6.5 and 3.6.6:

1. Let L_{A,b} ∈ F_{n,m} be an affine function where L_{A,b}(x) = Ax + b with A ∈ M_{n×m}(GF(2)) and b ∈ V_m; its spectrum satisfies [122]:

\[ \theta_{L_{A,b}}(u,v) = 2 \cdot \#L_{L_{A,b}}(u,v) - 2^n = \begin{cases} 2^n & \text{if } v^T A = u^T,\; v^T b = 0 \\ -2^n & \text{if } v^T A = u^T,\; v^T b = 1 \\ 0 & \text{if } v^T A \neq u^T \end{cases} \tag{3.50} \]

Each column of the spectrum of L_{A,b} has exactly one nonzero coefficient, with value 2^n or −2^n.


Proof.

\[ L_{L_{A,b}}(u,v) = \{x \in V_n \mid u^T x = v^T A x + v^T b\} = \{x \in V_n \mid (u^T - v^T A)\,x = v^T b\} \]

\[ \#L_{L_{A,b}}(u,v) = \begin{cases} 2^n & \text{if } v^T A = u^T,\; v^T b = 0 \\ 0 & \text{if } v^T A = u^T,\; v^T b = 1 \\ 2^{n-1} & \text{if } v^T A \neq u^T \end{cases} \]

2. Let F ∈ F_{n,n} be an affine function where F(x) = x + b with b ∈ V_n; its spectrum satisfies:

\[ \theta_F(u,v) = 2 \cdot \#L_F(u,v) - 2^n = \begin{cases} 2^n & \text{if } v^T = u^T,\; v^T b = 0 \\ -2^n & \text{if } v^T = u^T,\; v^T b = 1 \\ 0 & \text{if } v^T \neq u^T \end{cases} \]

3. Let L_{A,b} ∈ F_{n,m} be an affine Vector Boolean Function and M(L_{A,b}) ∈ M_{2^n×2^m}(R) a matrix each of whose columns has exactly one nonzero coefficient, with value 1 or −1; it holds that:

\[ WS(L_{A,b}) = 2^n \cdot M(L_{A,b}) \tag{3.51} \]

4. Let L_b ∈ F_{n,n} be the Vector Boolean Function that consists of the bit-wise addition of a constant vector b ∈ V_n; its Walsh Spectrum is a multiple of a diagonal matrix D(L_b) ∈ M_{2^n×2^n}(GF(2)) whose diagonal values satisfy d_{x,x} = (−1)^{b·x}:

\[ WS(L_b) = 2^n \cdot D(L_b) \tag{3.52} \]

5. Let Π ∈ F_{n,n} be a permutation and P_{2^n}(Π) the permutation matrix of order 2^n associated with Π; each column of its spectrum has exactly one nonzero coefficient, with value 2^n:

\[ WS(\Pi) = 2^n \cdot P_{2^n}(\Pi) \tag{3.53} \]

Definition 3.6.7. The Inverse Walsh Transform of F at (x,y) ∈ V_n × V_m is the two-dimensional Inverse Walsh Fourier Transform of its indicator function, defined by:

\[ W^{-1}_F(x,y) = \theta_F(x,y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \theta_F(u,v)\,\chi_{(u,v)}(x,y), \quad \forall (x,y) \in V_n \times V_m. \tag{3.54} \]

or, as it is most often written:

\[ \theta_F(x,y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \theta_F(u,v)\,(-1)^{u \cdot x + v \cdot y}, \quad \forall (x,y) \in V_n \times V_m. \tag{3.55} \]

The two-dimensional Inverse Walsh Transform is separable into two one-dimensional Inverse Walsh Transforms:

\[ \theta_F(x,y) = \frac{1}{2^m} \sum_{v \in V_m} \Big( \frac{1}{2^n} \sum_{u \in V_n} \theta_F(u,v)\,\chi_u(x) \Big) \chi_v(y) = \frac{1}{2^n} \sum_{u \in V_n} \Big( \frac{1}{2^m} \sum_{v \in V_m} \theta_F(u,v)\,\chi_v(y) \Big) \chi_u(x). \tag{3.56} \]

so that:

\[ \theta_F(x,y) = \frac{1}{2^m} \sum_{v \in V_m} \chi_{v \cdot F}(x)\,\chi_v(y) \quad \forall (x,y) \in V_n \times V_m. \tag{3.57} \]

3.6.2 Library

A VBF class can be initialized giving its Walsh Spectrum with the following method:

void putwalsh(const NTL::mat_ZZ& W)

To obtain its representation as Walsh Spectrum the following method must be used:

void Walsh(NTL::mat_ZZ& W, VBF& F)

Example 3.6.1. The following program provides the Walsh Spectrum of a Vector Boolean function from its Truth Table.

    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    using namespace std;   // ifstream, cout, cerr, endl

    int main(int argc, char *argv[])
    {
        using namespace VBFNS;

        VBF F;
        NTL::mat_GF2 T;

        // The Truth Table is read from the file named by the first argument
        if (argc < 2) {
            cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
            return 1;
        }
        ifstream input(argv[1]);
        if (!input) {
            cerr << "Error opening " << argv[1] << endl;
            return 1;   // report the failure to the caller
        }
        input >> T;
        F.puttt(T);
        input.close();

        cout << "The Walsh Spectrum is:" << endl;
        cout << Walsh(F) << endl;

        return 0;
    }

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

    The Walsh Spectrum is:
    [[16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
    [0 0 -4 -4 0 0 -4 12 4 4 0 0 4 4 0 0]
    [0 0 -4 -4 0 0 -4 -4 0 0 4 4 0 0 -12 4]
    [0 0 0 0 0 0 0 0 4 -12 -4 -4 4 4 -4 -4]
    [0 4 0 -4 -4 -8 -4 0 0 -4 0 4 4 -8 4 0]
    [0 -4 -4 0 -4 0 8 4 -4 0 -8 4 0 -4 -4 0]
    [0 4 -4 8 4 0 0 4 0 -4 4 8 -4 0 0 -4]
    [0 -4 0 4 4 -8 4 0 -4 0 4 0 8 4 0 4]
    [0 0 0 0 0 0 0 0 -4 4 4 -4 4 -4 -4 -12]
    [0 0 -4 -4 0 0 -4 -4 -8 0 -4 4 0 8 4 -4]
    [0 8 -4 4 -8 0 4 -4 4 4 0 0 4 4 0 0]
    [0 8 0 -8 8 0 8 0 0 0 0 0 0 0 0 0]
    [0 -4 8 -4 -4 0 4 0 4 0 4 8 0 4 0 -4]
    [0 4 4 0 -4 8 0 4 -8 -4 4 0 4 0 0 4]
    [0 4 4 0 -4 -8 0 4 -4 0 0 -4 -8 4 -4 0]
    [0 -4 -8 -4 -4 0 4 0 0 -4 8 -4 -4 0 4 0]]


Remark. We can see that the Walsh Spectrum of f1(NibbleSub) where

NibbleSub = ( f1(NibbleSub), f2(NibbleSub), f3(NibbleSub), f4(NibbleSub)) (3.58)

corresponds to the Spectrum of l_(1,0,0,0) ∘ NibbleSub. As a consequence, the Walsh Spectrum of f_1(NibbleSub) coincides with the 9-th column of WS(NibbleSub), that is, the column indexed by the vector (1,0,0,0).

3.7 Linear Profile and Linear Cryptanalysis

3.7.1 Description

Overview of Linear Cryptanalysis

Linear Cryptanalysis, introduced by Matsui [91], [94], is a known-plaintext attack based on the idea from [152]. It tries to take advantage of high probability occurrences of linear expressions involving plaintext bits, ciphertext bits, and subkey bits. The basic idea is to approximate the operation of a portion of the cipher with an expression that is linear. Such an expression is of the form:

x1 + x2 + · · ·+ xn + y1 + y2 + · · ·+ ym = 0 (3.59)

where x_i represents the i-th bit of the input x = (x_1, x_2, ..., x_n) and y_j represents the j-th bit of the output y = (y_1, y_2, ..., y_m). As said in [70]:

The approach in Linear Cryptanalysis is to determine expressions of the form above which have a high or low probability of occurrence. No obvious linearity such as above should hold for all input and output values or the cipher would be trivially weak. If a cipher displays a tendency for equation (3.59) to hold with high probability or not hold with high probability, this is evidence of the cipher's poor randomization abilities. Consider that if we randomly selected values for n+m bits and placed them into the equation above, the probability that the expression would hold would be exactly 1/2. It is the deviation or bias from the probability of 1/2 for an expression to hold that is exploited in Linear Cryptanalysis: the further away that a linear expression is from holding with a probability of 1/2, the better the cryptanalyst is able to apply Linear Cryptanalysis. Usually, the amount by which the probability of a linear expression holding deviates from 1/2 is referred to as the linear probability bias. Hence, if the expression above holds with probability p_L for randomly chosen plaintexts and the corresponding ciphertexts, then the probability bias is p_L − 1/2. The higher the magnitude of the probability bias, |p_L − 1/2|, the better the applicability of Linear Cryptanalysis with fewer known plaintexts required in the attack.

There are several ways to mount the attack of Linear Cryptanalysis (Matsui described 2 algorithms) which use the principle of maximum likelihood. In this thesis, we will focus on what Matsui calls Algorithm 2. We investigate the construction of a linear approximation involving plaintext bits as represented by x in equation (3.59) and the input to the last round of the cipher as represented by y in equation (3.59). The plaintext bits are random and consequently so are the input bits to the last round.

Equation (3.59) could be equivalently reformulated to have the right side being the sum of a number of subkey bits. However, in equation (3.59) as written with the right side of 0, the equation implicitly has subkey bits involved: these bits are fixed but unknown (as they are determined by the key under attack) and implicitly absorbed into the 0 on the right side of equation (3.59) and the probability p_L that the linear expression holds. If the sum of the involved subkey bits is 0, the bias of equation (3.59) will have the same sign (+ or −) as the bias of the expression involving the subkey sum and, if the sum of the involved subkey bits is 1, the bias of equation (3.59) will have the opposite sign.

Note that p_L = 1 implies that the linear expression of equation (3.59) is a perfect representation of the cipher behaviour and the cipher has a catastrophic weakness. If p_L = 0, then equation (3.59) represents an affine relationship in the cipher, also an indication of a catastrophic weakness. Both linear and affine approximations, indicated by p_L > 1/2 and p_L < 1/2, respectively, are equally susceptible to Linear Cryptanalysis and we shall generally use the term linear to refer to both linear and affine relationships.

The natural question to ask is: How do we construct expressions which are highly linear and, hence, can be exploited? This is done by considering the properties of the cipher's only nonlinear component: the S-box. When the nonlinearity properties of the S-box are enumerated, it is possible to develop linear approximations between sets of input and output bits in the S-box. Consequently, it is possible to concatenate linear approximations of the S-boxes together so that intermediate bits (i.e., data bits from within the cipher) can be cancelled out and we are left with a linear expression which has a large bias and involves only plaintext and the last round input bits.

Linear Expressions for S-boxes

The first step to construct a full linear equation to use with Matsui's algorithms is learning how to calculate simple linear expressions and how to determine their biases. Finding linear expressions of S-boxes requires us to find equations involving the input bits and output bits, such as x_2 + x_3 = y_1 + y_3 + y_4. Since in an n×m S-box there are n possible input bits and m possible output bits that we may either keep or omit in each linear expression, we have to look through 2^n × 2^m different expressions. Furthermore, for each expression we have to try all 2^n possible input-output value pairs. This gives 2^{2n+m} operations in total on the S-box. In general, we will want to focus on the values that have a high bias and that involve the least possible number of bits. Involving fewer bits in the input and the output helps us to manage the eventual Linear Cryptanalysis, which is composed of many linear expressions built on each other.

A complete enumeration of all linear approximations of the S-box is given in the Linear Profile (2), which is a matrix whose rows are indexed by u ∈ V_n and whose columns are indexed by v ∈ V_m in lexicographic order, denoted by LP(F) ∈ M_{2^n×2^m}(R). It holds that LP(F)(u,v) = |WS(F)(u,v)|^2. The lower bound of the Linear Profile values is 0 and the upper bound is 2^{2n}.

(2) In the literature, an equivalent matrix called Linear Approximation Table is used as well.

If we divide each element in the Linear Profile by the value of LP(F)(0,0), these values represent the number of matches between the linear equation represented in hexadecimal as "Input Sum" and the sum of the output bits represented in hexadecimal as "Output Sum". Hence, subtracting 1/2 from these values gives the probability bias for the particular linear combination of input and output bits. The hexadecimal value representing a sum, when viewed as a binary value, indicates the variables involved in the sum. For a linear combination of input variables represented as u_1·x_1 + ··· + u_n·x_n where u_i ∈ GF(2), the hexadecimal value represents the binary value u_1 ... u_n, where u_1 is the most significant bit. Similarly, for a linear combination of output bits v_1·y_1 + ··· + v_m·y_m where v_i ∈ GF(2), the hexadecimal value represents the binary vector v_1 ... v_m.

In Linear Profiles, we are looking for entries with large values. If all of the entries are small, then the S-box does not have a very linear structure, and it may make Linear Cryptanalysis of the cipher difficult. The linear potential of F, defined as

\[ lp(F) = \frac{1}{2^{2n}} \max_{(u,v) \neq (0,0)} \big( WS(F)(u,v)^2 \big) \]

is a measure of linearity in Linear Cryptanalysis, and satisfies [29] 2^{−n} ≤ lp(F) ≤ 1, so that the lower bound holds if and only if F has maximum nonlinearity (F is bent) and the upper bound is reached when F is linear or affine. This criterion can take values from 1/2^n to 1. The larger lp(F) is, the "closer" F is to a linear Vector Boolean function.

Piling-Up Lemma

Once we have linear expressions for S-boxes, we need to combine them to perform Linear Cryptanalysis effectively. The effectiveness is defined by the bias of the overall expression constructed by the combination over the rounds of the cipher. Matsui showed in [91] that the linear expressions "pile up" in the following way:

Lemma 3.7.1 (Piling-Up Lemma). Assume that we have n independent linear expressions, say E_1, ..., E_n, with associated biases ε_1, ..., ε_n. We also need to assume that they are random, as we have no real preconceptions of their values, and Boolean, so that they output 0 or 1. Then the bias of the aggregate Boolean linear expression E_1 + ··· + E_n is:

\[ \varepsilon_{1,\ldots,n} = 2^{n-1} \, (\varepsilon_1 \times \cdots \times \varepsilon_n) \tag{3.60} \]

where ε_{1,...,n} is the bias of the overall expression E_1 + ··· + E_n.
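As an added example (not from the thesis), the following Python checks Lemma 3.7.1 exactly with rational arithmetic: it folds independent biased Boolean expressions one at a time to obtain the true bias of E_1 + ··· + E_n and compares it with 2^{n−1} Π ε_i, using the biases +1/4, −1/4, −1/4, −1/4 of Heys' tutorial [70] as a constructed sample. It also shows what the independence assumption is doing: for two copies of the same expression, the exact bias computed from the joint distribution is 1/2, while (3.60) would predict 1/8. The function names and the joint-distribution representation are the example's own.

```python
# Added example (not from the thesis): exact check of the Piling-Up Lemma (3.60) with
# rational arithmetic, plus the case the lemma does not cover (dependent expressions).
from fractions import Fraction
from itertools import product


def piling_up(biases: list) -> Fraction:
    """Bias of E1 + ... + En predicted by (3.60): 2^{n-1} * eps_1 * ... * eps_n."""
    prod = Fraction(1)
    for eps in biases:
        prod *= Fraction(eps)
    return Fraction(2) ** (len(biases) - 1) * prod


def exact_bias_independent(biases: list) -> Fraction:
    """Exact bias P(E1 + ... + En = 0) - 1/2 for independent Boolean E_i with
    P(E_i = 0) = 1/2 + eps_i, computed by folding one variable at a time."""
    p0 = Fraction(1)  # the empty sum is 0 with probability 1
    for eps in biases:
        q = Fraction(1, 2) + Fraction(eps)
        # the running sum XOR E_i is 0 iff both are 0 or both are 1
        p0 = p0 * q + (1 - p0) * (1 - q)
    return p0 - Fraction(1, 2)


def exact_bias_joint(joint: dict) -> Fraction:
    """Exact bias of E1 + ... + En from an explicit joint distribution
    {(e1, ..., en): probability}; this needs no independence assumption."""
    p0 = sum(p for outcome, p in joint.items() if sum(outcome) % 2 == 0)
    return Fraction(p0) - Fraction(1, 2)


def lemma_holds(biases: list) -> bool:
    """True when the exact bias of independent expressions equals (3.60)."""
    return exact_bias_independent(biases) == piling_up(biases)


def independent_joint(biases: list) -> dict:
    """Joint distribution of independent E_i, so that exact_bias_joint can be
    compared with exact_bias_independent on the same input."""
    joint = {}
    for outcome in product((0, 1), repeat=len(biases)):
        p = Fraction(1)
        for e, eps in zip(outcome, biases):
            p *= (Fraction(1, 2) + Fraction(eps)) if e == 0 else (Fraction(1, 2) - Fraction(eps))
        joint[outcome] = p
    return joint


# Constructed sample: four independent S-box approximations with biases
# +1/4, -1/4, -1/4, -1/4 (the values used in Heys' tutorial [70]); (3.60) gives
# 2^3 * (1/4)(-1/4)(-1/4)(-1/4) = -1/32.
HEYS_BIASES = [Fraction(1, 4), Fraction(-1, 4), Fraction(-1, 4), Fraction(-1, 4)]

# Constructed counterexample to the independence assumption: E2 is the same
# expression as E1 (P(E1 = 0) = 3/4, so eps_1 = eps_2 = 1/4). Their sum is always 0,
# so the true bias is 1/2, while (3.60) would predict 2 * (1/4)^2 = 1/8.
DEPENDENT_JOINT = {(0, 0): Fraction(3, 4), (1, 1): Fraction(1, 4)}
DEPENDENT_BIASES = [Fraction(1, 4), Fraction(1, 4)]

if __name__ == "__main__":
    print("piling-up bias:", piling_up(HEYS_BIASES),
          "exact:", exact_bias_independent(HEYS_BIASES))
    print("dependent case, exact:", exact_bias_joint(DEPENDENT_JOINT),
          "lemma would say:", piling_up(DEPENDENT_BIASES))
```

The folding step is the n = 2 case of the lemma applied repeatedly: (1/2 + a)(1/2 + b) + (1/2 − a)(1/2 − b) = 1/2 + 2ab, so the bias doubles at every combination, which is where the factor 2^{n−1} comes from. When approximations share intermediate bits across rounds the independence assumption is only heuristic, and the joint-distribution route is the one that gives the true bias.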

3.7.2 Library

Note that the Linear Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Linear Profile. To obtain its representation as Linear Profile, the following method must be used:

void LAT(NTL::mat_ZZ& LP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of Linear Cryptanalysis: Linear potential and Linear relations associated with a specific value of the Linear Profile. The method used to obtain the linear potential is the following:

void lp(NTL::RR& x, VBF& F)

If we want to obtain the linear expressions associated with the value of the Linear Profile"w", we will use this method:

void linear(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability bias |p_L − 1/2| that a linear expression holds with the value of the Linear Profile "w", we will use this method:

void ProbLin(NTL::RR& x, VBF& a, NTL::ZZ& w)

Example 3.7.1. The following program finds out the Linear Profile of a Vector Boolean function together with the linear expressions that have the highest value (excluding the value in LP(F)(0,0)), their probability bias, this highest value and the linear potential.

    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    using namespace std;   // ifstream, cout, cerr, endl

    int main(int argc, char *argv[])
    {
        using namespace VBFNS;

        VBF F;
        NTL::mat_GF2 T;
        NTL::ZZ w;
        NTL::RR bias;

        // The Truth Table is read from the file named by the first argument
        if (argc < 2) {
            cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
            return 1;
        }
        ifstream input(argv[1]);
        if (!input) {
            cerr << "Error opening " << argv[1] << endl;
            return 1;   // report the failure to the caller
        }
        input >> T;
        F.puttt(T);
        input.close();

        cout << "The Linear Profile is:" << endl;
        cout << LAT(F) << endl;

        // Highest value of the Linear Profile, excluding LP(F)(0,0)
        w = maxLAT(F);
        cout << endl << "The highest value of the Linear Profile is= " << w << endl << endl;

        cout << "The linear expressions that have the highest value are:" << endl;
        linear(cout, F, w);

        ProbLin(bias, F, w);
        cout << endl;
        cout << "These expressions hold with probability bias= " << bias << endl;

        cout << endl << "The linear potential is= " << lp(F) << endl;

        return 0;
    }

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

    The Linear Profile is:
    [[256 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
    [0 0 16 16 0 0 16 144 16 16 0 0 16 16 0 0]
    [0 0 16 16 0 0 16 16 0 0 16 16 0 0 144 16]
    [0 0 0 0 0 0 0 0 16 144 16 16 16 16 16 16]
    [0 16 0 16 16 64 16 0 0 16 0 16 16 64 16 0]
    [0 16 16 0 16 0 64 16 16 0 64 16 0 16 16 0]
    [0 16 16 64 16 0 0 16 0 16 16 64 16 0 0 16]
    [0 16 0 16 16 64 16 0 16 0 16 0 64 16 0 16]
    [0 0 0 0 0 0 0 0 16 16 16 16 16 16 16 144]
    [0 0 16 16 0 0 16 16 64 0 16 16 0 64 16 16]
    [0 64 16 16 64 0 16 16 16 16 0 0 16 16 0 0]
    [0 64 0 64 64 0 64 0 0 0 0 0 0 0 0 0]
    [0 16 64 16 16 0 16 0 16 0 16 64 0 16 0 16]
    [0 16 16 0 16 64 0 16 64 16 16 0 16 0 0 16]
    [0 16 16 0 16 64 0 16 16 0 0 16 64 16 16 0]
    [0 16 64 16 16 0 16 0 0 16 64 16 16 0 16 0]]

    The highest value of the Linear Profile is= 144

    The linear expressions that have the highest value are:
    x4=y2+y3+y4
    x3=y1+y2+y3
    x3+x4=y1+y4
    x1=y1+y2+y3+y4

    These expressions hold with probability bias= 0.0625

    The linear potential is= 0.5625

Figure 3.3 represents the Linear Profile of NibbleSub and emphasizes in red the elements which achieve the highest value.

Fig. 3.3 Linear Profile of NibbleSub.
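As an added example serving both the two-dimensional Walsh spectrum of Section 3.6 and the Linear Profile just described (not code from the thesis or the VBF library), the following Python computes WS(F) by (3.40) for a 4×4 S-box, checks properties 3 and 5 of Definition 3.6.5 and the per-column Parseval identity, confirms that column v is the spectrum of l_v ∘ F as in the remark on f_1(NibbleSub), and then derives LP(F), its highest value outside (0,0), the linear expressions that attain it and the linear potential. The S-box is the 4×4 S-box of Heys' tutorial [70]; taking it to be NibbleSub is an assumption, justified by its spectrum reproducing the rows printed in Example 3.6.1 (for instance row u = (0,0,0,1)). The bias function follows (3.46) directly: #L_F(u,v) = (θ_F(u,v) + 2^n)/2, so p_L = 1/2 + θ_F(u,v)/2^{n+1}.

```python
# Added example (not from the thesis or the VBF library): the two-dimensional Walsh
# spectrum (3.40), the Linear Profile and the linear potential of a 4x4 S-box.
N, M = 4, 4  # input and output sizes

# Constructed sample: the 4x4 S-box of Heys' tutorial [70], taken here as NibbleSub
# (assumption; it reproduces the spectrum printed in Example 3.6.1).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(x: int) -> int:
    """parity(u & x) is the GF(2) dot product u.x; bit 1 is the most significant bit."""
    return bin(x).count("1") & 1


def walsh2d(sbox: list, n: int = N, m: int = M) -> list:
    """WS(F): theta_F(u,v) = sum_x (-1)^{u.x + v.F(x)}, rows u, columns v (3.40)."""
    return [[sum((-1) ** (parity(u & x) ^ parity(v & sbox[x])) for x in range(1 << n))
             for v in range(1 << m)] for u in range(1 << n)]


def walsh_bool(f: list, n: int = N) -> list:
    """One-dimensional Walsh transform of a Boolean truth table (Section 3.6.1)."""
    return [sum((-1) ** (f[x] ^ parity(u & x)) for x in range(1 << n)) for u in range(1 << n)]


def component_spectrum(sbox: list, v: int, n: int = N) -> list:
    """Spectrum of the component function l_v o F, computed as a Boolean function (3.42)."""
    return walsh_bool([parity(v & sbox[x]) for x in range(1 << n)], n)


def linear_profile(theta: list) -> list:
    """LP(F)(u,v) = |WS(F)(u,v)|^2."""
    return [[t * t for t in row] for row in theta]


def nonzero_entries(table: list):
    """All (u,v) positions except (0,0)."""
    return ((u, v) for u in range(len(table)) for v in range(len(table[0])) if (u, v) != (0, 0))


def max_lp(lp: list) -> int:
    """Highest value of the Linear Profile, excluding LP(F)(0,0)."""
    return max(lp[u][v] for u, v in nonzero_entries(lp))


def linear_potential(lp: list, n: int = N) -> float:
    """lp(F) = 2^{-2n} max_{(u,v) != (0,0)} WS(F)(u,v)^2."""
    return max_lp(lp) / (1 << (2 * n))


def expression(u: int, v: int, n: int = N, m: int = M) -> str:
    """Render u.x = v.F(x) in the library's notation, e.g. 'x4=y2+y3+y4'."""
    xs = "+".join(f"x{i + 1}" for i in range(n) if (u >> (n - 1 - i)) & 1)
    ys = "+".join(f"y{j + 1}" for j in range(m) if (v >> (m - 1 - j)) & 1)
    return f"{xs}={ys}"


def best_expressions(lp: list) -> list:
    """Linear expressions attaining the highest Linear Profile value."""
    w = max_lp(lp)
    return [expression(u, v) for u, v in nonzero_entries(lp) if lp[u][v] == w]


def bias_from_walsh(theta_uv: int, n: int = N) -> float:
    """|p_L - 1/2| for u.x = v.F(x): by (3.46) #L_F = (theta + 2^n)/2, so
    p_L = #L_F / 2^n = 1/2 + theta / 2^{n+1}."""
    return abs(theta_uv) / (1 << (n + 1))


def spectrum_checks(sbox: list, n: int = N, m: int = M) -> dict:
    """Properties 3 and 5 of Definition 3.6.5, Corollary 3.6.8 per column, and (3.42)."""
    theta = walsh2d(sbox, n, m)
    cols = [[theta[u][v] for u in range(1 << n)] for v in range(1 << m)]
    return {
        "theta_00": theta[0][0],                                                 # 2^n
        "column_sums": all(sum(cols[v]) == (1 << n) * (-1) ** parity(v & sbox[0])
                           for v in range(1 << m)),                              # (3.44)
        "parseval_per_column": all(sum(t * t for t in cols[v]) == 1 << (2 * n)
                                   for v in range(1 << m)),                      # (3.38)
        "columns_are_component_spectra": all(cols[v] == component_spectrum(sbox, v, n)
                                             for v in range(1 << m)),            # (3.42)
    }


if __name__ == "__main__":
    theta = walsh2d(SBOX)
    lp = linear_profile(theta)
    print(spectrum_checks(SBOX))
    print("max LP =", max_lp(lp), "lp(F) =", linear_potential(lp))
    print("best expressions:", best_expressions(lp))
```

For the four expressions with Linear Profile value 144 the Walsh coefficient is ±12, so by (3.46) each of them holds (or fails) for 14 of the 16 inputs and its bias |p_L − 1/2| is 12/32 = 0.375, which is what bias_from_walsh returns; note that this is not the same quantity as a Linear Profile entry divided by LP(F)(0,0) minus 1/2, because the Linear Profile holds the squared coefficients. With lp(F) = 144/256 = 0.5625, far above the lower bound 2^{−n} = 1/16, the S-box offers strong linear approximations, which is exactly what the red entries in Figure 3.3 flag.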

3.8 Differential Profile and Differential Cryptanalysis

3.8.1 Description

Overview of Differential Cryptanalysis

Differential Cryptanalysis, introduced by Biham and Shamir [13], is a chosen-plaintext attack. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. For example, consider a Vector Boolean function with input x = (x_1, ..., x_n) and output y = (y_1, ..., y_m). Let two inputs to the system be x′ and x″ with the corresponding outputs y′ and y″, respectively. The input difference is given by Δx = x′ + x″ = (Δx_1, ..., Δx_n) where Δx_i = x_i′ + x_i″, and the output difference by Δy = y′ + y″ = (Δy_1, ..., Δy_m) where Δy_i = y_i′ + y_i″.


As said in [70]:

In an ideally randomizing cipher, the probability that a particular output difference Δy occurs given a particular input difference Δx is 1/2^n. Differential cryptanalysis seeks to exploit a scenario where a particular Δy occurs given a particular input difference Δx with a very high probability p_D (i.e., much greater than 1/2^n). The pair (Δx, Δy) is referred to as a differential.

Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key. For differential cryptanalysis, the attacker will select pairs of inputs, x′ and x″, to satisfy a particular Δx, knowing that for that Δx value, a particular Δy value occurs with high probability.

In this thesis, we investigate the construction of a differential (Δx, Δy) involving plaintext bits as represented by x and the input to the last round of the cipher as represented by Δy. We shall do this by examining highly likely differential characteristics, where a differential characteristic is a sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round. Using the highly likely differential characteristic gives us the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of subkeys.

S-boxes Differentials

The first step of Differential Cryptanalysis is to compute the characteristics of the inputs and the outputs of the S-boxes, which we will then combine together to form a characteristic for the complete cipher. Consider an n×m S-box with input x = (x_1, ..., x_n) and output y = (y_1, ..., y_m). All difference pairs of an S-box, (Δx, Δy), can be examined and the probability of Δy given Δx can be derived by considering input pairs (x′, x″) such that x′ + x″ = Δx. Since the ordering of the pair is not relevant, for an n×m S-box we need only consider all 2^n values for x′; the value of Δx then constrains the value of x″ to be x″ = x′ + Δx. We can derive the resulting values of Δy for each input pair (x′, x″ = x′ + Δx).

We can tabulate the complete differential data for an S-box in the Differential Profile (3), in which the rows represent Δx values and the columns represent Δy values.

(3) In the literature, an equivalent matrix called Difference Distribution Table is used as well.

If we divide each element in the Differential Profile by the value of DP(F)(0,0), these values represent the probability of the corresponding output difference Δy given the input difference Δx, that is (Δx ⇒ Δy), called a characteristic. In general, entries in the Differential Profile with fewer bits set in Δx and Δy and a higher probability are desirable.

Definition 3.8.1. Let F ∈ F_{n,m}. We denote by D_F(u,v) the set of vectors where the difference Vector Boolean Function of F in the direction of u ∈ V_n coincides with v ∈ V_m:

\[ D_F(u,v) = \{x \in V_n \mid \Delta_u F(x) = v\} \tag{3.61} \]

Definition 3.8.2. Let F ∈ Fn,m where n≥ m. The matrix containing all possible values of#DF(u,v) is referred to as its XOR or Differential Distribution Table.

Nyberg in [114] introduced the concept of differential uniformity as a measure of the resistance to differential cryptanalysis as follows:

Definition 3.8.3. A Vector Boolean function F ∈ F_{n,m} is called differentially du(F)-uniform if for all u ≠ 0 ∈ V_n and v ∈ V_m:

\[ \#\{x \in V_n \mid F(x+u) + F(x) = v\} \leq du(F) \tag{3.62} \]

The differential uniformity du(F) is the largest value in the Differential Distribution Table of F (not counting the first entry in the first row), namely:

\[ du(F) = \max_{(u,v) \neq (0,0)} \#D_F(u,v) = \max_{(u,v) \neq (0,0)} \#\{x \in V_n \mid F(x) + F(x+u) = v\} \tag{3.63} \]

Definition 3.8.4. Define the function δ_F : V_n × V_m → Q as follows:

\[ \delta_F(u,v) = \frac{1}{2^n} \#D_F(u,v) \tag{3.64} \]

Definition 3.8.5. The Differential Profile of F can be represented by a matrix whose rows are indexed by u ∈ V_n and whose columns are indexed by v ∈ V_m in lexicographic order, denoted by DP(F) ∈ M_{2^n×2^m}(R) and defined as follows:

\[ DP(F) = 2^{2n+m} \begin{bmatrix} \delta_F(\alpha_0,\alpha_0) & \ldots & \delta_F(\alpha_0,\alpha_{2^m-1}) \\ \delta_F(\alpha_1,\alpha_0) & \ldots & \delta_F(\alpha_1,\alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \delta_F(\alpha_{2^n-1},\alpha_0) & \ldots & \delta_F(\alpha_{2^n-1},\alpha_{2^m-1}) \end{bmatrix} \]

Definition 3.8.6. The maximum value of δ_F(u,v) is called the differential potential of F:

\[ dp(F) = \max\{\delta_F(u,v) \mid u \in V_n,\; v \in V_m,\; (u,v) \neq (0,0)\} \]


Corollary 3.8.1. The differential uniformity of F ∈ F_{n,m} and its differential potential are related as follows:

\[ dp(F) = \frac{1}{2^n}\, du(F) \tag{3.65} \]

It is a measure of the robustness against differential cryptanalysis, where 2^{−m} ≤ dp(F) ≤ 1; the lower bound holds if and only if F is bent and the upper bound is reached when F is linear or affine. Equivalently, dp(F) = 2^{−n} du(F).

3.8.2 Library

Note that the Differential Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Differential Profile. To obtain its representation as Differential Profile, the following method must be used:

void DAT(NTL::mat_ZZ& DP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of differential cryptanalysis: Differential potential and Differential relations associated with a specific value of the Differential Profile. The method used to obtain the differential potential is the following:

void dp(NTL::RR& x, VBF& F)

If we want to obtain the characteristics associated with the value of the Differential Profile"w", we will use this method:

void differential(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability that a characteristic (Δx ⇒ Δy) holds with the value of the Differential Profile "w", we will use this method:

void ProbDif(NTL::RR& x, VBF& a, NTL::ZZ& w)

Example 3.8.1. The following program finds out the Differential Profile of a Vector Boolean function together with the characteristics that have the highest value (excluding the value in DP(F)(0,0)), their probability, this highest value and the differential potential.


    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    using namespace std;   // ifstream, cout, cerr, endl

    int main(int argc, char *argv[])
    {
        using namespace VBFNS;

        VBF F;
        NTL::mat_GF2 T;
        NTL::ZZ w;
        NTL::RR p;

        // The Truth Table is read from the file named by the first argument
        if (argc < 2) {
            cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
            return 1;
        }
        ifstream input(argv[1]);
        if (!input) {
            cerr << "Error opening " << argv[1] << endl;
            return 1;   // report the failure to the caller
        }
        input >> T;
        F.puttt(T);
        input.close();

        cout << "The Differential Profile is:" << endl;
        cout << DAT(F) << endl;

        // Highest value of the Differential Profile, excluding DP(F)(0,0)
        w = maxDAT(F);
        cout << endl << "The highest value of the Differential Profile is= " << w << endl;

        cout << endl << "The characteristics that have the highest value are:" << endl;
        differential(cout, F, w);

        ProbDif(p, F, w);
        cout << endl << "These expressions hold with probability= " << p << endl;

        cout << endl << "The differential potential is= " << dp(F) << endl;

        return 0;
    }

If we use as input of this program the Truth Table of NibbleSub, the output of the programwould be the following:

The Differential Profile is:
[[4096 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 512 0 0 0 512 0 512 1024 0 1024 512 0 0]
 [0 0 0 512 0 1536 512 512 0 512 0 0 0 0 512 0]
 [0 0 512 0 512 0 0 0 0 1024 512 0 512 0 0 1024]
 [0 0 0 512 0 0 1536 0 0 512 0 1024 512 0 0 0]
 [0 1024 0 0 0 512 512 0 0 0 1024 0 512 0 0 512]
 [0 0 0 1024 0 1024 0 0 0 0 0 0 512 512 512 512]
 [0 0 512 512 512 0 512 0 0 512 512 0 0 0 0 1024]
 [0 0 0 0 0 0 512 512 0 0 0 1024 0 1024 512 512]
 [0 512 0 0 512 0 0 1024 512 0 512 512 512 0 0 0]
 [0 512 512 0 0 0 0 0 1536 0 0 512 0 0 1024 0]
 [0 0 2048 0 0 512 0 512 0 0 0 0 0 512 0 512]
 [0 512 0 0 512 512 512 0 0 0 0 512 0 1536 0 0]
 [0 1024 0 0 0 0 0 1024 512 0 512 0 512 0 512 0]
 [0 0 512 1024 512 0 0 0 1536 0 0 0 0 0 512 0]
 [0 512 0 0 1536 0 0 0 0 1024 0 512 0 0 512 0]]

The highest value of the Differential Profile is= 2048

The characteristics that have the highest value are:[1 0 1 1]->[0 0 1 0]

These expressions hold with probability= 0.5

The differential potential is= 0.5

Figure 3.4 shows the Differential Profile of NibbleSub and highlights in blue the entries which achieve the highest value.


Fig. 3.4 Differential Profile of NibbleSub.
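The following Python program is an added example and is not part of the thesis or of the VBF library. It recomputes the difference distribution table of NibbleSub directly from its lookup table, derives du(F), dp(F) = du(F)/2^n and the most probable characteristics, and runs the structural checks a reviewer would apply to any hand-typed S-box (every row sums to 2^n, the first row is concentrated in (0,0), all entries are even). The Differential Profile printed above is this table scaled by a constant factor (2048/8 = 256). All function names below are local to the example.

```python
# Added example (not from the VBF library or the thesis): DDT, differential
# uniformity and differential potential of NibbleSub, the 4x4 S-box used
# throughout the chapter.
from fractions import Fraction

NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def ddt(sbox, n, m):
    """2^n x 2^m table D with D[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for dx in range(1 << n):
        for x in range(1 << n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(table):
    """du(F): the largest DDT entry outside the trivial (0,0) cell."""
    return max(table[dx][dy]
               for dx in range(len(table))
               for dy in range(len(table[0]))
               if (dx, dy) != (0, 0))


def differential_potential(table, n):
    """dp(F) = du(F) / 2^n (Corollary 3.8.1), as an exact fraction."""
    return Fraction(differential_uniformity(table), 1 << n)


def best_characteristics(table):
    """All (dx, dy) attaining du(F): the most probable one-round differentials."""
    du = differential_uniformity(table)
    return [(dx, dy)
            for dx in range(len(table))
            for dy in range(len(table[0]))
            if (dx, dy) != (0, 0) and table[dx][dy] == du]


def probability(table, dx, dy, n):
    """Probability that input difference dx yields output difference dy."""
    return Fraction(table[dx][dy], 1 << n)


def sanity_checks(table, n):
    """Invariants every DDT satisfies; a failure means the S-box was mistyped.

    Each row sums to 2^n (every x contributes once), row 0 is all in (0,0),
    and all entries are even because x and x^dx produce the same pair.
    """
    rows_ok = all(sum(row) == (1 << n) for row in table)
    zero_row_ok = table[0][0] == (1 << n) and not any(table[0][1:])
    even_ok = all(v % 2 == 0 for row in table for v in row)
    return rows_ok and zero_row_ok and even_ok


if __name__ == "__main__":
    n = m = 4
    table = ddt(NIBBLESUB, n, m)
    for dx, row in enumerate(table):
        print(f"{dx:x}: " + " ".join(f"{v:2d}" for v in row))
    print("du(F) =", differential_uniformity(table))
    print("dp(F) =", differential_potential(table, n))
    for dx, dy in best_characteristics(table):
        print(f"{dx:04b} -> {dy:04b} holds with probability",
              probability(table, dx, dy, n))
    print("sanity checks passed:", sanity_checks(table, n))
```

Run as written it prints the 16x16 count table, du(F) = 8, dp(F) = 1/2 and the single best characteristic 1011 -> 0010, matching the library output above.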

3.9 Autocorrelation Spectrum

3.9.1 Description

The Autocorrelation provides a useful description of a Vector Boolean function in relation tosome cryptographic criteria. It is derived from the sequences of the component functions ofthe Vector Boolean function and does not uniquely determine the Vector Boolean functionitself.

Definition 3.9.1. The directional derivative of f ∈ F_n in the direction of u ∈ V_n is defined as:

    \Delta_u f(x) = f(x+u) + f(x), \quad x \in V_n    (3.66)

Similarly, the directional derivative of the sequence (polarity truth table) χ_f of a Boolean function in the direction of u ∈ V_n is defined as:

    \Delta_u \chi_f(x) = \chi_f(x+u) \cdot \chi_f(x), \quad x \in V_n    (3.67)

The autocorrelation of f ∈ F_n with respect to the shift u ∈ V_n, r_f(u), is defined from the Polarity Truth Table as:

    r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u)    (3.68)

From this definition of the autocorrelation function we note two important properties:

1. For every Boolean function r_f(0) = 2^n, since (χ_f(x))^2 = 1 ∀x ∈ V_n.

2. For u ≠ 0, r_f(u) is proportional to the correlation between f(x+u) and f(x), i.e. r_f(u) = 2^n · C(f(x+u), f(x)). Equivalently r_f(u) = 2^n − 2·wt(Δ_u f), so r_f(u) = 0 exactly when the derivative Δ_u f is balanced.

The Autocorrelation Spectrum gives an indication of the imbalance of all first-order derivatives of the component functions of a Vector Boolean function. As differential cryptanalysis exploits imbalanced derivatives of Vector Boolean functions, the Autocorrelation Spectrum is vital in the analysis.

The Walsh Spectrum and the Autocorrelation Spectrum of a Boolean function are related by the Cross-Correlation Theorem and the Walsh Wiener-Khinchin Theorem, among others, as illustrated below. In what follows χ_u(x) = (−1)^{u·x}, W_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_u(x) is the Walsh transform of f (the quantity written χ_f(u) on the right-hand sides of (3.70) and (3.72) in the original notation), and correlations are unnormalized, as in (3.68), so that r_f(0) = 2^n. If the correlations are instead divided by 2^n, an extra factor 2^{-n} appears on the right-hand sides of (3.69) to (3.72); the VBF library reports the unnormalized values.

Theorem 3.9.1 (Cross-Correlation Theorem). Let f, g ∈ F_n and let r_{f,g}(x) = \sum_{x' \in V_n} \chi_f(x')\,\chi_g(x'+x) be their cross-correlation. The Walsh Transform of the cross-correlation of f and g is equal to the pointwise product of their respective Walsh transforms:

    r_{f,g} \;\xleftrightarrow{W}\; WS(f) \odot WS(g)    (3.69)

or alternatively:

    \sum_{x \in V_n} r_{f,g}(x)\,(-1)^{u \cdot x} = W_f(u) \cdot W_g(u), \quad \forall u \in V_n    (3.70)

Proof. Substituting t = x' + x, so that χ_u(x) = χ_u(t) χ_u(x'):

    \sum_{x} r_{f,g}(x)\,\chi_u(x)
      = \sum_{x} \Big(\sum_{x'} \chi_f(x')\,\chi_g(x'+x)\Big)\chi_u(x)
      = \sum_{x'} \chi_f(x') \Big(\sum_{x} \chi_g(x'+x)\,\chi_u(x)\Big)
      = \sum_{x'} \chi_f(x')\,\chi_u(x') \Big(\sum_{t} \chi_g(t)\,\chi_u(t)\Big)
      = W_g(u) \sum_{x'} \chi_f(x')\,\chi_u(x') = W_f(u) \cdot W_g(u).

Theorem 3.9.2 (Walsh Wiener-Khinchin Theorem). Let f ∈ F_n. The Walsh Transform of the autocorrelation function of f at u is equal to the value of the energy spectrum of f at u:

    r_f \;\xleftrightarrow{W}\; |WS(f)|^2    (3.71)

or alternatively:

    \sum_{x \in V_n} r_f(x)\,(-1)^{u \cdot x} = |W_f(u)|^2, \quad \forall u \in V_n    (3.72)

Proof. Take g = f in Theorem 3.9.1, since r_f = r_{f,f}.

Corollary 3.9.3 (Parseval equation [85]). Since W_{\Delta_x f}(0) = \sum_{y \in V_n} (-1)^{f(y+x)+f(y)} = r_f(x),

    \sum_{x \in V_n} W_{\Delta_x f}(0)\,(-1)^{u \cdot x} = |W_f(u)|^2    (3.73)

Proof. Substitute r_f(x) = W_{\Delta_x f}(0) into (3.72). Summing (3.73) over all u ∈ V_n, only the term x = 0 survives on the left and gives \sum_{u \in V_n} |W_f(u)|^2 = 2^n r_f(0) = 2^{2n}, which is Parseval's equation.

Corollary 3.9.4. The relationships between the Walsh Transform, the autocorrelation and the energy of a Boolean function f ∈ F_n can be summarized by the following commutative diagram, where r: f ↦ r_f and ε_f = |W_f|^2 is the energy spectrum:

    f   ----W---->   W_f
    |                 |
    r               |·|^2
    |                 |
    v                 v
    r_f ----W---->   ε_f = |W_f|^2

Definition 3.9.2. The Autocorrelation Spectrum of F ∈ F_{n,m}, denoted by R(F) ∈ M_{2^n×2^m}(Z), is the matrix obtained by Equation 2.4 whose columns are the autocorrelation spectra of the component functions v·F: the entry in row u and column v is r_{v·F}(u). Every entry lies between −2^n and 2^n; the first row (u = 0) and the first column (v = 0, the constant component) are identically 2^n.

3.9.2 Linear structures

If the directional derivative of f ∈ Fn in the direction of u ∈ Vn: ∆u f (x) = f (x+u)+ f (x)is a constant function, then u is a linear structure of f [84], [31]. The zero vector 0 is atrivial linear structure since ∆0 f (x) = 0 ∀x ∈ Vn. From the point of view of autocorrelation,a vector in Vn is a linear structure if it satisfies the following:

Definition 3.9.3. The vector u ∈ Vn is a linear structure of f if and only if |r f (u)|= 2n.

The notion of linear structures can be extended for the case of Vector Boolean functions.The definition of a Vector Boolean function that has a linear structure was originally proposedby Chaum [31] and Evertse [58]. They defined that a Vector Boolean function F has a linearstructure by considering the existence of nontrivial linear structure in any of the componentfunctions of F .

Definition 3.9.4. F ∈ F_{n,m} is said to have a linear structure if there exists a nonzero vector u ∈ V_n together with a nonzero vector v ∈ V_m such that v·F(x) + v·F(x+u) takes the same value c ∈ GF(2) ∀x ∈ V_n.

Definition 3.9.5. Equivalently, in terms of the Autocorrelation Spectrum, F ∈ F_{n,m} has a linear structure if there exist nonzero u ∈ V_n and nonzero v ∈ V_m such that |r_{v·F}(u)| = 2^n, i.e. an entry ±2^n of R(F) outside its first row and first column. The sign gives the constant c: +2^n for c = 0 and −2^n for c = 1.


Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structures [58]. The existence of nonzero linear structures in the functions implemented in stream ciphers is also a potential risk that should be avoided, even though no attack exploiting it is known so far.

3.9.3 Library

To obtain its representation as Autocorrelation Spectrum, the following method must be used:

void AC(NTL::mat_ZZ& R, VBF& F)

The method used to obtain the linear structures is the following:

void LS(NTL_SNS ostream& s, VBF& F)

Example 3.9.1. The following program finds out the Autocorrelation Spectrum of a VectorBoolean function together with its linear structures having as input its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
      return 1;
   }

   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Autocorrelation Spectrum is:" << endl;
   cout << AC(F) << endl;

   cout << endl << "The linear structures are: " << endl;
   LS(cout, F);         // prints the pairs (u, v) with |r_{v.F}(u)| = 2^n

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the programwould be the following:

The Autocorrelation Spectrum is:
[[16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16]
 [16 0 0 0 0 0 -8 -8 -8 -8 -8 8 0 0 8 8]
 [16 -8 0 -8 -8 0 0 8 8 -8 0 0 -8 8 -8 8]
 [16 0 0 0 0 0 0 -16 -8 8 0 0 0 0 -8 8]
 [16 0 -8 0 0 -16 0 8 0 8 -8 -8 -8 0 8 8]
 [16 0 0 -8 0 0 0 -8 0 -8 8 -8 0 -8 8 8]
 [16 -8 0 0 -8 0 -8 8 0 -8 0 0 8 0 -8 8]
 [16 0 -8 0 0 0 0 -8 0 8 0 0 0 -8 -8 8]
 [16 -8 -8 0 -8 0 0 8 -8 8 0 0 0 0 8 -8]
 [16 0 0 8 0 0 0 -8 0 -8 0 0 -8 0 8 -8]
 [16 8 0 0 8 0 8 8 -8 -8 0 -8 0 0 -8 -16]
 [16 0 -8 -8 0 16 -8 -8 8 8 -8 -8 8 8 -8 -8]
 [16 -8 8 -8 -8 0 -8 8 0 8 0 0 0 -8 8 -8]
 [16 0 0 0 0 0 8 -8 0 -16 0 0 0 0 8 -8]
 [16 8 0 8 8 0 0 8 0 -8 -8 0 0 -8 -16 -8]
 [16 0 8 0 0 -16 0 -8 0 8 8 8 -8 0 -8 -8]]

The linear structures are:
([0 0 1 1],[0 1 1 1])
([0 1 0 0],[0 1 0 1])
([1 0 1 0],[1 1 1 1])
([1 0 1 1],[0 1 0 1])
([1 1 0 1],[1 0 0 1])
([1 1 1 0],[1 1 1 0])
([1 1 1 1],[0 1 0 1])

NibbleSub therefore has seven linear structures, printed above as pairs (u, v). For instance u = (0,0,1,1), v = (0,1,1,1) corresponds to the entry −16 in row 3, column 7 of R(F): the derivative of the component function F_2 + F_3 + F_4 in the direction (0,0,1,1) is the constant 1. Figure 3.5 shows the Autocorrelation Spectrum of NibbleSub and highlights in red the values corresponding to these linear structures.

Fig. 3.5 Linear structures of NibbleSub.
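The following Python program is an added example, not part of the thesis or of the VBF library. It recomputes the Autocorrelation Spectrum R(F) of NibbleSub with the conventions of the text (row index u is the shift, column index v selects the component v·F, vectors are written most significant bit first so that [0 0 1 1] is the integer 3), extracts the linear structures of Definition 3.9.5 with their sign, and checks the unnormalized Wiener-Khinchin relation (3.72) numerically for every component. All names are local to the example.

```python
# Added example (not from the VBF library): Autocorrelation Spectrum, linear
# structures and a numerical check of Theorem 3.9.2 for NibbleSub.
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(word):
    """Parity of the set bits; parity(u & x) is the dot product u.x over GF(2)."""
    return bin(word).count("1") & 1


def component(sbox, v):
    """Truth table of the component function v.F as a list of 0/1 values."""
    return [parity(v & y) for y in sbox]


def autocorrelation(f, n):
    """r_f(u) = sum_x (-1)^(f(x) + f(x+u)), unnormalised as in (3.68)."""
    return [sum(1 - 2 * (f[x] ^ f[x ^ u]) for x in range(1 << n))
            for u in range(1 << n)]


def walsh(f, n):
    """W_f(w) = sum_x (-1)^(f(x) + w.x)."""
    return [sum(1 - 2 * (f[x] ^ parity(w & x)) for x in range(1 << n))
            for w in range(1 << n)]


def autocorrelation_spectrum(sbox, n, m):
    """R(F)[u][v] = r_{v.F}(u): columns are the spectra of the components."""
    cols = [autocorrelation(component(sbox, v), n) for v in range(1 << m)]
    return [[cols[v][u] for v in range(1 << m)] for u in range(1 << n)]


def linear_structures(R, n, m):
    """Nonzero (u, v) with |r_{v.F}(u)| = 2^n. A value +2^n means the
    derivative of v.F in direction u is the constant 0, -2^n the constant 1."""
    return [(u, v) for u in range(1, 1 << n) for v in range(1, 1 << m)
            if abs(R[u][v]) == (1 << n)]


def wiener_khinchin_holds(f, n):
    """sum_u r_f(u) (-1)^(u.w) == W_f(w)^2 for every w (Theorem 3.9.2)."""
    r, W = autocorrelation(f, n), walsh(f, n)
    return all(sum(r[u] * (1 - 2 * parity(u & w)) for u in range(1 << n)) == W[w] ** 2
               for w in range(1 << n))


def bits(word, width):
    """Integer to MSB-first bit list, the vector notation used in the output."""
    return [(word >> (width - 1 - i)) & 1 for i in range(width)]


if __name__ == "__main__":
    n = m = 4
    R = autocorrelation_spectrum(NIBBLESUB, n, m)
    for row in R:
        print(" ".join(f"{v:3d}" for v in row))
    for u, v in linear_structures(R, n, m):
        print(f"({bits(u, n)},{bits(v, m)})  r = {R[u][v]}")
    print("Wiener-Khinchin holds for every component:",
          all(wiener_khinchin_holds(component(NIBBLESUB, v), n) for v in range(1 << m)))
```

The seven pairs it prints are exactly those listed by LS above, and the sign column shows that six of them have a derivative equal to the constant 1 and one (u = 1011, v = 0101) equal to the constant 0.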

3.10 Affine Function and Affine Equivalence

3.10.1 Description

A Boolean linear function is defined as a Boolean function consisting only of the sum ofsingle input variables. Similarly, the set of Boolean affine functions is defined as the set oflinear functions and their complements. A mathematical description of the linear and affineBoolean functions is given as follows.

Definition 3.10.1. A Boolean linear function is defined as the sum of a subset of the input variables, denoted

    l_u(x) = u_1 x_1 + u_2 x_2 + \cdots + u_n x_n    (3.74)

where u = (u_1, . . . , u_n) ∈ V_n.


Definition 3.10.2. The set of Boolean affine functions consists of the linear functions and their complements, denoted

    l_{u,b}(x) = l_u(x) + b    (3.75)

where b ∈ GF(2).

An affine Vector Boolean function is defined in terms of a linear Vector Boolean functionand a dyadic shift. A linear Vector Boolean function involves the multiplication of the inputvector by a Boolean matrix. A dyadic shift (or translation) involves the complement ofa subset of input bits. As such, an affine Vector Boolean function may be defined as thecombination of a linear Vector Boolean function and dyadic shift. A mathematical descriptionof the linear and affine Vector Boolean functions is given as follows.

Definition 3.10.3. A Vector Boolean function L_{A,b} ∈ F_{n,m} is defined as L_{A,b}(x) = x·A + b with x ∈ V_n, A ∈ M_{n×m}(GF(2)) and b ∈ V_m; if b = 0 then L_{A,b} is linear, and if b ≠ 0 then it is affine (but not linear).

Affine Equivalence of Boolean Functions

Equivalence classes provide a powerful tool in both the construction and analysis of Boolean functions for cryptography. In particular, rather than considering the entire space of 2^{2^n} functions, a reduced view is obtained by considering only one function from each equivalence class. We start by giving an overview of the invariant properties over RM(s,n) for s = 1, 0, −1, which are the most frequently used equivalences. The computational complexity of determining whether a Boolean function satisfies an invariant property is an important measure of the efficiency of the property.

A well-known and widely used approach in the study of algebraic objects (groups,rings,...) is the investigation of their sub-objects and quotient objects. Since linear codesare linear spaces, this approach can also be applied to them. Let C be a linear code overthe finite field F and G be the group of automorphisms. If A is a G-invariant subcodeof C (i.e., φ(A) ⊆ A for all φ ∈ G) then G naturally induces an action on the quotientspace C /A consisting of all cosets c+A,c ∈ C . If φ ∈ G preserves a given property andφ : c1 +A→ c2 +A, then both c1 +A and c2 +A satisfy (or do not satisfy) this property.Therefore, once we know the partition of C /A into G-orbits, we can restrict ourselves to thestudy of the representatives of the orbits.

The automorphism group of RM(r,n) for all 0 ≤ r ≤ n is equal to the general affine group AGL(n,2) [96]. Define RM(−1,n) = {0}. For −1 ≤ s < r ≤ n, the quotient space of RM(r,n) by the subcode RM(s,n) is denoted by RM(r,n)/RM(s,n). Consequently, two functions f, g of RM(r,n)/RM(s,n) are said to be equivalent over RM(s,n) if g(x) = f(Ax+b) mod RM(s,n). If s = 1, this means that

g(x) = f (Ax+b)+ cx+d (3.76)

where A ∈ M_{n×n}(GF(2)), b, c ∈ V_n and d ∈ GF(2), and it is an affine transformation. The functions f and g satisfying 3.76 are called equivalent under the action of AGL(n,2). This equivalence determines the affine equivalence classes in RM(r,n) for r ≥ 1. If s = 0, then c = 0 and the functions f and g are said to be equivalent over RM(0,n). If c = 0, d = 0, the functions are equivalent over RM(−1,n); we also say in this case that the functions are affine equivalent. If in addition b = 0, the functions are said to be linear equivalent. A property is called an RM(s,n) invariant property if it is invariant over RM(s,n). An RM(s,n) invariant property can be seen as a mapping M from the set of Boolean functions to a set such that for any two equivalent functions f, g over RM(s,n), the equality M(f) = M(g) holds. By definition, an RM(s,n) invariant property is also an RM(k,n) invariant property for all −1 ≤ k ≤ s. Note that on RM(r,n)/RM(r−1,n) for 0 ≤ r ≤ n, the action of AGL(n,2) reduces to the action of the general linear group GL(n,2), since translations (x → x+b, ∀x ∈ V_n) leave every element of RM(r,n)/RM(r−1,n) fixed.

Equation 3.76 can be interpreted as a composition of several Boolean and Vector Boolean functions:

    x  --L_{A,b}-->  L_{A,b}(x)  --f-->  f(L_{A,b}(x)),        g(x) = f(L_{A,b}(x)) + a_{c,d}(x)

where:

1. L_{A,b} ∈ F_{n,n} is an affine Vector Boolean function defined as L_{A,b}(x) = Ax + b with A ∈ M_{n×n}(GF(2)) non-singular and b ∈ V_n.

2. a_{c,d} ∈ F_n is an affine Boolean function defined as a_{c,d}(x) = c·x + d with c ∈ V_n and d ∈ GF(2).

Of particular interest in the study of equivalence classes is the effect of the affine trans-formation on the algebraic degree, the Walsh Spectrum and Autocorrelation Spectrum of aBoolean function.


Frequency Distribution of the Absolute Values of the Walsh Spectrum

The effect of applying an affine transformation to a Boolean function is to rearrange (and possibly negate) the values of its Walsh Spectrum; hence the distribution of the absolute Walsh values is invariant under all affine transformations. If we consider g and f as in Equation 3.76, with A non-singular, then by 3.51 and 5.2.1 it holds that [123]:

    \chi_g(u) = (-1)^{d}\,(-1)^{(u+c)\cdot A^{-1}b}\;\chi_f\big((A^{-1})^{T}(u+c)\big)    (3.77)

where the factor (−1)^d only flips the sign of the whole spectrum. Thus nonlinearity, which depends only on max_u |χ_g(u)|, is also invariant under affine transformation.

Frequency Distribution of the Absolute Values of the Autocorrelation Spectrum

The effect of applying an affine transformation to a Boolean function on the Autocorrelation Spectrum is likewise to rearrange the values up to sign; hence the distribution of the absolute autocorrelation values is invariant under all affine transformations. If we consider g and f as in Equation 3.76, then Preneel [123] shows that:

rg(u) = (−1)u·cr f (Au) (3.78)

Thus absolute indicator is also invariant under affine transformation.

3.10.2 Library

A VBF class can be initialized for a affine Vector Boolean function giving its correspondingmatrix and vector by the following method:

void putaffine(const NTL::mat_GF2& A,const NTL::vec_GF2& b)

The method used to obtain the Frequency distribution of the absolute values of the WalshSpectrum is the following:

void printFWH(NTL_SNS ostream& s, VBF& F)

The method used to obtain the Frequency distribution of the absolute values of theAutocorrelation Spectrum is the following:

void printFAC(NTL_SNS ostream& s, VBF& F)


Example 3.10.1. The following program finds out the Walsh Spectrum, the Frequency distribution of the absolute values of the Walsh Spectrum, the Autocorrelation Spectrum, and the Frequency distribution of the absolute values of the Autocorrelation Spectrum of a Vector Boolean function, having as input the matrix A and the vector b associated with an affine function where:

    A = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad b = (0,1)

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 A;
   NTL::vec_GF2 b;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <affine-file>" << endl;
      return 1;
   }

   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> A;            // n x m matrix over GF(2)
   input >> b;            // vector of length m
   F.putaffine(A, b);     // F(x) = x*A + b
   input.close();

   cout << "The Walsh Spectrum is:" << endl << Walsh(F) << endl << endl;

   cout << "Frequency distribution of the absolute values of "
           "the Walsh Spectrum:" << endl;
   printFWH(cout, F);
   cout << endl;

   cout << "The Autocorrelation Spectrum is:" << endl << AC(F) << endl;

   cout << "Frequency distribution of the absolute values of "
           "the Autocorrelation Spectrum:" << endl;
   printFAC(cout, F);
   cout << endl;

   return 0;
}

The output of the program would be the following:

The Walsh Spectrum is:
[[4 0 0 0]
 [0 0 4 0]
 [0 -4 0 0]
 [0 0 0 -4]]

Frequency distribution of the absolute values of the Walsh Spectrum:
(0,3),(4,1)
(0,3),(4,1)
(0,3),(4,1)

The Autocorrelation Spectrum is:
[[4 4 4 4]
 [4 4 -4 -4]
 [4 -4 4 -4]
 [4 -4 -4 4]]

Frequency distribution of the absolute values of the Autocorrelation Spectrum:
(4,4)
(4,4)
(4,4)


3.11 Cycle Structure, Fixed Points and Negated Fixed Points

3.11.1 Description

Definition 3.11.1. The cycle structure of an invertible vector Boolean function F ∈ F_{n,n} (permutation) describes the number of cycles and their length.

A permutation can also be written in a way that groups together the images of a given number under repeated applications of F. For example, the permutation

    F = ( 1 2 3 4 5 6 7 8 9 )
        ( 3 6 4 7 5 9 1 8 2 )    (3.79)

(each number in the top row is mapped to the number below it) can be written

    F = (1347)(269)(5)(8)    (3.80)

The first group of numbers in parentheses indicates that 1 gets mapped to 3, 3 getsmapped to 4, 4 gets mapped to 7, and 7 gets mapped back to 1. Each of the other groupingsis interpreted in a similar way. These groups of numbers are called cycles, and this notationfor permutations is referred to as cycle notation. Following are several facts relating to cyclesand cycle notation:

• A cycle of k numbers is referred to as a k-cycle or a cycle of length k; for example,(1347) is a 4-cycle or a cycle of length 4.

• A cycle of one number indicates that the number is mapped to itself, and 1-cycles areoften referred to as fixed points. In the example above, there are two fixed points: 5and 8.

• It does not matter which number is written first in a cycle, as long as the cyclic order of the numbers is preserved. For example, (1347) = (4713), but (1347) ≠ (1437).

A cycle structure with a small number of long cycles is considered well suited for cipher design: a k-cycle is a product of k − 1 transpositions, so few long cycles means that many transpositions are present, and the permutation has no short orbits.

The fixed points of F are the elements of the set {x | F(x) = x}. The negated fixed points of F are the elements of the set {x | F(x) = x̄}, where x̄ is the bitwise complement of x, i.e. the vector resulting from adding 1 to each of its components.

A cryptographic primitive with a high number of fixed and/or negated fixed points isconsidered to be not well designed, since it lacks the needed randomness.


3.11.2 Library

The method used to obtain the Cycle Structure is the following:

void Cycle(NTL::vec_ZZ& v, VBF& F)

The following method prints the Cycle Structure, one row per cycle length, with two values separated by a comma: the first one is the cycle length and the second one is the number of cycles of that length.

void printCycle(NTL_SNS ostream& s, VBF& F)

The fixed points of F are obtained by this method:

NTL::mat_GF2 fixedpoints(VBF& F)

The negated fixed points of F are obtained by this method:

NTL::mat_GF2 negatedfixedpoints(VBF& F)

Example 3.11.1. The following program prints the cycle structure of a Vector Booleanfunction having as input its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
      return 1;
   }

   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Cycle Structure is:" << endl;
   printCycle(cout, F);     // one "length,count" row per cycle length

   cout << endl << "The fixed points are the following:" << endl;
   cout << fixedpoints(F) << endl;

   cout << endl << "The negated fixed points are the following:" << endl;
   cout << negatedfixedpoints(F) << endl;

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the programwould be the following:

The Cycle Structure is:
2,1
14,1

The fixed points are the following:[]

The negated fixed points are the following:
[[0 0 1 0]
 [0 1 1 1]]

which means that NibbleSub has one cycle of length 2 and one of length 14, no fixed points, and two negated fixed points, (0,0,1,0) and (0,1,1,1). This is because NibbleSub(0,0,1,0) = (1,1,0,1) and NibbleSub(0,1,1,1) = (1,0,0,0): for exactly these two inputs the output is the bitwise complement of the input.


Table 3.2 Cycle structure of NibbleSub.

Cycle length    Number of cycles
2               1
14              1

3.12 Permutation Vector

3.12.1 Description

If F is a Boolean permutation, that is, it is bijective and has the same number of input bits as output bits (n = m), then it can be defined as an array F = [F(1) . . . F(n)] where F(i) is the output bit position of input bit i of F.

3.12.2 Library

A VBF class can be initialized giving its permutation vector with the following method:

void putper(const NTL::vec_ZZ& v)

To obtain its representation as permutation vector, the following method must be used:

void PER(NTL::vec_ZZ& v, VBF& F)

Example 3.12.1. The following program finds out the Truth Table of a Vector Booleanfunction having as input its Permutation Vector:

[ 1 2 3 4 13 14 15 16 9 10 11 12 5 6 7 8 ]

For example, you can see bit 13 moves to bit 5, while bit 5 moves to bit 13.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::vec_ZZ a;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <permutation-vector-file>" << endl;
      return 1;
   }

   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> a;          // e.g. [ 1 2 3 4 13 14 15 16 9 10 11 12 5 6 7 8 ]
   F.putper(a);
   input.close();

   cout << "The Truth Table is:" << endl;
   cout << TT(F) << endl;

   return 0;
}

The first 10 lines of the output of the program would be the following:

The Truth Table is:
[[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0]

3.13 DES Representations

3.13.1 Description

The VBF library accepts two types of representations of DES [107] components:

1. Expansion and Compression DES permutations. This representation can be used both for the Compression Permutation in the Key Transformation of DES and for the Expansion Permutation of the Feistel function of the DES cipher. The Compression Permutation permutes the order of the bits and selects a subset of them. The Expansion Permutation expands the right half of the data, R_i, from 32 bits to 48 bits; because this operation changes the order of the bits as well as repeating certain bits, it is known as an expansion permutation. In both cases the vector lists, for each output bit position, the index of the input bit that is copied there.

2. DES S-box Substitution. Each S-box is a table of 4 rows and 16 columns, and each entry in the box is a 4-bit number. The 6 input bits of the S-box specify the row and the column at which to look for the output.

The input bits specify an entry in the S-box as follows: consider a 6-bit S-box input labelled b1, b2, b3, b4, b5 and b6. Bits b1 and b6 are combined to form a 2-bit number, from 0 to 3, which corresponds to a row in the table. The middle 4 bits, b2 through b5, are combined to form a 4-bit number, from 0 to 15, which corresponds to a column in the table.

For example, assume that the input to the first S-box (i.e. bits 1 to 6 of the XOR output) is 110011. The first and last bits combine to form 11, which corresponds to row 3 of the first S-box. The middle 4 bits combine to form 1001, which corresponds to column 9 of the same S-box. The entry under row 3, column 9 of S-box 1 is 11 (counting rows and columns from 0). The value 1011 is therefore substituted for 110011.

Figures 3.6 and 3.7 list the eight S-boxes used in DES. Each S-box replaces a 6-bit input with a 4-bit output. Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits, and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; noting that the first row is "00" and the first column is "0000", the corresponding output for S-box S5 would be "1001" (= 9), the value in the second row, 14th column.

3.13.2 Library

A VBF class can be initialized giving its Expansion and Compression DES permutationvector with the following method:

void putexp_comp(const NTL::vec_ZZ& v)

A VBF class can be initialized giving its DES-like S-box representation matrix with thefollowing method:

void putsbox(const NTL::mat_ZZ& S)


Fig. 3.6 S1,S2,S3,S4 DES S-boxes.

Fig. 3.7 S5,S6,S7,S8 DES S-boxes.


Example 3.13.1. The following program prints the Truth Table of a Expansion permutationand of the DES S1 S-box. The inputs are respectively the following:

[ 4 1 2 3 4 1 ]

[[14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7]
 [ 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8]
 [ 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0]
 [15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13]]

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G;
   NTL::vec_ZZ v;
   NTL::mat_ZZ S;

   if (argc < 3) {
      cerr << "Usage: " << argv[0] << " <permutation-file> <sbox-file>" << endl;
      return 1;
   }

   ifstream inputv(argv[1]);
   if (!inputv) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   inputv >> v;             // Expansion/Compression vector, e.g. [ 4 1 2 3 4 1 ]
   inputv.close();
   F.putexp_comp(v);

   ifstream inputS(argv[2]);
   if (!inputS) {
      cerr << "Error opening " << argv[2] << endl;
      return 1;
   }
   inputS >> S;             // 4 x 16 DES S-box table
   inputS.close();
   G.putsbox(S);

   cout << "The Truth Table of Expansion Permutation is:" << endl << TT(F) << endl;
   cout << endl << "The Truth Table of S1 DES S-box is:" << endl << TT(G) << endl;

   return 0;
}

The output of the program would be the following (only the first rows of the S1 Truth Table are printed, for space reasons):

The Truth Table of Expansion Permutation is:
[[0 0 0 0 0 0]
 [1 0 0 0 1 0]
 [0 0 0 1 0 0]
 [1 0 0 1 1 0]
 [0 0 1 0 0 0]
 [1 0 1 0 1 0]
 [0 0 1 1 0 0]
 [1 0 1 1 1 0]
 [0 1 0 0 0 1]
 [1 1 0 0 1 1]
 [0 1 0 1 0 1]
 [1 1 0 1 1 1]
 [0 1 1 0 0 1]
 [1 1 1 0 1 1]
 [0 1 1 1 0 1]
 [1 1 1 1 1 1]]

The Truth Table of S1 DES S-box is:
[[1 1 1 0]
 [0 0 0 0]
 [0 1 0 0]
 [1 1 1 1]
 [1 1 0 1]
 [0 1 1 1]
 [0 0 0 1]
 [0 1 0 0]
 [0 0 1 0]
 [1 1 1 0]
 [1 1 1 1]
 [0 0 1 0]
 [1 0 1 1]
 [1 1 0 1]
 [1 0 0 0]
 [0 0 0 1]
 ...
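The following Python program is an added example, not part of the thesis or of the VBF library, and serves both Example 3.12.1 and Example 3.13.1. It applies a DES-style bit-selection table (permutation vector, expansion or compression table) to an integer and performs a DES S-box lookup with the row/column rule of Section 3.13, then derives the Truth Table rows printed above. Tables are read in the DES convention, where output position i takes input bit table[i] (bit 1 being the most significant); for the block swap of Example 3.12.1, which is an involution, this agrees with the reading "input bit i goes to position F(i)". The S1 table is the one given as input above; all other names are local to the example.

```python
# Added example (not from the VBF library): DES-style bit-selection tables,
# DES S-box lookup and the resulting Truth Table rows.
PERM16 = [1, 2, 3, 4, 13, 14, 15, 16, 9, 10, 11, 12, 5, 6, 7, 8]   # Example 3.12.1
EXPAND = [4, 1, 2, 3, 4, 1]                                         # Example 3.13.1
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def bit(x, i, width):
    """1-based, MSB-first bit i of an integer of the given width."""
    return (x >> (width - i)) & 1


def bits(x, width):
    """Integer to the MSB-first bit list used for Truth Table rows."""
    return [bit(x, i, width) for i in range(1, width + 1)]


def check_table(table, in_width):
    """A table is usable only if every referenced input bit exists."""
    return all(1 <= src <= in_width for src in table)


def apply_table(table, x, in_width):
    """Output bit i is input bit table[i]: covers compression (fewer outputs),
    expansion (repeated inputs) and plain permutations alike."""
    out = 0
    for src in table:
        out = (out << 1) | bit(x, src, in_width)
    return out


def truth_table(func, in_width, out_width):
    """Rows of the Truth Table: output bits of func for x = 0, 1, 2, ..."""
    return [bits(func(x), out_width) for x in range(1 << in_width)]


def des_sbox(S, x6):
    """Row from the outer bits b1 b6, column from the inner bits b2..b5."""
    row = (bit(x6, 1, 6) << 1) | bit(x6, 6, 6)
    col = (x6 >> 1) & 0xF
    return S[row][col]


if __name__ == "__main__":
    assert check_table(EXPAND, 4) and check_table(PERM16, 16)
    for row in truth_table(lambda x: apply_table(EXPAND, x, 4), 4, 6):
        print(row)
    print(f"S1(110011) = {des_sbox(S1, 0b110011):04b}")   # row 3, column 9
    for row in truth_table(lambda x: des_sbox(S1, x), 6, 4)[:4]:
        print(row)
    # Input bit 5 of a 16-bit word lands at output position 13 under PERM16.
    print(bits(apply_table(PERM16, 1 << 11, 16), 16).index(1) + 1)
```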

3.14 Auxiliary Functions

In order to compute the matrices described above, some functions have been implemented which allow obtaining some of these matrices from others:

• A function whose input is an ANF table and its output is the Truth Table:

mat_GF2 rev(const mat_GF2& A, int n, int m)

• A function whose input is the Characteristic Function and its output is the Truth Table:

mat_GF2 truthtable(const mat_ZZ& C, int n, int m)

• A function whose input is the Truth Table and its output is the Characteristic Function:

mat_ZZ charfunct(const mat_GF2& T, int n, int m)

• A function whose input is the Walsh Spectrum and its output is the CharacteristicFunction (that is the Inverse Walsh Transform):

mat_ZZ invwt(const mat_ZZ& X, int n, int m).

• A matrix representing the linear combinations of Truth Table coordinate functions:

void LTT(NTL::mat_GF2& X, VBF& a).

• A matrix representing character form of Truth Table coordinate functions:

void CTT(NTL::mat_GF2& X, VBF& a).


3.15 Summary

Table 3.3 lists the member functions related to the methods of Vector Boolean function initialization. Table 3.4 lists the member functions related to the characterizations of Vector Boolean functions as described above. Most of the member functions of VBF have an inline definition; for instance, void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F).

Table 3.3 Representation of VBF.

SYNTAX (each followed by its DESCRIPTION)

void puttt(const NTL::mat_GF2& T)
    TT_F = T
void putHexTT(istream& s)
    VBF which has a hexadecimal representation of its Truth Table defined by s
void putBinTT(istream& s)
    VBF which has a binary representation of its Truth Table defined by s
void putDecTT(const NTL::vec_long& d, const long& m)
    VBF which has a decimal representation of its Truth Table defined by d, where m is the number of component Boolean functions
void putltt(const NTL::mat_GF2& L)
    LTT_F = L
void putctt(const NTL::mat_ZZ& C)
    CTT_F = C
void putirrpol(GF2X& g), void puttrace(string& f)
    Set F by its trace f and the irreducible polynomial g
void putpol(vec_pol& p)
    Set F with Polynomials in ANF equal to p
void putanf(const NTL::mat_GF2& A)
    ANF_F = A
void putchar(const NTL::mat_ZZ& C)
    Img(F) = C
void putwalsh(const NTL::mat_ZZ& W)
    WS(F) = W
void putaffine(const NTL::mat_GF2& A, const NTL::vec_GF2& b)
    F(x) = xA + b
void putper(const NTL::vec_ZZ& v)
    VBF which is a permutation defined by v
void putexp_comp(const NTL::vec_ZZ& v)
    VBF defined by the Expansion and Compression DES vector v
void putsbox(const NTL::mat_ZZ& S)
    VBF which is a DES S-Box defined by S


Table 3.4 Characterizations of VBF.

SYNTAX (each followed by its DESCRIPTION)

void TT(NTL::mat_GF2& X, VBF& F)
    X = TT_F
void getHexTT(ostream& s)
    s is the hexadecimal representation of the Truth Table of F
void getBinTT(ostream& s)
    s is the binary representation of the Truth Table of F
NTL::vec_long getDecTT() const
    Decimal representation of the Truth Table
long weight(VBF& F)
    Weight of F
void LTT(NTL::mat_GF2& X, VBF& F)
    X = LTT_F
void CTT(NTL::mat_ZZ& X, VBF& F)
    X = CTT_F
void Trace(GF2EX& f, VBF& F)
    F has a trace representation defined by f
void Pol(NTL_SNS ostream& s, VBF& F)
    s contains the Polynomials in ANF of F
void ANF(NTL::mat_GF2& X, VBF& F)
    X = ANF_F
void Charact(NTL::mat_ZZ& X, VBF& F)
    X = Img(F)
void Walsh(NTL::mat_ZZ& X, VBF& F)
    X = WS(F)
void LAT(NTL::mat_ZZ& X, VBF& F)
    X = LP(F)
void lp(NTL::RR& x, VBF& F)
    lp(F) = x
void linear(NTL_SNS ostream& s, VBF& F, ZZ& x)
    Linear relations associated with the value x of the Linear Profile of F
void ProbLin(NTL::RR& x, VBF& F, NTL::ZZ& w)
    Probability of the linear relations associated with the value w of the Linear Profile of F
void DAT(NTL::mat_ZZ& X, VBF& F)
    X = DP(F)
void dp(NTL::RR& x, VBF& F)
    dp(F) = x
void differential(NTL_SNS ostream& s, VBF& F, ZZ& x)
    Differential relations associated with the value x of the Differential Profile of F
void ProbDif(NTL::RR& x, VBF& F, NTL::ZZ& w)
    Probability of the characteristics associated with the value w of the Differential Profile of F
void AC(NTL::mat_ZZ& X, VBF& F)
    X = R(F)
NTL::mat_GF2 LS(VBF& F)
    Returns a matrix whose rows are the linear structures
void printFWH(NTL_SNS ostream& s, VBF& F)
    Frequency distribution of the absolute values of the Walsh Spectrum
void printFAC(NTL_SNS ostream& s, VBF& F)
    Frequency distribution of the absolute values of the Autocorrelation Spectrum
void Cycle(NTL::vec_ZZ& v, VBF& F)
    v is the Cycle Structure
void printCycle(NTL_SNS ostream& s, VBF& F)
    Print the Cycle Structure
NTL::mat_GF2 fixedpoints(VBF& F)
    Return the fixed points
NTL::mat_GF2 negatedfixedpoints(VBF& F)
    Return the negated fixed points
void PER(NTL::vec_ZZ& v, VBF& F)
    v is the permutation vector defined by F


Chapter 4

Cryptographic Criteria

This chapter defines some properties relevant for cryptographic applications and explains how to use the package to compute them. They are defined in relation to the representation or transform from which they are derived. These properties are either criteria or properties which provide useful information in cryptanalysis. Among the criteria we find nonlinearity, r-th order nonlinearity, linearity distance, balancedness, correlation immunity, resiliency (i.e. balancedness and correlation immunity), propagation criterion, global avalanche criterion, algebraic degree and algebraic immunity. Other properties described are the maximum possible nonlinearity or the maximum possible linearity distance achievable by a Vector Boolean function with the same number of inputs, and the type of function in terms of nonlinearity.

Figure 4.1 summarizes the relationships among several representations and the criteria studied in this chapter.

The representations which are Boolean matrices are coloured in red, those which are Integer matrices are coloured in blue, and the criteria are coloured in green.

In this chapter we apply VBF library methods to find out the cryptographic criteria of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of the cryptographic criteria of modern cryptographic algorithms apart from those described in this chapter.

4.1 Introduction

4.1.1 Definitions

Fig. 4.1 Relationships among representations and criteria of a Vector Boolean function.

A block cipher can be expressed as an interrelation of Vector Boolean functions. Thus, in the context of block cipher design, it is essential to define criteria which measure the cryptographic strength of Boolean functions and Vector Boolean functions. Ideally, some of the following requirements must be fulfilled by these criteria:

1. The principles of confusion and diffusion are enforced by the criterion [138] [143]. Confusion ensures that a complex relationship exists among the plaintext, the ciphertext and the key material. This notion has been extrapolated to mean that a significant reliance on some form of substitution is required as a source of this confusion. The confusion in a cipher is achieved through the use of nonlinear components. Diffusion dissipates the redundancy of the plaintext by spreading the influence of a single plaintext bit over many ciphertext bits (obtained by linear transformations). Both techniques make it more difficult for a cryptanalyst to find redundancy and statistical patterns in the ciphertext.

2. The criterion can be expressed in terms of a distance to an appropriate set S of cryptographically weak functions. Functions that exhibit properties common to cryptographically weak functions are also considered to be cryptographically weak [98].

3. The criterion should remain invariant under a certain group of transformations. This symmetry group should contain the group of affine transformations [98].

There exist two types of cryptographic criteria:

1. All-or-nothing criterion, meaning that the criterion informs about the presence or absence of some cryptographic weakness.

2. Characteristic, which is a criterion that can be satisfied at levels quantified by numbers.

4.1.2 Cryptographically Weak Functions

Definition 4.1.1. A function is considered to be cryptographically weak if it is easily breakable or it can be turned into a weak function by means of simple (e.g. linear or affine) transformations.

This definition is congruent with the notion of similar secrecy introduced by Shannon in [143], so that two functions R and S are said to be "similar" if there exists a fixed transformation A, with an inverse $A^{-1}$, such that R = AS. Hereunder are described the best known cryptographically weak functions.

• Linear and affine functions. The simultaneous complementation of a subset of the input variables causes the value of a linear function to always change (from the original value before complementation) or to never change.

• Functions with non-zero linear structures. Lai showed in [82] that if $f \in \mathcal{F}_n$ has k < n linearly independent vectors $b_1, \dots, b_k$ that are linear structures, then f can be mapped to $g \in \mathcal{F}_n$ via a linear transformation where:

$g(x_1, \dots, x_n) = m_1 x_1 + \dots + m_k x_k + g'(x_{k+1}, \dots, x_n)$ (4.1)

The main known cryptanalytic techniques on ciphers are conceived to exploit some cryptographic weakness. The cryptographic criteria that can be evaluated by means of the VBF class are described in the following sections.

4.2 Algebraic Degree

4.2.1 Description

Cryptographic algorithms using Boolean functions to achieve confusion in a cipher (S-boxes in block ciphers, combining or filtering functions in stream ciphers) can be attacked if the functions have low algebraic degree. The algebraic degree is a good indicator of the function's algebraic complexity. The higher the degree of a function, the greater its algebraic complexity. The higher order differential attack [83] exploits the fact that the algebraic degree of the S-box is low.

Definition 4.2.1. The algebraic degree of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the algebraic degrees of all component functions of F [113], namely:

$\deg(F) = \min_{g} \left\{ \deg(g) \;\middle|\; g = \sum_{j=1}^{m} v_j f_j,\ v \neq 0 \in V_m \right\}$ (4.2)

where the algebraic order or degree of a Boolean function is the order of the largest product term in the ANF. This criterion is obtained by generating the ANF table and then analyzing the degree of all the component functions.

Functions with algebraic degree less than or equal to 1 are called affine. A non-constant affine function for which F(0) = 0 is called linear. We refer to functions of degree two as quadratic and functions of degree three as cubic.

The following property was proved in [96]:

Theorem 4.2.1. Any two distinct $f, g \in \mathcal{F}_n$ of algebraic degrees at most r have mutual distance at least $2^{n-r}$.

4.2.2 Library

The method used to obtain this criterion is the following:

void deg(int& d, VBF& F)

Example 4.2.1. The following program provides the algebraic degree of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    // The Truth Table is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The algebraic degree of the function is "
         << deg(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input we will find out that its algebraic degree is 2.

Figure 4.2 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in red the ANF terms of degree 4. As we can see there are no terms of degree 4 in any of the component functions of NibbleSub.

Fig. 4.2 Algebraic Degree of NibbleSub: Degree 4.

Figure 4.3 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in blue the ANF terms of degree 3. As we can see there are no terms of degree 3 in one of the component functions of NibbleSub, which is marked in yellow.

Fig. 4.3 Algebraic Degree of NibbleSub: Degree 3.

Figure 4.4 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in orange the ANF terms of degree 2. As we can see there are always terms of degree 2 in all the component functions of NibbleSub. Because of this, the algebraic degree of NibbleSub is 2.

Fig. 4.4 Algebraic Degree of NibbleSub: Degree 2.

Example 4.2.2. The following program illustrates some of the properties described in tables 4.4 and 4.5.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <ANF-polynomial-file>" << endl;
        return 1;
    }
    // The polynomial (ANF) representation is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> p;
    F.putpol(p);
    input.close();

    cout << "Frequency distribution of the absolute values of the Walsh Spectrum:" << endl;
    printFWH(cout, F);
    cout << endl;

    cout << "The algebraic degree of the function is "
         << deg(F) << endl;

    cout << "The weight of the function is " << weight(F) << endl;

    return 0;
}

If we use the following 7-variable Boolean function as input:

$f(x_1, \dots, x_7) = x_1 x_2 x_3 x_4 x_5 + x_1 x_3 x_7 + x_1 x_2 + x_3 x_4 + x_5 x_6$

the output of the program would be the following:

Frequency distribution of the absolute values of the Walsh Spectrum:
(0,40),(8,32),(16,56)

The algebraic degree of the function is 5
The weight of the function is 56

We can see that the Walsh Spectrum takes exactly 3 absolute values: 0, 8, 16. All of them are divisible by $2^3$. By the divisibility property of the Walsh coefficients, f has algebraic degree at most 7 − 3 + 1 = 5. In this case the algebraic degree of 5 is attained. The Walsh divisibility property is described in Table 4.5.

We can notice that the weight of f is 56. As stated in the weight property (see Table 4.4), this value is a multiple of $2^{\lfloor (7-1)/5 \rfloor} = 2$.
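As an added example (not code from the VBF library or from the thesis), the following C++ program recomputes the three quantities printed above from the function's ANF using only the standard library: the ANF via the Möbius transform (for the algebraic degree), the Hamming weight, and the Walsh spectrum via the fast Walsh-Hadamard transform (for the frequency distribution and for the divisibility bound deg(f) ≤ n − k + 1 when 2^k divides every coefficient). The helper names and the monomial-mask encoding of the ANF are this example's own conventions; the bent function x1x2 + x3x4 is included as a second constructed input.

```cpp
// Added example, not VBF library code: algebraic degree, weight and Walsh spectrum of a
// Boolean function with the C++ standard library only.
// Convention: variable x_{i+1} is bit i of the truth-table index / monomial mask.
#include <algorithm>
#include <cstdlib>
#include <map>
#include <vector>

typedef std::vector<int> TT;  // truth table of a Boolean function: 2^n entries in {0,1}

static int hw(unsigned x) { int c = 0; for (; x; x &= x - 1) ++c; return c; }

// Truth table from an ANF given as a list of monomial masks (mask 0 is the constant 1).
TT tt_from_anf(int n, const std::vector<unsigned>& monomials) {
    TT tt(1u << n, 0);
    for (unsigned x = 0; x < tt.size(); ++x)
        for (unsigned m : monomials) tt[x] ^= ((x & m) == m);
    return tt;
}

// Moebius transform: truth table -> ANF coefficients (index = monomial mask).
TT anf_from_tt(TT a) {
    for (size_t s = 1; s < a.size(); s <<= 1)
        for (size_t i = 0; i < a.size(); ++i)
            if (i & s) a[i] ^= a[i ^ s];
    return a;
}

// Algebraic degree: size of the largest monomial present in the ANF (0 for a constant).
int degree(const TT& tt) {
    TT anf = anf_from_tt(tt);
    int d = 0;
    for (size_t m = 0; m < anf.size(); ++m)
        if (anf[m]) d = std::max(d, hw((unsigned)m));
    return d;
}

int weight(const TT& tt) { int w = 0; for (int b : tt) w += b; return w; }

// Walsh transform chi_f(u) = sum_x (-1)^{f(x) + u.x} by the fast Walsh-Hadamard butterfly.
std::vector<long> walsh(const TT& tt) {
    std::vector<long> w(tt.size());
    for (size_t x = 0; x < tt.size(); ++x) w[x] = tt[x] ? -1 : 1;
    for (size_t s = 1; s < w.size(); s <<= 1)
        for (size_t i = 0; i < w.size(); i += 2 * s)
            for (size_t j = i; j < i + s; ++j) {
                long a = w[j], b = w[j + s];
                w[j] = a + b;
                w[j + s] = a - b;
            }
    return w;
}

// Frequency distribution of |chi_f(u)|, i.e. what printFWH reports on the page.
std::map<long, int> walsh_abs_distribution(const TT& tt) {
    std::map<long, int> dist;
    for (long v : walsh(tt)) ++dist[std::labs(v)];
    return dist;
}

// Walsh divisibility property: if 2^k divides every Walsh coefficient, deg(f) <= n - k + 1.
int degree_bound_from_walsh(int n, const TT& tt) {
    int k = n + 1;  // 2-adic valuation shared by all nonzero coefficients
    for (long w : walsh(tt)) {
        if (w == 0) continue;
        int v = 0;
        for (long t = std::labs(w); (t & 1) == 0; t >>= 1) ++v;
        k = std::min(k, v);
    }
    return n - k + 1;
}

// Constructed inputs: the 7-variable function of Example 4.2.2 and the bent function
// x1x2 + x3x4 (monomial masks: x1x2x3x4x5 = 0x1F, x1x3x7 = 0x45, x1x2 = 0x03, ...).
TT example_f7() { return tt_from_anf(7, {0x1F, 0x45, 0x03, 0x0C, 0x30}); }
TT bent_x1x2_x3x4() { return tt_from_anf(4, {0x3, 0xC}); }
```

For example_f7() the functions return degree 5, weight 56 and the distribution {0: 40, 8: 32, 16: 56}, exactly the values printed above, and degree_bound_from_walsh() gives 7 − 3 + 1 = 5; for bent_x1x2_x3x4() the degree is 2 and the weight 6.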

4.3 Nonlinearity

4.3.1 Description

In order to provide confusion, cryptographic functions must lie at a large Hamming distance from all affine functions. Because of Parseval's Relation 3.6.8, any Vector Boolean function has correlation with some affine functions of its input. This correlation should be small: the existence of affine approximations of the Boolean functions involved in a cipher allows attacks to be built on the system (see [91] for block ciphers and [17] for stream ciphers).

Definition 4.3.1. The nonlinearity of a Boolean function $f \in \mathcal{F}_n$ is defined as the Hamming distance between f and the subspace of affine functions [121]:

$NL(f) = d(f, A_n)$ (4.3)


Definition 4.3.2. The nonlinearity of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the nonlinearities of all component functions of F [113]:

$NL(F) = \min_{v \neq 0} NL(v \cdot F), \quad v = (v_1, \dots, v_m) \in V_m$ (4.4)

The nonlinearity of F can be expressed in terms of the Walsh coefficients by the following theorem:

Theorem 4.3.1. Let $F \in \mathcal{F}_{n,m}$; the nonlinearity of F can be calculated in terms of the maximum of the absolute values of its Walsh Spectrum, without taking into account the elements of its first row and first column, as follows:

$NL(F) = 2^{n-1} - \frac{1}{2} \max_{u \neq 0,\, v \neq 0} \left( WS(F)(u,v) \right)$ (4.5)

Proof.

$NL(F) = \min_{v = (v_1, \dots, v_m) \neq 0} NL(v \cdot F) = 2^{n-1} - \frac{1}{2} \max_{u \neq 0,\, v \neq 0} |\chi_{v \cdot F}(u)| = 2^{n-1} - \frac{1}{2} \max_{u \neq 0,\, v \neq 0} |\theta_F(u,v)| = 2^{n-1} - \frac{1}{2} \max_{u \neq 0,\, v \neq 0} \left( WS(F)(u,v) \right)$

Corollary 4.3.2. Let $f \in \mathcal{F}_n$; the nonlinearity of f can be expressed in terms of its Walsh transform as follows:

$NL(f) = 2^{n-1} - \frac{1}{2} \max_{u \in V_n,\, u \neq 0} |\chi_f(u)|$ (4.6)

Definition 4.3.3. The spectral radius of a Boolean function $f \in \mathcal{F}_n$ is $r(f) = \max_{u \in V_n,\, u \neq 0} |\chi_f(u)|$.

This criterion is a measure of the distance between a Vector Boolean function and all affine Vector Boolean functions. If this distance is small, it is possible to build affine approximations of the Vector Boolean functions involved in a cipher and mount attacks (called linear attacks) on a block cipher [92]. In the case of stream ciphers, these attacks are called fast correlation attacks. Thus, this property is useful to assess the resistance of a Vector Boolean function to linear attacks (including correlation attacks), i.e., attacks where the function F is approximated by an affine function.

It is well known that the maximum nonlinearity of Boolean functions $f \in \mathcal{F}_n$ coincides with the covering radius of the first order binary Reed-Muller code RM(1,n) [39]. Many results on the covering radius of RM(1,n) have direct application to the nonlinearity. The nonlinearity of a Boolean function is bounded above by $2^{n-1} - 2^{\frac{n}{2}-1}$ [128], which is achieved by bent functions, which only exist for n even. For n odd, it lies between $2^{n-1} - 2^{\frac{n-1}{2}}$ and $2^{n-1} - 2^{\frac{n+1}{2}}$. It has been shown that it is equal to $2^{n-1} - 2^{\frac{n-1}{2}}$ when n = 1, 3, 5, 7 (see [56] for n = 1, 3, 5 by exhaustive search, and [106], [53] for n = 7 by theoretical proof) and is strictly greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ for n ≥ 15 [118], [119]. The best upper bound known for an odd number of input variables n is $2 \lfloor 2^{n-2} - 2^{\frac{n}{2}-2} \rfloor$ [54]. The value of the maximum nonlinearity for certain odd values of n is summarized in the following table:

Table 4.1 Maximum nonlinearity of Boolean functions for n odd.

n             3    5    7    9          11         13                15
Benchmark     2   12   56   242 [79]   996 [79]   4040 [89] [78]   16276 [118] [119] [133]
Upper Bound   2   12   56   244        1000       4050             16292

For Vector Boolean functions, Nyberg showed in [112] that the upper bound on the nonlinearity can only be attained if n ≥ 2m and n is even. The corresponding functions are called bent S-boxes:

$NL(F) \le 2^{n-1} - 2^{\frac{n}{2}-1}$ (4.7)

This bound will be called the covering radius bound (since this is the value of the covering radius of the Reed-Muller code of order 1 if n is even).

If 2m > n, an upper bound was defined by Chabaud and Vaudenay in [29]; it is called the Sidelnikov-Chabaud-Vaudenay bound:

Theorem 4.3.3. Let n and m be any positive integers such that m ≥ n − 1. Let $F \in \mathcal{F}_{n,m}$; then:

$NL(F) \le 2^{n-1} - \frac{1}{2} \sqrt{3 \times 2^{n} - 2 - 2\,\frac{(2^n - 1)(2^{n-1} - 1)}{2^m - 1}}$ (4.8)

We can define several types of Vector Boolean functions in terms of nonlinearity:

1. Linear, if its nonlinearity is equal to 0.

2. An $F \in \mathcal{F}_{n,n}$ with n odd which achieves the bound of Theorem 4.3.3 with equality is called almost bent (AB). It holds that $NL(F) = 2^{n-1} - 2^{\frac{n-1}{2}}$ (n odd).

3. An $F \in \mathcal{F}_{n,m}$ is called bent if it achieves the covering radius bound (equation (4.7)) with equality.


4.3.2 Library

The method used to obtain the nonlinearity of a Vector Boolean function is the following:

void nl(NTL::RR& x, VBF& F)

The method used to obtain the spectral radius of a Vector Boolean function is thefollowing:

void SpectralRadius(NTL::ZZ& x, VBF& F)

The method used to obtain the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

NTL::RR nlmax(VBF& F)

The method used to obtain the type of function in terms of nonlinearity is the following:

void typenl(int& typenl, VBF& F)

Example 4.3.1. The following program provides the nonlinearity of a Vector Boolean function given its Truth Table, together with the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    // The Truth Table is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The spectral radius of the function is " << SpectralRadius(F) << endl;
    cout << "The nonlinearity of the function is " << nl(F) << endl;
    cout << "The maximum nonlinearity that can be achieved by a Vector Boolean function "
            "with the same dimensions is " << nlmax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The spectral radius of the function is 12
The nonlinearity of the function is 2
The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is 5

Figure 4.5 represents the Walsh Spectrum of NibbleSub and emphasizes in blue its maximum absolute values.

From the definition we have $NL(\mathrm{NibbleSub}) = 2^{4-1} - \frac{1}{2} \cdot 12 = 2$.

Fig. 4.5 Nonlinearity of NibbleSub.

Example 4.3.2. The following program provides the nonlinearity of a Vector Boolean function given its polynomial representation in ANF, together with the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits, and the type of function in terms of nonlinearity.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <ANF-polynomial-file>" << endl;
        return 1;
    }
    // The polynomial (ANF) representation is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> p;
    F.putpol(p);
    input.close();

    cout << "The nonlinearity of the function is " << nl(F) << endl;
    cout << "The maximum nonlinearity that can be achieved by a Vector Boolean function "
            "with the same dimensions is " << nlmax(F) << endl;

    int type;
    typenl(type, F);
    if (type == BENT) {
        cout << "It is a bent function" << endl;
    } else if (type == ALMOST_BENT) {
        cout << "It is an almost bent function" << endl;
    } else if (type == LINEAR) {
        cout << "It is a linear function" << endl;
    }

    return 0;
}

If we use $x_1 x_2 + x_3 x_4$ as input, the output would be the following:

The nonlinearity of the function is 6
The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is 6
It is a bent function

As the nonlinearity of this Boolean function is maximal, it is a bent function.
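The following C++ program is an added example (not VBF library code) that computes the nonlinearity of a vector Boolean function as in Theorem 4.3.1, the bounds (4.7) and (4.8), and the nonlinearity type of Example 4.3.2, for the bent function x1x2 + x3x4, a linear function and, going beyond the inputs used above, the cube map x ↦ x³ over GF(2³) as a classical almost bent (3,3) S-box. Walsh coefficients are evaluated directly from their definition, which is adequate for these small n; the names VBFun, theta, nl_bound, nl_type and the constructed inputs are this example's own.

```cpp
// Added example, not VBF library code: nonlinearity, spectral radius, the bounds (4.7)/(4.8)
// and the nonlinearity type of a vector Boolean function.
// Convention: variable x_{i+1} is bit i of the input index / monomial mask.
#include <algorithm>
#include <cmath>
#include <cstdlib>
#include <vector>

static int hw(unsigned x) { int c = 0; for (; x; x &= x - 1) ++c; return c; }

// Vector Boolean function F: V_n -> V_m as a lookup table of m-bit outputs.
struct VBFun { int n, m; std::vector<unsigned> out; };

// theta_F(u, v) = sum_x (-1)^{v.F(x) + u.x}: the Walsh coefficient of the component v.F at u.
long theta(const VBFun& F, unsigned u, unsigned v) {
    long s = 0;
    for (size_t x = 0; x < F.out.size(); ++x)
        s += ((hw(F.out[x] & v) ^ hw((unsigned)x & u)) & 1) ? -1 : 1;
    return s;
}

// Spectral radius: max |theta_F(u,v)| over all u and all v != 0 (the v = 0 column is left out).
long spectral_radius(const VBFun& F) {
    long r = 0;
    for (unsigned v = 1; v < (1u << F.m); ++v)
        for (unsigned u = 0; u < F.out.size(); ++u) r = std::max(r, std::labs(theta(F, u, v)));
    return r;
}

// Theorem 4.3.1: NL(F) = 2^{n-1} - (1/2) * spectral radius.
long nonlinearity(const VBFun& F) { return (1L << (F.n - 1)) - spectral_radius(F) / 2; }

// Bound reachable with these dimensions: the covering radius bound (4.7) when n is even and
// n >= 2m, otherwise the Sidelnikov-Chabaud-Vaudenay bound (4.8). For a 4x4 S-box (4.8)
// gives about 5.17, consistent with the 5 printed by nlmax() in Example 4.3.1.
double nl_bound(int n, int m) {
    double N = std::pow(2.0, n);
    if (n % 2 == 0 && n >= 2 * m) return N / 2 - std::pow(2.0, n / 2.0 - 1);
    double inner = 3 * N - 2 - 2 * (N - 1) * (N / 2 - 1) / (std::pow(2.0, m) - 1);
    return N / 2 - 0.5 * std::sqrt(inner);
}

enum NLType { OTHER, LINEAR, BENT, ALMOST_BENT };

// Type by nonlinearity as on the page: linear (NL = 0), bent (n even, covering radius bound
// met with equality), almost bent (n = m odd, NL = 2^{n-1} - 2^{(n-1)/2}).
NLType nl_type(const VBFun& F) {
    long nl = nonlinearity(F), half = 1L << (F.n - 1);
    if (nl == 0) return LINEAR;
    if (F.n % 2 == 0 && nl == half - (1L << (F.n / 2 - 1))) return BENT;
    if (F.n % 2 == 1 && F.n == F.m && nl == half - (1L << ((F.n - 1) / 2))) return ALMOST_BENT;
    return OTHER;
}

// Constructed inputs: a Boolean function from its ANF monomial masks as an (n,1) VBFun, and
// the cube map x -> x^3 over GF(2^3) modulo x^3 + x + 1, a classical almost bent (3,3) S-box.
VBFun boolean_vbf(int n, const std::vector<unsigned>& monomials) {
    VBFun F{n, 1, std::vector<unsigned>(1u << n, 0)};
    for (unsigned x = 0; x < F.out.size(); ++x)
        for (unsigned m : monomials) F.out[x] ^= ((x & m) == m);
    return F;
}
static unsigned gf8_mul(unsigned a, unsigned b) {
    unsigned r = 0;
    for (int i = 0; i < 3; ++i) { if (b & 1) r ^= a; b >>= 1; a <<= 1; if (a & 8) a ^= 0xB; }
    return r;
}
VBFun cube_sbox() {
    VBFun F{3, 3, std::vector<unsigned>(8)};
    for (unsigned x = 0; x < 8; ++x) F.out[x] = gf8_mul(x, gf8_mul(x, x));
    return F;
}
```

For boolean_vbf(4, {0x3, 0xC}) (that is, x1x2 + x3x4) the program finds spectral radius 4, nonlinearity 6 = nl_bound(4, 1) and type BENT, reproducing the output above; boolean_vbf(2, {0x1, 0x2}) is LINEAR with nonlinearity 0; and cube_sbox() has nonlinearity 2, meeting the Sidelnikov-Chabaud-Vaudenay bound nl_bound(3, 3) = 2 with equality, so it is ALMOST_BENT.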

4.4 r-th Order Nonlinearity

4.4.1 Description

As well as the affine functions, we can consider that functions with low algebraic degree are weak functions from the cryptographic point of view. A criterion can be defined in terms of the Hamming distance to the Reed-Muller code of order r (r < n).

Definition 4.4.1. For every positive integer r, the r-th order nonlinearity of a Vector Boolean function F is the minimum r-th order nonlinearity of its component functions. The r-th order nonlinearity of a Boolean function equals its minimum Hamming distance to functions of algebraic degree at most r (see [25] for details).

$NL_r(F) = \min_{v \neq 0 \in V_m} NL_r(v \cdot F) = \min_{v \neq 0 \in V_m}\ \min_{f \in \mathcal{F}_n,\ \deg(f) \le r} d(f, v \cdot F)$ (4.9)

Computing the r-th order nonlinearity is not an easy task for r ≥ 2. Unlike the first-order nonlinearity, there are no efficient algorithms to compute second-order nonlinearities for n ≥ 11. The VBF library employs a naive exhaustive search for this purpose.


4.4.2 Library

The method used to obtain this criterion is the following:

void nlr(long& x, VBF& F, int r)

This method returns -1 if the number of functions to check is too large (greater than the maximum value of a long int variable).

Example 4.4.1. The following program provides the 2-nd order nonlinearity of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;
    long a;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    // The Truth Table is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> T;
    F.puttt(T);
    input.close();

    nlr(a, F, 2);   // a = -1 if the search space is too large
    cout << "The 2-nd order nonlinearity of the function is "
         << a << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The 2-nd order nonlinearity of the function is 0

As we saw in Example 4.2.1, this result is consistent with the fact that its algebraic degree is 2.
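An added example (not the library's nlr() implementation) of the exhaustive search described in Section 4.4.1: it enumerates every ANF of degree at most r on n variables and takes the minimum Hamming distance to each nonzero component function, returning -1 when the candidate space exceeds a cap, in the spirit of the -1 convention of nlr() above. The cap value, the helper names and the constructed inputs are assumptions of this example; the inputs exercise the boundary cases of Theorem 4.2.1 as well (a degree-3 function at distance exactly 2^{4-3} = 2 from the degree-2 functions).

```cpp
// Added example, not VBF library code: r-th order nonlinearity by naive exhaustive search.
// NL_r(F) = min over nonzero components v.F of the Hamming distance to any function of degree <= r.
// Convention: variable x_{i+1} is bit i of the input index / monomial mask.
#include <algorithm>
#include <vector>

static int hw(unsigned x) { int c = 0; for (; x; x &= x - 1) ++c; return c; }

// Vector Boolean function F: V_n -> V_m as a lookup table of m-bit outputs.
struct VBFun { int n, m; std::vector<unsigned> out; };

// Truth table of the component function v.F (parity of the masked output).
std::vector<int> component(const VBFun& F, unsigned v) {
    std::vector<int> tt(F.out.size());
    for (size_t x = 0; x < tt.size(); ++x) tt[x] = hw(F.out[x] & v) & 1;
    return tt;
}

// NL_r(F). Returns -1 when the candidate space 2^{#monomials} exceeds the cap
// (mirrors the -1 convention of nlr() on the page; the cap value is this example's choice).
long nlr(const VBFun& F, int r, int max_monomials = 20) {
    size_t N = F.out.size();
    std::vector<unsigned> monos;                 // all monomials of degree <= r
    for (unsigned mk = 0; mk < N; ++mk) if (hw(mk) <= r) monos.push_back(mk);
    if ((int)monos.size() > max_monomials) return -1;
    long best = (long)N;
    for (unsigned v = 1; v < (1u << F.m); ++v) {
        std::vector<int> target = component(F, v);
        // c selects a subset of monomials, i.e. one ANF g of degree <= r.
        for (unsigned long c = 0; c < (1ul << monos.size()); ++c) {
            long dist = 0;
            for (size_t x = 0; x < N && dist < best; ++x) {   // stop once g cannot improve
                int g = 0;
                for (size_t k = 0; k < monos.size(); ++k)
                    if ((c >> k) & 1) g ^= ((x & monos[k]) == monos[k]);
                dist += (g != target[x]);
            }
            best = std::min(best, dist);
        }
    }
    return best;
}

// Constructed input: a Boolean function from its ANF monomial masks as an (n,1) VBFun.
VBFun boolean_vbf(int n, const std::vector<unsigned>& monomials) {
    VBFun F{n, 1, std::vector<unsigned>(1u << n, 0)};
    for (unsigned x = 0; x < F.out.size(); ++x)
        for (unsigned m : monomials) F.out[x] ^= ((x & m) == m);
    return F;
}
```

With n = 4 the search over 2^11 candidate functions of degree at most 2 is instantaneous: x1x2 + x3x4 has NL_1 = 6 (its nonlinearity) but NL_2 = 0, just as NibbleSub above has NL_2 = 0 because its degree is 2; x1x2x3 has NL_2 = 2 and x1x2x3x4 has NL_2 = 1, while a 5-variable request with r = 3 (26 monomials) is refused with -1.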

4.5 Balancedness

4.5.1 Description

The output of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ used in a cipher must be uniformly distributed over $V_m$ to avoid statistical dependence between the plaintext and the ciphertext (which can be used in attacks).

Definition 4.5.1. $F \in \mathcal{F}_{n,m}$ is balanced (or has balanced output) if each possible output m-tuple occurs with equal probability $2^{-m}$. This criterion can be evaluated from the Walsh Spectrum in the following way:

$\theta_F(0, v) = 0, \quad \forall v \neq 0 \in V_m$ (4.10)

Theorem 4.5.1. [122] $f \in \mathcal{F}_n$ is balanced if and only if the Walsh coefficient at 0 is zero:

$f \text{ is balanced} \iff \chi_f(0) = 0$ (4.11)

Proof.

$f \text{ is balanced} \iff \#\{x \in V_n \mid f(x) = 0\} = \#\{x \in V_n \mid f(x) = 1\} \iff \#\{x \in V_n \mid \chi_f(x) = 1\} = \#\{x \in V_n \mid \chi_f(x) = -1\} = 2^{n-1}$

so that:

$\chi_f(0) = \sum_{x \in V_n} \chi_f(x) = 1 \cdot 2^{n-1} + (-1) \cdot 2^{n-1} = 0$

Theorem 4.5.2. [122] $F \in \mathcal{F}_{n,m}$ is balanced if and only if the first row of its Walsh Spectrum has all its elements equal to zero except for the first entry:

$F \text{ is balanced} \iff \theta_F(0, v) = 0, \quad \forall v \neq 0 \in V_m$ (4.12)

Proof.

$F \text{ is balanced} \iff \sum_{i=1}^{m} v_i f_i \text{ is balanced},\ \forall v \neq 0 \in V_m \iff \chi_{\sum_{i=1}^{m} v_i f_i}(0) = 0,\ \forall v \neq 0 \in V_m \iff \chi_{v \cdot F}(0) = 0,\ \forall v \neq 0 \in V_m \iff \theta_F(0, v) = 0,\ \forall v \neq 0 \in V_m$

Definition 4.5.2. The imbalance of a Boolean function is defined to be

$I(f) = |wt(f) - 2^{n-1}| = 2^{n-1} |C(f, 0)|$ (4.13)

where 0 indicates the constant zero Boolean function.

Imbalance is defined as the minimum Hamming distance to a balanced function and is therefore directly proportional to the magnitude of the correlation with the constant zero Boolean function. Thus, when the imbalance is zero, the function is balanced. Balancedness is a fundamental cryptographic criterion, as an imbalanced function has suboptimal unconditional entropy, i.e. it is correlated to a constant function.

The significance of the balancedness criterion is that the higher the magnitude of a function's imbalance (deviation from a uniform distribution of outputs), the more likely it is that a high-probability linear approximation can be obtained. This, in turn, represents a weakness in the function in terms of linear cryptanalysis (see section 3.7). In particular, a large imbalance may enable the function to be easily approximated by a constant function.

The total number of balanced S-boxes with n input bits and m output bits is given by [140]:

$B(n,m) = \frac{(2^n)!}{\left((2^{n-m})!\right)^{2^m}}, \quad n \ge m$ (4.14)

4.5.2 Library

This criterion can only take the values 0 (meaning F is not balanced) or 1 (meaning F is balanced). The method used to obtain this criterion is the following:

void Bal(int& bal, VBF& F)

and there is also an inline function:

inline int Bal(VBF& a)

Example 4.5.1. The following program finds out if a Vector Boolean function is balanced given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    // The Truth Table is read from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;   // nonzero exit status on failure
    }
    input >> T;
    F.puttt(T);
    input.close();

    if (Bal(F)) {
        cout << "It is a balanced function" << endl;
    } else {
        cout << "It is not a balanced function" << endl;
    }

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

It is a balanced function

The NibbleSub S-box described in Table 2.1 is balanced, as each possible 4-tuple occurs with equal probability $\frac{1}{2^4}$. Figure 4.6 represents the Walsh Spectrum of NibbleSub and emphasizes in red the first row.


Fig. 4.6 Balancedness of NibbleSub.

As all the values of the first row of the Walsh Spectrum are 0 except for the one at $0 \in V_4$, we can conclude that NibbleSub is balanced.

4.6 Correlation Immunity

4.6.1 Description

In stream cipher applications, it is vital that the Boolean function used as the combining function has certain properties. In addition to being balanced and possessing high nonlinearity and high algebraic degree, the function should have correlation immunity greater than zero to resist a divide-and-conquer attack [145].

This criterion describes the extent to which the input values of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be guessed given the output value. Equivalently, we can say that F is t-CI if its output distribution does not change when we fix t variables $x_i$ of its input.

Example 4.6.1. An example of a Boolean function with low correlation immunity is the function $f(x_1, \dots, x_n) = x_1 \cdots x_n$. If the output is 1, then we know for sure that the input bit values are all 1.

Interest in this criterion came from the discovery by Siegenthaler [145] in 1984 of an attack on pseudo-random generators using combining functions (used in stream ciphers), called a correlation attack. This attack is based on the idea of finding correlation between the outputs and the inputs, that is, finding S-boxes with low resiliency.

Definition 4.6.1. A function $f \in \mathcal{F}_n$ is $t$-CI if and only if, for every set $S$ of $t$ variables, $1 \le t \le n$, given the value of $f$, the probability that $S$ takes on any of its $2^t$ assignments of values to the $t$ variables is $1/2^t$. If $f$ is $t$-CI and balanced, then it is $t$-resilient.

Definition 4.6.2. [158] $f \in \mathcal{F}_n$ is said to be $t$-CI if for each linear function $l_u = u_1 x_1 + \cdots + u_n x_n$ with $1 \le wt(u) \le t$, $f + l_u$ is balanced.

Definition 4.6.3. [32] $F \in \mathcal{F}_{n,m}$ is a $t$-CI function (or $(n,m,t)$-CI function) if and only if every component function of $F$ is a $t$-CI function. $F$ is said to be $t$-resilient (or an $(n,m,t)$-resilient function) if it is balanced and $t$-CI.

Theorem 4.6.1. [158] Let $f \in \mathcal{F}_n$ and $t \in \{1, \ldots, n-1\}$. $f$ is correlation immune (CI) of order $t$ if and only if its Walsh coefficients at the nonzero vector indexes of weight at most $t$ are zero:

$$f \text{ is a } t\text{-CI function} \iff \chi_f(u) = 0, \quad \forall u \in V_n,\ 1 \le wt(u) \le t \qquad (4.15)$$

$f$ can also be denoted as an $(n,1,t)$-CI function.

Proof. The sign vector of $f + l_u$ is the pointwise product of the sign vectors of $f$ and $l_u$, so the Walsh coefficient of $f + l_u$ at $0$ is the Walsh coefficient of $f$ at $u$:

$$\chi_{f+l_u}(0) = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} = \chi_f(u).$$

Hence, by Definition 4.6.2,

$$f \text{ is a } t\text{-CI function} \iff f + l_u \text{ is balanced},\ \forall u \in V_n,\ 1 \le wt(u) \le t \iff \chi_{f+l_u}(0) = 0 \iff \chi_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t.$$

Theorem 4.6.2. Let $F \in \mathcal{F}_{n,m}$ and $t \in \{1, \ldots, n-1\}$. $F$ is a correlation immune Vector Boolean function of order $t$ if and only if its Walsh Spectrum entries at the nonzero input indexes of weight at most $t$ are zero for every nonzero output mask:

$$F \text{ is a } t\text{-CI function} \iff \theta_F(u,v) = 0, \quad \forall u \in V_n,\ 1 \le wt(u) \le t,\ \forall v \ne 0 \in V_m \qquad (4.16)$$

$F$ can also be denoted as an $(n,m,t)$-CI function.

Proof.

$$F \text{ is a } t\text{-CI function} \iff \sum_{i=1}^{m} v_i f_i \text{ is a } t\text{-CI function},\ \forall v \ne 0 \in V_m \iff \chi_{\sum_{i=1}^{m} v_i f_i}(u) = 0 \iff \chi_{v \cdot F}(u) = 0 \iff \theta_F(u,v) = 0,$$

for all $u \in V_n$ with $1 \le wt(u) \le t$ and all $v \ne 0 \in V_m$. As $\theta_F(u,0) = \chi_0(u) = 2^n \delta(u) = 0$ for all $u \ne 0 \in V_n$, the restriction $v \ne 0$ can be relaxed.

From the definition of resiliency we can derive that a balanced Vector Boolean function can be interpreted as a 0-resilient function.

The following theorem from [134] provides a divisibility result of significance in the analysis of resilient Boolean functions.

Theorem 4.6.3. Let $f$ be a $t$-resilient Boolean function of $n$ variables. Then $\chi_f(u) \equiv 0 \pmod{2^{t+2}}$ for every $u \in V_n$.

4.6.2 Library

The method used to obtain this criterion is the following:

void CI(int& t, VBF& F)

Example 4.6.2. The following program provides the order of correlation immunity of a Vector Boolean function given its polynomial in ANF.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;
    int t;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <anf-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> p;          // polynomial in ANF
    F.putpol(p);         // build the Vector Boolean function from its ANF
    input.close();

    t = CI(F);           // order of correlation immunity (Theorem 4.6.2)
    cout << "It is a (" << F.n() << "," << F.m()
         << "," << t << ")-CI function" << endl;

    return 0;
}

If we use the polynomial in ANF of the function $f = (1+x_1)(1+x_2)(1+x_3)(1+x_4) + x_1 x_2 x_3 x_4$ as input, the output would be the following:

It is a (4,1,1)-CI function

Figure 4.7 represents the Walsh Spectrum of $f$ and emphasizes in red the rows whose indexes are of weight 1.

For all these rows the Walsh values are 0, so $f$ is 1-CI. There are rows whose indexes are of weight 2 for which the Walsh values are not 0, so $f$ cannot be 2-CI.

4.7 Algebraic Immunity

4.7.1 Description

A new kind of attack, called algebraic attacks, has been introduced in [40], [42], [60]. Algebraic attacks recover the secret key, or at least the initialization of the system, by solving a system of multivariate algebraic equations. A new criterion was introduced in order to measure a cryptographic algorithm's immunity to this kind of attack.

Definition 4.7.1. [40], [41], [60], [97] Denote the Boolean function obtained by the product of the Truth Tables of two Boolean functions $f, g \in \mathcal{F}_n$ by $f \cdot g$ (note that this pointwise product is different from the dot product between two vectors $x, y$). The algebraic immunity (AI) of $f$ is defined as the lowest degree of a nonzero function $g$ for which $f \cdot g = 0$ or $(1+f) \cdot g = 0$. A function $g$ for which $f \cdot g = 0$ is called an annihilator of $f$. Denote the set of all annihilators of $f$ by $An(f)$. This set is an ideal in the ring of Boolean functions, generated by $1+f$.

Fig. 4.7 Correlation immunity of (1+ x1)(1+ x2)(1+ x3)(1+ x4)+ x1x2x3x4.

A function $f$ should not be used if $f$ or $1+f$ has a low degree annihilator. If this happens, algebraic attacks [43] can be executed.

Definition 4.7.2. The component algebraic immunity of any $F \in \mathcal{F}_{n,m}$, denoted by $AI(F)$, is the minimal algebraic immunity of the component functions $v \cdot F$ of the Vector Boolean function, taken over all $v \ne 0 \in V_m$.

The algebraic attack exploits the existence of low-degree multivariate equations involving the input to the S-box and its output, that is, it looks for S-boxes with low algebraic immunity.

4.7.2 Library

The method used to obtain this criterion is the following:

void AI(int& ai, VBF& F)

The method used to obtain the maximum algebraic immunity that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

int aimax(VBF& F)

Page 150: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

126 Cryptographic Criteria

Example 4.7.1. The following program provides the algebraic immunity of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;          // Truth Table as a GF(2) matrix
    F.puttt(T);
    input.close();

    cout << "The algebraic immunity of the function is "
         << AI(F) << endl;
    cout << "The maximum algebraic immunity that can be achieved by a "
         << "Vector Boolean function with the same dimensions is "
         << aimax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The algebraic immunity of the function is 2
The maximum algebraic immunity that can be achieved by a Vector Boolean function with the same dimensions is 2
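The annihilator search behind Definitions 4.7.1 and 4.7.2 can be reproduced without the VBF library. The Python script below is an added example written for this page, not code from the thesis or from the VBF library. It uses the fact that $g$ annihilates $f$ exactly when $g$ vanishes on the support of $f$: writing $g$ in ANF over the monomials of degree at most $d$, the ANF coefficients must lie in the kernel of the evaluation matrix of those monomials on $supp(f)$, so a nonzero annihilator of degree $\le d$ exists if and only if that matrix has rank below the number of monomials. The script raises $d$ until $f$ or $1+f$ has one, and for a Vector Boolean function takes the minimum over the nonzero components. The NibbleSub table embedded below is the Mini-AES S-box, assumed to be the table behind the thesis examples (the AI value printed above is consistent with it); the function names are choices made here.

```python
from itertools import combinations

# NibbleSub (Mini-AES S-box); assumed to be the table used in the thesis examples.
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def monomials_up_to(n, d):
    """Monomials x_S with |S| <= d, each encoded as the bitmask of its variables."""
    return [sum(1 << i for i in S)
            for k in range(d + 1) for S in combinations(range(n), k)]


def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are Python ints (bit j = column j)."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)                      # row holding the highest remaining column
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows if r != pivot]
        rows = [r for r in rows if r]
        rank += 1
    return rank


def has_annihilator(f, n, d):
    """True iff some nonzero g with deg(g) <= d satisfies f*g = 0 (pointwise product).

    f*g = 0 means g(x) = 0 for every x in supp(f). With g written in ANF over the
    monomials of degree <= d this is a homogeneous linear system over GF(2) in the
    ANF coefficients; a nonzero solution exists iff the evaluation matrix
    M[x][S] = x_S(x), x in supp(f), has rank smaller than the number of monomials."""
    mons = monomials_up_to(n, d)
    rows = [sum(((x & mk) == mk) << j for j, mk in enumerate(mons))
            for x in range(2 ** n) if f[x]]
    return gf2_rank(rows) < len(mons)


def algebraic_immunity(f, n):
    """AI(f): lowest degree of a nonzero g with f*g = 0 or (1+f)*g = 0 (Definition 4.7.1)."""
    not_f = [1 - b for b in f]
    for d in range(n + 1):
        if has_annihilator(f, n, d) or has_annihilator(not_f, n, d):
            return d
    return n   # never reached: 1+f itself annihilates f and has degree <= n


def component(tt, v):
    """Truth table of the component v.F: XOR of the output bits selected by v."""
    return [bin(y & v).count("1") & 1 for y in tt]


def component_ai(tt, n, m):
    """Component algebraic immunity AI(F) = min over v != 0 of AI(v.F) (Definition 4.7.2)."""
    return min(algebraic_immunity(component(tt, v), n) for v in range(1, 2 ** m))


def ai_max(n):
    """Upper bound ceil(n/2) on the AI of any n-variable function (Table 4.2)."""
    return (n + 1) // 2


def truth_table(fn, n):
    """Evaluate fn(x_1, ..., x_n) on all 2^n inputs; x_1 is the most significant bit."""
    return [fn(*[(x >> (n - 1 - i)) & 1 for i in range(n)]) for x in range(2 ** n)]


# Example 4.6.1: the AND of all inputs is annihilated by the degree-1 function 1 + x_1.
AND4 = truth_table(lambda x1, x2, x3, x4: x1 & x2 & x3 & x4, 4)

if __name__ == "__main__":
    print("AI of x1x2x3x4:", algebraic_immunity(AND4, 4))
    print("AI of NibbleSub:", component_ai(NIBBLESUB, 4, 4),
          "max possible for n = 4:", ai_max(4))
```

For $n = 4$ and $d = 2$ there are 11 monomials but a balanced component has only 8 support points, so the rank test always succeeds at $d = 2$; the only way a balanced 4-bit component could fall below AI 2 is an affine annihilator, which would make the component itself affine.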

Page 151: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

4.8 Global Avalanche Criterion 127

4.8 Global Avalanche Criterion

4.8.1 Description

The Global avalanche criterion (GAC) was introduced in [160] to measure the overallavalanche characteristics of a Boolean function.

Definition 4.8.1. [160] Let F ∈ Fn,m, its Global avalanche criterion is defined by twoindicators:

1. The absolute indicator of F , denoted by ACmax(F), defines the maximum absolutenon-zero value of the Autocorrelation Spectrum:

ACmax(F) = max(|AC(F)(u,v)|) ∀u = 0 ∈ Vn, ∀v = 0 ∈ Vm (4.17)

2. The sum-of-squares indicator, denoted by σ , is the second moment of the autocorrela-tion coefficients:

σ(F) = ∑(u,v)∈Vn×Vm

AC(F)(u,v)2 =12n ∑

(u,v)∈Vn×Vm

WS(F)(u,v)4 (4.18)

In order to achieve good diffusion, cryptographic functions should achieve low values ofboth indicators.

4.8.2 Library

The methods used to obtain these criteria are the following:

void maxAC(NTL::ZZ& x, VBF& F)
void sigma(NTL::ZZ& x, VBF& F)

Example 4.8.1. The following program provides the absolute indicator and the sum-of-squares indicator of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;          // Truth Table as a GF(2) matrix
    F.puttt(T);
    input.close();

    cout << "The absolute indicator of the function is "
         << maxAC(F) << endl;
    cout << "The sum-of-squares indicator of the function is "
         << sigma(F) << endl;
    cout << "The maximum absolute indicator that can be achieved by a "
         << "Vector Boolean function with the same dimensions is "
         << maxACmax(F) << endl;
    cout << "The maximum sum-of-squares indicator that can be achieved by a "
         << "Vector Boolean function with the same dimensions is "
         << sigmamax(F) << endl;
    cout << "The minimum sum-of-squares indicator that can be achieved by a "
         << "Vector Boolean function with the same dimensions is "
         << sigmamin(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The absolute indicator of the function is 16
The sum-of-squares indicator of the function is 1408
The maximum absolute indicator that can be achieved by a Vector Boolean function with the same dimensions is 16
The maximum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is 4096
The minimum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is 256

Figure 4.8 represents the Autocorrelation Spectrum of NibbleSub and emphasizes in red the values at which the maximum is attained.

Fig. 4.8 Absolute indicator of NibbleSub.

Figure 4.9 represents the Autocorrelation Spectrum of NibbleSub and emphasizes in blue the columns (component functions) at which the maximum sum-of-squares is attained.

4.9 Linearity Distance

4.9.1 Description

In the introduction of this chapter we explained that functions with nonzero linear structures are considered weak from a cryptanalytic viewpoint. It is our interest to identify strong Vector Boolean functions, which are far from these weak functions.

The cryptanalyst may be able to take advantage of the linear structures in $f$ if some of the $m_i$, $i = 1, \ldots, k$ in equation (4.1) are zero, thus eliminating the influence of some variables (possibly key bits) on the ciphertext.

Fig. 4.9 Sum-of-squares indicator of NibbleSub.

The cryptanalytic value of linear structures lies in their potential to map a nonlinear function to a degenerate function via a linear transformation, which may reduce the size of the keyspace.

S-boxes used in block ciphers should have no nonzero linear structures (see [59]). The existence of nonzero linear structures in the functions implemented in stream ciphers is a potential risk that should also be avoided, even though no attack exploiting it is known so far.

Definition 4.9.1. The linearity distance of a Boolean function $f \in \mathcal{F}_n$ is defined as its distance to the set of all Boolean functions admitting nonzero linear structures. These include, among others, all the affine functions and all non-bent quadratic functions, and are defined as follows [98]:

$$LD(f) = d(f, LS_n) = \min_{S \in LS_n} d(f, S) \qquad (4.19)$$

where

$$LS_n = \{\, f \in \mathcal{F}_n \mid f \text{ has a linear structure } u \ne 0 \,\} \qquad (4.20)$$

Theorem 4.9.1. [24] The linearity distance of a Vector Boolean function, defined as the minimum among the linearity distances of all its component functions, may be computed from the Autocorrelation Spectrum using:

$$LD(F) = \min_{v \ne 0 \in V_m} LD(v \cdot F) = 2^{n-2} - \frac{1}{4} AC_{\max}(F) \qquad (4.21)$$

Differential cryptanalysis is based on the idea of finding highly probable differential pairs between the inputs and outputs of the S-boxes present in the cipher, that is, on finding S-boxes with low linearity distance. Differential cryptanalysis [13] can be seen as an extension of the attacks based on the presence of linear structures [112]. If $u$ is a linear structure of $f$, then inputs with difference $u$ always produce the same output difference (0 or 1), with probability 1. In differential cryptanalysis it is only required that inputs of difference $\Delta x$ lead to a known difference $\Delta y$ with high probability, or with a probability that noticeably exceeds the mean. Perfect nonlinear functions are resistant to differential cryptanalysis.

Let $F \in \mathcal{F}_{n,m}$. If $LD(F) = 0$, some component function of $F$ has a nontrivial linear structure. As $A_n \subseteq LS_n$ (every vector is a linear structure of an affine function), $NL(F) \ge LD(F)$.

4.9.2 Library

The method used to obtain the linearity distance of a Vector Boolean function is the following:

void ld(NTL::RR& x, VBF& F)

The method used to obtain the maximum linearity distance that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

NTL::RR ldmax(VBF& F)

Example 4.9.1. The following program provides the linearity distance of a Vector Boolean function given its Truth Table, together with the maximum linearity distance that can be achieved by a Vector Boolean function with the same number of input bits and output bits.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth-table-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> T;          // Truth Table as a GF(2) matrix
    F.puttt(T);
    input.close();

    cout << "Linearity distance of the function is " << ld(F) << endl;
    cout << "The maximum linearity distance: " << ldmax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would begin as follows:

Linearity distance of the function is 0

This result is consistent with the example of subsection 3.9.2, where we showed that this S-box has linear structures; as a consequence, its distance to the set of all Boolean functions admitting nonzero linear structures is 0.

4.10 Propagation Criterion

4.10.1 Description

This criterion is based on the properties of the derivatives of Boolean functions and describes the behavior of a function whenever some input bits are complemented. The concept was introduced by Preneel et al. in [124] and is a generalization of the Strict Avalanche Criterion (SAC) defined by Webster and Tavares in [157].

Definition 4.10.1. $f \in \mathcal{F}_n$ is said to satisfy the propagation characteristic with respect to $u \in V_n$ if and only if $f(x) + f(x+u)$ is balanced.

Definition 4.10.2. A function $f \in \mathcal{F}_n$ satisfies the propagation criterion of degree $l$ (PC($l$)) if and only if complementing any $l$ or fewer of the input bits complements exactly half of the function values.

Definition 4.10.3. Let $f \in \mathcal{F}_n$ and $l \in \{1, \ldots, n\}$. $f$ satisfies the propagation criterion of degree $l$ if and only if:

$$f \text{ satisfies } PC(l) \iff f(x) + f(x+u) \text{ balanced},\ \forall u \in V_n,\ 1 \le wt(u) \le l \qquad (4.22)$$

Theorem 4.10.1. Let $f \in \mathcal{F}_n$ and $l \in \{1, \ldots, n\}$. $f$ satisfies the propagation criterion of degree $l$ if and only if its autocorrelation coefficients at the nonzero vector indexes of weight at most $l$ are zero:

$$f \text{ satisfies } PC(l) \iff r_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l \qquad (4.23)$$

Proof.

$$f \text{ satisfies } PC(l) \iff f(x) + f(x+u) \text{ balanced},\ \forall u \in V_n,\ 1 \le wt(u) \le l \iff \chi_{f(x)+f(x+u)}(0) = 0 \iff \sum_{x \in V_n} (-1)^{f(x)+f(x+u)} = 0 \iff r_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l.$$

Definition 4.10.4. $F \in \mathcal{F}_{n,m}$ satisfies the propagation criterion of degree $l$ (PC($l$)) if every component function of $F$ satisfies PC($l$). This criterion can be read off the Autocorrelation Spectrum as follows:

$$r_F(u,v) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l,\ \forall v \ne 0 \in V_m \qquad (4.24)$$

4.10.2 Library

The method used to obtain this criterion is the following:

void PC(int& k, VBF& F)

Example 4.10.1. The following program provides the degree of the propagation criterion of a Vector Boolean function given its polynomial in ANF.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <anf-file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if (!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 1;
    }
    input >> p;          // polynomial in ANF
    F.putpol(p);         // build the Vector Boolean function from its ANF
    input.close();

    cout << "The function is PC of degree " << PC(F) << endl;

    return 0;
}

If we use the polynomial in ANF of the function $f = x_1 x_2 + x_3 x_4$ as input, the output would be the following:

The function is PC of degree 4

Figure 4.10 represents the Autocorrelation Spectrum of $f$ and emphasizes in red the rows whose indexes are of weight 1, 2, 3 and 4.

For all these rows the autocorrelation values are 0. As a consequence, $f$ satisfies PC(4).
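The Walsh and autocorrelation criteria of Sections 4.6 and 4.8 to 4.10 (correlation immunity by (4.16), the absolute and sum-of-squares indicators by (4.17) and (4.18), linearity distance by (4.21) and the propagation criterion by (4.24)) can all be read off two spectra computed once from the truth table. The Python script below is an added example written for this page; it is not code from the thesis or from the VBF library, and it reproduces on the thesis's own inputs (the 1-CI function of Example 4.6.2, the bent function $x_1 x_2 + x_3 x_4$ of Example 4.10.1, and NibbleSub) the values quoted in the examples above. It assumes the Mini-AES NibbleSub table, computes $\theta_F(u,v) = \chi_{v \cdot F}(u)$ with the fast Walsh–Hadamard transform and $AC(F)(u,v) = r_{v \cdot F}(u)$ directly from the definition, and takes $\sigma(F)$ as the largest component sum-of-squares, which is how the $256 \ldots 4096$ range printed in Example 4.8.1 is to be read; all function names are choices made here.

```python
# Walsh and autocorrelation criteria for F: V_n -> V_m given as a truth table
# (tt[x] = F(x) as an m-bit integer). Conventions as in the thesis:
# chi_f(u) = sum_x (-1)^(f(x) + u.x),  r_f(u) = sum_x (-1)^(f(x) + f(x+u)).

# NibbleSub (Mini-AES S-box); assumed to be the table used in the thesis examples.
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def weight(u):
    return bin(u).count("1")


def component(tt, v):
    """Truth table of v.F: XOR of the output bits selected by the mask v."""
    return [weight(y & v) & 1 for y in tt]


def walsh(f):
    """chi_f(u) for every u, by the in-place fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in f]                 # sign vector (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def autocorr(f):
    """r_f(u) for every u (r_f(0) = 2^n)."""
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ f[x ^ u]) for x in range(size)) for u in range(size)]


def components(tt, m):
    """All nonzero component functions v.F, keyed by the output mask v."""
    return {v: component(tt, v) for v in range(1, 2 ** m)}


def is_balanced(tt, n, m):
    """F is balanced iff chi_{v.F}(0) = 0 for every v != 0 (all outputs equally likely)."""
    return all(walsh(f)[0] == 0 for f in components(tt, m).values())


def _order(spectra, n):
    """Largest t such that every spectrum vanishes at all u with 1 <= wt(u) <= t."""
    t = n
    for sp in spectra:
        for u in range(1, 2 ** n):
            if sp[u] != 0:
                t = min(t, weight(u) - 1)
    return t


def ci_order(tt, n, m):
    """Order of correlation immunity from the Walsh Spectrum (Theorem 4.6.2, eq. 4.16)."""
    return _order([walsh(f) for f in components(tt, m).values()], n)


def pc_degree(tt, n, m):
    """Degree l of the propagation criterion from the Autocorrelation Spectrum (eq. 4.24)."""
    return _order([autocorr(f) for f in components(tt, m).values()], n)


def ac_max(tt, n, m):
    """Absolute indicator: max |AC(F)(u, v)| over u != 0 and v != 0 (eq. 4.17)."""
    return max(abs(r) for f in components(tt, m).values() for r in autocorr(f)[1:])


def sigma(tt, n, m):
    """Sum-of-squares indicator, taken as the worst (largest) component value (eq. 4.18)."""
    return max(sum(r * r for r in autocorr(f)) for f in components(tt, m).values())


def linearity_distance(tt, n, m):
    """LD(F) = 2^(n-2) - AC_max(F)/4 (eq. 4.21); r_f(u), u != 0, is a multiple of 4 for n >= 2."""
    return 2 ** (n - 2) - ac_max(tt, n, m) // 4


def truth_table(fn, n):
    """Evaluate fn(x_1, ..., x_n) on all inputs; x_1 is the most significant bit of x."""
    return [fn(*[(x >> (n - 1 - i)) & 1 for i in range(n)]) for x in range(2 ** n)]


# Example 4.6.2: (1+x1)(1+x2)(1+x3)(1+x4) + x1x2x3x4, reported as 1-CI above.
F_CI = truth_table(lambda x1, x2, x3, x4:
                   ((1 ^ x1) & (1 ^ x2) & (1 ^ x3) & (1 ^ x4)) ^ (x1 & x2 & x3 & x4), 4)
# Example 4.10.1: the bent function x1x2 + x3x4, reported as PC(4) above.
F_BENT = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4), 4)

if __name__ == "__main__":
    print("NibbleSub balanced:", is_balanced(NIBBLESUB, 4, 4))
    print("CI order of f:", ci_order(F_CI, 4, 1))
    print("PC degree of x1x2+x3x4:", pc_degree(F_BENT, 4, 1))
    print("NibbleSub AC_max, sigma, LD:", ac_max(NIBBLESUB, 4, 4),
          sigma(NIBBLESUB, 4, 4), linearity_distance(NIBBLESUB, 4, 4))
```

The `_order` helper is shared by the CI and PC computations because (4.16) and (4.24) have the same shape: the order is one less than the smallest weight of a nonzero index at which some component spectrum is nonzero. For NibbleSub the component $y_2 + y_0$ (mask $v = 5$) has $r(u) = \pm 16$ at $u = 4$, $11$ and $15$, which is what drives $AC_{\max} = 16$ and hence $LD = 0$.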

4.11 Bounds, Properties and Trade-offs

In this section, we present some known bounds, properties and trade-offs among the cryptographic criteria.

Fig. 4.10 Propagation Criterion of x1x2 + x3x4.

4.11.1 Bounds

Let $F \in \mathcal{F}_{n,m}$ be an arbitrary Vector Boolean function. The lower and upper bounds of the cryptographic criteria described above are given in Table 4.2.

4.11.2 Properties

Let $f \in \mathcal{F}_n$ be an arbitrary Boolean function. Table 4.3 lists which criteria are affine invariant. In Table 4.4 the relations with the weight of functions are analyzed, and in Table 4.5 the relations with the Walsh coefficients of functions.

4.11.3 Trade-offs

In an ideal situation, a single function would exhibit a large number of desirable cryptographic criteria, all with adequate measures. In reality such functions cannot exist, given the trade-offs between certain cryptographic criteria and the strict rules which limit Boolean function characteristics. We now comment on specific trade-offs between pairs of criteria and discuss how these criteria affect each other.

Table 4.2 Cryptographic criteria bounds.

Criterion   Lower bound                       Upper bound
deg         0 (constant functions)            $n$
NL          0 (affine functions)              $2^{n-1} - 2^{n/2-1}$ ($n \ge 2m$ and $n$ even); $2^{n-1} - 2^{(n-1)/2}$ ($n < 2m$ or $n$ odd)
CI          0                                 $n$
AI          0                                 $\lceil n/2 \rceil$ [40]
ACmax       0 (bent functions)                $2^n$ (affine functions)
σ           $2^{2n}$ (bent functions)         $2^{3n}$ (affine functions)
LD          0 (if it has linear structures)   $2^{n-2}$
PC          0                                 $n$

Table 4.3 Are the criteria affine invariant?

deg: Yes   NL: Yes   CI: No   AI: Yes   ACmax: Yes   σ: Yes   LD: Yes   PC: No

Table 4.4 Weight related cryptographic criteria properties.

deg   [22] If $\deg(f) > 0$, then $wt(f)$ is a multiple of $2^{\lfloor (n-1)/\deg(f) \rfloor}$. Any Boolean function with $\deg(f) < n$ has even weight; any Boolean function with $\deg(f) = n$ has odd weight. [96] If $\deg(f) \ge 1$, then $2^{n-\deg(f)} \le wt(f) \le 2^n - 2^{n-\deg(f)}$.
NL    If $f$ is bent, then $wt(f) = 2^{n-1} \pm 2^{n/2-1}$.
AI    [26], [19], [15] If $wt(f) < \sum_{i=0}^{d} \binom{n}{i}$ or $wt(f) > 2^n - \sum_{i=0}^{d} \binom{n}{i}$, then $AI(f) \le d$. Consequently, if $n$ is odd, the AI of a non-balanced function is upper bounded by $\lceil n/2 \rceil - 1$.

Table 4.5 Walsh related cryptographic criteria properties.

deg   [72], [21] Let $f \in \mathcal{F}_n$ and $1 \le k \le n$. If its Walsh transform takes only values divisible by $2^k$, then $f$ has algebraic degree at most $n - k + 1$.
NL    $NL(f) = 2^{n-1} - \frac{1}{2} \max_{u \in V_n} |\chi_f(u)|$
CI    [28] The Walsh coefficients of a $t$-CI function (resp. $t$-resilient function) of degree $d$ are divisible by $2^{\,t+1+\lfloor (n-t-1)/d \rfloor}$ (resp. $2^{\,t+2+\lfloor (n-t-2)/d \rfloor}$).
σ     [20] $\sigma(f) \le 2^n \cdot r(f)^2$, where $r(f) = \max_{u \in V_n} |\chi_f(u)|$ is the spectral radius of $f$.

Balancedness and Nonlinearity

As bent functions are not balanced, they are not suitable for direct use in cryptosystems. For this reason it is necessary to study the maximum nonlinearity of balanced functions, but this value is unknown for every $n \ge 8$. Upper and lower bounds are derived in [142], [51]. In order to discuss these bounds we introduce the notations:

$$R(n) = \min\{\, r(f) \mid f \in \mathcal{F}_n \,\}, \qquad RB(n) = \min\{\, r(f) \mid f \in \mathcal{F}_n \text{ balanced} \,\} \qquad (4.25)$$

Dobbertin in [51] showed the following:

1. $RB(2n) \le 2^n + RB(n)$

2. For even $n = 2^s u$, $u$ odd and $n \ge 4$, the lower and upper bounds are (the chain of exponents runs over $n/2, n/4, \ldots, n/2^s = u$):

$$2^{n/2} + 4 \le RB(n) \le 2^{n/2} + 2^{n/4} + 2^{n/8} + \cdots + 2^{u} + 2^{(u+1)/2} \qquad (4.26)$$

For $n = 1, 3, 5, 7$ it is known that $R(n) = RB(n) = 2^{(n+1)/2}$. Dobbertin obtained lower and upper bounds for $n = 14$, $132 \le RB(14) \le 144$, and by [118] it holds that $R(15) \le 216$. As the spectral radius of the direct sum of $f \in \mathcal{F}_{n_1}$ and $g \in \mathcal{F}_{n_2}$ satisfies $R_{f \oplus g} = R_f \cdot R_g$, and $f \oplus g$ is balanced whenever $f$ is balanced, we have

$$RB(n_1 + n_2) \le RB(n_1) \cdot R(n_2) \qquad (4.27)$$

for all $n_1$ and $n_2$. Thus:

$$RB(29) \le RB(14) \cdot R(15) \le 144 \cdot 216 = 31104 < 2^{15} \qquad (4.28)$$

More generally this implies

$$RB(n) < 2^{(n+1)/2} \quad \forall \text{ odd } n \ge 29 \qquad (4.29)$$

Table 4.6 Maximum nonlinearity of Balanced Boolean functions for n.

n                    7     8     9     10    11    12    13    14    15
Best known           56    116   240   492   992   2010  4036  8120  16272
Lowest upper bound   56    118   244   494   1000  2014  4050  8126  16292

The upper bounds are based on previous results of Dobbertin and on the result of Hou [54] for $n$ odd:

$$NL(f) \le 2 \left\lfloor 2^{n-2} - 2^{n/2-2} \right\rfloor \qquad (4.30)$$

Seberry et al., among others, achieved the best known nonlinearities for $n = 8, 10, 12, 14$. The nonlinearity 240 for $n = 9$ was obtained by Kavut et al. [77], Saber et al. [131], Filiol and Fontaine [61], Sarkar and Maitra [133], Guillot [68], Read [125], Burnett [16], Zhang and Zheng [160], Stanica [148], by the $9 \times 9$ S-box used in MISTY1 and KASUMI [2], Charpin et al. [30] and Grocholewska [66].

The nonlinearity 992 for $n = 11$ was obtained by Sarkar and Maitra [133], Johansson and Pasalic [75], Maximov et al. [95], Maitra [87], Kavut et al. [77], Read [125] and Dalai et al. [47].

The nonlinearity 4036 for $n = 13$ was obtained by Kavut and Yücel [78]. The nonlinearity 16272 for $n = 15$ was obtained by Sarkar and Maitra [136]. A nonlinearity of 240 for $n = 9$ and of 992 for $n = 11$ can be obtained by bent concatenation ($2^{n-1} - 2^{(n-1)/2}$). This value is also called the bent-concatenation bound, since it can be achieved by the concatenation of two bent functions in $n-1$ variables.

Balancedness and Global Avalanche

Son, Lim, Chee and Sung in [147] proved that balanced functions satisfy the following property:

$$\sigma(f) \ge 2^{2n} + 2^{n+3} \qquad (4.31)$$

Nonlinearity and Algebraic Degree

Theorem 4.11.1. [128] The degree of an $n$-variable bent function is less than or equal to $n/2$.

Nonlinearity and Global Avalanche

The Wiener–Khinchin Theorem (Theorem 3.9.2) provides a direct link between the autocorrelation vector and the Walsh Spectrum of a function. If the sum-of-squares indicator is large, then the autocorrelation contains values of large magnitude, and from the theorem we can deduce that the nonlinearity of the function is then likely to be low. If the sum-of-squares indicator is small, the nonlinearity may be high.

The nonlinearity of a function may be estimated from the absolute indicator using Theorem 10 of [103], which gives a tight upper bound on nonlinearity in terms of the absolute indicator.

Theorem 4.11.2. Let $f \in \mathcal{F}_n$ with absolute indicator $AC_{\max}$ and nonlinearity $NL(f)$. Then

$$NL(f) \le 2^{n-1} - \frac{1}{2} \sqrt{2^n + AC_{\max}} \qquad (4.32)$$

From the property of the sum-of-squares indicator in Table 4.5 with respect to the spectral radius of $f$, it can be observed that the higher the nonlinearity of the function (that is, the lower $R_f$), the lower the upper bound on the function's sum-of-squares indicator will be. In [147] the following inequality is obtained:

$$NL(f) \le 2^{n-1} - \frac{1}{2} \sqrt{\frac{\sigma(f)}{2^n}} \qquad (4.33)$$

These results provide evidence that nonlinearity and avalanche complement each other in a function, i.e. optimizing one allows the other to be improved.

Nonlinearity and Propagation Criterion

In 2003, Zheng and Zhang [162] presented a theorem relating the nonlinearity of a Boolean function to its degree of propagation criterion by specifying a lower bound:

Theorem 4.11.3. Let $f \in \mathcal{F}_n$ satisfy PC($l$). Then:

(i) $NL(f) \ge 2^{n-1} - 2^{n-1-l/2}$

(ii) Equality $NL(f) = 2^{n-1} - 2^{n-1-l/2}$ holds in (i) if and only if either:

(a) $n$ is odd, $l = n-1$, and $f$ is of the form

$$f(x) = g(x_1 + x_n, \ldots, x_{n-1} + x_n) + h(x_1, \ldots, x_n) \qquad (4.34)$$

where $g$ is an $(n-1)$-variable bent function and $h$ is an $n$-variable affine function; or

(b) $n$ is even, $l = n$, and $f$ is a bent function.

The above theorem demonstrates that the greater the degree $l$ of the propagation criterion, the greater the minimum nonlinearity of the function will be, and therefore higher nonlinearities are possible.

Nonlinearity and Correlation Immunity

The relationship between nonlinearity and correlation immunity can be expressed through a study of the effect of Parseval's Theorem (Theorem 3.6.7). The higher the order of correlation immunity $t$, the more Walsh coefficients must be zero. It then follows, for Parseval's Theorem to remain valid, that the nonzero Walsh coefficients must have higher magnitude, which results in a lower nonlinearity. Conversely, the higher the nonlinearity of a function, the lower the magnitude of the nonzero values in its Walsh Spectrum (in particular the spectral radius); therefore, to satisfy Parseval's Theorem, there must be fewer zero Walsh coefficients, which means that only a low order of correlation immunity will be possible.

An upper bound on the nonlinearity of a $t$-resilient function was proposed independently in [161], [149], [150], [135] as follows:

Theorem 4.11.4. Let $f \in \mathcal{F}_n$ be a $t$-resilient function with $0 \le t \le n-2$ and nonlinearity $NL(f)$. Then $NL(f) \le 2^{n-1} - 2^{t+1}$.

It can be seen from this theorem that nonlinearity and correlation immunity are opposing criteria. Optimizing nonlinearity results in a lower achievable order of correlation immunity. Enforcing a higher order of correlation immunity reduces the maximum achievable nonlinearity.

Correlation Immunity and Algebraic Degree

An important result exists between correlation immunity and algebraic degree. There is a trade-off between the algebraic degree of a Boolean function and the maximum order of correlation immunity that it can possess. The following theorem describes the relationship, which is known as the Siegenthaler bound or inequality.

Theorem 4.11.5. [146] If $f$ is a $t$-CI function, then $\deg(f) \le n - t$. Moreover, if $f$ is balanced (i.e. $f$ is $t$-resilient), then $\deg(f) \le n - t - 1$.

The above theorem demonstrates that, provided the number of variables $n$ remains fixed, there is an opposite relation between the order of correlation immunity and the algebraic degree when one of these measures is high. The higher the order of correlation immunity, the lower the algebraic degree of the function must be. Conversely, if the order of correlation immunity is low then the algebraic degree of the function may be high.

Nonlinearity and Algebraic Immunity

Theorem 4.11.6. [86] Let $f \in \mathcal{F}_n$. If $AI(f) = k$, then

$$NL(f) \ge 2 \sum_{i=0}^{k-2} \binom{n-1}{i}.$$

In particular, for an $f$ with maximum $AI(f)$ it holds that $NL(f) \ge 2^{n-1} - \binom{n}{n/2}$ for $n$ even and $NL(f) \ge 2^{n-1} - \binom{n-1}{(n-1)/2}$ for $n$ odd.

Algebraic Immunity and Algebraic Degree

Theorem 4.11.7. [26], [19], [15] Let $f \in \mathcal{F}_n$ have a low degree approximation $g$. If $d(f,g) < \sum_{i=0}^{r} \binom{n}{i}$, then $AI(f) \le r + AI(g)$.

Therefore, the AI criterion is stable in some sense: changing a few output values will not drastically decrease the AI, unlike the algebraic degree of the function.

Correlation Immunity and Global Avalanche

The following theorems from [163] provide a lower bound on the absolute indicator of $t$-CI Boolean functions, both balanced and non-balanced.

Theorem 4.11.8. Let $f \in \mathcal{F}_n$ be a $t$-CI function with $2 \le t \le n$, and absolute indicator $AC_{\max}$. Then

$$AC_{\max}(f) \ge 2^{\,t-1+\sum_{i=0}^{\infty} 2^{i(t-1-n)}} \qquad (4.35)$$

Theorem 4.11.9. Let $f \in \mathcal{F}_n$ be a $t$-resilient function with $1 \le t \le n-1$, and absolute indicator $AC_{\max}$. Then

$$AC_{\max}(f) \ge 2^{\,t+\sum_{i=0}^{\infty} 2^{i(t-n)}} \qquad (4.36)$$

The following theorems from [87] provide a lower bound on the sum-of-squares indicator of $t$-CI and $t$-resilient Boolean functions, and on their absolute indicator.

Theorem 4.11.10. Let $f \in \mathcal{F}_n$ be a $t$-CI function. Then $\sigma(f) \ge 2^{2n} + 2^{\,n + \log_2 \sum_{i=1}^{t} \binom{n}{i}}$. Similarly, if $f$ is $t$-resilient, then $\sigma(f) \ge 2^{2n} + 2^{\,n + \log_2 \sum_{i=0}^{t} \binom{n}{i}}$.

Theorem 4.11.11. Let $f \in \mathcal{F}_n$ be a $t$-CI function. Then

$$AC_{\max}(f) \ge 2^{n/2} \sqrt{\frac{\sum_{i=1}^{t} \binom{n}{i}}{2^n - \sum_{i=1}^{t} \binom{n}{i}}} \qquad (4.37)$$

Similarly, if $f$ is $t$-resilient, then

$$AC_{\max}(f) \ge 2^{n/2} \sqrt{\frac{\sum_{i=0}^{t} \binom{n}{i}}{2^n - \sum_{i=0}^{t} \binom{n}{i}}} \qquad (4.38)$$

If we use the Walsh divisibility results for correlation immune and resilient Boolean functions described in Table 4.5, the following theorems are obtained in [87]:

Theorem 4.11.12. Let $f \in \mathcal{F}_n$ be a $t$-CI function. Then $\sigma(f) \ge 2^{n+2t+2}$. Similarly, if $f \in \mathcal{F}_n$ is a $t$-resilient function, then $\sigma(f) \ge 2^{n+2t+4}$.
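The bound of Theorem 4.11.12 follows from the divisibility result of Table 4.5 and Parseval's Theorem in a few lines. The derivation below is added here for this page (it is not part of the thesis) and uses the symbols of this chapter; it continues to the absolute indicator bound of Theorem 4.11.13.

Let $f$ be $t$-CI and let $N$ be the number of $w \in V_n$ with $\chi_f(w) \ne 0$. By Table 4.5 every $\chi_f(w)$ is a multiple of $2^{t+1}$, so $\chi_f(w)^2 \ge 2^{2t+2}$ wherever it is nonzero, and Parseval's Theorem gives

$$2^{2n} = \sum_{w \in V_n} \chi_f(w)^2 \ge N \cdot 2^{2t+2}, \qquad \text{i.e.} \qquad N \le 2^{2n-2t-2}.$$

By the Cauchy–Schwarz inequality over the $N$ nonzero terms,

$$2^{4n} = \Big( \sum_{w \in V_n} \chi_f(w)^2 \Big)^2 \le N \sum_{w \in V_n} \chi_f(w)^4,$$

so that, by (4.18),

$$\sigma(f) = \frac{1}{2^n} \sum_{w \in V_n} \chi_f(w)^4 \ge \frac{2^{4n}}{2^n N} \ge \frac{2^{3n}}{2^{2n-2t-2}} = 2^{n+2t+2}.$$

If $f$ is $t$-resilient the divisibility improves to $2^{t+2}$, hence $N \le 2^{2n-2t-4}$ and the same chain gives $\sigma(f) \ge 2^{n+2t+4}$.

For the absolute indicator, split $\sigma(f)$ at $u = 0$, where $r_f(0) = 2^n$:

$$\sigma(f) = 2^{2n} + \sum_{u \ne 0} r_f(u)^2 \le 2^{2n} + (2^n - 1)\, AC_{\max}(f)^2,$$

hence, whenever $2^{n+2t+2} > 2^{2n}$,

$$AC_{\max}(f)^2 \ge \frac{2^{n+2t+2} - 2^{2n}}{2^n - 1} > \frac{2^{n+2t+2} - 2^{2n}}{2^n} = 2^{2t+2} - 2^n \ge 2^{2t+1} \quad \text{if } 2t + 1 \ge n,$$

which is the condition $t > n/2 - 1$ of Theorem 4.11.13 and yields $AC_{\max}(f) > 2^{(2t+1)/2}$. The resilient case is identical with $2^{n+2t+4}$ in place of $2^{n+2t+2}$, giving $AC_{\max}(f) > 2^{(2t+3)/2}$ for $t > n/2 - 2$.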

Theorem 4.11.13. Let $f \in \mathcal{F}_n$ be a $t$-CI function with $t > n/2 - 1$. Then $AC_{\max}(f) > 2^{(2t+1)/2}$. Similarly, if $f \in \mathcal{F}_n$ is a $t$-resilient function with $t > n/2 - 2$, then $AC_{\max}(f) > 2^{(2t+3)/2}$.

Tarannikov et al. in [151] derive a lower bound for the absolute indicator of resilient functions:

Theorem 4.11.14. Let $f \in \mathcal{F}_n$ be a $t$-resilient function. Then

$$AC_{\max}(f) \ge \left( \frac{2t - n + 3}{n + 1} \right) 2^n.$$

Tarannikov et al. also proved:

Theorem 4.11.15. Let $f \in \mathcal{F}_n$ be a $t$-resilient function. If $n \ge (n - t - 1)\, 2^{n-t-2}$, then $AC_{\max}(f) = 2^n$.

The theorems above illustrate the effect of an increase in $t$ on the magnitude of $AC_{\max}$. As the order of correlation immunity increases, the geometric sum in the exponent of each of (4.35) and (4.36) tends to 2 and the lower bound on $AC_{\max}$ approaches $2^n$. Recall that $AC_{\max} = 2^n$ for all affine functions and for all functions with nonzero linear structures.

Correlation Immunity and Propagation Criterion

It can be established from the theorem in [162] that, for some fixed n, the higher the order of resilience, the lower the degree of the propagation criterion of a Boolean function. Conversely, the higher the degree of the propagation criterion, the lower the order of resilience must be:

Theorem 4.11.16. Let $f \in F_n$ be a t-resilient function which satisfies PC(l). Then $t + l \le n-1$. If $t + l = n-1$, then $l = n-1$, n is odd and $t = 0$.

There is thus an opposing relation between correlation immunity and the propagation criterion: what is optimal for one must be least favourable for the other.


Nonlinearity, Correlation Immunity and Algebraic Degree

Siegenthaler's inequality is extended by Carlet in [22] to identify the subsets of values from which the non-zero Walsh coefficients can be taken:

Theorem 4.11.17. Let $f \in F_n$ be a t-resilient function with $0 \le t \le n-2$, and let $\deg(f)$ be its algebraic degree. Then for every affine function a, $d(f,a)$ is divisible by $2^{\,t+1+\left\lfloor \frac{n-t-2}{\deg(f)} \right\rfloor}$.

The above theorem provides information about the divisibility of the possible values of NL(f), as a value dependent on n, the order of correlation immunity t and the algebraic degree deg(f). This has been further elaborated in [28]. Thus, for some fixed t, if deg(f) is low then NL(f) has large divisors, causing the interval between successive valid nonlinearity values to be large. From this we may infer, particularly for even n, that the highest nonlinearity achievable by a resilient function f having low algebraic degree will be suboptimal, given that it will be at least one large interval below the covering radius bound. The same argument holds when the order of correlation immunity t is high. The small divisors that result when the algebraic degree is higher and t is low allow valid nonlinearity values closer to the covering radius bound, when n is even.

Global Avalanche, Correlation Immunity and Algebraic Degree

Theorem 4.11.18. [87] Let $f \in F_n$ be a t-CI function ($t > \frac{n}{2}-1$) with algebraic degree d, then $\sigma(f) \ge 2^{\,n+2t+2+2\left\lfloor \frac{n-t-1}{d} \right\rfloor}$ and $AC_{max}(f) > 2^{\frac{2t+1+\left\lfloor \frac{n-t-1}{d} \right\rfloor}{2}}$. Similarly, for $f \in F_n$ a t-resilient function ($t > \frac{n}{2}-2$) with algebraic degree d, $\sigma(f) \ge 2^{\,n+2t+4+2\left\lfloor \frac{n-t-2}{d} \right\rfloor}$ and $AC_{max}(f) > 2^{\frac{2t+3+\left\lfloor \frac{n-t-2}{d} \right\rfloor}{2}}$.

Global Avalanche, Correlation Immunity and Nonlinearity

Theorem 4.11.19. [87] Let $f \in F_n$ be a t-CI function ($t > \frac{n}{2}-1$) with maximum possible nonlinearity $2^{n-1}-2^{t}$, then $\sigma(f) = 2^{n+2t+2}$. Similarly, for $f \in F_n$ a t-resilient function ($t > \frac{n}{2}-2$) with maximum possible nonlinearity $2^{n-1}-2^{t+1}$, then $\sigma(f) = 2^{n+2t+4}$.

4.12 Summary

A list of the member functions related to these criteria may be found in Table 4.7. Table 4.8 lists the member functions related to bounds and other properties of the above criteria.


Table 4.7 Cryptographic criteria.

SYNTAX                                    DESCRIPTION
void deg(int& d, VBF& F)                  deg(F) = d
void nl(NTL::RR& x, VBF& F)               NL(F) = x
void nlr(long& x, VBF& F, int r)          NLr(F) = x
void Bal(int& bal, VBF& F)                If F is balanced returns 1, otherwise 0
void CI(int& t, VBF& F)                   F is an (n,m,t)-CI
void AI(int& i, VBF& F)                   AI(F) = i
void MaxAC(NTL::ZZ& x, VBF& F)            F has absolute indicator x
void sigma(NTL::ZZ& x, VBF& F)            F has sum-of-squares indicator x
void ld(NTL::RR& x, VBF& F)               LD(F) = x
void PC(int& l, VBF& F)                   F satisfies the PC(l)

Table 4.8 Member functions of the cryptographic criteria.

SYNTAX                                    DESCRIPTION
void SpectralRadius(NTL::ZZ& x, VBF& F)   Spectral radius
NTL::RR nlmax(VBF& F)                     Maximum possible nonlinearity
void typenl(int& typenl, VBF& F)          1 = Bent, 2 = Almost Bent, 3 = Linear
int aimax(VBF& F)                         Maximum possible algebraic immunity
NTL::ZZ maxACmax(VBF& F)                  Maximum possible absolute indicator
NTL::ZZ maxsigma(VBF& F)                  Maximum possible sum-of-squares indicator
NTL::ZZ minsigma(VBF& F)                  Minimum possible sum-of-squares indicator
NTL::RR ldmax(VBF& F)                     Maximum possible linearity distance


Chapter 5

Constructions for Vector Boolean Functions

In this chapter, some basic constructions for Vector Boolean functions supported by the VBF class are described. Some of them correspond to secondary constructions, which build (n,m) variable vector Boolean functions from (n′,m′) variable ones (with n′ ≤ n, m′ ≤ m). The direct sum has been used to construct resilient and bent Boolean functions [23]. The concatenation can be used to obtain resilient functions or functions with maximal nonlinearity. The concatenation of polynomials in ANF can be used to obtain functions of high nonlinearity with n variables from functions of high nonlinearity with n′ variables (n′ < n). Adding coordinate functions and bricklayering are constructions used to build modern ciphers such as CAST [3], DES [107] and AES [46]. Additionally, VBF provides operations to test whether two vector Boolean functions are equal, the sum of two vector Boolean functions, the composition of two vector Boolean functions and the inverse of a Vector Boolean function.

In this chapter we apply VBF library methods to study the constructions of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of the constructions of modern cryptographic algorithms apart from those described in this chapter.

5.1 Equality Testing

5.1.1 Description

Definition 5.1.1. Let n ≥ 1, m ≥ 1, F, G ∈ F_{n,m}. F and G are equal if their Truth Tables are the same.


5.1.2 Library

We can compare two functions for equality with the following methods:

long operator==(VBF& F, VBF& G)
long operator!=(VBF& F, VBF& G)

Example 5.1.1. The following program reports whether two Vector Boolean functions are equal, given their Truth Tables.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G;
    NTL::mat_GF2 Tf, Tg;

    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <truth table of F> <truth table of G>" << endl;
        return 1;
    }

    // Read the Truth Table of F from the first file
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> Tf;
    F.puttt(Tf);
    input1.close();

    // Read the Truth Table of G from the second file
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> Tg;
    G.puttt(Tg);
    input2.close();

    // Equality is decided by comparing the two Truth Tables
    if (F == G) {
        cout << "F and G are equal" << endl;
    } else {
        cout << "F and G are not equal" << endl;
    }

    return 0;
}

The output of the program above with the Truth Tables of the DES S-boxes S1 and S2 as inputs would be:

F and G are not equal

5.2 Composition Function

5.2.1 Description

Definition 5.2.1. Let $F \in F_{n,p}$, $G \in F_{p,m}$ and the composition function $G \circ F \in F_{n,m}$ where $G \circ F(x) = G(F(x))$ $\forall x \in V_n$. See figure 5.1.

Fig. 5.1 Composition.

Theorem 5.2.1. [122] The Walsh Spectrum of the composition of two Vector Boolean Functions can be calculated from the product of their respective Walsh Spectra in the following way:

$$WS(G \circ F) = \frac{1}{2^{p}}\, WS(F) \cdot WS(G) \qquad (5.1)$$

Theorem 5.2.2. [100] Let $F \in F_{n,m}$ and let $L_{A,b} \in F_{n,n}$ be an affine bijection (A is a nonsingular matrix), then:

$$r_{F \circ L_{A,b}}(u,v) = r_F(Au,v) \qquad (5.2)$$


Theorem 5.2.3. Let $F \in F_{n,m}$ and let $L_{A,b} \in F_{n,n}$ be an affine bijection. The Differential Profile of their composition can be calculated from the product of their respective Differential Profiles in the following way:

$$DP(F \circ L_{A,b}) = \frac{1}{2^{n}}\, DP(L_{A,b}) \cdot DP(F) \qquad (5.3)$$

Proof. Taking into account Theorem 5.2.2, it holds that:

$$\delta_{F \circ L_{A,b}}(u,v) = \frac{1}{2^{n+m}}\sum_{w \in V_m} r_{F \circ L_{A,b}}(u,w)\,\chi_v(w) = \frac{1}{2^{n+m}}\sum_{w \in V_m} r_F(Au,w)\,\chi_v(w) = \delta_F(Au,v)$$

Theorem 5.2.4. Let $F \in F_{n,p}$ be a t-resilient function. Let $G \in F_{p,m}$ be a (p,m) Vector Boolean function. Then $G \circ F$ is a t-resilient function if and only if G is balanced.

Proof. Since F is a t-resilient function, $\theta_F(u,v) = 0$ for all $u \in V_n$ with $0 \le wt(u) \le t$ and all $v \in V_p$, $v \ne 0$. Thus

$$\sum_{v \in V_p,\ v \ne 0} \theta_F(u,v)\cdot\theta_G(v,w) = 0, \quad \forall u \in V_n,\ 0 \le wt(u) \le t$$

Then, by Theorem 5.2.1, only the term $v = 0$ of the product survives:

$$\theta_{G \circ F}(u,w) = \frac{1}{2^{p}}\,\theta_F(u,0)\cdot\theta_G(0,w)$$

As G is balanced, $\theta_G(0,w) = 0$ for all $w \in V_m$, $w \ne 0$.

This theorem is a generalization of the composition of an (n,p) Vector Boolean function and a p-variable Boolean function shown by Gupta and Sarkar in [69]. Theorem 5.2.4 shows that the correlation immunity of an (n,p,t)-resilient Vector Boolean function is preserved under composition with an arbitrary (p,m) Vector Boolean function, and that its resiliency is preserved when this last function is balanced. This is an important security property for the use of resilient S-boxes in stream cipher design.

Corollary 5.2.5. Let $F \in F_{n,p}$ be a t-resilient function. Let $G \in F_{p,m}$ be a (p,m) Vector Boolean function. Then $G \circ F$ is a balanced function if and only if G is balanced.

Remark. It is possible for $G \circ F$ to be balanced even when only F is non-balanced, or when both F and G are non-balanced. In [69] two examples are given:


1. F non-balanced and G balanced. Let $F \in F_{3,2}$ with coordinate functions $f_1(x_1,x_2,x_3) = x_1 + x_2 + x_1x_3 + x_1x_2x_3$ and $f_2(x_1,x_2,x_3) = x_2 + x_1x_2 + x_2x_3 + x_1x_3 + x_1x_2x_3$, and $G \in F_{2,1}$ with coordinate $g_1(x_1,x_2) = x_1 + x_2$. Observe that $(G \circ F)(x_1,x_2,x_3) = f_1(x_1,x_2,x_3) + f_2(x_1,x_2,x_3) = x_1 + x_1x_2 + x_2x_3$ is balanced.

2. F and G non-balanced. Let $F \in F_{3,2}$ with coordinate functions $f_1(x_1,x_2,x_3) = x_3 + x_1x_2 + x_1x_2x_3$ and $f_2(x_1,x_2,x_3) = x_2 + x_3 + x_1x_2 + x_2x_3 + x_1x_2x_3$, and $G \in F_{2,1}$ with coordinate $g_1(x_1,x_2) = x_1x_2$. Observe that $(G \circ F)(x_1,x_2,x_3) = f_1(x_1,x_2,x_3) \cdot f_2(x_1,x_2,x_3) = x_3$ is balanced.

5.2.2 Library

The composition can be obtained with the following method:

void Comp(VBF& X, VBF& F, VBF& G)

Example 5.2.1. The following program reports the correlation immunity and balancedness of two Vector Boolean functions given their Truth Tables, and calculates the same criteria for their composition.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;
    NTL::mat_GF2 Tf, Tg;

    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <truth table of F> <truth table of G>" << endl;
        return 1;
    }

    // Read the Truth Table of F
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> Tf;
    F.puttt(Tf);
    input1.close();

    // Read the Truth Table of G
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> Tg;
    G.puttt(Tg);
    input2.close();

    cout << "Correlation immunity of F: " << CI(F) << endl;
    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }
    cout << endl;

    cout << "Correlation immunity of G: " << CI(G) << endl;
    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }
    cout << endl;

    // X = G o F
    Comp(X, F, G);

    cout << "Correlation immunity of GoF: " << CI(X) << endl;
    if (Bal(X)) {
        cout << "GoF is a balanced function" << endl;
    } else {
        cout << "GoF is a non-balanced function" << endl;
    }

    return 0;
}

If we use the Truth Tables of y0 of the CLEFIA S0 S-box (see Section B.3) and of NibbleSub as inputs, the output would be the following:

Correlation immunity of F: 1
F is a balanced function

Correlation immunity of G: 0
G is a balanced function

Correlation immunity of GoF: 1
GoF is a balanced function

This result agrees with Theorem 5.2.4.

Example 5.2.2. The following program reports the balancedness of two Vector Boolean functions given their polynomial representations in ANF, and calculates the balancedness of their composition.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;
    vec_pol f, g;

    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <ANF of F> <ANF of G>" << endl;
        return 1;
    }

    // Read the ANF of F
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> f;
    F.putpol(f);
    input1.close();

    // Read the ANF of G
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> g;
    G.putpol(g);
    input2.close();

    cout << "The polynomial in ANF of F is ";
    cout << endl;
    Pol(cout, F);
    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }
    cout << endl;

    cout << "The polynomial in ANF of G is ";
    cout << endl;
    Pol(cout, G);
    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }
    cout << endl;

    // X = G o F
    Comp(X, F, G);
    cout << "The polynomial in ANF of the composition of F and G is ";
    cout << endl;
    Pol(cout, X);
    if (Bal(X)) {
        cout << "GoF is a balanced function" << endl;
    } else {
        cout << "GoF is a non-balanced function" << endl;
    }

    return 0;
}

If we use the Boolean functions of the first example described in [69] as inputs, the output would be the following:

The polynomial in ANF of F is
x1+x2+x1x3+x1x2x3
x2+x1x2+x2x3+x1x3+x1x2x3
F is a non-balanced function

The polynomial in ANF of G is
x1+x2
G is a balanced function

The polynomial in ANF of the composition of F and G is
x2x3+x1+x1x2
GoF is a balanced function

If we use the Boolean functions of the second example described in [69] as inputs, the output would be the following:

The polynomial in ANF of F is
x3+x1x2+x1x2x3
x2+x3+x1x2+x2x3+x1x2x3
F is a non-balanced function

The polynomial in ANF of G is
x1x2
G is a non-balanced function

The polynomial in ANF of the composition of F and G is
x3
GoF is a balanced function

5.3 Functional Inverse

5.3.1 Description

Definition 5.3.1. Let n ≥ 1, F ∈ F_{n,n}. F^{-1} is the functional inverse of F if the composition of both functions is the identity function. See figure 5.2.

Fig. 5.2 Inverse.

5.3.2 Library

If a Vector Boolean Function F ∈ F_{n,n} is invertible, then we can find its inverse with the following method:

void inv(VBF& X, VBF& F)

Example 5.3.1. The following program prints the Truth Table of the inverse of a Vector Boolean function, given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, X;
    NTL::mat_GF2 Tf;

    if (argc < 2) {
        cerr << "Usage: " << argv[0] << " <truth table of F>" << endl;
        return 1;
    }

    // Read the Truth Table of F
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> Tf;
    F.puttt(Tf);
    input1.close();

    // X = F^{-1}; F must be a bijection of V_n
    inv(X, F);
    cout << "The Truth Table of the inverse of F is " << endl << TT(X) << endl;

    return 0;
}

The output of the program above with the Truth Table of the NibbleSub S-box as input will be:

The Truth Table of the inverse of F is
[[1 1 1 0]
[0 0 1 1]
[0 1 0 0]
[1 0 0 0]
[0 0 0 1]
[1 1 0 0]
[1 0 1 0]
[1 1 1 1]
[0 1 1 1]
[1 1 0 1]
[1 0 0 1]
[0 1 1 0]
[1 0 1 1]
[0 0 1 0]
[0 0 0 0]
[0 1 0 1]]
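The composition, balancedness and correlation-immunity computations of Section 5.2 and the functional inverse of Section 5.3, carried out on plain truth tables as an added example (this is not VBF library code, and the truth-table bit ordering used here is this example's own assumption; VBF's may differ). It reproduces the two examples of [69] quoted in Section 5.2, checks Theorem 5.2.4 on a constructed (3,2,1)-resilient F = (x1+x2, x2+x3) (an assumption of this example, not from the text) composed first with a balanced and then with a non-balanced G, and inverts the NibbleSub inverse printed by Example 5.3.1 to recover NibbleSub itself:

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Added example, not VBF library code. A Boolean function on n variables is its
// truth table: entry x (0 <= x < 2^n) is f(x), bit j-1 of x holding x_j. A vector
// Boolean function (n,m) is the vector of its m coordinate truth tables. These
// orderings are this example's own assumption; VBF's may differ.
using TT = std::vector<int>;
using VTT = std::vector<TT>;

// Truth table of an ANF given by its monomials, each a bitmask of the variables
// it contains (x1 -> 1, x2 -> 2, x3 -> 4, x1x3 -> 5, ...).
TT from_anf(int n, const std::vector<unsigned>& monomials) {
    TT t(std::size_t(1) << n, 0);
    for (unsigned x = 0; x < t.size(); ++x)
        for (unsigned m : monomials) t[x] ^= ((x & m) == m);   // 1 iff all its variables are 1
    return t;
}
// Vector function from a value table (coordinate i is bit i of value[x]) and back.
VTT from_table(int n, const std::vector<unsigned>& value) {
    VTT F(n, TT(value.size(), 0));
    for (std::size_t x = 0; x < value.size(); ++x)
        for (int i = 0; i < n; ++i) F[i][x] = (value[x] >> i) & 1;
    return F;
}
unsigned eval(const VTT& F, std::size_t x) {
    unsigned y = 0;
    for (std::size_t i = 0; i < F.size(); ++i) y |= unsigned(F[i][x]) << i;
    return y;
}
std::vector<unsigned> to_table(const VTT& F) {
    std::vector<unsigned> v(F[0].size());
    for (std::size_t x = 0; x < v.size(); ++x) v[x] = eval(F, x);
    return v;
}
// Composition G o F with F in F_{n,p} and G in F_{p,m}: (G o F)(x) = G(F(x)).
VTT compose(const VTT& F, const VTT& G) {
    VTT X(G.size(), TT(F[0].size(), 0));
    for (std::size_t x = 0; x < F[0].size(); ++x) {
        unsigned y = eval(F, x);
        for (std::size_t j = 0; j < G.size(); ++j) X[j][x] = G[j][y];
    }
    return X;
}
// Functional inverse of an (n,n) function; false when F is not a permutation.
bool inverse(const VTT& F, VTT& X) {
    std::vector<long> pre(F[0].size(), -1);
    for (std::size_t x = 0; x < F[0].size(); ++x) {
        unsigned y = eval(F, x);
        if (pre[y] != -1) return false;          // two inputs share one output
        pre[y] = long(x);
    }
    X.assign(F.size(), TT(F[0].size(), 0));
    for (std::size_t y = 0; y < pre.size(); ++y)
        for (std::size_t i = 0; i < F.size(); ++i) X[i][y] = (pre[y] >> i) & 1;
    return true;
}
// One Walsh coefficient W_f(u) = sum_x (-1)^{f(x) + u.x}.
int walsh(const TT& f, unsigned u) {
    int s = 0;
    for (unsigned x = 0; x < f.size(); ++x) s += (f[x] ^ __builtin_parity(u & x)) ? -1 : 1;
    return s;
}
// Component function v.F: XOR of the coordinates selected by the bits of v.
TT component(const VTT& F, unsigned v) {
    TT t(F[0].size(), 0);
    for (std::size_t i = 0; i < F.size(); ++i)
        if ((v >> i) & 1) for (std::size_t x = 0; x < t.size(); ++x) t[x] ^= F[i][x];
    return t;
}
// F is balanced iff every non-zero component function has W(0) = 0.
bool balanced(const VTT& F) {
    for (unsigned v = 1; v < (1u << F.size()); ++v)
        if (walsh(component(F, v), 0) != 0) return false;
    return true;
}
// Correlation-immunity order: one less than the smallest weight of a u != 0 at
// which some non-zero component function has a non-zero Walsh coefficient.
int ci_order(const VTT& F) {
    int t = __builtin_ctz(unsigned(F[0].size()));
    for (unsigned v = 1; v < (1u << F.size()); ++v) {
        TT c = component(F, v);
        for (unsigned u = 1; u < c.size(); ++u)
            if (walsh(c, u) != 0) t = std::min(t, __builtin_popcount(u) - 1);
    }
    return t;
}
// The two examples of [69] quoted in Section 5.2, as monomial masks.
VTT ex1_F() { return {from_anf(3, {1, 2, 5, 7}), from_anf(3, {2, 3, 6, 5, 7})}; }
VTT ex1_G() { return {from_anf(2, {1, 2})}; }                   // g = x1 + x2, balanced
VTT ex2_F() { return {from_anf(3, {4, 3, 7}), from_anf(3, {2, 4, 3, 6, 7})}; }
VTT ex2_G() { return {from_anf(2, {3})}; }                      // g = x1x2, non-balanced
// Constructed (3,2,1)-resilient F = (x1+x2, x2+x3) for Theorem 5.2.4 (assumption).
VTT res_F() { return {from_anf(3, {1, 2}), from_anf(3, {2, 4})}; }
// The inverse of NibbleSub as printed by Example 5.3.1, one row per input, MSB first.
VTT nibblesub_inv() {
    return from_table(4, {0xE, 0x3, 0x4, 0x8, 0x1, 0xC, 0xA, 0xF,
                          0x7, 0xD, 0x9, 0x6, 0xB, 0x2, 0x0, 0x5});
}
```

With the constructed resilient F, composing with g = y1 gives x1 + x2 (1-resilient), while composing with g = y1y2 gives a function that is still 1-CI but no longer balanced, which is exactly the split between correlation immunity and resiliency that Theorem 5.2.4 describes. The inverse routine refuses any F that is not a permutation, so it also rejects the (3,2) functions of [69].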

5.4 Sum

5.4.1 Description

Definition 5.4.1. Let $n \ge 1$, $m \ge 1$, $F, G \in F_{n,m}$. The Sum of F and G, denoted by $F + G \in F_{n,m}$, is the Vector Boolean Function whose Truth Table results from the addition of the Truth Tables of F and G: $T_{F+G} = T_F + T_G$.

Theorem 5.4.1. The Walsh Spectrum of the sum of two Vector Boolean Functions can be obtained by the correlation of the column vectors of the respective Walsh Spectra in the following way:

$$WS(F+G)_v = \frac{1}{2^{n}}\, WS(F)_v * WS(G)_v \qquad (5.4)$$

Proof.

$$\theta_{F+G}(u,v) = \chi_{v \cdot (F+G)}(u) = \mathcal{W}\{\xi_{v \cdot F} \cdot \xi_{v \cdot G}\}(u) = \frac{1}{2^{n}}\sum_{x \in V_n} \chi_{v \cdot F}(u+x)\,\chi_{v \cdot G}(x)$$

Complementing bits in the Truth Table of a Boolean function makes a quantifiable change to its Walsh Spectrum, and hence the nonlinearity of the function is also modified. The magnitude of the change to the Walsh coefficients is related to the number of bits complemented.

Theorem 5.4.2. [16] Let $f, g \in F_n$ with Walsh transforms $W_f$ and $W_g$ respectively. Let

$$g(x) = \begin{cases} f(x) + 1 & \text{if } x = \alpha_i \\ f(x) & \text{if } x \ne \alpha_i \end{cases}$$

then

$$W_g(u) = W_f(u) + \Delta W_f \quad \text{where } \Delta W_f \in \{-2, 2\}$$

That is, if we change the value of one bit of the truth table of a Boolean Function, then every value of the Walsh Spectrum changes by an amount of 2.


Proof.

$$\chi_g(u) = \sum_{x \in V_n} (-1)^{g(x) + u \cdot x} = \sum_{x \ne \alpha_i} (-1)^{f(x) + u \cdot x} + (-1)^{f(\alpha_i) + 1}(-1)^{u \cdot \alpha_i} = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} + \Delta W_f = \chi_f(u) \pm 2$$

where $\Delta W_f = -2\,(-1)^{f(\alpha_i)}(-1)^{u \cdot \alpha_i}$.

Corollary 5.4.3. Let $f \in F_n$ be a Boolean Function. If we change the value of one bit of the truth table of f, then the value of its nonlinearity changes by an amount of 1. If we denote by $g \in F_n$ the Boolean Function resulting from adding 1 to the value of one bit of f, then:

$$NL(g) = NL(f) \pm 1 \qquad (5.5)$$

Proof. It follows from Corollary 4.3.2 and Theorem 5.4.2.

Several results follow from the above definitions. The sum of any two Boolean functions f and g has algebraic degree equal to the maximum of the degrees of f and g (whichever is higher), unless their sets of highest degree terms are the same, in which case the degree is reduced. The addition of a single term of order r to a Boolean function f causes the Truth Table of f to be complemented in $2^{n-r}$ bits. The complemented bits are those of the inputs $x \in V_n$ with $x_i = 1$ for all $i \in I$, where I is the set of indices of the variables in the added term [99].

Complementing bits in the Truth Table of a Boolean function likewise makes a quantifiable change to its Autocorrelation Spectrum, and hence the absolute indicator (and the linearity distance) of the function is also modified. The magnitude of the change to the Autocorrelation coefficients is related to the number of bits complemented.

Theorem 5.4.4. Let $f, g \in F_n$ with Autocorrelation transforms $r_f$ and $r_g$ respectively. Let g be defined as in Theorem 5.4.2, then for $u \ne 0$

$$r_g(u) = r_f(u) + \Delta r_f \quad \text{where } \Delta r_f \in \{-4, 4\}$$

That is, if we change the value of one bit of the truth table of a Boolean Function, then every value of the Autocorrelation Spectrum (other than $r(0) = 2^n$) changes by an amount of 4.

Proof.

$$r_g(u) = \sum_{x \in V_n} (-1)^{g(x) + g(u+x)} = \sum_{x \ne \alpha_i,\ u+x \ne \alpha_i} (-1)^{f(x) + f(u+x)} + 2 \cdot (-1)^{f(\alpha_i) + f(u+\alpha_i) + 1}$$

$$= \sum_{x \ne \alpha_i,\ u+x \ne \alpha_i} (-1)^{f(x) + f(u+x)} + 2 \cdot (-1)^{f(\alpha_i) + f(u+\alpha_i)} - 4 \cdot (-1)^{f(\alpha_i) + f(u+\alpha_i)} = r_f(u) - 4 \cdot (-1)^{f(\alpha_i) + f(u+\alpha_i)}$$

where $\Delta r_f = -4 \cdot (-1)^{f(\alpha_i) + f(u+\alpha_i)}$.


Corollary 5.4.5. Let $f \in F_n$ be a Boolean Function. If we change the value of one bit of the truth table of f, then the value of its absolute indicator changes by an amount of 4. If we denote by $g \in F_n$ the Boolean Function resulting from adding 1 to the value of one bit of f, then:

$$AC_{max}(g) = AC_{max}(f) \pm 4 \qquad (5.6)$$

Corollary 5.4.6. Let $f \in F_n$ be a Boolean Function. If we change the value of one bit of the truth table of f, then the value of its linearity distance changes by an amount of 1. If we denote by $g \in F_n$ the Boolean Function resulting from adding 1 to the value of one bit of f, then:

$$LD(g) = LD(f) \pm 1 \qquad (5.7)$$

Proof.

$$LD(g) = 2^{n-2} - \frac{1}{4} \cdot AC_{max}(g) = 2^{n-2} - \frac{1}{4} \cdot AC_{max}(f) \pm 1 = LD(f) \pm 1$$

5.4.2 Library

The sum can be obtained with the following method:

void sum(VBF& X, VBF& F, VBF& G)

Example 5.4.1. The following program reports the nonlinearity, absolute indicator and linearity distance of two Vector Boolean functions, given the polynomial representation in ANF of the first and the hexadecimal representation of the Truth Table of the second, and calculates the same criteria for their sum.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;
    vec_pol f;

    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <ANF of F> <hex truth table of G>" << endl;
        return 1;
    }

    // Read the ANF of F
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> f;
    F.putpol(f);
    input1.close();

    // Read the Truth Table of G in hexadecimal representation
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    G.putHexTT(input2);
    input2.close();

    cout << "The polynomial in ANF of F is ";
    cout << endl;
    Pol(cout, F);
    cout << "nl(F)=" << nl(F) << endl;
    cout << "ACmax(F)=" << maxAC(F) << endl;
    cout << "LD(F)=" << ld(F) << endl;
    cout << endl;

    cout << "The polynomial in ANF of G is ";
    cout << endl;
    Pol(cout, G);
    cout << endl;

    // X = F + G
    sum(X, F, G);
    cout << "The polynomial in ANF of the sum of F and G is ";
    cout << endl;
    Pol(cout, X);
    cout << "nl(F+G)=" << nl(X) << endl;
    cout << "ACmax(F+G)=" << maxAC(X) << endl;
    cout << "LD(F+G)=" << ld(X) << endl;
    cout << endl;

    return 0;
}

If we use the Boolean function F with ANF x1x2+x3x4 and the function G with hexadecimal Truth Table 0001 as inputs, the output would be the following:

The polynomial in ANF of F is
x1x2+x3x4
nl(F)=6
ACmax(F)=0
LD(F)=4

The polynomial in ANF of G is
x1x2x3x4

The polynomial in ANF of the sum of F and G is
x3x4+x1x2+x1x2x3x4
nl(F+G)=5
ACmax(F+G)=4
LD(F+G)=3

These results are consistent with the properties described above:

• $NL(F+G) = NL(F) - 1 = 6 - 1 = 5$.

• $AC_{max}(F+G) = AC_{max}(F) + 4 = 0 + 4 = 4$.

• $LD(F+G) = LD(F) - 1 = 4 - 1 = 3$.
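The bit-complementation results of Theorems 5.4.2 and 5.4.4 and Corollaries 5.4.3, 5.4.5 and 5.4.6, checked in code as an added example (this is not VBF library code; the truth-table bit ordering is this example's own assumption). It recomputes the figures of Example 5.4.1 for F = x1x2 + x3x4 and G = x1x2x3x4 directly from the Walsh and autocorrelation definitions, and verifies that, when the single truth-table bit selected by G is flipped, every Walsh coefficient moves by exactly 2 and every autocorrelation coefficient with u ≠ 0 by exactly 4:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <vector>

// Added example, not VBF library code. A Boolean function is its truth table:
// entry x is f(x), bit j-1 of x holding x_j (this example's own ordering assumption).
using TT = std::vector<int>;

int nvars(const TT& f) { return __builtin_ctz(unsigned(f.size())); }

// Walsh spectrum W_f(u) = sum_x (-1)^{f(x) + u.x}, straight from the definition.
std::vector<int> walsh_spectrum(const TT& f) {
    std::vector<int> W(f.size(), 0);
    for (unsigned u = 0; u < f.size(); ++u)
        for (unsigned x = 0; x < f.size(); ++x)
            W[u] += (f[x] ^ __builtin_parity(u & x)) ? -1 : 1;
    return W;
}
// Autocorrelation spectrum r_f(u) = sum_x (-1)^{f(x) + f(x+u)}.
std::vector<int> autocorrelation(const TT& f) {
    std::vector<int> r(f.size(), 0);
    for (unsigned u = 0; u < f.size(); ++u)
        for (unsigned x = 0; x < f.size(); ++x)
            r[u] += (f[x] ^ f[x ^ u]) ? -1 : 1;
    return r;
}
int spectral_radius(const TT& f) {
    int R = 0;
    for (int w : walsh_spectrum(f)) R = std::max(R, std::abs(w));
    return R;
}
// NL(f) = 2^{n-1} - R(f)/2
int nonlinearity(const TT& f) { return (1 << (nvars(f) - 1)) - spectral_radius(f) / 2; }
// ACmax(f) = max_{u != 0} |r_f(u)|
int acmax(const TT& f) {
    std::vector<int> r = autocorrelation(f);
    int m = 0;
    for (std::size_t u = 1; u < r.size(); ++u) m = std::max(m, std::abs(r[u]));
    return m;
}
// LD(f) = 2^{n-2} - ACmax(f)/4
int linearity_distance(const TT& f) { return (1 << (nvars(f) - 2)) - acmax(f) / 4; }

// Sum F + G: the truth tables are added entry-wise (XOR).
TT sum(const TT& f, const TT& g) {
    TT t(f.size());
    for (std::size_t x = 0; x < f.size(); ++x) t[x] = f[x] ^ g[x];
    return t;
}

// Theorem 5.4.2: when g differs from f in exactly one truth-table entry, every
// Walsh coefficient moves by exactly 2 in absolute value.
bool walsh_moves_by_two(const TT& f, const TT& g) {
    std::vector<int> Wf = walsh_spectrum(f), Wg = walsh_spectrum(g);
    for (std::size_t u = 0; u < Wf.size(); ++u)
        if (std::abs(Wg[u] - Wf[u]) != 2) return false;
    return true;
}
// Theorem 5.4.4: under the same change every autocorrelation coefficient with
// u != 0 moves by exactly 4, while r(0) = 2^n is unchanged.
bool autocorr_moves_by_four(const TT& f, const TT& g) {
    std::vector<int> rf = autocorrelation(f), rg = autocorrelation(g);
    if (rf[0] != rg[0]) return false;
    for (std::size_t u = 1; u < rf.size(); ++u)
        if (std::abs(rg[u] - rf[u]) != 4) return false;
    return true;
}

// The inputs of Example 5.4.1: F = x1x2 + x3x4 (bent) and G = x1x2x3x4, whose
// hexadecimal truth table 0001 is 1 only at x = 1111.
TT page_F() {
    TT t(16);
    for (unsigned x = 0; x < 16; ++x) {
        int x1 = x & 1, x2 = (x >> 1) & 1, x3 = (x >> 2) & 1, x4 = (x >> 3) & 1;
        t[x] = (x1 & x2) ^ (x3 & x4);
    }
    return t;
}
TT page_G() { TT t(16, 0); t[15] = 1; return t; }

int main() {
    TT F = page_F(), X = sum(F, page_G());
    std::cout << "nl(F)=" << nonlinearity(F) << " ACmax(F)=" << acmax(F)
              << " LD(F)=" << linearity_distance(F) << '\n';
    std::cout << "nl(F+G)=" << nonlinearity(X) << " ACmax(F+G)=" << acmax(X)
              << " LD(F+G)=" << linearity_distance(X) << '\n';
}
```

Because F is bent, all of its Walsh coefficients are ±4 and all autocorrelation coefficients with u ≠ 0 are 0; flipping one bit turns the spectra into values in {±2, ±6} and {±4}, which is why the nonlinearity drops from 6 to 5 and the absolute indicator rises from 0 to 4. The two predicate functions are general and hold for any single-bit flip of any n-variable function, not only for this bent example.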


5.5 Direct Sum

5.5.1 Description

Definition 5.5.1. Let $n_1, n_2 \ge 1$, $F_1 \in F_{n_1,m}$, $F_2 \in F_{n_2,m}$ be Vector Boolean functions. Consider the Vector Boolean function $F_1 \oplus F_2 \in F_{n_1+n_2,m}$, called direct sum, defined as $(F_1 \oplus F_2)((x_1,x_2)) = F_1(x_1) + F_2(x_2)$. See figure 5.3.

Fig. 5.3 Direct Sum.

When $F_1$ and $F_2$ are Boolean functions (m = 1), Sarkar and Maitra [133] derived the following properties:

• $wt(F_1 \oplus F_2) = 2^{n_2} \cdot wt(F_1) + 2^{n_1} \cdot wt(F_2) - 2 \cdot wt(F_1) \cdot wt(F_2)$.

• $\deg(F_1 \oplus F_2) = \max\{\deg(F_1), \deg(F_2)\}$.

• $\theta_{F_1 \oplus F_2}((u_1,u_2),v) = \theta_{F_1}(u_1,v) \cdot \theta_{F_2}(u_2,v)$.

• If $F_1$ is $t_1$-resilient and $F_2$ is $t_2$-resilient, then $F_1 \oplus F_2$ is $(t_1 + t_2 + 1)$-resilient.

• $NL(F_1 \oplus F_2) \ge 2^{n_2} \cdot NL(F_1) + 2^{n_1} \cdot NL(F_2) - 2 \cdot NL(F_1) \cdot NL(F_2)$.

• $F_1 \oplus F_2$ has no linear structure if and only if $F_1$ and $F_2$ have no linear structure.

• $\max\{AI(F_1), AI(F_2)\} \le AI(F_1 \oplus F_2) \le \min\{\max\{\deg(F_1), \deg(F_2)\},\ AI(F_1) + AI(F_2)\}$.


Theorem 5.5.1. The elements which form a row of the Walsh Spectrum (respectively Autocorrelation Matrix) of the direct sum of two Vector Boolean Functions are obtained as the product of the corresponding components of the rows of both Walsh Spectra (respectively Autocorrelation Matrices). The rows of the Differential Profile of the direct sum of two Vector Boolean Functions are obtained by the correlation of the rows of the Differential Profiles of each Vector Boolean Function.

$$\begin{aligned}
\theta_{F_1 \oplus F_2}(u,v) &= \theta_{F_1}(u_1,v) \cdot \theta_{F_2}(u_2,v) \\
r_{F_1 \oplus F_2}(u,v) &= r_{F_1}(u_1,v) \cdot r_{F_2}(u_2,v) \\
DP(F_1 \oplus F_2)_u &= \frac{1}{2^{m}}\, DP(F_1)_{u_1} * DP(F_2)_{u_2}
\end{aligned} \qquad (5.8)$$

The first result was already known for Boolean functions [133]; here we give a proof for Vector Boolean functions.

Proof.

$$\theta_{F_1 \oplus F_2}(u,v) = \chi_{v \cdot (F_1 \oplus F_2)}((u_1,u_2)) = \chi_{v \cdot F_1 \oplus v \cdot F_2}((u_1,u_2)) = \chi_{v \cdot F_1}(u_1) \cdot \chi_{v \cdot F_2}(u_2)$$

The second result is new and the proof is given below:

Proof.

$$\begin{aligned}
r_{F_1 \oplus F_2}(u,v) &= \frac{1}{2^{n}}\sum_{x \in V_n} \chi_{v \cdot (F_1 \oplus F_2)}(x+u)\,\chi_{v \cdot (F_1 \oplus F_2)}(x) \\
&= \frac{1}{2^{n_1+n_2}}\sum_{x_1 \in V_{n_1}}\sum_{x_2 \in V_{n_2}} \chi_{v \cdot F_1}(x_1)\,\chi_{v \cdot F_2}(x_2)\,\chi_{v \cdot F_1}(x_1+u_1)\,\chi_{v \cdot F_2}(x_2+u_2) \\
&= \left(\frac{1}{2^{n_1}}\sum_{x_1 \in V_{n_1}} \chi_{v \cdot F_1}(x_1+u_1)\,\chi_{v \cdot F_1}(x_1)\right)\left(\frac{1}{2^{n_2}}\sum_{x_2 \in V_{n_2}} \chi_{v \cdot F_2}(x_2+u_2)\,\chi_{v \cdot F_2}(x_2)\right) \\
&= r_{F_1}(u_1,v) \cdot r_{F_2}(u_2,v)
\end{aligned}$$

The third result is new and the proof is given below:

Proof.

$$\begin{aligned}
(DP(F_1)_{u_1} * DP(F_2)_{u_2})(v) &= \sum_{w \in V_m} \delta_{F_1}(u_1,w+v) \cdot \delta_{F_2}(u_2,w) \\
&= \sum_{w \in V_m} \frac{1}{2^{n_1+m}}\sum_{s \in V_m} r_{F_1}(u_1,s)\,\chi_{w+v}(s)\;\frac{1}{2^{n_2+m}}\sum_{t \in V_m} r_{F_2}(u_2,t)\,\chi_{w}(t) \\
&= \frac{1}{2^{n_1+n_2+2m}}\sum_{z \in V_m} r_{F_1}(u_1,z)\,r_{F_2}(u_2,z)\,\chi_v(z) \\
&= \frac{1}{2^{n_1+n_2+2m}}\sum_{z \in V_m} r_{F_1 \oplus F_2}(u,z)\,\chi_v(z) = \frac{1}{2^{m}}\, DP(F_1 \oplus F_2)_u(v)
\end{aligned}$$


Corollary 5.5.2.

$$\begin{aligned}
\max{}^{*}(WS(F_1 \oplus F_2)) &= \max{}^{*}_{v \in V_m}\{WS(v \cdot F_1) \cdot WS(v \cdot F_2)\} \\
AC_{max}(F_1 \oplus F_2) &= \max\{2^{n_1} \cdot AC_{max}(F_2),\ AC_{max}(F_1) \cdot 2^{n_2}\}
\end{aligned} \qquad (5.9)$$

Corollary 5.5.3. Let $F_1 \in F_{n_1,m}, \dots, F_i \in F_{n_i,m}$:

$$NL(F_1 \oplus \cdots \oplus F_i) = 2^{n_1 + \cdots + n_i - 1} - \frac{1}{2}\max{}^{*}_{v \in V_m}\{WS(v \cdot F_1) \cdots WS(v \cdot F_i)\} \qquad (5.10)$$

Theorem 5.5.4. Let $F_1$ be an $(n_1,m,t_1)$-resilient function and $F_2$ be an $(n_2,m,t_2)$-resilient function, then $F_1 \oplus F_2$ is an $(n_1+n_2,m,t_1+t_2+1)$-resilient function.

Remark. This result is an extension of what was obtained in [141] for Boolean functions.

Corollary 5.5.5. $F_1 \oplus F_2$ is balanced if and only if $F_1$ is balanced or $F_2$ is balanced.

Remark. This result is an extension of what was obtained in [139] for Boolean functions.

Theorem 5.5.6. If $F_1$ satisfies the PC($l_1$) and $F_2$ satisfies the PC($l_2$), then $F_1 \oplus F_2$ satisfies the PC($l$) with $l = \min\{l_1,l_2\}$.

Proof.

$$\left(r_{F_1}(u_1,v) = 0,\ \forall u_1 \in V_{n_1},\ 1 \le wt(u_1) \le l_1,\ \forall v \in V_m\right) \wedge \left(r_{F_2}(u_2,v) = 0,\ \forall u_2 \in V_{n_2},\ 1 \le wt(u_2) \le l_2,\ \forall v \in V_m\right)$$

$$\Rightarrow r_{F_1}(u_1,v) \cdot r_{F_2}(u_2,v) = 0,\ \forall (u_1,u_2) \in V_{n_1} \times V_{n_2},\ 1 \le wt((u_1,u_2)) \le \min\{l_1,l_2\},\ \forall v \in V_m$$

$$\Rightarrow r_{F_1 \oplus F_2}(u,v) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le \min\{l_1,l_2\},\ \forall v \in V_m$$

$\Rightarrow F_1 \oplus F_2$ satisfies the PC($\min\{l_1,l_2\}$).

Example 5.5.1. The full substitution function of the CAST algorithm, $S(CAST) \in F_{32,32}$, is constructed by forming the direct sum of 4 S-boxes $S_i(CAST) \in F_{8,32}$ (see figure 5.4). Calculating the nonlinearity of $S(CAST)$ directly would require finding the maximum value among all the elements of a $2^{32} \times 2^{32}$ matrix representing its Walsh Spectrum, or alternatively determining the Walsh Spectra of the $2^{32}$ linear combinations of its coordinate functions, which are $2^{32} \times 1$ matrices. Nevertheless, by Corollary 5.5.3, the nonlinearity is obtained by calculating four Walsh Spectra ($2^{8} \times 1$ matrices) for each of the $2^{32}$ component functions.

$$\max{}^{*}_{v \in V_{32}}\{WS(v \cdot S_1(CAST)) \cdot WS(v \cdot S_2(CAST)) \cdot WS(v \cdot S_3(CAST)) \cdot WS(v \cdot S_4(CAST))\} = 29417472 \qquad (5.11)$$


Fig. 5.4 CAST Cipher.

$$NL(S(CAST)) = 2^{32-1} - \frac{1}{2} \cdot 29417472 = 2132774912 \qquad (5.12)$$

This result coincides with the nonlinearity estimate given in [159].

5.5.2 Library

The method included in VBF to perform this construction is the following:

void directsum(VBF& X, VBF& F, VBF& G)

Example 5.5.2. The following program reports the weight, algebraic degree, balancedness, correlation immunity, spectral radius, nonlinearity, absolute indicator, linearity distance, algebraic immunity and propagation criterion degree of two Vector Boolean functions, given their Truth Tables in hexadecimal representation, and calculates the same criteria for their direct sum.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;

    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <hex truth table of F> <hex truth table of G>" << endl;
        return 1;
    }

    // Read the Truth Table of F in hexadecimal representation
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    F.putHexTT(input1);
    input1.close();

    // Read the Truth Table of G in hexadecimal representation
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    G.putHexTT(input2);
    input2.close();

    cout << "weight(F)=" << weight(F) << endl;
    cout << "deg(F)=" << deg(F) << endl;
    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }
    cout << "Degree of Correlation immunity of F=" << CI(F) << endl;
    cout << "R(F)=" << SpectralRadius(F) << endl;
    cout << "nl(F)=" << nl(F) << endl;
    cout << "ACmax(F)=" << maxAC(F) << endl;
    cout << "ld(F)=" << ld(F) << endl;
    cout << "AI(F)=" << AI(F) << endl;
    cout << "F is PC of degree " << PC(F) << endl;
    cout << endl;

    cout << "weight(G)=" << weight(G) << endl;
    cout << "deg(G)=" << deg(G) << endl;
    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }
    cout << "Degree of Correlation immunity of G=" << CI(G) << endl;
    cout << "R(G)=" << SpectralRadius(G) << endl;
    cout << "nl(G)=" << nl(G) << endl;
    cout << "ACmax(G)=" << maxAC(G) << endl;
    cout << "ld(G)=" << ld(G) << endl;
    cout << "AI(G)=" << AI(G) << endl;
    cout << "G is PC of degree " << PC(G) << endl;
    cout << endl;

    // X = F directsum G
    directsum(X, F, G);

    cout << "weight(F directsum G)=" << weight(X) << endl;
    cout << "deg(F directsum G)=" << deg(X) << endl;
    if (Bal(X)) {
        cout << "F directsum G is a balanced function" << endl;
    } else {
        cout << "F directsum G is a non-balanced function" << endl;
    }
    cout << "Degree of Correlation immunity of F directsum G=" << CI(X) << endl;
    cout << "R(F directsum G)=" << SpectralRadius(X) << endl;
    cout << "nl(F directsum G)=" << nl(X) << endl;
    cout << "ACmax(F directsum G)=" << maxAC(X) << endl;
    cout << "ld(F directsum G)=" << ld(X) << endl;   // the direct sum X, not G
    cout << "AI(F directsum G)=" << AI(X) << endl;
    cout << "F directsum G is PC of degree " << PC(X) << endl;

    return 0;
}

If we use the Boolean functions with the following Truth Tables (in hexadecimal repre-sentation) as inputs:

Page 191: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

5.5 Direct Sum 167

6cb405778ea9bd30

5c721bcaac27b1c5

The output would be the following:

weight(F)=32
deg(F)=3
F is a balanced function
Degree of Correlation immunity of F=1
R(F)=16
nl(F)=24
ACmax(F)=32
ld(F)=8
AI(F)=3
F is PC of degree 2

weight(G)=32
deg(G)=3
G is a balanced function
Degree of Correlation immunity of G=2
R(G)=32
nl(G)=16
ACmax(G)=64
ld(G)=0
AI(G)=2
G is PC of degree 1

weight(F directsum G)=2048
deg(F directsum G)=3
F directsum G is a balanced function
Degree of Correlation immunity of F directsum G=4
R(F directsum G)=512
nl(F directsum G)=1792
ACmax(F directsum G)=4096
ld(F directsum G)=0
AI(F directsum G)=3
F directsum G is PC of degree 1


These results are congruent with the properties derived in [133] and in corollaries 5.5.2 and 5.5.3 and theorem 5.5.6:

• $wt(F\oplus G) = 2^6\cdot 32 + 2^6\cdot 32 - 2\cdot 32\cdot 32 = 2048$.

• $\deg(F\oplus G) = \max\{3,3\} = 3$.

• $F$ is 1-resilient, $G$ is 2-resilient, and $F\oplus G$ is $(1+2+1)$-resilient.

• $R(F\oplus G) = 16\cdot 32 = 512$ because $F$ and $G$ are Boolean functions.

• $NL(F\oplus G) = 2^{12-1} - \frac{1}{2}\cdot 512 = 1792$.

• $AC_{max}(F\oplus G) = \max\{32\cdot 64,\ 64\cdot 64\} = 4096$.

• $LD(F\oplus G) = 2^{12-2} - \frac{1}{4}\cdot 4096 = 0$.

• $\max\{3,2\} \le AI(F\oplus G) = 3 \le \min\{\max\{3,3\},\ 3+2\}$.

5.6 Concatenation

5.6.1 Description

Definition 5.6.1. Let $n_1,n_2 \ge 1$, $F_1 \in \mathcal{F}_{n,m}$, $F_2 \in \mathcal{F}_{n,m}$ be Vector Boolean functions. Consider the Vector Boolean function $F_1|_cF_2 \in \mathcal{F}_{n+1,m}$ defined as $(x,x_{n+1}) \to (x_{n+1}+1)F_1(x) + x_{n+1}F_2(x)$ where $x \in V_n$.

When $F_1$ and $F_2$ are Boolean functions ($m = 1$), the following properties are derived in [18], [23], [47]:

• $wt(F_1|_cF_2) = wt(F_1) + wt(F_2)$.

• $\deg(F_1|_cF_2) \le 1 + \max\{\deg(F_1),\deg(F_2)\}$ with equality if and only if $F_1$ and $F_2$ do not have the same high degree monomials.

• $\theta_{F_1|_cF_2}(u,u_{n+1}) = \theta_{F_1}(u) + (-1)^{u_{n+1}}\,\theta_{F_2}(u)$ $\forall (u,u_{n+1}) \in V_{n+1}$.

• If $F_1$ is $t$-resilient and $F_2$ is $t$-resilient, then $F_1|_cF_2$ is $t$-resilient. Moreover, if $\theta_{F_1}(u) + \theta_{F_2}(u) = 0$ $\forall u$ with $wt(u) = t+1$, then $F_1|_cF_2$ is $(t+1)$-resilient.

• $NL(F_1|_cF_2) \ge NL(F_1) + NL(F_2)$.

• $\Delta_{(u,u_{n+1})}F(x,x_{n+1}) = \Delta_u F_1(x) + u_{n+1}(F_1+F_2)(x) + x_{n+1}\Delta_u(F_1+F_2)(x) + u_{n+1}\Delta_u(F_1+F_2)(x)$.

• If $AI(F_1) < AI(F_2)$, then $AI(F_1|_cF_2) = AI(F_1)+1$. If $AI(F_1) = AI(F_2)$, then $AI(F_1) \le AI(F_1|_cF_2) \le AI(F_1)+1$.

5.6.2 Library

The method included in VBF to perform this construction is the following:

void concat(VBF& X, VBF& F, VBF& G)

Example 5.6.1. The following program provides the weight, algebraic degree, balancedness, correlation immunity, nonlinearity and algebraic immunity of two Vector Boolean functions given their polynomial representations in ANF, and calculates the same criteria for their concatenation.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  VBF F, G, X;
  vec_pol f,g;

  ifstream input1(argv[1]);
  if(!input1) {
    cerr << "Error opening " << argv[1] << endl;
    return 0;
  }
  input1 >> f;
  F.putpol(f);
  input1.close();

  ifstream input2(argv[2]);
  if(!input2) {
    cerr << "Error opening " << argv[2] << endl;
    return 0;
  }
  input2 >> g;
  G.putpol(g);
  input2.close();

  cout << "weight(F)=" << weight(F) << endl;
  cout << "deg(F)=" << deg(F) << endl;
  if (Bal(F)) {
    cout << "F is a balanced function" << endl;
  } else {
    cout << "F is a non-balanced function" << endl;
  }
  cout << "Degree of Correlation immunity of F=" << CI(F) << endl;
  cout << "nl(F)=" << nl(F) << endl;
  cout << "AI(F)=" << AI(F) << endl;
  cout << endl;

  cout << "weight(G)=" << weight(G) << endl;
  cout << "deg(G)=" << deg(G) << endl;
  if (Bal(G)) {
    cout << "G is a balanced function" << endl;
  } else {
    cout << "G is a non-balanced function" << endl;
  }
  cout << "Degree of Correlation immunity of G=" << CI(G) << endl;
  cout << "nl(G)=" << nl(G) << endl;
  cout << "AI(G)=" << AI(G) << endl;
  cout << endl;

  concat(X,F,G);
  cout << "The polynomial in ANF of the concatenation of F and G is ";
  cout << endl;
  Pol(cout,X);

  cout << "weight(F concat G)=" << weight(X) << endl;
  cout << "deg(F concat G)=" << deg(X) << endl;
  if (Bal(X)) {
    cout << "F concat G is a balanced function" << endl;
  } else {
    cout << "F concat G is a non-balanced function" << endl;
  }
  cout << "Degree of Correlation immunity of F concat G=" << CI(X) << endl;
  cout << "nl(F concat G)=" << nl(X) << endl;
  cout << "AI(F concat G)=" << AI(X) << endl;

  return 0;
}

If we use the Boolean functions 1+x3x4+x2+x2x4+x1+x1x3+x1x3x4 and x3+x2x4+x1+x1x4+x1x3x4 as inputs, the output would be the following:

weight(F)=8
deg(F)=3
F is a balanced function
Degree of Correlation immunity of F=0
nl(F)=4
AI(F)=2

weight(G)=8
deg(G)=3
G is a balanced function
Degree of Correlation immunity of G=0
nl(G)=4
AI(G)=2

The polynomial in ANF of the concatenation of F and G is
1+x4x5+x3+x3x5+x2+x2x4+x2x4x5
weight(F concat G)=16
deg(F concat G)=3
F concat G is a balanced function
Degree of Correlation immunity of F concat G=0
nl(F concat G)=8
AI(F concat G)=2

These results are congruent with the properties described in this section:

• $wt(F|_cG) = 8 + 8 = 16$.

• $\deg(F|_cG) = 3 \le 1 + \max\{3,3\} = 1 + 3 = 4$.

• $F$ is 0-resilient, $G$ is 0-resilient, and $F|_cG$ is 0-resilient.

• $NL(F|_cG) = 8 \ge 4 + 4 = 8$.

• $AI(F) = AI(G) = 2$, so $AI(F|_cG) = 2 \le 2 + 1$.
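As an added worked example (not code from the VBF library or the thesis), the following program builds the direct sum of section 5.5 (which on truth tables is the same operation as the concatenation of polynomials of section 5.7) and the concatenation F|cG of this section directly on truth tables, and recomputes the criteria reported above from the Walsh spectrum; its inputs are the two hexadecimal truth tables of example 5.5.1, and hexToTT, walsh, ci and the bit-order assumption about the hex format are its own, not VBF's. It also verifies the standard Walsh identity W_{F|cG}(u,u_{n+1}) = W_F(u) + (-1)^{u_{n+1}} W_G(u) on which the weight, nonlinearity and resiliency bounds of this section rest.

```cpp
// Added example; this is not code from the VBF library or the thesis. A Boolean
// function is a truth table (entry i = f(i)). The direct sum F⊕G of section 5.5
// (on truth tables also the concatenation of polynomials of section 5.7) and the
// concatenation F|cG of section 5.6 are built from their definitions, and the
// criteria the thesis reports are computed from the Walsh spectrum. Hex input
// assumption: hex digit k holds entries f(4k)..f(4k+3), most significant bit
// first; every criterion below is invariant under affine relabelling of the
// inputs, so any other bit order used by VBF's files gives the same numbers.
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
using TruthTable = std::vector<int>;              // 2^n entries, each 0 or 1

TruthTable hexToTT(const std::string &hex) {
    TruthTable f;
    for (char c : hex) {
        int v = std::stoi(std::string(1, c), nullptr, 16);
        for (int b = 3; b >= 0; --b) f.push_back((v >> b) & 1);
    }
    return f;
}
static int bitCount(size_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }
int weight(const TruthTable &f) { int w = 0; for (int b : f) w += b; return w; }

// Walsh spectrum W(u) = sum_x (-1)^{f(x) + u.x}, by the fast Walsh-Hadamard transform.
std::vector<long> walsh(const TruthTable &f) {
    std::vector<long> w(f.size());
    for (size_t i = 0; i < f.size(); ++i) w[i] = f[i] ? -1 : 1;
    for (size_t len = 1; len < w.size(); len <<= 1)
        for (size_t i = 0; i < w.size(); i += 2 * len)
            for (size_t j = i; j < i + len; ++j) {
                long a = w[j], b = w[j + len];
                w[j] = a + b; w[j + len] = a - b;
            }
    return w;
}
long spectralRadius(const TruthTable &f) {        // R(f) = max_u |W(u)|
    long r = 0;
    for (long v : walsh(f)) r = std::max(r, std::labs(v));
    return r;
}
long nl(const TruthTable &f) { return (long(f.size()) - spectralRadius(f)) / 2; }

// Correlation immunity: largest t with W(u) = 0 whenever 1 <= wt(u) <= t.
int ci(const TruthTable &f) {
    std::vector<long> w = walsh(f);
    int t = bitCount(f.size() - 1);               // starts at n, the number of variables
    for (size_t u = 1; u < w.size(); ++u)
        if (w[u] != 0) t = std::min(t, bitCount(u) - 1);
    return t;
}

// Absolute indicator ACmax: max over a != 0 of |sum_x (-1)^{f(x) + f(x+a)}|.
long acMax(const TruthTable &f) {
    long best = 0;
    for (size_t a = 1; a < f.size(); ++a) {
        long r = 0;
        for (size_t x = 0; x < f.size(); ++x) r += (f[x] ^ f[x ^ a]) ? -1 : 1;
        best = std::max(best, std::labs(r));
    }
    return best;
}

// Direct sum (F⊕G)(x, y) = F(x) + G(y); the table index is (x << n_G) | y.
TruthTable directSum(const TruthTable &F, const TruthTable &G) {
    TruthTable X;
    for (int fx : F)
        for (int gy : G) X.push_back(fx ^ gy);
    return X;
}

// Concatenation (F|cG)(x, x_{n+1}) = (x_{n+1}+1)F(x) + x_{n+1}G(x); with x_{n+1}
// as the most significant index bit the table is F's entries followed by G's.
TruthTable concat(const TruthTable &F, const TruthTable &G) {
    TruthTable X(F);
    X.insert(X.end(), G.begin(), G.end());
    return X;
}

// The Walsh identity behind the section 5.6 bounds, checked rather than assumed:
// W_{F|cG}(u, u_{n+1}) = W_F(u) + (-1)^{u_{n+1}} W_G(u).
bool concatWalshIdentityHolds(const TruthTable &F, const TruthTable &G) {
    std::vector<long> wF = walsh(F), wG = walsh(G), wX = walsh(concat(F, G));
    for (size_t u = 0; u < wF.size(); ++u)
        if (wX[u] != wF[u] + wG[u] || wX[u + wF.size()] != wF[u] - wG[u]) return false;
    return true;
}
void report(const char *name, const TruthTable &f) {
    std::printf("%s: wt=%d R=%ld nl=%ld CI=%d ACmax=%ld\n", name, weight(f),
                spectralRadius(f), nl(f), ci(f), acMax(f));
}
int main() {   // inputs of examples 5.5.1 and 5.9.3, here also fed to the concatenation
    TruthTable F = hexToTT("6cb405778ea9bd30"), G = hexToTT("5c721bcaac27b1c5");
    report("F", F); report("G", G); report("F directsum G", directSum(F, G)); report("F concat G", concat(F, G));
    std::printf("Walsh identity: %s\n", concatWalshIdentityHolds(F, G) ? "ok" : "FAIL");
    return 0;
}
```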

5.7 Concatenation of Polynomials in ANF

5.7.1 Description

Definition 5.7.1. Let $n_1,n_2 \ge 1$, $F_1 \in \mathcal{F}_{n_1,m}$, $F_2 \in \mathcal{F}_{n_2,m}$ be Vector Boolean functions. Consider the Vector Boolean function $F_1|_pF_2 \in \mathcal{F}_{n_1+n_2,m}$ defined as $(x_1,\dots,x_{n_1},x_{n_1+1},\dots,x_{n_1+n_2}) \to F_1(x_1,\dots,x_{n_1}) + F_2(x_{n_1+1},\dots,x_{n_1+n_2})$ where $x \in V_{n_1+n_2}$.

Kavut and Yucel in [79] used this construction to obtain an 11-variable Boolean function from a 9-variable Boolean function with nonlinearity 242 (say $F_1$) and a 2-variable bent function (say $F_2$). The 11-variable Boolean function $F_1|_pF_2$ has the highest nonlinearity known to date for a Boolean function with 11 variables:

$$NL(F_1|_pF_2) = 2^{11-1} - 2^{\frac{11-1}{2}} + 4 = 996 \qquad (5.13)$$

Similarly, we can obtain a 13-variable Boolean function from a 9-variable Boolean function with nonlinearity 242 (say $F_1$) and a 4-variable bent function (say $F_2$). The 13-variable Boolean function $F_1|_pF_2$ has the highest nonlinearity known to date for a Boolean function with 13 variables:

$$NL(F_1|_pF_2) = 2^{13-1} - 2^{\frac{13-1}{2}} + 8 = 4040 \qquad (5.14)$$


5.7.2 Library

The method included in VBF to perform this construction is the following:

void concatpol(VBF& X, VBF& F, VBF& G)

Example 5.7.1. The following program provides the ANF of the concatenation of polynomials in ANF of two Vector Boolean functions given their polynomial representations.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  VBF F,G,H;
  vec_pol f,g;
  NTL::mat_GF2 T;

  ifstream inputf(argv[1]);
  if(!inputf) {
    cerr << "Error opening " << argv[1] << endl;
    return 0;
  }
  inputf >> f;
  F.putpol(f);
  inputf.close();

  ifstream inputg(argv[2]);
  if(!inputg) {
    cerr << "Error opening " << argv[2] << endl;
    return 0;
  }
  inputg >> g;
  G.putpol(g);
  inputg.close();

  concatpol(H,F,G);
  cout << "The ANF of the concatenation of polynomials in ANF of F and G is ";
  cout << endl;
  Pol(cout,H);

  return 0;
}

If we use the Boolean functions x1x2 + x3x4 and x1 + 1 as inputs, the output would be the following:

The ANF of the concatenation of polynomials in ANF of F and G is
x1x2+x3x4+x5+1

5.8 Addition of Coordinate Functions

5.8.1 Description

Definition 5.8.1. Let $F = (f_1,\dots,f_{m_1}) \in \mathcal{F}_{n,m_1}$, $G = (g_1,\dots,g_{m_2}) \in \mathcal{F}_{n,m_2}$ and the function formed by adding the coordinate functions $(F,G) = (f_1,\dots,f_{m_1},g_1,\dots,g_{m_2}) \in \mathcal{F}_{n,m_1+m_2}$. Let $v \in V_{m_1+m_2}$, $v_F \in V_{m_1}$ and $v_G \in V_{m_2}$ so that $v = (v_F,v_G)$. See figure 5.5.

Theorem 5.8.1. The columns of the Walsh Spectrum of the Vector Boolean Function resulting by adding the coordinate functions of two Vector Boolean Functions are calculated by the correlation of their respective columns in the following way:

$$WS((F,G))_v = \frac{1}{2^n}\, WS(F)_{v_F} * WS(G)_{v_G}$$

where $WS((F,G))_v$ is the column of the Walsh Spectrum indexed by $v$.

Proof.

$$\theta_{(F,G)}(u,v) = \chi_{(v_F,v_G)\cdot(F,G)}(u) = W\{\xi_{v_F\cdot F} \star \xi_{v_G\cdot G}\}(u) = \frac{1}{2^n}\sum_{x\in V_n}\chi_{v_F\cdot F}(u+x)\,\chi_{v_G\cdot G}(x)$$


Fig. 5.5 Adding Coordinate functions.

Corollary 5.8.2. The columns of both $WS(F)$ and $WS(G)$ are contained in the matrix $WS((F,G))$.

Corollary 5.8.3. From corollary 5.8.2 it can be deduced:

$$NL((F,G)) \le \min\{NL(F),\ NL(G)\} \qquad (5.15)$$

Corollary 5.8.3 is a generalization of Theorem 16 in [115]. It can be useful, for instance, to find upper bounds on the nonlinearity of S-boxes whose number of output bits is high by calculating the nonlinearities of shorter S-boxes (see example 5.8.1).

5.8.2 Library

This construction can be obtained with the following method:

void addimage(VBF& X, VBF& F, VBF& G)

Example 5.8.1. The following program provides the Truth Tables of the intermediate constructions that yield the CLEFIA S0 8×8 S-box from the Truth Tables of the four 4-bit S-boxes SS0, SS1, SS2 and SS3 from which it is built, together with the Truth Table of multiplication by 0x2 in GF(2^4) defined by the primitive polynomial $x^4 + x + 1$. See section 6.3 and Appendix B for further details.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  VBF F,G,T20,T21,U0,U1,Y0,Y1,Y;
  NTL::mat_GF2 TSS0, TSS1, TSS2, TSS3, Tmul2;
  NTL::mat_GF2 T2t0, T2t1, Tu0, Tu1, Ty0, Ty1, Ty;

  ifstream inputSS0("SS0.tt");
  if(!inputSS0) {
    cerr << "Error opening " << "SS0.tt" << endl;
    return 0;
  }
  inputSS0 >> TSS0;
  inputSS0.close();

  ifstream inputSS1("SS1.tt");
  if(!inputSS1) {
    cerr << "Error opening " << "SS1.tt" << endl;
    return 0;
  }
  inputSS1 >> TSS1;
  inputSS1.close();

  ifstream inputSS2("SS2.tt");
  if(!inputSS2) {
    cerr << "Error opening " << "SS2.tt" << endl;
    return 0;
  }
  inputSS2 >> TSS2;
  inputSS2.close();

  ifstream inputSS3("SS3.tt");
  if(!inputSS3) {
    cerr << "Error opening " << "SS3.tt" << endl;
    return 0;
  }
  inputSS3 >> TSS3;
  inputSS3.close();

  ifstream inputmul2("Mul2.tt");
  if(!inputmul2) {
    cerr << "Error opening " << "Mul2.tt" << endl;
    return 0;
  }
  inputmul2 >> Tmul2;
  inputmul2.close();

  cout << "t0=" << endl;
  cout << TSS0 << endl << endl;
  cout << "t1=" << endl;
  cout << TSS1 << endl << endl;
  F.puttt(TSS1);
  G.puttt(Tmul2);
  Comp(T21,F,G);
  T2t1 = TT(T21);
  cout << "0x2.t1=" << endl;
  cout << T2t1 << endl;
  F.kill();
  G.kill();
  F.puttt(TSS0);
  G.puttt(Tmul2);
  Comp(T20,F,G);
  T2t0 = TT(T20);
  cout << "0x2.t0=" << endl;
  cout << T2t0 << endl;
  cout << "u0=t0+0x2.t1=" << endl;
  F.kill();
  F.puttt(TSS0);
  directsum(U0,F,T21);
  Tu0 = TT(U0);
  cout << Tu0 << endl;
  G.kill();
  cout << "u1=0x2.t0+t1=" << endl;
  G.puttt(TSS1);
  directsum(U1,T20,G);
  Tu1 = TT(U1);
  cout << Tu1 << endl;
  G.kill();
  cout << "y0=SS2(u0)=" << endl;
  G.puttt(TSS2);
  Comp(Y0,U0,G);
  Ty0 = TT(Y0);
  cout << Ty0 << endl;
  G.kill();
  cout << "y1=SS3(u1)=" << endl;
  G.puttt(TSS3);
  Comp(Y1,U1,G);
  Ty1 = TT(Y1);
  cout << Ty1 << endl;
  addimage(Y,Y0,Y1);
  Ty = TT(Y);
  cout << "y=(y0,y1)=" << endl;
  cout << Ty << endl;

  return 0;
}

The output of this program is described in section 6.3, Appendix B and [156].

Note that the output of the S0 S-box, $y \in \mathcal{F}_{8,8}$, is defined by the addition of the coordinate functions of $y_0 \in \mathcal{F}_{8,4}$ and $y_1 \in \mathcal{F}_{8,4}$. We can see that corollary 5.8.3 is satisfied:

$$100 = NL(S_0) \le \min\{NL(y_0),\ NL(y_1)\} = \min\{100,100\} \qquad (5.16)$$

See section 6.3 for justification of these nonlinearities.


5.9 Bricklayer

5.9.1 Description

Definition 5.9.1. Let $n_1,n_2,m_1,m_2 \ge 1$ and $F_1 \in \mathcal{F}_{n_1,m_1}$, $F_2 \in \mathcal{F}_{n_2,m_2}$ and the Bricklayer function $F_1|F_2 \in \mathcal{F}_{n_1+n_2,m_1+m_2}$. Let $u_1 \in V_{n_1}$, $u_2 \in V_{n_2}$ and $u = (u_1,u_2)$, $v_1 \in V_{m_1}$, $v_2 \in V_{m_2}$ and $v = (v_1,v_2)$. See figure 5.6.

Fig. 5.6 Bricklayer.

Theorem 5.9.1. The elements that form a row in the Walsh Spectrum (respectively Autocorrelation Matrix or Differential Profile) of the Bricklayer of two Vector Boolean Functions are obtained as the product of the respective components of the rows in both Walsh Spectra (respectively Autocorrelation Matrices or Differential Profiles).

$$\theta_{F_1|F_2}(u,v) = \theta_{F_1}(u_1,v_1)\cdot\theta_{F_2}(u_2,v_2)$$

$$r_{F_1|F_2}(u,v) = r_{F_1}(u_1,v_1)\cdot r_{F_2}(u_2,v_2)$$

$$\delta_{F_1|F_2}(u,v) = \delta_{F_1}(u_1,v_1)\cdot\delta_{F_2}(u_2,v_2)$$

Proof.

$$\theta_{F_1|F_2}(u,v) = \chi_{(v_1,v_2)\cdot(F_1|F_2)}((u_1,u_2)) = \chi_{v_1\cdot F_1}(u_1)\cdot\chi_{v_2\cdot F_2}(u_2)$$

Proof.

$$r_{F_1|F_2}(u,v) = \frac{1}{2^{n_1+n_2}}\sum_{x\in V_n}\chi_{(v_1,v_2)\cdot(F_1|F_2)}(x+u)\cdot\chi_{(v_1,v_2)\cdot(F_1|F_2)}(x)$$

$$= \frac{1}{2^{n_1+n_2}}\sum_{x_1\in V_{n_1}}\sum_{x_2\in V_{n_2}}\chi_{v_1\cdot F_1}(x_1+u_1)\,\chi_{v_2\cdot F_2}(x_2+u_2)\cdot\chi_{v_1\cdot F_1}(x_1)\,\chi_{v_2\cdot F_2}(x_2)$$

$$= \Big(\frac{1}{2^{n_1}}\sum_{x_1\in V_{n_1}}\chi_{v_1\cdot F_1}(x_1+u_1)\,\chi_{v_1\cdot F_1}(x_1)\Big)\Big(\frac{1}{2^{n_2}}\sum_{x_2\in V_{n_2}}\chi_{v_2\cdot F_2}(x_2+u_2)\,\chi_{v_2\cdot F_2}(x_2)\Big)$$

$$= r_{F_1}(u_1,v_1)\cdot r_{F_2}(u_2,v_2)$$

Proof.

$$\delta_{F_1|F_2}(u,v) = \frac{1}{2^{n_1+n_2+m_1+m_2}}\sum_{w\in V_m} r_{F_1|F_2}(u,w)\,\chi_v(w)$$

$$= \frac{1}{2^{n_1+n_2+m_1+m_2}}\sum_{w\in V_m} r_{F_1|F_2}(u_1,w)\,r_{F_1|F_2}(u_2,w)\,\chi_{v_1}(w)\,\chi_{v_2}(w)$$

$$= \Big(\frac{1}{2^{n_1+m_1}}\sum_{w\in V_m} r_{F_1|F_2}(u_1,w)\,\chi_{v_1}(w)\Big)\Big(\frac{1}{2^{n_2+m_2}}\sum_{w\in V_m} r_{F_1|F_2}(u_2,w)\,\chi_{v_2}(w)\Big)$$

$$= \delta_{F_1}(u_1,v_1)\cdot\delta_{F_2}(u_2,v_2)$$

Corollary 5.9.2. The Walsh Spectrum (respectively Autocorrelation Matrix or Differential Profile) of $F_1|F_2 \in \mathcal{F}_{n,m}$ is equal to the Kronecker product of the Walsh Spectra (respectively Autocorrelation Matrices or Differential Profiles) of $F_1$ and $F_2$:

$$WS(F_1|F_2) = WS(F_1)\otimes WS(F_2)$$

$$AC(F_1|F_2) = AC(F_1)\otimes AC(F_2)$$

$$DP(F_1|F_2) = DP(F_1)\otimes DP(F_2)$$

Corollary 5.9.3.

$$NL(F_1|F_2) = 2^{n_1+n_2-1} - \frac{1}{2}\cdot 2^{n_2}\cdot \max{}^*\big(\theta_{F_1}(u_1,v_1)\big)$$

$$AC_{max}(F_1|F_2) = 2^{n_1+n_2}$$

$$LD(F_1|F_2) = 0$$

Corollary 5.9.4. The Walsh Spectrum (respectively Autocorrelation Spectrum and Differential Profile) of the Bricklayer of $i$ Vector Boolean Functions $F_1|\cdots|F_i$ is equal to the Kronecker product of their Walsh Spectra (respectively Autocorrelation Spectra and Differential Profiles):

$$WS(F_1|\cdots|F_i) = WS(F_1)\otimes\cdots\otimes WS(F_i)$$

$$AC(F_1|\cdots|F_i) = AC(F_1)\otimes\cdots\otimes AC(F_i)$$

$$DP(F_1|\cdots|F_i) = DP(F_1)\otimes\cdots\otimes DP(F_i) \qquad (5.17)$$


Corollary 5.9.5. Let $F_1|\cdots|F_i \in \mathcal{F}_{n,m}$; the linear potential (respectively differential potential) of their Bricklayer is equal to the linear potential (respectively differential potential) of the first function.

$$lp(F_1|\cdots|F_i) = lp(F_1), \qquad dp(F_1|\cdots|F_i) = dp(F_1) \qquad (5.18)$$

Proof.

$$lp(F_1|\cdots|F_i) = \frac{1}{2^{2(n_1+\cdots+n_i)}}\cdot\max{}^*\big(WS(F_1|\cdots|F_i)(u,v)^2\big) = \frac{2^{2(n_2+\cdots+n_i)}}{2^{2(n_1+\cdots+n_i)}}\cdot\max{}^*\big(WS(F_1)(u_1,v_1)^2\big)$$

$$= \frac{1}{2^{2n_1}}\cdot\max{}^*\big(WS(F_1)(u_1,v_1)^2\big) = lp(F_1)$$

On the other hand:

$$dp(F_1|\cdots|F_i) = \max{}^*\big(\delta_{F_1|\cdots|F_i}(u,v)\big) = \max{}^*\big(\delta_{F_1}(u_1,v_1)\big) = dp(F_1)$$

Theorem 5.9.6. Let $F_1$ be an $(n_1,m_1,t_1)$ resilient function and $F_2$ be an $(n_2,m_2,t_2)$ resilient function; then:

$$F_1|F_2 \text{ is an } (n_1+n_2,\ m_1+m_2,\ \min\{t_1,t_2\}) \text{ resilient function} \qquad (5.19)$$

Proof.

$(F_1 \text{ is an } (n_1,m_1,t_1) \text{ resilient function}) \wedge (F_2 \text{ is an } (n_2,m_2,t_2) \text{ resilient function})$

$\Rightarrow \big(\theta_{F_1}(u_1,v_1) = 0,\ \forall u_1 \in V_{n_1},\ 0 \le wt(u_1) \le t_1,\ \forall v_1 \ne 0 \in V_{m_1}\big) \wedge \big(\theta_{F_2}(u_2,v_2) = 0,\ \forall u_2 \in V_{n_2},\ 0 \le wt(u_2) \le t_2,\ \forall v_2 \ne 0 \in V_{m_2}\big)$

$\Rightarrow \theta_{F_1}(u_1,v_1)\cdot\theta_{F_2}(u_2,v_2) = 0,\ \forall (u_1,u_2) \in V_{n_1}\times V_{n_2},\ 0 \le wt((u_1,u_2)) \le \min\{t_1,t_2\},\ \forall (v_1,v_2) \ne 0 \in V_{m_1}\times V_{m_2}$

$\Rightarrow \theta_{F_1|F_2}(u,v) = 0,\ \forall u \in V_{n_1+n_2},\ 0 \le wt(u) \le \min\{t_1,t_2\},\ \forall v \ne 0 \in V_{m_1+m_2}$

Corollary 5.9.7. If $F_1$ and $F_2$ are balanced, then $F_1|F_2$ is also balanced.

Example 5.9.1. Let us denote by $S$ the result of bricklayering all DES S-boxes $S_i \in \mathcal{F}_{6,4}$, $i = 1,\dots,8$, so that $S = S_1|\cdots|S_8$ (see figure 5.7). Thanks to corollaries 5.9.3 and 5.9.5, it is possible to calculate the nonlinearity, absolute indicator, linearity distance, linear potential and differential potential of $S$ by just calculating these same criteria for the S1 S-box. With this approach we only have to manage a $2^6 \times 2^4$ matrix instead of a $2^{48} \times 2^{32}$ matrix.


Fig. 5.7 DES S-boxes.

Table 5.1 Results of spectral radius (R), NL, lp, dp, ACmax and LD for the bricklayer of DES S-boxes.

S-box    S1           S
R        36           36 · 2^{7·6}
NL       14           2^{48−1} − ½ (36 · 2^{7·6}) = 2^{47} − 18 · 2^{42} = 61572651155456
lp       0.31640625   0.31640625
dp       0.25         0.25
ACmax    48           2^{6·8} = 281474976710656
LD       4            0
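An added worked example, not from the VBF library or the thesis, covering the Bricklayer of this section and the addition of coordinate functions of section 5.8 on plain lookup tables: it computes Walsh spectrum and differential profile entries from their definitions and checks theorem 5.9.1, corollary 5.8.3 and corollary 5.9.5 numerically. The PRESENT 4-bit S-box serves as sample input and SMALL3 is a constructed 3-bit permutation; the check of corollary 5.9.5 goes slightly beyond the text by using the form that holds for any pair of functions (the potentials of the bricklayer equal the larger of the two), which reduces to the corollary whenever F1 is the weaker function.

```cpp
// Added example; this is not code from the VBF library or the thesis. An S-box
// is a lookup table; the Bricklayer F1|F2 of definition 5.9.1 and the addition of
// coordinate functions (F,G) of definition 5.8.1 are built from the definitions,
// and the Walsh spectrum and differential profile are computed entry by entry so
// that theorem 5.9.1, corollary 5.8.3 and corollary 5.9.5 can be checked
// numerically. F1 is the public PRESENT 4-bit S-box, used only as sample input;
// F2 is a constructed 3-bit permutation with no claimed properties.
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <vector>

struct SBox {
    int n, m;                      // input and output bits
    std::vector<unsigned> table;   // table[x] = F(x) for x in [0, 2^n)
};
static int parity(unsigned v) { int p = 0; for (; v; v >>= 1) p ^= v & 1; return p; }

// Walsh spectrum entry theta_F(u, v) = sum_x (-1)^{v.F(x) + u.x}.
long walshEntry(const SBox &F, unsigned u, unsigned v) {
    long s = 0;
    for (unsigned x = 0; x < F.table.size(); ++x)
        s += (parity(v & F.table[x]) ^ parity(u & x)) ? -1 : 1;
    return s;
}
// Differential profile entry delta_F(u, v) = #{x : F(x + u) + F(x) = v}.
long diffEntry(const SBox &F, unsigned u, unsigned v) {
    long c = 0;
    for (unsigned x = 0; x < F.table.size(); ++x)
        if ((F.table[x ^ u] ^ F.table[x]) == v) ++c;
    return c;
}
// Bricklayer (x1, x2) -> (F1(x1), F2(x2)); x1 and F1(x1) occupy the high bits.
SBox bricklayer(const SBox &F1, const SBox &F2) {
    SBox X{F1.n + F2.n, F1.m + F2.m, {}};
    for (unsigned x1 = 0; x1 < F1.table.size(); ++x1)
        for (unsigned x2 = 0; x2 < F2.table.size(); ++x2)
            X.table.push_back((F1.table[x1] << F2.m) | F2.table[x2]);
    return X;
}
// Addition of coordinate functions (F,G)(x) = (F(x), G(x)) on the same input space.
SBox addImage(const SBox &F, const SBox &G) {
    SBox X{F.n, F.m + G.m, {}};
    for (unsigned x = 0; x < F.table.size(); ++x) X.table.push_back((F.table[x] << G.m) | G.table[x]);
    return X;
}
// Keep `bits` output bits of F starting at bit `shift` (splits an S-box into y0, y1).
SBox coordinates(const SBox &F, int shift, int bits) {
    SBox X{F.n, bits, {}};
    for (unsigned y : F.table) X.table.push_back((y >> shift) & ((1u << bits) - 1));
    return X;
}
long spectralRadius(const SBox &F) {      // R = max |theta_F(u, v)| over v != 0
    long r = 0;
    for (unsigned v = 1; v < (1u << F.m); ++v)
        for (unsigned u = 0; u < (1u << F.n); ++u) r = std::max(r, std::labs(walshEntry(F, u, v)));
    return r;
}
long nl(const SBox &F) { return (1L << (F.n - 1)) - spectralRadius(F) / 2; }
double lp(const SBox &F) { double r = double(spectralRadius(F)) / (1 << F.n); return r * r; }
double dp(const SBox &F) {                // max delta_F(u, v) / 2^n over u != 0
    long d = 0;
    for (unsigned u = 1; u < (1u << F.n); ++u)
        for (unsigned v = 0; v < (1u << F.m); ++v) d = std::max(d, diffEntry(F, u, v));
    return double(d) / (1 << F.n);
}
// Theorem 5.9.1 entry by entry: the Walsh spectrum and differential profile of
// F1|F2 are the products of the respective entries of F1 and F2.
bool bricklayerProductHolds(const SBox &F1, const SBox &F2) {
    SBox X = bricklayer(F1, F2);
    for (unsigned u1 = 0; u1 < (1u << F1.n); ++u1)
      for (unsigned u2 = 0; u2 < (1u << F2.n); ++u2)
        for (unsigned v1 = 0; v1 < (1u << F1.m); ++v1)
          for (unsigned v2 = 0; v2 < (1u << F2.m); ++v2) {
            unsigned u = (u1 << F2.n) | u2, v = (v1 << F2.m) | v2;
            if (walshEntry(X, u, v) != walshEntry(F1, u1, v1) * walshEntry(F2, u2, v2)) return false;
            if (diffEntry(X, u, v) != diffEntry(F1, u1, v1) * diffEntry(F2, u2, v2)) return false;
          }
    return true;
}
// Corollary 5.9.5 in the form that holds for any pair: the potentials of F1|F2 are
// those of the weaker function, i.e. the larger of the two (the corollary's "first
// function"); nl then follows from R(F1|F2) = max(2^{n2} R(F1), 2^{n1} R(F2)).
bool potentialsHold(const SBox &F1, const SBox &F2) {
    SBox X = bricklayer(F1, F2);
    long rX = std::max(spectralRadius(F1) << F2.n, spectralRadius(F2) << F1.n);
    return lp(X) == std::max(lp(F1), lp(F2)) && dp(X) == std::max(dp(F1), dp(F2))
        && nl(X) == (1L << (X.n - 1)) - rX / 2;
}
const SBox PRESENT{4, 4, {0xC,0x5,0x6,0xB,0x9,0x0,0xA,0xD,0x3,0xE,0xF,0x8,0x4,0x7,0x1,0x2}};
const SBox SMALL3{3, 3, {0x0,0x1,0x3,0x6,0x7,0x4,0x5,0x2}};   // constructed sample

int main() {
    SBox X = bricklayer(PRESENT, SMALL3), hi = coordinates(PRESENT, 2, 2), lo = coordinates(PRESENT, 0, 2);
    std::printf("PRESENT: R=%ld nl=%ld lp=%g dp=%g\n", spectralRadius(PRESENT), nl(PRESENT), lp(PRESENT), dp(PRESENT));
    std::printf("PRESENT|SMALL3: R=%ld nl=%ld lp=%g dp=%g product=%s potentials=%s\n", spectralRadius(X), nl(X), lp(X),
                dp(X), bricklayerProductHolds(PRESENT, SMALL3) ? "ok" : "FAIL", potentialsHold(PRESENT, SMALL3) ? "ok" : "FAIL");
    // Corollary 5.8.3 with PRESENT = (hi, lo): NL((hi,lo)) <= min{NL(hi), NL(lo)}.
    std::printf("nl(hi)=%ld nl(lo)=%ld nl((hi,lo))=%ld\n", nl(hi), nl(lo), nl(addImage(hi, lo)));
    return 0;
}
```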

5.9.2 Library

It can be obtained with the following method:

void bricklayer(VBF& X, VBF& F, VBF& G)

Example 5.9.2. KHAZAD is a block cipher designed by Paulo S. L. M. Barreto together with Vincent Rijmen, which was presented at the first NESSIE workshop in 2000 and, after some small changes, was selected as a finalist in the project. This cipher uses an 8×8 S-box composed of smaller pseudo-randomly generated 4×4 mini S-boxes (the P-box and the Q-box) as represented in figure 5.8.

The following program provides the Truth Tables of the intermediate constructions that yield the KHAZAD S-box from the P and Q mini S-boxes and the permutation applied between them.

Fig. 5.8 KHAZAD S-box construction.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  VBF P, Q, PQ, R, QP, S, T, U, A;
  NTL::mat_GF2 Tp, Tq;
  NTL::vec_ZZ r;

  ifstream inputp("P.tt");
  if(!inputp) {
    cerr << "Error opening " << "P.tt" << endl;
    return 0;
  }
  inputp >> Tp;
  P.puttt(Tp);
  inputp.close();

  ifstream inputq("Q.tt");
  if(!inputq) {
    cerr << "Error opening " << "Q.tt" << endl;
    return 0;
  }
  inputq >> Tq;
  Q.puttt(Tq);
  inputq.close();

  ifstream input("R.per");
  if(!input) {
    cerr << "Error opening " << "R.per" << endl;
    return 0;
  }
  input >> r;
  R.putper(r);
  input.close();

  bricklayer(PQ,P,Q);
  cout << "Bricklayer of P and Q=" << endl;
  cout << TT(PQ) << endl;

  Comp(S,PQ,R);
  cout << "Composition of 1st bricklayer with permutation=" << endl;
  cout << TT(S) << endl;

  bricklayer(QP,Q,P);
  cout << "Bricklayer of Q and P=" << endl;
  cout << TT(QP) << endl;

  Comp(T,S,QP);
  cout << "Composition of previous result with 2nd bricklayer=" << endl;
  cout << TT(T) << endl;

  Comp(U,T,R);
  cout << "Composition of previous result with permutation=" << endl;
  cout << TT(U) << endl;

  Comp(A,U,PQ);
  cout << "Composition of previous result with 1st bricklayer=" << endl;
  cout << TT(A) << endl;

  return 0;
}

If we use the Truth Tables of P and Q and the representation of the permutation between them, the output is the set of Truth Tables described in [156]. At http://vbflibrary.tk you can check the results of Table 5.2.

Table 5.2 Results of spectral radius (r), NL, lp, dp, ACmax and LD for the bricklayer of P and Q mini S-boxes.

S-box                               r     NL    lp         dp        ACmax   LD
P                                   8     4     0.25       0.25      8       2
Q                                   8     4     0.25       0.25      8       2
P|Q                                 128   64    0.25       0.25      256     0
Q|P                                 128   64    0.25       0.25      256     0
R∘(P|Q)                             128   64    0.25       0.25      256     0
(Q|P)∘(R∘(P|Q))                     96    80    0.140625   0.125     160     24
R∘((Q|P)∘(R∘(P|Q)))                 96    80    0.140625   0.125     160     24
S = (P|Q)∘(R∘((Q|P)∘(R∘(P|Q))))     64    96    0.0625     0.03125   104     38

Example 5.9.3. The following program provides the balancedness and correlation immunity (resiliency) of two Vector Boolean functions F and G given their Truth Tables in hexadecimal representation, and calculates the same criteria for the bricklayer of F and G.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  VBF F, G, H;

  ifstream input1(argv[1]);
  if(!input1) {
    cerr << "Error opening " << argv[1] << endl;
    return 0;
  }
  F.putHexTT(input1);
  input1.close();

  ifstream input2(argv[2]);
  if(!input2) {
    cerr << "Error opening " << argv[2] << endl;
    return 0;
  }
  G.putHexTT(input2);
  input2.close();

  cout << "Correlation immunity of F: " << CI(F) << endl;
  if (Bal(F)) {
    cout << "F is a balanced function" << endl;
  } else {
    cout << "F is a non-balanced function" << endl;
  }

  cout << "Correlation immunity of G: " << CI(G) << endl;
  if (Bal(G)) {
    cout << "G is a balanced function" << endl;
  } else {
    cout << "G is a non-balanced function" << endl;
  }

  bricklayer(H,F,G);

  cout << "Correlation immunity of F bricklayer G: " << CI(H) << endl;
  if (Bal(H)) {
    cout << "F bricklayer G is a balanced function" << endl;
  } else {
    cout << "F bricklayer G is a non-balanced function" << endl;
  }

  return 0;
}

If we use the Boolean functions with the following Truth Tables (in hexadecimal representation) as inputs:

6cb405778ea9bd30

5c721bcaac27b1c5

The output would be the following:

Correlation immunity of F: 1
F is a balanced function
Correlation immunity of G: 2
G is a balanced function
Correlation immunity of F bricklayer G: 1
F bricklayer G is a balanced function

These results are congruent with theorem 5.9.6.

5.10 Summary

Table 5.3 lists the member functions related to the constructions described in this chapter.

Table 5.3 Constructions over VBF.

SYNTAX                                   DESCRIPTION
long operator==(VBF& F, VBF& G)          Returns 1 if F and G are equal, 0 otherwise
void Comp(VBF& X, VBF& F, VBF& G)        X = G∘F
void inv(VBF& X, VBF& A)                 X = A^{-1}
void sum(VBF& X, VBF& F, VBF& G)         X = F + G
void directsum(VBF& X, VBF& F, VBF& G)   X(x,y) = F(x) + G(y)
void concat(VBF& X, VBF& F, VBF& G)      X(x,x_{n+1}) = (x_{n+1} + 1)F(x) + x_{n+1}G(x)
void concatpol(VBF& X, VBF& F, VBF& G)   X(x_1,…,x_{n_1},x_{n_1+1},…,x_{n_1+n_2}) = F(x_1,…,x_{n_1}) + G(x_{n_1+1},…,x_{n_1+n_2})
void addimage(VBF& X, VBF& F, VBF& G)    X = (F,G)
void bricklayer(VBF& X, VBF& F, VBF& G)  X = F|G

Chapter 6

Security Evaluation of Cryptographic Algorithms

Substitution boxes (often called S-boxes) are Vector Boolean functions typically used in the iterative round functions of block ciphers, but they have also been used as components of keystream generators in stream ciphers and in the round functions of cryptographic hash functions. S-boxes are one of the few nonlinear components of cryptosystems. They are also capable of providing additional cryptographic properties to a cipher and confusion to the system as a whole.

In view of the successful cryptanalytic attacks on cryptosystems that exploit weaknesses in cipher components, the analysis of S-boxes and their criteria is an ongoing area of necessary research.

The preceding chapters of this thesis discussed the representations, characterizations, cryptographic criteria and constructions that the VBF library supports. In this chapter we apply VBF library methods to assess the security of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of security assessments of modern cryptographic algorithms apart from those described in this chapter.

6.1 KASUMI Cipher Algorithm Evaluation

In the following, several functional components of KASUMI are studied using VBF with the aim of revealing any weakness that could be used as a basis for an attack on the entire algorithm. This study characterizes the S-boxes as well as the FI function.


6.1.1 S-boxes Characterization

The study of S-boxes S7 and S9 shows that they are Almost Perfect Nonlinear (APN) bijective Boolean mappings. In fact, a linear approximation analysis shows that the S7 nonlinearity (item NL in Table 6.3) is equal to 56, which is the maximum value for an S-box with 7 input variables. Its linear potential (item lp in Table 6.3) is equal to 0.015625 and it has a second order nonlinearity (item NL2 in Table 6.3) of 36. Concerning S9, the value of the nonlinearity is equal to 240, which equals the best known upper bound for a balanced Boolean function with 9 input variables. Its linear potential is equal to 0.00390625. From these results, we can conclude that S7 and S9 offer the best immunity against linear attacks.

A differential approximation analysis shows that the S7 linearity distance is equal to 28 over a maximum value of 32 and its differential potential is equal to 0.015625. Finally, the value of the linearity distance of S9 is equal to 0 and its differential potential is equal to 0.00390625. S9 has 511 linear structures, which are described within the KASUMI cipher analysis in [156]. Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structure, but S9 does not satisfy this requirement.

The algebraic normal forms of S7 and S9 are given by (6.1) and (6.2) respectively:

f1 = x5x6 + x4x6x7 + x3x7 + x2x6 + x2x4 + x1 + x1x6x7 + x1x4x5 + x1x3x6 + x1x2x7

f2 = 1 + x5 + x5x7 + x4x7 + x4x5x6 + x3x5x7 + x2x7 + x2x5 + x2x3 + x1x6 + x1x5x6 + x1x4x7 + x1x3x4 + x1x2x5

f3 = 1 + x5x7 + x4 + x4x6 + x3x6 + x3x6x7 + x3x4x5 + x2x7 + x2x4x6 + x2x3x7 + x1x6 + x1x4 + x1x4x7 + x1x2

f4 = x6 + x5x6x7 + x3x6 + x3x4 + x2x7 + x2x6x7 + x2x4x5 + x2x3x6 + x1x5 + x1x4x6

f5 = 1 + x7 + x4x7 + x4x5 + x3x5x6 + x3x4x7 + x2x6 + x2x5x7 + x1x7 + x1x6x7 + x1x5 + x1x3

f6 = 1 + x6x7 + x3x7 + x3x5 + x2 + x2x5x6 + x2x4x7 + x1 + x1x5x7 + x1x4 + x1x2x3

f7 = x4x6 + x3 + x3x6x7 + x2 + x2x5 + x2x3x4 + x1 + x1x7 + x1x6 + x1x4 + x1x3x5 + x1x2x6 + x1x2x3        (6.1)


f1 = x8x9 + x7 + x7x8 + x5x6 + x4x8 + x4x7 + x3x8 + x3x5 + x2 + x1x7 + x1x6

f2 = 1 + x8x9 + x7x9 + x7x8 + x6 + x6x9 + x6x7 + x4x5 + x3x7 + x3x6 + x2x7 + x2x4 + x1

f3 = x9 + x6x7 + x4x8 + x4x7 + x4x5 + x3x6 + x3x5 + x3x4 + x2 + x1x8 + x1x6 + x1x4 + x1x2

f4 = 1 + x7 + x5x8 + x4x5 + x3x9 + x3x8 + x2x6 + x2x5 + x2x3 + x1x4 + x1x3 + x1x2

f5 = x8x9 + x6x8 + x5 + x4x9 + x3x6 + x2x9 + x2x3 + x1x8 + x1x7 + x1x6

f6 = x9 + x7x8 + x6x9 + x5x7 + x4 + x3x9 + x3x8 + x2x5 + x1x9 + x1x8 + x1x2

f7 = 1 + x8 + x6x9 + x5x6 + x4x9 + x3x7 + x3x6 + x3x4 + x2x5 + x2x4 + x2x3 + x1 + x1x9

f8 = 1 + x8 + x8x9 + x6x7 + x5x9 + x5x8 + x4x9 + x4x6 + x3 + x2x8 + x2x7 + x1x4

f9 = 1 + x7x9 + x6 + x4x7 + x3x4 + x2x9 + x2x8 + x2x7 + x1x5 + x1x4 + x1x2        (6.2)

These forms show that the algebraic degree of S7 is 3 and the algebraic degree of S9 is 2. The algebraic degree of both S-boxes is low, so higher order differential attacks can be executed against them. The component algebraic immunity of S7 is equal to 3 and that of S9 is 2. As a consequence, algebraic attacks based on solving a system of multivariate algebraic equations can be executed against S7 and especially against S9.

Concerning the cycle structure, S7 and S9 have no obvious deficiencies, e.g. a large number of transpositions. S7 has one fixed point, S7(0,0,1,1,0,1,1) = (0,0,1,1,0,1,1), and has no negated fixed points. S9 has one fixed point, S9(0,1,0,0,1,0,1,1,1) = (0,1,0,0,1,0,1,1,1), and one negated fixed point, S9(1,0,0,0,1,1,0,0,0) = (0,1,1,1,0,0,1,1,1). The cycle structure of the S7 and S9 permutations is shown in Table 6.1 and Table 6.2:

Table 6.1 Cycle structure for S7.

Cycle length for S7    Number of cycles for S7
1                      1
13                     1
22                     1
92                     1

Regarding the second moment of the auto-correlation coefficients, for S7 the absolute indicator is 16 and the sum-of-squares indicator is 32768. For S9 the absolute indicator is 512 and the sum-of-squares indicator is 524288.

From these results, we can conclude that S7 achieves a fairly good diffusion since its absolute indicator is nearer the lower theoretical bound, 0, than the upper bound, 128, and similarly for the sum-of-squares indicator, where the theoretical bounds are 16384 and 2097152. S9 does not achieve a good diffusion because its absolute indicator coincides with the upper bound, 512, while its sum-of-squares indicator is quite close to the lower bound of 262144.

Table 6.2 Cycle structure for S9.

Cycle length for S9    Number of cycles for S9
1                      2
2                      1
12                     1
26                     1
74                     1
121                    1
275                    1

A summary of these criteria is given in Tables 6.3 and 6.4:

Table 6.3 S7 and S9 Cryptographic criteria.

S-box   NL    NL2   LD   deg   AI   ACmax   σ
S7      56    36    28   3     3    16      32768
S9      240   0     0    2     2    512     524288

Table 6.4 S7 and S9 Cryptographic criteria.

S-box   lp           dp
S7      0.015625     0.015625
S9      0.00390625   0.00390625

The Walsh Spectra of the S7 and S9 mappings are three-valued (except for the first row and column values): 16, 0 and −16 for S7, and 32, 0 and −32 for S9. The Linear Profiles of the S7 and S9 mappings are two-valued (except for the first row and column values): 0 and 256 for S7, and 0 and 1024 for S9. The Differential Profiles of the S7 and S9 mappings are two-valued (except for the first row and column values): 0 and 32768 for S7, and 0 and 524288 for S9. The Autocorrelation Spectrum of the S7 mapping is four-valued: 128, 16, −16 and 0, and that of S9 is three-valued: 512, −512 and 0. Having a few-valued WS indicates good cryptographic properties, see [64].

The cryptanalysis performed in this section provides, to the best of our knowledge, new results about S7 and S9 that do not appear in [1]. For example, representations of both S-boxes as Truth Table, polynomials in ANF, ANF tables and Walsh Spectrum are calculated; in addition, cryptographic criteria such as nonlinearity, second order nonlinearity, linearity distance, algebraic immunity, absolute indicator and sum-of-squares indicator are also computed.

6.1.2 FI Function Characterization

The algebraic degree of the FI function for all the possible 65536 values of the key has been analyzed. This study reveals that two values of algebraic degree are obtained: 15 and 16, with a frequency of 32931 and 32605 respectively. Such degrees reveal that FI has a very good resistance against higher order differential attacks as the maximum possible algebraic degree is 16.

Concerning the cycle structure, the FI function was analyzed for all the possible 65536 values of the key. There are key values for which the number of cycles is quite high; for example, the key 0xa77b has the maximum number of cycles, 2907. This number of cycles is more than three times the proportion that was present in S9. In this case, a higher number of transpositions was expected, which could reveal some kind of deficiency.

For several keys, this function has a significant number of fixed points and/or negated fixed points. The maximum number of fixed points is 6 for key values:

0x57bc, 0x5c38, 0x6bfe, 0x7b4b, 0x85c2, 0x987e, 0x9a32, 0xa3ef, 0xa5ab, 0xacbb, 0xb0b4, 0xb0e5, 0xb327, 0xb5c7, 0xb90d, 0xc4ee, 0xc7e4, 0xca74, 0xcb5d, 0xcb5d, 0xcd11, 0xcdbe, 0xce24, 0xd5da, 0xe3ce, 0xe4eb, 0xe531, 0xea3b, 0xef5c, 0xf276, 0xf59e, 0xfd44 (6.3)

The maximum number of negated fixed points is 7 for key values:

0x2c3c, 0x4041, 0x4343, 0x06e9, 0x518f, 0x59ac, 0xa161, 0xa244, 0xab77, 0xe1d1, 0x1aee, 0x1df0 (6.4)

The key value 0xb0b4 has 10 fixed or negated fixed points and a number of key values have 9 fixed or negated fixed points:

0x3bd0, 0x4343, 0x5e94, 0x5ff3, 0x6271, 0x682d, 0x6e45, 0x99e3, 0xab77, 0xb750, 0xc5da, 0xd5da, 0x167d, 0x1df0 (6.5)

This number of fixed and/or negated fixed points is not very high compared with the total number of possible inputs/outputs, 65536, and we may, therefore, conclude that the FI function is reasonably well designed.

The Walsh Spectra of FI for several keys have also been computed and from these the nonlinearities and linear potentials of FI for the 65536 keys have been obtained. Nonlinearities range from 31534 (with the keys 081e, 2d71 and 52c4) to 32049 (with the key c6a6) and linear potentials from 0.00048146 to 0.00141818. Although these nonlinearity values are far from the maximum possible, 32640, the linear potentials do not reveal an obvious vulnerability to linear attacks.

As a summary, the KASUMI analysis with VBF provides values for the characteristics analyzed that are similar to those obtained in previous studies [1]. In addition, new characteristics such as the algebraic degree, cycle structure, fixed points, negated fixed points and nonlinearities are also provided. A detailed description of the KASUMI cipher analysis is given in [156].

6.2 Mini-AES Cipher Algorithm Evaluation

6.2.1 S-box Characterization

The study of the NibbleSub S-box shows that it defines Almost Perfect Non-linear (APN) bijective Boolean mappings. In fact, a linear approximation analysis shows that the nonlinearity is equal to 2 while the maximum value for an S-box with 4 input variables is 5. Its linear potential is equal to 0.5625 and it has a second order nonlinearity of 0. From these results, we can conclude that NibbleSub does not offer good immunity against linear attacks for a 4×4 S-box.

A differential approximation analysis shows that the NibbleSub linearity distance is equal to 0 over a maximum value of 4 and its differential potential is equal to 0.5. NibbleSub has 7 linear structures which are described within the mini-AES cipher analysis in [156]. From the previous results, we can conclude that NibbleSub does not have optimal immunity against differential attacks.

The algebraic normal form of NibbleSub is:

$f_1 = 1 + x_4 + x_2 + x_2 x_3 + x_2 x_3 x_4 + x_1 + x_1 x_2 + x_1 x_2 x_3$

$f_2 = 1 + x_3 x_4 + x_2 + x_2 x_4 + x_1 + x_1 x_3 + x_1 x_3 x_4$

$f_3 = 1 + x_4 + x_3 + x_3 x_4 + x_2 x_4 + x_2 x_3 + x_1 x_4 + x_1 x_3 + x_1 x_2 + x_1 x_2 x_4 + x_1 x_2 x_3$

$f_4 = x_3 + x_2 x_4 + x_1 + x_1 x_4 + x_1 x_3 x_4$ (6.6)

These forms show that the algebraic degree of NibbleSub is 2, which is not high enough to be immune against higher order differential attacks. The component algebraic immunity is equal to 2: as a consequence, algebraic attacks by solving a system of multivariate algebraic equations can be easily executed.

Concerning the cycle structure, it has no obvious deficiencies such as a large number of transpositions; in addition, it has no fixed point and two negated fixed points, (0,0,1,0) and (0,1,1,1). The cycle structure is given in Table 6.5.

Table 6.5 Cycle structure.

Cycle Length   Number of cycles
2              1
14             1
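As an added example (not code from the thesis or the VBF library), the following Python evaluates the ANF (6.6) to recover the NibbleSub truth table and then computes the cycle structure, fixed points and negated fixed points reported above; the bit ordering (x1 the most significant input bit, f1 the most significant output bit) is an assumption.

```python
# Added example (not code from the thesis or the VBF library): recover the
# NibbleSub truth table from its ANF (6.6), then compute the cycle structure,
# fixed points and negated fixed points reported in Section 6.2.1.
N = 4

# Coordinate functions f1..f4 of (6.6). Each is a list of monomials; a monomial
# is the tuple of variable indices it multiplies and () is the constant term 1.
ANF = [
    [(), (4,), (2,), (2, 3), (2, 3, 4), (1,), (1, 2), (1, 2, 3)],                          # f1
    [(), (3, 4), (2,), (2, 4), (1,), (1, 3), (1, 3, 4)],                                   # f2
    [(), (4,), (3,), (3, 4), (2, 4), (2, 3), (1, 4), (1, 3), (1, 2), (1, 2, 4), (1, 2, 3)],  # f3
    [(3,), (2, 4), (1,), (1, 4), (1, 3, 4)],                                               # f4
]


def input_bits(x, n=N):
    """x as (x1, ..., xn); assumption: x1 is the most significant bit of the nibble."""
    return [(x >> (n - i)) & 1 for i in range(1, n + 1)]


def eval_anf(anf, x, n=N):
    """Evaluate all coordinates over GF(2); f1 becomes the most significant output bit."""
    xs = input_bits(x, n)
    out = 0
    for coord in anf:
        bit = 0
        for mono in coord:
            bit ^= int(all(xs[i - 1] for i in mono))   # product of the variables; all(()) is 1
        out = (out << 1) | bit
    return out


NIBBLESUB = [eval_anf(ANF, x) for x in range(1 << N)]


def cycle_structure(table):
    """{cycle length: number of cycles} of a permutation given as a lookup table."""
    seen, cycles = set(), {}
    for start in range(len(table)):
        if start in seen:
            continue
        length, x = 0, start
        while x not in seen:
            seen.add(x)
            x = table[x]
            length += 1
        cycles[length] = cycles.get(length, 0) + 1
    return cycles


def fixed_points(table):
    """Inputs x with S(x) = x."""
    return [x for x, y in enumerate(table) if y == x]


def negated_fixed_points(table):
    """Inputs x with S(x) equal to the bitwise complement of x."""
    mask = len(table) - 1
    return [x for x, y in enumerate(table) if y == x ^ mask]


if __name__ == "__main__":
    assert sorted(NIBBLESUB) == list(range(16)), "ANF (6.6) must define a permutation"
    print("NibbleSub:", [f"{v:x}" for v in NIBBLESUB])
    print("cycle structure:", cycle_structure(NIBBLESUB))            # {2: 1, 14: 1}
    print("fixed points:", fixed_points(NIBBLESUB))                  # []
    print("negated fixed points:", negated_fixed_points(NIBBLESUB))  # [2, 7] = (0,0,1,0), (0,1,1,1)
```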

Regarding the second moment of the auto-correlation coefficients, the absolute indicator is equal to 16 and the sum-of-squares indicator is 1408. Hence, NibbleSub does not achieve a good diffusion because its absolute indicator reaches the upper bound of 16 while its sum-of-squares indicator is quite close to the upper bound 4096.

A summary of the results for these criteria is represented in Table 6.6:

Table 6.6 NibbleSub Cryptographic criteria.

S-box       NL   NL2   LD   deg   AI   ACmax   σ      lp       dp
NibbleSub   2    0     0    2     2    16      1408   0.5625   0.5

Excluding the value of the first row and column, the Walsh Spectrum of the NibbleSub mapping takes values among 12, 8, 4, 0, −4, −8 and −12; the Linear Profile takes values among 144, 64, 16 and 0; the Differential Profile takes values among 2048, 1536, 1024, 512 and 0; finally, the Autocorrelation Spectrum is five-valued: 16, 8, 0, −8, −16.

6.2.2 Mini-AES Cipher Characterization

The algebraic degree of Mini-AES for all the possible 65536 values of the key has been analyzed. This study reveals that only one value of algebraic degree is obtained: 14, which indicates that Mini-AES has a fairly good resistance against higher order differential attacks since the maximum possible algebraic degree is 16.

In addition, the cycle structure of Mini-AES was analyzed for all the possible 65536 values of the key. It was found that no key values provide a high number of cycles: the key (expressed in hexadecimal representation) 0x9e06 has the maximum number of cycles, 28. No deficiency is expected with respect to this criterion.

For several keys, this cipher has a relevant number of fixed points and/or negated fixed points. The maximum number of fixed points is 7 for key values 0x0352, 0x4661, 0x5557 and 0x783f. The maximum number of negated fixed points is 9 for key values 0x1d9b and 0x7734. The key values 0x1d9b and 0x4661 have 11 fixed or negated fixed points and several values have 10 fixed or negated fixed points:

0x010a, 0x0164, 0x1ce9, 0x24cd, 0x2e38, 0x4a15, 0x5015, 0x7734, 0x783f, 0x9868, 0x9f18, 0xa8af, 0xaec4, 0xbc85, 0xc9ca, 0xdb09, 0xf580 (6.7)

This number of fixed and/or negated fixed points is not very high when compared with the total number of possible inputs/outputs (65536). We can conclude that the Mini-AES cipher is reasonably well designed from this point of view.

Several Walsh Spectra of Mini-AES for different keys have also been computed and from these the nonlinearities and linear potentials of Mini-AES for the 65536 keys have been obtained. Nonlinearities range from 31432 (with the key 69b0) to 32040 (with the key f7de) and linear potentials from 0.000493586 to 0.001662314. Although these nonlinearities are far from the maximum possible nonlinearity, 32640, the linear potentials do not reveal an obvious vulnerability to linear attacks.

6.3 CLEFIA

CLEFIA is a 128-bit block cipher designed by Sony Corporation [36] which employs two different types of 8-bit S-boxes: the first one, called S0, is based on four 4-bit random S-boxes, whereas the second one, called S1, is based on the inverse function over $GF(2^8)$. Figures 6.1 and 6.2 show the output values of S0 and S1, respectively. In these figures all values are expressed in hexadecimal form. For an 8-bit input of the S-box, the upper 4 bits indicate a row and the lower 4 bits indicate a column. For example, if we take the value 0xab as an input to S0, 0x7e will be the corresponding output since 7e is located at the intersection of the row indexed by “a.” and the column indexed by “.b”.

Fig. 6.1 CLEFIA S0.

Fig. 6.2 CLEFIA S1.

6.3.1 S0

$S_0 \in F_{8,8}$ is generated by combining four 4-bit S-boxes $SS_0, SS_1, SS_2$ and $SS_3$ in the following way. The values of these S-boxes are defined as shown in Table 6.7 and their Truth Tables are in Section B.1.

Step 1. $t_0 = SS_0(x_0)$, $t_1 = SS_1(x_1)$ where $x = x_0 | x_1$, $x_i \in V_4$

Step 2. $u_0 = t_0 + \mathtt{0x2} \cdot t_1$, $u_1 = \mathtt{0x2} \cdot t_0 + t_1$

Step 3. $y_0 = SS_2(u_0)$, $y_1 = SS_3(u_1)$ where $y = y_0 | y_1$, $y_i \in V_4$ (6.8)

Table 6.7 Tables of CLEFIA S-boxes SSi (0 ≤ i ≤ 3).

x        0 1 2 3 4 5 6 7 8 9 a b c d e f
SS0(x)   e 6 c a 8 7 2 f b 1 4 0 5 9 d 3
SS1(x)   6 4 0 d 2 b a 3 9 c e f 8 7 5 1
SS2(x)   b 8 5 e a 6 4 c f 7 2 3 1 0 d 9
SS3(x)   a 2 6 d 3 4 5 e 0 7 8 9 b f c 1

The multiplication in 0x2 · t_i is performed in $GF(2^4)$ defined by the lexicographically first primitive polynomial $x^4 + x + 1$. Here we provide the table of multiplication of 0x2 with an element modulo $x^4 + x + 1$. The entries in Table 6.8 are represented in hexadecimal notation for compactness. The column indices represent the element to be multiplied by 0x2 modulo $x^4 + x + 1$, and the resulting product is given by the corresponding entry in the column. Its Truth Table can be seen in Section B.2. Figure 6.3 shows the construction of S0.

Table 6.8 Table of the multiplication 0x2 · x.

x         0 1 2 3 4 5 6 7 8 9 a b c d e f
0x2 · x   0 2 4 6 8 a c e 3 1 7 5 b 9 f d

Hence, CLEFIA S0 can be denoted by:

$S_0(x_0, x_1) = \left( SS_2\big(SS_0(x_0) \oplus Mul2(SS_1(x_1))\big),\; SS_3\big(Mul2(SS_0(x_0)) \oplus SS_1(x_1)\big) \right)$

where the symbol ⊕ refers to the direct sum of functions and $Mul2(x) = \mathtt{0x2} \cdot x$.
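As an added example (not the thesis' VBF code), the following Python rebuilds S0 from Table 6.7, Table 6.8 and construction (6.8), checks the S0(0xab) = 0x7e case quoted at the start of Section 6.3, and recomputes the spectral radius, nonlinearity, linear potential and differential potential that Table 6.9 lists for the intermediate map u0 and for S0; the nibble ordering x = x0|x1 with x0 the upper nibble is assumed from the text.

```python
# Added example (not the thesis' VBF code): rebuild CLEFIA S0 from Table 6.7,
# the GF(2^4) doubling of Table 6.8 and construction (6.8), then recompute the
# Table 6.9 criteria r, NL, lp and dp for the intermediate map u0 and for S0.

# Table 6.7: the four 4-bit S-boxes SS0..SS3, indexed by the input nibble.
SS = [
    [0xe, 0x6, 0xc, 0xa, 0x8, 0x7, 0x2, 0xf, 0xb, 0x1, 0x4, 0x0, 0x5, 0x9, 0xd, 0x3],
    [0x6, 0x4, 0x0, 0xd, 0x2, 0xb, 0xa, 0x3, 0x9, 0xc, 0xe, 0xf, 0x8, 0x7, 0x5, 0x1],
    [0xb, 0x8, 0x5, 0xe, 0xa, 0x6, 0x4, 0xc, 0xf, 0x7, 0x2, 0x3, 0x1, 0x0, 0xd, 0x9],
    [0xa, 0x2, 0x6, 0xd, 0x3, 0x4, 0x5, 0xe, 0x0, 0x7, 0x8, 0x9, 0xb, 0xf, 0xc, 0x1],
]


def mul2(t):
    """0x2 * t in GF(2^4) with modulus x^4 + x + 1 (reproduces Table 6.8)."""
    t <<= 1
    if t & 0x10:      # an x^4 term appeared: replace it by x + 1
        t ^= 0x13     # 0x13 is the polynomial x^4 + x + 1
    return t & 0xf


def s0_steps(x):
    """Construction (6.8). Returns (u0, u1, y) so the intermediate maps can be measured.
    Assumption (from the text): x = x0 | x1 with x0 the upper nibble."""
    x0, x1 = x >> 4, x & 0xf                    # Step 1
    t0, t1 = SS[0][x0], SS[1][x1]
    u0, u1 = t0 ^ mul2(t1), mul2(t0) ^ t1       # Step 2
    y0, y1 = SS[2][u0], SS[3][u1]               # Step 3
    return u0, u1, (y0 << 4) | y1


def s0(x):
    return s0_steps(x)[2]


def walsh_spectrum(f):
    """Fast Walsh-Hadamard transform of a Boolean function given as a 0/1 list."""
    w = [1 - 2 * v for v in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def parity(v):
    return bin(v).count("1") & 1


def spectral_radius(table, n_out):
    """r = max |W_F(a, b)| over every input mask a and non-zero output mask b."""
    return max(abs(w) for b in range(1, 1 << n_out)
               for w in walsh_spectrum([parity(b & y) for y in table]))


def differential_uniformity(table):
    """Largest DDT entry #{x : F(x) ^ F(x ^ a) = c} over a != 0 and all c."""
    size, best = len(table), 0
    for a in range(1, size):
        counts = {}
        for x in range(size):
            c = table[x] ^ table[x ^ a]
            counts[c] = counts.get(c, 0) + 1
        best = max(best, max(counts.values()))
    return best


def criteria(table, n_in, n_out):
    """(r, NL, lp, dp) for a mapping in F_{n_in, n_out} given as a lookup table."""
    r = spectral_radius(table, n_out)
    nl = (1 << (n_in - 1)) - r // 2
    lp = (r / (1 << n_in)) ** 2
    dp = differential_uniformity(table) / (1 << n_in)
    return r, nl, lp, dp


S0_TABLE = [s0(x) for x in range(256)]
U0_TABLE = [s0_steps(x)[0] for x in range(256)]

if __name__ == "__main__":
    print(f"S0(0xab) = 0x{s0(0xab):02x}")   # 0x7e, the worked case in Section 6.3
    print("u0:", criteria(U0_TABLE, 8, 4))  # (64, 96, 0.0625, 0.25)
    print("S0:", criteria(S0_TABLE, 8, 8))  # (56, 100, 0.0478515625, 0.0390625)
```

The u0 row illustrates the direct-sum remark made after Table 6.9: r and lp are the products of the SS0 and Mul2∘SS1 values (8·8 = 64, 0.25·0.25 = 0.0625) while dp stays at 0.25.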

Table 6.9 summarizes the values of the spectral radius, nonlinearity, linear potential, differential potential, absolute indicator and linearity distance of the several constructions from step 1 to step 3 up to obtaining S0 (there, the symbol ◦ refers to the composition of functions).

Fig. 6.3 CLEFIA S-box S0.

Table 6.9 Results of spectral radius (r), NL, lp, dp, ACmax and LD for the CLEFIA S0 construction.

S-box                      r    NL    lp             dp          ACmax   LD
t0 = SS0                   8    4     0.25           0.25        16      0
t1 = SS1                   8    4     0.25           0.25        16      0
SS2                        8    4     0.25           0.25        16      0
SS3                        8    4     0.25           0.25        16      0
Mul2(x) = 0x2 · x          16   0     1              1           16      0
0x2 · t0 = Mul2 ◦ SS0      8    4     0.25           0.25        16      0
0x2 · t1 = Mul2 ◦ SS1      8    4     0.25           0.25        16      0
u0 = SS0 ⊕ (Mul2 ◦ SS1)    64   96    0.0625         0.25        256     0
u1 = (Mul2 ◦ SS0) ⊕ SS1    64   96    0.0625         0.25        256     0
y0 = SS2 ◦ u0              56   100   0.0478515625   0.15625     96      40
y1 = SS3 ◦ u1              56   100   0.0478515625   0.15625     88      42
S0 = y = (y0, y1)          56   100   0.0478515625   0.0390625   96      40

Note that the criteria are unaltered when the multiplication in 0x2 · t_i is performed. u0 and u1 are constructed by direct sum, and the spectral radius, linear potential and absolute indicators of both input Vector Boolean functions are multiplied while the differential potential is maintained. y is obtained by adding the coordinate functions y0 and y1, and the criteria from the input functions are maintained except for the differential potential, which is multiplied by 2; the resulting absolute indicator is equal to the maximum of the input absolute indicators and consequently the linearity distance is equal to the minimum of the input linearity distances.

CLEFIA’s authors declare lp(S0) to be $2^{-4.38} = 0.04802734941525$, which is very close to the value calculated via VBF: 0.0478515625. They also declare dp(S0) to be $2^{-4.67} = 0.03928166795381$, where the value computed via VBF is 0.0390625.

In CLEFIA, $GF(2^8)$ is constructed with the irreducible polynomial $g(x) = x^8 + x^4 + x^3 + x^2 + 1$. The Trace representation of S0 is described in Section B.4. The number of terms over this irreducible polynomial is 246, close to the maximum value, 255, for a permutation over $GF(2^8)$. This fact makes it very unlikely that the interpolation attack poses any threat to CLEFIA.

Table 6.10 summarizes the values of the algebraic degree, algebraic immunity, sum-of-squares indicator and correlation immunity of S1.

Table 6.10 Results of deg, AI, σ and CI for the CLEFIA S0 construction.

S-box                      deg   AI   σ        CI
t0 = SS0                   2     2    1024     0
t1 = SS1                   2     2    1024     0
SS2                        2     2    1024     0
SS3                        2     2    1024     0
Mul2(x) = 0x2 · x          1     1    4096     0
0x2 · t0 = Mul2 ◦ SS0      2     2    1024     0
0x2 · t1 = Mul2 ◦ SS1      2     2    1024     0
u0 = SS0 ⊕ (Mul2 ◦ SS1)    3     3    256      1
u1 = (Mul2 ◦ SS0) ⊕ SS1    3     3    256      1
y0 = SS2 ◦ u0              6     4    269056   1
y1 = SS3 ◦ u1              6     4    246784   1
S0 = y = (y0, y1)          6     4    269056   0

CLEFIA’s authors declare deg(S0) to be 6, which is exactly the same value calculated via the VBF library.

6.3.2 S1

Table 6.11 summarizes the values of the spectral radius, nonlinearity, linear potential, differential potential, absolute indicator, linearity distance, algebraic degree, algebraic immunity, sum-of-squares indicator and correlation immunity of S1.

Table 6.11 Results of spectral radius (r), NL, lp, dp, ACmax, LD, deg, AI, σ and CI for CLEFIA S1.

S-box   r    NL    lp         dp         ACmax   LD   deg   AI   σ        CI
S1      32   112   0.015625   0.015625   32      56   7     4    133120   0

In CLEFIA, $GF(2^8)$ is constructed with the irreducible polynomial $g(x) = x^8 + x^4 + x^3 + x^2 + 1$. The Trace representation of S1 is described in Section B.4. The number of terms over this irreducible polynomial is 254, which is close to the maximum value, 255, for a permutation over $GF(2^8)$. This fact makes it very unlikely that the interpolation attack poses any threat to CLEFIA.

CLEFIA’s authors declare lp(S1) = dp(S1) to be $2^{-6} = 0.015625$ and deg(S0) to be 7; both correspond exactly to the values calculated via the VBF library.

In Table 6.12, some security properties of S0 are described which turn out to be considerably worse than those found in modern S-boxes based on field inversion.

Table 6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion.

S-box   NL    lp             dp          ACmax   LD   deg   AI   σ
S0      100   0.0478515625   0.0390625   96      40   6     4    269056
S1      112   0.015625       0.015625    32      56   7     4    133120

6.4 Computational Cost Results

This section assesses and displays the computational performance of the VBF library algorithms via its application to a cryptographic characterization of S-boxes with different sizes n×m. The program, described in Algorithm I in C.1, first generates random Truth Tables which correspond to vector Boolean functions with dimensions ranging from n = 4 to n = 17 and from m = 1 to m = 15. It then calculates the cryptographic criteria of the vector Boolean functions given by these Truth Tables. The calculations were performed on an Intel(R) Core(TM) i7-2600K CPU @3.40GHz, 16GB RAM, 1TB Debian Linux. Figure 6.4 presents the corresponding computing times graphically, which happen to be a good measure of the computational complexity, provided the computer resources are not exhausted. (If m+n is too large for the whole computation to take place in the available RAM, then the compute time will increase drastically due to hard disk swapping.)

Fig. 6.4 Overall CPU time in seconds for cryptographic characterization of n×m S-boxes.

As expected, in normal computer conditions the computational complexity grows exponentially in the bit length of the vector Boolean functions.

In Figure 6.5, we present detailed timing measurements corresponding to the different functions tested for the values n = 17 and m = 1. This heterogeneous distribution of the computing times reflects the diverse complexity of the different routines provided by the VBF library.

Fig. 6.5 CPU timing measurements for all functions in Algorithm I.


Chapter 7

Design of Cryptographically Robust Vector Boolean Functions

In Chapter 4 several criteria were presented which allow one to characterize the suitability of S-boxes for cryptosystem design. The most relevant criteria are those whose adjustment minimizes the risk of suffering well-known statistical attacks (such as differential and linear attacks); many of the current block ciphers make use of finite field based S-boxes having the best known values for some of these criteria [114].

The VBF library developed in this thesis provides a useful set of tools to analyze and design (in combination with optimization schemes) Vector Boolean functions with good cryptographic properties, suitable for use in S-box design.

This chapter is devoted to the practical implementation of robust Boolean functions as fundamental components for S-box design. First, the design of such functions is formalized as a Multi-Objective Combinatorial Optimization (MOCO) problem. Then, some relevant algebraic constructions are described for obtaining Boolean functions with good values for some criteria. Finally, we present several heuristic techniques which have been developed and applied in this thesis for addressing the MOCO problem, including a description of their algorithms and of the parameters they require.

7.1 Multi-Objective Combinatorial Optimization (MOCO)

7.1.1 Problem Formulation

Boolean functions to be used for S-box design in block ciphers and for the design of nonlinear filters and combiners in stream ciphers are required to satisfy various criteria. Although there is no total consensus about the necessary criteria to be taken into account in the design of robust Boolean functions, the most common criteria considered are the following (as we will see later, some of them are redundant since they just correspond to alternative representations of the same property): the function must be balanced, it must have high nonlinearity, high linearity distance, high algebraic degree, high algebraic immunity and low autocorrelation (both absolute and sum-of-squares indicators). From now on we will define the profile $P_n(f)$ of the n-input-variable Boolean function f as

$P_n(f) = (NL, \deg, AI, AC_{max}, \sigma, I)$

where NL stands for the nonlinearity, deg the algebraic degree, AI the algebraic immunity, ACmax the absolute indicator, σ the sum-of-squares indicator and I the imbalance. It is important to mention that the linearity distance, LD, is not included in the profile since it can be derived from ACmax, as described in Section 4.9; we decided to select ACmax between the two criteria because it is more employed in the literature. NL, deg and AI are criteria to be maximized, and ACmax and σ are criteria to be minimized. Concerning I, such a criterion (see Definition 4.5.2) will usually be required to reach the optimal balanced value (I = 0); in such cases it will become a constraint, as shown below.

Hence, the design of Vector Boolean functions with a good profile can be formalized as a specific type of optimization problem. First of all, the search for functions with good characteristics has to be performed within the set $F_n$, which is finite; hence such a search can be framed as a Combinatorial Optimization problem.

In addition, all the criteria of $P_n(f) = (NL, \deg, AI, AC_{max}, \sigma, I)$ need to be taken into account for determining the goodness of a given function. We can formulate $P_n(f) = C(f) = (C_1(f), \ldots, C_6(f))$, where each $C_i(f)$ is a function of the form:

$C_i : F_n \to \mathbb{R}, \quad i = 1, \ldots, 6$

so that $C_i$ is monotonically increasing with the goodness of the criterion. For instance, one could choose:

• $C_1(f) = NL(f)$,

• $C_2(f) = \deg(f)$,

• $C_3(f) = AI(f)$,

• $C_4(f) = LD(f)$ (it increases as $AC_{max}$ decreases),

• $C_5(f) = 2^{3n} - \sigma(f)$ (it would reach its maximum value for functions with optimal σ; see Table 4.2 for a description of the σ bounds),

• $C_6(f) = 2^{n-1} - I(f)$ (it would reach its maximum value for balanced functions).

In this context, we must define a new type of optimality in order to consider all $C = (C_1, \ldots, C_6)$ simultaneously; such a new optimality concept can be formalized, without loss of generality, as the search for

$``\max_{f \in F_n}" \; (C_1(f), \ldots, C_6(f)), \qquad (7.1)$

where “max” now needs to be defined (note that, equivalently, the problem could be defined as a minimization one). This definition of maximality is usually grounded in the Pareto optimality concept. Pareto optimality [57] establishes that

Definition 7.1.1. $f \in F_n$ is Pareto Optimal (or Efficient) if there does not exist another $g \in F_n$ such that $C_i(g) \ge C_i(f)$, $i = 1, \ldots, 6$, where strict inequality holds at least once (in such a case g should clearly be preferred to f).

If f is Pareto Efficient, then $C(f) = (C_1(f), \ldots, C_6(f))$ is called a non-dominated point. The set of all efficient points (in our case, functions) is called the Efficient Set and the set of all non-dominated points is called the Non-dominated Set.

Ideally, our final aim would be to determine the Efficient Set corresponding to the MOCOproblem (7.1).

7.1.2 Preferences among Criteria. Weighting Method

A way to simplify the MOCO problem is to assume some sort of preference or relative relevance among the criteria $C_i$. If $C_i$, $i = 1, \ldots, 6$, follow an order of preference, the multicriteria problem could be reformulated (e.g., using lexicographic order) into a single objective optimization problem.

Among the criteria defined in the profile, the Nonlinearity NL has usually been given preference. As we will see, many authors have primarily focused on it and we will also address its isolated optimization in Section 7.2.4.

Alternatively, if we assume a sort of (soft) relative relevance among the criteria, we can assign different “weights” to each one of them so that (7.1) can be reformulated as a standard optimization problem:

$\max_{f \in F_n} \sum_{i=1}^{6} w_i \cdot C_i(f) \qquad (7.2)$

This is the so-called Weighting Method and it can be sensitive to the assigned weights $w_i$, $i = 1, \ldots, 6$, and to the shape of the Pareto optimal set [164].

This approach is employed in Section 7.2.4 as a means of successively incorporating additional criteria into the optimization problem.

Strong Preferences or Restrictions

Finally, note that if we want some criterion $C_k$ to take a given value (let us say $c_k^0$), the problem could be reformulated as a search restricted to the subset $S = \{ f \in F_n \text{ such that } C_k(f) = c_k^0 \}$. Nevertheless, some algorithms that relax this condition in the initial stages (e.g., addressing the original problem (7.1) via the Weighting Method, where the corresponding kth additive term would be of the form $w_k \cdot |C_k(f) - c_k^0|$ with large negative $w_k$) may prove to be computationally efficient. These issues will be addressed below for the case of the balancedness criterion I (which is desired to take the value $2^{n-1}$).

Hence, for balanced Boolean functions with n input variables we will redefine the profile $P_n(f)$ as

$P_n(f) = C(f) = (NL, \deg, AI, AC_{max}, \sigma)$

where only 5 criteria are left for optimization.

7.2 Boolean Function Design Procedures

As the number n of input variables of the Boolean function increases, the number of functions in the space grows as $2^{2^n}$ and it quickly becomes unfeasible to exhaustively search the whole space, so that the probability of discovering optimal functions decreases. Thus, it becomes necessary to employ specific techniques to focus the search on certain parts of the space which presumably contain functions of interest (typically those which exhibit good values for one or more desirable cryptographic properties).

Techniques for the construction of good Boolean functions have included pseudo-random generation [10], [11], finite field inversion and power mappings [46], [9], [153], [154], [45], [127], [144], as well as various heuristic techniques [93], [8].

Among them, two main types of techniques have prevailed in the research field for searching robust Boolean functions: algebraic constructions and computational (heuristic) techniques. In this Section these two different procedures are considered. First, algebraic construction techniques are presented, which are well suited to find Boolean functions with good values for some specific criteria.

7.2.1 Algebraic Construction Techniques

The ability of finite field based S-boxes [114] to optimize the current S-box design criteria seems to have been the basis for a pause in research into the design of Vector Boolean functions suitable for S-boxes, as is evident from the lack of recent literature in this area.

Algebraic construction techniques are usually designed to obtain Boolean functions with a good value on some specific criteria. For instance, constructing Boolean functions with maximum possible nonlinearity is well-known when the number of input variables n is even but is an unsettled open problem in cryptography when the number of input variables is odd. For functions with an even number of variables n, the maximum possible nonlinearity $2^{n-1} - 2^{n/2-1}$ is attained by the bent functions. For odd n, the nonlinearity value $2^{n-1} - 2^{(n-1)/2}$ is known as the (lower) bent concatenation bound, since the concatenation of two bent functions on (n−1) variables yields n-variable functions achieving this bound. Special emphasis has been given to constructing highly nonlinear balanced Boolean functions [51], [61]. Tables 7.1 to 7.6 describe the maximum reached nonlinearity (besides some other criteria values) for non-balanced and balanced Boolean functions for several values of n.

However, when concentrating on a single property, the effect of other significant cryptographic properties has often been neglected. In the following, we show some of the best Boolean functions achieved for several, if not all, criteria of the profile defined in Section 7.1.1.

Best Known Pareto Efficient Boolean Functions

Since the determination of Pareto efficient functions is, in general, computationally unfeasible,we address the problem of determining the Best Known Pareto Efficient (BKPE) functions.

Definition 7.2.1. A function $f \in F_n$ is Best Known Pareto Efficient if there is no known $g \in F_n$ such that $C(g) > C(f)$.

Obviously, Pareto efficiency (provided the function is known) implies BKPE, but not vice versa, i.e., if a known function is not BKPE, it cannot be Pareto Efficient, whereas being BKPE does not guarantee Pareto Efficiency (see Figure 7.1).

In general, the set of BKPE functions can be considered as an approximation of the Pareto Efficient set in the sense that, as the green set of Known Functions (KF) increases, BKPE tends to PE (the dashed line tends to the boundary of PE and eventually PE will become a subset of KF).

Stanica and Sung in [148] defined constructions of Boolean functions that, on odd dimensions, satisfied $\sigma(f) = 2^{2n+1}$ and $NL(f) = 2^{n-1} - 2^{\lfloor n/2 \rfloor}$. They conjectured that if n is even, then $\sigma(f) = 2^{2n+2}$ and $NL(f) = 2^{n-1} - 2^{\lfloor n/2 \rfloor}$.

Fig. 7.1 Relationship between Known Functions, PE and BKPE (regions labelled: Space of all functions, PE, Known Functions, BKPE).

They also gave an example 8-variable balanced function $f_1$ whose ANF is $x_2 + x_7 + x_1 x_5 + x_2 x_5 + x_3 x_8 + x_4 x_7 + x_4 x_8 + x_5 x_6$ with the following criteria values:

$NL(f_1) = 112$, $AC_{max}(f_1) = 256$, $\sigma(f_1) = 262144 = 2^{2 \cdot 8 + 2}$

The values of the rest of the criteria are not so good: $\deg(f_1) = 2$, $AI(f_1) = 2$, which provides the following profile:

$P_8(f_1) = (112, 2, 2, 256, 262144)$

In addition, they constructed a 9-variable balanced function $f_2$ whose ANF is $x_2 + x_8 + x_1 x_6 + x_2 x_3 + x_2 x_6 + x_3 x_7 + x_4 x_9 + x_5 x_8 + x_5 x_9 + x_6 x_7$ with the following profile:

$P_9(f_2) = (240, 2, 2, 512, 524288)$, where $524288 = 2^{2 \cdot 9 + 1}$

Canteaut et al. in [20] defined a construction procedure for almost optimal functions. They provided two examples of 8-variable balanced functions with ANF:

$f_3(x_1, \ldots, x_8) = x_1 x_2 x_3 x_4 x_5 + x_1 x_3 x_7 + x_1 x_2 + x_3 x_4 + x_5 x_6 + x_8$

$f_4(x_1, \ldots, x_8) = x_1 x_3 x_4 x_6 + x_4 x_6 x_7 + x_1 x_2 + x_3 x_4 + x_5 x_6 + x_8$

which have respectively the following profiles:

$P_8(f_3) = (112, 5, 3, 256, 237568)$

$P_8(f_4) = (112, 4, 3, 256, 262144)$

Maitra in [88] constructed balanced functions for:

• Even number of variables $n \ge 6$ with:

$$NL = 2^{n-1} - 2^{n/2} + 2^{n/2-2}, \quad \deg = \max\left\{5, \tfrac{1}{2}(n-6)\right\}, \quad AC_{max} = 2^{n-1}, \quad \sigma = 2^{2n+0.89}$$

• Odd number of variables $n \ge 15$ with:

$$NL = 2^{n-1} - 2^{n/2} + 6\cdot 2^{(n-15)/2}, \quad \deg = \max\left\{14, \tfrac{1}{2}(n-15)\right\}, \quad AC_{max} = 2^{n-7.29}, \quad \sigma = 2^{2n+0.25}$$

Note that the Algebraic Immunity AI values are not provided for this construction. Table 7.1 summarizes the values for 8 and 15-variable balanced functions.

Table 7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for Maitra construction in [88].

n     NL       deg   ACmax   σ
8     116      5     128     120832
15    16282    14    208     1270799360

Sarkar and Maitra in [133] defined a construction of optimized resilient functions which yields $(2p+1)$-variable balanced functions with algebraic degree $2p$ and nonlinearity $2^{2p} - 2^p$ for $p \ge 1$. Table 7.2 summarizes the values for 9 to 15-variable balanced functions ($n$ odd).

Table 7.2 Nonlinearity and algebraic degree for the Sarkar and Maitra construction in [133].

n     NL       deg
9     240      8
11    992      10
13    4032     12
15    16256    14

Alternatively, Zhang and Zheng in [160] constructed balanced functions for an even number of variables so that:

$$NL \ge 2^{n-1} - 2^{n/2}, \quad AC_{max} \le 2^{n/2+1}, \quad \sigma = 2^{2n} + 2^{3n/2+3} - 2^{3n/2+1}$$

and for an odd number of variables so that:

$$NL \ge 2^{n-1} - 2^{(n-1)/2}, \quad AC_{max} \le 2^{(n-1)/2+1}, \quad \sigma = 2^{2(n-1)+3}$$

Note that nothing is said about the remaining criteria in this construction. Table 7.3 summarizes the values for 8 to 15-variable balanced functions.

Table 7.3 Nonlinearity, absolute and sum-of-squares indicators for Zhang and Zheng construction [160].

n     NL       ACmax    σ
8     112      ≤ 32     90112
9     240      ≤ 32     2^19 = 524288
10    480      ≤ 64     1245184
11    992      ≤ 64     2^23 = 8388608
12    1984     ≤ 128    18350080
13    4032     ≤ 128    2^27 = 134217728
14    8064     ≤ 256    281018368
15    16256    ≤ 256    2^31 = 2147483648

Carlet et al. in [26] introduced a construction of an $n$-variable Boolean function with algebraic immunity equal to $n/2$ (that is, optimal). Table 7.4 summarizes the values for 8 and 10-variable balanced functions.

Table 7.4 Nonlinearity, algebraic degree and algebraic immunity for Carlet construction [26].

n     NL     deg   AI
8     58     7     4
10    260    8     5

Charpin et al. in [30] introduced a construction, for any odd $k \ge 3$, of $\lfloor k/2 \rfloor$-resilient Boolean functions of $n = 2k-1$ variables of degree $k$ without linear structure and with nonlinearity $2^{n-1} - 2^{(n-1)/2}$. Table 7.5 summarizes the values for 9-variable balanced functions:

Table 7.5 Nonlinearity and algebraic degree for Charpin construction [30].

n     NL     deg
9     240    5

Filiol and Fontaine in [61] found 549339200 balanced functions for $n = 9$, that is 1142390 up to equivalence. They claimed that they are of degree 2, 3, 4, 5, 6, 7. They studied the corpus of idempotent functions in order to obtain these results.

Guillot in [68] presented an extension of the Maiorana-McFarland method for building Boolean functions with good cryptographic properties (mainly nonlinearity, resiliency and propagation). He obtained a 9-variable balanced function with nonlinearity 240 and absolute indicator 128, and a 10-variable 2-resilient and PC(2) Boolean function with nonlinearity 480 and absolute indicator 640.

Carlet and Gaborit in [27] described how the family of power functions $x^d$ generates balanced Boolean functions with good algebraic immunity and good nonlinearity, as shown in Table 7.6.

Table 7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions $x^d$.

n     d                    NL      deg   AI
8     31                   112     5     4
8     39 (Kasami)*         114     6     4
9     57 (Kasami)          224     4     4
9     59                   240     5     5
9     115                  240     5     5
10    241 (Kasami)         480     5     5
10    362                  480     5     5
10    31 (Dillon)*         486     9     5
10    339 (Dobbertin)*     480     9     5
11    315                  992     6     6
12    993 (Kasami)*        2000    11    6
12    63 (Dillon)*         2000    11    6
12    636*                 2000    11    6
13    993 (Kasami)         4032    6     6
13    939*                 4030    12    7
14    4033 (Kasami)        8064    7     7
14    127 (Dillon)*        8088    13    7

Those marked with * are balanced by modifying a small number of bits.

Best Known Vector Boolean Functions

All the authors mentioned above concentrated their optimization efforts on finding Boolean functions that satisfy a subset of the five criteria we consider essential for balanced Boolean functions used in S-boxes. Moreover, in order to design a cryptographically robust S-box, it is necessary to identify a set of Boolean functions whose linear combinations must have excellent profiles. Along this line, Nyberg in [114] gave two examples of transformations of $V_n$ that can be used to construct S-boxes with the following properties:

1. High nonlinearity, large distance from linear functions.

2. High algebraic degree, the degrees of the coordinate functions are large.

3. Resistance against the differential cryptanalysis.

4. Efficient construction and computability.

To satisfy requirement 3, Nyberg asserted that it is enough that, for every fixed nonzero input difference to the function, no output difference occurs with high probability. In other words, it is required that there is a uniform upper bound on the probability of the possible output differences. Nyberg defined the concept of differential uniformity in order to grasp this property, which is related to the Linearity Distance LD (see definition 3.8.3 for further details). The first example given in [114] is the inverse of the power polynomial $F(x) = x^{2^k+1} \in GF(2^n)$ with $n$ odd and $\gcd(n,k) = 1$. This mapping satisfies the following properties:

1. $NL(F^{-1}) = 2^{n-1} - 2^{\frac{n-1}{2}}$.

2. $F^{-1}$ is differentially 2-uniform, that is, $lp(F^{-1}) = \frac{2}{2^n}$.

3. $\deg(F^{-1}) = \frac{n+1}{2}$.

The second example given in [114] is the mapping $F(x) = x^{-1} \in GF(2^n)$ defined by:

$$F(x) = \begin{cases} x^{-1} & \text{if } x \ne 0 \\ 0 & \text{if } x = 0 \end{cases} \qquad (7.3)$$

This inversion mapping satisfies the following properties:

1. $NL(F) \ge 2^{n-1} - 2^{\frac{n}{2}}$.

2. $F$ is differentially 2-uniform if $n$ is odd ($lp(F) = \frac{2}{2^n}$) and differentially 4-uniform if $n$ is even ($lp(F) = \frac{4}{2^n}$).

3. $\deg(F) = n - 1$.

The last mapping has been used in the S-box design of some relevant block ciphers such as AES, Camellia, Clefia (only the S1 S-box), GrandCru, Hierocrypt3 and Square. They are $8 \times 8$ S-boxes based on inversion mappings over $GF(2^8)$ with the following properties:

1. $NL(F) \ge 2^{8-1} - 2^{\frac{8}{2}} = 112$.

2. $lp(F) = \frac{4}{2^8} = 0.015625$.

3. $\deg(F) = 8 - 1 = 7$.

We have performed an analysis of the component functions of these S-boxes, and all of them are balanced Boolean functions with the same profile: $P_8(f) = (112, 7, 4, 32, 133120)$. Moreover, the remaining values of the criteria within the profile are very good:

1. $AI(f) = 4$, which is the maximum possible algebraic immunity of an 8-variable function: $\lceil 8/2 \rceil = 4$.

2. $AC_{max}(f) = 32$, where the best achievable value for a balanced 8-variable function is 16.

3. $\sigma(f) = 133120$, where the best value known to the author of this thesis for a balanced 8-variable function is 88960.
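As an added worked example (not code from the thesis or from the VBF library), the following Python script recomputes the values just listed for an inversion-based S-box. It builds the AES S-box from $x^{-1}$ over $GF(2^8)$ followed by the FIPS-197 affine map (assumed here as the concrete instance of the inversion mapping), computes the profile of every nonzero component function through the Walsh, autocorrelation and Möbius transforms, checks the differential uniformity behind $lp(F) = 4/2^8$, and evaluates the same profile on the Stanica and Sung function $f_1$ from its ANF for comparison. Algebraic immunity is not computed, so the profiles here carry four criteria plus a balancedness flag instead of the five-entry $P_8(f)$.

```python
"""Added example: profile of the AES S-box components and of f1 (not thesis code)."""

def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf256_inv(x):
    """x^{-1} = x^254 in GF(2^8); 0 maps to 0, as in equation (7.3)."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf256_mul(r, base)
        base = gf256_mul(base, base)
        e >>= 1
    return r if x else 0

def aes_sbox(x):
    """Inversion followed by the FIPS-197 affine map y + rotl(y,1..4) + 0x63 (assumed)."""
    y = gf256_inv(x)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

def fwht(v):
    """Fast Walsh-Hadamard transform of an integer vector of length 2^n."""
    v = list(v)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v

def mobius(tt):
    """Truth table -> ANF coefficient vector (binary Moebius transform)."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def profile(tt):
    """(NL, deg, ACmax, sigma, balanced) of a Boolean function given by its truth table."""
    size = len(tt)
    n = size.bit_length() - 1
    W = fwht([1 - 2 * b for b in tt])                    # Walsh spectrum
    nl = 2 ** (n - 1) - max(abs(x) for x in W) // 2
    r = [x // size for x in fwht([x * x for x in W])]    # autocorrelation spectrum
    acmax = max(abs(x) for x in r[1:])
    sigma = sum(x * x for x in r)
    deg = max(bin(m).count("1") for m, c in enumerate(mobius(tt)) if c)
    return nl, deg, acmax, sigma, W[0] == 0

def component(sbox, mask):
    """Truth table of the component function x -> mask . S(x)."""
    return [bin(mask & sbox[x]).count("1") & 1 for x in range(len(sbox))]

def anf_truth_table(n, monomials):
    """Truth table of an ANF given as monomials (tuples of variable indices 1..n);
    x_i is read from bit i-1 of the input."""
    tt = []
    for x in range(1 << n):
        tt.append(sum(all((x >> (i - 1)) & 1 for i in m) for m in monomials) & 1)
    return tt

def differential_uniformity(sbox):
    """delta(S) = max over a != 0 and b of #{x : S(x) + S(x+a) = b}; lp(S) = delta / 2^n."""
    size, best = len(sbox), 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best

AES_SBOX = [aes_sbox(x) for x in range(256)]
# f1 of Stanica and Sung: x2 + x7 + x1x5 + x2x5 + x3x8 + x4x7 + x4x8 + x5x6
F1 = anf_truth_table(8, [(2,), (7,), (1, 5), (2, 5), (3, 8), (4, 7), (4, 8), (5, 6)])

def aes_component_profiles():
    """Set of distinct profiles over the 255 nonzero component functions of the AES S-box."""
    return {profile(component(AES_SBOX, m)) for m in range(1, 256)}

if __name__ == "__main__":
    print("AES S-box components:", aes_component_profiles())
    print("differential uniformity:", differential_uniformity(AES_SBOX))
    print("f1:", profile(F1))
```

All 255 component functions share one profile, as the text states, because every component of the inverse map is linearly equivalent to $Tr(x^{-1})$ (substitute $x \mapsto \lambda x$) and the affine layer only permutes and complements them; the autocorrelation spectrum is obtained as the inverse transform of the squared Walsh spectrum rather than by the $O(4^n)$ direct sum.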

The trade-offs between cryptographic criteria keep receiving a lot of attention in the Boolean function literature. The more criteria that have to be taken into account, the more difficult it is to generate Boolean functions satisfying those properties purely by constructive algebraic means. Hence, in the next Section, alternative design procedures are addressed.

7.2.2 Computational Techniques for Approximating the Efficient Set

As an alternative to algebraic construction techniques, purely computational procedures can be employed for approximating the Efficient Set corresponding to the MOCO problem (i.e., determining a set of Best Known Pareto Efficient functions).

Note that a naïve basic algorithm to find efficient solutions, such as direct pairwise comparison, would require $O(|\mathcal{F}_n|^2 p)$ operations. In practice, due to computational limitations, we "approximate" such a set by determining a set of functions $f$ which are efficient when compared to all the functions whose properties are known.

In general, the algorithms which can be applied to this type of MOCO problem do not have a formal guarantee of performance; hence they can be considered as "heuristics" [117]. These computational heuristic techniques are often applied to difficult or costly combinatorial problems, since they are well suited to search in large spaces looking for a number of satisfactory (not necessarily optimal) solutions. In general, these techniques are driven by a directed search algorithm, typically searching in a localized area from a specified starting point.


There are several well known classes of heuristic algorithms such as Local Search (including variants such as Hill Climbing [102] or Tabu Search [62]), Simulated Annealing [81], Genetic Algorithms [71], etc. (see [126] for a review).

Local Search Methods

Local Search methods rely on the concept of a neighbourhood of a given point (a given function in our case). Such a neighbourhood can be formalized as a function

$$N : \mathcal{F}_n \to 2^{\mathcal{F}_n}$$

This neighbourhood is searched at point $f \in \mathcal{F}_n$ for improvements, so that $g \in N(f)$ is selected if it satisfies $C(g) > C(f)$ (i.e., $C_k(g) \ge C_k(f)$, $k = 1, \ldots, 6$, and strict inequality holds at least once). In several contexts, this procedure (in its simplest form) is also denoted as Hill Climbing. The search stops when no improvement can be performed in an iteration.

The implementation and performance of a Local Search algorithm rely on the selection of the initial point and the design of the $N$ function. We will get back to these issues later.

Local Search methods have been successfully employed for code design [73], and they have also been employed in this chapter both for single criterion and multiple criteria optimization.

Evolutionary Algorithms

Evolutionary Algorithms (EAs) are especially well suited for multiobjective optimization, where a set of different efficient solutions is usually searched for, due to their population based approach [49]. Hence, many authors have addressed the use of EAs in such a context [37, 38]. Specifically, Genetic Algorithms (combined with Hill Climbing) are considered in [16] for finding Boolean functions with good cryptographic criteria. In this chapter, Genetic Algorithms and Local Search methods are combined to illustrate the potential of the VBF library.

Alternative classes of algorithms have also been employed in the literature of Boolean function design, such as Simulated Annealing [34], Particle Filters [137] and Particle Swarm Optimization [129]. Simulated Annealing will be considered in Section 7.2.4.

The analysis of Particle Filters and Particle Swarm Optimization algorithms with the VBF library is a future research topic.


7.2.3 The Balancedness Constraint

As mentioned in Section 4.5, balancedness is considered an essential property in the design of Vector Boolean functions for cryptography. Hence, it is a priority criterion when compared with the rest of the criteria in the MOCO problem (7.1).

Following the procedures presented in section 7.1.2, the search for balanced functions can be addressed in different ways. For instance, a search procedure can be defined restricted to lie within the subset $S = \{ f \in \mathcal{F}_n \text{ such that } I(f) = 0 \}$, where $I(f)$ stands for the imbalance of $f$. This restriction can be imposed in the generation procedures for new populations of GAs as well as in the selection of neighbourhood elements for Local Search methods.

Alternatively, one can relax such a condition in the initial stages of the algorithms with the aim of having more flexibility in the search procedures, imposing the condition more tightly as we approach the "neighbourhood" of a good solution. For instance, one can apply a Generalized Differential Evolution rule [55] where the closeness to zero imbalance is considered in the cost function, in the spirit explained in section 7.1.2.

7.2.4 Combining Different Algorithms

The performance of Local Search Methods strongly depends on the selection of the initial point (seed) from which to start the iterative search procedure. The selection of such an initial value $f_0$ may be grounded on known algebraic constructions such as those described in section 7.2.1.

Some cryptographic criteria may be sensitive to "local displacements" in the search. Hence, optimal functions may be surrounded by non-optimal ones, meaning that the selection of appropriate initial conditions remains an open issue. This fact justifies the use of Simulated Annealing and/or GAs for determining good enough functions which can be employed as initial conditions for applying (in a second phase) a Local Search Method.

Combining Simulated Annealing and Hill Climbing Methods

Kavut and Yucel in [80] described how to find balanced Boolean functions satisfying multiple desirable criteria such as high nonlinearity, low autocorrelation, balancedness and high algebraic degree. They presented in [80] some balanced 8 and 9-variable functions which were the best known in the computer search literature, in terms of joint optimization of nonlinearity and autocorrelation. Table 7.7, from [80], compares the best achieved computer search results for $(NL, \deg, AC_{max})$:

Note that the Kavut et al. results in [80] proved that the profiles provided by Clark et al. [33] [34] [35] for $n = 8$, $n = 10$ and $n = 11$ were not Pareto efficient.


Table 7.7 Comparison of the best achieved computer search results for $(NL, \deg, AC_{max})$.

Authors                        n = 8          n = 9          n = 10         n = 11
Kavut et al. [80]              (116,7,24)     (238,8,40)     (486,9,56)     (984,10,80)
                               (114,7,16)     (234,8,32)
                                              (236,8,32)
Clark et al. [33] [34] [35]    (116,7,24)     (238,8,40)     (486,9,72)     (984,9,96)
                               (112,5,16)                    (484,9,56)     (982,10,88)

Unfortunately, Kavut et al. [80] only provide the representation of one of the functions they found:

149016cdd1931f10860b4b8becef5557b8177a8565229b775e08f97b7692c32d

The profile for this 8-input balanced function is $P_8(f) = (114, 7, 4, 16, 88960)$.

Table 7.8 illustrates other results for 9-variable balanced Boolean functions with good profiles.

Table 7.8 Comparison of profiles with n = 9.

Authors                                  Profiles
Kavut et al. [77]                        (240,7,4,24,354176)
Saber et al. [131]                       (240,5,4,160,524288)
Read [125]                               (240,5,3,32,524288)
Burnett [16]                             (240,5,4,128,524288)
Stanica [148]                            (240,2,2,512,524288)
Misty 1 and KASUMI 9×9 S-box [2]         (240,2,2,512,524288)

Note again that the Kavut et al. results in [77] proved that all the profiles provided by Saber et al. [131], Read [125], Burnett [16], Stanica [148], Misty 1 and the KASUMI 9×9 S-box [2] for $n = 9$ were not Pareto efficient.

Table 7.9 illustrates other results for 11-variable balanced Boolean functions with good profiles.

Note again that the Kavut et al. results in [77] proved that, based on the limited number of criteria considered, the profiles provided by Johansson and Passalic [75] and Maximov et al. [95] were not Pareto efficient. They also proved that the two profiles in the second row provided by Read [125] were not Pareto efficient either.


Table 7.9 Comparison of profiles with n = 11.

Authors                        Profiles
Johansson and Passalic [75]    (992,5,−,−,−)
Maximov et al. [95]            (992,6,−,240,−)
Kavut et al. [77]              (988,10,5,56,5980928), (992,8,−,64,−)
Read [125]                     (992,4,3,64,8388608), (992,5,3,96,8388608)
                               (984,9,4,232,8514560), (970,10,3,192,9404288)
Dalai et al. [47]              (992,5,5,−,−)

Combining Genetic Algorithms and Hill Climbing Methods

In this section, we present a useful application of Genetic Algorithms to search for cryptographically robust Boolean functions. Genetic algorithms were designed to mimic natural evolutionary processes by operating on a genome population (a list of solutions to the problem). The genetic processes of selection, mating and mutation are combined in order to "breed" a superior genome (solution).

The Genetic Algorithm Library called GAlib was (straightforwardly) linked with our VBF library to perform a search of Boolean functions with good combined cryptographic criteria. In using the GAlib library we work primarily with two classes: a genome and a genetic algorithm. Each genome instance represents a single solution to our optimization problem. The genetic algorithm object defines how the evolution should take place. The genetic algorithm uses an objective function to determine how "fit" each genome is for survival. It uses the genome operators (built into the genome) and selection/replacement strategies (built into the genetic algorithm) to generate new individuals.

The following three items must be defined in order to solve an optimization problem using a genetic algorithm: a representation, the genetic operators and the objective function.

The genetic algorithm object determines which individuals should survive, which should reproduce, and which should die. It also records statistics and decides how long the evolution should continue. The algorithm updates the population of solutions over a number of iterations (or generations). We have used the number of generations as a stopping measure. In each iteration a number of steps are involved:

1. Selection of parents from the current population of solutions.

2. Crossover of parents to produce offspring.

3. Mutation of the offspring.


4. Selection from the mutated offspring and the current population of solutions to determine the population of solutions for the next iteration.

Among the many different types of genetic algorithms offered by GAlib, we have chosen the standard "simple genetic algorithm" described by Goldberg in his book [63]. This algorithm uses non-overlapping populations and optional elitism. Each generation the algorithm creates an entirely new population of individuals.

When you use a genetic algorithm to solve an optimization problem, you must be able to represent a single solution to your problem in a single data structure. The genetic algorithm will create a population of solutions based on a sample data structure that you provide. The genetic algorithm then operates on the population to evolve the best solution. In GAlib, the sample data structure is called a GAGenome (some people refer to it as a chromosome). We have used a type of genome called GA2DBinaryStringGenome. This class is derived from the base GAGenome class and a data structure class which consists of a 2-dimensional array of Booleans with $2^n$ elements (the binary string is the Truth Table of the Boolean function).

Each genome has three primary operators: initialization, mutation, and crossover. With these operators you can bias an initial population, define a mutation or crossover specific to our representation, or evolve parts of the genetic algorithm as our population evolves.

The initialization operator determines how the genome is initialized. It is called when you initialize a population or the genetic algorithm. This operator does not actually create new genomes; rather, it "stuffs" the genomes with the primordial genetic material from which all solutions will evolve. We have used a uniform random initialization operator.

The mutation operator defines the procedure for mutating each genome. The mutation operation introduces randomness to the population of solutions. Mutation is generally applied to the children which result from the breeding process. We have used the typical mutator for a binary string genome, which flips the bits in the string with a given probability (uniform random bit flip).

The crossover operator defines the procedure for generating a child from two parent genomes in order to obtain offspring. The crossover operation involves selecting two "parents" from the current population of solutions, picking a random point in the binary string representing each of the parents and swapping the values beyond that point between the two parents. This process results in two "children" with some characteristics of each of the parents.

Weighted Objective Function. In addition to the three primary operators, each genome must also contain an Objective Function. The Objective Function is used to evaluate the genome in order to know how good it is compared to the other genomes. Several objective functions were employed, gradually involving more criteria in a weighted manner:

1. Nonlinearity of the Boolean function: $NL(f)$. Boolean functions with very high nonlinearity pose some of the most challenging problems in the area of symmetric cryptography and combinatorics. As mentioned in Section 4.3, for the case of $n$ even the maximum possible nonlinearity is known. However, for $n$ odd, constructing Boolean functions with maximum possible nonlinearity is an unsettled open problem. So far sub-optimal results have been mainly obtained via heuristic search; for example, for $n = 9$ the best known nonlinearity result is 242 [79].

This cryptographic criterion is represented by a locally smooth fitness function:

$$o_1 = C_1(f) = NL(f) \qquad (7.4)$$

2. A weighted sum of criteria 1 and 4: the sum of the nonlinearity and linearity distance of the Boolean function, normalized with respect to their (a priori known) maximum values:

$$o_2 = w_1 C_1(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{LD(f)}{\max LD} \qquad (7.5)$$

where $\max NL$ and $\max LD$ are the maximum values of nonlinearity and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$, respectively.

3. A weighted sum of criteria 1, 2 and 4: the sum of nonlinearity, algebraic degree and linearity distance of the Boolean function, normalized with respect to their (a priori known) maximum values:

$$o_3 = w_1 C_1(f) + w_2 C_2(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{\deg(f)}{\max DEG} + \frac{LD(f)}{\max LD} \qquad (7.6)$$

where $\max NL$, $\max DEG$ and $\max LD$ are respectively the maximum values of nonlinearity, algebraic degree and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$.

4. A weighted sum of criteria 1, 2, 3 and 4: the sum of nonlinearity, algebraic degree, algebraic immunity and linearity distance of the Boolean function, normalized with respect to their (a priori known) maximum values:

$$o_4 = w_1 C_1(f) + w_2 C_2(f) + w_3 C_3(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{\deg(f)}{\max DEG} + \frac{AI(f)}{\max AI} + \frac{LD(f)}{\max LD} \qquad (7.7)$$

where $\max NL$, $\max DEG$, $\max AI$ and $\max LD$ are respectively the maximum values of nonlinearity, algebraic degree, algebraic immunity and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$.

5. A weighted sum of criteria 1, 2, 3, 4 and 5: the sum of nonlinearity, algebraic degree, algebraic immunity, linearity distance and sum-of-squares indicator of the Boolean function, normalized with respect to their (a priori known) extreme values (the sum-of-squares indicator enters reversed, since lower values are better):

$$o_5 = w_1 C_1(f) + w_2 C_2(f) + w_3 C_3(f) + w_4 C_4(f) + w_5 C_5(f) = \frac{NL(f)}{\max NL} + \frac{\deg(f)}{\max DEG} + \frac{AI(f)}{\max AI} + \frac{LD(f)}{\max LD} + \frac{2^{3n} - \sigma(f)}{\max\sigma - \min\sigma} \qquad (7.8)$$

where $\max NL$, $\max DEG$, $\max AI$, $\max LD$, $\max\sigma$ are respectively the maximum values of nonlinearity, algebraic degree, algebraic immunity, linearity distance and sum-of-squares indicator which can be achieved by a Boolean function with the same number of input variables as $f$; and $\min\sigma$ is the minimum value of the sum-of-squares indicator achievable by a Boolean function with the same number of input variables as $f$.

Note that the proposed weighting in the above objective functions is arbitrary and has been considered only as a first approach to their design. In general, a proper tuning of the corresponding weights is required in order to adjust the desired degree of priority among the different criteria. Although simulations have been performed for all the different objective functions (with the above weighting), we mainly focused on $o_1$ and $o_2$, since they are computationally the most tractable and they give total priority to nonlinearity and linearity distance.

We carried out exhaustive simulations by forming initial populations with different sizes: 100, 330, 1000, 3300, 10000 and 33000, for different numbers of variables, $n$, varying from 8 to 15. The experiments were performed on these populations for different numbers of generations (33, 100, 330, 1000). The probabilities of crossover used in the experiments were 0.9, 0.3, 0.1, 0.033, 0.01, and the probabilities of mutation were 0.33, 0.1, 0.033, 0.01, 0.0033, 0.001. Some of the results achieved for the above experiments are shown in Tables 7.10-7.15.
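The two-phase scheme of this subsection (a population-based search to produce a seed, then a Local Search from it) together with the balanced-neighbourhood restriction of section 7.2.3, as an added Python example that is not the thesis' GAlib/VBF code: a simple generational GA over 8-variable truth tables with uniform random initialization, one-point crossover, uniform bit-flip mutation, two elites and fitness $o_1 = NL(f)$, followed by a hill-climbing phase whose moves swap one 1-output with one 0-output so that every neighbour stays balanced and which accepts a move only on a strict increase of $NL$. The neighbour's Walsh spectrum is obtained by updating the current one rather than recomputing it, which is what makes truth-table local search affordable. Population size, generation count, probabilities, seed and the number of sampled moves per round are assumptions chosen so the script runs in a few seconds; they are not the settings of Table 7.11.

```python
"""Added example: GA seed + balanced hill climbing for 8-variable functions (not thesis code)."""
import random

N = 8
SIZE = 1 << N
# SIGN[w][x] = (-1)^{w . x}: the character the Walsh transform sums over
SIGN = [[1 - 2 * (bin(w & x).count("1") & 1) for x in range(SIZE)] for w in range(SIZE)]


def walsh(tt):
    """Walsh spectrum W(w) = sum_x (-1)^{f(x) + w.x} by the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < SIZE:
        for i in range(0, SIZE, 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def nl_from_spectrum(w):
    return (SIZE - max(abs(v) for v in w)) // 2


def nonlinearity(tt):
    return nl_from_spectrum(walsh(tt))


def is_balanced(tt):
    return sum(tt) == SIZE // 2


def ga_search(rng, pop_size=40, generations=30, p_cross=0.9, p_mut=0.01):
    """Simple generational GA: uniform random init, binary tournament selection,
    one-point crossover, uniform bit-flip mutation, two elites, fitness o1 = NL."""
    pop = [[rng.randrange(2) for _ in range(SIZE)] for _ in range(pop_size)]
    for _ in range(generations):
        ranked = sorted(pop, key=nonlinearity, reverse=True)

        def pick():
            return ranked[min(rng.randrange(pop_size), rng.randrange(pop_size))]

        children = [ranked[0][:], ranked[1][:]]
        while len(children) < pop_size:
            p1, p2 = pick(), pick()
            cut = rng.randrange(1, SIZE) if rng.random() < p_cross else SIZE
            c1, c2 = p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]
            for c in (c1, c2):
                for i in range(SIZE):
                    if rng.random() < p_mut:
                        c[i] ^= 1
            children += [c1, c2]
        pop = children[:pop_size]
    return max(pop, key=nonlinearity)


def make_balanced(tt, rng):
    """Repair step: flip randomly chosen bits of the majority value until I(f) = 0."""
    tt = tt[:]
    while not is_balanced(tt):
        maj = 1 if sum(tt) > SIZE // 2 else 0
        tt[rng.choice([x for x in range(SIZE) if tt[x] == maj])] ^= 1
    return tt


def hill_climb_balanced(tt, rng, rounds=60, samples=300):
    """Local search whose neighbourhood contains only balanced functions: a move
    swaps a 1-output x1 and a 0-output x0.  Flipping f(x) adds -2 (-1)^{f(x)} SIGN[w][x]
    to every W(w), so a neighbour's spectrum is an O(2^n) update of the current one.
    A move is accepted only on a strict increase of NL (first improvement found)."""
    tt, w = tt[:], walsh(tt)
    nl = nl_from_spectrum(w)
    for _ in range(rounds):
        ones = [x for x in range(SIZE) if tt[x]]
        zeros = [x for x in range(SIZE) if not tt[x]]
        for _ in range(samples):
            x1, x0 = rng.choice(ones), rng.choice(zeros)
            cand = [w[v] + 2 * SIGN[v][x1] - 2 * SIGN[v][x0] for v in range(SIZE)]
            cand_nl = nl_from_spectrum(cand)
            if cand_nl > nl:
                tt[x1], tt[x0], w, nl = 0, 1, cand, cand_nl
                break
        else:
            break  # no improving neighbour among the sampled moves: local optimum
    return tt, nl


def two_phase_search(seed=1):
    """Phase 1: GA seed, repaired to balance.  Phase 2: balanced hill climbing."""
    rng = random.Random(seed)
    f0 = make_balanced(ga_search(rng), rng)
    f1, nl1 = hill_climb_balanced(f0, rng)
    return f0, nonlinearity(f0), f1, nl1


if __name__ == "__main__":
    f0, nl0, f1, nl1 = two_phase_search()
    print("GA seed NL =", nl0, "-> after balanced hill climbing NL =", nl1)
```

The swap move is the simplest way to keep the search inside $S = \{f : I(f) = 0\}$; a full $2^{n-1} \times 2^{n-1}$ neighbourhood scan costs $O(4^n)$ spectrum updates per round, so the block samples moves and stops when a round finds no improvement, which is the stopping rule of the Local Search description above.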

Table 7.10 shows a comparison of our proposed algorithm versus the Genetic Algorithms (GA) implemented by Millan [101] and Dimovski et al. [50] in achieving high nonlinearity. Table 7.11 shows the results we obtained for balanced Boolean functions.

Table 7.12 shows the corresponding representations of the Boolean functions in Table 7.11.

Table 7.10 Comparison of nonlinearity achieved in Boolean functions.

n     Benchmark   GA (Millan)   GA (Dimovski et al.)   Our GA
8     120         113           113                    114
9     242         232           232                    232
10    496         475           475                    475
11    996         968           964                    967
12    2016        1964          1956                   1959
13    4040        3968          −                      3960
14    8128        7996          −                      7991
15    16276       16085         −                      16079

Table 7.11 Results obtained for different n-input balanced Boolean functions.

n     Profile                      Objec.   Pop. size   N. gener.   Prob. cross.   Prob. mut.
8     (112,7,4,40,127744)          o1       3300        330         0.01           0.001
9     (232,8,4,72,592640)          o1       1000        1000        0.1            0.1
10    (474,9,5,136,2617600)        o1       3300        1000        0.01           0.033
11    (966,10,5,216,10900352)      o1       330         1000        0.01           0.01
12    (1952,11,6,296,47699968)     o2       10000       33          0.033          0.01

Table 7.12 Representations of Boolean functions in Table 7.11.

n = 8:
49fad72ba27c85843c924ef4001254f5977c9a01e6eb6edf38fee6916664034b

n = 9:
4426103560e71d2bfafa6344d275d47c8d37287b80ef17d290dfc41096c9f41f75d67d7b72258c400f4d54f8327cb8fdacf7ba513d66cb076c36d802a9a11515

n = 10:
9972e6c586fc0456767226241d2b34122323ab4c09a8a71891fe5d520a723a643c4fa8728ab7c37587db18bd246b0c4fc47949f2deac995a71136dbac8846fe73a421393dd64144f9b595fc5caf2a3dde154756783dcb33dbac879fda1d1d659d4a1716b81cd63a64e3d3c93e6c2d42b68ed1200386c1e0c5ca59ee87f446ef9

n = 11:
a3bb5c09be9efcf5a53e3ce7f4e8c3760d490e56411127271bc947be858038553abe588892769e30248de5be0c690f23a0d240aa000245732d074549166c355492c2e4d17578cf59944702eaf2a5e4c9757aaac6f3d2688db8deb3515e1d4b5064eeea35844ad1ec69875b91cd647755f8338769d5d1932af21843cdff704a0dfc5a3e5dec05c624a64e0c9ffd196720b262277a66dfbaee4bebf06d5fe19bb835d8abaea371597490b47221f6432b3c3982cc9c766dab8825dd1d7bef7535e2cf77608026f4dabfe22ce794ada88d51473111d89cf7b93ba8d05f14e1d539f98746792544048c44442d674e68c9fca6a5b0d24c456dfe351f0a699528364dea

n = 12:
0df1e66f2e0a43ebac25e6de10b02026e29747bf333d606a71484fb487edb4dd249d82f0cd101ff7b328ac3c367a5a3fdab01a881fe078c93f54f186343cfbbc698ef5624d61b1cb3c8aee19f45188904dca0d719aebe71c595abb38464b7c715e2048d99685eab104d6563aa04854ece15b9384da3896a0b5b8e90e7562acf79850734eadf0416472ece5010282c14cef00182c827f989e20a1b1463ec9817748a9f8d98018d3ced4b2ed9b64b96dd895407ea77f9b9de6a3f5af90be4fa044ce5b72a5a6164e8e1f5346de13be3827bc4c43d592e4958b6a7e9547382e688248d2c5fa007ac10c32031d9e24f24d5fa2a02b708153b42f518fb445502906a85f56d56404e4b0a2a88cdeb658aa0f861e7f2afccdcee9ce3b45be9b4edea0f88177605e54dd8e230fbe4eb5fe40c8cfac8f9a0c3a58f6230c925422bed1b3baee703729d1994bcd2dacd7383f7e5051bbda718ca8a45db79a4364f3f9b8d43d8fde98c677721d8faec5bca5d836b964b592c1d60c0bb95652d2c134448a8c45a709753de6d898f490595055452f430b951fddbb40f7b68b6ff1b8794ae05f8fef3be932e716352e59f564e75d05818e736174dc77579cfa617ca32fbb4c40c9b01103ca949fe145ff692e8b72bea31a10ab67c55a88196af1f0337fc14d864bc2981f3abb48f03486c388977ac33d8a78eb5e939f6774b441db96e2f027b595

A Further One-step Hill Climbing. At this point, the VBF library can be employed to apply a one-step Hill Climbing for a search of 9-variable Boolean functions with highest nonlinearity. Using the previous algorithms, we had found 5121 Boolean functions with maximum known nonlinearity 242, which can be grouped into five different affine equivalence classes. Two Boolean functions $f, g$ are affine equivalent if the following equality holds (refer to section 3.10.1 for a detailed explanation of affine equivalence of Boolean functions):

$$g(x) = f(Ax + b) + c \cdot x + d \qquad (7.9)$$

where $A \in M_{n \times n}(GF(2))$, $b, c \in V_n$ and $d \in GF(2)$. There are some function properties which are invariant under the mapping defined in (7.9).

In fact, the five obtained affine equivalence classes can be identified by invariant properties such as the frequency distribution of the absolute values of the Walsh Spectrum and the Autocorrelation Spectrum. These invariants have been obtained for the five affine equivalence classes with the VBF library, providing the results in Tables 7.13 and 7.14:

Table 7.13 Frequency distribution of the absolute values of the Walsh Spectrum.

f Values

f1 (4,30),(12,46),(20,226),(28,210)f2 (4,30),(12,46),(20,226),(28,210)f3 (4,30),(12,46),(20,226),(28,210)f4 (4,56),(12,58),(20,154),(28,244)f5 (4,57),(12,91),(20,97),(28,267)

Table 7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum.

f    Values

f1   (0,129), (8,298), (16,60), (24,9), (32,2), (40,13), (512,1)
f2   (0,150), (8,196), (16,148), (24,12), (32,5), (512,1)
f3   (0,183), (8,223), (16,84), (24,6), (32,4), (40,10), (56,1), (512,1)
f4   (0,157), (8,232), (16,84), (24,8), (32,17), (40,10), (48,3), (512,1)
f5   (0,192), (8,156), (16,129), (24,9), (32,13), (40,3), (48,6), (64,3), (512,1)

1024 Boolean functions were found within each of the classes f1, f3, f4, f5 and 1025 within the class f2. The Truth Tables of all these Boolean functions are available at [156].

Using the VBF library, the value of other cryptographic criteria (algebraic degree, algebraic immunity, absolute indicator and sum-of-squares indicator) was easily computed for each one of these 5121 Boolean functions. Since such criteria values are invariant under affine transformations, they take the same value within each class. Table 7.15 shows such criteria values for the functions within each class. Note that if we consider the profile characteristics, we have that ACmax(f2) < ACmax(f1) < ACmax(f3) < ACmax(f5) and ACmax(f1) < ACmax(f4) < ACmax(f5). This implies that f1, f3, f4 and f5 are not Pareto efficient. Hence, f2 remains as the best choice.

Table 7.15 Additional cryptographic criteria for the f1-f5 classes.

Class   deg   AI   ACmax   σ

f1      7     4    40      324608
f2      7     4    32      324608
f3      7     4    56      324608
f4      7     4    48      343424
f5      7     4    64      354560

In fact, to the best of our knowledge, the whole set f2 may be Pareto efficient (i.e., it is Best Known Pareto Efficient).

An ad hoc one-step Hill Climbing was further performed in order to obtain balanced Boolean functions with n = 9 and nonlinearity greater than or equal to 240 from these unbalanced functions with nonlinearity 242. The idea behind this computational search consists of the following steps:

1. Search for unbalanced functions with nonlinearity 242 and weight either 254 or 258, that is, 2 bits away from the weight of a balanced function.

2. Change two bits in the selected functions in order to achieve a balanced function. By corollary 5.4.3, it is guaranteed that the nonlinearity of the Boolean functions obtained after step 2 is at least 240.

3. Remove repeated functions.

4. Calculate the profile of the remaining functions.

5. Select the functions with the best profiles in the Pareto sense.

After executing this algorithm on the Boolean functions with nonlinearity 242 described above, the following results were obtained:

• 567 different profiles were found with nonlinearity 240 and algebraic degree 8.

• The algebraic immunity takes values from the set {4,5}.

• The linearity distance takes values from the set {110,112,114,116,118,120,122}.

• The absolute indicator takes values from the set {24,32,40,48,56,64,72}.



• The sum-of-squares takes 137 different values between 323456 and 377600.

Some examples of balanced Boolean functions with Best Known Pareto Efficient profiles are:

P9(f1) = (240, 8, 4, 24, 339200) with hexadecimal representation:

115bd52305367fc6a07c098e8b1e1d21d5fd983ce40979a1da85ce591d02540efebd4a7a34dddf4d6c6a1b57f350b54e9420c3998eba1176c6e8fb9b8406f10f

Note that by giving this profile we have proved that the profile provided by Kavut et al. [77] is not Pareto Efficient.

P9(f2) = (240, 8, 5, 40, 347648) with hexadecimal representation:

1de90d23b5024350f57f9f6020396aa70b8775b1ccb4c9b01dec1d00b6435a0e6314f2d55afcfd3955df9b7383dc69f1c786b9a0cc91daae7529a9323d274047
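As an added example (not code from the thesis or from the VBF library), the following Python walks through steps 1 to 5 above together with the profile computation they rely on: Walsh spectrum, nonlinearity, algebraic degree, autocorrelation (ACmax and σ), the two-bit balancing step with duplicate removal, and the Pareto selection that leaves only f2 of Table 7.15. Algebraic immunity is left out, and the hex truth table of P9(f1) quoted above is reread under an assumed nibble order (left to right, most significant bit first), which at worst differs from the thesis's by an affine change of input and so leaves these invariants unchanged. The n = 4 bent function fed to the two-flip step is a constructed stand-in for the weight-254 functions, which are not reproduced here.

```python
from itertools import combinations

# Truth table of the balanced n = 9 function P9(f1) quoted in this section; the
# thesis gives its profile (NL, deg, AI, ACmax, sigma) as (240, 8, 4, 24, 339200).
F1_HEX = ("115bd52305367fc6a07c098e8b1e1d21d5fd983ce40979a1da85ce591d02540e"
          "febd4a7a34dddf4d6c6a1b57f350b54e9420c3998eba1176c6e8fb9b8406f10f")

# Table 7.15 of this section as (NL, deg, ACmax, sigma); AI (4 for all) is omitted.
TABLE_7_15 = {"f1": (242, 7, 40, 324608), "f2": (242, 7, 32, 324608),
              "f3": (242, 7, 56, 324608), "f4": (242, 7, 48, 343424),
              "f5": (242, 7, 64, 354560)}

# Autocorrelation distribution of class f1 from Table 7.14 as (|r(a)|, count).
TABLE_7_14_F1 = [(0, 129), (8, 298), (16, 60), (24, 9), (32, 2), (40, 13), (512, 1)]

# Constructed input for the two-flip step: the bent function x1x2 + x3x4 on n = 4
# (weight 6, NL 6), i.e. two bits away from balanced, like the weight-254 functions.
BENT4 = [(((x >> 3) & (x >> 2)) ^ ((x >> 1) & x)) & 1 for x in range(16)]


def hex_to_tt(hexstr):
    """Truth table (list of 0/1 indexed by the input x) from a hex string, nibbles
    left to right, most significant bit first.  Assumption: any other bit-order
    convention differs from this one only by x -> x XOR c, an affine change of
    input, which leaves NL, degree, ACmax and sigma unchanged."""
    return [(int(ch, 16) >> k) & 1 for ch in hexstr for k in (3, 2, 1, 0)]


def walsh_spectrum(tt):
    """Walsh-Hadamard transform of (-1)^f, in-place butterfly, O(n 2^n)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def nonlinearity(tt):
    """NL = 2^(n-1) - max|W| / 2."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def algebraic_degree(tt):
    """Degree of the ANF (Moebius transform: the same butterfly with XOR)."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(m).count("1") for m, c in enumerate(a) if c), default=0)


def autocorrelation(tt):
    """r(a) = sum_x (-1)^(f(x) + f(x XOR a)) for every a; r(0) = 2^n."""
    s = [1 - 2 * b for b in tt]
    return [sum(s[x] * s[x ^ a] for x in range(len(s))) for a in range(len(s))]


def profile(tt):
    """(NL, deg, ACmax, sigma); ACmax skips a = 0, sigma includes it, as in Table 7.15."""
    r = autocorrelation(tt)
    return (nonlinearity(tt), algebraic_degree(tt),
            max(abs(v) for v in r[1:]), sum(v * v for v in r))


def sigma_from_distribution(dist):
    """sigma recomputed from a (|r(a)|, count) frequency table such as Table 7.14."""
    return sum(count * value * value for value, count in dist)


def balance_by_two_flips(tt, nl_floor):
    """Steps 1-3: tt must have weight 2^(n-1) +- 2.  Flip every pair of bits holding
    the majority value (giving a balanced function), keep those with NL >= nl_floor
    (flipping k bits moves every Walsh coefficient by at most 2k, so NL drops by at
    most k; nl_floor = NL(tt) - 2 therefore never rejects a candidate) and drop
    duplicates.  Returns {truth table as tuple: NL}."""
    half = len(tt) // 2
    wt = sum(tt)
    if wt not in (half - 2, half + 2):
        raise ValueError("weight must be exactly 2 away from balanced")
    majority = 1 if wt > half else 0
    positions = [x for x, b in enumerate(tt) if b == majority]
    found = {}
    for p, q in combinations(positions, 2):
        g = list(tt)
        g[p] ^= 1
        g[q] ^= 1
        nl = nonlinearity(g)
        if nl >= nl_floor:
            found.setdefault(tuple(g), nl)   # step 3: repeated functions collapse here
    return found


def pareto_front(profiles):
    """Step 5: keep the profiles that no other profile dominates.  NL and deg are
    maximised, ACmax and sigma minimised."""
    def dominates(a, b):
        return (a != b and a[0] >= b[0] and a[1] >= b[1]
                and a[2] <= b[2] and a[3] <= b[3])
    return {name: p for name, p in profiles.items()
            if not any(dominates(other, p) for other in profiles.values())}


if __name__ == "__main__":
    print("P9(f1) profile without AI:", profile(hex_to_tt(F1_HEX)))
    print("Pareto efficient classes of Table 7.15:", sorted(pareto_front(TABLE_7_15)))
    balanced = balance_by_two_flips(BENT4, nonlinearity(BENT4) - 2)
    print(len(balanced), "balanced 4-variable functions with NL values", set(balanced.values()))
```

For the n = 4 input every output has nonlinearity exactly 4, which is both the floor the corollary promises (6 minus 2) and the maximum possible for a balanced 4-variable function.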

The same algorithm was executed to obtain balanced Boolean functions for n = 11, providing the following results:

• 3131 different profiles were found with nonlinearity 992.

• The algebraic degree takes values from the set {9,10}.

• The algebraic immunity takes values from the set {4,5}.

• The absolute indicator takes values from the set {120,128,136,144,160,168,176,192,200,208,224,232,240,248,256,264}.

• The sum-of-squares indicator takes 659 different values between 5253632 and 5844608.



Two examples of balanced Boolean functions with Best Known Pareto Efficient profiles are:

P11(f3) = (992, 10, 5, 120, 5311616) with hexadecimal representation:


and P11(f4) = (992, 10, 5, 168, 5253632) with hexadecimal representation:


In Table 7.16 we compare the profiles of these functions with the best profiles for balanced Boolean functions obtained for n = 9 and n = 11. In summary, the Best Known Pareto Efficient (BKPE) Boolean functions obtained satisfy:

• For n = 9, they are the only existing BKPE functions, since they are strictly better than all the functions provided by other authors. (Remember that the functions provided in Kavut et al. [80] [77] discarded all alternative proposals; and now we have discarded Kavut's functions by proving that they were not Pareto Efficient either.)

• For n = 11, they provide better values for the criteria (NL, deg, AI, σ) and worse values for ACmax. In general, these four criteria (especially (NL, deg)) are considered to be more relevant than ACmax. Hence, the obtained BKPE functions may be considered very competitive within the whole set of BKPE functions.



Table 7.16 Comparison of the best results for (NL, deg, AI, ACmax, σ).

Results (NL, deg, AI, ACmax, σ) for n = 9 and n = 11:

Kavut et al. [80] [77]
  n = 9:   (238,8,−,40,−)          (240,7,4,24,354176)
  n = 11:  (984,10,−,80,−)         (988,10,5,56,5980928)    (992,8,−,64,−)

Ours
  n = 9:   (240,7,4,32,324608)     (240,8,4,24,339200)      (240,8,5,40,347648)
  n = 11:  (992,10,5,120,5311616)  (992,10,5,168,5253632)


Chapter 8

Conclusions and Future Research

This chapter starts by presenting, in the first section, a summary of the research performed in this thesis. This is followed, in the second and final section, by a discussion of possible future directions that could extend the performed research.

8.1 Summary and Conclusions of the Thesis

The research presented in this thesis has fulfilled the aim to expand the boundaries of Vector Boolean function knowledge and, in particular, to provide a library, called VBF, for the study and evaluation of Vector Boolean functions.

The main contributions of the thesis come from the objectives and corresponding outcomes outlined in Chapter 1. Here, we comment on such results:

• The theoretical results allow for an efficient library coding, a systematic analysis of Vector Boolean functions as basic constituents of Block Ciphers, and a way to analyze combinations of such constituents (as the ones illustrated in existing ciphers).

• The VBF library features, such as being open source and general purpose, among others, make it very useful when compared with other analysis software. The performance and utilities of VBF have been grounded on the analysis of the typical forms of Vector Boolean representation and their relationships, as well as on the analysis of cryptographic criteria of Vector Boolean functions, so that they have been efficiently implemented in the VBF library.

• The combination of the theoretical results and the VBF library implementation has made it possible to perform research located between the cryptanalysis and the cryptographic design of symmetric cryptographic algorithms, helping in the design of robust ciphers.



• A good understanding of the existing cryptographic attacks has been achieved, leading to a solid grasp of the desired properties or conditions on the algorithms' building blocks (to be modelled as Vector Boolean functions or S-boxes), as well as of their relationships.

• The detailed cryptanalysis performed for several existing modern ciphers provides an excellent framework for understanding their behavior and suggesting different ways to improve their performance.

• The VBF library has been easily linked with computational optimization schemes, so that these schemes have been successfully employed to find brand new Best Known Pareto Efficient (BKPE) Boolean functions.

• Some of the obtained Boolean functions are the only BKPE ones, i.e., they are strictly better than all the other functions known to date.

It is worth mentioning that these computations have been performed with limited computational resources (personal computers).

8.2 Future Directions

There are many open problems in the research related to Vector Boolean functions in cryptography. A list of basic open questions related to the nonlinearity of Boolean functions has been presented by Dobbertin in [52]. However, all these problems are considered to be very hard, since they are related to longstanding open problems in Reed-Muller codes. Instead, we present below a list of several open problems which we believe are challenging and tractable in future research.

During and subsequent to the research performed for this thesis, a number of areas of future work have been identified. We now discuss directions for future research which involve both an extension of some of the work contained in this thesis, and new topics of related work which could also be investigated.

1. As a fundamental theoretical result, it would be interesting to enumerate the existing bent functions for a high number of input variables.

2. The use of parallel computer processing techniques would aid in the implementation of larger computer experiments with the VBF library. This would allow for a more exhaustive exploration of the type o3, o4 and o5 objective functions with different tunings of their weighting parameters.



3. New methods for constructing strong Vector Boolean functions which are a combination of heuristic techniques and algebraic constructions would be a worthwhile direction of research. The rationale for this is that inherent limitations of each technique may possibly be overcome by combining the two approaches to work towards capitalizing on their advantages. Heuristic techniques tend to be able to produce a large number of functions with good cryptographic properties but become inefficient for very large numbers of inputs. Algebraic constructions, on the other hand, typically enable the construction of a small number of functions with optimal or close to optimal properties, often with potential weaknesses in their structure, while the number of inputs tends to be of less relevance than with heuristic searches.

4. The analysis of the linear combinations of robust Boolean functions would help to identify possible candidates for coordinates of robust S-boxes.

5. The practical design of a Boolean function or S-box should not only focus on optimizing cryptographic properties but should also keep the implementation complexity (neglected by many authors until now) in mind. Having relied on scarce computational resources, this thesis has partially (and implicitly) considered such practical aspects, but it is important to address this issue more deeply in future research.


References

[1] 3rd Generation Partnership Project (2001). Security Algorithms Group of Experts (SAGE); report on the evaluation of 3GPP Standard Confidentiality and Integrity Algorithms (SAGE version 2.0). Technical report, 3GPP. http://www.3gpp.org.

[2] 3rd Generation Partnership Project (2005). Specification of the 3GPP confidentiality and integrity algorithms - Document 2: KASUMI specification (Release 6), 3GPP TS 35.202 V6.1.0 (2005-09). Technical report, 3GPP.

[3] Adams, C. M. and Tavares, S. E. (1993). Designing S-boxes for ciphers resistant to differential cryptanalysis (extended abstract). In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pages 181–190.

[4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de Walsh al criptoanálisis lineal y diferencial. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI'2005), pages 11–18. Thomson.

[5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress.

[6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. In Jaydip Sen (Ed.), Cryptography and Security in Computing. InTech. http://www.intechopen.com/books/cryptography-and-security-in-computing/cryptographic-criteria-on-vector-boolean-functions.

[7] Álvarez-Cubero, J. A. and Zufiria, P. J. (In press). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software.

[8] Anderson, R., Biham, E., and Knudsen, L. (2000). Serpent: A proposal for the Advanced Encryption Standard.

[9] Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Matsui, A. M., Moriai, S., Nakajima, J., and Tokita, T. (2000). Camellia: A 128-bit block cipher suitable for multiple platforms - design and analysis.



[10] Barreto, P. S. and Rijmen, V. (2000a). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/anubis.zip.

[11] Barreto, P. S. and Rijmen, V. (2000b). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/khazad.zip.

[12] Bibliowicz, A., Cohen, P., and Biham, E. (2003). A system for assisting analysis of some block ciphers. Technical Report NES/DOC/TEC/WP2/007/2, Israel Institute of Technology, Haifa, Israel.

[13] Biham, E. and Shamir, A. (1990). Differential cryptanalysis of DES-like cryptosystems. In CRYPTO, pages 2–21.

[14] BOOLFUN (2010). Cryptographic Boolean functions. http://cran.r-project.org/web/packages/boolfun/index.html.

[15] Braeken, A., Borissov, S., Nikova, S., and B., P. (2004). Classification of Boolean functions of 6 variables or less with respect to cryptographic properties (extended version). IACR Cryptology ePrint Archive, 2004:248.

[16] Burnett, L. (2005). Heuristic Optimization of Boolean Functions and Substitution Boxes for Cryptography. PhD thesis, Queensland University of Technology, Australia.

[17] C. Ding, G. X. and Shan, W. (1991). The Stability Theory of Stream Ciphers. Springer-Verlag, Berlin. Lecture Notes in Computer Science Volume 561.

[18] Camion, P., Carlet, C., Charpin, P., and Sendrier, N. (1992). On correlation-immune functions. In CRYPTO '91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, pages 86–100, London, UK. Springer-Verlag.

[19] Canteaut, A. (2006). Open problems related to algebraic attacks on stream ciphers. In Ytrehus, C., editor, Coding and Cryptography, volume 3969 of Lecture Notes in Computer Science, pages 120–134. Springer Berlin Heidelberg.

[20] Canteaut, A., Carlet, C., Charpin, P., and Fontaine, C. (2000). Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions. In EUROCRYPT, pages 507–522.

[21] Carlet, C. (1993). Two new classes of bent functions. In EUROCRYPT, pages 77–101.

[22] Carlet, C. (2001). On the coset weight divisibility and nonlinearity of resilient and correlation immune functions. In Proceedings of SETA'01, pages 131–144. Springer.

[23] Carlet, C. (2004). On the secondary constructions of resilient and bent functions. In Progress in Computer Science and Applied Logic, pages 3–28.

[24] Carlet, C. (2008a). Boolean functions for cryptography and error correcting codes.

[25] Carlet, C. (2008b). On the higher order nonlinearities of Boolean functions and S-boxes, and their generalizations. In Sequences and Their Applications SETA 2008, pages 345–367. Springer.



[26] Carlet, C., Dalai, D. K., Gupta, K. C., and Maitra, S. (2006). Algebraic immunity for cryptographically significant Boolean functions: Analysis and construction. IEEE Transactions on Information Theory, 52(7):3105–3121.

[27] Carlet, C. and Gaborit, P. (2005). On the construction of balanced Boolean functions with a good algebraic immunity. In Information Theory, 2005. ISIT 2005. Proceedings. International Symposium on, pages 1101–1105.

[28] Carlet, C. and Sarkar, P. (2001). Spectral domain analysis of correlation immune and resilient Boolean functions.

[29] Chabaud, F. and Vaudenay, S. (1994). Links between differential and linear cryptanalysis. In EUROCRYPT, pages 356–365.

[30] Charpin, P. and Pasalic, E. (2003). On propagation characteristics of resilient functions. In Nyberg, K. and Heys, H., editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 175–195. Springer Berlin Heidelberg.

[31] Chaum, D. and Evertse, J.-H. (1985). Cryptanalysis of DES with a reduced number of rounds: Sequences of linear factors in block ciphers. In CRYPTO, pages 192–211.

[32] Chen, L., Fu, F.-W., and Wei, V. K. (2002). On the constructions and nonlinearity of binary vector correlation-immune functions. In Information Theory, 2002. Proceedings. 2002 IEEE International Symposium on Information Theory, page 39.

[33] Clark, J. and Jacob, J. (2000). Two-stage optimisation in the design of Boolean functions. In Information Security and Privacy, ACISP 2000, volume 1841 of Lecture Notes in Computer Science, pages 242–254.

[34] Clark, J., Jacob, J., Stepney, S., Maitra, S., and Millan, W. (2002). Evolving Boolean functions satisfying multiple criteria. In Menezes, A. and Sarkar, P., editors, Progress in Cryptology — INDOCRYPT 2002, volume 2551 of Lecture Notes in Computer Science, pages 246–259. Springer Berlin Heidelberg.

[35] Clark, J. (2001). Metaheuristic Search as a Cryptological Tool. PhD thesis, Department of Computer Science, University of York.

[36] CLEFIA (2007). CLEFIA - the 128-bit blockcipher. http://www.sony.net/Products/cryptography/clefia/download/index.html.

[37] Coello, C. A., Dhaenens, C., and Jourdan, L. (2010). Advances in Multi-Objective Nature Inspired Computing. Springer Publishing Company, Incorporated, 1st edition.

[38] Coello, C. A. C., Lamont, G. B., and Veldhuizen, D. A. V. (2006). Evolutionary Algorithms for Solving Multi-Objective Problems (Genetic and Evolutionary Computation). Springer-Verlag New York, Inc., Secaucus, NJ, USA.

[39] Cohen, G., Karpovsky, M., Mattson, H., and Schatz, J. (1985). Covering radius: survey and recent results. IEEE Transactions on Information Theory, 31(3):328–343.

[40] Courtois, N. (2003). Fast algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - CRYPTO 2003, Lecture Notes in Computer Science 2729, pages 177–194.



[41] Courtois, N. and Meier, W. (2002). Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science 2656, pages 346–359.

[42] Courtois, N. and Meier, W. (2003). Algebraic attacks on stream ciphers with linear feedback. In EUROCRYPT, pages 345–359.

[43] Courtois, N. T. and Pieprzyk, J. (2002). Cryptanalysis of block ciphers with overdefined systems of equations. In Advances in Cryptology - ASIACRYPT 2002, pages 267–287. Springer.

[44] CRYPTOOL (2008). Educational tool for cryptography and cryptanalysis. http://www.cryptool.org/.

[45] Daemen, J., Knudsen, L., and Rijmen, V. (1997). The block cipher Square. In Biham, E., editor, Fast Software Encryption, volume 1267 of Lecture Notes in Computer Science, pages 149–165. Springer Berlin Heidelberg.

[46] Daemen, J. and Rijmen, V. (2002). The Design of Rijndael. Springer-Verlag New York, Inc., Secaucus, NJ, USA.

[47] Dalai, D. K., Gupta, K. C., and Maitra, S. (2004). Results on algebraic immunity for cryptographically significant Boolean functions. In INDOCRYPT, pages 92–106.

[48] Davio, M., Deschamps, J., and Thayse, A. (1978). Discrete and Switching Functions, volume 1 of Advanced Book Program. McGraw-Hill.

[49] Deb, K. and Kalyanmoy, D. (2001). Multi-Objective Optimization Using Evolutionary Algorithms. John Wiley & Sons, Inc., New York, NY, USA.

[50] Dimovski, A. and Gligoroski, D. (2003). Generating highly nonlinear Boolean functions using a genetic algorithm. In Telecommunications in Modern Satellite, Cable and Broadcasting Service, 2003. TELSIKS 2003. 6th International Conference on, volume 2, pages 604–607.

[51] Dobbertin, H. (1994). Construction of bent functions and balanced Boolean functions with high nonlinearity. In Fast Software Encryption, pages 61–74.

[52] Dobbertin, H. (1998). Ten problems on extremely nonlinear Boolean functions. Technical report, Dagstuhl.

[53] Hou, X.-d. (1996). Covering radius of the Reed-Muller code R(1,7) - a simpler proof. Journal of Combinatorial Theory, Series A, 74(2):337–341.

[54] Hou, X.-d. (1997). On the norm and covering radius of the first-order Reed-Muller codes. IEEE Transactions on Information Theory, 43(3):1025–1027.

[55] Dueholm Justesen, P. and Ursem, R. K. (2009). Multiobjective distinct candidates optimization (MODCO): A cluster-forming differential evolution algorithm.

[56] E. Berlekamp, L. W. (1972). Weight distribution of the cosets of the (32, 6) Reed-Muller code. IEEE Transactions on Information Theory, 18(1):203–207.



[57] Ehrgott, M. (2000). Multicriteria Optimization. Lecture Notes in Economics and Mathematical Systems. Springer-Verlag.

[58] Evertse, J.-H. (1987). Linear structures in blockciphers. In EUROCRYPT, pages 249–266.

[59] Evertse, J. H. (1988). Linear structures in block ciphers. In Advances in Cryptology - EUROCRYPT 87, no. 304 in Lecture Notes in Computer Science, pages 249–266.

[60] Faugère, J.-C. and Ars, G. (2003). An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases. Technical report, INRIA 4739.

[61] Filiol, E. and Fontaine, C. (1998). Highly nonlinear balanced Boolean functions with a good correlation-immunity. In Nyberg, K., editor, Advances in Cryptology — EUROCRYPT'98, volume 1403 of Lecture Notes in Computer Science, pages 475–488. Springer Berlin Heidelberg.

[62] Glover, F. and Laguna, M. (1997). Tabu Search. Kluwer Academic Publishers, Norwell, MA, USA.

[63] Goldberg, D. E. (1989). Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1st edition.

[64] Gong, G., Helleseth, T., Hu, H., and Li, C. (2014). New three-valued Walsh transforms from decimations of Helleseth-Gong sequences. In Sequences and Their Applications, SETA 2012, volume 7280 of Lecture Notes in Computer Science, pages 327–337.

[65] GPRS (2014). General Packet Radio Service. http://www.etsi.org/index.php/technologies-clusters/technologies/mobile/gprs.

[66] Grocholewska-Czurylo, A. (2006). Random generation of highly nonlinear resilient Boolean functions. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'06 Conference, March 13–15, 2006, Rouen, France, pages 61–72.

[67] GSM (2014). Global System for Mobile Communications. http://www.etsi.org/index.php/technologies-clusters/technologies/mobile/gsm.

[68] Guillot, P. (2005). Cryptographical Boolean functions construction from linear codes. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'05 Conference, March 7–8, 2005, Rouen, France, pages 141–154.

[69] Gupta, K. and Sarkar, P. (2005). Improved construction of nonlinear resilient S-boxes. IEEE Transactions on Information Theory, 51(1):339–348.

[70] Heys, H. (1999). A tutorial on linear and differential cryptanalysis. Technical report, Electrical and Computer Engineering, Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John's, NF, Canada A1B 3X5.

[71] Holland, J. H. (1973). Genetic algorithms and the optimal allocation of trials. SIAM J. Comput., 2(2):88–105.

[72] Hou, X.-d. (1996). The covering radius of R(1,9) in R(4,9). Designs, Codes and Cryptography, 8(3):285–292.



[73] I, S, H. and P. R, J. O. (1997). Applications in code design, chapter 12. Local Search in Combinatorial Optimization. John Wiley and Sons.

[74] Jakobsen, T. and Knudsen, L. R. (1997). The interpolation attack on block ciphers. In SAC 97, pages 28–40.

[75] Johansson, T. and Pasalic, E. (2003). A construction of resilient functions with high nonlinearity. IEEE Transactions on Information Theory, 49(2):494–501.

[76] KASUMI (2014). Block cipher used in UMTS, GSM and GPRS. http://www.3gpp.org/DynaReport/35202.htm.

[77] Kavut, S., Maitra, S., and Yücel, M. (2006). Autocorrelation spectra of balanced Boolean functions on an odd number of input variables. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'06 Conference, March 13–15, 2006, Rouen, France, pages 73–86.

[78] Kavut, S. and Yücel, M. D. (2007). Balanced Boolean functions with nonlinearity > 2^(n-1) - 2^((n-1)/2). IACR Cryptology ePrint Archive, 2007:321.

[79] Kavut, S. and Yücel, M. D. (2010). 9-variable Boolean functions with nonlinearity 242 in the generalized rotation symmetric class. Inf. Comput., 208(4):341–350.

[80] Kavut, S. and Yücel, M. (2003). Improved cost function in the design of Boolean functions satisfying multiple criteria. In Johansson, T. and Maitra, S., editors, Progress in Cryptology - INDOCRYPT 2003, volume 2904 of Lecture Notes in Computer Science, pages 121–134. Springer Berlin Heidelberg.

[81] Kirkpatrick, S., Gelatt, C. D., and Vecchi, M. P. (1983). Optimization by simulated annealing. Science, 220(4598):671–680.

[82] Lai, X. (1990). Linear structures of functions over prime fields. Unpublished.

[83] Lai, X. (1994). Higher order derivatives and differential cryptanalysis. In Proceedings of the Symposium on Communication, Coding and Cryptography.

[84] Lai, X. (1995). Additive and linear structures of cryptographic functions. In Preneel, B., editor, Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, pages 75–85. Springer Berlin Heidelberg.

[85] Lechner, R. (1972). Harmonic analysis of switching functions. In Recent Developments in Switching Theory (A. Mukhopadhyay, ed.), New York and London. Academic Press.

[86] Lobanov, M. (2005). Tight bound between nonlinearity and algebraic immunity. IACR Cryptology ePrint Archive, 2005:441.

[87] Maitra, S. (2001). Highly nonlinear balanced Boolean functions with very good autocorrelation property. Electronic Notes in Discrete Mathematics, 6:481–490. WCC2001, International Workshop on Coding and Cryptography.

[88] Maitra, S. (2002). Highly nonlinear balanced Boolean functions with good local and global avalanche characteristics. Information Processing Letters, 83(5):281–286.



[89] Maitra, S. (2007). Balanced Boolean function on 13-variables having nonlinearity strictly greater than the bent concatenation bound. IACR Cryptology ePrint Archive, 2007:309.

[90] MatPack (2006). MatPack C++ numerics and graphics library. http://www.matpack.de/.

[91] Matsui, M. (1993). Linear cryptanalysis method for DES cipher. In EUROCRYPT, pages 386–397.

[92] Matsui, M. (1994). The first experimental cryptanalysis of the Data Encryption Standard. In CRYPTO, pages 1–11.

[93] Matsui, M. (1997). New block encryption algorithm MISTY. In Fast Software Encryption, 4th International Workshop, FSE '97, Haifa, Israel, January 20-22, 1997, Proceedings, pages 54–68.

[94] Matsui, M. and Yamagishi, A. (1993). A new method for known plaintext attack of FEAL cipher. In Rueppel, R. A., editor, Advances in Cryptology — EUROCRYPT '92, volume 658 of Lecture Notes in Computer Science, chapter 7, pages 81–91. Springer Berlin Heidelberg, Berlin, Heidelberg.

[95] Maximov, A., Hell, M., and Maitra, S. (2004). Plateaued rotation symmetric Boolean functions on odd number of variables. IACR Cryptology ePrint Archive, 2004:144.

[96] MacWilliams, F. and Sloane, N. (1977). The Theory of Error Correcting Codes, volume 1,2. New York, NY: North Holland.

[97] Meier, W., Pasalic, E., and Carlet, C. (2004). Algebraic attacks and decomposition of Boolean functions. In Cachin, C. and Camenisch, J., editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 474–491. Springer Berlin Heidelberg.

[98] Meier, W. and Staffelbach, O. (1989). Nonlinearity criteria for cryptographic functions. In EUROCRYPT, pages 549–562.

[99] Millan, W. (1996). Low order approximation of cipher functions. In Dawson, E. and Golić, J., editors, Cryptography: Policy and Algorithms, volume 1029 of Lecture Notes in Computer Science, pages 144–155. Springer Berlin Heidelberg.

[100] Millan, W. (1998). How to improve the nonlinearity of bijective S-boxes. In Information Security and Privacy, ACISP 98, volume 1438 of Lecture Notes in Computer Science, pages 181–192.

[101] Millan, W. L. (1997). Analysis and Design of Boolean Functions for Cryptographic Applications. PhD thesis, Queensland University of Technology, Faculty of Information Technology.

[102] Minsky, M. (1961). Steps toward artificial intelligence. In Computers and Thought, pages 406–450. McGraw-Hill.

Page 266: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

242 References

[103] mo Zhang, X. and Zheng, Y. (1996). Auto-correlations and new bounds on thenonlinearity of boolean functions. In In Advances in Cryptology - EUROCRYPT96, pages294–306. Springer-Verlag.

[104] Murphy, S. (2002). Description of methodology for security evaluation. TechnicalReport NES/DOC/RHU/WP3/D10/3, European Commission.

[105] Murphy, S. (2004). Final report of european project number ist-1999-12324, namednew european schemes for signatures, integrity, and encryption. Technical Report IST-1999-12324, Commision of the European Communities.

[106] Mykkeltveit, J. (1980). The covering radius of the (128, 8) reed muller code is 56.IEEE Transactions on Information Theory, 26(3):359–362.

[107] National Bureau of Standards (1977). Data Encryption Standard. U. S. Departmentof Commerce, Washington, DC, USA.

[108] National Institute for Standards and Technology (2001). Advanced Encryption Stan-dard. U. S. Department of Commerce, Washington, DC, USA.

[109] Neubuser, J. (1995). An invitation to computational group theory. In Groups’ 93 –Galway/St. Andrews, volume 212 of London Math. Soc. Lecture Note Ser, pages 457–475.Cambridge University Press.

[110] noz, V. M. and Persson, U. (2007). Interviews with three fields medalists. Notices ofthe American Mathematical Society, 54(3):405–410.

[111] NTL (2009). NTL a library for doing number theory. http://www.shoup.net/ntl/.

[112] Nyberg, K. (1991). Perfect nonlinear s-boxes. In EUROCRYPT, pages 378–386.

[113] Nyberg, K. (1992). On the construction of highly nonlinear permutations. In EURO-CRYPT, pages 92–98.

[114] Nyberg, K. (1993). Differentially uniform mappings for cryptography. In EURO-CRYPT, pages 55–64.

[115] Nyberg, K. (1994). S-boxes and round functions with controllable linearity anddifferential uniformity. In Fast Software Encryption, pages 111–130.

[116] O’Connor, L. and Klapper, A. (1994). Algebraic nonlinearity and its applications tocryptography. J. Cryptology, 7(4):213–227.

[117] Papadimitriou, C. H. and Steiglitz, K. (1982). Combinatorial Optimization: Algo-rithms and Complexity. Prentice-Hall, Inc., Upper Saddle River, NJ, USA.

[118] Patterson, N. J. and Wiedemann, D. H. (1983). The covering radius of the (215,16)reed-muller code is at least 16276. IEEE Transactions on Information Theory, 29(3):354–356.

[119] Patterson, N. J. and Wiedemann, D. H. (1990). Correction to - the covering radius ofthe (215,16) reed-muller code is at least 16276. IEEE Transactions on Information Theory,36(2):443.

Page 267: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

References 243

[120] Phan, R. C.-W. (2002). Mini advanced encryption standard (mini-AES): A testbed forcryptanalysis. Students, Cryptologia, pages 283–306.

[121] Pieprzyk, J. and Finkelstein, G. (1988). Towards effective nonlinear cryptosystemdesign. Computers and Digital Techniques, IEE Proceedings E, 135(6):325–335.

[122] Pommerening, K. (2005). Linearitatsmaße fur boolesche abbildungen. Technicalreport, Fachbereich Mathematik der Johannes-Gutenberg-Universitaet.

[123] Preneel, B. (1993). Analysis and design of cryptographic hash functions. ph.d. disser-tation, katholieke universiteit leuven.

[124] Preneel, B., Leekwijck, W. V., Linden, L. V., Govaerts, R., and Vandewalle, J. (1990).Propagation characteristics of boolean functions. In EUROCRYPT, pages 161–173.

[125] Read, M. (2007). Explicable Boolean Functions. PhD thesis, The University of York,UK.

[126] Ribeiro, C. C. and Hansen, P. (2002). Essays and surveys in Metaheuristics. Opera-tions Research/Computer Science Interfaces Series. Kluwer academic publishers, Boston,Dordrecht, London.

[127] Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., and De Win, E. (1996). Thecipher shark. In Gollmann, D., editor, Fast Software Encryption, volume 1039 of LectureNotes in Computer Science, pages 99–111. Springer Berlin Heidelberg.

[128] Rothaus, O. S. (1976). On bent functions. J. Comb. Theory, Ser. A, 20(3):300–305.

[129] Roy, R., Dehuri, S., and Cho, S. (2011). A novel particle swarm optimization algorithmfor multi-objective combinatorial optimization problem. Int. J. of Applied MetaheuristicComputing, 2(4):41–57.

[130] Rueppel, R. A. (1986). Analysis and Design of Stream Ciphers. Springer-Verlag.

[131] Saber, Z., Uddin, M., and Youssef, A. (2006). On the existence of (9,3,5,240) resilientfunctions. Information Theory, IEEE Transactions on, 52(5):2269–2270.

[132] SAGE (2014). Open-source mathematics software. http://www.sagemath.org.

[133] Sarkar, P. and Maitra, S. (2000a). Construction of nonlinear boolean functions withimportant cryptographic properties. In EUROCRYPT, pages 488–511.

[134] Sarkar, P. and Maitra, S. (2000b). New directions in design of resilient booleanfunctions. IACR Cryptology ePrint Archive, 2000:9.

[135] Sarkar, P. and Maitra, S. (2000c). Nonlinearity bounds and constructions of resilientboolean functions. In CRYPTO ’00: Proceedings of the 20th Annual International Cryp-tology Conference on Advances in Cryptology, pages 515–532, London, UK. Springer-Verlag.

[136] Sarkar, S. and Maitra, S. (2008). Idempotents in the neighbourhood of patterson-wiedemann functions having walsh spectra zeros. Designs, Codes and Cryptography,49(1-3):95–103.

Page 268: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

244 References

[137] Schafer, C. (2013). Particle algorithms for optimization on binary spaces. Economicspapers from university paris dauphine, Paris Dauphine University.

[138] Schneier, B. (1996). Applied cryptography: protocols, algorithms, and source code inC. Wiley, New York, 2nd edition.

[139] Seberry, J. and Zhang, X. (1992). Highly nonlinear 0-1 balanced boolean functionssatisfying strict avalanche criterion. In Auscrypt.

[140] Seberry, J., Zhang, X.-M., and Zheng, Y. (1990). Enumerating boolean functions ofcryptographic significance. Journal of Cryptology, pages 155–170.

[141] Seberry, J., Zhang, X.-M., and Zheng, Y. (1993). On constructions and nonlinearity ofcorrelation immune functions (extended abstract). In EUROCRYPT, pages 181–199.

[142] Seberry, J., Zhang, X.-M., and Zheng, Y. (1996). The relationship between propagationcharacteristics and nonlinearity of cryptographic functions. In Maurer, H., Calude, C., andSalomaa, A., editors, J.UCS The Journal of Universal Computer Science, pages 136–150.Springer Berlin Heidelberg.

[143] Shannon, C. E. (1949). Communication theory of secrecy systems. Bell SystemTechnical Journal, 28(4):657–715.

[144] Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii,N., and Tanaka, H. (2001). The block cipher sc2000. In Matsui, M., editor, FSE, volume2355 of Lecture Notes in Computer Science, pages 312–327. Springer.

[145] Siegenthaler, T. (1984). Correlation-immunity of nonlinear combining functions forcryptographic applications. IEEE Transactions on Information Theory, 30(5):776–.

[146] Siegenthaler, T. (1985). Decrypting a class of stream ciphers using ciphertext only.IEEE Transactions on Computers, 34(1):81–85.

[147] Son, J. J., Lim, J. I., Chee, S., and Sung, S. H. (1998). Global avalanche characteristicsand nonlinearity of balanced boolean functions. Information Processing Letters, 65(3):139– 144.

[148] Stanica, P. and Sung, S. H. (2001). Improving the nonlinearity of certain balancedboolean functions with good local and global avalanche characteristics. InformationProcessing Letters, 79(4):167 – 172.

[149] Tarannikov, Y. (2000). On resilient boolean functions with maximal possible nonlin-earity. In INDOCRYPT, pages 19–30.

[150] Tarannikov, Y. and Kirienko, D. (2001). Spectral analysis of high order correlationimmune functions. In Information Theory, 2001. Proceedings. 2001 IEEE InternationalSymposium on, pages 69–.

[151] Tarannikov, Y., Korolev, P., and Botev, A. (2001). Autocorrelation coefficients andcorrelation immunity of boolean functions. In Boyd, C., editor, Advances in Cryptology -ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 460–479.Springer Berlin Heidelberg.

Page 269: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

References 245

[152] Tardy-Corfdir, A. and Gilbert, H. (1992). A known plaintext attack of feal-4 andfeal-6. In Feigenbaum, J., editor, Advances in Cryptology — CRYPTO ’91, volume 576 ofLecture Notes in Computer Science, pages 172–182. Springer Berlin Heidelberg.

[153] Toshiba (2001). Submission to the new european schemesfor signatures, integrity and encryption (NESSIE) process.http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/hierocrypt-l1.zip.

[154] Toshiba (2002). Submission to the new european schemesfor signatures, integrity and encryption (NESSIE) process.http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/hierocrypt-3.zip.

[155] UMTS (2014). Universal mobile telecommunications system.http://www.3gpp.org/DynaReport/25816.htm.

[156] VBFlib (2014). Analysis of cryptographic algorithms. http://vbflibrary.tk.

[157] Webster, A. F. and Tavares, S. E. (1986). On the design of S-boxes. In Williams, H. C.,editor, Advances in Cryptology - Crypto ’85, pages 523–534, Berlin. Springer-Verlag.Lecture Notes in Computer Science Volume 218.

[158] Xiao, G.-Z. and Massey, J. L. (1988). A spectral characterization of correlation-immune combining functions. IEEE Transactions on Information Theory, 34(3):569–.

[159] Youssef, A., Chen, Z., and Tavares, S. (1997). Construction of highly nonlinearinjective s-boxes with application to cast-like encryption algorithms. In IEEE 1997Canadian Conference on Electrical and Computer Engineering, 1997, volume 1, pages330 –333 vol.1.

[160] Zhang, X.-M. and Zheng, Y. (1995). GAC — the criterion for global avalanchecharacteristics of cryptographic functions. J.UCS: Journal of Universal Computer Science,1(5):320–337.

[161] Zheng, Y. and Zhang, X.-M. (2001). Improved upper bound on the nonlinearity ofhigh order correlation immune functions. In SAC ’00: Proceedings of the 7th AnnualInternational Workshop on Selected Areas in Cryptography, pages 262–274, London, UK.Springer-Verlag.

[162] Zheng, Y. and Zhang, X.-M. (2003a). Connections among nonlinearity, avalanche andcorrelation immunity. Theor. Comput. Sci., 292(3):697–710.

[163] Zheng, Y. and Zhang, X.-M. (2003b). Connections among nonlinearity, avalanche andcorrelation immunity. Theoretical Computer Science, 292(3):697 – 710. Algorithms inQuantum Information Prcoessing.

[164] Zitzler, E. (1999). Evolutionary algorithms for multiobjective optimization: Methodsand applications.

Page 270: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,
Page 271: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

Appendix A

Mathematical Background

The aim of this appendix is to present the notation and mathematical background used throughout the thesis.

A.1 The Vector Space $V_n$

A.1.1 Definition

Let $\{0,1\}$ be the set of Boolean variables (bits), commonly denoted by $GF(2) = \mathbb{Z}_2 = \mathbb{F}_2$, with the operations '+' and '·' defined by the following Cayley tables:

$$
\begin{array}{c|cc}
+ & 0 & 1 \\ \hline
0 & 0 & 1 \\
1 & 1 & 0
\end{array}
\qquad\qquad
\begin{array}{c|cc}
\cdot & 0 & 1 \\ \hline
0 & 0 & 0 \\
1 & 0 & 1
\end{array}
$$

The triple $\langle GF(2), +, \cdot \rangle$ is the finite field of order 2: '+' is integer addition modulo 2 (the Boolean operation XOR) and '·' is integer multiplication modulo 2 (the Boolean operation AND).

Let $V_n = \overbrace{GF(2) \times \cdots \times GF(2)}^{n}$. The triple $\langle V_n, +, \cdot \rangle$ is a vector space over the field $\langle GF(2), +, \cdot \rangle$, where the inner operation '+' is defined by

$$
\begin{aligned}
+ : V_n \times V_n &\to V_n \\
(\mathbf{x}, \mathbf{y}) &\mapsto \mathbf{x} + \mathbf{y} = (x_1 + y_1, \ldots, x_n + y_n)
\end{aligned}
\tag{A.1}
$$

and the external composition law '·' by

$$
\begin{aligned}
\cdot : GF(2) \times V_n &\to V_n \\
(c, \mathbf{x}) &\mapsto c \cdot \mathbf{x} = (c \cdot x_1, \ldots, c \cdot x_n)
\end{aligned}
\tag{A.2}
$$

To simplify the notation, vector addition is denoted by the same symbol as field addition ('+') and scalar multiplication by the same symbol as field multiplication ('·'). Which operation is meant is determined by the nature of the operands, and the '·' operator is omitted unless it would create ambiguity.

Remark. The vector difference '−' coincides with vector addition,

$$
\begin{aligned}
- : V_n \times V_n &\to V_n \\
(\mathbf{x}, \mathbf{y}) &\mapsto \mathbf{x} - \mathbf{y} = \mathbf{x} + (-\mathbf{y}) = \mathbf{x} + \mathbf{y}
\end{aligned}
\tag{A.3}
$$

since $\mathbf{x} + \mathbf{x} = \mathbf{0}$ for all $\mathbf{x} \in V_n$.

Definition A.1.1. $V_n$ is the direct sum of $U$ and $W$, written $V_n = U \oplus W$, if $U, W \prec V_n$ are subspaces such that each $\mathbf{x} \in V_n$ can be uniquely represented as $\mathbf{x} = \mathbf{x}_u + \mathbf{x}_w$ with $\mathbf{x}_u \in U$ and $\mathbf{x}_w \in W$, or equivalently:

$$
U + W = V_n, \qquad U \cap W = \{\mathbf{0}\}
\tag{A.4}
$$

Definition A.1.2. Let $U$ and $W$ be $GF(2)$-vector spaces that are disjoint except for the zero vector. Their direct sum $U \oplus W$ is well defined, and can be constructed as the Cartesian product $U \times W$ with coordinate-wise operations:

$$
U \oplus W = U \times W
\tag{A.5}
$$

A.1.2 Lexicographic Order

[48] A total order on $V_n$, called the lexicographic order, is defined as follows: for $\mathbf{x} = (x_1, \ldots, x_n)$ and $\mathbf{y} = (y_1, \ldots, y_n) \in V_n$, $\mathbf{x} \le \mathbf{y}$ if and only if one of the following holds:

1. $\mathbf{x} = \mathbf{y}$;
2. there exists an index $k \in \{1, \ldots, n\}$ such that $x_k < y_k$ and $x_i = y_i$ for all $i < k$.

If we define weights $w_i = 2^{n-i}$, a correspondence between the elements of $V_n$ and $\mathbb{Z}_{2^n}$ (the ring of integers modulo $2^n$) is established by the function

$$
\begin{aligned}
\psi : V_n &\to \mathbb{Z}_{2^n} \\
(x_1, \ldots, x_n) &\mapsto x_1 w_1 + \cdots + x_n w_n
\end{aligned}
\tag{A.6}
$$

Theorem A.1.1. [48] The function $\psi$ is a bijection from $V_n$ to $\mathbb{Z}_{2^n}$, and with the natural order on $\mathbb{Z}_{2^n}$ and the lexicographic order on $V_n$ it is an order isomorphism.

Lemma A.1.2. A vector $\boldsymbol{\alpha}_k = (x_1, \ldots, x_n) \in V_n$ can be represented by its decimal equivalent $\mathrm{dec}(\boldsymbol{\alpha}_k) = k = \sum_{i=1}^{n} x_i w_i$, and all the vectors of $V_n$ can be listed so that $\boldsymbol{\alpha}_0 < \boldsymbol{\alpha}_1 < \cdots < \boldsymbol{\alpha}_{2^n - 1}$.

Definition A.1.3. Let $k = \sum_{i=1}^{n} x_i 2^{n-i}$; then $(x_1, \ldots, x_n)$ is called the binary expansion of $k$. The number of nonzero coefficients $x_i$ is denoted by $w_2(k)$ and called the 2-weight of $k$.

A.1.3 The Hamming Distance

Definition A.1.4. The (Hamming) weight of a vector $\mathbf{x} = (x_1, \ldots, x_n) \in V_n$, denoted by $wt(\mathbf{x})$, is the number of nonzero components of $\mathbf{x}$:

$$
wt(\mathbf{x}) = \#\mathrm{Supp}(\mathbf{x}) = \sum_{i=1}^{n} x_i
\tag{A.7}
$$

(the sum being taken in the integers).

Definition A.1.5. The (Hamming) distance between two Boolean vectors $\mathbf{x}, \mathbf{y} \in V_n$, denoted by $d(\mathbf{x}, \mathbf{y})$, is the number of coordinates in which they differ:

$$
d(\mathbf{x}, \mathbf{y}) = wt(\mathbf{x} + \mathbf{y}) = \#\delta(\mathbf{x}, \mathbf{y}) = \sum_{i=1}^{n} |x_i - y_i|
\tag{A.8}
$$

where

$$
\delta(\mathbf{x}, \mathbf{y}) = \{\, i \in \{1, \ldots, n\} \mid x_i \ne y_i \,\}
\tag{A.9}
$$

Remark. The weight of a vector is its distance to the zero vector $\mathbf{0}$, whose coordinates are all 0:

$$
wt(\mathbf{x}) = d(\mathbf{x}, \mathbf{0})
\tag{A.10}
$$

The function $d : V_n \times V_n \to \mathbb{R}$ of (A.8) is a distance because, for all $\mathbf{x}, \mathbf{y}, \mathbf{z} \in V_n$, it satisfies:

1. $d(\mathbf{x}, \mathbf{y}) > 0$ if $\mathbf{x} \ne \mathbf{y}$
2. $d(\mathbf{x}, \mathbf{x}) = 0$
3. Symmetry: $d(\mathbf{x}, \mathbf{y}) = d(\mathbf{y}, \mathbf{x})$
4. Triangle inequality: $d(\mathbf{x}, \mathbf{y}) \le d(\mathbf{x}, \mathbf{z}) + d(\mathbf{z}, \mathbf{y})$

Proof. Since $wt(\mathbf{a}) + wt(\mathbf{b}) \ge wt(\mathbf{a} + \mathbf{b})$ (a coordinate of $\mathbf{a} + \mathbf{b}$ is 1 only if that coordinate is 1 in $\mathbf{a}$ or in $\mathbf{b}$),

$$
d(\mathbf{x}, \mathbf{z}) + d(\mathbf{z}, \mathbf{y}) = wt(\mathbf{x} + \mathbf{z}) + wt(\mathbf{y} + \mathbf{z}) \ge wt(\mathbf{x} + \mathbf{z} + \mathbf{y} + \mathbf{z}) = wt(\mathbf{x} + \mathbf{y}) = d(\mathbf{x}, \mathbf{y}).
$$

A.2 Characters

A.2.1 Characters on $V_n$

Definition A.2.1. [96] For each $\mathbf{u} = (u_1, \ldots, u_n) \in GF(p^n)$, $p$ prime, we define $\chi_{\mathbf{u}}$ as the complex-valued mapping on $GF(p^n)$ given by

$$
\chi_{\mathbf{u}}(\mathbf{x}) = \omega_p^{\sum_{i=1}^{n} u_i x_i} = \omega_p^{\mathbf{u} \cdot \mathbf{x}}
\tag{A.11}
$$

for $\mathbf{x} = (x_1, \ldots, x_n) \in GF(p^n)$, where $\omega_p$ is a primitive $p$-th root of unity; $\chi_{\mathbf{u}}$ is called a character of $GF(p^n)$.

Definition A.2.2. The complex conjugate of $\chi_{\mathbf{u}}(\mathbf{x})$, denoted $\overline{\chi_{\mathbf{u}}}(\mathbf{x}) = \chi_{\mathbf{u}}^{*}(\mathbf{x})$, is

$$
\chi_{\mathbf{u}}^{*}(\mathbf{x}) = \omega_p^{-\sum_{i=1}^{n} u_i x_i} = \omega_p^{-\mathbf{u} \cdot \mathbf{x}} = \chi_{\mathbf{u}}(-\mathbf{x})
\tag{A.12}
$$

Definition A.2.3. For $GF(2) = \{0,1\}$, $\omega_2 = e^{\pi i} = -1$ is the primitive 2nd root of unity, and there are two characters:

$$
\chi_{1}(0) = 1,\ \chi_{1}(1) = 1 \ \text{(the trivial character)}; \qquad \chi_{-1}(0) = 1,\ \chi_{-1}(1) = -1
\tag{A.13}
$$

Definition A.2.4. We will denote the set of all vectors whose $n$ components are characters by $V_n$; it is contained in the set $\mathbb{R}^n$ of real vectors with $n$ components, but it is not a subspace of $\mathbb{R}^n$ (the sum of two such vectors is in general not one of them).

Remark. For $\mathbf{u} \in \mathbb{Z}_p^n$ the character is the same as the one defined on $GF(p^n)$. In particular, for $\mathbf{u} \in V_n$ the character of $V_n$ coincides with the one defined on $GF(2^n)$ and satisfies

$$
\chi_{\mathbf{u}}(\mathbf{x}) = (-1)^{\sum_{i=1}^{n} u_i x_i}
\tag{A.14}
$$

In $V_n$ it holds that

$$
\mathbf{x} = -\mathbf{x} \quad \forall \mathbf{x} \in V_n
\tag{A.15}
$$

$$
\chi_{\mathbf{u}}(\mathbf{x}) = \chi_{\mathbf{u}}^{*}(\mathbf{x}) = (-1)^{\mathbf{u} \cdot \mathbf{x}} \quad \forall \mathbf{u}, \mathbf{x} \in V_n
\tag{A.16}
$$

Properties. For all $\mathbf{u}, \mathbf{v}, \mathbf{x}, \mathbf{y} \in V_n$:

1. $\chi_{\mathbf{u}}(\mathbf{x}) = \chi_{\mathbf{x}}(\mathbf{u})$
2. $\chi_{\mathbf{u}}(\mathbf{0}) = \chi_{\mathbf{0}}(\mathbf{x}) = 1$
3. $\chi_{\mathbf{u}}(\mathbf{x})\,\chi_{\mathbf{u}}^{*}(\mathbf{x}) = 1$
4. $\chi_{\mathbf{u}}(\mathbf{x} + \mathbf{y}) = \chi_{\mathbf{u}}(\mathbf{x}) \cdot \chi_{\mathbf{u}}(\mathbf{y})$
5. $\chi_{\mathbf{u} + \mathbf{v}}(\mathbf{x}) = \chi_{\mathbf{u}}(\mathbf{x}) \cdot \chi_{\mathbf{v}}(\mathbf{x})$
6. For single bits $u, v, x \in GF(2)$ (that is, $n = 1$), $\chi_{u \cdot v}(x) = \frac{1}{2}\{1 + \chi_u(x) + \chi_v(x) - \chi_u(x) \cdot \chi_v(x)\}$, i.e. $(-1)^{uvx} = \frac{1}{2}\left(1 + (-1)^{ux} + (-1)^{vx} - (-1)^{(u+v)x}\right)$, which is verified by trying the four values of $(ux, vx)$. Applied pointwise to the values of two Boolean functions $f$ and $g$ it gives $(-1)^{fg} = \frac{1}{2}\{1 + (-1)^f + (-1)^g - (-1)^{f+g}\}$. The identity does not extend to the coordinate-wise product of vectors when $n > 1$: for $\mathbf{u} = (1,0)$, $\mathbf{v} = (0,1)$, $\mathbf{x} = (1,1)$ the left-hand side is $1$ and the right-hand side is $-1$.
7. $\sum_{\mathbf{x} \in V_n} \chi_{\mathbf{u}}(\mathbf{x}) = \begin{cases} 2^n & \text{if } \mathbf{u} = \mathbf{0} \\ 0 & \text{if } \mathbf{u} \ne \mathbf{0} \end{cases}$
8. $\langle \chi_{\mathbf{u}}, \chi_{\mathbf{v}} \rangle = \sum_{\mathbf{x} \in V_n} \chi_{\mathbf{u}}(\mathbf{x}) \cdot \chi_{\mathbf{v}}^{*}(\mathbf{x}) = \begin{cases} 2^n & \text{if } \mathbf{u} = \mathbf{v} \\ 0 & \text{if } \mathbf{u} \ne \mathbf{v} \end{cases}$
9. $\forall \mathbf{u} \in V_n$, $\|\chi_{\mathbf{u}}\|^2 = 2^n$.

Proof. By property 3,

$$
\|\chi_{\mathbf{u}}\|^2 = \langle \chi_{\mathbf{u}}, \chi_{\mathbf{u}} \rangle = \sum_{\mathbf{x} \in V_n} \chi_{\mathbf{u}}(\mathbf{x})\,\chi_{\mathbf{u}}^{*}(\mathbf{x}) = \sum_{\mathbf{x} \in V_n} 1 = 2^n.
$$

A.2.2 Characters on $V_n \times V_m$

Definition A.2.5. The character of $(\mathbf{u}, \mathbf{v}) \in V_n \times V_m$ is defined by

$$
\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) = (-1)^{\mathbf{u} \cdot \mathbf{x} + \mathbf{v} \cdot \mathbf{y}}
\tag{A.17}
$$

Definition A.2.6. Let $\mathbf{u}, \mathbf{u}' \in V_n$ and $\mathbf{v}, \mathbf{v}' \in V_m$:

$$
\left\langle \chi_{(\mathbf{u},\mathbf{v})}, \chi_{(\mathbf{u}',\mathbf{v}')} \right\rangle = \sum_{\mathbf{x} \in V_n} \sum_{\mathbf{y} \in V_m} \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y})\, \chi_{(\mathbf{u}',\mathbf{v}')}^{*}(\mathbf{x},\mathbf{y})
\tag{A.18}
$$

Properties. The following hold for all $(\mathbf{x},\mathbf{y}), (\mathbf{x}',\mathbf{y}'), (\mathbf{u},\mathbf{v}), (\mathbf{u}',\mathbf{v}') \in V_n \times V_m$:

1. $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) = \chi_{\mathbf{u}}(\mathbf{x})\,\chi_{\mathbf{v}}(\mathbf{y})$
2. $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) = \chi_{(\mathbf{x},\mathbf{y})}(\mathbf{u},\mathbf{v})$
3. $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{0},\mathbf{0}) = \chi_{(\mathbf{0},\mathbf{0})}(\mathbf{x},\mathbf{y}) = 1$
4. $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y})\,\chi_{(\mathbf{u},\mathbf{v})}^{*}(\mathbf{x},\mathbf{y}) = 1$
5. $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x}+\mathbf{x}',\mathbf{y}+\mathbf{y}') = \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) \cdot \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x}',\mathbf{y}')$
6. $\chi_{(\mathbf{u}+\mathbf{u}',\mathbf{v}+\mathbf{v}')}(\mathbf{x},\mathbf{y}) = \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) \cdot \chi_{(\mathbf{u}',\mathbf{v}')}(\mathbf{x},\mathbf{y})$
7. $\sum_{\mathbf{x} \in V_n} \sum_{\mathbf{y} \in V_m} \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y}) = \begin{cases} 2^{n+m} & \text{if } (\mathbf{u},\mathbf{v}) = (\mathbf{0},\mathbf{0}) \\ 0 & \text{if } (\mathbf{u},\mathbf{v}) \ne (\mathbf{0},\mathbf{0}) \end{cases}$
8. $\left\langle \chi_{(\mathbf{u},\mathbf{v})}, \chi_{(\mathbf{u}',\mathbf{v}')} \right\rangle = \begin{cases} 2^{n+m} & \text{if } (\mathbf{u},\mathbf{v}) = (\mathbf{u}',\mathbf{v}') \\ 0 & \text{if } (\mathbf{u},\mathbf{v}) \ne (\mathbf{u}',\mathbf{v}') \end{cases}$
9. $\forall (\mathbf{u},\mathbf{v}) \in V_n \times V_m$, $\|\chi_{(\mathbf{u},\mathbf{v})}\|^2 = 2^{n+m}$.

Proof. By property 4,

$$
\|\chi_{(\mathbf{u},\mathbf{v})}\|^2 = \left\langle \chi_{(\mathbf{u},\mathbf{v})}, \chi_{(\mathbf{u},\mathbf{v})} \right\rangle = \sum_{\mathbf{x} \in V_n} \sum_{\mathbf{y} \in V_m} \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x},\mathbf{y})\,\chi_{(\mathbf{u},\mathbf{v})}^{*}(\mathbf{x},\mathbf{y}) = \sum_{\mathbf{x} \in V_n} \sum_{\mathbf{y} \in V_m} 1 = 2^{n+m}.
$$

A.3 The Vector Space $GF(2^n)$

A.3.1 Definition

The field $GF(2^n)$ is an extension of degree $n$ over $GF(2) = \mathbb{Z}_2$, and it can be written as $\mathbb{Z}_2[x]/g(x)$, where $g(x)$ is an irreducible polynomial of degree $n$ over $\mathbb{Z}_2$. It can be shown that for every positive $n$ there is a field of $2^n$ elements and that this field is unique up to isomorphism. From now on the set of polynomials over the field $\mathbb{Z}_2$ is denoted by $\mathbb{Z}_2[x]$. Typically the elements of $GF(2^n)$ are denoted as polynomials, that is, as elements of $\mathbb{Z}_2[x]$, and $g(x)$ is a generator of the ideal in this quotient ring representation. A polynomial over $\mathbb{Z}_2$ is an expression of the form

$$
a(x) = a_{n-1} x^{n-1} + \cdots + a_1 x + a_0
\tag{A.19}
$$

where $x$ is called the indeterminate of the polynomial and $a_i \in GF(2)$ are its coefficients. For $a(x) \in \mathbb{Z}_2[x]$, the degree of $a(x)$ is defined by

$$
\deg(a(x)) = \min\{\, i \in \mathbb{N} \mid \forall j \in \mathbb{N},\ j > i \Rightarrow a_j = 0 \,\}
\tag{A.20}
$$

that is, the index of its highest nonzero coefficient. The set of polynomials over $\mathbb{Z}_2$ of degree below $l$ is denoted by $\mathbb{Z}_2[x]|_l$:

$$
\mathbb{Z}_2[x]|_l = \{\, a(x) \in \mathbb{Z}_2[x] \mid \deg(a(x)) < l \,\}
\tag{A.21}
$$

A.3.2 Operations on Polynomials

Finite fields have the property that the operations $+, -, \times$ and $\div$ on field elements always yield a result in the field. We define the following operations on polynomials $a(x), b(x) \in \mathbb{Z}_2[x]|_n$:

Addition. Addition of polynomials consists of adding the coefficients of equal powers of $x$, the addition of coefficients taking place in the underlying field $GF(2)$:

$$
c(x) = a(x) + b(x) \Leftrightarrow c_i = a_i + b_i, \quad 0 \le i < n
\tag{A.22}
$$

Multiplication. The multiplication of two polynomials $a(x)$ and $b(x)$ is defined as the algebraic product of the polynomials modulo an irreducible polynomial $g(x)$ of degree $n$ over $GF(2)$:

$$
c(x) = a(x) \cdot b(x) \Leftrightarrow c(x) \equiv a(x) \times b(x) \pmod{g(x)}
\tag{A.23}
$$

A.3.3 Relation between $V_n$ and $GF(2^n)$

The vector space $V_n$ can be identified with the field $GF(2^n)$. Let $\{u_0, \ldots, u_{n-1}\}$ be a basis of $GF(2^n)$ over $GF(2)$. Then the relation between $V_n$ and $GF(2^n)$ can be expressed by

$$
\begin{aligned}
\phi : V_n &\to GF(2^n) \\
(x_0, \ldots, x_{n-1}) &\mapsto \sum_{i=0}^{n-1} u_i x_i
\end{aligned}
\tag{A.24}
$$

A.3.4 Mini-AES Finite Field $GF(2^4)$

The nibbles of Mini-AES can be thought of as elements of the finite field $GF(2^4)$. Consider a nibble $a = (a_3, a_2, a_1, a_0)$ with $a_i \in GF(2)$. This nibble can be represented as a polynomial with binary coefficients, i.e. coefficients in $GF(2)$:

$$
a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0
\tag{A.25}
$$

Example A.3.1. The nibble $a = (1,0,1,1)$ is represented as

$$
a(x) = 1 x^3 + 0 x^2 + 1 x + 1 = x^3 + x + 1
\tag{A.26}
$$

Note that when an element of $GF(2^4)$ is represented in polynomial form, the resulting polynomial has degree at most 3.

Example A.3.2. Given two nibbles $a = (1,0,1,1)$ and $b = (0,1,1,1)$, their addition is $a + b = 1011 + 0111 = 1100$ (a bitwise XOR), or in polynomial notation:

$$
a(x) + b(x) = (x^3 + x + 1) + (x^2 + x + 1) = x^3 + x^2
\tag{A.27}
$$

Example A.3.3. Given two nibbles $a = (1,0,1,1)$ and $b = (0,1,1,1)$, the product of their polynomials is

$$
(x^3 + x + 1)(x^2 + x + 1) = x^5 + x^4 + x^3 + x^3 + x^2 + x + x^2 + x + 1 = x^5 + x^4 + 1
$$

since equal terms cancel in characteristic 2.

To ensure that the result of a multiplication is still in $GF(2^4)$, it must be reduced by division by an irreducible polynomial of degree 4, the remainder being taken as the final result. An irreducible polynomial is analogous to a prime number in integer arithmetic: a polynomial is irreducible if it has no divisors other than 1 and itself. There are several irreducible polynomials of degree 4, and for Mini-AES the chosen one is

$$
g(x) = x^4 + x + 1
$$

Example A.3.4. Given two nibbles $a = (1,0,1,1)$ and $b = (0,1,1,1)$, the final result of their multiplication in $GF(2^4)$ is

$$
c(x) = (x^3 + x + 1) \cdot (x^2 + x + 1) \Leftrightarrow c(x) \equiv x^5 + x^4 + 1 \pmod{x^4 + x + 1} = x^2
$$

(using $x^4 \equiv x + 1$ and $x^5 \equiv x^2 + x$), that is, $c = (0,1,0,0)$.
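The arithmetic of A.3.1 to A.3.4, as an added runnable example that is not code from the thesis or from the VBF library it describes. A polynomial over $GF(2)$ is stored as a Python integer whose bit $i$ is the coefficient $a_i$, so the nibble $(a_3,a_2,a_1,a_0)$ is the integer $8a_3 + 4a_2 + 2a_1 + a_0$; the field $\mathbb{Z}_2[x]/g(x)$ is a small class parametrised by the integer encoding of $g(x)$, the irreducibility check is plain trial division (adequate for the small degrees used here), and the Mini-AES examples above are reproduced with $g(x) = x^4 + x + 1$ (encoded as 0x13). All function and class names are this example's own choices.

```python
# Added example (not code from the thesis or the VBF library): arithmetic in the
# field GF(2^n) = Z2[x]/g(x) of A.3, with polynomials over GF(2) stored as
# Python ints (bit i is the coefficient a_i of x^i), so the nibble
# a = (a3, a2, a1, a0) of A.3.4 is the integer 8*a3 + 4*a2 + 2*a1 + a0.

def poly_deg(a: int) -> int:
    """deg(a(x)) as in (A.20): index of the highest nonzero coefficient (-1 for a = 0)."""
    return a.bit_length() - 1

def poly_mul(a: int, b: int) -> int:
    """Product a(x) x b(x) in Z2[x] without reduction (carry-less multiplication)."""
    c = 0
    while b:
        if b & 1:
            c ^= a          # coefficient addition is XOR (A.22)
        a <<= 1             # multiply a(x) by x
        b >>= 1
    return c

def poly_mod(a: int, g: int) -> int:
    """Remainder of a(x) modulo g(x): long division in which subtraction is XOR."""
    dg = poly_deg(g)
    while poly_deg(a) >= dg:
        a ^= g << (poly_deg(a) - dg)
    return a

def poly_str(a: int) -> str:
    """Render an int-encoded polynomial in the notation of (A.19), e.g. 'x^3 + x + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

def is_irreducible(g: int) -> bool:
    """Trial division by every polynomial of degree 1..deg(g)/2 (fine for small n)."""
    n = poly_deg(g)
    if n < 1:
        return False
    for d in range(2, 1 << (n // 2 + 1)):   # ints >= 2 encode all polys of degree 1..n//2
        if poly_mod(g, d) == 0:
            return False
    return True

class GF2n:
    """The field GF(2^n) = Z2[x]/g(x) for an irreducible g(x) of degree n (A.3.1)."""

    def __init__(self, g: int):
        if not is_irreducible(g):
            raise ValueError(f"{poly_str(g)} is reducible, so Z2[x]/g(x) is not a field")
        self.g, self.n = g, poly_deg(g)

    def add(self, a: int, b: int) -> int:
        return a ^ b                                     # (A.22)

    def mul(self, a: int, b: int) -> int:
        return poly_mod(poly_mul(a, b), self.g)          # (A.23)

    def pow(self, a: int, e: int) -> int:
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

    def inv(self, a: int) -> int:
        """Multiplicative inverse a^(2^n - 2) (every nonzero a satisfies a^(2^n - 1) = 1)."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse in GF(2^n)")
        return self.pow(a, (1 << self.n) - 2)

# The Mini-AES field of A.3.4: g(x) = x^4 + x + 1, encoded as 0b10011 = 0x13.
MINI_AES = GF2n(0x13)

def mini_aes_example():
    """Reproduces Examples A.3.2 to A.3.4 with a = 1011 and b = 0111."""
    a, b = 0b1011, 0b0111
    return {
        "a+b": MINI_AES.add(a, b),                  # 1100, equation (A.27)
        "a*b unreduced": poly_mul(a, b),            # x^5 + x^4 + 1, Example A.3.3
        "a*b mod g": MINI_AES.mul(a, b),            # x^2, Example A.3.4
    }

if __name__ == "__main__":
    for name, value in mini_aes_example().items():
        print(f"{name:14s} = {value:04b}  ({poly_str(value)})")
```

The same class with `g = 0x11b` ($x^8 + x^4 + x^3 + x + 1$) gives the AES field, and `GF2n(0b10001)` is rejected because $x^4 + 1 = (x+1)^4$ is reducible; the multiplication by 0x2 that `MINI_AES.mul(2, x)` computes is the Mul2 operation tabulated in Appendix B.2.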

A.4 The Vector Space $\mathbb{R}^n$

A.4.1 The Inner Product

Definition A.4.1. For all $n \in \mathbb{N}$, the inner product is the function

$$
\begin{aligned}
\langle \cdot, \cdot \rangle : \mathbb{R}^n \times \mathbb{R}^n &\to \mathbb{R} \\
(\mathbf{x}, \mathbf{y}) &\mapsto \langle \mathbf{x}, \mathbf{y} \rangle = \sum_{i=1}^{n} x_i y_i
\end{aligned}
\tag{A.28}
$$

and the pair $(\mathbb{R}^n, \langle \cdot, \cdot \rangle)$ is called a Euclidean vector space.

The energy of the real vector $\mathbf{x} \in \mathbb{R}^n$ is defined by

$$
\langle \mathbf{x}, \mathbf{x} \rangle = \sum_{i=1}^{n} x_i^2
\tag{A.29}
$$

A.4.2 Distance

Let $\mathbf{x} \in \mathbb{R}^n$; the norm or length of $\mathbf{x}$ is the real number $\|\mathbf{x}\| = +\sqrt{\langle \mathbf{x}, \mathbf{x} \rangle}$.

The angle between the vectors $\mathbf{x} \ne \mathbf{0}$ and $\mathbf{y} \ne \mathbf{0}$ is the real number $\angle(\mathbf{x}, \mathbf{y}) \in [0, \pi]$ such that

$$
\cos(\angle(\mathbf{x}, \mathbf{y})) = \frac{\langle \mathbf{x}, \mathbf{y} \rangle}{\|\mathbf{x}\| \cdot \|\mathbf{y}\|}
\tag{A.30}
$$

$\mathbf{x}$ and $\mathbf{y}$ are linearly dependent if and only if $\angle(\mathbf{x}, \mathbf{y}) = 0$ or $\angle(\mathbf{x}, \mathbf{y}) = \pi$. They are orthogonal if $\angle(\mathbf{x}, \mathbf{y}) = \frac{\pi}{2} \Leftrightarrow \langle \mathbf{x}, \mathbf{y} \rangle = 0$.

As $(\mathbb{R}^n, \langle \cdot, \cdot \rangle)$ is a Euclidean vector space, the function $d : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}$ defined by

$$
\forall \mathbf{x}, \mathbf{y} \in \mathbb{R}^n, \quad d(\mathbf{x}, \mathbf{y}) = \|\mathbf{x} - \mathbf{y}\| = +\sqrt{\langle \mathbf{x} - \mathbf{y}, \mathbf{x} - \mathbf{y} \rangle}
\tag{A.31}
$$

is a distance over $\mathbb{R}^n$.

A.4.3 The Pointwise Product

Definition A.4.2. Let $\mathbf{x}, \mathbf{y} \in \mathbb{R}^n$; the pointwise product is the function

$$
\begin{aligned}
\odot : \mathbb{R}^n \times \mathbb{R}^n &\to \mathbb{R}^n \\
(\mathbf{x}, \mathbf{y}) &\mapsto \mathbf{x} \odot \mathbf{y} = (x_1 \cdot y_1, \ldots, x_n \cdot y_n)
\end{aligned}
\tag{A.32}
$$

A.5 The Vector Space $M_{n \times m}(\mathbb{R})$

A.5.1 The Inner Product

Definition A.5.1. For all $n, m \in \mathbb{N}$, the inner product is the function

$$
\begin{aligned}
\langle \cdot, \cdot \rangle : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) &\to \mathbb{R} \\
(A, B) &\mapsto \langle A, B \rangle = \sum_{i=1}^{n} \sum_{j=1}^{m} a_{ij} b_{ij}
\end{aligned}
\tag{A.33}
$$

and the pair $(M_{n \times m}(\mathbb{R}), \langle \cdot, \cdot \rangle)$ is called a Euclidean vector space.

The energy of the matrix $A \in M_{n \times m}(\mathbb{R})$ is defined by

$$
\langle A, A \rangle = \sum_{i=1}^{n} \sum_{j=1}^{m} a_{ij}^2
\tag{A.34}
$$

A.5.2 Distance

Let $A \in M_{n \times m}(\mathbb{R})$; the norm or length of $A$ is the real number $\|A\| = +\sqrt{\langle A, A \rangle}$.

The angle between the matrices $A \ne 0$ and $B \ne 0$ is the real number $\angle(A, B) \in [0, \pi]$ such that

$$
\cos(\angle(A, B)) = \frac{\langle A, B \rangle}{\|A\| \cdot \|B\|}
\tag{A.35}
$$

$A$ and $B$ are linearly dependent if and only if $\angle(A, B) = 0$ or $\angle(A, B) = \pi$. They are orthogonal if $\angle(A, B) = \frac{\pi}{2} \Leftrightarrow \langle A, B \rangle = 0$.

As $(M_{n \times m}(\mathbb{R}), \langle \cdot, \cdot \rangle)$ is a Euclidean vector space, the function $d : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) \to \mathbb{R}$ defined by

$$
\forall A, B \in M_{n \times m}(\mathbb{R}), \quad d(A, B) = \|A - B\| = +\sqrt{\langle A - B, A - B \rangle}
\tag{A.36}
$$

is a distance over $M_{n \times m}(\mathbb{R})$.

A.5.3 The Pointwise Product

Definition A.5.2. For all $n, m \in \mathbb{N}$, the pointwise product is the function

$$
\begin{aligned}
\odot : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) &\to M_{n \times m}(\mathbb{R}) \\
(A, B) &\mapsto A \odot B =
\begin{pmatrix}
a_{11} \cdot b_{11} & \cdots & a_{1m} \cdot b_{1m} \\
a_{21} \cdot b_{21} & \cdots & a_{2m} \cdot b_{2m} \\
\vdots & \ddots & \vdots \\
a_{n1} \cdot b_{n1} & \cdots & a_{nm} \cdot b_{nm}
\end{pmatrix}
\end{aligned}
\tag{A.37}
$$

A.6 Kronecker Product of Matrices

Definition A.6.1. The Kronecker product of $A \in M_{p \times q}(\mathbb{R})$ and $B \in M_{r \times s}(\mathbb{R})$ is denoted by $A \otimes B \in M_{pr \times qs}(\mathbb{R})$ and defined by

$$
A \otimes B =
\begin{pmatrix}
a_{11} B & \cdots & a_{1q} B \\
a_{21} B & \cdots & a_{2q} B \\
\vdots & \ddots & \vdots \\
a_{p1} B & \cdots & a_{pq} B
\end{pmatrix}
$$

Let $c \in \mathbb{R}$, $A \in M_{p \times q}(\mathbb{R})$, $B \in M_{r \times s}(\mathbb{R})$, $C \in M_{q \times k}(\mathbb{R})$ and $D \in M_{s \times l}(\mathbb{R})$. The Kronecker product satisfies the following properties:

1. It does not matter where a scalar factor is placed: $(c \cdot A) \otimes B = A \otimes (c \cdot B) = c \cdot (A \otimes B)$
2. The Kronecker product is associative: $A \otimes B \otimes C = (A \otimes B) \otimes C = A \otimes (B \otimes C)$
3. The mixed-product property: $(A \otimes B) \cdot (C \otimes D) = (A \cdot C) \otimes (B \cdot D)$

A.7 Convolution and Correlation

A.7.1 One-dimensional

Let $\phi, \psi : V_n \to \mathbb{R}$.

Definition A.7.1. The circular convolution $(\phi * \psi) : V_n \to \mathbb{R}$ is defined by

$$
(\phi * \psi)(\mathbf{x}) = \sum_{\mathbf{x}' \in V_n} \phi(\mathbf{x}')\,\psi(\mathbf{x} - \mathbf{x}')
\tag{A.38}
$$

Definition A.7.2. The correlation between $\phi$ and $\psi$, denoted by $(\phi \star \psi) : V_n \to \mathbb{R}$, is defined by

$$
(\phi \star \psi)(\mathbf{x}) = \sum_{\mathbf{x}' \in V_n} \phi(\mathbf{x}')\,\psi(\mathbf{x}' + \mathbf{x})
\tag{A.39}
$$

Since $\mathbf{x} - \mathbf{x}' = \mathbf{x} + \mathbf{x}'$ in $V_n$ by (A.3), the two sums (A.38) and (A.39) coincide term by term: on $V_n$ convolution and correlation are the same operation, which is not the case over the integers or the reals.

Definition A.7.3. The circular cross-correlation between $\phi$ and $\psi$, denoted by $r_{\phi,\psi} : V_n \to \mathbb{R}$, is defined by

$$
r_{\phi,\psi}(\mathbf{x}) = \frac{1}{2^n}(\phi \star \psi)(\mathbf{x}) = \frac{1}{2^n} \sum_{\mathbf{x}' \in V_n} \phi(\mathbf{x}')\,\psi(\mathbf{x}' + \mathbf{x})
\tag{A.40}
$$

Definition A.7.4. The autocorrelation of $\phi : V_n \to \mathbb{R}$ with respect to the shift $\mathbf{x} \in V_n$ is the cross-correlation of $\phi$ with itself, denoted by $r_{\phi} : V_n \to \mathbb{R}$ and defined by

$$
r_{\phi}(\mathbf{x}) = \frac{1}{2^n}(\phi \star \phi)(\mathbf{x}) = \frac{1}{2^n} \sum_{\mathbf{x}' \in V_n} \phi(\mathbf{x}')\,\phi(\mathbf{x}' + \mathbf{x})
\tag{A.41}
$$

A.7.2 Bidimensional

Let $\phi, \psi : V_n \times V_m \to \mathbb{R}$.

Definition A.7.5. The circular convolution $(\phi * \psi) : V_n \times V_m \to \mathbb{R}$ is defined by

$$
(\phi * \psi)(\mathbf{x},\mathbf{y}) = \sum_{\mathbf{x}' \in V_n} \sum_{\mathbf{y}' \in V_m} \phi(\mathbf{x}',\mathbf{y}')\,\psi(\mathbf{x} - \mathbf{x}', \mathbf{y} - \mathbf{y}')
\tag{A.42}
$$

Definition A.7.6. The correlation between $\phi$ and $\psi$, denoted by $(\phi \star \psi) : V_n \times V_m \to \mathbb{R}$, is defined by

$$
(\phi \star \psi)(\mathbf{x},\mathbf{y}) = \sum_{\mathbf{x}' \in V_n} \sum_{\mathbf{y}' \in V_m} \phi(\mathbf{x}',\mathbf{y}')\,\psi(\mathbf{x}' + \mathbf{x}, \mathbf{y}' + \mathbf{y})
\tag{A.43}
$$

Definition A.7.7. The circular cross-correlation between $\phi$ and $\psi$, denoted by $r_{\phi,\psi} : V_n \times V_m \to \mathbb{R}$, is defined by

$$
r_{\phi,\psi}(\mathbf{x},\mathbf{y}) = \frac{1}{2^{n+m}}(\phi \star \psi)(\mathbf{x},\mathbf{y}) = \frac{1}{2^{n+m}} \sum_{\mathbf{x}' \in V_n} \sum_{\mathbf{y}' \in V_m} \phi(\mathbf{x}',\mathbf{y}')\,\psi(\mathbf{x}' + \mathbf{x}, \mathbf{y}' + \mathbf{y})
\tag{A.44}
$$

Definition A.7.8. The autocorrelation of $\phi : V_n \times V_m \to \mathbb{R}$ with respect to the shift $(\mathbf{x},\mathbf{y}) \in V_n \times V_m$ is the cross-correlation of $\phi$ with itself, denoted by $r_{\phi} : V_n \times V_m \to \mathbb{R}$ and defined by

$$
r_{\phi}(\mathbf{x},\mathbf{y}) = \frac{1}{2^{n+m}}(\phi \star \phi)(\mathbf{x},\mathbf{y}) = \frac{1}{2^{n+m}} \sum_{\mathbf{x}' \in V_n} \sum_{\mathbf{y}' \in V_m} \phi(\mathbf{x}',\mathbf{y}')\,\phi(\mathbf{x}' + \mathbf{x}, \mathbf{y}' + \mathbf{y})
\tag{A.45}
$$
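The characters of A.2 and the convolution and correlation of A.7, as one added runnable example; this is not code from the thesis or from VBFlib. It encodes a vector of $V_n$ as the integer $\psi(\mathbf{x})$ of (A.6) (so $x_1$ is the most significant bit and a function $\phi : V_n \to \mathbb{R}$ is a list indexed by $\psi(\mathbf{x})$), builds the $2^n \times 2^n$ matrix $[\chi_{\mathbf{u}}(\mathbf{x})]$, checks the orthogonality properties 7 to 9 of A.2.1, shows that property 1 of A.2.2 makes the character matrix of $V_n \times V_m$ the Kronecker product (A.6) of the character matrices of $V_n$ and $V_m$, and computes the autocorrelation (A.41) of the sign function $(-1)^f$ of a small Boolean function. The function names and the choice of $f(x_1,x_2,x_3) = x_1 x_2 + x_3$ as test input are this example's own.

```python
# Added example (not code from the thesis or VBFlib): characters of V_n (A.2.1),
# their orthogonality (properties 7-9), the product structure of characters on
# V_n x V_m (A.2.2, property 1) seen as a Kronecker product (A.6), and the
# circular convolution, correlation and autocorrelation of A.7.
# Vectors of V_n are encoded as integers through psi of (A.6): x_1 is the most
# significant bit, and a function phi: V_n -> R is a list indexed by psi(x).

def dot(u: int, x: int) -> int:
    """u . x in GF(2): the parity of the bitwise AND."""
    return bin(u & x).count("1") & 1

def chi(u: int, x: int) -> int:
    """Character chi_u(x) = (-1)^(u . x) of (A.14)."""
    return -1 if dot(u, x) else 1

def character_matrix(n: int):
    """The 2^n x 2^n matrix [chi_u(x)], rows indexed by u and columns by x."""
    N = 1 << n
    return [[chi(u, x) for x in range(N)] for u in range(N)]

def inner(phi, psi):
    """<phi, psi> = sum_x phi(x) psi(x)^*; the functions are real, so psi^* = psi."""
    return sum(a * b for a, b in zip(phi, psi))

def kron(A, B):
    """Kronecker product A (x) B of matrices given as lists of rows (A.6)."""
    return [[a * b for a in row_a for b in row_b] for row_a in A for row_b in B]

def matmul(A, B):
    """Ordinary matrix product, used to check the mixed-product property of A.6."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def convolve(phi, psi):
    """(phi * psi)(x) = sum_{x'} phi(x') psi(x - x') of (A.38); in V_n, x - x' = x XOR x'."""
    N = len(phi)
    return [sum(phi[xp] * psi[x ^ xp] for xp in range(N)) for x in range(N)]

def correlate(phi, psi):
    """(phi star psi)(x) = sum_{x'} phi(x') psi(x' + x) of (A.39)."""
    N = len(phi)
    return [sum(phi[xp] * psi[xp ^ x] for xp in range(N)) for x in range(N)]

def cross_correlation(phi, psi):
    """r_{phi,psi}(x) of (A.40): the correlation scaled by 1/2^n."""
    N = len(phi)
    return [c / N for c in correlate(phi, psi)]

def autocorrelation(phi):
    """r_phi(x) of (A.41)."""
    return cross_correlation(phi, phi)

def sign_function(truth_table):
    """phi = (-1)^f for a Boolean function f given by its truth table over V_n."""
    return [1 - 2 * b for b in truth_table]

if __name__ == "__main__":
    H = character_matrix(3)
    # Property 8 of A.2.1: distinct characters are orthogonal and ||chi_u||^2 = 2^n.
    assert all(inner(H[u], H[v]) == (8 if u == v else 0) for u in range(8) for v in range(8))
    # Property 1 of A.2.2: chi_(u,v)(x,y) = chi_u(x) chi_v(y), i.e. H_{n+m} = H_n (x) H_m.
    assert kron(character_matrix(1), character_matrix(2)) == H
    # Autocorrelation of f(x1,x2,x3) = x1 x2 + x3, truth table in lexicographic order.
    phi = sign_function([0, 1, 0, 1, 0, 1, 1, 0])
    print("r_phi =", autocorrelation(phi))   # [1.0, -1.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
```

The autocorrelation of this $f$ is $1$ at the zero shift, $-1$ at the shift $(0,0,1)$ (flipping $x_3$ complements $f$) and $0$ at every other shift, because $f(\mathbf{x}) + f(\mathbf{x} + \mathbf{a})$ is then a balanced affine function. `convolve` and `correlate` return identical lists for every pair of inputs, which is the remark after (A.39) made concrete.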


Appendix B

CLEFIA Description

B.1 Truth Tables of the CLEFIA $SS_i$ ($0 \le i \le 3$) S-boxes

Each row gives the 4-bit outputs of the four S-boxes for the input $x$; inputs are listed in lexicographic order, most significant bit first.

x      SS0(x)  SS1(x)  SS2(x)  SS3(x)
0000   1110    0110    1011    1010
0001   0110    0100    1000    0010
0010   1100    0000    0101    0110
0011   1010    1101    1110    1101
0100   1000    0010    1010    0011
0101   0111    1011    0110    0100
0110   0010    1010    0100    0101
0111   1111    0011    1100    1110
1000   1011    1001    1111    0000
1001   0001    1100    0111    0111
1010   0100    1110    0010    1000
1011   0000    1111    0011    1001
1100   0101    1000    0001    1011
1101   1001    0111    0000    1111
1110   1101    0101    1101    1100
1111   0011    0001    1001    0001

B.2 Truth Tables of the operation Mul2(x) = 0x2 · x and of its compositions Mul2 ∘ SS1 and Mul2 ∘ SS0

Mul2 is multiplication by 0x2 in $GF(2^4)$ with the polynomial $g(x) = x^4 + x + 1$ of A.3.4.

x      Mul2(x)  Mul2(SS1(x))  Mul2(SS0(x))
0000   0000     1100          1111
0001   0010     1000          1100
0010   0100     0000          1011
0011   0110     1001          0111
0100   1000     0100          0011
0101   1010     0101          1110
0110   1100     0111          0100
0111   1110     0110          1101
1000   0011     0001          0101
1001   0001     1011          0010
1010   0111     1111          1000
1011   0101     1101          0000
1100   1011     0011          1010
1101   1001     1110          0001
1110   1111     1010          1001
1111   1101     0010          0110
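The 8-bit CLEFIA S-box $S_0$ assembled from the tables of B.1 and B.2, as an added runnable example that is not code from the thesis, from VBFlib or from the CLEFIA reference implementation. It follows the construction of the CLEFIA specification: for $x = x_0 \| x_1$ ($x_0$ the high nibble), $t_0 = SS_0(x_0)$, $t_1 = SS_1(x_1)$, $u_0 = t_0 \oplus 0x2 \cdot t_1$, $u_1 = 0x2 \cdot t_0 \oplus t_1$, $y_0 = SS_2(u_0)$, $y_1 = SS_3(u_1)$ and $S_0(x) = y_0 \| y_1$. The $SS_i$ tables are the ones of B.1 written as hexadecimal nibbles; `s0_parts` returns the four columns of the B.3 tables for a given $x$, and the helpers `truth_table`, `is_permutation` and `differential_uniformity` are this example's own additions for checking the result.

```python
# Added example (not code from the thesis, VBFlib or the CLEFIA reference
# implementation): the 8-bit CLEFIA S-box S0 built from the 4-bit S-boxes
# SS0..SS3 of B.1 and the Mul2 operation of B.2, as in the CLEFIA specification:
#   x = x0 || x1 (x0 the high nibble)
#   t0 = SS0(x0),  t1 = SS1(x1)
#   u0 = t0 ^ 0x2*t1,  u1 = 0x2*t0 ^ t1     (^ is XOR, * in GF(2^4), g = x^4+x+1)
#   y0 = SS2(u0),  y1 = SS3(u1),  S0(x) = y0 || y1

SS0 = [0xe, 0x6, 0xc, 0xa, 0x8, 0x7, 0x2, 0xf, 0xb, 0x1, 0x4, 0x0, 0x5, 0x9, 0xd, 0x3]
SS1 = [0x6, 0x4, 0x0, 0xd, 0x2, 0xb, 0xa, 0x3, 0x9, 0xc, 0xe, 0xf, 0x8, 0x7, 0x5, 0x1]
SS2 = [0xb, 0x8, 0x5, 0xe, 0xa, 0x6, 0x4, 0xc, 0xf, 0x7, 0x2, 0x3, 0x1, 0x0, 0xd, 0x9]
SS3 = [0xa, 0x2, 0x6, 0xd, 0x3, 0x4, 0x5, 0xe, 0x0, 0x7, 0x8, 0x9, 0xb, 0xf, 0xc, 0x1]

def mul2(a: int) -> int:
    """0x2 * a in GF(2^4) modulo x^4 + x + 1: shift left, then reduce x^4 = x + 1."""
    a <<= 1
    return (a ^ 0b10011) if a & 0x10 else a

def s0_parts(x: int):
    """Intermediate values (u0, u1, y0, y1) of S0(x): the four columns of B.3."""
    x0, x1 = x >> 4, x & 0xf
    t0, t1 = SS0[x0], SS1[x1]
    u0 = t0 ^ mul2(t1)
    u1 = mul2(t0) ^ t1
    return u0, u1, SS2[u0], SS3[u1]

def s0(x: int) -> int:
    """The 8-bit S-box value S0(x) = y0 || y1."""
    u0, u1, y0, y1 = s0_parts(x)
    return (y0 << 4) | y1

def bits(v: int, width: int = 4):
    """Bit vector, most significant bit first: the row format of Appendix B."""
    return [(v >> i) & 1 for i in range(width - 1, -1, -1)]

def truth_table(f, n_in: int, n_out: int):
    """Truth table of f : V_n_in -> V_n_out as a list of output bit vectors."""
    return [bits(f(x), n_out) for x in range(1 << n_in)]

def is_permutation(table) -> bool:
    """True when every output value occurs exactly once (the S-box is bijective)."""
    return sorted(table) == list(range(len(table)))

def differential_uniformity(sbox) -> int:
    """max over a != 0 and b of #{x : S(x) ^ S(x ^ a) = b}; smaller is better."""
    n = len(sbox)
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

if __name__ == "__main__":
    # Regenerate the B.2 tables (Mul2, Mul2 o SS1) and the first rows of B.3.
    mul2_table = truth_table(mul2, 4, 4)
    mul2_ss1 = truth_table(lambda x: mul2(SS1[x]), 4, 4)
    print("Mul2:", mul2_table[8], " Mul2(SS1(0)):", mul2_ss1[0])
    for x in range(4):
        u0, u1, y0, y1 = s0_parts(x)
        print(x, bits(u0), bits(u1), bits(y0), bits(y1))
    table = [s0(x) for x in range(256)]
    print("S0 is a permutation:", is_permutation(table),
          " differential uniformity:", differential_uniformity(table))
```

Running the table generation for all 256 inputs reproduces the $u_0$, $u_1$ and $y_1$ columns of B.3 and shows that the $y_0$ column must be read as $SS_2(u_0)$ rather than as a copy of $u_0$; `differential_uniformity` gives the quantity to compare with the maximum differential probability stated for $S_0$ in the CLEFIA design documents.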

B.3 Truth Tables of u0,u1,y0 an y1

u0        u1        y0        y1        (one row per input x = 0x00 .. 0xff, top to bottom)
[0 0 1 0] [1 0 0 1] [0 0 1 0] [0 1 1 1]
[0 1 1 0] [1 0 1 1] [0 1 1 0] [1 0 0 1]
[1 1 1 0] [1 1 1 1] [1 1 1 0] [0 0 0 1]
[0 1 1 1] [0 0 1 0] [0 1 1 1] [0 1 1 0]
[1 0 1 0] [1 1 0 1] [1 0 1 0] [1 1 1 1]
[1 0 1 1] [0 1 0 0] [1 0 1 1] [0 0 1 1]
[1 0 0 1] [0 1 0 1] [1 0 0 1] [0 1 0 0]
[1 0 0 0] [1 1 0 0] [1 0 0 0] [1 0 1 1]
[1 1 1 1] [0 1 1 0] [1 1 1 1] [0 1 0 1]
[0 1 0 1] [0 0 1 1] [0 1 0 1] [1 1 0 1]
[0 0 0 1] [0 0 0 1] [0 0 0 1] [0 0 1 0]
[0 0 1 1] [0 0 0 0] [0 0 1 1] [1 0 1 0]
[1 1 0 1] [0 1 1 1] [1 1 0 1] [1 1 1 0]
[0 0 0 0] [1 0 0 0] [0 0 0 0] [0 0 0 0]
[0 1 0 0] [1 0 1 0] [0 1 0 0] [1 0 0 0]
[1 1 0 0] [1 1 1 0] [1 1 0 0] [1 1 0 0]
[1 0 1 0] [1 0 1 0] [1 0 1 0] [1 0 0 0]
[1 1 1 0] [1 0 0 0] [1 1 1 0] [0 0 0 0]
[0 1 1 0] [1 1 0 0] [0 1 1 0] [1 0 1 1]
[1 1 1 1] [0 0 0 1] [1 1 1 1] [0 0 1 0]
[0 0 1 0] [1 1 1 0] [0 0 1 0] [1 1 0 0]
[0 0 1 1] [0 1 1 1] [0 0 1 1] [1 1 1 0]
[0 0 0 1] [0 1 1 0] [0 0 0 1] [0 1 0 1]
[0 0 0 0] [1 1 1 1] [0 0 0 0] [0 0 0 1]
[0 1 1 1] [0 1 0 1] [0 1 1 1] [0 1 0 0]
[1 1 0 1] [0 0 0 0] [1 1 0 1] [1 0 1 0]
[1 0 0 1] [0 0 1 0] [1 0 0 1] [0 1 1 0]
[1 0 1 1] [0 0 1 1] [1 0 1 1] [1 1 0 1]
[0 1 0 1] [0 1 0 0] [0 1 0 1] [0 0 1 1]
[1 0 0 0] [1 0 1 1] [1 0 0 0] [1 0 0 1]
[1 1 0 0] [1 0 0 1] [1 1 0 0] [0 1 1 1]
[0 1 0 0] [1 1 0 1] [0 1 0 0] [1 1 1 1]
[0 0 0 0] [1 1 0 1] [0 0 0 0] [1 1 1 1]
[0 1 0 0] [1 1 1 1] [0 1 0 0] [0 0 0 1]
[1 1 0 0] [1 0 1 1] [1 1 0 0] [1 0 0 1]
[0 1 0 1] [0 1 1 0] [0 1 0 1] [0 1 0 1]
[1 0 0 0] [1 0 0 1] [1 0 0 0] [0 1 1 1]
[1 0 0 1] [0 0 0 0] [1 0 0 1] [1 0 1 0]
[1 0 1 1] [0 0 0 1] [1 0 1 1] [0 0 1 0]
[1 0 1 0] [1 0 0 0] [1 0 1 0] [0 0 0 0]
[1 1 0 1] [0 0 1 0] [1 1 0 1] [0 1 1 0]
[0 1 1 1] [0 1 1 1] [0 1 1 1] [1 1 1 0]
[0 0 1 1] [0 1 0 1] [0 0 1 1] [0 1 0 0]
[0 0 0 1] [0 1 0 0] [0 0 0 1] [0 0 1 1]
[1 1 1 1] [0 0 1 1] [1 1 1 1] [1 1 0 1]
[0 0 1 0] [1 1 0 0] [0 0 1 0] [1 0 1 1]
[0 1 1 0] [1 1 1 0] [0 1 1 0] [1 1 0 0]
[1 1 1 0] [1 0 1 0] [1 1 1 0] [1 0 0 0]
[0 1 1 0] [0 0 0 1] [0 1 1 0] [0 0 1 0]
[0 0 1 0] [0 0 1 1] [0 0 1 0] [1 1 0 1]
[1 0 1 0] [0 1 1 1] [1 0 1 0] [1 1 1 0]
[0 0 1 1] [1 0 1 0] [0 0 1 1] [1 0 0 0]
[1 1 1 0] [0 1 0 1] [1 1 1 0] [0 1 0 0]
[1 1 1 1] [1 1 0 0] [1 1 1 1] [1 0 1 1]
[1 1 0 1] [1 1 0 1] [1 1 0 1] [1 1 1 1]
[1 1 0 0] [0 1 0 0] [1 1 0 0] [0 0 1 1]
[1 0 1 1] [1 1 1 0] [1 0 1 1] [1 1 0 0]
[0 0 0 1] [1 0 1 1] [0 0 0 1] [1 0 0 1]
[0 1 0 1] [1 0 0 1] [0 1 0 1] [0 1 1 1]
[0 1 1 1] [1 0 0 0] [0 1 1 1] [0 0 0 0]
[1 0 0 1] [1 1 1 1] [1 0 0 1] [0 0 0 1]
[0 1 0 0] [0 0 0 0] [0 1 0 0] [1 0 1 0]
[0 0 0 0] [0 0 1 0] [0 0 0 0] [0 1 1 0]
[1 0 0 0] [0 1 1 0] [1 0 0 0] [0 1 0 1]
[0 1 0 0] [0 1 0 1] [0 1 0 0] [0 1 0 0]
[0 0 0 0] [0 1 1 1] [0 0 0 0] [1 1 1 0]
[1 0 0 0] [0 0 1 1] [1 0 0 0] [1 1 0 1]
[0 0 0 1] [1 1 1 0] [0 0 0 1] [1 1 0 0]
[1 1 0 0] [0 0 0 1] [1 1 0 0] [0 0 1 0]
[1 1 0 1] [1 0 0 0] [1 1 0 1] [0 0 0 0]
[1 1 1 1] [1 0 0 1] [1 1 1 1] [0 1 1 1]
[1 1 1 0] [0 0 0 0] [1 1 1 0] [1 0 1 0]
[1 0 0 1] [1 0 1 0] [1 0 0 1] [1 0 0 0]
[0 0 1 1] [1 1 1 1] [0 0 1 1] [0 0 0 1]
[0 1 1 1] [1 1 0 1] [0 1 1 1] [1 1 1 1]
[0 1 0 1] [1 1 0 0] [0 1 0 1] [1 0 1 1]
[1 0 1 1] [1 0 1 1] [1 0 1 1] [1 0 0 1]
[0 1 1 0] [0 1 0 0] [0 1 1 0] [0 0 1 1]
[0 0 1 0] [0 1 1 0] [0 0 1 0] [0 1 0 1]
[1 0 1 0] [0 0 1 0] [1 0 1 0] [0 1 1 0]
[1 0 1 1] [1 0 0 0] [1 0 1 1] [0 0 0 0]
[1 1 1 1] [1 0 1 0] [1 1 1 1] [1 0 0 0]
[0 1 1 1] [1 1 1 0] [0 1 1 1] [1 1 0 0]
[1 1 1 0] [0 0 1 1] [1 1 1 0] [1 1 0 1]
[0 0 1 1] [1 1 0 0] [0 0 1 1] [1 0 1 1]
[0 0 1 0] [0 1 0 1] [0 0 1 0] [0 1 0 0]
[0 0 0 0] [0 1 0 0] [0 0 0 0] [0 0 1 1]
[0 0 0 1] [1 1 0 1] [0 0 0 1] [1 1 1 1]
[0 1 1 0] [0 1 1 1] [0 1 1 0] [1 1 1 0]
[1 1 0 0] [0 0 1 0] [1 1 0 0] [0 1 1 0]
[1 0 0 0] [0 0 0 0] [1 0 0 0] [1 0 1 0]
[1 0 1 0] [0 0 0 1] [1 0 1 0] [0 0 1 0]
[0 1 0 0] [0 1 1 0] [0 1 0 0] [0 1 0 1]
[1 0 0 1] [1 0 0 1] [1 0 0 1] [0 1 1 1]
[1 1 0 1] [1 0 1 1] [1 1 0 1] [1 0 0 1]
[0 1 0 1] [1 1 1 1] [0 1 0 1] [0 0 0 1]
[1 1 1 0] [0 0 1 0] [1 1 1 0] [0 1 1 0]
[1 0 1 0] [0 0 0 0] [1 0 1 0] [1 0 1 0]
[0 0 1 0] [0 1 0 0] [0 0 1 0] [0 0 1 1]
[1 0 1 1] [1 0 0 1] [1 0 1 1] [0 1 1 1]
[0 1 1 0] [0 1 1 0] [0 1 1 0] [0 1 0 1]
[0 1 1 1] [1 1 1 1] [0 1 1 1] [0 0 0 1]
[0 1 0 1] [1 1 1 0] [0 1 0 1] [1 1 0 0]
[0 1 0 0] [0 1 1 1] [0 1 0 0] [1 1 1 0]
[0 0 1 1] [1 1 0 1] [0 0 1 1] [1 1 1 1]
[1 0 0 1] [1 0 0 0] [1 0 0 1] [0 0 0 0]
[1 1 0 1] [1 0 1 0] [1 1 0 1] [1 0 0 0]
[1 1 1 1] [1 0 1 1] [1 1 1 1] [1 0 0 1]
[0 0 0 1] [1 1 0 0] [0 0 0 1] [1 0 1 1]
[1 1 0 0] [0 0 1 1] [1 1 0 0] [1 1 0 1]
[1 0 0 0] [0 0 0 1] [1 0 0 0] [0 0 1 0]
[0 0 0 0] [0 1 0 1] [0 0 0 0] [0 1 0 0]
[0 0 1 1] [1 0 1 1] [0 0 1 1] [1 0 0 1]
[0 1 1 1] [1 0 0 1] [0 1 1 1] [0 1 1 1]
[1 1 1 1] [1 1 0 1] [1 1 1 1] [1 1 1 1]
[0 1 1 0] [0 0 0 0] [0 1 1 0] [1 0 1 0]
[1 0 1 1] [1 1 1 1] [1 0 1 1] [0 0 0 1]
[1 0 1 0] [0 1 1 0] [1 0 1 0] [0 1 0 1]
[1 0 0 0] [0 1 1 1] [1 0 0 0] [1 1 1 0]
[1 0 0 1] [1 1 1 0] [1 0 0 1] [1 1 0 0]
[1 1 1 0] [0 1 0 0] [1 1 1 0] [0 0 1 1]
[0 1 0 0] [0 0 0 1] [0 1 0 0] [0 0 1 0]
[0 0 0 0] [0 0 1 1] [0 0 0 0] [1 1 0 1]
[0 0 1 0] [0 0 1 0] [0 0 1 0] [0 1 1 0]
[1 1 0 0] [0 1 0 1] [1 1 0 0] [0 1 0 0]
[0 0 0 1] [1 0 1 0] [0 0 0 1] [1 0 0 0]
[0 1 0 1] [1 0 0 0] [0 1 0 1] [0 0 0 0]
[1 1 0 1] [1 1 0 0] [1 1 0 1] [1 0 1 1]
[0 1 1 1] [0 0 1 1] [0 1 1 1] [1 1 0 1]
[0 0 1 1] [0 0 0 1] [0 0 1 1] [0 0 1 0]
[1 0 1 1] [0 1 0 1] [1 0 1 1] [0 1 0 0]
[0 0 1 0] [1 0 0 0] [0 0 1 0] [0 0 0 0]
[1 1 1 1] [0 1 1 1] [1 1 1 1] [1 1 1 0]
[1 1 1 0] [1 1 1 0] [1 1 1 0] [1 1 0 0]
[1 1 0 0] [1 1 1 1] [1 1 0 0] [0 0 0 1]
[1 1 0 1] [0 1 1 0] [1 1 0 1] [0 1 0 1]
[1 0 1 0] [1 1 0 0] [1 0 1 0] [1 0 1 1]
[0 0 0 0] [1 0 0 1] [0 0 0 0] [0 1 1 1]
[0 1 0 0] [1 0 1 1] [0 1 0 0] [1 0 0 1]
[0 1 1 0] [1 0 1 0] [0 1 1 0] [1 0 0 0]
[1 0 0 0] [1 1 0 1] [1 0 0 0] [1 1 1 1]
[0 1 0 1] [0 0 1 0] [0 1 0 1] [0 1 1 0]
[0 0 0 1] [0 0 0 0] [0 0 0 1] [1 0 1 0]
[1 0 0 1] [0 1 0 0] [1 0 0 1] [0 0 1 1]
[1 1 0 1] [0 1 0 0] [1 1 0 1] [0 0 1 1]
[1 0 0 1] [0 1 1 0] [1 0 0 1] [0 1 0 1]
[0 0 0 1] [0 0 1 0] [0 0 0 1] [0 1 1 0]
[1 0 0 0] [1 1 1 1] [1 0 0 0] [0 0 0 1]
[0 1 0 1] [0 0 0 0] [0 1 0 1] [1 0 1 0]
[0 1 0 0] [1 0 0 1] [0 1 0 0] [0 1 1 1]
[0 1 1 0] [1 0 0 0] [0 1 1 0] [0 0 0 0]
[0 1 1 1] [0 0 0 1] [0 1 1 1] [0 0 1 0]
[0 0 0 0] [1 0 1 1] [0 0 0 0] [1 0 0 1]
[1 0 1 0] [1 1 1 0] [1 0 1 0] [1 1 0 0]
[1 1 1 0] [1 1 0 0] [1 1 1 0] [1 0 1 1]
[1 1 0 0] [1 1 0 1] [1 1 0 0] [1 1 1 1]
[0 0 1 0] [1 0 1 0] [0 0 1 0] [1 0 0 0]
[1 1 1 1] [0 1 0 1] [1 1 1 1] [0 1 0 0]
[1 0 1 1] [0 1 1 1] [1 0 1 1] [1 1 1 0]
[0 0 1 1] [0 0 1 1] [0 0 1 1] [1 1 0 1]
[1 0 0 0] [1 1 1 0] [1 0 0 0] [1 1 0 0]
[1 1 0 0] [1 1 0 0] [1 1 0 0] [1 0 1 1]
[0 1 0 0] [1 0 0 0] [0 1 0 0] [0 0 0 0]
[1 1 0 1] [0 1 0 1] [1 1 0 1] [0 1 0 0]
[0 0 0 0] [1 0 1 0] [0 0 0 0] [1 0 0 0]
[0 0 0 1] [0 0 1 1] [0 0 0 1] [1 1 0 1]
[0 0 1 1] [0 0 1 0] [0 0 1 1] [0 1 1 0]
[0 0 1 0] [1 0 1 1] [0 0 1 0] [1 0 0 1]
[0 1 0 1] [0 0 0 1] [0 1 0 1] [0 0 1 0]
[1 1 1 1] [0 1 0 0] [1 1 1 1] [0 0 1 1]
[1 0 1 1] [0 1 1 0] [1 0 1 1] [0 1 0 1]
[1 0 0 1] [0 1 1 1] [1 0 0 1] [1 1 1 0]
[0 1 1 1] [0 0 0 0] [0 1 1 1] [1 0 1 0]
[1 0 1 0] [1 1 1 1] [1 0 1 0] [0 0 0 1]
[1 1 1 0] [1 1 0 1] [1 1 1 0] [1 1 1 1]
[0 1 1 0] [1 0 0 1] [0 1 1 0] [0 1 1 1]
[1 1 0 0] [0 1 1 0] [1 1 0 0] [0 1 0 1]
[1 0 0 0] [0 1 0 0] [1 0 0 0] [0 0 1 1]
[0 0 0 0] [0 0 0 0] [0 0 0 0] [1 0 1 0]
[1 0 0 1] [1 1 0 1] [1 0 0 1] [1 1 1 1]
[0 1 0 0] [0 0 1 0] [0 1 0 0] [0 1 1 0]
[0 1 0 1] [1 0 1 1] [0 1 0 1] [1 0 0 1]
[0 1 1 1] [1 0 1 0] [0 1 1 1] [1 0 0 0]
[0 1 1 0] [0 0 1 1] [0 1 1 0] [1 1 0 1]
[0 0 0 1] [1 0 0 1] [0 0 0 1] [0 1 1 1]
[1 0 1 1] [1 1 0 0] [1 0 1 1] [1 0 1 1]
[1 1 1 1] [1 1 1 0] [1 1 1 1] [1 1 0 0]
[1 1 0 1] [1 1 1 1] [1 1 0 1] [0 0 0 1]
[0 0 1 1] [1 0 0 0] [0 0 1 1] [0 0 0 0]
[1 1 1 0] [0 1 1 1] [1 1 1 0] [1 1 1 0]
[1 0 1 0] [0 1 0 1] [1 0 1 0] [0 1 0 0]
[0 0 1 0] [0 0 0 1] [0 0 1 0] [0 0 1 0]
[1 0 0 1] [1 1 0 0] [1 0 0 1] [1 0 1 1]
[1 1 0 1] [1 1 1 0] [1 1 0 1] [1 1 0 0]
[0 1 0 1] [1 0 1 0] [0 1 0 1] [1 0 0 0]
[1 1 0 0] [0 1 1 1] [1 1 0 0] [1 1 1 0]
[0 0 0 1] [1 0 0 0] [0 0 0 1] [0 0 0 0]
[0 0 0 0] [0 0 0 1] [0 0 0 0] [0 0 1 0]
[0 0 1 0] [0 0 0 0] [0 0 1 0] [1 0 1 0]
[0 0 1 1] [1 0 0 1] [0 0 1 1] [0 1 1 1]
[0 1 0 0] [0 0 1 1] [0 1 0 0] [1 1 0 1]
[1 1 1 0] [0 1 1 0] [1 1 1 0] [0 1 0 1]
[1 0 1 0] [0 1 0 0] [1 0 1 0] [0 0 1 1]
[1 0 0 0] [0 1 0 1] [1 0 0 0] [0 1 0 0]
[0 1 1 0] [0 0 1 0] [0 1 1 0] [0 1 1 0]
[1 0 1 1] [1 1 0 1] [1 0 1 1] [1 1 1 1]
[1 1 1 1] [1 1 1 1] [1 1 1 1] [0 0 0 1]
[0 1 1 1] [1 0 1 1] [0 1 1 1] [1 0 0 1]
[0 1 0 1] [0 1 1 1] [0 1 0 1] [1 1 1 0]
[0 0 0 1] [0 1 0 1] [0 0 0 1] [0 1 0 0]
[1 0 0 1] [0 0 0 1] [1 0 0 1] [0 0 1 0]
[0 0 0 0] [1 1 0 0] [0 0 0 0] [1 0 1 1]
[1 1 0 1] [0 0 1 1] [1 1 0 1] [1 1 0 1]
[1 1 0 0] [1 0 1 0] [1 1 0 0] [1 0 0 0]
[1 1 1 0] [1 0 1 1] [1 1 1 0] [1 0 0 1]
[1 1 1 1] [0 0 1 0] [1 1 1 1] [0 1 1 0]
[1 0 0 0] [1 0 0 0] [1 0 0 0] [0 0 0 0]
[0 0 1 0] [1 1 0 1] [0 0 1 0] [1 1 1 1]
[0 1 1 0] [1 1 1 1] [0 1 1 0] [0 0 0 1]
[0 1 0 0] [1 1 1 0] [0 1 0 0] [1 1 0 0]
[1 0 1 0] [1 0 0 1] [1 0 1 0] [0 1 1 1]
[0 1 1 1] [0 1 1 0] [0 1 1 1] [0 1 0 1]
[0 0 1 1] [0 1 0 0] [0 0 1 1] [0 0 1 1]
[1 0 1 1] [0 0 0 0] [1 0 1 1] [1 0 1 0]
[0 0 0 1] [1 1 1 1] [0 0 0 1] [0 0 0 1]
[0 1 0 1] [1 1 0 1] [0 1 0 1] [1 1 1 1]
[1 1 0 1] [1 0 0 1] [1 1 0 1] [0 1 1 1]
[0 1 0 0] [0 1 0 0] [0 1 0 0] [0 0 1 1]
[1 0 0 1] [1 0 1 1] [1 0 0 1] [1 0 0 1]
[1 0 0 0] [0 0 1 0] [1 0 0 0] [0 1 1 0]
[1 0 1 0] [0 0 1 1] [1 0 1 0] [1 1 0 1]
[1 0 1 1] [1 0 1 0] [1 0 1 1] [1 0 0 0]
[1 1 0 0] [0 0 0 0] [1 1 0 0] [1 0 1 0]
[0 1 1 0] [0 1 0 1] [0 1 1 0] [0 1 0 0]
[0 0 1 0] [0 1 1 1] [0 0 1 0] [1 1 1 0]
[0 0 0 0] [0 1 1 0] [0 0 0 0] [0 1 0 1]
[1 1 1 0] [0 0 0 1] [1 1 1 0] [0 0 1 0]
[0 0 1 1] [1 1 1 0] [0 0 1 1] [1 1 0 0]
[0 1 1 1] [1 1 0 0] [0 1 1 1] [1 0 1 1]
[1 1 1 1] [1 0 0 0] [1 1 1 1] [0 0 0 0]
[1 1 1 1] [0 0 0 0] [1 1 1 1] [1 0 1 0]
[1 0 1 1] [0 0 1 0] [1 0 1 1] [0 1 1 0]
[0 0 1 1] [0 1 1 0] [0 0 1 1] [0 1 0 1]
[1 0 1 0] [1 0 1 1] [1 0 1 0] [1 0 0 1]
[0 1 1 1] [0 1 0 0] [0 1 1 1] [0 0 1 1]
[0 1 1 0] [1 1 0 1] [0 1 1 0] [1 1 1 1]
[0 1 0 0] [1 1 0 0] [0 1 0 0] [1 0 1 1]
[0 1 0 1] [0 1 0 1] [0 1 0 1] [0 1 0 0]
[0 0 1 0] [1 1 1 1] [0 0 1 0] [0 0 0 1]
[1 0 0 0] [1 0 1 0] [1 0 0 0] [1 0 0 0]
[1 1 0 0] [1 0 0 0] [1 1 0 0] [0 0 0 0]
[1 1 1 0] [1 0 0 1] [1 1 1 0] [0 1 1 1]
[0 0 0 0] [1 1 1 0] [0 0 0 0] [1 1 0 0]
[1 1 0 1] [0 0 0 1] [1 1 0 1] [0 0 1 0]
[1 0 0 1] [0 0 1 1] [1 0 0 1] [1 1 0 1]
[0 0 0 1] [0 1 1 1] [0 0 0 1] [1 1 1 0]
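The tables in B.1 to B.3 are the intermediate values of CLEFIA's 8-bit S-box S0, which the CLEFIA specification builds from the four 4-bit S-boxes and the GF(2^4) doubling above. The following program is an added example, not code from the thesis or from the VBF library: it assumes the construction from the specification (x = x0||x1 with x0 the high nibble, u0 = SS0(x0) ⊕ 2·SS1(x1), u1 = 2·SS0(x0) ⊕ SS1(x1), y0 = SS2(u0), y1 = SS3(u1), S0(x) = y0||y1, with 0x2·x computed modulo z^4 + z + 1), and it reproduces the Mul2 table, the u0, u1 and y1 columns above and the constant term 57 of the trace representation in B.4. Note that the y0 column as printed above repeats u0; applying SS2 to u0 as the construction prescribes gives y0 = 5 for x = 0, which together with y1 = 7 is what the constant term 57 requires.

```cpp
#include <cstdint>
#include <vector>
#include <string>
#include <sstream>
#include <iostream>

// The four 4-bit S-boxes of CLEFIA, transcribed from the SS0..SS3 truth
// tables in B.1 (row i of the table is SSk(i)).
static const uint8_t SS0[16] = {0xe,0x6,0xc,0xa,0x8,0x7,0x2,0xf,0xb,0x1,0x4,0x0,0x5,0x9,0xd,0x3};
static const uint8_t SS1[16] = {0x6,0x4,0x0,0xd,0x2,0xb,0xa,0x3,0x9,0xc,0xe,0xf,0x8,0x7,0x5,0x1};
static const uint8_t SS2[16] = {0xb,0x8,0x5,0xe,0xa,0x6,0x4,0xc,0xf,0x7,0x2,0x3,0x1,0x0,0xd,0x9};
static const uint8_t SS3[16] = {0xa,0x2,0x6,0xd,0x3,0x4,0x5,0xe,0x0,0x7,0x8,0x9,0xb,0xf,0xc,0x1};

// Mul2(x) = 0x2 * x in GF(2^4) with reduction polynomial z^4 + z + 1
// (assumption: the field CLEFIA uses inside S0). Shift left by one and,
// if z^4 overflowed, fold it back in as z + 1 (0x3); this yields exactly
// the Mul2 column of table B.2.
uint8_t mul2(uint8_t x)
{
    uint8_t y = (uint8_t)((x << 1) & 0xF);
    if (x & 0x8) y ^= 0x3;
    return y;
}

struct S0Trace { uint8_t u0, u1, y0, y1; };

// One row of the B.3 tables for an 8-bit input x = x0||x1 (x0 = high nibble).
S0Trace clefia_s0_trace(uint8_t x)
{
    uint8_t x0 = (uint8_t)(x >> 4), x1 = (uint8_t)(x & 0xF);
    uint8_t t0 = SS0[x0], t1 = SS1[x1];
    S0Trace r;
    r.u0 = (uint8_t)(t0 ^ mul2(t1));      // SS0(x0) + 2*SS1(x1)
    r.u1 = (uint8_t)(mul2(t0) ^ t1);      // 2*SS0(x0) + SS1(x1)
    r.y0 = SS2[r.u0];
    r.y1 = SS3[r.u1];
    return r;
}

uint8_t clefia_s0(uint8_t x)
{
    S0Trace r = clefia_s0_trace(x);
    return (uint8_t)((r.y0 << 4) | r.y1);
}

// Render a nibble in the "[b3 b2 b1 b0]" layout used by the appendix tables.
std::string nibble_row(uint8_t v)
{
    std::ostringstream os;
    os << '[';
    for (int b = 3; b >= 0; --b) os << ((v >> b) & 1) << (b ? " " : "]");
    return os.str();
}

// Sanity check a practitioner wants before trusting a rebuilt S-box: every
// output value of {0..255} must occur exactly once, i.e. S0 is a permutation.
bool s0_is_permutation()
{
    std::vector<int> seen(256, 0);
    for (int x = 0; x < 256; ++x) seen[clefia_s0((uint8_t)x)]++;
    for (int v = 0; v < 256; ++v) if (seen[v] != 1) return false;
    return true;
}

int main()
{
    // Print the first rows in the B.3 layout: u0 u1 y0 y1 per input value.
    for (int x = 0; x < 8; ++x) {
        S0Trace r = clefia_s0_trace((uint8_t)x);
        std::cout << nibble_row(r.u0) << ' ' << nibble_row(r.u1) << ' '
                  << nibble_row(r.y0) << ' ' << nibble_row(r.y1) << '\n';
    }
    std::cout << std::hex << "S0(0x00) = 0x" << (int)clefia_s0(0) << '\n';
    return 0;
}
```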

B.4 Trace Representation of S0 and S1

S0(x) = e8·x^252 + 88·x^250 + 4c·x^249 + 5c·x^248 + fa·x^246 + ac·x^245 + a4·x^244 + 43·x^243 +
cf·x^242 + 8d·x^241 + c9·x^240 + d8·x^238 + 4c·x^237 + be·x^236 + 7b·x^235 + bb·x^234 + 0f·x^233 +
2c·x^232 + f0·x^231 + 9b·x^230 + c9·x^229 + bf·x^228 + b8·x^227 + 36·x^226 + 4b·x^225 +
f1·x^224 + b2·x^222 + 6e·x^221 + 2c·x^220 + 89·x^219 + e2·x^218 + 2e·x^217 + 63·x^216 + 6d·x^215 +
4b·x^214 + dc·x^213 + 28·x^212 + 8a·x^211 + 11·x^210 + 1b·x^209 + c6·x^208 + 81·x^207 + 30·x^206 +
37·x^205 + 15·x^204 + fd·x^203 + 36·x^202 + 6a·x^201 + 63·x^200 + 03·x^199 + 48·x^198 + 14·x^197 +
11·x^196 + 76·x^195 + da·x^194 + 2c·x^193 + 07·x^192 + 52·x^190 + b4·x^189 + 99·x^188 + 89·x^187 +
75·x^186 + d8·x^185 + 11·x^184 + 78·x^183 + 36·x^182 + 40·x^181 + 2a·x^180 + ac·x^179 + fc·x^178 +
33·x^177 + cb·x^176 + 68·x^175 + d6·x^174 + 72·x^173 + e0·x^172 + c8·x^171 + f1·x^170 + 83·x^169 +
10·x^168 + 4e·x^167 + 97·x^166 + 06·x^165 + 11·x^164 + d1·x^163 + 53·x^162 + 89·x^161 + 92·x^160 +
65·x^159 + 20·x^158 + 5a·x^157 + 70·x^156 + 02·x^155 + f0·x^154 + 70·x^153 + f4·x^152 + 42·x^151 +
f1·x^150 + 91·x^149 + 4b·x^148 + 4d·x^147 + e6·x^146 + df·x^145 + 80·x^144 + c3·x^143 +
1b·x^142 + 30·x^141 + 9a·x^140 + c6·x^139 + 38·x^138 + 94·x^137 + ef·x^136 + 07·x^135 + f3·x^134 +
3c·x^133 + d4·x^132 + 2f·x^131 + 4f·x^130 + b0·x^129 + c6·x^128 + a9·x^126 + 4a·x^125 + 0a·x^124 +
c6·x^123 + 4f·x^122 + 19·x^121 + c2·x^120 + bc·x^119 + d8·x^118 + bb·x^117 + 77·x^116 + 0b·x^115 +
24·x^114 + 9b·x^113 + f4·x^112 + 97·x^111 + 58·x^110 + 7e·x^109 + 6e·x^108 + 82·x^107 + 5f·x^106 +
1b·x^105 + aa·x^104 + d2·x^103 + 2a·x^102 + 24·x^101 + 5b·x^100 + 3d·x^99 + 45·x^98 + 09·x^97 +
91·x^96 + 1a·x^95 + 84·x^94 + 33·x^93 + 04·x^92 + f6·x^91 + b5·x^90 + 0e·x^89 + 83·x^88 +
e4·x^87 + 57·x^86 + 10·x^85 + fa·x^84 + 66·x^83 + 2b·x^82 + 84·x^81 + 7c·x^80 + 4e·x^79 +
b7·x^78 + d4·x^77 + b8·x^76 + 18·x^75 + e1·x^74 + f5·x^73 + bc·x^72 + 6e·x^71 + 14·x^70 + 5e·x^69 +
46·x^68 + a9·x^67 + bc·x^66 + ad·x^65 + ed·x^64 + 76·x^63 + 1c·x^62 + 75·x^61 + 67·x^60 +
70·x^59 + e2·x^58 + 3d·x^57 + a1·x^56 + a1·x^55 + 7d·x^54 + 9d·x^53 + 28·x^52 + f5·x^51 + 96·x^50 +
ea·x^49 + e5·x^48 + 80·x^47 + 4e·x^46 + 1f·x^45 + 07·x^44 + db·x^43 + 29·x^42 + de·x^41 +
37·x^40 + 90·x^39 + 83·x^38 + 39·x^37 + 4c·x^36 + 0e·x^35 + f8·x^34 + 83·x^33 + 38·x^32 + 7f·x^31 +
5a·x^30 + 68·x^29 + 0c·x^28 + 5d·x^27 + d1·x^26 + c4·x^25 + e4·x^24 + fe·x^23 + 0b·x^22 +
a8·x^21 + e0·x^20 + fa·x^19 + f2·x^18 + 1f·x^17 + 87·x^16 + 31·x^15 + a9·x^14 + 47·x^13 + 78·x^12 +
a2·x^11 + 38·x^10 + 0d·x^9 + 25·x^8 + 5d·x^7 + 70·x^6 + 52·x^5 + 3f·x^4 + f3·x^3 + ed·x + 57

S1(x) = 1f·x^254 + 58·x^253 + bb·x^252 + 60·x^251 + 38·x^250 + 48·x^249 + 13·x^248 + 04·x^247 +
5e·x^246 + 0d·x^245 + 79·x^244 + 71·x^243 + a3·x^242 + 6a·x^241 + 9c·x^240 + a9·x^239 +
43·x^238 + b1·x^237 + 5e·x^236 + 55·x^235 + d7·x^234 + e1·x^233 + 43·x^232 + 62·x^231 + fd·x^230 +
56·x^229 + f4·x^228 + f4·x^227 + cd·x^226 + 22·x^225 + 95·x^224 + 7e·x^223 + 41·x^222 +
fa·x^221 + 99·x^220 + 7f·x^218 + 92·x^217 + 29·x^216 + ca·x^215 + fd·x^214 + cd·x^213 + 23·x^212 +
f1·x^211 + 93·x^210 + 14·x^209 + 2f·x^208 + 09·x^207 + 6c·x^206 + 3c·x^205 + 94·x^204 +
3f·x^203 + df·x^202 + e5·x^201 + 37·x^200 + 63·x^199 + ce·x^198 + e9·x^197 + 48·x^196 + 50·x^195 +
0b·x^194 + a5·x^193 + 96·x^192 + d2·x^191 + bc·x^190 + 9f·x^189 + 2b·x^188 + 23·x^187 + 4c·x^186 +
31·x^185 + fa·x^184 + c9·x^183 + 65·x^182 + 55·x^181 + 3d·x^180 + 33·x^179 + e4·x^178 + 86·x^177 +
46·x^176 + 67·x^175 + 45·x^174 + 0b·x^173 + fb·x^172 + c8·x^171 + b2·x^170 + c1·x^169 + 8c·x^168 +
05·x^167 + 3c·x^166 + 77·x^165 + a1·x^164 + c9·x^163 + 3f·x^162 + 9a·x^161 + bf·x^160 + 36·x^159 +
02·x^158 + fd·x^157 + 5c·x^156 + fa·x^155 + 45·x^154 + fa·x^153 + 13·x^152 + be·x^151 + 22·x^150 +
f7·x^149 + 04·x^148 + da·x^147 + 5a·x^146 + 08·x^145 + 60·x^144 + bf·x^143 + 98·x^142 +
c1·x^141 + 6b·x^140 + 71·x^139 + cc·x^138 + 02·x^137 + a0·x^136 + 10·x^135 + e5·x^134 + c0·x^133 +
f4·x^132 + 86·x^131 + cc·x^130 + 5b·x^129 + e8·x^128 + 44·x^127 + 2a·x^126 + 0d·x^125 + c7·x^124 +
29·x^123 + f7·x^122 + 3c·x^121 + c1·x^120 + 6b·x^119 + f6·x^118 + 9b·x^117 + 6b·x^116 + cc·x^115 +
5d·x^114 + 1e·x^113 + 55·x^112 + ed·x^111 + 8e·x^110 + 1d·x^109 + 9e·x^108 + 82·x^107 + 72·x^106 +
d2·x^105 + f0·x^104 + 85·x^103 + 6f·x^102 + fd·x^101 + f9·x^100 + 39·x^99 + 99·x^98 + 1a·x^97 +
2e·x^96 + ed·x^95 + 5a·x^94 + 1a·x^93 + cf·x^92 + 58·x^91 + 75·x^90 + 2e·x^89 + 9a·x^88 +
7e·x^87 + cb·x^86 + 4b·x^85 + fd·x^84 + 27·x^83 + 86·x^82 + 7d·x^81 + b2·x^80 + 32·x^79 + 49·x^78 +
1e·x^77 + 8f·x^76 + d6·x^75 + 87·x^74 + 2a·x^73 + 86·x^72 + c0·x^71 + 84·x^70 + b2·x^69 +
81·x^68 + 46·x^67 + 70·x^66 + 4b·x^65 + 3b·x^64 + 7d·x^63 + b1·x^62 + 81·x^61 + bd·x^60 + 6a·x^59 +
d9·x^58 + 73·x^57 + 78·x^56 + ef·x^55 + b1·x^54 + e5·x^53 + b2·x^52 + 61·x^51 + 8f·x^50 +
9c·x^49 + 82·x^48 + 23·x^47 + 88·x^46 + b2·x^45 + fc·x^44 + f3·x^43 + c7·x^42 + a7·x^41 + c6·x^40 +
a1·x^39 + c8·x^38 + 53·x^37 + 5f·x^36 + 32·x^35 + b4·x^34 + ac·x^33 + 91·x^32 + 94·x^31 +
cb·x^30 + 7e·x^29 + e1·x^28 + 45·x^27 + 49·x^26 + 19·x^25 + fa·x^24 + 5c·x^23 + 9a·x^22 + 13·x^21 +
95·x^20 + fc·x^19 + d1·x^18 + 61·x^17 + ec·x^16 + e1·x^15 + a2·x^14 + ff·x^13 + a8·x^12 +
8e·x^11 + f5·x^10 + ec·x^9 + 33·x^8 + ec·x^7 + 04·x^6 + 1c·x^5 + 29·x^4 + 21·x^3 + 5f·x^2 + 07·x + 6c


Appendix C

Using the Library

This chapter describes how to compile programs that use VBF, and introduces its conventions.

C.1 An Example Program

The following program demonstrates the use of the library to analyze Vector Boolean Functions given by the decimal representation of their Truth Table.

#include <iostream>
#include <fstream>
#include <string>
#include <cstdlib>
#include "VBF.h"

/******************************************************************/
int main(int argc, char *argv[])
{
    using namespace std;
    using namespace VBFNS;

    VBF F;
    NTL::vec_long vec_F;
    NTL::vec_ZZ c;
    NTL::mat_GF2 A, T;
    NTL::mat_ZZ W, LP, DP;
    NTL::mat_ZZ Ac;
    long a;
    int i, n;
    string file;

    // argv[1] is the base name of the input and output files,
    // argv[2] the argument dimension n of the Vector Boolean Function
    if (argc < 3) {
        cerr << "Usage: " << argv[0] << " <basename> <n>" << endl;
        return 1;
    }

    // Load VBF definitions
    file = string(argv[1]) + ".dec";
    ifstream input(file.c_str());
    if (!input) {
        cerr << "Error opening " << file << endl;
        return 1;
    }
    input >> vec_F;
    n = atoi(argv[2]);
    F.putDecTT(vec_F, n);
    input.close();

    file = string(argv[1]) + ".anf";
    ofstream output(file.c_str());
    if (!output) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    A = ANF(F);
    cout << "Argument Dimension = " << F.n() << endl;
    cout << "Argument space has " << F.spacen() << " elements." << endl;
    cout << "Image Dimension = " << F.m() << endl;
    cout << "Image space has " << F.spacem() << " elements." << endl << endl;
    cout << "Writing Algebraic Normal Form to file: " << file << endl;
    cout << "[Columns = Image components]" << endl;
    output << A << endl;
    output.close();

    file = string(argv[1]) + ".tt";
    ofstream output1(file.c_str());
    if (!output1) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    T = TT(F);
    cout << endl << "Writing Truth Table to file: " << file << endl;
    cout << "[Columns = Image components]" << endl;
    output1 << T << endl;
    output1.close();

    file = string(argv[1]) + ".wal";
    ofstream output2(file.c_str());
    if (!output2) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    W = Walsh(F);
    cout << endl << "Writing Walsh Spectrum to file: " << file << endl;
    output2 << W << endl;
    output2.close();

    file = string(argv[1]) + ".lp";
    ofstream output3(file.c_str());
    if (!output3) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    LP = LAT(F);
    cout << endl << "Writing Linear Profile to file: " << file << endl;
    cout << "[To normalize divide by " << LP[0][0] << "]" << endl;
    output3 << LP << endl;
    output3.close();

    file = string(argv[1]) + ".dp";
    ofstream output4(file.c_str());
    if (!output4) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    DP = DAT(F);
    cout << endl << "Writing Differential Profile to file: " << file << endl;
    cout << "[To normalize divide by " << DP[0][0] << "]" << endl;
    output4 << DP << endl;
    output4.close();

    file = string(argv[1]) + ".pol";
    ofstream output5(file.c_str());
    if (!output5) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    cout << endl << "Writing the polynomials in ANF to file: " << file << endl;
    Pol(output5, F);
    output5.close();

    file = string(argv[1]) + ".ls";
    ofstream output6(file.c_str());
    if (!output6) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    A = LS(F);
    cout << endl << "Writing Linear structures to file: " << file << endl;
    output6 << A << endl;
    output6.close();

    file = string(argv[1]) + ".ac";
    ofstream output7(file.c_str());
    if (!output7) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    Ac = AC(F);
    cout << endl << "Writing Autocorrelation Spectrum to file: " << file << endl;
    output7 << Ac << endl;
    output7.close();

    file = string(argv[1]) + ".cy";
    ofstream output8(file.c_str());
    if (!output8) {
        cerr << "Error opening " << file << endl;
        return 1;
    }

    c = Cycle(F);
    cout << endl << "Writing Cycle Structure to file: " << file << endl;
    // One line per cycle length that actually occurs: "length,count"
    for (i = 0; i < c.length(); i++) {
        if (c[i] > 0) {
            output8 << i << "," << c[i] << endl;
        }
    }
    output8.close();

    cout << endl << "Nonlinearity: " << nl(F) << endl;
    nlr(a, F, 2);
    cout << "Second order Nonlinearity: " << a << endl;
    cout << "Linearity distance: " << ld(F) << endl;
    cout << "Algebraic degree: " << deg(F) << endl;
    cout << "Algebraic immunity: " << AI(F) << endl;
    cout << "Absolute indicator: " << maxAC(F) << endl;
    cout << "Sum-of-squares indicator: " << sigma(F) << endl;
    cout << "Linear potential: " << lp(F) << endl;
    cout << "Differential potential: " << dp(F) << endl;
    cout << "Maximum Nonlinearity (if n is even): " << nlmax(F) << endl;
    cout << "Maximum Linearity distance: " << ldmax(F) << endl;

    int type;
    typenl(type, F);

    if (type == BENT) {
        cout << "It is a bent function" << endl;
    } else if (type == ALMOST_OPTIMAL) {
        cout << "It is an almost optimal function" << endl;
    } else if (type == LINEAR) {
        cout << "It is a linear function" << endl;
    }

    cout << "The fixed points are: " << endl;
    cout << fixedpoints(F) << endl;
    cout << "The negated fixed points are: " << endl;
    cout << negatedfixedpoints(F) << endl;
    cout << "Correlation immunity: " << CI(F) << endl;
    if (F.getbal()) {
        cout << "It is a balanced function" << endl;
    } else {
        cout << "It is a non-balanced function" << endl;
    }
    cout << "The function is PC of degree " << PC(F) << endl;

    /* Finish **********************************************************/

    return 0;
}

A set of files with the decimal representation of the KASUMI S-boxes (S7.dec and S9.dec) is provided in the "Example" directory. If "S7.dec" (the S7 decimal representation) is used as input of the program above, the output consists of:

• S7.ac (Autocorrelation Spectrum)

• S7.cy (Cycle structure)

• S7.lp (Linear Profile)

• S7.tt (Truth Table)

• S7.anf (ANF Table)

• S7.ls (Linear structures): an empty vector, because S7 has no linear structures

• S7.char (Cryptographic criteria)

• S7.dp (Differential Profile)

• S7.pol (Polynomial representation)

• S7.wal (Walsh Spectrum)

The same applies to S9 S-box analysis.

Page 304: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

280 Using the Library

C.2 Compiling

There is only one library header file, called "VBF.h". You should include a statement like this in any program that makes use of the VBF library:

#include "VBF.h"

If the directory is not installed on the standard search path of your compiler, you will also need to provide its location to the preprocessor as a command line flag. The default location of the 'NTL' directory is '/usr/local/include/NTL'. A typical compilation command for a source file 'ex.cpp' with the GNU C++ compiler g++, as included in a Makefile, is:

GPP=g++
LIBS=-lntl
NTLINC= -I/usr/local/include -L/usr/local/lib

ex: ex.cpp VBF.h
	$(GPP) $(NTLINC) -Wall ex.cpp -o ex.exe $(LIBS)

This results in an executable file ‘ex.exe’ if the following command is executed:

$ make ex

In order to run the example program included in the "Example" directory on S7.dec and S9.dec, the following commands must be executed:

$ ./ex.exe S7 7
$ ./ex.exe S9 9

C.3 How to Evaluate New Algorithms

In order to evaluate an algorithm, we need to obtain a representation of it that can be used to initialize a VBF class. These representations are the Truth Table, the Hexadecimal representation (only for Boolean functions), the Decimal representation of its Truth Table, its trace together with the irreducible polynomial, Polynomials in ANF, the ANF Table, the Characteristic Function, the Walsh Spectrum, the permutation representation, the Expansion and Compression DES vector representation, and the DES S-Box representation.
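Before a component of an algorithm can be loaded with putDecTT as in the C.1 program, its decimal truth table has to be written in the vector syntax that NTL's operator>> reads. The following program is an added example (not code from the thesis or from the VBF library): it serialises KASUMI's S7, taken from the Kasumi.c listing later in this section, into that form, and recomputes from the Walsh spectrum the nonlinearity that the C.1 program reports, as an independent cross-check of a library result. Assumed here: NTL's text format for vec_long is "[v0 v1 ... ]", and the file name S7.dec is the one the C.1 program opens for "./ex.exe S7 7".

```cpp
#include <cstdint>
#include <cstdlib>
#include <string>
#include <sstream>
#include <vector>
#include <fstream>
#include <iostream>

// KASUMI S7, copied from the Kasumi.c listing in this section. The array
// itself is already the decimal representation of the truth table: entry x
// is S7(x) as an integer, for x = 0..127.
static const int S7[128] = {
     54, 50, 62, 56, 22, 34, 94, 96, 38,  6, 63, 93,  2, 18,123, 33,
     55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81,
     53,  9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43,
     20,122, 72, 61, 23,109, 13,100, 77,  1, 16,  7, 82, 10,105, 98,
    117,116, 76, 11, 89,106,  0,125,118, 99, 86, 69, 30, 57,126, 87,
    112, 51, 17,  5, 95, 14, 90, 84, 91,  8, 35,103, 32, 97, 28, 66,
    102, 31, 26, 45, 75,  4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44,
     64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59,  3 };

std::vector<long> s7_dec_tt()
{
    return std::vector<long>(S7, S7 + 128);
}

// Truth table of the identity on n bits: a linear function, useful as a
// reference point because its nonlinearity must be 0.
std::vector<long> identity_tt(int n)
{
    std::vector<long> tt;
    for (long x = 0; x < (1L << n); ++x) tt.push_back(x);
    return tt;
}

// Serialise a decimal truth table as "[v0 v1 ... ]", the text form NTL's
// operator>> for vec_long accepts (assumed format), i.e. what the
// `input >> vec_F` line of the C.1 program expects to find in S7.dec.
std::string dec_tt_to_ntl(const std::vector<long>& tt)
{
    std::ostringstream os;
    os << '[';
    for (size_t i = 0; i < tt.size(); ++i) os << (i ? " " : "") << tt[i];
    os << ']';
    return os.str();
}

// Write S7.dec exactly as the C.1 program reads it; false if it cannot be created.
bool write_s7_dec(const std::string& path)
{
    std::ofstream out(path.c_str());
    if (!out) return false;
    out << dec_tt_to_ntl(s7_dec_tt()) << '\n';
    return out.good();
}

// Parity of the bits of v, i.e. the GF(2) inner product once v = a & b.
static int parity(unsigned v)
{
    int p = 0;
    while (v) { p ^= (int)(v & 1u); v >>= 1; }
    return p;
}

// Nonlinearity of an (n,m) Vector Boolean Function given as a decimal truth
// table: 2^(n-1) - max|W(u,v)|/2 over all input masks u and nonzero output
// masks v, where W(u,v) = sum_x (-1)^(v.F(x) + u.x) is the Walsh transform
// of the component function v.F. This is what the C.1 program prints as
// "Nonlinearity"; O(2^(n+m) * 2^n), fine for S-box sizes.
long nonlinearity(const std::vector<long>& tt, int n, int m)
{
    long size = 1L << n, maxabs = 0;
    for (long v = 1; v < (1L << m); ++v) {
        for (long u = 0; u < size; ++u) {
            long w = 0;
            for (long x = 0; x < size; ++x) {
                int bit = parity((unsigned)(v & tt[x])) ^ parity((unsigned)(u & x));
                w += bit ? -1 : 1;
            }
            if (w < 0) w = -w;
            if (w > maxabs) maxabs = w;
        }
    }
    return (size - maxabs) / 2;
}

int main()
{
    std::vector<long> tt = s7_dec_tt();
    std::cout << "S7.dec begins: " << dec_tt_to_ntl(tt).substr(0, 24) << "...\n";
    std::cout << "Nonlinearity of S7: " << nonlinearity(tt, 7, 7) << '\n';
    std::cout << "Nonlinearity of the 3-bit identity: " << nonlinearity(identity_tt(3), 3, 3) << '\n';
    return 0;
}
```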

As an example, we describe the procedure followed to evaluate the FI function of the KASUMI algorithm. We used an implementation of KASUMI in C, shown below:


/*-----------------------------------------------------------------------* Kasumi.c*-----------------------------------------------------------------------** A sample implementation of KASUMI, the core algorithm for the* 3GPP Confidentiality and Integrity algorithms.** This has been coded for clarity, not necessarily for efficiency.** This will compile and run correctly on both Intel (little endian)* and Sparc (big endian) machines. (Compilers used supported 32-bit ints).** Version 1.1 08 May 2000**-----------------------------------------------------------------------*/

#include <iostream>#include <fstream>#include <string>#include <sstream>#include "VBF.h"

#include "Kasumi.h"

/*--------- 16 bit rotate left ------------------------------------------*/

#define ROL16(a,b) (u16)((a<<b)|(a>>(16-b)))

/*------- unions: used to remove "endian" issues ------------------------*/

typedef union {u32 b32;u16 b16[2];u8 b8[4];

} DWORD;

Page 306: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

282 Using the Library

typedef union {u16 b16;u8 b8[2];

} WORD;

/*-------- globals: The subkey arrays -----------------------------------*/

static u16 KLi1[8], KLi2[8];static u16 KOi1[8], KOi2[8], KOi3[8];static u16 KIi1[8], KIi2[8], KIi3[8];

/*---------------------------------------------------------------------* FI()* The FI function (fig 3). It includes the S7 and S9 tables.* Transforms a 16-bit value.*---------------------------------------------------------------------*/

static u16 FI( u16 in, u16 subkey ){

u16 nine, seven;static u16 S7[] = {

54, 50, 62, 56, 22, 34, 94, 96, 38, 6, 63, 93, 2, 18,123, 33,55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81,53, 9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43,20,122, 72, 61, 23,109, 13,100, 77, 1, 16, 7, 82, 10,105, 98,117,116, 76, 11, 89,106, 0,125,118, 99, 86, 69, 30, 57,126, 87,112, 51, 17, 5, 95, 14, 90, 84, 91, 8, 35,103, 32, 97, 28, 66,102, 31, 26, 45, 75, 4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44,64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59, 3};

static u16 S9[] = {167,239,161,379,391,334, 9,338, 38,226, 48,358,452,385, 90,397,183,253,147,331,415,340, 51,362,306,500,262, 82,216,159,356,177,175,241,489, 37,206, 17, 0,333, 44,254,378, 58,143,220, 81,400,95, 3,315,245, 54,235,218,405,472,264,172,494,371,290,399, 76,

165,197,395,121,257,480,423,212,240, 28,462,176,406,507,288,223,

Page 307: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

C.3 How to Evaluate New Algorithms 283

501,407,249,265, 89,186,221,428,164, 74,440,196,458,421,350,163,232,158,134,354, 13,250,491,142,191, 69,193,425,152,227,366,135,344,300,276,242,437,320,113,278, 11,243, 87,317, 36, 93,496, 27,487,446,482, 41, 68,156,457,131,326,403,339, 20, 39,115,442,124,475,384,508, 53,112,170,479,151,126,169, 73,268,279,321,168,364,363,292, 46,499,393,327,324, 24,456,267,157,460,488,426,309,229,439,506,208,271,349,401,434,236, 16,209,359, 52, 56,120,199,277,465,416,252,287,246, 6, 83,305,420,345,153,502, 65, 61,244,282,173,222,418, 67,386,368,261,101,476,291,195,430, 49, 79,166,330,280,383,373,128,382,408,155,495,367,388,274,107,459,417, 62,454,132,225,203,316,234, 14,301, 91,503,286,424,211,347,307,140,374,35,103,125,427, 19,214,453,146,498,314,444,230,256,329,198,285,50,116, 78,410, 10,205,510,171,231, 45,139,467, 29, 86,505, 32,72, 26,342,150,313,490,431,238,411,325,149,473, 40,119,174,355,

185,233,389, 71,448,273,372, 55,110,178,322, 12,469,392,369,190,1,109,375,137,181, 88, 75,308,260,484, 98,272,370,275,412,111,

336,318, 4,504,492,259,304, 77,337,435, 21,357,303,332,483, 18,47, 85, 25,497,474,289,100,269,296,478,270,106, 31,104,433, 84,

414,486,394, 96, 99,154,511,148,413,361,409,255,162,215,302,201,266,351,343,144,441,365,108,298,251, 34,182,509,138,210,335,133,311,352,328,141,396,346,123,319,450,281,429,228,443,481, 92,404,485,422,248,297, 23,213,130,466, 22,217,283, 70,294,360,419,127,312,377, 7,468,194, 2,117,295,463,258,224,447,247,187, 80,398,284,353,105,390,299,471,470,184, 57,200,348, 63,204,188, 33,451,97, 30,310,219, 94,160,129,493, 64,179,263,102,189,207,114,402,

438,477,387,122,192, 42,381, 5,145,118,180,449,293,323,136,380,43, 66, 60,455,341,445,202,432, 8,237, 15,376,436,464, 59,461};

/* The sixteen bit input is split into two unequal halves, ** nine bits and seven bits - as is the subkey */

nine = (u16)(in>>7);seven = (u16)(in&0x7F);

/* Now run the various operations */nine = (u16)(S9[nine] ^ seven);seven = (u16)(S7[seven] ^ (nine & 0x7F));

Page 308: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

284 Using the Library

seven ^= (subkey>>9);nine ^= (subkey&0x1FF);nine = (u16)(S9[nine] ^ seven);seven = (u16)(S7[seven] ^ (nine & 0x7F));in = (u16)((seven<<9) + nine);

return( in );}

/*---------------------------------------------------------------------* FO()* The FO() function.* Transforms a 32-bit value. Uses <index> to identify the* appropriate subkeys to use.*---------------------------------------------------------------------*/

static u32 FO( u32 in, int index ){

u16 left, right;u16 l,r;

/* Split the input into two 16-bit words */left = (u16)(in>>16);right = (u16) in;l = left;r = right;

/* Now apply the same basic transformation three times */left ^= KOi1[index];left = FI( left, KIi1[index] );left ^= right;right ^= KOi2[index];right = FI( right, KIi2[index] );right ^= left;left ^= KOi3[index];left = FI( left, KIi3[index] );left ^= right;

Page 309: Vector Boolean Functions: Applications in Symmetric ...oa.upm.es/39054/1/JOSE_ANTONIO_ALVAREZ_CUBERO.pdf · booleanas vectoriales tales como la comprobación de igualdad, la composición,

C.3 How to Evaluate New Algorithms 285

in = (((u32)right)<<16)+left;

return( in );}

/*---------------------------------------------------------------------
 * FL()
 * The FL() function.
 * Transforms a 32-bit value. Uses <index> to identify the
 * appropriate subkeys to use.
 *---------------------------------------------------------------------*/
static u32 FL( u32 in, int index )
{
  u16 l, r, a, b;

  /* split out the left and right halves */
  l = (u16)(in>>16);
  r = (u16)(in);

  /* do the FL() operations */
  a = (u16) (l & KLi1[index]);
  r ^= ROL16(a,1);
  b = (u16)(r | KLi2[index]);
  l ^= ROL16(b,1);

  /* put the two halves back together */
  in = (((u32)l)<<16) + r;

  return( in );
}

/*---------------------------------------------------------------------
 * Kasumi()
 * the Main algorithm (fig 1). Apply the same pair of operations
 * four times. Transforms the 64-bit input.
 *---------------------------------------------------------------------*/
void Kasumi( u8 *data )
{
  u32 left, right, temp;
  DWORD *d;
  int n;

  /* Start by getting the data into two 32-bit words (endian correct) */
  d = (DWORD*)data;

  left = (((u32)d[0].b8[0])<<24)+(((u32)d[0].b8[1])<<16)
        +(d[0].b8[2]<<8)+(d[0].b8[3]);
  right = (((u32)d[1].b8[0])<<24)+(((u32)d[1].b8[1])<<16)
        +(d[1].b8[2]<<8)+(d[1].b8[3]);

  n = 0;
  do
  {
    temp = FL( left, n );
    temp = FO( temp, n++ );
    right ^= temp;
    temp = FO( right, n );
    temp = FL( temp, n++ );
    left ^= temp;
  }
  while( n<=7 );

  /* return the correct endian result */
  d[0].b8[0] = (u8)(left>>24);  d[1].b8[0] = (u8)(right>>24);
  d[0].b8[1] = (u8)(left>>16);  d[1].b8[1] = (u8)(right>>16);
  d[0].b8[2] = (u8)(left>>8);   d[1].b8[2] = (u8)(right>>8);
  d[0].b8[3] = (u8)(left);      d[1].b8[3] = (u8)(right);
}

/*---------------------------------------------------------------------
 * KeySchedule()
 * Build the key schedule. Most "key" operations use 16-bit
 * subkeys so we build u16-sized arrays that are "endian" correct.
 *---------------------------------------------------------------------*/
void KeySchedule( u8 *k )
{
  static u16 C[] = { 0x0123,0x4567,0x89AB,0xCDEF,
                     0xFEDC,0xBA98,0x7654,0x3210 };

  u16 key[8], Kprime[8];
  WORD *k16;
  int n;

  /* Start by ensuring the subkeys are endian correct on a 16-bit basis */
  k16 = (WORD *)k;
  for( n=0; n<8; ++n )
    key[n] = (u16)((k16[n].b8[0]<<8) + (k16[n].b8[1]));

  /* Now build the K'[] keys */
  for( n=0; n<8; ++n )
    Kprime[n] = (u16)(key[n] ^ C[n]);

  /* Finally construct the various sub keys */
  for( n=0; n<8; ++n )
  {
    KLi1[n] = ROL16(key[n],1);
    KLi2[n] = Kprime[(n+2)&0x7];
    KOi1[n] = ROL16(key[(n+1)&0x7],5);
    KOi2[n] = ROL16(key[(n+5)&0x7],8);
    KOi3[n] = ROL16(key[(n+6)&0x7],13);
    KIi1[n] = Kprime[(n+4)&0x7];
    KIi2[n] = Kprime[(n+3)&0x7];
    KIi3[n] = Kprime[(n+7)&0x7];
  }
}

In the main procedure, we define a routine that writes the truth table of the FI function for every subkey value between the "first" and "last" command-line parameters, one file per subkey.

int main(int argc, char *argv[])
{
  using namespace VBFNS;

  u16 l,k;
  long i,j,first,last;
  char file[33];
  NTL::vec_GF2 vn;

  if (argc < 3)
  {
    cerr << "usage: " << argv[0] << " first last" << endl;
    return 1;
  }
  first = atoi(argv[1]);
  last = atoi(argv[2]);

  /* one truth-table file per subkey value */
  for (i = first; i <= last; i++)
  {
    sprintf(file,"%ld.tt",i);
    ofstream output(file);
    if(!output)
    {
      cerr << "Error opening " << file << endl;
      return 1;
    }

    output << "[";

    /* the 16-bit subkey for this table */
    k = (u16) i;

    /* one row per 16-bit input, in the NTL vec_GF2 text format */
    for (j = 0; j < 65536; j++)
    {
      l = (u16) j;
      l = FI( l, k );
      vn = to_vecGF2(l,16);
      output << vn << endl;
    }

    output << "]" << endl;
    output.close();
  }

  return 0;
}
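As an added example, not code from the thesis or from the VBF library, the C program below mirrors the main procedure above: it builds the truth table of FI for one subkey, checks that FI(., key) is a permutation of the 16-bit inputs (which the Feistel-style FO round relies on), and writes the table in the same bracketed one-row-per-input format. The S-boxes S7 and S9 here are constructed placeholders, not the KASUMI tables listed earlier in the appendix, and the MSB-first bit order of each row is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t u16;
/* Constructed placeholder S-boxes, NOT the KASUMI S7/S9 tables given
 * earlier in the appendix: affine maps with odd multipliers, hence
 * bijections on 7 and 9 bits. Drop in the real tables to reproduce
 * the thesis' truth tables. */
static u16 S7(u16 x) { return (u16)((x * 37u + 11u) & 0x7F); }
static u16 S9(u16 x) { return (u16)((x * 93u + 200u) & 0x1FF); }
/* Same structure as the appendix's FI(): 9/7 split, subkey XOR in the middle. */
static u16 fi(u16 in, u16 subkey) {
    u16 nine = (u16)(in >> 7), seven = (u16)(in & 0x7F);
    nine = (u16)(S9(nine) ^ seven);
    seven = (u16)(S7(seven) ^ (nine & 0x7F));
    seven ^= (u16)(subkey >> 9);
    nine ^= (u16)(subkey & 0x1FF);
    nine = (u16)(S9(nine) ^ seven);
    seven = (u16)(S7(seven) ^ (nine & 0x7F));
    return (u16)((seven << 9) + nine);
}

static u16 table[65536];   /* row x holds FI(x, key) after a build */
/* Fill table[] for one subkey; return 1 iff FI(., key) is a permutation
 * of the 16-bit inputs (every output value reached exactly once). */
int build_fi_truth_table(u16 key) {
    static unsigned char seen[65536];
    int bijective = 1;
    memset(seen, 0, sizeof seen);
    for (uint32_t x = 0; x < 65536; x++) {
        table[x] = fi((u16)x, key);
        if (seen[table[x]]++) bijective = 0;
    }
    return bijective;
}

/* Write the table as the appendix's program does: '[' then one NTL-style
 * row "[b15 ... b0]" per input (MSB first assumed), then ']'. Returns rows written. */
long write_truth_table(FILE *out) {
    fputs("[", out);
    for (uint32_t x = 0; x < 65536; x++) {
        fputc('[', out);
        for (int b = 15; b >= 0; b--)
            fprintf(out, "%d%s", (table[x] >> b) & 1, b ? " " : "]\n");
    }
    fputs("]\n", out);
    return 65536;
}
```

Each output file can then be loaded into VBF as the truth table of a 16-to-16 vector Boolean function for the analyses described in this appendix.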
