Vectorial Boolean functions for symmetric cryptography II
Claude Carlet (University of Paris 8-MAATICAH and INRIA)
Outline

I On highly nonlinear S-boxes and their inability to thwart DPA attacks
  - The transparency order
  - Lower bounds
  - Power permutations
  - The inverse function and the S-box of the AES

I Vectorial Boolean functions for pseudo-random generators with multi-output
  - Unrestricted nonlinearity and resiliency.
  - An upper bound and a construction.
On highly nonlinear S-boxes and their inability to thwart DPA attacks
The transparency order (Prouff)

$$T_F = \max_{b\in\mathbb{F}_2^n}\left(|n - 2w_H(b)| - \frac{1}{2^{2n}-2^n}\sum_{a\in\mathbb{F}_2^{n*}}\left|\sum_{i=1}^{n}(-1)^{b_i}\,\mathcal{F}(D_a f_i)\right|\right),$$

where $D_a f_i(x) = f_i(x) + f_i(x+a)$ is the derivative of the coordinate function $f_i$ in direction $a$ and $\mathcal{F}(g) = \sum_{x\in\mathbb{F}_2^n}(-1)^{g(x)}$.
Lower bounds
Theorem 1. Let $F = (f_1, \dots, f_n)$ be any $(n,n)$-function. Let $N_F$ denote the nonlinearity of $F$, and $L_F$ its linearity (such that $N_F = 2^{n-1} - \frac{1}{2}L_F$), and let $\widehat{f_i}$ denote the Walsh transform of the coordinate function $f_i$. Then $T_F$ is lower bounded by

$$n - 2^{-\frac{3n}{2}}\sqrt{\frac{1}{2^n-1}\left(\sum_{1\le i\le n}\ \sum_{a\in\mathbb{F}_2^n}\widehat{f_i}^{\,4}(a) + 2\sum_{1\le i<j\le n}\ \sum_{a\in\mathbb{F}_2^n}\widehat{f_i}^{\,2}(a)\,\widehat{f_j}^{\,2}(a) - n^2\,2^{3n}\right)}$$

and therefore by

$$n - 2^{-\frac{3n}{2}}\left(\frac{1}{2^n-1}\left(\left(\sum_{i=1}^{n}|S_i| + 2\sum_{1\le i<j\le n}|S_i\cap S_j|\right)L_F^4 - n^2\,2^{3n}\right)\right)^{1/2},$$

where $S_i$ is the support of $\widehat{f_i}$ and "$|\ |$" denotes the size.
Power permutations
The coordinate functions of a power function xd have the form
fi(x) = tr(bixd), where the bi’s are linearly independent.
Set $b \ne 0$. Assuming that $d$ is co-prime with $2^n - 1$, and denoting the function $tr(bx^d)$ by $f_b$ and the function $tr(x^d)$ by $f$, we have

$$\widehat{f_b}(a) = \widehat{f}\!\left(\frac{a}{b^{1/d}}\right),$$

and the support of $\widehat{f_b}$ equals $b^{1/d}S$, where $S$ is the support of $\widehat{f}$.
Hence, $\sum_{a\in\mathbb{F}_{2^n}}\widehat{f}^{\,2}(a)\,\widehat{f_c}^{\,2}(a)$ equals

$$\frac{1}{2^n-1}\sum_{b\in\mathbb{F}_{2^n}^*}\ \sum_{a\in\mathbb{F}_{2^n}}\widehat{f}^{\,2}\!\left(\frac{a}{b^{1/d}}\right)\widehat{f_c}^{\,2}\!\left(\frac{a}{b^{1/d}}\right)
= \frac{1}{2^n-1}\sum_{b\in\mathbb{F}_{2^n}^*}\ \sum_{a\in\mathbb{F}_{2^n}}\widehat{f_b}^{\,2}(a)\,\widehat{f_{bc}}^{\,2}(a)$$

$$= \frac{1}{2^n-1}\sum_{b\in\mathbb{F}_{2^n}}\ \sum_{a\in\mathbb{F}_{2^n}}\ \sum_{x,y,z,t\in\mathbb{F}_{2^n}}(-1)^{tr\left(b(x^d+y^d+cz^d+ct^d)+a(x+y+z+t)\right)} - \frac{2^{4n}}{2^n-1}$$

$$= \frac{1}{2^n-1}\left(\sum_{x,y,z,t\in\mathbb{F}_{2^n}}\ \sum_{b\in\mathbb{F}_{2^n}}(-1)^{tr\left(b(x^d+y^d+cz^d+ct^d)\right)}\sum_{a\in\mathbb{F}_{2^n}}(-1)^{tr\left(a(x+y+z+t)\right)} - 2^{4n}\right).$$
Hence, $\sum_{a\in\mathbb{F}_{2^n}}\widehat{f}^{\,2}(a)\,\widehat{f_c}^{\,2}(a)$ equals

$$\frac{2^{2n}}{2^n-1}\left(\left|\left\{(x,y,z)\in\mathbb{F}_{2^n}^3 \;\middle|\; x^d + y^d + cz^d + c(x+y+z)^d = 0\right\}\right| - 2^{2n}\right).$$
Consequence on the inverse function and the S-box of the AES:

$$T_F \ge n - \sqrt{\frac{n}{2^n}}.$$
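As an added worked example (ours, not code from the slides): the script below computes $T_F$ from Prouff's definition, both lower bounds of Theorem 1, and checks numerically the Walsh-support shift $\mathrm{supp}(\widehat{f_b}) = b^{1/d}S$ for a power function. The field size $n = 4$, the modulus $x^4 + x + 1$, the choice $d = 2^n - 2$ (the inverse function, i.e. the AES S-box core scaled down to 4 bits) and all function names are our assumptions; the identity map is included as a reference whose transparency order can be worked out by hand.

```python
# Added example, not from Carlet's slides: compute the transparency order T_F, the two lower
# bounds of Theorem 1, and check the Walsh-support shift for tr(b x^d), all from the
# definitions above.  Assumptions (ours): n = 4, GF(2^4) = F_2[x]/(x^4 + x + 1), and
# d = 2^n - 2 so that x^d is the inverse function (the AES S-box core scaled to 4 bits).
import math

N = 4                      # input and output size n
MODULUS = 0b10011          # x^4 + x + 1 (assumed irreducible)
SIZE = 1 << N              # 2^n

def parity(v):
    """The dot product a.x over F_2 is the parity of a & x."""
    return bin(v).count("1") & 1

def gf_mul(a, b):
    """Schoolbook multiplication in GF(2^N) reduced modulo MODULUS."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r

def gf_pow(x, e):
    """x^e in GF(2^N) by square-and-multiply (0^e = 0 for e > 0)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def trace(x):
    """tr(x) = x + x^2 + x^4 + ... + x^(2^(N-1)), a field element in {0, 1}."""
    t = 0
    for k in range(N):
        t ^= gf_pow(x, 1 << k)
    return t

TR = [trace(x) for x in range(SIZE)]   # trace table, used for the bilinear form tr(ax)

def walsh(f, a, tr_form=False):
    """\\hat f(a) = sum_x (-1)^(f(x) + a.x); with tr_form, a.x is replaced by tr(ax)."""
    dot = (lambda x: TR[gf_mul(a, x)]) if tr_form else (lambda x: parity(a & x))
    return sum(1 - 2 * (f[x] ^ dot(x)) for x in range(SIZE))

def autocorr(f, a):
    """F(D_a f) = sum_x (-1)^(f(x) + f(x + a))."""
    return sum(1 - 2 * (f[x] ^ f[x ^ a]) for x in range(SIZE))

def coordinates(F):
    """Truth tables of the coordinate functions f_i (bit i of F(x))."""
    return [[(F[x] >> i) & 1 for x in range(SIZE)] for i in range(N)]

def transparency_order(F):
    """T_F exactly as in Prouff's definition, maximised over b in F_2^n."""
    ac = [[autocorr(f, a) for a in range(SIZE)] for f in coordinates(F)]
    best = -math.inf
    for b in range(SIZE):
        inner = sum(abs(sum((1 - 2 * ((b >> i) & 1)) * ac[i][a] for i in range(N)))
                    for a in range(1, SIZE))
        best = max(best, abs(N - 2 * bin(b).count("1")) - inner / (SIZE * SIZE - SIZE))
    return best

def theorem1_bounds(F):
    """The two lower bounds of Theorem 1: (Walsh-moment form, support/linearity form)."""
    W = [[walsh(f, a) for a in range(SIZE)] for f in coordinates(F)]
    pairs = [(i, j) for i in range(N) for j in range(i + 1, N)]
    s4 = sum(W[i][a] ** 4 for i in range(N) for a in range(SIZE))
    s22 = sum(W[i][a] ** 2 * W[j][a] ** 2 for i, j in pairs for a in range(SIZE))
    S = [{a for a in range(SIZE) if W[i][a]} for i in range(N)]          # Walsh supports S_i
    L_F = max(abs(walsh([parity(v & F[x]) for x in range(SIZE)], a))     # linearity of F
              for v in range(1, SIZE) for a in range(SIZE))
    cover = sum(map(len, S)) + 2 * sum(len(S[i] & S[j]) for i, j in pairs)
    scale, shift = 2 ** (-1.5 * N), N * N * 2 ** (3 * N)
    return (N - scale * math.sqrt((s4 + 2 * s22 - shift) / (SIZE - 1)),
            N - scale * math.sqrt((cover * L_F ** 4 - shift) / (SIZE - 1)))

def walsh_support_is_shifted(d):
    """Slide check: supp(\\hat f_b) == b^(1/d) * supp(\\hat f) for f_b(x) = tr(b x^d), all b != 0.
    The Walsh transform here uses tr(ax), as the substitution x -> x / b^(1/d) requires."""
    inv_d = pow(d, -1, SIZE - 1)          # 1/d modulo 2^n - 1; needs gcd(d, 2^n - 1) = 1
    xd = [gf_pow(x, d) for x in range(SIZE)]
    def supp(b):
        f = [TR[gf_mul(b, xd[x])] for x in range(SIZE)]
        return {a for a in range(SIZE) if walsh(f, a, tr_form=True)}
    S = supp(1)
    return all(supp(b) == {gf_mul(gf_pow(b, inv_d), s) for s in S} for b in range(1, SIZE))

INVERSE = [gf_pow(x, SIZE - 2) for x in range(SIZE)]   # x -> x^(2^n - 2): the inverse function
IDENTITY = list(range(SIZE))                           # affine reference, T_F = 8/3 for n = 4

if __name__ == "__main__":
    for name, F in (("inverse", INVERSE), ("identity", IDENTITY)):
        print(f"{name}: T_F = {transparency_order(F):.4f}, Theorem 1 bounds = {theorem1_bounds(F)}")
    print(f"n - sqrt(n / 2^n) = {N - math.sqrt(N / SIZE):.4f}")
    print("Walsh support shift holds for d = 2^n - 2:", walsh_support_is_shifted(SIZE - 2))
```

For the identity, every $D_a f_i$ is constant, so the definition collapses to $T_F = (n2^n - \sum_b|n-2w_H(b)|)/(2^n-1)$, which is $8/3$ at $n=4$ and is what the script returns; for the inverse function the computed $T_F$ lies above both Theorem 1 bounds (the support form is the weaker of the two), and the value $n - \sqrt{n/2^n} = 3.5$ printed alongside is the slide's bound for comparison.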
Vectorial Boolean functions for pseudo-random generators with multi-output

To speed up the pseudo-random generator, we can use a vectorial function $F$ to combine the outputs $x_1, x_2, \dots, x_n$ of $n$ LFSRs:

[Figure: LFSR 1, LFSR 2, ..., LFSR n produce $x_1, x_2, \dots, x_n$, which feed the combining function $F$.]
$F$ must be balanced, and moreover correlation-immune of high order.

An $(n,m)$-function $F$ is $t$-th order correlation-immune if its output distribution does not change when we fix any $t$ input variables $x_i$. It is said to be $t$-resilient if it is balanced and $t$-th order correlation-immune.

The following are equivalent:
(1) $F$ is $t$-th order correlation-immune (resp. $t$-resilient);
(2) for every $v \in (\mathbb{F}_2^m)^*$, the function $x \mapsto v \cdot F(x)$ is $t$-th order correlation-immune (resp. $t$-resilient);
(3) for every Boolean function $g$ on $\mathbb{F}_2^m$, the function $g \circ F$ is $t$-th order correlation-immune.
Consequence 1: the known bounds on the nonlinearity of resilient Boolean functions extend to vectorial functions.

Consequence 2: let

$$C_F(u) = 2^{-n}\max_{g\in\mathcal{B}_m^*}\left|\sum_{x\in\mathbb{F}_2^n}(-1)^{g(F(x)) + u\cdot x}\right|, \qquad u\in\mathbb{F}_2^n,$$

be the unrestricted correlation coefficient between $F$ and the linear function $x\in\mathbb{F}_2^n \mapsto u\cdot x$, where $\mathcal{B}_m^*$ is the set of non-constant Boolean functions on $\mathbb{F}_2^m$. The following are equivalent:
(1) $F$ is $t$-th order correlation-immune;
(2) for every $u\in\mathbb{F}_2^n$ such that $1 \le w_H(u) \le t$, we have $c_F(u) = 0$;
(3) for every $u\in\mathbb{F}_2^n$ such that $1 \le w_H(u) \le t$, we have $C_F(u) = 0$.

Recall that $NL_F = 2^{n-1} - 2^{n-1}\max_{u\in\mathbb{F}_2^n} c_F(u)$.

We call unrestricted nonlinearity of $F$ the number $UN_F$ equal to

$$UN_F = 2^{n-1} - 2^{n-1}\max_{u\in\mathbb{F}_2^{n*}} C_F(u).$$

$UN_F$ equals the minimum Hamming distance between all functions $g \circ F$ ($g\in\mathcal{B}_m^*$) and all affine non-constant functions $\ell$ on $\mathbb{F}_2^n$.
Remark: if $m = n$, then $UN_F = 0$ for every bijective $(n,n)$-function $F$ (take $g = \ell\circ F^{-1}$ for an affine $\ell$), while we can have $NL_F = 2^{n-1} - 2^{\frac{n-1}{2}}$.

Why $\max_{u\in\mathbb{F}_2^{n*}} C_F(u)$ and not $\max_{u\in\mathbb{F}_2^n} C_F(u)$?

For every $(n,m)$-function $F$, we have $C_F(0) \ge 1 - 2^{-m+1}$, while for all $u \ne 0$, $C_F(u)$ is near 0. We would then have, in general, $\max_{u\in\mathbb{F}_2^n} C_F(u) = C_F(0)$, whereas $C_F(0)$ only quantifies the balancedness of the function, not its nonlinearity.

Bounds on $UN_F$: if $F$ is balanced, we have $UN_F \le NL_F \le 2^{n-1} - 2^{n/2-1}$.
Moreover, if $m < n$, then

$$UN_F \le 2^{n-1} - \frac{1}{2}A_{n,m},$$

where $A_{n,m}$ is an explicit expression in $n$ and $m$ involving the quantities $\frac{2^{2m}-2^m}{2^n-1}$ and $\frac{2^{2n}-2^{2n-m}}{2^n-1}$. This bound is better than $2^{n-1} - 2^{n/2-1}$ if $m \ge n/2$.
For the balanced function

$$F(x,y) = \begin{cases} x/y & \text{if } y \ne 0 \\ x & \text{if } y = 0 \end{cases}$$

(with $x, y$ ranging over $\mathbb{F}_{2^{n/2}}$, $n$ even, so that $F$ is an $(n, n/2)$-function), we have $UN_F = NL_F = 2^{n-1} - 2^{n/2}$.
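As an added worked example (ours, not code from the slides): the script below computes $C_F(u)$ by brute force over all 14 non-constant Boolean functions $g$ on $\mathbb{F}_2^2$, then $UN_F$, $NL_F$ and the resiliency order via criterion (3), for the slide's $F(x,y) = x/y$ taken over $\mathbb{F}_4$ ($n = 4$, $m = 2$) and for a linear 1-resilient $(4,2)$-function. The field encoding, the bit layout of the input word, all function names and the linear example are our assumptions.

```python
# Added example, not from Carlet's slides: brute-force computation of the unrestricted
# correlation coefficients C_F(u), the unrestricted nonlinearity UN_F, the ordinary
# nonlinearity NL_F and the resiliency order, from the definitions above.
# Assumptions (ours): n = 4, m = 2; GF(4) = {0, 1, a, a^2} with a^2 = a + 1 encoded as
# the integers 0..3; the slide's F(x, y) = x/y (y != 0), x (y = 0) is taken with
# x, y in GF(4), giving a balanced (4, 2)-function whose input word is x | (y << 2).
from itertools import product

N, M = 4, 2
NX, MX = 1 << N, 1 << M          # 16 inputs, 4 output values

def parity(v):
    """The dot product u.x over F_2 is the parity of u & x."""
    return bin(v).count("1") & 1

# GF(4) through log/antilog tables: a = 2 generates the multiplicative group of order 3.
_EXP, _LOG = [1, 2, 3], {1: 0, 2: 1, 3: 2}

def gf4_div(x, y):
    """x / y in GF(4) for y != 0."""
    return 0 if x == 0 else _EXP[(_LOG[x] - _LOG[y]) % 3]

def slide_example():
    """Truth table of F(x, y) = x / y if y != 0 else x, indexed by x | (y << 2)."""
    return [gf4_div(x, y) if y else x for y in range(4) for x in range(4)]

def nonconstant_g():
    """B_m^*: all non-constant Boolean functions on F_2^m, as truth tables."""
    return [g for g in product((0, 1), repeat=MX) if 0 < sum(g) < MX]

def correlation(F, g, u):
    """2^-n |sum_x (-1)^(g(F(x)) + u.x)| for a Boolean function g on F_2^m."""
    return abs(sum(1 - 2 * (g[F[x]] ^ parity(u & x)) for x in range(NX))) / NX

def C_F(F, u):
    """Unrestricted correlation coefficient: maximum over all g in B_m^*."""
    return max(correlation(F, g, u) for g in nonconstant_g())

def c_F(F, u):
    """Ordinary coefficient: maximum over the linear g(y) = v.y with v != 0 only."""
    return max(correlation(F, [parity(v & y) for y in range(MX)], u) for v in range(1, MX))

def nonlinearity(F):
    """NL_F = 2^(n-1) - 2^(n-1) max_u c_F(u)."""
    return 2 ** (N - 1) - 2 ** (N - 1) * max(c_F(F, u) for u in range(NX))

def unrestricted_nonlinearity(F):
    """UN_F = 2^(n-1) - 2^(n-1) max_{u != 0} C_F(u); u = 0 is excluded on purpose."""
    return 2 ** (N - 1) - 2 ** (N - 1) * max(C_F(F, u) for u in range(1, NX))

def is_balanced(F):
    return all(F.count(v) == NX // MX for v in range(MX))

def resiliency_order(F):
    """Largest t with C_F(u) = 0 for all 1 <= w_H(u) <= t (criterion (3) above);
    -1 if F is not balanced, since resilient means balanced and correlation-immune."""
    if not is_balanced(F):
        return -1
    t = 0
    while t < N and all(C_F(F, u) == 0 for u in range(1, NX) if bin(u).count("1") == t + 1):
        t += 1
    return t

# A linear (4, 2)-function with components x0+x1+x2 and x1+x2+x3: balanced and 1-resilient,
# but UN_F = 0 because each component is itself affine.
LINEAR_1_RESILIENT = [parity(0b0111 & x) | (parity(0b1110 & x) << 1) for x in range(NX)]

if __name__ == "__main__":
    F = slide_example()
    print("balanced:", is_balanced(F), " C_F(0) =", C_F(F, 0), ">= 1 - 2^(1-m) =", 1 - 2 ** (1 - M))
    print("UN_F =", unrestricted_nonlinearity(F), " NL_F =", nonlinearity(F),
          " 2^(n-1) - 2^(n/2) =", 2 ** (N - 1) - 2 ** (N // 2))
    print("resiliency order: slide example", resiliency_order(F),
          ", linear example", resiliency_order(LINEAR_1_RESILIENT))
```

On the slide's function the brute force returns $UN_F = NL_F = 4 = 2^{n-1} - 2^{n/2}$ and $C_F(0) = 1/2 = 1 - 2^{-m+1}$, exactly the threshold from the remark above (the indicator of a single output value is the $g$ that attains it); the linear function is 1-resilient but has $UN_F = 0$, which is why resiliency and high unrestricted nonlinearity have to be sought together, as the open problem below asks.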
Open problem: find resilient functions with high unrestricted nonlinearity.

Other open problem: find such functions which would also resist algebraic attacks.