Vectorial Boolean functions for symmetric cryptography I
Claude Carlet (University of Paris 8-MAATICAH and INRIA)
Outline
• Generalities
• Vectorial Boolean functions for S-boxes in block ciphers
- The corresponding notion of nonlinearity.
- Sidelnikov-Chabaud-Vaudenay's bound, AB and APN functions.
- Known AB and APN functions.
Generalities
$F(x) = (f_1(x), \dots, f_m(x)) : \mathbb{F}_2^n \to \mathbb{F}_2^m$.
$F$ is called an $(n, m)$-function or a vectorial function.
If $m = 1$ then $F$ is simply called an $n$-variable Boolean function.
Algebraic normal form:
$$F(x_1, \dots, x_n) = \sum_{I \subseteq \{1, \dots, n\}} a_I \prod_{i \in I} x_i \, ; \quad a_I \in \mathbb{F}_2^m.$$
Degree: maximal degree of the $f_j$'s, $j = 1, \dots, m$.
In cryptography, the minimal degree of all the non-zero linear combinations of the $f_j$'s also plays an important role.
An $(n, m)$-function $F$ is balanced if its output is uniformly distributed in $\mathbb{F}_2^m$ (this is possible only if $m \le n$).
NSC (necessary and sufficient condition) for balancedness: the non-zero linear combinations $v \cdot F$, $v \neq 0$, of the $f_j$'s are balanced. Indeed:
$$|F^{-1}(b)| = 2^{-m} \sum_{v \in \mathbb{F}_2^m,\, x \in \mathbb{F}_2^n} (-1)^{v \cdot (F(x) + b)} = 2^{-m} \sum_{v \in \mathbb{F}_2^m} (-1)^{v \cdot b} \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x)}$$
is the Fourier transform of the function $v \mapsto \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x)}$.
Vectorial Boolean functions for S-boxes in block ciphers
The nonlinearity of an $(n, m)$-function $F$ quantifies its resistance to the linear attack (Matsui, Eurocrypt'93):
$$NL_F = \min_{v \in \mathbb{F}_2^{m*}} \;\min_{\ell \in RM(1,n)} d_H(v \cdot F, \ell) = 2^{n-1} - \frac{1}{2} \max_{v \in \mathbb{F}_2^{m*},\, u \in \mathbb{F}_2^n} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big| = 2^{n-1} - 2^{n-1} \max_{u \in \mathbb{F}_2^n} c_F(u),$$
where $c_F(u) = \frac{1}{2^n} \max_{\ell \in R(1,m),\, \ell \neq \text{const}} \sum_{x \in \mathbb{F}_2^n} (-1)^{\ell \circ F(x) + u \cdot x}$ is the correlation coefficient of $F$ with respect to the linear function $x \mapsto u \cdot x$.
The nonlinearity is left and right affine invariant.
Bounds on $NL_F$:
Thanks to Parseval's relation: $NL_F \le 2^{n-1} - 2^{n/2-1}$.
For every even $n$ and every $m \le n/2$, there exists $F$ such that $NL_F = 2^{n-1} - 2^{n/2-1}$ ($F$ is called bent).
A vectorial function is bent iff all of its derivatives $D_a F(x) = F(x) + F(x+a)$, where $a \in \mathbb{F}_2^{n*}$, are balanced, or equivalently, iff $v \cdot F$ is (Boolean) bent for every $v \neq 0$.
Examples
• Nyberg: $m = n/2$, $\mathbb{F}_2^m \simeq \mathbb{F}_{2^m}$, $\mathbb{F}_2^n \simeq (\mathbb{F}_{2^m})^2$, $\pi : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ a permutation, $g : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, and $F(x, y) = x \times \pi(y) + g(y)$. If $m < n/2$, compose with any linear mapping from $\mathbb{F}_2^{n/2}$ onto $\mathbb{F}_2^m$.
• $F(x, y) = G\!\left(\frac{x}{y}\right)$ (with $\frac{x}{y} = 0$ if $y = 0$), where $G$ is a balanced $(\frac{n}{2}, m)$-function.
 - Example of modification into a balanced function: $F(x, y) = \frac{x}{y}$ if $y \neq 0$, and $F(x, y) = x$ if $y = 0$. We have $NL_F = 2^{n-1} - 2^m$.
Sidelnikov-Chabaud-Vaudenay's bound:
$$NL_F \le 2^{n-1} - \frac{1}{2} \sqrt{3 \times 2^n - 2 - 2\,\frac{(2^n - 1)(2^{n-1} - 1)}{2^m - 1}}.$$
Principle of the proof:
$$\max_{v \in \mathbb{F}_2^{m*},\, u \in \mathbb{F}_2^n} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big)^2 \;\ge\; \frac{\displaystyle\sum_{v \in \mathbb{F}_2^{m*},\, u \in \mathbb{F}_2^n} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big)^4}{\displaystyle\sum_{v \in \mathbb{F}_2^{m*},\, u \in \mathbb{F}_2^n} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big)^2}$$
$$\sum_{u \in \mathbb{F}_2^n} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big)^2 = 2^{2n}; \quad \forall v \in \mathbb{F}_2^m$$
and
$$\sum_{v \in \mathbb{F}_2^m,\, u \in \mathbb{F}_2^n} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \Big)^4 = \sum_{x, y, z, t \in \mathbb{F}_2^n} \;\sum_{v \in \mathbb{F}_2^m} (-1)^{v \cdot (F(x) + F(y) + F(z) + F(t))} \sum_{u \in \mathbb{F}_2^n} (-1)^{u \cdot (x + y + z + t)}$$
$$= 2^{n+m} \,|\{(x, y, z) \,/\, F(x) + F(y) + F(z) + F(x+y+z) = 0\}|$$
$$\ge 2^{n+m} \,|\{(x, y, z) \,/\, x = y \text{ or } x = z \text{ or } y = z\}|$$
$$= 2^{2n+m} (3 \times 2^n - 2).$$
Sidelnikov-Chabaud-Vaudenay's bound improves upon the universal bound $NL_F \le 2^{n-1} - 2^{n/2-1}$ for $m \ge n$ only.
It is tight for $n = m$ odd only. The functions achieving it (i.e. such that $NL_F = 2^{n-1} - 2^{\frac{n-1}{2}}$) are called Almost Bent (AB).
Every AB function is Almost Perfect Nonlinear (APN):
$$\big(F(x) + F(y) + F(z) + F(x+y+z) = 0\big) \;\Leftrightarrow\; \big(x = y \text{ or } x = z \text{ or } y = z\big),$$
that is:
for every $a \in \mathbb{F}_2^{n*}$ and every $b \in \mathbb{F}_2^m$, the equation $F(x) + F(x+a) = b$ has at most 2 solutions ($n \le m + 1$).
$F$ is AB iff it is APN and, for every $v \neq 0$, $v \cdot F$ is plateaued (i.e. $\sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) + u \cdot x} \in \{0, \pm\lambda\}$, $\forall u$).
Open problem: characterize all vectorial plateaued functions.
A characterization of AB and APN functions:
Let $F$ be any $(n, n)$-function. For every $a, b \in \mathbb{F}_2^n$, let $\gamma_F(a, b)$ equal 1 if $a \neq 0$ and if the equation $F(x) + F(x+a) = b$ admits at least one solution. Otherwise, let $\gamma_F(a, b)$ be null. Then, $F$ is APN if and only if $\gamma_F$ has weight $2^{2n-1} - 2^{n-1}$, and it is AB if and only if $\gamma_F$ is bent.
Stability of the notions:
Let $F$ be an APN (resp. AB) function on $\mathbb{F}_2^n$ and $L_1, L_2$ be two linear functions from $\mathbb{F}_2^{2n}$ to $\mathbb{F}_2^n$. Assume that $L = (L_1, L_2)$ is a permutation on $\mathbb{F}_2^{2n}$ and that the function $F_2(x) = L_2(F(x), x)$ is a permutation on $\mathbb{F}_2^n$. Then, denoting $F_1(x) = L_1(F(x), x)$, the function $F' = F_1 \circ F_2^{-1}$ is APN (resp. AB).
Proof. The value $\gamma_{F_1 \circ F_2^{-1}}(a, b)$ equals 1 if and only if $a \neq 0$ and if there exists $(x, y)$ in $\mathbb{F}_2^n \times \mathbb{F}_2^n$ such that $F_2(x) + F_2(y) = a$ and $F_1(x) + F_1(y) = b$. Thus, $\gamma_{F_1 \circ F_2^{-1}}$ is equal to $\gamma_F \circ L^{-1}$. The function $\gamma_{F_1 \circ F_2^{-1}}$ is therefore bent if and only if $\gamma_F$ is bent.
Examples:
- if $(L_1, L_2)(b, a) = (a, b)$, then $F_1 \circ F_2^{-1}$ is equal to $F^{-1}$;
- if $L_1(b, a)$ and $L_2(b, a)$ depend only on $b$ and $a$, respectively, this corresponds to the right and left compositions of $F$ by linear permutations;
- if $L_1(b, a) = b + L(a)$ and $L_2(b, a) = a$ where $L$ is any linear function from $\mathbb{F}_2^n$ to itself, then we obtain $F(x) + L(x)$.
Remark:
Assume there exists $\psi : \mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2$, of low degree, such that:
$$\psi(F(x), x) = 0, \quad \forall x \in \mathbb{F}_2^n.$$
$\psi$ could then be used in an algebraic attack (Courtois-Pieprzyk, Asiacrypt 2002).
$\psi \circ L^{-1}$ has the same degree as $\psi$, and
$$\psi \circ L^{-1}(F_1(x), F_2(x)) = 0, \quad \forall x \in \mathbb{F}_2^n,$$
implies
$$\psi \circ L^{-1}(F'(y), y) = 0, \quad \forall y \in \mathbb{F}_2^n.$$
Known Classes of AB Functions
$F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, $F(x) = x^d$
(i) $d = 2^k + 1$, $\gcd(m, k) = 1$: Gold functions (Gold, 1968);
(ii) $d = 2^{2k} - 2^k + 1$, $\gcd(m, k) = 1$: Kasami functions (Kasami, 1971);
(iii) $d = 2^k + 3$, $m = 2k + 1$: Welch function (Canteaut, Charpin, Dobbertin, 2000);
(iv) $d = 2^k + 2^{k/2} - 1$ if $k$ is even, $d = 2^k + 2^{(3k+1)/2} - 1$ if $k$ is odd, where $m = 2k + 1$: Niho function (Hollman, Xiang, 2001).
Known Classes of APN Functions
(i) $d = 2^k + 1$, $\gcd(m, k) = 1$: Gold functions (Gold, 1968);
(ii) $d = 2^{2k} - 2^k + 1$, $\gcd(m, k) = 1$: Kasami functions (Kasami, 1971; Janwa, Wilson, 1993);
(iii) $d = 2^k + 3$, $m = 2k + 1$: Welch function (Dobbertin, 1999);
(iv) $d = 2^k + 2^{k/2} - 1$ if $k$ is even, $d = 2^k + 2^{(3k+1)/2} - 1$ if $k$ is odd, where $m = 2k + 1$: Niho function (Dobbertin, 1999);
(v) $d = 2^{2k} - 1$, $m = 2k + 1$: Inverse function (Beth, Ding, 1994);
(vi) $d = 2^{4k} + 2^{3k} + 2^{2k} + 2^k - 1$, $m = 5k$: Dobbertin function (Dobbertin, 2000).
Remark. The APN power functions listed above are not permutations when $n$ is even. Whether there exist APN permutations when $n$ is even is an open question. Nyberg proved that the answer is no for all permutations whose coordinate functions, as well as all of their linear combinations, are partially-bent.
The answer is also no for a class of permutations including power permutations.
Recent APN and AB functions non-equivalent to power functions
Theorem 1. The function $F' : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$,
$$F'(x) = x^{2^i+1} + (x^{2^i} + x)\, tr(x^{2^i+1} + x),$$
where $m > 3$ odd, $1 \le i < \frac{m+1}{2}$, $\gcd(m, i) = 1$, is an AB function, which is affine inequivalent to any power function.
Theorem 2. The function $F' : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$,
$$F'(x) = x^{2^i+1} + (x^{2^i} + x + 1)\, tr(x^{2^i+1}),$$
where $m \ge 4$ even, $1 \le i < \frac{m}{2}$, $\gcd(m, i) = 1$, is an APN function, which is affine inequivalent to any power function.
It was conjectured that any AB function is affine equivalent to a permutation.
The sum $F' + L$ is not a permutation on $\mathbb{F}_{2^5}$ for any linear function $L$.
Thus, $F'$ is affine inequivalent to any permutation.
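As an added example (not code from the slides or their author), the Python below checks the definitions above exhaustively over $\mathbb{F}_{2^5}$, assumed built with the irreducible polynomial $x^5 + x^2 + 1$: it computes $NL_F$ from the Walsh spectrum, the differential uniformity (exactly 2 for an APN function), the AB condition (every Walsh value in $\{0, \pm 2^{(n+1)/2}\}$) and the weight of $\gamma_F$, for the Gold function $x^3$ and for $x^{15} = (x^{-1})^{16}$ (class (v), linearly equivalent to the inverse function). It also goes one step beyond the slides by obtaining Theorem 1's $F'$ (with $i = 1$) from $x^3$ through the stability theorem, taking $L(b, a) = (b + tr(a+b), a + tr(a+b))$, so that $F_2(x) = x + tr(x^3 + x)$ is an involution and $F_1 \circ F_2^{-1}$ equals $x^3 + (x^2 + x)\,tr(x^3 + x)$.

```python
# Added example, not part of the slides: exhaustive checks of the nonlinearity,
# APN and AB definitions over F_{2^5}, assumed built with x^5 + x^2 + 1.
from functools import reduce
N, POLY = 5, 0b100101

def gf_mul(a, b):  # carry-less multiplication in F_{2^N}, reduced modulo POLY
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> N:
            a ^= POLY
    return r

def gf_pow(x, e):  # square-and-multiply in F_{2^N}
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def tr(x):  # absolute trace F_{2^N} -> F_2 = {0, 1}: the sum of the conjugates of x
    return reduce(int.__xor__, (gf_pow(x, 1 << k) for k in range(N)))

def walsh_max(F):
    """Max |sum_x (-1)^(v.F(x)+u.x)| over v != 0, u; and whether all lie in {0, +-2^((N+1)/2)} (AB)."""
    lam, best, ab = 1 << ((N + 1) // 2), 0, True
    for v in range(1, 1 << N):
        for u in range(1 << N):
            s = sum(1 - 2 * (bin((v & F[x]) ^ (u & x)).count("1") & 1) for x in range(1 << N))
            best, ab = max(best, abs(s)), ab and s in (0, lam, -lam)
    return best, ab

def nonlinearity(F):  # NL_F = 2^(N-1) - (1/2) max |Walsh value|, as on the slides
    return (1 << (N - 1)) - walsh_max(F)[0] // 2

def differential_uniformity(F):  # max over a != 0, b of #{x : F(x)+F(x+a) = b}; APN iff 2
    return max(sum(F[x] ^ F[x ^ a] == b for x in range(1 << N))
               for a in range(1, 1 << N) for b in range(1 << N))

def gamma_weight(F):  # weight of gamma_F; equals 2^(2N-1) - 2^(N-1) iff F is APN
    return sum(len({F[x] ^ F[x ^ a] for x in range(1 << N)}) for a in range(1, 1 << N))

GOLD = [gf_pow(x, 3) for x in range(1 << N)]      # d = 2^1 + 1, gcd(5, 1) = 1: AB
INVERSE = [gf_pow(x, 15) for x in range(1 << N)]  # d = 2^(2k) - 1, N = 2k + 1: APN, not AB
H = [tr(g ^ x) for x, g in enumerate(GOLD)]           # h(x) = tr(x^3 + x); L(b, a) = (b + h, a + h), h = tr(a + b)
F2 = [x ^ H[x] for x in range(1 << N)]                # F2(x) = L2(F(x), x), an involution
BCP = [GOLD[F2[y]] ^ H[F2[y]] for y in range(1 << N)]  # F1 o F2^(-1) = x^3 + (x^2 + x) tr(x^3 + x)
```

Each list is the truth table of an $(5, 5)$-function indexed by the integer encoding of $x$, so the same functions can be run on any S-box table of this size.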
Theorem 3. The function $F' : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, $m$ even and divisible by 3,
$$F'(x) = \Big[x + tr_{m/3}\big(x^{2(2^i+1)} + x^{4(2^i+1)}\big) + tr(x)\, tr_{m/3}\big(x^{2^i+1} + x^{2^{2i}(2^i+1)}\big)\Big]^{2^i+1},$$
with $\gcd(m, i) = 1$, $1 \le i < \frac{m}{2}$, is an APN function, which is affine inequivalent to other known APN functions.