
On the construction of balanced Boolean
functions with a good algebraic immunity
Claude Carlet (University of Paris 8-MAATICAH and INRIA)
Philippe Gaborit (LACO, Université de Limoges)
Outline
- Algebraic attacks
- Algebraic immunity
- Algebraic immunity of random balanced Boolean functions
- Algebraic immunity and Maiorana-McFarland construction
- Examples of balanced Boolean functions with a good algebraic immunity
Algebraic attacks
Principle:
- find equations with the key bits as unknowns;
- solve the system of these equations.
Example: suppose an LFSR-based stream cipher has initial state $(s_0, s_1, \dots, s_{k-1})$ and its output (the keystream) is given by
$b_0 = f(s_0, s_1, \dots, s_{k-1})$,
$b_1 = f(L(s_0, s_1, \dots, s_{k-1}))$,
$b_2 = f(L^2(s_0, s_1, \dots, s_{k-1}))$,
...
where $L$ denotes the linear update function of the register and $f$ is a nonlinear (filtering) function.
The problem is to recover $(s_0, s_1, \dots, s_{k-1})$ from the $b_i$'s.
Problems:
- non-linear equations (of high degree);
- many unknowns.
If $f$ has algebraic degree $d_f$ then, for any $t$, $f(L^t(s_0, s_1, \dots, s_{k-1}))$ can be expressed as a Boolean polynomial of degree at most $d_f$ in the $s_i$'s (write $n = k$ for the number of state bits). There are roughly $\binom{n}{d_f}$ possible monomials.

Therefore, taking all the different monomials as new unknowns (linearization), if roughly $\binom{n}{d_f}$ output bits $b_i$ are known, one can recover the $s_i$'s by solving a linear system with $\binom{n}{d_f}$ variables.
This operation has complexity roughly $\binom{n}{d_f}^3$ (Gaussian elimination).
Note that the system can also be solved by other methods like Gröbner bases, but then the complexity is more difficult to evaluate.
Courtois-Meier and Meier-Pasalic-Carlet showed that if one can find $g$ of low degree $d$ such that $g * f = 0$ or $g * (1 + f) = 0$, then the number of unknowns to consider decreases to roughly $\binom{n}{d}$: multiplying each keystream equation $b_t = f(L^t(s))$ by $g(L^t(s))$ gives an equation of degree $d$ in the $s_i$'s.
In particular this attack is efficient on Boolean functions $f$ with many variables but admitting a function $g$ of low degree such that $f * g = 0$, as for Toyocrypt or LILI-128.
This attack gives rise to the notion of algebraic immunity.
Algebraic immunity
Let $f$ be a Boolean function in $n$ variables. The algebraic immunity $AI(f)$ of $f$ is defined as the lowest degree of any non-null function $g$ such that $f * g = 0$ or $(1 + f) * g = 0$ (such a $g$ is called an annihilator of $f$, resp. of $1 + f$).
It is proven that for $f$ a function in $n$ variables:
$AI(f) \le \lceil n/2 \rceil$.
Algebraic immunity is a new criterion for the study of Boolean functions. One wants to construct functions with the highest possible AI.
This new criterion also has to be studied in conjunction with the other usual criteria, like the nonlinearity and the order of resiliency.
In the following we study this new criterion in itself, then together with the nonlinearity, and finally together with both the nonlinearity and the order of resiliency.
Algebraic immunity of random balanced Boolean functions
Meier, Pasalic and Carlet proved that the AI of a random balanced Boolean function in $n$ variables is almost always at least $0.22\,n$; they also give a heuristic bound of $0.27\,n$.
We now adopt a coding point of view for the AI.
Denote by $G_d$ the generator matrix of the Reed-Muller code $R(d, n)$ (rows indexed by the monomials of degree at most $d$, columns by the points of $F_2^n$).
Consider $G^f_d$, the punctured matrix of $G_d$ obtained by keeping only the columns corresponding to the support of $f$.
$\exists\, g \in R(d, n),\ g \ne 0,\ f * g = 0$ is equivalent to: $\exists\, c \ne 0 \mid c \times G^f_d = 0$ (the vector $c$ lists the ANF coefficients of $g$, and $c \times G^f_d$ is the restriction of $g$ to the support of $f$).
Lemma 1. A Boolean function $f$ has no non-null annihilator of degree up to $d$ if and only if the punctured matrix $G^f_d$, with $w_H(f)$ columns and $k$ rows where $k = \sum_{i=0}^{d} \binom{n}{i}$ (the dimension of the code $R(d, n)$), has full rank $k$.
Estimation of the behaviour, in terms of rank, of $G^f_d$
For large $k$, a random binary $k \times (k + e)$ matrix has rank $k$ with probability roughly $1 - s\,2^{-e}$, for $s$ a constant.
Adding a new column divides the probability that the matrix does not have full rank by 2.
Idea: check the behaviour of $k \times (k + e)$ submatrices of $G^f_d$.
R(d,n)   e=0    e=7        e=8        e=10       e=11
(3,8)    0.78   0.04       0.028      1.5 10^-2  1.1 10^-2
(3,9)    0.72   1.1 10^-2  6.8 10^-3  2.5 10^-3  1.9 10^-3
(3,10)   0.71   7.7 10^-3  3.8 10^-3  9.3 10^-4  4.8 10^-4
(4,10)   0.71   8.0 10^-3  3.9 10^-3  9.1 10^-4  5.6 10^-4
(4,11)   0.71   7.7 10^-3  3.5 10^-3  9.1 10^-4  5.5 10^-4
(3,12)   0.71   7.2 10^-3  3.4 10^-3  8.0 10^-4  3.0 10^-4
(5,12)   0.72   7.6 10^-3  3.9 10^-3  9.0 10^-4  4.0 10^-4
(3,13)   0.72   6.8 10^-3  3.4 10^-3  8.9 10^-4  4.6 10^-4
(5,13)   0.71   7.2 10^-3  3.3 10^-3  8.9 10^-4  4.8 10^-4
Tab. 1: Probability that a k × (k + e) random extracted matrix from the Reed-Muller code R(d, n) (of dimension k) does not have full rank k
Simulations seem to indicate that submatrices of $G^f_d$ behave like random matrices (in terms of rank): adding a new column divides the probability that the rank does not equal $k$ by 2.
Our simulations seem to indicate that the probability that a random balanced Boolean function $f$ (or its complement $1 + f$) has an annihilator of degree $m - 1$ is $s\,2^{-e}$, where
$e = 2^{n-1} - \sum_{i=0}^{m-1} \binom{n}{i}$
is the number of columns of $G^f_{m-1}$ in excess of its number of rows; for even $n = 2m$ this gives $e = \binom{n-1}{m} = \frac{1}{2}\binom{n}{m}$, while for odd $n = 2m - 1$ it gives $e = 0$.
Conclusion: our heuristic indicates that:
- for even n, AI is almost always equal to n/2;
- for odd n, AI is almost always greater than or equal to (n − 1)/2.
Algebraic immunity and Maiorana-McFarland construction
Let $m$ and $n = r + s$ be such that $r > m \ge 0$, $s > 0$. Let $g : F_2^s \to F_2$ and $\phi : F_2^s \to F_2^r$ be such that $\forall y \in F_2^s$, $w_H(\phi(y)) > m$. Then the function
$f(x, y) = x \cdot \phi(y) + g(y), \quad x \in F_2^r,\ y \in F_2^s$   (1)
(where "$\cdot$" denotes here the usual dot product in $F_2^r$) is $m$-resilient.
The degree of $f$ is upper bounded by $s + 1$.
Definition 2. Let $s$ and $r$ be two positive integers and $\phi$ a mapping from $F_2^s$ to $F_2^r$. We say that $\phi$ is an ultimate nonlinear mapping if, for every affine subspace $A$ of $F_2^s$ whose dimension is strictly positive, the sum $\sum_{y \in A} \phi(y)$ is non-null.
Properties:
- dimension 1 → injectivity;
- dimension 2 → almost perfect nonlinearity; etc.
Proposition 3. Let $f$ be a Maiorana-McFarland function (1). If $\phi$ is not ultimate nonlinear, then $f$ has algebraic immunity at most $s$.
Proof: Let $A$ be a $d$-dimensional affine subspace of $F_2^s$ ($d > 0$) such that $\sum_{y \in A} \phi(y) = 0$.
The function $h = f * 1_{F_2^r \times A}$ has degree at most $s$: each coordinate function $\phi_i * 1_A$ sums to 0 over $F_2^s$, hence has degree at most $s - 1$, so every term $x_i\,\phi_i(y)\,1_A(y)$ has degree at most $s$, and $g(y)\,1_A(y)$ has degree at most $s$ as well.
$h$ is clearly an annihilator of $f + 1$ (since $f * (f + 1) = 0$), and it is non-null because $\phi(y) \ne 0$ for $y \in A$, so $f$ is not identically zero on $F_2^r \times A$.
Remark: Ultimate nonlinear mappings do exist when $r$ is sufficiently larger than $s$:
1. Let $r = 2^s$; write $F_2^s = \{a_1, \dots, a_r\}$ and, for $i = 1, \dots, r$, let the $i$-th coordinate function of $\phi$ be $\phi_i = 1_{\{a_i\}}$. Then, for every flat $A$ and every index $i$, we have $\sum_{y \in A} \phi_i(y) \ne 0$ if and only if $a_i \in A$; since every flat contains some $a_i$, $\phi$ is ultimate nonlinear.
2. The constraint on $\phi$ given by $\sum_{x \in A} \phi(x) = 0$ is $F_2^r$-linear. The space of solutions is a hyperplane of the space of all mappings $\phi : F_2^s \to F_2^r$ (an $F_2$-subspace of codimension $r$, since $\phi \mapsto \sum_{x \in A} \phi(x)$ is onto $F_2^r$).
Hence, there are $(2^r)^{2^s - 1}$ solutions for each flat $A$. If $(2^r)^{2^s - 1}$ times the number
$N_s = \sum_{d=1}^{s} 2^{s-d}\,\frac{(2^s - 1)(2^s - 2)\cdots(2^s - 2^{d-1})}{(2^d - 1)(2^d - 2)\cdots(2^d - 2^{d-1})}$
of flats $A$ (of dimension $d \ge 1$) is smaller than $2^{r 2^s}$, that is, if $N_s < 2^r$, there exist mappings $\phi$ such that $\sum_{x \in A} \phi(x) \ne 0$ for every flat $A$ of $F_2^s$.
We have
$\frac{(2^s - 1)\cdots(2^s - 2^{d-1})}{(2^d - 1)\cdots(2^d - 2^{d-1})} \sim C \times 2^{d(s-d)}$, where $C \approx 4$.
Hence, $2^{s-d}\,\frac{(2^s - 1)\cdots(2^s - 2^{d-1})}{(2^d - 1)\cdots(2^d - 2^{d-1})} \sim C\,2^{(d+1)(s-d)}$, and the sum $N_s$ is dominated by its largest term ($d = s/2$ or $s/2 - 1$ when $s$ is even, $d = (s-1)/2$ when $s$ is odd), so that
$N_s \sim C\,2^{\frac{s}{2}(\frac{s}{2} + 1)}$ if $s$ is even, and $N_s \sim C\,2^{(s+1)^2/4}$ if $s$ is odd.
Hence, the order of magnitude of $r$ for which this counting argument guarantees that ultimate nonlinear mappings $\phi : F_2^s \to F_2^r$ exist is $r \ge (s+1)^2/4$ (that is, $r$ quadratic in $s$).
Examples of balanced Boolean functions with a good algebraic immunity
Balanced Boolean functions with a good algebraic immunity and a good nonlinearity
A natural family to consider is the family of power functions $x^d$ (viewed as Boolean functions $Tr(x^d)$ on $F_{2^n}$, whose algebraic degree is the Hamming weight of $d$).
One considers them directly when they are balanced, or makes them balanced by modifying a small number of bits (construction marked * in the table).
n    d                  weight   degree   nonlinearity   alg. immunity
8    31                 128      5        112            4
8    39 (Kasami)        128*     6        114            4
9    57 (Kasami)        256      4        224            4
9    59                 256      5        240            5
9    115                256      5        240            5
10   241 (Kasami)       512      5        480            5
10   362                512      5        480            5
10   31 (Dillon)        512*     9        486            5
10   339 (Dobbertin)    512*     9        480            5
11   315                1024     6        992            6
12   993 (Kasami)       2048*    11       2000           6
12   63 (Dillon)        2048*    11       2000           6
12   636                2048*    11       2000           6
13   993 (Kasami)       4096     6        4032           6
13   939                4096*    12       4030           7
14   4033 (Kasami)      8192     7        8064           7
14   127 (Dillon)       8192*    13       8088           7
Tab. 2: Computation of the nonlinearity, algebraic degree and algebraic immunity for certain power functions x^d (* = made balanced by modifying a small number of bits)
We are also interested in the particular family of inverse functions ($d = -1$, i.e. $d = 2^n - 2$).
These functions do not seem to be optimal for n ≥ 11 (in the table below their AI stays below ⌈n/2⌉ for n = 11, 12, 13, 14; it is also 4 < 5 for n = 9).
n    d    weight   degree   nonlinearity   alg. immunity
6    -1   32       5        24             3
7    -1   64       6        54             4
8    -1   128      7        112            4
9    -1   256      8        234            4
10   -1   512      9        480            5
11   -1   1024     10       980            5
12   -1   2048     11       1984           5
13   -1   4096     12       4006           6
14   -1   8192     13       8064           6
Tab. 3: Computation of the nonlinearity and algebraic immunity for the inverse function for 6 ≤ n ≤ 14
The previous results show that for every 8 ≤ n ≤ 14 of Table 2 it is possible to construct functions with an optimal AI (equal to ⌈n/2⌉) and an almost optimal nonlinearity.
This also shows that it is possible to find (at least for n ≤ 14) Boolean functions suitable for cryptographic purposes as filtering functions, since in that case the two main criteria are the nonlinearity and the AI.
Balanced Boolean functions with a good algebraic immunity, a good order of resiliency and a good nonlinearity
We checked the AI of the classical constructions by Camion et al. '91 and Carlet and Prouff '03,
and also of constructions of the form (Carlet):
$f(x, y) = [x \cdot \phi_1(y)][x \cdot \phi_2(y)] + [x \cdot \phi_1(y)][x \cdot \phi_3(y)] + [x \cdot \phi_2(y)][x \cdot \phi_3(y)]$
(the majority of the three Maiorana-McFarland components $x \cdot \phi_i(y)$).
n    r   s   d   Const.   w   m   nl            ai
8    4   4   5   b        2   2   112           3
9    5   4   5   b        3   3   224           3
9    5   4   5   a        3   2   240           4
10   5   5   6   b        3   3   480           4
10   6   4   5   a        4   3   480           4
11   6   5   6   b        4   4   960           4
11   6   5   6   a        3   2   992           5
12   6   6   7   b        4   4   2^11 − 2^6    5
12   7   5   6   a        4   3   2^11 − 2^6    5
13   7   6   7   a        4   3   2^11 − 2^6    5
13   7   6   7   b        4   4   2^12 − 2^7    5
13   8   5   6   a        5   4   2^12 − 2^7    5
14   7   7   8   b        4   4   2^13 − 2^7    5
14   8   6   7   b        6   6   2^13 − 2^8    5
14   8   6   7   a        5   4   2^13 − 2^7    5
14   8   6   7   a        5   4   2^13 − 2^7    5
14   9   5   6   a        7   6   2^13 − 2^8    5
Tab. 4: Computation of some characteristics for Boolean functions built by the Maiorana-McFarland construction (n = r + s; d = algebraic degree; m = order of resiliency; nl = nonlinearity; ai = algebraic immunity)
A recent construction of Boolean functions with optimal algebraic immunity (Dalai-Gupta-Sarkar)
$\phi_{2k+2} = \phi_{2k} \,\|\, \phi_{2k} \,\|\, \phi_{2k} \,\|\, \phi^1_{2k}$,
where $\|$ denotes the concatenation of truth tables (the two new variables $x_{2k+1}, x_{2k+2}$ select the block), i.e.
$\phi_{2k+2} = \phi_{2k} + x_{2k+1} x_{2k+2}\,(\phi_{2k} + \phi^1_{2k})$,
and where $\phi^1_{2k}$ is defined by
$\phi^i_{2j} = \phi^{i-1}_{2j-2} \,\|\, \phi^i_{2j-2} \,\|\, \phi^i_{2j-2} \,\|\, \phi^{i+1}_{2j-2}$,
i.e.
$\phi^i_{2j} = \phi^{i-1}_{2j-2} + (x_{2j-1} + x_{2j})(\phi^{i-1}_{2j-2} + \phi^i_{2j-2}) + x_{2j-1} x_{2j}\,(\phi^{i-1}_{2j-2} + \phi^{i+1}_{2j-2})$
for $j > 0$, $i > 0$,
with base step $\phi^0_j = \phi_j$ for $j > 0$, $\phi^i_0 = i \bmod 2$ for $i \ge 0$.
This function has degree at least $2k - 3$ and can be obtained from symmetric functions with an efficient transformation (C.C.).
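As an added example (Python, written for this page; it is neither the slides' nor the authors' code), the script below serves two passages: Lemma 1 of the "coding point of view" slide, implemented literally as Gaussian elimination over $F_2$ on the punctured Reed-Muller matrix $G^f_d$ for $f$ and for $1 + f$, with $d$ increased until a left-kernel vector $c$ appears (its nonzero coordinates are the ANF of an annihilator), and the Dalai-Gupta-Sarkar recursion just above, coded as truth-table concatenation so that the resulting $\phi_{2k}$ can be fed to the AI calculator. The majority function on 3 variables is a constructed test input; the variable encoding ($x_1$ is the least significant bit of the truth-table index, the two new variables of each concatenation step are the most significant bits) is an implementation choice that does not affect the AI.

```python
from functools import lru_cache


def weight(m):
    """Hamming weight of an integer (degree of the monomial with variable mask m)."""
    return bin(m).count("1")


def annihilator(truth, d):
    """Lemma 1 as an algorithm.  truth[x] is f(x) for x in 0 .. 2^n - 1 (bit i-1 of
    x is the value of x_i).  Each monomial of degree <= d gives a row of the
    punctured matrix G^f_d (its values on the support of f); rows are reduced over
    F_2 while the combination of monomials they came from is tracked.  The first
    row that reduces to zero gives a non-null g of degree <= d with f * g = 0.
    Returns g as a list of monomial masks (its ANF), or None if G^f_d has full rank."""
    support = [x for x in range(len(truth)) if truth[x]]
    monomials = [m for m in range(len(truth)) if weight(m) <= d]
    basis = {}                                    # leading bit -> (row, combination)
    for idx, m in enumerate(monomials):
        row = 0
        for col, x in enumerate(support):
            if m & x == m:                        # monomial m evaluates to 1 at x
                row |= 1 << col
        combo = 1 << idx                          # which monomials make up `row`
        while row:
            lead = row.bit_length() - 1
            if lead not in basis:
                basis[lead] = (row, combo)
                break
            brow, bcombo = basis[lead]
            row ^= brow
            combo ^= bcombo
        if row == 0:                              # dependency found: c * G^f_d = 0
            return [monomials[i] for i in range(len(monomials)) if combo >> i & 1]
    return None


def algebraic_immunity(truth):
    """AI(f): the smallest d at which f or 1 + f has a non-null annihilator of
    degree d (the bound AI(f) <= ceil(n/2) guarantees the loop stops).
    Returns (d, annihilator ANF, True if it annihilates f and False if 1 + f)."""
    complement = [1 - v for v in truth]
    n = len(truth).bit_length() - 1
    for d in range(n + 1):
        for tt, of_f in ((truth, True), (complement, False)):
            g = annihilator(tt, d)
            if g is not None:
                return d, g, of_f
    raise AssertionError("unreachable: every function has an annihilator of degree <= n")


def anf_to_str(monomials):
    return " + ".join("".join(f"x{i + 1}" for i in range(16) if m >> i & 1) or "1"
                      for m in monomials)


@lru_cache(maxsize=None)
def dgs(i, n):
    """Truth table (tuple) of phi^i_n from the Dalai-Gupta-Sarkar recursion of the
    slides, for even n; phi_n itself is dgs(0, n).  The concatenation a||b||b||c is
    the tuple a + b + b + c: the two new variables are the most significant bits."""
    if n == 0:
        return (i % 2,)                           # base step phi^i_0 = i mod 2
    if i == 0:                                    # phi_{2k+2} = phi_2k||phi_2k||phi_2k||phi^1_2k
        a = b = dgs(0, n - 2)
        c = dgs(1, n - 2)
    else:                                         # phi^i_2j = phi^{i-1}||phi^i||phi^i||phi^{i+1}
        a, b, c = dgs(i - 1, n - 2), dgs(i, n - 2), dgs(i + 1, n - 2)
    return a + b + b + c


# constructed test input: the majority function on 3 variables (balanced, AI = 2)
MAJ3 = [1 if weight(x) >= 2 else 0 for x in range(8)]

if __name__ == "__main__":
    for name, tt in (("maj3", MAJ3), ("phi_4", list(dgs(0, 4))), ("phi_6", list(dgs(0, 6)))):
        d, g, of_f = algebraic_immunity(tt)
        print(f"{name}: n = {len(tt).bit_length() - 1}, weight {sum(tt)}, AI = {d}, "
              f"annihilator of {'f' if of_f else '1+f'}: {anf_to_str(g)}")
```

The elimination keeps each reduced row as a Python integer of $w_H(f)$ bits, so the cost is that of the $k \times w_H(f)$ rank computation of Lemma 1 and small $n$ (up to about 16) is handled in seconds; the returned ANF can be checked by hand, e.g. for the linear function $x_1 + x_2 + x_3$ the annihilator found at $d = 1$ is $1 + x_1 + x_2 + x_3 = 1 + f$. With the recursion as written on the slides, $\phi_2 = x_1 x_2$ and $\phi_4 = x_1 x_2 + x_3 x_4 (x_1 x_2 + x_1 + x_2)$, a 4-variable function of weight 5 whose AI the script reports as $2 = n/2$.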