On the Cryptographic Use of Boolean
Functions
Claude Carlet (University of Paris 8-MAATICAH and INRIA)
Outline
I Boolean functions
- their use in symmetric cryptography (stream and block ciphers) ;
- their use in coding theory (Reed-Muller codes) ;
- their representation, including the Fourier transform.
I Cryptographic criteria for Boolean functions
- degree, resiliency and nonlinearity ;
- characterization by means of the Fourier transform.
1
Boolean functions
F2 = {0, 1} : the smallest field.
F2n : the F2-vector space of binary vectors (words) of length n,
with bitwise addition.
Bn : the set of Boolean functions f : F2n 7→ F2.
Bn plays an important role in coding (Reed-Muller codes, Kerdock
codes) and a major role in symmetric cryptography (stream and block
ciphers).
2n
The problem with Bn : its size #Bn = 2 .
2
n
#Bn
≈
4
216
6 · 104
5
232
4 · 109
6
264
1019
7
8
2128
1038
2256
1077
Tab. 1: Number of Boolean functions
⇒ Even for small n, functions meeting cryptographic or coding
theoretic constraints cannot be found by direct computer search
→ constructions are necessary.
3
Representation of Boolean functions :
x1 x2 x3
0 0 0
0 0 1
0 1 0
The truth-table : 0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
f (x)
0
1
0
0
0
1
0
1
4
The Algebraic Normal Form A.N.F. (exists and is unique) :
!
M
Y
x = (x1, · · · , xn); f (x) =
aI
xi .
I⊆{1,...,n}
i∈I
Example : f (x1, x2, x3) = (x1⊕1)(x2⊕1)x3⊕x1(x2⊕1)x3⊕x1x2x3 =
x1x2x3 ⊕ x2x3 ⊕ x3.
The degree of the A.N.F. (algebraic degree) is an affine invariant :
d◦(f ◦ L) = d◦f for every affine isomorphism L : F2n 7→ F2n.
Affine functions : degree ≤ 1 :
f (x) = a1 x1 ⊕ · · · ⊕ an xn ⊕ a0 = a · x ⊕ a0; a ∈ F2n; a0 ∈ F2.
5
Cryptography
message
-
Enciphering
d
KE
-
public
channel
Deciphering
message
-
d
KD
6
Boolean functions and cryptography
Boolean functions and Stream ciphers :
Vernam cipher
Key
Plaintext
-
?
⊕
Ciphertext
-
7
It is necessary to produce long keys from shorter ones.
Linear feedback shift registers :
L
L
×c1
×cL−1 ×cL
6
sn
-
sn−1
L
6
···
6
sn−L+1 sn−L
-
8
sn =
L
M
cisn−i.
i=1
The ci’s must be kept secret.
But these LFSRs are cryptographically weak because of BerlekampMassey algorithm :
from 2L consecutive bits can be deduced the values of the ci’s
and the initialization of the sequence.
9
Combining Boolean functions :
LFSR 1
x1
@
@
LFSR 2
x2
@
R
@
-
..
LFSR n
@
@
f
output si
-
xn
The ci’s can be public.
The short secret key : the initializations of the LFSRs.
10
Filtered LFSRs
-
L
L
6
6
si+L−1
···
xi
x1
?
L
6
si+1 si
?
xn
?
g(x1, x2, · · · , xn)
output zi
?
11
Boolean functions and block ciphers
Plaintext : x1
xn
···
?
?
Key
E
-
···
?
Ciphertext : f1
?
fm
12
Coding :
message
-
Encoding
-
noisy
channel
Decoding
-
corrected
message
To be able to correct errors in the transmission (or the storage) of
the message : send (or store) only words a = (a1, . . . , aN ) belonging
to a set (a code) with high mutual distances d(a, b) = #{i; ai 6= bi}.
13
Boolean functions and coding :
x1 x2 x3
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
f (x)
0
1
0
0
0
1
0
1
corresponds to the word 01000101.
Distance : d(f, g) = #{x ∈ F2n; f (x) 6= g(x)}.
14
Reed-Muller codes : The functions of algebraic degrees at most
k have mutual distances at least 2n−k .
n
1+n+(n
+···+
)
(
2
k)
The set R(k, n) has 2
elements.
k = 1 : affine functions ; the distance between two affine functions
equals 2n−1 or 2n.
Example : the Reed-Muller code R(1, 5) corresponding to k = 1
and n = 5 was used in 1972 for transmitting the first photographs of
Mars.
It has 26 = 64 words of length 25 = 32 with mutual distances at
least 24 = 16.
15
A tool for Boolean functions
The discrete Fourier transform :
fb(a) =
X
f (x) (−1)a·x
x∈F2n
where a · x = a1x1 ⊕ · · · ⊕ anxn.
fb(0) equals the Hamming weight of f .
16
The transform of f = (−1)f = 1 − 2f equals :
(
bf(a) =
X
x∈F2n
f (x)⊕a·x
(−1)
=
−2fb(a) if a 6= 0;
.
n
b
2 − 2f (a) if a = 0
17
x1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
x2
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
x3
0
0
0
0
1
1
1
1
0
0
0
0
1
1
1
1
x4
0
0
0
0
0
0
0
0
1
1
1
1
1
1
1
1
x1x2x3
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
x1x4
0
0
0
0
0
0
0
0
0
1
0
1
0
1
0
1
f (x)
0
0
1
1
0
0
1
0
0
1
1
0
0
1
1
1
(−1)f (x)
1
1
-1
-1
1
1
-1
1
1
-1
-1
1
1
-1
-1
-1
2
0
-2
0
2
0
-2
0
0
2
0
-2
0
2
0
2
4
0
-4
0
0
0
0
0
0
4
0
0
0
0
0
-4
0
0
8
0
0
0
0
0
0
4
0
4
0
-4
0
4
χ
cf (x)
0
0
8
8
0
0
0
0
4
-4
4
-4
-4
4
4
-4
Tab. 2: truth table and Walsh spectrum of f (x) = x1x2x3 +x1x4 +x2
Cryptographic criteria for Boolean functions
Criterion 1 : any cryptographic function f must have high algebraic degree :
If n LFSR having lengths L1, . . . , Ln are combined by the function
!
f (x) =
M
I⊆{1,...,n}
aI
Y
xi ,
i∈I
19
the sequence produced by f can be obtained by a LFSR of length
!
L=
X
I⊆{1,...,n}
aI
Y
Li .
i∈I
Criterion 2 : any cryptographic function must be at high distance
to all affine functions.
Let la(x) = a1x1 ⊕ · · · ⊕ anxn = a · x.
We have
d(f, la) = wH (f ⊕ la) = f\
⊕ la(0) = 2n−1 − 12bf(a)
20
and d(f, la ⊕ 1) = 2n−1 + 21bf(a).
The nonlinearity of f is the minimum Hamming distance to affine
1
n−1
functions and is therefore equal to : N L(f ) = 2
− maxn |bf(a)|.
2 a∈F2
Parseval’s relation :
X
b2
f (a) =
a∈F2n
since
P
a∈F2n
X X X
(−1)f (x)+f (y)+a·(x+y) = 22n,
a∈F2n x∈F2n y∈F2n
(−1)a·z = 0 if z 6= 0.
21
Consequence : maxa∈F2n |bf(a)| ≥ 2n/2.
The functions with highest nonlinearity 2n−1 − 2n/2−1 (n even)
are called bent.
Bound on algebraic degree of bent fcts (Rothaus) : d ≤ n/2.
Open problem : characterize the bent functions of degrees ≥ 3.
Criterion 3 : any combining function f must be balanced (i.e.
equally distributed) and f (x) must stay balanced if we fix some
coordinates xi of x (at most m where m is as large as possible). We
say that f is then m-resilient.
This can also be characterized through the Fourier transform :
22
bf(a) = 0 for all a ∈ F n such that wH (a) ≤ m.
2
Bound on algebraic degree (Siegenthaler) : d ≤ n − m − 1.
Bound on nonlinearity (Sarkar-Maitra) : bf(a) is divisible by 2m+2
for every a. This implies that N L(f ) is divisible by 2m+1 and thus
N L(f ) ≤ 2n−1 − 2m+1.
If this bound is achieved by f then the bound on the degree is
m+2+b n−m−2
c (C.C.).
b
d
also achieved because f(a) is divisible by 2
Open problem : find numerous examples of functions achieving
these bounds.
23