A New Construction of Boolean Functions with Maximum Algebraic Immunity
National University of Defense Technology
Deshuai Dong
2009-8-26
Outline
• Preliminaries on Boolean functions
• Algebraic attacks and algebraic immunity
• The recent constructions of Boolean functions with MAI
• The main results of our paper
2009-9-27
Preliminaries on Boolean functions
• Boolean functions map n binary inputs to a single binary output.
• More formally, a Boolean function is a map $f: F_2^n \to F_2$, $x = (x_1, x_2, \ldots, x_n) \in F_2^n \mapsto f(x) \in F_2$.
Preliminaries on Boolean functions
• It can be represented as a polynomial in the ring $F_2[x_1, \ldots, x_n] / \langle x_1^2 - x_1, \ldots, x_n^2 - x_n \rangle$.
• This ring is simply the set of all polynomials with binary coefficients in n indeterminates, with the property that $x_i^2 = x_i$.
Algebraic Normal Form
• A Boolean function can be formalized further by defining
  $f(x) = \sum_{u \in F_2^n} a_u x^u$, where $x^u = x_1^{u_1} x_2^{u_2} \cdots x_n^{u_n}$ and $a_u \in F_2$.
• This is also called the algebraic normal form (ANF) of f.
Algebraic degree
• The algebraic degree of a Boolean function f is defined as the maximum length of the terms in the ANF of f.
• The algebraic degree should be large because of the Berlekamp-Massey and Rønjom-Helleseth attacks (stream ciphers) and the higher-order differential attack (block ciphers).
Affine and linear functions
• The set of all Boolean functions in n variables is denoted by $B_n$.
• Boolean functions of degree at most one are called affine:
  $A_n = \{ a_0 + a_1 x_1 + a_2 x_2 + \cdots + a_n x_n \mid a_i \in F_2, 0 \le i \le n \}$.
• An affine function with $a_0 = 0$ is said to be linear, and the set of all linear functions is denoted by $L_n$.
The Walsh Transform
• The Walsh transform of a Boolean function f is defined by
  $\hat{f}(u) = \sum_{x \in F_2^n} (-1)^{f(x) + u \cdot x}$.
• The Hamming distance between two functions:
  $d_H(f, g) = w_H(f + g) = |\{ x \mid f(x) \ne g(x) \}|$.
Nonlinearity definition
• The nonlinearity of a Boolean function f is the minimum distance from f to all affine functions, i.e.
  $N_f = \min_{g \in A_n} d_H(f, g)$.
• The nonlinearity of a Boolean function f can also be expressed as
  $N_f = 2^{n-1} - \frac{1}{2} \max_{a \in F_2^n} |\hat{f}(a)|$.
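As an added example (not code from the slides), the Walsh transform and both expressions for $N_f$ above in Python, so that the identity can be checked against the definition by brute force. Truth tables are indexed by the integer x whose bit i-1 holds $x_i$; the sample functions $x_1 x_2 + x_3 x_4$ and the 3-variable majority function are constructed here.

```python
def dot(u, x):
    """Inner product u . x over F_2: parity of the bitwise AND."""
    return bin(u & x).count("1") & 1

def walsh_transform(f, n):
    """Walsh transform W_f(u) = sum_{x in F_2^n} (-1)^(f(x) + u.x), as a list indexed by u.
    f is a truth table: f[x] with bit i-1 of the integer x holding x_i."""
    return [sum((-1) ** (f[x] ^ dot(u, x)) for x in range(2 ** n)) for u in range(2 ** n)]

def nonlinearity_walsh(f, n):
    """N_f = 2^(n-1) - (1/2) max_a |W_f(a)|  (the identity on the slide)."""
    return 2 ** (n - 1) - max(abs(w) for w in walsh_transform(f, n)) // 2

def nonlinearity_direct(f, n):
    """N_f = min_{g in A_n} d_H(f, g) straight from the definition: every affine g is
    a_0 + a.x, so enumerate a_0 in F_2 and a in F_2^n and count disagreements with f."""
    return min(sum(f[x] ^ a0 ^ dot(a, x) for x in range(2 ** n))
               for a0 in (0, 1) for a in range(2 ** n))

def truth_table(anf, n):
    """Truth table of f given by its ANF: anf is a list of monomials, each a tuple of
    1-based variable indices ((1, 2) is x_1 x_2, the empty tuple () is the constant 1)."""
    table = []
    for x in range(2 ** n):
        v = 0
        for term in anf:
            v ^= all((x >> (i - 1)) & 1 for i in term)   # monomial is 1 iff all its variables are 1
        table.append(int(v))
    return table

if __name__ == "__main__":
    bent = truth_table([(1, 2), (3, 4)], 4)            # x_1 x_2 + x_3 x_4, constructed sample
    print(walsh_transform(bent, 4))                     # every entry is +4 or -4
    print(nonlinearity_walsh(bent, 4), nonlinearity_direct(bent, 4))   # 6 6
```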
• The nonlinearity must be high to prevent the system from fast correlation attacks (stream ciphers) and linear attacks (block ciphers).
The application (figure slides)
• Before the introduction of algebraic attacks, balancedness, high algebraic degree and high nonlinearity were considered roughly sufficient for the filter model of PRG.
Outline
• Preliminaries on Boolean functions
• Algebraic attacks and algebraic immunity
Algebraic attacks principle (Shannon)
• Find equations with the key bits as unknowns.
• Solve the system of these equations.
• For stream ciphers (combining or filtering Boolean functions):
  - denote by $(s_0, s_1, \ldots, s_{N-1})$ the initial state of the linear part of the PRG;
  - there exist a linear automorphism $L$ and a linear mapping $L'$ such that
    $s_i = f(L'(L^i(s_0, s_1, \ldots, s_{N-1})))$.
• For stream ciphers we can obtain many such equations, so we get an overdefined system.
• One can linearize the system (or use Gröbner bases) to solve it.
Problem of algebraic attacks
• However, the number of unknowns is too large.
• The common ways of solving this system are mostly infeasible.
Algebraic attacks
• Courtois-Meier 2003: if one can find $g \ne 0$ and $h$ of low degree such that $fg = h$, then the equation
  $s_i = f(L'(L^i(s_0, s_1, \ldots, s_{N-1})))$
  implies the following low-degree equation:
  $s_i \cdot g(L'(L^i(s_0, \ldots, s_{N-1}))) = h(L'(L^i(s_0, \ldots, s_{N-1})))$.
• Then the degree of the original nonlinear system and the number of unknowns in the related linearized system decrease.
Algebraic immunity
• Meier-Pasalic-Carlet, EUROCRYPT 2004: a necessary and sufficient condition for the existence of $g \ne 0$ and $h$ of low degree such that $fg = h$ is that there exists $g \ne 0$ of low degree such that
  $f \cdot g = 0$ or $(1 + f) \cdot g = 0$.
Algebraic immunity
• Given $f \in B_n$, a nonzero function $g$ is called an annihilator of $f$ if $f \cdot g = 0$. By $AN(f)$ we mean the set of annihilators of $f$.
• The algebraic immunity of $f$, denoted by $AI(f)$, is $\deg(g)$, where $g \in B_n$ is a nonzero function of minimum degree such that either $f \cdot g = 0$ or $(1 + f) \cdot g = 0$.
Algebraic immunity
• It is easy to prove that $AI(f) \le \deg(f)$ and $AI(f) \le \lceil n/2 \rceil$.
• If the AI of a Boolean function in n variables equals $\lceil n/2 \rceil$, we call it a maximum algebraic immunity (MAI) function.
• In practical situations, $AI(f)$ should be greater than or equal to 7.
• So we need $n \ge 13$.
Algebraic immunity and nonlinearity
• Lobanov (IACR e-print archive) gave a tight bound between nonlinearity and algebraic immunity:
  $N_f \ge 2 \sum_{i=0}^{AI(f)-2} \binom{n-1}{i}$.
• This tight bound does not guarantee that maximum algebraic immunity implies a good enough nonlinearity.
Design criteria
• High algebraic degree
• High nonlinearity
• Resiliency (for certain applications)
• High algebraic immunity
Outline
• Preliminaries on Boolean functions
• Algebraic attacks and algebraic immunity
• The recent constructions of Boolean functions with MAI
Three recent constructions
• Construction based on support inclusion
• Construction based on the basis-exchange technique
• Construction based on finite field expression
Construction based on support inclusion
• Dalai, Basic theory in construction of MAI functions, 2005.
• Lemma 1. Let $f, f_1, f_2 \in B_n$, and
  (1) $f_1, f_2$ both have no nonzero annihilators of degree less than $\lceil n/2 \rceil$;
  (2) $Supp(f) \supseteq Supp(f_1)$ and $Supp(f + 1) \supseteq Supp(f_2)$.
  Then $AI(f) = \lceil n/2 \rceil$.
Construction based on support inclusion (Cont.)
• Theorem 1. Let $f \in B_n$. If n is odd, let
  $f(x) = \begin{cases} 0, & wt(x) < \lceil n/2 \rceil \\ 1, & wt(x) \ge \lceil n/2 \rceil \end{cases}$
  If n is even, let
  $f(x) = \begin{cases} 0, & wt(x) < \lceil n/2 \rceil \\ 1, & wt(x) > \lceil n/2 \rceil \\ b \in \{0, 1\}, & wt(x) = \lceil n/2 \rceil \end{cases}$
  Then $AI(f) = \lceil n/2 \rceil$.
Construction based on the basis-exchange technique
• Longjiang Qu, Na Li, et al., On MAI functions: construction and a lower bound of the count, 2005.
• Idea of the basis-exchange technique:
Construction based on the basis-exchange technique (Cont.)
• Lemma 2. Let U be an m-dimensional vector space, and let $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ be two bases of U. Then for any integer $k$ with $1 \le k \le m$ and any k integers $1 \le i_1 < i_2 < \cdots < i_k \le m$, there exist k integers $1 \le j_1 < j_2 < \cdots < j_k \le m$ such that
  $\{\alpha_1, \alpha_2, \ldots, \alpha_m\} \cup \{\beta_{j_1}, \ldots, \beta_{j_k}\} \setminus \{\alpha_{i_1}, \ldots, \alpha_{i_k}\}$
  and
  $\{\beta_1, \beta_2, \ldots, \beta_m\} \cup \{\alpha_{i_1}, \ldots, \alpha_{i_k}\} \setminus \{\beta_{j_1}, \ldots, \beta_{j_k}\}$
  are two new bases of U.
Construction based on finite field expression
• C. Carlet, K. Feng, An infinite class of balanced functions with optimal AI, good immunity to fast algebraic attacks, 2008.
Construction based on finite field expression (Cont.)
• Theorem 3. Let n be any integer such that $n \ge 2$ and let $\alpha$ be a primitive element of the field $F_{2^n}$. Let f be the Boolean function on $F_{2^n}$ whose support is $\{0, 1, \alpha, \alpha^2, \ldots, \alpha^{2^{n-1}-2}\}$. Then f has optimal algebraic immunity $\lceil n/2 \rceil$.
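Added example (not the authors' code): $AI(f)$ computed exactly as defined on the algebraic immunity slide, by testing for a nonzero annihilator of $f$ or $1+f$ of each degree with GF(2) Gaussian elimination, then checked on the two constructions above, Dalai's Theorem 1 (majority) function and the Carlet-Feng Theorem 3 support in $F_{2^5}$. The primitive polynomial $x^5 + x^2 + 1$ and the polynomial-basis encoding of field elements as 5-bit integers are assumptions of this example; truth tables are indexed by the integer x whose bit i-1 holds $x_i$.

```python
from itertools import combinations

def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are bitmask ints (Gaussian elimination)."""
    rank = 0
    while rows and max(rows):
        pivot = max(rows)                       # row with the highest leading bit
        hi = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> hi) & 1 else r for r in rows if r != pivot]
        rank += 1
    return rank

def has_annihilator(f, n, d):
    """Is there a nonzero g with deg(g) <= d and f*g = 0?  Such g vanishes on Supp(f): one
    GF(2) equation per x in Supp(f) in the ANF coefficients a_u of g, where the monomial
    x^u evaluates to 1 at x iff the bitmask u is a sub-mask of x."""
    monos = [sum(1 << i for i in c) for k in range(d + 1) for c in combinations(range(n), k)]
    rows = [sum(1 << j for j, u in enumerate(monos) if u & x == u)
            for x in range(2 ** n) if f[x]]
    return gf2_rank(rows) < len(monos)        # nontrivial kernel <=> an annihilator exists

def algebraic_immunity(f, n):
    """AI(f) = min deg(g) over nonzero g with f*g = 0 or (1+f)*g = 0 (slide definition)."""
    comp = [1 - v for v in f]
    return next(d for d in range(n + 1)
                if has_annihilator(f, n, d) or has_annihilator(comp, n, d))

def majority(n, b=0):
    """Theorem 1 (Dalai): f(x) = 1 if wt(x) > n/2, 0 if wt(x) < n/2, and b if wt(x) = n/2."""
    return [b if 2 * w == n else int(2 * w > n)
            for w in (bin(x).count("1") for x in range(2 ** n))]

def carlet_feng(n, prim_poly):
    """Theorem 3 (Carlet-Feng): support {0, 1, alpha, ..., alpha^(2^(n-1)-2)} in F_{2^n}.
    Assumption of this example: field elements are n-bit ints in the polynomial basis
    (bit i-1 = coefficient of alpha^(i-1)) and alpha is a root of prim_poly."""
    table = [0] * (2 ** n)
    table[0] = 1                                # 0 is in the support
    a = 1                                       # alpha^0
    for _ in range(2 ** (n - 1) - 1):           # alpha^0 .. alpha^(2^(n-1)-2)
        table[a] = 1
        a <<= 1                                 # multiply by alpha
        if a >> n:                              # reduce modulo the primitive polynomial
            a ^= prim_poly
    return table

if __name__ == "__main__":
    print(algebraic_immunity(majority(5), 5))                   # 3 = ceil(5/2)
    print(algebraic_immunity(carlet_feng(5, 0b100101), 5))      # 3, alpha a root of x^5+x^2+1
```

Both constructions reach the bound $\lceil n/2 \rceil = 3$ for n = 5, while a linear function such as $x_1$ has AI 1 (annihilated by $1 + x_1$).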
Outline
• Preliminaries on Boolean functions
• Algebraic attacks and algebraic immunity
• The recent constructions of Boolean functions with MAI
• The main results of our paper