Boolean Functions, S-Boxes and Evolutionary Algorithms
Luca Mariot (luca.mariot@unimib.it)
University of Milano-Bicocca, Department of Informatics, Systems and Communications
De Cifris Athesis Local Seminar, Trento – December 16, 2019
Summary Part 1: Boolean Functions and S-Boxes
Stream Ciphers: The Combiner Model
◮ a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ combines the outputs of n Linear Feedback Shift Registers (LFSR) [Carlet10]
[Figure: LFSR_1, ..., LFSR_n produce the bits x_1, ..., x_n; f(x_1, x_2, ..., x_n) is the next keystream bit]
◮ Security of the combiner ⇔ cryptographic properties of f
Block Ciphers: Substitution-Permutation Network
Round function of an SPN cipher:
[Figure: plaintext PT → parallel S-boxes S_1, ..., S_10 → bit permutation (π-box) → XOR with round key K_i → ciphertext CT]
◮ $S_i : \mathbb{F}_2^n \to \mathbb{F}_2^n$ are S-boxes providing confusion
◮ Security of the confusion layer ⇔ cryptographic properties of the S_i
Boolean Functions – Basic Representations
◮ Truth table: vector Ω_f specifying f(x) for all $x \in \mathbb{F}_2^n$

  (x_1, x_2, x_3) | 000 | 100 | 010 | 110 | 001 | 101 | 011 | 111
  Ω_f             |  0  |  1  |  1  |  1  |  1  |  0  |  0  |  0

◮ Algebraic Normal Form (ANF): sum (XOR) of products (AND) over the finite field $\mathbb{F}_2$
  $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 \oplus x_2 \oplus x_3$
◮ Walsh transform: correlation with the linear functions $\omega \cdot x = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$, defined as
  $\hat F(\omega) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus \omega \cdot x}$
S-boxes – Representation
◮ Substitution Box (S-box, or (n,m)-function): a mapping $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ defined by m coordinate functions $f_i : \mathbb{F}_2^n \to \mathbb{F}_2$
[Figure: inputs x_1, ..., x_8 ⇒ F : {0,1}^n → {0,1}^m ⇒ coordinate functions f_1, ..., f_6; the sum f_1 ⊕ f_3 ⊕ f_5 is shown as an example of a component function]
◮ Component functions v·F: non-trivial linear combinations of the coordinate functions f_i
Design Criteria
Several properties to consider for thwarting attacks, e.g.:
A Boolean function used in the combiner model should:
◮ be balanced
◮ have high algebraic degree d
◮ have high nonlinearity nl(f)
◮ be resilient of high order t
An (n,n)-function used in the SPN paradigm should:
◮ be balanced (⇔ bijective)
◮ have high nonlinearity N_F
◮ have low differential uniformity δ_F
Bounds and Trade-offs
Most of these properties cannot be satisfied simultaneously!
Bounds for Boolean functions:
◮ Covering Radius: $nl(f) \le 2^{n-1} - 2^{n/2 - 1}$ (met by bent functions, which exist only for even n and are never balanced)
◮ Siegenthaler: $d \le n - t - 1$ (for t-resilient functions)
◮ Tarannikov: $nl(f) \le 2^{n-1} - 2^{t+1}$
Bounds for S-boxes:
◮ Covering Radius: $N_F \le 2^{n-1} - 2^{n/2 - 1}$ (met by bent (n,m)-functions, which exist only for m ≤ n/2, so never by an (n,n) S-box)
◮ Sidelnikov–Chabaud–Vaudenay: $N_F \le 2^{n-1} - 2^{(n-1)/2}$ (met by Almost Bent (AB) functions, n odd)
◮ Differential Uniformity: $\delta_F \ge 2$ (met by Almost Perfect Nonlinear (APN) functions)
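Where the covering-radius bound comes from, as a worked derivation added to these notes (not part of the original slides), using the Walsh transform $\hat F$ defined on the representations slide. Since $\hat F(\omega)$ counts the inputs where f agrees with the linear function $\omega \cdot x$ minus those where it disagrees,

$$\hat F(\omega) = 2^n - 2\, d(f, \omega \cdot x), \qquad d(f, \omega \cdot x \oplus 1) = 2^n - d(f, \omega \cdot x),$$

so the distance to the closest affine function is

$$nl(f) = \min_{\omega \in \mathbb{F}_2^n,\, c \in \mathbb{F}_2} d(f, \omega \cdot x \oplus c) = 2^{n-1} - \tfrac{1}{2} \max_{\omega} |\hat F(\omega)|.$$

Parseval's relation $\sum_{\omega \in \mathbb{F}_2^n} \hat F(\omega)^2 = 2^{2n}$ says that the $2^n$ squared Walsh values average to $2^n$, hence $\max_\omega |\hat F(\omega)| \ge 2^{n/2}$ and

$$nl(f) \le 2^{n-1} - 2^{n/2 - 1},$$

with equality iff $|\hat F(\omega)| = 2^{n/2}$ for every $\omega$ (the bent functions; $2^{n/2}$ must be an integer, so n is even). Balancedness means $\hat F(0) = 0$, which is why a balanced function can never reach this bound: the trade-off of the slide title is already visible in the spectrum.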
Constructions of good Boolean Functions and S-Boxes
◮ Number of Boolean functions of n variables: $2^{2^n}$

  n        |  3  |   4   |     5      |      6      |      7      |      8
  2^{2^n}  | 256 | 65536 | 4.3 · 10^9 | 1.8 · 10^19 | 3.4 · 10^38 | 1.2 · 10^77

◮ ⇒ too huge for exhaustive search when n > 5! In practice, one usually resorts to:
◮ Algebraic constructions (Maiorana-McFarland, Rothaus, ...) [Carlet10]
◮ Combinatorial optimization techniques:
  ◮ Simulated Annealing [Clark04]
  ◮ Evolutionary Algorithms [Millan98]
  ◮ Swarm Intelligence [Mariot15b], ...
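The representations, design criteria and bounds of Part 1, computed in code. This is an added example, not code from the talk: it evaluates the slide's own function $f = x_1 x_2 \oplus x_1 \oplus x_2 \oplus x_3$ (truth table indexed as on the slide, x_1 being the least significant index bit) and a small S-box chosen here for illustration, the cube map $x \mapsto x^3$ over $\mathrm{GF}(2^3)$ with modulus $x^3 + x + 1$, which is both APN and AB and so meets the Sidelnikov–Chabaud–Vaudenay and differential-uniformity bounds. All function names (`walsh_spectrum`, `cube_sbox`, ...) are this example's own.

```python
def truth_table(f, n):
    """Truth table Omega_f in the slide's ordering: index i has x_1 = bit 0 of i, x_2 = bit 1, ..."""
    return [f(*[(i >> k) & 1 for k in range(n)]) for i in range(1 << n)]

def walsh_spectrum(tt):
    """F(w) = sum_x (-1)^(f(x) xor w.x), via the fast Walsh-Hadamard transform of (-1)^f."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w

def is_balanced(tt):
    return walsh_spectrum(tt)[0] == 0      # F(0) = #zeros - #ones

def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max|F(w)|/2: Hamming distance to the closest affine function."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2

def anf(tt):
    """Moebius transform: entry u is the ANF coefficient of the monomial over the variables in u."""
    a = tt[:]
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def algebraic_degree(tt):
    return max((bin(u).count("1") for u, c in enumerate(anf(tt)) if c), default=0)

def resiliency_order(tt):
    """Largest t such that f is balanced and F(w) = 0 for all 1 <= wt(w) <= t; -1 if unbalanced."""
    w = walsh_spectrum(tt)
    if w[0] != 0:
        return -1
    n = len(tt).bit_length() - 1
    for t in range(1, n + 1):
        if any(w[u] != 0 for u in range(1, len(tt)) if bin(u).count("1") == t):
            return t - 1
    return n

def gf8_mul(a, b, poly=0b1011):
    """Multiplication in GF(2^3) modulo x^3 + x + 1 (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= poly
    return r

def cube_sbox():
    """The (3,3)-function x -> x^3 over GF(2^3) as a lookup table (constructed example S-box)."""
    return [gf8_mul(x, gf8_mul(x, x)) for x in range(8)]

def component(sbox, v):
    """Component function v.F: XOR of the coordinate functions selected by the bits of v."""
    return [bin(v & y).count("1") & 1 for y in sbox]

def sbox_nonlinearity(sbox, m):
    """N_F = minimum nonlinearity over the non-trivial component functions v.F, v != 0."""
    return min(nonlinearity(component(sbox, v)) for v in range(1, 1 << m))

def differential_uniformity(sbox):
    """delta_F = max over a != 0 and b of #{x : F(x xor a) xor F(x) = b}."""
    size = len(sbox)
    delta = 0
    for a in range(1, size):
        counts = {}
        for x in range(size):
            b = sbox[x ^ a] ^ sbox[x]
            counts[b] = counts.get(b, 0) + 1
        delta = max(delta, max(counts.values()))
    return delta

def scv_bound(n):
    """Sidelnikov-Chabaud-Vaudenay bound 2^(n-1) - 2^((n-1)/2), met by AB functions (n odd)."""
    return 2 ** (n - 1) - 2 ** ((n - 1) / 2)

if __name__ == "__main__":
    tt = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x1 ^ x2 ^ x3, 3)   # the slide's example
    print(tt, is_balanced(tt), nonlinearity(tt), algebraic_degree(tt), resiliency_order(tt))
    S = cube_sbox()
    print(S, sbox_nonlinearity(S, 3), differential_uniformity(S), scv_bound(3))
```

For the slide's function this reports the truth table 0 1 1 1 1 0 0 0, balanced, nonlinearity 2, degree 2 and resiliency order 0 (it is balanced but correlated with x_3, since $\hat F(x_3) = -4$). For the cube S-box it reports the permutation [0, 1, 3, 4, 5, 6, 7, 2], N_F = 2 = the SCV bound for n = 3 and δ_F = 2, i.e. APN; the brute-force loops are what one would run on any small lookup table before trusting its advertised properties.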
Summary Part 2: Combinatorial Optimization and Evolutionary Algorithms
Combinatorial Optimization
◮ Combinatorial Optimization Problem: map P : I → S from a set I of problem instances to a family S of solution spaces
◮ S = P(I) is a finite set equipped with a fitness function $fit : S \to \mathbb{R}$, giving a score to candidate solutions x ∈ S
◮ Optimization goal: find x* ∈ S such that
  Minimization: $x^* = \arg\min_{x \in S} fit(x)$    Maximization: $x^* = \arg\max_{x \in S} fit(x)$
◮ Heuristic optimization algorithm: iteratively tweaks a (set of) candidate solution(s), using fit to drive the search
Hill Climbing and Simulated Annealing
◮ Let $d_S : S \times S \to \mathbb{R}$ be a distance over the solution space S, and assume there is a minimum distance $d_m \in \mathbb{R}$ such that $d_S(x, x') \ge d_m$ for all x ≠ x' in S
◮ Neighborhood of a solution x ∈ S: the solutions closest to x,
  $N(x) = \{\, y \in S \setminus \{x\} : d_S(z, x) \ge d_S(y, x) \ \ \forall z \in S \setminus \{x\} \,\}$
◮ Hill Climbing: always move to a y ∈ N(x) with better fitness (stops in a local optimum)
◮ Simulated Annealing: a candidate y ∈ N(x) replaces the current x with acceptance probability (minimization; reverse the inequalities for maximization)
  $P_a = \begin{cases} 1 & \text{if } f(y) < f(x) \\ e^{-|f(y) - f(x)| / T} & \text{if } f(y) \ge f(x) \end{cases}$
  The temperature T is updated as T ← αT with α ∈ (0, 1), so worsening moves become less and less likely as the search proceeds.
Genetic Algorithms (GA) – Genetic Programming (GP)
Optimization algorithms loosely based on evolutionary principles, introduced respectively by J. Holland (1975) and J. Koza (1989)
◮ Work on a coding of the candidate solutions
◮ Evolve in parallel a population of solutions
◮ Black-box optimization: use only the fitness function to optimize the solutions
◮ Use probabilistic operators to evolve the solutions
GA Encoding: typically, an individual is represented with a fixed-length bitstring, e.g. a truth table
  0 1 1 1 1 0 0 0  ⇓  $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 \oplus x_2 \oplus x_3$
Genetic Algorithms (GA) – Genetic Programming (GP)
◮ GP Encoding: an individual is represented by a tree
  ◮ Terminal nodes: input variables of a program
  ◮ Internal nodes: operators (e.g. AND, OR, NOT, XOR, ...)
  f(x_1, x_2, x_3, x_4) = (x_1 AND x_2) OR (x_3 XOR x_4)
  [Figure: tree with root OR; left child AND with leaves x_1, x_2; right child XOR with leaves x_3, x_4]
The EA Loop
[Figure: flowchart] Initialize Population → Fitness Evaluation → Terminate? (Yes → Output Best Solution; No → Selection → Crossover → Mutation → Replace → back to Fitness Evaluation)
Selection
Roulette-Wheel Selection (RWS): the probability of selecting an individual is proportional to its fitness
[Figure: roulette wheel over Individuals 1–6, with selection probabilities 46.6 %, 24.6 %, 20.4 %, 5.1 %, 2.0 % and 1.3 %]
Tournament Selection (TS): randomly sample t individuals from the population and select the fittest one
Generational Breeding: draw as many pairs as the population size
Steady-State Breeding: select only a single pair
Crossover
Idea: recombine the genes of two parent individuals to create the offspring (Exploitation)
GA Example: One-Point Crossover (crossover point χ after the third gene)
  p_1 = 0 1 0 | 1 0 1 1 0      c_1 = 0 1 0 | 0 1 0 1 1
  p_2 = 1 0 0 | 0 1 0 1 1      c_2 = 1 0 0 | 1 0 1 1 0
GP Example: Subtree Crossover: choose a crossover point in each parent tree and swap the two subtrees
Mutation
Idea: introduce new genetic material in the offspring (Exploration)
GA Example: Bit-flip mutation: a gene is flipped when a random draw r < p_µ (here the third gene)
  1 0 0 0 1 0 1 1  ⇓  1 0 1 0 1 0 1 1
GP Example: Subtree mutation: choose a mutation point and replace the subtree rooted there with a randomly generated subtree
Replacement and Termination
◮ Elitism: keep the best individual from the previous generation
◮ Termination: several criteria, such as a budget of fitness evaluations, loss of solution diversity, ...
Image credit: https://xkcd.com/720/
Summary of Contributions Part 3: Evolving Boolean Functions and S-Boxes
Direct Search of Boolean Functions [Millan98]
◮ GA encoding: represent the truth tables as $2^n$-bit strings
◮ Fitness function measuring nonlinearity, algebraic degree, and deviation from correlation immunity
◮ Specialized crossover and mutation operators for preserving balancedness
Crossover idea: copy genes from the parents while using counters to keep track of the multiplicities of zeros and ones; as soon as one value has been used $2^{n-1}$ times, fill the remaining positions with the other value
  p_1 = 0 1 0 1 0 1 1 0
  p_2 = 1 0 0 0 1 0 1 1   ⇒   c_1 = 1 0 0 1 1 0 1 0   (count[1] = 4 after the seventh gene → fill with 0)
◮ GP has better performance than GA with direct search [Picek16]
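The EA loop of Part 2 (tournament selection, crossover, mutation, elitist replacement, evaluation budget) put together with the balancedness-preserving operators of this slide, as an added runnable example; this is not code from the talk or from [Millan98]. Assumptions made here: `counter_crossover` reads the counter idea as "copy each gene from a randomly chosen parent, then fill once a counter reaches $2^{n-1}$"; mutation swaps a 1 with a 0 so balance is kept; the fitness is nonlinearity alone (the paper's fitness also scores degree and correlation immunity) and is computed directly as the distance to the $2^{n+1}$ affine functions; n = 4 keeps the run well under a second.

```python
import random

def nonlinearity(tt):
    """Distance from truth table tt to the closest affine function w.x xor c, by brute force."""
    size = len(tt)
    best = size
    for w in range(size):
        # d = distance to the linear function w.x; size - d is the distance to its complement
        d = sum(b ^ (bin(w & x).count("1") & 1) for x, b in enumerate(tt))
        best = min(best, d, size - d)
    return best

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def random_balanced(size, rng):
    tt = [1] * (size // 2) + [0] * (size // 2)
    rng.shuffle(tt)
    return tt

def counter_crossover(p1, p2, rng):
    """Copy each gene from a random parent, counting zeros and ones; once one value has been
    used len/2 times, fill the remaining positions with the other value (child stays balanced)."""
    half = len(p1) // 2
    child, ones, zeros = [], 0, 0
    for i in range(len(p1)):
        if ones == half:
            child.extend([0] * (len(p1) - i))
            break
        if zeros == half:
            child.extend([1] * (len(p1) - i))
            break
        bit = (p1 if rng.random() < 0.5 else p2)[i]
        child.append(bit)
        ones += bit
        zeros += 1 - bit
    return child

def swap_mutation(tt, rng):
    """Swap one 1 with one 0, so the mutated truth table is still balanced."""
    ones = [i for i, b in enumerate(tt) if b]
    zeros = [i for i, b in enumerate(tt) if not b]
    i, j = rng.choice(ones), rng.choice(zeros)
    child = tt[:]
    child[i], child[j] = 0, 1
    return child

def tournament(pop, fits, rng, t=3):
    idx = rng.sample(range(len(pop)), t)
    return pop[max(idx, key=lambda k: fits[k])]

def evolve(n=4, pop_size=40, generations=60, p_mut=0.2, seed=1):
    """Generational GA with elitism; returns (best balanced truth table, its nonlinearity)."""
    rng = random.Random(seed)
    size = 1 << n
    pop = [random_balanced(size, rng) for _ in range(pop_size)]
    best, best_fit = None, -1
    for _ in range(generations):                 # termination: fixed budget of generations
        fits = [nonlinearity(tt) for tt in pop]
        j = max(range(pop_size), key=lambda k: fits[k])
        if fits[j] > best_fit:
            best, best_fit = pop[j][:], fits[j]
        new_pop = [best[:]]                      # elitism: carry the best individual over
        while len(new_pop) < pop_size:
            child = counter_crossover(tournament(pop, fits, rng), tournament(pop, fits, rng), rng)
            if rng.random() < p_mut:
                child = swap_mutation(child, rng)
            new_pop.append(child)
        pop = new_pop
    return best, best_fit

def slide_crossover_example(seed=0):
    """The two parents of the slide recombined with counter_crossover (any seed gives a balanced child)."""
    p1 = [0, 1, 0, 1, 0, 1, 1, 0]
    p2 = [1, 0, 0, 0, 1, 0, 1, 1]
    return counter_crossover(p1, p2, random.Random(seed))

if __name__ == "__main__":
    tt, nl = evolve()
    print("".join(map(str, tt)), "balanced:", is_balanced(tt), "nonlinearity:", nl)
```

With n = 4 the GA reaches nonlinearity 4, which is the maximum a balanced 4-variable function can have (bent functions reach 6 but are never balanced, and the nonlinearity of a balanced function of 4 variables is even). The point of the operators is visible in the loop: every individual that ever gets evaluated is balanced, so the fitness never has to penalise unbalanced tables and the search space shrinks from $2^{16}$ to $\binom{16}{8}$ truth tables.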
Spectral Inversion [Clark04]
◮ Applying the inverse Walsh transform to a generic spectrum yields a pseudo-Boolean function $f : \mathbb{F}_2^n \to \mathbb{R}$, i.e. a "truth table" whose entries are not restricted to {0, 1} (in polar form, to {±1}):
  $S_f = (0, -4, -2, 2, 2, 4, 4, -2) \;\xrightarrow{\;\hat F^{-1}\;}\; \Omega_{\hat f} = (0, 0, 0, -1, 0, -1, 2)$
◮ New objective: search among the Walsh spectra that already satisfy the desired cryptographic constraints (e.g. on nonlinearity and correlation immunity) and minimize the deviation of their inverse transform from a genuine Boolean function
◮ Heuristic techniques proposed for this optimization problem:
  ◮ Clark et al. [Clark04]: Simulated Annealing (SA)
  ◮ Mariot and Leporati [Mariot15a]: Genetic Algorithms (GA)