University of Milano-Bicocca, Department of Informatics, Systems and Communications
Cryptographic Criteria of Boolean Functions and S-Boxes
Luca Mariot, luca.mariot@unimib.it
Guest Lecture for Digital Communication, Durham – March 18, 2019
Cryptography

Basic goal of cryptography: enable two parties (Alice and Bob, A and B) to communicate securely over an insecure channel, even in the presence of an opponent (Oscar, O).

[Figure: Alice encrypts PT into CT with $K_E$; CT crosses the channel, where Oscar observes it; Bob decrypts CT back into PT with $K_D$]

◮ PT: plaintext
◮ CT: ciphertext
◮ $K_E$: encryption key
◮ $K_D$: decryption key

Luca Mariot Cryptographic Criteria of Boolean Functions and S-Boxes
Symmetric cryptosystems

Symmetric cryptosystems ($K_E = K_D = K$) can be classified as:
◮ Stream ciphers: each symbol of PT is combined with a symbol of a keystream computed from $K$
  ◮ Grain
  ◮ Trivium
  ◮ ...
◮ Block ciphers: PT is divided into blocks, each combined with round keys derived from $K$ through a round function
  ◮ DES
  ◮ Rijndael (AES)
  ◮ ...
Vernam Stream Cipher

[Figure: (a) Encryption: PRG expands $K$ into the keystream $z$, and CT = PT ⊕ $z$; (b) Decryption: the same PRG and $K$ give the same $z$, and PT = CT ⊕ $z$]

◮ $K$: secret key
◮ PRG: pseudorandom generator
◮ $z$: keystream
◮ ⊕: bitwise XOR
◮ PT: plaintext
◮ CT: ciphertext
Linear Feedback Shift Registers (LFSR)

◮ Device computing the binary linear recurring sequence
  $$s_{n+k} = a_0 s_n + a_1 s_{n+1} + \cdots + a_{k-1} s_{n+k-1}$$
  [Figure: $k$-stage shift register with cells $D_0, D_1, \ldots, D_{k-2}, D_{k-1}$, feedback coefficients $a_0, a_1, \ldots, a_{k-2}, a_{k-1}$, and an output line]
◮ Too weak as a PRG: $2k$ consecutive bits of keystream are enough to recover the LFSR initialization via the Berlekamp-Massey algorithm
An Example of PRG: The Combiner Model

◮ A Boolean function $f: \{0,1\}^n \to \{0,1\}$ combines the outputs of $n$ LFSRs [2]
  [Figure: $\mathrm{LFSR}_1, \mathrm{LFSR}_2, \ldots, \mathrm{LFSR}_n$ output $x_1, x_2, \ldots, x_n$, which feed $f(x_1, x_2, \ldots, x_n)$ to produce the next keystream bit]
◮ Security of the combiner ⇔ cryptographic properties of $f$
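The Vernam cipher, the LFSR recurrence and the combiner model of the three slides above, as an added example that is not part of the lecture: three small LFSRs drive the combining function $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 \oplus x_2 \oplus x_3$ used as the running example on the following slides. The feedback polynomials, initial states and plaintext are constructed for this demonstration. The last function measures, over one full joint period, how often the keystream bit equals the complement of one register's output; this is the statistical bias a designer checks for and that a resilient combining function is meant to remove.

```python
# Added example, not code from the lecture: a toy combiner-model keystream
# generator built from the slides' definitions. The three LFSR recurrences,
# their initial states and the plaintext are constructed for this demonstration;
# the combining function is the slides' running example
# f(x1, x2, x3) = x1*x2 + x1 + x2 + x3.

def lfsr_step(coeffs, state):
    """One clock of s_{n+k} = a_0 s_n + a_1 s_{n+1} + ... + a_{k-1} s_{n+k-1} over GF(2).

    coeffs = [a_0, ..., a_{k-1}], state = [s_n, ..., s_{n+k-1}].
    Returns (output bit s_n, next state)."""
    feedback = 0
    for a, s in zip(coeffs, state):
        feedback ^= a & s
    return state[0], state[1:] + [feedback]

def lfsr_sequence(coeffs, state, length):
    """First `length` bits s_0, s_1, ... of the LFSR output sequence."""
    out, state = [], list(state)
    for _ in range(length):
        bit, state = lfsr_step(coeffs, state)
        out.append(bit)
    return out

def lfsr_period(coeffs, state):
    """Number of clocks until the register returns to its initial state."""
    start = list(state)
    _, state = lfsr_step(coeffs, start)
    count = 1
    while state != start:
        _, state = lfsr_step(coeffs, state)
        count += 1
    return count

def f(x1, x2, x3):
    """Combining function from the slides (ANF x1*x2 + x1 + x2 + x3)."""
    return (x1 & x2) ^ x1 ^ x2 ^ x3

# Constructed registers with primitive feedback polynomials x^3+x+1, x^4+x+1
# and x^5+x^2+1, i.e. the recurrences s_{n+3} = s_n + s_{n+1},
# s_{n+4} = s_n + s_{n+1} and s_{n+5} = s_n + s_{n+2}; periods 7, 15 and 31.
REGISTERS = [
    ([1, 1, 0], [1, 0, 0]),
    ([1, 1, 0, 0], [1, 0, 0, 0]),
    ([1, 0, 1, 0, 0], [1, 0, 0, 0, 0]),
]

def combiner_keystream(length, registers=REGISTERS):
    """z_t = f(x1_t, x2_t, x3_t), where x_i(t) is the output of LFSR_i at clock t."""
    seqs = [lfsr_sequence(c, s, length) for c, s in registers]
    return [f(x1, x2, x3) for x1, x2, x3 in zip(*seqs)]

def vernam(bits, keystream):
    """Vernam encryption and decryption are the same operation: bitwise XOR."""
    return [b ^ z for b, z in zip(bits, keystream)]

def bias_towards_register(index, registers=REGISTERS):
    """Count the clocks in one full joint period where z_t == x_index(t) XOR 1.

    For a 1-resilient f this would be half of the clocks for every register;
    the slides' f is not 1-resilient, so the keystream carries a bias towards
    the third register, which is what correlation attacks exploit."""
    period = 1
    for c, s in registers:
        period *= lfsr_period(c, s)  # pairwise coprime here, so lcm = product
    seqs = [lfsr_sequence(c, s, period) for c, s in registers]
    z = [f(*bits) for bits in zip(*seqs)]
    matches = sum(1 for zt, xt in zip(z, seqs[index]) if zt == xt ^ 1)
    return matches, period

if __name__ == "__main__":
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-bit message
    z = combiner_keystream(len(plaintext))
    ct = vernam(plaintext, z)
    print("keystream ", z)
    print("ciphertext", ct)
    print("decrypted ", vernam(ct, z))
    for i in range(3):
        matches, period = bias_towards_register(i)
        print(f"z_t == x{i + 1}(t) xor 1 in {matches}/{period} clocks")
```

With uniformly distributed inputs the keystream would equal $x_3 \oplus 1$ with probability 3/4 (this is the $\hat{F}(001) = -4$ of the resiliency slide); with these three maximal-length registers, whose outputs are slightly biased towards 1, the measured fraction over the joint period of $7 \cdot 15 \cdot 31 = 3255$ clocks is 2604/3255 = 4/5.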
Boolean Functions - Basic Definitions

Boolean function: a mapping $f: \mathbb{F}_2^n \to \mathbb{F}_2$, where $\mathbb{F}_2 = \{0, 1\}$
◮ Truth table: vector $\Omega_f$ specifying $f(x)$ for all $x \in \mathbb{F}_2^n$

  (x_1, x_2, x_3) | 000 100 010 110 001 101 011 111
  Ω_f             |  0   1   1   1   1   0   0   0

◮ Algebraic Normal Form (ANF): sum (XOR) of products (AND) over the finite field $\mathbb{F}_2$
  $$f(x_1, x_2, x_3) = x_1 \cdot x_2 \oplus x_1 \oplus x_2 \oplus x_3$$
◮ Walsh transform: correlation with the linear functions $\omega \cdot x = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$, defined as
  $$\hat{F}(\omega) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus \omega \cdot x}$$
Cryptographic Properties: Balancedness

◮ Hamming weight $w_H(f)$: number of 1s in $\Omega_f$
◮ A function $f: \mathbb{F}_2^n \to \mathbb{F}_2$ is balanced if $w_H(f) = 2^{n-1}$
◮ Walsh characterization: $f$ balanced ⇔ $\hat{F}(0) = 0$

  (x_1, x_2, x_3) | 000 100 010 110 001 101 011 111
  Ω_f             |  0   1   1   1   1   0   0   0

  ⇓ $f$ is balanced ($w_H(f) = 4 = 2^{3-1}$)
◮ Unbalanced functions present a statistical bias that can be exploited in attacks
Cryptographic Properties: Algebraic Degree

◮ Algebraic degree $d$: the degree of the multivariate polynomial representing the ANF of $f$
  $$f(x_1, x_2, x_3) = x_1 \cdot x_2 \oplus x_1 \oplus x_2 \oplus x_3$$
  ⇓ $f$ has degree $d = 2$
◮ Linear functions $\omega \cdot x = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$ have degree $d = 1$
◮ Boolean functions of high degree make the attack based on the Berlekamp-Massey algorithm less effective
Cryptographic Properties: Nonlinearity

◮ Nonlinearity $nl(f)$: Hamming distance of $f$ from the linear functions
◮ Walsh characterization:
  $$nl(f) = 2^{n-1} - \frac{1}{2} \max_{\omega \in \mathbb{F}_2^n} \left| \hat{F}(\omega) \right|$$

  (x_1, x_2, x_3) | 000 100 010 110 001 101 011 111
  Ω_f             |  0   1   1   1   1   0   0   0
  F̂(ω)            |  0   0   0   0  −4   4   4   4

  ⇓ $nl(f) = 2^{3-1} - \frac{1}{2} \cdot 4 = 2$
◮ Functions with high nonlinearity resist fast-correlation attacks
Cryptographic Properties: Resiliency

◮ $t$-Resiliency: when fixing any $t$ variables, the restriction of $f$ stays balanced
◮ Walsh characterization: $\hat{F}(\omega) = 0$ for all $\omega$ with $w_H(\omega) \le t$

  (x_1, x_2, x_3) | 000 100 010 110 001 101 011 111
  Ω_f             |  0   1   1   1   1   0   0   0
  F̂(ω)            |  0   0   0   0  −4   4   4   4

  ⇓ $\hat{F}(001) = -4$ ⇒ $f$ is NOT 1-resilient
◮ Resilient functions of high order $t$ resist correlation attacks
Bounds and Trade-offs

In summary, $f: \mathbb{F}_2^n \to \mathbb{F}_2$ should:
◮ be balanced
◮ be resilient of high order $t$
◮ have high algebraic degree $d$
◮ have high nonlinearity $nl$

But most of these properties cannot be satisfied simultaneously!
◮ Covering radius bound: $nl \le 2^{n-1} - 2^{\frac{n}{2} - 1}$
◮ Siegenthaler's bound: $d \le n - t - 1$
◮ Tarannikov's bound: $nl \le 2^{n-1} - 2^{t+1}$
Constructions of Good Boolean Functions

◮ Number of Boolean functions of $n$ variables: $2^{2^n}$
◮ ⇒ too huge for exhaustive search when $n > 5$!
◮ Functions used in the combiner model have $n \ge 13$ variables

In practice, one usually resorts to:
◮ Algebraic constructions [2]
  ◮ Maiorana-McFarland construction
  ◮ Rothaus' construction
  ◮ ...
◮ Heuristic techniques
  ◮ Simulated Annealing [3]
  ◮ Evolutionary Algorithms [6]
  ◮ ...
Special Classes of Functions

◮ Bent functions: $\hat{F}(\omega) = \pm 2^{\frac{n}{2}}$ for all $\omega$
  ◮ Reach the covering radius bound for $n$ even (maximum nonlinearity)
  ◮ Unfortunately, they are unbalanced: $\hat{F}(0) = \pm 2^{\frac{n}{2}}$
◮ Plateaued functions: $\hat{F}(\omega) \in \{-2^{\lambda}, 0, 2^{\lambda}\}$ for all $\omega$
  ◮ Can be balanced
  ◮ Reach both Siegenthaler's and Tarannikov's bounds
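The criteria of the slides from the basic definitions through the special classes (truth table, ANF and Walsh transform; balancedness, algebraic degree, nonlinearity and resiliency; the covering radius, Siegenthaler and Tarannikov bounds; the bent and plateaued conditions), as an added example that is not part of the lecture. It recomputes every value the slides state for the running example $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_1 \oplus x_2 \oplus x_3$, and applies the same checks to a 4-variable bent function $g = x_1 x_2 \oplus x_3 x_4$ that is constructed here and does not appear on the slides.

```python
# Added example, not code from the lecture: the Boolean-function criteria and
# bounds of the preceding slides, computed by brute force. Truth tables use the
# slides' column order: entry i of the table is f(x) for the input with
# x_1 = bit 0 of i, x_2 = bit 1, ..., so for n = 3 the entries correspond to
# x = 000, 100, 010, 110, 001, 101, 011, 111. The 4-variable function g used
# below as a bent example is constructed here and does not appear on the slides.

def truth_table(f, n):
    """Omega_f for a Python function f taking the tuple (x_1, ..., x_n)."""
    return [f(tuple((i >> k) & 1 for k in range(n))) for i in range(1 << n)]

def num_vars(tt):
    return len(tt).bit_length() - 1

def is_balanced(tt):
    """w_H(f) = 2^(n-1), equivalently hat F(0) = 0."""
    return sum(tt) == len(tt) // 2

def walsh_spectrum(tt):
    """hat F(w) = sum_x (-1)^(f(x) + w.x), indexed by w exactly like the truth
    table, computed with the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * b for b in tt]  # (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def anf_monomials(tt):
    """Moebius transform: the monomials of the ANF, each given as the bit mask
    of the variables it contains (mask 0 would be the constant 1)."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return {m for m, c in enumerate(a) if c}

def algebraic_degree(tt):
    return max((bin(m).count("1") for m in anf_monomials(tt)), default=0)

def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max_w |hat F(w)| / 2."""
    return (1 << (num_vars(tt) - 1)) - max(abs(v) for v in walsh_spectrum(tt)) // 2

def resiliency_order(tt):
    """Largest t with hat F(w) = 0 for every w of weight <= t; -1 if unbalanced."""
    spec = walsh_spectrum(tt)
    t = -1
    for k in range(num_vars(tt) + 1):
        if any(spec[w] != 0 for w in range(len(spec)) if bin(w).count("1") == k):
            break
        t = k
    return t

def is_bent(tt):
    """Every Walsh value is +-2^(n/2); only possible for even n."""
    n = num_vars(tt)
    return n % 2 == 0 and all(abs(v) == 1 << (n // 2) for v in walsh_spectrum(tt))

def is_plateaued(tt):
    """Walsh values lie in {-2^lambda, 0, 2^lambda} for a single lambda."""
    amplitudes = {abs(v) for v in walsh_spectrum(tt)} - {0}
    if len(amplitudes) != 1:
        return False
    amp = amplitudes.pop()
    return amp & (amp - 1) == 0  # a power of two

def profile(tt):
    return {"balanced": is_balanced(tt), "degree": algebraic_degree(tt),
            "nonlinearity": nonlinearity(tt), "resiliency": resiliency_order(tt),
            "bent": is_bent(tt), "plateaued": is_plateaued(tt)}

def bounds_hold(tt):
    """Covering-radius, Siegenthaler and Tarannikov bounds; the last two are
    stated for resilient (in particular balanced) functions only."""
    n, t = num_vars(tt), resiliency_order(tt)
    d, nl = algebraic_degree(tt), nonlinearity(tt)
    return {"covering_radius": nl <= 2 ** (n - 1) - 2 ** (n / 2 - 1),
            "siegenthaler": t < 0 or d <= n - t - 1,
            "tarannikov": t < 0 or nl <= 2 ** (n - 1) - 2 ** (t + 1)}

F_SLIDES = truth_table(lambda x: (x[0] & x[1]) ^ x[0] ^ x[1] ^ x[2], 3)
G_BENT = truth_table(lambda x: (x[0] & x[1]) ^ (x[2] & x[3]), 4)  # constructed

if __name__ == "__main__":
    for name, tt in (("f (slides)", F_SLIDES), ("g = x1x2 + x3x4", G_BENT)):
        print(name, "truth table", tt, "Walsh", walsh_spectrum(tt))
        print("   ", profile(tt), bounds_hold(tt))
```

For the slides' $f$ the code returns the truth table 0 1 1 1 1 0 0 0, the spectrum 0 0 0 0 −4 4 4 4, degree 2, nonlinearity 2 and resiliency order 0 (balanced but not 1-resilient), and confirms that $f$ is plateaued and meets Tarannikov's bound with equality; $g$ comes out bent (all Walsh values ±4, nonlinearity 6 = $2^3 - 2^1$) and, as the slide says, unbalanced.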
Block Ciphers: Substitution-Permutation Network

Round function of an SPN cipher:
  [Figure: PT → parallel S-boxes $S_1, S_2, \ldots, S_{10}$ → $\pi$-box → ⊕ round key $K_i$ → CT]

◮ $S_i: \mathbb{F}_2^n \to \mathbb{F}_2^n$ are S-boxes providing confusion [8]
◮ Security of the confusion layer ⇔ cryptographic properties of the $S_i$
S-Boxes: General Definitions

◮ A Substitution Box (S-box) is a mapping $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$ defined by $m$ coordinate functions $f_i: \mathbb{F}_2^n \to \mathbb{F}_2$
◮ The component functions $v \cdot F: \mathbb{F}_2^n \to \mathbb{F}_2$, for $v \in \mathbb{F}_2^m$, are the linear combinations of the $f_i$
  [Figure: inputs $x_1, \ldots, x_8$ enter $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$ with coordinate functions $f_1, \ldots, f_6$; for example $(1,0,1,0,1,0) \cdot F = f_1 \oplus f_3 \oplus f_5$]
◮ In SPN ciphers, one uses S-boxes with $m = n$
Balancedness and Algebraic Degree

Balancedness:
◮ $F: \mathbb{F}_2^n \to \mathbb{F}_2^m$ is balanced if $|F^{-1}(y)| = 2^{n-m}$ for all $y \in \mathbb{F}_2^m$
◮ $F$ is balanced ⇔ all its component functions $v \cdot F$ are balanced
◮ Balanced functions with $m = n$ are bijective S-boxes

Algebraic degree:
◮ Degree of the ANF of $F$ over $\mathbb{F}_2^m$
◮ Equal to the maximum degree of all coordinate functions
◮ S-boxes of high degree thwart higher-order differential attacks
Nonlinearity

◮ Walsh transform for the component $v \cdot F$:
  $$\hat{F}(v, \omega) = \sum_{x \in \mathbb{F}_2^n} (-1)^{v \cdot F(x) \oplus \omega \cdot x}$$
◮ Nonlinearity of the component $v \cdot F$:
  $$nl(v \cdot F) = 2^{n-1} - \frac{1}{2} \max_{\omega \in \mathbb{F}_2^n} \left| \hat{F}(v, \omega) \right|$$
◮ The nonlinearity of an S-box $F$ is defined as the minimum nonlinearity among all its component functions
◮ S-boxes with high nonlinearity resist linear cryptanalysis attacks
Differential Uniformity

◮ Delta difference table of $F$ with respect to $a, b$:
  $$D_F(a, b) = \{x \in \mathbb{F}_2^n : F(x) \oplus F(x \oplus a) = b\}$$
◮ Given $\delta_F(a, b) = |D_F(a, b)|$, the differential uniformity of $F$ is:
  $$\delta_F = \max_{a \in \{0,1\}^n,\, a \ne 0,\; b \in \{0,1\}^m} \delta_F(a, b)$$
◮ S-boxes with low differential uniformity are able to resist differential cryptanalysis attacks
Bounds and Special Classes

For nonlinearity:
◮ Covering radius bound ($m < n$): $nl(F) \le 2^{n-1} - 2^{\frac{n}{2} - 1}$
  ◮ Bent functions reach this bound ($n$ even)
◮ Sidelnikov-Chabaud-Vaudenay bound ($m = n$): $nl(F) \le 2^{n-1} - 2^{\frac{n-1}{2}}$
  ◮ Almost Bent functions (AB) reach this bound ($n$ odd)

Bounds for differential uniformity:
◮ For $m < n$: $\delta_F \ge 2^{n-m}$
  ◮ Bent functions reach this bound ($n$ even)
◮ For $m = n$: $\delta_F \ge 2$
  ◮ Almost Perfect Nonlinear functions (APN) reach this bound (AB ⇒ APN)
  ◮ Exist for even and odd $n$
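The S-box criteria of the preceding four slides (balancedness and bijectivity, algebraic degree as the maximum over the coordinate functions, component Walsh transform and nonlinearity, delta difference table and differential uniformity, and the $m = n$ bounds met by AB and APN functions), as an added example that is not part of the lecture. The S-box is the cube map $x \mapsto x^3$ over $\mathrm{GF}(2^3)$ with modulus $x^3 + x + 1$, constructed here because it is the classic Gold power function, which for odd $n$ is AB and hence APN; an affine S-box is profiled beside it for contrast. Brute force over all $v$, $\omega$, $a$, $b$ is fine at this size.

```python
# Added example, not code from the lecture: the S-box criteria of the preceding
# slides (balancedness, algebraic degree, component nonlinearity, differential
# uniformity) computed by brute force for a small n, together with the m = n
# bounds. The S-box is the constructed cube map x -> x^3 over GF(2^3) with
# modulus x^3 + x + 1, a Gold power function known to be AB and hence APN for
# odd n; an affine S-box is included for contrast.

def gf_mul(a, b, n=3, modulus=0b1011):
    """Carry-less multiplication in GF(2^n) reduced modulo the given polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= modulus
    return r

def cube_sbox(n=3, modulus=0b1011):
    """Lookup table of F(x) = x^3 in GF(2^n)."""
    return [gf_mul(gf_mul(x, x, n, modulus), x, n, modulus) for x in range(1 << n)]

def parity(x):
    return bin(x).count("1") & 1

def component_walsh(sbox, v, w):
    """hat F(v, w) = sum_x (-1)^(v.F(x) + w.x) for the component v.F."""
    return sum((-1) ** (parity(v & sbox[x]) ^ parity(w & x)) for x in range(len(sbox)))

def sbox_nonlinearity(sbox, m):
    """Minimum over nonzero v of nl(v.F) = 2^(n-1) - max_w |hat F(v, w)| / 2."""
    n = len(sbox).bit_length() - 1
    return min(
        (1 << (n - 1)) - max(abs(component_walsh(sbox, v, w)) for w in range(1 << n)) // 2
        for v in range(1, 1 << m)
    )

def differential_uniformity(sbox, m):
    """delta_F = max over a != 0 and b of |{x : F(x) + F(x + a) = b}|."""
    delta = 0
    for a in range(1, len(sbox)):
        counts = [0] * (1 << m)  # row a of the difference distribution table
        for x in range(len(sbox)):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        delta = max(delta, max(counts))
    return delta

def is_balanced(sbox, m):
    """|F^{-1}(y)| = 2^(n-m) for every y in F_2^m (a permutation when m = n)."""
    n = len(sbox).bit_length() - 1
    counts = [0] * (1 << m)
    for y in sbox:
        counts[y] += 1
    return all(c == 1 << (n - m) for c in counts)

def algebraic_degree(sbox, m):
    """Maximum ANF degree over the m coordinate functions f_i(x) = bit i of F(x).
    The ANF coefficient of monomial u is the XOR of f_i(x) over all x that are
    bit-subsets of u."""
    degree = 0
    for i in range(m):
        coords = [(y >> i) & 1 for y in sbox]
        for u in range(len(sbox)):
            if sum(coords[x] for x in range(len(sbox)) if x & u == x) & 1:
                degree = max(degree, bin(u).count("1"))
    return degree

def sbox_profile(sbox, m):
    n = len(sbox).bit_length() - 1
    nl, delta = sbox_nonlinearity(sbox, m), differential_uniformity(sbox, m)
    return {
        "balanced": is_balanced(sbox, m),
        "degree": algebraic_degree(sbox, m),
        "nonlinearity": nl,
        "differential_uniformity": delta,
        # m = n bounds from the slides: SCV bound (met by AB) and delta_F >= 2 (met by APN)
        "almost_bent": m == n and n % 2 == 1 and nl == (1 << (n - 1)) - (1 << ((n - 1) // 2)),
        "apn": m == n and delta == 2,
    }

if __name__ == "__main__":
    print("x^3 over GF(2^3):", cube_sbox(), sbox_profile(cube_sbox(), 3))
    affine = [x ^ 0b101 for x in range(8)]  # constructed affine S-box x + 5
    print("affine x + 5:   ", affine, sbox_profile(affine, 3))
```

The cube map comes out as the permutation 0 1 3 4 5 6 7 2 with degree 2, nonlinearity $2 = 2^2 - 2^1$ (the SCV bound for $n = 3$) and differential uniformity 2, so it is both AB and APN; the affine S-box is balanced too, but has nonlinearity 0 and differential uniformity $8 = 2^n$, the worst possible values for both criteria.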