
Functions on Finite Fields, Boolean Functions, and S-Boxes



  1. Functions on Finite Fields, Boolean Functions, and S-Boxes Gary McGuire Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland 1 July, 2013 Gary McGuire Functions on Finite Fields, Boolean Functions, and S-Boxes

  2. Boolean Function
     Let $\mathbb{F}_2 = \{0, 1\}$ be the integers modulo 2. Let $n$ be a positive integer. A Boolean function in $n$ variables is a function $f : (\mathbb{F}_2)^n \to \mathbb{F}_2$ (named after George Boole, professor in Cork, Ireland). There are $2^{(2^n)}$ Boolean functions in $n$ variables. A Boolean function can be given by listing all the possible values ($n = 3$ here):

     Input  Value
     000    0
     100    0
     010    0
     110    1
     001    1
     101    1
     011    1
     111    0

  3. Boolean Function
     Usually we use variables $x_1, \ldots, x_n$ called Boolean variables (taking values 0, 1) and we write the function as $f(x_1, \ldots, x_n)$. Example: $n = 3$, $f(x_1, x_2, x_3) = x_1 x_2 + x_3$. For large $n$ this is more efficient than the truth table!

     Input  Value
     000    0
     100    0
     010    0
     110    1
     001    1
     101    1
     011    1
     111    0

     Suitable for software and hardware, see other talks.

  4. Boolean Function
     How many functions can we write down in this way? Note that $x_i^2 = x_i$ for Boolean variables. When $n = 3$, any function is a 0,1 combination of $1, x_1, x_2, x_3, x_1 x_2, x_1 x_3, x_2 x_3, x_1 x_2 x_3$. In other words, any function can be written

     $c_0 \cdot 1 + c_1 x_1 + c_2 x_2 + c_3 x_3 + c_4 x_1 x_2 + c_5 x_1 x_3 + c_6 x_2 x_3 + c_7 x_1 x_2 x_3$

     where $c_i \in \mathbb{F}_2$. Note: 8 terms, so $2^8$ such functions. All of them! In general, any Boolean function in $n$ variables can be written

     $\sum_u c_u x^u$

     where $c_u \in \mathbb{F}_2$, $x^u = x_1^{u_1} \cdots x_n^{u_n}$, $u = (u_1, \ldots, u_n) \in (\mathbb{F}_2)^n$. This is called the Algebraic Normal Form (ANF) of $f$.

  5. Boolean Function
     The algebraic degree of $f$ is the max of the degrees of the terms in the ANF, e.g. $f(x_1, x_2, x_3) = x_1 x_2 + x_3$ has algebraic degree 2. High algebraic degree is needed for some cryptographic applications, e.g. as a combining function in stream ciphers:

  6. Linear Boolean Function
     If the algebraic degree is 1, $f$ looks like $f(x_1, \ldots, x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n$ and we say that $f$ is affine linear. Say $f$ is linear if $a_0 = 0$. Linear functions can also be defined by $f(x + y) = f(x) + f(y)$. The set of all affine linear functions in $n$ variables is important. There are $2^{n+1}$ such functions. In error-correcting code terminology, this set is the first-order Reed-Muller code, denoted $RM(1, n)$.

  7. Nonlinearity, Boolean Function
     Define the Hamming distance between two Boolean functions $f$ and $g$ by

     $d(f, g) = $ number of $x \in (\mathbb{F}_2)^n$ with $f(x) \neq g(x)$.

     The distance from $f$ to the set of affine linear functions is

     $\min_{a \in RM(1, n)} d(f, a)$.

     This is called the nonlinearity of $f$. Combining functions in stream ciphers need high algebraic degree and high nonlinearity; some other criteria are also important (balanced, resilient, ...) but are not the topic of this talk. Research problem: how to find functions that satisfy all the criteria (see other talks).

  8. Bent Function
     What do we mean by "high" nonlinearity? It can be proved that the nonlinearity of a Boolean function is at most

     $2^{n-1} - 2^{\frac{n}{2} - 1}$.

     Boolean functions that meet this bound are called bent functions. Unfortunately bent functions by themselves do not satisfy some of the other cryptographic criteria.

  9. Walsh Transform
     The nonlinearity is nicely related to the Walsh transform. The Walsh (or Walsh-Hadamard, or Fourier) transform of a Boolean function $f$ is

     $\hat{f}(a) = \sum_{x \in (\mathbb{F}_2)^n} (-1)^{f(x) + a(x)}$

     where $a(x)$ is any linear Boolean function. This measures how much $f$ agrees with $a$. Maximising $\hat{f}(a)$ gives the nearest linear function to $f$.

     $\mathrm{Nonlinearity}(f) = 2^{n-1} - \frac{1}{2} \max_a |\hat{f}(a)|$
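The quantities defined on slides 4 to 9, computed for the slides' own function $x_1 x_2 + x_3$, as an added example that is not part of the original talk. The bit-mask encoding of inputs (bit $i-1$ holds $x_i$) and the 4-variable function `G` are assumptions chosen for this illustration; `G` is a constructed example of a function meeting the bent bound.

```python
def truth_table(f, n):
    """Values of f over all inputs; index x has bit i-1 equal to x_i."""
    return [f(*[(x >> i) & 1 for i in range(n)]) for x in range(2 ** n)]

def anf(tt):
    """Moebius transform: truth table -> ANF coefficients c_u (bit i-1 of u is u_i)."""
    c, h = list(tt), 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return c

def algebraic_degree(tt):
    """Largest number of variables in any monomial with c_u = 1."""
    return max((bin(u).count("1") for u, cu in enumerate(anf(tt)) if cu), default=0)

def dot(a, x):
    """The linear function a(x) = a_1 x_1 + ... + a_n x_n over F_2."""
    return bin(a & x).count("1") & 1

def walsh(tt, a):
    """Walsh transform at a, computed directly from the defining sum."""
    return sum((-1) ** (tt[x] ^ dot(a, x)) for x in range(len(tt)))

def nonlinearity(tt):
    """2^(n-1) - (1/2) max_a |walsh(a)|."""
    return len(tt) // 2 - max(abs(walsh(tt, a)) for a in range(len(tt))) // 2

def distance_to_affine(tt):
    """Minimum Hamming distance to a_0 + a(x) over all a_0 and a (the RM(1, n) definition)."""
    return min(sum(tt[x] != (a0 ^ dot(a, x)) for x in range(len(tt)))
               for a in range(len(tt)) for a0 in (0, 1))

# The slides' example, and a constructed 4-variable function for the bent bound.
F = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)
G = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4), 4)
```

`F` reproduces the truth table in the order the slides list it, and the Walsh formula and the brute-force distance to the affine functions agree on both functions.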

  10. Boolean Function, Finite Field
     There is another common way to write down a Boolean function, i.e. another representation, using a finite field. Recall that a finite field $\mathbb{F}_{2^n}$ (also denoted $GF(2^n)$) is a field with $2^n$ elements. In a field you can add, subtract, multiply and divide (except by 0). The field $\mathbb{F}_{2^n}$ is constructed by finding an irreducible polynomial of degree $n$ and performing multiplication modulo this polynomial. The elements of $\mathbb{F}_{2^n}$ are all polynomials of degree $< n$ with coefficients in $\mathbb{F}_2$.

  11. Boolean Function, Finite Field
     Example: $x^2 + x + 1$ is irreducible over $\mathbb{F}_2$. This polynomial can be used to construct a finite field with $2^2 = 4$ elements. Elements are $0, 1, x, x + 1$ and $x^2 + x + 1 = 0$ in this field.
     Example: $x^8 + x^4 + x^3 + x + 1$ is irreducible over $\mathbb{F}_2$. This polynomial can be used to construct a finite field with $2^8 = 256$ elements. This example is important in AES.

  12. Boolean Function, Finite Field
     Because you can add, subtract, multiply and divide elements in finite fields, we can construct functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ using these operations, for example,

     $x$, $f(x) = x^{23} + x^9 + x^4 + 1$, $f(x) = x^3$, $f(x) = \frac{1}{x^2 + x + 1}$

     (which are defined everywhere the denominator is nonzero). The trace is the function $\mathrm{Tr} : \mathbb{F}_{2^n} \to \mathbb{F}_2$ defined by

     $\mathrm{Tr}(x) = x + x^2 + x^4 + \cdots + x^{2^{n-1}}$.

     Given any function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, $x \mapsto f(x)$, we can obtain a Boolean function $\mathbb{F}_{2^n} \to \mathbb{F}_2$ by taking $x \mapsto \mathrm{Tr}(f(x))$. Can all Boolean functions be obtained in this way?

  13. Boolean Function, Finite Field
     This point of view can be mathematically simpler. We are using $\mathbb{F}_{2^n}$ for $(\mathbb{F}_2)^n$. For example, a maximal LFSR sequence $(s_i)$ of period $2^n - 1$ can be described as $s_i = \mathrm{Tr}(c \alpha^i)$ where $\alpha$ is a primitive element in the finite field $\mathbb{F}_{2^n}$.

  14. S-Box
     Claude Shannon introduced some design criteria for ciphers. He proposed "confusion and diffusion" in the encryption algorithm. Many symmetric block ciphers (and hash functions) now have an S-Box to provide the "confusion".

  15. Vectorial Boolean Functions
     This S-box represents a function from $(\mathbb{F}_2)^4$ to itself. We need to talk about functions from $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$, or functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$. These are sometimes called vectorial Boolean functions. So consider

     $f : (\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$, where $x \mapsto (f_1(x), \ldots, f_n(x))$.

     The $f_i$ are called the coordinate functions of $f$. Each $f_i$ is a Boolean function. [We could also have $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^m$, like DES for example.]

  16. Vectorial Boolean Functions, S-Boxes
     Functions used in S-Boxes need to have several properties, to be resistant to various attacks.
     1. Differential Attack
     2. Linear Attack
     3. Others, omitted for this talk.

  17. Differential Cryptanalysis
     Consider equations $f(x + a) - f(x) = b$, an input difference of $a$ and an output difference of $b$. In differential cryptanalysis one exploits an output difference which occurs with high probability. To be resistant to this attack, for every $a$ and $b$ the equation $f(x + a) + f(x) = b$ should have a small number of solutions $x$. The highest possible number of solutions is called the differential uniformity of $f$. The smallest (best) possible differential uniformity is 2, because if $x$ is a solution, then $x + a$ is another solution.

  18. Vectorial Boolean Functions, Walsh Transform
     We extend the definition of Walsh/Fourier transform to these functions:

     $\hat{f}(a, b) := \sum_{x \in (\mathbb{F}_2)^n} (-1)^{\langle b, f(x) \rangle + \langle a, x \rangle}$

     where
     $a = (a_1, \ldots, a_n)$, $a_i \in \mathbb{F}_2$, $\langle a, x \rangle = a_1 x_1 + \cdots + a_n x_n$,
     $b = (b_1, \ldots, b_n)$, $b_i \in \mathbb{F}_2$, $\langle b, f(x) \rangle = b_1 f_1(x) + \cdots + b_n f_n(x)$.

     The nonlinearity of a vectorial Boolean function $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$ is the minimum of the nonlinearities over all linear combinations of the coordinate Boolean functions. In other words,

     $\mathrm{Nonlinearity}(f) = 2^{n-1} - \frac{1}{2} \max_{a, b\ (b \neq 0)} |\hat{f}(a, b)|$

  19. Linear Cryptanalysis
     This is also a powerful attack. Try to approximate the function in the S-box by a linear function. Best resistance is provided by functions with highest nonlinearity.
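The two S-box criteria from slides 17 and 18, evaluated for power maps on $\mathbb{F}_{2^8}$ built with the slides' polynomial $x^8 + x^4 + x^3 + x + 1$; this is an added example, not code from the talk. Encoding field elements as bytes, comparing the exponents 2, 3 and 254, and reading $x^{254}$ as inversion extended by $0 \mapsto 0$ are assumptions made for the illustration.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial named on slide 11

def gf_mul(a, b):
    """Multiply two elements of F_{2^8} (bytes read as polynomials over F_2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)  # multiply by x, then reduce
        b >>= 1
    return r

def power_map(e):
    """Lookup table of the S-box candidate x -> x^e on F_{2^8}, for e >= 1."""
    table = [1] * 256
    for x in range(256):
        for _ in range(e):
            table[x] = gf_mul(table[x], x)
    return table

def differential_uniformity(s):
    """Max over a != 0 and b of #{x : s(x + a) + s(x) = b}; field addition is XOR."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[s[x ^ a] ^ s[x]] += 1
        worst = max(worst, max(counts))
    return worst

def fwht(v):
    """Fast Walsh-Hadamard transform: entry a becomes sum_x v[x] * (-1)^<a,x>."""
    v, h = list(v), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def sbox_nonlinearity(s):
    """2^(n-1) - (1/2) max over a and b != 0 of |Walsh(a, b)|, here with n = 8."""
    worst = 0
    for b in range(1, 256):
        signs = [1 - 2 * (bin(b & y).count("1") & 1) for y in s]  # (-1)^<b, s(x)>
        worst = max(worst, max(abs(w) for w in fwht(signs)))
    return 128 - worst // 2
```

Calling both functions on `power_map(2)`, `power_map(3)` and `power_map(254)` contrasts a linear map, which fails both criteria completely, with the slides' $x^3$ and with field inversion.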
