
Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption - PowerPoint PPT Presentation

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for Boolean Functions
Pierrick Méaux, École normale supérieure, INRIA, CNRS, PSL
Boolean Functions and their Applications (BFA), Os, Norway, Tuesday


(Fast) Algebraic Attack

Algebraic Attack [CM03]. Let F be the keystream function of a stream cipher:
1. find g, a function of low algebraic degree, such that gF has low degree,
2. create T equations with monomials of degree ≤ deg(g),
3. linearize the system of T equations in $D = \sum_{i=0}^{\deg(g)} \binom{N}{i}$ variables,
4. solve the system in $O(D^\omega)$.

Algebraic Immunity. Let $F : \mathbb{F}_2^N \to \mathbb{F}_2$; we define
$$\mathrm{AI}(F) = \min\{\max(\deg(g), \deg(gF)),\ g \neq 0\} = \min\{\deg(g),\ g \neq 0 \mid gF = 0 \text{ or } g(F+1) = 0\}.$$
The attack complexity depends on deg(g) ≥ AI(F).

Fast Algebraic Attack [C03]. Let F be the keystream function of a stream cipher:
- find g and h, functions of low algebraic degree, such that gF = h with deg(g) < AI(F) and possibly deg(h) > deg(g),
- use coding methods to cancel the monomials of degree higher than deg(g),
- solve the system with better complexity than the Algebraic Attack.

We define
$$\mathrm{FAI}(F) = \min\Big\{2\,\mathrm{AI}(F),\ \min_{1 \le \deg(g) \le \mathrm{AI}(F)}\{\deg(g) + \deg(Fg),\ 3\deg(g)\}\Big\}.$$
14 / 32

Low Cost and Good Algebraic Immunity

Property: AI(F) ≤ ⌈N/2⌉.

Majority function. For $x = (x_1, \cdots, x_N) \in \mathbb{F}_2^N$,
$$\mathrm{Maj}_N(x) = \begin{cases} 0 & \text{if } w_H(x) < N/2, \\ 1 & \text{otherwise.} \end{cases}$$
Remark: AI(Maj_N) = ⌈N/2⌉, but its ANF has at least $\binom{N}{\lceil N/2 \rceil}$ monomials.

Direct sum. Let f_1 be a function of the ℓ variables x_1, ..., x_ℓ and f_2 a function of the N − ℓ variables x_{ℓ+1}, ..., x_N; their direct sum F is
$$F(x_1, \cdots, x_N) = f_1(x_1, \cdots, x_\ell) + f_2(x_{\ell+1}, \cdots, x_N).$$
Proposition: max(AI(f_1), AI(f_2)) ≤ AI(F) ≤ AI(f_1) + AI(f_2).

Triangular function. Let T_k be the Boolean function in N = k(k+1)/2 variables built as the direct sum of k monomials of degree 1 to k. Example: T_4 = x_1 + x_2x_3 + x_4x_5x_6 + x_7x_8x_9x_{10}.
Proposition: AI(T_k) = k. Remark: minimal number of monomials reachable.

Direct sum vector. Let F be a Boolean function obtained as a direct sum of monomials (i.e. each variable appears once and only once in the ANF); we define the direct sum vector of F as $m_F = [m_1, m_2, \cdots, m_k]$, where m_i is the number of monomials of degree i.
Theorem:
$$\mathrm{AI}(F) = \min_{1 \le d \le k}\Big(d + \sum_{i > d} m_i\Big).$$
15 / 32

Correlation-like Attacks

Correlation Attack / BKW-like Attack. Let F be the keystream function of a stream cipher:
1. find g, the best linear approximation of F,
2. create the linear system replacing F by g,
3. solve the LPN instance whose Bernoulli mean is the error made by the approximation.
Possible improvements: use of coding techniques or higher order approximation.

Nonlinearity. Let $F : \mathbb{F}_2^N \to \mathbb{F}_2$; we define $\mathrm{NL}(F) = \min_{g \text{ affine}} d_H(F, g)$, where $d_H(F, g) = \#\{x \in \mathbb{F}_2^N \mid F(x) \neq g(x)\}$ is the Hamming distance. The approximation error is $\mathrm{NL}(F)/2^N$.

Balancedness. $F : \mathbb{F}_2^N \to \mathbb{F}_2$ is balanced if its output is uniformly distributed over {0, 1}.

Resiliency. $F : \mathbb{F}_2^N \to \mathbb{F}_2$ is m-resilient if every restriction obtained by fixing at most m of its coordinates is balanced.
16 / 32

Low Cost and Good Criteria

Property: Let F be the direct sum of f_1 in n_1 variables and f_2 in n_2 variables:
- res(F) = res(f_1) + res(f_2) + 1,
- $\mathrm{NL}(F) = 2^{n_2}\,\mathrm{NL}(f_1) + 2^{n_1}\,\mathrm{NL}(f_2) - 2\,\mathrm{NL}(f_1)\,\mathrm{NL}(f_2)$.

Low cost functions:
- Resiliency: $L_n = \sum_{i=1}^{n} x_i$, which is (n − 1)-resilient.
- Nonlinearity: $Q_{2n} = \sum_{i=1}^{n} x_{2i-1}\,x_{2i}$.
- Algebraic immunity: $T_k = \sum_{i=1}^{k} \prod_{j=1}^{i} x_{\frac{i(i-1)}{2} + j}$.
- Low cost and optimized criteria: $F = L_{n_1} + Q_{2n_2} + T_k$.
17 / 32

Summary
- Introduction
- Filter Permutator [MJSC16]
- Standard Cryptanalysis and Low Cost Criteria
- Guess and Determine and Recurrent Criteria
  - G&D attacks and lessons
  - Recurrent criteria
- Fixed Hamming Weight and Restricted Input Criteria [CMR17]
- Conclusion and open problems
18 / 32

Guess and Determine Attacks

[Figure: key register x_1, ..., x_20 fed through the permutation π^{-1} into the filter F; the keystream bit is $z_0 = x_{\pi(1)} + x_{\pi(2)} + x_{\pi(3)} + x_{\pi(4)} + $ (monomials of degree ≥ 2 in $x_{\pi(5)}, \ldots, x_{\pi(20)}$); three guessed key bits are shown set to 0.]

Guess & Determine attack [Duval, Lallemand, Rotella 16]:
- guess ℓ positions being 0,
- focus on permutations cancelling the monomials of degree > 2,
- collect all degree-2 equations,
- linearise and try to solve the system,
- time complexity $2^\ell \big(1 + N + \binom{N}{2}\big)^\omega$, data complexity 1/Pr(P).
19 / 32

G&D Attacks and New Boolean Criteria

Attack lessons:
- zero-cost homomorphic update → unchanged key bits,
- ℓ guesses → F restricted to F′ on N − ℓ variables,
- attack on the degree of F′ [DLR16],
- AI(F′) → G&D + (fast) algebraic attacks?
- NL(F′), res(F′) → G&D + correlation attacks?
The attack depends on the criteria of F′ and on the probability of getting F′.

Recurrent criteria. For each Boolean criterion, we define its recurrent criterion, denoted by [ℓ], as the minimal value of this criterion taken over all functions obtained by fixing ℓ of the N variables of F:
- recurrent AI: AI[ℓ](F),
- FAI[ℓ](F),
- res[ℓ](F),
- NL[ℓ](F).
20 / 32

Recurrent Algebraic Immunity

Recurrent AI, AI[ℓ](F). We define AI[ℓ](F) as the minimal algebraic immunity over all functions obtained by fixing ℓ of the N variables of F.
Example: AI[1](F(x_1, x_2)) = min[AI(F(0, x_2)), AI(F(1, x_2)), AI(F(x_1, 0)), AI(F(x_1, 1))].

Proposition: For every Boolean function F and every ℓ such that 0 ≤ ℓ < N:
$$\mathrm{AI}(F) - \ell \le \mathrm{AI}[\ell](F) \le \mathrm{AI}(F).$$
Remark: both bounds are tight.

Proposition: For every strictly positive N and every ℓ such that 0 ≤ ℓ < N:
$$\mathrm{AI}[\ell](\mathrm{Maj}_N) = \max\Big(0,\ \Big\lceil \frac{N}{2} \Big\rceil - \ell\Big).$$
21 / 32

Recurrent Criteria and Direct Sums of Monomials

Criteria for direct sums of monomials. Let F be a direct sum of monomials with associated vector [m_1, ..., m_k]; we define two recurrent criteria:
- $m^*_F$: the number of nonzero values of m_F,
- $\delta_{m_F} = \frac{1}{2} - \frac{\mathrm{NL}(F)}{2^N}$: the bias to one half.
Remark: if F is a direct sum of monomials, so is F[ℓ].

Proposition: For every direct sum of monomials F:
- $m^*_{F[\ell]} \ge m^*_F - \left\lfloor \dfrac{\ell}{\min_{1 \le i \le k} m_i} \right\rfloor$,
- $\delta_{m_{F[\ell]}} \le \delta_{m_F}\, 2^\ell$.

Exact expressions of $m^*_{F[\ell]}$ and $\delta_{m_{F[\ell]}}$ in terms of m_F (see [MJSC16]): $m^*_{F[\ell]}$ ↔ upper bound on AI[ℓ](F); $\delta_{m_{F[\ell]}}$ ↔ exact value of NL[ℓ](F).
22 / 32

Summary
- Introduction
- Filter Permutator [MJSC16]
- Standard Cryptanalysis and Low Cost Criteria
- Guess and Determine and Recurrent Criteria
- Fixed Hamming Weight and Restricted Input Criteria [CMR17]
  - Restricted input and algebraic immunity
  - Restricted input and non-linearity
  - Constant weight and balancedness
- Conclusion and open problems
23 / 32

Fixed Hamming Weight and Restricted Input Criteria
Joint work with Claude Carlet and Yann Rotella: "Boolean functions with restricted input and their robustness; application to the FLIP cipher", ePrint 97 (2017).
24 / 32

Filter Permutator: Hamming Weight of the Input of F

[Figure: key register K → permutation generator (PRNG; $\psi_K : i \mapsto P_i(K)$, $\mathrm{Im}(\psi) \subseteq \mathbb{F}_2^N$) → filter function F; the keystream bit $F(P_i(K))$ is added to the plaintext bit m_i to give the ciphertext bit c_i.]

∀ i, $w_H(P_i(K)) = w_H(K)$, so F should be studied on $E_{N,k} := \{x \mid w_H(x) = k\}$:
→ algebraic immunity, → non-linearity, → balancedness.
25 / 32

Restricted Algebraic Immunity

Algebraic immunity over E. Let f be defined over a set E:
$$\mathrm{AI}_E(f) = \min\{\max(\deg(g), \deg(gf)),\ g \neq 0 \text{ over } E\} = \min\{\deg(g),\ g \neq 0 \text{ over } E \mid gf = 0 \text{ or } g(f+1) = 0\}.$$

Let $E \subseteq \mathbb{F}_2^N$ and $d \in \mathbb{N}$; we define the matrix $M_{d,E}$ with |E| rows indexed by x ∈ E and $\sum_{i=0}^{d} \binom{N}{i}$ columns indexed by $u \in \mathbb{F}_2^N$ with $w_H(u) \le d$, whose entry in row x and column u is $x^u := \prod_{i=1}^{N} x_i^{u_i}$.

Proposition: Let f be defined over E and e ∈ ℕ. If $\mathrm{rank}(M_{d,E}) + \mathrm{rank}(M_{e,E}) > |E|$, then there exist g ≠ 0 on E and h such that deg(g) ≤ e, deg(h) ≤ d, and gf = h on E.

Corollary:
$$\mathrm{AI}_E(f) \le \min\Big\{d \ ;\ \mathrm{rank}(M_{d,E}) > \frac{|E|}{2}\Big\}.$$
26 / 32

Algebraic Immunity over E_{N,k}

In particular, consider the set $E_{N,k} := \{x \mid w_H(x) = k\}$.
Theorem:
$$\mathrm{rank}(M_{d,E_{N,k}}) = \binom{N}{\min(d, k, N-k)}.$$
Corollary: For all 0 ≤ k ≤ N/2,
$$\mathrm{AI}_{E_{N,k}}(f) \le \min\Big\{d \ ;\ 2\binom{N}{d} > \binom{N}{k}\Big\}.$$
Remark: this proves that the best reachable $\mathrm{AI}_{E_{N,k}}$ is lower than in the general case.

Theorem: Let F be the direct sum of f and g in n and m variables, respectively; if n ≤ k ≤ m then $\mathrm{AI}_{E_{N,k}}(F) \ge \mathrm{AI}(f) - \deg(g)$.
27 / 32
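The rank criterion on $M_{d,E}$ from the two slides above, the direct-sum-vector formula for AI (slide 15) and the recurrent criterion AI[ℓ] (slide 21), worked out in Python as an added example; this is not code from the talk or from the cited papers. Function names are this example's own, and the direct-sum-vector formula is implemented with the minimum taken from d = 0 (the slide states 1 ≤ d ≤ k; the comment explains why the two agree whenever the function has a linear part).

```python
# Added example (not from the talk): Boolean-function criteria from the slides
# computed with GF(2) linear algebra.  Points x of F_2^N are ints, bit i-1 = x_i.
from itertools import combinations
from math import comb

def weight(x):
    return bin(x).count("1")                      # Hamming weight w_H(x)

def direct_sum(blocks):
    """Direct sum of monomials; blocks [(1,), (2, 3), (4, 5, 6)] is T_3."""
    return lambda x: sum(all((x >> (i - 1)) & 1 for i in b) for b in blocks) & 1

def direct_sum_vector(blocks):
    """m_F = [m_1, ..., m_k], m_i = number of monomials of degree i."""
    k = max(len(b) for b in blocks)
    return [sum(len(b) == i for b in blocks) for i in range(1, k + 1)]

def ai_from_vector(m):
    """AI of a direct sum of monomials: min_d (d + sum_{i>d} m_i).  The d = 0 term
    (the total monomial count) is included so the formula also covers sums with
    no linear part, e.g. a lone x1x2x3 with AI 1 since (x1+1)x1x2x3 = 0; when
    m_1 >= 1 that term never wins and the slide's range 1 <= d <= k agrees."""
    return min(d + sum(m[d:]) for d in range(len(m) + 1))

def gf2_rank(rows):
    """Rank over GF(2) of rows given as int bitmasks (Gaussian elimination)."""
    rank, rows = 0, [r for r in rows if r]
    while rows:
        pivot, rank = rows.pop(), rank + 1
        top = 1 << (pivot.bit_length() - 1)      # clear the pivot's top bit elsewhere
        rows = [r for r in (s ^ pivot if s & top else s for s in rows) if r]
    return rank

def build_M(E, N, d):
    """M_{d,E}: rows x in E, columns u with w_H(u) <= d, entry x^u = prod x_i^{u_i},
    which is 1 iff the mask u is contained in x."""
    cols = [u for u in range(1 << N) if weight(u) <= d]
    return [sum(1 << j for j, u in enumerate(cols) if u & x == u) for x in E]

def restricted_ai(f, E, N):
    """AI_E(f) = min deg(g) over g != 0 on E with g*f = 0 or g*(f+1) = 0 on E.
    Such a g of degree <= d exists iff ker M_{d,S} is strictly larger than
    ker M_{d,E}, S being the support of f (or of f+1) inside E: the rank drops."""
    S1, S0 = [x for x in E if f(x)], [x for x in E if not f(x)]
    for d in range(N + 1):
        r = gf2_rank(build_M(E, N, d))
        if gf2_rank(build_M(S1, N, d)) < r or gf2_rank(build_M(S0, N, d)) < r:
            return d
    return N

def E_weight(N, k):
    return [x for x in range(1 << N) if weight(x) == k]   # E_{N,k}

def corollary_bound(N, k):
    """Slide-27 bound for k <= N/2: AI_{E_{N,k}}(f) <= min{d : 2*C(N,d) > C(N,k)}."""
    return min(d for d in range(N + 1) if 2 * comb(N, d) > comb(N, k))

def recurrent_ai(f, N, ell):
    """AI[ell](f): min AI over all restrictions fixing ell of the N variables.
    A restriction lives on an affine subspace E, and its AI equals AI_E(f)."""
    best = N
    for pos in combinations(range(N), ell):
        mask = sum(1 << p for p in pos)
        for vals in range(1 << ell):
            fixed = sum(((vals >> j) & 1) << p for j, p in enumerate(pos))
            best = min(best, restricted_ai(f, [x for x in range(1 << N) if x & mask == fixed], N))
    return best

if __name__ == "__main__":
    N, blocks = 6, [(1,), (2, 3), (4, 5, 6)]             # T_3 on N = 6 variables
    T3 = direct_sum(blocks)
    print("AI(T_3) =", restricted_ai(T3, range(1 << N), N), "=", ai_from_vector(direct_sum_vector(blocks)))
    print("AI[1](T_3) =", recurrent_ai(T3, N, 1))      # the lower bound AI - 1 is tight here
    for k in (2, 3):
        print(f"AI over E_{N},{k}: {restricted_ai(T3, E_weight(N, k), N)} <= {corollary_bound(N, k)}")
```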

Restricted Non-linearity

Non-linearity over E. Let $E \subseteq \mathbb{F}_2^N$ and f be any Boolean function defined over E; we define $\mathrm{NL}_E(f) = \min_g \{d_H(f, g) \text{ over } E\}$, where g ranges over the affine functions over $\mathbb{F}_2^N$. Equivalently,
$$\mathrm{NL}_E(f) = \frac{|E|}{2} - \frac{1}{2}\max_{a \in \mathbb{F}_2^N}\Big|\sum_{x \in E} (-1)^{f(x) + a \cdot x}\Big|.$$

Looking for an upper bound, using the covering radius bound:
Proposition: For every subset E of $\mathbb{F}_2^N$ and every Boolean function f defined over E, we have
$$\mathrm{NL}_E(f) \le \frac{|E|}{2} - \frac{\sqrt{|E|}}{2}.$$

Proposition: Let $\mathcal{F}$ be a vector space. Assuming that there exists $v \in \mathbb{F}_2^N$ such that $v \cdot (x + y) = 1$ for all $(x, y) \in E^2$ with $0 \neq x + y \in \mathcal{F}^\perp$, we have
$$\mathrm{NL}_E(f) \le \frac{|E|}{2} - \frac{\sqrt{|E| + \lambda}}{2}, \quad \text{where } \lambda = \Big|\sum_{(x,y) \in E^2,\ 0 \neq x + y \in \mathcal{F}^\perp} (-1)^{f(x) + f(y)}\Big|.$$

Focusing on (N − 1)-dimensional vector spaces,
Corollary:
$$\lambda = \max_{a \in \mathbb{F}_2^N,\ a \neq 0}\Big|\sum_{(x,y) \in E^2,\ x + y = a} (-1)^{f(x) + f(y)}\Big| = \max_{a \in \mathbb{F}_2^N,\ a \neq 0}\Big|\sum_{x \in E \cap (a + E)} (-1)^{D_a f(x)}\Big|.$$
28 / 32

Non-linearity over E_{N,k}

In particular, considering the set E_{N,k}:
Proposition: For (N, k) ≠ (50, 3) and (N, k) ≠ (50, 47), the bound
$$\mathrm{NL}_{E_{N,k}}(f) \le \left\lfloor \frac{\binom{N}{k}}{2} - \frac{1}{2}\sqrt{\binom{N}{k}} \right\rfloor$$
cannot be tight.
This bound has been improved in [Mesnager17] using power sums of the Walsh transform.

Remark: $\max(\mathrm{NL}_{E_{N,k}}) \ge d/2$, where d is the minimal distance of a punctured first-order Reed-Muller code, whose value has been established in [Dumer, Kapralova 13].

Standard non-linearity can collapse:
Proposition: For every even N ≥ 4, the quadratic bent functions satisfying $\mathrm{NL}_{E_{N,k}}(f) = 0$ for every k are those of the form $f(x) = \sigma_1(x)\,\ell(x) + \sigma_2(x)$, where ℓ(1, ..., 1) = 0.
29 / 32

Balancedness on Constant Hamming Weight Input

Balancedness over E. $f : E \to \mathbb{F}_2$ is balanced over E if its output is uniformly distributed over {0, 1}.
We could be interested in the behaviour on a family of sets:

Weightwise Perfectly Balanced function. A Boolean function f defined over $\mathbb{F}_2^N$ is weightwise perfectly balanced (WPB) if
$$\forall k \in [1, N-1],\ w_H(f_k) = \frac{\binom{N}{k}}{2}, \quad \text{and } f(0, \ldots, 0) = 0,\ f(1, \ldots, 1) = 1,$$
where f_k denotes the restriction of f to E_{N,k}.

Theorem: Let g′ be an arbitrary N-variable function; if f, f′ and g are three N-variable WPB functions, then
$$h(x, y) = f(x) + \sum_{i=1}^{N} x_i + g(y) + \big(f(x) + f'(x)\big)\,g'(y)$$
is a 2N-variable WPB function.

Weightwise Almost Perfectly Balanced function. f defined over $\mathbb{F}_2^N$ is weightwise almost perfectly balanced (WAPB) if
$$\forall k \in [1, N-1],\ w_H(f_k) = \frac{\binom{N}{k}}{2} \text{ or } \frac{\binom{N}{k} \pm 1}{2}, \quad \text{and } f(0, \ldots, 0) = 0,\ f(1, \ldots, 1) = 1.$$

Proposition: The function f_N in N ≥ 2 variables defined as
$$f_N = \begin{cases} x_1 & \text{if } N = 2, \\ f_{N-1} & \text{if } N \text{ odd}, \\ f_{N-1} + x_{N-2} + \prod_{i=1}^{2^{d-1}} x_{N-i} & \text{if } N = 2^d,\ d > 1, \\ f_{N-1} + x_{N-2} + \prod_{i=1}^{2^{d}} x_{N-i} & \text{if } N = p \cdot 2^d,\ p > 1 \text{ odd},\ d \ge 1, \end{cases}$$
has the following properties for all N ≥ 2:
- f_N is WAPB,
- deg(f_N) = 2^{d−1}, where 2^d ≤ N < 2^{d+1},
- the ANF of f_N contains N − 1 − (N mod 2) monomials.
30 / 32

Summary
- Introduction
- Filter Permutator [MJSC16]
- Standard Cryptanalysis and Low Cost Criteria
- Guess and Determine and Recurrent Criteria
- Fixed Hamming Weight and Restricted Input Criteria [CMR17]
- Conclusion and open problems
31 / 32

Conclusion and Open Problems

The Filter Permutator is optimal for FHE, bringing new constraints on the filtering function:
- higher number of variables with a simpler circuit,
- resistant even when some inputs are known,
- robust on particular sets of inputs.

Still open questions:
- Low cost functions without direct sums?
- Simplest function providing security?
- Concrete values of recurrent criteria for all functions?
- Functions maximizing $\mathrm{NL}_{E_{N,k}}$, $\mathrm{AI}_{E_{N,k}}$?
- Fixed Hamming weight input and cryptanalysis?
- ...?
32 / 32
