Cryptography, Attacks and Countermeasures Lecture 4 –Boolean Functions John A Clark and Susan Stepney Dept. of Computer Science University of York, UK

Stream Cipher Components Boolean Functions Typical Security Related Criteria Non-linearity. Correlation immunity Algebraic degree. Tradeoffs Will give a linear algebra treatment. Pythagoras’s theorem!

Boolean Functions A Boolean function f:{0,1} n ->{0,1} Polar representation f(x) x Can view BF as vector in R 2 n f(x) = ( -1 ) f(x)

Boolean Functions – Algebraic normal Form (ANF) A Boolean function on n-inputs can be represented in minimal sum (XOR +) of products (AND.) form: This is the algebraic normal form of the function. The algebraic degree of the function is the size of the largest subset of inputs (i.e. the number of x j in it) associated with a non-zero co- efficient. 1 is a constant function (as is 0) x 1 +x 3 +x 5 is a linear function x 1.x 3 +x 5 is a quadratic function x 1.x 3.x 5 +x 4 x 5 +x 2 is a cubic function f(x 1,…,x n )=a 0 +a 1. x 1 +…+a n. x n + a 1,2.x 1.x 2 +…+ a n-1,n.x n-1.x n +… …+a 1,2..n x 1.x 2...x n

Generating ANF Given f(x 1,…,x n ) it is fairly straightforward to derive the ANF. Consider the general form: The constant term a0 is easily derived. a 0 =f(0,0,…,0) We can now determine a k by considering: f(1,….,0,0,0)=a 0 +a 1 x 1 = a 0 +a 1 and so a 1 =a 0 +f(1,….,0,0,0) f(0,1,0….,0,0)=a 0 +a 2 x 2 = a 0 +a 2 and so a 2 =a 0 + f(0,1,0….,0,0)……. f(0,0,0….,0,1)=a 0 +a n x n = a 0 +a n and so a n =a 0 +f(0,0,0,….0,1) We can now determine a j,k by considering: f(1,1,0…,0)=a 0 +a 1 x 1 +a 2 x 2 + a 1,2 x 1,2 = a 0 +a 1 +a 2 +a 1,2 and so a 1,2 = a 0 +a 1 +a 2 + f(1,1,0…,0) and so on. f(x 1,…,x n )=a 0 +a 1. x 1 +…+a n. x n + a 1,2.x 1.x 2 +…+ a n-1,n.x n-1.x n +… …+a 1,2..n x 1.x 2...x n

Vectors and their Representations Boolean functions can be regarded as vectors in R 2 n. Boolean functions are vectors with elements 1 or –1. Any vector space has a basis set of vectors. Given any vector v it can always be expressed UNIQUELY as a weighted sum of the vectors in the basis set. This in 3-D we have the following standard basis Others are possible:

Orthonormal Basis If the basis vectors are orthogonal and each have norm (length) 1 we say that they form an orthonormal basis. We can express any vector in terms of its projections onto each of the basis vectors.

Creating Orthonormal Basis Given a basis you can always turn it into an orthonomal basis using the Gram-Schmidt procedure. (We won’t go into details). Given an orthogonal basis you can always create an orthonormal one by dividing each vector by its norm. In 2-D, the following are clearly orthogonal We can form an orthonomal basis

N-Dimensional vectors To normalise an n-dimensional vector we proceed in the same way. The norm is the square root of the sum of squares of its elements

Linear Functions Recall that for any  in 0..(2 n -1) we can define a linear function for all x in 0..(2 n -1) by: where  and x are simply sequences of bits We will use natural decimal indexing where convenient, e.g

Polar Form of Linear Functions The polar form of a linear function is just a vector of +1 and –1 elements defined by

Orthonormal Basis of Linear Functions x Columns are polar forms of functions

Balance One criterion that we might desire for a combining function is balance. there are an equal number of 0’s and 1’s in the truth table form. there are an equal number of +1’s and –1’s in the polar form. The polar form has elements that sum to 0. Or, if you take the dot product of the polar form of a function with the constant function comprising all 1’s, the result is 0. New improved slide

Linear Functions are Balanced Each linear function has an equal number of 1’s and –1’s (and so is a balanced function). The sum of elements in a column is just Is it obvious that this will always produce a sum to zero, whatever the value of  ? Consider  with k bits set (w.l.o.g. consider the first k bits as set). Now consider x as it varies over its whole range. Can you partition the x into two equal sets that give opposite values of the L w (x)? (Consider the x 1 component.)

Linear Functions are Balanced Consider

Linear Functions are Orthogonal Dissimilar linear functions are orthogonal. Consider the dot product of any two columns of the 8 x 8 matrix given earlier. The result is 0. To see why. Consider two linear functions x 1 + x 3 and x 2 + x 3. The dot product is given by

Orthonormal Basis with Linear Functions The linear functions are vectors of 2 n elements each of which is 1 or –1. The norm is therefore Thus we can form an orthonormal basis set

Representing Functions Since a function f is just a vector and we have an orthonormal basis, we can represent it as the sum or projections onto the elements of that basis. This is called the Walsh Hadamard function This is the signed magnitude of the projection onto the linear function

Security Criteria - Balance Various desirable properties of functions are expressed in terms of the Walsh Hadamard function values. Balance – equal numbers of trues and falses, or +1’s and –1’s in the polar form. Saw that the projection onto the constant function should be 0.

Security Criteria We saw that functions that ‘looked like’ (agreed with) linear functions too much were a problem. But a measure of agreed with is fairly easily calculable (Hamming distance with linear function in usual bit form). In polar form, we simply take the dot product with the linear function. When sort of function f agrees most with the linear function L  ? Yes, when f = L  all the elements agree

Security Criteria – Non-linearity Also if they all disagree, i.e. f= NOT L , we can form another function that agrees with L  entirely by negating f. Or in other words f   1 A function f that has minimal useful agreement (i.e. 50% agreement) with L  has Hamming distance of 2 n/2 with it. Or, in polar terms (each is +1 or –1), half the elements agree and half disagree

Security Criteria – Non-linearity Well, if correlation with linear functions is a bad idea let’s have all such correlations being equal to 0, i.e. choose f such that the projections onto all linear functions are 0. Would if I could, but I can’t. Why is this NOT possible?

Back in Mundane World of 3-D In 3-D is there a vector that has a null projection onto the x-axis? Is there a vector that has a null projection onto each of the x and y axes? Is there a vector that has a null projection onto each of the x, y and z axes?

Security Criteria Because we have a basis set of linear functions. If a vector has a null projection onto all of them it is the zero-vector. A Boolean function is not a zero-vector. It must be have projections onto some of the linear functions. But some projections are more harmful than others from the point of view of the correlation attacks. Those correlations with single inputs are particularly dangerous, followed by correlations with linear functions of two inputs etc.

Security Criteria – Correlation Immunity Correlations with single inputs correspond to projections onto the L  where the  has only a single bit set. For three inputs, we might require Similarly, correlations with linear functions on two inputs correspond to the projections onto linear functions L  where the  has only two bits set.

Security Criteria – Correlation Immunity If a function has a null projection onto all linear L  functions with 1,2,..,k bits set in  (i.e. it is uncorrelated with any subset of k or fewer inputs) the function is said to be correlation immune of order k. Or put another way If it is also balanced then we say it is resilient.

Non-linearity For a variety of reasons (there are other attacks that exploit linearity) we would like to keep the degree of agreement with any linear function as low as possible. So if we cannot have all that we want (all projections 0) perhaps we might try to keep the worst agreement to a minimum. These leads to the definition of the non-linearity of a function. We want to keep the Hamming distance to any linear function (or its negation) as close to 2 (n/2) as possible. Or.. Keep the maximum absolute value of any projection on a linear function to a minimum. Keep the following as low as possible

Non-linearity Non-linearity is defined by: It seeks to minimise the worst absolute value of the projection onto any linear function. But what is the maximum value we can get for non- linearity?

Boolean Functions We can project these vectors onto a basis of 2 n orthogonal (Boolean function) vectors L 0, …, L 2 n -1. where L  (x)=  1 x 1  …   n x n f(x) Each point on the 2 n dimension hyper-sphere surface has a standard vector representation and a spectral representation in terms of its Walsh Hadamard values.

Norm of a Vector The square of the length of the vector is just the sum of squares of its projection magnitudes onto the orthonormal basis. Thus, for 2-D we have the usual Pythagoras rule b a c

Norm of a Boolean Vector The square of the norm of a Boolean vector is just 2 n. But we know that this is just the sum of the squares of the projections onto the orthonormal basis

Parseval’s Theorem Parseval’s Theorem. This is really a form of Pythagoras’s theorem. This means that if we reduce the magnitude of one of the F(  ) another must increase in magnitude.

Bent Functions Maximise Non-linearity Researched first by Rothaus. These functions maximise non-linearity and are functions on even numbers of variables. Bent functions have projection magnitudes of the same size (but with different signs) But this includes projection onto the constant function => not a balanced function. If you want maximum non-linearity, you cannot have balance.

Correlation Immunity and Non-linearity Let’s look again at Parseval’s theorem: Now if we want correlation immunity of order k Then the F(  ) of some of the remaining (|  |>k) must increase in magnitude. But this increases non- linearity. Non-linearity and correlation immunity are in conflict.

Other Criteria – Algebraic Degree All other things being equal, we would prefer more complex functions to simpler ones. One aspect that is of interest is the algebraic degree of the function. We would typically like this to be as high as possible. It can be shown (not here) that there is a conflict with correlation immunity. Sigenthaler has shown that for function f on n variables with correlation immunity of order m and algebraic degree d, we must have For balanced functions we must have m+d<=n m+d<=n-1

Further Structure There is another structure that can be exploited. It is a form of correlation between outputs corresponding to inputs that are related in a straightforward way. This is autocorrelation. Bitwise XOR

Tradeoffs We begin to see the sorts of problems cryptographers face. There are many different forms of attack. Protecting against one in an ideal way may allow another form of attack. Life is an unending series of tradeoffs. However, given the mathematical constraints, we might still want to achieve the best profile of properties we can. A lot of Boolean function research seeks constructions to derive such functions.

No Such Thing As A Secure Boolean Function There is no such thing as a secure Boolean function. There may be functions that are appropriate to be used in particular contexts to give secure system. However, the treatment here shows quite effective that life is not easy and that compromises have to be made. Nice treatment in terms of vector algebra and security criteria being defined in terms of subspaces of a vector space of R 2 n.