한국정보통신대학교 천정희 Nonlinear Resilient Functions Jung Hee Cheon Information and Communications University (ICU)

한국정보통신대학교 천정희 2/51 Linear Resilient Functions  An [n,m,d] linear code is an m-dimensional subspace C of GF(2) n such that the Hamming distance between any two vectors in C is at least d.  Generating matrix G: an m×n matrix whose rows form a basis for C.  [CGH85]  f(x)=xG T is an (n,m,d-1)-resilient function.  The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function.

한국정보통신대학교 천정희 3/51 Nonlinear Resilient Functions  Conjecture 1: If there is a (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?  Disproved by Stinson and Massey(1995) -An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions (Journal of Cryptology, Vol. 8, 1995) -Construct nonlinear resilient functions from the Kerdock and Preparata codes -Showed nonexistence of linear resilient functions with the same parameter -For any odd integer r  3, a (2 r+1, 2 r+1 -2r-2, 5)-resilient function exists. -For r=3, (16,8,5)-resilient function exists.

한국정보통신대학교 천정희 4/51 Zhang and Zheng’s Construction  Composition of a resilient function and nonlinear permutation gives a nonlinear resilient function  F: a linear (n,m,k)-resilient function  G: a permutation on GF(2) m with nonlinearity N G  The P=G·F is a (n,m,k)-resilient function such that  the nonlinearity of P is 2 n-m N G  the algebraic degree of P is the same as that of G  Note that composition of a permutation does not change the frequency of the output

한국정보통신대학교 천정희 5/51 Zhang and Zheng’s Construction (Cont.)  Converse of the conjecture 1 holds.  If there is a linear function with certain parameters, then there exists a nonlinear resilient function with the same parameters. Limitation of ZZ construction  Nonlinear Resilient Functions gives better parameters and should be studied.  Limitation of ZZ construction  The algebraic degree of F is at most the output size m  It gives a parameter which corresponds to a linear resilient function

한국정보통신대학교 천정희 6/51 Algebraic Degree and Nonlinearity  Algebraic Degree of a Boolean function is the maximum of the degrees of the terms of f when written in reduced form  A linear function has algebraic degree 1  The maximum algebraic degree is the size of input.  The nonlinearity of a Boolean function f is the distance from affine function  N(f) = min wt(f+  ) where  ranges over all affine functions.  Nonlinearity is an important measure for the resistance against linear cryptanalysis a block cipher  The nonlinearity of a vector Boolean function F is the minimum nonlinearity of each component function b · F.  The nonlinearity of a linear function is 0

한국정보통신대학교 천정희 7/51 Nonlinearity  Known Results for nonlinearity of polynomials  N(x 2 k +1 ) = 2 n-1 – 2 (n+s)/2-1 if n/s is odd for s = gcd(n,k).  N(x 2 2k -2 k +1 ) = 2 n-1 – 2 (n-1)/2 if n is odd and gcd(n,k) = 1.  N(x -1 ) = 2 n-1 – 2 n/2 (By notation, 0 -1 = 0)  N(F(x))  2 n-1 -  k-1/2  · 2 n/2 if F is a polynominal of degree k in F 2 n.  N(F(1/x))  2 n-1 -  k+1/2  · 2 n/2 if F is a polynominal of degree k in F 2 n.  Nonlinearity of a polynomial is related with the number of rational points of associated algebraic curves.  What is the maximal nonlinearity of a balanced Boolean function with odd n ?

한국정보통신대학교 천정희 8/51 Stream Ciphers and Resilient Functions  Siegenthaler, 1984  The complexity of a Combining Generator depends on the resiliency of the combining function F.  Divide-and-Conquer Attack (Correlation Attack) - If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1 KSG 1 KSG 2 KSG n F

한국정보통신대학교 천정희 9/51 Previous Studies  Siegenthaler  Resiliency v.s. Algebraic Degree  k + d < n for a (n,1,k)-resilient function with algebraic degree d  Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitar, Tarannikov  Resiliency v.s. Nonlinearity  Try to maximize nonlinearity given parameters  Other works  Find the relation between cryptographic properties of Boolean functions - Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS  Count the number of Boolean functions satisfying certain properties

한국정보통신대학교 천정희 10/51 Multi-output Stream Ciphers  To design a multi-output stream cipher based on a combining generator, we need a resilient function which  is nonlinear  has algebraic degree as large as possible  has nonlinearity as large as possible  has resiliency as large as possible KSG 1 KSG 2 KSG n F

한국정보통신대학교 천정희 11/51 Resiliency of a Boolean function  f(x) : a Boolean Function on GF(2) n  ker(f) = {x  GF(2) n | f(x+y)+f(x)+f(y)=0 for all y  GF(2) n }  B={a 1,a 2,a 3,…,a n } a basis whose first w elements forms a basis of ker(f)  Let c=(f(a 1 )+1, …, f(a n )+1)  Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)

한국정보통신대학교 천정희 12/51 Application  A linearized polynomial is a polynomial over GF(2 n ) such that  each of its terms has a degree of a power of 2  V(R) := {x  GF(2 n ) | R(x) = 0} forms a vector space over GF(2)  Let F(x) = 1/R(x)  Define F(x) = 1 when x belongs to V(R)  ker(f) = V(R) for any f(x) = Tr[b/R(x)] since  We can apply the main theorem

한국정보통신대학교 천정희 13/51 Theorem 2  Tr[bF] is a (w-1)-resilient function under a basis B where

한국정보통신대학교 천정희 14/51 Algebraic Degree and Nonlinearity  F(x)=1/R(x) has the algebraic degree n-1-w for the dim w of V(R).  F(x) has nonlinearity at least 2 n-1 – 2 w  2 n +2 w-1  Consider a complete nonsingular curve C a,b : y 2 + y = ax+b/R(x)  |t|=|#C a,b (GF(2 n ))-2 n -1|  2g  2 n where g=2 w -  a,0 is the genus of C a,b  #C a,b (GF(2 n ))=2#{x  GF(2 n )|ax=b F(x)}+2 w +1 +  a,0  C has a point for a root x of R  C has two points at the infinity if a =0 and one points otherwise  N(F) = 2 n |t-2 w -2 n |

한국정보통신대학교 천정희 15/51 Example

한국정보통신대학교 천정희 16/51 Example2

한국정보통신대학교 천정희 17/51 Vector Resilient Functions  Theorem: If a [n,m,d] linear code exists, there is a (n+D+1,m,d-1)- resilient function exists for any non-negative integer D.  Note that we can find a linear (n,m,d-1)-resilient function from a [n,m,d] linear code.

한국정보통신대학교 천정희 18/51 A Simplex Code  Simplex Codes : a [2 m -1,m,2 m-1 ] linear code for any positive m  Each codeword has the weight 2 m-1  It is optimal in the sense that  Concatenating each codeword t times gives a [t2 m -1, m, t2 m-1 ] linear code, all of whose codeword have the same weight t2 m-1.  Theorem: There is a (t2 m -1+D+1, m, t2 m-1 -1)-resilient function for any positive integer t and D.  If there is a (n,m,d) linear code, there exists a (n+t2 m -1+D+1, m, d+t2 m-1 -1)- resilient function for any positive integer t and D.

한국정보통신대학교 천정희 19/51 New Resilient Functions from Old  [BGS94]  If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient function.  If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient function.  [ZZ95]  If F is an (n,m,t)-resilient functions, then  G(x,y)=(F(x)  F(y), F(y)  F(z)) is an (3n,2m,2t+1)-resilient function.  If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then  F(x)  G(y) is (n+n’, m, t+t’+1)-resilient function.  If F is (n,m,t)-resilient and G is (n’, m’, t’)-resilient, then  F(x)  G(y) is (n+n’, m+m’, T)-resilient function where T=min{t,t’}

한국정보통신대학교 천정희 20/51 Stream Ciphers -revisited  Correlation Coefficient  c(f,g)=#{x|f = g} - #{x|f  g}  F is k-resilient if W f (w)=c(F,l w )=0 for all w with wt(w)  k.  Maximal Correlation (Zhang and Agnes, Crypto’00)  Let F be a function from GF(2 n ) to GF(2 m ).  C F (w)=max c(g ° F, l w ) where g runs through all Boolean functions on GF(2 m ).  Here we consider not only linear functions, but also nonlinear functions for g.  In a combining generator with more than one bit output,  A combining function F should have small maximal correlation (Relate to number of rational points of associated algebraic curves)  We should consider a resiliency of a composition with F and a Boolean function which is not necessarily linear.

한국정보통신대학교 천정희 21/51 Questions  What is the maximum resiliency given n and m?  Find the relation among nonlinearity, resiliency and the size of output?  Count resilient functions with certain parameters  Relation between nonlinear codes and nonlinear resilient functions  Extend Siegenthaler’s Inequality to a function with m>1  k + d < n for a (n,1,k)-resilient function with algebraic degree d

한국정보통신대학교 천정희 22/51 Questions???? DISCUSSION