Presentation is loading. Please wait.

Presentation is loading. Please wait.

한국정보통신대학교 천정희 Nonlinear Resilient Functions 2001.6.26 Jung Hee Cheon Information and Communications University (ICU)

Published byEmory Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "한국정보통신대학교 천정희 Nonlinear Resilient Functions 2001.6.26 Jung Hee Cheon Information and Communications University (ICU)"— Presentation transcript:

1 한국정보통신대학교 천정희 Nonlinear Resilient Functions 2001.6.26 Jung Hee Cheon http://vega.icu.ac.kr/~jhcheon Information and Communications University (ICU)

2 한국정보통신대학교 천정희 2/51 Linear Resilient Functions  An [n,m,d] linear code is an m-dimensional subspace C of GF(2) n such that the Hamming distance between any two vectors in C is at least d.  Generating matrix G: an m×n matrix whose rows form a basis for C.  [CGH85]  f(x)=xG T is an (n,m,d-1)-resilient function.  The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function.

3 한국정보통신대학교 천정희 3/51 Nonlinear Resilient Functions  Conjecture 1: If there is a (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?  Disproved by Stinson and Massey(1995) -An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions (Journal of Cryptology, Vol. 8, 1995) -Construct nonlinear resilient functions from the Kerdock and Preparata codes -Showed nonexistence of linear resilient functions with the same parameter -For any odd integer r  3, a (2 r+1, 2 r+1 -2r-2, 5)-resilient function exists. -For r=3, (16,8,5)-resilient function exists.

4 한국정보통신대학교 천정희 4/51 Zhang and Zheng’s Construction  Composition of a resilient function and nonlinear permutation gives a nonlinear resilient function  F: a linear (n,m,k)-resilient function  G: a permutation on GF(2) m with nonlinearity N G  The P=G·F is a (n,m,k)-resilient function such that  the nonlinearity of P is 2 n-m N G  the algebraic degree of P is the same as that of G  Note that composition of a permutation does not change the frequency of the output

5 한국정보통신대학교 천정희 5/51 Zhang and Zheng’s Construction (Cont.)  Converse of the conjecture 1 holds.  If there is a linear function with certain parameters, then there exists a nonlinear resilient function with the same parameters. Limitation of ZZ construction  Nonlinear Resilient Functions gives better parameters and should be studied.  Limitation of ZZ construction  The algebraic degree of F is at most the output size m  It gives a parameter which corresponds to a linear resilient function

6 한국정보통신대학교 천정희 6/51 Algebraic Degree and Nonlinearity  Algebraic Degree of a Boolean function is the maximum of the degrees of the terms of f when written in reduced form  A linear function has algebraic degree 1  The maximum algebraic degree is the size of input.  The nonlinearity of a Boolean function f is the distance from affine function  N(f) = min wt(f+  ) where  ranges over all affine functions.  Nonlinearity is an important measure for the resistance against linear cryptanalysis a block cipher  The nonlinearity of a vector Boolean function F is the minimum nonlinearity of each component function b · F.  The nonlinearity of a linear function is 0

7 한국정보통신대학교 천정희 7/51 Nonlinearity  Known Results for nonlinearity of polynomials  N(x 2 k +1 ) = 2 n-1 – 2 (n+s)/2-1 if n/s is odd for s = gcd(n,k).  N(x 2 2k -2 k +1 ) = 2 n-1 – 2 (n-1)/2 if n is odd and gcd(n,k) = 1.  N(x -1 ) = 2 n-1 – 2 n/2 (By notation, 0 -1 = 0)  N(F(x))  2 n-1 -  k-1/2  · 2 n/2 if F is a polynominal of degree k in F 2 n.  N(F(1/x))  2 n-1 -  k+1/2  · 2 n/2 if F is a polynominal of degree k in F 2 n.  Nonlinearity of a polynomial is related with the number of rational points of associated algebraic curves.  What is the maximal nonlinearity of a balanced Boolean function with odd n ?

8 한국정보통신대학교 천정희 8/51 Stream Ciphers and Resilient Functions  Siegenthaler, 1984  The complexity of a Combining Generator depends on the resiliency of the combining function F.  Divide-and-Conquer Attack (Correlation Attack) - If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1 KSG 1 KSG 2 KSG n F

9 한국정보통신대학교 천정희 9/51 Previous Studies  Siegenthaler  Resiliency v.s. Algebraic Degree  k + d < n for a (n,1,k)-resilient function with algebraic degree d  Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitar, Tarannikov  Resiliency v.s. Nonlinearity  Try to maximize nonlinearity given parameters  Other works  Find the relation between cryptographic properties of Boolean functions - Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS  Count the number of Boolean functions satisfying certain properties

10 한국정보통신대학교 천정희 10/51 Multi-output Stream Ciphers  To design a multi-output stream cipher based on a combining generator, we need a resilient function which  is nonlinear  has algebraic degree as large as possible  has nonlinearity as large as possible  has resiliency as large as possible KSG 1 KSG 2 KSG n F

11 한국정보통신대학교 천정희 11/51 Resiliency of a Boolean function  f(x) : a Boolean Function on GF(2) n  ker(f) = {x  GF(2) n | f(x+y)+f(x)+f(y)=0 for all y  GF(2) n }  B={a 1,a 2,a 3,…,a n } a basis whose first w elements forms a basis of ker(f)  Let c=(f(a 1 )+1, …, f(a n )+1)  Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)

12 한국정보통신대학교 천정희 12/51 Application  A linearized polynomial is a polynomial over GF(2 n ) such that  each of its terms has a degree of a power of 2  V(R) := {x  GF(2 n ) | R(x) = 0} forms a vector space over GF(2)  Let F(x) = 1/R(x)  Define F(x) = 1 when x belongs to V(R)  ker(f) = V(R) for any f(x) = Tr[b/R(x)] since  We can apply the main theorem

13 한국정보통신대학교 천정희 13/51 Theorem 2  Tr[bF] is a (w-1)-resilient function under a basis B where

14 한국정보통신대학교 천정희 14/51 Algebraic Degree and Nonlinearity  F(x)=1/R(x) has the algebraic degree n-1-w for the dim w of V(R).  F(x) has nonlinearity at least 2 n-1 – 2 w  2 n +2 w-1  Consider a complete nonsingular curve C a,b : y 2 + y = ax+b/R(x)  |t|=|#C a,b (GF(2 n ))-2 n -1|  2g  2 n where g=2 w -  a,0 is the genus of C a,b  #C a,b (GF(2 n ))=2#{x  GF(2 n )|ax=b F(x)}+2 w +1 +  a,0  C has a point for a root x of R  C has two points at the infinity if a =0 and one points otherwise  N(F) = 2 n-1 -2 -1 |t-2 w -2 n |

15 한국정보통신대학교 천정희 15/51 Example

16 한국정보통신대학교 천정희 16/51 Example2

17 한국정보통신대학교 천정희 17/51 Vector Resilient Functions  Theorem: If a [n,m,d] linear code exists, there is a (n+D+1,m,d-1)- resilient function exists for any non-negative integer D.  Note that we can find a linear (n,m,d-1)-resilient function from a [n,m,d] linear code.

18 한국정보통신대학교 천정희 18/51 A Simplex Code  Simplex Codes : a [2 m -1,m,2 m-1 ] linear code for any positive m  Each codeword has the weight 2 m-1  It is optimal in the sense that  Concatenating each codeword t times gives a [t2 m -1, m, t2 m-1 ] linear code, all of whose codeword have the same weight t2 m-1.  Theorem: There is a (t2 m -1+D+1, m, t2 m-1 -1)-resilient function for any positive integer t and D.  If there is a (n,m,d) linear code, there exists a (n+t2 m -1+D+1, m, d+t2 m-1 -1)- resilient function for any positive integer t and D.

19 한국정보통신대학교 천정희 19/51 New Resilient Functions from Old  [BGS94]  If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient function.  If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient function.  [ZZ95]  If F is an (n,m,t)-resilient functions, then  G(x,y)=(F(x)  F(y), F(y)  F(z)) is an (3n,2m,2t+1)-resilient function.  If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then  F(x)  G(y) is (n+n’, m, t+t’+1)-resilient function.  If F is (n,m,t)-resilient and G is (n’, m’, t’)-resilient, then  F(x)  G(y) is (n+n’, m+m’, T)-resilient function where T=min{t,t’}

20 한국정보통신대학교 천정희 20/51 Stream Ciphers -revisited  Correlation Coefficient  c(f,g)=#{x|f = g} - #{x|f  g}  F is k-resilient if W f (w)=c(F,l w )=0 for all w with wt(w)  k.  Maximal Correlation (Zhang and Agnes, Crypto’00)  Let F be a function from GF(2 n ) to GF(2 m ).  C F (w)=max c(g ° F, l w ) where g runs through all Boolean functions on GF(2 m ).  Here we consider not only linear functions, but also nonlinear functions for g.  In a combining generator with more than one bit output,  A combining function F should have small maximal correlation (Relate to number of rational points of associated algebraic curves)  We should consider a resiliency of a composition with F and a Boolean function which is not necessarily linear.

21 한국정보통신대학교 천정희 21/51 Questions  What is the maximum resiliency given n and m?  Find the relation among nonlinearity, resiliency and the size of output?  Count resilient functions with certain parameters  Relation between nonlinear codes and nonlinear resilient functions  Extend Siegenthaler’s Inequality to a function with m>1  k + d < n for a (n,1,k)-resilient function with algebraic degree d

22 한국정보통신대학교 천정희 22/51 Questions???? DISCUSSION

Download ppt "한국정보통신대학교 천정희 Nonlinear Resilient Functions 2001.6.26 Jung Hee Cheon Information and Communications University (ICU)"

Similar presentations

Notes 6.6 Fundamental Theorem of Algebra

Notes 6.6 Fundamental Theorem of Algebra
Vector Spaces A set V is called a vector space over a set K denoted V(K) if is an Abelian group, is a field, and For every element vV and K there exists.

Vector Spaces A set V is called a vector space over a set K denoted V(K) if is an Abelian group, is a field, and For every element vV and K there exists.
5.4 Basis And Dimension.

5.4 Basis And Dimension.
Cryptography and Network Security

Cryptography and Network Security
Session 2: Secret key cryptography – stream ciphers – part 2.

Session 2: Secret key cryptography – stream ciphers – part 2.
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
SECTION 3.6 COMPLEX ZEROS; COMPLEX ZEROS; FUNDAMENTAL THEOREM OF ALGEBRA FUNDAMENTAL THEOREM OF ALGEBRA.

SECTION 3.6 COMPLEX ZEROS; COMPLEX ZEROS; FUNDAMENTAL THEOREM OF ALGEBRA FUNDAMENTAL THEOREM OF ALGEBRA.
Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.

Block ciphers 1 Session 3. Contents Design of block ciphers Non-linear transformations 2/25.
Linear Transformations

Linear Transformations
Chapter 5 Orthogonality

Chapter 5 Orthogonality
DIGITAL COMMUNICATION Coding

DIGITAL COMMUNICATION Coding
Probabilistic Methods in Coding Theory: Asymmetric Covering Codes Joshua N. Cooper UCSD Dept. of Mathematics Robert B. Ellis Texas A&M Dept. of Mathematics.

Probabilistic Methods in Coding Theory: Asymmetric Covering Codes Joshua N. Cooper UCSD Dept. of Mathematics Robert B. Ellis Texas A&M Dept. of Mathematics.
Introduction to Gröbner Bases for Geometric Modeling Geometric & Solid Modeling 1989 Christoph M. Hoffmann.

Introduction to Gröbner Bases for Geometric Modeling Geometric & Solid Modeling 1989 Christoph M. Hoffmann.
1. 2 Overview Some basic math Error correcting codes Low degree polynomials Introduction to consistent readers and consistency tests H.W.

1. 2 Overview Some basic math Error correcting codes Low degree polynomials Introduction to consistent readers and consistency tests H.W.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
Mathematics1 Mathematics 1 Applied Informatics Štefan BEREŽNÝ.

Mathematics1 Mathematics 1 Applied Informatics Štefan BEREŽNÝ.
Linear codes 1 CHAPTER 2: Linear codes ABSTRACT Most of the important codes are special types of so-called linear codes. Linear codes are of importance.

Linear codes 1 CHAPTER 2: Linear codes ABSTRACT Most of the important codes are special types of so-called linear codes. Linear codes are of importance.
DIGITAL COMMUNICATION Error - Correction A.J. Han Vinck.

DIGITAL COMMUNICATION Error - Correction A.J. Han Vinck.
Diophantine Approximation and Basis Reduction

Diophantine Approximation and Basis Reduction
Cyclic codes 1 CHAPTER 3: Cyclic and convolution codes Cyclic codes are of interest and importance because They posses rich algebraic structure that can.

Cyclic codes 1 CHAPTER 3: Cyclic and convolution codes Cyclic codes are of interest and importance because They posses rich algebraic structure that can.

Similar presentations

Ads by Google