Vector Boolean Functions: Applications in Symmetric Cryptography

José Antonio Álvarez Cubero

Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid

This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación

Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015

I would like to thank my wife, Isabel, for the love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also like to thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters, who have supported me throughout the entire process, both by keeping me harmonious and by helping me put the pieces together. I will be grateful forever for your love.

Declaration

The following papers have been published or accepted for publication, and contain material based on the content of this thesis.

1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html)

2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/cryptographic-criteria-on-vector-boolean-functions. (Published)

3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress. (Published)

4. [4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de Walsh al criptoanálisis lineal y diferencial. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI 2005), pages 11–18. Thomson. (Published)

José Antonio Álvarez Cubero November 2015

Acknowledgements

I would like to thank all the people who have helped me through the years along the route. I would like to express my gratitude to my supervisor Prof. Pedro J. Zufiria for the useful comments, remarks and engagement through the learning process of this thesis. I would also like to acknowledge the editors and reviewers of the journals in which I published the papers related to this thesis.

Resumen

This thesis establishes the theoretical foundations and designs an open collection of C++ classes called VBF (Vector Boolean Functions) for analysing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses Victor Shoup's NTL library, adding new modules that complement NTL's functions and adapt them for cryptographic analysis. The fundamental class representing a vector Boolean function can be initialised very flexibly from different data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form, among others. In this way VBF allows the evaluation of the most relevant cryptographic criteria for block and stream ciphers as well as for hash functions: for example, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures and the frequency distribution of the absolute values of the Walsh spectrum or of the autocorrelation spectrum, among other criteria. Additionally, VBF can carry out operations between vector Boolean functions such as equality testing, composition, inversion, sum, direct sum, bricklayering (the parallel application of vector Boolean functions as used in the Rijndael cipher) and the addition of coordinate functions. The thesis also shows the use of the VBF library in two practical applications. On the one hand, the most relevant characteristics of block ciphers have been analysed. On the other hand, by combining VBF with optimisation algorithms, Boolean functions have been designed whose cryptographic properties are the best known to date.

Abstract

This thesis develops the theoretical foundations and designs an open collection of C++ classes, called VBF, for analyzing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses the NTL library from Victor Shoup, adding new modules that complement the existing ones and make VBF better suited for cryptography. The fundamental class, which represents a vector Boolean function, can be initialized in a flexible way via several alternative data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form (ANF), among others. This way, VBF allows the evaluation of the most relevant cryptographic criteria for block and stream ciphers as well as for hash functions: for instance, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, and the frequency distribution of the absolute values of the Walsh Spectrum or the Autocorrelation Spectrum, among others. In addition, VBF can perform operations such as equality testing, composition, inversion, sum, direct sum, bricklayering (parallel application of vector Boolean functions, as employed in the Rijndael cipher), and adding the coordinate functions of two vector Boolean functions. This thesis also illustrates the use of VBF in two practical applications. On the one hand, the most relevant properties of existing block ciphers have been analysed. On the other hand, by combining VBF with optimization algorithms, new Boolean functions have been designed which have the best cryptographic properties known to date.

Table of contents

List of figures ...... xix
List of tables ...... xxi

1 Introduction ...... 5
1.1 Information Security ...... 5
1.2 Motivation ...... 8
1.3 Objectives and Outcomes of the Thesis ...... 9
1.4 Structure of the Thesis ...... 11

2 Fundamentals of Block Ciphers and the VBF Library ...... 13
2.1 Basic Theoretical Background ...... 13
2.1.1 Definitions ...... 14
2.2 Block Ciphers ...... 16
2.2.1 Mini-AES Cipher ...... 17
2.2.2 KASUMI Cipher ...... 22
2.2.3 DES Cipher ...... 23
2.2.4 AES Cipher ...... 25
2.3 VBF (Vector Boolean Functions) library ...... 30
2.3.1 Features ...... 30
2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software ...... 34

3 Representations and Characterizations ...... 37
3.1 Truth Table ...... 39
3.1.1 Description ...... 39
3.1.2 Library ...... 40
3.2 Trace Representation ...... 45
3.2.1 Description ...... 45
3.2.2 Library ...... 46
3.3 Polynomials in ANF ...... 49
3.3.1 Description ...... 49
3.3.2 Library ...... 49
3.4 ANF Table ...... 51
3.4.1 Description ...... 51
3.4.2 Library ...... 51
3.5 Image ...... 53
3.5.1 Description ...... 53
3.5.2 Library ...... 54
3.6 Walsh Spectrum ...... 55
3.6.1 Description ...... 55
3.6.2 Library ...... 65
3.7 Linear Profile and Linear ...... 67
3.7.1 Description ...... 67
3.7.2 Library ...... 70
3.8 Differential Profile and Differential Cryptanalysis ...... 73
3.8.1 Description ...... 73
3.8.2 Library ...... 76
3.9 Autocorrelation Spectrum ...... 79
3.9.1 Description ...... 79
3.9.2 Linear structures ...... 81
3.9.3 Library ...... 82
3.10 Affine Function and Affine Equivalence ...... 84
3.10.1 Description ...... 84
3.10.2 Library ...... 87
3.11 Cycle Structure, Fixed Points and Negated Fixed Points ...... 90
3.11.1 Description ...... 90
3.11.2 Library ...... 91
3.12 Permutation Vector ...... 93
3.12.1 Description ...... 93
3.12.2 Library ...... 93
3.13 DES Representations ...... 94
3.13.1 Description ...... 94
3.13.2 Library ...... 95
3.14 Auxiliary Functions ...... 99
3.15 Summary ...... 100

4 Cryptographic Criteria ...... 103
4.1 Introduction ...... 103
4.1.1 Definitions ...... 103
4.1.2 Cryptographically Weak Functions ...... 105
4.2 Algebraic Degree ...... 105
4.2.1 Description ...... 105
4.2.2 Library ...... 106
4.3 Nonlinearity ...... 110
4.3.1 Description ...... 110
4.3.2 Library ...... 113
4.4 r-th Order Nonlinearity ...... 116
4.4.1 Description ...... 116
4.4.2 Library ...... 117
4.5 Balancedness ...... 118
4.5.1 Description ...... 118
4.5.2 Library ...... 119
4.6 ...... 121
4.6.1 Description ...... 121
4.6.2 Library ...... 123
4.7 Algebraic Immunity ...... 124
4.7.1 Description ...... 124
4.7.2 Library ...... 125
4.8 Global Avalanche Criterion ...... 127
4.8.1 Description ...... 127
4.8.2 Library ...... 127
4.9 Linearity Distance ...... 129
4.9.1 Description ...... 129
4.9.2 Library ...... 131
4.10 Propagation Criterion ...... 132
4.10.1 Description ...... 132
4.10.2 Library ...... 133
4.11 Bounds, Properties and Trade-offs ...... 134
4.11.1 Bounds ...... 135
4.11.2 Properties ...... 135
4.11.3 Trade-offs ...... 135
4.12 Summary ...... 143

5 Constructions for Vector Boolean Functions ...... 145
5.1 Equality Testing ...... 145
5.1.1 Description ...... 145
5.1.2 Library ...... 146
5.2 Composition Function ...... 147
5.2.1 Description ...... 147
5.2.2 Library ...... 149
5.3 Functional Inverse ...... 154
5.3.1 Description ...... 154
5.3.2 Library ...... 154
5.4 Sum ...... 156
5.4.1 Description ...... 156
5.4.2 Library ...... 158
5.5 Direct Sum ...... 161
5.5.1 Description ...... 161
5.5.2 Library ...... 164
5.6 Concatenation ...... 168
5.6.1 Description ...... 168
5.6.2 Library ...... 169
5.7 Concatenation of Polynomials in ANF ...... 172
5.7.1 Description ...... 172
5.7.2 Library ...... 173
5.8 Addition of Coordinate Functions ...... 174
5.8.1 Description ...... 174
5.8.2 Library ...... 175
5.9 Bricklayer ...... 179
5.9.1 Description ...... 179
5.9.2 Library ...... 182
5.10 Summary ...... 188

6 Security Evaluation of Cryptographic Algorithms ...... 189
6.1 KASUMI Cipher Algorithm Evaluation ...... 189
6.1.1 S-boxes Characterization ...... 190
6.1.2 FI Function Characterization ...... 193
6.2 Mini-AES Cipher Algorithm Evaluation ...... 194
6.2.1 S-box Characterization ...... 194
6.2.2 Mini-AES Cipher Characterization ...... 195
6.3 CLEFIA ...... 196
6.3.1 S0 ...... 198
6.3.2 S1 ...... 201
6.4 Computational Cost Results ...... 201

7 Design of Cryptographically Robust Vector Boolean Functions ...... 205
7.1 Multi-Objective Combinatorial Optimization (MOCO) ...... 205
7.1.1 Problem Formulation ...... 205
7.1.2 Preferences among Criteria. Weighting Method ...... 207
7.2 Boolean Function Design Procedures ...... 208
7.2.1 Algebraic Construction Techniques ...... 209
7.2.2 Computational Techniques for Approximating the Efficient Set ...... 215
7.2.3 The Balancedness Constraint ...... 217
7.2.4 Combining Different Algorithms ...... 217

8 Conclusions and Future Research ...... 231
8.1 Summary and Conclusions of the Thesis ...... 231
8.2 Future Directions ...... 232

References ...... 235

Appendix A Mathematical Background ...... 247
A.1 The Vector Space Vn ...... 247
A.1.1 Definition ...... 247
A.1.2 Lexicographic Order ...... 248
A.1.3 The Hamming Distance ...... 249
A.2 Characters ...... 250
A.2.1 Characters on Vn ...... 250
A.2.2 Characters on Vn × Vm ...... 252
A.3 The Vector Space GF(2^n) ...... 253
A.3.1 Definition ...... 253
A.3.2 Operations on Polynomials ...... 253
A.3.3 Relation between Vn and GF(2^n) ...... 254
A.3.4 Mini-AES in GF(2^4) ...... 254
A.4 The Vector Space R^n ...... 255
A.4.1 The Inner Product ...... 255
A.4.2 Distance ...... 255
A.4.3 The Pointwise Product ...... 256
A.5 The Vector Space Mn×m(R) ...... 256
A.5.1 The Inner Product ...... 256
A.5.2 Distance ...... 256
A.5.3 The Pointwise Product ...... 257
A.6 Kronecker Product of Matrices ...... 257
A.7 Convolution and Correlation ...... 258
A.7.1 One-dimensional ...... 258
A.7.2 Bidimensional ...... 258

Appendix B CLEFIA Description ...... 261
B.1 Truth Tables of CLEFIA SSi (0 ≤ i ≤ 3) S-boxes ...... 261
B.2 Truth Table of Mul2(x) = 0x2 · x operation ...... 261
B.3 Truth Tables of u0, u1, y0 and y1 ...... 262
B.4 Trace Representation of S0 and S1 ...... 269

Appendix C Using the Library ...... 273
C.1 An Example Program ...... 273
C.2 Compiling ...... 280
C.3 How to Evaluate New Algorithms ...... 280

List of figures

1.1 ...... 6
2.1 Typical internal construction of a Block Cipher ...... 17
2.2 Structure of Mini-AES cipher ...... 20
2.3 Structure of KASUMI cipher FI function ...... 24
2.4 Structure of DES cipher ...... 26
2.5 The Feistel function of DES ...... 27
2.6 Rijndael S-box S_RD ...... 29
3.1 Relationships among representations and characterizations of a Vector Boolean function ...... 38
3.2 Image representations of NibbleSub ...... 56
3.3 Linear Profile of NibbleSub ...... 73
3.4 Differential Profile of NibbleSub ...... 79
3.5 Linear structures of NibbleSub ...... 84
3.6 S1, S2, S3, S4 DES S-boxes ...... 96
3.7 S5, S6, S7, S8 DES S-boxes ...... 96
4.1 Relationships among representations and criteria of a Vector Boolean function ...... 104
4.2 Algebraic Degree of NibbleSub: Degree 4 ...... 107
4.3 Algebraic Degree of NibbleSub: Degree 3 ...... 108
4.4 Algebraic Degree of NibbleSub: Degree 2 ...... 109
4.5 Nonlinearity of NibbleSub ...... 115
4.6 Balancedness of NibbleSub ...... 121
4.7 Correlation immunity of f ...... 125
4.8 Absolute indicator of NibbleSub ...... 129
4.9 Sum-of-squares indicator of NibbleSub ...... 130
4.10 Propagation Criterion of f ...... 135
5.1 Composition ...... 147
5.2 Inverse ...... 154
5.3 Direct Sum ...... 161
5.4 CAST Cipher ...... 164
5.5 Adding Coordinate functions ...... 175
5.6 Bricklayer ...... 179
5.7 DES S-boxes ...... 182
5.8 KHAZAD S-box construction ...... 183
6.1 CLEFIA S0 ...... 197
6.2 CLEFIA S1 ...... 197
6.3 CLEFIA S-box S0 ...... 199
6.4 Overall CPU time in seconds for cryptographic characterization of n × m S-boxes ...... 202
6.5 CPU timing measurements for all functions in Algorithm I ...... 203
7.1 Relationship between Known Functions, PE and BKPE ...... 210

List of tables

1 Set operators notation ...... 1
2 Characteristics of sets notation ...... 1
3 Important number sets notation ...... 1
4 Function notation ...... 2
5 Matrices notation ...... 2
6 Vectors notation ...... 3
2.1 NibbleSub Truth Table ...... 18
2.2 Generation of the Round Keys of Mini-AES ...... 21
2.3 Inverse NibbleSub Truth Table ...... 22
2.4 NTL modules used in VBF ...... 33
2.5 New modules created for VBF ...... 33
3.1 Identification of a coordinate function of NibbleSub with trace function ...... 47
3.2 Cycle structure of NibbleSub ...... 93
3.3 Representation of VBF ...... 100
3.4 Characterizations of VBF ...... 101
4.1 Maximum nonlinearity of Boolean functions for n odd ...... 112
4.2 Cryptographic criteria bounds ...... 136
4.3 Are the criteria affine invariant? ...... 136
4.4 Weight related cryptographic criteria properties ...... 136
4.5 Walsh related cryptographic criteria properties ...... 136
4.6 Maximum nonlinearity of Balanced Boolean functions for n ...... 137
4.7 Cryptographic criteria ...... 144
4.8 Member functions of the cryptographic criteria ...... 144
5.1 Results of spectral radius (R), NL, lp, dp, ACmax and LD for bricklayer of DES S-boxes ...... 182
5.2 Results of spectral radius (r), NL, lp, dp, ACmax and LD for bricklayer of P and mini S-boxes ...... 186
5.3 Constructions over VBF ...... 188
6.1 Cycle structure for S7 ...... 191
6.2 Cycle structure for S9 ...... 192
6.3 S7 and S9 Cryptographic criteria ...... 192
6.4 S7 and S9 Cryptographic criteria ...... 192
6.5 Cycle structure ...... 195
6.6 NibbleSub Cryptographic criteria ...... 195
6.7 Tables of CLEFIA S-boxes SSi (0 ≤ i ≤ 3) ...... 198
6.8 Table of the multiplication 0x2 · x ...... 198
6.9 Results of spectral radius (r), NL, lp, dp, ACmax and LD for CLEFIA S0 construction ...... 199
6.10 Results of deg, AI, σ, CI for CLEFIA S0 construction ...... 200
6.11 Results of spectral radius (r), NL, lp, dp, ACmax, LD, deg, AI, σ and CI for CLEFIA S1 ...... 201
6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion ...... 201
7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for Maitra construction in [88] ...... 211
7.2 Nonlinearity, algebraic degree for Maitra construction in [133] ...... 211
7.3 Nonlinearity, absolute and sum-of-squares indicators for Zhang and Zheng construction [160] ...... 212
7.4 Nonlinearity, algebraic degree and algebraic immunity for Carlet construction [26] ...... 212
7.5 Nonlinearity, algebraic degree for Charpin construction [30] ...... 213
7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions x^d ...... 213
7.7 Comparison of the best achieved computer search results for (NL, deg, ACmax) ...... 218
7.8 Comparison of profiles with n = 9 ...... 218
7.9 Comparison of profiles with n = 11 ...... 219
7.10 Comparison of nonlinearity achieved in Boolean functions ...... 223
7.11 Results obtained for different n-input balanced Boolean functions ...... 223
7.12 Representations of Boolean functions in Table 7.11 ...... 224
7.13 Frequency distribution of the absolute values of the Walsh Spectrum ...... 225
7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum ...... 225
7.15 Additional cryptographic criteria for f1-f5 classes ...... 226
7.16 Comparison of the best results for (NL, deg, AI, ACmax, σ) ...... 229

Notation

Table 1 Set operators notation

Notation      Description                          Definition
Ã             Complement of A                      {x | x ∉ A}
A ⊆ B         A is a subset of B                   {x | (x ∈ A) ⇒ (x ∈ B)}
A ∪ B         Union of sets A and B                {x | (x ∈ A) ∨ (x ∈ B)}
A − B         Difference of sets A and B           {x | (x ∈ A) ∧ (x ∉ B)}
A ∆ B         Symmetric difference of A and B      (A − B) ∪ (B − A)
A ≺ B         A is a subspace of B

Table 2 Characteristics of sets notation

Notation      Description                          Definition
#A            Cardinality of the set A             Number of elements in A
Supp(A)       Support of A                         {a ∈ A | a ≠ 0}

Table 3 Important number sets notation

Notation      Description                                   Definition
N             Set of natural numbers                        {1, 2, 3, ...}
Z             Set of integer numbers                        {..., −2, −1, 0, 1, 2, ...}
Z_N           Set of integers modulo N                      {0, ..., N − 1}
Z_N^n         Set of vectors whose n components are in Z_N  (x_1, ..., x_n), x_i ∈ Z_N
R             Set of real numbers                           (−∞, +∞)
C             Set of complex numbers                        {x + iy | x, y ∈ R, i = √−1}

Table 4 Function notation

Notation      Description                                     Definition
δ(x)          Kronecker delta function of x                   1 if x = 0; 0 if x ≠ 0
F(A, B)       Set of functions with domain A and codomain B   {f | f : A → B}
Im(f)         Image set of the function f : A → B             {y ∈ B | ∃x ∈ A, y = f(x)}
End(A)        Set of endomorphisms of A                       {f : A → A | f homomorphism}
GL(A)         Set of automorphisms of A                       {f ∈ End(A) | f bijective}
f|_A          Function restriction of f to A                  {(x, f(x)) | x ∈ A}

Table 5 Matrices notation

Notation            Description                                  Definition
A ∈ M_{n×m}(K)      n × m matrix of elements in K                A = (a_ij), 1 ≤ i ≤ n, 1 ≤ j ≤ m
A_i                 i-th row vector of A                         (a_i1, ..., a_im)
A^j                 j-th column vector of A                      (a_1j, ..., a_nj)^T
A^T                 Transposed matrix of A                       A^T = B ∈ M_{m×n}(K), a_ij = b_ji
I_n                 Identity matrix of order n                   a_ii = 1 ∀i ∈ {1, ..., n}; a_ij = 0 ∀i ≠ j, i, j ∈ {1, ..., n}
P_n                 Permutation matrix of order n                ∀i ∈ {1, ..., n} ∃j ∈ {1, ..., n}: (P_n)_i = (I_n)_j
A ⊗ B               Kronecker product of A and B                 block matrix (a_ij B), 1 ≤ i ≤ n, 1 ≤ j ≤ m
A|B                 Concatenation of A ∈ M_{n×m}(GF(2))          A|B = [A ; B] ∈ M_{(n+p)×m}(GF(2)), the rows of A
                    and B ∈ M_{p×m}(GF(2))                       followed by the rows of B

Table 6 Vectors notation

Notation              Description                                  Definition
B_n = {e_1, ..., e_n} Canonical basis of V_n                       e_i = (x_1, ..., x_n) with x_i = 1 ∧ x_j = 0 ∀j ≠ i
‖x‖                   Norm of the vector x                         +√⟨x, x⟩
∠(x, y)               Angle set by the vectors x and y             cos(∠(x, y)) = ⟨x, y⟩ / (‖x‖ · ‖y‖)
⟨x, y⟩                Inner product of the vectors x and y         Σ_{i=1}^{n} x_i y_i
x ⊗ y                 Kronecker product of x ∈ V_n and y ∈ V_m     (x_1 y, ..., x_n y)
Supp(x)               Support of the vector x                      {i ∈ {1, ..., n} | x_i ≠ 0}

Chapter 1

Introduction

1.1 Information Security

Information security defines a series of techniques in order to guarantee that a sender can deliver a message (usually called plaintext) to a receiver in a secure manner over a channel accessible by third parties. This security is based on three main principles: confidentiality, integrity and availability (known as the CIA triad). The confidentiality of a message is assured if the sender prevents the intentional or unintentional unauthorized disclosure of its contents. To achieve this objective, the plaintext is processed in such a way that its meaning is hidden. This process is called encryption and is performed by a cipher. As a result, we obtain a message whose contents are meaningless, called ciphertext. The process of reverting the ciphertext into plaintext again is called decryption, and it usually makes use of a key previously shared between sender and receiver.

Cryptology is a discipline whose objective is to safeguard the secrecy of communications over an insecure channel in such a way that any non-authorized entity is unable to recover the message (plaintext) from what is sent in its place over the channel (ciphertext). Cryptology comprises two complementary fields: cryptography and cryptanalysis. Cryptography is the art of designing secure ciphers to provide services such as data confidentiality, integrity and authentication. Cryptanalysis is the study of methods for breaking ciphers, that is, of assessing and exploring design features that may lead to the discovery of some piece of secret information.

A cryptographic algorithm, also called a cipher or cryptographic scheme, is a function which enables encryption (or ciphering) and decryption (or deciphering). Three types of cryptographic schemes can be identified: public-key (or asymmetric) cryptography, hash functions and secret-key (or symmetric) cryptography. In public-key cryptography (e.g. RSA), encryption and decryption are performed with different keys (public and private keys), while in secret-key cryptography (e.g. DES, AES) both parties share the same key. Hash functions (e.g. MD5, SHA family) are algorithms that compute a fixed-length hash value from the plaintext in such a way that neither the contents nor the length of the plaintext can be recovered. Secret-key (or symmetric) cryptography can be further classified into block ciphers and stream ciphers. While block ciphers (e.g. DES [107], AES [108]) operate with a fixed transformation on blocks of data, stream ciphers (e.g. RC4, A5/1 and A5/2) typically operate with a time-varying transformation on smaller units of plaintext, usually bits.

Fig. 1.1 Block Cipher.

For electronic information, asymmetric cryptography together with hash functions can be used to verify the authorship and the integrity of a document by means of digital signatures. Symmetric cryptography can be used to guarantee the confidentiality of a message. Every cryptanalysis technique assumes that the cryptographic algorithm is known and public. The only piece of information that is kept secret is the key used in the ciphering process. The cipher is considered broken, or not secure, if a non-authorized party can extract the key with a time complexity lower than that of exhaustive key search, also called a brute-force attack (the process of trying every possible key and checking whether the resulting plaintext is meaningful). There are many cryptanalytic attacks. Some attacks are applicable to only one particular encryption algorithm.

In general, cryptanalytic attacks can be categorized based on the information available to the analyst with respect to the attack:

• Ciphertext-only attack. The cryptanalyst has the ciphertext of several messages encrypted with the same cipher. The analyst will be trying to recover the plaintext of as many messages as possible, or even to deduce the key (or keys) used to encrypt the messages. If the key is found, it will be possible to decrypt other messages encrypted with the same key and the same cipher.

• Known-plaintext attack. The cryptanalyst has the ciphertext of several messages and their corresponding plaintexts, all of them encrypted with the same cipher. The analyst will be trying to deduce the key (or keys) used to encrypt the plaintexts, or an algorithm to decrypt any new messages encrypted with these keys.

• Chosen-plaintext attack. The cryptanalyst has the ciphertext of messages and their corresponding plaintexts, all of them encrypted with the same cipher. In this attack, the analyst can choose the plaintexts to be encrypted, in order to deduce the same piece of information as in the previous attack.

• Chosen-ciphertext attack. The cryptanalyst can choose the ciphertexts to be decrypted and has access to their corresponding plaintexts. The analyst will be trying to deduce the key.

Most of the contemporary data encryption principles and concepts were proposed by Claude Elwood Shannon (1916-2001). Indeed, Shannon in [143] presented the principles of what he called confusion and diffusion, establishing that both of them should be present in a computationally secure cipher. The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible (usually obtained by nonlinear transformations in the form of S-boxes [1]), so that any algebraic structure in the system is concealed. Diffusion has the role of dissipating the redundancy of the plaintext by spreading out the influence of any minor modification of the plaintext or of the key over all ciphertext bits (usually obtained by linear transformations such as permutations).

[1] S stands for Substitution. This term is used to designate Vector Boolean functions (functions that map a Boolean vector to another Boolean vector) whose role is to provide confusion in a cipher. The most fundamental property of an S-box is that it is a nonlinear mapping.
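To make the "nonlinear mapping" requirement measurable, the following added example (written for this page; it is not code from the VBF library) computes, for a 4×4 S-box, two of the criteria the thesis evaluates: the nonlinearity derived from the Walsh spectrum, the frequency distribution of the absolute Walsh values, and the differential uniformity taken from the difference distribution table. The S-box used is the field-inversion map x ↦ x^(-1) in GF(2^4) with reducing polynomial x^4 + x + 1 (an assumption made here, chosen because the thesis later compares CLEFIA's S0 with inversion-based S-boxes), and a bent Boolean function x1x2 ⊕ x3x4 is included as a one-output-bit vector Boolean function.

```cpp
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <map>
#include <vector>

// A vector Boolean function F: V_n -> V_m given by its truth table; tt[x] holds
// the m output bits of F(x) packed into one integer (size of tt is 2^n).
struct VBF {
    int n, m;
    std::vector<unsigned> tt;
};

// XOR of the bits of v (parity), used as the inner product over GF(2).
int parity(unsigned v) {
    int p = 0;
    while (v) { p ^= 1; v &= v - 1; }
    return p;
}

// Walsh coefficient W_F(a, b) = sum over x of (-1)^(<b, F(x)> xor <a, x>).
// Large |W_F(a, b)| means the linear approximation <b,F(x)> = <a,x> holds with
// a strong bias, which is what linear cryptanalysis exploits.
int walsh(const VBF& f, unsigned a, unsigned b) {
    int sum = 0;
    for (unsigned x = 0; x < f.tt.size(); x++)
        sum += parity((b & f.tt[x]) ^ (a & x)) ? -1 : 1;
    return sum;
}

// Nonlinearity NL(F) = 2^(n-1) - (1/2) max_{a, b != 0} |W_F(a, b)|: the Hamming
// distance from the closest affine function to any nonzero component of F.
int nonlinearity(const VBF& f) {
    int maxabs = 0;
    for (unsigned b = 1; b < (1u << f.m); b++)
        for (unsigned a = 0; a < (1u << f.n); a++)
            maxabs = std::max(maxabs, std::abs(walsh(f, a, b)));
    return (1 << (f.n - 1)) - maxabs / 2;
}

// Frequency distribution of |W_F(a, b)| over all a and all nonzero b.
std::map<int, int> walsh_abs_distribution(const VBF& f) {
    std::map<int, int> freq;
    for (unsigned b = 1; b < (1u << f.m); b++)
        for (unsigned a = 0; a < (1u << f.n); a++)
            freq[std::abs(walsh(f, a, b))]++;
    return freq;
}

// Differential uniformity: max_{dx != 0, dy} #{ x : F(x xor dx) xor F(x) = dy }.
// Divided by 2^n this is the best differential probability of the S-box.
int differential_uniformity(const VBF& f) {
    int best = 0;
    for (unsigned dx = 1; dx < (1u << f.n); dx++) {
        std::vector<int> ddt_row(1u << f.m, 0);   // one row of the DDT
        for (unsigned x = 0; x < f.tt.size(); x++)
            ddt_row[f.tt[x ^ dx] ^ f.tt[x]]++;
        best = std::max(best, *std::max_element(ddt_row.begin(), ddt_row.end()));
    }
    return best;
}

// Multiplication in GF(2^4) modulo x^4 + x + 1 (assumed field for this example).
unsigned gf16_mul(unsigned a, unsigned b) {
    unsigned r = 0;
    for (int i = 0; i < 4; i++) {
        if (b & 1) r ^= a;
        b >>= 1;
        bool overflow = a & 0x8;
        a = (a << 1) & 0xF;
        if (overflow) a ^= 0x3;   // reduce using x^4 = x + 1
    }
    return r;
}

// 4x4 S-box x -> x^(-1) in GF(2^4), with the usual convention 0 -> 0.
VBF inversion_sbox() {
    VBF s{4, 4, std::vector<unsigned>(16, 0)};
    for (unsigned x = 1; x < 16; x++)
        for (unsigned y = 1; y < 16; y++)
            if (gf16_mul(x, y) == 1) { s.tt[x] = y; break; }
    return s;
}

// Boolean function f(x1,x2,x3,x4) = x1 x2 xor x3 x4 (x1 = least significant bit),
// a bent function on V_4, treated as a VBF with a single output bit.
VBF bent_function() {
    VBF f{4, 1, std::vector<unsigned>(16, 0)};
    for (unsigned x = 0; x < 16; x++)
        f.tt[x] = (((x >> 0) & (x >> 1)) ^ ((x >> 2) & (x >> 3))) & 1;
    return f;
}

int main() {
    VBF s = inversion_sbox();
    std::cout << "inversion S-box: NL=" << nonlinearity(s)
              << " differential uniformity=" << differential_uniformity(s) << "\n";
    VBF f = bent_function();
    std::cout << "bent function: NL=" << nonlinearity(f) << "\n";
    for (const auto& kv : walsh_abs_distribution(f))
        std::cout << "  |W|=" << kv.first << " occurs " << kv.second << " times\n";
    return 0;
}
```

For n = 4 the inversion S-box reaches nonlinearity 4 (the maximum for a balanced 4-bit function) and differential uniformity 4, while the bent function reaches the absolute bound 2^(n-1) - 2^(n/2-1) = 6 with a flat spectrum |W| = 4 but cannot be balanced, which is the trade-off the thesis revisits in Chapter 4.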

1.2 Motivation

In recent years, several international initiatives for selecting ciphers have taken place: AES (United States), CRYPTREC (Japan) and NESSIE (European Union). All of them defined evaluation criteria that can be divided into three major categories: security, cost, and algorithm and implementation characteristics. Security is the most important category, but it is also considered the most difficult to assess. Normally, the institution which organizes the competition invites the cryptology community to mount attacks and try to cryptanalyse the different candidates. The candidates not satisfying the security requirements imposed by the institution are eliminated from the contest. Section 3 in [105] discusses the tools that the NESSIE project developed to support the evaluation process:

It is clear that modern computers and sophisticated software tools cannot replace human cryptanalysis. Nevertheless, software tools can play an important role in modern cryptanalysis. In most cases, the attacks found by the cryptanalyst require a large number of computational steps, hence the actual computation of the attack is performed on a computer. However, software and software tools can also be essential to find a successful way to attack a symmetric cryptographic algorithm; examples include differential and linear cryptanalysis, dependence tests, and statistical tests. Within NESSIE, we distinguish two classes of tools. The general tools are not specific for the algorithms to be analyzed. Special tools, which are specific for the analysis of one algorithm, are implemented when, in the course of the cryptanalysis of an algorithm, the need for such a tool turns up. ... The software for these tools will not be made available outside the project, but all the results obtained using these tools will be made public in full detail.

It is worth mentioning that comprehensive sets of general tools for the evaluation of symmetric ciphers are available, such as the RIPE and NIST test suites. These consist of a collection of statistical tests such as: the frequency test, the collision test, the overlapping m-tuple test, the gap test, the constant runs test, the coupon collector's test, Maurer's universal test, the poker test, the spectral test, the correlation test, and the rank test, among others. Nevertheless, such available tools are not enough for a rigorous characterization of cryptographic primitives. Section 4 in [104] provides a detailed description of this issue:

This document describing the NESSIE security methodology has given a list of important issues that are considered in making a security evaluation of a submitted primitive. Clearly, this list is not complete. Cryptographic primitives with completely inadequate security can often be identified. However, for the remaining cryptographic primitives, the situation is nothing like as clear-cut. There is neither an automatic method of assessing the security of such a primitive nor a general consensus on the relative importance of different security criteria. The few previous initiatives that have undertaken a similar task to the NESSIE project, such as AES, have been more limited in scope and have reached a subjective judgment by experts on the security of such primitives. The NESSIE project will produce a security judgment for the submitted primitives based on the issues discussed in this report.

From the above, it is clear that there is no general set of tools to assess the security of cipher components. Because of the size and complexity of modern ciphers, automatic analysis programs are very helpful in reducing the time required to study the cryptographic properties of Vector Boolean functions.

1.3 Objectives and Outcomes of the Thesis

Listed below are the main objectives of the research presented in this thesis:

1. To gather, derive and/or reformulate in an efficient manner all the relevant theoretical results associated with the characterization of robust cryptographic functions. The research work reported in this thesis requires knowledge of previously established Boolean function and S-box theory. Such knowledge is essential not only for linking the theoretical concepts to practical applications, but also in order to understand the significance of the research and where this work is placed in relation to the field of cryptology.

2. To make available a free open source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function. Boolean function research requires the development of specialised programs, typically written in C or C++. These programs can involve a large number of computation steps, and it is therefore imperative that all appropriate optimisation techniques are used to exploit the full processing power available in modern computer systems. There is, however, a noticeable absence in the related cryptographic literature of any reference to the implementation issues facing Boolean function researchers, and with no readily available software for cryptographic Boolean function analysis, researchers have had to independently develop their own implementations.

3. To assess the security of modern Block Ciphers. Fundamental to any area of research is the ability to develop a methodology to perform systematic observation, measurement and experiment, and the formulation, testing and modification of hypotheses. The study of Block Ciphers is an area where this basic principle of research has been ignored; the security of these cryptographic algorithms is measured by the best public cryptanalysis reported by an expert. As a result, considerable restrictions have existed with regard to performing a homogeneous analysis of these cryptosystems.

4. To design new robust Boolean functions in order to increase the security of ciphers based on them. These robust cipher components will be those Boolean functions which exhibit suitable measures for a combination of cryptographic properties appropriate for their use according to the type of cipher employing them. The task of obtaining such functions involves generating and/or constructing Boolean functions which not only exhibit the required measures of cryptographic properties but are also of a large enough dimension that they are able to provide resistance to attacks in the long term. Additionally, the means of obtaining these strong cipher components must be computationally efficient.

The outcomes of the work in this thesis are now discussed with reference to the above objectives. To achieve objective 1, fundamental theoretical results have been gathered and/or derived concerning the properties of Boolean functions, S-boxes and different architectures constructed by combining them. To accomplish objective 2, a library of C++ classes for analyzing cryptographic properties of Vector Boolean functions (VBF) is presented in this thesis. The stated mission of the VBF library is to provide a free open source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function, and to help in the design of new cryptographically interesting functions. This library presents three main features:

1. It supports a large variety of representations useful from the cryptological viewpoint such as: Truth Table (binary, decimal and hexadecimal), ANF Table, polynomials in ANF, Characteristic function, Walsh Spectrum; and characterizations such as Trace, Linear Profile, Differential Profile and Autocorrelation Spectrum.

2. It allows the analysis of the robustness of a cryptographic algorithm by means of a set of criteria related to confusion (Algebraic Degree, Nonlinearity, Balancedness, Correlation Immunity (CI), Resiliency and Algebraic Immunity among others) and diffusion (Global Avalanche, Linearity Distance and Propagation among others).

3. It allows one to obtain some basic Vector Boolean functions such as: Composition, Inverse, Sum, Direct Sum, Concatenation, Addition of coordinate functions and Bricklayering.

The research work performed in this thesis relating to the first two outcomes has been published in http://vbflibrary.tk, [4], [5], [6], and [7]. Note that the theoretical results and the VBF library allow us to analyse the behaviour of the representations, characterizations and criteria when several cryptographic algorithms are interconnected. Accordingly, with regard to objective 3, we have conducted numerous security analyses of some Block Cipher candidates for the AES, CRYPTREC and NESSIE projects together with some other ciphers. This allowed us to obtain representations, characterizations and cryptographic criteria for these ciphers. The research work performed in this thesis relating to this outcome is published in http://vbflibrary.tk and in [7]. Finally, objective 4 has been fulfilled by developing optimization tools to obtain robust cipher components. Sets of balanced Boolean functions with 9 and 11 inputs with the best profiles known to date have been obtained.

1.4 Structure of the Thesis

This thesis is divided into eight chapters, including this introductory chapter. Chapter 2 presents a preliminary general framework including some basic theoretical background (to make the reader familiar with the notation and fundamental definitions), a brief description of several modern Block Ciphers, and the main basic features of the VBF library. Chapter 3 presents the typical forms of Vector Boolean function representation used in cryptography. A definition of all these representations is given, as well as an introduction to the main cryptographic characterizations relating to each representation. In addition, the VBF library methods to obtain these representations and characterizations are described, and the relationships among them are also discussed. Chapter 4 defines and discusses many important cryptographic criteria of Boolean functions and their extension to Vector Boolean functions. Following this, we develop a brief discussion on the relationship among criteria and to what extent they may reach good values within the same function. The methods in the VBF library to obtain these cryptographic criteria are also described and the relationships among them are also discussed. Chapter 5 describes some basic constructions for Vector Boolean functions together with the corresponding conditions on the cryptographic criteria that are obtained for such constructions. The methods in the VBF library to implement these constructions are also described. Based on the results of the previous chapters, Chapter 6 analyses several modern cryptographic algorithms used in symmetric Block Ciphers. The research described in this chapter is complemented with a further analysis of other cryptosystems provided in http://vbflibrary.tk. Chapter 7 presents a theoretical framework for the multicriteria optimization of Boolean functions and presents several computational schemes for the optimization of certain cryptographic criteria of Vector Boolean functions. New Boolean functions with unprecedented features are provided. Finally, Chapter 8 draws the main conclusions from the research performed for this thesis. It also highlights several directions for future research in this field.

Chapter 2

Fundamentals of Block Ciphers and the VBF Library

This chapter provides a preliminary general framework to be referred to in the following chapters of the thesis. First, some basic theoretical background is provided to make the reader familiar with the notation and fundamental definitions employed in the chapter. Then, we present the structure of some well-known Block Ciphers to be employed as a reference when developing the theoretical and practical contributions. Finally, we present the basic structure of the VBF library; this will allow a better combined exposition of the theoretical results together with the coding tools in the following chapters.

2.1 Basic Theoretical Background

In a symmetric cipher, the encryption (E) and decryption (D) can be defined as Vector Boolean functions E : K × P → C and D : K × C → P such that D(K, E(K, P)) = P, where:

• A = Symbols used in P,C or K.

• P = Plaintext space.

• C = Ciphertext space.

• K = Keyspace.

In modern symmetric ciphers, these concepts take the following values:

• A = GF(2) = Z_2 = {0,1}.

• $P = C = V_n = \overbrace{GF(2) \times \cdots \times GF(2)}^{n}$

• $K = V_k = \overbrace{GF(2) \times \cdots \times GF(2)}^{k}$

• E, D : V_k × V_n → V_n

For most Block Ciphers, the ciphertext is produced by repeatedly applying a so-called round function. The key material used in the round function is called a round key. The round keys are computed from the key using a key-schedule algorithm. In the scope of modern ciphers, two different design approaches can be distinguished: Feistel ciphers and ciphers with substitution-permutation networks (SPNs). While a Feistel cipher modifies only half of the data in each round, a cipher with an SPN modifies the entire data. The nice feature of a Feistel cipher is that encryption and decryption are structurally identical, except for the round keys, which are reversed. Note that DES [107] is an example of a Feistel cipher and the current NIST block encryption standard AES [108] is an SPN cipher. A modern Block Cipher results from the association of Vector Boolean functions. Most of these functions are linear or affine, but some of them, called S-boxes, are nonlinear, preventing the overall cryptosystem from being linear or affine, and thus not so easily cryptanalysable. We could say that the robustness of a modern Block Cipher resides in the S-boxes and in the way all the building blocks of the cipher, which can be interpreted as Vector Boolean functions, are interconnected.

In a stream cipher, a pseudo-random sequence of bits of length equal to the message length is generated. This sequence is then bit-wise XOR-ed (addition modulo 2) with the message sequence and the resulting sequence is transmitted. At the receiving end, deciphering is done by generating the same pseudo-random sequence and again bit-wise XOR-ing the cipher bits with the random bits. The initial state of the pseudo-random bit generator is obtained from the secret key. Linear Feedback Shift Registers (LFSRs) are important building blocks in stream cipher systems. A standard model of stream cipher [17], [145], [146] combines the outputs of several independent LFSR sequences using a nonlinear Boolean Function to produce the keystream. As LFSRs are linear, some form of nonlinearity is introduced by using nonlinear Boolean Functions (see [130]).

2.1.1 Definitions

The mathematical theory of Vector Boolean functions starts with the formal definition of vector spaces whose elements (vectors) have binary elements. Let < GF(2), +, · > be the finite field of order 2, where GF(2) = Z_2 = {0,1}, '+' is the 'integer addition modulo 2' and '·' is the 'integer multiplication modulo 2'. V_n is the vector space of n-tuples of elements from GF(2). The direct sum of x ∈ V_{n_1} and y ∈ V_{n_2} is defined as x ⊕ y = (x_1, ..., x_{n_1}, y_1, ..., y_{n_2}) ∈ V_{n_1+n_2}. The inner product of x, y ∈ V_n is denoted by x · y, and the inner product of real vectors x, y ∈ ℝ^n is denoted by ⟨x, y⟩. The weight of an n-bit vector u is the number of ones in u and will be denoted by wt(u). The (Hamming) distance between two vectors x = (x_1, x_2, ..., x_n) and y = (y_1, y_2, ..., y_n) is the number of places where they differ and is denoted by d(x, y). One can now define binary functions between these types of vector spaces, whose cryptanalysis (for robustness-against-attacks purposes) is very important. f : V_n → GF(2) is called a Boolean function and F_n is the set of all Boolean functions on V_n. L_n is the set of all linear Boolean functions on V_n: L_n = {l_u ∀u ∈ V_n | l_u(x) = u · x} and A_n is the set of all affine Boolean functions on V_n. A Truth Table is a tabulation of all possible combinations of input values and their corresponding outputs. For an n-variable Boolean function the Truth Table contains 2^n rows for all the enumerations of the input variables and one column for the output. The weight of a Boolean function is the weight of its Truth Table. It is possible to characterize Boolean functions via alternative and very useful associated mappings. In the following, some of these mappings are presented. The real-valued mapping $\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{u \cdot x}$ for x, u ∈ V_n is called a character. The character form of f ∈ F_n is defined as $\chi_f(x) = (-1)^{f(x)}$.
The Truth Table of χ_f is called the (1,−1)-sequence vector or sequence vector of f and is denoted by $\xi_f \in \mathbb{R}^{2^n}$. The autocorrelation of f ∈ F_n with respect to the shift u ∈ V_n is a measure of the statistical dependency among the involved variables (indicating robustness against randomness-based attacks). It is the cross-correlation of f with itself, denoted by r_f(u) : V_n → Z and defined by¹:

$$r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) = \sum_{x \in V_n} (-1)^{f(x)+f(u+x)} \qquad (2.1)$$

The directional derivative of f ∈ Fn in the direction of u ∈ Vn is defined by:

∆u f (x) = f (x + u) + f (x), x ∈ Vn (2.2)

We shall call the linear kernel of f the set of those vectors u such that Δ_u f is a constant function. The linear kernel of any Boolean function is a subspace of V_n. Any element u of the linear kernel of f is said to be a linear structure of f. Let f ∈ F_n; u ∈ V_n is called a linear structure of f if and only if [116] |r_f(u)| = 2^n.

¹ Most authors omit the factor 1/2^n.

We now extend the scope of the study by considering functions between any pair of binary-valued vector spaces. F : V_n → V_m, F(x) = (f_1(x), ..., f_m(x)) is called a Vector Boolean function and F_{n,m} is the set of all Vector Boolean functions F : V_n → V_m. Each f_i : V_n → GF(2), ∀i ∈ {1, ..., m}, is a coordinate function of F. The component functions of F are the linear combinations, with not all-zero coefficients, of the coordinate functions of F (their set is the vector space spanned by the coordinate functions, deprived of the null function if the coordinate functions are GF(2)-linearly independent). The indicator function of F ∈ F_{n,m}, denoted by θ_F : V_n × V_m → {0,1}, is defined in [29] as:

$$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (2.3)$$

A Vector Boolean function F ∈ F_{n,m} defined as F(x) = x · A + b, with x ∈ V_n, A ∈ M_{n×m}(GF(2)) and b ∈ V_m, is linear if b = 0 and affine if b ≠ 0. Several mappings associated with a Vector Boolean function can be defined, in similar terms to the binary functions case. Hence, the character form of (u, v) ∈ V_n × V_m can be defined as follows: $\chi_{(u,v)}(x,y) = (-1)^{u \cdot x + v \cdot y}$. Also, the autocorrelation of F ∈ F_{n,m} with respect to the shift (u, v) ∈ V_n × V_m is the cross-correlation of F with itself, denoted by r_F(u, v) : V_n × V_m → Z, so that [115]:

$$r_F(u,v) = \sum_{x \in V_n} \chi_{v \cdot F}(x+u)\,\chi_{v \cdot F}(x) = \sum_{x \in V_n} (-1)^{v \cdot F(x+u) + v \cdot F(x)} \qquad (2.4)$$

Let F ∈ F_{n,m} and u ∈ V_n; then the difference Vector Boolean function of F in the direction of u ∈ V_n, denoted by Δ_u F ∈ F_{n,m}, is defined as follows: Δ_u F(x) = F(x+u) + F(x), x ∈ V_n. F has a linear structure if there exist a vector u ∈ V_n and v ∈ V_m such that |r_{v·F}(u)| = 2^n. Finally, we define the simplifying notation for the maximum of the absolute values of a set of real numbers {a_{uv}}_{u,v}, characterized by vectors u and v, as: $\max(a_{uv}) = \max_{(u,v)} \{|a_{uv}|\}$. Using the same simplifying notation, we can define the $\max^{*}(\cdot)$ operator on a set of real numbers {a_{uv}}_{u,v} as: $\max^{*}(a_{uv}) = \max_{(u,v) \neq (0,0)} \{|a_{uv}|\}$. This notation will be used in some criteria definitions.

2.2 Block Ciphers

A Block Cipher can be divided into two parts: a data processing part and a key scheduling part. Among the Block Ciphers that are analysed throughout this thesis, it is important to mention mini-AES, KASUMI, DES and AES. In this section, we provide a succinct description of these algorithms. A detailed cryptographical analysis of them and other ciphers can be found on http://vbflibrary.tk.

Fig. 2.1 Typical internal construction of a Block Cipher.

2.2.1 Mini-AES Cipher

Introduction

Raphael Chung-Wei Phan presented a version of the AES [120], with all the parameters significantly reduced while preserving its original structure. This Mini version is purely educational and is designed to grasp the underlying concepts of Rijndael-like ciphers. It may also serve as a test-bed for starting cryptanalysts to experiment with various cryptanalytic attacks. The Mini-AES cipher is a 16 × 16 Vector Boolean function and the Mini-AES encryption is performed with a secret key of 16 bits. It takes a 16-bit input block and processes the block by repeating the basic operations of a round twice. Each round consists of (1) substitution based on the S-box NibbleSub γ, (2) a transposition of the bits (i.e., permutation of the bit positions) based on ShiftRow π and MixColumn θ, and (3) key addition σ_{k_i}. Mini-AES has an S-box, NibbleSub, which operates on a nibble (4 bits) at a time. In addition, another component, MixColumn, operates on words of 4 nibbles. Section A.3 presents the mathematical background needed for the reader to have a clearer understanding of the components of Mini-AES.

Substitution

In the Mini-AES cipher, we break the 16-bit plaintext block into four 4-bit sub-blocks. Each sub-block forms an input to a 4 × 4 S-box (a substitution with 4 input and 4 output bits) called NibbleSub γ, which can be easily implemented with a table lookup of sixteen 4-bit values, indexed by the integer represented by the 4 input bits. In the Mini-AES cipher, the same nonlinear mapping is used for all S-boxes. The mapping chosen for the cipher, given in Table 2.1, is taken from the S-boxes of DES (it is the first row of the first S-box).

Table 2.1 NibbleSub Truth Table.

Input   Output
0000    1110
0001    0100
0010    1101
0011    0001
0100    0010
0101    1111
0110    1011
0111    1000
1000    0011
1001    1010
1010    0110
1011    1100
1100    0101
1101    1001
1110    0000
1111    0111

Permutation

The permutation portion of a round is simply the transposition of the bits or the permutation of the bit positions. The permutation of Figure 2.2 is given by two operations, ShiftRow π and MixColumn θ. Note that there would be no MixColumn in the last round. ShiftRow rotates each row of the input block to the left by different nibble amounts. The first row is unchanged while the second row is rotated left by one nibble.

MixColumn takes each column of the input block and multiplies it with a constant matrix to obtain a new output column. If a = (a0,a1,a2,a3) and b = (b0,b1,b2,b3) denote the input and output to MixColumn respectively, then:

" # " #" # b 0011 0010 a 0 = 0 (2.5) b1 0010 0011 a1 and

" # " #" # b 0011 0010 a 2 = 2 (2.6) b3 0010 0011 a3

Hence, b0 = (0011 × a0) + (0010 × a1) and b1 = (0010 × a0) + (0011 × a1). Similarly, b2 = (0011 × a2) + (0010 × a3) and b3 = (0010 × a2) + (0011 × a3).

Key Addition

To achieve the key addition, Mini-AES uses a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a subkey) and the data block input to a round. Normally, in a cipher, the subkey for a round is derived from the cipher's master key through a process known as the key schedule. In Mini-AES, the 16-bit secret key is passed through a key-schedule to produce one 16-bit round key, k_0, to be used prior to the first round, and a 16-bit round key, k_i, for use in each round of mini-AES. Mini-AES encryption is defined to have 2 rounds, hence three round keys, k_0, k_1 and k_2, are generated. The Key Addition operations are denoted by σ_{k_0}, σ_{k_1}, σ_{k_2} respectively. Denote the 16-bit secret key K as 4 nibbles, K = (k_0, k_1, k_2, k_3), and likewise, k_0 = (w_0, w_1, w_2, w_3), k_1 = (w_4, w_5, w_6, w_7) and k_2 = (w_8, w_9, w_10, w_11). Then, the round key values are obtained from the secret key as in Table 2.2. Note that in each round, round constants rcon(i) are used, where rcon(1) = 0001 and rcon(2) = 0010.

Encryption

The application of the four components NibbleSub, ShiftRow, MixColumn and KeyAddition in sequence constitutes one round. The full mini-AES encryption consists of two such rounds, with the exclusion of MixColumn from the last round and the inclusion of an extra KeyAddition prior to the first round. Hence, mini-AES encryption can be denoted by:

$$\text{Mini-AESEncrypt} = \sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0} \qquad (2.7)$$

Fig. 2.2 Structure of Mini-AES cipher.

Table 2.2 Generation of the Round Keys of Mini-AES.

Round   Round Key Values
0       w_0 = k_0,  w_1 = k_1,  w_2 = k_2,  w_3 = k_3
1       w_4 = w_0 + NibbleSub(w_3) + rcon(1),  w_5 = w_1 + w_4,  w_6 = w_2 + w_5,  w_7 = w_3 + w_6
2       w_8 = w_4 + NibbleSub(w_7) + rcon(2),  w_9 = w_5 + w_8,  w_10 = w_6 + w_9,  w_11 = w_7 + w_10

Note that the symbol ◦ refers to the composition of functions and the order of execution is from right to left, which means that σk0 is executed first.

Decryption

In order to decrypt, data is essentially passed backwards through the cipher. However, the mappings used in the S-boxes of the decryption network are the inverse of the mappings in the encryption network (i.e., input becomes output, output becomes input). This implies that in order for a cipher to allow for decryption, all S-boxes must be bijective, that is, a one-to-one mapping with the same number input and output bits. As well, in order for the cipher to properly decrypt, the subkeys are applied in reverse order and the bits of the subkeys must be moved around according to the permutation. Note also that the lack of the permutation after the last round ensures that the decryption network can be the same structure as the encryption network.

$$\begin{aligned}
\text{Mini-AESDecrypt} &= (\sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0})^{-1} \\
&= \sigma_{k_0}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \theta^{-1} \circ \sigma_{k_1}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \sigma_{k_2}^{-1} \\
&= \sigma_{k_0} \circ \gamma^{-1} \circ \pi \circ \theta \circ \sigma_{k_1} \circ \gamma^{-1} \circ \pi \circ \sigma_{k_2}
\end{aligned} \qquad (2.8)$$

We arrive at this expression since σ_{k_0} is an XOR operation, which is its own inverse. We have also specially chosen the constant matrix in MixColumn θ such that the inverse of MixColumn, θ^{−1}, is the same as MixColumn itself. Since ShiftRow simply causes the second row to be rotated left by one nibble, the inverse of ShiftRow, π^{−1}, causes the second row to be rotated right by one nibble. Rotating the row left or right is one and the same operation because a row only has two nibbles; therefore the inverse ShiftRow is the same as ShiftRow. NibbleSub is a nibble substitution operation based on Table 2.1. The inverse of Table 2.1 is easily computed by interchanging the input nibble with the output nibble, and then re-sorting it based on the new input nibble, as given in Table 2.3 below.

Table 2.3 Inverse NibbleSub Truth Table.

Input   Output
0000    1110
0001    0011
0010    0100
0011    1000
0100    0001
0101    1100
0110    1010
0111    1111
1000    0111
1001    1101
1010    1001
1011    0110
1100    1011
1101    0010
1110    0000
1111    0101
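The Mini-AES components described in Section 2.2.1 (NibbleSub from Table 2.1, ShiftRow, MixColumn from (2.5) and (2.6), the key schedule of Table 2.2, and the compositions (2.7) and (2.8)) are collected in the following added Python example, written for this edition; it is not code from the thesis, from Phan's paper or from the VBF library. Two details that this section defers to Section A.3 are assumed here: the nibble products in MixColumn are taken in GF(2^4) modulo x^4 + x + 1, and the four nibbles of a 16-bit block fill the 2 × 2 state column by column, so that (a_0, a_1) and (a_2, a_3) are the two columns and (n_1, n_3) is the second row rotated by ShiftRow. The decryption routine follows (2.8) literally, using that ShiftRow and MixColumn are their own inverses and that the inverse S-box is Table 2.3.

```python
# Added illustration of Mini-AES from Section 2.2.1 (not thesis/VBF library code).
# Assumptions not fixed by the section itself: GF(2^4) uses x^4 + x + 1, and the
# nibbles (n0, n1, n2, n3) of a block fill the 2x2 state column by column,
# i.e. state = [[n0, n2], [n1, n3]].

NIBBLE_SUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
              0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]          # Table 2.1
INV_NIBBLE_SUB = [NIBBLE_SUB.index(y) for y in range(16)]       # Table 2.3
RCON = {1: 0b0001, 2: 0b0010}                                   # round constants

def gf16_mul(a, b):
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1 (assumed polynomial)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:                 # reduce x^4 -> x + 1
            a ^= 0b10011
    return r & 0xF

def split(block):
    """16-bit block -> four nibbles (n0, n1, n2, n3), most significant first."""
    return [(block >> s) & 0xF for s in (12, 8, 4, 0)]

def join(nibbles):
    n0, n1, n2, n3 = nibbles
    return (n0 << 12) | (n1 << 8) | (n2 << 4) | n3

def nibble_sub(s, table=NIBBLE_SUB):
    """gamma: apply the S-box to every nibble (pass INV_NIBBLE_SUB for gamma^-1)."""
    return [table[x] for x in s]

def shift_row(s):
    """pi: first row (n0, n2) unchanged, second row (n1, n3) rotated by one nibble."""
    n0, n1, n2, n3 = s
    return [n0, n3, n2, n1]

def mix_column(s):
    """theta: equations (2.5) and (2.6) applied to the two columns."""
    a0, a1, a2, a3 = s
    return [gf16_mul(3, a0) ^ gf16_mul(2, a1), gf16_mul(2, a0) ^ gf16_mul(3, a1),
            gf16_mul(3, a2) ^ gf16_mul(2, a3), gf16_mul(2, a2) ^ gf16_mul(3, a3)]

def key_addition(s, rk):
    """sigma_k: bit-wise XOR of the state with a round key (self-inverse)."""
    return [x ^ k for x, k in zip(s, rk)]

def key_schedule(key):
    """Table 2.2: round keys k0, k1, k2 as lists of four nibbles w0..w11."""
    w = split(key)                               # w0..w3 = k0..k3
    for i in (1, 2):
        w.append(w[-4] ^ NIBBLE_SUB[w[-1]] ^ RCON[i])   # w4 / w8
        for _ in range(3):
            w.append(w[-4] ^ w[-1])                     # w5..w7 / w9..w11
    return [w[0:4], w[4:8], w[8:12]]

def encrypt(plain, key):
    """Equation (2.7), applied right to left: sigma_k0 first, sigma_k2 last."""
    k0, k1, k2 = key_schedule(key)
    s = key_addition(split(plain), k0)
    s = key_addition(mix_column(shift_row(nibble_sub(s))), k1)
    s = key_addition(shift_row(nibble_sub(s)), k2)          # no MixColumn in last round
    return join(s)

def decrypt(cipher, key):
    """Equation (2.8): sigma_k0 . gamma^-1 . pi . theta . sigma_k1 . gamma^-1 . pi . sigma_k2."""
    k0, k1, k2 = key_schedule(key)
    s = key_addition(split(cipher), k2)
    s = nibble_sub(shift_row(s), INV_NIBBLE_SUB)
    s = mix_column(key_addition(s, k1))
    s = nibble_sub(shift_row(s), INV_NIBBLE_SUB)
    return join(key_addition(s, k0))

if __name__ == "__main__":
    c = encrypt(0x1234, 0xABCD)
    print(f"encrypt(0x1234, 0xABCD) = {c:04x}, decrypt -> {decrypt(c, 0xABCD):04x}")
```

Squaring the matrix of (2.5) gives (0011·0011 + 0010·0010) on the diagonal and 0 off it; in characteristic 2 the diagonal is (x+1)² + x² = 1 before any reduction is needed, so the self-inverse property of MixColumn checked by the round trip holds whatever polynomial Section A.3 fixes, whereas the individual MixColumn outputs do depend on the assumed x^4 + x + 1.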

2.2.2 KASUMI Cipher

Description

The KASUMI cipher is used in UMTS [155], GSM [67], and GPRS [65] mobile communications systems. UMTS uses KASUMI [76] in the confidentiality and integrity algorithms named UEA1 and UIA1 [76], respectively. GSM employs KASUMI in the A5/3 key stream generator whereas GPRS does so in the GEA3 key stream generator. KASUMI encrypts a 64-bit input by iterating a round function 8 times. The round function consists of the composition of a 32-bit non-linear mixing function (FO) and a 32-bit linear mixing function (FL). The FO-function is again an iterated "ladder-design" consisting of 3 rounds of a 16-bit non-linear mixing function FI. In turn, FI is defined as a 4-round structure using non-linear look-up tables S7 and S9. All functions involved mix the data input with key material.

FI Function

The FI function is a 16×16 Vector Boolean function which constitutes the basic randomizing function of KASUMI. It is composed of a four round structure using the S-boxes S7 and S9 as shown in Figure 2.3.

The function FI takes a 16-bit data input I and a 16-bit subkey KI_{i,j}. The input I is split into two unequal components, a 9-bit left half L_0 and a 7-bit right half R_0, where I = L_0 || R_0. Similarly the key KI_{i,j} is split into a 7-bit component KI_{i,j,1} and a 9-bit component KI_{i,j,2}, where KI_{i,j} = KI_{i,j,1} || KI_{i,j,2}. The function uses two S-boxes, S7 which maps a 7-bit input to a 7-bit output, and S9 which maps a 9-bit input to a 9-bit output. It also uses two additional functions which are designated ZE() and TR(), where ZE(x) takes the 7-bit value x and converts it to a 9-bit value by adding two zero bits to the most-significant end, and TR(x) takes the 9-bit value x and converts it to a 7-bit value by discarding the two most-significant bits. The following equations summarize the implementation of function FI:

$$I = L_0 \,\|\, R_0, \qquad KI_{i,j} = KI_{i,j,1} \,\|\, KI_{i,j,2} \qquad (2.9)$$

$$\begin{aligned}
L_1 &= R_0, & R_1 &= S9(L_0) + ZE(R_0) \\
L_2 &= R_1 + KI_{i,j,2}, & R_2 &= S7(L_1) + TR(R_1) + KI_{i,j,1} \\
L_3 &= R_2, & R_3 &= S9(L_2) + ZE(R_2) \\
L_4 &= S7(L_3) + TR(R_3), & R_4 &= R_3
\end{aligned} \qquad (2.10)$$

$$\begin{aligned}
L_4 &= S7\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big) \\
&\quad + TR\big(S9(S9(L_0) + ZE(R_0) + KI_{i,j,2}) + ZE(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1})\big) \\
R_4 &= S9(R_1 + KI_{i,j,2}) + ZE\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big)
\end{aligned} \qquad (2.11)$$

the output being L_4 || R_4.
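The FI ladder of (2.9)–(2.11) is written out below as an added Python example for this edition; it is not code from the thesis, from the 3GPP specification or from the VBF library. The S7 and S9 look-up tables are not given on this page, so two constructed bijections (multiplication by an odd constant plus an offset, modulo 2^7 and 2^9) stand in for them; they keep the 7-bit and 9-bit widths but are not the KASUMI S-boxes. The example evaluates FI once round by round as in (2.10) and once from the expanded expressions (2.11), which lets a reader check that the two agree for every input, and that the ladder is a bijection on 16-bit inputs whenever S7 and S9 are.

```python
# Added illustration of the KASUMI FI structure, equations (2.9)-(2.11).
# S7_DEMO and S9_DEMO are constructed placeholders, NOT the real KASUMI tables.

MASK7, MASK9 = (1 << 7) - 1, (1 << 9) - 1

def S7_DEMO(x):
    # constructed 7-bit permutation (odd multiplier => bijection mod 2^7)
    return (x * 37 + 11) & MASK7

def S9_DEMO(x):
    # constructed 9-bit permutation (odd multiplier => bijection mod 2^9)
    return (x * 101 + 7) & MASK9

def ZE(x):
    """Zero-extend a 7-bit value to 9 bits (two zero bits at the MSB end)."""
    return x & MASK7

def TR(x):
    """Truncate a 9-bit value to 7 bits by discarding the two MSBs."""
    return x & MASK7

def split_input(I):
    """(2.9): I = L0 || R0 with a 9-bit left half and a 7-bit right half."""
    return (I >> 7) & MASK9, I & MASK7

def split_key(KI):
    """(2.9): KI = KI1 || KI2 with a 7-bit KI1 and a 9-bit KI2."""
    return (KI >> 9) & MASK7, KI & MASK9

def fi_rounds(I, KI, S7=S7_DEMO, S9=S9_DEMO):
    """Round-by-round evaluation of (2.10); returns the 16-bit value L4 || R4."""
    L0, R0 = split_input(I)
    KI1, KI2 = split_key(KI)
    L1, R1 = R0, S9(L0) ^ ZE(R0)                      # round 1
    L2, R2 = R1 ^ KI2, S7(L1) ^ TR(R1) ^ KI1          # round 2 (key mixing)
    L3, R3 = R2, S9(L2) ^ ZE(R2)                      # round 3
    L4, R4 = S7(L3) ^ TR(R3), R3                      # round 4
    return (L4 << 9) | R4                             # 7-bit L4 || 9-bit R4

def fi_closed_form(I, KI, S7=S7_DEMO, S9=S9_DEMO):
    """Direct evaluation of the expanded expressions (2.11)."""
    L0, R0 = split_input(I)
    KI1, KI2 = split_key(KI)
    R1 = S9(L0) ^ ZE(R0)
    inner7 = S7(R0) ^ TR(S9(L0) ^ ZE(R0)) ^ KI1       # the recurring 7-bit term R2
    L4 = S7(inner7) ^ TR(S9(S9(L0) ^ ZE(R0) ^ KI2) ^ ZE(inner7))
    R4 = S9(R1 ^ KI2) ^ ZE(inner7)
    return (L4 << 9) | R4

def fi_is_bijective(KI, S7=S7_DEMO, S9=S9_DEMO):
    """True iff I -> FI(I, KI) is a permutation of the 16-bit inputs."""
    return len({fi_rounds(I, KI, S7, S9) for I in range(1 << 16)}) == 1 << 16

if __name__ == "__main__":
    I, KI = 0x1234, 0xABCD
    print(f"FI rounds = {fi_rounds(I, KI):04x}, closed form = {fi_closed_form(I, KI):04x}")
    print("bijective for this key:", fi_is_bijective(KI))
```

Each round of the ladder can be undone given the round before it (S9 and S7 are invertible, and the remaining terms are XORs of known values), which is why the whole of FI stays invertible; the example makes this observable by exhaustive check rather than by argument.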

Fig. 2.3 Structure of KASUMI cipher FI function.

2.2.3 DES Cipher

The Data Encryption Standard (DES) was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. DES operates on a 64-bit block of plaintext. After an initial permutation (IP), the block is broken into a right half (R_0) and a left half (L_0), each 32 bits long. Then there are 16 rounds of identical operations, called Function f or the Feistel function, in which the data are combined with the key. After the sixteenth round, the right and left halves are joined, and a final permutation (the inverse of the initial permutation, IP^{−1}) finishes off the algorithm. The Feistel function (f), depicted in Figure 2.5, operates on half a block (32 bits) at a time and consists of four stages:

1. Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.

2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys ( one for each round ) are derived from the main key using the key schedule.

3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the 8 S-boxes replaces its 6 input bits with 4 output bits according to a non-linear transformation, provided in the form of a lookup table.

4. Permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, each S-box's output bits are spread across 4 different S-boxes in the next round.

Fig. 2.4 Structure of DES cipher.

Fig. 2.5 The Feistel function of DES.

2.2.4 AES Cipher

The Advanced Encryption Standard (AES), also referenced as Rijndael (its original name), has been adopted by the U.S. government and is now used worldwide. It has superseded the Data Encryption Standard (DES) since 2002. The AES is a 128-bit Block Cipher, and supports secret key sizes of 128, 192 or 256 bits. We will describe the details of the AES with reference to a 128-bit key. The other variants are similar in nature. The 128-bit block of the AES is expressed as a matrix of 4 × 4 bytes called the state, in contrast to Mini-AES, which is expressed as a matrix of 2 × 2 nibbles. AES consists of 10 rounds, where each round is similar to the round of Mini-AES, with the last round having no MixColumn. There is also a KeyAddition prior to the first round. The purpose of the extra KeyAddition and the omission of MixColumn is so that encryption and decryption of the AES are similar in structure, which simplifies implementation. The round components of the AES are SubBytes, ShiftRow, MixColumn and KeyAddition. SubBytes is similar to NibbleSub, but operates on one byte instead of one nibble. Likewise, ShiftRow rotates each row of the input block to the left by different byte amounts. The first row is unchanged, the second rotated left by 1 byte, the third by 2 and the fourth by 3. MixColumn takes each column of the input block and multiplies it with a constant 4 × 4 matrix. KeyAddition is similar to that of Mini-AES. A high-level description of this algorithm would be:

1. KeyExpansions: round keys are derived from the cipher key using Rijndael’s key schedule. AES requires a separate 128-bit round key block for each round plus one more.

2. InitialRound

(a) AddRoundKey: each byte of the state is combined with a block of the round key using bit-wise xor.

3. Rounds

(a) SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
(b) ShiftRows: a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
(c) MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
(d) AddRoundKey

4. Final Round (no MixColumns)

(a) SubBytes
(b) ShiftRows
(c) AddRoundKey

The Mini-AES key schedule takes the 16-bit secret key and expresses it as a group of four nibbles. Meanwhile, the AES key schedule takes the 128-bit secret key and expresses it as a group of four 32-bit words. The 0th round key, K0 equals the secret key itself while each subsequent round key is derived from the secret key in almost the same way as Mini-AES.

Substitution or SubBytes Step

In the AES cipher, we break the 128-bit plaintext block into four 8-bit sub-blocks. Each sub-block forms an input to an 8 × 8 S-box (a substitution with 8 input and 8 output bits) called the Rijndael S-box S_RD. It is represented in hexadecimal notation as shown in Figure 2.6. There the column is determined by the least significant nibble (four-bit aggregation), and the row is determined by the most significant nibble. For example, the value 0x9a is converted into 0xb8 by the Rijndael S-box. Note that the multiplicative inverse of 0x00 is defined as itself.

Permutation

The permutation of AES is given by two steps: ShiftRows and MixColumns. Note that there would be no MixColumns in the last round.

Fig. 2.6 Rijndael S-box S_RD.

ShiftRows step is a byte transposition that cyclically shifts the rows of the state (array of bytes) over different offsets. MixColumns step is a bricklayer permutation operating on the state column by column.

Key Addition and AddRoundKey

To achieve the key addition, AES applies a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a round key) and the data block input to a round.

2.3 VBF (Vector Boolean Functions) library

2.3.1 Features

The main features of the VBF library are the following:

• It is free/open source under the GPL. In this sense, we are aligned with the Sage project developers who affirm the following:

A standard rule in the mathematics community is that everything is laid open for inspection. The Sage project believes that not doing the same for mathematics software is at best a gesture of impoliteness and rudeness, and at worst a violation against standard scientific practices. An underlying philosophical principle of Sage is to apply the system of open exchange and peer review that characterizes scientific communication to the development of mathematics software. Neither the Sage project nor the Sage Development Team make any claims to being the original proponents of this principle. The development model of Sage is largely inspired by the free software movement as spearheaded by the Free Software Foundation, and by the open source movement. One source of inspiration from within the mathematics community is Joachim Neubuser as expressed in the paper [109] and in particular the following quotation from his paper: "You can read Sylow's Theorem and its proof in Huppert's book in the library without even buying the book and then you can use Sylow's Theorem for the rest of your life free of charge, but...for many computer algebra systems license fees have to be paid regularly for the total time of their use. In order to protect what you pay for, you do not get the source, but only an executable, i.e. a black box. You can press buttons and you get answers in the same way as you get the bright pictures from your television set but you cannot control how they were made in either case. With this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking. Not applying these rules to computer algebra systems that are made for mathematical research...means moving in a most undesirable direction. Most important: Can we expect somebody to believe a result of a program that he is not allowed to see? Moreover: Do we really want to charge colleagues in Moldava several years of their salary for a computer algebra system?" Similar sentiments were also expressed by Andrei Okounkov as can be found in [110], in particular the following quotation: "Computers are no more a threat to mathematicians than food processors are a threat to cooks. As mathematics gets more and more complex while the pace of our lives accelerates, we must delegate as much as we can to machines. And I mean both numeric and symbolic work. Some people can manage without dishwashers, but I think proofs come out a lot cleaner when routine work is automated. This brings up many issues. I am not an expert, but I think we need a symbolic standard to make computer manipulations easier to document and verify. And with all due respect to the free market, perhaps we should not be dependent on commercial software here. An open-source project could, perhaps, find better answers to the obvious problems such as availability, bugs, backward compatibility, platform independence, standard libraries, etc. One can learn from the success of TeX and more specialized software like Macaulay2. I do hope that funding agencies are looking into this."

• It is a library allowing us to use it in conjunction with other tools and libraries.

• It is implemented in the C++ language. The main advantages of this language are derived from the object oriented implementation and the use of effective algorithms; such advantages are: reusability, maintainability, extensibility and flexibility in the analysis of a broad range of Vector Boolean functions employed in symmetric ciphers. The size of the Vector Boolean functions that can be analyzed by VBF is restricted by the computational resources (memory, disk space, CPU, ...) of the platform on which it is executed. However, the maximum value for n and m to be handled by the different functions is conditioned by the maximum value attainable by long int variables (for the computer employed in this work, it is approximately $2^{30}$, so that $n_{max} = m_{max} \approx 30$). Note that, although functions of this size would be compatible with the VBF resource management procedures, the run time requirements for computing the characteristics would exceed any realistic bound.

• It can be easily installed in several platforms such as Windows, Linux and MacOS among others.

• It makes use of some modules from the well-known Number Theory Library NTL implemented by Victor Shoup (VBF works with any version of NTL, up to the latest one [111]). A preliminary version of VBF, lacking several of the modules and features in the current package, was presented in [5]. NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, as well as vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:

1. It is free software, and may be used according to the terms of the GNU General Public License.

2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.

3. It may be easily installed in a wide range of platforms.

4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.

The core of the VBF library is the VBF class, which represents Vector Boolean functions; its data members and member functions make use of the NTL modules listed in Table 2.4. However, some new cryptography-related member functions were added to the previous modules. New modules, which are not present in NTL, are defined and they are listed in Table 2.5. The main file in the library, called VBF.h, has the definitions of the objects described in the next subsection and makes use of the cited modules.

The process of development of the VBF library consisted in four steps:

1. To study the most common representation methods employed in modern cryptosystems.

2. To compile and elaborate cryptographic criteria for Vector Boolean functions.

3. To analyse the structure of modern cryptographic algorithms in order to identify the most common interconnections among their subsystems. It is important to understand the behaviour of the representations, characterizations and criteria of a cryptosystem in terms of the representations, characterizations and criteria of its subsystems.

4. To develop algorithms to load representations, calculate their characterizations and criteria, and apply constructions to subsystems.

Table 2.4 NTL modules used in VBF.

CLASS NAME   DESCRIPTION
GF2          Galois Field of order 2 denoted by GF(2)
vec_GF2      Vectors over GF(2)
mat_GF2      Matrices over GF(2)
RR           Arbitrary-precision floating point numbers
vec_RR       Vectors over reals
mat_RR       Matrices over reals
ZZ           Signed, arbitrary length integers
vec_ZZ       Vectors over integers
mat_ZZ       Matrices over integers
GF2X         Implements polynomial arithmetic modulo 2
GF2E         Polynomials in F2[X] modulo a polynomial P
GF2EX        Polynomials over GF2E
vec_GF2E     Vectors over GF2E

Table 2.5 New modules created for VBF.

CLASS NAME   DESCRIPTION
pol          Polynomial in ANF of a Boolean Function
vec_pol      Polynomials in ANF of a Vector Boolean Function

2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software

To support our own contributions, we will now survey previous research on the analysis of Vector Boolean functions from the cryptographic point of view. At the present time, several other packages are available, for example:

1. CrypTool [44] is a free, open-source e-learning application, used in the implementation and analysis of cryptographic algorithms. It provides cryptanalytical measurement methods (entropy, n-grams, autocorrelation, etc.) but it does not allow the calculation of cryptographic criteria. The current release version, CrypTool 2, is based on the latest .NET Framework (currently .NET 4.0) and it has a pure-plugin architecture. There is also another project called JCrypTool developed in Java and based on Eclipse RCP.

2. Matpack [90] is a C++ numerics and graphics library implementing computational methods that are needed in engineering. The cryptographic algorithms are included in the commercial library; these can only be used to analyze some cryptographic properties of Boolean functions and do not address Vector Boolean functions.

3. In [12], a system for assisting analysis of some criteria of DES-like ciphers is described. This system analyzes only a small subset of the criteria considered by VBF.

4. bma [122] outputs the value table, Walsh Spectrum (WS) (a generalized Fourier spectrum), linear profile, differential profile, and some linearity/nonlinearity measures, given the ANF of a Vector Boolean function. It is an open-source executable program written in C, computationally very efficient for specific S-boxes analysis.

5. The boolfun package [14] is open source software, written in R, to assess cryptographic properties of Boolean functions. It implements three representations: Truth Table, ANF and WS. It can calculate cryptographic properties of Boolean functions that are relevant for the design of stream ciphers (i.e., cryptographic pseudo-random generators), namely nonlinearity, algebraic immunity, correlation immunity and resiliency. Unfortunately it does not provide specific tools for analyzing vector functions.

6. Sage [132] is free open source mathematical software that supports research and teaching in algebra, geometry, number theory, cryptography, and related areas. The Cryptography module contains some descriptions of classical ciphers and simplified modern ciphers such as Simplified DES and Mini-AES. Compared with the VBF library, SAGE lacks much useful functionality.

In summary, the packages cited above present one (or more) of the following disadvantages: they are commercial, they do not benefit from the new paradigms of object orientation and generic programming, or they do not cover the broad spectrum of representations and cryptographic criteria for both Boolean and Vector Boolean functions that VBF does. The aim of the VBF package presented in this thesis is to provide an easy-to-use tool both for the designer and the cryptanalyst of symmetric ciphers. The user only needs to code the basic features related to the Vector Boolean functions associated with a cipher (e.g., Truth Table, ANF table, polynomial in ANF, etc.). The following chapter analyses the possible representations and characterizations of Boolean functions with the aim of their efficient management via the VBF library.

Chapter 3

Representations and Characterizations

This chapter presents a review of theory relevant to the study of the typical forms of Vector Boolean function representations and characterizations. We will consider as representations those that uniquely represent a Vector Boolean function. Characterizations do not uniquely determine the Vector Boolean function, in contrast to the previous matrices, but provide some useful information in the context of cryptography. Representations included in this chapter are the Truth Table (TT), the polynomials in Algebraic Normal Form (Pol) and ANF Table (ANF), the Image (Char), Component functions Truth Table (LTT), Sequence vectors of Component functions (CTT), the Trace Representation (Trace) and Affine function Representation. A definition for all these representations is given and the relationships among them and their various properties are also discussed. Characterizations such as Linear Profile (LP), Differential Profile (DP), Autocorrelation Spectrum (AC), Linear Structures (LS) are introduced. A definition for all these characterizations is given and the relationships among them and the above representations and their various properties are also discussed. The basic concepts of linear and differential cryptanalysis are introduced in terms of the Linear Profile and Differential Profile, together with other properties related with these attacks, such as: linear potential, differential potential, linear or differential relations associated with a specific value. Affine equivalence analysis of Boolean functions by means of the VBF library is described. It is shown how to obtain the frequency distribution of the absolute values of the Walsh Spectrum and of the Autocorrelation Spectrum. It is possible to check the randomness of the outputs of a Vector Boolean function with VBF by means of its cycle structure, and the analysis of the presence of fixed points or negated fixed points.

Finally, some other representations useful in block ciphers are described such as the Permutation Vector (Per), Expansion and Compression DES permutations and DES-like S-box representations. The description of each representation and characterization is complemented with the description of the methods in VBF related to them. Most of the member functions of VBF have an in-line definition; for instance, void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F). Figure 3.1 summarizes the relationships among the different representations.

Fig. 3.1 Relationships among representations and characterizations of a Vector Boolean function.

The representations which are Boolean matrices are coloured in red, those which are Integer matrices are coloured in blue, those that are vectors of integers are coloured in yellow and those which are polynomials are coloured in green. In this chapter we apply VBF library methods to find out representations and characterizations of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of representations and characterizations of modern cryptographic algorithms apart from those described in this chapter.

3.1 Truth Table

3.1.1 Description

A Vector Boolean function $F \in F_{n,m}$ can be uniquely represented by its Truth Table, which is a matrix with $2^n$ rows and m columns whose elements are the values of F taken on all possible vectors of $V_n$ ordered lexicographically.

Definition 3.1.1. Let $F \in F_{n,m}$; if we take into account the one-to-one mapping of $V_n$ onto the set of integers as defined in theorem A.1.1, we are able to define any Vector Boolean function by the corresponding set of values:

$$F(\alpha_i) \in V_m \quad \forall i \in \{0,\ldots,2^n-1\} \quad (3.1)$$

The matrix with $2^n$ rows and m columns will be referred to as the Truth Table of F and will be generally written as $TT_F$:

$$TT_F = \begin{pmatrix} f_1(\alpha_0) & \ldots & f_m(\alpha_0) \\ f_1(\alpha_1) & \ldots & f_m(\alpha_1) \\ \vdots & & \vdots \\ f_1(\alpha_{2^n-1}) & \ldots & f_m(\alpha_{2^n-1}) \end{pmatrix} \quad (3.2)$$

where each $\alpha_i = (x_1,\ldots,x_n) \in V_n$, $i \in \{1,\ldots,2^n-1\}$, is a vector whose decimal equivalent is $\mathrm{dec}(\alpha_i) = i = \sum_{j=1}^{n} x_j 2^{n-j}$, and all the vectors of $V_n$ can be listed so that $\alpha_0 < \alpha_1 < \cdots < \alpha_{2^n-1}$.

As a total order is defined over the assignments (inputs) of the Vector Boolean function, the Truth Table can be uniquely represented by this matrix. Any function F can be uniquely described by its Truth Table $TT_F \in M_{2^n \times m}(GF(2))$ (or by the Truth Tables of its coordinate functions $TT_{f_i}$, $i \in \{1,\ldots,m\}$) and it holds that:

$$\gamma : F_{n,m} \to M_{2^n \times m}(GF(2)), \qquad F \mapsto TT_F \quad (3.3)$$

is an isomorphism between the vector spaces $F_{n,m}$ and $M_{2^n \times m}(GF(2))$, so that $\#F_{n,m} = 2^{2^n \cdot m}$. The Truth Table for an n-variable Boolean function f should be in lexicographical form, i.e., $TT_f = (f(0), f(1), f(2), \ldots, f(2^n-1))$. Since the Truth Table length might be too large, we represent it in hexadecimal rather than in binary notation. The hexadecimal Truth Table is obtained by replacing each four bits by their corresponding hexadecimal form. For instance, to enter $TT_f = (0,0,1,1,1,1,1,1)$ one should just write $TT_f = 3f$.

The distance between two Vector Boolean functions $F, G \in F_{n,m}$ is defined as the number of bits that are different in their respective Truth Tables:

$$d(F,G) = \sum_{x \in V_n} d(F(x),G(x)) \quad (3.4)$$

where $d(F(x),G(x))$ is the Hamming distance between the two vectors $F(x), G(x) \in V_m$. The weight of a Vector Boolean function $F \in F_{n,m}$ is equal to the distance between F and the corresponding zero Vector Boolean function $0 \in F_{n,m}$ where $0(x) = 0$ $\forall x \in V_n$. In order to obtain certain characterizations (such as the Autocorrelation Spectrum), it is important to take into account two additional representations related to the Truth Table: LTT and CTT.

We will denote by LTT of $F \in F_{n,m}$ the matrix whose columns are the Truth Tables of the $2^m$ component functions of F. We will denote by CTT of F the matrix whose columns are the sequence vectors of the $2^m$ component functions of F¹.

3.1.2 Library

A VBF class can be initialized by a Boolean Matrix representing the Truth Table with the following method: void puttt(const NTL::mat_GF2& T)

To obtain the Truth Table of a Vector Boolean function the following method must be used: void TT(NTL::mat_GF2& X, VBF& F)

A VBF class can be initialized by a collection of strings separated by carriage returns defined by s with the following method: void putHexTT(istream& s)

Each row must be the hexadecimal representation of the Truth Table of the coordinate functions of a Vector Boolean function. To obtain the Truth Table in hexadecimal representation the following method must be used: void getHexTT(ostream& s)

¹ Sometimes it is called the Polarity Truth Table.

Analogously, a VBF class can be initialized by a collection of strings with the binary representation of the Truth Table of the coordinate functions: void putBinTT(istream& s)

To obtain its Truth Table in binary representation the following method must be used: void getBinTT(ostream& s)

A VBF class can be initialized by a vector representing the decimal representation of the Truth Table of a Vector Boolean function, defined by a vector of outputs in lexicographic order, called d, and knowing the number of component Boolean functions m: void putDecTT(const NTL::vec_long& d,const long& m)

To obtain the Truth Table in decimal representation the following method must be used:

NTL::vec_long getDecTT() const

To obtain the weight of a Vector Boolean function F the following method must be used: void weight(long& w, VBF& F)

A VBF class can be initialized by a Boolean Matrix representing the Truth Table of their component functions with the following method: void putltt(const NTL::mat_GF2& L)

To obtain the Truth Table of the component functions of a Vector Boolean function the following method must be used: void LTT(NTL::mat_GF2& X, VBF& F)

A VBF class can be initialized by a Boolean Matrix representing its Polarity Truth Table with the following method: void putctt(const NTL::mat_ZZ& C)

To obtain the Polarity Truth Table of a Vector Boolean function the following method must be used: void CTT(NTL::mat_ZZ& X, VBF& F)

Example 3.1.1. The Truth Table of the NibbleSub S-box described in Table 2.1 is the following:

[[1 1 1 0]
[0 1 0 0]
[1 1 0 1]
[0 0 0 1]
[0 0 1 0]
[1 1 1 1]
[1 0 1 1]
[1 0 0 0]
[0 0 1 1]
[1 0 1 0]
[0 1 1 0]
[1 1 0 0]
[0 1 0 1]
[1 0 0 1]
[0 0 0 0]
[0 1 1 1]
]

If we use a file with this matrix as the input of the following program, we can obtain its hexadecimal, binary and decimal representations, as well as the Truth Tables of the component functions and its Polarity Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The hexadecimal representation is: " << endl;
   F.getHexTT(cout);

   cout << endl << "The binary representation is: " << endl;
   F.getBinTT(cout);

   cout << endl << "The decimal representation is: " << endl
        << F.getDecTT() << endl;

   cout << endl << "The Truth Table of the component functions is: " << endl
        << LTT(F) << endl;

   cout << endl << "The Polarity Truth Table is: " << endl
        << CTT(F) << endl;

   return 0;
}

The output of this program would be:

The hexadecimal representation is:
a754
e439
8ee1
368d

The binary representation is:
1010011101010100
1110010000111001
1000111011100001
0011011010001101

The decimal representation is:
[14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7]

The Truth Table of the component functions is:
[[0 0 1 1 1 1 0 0 1 1 0 0 0 0 1 1]
[0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1]
[0 1 0 1 1 0 1 0 1 0 1 0 0 1 0 1]
[0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1]
[0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1]
[0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0]
[0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1]
[0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1]
[0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0]
[0 0 1 1 0 0 1 1 1 1 0 0 1 1 0 0]
[0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0]
[0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0]
[0 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0]
[0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1]
]

The Polarity Truth Table is:
[[1 1 -1 -1 -1 -1 1 1 -1 -1 1 1 1 1 -1 -1]
[1 1 1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1]
[1 -1 1 -1 -1 1 -1 1 -1 1 -1 1 1 -1 1 -1]
[1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1]
[1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1]
[1 -1 -1 1 -1 1 1 -1 -1 1 1 -1 1 -1 -1 1]
[1 -1 -1 1 1 -1 -1 1 -1 1 1 -1 -1 1 1 -1]
[1 1 1 1 1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1]
[1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1]
[1 1 -1 -1 1 1 -1 -1 -1 -1 1 1 -1 -1 1 1]
[1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1 1 1]
[1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1 1 1 1 1]
[1 -1 1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1]
[1 -1 1 -1 1 -1 1 -1 -1 1 -1 1 -1 1 -1 1]
[1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]
[1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1 1 -1]
]
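As an added example (not code from the VBF library), the following Python reproduces the representations of Example 3.1.1 directly from the NibbleSub outputs: the hexadecimal rows and their parser, the decimal form, the weight, the LTT and the CTT; the function names and the bit conventions (x1 as the most significant bit of the row index, the same ordering for the component index u) are assumptions of this example, not the VBF API.

```python
# Added example (not code from the VBF library): the representations of
# Section 3.1 computed for NibbleSub (Table 2.1), so the values can be compared
# with the output of Example 3.1.1.  Conventions follow the thesis: the row index
# of the Truth Table is dec(alpha_i) with x1 as the most significant bit, and the
# 2^m component functions u.F are indexed by u in V_m in the same way.

# NibbleSub outputs in lexicographic order of the inputs 0000 .. 1111.
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def truth_table(outputs, m):
    """TT_F: 2^n rows and m columns; column j-1 holds the coordinate f_j."""
    return [[(y >> (m - 1 - j)) & 1 for j in range(m)] for y in outputs]


def coordinate(tt, j):
    """Truth Table of the coordinate function f_(j+1) as a bit list."""
    return [row[j] for row in tt]


def hex_tt(tt):
    """One hexadecimal string per coordinate function (the getHexTT layout):
    every group of four consecutive bits becomes one hex digit."""
    rows = []
    for j in range(len(tt[0])):
        bits = coordinate(tt, j)
        digits = [int("".join(map(str, bits[k:k + 4])), 2)
                  for k in range(0, len(bits), 4)]
        rows.append("".join("%x" % d for d in digits))
    return rows


def parse_hex_tt(lines):
    """Inverse of hex_tt (the putHexTT layout): rebuild TT_F from hex rows."""
    cols = []
    for line in lines:
        bits = []
        for ch in line.strip():
            bits.extend(int(b) for b in format(int(ch, 16), "04b"))
        cols.append(bits)
    return [[cols[j][i] for j in range(len(cols))] for i in range(len(cols[0]))]


def decimal_tt(tt):
    """getDecTT layout: each row of TT_F read as a binary number."""
    return [int("".join(map(str, row)), 2) for row in tt]


def weight(tt):
    """Number of ones in TT_F, i.e. the distance (3.4) from the zero function."""
    return sum(sum(row) for row in tt)


def ltt(tt):
    """Truth Tables of all 2^m component functions u.F (one column per u)."""
    m = len(tt[0])
    return [[bin(u & y).count("1") & 1 for u in range(1 << m)]
            for y in decimal_tt(tt)]


def ctt(tt):
    """Polarity Truth Table: the sequences (-1)^(u.F(x)) of the component functions."""
    return [[1 - 2 * b for b in row] for row in ltt(tt)]


if __name__ == "__main__":
    T = truth_table(NIBBLESUB, 4)
    print("hex:", " ".join(hex_tt(T)))
    print("dec:", decimal_tt(T))
    print("LTT row 0:", ltt(T)[0])
    print("CTT row 0:", ctt(T)[0])
```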

3.2 Trace Representation

3.2.1 Description

We identify a Boolean function in n variables with a function from $GF(2^n)$ to $GF(2)$ and a Vector Boolean function in n variables with a function from $GF(2^n)$ to $GF(2^n)$. A trace is a function over a finite field $GF(2^n)$ defined as follows:

$$\mathrm{tr}(x) = \sum_{i=0}^{n-1} x^{2^i} \quad (3.5)$$

Since there is an isomorphism between $V_n$ and $GF(2^n)$ (see section A.3.3), it is possible to identify the trace function with a Boolean function in n variables. Analogously, a Vector Boolean function can be identified with a trace as follows:

Definition 3.2.1. When m = n, we endow $V_n$ with the structure of the field $GF(2^n)$. Any $F \in F_{n,n}$ admits a unique univariate polynomial representation over $GF(2^n)$, of degree at most $2^n - 1$:

$$F(x) = \sum_{i=0}^{2^n-1} \delta_i x^i, \qquad \delta_i \in GF(2^n) \quad (3.6)$$

A general way to derive this polynomial representation is given by a Lagrange interpolation from the knowledge of the irreducible polynomial of degree n over GF(2) associated with the field $GF(2^n)$ and the Truth Table of F. The attack of [74] is efficient when the degree of the univariate polynomial representation of the S-box over $GF(2^n)$ is low or when the distance of the S-box to the set of low univariate degree functions is small. This attack exploits the low degree of the algebraic relation between some input (respectively output) and intermediate data to infer some key bits relating the output (respectively input) and the intermediate data.

3.2.2 Library

A VBF class can be initialized giving its trace f and the irreducible polynomial g with the following methods:

void putirrpol(GF2X& g)
void puttrace(string& f)

To obtain a Vector Boolean function trace representation the following method must be used:

void Trace(GF2EX& f, VBF& F)

and to print the trace representation use the following method:

void print(NTL_SNS ostream& s, GF2EX& f, const long& m)

Example 3.2.1. Let $GF(2^4)$ be constructed with the irreducible polynomial defined in Mini-AES, $g(x) = x^4 + x + 1$. The element x is primitive (check that all its powers from the first to the fourteenth are distinct). We denote it by α. Below we show how to calculate the trace of each element of the field $GF(2^4)$. In the last column, the vector of values of the NibbleSub S-box corresponding to this trace representation:

$$5x^{14} + 7x^{13} + ex^{12} + fx^{11} + 7x^{10} + 6x^9 + cx^8 + 5x^7 + 9x^6 + ax^5 + 7x^4 + 8x^3 + ax^2 + 7x + e \quad (3.7)$$

is presented.

Example 3.2.2. The following program provides the Trace representation over $GF(2^n)$ of a Vector Boolean function with Truth Table in a file with extension ".tt". $GF(2^n)$ is constructed with the irreducible polynomial whose corresponding GF2X representation is in a file with extension ".irr". The class GF2X implements polynomial arithmetic modulo 2 and a polynomial is represented as a coefficient vector.

#include <iostream>
#include <fstream>
#include <cstdio>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;
   GF2X g;
   GF2EX f;
   int d;
   char file[33];

   // snprintf bounds the copy to the buffer size; sprintf would overflow
   // file[] for a long argv[1]
   snprintf(file, sizeof(file), "%s.irr", argv[1]);
   ifstream input1(file);
   if(!input1) {
      cerr << "Error opening " << file << endl;
      return 0;
   }
   input1 >> g;
   F.putirrpol(g);
   input1.close();

   snprintf(file, sizeof(file), "%s.tt", argv[1]);
   ifstream input(file);
   if(!input) {
      cerr << "Error opening " << file << endl;
      return 0;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The trace representation is " << endl;
   f = Trace(F);
   d = deg(g);
   print(cout,f,d);

   return 0;
}

Table 3.1 Identification of a coordinate function of NibbleSub with trace function.

Vector  Polynomial         α^k    tr(·)                                                      NibbleSub
0000    0                  −      0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + e    e
0001    1                  α^0    5 + 7 + e + f + 7 + 6 + c + 5 + 9 + a + 7 + 8 + a + 7 + e    4
0010    x                  α^1    P(α^1)                                                     d
0011    x + 1              α^4    P(α^4)                                                     1
0100    x^2                α^2    P(α^2)                                                     2
0101    x^2 + 1            α^8    P(α^8)                                                     f
0110    x^2 + x            α^5    P(α^5)                                                     b
0111    x^2 + x + 1        α^10   P(α^10)                                                    8
1000    x^3                α^3    P(α^3)                                                     3
1001    x^3 + 1            α^14   P(α^14)                                                    a
1010    x^3 + x            α^9    P(α^9)                                                     6
1011    x^3 + x + 1        α^7    P(α^7)                                                     c
1100    x^3 + x^2          α^6    P(α^6)                                                     5
1101    x^3 + x^2 + 1      α^13   P(α^13)                                                    9
1110    x^3 + x^2 + x      α^11   P(α^11)                                                    0
1111    x^3 + x^2 + x + 1  α^12   P(α^12)                                                    7

Here P(α^k) abbreviates the polynomial (3.7) evaluated at α^k, that is, $5\alpha^{14k} + 7\alpha^{13k} + e\alpha^{12k} + f\alpha^{11k} + 7\alpha^{10k} + 6\alpha^{9k} + c\alpha^{8k} + 5\alpha^{7k} + 9\alpha^{6k} + a\alpha^{5k} + 7\alpha^{4k} + 8\alpha^{3k} + a\alpha^{2k} + 7\alpha^{k} + e$.

In this cipher, $GF(2^8)$ is constructed with the irreducible polynomial $g(x) = x^8 + x^4 + x^3 + x + 1$. The inputs of this program would be the Truth Table of the Rijndael S-box $S_{RD}$ (described in Figure 2.6), provided in a file with extension ".tt", and the corresponding GF2X representation of g, [110110001], provided in a file with extension ".irr". The output of the program would be a GF2EX, which represents polynomials over GF2E; hence, it can be used, for example, for arithmetic in $GF(2^n)$:

$$05 \cdot x^{254} + 09 \cdot x^{253} + f9 \cdot x^{251} + 25 \cdot x^{247} + f4 \cdot x^{239} + 01 \cdot x^{223} + b5 \cdot x^{191} + 8f \cdot x^{127} + 63 \quad (3.8)$$

where the coefficients are elements of $GF(2^8)$.
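As an added example (not code from the VBF library), the following Python derives the univariate polynomial (3.6) of NibbleSub over $GF(2^4)$ with the Mini-AES polynomial of Example 3.2.1, reproducing (3.7) and the α^k column of Table 3.1; the field arithmetic, the closed-form coefficient formula and all function names are this example's own assumptions, not the library's Trace implementation.

```python
# Added example (not code from the VBF library): the univariate polynomial
# representation (3.6) of NibbleSub over GF(2^4) built with the Mini-AES
# polynomial g(x) = x^4 + x + 1, as in Example 3.2.1 and Table 3.1.  Field
# elements are integers whose bit k is the coefficient of x^k.  Rather than a
# generic Lagrange interpolation it uses the closed form the interpolation
# yields in characteristic 2 (every binomial coefficient C(2^n-1, j) is odd):
#   delta_0 = F(0),  delta_{2^n-1} = sum_x F(x),  delta_i = sum_{x != 0} F(x) x^{-i}.

NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N = 4            # GF(2^4)
IRR = 0b10011    # g(x) = x^4 + x + 1 (GF2X coefficient vector [1 1 0 0 1])


def gf_mul(a, b):
    """Product in GF(2^N): shift-and-add with reduction modulo g(x)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= IRR
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    """a^(2^N - 2) is the inverse of a != 0, because a^(2^N - 1) = 1."""
    return gf_pow(a, (1 << N) - 2)


def alpha_powers():
    """alpha = x (value 2) as alpha^0 .. alpha^(2^N-2): the alpha^k column of Table 3.1."""
    return [gf_pow(2, k) for k in range((1 << N) - 1)]


def univariate_coeffs(sbox):
    """delta_0 .. delta_{2^N-1} of F(x) = sum delta_i x^i, equation (3.6)."""
    q = 1 << N
    delta = [0] * q
    delta[0] = sbox[0]
    for y in sbox:
        delta[q - 1] ^= y
    for i in range(1, q - 1):
        c = 0
        for x in range(1, q):
            c ^= gf_mul(sbox[x], gf_pow(gf_inv(x), i))
        delta[i] = c
    return delta


def evaluate(delta, x):
    """Horner evaluation of sum delta_i x^i in GF(2^N)."""
    r = 0
    for c in reversed(delta):
        r = gf_mul(r, x) ^ c
    return r


def format_poly(delta):
    """Print in the style of (3.7): hex coefficient followed by the power of x."""
    terms = []
    for i in range(len(delta) - 1, -1, -1):
        if delta[i]:
            power = "x^%d" % i if i > 1 else ("x" if i == 1 else "")
            terms.append("%x" % delta[i] + power)
    return " + ".join(terms)


if __name__ == "__main__":
    d = univariate_coeffs(NIBBLESUB)
    print(format_poly(d))
    ok = sum(evaluate(d, x) == NIBBLESUB[x] for x in range(1 << N))
    print(ok, "of", 1 << N, "S-box values reproduced by the polynomial")
```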

3.3 Polynomials in ANF

3.3.1 Description

Definition 3.3.1. Any Vector Boolean function $F \in F_{n,m}$ can be uniquely represented by m multivariate polynomials over GF(2) (called coordinate functions) where each variable has power at most one. Each of these polynomials can be expressed as a sum of all distinct kth-order product terms ($0 < k \le n$) of the variables in the form:

$$f(x_1,\ldots,x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n + a_{12} x_1 x_2 + \cdots + a_{n-1,n} x_{n-1} x_n + \cdots + a_{12\ldots n} x_1 x_2 \ldots x_n = \sum_{I \in P(N)} a_I \Big(\prod_{i \in I} x_i\Big) = \sum_{I \in P(N)} a_I x^I, \qquad a_I \in GF(2) \quad (3.9)$$

where P(N) denotes the power set of $N = \{1,\ldots,n\}$. This representation of f is called the algebraic normal form (ANF) of f. The algebraic normal form is thus a set of multivariate polynomials and the constant functions (those obtained by decomposition) are the coefficients of the $2^n$ products of input variables (i.e. monomials).

3.3.2 Library

A VBF class can be initialized giving its Polynomials in ANF with the following method: void putpol(vec_pol& p)

To obtain its representation as Polynomials in ANF, the following method must be used: void Pol(NTL_SNS ostream& s, VBF& F)

Example 3.3.1. The following program provides the Polynomials in ANF of a Vector Boolean function from its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;
   F.puttt(T);
   input.close();

   Pol(cout,F);

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

1+x4+x2+x2x3+x2x3x4+x1+x1x2+x1x2x3
1+x3x4+x2+x2x4+x1+x1x3+x1x3x4
1+x4+x3+x3x4+x2x4+x2x3+x1x4+x1x3+x1x2+x1x2x4+x1x2x3
x3+x2x4+x1+x1x4+x1x3x4

which corresponds to the coordinate functions of NibbleSub as follows:

$$\begin{aligned}
f_1(\mathrm{NibbleSub}) &= 1 + x_4 + x_2 + x_2x_3 + x_2x_3x_4 + x_1 + x_1x_2 + x_1x_2x_3 \\
f_2(\mathrm{NibbleSub}) &= 1 + x_3x_4 + x_2 + x_2x_4 + x_1 + x_1x_3 + x_1x_3x_4 \\
f_3(\mathrm{NibbleSub}) &= 1 + x_4 + x_3 + x_3x_4 + x_2x_4 + x_2x_3 + x_1x_4 + x_1x_3 + x_1x_2 + x_1x_2x_4 + x_1x_2x_3 \\
f_4(\mathrm{NibbleSub}) &= x_3 + x_2x_4 + x_1 + x_1x_4 + x_1x_3x_4
\end{aligned} \quad (3.10)$$

3.4 ANF Table

3.4.1 Description

Definition 3.4.1. The ANF table of F, denoted by $ANF_F \in M_{2^n \times m}(GF(2))$, represents the $2^n$ coefficients of the polynomials of each of the m coordinate functions in ANF.

The ANF table of F, denoted by $ANF_F \in M_{2^n \times m}(GF(2))$, is defined by:

$$ANF_F^i = ANF_{f_i} \qquad i \in \{1,\ldots,m\} \quad (3.11)$$

where $ANF_F^i$ is the i-th column of $ANF_F$.

The ANF Table can be derived from the Truth Table by a binary matrix transformation called the Algebraic Normal Form Transformation (implemented in the VBF library with the getanf method). The Truth Table can be obtained from the ANF Table using a method we call rev.

3.4.2 Library

A VBF class can be initialized giving its ANF table with the following method: void putanf(const NTL::mat_GF2& A)

To obtain its representation as ANF table, the following method must be used: void ANF(NTL::mat_GF2& X, VBF& F)

Example 3.4.1. The following program provides the ANF Table of a Vector Boolean function from its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The ANF Table is:" << endl;
   cout << ANF(F) << endl;

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The ANF Table is:
[[1 1 1 0]
[1 0 1 0]
[0 0 1 1]
[0 1 1 0]
[1 1 0 0]
[0 1 1 1]
[1 0 1 0]
[1 0 0 0]
[1 1 0 1]
[0 0 1 1]
[0 1 1 0]
[0 1 0 1]
[1 0 1 0]
[0 0 1 0]
[1 0 1 0]
[0 0 0 0]
]
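As an added example (not code from the VBF library), the following Python implements the Algebraic Normal Form Transformation of Section 3.4 as a Möbius transform, its inverse, and the printing of Section 3.3's polynomials in ANF, and checks both against the NibbleSub outputs of Examples 3.3.1 and 3.4.1; the function names and the monomial-index convention are assumptions of this example, not the getanf and rev methods themselves.

```python
# Added example (not code from the VBF library): the Algebraic Normal Form
# Transformation of Section 3.4 applied column by column to the Truth Table,
# its inverse, and the printing of the coordinate functions as polynomials in
# ANF in the layout of Section 3.3, all run on NibbleSub.  Convention of the
# thesis: row i of the ANF table holds the coefficient of the monomial whose
# variables are the set bits of i, with x1 the most significant bit.

NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def truth_table(outputs, m):
    """TT_F: 2^n rows and m columns; column j-1 holds the coordinate f_j."""
    return [[(y >> (m - 1 - j)) & 1 for j in range(m)] for y in outputs]


def anf_transform(column):
    """Moebius (ANF) transform of one Truth Table column in O(n 2^n) XORs.
    Over GF(2) the transform is an involution, so applying it to an ANF
    column returns the Truth Table (what the thesis calls rev)."""
    a = list(column)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a


def anf_table(tt):
    """ANF_F: column i is the ANF transform of the Truth Table of f_i."""
    m = len(tt[0])
    cols = [anf_transform([row[j] for row in tt]) for j in range(m)]
    return [[cols[j][i] for j in range(m)] for i in range(len(tt))]


def truth_table_from_anf(anf):
    """Inverse direction: the same transform applied to the ANF table."""
    return anf_table(anf)


def monomial(index, n):
    """Monomial with index i written as x1..xn products, e.g. 6 -> x2x3 for n = 4."""
    if index == 0:
        return "1"
    return "".join("x%d" % (j + 1) for j in range(n) if (index >> (n - 1 - j)) & 1)


def polynomials_in_anf(tt):
    """One polynomial string per coordinate, monomials in increasing index order."""
    n = len(tt).bit_length() - 1
    A = anf_table(tt)
    return ["+".join(monomial(i, n) for i in range(1 << n) if A[i][j])
            for j in range(len(tt[0]))]


def algebraic_degree(tt):
    """Largest number of variables in a monomial with a non-zero coefficient, per coordinate."""
    A = anf_table(tt)
    return [max(bin(i).count("1") for i in range(len(A)) if A[i][j])
            for j in range(len(tt[0]))]


if __name__ == "__main__":
    T = truth_table(NIBBLESUB, 4)
    for row in anf_table(T):
        print(row)
    for p in polynomials_in_anf(T):
        print(p)
    print("algebraic degrees:", algebraic_degree(T))
```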

3.5 Image

3.5.1 Description

Definition 3.5.1. The characteristic or indicator function of $F \in F_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \{0,1\}$, is defined by:

$$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \quad (3.12)$$

Definition 3.5.2. The Image of F can be represented by a matrix whose rows are indexed by $x \in V_n$ and whose columns are indexed by $y \in V_m$ in lexicographic order, denoted by $\mathrm{Img}(F) \in M_{2^n \times 2^m}(GF(2))$ and defined as follows:

$$\mathrm{Img}(F) = \begin{pmatrix} \theta_F(\alpha_0,\alpha_0) & \ldots & \theta_F(\alpha_0,\alpha_{2^m-1}) \\ \theta_F(\alpha_1,\alpha_0) & \ldots & \theta_F(\alpha_1,\alpha_{2^m-1}) \\ \vdots & & \vdots \\ \theta_F(\alpha_{2^n-1},\alpha_0) & \ldots & \theta_F(\alpha_{2^n-1},\alpha_{2^m-1}) \end{pmatrix} \quad (3.13)$$

where $\theta_F(x,y)$ is the value of the indicator function at (x,y).

Lemma 3.5.1. By equation 2.3, it is clear that all the rows of the matrix $\mathrm{Img}(F)$ have one element equal to one and the rest zero, that is, $\forall i \in \{1,\ldots,2^n\}$:

$$\mathrm{Img}(F)_i = \begin{bmatrix} a_{i1} & \ldots & a_{i2^m} \end{bmatrix} \quad (3.14)$$

where $\exists!\, j \in \{1,\ldots,2^m\}$ such that $a_{ij} = 1 \wedge (a_{ik} = 0\ \forall k \neq j \in \{1,\ldots,2^m\})$.

The Image of F can be derived from the Truth Table by a method implemented in the VBF library called charfunct. The Truth Table can be obtained from the characteristic function using a method we call truthtable.

3.5.2 Library

A VBF class can be initialized giving its Image with the following method:

void putchar(const NTL::mat_ZZ& C)

To obtain its representation as Image, the following method must be used:

void Charact(NTL::mat_ZZ& C, VBF& F)

Example 3.5.1. The following program provides the Image of a Vector Boolean function from its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Image is:" << endl;
   cout << Charact(F) << endl;

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The Image is:
[[0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0]
[0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0]
[0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1]
[0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0]
[0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0]
[0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0]
[0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0]
[0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0]
[1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0]
]

This matrix can be easily interpreted with the aid of Figure 3.2, in which the rows and columns are indexed with the corresponding vector: you can see, for instance, that the output of 0000 is 1110.

3.6 Walsh Spectrum

3.6.1 Description

Linear and affine functions are considered as cryptographically weak functions. It is important to measure if a Vector Boolean function has some similarity with these functions. The similarity is measured by means of correlation. The values of the Walsh Spectrum provide a measure of the correlation of the Vector Boolean function with the different Vector Boolean linear functions.

Fig. 3.2 Image representations of NibbleSub.

Walsh Spectrum of Boolean Functions

Definition 3.6.1. The matrix $H_n$ is the Walsh-Hadamard matrix of order $2^n$ if it is generated by the following recursive relation:

$$H_0 = 1, \qquad H_n = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix} \otimes H_{n-1} = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix} \qquad (3.15)$$

Theorem 3.6.1. Let $H_n$ be the Walsh-Hadamard matrix of order $2^n$; then the vectors associated with its columns constitute an orthogonal basis for $\mathbb{R}^{2^n}$ over $\mathbb{R}$, so that:

$$x H_n = y, \quad \forall x, y \in \mathbb{R}^{2^n} \qquad (3.16)$$

Corollary 3.6.2. Let $f \in \mathcal{F}_n$; its sequence $\xi_f \in \mathbb{R}^{2^n}$ can be defined as a linear combination of the sequences of all the linear functions over $V_n$, as they coincide with the rows of $H_n$:

$$\xi_f = a_{\alpha_0}\,\xi_{l_{\alpha_0}} + \cdots + a_{\alpha_{2^n-1}}\,\xi_{l_{\alpha_{2^n-1}}} \qquad (3.17)$$

where $a_u = \frac{1}{2^n} \langle \xi_f, \xi_{l_u} \rangle$.

Proof. $\langle \xi_f, \xi_{l_u} \rangle = 0 + \cdots + a_u \langle \xi_{l_u}, \xi_{l_u} \rangle + \cdots + 0 = a_u 2^n$.

Definition 3.6.2. Let $f \in \mathcal{F}_n$ be a Boolean function; the Walsh Transform of $f$ at $u \in V_n$ is the $n$-dimensional Discrete Fourier Transform and can be calculated as follows:

$$W_f(u) = \hat{\chi}_f(u) = \mathcal{W}\{\xi_f\}(u) = \langle \xi_f, \xi_{l_u} \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_u(x) \qquad (3.18)$$

or, as it is most often written:

$$W_f(u) = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} \qquad (3.19)$$

As a result, the Walsh Transform of $f \in \mathcal{F}_n$ at $u$ is the coefficient of the sequence of $f$ ($\xi_f$) with respect to the basis constituted by the sequences of the linear functions, scaled by a factor of $\frac{1}{2^n}$. If $W_f$ is the Walsh transform of $f$, we say that $\xi_f$ and $W_f$ form a Transform pair and write:

$$\xi_f \overset{\mathcal{W}}{\longleftrightarrow} W_f \quad (\xi_f \text{ corresponds to } W_f) \qquad (3.20)$$

The following properties can be derived from definition 3.6.2:

1. The value of the Walsh Transform of $f$ at $u = 0$ equals the sum of the values of its sequence. As a consequence it takes the value 0 if the number of 0's and 1's in the Truth Table of $f$ is the same. $\chi_0$ is the constant 1 function, so that:

$$\hat{\chi}_f(0) = \langle \xi_f, \xi_0 \rangle = \sum_{x \in V_n} (-1)^{f(x)} \qquad (3.21)$$

2. The value of the Walsh Transform of the constant function 1 is equal to $2^n$ at 0 and 0 at the rest of the inputs:

$$\hat{1}(u) = 2^n \delta(u) = \begin{cases} 2^n & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.22)$$

where $\delta(u)$ denotes the Kronecker delta function ($\delta(0) = 1$; $\delta(u) = 0$, $\forall u \neq 0$).

3. Let $c \in \mathcal{F}_n$ so that $c(x) = c$ $\forall x \in V_n$:

$$\hat{\chi}_c(u) = 2^n (-1)^c \delta(u) = \begin{cases} 2^n (-1)^c & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.23)$$

4. Let $f \in \mathcal{F}_n$ so that $f(x) = l_v(x) + c$ $\forall x \in V_n$ and $c \in GF(2)$:

$$\hat{\chi}_f(u) = 2^n (-1)^c \delta(u + v) = \begin{cases} 2^n (-1)^c & \text{if } u = v \\ 0 & \text{if } u \neq v \end{cases} \qquad (3.24)$$

Definition 3.6.3. The Walsh Spectrum of $f$ can be represented by a matrix whose rows are indexed by $u \in V_n$ in lexicographic order, denoted by $WS(f) \in \mathcal{M}_{2^n \times 1}(\mathbb{R})$ and defined as follows:

$$WS(f) = \begin{bmatrix} \hat{\chi}_f(\alpha_0) & \ldots & \hat{\chi}_f(u) & \ldots & \hat{\chi}_f(\alpha_{2^n-1}) \end{bmatrix}^T \qquad (3.25)$$

where $\hat{\chi}_f(u)$ is the value of the spectrum at $u$. A Boolean function is uniquely determined by its Walsh Spectrum.

Definition 3.6.4. The Inverse Walsh Transform of $f$ at $x \in V_n$ can be expressed as:

$$\mathcal{W}^{-1}_f(x) = \chi_f(x) = (-1)^{f(x)} = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\chi_u(x), \quad \forall x \in V_n \qquad (3.26)$$

or, as it is most often written:

$$\chi_f(x) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,(-1)^{u \cdot x} \qquad (3.27)$$

The following properties can be derived from definition 3.6.4:

1. The sum of the Walsh coefficients is either $2^n$ or $-2^n$ depending on the value of $f(0)$:

$$\sum_{u \in V_n} \hat{\chi}_f(u) = \begin{cases} 2^n & \text{if } f(0) = 0 \\ -2^n & \text{if } f(0) \neq 0 \end{cases} \qquad (3.28)$$

2. The values of the Walsh Spectrum give information about the distance from the linear and affine functions. If we analyze the summands that appear in (3.19), we notice the following:

$$(-1)^{f(x) + u \cdot x} = \begin{cases} 1 & \text{if } f(x) = u \cdot x \\ -1 & \text{if } f(x) \neq u \cdot x \end{cases}$$

If we denote by $L_f(u)$ the set $\{x \in V_n \mid f(x) = u \cdot x\}$, then we have $\hat{\chi}_f(u) = 2 \cdot \#L_f(u) - 2^n$, satisfying $-2^n \leq \hat{\chi}_f(u) \leq 2^n$, all values of $\hat{\chi}_f$ being even. The upper bound is achieved for the linear function associated to the vector $u$, denoted by $l_u$, because it holds that $\#L_f(u) = 2^n \Leftrightarrow f(x) = u \cdot x$. The lower bound is achieved for the affine function $l_u + 1$ associated to the vector $u$, because it holds that $\#L_f(u) = 0 \Leftrightarrow f(x) = u \cdot x + 1$.

3. If $f(x) = v \cdot x + c$, then:

$$L_f(u) = \{x \in V_n \mid v \cdot x + c = u \cdot x\} = \{x \in V_n \mid (u + v) \cdot x = c\} \qquad (3.29)$$

$$\#L_f(u) = \begin{cases} 2^n & \text{if } u = v \wedge c = 0 \\ 0 & \text{if } u = v \wedge c = 1 \\ 2^{n-1} & \text{if } u \neq v \end{cases}$$

4. Let $f, g \in \mathcal{F}_n$ with $d(f, g) = d$; then:

$$|\hat{\chi}_f(u) - \hat{\chi}_g(u)| \leq 2d, \quad \forall u \in V_n \qquad (3.30)$$

Hereunder we describe the Walsh Theorems, valid for all $f, g \in \mathcal{F}_n$, $x, x', u, u' \in V_n$ and $a, b \in \{-1, 1\}$:

Theorem 3.6.3 (Walsh Linearity Theorem). The Walsh Transform is a linear transform. Let $W_f$ and $W_g$ be the Walsh transforms of $f$ and $g$ respectively; then the Walsh Transform of any linear combination of their respective sequences $\xi_f$ and $\xi_g$ can be easily found:

$$a \cdot \xi_f + b \cdot \xi_g \overset{\mathcal{W}}{\longleftrightarrow} a \cdot W_f + b \cdot W_g \qquad (3.31)$$

Proof.

$$\mathcal{W}\{a \cdot \xi_f + b \cdot \xi_g\}(u) = a \cdot \langle \xi_f, \xi_{l_u} \rangle + b \cdot \langle \xi_g, \xi_{l_u} \rangle = a \cdot W_f(u) + b \cdot W_g(u)$$

Theorem 3.6.4 (Walsh Convolution/Correlation Theorem). The convolution (or correlation) in the sequence domain corresponds to the pointwise product in the Walsh domain:

$$\xi_f * \xi_g \overset{\mathcal{W}}{\longleftrightarrow} WS(f) \odot WS(g) \qquad (3.32)$$

Proof.

$$\begin{aligned} \mathcal{W}\{\xi_f * \xi_g\}(u) &= \sum_{x \in V_n} (\xi_f * \xi_g)(x)\,\chi_u(x) = \sum_{x \in V_n} \sum_{x' \in V_n} \chi_f(x')\,\chi_g(x + x')\,\chi_u(x) \\ &= \sum_{x' \in V_n} \chi_f(x') \sum_{x \in V_n} \chi_g(x + x')\,\chi_u(x) = \Big( \sum_{x' \in V_n} \chi_f(x')\,\chi_u(x') \Big) \cdot \Big( \sum_{t \in V_n} \chi_g(t)\,\chi_u(t) \Big) = \hat{\chi}_f(u) \cdot \hat{\chi}_g(u) \end{aligned}$$

Theorem 3.6.5 (Dual of the Walsh Convolution/Correlation Theorem or Modulation Theorem). The pointwise product in the sequence domain corresponds to the convolution (or correlation) in the Walsh domain scaled by a factor of $1/2^n$:

$$\xi_f \odot \xi_g \overset{\mathcal{W}}{\longleftrightarrow} \frac{1}{2^n}\, WS(f) * WS(g) \qquad (3.33)$$

Proof.

$$\begin{aligned} \mathcal{W}\{\xi_f \odot \xi_g\}(u) &= \sum_{x \in V_n} (\xi_f \odot \xi_g)(x)\,\chi_u(x) = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x)\,\chi_u(x) \\ &= \sum_{x \in V_n} \Big( \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u')\,\chi_{u'}(x) \Big) \chi_g(x)\,\chi_u(x) = \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u') \sum_{x \in V_n} \chi_{u'}(x)\,\chi_g(x)\,\chi_u(x) \\ &= \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u') \sum_{x \in V_n} \chi_g(x)\,\chi_{u + u'}(x) = \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u')\,\hat{\chi}_g(u + u') = \frac{1}{2^n} \big( WS(f) * WS(g) \big)(u) \end{aligned}$$

Theorem 3.6.6 (Walsh Power Theorem or Plancherel's Theorem).

$$\langle \xi_f, \xi_g \rangle = \frac{1}{2^n} \langle WS(f), WS(g) \rangle \qquad (3.34)$$

or alternatively:

$$\sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\hat{\chi}_g(u) \qquad (3.35)$$

Proof.

$$\langle \xi_f, \xi_g \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = \mathcal{W}^{-1}\{\widehat{(\xi_f * \xi_g)}\}(0) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\hat{\chi}_g(u) = \frac{1}{2^n} \langle WS(f), WS(g) \rangle$$

Theorem 3.6.7 (Walsh Rayleigh Energy Theorem or Parseval's Theorem).

$$|\xi_f|^2 = \frac{1}{2^n} |WS(f)|^2 \qquad (3.36)$$

or alternatively:

$$\varepsilon_f = \sum_{x \in V_n} |\chi_f(x)|^2 = \frac{1}{2^n} \sum_{u \in V_n} |\hat{\chi}_f(u)|^2 \qquad (3.37)$$

Corollary 3.6.8. The sum of the squares of the coefficients of the Walsh Spectrum is always $2^{2n}$:

$$\sum_{u \in V_n} |\hat{\chi}_f(u)|^2 = 2^{2n} \qquad (3.38)$$

Walsh Spectrum of Vector Boolean Functions

Definition 3.6.5. Let $F \in \mathcal{F}_{n,m}$ be a vector Boolean function; the Walsh Transform of $F$ is the two-dimensional Walsh Transform defined by:

$$W_F(u,v) = \hat{\theta}_F(u,v) = \mathcal{W}\{Img(F)\}(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_{(u,v)}(x,y) \qquad (3.39)$$

or, as it is most often written:

$$W_F(u,v) = \hat{\theta}_F(u,v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \qquad (3.40)$$

The following properties can be derived from definition 3.6.5:

1. The two-dimensional Walsh Transform is separable into two one-dimensional Walsh Transforms, satisfying $\forall (u,v) \in V_n \times V_m$:

$$\hat{\theta}_F(u,v) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,\chi_v(y) \Big) \chi_u(x) = \sum_{y \in V_m} \Big( \sum_{x \in V_n} \theta_F(x,y)\,\chi_u(x) \Big) \chi_v(y) \qquad (3.41)$$

Proof.

$$\hat{\theta}_F(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_{(u,v)}(x,y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_u(x)\,\chi_v(y)$$

2. The two-dimensional Walsh Transform can be calculated from the Walsh Transform of the component functions of $F$:

$$\hat{\theta}_F(u,v) = \hat{\chi}_{v \cdot F}(u) = \hat{\chi}_{l_v \circ F}(u) \quad \forall (u,v) \in V_n \times V_m \qquad (3.42)$$

Proof.

$$\begin{aligned} \hat{\theta}_F(u,v) &= \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,\chi_v(y) \Big) \chi_u(x) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x,y)\,(-1)^{v \cdot y} \Big) (-1)^{u \cdot x} \\ &= \sum_{x \in V_n} (-1)^{v \cdot F(x)} (-1)^{u \cdot x} = \sum_{x \in V_n} (-1)^{l_v(F(x))} (-1)^{u \cdot x} = \sum_{x \in V_n} (-1)^{(l_v \circ F)(x)} (-1)^{u \cdot x} = \hat{\chi}_{l_v \circ F}(u) \end{aligned}$$

3. The coefficient of the two-dimensional Walsh Transform of a Vector Boolean function at $(0,0)$ is always $2^n$: $\hat{\theta}_F(0,0) = 2^n$.

4. The Walsh transform of a Boolean function at $u$ coincides with the two-dimensional Walsh Transform of a Vector Boolean function with $m = 1$ at $(u,1)$. Let $F \in \mathcal{F}_{n,1}$; then $F \equiv f \in \mathcal{F}_n$ and:

$$\hat{\theta}_F(u,v) = \begin{cases} 2^n & \text{if } (u,v) = (0,0) \\ 0 & \text{if } u \neq 0 \wedge v = 0 \\ \hat{\chi}_f(u) & \text{if } v = 1 \end{cases} \qquad (3.43)$$

5. For every $v \in V_m$:

$$\sum_{u \in V_n} \hat{\theta}_F(u,v) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases} \quad \forall v \in V_m \qquad (3.44)$$

Proof.

$$\sum_{u \in V_n} \hat{\theta}_F(u,v) = \sum_{u \in V_n} \hat{\chi}_{v \cdot F}(u) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases}$$

6. If we analyze the summands that appear in equation (3.40), we notice the following:

$$(-1)^{u \cdot x + v \cdot F(x)} = \begin{cases} 1 & \text{if } u \cdot x = v \cdot F(x) \\ -1 & \text{if } u \cdot x \neq v \cdot F(x) \end{cases}$$

If we denote by $L_F(u,v)$ the set where the function $v \cdot F$ coincides with the linear form associated with $u$:

$$L_F(u,v) = \{x \in V_n \mid u \cdot x = v \cdot F(x)\} \qquad (3.45)$$

it holds that:

$$\hat{\theta}_F(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_u(x)\,\chi_v(y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,(-1)^{u \cdot x + v \cdot y} = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} = \#L_F(u,v) - \big( 2^n - \#L_F(u,v) \big)$$

so that:

$$\hat{\theta}_F(u,v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} = 2 \cdot \#L_F(u,v) - 2^n \qquad (3.46)$$

In particular, $-2^n \leq \hat{\theta}_F \leq 2^n$, where all values are even. The matrix containing all possible values of $|\#L_F(u,v) - 2^{n-1}|$ is referred to as its linear approximation table. The upper bound is achieved for the linear approximation of $F$ by $(u,v)$ because it holds that:

$$\#L_F(u,v) = 2^n \Leftrightarrow u \cdot x = v \cdot F(x) \qquad (3.47)$$

The lower bound is achieved for the affine approximation of $F$ by $(u,v)$ because it holds that:

$$\#L_F(u,v) = 0 \Leftrightarrow u \cdot x + 1 = v \cdot F(x) \qquad (3.48)$$

Definition 3.6.6. The Walsh Spectrum of $F$ can be represented by a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $WS(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ and defined as follows:

$$WS(F) = \begin{bmatrix} \hat{\theta}_F(\alpha_0, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_0, \alpha_{2^m-1}) \\ \hat{\theta}_F(\alpha_1, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_1, \alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \hat{\theta}_F(\alpha_{2^n-1}, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_{2^n-1}, \alpha_{2^m-1}) \end{bmatrix} \qquad (3.49)$$

where $\hat{\theta}_F(u,v)$ is the value of the spectrum at $(u,v)$.

By equation (3.42), we can deduce that the columns of this matrix are the spectra of the Boolean functions $l_v \circ F$ for all the linear functions $l_v \in \mathcal{L}_m$. The following properties can be derived from definitions 3.6.5 and 3.6.6:

1. Let $L_{A,b} \in \mathcal{F}_{n,m}$ be an affine function where $L_{A,b}(x) = Ax + b$ with $A \in \mathcal{M}_{n \times m}(GF(2))$ and $b \in V_m$; its spectrum holds that [122]:

$$\hat{\theta}_{L_{A,b}}(u,v) = 2 \cdot \#L_{L_{A,b}}(u,v) - 2^n = \begin{cases} 2^n & \text{if } v^T A = u^T,\ v^T b = 0 \\ -2^n & \text{if } v^T A = u^T,\ v^T b = 1 \\ 0 & \text{if } v^T A \neq u^T \end{cases} \qquad (3.50)$$

Each column of the spectrum of $L_{A,b}$ has exactly one nonzero coefficient, with value $2^n$ or $-2^n$.

Proof.

$$L_{L_{A,b}}(u,v) = \{x \in V_n \mid u^T x = v^T A x + v^T b\} = \{x \in V_n \mid (u^T - v^T A)\,x = v^T b\}$$

$$\#L_{L_{A,b}}(u,v) = \begin{cases} 2^n & \text{if } v^T A = u^T,\ v^T b = 0 \\ 0 & \text{if } v^T A = u^T,\ v^T b = 1 \\ 2^{n-1} & \text{if } v^T A \neq u^T \end{cases}$$

2. Let $F \in \mathcal{F}_{n,n}$ be an affine function where $F(x) = x + b$ with $b \in V_n$; its spectrum holds that:

$$\hat{\theta}_F(u,v) = 2 \cdot \#L_F(u,v) - 2^n = \begin{cases} 2^n & \text{if } v^T = u^T,\ v^T b = 0 \\ -2^n & \text{if } v^T = u^T,\ v^T b = 1 \\ 0 & \text{if } v^T \neq u^T \end{cases}$$

3. Let $L_{A,b} \in \mathcal{F}_{n,m}$ be an affine Vector Boolean Function and $M(L_{A,b}) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ a matrix each of whose columns has exactly one nonzero coefficient, with value 1 or $-1$; it holds that:

$$WS(L_{A,b}) = 2^n \cdot M(L_{A,b}) \qquad (3.51)$$

4. Let $L_b \in \mathcal{F}_{n,n}$ be the Vector Boolean Function that consists of the bit-wise addition with a constant vector $b \in V_n$; its Walsh Spectrum is a multiple of a diagonal matrix $D(L_b) \in \mathcal{M}_{2^n \times 2^n}(GF(2))$ whose diagonal values satisfy $d_{x,x} = (-1)^{b \cdot x}$:

$$WS(L_b) = 2^n \cdot D(L_b) \qquad (3.52)$$

5. Let $\Pi \in \mathcal{F}_{n,n}$ be a permutation and $P_{2^n}(\Pi)$ the permutation matrix of order $2^n$ associated with $\Pi$; each column of its spectrum has exactly one nonzero coefficient, with value $2^n$:

$$WS(\Pi) = 2^n \cdot P_{2^n}(\Pi) \qquad (3.53)$$

Definition 3.6.7. The Inverse Walsh Transform of $F$ at $(x,y) \in V_n \times V_m$ is the two-dimensional Inverse Walsh Fourier Transform of its indicator function, defined by:

$$\mathcal{W}^{-1}_F(x,y) = \theta_F(x,y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \hat{\theta}_F(u,v)\,\chi_{(u,v)}(x,y), \quad \forall (x,y) \in V_n \times V_m. \qquad (3.54)$$

or, as it is most often written:

$$\theta_F(x,y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \hat{\theta}_F(u,v)\,(-1)^{u \cdot x + v \cdot y}, \quad \forall (x,y) \in V_n \times V_m. \qquad (3.55)$$

The two-dimensional Inverse Walsh Transform is separable into two one-dimensional Inverse Walsh Transforms:

$$\theta_F(x,y) = \frac{1}{2^m} \sum_{v \in V_m} \Big( \frac{1}{2^n} \sum_{u \in V_n} \hat{\theta}_F(u,v)\,\chi_u(x) \Big) \chi_v(y) = \frac{1}{2^n} \sum_{u \in V_n} \Big( \frac{1}{2^m} \sum_{v \in V_m} \hat{\theta}_F(u,v)\,\chi_v(y) \Big) \chi_u(x). \qquad (3.56)$$

so that:

$$\theta_F(x,y) = \frac{1}{2^m} \sum_{v \in V_m} \chi_{v \cdot F}(x)\,\chi_v(y) \quad \forall (x,y) \in V_n \times V_m. \qquad (3.57)$$

3.6.2 Library

A VBF class can be initialized by giving its Walsh Spectrum with the following method:

    void putwalsh(const NTL::mat_ZZ& W)

To obtain its representation as Walsh Spectrum, the following method must be used:

    void Walsh(NTL::mat_ZZ& W, VBF& F)

Example 3.6.1. The following program provides the Walsh Spectrum of a Vector Boolean function from its Truth Table.

    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    int main(int argc, char *argv[])
    {
       using namespace VBFNS;

       VBF F;
       NTL::mat_GF2 T;

       // The Truth Table is read from the file given as first argument
       ifstream input(argv[1]);
       if(!input) {
          cerr << "Error opening " << argv[1] << endl;
          return 0;
       }
       input >> T;
       F.puttt(T);
       input.close();

       cout << "The Walsh Spectrum is:" << endl;
       cout << Walsh(F) << endl;

       return 0;
    }

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

    The Walsh Spectrum is:
    [[16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
    [0 0 -4 -4 0 0 -4 12 4 4 0 0 4 4 0 0]
    [0 0 -4 -4 0 0 -4 -4 0 0 4 4 0 0 -12 4]
    [0 0 0 0 0 0 0 0 4 -12 -4 -4 4 4 -4 -4]
    [0 4 0 -4 -4 -8 -4 0 0 -4 0 4 4 -8 4 0]
    [0 -4 -4 0 -4 0 8 4 -4 0 -8 4 0 -4 -4 0]
    [0 4 -4 8 4 0 0 4 0 -4 4 8 -4 0 0 -4]
    [0 -4 0 4 4 -8 4 0 -4 0 4 0 8 4 0 4]
    [0 0 0 0 0 0 0 0 -4 4 4 -4 4 -4 -4 -12]
    [0 0 -4 -4 0 0 -4 -4 -8 0 -4 4 0 8 4 -4]
    [0 8 -4 4 -8 0 4 -4 4 4 0 0 4 4 0 0]
    [0 8 0 -8 8 0 8 0 0 0 0 0 0 0 0 0]
    [0 -4 8 -4 -4 0 4 0 4 0 4 8 0 4 0 -4]
    [0 4 4 0 -4 8 0 4 -8 -4 4 0 4 0 0 4]
    [0 4 4 0 -4 -8 0 4 -4 0 0 -4 -8 4 -4 0]
    [0 -4 -8 -4 -4 0 4 0 0 -4 8 -4 -4 0 4 0]
    ]

Remark. We can see that the Walsh Spectrum of $f_1(\text{NibbleSub})$, where

$$\text{NibbleSub} = \big( f_1(\text{NibbleSub}), f_2(\text{NibbleSub}), f_3(\text{NibbleSub}), f_4(\text{NibbleSub}) \big) \qquad (3.58)$$

corresponds to the Spectrum of $l_{(1,0,0,0)} \circ \text{NibbleSub}$. As a consequence, the Walsh Spectrum of $f_1(\text{NibbleSub})$ coincides with the 9th column of $WS(\text{NibbleSub})$, that is, the column indexed by the vector $(1,0,0,0)$.

3.7 Linear Profile and Linear Cryptanalysis

3.7.1 Description

Overview of Linear Cryptanalysis

Linear Cryptanalysis, introduced by Matsui [91], [94], is a known-plaintext attack based on an idea from [152]. It tries to take advantage of high-probability occurrences of linear expressions involving plaintext bits, ciphertext bits, and subkey bits. The basic idea is to approximate the operation of a portion of the cipher with an expression that is linear. Such an expression is of the form:

$$x_1 + x_2 + \cdots + x_n + y_1 + y_2 + \cdots + y_m = 0 \qquad (3.59)$$

where $x_i$ represents the $i$-th bit of the input $x = (x_1, x_2, \ldots, x_n)$ and $y_j$ represents the $j$-th bit of the output $y = (y_1, y_2, \ldots, y_m)$. As said in [70]:

The approach in Linear Cryptanalysis is to determine expressions of the form above which have a high or low probability of occurrence. No obvious linearity such as above should hold for all input and output values or the cipher would be trivially weak. If a cipher displays a tendency for equation (3.59) to hold with high probability or not hold with high probability, this is evidence of the cipher's poor randomization abilities. Consider that if we randomly selected values for $n + m$ bits and placed them into the equation above, the probability that the expression would hold would be exactly $\frac{1}{2}$. It is the deviation or bias from the probability of $\frac{1}{2}$ for an expression to hold that is exploited in Linear Cryptanalysis: the further away that a linear expression is from holding with a probability of $\frac{1}{2}$, the better the cryptanalyst is able to apply Linear Cryptanalysis. Usually, the amount by which the probability of a linear expression holding deviates from $\frac{1}{2}$ is referred to as the linear probability bias. Hence, if the expression above holds with probability $p_L$ for randomly chosen plaintexts and the corresponding ciphertexts, then the probability bias is $p_L - \frac{1}{2}$. The higher the magnitude of the probability bias, $p_L - \frac{1}{2}$, the better the applicability of Linear Cryptanalysis with fewer known plaintexts required in the attack.

There are several ways to mount the attack of Linear Cryptanalysis (Matsui described 2 algorithms) which use the principle of maximum likelihood. In this thesis, we will focus on what Matsui calls Algorithm 2. We investigate the construction of a linear approximation involving plaintext bits as represented by $x$ in equation (3.59) and the input to the last round of the cipher as represented by $y$ in equation (3.59). The plaintext bits are random and consequently so are the input bits to the last round.

Equation (3.59) could be equivalently reformulated to have the right side being the sum of a number of subkey bits. However, in equation (3.59) as written with the right side of 0, the equation implicitly has subkey bits involved: these bits are fixed but unknown (as they are determined by the key under attack) and implicitly absorbed into the 0 on the right side of equation (3.59) and the probability $p_L$ that the linear expression holds. If the sum of the involved subkey bits is 0, the bias of equation (3.59) will have the same sign (+ or −) as the bias of the expression involving the subkey sum and, if the sum of the involved subkey bits is 1, the bias of equation (3.59) will have the opposite sign.

Note that $p_L = 1$ implies that the linear expression of equation (3.59) is a perfect representation of the cipher behaviour and the cipher has a catastrophic weakness. If $p_L = 0$, then equation (3.59) represents an affine relationship in the cipher, also an indication of a catastrophic weakness. Both linear and affine approximations, indicated by $p_L > \frac{1}{2}$ and $p_L < \frac{1}{2}$, respectively, are equally susceptible to Linear Cryptanalysis and we shall generally use the term linear to refer to both linear and affine relationships.

The natural question to ask is: How do we construct expressions which are highly linear and, hence, can be exploited? This is done by considering the properties of the cipher's only nonlinear component: the S-box. When the nonlinearity properties of the S-box are enumerated, it is possible to develop linear approximations between sets of input and output bits in the S-box. Consequently, it is possible to concatenate linear approximations of the S-boxes together so that intermediate bits (i.e., data bits from within the cipher) can be cancelled out and we are left with a linear expression which has a large bias and involves only plaintext and the last round input bits.

Linear Expressions for S-boxes

The first step to construct a full linear equation to use with Matsui's algorithms is learning how to calculate simple linear expressions and how to determine their biases. Finding linear expressions of S-boxes requires us to find equations involving the input bits and output bits, such as $x_2 + x_3 = y_1 + y_3 + y_4$. Since in an $n \times m$ S-box there are $n$ possible input bits and $m$ possible output bits that we may either keep or omit in each linear expression, we have to look through $2^n \times 2^m$ different expressions. Furthermore, we have to try all $2^n$ possible input-output value pairs. This gives us $2^{2n+m}$ operations in total on the S-box. In general, we will want to focus on the values that have a high bias and that involve the least possible number of bits. Involving fewer bits in the input and the output helps us to manage the eventual Linear Cryptanalysis, which is composed of many linear expressions built on each other.

A complete enumeration of all linear approximations of the S-box is given in the Linear Profile², which is a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $LP(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$. It holds that $LP(F)(u,v) = |WS(F)(u,v)|^2$. The lower bound of the Linear Profile values is 0 and the upper bound is $2^{2n}$. If we divide each element in the Linear Profile by the value $LP(F)(0,0)$, these values represent the number of matches between the linear equation represented in hexadecimal as "Input Sum" and the sum of the output bits represented in hexadecimal as "Output Sum". Hence, subtracting $\frac{1}{2}$ from these values gives the probability bias for the particular linear combination of input and output bits. The hexadecimal value representing a sum, when viewed as a binary value, indicates the variables involved in the sum. For a linear combination of input variables represented as $u_1 \cdot x_1 + \cdots + u_n \cdot x_n$ where $u_i \in GF(2)$, the hexadecimal value represents the binary value $u_1 \ldots u_n$, where $u_1$ is the most significant bit. Similarly, for a linear combination of output bits $v_1 \cdot y_1 + \cdots + v_m \cdot y_m$ where $v_i \in GF(2)$, the hexadecimal value represents the binary vector $v_1 \ldots v_m$.

In Linear Profiles, we are looking for entries with large value. If all of the entries are small, then the S-box does not have a very linear structure, and it may make Linear Cryptanalysis on the cipher difficult. The Linear potential of $F$, defined as

$$lp(F) = \frac{1}{2^{2n}} \cdot \max^{*}_{(u,v)} WS(F)(u,v)^2$$

where $\max^{*}$ denotes the maximum over $(u,v) \neq (0,0)$, is a measure of linearity in Linear Cryptanalysis, and satisfies [29] $2^{-n} \leq lp(F) \leq 1$, so that the lower bound holds if and only if $F$ has maximum nonlinearity ($F$ is bent) and the upper bound is reached when $F$ is linear or affine. This criterion can take values from $\frac{1}{2^n}$ to 1. The larger $lp(F)$ is, the "closer" $F$ is to a Linear Vector Boolean function.

² In the literature, an equivalent matrix called Linear Approximation Table is used as well.

Piling-Up Lemma

Once we have linear expressions for S-boxes, we need to combine them to perform Linear Cryptanalysis effectively. The effectiveness is defined by the bias of the overall expression constructed by the combination over the rounds of the cipher. Matsui showed in [91] that the linear expressions "pile-up" in the following way:

Lemma 3.7.1 (Piling-Up Lemma). Assume that we have $n$ independent linear expressions, say $E_1, \ldots, E_n$, with associated biases $\varepsilon_1, \ldots, \varepsilon_n$. We also need to assume that they are random, as we have no real preconceptions of their values, and Boolean, so that they output 0 or 1. Then the bias of the aggregate Boolean linear expression $E_1 + \cdots + E_n$ is:

$$\varepsilon_{1,\ldots,n} = 2^{n-1} (\varepsilon_1 \times \cdots \times \varepsilon_n) \qquad (3.60)$$

where $\varepsilon_{1,\ldots,n}$ is the bias of the overall expression $E_1 + \cdots + E_n$.

3.7.2 Library

Note that the Linear Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Linear Profile. To obtain its representation as Linear Profile, the following method must be used:

    void LAT(NTL::mat_ZZ& LP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of Linear Cryptanalysis: the linear potential and the linear relations associated with a specific value of the Linear Profile. The method used to obtain the linear potential is the following:

    void lp(NTL::RR& x, VBF& F)

If we want to obtain the linear expressions associated with the value "w" of the Linear Profile, we use this method:

    void linear(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability bias $|p_L - \frac{1}{2}|$ with which a linear expression holds for the value "w" of the Linear Profile, we use this method:

    void ProbLin(NTL::RR& x, VBF& a, NTL::ZZ& w)

Example 3.7.1. The following program finds out the Linear Profile of a Vector Boolean function together with the linear expressions that have the highest value (excluding the value $LP(F)(0,0)$), their probability bias, this highest value and the linear potential.

    #include <iostream>
    #include <fstream>
    #include "VBF.h"

    int main(int argc, char *argv[])
    {
       using namespace VBFNS;

       VBF F;
       NTL::mat_GF2 T;
       NTL::ZZ w;
       NTL::RR bias;

       // The Truth Table is read from the file given as first argument
       ifstream input(argv[1]);
       if(!input) {
          cerr << "Error opening " << argv[1] << endl;
          return 0;
       }
       input >> T;
       F.puttt(T);
       input.close();

       cout << "The Linear Profile is:" << endl;
       cout << LAT(F) << endl;

       // Highest value of the Linear Profile, excluding LP(F)(0,0)
       w = maxLAT(F);
       cout << endl << "The highest value of the Linear Profile is= " << w << endl << endl;

       cout << "The linear expressions that have the highest value are:" << endl;
       linear(cout,F,w);

       ProbLin(bias,F,w);
       cout << endl;
       cout << "These expressions hold with probability bias= " << bias << endl;

       cout << endl << "The linear potential is= " << lp(F) << endl;

       return 0;
    }

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

    The Linear Profile is:
    [[256 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
    [0 0 16 16 0 0 16 144 16 16 0 0 16 16 0 0]
    [0 0 16 16 0 0 16 16 0 0 16 16 0 0 144 16]
    [0 0 0 0 0 0 0 0 16 144 16 16 16 16 16 16]
    [0 16 0 16 16 64 16 0 0 16 0 16 16 64 16 0]
    [0 16 16 0 16 0 64 16 16 0 64 16 0 16 16 0]
    [0 16 16 64 16 0 0 16 0 16 16 64 16 0 0 16]
    [0 16 0 16 16 64 16 0 16 0 16 0 64 16 0 16]
    [0 0 0 0 0 0 0 0 16 16 16 16 16 16 16 144]
    [0 0 16 16 0 0 16 16 64 0 16 16 0 64 16 16]
    [0 64 16 16 64 0 16 16 16 16 0 0 16 16 0 0]
    [0 64 0 64 64 0 64 0 0 0 0 0 0 0 0 0]
    [0 16 64 16 16 0 16 0 16 0 16 64 0 16 0 16]
    [0 16 16 0 16 64 0 16 64 16 16 0 16 0 0 16]
    [0 16 16 0 16 64 0 16 16 0 0 16 64 16 16 0]
    [0 16 64 16 16 0 16 0 0 16 64 16 16 0 16 0]
    ]

    The highest value of the Linear Profile is= 144

    The linear expressions that have the highest value are:
    x4=y2+y3+y4
    x3=y1+y2+y3
    x3+x4=y1+y4
    x1=y1+y2+y3+y4

These expressions hold with probability bias= 0.0625

The linear potential is= 0.5625

Figure 3.3 represents the Linear Profile of NibbleSub and highlights in red the elements which achieve the highest value.

Fig. 3.3 Linear Profile of NibbleSub.
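The Walsh Spectrum (3.40), the Linear Profile and the linear potential shown above can be reproduced without the VBF library. The following C++ program is an added example, not code from the thesis or from the VBF library: it takes NibbleSub as the lookup table read off the Image matrix of Example 3.5.1 (row x has its single 1 in column F(x)) and, under the thesis' convention that u1 and v1 are the most significant bits, renders the maximal entries as the same linear expressions the library prints. The function names are the example's own.

```cpp
// Added example: Walsh Spectrum, Linear Profile and linear potential of a small
// S-box, computed directly from equation (3.40) rather than with the VBF library.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// NibbleSub, read off the Image matrix of Example 3.5.1: row x has its single 1
// in column F(x), so F(0000) = 1110 = 14, F(0001) = 0100 = 4, and so on.
static const std::vector<int> NIBBLESUB = {14, 4, 13, 1, 2, 15, 11, 8,
                                           3, 10, 6, 12, 5, 9, 0, 7};
static const int N_BITS = 4;  // input size n
static const int M_BITS = 4;  // output size m

// Inner product over GF(2): parity of the bitwise AND. Bit u1 of u is the most
// significant bit, as in the thesis, so u = 0001 selects x4 and u = 1000 selects x1.
static int dot(unsigned a, unsigned b) {
    int p = 0;
    for (unsigned x = a & b; x != 0; x >>= 1) p ^= static_cast<int>(x & 1u);
    return p;
}

// Walsh Spectrum WS(F): rows indexed by u, columns by v,
// WS(F)(u,v) = sum over x of (-1)^(u.x + v.F(x))   (equation 3.40).
std::vector<std::vector<int>> walshSpectrum(const std::vector<int>& sbox, int n, int m) {
    const unsigned rows = 1u << n, cols = 1u << m;
    std::vector<std::vector<int>> ws(rows, std::vector<int>(cols, 0));
    for (unsigned u = 0; u < rows; ++u)
        for (unsigned v = 0; v < cols; ++v) {
            int acc = 0;
            for (unsigned x = 0; x < rows; ++x)
                acc += (dot(u, x) ^ dot(v, static_cast<unsigned>(sbox[x]))) ? -1 : 1;
            ws[u][v] = acc;
        }
    return ws;
}

// Linear Profile LP(F)(u,v) = |WS(F)(u,v)|^2.
std::vector<std::vector<long>> linearProfile(const std::vector<std::vector<int>>& ws) {
    std::vector<std::vector<long>> lp(ws.size(), std::vector<long>(ws[0].size(), 0));
    for (std::size_t u = 0; u < ws.size(); ++u)
        for (std::size_t v = 0; v < ws[u].size(); ++v)
            lp[u][v] = static_cast<long>(ws[u][v]) * ws[u][v];
    return lp;
}

// Highest Linear Profile value outside (0,0), i.e. what the library's maxLAT reports.
long maxLinearProfile(const std::vector<std::vector<long>>& lp) {
    long best = 0;
    for (std::size_t u = 0; u < lp.size(); ++u)
        for (std::size_t v = 0; v < lp[u].size(); ++v)
            if ((u != 0 || v != 0) && lp[u][v] > best) best = lp[u][v];
    return best;
}

// Linear potential lp(F) = max*_{(u,v)} WS(F)(u,v)^2 / 2^(2n), the starred maximum
// excluding (0,0). 2^-n <= lp(F) <= 1, and lp(F) = 1 means F is linear or affine.
double linearPotential(const std::vector<int>& sbox, int n, int m) {
    const long maxLp = maxLinearProfile(linearProfile(walshSpectrum(sbox, n, m)));
    return static_cast<double>(maxLp) / static_cast<double>(1L << (2 * n));
}

// Render a mask as the thesis does: index 1 is the most significant bit, so
// mask 0111 over width 4 with variable 'y' becomes "y2+y3+y4".
static std::string bitsToSum(unsigned mask, int width, char var) {
    std::string out;
    for (int i = 1; i <= width; ++i)
        if ((mask >> (width - i)) & 1u)
            out += (out.empty() ? "" : "+") + std::string(1, var) + std::to_string(i);
    return out;
}

// Linear expression for the pair (u,v), e.g. u = 0001, v = 0111 -> "x4=y2+y3+y4".
std::string linearExpression(unsigned u, unsigned v, int n, int m) {
    return bitsToSum(u, n, 'x') + "=" + bitsToSum(v, m, 'y');
}

// All linear expressions whose Linear Profile entry equals w (outside (0,0)),
// in lexicographic order of (u,v): the counterpart of the library's linear(cout, F, w).
std::vector<std::string> linearExpressionsWithValue(const std::vector<std::vector<long>>& lp,
                                                    long w, int n, int m) {
    std::vector<std::string> out;
    for (std::size_t u = 0; u < lp.size(); ++u)
        for (std::size_t v = 0; v < lp[u].size(); ++v)
            if ((u != 0 || v != 0) && lp[u][v] == w)
                out.push_back(linearExpression(static_cast<unsigned>(u),
                                               static_cast<unsigned>(v), n, m));
    return out;
}

int main() {
    const auto ws = walshSpectrum(NIBBLESUB, N_BITS, M_BITS);
    const auto lp = linearProfile(ws);
    const long w = maxLinearProfile(lp);
    std::cout << "The highest value of the Linear Profile is= " << w << '\n';
    for (const auto& e : linearExpressionsWithValue(lp, w, N_BITS, M_BITS)) std::cout << e << '\n';
    std::cout << "The linear potential is= " << linearPotential(NIBBLESUB, N_BITS, M_BITS) << '\n';
    return 0;
}
```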

3.8 Differential Profile and Differential Cryptanalysis

3.8.1 Description

Overview of Differential Cryptanalysis

Differential Cryptanalysis, introduced by Biham and Shamir [13], is a chosen-plaintext attack. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. For example, consider a Vector Boolean function with input $x = (x_1, \ldots, x_n)$ and output $y = (y_1, \ldots, y_m)$. Let two inputs to the system be $x'$ and $x''$ with the corresponding outputs $y'$ and $y''$, respectively. The input difference is given by $\Delta x = x' + x'' = (\Delta x_1, \ldots, \Delta x_n)$ where $\Delta x_i = x_i' + x_i''$, and the output difference by $\Delta y = y' + y'' = (\Delta y_1, \ldots, \Delta y_m)$ where $\Delta y_i = y_i' + y_i''$.

As said in [70]:

In an ideally randomizing cipher, the probability that a particular output difference $\Delta y$ occurs given a particular input difference $\Delta x$ is $\frac{1}{2^n}$. Differential cryptanalysis seeks to exploit a scenario where a particular $\Delta y$ occurs given a particular input difference $\Delta x$ with a very high probability $p_D$ (i.e., much greater than $\frac{1}{2^n}$). The pair $(\Delta x, \Delta y)$ is referred to as a differential. Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key. For differential cryptanalysis, the attacker will select pairs of inputs, $x'$ and $x''$, to satisfy a particular $\Delta x$, knowing that for that $\Delta x$ value, a particular $\Delta y$ value occurs with high probability. In this thesis, we investigate the construction of a differential $(\Delta x, \Delta y)$ involving plaintext bits as represented by $x$ and the input to the last round of the cipher as represented by $\Delta y$. We shall do this by examining highly likely differential characteristics, where a differential characteristic is a sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round. Using the highly likely differential characteristic gives us the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of subkeys.

S-boxes Differentials

The first step of Differential Cryptanalysis is to compute the characteristics of the inputs and outputs of the S-boxes, which we will then combine to form a characteristic for the complete cipher. Consider an $n \times m$ S-box with input $x = (x_1, \ldots, x_n)$ and output $y = (y_1, \ldots, y_m)$. All difference pairs of an S-box, $(\Delta x, \Delta y)$, can be examined and the probability of $\Delta y$ given $\Delta x$ can be derived by considering input pairs $(x', x'')$ such that $x' + x'' = \Delta x$. Since the ordering of the pair is not relevant, for an $n \times m$ S-box we need only consider all $2^n$ values for $x'$; the value of $\Delta x$ then constrains the value of $x''$ to be $x'' = x' + \Delta x$. We can derive the resulting values of $\Delta y$ for each input pair $(x', x'' = x' + \Delta x)$. We can tabulate the complete differential data for an S-box in the Differential Profile³, in which the rows represent $\Delta x$ values and the columns represent $\Delta y$ values. If we divide each element in the Differential Profile by the value $DP(F)(0,0)$, these values represent the probability of the corresponding output difference $\Delta y$ given the input difference $\Delta x$, that is $(\Delta x \Rightarrow \Delta y)$, called a characteristic. In general, entries in the Differential Profile with fewer bits set in $\Delta x$ and $\Delta y$ and with higher probability are desirable.

³ In the literature, an equivalent matrix called Difference Distribution Table is used as well.

Definition 3.8.1. Let $F \in \mathcal{F}_{n,m}$; we denote by $D_F(u,v)$ the set of vectors where the difference Vector Boolean Function of $F$ in the direction of $u \in V_n$ coincides with $v \in V_m$:

$$D_F(u,v) = \{x \in V_n \mid \Delta_u F(x) = v\} \qquad (3.61)$$

Definition 3.8.2. Let $F \in \mathcal{F}_{n,m}$ where $n \geq m$. The matrix containing all possible values of $\#D_F(u,v)$ is referred to as its XOR or Differential Distribution Table.

Nyberg in [114] introduced the concept of differential uniformity as a measure of the resistance to differential cryptanalysis, as follows:

Definition 3.8.3. A Vector Boolean function $F \in \mathcal{F}_{n,m}$ is called differentially $du(F)$-uniform if for all $u \in V_n$, $u \neq 0$, and $v \in V_m$:

$$\#\{x \in V_n \mid F(x + u) + F(x) = v\} \leq du(F) \qquad (3.62)$$

The differential uniformity $du(F)$ of $F$ is the largest value in the Differential Distribution Table of $F$ (not counting the first entry in the first row), namely:

$$du(F) = \max_{(u,v) \neq (0,0)} \#D_F(u,v) = \max_{(u,v) \neq (0,0)} \#\{x \in V_n \mid F(x) + F(x + u) = v\} \qquad (3.63)$$

Definition 3.8.4. Let us define the function $\delta_F : V_n \times V_m \to \mathbb{Q}$ as follows:

$$\delta_F(u,v) = \frac{1}{2^n} \#D_F(u,v) \qquad (3.64)$$

Definition 3.8.5. The Differential Profile of $F$ can be represented by a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $DP(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ and defined as follows:

$$DP(F) = 2^{2n+m} \begin{bmatrix} \delta_F(\alpha_0, \alpha_0) & \ldots & \delta_F(\alpha_0, \alpha_{2^m-1}) \\ \delta_F(\alpha_1, \alpha_0) & \ldots & \delta_F(\alpha_1, \alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \delta_F(\alpha_{2^n-1}, \alpha_0) & \ldots & \delta_F(\alpha_{2^n-1}, \alpha_{2^m-1}) \end{bmatrix}$$

Definition 3.8.6. The maximum value of $\delta_F(u,v)$ is called the differential potential of $F$:

$$dp(F) = \max\{\delta_F(u,v) \mid u \in V_n,\ v \in V_m,\ (u,v) \neq (0,0)\}$$

Corollary 3.8.1. The differential uniformity of $F \in \mathcal{F}_{n,m}$ and its differential potential are related as follows:

$$dp(F) = \frac{1}{2^n} du(F) \qquad (3.65)$$

It is a measure of the robustness against differential cryptanalysis, where $2^{-m} \leq dp(F) \leq 1$; the lower bound holds if and only if $F$ is bent and the upper bound is reached when $F$ is linear or affine.

3.8.2 Library

Note that the Differential Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Differential Profile. To obtain its representation as Differential Profile, the following method must be used: void DAT(NTL::mat_ZZ& DP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of differential cryptanalysis: Differential potential and Differential relations associated with a specific value of the Differential profile. The method used to obtain the differential potential is the following: void dp(NTL::RR& x, VBF& F)

If we want to obtain the characteristics associated with the value of the Differential Profile "w", we will use this method: void differential(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability that a characteristic (∆x ⇒ ∆y) holds with the value "w" of the Differential Profile, we will use this method:

void ProbDif(NTL::RR& x, VBF& a, NTL::ZZ& w)

Example 3.8.1. The following program finds out the Differential Profile of a Vector Boolean function together with the characteristics that have the highest value (excluding the value at DP(F)(0,0)), their probability, this highest value and the differential potential.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;
   NTL::ZZ w;
   NTL::RR p;

   if(argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
      return 1;
   }

   // Read the Truth Table from the file given as first argument
   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Differential Profile is:" << endl;
   cout << DAT(F) << endl;

   // Highest value of the Differential Profile, excluding DP(F)(0,0)
   w = maxDAT(F);
   cout << endl << "The highest value of the Differential Profile is= " << w << endl;

   cout << endl << "The characteristics that have the highest value are:" << endl;
   differential(cout,F,w);

   ProbDif(p,F,w);
   cout << endl << "These expressions hold with probability= " << p << endl;

   cout << endl << "The differential potential is= " << dp(F) << endl;

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The Differential Profile is:
[[4096 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 512 0 0 0 512 0 512 1024 0 1024 512 0 0]
 [0 0 0 512 0 1536 512 512 0 512 0 0 0 0 512 0]
 [0 0 512 0 512 0 0 0 0 1024 512 0 512 0 0 1024]
 [0 0 0 512 0 0 1536 0 0 512 0 1024 512 0 0 0]
 [0 1024 0 0 0 512 512 0 0 0 1024 0 512 0 0 512]
 [0 0 0 1024 0 1024 0 0 0 0 0 0 512 512 512 512]
 [0 0 512 512 512 0 512 0 0 512 512 0 0 0 0 1024]
 [0 0 0 0 0 0 512 512 0 0 0 1024 0 1024 512 512]
 [0 512 0 0 512 0 0 1024 512 0 512 512 512 0 0 0]
 [0 512 512 0 0 0 0 0 1536 0 0 512 0 0 1024 0]
 [0 0 2048 0 0 512 0 512 0 0 0 0 0 512 0 512]
 [0 512 0 0 512 512 512 0 0 0 0 512 0 1536 0 0]
 [0 1024 0 0 0 0 0 1024 512 0 512 0 512 0 512 0]
 [0 0 512 1024 512 0 0 0 1536 0 0 0 0 0 512 0]
 [0 512 0 0 1536 0 0 0 0 1024 0 512 0 0 512 0]
]

The highest value of the Differential Profile is= 2048

The characteristics that have the highest value are: [1 0 1 1]->[0 0 1 0]

These expressions hold with probability= 0.5

The differential potential is= 0.5

Figure 3.4 represents the Differential Profile of NibbleSub and emphasizes in blue the elements which achieve the highest value.

Fig. 3.4 Differential Profile of NibbleSub.
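As an added example (not code from the thesis or the VBF library), the following self-contained C++ program computes the same quantities without NTL: the count table #D_F(u,v) of Eq. 3.63, the differential uniformity du(F), the differential potential dp(F) = du(F)/2^n of Corollary 3.8.1, and the characteristics that reach du(F). The sample S-box is the first row of the DES S1 table printed in Example 3.13.1, which is assumed here to coincide with NibbleSub; the function names are this example's own.

```cpp
#include <array>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed sample: the 4-bit S-box given by the first row of the DES S1
// table in Example 3.13.1 (assumed here to be NibbleSub).
static const std::array<int, 16> SBOX = {14, 4, 13, 1, 2, 15, 11, 8,
                                         3, 10, 6, 12, 5, 9, 0, 7};
constexpr int N = 4;            // n = m = 4 input and output bits
constexpr int SIZE = 1 << N;    // 2^n = 16

// d[u][v] = #D_F(u,v) = #{x | F(x) + F(x+u) = v} for every (u,v) (Eq. 3.63).
using DiffTable = std::array<std::array<int, SIZE>, SIZE>;

DiffTable differenceTable(const std::array<int, 16>& s) {
    DiffTable d{};
    for (int u = 0; u < SIZE; ++u)
        for (int x = 0; x < SIZE; ++x)
            d[u][s[x] ^ s[x ^ u]]++;   // '+' in GF(2)^m is XOR
    return d;
}

// Differential uniformity du(F): the largest count outside (u,v) = (0,0).
int differentialUniformity(const DiffTable& d) {
    int best = 0;
    for (int u = 0; u < SIZE; ++u)
        for (int v = 0; v < SIZE; ++v)
            if ((u != 0 || v != 0) && d[u][v] > best) best = d[u][v];
    return best;
}

// Differential potential dp(F) = du(F) / 2^n (Corollary 3.8.1).
double differentialPotential(const DiffTable& d) {
    return static_cast<double>(differentialUniformity(d)) / SIZE;
}

// Characteristics (Δx ⇒ Δy) that reach du(F), as (u,v) pairs.
std::vector<std::pair<int, int>> bestCharacteristics(const DiffTable& d) {
    const int du = differentialUniformity(d);
    std::vector<std::pair<int, int>> out;
    for (int u = 0; u < SIZE; ++u)
        for (int v = 0; v < SIZE; ++v)
            if ((u != 0 || v != 0) && d[u][v] == du) out.emplace_back(u, v);
    return out;
}

int main() {
    const DiffTable d = differenceTable(SBOX);
    std::printf("du(F) = %d, dp(F) = %.3f\n", differentialUniformity(d),
                differentialPotential(d));
    for (const auto& c : bestCharacteristics(d))
        std::printf("%x -> %x holds for %d of %d inputs (p = %.2f)\n", c.first,
                    c.second, d[c.first][c.second], SIZE,
                    static_cast<double>(d[c.first][c.second]) / SIZE);
    return 0;
}
```

The probability of a characteristic is its count divided by 2^n; for this S-box the single best characteristic is 1011 ⇒ 0010 with 8 of 16 inputs, i.e. probability 0.5, which is what the program output above reports for NibbleSub.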

3.9 Autocorrelation Spectrum

3.9.1 Description

The Autocorrelation provides a useful description of a Vector Boolean function in relation to some cryptographic criteria. It is derived from the sequences of the component functions of the Vector Boolean function and does not uniquely determine the Vector Boolean function itself.

Definition 3.9.1. The directional derivative of f ∈ Fn in the direction of u ∈ Vn is defined as:

$$\Delta_u f(x) = f(x+u) + f(x), \quad x \in V_n \qquad (3.66)$$

Similarly, the directional derivative of the sequence χ_f of a Boolean function in the direction of u ∈ V_n is defined as:

$$\Delta_u \chi_f(x) = \chi_f(x+u) \cdot \chi_f(x), \quad x \in V_n \qquad (3.67)$$

The autocorrelation of f ∈ Fn with respect to the shift u ∈ Vn, r f (u), is defined by the Polarity Truth Table to be:

$$r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) \qquad (3.68)$$

From this definition of the autocorrelation function we note two important properties:

1. For every Boolean function $r_f(0) = 2^n$, since $\chi_f(x)^2 = 1\ \forall x \in V_n$.

2. The value of $r_f(u)$ when $u \neq 0$ must be proportional to the correlation between $f(x+u)$ and $f(x)$, i.e. $r_f(u) = 2^n \cdot C(f(x+u), f(x))$.

The Autocorrelation Spectrum gives an indication of the imbalance of all first order derivatives of the component functions of a Vector Boolean function. As differential cryptanalysis exploits imbalanced derivatives of Vector Boolean functions, the Autocorrelation Spectrum is vital in the analysis. The Walsh Spectrum and the Autocorrelation Spectrum of a Boolean function are related, among other results, by the Walsh Wiener-Kintchine Theorem, as illustrated below.

Theorem 3.9.1 (Cross-Correlation Theorem). Let f ,g ∈ Fn, ∀u ∈ Vn. The Walsh Transform of the cross-correlation of f and g is equal to the product of their respective Walsh transforms:

$$r_{f,g} \xleftrightarrow{\;W\;} \frac{1}{2^n}\, WS(f) \cdot WS(g) \qquad (3.69)$$

or alternatively:

$$\sum_{x \in V_n} r_{f,g}(x)(-1)^{u \cdot x} = \frac{1}{2^n}\,\hat\chi_f(u) \cdot \hat\chi_g(u), \quad \forall u \in V_n \qquad (3.70)$$

Proof.

$$\begin{aligned}
\sum_{x\in V_n} r_{f,g}(x)\,\chi_u(x) &= \sum_{x\in V_n} \frac{1}{2^n}\Big(\sum_{x'\in V_n} \chi_f(x')\,\chi_g(x'+x)\Big)\chi_u(x) \\
&= \frac{1}{2^n}\sum_{x'\in V_n} \chi_f(x')\Big(\sum_{x\in V_n} \chi_g(x'+x)\,\chi_u(x)\Big) \\
&= \frac{1}{2^n}\sum_{x'\in V_n} \chi_f(x')\Big(\chi_u(x')\sum_{t\in V_n} \chi_g(t)\,\chi_u(t)\Big) \\
&= \frac{1}{2^n}\,\hat\chi_g(u)\sum_{x'\in V_n} \chi_f(x')\,\chi_u(x') = \frac{1}{2^n}\,\hat\chi_f(u) \cdot \hat\chi_g(u)
\end{aligned}$$

Theorem 3.9.2 (Walsh Wiener-Kintchine Theorem). Let f ∈ F_n, ∀u ∈ V_n. The Walsh Transform of the autocorrelation function of f at u is equal to the value of the energy spectrum of f at u:

$$r_f \xleftrightarrow{\;W\;} \frac{1}{2^n}\,|WS(f)|^2 \qquad (3.71)$$

or alternatively:

$$\sum_{x \in V_n} r_f(x)(-1)^{u \cdot x} = \frac{1}{2^n}\,|\hat\chi_f(u)|^2, \quad \forall u \in V_n \qquad (3.72)$$

Corollary 3.9.3. Parseval equation [85]:

$$\sum_{x \in V_n} W_{D_x f}(0)\,(-1)^{u \cdot x} = |\hat\chi_f(u)|^2 \qquad (3.73)$$

Proof.

$$\sum_{x \in V_n} \frac{1}{2^n}\, r_f(x)(-1)^{u \cdot x} = \sum_{x \in V_n} W_{D_x f}(0)\,(-1)^{u \cdot x}$$

Corollary 3.9.4. The relationships between the Walsh Transform, the autocorrelation and the energy of a Boolean function f ∈ Fn can be summarized as follows:

$$\begin{array}{ccc}
f & \xrightarrow{\;W\;} & W_f \\
\Big\downarrow{\scriptstyle r} & & \Big\downarrow{\scriptstyle \frac{1}{2^n}|\cdot|^2} \\
r_f & \xrightarrow{\;W\;} & \varepsilon_f
\end{array}$$

Definition 3.9.2. The Autocorrelation Spectrum, denoted by R(F) ∈ M_{2^n×2^m}(Z), is obtained by Equation 2.4. The columns of the matrix are the Autocorrelation Spectra of the component functions. The lower bound of the Autocorrelation Spectrum values is −2^n and the upper bound is 2^n.

3.9.2 Linear structures

If the directional derivative of f ∈ F_n in the direction of u ∈ V_n, ∆_u f(x) = f(x + u) + f(x), is a constant function, then u is a linear structure of f [84], [31]. The zero vector 0 is a trivial linear structure since ∆_0 f(x) = 0 ∀x ∈ V_n. From the point of view of autocorrelation, a vector in V_n is a linear structure if it satisfies the following:

Definition 3.9.3. The vector u ∈ V_n is a linear structure of f if and only if |r_f(u)| = 2^n.

The notion of linear structures can be extended for the case of Vector Boolean functions. The definition of a Vector Boolean function that has a linear structure was originally proposed by Chaum [31] and Evertse [58]. They defined that a Vector Boolean function F has a linear structure by considering the existence of nontrivial linear structure in any of the component functions of F.

Definition 3.9.4. F ∈ Fn,m is said to have a linear structure if there exists a nonzero vector u ∈ Vn together with a nonzero vector v ∈ Vm such that v·F(x)+v·F(x+u) takes the same value c ∈ GF(2) ∀x ∈ Vn.

Definition 3.9.5. F ∈ F_{n,m} is said to have a linear structure if there exists a nonzero vector u ∈ V_n together with a nonzero vector v ∈ V_m such that |r_{v·F}(u)| = 2^n.

Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structures [58]. The existence of nonzero linear structures in the functions implemented in stream ciphers is a potential risk that should also be avoided, even though no attack exploiting it is known so far.

3.9.3 Library

To obtain its representation as Autocorrelation Spectrum, the following method must be used:

void AC(NTL::mat_ZZ& R, VBF& F)

The method used to obtain the linear structures is the following:

void LS(NTL_SNS ostream& s, VBF& F)

Example 3.9.1. The following program finds out the Autocorrelation Spectrum of a Vector Boolean function together with its linear structures having as input its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   if(argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
      return 1;
   }

   // Read the Truth Table from the file given as first argument
   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Autocorrelation Spectrum is:" << endl;
   cout << AC(F) << endl;
   cout << endl << "The linear structures are: " << endl;
   LS(cout,F);

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The Autocorrelation Spectrum is:
[[16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16]
 [16 0 0 0 0 0 -8 -8 -8 -8 -8 8 0 0 8 8]
 [16 -8 0 -8 -8 0 0 8 8 -8 0 0 -8 8 -8 8]
 [16 0 0 0 0 0 0 -16 -8 8 0 0 0 0 -8 8]
 [16 0 -8 0 0 -16 0 8 0 8 -8 -8 -8 0 8 8]
 [16 0 0 -8 0 0 0 -8 0 -8 8 -8 0 -8 8 8]
 [16 -8 0 0 -8 0 -8 8 0 -8 0 0 8 0 -8 8]
 [16 0 -8 0 0 0 0 -8 0 8 0 0 0 -8 -8 8]
 [16 -8 -8 0 -8 0 0 8 -8 8 0 0 0 0 8 -8]
 [16 0 0 8 0 0 0 -8 0 -8 0 0 -8 0 8 -8]
 [16 8 0 0 8 0 8 8 -8 -8 0 -8 0 0 -8 -16]
 [16 0 -8 -8 0 16 -8 -8 8 8 -8 -8 8 8 -8 -8]
 [16 -8 8 -8 -8 0 -8 8 0 8 0 0 0 -8 8 -8]
 [16 0 0 0 0 0 8 -8 0 -16 0 0 0 0 8 -8]
 [16 8 0 8 8 0 0 8 0 -8 -8 0 0 -8 -16 -8]
 [16 0 8 0 0 -16 0 -8 0 8 8 8 -8 0 -8 -8]
]

The linear structures are:
([0 0 1 1],[0 1 1 1])
([0 1 0 0],[0 1 0 1])
([1 0 1 0],[1 1 1 1])
([1 0 1 1],[0 1 0 1])
([1 1 0 1],[1 0 0 1])
([1 1 1 0],[1 1 1 0])
([1 1 1 1],[0 1 0 1])

We can notice that the NibbleSub S-box has the seven linear structures listed above. Figure 3.5 represents the Autocorrelation Spectrum of NibbleSub and emphasizes in red the values corresponding to these linear structures.

Fig. 3.5 Linear structures of NibbleSub.
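The following self-contained C++ program is an added example, not code from the thesis or the VBF library. It computes entry (u, v) of the Autocorrelation Spectrum as r_{v·F}(u) from Eq. 3.68 applied to the component function v·F, and lists the linear structures of Definition 3.9.5 as the nonzero pairs (u, v) with |r_{v·F}(u)| = 2^n. The sample S-box is the first row of the DES S1 table printed in Example 3.13.1, assumed here to coincide with NibbleSub; function names are this example's own.

```cpp
#include <array>
#include <cstdio>
#include <cstdlib>
#include <utility>
#include <vector>

// Constructed sample: first row of the DES S1 table (assumed to be NibbleSub).
static const std::array<int, 16> SBOX = {14, 4, 13, 1, 2, 15, 11, 8,
                                         3, 10, 6, 12, 5, 9, 0, 7};
constexpr int N = 4;           // n = m = 4
constexpr int SIZE = 1 << N;   // 2^n = 16

// Parity of a bit mask; parity(a & b) is the GF(2) inner product a·b.
int parity(unsigned x) {
    int p = 0;
    for (; x; x &= x - 1) p ^= 1;
    return p;
}

// Component function v·F(x) of the S-box, a Boolean function on V_n.
int component(const std::array<int, 16>& s, int v, int x) {
    return parity(static_cast<unsigned>(v & s[x]));
}

// Autocorrelation r_{v·F}(u) = sum_x (-1)^{v·F(x) + v·F(x+u)} (Eq. 3.68 for
// the component v·F); this is entry (u, v) of the Autocorrelation Spectrum.
int autocorrelation(const std::array<int, 16>& s, int u, int v) {
    int r = 0;
    for (int x = 0; x < SIZE; ++x)
        r += (component(s, v, x) ^ component(s, v, x ^ u)) ? -1 : 1;
    return r;
}

// Linear structures (Definition 3.9.5): nonzero (u, v) with |r_{v·F}(u)| = 2^n,
// i.e. the derivative of v·F in direction u is constant.
std::vector<std::pair<int, int>> linearStructures(const std::array<int, 16>& s) {
    std::vector<std::pair<int, int>> out;
    for (int u = 1; u < SIZE; ++u)
        for (int v = 1; v < SIZE; ++v)
            if (std::abs(autocorrelation(s, u, v)) == SIZE) out.emplace_back(u, v);
    return out;
}

int main() {
    std::printf("Autocorrelation Spectrum (rows u, columns v):\n");
    for (int u = 0; u < SIZE; ++u) {
        for (int v = 0; v < SIZE; ++v) std::printf("%4d", autocorrelation(SBOX, u, v));
        std::printf("\n");
    }
    std::printf("Linear structures (u, v) in hexadecimal:\n");
    for (const auto& ls : linearStructures(SBOX))
        std::printf("  (%x, %x)  r = %d\n", ls.first, ls.second,
                    autocorrelation(SBOX, ls.first, ls.second));
    return 0;
}
```

Column 0 of the spectrum is 16 in every row because 0·F is the zero function, and row 0 is 16 in every column because r_f(0) = 2^n for any f; a linear structure is only meaningful for u ≠ 0 and v ≠ 0, which is why both loops start at 1.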

3.10 Affine Function and Affine Equivalence

3.10.1 Description

A Boolean linear function is defined as a Boolean function consisting only of the sum of single input variables. Similarly, the set of Boolean affine functions is defined as the set of linear functions and their complements. A mathematical description of the linear and affine Boolean functions is given as follows.

Definition 3.10.1. A Boolean linear function is defined as the sum of a subset of the input variables, denoted

$$l_u(x) = u_1 x_1 + u_2 x_2 + \cdots + u_n x_n \qquad (3.74)$$

where u = (u_1, ..., u_n) ∈ V_n.

Definition 3.10.2. The set of Boolean affine functions are the linear functions and their complements, denoted

$$l_{u,b}(x) = l_u(x) + b \qquad (3.75)$$

where b ∈ GF(2).

An affine Vector Boolean function is defined in terms of a linear Vector Boolean function and a dyadic shift. A linear Vector Boolean function involves the multiplication of the input vector by a Boolean matrix. A dyadic shift (or translation) involves the complement of a subset of input bits. As such, an affine Vector Boolean function may be defined as the combination of a linear Vector Boolean function and a dyadic shift. A mathematical description of the linear and affine Vector Boolean functions is given as follows.

Definition 3.10.3. A Vector Boolean function L_{A,b} ∈ F_{n,m} is defined as L_{A,b}(x) = x · A + b with x ∈ V_n, A ∈ M_{n×m}(GF(2)) and b ∈ V_m, so that if b = 0 then L_{A,b} is linear and if b ≠ 0 then L_{A,b} is affine.

Affine Equivalence of Boolean Functions

Equivalence classes provide a powerful tool in both the construction and analysis of Boolean functions for cryptography. In particular, rather than considering the entire space of 2^{2^n} functions, a reduced view can be found in the consideration of only one function from each equivalence class. We start by giving an overview of the invariant properties over RM(s, n) for s = 1, 0, −1, which are the most frequently used equivalences. The computational complexity of determining whether a Boolean function satisfies the invariant property is an important measure of the efficiency of the property.

A well-known and widely used approach in the study of algebraic objects (groups, rings, ...) is the investigation of their sub-objects and quotient objects. Since linear codes are linear spaces, this approach can also be applied to them. Let C be a linear code over the finite field F and G be its group of automorphisms. If A is a G-invariant subcode of C (i.e., φ(A) ⊆ A for all φ ∈ G) then G naturally induces an action on the quotient space C/A consisting of all cosets c + A, c ∈ C. If φ ∈ G preserves a given property and φ : c_1 + A → c_2 + A, then both c_1 + A and c_2 + A satisfy (or do not satisfy) this property. Therefore, once we know the partition of C/A into G-orbits, we can restrict ourselves to the study of the representatives of the orbits.

The automorphism group of RM(r, n) for all 0 ≤ r ≤ n is equal to the general affine group AGL(n, 2) [96]. Define RM(−1, n) = {}. For −1 ≤ s < r ≤ n, the quotient space of RM(r, n) by the subcode RM(s, n) is denoted by RM(r, n)/RM(s, n). Consequently, two functions f, g of RM(r, n)/RM(s, n) are said to be equivalent over RM(s, n) if g(x) = f(Ax + b) mod RM(s, n). If s = 1, this means that

$$g(x) = f(Ax + b) + c \cdot x + d \qquad (3.76)$$

where A ∈ M_{n×n}(GF(2)), b, c ∈ V_n and d ∈ GF(2); this is an affine transformation. The functions f and g satisfying 3.76 are called equivalent under the action of AGL(n, 2). This equivalence determines the affine equivalence classes in RM(r, n) for r ≥ 1. If s = 0, then c = 0 and the functions f and g are said to be equivalent over RM(0, n). If c = 0 and d = 0, the functions are equivalent over RM(−1, n); we also say in this case that the functions are affine equivalent. If in addition b = 0, the functions are said to be linear equivalent.

A property is called an RM(s, n) invariant property if it is invariant over RM(s, n). An RM(s, n) invariant property can be seen as a mapping M from the set of Boolean functions to a set such that for any two functions f, g equivalent over RM(s, n), the equality M(f) = M(g) holds. By definition, an RM(s, n) invariant property is also an RM(k, n) invariant property for all −1 ≤ k ≤ s. Note that on RM(r, n)/RM(r − 1, n) for 0 ≤ r ≤ n, the action of AGL(n, 2) is reduced to the action of the general linear group GL(n, 2), since translations (x → x + b, ∀x ∈ V_n) leave every element of RM(r, n)/RM(r − 1, n) fixed. The equation 7.9 can be interpreted as a composition of several Boolean and Vector Boolean functions as follows:

$$\begin{array}{ccc}
x & \xrightarrow{\;g\;} & g(x) \\
\Big\downarrow{\scriptstyle L_{A,b}} & & \Big\uparrow{\scriptstyle f(L_{A,b}(x)) + a_{c,d}(x)} \\
L_{A,b}(x) & \xrightarrow{\;f\;} & f(L_{A,b}(x))
\end{array}$$

where:

1. LA,b ∈ Fn,m is an affine Vector Boolean function defined as LA,b(x) = Ax + b with A ∈ Mn×n(GF(2)) non-singular and b ∈ Vn.

2. ac,d ∈ Fn is an affine Boolean function defined as ac,d(x) = c · x + d with c ∈ Vn and d ∈ GF(2).

Of particular interest in the study of equivalence classes is the effect of the affine transformation on the algebraic degree, the Walsh Spectrum and the Autocorrelation Spectrum of a Boolean function.

Frequency Distribution of the Absolute Values of the Walsh Spectrum

The effect of the application of an affine transformation to a Boolean function on the Walsh Spectrum is to rearrange the values and hence, the Walsh value distributions are invariant under all affine transformations. If we consider g and f as in equation 7.9, then by 3.51, 5.2.1, it holds that [123]:

$$\hat\chi_g(u) = (-1)^{c \cdot A^{-1} b}\,(-1)^{u \cdot A^{-1} b}\,\hat\chi_f\!\left(A^{-1} u + A^{-1} c\right) \qquad (3.77)$$

Thus nonlinearity is also invariant under affine transformation.

Frequency Distribution of the Absolute Values of the Autocorrelation Spectrum

The effect of the application of an affine transformation to a Boolean function on the Autocorrelation Spectrum is to rearrange the values and hence, the Autocorrelation value distributions are invariant under all affine transformations. If we consider g and f as in equation 7.9, then Preneel in [123] shows that:

$$r_g(u) = (-1)^{u \cdot c}\, r_f(Au) \qquad (3.78)$$

Thus the absolute indicator is also invariant under affine transformation.
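The invariance just stated can be checked numerically. The following C++ program is an added example (not code from the thesis or the VBF library): it applies the transformation g(x) = f(Ax + b) + c·x + d of Eq. 3.76 to a Boolean function f, computes the Walsh and autocorrelation spectra of f and g, and compares their frequency distributions of absolute values; it also checks Eq. 3.78 pointwise and verifies that A is non-singular, without which x → Ax + b is not a bijection and the equivalence does not hold. The sample f is the least significant output bit of the S-box given by the first row of the DES S1 table in Example 3.13.1 (assumed to be NibbleSub), and A, b, c, d are constructed values; the constant d only flips the sign of every Walsh coefficient, so it does not affect absolute values.

```cpp
#include <array>
#include <cstdio>
#include <map>
#include <utility>

constexpr int N = 4;              // number of variables
constexpr int SIZE = 1 << N;      // 2^n points of V_4
using TT = std::array<int, SIZE>; // truth table of f : V_4 -> GF(2)
using Mat = std::array<int, N>;   // A over GF(2): row i is a 4-bit mask (bit 0 = LSB)

int parity(unsigned x) { int p = 0; for (; x; x &= x - 1) p ^= 1; return p; }

// Ax for a column vector x: bit i of the result is row i of A dotted with x.
int mul(const Mat& A, int x) {
    int y = 0;
    for (int i = 0; i < N; ++i) if (parity(A[i] & x)) y |= 1 << i;
    return y;
}

// Gaussian elimination over GF(2): the transform below is an equivalence only
// when A has full rank.
bool invertible(Mat A) {
    int rank = 0;
    for (int bit = N - 1; bit >= 0; --bit) {
        int piv = -1;
        for (int r = rank; r < N; ++r) if ((A[r] >> bit) & 1) { piv = r; break; }
        if (piv < 0) continue;
        std::swap(A[rank], A[piv]);
        for (int r = 0; r < N; ++r)
            if (r != rank && ((A[r] >> bit) & 1)) A[r] ^= A[rank];
        ++rank;
    }
    return rank == N;
}

// g(x) = f(Ax + b) + c·x + d, the transformation of Eq. 3.76.
TT affineTransform(const TT& f, const Mat& A, int b, int c, int d) {
    TT g{};
    for (int x = 0; x < SIZE; ++x) g[x] = f[mul(A, x) ^ b] ^ parity(c & x) ^ d;
    return g;
}

// Walsh transform W_f(u) = sum_x (-1)^{f(x) + u·x}.
int walsh(const TT& f, int u) {
    int w = 0;
    for (int x = 0; x < SIZE; ++x) w += (f[x] ^ parity(u & x)) ? -1 : 1;
    return w;
}

// Autocorrelation r_f(u) = sum_x (-1)^{f(x) + f(x+u)} (Eq. 3.68).
int autocorr(const TT& f, int u) {
    int r = 0;
    for (int x = 0; x < SIZE; ++x) r += (f[x] ^ f[x ^ u]) ? -1 : 1;
    return r;
}

// Frequency distribution of absolute values: |value| -> how many u attain it.
std::map<int, int> absDistribution(const TT& f, int (*spectrum)(const TT&, int)) {
    std::map<int, int> dist;
    for (int u = 0; u < SIZE; ++u) {
        const int s = spectrum(f, u);
        dist[s < 0 ? -s : s]++;
    }
    return dist;
}

// Parseval: sum_u W_f(u)^2 = 2^{2n}; a sanity check on walsh().
int energySum(const TT& f) {
    int s = 0;
    for (int u = 0; u < SIZE; ++u) s += walsh(f, u) * walsh(f, u);
    return s;
}

// Eq. 3.78 checked pointwise: r_g(u) = (-1)^{u·c} r_f(Au) for every u.
bool autocorrRelationHolds(const TT& f, const Mat& A, int b, int c, int d) {
    const TT g = affineTransform(f, A, b, c, d);
    for (int u = 0; u < SIZE; ++u)
        if (autocorr(g, u) != (parity(u & c) ? -1 : 1) * autocorr(f, mul(A, u))) return false;
    return true;
}

// Constructed sample f: least significant output bit of the DES S1 first-row S-box.
const TT SAMPLE_F = {0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1};
const Mat SAMPLE_A = {0b1100, 0b0100, 0b0011, 0b0001};  // constructed, non-singular
const int SAMPLE_B = 0b1010, SAMPLE_C = 0b0110, SAMPLE_D = 1;

int main() {
    const TT g = affineTransform(SAMPLE_F, SAMPLE_A, SAMPLE_B, SAMPLE_C, SAMPLE_D);
    std::printf("A invertible: %s\n", invertible(SAMPLE_A) ? "yes" : "no");
    std::printf("|Walsh| distribution of f:");
    for (const auto& kv : absDistribution(SAMPLE_F, walsh)) std::printf(" (%d,%d)", kv.first, kv.second);
    std::printf("\n|Walsh| distribution of g:");
    for (const auto& kv : absDistribution(g, walsh)) std::printf(" (%d,%d)", kv.first, kv.second);
    std::printf("\nEq. 3.78 holds for every u: %s\n",
                autocorrRelationHolds(SAMPLE_F, SAMPLE_A, SAMPLE_B, SAMPLE_C, SAMPLE_D) ? "yes" : "no");
    return 0;
}
```

The same distributions printed by printFWH and printFAC in the library section below are what absDistribution computes here for a single component function; for a Vector Boolean function the library reports one distribution per component.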

3.10.2 Library

A VBF class can be initialized for an affine Vector Boolean function giving its corresponding matrix and vector by the following method:

void putaffine(const NTL::mat_GF2& A, const NTL::vec_GF2& b)

The method used to obtain the Frequency distrib­ution of the absolute values of the Walsh Spectrum is the following:

void printFWH(NTL_SNS ostream& s, VBF& F)

The method used to obtain the Frequency distribution of the absolute values of the Autocorrelation Spectrum is the following:

void printFAC(NTL_SNS ostream& s, VBF& F)

Example 3.10.1. The following program finds out the Walsh Spectrum, the Frequency distribution of the absolute values of the Walsh Spectrum, the Autocorrelation Spectrum, and the Frequency distribution of the absolute values of the Autocorrelation Spectrum of a Vector Boolean function, having as input the matrix A and the vector b associated with an affine function where:

$$A = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \qquad b = (0, 1)$$

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 A;
   NTL::vec_GF2 b;

   if(argc < 2) {
      cerr << "Usage: " << argv[0] << " <file with A and b>" << endl;
      return 1;
   }

   // Read the matrix A and the vector b of the affine function from the file
   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> A;
   input >> b;
   F.putaffine(A,b);
   input.close();

   cout << "The Walsh Spectrum is:" << endl << Walsh(F) << endl << endl;

   cout << "Frequency distribution of the absolute values of the Walsh Spectrum:" << endl;
   printFWH(cout,F);
   cout << endl;

   cout << "The Autocorrelation Spectrum is:" << endl << AC(F) << endl;

   cout << "Frequency distribution of the absolute values of the Autocorrelation Spectrum:" << endl;
   printFAC(cout,F);
   cout << endl;

   return 0;
}

The output of the program would be the following:

The Walsh Spectrum is:
[[4 0 0 0]
 [0 0 4 0]
 [0 -4 0 0]
 [0 0 0 -4]
]

Frequency distribution of the absolute values of the Walsh Spectrum:
(0,3),(4,1)
(0,3),(4,1)
(0,3),(4,1)

The Autocorrelation Spectrum is:
[[4 4 4 4]
 [4 4 -4 -4]
 [4 -4 4 -4]
 [4 -4 -4 4]
]

Frequency distribution of the absolute values of the Autocorrelation Spectrum:
(4,4)
(4,4)
(4,4)

3.11 Cycle Structure, Fixed Points and Negated Fixed Points

3.11.1 Description

Definition 3.11.1. The cycle structure of an invertible vector Boolean function F ∈ Fn,n (permutation) describes the number of cycles and their length.

A permutation can also be written in a way that groups together the images of a given number under repeated applications of F. For example, the permutation

$$F = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 \\ 3 & 6 & 4 & 7 & 5 & 9 & 1 & 8 & 2 \end{pmatrix} \qquad (3.79)$$

can be written

F = (1347)(269)(5)(8) (3.80)

The first group of numbers in parentheses indicates that 1 gets mapped to 3, 3 gets mapped to 4, 4 gets mapped to 7, and 7 gets mapped back to 1. Each of the other groupings is interpreted in a similar way. These groups of numbers are called cycles, and this notation for permutations is referred to as cycle notation. Following are several facts relating to cycles and cycle notation:

• A cycle of k numbers is referred to as a k-cycle or a cycle of length k; for example, (1347) is a 4-cycle or a cycle of length 4.

• A cycle of one number indicates that the number is mapped to itself, and 1-cycles are often referred to as fixed points. In the example above, there are two fixed points: 5 and 8.

• It does not matter which number is written first in a cycle, as long as the order of the numbers is preserved. For example, (1347) = (4713), but (1347) ≠ (1437).

A cycle structure with a low number of cycles of high length is considered well suited for cipher design, since it means that many transpositions are present. The fixed points of F are the elements of the set {x | F(x) = x}. The negated fixed points of F are the elements of the set {x | F(x) = x̄}, where x̄ is the complement of x, that is, the vector resulting from adding 1 to each of its components. A function with a high number of fixed and/or negated fixed points is considered to be not well designed, since it lacks the needed randomness.

3.11.2 Library

The method used to obtain the Cycle Structure is the following:

void Cycle(NTL::vec_ZZ& v, VBF& F)

The method used to print the Cycle Structure, so that each row has two values separated by a comma (the first one is the cycle length and the second one is the number of cycles of this length), is the following:

void printCycle(NTL_SNS ostream& s, VBF& F)

The fixed points of F are obtained by this method:

NTL::mat_GF2 fixedpoints(VBF& F)

The negated fixed points of F are obtained by this method:

NTL::mat_GF2 negatedfixedpoints(VBF& F)

Example 3.11.1. The following program prints the cycle structure of a Vector Boolean function having as input its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::mat_GF2 T;

   if(argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth table file>" << endl;
      return 1;
   }

   // Read the Truth Table from the file given as first argument
   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> T;
   F.puttt(T);
   input.close();

   cout << "The Cycle Structure is:" << endl;
   printCycle(cout,F);

   cout << endl << "The fixed points are the following:" << endl;
   cout << fixedpoints(F) << endl;

   cout << endl << "The negated fixed points are the following:" << endl;
   cout << negatedfixedpoints(F) << endl;

   return 0;
}

If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:

The Cycle Structure is:
2,1
14,1

The fixed points are the following: []

The negated fixed points are the following:
[[0 0 1 0]
 [0 1 1 1]
]

which means that NibbleSub has no fixed points and two negated fixed points, namely:

[0 0 1 0] [0 1 1 1]

This is because NibbleSub[(1,1,0,1)] = (0,0,1,0) and NibbleSub[(1,0,0,0)] = (0,1,1,1).

Table 3.2 Cycle structure of NibbleSub.

Cycle length | Number of cycles
2 | 1
14 | 1
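The following C++ program is an added example (not code from the thesis or the VBF library) that computes the three quantities of this section directly from an S-box table: the cycle structure as a map from cycle length to number of cycles, the fixed points {x | F(x) = x}, and the negated fixed points {x | F(x) = x̄}. It first checks that the table is a permutation, since a cycle structure is only defined for a bijection. The sample S-box is the first row of the DES S1 table in Example 3.13.1, assumed to coincide with NibbleSub; the function names are this example's own.

```cpp
#include <array>
#include <cstdio>
#include <map>
#include <vector>

// Constructed sample: first row of the DES S1 table (assumed to be NibbleSub).
static const std::array<int, 16> SBOX = {14, 4, 13, 1, 2, 15, 11, 8,
                                         3, 10, 6, 12, 5, 9, 0, 7};
constexpr int N = 4;                 // n = m = 4
constexpr int SIZE = 1 << N;         // 2^n = 16
constexpr int ALL_ONES = SIZE - 1;   // the vector (1,1,1,1); x ^ ALL_ONES is x̄

// A cycle structure is only defined when F is a bijection of V_n.
bool isPermutation(const std::array<int, 16>& s) {
    std::array<bool, SIZE> seen{};
    for (int y : s) {
        if (y < 0 || y >= SIZE || seen[y]) return false;
        seen[y] = true;
    }
    return true;
}

// Cycle structure: cycle length -> number of cycles of that length. Each element
// is visited once, following x -> F(x) until the cycle closes.
std::map<int, int> cycleStructure(const std::array<int, 16>& s) {
    std::map<int, int> result;
    std::array<bool, SIZE> visited{};
    for (int start = 0; start < SIZE; ++start) {
        if (visited[start]) continue;
        int length = 0;
        for (int x = start; !visited[x]; x = s[x]) {
            visited[x] = true;
            ++length;
        }
        result[length]++;
    }
    return result;
}

// Fixed points: x with F(x) = x.
std::vector<int> fixedPoints(const std::array<int, 16>& s) {
    std::vector<int> out;
    for (int x = 0; x < SIZE; ++x) if (s[x] == x) out.push_back(x);
    return out;
}

// Negated fixed points: x with F(x) = x̄ (every bit complemented).
std::vector<int> negatedFixedPoints(const std::array<int, 16>& s) {
    std::vector<int> out;
    for (int x = 0; x < SIZE; ++x) if (s[x] == (x ^ ALL_ONES)) out.push_back(x);
    return out;
}

int main() {
    if (!isPermutation(SBOX)) { std::printf("not a permutation\n"); return 1; }
    std::printf("Cycle structure (length,count):\n");
    for (const auto& kv : cycleStructure(SBOX)) std::printf("%d,%d\n", kv.first, kv.second);
    std::printf("Fixed points:");
    for (int x : fixedPoints(SBOX)) std::printf(" %x", x);
    std::printf("\nNegated fixed points:");
    for (int x : negatedFixedPoints(SBOX)) std::printf(" %x", x);
    std::printf("\n");
    return 0;
}
```

For this S-box the result agrees with the program output above: one 2-cycle (0 ↔ 14), one 14-cycle covering the remaining inputs, no fixed points, and the two negated fixed points 0010 and 0111.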

3.12 Permutation Vector

3.12.1 Description

If F is a Boolean permutation, that is, it is bijective and has the same number of input bits as output bits (n = m), then it can be defined as an array F = [F(1) ... F(n)], where F(i) is the output bit of the input bit i for F.

3.12.2 Library

A VBF class can be initialized giving its permutation vector with the following method:

void putper(const NTL::vec_ZZ& v)

To obtain its representation as permutation vector, the following method must be used:

void PER(NTL::vec_ZZ& v, VBF& F)

Example 3.12.1. The following program finds out the Truth Table of a Vector Boolean function having as input its Permutation Vector:

[ 1 2 3 4 13 14 15 16 9 10 11 12 5 6 7 8 ]

For example, you can see bit 13 moves to bit 5, while bit 5 moves to bit 13.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F;
   NTL::vec_ZZ a;

   if(argc < 2) {
      cerr << "Usage: " << argv[0] << " <permutation vector file>" << endl;
      return 1;
   }

   // Read the permutation vector from the file given as first argument
   ifstream input(argv[1]);
   if(!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   input >> a;
   F.putper(a);
   input.close();

   cout << "The Truth Table is:" << endl;
   cout << TT(F) << endl;

   return 0;
}

The first 10 lines of the output of the program would be the following:

The Truth Table is:
[[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0]
 [0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0]
 [0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0]

3.13 DES Representations

3.13.1 Description

The VBF library accepts two types of representations of DES [107] components:

1. Expansion and Compression DES permutations. They can be used to represent both the Compression Permutation in the Key Transformation of DES and the Expansion Permutation in the Feistel Function of the DES cipher. The Compression Permutation permutes the order of the bits as well as selecting a subset of bits. The Expansion Permutation expands the right half of the data, R_i, from 32 bits to 48 bits. Because this operation changes the order of the bits as well as repeating certain bits, it is known as an expansion permutation.

2. DES S-box Substitution. Each S-box is a table of 4 rows and 16 columns. Each entry in the box is a 4-bit number. The 6 input bits of the S-box specify under which row and column number to look for the output. The input bits specify an entry in the S-box as follows. Consider an S-box input of 6 bits, labeled b1, b2, b3, b4, b5 and b6. Bits b1 and b6 are combined to form a 2-bit number, from 0 to 3, which corresponds to a row in the table. The middle 4 bits, b2 through b5, are combined to form a 4-bit number, from 0 to 15, which corresponds to a column in the table. For example, assume that the input to the first S-box (i.e. bits 1 to 6 of the XOR function) is 110011. The first and last bits combine to form 11, which corresponds to row 3 of the first S-box. The middle 4 bits combine to form 1001, which corresponds to column 9 of the same S-box. The entry under row 3, column 9 of S-box 1 is 11 (count rows and columns starting from 0). The value 1110 is substituted for 001011. Figures 3.6 and 3.7 list the eight S-boxes used in DES. Each S-box replaces a 6-bit input with a 4-bit output. Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits, and the column using the inner four bits. For example, an input "011011" has outer bits "01" and inner bits "1101"; noting that the first row is "00" and the first column is "0000", the corresponding output for S-box S5 would be "1001" (=9), the value in the second row, 14th column.

3.13.2 Library

A VBF class can be initialized giving its Expansion and Compression DES permutation vector with the following method:

void putexp_comp(const NTL::vec_ZZ& v)

A VBF class can be initialized giving its DES-like S-box representation matrix with the following method:

void putsbox(const NTL::mat_ZZ& S)

Fig. 3.6 S1,S2,S3,S4 DES S-boxes.

Fig. 3.7 S5,S6,S7,S8 DES S-boxes.

Example 3.13.1. The following program prints the Truth Table of an Expansion permutation and of the DES S1 S-box. The inputs are respectively the following:

[ 4 1 2 3 4 1 ]

[[14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7]
 [0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8]
 [4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0]
 [15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13]]

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F,G;
   NTL::vec_ZZ v;
   NTL::mat_ZZ S;

   if(argc < 3) {
      cerr << "Usage: " << argv[0] << " <expansion vector file> <S-box file>" << endl;
      return 1;
   }

   // Expansion permutation vector from the first file
   ifstream inputv(argv[1]);
   if(!inputv) {
      cerr << "Error opening " << argv[1] << endl;
      return 1;
   }
   inputv >> v;
   inputv.close();
   F.putexp_comp(v);

   // DES S-box table from the second file
   ifstream inputS(argv[2]);
   if(!inputS) {
      cerr << "Error opening " << argv[2] << endl;
      return 1;
   }
   inputS >> S;
   inputS.close();
   G.putsbox(S);

   cout << "The Truth Table of Expansion Permutation is:" << endl << TT(F) << endl;
   cout << endl << "The Truth Table of S1 DES S-box is:" << endl << TT(G) << endl;

   return 0;
}

The output of the program would be the following [4]:

The Truth Table of Expansion Permutation is:
[[0 0 0 0 0 0]
 [1 0 0 0 1 0]
 [0 0 0 1 0 0]
 [1 0 0 1 1 0]
 [0 0 1 0 0 0]
 [1 0 1 0 1 0]
 [0 0 1 1 0 0]
 [1 0 1 1 1 0]
 [0 1 0 0 0 1]
 [1 1 0 0 1 1]
 [0 1 0 1 0 1]
 [1 1 0 1 1 1]
 [0 1 1 0 0 1]
 [1 1 1 0 1 1]
 [0 1 1 1 0 1]
 [1 1 1 1 1 1]
]

The Truth Table of S1 DES S-box is:
[[1 1 1 0]
 [0 0 0 0]
 [0 1 0 0]
 [1 1 1 1]
 [1 1 0 1]
 [0 1 1 1]
 [0 0 0 1]
 [0 1 0 0]
 [0 0 1 0]
 [1 1 1 0]
 [1 1 1 1]
 [0 0 1 0]
 [1 0 1 1]
 [1 1 0 1]
 [1 0 0 0]
 [0 0 0 1]
 ...

[4] Only a few values of the S1 Truth Table are printed for space reasons.

3.14 Auxiliary Functions

In order to compute the matrices described above, some functions have been implemented which allow some of these matrices to be obtained from others:

• A function whose input is an ANF table and whose output is the Truth Table: mat_GF2 rev(const mat_GF2& A, int n, int m)

• A function whose input is the Characteristic Function and whose output is the Truth Table: mat_GF2 truthtable(const mat_ZZ& C, int n, int m)

• A function whose input is the Truth Table and whose output is the Characteristic Function: mat_ZZ charfunct(const mat_GF2& T, int n, int m)

• A function whose input is the Walsh Spectrum and whose output is the Characteristic Function (that is, the Inverse Walsh Transform): mat_ZZ invwt(const mat_ZZ& X, int n, int m)

• A matrix representing the linear combinations of the Truth Table coordinate functions: void LTT(NTL::mat_GF2& X, VBF& a)

• A matrix representing the character form of the Truth Table coordinate functions: void CTT(NTL::mat_GF2& X, VBF& a)
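The conversion between an ANF table and a Truth Table performed by rev above is the Möbius transform, which is its own inverse. The following C++ program is an added example (not code from the thesis or the VBF library): it implements that transform in place for n = 4, applies it to the component functions v·F of a sample S-box, reads the algebraic degree off the resulting ANF table, and checks the round trip. The sample S-box is the first row of the DES S1 table in Example 3.13.1, assumed to coincide with NibbleSub; the function names are this example's own.

```cpp
#include <array>
#include <cstdio>

constexpr int N = 4;                  // number of input variables
constexpr int SIZE = 1 << N;          // 2^n = 16
using Table = std::array<int, SIZE>;  // Truth Table or ANF table, indexed by x in V_4

// Constructed sample: first row of the DES S1 table (assumed to be NibbleSub).
static const std::array<int, 16> SBOX = {14, 4, 13, 1, 2, 15, 11, 8,
                                         3, 10, 6, 12, 5, 9, 0, 7};

int parity(unsigned x) { int p = 0; for (; x; x &= x - 1) p ^= 1; return p; }
int popcount(unsigned x) { int c = 0; for (; x; x &= x - 1) ++c; return c; }

// Truth Table of the component function v·F.
Table component(const std::array<int, 16>& s, int v) {
    Table t{};
    for (int x = 0; x < SIZE; ++x) t[x] = parity(v & s[x]);
    return t;
}

// Truth Table of the linear function l_u(x) = u·x (Eq. 3.74).
Table linearFunction(int u) {
    Table t{};
    for (int x = 0; x < SIZE; ++x) t[x] = parity(u & x);
    return t;
}

// Möbius transform. Applied to a Truth Table it yields the ANF table, whose entry
// m is the coefficient of the monomial formed by the variables set in m (the XOR
// of f over all x with x a subset of m). Applied to an ANF table it gives the
// Truth Table back: the transform is an involution.
Table mobius(Table t) {
    for (int i = 0; i < N; ++i)
        for (int x = 0; x < SIZE; ++x)
            if (x & (1 << i)) t[x] ^= t[x ^ (1 << i)];
    return t;
}

// Algebraic degree: most variables in any monomial with coefficient 1.
int algebraicDegree(const Table& anf) {
    int d = 0;
    for (int m = 0; m < SIZE; ++m)
        if (anf[m] && popcount(m) > d) d = popcount(m);
    return d;
}

// Smallest and largest degree over all nonzero components v·F of the S-box.
int minComponentDegree(const std::array<int, 16>& s) {
    int d = N;
    for (int v = 1; v < SIZE; ++v) {
        const int dv = algebraicDegree(mobius(component(s, v)));
        if (dv < d) d = dv;
    }
    return d;
}
int maxComponentDegree(const std::array<int, 16>& s) {
    int d = 0;
    for (int v = 1; v < SIZE; ++v) {
        const int dv = algebraicDegree(mobius(component(s, v)));
        if (dv > d) d = dv;
    }
    return d;
}

int main() {
    const Table anf = mobius(component(SBOX, 1));
    std::printf("ANF of the component 1·F (monomials as variable masks):");
    for (int m = 0; m < SIZE; ++m) if (anf[m]) std::printf(" x%x", m);
    std::printf("\ncomponent degrees: min %d, max %d\n",
                minComponentDegree(SBOX), maxComponentDegree(SBOX));
    return 0;
}
```

Because every nonzero component of a bijective 4-bit S-box is balanced, the degree-4 monomial never appears, so the maximum component degree is at most 3; a degree of 1 for some v would mean that v·F is affine, which the Autocorrelation Spectrum of Example 3.9.1 rules out for this S-box.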

3.15 Summary

Table 3.3 lists the member functions related to the initialization of vector Boolean functions. Table 3.4 lists the member functions related to the characterizations of vector Boolean functions as described above. Most of the member functions of VBF also have an inline form that returns the result; for instance, void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F).

Table 3.3 Representation of VBF.

SYNTAX | DESCRIPTION
void puttt(const NTL::mat_GF2& T) | TT_F = T
void putHexTT(istream& s) | VBF whose Truth Table is given in hexadecimal representation by s
void putBinTT(istream& s) | VBF whose Truth Table is given in binary representation by s
void putDecTT(const NTL::vec_long& d, const long& m) | VBF whose Truth Table is given in decimal representation by d; m is the number of component Boolean functions
void putltt(const NTL::mat_GF2& L) | LTT_F = L
void putctt(const NTL::mat_ZZ& C) | CTT_F = C
void putirrpol(GF2X& g) | Set F by its trace f and the irreducible polynomial g (used together with puttrace)
void puttrace(string& f) | Set F by its trace f and the irreducible polynomial g (used together with putirrpol)
void putpol(vec_pol& p) | Set F with Polynomials in ANF equal to p
void putanf(const NTL::mat_GF2& A) | ANF_F = A
void putchar(const NTL::mat_ZZ& C) | Img(F) = C
void putwalsh(const NTL::mat_ZZ& W) | WS(F) = W
void putaffine(const NTL::mat_GF2& A, const NTL::vec_GF2& b) | F(x) = xA + b
void putper(const NTL::vec_ZZ& v) | VBF which is a permutation defined by v
void putexp_comp(const NTL::vec_ZZ& v) | VBF defined by the Expansion and Compression DES vector v
void putsbox(const NTL::mat_ZZ& S) | VBF which is a DES S-box defined by S

Table 3.4 Characterizations of VBF.

SYNTAX | DESCRIPTION
void TT(NTL::mat_GF2& X, VBF& F) | X = TT_F
void getHexTT(ostream& s) | s is the hexadecimal representation of the Truth Table of F
void getBinTT(ostream& s) | s is the binary representation of the Truth Table of F
NTL::vec_long getDecTT() const | Decimal representation of the Truth Table
long weight(VBF& F) | Weight of F
void LTT(NTL::mat_GF2& X, VBF& F) | X = LTT_F
void CTT(NTL::mat_ZZ& X, VBF& F) | X = CTT_F
void Trace(GF2EX& f, VBF& F) | F has a trace representation defined by f
void Pol(NTL_SNS ostream& s, VBF& F) | s contains the Polynomials in ANF of F
void ANF(NTL::mat_GF2& X, VBF& F) | X = ANF_F
void Charact(NTL::mat_ZZ& X, VBF& F) | X = Img(F)
void Walsh(NTL::mat_ZZ& X, VBF& F) | X = WS(F)
void LAT(NTL::mat_ZZ& X, VBF& F) | X = LP(F)
void lp(NTL::RR& x, VBF& F) | lp(F) = x
void linear(NTL_SNS ostream& s, VBF& F, ZZ& x) | Linear relations associated with the value x of the Linear Profile of F
void ProbLin(NTL::RR& x, VBF& F, NTL::ZZ& w) | Probability of the linear relations associated with the value w of the Linear Profile of F
void DAT(NTL::mat_ZZ& X, VBF& F) | X = DP(F)
void dp(NTL::RR& x, VBF& F) | dp(F) = x
void differential(NTL_SNS ostream& s, VBF& F, ZZ& x) | Differential relations associated with the value x of the Differential Profile of F
void ProbDif(NTL::RR& x, VBF& F, NTL::ZZ& w) | Probability of the characteristics associated with the value w of the Differential Profile of F
void AC(NTL::mat_ZZ& X, VBF& F) | X = R(F)
NTL::mat_GF2 LS(VBF& F) | Returns a matrix whose rows are the linear structures
void printFWH(NTL_SNS ostream& s, VBF& F) | Frequency distribution of the absolute values of the Walsh Spectrum
void printFAC(NTL_SNS ostream& s, VBF& F) | Frequency distribution of the absolute values of the Autocorrelation Spectrum
void Cycle(NTL::vec_ZZ& v, VBF& F) | v is the Cycle Structure
void printCycle(NTL_SNS ostream& s, VBF& F) | Print the Cycle Structure
NTL::mat_GF2 fixedpoints(VBF& F) | Return the fixed points
NTL::mat_GF2 negatedfixedpoints(VBF& F) | Return the negated fixed points
void PER(NTL::vec_ZZ& v, VBF& F) | v is the permutation vector defined by F

Chapter 4

Cryptographic Criteria

This chapter defines some properties relevant for cryptographic applications and explains how to use the package to compute them. They are defined in relation to the representation or transform from which they are derived. These properties are either criteria or quantities which provide useful information in cryptanalysis. Among the criteria we find nonlinearity, r-th order nonlinearity, linearity distance, balancedness, correlation immunity, resiliency (i.e. balancedness and correlation immunity), propagation criterion, global avalanche criterion, algebraic degree and algebraic immunity. Other properties described are the maximum possible nonlinearity or the maximum possible linearity distance achievable by a Vector Boolean function with the same number of inputs, and the type of function in terms of nonlinearity. Figure 4.1 summarizes the relationships among several representations and the criteria studied in this chapter. The representations which are Boolean matrices are coloured in red, those which are integer matrices are coloured in blue, and those which are criteria are coloured in green. In this chapter we apply VBF library methods to find out the cryptographic criteria of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of the cryptographic criteria of modern cryptographic algorithms apart from those described in this chapter.

4.1 Introduction

4.1.1 Definitions

A block cipher can be expressed as an interrelation of Vector Boolean functions. Thus, in the context of block cipher design, it is essential to define criteria which measure the cryptographic strength of Boolean functions and Vector Boolean functions. Ideally, some of the following requirements must be fulfilled by these criteria:

Fig. 4.1 Relationships among representations and criteria of a Vector Boolean function.

1. The criterion enforces the principles of confusion and diffusion [138], [143]. Confusion ensures that a complex relationship exists among the plaintext, the ciphertext and the key material. This notion has been extrapolated to mean that a significant reliance on some form of substitution is required as a source of this confusion. The confusion in a cipher is achieved through the use of nonlinear components. Diffusion dissipates the redundancy of the plaintext by spreading the influence of a single plaintext bit over many ciphertext bits (obtained by linear transformations). Both techniques make it more difficult for a cryptanalyst to find redundancy and statistical patterns in the ciphertext.

2. The criterion can be expressed in terms of a distance to an appropriate set S of cryptographically weak functions. Functions that exhibit properties common to cryptographically weak functions are also considered to be cryptographically weak. [98]

3. The criterion should remain invariant under a certain group of transformations. This symmetry group should contain the group of affine transformations. [98]

There exist two types of cryptographic criteria:

1. All-or-nothing criterion, meaning that the criterion informs about the presence or absence of some cryptographic weakness.

2. Characteristic, which is a criterion which can be satisfied at levels quantified by numbers.

4.1.2 Cryptographically Weak Functions

Definition 4.1.1. A function is considered to be cryptographically weak if it is easily breakable or it can be turned into a weak function by means of simple (e.g. linear or affine) transformations.

This definition is congruent with the notion of similar secrecy introduced by Shannon in [143], so that two functions R and S are said to be "similar" if there exists a fixed transformation A, with an inverse $A^{-1}$, such that $R = AS$. The best known cryptographically weak functions are described below.

• Linear and affine functions. The simultaneous complementation of a subset of the input variables causes the value of a linear function to always change (from the original value before complementation) or to never change.

• Functions with non-zero linear structures. Lai showed in [82] that if $f \in \mathcal{F}_n$ has $k < n$ linearly independent vectors $b_1, \ldots, b_k$ that are linear structures, then f can be mapped to $g \in \mathcal{F}_n$ via a linear transformation where:

$g(x_1, \ldots, x_n) = m_1 x_1 + \cdots + m_k x_k + g'(x_{k+1}, \ldots, x_n)$ (4.1)

The main known cryptanalytic techniques on ciphers are conceived to exploit some cryptographic weakness. The cryptographic criteria that can be evaluated by means of the VBF class are described in the following sections.

4.2 Algebraic Degree

4.2.1 Description

Cryptographic algorithms using Boolean functions to achieve confusion in a cipher (S-boxes in block ciphers, combining or filtering functions in stream ciphers) can be attacked if the functions have low algebraic degree. The algebraic degree is a good indicator of the function's algebraic complexity. The higher the degree of a function, the greater is its algebraic complexity. The higher order differential attack [83] exploits the fact that the algebraic degree of the S-box is low.

Definition 4.2.1. The algebraic degree of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the algebraic degrees of all component functions of F [113], namely:

$\deg(F) = \min_{g}\{\deg(g) \mid g = \sum_{j=1}^{m} v_j f_j,\ v \neq 0 \in V_m\}$ (4.2)

where the algebraic order or degree of a Boolean function is the order of the largest product term in the ANF. This criterion is obtained by generating the ANF table and then analyzing the degree of all the component functions.

Functions with algebraic degree less than or equal to 1 are called affine. A non-constant affine function for which F(0) = 0 is called linear. We refer to functions of degree two as quadratic and functions of degree three as cubic. The following property was proved in [96]:

Theorem 4.2.1. Any two distinct $f, g \in \mathcal{F}_n$ of algebraic degrees at most r have mutual distance at least $2^{n-r}$.

4.2.2 Library

The method used to obtain this criterion is the following:

void deg(int& d, VBF& F)

Example 4.2.1. The following program provides the algebraic degree of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The algebraic degree of the function is " << deg(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input we will find out that its algebraic degree is 2. Figure 4.2 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in red the ANF terms of degree 4. As we can see, there are no terms of degree 4 in any of the component functions of NibbleSub.

Fig. 4.2 Algebraic Degree of NibbleSub: Degree 4.

Figure 4.3 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in blue the ANF terms of degree 3. As we can see, there are no terms of degree 3 in one of the component functions of NibbleSub, which is marked in yellow.

Fig. 4.3 Algebraic Degree of NibbleSub: Degree 3.

Figure 4.4 represents the ANF table of the NibbleSub nonzero component functions and emphasizes in orange the ANF terms of degree 2. As we can see, there are always terms of degree 2 in all the component functions of NibbleSub. Because of this, the algebraic degree of NibbleSub is 2.

Fig. 4.4 Algebraic Degree of NibbleSub: Degree 2.

Example 4.2.2. The following program illustrates some of the properties described in tables 4.4 and 4.5.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> p;
    F.putpol(p);
    input.close();

    cout << "Frequency distribution of the absolute values of the Walsh Spectrum:" << endl;
    printFWH(cout,F);
    cout << endl;

    cout << "The algebraic degree of the function is " << deg(F) << endl;

    cout << "The weight of the function is " << weight(F) << endl;

    return 0;
}

If we use the following 7-variable Boolean function as input:

$f(x_1, \ldots, x_7) = x_1x_2x_3x_4x_5 + x_1x_3x_7 + x_1x_2 + x_3x_4 + x_5x_6$

the output of the program would be the following:

Frequency distribution of the absolute values of the Walsh Spectrum:
(0,40),(8,32),(16,56)

The algebraic degree of the function is 5
The weight of the function is 56

We can see that the Walsh Spectrum takes exactly 3 absolute values: 0, 8 and 16, all of them divisible by $2^3$. By the divisibility property of the Walsh coefficients, f has algebraic degree at most $7 - 3 + 1 = 5$; in this case the algebraic degree 5 is attained. The Walsh divisibility property is described in Table 4.5. We can also notice that the weight of f is 56. As stated in the weight property (see Table 4.4), this value is a multiple of $2^{\lfloor (7-1)/5 \rfloor} = 2$.

4.3 Nonlinearity

4.3.1 Description

In order to provide confusion, cryptographic functions must lie at a large Hamming distance to all affine functions. Because of Parseval's Relation 3.6.8, any Vector Boolean function has correlation with some affine functions of its input. This correlation should be small: the existence of affine approximations of the Boolean functions involved in a cipher allows attacks on the system to be built (see [91] for block ciphers and [17] for stream ciphers).

Definition 4.3.1. The nonlinearity of a Boolean function $f \in \mathcal{F}_n$ is defined as the Hamming distance between f and the subspace of affine functions $A_n$ [121]:

$NL(f) = d(f, A_n)$ (4.3)

Definition 4.3.2. The nonlinearity of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the nonlinearities of all component functions of F [113]:

$NL(F) = \min_{v \neq 0} NL(v \cdot F),\quad v = (v_1, \ldots, v_m) \in V_m$ (4.4)

The nonlinearity of F can be expressed in terms of the Walsh coefficients by the following theorem:

Theorem 4.3.1. Let $F \in \mathcal{F}_{n,m}$; the nonlinearity of F can be calculated in terms of the maximum of the absolute values of its Walsh Spectrum without taking into account the elements of its first row and column (denoted $\max^{*}$), as follows:

$NL(F) = 2^{n-1} - \frac{1}{2}\max^{*}(WS(F)(u,v))$ (4.5)

Proof.

$NL(F) = \min_{v = (v_1, \ldots, v_m) \neq 0} NL(v \cdot F) = 2^{n-1} - \frac{1}{2}\max^{*}|\hat{\chi}_{v \cdot F}(u)| = 2^{n-1} - \frac{1}{2}\max^{*}|\hat{\theta}_F(u,v)| = 2^{n-1} - \frac{1}{2}\max^{*}(WS(F)(u,v))$

Corollary 4.3.2. Let $f \in \mathcal{F}_n$; the nonlinearity of f can be expressed in terms of its Walsh transform as follows:

$NL(f) = 2^{n-1} - \frac{1}{2}\max_{u \in V_n,\ u \neq 0}|\hat{\chi}_f(u)|$ (4.6)

Definition 4.3.3. The spectral radius of a Boolean function $f \in \mathcal{F}_n$ is $r(f) = \max_{u \in V_n,\ u \neq 0}|\hat{\chi}_f(u)|$.

This criterion is a measure of the distance between a Vector Boolean function and all affine Vector Boolean functions. If this distance is small, it is possible to build affine approximations of the Vector Boolean functions involved in a cipher and use them to mount attacks (called linear attacks) on a block cipher [92]. In the case of stream ciphers, these attacks are called fast correlation attacks. Thus, this property is useful to assess the resistance of a Vector Boolean function to linear attacks (including correlation attacks), i.e., attacks where the function F is approximated by an affine function.

It is well known that the maximum nonlinearity of Boolean functions $f \in \mathcal{F}_n$ coincides with the covering radius of the first order binary Reed-Muller code RM(1,n) [39]. Many results on the covering radius of RM(1,n) have direct application to the nonlinearity. The nonlinearity of a Boolean function is bounded above by $2^{n-1} - 2^{\frac{n}{2}-1}$ [128], which is achieved by bent functions, which only exist for n even. For n odd, it lies between $2^{n-1} - 2^{\frac{n-1}{2}}$ and $2^{n-1} - 2^{\frac{n+1}{2}}$. It has been shown that it is equal to $2^{n-1} - 2^{\frac{n-1}{2}}$ when n = 1, 3, 5, 7 (see [56] for n = 1, 3, 5 by exhaustive search, and [106], [53] for n = 7 by theoretical proof) and is strictly greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ for n ≥ 15 [118], [119]. The upper bound known for an odd number of input variables n is $2\lfloor 2^{n-2} - 2^{\frac{n}{2}-2} \rfloor$ [54]. The value of the maximum nonlinearity for certain values of n odd is summarized in the following table:

Table 4.1 Maximum nonlinearity of Boolean functions for n odd.

n             3    5    7    9          11         13              15
Benchmark     2   12   56   242 [79]   996 [79]   4040 [89][78]   16276 [118][119][133]
Upper bound   2   12   56   244        1000       4050            16292

For Vector Boolean functions, Nyberg showed in [112] that the upper bound of nonlinearity can only be obtained if n ≥ 2m and n is even. The corresponding functions are called bent S-boxes:

$NL(F) \le 2^{n-1} - 2^{\frac{n}{2}-1}$ (4.7)

This bound will be called the covering radius bound (since this is the value of the covering radius of the Reed-Muller code of order 1 if n is even). If 2m > n, an upper bound was defined by Chabaud and Vaudenay in [29]; it is called the Sidelnikov-Chabaud-Vaudenay bound:

Theorem 4.3.3. Let n and m be any positive integers such that m ≥ n − 1. Let $F \in \mathcal{F}_{n,m}$, then:

$NL(F) \le 2^{n-1} - \frac{1}{2}\sqrt{3 \times 2^n - 2 - 2\,\frac{(2^n - 1)(2^{n-1} - 1)}{2^m - 1}}$ (4.8)

We can define several types of Vector Boolean functions in terms of nonlinearity:

1. Linear if its nonlinearity is equal to 0.

2. An $F \in \mathcal{F}_{n,n}$ with n odd which achieves the bound of Theorem 4.3.3 with equality is called almost bent (AB). It holds that $NL(F) = 2^{n-1} - 2^{\frac{n-1}{2}}$ (n odd).

3. An $F \in \mathcal{F}_{n,m}$ is called bent if it achieves the covering radius bound (equation (4.7)) with equality.

4.3.2 Library

The method used to obtain the nonlinearity of a Vector Boolean function is the following:

void nl(NTL::RR& x, VBF& F)

The method used to obtain the spectral radius of a Vector Boolean function is the following:

void SpectralRadius(NTL::ZZ& x, VBF& F)

The method used to obtain the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

NTL::RR nlmax(VBF& F)

The method used to obtain the type of function in terms of nonlinearity is the following:

void typenl(int& typenl, VBF& F)

Example 4.3.1. The following program provides the nonlinearity of a Vector Boolean function given its Truth Table together with the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The spectral radius of the function is " << SpectralRadius(F) << endl;
    cout << "The nonlinearity of the function is " << nl(F) << endl;

    cout << "The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is " << nlmax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The spectral radius of the function is 12 The nonlinearity of the function is 2 The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is 5

Figure 4.5 represents the Walsh Spectrum of NibbleSub and emphasizes in blue its maximum absolute values. From the definition we have $NL(\text{NibbleSub}) = 2^{4-1} - \frac{1}{2} \cdot 12 = 2$.

Fig. 4.5 Nonlinearity of NibbleSub.

Example 4.3.2. The following program provides the nonlinearity of a Vector Boolean function given its polynomial representation in ANF, together with the maximum nonlinearity that can be achieved by a Vector Boolean function with the same number of input bits and output bits, and the type of function in terms of nonlinearity.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> p;
    F.putpol(p);
    input.close();

    cout << "The nonlinearity of the function is " << nl(F) << endl;
    cout << "The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is " << nlmax(F) << endl;

    int type;
    typenl(type, F);

    if (type == BENT) {
        cout << "It is a bent function" << endl;
    } else if (type == ALMOST_BENT) {
        cout << "It is an almost bent function" << endl;
    } else if (type == LINEAR) {
        cout << "It is a linear function" << endl;
    }

    return 0;
}

If we use $x_1x_2 + x_3x_4$ as input, the output would be the following:

The nonlinearity of the function is 6 The maximum nonlinearity that can be achieved by a Vector Boolean function with the same dimensions is 6 It is a bent function

As the nonlinearity of this Boolean function is maximal, it is a bent function.

4.4 r-th Order Nonlinearity

4.4.1 Description

As well as the affine functions, we can consider functions with low algebraic degree to be weak functions from the cryptographic point of view. A criterion can be defined in terms of the Hamming distance to the Reed-Muller code of order r (r < n).

Definition 4.4.1. For every positive integer r, the r-th order nonlinearity of a Vector Boolean function F is the minimum r-th order nonlinearity of its component functions. The r-th order nonlinearity of a Boolean function equals its minimum Hamming distance to functions of algebraic degree at most r (see [25] for details).

$NL_r(F) = \min_{v \neq 0 \in V_m} NL_r(v \cdot F) = \min_{v \neq 0 \in V_m}\ \min_{f \in \mathcal{F}_n,\ \deg(f) \le r} d(f, v \cdot F)$ (4.9)

Computing the r-th order nonlinearity is not an easy task for r ≥ 2. Unlike the first-order nonlinearity, there are no efficient algorithms to compute second-order nonlinearities for n ≥ 11. The VBF library employs a naive exhaustive search for this purpose.

4.4.2 Library

The method used to obtain this criterion is the following:

void nlr(long& x, VBF& F, int r)

This method returns -1 if the number of functions to check is too large (greater than the maximum value of a long int variable).

Example 4.4.1. The following program provides the 2-nd order nonlinearity of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;
    long a;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    nlr(a,F,2);
    cout << "The 2-nd order nonlinearity of the function is " << a << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The 2-nd order nonlinearity of the function is 0

As we saw in Example 4.2.1, this result is consistent with the fact that its algebraic degree is 2: a function of degree 2 is at distance 0 from the set of functions of degree at most 2.
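To make the two criteria above concrete, here is an added example (my own C++, not code from the VBF library or from the thesis; the function names are mine). It computes the algebraic degree from the ANF via the Möbius transform and the r-th order nonlinearity by the exhaustive search the text describes for nlr. It assumes truth tables indexed by the integer value of the input with $x_1$ as the least significant bit, checks itself against the 7-variable function of Example 4.2.2 (degree 5, weight 56), and applies (4.2) and (4.9) to a constructed 4x2 S-box whose coordinates are $x_1x_2 + x_3x_4$ and $x_1x_3 + x_2x_4$.

```cpp
#include <algorithm>
#include <climits>
#include <cstddef>
#include <iostream>
#include <numeric>
#include <vector>

// Truth table of a Boolean function on V_n, indexed by the integer value of
// x = (x_1, ..., x_n) with x_1 as the least significant bit.
using TruthTable = std::vector<int>;

// Möbius transform over GF(2): maps a truth table to its ANF coefficients
// (indexed by monomial masks) and, being an involution, back again.
static TruthTable mobius(TruthTable t) {
    for (std::size_t len = 1; len < t.size(); len <<= 1)
        for (std::size_t i = 0; i < t.size(); i += 2 * len)
            for (std::size_t j = i; j < i + len; ++j) t[j + len] ^= t[j];
    return t;
}

// Truth table of a function given by its ANF monomials; each monomial is the
// bit mask of the variables it contains (mask 0 is the constant 1).
static TruthTable fromANF(int n, const std::vector<unsigned> &monomials) {
    TruthTable coeffs(std::size_t(1) << n, 0);
    for (unsigned m : monomials) coeffs[m] ^= 1;   // repeated terms cancel over GF(2)
    return mobius(coeffs);
}

static int weight(const TruthTable &t) { return std::accumulate(t.begin(), t.end(), 0); }

// Algebraic degree: the most variables in any monomial whose ANF coefficient
// is 1 (the zero function gets -1 here).
static int degree(const TruthTable &t) {
    TruthTable anf = mobius(t);
    int d = -1;
    for (std::size_t m = 0; m < anf.size(); ++m)
        if (anf[m]) d = std::max(d, __builtin_popcount(static_cast<unsigned>(m)));
    return d;
}

// r-th order nonlinearity by the brute force the text describes for nlr: the
// minimum Hamming distance from f to every function of degree <= r, enumerated
// through its ANF coefficients. Returns -1 when the search space does not fit
// in a long, mirroring the library's convention.
static long nlr(const TruthTable &t, int r) {
    std::vector<unsigned> low;                     // monomials of degree <= r
    for (unsigned m = 0; m < t.size(); ++m)
        if (__builtin_popcount(m) <= r) low.push_back(m);
    if (low.size() >= sizeof(long) * CHAR_BIT - 1) return -1;
    long best = static_cast<long>(t.size());
    for (unsigned long c = 0; c < (1UL << low.size()); ++c) {
        TruthTable coeffs(t.size(), 0);
        for (std::size_t k = 0; k < low.size(); ++k)
            if ((c >> k) & 1UL) coeffs[low[k]] = 1;
        TruthTable g = mobius(coeffs);             // candidate of degree <= r
        long dist = 0;
        for (std::size_t x = 0; x < t.size(); ++x) dist += t[x] ^ g[x];
        best = std::min(best, dist);
    }
    return best;
}

// Component function v.F of an S-box given as its list of output values.
static TruthTable component(const std::vector<unsigned> &sbox, unsigned v) {
    TruthTable t(sbox.size());
    for (std::size_t x = 0; x < sbox.size(); ++x) t[x] = __builtin_parity(v & sbox[x]);
    return t;
}

// Equations (4.2) and (4.9): for an S-box with m output bits both criteria are
// the minimum over its 2^m - 1 nonzero component functions.
static int degreeVBF(const std::vector<unsigned> &sbox, int m) {
    int d = INT_MAX;
    for (unsigned v = 1; v < (1u << m); ++v) d = std::min(d, degree(component(sbox, v)));
    return d;
}

static long nlrVBF(const std::vector<unsigned> &sbox, int m, int r) {
    long best = LONG_MAX;
    for (unsigned v = 1; v < (1u << m) && best >= 0; ++v) {
        long x = nlr(component(sbox, v), r);
        best = x < 0 ? -1 : std::min(best, x);     // -1 propagates
    }
    return best;
}

// Constructed 4x2 S-box (not one from the page) whose coordinate functions are
// the quadratics x1x2 + x3x4 and x1x3 + x2x4.
static std::vector<unsigned> sampleSbox() {
    TruthTable f1 = fromANF(4, {0x3, 0xC}), f2 = fromANF(4, {0x5, 0xA});
    std::vector<unsigned> sbox(16);
    for (unsigned x = 0; x < 16; ++x) sbox[x] = f1[x] | (f2[x] << 1);
    return sbox;
}

int main() {
    // The 7-variable function of Example 4.2.2: x1x2x3x4x5 + x1x3x7 + x1x2 + x3x4 + x5x6.
    TruthTable f7 = fromANF(7, {0x1F, 0x45, 0x03, 0x0C, 0x30});
    std::cout << "deg " << degree(f7) << ", weight " << weight(f7) << ", NL_1 " << nlr(f7, 1) << '\n';
    std::cout << "S-box: deg " << degreeVBF(sampleSbox(), 2) << ", NL_1 " << nlrVBF(sampleSbox(), 2, 1)
              << ", NL_2 " << nlrVBF(sampleSbox(), 2, 2) << '\n';
    return 0;
}
```

The S-box case shows why (4.2) and (4.9) minimise over every nonzero component and not just over the coordinates: both coordinates are bent quadratics, but their sum $x_1x_2 + x_3x_4 + x_1x_3 + x_2x_4 = (x_1 + x_4)(x_2 + x_3)$ has nonlinearity 4, so the S-box's first-order nonlinearity is 4 while its second-order nonlinearity is 0. The loop in nlr runs over $2^{\#\text{monomials}}$ candidates, which is why the text says the library's second-order computation is only practical for small n.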

4.5 Balancedness

4.5.1 Description

The output of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ used in a cipher must be uniformly distributed over $V_m$ in order to avoid statistical dependence between the plaintext and the ciphertext (which can be used in attacks).

Definition 4.5.1. $F \in \mathcal{F}_{n,m}$ is balanced (or has balanced output) if each possible output m-tuple occurs with equal probability $2^{-m}$. This criterion can be evaluated from the Walsh Spectrum in the following way:

$\hat{\theta}_F(0,v) = 0,\ \forall v \neq 0 \in V_m$ (4.10)

Theorem 4.5.1. [122] $f \in \mathcal{F}_n$ is balanced if and only if the Walsh coefficient at 0 is zero:

f is balanced $\iff \hat{\chi}_f(0) = 0$ (4.11)

Proof.

f is balanced $\iff \#\{x \in V_n \mid f(x) = 0\} = \#\{x \in V_n \mid f(x) = 1\} \iff \#\{x \in V_n \mid \chi_f(x) = 1\} = \#\{x \in V_n \mid \chi_f(x) = -1\} = 2^{n-1}$

so that:

$\hat{\chi}_f(0) = \sum_{x \in V_n} \chi_f(x) = 1 \cdot 2^{n-1} + (-1) \cdot 2^{n-1} = 0$

Theorem 4.5.2. [122] $F \in \mathcal{F}_{n,m}$ is balanced if and only if the first row of its Walsh Spectrum has all its elements equal to zero except for the first entry:

F is balanced $\iff \hat{\theta}_F(0,v) = 0,\ \forall v \neq 0 \in V_m$ (4.12)

Proof.

F is balanced $\iff \sum_{i=1}^{m} v_i f_i$ is balanced, $\forall v \neq 0 \in V_m$
$\iff \hat{\chi}_{\sum_{i=1}^{m} v_i f_i}(0) = 0,\ \forall v \neq 0 \in V_m$
$\iff \hat{\chi}_{v \cdot F}(0) = 0,\ \forall v \neq 0 \in V_m$
$\iff \hat{\theta}_F(0,v) = 0,\ \forall v \neq 0 \in V_m$

Definition 4.5.2. The imbalance of a Boolean function is defined to be

$I(f) = |wt(f) - 2^{n-1}| = 2^{n-1}|C(f,0)|$ (4.13)

where 0 indicates the constant zero Boolean function.

Imbalance is defined as the minimum Hamming distance to a balanced function and is therefore directly proportional to the magnitude of the correlation with the constant zero Boolean function. Thus, when the imbalance is zero, the function is balanced. Balancedness is a fundamental cryptographic criterion, as an imbalanced function has suboptimal unconditional entropy, i.e. it is correlated to a constant function. The significance of the balancedness criterion is that the higher the magnitude of a function's imbalance (deviation from a uniform distribution of outputs), the more likely it is that a high probability linear approximation can be obtained. This, in turn, represents a weakness in the function in terms of linear cryptanalysis (see section 3.7). In particular, a large imbalance may enable the function to be easily approximated by a constant function [140]. The total number of balanced S-boxes with n input bits and m output bits is given by:

$B(n,m) = \frac{2^n!}{(2^{n-m}!)^{2^m}},\quad n \ge m$ (4.14)

4.5.2 Library

This criterion can only take the values 0 (meaning F is not balanced) or 1 (meaning F is balanced). The method used to obtain this criterion is the following:

void Bal(int& bal, VBF& F)

and there is also an inline function:

inline int Bal(VBF& a)

Example 4.5.1. The following program finds out if a Vector Boolean function is balanced given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    if (Bal(F)) {
        cout << "It is a balanced function" << endl;
    } else {
        cout << "It is not a balanced function" << endl;
    }

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

It is a balanced function

The NibbleSub S-box described in Table 2.1 is balanced, as each possible 4-tuple occurs with equal probability $\frac{1}{2^4}$. Figure 4.6 represents the Walsh Spectrum of NibbleSub and emphasizes in red the first row.

Fig. 4.6 Balancedness of NibbleSub.

As all the values of the emphasized first row of the Walsh Spectrum are 0 except for the entry at $0 \in V_4$, we can conclude that NibbleSub is balanced.

4.6 Correlation Immunity

4.6.1 Description

In stream cipher applications, it is vital that the Boolean function used as the combining function has certain properties. In addition to being balanced and possessing high nonlinearity and high algebraic degree, the function should have correlation immunity greater than zero to resist a divide and conquer attack [145]. This criterion describes the extent to which the input values of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be guessed given the output value. Equivalently, we can say that F is t-CI if its output distribution does not change when we fix t variables $x_i$ of its input.

Example 4.6.1. An example of Boolean function with low correlation immunity is the function f (x1,...,xn) = x1 ···xn. If the output is 1, then we know for sure that the input bit values are all 1.

Interest in this criterion came from the discovery by Siegenthaler [145] in 1984 of an attack on pseudo-random generators using combining functions (used in stream ciphers), called a correlation attack. This attack is based on the idea of finding correlations between the outputs and the inputs, that is, finding S-boxes with low resiliency.

Definition 4.6.1. A function $f \in \mathcal{F}_n$ is t-CI if and only if, for every set S of t variables, $1 \le t \le n$, given the value of f, the probability that S takes on any of its $2^t$ assignments of values to the t variables is $\frac{1}{2^t}$. If f is t-CI and balanced, then it is t-resilient.

Definition 4.6.2. [158] $f \in \mathcal{F}_n$ is said to be t-CI if for each linear function $l_u = u_1x_1 + \cdots + u_nx_n$ with $1 \le wt(u) \le t$, $f + l_u$ is balanced.

Definition 4.6.3. [32] $F \in \mathcal{F}_{n,m}$ is a t-CI function (or (n,m,t)-CI function) if and only if every component function of F is a t-CI function. F is said to be t-resilient (or an (n,m,t)-resilient function) if it is balanced and t-CI.

Theorem 4.6.1. [158] Let $f \in \mathcal{F}_n$ and $t \in \{1, \ldots, n-1\}$; f is called correlation immune (CI) of order t if its Walsh coefficients at the nonzero vector indexes whose weight is at most t are zero:

f is a t-CI function $\iff \hat{\chi}_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t$ (4.15)

f can also be denoted as (n,1,t)-CI function.

Proof.

f is a t-CI function $\iff f + l_u$ is balanced, $\forall u \in V_n,\ 1 \le wt(u) \le t$
$\iff \hat{\chi}_{f + l_u}(0) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t$
$\iff \frac{1}{2}\left(2^n \delta(0) + \hat{\chi}_f(0) + \hat{\chi}_{l_u}(0) - \frac{1}{2^n}(\hat{\chi}_f * \hat{\chi}_{l_u})(0)\right) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t$
$\iff \hat{\chi}_f(u) + \hat{\chi}_{l_u}(0) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t$
$\iff \hat{\chi}_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t$

as all the nonzero linear functions are balanced.

Theorem 4.6.2. Let $F \in \mathcal{F}_{n,m}$ and $t \in \{1, \ldots, n-1\}$; F is a correlation immune Vector Boolean function of order t if its Walsh coefficients at the nonzero vector indexes whose weight is at most t are zero:

F is a t-CI function $\iff \hat{\theta}_F(u,v) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t,\ \forall v \neq 0 \in V_m$ (4.16)

F can also be denoted as an (n,m,t)-CI function (Definition 4.6.3).

Proof.

F is a t-CI function $\iff \sum_{i=1}^{m} v_i f_i$ is a t-CI function, $\forall v \neq 0 \in V_m$
$\iff \hat{\chi}_{\sum_{i=1}^{m} v_i f_i}(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t,\ \forall v \neq 0 \in V_m$
$\iff \hat{\chi}_{v \cdot F}(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t,\ \forall v \neq 0 \in V_m$
$\iff \hat{\theta}_F(u,v) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le t,\ \forall v \neq 0 \in V_m$

As $\hat{\theta}_F(u,0) = 0$ for all $u \neq 0 \in V_n$, the restriction $v \neq 0$ can be relaxed.

From the definition of resiliency we can derive that a balanced Vector Boolean function can be interpreted as a 0-resilient function. The following theorem from [134] provides a divisibility result of significance in the analysis of resilient Boolean functions.

Theorem 4.6.3. Let f be a t-resilient Boolean function of n variables, then $\hat{\chi}_f(u) \equiv 0 \pmod{2^{t+2}}$.

4.6.2 Library

The method used to obtain this criterion is the following: void CI(int& t, VBF& F)

Example 4.6.2. The following program provides the order of correlation immunity of a Vector Boolean function given its polynomial in ANF.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;
    int t;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> p;
    F.putpol(p);
    input.close();

    t = CI(F);
    cout << "It is a (" << F.n() << "," << F.m() << "," << t << ")-CI function" << endl;

    return 0;
}

If we use the polynomial in ANF of the function $f = (1 + x_1)(1 + x_2)(1 + x_3)(1 + x_4) + x_1x_2x_3x_4$ as input, the output would be the following:

It is a (4,1,1)-CI function

Figure 4.7 represents the Walsh Spectrum of f and emphasizes in red the rows whose indexes are of weight 1. For all these rows the Walsh values are 0, so f is 1-CI. There are rows whose indexes are of weight 2 with nonzero Walsh values, so f cannot be 2-CI.
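Sections 4.3, 4.5 and 4.6 all read their criterion off the Walsh spectrum, so one added example can serve the three. This is my own C++ (not VBF library code; the function names are mine), using truth tables indexed by the integer value of the input with $x_1$ as the least significant bit: a fast Walsh-Hadamard transform, nonlinearity (Definition 4.3.1), spectral radius (Definition 4.3.3), balancedness (Theorems 4.5.1 and 4.5.2), the order of correlation immunity and resiliency (Theorem 4.6.1 and Definition 4.6.1), and the nlmax bound from (4.7) and (4.8). The sample inputs are constructed: $x_1x_2 + x_3x_4$, the function f of Example 4.6.2, the parity function $x_1 + x_2 + x_3 + x_4$, and a 4x2 S-box whose coordinates are $x_1x_2 + x_3x_4$ and $x_1x_3 + x_2x_4$.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <vector>

// Truth table indexed by the integer value of x = (x_1, ..., x_n), x_1 being
// the least significant bit.
using TruthTable = std::vector<int>;

// Walsh transform W(u) = sum_x (-1)^{f(x) + u.x} via the fast Walsh-Hadamard
// butterfly, O(n 2^n) instead of O(4^n) for the direct sum.
static std::vector<long> walsh(const TruthTable &t) {
    std::vector<long> w(t.size());
    for (std::size_t x = 0; x < t.size(); ++x) w[x] = t[x] ? -1 : 1;
    for (std::size_t len = 1; len < w.size(); len <<= 1)
        for (std::size_t i = 0; i < w.size(); i += 2 * len)
            for (std::size_t j = i; j < i + len; ++j) {
                long a = w[j], b = w[j + len];
                w[j] = a + b; w[j + len] = a - b;
            }
    return w;
}

// Definition 4.3.1: distance to all affine functions, constants included, so
// the maximum runs over every u. For balanced f the u = 0 coefficient is 0 and
// this agrees with Theorem 4.3.1, which skips the first row.
static long nonlinearity(const TruthTable &t) {
    long best = 0;
    for (long v : walsh(t)) best = std::max(best, std::labs(v));
    return static_cast<long>(t.size() / 2) - best / 2;
}

// Definition 4.3.3: maximum |W(u)| over u != 0.
static long spectralRadius(const TruthTable &t) {
    std::vector<long> w = walsh(t);
    long best = 0;
    for (std::size_t u = 1; u < w.size(); ++u) best = std::max(best, std::labs(w[u]));
    return best;
}

// Theorem 4.5.1: balanced iff W(0) = 0.
static bool balanced(const TruthTable &t) { return walsh(t)[0] == 0; }

// Theorem 4.6.1: the CI order is the largest t such that W(u) = 0 for every u
// of weight 1..t; by Definition 4.6.1 a balanced t-CI function is t-resilient.
static int ciOrder(const TruthTable &t) {
    std::vector<long> w = walsh(t);
    const int n = __builtin_ctzl(w.size());
    for (int wt = 1; wt <= n; ++wt)
        for (std::size_t u = 1; u < w.size(); ++u)
            if (__builtin_popcountl(u) == wt && w[u] != 0) return wt - 1;
    return n;
}

static int resiliencyOrder(const TruthTable &t) { return balanced(t) ? ciOrder(t) : -1; }

// Component function v.F of an S-box given as its list of output values.
static TruthTable component(const std::vector<unsigned> &sbox, unsigned v) {
    TruthTable t(sbox.size());
    for (std::size_t x = 0; x < sbox.size(); ++x) t[x] = __builtin_parity(v & sbox[x]);
    return t;
}

// Equation (4.4) and Theorem 4.5.2, taken over the nonzero component functions
// of an S-box with m output bits.
static long nonlinearityVBF(const std::vector<unsigned> &sbox, int m) {
    long best = static_cast<long>(sbox.size());
    for (unsigned v = 1; v < (1u << m); ++v) best = std::min(best, nonlinearity(component(sbox, v)));
    return best;
}

static bool balancedVBF(const std::vector<unsigned> &sbox, int m) {
    for (unsigned v = 1; v < (1u << m); ++v)
        if (!balanced(component(sbox, v))) return false;
    return true;
}

// Largest NL possible for an n x m function, following the page's case split:
// the covering radius bound (4.7) when n is even and n >= 2m, otherwise the
// Sidelnikov-Chabaud-Vaudenay bound (4.8), rounded down (my choice; it
// reproduces the 5 that nlmax prints for NibbleSub, n = m = 4).
static long nlmax(int n, int m) {
    double N = std::ldexp(1.0, n), M = std::ldexp(1.0, m);
    if (n % 2 == 0 && n >= 2 * m) return static_cast<long>(N / 2 - std::ldexp(1.0, n / 2 - 1));
    double inner = 3 * N - 2 - 2 * (N - 1) * (N / 2 - 1) / (M - 1);
    return static_cast<long>(std::floor(N / 2 - std::sqrt(inner) / 2));
}

// Sample inputs (constructed, not taken from the page's figures):
const TruthTable BENT   = {0,0,0,1, 0,0,0,1, 0,0,0,1, 1,1,1,0};   // x1x2 + x3x4
const TruthTable CI4    = {1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1};   // Example 4.6.2's f
const TruthTable PARITY = {0,1,1,0, 1,0,0,1, 1,0,0,1, 0,1,1,0};   // x1 + x2 + x3 + x4
// 4x2 S-box with coordinates x1x2 + x3x4 (bit 0) and x1x3 + x2x4 (bit 1).
const std::vector<unsigned> SBOX = {0,0,0,1, 0,2,0,3, 0,0,2,3, 1,3,3,0};

int main() {
    std::cout << "x1x2+x3x4: NL " << nonlinearity(BENT) << " of at most " << nlmax(4, 1)
              << ", radius " << spectralRadius(BENT) << ", balanced " << balanced(BENT) << '\n';
    std::cout << "Example 4.6.2 f: CI order " << ciOrder(CI4) << "; parity: resiliency "
              << resiliencyOrder(PARITY) << "; S-box: NL " << nonlinearityVBF(SBOX, 2)
              << " of at most " << nlmax(4, 2) << ", balanced " << balancedVBF(SBOX, 2) << '\n';
    return 0;
}
```

The bent function comes out with nonlinearity 6 (equal to nlmax for 4 inputs and 1 output) and spectral radius 4 but is not balanced; the function of Example 4.6.2 has CI order 1, exactly as Figure 4.7 shows; the parity function is balanced with a single nonzero Walsh coefficient, at u = (1,1,1,1), so it is 3-resilient but has nonlinearity 0. The S-box has nonlinearity 4 although both coordinates are bent, because the component $v = (1,1)$ is $(x_1 + x_4)(x_2 + x_3)$. Note the caveat in nonlinearity(): it follows Definition 4.3.1 and includes u = 0, so for an unbalanced function (a constant, say) it differs from a literal reading of Theorem 4.3.1's $\max^{*}$.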

4.7 Algebraic Immunity

4.7.1 Description

A new kind of attack, called algebraic attack, has been introduced in [40], [42], [60]. Algebraic attacks recover the secret key, or at least the initialization of the system, by solving a system of multivariate algebraic equations. A new criterion was introduced in order to identify a cryptographic algorithm's immunity to this kind of attack.

Definition 4.7.1. [40], [41], [60], [97] Denote the Boolean function obtained by the product of the Truth Tables of two Boolean functions $f, g \in \mathcal{F}_n$ by $f \cdot g$ (note that this product is different from the dot product between two vectors x, y). The algebraic immunity (AI) of f is defined as the lowest degree of the function g for which $f \cdot g = 0$ or $(1 + f) \cdot g = 0$. The function g for which $f \cdot g = 0$ is called an annihilator of f. Denote the set of all annihilators of f by An(f). This set is an ideal in the ring of Boolean functions generated by $1 + f$.

Fig. 4.7 Correlation immunity of (1 + x1)(1 + x2)(1 + x3)(1 + x4) + x1x2x3x4.

A function f should not be used if f or 1+ f has a low degree annihilator. If this happens, algebraic attacks [43] can be executed.

Definition 4.7.2. The component algebraic immunity of any $F \in \mathcal{F}_{n,m}$, denoted by AI(F), is the minimal algebraic immunity of the component functions $v \cdot F$ of the Vector Boolean function, with $v \neq 0 \in V_m$.

The algebraic attack exploits the existence of multivariate equations involving the input to the S-box and its output, that is, finding S-boxes with low algebraic immunity.

4.7.2 Library

The method used to obtain this criterion is the following:

void AI(int& ai, VBF& F)

The method used to obtain the maximum algebraic immunity that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

int aimax(VBF& F)

Example 4.7.1. The following program provides the algebraic immunity of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The algebraic immunity of the function is " << AI(F) << endl;
    cout << "The maximum algebraic immunity that can be achieved by a Vector Boolean function with the same dimensions is " << aimax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The algebraic immunity of the function is 2
The maximum algebraic immunity that can be achieved by a Vector Boolean function with the same dimensions is 2
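As an added illustration of Definitions 4.7.1 and 4.7.2 (my own C++, not VBF library code; the function names are mine), the following computes algebraic immunity by linear algebra over GF(2): a nonzero annihilator of degree at most d exists exactly when the linear system "g vanishes on supp(f)", with the ANF coefficients of g as unknowns, has a nontrivial solution. Truth tables are indexed with $x_1$ as the least significant bit, and the sample inputs are constructed: $x_1x_2 + x_3x_4$, $x_1x_2x_3x_4$, the function f of Example 4.6.2, and a 4x2 S-box whose coordinates are $x_1x_2 + x_3x_4$ and $x_1x_3 + x_2x_4$. The $\lceil n/2 \rceil$ bound used for aimaxBound is the standard one and is not proved on the page.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <utility>
#include <vector>

// Truth table indexed by the integer value of x = (x_1, ..., x_n), x_1 being
// the least significant bit.
using TruthTable = std::vector<int>;

// Rank over GF(2) of a matrix whose rows are packed into 64-bit masks.
static int rankGF2(std::vector<std::uint64_t> rows) {
    int rank = 0;
    for (int col = 63; col >= 0 && rank < static_cast<int>(rows.size()); --col) {
        int pivot = -1;
        for (int i = rank; i < static_cast<int>(rows.size()); ++i)
            if ((rows[i] >> col) & 1) { pivot = i; break; }
        if (pivot < 0) continue;
        std::swap(rows[rank], rows[pivot]);
        for (int i = 0; i < static_cast<int>(rows.size()); ++i)
            if (i != rank && ((rows[i] >> col) & 1)) rows[i] ^= rows[rank];
        ++rank;
    }
    return rank;
}

// Does f have a nonzero annihilator g of degree <= d? f.g = 0 means g vanishes
// on supp(f); writing g = sum c_m x^m over the monomials of degree <= d, every
// x with f(x) = 1 gives one GF(2) equation in the unknowns c_m, and a nonzero g
// exists iff the rank of that system is below the number of unknowns. Rows are
// 64-bit masks, so at most 64 monomials (any d for n <= 6; d <= 3 for n = 7).
static bool hasAnnihilator(const TruthTable &t, int d) {
    std::vector<unsigned> monomials;
    for (unsigned m = 0; m < t.size(); ++m)
        if (__builtin_popcount(m) <= d) monomials.push_back(m);
    if (monomials.size() > 64) { std::cerr << "too many monomials\n"; std::abort(); }
    std::vector<std::uint64_t> rows;
    for (std::size_t x = 0; x < t.size(); ++x) {
        if (!t[x]) continue;
        std::uint64_t row = 0;
        for (std::size_t k = 0; k < monomials.size(); ++k)
            if ((monomials[k] & ~x) == 0) row |= std::uint64_t(1) << k;   // x^m = 1 at this x
        rows.push_back(row);
    }
    return rankGF2(rows) < static_cast<int>(monomials.size());
}

// Definition 4.7.1: AI(f) is the least d for which f or 1 + f has a nonzero
// annihilator of degree <= d (a constant function gets 0).
static int algebraicImmunity(const TruthTable &t) {
    TruthTable complement(t.size());
    for (std::size_t x = 0; x < t.size(); ++x) complement[x] = t[x] ^ 1;
    const int n = __builtin_ctzl(t.size());
    for (int d = 0; d < n; ++d)
        if (hasAnnihilator(t, d) || hasAnnihilator(complement, d)) return d;
    return n;   // 1 + f itself annihilates any non-constant f
}

// Component function v.F of an S-box given as its list of output values.
static TruthTable component(const std::vector<unsigned> &sbox, unsigned v) {
    TruthTable t(sbox.size());
    for (std::size_t x = 0; x < sbox.size(); ++x) t[x] = __builtin_parity(v & sbox[x]);
    return t;
}

// Definition 4.7.2: minimum AI over the nonzero component functions.
static int algebraicImmunityVBF(const std::vector<unsigned> &sbox, int m) {
    int best = __builtin_ctzl(sbox.size());                 // AI never exceeds n
    for (unsigned v = 1; v < (1u << m); ++v) best = std::min(best, algebraicImmunity(component(sbox, v)));
    return best;
}

// ceil(n/2), the standard upper bound on the AI of any n-variable Boolean
// function (not proved on the page); it is 2 for n = 4, the aimax value printed
// in Example 4.7.1.
static int aimaxBound(int n) { return (n + 1) / 2; }

// Sample inputs (constructed, not taken from the page):
const TruthTable BENT = {0,0,0,1, 0,0,0,1, 0,0,0,1, 1,1,1,0};   // x1x2 + x3x4
const TruthTable AND4 = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1};   // x1x2x3x4
const TruthTable CI4  = {1,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1};   // Example 4.6.2's f
// 4x2 S-box with coordinates x1x2 + x3x4 (bit 0) and x1x3 + x2x4 (bit 1).
const std::vector<unsigned> SBOX = {0,0,0,1, 0,2,0,3, 0,0,2,3, 1,3,3,0};

int main() {
    std::cout << "AI(x1x2+x3x4) = " << algebraicImmunity(BENT) << " (bound " << aimaxBound(4) << ")\n"
              << "AI(x1x2x3x4) = " << algebraicImmunity(AND4) << ", AI(Example 4.6.2 f) = "
              << algebraicImmunity(CI4) << ", AI(S-box) = " << algebraicImmunityVBF(SBOX, 2) << '\n';
    return 0;
}
```

Two things worth noticing in the output. $x_1x_2x_3x_4$ has degree 4 but algebraic immunity 1, since $1 + x_1$ annihilates it: high degree alone does not protect against the low-degree annihilators the text warns about. And although both coordinates of the S-box reach the bound of 2, the component $x_1x_2 + x_3x_4 + x_1x_3 + x_2x_4 = (x_1 + x_4)(x_2 + x_3)$ is annihilated by $1 + x_1 + x_4$, so by Definition 4.7.2 the S-box's algebraic immunity is only 1.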

4.8 Global Avalanche Criterion

4.8.1 Description

The Global avalanche criterion (GAC) was introduced in [160] to measure the overall avalanche characteristics of a Boolean function.

Definition 4.8.1. [160] Let $F \in \mathcal{F}_{n,m}$; its Global avalanche criterion is defined by two indicators:

1. The absolute indicator of F, denoted by $AC_{max}(F)$, is the maximum absolute value of the Autocorrelation Spectrum over the nonzero indexes:

$AC_{max}(F) = \max |AC(F)(u,v)|,\quad \forall u \neq 0 \in V_n,\ \forall v \neq 0 \in V_m$ (4.17)

2. The sum-of-squares indicator, denoted by σ, is the second moment of the autocorrelation coefficients:

$\sigma(F) = \sum_{(u,v) \in V_n \times V_m} AC(F)(u,v)^2 = \frac{1}{2^n}\sum_{(u,v) \in V_n \times V_m} WS(F)(u,v)^4$ (4.18)

In order to achieve good diffusion, cryptographic functions should achieve low values of both indicators.

4.8.2 Library

The methods used to obtain these criteria are the following:

void maxAC(NTL::ZZ& x, VBF& F)
void sigma(NTL::ZZ& x, VBF& F)

Example 4.8.1. The following program provides the absolute indicator and the sum-of- squares indicator of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "The absolute indicator of the function is " << maxAC(F) << endl;
    cout << "The sum-of-squares indicator of the function is " << sigma(F) << endl;
    cout << "The maximum absolute indicator that can be achieved by a Vector Boolean function with the same dimensions is " << maxACmax(F) << endl;
    cout << "The maximum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is " << sigmamax(F) << endl;
    cout << "The minimum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is " << sigmamin(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

The absolute indicator of the function is 16
The sum-of-squares indicator of the function is 1408
The maximum absolute indicator that can be achieved by a Vector Boolean function with the same dimensions is 16
The maximum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is 4096
The minimum sum-of-squares indicator that can be achieved by a Vector Boolean function with the same dimensions is 256

Figure 4.8 represents the Autocorrelation Spectrum of NibbleSub and highlights in red the entries at which the maximum absolute value is attained.

Fig. 4.8 Absolute indicator of NibbleSub.

Figure 4.9 represents the Autocorrelation Spectrum of NibbleSub and highlights in blue the columns (component functions) at which the maximum sum-of-squares is attained.

4.9 Linearity Distance

4.9.1 Description

In the introduction of this chapter we explained that functions with non-zero linear structures are considered weak from a cryptanalytic viewpoint. It is our interest to identify strong Vector Boolean functions which are far from these weak functions. The cryptanalyst may be able to take advantage of the linear structures in f if some of the mi, i = 1,...,k in equation (4.1) are zero, thus eliminating the influence of some variables (possibly key bits) on the ciphertext.

Fig. 4.9 Sum-of-squares indicator of NibbleSub.

The cryptanalytic value of linear structures lies in their potential to map a nonlinear function to a degenerate function via a linear transformation, which may reduce the size of the keyspace. S-boxes used in block ciphers should have no nonzero linear structures (see [59]). The existence of nonzero linear structures in the functions implemented in stream ciphers is a potential risk that should also be avoided, even though, so far, no attack has exploited it.

Definition 4.9.1. The linearity distance of a Boolean function f ∈ Fn is a characteristic defined by the distance to the set of all Boolean functions admitting nonzero linear structures. These include, among others, all the affine functions and all non-bent quadratic functions, and are defined as follows [98]:

$$ LD(f) = d(f, LS_n) = \min_{S \in LS_n} d(f, S) \qquad (4.19) $$

where:

$$ LS_n = \{ f \in F_n \mid f \text{ has a linear structure } \neq 0 \} \qquad (4.20) $$

Theorem 4.9.1. [24] Linearity distance of a Vector Boolean function, defined as the minimum among the linearity distances of all component functions of F, may be computed from the Autocorrelation Spectrum using:

$$ LD(F) = \min_{v \neq 0 \in V_m} LD(v \cdot F) = 2^{n-2} - \frac{1}{4} \, AC_{\max}(F) \qquad (4.21) $$

Differential cryptanalysis is based on the idea of finding highly probable differential pairs between the inputs and outputs of the S-boxes present in the cipher, that is, of finding S-boxes with low linearity distance. Differential cryptanalysis [13] can be seen as an extension of the ideas of attacks based on the presence of linear structures [112]. If u is a linear structure of f, then inputs of difference u result in a constant output difference (1 or −1 in ±1 notation) with probability 1. In differential cryptanalysis, it is only required that inputs of difference ∆x lead to a known difference ∆y with high probability, or with a probability that noticeably exceeds the mean. Perfect nonlinear functions are resistant to differential cryptanalysis.

Let F ∈ Fn,m. If LD(F) = 0, then some component function v · F has a nontrivial linear structure. As An ⊆ LSn, it follows that NL(F) ≥ LD(F).

4.9.2 Library

The method used to obtain the linearity distance of a Vector Boolean function is the following:

void ld(NTL::RR& x, VBF& F)

The method used to obtain the maximum linearity distance that can be achieved by a Vector Boolean function with the same number of input bits and output bits is the following:

NTL::RR ldmax(VBF& F)

Example 4.9.1. The following program provides the linearity distance of a Vector Boolean function given its Truth Table together with the maximum linearity distance that can be achieved by a Vector Boolean function with the same number of input bits and output bits.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    NTL::mat_GF2 T;

    // Read the Truth Table from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> T;
    F.puttt(T);
    input.close();

    cout << "Linearity distance of the function is " << ld(F) << endl;
    cout << "The maximum linearity distance: " << ldmax(F) << endl;

    return 0;
}

If we use the NibbleSub S-box Truth Table as input, the output would be the following:

Linearity distance of the function is 0

This result is consistent with the example of subsection 3.9.2. We showed there that this S-box has linear structures, and as a consequence its distance to the set of all Boolean functions admitting nonzero linear structures is 0.

4.10 Propagation Criterion

4.10.1 Description

This criterion is based on the properties of the derivatives of Boolean functions and describes the behavior of a function whenever some input bits are complemented. This concept was introduced by Preneel et al. in [124] and it is a generalization of the Strict Avalanche Criterion (SAC) defined by Webster and Tavares in [157].

Definition 4.10.1. f ∈ Fn is said to satisfy the propagation characteristics with respect to u ∈ Vn if and only if f (x) + f (x + u) is balanced.

Definition 4.10.2. A function f ∈ Fn satisfies the propagation criterion of degree l (PC(l)) if and only if complementing any l or fewer of the input bits complements exactly half of the function values.

Definition 4.10.3. Let f ∈ Fn and l ∈ {1,...,n}, f satisfies the propagation criterion of degree l if and only if:

f satisfies the PC(l) ⇔ f (x) + f (x + u) balanced ∀u ∈ Vn, 1 ≤ wt(u) ≤ l (4.22)

Theorem 4.10.1. Let f ∈ Fn and l ∈ {1,...,n}. f satisfies the propagation criterion of degree l if and only if its Autocorrelation Matrix elements vanish at every nonzero index u of weight at most l:

f satisfies PC(l) ⇐⇒ r f (u) = 0, ∀u ∈ Vn, 1 ≤ wt(u) ≤ l (4.23)

Proof.

$$ f \text{ satisfies } PC(l) \Leftrightarrow f(x) + f(x+u) \text{ balanced } \forall u \in V_n,\ 1 \le wt(u) \le l $$
$$ \Leftrightarrow \hat{\chi}_{f(x)+f(x+u)}(0) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l $$
$$ \Leftrightarrow \sum_{x \in V_n} (-1)^{f(x)+f(x+u)} = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l $$
$$ \Leftrightarrow r_f(u) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l $$

Definition 4.10.4. F ∈ Fn,m satisfies the propagation criterion of degree l (PC(l)) if every component function of F satisfies the PC(l). This criterion can be obtained from the Autocorrelation Spectrum in the following way:

$$ r_F(u,v) = 0,\ \forall u \in V_n,\ 1 \le wt(u) \le l,\ \forall v \neq 0 \in V_m \qquad (4.24) $$

4.10.2 Library

The method used to obtain this criterion is the following:

void PC(int& k, VBF& F)

Example 4.10.1. The following program provides the degree of propagation criterion of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F;
    vec_pol p;

    // Read the polynomial representation in ANF from the file named on the command line
    ifstream input(argv[1]);
    if(!input) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input >> p;
    F.putpol(p);
    input.close();

    cout << "The function is PC of degree " << PC(F) << endl;

    return 0;
}

If we use the polynomial in ANF of the function f = x1x2 + x3x4 as input, the output would be the following:

The function is PC of degree 4

Figure 4.10 represents the Autocorrelation Spectrum of f and highlights in red the rows whose indexes are of weight 1, 2, 3 and 4. For all these rows the Autocorrelation values are 0; as a consequence, f satisfies PC(4).
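The three criteria of sections 4.8, 4.9 and 4.10 all derive from the same Autocorrelation Spectrum, and the following added example (not code from the thesis or from the VBF library; it depends on neither VBF.h nor NTL) computes them directly from a Truth Table: the absolute indicator (4.17), the sum-of-squares indicator, the linearity distance via (4.21) and the degree of the propagation criterion via (4.24). Two sample inputs are built inline: the bent function f = x1x2 + x3x4 of Example 4.10.1 and, as a constructed contrast case, the affine function g = x1, whose every nonzero u is a linear structure. One assumption is made explicit in the code: σ(F) is reported as the largest of the per-component sums Σ_u AC(F)(u,v)^2 over v ≠ 0, which is the column quantity figure 4.9 highlights; for a single Boolean function (m = 1) this is exactly Σ_u r_f(u)^2.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdlib>
#include <iostream>
#include <vector>

// A Vector Boolean function F in F_{n,m} stored as its Truth Table:
// tt[x] is the m-bit output F(x) for the input x = 0 .. 2^n - 1.
struct VBFTable {
    int n;                     // number of input bits
    int m;                     // number of output bits
    std::vector<unsigned> tt;  // 2^n entries
};

static int weight(unsigned x) { int w = 0; for (; x; x >>= 1) w += x & 1; return w; }
static int parity(unsigned x) { return weight(x) & 1; }

// Autocorrelation Spectrum entry AC(F)(u,v) = sum_x (-1)^{v.F(x) + v.F(x+u)}.
long autocorr(const VBFTable& F, unsigned u, unsigned v) {
    long s = 0;
    for (unsigned x = 0; x < (1u << F.n); ++x) {
        int d = parity(v & F.tt[x]) ^ parity(v & F.tt[x ^ u]);  // v.F(x) + v.F(x+u) mod 2
        s += d ? -1 : 1;
    }
    return s;
}

// Absolute indicator (4.17): largest |AC(F)(u,v)| over u != 0 and v != 0.
long absoluteIndicator(const VBFTable& F) {
    long mx = 0;
    for (unsigned v = 1; v < (1u << F.m); ++v)
        for (unsigned u = 1; u < (1u << F.n); ++u)
            mx = std::max(mx, std::labs(autocorr(F, u, v)));
    return mx;
}

// Sum-of-squares indicator of one component function v.F: sum over all u of AC(F)(u,v)^2.
long componentSigma(const VBFTable& F, unsigned v) {
    long s = 0;
    for (unsigned u = 0; u < (1u << F.n); ++u) { long a = autocorr(F, u, v); s += a * a; }
    return s;
}

// sigma(F): assumption of this example -- the largest component value (the column that
// figure 4.9 highlights); for m = 1 it is exactly sum_u r_f(u)^2.
long sumOfSquares(const VBFTable& F) {
    long mx = 0;
    for (unsigned v = 1; v < (1u << F.m); ++v) mx = std::max(mx, componentSigma(F, v));
    return mx;
}

// Linearity distance (4.21): LD(F) = 2^{n-2} - ACmax(F)/4.
double linearityDistance(const VBFTable& F) {
    return std::ldexp(1.0, F.n - 2) - absoluteIndicator(F) / 4.0;
}

// Degree of the propagation criterion (4.24): the largest l such that AC(F)(u,v) = 0 for every
// v != 0 and every u with 1 <= wt(u) <= l; a nonzero entry at weight w caps l at w - 1.
int propagationDegree(const VBFTable& F) {
    int l = F.n;
    for (unsigned v = 1; v < (1u << F.m); ++v)
        for (unsigned u = 1; u < (1u << F.n); ++u)
            if (autocorr(F, u, v) != 0) l = std::min(l, weight(u) - 1);
    return l;
}

// Input bit x_i of x, with x_1 the most significant of the n bits.
static unsigned bit(unsigned x, int n, int i) { return (x >> (n - i)) & 1; }

// The bent function f = x1x2 + x3x4 of Example 4.10.1, as a (4,1) function.
VBFTable bentExample() {
    VBFTable F{4, 1, std::vector<unsigned>(16)};
    for (unsigned x = 0; x < 16; ++x)
        F.tt[x] = (bit(x, 4, 1) & bit(x, 4, 2)) ^ (bit(x, 4, 3) & bit(x, 4, 4));
    return F;
}

// Constructed contrast case: the affine function g = x1; its derivative in every direction u
// is the constant u_1, so every nonzero u is a linear structure.
VBFTable affineExample() {
    VBFTable F{4, 1, std::vector<unsigned>(16)};
    for (unsigned x = 0; x < 16; ++x) F.tt[x] = bit(x, 4, 1);
    return F;
}

int main() {
    for (const VBFTable& F : {bentExample(), affineExample()})
        std::cout << "ACmax = " << absoluteIndicator(F) << ", sigma = " << sumOfSquares(F)
                  << ", LD = " << linearityDistance(F)
                  << ", PC degree = " << propagationDegree(F) << '\n';
    return 0;
}
```

For the bent function every off-diagonal autocorrelation value is 0, so the program reports ACmax = 0, σ = 2^{2n} = 256, LD = 2^{n−2} = 4 and PC degree 4, the extreme values of Table 4.2; for the affine function it reports ACmax = 2^n = 16, σ = 2^{3n} = 4096, LD = 0 and PC degree 0, the opposite extremes.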

4.11 Bounds, Properties and Trade-offs

In this section, we present some known bounds, properties and trade-offs among the cryptographic criteria.

Fig. 4.10 Propagation Criterion of x1x2 + x3x4.

4.11.1 Bounds

Let F ∈ Fn,m be an arbitrary Vector Boolean function, the lower and upper bounds of the cryptographic criteria described above are in Table 4.2.

4.11.2 Properties

Let f ∈ Fn be an arbitrary Boolean function, we describe which criteria are affine invariant in Table 4.3. In Table 4.4, the possible relations with the weight of functions are analyzed. In Table 4.5, the possible relations with the Walsh coefficients of functions are analyzed.

4.11.3 Trade-offs

In an ideal situation, a combination of a large number of desirable cryptographic criteria, all with adequate measures, would be exhibited by individual functions. In reality, such functions cannot exist given the trade-offs between certain cryptographic criteria and the strict rules which limit Boolean function characteristics. We now comment on specific trade-offs between pairs of criteria and discuss how these criteria affect each other.

Table 4.2 Cryptographic criteria bounds.

Criteria   Lower Bound                          Upper Bound
deg        0 (constant functions)               n
NL         0 (affine functions)                 2^{n-1} - 2^{n/2-1}   (n ≥ 2m and n even)
                                                2^{n-1} - 2^{(n-1)/2} (n < 2m and n odd)
CI         0                                    n
AI         0 [40]                               ⌈n/2⌉
ACmax      0 (bent functions)                   2^n (affine functions)
σ          2^{2n} (bent functions)              2^{3n} (affine functions)
LD         0 (if it has linear structures)      2^{n-2}
PC         0                                    n

Table 4.3 Are the criteria affine invariant?

Criterion   deg   NL    CI   AI    ACmax   σ     LD    PC
Invariant   Yes   Yes   No   Yes   Yes     Yes   Yes   No

Table 4.4 Weight related cryptographic criteria properties.

Criteria   Weight related cryptographic criteria properties
deg        [22] If deg(f) > 0, then wt(f) is a multiple of $2^{\lfloor (n-1)/\deg(f) \rfloor}$.
           Any Boolean function with deg(f) < n must possess even weight.
           Any Boolean function with deg(f) = n must possess odd weight.
           [96] If deg(f) ≥ 1, then $2^{n-\deg(f)} \le wt(f) \le 2^n - 2^{n-\deg(f)}$.
NL         If f is bent, then $wt(f) = 2^{n-1} \pm 2^{(n/2)-1}$.
AI         [26], [19], [15] If $2^n - \sum_{i=0}^{d} \binom{n}{i} < wt(f) < \sum_{i=0}^{d} \binom{n}{i}$, then AI(f) ≤ d.
           Consequently, if n is odd, the AI is upper bounded by ⌈n/2⌉ − 1 for non-balanced functions.

Table 4.5 Walsh related cryptographic criteria properties.

Criteria   Walsh related cryptographic criteria properties
deg        [72], [21] Let f ∈ Fn and let 1 ≤ k ≤ n. Assume that its Walsh transform takes values divisible by $2^k$. Then f has algebraic degree at most n − k + 1.
NL         $NL(f) = 2^{n-1} - \frac{1}{2} \max_{u \in V_n} |\hat{\chi}_f(u)|$
CI         [28] The Walsh coefficients of a t-CI function (resp. t-resilient function) of degree d are divisible by $2^{t+1+\lfloor (n-t-1)/d \rfloor}$ (resp. $2^{t+2+\lfloor (n-t-2)/d \rfloor}$).
σ          [20] $\sigma(f) \le 2^n \cdot (r(f))^2$

Balancedness and Nonlinearity

As bent functions are not balanced, they are not suitable for use in cryptosystems. For this reason, it is necessary to study the maximum nonlinearity of balanced functions. But this value is unknown for any n with n ≥ 8. Upper and lower bounds are derived in [142], [51]. In order to discuss these bounds we introduce the notations:

$$ R(n) = \min\{ r(f) \mid f \in F_n \}, \qquad R_B(n) = \min\{ r(f) \mid f \in F_n \text{ balanced} \} \qquad (4.25) $$

Dobbertin in [51] showed the following:

1. $R_B(2n) \le 2^n + R_B(n)$

2. For even $n = 2^s u$, u odd and n ≥ 4, the lower and upper bounds are:

$$ 2^{n/2} + 4 \le R_B(n) \le 2^{n/2} + 2^{n/4} + 2^{n/8} + \cdots + 2^{u} + 2^{(u+1)/2} \qquad (4.26) $$

For n = 1, 3, 5, 7 it is known that $R(n) = R_B(n) = 2^{(n+1)/2}$. Dobbertin obtained lower and upper bounds for n = 14: 132 ≤ RB(14) ≤ 144, and by [118] it holds that R(15) ≤ 216. For the spectral radius of the direct sum of f ∈ Fn1 and g ∈ Fn2 we have the formula $R_{f \oplus g} = R_f \cdot R_g$. Hence

$$ R_B(n_1 + n_2) \le R_B(n_1) \cdot R_B(n_2) \qquad (4.27) $$

for n1 and n2, since f ⊕ g is balanced if f is balanced. Thus:

$$ R_B(29) \le R_B(14) \cdot R_B(15) \le 144 \cdot 216 \qquad (4.28) $$

More generally this implies

$$ R_B(n) < 2^{(n+1)/2} \quad \forall \text{ odd } n \ge 29 \qquad (4.29) $$

Table 4.6 Maximum nonlinearity of Balanced Boolean functions for n.

n                    7     8     9     10    11    12    13    14    15
Best Known           56    116   240   492   992   2010  4036  8120  16272
Lowest Upper Bound   56    118   244   494   1000  2014  4050  8126  16292

The upper bounds are based on Dobbertin's results above and on Hou's result in [54] for n odd:

$$ NL(f) \le 2 \left\lfloor 2^{n-2} - 2^{n/2 - 2} \right\rfloor \qquad (4.30) $$

Seberry et al., among others, achieved the best known nonlinearities for n = 8, 10, 12, 14. The nonlinearity 240 for n = 9 was obtained by Kavut et al. [77], Saber et al. [131], Filiol and Fontaine [61], Sarkar and Maitra [133], Guillot [68], Read [125], Burnett [16], Zhang and Zheng [160], Stanica [148], the Misty 1 and KASUMI 9×9 S-box [2], Charpin et al. [30] and Grocholewska [66]. The nonlinearity 992 for n = 11 was obtained by Sarkar and Maitra [133], Johansson and Passalic [75], Maximov et al. [95], Maitra [87], Kavut et al. [77], Read [125] and Dalai et al. [47]. The nonlinearity 4036 for n = 13 was obtained by Kavut and Yücel [78]. The nonlinearity 16272 for n = 15 was obtained by Sarkar and Maitra [136]. A nonlinearity of 240 for n = 9 and of 992 for n = 11 can be obtained by bent concatenation ($2^{n-1} - 2^{(n-1)/2}$). This value is also called the bent-concatenation bound, since it can be achieved by the concatenation of two bent functions in n − 1 variables.

Balancedness and Global Avalanche

Son, Lim, Chee and Sung in [147] proved that for balanced functions the following property is attained:

$$ \sigma(f) \ge 2^{2n} + 2^{n+3} \qquad (4.31) $$

Nonlinearity and Algebraic Degree

Theorem 4.11.1. [128] The degree of an n-variable bent function is less than or equal to n/2.

Nonlinearity and Global Avalanche

The Wiener-Khintchine Theorem (theorem 3.9.2) provides a direct link between the autocorrelation vector and the Walsh Spectrum of a function. It is clear that if the sum-of-squares indicator is large then the autocorrelation will contain values of large magnitude. Thus, from this theorem we can deduce that if the sum-of-squares indicator is large, the nonlinearity of the function is likely to be low. If the sum-of-squares indicator is small, then the nonlinearity may be high.

The nonlinearity of a function may be estimated from the absolute indicator using Theorem 10 from [103]. This theorem presents a tight upper bound on nonlinearity based on the absolute indicator.

Theorem 4.11.2. Let f ∈ Fn with absolute indicator ACmax and nonlinearity NL( f ). Then NL( f ) satisfies:

$$ NL(f) \le 2^{n-1} - \frac{1}{2} \sqrt{2^n + AC_{\max}} \qquad (4.32) $$

From the properties of the sum-of-squares indicator in Table 4.5 with respect to the spectral radius of f, it can be observed that the higher the nonlinearity of the function (that is, the lower R f), the lower the upper bound on the function's sum-of-squares indicator will be. In [147] the following inequality is obtained:

$$ NL(f) \le 2^{n-1} - \frac{1}{2} \sqrt{\frac{\sigma(f)}{2^n}} \qquad (4.33) $$

These results provide evidence that nonlinearity and avalanche complement each other in a function, i.e. optimizing one allows the other to be improved.

Nonlinearity and Propagation Criterion

In 2003, Zheng and Zhang [162] presented a theorem relating the nonlinearity of a Boolean function with its degree of Propagation criteria by specifying a lower bound:

Theorem 4.11.3. Let f ∈ Fn satisfying PC(l), then:

(i) $NL(f) \ge 2^{n-1} - 2^{n-1-l/2}$

(ii) From (i), $NL(f) = 2^{n-1} - 2^{n-1-l/2}$ if and only if either:

(a) n is odd, l = n − 1, and f is of the form

f (x) = g(x1 + xn,...,xn−1 + xn) + h(x1,...,xn) (4.34)

where g is an (n − 1)-variable bent function and h is an n-variable affine function; or (b) n is even, l = n, and f is a bent function.

The above theorem demonstrates that the greater the degree of propagation criteria l, the greater the minimum nonlinearity of the function will be, and therefore higher nonlinearities are possible.
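As an added worked check, not part of the thesis text, the bounds (4.32) and (4.33) and Theorem 4.11.3 can be evaluated on two 4-variable functions: the bent function $f = x_1x_2 + x_3x_4$ of Example 4.10.1, whose values $NL(f) = 2^{3} - 2^{1} = 6$, $AC_{\max}(f) = 0$ and $\sigma(f) = 2^{2n} = 256$ are the bent entries of Table 4.2 and which satisfies $PC(4)$, and, as a constructed contrast case, the affine function $g = x_1$, for which Table 4.2 gives $NL(g) = 0$, $AC_{\max}(g) = 2^n = 16$ and $\sigma(g) = 2^{3n} = 4096$:

$$ (4.32):\quad NL(f) \le 2^{3} - \tfrac{1}{2}\sqrt{2^{4} + 0} = 8 - 2 = 6, \qquad NL(g) \le 2^{3} - \tfrac{1}{2}\sqrt{16 + 16} = 8 - 2\sqrt{2} \approx 5.17 $$

$$ (4.33):\quad NL(f) \le 2^{3} - \tfrac{1}{2}\sqrt{256 / 2^{4}} = 8 - 2 = 6, \qquad NL(g) \le 2^{3} - \tfrac{1}{2}\sqrt{4096 / 2^{4}} = 8 - 8 = 0 $$

$$ \text{Theorem 4.11.3 (i) with } l = 4:\quad NL(f) \ge 2^{3} - 2^{3 - 4/2} = 8 - 2 = 6 $$

Both upper bounds are tight for the bent function; (4.33) is also tight for the affine function, whose sum-of-squares indicator is maximal, while (4.32) only gives an upper estimate for it. The lower bound of Theorem 4.11.3 is attained by f, which is case (b) of the theorem: n = 4 is even, l = n and f is bent.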

Nonlinearity and Correlation Immunity

The relationship between nonlinearity and correlation immunity can be expressed through a study of the effect of Parseval's Theorem (theorem 3.6.7). The higher the order of correlation immunity t, the more Walsh coefficients must have values of zero. It then follows that, for Parseval's Theorem to remain valid, the higher the magnitude of the non-zero Walsh coefficients must be, which results in a lower nonlinearity. Conversely, the higher the nonlinearity of a function, the lower the magnitude of the non-zero values in its Walsh Spectrum (particularly the spectral radius). Therefore, in order to satisfy Parseval's Theorem, the number of zero Walsh coefficients must be fewer, which means that only a low order of correlation immunity will be possible. An upper bound on the nonlinearity of a t-resilient function was proposed independently in [161], [149], [150], [135] as follows:

Theorem 4.11.4. Let f ∈ Fn be a t-resilient function with 0 ≤ t ≤ n−2, and with nonlinearity NL( f ). Then, NL( f ) ≤ 2n−1 − 2t+1.

It can be seen from this theorem that nonlinearity and correlation immunity are opposing criteria. Optimizing nonlinearity results in a lower achievable order of correlation immunity. Enforcing a higher order of correlation immunity reduces the maximum achievable nonlinearity.

Correlation Immunity and Algebraic Degree

An important result exists between correlation immunity and algebraic degree. There is a trade-off between the algebraic degree of a Boolean function and the maximum level of correlation immunity that it can possess. The following theorem describes the relationship, which is known as the Siegenthaler bound or inequality.

Theorem 4.11.5. [146] If f is a t-CI function, then deg( f ) ≤ n − t. Moreover, if f is balanced (i.e. f is t-resilient), then deg( f ) ≤ n − t − 1.

The above theorem demonstrates that, provided the dimension n of the Boolean function remains fixed, there exists an opposite relation between the order of correlation immunity and the algebraic degree when one of these measures is high. The higher the order of correlation immunity, the lower the algebraic degree of that function must be. Conversely, if the order of correlation immunity is low, then the algebraic degree of the function may be high.

Nonlinearity and Algebraic Immunity

Theorem 4.11.6. [86] Let f ∈ Fn. If AI( f ) = k, then

$$ NL(f) \ge 2 \sum_{i=0}^{k-2} \binom{n-1}{i} $$

In particular, for an f with maximum AI( f ), it holds that $NL(f) \ge 2^{n-1} - \binom{n}{n/2}$ for n even and $NL(f) \ge 2^{n-1} - \binom{n-1}{(n-1)/2}$ for n odd.

Algebraic Immunity and Algebraic Degree

Theorem 4.11.7. [26], [19], [15] Let f ∈ Fn have a low degree approximation g. If $d(f,g) < \sum_{i=0}^{r} \binom{n}{i}$, then AI( f ) ≤ r + AI(g).

Therefore, the AI criterion is stable in some sense. This means that changing some values of the output will not drastically decrease the AI, unlike the algebraic degree of the function.

Correlation Immunity and Global Avalanche

The following theorems from [163] provide a lower bound on the absolute indicator of t-CI Boolean functions, both balanced and non-balanced.

Theorem 4.11.8. Let f ∈ Fn be a t-CI function with 2 ≤ t ≤ n, and absolute indicator ACmax. Then

$$ AC_{\max}(f) \ge 2^{t-1} \sum_{i=0}^{+\infty} 2^{i(t-1-n)} \qquad (4.35) $$

Theorem 4.11.9. Let f ∈ Fn be a t-resilient function with 1 ≤ t ≤ n − 1, and absolute indicator ACmax. Then

$$ AC_{\max}(f) \ge 2^{t} \sum_{i=0}^{+\infty} 2^{i(t-n)} \qquad (4.36) $$

The following theorems from [87] provide a lower bound on the sum-of-squares indicator of t-CI and t-resilient Boolean functions and on their absolute indicator.

Theorem 4.11.10. Let f ∈ Fn be a t-CI function. Then $\sigma(f) \ge 2^{2n} + 2^{\,n + \log_2 \sum_{i=1}^{t} \binom{n}{i}}$. Similarly, if f is t-resilient, then $\sigma(f) \ge 2^{2n} + 2^{\,n + \log_2 \sum_{i=0}^{t} \binom{n}{i}}$.

Theorem 4.11.11. Let f ∈ Fn be a t-CI function. Then

$$ AC_{\max}(f) \ge 2^{n/2} \sqrt{ \frac{ \sum_{i=1}^{t} \binom{n}{i} }{ 2^n - \sum_{i=1}^{t} \binom{n}{i} } } \qquad (4.37) $$

Similarly, if f is t-resilient, then

$$ AC_{\max}(f) \ge 2^{n/2} \sqrt{ \frac{ \sum_{i=0}^{t} \binom{n}{i} }{ 2^n - \sum_{i=0}^{t} \binom{n}{i} } } \qquad (4.38) $$

If we use the weight divisibility results of correlation immune and resilient Boolean functions described in Table 4.5, the following theorems are obtained in [87]:

Theorem 4.11.12. Let f ∈ Fn be a t-CI function. Then $\sigma(f) \ge 2^{n+2t+2}$. Similarly, for f ∈ Fn a t-resilient function, $\sigma(f) \ge 2^{n+2t+4}$.

Theorem 4.11.13. Let f ∈ Fn be a t-CI function (t > n/2 − 1). Then $AC_{\max}(f) > 2^{(2t+1)/2}$. Similarly, for f ∈ Fn a t-resilient function (t > n/2 − 2), $\sigma(f) \ge 2^{(2t+3)/2}$.

Tarannikov et al. in [151] define a lower bound for the absolute indicator of resilient functions:

2t−n+3  n Theorem 4.11.14. Let f ∈ Fn be a t-resilient function, then ACmax( f ) ≥ n+1 2 .

Tarannikov et al. also proved:

Theorem 4.11.15. Let f ∈ Fn be a t-resilient function. If $n \ge (n - t - 1)\, 2^{n-t-2}$, then $AC_{\max}(f) = 2^n$.

The theorems above illustrate the effect of an increase in t on the magnitude of ACmax. As the order of correlation immunity increases, the summation on the right hand side of each inequality tends to 2, and ACmax tends to $2^n$. Recall that $AC_{\max} = 2^n$ for all affine functions and for all functions with non-zero linear structures.

Correlation Immunity and Propagation Criterion

It can be established from the theorem in [162] that, for some fixed n, the higher the order of resilience, the lower the degree of propagation criterion of a Boolean function. Conversely, the higher the degree of propagation criterion, the lower the order of resilience must be:

Theorem 4.11.16. Let f ∈ Fn be a t-resilient function which satisfies PC(l). Then t + l ≤ n − 1. If t + l = n − 1, then l = n − 1, n is odd and t = 0.

There exists an opposite relation between correlation immunity and the propagation criterion: what is optimal for one must be least favourable for the other.

Nonlinearity, Correlation Immunity and Algebraic Degree

Siegenthaler’s inequality is extended by Carlet in [22] to identify the subsets of values from which the non-zero Walsh coefficients can be taken:

Theorem 4.11.17. Let f ∈ Fn be a t-resilient function with 0 ≤ t ≤ n − 2, and let deg( f ) be its algebraic degree. Then for every affine function a, d( f ,a) is divisible by $2^{t+1+\lfloor (n-t-2)/\deg(f) \rfloor}$.

The above theorem provides information about the divisibility of the possible NL( f ), as a value dependent on n, the order of correlation immunity t and the algebraic degree deg( f ). This has been further elaborated on in [28]. Thus, for some fixed t, if deg( f ) is low then NL( f ) has large divisors, causing the interval between successive valid nonlinearity values to be large. From this we may infer, particularly for even n, that the highest nonlinearity achievable by a resilient function f having low algebraic degree will be suboptimal, given that it will be at least one large interval below the covering radius bound. The same argument holds when the order of correlation immunity t is high. The small divisors that result when the algebraic degree is higher and t is low provide the possibility of valid nonlinearity values closer to the covering radius bound, when n is even.

Global Avalanche, Correlation Immunity and Algebraic Degree

Theorem 4.11.18. [87] Let f ∈ Fn be a t-CI function (t > n/2 − 1) with algebraic degree d. Then $\sigma(f) \ge 2^{\,n+2t+2+2\lfloor (n-t-1)/d \rfloor}$ and $AC_{\max}(f) > 2^{(2t+1+\lfloor (n-t-1)/d \rfloor)/2}$. Similarly, for f ∈ Fn a t-resilient function (t > n/2 − 2) with algebraic degree d, $\sigma(f) \ge 2^{\,n+2t+4+2\lfloor (n-t-2)/d \rfloor}$ and $AC_{\max}(f) > 2^{(2t+3+\lfloor (n-t-2)/d \rfloor)/2}$.

Global Avalanche, Correlation Immunity and Nonlinearity

Theorem 4.11.19. [87] Let f ∈ Fn be a t-CI function (t > n/2 − 1) with maximum possible nonlinearity $2^{n-1} - 2^{t}$. Then $\sigma(f) = 2^{n+2t+2}$. Similarly, for f ∈ Fn a t-resilient function (t > n/2 − 2) with maximum possible nonlinearity $2^{n-1} - 2^{t+1}$, $\sigma(f) = 2^{n+2t+4}$.

4.12 Summary

A list of the member functions related to these criteria may be found in Table 4.7. Table 4.8 lists the member functions related to bounds and other properties of the above criteria.

Table 4.7 Cryptographic criteria.

SYNTAX                                DESCRIPTION
void deg(int& d, VBF& F)              deg(F) = d
void nl(NTL::RR& x, VBF& F)           NL(F) = x
void nlr(long& x, VBF& F, int r)      NL_r(F) = x
void Bal(int& bal, VBF& F)            If F is balanced returns 1, otherwise 0
void CI(int& t, VBF& F)               F is an (n,m,t)-CI
void AI(int& i, VBF& F)               AI(F) = i
void MaxAC(NTL::ZZ& x, VBF& F)        F has absolute indicator x
void sigma(NTL::ZZ& x, VBF& F)        F has sum-of-squares indicator x
void ld(NTL::RR& x, VBF& F)           LD(F) = x
void PC(int& l, VBF& F)               F satisfies the PC(l)

Table 4.8 Member functions of the cryptographic criteria.

SYNTAX                                     DESCRIPTION
void SpectralRadius(NTL::ZZ& x, VBF& F)    Spectral Radius
NTL::RR nlmax(VBF& F)                      Maximum possible nonlinearity
void typenl(int& typenl, VBF& F)           1 = Bent, 2 = Almost Bent, 3 = Linear
int aimax(VBF& F)                          Maximum possible algebraic immunity
NTL::ZZ maxACmax(VBF& F)                   Maximum possible absolute indicator
NTL::ZZ maxsigma(VBF& F)                   Maximum possible sum-of-squares indicator
NTL::ZZ minsigma(VBF& F)                   Minimum possible sum-of-squares indicator
NTL::RR ldmax(VBF& F)                      Maximum possible linearity distance

Chapter 5

Constructions for Vector Boolean Functions

In this chapter, some basic constructions for Vector Boolean functions supported by the VBF class are described. Some of them correspond to secondary constructions, which build (n,m)-variable vector Boolean functions from (n′,m′)-variable ones (with n′ ≤ n, m′ ≤ m). The direct sum has been used to construct resilient and bent Boolean functions [23]. The concatenation can be used to obtain resilient functions or functions with maximal nonlinearity. The concatenation of polynomials in ANF can be used to obtain functions of high nonlinearity with n variables from functions with high nonlinearity with n′ variables (n′ < n). Adding coordinate functions and bricklayering are constructions used to build modern ciphers such as CAST [3], DES [107] and AES [46]. Additionally, VBF provides operations for testing whether two vector Boolean functions are equal, the sum of two vector Boolean functions, the composition of two vector Boolean functions and the inverse of a Vector Boolean function. In this chapter we apply VBF library methods to study constructions of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of constructions of modern cryptographic algorithms apart from those described in this chapter.

5.1 Equality Testing

5.1.1 Description

Definition 5.1.1. Let n ≥ 1, m ≥ 1, F,G ∈ Fn,m. F and G are equal if their Truth Tables are the same.

5.1.2 Library

We can compare two functions for equality with the following method:

long operator==(VBF& F, VBF& G)
long operator!=(VBF& F, VBF& G)

Example 5.1.1. The following program reports whether two Vector Boolean functions are equal, given their Truth Tables.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G;
    NTL::mat_GF2 Tf, Tg;

    // Read the Truth Table of F from the first file
    ifstream input1(argv[1]);
    if(!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> Tf;
    F.puttt(Tf);
    input1.close();

    // Read the Truth Table of G from the second file
    ifstream input2(argv[2]);
    if(!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> Tg;
    G.puttt(Tg);
    input2.close();

    if (F == G) {
        cout << "F and G are equal" << endl;
    } else {
        cout << "F and G are not equal" << endl;
    }

    return 0;
}

The output for the execution of the example program with the code above and the Truth Tables of the DES S-boxes S1 and S2 as inputs would be:

F and G are not equal

5.2 Composition Function

5.2.1 Description

Definition 5.2.1. Let F ∈ Fn,p, G ∈ Fp,m and the composition function G ◦ F ∈ Fn,m where G ◦ F(x) = G(F(x)) ∀x ∈ Vn. See figure 5.1.

Fig. 5.1 Composition.

Theorem 5.2.1. [122] The Walsh Spectrum for the composition of two Vector Boolean Functions can be calculated from the product of their respective Walsh Spectra in the following way:

$$ WS(G \circ F) = \frac{1}{2^p} \, WS(F) \cdot WS(G) \qquad (5.1) $$

Theorem 5.2.2. [100] Let F ∈ Fn,m and let LA,b ∈ Fn,n be an affine bijection (A is a nonsingular matrix), then:

$$ r_{F \circ L_{A,b}}(u,v) = r_F(Au, v) \qquad (5.2) $$

Theorem 5.2.3. Let F ∈ Fn,m and let LA,b ∈ Fn,n be an affine bijection. The Differential Profile of their composition can be calculated from the product of their respective Differential Profiles in the following way:

$$ DP(F \circ L_{A,b}) = \frac{1}{2^n} \, DP(L_{A,b}) \cdot DP(F) \qquad (5.3) $$

Proof. Taking into account Theorem 5.2.2, it holds that:

$$ \delta_{F \circ L_{A,b}}(u,v) = \frac{1}{2^{n+m}} \sum_{w \in V_m} r_{F \circ L_{A,b}}(u,w)\, \chi_v(w) = \frac{1}{2^{n+m}} \sum_{w \in V_m} r_F(Au,w)\, \chi_v(w) = \delta_F(Au,v) $$

Theorem 5.2.4. Let F ∈ Fn,p be a t-resilient function. Let G ∈ Fp,m be a (p,m) Vector Boolean function. Then G ◦ F is a t-resilient function if and only if G is balanced.

Proof. Since F is a t-resilient function, $\hat{\theta}_F(u,v) = 0$, ∀u ∈ Vn, 0 ≤ wt(u) ≤ t, ∀v ≠ 0 ∈ Vp. Thus

$$ \sum_{v \neq 0 \in V_p} \hat{\theta}_F(u,v) \cdot \hat{\theta}_G(v,w) = 0,\ \forall u \in V_n,\ 0 \le wt(u) \le t $$

Then:

$$ \hat{\theta}_{G \circ F}(u,w) = \frac{1}{2^p} \, \hat{\theta}_F(u,0) \cdot \hat{\theta}_G(0,w) $$

As G is balanced, $\hat{\theta}_G(0,w) = 0$ ∀w ≠ 0 ∈ Vm.

This theorem is a generalization of the composition of an (n, p) Vector Boolean function and a p-variable Boolean function shown by Gupta and Sarkar in [69]. Theorem 5.2.4 shows that the correlation immunity of an (n, p,t)-resilient Vector Boolean function is preserved under composition with an arbitrary (p,m) Vector Boolean function, and that its resiliency is preserved if this last function is balanced. This is an important security property for the use of resilient S-boxes in stream cipher design.

Corollary 5.2.5. Let F ∈ Fn,p be a t-resilient function. Let G ∈ Fp,m be a (p,m) Vector Boolean function. Then G ◦ F is a balanced function if and only if G is balanced.

Remark. It is possible for G ◦ F to be balanced even when either only F is non-balanced or both F and G are non-balanced. In [69] two examples are given:

1. F non-balanced and G balanced. Let F ∈ F3,2 where the coordinate functions are f1(x1,x2,x3) = x1 + x2 + x1x3 + x1x2x3 and f2(x1,x2,x3) = x2 + x1x2 + x2x3 + x1x3 + x1x2x3 and G ∈ F2,1 with coordinate g1(x1,x2) = x1 +x2. Observe (G◦F)(x1,x2,x3) = f1(x1,x2,x3) + f2(x1,x2,x3) = x1 + x2x3 is balanced.

2. F and G are non-balanced. Let F ∈ F3,2 where the coordinate functions are f1(x1,x2,x3) = x3 +x1x2 +x1x2x3 and f2(x1,x2,x3) = x2 +x3 +x1x2 +x2x3 +x1x2x3 and G ∈ F2,1 with coordinate g1(x1,x2) = x1x2. Observe (G◦F)(x1,x2,x3) = f1(x1,x2,x3)· f2(x1,x2,x3) = x3 is balanced.

5.2.2 Library

The composition can be obtained with the following method:

void Comp(VBF& X, VBF& F, VBF& G)

Example 5.2.1. The following program provides the correlation immunity and balancedness of two Vector Boolean functions given their Truth Tables and calculates the same criteria for their composition.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;
    NTL::mat_GF2 Tf, Tg;

    // Read the Truth Table of F from the first file
    ifstream input1(argv[1]);
    if(!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> Tf;
    F.puttt(Tf);
    input1.close();

    // Read the Truth Table of G from the second file
    ifstream input2(argv[2]);
    if(!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> Tg;
    G.puttt(Tg);
    input2.close();

    cout << "Correlation immunity of F: " << CI(F) << endl;
    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }
    cout << endl;

    cout << "Correlation immunity of G: " << CI(G) << endl;
    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }
    cout << endl;

    // X = G o F
    Comp(X,F,G);

    cout << "Correlation immunity of GoF: " << CI(X) << endl;
    if (Bal(X)) {
        cout << "GoF is a balanced function" << endl;
    } else {
        cout << "GoF is a non-balanced function" << endl;
    }

    return 0;
}

If we use y0 of the CLEFIA cipher's S0 (see section B.3) and the NibbleSub Truth Tables as inputs, the output would be the following:

Correlation immunity of F: 1 F is a balanced function

Correlation immunity of G: 0 G is a balanced function

Correlation immunity of GoF: 1 GoF is a balanced function

This result is congruent with theorem 5.2.4.

Example 5.2.2. The following program provides the balancedness of two Vector Boolean functions given their polynomial representations in ANF and calculates the balancedness of their composition.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, X;
    vec_pol f, g;

    // Read the ANF of F from the first file
    ifstream input1(argv[1]);
    if(!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    input1 >> f;
    F.putpol(f);
    input1.close();

    // Read the ANF of G from the second file
    ifstream input2(argv[2]);
    if(!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    input2 >> g;
    G.putpol(g);
    input2.close();

    cout << "The polynomial in ANF of F is ";
    cout << endl;
    Pol(cout,F);

    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }
    cout << endl;

    cout << "The polynomial in ANF of G is ";
    cout << endl;
    Pol(cout,G);

    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }
    cout << endl;

    // X = G o F
    Comp(X,F,G);
    cout << "The polynomial in ANF of the composition of F and G is ";
    cout << endl;
    Pol(cout,X);

    if (Bal(X)) {
        cout << "GoF is a balanced function" << endl;
    } else {
        cout << "GoF is a non-balanced function" << endl;
    }

    return 0;
}

If we use the Boolean functions of the first example described in [69] as inputs, the output is the following:

The polynomial in ANF of F is
x1+x2+x1x3+x1x2x3
x2+x1x2+x2x3+x1x3+x1x2x3
F is a non-balanced function

The polynomial in ANF of G is
x1+x2
G is a balanced function

The polynomial in ANF of the composition of F and G is
x2x3+x1+x1x2
GoF is a balanced function

If we use the Boolean functions of the second example described in [69] as inputs, the output is the following:

The polynomial in ANF of F is
x3+x1x2+x1x2x3
x2+x3+x1x2+x2x3+x1x2x3
F is a non-balanced function

The polynomial in ANF of G is
x1x2
G is a non-balanced function

The polynomial in ANF of the composition of F and G is
x3
GoF is a balanced function

5.3 Functional Inverse

5.3.1 Description

Definition 5.3.1. Let n ≥ 1, F ∈ Fn,n. F^{−1} is the functional inverse of F if the composition of both functions results in the identity function. See figure 5.2.

Fig. 5.2 Inverse.

5.3.2 Library

If a Vector Boolean Function F ∈ Fn,n is invertible, then we can find its inverse with the following method:

void inv(VBF& X, VBF& F)

Example 5.3.1. The following program provides the Truth Table of the inverse of a Vector Boolean function given its Truth Table.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, X;
   NTL::mat_GF2 Tf;

   ifstream input1(argv[1]);
   if(!input1) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input1 >> Tf;
   F.puttt(Tf);
   input1.close();

   // X = F^{-1}
   inv(X,F);
   cout << "The Truth Table of the inverse of F is " << endl << TT(X) << endl;

   return 0;
}

The output of the program above with the Truth Table of the NibbleSub S-box as input is:

The Truth Table of the inverse of F is
[[1 1 1 0]
[0 0 1 1]
[0 1 0 0]
[1 0 0 0]
[0 0 0 1]
[1 1 0 0]
[1 0 1 0]
[1 1 1 1]
[0 1 1 1]
[1 1 0 1]
[1 0 0 1]
[0 1 1 0]
[1 0 1 1]
[0 0 1 0]
[0 0 0 0]
[0 1 0 1]
]

5.4 Sum

5.4.1 Description

Definition 5.4.1. Let n ≥ 1, m ≥ 1, F, G ∈ Fn,m. The Sum of F and G, denoted by F + G ∈ Fn,m, is the Vector Boolean Function whose Truth Table results from the addition of the Truth Tables of F and G: $T_{F+G} = T_F + T_G$.

Theorem 5.4.1. The Walsh Spectrum of the sum of two Vector Boolean Functions can be obtained by the correlation of the column vectors of the respective Walsh Spectra in the following way:

$$WS(F+G)_v = \frac{1}{2^n}\, WS(F)_v * WS(G)_v \qquad (5.4)$$

Proof.

$$\hat{\theta}_{F+G}(u,v) = \hat{\chi}_{v\cdot(F+G)}(u) = \mathcal{W}\{\xi_{v\cdot F} * \xi_{v\cdot G}\}(u) = \frac{1}{2^n}\sum_{x\in V_n}\hat{\chi}_{v\cdot F}(u+x)\,\hat{\chi}_{v\cdot G}(x)$$

The effect of bit complementation in the Truth Table of a Boolean function is a quantifiable change to its Walsh Spectrum, so the nonlinearity of the function is also modified. The magnitude of the change to the Walsh coefficients is related to the number of bits complemented.

Theorem 5.4.2. [16] Let $f, g \in \mathcal{F}_n$ with Walsh transforms $W_f$ and $W_g$ respectively. Let

$$g(x) = \begin{cases} f(x) + 1 & \text{if } x = \alpha_i \\ f(x) & \text{if } x \neq \alpha_i \end{cases}$$

then

$$W_g(u) = W_f(u) + \Delta W_f \quad \text{where } \Delta W_f \in \{-2, 2\}$$

If we change the value of one bit of the truth table of a Boolean Function, then the values of the Walsh Spectrum are changed by an amount of 2.

Proof.

$$\hat{\chi}_g(u) = \sum_{x\in V_n}(-1)^{g(x)+u\cdot x} = \sum_{x\neq\alpha_i,\, x\in V_n}(-1)^{f(x)+u\cdot x} + (-1)^{f(\alpha_i)}(-1)^{u\cdot\alpha_i} = \sum_{x\in V_n}(-1)^{f(x)+u\cdot x} + \Delta W_f = \hat{\chi}_f(u) \pm 2$$

where $\Delta W_f = 2(-1)^{f(\alpha_i)}(-1)^{u\cdot\alpha_i}$.

Corollary 5.4.3. Let a Boolean Function f ∈ Fn, if we change the value of one bit of the truth table of f , then the value of its nonlinearity is changed by an amount of 1. If we denote g ∈ Fn the Boolean Function resulting from adding 1 to the value of one bit of f then:

NL(g) = NL( f ) ± 1 (5.5)

Proof. It follows from the corollary 4.3.2 and theorem 5.4.2.

Several results follow from the above definitions. The sum of two Boolean functions f and g has algebraic degree equal to the higher of the degrees of f and g, unless their sets of highest-degree terms coincide, in which case the degree decreases. Adding a single term of order r to a Boolean function f complements the Truth Table of f in $2^{n-r}$ bits: the complemented bits are those of the inputs x ∈ Vn with $x_i = 1$ for every index i of the variables in the term [99]. The effect of bit complementation in the Truth Table of a Boolean function is a quantifiable change to its Autocorrelation Spectrum, so the absolute indicator (and the linearity distance) of the function are also modified. The magnitude of the change to the Autocorrelation coefficients is related to the number of bits complemented.

Theorem 5.4.4. Let $f, g \in \mathcal{F}_n$ with Autocorrelation transforms $r_f$ and $r_g$ respectively. Let g be defined as in theorem 5.4.2, then

$$r_g(u) = r_f(u) + \Delta r_f \quad \text{where } \Delta r_f \in \{-4, 4\}$$

If we change the value of one bit of the truth table of a Boolean Function, then the values of the Autocorrelation Spectrum are changed by an amount of 4.

Proof.

$$\begin{aligned}
r_g(u) &= \sum_{x\in V_n}(-1)^{g(x)+g(u+x)} = \sum_{x\neq\alpha_i,\, u+x\neq\alpha_i}(-1)^{f(x)+f(u+x)} + 2\cdot(-1)^{f(\alpha_i)+f(u+\alpha_i)+1} \\
&= \sum_{x\neq\alpha_i,\, u+x\neq\alpha_i}(-1)^{f(x)+f(u+x)} + 2\cdot(-1)^{f(\alpha_i)+f(u+\alpha_i)} - 4\cdot(-1)^{f(\alpha_i)+f(u+\alpha_i)} \\
&= r_f(u) - 4\cdot(-1)^{f(\alpha_i)+f(u+\alpha_i)}
\end{aligned}$$

where $\Delta r_f = 4\cdot(-1)^{f(\alpha_i)+f(u+\alpha_i)}$.

Corollary 5.4.5. Let a Boolean Function f ∈ Fn; if we change the value of one bit of the truth table of f, then the value of its absolute indicator is changed by an amount of 4. If we denote by g ∈ Fn the Boolean Function resulting from adding 1 to the value of one bit of f, then:

$$AC_{max}(g) = AC_{max}(f) \pm 4 \qquad (5.6)$$

Corollary 5.4.6. Let a Boolean Function f ∈ Fn; if we change the value of one bit of the truth table of f, then the value of its linearity distance is changed by an amount of 1. If we denote by g ∈ Fn the Boolean Function resulting from adding 1 to the value of one bit of f, then:

$$LD(g) = LD(f) \pm 1 \qquad (5.7)$$

Proof.

$$LD(g) = 2^{n-2} - \frac{1}{4}\cdot AC_{max}(g) = 2^{n-2} - \frac{1}{4}\cdot AC_{max}(f) \pm 1 = LD(f) \pm 1$$

5.4.2 Library

The sum can be obtained with the following method:

void sum(VBF& X, VBF& F, VBF& G)

Example 5.4.1. The following program provides the nonlinearity, absolute indicator and linearity distance of two Vector Boolean functions, given the polynomial representation in ANF of the first and the hexadecimal representation of the Truth Table of the second, and calculates the same criteria for their sum.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G, X;
   vec_pol f;

   // F is given by its ANF
   ifstream input1(argv[1]);
   if(!input1) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input1 >> f;
   F.putpol(f);
   input1.close();

   // G is given by the hexadecimal representation of its Truth Table
   ifstream input2(argv[2]);
   if(!input2) {
      cerr << "Error opening " << argv[2] << endl;
      return 0;
   }
   G.putHexTT(input2);
   input2.close();

   cout << "The polynomial in ANF of F is ";
   cout << endl;
   Pol(cout,F);
   cout << "nl(F)=" << nl(F) << endl;
   cout << "ACmax(F)=" << maxAC(F) << endl;
   cout << "LD(F)=" << ld(F) << endl;
   cout << endl;

   cout << "The polynomial in ANF of G is ";
   cout << endl;
   Pol(cout,G);
   cout << endl;

   // X = F + G
   sum(X,F,G);
   cout << "The polynomial in ANF of the sum of F and G is ";
   cout << endl;
   Pol(cout,X);
   cout << "nl(F+G)=" << nl(X) << endl;
   cout << "ACmax(F+G)=" << maxAC(X) << endl;
   cout << "LD(F+G)=" << ld(X) << endl;
   cout << endl;

   return 0;
}

If we use the Boolean function F with ANF x1x2 +x3x4 and function G with hexadecimal representation of Truth Table 0001 as inputs, the output would be the following:

The polynomial in ANF of F is
x1x2+x3x4
nl(F)=6
ACmax(F)=0
LD(F)=4

The polynomial in ANF of G is
x1x2x3x4

The polynomial in ANF of the sum of F and G is
x3x4+x1x2+x1x2x3x4
nl(F+G)=5
ACmax(F+G)=4
LD(F+G)=3

These results are congruent with the properties described above:

• NL(F + G) = NL(F) − 1 = 6 − 1 = 5.

• ACmax(F + G) = ACmax(F) + 4 = 0 + 4 = 4.

• LD(F + G) = LD(F) − 1 = 4 − 1 = 3.

5.5 Direct Sum

5.5.1 Description

Definition 5.5.1. Let n1, n2 ≥ 1, F1 ∈ Fn1,m, F2 ∈ Fn2,m be Vector Boolean functions. Consider the Vector Boolean function F1 ⊕ F2 ∈ Fn1+n2,m, called direct sum, defined as (F1 ⊕ F2)((x1,x2)) = F1(x1) + F2(x2). See figure 5.3.

Fig. 5.3 Direct Sum.

When F1 and F2 are Boolean functions (m = 1) Sarkar and Maitra [133] derived the following properties:

• $wt(F_1 \oplus F_2) = 2^{n_2}\cdot wt(F_1) + 2^{n_1}\cdot wt(F_2) - 2\cdot wt(F_1)\cdot wt(F_2)$.

• deg(F1 ⊕ F2) = max{deg(F1), deg(F2)}.

• $\hat{\theta}_{F_1\oplus F_2}((u_1,u_2),v) = \hat{\theta}_{F_1}(u_1,v)\cdot\hat{\theta}_{F_2}(u_2,v)$.

• If F1 is t1-resilient and F2 is t2-resilient, then F1 ⊕ F2 is (t1 + t2 + 1)-resilient.

• $NL(F_1 \oplus F_2) \geq 2^{n_2}\cdot NL(F_1) + 2^{n_1}\cdot NL(F_2) - 2\cdot NL(F_1)\cdot NL(F_2)$.

• F1 ⊕ F2 has no linear structure if and only if F1 and F2 have no linear structure.

• max{AI(F1), AI(F2)} ≤ AI(F1 ⊕ F2) ≤ min{max{deg(F1), deg(F2)}, AI(F1) + AI(F2)}.

Theorem 5.5.1. The elements that make up a row of the Walsh Spectrum (respectively Autocorrelation Matrix) of the direct sum of two Vector Boolean Functions are obtained as the product of the respective components of the rows of both Walsh Spectra (respectively Autocorrelation Matrices). The rows of the Differential Profile of the direct sum of two Vector Boolean Functions are obtained by the correlation of the rows of the Differential Profiles of each Vector Boolean Function.

$$\hat{\theta}_{F_1\oplus F_2}(u,v) = \hat{\theta}_{F_1}(u_1,v)\cdot\hat{\theta}_{F_2}(u_2,v)$$

$$r_{F_1\oplus F_2}(u,v) = r_{F_1}(u_1,v)\cdot r_{F_2}(u_2,v) \qquad (5.8)$$

$$DP(F_1\oplus F_2)_u = \frac{1}{2^m}\, DP(F_1)_{u_1} * DP(F_2)_{u_2}$$

The first result was already known for Boolean functions [133]; here we give a proof for Vector Boolean functions.

Proof.

$$\hat{\theta}_{F_1\oplus F_2}(u,v) = \hat{\chi}_{v\cdot(F_1\oplus F_2)}((u_1,u_2)) = \hat{\chi}_{v\cdot F_1 \oplus v\cdot F_2}((u_1,u_2)) = \hat{\chi}_{v\cdot F_1}(u_1)\cdot\hat{\chi}_{v\cdot F_2}(u_2)$$

The second result is new and the proof is given below:

Proof.

$$\begin{aligned}
r_{F_1\oplus F_2}(u,v) &= \frac{1}{2^n}\sum_{x\in V_n}\chi_{v\cdot(F_1\oplus F_2)}(x+u)\,\chi_{v\cdot(F_1\oplus F_2)}(x) \\
&= \frac{1}{2^{n_1+n_2}}\sum_{x_1\in V_{n_1}}\sum_{x_2\in V_{n_2}}\chi_{v\cdot F_1}(x_1)\,\chi_{v\cdot F_2}(x_2)\,\chi_{v\cdot F_1}(x_1+u_1)\,\chi_{v\cdot F_2}(x_2+u_2) \\
&= \left(\frac{1}{2^{n_1}}\sum_{x_1\in V_{n_1}}\chi_{v\cdot F_1}(x_1+u_1)\,\chi_{v\cdot F_1}(x_1)\right)\left(\frac{1}{2^{n_2}}\sum_{x_2\in V_{n_2}}\chi_{v\cdot F_2}(x_2+u_2)\,\chi_{v\cdot F_2}(x_2)\right) \\
&= r_{F_1}(u_1,v)\cdot r_{F_2}(u_2,v)
\end{aligned}$$

The third result is new and the proof is given below:

Proof.

$$\begin{aligned}
(DP(F_1)_{u_1} * DP(F_2)_{u_2})(v) &= \sum_{w\in V_m}\delta_{F_1}(u_1, w+v)\cdot\delta_{F_2}(u_2, w) \\
&= \sum_{w\in V_m}\left(\frac{1}{2^{n_1+m}}\sum_{s\in V_m} r_{F_1}(u_1,s)\,\chi_{w+v}(s)\right)\left(\frac{1}{2^{n_2+m}}\sum_{t\in V_m} r_{F_2}(u_2,t)\,\chi_{w}(t)\right) \\
&= \frac{1}{2^{n_1+n_2+2m}}\sum_{z\in V_m} r_{F_1}(u_1,z)\, r_{F_2}(u_2,z)\,\chi_v(z) \\
&= \frac{1}{2^{n_1+n_2+2m}}\sum_{z\in V_m} r_{F_1\oplus F_2}(u,z)\,\chi_v(z) = \frac{1}{2^m}\, DP(F_1\oplus F_2)_u(v)
\end{aligned}$$

Corollary 5.5.2.

$$\max^{*}(WS(F_1\oplus F_2)) = \max^{*}_{v\in V_m}\{WS(v\cdot F_1)\cdot WS(v\cdot F_2)\} \qquad (5.9)$$

$$AC_{max}(F_1\oplus F_2) = \max\{2^{n_1}\cdot AC_{max}(F_2),\ AC_{max}(F_1)\cdot 2^{n_2}\}$$

Corollary 5.5.3. Let $F_1 \in \mathcal{F}_{n_1,m}, \ldots, F_i \in \mathcal{F}_{n_i,m}$:

$$NL(F_1\oplus\cdots\oplus F_i) = 2^{n_1+\cdots+n_i-1} - \frac{1}{2}\max^{*}_{v\in V_m}\{WS(v\cdot F_1)\cdots WS(v\cdot F_i)\} \qquad (5.10)$$

Theorem 5.5.4. Let F1 be an (n1,m,t1)-resilient function and F2 be an (n2,m,t2)-resilient function; then F1 ⊕ F2 is an (n1 + n2, m, t1 + t2 + 1)-resilient function.

Remark. This result is an extension of what was obtained in [141] for Boolean functions.

Corollary 5.5.5. F1 ⊕ F2 is balanced if and only if F1 is balanced or F2 is balanced.

Remark. This result is an extension of what was obtained in [139] for Boolean functions.

Theorem 5.5.6. If F1 satisfies the PC(l1) and F2 satisfies the PC(l2), then F1 ⊕ F2 satisfies the PC(l) with l = min{l1,l2}.

Proof.

$$\left(r_{F_1}(u_1,v) = 0,\ \forall u_1\in V_{n_1},\ 1 \leq wt(u_1) \leq l_1,\ \forall v\in V_m\right) \wedge \left(r_{F_2}(u_2,v) = 0,\ \forall u_2\in V_{n_2},\ 1 \leq wt(u_2) \leq l_2,\ \forall v\in V_m\right)$$

$$\Rightarrow r_{F_1}(u_1,v)\cdot r_{F_2}(u_2,v) = 0,\ \forall (u_1,u_2)\in V_{n_1}\times V_{n_2},\ 1 \leq wt((u_1,u_2)) \leq \min\{l_1,l_2\},\ \forall v\in V_m$$

$$\Rightarrow r_{F_1\oplus F_2}(u,v) = 0,\ \forall u\in V_n,\ 1 \leq wt(u) \leq \min\{l_1,l_2\},\ \forall v\in V_m \Rightarrow F_1\oplus F_2 \text{ satisfies } PC(\min\{l_1,l_2\})$$

Example 5.5.1. The full substitution function of the CAST algorithm, S(CAST) ∈ F32,32, is constructed as the direct sum of four S-boxes Si(CAST) ∈ F8,32 (see figure 5.4). Calculating the nonlinearity of S(CAST) directly would require finding the maximum over all the elements of a $2^{32} \times 2^{32}$ matrix representing its Walsh Spectrum, or alternatively determining the Walsh Spectra ($2^{32} \times 1$ matrices) of the $2^{32}$ linear combinations of its coordinate functions. By corollary 5.5.3, however, the nonlinearity is obtained by calculating four Walsh Spectra ($2^{8} \times 1$ matrices) for each of the $2^{32}$ component functions.

$$\max^{*}_{v\in V_{32}}\{WS(v\cdot S_1(CAST))\cdot WS(v\cdot S_2(CAST))\cdot WS(v\cdot S_3(CAST))\cdot WS(v\cdot S_4(CAST))\} = 29417472 \qquad (5.11)$$

Fig. 5.4 CAST Cipher.

$$NL(S(CAST)) = 2^{32-1} - \frac{1}{2}\cdot 29417472 = 2132774912 \qquad (5.12)$$

This result coincides with the estimation of nonlinearity done in [159].

5.5.2 Library

The method included in VBF to perform this construction is the following:

void directsum(VBF& X, VBF& F, VBF& G)

Example 5.5.2. The following program provides the weight, algebraic degree, balancedness, correlation immunity, spectral radius, nonlinearity, absolute indicator, linearity distance, algebraic immunity and propagation criterion degree of two Vector Boolean functions given their Truth Tables in hexadecimal representation, and calculates the same criteria for their direct sum.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G, X;

   // Both functions are given by the hexadecimal representation of their Truth Tables
   ifstream input1(argv[1]);
   if(!input1) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   F.putHexTT(input1);
   input1.close();

   ifstream input2(argv[2]);
   if(!input2) {
      cerr << "Error opening " << argv[2] << endl;
      return 0;
   }
   G.putHexTT(input2);
   input2.close();

   cout << "weight(F)=" << weight(F) << endl;
   cout << "deg(F)=" << deg(F) << endl;
   if (Bal(F)) {
      cout << "F is a balanced function" << endl;
   } else {
      cout << "F is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of F=" << CI(F) << endl;
   cout << "R(F)=" << SpectralRadius(F) << endl;
   cout << "nl(F)=" << nl(F) << endl;
   cout << "ACmax(F)=" << maxAC(F) << endl;
   cout << "ld(F)=" << ld(F) << endl;
   cout << "AI(F)=" << AI(F) << endl;
   cout << "F is PC of degree " << PC(F) << endl;
   cout << endl;

   cout << "weight(G)=" << weight(G) << endl;
   cout << "deg(G)=" << deg(G) << endl;
   if (Bal(G)) {
      cout << "G is a balanced function" << endl;
   } else {
      cout << "G is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of G=" << CI(G) << endl;
   cout << "R(G)=" << SpectralRadius(G) << endl;
   cout << "nl(G)=" << nl(G) << endl;
   cout << "ACmax(G)=" << maxAC(G) << endl;
   cout << "ld(G)=" << ld(G) << endl;
   cout << "AI(G)=" << AI(G) << endl;
   cout << "G is PC of degree " << PC(G) << endl;
   cout << endl;

   // X = F directsum G
   directsum(X,F,G);

   cout << "weight(F directsum G)=" << weight(X) << endl;
   cout << "deg(F directsum G)=" << deg(X) << endl;
   if (Bal(X)) {
      cout << "F directsum G is a balanced function" << endl;
   } else {
      cout << "F directsum G is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of F directsum G=" << CI(X) << endl;
   cout << "R(F directsum G)=" << SpectralRadius(X) << endl;
   cout << "nl(F directsum G)=" << nl(X) << endl;
   cout << "ACmax(F directsum G)=" << maxAC(X) << endl;
   cout << "ld(F directsum G)=" << ld(X) << endl;   // criterion of X, not of G
   cout << "AI(F directsum G)=" << AI(X) << endl;
   cout << "F directsum G is PC of degree " << PC(X) << endl;

   return 0;
}

If we use the Boolean functions with the following Truth Tables (in hexadecimal representation) as inputs:

6cb405778ea9bd30

5c721bcaac27b1c5

the output is the following:

weight(F)=32
deg(F)=3
F is a balanced function
Degree of Correlation immunity of F=1
R(F)=16
nl(F)=24
ACmax(F)=32
ld(F)=8
AI(F)=3
F is PC of degree 2

weight(G)=32
deg(G)=3
G is a balanced function
Degree of Correlation immunity of G=2
R(G)=32
nl(G)=16
ACmax(G)=64
ld(G)=0
AI(G)=2
G is PC of degree 1

weight(F directsum G)=2048
deg(F directsum G)=3
F directsum G is a balanced function
Degree of Correlation immunity of F directsum G=4
R(F directsum G)=512
nl(F directsum G)=1792
ACmax(F directsum G)=4096
ld(F directsum G)=0
AI(F directsum G)=3
F directsum G is PC of degree 1

These results are congruent with the properties derived in [133] and in corollaries 5.5.2 and 5.5.3 and theorem 5.5.6:

• $wt(F \oplus G) = 2^6\cdot 32 + 2^6\cdot 32 - 2\cdot 32\cdot 32 = 2048$.

• deg(F ⊕ G) = max{3, 3} = 3.

• F is 1-resilient, G is 2-resilient, and F ⊕ G is (1 + 2 + 1)-resilient.

• R(F ⊕ G) = 16 · 32 = 512 because F and G are Boolean functions.

• $NL(F \oplus G) = 2^{12-1} - \frac{1}{2}\cdot 512 = 1792$.

• ACmax(F ⊕ G) = max{32 · 64, 64 · 64} = 4096.

• $LD(F \oplus G) = 2^{12-2} - \frac{1}{4}\cdot 4096 = 0$.

• max{3,2} ≤ AI(F ⊕ G) = 3 ≤ min{max{3,3},3 + 2}.

5.6 Concatenation

5.6.1 Description

Definition 5.6.1. Let n ≥ 1, F1 ∈ Fn,m, F2 ∈ Fn,m be Vector Boolean functions. Consider the Vector Boolean function F1|cF2 ∈ Fn+1,m defined as $(x, x_{n+1}) \mapsto (x_{n+1} + 1)F_1(x) + x_{n+1}F_2(x)$, where x ∈ Vn.

When F1 and F2 are Boolean functions (m = 1), the following properties are derived in [18], [23], [47]:

• wt(F1|cF2) = wt(F1) + wt(F2).

• deg(F1|cF2) ≤ 1 + max{deg(F1),deg(F2)} with equality if and only if F1 and F2 do not have the same high degree monomials.

• $\hat{\theta}_{F_1|_cF_2}(u,u_{n+1}) = \hat{\theta}_{F_1}(u) + (-1)^{u_{n+1}}\,\hat{\theta}_{F_2}(u)\quad \forall (u,u_{n+1}) \in V_{n+1}$.

• If F1 is t-resilient and F2 is t-resilient, then F1|cF2 is t-resilient. Moreover, if $\hat{\theta}_{F_1}(u) + \hat{\theta}_{F_2}(u) = 0$ for all u with wt(u) = t + 1, then F1|cF2 is (t + 1)-resilient.

• NL(F1|cF2) ≥ NL(F1) + NL(F2).

• $\Delta_{(u,u_{n+1})}F(x,x_{n+1}) = \Delta_u F_1(x) + u_{n+1}(F_1+F_2)(x) + x_{n+1}\Delta_u(F_1+F_2)(x) + u_{n+1}\Delta_u(F_1+F_2)(x)$, where F = F1|cF2.

• If AI(F1) < AI(F2), then AI(F1|cF2) = AI(F1) + 1. If AI(F1) = AI(F2), then AI(F1) ≤ AI(F1|cF2) ≤ AI(F1) + 1.

5.6.2 Library

The method included in VBF to perform this construction is the following:

void concat(VBF& X, VBF& F, VBF& G)

Example 5.6.1. The following program provides the weight, algebraic degree, balancedness, correlation immunity, nonlinearity and algebraic immunity of two Vector Boolean functions given their polynomial representations in ANF, and calculates the same criteria for their concatenation.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G, X;
   vec_pol f, g;

   ifstream input1(argv[1]);
   if(!input1) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input1 >> f;
   F.putpol(f);
   input1.close();

   ifstream input2(argv[2]);
   if(!input2) {
      cerr << "Error opening " << argv[2] << endl;
      return 0;
   }
   input2 >> g;
   G.putpol(g);
   input2.close();

   cout << "weight(F)=" << weight(F) << endl;
   cout << "deg(F)=" << deg(F) << endl;
   if (Bal(F)) {
      cout << "F is a balanced function" << endl;
   } else {
      cout << "F is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of F=" << CI(F) << endl;
   cout << "nl(F)=" << nl(F) << endl;
   cout << "AI(F)=" << AI(F) << endl;
   cout << endl;

   cout << "weight(G)=" << weight(G) << endl;
   cout << "deg(G)=" << deg(G) << endl;
   if (Bal(G)) {
      cout << "G is a balanced function" << endl;
   } else {
      cout << "G is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of G=" << CI(G) << endl;
   cout << "nl(G)=" << nl(G) << endl;
   cout << "AI(G)=" << AI(G) << endl;
   cout << endl;

   // X = F concat G
   concat(X,F,G);
   cout << "The polynomial in ANF of the concatenation of F and G is ";
   cout << endl;
   Pol(cout,X);

   cout << "weight(F concat G)=" << weight(X) << endl;
   cout << "deg(F concat G)=" << deg(X) << endl;
   if (Bal(X)) {
      cout << "F concat G is a balanced function" << endl;
   } else {
      cout << "F concat G is a non-balanced function" << endl;
   }
   cout << "Degree of Correlation immunity of F concat G=" << CI(X) << endl;
   cout << "nl(F concat G)=" << nl(X) << endl;
   cout << "AI(F concat G)=" << AI(X) << endl;

   return 0;
}

If we use the Boolean functions 1+x3x4+x2+x2x4+x1+x1x3+x1x3x4 and x3+x2x4+x1+x1x4+x1x3x4 as inputs, the output is the following:

weight(F)=8
deg(F)=3
F is a balanced function
Degree of Correlation immunity of F=0
nl(F)=4
AI(F)=2

weight(G)=8
deg(G)=3
G is a balanced function
Degree of Correlation immunity of G=0
nl(G)=4
AI(G)=2

The polynomial in ANF of the concatenation of F and G is
1+x4x5+x3+x3x5+x2+x2x4+x2x4x5
weight(F concat G)=16
deg(F concat G)=3
F concat G is a balanced function
Degree of Correlation immunity of F concat G=0
nl(F concat G)=8
AI(F concat G)=2

These results are congruent with the properties described in this section:

• wt(F|cG) = 8 + 8 = 16.

• deg(F|cG) = 3 ≤ 1 + max{3,3} = 1 + 3 = 4.

• F is 0-resilient, G is 0-resilient, and F|cG is 0-resilient.

• NL(F|cG) = 8 ≥ 4 + 4 = 8.

• AI(F) = AI(G) = 2, so 2 ≤ AI(F|cG) = 2 ≤ 2 + 1.
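As an added example (not part of the thesis or of the VBF library), the following Python script recomputes from truth tables the criteria that the example programs of sections 5.4 to 5.6 print, and applies the sum, direct sum and concatenation constructions to the inputs of examples 5.4.1, 5.5.2 and 5.6.1. The hexadecimal bit order, the variable order in tt_from_anf (x1 as the most significant index bit) and the position of the selector bit in the concatenation are assumptions; each of them changes the truth table only by an affine map of the input, which leaves every criterion computed here unchanged.

```python
from typing import Dict, List

TT = List[int]   # truth table of a Boolean function; index x = 0 .. 2^n - 1

def tt_from_hex(hexstr: str) -> TT:
    """Truth table from the hexadecimal representation used by the VBF examples
    (assumed order: the first hex digit holds the values for inputs 0..3)."""
    bits = bin(int(hexstr, 16))[2:].zfill(4 * len(hexstr))
    return [int(b) for b in bits]

def tt_from_anf(n: int, monomials) -> TT:
    """Truth table from an ANF given as tuples of 1-based variable indices,
    e.g. [(1, 2), (3, 4)] for x1x2 + x3x4; the empty tuple () is the constant 1."""
    table = []
    for x in range(1 << n):
        xb = [(x >> (n - i)) & 1 for i in range(1, n + 1)]          # xb[i-1] = x_i
        table.append(sum(all(xb[i - 1] for i in m) for m in monomials) & 1)
    return table

def nvars(tt: TT) -> int:
    return len(tt).bit_length() - 1

def walsh(tt: TT) -> List[int]:
    """Walsh spectrum W_f(u) = sum_x (-1)^(f(x) + u.x), fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def weight(tt: TT) -> int:
    return sum(tt)

def degree(tt: TT) -> int:
    """Algebraic degree: the Moebius transform turns the truth table into ANF coefficients."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=0)

def spectral_radius(tt: TT) -> int:
    return max(abs(v) for v in walsh(tt))

def nonlinearity(tt: TT) -> int:
    return (1 << (nvars(tt) - 1)) - spectral_radius(tt) // 2

def correlation_immunity(tt: TT) -> int:
    """Largest t such that W_f(u) = 0 for every u with 1 <= wt(u) <= t."""
    w = walsh(tt)
    t = 0
    while t < nvars(tt) and all(w[u] == 0 for u in range(len(w))
                                 if bin(u).count("1") == t + 1):
        t += 1
    return t

def absolute_indicator(tt: TT) -> int:
    """AC_max = max over u != 0 of |r_f(u)|, with r_f(u) = sum_x (-1)^(f(x) + f(x + u))."""
    size = len(tt)
    return max(abs(sum(1 - 2 * (tt[x] ^ tt[x ^ u]) for x in range(size)))
               for u in range(1, size))

def linearity_distance(tt: TT) -> int:
    return (1 << (nvars(tt) - 2)) - absolute_indicator(tt) // 4

def boolean_sum(f: TT, g: TT) -> TT:
    """Definition 5.4.1: T_{F+G} = T_F + T_G (bitwise XOR of the truth tables)."""
    return [a ^ b for a, b in zip(f, g)]

def direct_sum(f1: TT, f2: TT) -> TT:
    """Definition 5.5.1: (F1 (+) F2)(x1, x2) = F1(x1) + F2(x2); index x = x1 * 2^n2 + x2."""
    return [a ^ b for a in f1 for b in f2]

def concatenation(f1: TT, f2: TT) -> TT:
    """Definition 5.6.1: F1|cF2 evaluates F1 or F2 according to the extra (top) input bit."""
    return f1 + f2

# Inputs of examples 5.4.1, 5.5.2 and 5.6.1 exactly as the page gives them.
F_SUM = tt_from_anf(4, [(1, 2), (3, 4)])                # x1x2 + x3x4, a bent function
G_SUM = tt_from_hex("0001")                             # x1x2x3x4: flips one truth-table bit
F_DS = tt_from_hex("6cb405778ea9bd30")
G_DS = tt_from_hex("5c721bcaac27b1c5")
F_CAT = tt_from_anf(4, [(), (3, 4), (2,), (2, 4), (1,), (1, 3), (1, 3, 4)])
G_CAT = tt_from_anf(4, [(3,), (2, 4), (1,), (1, 4), (1, 3, 4)])

def criteria(tt: TT) -> Dict[str, int]:
    """The criteria the VBF example programs print for a Boolean function."""
    return {"wt": weight(tt), "deg": degree(tt), "CI": correlation_immunity(tt),
            "R": spectral_radius(tt), "NL": nonlinearity(tt)}

if __name__ == "__main__":
    for name, f, g, op in (("F+G", F_SUM, G_SUM, boolean_sum),
                           ("F directsum G", F_DS, G_DS, direct_sum),
                           ("F concat G", F_CAT, G_CAT, concatenation)):
        print(name, criteria(op(f, g)))
```

For the sum, absolute_indicator and linearity_distance of F_SUM and of boolean_sum(F_SUM, G_SUM) reproduce the (0, 4) and (4, 3) of example 5.4.1, the ±4 and ±1 changes of corollaries 5.4.5 and 5.4.6.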

5.7 Concatenation of Polynomials in ANF

5.7.1 Description

Definition 5.7.1. Let n1, n2 ≥ 1, F1 ∈ Fn1,m, F2 ∈ Fn2,m be Vector Boolean functions. Consider the Vector Boolean function F1|pF2 ∈ Fn1+n2,m defined as $(x_1,\ldots,x_{n_1},x_{n_1+1},\ldots,x_{n_1+n_2}) \mapsto F_1(x_1,\ldots,x_{n_1}) + F_2(x_{n_1+1},\ldots,x_{n_1+n_2})$, where x ∈ Vn1+n2.

Kavut and Yucel in [79] used this construction to obtain an 11-variable Boolean function from a 9-variable Boolean function with nonlinearity 242 (say F1) and a 2-variable bent function (say F2). The 11-variable Boolean function F1|pF2 has the highest nonlinearity known to date for a Boolean function with 11 variables:

$$NL(F_1|_pF_2) = 2^{11-1} - 2^{\frac{11-1}{2}} + 4 = 996 \qquad (5.13)$$

Similarly, we can obtain a 13-variable Boolean function from a 9-variable Boolean function with nonlinearity 242 (say F1) and a 4-variable bent function (say F2). The 13-variable Boolean function F1|pF2 has the highest nonlinearity known to date for a Boolean function with 13 variables:

$$NL(F_1|_pF_2) = 2^{13-1} - 2^{\frac{13-1}{2}} + 8 = 4040 \qquad (5.14)$$

5.7.2 Library

The method included in VBF to perform this construction is the following:

void concatpol(VBF& X, VBF& F, VBF& G)

Example 5.7.1. The following program provides the ANF of the concatenation of polynomials in ANF of two Vector Boolean functions given their polynomial representations.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G, H;
   vec_pol f, g;

   ifstream inputf(argv[1]);
   if(!inputf) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   inputf >> f;
   F.putpol(f);
   inputf.close();

   ifstream inputg(argv[2]);
   if(!inputg) {
      cerr << "Error opening " << argv[2] << endl;
      return 0;
   }
   inputg >> g;
   G.putpol(g);
   inputg.close();

   // H = F |p G
   concatpol(H,F,G);
   cout << "The ANF of the concatenation of polynomials in ANF of F and G is ";
   cout << endl;
   Pol(cout,H);

   return 0;
}

If we use the Boolean functions x1x2 + x3x4 and x1 + 1 as inputs, the output would be the following:

The ANF of the concatenation of polynomials in ANF of F and G is x1x2+x3x4+x5+1

5.8 Addition of Coordinate Functions

5.8.1 Description

Definition 5.8.1. Let $F = (f_1,\ldots,f_{m_1}) \in \mathcal{F}_{n,m_1}$, $G = (g_1,\ldots,g_{m_2}) \in \mathcal{F}_{n,m_2}$, and let $(F,G) = (f_1,\ldots,f_{m_1},g_1,\ldots,g_{m_2}) \in \mathcal{F}_{n,m_1+m_2}$ be the function formed by adding their coordinate functions. Let $v \in V_{m_1+m_2}$, $v_F \in V_{m_1}$ and $v_G \in V_{m_2}$ so that $v = (v_F, v_G)$. See figure 5.5.

Theorem 5.8.1. The columns of the Walsh Spectrum of the Vector Boolean Function resulting from adding the coordinate functions of two Vector Boolean Functions are calculated by the correlation of their respective columns in the following way:

$$WS((F,G))_v = \frac{1}{2^n}\, WS(F)_{v_F} * WS(G)_{v_G}$$

where $WS((F,G))_v$ is the column of the Walsh Spectrum indexed by v.

Proof.

$$\hat{\theta}_{(F,G)}(u,v) = \hat{\chi}_{(v_F,v_G)\cdot(F,G)}(u) = \mathcal{W}\{\xi_{v_F\cdot F} * \xi_{v_G\cdot G}\}(u) = \frac{1}{2^n}\sum_{x\in V_n}\hat{\chi}_{v_F\cdot F}(u+x)\,\hat{\chi}_{v_G\cdot G}(x)$$

Fig. 5.5 Adding Coordinate functions.

Corollary 5.8.2. The columns of both WS(F) and WS(G) are contained in the matrix WS((F,G)).

Corollary 5.8.3. From corollary 5.8.2 it can be deduced:

NL((F,G)) ≤ min{NL(F), NL(G)} (5.15)

Corollary 5.8.3 is a generalization of Theorem 16 in [115]. It can be useful, for instance, to find upper bounds on the nonlinearity of S-boxes with a high number of output bits by calculating the nonlinearities of shorter S-boxes (see example 5.8.1).

5.8.2 Library

This construction can be obtained with the following method:

void addimage(VBF& X, VBF& F, VBF& G)

Example 5.8.1. The following program provides the Truth Tables of the intermediate constructions that yield the 8 × 8 S-box S0 of CLEFIA from the Truth Tables of the four 4-bit S-boxes SS0, SS1, SS2 and SS3 from which it is built, and from the Truth Table of the multiplication by 0x2 in GF(2^4) defined by the primitive polynomial x^4 + x + 1. See section 6.3 and Appendix B for further details.

#include <iostream>
#include <fstream>
#include "VBF.h"

int main(int argc, char *argv[])
{
   using namespace VBFNS;

   VBF F, G, T20, T21, U0, U1, Y0, Y1, Y;
   NTL::mat_GF2 TSS0, TSS1, TSS2, TSS3, Tmul2;
   NTL::mat_GF2 T2t0, T2t1, Tu0, Tu1, Ty0, Ty1, Ty;

   // Truth Tables of the four 4-bit S-boxes and of the multiplication by 0x2
   ifstream inputSS0("SS0.tt");
   if(!inputSS0) {
      cerr << "Error opening " << "SS0.tt" << endl;
      return 0;
   }
   inputSS0 >> TSS0;
   inputSS0.close();

   ifstream inputSS1("SS1.tt");
   if(!inputSS1) {
      cerr << "Error opening " << "SS1.tt" << endl;
      return 0;
   }
   inputSS1 >> TSS1;
   inputSS1.close();

   ifstream inputSS2("SS2.tt");
   if(!inputSS2) {
      cerr << "Error opening " << "SS2.tt" << endl;
      return 0;
   }
   inputSS2 >> TSS2;
   inputSS2.close();

   ifstream inputSS3("SS3.tt");
   if(!inputSS3) {
      cerr << "Error opening " << "SS3.tt" << endl;
      return 0;
   }
   inputSS3 >> TSS3;
   inputSS3.close();

   ifstream inputmul2("Mul2.tt");
   if(!inputmul2) {
      cerr << "Error opening " << "Mul2.tt" << endl;
      return 0;
   }
   inputmul2 >> Tmul2;
   inputmul2.close();

   cout << "t0=" << endl;
   cout << TSS0 << endl << endl;
   cout << "t1=" << endl;
   cout << TSS1 << endl << endl;

   // 0x2.t1 = Mul2 o SS1
   F.puttt(TSS1);
   G.puttt(Tmul2);
   Comp(T21,F,G);
   T2t1 = TT(T21);
   cout << "0x2.t1=" << endl;
   cout << T2t1 << endl;

   // 0x2.t0 = Mul2 o SS0
   F.kill();
   G.kill();
   F.puttt(TSS0);
   G.puttt(Tmul2);
   Comp(T20,F,G);
   T2t0 = TT(T20);
   cout << "0x2.t0=" << endl;
   cout << T2t0 << endl;

   // u0 = t0 + 0x2.t1 (direct sum of the two 4-bit functions)
   cout << "u0=t0+0x2.t1=" << endl;
   F.kill();
   F.puttt(TSS0);
   directsum(U0,F,T21);
   Tu0 = TT(U0);
   cout << Tu0 << endl;

   // u1 = 0x2.t0 + t1
   G.kill();
   cout << "u1=0x2.t0+t1=" << endl;
   G.puttt(TSS1);
   directsum(U1,T20,G);
   Tu1 = TT(U1);
   cout << Tu1 << endl;

   // y0 = SS2(u0)
   G.kill();
   cout << "y0=SS2(u0)=" << endl;
   G.puttt(TSS2);
   Comp(Y0,U0,G);
   Ty0 = TT(Y0);
   cout << Ty0 << endl;

   // y1 = SS3(u1)
   G.kill();
   cout << "y1=SS3(u1)=" << endl;
   G.puttt(TSS3);
   Comp(Y1,U1,G);
   Ty1 = TT(Y1);
   cout << Ty1 << endl;

   // y = (y0, y1): addition of the coordinate functions
   addimage(Y,Y0,Y1);
   Ty = TT(Y);
   cout << "y=(y0,y1)=" << endl;
   cout << Ty << endl;

   return 0;
}

The output of this program is described in section 6.3, Appendix B and at [156].

Note that the output of S0 S-box y ∈ F8,8 is defined by the addition of coordinate functions of both y0 ∈ F8,4 and y1 ∈ F8,4. We can see that the corollary 5.8.3 is satisfied:

100 = NL(S0) ≤ min{NL(y0), NL(y1)} = min{100,100} (5.16)

See section 6.3 for justification of these nonlinearities.
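Added example (not from the thesis or the VBF library): a lookup-table representation of vector Boolean functions that implements the functional inverse of section 5.3, including the failure case of a non-bijective table, and the addition of coordinate functions of this section, and then checks corollary 5.8.3 on NibbleSub, whose inverse Truth Table is printed in example 5.3.1. The NibbleSub values are taken from the Mini-AES specification (an assumption, not from the page) and their inverse matches that table; the vector nonlinearity is computed as the minimum over the nonzero component functions.

```python
from typing import List, Optional

# A vector Boolean function F in F_{n,m} as a lookup table: VF[x] is the m-bit image of x,
# and bit (m-1-i) of VF[x] is the coordinate function f_{i+1}(x).
VF = List[int]

# NibbleSub, the 4x4 S-box of Mini-AES (taken from its specification, not from the page);
# its inverse is exactly the Truth Table printed in example 5.3.1.
NIBBLESUB: VF = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
                 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def truth_table(f: VF, m: int) -> List[List[int]]:
    """Rows of the Truth Table in the layout VBF prints: one m-bit row per input x."""
    return [[(y >> (m - 1 - i)) & 1 for i in range(m)] for y in f]

def inverse(f: VF) -> Optional[VF]:
    """Functional inverse (definition 5.3.1), or None when F is not a permutation of V_n."""
    size = len(f)
    inv: List[Optional[int]] = [None] * size
    for x, y in enumerate(f):
        if not 0 <= y < size or inv[y] is not None:
            return None               # image out of range or hit twice: F is not bijective
        inv[y] = x
    return [int(v) for v in inv]      # every image hit exactly once: F is a permutation

def component(f: VF, v: int) -> List[int]:
    """Truth table of the component Boolean function v.F (XOR of the coordinates selected by v)."""
    return [bin(y & v).count("1") & 1 for y in f]

def walsh_max(tt: List[int]) -> int:
    """max_u |W(u)|, with W(u) = sum_x (-1)^(f(x) + u.x), by direct summation (fine for n <= 8)."""
    size = len(tt)
    return max(abs(sum(1 - 2 * (tt[x] ^ (bin(u & x).count("1") & 1)) for x in range(size)))
               for u in range(size))

def nonlinearity(f: VF, m: int) -> int:
    """NL(F) = min over v != 0 of NL(v.F) = 2^(n-1) - 1/2 max_{v != 0, u} |W_{v.F}(u)|."""
    n = len(f).bit_length() - 1
    return (1 << (n - 1)) - max(walsh_max(component(f, v)) for v in range(1, 1 << m)) // 2

def addimage(f: VF, mf: int, g: VF, mg: int) -> VF:
    """(F, G) in F_{n, mf+mg} (definition 5.8.1): the coordinates of F followed by those of G."""
    return [(a << mg) | b for a, b in zip(f, g)]

def split_coordinates(f: VF, m: int, m_high: int):
    """The reverse of addimage: the first m_high coordinates as F, the remaining ones as G."""
    m_low = m - m_high
    return [y >> m_low for y in f], [y & ((1 << m_low) - 1) for y in f]

def corollary_5_8_3_holds(f: VF, mf: int, g: VF, mg: int) -> bool:
    """NL((F, G)) <= min{NL(F), NL(G)}: every component of F or of G is also one of (F, G)."""
    return nonlinearity(addimage(f, mf, g, mg), mf + mg) <= min(nonlinearity(f, mf),
                                                                 nonlinearity(g, mg))

if __name__ == "__main__":
    inv = inverse(NIBBLESUB)
    print("Truth Table of the inverse of NibbleSub:", truth_table(inv, 4))
    print("A non-bijective table has no inverse:", inverse([0, 1, 1, 2]))
    y0, y1 = split_coordinates(NIBBLESUB, 4, 2)       # two F_{4,2} halves, like y0, y1 above
    print("NL(NibbleSub) =", nonlinearity(NIBBLESUB, 4),
          "NL(y0) =", nonlinearity(y0, 2), "NL(y1) =", nonlinearity(y1, 2),
          "corollary 5.8.3 holds:", corollary_5_8_3_holds(y0, 2, y1, 2))
```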

5.9 Bricklayer

5.9.1 Description

Definition 5.9.1. Let n1, n2, m1, m2 ≥ 1, F1 ∈ Fn1,m1, F2 ∈ Fn2,m2, and let F1|F2 ∈ Fn1+n2,m1+m2 be their Bricklayer function. Let u1 ∈ Vn1, u2 ∈ Vn2 and u = (u1,u2), v1 ∈ Vm1, v2 ∈ Vm2 and v = (v1,v2). See figure 5.6.

Fig. 5.6 Bricklayer.

Theorem 5.9.1. The elements that make up a row of the Walsh Spectrum (respectively Autocorrelation Matrix or Differential Profile) of the Bricklayer of two Vector Boolean Functions are obtained as the product of the respective components of the rows of both Walsh Spectra (respectively Autocorrelation Matrices or Differential Profiles).

$$\hat{\theta}_{F_1|F_2}(u,v) = \hat{\theta}_{F_1}(u_1,v_1)\cdot\hat{\theta}_{F_2}(u_2,v_2)$$

$$r_{F_1|F_2}(u,v) = r_{F_1}(u_1,v_1)\cdot r_{F_2}(u_2,v_2)$$

$$\delta_{F_1|F_2}(u,v) = \delta_{F_1}(u_1,v_1)\cdot\delta_{F_2}(u_2,v_2)$$

Proof.

$$\hat{\theta}_{F_1|F_2}(u,v) = \hat{\chi}_{(v_1,v_2)\cdot(F_1|F_2)}((u_1,u_2)) = \hat{\chi}_{v_1\cdot F_1}(u_1)\cdot\hat{\chi}_{v_2\cdot F_2}(u_2)$$

Proof.

$$\begin{aligned}
r_{F_1|F_2}(u,v) &= \frac{1}{2^{n_1+n_2}}\sum_{x\in V_n}\chi_{(v_1,v_2)\cdot(F_1|F_2)}(x+u)\cdot\chi_{(v_1,v_2)\cdot(F_1|F_2)}(x) \\
&= \frac{1}{2^{n_1+n_2}}\sum_{x_1\in V_{n_1}}\sum_{x_2\in V_{n_2}}\chi_{v_1\cdot F_1}(x_1+u_1)\,\chi_{v_2\cdot F_2}(x_2+u_2)\cdot\chi_{v_1\cdot F_1}(x_1)\,\chi_{v_2\cdot F_2}(x_2) \\
&= \left(\frac{1}{2^{n_1}}\sum_{x_1\in V_{n_1}}\chi_{v_1\cdot F_1}(x_1+u_1)\,\chi_{v_1\cdot F_1}(x_1)\right)\left(\frac{1}{2^{n_2}}\sum_{x_2\in V_{n_2}}\chi_{v_2\cdot F_2}(x_2+u_2)\,\chi_{v_2\cdot F_2}(x_2)\right) \\
&= r_{F_1}(u_1,v_1)\cdot r_{F_2}(u_2,v_2)
\end{aligned}$$

Proof.

$$\begin{aligned}
\delta_{F_1|F_2}(u,v) &= \frac{1}{2^{n_1+n_2+m_1+m_2}}\sum_{w\in V_m} r_{F_1|F_2}(u,w)\,\chi_v(w) \\
&= \frac{1}{2^{n_1+n_2+m_1+m_2}}\sum_{(w_1,w_2)\in V_{m_1}\times V_{m_2}} r_{F_1}(u_1,w_1)\, r_{F_2}(u_2,w_2)\,\chi_{v_1}(w_1)\,\chi_{v_2}(w_2) \\
&= \left(\frac{1}{2^{n_1+m_1}}\sum_{w_1\in V_{m_1}} r_{F_1}(u_1,w_1)\,\chi_{v_1}(w_1)\right)\left(\frac{1}{2^{n_2+m_2}}\sum_{w_2\in V_{m_2}} r_{F_2}(u_2,w_2)\,\chi_{v_2}(w_2)\right) \\
&= \delta_{F_1}(u_1,v_1)\cdot\delta_{F_2}(u_2,v_2)
\end{aligned}$$

Corollary 5.9.2. The Walsh Spectrum (respectively Autocorrelation Matrix or Differential Profile) of F1|F2 ∈ Fn,m is equal to the Kronecker product of the Walsh Spectra (respectively Autocorrelation Matrices or Differential Profiles) of F1 and F2:

$$WS(F_1|F_2) = WS(F_1) \otimes WS(F_2)$$

$$AC(F_1|F_2) = AC(F_1) \otimes AC(F_2)$$

$$DP(F_1|F_2) = DP(F_1) \otimes DP(F_2)$$

Corollary 5.9.3.

$$NL(F_1|F_2) = 2^{n_1+n_2-1} - \frac{1}{2}\cdot 2^{n_2}\cdot\max^{*}\left|\hat{\theta}_{F_1}(u_1,v_1)\right|$$

$$AC_{max}(F_1|F_2) = 2^{n_1+n_2}$$

$$LD(F_1|F_2) = 0$$

Corollary 5.9.4. The Walsh Spectrum (respectively Autocorrelation Spectrum and Differential Profile) of the Bricklayer of i Vector Boolean Functions F1|···|Fi is equal to the Kronecker product of their Walsh Spectra (respectively Autocorrelation Spectra and Differential Profiles):

$$WS(F_1|\cdots|F_i) = WS(F_1) \otimes \cdots \otimes WS(F_i)$$

$$AC(F_1|\cdots|F_i) = AC(F_1) \otimes \cdots \otimes AC(F_i) \qquad (5.17)$$

$$DP(F_1|\cdots|F_i) = DP(F_1) \otimes \cdots \otimes DP(F_i)$$

Corollary 5.9.5. Let F1|···|Fi ∈ Fn,m; the linear potential (respectively differential potential) of their Bricklayer is equal to the linear potential (respectively differential potential) of the first function.

$$lp(F_1|\cdots|F_i) = lp(F_1) \qquad (5.18)$$

$$dp(F_1|\cdots|F_i) = dp(F_1)$$

Proof.

$$lp(F_1|\cdots|F_i) = \frac{1}{2^{2(n_1+\cdots+n_i)}}\cdot\max^{*}\left(WS(F_1|\cdots|F_i)(u,v)\right)^2 = \frac{2^{2(n_2+\cdots+n_i)}}{2^{2(n_1+\cdots+n_i)}}\cdot\max^{*}\left(WS(F_1)(u_1,v_1)\right)^2 = \frac{1}{2^{2n_1}}\cdot\max^{*}\left(WS(F_1)(u_1,v_1)\right)^2 = lp(F_1)$$

On the other hand:

$$dp(F_1|\cdots|F_i) = \max^{*}\left(\delta_{F_1|\cdots|F_i}(u,v)\right) = \max^{*}\left(\delta_{F_1}(u_1,v_1)\right) = dp(F_1)$$

Theorem 5.9.6. Let F1 be an (n1,m1,t1)-resilient function and F2 be an (n2,m2,t2)-resilient function; then:

$$F_1|F_2 \text{ is an } (n_1+n_2,\ m_1+m_2,\ \min\{t_1,t_2\})\text{-resilient function} \qquad (5.19)$$

Proof.

$$\begin{aligned}
&(F_1 \text{ is an } (n_1,m_1,t_1)\text{-resilient function}) \wedge (F_2 \text{ is an } (n_2,m_2,t_2)\text{-resilient function}) \\
&\Rightarrow \left(\hat{\theta}_{F_1}(u_1,v_1) = 0,\ \forall u_1\in V_{n_1},\ 0 \leq wt(u_1) \leq t_1,\ \forall v_1 \neq 0 \in V_{m_1}\right) \wedge \left(\hat{\theta}_{F_2}(u_2,v_2) = 0,\ \forall u_2\in V_{n_2},\ 0 \leq wt(u_2) \leq t_2,\ \forall v_2 \neq 0 \in V_{m_2}\right) \\
&\Rightarrow \hat{\theta}_{F_1}(u_1,v_1)\cdot\hat{\theta}_{F_2}(u_2,v_2) = 0,\ \forall (u_1,u_2)\in V_{n_1}\times V_{n_2},\ 0 \leq wt((u_1,u_2)) \leq \min\{t_1,t_2\},\ \forall (v_1,v_2) \neq 0 \in V_{m_1}\times V_{m_2} \\
&\Rightarrow \hat{\theta}_{F_1|F_2}(u,v) = 0,\ \forall u\in V_{n_1+n_2},\ 0 \leq wt(u) \leq \min\{t_1,t_2\},\ \forall v \neq 0 \in V_{m_1+m_2}
\end{aligned}$$

Corollary 5.9.7. If F1 and F2 are balanced, then F1|F2 is also balanced.

Example 5.9.1. Let us denote by S the result of bricklayering all the DES S-boxes Si ∈ F6,4, i = 1,...,8, so that S = S1|···|S8 (see figure 5.7). Thanks to corollaries 5.9.3 and 5.9.5, the nonlinearity, absolute indicator, linearity distance, linear potential and differential potential of S can be calculated by computing these same criteria for the S1 S-box alone. With this approach we only have to manage a $2^6 \times 2^4$ matrix instead of a $2^{48} \times 2^{32}$ matrix.

Fig. 5.7 DES S-boxes.

Table 5.1 Results of spectral radius (R), NL, lp, dp, ACmax and LD for the bricklayer of the DES S-boxes.

Criterion   S1            S = S1|···|S8
R           36            36 · 2^{7·6}
NL          14            2^{48−1} − (1/2) · 36 · 2^{7·6} = 2^{47} − 18 · 2^{42} = 61572651155456
lp          0.31640625    0.31640625
dp          0.25          0.25
ACmax       48            2^{6·8} = 281474976710656
LD          4             0

5.9.2 Library

It can be obtained with the following method:

void bricklayer(VBF& X, VBF& F, VBF& G)

Example 5.9.2. KHAZAD is a block cipher designed by Paulo S. L. M. Barreto together with Vincent Rijmen, which was presented at the first NESSIE workshop in 2000 and, after some small changes, was selected as a finalist in the project. This cipher uses an 8 × 8 S-box composed of smaller pseudo-randomly generated 4 × 4 mini S-boxes (the P-box and the Q-box), as represented in figure 5.8. The following program provides the Truth Tables of the intermediate constructions that yield the KHAZAD S-box from the P and Q mini S-boxes and the permutation applied between them.

Fig. 5.8 KHAZAD S-box construction.

#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // ifstream, cout, cerr, endl

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF P, Q, PQ, R, QP, S, T, U, A;
    NTL::mat_GF2 Tp, Tq;   // Truth Tables of the P and Q mini S-boxes
    NTL::vec_ZZ r;         // permutation applied between the bricklayers

    // Read the Truth Table of P
    ifstream inputp("P.tt");
    if (!inputp) {
        cerr << "Error opening " << "P.tt" << endl;
        return 0;
    }
    inputp >> Tp;
    P.puttt(Tp);
    inputp.close();

    // Read the Truth Table of Q
    ifstream inputq("Q.tt");
    if (!inputq) {
        cerr << "Error opening " << "Q.tt" << endl;
        return 0;
    }
    inputq >> Tq;
    Q.puttt(Tq);
    inputq.close();

    // Read the permutation R
    ifstream input("R.per");
    if (!input) {
        cerr << "Error opening " << "R.per" << endl;
        return 0;
    }
    input >> r;
    R.putper(r);
    input.close();

    // First bricklayer: PQ = P|Q
    bricklayer(PQ, P, Q);
    cout << "Bricklayer of P and Q=" << endl;
    cout << TT(PQ) << endl;

    // S = R o (P|Q)
    Comp(S, PQ, R);
    cout << "Composition of 1st bricklayer with permutation=" << endl;
    cout << TT(S) << endl;

    // Second bricklayer: QP = Q|P
    bricklayer(QP, Q, P);
    cout << "Bricklayer of Q and P=" << endl;
    cout << TT(QP) << endl;

    // T = (Q|P) o S
    Comp(T, S, QP);
    cout << "Composition of previous result with 2nd bricklayer=" << endl;
    cout << TT(T) << endl;

    // U = R o T
    Comp(U, T, R);
    cout << "Composition of previous result with permutation=" << endl;
    cout << TT(U) << endl;

    // A = (P|Q) o U, the KHAZAD S-box
    Comp(A, U, PQ);
    cout << "Composition of previous result with 1st bricklayer=" << endl;
    cout << TT(A) << endl;

    return 0;
}

If we use the Truth Tables of P and Q and the representation of the permutation between them, the output is the set of Truth Tables described in [156]. At http://vbflibrary.tk you can check the results of Table 5.2.

Table 5.2 Results of spectral radius (r), NL, lp, dp, ACmax and LD for the bricklayer of the P and Q mini S-boxes.

S-box                                        r     NL    lp         dp        ACmax   LD
P                                            8     4     0.25       0.25      8       2
Q                                            8     4     0.25       0.25      8       2
P|Q                                          128   64    0.25       0.25      256     0
Q|P                                          128   64    0.25       0.25      256     0
R ∘ (P|Q)                                    128   64    0.25       0.25      256     0
(Q|P) ∘ (R ∘ (P|Q))                          96    80    0.140625   0.125     160     24
R ∘ ((Q|P) ∘ (R ∘ (P|Q)))                    96    80    0.140625   0.125     160     24
S = (P|Q) ∘ (R ∘ ((Q|P) ∘ (R ∘ (P|Q))))      64    96    0.0625     0.03125   104     38

Example 5.9.3. The following program provides the balancedness and correlation immunity (resiliency) of two Vector Boolean functions F and G given their Truth Tables in hexadecimal representation, and calculates the same criteria for the bricklayer of F and G.

#include <iostream>
#include <fstream>
#include "VBF.h"

using namespace std;   // ifstream, cout, cerr, endl

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    VBF F, G, H;

    // Read the hexadecimal Truth Table of F
    ifstream input1(argv[1]);
    if (!input1) {
        cerr << "Error opening " << argv[1] << endl;
        return 0;
    }
    F.putHexTT(input1);
    input1.close();

    // Read the hexadecimal Truth Table of G
    ifstream input2(argv[2]);
    if (!input2) {
        cerr << "Error opening " << argv[2] << endl;
        return 0;
    }
    G.putHexTT(input2);
    input2.close();

    cout << "Correlation immunity of F: " << CI(F) << endl;
    if (Bal(F)) {
        cout << "F is a balanced function" << endl;
    } else {
        cout << "F is a non-balanced function" << endl;
    }

    cout << "Correlation immunity of G: " << CI(G) << endl;
    if (Bal(G)) {
        cout << "G is a balanced function" << endl;
    } else {
        cout << "G is a non-balanced function" << endl;
    }

    // H = F|G
    bricklayer(H, F, G);

    cout << "Correlation immunity of F bricklayer G: " << CI(H) << endl;
    if (Bal(H)) {
        cout << "F bricklayer G is a balanced function" << endl;
    } else {
        cout << "F bricklayer G is a non-balanced function" << endl;
    }

    return 0;
}

If we use the Boolean functions with the following Truth Tables (in hexadecimal representation) as inputs:

6cb405778ea9bd30

5c721bcaac27b1c5

The output would be the following:

Correlation immunity of F: 1
F is a balanced function
Correlation immunity of G: 2
G is a balanced function
Correlation immunity of F bricklayer G: 1
F bricklayer G is a balanced function

These results are congruent with theorem 5.9.6.
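As an added example that is not code from the thesis or from the VBF library, the following Python reimplements balancedness, correlation immunity and the bricklayer construction over Truth Tables and runs them on the two hexadecimal Truth Tables of Example 5.9.3, so that the minimum rule of Theorem 5.9.6 can be checked independently. The decoding order of the hex digits is an assumption; neither criterion depends on it, because any other consistent order only permutes or complements the input variables.

```python
"""Balancedness, correlation immunity and bricklayer of Vector Boolean functions
(added example, not the VBF library)."""


def hex_tt_to_bits(hex_tt):
    """Decode a hexadecimal Truth Table into a list of 2^n truth values.

    Assumed convention: each hex digit yields four consecutive entries, most
    significant bit first.  A different order would only permute or complement
    the input variables, which leaves balancedness and CI unchanged.
    """
    bits = []
    for ch in hex_tt.strip():
        v = int(ch, 16)
        bits.extend(((v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1))
    n = len(bits).bit_length() - 1
    if 1 << n != len(bits):
        raise ValueError("truth table length must be a power of two")
    return n, bits


class VBF:
    """F: V_n -> V_m stored as a Truth Table: table[x] is the m-bit output."""

    def __init__(self, n, m, table):
        if len(table) != 1 << n:
            raise ValueError("table must have 2^n rows")
        self.n, self.m, self.table = n, m, list(table)

    @classmethod
    def from_hex_tt(cls, hex_tt):
        n, bits = hex_tt_to_bits(hex_tt)
        return cls(n, 1, bits)

    def component(self, v):
        """The Boolean function v.F (inner product of the output with v != 0)."""
        return [bin(y & v).count("1") & 1 for y in self.table]


def walsh_spectrum(f):
    """W_f(u) = sum_x (-1)^(f(x) + u.x), by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def is_balanced(F):
    """F is balanced iff every non-trivial component v.F has W(0) = 0."""
    return all(walsh_spectrum(F.component(v))[0] == 0 for v in range(1, 1 << F.m))


def correlation_immunity(F):
    """Largest t with W_{v.F}(u) = 0 for every v != 0 and every 1 <= wt(u) <= t."""
    best = F.n
    for v in range(1, 1 << F.m):
        w = walsh_spectrum(F.component(v))
        t = 0
        while t < F.n and all(
            w[u] == 0 for u in range(1, 1 << F.n) if bin(u).count("1") == t + 1
        ):
            t += 1
        best = min(best, t)
    return best


def bricklayer(F, G):
    """F|G: (x, y) -> (F(x), G(y)); the input index is x * 2^n2 + y and the
    output holds F(x) in the high m1 bits and G(y) in the low m2 bits."""
    table = [(F.table[x] << G.m) | G.table[y]
             for x in range(1 << F.n) for y in range(1 << G.n)]
    return VBF(F.n + G.n, F.m + G.m, table)


def analyse_example():
    """The two Truth Tables of Example 5.9.3 and their bricklayer."""
    F = VBF.from_hex_tt("6cb405778ea9bd30")
    G = VBF.from_hex_tt("5c721bcaac27b1c5")
    H = bricklayer(F, G)
    return {name: (correlation_immunity(X), is_balanced(X))
            for name, X in (("F", F), ("G", G), ("F|G", H))}


if __name__ == "__main__":
    for name, (ci, bal) in analyse_example().items():
        print(f"Correlation immunity of {name}: {ci}; balanced: {bal}")
```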

5.10 Summary

Table 5.3 lists the member functions related to the previous characterizing elements.

Table 5.3 Constructions over VBF.

SYNTAX                                    DESCRIPTION
long operator==(VBF& F, VBF& G)           Returns 1 if F and G are equal, 0 otherwise
void Comp(VBF& X, VBF& F, VBF& G)         X = G ∘ F
void inv(VBF& X, VBF& A)                  X = A^{−1}
void sum(VBF& X, VBF& F, VBF& G)          X = F + G
void directsum(VBF& X, VBF& F, VBF& G)    X(x,y) = F(x) + G(y)
void concat(VBF& X, VBF& F, VBF& G)       X(x,x_{n+1}) = (x_{n+1} + 1)F(x) + x_{n+1}G(x)
void concatpol(VBF& X, VBF& F, VBF& G)    X(x_1,...,x_{n_1},x_{n_1+1},...,x_{n_1+n_2}) = F(x_1,...,x_{n_1}) + G(x_{n_1+1},...,x_{n_1+n_2})
void addimage(VBF& X, VBF& F, VBF& G)     X = (F,G)
void bricklayer(VBF& X, VBF& F, VBF& G)   X = F|G

Chapter 6

Security Evaluation of Cryptographic Algorithms

Substitution boxes (often called S-boxes) are Vector Boolean functions typically used in the iterative round functions of block ciphers, but they have also been used as components of keystream generators in stream ciphers and in the round function of cryptographic hash functions. S-boxes are one of the few nonlinear components of cryptosystems. They are also capable of providing additional cryptographic properties to a cipher and confusion to the system as a whole. In view of the successful existing cryptanalytic attacks on cryptosystems which attempt to exploit weaknesses in cipher components, the analysis of S-boxes and their criteria is an important and necessary ongoing area of research. The preceding chapters of this thesis discussed the representations, characterizations, cryptographic criteria and constructions that the VBF library supports. In this chapter we apply VBF library methods to assess the security of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of security assessments of modern cryptographic algorithms apart from those described in this chapter.

6.1 KASUMI Cipher Algorithm Evaluation

In the following, several functional components of KASUMI are studied using VBF with the aim of revealing any weakness that could be used as a basis for an attack on the entire algorithm. Such a study characterizes the S-boxes as well as the FI function.

6.1.1 S-boxes Characterization

The study of S-boxes S7 and S9 shows that they are Almost Perfect Non-linear (APN) bijective Boolean mappings. In fact, a linear approximation analysis shows that the S7 nonlinearity (item NL in Table 6.3) is equal to 56, which is the maximum value for an S-box with 7 input variables. Its linear potential (item lp in Table 6.3) is equal to 0.015625 and it has a second order nonlinearity (item NL2 in Table 6.3) of 36. Concerning S9, the value of the nonlinearity is equal to 240, which equals the best known upper bound for a balanced Boolean function with 9 input variables. Its linear potential is equal to 0.00390625. From these results, we can conclude that S7 and S9 offer the best immunity against linear attacks.

A differential approximation analysis shows that the S7 linearity distance is equal to 28 over a maximum value of 32 and its differential potential is equal to 0.015625. Finally, the value of the linearity distance of S9 is equal to 0 and its differential potential is equal to 0.00390625. S9 has 511 linear structures, which are described within the KASUMI cipher analysis in [156]. Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structure, but S9 does not satisfy this requirement.

The algebraic normal forms of S7 and S9 are given by (6.1) and (6.2) respectively:

f_1 = x_5x_6 + x_4x_6x_7 + x_3x_7 + x_2x_6 + x_2x_4 + x_1 + x_1x_6x_7 + x_1x_4x_5 + x_1x_3x_6 + x_1x_2x_7
f_2 = 1 + x_5 + x_5x_7 + x_4x_7 + x_4x_5x_6 + x_3x_5x_7 + x_2x_7 + x_2x_5 + x_2x_3 + x_1x_6 + x_1x_5x_6 + x_1x_4x_7 + x_1x_3x_4 + x_1x_2x_5
f_3 = 1 + x_5x_7 + x_4 + x_4x_6 + x_3x_6 + x_3x_6x_7 + x_3x_4x_5 + x_2x_7 + x_2x_4x_6 + x_2x_3x_7 + x_1x_6 + x_1x_4 + x_1x_4x_7 + x_1x_2
f_4 = x_6 + x_5x_6x_7 + x_3x_6 + x_3x_4 + x_2x_7 + x_2x_6x_7 + x_2x_4x_5 + x_2x_3x_6 + x_1x_5 + x_1x_4x_6
f_5 = 1 + x_7 + x_4x_7 + x_4x_5 + x_3x_5x_6 + x_3x_4x_7 + x_2x_6 + x_2x_5x_7 + x_1x_7 + x_1x_6x_7 + x_1x_5 + x_1x_3
f_6 = 1 + x_6x_7 + x_3x_7 + x_3x_5 + x_2 + x_2x_5x_6 + x_2x_4x_7 + x_1 + x_1x_5x_7 + x_1x_4 + x_1x_2x_3
f_7 = x_4x_6 + x_3 + x_3x_6x_7 + x_2 + x_2x_5 + x_2x_3x_4 + x_1 + x_1x_7 + x_1x_6 + x_1x_4 + x_1x_3x_5 + x_1x_2x_6 + x_1x_2x_3   (6.1)

f_1 = x_8x_9 + x_7 + x_7x_8 + x_5x_6 + x_4x_8 + x_4x_7 + x_3x_8 + x_3x_5 + x_2 + x_1x_7 + x_1x_6
f_2 = 1 + x_8x_9 + x_7x_9 + x_7x_8 + x_6 + x_6x_9 + x_6x_7 + x_4x_5 + x_3x_7 + x_3x_6 + x_2x_7 + x_2x_4 + x_1
f_3 = x_9 + x_6x_7 + x_4x_8 + x_4x_7 + x_4x_5 + x_3x_6 + x_3x_5 + x_3x_4 + x_2 + x_1x_8 + x_1x_6 + x_1x_4 + x_1x_2
f_4 = 1 + x_7 + x_5x_8 + x_4x_5 + x_3x_9 + x_3x_8 + x_2x_6 + x_2x_5 + x_2x_3 + x_1x_4 + x_1x_3 + x_1x_2
f_5 = x_8x_9 + x_6x_8 + x_5 + x_4x_9 + x_3x_6 + x_2x_9 + x_2x_3 + x_1x_8 + x_1x_7 + x_1x_6
f_6 = x_9 + x_7x_8 + x_6x_9 + x_5x_7 + x_4 + x_3x_9 + x_3x_8 + x_2x_5 + x_1x_9 + x_1x_8 + x_1x_2
f_7 = 1 + x_8 + x_6x_9 + x_5x_6 + x_4x_9 + x_3x_7 + x_3x_6 + x_3x_4 + x_2x_5 + x_2x_4 + x_2x_3 + x_1 + x_1x_9
f_8 = 1 + x_8 + x_8x_9 + x_6x_7 + x_5x_9 + x_5x_8 + x_4x_9 + x_4x_6 + x_3 + x_2x_8 + x_2x_7 + x_1x_4
f_9 = 1 + x_7x_9 + x_6 + x_4x_7 + x_3x_4 + x_2x_9 + x_2x_8 + x_2x_7 + x_1x_5 + x_1x_4 + x_1x_2   (6.2)

These forms show that the algebraic degree of S7 is 3 and the algebraic degree of S9 is 2. The algebraic degree of both S-boxes is low, and a higher order differential attack can be executed against them. The component algebraic immunity of S7 is equal to 3 and that of S9 is 2. As a consequence, algebraic attacks by solving a system of multivariate algebraic equations can be executed against S7 and especially against S9. Concerning the cycle structure, S7 and S9 have no obvious deficiencies, e.g. a large number of transpositions. S7 has one fixed point, S7(0,0,1,1,0,1,1) = (0,0,1,1,0,1,1), and no negated fixed points. S9 has one fixed point, S9(0,1,0,0,1,0,1,1,1) = (0,1,0,0,1,0,1,1,1), and one negated fixed point, S9(1,0,0,0,1,1,0,0,0) = (0,1,1,1,0,0,1,1,1). The cycle structure of the S7 and S9 permutations is shown in Table 6.1 and Table 6.2:

Table 6.1 Cycle structure for S7.

Cycle length for S7   Number of cycles for S7
1                     1
13                    1
22                    1
92                    1

Table 6.2 Cycle structure for S9.

Cycle length for S9   Number of cycles for S9
1                     2
2                     1
12                    1
26                    1
74                    1
121                   1
275                   1

Regarding the second moment of the auto-correlation coefficients, for S7 the absolute indicator is 16 and the sum-of-squares indicator is 32768. For S9 the absolute indicator is 512 and the sum-of-squares indicator is 524288. From these results, we can conclude that S7 achieves a fairly good diffusion since its absolute indicator is nearer the lower theoretical bound, 0, than the upper bound, 128, and similarly for the sum-of-squares indicator, where the theoretical bounds are 16384 and 2097152. S9 does not achieve a good diffusion because its absolute indicator coincides with the upper bound, 512, while its sum-of-squares indicator is quite close to the lower bound of 262144. A summary of these criteria is given in Tables 6.3 and 6.4:

Table 6.3 S7 and S9 Cryptographic criteria.

S-box   NL    NL2   LD   deg   AI   ACmax   σ
S7      56    36    28   3     3    16      32768
S9      240   0     0    2     2    512     524288

Table 6.4 S7 and S9 Cryptographic criteria.

S-box   lp           dp
S7      0.015625     0.015625
S9      0.00390625   0.00390625

The Walsh Spectra of the S7 and S9 mappings are three-valued (apart from the first row and column): 16, 0 and −16 for S7, and 32, 0 and −32 for S9. The Linear Profiles of the S7 and S9 mappings are two-valued (apart from the first row and column): 0 and 256 for S7, and 0 and 1024 for S9. The Differential Profiles of the S7 and S9 mappings are two-valued (apart from the first row and column): 0 and 32768 for S7, and 0 and 524288 for S9. The Autocorrelation Spectrum of the S7 mapping is four-valued, 128, 16, −16 and 0, and that of S9 is three-valued: 512, −512 and 0. A Walsh Spectrum taking few values indicates good cryptographic properties, see [64]. The cryptanalysis performed in this section provides, to the best of our knowledge, new results about S7 and S9 that do not appear in [1]. For example, representations of both S-boxes as Truth Table, polynomials in ANF, ANF tables and Walsh Spectrum are calculated; in addition, cryptographic criteria such as nonlinearity, second order nonlinearity, linearity distance, algebraic immunity, absolute indicator and sum-of-squares indicator are also computed.

6.1.2 FI Function Characterization

The algebraic degree of the FI function for all the possible 65536 values of the key has been analyzed. This study reveals that two values of algebraic degree are obtained: 15 and 16, with a frequency of 32931 and 32605 respectively. Such degrees reveal that FI has a very good resistance against higher order differential attacks, as the maximum possible algebraic degree is 16. Concerning the cycle structure, the FI function was analyzed for all the possible 65536 values of the key. There are key values for which the number of cycles is quite high; for example, the key 0xa77b has the maximum number of cycles, 2907. This number of cycles is more than three times the proportion that was present in S9. In this case, a higher number of transpositions was expected, and this could reveal some kind of deficiency. For several keys, this function has a significant amount of fixed points and/or negated fixed points. The maximum number of fixed points is 6 for the key values:

0x57bc, 0x5c38, 0x6bfe, 0x7b4b, 0x85c2, 0x987e, 0x9a32, 0xa3ef, 0xa5ab, 0xacbb, 0xb0b4, 0xb0e5, 0xb327, 0xb5c7, 0xb90d, 0xc4ee, 0xc7e4, 0xca74, 0xcb5d, 0xcb5d, 0xcd11, 0xcdbe, 0xce24, 0xd5da, 0xe3ce, 0xe4eb, 0xe531, 0xea3b, 0xef5c, 0xf276, 0xf59e, 0xfd44   (6.3)

The maximum number of negated fixed points is 7 for the key values:

0x2c3c, 0x4041, 0x4343, 0x06e9, 0x518f, 0x59ac, 0xa161, 0xa244, 0xab77, 0xe1d1, 0x1aee, 0x1df0   (6.4)

The key value 0xb0b4 has 10 fixed or negated fixed points, and a number of key values have 9 fixed or negated fixed points:

0x3bd0, 0x4343, 0x5e94, 0x5ff3, 0x6271, 0x682d, 0x6e45, 0x99e3, 0xab77, 0xb750, 0xc5da, 0xd5da, 0x167d, 0x1df0   (6.5)

This number of fixed and/or negated fixed points is not very high compared with the total number of possible inputs/outputs, 65536, and we may, therefore, conclude that the FI function is reasonably well designed. The Walsh Spectra of FI for several keys have also been computed, and from these the nonlinearities and linear potentials of FI for the 65536 keys have been obtained. Nonlinearities range from 31534 (with the keys 081e, 2d71 and 52c4) to 32049 (with the key c6a6) and linear potentials from 0.00048146 to 0.00141818. Although these nonlinearity values are far from the maximum possible, 32640, the linear potentials do not reveal an obvious vulnerability to linear attacks. As a summary, the KASUMI analysis with VBF provides values for the characteristics analyzed that are similar to those obtained in previous studies [1]. In addition, new characteristics such as the algebraic degree, cycle structure, fixed points, negated fixed points and nonlinearities are also provided. A detailed description of the KASUMI cipher analysis is given in [156].

6.2 Mini-AES Cipher Algorithm Evaluation

6.2.1 S-box Characterization

The study of the NibbleSub S-box shows that it defines Almost Perfect Non-linear (APN) bijective Boolean mappings. In fact, a linear approximation analysis shows that the nonlinearity is equal to 2, while the maximum value for an S-box with 4 input variables is 5. Its linear potential is equal to 0.5625 and it has a second order nonlinearity of 0. From these results, we can conclude that NibbleSub does not offer good immunity against linear attacks for a 4 × 4 S-box. A differential approximation analysis shows that the NibbleSub linearity distance is equal to 0 over a maximum value of 4 and its differential potential is equal to 0.5. NibbleSub has 7 linear structures, which are described within the mini-AES cipher analysis in [156]. From the previous results, we can conclude that NibbleSub does not have optimal immunity against differential attacks. The algebraic normal form of NibbleSub is:

f_1 = 1 + x_4 + x_2 + x_2x_3 + x_2x_3x_4 + x_1 + x_1x_2 + x_1x_2x_3
f_2 = 1 + x_3x_4 + x_2 + x_2x_4 + x_1 + x_1x_3 + x_1x_3x_4
f_3 = 1 + x_4 + x_3 + x_3x_4 + x_2x_4 + x_2x_3 + x_1x_4 + x_1x_3 + x_1x_2 + x_1x_2x_4 + x_1x_2x_3
f_4 = x_3 + x_2x_4 + x_1 + x_1x_4 + x_1x_3x_4   (6.6)

These forms show that the algebraic degree of NibbleSub is 2, which is not high enough to be immune against higher order differential attacks. The component algebraic immunity is equal to 2; as a consequence, algebraic attacks by solving a system of multivariate algebraic equations can be easily executed. Concerning the cycle structure, it has no obvious deficiencies, such as a large number of transpositions; in addition, it has no fixed point and two negated fixed points, (0,0,1,0) and (0,1,1,1). The cycle structure is given in Table 6.5.

Table 6.5 Cycle structure.

Cycle Length   Number of cycles
2              1
14             1

Regarding the second moment of the auto-correlation coefficients, the absolute indicator is equal to 16 and the sum-of-squares indicator is 1408. Hence, NibbleSub does not achieve a good diffusion because its absolute indicator reaches the upper bound of 16 while its sum-of-squares indicator is quite close to the upper bound 4096. A summary of the results for these criteria is represented in Table 6.6:

Table 6.6 NibbleSub Cryptographic criteria.

S-box       NL   NL2   LD   deg   AI   ACmax   σ      lp       dp
NibbleSub   2    0     0    2     2    16      1408   0.5625   0.5

Excluding the value of the first row and column, the Walsh Spectrum of the NibbleSub mapping takes values among 12, 8, 4, 0, −4, −8 and −12; the Linear Profile takes values among 144, 64, 16 and 0; the Differential Profile takes values among 2048, 1536, 1024, 512 and 0; finally, the Autocorrelation Spectrum is five-valued: 16, 8, 0, −8 and −16.

6.2.2 Mini-AES Cipher Characterization

The algebraic degree of Mini-AES for all the possible 65536 values of the key has been analyzed. This study reveals that only one value of algebraic degree is obtained, 14, which indicates that Mini-AES has a fairly good resistance against higher order differential attacks since the maximum possible algebraic degree is 16. In addition, the cycle structure of Mini-AES was analyzed for all the possible 65536 values of the key. It was found that no key values provide a high number of cycles: the key (expressed in hexadecimal representation) 0x9e06 has the maximum number of cycles, 28. No deficiency is expected with respect to this criterion.

For several keys, this cipher has a relevant amount of fixed points and/or negated fixed points. The maximum number of fixed points is 7 for the key values 0x0352, 0x4661, 0x5557 and 0x783f. The maximum number of negated fixed points is 9 for the key values 0x1d9b and 0x7734. The key values 0x1d9b and 0x4661 have 11 fixed or negated fixed points, and several values have 10 fixed or negated fixed points:

0x010a, 0x0164, 0x1ce9, 0x24cd, 0x2e38, 0x4a15, 0x5015, 0x7734, 0x783f, 0x9868, 0x9f18, 0xa8af, 0xaec4, 0xbc85, 0xc9ca, 0xdb09, 0xf580   (6.7)

This number of fixed and/or negated fixed points is not very high when compared with the total number of possible inputs/outputs (65536). We can conclude that the Mini-AES cipher is reasonably well designed from this point of view.

Several Walsh Spectra of Mini-AES for different keys have also been computed, and from these the nonlinearities and linear potentials of Mini-AES for the 65536 keys have been obtained. Nonlinearities range from 31432 (with the key 69b0) to 32040 (with the key f7de) and linear potentials from 0.000493586 to 0.001662314. Although these nonlinearities are far from the maximum possible nonlinearity, 32640, the linear potentials do not reveal an obvious vulnerability to linear attacks.

6.3 CLEFIA

CLEFIA is a 128-bit block cipher designed by Sony Corporation [36] which employs two different types of 8-bit S-boxes: the first one, called S0, is based on four 4-bit random S-boxes, whereas the second one, called S1, is based on the inverse function over GF(2^8). Figures 6.1 and 6.2 show the output values of S0 and S1, respectively. In these figures all values are expressed in hexadecimal form. For an 8-bit input of the S-box, the upper 4 bits indicate a row and the lower 4 bits indicate a column. For example, if we take the value 0xab as an input to S0, 0x7e will be the corresponding output, since 7e is located at the crossing of the row indexed by “a.” and the column indexed by “.b”.

Fig. 6.1 CLEFIA S0.

Fig. 6.2 CLEFIA S1.

6.3.1 S0

S0 ∈ F_{8,8} is generated by combining four 4-bit S-boxes SS0, SS1, SS2 and SS3 in the following way. The values of these S-boxes are defined as shown in Table 6.7 and their Truth Tables are in Section B.1.

Step 1. t_0 = SS0(x_0), t_1 = SS1(x_1), where x = x_0|x_1, x_i ∈ V_4
Step 2. u_0 = t_0 + 0x2 · t_1, u_1 = 0x2 · t_0 + t_1   (6.8)
Step 3. y_0 = SS2(u_0), y_1 = SS3(u_1), where y = y_0|y_1, y_i ∈ V_4

Table 6.7 Tables of CLEFIA S-boxes SSi(0 ≤ i ≤ 3).

x        0 1 2 3 4 5 6 7 8 9 a b c d e f
SS0(x)   e 6 c a 8 7 2 f b 1 4 0 5 9 d 3
SS1(x)   6 4 0 d 2 b a 3 9 c e f 8 7 5 1
SS2(x)   b 8 5 e a 6 4 c f 7 2 3 1 0 d 9
SS3(x)   a 2 6 d 3 4 5 e 0 7 8 9 b f c 1

The multiplication in 0x2 · t_i is performed in GF(2^4) defined by the lexicographically first primitive polynomial x^4 + x + 1. Here we provide the table of the multiplication of 0x2 by an element modulo x^4 + x + 1. The entries in Table 6.8 are represented in hexadecimal notation for compactness. The column indices represent the element to be multiplied by 0x2 modulo x^4 + x + 1, and the resulting product is given by the corresponding entry in the column. Its Truth Table can be seen in Section B.2. Figure 6.3 shows the construction of S0.

Table 6.8 Table of the multiplication 0x2 · x.

x         0 1 2 3 4 5 6 7 8 9 a b c d e f
0x2 · x   0 2 4 6 8 a c e 3 1 7 5 b 9 f d

Hence, CLEFIA S0 can be denoted by:

S0(x_0,x_1) = (SS2(SS0(x_0) ⊕ Mul2(SS1(x_1))), SS3(Mul2(SS0(x_0)) ⊕ SS1(x_1)))

where the symbol ⊕ refers to the direct sum of functions and Mul2(x) = 0x2 · x. Table 6.9 summarizes the values of the spectral radius, nonlinearity, linear potential, differential potential, absolute indicator and linearity distance of the several constructions from Step 1 to Step 3 up to obtaining S0 (there, the symbol ∘ refers to the composition of functions).

Fig. 6.3 CLEFIA S-box S0.

Table 6.9 Results of spectral radius (r),NL,lp,dp,ACmax and LD for CLEFIA S0 construction.

S-box                       r    NL    lp             dp          ACmax   LD
t_0 = SS0                   8    4     0.25           0.25        16      0
t_1 = SS1                   8    4     0.25           0.25        16      0
SS2                         8    4     0.25           0.25        16      0
SS3                         8    4     0.25           0.25        16      0
Mul2(x) = 0x2 · x           16   0     1              1           16      0
0x2 · t_0 = Mul2 ∘ SS0      8    4     0.25           0.25        16      0
0x2 · t_1 = Mul2 ∘ SS1      8    4     0.25           0.25        16      0
u_0 = SS0 ⊕ (Mul2 ∘ SS1)    64   96    0.0625         0.25        256     0
u_1 = (Mul2 ∘ SS0) ⊕ SS1    64   96    0.0625         0.25        256     0
y_0 = SS2 ∘ u_0             56   100   0.0478515625   0.15625     96      40
y_1 = SS3 ∘ u_1             56   100   0.0478515625   0.15625     88      42
S0 = y = (y_0,y_1)          56   100   0.0478515625   0.0390625   96      40

Note that the criteria are unaltered when the multiplication 0x2 · t_i is performed. u_0 and u_1 are constructed by direct sum, and the spectral radius, linear potential and absolute indicator of both input Vector Boolean functions are multiplied while the differential potential is maintained. y is obtained by adding the coordinate functions y_0 and y_1, and the criteria from the input functions are maintained except for the differential potential, which is multiplied by 2; the resulting absolute indicator is equal to the maximum of the input absolute indicators and consequently the linearity distance is equal to the minimum of the input linearity distances. CLEFIA’s authors declare lp(S0) to be 2^{−4.38} = 0.04802734941525, which is very close to the value calculated via VBF: 0.0478515625. They also declare dp(S0) to be 2^{−4.67} = 0.03928166795381, where the value computed via VBF is 0.0390625. In CLEFIA, GF(2^8) is constructed with the irreducible polynomial g(x) = x^8 + x^4 + x^3 + x^2 + 1. The Trace representation of S0 is described in Section B.4. The number of terms over this irreducible polynomial is 246, close to the maximum value, 255, for a permutation over GF(2^8). This fact makes it very unlikely that an interpolation attack will be of any threat to CLEFIA. Table 6.10 summarizes the values of the algebraic degree, algebraic immunity, sum-of-squares indicator and correlation immunity of S0.

Table 6.10 Results of deg,AI,σ,CI for CLEFIA S0 construction.

S-box                       deg   AI   σ        CI
t_0 = SS0                   2     2    1024     0
t_1 = SS1                   2     2    1024     0
SS2                         2     2    1024     0
SS3                         2     2    1024     0
Mul2(x) = 0x2 · x           1     1    4096     0
0x2 · t_0 = Mul2 ∘ SS0      2     2    1024     0
0x2 · t_1 = Mul2 ∘ SS1      2     2    1024     0
u_0 = SS0 ⊕ (Mul2 ∘ SS1)    3     3    256      1
u_1 = (Mul2 ∘ SS0) ⊕ SS1    3     3    256      1
y_0 = SS2 ∘ u_0             6     4    269056   1
y_1 = SS3 ∘ u_1             6     4    246784   1
S0 = y = (y_0,y_1)          6     4    269056   0

CLEFIA’s authors declare deg(S0) to be 6, which is exactly the same value calculated via the VBF library.
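The following Python, added here and not code from the thesis or from CLEFIA’s designers, builds S0 from the SS_i tables of Table 6.7 following Steps 1 to 3 of (6.8), recomputes the 0x2 · x table of Table 6.8, checks the S0(0xab) = 0x7e example and computes the differential potential of the resulting S-box for comparison with the last row of Table 6.9. The definition of dp used (largest difference distribution entry divided by 2^8) and the nibble order x = x_0|x_1 with x_0 the upper nibble are assumptions.

```python
"""CLEFIA S0 from its four 4-bit S-boxes (added example, not the designers' code)."""

# Table 6.7, transcribed from the page: SSi(x) for x = 0, 1, ..., f.
SS = [
    [int(c, 16) for c in "e6ca872fb14059d3"],  # SS0
    [int(c, 16) for c in "640d2ba39cef8751"],  # SS1
    [int(c, 16) for c in "b85ea64cf72310d9"],  # SS2
    [int(c, 16) for c in "a26d345e0789bfc1"],  # SS3
]


def mul2(t):
    """0x2 * t in GF(2^4) with the primitive polynomial x^4 + x + 1:
    multiply by x (shift left), then reduce x^4 = x + 1 (0x13 = x^4 + x + 1)."""
    t <<= 1
    if t & 0x10:
        t ^= 0x13
    return t & 0xF


# Recomputed multiplication table; it must agree with Table 6.8.
MUL2_TABLE = [mul2(x) for x in range(16)]


def s0(x):
    """S0(x) for an 8-bit input x = x0|x1 (assumed: x0 is the upper nibble)."""
    x0, x1 = x >> 4, x & 0xF
    t0, t1 = SS[0][x0], SS[1][x1]            # Step 1
    u0, u1 = t0 ^ mul2(t1), mul2(t0) ^ t1    # Step 2: '+' is XOR in V_4
    y0, y1 = SS[2][u0], SS[3][u1]            # Step 3
    return (y0 << 4) | y1                    # y = y0|y1


# Full Truth Table of S0, indexed by the input byte.
S0_TABLE = [s0(x) for x in range(256)]


def is_permutation(table):
    """True iff the S-box is bijective on its 2^n inputs."""
    return sorted(table) == list(range(len(table)))


def differential_potential(table):
    """Assumed definition: dp = max over input differences a != 0 and output
    differences b of #{x : S(x) xor S(x xor a) = b} / 2^n, i.e. the largest
    difference-distribution-table entry divided by the number of inputs."""
    size = len(table)
    worst = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x] ^ table[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst / size


if __name__ == "__main__":
    print(f"S0(0xab) = 0x{s0(0xab):02x}")
    print(f"S0 is a permutation: {is_permutation(S0_TABLE)}")
    print(f"dp(S0) = {differential_potential(S0_TABLE)}")
```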

6.3.2 S1

Table 6.11 summarizes the values of the spectral radius, nonlinearity, linear potential, differential potential, absolute indicator, linearity distance, algebraic degree, algebraic immunity, sum-of-squares indicator and correlation immunity of S1.

Table 6.11 Results of spectral radius (r),NL,lp,dp,ACmax,LD,deg,AI,σ and CI for CLEFIA S1.

S-box   r    NL    lp         dp         ACmax   LD   deg   AI   σ        CI
S1      32   112   0.015625   0.015625   32      56   7     4    133120   0

In CLEFIA, GF(2^8) is constructed with the irreducible polynomial g(x) = x^8 + x^4 + x^3 + x^2 + 1. The Trace representation of S1 is described in Section B.4. The number of terms over this irreducible polynomial is 254, which is close to the maximum value, 255, for a permutation over GF(2^8). This fact makes it very unlikely that an interpolation attack will be of any threat to CLEFIA. CLEFIA’s authors declare lp(S1) = dp(S1) to be 2^{−6} = 0.015625 and deg(S1) to be 7; both correspond exactly with the values calculated via the VBF library.

In Table 6.12, some security properties of S0 are described, which are considerably worse than those found in modern S-boxes based on field inversion.

Table 6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion.

S-box   NL    lp             dp          ACmax   LD   deg   AI   σ
S0      100   0.0478515625   0.0390625   96      40   6     4    269056
S1      112   0.015625       0.015625    32      56   7     4    133120

6.4 Computational Cost Results

This section assesses and displays the computational performance of the VBF library algorithms via its application to the cryptographic characterization of S-boxes of different size n × m. The program, described in Algorithm I in C.1, first generates random Truth Tables which correspond to vector Boolean functions with dimensions ranging from n = 4 to n = 17 and from m = 1 to m = 15. It then calculates the cryptographic criteria of the vector Boolean functions given by these Truth Tables. The calculations were performed on an Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz, 16GB RAM, 1TB disk, Debian Linux. Figure 6.4 presents the corresponding computing times graphically, which happen to be a good measure of the computational complexity, provided the computer resources are not exhausted. (If m + n is too large for the whole computation to take place in the available RAM, then the compute time will increase drastically due to hard disk swapping.) As expected, in normal computer conditions the computational complexity grows exponentially in the bit length of the vector Boolean functions. In Figure 6.5, we present detailed timing measurements corresponding to the different functions tested for the values n = 17 and m = 1. This heterogeneous distribution of the computing times reflects the diverse complexity of the different routines provided by the VBF library.

Fig. 6.4 Overall CPU time in seconds for cryptographic characterization of n × m S-boxes.

Fig. 6.5 CPU timing measurements for all functions in Algorithm I.

Chapter 7

Design of Cryptographically Robust Vector Boolean Functions

In Chapter 4 several criteria were presented which allow the suitability of S-boxes for cryptosystem design to be characterized. The most relevant criteria are those whose adjustment minimizes the risk of suffering well known statistical attacks (such as differential and linear attacks); many of the current block ciphers make use of finite-field-based S-boxes having the best known values for some of these criteria [114]. The VBF library developed in this thesis provides a useful set of tools to analyze and design (in combination with optimization schemes) Vector Boolean functions with good cryptographic properties, suitable for use in S-box design. This chapter is devoted to the practical implementation of robust Boolean functions as fundamental components for S-box design. First, the design of such functions is formalized as a Multi-Objective Combinatorial Optimization (MOCO) problem. Then, some relevant algebraic constructions are described for obtaining Boolean functions with some good criteria values. Finally, we present several heuristic techniques which have been developed and applied in this thesis for addressing the MOCO problem. This includes a description of their algorithms and the types of parameters which are required to be used in their processes.

7.1 Multi-Objective Combinatorial Optimization (MOCO)

7.1.1 Problem Formulation

Boolean functions to be used for S-box design in block ciphers and for the design of nonlinear filters and combiners in stream ciphers are required to satisfy various criteria. Although there is no total consensus about the necessary criteria to be taken into account in the design of robust Boolean functions, the most common criteria considered are the following (as we will see later, some of them are redundant since they just correspond to alternative representations of the same property): the function must be balanced, it must have high nonlinearity, high linearity distance, high algebraic degree, high algebraic immunity and low autocorrelation (both absolute and sum-of-squares indicators). From now on we will define the profile P_n(f) of the n-input variables Boolean function f as

P_n(f) = (NL, deg, AI, ACmax, σ, I)

where NL stands for the nonlinearity, deg the algebraic degree, AI the algebraic immunity, ACmax the absolute indicator, σ the sum-of-squares indicator and I the imbalance. It is important to mention that the linearity distance, LD, is not included in the profile since it can be derived from ACmax, as described in Section 4.9; we decided to select ACmax between the two criteria because it is more employed in the literature. NL, deg and AI are criteria to be maximized, and ACmax and σ are criteria to be minimized. Concerning I, such a criterion (see Definition 4.5.2) will usually be required to reach the optimal balanced value (I = 0); in such cases it becomes a constraint, as shown below. Hence, the design of Vector Boolean functions with a good profile can be formalized as a specific type of optimization problem. First of all, the search for functions with good characteristics has to be performed within the set F_n, which is finite; hence such a search can be framed as a Combinatorial Optimization problem.

In addition, all the criteria of Pn( f ) = (NL,deg,AI,ACmax,σ,I) need to be taken into account for determining the goodness of a given function. We can formulate Pn( f ) = C( f ) = (C1( f ),...,C6( f )), where each Ci( f ) is a function of the form:

Ci : Fn → R, i = 1,...,6 so that Ci is monotonically increasing with the goodness of the criterion. For instance, one could choose:

• C1( f ) = NL( f ),

• C2( f ) = deg( f ),

• C3( f ) = AI( f ),

• C4( f ) = LD( f ) (it increases as ACmax decreases),

• C_5(f) = 2^{3n} − σ(f) (it would reach its maximum value for functions with optimal σ; see Table 4.2 for a description of the σ bounds).

• C_6(f) = 2^{n−1} − I(f) (it would reach its maximum value for balanced functions).

In this context, we must define a new type of optimality in order to consider all C = (C_1,...,C_6) simultaneously; such a new optimality concept can be formalized, without loss of generality, as the search for

“max”_{f ∈ F_n} (C_1(f),...,C_6(f)),   (7.1)

where “max” now needs to be defined (note that, equivalently, the problem could be defined as a minimization one). This definition of maximality is usually grounded on the Pareto optimality concept. Pareto optimality [57] establishes that

Definition 7.1.1. $f \in F_n$ is Pareto Optimal (or Efficient) if there does not exist another $g \in F_n$ such that $C_i(g) \ge C_i(f)$, $i = 1, \dots, 6$, with strict inequality holding at least once (in such a case $g$ should clearly be preferred to $f$).

If $f$ is Pareto Efficient, then $C(f) = (C_1(f), \dots, C_6(f))$ is called a non-dominated point. The set of all efficient points (in our case, functions) is called the Efficient Set and the set of all non-dominated points is called the Non-dominated Set. Ideally, our final aim would be to determine the Efficient Set corresponding to the MOCO problem (7.1).

7.1.2 Preferences among Criteria. Weighting Method

A way to simplify the MOCO problem is to assume some sort of preference or relative relevance among the criteria $C_i$. If the $C_i$, $i = 1, \dots, 6$, follow an order of preference, the multicriteria problem can be reformulated (e.g., using lexicographic order) as a single-objective optimization problem. Among the criteria defined in the profile, the nonlinearity $NL$ has usually been given preference. As we will see, many authors have primarily focused on it, and we will also address its isolated optimization in Section 7.2.4. Alternatively, if we assume a (soft) relative relevance among the criteria, we can assign different “weights” to each of them so that (7.1) can be reformulated as a standard optimization problem:

$$\max_{f \in F_n} \sum_{i=1}^{6} w_i \cdot C_i(f) \qquad (7.2)$$

This is the so-called Weighting Method, and it can be sensitive to the assigned weights $w_i$, $i = 1, \dots, 6$, and to the shape of the Pareto optimal set [164].

208 Design of Cryptographically Robust Vector Boolean Functions

This approach is employed in Section 7.2.4 as a means of successively incorporating new different criteria in the optimization problem.

Strong Preferences or Restrictions

Finally, note that if we want some criterion $C_k$ to take a given value (say $c_k^0$), the problem can be reformulated as a search restricted to the subset $S = \{ f \in F_n : C_k(f) = c_k^0 \}$. Nevertheless, some algorithms may relax this condition in the initial stages (e.g., addressing the original problem (7.1) via the Weighting Method, where the corresponding $k$-th additive term takes the form $w_k \cdot |C_k(f) - c_k^0|$ with a large negative $w_k$), which may prove to be computationally efficient. These issues will be addressed below for the case of the balancedness criterion $I$ (which is required to take the value $0$, i.e., the function must be balanced). Hence, for balanced Boolean functions with $n$ input variables we re-define the profile $P_n(f)$ as

$$P_n(f) = C(f) = (NL, deg, AI, AC_{max}, \sigma),$$

where only 5 criteria are left for optimization.

7.2 Boolean Function Design Procedures

As the number $n$ of input variables of the Boolean function increases, the number of functions in the space, $2^{2^n}$, grows so fast that it quickly becomes unfeasible to exhaustively search the whole space, so that the probability of discovering optimal functions decreases. Thus, it becomes necessary to employ specific techniques to focus the search on certain parts of the space which presumably contain functions of interest (typically those which exhibit good values for one or more desirable cryptographic properties). Techniques for the construction of good Boolean functions have included pseudo-random generation [10], [11], finite field inversion and power mappings [46], [9], [153], [154], [45], [127], [144], as well as various heuristic techniques [93], [8]. Among them, two main types of techniques have prevailed in the research field for searching robust Boolean functions: algebraic constructions and computational (heuristic) techniques. In this Section these two procedures are considered. First, algebraic construction techniques are presented, which are well suited to finding Boolean functions with good values for some specific criteria.

7.2.1 Algebraic Construction Techniques

The ability of finite field based S-boxes [114] to optimize the current S-box design criteria seems to have caused a pause in research into the design of Vector Boolean functions suitable for S-boxes, as is evident from the lack of recent literature in this area. Algebraic construction techniques are usually designed to obtain Boolean functions with a good value for some specific criteria. For instance, constructing Boolean functions with the maximum possible nonlinearity is well known when the number of input variables $n$ is even, but is an unsettled open problem in cryptography when $n$ is odd. For an even number of variables $n$, the maximum possible nonlinearity $2^{n-1} - 2^{n/2-1}$ is attained by the bent functions. For odd $n$, the nonlinearity value $2^{n-1} - 2^{(n-1)/2}$ is known as the (lower) bent concatenation bound, since the concatenation of two bent functions on $(n-1)$ variables yields $n$-variable functions achieving this bound. Special emphasis has been given to constructing highly nonlinear balanced Boolean functions [51], [61]. Tables 7.1-7.6 describe the maximum reached nonlinearity (besides some other criteria values) for non-balanced and balanced Boolean functions for several values of $n$. However, when concentrating on a single property, the effect of other significant cryptographic properties has often been neglected. In the following, we show some of the best Boolean functions achieved for several (if not all) of the criteria of the profile defined in Section 7.1.1.

Best Known Pareto Efficient Boolean Functions

Since the determination of Pareto efficient functions is, in general, computationally unfeasible, we address the problem of determining the Best Known Pareto Efficient (BKPE) functions.

Definition 7.2.1. A function $f \in F_n$ is Best Known Pareto Efficient if there is no known $g \in F_n$ such that $C(g) > C(f)$.

Obviously, Pareto efficiency (provided the function is known) implies BKPE, but not vice versa, i.e., if a known function is not BKPE, it cannot be Pareto Efficient, whereas being BKPE does not guarantee Pareto Efficiency (see Figure 7.1). In general, the set of BKPE functions can be considered as an approximation of the Pareto Efficient set in the sense that, as the green set of Known Functions (KF) grows, BKPE tends to PE (the dashed line tends to the boundary of PE and eventually PE becomes a subset of KF). Stanica and Sung in [148] defined constructions of Boolean functions that, in odd dimension $n$, satisfy $\sigma(f) = 2^{2n+1}$ and $NL(f) = 2^{n-1} - 2^{\lfloor n/2 \rfloor}$. They conjectured that if $n$ is even, then $\sigma(f) = 2^{2n+2}$ and $NL(f) = 2^{n-1} - 2^{\lfloor n/2 \rfloor}$.

[Figure 7.1: nested sets labelled “Space of all functions”, “Known Functions”, “BKPE” and “PE”.]

Fig. 7.1 Relationship between Known Functions, PE and BKPE.

They also gave an example 8-variable balanced function $f_1$ whose ANF is

$$f_1 = x_2 + x_7 + x_1 x_5 + x_2 x_5 + x_3 x_8 + x_4 x_7 + x_4 x_8 + x_5 x_6$$

with the following criteria values:

$$NL(f_1) = 112, \quad AC_{max}(f_1) = 256, \quad \sigma(f_1) = 262144 = 2^{2 \cdot 8 + 2}$$

The values of the remaining criteria are not so good: $deg(f_1) = 2$, $AI(f_1) = 2$, which gives the following profile:

$$P_8(f_1) = (112, 2, 2, 256, 262144)$$

In addition, they constructed a 9-variable balanced function $f_2$ whose ANF is

$$f_2 = x_2 + x_8 + x_1 x_6 + x_2 x_3 + x_2 x_6 + x_3 x_7 + x_4 x_9 + x_5 x_8 + x_5 x_9 + x_6 x_7$$

with the following profile:

$$P_9(f_2) = (240, 2, 2, 512, 524288), \quad \text{where } 524288 = 2^{2 \cdot 9 + 1}$$
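The profile quoted for $f_1$ and $f_2$ can be recomputed from the ANF alone. The following Python is an added example, not code from the thesis or from the VBF library: it obtains $NL$ from the fast Walsh-Hadamard transform, the absolute and sum-of-squares indicators from the autocorrelation (via the Wiener-Khinchin relation), the degree from the binary Möbius transform and the algebraic immunity from a GF(2) linear system over the supports of $f$ and $f+1$. It assumes the imbalance $I(f) = |wt(f) - 2^{n-1}|$ (Definition 4.5.2 is not reproduced on this page) and the convention that variable $x_i$ is bit $i-1$ of the input index; the two ANFs are copied from the text.

```python
"""Profile P_n(f) = (NL, deg, AI, ACmax, sigma, I) of a Boolean function given by its ANF."""
from itertools import combinations


def anf_to_truth_table(n, monomials):
    """Truth table (2^n bits) of an ANF given as a list of monomials, each a tuple of
    1-based variable indices, e.g. (1, 5) for x1*x5; input x has x_i = bit (i-1) of x."""
    table = []
    for x in range(1 << n):
        bit = 0
        for mono in monomials:
            if all((x >> (i - 1)) & 1 for i in mono):
                bit ^= 1
        table.append(bit)
    return table


def fwht(values):
    """Fast Walsh-Hadamard transform (sum/difference butterflies)."""
    v = list(values)
    h = 1
    while h < len(v):
        for start in range(0, len(v), 2 * h):
            for j in range(start, start + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v


def mobius(table):
    """Binary Mobius transform: truth table -> ANF coefficients (index u = monomial x^u)."""
    a = list(table)
    h = 1
    while h < len(a):
        for start in range(0, len(a), 2 * h):
            for j in range(start, start + h):
                a[j + h] ^= a[j]
        h *= 2
    return a


def gf2_rank(rows):
    """Rank over GF(2) of row vectors packed as Python ints (XOR basis reduction)."""
    basis = {}
    for r in rows:
        while r:
            pivot = r.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = r
                break
            r ^= basis[pivot]
    return len(basis)


def algebraic_immunity(n, table):
    """Smallest degree d of a nonzero g with f*g = 0 or (f+1)*g = 0.  g annihilates h iff
    g vanishes on supp(h), i.e. the matrix 'monomials of degree <= d evaluated on supp(h)'
    has a nontrivial kernel (rank < number of monomials)."""
    supports = ([x for x in range(1 << n) if table[x]],
                [x for x in range(1 << n) if not table[x]])
    for d in range(n + 1):
        monos = [m for k in range(d + 1) for m in combinations(range(n), k)]
        for supp in supports:
            rows = []
            for x in supp:
                r = 0
                for c, m in enumerate(monos):
                    if all((x >> i) & 1 for i in m):
                        r |= 1 << c
                rows.append(r)
            if gf2_rank(rows) < len(monos):
                return d
    return n


def profile(n, table):
    """(NL, deg, AI, ACmax, sigma, I); I = |wt(f) - 2^(n-1)| is the assumed imbalance."""
    size = 1 << n
    walsh = fwht([1 - 2 * b for b in table])                      # W_f(a) = sum (-1)^(f(x)+a.x)
    nl = (size - max(abs(w) for w in walsh)) // 2                  # NL = 2^(n-1) - max|W_f|/2
    autocorr = [v // size for v in fwht([w * w for w in walsh])]   # r_f(a) = FWHT(W_f^2)/2^n
    ac_max = max(abs(v) for v in autocorr[1:])                     # absolute indicator, a != 0
    sigma = sum(v * v for v in autocorr)                           # sum-of-squares indicator
    degree = max((bin(u).count("1") for u, c in enumerate(mobius(table)) if c), default=0)
    imbalance = abs(sum(table) - size // 2)
    return (nl, degree, algebraic_immunity(n, table), ac_max, sigma, imbalance)


# ANFs of the two Stanica-Sung examples, copied from the text.
F1 = [(2,), (7,), (1, 5), (2, 5), (3, 8), (4, 7), (4, 8), (5, 6)]                  # n = 8
F2 = [(2,), (8,), (1, 6), (2, 3), (2, 6), (3, 7), (4, 9), (5, 8), (5, 9), (6, 7)]  # n = 9

if __name__ == "__main__":
    print("P8(f1) =", profile(8, anf_to_truth_table(8, F1)))
    print("P9(f2) =", profile(9, anf_to_truth_table(9, F2)))
```

The last component is the imbalance, so a profile ending in 0 is balanced; dropping it gives the five-criterion profile used for balanced functions. Note that $\sigma$ includes the $a = 0$ term $r_f(0)^2 = 2^{2n}$, which is why the optimal (bent) value is $2^{2n}$.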

Canteaut et al. in [20] defined a construction procedure for almost optimal functions. They provided two examples of 8-variable balanced functions with ANF

$$f_3(x_1, \dots, x_8) = x_1 x_2 x_3 x_4 x_5 + x_1 x_3 x_7 + x_1 x_2 + x_3 x_4 + x_5 x_6 + x_8$$
$$f_4(x_1, \dots, x_8) = x_1 x_3 x_4 x_6 + x_4 x_6 x_7 + x_1 x_2 + x_3 x_4 + x_5 x_6 + x_8$$

which have respectively the following profiles:

$$P_8(f_3) = (112, 5, 3, 256, 237568), \qquad P_8(f_4) = (112, 4, 3, 256, 262144)$$

Maitra in [88] constructed balanced functions for:

• an even number of variables $n \ge 6$ with

$$NL = 2^{n-1} - 2^{n/2} + 2^{n/2-2}, \quad deg = \max\{5, \tfrac{1}{2}(n-6)\}, \quad AC_{max} = 2^{n-1}, \quad \sigma = 2^{2n+0.89}$$

• an odd number of variables $n \ge 15$ with

$$NL = 2^{n-1} - 2^{n/2} + 6 \cdot 2^{(n-15)/2}, \quad deg = \max\{14, \tfrac{1}{2}(n-15)\}, \quad AC_{max} = 2^{n-7.29}, \quad \sigma = 2^{2n+0.25}$$

Note that the algebraic immunity $AI$ values are not provided for this construction. Table 7.1 summarizes the values for 8- and 15-variable balanced functions.

Table 7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for the Maitra construction in [88].

n    NL       deg   ACmax   σ
8    116      5     128     120832
15   16282    14    208     1270799360

Sarkar and Maitra in [133] defined a construction of optimized resilient functions which yields $(2p+1)$-variable balanced functions with algebraic degree $2p$ and nonlinearity $2^{2p} - 2^{p}$ for $p \ge 1$. Table 7.2 summarizes the values for balanced functions with an odd number of variables from 9 to 15.

Table 7.2 Nonlinearity and algebraic degree for the Sarkar and Maitra construction in [133].

n    NL      deg
9    240     8
11   992     10
13   4032    12
15   16256   14

Alternatively, Zhang and Zheng in [160] constructed balanced functions for an even number of variables such that

$$NL \ge 2^{n-1} - 2^{n/2}, \quad AC_{max} \le 2^{n/2+1}, \quad \sigma = 2^{2n} + 2^{3n/2+3} - 2^{3n/2+1}$$

and for an odd number of variables such that

$$NL \ge 2^{n-1} - 2^{(n-1)/2}, \quad AC_{max} \le 2^{(n-1)/2+1}, \quad \sigma = 2^{2(n-1)+3}$$

Note that nothing is said about the remaining criteria for this construction. Table 7.3 summarizes the values for balanced functions with 8 to 15 variables.

Table 7.3 Nonlinearity, absolute and sum-of-squares indicators for the Zhang and Zheng construction [160].

n    NL      ACmax   σ
8    112     ≤ 32    90112
9    240     ≤ 32    2^19 = 524288
10   480     ≤ 64    1245184
11   992     ≤ 64    2^23 = 8388608
12   1984    ≤ 128   18350080
13   4032    ≤ 128   2^27 = 134217728
14   8064    ≤ 256   281018368
15   16256   ≤ 256   2^31 = 2147483648

Carlet et al. in [26] introduced a construction of $n$-variable Boolean functions with algebraic immunity equal to $\lceil n/2 \rceil$ (that is, optimal). Table 7.4 summarizes the values for 8- and 10-variable balanced functions.

Table 7.4 Nonlinearity, algebraic degree and algebraic immunity for the Carlet construction [26].

n    NL    deg   AI
8    58    7     4
10   260   8     5

Charpin et al. in [30] introduced, for any odd $k \ge 3$, a construction of $\lfloor k/2 \rfloor$-resilient Boolean functions of $n = 2k - 1$ variables, of degree $k$, without linear structure and with nonlinearity $2^{n-1} - 2^{(n-1)/2}$. Table 7.5 summarizes the values for 9-variable balanced functions.

Table 7.5 Nonlinearity and algebraic degree for the Charpin construction [30].

n    NL    deg
9    240   5

Filiol and Fontaine in [61] found 549339200 balanced functions for $n = 9$, that is, 1142390 up to equivalence. They claimed that these functions have degrees 2, 3, 4, 5, 6 and 7. They studied the corpus of idempotent functions in order to obtain these results. Guillot in [68] presented an extension of the Maiorana-McFarland method for building Boolean functions with good cryptographic properties (mainly nonlinearity, resiliency and propagation). He obtained a 9-variable balanced function with nonlinearity 240 and absolute indicator 128, and a 10-variable 2-resilient and PC(2) Boolean function with nonlinearity 480 and absolute indicator 640. Carlet and Gaborit in [27] described how the family of power functions $x^d$ generates balanced Boolean functions with good algebraic immunity and good nonlinearity, as shown in Table 7.6.

Table 7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions $x^d$.

n    d                  NL     deg   AI
8    31                 112    5     4
8    39 (Kasami)*       114    6     4
9    57 (Kasami)        224    4     4
9    59                 240    5     5
9    115                240    5     5
10   241 (Kasami)       480    5     5
10   362                480    5     5
10   31 (Dillon)*       486    9     5
10   339 (Dobbertin)*   480    9     5
11   315                992    6     6
12   993 (Kasami)*      2000   11    6
12   63 (Dillon)*       2000   11    6
12   636*               2000   11    6
13   993 (Kasami)       4032   6     6
13   939*               4030   12    7
14   4033 (Kasami)      8064   7     7
14   127 (Dillon)*      8088   13    7

Those marked with * are balanced by modifying a small number of bits.

Best Known Vector Boolean Functions

All the authors mentioned above concentrated their optimization efforts on finding Boolean functions that satisfy a subset of the five criteria we consider essential for balanced Boolean functions used in S-boxes. Moreover, in order to design a cryptographically robust S-box, it is necessary to identify a set of Boolean functions whose linear combinations all have excellent profiles. Along this line, Nyberg in [114] gave two examples of transformations of $V_n$ that can be used to construct S-boxes with the following properties:

1. High nonlinearity, i.e., large distance from the linear functions.

2. High algebraic degree, the degrees of the coordinate functions are large.

3. Resistance against the differential cryptanalysis.

4. Efficient construction and computability.

To satisfy requirement 3, Nyberg asserted that it is enough that, for every fixed nonzero input difference to the function, no output difference occurs with high probability. In other words, it is required that there is a uniform upper bound on the probability of the possible output differences. Nyberg defined the concept of differential uniformity in order to capture this property, which is related to the Linearity Distance $LD$ (see Definition 3.8.3 for further details).

The first example given in [114] is the inverse of the power polynomials $F(x) = x^{2^k + 1} \in GF(2^n)$ with $n$ odd and $\gcd(n, k) = 1$. This mapping satisfies the following properties:

1. $NL(F^{-1}) = 2^{n-1} - 2^{(n-1)/2}$.

2. $F^{-1}$ is differentially 2-uniform, that is, $lp(F^{-1}) = 2/2^n$.

3. $deg(F^{-1}) = (n+1)/2$.

The second example given in [114] is the mapping $F(x) = x^{-1} \in GF(2^n)$ defined by

$$F(x) = \begin{cases} x^{-1} & \text{if } x \neq 0 \\ 0 & \text{if } x = 0 \end{cases} \qquad (7.3)$$

This inversion mapping satisfies the following properties:

1. $NL(F) \ge 2^{n-1} - 2^{n/2}$.

2. $F$ is differentially 2-uniform if $n$ is odd ($lp(F) = 2/2^n$) and differentially 4-uniform if $n$ is even ($lp(F) = 4/2^n$).

3. $deg(F) = n - 1$.
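The differential uniformity behind requirement 3 can be checked directly from a lookup table of the mapping. The following Python is an added example, not code from [114] or from the VBF library: it implements $GF(2^n)$ arithmetic, builds the inversion mapping (7.3) and the power mapping $x^{2^k+1}$ together with its inverse, and computes $\delta = \max_{a \neq 0,\, b} \#\{x : F(x \oplus a) \oplus F(x) = b\}$, so that $lp(F) = \delta / 2^n$. The AES field polynomial $x^8 + x^4 + x^3 + x + 1$ is used for $n = 8$; the polynomial $x^7 + x + 1$ for $n = 7$ and the choice $k = 1$ are assumptions made for this example.

```python
"""Differential uniformity of Nyberg's power mappings over GF(2^n), from lookup tables."""


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n) = GF(2)[x]/(poly); poly includes the x^n term (e.g. 0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce modulo the field polynomial
            a ^= poly
    return r


def gf_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


def gf_inv(a, n, poly):
    """Equation (7.3): x^-1 = x^(2^n - 2) for x != 0, and F(0) = 0."""
    return 0 if a == 0 else gf_pow(a, (1 << n) - 2, n, poly)


def power_map(d, n, poly):
    """Lookup table of x -> x^d over GF(2^n)."""
    return [gf_pow(x, d, n, poly) for x in range(1 << n)]


def inverse_map(table):
    """Inverse of a permutation of {0, ..., 2^n - 1} given as a lookup table."""
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def differential_uniformity(table):
    """delta = max over a != 0 and b of #{x : F(x ^ a) ^ F(x) = b}; lp = delta / 2^n."""
    size = len(table)
    delta = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x] ^ table[x ^ a]] += 1
        delta = max(delta, max(counts))
    return delta


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
POLY7 = 0x83       # x^7 + x + 1, irreducible over GF(2); chosen for this example


def nyberg_examples():
    """delta for x^-1 (n = 8 and n = 7) and for x^(2^k+1) with k = 1, n = 7, and its inverse."""
    inv8 = [gf_inv(x, 8, AES_POLY) for x in range(256)]
    inv7 = [gf_inv(x, 7, POLY7) for x in range(128)]
    gold7 = power_map((1 << 1) + 1, 7, POLY7)      # x^3: gcd(7, 1) = 1, n odd
    return {
        "x^-1, n=8": differential_uniformity(inv8),
        "x^-1, n=7": differential_uniformity(inv7),
        "x^3, n=7": differential_uniformity(gold7),
        "(x^3)^-1, n=7": differential_uniformity(inverse_map(gold7)),
    }


if __name__ == "__main__":
    for name, delta in nyberg_examples().items():
        print(f"{name}: delta = {delta}, lp = {delta} / 2^n")
```

The $n = 8$ inversion gives $\delta = 4$ ($lp = 4/2^8$), while the $n = 7$ inversion and the $x^3$ mapping and its inverse give $\delta = 2$, matching the 4-uniform/2-uniform split stated above. The nonlinearity and degree claims need the Walsh spectrum of every component function and are left out here.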

The last mapping has been used in the S-box design of several relevant block ciphers, such as AES, Clefia (only the S1 S-box), GrandCru and Hierocrypt3, among others. They are $8 \times 8$ S-boxes based on inversion mappings over $GF(2^8)$ with the following properties:

1. $NL(F) \ge 2^{8-1} - 2^{8/2} = 112$.

2. $lp(F) = 4/2^8 = 0.015625$.

3. $deg(F) = 8 - 1 = 7$.

We have performed an analysis of the component functions of these S-boxes: all of them are balanced Boolean functions with the same profile, $P_8(f) = (112, 7, 4, 32, 133120)$. Moreover, the remaining values of the criteria within the profile are very good:

1. $AI(f) = 4$, which is the maximum possible algebraic immunity of an 8-variable function: $\lceil 8/2 \rceil = 4$.

2. ACmax( f ) = 32 where the best achievable value for a balanced 8-variable function is 16.

3. $\sigma(f) = 133120$, where the best value known to the author of this thesis for a balanced 8-variable function is 88960.

The trade-offs between cryptographic criteria keep receiving a lot of attention in Boolean function literature. The more criteria that have to be taken into account, the more difficult it is to generate Boolean functions satisfying those properties purely by constructive algebraic means. Hence, in the next Section, alternative design procedures are addressed.

7.2.2 Computational Techniques for Approximating the Efficient Set

As an alternative to algebraic construction techniques, purely computational procedures can be employed for approximating the Efficient Set corresponding to the MOCO problem (i.e., determining a set of Best Known Pareto Efficient functions). Note that a naive basic algorithm to find efficient solutions, such as direct pairwise comparison, would require $O(|F_n|^2 p)$ operations ($p$ being the number of criteria). In practice, due to computational limitations, we “approximate” such a set by determining a set of functions $f$ which are efficient when compared to all the functions whose properties are known. In general, the algorithms which can be applied to this type of MOCO problem do not have a formal guarantee of performance; hence they can be considered as “heuristics” [117]. These computational heuristic techniques are often applied to difficult or costly combinatorial problems, since they are well suited to searching large spaces for a number of satisfactory (not necessarily optimal) solutions. In general, these techniques are driven by a directed search algorithm, typically searching a localized area from a specified starting point.

There are several well known different classes of heuristic algorithms such as Local Search (including variants such as Hill Climbing [102] or Tabu Search [62]), Simulated Annealing [81], Genetic Algorithms [71], etc. (see [126] for a review).

Local Search Methods

Local Search methods rely on the concept of a neighbourhood of a given point (a given function in our case). Such a neighbourhood can be formalized as a function

$$N : F_n \to 2^{F_n}$$

This neighbourhood is searched at a point $f \in F_n$ for improvements, so that $g \in N(f)$ is selected if it satisfies $C(g) > C(f)$ (i.e., $C_k(g) \ge C_k(f)$, $k = 1, \dots, 6$, with strict inequality holding at least once). In several contexts, this procedure (in its simplest form) is also called Hill Climbing. The search stops when no improvement can be performed in an iteration. The implementation and performance of a Local Search algorithm rely on the selection of the initial point and on the design of the function $N$. We will get back to these issues later. Local Search methods have been successfully employed for code design [73], and they have also been employed in this chapter both for single-criterion and for multiple-criteria optimization.

Evolutionary Algorithms

Evolutionary Algorithms (EAs) are especially well suited for multiobjective optimization, where a set of different efficient solutions is usually sought, due to their population-based approach [49]. Hence, many authors have addressed the use of EAs in such a context [37, 38]. Specifically, Genetic Algorithms (combined with Hill Climbing) are considered in [16] for finding Boolean functions with good cryptographic criteria. In this chapter, Genetic Algorithms and Local Search methods are combined to illustrate the potential of the VBF library. Alternative classes of algorithms have also been employed in the Boolean function design literature, such as Simulated Annealing [34], Particle Filters [137] and Particle Swarm Optimization [129]. Simulated Annealing will be considered in Section 7.2.4. The analysis of Particle Filter and Particle Swarm Optimization algorithms with the VBF library is a future research topic.

7.2.3 The Balancedness Constraint

As mentioned in Section 4.5, balancedness is considered an essential property in the design of Vector Boolean functions for cryptography. Hence, it is a priority criterion when compared with the rest of the criteria in the MOCO problem (7.1). Following the procedures presented in Section 7.1.2, the search for balanced functions can be addressed in different ways. For instance, a search procedure can be defined that is restricted to the subset $S = \{ f \in F_n : I(f) = 0 \}$, where $I(f)$ stands for the imbalance of $f$. This restriction can be imposed in the generation procedures for new populations of GAs as well as in the selection of neighbourhood elements for Local Search methods. Alternatively, one can relax such a condition in the initial stages of the algorithms, with the aim of having more flexibility in the search, and impose the condition more tightly as the “neighbourhood” of a good solution is approached. For instance, one can apply a Generalized Differential Evolution rule [55] where the closeness of the imbalance to zero is considered in the cost function, in the spirit explained in Section 7.1.2.
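The following Python is an added example (not code from the thesis or from the VBF library) of the Local Search scheme of Section 7.2.2 with the balancedness restriction built into the neighbourhood: $N(f)$ consists of the truth tables obtained by swapping one 1-bit with one 0-bit, so every neighbour of a balanced $f$ is balanced and the objective can be $o_1 = NL(f)$ alone. Rather than recomputing the Walsh spectrum of each neighbour, it updates the spectrum incrementally (clearing $f(x_1) = 1$ adds $2(-1)^{a \cdot x_1}$ to $W_f(a)$, setting $f(x_0) = 1$ subtracts $2(-1)^{a \cdot x_0}$), and it takes the best improving neighbour at each step until none exists. The starting point $f_0$, a random balanced 6-variable function drawn with a fixed seed, is a choice made for this example.

```python
"""Hill Climbing for nonlinearity over balanced functions, with a weight-preserving neighbourhood."""
import random


def chi(a, x):
    """(-1)^(a.x), the character for the GF(2) inner product of a and x."""
    return -1 if bin(a & x).count("1") & 1 else 1


def walsh_spectrum(table):
    """Direct O(4^n) Walsh spectrum of (-1)^f; adequate for the small n used here."""
    size = len(table)
    return [sum(chi(a, x) * (-1 if table[x] else 1) for x in range(size)) for a in range(size)]


def nonlinearity(walsh):
    """NL = 2^(n-1) - max|W_f| / 2."""
    return (len(walsh) - max(abs(w) for w in walsh)) // 2


def random_balanced(n, seed):
    """A balanced starting point f_0 with exactly 2^(n-1) ones (fixed seed: reproducible)."""
    table = [0] * (1 << n)
    for x in random.Random(seed).sample(range(1 << n), 1 << (n - 1)):
        table[x] = 1
    return table


def hill_climb(table, max_steps=50):
    """Steepest-ascent Hill Climbing on o1 = NL(f).  N(f) = {f with one 1-bit and one 0-bit
    swapped}, so the constraint I(f) = 0 holds by construction instead of being penalised.
    Returns (final truth table, its NL, the NL reached after each accepted step)."""
    table = list(table)
    size = len(table)
    signs = [[chi(a, x) for x in range(size)] for a in range(size)]   # chi table, built once
    walsh = walsh_spectrum(table)
    nl = nonlinearity(walsh)
    history = [nl]
    for _ in range(max_steps):
        best = None
        ones = [x for x in range(size) if table[x]]
        zeros = [x for x in range(size) if not table[x]]
        for x1 in ones:
            for x0 in zeros:
                # incremental spectrum of the neighbour: f(x1) 1->0 and f(x0) 0->1
                cand = [walsh[a] + 2 * signs[a][x1] - 2 * signs[a][x0] for a in range(size)]
                cand_nl = nonlinearity(cand)
                if cand_nl > nl and (best is None or cand_nl > best[0]):
                    best = (cand_nl, x1, x0, cand)
        if best is None:          # no improving neighbour: a local optimum of o1 over S
            break
        nl, x1, x0, walsh = best
        table[x1], table[x0] = 0, 1
        history.append(nl)
    return table, nl, history


if __name__ == "__main__":
    final, nl, history = hill_climb(random_balanced(6, 2015))
    print("NL after each accepted step:", history)
    print("balanced:", sum(final) == len(final) // 2, " final NL:", nl)
```

The run stops at a local optimum of $o_1$ over the balanced functions, which for $n = 6$ can be at most 26 (28 is the bent value, and balanced functions have even nonlinearity for even $n$); how good the local optimum is depends on $f_0$, which is exactly the seed-selection issue discussed in Section 7.2.4.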

7.2.4 Combining Different Algorithms

The performance of Local Search Methods strongly depends on the selection of the initial point (seed) from which the iterative search starts. Such an initial value $f_0$ may be grounded on known algebraic constructions such as those described in Section 7.2.1. Some cryptographic criteria may be sensitive to “local displacements” in the search; hence, optimal functions may be surrounded by non-optimal ones, meaning that the selection of appropriate initial conditions remains an open issue. This fact justifies the use of Simulated Annealing and/or GAs for determining good enough functions, which can then be employed as initial conditions for applying (in a second phase) a Local Search Method.

Combining Simulated Annealing and Hill Climbing Methods

Kavut and Yucel in [80] described how to find balanced Boolean functions satisfying multiple desirable criteria such as high nonlinearity, low autocorrelation, balancedness and high algebraic degree. They presented in [80] some balanced 8- and 9-variable functions which were the best known in the computer search literature in terms of joint optimization of nonlinearity and autocorrelation. Table 7.7, from [80], compares the best achieved computer search results for $(NL, deg, AC_{max})$. Note that the results of Kavut et al. in [80] proved that the profiles provided by Clark et al. [33][34][35] for $n = 8$, $n = 10$ and $n = 11$ were not Pareto efficient.

Table 7.7 Comparison of the best achieved computer search results for $(NL, deg, AC_{max})$.

Results                      n = 8           n = 9           n = 10          n = 11
Kavut et al. [80]            (116, 7, 24)    (238, 8, 40)    (486, 9, 56)    (984, 10, 80)
                             (114, 7, 16)    (234, 8, 32)
                                             (236, 8, 32)
Clark et al. [33][34][35]    (116, 7, 24)    (238, 8, 40)    (486, 9, 72)    (984, 9, 96)
                             (112, 5, 16)                    (484, 9, 56)    (982, 10, 88)

Unfortunately, Kavut et al. [80] only provide the representation of one of the functions they found:

149016cdd1931f10860b4b8becef5557b8177a8565229b775e08f97b7692c32d

The profile of this 8-input balanced function is $P_8(f) = (114, 7, 4, 16, 88960)$. Table 7.8 shows other results for 9-variable balanced Boolean functions with good profiles.

Table 7.8 Comparison of profiles $(NL, deg, AI, AC_{max}, \sigma)$ with $n = 9$.

Authors                                Profile
Kavut et al. [77]                      (240, 7, 4, 24, 354176)
Saber et al. [131]                     (240, 5, 4, 160, 524288)
Read [125]                             (240, 5, 3, 32, 524288)
Burnett [16]                           (240, 5, 4, 128, 524288)
Stanica [148]                          (240, 2, 2, 512, 524288)
Misty1 and KASUMI 9 × 9 S-box [2]      (240, 2, 2, 512, 524288)

Note again that the results of Kavut et al. in [77] proved that all the profiles provided by Saber et al. [131], Read [125], Burnett [16], Stanica [148] and the Misty1 and KASUMI 9 × 9 S-box [2] for $n = 9$ were not Pareto efficient. Table 7.9 shows other results for 11-variable balanced Boolean functions with good profiles. Note again that the results of Kavut et al. in [77] proved that, based on the limited number of criteria considered, the profiles provided by Johansson and Passalic [75] and Maximov et al. [95] were not Pareto efficient. They also proved that the two profiles in the second row provided by Read [125] were not Pareto efficient either.

Table 7.9 Comparison of profiles $(NL, deg, AI, AC_{max}, \sigma)$ with $n = 11$ (− marks a criterion not reported).

Authors                        Profiles
Johansson and Passalic [75]    (992, 5, −, −, −)
Maximov et al. [95]            (992, 6, −, 240, −)
Kavut et al. [77]              (988, 10, 5, 56, 5980928), (992, 8, −, 64, −)
Read [125]                     (992, 4, 3, 64, 8388608), (992, 5, 3, 96, 8388608)
                               (984, 9, 4, 232, 8514560), (970, 10, 3, 192, 9404288)
Dalai et al. [47]              (992, 5, 5, −, −)
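The dominance checks behind the statements above can be carried out mechanically. The following Python is an added example (not code from the thesis or from the VBF library) of Definition 7.1.1 and Definition 7.2.1: it filters a set of known profiles down to the Best Known Pareto Efficient ones, with the orientation of every criterion given as a sign vector ($NL$, $deg$, $AI$ maximized; $AC_{max}$, $\sigma$ minimized). The data are the profiles of Table 7.8 and the $n = 8$ column of Table 7.7, copied from this page; entries with unreported criteria (the − marks of Table 7.9) are not handled.

```python
"""Pareto dominance over cryptographic profiles: the Best Known Pareto Efficient set."""

# Orientation of P_n(f) = (NL, deg, AI, ACmax, sigma): +1 = maximize, -1 = minimize.
PROFILE_SIGNS = (1, 1, 1, -1, -1)
# Orientation of the (NL, deg, ACmax) triples of Table 7.7.
TRIPLE_SIGNS = (1, 1, -1)


def dominates(p, q, signs):
    """p dominates q: at least as good in every criterion and strictly better in one
    (Definition 7.1.1); identical profiles therefore do not dominate each other."""
    gains = [s * a - s * b for s, a, b in zip(signs, p, q)]
    return all(g >= 0 for g in gains) and any(g > 0 for g in gains)


def best_known_pareto_efficient(table, signs):
    """Names whose profile is not dominated by any other known profile (Definition 7.2.1)."""
    items = list(table.items())
    return [name for name, p in items
            if not any(dominates(q, p, signs) for other, q in items if other != name)]


# Profiles copied from Table 7.8 (n = 9).
TABLE_7_8 = {
    "Kavut et al. [77]": (240, 7, 4, 24, 354176),
    "Saber et al. [131]": (240, 5, 4, 160, 524288),
    "Read [125]": (240, 5, 3, 32, 524288),
    "Burnett [16]": (240, 5, 4, 128, 524288),
    "Stanica [148]": (240, 2, 2, 512, 524288),
    "Misty1 / KASUMI 9x9 S-box [2]": (240, 2, 2, 512, 524288),
}
# (NL, deg, ACmax) triples copied from the n = 8 column of Table 7.7.
TABLE_7_7_N8 = {
    "Kavut et al. [80] (a)": (116, 7, 24),
    "Kavut et al. [80] (b)": (114, 7, 16),
    "Clark et al. [33][34][35] (a)": (116, 7, 24),
    "Clark et al. [33][34][35] (b)": (112, 5, 16),
}

if __name__ == "__main__":
    print("BKPE, n = 9:", best_known_pareto_efficient(TABLE_7_8, PROFILE_SIGNS))
    print("BKPE, n = 8:", best_known_pareto_efficient(TABLE_7_7_N8, TRIPLE_SIGNS))
```

For $n = 9$ only the Kavut et al. profile survives, which is the claim made for Table 7.8; for $n = 8$ the two Kavut et al. triples and the identical Clark et al. triple $(116, 7, 24)$ remain, while $(112, 5, 16)$ is dominated by $(114, 7, 16)$.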

Combining Genetic Algorithms and Hill Climbing Methods

In this section, we present a useful application of Genetic Algorithms to the search for cryptographically robust Boolean functions. Genetic algorithms were designed to mimic natural evolutionary processes by operating on a population of genomes (a list of candidate solutions to the problem). The genetic processes of selection, mating and mutation are combined in order to “breed” superior genomes (solutions). The Genetic Algorithm Library GAlib was (straightforwardly) linked with our VBF library to search for Boolean functions with good combined cryptographic criteria. When using the GAlib library we work primarily with two classes: a genome and a genetic algorithm. Each genome instance represents a single solution to our optimization problem. The genetic algorithm object defines how the evolution should take place. The genetic algorithm uses an objective function to determine how “fit” each genome is for survival. It uses the genome operators (built into the genome) and the selection/replacement strategies (built into the genetic algorithm) to generate new individuals. Three items must be defined in order to solve an optimization problem using a genetic algorithm: a representation, the genetic operators and the objective function. The genetic algorithm object determines which individuals should survive, which should reproduce and which should die. It also records statistics and decides how long the evolution should continue. The algorithm updates the population of solutions over a number of iterations (or generations). We have used the number of generations as the stopping measure. Each iteration involves the following steps:

1. Selection of parents from the current population of solutions.

2. Crossover of parents to produce offspring.

3. Mutation of the offspring.

4. Selection from the mutated offspring and the current population of solutions to determine the population of solutions for the next iteration.

Among the many different types of genetic algorithms offered by GAlib we have chosen the standard “simple genetic algorithm” described by Goldberg in his book [63]. This algorithm uses non-overlapping populations and optional elitism. In each generation the algorithm creates an entirely new population of individuals. When a genetic algorithm is used to solve an optimization problem, a single solution to the problem must be representable in a single data structure. The genetic algorithm creates a population of solutions based on a sample data structure that the user provides, and then operates on the population to evolve the best solution. In GAlib, the sample data structure is called a GAGenome (some people refer to it as a chromosome). We have used a type of genome called GA2DBinaryStringGenome. This class is derived from the base GAGenome class and from a data structure class which consists of a 2-dimensional array of Booleans with $2^n$ elements (the binary string is the truth table of the Boolean function). Each genome has three primary operators: initialization, mutation and crossover. With these operators one can bias an initial population, define a mutation or crossover specific to the representation, or evolve parts of the genetic algorithm as the population evolves. The initialization operator determines how the genome is initialized. It is called when a population or the genetic algorithm is initialized. This operator does not actually create new genomes; rather it “stuffs” the genomes with the primordial genetic material from which all solutions will evolve. We have used a uniform random initialization operator. The mutation operator defines the procedure for mutating each genome. The mutation operation introduces randomness into the population of solutions. Mutation is generally applied to the children which result from the breeding process. We have used the typical mutator for a binary string genome, which flips the bits in the string with a given probability (uniform random bit flip). The crossover operator defines the procedure for generating a child from two parent genomes in order to obtain offspring. The crossover operation involves selecting two “parents” from the current population of solutions, picking a random point in the binary string representing each of the parents and swapping the values beyond that point between the two parents. This process results in two “children” with some characteristics of each of the parents.

Weighted Objective Function In addition to the three primary operators, each genome must also contain an Objective Function. The Objective Function is used to evaluate the genome in order to know how good it is compared to the other genomes. Several objective functions were employed, gradually involving more criteria in a weighted manner:

1. Nonlinearity of the Boolean function, $NL(f)$. Boolean functions with very high nonlinearity pose some of the most challenging problems in the area of symmetric cryptography and combinatorics. As mentioned in Section 4.3, for even $n$ the maximum possible nonlinearity is known. However, for odd $n$, constructing Boolean functions with maximum possible nonlinearity is an unsettled open problem. So far, sub-optimal results have mainly been obtained via heuristic search; for example, for $n = 9$ the best known nonlinearity is 242 [79]. This cryptographic criterion is represented by a locally smooth fitness function:

$$o_1 = C_1(f) = NL(f) \qquad (7.4)$$

2. A weighted sum of criteria 1 and 4: the sum of the nonlinearity and the linearity distance of the Boolean function, each normalized with respect to its (a priori known) maximum value:

$$o_2 = w_1 C_1(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{LD(f)}{\max LD} \qquad (7.5)$$

where $\max NL$ and $\max LD$ are respectively the maximum values of nonlinearity and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$.

3. A weighted sum of criteria 1, 2 and 4: the sum of the nonlinearity, algebraic degree and linearity distance of the Boolean function, each normalized with respect to its (a priori known) maximum value:

$$o_3 = w_1 C_1(f) + w_2 C_2(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{deg(f)}{\max DEG} + \frac{LD(f)}{\max LD} \qquad (7.6)$$

where $\max NL$, $\max DEG$ and $\max LD$ are respectively the maximum values of nonlinearity, algebraic degree and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$.

4. A weighted sum of criteria 1, 2, 3 and 4: the sum of the nonlinearity, algebraic degree, algebraic immunity and linearity distance of the Boolean function, each normalized with respect to its (a priori known) maximum value:

$$o_4 = w_1 C_1(f) + w_2 C_2(f) + w_3 C_3(f) + w_4 C_4(f) = \frac{NL(f)}{\max NL} + \frac{deg(f)}{\max DEG} + \frac{AI(f)}{\max AI} + \frac{LD(f)}{\max LD} \qquad (7.7)$$

where $\max NL$, $\max DEG$, $\max AI$ and $\max LD$ are respectively the maximum values of nonlinearity, algebraic degree, algebraic immunity and linearity distance which can be achieved by a Boolean function with the same number of input variables as $f$.

5. A weighted sum of criteria 1, 2, 3, 4 and 5: the sum of the nonlinearity, algebraic degree, algebraic immunity, linearity distance and (transformed) sum-of-squares indicator of the Boolean function, each normalized with respect to its (a priori known) range:

$$o_5 = w_1 C_1(f) + w_2 C_2(f) + w_3 C_3(f) + w_4 C_4(f) + w_5 C_5(f) = \frac{NL(f)}{\max NL} + \frac{deg(f)}{\max DEG} + \frac{AI(f)}{\max AI} + \frac{LD(f)}{\max LD} + \frac{2^{3n} - \sigma(f)}{\max \sigma - \min \sigma} \qquad (7.8)$$

where $\max NL$, $\max DEG$, $\max AI$, $\max LD$ and $\max \sigma$ are respectively the maximum values of nonlinearity, algebraic degree, algebraic immunity, linearity distance and sum-of-squares indicator which can be achieved by a Boolean function with the same number of input variables as $f$, and $\min \sigma$ is the minimum value of the sum-of-squares indicator achievable by a Boolean function with the same number of input variables as $f$.

Note that the weighting in the above objective functions is arbitrary and has been considered only as a first approach to their design. In general, a proper tuning of the corresponding weights is required in order to adjust the desired degree of priority among the different criteria. Although simulations have been performed for all the different objective functions (with the above weighting), we mainly focused on $o_1$ and $o_2$, since they are computationally the most tractable and they give total priority to nonlinearity and linearity distance. We carried out extensive simulations, forming initial populations of different sizes (100, 330, 1000, 3300, 10000 and 33000) for numbers of variables $n$ varying from 8 to 15. The experiments were performed on these populations for different numbers of generations (33, 100, 330, 1000). The crossover probabilities used in the experiments were 0.9, 0.3, 0.1, 0.033 and 0.01, and the mutation probabilities were 0.33, 0.1, 0.033, 0.01, 0.0033 and 0.001. Some of the results achieved in the above experiments are shown in Tables 7.10-7.15. Table 7.10 compares our proposed algorithm with the Genetic Algorithms (GA) implemented by Millan [101] and by Dimovski et al. [50] in achieving high nonlinearity. Table 7.11 shows the results we obtained for balanced Boolean functions. Table 7.12 shows the corresponding representations of the Boolean functions in Table 7.11.

Table 7.10 Comparison of nonlinearity achieved in Boolean functions.

n     Benchmark   GA (Millan)   GA (Dimovski et al.)   Our GA
8     120         113           113                    114
9     242         232           232                    232
10    496         475           475                    475
11    996         968           964                    967
12    2016        1964          1956                   1959
13    4040        3968          −                      3960
14    8128        7996          −                      7991
15    16276       16085         −                      16079

Table 7.11 Results obtained for different n-input balanced Boolean functions.

n     Profile (NL,deg,AI,ACmax,σ)   Objec.   Pop. size   N. gener.   Prob. cross.   Prob. mut.
8     (112,7,4,40,127744)           o1       3300        330         0.01           0.001
9     (232,8,4,72,592640)           o1       1000        1000        0.1            0.1
10    (474,9,5,136,2617600)         o1       3300        1000        0.01           0.033
11    (966,10,5,216,10900352)       o1       330         1000        0.01           0.01
12    (1952,11,6,296,47699968)      o2       10000       33          0.033          0.01

Table 7.12 Representations (hexadecimal truth tables) of the Boolean functions in Table 7.11.

n     Representation
8     49fad72ba27c85843c924ef4001254f5977c9a01e6eb6edf38fee6916664034b
9     4426103560e71d2bfafa6344d275d47c8d37287b80ef17d290dfc41096c9f41f75d67d7b72258c400f4d54f8327cb8fdacf7ba513d66cb076c36d802a9a11515
10    9972e6c586fc0456767226241d2b34122323ab4c09a8a71891fe5d520a723a643c4fa8728ab7c37587db18bd246b0c4fc47949f2deac995a71136dbac8846fe73a421393dd64144f9b595fc5caf2a3dde154756783dcb33dbac879fda1d1d659d4a1716b81cd63a64e3d3c93e6c2d42b68ed1200386c1e0c5ca59ee87f446ef9
11    a3bb5c09be9efcf5a53e3ce7f4e8c3760d490e56411127271bc947be858038553abe588892769e30248de5be0c690f23a0d240aa000245732d074549166c355492c2e4d17578cf59944702eaf2a5e4c9757aaac6f3d2688db8deb3515e1d4b5064eeea35844ad1ec69875b91cd647755f8338769d5d1932af21843cdff704a0dfc5a3e5dec05c624a64e0c9ffd196720b262277a66dfbaee4bebf06d5fe19bb835d8abaea371597490b47221f6432b3c3982cc9c766dab8825dd1d7bef7535e2cf77608026f4dabfe22ce794ada88d51473111d89cf7b93ba8d05f14e1d539f98746792544048c44442d674e68c9fca6a5b0d24c456dfe351f0a699528364dea
12    0df1e66f2e0a43ebac25e6de10b02026e29747bf333d606a71484fb487edb4dd249d82f0cd101ff7b328ac3c367a5a3fdab01a881fe078c93f54f186343cfbbc698ef5624d61b1cb3c8aee19f45188904dca0d719aebe71c595abb38464b7c715e2048d99685eab104d6563aa04854ece15b9384da3896a0b5b8e90e7562acf79850734eadf0416472ece5010282c14cef00182c827f989e20a1b1463ec9817748a9f8d98018d3ced4b2ed9b64b96dd895407ea77f9b9de6a3f5af90be4fa044ce5b72a5a6164e8e1f5346de13be3827bc4c43d592e4958b6a7e9547382e688248d2c5fa007ac10c32031d9e24f24d5fa2a02b708153b42f518fb445502906a85f56d56404e4b0a2a88cdeb658aa0f861e7f2afccdcee9ce3b45be9b4edea0f88177605e54dd8e230fbe4eb5fe40c8cfac8f9a0c3a58f6230c925422bed1b3baee703729d1994bcd2dacd7383f7e5051bbda718ca8a45db79a4364f3f9b8d43d8fde98c677721d8faec5bca5d836b964b592c1d60c0bb95652d2c134448a8c45a709753de6d898f490595055452f430b951fddbb40f7b68b6ff1b8794ae05f8fef3be932e716352e59f564e75d05818e736174dc77579cfa617ca32fbb4c40c9b01103ca949fe145ff692e8b72bea31a10ab67c55a88196af1f0337fc14d864bc2981f3abb48f03486c388977ac33d8a78eb5e939f6774b441db96e2f027b595

A Further One-step Hill Climbing

At this point, the VBF library can be employed to apply a one-step Hill Climbing for a search of 9-variable Boolean functions with highest nonlinearity. Using the previous algorithms, we had found 5121 Boolean functions with maximum known nonlinearity 242, which can be grouped into five different affine equivalence classes. Two Boolean functions f, g are affine equivalent if the following equality holds (refer to section 3.10.1 for a detailed explanation of affine equivalence of Boolean functions):

$$g(x) = f(Ax + b) + c \cdot x + d \qquad (7.9)$$

where $A \in M_{n \times n}(GF(2))$, $b, c \in V_n$ and $d \in GF(2)$. There are some function properties which are invariant under the mapping defined in (7.9). In fact, the five obtained affine equivalence classes can be identified by invariant properties such as the frequency distribution of the absolute values of the Walsh spectrum and of the autocorrelation spectrum. These invariants have been obtained for the five affine equivalence classes with the VBF library, providing the results shown in Tables 7.13 and 7.14:

Table 7.13 Frequency distribution of the absolute values of the Walsh Spectrum.

f     Values as (|W_f|, frequency) pairs
f1    (4,30), (12,46), (20,226), (28,210)
f2    (4,30), (12,46), (20,226), (28,210)
f3    (4,30), (12,46), (20,226), (28,210)
f4    (4,56), (12,58), (20,154), (28,244)
f5    (4,57), (12,91), (20,97), (28,267)

Table 7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum.

f     Values as (|r_f(d)|, frequency) pairs
f1    (0,129), (8,298), (16,60), (24,9), (32,2), (40,13), (512,1)
f2    (0,150), (8,196), (16,148), (24,12), (32,5), (512,1)
f3    (0,183), (8,223), (16,84), (24,6), (32,4), (40,10), (56,1), (512,1)
f4    (0,157), (8,232), (16,84), (24,8), (32,17), (40,10), (48,3), (512,1)
f5    (0,192), (8,156), (16,129), (24,9), (32,13), (40,3), (48,6), (64,3), (512,1)

1024 Boolean functions were found within each of the classes f1, f3, f4 and f5, and 1025 within the class f2. The truth tables of all these Boolean functions are available at [156]. Using the VBF library, the values of the other cryptographic criteria (algebraic degree, algebraic immunity, absolute indicator and sum-of-squares indicator) were easily computed for each one of these 5121 Boolean functions. Since such criteria are invariant under affine transformations, they take the same value within each class. Table 7.15 shows their values for the functions within each class.

Table 7.15 Additional cryptographic criteria for the f1-f5 classes.

Class   deg   AI   ACmax   σ
f1      7     4    40      324608
f2      7     4    32      324608
f3      7     4    56      324608
f4      7     4    48      343424
f5      7     4    64      354560

Note that if we consider the profile characteristics, we have ACmax(f2) < ACmax(f1) < ACmax(f3) < ACmax(f5) and ACmax(f1) < ACmax(f4) < ACmax(f5), while all five classes share NL = 242, deg = 7 and AI = 4, and σ(f2) is also minimal among them. This implies that f1, f3, f4 and f5 are not Pareto efficient, since each of them is dominated by f2. Hence, f2 remains as the best choice. In fact, to the best of our knowledge, the whole set f2 may be Pareto efficient (i.e., it is Best Known Pareto Efficient). An ad hoc one-step Hill Climbing was further performed in order to obtain balanced Boolean functions with n = 9 and nonlinearity greater than or equal to 240 from these unbalanced functions with nonlinearity 242. The idea behind this computational search consists in the following steps:

1. Search for unbalanced functions with nonlinearity 242 and weight either 254 or 258, that is, two bits away from the weight of a balanced function.

2. Change two bits in the selected functions in order to achieve a balanced function. By Corollary 5.4.3, it is guaranteed that the nonlinearity of the Boolean functions obtained after step 2 is at least 240.

3. Remove repeated functions.

4. Calculate the profile of the remaining functions.

5. Select the functions with the best profiles in the Pareto sense.

After executing this algorithm on the Boolean functions with nonlinearity 242 described above, the following results were obtained:

• 567 different profiles were found with nonlinearity 240 and algebraic degree 8.

• The algebraic immunity takes values from the set {4,5}.

• The linearity distance takes values from the set {110,112,114,116,118,120,122}.

• The absolute indicator takes values from the set {24,32,40,48,56,64,72}.

• The sum-of-squares indicator takes 137 different values between 323456 and 377600.

Examples of balanced Boolean functions with Best Known Pareto Efficient profiles are:

P9(f1) = (240,8,4,24,339200) with hexadecimal representation:

115bd52305367fc6a07c098e8b1e1d21d5fd983ce40979a1da85ce591d02540efebd4a7a34dddf4d6c6a1b57f350b54e9420c3998eba1176c6e8fb9b8406f10f

Note that, given this profile, we have proved that the profile provided by Kavut et al. [77] is not Pareto efficient: (240,8,4,24,339200) equals their (240,7,4,24,354176) in NL, AI and ACmax, and is strictly better in algebraic degree and sum-of-squares indicator.

P9(f2) = (240,8,5,40,347648) with hexadecimal representation:

1de90d23b5024350f57f9f6020396aa70b8775b1ccb4c9b01dec1d00b6435a0e6314f2d55afcfd3955df9b7383dc69f1c786b9a0cc91daae7529a9323d274047
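The profile computation used throughout this section and the one-step Hill Climbing of steps 1-5 above, written out as an added Python example (it is not code from the VBF library or from the thesis, and the function names are chosen for this example only): profile() returns (NL, deg, AI, ACmax, σ) for a truth table, with nonlinearity and autocorrelation obtained from the fast Walsh-Hadamard transform, the algebraic degree from the Möbius transform and the algebraic immunity from a GF(2) rank test for annihilators of f and of f + 1; abs_distribution() tabulates the (|value|, frequency) pairs of a spectrum, which are the affine invariants used in Tables 7.13 and 7.14; one_step_hill_climb() flips two bits of a function of weight 2^(n-1) ± 2 in every possible way, profiles the resulting balanced functions and keeps the Pareto-efficient profiles. BENT4 is a constructed 4-variable bent function, chosen because the exhaustive two-bit search over it runs instantly; P9_F1_HEX is the hexadecimal string of P9(f1) quoted above. The text does not state how a hexadecimal string maps to a truth table, so the reading order (MSB first, bit i equal to f(i)) is an assumption; it is harmless here because all five criteria are affine invariants, so profile(truth_table_from_hex(P9_F1_HEX, 9)) recomputes the profile of P9(f1) under any consistent reading.

```python
from collections import Counter
from itertools import combinations

def truth_table_from_hex(hex_string, n):
    """Assumed reading order (the text states none): a 2^n-bit integer, MSB first, bit i = f(i).
    All criteria below are affine invariants, so other consistent reading orders agree."""
    bits = bin(int(hex_string, 16))[2:].zfill(4 * len(hex_string))
    if len(bits) != 1 << n:
        raise ValueError("expected %d bits, got %d" % (1 << n, len(bits)))
    return [int(b) for b in bits]

def butterfly(values, op):   # generic length-2^n butterfly; op(a[j], a[j+h]) returns the new pair
    a, h = list(values), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = op(a[j], a[j + h])
        h *= 2
    return a

def walsh_spectrum(tt):      # W_f(a) = sum_x (-1)^(f(x) + a.x), via the fast Walsh-Hadamard transform
    return butterfly([1 - 2 * b for b in tt], lambda x, y: (x + y, x - y))

def autocorrelation(tt):     # r_f(d) = sum_x (-1)^(f(x) + f(x+d)) = WHT(W_f^2) / 2^n
    squares = [v * v for v in walsh_spectrum(tt)]
    return [v // len(tt) for v in butterfly(squares, lambda x, y: (x + y, x - y))]

def nonlinearity(tt):        # NL(f) = 2^(n-1) - max|W_f| / 2
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2

def algebraic_degree(tt):    # Moebius transform gives the ANF; degree = largest monomial weight present
    coeffs = butterfly(tt, lambda x, y: (x, x ^ y))
    return max((bin(u).count("1") for u, c in enumerate(coeffs) if c), default=0)

def absolute_indicator(tt):  # ACmax(f) = max over d != 0 of |r_f(d)|
    return max(abs(v) for v in autocorrelation(tt)[1:])

def sum_of_squares(tt):      # sigma(f) = sum_d r_f(d)^2
    return sum(v * v for v in autocorrelation(tt))

def abs_distribution(spectrum):  # (|value|, frequency) pairs, the class invariants of Tables 7.13 and 7.14
    return sorted(Counter(abs(v) for v in spectrum).items())

def gf2_rank(rows):          # rank over GF(2); rows are Python ints, bit j of a row is column j
    pivots, rank = {}, 0
    for row in rows:
        while row:
            top = row.bit_length() - 1
            if top not in pivots:
                pivots[top], rank = row, rank + 1
                break
            row ^= pivots[top]
    return rank

def has_annihilator(points, n, d):
    """Nonzero g with deg(g) <= d vanishing on all `points`?  One row per point, one column
    per monomial x^u with wt(u) <= d; a nonzero kernel exists iff rank < number of columns."""
    monomials = [u for u in range(1 << n) if bin(u).count("1") <= d]
    rows = [sum(1 << c for c, u in enumerate(monomials) if (u & x) == u) for x in points]
    return gf2_rank(rows) < len(monomials)

def algebraic_immunity(tt):  # least degree of a nonzero annihilator of f or of f + 1
    n = len(tt).bit_length() - 1
    ones = [x for x, b in enumerate(tt) if b]
    zeros = [x for x, b in enumerate(tt) if not b]
    if not ones or not zeros:
        return 0
    return next(d for d in range(1, n + 1)
                if has_annihilator(ones, n, d) or has_annihilator(zeros, n, d))

def profile(tt):             # (NL, deg, AI, ACmax, sigma), the tuple used in this chapter
    return (nonlinearity(tt), algebraic_degree(tt), algebraic_immunity(tt),
            absolute_indicator(tt), sum_of_squares(tt))

def dominates(p, q):         # NL, deg, AI: higher is better; ACmax, sigma: lower is better
    return p != q and all((p[0] >= q[0], p[1] >= q[1], p[2] >= q[2], p[3] <= q[3], p[4] <= q[4]))

def one_step_hill_climb(tt):
    """Steps 1-5 of the text for a function of weight 2^(n-1) +/- 2: flip two bits of the majority
    value (balancing it; each flip moves the distance to every affine function by one, so NL
    drops by at most two), drop duplicates, profile, and keep the Pareto-efficient profiles."""
    half, weight = len(tt) // 2, sum(tt)
    if abs(weight - half) != 2:
        raise ValueError("weight must be 2^(n-1) +/- 2")
    majority, candidates = int(weight > half), {}
    for a, b in combinations([x for x, v in enumerate(tt) if v == majority], 2):
        g = list(tt)
        g[a] ^= 1
        g[b] ^= 1
        candidates[tuple(g)] = profile(g)
    found = set(candidates.values())
    return candidates, {p for p in found if not any(dominates(q, p) for q in found)}

# Constructed input (x_i is bit i-1 of the index): BENT4 = x1x2 + x3x4, weight 6, two below balanced.
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]
# Hexadecimal representation of P9(f1) as quoted in the text; the thesis reports (240,8,4,24,339200).
P9_F1_HEX = ("115bd52305367fc6a07c098e8b1e1d21d5fd983ce40979a1da85ce591d02540e"
             "febd4a7a34dddf4d6c6a1b57f350b54e9420c3998eba1176c6e8fb9b8406f10f")
```

For a 9-variable function the algebraic immunity test builds at most a 256 by 256 matrix over GF(2) (the monomials of degree at most 4 against the points of the support), so a full profile takes well under a second in pure Python; for the 11-variable functions below the matrix grows to 1024 by 1024 and a compiled implementation such as VBF is the practical choice. The two-bit search over one 9-variable function of weight 254 or 258 has C(258,2) or C(254,2) candidates, each needing a profile, which is why the text restricts it to the 5121 functions already found rather than to arbitrary starting points.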

The same algorithm was executed to obtain balanced Boolean functions for n = 11 providing the following results:

• 3131 different profiles were found with nonlinearity 992.

• The algebraic degree takes values from the set {9,10}.

• The algebraic immunity takes values from the set {4,5}.

• The absolute indicator takes values from the set:

{120,128,136,144,160,168,176,192,200,208,224,232,240,248,256,264}.

• The sum-of-squares indicator takes 659 different values between 5253632 and 5844608.

Two examples of balanced Boolean functions with Best Known Pareto Efficient profiles are:

P11(f3) = (992,10,5,120,5311616) with hexadecimal representation:

06ee11ee1e11e0eee11ee1e1111ee1e111eeeee11ee1eee1eee11eeee111e1eee1eee11e1111e1e11eeee11e111eee111e11111ee1e111ee1eee1ee1ee11e11ee1eeee1eee11e1e1ee11eeeee11e1111e11e1e1eeeeee111ee1ee1111e11e11111eee1ee111e1e1eee1e1111eeee1eee11eeee11e111eeeee1ee1e11ee1e1eee1ee111e111e1111e1e1ee1ee0e11ee1e11111111e111ee111ee1ee11ee1e11e11111e1eee1e1eeeeeee1ee1ee111eee1e1e1e1111ee11111111ee11ee11e1ee11eee1e11ee11ee1111e1e1ee1ee11e11e1e1ee1111e1eee1e1e1e11e11eee111ee1ee11e1e1eeeeee111ee11e111eeee1111eee111e111e1ee1eeeee1eeee11e

and P11(f4) = (992,10,5,168,5253632) with hexadecimal representation:

fcb4b4bb4bbb4b44bb4b44bb444b44cb4bb444bbbbbbb44444bb444b444444b4b44bbb4444bb444b4bbb4b4b4bb4b4b44b4b444bbbb44b4b4b4bb44b44b4b44bbb44444bb4444b4b4444b4bbb444444bb444b4b4bbb4b44b444bbbbb4b44bbbbb4444bb4bbb44b4bbbbb44b444bb444b444b444b4b4b44bb444bbb44bbb44bbb4bbb4b44b44bbb44bb4bbbbb4444bb4bb4444bb4b4b4b4bb4444b4444bbb44b4cb44bbbb4b4b4b444b44bb4444bb44bbbbbb4bbb444bb4444b44444b44b444bb4b4bb44b444bbbbbbb4bb4bbb4b4b4b4bb4bbb4bb44b4bb4b4444bb44b444444b4bb4b4bb44bbbbbbbbbb444b4b4bb4b44bbb4bb4bb4b4bbbbb44bbb44b4bbb4

In Table 7.16 we compare the profiles of these functions with the best profiles for balanced Boolean functions obtained for n = 9 and n = 11. In summary, the Best Known Pareto Efficient (BKPE) Boolean functions obtained satisfy:

• For n = 9, they are the only BKPE existing functions, since they are strictly better than all the functions provided by other authors. (Remember that the functions provided in Kavut et al. [80][77] discarded all alternative proposals; and now we have discarded Kavut's functions by proving that they were not Pareto efficient either.)

• For n = 11, they provide better values for the criteria (NL,deg,AI,σ) and worse values for ACmax. In general, these four criteria (especially (NL,deg)) are considered to be more relevant than ACmax. Hence, the obtained BKPE functions may be considered as very competitive in the whole set of BKPE functions.

Table 7.16 Comparison of the best results for (NL,deg,AI,ACmax,σ).

Results                  n = 9                   n = 11
Kavut et al. [80][77]    (238,8,−,40,−)          (984,10,−,80,−)
                         (240,7,4,24,354176)     (988,10,5,56,5980928)
                                                 (992,8,−,64,−)
Ours                     (240,7,4,32,324608)     (992,10,5,120,5311616)
                         (240,8,4,24,339200)     (992,10,5,168,5253632)
                         (240,8,5,40,347648)

Chapter 8

Conclusions and Future Research

This chapter starts by presenting, in the first section, a summary of the research performed in this thesis. This is followed, in the second and final section, by a discussion of possible future directions that could extend the performed research.

8.1 Summary and Conclusions of the Thesis

The research presented in this thesis has fulfilled the aim to expand the boundaries of Vector Boolean function knowledge and, in particular, to provide a library, called VBF, for the study and evaluation of Vector Boolean functions. The main contributions of the thesis come from the objectives and corresponding outcomes outlined in Chapter 1. Here, we comment on such results:

• The theoretical results allow for an efficient library coding, a systematic analysis of Vector Boolean functions as basic constituents of Block Ciphers, and a way to analyze combinations of such constituents (as the ones illustrated in existing ciphers).

• The VBF library features, such as being open source and of general purpose among others, make it very useful when compared with other analysis software. The performance and utilities of VBF have been grounded on the analysis of the typical forms of Vector Boolean representation and their relationships, as well as on the analysis of cryptographic criteria of Vector Boolean functions, so that they have been efficiently implemented in the VBF library.

• The combination of the theoretical results and the VBF library implementation has allowed us to perform research located between the cryptanalysis and the cryptographic design of symmetric cryptographic algorithms, helping the design of robust ciphers.

A good understanding of the existing cryptographic attacks has been achieved, leading to a solid grasp of the desired properties or conditions on the algorithms' building blocks (to be modelled as Vector Boolean functions or S-boxes), as well as of their relationships.

• The detailed cryptanalysis performed for several existing modern ciphers provides an excellent framework for understanding their behavior and suggesting different ways to improve their performance.

• The VBF library has been easily linked with optimization computational schemes, so that these schemes have been successfully employed to find brand new Best Known Pareto Efficient (BKPE) Boolean functions.

• Some of the obtained Boolean functions are the only BKPE ones, i.e., they are strictly better than all the other functions known to date. It is worth mentioning that these computations have been performed with limited computational resources (personal computers).

8.2 Future Directions

There are many open problems in the research related to Vector Boolean functions in cryptography. A list of basic open questions related to the nonlinearity of Boolean functions has been presented by Dobbertin in [52]. However, all these problems are considered to be very hard since they are related to longstanding open problems in Reed-Muller codes. Instead, we present below a list of several open problems which we believe are challenging and tractable in future research. During and subsequent to the research performed for this thesis, a number of areas of future work have been identified. We now discuss directions for future research which involve both an extension of some of the work contained in this thesis, and new topics of related work which could also be investigated.

1. As a fundamental theoretical result, it would be interesting to enumerate the existing bent functions for a high number of input variables.

2. The use of parallel computer processing techniques would aid in the implementation of larger computer experiments with the VBF library. This would allow for a more exhaustive exploration of the o3, o4 and o5 objective functions with different tunings of their weighting parameters.

3. New methods for constructing strong Vector Boolean functions which are a combination of heuristic techniques and algebraic constructions would be a worthwhile direction of research. The rationale for this is that inherent limitations of each technique may possibly be overcome by combining the two approaches to work towards capitalizing on their advantages. Heuristic techniques tend to be able to produce a large number of functions with good cryptographic properties but become inefficient for very large numbers of inputs. Algebraic constructions, on the other hand, typically enable the construction of a small number of functions with optimal or close to optimal properties, often with potential weaknesses in their structure, while the number of inputs tends to be of less relevance than with heuristic searches.

4. The analysis of the linear combinations of robust Boolean functions would help to identify possible candidates for coordinates of robust S-boxes.

5. The practical design of a Boolean function or S-box should not only focus on optimizing cryptographic properties but it also should keep the implementation complexity (neglected by many authors until now) in mind. Having relied on scarce computational resources, this thesis has partially (and implicitly) considered such practical aspect, but it is important to address this issue more deeply in the future research.

References

[1] 3rd Generation Partnership Project (2001). Security Algorithms Group of Experts (SAGE); report on the evaluation of 3GPP Standard Confidentiality and Integrity Algo- rithms (SAGE version 2.0). Technical report, 3GPP. http://www.3gpp.org.

[2] 3rd Generation Partnership Project (2005). Specification of the 3GPP confidentiality and integrity algorithms - Document 2: KASUMI specification (Release 6), 3GPP TS 35.202 V6.1.0 (2005-09). Technical report, 3GPP.

[3] Adams, C. M. and Tavares, S. E. (1993). Designing S-boxes for ciphers resistant to differential cryptanalysis (extended abstract). In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pages 181–190.

[4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de walsh al criptoanálisis lineal y diferencial. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI’2005), pages 11–18. Thomson.

[5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress.

[6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. InTech, Cryptography and Security in Com- puting, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security- in-computing/cryptographic-criteria-on-vector-boolean-functions.

[7] Álvarez-Cubero, J. A. and Zufiria, P. J. (In press). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software.

[8] Anderson, R., Biham, E., and Knudsen, L. (2000). Serpent: A proposal for the Advanced Encryption Standard.

[9] Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., and Tokita, T. (2000). Camellia: A 128-bit block cipher suitable for multiple platforms - design and analysis.

[10] Barreto, P. S. and Rijmen, V. (2000a). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/.zip.

[11] Barreto, P. S. and Rijmen, V. (2000b). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/.zip.

[12] Bibliowicz, A., Cohen, P., and Biham, E. (2003). A system for assisting analysis of some block ciphers. Technical Report NES/DOC/TEC/WP2/007/2, Israel Institute of Technology, Haifa, Israel.

[13] Biham, E. and Shamir, A. (1990). Differential cryptanalysis of DES-like cryptosystems. In CRYPTO, pages 2–21.

[14] BOOLFUN (2010). Cryptographic Boolean functions. http://cran.r-project.org/web/packages/boolfun/index.html.

[15] Braeken, A., Borissov, Y., Nikova, S., and Preneel, B. (2004). Classification of Boolean functions of 6 variables or less with respect to cryptographic properties (extended version). IACR Cryptology ePrint Archive, 2004:248.

[16] Burnett, L. (2005). Heuristic Optimization of Boolean Functions and Substitution Boxes for Cryptography. PhD thesis, Queensland University of Technology, Australia.

[17] Ding, C., Xiao, G., and Shan, W. (1991). The Stability Theory of Stream Ciphers, volume 561 of Lecture Notes in Computer Science. Springer-Verlag, Berlin.

[18] Camion, P., Carlet, C., Charpin, P., and Sendrier, N. (1992). On correlation-immune functions. In CRYPTO '91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, pages 86–100, London, UK. Springer-Verlag.

[19] Canteaut, A. (2006). Open problems related to algebraic attacks on stream ciphers. In Ytrehus, Ø., editor, Coding and Cryptography, volume 3969 of Lecture Notes in Computer Science, pages 120–134. Springer, Berlin, Heidelberg.

[20] Canteaut, A., Carlet, C., Charpin, P., and Fontaine, C. (2000). Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions. In EUROCRYPT, pages 507–522.

[21] Carlet, C. (1993). Two new classes of bent functions. In EUROCRYPT, pages 77–101.

[22] Carlet, C. (2001). On the coset weight divisibility and nonlinearity of resilient and correlation immune functions. In Proceedings of SETA'01, pages 131–144. Springer.

[23] Carlet, C. (2004). On the secondary constructions of resilient and bent functions. In Progress in Computer Science and Applied Logic, pages 3–28.

[24] Carlet, C. (2008a). Boolean functions for cryptography and error correcting codes.

[25] Carlet, C. (2008b). On the higher order nonlinearities of Boolean functions and S-boxes, and their generalizations. In Sequences and Their Applications, SETA 2008, pages 345–367. Springer.

[26] Carlet, C., Dalai, D. K., Gupta, K. C., and Maitra, S. (2006). Algebraic immunity for cryptographically significant Boolean functions: Analysis and construction. IEEE Transactions on Information Theory, 52(7):3105–3121.

[27] Carlet, C. and Gaborit, P. (2005). On the construction of balanced Boolean functions with a good algebraic immunity. In Proceedings of the 2005 IEEE International Symposium on Information Theory (ISIT 2005), pages 1101–1105.

[28] Carlet, C. and Sarkar, P. (2001). Spectral domain analysis of correlation immune and resilient Boolean functions.

[29] Chabaud, F. and Vaudenay, S. (1994). Links between differential and linear cryptanalysis. In EUROCRYPT, pages 356–365.

[30] Charpin, P. and Pasalic, E. (2003). On propagation characteristics of resilient functions. In Nyberg, K. and Heys, H., editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 175–195. Springer, Berlin, Heidelberg.

[31] Chaum, D. and Evertse, J.-H. (1985). Cryptanalysis of DES with a reduced number of rounds: Sequences of linear factors in block ciphers. In CRYPTO, pages 192–211.

[32] Chen, L., Fu, F.-W., and Wei, V. K. (2002). On the constructions and nonlinearity of binary vector correlation-immune functions. In Proceedings of the 2002 IEEE International Symposium on Information Theory, page 39.

[33] Clark, J. and Jacob, J. (2000). Two-stage optimisation in the design of Boolean functions. In Information Security and Privacy, ACISP 2000, volume 1841 of Lecture Notes in Computer Science, pages 242–254.

[34] Clark, J., Jacob, J., Stepney, S., Maitra, S., and Millan, W. (2002). Evolving Boolean functions satisfying multiple criteria. In Menezes, A. and Sarkar, P., editors, Progress in Cryptology - INDOCRYPT 2002, volume 2551 of Lecture Notes in Computer Science, pages 246–259. Springer, Berlin, Heidelberg.

[35] Clark, J. (2001). Metaheuristic Search as a Cryptological Tool. PhD thesis, Department of Computer Science, University of York.

[36] CLEFIA (2007). CLEFIA - the 128-bit blockcipher. http://www.sony.net/Products/cryptography/clefia/download/index.html.

[37] Coello, C. A., Dhaenens, C., and Jourdan, L. (2010). Advances in Multi-Objective Nature Inspired Computing. Springer Publishing Company, Incorporated, 1st edition.

[38] Coello, C. A. C., Lamont, G. B., and Van Veldhuizen, D. A. (2006). Evolutionary Algorithms for Solving Multi-Objective Problems (Genetic and Evolutionary Computation). Springer-Verlag New York, Inc., Secaucus, NJ, USA.

[39] Cohen, G., Karpovsky, M., Mattson, H., and Schatz, J. (1985). Covering radius - survey and recent results. IEEE Transactions on Information Theory, 31(3):328–343.

[40] Courtois, N. (2003). Fast algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 177–194.

[41] Courtois, N. and Meier, W. (2002). Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 346–359.

[42] Courtois, N. and Meier, W. (2003). Algebraic attacks on stream ciphers with linear feedback. In EUROCRYPT, pages 345–359.

[43] Courtois, N. T. and Pieprzyk, J. (2002). Cryptanalysis of block ciphers with overdefined systems of equations. In Advances in Cryptology - ASIACRYPT 2002, pages 267–287. Springer.

[44] CRYPTOOL (2008). Educational tool for cryptography and cryptanalysis. http://www.cryptool.org/.

[45] Daemen, J., Knudsen, L., and Rijmen, V. (1997). The block cipher Square. In Biham, E., editor, Fast Software Encryption, volume 1267 of Lecture Notes in Computer Science, pages 149–165. Springer, Berlin, Heidelberg.

[46] Daemen, J. and Rijmen, V. (2002). The Design of Rijndael. Springer-Verlag New York, Inc., Secaucus, NJ, USA.

[47] Dalai, D. K., Gupta, K. C., and Maitra, S. (2004). Results on algebraic immunity for cryptographically significant Boolean functions. In INDOCRYPT, pages 92–106.

[48] Davio, M., Deschamps, J., and Thayse, A. (1978). Discrete and Switching Functions, volume 1 of Advanced Book Program. McGraw-Hill.

[49] Deb, K. (2001). Multi-Objective Optimization Using Evolutionary Algorithms. John Wiley & Sons, Inc., New York, NY, USA.

[50] Dimovski, A. and Gligoroski, D. (2003). Generating highly nonlinear Boolean functions using a genetic algorithm. In 6th International Conference on Telecommunications in Modern Satellite, Cable and Broadcasting Service (TELSIKS 2003), volume 2, pages 604–607.

[51] Dobbertin, H. (1994). Construction of bent functions and balanced Boolean functions with high nonlinearity. In Fast Software Encryption, pages 61–74.

[52] Dobbertin, H. (1998). Ten problems on extremely nonlinear Boolean functions. Technical report, Dagstuhl.

[53] Hou, X.-d. (1996). Covering radius of the Reed-Muller code R(1,7) - a simpler proof. Journal of Combinatorial Theory, Series A, 74(2):337–341.

[54] Hou, X.-d. (1997). On the norm and covering radius of the first-order Reed-Muller codes. IEEE Transactions on Information Theory, 43(3):1025–1027.

[55] Dueholm Justesen, P. and Ursem, R. K. (2009). Multiobjective distinct candidates optimization (MODCO): A cluster-forming differential evolution algorithm.

[56] Berlekamp, E. R. and Welch, L. R. (1972). Weight distributions of the cosets of the (32,6) Reed-Muller code. IEEE Transactions on Information Theory, 18(1):203–207.

[57] Ehrgott, M. (2000). Multicriteria Optimization. Lecture Notes in Economics and Mathematical Systems. Springer-Verlag.

[58] Evertse, J.-H. (1987). Linear structures in blockciphers. In EUROCRYPT, pages 249–266.

[59] Evertse, J.-H. (1988). Linear structures in block ciphers. In Advances in Cryptology - EUROCRYPT 87, volume 304 of Lecture Notes in Computer Science, pages 249–266.

[60] Faugère, J.-C. and Ars, G. (2003). An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases. Technical Report 4739, INRIA.

[61] Filiol, E. and Fontaine, C. (1998). Highly nonlinear balanced Boolean functions with a good correlation-immunity. In Nyberg, K., editor, Advances in Cryptology - EUROCRYPT'98, volume 1403 of Lecture Notes in Computer Science, pages 475–488. Springer, Berlin, Heidelberg.

[62] Glover, F. and Laguna, M. (1997). Tabu Search. Kluwer Academic Publishers, Norwell, MA, USA.

[63] Goldberg, D. E. (1989). Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1st edition.

[64] Gong, G., Helleseth, T., Hu, H., and Li, C. (2014). New three-valued Walsh transforms from decimations of Helleseth-Gong sequences. In Sequences and Their Applications, SETA 2012, volume 7280 of Lecture Notes in Computer Science, pages 327–337.

[65] GPRS (2014). General Packet Radio Service. http://www.etsi.org/index.php/technologies-clusters/technologies/mobile/gprs.

[66] Grocholewska-Czurylo, A. (2006). Random generation of highly nonlinear resilient Boolean functions. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'06 Conference, March 13–15, 2006, Rouen, France, pages 61–72.

[67] GSM (2014). Global System for Mobile Communications. http://www.etsi.org/index.php/technologies-clusters/technologies/mobile/gsm.

[68] Guillot, P. (2005). Cryptographical Boolean functions construction from linear codes. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'05 Conference, March 7–8, 2005, Rouen, France, pages 141–154.

[69] Gupta, K. and Sarkar, P. (2005). Improved construction of nonlinear resilient S-boxes. IEEE Transactions on Information Theory, 51(1):339–348.

[70] Heys, H. (1999). A tutorial on linear and differential cryptanalysis. Technical report, Electrical and Computer Engineering, Faculty of Engineering and Applied Science, Memorial University of Newfoundland, St. John's, NF, Canada A1B 3X5.

[71] Holland, J. H. (1973). Genetic algorithms and the optimal allocation of trials. SIAM Journal on Computing, 2(2):88–105.

[72] Hou, X.-d. (1996). The covering radius of R(1,9) in R(4,9). Designs, Codes and Cryptography, 8(3):285–292.

[73] Honkala, I. S. and Östergård, P. R. J. (1997). Applications in code design, chapter 12. In Local Search in Combinatorial Optimization. John Wiley and Sons.

[74] Jakobsen, T. and Knudsen, L. R. (1997). The interpolation attack on block ciphers. In SAC 97, pages 28–40.

[75] Johansson, T. and Pasalic, E. (2003). A construction of resilient functions with high nonlinearity. IEEE Transactions on Information Theory, 49(2):494–501.

[76] KASUMI (2014). Block cipher used in UMTS, GSM and GPRS. http://www.3gpp.org/DynaReport/35202.htm.

[77] Kavut, S., Maitra, S., and Yücel, M. (2006). Autocorrelation spectra of balanced Boolean functions on an odd number of input variables. In Michon, J.-F., Valarcher, P., and Yunès, J.-B., editors, Proceedings of BFCA'06 Conference, March 13–15, 2006, Rouen, France, pages 73–86.

[78] Kavut, S. and Yücel, M. D. (2007). Balanced Boolean functions with nonlinearity > 2^{n-1} - 2^{(n-1)/2}. IACR Cryptology ePrint Archive, 2007:321.

[79] Kavut, S. and Yücel, M. D. (2010). 9-variable Boolean functions with nonlinearity 242 in the generalized rotation symmetric class. Information and Computation, 208(4):341–350.

[80] Kavut, S. and Yücel, M. (2003). Improved cost function in the design of Boolean functions satisfying multiple criteria. In Johansson, T. and Maitra, S., editors, Progress in Cryptology - INDOCRYPT 2003, volume 2904 of Lecture Notes in Computer Science, pages 121–134. Springer, Berlin, Heidelberg.

[81] Kirkpatrick, S., Gelatt, C. D., and Vecchi, M. P. (1983). Optimization by simulated annealing. Science, 220(4598):671–680.

[82] Lai, X. (1990). Linear structures of functions over prime fields. Unpublished.

[83] Lai, X. (1994). Higher order derivatives and differential cryptanalysis. In Proceedings of the Symposium on Communication, Coding and Cryptography.

[84] Lai, X. (1995). Additive and linear structures of cryptographic functions. In Preneel, B., editor, Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, pages 75–85. Springer, Berlin, Heidelberg.

[85] Lechner, R. (1972). Harmonic analysis of switching functions. In Mukhopadhyay, A., editor, Recent Developments in Switching Theory. Academic Press, New York and London.

[86] Lobanov, M. (2005). Tight bound between nonlinearity and algebraic immunity. IACR Cryptology ePrint Archive, 2005:441.

[87] Maitra, S. (2001). Highly nonlinear balanced Boolean functions with very good autocorrelation property. Electronic Notes in Discrete Mathematics, 6:481–490. WCC2001, International Workshop on Coding and Cryptography.

[88] Maitra, S. (2002). Highly nonlinear balanced Boolean functions with good local and global avalanche characteristics. Information Processing Letters, 83(5):281–286.

[89] Maitra, S. (2007). Balanced boolean function on 13-variables having nonlinearity strictly greater than the bent concatenation bound. IACR Cryptology ePrint Archive, 2007:309.

[90] MatPack (2006). MatPack C++ numerics and graphics library. http://www.matpack.de/.

[91] Matsui, M. (1993). Linear cryptanalysis method for DES cipher. In EUROCRYPT, pages 386–397.

[92] Matsui, M. (1994). The first experimental cryptanalysis of the data encryption standard. In CRYPTO, pages 1–11.

[93] Matsui, M. (1997). New block encryption algorithm MISTY. In Fast Software Encryption, 4th International Workshop, FSE '97, Haifa, Israel, January 20-22, 1997, Proceedings, pages 54–68.

[94] Matsui, M. and Yamagishi, A. (1993). A New Method for Known Plaintext Attack of FEAL Cipher. In Rueppel, R. A., editor, Advances in Cryptology — EUROCRYPT’ 92, volume 658 of Lecture Notes in Computer Science, chapter 7, pages 81–91. Springer Berlin Heidelberg, Berlin, Heidelberg.

[95] Maximov, A., Hell, M., and Maitra, S. (2004). Plateaued rotation symmetric boolean functions on odd number of variables. IACR Cryptology ePrint Archive, 2004:144.

[96] MacWilliams, F. and Sloane, N. (1977). The Theory of Error Correcting Codes, volume 1,2. New York, NY: North Holland.

[97] Meier, W., Pasalic, E., and Carlet, C. (2004). Algebraic attacks and decomposition of boolean functions. In Cachin, C. and Camenisch, J., editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 474–491. Springer Berlin Heidelberg.

[98] Meier, W. and Staffelbach, O. (1989). Nonlinearity criteria for cryptographic functions. In EUROCRYPT, pages 549–562.

[99] Millan, W. (1996). Low order approximation of cipher functions. In Dawson, E. and Golić, J., editors, Cryptography: Policy and Algorithms, volume 1029 of Lecture Notes in Computer Science, pages 144–155. Springer Berlin Heidelberg.

[100] Millan, W. (1998). How to improve the nonlinearity of bijective s-boxes. In Information Security and Privacy, ACISP 98, volume 1438 of Lecture Notes in Computer Science, pages 181–192.

[101] Millan, W. L. (1997). Analysis and Design of Boolean Functions for Cryptographic Applications. PhD thesis, Queensland University of Technology, Faculty of Information Technology.

[102] Minsky, M. (1961). Steps toward artificial intelligence. In Computers and Thought, pages 406–450. McGraw-Hill.

[103] Zhang, X.-M. and Zheng, Y. (1996). Auto-correlations and new bounds on the nonlinearity of boolean functions. In Advances in Cryptology - EUROCRYPT 96, pages 294–306. Springer-Verlag.

[104] Murphy, S. (2002). Description of methodology for security evaluation. Technical Report NES/DOC/RHU/WP3/D10/3, European Commission.

[105] Murphy, S. (2004). Final report of European project number IST-1999-12324, named New European Schemes for Signatures, Integrity, and Encryption. Technical Report IST-1999-12324, Commission of the European Communities.

[106] Mykkeltveit, J. (1980). The covering radius of the (128, 8) Reed-Muller code is 56. IEEE Transactions on Information Theory, 26(3):359–362.

[107] National Bureau of Standards (1977). Data Encryption Standard. U. S. Department of Commerce, Washington, DC, USA.

[108] National Institute for Standards and Technology (2001). Advanced Encryption Standard. U. S. Department of Commerce, Washington, DC, USA.

[109] Neubüser, J. (1995). An invitation to computational group theory. In Groups '93 – Galway/St. Andrews, volume 212 of London Math. Soc. Lecture Note Ser., pages 457–475. Cambridge University Press.

[110] Muñoz, V. and Persson, U. (2007). Interviews with three Fields medalists. Notices of the American Mathematical Society, 54(3):405–410.

[111] NTL (2009). NTL: a library for doing number theory. http://www.shoup.net/ntl/.

[112] Nyberg, K. (1991). Perfect nonlinear s-boxes. In EUROCRYPT, pages 378–386.

[113] Nyberg, K. (1992). On the construction of highly nonlinear permutations. In EUROCRYPT, pages 92–98.

[114] Nyberg, K. (1993). Differentially uniform mappings for cryptography. In EUROCRYPT, pages 55–64.

[115] Nyberg, K. (1994). S-boxes and round functions with controllable linearity and differential uniformity. In Fast Software Encryption, pages 111–130.

[116] O'Connor, L. and Klapper, A. (1994). Algebraic nonlinearity and its applications to cryptography. J. Cryptology, 7(4):213–227.

[117] Papadimitriou, C. H. and Steiglitz, K. (1982). Combinatorial Optimization: Algorithms and Complexity. Prentice-Hall, Inc., Upper Saddle River, NJ, USA.

[118] Patterson, N. J. and Wiedemann, D. H. (1983). The covering radius of the (2^15, 16) Reed-Muller code is at least 16276. IEEE Transactions on Information Theory, 29(3):354–356.

[119] Patterson, N. J. and Wiedemann, D. H. (1990). Correction to - the covering radius of the (2^15, 16) Reed-Muller code is at least 16276. IEEE Transactions on Information Theory, 36(2):443.

[120] Phan, R. C.-W. (2002). Mini advanced encryption standard (mini-AES): A testbed for cryptanalysis students. Cryptologia, pages 283–306.

[121] Pieprzyk, J. and Finkelstein, G. (1988). Towards effective nonlinear cryptosystem design. Computers and Digital Techniques, IEE Proceedings E, 135(6):325–335.

[122] Pommerening, K. (2005). Linearitätsmaße für boolesche Abbildungen. Technical report, Fachbereich Mathematik der Johannes-Gutenberg-Universität.

[123] Preneel, B. (1993). Analysis and design of cryptographic hash functions. PhD dissertation, Katholieke Universiteit Leuven.

[124] Preneel, B., Leekwijck, W. V., Linden, L. V., Govaerts, R., and Vandewalle, J. (1990). Propagation characteristics of boolean functions. In EUROCRYPT, pages 161–173.

[125] Read, M. (2007). Explicable Boolean Functions. PhD thesis, The University of York, UK.

[126] Ribeiro, C. C. and Hansen, P. (2002). Essays and Surveys in Metaheuristics. Operations Research/Computer Science Interfaces Series. Kluwer Academic Publishers, Boston, Dordrecht, London.

[127] Rijmen, V., Daemen, J., Preneel, B., Bosselaers, A., and De Win, E. (1996). The cipher . In Gollmann, D., editor, Fast Software Encryption, volume 1039 of Lecture Notes in Computer Science, pages 99–111. Springer Berlin Heidelberg.

[128] Rothaus, O. S. (1976). On bent functions. J. Comb. Theory, Ser. A, 20(3):300–305.

[129] Roy, R., Dehuri, S., and Cho, S. (2011). A novel particle swarm optimization algorithm for multi-objective combinatorial optimization problem. Int. J. of Applied Metaheuristic Computing, 2(4):41–57.

[130] Rueppel, R. A. (1986). Analysis and Design of Stream Ciphers. Springer-Verlag.

[131] Saber, Z., Uddin, M., and Youssef, A. (2006). On the existence of (9,3,5,240) resilient functions. IEEE Transactions on Information Theory, 52(5):2269–2270.

[132] SAGE (2014). Open-source mathematics software. http://www.sagemath.org.

[133] Sarkar, P. and Maitra, S. (2000a). Construction of nonlinear boolean functions with important cryptographic properties. In EUROCRYPT, pages 488–511.

[134] Sarkar, P. and Maitra, S. (2000b). New directions in design of resilient boolean functions. IACR Cryptology ePrint Archive, 2000:9.

[135] Sarkar, P. and Maitra, S. (2000c). Nonlinearity bounds and constructions of resilient boolean functions. In CRYPTO '00: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pages 515–532, London, UK. Springer-Verlag.

[136] Sarkar, S. and Maitra, S. (2008). Idempotents in the neighbourhood of Patterson-Wiedemann functions having Walsh spectra zeros. Designs, Codes and Cryptography, 49(1-3):95–103.

[137] Schäfer, C. (2013). Particle algorithms for optimization on binary spaces. Economics papers from University Paris Dauphine, Paris Dauphine University.

[138] Schneier, B. (1996). Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley, New York, 2nd edition.

[139] Seberry, J. and Zhang, X. (1992). Highly nonlinear 0-1 balanced boolean functions satisfying strict avalanche criterion. In Auscrypt.

[140] Seberry, J., Zhang, X.-M., and Zheng, Y. (1990). Enumerating boolean functions of cryptographic significance. Journal of Cryptology, pages 155–170.

[141] Seberry, J., Zhang, X.-M., and Zheng, Y. (1993). On constructions and nonlinearity of correlation immune functions (extended abstract). In EUROCRYPT, pages 181–199.

[142] Seberry, J., Zhang, X.-M., and Zheng, Y. (1996). The relationship between propagation characteristics and nonlinearity of cryptographic functions. In Maurer, H., Calude, C., and Salomaa, A., editors, J.UCS The Journal of Universal Computer Science, pages 136–150. Springer Berlin Heidelberg.

[143] Shannon, C. E. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28(4):657–715.

[144] Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., and Tanaka, H. (2001). The block cipher . In Matsui, M., editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 312–327. Springer.

[145] Siegenthaler, T. (1984). Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, 30(5):776–.

[146] Siegenthaler, T. (1985). Decrypting a class of stream ciphers using ciphertext only. IEEE Transactions on Computers, 34(1):81–85.

[147] Son, J. J., Lim, J. I., Chee, S., and Sung, S. H. (1998). Global avalanche characteristics and nonlinearity of balanced boolean functions. Information Processing Letters, 65(3):139–144.

[148] Stanica, P. and Sung, S. H. (2001). Improving the nonlinearity of certain balanced boolean functions with good local and global avalanche characteristics. Information Processing Letters, 79(4):167–172.

[149] Tarannikov, Y. (2000). On resilient boolean functions with maximal possible nonlinearity. In INDOCRYPT, pages 19–30.

[150] Tarannikov, Y. and Kirienko, D. (2001). Spectral analysis of high order correlation immune functions. In Information Theory, 2001. Proceedings. 2001 IEEE International Symposium on, pages 69–.

[151] Tarannikov, Y., Korolev, P., and Botev, A. (2001). Autocorrelation coefficients and correlation immunity of boolean functions. In Boyd, C., editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 460–479. Springer Berlin Heidelberg.

[152] Tardy-Corfdir, A. and Gilbert, H. (1992). A known plaintext attack of FEAL-4 and FEAL-6. In Feigenbaum, J., editor, Advances in Cryptology — CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 172–182. Springer Berlin Heidelberg.

[153] Toshiba (2001). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/-l1.zip.

[154] Toshiba (2002). Submission to the New European Schemes for Signatures, Integrity and Encryption (NESSIE) process. http://cosic.esat.kuleuven.ac.be/nessie/workshop/submission/hierocrypt-3.zip.

[155] UMTS (2014). Universal mobile telecommunications system. http://www.3gpp.org/DynaReport/25816.htm.

[156] VBFlib (2014). Analysis of cryptographic algorithms. http://vbflibrary.tk.

[157] Webster, A. F. and Tavares, S. E. (1986). On the design of S-boxes. In Williams, H. C., editor, Advances in Cryptology - CRYPTO '85, pages 523–534, Berlin. Springer-Verlag. Lecture Notes in Computer Science Volume 218.

[158] Xiao, G.-Z. and Massey, J. L. (1988). A spectral characterization of correlation-immune combining functions. IEEE Transactions on Information Theory, 34(3):569–.

[159] Youssef, A., Chen, Z., and Tavares, S. (1997). Construction of highly nonlinear injective s-boxes with application to CAST-like encryption algorithms. In IEEE 1997 Canadian Conference on Electrical and Computer Engineering, 1997, volume 1, pages 330–333.

[160] Zhang, X.-M. and Zheng, Y. (1995). GAC — the criterion for global avalanche characteristics of cryptographic functions. J.UCS: Journal of Universal Computer Science, 1(5):320–337.

[161] Zheng, Y. and Zhang, X.-M. (2001). Improved upper bound on the nonlinearity of high order correlation immune functions. In SAC '00: Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography, pages 262–274, London, UK. Springer-Verlag.

[162] Zheng, Y. and Zhang, X.-M. (2003a). Connections among nonlinearity, avalanche and correlation immunity. Theor. Comput. Sci., 292(3):697–710.

[163] Zheng, Y. and Zhang, X.-M. (2003b). Connections among nonlinearity, avalanche and correlation immunity. Theoretical Computer Science, 292(3):697–710. Algorithms in Quantum Information Processing.

[164] Zitzler, E. (1999). Evolutionary algorithms for multiobjective optimization: Methods and applications.

Appendix A

Mathematical Background

The aim of this chapter is to present some notation and mathematical background that will be used throughout the thesis.

A.1 The Vector Space Vn

A.1.1 Definition

Consider the set of boolean variables or bits {0,1}, commonly denoted by $GF(2) = \mathbb{Z}_2 = \mathbb{F}_2$, with the operations '+' and '·' defined by the following Cayley tables:

+ | 0 1
--+----
0 | 0 1
1 | 1 0

· | 0 1
--+----
0 | 0 0
1 | 0 1

The 3-tuple $\langle GF(2),+,\cdot\rangle$ is the finite field of order 2; the operation '+' is integer addition modulo 2 (the boolean operation XOR) and '·' is integer multiplication modulo 2 (the boolean operation AND). Let $V_n = \underbrace{GF(2) \times \cdots \times GF(2)}_{n}$. The triple $\langle V_n,+,\cdot\rangle$ is a vector space over the field $\langle GF(2),+,\cdot\rangle$, where the inner operation '+' is defined by:

$+ : V_n \times V_n \to V_n,\quad (x,y) \mapsto x + y = (x_1 + y_1,\ldots,x_n + y_n)$ (A.1)

and the external composition law '·' is defined by:

$\cdot : GF(2) \times V_n \to V_n,\quad (c,x) \mapsto c \cdot x = (c \cdot x_1,\ldots,c \cdot x_n)$ (A.2)

In order to simplify the notation derived from the use of the previous composition laws, it is universally accepted to denote vector addition by the same symbol as the field addition ('+'), and scalar multiplication by the same symbol as the field multiplication ('·'). Which operator is meant is determined by the nature of the operands, and the '·' operator will be omitted unless its absence would create ambiguity.

Remark. The operator of vector difference ’−’ coincides with the vector addition:

$- : V_n \times V_n \to V_n,\quad (x,y) \mapsto x - y = x + (-y) = x + y$ (A.3)

since $x + x = 0$ for all $x \in V_n$.

Definition A.1.1. $V_n$ is the direct sum of $U$ and $W$, written $V_n = U \oplus W$, if $U, W \prec V_n$ are subspaces such that each $x \in V_n$ can be uniquely represented as $x = x_u + x_w$, where $x_u \in U$ and $x_w \in W$, or equivalently:

$U \cup W = V_n,\qquad U \cap W = \{0\}$ (A.4)

Definition A.1.2. Let $U$ and $W$ be disjoint¹ $GF(2)$-vector spaces; their direct sum $U \oplus W$ is well defined. We can construct $U \oplus W$ as the Cartesian product $U \times W$ with coordinate-wise operations:

$U \oplus W = U \times W$ (A.5)

A.1.2 Lexicographic Order

[48] A total order can be defined on $V_n$, called the lexicographic order, so that if $x = (x_1,\ldots,x_n)$ and $y = (y_1,\ldots,y_n) \in V_n$, then $x \le y$ if and only if one of the two following assertions holds:

1. x1 = y1

2. There exists an index $k \in \{1,\ldots,n\}$ such that $x_k < y_k$ and $x_i = y_i$ for all $i < k$

¹ Except for the vector 0.

If we define a series of weights $w_i = 2^{n-i}$, then a correspondence between the elements of $V_n$ and $\mathbb{Z}_{2^n}$ (the ring of integers modulo $2^n$) can be established via the following function:

$\psi : V_n \to \mathbb{Z}_{2^n},\quad (x_1,\ldots,x_n) \mapsto x_1 w_1 + \cdots + x_n w_n$ (A.6)

Theorem A.1.1. [48] The function $\psi$ is a bijection from $V_n$ to $\mathbb{Z}_{2^n}$, and if one considers the natural order in $\mathbb{Z}_{2^n}$ and the lexicographic order in $V_n$, then $\psi$ is an order isomorphism.

Lemma A.1.2. We can represent a vector $\alpha_k = (x_1,\ldots,x_n) \in V_n$ by its decimal equivalent $\mathrm{dec}(\alpha_k) = k = \sum_{i=1}^{n} x_i w_i$, and we can list all the vectors of $V_n$ so that $\alpha_0 < \alpha_1 < \cdots < \alpha_{2^n - 1}$.

Definition A.1.3. Let $k = \sum_{i=1}^{n} x_i 2^{n-i}$; then $(x_1,\ldots,x_n)$ is called the binary expansion of $k$. The number of nonzero coefficients $x_i$ is denoted by $w_2(k)$ and called the 2-weight of $k$.

A.1.3 The Hamming Distance

Definition A.1.4. The (Hamming) weight of a vector x = (x1,...,xn) ∈ Vn, denoted by wt(x), is the number of nonzero components in x:

$\mathrm{wt}(x) = \#\mathrm{Supp}(x) = \sum_{i=1}^{n} x_i$ (A.7)

Definition A.1.5. The (Hamming) distance between two boolean vectors x and y ∈ Vn, denoted by d(x,y), is the number of coordinates in which they differ:

$d(x,y) = \mathrm{wt}(x + y) = \#\delta(x,y) = \sum_{i=1}^{n} |x_i - y_i|$ (A.8)

where

for $x,y \in V_n$, $\delta(x,y) = \{x_i \in GF(2) \mid x_i \neq y_i,\ i = 1,\ldots,n\}$ (A.9)

Remark. The weight of a vector can be interpreted as the distance between this vector and the zero vector 0 which has all its coordinates equal to 0:

$\mathrm{wt}(x) = d(x,0)$ (A.10)

The function $d : V_n \times V_n \to \mathbb{R}$ defined in (A.8) is a distance because, for all $x,y,z \in V_n$, it satisfies the following properties:

1. $d(x,y) > 0$ if $x \neq y$

2. d(x,x) = 0

3. Symmetry: d(x,y) = d(y,x)

4. Triangle inequality: $d(x,y) \le d(x,z) + d(z,y)$

Proof.

$d(x,z) + d(z,y) = \mathrm{wt}(x + z) + \mathrm{wt}(y + z) \ge \mathrm{wt}(x + z + y + z) = \mathrm{wt}(x + y) = d(x,y)$

A.2 Characters

A.2.1 Characters on Vn

Definition A.2.1. [96] For each $u = (u_1,\ldots,u_n) \in GF(p^n)$, where $p$ is prime, we define $\chi_u$ to be the complex-valued mapping on $GF(p^n)$ given by:

$\chi_u(x) = \omega_p^{\sum_{i=1}^{n} u_i x_i} = \omega_p^{u \cdot x}$ (A.11)

for $x = (x_1,\ldots,x_n) \in GF(p^n)$; $\chi_u$ is called a character of $GF(p^n)$, where $\omega_p$ is a primitive $p$th root of unity.

Definition A.2.2. The complex conjugate of $\chi_u(x)$ is denoted by $\chi_u^*(x) = \overline{\chi_u(x)}$ and is defined by:

$\chi_u^*(x) = \omega_p^{-\sum_{i=1}^{n} u_i x_i} = \omega_p^{-u \cdot x} = \chi_u(-x)$ (A.12)

Definition A.2.3. For $GF(2) = \{0,1\}$, $\omega_2$ is the primitive 2nd root of unity $e^{\pi i} = -1$, which gives two characters:

$\chi_1(0) = 1,\ \chi_1(1) = 1$ (the trivial character); $\chi_{-1}(0) = 1,\ \chi_{-1}(1) = -1$ (A.13)

Definition A.2.4. We will denote the set of all vectors whose $n$ components are characters by $V_n$; it is contained in the set of all real vectors with $n$ components, denoted by $\mathbb{R}^n$, but it is not a subspace.

Remark. For $u \in \mathbb{Z}_p^n$, its character form is the same as defined on $GF(p^n)$. In particular, for $u \in V_n$, its character form on $V_n$ is the same as defined on $GF(2^n)$, satisfying:

$\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i}$ (A.14)

For $V_n$ it holds that $x = -x$ for all $x \in V_n$ (A.15), and therefore

$\chi_u^*(x) = \chi_u(x) = (-1)^{u \cdot x}$ for all $u,x \in V_n$ (A.16)

Properties

1. $\chi_u(x) = \chi_x(u)$, $\forall u,x \in V_n$

2. $\chi_u(0) = \chi_0(x) = 1$, $\forall u,x \in V_n$

3. $\chi_u(x)\chi_u^*(x) = 1$, $\forall u,x \in V_n$

4. $\chi_u(x + y) = \chi_u(x) \cdot \chi_u(y)$, $\forall u,x,y \in V_n$

5. $\chi_{u+v}(x) = \chi_u(x) \cdot \chi_v(x)$, $\forall u,v,x \in V_n$

6. $\chi_{u \cdot v}(x) = \frac{1}{2}\{1 + \chi_u(x) + \chi_v(x) - \chi_u(x) \cdot \chi_v(x)\}$, $\forall u,v,x \in V_n$

7. $\sum_{x \in V_n} \chi_u(x) = \begin{cases} 2^n & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases}$

8. $\langle \chi_u, \chi_v \rangle = \sum_{x \in V_n} \chi_u(x) \cdot \chi_v^*(x) = \begin{cases} 2^n & \text{if } u = v \\ 0 & \text{if } u \neq v \end{cases}$

9. $\forall u \in V_n$, $\|\chi_u\|^2 = 2^n$

Proof. $\|\chi_u\|^2 = \langle \chi_u, \chi_u \rangle = \sum_{x \in V_n} \chi_u(x)\chi_u^*(x) = \sum_{x \in V_n} \chi_u(0) = 2^n$

A.2.2 Characters on Vn × Vm

Definition A.2.5. The character form of (u,v) ∈ Vn × Vm can be defined as follows:

$\chi_{(u,v)}(x,y) = (-1)^{u \cdot x + v \cdot y}$ (A.17)

Definition A.2.6. Let u ∈ Vn and v ∈ Vm:

$\langle \chi_{(u,v)}, \chi_{(u',v')} \rangle = \sum_{x \in V_n} \sum_{y \in V_m} \chi_{(u,v)}(x,y)\,\chi_{(u',v')}^*(x,y)$ (A.18)

Properties

The following properties are satisfied for all $(x,y),(x',y'),(u,v),(u',v') \in V_n \times V_m$:

1. $\chi_{(u,v)}(x,y) = \chi_u(x)\chi_v(y)$

2. $\chi_{(u,v)}(x,y) = \chi_{(x,y)}(u,v)$

3. $\chi_{(u,v)}(0,0) = \chi_{(0,0)}(x,y) = 1$

4. $\chi_{(u,v)}(x,y)\,\chi_{(u,v)}^*(x,y) = 1$

5. $\chi_{(u,v)}(x + x', y + y') = \chi_{(u,v)}(x,y) \cdot \chi_{(u,v)}(x',y')$

6. $\chi_{(u+u',v+v')}(x,y) = \chi_{(u,v)}(x,y) \cdot \chi_{(u',v')}(x,y)$

7. $\sum_{x \in V_n} \sum_{y \in V_m} \chi_{(u,v)}(x,y) = \begin{cases} 2^{n+m} & \text{if } (u,v) = (0,0) \\ 0 & \text{if } (u,v) \neq (0,0) \end{cases}$

8. $\langle \chi_{(u,v)}, \chi_{(u',v')} \rangle = \begin{cases} 2^{n+m} & \text{if } (u,v) = (u',v') \\ 0 & \text{if } (u,v) \neq (u',v') \end{cases}$

9. $\forall (u,v) \in V_n \times V_m$, $\|\chi_{(u,v)}\|^2 = 2^{n+m}$

Proof.

$\|\chi_{(u,v)}\|^2 = \langle \chi_{(u,v)}, \chi_{(u,v)} \rangle = \sum_{x \in V_n} \sum_{y \in V_m} \chi_{(u,v)}(x,y)\,\chi_{(u,v)}^*(x,y) = 2^{n+m}$

A.3 The Vector Space GF(2n)

A.3.1 Definition

The field $GF(2^n)$ is an extension of degree $n$ over $GF(2) = \mathbb{Z}_2$, and it can be written as $\mathbb{Z}_2[x]/g(x)$, where $g(x)$ is an irreducible polynomial of degree $n$ over $\mathbb{Z}_2$. It can be shown that for every positive value of $n$ there is a field of $2^n$ elements and that this field is unique up to isomorphism. From now on we denote the set of polynomials over the field $\mathbb{Z}_2$ by $\mathbb{Z}_2[x]$. Typically, elements of $GF(2^n)$ are denoted as polynomials, that is, as elements of $\mathbb{Z}_2[x]$, and $g(x)$ is a generator of the ideal in this quotient ring representation. A polynomial over $\mathbb{Z}_2$ is an expression of the form:

$a(x) = a_{n-1}x^{n-1} + \cdots + a_1 x + a_0$ (A.19)

$x$ being called the indeterminate of the polynomial, and $a_i \in GF(2)$ the coefficients. Let $a(x) \in \mathbb{Z}_2[x]$; the degree of the polynomial $a(x)$ is defined by:

$\deg(a(x)) = \min\{ i \in \mathbb{N} \mid \forall j \in \mathbb{N},\ j > i \Rightarrow a_j = 0 \}$ (A.20)

The set of polynomials over the field $\mathbb{Z}_2$ which have degree below $l$ is denoted by $\mathbb{Z}_2[x]|_l$:

$\mathbb{Z}_2[x]|_l = \{ a(x) \in \mathbb{Z}_2[x] \mid \deg(a(x)) < l \}$ (A.21)

A.3.2 Operations on Polynomials

Finite fields have the special property that the operations ($+$, $-$, $\times$ and $\div$) on field elements always yield a result that is also in the field. We define the following operations on polynomials $a(x), b(x) \in \mathbb{Z}_2[x]|_n$.

Addition. Addition of polynomials consists of adding the coefficients of equal powers of $x$, where the addition of the coefficients takes place in the underlying field $GF(2)$:

$c(x) = a(x) + b(x) \Leftrightarrow c_i = a_i + b_i,\ 0 \le i < n$ (A.22)

Multiplication. The multiplication of two polynomials a(x) and b(x) is defined as the algebraic product of the polynomials modulo an irreducible polynomial g(x) over GF(2) which has degree n:

$c(x) = a(x) \cdot b(x) \Leftrightarrow c(x) \equiv a(x) \times b(x) \pmod{g(x)}$ (A.23)

A.3.3 Relation between $V_n$ and $GF(2^n)$

The vector space $V_n$ can be identified with the field $GF(2^n)$. Let $\{u_0,\ldots,u_{n-1}\}$ be a basis of $GF(2^n)$ over $GF(2)$. Then the relation between $V_n$ and $GF(2^n)$ can be expressed by:

$\varphi : V_n \to GF(2^n),\quad (x_0,\ldots,x_{n-1}) \mapsto \sum_{i=0}^{n-1} u_i x_i$ (A.24)

A.3.4 Mini-AES Finite Field GF(2^4)

The nibbles of Mini-AES can be thought of as elements of the finite field $GF(2^4)$. Consider a nibble $a = (a_3,a_2,a_1,a_0)$ where $a_i \in GF(2)$. Then this nibble can be represented as a polynomial with binary coefficients, i.e. coefficients taking values in the set $GF(2)$:

$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$ (A.25)

Example A.3.1. Given a nibble, a = (1,0,1,1), then this can be represented as

$a(x) = 1x^3 + 0x^2 + 1x + 1 = x^3 + x + 1$ (A.26)

Note that when an element of $GF(2^4)$ is represented in polynomial form, the resulting polynomial has degree at most 3.

Example A.3.2. Given two nibbles, a = (1,0,1,1) and b = (0,1,1,1), then the addition, a + b = 1011 + 0111 = 1100 or in polynomial notation:

$a(x) + b(x) = (x^3 + x + 1) + (x^2 + x + 1) = x^3 + x^2$ (A.27)

Example A.3.3. Given two nibbles, a = (1,0,1,1) and b = (0,1,1,1), then the multiplication is:

$(x^3 + x + 1)(x^2 + x + 1) = x^5 + x^4 + x^3 + x^3 + x^2 + x + x^2 + x + 1 = x^5 + x^4 + 1$

In order to ensure that the result of the multiplication is still within the field $GF(2^4)$, it must be reduced by division by an irreducible polynomial of degree 4, the remainder of which is taken as the final result. An irreducible polynomial is analogous to a prime number in arithmetic: a polynomial is irreducible if it has no divisors other than 1 and itself. There are many such irreducible polynomials, but for Mini-AES it is chosen to be:

$g(x) = x^4 + x + 1$

Example A.3.4. Given two nibbles, $a = (1,0,1,1)$ and $b = (0,1,1,1)$, the final result of their multiplication in $GF(2^4)$ is:

$c(x) = (x^3 + x + 1) \cdot (x^2 + x + 1) \Leftrightarrow c(x) \equiv x^5 + x^4 + 1 \pmod{x^4 + x + 1} = x^2$

A.4 The Vector Space Rn

A.4.1 The Inner Product

Definition A.4.1. For all $n \in \mathbb{N}$, the inner product is defined as the following function:

$\langle\cdot,\cdot\rangle : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R},\quad (x,y) \mapsto \langle x,y \rangle = \sum_{i=1}^{n} x_i y_i$ (A.28)

and the pair $(\mathbb{R}^n, \langle\cdot,\cdot\rangle)$ is called a euclidean vector space.

The energy of the real vector $x \in \mathbb{R}^n$ is defined by:

$\langle x,x \rangle = \sum_{i=1}^{n} x_i^2$ (A.29)

A.4.2 Distance

Let $x \in \mathbb{R}^n$; we define the norm or length of $x$ as the real number $\|x\| = +\sqrt{\langle x,x \rangle}$. The angle between the vectors $x \neq 0$ and $y \neq 0$ is the real number $\angle(x,y) \in [0,\pi]$ such that:

$\cos(\angle(x,y)) = \dfrac{\langle x,y \rangle}{\|x\| \cdot \|y\|}$ (A.30)

$x$ and $y$ are linearly dependent if and only if $\angle(x,y) = 0$ or $\angle(x,y) = \pi$. They are orthogonal if the following condition holds: $\angle(x,y) = \frac{\pi}{2} \Leftrightarrow \langle x,y \rangle = 0$. As $(\mathbb{R}^n, \langle\cdot,\cdot\rangle)$ is a euclidean vector space, the function $d : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}$ defined as:

$\forall x,y \in \mathbb{R}^n,\quad d(x,y) = \|x - y\| = +\sqrt{\langle x - y, x - y \rangle}$ (A.31)

is a distance over $\mathbb{R}^n$.

A.4.3 The Pointwise Product

Definition A.4.2. Let $x,y \in \mathbb{R}^n$; the pointwise product is defined as the following function:

$\odot : \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}^n,\quad (x,y) \mapsto x \odot y = (x_1 \cdot y_1,\ldots,x_n \cdot y_n)$ (A.32)

A.5 The Vector Space Mn×m(R)

A.5.1 The Inner Product

Definition A.5.1. For all $n,m \in \mathbb{N}$, the inner product is defined as the following function:

$\langle\cdot,\cdot\rangle : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) \to \mathbb{R},\quad (A,B) \mapsto \langle A,B \rangle = \sum_{i=1}^{n} \sum_{j=1}^{m} a_{ij} b_{ij}$ (A.33)

and the pair $(M_{n \times m}(\mathbb{R}), \langle\cdot,\cdot\rangle)$ is called a euclidean vector space.

The energy of the vector $A \in M_{n \times m}(\mathbb{R})$ is defined by:

$\langle A,A \rangle = \sum_{i=1}^{n} \sum_{j=1}^{m} a_{ij}^2$ (A.34)

A.5.2 Distance

Let $A \in M_{n \times m}(\mathbb{R})$; we define the norm or length of $A$ as the real number $\|A\| = +\sqrt{\langle A,A \rangle}$. The angle between the vectors $A \neq 0$ and $B \neq 0$ is the real number $\angle(A,B) \in [0,\pi]$ such that:

$\cos(\angle(A,B)) = \dfrac{\langle A,B \rangle}{\|A\| \cdot \|B\|}$ (A.35)

$A$ and $B$ are linearly dependent if and only if $\angle(A,B) = 0$ or $\angle(A,B) = \pi$. They are orthogonal if the following condition holds: $\angle(A,B) = \frac{\pi}{2} \Leftrightarrow \langle A,B \rangle = 0$. As $(M_{n \times m}(\mathbb{R}), \langle\cdot,\cdot\rangle)$ is a euclidean vector space, the function $d : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) \to \mathbb{R}$ defined as:

$\forall A,B \in M_{n \times m}(\mathbb{R}),\quad d(A,B) = \|A - B\| = +\sqrt{\langle A - B, A - B \rangle}$ (A.36)

is a distance over $M_{n \times m}(\mathbb{R})$.

A.5.3 The Pointwise Product

Definition A.5.2. For all $n,m \in \mathbb{N}$, the pointwise product is defined as the following function:

$\odot : M_{n \times m}(\mathbb{R}) \times M_{n \times m}(\mathbb{R}) \to M_{n \times m}(\mathbb{R}),\quad (A,B) \mapsto A \odot B = \begin{pmatrix} a_{11} \cdot b_{11} & \cdots & a_{1m} \cdot b_{1m} \\ a_{21} \cdot b_{21} & \cdots & a_{2m} \cdot b_{2m} \\ \vdots & & \vdots \\ a_{n1} \cdot b_{n1} & \cdots & a_{nm} \cdot b_{nm} \end{pmatrix}$ (A.37)

A.6 Kronecker Product of Matrices

Definition A.6.1. The Kronecker product of $A \in M_{p \times q}(\mathbb{R})$ and $B \in M_{r \times s}(\mathbb{R})$ is denoted by $A \otimes B \in M_{p \cdot r \times q \cdot s}(\mathbb{R})$ and defined by:

$A \otimes B = \begin{pmatrix} a_{11}B & \cdots & a_{1q}B \\ a_{21}B & \cdots & a_{2q}B \\ \vdots & & \vdots \\ a_{p1}B & \cdots & a_{pq}B \end{pmatrix}$

Let $c \in \mathbb{R}$, $A \in M_{p \times q}(\mathbb{R})$, $B \in M_{r \times s}(\mathbb{R})$, $C \in M_{q \times k}(\mathbb{R})$, $D \in M_{s \times l}(\mathbb{R})$. The Kronecker product satisfies the following properties:

1. It does not matter where we place the product with a scalar:

$(c \cdot A) \otimes B = A \otimes (c \cdot B) = c \cdot (A \otimes B)$

2. The Kronecker product is associative:

$A \otimes B \otimes C = (A \otimes B) \otimes C = A \otimes (B \otimes C)$

3. The mixed-product property:

$(A \otimes B) \cdot (C \otimes D) = (A \cdot C) \otimes (B \cdot D)$

A.7 Convolution and Correlation

A.7.1 One-dimensional

Let $\varphi, \psi : V_n \to \mathbb{R}$.

Definition A.7.1. The circular convolution $(\varphi * \psi) : V_n \to \mathbb{R}$ is defined by:

$(\varphi * \psi)(x) = \sum_{x' \in V_n} \varphi(x')\,\psi(x - x')$ (A.38)

Definition A.7.2. The correlation between $\varphi$ and $\psi$ is denoted by $(\varphi \star \psi) : V_n \to \mathbb{R}$ and defined by:

$(\varphi \star \psi)(x) = \sum_{x' \in V_n} \varphi(x')\,\psi(x' + x)$ (A.39)

Definition A.7.3. The circular cross-correlation between $\varphi$ and $\psi$ is denoted by $r_{\varphi,\psi} : V_n \to \mathbb{R}$ and defined by:

$r_{\varphi,\psi}(x) = \dfrac{1}{2^n}(\varphi \star \psi)(x) = \dfrac{1}{2^n} \sum_{x' \in V_n} \varphi(x')\,\psi(x' + x)$ (A.40)

Definition A.7.4. The autocorrelation of $\varphi : V_n \to \mathbb{R}$ with respect to the shift $x \in V_n$ is the cross-correlation of $\varphi$ with itself, denoted by $r_\varphi : V_n \to \mathbb{R}$ and defined by:

$r_\varphi(x) = \dfrac{1}{2^n}(\varphi \star \varphi)(x) = \dfrac{1}{2^n} \sum_{x' \in V_n} \varphi(x')\,\varphi(x' + x)$ (A.41)

A.7.2 Bidimensional

Let $\varphi, \psi : V_n \times V_m \to \mathbb{R}$.

Definition A.7.5. The circular convolution $(\varphi * \psi) : V_n \times V_m \to \mathbb{R}$ is defined by:

$(\varphi * \psi)(x,y) = \sum_{x' \in V_n} \sum_{y' \in V_m} \varphi(x',y')\,\psi(x - x', y - y')$ (A.42)

Definition A.7.6. The correlation between $\varphi$ and $\psi$ is denoted by $(\varphi \star \psi) : V_n \times V_m \to \mathbb{R}$ and defined by:

$(\varphi \star \psi)(x,y) = \sum_{x' \in V_n} \sum_{y' \in V_m} \varphi(x',y')\,\psi(x' + x, y' + y)$ (A.43)

Definition A.7.7. The circular cross-correlation between $\varphi$ and $\psi$ is denoted by $r_{\varphi,\psi} : V_n \times V_m \to \mathbb{R}$ and defined by:

$r_{\varphi,\psi}(x,y) = \dfrac{1}{2^{n+m}}(\varphi \star \psi)(x,y) = \dfrac{1}{2^{n+m}} \sum_{x' \in V_n} \sum_{y' \in V_m} \varphi(x',y')\,\psi(x' + x, y' + y)$ (A.44)

Definition A.7.8. The autocorrelation of $\varphi : V_n \times V_m \to \mathbb{R}$ with respect to the shift $(x,y) \in V_n \times V_m$ is the cross-correlation of $\varphi$ with itself, denoted by $r_\varphi : V_n \times V_m \to \mathbb{R}$ and defined by:

$r_\varphi(x,y) = \dfrac{1}{2^{n+m}}(\varphi \star \varphi)(x,y) = \dfrac{1}{2^{n+m}} \sum_{x' \in V_n} \sum_{y' \in V_m} \varphi(x',y')\,\varphi(x' + x, y' + y)$ (A.45)
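The characters of A.2.1 (Properties 7 and 8) and the one-dimensional autocorrelation of Definition A.7.4, as an added example that is not code from the thesis or the VBF library. Vectors of V_n are identified with integers through the bijection ψ of (A.6); the two sample Boolean functions (one bent, one affine) are constructed here for illustration only.

```python
"""Characters chi_u on V_n and the autocorrelation r_phi of Definition A.7.4.

Added example, not part of the thesis or the VBF library.  A vector x of V_n
is held as the integer psi(x) of (A.6); bit i of that integer is x_i, and the
vector sum x + x' of V_n is the integer XOR.
"""


def dot(u: int, x: int) -> int:
    """GF(2) inner product u . x = sum_i u_i x_i mod 2 (parity of u AND x)."""
    return bin(u & x).count("1") & 1


def chi(u: int, x: int) -> int:
    """Character chi_u(x) = (-1)^(u . x) of (A.14); real, so chi_u* = chi_u (A.16)."""
    return -1 if dot(u, x) else 1


def character_inner_product(n: int, u: int, v: int) -> int:
    """<chi_u, chi_v> = sum over x in V_n of chi_u(x) chi_v*(x).

    Property 8: equals 2^n when u == v and 0 otherwise; with v == 0 this is
    Property 7, the sum of a single character over V_n.
    """
    return sum(chi(u, x) * chi(v, x) for x in range(1 << n))


def hamming_distance(x: int, y: int) -> int:
    """d(x, y) = wt(x + y) of (A.8): the number of coordinates where x and y differ."""
    return bin(x ^ y).count("1")


def sign_function(f, n: int) -> list:
    """phi(x) = (-1)^f(x), the +-1 valued form of a Boolean function f: V_n -> GF(2)."""
    return [1 - 2 * f(x) for x in range(1 << n)]


def autocorrelation(phi: list, n: int, a: int) -> float:
    """r_phi(a) = 2^-n * sum_{x'} phi(x') phi(x' + a), equation (A.41)."""
    return sum(phi[x] * phi[x ^ a] for x in range(1 << n)) / (1 << n)


def autocorrelation_spectrum(phi: list, n: int) -> list:
    """r_phi(a) for every shift a in V_n, listed in the order of psi."""
    return [autocorrelation(phi, n, a) for a in range(1 << n)]


# Constructed sample functions on V_4 (x_1 is bit 0, ..., x_4 is bit 3).
def bent4(x: int) -> int:
    """f(x) = x1 x2 + x3 x4, a bent function: r_phi(a) = 0 for every a != 0."""
    x1, x2, x3, x4 = ((x >> i) & 1 for i in range(4))
    return (x1 & x2) ^ (x3 & x4)


def affine4(x: int) -> int:
    """f(x) = x1 + x3 + 1, affine: |r_phi(a)| = 1 for every shift a."""
    return ((x >> 0) & 1) ^ ((x >> 2) & 1) ^ 1


if __name__ == "__main__":
    print("<chi_5, chi_5> =", character_inner_product(4, 5, 5))
    print("<chi_5, chi_3> =", character_inner_product(4, 5, 3))
    print("r_phi for bent4  :", autocorrelation_spectrum(sign_function(bent4, 4), 4))
    print("r_phi for affine4:", autocorrelation_spectrum(sign_function(affine4, 4), 4))
```

The two spectra show the extremes the propagation criteria measure: the bent function has zero autocorrelation at every non-zero shift, while the affine function has autocorrelation of absolute value one everywhere.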

Appendix B

CLEFIA Description

B.1 Truth Tables of the CLEFIA SSi (0 ≤ i ≤ 3) S-boxes

Each row gives the 4-bit output of the four S-boxes for the input x (rows ordered by the decimal value of x):

 x     SS0(x)     SS1(x)     SS2(x)     SS3(x)
 0   [1 1 1 0]  [0 1 1 0]  [1 0 1 1]  [1 0 1 0]
 1   [0 1 1 0]  [0 1 0 0]  [1 0 0 0]  [0 0 1 0]
 2   [1 1 0 0]  [0 0 0 0]  [0 1 0 1]  [0 1 1 0]
 3   [1 0 1 0]  [1 1 0 1]  [1 1 1 0]  [1 1 0 1]
 4   [1 0 0 0]  [0 0 1 0]  [1 0 1 0]  [0 0 1 1]
 5   [0 1 1 1]  [1 0 1 1]  [0 1 1 0]  [0 1 0 0]
 6   [0 0 1 0]  [1 0 1 0]  [0 1 0 0]  [0 1 0 1]
 7   [1 1 1 1]  [0 0 1 1]  [1 1 0 0]  [1 1 1 0]
 8   [1 0 1 1]  [1 0 0 1]  [1 1 1 1]  [0 0 0 0]
 9   [0 0 0 1]  [1 1 0 0]  [0 1 1 1]  [0 1 1 1]
10   [0 1 0 0]  [1 1 1 0]  [0 0 1 0]  [1 0 0 0]
11   [0 0 0 0]  [1 1 1 1]  [0 0 1 1]  [1 0 0 1]
12   [0 1 0 1]  [1 0 0 0]  [0 0 0 1]  [1 0 1 1]
13   [1 0 0 1]  [0 1 1 1]  [0 0 0 0]  [1 1 1 1]
14   [1 1 0 1]  [0 1 0 1]  [1 1 0 1]  [1 1 0 0]
15   [0 0 1 1]  [0 0 0 1]  [1 0 0 1]  [0 0 0 1]

B.2 Truth Table of the Mul2(x) = 0x2 · x operation

Each row gives, for the input x, the output of Mul2 and of its compositions with SS1 and SS0 (Mul2*SSi(x) = Mul2(SSi(x))):

 x     Mul2(x)   Mul2*SS1(x)  Mul2*SS0(x)
 0   [0 0 0 0]   [1 1 0 0]    [1 1 1 1]
 1   [0 0 1 0]   [1 0 0 0]    [1 1 0 0]
 2   [0 1 0 0]   [0 0 0 0]    [1 0 1 1]
 3   [0 1 1 0]   [1 0 0 1]    [0 1 1 1]
 4   [1 0 0 0]   [0 1 0 0]    [0 0 1 1]
 5   [1 0 1 0]   [0 1 0 1]    [1 1 1 0]
 6   [1 1 0 0]   [0 1 1 1]    [0 1 0 0]
 7   [1 1 1 0]   [0 1 1 0]    [1 1 0 1]
 8   [0 0 1 1]   [0 0 0 1]    [0 1 0 1]
 9   [0 0 0 1]   [1 0 1 1]    [0 0 1 0]
10   [0 1 1 1]   [1 1 1 1]    [1 0 0 0]
11   [0 1 0 1]   [1 1 0 1]    [0 0 0 0]
12   [1 0 1 1]   [0 0 1 1]    [1 0 1 0]
13   [1 0 0 1]   [1 1 1 0]    [0 0 0 1]
14   [1 1 1 1]   [1 0 1 0]    [1 0 0 1]
15   [1 1 0 1]   [0 0 1 0]    [0 1 1 0]
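The GF(2^4) arithmetic of A.3.2 to A.3.4 and the Mul2 table above, as an added example that is not code from the thesis or the VBF library. It reduces modulo the Mini-AES polynomial g(x) = x^4 + x + 1, reproduces Example A.3.4 (a · b = x^2 for a = 1011, b = 0111) and regenerates the Mul2, Mul2*SS0 and Mul2*SS1 columns of B.2 from the SS0 and SS1 tables of B.1; the assumed encoding is that a nibble is an integer whose bit i is the coefficient a_i of x^i, and the SS0/SS1 lists are transcribed from the B.1 table.

```python
"""Polynomial arithmetic in GF(2^4) = Z2[x]/(x^4 + x + 1) and the CLEFIA Mul2 table.

Added example, not part of the thesis or the VBF library.  A nibble
(a3, a2, a1, a0) is held as an integer with bit i = a_i, so (1,0,1,1) = 0xB
stands for a(x) = x^3 + x + 1 as in (A.25) and (A.26).
"""

G = 0b10011  # g(x) = x^4 + x + 1, the reduction polynomial of A.3.4 (also used by Mul2)


def poly_add(a: int, b: int) -> int:
    """(A.22): coefficient-wise addition in GF(2), i.e. XOR of the bit patterns."""
    return a ^ b


def poly_mul_unreduced(a: int, b: int) -> int:
    """Algebraic product a(x) x b(x) over GF(2), before any reduction (Example A.3.3)."""
    c = 0
    i = 0
    while b >> i:
        if (b >> i) & 1:
            c ^= a << i  # add a(x) * x^i
        i += 1
    return c


def poly_mod(c: int, g: int = G) -> int:
    """Remainder of c(x) modulo g(x): long division over GF(2), one leading term at a time."""
    deg_g = g.bit_length() - 1
    while c and c.bit_length() - 1 >= deg_g:
        c ^= g << (c.bit_length() - 1 - deg_g)
    return c


def gf16_mul(a: int, b: int, g: int = G) -> int:
    """(A.23): c(x) = a(x) . b(x) is the product reduced modulo g(x)."""
    return poly_mod(poly_mul_unreduced(a, b), g)


def mul2_table(g: int = G) -> list:
    """Truth table of Mul2(x) = 0x2 . x for every x in V_4 (column Mul2 of B.2)."""
    return [gf16_mul(0x2, x, g) for x in range(16)]


# CLEFIA SS0 and SS1, transcribed from the B.1 table (row x -> SSi(x)).
SS0 = [0xE, 0x6, 0xC, 0xA, 0x8, 0x7, 0x2, 0xF, 0xB, 0x1, 0x4, 0x0, 0x5, 0x9, 0xD, 0x3]
SS1 = [0x6, 0x4, 0x0, 0xD, 0x2, 0xB, 0xA, 0x3, 0x9, 0xC, 0xE, 0xF, 0x8, 0x7, 0x5, 0x1]


def compose_mul2(sbox: list, g: int = G) -> list:
    """Mul2*S : x -> Mul2(S(x)), the Mul2*SS0 and Mul2*SS1 columns of B.2."""
    return [gf16_mul(0x2, sbox[x], g) for x in range(16)]


def bits(v: int, n: int = 4) -> list:
    """Binary expansion in the row notation of the tables, e.g. 0xB -> [1, 0, 1, 1]."""
    return [(v >> (n - 1 - i)) & 1 for i in range(n)]


if __name__ == "__main__":
    a, b = 0xB, 0x7  # a = (1,0,1,1), b = (0,1,1,1) of Examples A.3.2 to A.3.4
    print("a + b =", bits(poly_add(a, b)))                 # x^3 + x^2
    print("a x b (unreduced) =", bin(poly_mul_unreduced(a, b)))  # x^5 + x^4 + 1
    print("a . b mod g =", bits(gf16_mul(a, b)))          # x^2
    for x in range(16):
        print(x, bits(mul2_table()[x]), bits(compose_mul2(SS1)[x]), bits(compose_mul2(SS0)[x]))
```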

B.3 Truth Tables of u0, u1, y0 and y1


[1 1 0 1] [0 1 0 1] [1 1 0 1] [0 1 0 0] [0 0 0 0] [1 0 1 0] [0 0 0 0] [1 0 0 0] [0 0 0 1] [0 0 1 1] [0 0 0 1] [1 1 0 1] [0 0 1 1] [0 0 1 0] [0 0 1 1] [0 1 1 0] [0 0 1 0] [1 0 1 1] [0 0 1 0] [1 0 0 1] [0 1 0 1] [0 0 0 1] [0 1 0 1] [0 0 1 0] [1 1 1 1] [0 1 0 0] [1 1 1 1] [0 0 1 1] [1 0 1 1] [0 1 1 0] [1 0 1 1] [0 1 0 1] [1 0 0 1] [0 1 1 1] [1 0 0 1] [1 1 1 0] [0 1 1 1] [0 0 0 0] [0 1 1 1] [1 0 1 0] [1 0 1 0] [1 1 1 1] [1 0 1 0] [0 0 0 1] [1 1 1 0] [1 1 0 1] [1 1 1 0] [1 1 1 1] [0 1 1 0] [1 0 0 1] [0 1 1 0] [0 1 1 1] [1 1 0 0] [0 1 1 0] [1 1 0 0] [0 1 0 1] [1 0 0 0] [0 1 0 0] [1 0 0 0] [0 0 1 1] [0 0 0 0] [0 0 0 0] [0 0 0 0] [1 0 1 0] [1 0 0 1] [1 1 0 1] [1 0 0 1] [1 1 1 1] [0 1 0 0] [0 0 1 0] [0 1 0 0] [0 1 1 0] [0 1 0 1] [1 0 1 1] [0 1 0 1] [1 0 0 1] [0 1 1 1] [1 0 1 0] [0 1 1 1] [1 0 0 0] [0 1 1 0] [0 0 1 1] [0 1 1 0] [1 1 0 1] [0 0 0 1] [1 0 0 1] [0 0 0 1] [0 1 1 1] [1 0 1 1] [1 1 0 0] [1 0 1 1] [1 0 1 1] [1 1 1 1] [1 1 1 0] [1 1 1 1] [1 1 0 0] [1 1 0 1] [1 1 1 1] [1 1 0 1] [0 0 0 1] [0 0 1 1] [1 0 0 0] [0 0 1 1] [0 0 0 0] [1 1 1 0] [0 1 1 1] [1 1 1 0] [1 1 1 0] [1 0 1 0] [0 1 0 1] [1 0 1 0] [0 1 0 0] [0 0 1 0] [0 0 0 1] [0 0 1 0] [0 0 1 0] [1 0 0 1] [1 1 0 0] [1 0 0 1] [1 0 1 1] [1 1 0 1] [1 1 1 0] [1 1 0 1] [1 1 0 0] [0 1 0 1] [1 0 1 0] [0 1 0 1] [1 0 0 0] [1 1 0 0] [0 1 1 1] [1 1 0 0] [1 1 1 0] [0 0 0 1] [1 0 0 0] [0 0 0 1] [0 0 0 0] [0 0 0 0] [0 0 0 1] [0 0 0 0] [0 0 1 0] [0 0 1 0] [0 0 0 0] [0 0 1 0] [1 0 1 0] 268 CLEFIA Description

[0 0 1 1] [1 0 0 1] [0 0 1 1] [0 1 1 1] [0 1 0 0] [0 0 1 1] [0 1 0 0] [1 1 0 1] [1 1 1 0] [0 1 1 0] [1 1 1 0] [0 1 0 1] [1 0 1 0] [0 1 0 0] [1 0 1 0] [0 0 1 1] [1 0 0 0] [0 1 0 1] [1 0 0 0] [0 1 0 0] [0 1 1 0] [0 0 1 0] [0 1 1 0] [0 1 1 0] [1 0 1 1] [1 1 0 1] [1 0 1 1] [1 1 1 1] [1 1 1 1] [1 1 1 1] [1 1 1 1] [0 0 0 1] [0 1 1 1] [1 0 1 1] [0 1 1 1] [1 0 0 1] [0 1 0 1] [0 1 1 1] [0 1 0 1] [1 1 1 0] [0 0 0 1] [0 1 0 1] [0 0 0 1] [0 1 0 0] [1 0 0 1] [0 0 0 1] [1 0 0 1] [0 0 1 0] [0 0 0 0] [1 1 0 0] [0 0 0 0] [1 0 1 1] [1 1 0 1] [0 0 1 1] [1 1 0 1] [1 1 0 1] [1 1 0 0] [1 0 1 0] [1 1 0 0] [1 0 0 0] [1 1 1 0] [1 0 1 1] [1 1 1 0] [1 0 0 1] [1 1 1 1] [0 0 1 0] [1 1 1 1] [0 1 1 0] [1 0 0 0] [1 0 0 0] [1 0 0 0] [0 0 0 0] [0 0 1 0] [1 1 0 1] [0 0 1 0] [1 1 1 1] [0 1 1 0] [1 1 1 1] [0 1 1 0] [0 0 0 1] [0 1 0 0] [1 1 1 0] [0 1 0 0] [1 1 0 0] [1 0 1 0] [1 0 0 1] [1 0 1 0] [0 1 1 1] [0 1 1 1] [0 1 1 0] [0 1 1 1] [0 1 0 1] [0 0 1 1] [0 1 0 0] [0 0 1 1] [0 0 1 1] [1 0 1 1] [0 0 0 0] [1 0 1 1] [1 0 1 0] [0 0 0 1] [1 1 1 1] [0 0 0 1] [0 0 0 1] [0 1 0 1] [1 1 0 1] [0 1 0 1] [1 1 1 1] [1 1 0 1] [1 0 0 1] [1 1 0 1] [0 1 1 1] [0 1 0 0] [0 1 0 0] [0 1 0 0] [0 0 1 1] [1 0 0 1] [1 0 1 1] [1 0 0 1] [1 0 0 1] [1 0 0 0] [0 0 1 0] [1 0 0 0] [0 1 1 0] [1 0 1 0] [0 0 1 1] [1 0 1 0] [1 1 0 1] [1 0 1 1] [1 0 1 0] [1 0 1 1] [1 0 0 0] [1 1 0 0] [0 0 0 0] [1 1 0 0] [1 0 1 0] [0 1 1 0] [0 1 0 1] [0 1 1 0] [0 1 0 0] [0 0 1 0] [0 1 1 1] [0 0 1 0] [1 1 1 0] B.4 Trace Representation of S0 and S1 269

[0 0 0 0] [0 1 1 0] [0 0 0 0] [0 1 0 1] [1 1 1 0] [0 0 0 1] [1 1 1 0] [0 0 1 0] [0 0 1 1] [1 1 1 0] [0 0 1 1] [1 1 0 0] [0 1 1 1] [1 1 0 0] [0 1 1 1] [1 0 1 1] [1 1 1 1] [1 0 0 0] [1 1 1 1] [0 0 0 0] [1 1 1 1] [0 0 0 0] [1 1 1 1] [1 0 1 0] [1 0 1 1] [0 0 1 0] [1 0 1 1] [0 1 1 0] [0 0 1 1] [0 1 1 0] [0 0 1 1] [0 1 0 1] [1 0 1 0] [1 0 1 1] [1 0 1 0] [1 0 0 1] [0 1 1 1] [0 1 0 0] [0 1 1 1] [0 0 1 1] [0 1 1 0] [1 1 0 1] [0 1 1 0] [1 1 1 1] [0 1 0 0] [1 1 0 0] [0 1 0 0] [1 0 1 1] [0 1 0 1] [0 1 0 1] [0 1 0 1] [0 1 0 0] [0 0 1 0] [1 1 1 1] [0 0 1 0] [0 0 0 1] [1 0 0 0] [1 0 1 0] [1 0 0 0] [1 0 0 0] [1 1 0 0] [1 0 0 0] [1 1 0 0] [0 0 0 0] [1 1 1 0] [1 0 0 1] [1 1 1 0] [0 1 1 1] [0 0 0 0] [1 1 1 0] [0 0 0 0] [1 1 0 0] [1 1 0 1] [0 0 0 1] [1 1 0 1] [0 0 1 0] [1 0 0 1] [0 0 1 1] [1 0 0 1] [1 1 0 1] [0 0 0 1] [0 1 1 1] [0 0 0 1] [1 1 1 0] ]]]]

B.4 Trace Representation of S0 and S1

$$
\begin{aligned}
S_0(x) = {}& e8 \cdot x^{252} + 88 \cdot x^{250} + 4c \cdot x^{249} + 5c \cdot x^{248} + fa \cdot x^{246} + ac \cdot x^{245} + a4 \cdot x^{244} + 43 \cdot x^{243} \\
& + cf \cdot x^{242} + 8d \cdot x^{241} + c9 \cdot x^{240} + d8 \cdot x^{238} + 4c \cdot x^{237} + be \cdot x^{236} + 7b \cdot x^{235} + bb \cdot x^{234} \\
& + 0f \cdot x^{233} + 2c \cdot x^{232} + f0 \cdot x^{231} + 9b \cdot x^{230} + c9 \cdot x^{229} + bf \cdot x^{228} + b8 \cdot x^{227} + 36 \cdot x^{226} \\
& + 4b \cdot x^{225} + f1 \cdot x^{224} + b2 \cdot x^{222} + 6e \cdot x^{221} + 2c \cdot x^{220} + 89 \cdot x^{219} + \cdot x^{218} + 2e \cdot x^{217} \\
& + 63 \cdot x^{216} + 6d \cdot x^{215} + 4b \cdot x^{214} + dc \cdot x^{213} + 28 \cdot x^{212} + 8a \cdot x^{211} + 11 \cdot x^{210} + 1b \cdot x^{209} \\
& + c6 \cdot x^{208} + 81 \cdot x^{207} + 30 \cdot x^{206} + 37 \cdot x^{205} + 15 \cdot x^{204} + fd \cdot x^{203} + 36 \cdot x^{202} + 6a \cdot x^{201} \\
& + 63 \cdot x^{200} + 03 \cdot x^{199} + 48 \cdot x^{198} + 14 \cdot x^{197} + 11 \cdot x^{196} + 76 \cdot x^{195} + da \cdot x^{194} + 2c \cdot x^{193} \\
& + 07 \cdot x^{192} + 52 \cdot x^{190} + b4 \cdot x^{189} + 99 \cdot x^{188} + 89 \cdot x^{187} + 75 \cdot x^{186} + d8 \cdot x^{185} + 11 \cdot x^{184} \\
& + 78 \cdot x^{183} + 36 \cdot x^{182} + 40 \cdot x^{181} + 2a \cdot x^{180} + ac \cdot x^{179} + fc \cdot x^{178} + 33 \cdot x^{177} + cb \cdot x^{176} \\
& + 68 \cdot x^{175} + d6 \cdot x^{174} + 72 \cdot x^{173} + \cdot x^{172} + c8 \cdot x^{171} + f1 \cdot x^{170} + 83 \cdot x^{169} + 10 \cdot x^{168} \\
& + 4e \cdot x^{167} + 97 \cdot x^{166} + 06 \cdot x^{165} + 11 \cdot x^{164} + d1 \cdot x^{163} + 53 \cdot x^{162} + 89 \cdot x^{161} + 92 \cdot x^{160} \\
& + 65 \cdot x^{159} + 20 \cdot x^{158} + 5a \cdot x^{157} + 70 \cdot x^{156} + 02 \cdot x^{155} + f0 \cdot x^{154} + 70 \cdot x^{153} + f4 \cdot x^{152} \\
& + 42 \cdot x^{151} + f1 \cdot x^{150} + 91 \cdot x^{149} + 4b \cdot x^{148} + 4d \cdot x^{147} + e6 \cdot x^{146} + df \cdot x^{145} + 80 \cdot x^{144} \\
& + c3 \cdot x^{143} + 1b \cdot x^{142} + 30 \cdot x^{141} + 9a \cdot x^{140} + c6 \cdot x^{139} + 38 \cdot x^{138} + 94 \cdot x^{137} + ef \cdot x^{136} \\
& + 07 \cdot x^{135} + f3 \cdot x^{134} + 3c \cdot x^{133} + d4 \cdot x^{132} + 2f \cdot x^{131} + 4f \cdot x^{130} + b0 \cdot x^{129} + c6 \cdot x^{128} \\
& + a9 \cdot x^{126} + 4a \cdot x^{125} + 0a \cdot x^{124} + c6 \cdot x^{123} + 4f \cdot x^{122} + 19 \cdot x^{121} + c2 \cdot x^{120} + bc \cdot x^{119} \\
& + d8 \cdot x^{118} + bb \cdot x^{117} + 77 \cdot x^{116} + 0b \cdot x^{115} + 24 \cdot x^{114} + 9b \cdot x^{113} + f4 \cdot x^{112} + 97 \cdot x^{111} \\
& + 58 \cdot x^{110} + 7e \cdot x^{109} + 6e \cdot x^{108} + 82 \cdot x^{107} + 5f \cdot x^{106} + 1b \cdot x^{105} + aa \cdot x^{104} + d2 \cdot x^{103} \\
& + 2a \cdot x^{102} + 24 \cdot x^{101} + 5b \cdot x^{100} + 3d \cdot x^{99} + 45 \cdot x^{98} + 09 \cdot x^{97} + 91 \cdot x^{96} + 1a \cdot x^{95} \\
& + 84 \cdot x^{94} + 33 \cdot x^{93} + 04 \cdot x^{92} + f6 \cdot x^{91} + b5 \cdot x^{90} + 0e \cdot x^{89} + 83 \cdot x^{88} + e4 \cdot x^{87} \\
& + 57 \cdot x^{86} + 10 \cdot x^{85} + fa \cdot x^{84} + 66 \cdot x^{83} + 2b \cdot x^{82} + 84 \cdot x^{81} + 7c \cdot x^{80} + 4e \cdot x^{79} \\
& + b7 \cdot x^{78} + d4 \cdot x^{77} + b8 \cdot x^{76} + 18 \cdot x^{75} + e1 \cdot x^{74} + f5 \cdot x^{73} + bc \cdot x^{72} + 6e \cdot x^{71} \\
& + 14 \cdot x^{70} + 5e \cdot x^{69} + 46 \cdot x^{68} + a9 \cdot x^{67} + bc \cdot x^{66} + ad \cdot x^{65} + ed \cdot x^{64} + 76 \cdot x^{63} \\
& + 1c \cdot x^{62} + 75 \cdot x^{61} + 67 \cdot x^{60} + 70 \cdot x^{59} + e2 \cdot x^{58} + 3d \cdot x^{57} + a1 \cdot x^{56} + a1 \cdot x^{55} \\
& + 7d \cdot x^{54} + 9d \cdot x^{53} + 28 \cdot x^{52} + f5 \cdot x^{51} + 96 \cdot x^{50} + ea \cdot x^{49} + e5 \cdot x^{48} + 80 \cdot x^{47} \\
& + 4e \cdot x^{46} + 1f \cdot x^{45} + 07 \cdot x^{44} + db \cdot x^{43} + 29 \cdot x^{42} + de \cdot x^{41} + 37 \cdot x^{40} + 90 \cdot x^{39} \\
& + 83 \cdot x^{38} + 39 \cdot x^{37} + 4c \cdot x^{36} + 0e \cdot x^{35} + f8 \cdot x^{34} + 83 \cdot x^{33} + 38 \cdot x^{32} + 7f \cdot x^{31} \\
& + 5a \cdot x^{30} + 68 \cdot x^{29} + 0c \cdot x^{28} + 5d \cdot x^{27} + d1 \cdot x^{26} + c4 \cdot x^{25} + e4 \cdot x^{24} + fe \cdot x^{23} \\
& + 0b \cdot x^{22} + a8 \cdot x^{21} + e0 \cdot x^{20} + fa \cdot x^{19} + f2 \cdot x^{18} + 1f \cdot x^{17} + 87 \cdot x^{16} + 31 \cdot x^{15} \\
& + a9 \cdot x^{14} + 47 \cdot x^{13} + 78 \cdot x^{12} + a2 \cdot x^{11} + 38 \cdot x^{10} + 0d \cdot x^{9} + 25 \cdot x^{8} + 5d \cdot x^{7} \\
& + 70 \cdot x^{6} + 52 \cdot x^{5} + 3f \cdot x^{4} + f3 \cdot x^{3} + ed \cdot x + 57
\end{aligned}
$$

$$
\begin{aligned}
S_1(x) = {}& 1f \cdot x^{254} + 58 \cdot x^{253} + bb \cdot x^{252} + 60 \cdot x^{251} + 38 \cdot x^{250} + 48 \cdot x^{249} + 13 \cdot x^{248} + 04 \cdot x^{247} \\
& + 5e \cdot x^{246} + 0d \cdot x^{245} + 79 \cdot x^{244} + 71 \cdot x^{243} + a3 \cdot x^{242} + 6a \cdot x^{241} + 9c \cdot x^{240} + a9 \cdot x^{239} \\
& + 43 \cdot x^{238} + b1 \cdot x^{237} + 5e \cdot x^{236} + 55 \cdot x^{235} + d7 \cdot x^{234} + e1 \cdot x^{233} + 43 \cdot x^{232} + 62 \cdot x^{231} \\
& + fd \cdot x^{230} + 56 \cdot x^{229} + f4 \cdot x^{228} + f4 \cdot x^{227} + cd \cdot x^{226} + 22 \cdot x^{225} + 95 \cdot x^{224} + 7e \cdot x^{223} \\
& + 41 \cdot x^{222} + fa \cdot x^{221} + 99 \cdot x^{220} + 7f \cdot x^{218} + 92 \cdot x^{217} + 29 \cdot x^{216} + ca \cdot x^{215} + fd \cdot x^{214} \\
& + cd \cdot x^{213} + 23 \cdot x^{212} + f1 \cdot x^{211} + 93 \cdot x^{210} + 14 \cdot x^{209} + 2f \cdot x^{208} + 09 \cdot x^{207} + 6c \cdot x^{206} \\
& + 3c \cdot x^{205} + 94 \cdot x^{204} + 3f \cdot x^{203} + df \cdot x^{202} + e5 \cdot x^{201} + 37 \cdot x^{200} + 63 \cdot x^{199} + ce \cdot x^{198} \\
& + e9 \cdot x^{197} + 48 \cdot x^{196} + 50 \cdot x^{195} + 0b \cdot x^{194} + a5 \cdot x^{193} + 96 \cdot x^{192} + d2 \cdot x^{191} + bc \cdot x^{190} \\
& + 9f \cdot x^{189} + 2b \cdot x^{188} + 23 \cdot x^{187} + 4c \cdot x^{186} + 31 \cdot x^{185} + fa \cdot x^{184} + c9 \cdot x^{183} + 65 \cdot x^{182} \\
& + 55 \cdot x^{181} + 3d \cdot x^{180} + 33 \cdot x^{179} + e4 \cdot x^{178} + 86 \cdot x^{177} + 46 \cdot x^{176} + 67 \cdot x^{175} + 45 \cdot x^{174} \\
& + 0b \cdot x^{173} + fb \cdot x^{172} + c8 \cdot x^{171} + b2 \cdot x^{170} + c1 \cdot x^{169} + 8c \cdot x^{168} + 05 \cdot x^{167} + 3c \cdot x^{166} \\
& + 77 \cdot x^{165} + a1 \cdot x^{164} + c9 \cdot x^{163} + 3f \cdot x^{162} + 9a \cdot x^{161} + bf \cdot x^{160} + 36 \cdot x^{159} + 02 \cdot x^{158} \\
& + fd \cdot x^{157} + 5c \cdot x^{156} + fa \cdot x^{155} + 45 \cdot x^{154} + fa \cdot x^{153} + 13 \cdot x^{152} + be \cdot x^{151} + 22 \cdot x^{150} \\
& + f7 \cdot x^{149} + 04 \cdot x^{148} + da \cdot x^{147} + 5a \cdot x^{146} + 08 \cdot x^{145} + 60 \cdot x^{144} + bf \cdot x^{143} + 98 \cdot x^{142} \\
& + c1 \cdot x^{141} + 6b \cdot x^{140} + 71 \cdot x^{139} + cc \cdot x^{138} + 02 \cdot x^{137} + a0 \cdot x^{136} + 10 \cdot x^{135} + e5 \cdot x^{134} \\
& + c0 \cdot x^{133} + f4 \cdot x^{132} + 86 \cdot x^{131} + cc \cdot x^{130} + 5b \cdot x^{129} + e8 \cdot x^{128} + 44 \cdot x^{127} + 2a \cdot x^{126} \\
& + 0d \cdot x^{125} + c7 \cdot x^{124} + 29 \cdot x^{123} + f7 \cdot x^{122} + 3c \cdot x^{121} + c1 \cdot x^{120} + 6b \cdot x^{119} + f6 \cdot x^{118} \\
& + 9b \cdot x^{117} + 6b \cdot x^{116} + cc \cdot x^{115} + 5d \cdot x^{114} + 1e \cdot x^{113} + 55 \cdot x^{112} + ed \cdot x^{111} + 8e \cdot x^{110} \\
& + 1d \cdot x^{109} + 9e \cdot x^{108} + 82 \cdot x^{107} + 72 \cdot x^{106} + d2 \cdot x^{105} + f0 \cdot x^{104} + 85 \cdot x^{103} + 6f \cdot x^{102} \\
& + fd \cdot x^{101} + f9 \cdot x^{100} + 39 \cdot x^{99} + 99 \cdot x^{98} + 1a \cdot x^{97} + 2e \cdot x^{96} + ed \cdot x^{95} + 5a \cdot x^{94} \\
& + 1a \cdot x^{93} + cf \cdot x^{92} + 58 \cdot x^{91} + 75 \cdot x^{90} + 2e \cdot x^{89} + 9a \cdot x^{88} + 7e \cdot x^{87} + cb \cdot x^{86} \\
& + 4b \cdot x^{85} + fd \cdot x^{84} + 27 \cdot x^{83} + 86 \cdot x^{82} + 7d \cdot x^{81} + b2 \cdot x^{80} + 32 \cdot x^{79} + 49 \cdot x^{78} \\
& + 1e \cdot x^{77} + 8f \cdot x^{76} + d6 \cdot x^{75} + 87 \cdot x^{74} + 2a \cdot x^{73} + 86 \cdot x^{72} + c0 \cdot x^{71} + 84 \cdot x^{70} \\
& + b2 \cdot x^{69} + 81 \cdot x^{68} + 46 \cdot x^{67} + 70 \cdot x^{66} + 4b \cdot x^{65} + 3b \cdot x^{64} + 7d \cdot x^{63} + b1 \cdot x^{62} \\
& + 81 \cdot x^{61} + bd \cdot x^{60} + 6a \cdot x^{59} + d9 \cdot x^{58} + 73 \cdot x^{57} + 78 \cdot x^{56} + ef \cdot x^{55} + b1 \cdot x^{54} \\
& + e5 \cdot x^{53} + b2 \cdot x^{52} + 61 \cdot x^{51} + 8f \cdot x^{50} + 9c \cdot x^{49} + 82 \cdot x^{48} + 23 \cdot x^{47} + 88 \cdot x^{46} \\
& + b2 \cdot x^{45} + fc \cdot x^{44} + f3 \cdot x^{43} + c7 \cdot x^{42} + a7 \cdot x^{41} + c6 \cdot x^{40} + a1 \cdot x^{39} + c8 \cdot x^{38} \\
& + 53 \cdot x^{37} + 5f \cdot x^{36} + 32 \cdot x^{35} + b4 \cdot x^{34} + ac \cdot x^{33} + 91 \cdot x^{32} + 94 \cdot x^{31} + cb \cdot x^{30} \\
& + 7e \cdot x^{29} + e1 \cdot x^{28} + 45 \cdot x^{27} + 49 \cdot x^{26} + 19 \cdot x^{25} + fa \cdot x^{24} + 5c \cdot x^{23} + 9a \cdot x^{22} \\
& + 13 \cdot x^{21} + 95 \cdot x^{20} + fc \cdot x^{19} + d1 \cdot x^{18} + 61 \cdot x^{17} + ec \cdot x^{16} + e1 \cdot x^{15} + a2 \cdot x^{14} \\
& + ff \cdot x^{13} + a8 \cdot x^{12} + 8e \cdot x^{11} + f5 \cdot x^{10} + ec \cdot x^{9} + 33 \cdot x^{8} + ec \cdot x^{7} + 04 \cdot x^{6} \\
& + 1c \cdot x^{5} + 29 \cdot x^{4} + 21 \cdot x^{3} + 5f \cdot x^{2} + 07 \cdot x + 6c
\end{aligned}
$$

Appendix C

Using the Library

This chapter describes how to compile programs that use VBF, and introduces its conventions.

C.1 An Example Program

The following program demonstrates the use of the library to analyze a Vector Boolean Function given by the decimal representation of its Truth Table.

#include <cstdio>      // snprintf
#include <cstdlib>     // atoi
#include <fstream>
#include <iostream>
#include "VBF.h"

/******************************************************************/
int main(int argc, char *argv[])
{
    using namespace VBFNS;
    using std::cout; using std::cerr; using std::endl;
    using std::ifstream; using std::ofstream;

    VBF F;
    NTL::vec_long vec_F;
    NTL::vec_ZZ c;
    NTL::mat_GF2 A, T;
    NTL::mat_ZZ W, LP, DP;
    NTL::mat_ZZ Ac;
    long a;
    int i, n;
    char file[33];

    // Usage: ex <basename> <n>, e.g. "ex S7 7" reads S7.dec and writes S7.anf, S7.tt, ...
    if (argc != 3) {
        cerr << "Usage: " << argv[0] << " <basename> <n>" << endl;
        return 1;
    }

    // Load VBF definitions from <basename>.dec (decimal representation of the Truth Table)
    snprintf(file, sizeof(file), "%s.dec", argv[1]);
    ifstream input(file);
    if (!input) { cerr << "Error opening " << file << endl; return 1; }
    input >> vec_F;
    n = atoi(argv[2]);
    F.putDecTT(vec_F, n);
    input.close();

    // Algebraic Normal Form
    snprintf(file, sizeof(file), "%s.anf", argv[1]);
    ofstream output(file);
    if (!output) { cerr << "Error opening " << file << endl; return 1; }

    A = ANF(F);
    cout << "Argument Dimension = " << F.n() << endl;
    cout << "Argument space has " << F.spacen() << " elements." << endl;
    cout << "Image Dimension = " << F.m() << endl;
    cout << "Image space has " << F.spacem() << " elements." << endl << endl;
    cout << "Writing Algebraic Normal Form to file: " << file << endl;
    cout << "[Columns = Image components]" << endl;
    output << A << endl;
    output.close();

    // Truth Table
    snprintf(file, sizeof(file), "%s.tt", argv[1]);
    ofstream output1(file);
    if (!output1) { cerr << "Error opening " << file << endl; return 1; }

    T = TT(F);
    cout << endl << "Writing Truth Table to file: " << file << endl;
    cout << "[Columns = Image components]" << endl;
    output1 << T << endl;
    output1.close();

    // Walsh Spectrum
    snprintf(file, sizeof(file), "%s.wal", argv[1]);
    ofstream output2(file);
    if (!output2) { cerr << "Error opening " << file << endl; return 1; }

    W = Walsh(F);
    cout << endl << "Writing Walsh Spectrum to file: " << file << endl;
    output2 << W << endl;
    output2.close();

    // Linear Profile (entries are normalized by dividing by LP[0][0])
    snprintf(file, sizeof(file), "%s.lp", argv[1]);
    ofstream output3(file);
    if (!output3) { cerr << "Error opening " << file << endl; return 1; }

    LP = LAT(F);
    cout << endl << "Writing Linear Profile to file: " << file << endl;
    cout << "[To normalize divide by " << LP[0][0] << "]" << endl;
    output3 << LP << endl;
    output3.close();

    // Differential Profile (entries are normalized by dividing by DP[0][0])
    snprintf(file, sizeof(file), "%s.dp", argv[1]);
    ofstream output4(file);
    if (!output4) { cerr << "Error opening " << file << endl; return 1; }

    DP = DAT(F);
    cout << endl << "Writing Differential Profile to file: " << file << endl;
    cout << "[To normalize divide by " << DP[0][0] << "]" << endl;
    output4 << DP << endl;
    output4.close();

    // Polynomials in ANF
    snprintf(file, sizeof(file), "%s.pol", argv[1]);
    ofstream output5(file);
    if (!output5) { cerr << "Error opening " << file << endl; return 1; }

    cout << endl << "Writing the polynomials in ANF to file: " << file << endl;
    Pol(output5, F);
    output5.close();

    // Linear structures
    snprintf(file, sizeof(file), "%s.ls", argv[1]);
    ofstream output6(file);
    if (!output6) { cerr << "Error opening " << file << endl; return 1; }

    A = LS(F);
    cout << endl << "Writing Linear structures to file: " << file << endl;
    output6 << A << endl;
    output6.close();

    // Autocorrelation Spectrum
    snprintf(file, sizeof(file), "%s.ac", argv[1]);
    ofstream output7(file);
    if (!output7) { cerr << "Error opening " << file << endl; return 1; }

    Ac = AC(F);
    cout << endl << "Writing Autocorrelation Spectrum to file: " << file << endl;
    output7 << Ac << endl;
    output7.close();

    // Cycle structure: one "length,count" line per cycle length that occurs
    snprintf(file, sizeof(file), "%s.cy", argv[1]);
    ofstream output8(file);
    if (!output8) { cerr << "Error opening " << file << endl; return 1; }

    c = Cycle(F);
    cout << endl << "Writing Cycle Structure to file: " << file << endl;
    for (i = 0; i < c.length(); i++) {
        if (c[i] > 0) {
            output8 << i << "," << c[i] << endl;
        }
    }
    output8.close();

    // Scalar cryptographic criteria
    cout << endl << "Nonlinearity: " << nl(F) << endl;
    nlr(a, F, 2);
    cout << "Second order Nonlinearity: " << a << endl;
    cout << "Linearity distance: " << ld(F) << endl;
    cout << "Algebraic degree: " << deg(F) << endl;
    cout << "Algebraic immunity: " << AI(F) << endl;
    cout << "Absolute indicator: " << maxAC(F) << endl;
    cout << "Sum-of-squares indicator: " << sigma(F) << endl;
    cout << "Linear potential: " << lp(F) << endl;
    cout << "Differential potential: " << dp(F) << endl;
    cout << "Maximum Nonlinearity (if n is even): " << nlmax(F) << endl;
    cout << "Maximum Linearity distance: " << ldmax(F) << endl;

    int type;
    typenl(type, F);

    if (type == BENT) {
        cout << "It is a bent function" << endl;
    } else if (type == ALMOST_OPTIMAL) {
        cout << "It is an almost optimal function" << endl;
    } else if (type == LINEAR) {
        cout << "It is a linear function" << endl;
    }

    cout << "The fixed points are: " << endl;
    cout << fixedpoints(F) << endl;
    cout << "The negated fixed points are: " << endl;
    cout << negatedfixedpoints(F) << endl;
    cout << "Correlation immunity: " << CI(F) << endl;
    if (F.getbal()) {
        cout << "It is a balanced function" << endl;
    } else {
        cout << "It is a non-balanced function" << endl;
    }
    cout << "The function is PC of degree " << PC(F) << endl;

    /* Finish **********************************************************/

    return 0;
}

A set of files with the decimal representation of the KASUMI S-boxes (S7.dec and S9.dec) is in the "Example" directory. If "S7.dec" (the decimal representation of S7) is used as input to the program above, the output consists of:

• S7.ac (Autocorrelation Spectrum)

• S7.cy (Cycle structure)

• S7.lp (Linear Profile)

• S7.tt (Truth Table)

• S7.anf (ANF Table)

• S7.ls (Linear structures): an empty vector, because S7 has no linear structures

• S7.char (Cryptographic criteria)

• S7.dp (Differential Profile)

• S7.pol (Polynomial representation)

• S7.wal (Walsh Spectrum)

The same applies to the analysis of the S9 S-box.
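To make concrete what the .wal, .lp and .dp files and the printed criteria contain, the following program computes the same quantities directly from a decimal truth table, without VBF or NTL. It is an added example, not part of the thesis or of the VBF library; the S7 table is the one listed in the FI() function of Section C.3, and the mask conventions (a·x is the parity of the AND of input mask and input, b·F(x) likewise on the output) are the standard ones, assumed here to match VBF's. The linear profile is the squared Walsh spectrum, so the normalizing constant LP[0][0] printed by the example program is 2^(2n), and the differential profile is the difference distribution table with DP[0][0] = 2^n. A 3-bit identity map is included as a control case: it is linear, so its nonlinearity is 0 and its differential uniformity is the full 2^n.

```cpp
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <vector>

// KASUMI S7 in the decimal truth-table form that S7.dec holds (values copied from the
// FI() listing in Section C.3): index = 7-bit input, entry = 7-bit output.
static const int S7_TABLE[128] = {
   54, 50, 62, 56, 22, 34, 94, 96, 38,  6, 63, 93,  2, 18,123, 33,
   55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81,
   53,  9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43,
   20,122, 72, 61, 23,109, 13,100, 77,  1, 16,  7, 82, 10,105, 98,
  117,116, 76, 11, 89,106,  0,125,118, 99, 86, 69, 30, 57,126, 87,
  112, 51, 17,  5, 95, 14, 90, 84, 91,  8, 35,103, 32, 97, 28, 66,
  102, 31, 26, 45, 75,  4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44,
   64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59,  3 };

// What the example program writes to .wal, .lp and .dp, plus the scalar criteria it
// prints, for an n-to-m bit function F given as a lookup table of 2^n entries.
struct Profile {
    int n = 0, m = 0;
    std::vector<std::vector<long>> walsh;  // walsh[a][b] = sum_x (-1)^(b.F(x) + a.x)
    std::vector<std::vector<long>> lp;     // linear profile = walsh^2; divide by lp[0][0] = 2^(2n)
    std::vector<std::vector<long>> dp;     // differential profile (DDT); divide by dp[0][0] = 2^n
    long nonlinearity = 0;                 // 2^(n-1) - max_{b != 0} |walsh[a][b]| / 2
    long diffUniformity = 0;               // max_{a != 0} dp[a][b]
    bool permutation = false;              // n == m and F is a bijection
    std::vector<int> fixedPoints;          // inputs x with F(x) == x
};

static int parity(unsigned v) { int p = 0; while (v) { p ^= 1; v &= v - 1; } return p; }

Profile profileOf(const std::vector<int>& tbl, int n, int m) {
    Profile P;
    P.n = n; P.m = m;
    const int N = 1 << n, M = 1 << m;
    P.walsh.assign(N, std::vector<long>(M, 0));
    P.lp.assign(N, std::vector<long>(M, 0));
    P.dp.assign(N, std::vector<long>(M, 0));
    long maxW = 0;
    for (int a = 0; a < N; ++a)
        for (int b = 0; b < M; ++b) {
            long s = 0;
            for (int x = 0; x < N; ++x)
                s += (parity((unsigned)(b & tbl[x]) ^ (unsigned)(a & x)) ? -1 : 1);
            P.walsh[a][b] = s;
            P.lp[a][b] = s * s;
            if (b != 0) maxW = std::max(maxW, std::labs(s));  // b = 0 is the constant function
        }
    P.nonlinearity = (N - maxW) / 2;
    for (int a = 0; a < N; ++a)             // DDT: count x with F(x ^ a) ^ F(x) == b
        for (int x = 0; x < N; ++x)
            P.dp[a][tbl[x ^ a] ^ tbl[x]]++;
    for (int a = 1; a < N; ++a)
        for (int b = 0; b < M; ++b)
            P.diffUniformity = std::max(P.diffUniformity, P.dp[a][b]);
    std::vector<bool> seen(M, false);
    bool bijective = (n == m);
    for (int x = 0; x < N; ++x) {
        if (tbl[x] == x) P.fixedPoints.push_back(x);
        if (seen[tbl[x]]) bijective = false;
        seen[tbl[x]] = true;
    }
    P.permutation = bijective;
    return P;
}

// Parseval's identity: for every output mask b, sum_a walsh[a][b]^2 == 2^(2n).
// A cheap self-check that the spectrum was computed correctly.
bool parsevalHolds(const Profile& P) {
    const long N = 1L << P.n;
    for (int b = 0; b < (1 << P.m); ++b) {
        long sum = 0;
        for (int a = 0; a < N; ++a) sum += P.lp[a][b];
        if (sum != N * N) return false;
    }
    return true;
}

Profile s7Profile() { return profileOf(std::vector<int>(S7_TABLE, S7_TABLE + 128), 7, 7); }

// Control case: the identity on 3 bits is linear (nonlinearity 0) and every input
// difference a propagates to output difference a for all 8 inputs (uniformity 8).
Profile identity3Profile() { return profileOf(std::vector<int>{0, 1, 2, 3, 4, 5, 6, 7}, 3, 3); }

int main() {
    Profile P = s7Profile();
    std::cout << "S7: permutation=" << P.permutation
              << " nonlinearity=" << P.nonlinearity
              << " differential uniformity=" << P.diffUniformity
              << " fixed points=" << P.fixedPoints.size()
              << " (normalize LP by " << P.lp[0][0] << ", DP by " << P.dp[0][0] << ")\n";
    return 0;
}
```

The triple loop is O(2^(2n+m)), which is instant for 7- and 9-bit S-boxes and is exactly what a 16-bit FI truth table from Section C.3 would make slow; for those, a fast Walsh-Hadamard transform per output mask is the usual replacement.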

C.2 Compiling

There is only one library header file, "VBF.h". A program that makes use of the VBF library should include it with a statement like this:

#include "VBF.h"

If the NTL directory is not installed on the standard search path of your compiler, you will also need to provide its location to the preprocessor as a command-line flag. The default location of the ‘NTL’ directory is ‘/usr/local/include/NTL’. A typical compilation rule for a source file ‘ex.cpp’ with the GNU C++ compiler g++, as included in a Makefile, is:

GPP=g++
LIBS=-lntl
NTLINC= -I/usr/local/include -L/usr/local/lib

ex: ex.cpp VBF.h
	$(GPP) $(NTLINC) -Wall ex.cpp -o ex.exe $(LIBS)

This results in an executable file ‘ex.exe’ if the following command is executed:

$ make ex

In order to run the example program included in the "Example" directory on S7.dec and S9.dec, the following commands must be executed:

$ ./ex.exe S7 7
$ ./ex.exe S9 9

C.3 How to Evaluate New Algorithms

In order to evaluate an algorithm, we need to obtain a representation of it that can be used to initialize an object of the VBF class. The supported representations are: the Truth Table; the Hexadecimal representation (only for Boolean functions); the Decimal representation of the Truth Table; the trace representation together with the irreducible polynomial; Polynomials in ANF; the ANF Table; the Characteristic Function; the Walsh Spectrum; the permutation representation; the Expansion and Compression DES vector representations; and the DES S-Box representation. As an example we describe the procedure followed to evaluate the FI function of the KASUMI algorithm. We used an implementation of KASUMI in C, shown below:

/*-----------------------------------------------------------------------
 * Kasumi.c
 *-----------------------------------------------------------------------
 *
 * A sample implementation of KASUMI, the core algorithm for the
 * 3GPP Confidentiality and Integrity algorithms.
 *
 * This has been coded for clarity, not necessarily for efficiency.
 *
 * This will compile and run correctly on both Intel (little endian)
 * and Sparc (big endian) machines. (Compilers used supported 32-bit ints).
 *
 * Version 1.1   08 May 2000
 *
 *-----------------------------------------------------------------------*/

#include <cstdio>     /* snprintf */
#include <cstdlib>    /* atoi */
#include <fstream>
#include <iostream>
#include <sstream>
#include "VBF.h"

#include "Kasumi.h"   /* u8, u16 and u32 typedefs */

/*--------- 16 bit rotate left ------------------------------------------*/

#define ROL16(a,b) (u16)((a<<b)|(a>>(16-b)))

/*------- unions: used to remove "endian" issues ------------------------*/

typedef union {
    u32 b32;
    u16 b16[2];
    u8  b8[4];
} DWORD;

typedef union {
    u16 b16;
    u8  b8[2];
} WORD;

/*-------- globals: The subkey arrays -----------------------------------*/

static u16 KLi1[8], KLi2[8];
static u16 KOi1[8], KOi2[8], KOi3[8];
static u16 KIi1[8], KIi2[8], KIi3[8];

/*---------------------------------------------------------------------
 * FI()
 *      The FI function (fig 3). It includes the S7 and S9 tables.
 *      Transforms a 16-bit value.
 *---------------------------------------------------------------------*/

static u16 FI( u16 in, u16 subkey )
{
    u16 nine, seven;
    static u16 S7[] = {
         54, 50, 62, 56, 22, 34, 94, 96, 38,  6, 63, 93,  2, 18,123, 33,
         55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81,
         53,  9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43,
         20,122, 72, 61, 23,109, 13,100, 77,  1, 16,  7, 82, 10,105, 98,
        117,116, 76, 11, 89,106,  0,125,118, 99, 86, 69, 30, 57,126, 87,
        112, 51, 17,  5, 95, 14, 90, 84, 91,  8, 35,103, 32, 97, 28, 66,
        102, 31, 26, 45, 75,  4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44,
         64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59,  3};
    static u16 S9[] = {
        167,239,161,379,391,334,  9,338, 38,226, 48,358,452,385, 90,397,
        183,253,147,331,415,340, 51,362,306,500,262, 82,216,159,356,177,
        175,241,489, 37,206, 17,  0,333, 44,254,378, 58,143,220, 81,400,
         95,  3,315,245, 54,235,218,405,472,264,172,494,371,290,399, 76,
        165,197,395,121,257,480,423,212,240, 28,462,176,406,507,288,223,
        501,407,249,265, 89,186,221,428,164, 74,440,196,458,421,350,163,
        232,158,134,354, 13,250,491,142,191, 69,193,425,152,227,366,135,
        344,300,276,242,437,320,113,278, 11,243, 87,317, 36, 93,496, 27,
        487,446,482, 41, 68,156,457,131,326,403,339, 20, 39,115,442,124,
        475,384,508, 53,112,170,479,151,126,169, 73,268,279,321,168,364,
        363,292, 46,499,393,327,324, 24,456,267,157,460,488,426,309,229,
        439,506,208,271,349,401,434,236, 16,209,359, 52, 56,120,199,277,
        465,416,252,287,246,  6, 83,305,420,345,153,502, 65, 61,244,282,
        173,222,418, 67,386,368,261,101,476,291,195,430, 49, 79,166,330,
        280,383,373,128,382,408,155,495,367,388,274,107,459,417, 62,454,
        132,225,203,316,234, 14,301, 91,503,286,424,211,347,307,140,374,
         35,103,125,427, 19,214,453,146,498,314,444,230,256,329,198,285,
         50,116, 78,410, 10,205,510,171,231, 45,139,467, 29, 86,505, 32,
         72, 26,342,150,313,490,431,238,411,325,149,473, 40,119,174,355,
        185,233,389, 71,448,273,372, 55,110,178,322, 12,469,392,369,190,
          1,109,375,137,181, 88, 75,308,260,484, 98,272,370,275,412,111,
        336,318,  4,504,492,259,304, 77,337,435, 21,357,303,332,483, 18,
         47, 85, 25,497,474,289,100,269,296,478,270,106, 31,104,433, 84,
        414,486,394, 96, 99,154,511,148,413,361,409,255,162,215,302,201,
        266,351,343,144,441,365,108,298,251, 34,182,509,138,210,335,133,
        311,352,328,141,396,346,123,319,450,281,429,228,443,481, 92,404,
        485,422,248,297, 23,213,130,466, 22,217,283, 70,294,360,419,127,
        312,377,  7,468,194,  2,117,295,463,258,224,447,247,187, 80,398,
        284,353,105,390,299,471,470,184, 57,200,348, 63,204,188, 33,451,
         97, 30,310,219, 94,160,129,493, 64,179,263,102,189,207,114,402,
        438,477,387,122,192, 42,381,  5,145,118,180,449,293,323,136,380,
         43, 66, 60,455,341,445,202,432,  8,237, 15,376,436,464, 59,461};

    /* The sixteen bit input is split into two unequal halves,  *
     * nine bits and seven bits - as is the subkey              */
    nine  = (u16)(in>>7);
    seven = (u16)(in&0x7F);

    /* Now run the various operations */
    nine  = (u16)(S9[nine] ^ seven);
    seven = (u16)(S7[seven] ^ (nine & 0x7F));
    seven ^= (subkey>>9);
    nine  ^= (subkey&0x1FF);
    nine  = (u16)(S9[nine] ^ seven);
    seven = (u16)(S7[seven] ^ (nine & 0x7F));
    in = (u16)((seven<<9) + nine);

    return( in );
}

/*---------------------------------------------------------------------
 * FO()
 *      The FO() function.
 *      Transforms a 32-bit value. Uses index to identify the
 *      appropriate subkeys to use.
 *---------------------------------------------------------------------*/

static u32 FO( u32 in, int index )
{
    u16 left, right;
    u16 l, r;

    /* Split the input into two 16-bit words */
    left  = (u16)(in>>16);
    right = (u16) in;
    l = left;
    r = right;

    /* Now apply the same basic transformation three times */
    left ^= KOi1[index];
    left  = FI( left, KIi1[index] );
    left ^= right;

    right ^= KOi2[index];
    right  = FI( right, KIi2[index] );
    right ^= left;

    left ^= KOi3[index];
    left  = FI( left, KIi3[index] );
    left ^= right;

    in = (((u32)right)<<16)+left;

    return( in );
}

/*---------------------------------------------------------------------
 * FL()
 *      The FL() function.
 *      Transforms a 32-bit value. Uses index to identify the
 *      appropriate subkeys to use.
 *---------------------------------------------------------------------*/

static u32 FL( u32 in, int index )
{
    u16 l, r, a, b;

    /* split out the left and right halves */
    l = (u16)(in>>16);
    r = (u16)(in);

    /* do the FL() operations */
    a  = (u16) (l & KLi1[index]);
    r ^= ROL16(a,1);
    b  = (u16)(r | KLi2[index]);
    l ^= ROL16(b,1);

    /* put the two halves back together */
    in = (((u32)l)<<16) + r;

    return( in );
}

/*---------------------------------------------------------------------
 * Kasumi()
 *      the Main algorithm (fig 1). Apply the same pair of operations
 *      four times. Transforms the 64-bit input.
 *---------------------------------------------------------------------*/

void Kasumi( u8 *data )
{
    u32 left, right, temp;
    DWORD *d;
    int n;

    /* Start by getting the data into two 32-bit words (endian correct) */
    d = (DWORD*)data;
    left  = (((u32)d[0].b8[0])<<24)+(((u32)d[0].b8[1])<<16)
           +(d[0].b8[2]<<8)+(d[0].b8[3]);
    right = (((u32)d[1].b8[0])<<24)+(((u32)d[1].b8[1])<<16)
           +(d[1].b8[2]<<8)+(d[1].b8[3]);

    n = 0;
    do{
        temp = FL( left, n );
        temp = FO( temp, n++ );
        right ^= temp;
        temp = FO( right, n );
        temp = FL( temp, n++ );
        left ^= temp;
    }while( n<=7 );

    /* return the correct endian result */
    d[0].b8[0] = (u8)(left>>24);    d[1].b8[0] = (u8)(right>>24);
    d[0].b8[1] = (u8)(left>>16);    d[1].b8[1] = (u8)(right>>16);
    d[0].b8[2] = (u8)(left>>8);     d[1].b8[2] = (u8)(right>>8);
    d[0].b8[3] = (u8)(left);        d[1].b8[3] = (u8)(right);
}

/*---------------------------------------------------------------------
 * KeySchedule()
 *      Build the key schedule. Most "key" operations use 16-bit
 *      subkeys so we build u16-sized arrays that are "endian" correct.
 *---------------------------------------------------------------------*/

void KeySchedule( u8 *k )
{
    static u16 C[] = {
        0x0123,0x4567,0x89AB,0xCDEF, 0xFEDC,0xBA98,0x7654,0x3210 };
    u16 key[8], Kprime[8];
    WORD *k16;
    int n;

    /* Start by ensuring the subkeys are endian correct on a 16-bit basis */
    k16 = (WORD *)k;
    for( n=0; n<8; ++n )
        key[n] = (u16)((k16[n].b8[0]<<8) + (k16[n].b8[1]));

    /* Now build the K'[] keys */
    for( n=0; n<8; ++n )
        Kprime[n] = (u16)(key[n] ^ C[n]);

    /* Finally construct the various sub keys */
    for( n=0; n<8; ++n )
    {
        KLi1[n] = ROL16(key[n],1);
        KLi2[n] = Kprime[(n+2)&0x7];
        KOi1[n] = ROL16(key[(n+1)&0x7],5);
        KOi2[n] = ROL16(key[(n+5)&0x7],8);
        KOi3[n] = ROL16(key[(n+6)&0x7],13);
        KIi1[n] = Kprime[(n+4)&0x7];
        KIi2[n] = Kprime[(n+3)&0x7];
        KIi3[n] = Kprime[(n+7)&0x7];
    }
}

In the main procedure, we defined an algorithm to obtain the Truth Table of the FI function for each subkey value between the "first" and "last" parameters, writing one .tt file per subkey.

int main(int argc, char *argv[])
{
    using namespace VBFNS;

    u16 l, k;
    long i, j, first, last;
    char file[33];
    NTL::vec_GF2 vn;

    // Usage: <program> <first> <last>, with 0 <= first <= last <= 65535 (16-bit subkeys)
    if (argc != 3) {
        std::cerr << "Usage: " << argv[0] << " <first> <last>" << std::endl;
        return 1;
    }
    first = atoi(argv[1]);
    last  = atoi(argv[2]);

    for (i = first; i <= last; i++) {
        snprintf(file, sizeof(file), "%ld.tt", i);
        std::ofstream output(file);
        if (!output) { std::cerr << "Error opening " << file << std::endl; return 1; }

        output << "[";            // opening bracket of the truth-table matrix

        k = (u16)i;               // the subkey under which FI is tabulated

        // One row per 16-bit input, in increasing order: the truth table of FI(., k)
        for (j = 0; j < 65536; j++) {
            l = (u16)j;
            l = FI( l, k );
            vn = to_vecGF2(l, 16);    // 16-bit output as a GF(2) row vector
            output << vn << std::endl;
        }

        output << "]" << std::endl;  // closing bracket
        output.close();
    }

    return 0;
}
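The procedure above produces the Truth Table in the bracketed text layout that VBF reads, while the example program of Section C.1 starts from the Decimal representation instead. The following added example, which is not part of the thesis or of the VBF library, converts between the two forms and validates a .tt file before it is fed to the library: the row count must be a power of two (2^n), every row must have the same number m of bits, and brackets must balance. It assumes that bits inside a row are written most significant bit first (an assumption about to_vecGF2; check it against your VBF build); the sample table is a constructed 3-bit permutation, not data from the thesis.

```cpp
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// A truth table in the two forms this appendix uses: the bracketed bit-row text written
// by the program above (and by TT(F)), and the decimal form that putDecTT() consumes.
struct TruthTable {
    int n = 0;              // input bits: the table has 2^n rows
    int m = 0;              // output bits: each row has m entries
    std::vector<long> dec;  // dec[x] = integer value of row x (MSB first, assumed)
};

// Parse "[" { "[b1 b2 ... bm]" } "]" and validate it. Throws std::runtime_error on
// malformed input so a broken file is rejected before it reaches the library.
TruthTable parseTruthTable(const std::string& text) {
    std::vector<std::vector<int>> rows;
    int depth = 0;
    for (char ch : text) {
        if (ch == '[') {
            if (++depth == 2) rows.emplace_back();
            else if (depth > 2) throw std::runtime_error("brackets nested too deep");
        } else if (ch == ']') {
            if (depth == 0) throw std::runtime_error("unbalanced ']'");
            --depth;
        } else if (ch == '0' || ch == '1') {
            if (depth != 2) throw std::runtime_error("bit outside a row");
            rows.back().push_back(ch - '0');
        } else if (ch != ' ' && ch != '\n' && ch != '\r' && ch != '\t') {
            throw std::runtime_error(std::string("unexpected character: ") + ch);
        }
    }
    if (depth != 0) throw std::runtime_error("unterminated table");
    if (rows.empty()) throw std::runtime_error("no rows");
    TruthTable tt;
    tt.m = (int)rows[0].size();
    const size_t count = rows.size();
    while ((size_t(1) << tt.n) < count) ++tt.n;
    if ((size_t(1) << tt.n) != count) throw std::runtime_error("row count is not a power of two");
    for (const auto& row : rows) {
        if ((int)row.size() != tt.m) throw std::runtime_error("rows of unequal length");
        long v = 0;
        for (int bit : row) v = (v << 1) | bit;   // MSB first (assumption, see lead-in)
        tt.dec.push_back(v);
    }
    return tt;
}

// Decimal form, as NTL prints a vec_long and as S7.dec is stored: "[54 50 62 ...]".
std::string toDecFormat(const TruthTable& tt) {
    std::ostringstream out;
    out << '[';
    for (size_t i = 0; i < tt.dec.size(); ++i) out << (i ? " " : "") << tt.dec[i];
    out << ']';
    return out.str();
}

// Inverse of parseTruthTable: one bracketed row per input, MSB first.
std::string toTruthTableFormat(const TruthTable& tt) {
    std::ostringstream out;
    out << "[\n";
    for (long v : tt.dec) {
        out << '[';
        for (int i = tt.m - 1; i >= 0; --i) out << ((v >> i) & 1) << (i ? " " : "");
        out << "]\n";
    }
    out << "]\n";
    return out.str();
}

// True when the text is rejected by the parser.
bool isMalformed(const std::string& text) {
    try { parseTruthTable(text); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed sample (not from the thesis): a 3-bit permutation in the row layout
// that the program above writes.
const std::string SAMPLE_TT =
    "[\n[0 1 1]\n[1 1 0]\n[0 0 1]\n[1 0 0]\n[1 1 1]\n[0 1 0]\n[0 0 0]\n[1 0 1]\n]\n";

int main() {
    TruthTable tt = parseTruthTable(SAMPLE_TT);
    std::cout << "n=" << tt.n << " m=" << tt.m << " dec=" << toDecFormat(tt) << "\n";
    return 0;
}
```

For the 65536-row files produced above, the same parser applies unchanged; the decimal form it emits is what the C.1 program expects in a .dec file, with n = 16 passed as the second argument.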