Vector Boolean Functions: Applications in Symmetric Cryptography
José Antonio Álvarez Cubero
Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid
This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación
Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015
I would like to thank my wife, Isabel, for the love, kindness and support she has shown during the years it has taken me to finish this thesis. I would also like to thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones, my daughter and my sisters, who have supported me throughout the entire process, both by keeping me harmonious and by helping me put the pieces together. I will be grateful forever for your love.
Declaration
The following papers have been published or accepted for publication, and contain material based on the content of this thesis.
1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html)
2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. In Cryptography and Security in Computing, Jaydip Sen (Ed.). http://www.intechopen.com/books/cryptography-and-security-in-computing/cryptographic-criteria-on-vector-boolean-functions (Published)
3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective. In Katsikas, S. K. and Samarati, P., editors, SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography, Athens, Greece, July 26-28, 2010, SECRYPT is part of ICETE - The International Joint Conference on e-Business and Telecommunications, pages 512–520. SciTePress. (Published)
4. [4] Álvarez-Cubero, J. A. and Zufiria, P. J. (2005). Aplicaciones de la transformada de Walsh al criptoanálisis lineal y diferencial [Applications of the Walsh transform to linear and differential cryptanalysis]. In Domínguez, A. P. and Caballero-Gil, P., editors, I Simposio sobre Seguridad Informática (SSI 2005), pages 11–18. Thomson. (Published)
José Antonio Álvarez Cubero November 2015
Acknowledgements
I would like to thank all the people who have helped me over the years along the route. I would like to express my gratitude to my supervisor, Prof. Pedro J. Zufiria, for his useful comments, remarks and engagement throughout the learning process of this thesis. I would also like to acknowledge the editors and reviewers of the journals in which I published the papers related to this thesis.

Resumen (Spanish abstract, translated)

This thesis establishes the theoretical foundations of, and designs, an open collection of C++ classes called VBF (Vector Boolean Functions) for analysing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. This new implementation uses Victor Shoup's NTL library, incorporating new modules that complement the NTL functions and adapt them to cryptographic analysis. The fundamental class representing a vector Boolean function can be initialised very flexibly from different data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form, among others. In this way VBF allows the most relevant cryptographic criteria of block and stream ciphers, as well as of hash functions, to be evaluated: for example, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, and the frequency distribution of the absolute values of the Walsh spectrum or of the autocorrelation spectrum, among other criteria. Additionally, VBF can carry out operations between vector Boolean functions such as equality testing, composition, inversion, sum, direct sum, bricklayering (the parallel application of vector Boolean functions, as used in the Rijndael cipher), and the addition of coordinate functions. The thesis also shows the use of the VBF library in two practical applications. On the one hand, the most relevant characteristics of block ciphers have been analysed. On the other hand, by combining VBF with optimisation algorithms, Boolean functions have been designed whose cryptographic properties are the best known to date.
Abstract
This thesis develops the theoretical foundations of, and designs, an open collection of C++ classes called VBF for analyzing vector Boolean functions (functions that map a Boolean vector to another Boolean vector) from a cryptographic perspective. The implementation builds on Victor Shoup's NTL library, adding new modules that complement the existing ones and make VBF better suited to cryptography. The fundamental class representing a vector Boolean function can be initialized flexibly from several alternative data structures such as the Truth Table, the Trace Representation and the Algebraic Normal Form (ANF), among others. In this way, VBF allows the evaluation of the most relevant cryptographic criteria for block and stream ciphers as well as for hash functions: for instance, it provides the nonlinearity, the linearity distance, the algebraic degree, the linear structures, and the frequency distribution of the absolute values of the Walsh spectrum or the autocorrelation spectrum, among others. In addition, VBF can perform operations such as equality testing, composition, inversion, sum, direct sum, bricklayering (the parallel application of vector Boolean functions, as employed in the Rijndael cipher), and adding the coordinate functions of two vector Boolean functions. The thesis also illustrates the use of VBF in two practical applications. On the one hand, the most relevant properties of existing block ciphers have been analysed. On the other hand, by combining VBF with optimization algorithms, new Boolean functions have been designed which have the best cryptographic properties known to date.
Table of contents

List of figures
List of tables
1 Introduction
1.1 Information Security
1.2 Motivation
1.3 Objectives and Outcomes of the Thesis
1.4 Structure of the Thesis
2 Fundamentals of Block Ciphers and the VBF Library
2.1 Basic Theoretical Background (2.1.1 Definitions)
2.2 Block Ciphers (2.2.1 Mini-AES Cipher; 2.2.2 KASUMI Cipher; 2.2.3 DES Cipher; 2.2.4 AES Cipher)
2.3 VBF (Vector Boolean Functions) library (2.3.1 Features; 2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software)
3 Representations and Characterizations
3.1 Truth Table (3.1.1 Description; 3.1.2 Library)
3.2 Trace Representation (3.2.1 Description; 3.2.2 Library)
3.3 Polynomials in ANF (3.3.1 Description; 3.3.2 Library)
3.4 ANF Table (3.4.1 Description; 3.4.2 Library)
3.5 Image (3.5.1 Description; 3.5.2 Library)
3.6 Walsh Spectrum (3.6.1 Description; 3.6.2 Library)
3.7 Linear Profile and Linear Cryptanalysis (3.7.1 Description; 3.7.2 Library)
3.8 Differential Profile and Differential Cryptanalysis (3.8.1 Description; 3.8.2 Library)
3.9 Autocorrelation Spectrum (3.9.1 Description; 3.9.2 Linear structures; 3.9.3 Library)
3.10 Affine Function and Affine Equivalence (3.10.1 Description; 3.10.2 Library)
3.11 Cycle Structure, Fixed Points and Negated Fixed Points (3.11.1 Description; 3.11.2 Library)
3.12 Permutation Vector (3.12.1 Description; 3.12.2 Library)
3.13 DES Representations (3.13.1 Description; 3.13.2 Library)
3.14 Auxiliary Functions
3.15 Summary
4 Cryptographic Criteria
4.1 Introduction (4.1.1 Definitions; 4.1.2 Cryptographically Weak Functions)
4.2 Algebraic Degree (4.2.1 Description; 4.2.2 Library)
4.3 Nonlinearity (4.3.1 Description; 4.3.2 Library)
4.4 r-th Order Nonlinearity (4.4.1 Description; 4.4.2 Library)
4.5 Balancedness (4.5.1 Description; 4.5.2 Library)
4.6 Correlation Immunity (4.6.1 Description; 4.6.2 Library)
4.7 Algebraic Immunity (4.7.1 Description; 4.7.2 Library)
4.8 Global Avalanche Criterion (4.8.1 Description; 4.8.2 Library)
4.9 Linearity Distance (4.9.1 Description; 4.9.2 Library)
4.10 Propagation Criterion (4.10.1 Description; 4.10.2 Library)
4.11 Bounds, Properties and Trade-offs (4.11.1 Bounds; 4.11.2 Properties; 4.11.3 Trade-offs)
4.12 Summary
5 Constructions for Vector Boolean Functions
5.1 Equality Testing (5.1.1 Description; 5.1.2 Library)
5.2 Composition Function (5.2.1 Description; 5.2.2 Library)
5.3 Functional Inverse (5.3.1 Description; 5.3.2 Library)
5.4 Sum (5.4.1 Description; 5.4.2 Library)
5.5 Direct Sum (5.5.1 Description; 5.5.2 Library)
5.6 Concatenation (5.6.1 Description; 5.6.2 Library)
5.7 Concatenation of Polynomials in ANF (5.7.1 Description; 5.7.2 Library)
5.8 Addition of Coordinate Functions (5.8.1 Description; 5.8.2 Library)
5.9 Bricklayer (5.9.1 Description; 5.9.2 Library)
5.10 Summary
6 Security Evaluation of Cryptographic Algorithms
6.1 KASUMI Cipher Algorithm Evaluation (6.1.1 S-boxes Characterization; 6.1.2 FI Function Characterization)
6.2 Mini-AES Cipher Algorithm Evaluation (6.2.1 S-box Characterization; 6.2.2 Mini-AES Cipher Characterization)
6.3 CLEFIA (6.3.1 S0; 6.3.2 S1)
6.4 Computational Cost Results
7 Design of Cryptographically Robust Vector Boolean Functions
7.1 Multi-Objective Combinatorial Optimization (MOCO) (7.1.1 Problem Formulation; 7.1.2 Preferences among Criteria. Weighting Method)
7.2 Boolean Function Design Procedures (7.2.1 Algebraic Construction Techniques; 7.2.2 Computational Techniques for Approximating the Efficient Set; 7.2.3 The Balancedness Constraint; 7.2.4 Combining Different Algorithms)
8 Conclusions and Future Research
8.1 Summary and Conclusions of the Thesis
8.2 Future Directions
References
Appendix A Mathematical Background
A.1 The Vector Space V_n (A.1.1 Definition; A.1.2 Lexicographic Order; A.1.3 The Hamming Distance)
A.2 Characters (A.2.1 Characters on V_n; A.2.2 Characters on V_n × V_m)
A.3 The Vector Space GF(2^n) (A.3.1 Definition; A.3.2 Operations on Polynomials; A.3.3 Relation between V_n and GF(2^n); A.3.4 Mini-AES Finite Field in GF(2^4))
A.4 The Vector Space R^n (A.4.1 The Inner Product; A.4.2 Distance; A.4.3 The Pointwise Product)
A.5 The Vector Space M_{n×m}(R) (A.5.1 The Inner Product; A.5.2 Distance; A.5.3 The Pointwise Product)
A.6 Kronecker Product of Matrices
A.7 Convolution and Correlation (A.7.1 One-dimensional; A.7.2 Bidimensional)
Appendix B CLEFIA Description
B.1 Truth Tables of CLEFIA SS_i (0 ≤ i ≤ 3) S-boxes
B.2 Truth Table of the Mul2(x) = 0x2 · x operation
B.3 Truth Tables of u0, u1, y0 and y1
B.4 Trace Representation of S0 and S1
Appendix C Using the Library
C.1 An Example Program
C.2 Compiling
C.3 How to Evaluate New Algorithms

List of figures
Fig. 1.1 Block Cipher
Fig. 2.1 Typical internal construction of a Block Cipher
Fig. 2.2 Structure of Mini-AES cipher
Fig. 2.3 Structure of KASUMI cipher FI function
Fig. 2.4 Structure of DES cipher
Fig. 2.5 The Feistel function of DES
Fig. 2.6 Rijndael S-box S_RD
Fig. 3.1 Relationships among representations and characterizations of a Vector Boolean function
Fig. 3.2 Image representations of NibbleSub
Fig. 3.3 Linear Profile of NibbleSub
Fig. 3.4 Differential Profile of NibbleSub
Fig. 3.5 Linear structures of NibbleSub
Fig. 3.6 S1, S2, S3, S4 DES S-boxes
Fig. 3.7 S5, S6, S7, S8 DES S-boxes
Fig. 4.1 Relationships among representations and criteria of a Vector Boolean function
Fig. 4.2 Algebraic Degree of NibbleSub: Degree 4
Fig. 4.3 Algebraic Degree of NibbleSub: Degree 3
Fig. 4.4 Algebraic Degree of NibbleSub: Degree 2
Fig. 4.5 Nonlinearity of NibbleSub
Fig. 4.6 Balancedness of NibbleSub
Fig. 4.7 Correlation immunity of f
Fig. 4.8 Absolute indicator of NibbleSub
Fig. 4.9 Sum-of-squares indicator of NibbleSub
Fig. 4.10 Propagation Criterion of f
Fig. 5.1 Composition
Fig. 5.2 Inverse
Fig. 5.3 Direct Sum
Fig. 5.4 CAST Cipher
Fig. 5.5 Adding Coordinate functions
Fig. 5.6 Bricklayer
Fig. 5.7 DES S-boxes
Fig. 5.8 KHAZAD S-box construction
Fig. 6.1 CLEFIA S0
Fig. 6.2 CLEFIA S1
Fig. 6.3 CLEFIA S-box S0
Fig. 6.4 Overall CPU time in seconds for cryptographic characterization of n × m S-boxes
Fig. 6.5 CPU timing measurements for all functions in Algorithm I
Fig. 7.1 Relationship between Known Functions, PE and BKPE

List of tables
Table 1 Set operators notation
Table 2 Characteristics of sets notation
Table 3 Important number sets notation
Table 4 Function notation
Table 5 Matrices notation
Table 6 Vectors notation
Table 2.1 NibbleSub Truth Table
Table 2.2 Generation of the Round Keys of Mini-AES
Table 2.3 Inverse NibbleSub Truth Table
Table 2.4 NTL modules used in VBF
Table 2.5 New modules created for VBF
Table 3.1 Identification of a coordinate function of NibbleSub with trace function
Table 3.2 Cycle structure of NibbleSub
Table 3.3 Representations of VBF
Table 3.4 Characterizations of VBF
Table 4.1 Maximum nonlinearity of Boolean functions for n odd
Table 4.2 Cryptographic criteria bounds
Table 4.3 Are the criteria affine invariant?
Table 4.4 Weight related cryptographic criteria properties
Table 4.5 Walsh related cryptographic criteria properties
Table 4.6 Maximum nonlinearity of Balanced Boolean functions for n
Table 4.7 Cryptographic criteria
Table 4.8 Member functions of the cryptographic criteria
Table 5.1 Results of spectral radius (r), NL, lp, dp, ACmax and LD for bricklayer of DES S-boxes
Table 5.2 Results of spectral radius (r), NL, lp, dp, ACmax and LD for bricklayer of P and Q mini S-boxes
Table 5.3 Constructions over VBF
Table 6.1 Cycle structure for S7
Table 6.2 Cycle structure for S9
Table 6.3 S7 and S9 Cryptographic criteria
Table 6.4 S7 and S9 Cryptographic criteria
Table 6.5 Cycle structure
Table 6.6 NibbleSub Cryptographic criteria
Table 6.7 Tables of CLEFIA S-boxes SS_i (0 ≤ i ≤ 3)
Table 6.8 Table of the multiplication 0x2 · x
Table 6.9 Results of spectral radius (r), NL, lp, dp, ACmax and LD for CLEFIA S0 construction
Table 6.10 Results of deg, AI, σ, CI for CLEFIA S0 construction
Table 6.11 Results of spectral radius (r), NL, lp, dp, ACmax, LD, deg, AI, σ and CI for CLEFIA S1
Table 6.12 Some CLEFIA S0 security properties versus modern S-boxes based on field inversion
Table 7.1 Nonlinearity, algebraic degree, absolute and sum-of-squares indicators for Maitra construction in [88]
Table 7.2 Nonlinearity, algebraic degree for Maitra construction in [133]
Table 7.3 Nonlinearity, absolute and sum-of-squares indicators for Zhang and Zheng construction [160]
Table 7.4 Nonlinearity, algebraic degree and algebraic immunity for Carlet construction [26]
Table 7.5 Nonlinearity, algebraic degree for Charpin construction [30]
Table 7.6 Nonlinearity, algebraic degree and algebraic immunity for certain power functions x^d
Table 7.7 Comparison of the best achieved computer search results for (NL, deg, ACmax)
Table 7.8 Comparison of profiles with n = 9
Table 7.9 Comparison of profiles with n = 11
Table 7.10 Comparison of nonlinearity achieved in Boolean functions
Table 7.11 Results obtained for different n-input balanced Boolean functions
Table 7.12 Representations of Boolean functions in Table 7.11
Table 7.13 Frequency distribution of the absolute values of the Walsh Spectrum
Table 7.14 Frequency distribution of the absolute values of the Autocorrelation Spectrum
Table 7.15 Additional cryptographic criteria for f1-f5 classes
Table 7.16 Comparison of the best results for (NL, deg, AI, ACmax, σ)
Notation
Table 1 Set operators notation (notation, description: definition)

Ā, complement of A: {x | x ∉ A}
A ⊆ B, A is a subset of B: (x ∈ A) ⇒ (x ∈ B) for every x
A ∪ B, union of the sets A and B: {x | (x ∈ A) ∨ (x ∈ B)}
A − B, difference of the sets A and B: {x | (x ∈ A) ∧ (x ∉ B)}
A Δ B, symmetric difference of A and B: (A − B) ∪ (B − A)
A ≺ B, A is a subspace of B (no formal definition is given in the table)

Table 2 Characteristics of sets notation

#A, cardinality of the set A: the number of elements in A
Supp(A), support of A: {a ∈ A | a ≠ 0}

Table 3 Important number sets notation

N, set of natural numbers: {1, 2, 3, ...}
Z, set of integer numbers: {..., −2, −1, 0, 1, 2, ...}
Z_N, set of integers modulo N: {0, ..., N − 1}
Z_N^n, set of vectors whose n components are in Z_N: {(x_1, ..., x_n) | x_i ∈ Z_N}
R, set of real numbers: (−∞, +∞)
C, set of complex numbers: {x + iy | x, y ∈ R, i = √−1}

Table 4 Function notation

δ(x), Kronecker delta function of x: 1 if x = 0, 0 if x ≠ 0
F(A, B), set of functions with domain A and codomain B: {f | f : A → B}
Im(f), image set of the function f : A → B: {y ∈ B | ∃x ∈ A, y = f(x)}
End(A), set of endomorphisms of A: {f : A → A | f is a homomorphism}
GL(A), set of automorphisms of A: {f ∈ End(A) | f is bijective}
f|_A, restriction of f to A: {(x, f(x)) | x ∈ A}

Table 5 Matrices notation

A ∈ M_{n×m}(K), n × m matrix with elements in K: A = (a_ij) with rows a_i1 ... a_im for i = 1, ..., n
A_i, i-th row vector of A: (a_i1, ..., a_im)
A^j, j-th column vector of A: (a_1j, ..., a_nj)^T
A^T, transpose of A: the matrix B ∈ M_{m×n}(K) with b_ji = a_ij
I_n, identity matrix of order n: a_ii = 1 for all i ∈ {1, ..., n} and a_ij = 0 for all i ≠ j, i, j ∈ {1, ..., n}
P_n, permutation matrix of order n: for every i ∈ {1, ..., n} there exists j ∈ {1, ..., n} with (P_n)_i = (I_n)_j, i.e. every row of P_n is a row of I_n
A ⊗ B, Kronecker product of A and B: the block matrix whose (i, j) block is a_ij B, i.e. [a_11 B ... a_1m B; ...; a_n1 B ... a_nm B]
A|B, concatenation of A ∈ M_{n×m}(GF(2)) and B ∈ M_{p×m}(GF(2)): the matrix [A; B] ∈ M_{(n+p)×m}(GF(2)) obtained by stacking A on top of B

Table 6 Vectors notation

B_n = {e_1, ..., e_n}, canonical basis of V_n: e_i = (x_1, ..., x_n) with x_i = 1 and x_j = 0 for all j ≠ i
∥x∥, norm of the vector x: +√⟨x, x⟩
∠(x, y), angle between the vectors x and y: cos(∠(x, y)) = ⟨x, y⟩ / (∥x∥ · ∥y∥)
⟨x, y⟩, inner product of the vectors x and y: Σ_{i=1}^{n} x_i y_i
x ⊗ y, Kronecker product of x ∈ V_n and y ∈ V_m: (x_1 y, ..., x_n y)
Supp(x), support of the vector x: {i ∈ {1, ..., n} | x_i ≠ 0}
Chapter 1
Introduction
1.1 Information Security
Information security defines a series of techniques intended to guarantee that a sender can deliver a message (usually called plaintext) to a receiver in a secure manner over a channel accessible to third parties. This security rests on three main principles: confidentiality, integrity and availability (the CIA triad). The confidentiality of a message is assured if the sender prevents the intentional or unintentional unauthorized disclosure of its contents. To achieve this objective, the plaintext is processed in such a way that its meaning is hidden. This process is called encryption and is performed by a cipher. The result is a message whose contents are meaningless to an outsider, called the ciphertext. The process of turning the ciphertext back into plaintext is called decryption, and usually makes use of a key previously shared between sender and receiver. Cryptology is the discipline whose objective is to safeguard the secrecy of communications over an insecure channel, so that no unauthorized entity can recover the message (plaintext) from what is sent in its place over the channel (ciphertext). Cryptology comprises two complementary fields: cryptography and cryptanalysis. Cryptography is the art of designing secure ciphers to provide services such as data confidentiality, integrity and authentication. Cryptanalysis is the study of methods for breaking ciphers, that is, of assessing and exploring design features that may lead to the discovery of some piece of secret information. A cryptographic algorithm, also called a cipher or cryptographic scheme, is a function which enables encryption (or ciphering) and decryption (or deciphering). Three types of cryptographic schemes can be identified: public-key (or asymmetric) cryptography, hash functions and secret-key (or symmetric) cryptography. In public-key cryptography (e.g. RSA), encryption and decryption are performed with different keys (the public and private keys), while in secret-key cryptography (e.g. DES, AES) both parties share the same key. Hash functions (e.g. MD5, the SHA family) are algorithms that compute a fixed-length hash value from the plaintext, from which it is computationally infeasible to recover the plaintext (neither its contents nor its length); MD5 is listed only as a historical example, since practical collisions for it have been public since 2004 and it should not be used where collision resistance matters. Secret-key (or symmetric) cryptosystems can be further classified into block ciphers and stream ciphers. Block ciphers (e.g. DES [107], AES [108]) apply a fixed transformation to blocks of data, whereas stream ciphers (e.g. RC4, A5/1 and A5/2) typically apply a time-varying transformation to smaller units of plaintext, usually bits.
Fig. 1.1 Block Cipher.
For electronic information, asymmetric cryptography together with hash functions can be used to verify the authorship and the integrity of a document by means of digital signatures. Symmetric cryptography can be used to guarantee the confidentiality of a message. Every cryptanalysis technique assumes that the cryptographic algorithm is known and public (Kerckhoffs's principle); the only piece of information kept secret is the key used in the ciphering process. A cipher is considered broken, or not secure, if an unauthorized party can extract the key with a time complexity lower than that of exhaustive key search, also called the brute-force attack (trying every possible key and checking whether the resulting plaintext is meaningful). There are many cryptanalytic attacks; some apply only to one particular encryption algorithm.
In general, cryptanalytic attacks can be categorized based on the information available to the analyst with respect to the attack:
• Ciphertext-only attack. The cryptanalyst has the ciphertext of several messages encrypted with the same cipher. The analyst tries to recover the plaintext of as many messages as possible, or even to deduce the key (or keys) used to encrypt the plaintexts. If the key is found, it will be possible to decrypt other ciphertexts encrypted with the same key and the same cipher.
• Known-plaintext attack. The cryptanalyst has the ciphertext of several messages and their corresponding plaintexts, all of them encrypted with the same cipher. The analyst tries to deduce the key (or keys) used to encrypt the plaintexts, or an algorithm to decrypt any new ciphertexts produced with these keys.
• Chosen-plaintext attack. The cryptanalyst has the ciphertext of messages and their corresponding plaintexts, all of them encrypted with the same cipher. In this attack the analyst can choose the plaintexts to be encrypted, in order to deduce the same piece of information as in the previous attack.
• Chosen-ciphertext attack. The cryptanalyst can choose the ciphertexts to be decrypted and has access to their corresponding plaintexts. The analyst will be trying to deduce the key.
Most contemporary data encryption principles and concepts were proposed by Claude Elwood Shannon (1916-2001). In [143] Shannon presented the principles of what he called confusion and diffusion, establishing that both should be present in a computationally secure cryptosystem. The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible (usually obtained by nonlinear transformations in the form of S-boxes)¹ so that any algebraic structure in the system is concealed. Diffusion has the role of dissipating the redundancy of the plaintext by spreading the influence of any minor modification of the plaintext or of the key over all ciphertext bits (usually obtained by linear transformations such as permutations).

¹ S stands for Substitution. The term designates Vector Boolean functions (functions that map a Boolean vector to another Boolean vector) whose role is to provide confusion in a cipher. The most fundamental property of an S-box is that it is a nonlinear mapping.
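As an added worked example, not taken from the thesis or from the VBF library, the following C++ program measures from a truth table the nonlinearity that the footnote above calls the most fundamental S-box property, together with the algebraic degree and the differential uniformity that Section 1.3 lists among the criteria VBF computes. It runs the fast Walsh-Hadamard transform over every nonzero component function ⟨b, S(x)⟩, the binary Möbius transform to obtain the ANF, and the difference distribution table. The sample S-box CUBE3 is a constructed toy (the cube map x ↦ x³ on GF(2³) with modulus x³ + x + 1, tabulated by hand), not a component of any cipher studied in the thesis, and the function names are this example's own, not the VBF API.

```cpp
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <vector>

// Added example, not from the thesis or the VBF library. An n-bit to m-bit
// S-box is given by its lookup table: tab[x] = S(x), with 2^n entries < 2^m.
struct SBox {
    int n;                 // number of input bits
    int m;                 // number of output bits
    std::vector<int> tab;  // truth table in decimal form
};

// Hamming weight of v, used for the GF(2) inner product and monomial degree.
static int weight(unsigned v) {
    int w = 0;
    for (; v; v &= v - 1) ++w;
    return w;
}

// Inner product <a,b> over GF(2): parity of the bitwise AND.
static int dot(int a, int b) { return weight((unsigned)(a & b)) & 1; }

// Walsh spectrum of a Boolean function f given as a truth table of size 2^n:
// W_f(a) = sum_x (-1)^{f(x) xor <a,x>}, via the O(n 2^n) Walsh-Hadamard butterfly.
std::vector<long> walsh_spectrum(const std::vector<int>& f) {
    std::vector<long> w(f.size());
    for (size_t x = 0; x < f.size(); ++x) w[x] = f[x] ? -1 : 1;
    for (size_t len = 1; len < w.size(); len <<= 1)
        for (size_t i = 0; i < w.size(); i += 2 * len)
            for (size_t j = i; j < i + len; ++j) {
                long u = w[j], v = w[j + len];
                w[j] = u + v;
                w[j + len] = u - v;
            }
    return w;
}

// Truth table of the component function f_b(x) = <b, S(x)>.
std::vector<int> component(const SBox& s, int b) {
    std::vector<int> f(s.tab.size());
    for (size_t x = 0; x < f.size(); ++x) f[x] = dot(b, s.tab[x]);
    return f;
}

// Nonlinearity of a Boolean function (distance to the nearest affine function):
// NL(f) = 2^{n-1} - max_a |W_f(a)| / 2.
long nonlinearity(const std::vector<int>& f) {
    long mx = 0;
    for (long w : walsh_spectrum(f)) mx = std::max(mx, std::labs(w));
    return (long)f.size() / 2 - mx / 2;
}

// Nonlinearity of an S-box: the minimum over its nonzero component functions.
long nonlinearity(const SBox& s) {
    long best = -1;
    for (int b = 1; b < (1 << s.m); ++b) {
        long nl = nonlinearity(component(s, b));
        if (best < 0 || nl < best) best = nl;
    }
    return best;
}

// Algebraic degree: the ANF coefficients come from the binary Moebius transform
// of the truth table; the degree is the largest weight of a monomial index u
// whose coefficient is 1.
int algebraic_degree(const std::vector<int>& f) {
    std::vector<int> anf(f);
    for (size_t len = 1; len < anf.size(); len <<= 1)
        for (size_t i = 0; i < anf.size(); i += 2 * len)
            for (size_t j = i; j < i + len; ++j) anf[j + len] ^= anf[j];
    int deg = 0;
    for (size_t u = 0; u < anf.size(); ++u)
        if (anf[u]) deg = std::max(deg, weight((unsigned)u));
    return deg;
}

// Algebraic degree of an S-box: the maximum over its nonzero component functions.
int algebraic_degree(const SBox& s) {
    int deg = 0;
    for (int b = 1; b < (1 << s.m); ++b)
        deg = std::max(deg, algebraic_degree(component(s, b)));
    return deg;
}

// Differential uniformity: the largest entry of the difference distribution
// table over nonzero input differences, max_{dx != 0, dy} #{x : S(x) ^ S(x ^ dx) = dy}.
int differential_uniformity(const SBox& s) {
    int worst = 0;
    for (int dx = 1; dx < (1 << s.n); ++dx) {
        std::vector<int> count(1 << s.m, 0);
        for (int x = 0; x < (1 << s.n); ++x) ++count[s.tab[x] ^ s.tab[x ^ dx]];
        worst = std::max(worst, *std::max_element(count.begin(), count.end()));
    }
    return worst;
}

// Constructed sample (an assumption of this example, not a cipher component from
// the thesis): the cube map x -> x^3 on GF(2^3) with modulus x^3 + x + 1, tabulated by hand.
const SBox CUBE3 = {3, 3, {0, 1, 3, 4, 5, 6, 7, 2}};

int main() {
    std::cout << "NL = " << nonlinearity(CUBE3)
              << ", deg = " << algebraic_degree(CUBE3)
              << ", differential uniformity = " << differential_uniformity(CUBE3) << '\n';
    return 0;
}
```

For this 3-bit S-box the program reports nonlinearity 2, algebraic degree 2 and differential uniformity 2, which is the best achievable for n = 3 (the nonlinearity bound 2^{n-1} − 2^{(n-1)/2} for odd n and the APN value 2 for differential uniformity). Replacing CUBE3 with a 4-bit or 8-bit table is a one-line change; the cost is 2^m Walsh transforms of n·2^n operations each, so an 8×8 S-box is still instantaneous.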
1.2 Motivation
In recent years several international initiatives for selecting ciphers have taken place: AES (United States), CRYPTREC (Japan) and NESSIE (European Union). All of them defined evaluation criteria that can be divided into three major categories: security, cost, and algorithm and implementation characteristics. Security is the most important category, but it is also considered the most difficult to assess. Normally, the institution organizing the competition invites the cryptology community to mount attacks and to try to cryptanalyse the different candidates. Candidates not satisfying the security requirements imposed by the institution are eliminated from the contest. Section 3 in [105] discusses the tools that the NESSIE project developed to support the evaluation process:
It is clear that modern computers and sophisticated software tools cannot replace human cryptanalysis. Nevertheless, software tools can play an important role in modern cryptanalysis. In most cases, the attacks found by the cryptanalyst require a large number of computational steps, hence the actual computation of the attack is performed on a computer. However, software and software tools can also be essential to find a successful way to attack a symmetric cryptographic algorithm; examples include differential and linear cryptanalysis, dependence tests, and statistical tests. Within NESSIE, we distinguish two classes of tools. The general tools are not specific for the algorithms to be analyzed. Special tools, which are specific for the analysis of one algorithm, are implemented when, in the course of the cryptanalysis of an algorithm, the need for such a tool turns up. [...] The software for these tools will not be made available outside the project, but all the results obtained using these tools will be made public in full detail.
It is worth mentioning that comprehensive sets of general tools for the evaluation of symmetric ciphers are available, for instance the RIPE and NIST test suites. These consist of collections of statistical tests such as the frequency test, the collision test, the overlapping m-tuple test, the gap test, the constant runs test, the coupon collector's test, Maurer's universal test, the poker test, the spectral test, the correlation test and the rank test, among others. Nevertheless, such tools are not enough for a rigorous characterization of cryptographic primitives: a statistical test can reject a primitive that behaves non-randomly, but passing it says nothing about the nonlinearity or differential behaviour of its components. Section 4 in [104] provides a detailed description of this issue:
This document describing the NESSIE security methodology has given a list of important issues that are considered in making a security evaluation of a submitted primitive. Clearly, this list is not complete. Cryptographic primitives with completely inadequate security can often be identified. However, for the remaining cryptographic primitives, the situation is nothing like as clear-cut. There is neither an automatic method of assessing the security of such a primitive nor a general consensus on the relative importance of different security criteria. The few previous initiatives that have undertaken a similar task to the NESSIE project, such as AES, have been more limited in scope and have reached a subjective judgment by experts on the security of such primitives. The NESSIE project will produce a security judgment for the submitted primitives based on the issues discussed in this report.
From above, it is clear that there is no general set of tools to assess the security of cipher components. Because of the size and complexity of modern ciphers, automatic analysis programs are very helpful in reducing the time required to study cryptographic properties of Vector Boolean functions.
1.3 Objectives and Outcomes of the Thesis
Listed below are the main objectives of the research presented in this thesis:
1. To gather, derive and/or reformulate in an efficient manner all the relevant theoretical results associated with the characterization of robust cryptographic functions. The research work reported in this thesis requires knowledge of previously established Boolean function and S-box theory. Such knowledge is essential not only for linking the theoretical concepts to practical applications, but also for understanding the significance of the research and where this work sits in relation to the field of cryptology.
2. To make available a free open-source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function. Boolean function research requires the development of specialised programs, typically written in C or C++. These programs can involve a large number of computation steps, and it is therefore imperative that all appropriate optimisation techniques are used to exploit the full processing power available in modern computer systems. There is, however, a noticeable absence in the related cryptographic literature of any reference to the implementation issues facing Boolean function researchers, and with no readily available software for cryptographic Boolean function analysis, researchers have had to develop their own implementations independently.
3. To assess the security of modern Block Ciphers. Fundamental to any area of research is the ability to develop a methodology for systematic observation, measurement and experiment, and for the formulation, testing and modification of hypotheses. The study of Block Ciphers is an area where this basic principle of research has been neglected: the security of these cryptographic algorithms is measured by the best public cryptanalysis reported by an expert. As a result, considerable restrictions have existed on performing a homogeneous analysis of these cryptosystems.
4. To design new robust Boolean functions in order to increase the security of ciphers based on them. These robust cipher components will be those Boolean functions which exhibit suitable measures for a combination of cryptographic properties appropriate for their use according to the type of cipher employing them. The task of obtaining such functions involves generating and/or constructing Boolean functions which not only exhibit the required measures of cryptographic properties but are also of a large enough dimension that they are able to provide resistance to attacks in the long term. Additionally, the means of obtaining these strong cipher components must be computationally efficient.
The outcomes of the work in this thesis are now discussed with reference to the above objectives. To achieve objective 1, fundamental theoretical results have been gathered and/or derived concerning the properties of Boolean functions, S-boxes and different architectures constructed by combining them. To accomplish objective 2, a library of C++ classes for analyzing cryptographic properties of Vector Boolean functions (VBF) is presented in this thesis. The stated mission of the VBF library is to provide a free open source general tool to automatically assess the security of a cryptographic algorithm defined as a Vector Boolean function, and to help in the design of new cryptographically interesting functions. This library has three main features:
1. It supports a large variety of representations useful from the cryptological viewpoint such as: Truth Table (binary, decimal and hexadecimal), ANF Table, polynomials in ANF, Characteristic function, Walsh Spectrum; and characterizations such as Trace, Linear Profile, Differential Profile and Autocorrelation Spectrum.
2. It allows the analysis of the robustness of a cryptographic algorithm by means of a set of criteria related to confusion (Algebraic Degree, Nonlinearity, Balancedness, Correlation Immunity (CI), Resiliency and Algebraic Immunity among others) and diffusion (Global Avalanche, Linearity Distance and Propagation among others).
3. It allows one to obtain some basic Vector Boolean functions such as: Composition, Inverse, Sum, Direct Sum, Concatenation, Addition of coordinate functions and Bricklayering.
The research work performed in this thesis relating to the first two outcomes has been published in http://vbflibrary.tk, [4], [5], [6], and [7]. Note that the theoretical results and the VBF library allow one to analyse the behaviour of the representations, characterizations and criteria when several cryptographic algorithms are interconnected. Accordingly, to address objective 3, we have conducted numerous security analyses of Block Cipher candidates for the AES, CRYPTREC and NESSIE projects together with some other ciphers. This allowed us to obtain representations, characterizations and cryptographic criteria for these ciphers. The research work performed in this thesis relating to this outcome is published in http://vbflibrary.tk and in [7]. Finally, objective 4 has been fulfilled by developing optimization tools to obtain robust cipher components. Sets of balanced Boolean functions with 9 and 11 inputs with the best profiles known to date have been obtained.
1.4 Structure of the Thesis
This thesis is divided into eight chapters, including this introductory chapter. Chapter 2 presents a preliminary general framework including some basic theoretical background (to make the reader familiar with the notation and fundamental definitions), a brief description of several modern Block Ciphers, and the main basic features of the VBF library. Chapter 3 presents the typical forms of Vector Boolean function representation used in cryptography. A definition of all these representations is given, as well as an introduction to the main cryptographic characterizations relating to each representation. In addition, the VBF library methods to obtain these representations and characterizations are described, and the relationships among them are also discussed. Chapter 4 defines and discusses many important cryptographic criteria of Boolean functions and their extension to Vector Boolean functions. Then we develop a brief discussion on the relationship among criteria and to what extent they may reach good values within the same function. The methods in the VBF library to obtain these cryptographic criteria are also described and the relationships among them are also discussed. Chapter 5 describes some basic constructions for Vector Boolean functions together with the corresponding conditions on the cryptographic criteria that are obtained for such constructions. The methods in the VBF library to implement these constructions are also described. Based on the results of the previous chapters, Chapter 6 analyses several modern cryptographic algorithms used in symmetric Block Ciphers. The research described in this chapter is complemented with a further analysis of other cryptosystems provided at http://vbflibrary.tk. Chapter 7 presents a theoretical framework for the multicriteria optimization of Boolean functions and presents several computational schemes for the optimization of certain cryptographic criteria of Vector Boolean functions. New Boolean functions with unprecedented features are provided. Finally, Chapter 8 draws the main conclusions from the research performed for this thesis. It also highlights several directions for future research in this field.
Chapter 2
Fundamentals of Block Ciphers and the VBF Library
This chapter provides a preliminary general framework to be referred to in the following chapters of the thesis. First, some basic theoretical background is provided to make the reader familiar with the notation and fundamental definitions employed in the chapter. Then, we present the structure of some well known Block Ciphers to be employed as a reference when developing the theoretical and practical contributions. Finally, we present the basic structure of the VBF library; this will allow a better combined exposition of the theoretical results together with the coding tools in the following chapters.
2.1 Basic Theoretical Background
In a symmetric cipher, the encryption (E) and decryption (D) can be defined as Vector Boolean functions $E : K \times P \to C$ and $D : K \times C \to P$ such that $D(K, E(K, P)) = P$, where:
• A = Symbols used in P,C or K.
• P = Plaintext space.
• C = Ciphertext space.
• K = Keyspace.
In modern symmetric ciphers, these concepts take the following values:
• $A = GF(2) = \mathbb{Z}_2 = \{0,1\}$.
• $P = C = V_n = \underbrace{GF(2) \times \cdots \times GF(2)}_{n}$
• $K = V_k = \underbrace{GF(2) \times \cdots \times GF(2)}_{k}$
• $E, D : V_k \times V_n \to V_n$
For most Block Ciphers, the ciphertext is produced by repeatedly applying a so-called round function. The key material used in the round function is called a round key. The round keys are computed from the key using a key-schedule algorithm. In the scope of modern ciphers, two different design approaches can be distinguished: Feistel ciphers and ciphers with substitution-permutation networks (SPNs). While a Feistel cipher modifies only half of the data in each round, a cipher with an SPN modifies the entire data. A nice feature of a Feistel cipher is that encryption and decryption are structurally identical, except for the round keys, which are reversed. Note that DES [107] is an example of a Feistel cipher and the current NIST block encryption standard AES [108] is an SPN cipher. A modern Block Cipher results from the association of Vector Boolean functions. Most of these functions are linear or affine, but some of them, called S-boxes, are nonlinear, preventing the overall cryptosystem from being linear or affine, and thus not so easily cryptanalysable. We could say that the robustness of a modern Block Cipher resides in the S-boxes and in the way all the building blocks of the cipher, which can be interpreted as Vector Boolean functions, are interconnected. In stream cipher cryptography a pseudo-random sequence of bits of length equal to the message length is generated. This sequence is then bit-wise XOR-ed (addition modulo 2) with the message sequence and the resulting sequence is transmitted. At the receiving end, deciphering is done by generating the same pseudo-random sequence and again bit-wise XOR-ing the cipher bits with the random bits. The seed of the pseudo-random bit generator is obtained from the secret key. Linear Feedback Shift Registers (LFSRs) are important building blocks in stream cipher systems.
A standard model of stream cipher [17, 145, 146] combines the outputs of several independent LFSR sequences using a nonlinear Boolean function to produce the keystream. As LFSRs are linear, some form of nonlinearity is introduced by using nonlinear Boolean functions (see [130]).
2.1.1 Definitions
The mathematical theory of Vector Boolean functions starts with the formal definition of vector spaces whose elements (vectors) have binary components. Let $\langle GF(2), +, \cdot \rangle$ be the finite field of order 2, where $GF(2) = \mathbb{Z}_2 = \{0,1\}$, '+' is the integer addition modulo 2 and '·' is the integer multiplication modulo 2. $V_n$ is the vector space of $n$-tuples of elements from $GF(2)$. The direct sum of $x \in V_{n_1}$ and $y \in V_{n_2}$ is defined as $x \oplus y = (x_1, \ldots, x_{n_1}, y_1, \ldots, y_{n_2}) \in V_{n_1 + n_2}$. The inner product of $x, y \in V_n$ is denoted by $x \cdot y$, and the inner product of real vectors $x, y \in \mathbb{R}^n$ is denoted by $\langle x, y \rangle$. The weight of an $n$-bit vector $u$ is the number of ones in $u$ and will be denoted by $wt(u)$. The (Hamming) distance between two vectors $x = (x_1, x_2, \ldots, x_n)$ and $y = (y_1, y_2, \ldots, y_n)$ is the number of places where they differ and is denoted by $d(x,y)$. One can now define binary functions between vector spaces of this type, whose cryptanalysis (for robustness-against-attacks purposes) is very important. $f : V_n \to GF(2)$ is called a Boolean function and $F_n$ is the set of all Boolean functions on $V_n$. $L_n$ is the set of all linear Boolean functions on $V_n$: $L_n = \{ l_u \ \forall u \in V_n \mid l_u(x) = u \cdot x \}$, and $A_n$ is the set of all affine Boolean functions on $V_n$. A Truth Table is a tabulation of all possible combinations of input values and their corresponding outputs. For an $n$-variable Boolean function the Truth Table contains $2^n$ rows, one for each assignment of the input variables, and one column for the output. The weight of a Boolean function is the weight of its Truth Table. It is possible to characterize Boolean functions via alternative and very useful associated mappings. In the following, some of these mappings are presented. The real-valued mapping $\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{u \cdot x}$ for $x, u \in V_n$ is called a character. The character form of $f \in F_n$ is defined as $\chi_f(x) = (-1)^{f(x)}$.
The Truth Table of $\chi_f$ is called the $(1,-1)$-sequence or sequence vector of $f$ and is denoted by $\xi_f \in \mathbb{R}^{2^n}$. The autocorrelation of $f \in F_n$ with respect to the shift $u \in V_n$ is a measure of the statistical dependency among the involved variables (indicating robustness against randomness-based attacks). It is the cross-correlation of $f$ with itself, denoted by $r_f(u) : V_n \to \mathbb{Z}$ and defined by¹:
$$r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x + u) = \sum_{x \in V_n} (-1)^{f(x) + f(u + x)} \qquad (2.1)$$
The directional derivative of f ∈ Fn in the direction of u ∈ Vn is defined by:
$$\Delta_u f(x) = f(x + u) + f(x), \quad x \in V_n \qquad (2.2)$$
We shall call the linear kernel of $f$ the set of those vectors $u$ such that $\Delta_u f$ is a constant function. The linear kernel of any Boolean function is a subspace of $V_n$. Any element $u$ of the linear kernel of $f$ is said to be a linear structure of $f$. Let $f \in F_n$; $u \in V_n$ is called a linear structure of $f$ if and only if [116] $|r_f(u)| = 2^n$.
¹ Most authors omit the factor $1/2^n$.
We now extend the scope of the study by considering functions between any pair of binary-valued vector spaces. $F : V_n \to V_m$, $F(x) = (f_1(x), \ldots, f_m(x))$ is called a Vector Boolean function and $F_{n,m}$ is the set of all Vector Boolean functions $F : V_n \to V_m$. Each $f_i : V_n \to GF(2)$, $i \in \{1, \ldots, m\}$, is a coordinate function of $F$. The component functions of $F$ are the linear combinations, with not-all-zero coefficients, of the coordinate functions of $F$ (their set is the vector space spanned by the coordinate functions, deprived of the null function if the coordinate functions are $GF(2)$-linearly independent). The indicator function of $F \in F_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \{0,1\}$, is defined in [29] as:
$$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (2.3)$$
A Vector Boolean function $F \in F_{n,m}$ defined as $F(x) = x \cdot A + b$ with $x \in V_n$, $A \in M_{n \times m}(GF(2))$ and $b \in V_m$ is such that if $b = 0$ then $F$ is linear and if $b \neq 0$ then $F$ is affine. Several mappings associated with a Vector Boolean function can be defined, in similar terms to the binary functions case. Hence, the character form of $(u,v) \in V_n \times V_m$ can be defined as follows: $\chi_{(u,v)}(x,y) = (-1)^{u \cdot x + v \cdot y}$. Also, the autocorrelation of $F \in F_{n,m}$ with respect to the shift $(u,v) \in V_n \times V_m$ is the cross-correlation of $F$ with itself, denoted by $r_F(u,v) : V_n \times V_m \to \mathbb{Z}$, so that [115]:
$$r_F(u,v) = \sum_{x \in V_n} \chi_{v \cdot F}(x + u)\,\chi_{v \cdot F}(x) = \sum_{x \in V_n} (-1)^{v \cdot F(x + u) + v \cdot F(x)} \qquad (2.4)$$
Let $F \in F_{n,m}$ and $u \in V_n$; then the difference Vector Boolean function of $F$ in the direction of $u \in V_n$, denoted by $\Delta_u F \in F_{n,m}$, is defined as follows: $\Delta_u F(x) = F(x + u) + F(x)$, $x \in V_n$. $F$ has a linear structure if there exist vectors $u \in V_n$ and $v \in V_m$ such that $|r_{v \cdot F}(u)| = 2^n$. Finally, we define the simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{uv}\}_{u,v}$, characterized by vectors $u$ and $v$, as $\max(a_{uv}) = \max_{(u,v)} \{|a_{uv}|\}$. Using the same simplifying notation, we can define the $\max^*(\cdot)$ operator on a set of real numbers $\{a_{uv}\}_{u,v}$ as $\max^*(a_{uv}) = \max_{(u,v) \neq (0,0)} \{|a_{uv}|\}$. This notation will be used in some criteria definitions.
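As an added illustration of these definitions (not code from the thesis or the VBF library), the following Python evaluates the autocorrelation (2.1), the linear kernel and the vector autocorrelation (2.4) directly from truth tables, and searches a 4 × 4 S-box for linear structures. The sample F is the NibbleSub table of Mini-AES (Table 2.1 in the next section); all function names are the example's own.

```python
"""Autocorrelation and linear structures from truth tables (Section 2.1.1).

Added example, not code from the thesis or the VBF library.  A Boolean
function f : V_n -> GF(2) is stored as a list of 2**n bits indexed by the
integer value of x; a Vector Boolean function F : V_n -> V_m is a list of
2**n integers below 2**m.  Addition in V_n is XOR, so f(x+u) is f[x ^ u].
"""


def dot(u, x):
    """Inner product u . x over GF(2): parity of the bitwise AND."""
    return bin(u & x).count("1") & 1


def linear_function(n, u):
    """l_u(x) = u . x, an element of L_n (used as a reference below)."""
    return [dot(u, x) for x in range(2 ** n)]


def component(F, v):
    """Component function v . F as a truth table (v != 0 for a proper one)."""
    return [dot(v, y) for y in F]


def autocorrelation(f, u):
    """r_f(u) = sum_x (-1)^(f(x) + f(x+u)), equation (2.1)."""
    return sum(1 - 2 * (f[x] ^ f[x ^ u]) for x in range(len(f)))


def autocorrelation_spectrum(f):
    """All r_f(u) for u in V_n; r_f(0) is always 2**n."""
    return [autocorrelation(f, u) for u in range(len(f))]


def linear_kernel(f):
    """Directions u for which Delta_u f = f(x+u) + f(x) is constant,
    i.e. |r_f(u)| = 2**n.  The result is a subspace of V_n containing 0."""
    size = len(f)
    return [u for u in range(size) if abs(autocorrelation(f, u)) == size]


def vector_autocorrelation(F, u, v):
    """r_F(u, v) = r_{v.F}(u), equation (2.4)."""
    return autocorrelation(component(F, v), u)


def linear_structures(F, m):
    """Pairs (u, v), both nonzero, with |r_{v.F}(u)| = 2**n: some component
    of F has a constant derivative in direction u."""
    size = len(F)
    return [(u, v) for u in range(1, size) for v in range(1, 2 ** m)
            if abs(vector_autocorrelation(F, u, v)) == size]


# Table 2.1: NibbleSub of Mini-AES (first row of DES S-box S1), output
# nibble indexed by input nibble.
NIBBLE_SUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
              0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


if __name__ == "__main__":
    # A linear function has |r_f(u)| = 2**n for every u: its whole domain
    # is its linear kernel.
    print("kernel of l_1011:", linear_kernel(linear_function(4, 0b1011)))
    # Coordinate function f_1 (least significant output bit) of NibbleSub.
    print("r_{f_1}:", autocorrelation_spectrum(component(NIBBLE_SUB, 1)))
    # Every (u, v) for which a component of NibbleSub has a linear structure.
    print("linear structures:", linear_structures(NIBBLE_SUB, 4))
```

The search reports, among others, the pair (u, v) = (3, 7): the component b₀ + b₁ + b₂ of NibbleSub flips for every input difference 0011, so its derivative in that direction is constant.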
2.2 Block Ciphers
A Block Cipher can be divided into two parts: a data processing part and a key scheduling part. Among the Block Ciphers that are analysed throughout this thesis, it is important to mention Mini-AES, KASUMI, DES and AES. In this section, we provide a succinct description of these algorithms. A detailed cryptographic analysis of them and other ciphers can be found at http://vbflibrary.tk.
Fig. 2.1 Typical internal construction of a Block Cipher.
2.2.1 Mini-AES Cipher
Introduction
Raphael Chung-Wei Phan presented a version of the AES [120] with all the parameters significantly reduced while preserving its original structure. This Mini version is purely educational and is designed to help grasp the underlying concepts of Rijndael-like ciphers. It may also serve as a test-bed for beginning cryptanalysts to experiment with various cryptanalytic attacks. The Mini-AES cipher is a 16 × 16 Vector Boolean function and Mini-AES encryption is performed with a secret key of 16 bits. It takes a 16-bit input block and processes the block by repeating the basic operations of a round twice. Each round consists of (1) substitution based on the S-box NibbleSub γ, (2) a transposition of the bits (i.e., permutation of the bit positions) based on ShiftRow π and MixColumn θ, and (3) key addition $\sigma_{k_i}$. Mini-AES has an S-box, NibbleSub, which operates on a nibble (4 bits) at a time. In addition, another component, MixColumn, operates on words of 4 nibbles. Section A.3 presents the mathematical background needed for the reader to have a clearer understanding of the components of Mini-AES.
Substitution
In the Mini-AES cipher, we break the 16-bit plaintext block into four 4-bit sub-blocks. Each sub-block forms an input to a 4 × 4 S-box (a substitution with 4 input and 4 output bits) called NibbleSub γ, which can be easily implemented with a table lookup of sixteen 4-bit values, indexed by the integer represented by the 4 input bits. For the Mini-AES cipher, the same nonlinear mapping is used for all S-boxes. The mapping chosen for this cipher, given in Table 2.1, is taken from the S-boxes of DES (it is the first row of the first S-box).
Table 2.1 NibbleSub Truth Table.
Input Output
0000 1110
0001 0100
0010 1101
0011 0001
0100 0010
0101 1111
0110 1011
0111 1000
1000 0011
1001 1010
1010 0110
1011 1100
1100 0101
1101 1001
1110 0000
1111 0111
Permutation
The permutation portion of a round is simply the transposition of the bits or the permutation of the bit positions. The permutation of Figure 2.2 is given by two operations, ShiftRow π and MixColumn θ. Note that there is no MixColumn in the last round. ShiftRow rotates each row of the input block to the left by different nibble amounts. The first row is unchanged while the second row is rotated left by one nibble.
MixColumn takes each column of the input block and multiplies it with a constant matrix to obtain a new output column. If $a = (a_0, a_1, a_2, a_3)$ and $b = (b_0, b_1, b_2, b_3)$ denote the input and output of MixColumn respectively, then:
$$\begin{bmatrix} b_0 \\ b_1 \end{bmatrix} = \begin{bmatrix} 0011 & 0010 \\ 0010 & 0011 \end{bmatrix} \begin{bmatrix} a_0 \\ a_1 \end{bmatrix} \qquad (2.5)$$
and
$$\begin{bmatrix} b_2 \\ b_3 \end{bmatrix} = \begin{bmatrix} 0011 & 0010 \\ 0010 & 0011 \end{bmatrix} \begin{bmatrix} a_2 \\ a_3 \end{bmatrix} \qquad (2.6)$$
Hence, $b_0 = (0011 \times a_0) + (0010 \times a_1)$ and $b_1 = (0010 \times a_0) + (0011 \times a_1)$. Similarly, $b_2 = (0011 \times a_2) + (0010 \times a_3)$ and $b_3 = (0010 \times a_2) + (0011 \times a_3)$.
Key Addition
To achieve the key addition, Mini-AES uses a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a subkey) and the data block input to a round. Normally, in a cipher, the subkey for a round is derived from the cipher's master key through a process known as the key schedule. In Mini-AES, the 16-bit secret key is passed through a key schedule to produce one 16-bit round key, $k_0$, to be used prior to the first round, and a 16-bit round key, $k_i$, for use in each round of Mini-AES. Mini-AES encryption is defined to have 2 rounds, hence three round keys, $k_0$, $k_1$ and $k_2$, are generated. The Key Addition operation is denoted by $\sigma_{k_0}$, $\sigma_{k_1}$, $\sigma_{k_2}$ respectively. Denote the 16-bit secret key $K$ as 4 nibbles, $K = (k_0, k_1, k_2, k_3)$, and likewise $k_0 = (w_0, w_1, w_2, w_3)$, $k_1 = (w_4, w_5, w_6, w_7)$ and $k_2 = (w_8, w_9, w_{10}, w_{11})$. Then, the round key values are obtained from the secret key as in Table 2.2. Note that in each round, round constants $rcon(i)$ are used, where $rcon(1) = 0001$ and $rcon(2) = 0010$.
Encryption
The application of the four components NibbleSub, ShiftRow, MixColumn and KeyAddition in sequence constitutes one round. The full Mini-AES encryption consists of two such rounds, with the exclusion of MixColumn from the last round and the inclusion of an extra KeyAddition prior to the first round. Hence, Mini-AES encryption can be denoted by:
$$\text{Mini-AES}_{Encrypt} = \sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0} \qquad (2.7)$$
Fig. 2.2 Structure of Mini-AES cipher.
Table 2.2 Generation of the Round Keys of Mini-AES.
Round Round Key Values
0 $w_0 = k_0$, $w_1 = k_1$, $w_2 = k_2$, $w_3 = k_3$
1 $w_4 = w_0 + \text{NibbleSub}(w_3) + rcon(1)$, $w_5 = w_1 + w_4$, $w_6 = w_2 + w_5$, $w_7 = w_3 + w_6$
2 $w_8 = w_4 + \text{NibbleSub}(w_7) + rcon(2)$, $w_9 = w_5 + w_8$, $w_{10} = w_6 + w_9$, $w_{11} = w_7 + w_{10}$
Note that the symbol ◦ refers to the composition of functions and the order of execution is from right to left, which means that σk0 is executed first.
Decryption
In order to decrypt, data is essentially passed backwards through the cipher. However, the mappings used in the S-boxes of the decryption network are the inverse of the mappings in the encryption network (i.e., input becomes output, output becomes input). This implies that in order for a cipher to allow for decryption, all S-boxes must be bijective, that is, a one-to-one mapping with the same number of input and output bits. Also, in order for the cipher to properly decrypt, the subkeys are applied in reverse order and the bits of the subkeys must be moved around according to the permutation. Note also that the lack of the permutation after the last round ensures that the decryption network can have the same structure as the encryption network.
$$\begin{aligned}
\text{Mini-AES}_{Decrypt} &= (\sigma_{k_2} \circ \pi \circ \gamma \circ \sigma_{k_1} \circ \theta \circ \pi \circ \gamma \circ \sigma_{k_0})^{-1} \\
&= \sigma_{k_0}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \theta^{-1} \circ \sigma_{k_1}^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \sigma_{k_2}^{-1} \\
&= \sigma_{k_0} \circ \gamma^{-1} \circ \pi \circ \theta \circ \sigma_{k_1} \circ \gamma^{-1} \circ \pi \circ \sigma_{k_2}
\end{aligned} \qquad (2.8)$$
We arrive at this expression since $\sigma_{k_0}$ is an XOR operation, which is its own inverse. We have also specially chosen the constant matrix in MixColumn, θ, such that the inverse of MixColumn, $\theta^{-1}$, is the same as MixColumn itself. Since ShiftRow simply causes the second row to be rotated left by one nibble, the inverse of ShiftRow, $\pi^{-1}$, causes the second row to be rotated right by one nibble. Rotating the nibble left or right is one and the same operation because the row only has two nibbles; therefore inverse ShiftRow is the same as ShiftRow. NibbleSub is a nibble substitution operation based on Table 2.1. The inverse of Table 2.1 is easily computed by interchanging the input nibble with the output nibble, and then re-sorting it based on the new input nibble, as given in Table 2.3 below.
Table 2.3 Inverse NibbleSub Truth Table.
Input Output
0000 1110
0001 0011
0010 0100
0011 1000
0100 0001
0101 1100
0110 1010
0111 1111
1000 0111
1001 1101
1010 1001
1011 0110
1100 1011
1101 0010
1110 0000
1111 0101
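The components above, assembled into a complete Mini-AES encryption (2.7) and decryption (2.8), as an added Python example (not the thesis' or the VBF library's code). It assumes the GF(2⁴) arithmetic of Phan's Mini-AES with reduction polynomial x⁴ + x + 1 (the background the text defers to Section A.3) and a column-major 2 × 2 state, so the block (p₀, p₁, p₂, p₃) has columns (p₀, p₁), (p₂, p₃) and second row (p₁, p₃); neither is spelled out in the text here.

```python
"""Mini-AES from the components of Section 2.2.1.  Added example, not code
from the thesis or the VBF library.

Assumptions beyond the text: nibbles are multiplied in GF(2^4) modulo
x^4 + x + 1 (Phan's Mini-AES field), and the 16-bit block (p0, p1, p2, p3)
fills the 2 x 2 state column by column, so the columns are (p0, p1) and
(p2, p3) and the second row is (p1, p3).
"""

# Table 2.1 (NibbleSub, gamma) and Table 2.3 (its inverse).
NIBBLE_SUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
              0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
NIBBLE_SUB_INV = [NIBBLE_SUB.index(y) for y in range(16)]

# Round constants rcon(1) = 0001 and rcon(2) = 0010.
RCON = {1: 0b0001, 2: 0b0010}


def gf16_mul(a, b):
    """Multiply two nibbles in GF(2^4) with reduction polynomial x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13          # reduce by x^4 + x + 1 (0b10011)
    return r & 0xF


def split(block):
    """16-bit integer -> nibbles (p0, p1, p2, p3), p0 most significant."""
    return [(block >> (12 - 4 * i)) & 0xF for i in range(4)]


def join(nibbles):
    """Inverse of split."""
    out = 0
    for nib in nibbles:
        out = (out << 4) | nib
    return out


def nibble_sub(state, table=NIBBLE_SUB):
    """gamma: substitute every nibble through Table 2.1 (or its inverse)."""
    return [table[x] for x in state]


def shift_row(state):
    """pi: first row (s0, s2) unchanged, second row (s1, s3) rotated by one
    nibble.  With two nibbles per row, left and right rotation coincide."""
    s0, s1, s2, s3 = state
    return [s0, s3, s2, s1]


def mix_column(state):
    """theta: equations (2.5)-(2.6), each column multiplied by the constant
    matrix [[0011, 0010], [0010, 0011]] over GF(2^4).  The matrix squares
    to the identity, so theta is its own inverse."""
    a0, a1, a2, a3 = state
    return [gf16_mul(0x3, a0) ^ gf16_mul(0x2, a1),
            gf16_mul(0x2, a0) ^ gf16_mul(0x3, a1),
            gf16_mul(0x3, a2) ^ gf16_mul(0x2, a3),
            gf16_mul(0x2, a2) ^ gf16_mul(0x3, a3)]


def key_addition(state, round_key):
    """sigma_k: bit-wise XOR of the state with a round key."""
    return [s ^ k for s, k in zip(state, round_key)]


def key_schedule(key):
    """Table 2.2: expand K = (k0..k3) into w0..w11 and return the round keys
    k0 = (w0..w3), k1 = (w4..w7), k2 = (w8..w11)."""
    w = split(key)
    for r in (1, 2):
        base = 4 * (r - 1)
        w.append(w[base] ^ NIBBLE_SUB[w[base + 3]] ^ RCON[r])
        for i in range(1, 4):
            w.append(w[base + i] ^ w[base + 3 + i])
    return [w[0:4], w[4:8], w[8:12]]


def encrypt(plaintext, key):
    """Equation (2.7), applied right to left:
    sigma_k2 . pi . gamma . sigma_k1 . theta . pi . gamma . sigma_k0."""
    k0, k1, k2 = key_schedule(key)
    s = key_addition(split(plaintext), k0)
    s = mix_column(shift_row(nibble_sub(s)))
    s = key_addition(s, k1)
    s = shift_row(nibble_sub(s))                # no MixColumn in last round
    return join(key_addition(s, k2))


def decrypt(ciphertext, key):
    """Equation (2.8), applied right to left:
    sigma_k0 . gamma^-1 . pi . theta . sigma_k1 . gamma^-1 . pi . sigma_k2."""
    k0, k1, k2 = key_schedule(key)
    s = key_addition(split(ciphertext), k2)
    s = nibble_sub(shift_row(s), NIBBLE_SUB_INV)
    s = key_addition(s, k1)
    s = nibble_sub(shift_row(mix_column(s)), NIBBLE_SUB_INV)
    return join(key_addition(s, k0))


if __name__ == "__main__":
    pt, key = 0x1234, 0xABCD              # constructed sample values
    ct = encrypt(pt, key)
    print(f"round keys: {key_schedule(key)}")
    print(f"E(0x{pt:04x}) = 0x{ct:04x}, D(ct) = 0x{decrypt(ct, key):04x}")
```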
2.2.2 KASUMI Cipher
Description
The KASUMI cipher is used in the UMTS [155], GSM [67] and GPRS [65] mobile communications systems. UMTS uses KASUMI [76] in the confidentiality and integrity algorithms named UEA1 and UIA1 [76], respectively. GSM employs KASUMI in the A5/3 key stream generator whereas GPRS does so in the GEA3 key stream generator. KASUMI encrypts a 64-bit input by iterating a round function 8 times. The round function consists of the composition of a 32-bit non-linear mixing function (FO) and a 32-bit linear mixing function (FL). The FO function is again an iterated "ladder design" consisting of 3 rounds of a 16-bit non-linear mixing function FI. In turn, FI is defined as a 4-round structure using non-linear look-up tables S7 and S9. All functions involved mix the data input with key material.
FI Function
The FI function is a 16×16 Vector Boolean function which constitutes the basic randomizing function of KASUMI. It is composed of a four round structure using the S-boxes S7 and S9 as shown in Figure 2.3.
The function FI takes a 16-bit data input $I$ and a 16-bit subkey $KI_{i,j}$. The input $I$ is split into two unequal components, a 9-bit left half $L_0$ and a 7-bit right half $R_0$, where $I = L_0 \| R_0$. Similarly the key $KI_{i,j}$ is split into a 7-bit component $KI_{i,j,1}$ and a 9-bit component $KI_{i,j,2}$, where $KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2}$. The function uses two S-boxes, S7, which maps a 7-bit input to a 7-bit output, and S9, which maps a 9-bit input to a 9-bit output. It also uses two additional functions, designated ZE() and TR(), where ZE(x) takes the 7-bit value x and converts it to a 9-bit value by adding two zero bits at the most-significant end, and TR(x) takes the 9-bit value x and converts it to a 7-bit value by discarding the two most-significant bits. The following equations summarize the implementation of function FI:
$$I = L_0 \| R_0, \qquad KI_{i,j} = KI_{i,j,1} \| KI_{i,j,2} \qquad (2.9)$$
$$\begin{aligned}
L_1 &= R_0, & R_1 &= S9(L_0) + ZE(R_0) \\
L_2 &= R_1 + KI_{i,j,2}, & R_2 &= S7(L_1) + TR(R_1) + KI_{i,j,1} \\
L_3 &= R_2, & R_3 &= S9(L_2) + ZE(R_2) \\
L_4 &= S7(L_3) + TR(R_3), & R_4 &= R_3
\end{aligned} \qquad (2.10)$$
$$\begin{aligned}
L_4 &= S7\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big) \\
&\quad + TR\big(S9(S9(L_0) + ZE(R_0) + KI_{i,j,2}) + ZE(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1})\big) \\
R_4 &= S9(R_1 + KI_{i,j,2}) + ZE\big(S7(R_0) + TR(S9(L_0) + ZE(R_0)) + KI_{i,j,1}\big)
\end{aligned} \qquad (2.11)$$
being the output L4||R4.
2.2.3 DES Cipher
Fig. 2.3 Structure of KASUMI cipher FI function.
The Data Encryption Standard (DES) was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. DES operates on a 64-bit block of plaintext. After an initial permutation (IP), the block is broken into a right half ($R_0$) and a left half ($L_0$), each 32 bits long. Then there are 16 rounds of identical operations, called Function $f$ or Feistel function, in which the data are combined with the key. After the sixteenth round, the right and left halves are joined, and a final permutation (the inverse of the initial permutation, $IP^{-1}$) finishes off the algorithm. The Feistel function ($f$), depicted in Figure 2.5, operates on half a block (32 bits) at a time and consists of four stages:
1. Expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit (8 × 6 = 48 bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side.
2. Key mixing: the result is combined with a subkey using an XOR operation. Sixteen 48-bit subkeys (one for each round) are derived from the main key using the key schedule.
3. Substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes, or substitution boxes. Each of the 8 S-boxes replaces its 6 input bits with 4 output bits according to a non-linear transformation, provided in the form of a lookup table.
4. Permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after permutation, each S-box's output bits are spread across 4 different S-boxes in the next round.
2.2.4 AES Cipher
Fig. 2.4 Structure of DES cipher.
Fig. 2.5 The Feistel function of DES.
The Advanced Encryption Standard (AES), also referred to as Rijndael (its original name), has been adopted by the U.S. government and is now used worldwide. It has superseded the Data Encryption Standard (DES) since 2002. The AES is a 128-bit Block Cipher, and supports secret key sizes of 128, 192 or 256 bits. We will describe the details of the AES with reference to a 128-bit key. The other variants are similar in nature. The 128-bit block of the AES is expressed as a matrix of 4 × 4 bytes called the state, in contrast to Mini-AES, whose block is expressed as a matrix of 2 × 2 nibbles. AES consists of 10 rounds, where each round is similar to the round of Mini-AES, with the last round having no MixColumn. There is also a KeyAddition prior to the first round. The purpose of the extra KeyAddition and the omission of MixColumn is so that encryption and decryption of the AES are similar in structure, which simplifies implementation. The round components of the AES are SubBytes, ShiftRow, MixColumn and KeyAddition. SubBytes is similar to NibbleSub, but operates on one byte instead of one nibble. Likewise, ShiftRow rotates each row of the input block to the left by different byte amounts. The first row is unchanged, the second is rotated left by 1 byte, the third by 2 and the fourth by 3. MixColumn takes each column of the input block and multiplies it with a constant 4 × 4 matrix. KeyAddition is similar to that of Mini-AES. A high-level description of this algorithm would be:
1. KeyExpansions: round keys are derived from the cipher key using Rijndael’s key schedule. AES requires a separate 128-bit round key block for each round plus one more.
2. InitialRound
(a) AddRoundKey: each byte of the state is combined with a block of the round key using bit-wise xor.
3. Rounds
(a) SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
(b) ShiftRows: a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
(c) MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
(d) AddRoundKey
4. Final Round (no MixColumns)
(a) SubBytes
(b) ShiftRows
(c) AddRoundKey
The Mini-AES key schedule takes the 16-bit secret key and expresses it as a group of four nibbles. Meanwhile, the AES key schedule takes the 128-bit secret key and expresses it as a group of four 32-bit words. The 0th round key, K0 equals the secret key itself while each subsequent round key is derived from the secret key in almost the same way as Mini-AES.
Substitution or SubBytes Step
In the AES cipher, we break the 128-bit plaintext block into sixteen 8-bit sub-blocks. Each sub-block forms an input to an 8 × 8 S-box (a substitution with 8 input and 8 output bits) called the Rijndael S-box $S_{RD}$. It is represented in hexadecimal notation as shown in Figure 2.6. There the column is determined by the least significant nibble (four-bit aggregation), and the row is determined by the most significant nibble. For example, the value 0x9a is converted into 0xb8 by the Rijndael S-box. Note that the multiplicative inverse of 0x00 is defined as itself.
Permutation
The permutation of AES is given by two steps: ShiftRows and MixColumns. Note that there is no MixColumns in the last round.
Fig. 2.6 Rijndael S-box $S_{RD}$.
The ShiftRows step is a byte transposition that cyclically shifts the rows of the state (array of bytes) over different offsets. The MixColumns step is a bricklayer permutation operating on the state column by column.
Key Addition and AddRoundKey
To achieve the key addition, AES applies a simple bit-wise exclusive-OR between the key bits associated with a round (referred to as a round key) and the data block input to a round.
2.3 VBF (Vector Boolean Functions) library
2.3.1 Features
The main features of the VBF library are the following:
• It is free/open source under the GPL. In this sense, we are aligned with the Sage project developers who affirm the following:
A standard rule in the mathematics community is that everything is laid open for inspection. The Sage project believes that not doing the same for mathematics software is at best a gesture of impoliteness and rudeness, and at worst a violation against standard scientific practices. An underlying philosophical principle of Sage is to apply the system of open exchange and peer review that characterizes scientific communication to the development of mathematics software. Neither the Sage project nor the Sage Development Team make any claims to being the original proponents of this principle. The development model of Sage is largely inspired by the free software movement as spearheaded by the Free Software Foundation, and by the open source movement. One source of inspiration from within the mathematics community is Joachim Neubüser as expressed in the paper [109] and in particular the following quotation from his paper: "You can read Sylow's Theorem and its proof in Huppert's book in the library without even buying the book and then you can use Sylow's Theorem for the rest of your life free of charge, but...for many computer algebra systems license fees have to be paid regularly for the total time of their use. In order to protect what you pay for, you do not get the source, but only an executable, i.e. a black box. You can press buttons and you get answers in the same way as you get the bright pictures from your television set but you cannot control how they were made in either case. With this situation two of the most basic rules of conduct in mathematics are violated: In mathematics information is passed on free of charge and everything is laid open for checking. Not applying these rules to computer algebra systems that are made for mathematical research...means moving in a most undesirable direction. Most important: Can we expect somebody to believe a result of a program that he is not allowed to see? Moreover: Do we really want to charge colleagues in Moldava several years of their salary for a computer algebra system?" Similar sentiments were also expressed by Andrei Okounkov as can be found in [110], in particular the following quotation: "Computers are no more a threat to mathematicians than food processors are a threat to cooks. As mathematics gets more and more complex while the pace of our lives accelerates, we must delegate as much as we can to machines. And I mean both numeric and symbolic work. Some people can manage without dishwashers, but I think proofs come out a lot cleaner when routine work is automated. This brings up many issues. I am not an expert, but I think we need a symbolic standard to make computer manipulations easier to document and verify. And with all due respect to the free market, perhaps we should not be dependent on commercial software here. An open-source project could, perhaps, find better answers to the obvious problems such as availability, bugs, backward compatibility, platform independence, standard libraries, etc. One can learn from the success of TeX and more specialized software like Macaulay2. I do hope that funding agencies are looking into this."
• It is a library allowing us to use it in conjunction with other tools and libraries.
• It is implemented in the C++ language. The main advantages of this language derive from its object-oriented implementation and the use of effective algorithms: reusability, maintainability, extensibility and flexibility in the analysis of a broad range of Vector Boolean functions employed in symmetric ciphers. The size of the Vector Boolean functions that can be analyzed by VBF is restricted by the computational resources (memory, disk space, CPU, ...) of the platform on which it is executed. However, the maximum values of n and m that the different functions can handle are conditioned by the maximum value attainable by long int variables (for the computer employed in this work it is approximately $2^{30}$, so that $n_{max} = m_{max} \approx 30$). Note that, although functions of this size would be compatible with the VBF resource management procedures, the run time needed to compute their characteristics would exceed any realistic bound.
• It can be easily installed in several platforms such as Windows, Linux and MacOS among others.
• It makes use of some modules from the well-known Number Theory Library NTL implemented by Victor Shoup (VBF works with any version of NTL, up to the latest one [111]). A preliminary version of VBF, lacking several of the modules and features in the current package, was presented in [5]. NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, as well as vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:
1. It is free software, and may be used according to the terms of the GNU General Public License.
2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.
3. It may be easily installed on a wide range of platforms.
4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.
The core of the VBF library is the VBF class, which represents Vector Boolean functions; its data members and member functions make use of the NTL modules listed in Table 2.4. Some new cryptography-related member functions were added to these modules. New modules, not present in NTL, are defined and listed in Table 2.5. The main file in the library, VBF.h, contains the definitions of the objects described in the next subsection and makes use of the cited modules.
The development of the VBF library consisted of four steps:

1. To study the most common representation methods employed in modern cryptosystems.
2. To compile and elaborate cryptographic criteria for Vector Boolean functions.
3. To analyse the structure of modern cryptographic algorithms in order to identify the most common interconnections among their subsystems. It is important to understand the behaviour of the representations, characterizations and criteria of a cryptosystem in terms of the representations, characterizations and criteria of its subsystems.
4. To develop algorithms to load representations, calculate their characterizations and criteria, and apply constructions to subsystems.

Table 2.4 NTL modules used in VBF.

CLASS NAME   DESCRIPTION
GF2          Galois Field of order 2, denoted by GF(2)
vec_GF2      Vectors over GF(2)
mat_GF2      Matrices over GF(2)
RR           Arbitrary-precision floating point numbers
vec_RR       Vectors over reals
mat_RR       Matrices over reals
ZZ           Signed, arbitrary length integers
vec_ZZ       Vectors over integers
mat_ZZ       Matrices over integers
GF2X         Implements polynomial arithmetic modulo 2
GF2E         Polynomials in F2[X] modulo a polynomial P
GF2EX        Polynomials over GF2E
vec_GF2E     Vectors over GF2E

Table 2.5 New modules created for VBF.

CLASS NAME   DESCRIPTION
pol          Polynomial in ANF of a Boolean function
vec_pol      Polynomials in ANF of a Vector Boolean function
2.3.2 State-of-the-art on Vector Boolean Functions Analysis Software
To put our own contributions in context, we now survey previous work on the analysis of Vector Boolean functions from the cryptographic point of view. At present, several other packages are available, for example:
1. CrypTool [44] is a free, open-source e-learning application, used in the implementation and analysis of cryptographic algorithms. It provides cryptanalytical measurement methods (entropy, n-grams, autocorrelation, etc.) but it does not allow the calculation of cryptographic criteria. The current release version, CrypTool 2, is based on the latest .NET Framework (currently .NET 4.0) and it has a pure-plugin architecture. There is also another project called JCrypTool developed in Java and based on Eclipse RCP.
2. Matpack [90] is a C++ numerics and graphics library implementing computational methods that are needed in engineering. The cryptographic algorithms are included in the commercial library; these can only be used to analyze some cryptographic properties of Boolean functions and do not address Vector Boolean functions.
3. In [12], a system for assisting analysis of some criteria of DES-like ciphers is described. This system analyzes only a small subset of the criteria considered by VBF.
4. bma [122] outputs the value table, Walsh Spectrum (WS) (a generalized Fourier spectrum), linear profile, differential profile, and some linearity/nonlinearity measures, given the ANF of a Vector Boolean function. It is an open-source executable program written in C, computationally very efficient for specific S-boxes analysis.
5. The boolfun package [14] is open source software, written in R, to assess cryptographic properties of Boolean functions. It implements three representations: Truth Table, ANF and WS. It can calculate cryptographic properties of Boolean functions that are relevant for the design of stream ciphers (i.e., cryptographic pseudo-random generators), namely nonlinearity, algebraic immunity, correlation immunity and resiliency. Unfortunately it does not provide specific tools for analyzing vector functions.
6. Sage [132] is free open source mathematical software that supports research and teaching in algebra, geometry, number theory, cryptography, and related areas. The Cryptography module contains some descriptions of classical ciphers and simplified modern ciphers such as Simplified DES and Mini-AES. Compared with the VBF library, Sage lacks much useful functionality.
In summary, the packages cited above present one (or more) of the following disadvantages: they are commercial, they do not benefit from the new paradigms of object orientation and generic programming, or they do not cover the broad spectrum of representations and cryptographic criteria for both Boolean and Vector Boolean functions that VBF does. The aim of the VBF package presented in this thesis is to provide an easy-to-use tool for both the designer and the cryptanalyst of symmetric ciphers. The user only needs to code the basic features related to the Vector Boolean functions associated with a cipher (e.g., Truth Table, ANF table, polynomial in ANF, etc.). The following chapter analyses the possible representations and characterizations of Boolean functions with the aim of their efficient management via the VBF library.
Chapter 3
Representations and Characterizations
This chapter presents a review of the theory relevant to the study of the typical forms of Vector Boolean function representations and characterizations. We consider as representations those matrices that uniquely represent a Vector Boolean function. Characterizations do not uniquely determine the Vector Boolean function, in contrast to the previous matrices, but provide useful information in the context of cryptography. The representations included in this chapter are the Truth Table (TT), the polynomials in Algebraic Normal Form (Pol) and the ANF Table (ANF), the Image (Char), the Truth Table of the component functions (LTT), the sequence vectors of the component functions (CTT), the Trace representation (Trace) and the Affine function representation. A definition of each of these representations is given, and the relationships among them and their various properties are also discussed. Characterizations such as the Linear Profile (LP), Differential Profile (DP), Autocorrelation Spectrum (AC) and Linear Structures (LS) are introduced. A definition of each of these characterizations is given, and the relationships among them and the above representations, together with their various properties, are also discussed. The basic concepts of linear and differential cryptanalysis are introduced in terms of the Linear Profile and Differential Profile, together with other properties related to these attacks, such as linear potential, differential potential, and linear or differential relations associated with a specific value. Affine equivalence analysis of Boolean functions by means of the VBF library is described. It is shown how to obtain the frequency distribution of the absolute values of the Walsh Spectrum and of the Autocorrelation Spectrum. It is possible to check the randomness of the outputs of a Vector Boolean function with VBF by means of its cycle structure and the analysis of the presence of fixed points or negated fixed points.
Finally, some other representations useful in block ciphers are described, such as the Permutation Vector (Per), the Expansion and Compression DES permutations and the DES-like S-box representations. The description of each representation and characterization is complemented with a description of the VBF methods related to it. Most of the member functions of VBF also have an in-line definition; for instance, void TT(NTL::mat_GF2& X, VBF& F) is also defined as inline NTL::mat_GF2 TT(VBF& F). Figure 3.1 summarizes the relationships among the different representations.
Fig. 3.1 Relationships among representations and characterizations of a Vector Boolean function.
The representations which are Boolean matrices are coloured in red, those which are integer matrices in blue, those which are vectors of integers in yellow and those which are polynomials in green. In this chapter we apply VBF library methods to find the representations and characterizations of several cryptographic algorithms. Refer to http://vbflibrary.tk for an extensive description of representations and characterizations of modern cryptographic algorithms beyond those described in this chapter.
3.1 Truth Table
3.1.1 Description
A Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be uniquely represented by its Truth Table, which is a matrix with $2^n$ rows and $m$ columns whose elements are the values of F taken on all possible vectors of $V_n$ ordered lexicographically.

Definition 3.1.1. Let $F \in \mathcal{F}_{n,m}$. If we take into account the one-to-one mapping of $V_n$ onto the set of integers defined in Theorem A.1.1, we can define any Vector Boolean function by the corresponding set of values:

$F(\alpha_i) \in V_m \quad \forall i \in \{0,\dots,2^n-1\}$ (3.1)

The matrix with $2^n$ rows and $m$ columns will be referred to as the Truth Table of F and will generally be written as $TT_F$:

$TT_F = \begin{bmatrix} f_1(\alpha_0) & \dots & f_m(\alpha_0) \\ f_1(\alpha_1) & \dots & f_m(\alpha_1) \\ \vdots & \ddots & \vdots \\ f_1(\alpha_{2^n-1}) & \dots & f_m(\alpha_{2^n-1}) \end{bmatrix}$ (3.2)

Each $\alpha_i = (x_1,\dots,x_n) \in V_n$, $i \in \{1,\dots,2^n-1\}$, is a vector whose decimal equivalent is $\mathrm{dec}(\alpha_i) = i = \sum_{j=1}^{n} x_j 2^{n-j}$, and all the vectors of $V_n$ can be listed so that $\alpha_0 < \alpha_1 < \dots < \alpha_{2^n-1}$.
As a total order is defined over the assignments (inputs) of the Vector Boolean function, the Truth Table can be uniquely represented by this matrix. Any function F can be uniquely described by its Truth Table $TT_F \in \mathcal{M}_{2^n \times m}(GF(2))$ (or by the Truth Tables of its coordinate functions $TT_{f_i}$, $i \in \{1,\dots,m\}$), and it holds that:

$\gamma : \mathcal{F}_{n,m} \to \mathcal{M}_{2^n \times m}(GF(2)), \quad F \mapsto TT_F$ (3.3)

is an isomorphism between the vector spaces $\mathcal{F}_{n,m}$ and $\mathcal{M}_{2^n \times m}(GF(2))$, so that $\#\mathcal{F}_{n,m} = 2^{2^n \cdot m}$. The Truth Table of an n-variable Boolean function f should be in lexicographical form, i.e., $TT_f = (f(0), f(1), f(2), \dots, f(2^n-1))$. Since the Truth Table length might be too large, we represent it in hexadecimal rather than in binary notation. The hexadecimal Truth Table is obtained by replacing each group of four bits by its corresponding hexadecimal digit. For instance, to enter $TT_f = (0,0,1,1,1,1,1,1)$ one should just write $TT_f = 3f$.
The distance between two Vector Boolean functions $F, G \in \mathcal{F}_{n,m}$ is defined as the number of bits that differ in their respective Truth Tables:

$d(F,G) = \sum_{x \in V_n} d(F(x), G(x))$ (3.4)

where $d(F(x),G(x))$ is the Hamming distance between the two vectors $F(x), G(x) \in V_m$. The weight of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is equal to the distance between F and the zero Vector Boolean function $0 \in \mathcal{F}_{n,m}$, where $0(x) = 0$ $\forall x \in V_n$. In order to obtain certain characterizations (such as the Autocorrelation Spectrum), it is important to take into account two additional representations related to the Truth Table: LTT and CTT.

We will denote by LTT of $F \in \mathcal{F}_{n,m}$ the matrix whose columns are the Truth Tables of the $2^m$ component functions of F. We will denote by CTT of F the matrix whose columns are the sequence vectors of the $2^m$ component functions of F [1].
3.1.2 Library
A VBF class can be initialized by a Boolean Matrix representing the Truth Table with the following method: void puttt(const NTL::mat_GF2& T)
To obtain the Truth Table of a Vector Boolean function the following method must be used: void TT(NTL::mat_GF2& X, VBF& F)
A VBF class can be initialized by a collection of strings separated by carriage returns defined by s with the following method: void putHexTT(istream& s)
Each row must be the hexadecimal representation of the Truth Table of one coordinate function of the Vector Boolean function. To obtain the Truth Table in hexadecimal representation the following method must be used: void getHexTT(ostream& s)
[1] Sometimes it is called the Polarity Truth Table.
Analogously, a VBF class can be initialized by a collection of strings with the binary representation of the Truth Table of the coordinate functions: void putBinTT(istream& s)
To obtain its Truth Table in binary representation the following method must be used: void getBinTT(ostream& s)
A VBF class can be initialized by a vector representing the decimal representation of the Truth Table of a Vector Boolean function, i.e. a vector of outputs in lexicographic order, called d, together with the number of component Boolean functions m: void putDecTT(const NTL::vec_long& d,const long& m)
To obtain the Truth Table in decimal representation the following method must be used:
NTL::vec_long getDecTT() const
To obtain the weight of a Vector Boolean function F the following method must be used: void weight(long& w, VBF& F)
A VBF class can be initialized by a Boolean Matrix representing the Truth Table of its component functions with the following method: void putltt(const NTL::mat_GF2& L)
To obtain the Truth Table of the component functions of a Vector Boolean function the following method must be used: void LTT(NTL::mat_GF2& X, VBF& F)
A VBF class can be initialized by a Boolean Matrix representing its Polarity Truth Table with the following method: void putctt(const NTL::mat_ZZ& C)
To obtain the Polarity Truth Table of a Vector Boolean function the following method must be used: void CTT(NTL::mat_ZZ& X, VBF& F)
Example 3.1.1. The Truth Table of the NibbleSub S-box described in Table 2.1 is the following:
[[1 1 1 0]
[0 1 0 0]
[1 1 0 1]
[0 0 0 1]
[0 0 1 0]
[1 1 1 1]
[1 0 1 1]
[1 0 0 0]
[0 0 1 1]
[1 0 1 0]
[0 1 1 0]
[1 1 0 0]
[0 1 0 1]
[1 0 0 1]
[0 0 0 0]
[0 1 1 1]
]
If we use a file containing this matrix as the input of the following program, we can obtain its hexadecimal, binary and decimal representations, as well as the Truth Tables of the component functions and its Polarity Truth Table.
#include <VBF.h>
#include <fstream>
#include <iostream>

int main(int argc, char *argv[]) {
  using namespace VBFNS;

  if (argc < 2) {
    std::cerr << "Usage: " << argv[0] << " <truth-table-file>" << std::endl;
    return 1;
  }

  VBF F;
  NTL::mat_GF2 T;

  // Read the Truth Table matrix (NTL [[...] ...] format) and load it into F
  std::ifstream input(argv[1]);
  if (!input) {
    std::cerr << "Error opening " << argv[1] << std::endl;
    return 1;
  }
  input >> T;
  F.puttt(T);
  input.close();

  std::cout << "The hexadecimal representation is: " << std::endl;
  F.getHexTT(std::cout);

  std::cout << std::endl << "The binary representation is: " << std::endl;
  F.getBinTT(std::cout);

  std::cout << std::endl << "The decimal representation is: " << std::endl
            << F.getDecTT() << std::endl;

  std::cout << std::endl << "The Truth Table of the component functions is: "
            << std::endl << LTT(F) << std::endl;

  std::cout << std::endl << "The Polarity Truth Table is: " << std::endl
            << CTT(F) << std::endl;

  return 0;
}
The output of this program would be:
The hexadecimal representation is:
a754
e439
8ee1
368d

The binary representation is:
1010011101010100
1110010000111001
1000111011100001
0011011010001101

The decimal representation is:
[14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7]

The Truth Table of the component functions is:
[[0 0 1 1 1 1 0 0 1 1 0 0 0 0 1 1]
[0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1]
[0 1 0 1 1 0 1 0 1 0 1 0 0 1 0 1]
[0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1]
[0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1]
[0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0]
[0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1]
[0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1]
[0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0]
[0 0 1 1 0 0 1 1 1 1 0 0 1 1 0 0]
[0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0]
[0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0]
[0 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0]
[0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1]
]

The Polarity Truth Table is:
[[1 1 -1 -1 -1 -1 1 1 -1 -1 1 1 1 1 -1 -1]
[1 1 1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1]
[1 -1 1 -1 -1 1 -1 1 -1 1 -1 1 1 -1 1 -1]
[1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1 1 -1]
[1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1]
[1 -1 -1 1 -1 1 1 -1 -1 1 1 -1 1 -1 -1 1]
[1 -1 -1 1 1 -1 -1 1 -1 1 1 -1 -1 1 1 -1]
[1 1 1 1 1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1]
[1 -1 -1 1 1 -1 -1 1 1 -1 -1 1 1 -1 -1 1]
[1 1 -1 -1 1 1 -1 -1 -1 -1 1 1 -1 -1 1 1]
[1 1 -1 -1 -1 -1 1 1 1 1 -1 -1 -1 -1 1 1]
[1 1 1 1 -1 -1 -1 -1 -1 -1 -1 -1 1 1 1 1]
[1 -1 1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1]
[1 -1 1 -1 1 -1 1 -1 -1 1 -1 1 -1 1 -1 1]
[1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1]
[1 -1 -1 1 -1 1 1 -1 1 -1 -1 1 -1 1 1 -1]
]
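As an added example (not code from the thesis or the VBF library), the following stand-alone C++ reproduces the representations printed above from the decimal Truth Table of NibbleSub without NTL: the hexadecimal Truth Table of each coordinate, LTT, CTT and the weight. The function names mirror the VBF methods but are chosen here.

```cpp
// Added example (not VBF library code): the Truth Table representations of
// Section 3.1 computed for the NibbleSub S-box in plain C++ without NTL.
#include <bitset>
#include <string>
#include <vector>

typedef std::vector<std::vector<int>> Matrix;

// Constructed from Example 3.1.1: NibbleSub outputs in lexicographic input order,
// i.e. the decimal Truth Table printed by getDecTT (n = m = 4).
static const std::vector<int> NIBBLESUB = {14, 4, 13, 1, 2, 15, 11, 8,
                                           3, 10, 6, 12, 5, 9, 0, 7};

// Coordinate function f_i of an m-bit output (i is 1-based, f_1 is the MSB).
static int coord(int value, int m, int i) { return (value >> (m - i)) & 1; }

// Dot product v . y over GF(2): parity of the bitwise AND.
static int dot(int v, int y) { return std::bitset<32>(v & y).count() & 1; }

// TT_F of eq. (3.2): 2^n rows (inputs alpha_0 < alpha_1 < ...), m columns (f_1..f_m).
Matrix truthTable(const std::vector<int>& dec, int m) {
    Matrix tt;
    for (int y : dec) {
        std::vector<int> row;
        for (int i = 1; i <= m; ++i) row.push_back(coord(y, m, i));
        tt.push_back(row);
    }
    return tt;
}

// Hexadecimal Truth Table of each coordinate function, as getHexTT prints it:
// the column of TT_F read top to bottom, four bits per hex digit ("a754" for f_1).
// Assumes 2^n is a multiple of 4, i.e. n >= 2.
std::vector<std::string> hexTT(const std::vector<int>& dec, int m) {
    std::vector<std::string> out;
    for (int i = 1; i <= m; ++i) {
        std::string s;
        for (size_t x = 0; x < dec.size(); x += 4) {
            int nibble = 0;
            for (size_t k = 0; k < 4; ++k) nibble = (nibble << 1) | coord(dec[x + k], m, i);
            s += "0123456789abcdef"[nibble];
        }
        out.push_back(s);
    }
    return out;
}

// LTT: row x, column v is the component function v . F(x), for all v in V_m.
Matrix LTT(const std::vector<int>& dec, int m) {
    Matrix ltt;
    for (int y : dec) {
        std::vector<int> row;
        for (int v = 0; v < (1 << m); ++v) row.push_back(dot(v, y));
        ltt.push_back(row);
    }
    return ltt;
}

// CTT (Polarity Truth Table): the sequence (-1)^{v . F(x)} of every component.
Matrix CTT(const std::vector<int>& dec, int m) {
    Matrix ctt = LTT(dec, m);
    for (std::vector<int>& row : ctt)
        for (int& e : row) e = (e == 0) ? 1 : -1;
    return ctt;
}

// Weight of F, eq. (3.4) with G = 0: the number of ones in TT_F.
int weight(const std::vector<int>& dec) {
    int w = 0;
    for (int y : dec) w += (int)std::bitset<32>(y).count();
    return w;
}
```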
3.2 Trace Representation
3.2.1 Description
We identify a Boolean function in n variables with a function from $GF(2^n)$ to $GF(2)$, and a Vector Boolean function in n variables with a function from $GF(2^n)$ to $GF(2^n)$. The trace is a function over the finite field $GF(2^n)$ defined as follows:

$\mathrm{tr}(x) = \sum_{i=0}^{n-1} x^{2^i}$ (3.5)

Since there is an isomorphism between $V_n$ and $GF(2^n)$ (see Section A.3.3), it is possible to identify the trace function with a Boolean function in n variables. Analogously, a Vector Boolean function can be identified with a trace representation as follows:
Definition 3.2.1. When m = n, we endow $V_n$ with the structure of the field $GF(2^n)$. Any $F \in \mathcal{F}_{n,n}$ admits a unique univariate polynomial representation over $GF(2^n)$, of degree at most $2^n - 1$:

$F(x) = \sum_{i=0}^{2^n-1} \delta_i x^i, \quad \delta_i \in GF(2^n)$ (3.6)

A general way to derive this polynomial representation is by Lagrange interpolation from the irreducible polynomial of degree n over GF(2) that defines the field $GF(2^n)$ and the Truth Table of F. The interpolation attack [74] is efficient when the degree of the univariate polynomial representation of the S-box over $GF(2^n)$ is low, or when the distance of the S-box to the set of functions of low univariate degree is small. This attack exploits the low degree of the algebraic relation between some input (respectively output) and intermediate data to infer some key bits relating the output (respectively input) and the intermediate data.
3.2.2 Library
A VBF class can be initialized giving its trace f and the irreducible polynomial g with the following methods:
void putirrpol(GF2X& g) void puttrace(string& f)
To obtain a Vector Boolean function trace representation the following method must be used:
void Trace(GF2EX& f, VBF& F)
and to print the trace representation use the following method:
void print(NTL_SNS ostream& s, GF2EX& f, const long& m)
Example 3.2.1. Let $GF(2^4)$ be constructed with the irreducible polynomial used in Mini-AES, $g(x) = x^4 + x + 1$. The element x is primitive (check that all its powers from the first to the fourteenth are distinct); we denote it by α. Table 3.1 shows how to compute, at each element of the field $GF(2^4)$, the value of the polynomial

$P(x) = 5x^{14} + 7x^{13} + ex^{12} + fx^{11} + 7x^{10} + 6x^{9} + cx^{8} + 5x^{7} + 9x^{6} + ax^{5} + 7x^{4} + 8x^{3} + ax^{2} + 7x + e$ (3.7)

whose coefficients are written as hexadecimal elements of $GF(2^4)$; the last column lists the value of the NibbleSub S-box corresponding to this trace representation.

Table 3.1 Identification of a coordinate function of NibbleSub with trace function.

Vector   Polynomial           α^k    P(α^k)                                                        NibbleSub
0000     0                    −      0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + e     e
0001     1                    α^0    5 + 7 + e + f + 7 + 6 + c + 5 + 9 + a + 7 + 8 + a + 7 + e     4
0010     x                    α      5α^14 + 7α^13 + eα^12 + ... + aα^2 + 7α + e                   d
0011     x + 1                α^4    5α^(4·14) + 7α^(4·13) + ... + aα^(4·2) + 7α^4 + e             1
0100     x^2                  α^2    5α^(2·14) + 7α^(2·13) + ... + aα^(2·2) + 7α^2 + e             2
0101     x^2 + 1              α^8    5α^(8·14) + 7α^(8·13) + ... + aα^(8·2) + 7α^8 + e             f
0110     x^2 + x              α^5    5α^(5·14) + 7α^(5·13) + ... + aα^(5·2) + 7α^5 + e             b
0111     x^2 + x + 1          α^10   5α^(10·14) + 7α^(10·13) + ... + aα^(10·2) + 7α^10 + e         8
1000     x^3                  α^3    5α^(3·14) + 7α^(3·13) + ... + aα^(3·2) + 7α^3 + e             3
1001     x^3 + 1              α^14   5α^(14·14) + 7α^(14·13) + ... + aα^(14·2) + 7α^14 + e         a
1010     x^3 + x              α^9    5α^(9·14) + 7α^(9·13) + ... + aα^(9·2) + 7α^9 + e             6
1011     x^3 + x + 1          α^7    5α^(7·14) + 7α^(7·13) + ... + aα^(7·2) + 7α^7 + e             c
1100     x^3 + x^2            α^6    5α^(6·14) + 7α^(6·13) + ... + aα^(6·2) + 7α^6 + e             5
1101     x^3 + x^2 + 1        α^13   5α^(13·14) + 7α^(13·13) + ... + aα^(13·2) + 7α^13 + e         9
1110     x^3 + x^2 + x        α^11   5α^(11·14) + 7α^(11·13) + ... + aα^(11·2) + 7α^11 + e         0
1111     x^3 + x^2 + x + 1    α^12   5α^(12·14) + 7α^(12·13) + ... + aα^(12·2) + 7α^12 + e         7

In every row, P(α^k) is the full expansion $5\alpha^{14k} + 7\alpha^{13k} + e\alpha^{12k} + f\alpha^{11k} + 7\alpha^{10k} + 6\alpha^{9k} + c\alpha^{8k} + 5\alpha^{7k} + 9\alpha^{6k} + a\alpha^{5k} + 7\alpha^{4k} + 8\alpha^{3k} + a\alpha^{2k} + 7\alpha^{k} + e$, abbreviated above.

Example 3.2.2. The following program provides the trace representation over $GF(2^n)$ of a Vector Boolean function whose Truth Table is in a file with extension ".tt". $GF(2^n)$ is constructed with the irreducible polynomial whose GF2X representation is in a file with extension ".irr". The class GF2X implements polynomial arithmetic modulo 2, and a polynomial is represented as a coefficient vector.

#include <VBF.h>
#include <fstream>
#include <iostream>
#include <string>

int main(int argc, char *argv[]) {
  using namespace VBFNS;

  if (argc < 2) {
    std::cerr << "Usage: " << argv[0] << " <basename>" << std::endl;
    return 1;
  }

  VBF F;
  NTL::mat_GF2 T;
  NTL::GF2X g;
  NTL::GF2EX f;
  long d;
  std::string base(argv[1]);   // the ".irr" and ".tt" files share this base name

  // Irreducible polynomial defining GF(2^n), as a GF2X coefficient vector
  std::ifstream input1((base + ".irr").c_str());
  if (!input1) {
    std::cerr << "Error opening " << base << ".irr" << std::endl;
    return 1;
  }
  input1 >> g;
  F.putirrpol(g);
  input1.close();

  // Truth Table of the Vector Boolean function
  std::ifstream input((base + ".tt").c_str());
  if (!input) {
    std::cerr << "Error opening " << base << ".tt" << std::endl;
    return 1;
  }
  input >> T;
  F.puttt(T);
  input.close();

  std::cout << "The trace representation is " << std::endl;
  f = Trace(F);
  d = deg(g);                  // extension degree n of GF(2^n)
  print(std::cout, f, d);

  return 0;
}

In Rijndael, $GF(2^8)$ is constructed with the irreducible polynomial $g(x) = x^8 + x^4 + x^3 + x + 1$. The inputs of this program would be the Truth Table of the Rijndael S-box $S_{RD}$ (described in Figure 2.6), provided in a file with extension ".tt", and the corresponding GF2X representation of g, [110110001], provided in a file with extension ".irr". The output of the program is a GF2EX, which represents polynomials over GF2E; hence it can be used, for example, for arithmetic in $GF(2^n)$:

$05 \cdot x^{254} + 09 \cdot x^{253} + f9 \cdot x^{251} + 25 \cdot x^{247} + f4 \cdot x^{239} + 01 \cdot x^{223} + b5 \cdot x^{191} + 8f \cdot x^{127} + 63$ (3.8)

where the coefficients are elements of $GF(2^8)$.
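As an added example (not from the thesis or the VBF library), the following C++ builds $GF(2^4)$ with the Mini-AES modulus, recovers the coefficients of the univariate representation (3.6) of NibbleSub from its Truth Table, and checks that evaluating the result reproduces Table 3.1 and the coefficients of (3.7). Instead of NTL's GF2E/GF2EX and the Lagrange interpolation mentioned above, it uses the equivalent closed-form sums stated in the comments; gfMul, evalUnivariate and univariateCoefficients are names chosen here.

```cpp
// Added example (not VBF library code): the univariate polynomial representation
// of Section 3.2 over GF(2^4) for NibbleSub, with a hand-rolled field
// (Mini-AES modulus x^4 + x + 1) instead of NTL's GF2E/GF2EX classes.
#include <array>
#include <vector>

// GF(2^4) with g(x) = x^4 + x + 1; elements are 4-bit integers whose bits are
// the coefficients of 1, x, x^2, x^3 (so the element x is the integer 2), the
// same identification of vectors with polynomials as in Table 3.1.
static const int FIELD_SIZE = 16;
static const int MODULUS = 0x13;       // x^4 + x + 1

// Carry-less multiply modulo g(x): the usual shift-and-reduce loop.
int gfMul(int a, int b) {
    int r = 0;
    while (b) {
        if (b & 1) r ^= a;
        b >>= 1;
        a <<= 1;
        if (a & 0x10) a ^= MODULUS;    // reduce x^4 to x + 1
    }
    return r;
}

int gfPow(int a, int e) {             // a^e by repeated multiplication
    int r = 1;
    for (int i = 0; i < e; ++i) r = gfMul(r, a);
    return r;
}

// Evaluate F(x) = sum_i delta_i x^i (eq. 3.6) by Horner's rule, delta[0..15].
int evalUnivariate(const std::array<int, FIELD_SIZE>& delta, int x) {
    int acc = 0;
    for (int i = FIELD_SIZE - 1; i >= 0; --i) acc = gfMul(acc, x) ^ delta[i];
    return acc;
}

// Coefficients of the unique polynomial of degree <= 15 with F(a) = tt[a].
// This is a closed form of the Lagrange interpolation the text refers to: with
// q = 16, delta_0 = F(0), delta_{q-1} = sum over all a of F(a), and
// delta_j = sum over nonzero a of F(a) * a^{-j} for 1 <= j <= q-2, because
// the sum over nonzero a of a^k equals 1 when 15 divides k and 0 otherwise.
std::array<int, FIELD_SIZE> univariateCoefficients(const std::vector<int>& tt) {
    std::array<int, FIELD_SIZE> delta{};
    delta[0] = tt[0];
    for (int a = 0; a < FIELD_SIZE; ++a) delta[FIELD_SIZE - 1] ^= tt[a];
    for (int j = 1; j <= FIELD_SIZE - 2; ++j) {
        int c = 0;
        for (int a = 1; a < FIELD_SIZE; ++a)
            c ^= gfMul(tt[a], gfPow(a, 15 - j));   // a^{-j} = a^{15-j}
        delta[j] = c;
    }
    return delta;
}

// Univariate degree, the quantity the interpolation attack [74] cares about:
// the highest exponent with a nonzero coefficient.
int univariateDegree(const std::array<int, FIELD_SIZE>& delta) {
    for (int i = FIELD_SIZE - 1; i >= 0; --i)
        if (delta[i]) return i;
    return 0;
}

// Constructed from Example 3.1.1: the NibbleSub S-box as a decimal Truth Table,
// read as a map GF(2^4) -> GF(2^4) through the identification above.
static const std::vector<int> NIBBLESUB = {14, 4, 13, 1, 2, 15, 11, 8,
                                           3, 10, 6, 12, 5, 9, 0, 7};
```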
3.3 Polynomials in ANF
3.3.1 Description
Definition 3.3.1. Any Vector Boolean function $F \in \mathcal{F}_{n,m}$ can be uniquely represented by m multivariate polynomials over GF(2) (called coordinate functions) in which each variable has power at most one. Each of these polynomials can be expressed as a sum of all distinct k-th order product terms ($0 < k \le n$) of the variables, in the form:

$f(x_1,\dots,x_n) = a_0 + a_1 x_1 + \dots + a_n x_n + a_{12} x_1 x_2 + \dots + a_{n-1,n} x_{n-1} x_n + \dots + a_{12\dots n} x_1 x_2 \dots x_n = \sum_{I \in \mathcal{P}(N)} a_I \left(\prod_{i \in I} x_i\right) = \sum_{I \in \mathcal{P}(N)} a_I x^I, \quad a_I \in GF(2)$ (3.9)

where $\mathcal{P}(N)$ denotes the power set of $N = \{1,\dots,n\}$. This representation of f is called the algebraic normal form (ANF) of f. The algebraic normal form of F is thus a set of m multivariate polynomials, and the constant functions (those obtained by decomposition) are the coefficients of the $2^n$ products of input variables (i.e. monomials).
3.3.2 Library
A VBF class can be initialized giving its Polynomials in ANF with the following method: void putpol(vec_pol& p)
To obtain its representation as Polynomials in ANF, the following method must be used: void Pol(NTL_SNS ostream& s, VBF& F)
Example 3.3.1. The following program provides the polynomials in ANF of a Vector Boolean function from its Truth Table.
#include <VBF.h>
#include <fstream>
#include <iostream>

int main(int argc, char *argv[]) {
  using namespace VBFNS;

  if (argc < 2) {
    std::cerr << "Usage: " << argv[0] << " <truth-table-file>" << std::endl;
    return 1;
  }

  VBF F;
  NTL::mat_GF2 T;

  // Load the Truth Table and print the ANF polynomial of each coordinate function
  std::ifstream input(argv[1]);
  if (!input) {
    std::cerr << "Error opening " << argv[1] << std::endl;
    return 1;
  }
  input >> T;
  F.puttt(T);
  input.close();

  Pol(std::cout, F);

  return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
1+x4+x2+x2x3+x2x3x4+x1+x1x2+x1x2x3
1+x3x4+x2+x2x4+x1+x1x3+x1x3x4
1+x4+x3+x3x4+x2x4+x2x3+x1x4+x1x3+x1x2+x1x2x4+x1x2x3
x3+x2x4+x1+x1x4+x1x3x4
which corresponds to the coordinate functions of NibbleSub as follows:
$f_1(\mathrm{NibbleSub}) = 1 + x_4 + x_2 + x_2x_3 + x_2x_3x_4 + x_1 + x_1x_2 + x_1x_2x_3$
$f_2(\mathrm{NibbleSub}) = 1 + x_3x_4 + x_2 + x_2x_4 + x_1 + x_1x_3 + x_1x_3x_4$
$f_3(\mathrm{NibbleSub}) = 1 + x_4 + x_3 + x_3x_4 + x_2x_4 + x_2x_3 + x_1x_4 + x_1x_3 + x_1x_2 + x_1x_2x_4 + x_1x_2x_3$
$f_4(\mathrm{NibbleSub}) = x_3 + x_2x_4 + x_1 + x_1x_4 + x_1x_3x_4$ (3.10)
3.4 ANF Table
3.4.1 Description
Definition 3.4.1. The ANF table of F, denoted by $ANF_F \in \mathcal{M}_{2^n \times m}(GF(2))$, represents the $2^n$ coefficients of the polynomial in ANF of each of the m coordinate functions.

It is defined by:

$ANF_F^i = ANF_{f_i}, \quad i \in \{1,\dots,m\}$ (3.11)

where $ANF_F^i$ is the i-th column of $ANF_F$.

The ANF Table can be derived from the Truth Table by a binary matrix transformation called the Algebraic Normal Form Transformation (implemented in the VBF library by the getanf method). The Truth Table can be obtained from the ANF Table using a method we call rev.
3.4.2 Library
A VBF class can be initialized giving its ANF table with the following method: void putanf(const NTL::mat_GF2& A)
To obtain its representation as ANF table, the following method must be used: void ANF(NTL::mat_GF2& X, VBF& F)
Example 3.4.1. The following program provides the ANF Table of a Vector Boolean function from its Truth Table.
#include <VBF.h>
#include <fstream>
#include <iostream>

int main(int argc, char *argv[]) {
  using namespace VBFNS;

  if (argc < 2) {
    std::cerr << "Usage: " << argv[0] << " <truth-table-file>" << std::endl;
    return 1;
  }

  VBF F;
  NTL::mat_GF2 T;

  // Load the Truth Table and print the ANF Table (2^n rows, m columns)
  std::ifstream input(argv[1]);
  if (!input) {
    std::cerr << "Error opening " << argv[1] << std::endl;
    return 1;
  }
  input >> T;
  F.puttt(T);
  input.close();

  std::cout << "The ANF Table is:" << std::endl;
  std::cout << ANF(F) << std::endl;

  return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
The ANF Table is:
[[1 1 1 0]
[1 0 1 0]
[0 0 1 1]
[0 1 1 0]
[1 1 0 0]
[0 1 1 1]
[1 0 1 0]
[1 0 0 0]
[1 1 0 1]
[0 0 1 1]
[0 1 1 0]
[0 1 0 1]
[1 0 1 0]
[0 0 1 0]
[1 0 1 0]
[0 0 0 0]
]
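As an added example serving both Section 3.3 and Section 3.4 (not code from the thesis or the VBF library), the following C++ implements the Algebraic Normal Form Transformation as the Möbius butterfly over each Truth Table column, builds the ANF Table of NibbleSub in the row order printed above, and renders the same coefficients as the polynomial strings of Example 3.3.1; anfTransform, anfTable and anfPolynomial are names chosen here.

```cpp
// Added example (not VBF library code): the Algebraic Normal Form Transformation
// of Sections 3.3 and 3.4, from a decimal Truth Table to the ANF Table and to the
// polynomials in ANF, written for the NibbleSub S-box without NTL.
#include <string>
#include <vector>

// Constructed from Example 3.1.1: NibbleSub outputs in lexicographic input order.
static const std::vector<int> NIBBLESUB = {14, 4, 13, 1, 2, 15, 11, 8,
                                           3, 10, 6, 12, 5, 9, 0, 7};

// Truth Table column of coordinate function f_i (i is 1-based, f_1 is the MSB).
std::vector<int> coordinateTT(const std::vector<int>& dec, int m, int i) {
    std::vector<int> col;
    for (int y : dec) col.push_back((y >> (m - i)) & 1);
    return col;
}

// Möbius (ANF) transform of one Boolean function, in place: for each variable
// x_j, a[I] ^= a[I without x_j] over all index sets I containing x_j. Afterwards
// a[I] is the coefficient a_I of the monomial x^I in eq. (3.9). This is the binary
// matrix transformation the text calls the Algebraic Normal Form Transformation;
// it is an involution, so applying it again recovers the Truth Table (the "rev"
// direction).
std::vector<int> anfTransform(std::vector<int> a) {
    size_t len = a.size();
    for (size_t bit = 1; bit < len; bit <<= 1)
        for (size_t idx = 0; idx < len; ++idx)
            if (idx & bit) a[idx] ^= a[idx ^ bit];
    return a;
}

// ANF Table: 2^n rows (monomials in lexicographic order), m columns (coordinates).
std::vector<std::vector<int>> anfTable(const std::vector<int>& dec, int n, int m) {
    std::vector<std::vector<int>> table(1 << n, std::vector<int>(m));
    for (int i = 1; i <= m; ++i) {
        std::vector<int> col = anfTransform(coordinateTT(dec, m, i));
        for (int idx = 0; idx < (1 << n); ++idx) table[idx][i - 1] = col[idx];
    }
    return table;
}

// Monomial x^I for row index idx: bit (n - j) of idx set means x_j is present,
// so rows run 1, x_n, x_{n-1}, x_{n-1}x_n, ... exactly as the Pol output lists them.
std::string monomial(int idx, int n) {
    if (idx == 0) return "1";
    std::string s;
    for (int j = 1; j <= n; ++j)
        if (idx & (1 << (n - j))) s += "x" + std::to_string(j);
    return s;
}

// Polynomial in ANF of coordinate i, printed in ANF-table row order.
std::string anfPolynomial(const std::vector<int>& dec, int n, int m, int i) {
    std::vector<int> col = anfTransform(coordinateTT(dec, m, i));
    std::string s;
    for (int idx = 0; idx < (1 << n); ++idx)
        if (col[idx]) s += (s.empty() ? "" : "+") + monomial(idx, n);
    return s.empty() ? "0" : s;
}
```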
3.5 Image
3.5.1 Description
Definition 3.5.1. The characteristic or indicator function of $F \in \mathcal{F}_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \{0,1\}$, is defined by:

$\theta_F(x,y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases}$ (3.12)

Definition 3.5.2. The Image of F can be represented by a matrix whose rows are indexed by $x \in V_n$ and whose columns are indexed by $y \in V_m$, both in lexicographic order, denoted by $\mathrm{Img}(F) \in \mathcal{M}_{2^n \times 2^m}(GF(2))$ and defined as follows:

$\mathrm{Img}(F) = \begin{bmatrix} \theta_F(\alpha_0,\alpha_0) & \dots & \theta_F(\alpha_0,\alpha_{2^m-1}) \\ \theta_F(\alpha_1,\alpha_0) & \dots & \theta_F(\alpha_1,\alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \theta_F(\alpha_{2^n-1},\alpha_0) & \dots & \theta_F(\alpha_{2^n-1},\alpha_{2^m-1}) \end{bmatrix}$ (3.13)

where $\theta_F(x,y)$ is the value of the indicator function at (x,y).

Lemma 3.5.1. By equation 2.3, it is clear that every row of the matrix Img(F) has exactly one element equal to one and the rest equal to zero, that is, $\forall i \in \{1,\dots,2^n\}$:

$\mathrm{Img}(F)_i = \begin{bmatrix} a_{i1} & \dots & a_{i2^m} \end{bmatrix}$ (3.14)

where $\exists!\, j \in \{1,\dots,2^m\}$ such that $a_{ij} = 1 \wedge (a_{ik} = 0\ \forall k \neq j,\ k \in \{1,\dots,2^m\})$.

The Image of F can be derived from the Truth Table by a method implemented in the VBF library called charfunct. The Truth Table can be obtained from the characteristic function using a method we call truthtable.
3.5.2 Library
A VBF class can be initialized giving its Image with the following method:
void putchar(const NTL::mat_ZZ& C)
To obtain its representation as Image, the following method must be used:
void Charact(NTL::mat_ZZ& C, VBF& F)
Example 3.5.1. The following program provides the Image of a Vector Boolean function from its Truth Table.
#include <VBF.h>
#include <fstream>
#include <iostream>

int main(int argc, char *argv[]) {
  using namespace VBFNS;

  if (argc < 2) {
    std::cerr << "Usage: " << argv[0] << " <truth-table-file>" << std::endl;
    return 1;
  }

  VBF F;
  NTL::mat_GF2 T;

  // Load the Truth Table and print the Image (2^n rows, 2^m columns)
  std::ifstream input(argv[1]);
  if (!input) {
    std::cerr << "Error opening " << argv[1] << std::endl;
    return 1;
  }
  input >> T;
  F.puttt(T);
  input.close();

  std::cout << "The Image is:" << std::endl;
  std::cout << Charact(F) << std::endl;

  return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
The Image is:
[[0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0]
[0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0]
[0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1]
[0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0]
[0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0]
[0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0]
[0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0]
[0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0]
[1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0]
]
This matrix can be easily interpreted with the aid of Figure 3.2, in which the rows and columns are indexed with the corresponding vectors: one can see, for instance, that the output of 0000 is 1110.
3.6 Walsh Spectrum
3.6.1 Description
Linear and affine functions are considered cryptographically weak functions, so it is important to measure whether a Vector Boolean function has some similarity with them. The similarity is measured by means of correlation: the values of the Walsh Spectrum measure the correlation of the Vector Boolean function with the different linear Vector Boolean functions.

Fig. 3.2 Image representations of NibbleSub.
Walsh Spectrum of Boolean Functions
Definition 3.6.1. The matrix $H_n$ is the Walsh-Hadamard matrix of order $2^n$ if it is generated by the following recursive relation:

$H_0 = [1], \qquad H_n = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix} \otimes H_{n-1} = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix}$ (3.15)
Theorem 3.6.1. Let $H_n$ be the Walsh-Hadamard matrix of order $2^n$; then the vectors associated with its columns constitute an orthogonal basis for $\mathbb{R}^{2^n}$ over $\mathbb{R}$, so that:

$$x H_n = y, \quad \forall x, y \in \mathbb{R}^{2^n} \qquad (3.16)$$
Corollary 3.6.2. Let $f \in \mathcal{F}_n$; its sequence $\xi_f \in \mathbb{R}^{2^n}$ can be defined as a linear combination of the sequences of all the linear functions over $V_n$, as they coincide with the rows of $H_n$:

$$\xi_f = a_{\alpha_0}\,\xi_{l_{\alpha_0}} + \cdots + a_{\alpha_{2^n-1}}\,\xi_{l_{\alpha_{2^n-1}}} \qquad (3.17)$$

where $a_u = \frac{1}{2^n} \langle \xi_f, \xi_{l_u} \rangle$.

Proof. $\langle \xi_f, \xi_{l_u} \rangle = 0 + \cdots + a_u \langle \xi_{l_u}, \xi_{l_u} \rangle + \cdots + 0 = a_u 2^n$.
Definition 3.6.2. Let $f \in \mathcal{F}_n$ be a Boolean function; the Walsh Transform of $f$ at $u \in V_n$ is the $n$-dimensional Discrete Fourier Transform and can be calculated as follows:

$$W_f(u) = \hat{\chi}_f(u) = \mathcal{W}\{\xi_f\}(u) = \langle \xi_f, \xi_{l_u} \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_u(x) \qquad (3.18)$$

or, as it is most often written:

$$W_f(u) = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} \qquad (3.19)$$
As a result, the Walsh Transform of $f \in \mathcal{F}_n$ at $u$ is the coefficient of the sequence of $f$ ($\xi_f$) with respect to the basis constituted by the sequences of linear functions, scaled by a factor of $\frac{1}{2^n}$. If $W_f$ is the Walsh transform of $f$, we say that $\xi_f$ and $W_f$ form a Transform pair and write:

$$\xi_f \overset{\mathcal{W}}{\longleftrightarrow} W_f \qquad (\xi_f \text{ corresponds to } W_f) \qquad (3.20)$$
The following properties can be derived from Definition 3.6.2:

1. The value of the Walsh Transform of $f$ at $u = 0$ equals the sum of the values of its sequence. As a consequence it takes the value 0 if the number of 0's and 1's in the Truth Table of $f$ is the same. $\chi_0$ is the constant 1 function, so that:

$$\hat{\chi}_f(0) = \langle \xi_f, \xi_0 \rangle = \sum_{x \in V_n} (-1)^{f(x)} \qquad (3.21)$$
2. The value of the Walsh Transform of the constant function 1 is equal to $2^n$ at 0 and 0 at the rest of the inputs:

$$\hat{1}(u) = 2^n \delta(u) = \begin{cases} 2^n & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.22)$$

where $\delta(u)$ denotes the Kronecker delta function ($\delta(0) = 1$; $\delta(u) = 0,\ \forall u \neq 0$).
3. Let $c \in \mathcal{F}_n$ so that $c(x) = c\ \ \forall x \in V_n$:

$$\hat{\chi}_c(u) = 2^n (-1)^c \delta(u) = \begin{cases} 2^n (-1)^c & \text{if } u = 0 \\ 0 & \text{if } u \neq 0 \end{cases} \qquad (3.23)$$
4. Let $f \in \mathcal{F}_n$ so that $f(x) = l_v(x) + c\ \ \forall x \in V_n$ and $c \in GF(2)$:

$$\hat{\chi}_f(u) = 2^n (-1)^c \delta(u + v) = \begin{cases} 2^n (-1)^c & \text{if } u = v \\ 0 & \text{if } u \neq v \end{cases} \qquad (3.24)$$
Definition 3.6.3. The Walsh Spectrum of $f$ can be represented by a matrix whose rows are indexed by $u \in V_n$ in lexicographic order, denoted by $WS(f) \in \mathcal{M}_{2^n \times 1}(\mathbb{R})$ and defined as follows:

$$WS(f) = \begin{bmatrix} \hat{\chi}_f(\alpha_0) & \ldots & \hat{\chi}_f(u) & \ldots & \hat{\chi}_f(\alpha_{2^n-1}) \end{bmatrix}^T \qquad (3.25)$$

where $\hat{\chi}_f(u)$ is the value of the spectrum at $u$. A Boolean function is uniquely determined by its Walsh Spectrum.
Definition 3.6.4. The Inverse Walsh Transform of $f$ at $x \in V_n$ can be expressed as:

$$\mathcal{W}^{-1}_f(x) = \chi_f(x) = (-1)^{f(x)} = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\chi_u(x), \quad \forall x \in V_n \qquad (3.26)$$

or, as it is most often written:

$$\chi_f(x) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,(-1)^{u \cdot x} \qquad (3.27)$$

The following properties can be derived from Definition 3.6.4:
1. The sum of the Walsh coefficients is either $2^n$ or $-2^n$ depending on the value of $f(0)$:

$$\sum_{u \in V_n} \hat{\chi}_f(u) = \begin{cases} 2^n & \text{if } f(0) = 0 \\ -2^n & \text{if } f(0) \neq 0 \end{cases} \qquad (3.28)$$
2. The values of the Walsh Spectrum give information about the distance from the linear and affine functions. If we analyze the summands that appear in (3.19), we notice the following:

$$(-1)^{f(x) + u \cdot x} = \begin{cases} 1 & \text{if } f(x) = u \cdot x \\ -1 & \text{if } f(x) \neq u \cdot x \end{cases}$$

If we denote by $L_f(u)$ the set $\{x \in V_n \mid f(x) = u \cdot x\}$, then we have $\hat{\chi}_f(u) = 2 \cdot \#L_f(u) - 2^n$, satisfying $-2^n \leq \hat{\chi}_f(u) \leq 2^n$, all values of $\hat{\chi}_f$ being even. The upper bound is achieved for the linear function associated to the vector $u$, denoted by $l_u$, because it holds that $\#L_f(u) = 2^n \Leftrightarrow f(x) = u \cdot x$. The lower bound is achieved for the affine function associated to the vector $u$, $l_u + 1$, because it holds that $\#L_f(u) = 0 \Leftrightarrow f(x) = u \cdot x + 1$.
3. If $f(x) = v \cdot x + c$, then:

$$L_f(u) = \{x \in V_n \mid v \cdot x + c = u \cdot x\} = \{x \in V_n \mid (u + v) \cdot x = c\} \qquad (3.29)$$

$$\#L_f(u) = \begin{cases} 2^n & \text{if } u = v \wedge c = 0 \\ 0 & \text{if } u = v \wedge c = 1 \\ 2^{n-1} & \text{if } u \neq v \end{cases}$$
4. Let $f, g \in \mathcal{F}_n$ with $d(f, g) = d$; then:

$$|\hat{\chi}_f(u) - \hat{\chi}_g(u)| \leq 2d, \quad \forall u \in V_n \qquad (3.30)$$
Hereunder, we describe the Walsh Theorems for all $f, g \in \mathcal{F}_n$, $x, x', u, u' \in V_n$ and $a, b \in \{-1, 1\}$:
Theorem 3.6.3 (Walsh Linearity Theorem). The Walsh Transform is a linear transform. Let $W_f$ and $W_g$ be the Walsh transforms of $f$ and $g$ respectively; then the Walsh Transform of any linear combination of their respective sequences $\xi_f$ and $\xi_g$ can be easily found:

$$a \cdot \xi_f + b \cdot \xi_g \overset{\mathcal{W}}{\longleftrightarrow} a \cdot W_f + b \cdot W_g \qquad (3.31)$$

Proof.

$$\mathcal{W}\{a \cdot \xi_f + b \cdot \xi_g\}(u) = a \cdot \langle \xi_f, \xi_{l_u} \rangle + b \cdot \langle \xi_g, \xi_{l_u} \rangle = a \cdot W_f(u) + b \cdot W_g(u)$$
Theorem 3.6.4 (Walsh Convolution/Correlation Theorem). The convolution (or correlation) in the sequence domain corresponds with the pointwise product in the Walsh domain:

$$\xi_f * \xi_g \overset{\mathcal{W}}{\longleftrightarrow} WS(f)\,WS(g) \qquad (3.32)$$

Proof.

$$\begin{aligned}
\mathcal{W}\{\xi_f * \xi_g\}(u) &= \sum_{x \in V_n} (\xi_f * \xi_g)(x)\,\chi_u(x) \\
&= \sum_{x \in V_n} \sum_{x' \in V_n} \chi_f(x')\,\chi_g(x + x')\,\chi_u(x) \\
&= \sum_{x' \in V_n} \chi_f(x') \sum_{x \in V_n} \chi_g(x + x')\,\chi_u(x) \\
&= \sum_{x' \in V_n} \chi_f(x')\,\chi_u(x') \cdot \sum_{t \in V_n} \chi_g(t)\,\chi_u(t) = \hat{\chi}_f(u) \cdot \hat{\chi}_g(u)
\end{aligned}$$
Theorem 3.6.5 (Dual of the Walsh Convolution/Correlation Theorem or Modulation Theorem). The pointwise product in the sequence domain corresponds with the convolution (or correlation) in the Walsh domain scaled by a factor of $1/2^n$:

$$\xi_f\,\xi_g \overset{\mathcal{W}}{\longleftrightarrow} \frac{1}{2^n}\, WS(f) * WS(g) \qquad (3.33)$$

Proof.

$$\begin{aligned}
\mathcal{W}\{\xi_f\,\xi_g\}(u) &= \sum_{x \in V_n} (\xi_f\,\xi_g)(x)\,\chi_u(x) = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x)\,\chi_u(x) \\
&= \sum_{x \in V_n} \Big( \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u')\,\chi_{u'}(x) \Big)\, \chi_g(x)\,\chi_u(x) \\
&= \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u') \sum_{x \in V_n} \chi_{u'}(x)\,\chi_g(x)\,\chi_u(x) \\
&= \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u') \sum_{x \in V_n} \chi_g(x)\,\chi_{u + u'}(x) \\
&= \frac{1}{2^n} \sum_{u' \in V_n} \hat{\chi}_f(u')\,\hat{\chi}_g(u + u') = \frac{1}{2^n} (WS(f) * WS(g))(u)
\end{aligned}$$
Theorem 3.6.6 (Walsh Power Theorem or Plancherel's Theorem).

$$\langle \xi_f, \xi_g \rangle = \frac{1}{2^n} \langle WS(f), WS(g) \rangle \qquad (3.34)$$

or alternatively:

$$\sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\hat{\chi}_g(u) \qquad (3.35)$$

Proof. Using (3.32) and the inverse transform at $x = 0$:

$$\langle \xi_f, \xi_g \rangle = \sum_{x \in V_n} \chi_f(x)\,\chi_g(x) = (\xi_f * \xi_g)(0) = \mathcal{W}^{-1}\{WS(f)\,WS(g)\}(0) = \frac{1}{2^n} \sum_{u \in V_n} \hat{\chi}_f(u)\,\hat{\chi}_g(u) = \frac{1}{2^n} \langle WS(f), WS(g) \rangle$$
Theorem 3.6.7 (Walsh Rayleigh Energy Theorem or Parseval's Theorem).

$$|\xi_f|^2 = \frac{1}{2^n} |WS(f)|^2 \qquad (3.36)$$

or alternatively:

$$\varepsilon_f = \sum_{x \in V_n} |\chi_f(x)|^2 = \frac{1}{2^n} \sum_{u \in V_n} |\hat{\chi}_f(u)|^2 \qquad (3.37)$$

Corollary 3.6.8. The sum of the squares of the coefficients of the Walsh Spectrum is always $2^{2n}$:

$$\sum_{u \in V_n} |\hat{\chi}_f(u)|^2 = 2^{2n} \qquad (3.38)$$
Walsh Spectrum of Vector Boolean Functions
Definition 3.6.5. Let $F \in \mathcal{F}_{n,m}$ be a vector Boolean function; the Walsh Transform of $F$ is the two-dimensional Walsh Transform defined by:

$$W_F(u, v) = \hat{\theta}_F(u, v) = \mathcal{W}\{Img(F)\}(u, v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,\chi_{(u,v)}(x, y) \qquad (3.39)$$

or, as it is most often written:

$$W_F(u, v) = \hat{\theta}_F(u, v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \qquad (3.40)$$

The following properties can be derived from Definition 3.6.5:
1. The two-dimensional Walsh Transform is separable into two one-dimensional Walsh Transforms, satisfying $\forall (u, v) \in V_n \times V_m$:

$$\hat{\theta}_F(u, v) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x, y)\,\chi_v(y) \Big)\, \chi_u(x) = \sum_{y \in V_m} \Big( \sum_{x \in V_n} \theta_F(x, y)\,\chi_u(x) \Big)\, \chi_v(y) \qquad (3.41)$$

Proof.

$$\hat{\theta}_F(u, v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,\chi_{(u,v)}(x, y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,\chi_u(x)\,\chi_v(y)$$
2. The two-dimensional Walsh Transform can be calculated from the Walsh Transform of the component functions of $F$:

$$\hat{\theta}_F(u, v) = \hat{\chi}_{v \cdot F}(u) = \hat{\chi}_{l_v \circ F}(u) \quad \forall (u, v) \in V_n \times V_m \qquad (3.42)$$

Proof.

$$\begin{aligned}
\hat{\theta}_F(u, v) &= \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x, y)\,\chi_v(y) \Big)\, \chi_u(x) = \sum_{x \in V_n} \Big( \sum_{y \in V_m} \theta_F(x, y)\,(-1)^{v \cdot y} \Big)\, (-1)^{u \cdot x} \\
&= \sum_{x \in V_n} (-1)^{v \cdot F(x)}\,(-1)^{u \cdot x} = \sum_{x \in V_n} (-1)^{l_v(F(x))}\,(-1)^{u \cdot x} \\
&= \sum_{x \in V_n} (-1)^{(l_v \circ F)(x)}\,(-1)^{u \cdot x} = \hat{\chi}_{l_v \circ F}(u)
\end{aligned}$$
3. The coefficient of the two-dimensional Walsh Transform of a Vector Boolean function at $(0, 0)$ is always $2^n$: $\hat{\theta}_F(0, 0) = 2^n$.
4. The Walsh transform of a Boolean function at $u$ coincides with the two-dimensional Walsh Transform of a Vector Boolean function with $m = 1$ at $(u, 1)$. Let $F \in \mathcal{F}_{n,1}$; then $F \equiv f \in \mathcal{F}_n$, having that:

$$\hat{\theta}_F(u, v) = \begin{cases} 2^n & \text{if } (u, v) = (0, 0) \\ 0 & \text{if } u \neq 0 \wedge v = 0 \\ \hat{\chi}_f(u) & \text{if } v = 1 \end{cases} \qquad (3.43)$$
5. For all $v \in V_m$:

$$\sum_{u \in V_n} \hat{\theta}_F(u, v) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases} \qquad (3.44)$$

Proof.

$$\sum_{u \in V_n} \hat{\theta}_F(u, v) = \sum_{u \in V_n} \hat{\chi}_{v \cdot F}(u) = \begin{cases} 2^n & \text{if } v \cdot F(0) = 0 \\ -2^n & \text{if } v \cdot F(0) \neq 0 \end{cases}$$
6. If we analyze the summands that appear in equation (3.40), we notice the following:

$$(-1)^{u \cdot x + v \cdot F(x)} = \begin{cases} 1 & \text{if } u \cdot x = v \cdot F(x) \\ -1 & \text{if } u \cdot x \neq v \cdot F(x) \end{cases}$$

If we denote by $L_F(u, v)$ the set where the function $v \cdot F$ coincides with the linear form associated with $u$:

$$L_F(u, v) = \{x \in V_n \mid u \cdot x = v \cdot F(x)\} \qquad (3.45)$$

it holds that:

$$\begin{aligned}
\hat{\theta}_F(u, v) &= \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,\chi_u(x)\,\chi_v(y) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,(-1)^{u \cdot x + v \cdot y} = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \\
&= \#L_F(u, v) - \big(2^n - \#L_F(u, v)\big)
\end{aligned}$$

so that:

$$\hat{\theta}_F(u, v) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} = 2 \cdot \#L_F(u, v) - 2^n \qquad (3.46)$$

In particular, $-2^n \leq \hat{\theta}_F \leq 2^n$, where all values are even. The matrix containing all possible values of $|\#L_F(u, v) - 2^{n-1}|$ is referred to as its linear approximation table. The upper bound is achieved for the linear approximation of $F$ by $(u, v)$ because it holds that:

$$\#L_F(u, v) = 2^n \Leftrightarrow u \cdot x = v \cdot F(x) \qquad (3.47)$$

The lower bound is achieved for the affine approximation of $F$ by $(u, v)$ because it holds that:

$$\#L_F(u, v) = 0 \Leftrightarrow u \cdot x + 1 = v \cdot F(x) \qquad (3.48)$$
Definition 3.6.6. The Walsh Spectrum of $F$ can be represented by a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $WS(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ and defined as follows:

$$WS(F) = \begin{pmatrix} \hat{\theta}_F(\alpha_0, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_0, \alpha_{2^m-1}) \\ \hat{\theta}_F(\alpha_1, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_1, \alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \hat{\theta}_F(\alpha_{2^n-1}, \alpha_0) & \ldots & \hat{\theta}_F(\alpha_{2^n-1}, \alpha_{2^m-1}) \end{pmatrix} \qquad (3.49)$$

where $\hat{\theta}_F(u, v)$ is the value of the spectrum at $(u, v)$.

By equation (3.42), we can deduce that the columns of this matrix are the spectra of the Boolean functions $l_v \circ F$ for all the linear functions $l_v \in \mathcal{L}_m$. The following properties can be derived from Definitions 3.6.5 and 3.6.6:
1. Let $L_{A,b} \in \mathcal{F}_{n,m}$ be an affine function where $L_{A,b}(x) = Ax + b$ with $A \in \mathcal{M}_{n \times m}(GF(2))$ and $b \in V_m$; its spectrum satisfies [122]:

$$\hat{\theta}_{L_{A,b}}(u, v) = 2 \cdot \#L_{L_{A,b}}(u, v) - 2^n = \begin{cases} 2^n & \text{if } v^T A = u^T,\ v^T b = 0 \\ -2^n & \text{if } v^T A = u^T,\ v^T b = 1 \\ 0 & \text{if } v^T A \neq u^T \end{cases} \qquad (3.50)$$

Each column of the spectrum of $L_{A,b}$ has exactly one nonzero coefficient, with value $2^n$ or $-2^n$.

Proof.

$$L_{L_{A,b}}(u, v) = \{x \in V_n \mid u^T x = v^T A x + v^T b\} = \{x \in V_n \mid (u^T - v^T A)\,x = v^T b\}$$

$$\#L_{L_{A,b}}(u, v) = \begin{cases} 2^n & \text{if } v^T A = u^T,\ v^T b = 0 \\ 0 & \text{if } v^T A = u^T,\ v^T b = 1 \\ 2^{n-1} & \text{if } v^T A \neq u^T \end{cases}$$
2. Let $F \in \mathcal{F}_{n,n}$ be an affine function where $F(x) = x + b$ with $b \in V_n$; its spectrum satisfies:

$$\hat{\theta}_F(u, v) = 2 \cdot \#L_F(u, v) - 2^n = \begin{cases} 2^n & \text{if } v^T = u^T,\ v^T b = 0 \\ -2^n & \text{if } v^T = u^T,\ v^T b = 1 \\ 0 & \text{if } v^T \neq u^T \end{cases}$$
3. Let $L_{A,b} \in \mathcal{F}_{n,m}$ be an affine Vector Boolean Function and $M(L_{A,b}) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ a matrix each of whose columns has exactly one nonzero coefficient, with value 1 or $-1$; it holds that:

$$WS(L_{A,b}) = 2^n \cdot M(L_{A,b}) \qquad (3.51)$$

4. Let $L_b \in \mathcal{F}_{n,n}$ be the Vector Boolean Function that consists of the bit-wise addition of a constant vector $b \in V_n$; its Walsh Spectrum is a multiple of a diagonal matrix $D(L_b) \in \mathcal{M}_{2^n \times 2^n}(GF(2))$ whose diagonal values satisfy $d_{x,x} = (-1)^{b \cdot x}$:

$$WS(L_b) = 2^n \cdot D(L_b) \qquad (3.52)$$

5. Let $\Pi \in \mathcal{F}_{n,n}$ be a permutation and $P_{2^n}(\Pi)$ the permutation matrix of order $2^n$ associated with $\Pi$; each column of its spectrum has exactly one nonzero coefficient, with value $2^n$:

$$WS(\Pi) = 2^n \cdot P_{2^n}(\Pi) \qquad (3.53)$$
Definition 3.6.7. The Inverse Walsh Transform of $F$ at $(x, y) \in V_n \times V_m$ is the two-dimensional Inverse Walsh Fourier Transform of its indicator function, defined by:

$$\mathcal{W}^{-1}_F(x, y) = \theta_F(x, y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \hat{\theta}_F(u, v)\,\chi_{(u,v)}(x, y), \quad \forall (x, y) \in V_n \times V_m \qquad (3.54)$$

or, as it is most often written:

$$\theta_F(x, y) = \frac{1}{2^{n+m}} \sum_{u \in V_n} \sum_{v \in V_m} \hat{\theta}_F(u, v)\,(-1)^{u \cdot x + v \cdot y}, \quad \forall (x, y) \in V_n \times V_m \qquad (3.55)$$

The two-dimensional Inverse Walsh Transform is separable into two one-dimensional Inverse Walsh Transforms:

$$\theta_F(x, y) = \frac{1}{2^m} \sum_{v \in V_m} \Big( \frac{1}{2^n} \sum_{u \in V_n} \hat{\theta}_F(u, v)\,\chi_u(x) \Big)\, \chi_v(y) = \frac{1}{2^n} \sum_{u \in V_n} \Big( \frac{1}{2^m} \sum_{v \in V_m} \hat{\theta}_F(u, v)\,\chi_v(y) \Big)\, \chi_u(x) \qquad (3.56)$$

so that:

$$\theta_F(x, y) = \frac{1}{2^m} \sum_{v \in V_m} \chi_{v \cdot F}(x)\,\chi_v(y) \quad \forall (x, y) \in V_n \times V_m \qquad (3.57)$$
3.6.2 Library
A VBF class can be initialized giving its Walsh Spectrum with the following method:

void putwalsh(const NTL::mat_ZZ& W)

To obtain its representation as Walsh Spectrum the following method must be used:

void Walsh(NTL::mat_ZZ& W, VBF& F)
Example 3.6.1. The following program provides the Walsh Spectrum of a Vector Boolean function from its Truth Table.

#include <fstream>
#include <iostream>
#include "VBF.h"   // VBF library header (name assumed; the original line lost it in extraction)

using namespace std;

int main(int argc, char *argv[])
{
   using namespace VBFNS;   // namespace of the VBF library (assumed)

   VBF F;
   NTL::mat_GF2 T;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth_table_file>" << endl;
      return 0;
   }
   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;        // read the Truth Table
   F.puttt(T);        // initialize F from it
   input.close();

   cout << "The Walsh Spectrum is:" << endl;
   cout << Walsh(F) << endl;

   return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
The Walsh Spectrum is:
[[16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] [0 0 -4 -4 0 0 -4 12 4 4 0 0 4 4 0 0] [0 0 -4 -4 0 0 -4 -4 0 0 4 4 0 0 -12 4] [0 0 0 0 0 0 0 0 4 -12 -4 -4 4 4 -4 -4] [0 4 0 -4 -4 -8 -4 0 0 -4 0 4 4 -8 4 0] [0 -4 -4 0 -4 0 8 4 -4 0 -8 4 0 -4 -4 0] [0 4 -4 8 4 0 0 4 0 -4 4 8 -4 0 0 -4] [0 -4 0 4 4 -8 4 0 -4 0 4 0 8 4 0 4] [0 0 0 0 0 0 0 0 -4 4 4 -4 4 -4 -4 -12] [0 0 -4 -4 0 0 -4 -4 -8 0 -4 4 0 8 4 -4] [0 8 -4 4 -8 0 4 -4 4 4 0 0 4 4 0 0] [0 8 0 -8 8 0 8 0 0 0 0 0 0 0 0 0] [0 -4 8 -4 -4 0 4 0 4 0 4 8 0 4 0 -4] [0 4 4 0 -4 8 0 4 -8 -4 4 0 4 0 0 4] [0 4 4 0 -4 -8 0 4 -4 0 0 -4 -8 4 -4 0] [0 -4 -8 -4 -4 0 4 0 0 -4 8 -4 -4 0 4 0] ]
Remark. We can see that the Walsh Spectrum of $f_1(NibbleSub)$, where

$$NibbleSub = \big(f_1(NibbleSub), f_2(NibbleSub), f_3(NibbleSub), f_4(NibbleSub)\big) \qquad (3.58)$$

corresponds to the spectrum of $l_{(1,0,0,0)} \circ NibbleSub$. As a consequence, the Walsh Spectrum of $f_1(NibbleSub)$ coincides with the 9th column of $WS(NibbleSub)$, that is, the column indexed by the vector $(1,0,0,0)$.
3.7 Linear Profile and Linear Cryptanalysis
3.7.1 Description
Overview of Linear Cryptanalysis
Linear Cryptanalysis, introduced by Matsui [91], [94], is a known-plaintext attack based on the idea from [152]. It tries to take advantage of high-probability occurrences of linear expressions involving plaintext bits, ciphertext bits, and subkey bits. The basic idea is to approximate the operation of a portion of the cipher with an expression that is linear. Such an expression is of the form:

$$x_1 + x_2 + \cdots + x_n + y_1 + y_2 + \cdots + y_m = 0 \qquad (3.59)$$

where $x_i$ represents the $i$-th bit of the input $x = (x_1, x_2, \ldots, x_n)$ and $y_j$ represents the $j$-th bit of the output $y = (y_1, y_2, \ldots, y_m)$. As said in [70]:
The approach in Linear Cryptanalysis is to determine expressions of the form above which have a high or low probability of occurrence. No obvious linearity such as above should hold for all input and output values or the cipher would be trivially weak. If a cipher displays a tendency for equation (3.59) to hold with high probability or not hold with high probability, this is evidence of the cipher's poor randomization abilities. Consider that if we randomly selected values for $n + m$ bits and placed them into the equation above, the probability that the expression would hold would be exactly $\frac{1}{2}$. It is the deviation or bias from the probability of $\frac{1}{2}$ for an expression to hold that is exploited in Linear Cryptanalysis: the further away that a linear expression is from holding with a probability of $\frac{1}{2}$, the better the cryptanalyst is able to apply Linear Cryptanalysis. Usually, the amount by which the probability of a linear expression holding deviates from $\frac{1}{2}$ is referred to as the linear probability bias. Hence, if the expression above holds with probability $p_L$ for randomly chosen plaintexts and the corresponding ciphertexts, then the probability bias is $p_L - \frac{1}{2}$. The higher the magnitude of the probability bias, $|p_L - \frac{1}{2}|$, the better the applicability of Linear Cryptanalysis with fewer known plaintexts required in the attack.
There are several ways to mount the attack of Linear Cryptanalysis (Matsui described 2 algorithms) which use the principle of maximum likelihood. In this thesis, we will focus on what Matsui calls Algorithm 2. We investigate the construction of a linear approximation involving plaintext bits as represented by x in equation (3.59) and the input to the last round of the cipher as represented by y in equation (3.59). The plaintext bits are random and consequently so are the input bits to the last round.
Equation (3.59) could be equivalently reformulated to have the right side being the sum of a number of subkey bits. However, in equation (3.59) as written with the right side of 0, the equation implicitly has subkey bits involved: these bits are fixed but unknown (as they are determined by the key under attack) and implicitly absorbed into the 0 on the right side of equation (3.59) and the probability $p_L$ that the linear expression holds. If the sum of the involved subkey bits is 0, the bias of equation (3.59) will have the same sign (+ or −) as the bias of the expression involving the subkey sum and, if the sum of the involved subkey bits is 1, the bias of equation (3.59) will have the opposite sign.
Note that pL = 1 implies that linear expression of equation (3.59) is a perfect representation of the cipher behaviour and the cipher has a catastrophic weakness.
If $p_L = 0$, then equation (3.59) represents an affine relationship in the cipher, also an indication of a catastrophic weakness. Both linear and affine approximations, indicated by $p_L > \frac{1}{2}$ and $p_L < \frac{1}{2}$, respectively, are equally susceptible to Linear Cryptanalysis and we shall generally use the term linear to refer to both linear and affine relationships.
The natural question to ask is: How do we construct expressions which are highly linear and, hence, can be exploited? This is done by considering the properties of the cipher's only nonlinear component: the S-box. When the nonlinearity properties of the S-box are enumerated, it is possible to develop linear approximations between sets of input and output bits in the S-box. Consequently, it is possible to concatenate linear approximations of the S-boxes together so that intermediate bits (i.e., data bits from within the cipher) can be cancelled out and we are left with a linear expression which has a large bias and involves only plaintext and the last round input bits.
Linear Expressions for S-boxes
The first step in constructing a full linear equation to use with Matsui's algorithms is learning how to calculate simple linear expressions and how to determine their biases. Finding linear expressions of S-boxes requires us to find equations involving the input bits and output bits, such as $x_2 + x_3 = y_1 + y_3 + y_4$. Since in an $n \times m$ S-box there are $n$ possible input bits and $m$ possible output bits that we may either keep or omit in each linear expression, we have to look through $2^n \times 2^m$ different expressions. Furthermore, we have to try all possible values of the input-output value pairs, which is $2^n$. This gives us $2^{2n+m}$ operations in total on the S-box. In general, we will want to focus on the values that have a high bias and that involve the least possible number of bits. Involving fewer bits in the input and the output helps us to manage the eventual Linear Cryptanalysis, which is composed of many of the linear expressions built on each other. A complete enumeration of all linear approximations of the S-box is given in the Linear Profile², which is a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $LP(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$. It holds that $LP(F)(u,v) = |WS(F)(u,v)|^2$. The lower bound of the Linear Profile values is 0 and the upper bound is $2^{2n}$. If we divide each element in the Linear Profile by the value of $LP(F)(0,0)$, these values represent the number of matches between the linear equation represented in hexadecimal as "Input Sum" and the sum of the output bits represented in hexadecimal as "Output Sum". Hence, subtracting $\frac{1}{2}$ from these values gives the probability bias for the particular linear combination of input and output bits. The hexadecimal value representing a sum, when viewed as a binary value, indicates the variables involved in the sum. For a linear combination of input variables represented as $u_1 \cdot x_1 + \cdots + u_n \cdot x_n$ where $u_i \in GF(2)$, the hexadecimal value represents the binary value $u_1 \ldots u_n$, where $u_1$ is the most significant bit. Similarly, for a linear combination of output bits $v_1 \cdot y_1 + \cdots + v_m \cdot y_m$ where $v_i \in GF(2)$, the hexadecimal value represents the binary vector $v_1 \ldots v_m$. In Linear Profiles, we are looking for entries with large values. If all of the entries are small, then the S-box does not have a very linear structure, and it may make Linear Cryptanalysis on the cipher difficult. The Linear potential of $F$, defined as

$$lp(F) = \frac{1}{2^{2n}} \max_{(u,v) \neq (0,0)} WS(F)(u,v)^2,$$

is a measure of linearity in Linear Cryptanalysis, and satisfies [29] $2^{-n} \leq lp(F) \leq 1$, so that the lower bound holds if and only if $F$ has maximum nonlinearity ($F$ is bent) and the upper bound is reached when $F$ is linear or affine. This criterion can take values from $\frac{1}{2^n}$ to 1. The larger $lp(F)$ is, the "closer" $F$ is to a linear Vector Boolean function.

² In the literature, an equivalent matrix called Linear Approximation Table is used as well.
Piling-Up Lemma
Once we have linear expressions for S-boxes, we need to combine them to perform Linear Cryptanalysis effectively. The effectiveness is defined by the bias of the overall expression constructed by the combination over the rounds of the cipher. Matsui showed in [91] that the linear expressions "pile up" in the following way:

Lemma 3.7.1 (Piling-Up Lemma). Assume that we have $n$ independent linear expressions, say $E_1, \ldots, E_n$, with associated biases $\varepsilon_1, \ldots, \varepsilon_n$. We also need to assume that they are random, as we have no real preconceptions of their values, and Boolean, so that they output 0 or 1. Then the bias of the aggregate Boolean linear expression $E_1 + \cdots + E_n$ is:

$$\varepsilon_{1,\ldots,n} = 2^{n-1} (\varepsilon_1 \times \cdots \times \varepsilon_n) \qquad (3.60)$$

where $\varepsilon_{1,\ldots,n}$ is the bias of the overall expression $E_1 + \cdots + E_n$.
3.7.2 Library
Note that the Linear Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Linear Profile. To obtain its representation as Linear Profile, the following method must be used:

void LAT(NTL::mat_ZZ& LP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of Linear Cryptanalysis: the linear potential and the linear relations associated with a specific value of the Linear Profile. The method used to obtain the linear potential is the following:

void lp(NTL::RR& x, VBF& F)

If we want to obtain the linear expressions associated with the value of the Linear Profile "w", we will use this method:

void linear(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability bias $|p_L - \frac{1}{2}|$ with which a linear expression with the Linear Profile value "w" holds, we will use this method:

void ProbLin(NTL::RR& x, VBF& a, NTL::ZZ& w)
Example 3.7.1. The following program finds out the Linear Profile of a Vector Boolean function together with the linear expressions that have the highest value (apart from the value in $LP(F)(0,0)$), their probability bias, this highest value and the linear potential.

#include <fstream>
#include <iostream>
#include "VBF.h"   // VBF library header (name assumed; the original line lost it in extraction)

using namespace std;

int main(int argc, char *argv[])
{
   using namespace VBFNS;   // namespace of the VBF library (assumed)

   VBF F;
   NTL::mat_GF2 T;
   NTL::ZZ w;
   NTL::RR bias;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth_table_file>" << endl;
      return 0;
   }
   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;        // read the Truth Table
   F.puttt(T);        // initialize F from it
   input.close();

   cout << "The Linear Profile is:" << endl;
   cout << LAT(F) << endl;

   w = maxLAT(F);     // highest value of LP(F) outside (0,0)
   cout << endl << "The highest value of the Linear Profile is= " << w << endl << endl;

   cout << "The linear expressions that have the highest value are:" << endl;
   linear(cout, F, w);

   ProbLin(bias, F, w);
   cout << endl;
   cout << "These expressions hold with probability bias= " << bias << endl;

   cout << endl << "The linear potential is= " << lp(F) << endl;

   return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
The Linear Profile is: [[256 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0] [0 0 16 16 0 0 16 144 16 16 0 0 16 16 0 0] [0 0 16 16 0 0 16 16 0 0 16 16 0 0 144 16] [0 0 0 0 0 0 0 0 16 144 16 16 16 16 16 16] [0 16 0 16 16 64 16 0 0 16 0 16 16 64 16 0] [0 16 16 0 16 0 64 16 16 0 64 16 0 16 16 0] [0 16 16 64 16 0 0 16 0 16 16 64 16 0 0 16] [0 16 0 16 16 64 16 0 16 0 16 0 64 16 0 16] [0 0 0 0 0 0 0 0 16 16 16 16 16 16 16 144] [0 0 16 16 0 0 16 16 64 0 16 16 0 64 16 16] [0 64 16 16 64 0 16 16 16 16 0 0 16 16 0 0] [0 64 0 64 64 0 64 0 0 0 0 0 0 0 0 0] [0 16 64 16 16 0 16 0 16 0 16 64 0 16 0 16] [0 16 16 0 16 64 0 16 64 16 16 0 16 0 0 16] [0 16 16 0 16 64 0 16 16 0 0 16 64 16 16 0] [0 16 64 16 16 0 16 0 0 16 64 16 16 0 16 0] ]
The highest value of the Linear Profile is= 144
The linear expressions that have the highest value are:
x4=y2+y3+y4
x3=y1+y2+y3
x3+x4=y1+y4
x1=y1+y2+y3+y4
These expressions hold with probability bias= 0.0625
The linear potential is= 0.5625
Figure 3.3 represents the Linear Profile of NibbleSub and highlights in red the elements which achieve the highest value.
Fig. 3.3 Linear Profile of NibbleSub.
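The following program, added here as an example and not part of the thesis or of the VBF library, computes $WS(NibbleSub)$ from equation (3.40) without NTL, squares it into the Linear Profile of Section 3.7, extracts the highest entry outside $(0,0)$, the four expressions reaching it, the linear potential and the value ProbLin reports, and recovers $\#L_F(u,v)$ from (3.46) so that the sign of each spectrum entry tells whether the linear form or its affine complement is the good approximation; Parseval's theorem (3.38) is used as a self-check on the transform. The NibbleSub table is read off the Image matrix of Fig. 3.2; the names walsh_example, NIBBLE_SUB, walsh_spectrum, linear_profile and summarise are the example's own.

```cpp
// Added example, not code from the thesis or the VBF library: WS(F) from
// equation (3.40), the Linear Profile of Section 3.7 and the linear potential,
// computed straight from the truth table of NibbleSub (read off Fig. 3.2).
#include <array>
#include <string>
#include <vector>

namespace walsh_example {

constexpr int N = 4, M = 4;                 // NibbleSub is a 4 x 4 S-box
constexpr int IN = 1 << N, OUT = 1 << M;

// F(x) for x = 0..15: row x of the Image matrix has its single 1 in column F(x).
constexpr std::array<int, IN> NIBBLE_SUB = {
    0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
    0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7};

using Matrix = std::array<std::array<long, OUT>, IN>;   // rows u, columns v

// u . x over GF(2).  As on the page, the most significant bit carries x_1.
int dot(int u, int x) {
  int parity = 0;
  for (int w = u & x; w != 0; w >>= 1) parity ^= (w & 1);
  return parity;
}

// WS(F)(u,v) = sum_x (-1)^(u.x + v.F(x)), equation (3.40).  By (3.42) column v
// is the Walsh spectrum of the component function l_v o F.
Matrix walsh_spectrum(const std::array<int, IN>& F) {
  Matrix ws{};
  for (int u = 0; u < IN; ++u)
    for (int v = 0; v < OUT; ++v)
      for (int x = 0; x < IN; ++x)
        ws[u][v] += (dot(u, x) == dot(v, F[x])) ? 1 : -1;
  return ws;
}

// LP(F)(u,v) = WS(F)(u,v)^2, Section 3.7.1.
Matrix linear_profile(const Matrix& ws) {
  Matrix lp{};
  for (int u = 0; u < IN; ++u)
    for (int v = 0; v < OUT; ++v) lp[u][v] = ws[u][v] * ws[u][v];
  return lp;
}

// Parseval's theorem (3.38) applied to every column: the squared coefficients
// of each component spectrum must sum to 2^(2n).  A failure means a wrong transform.
bool parseval_holds(const Matrix& ws) {
  for (int v = 0; v < OUT; ++v) {
    long sum = 0;
    for (int u = 0; u < IN; ++u) sum += ws[u][v] * ws[u][v];
    if (sum != (1L << (2 * N))) return false;
  }
  return true;
}

// (u,v) in the page's notation, e.g. (1,7) -> "x4=y2+y3+y4": bit (width - i)
// of a mask carries variable number i.
std::string expression(int u, int v) {
  auto side = [](int mask, int width, char name) {
    std::string s;
    for (int i = 1; i <= width; ++i)
      if ((mask >> (width - i)) & 1) {
        if (!s.empty()) s += '+';
        s += name;
        s += std::to_string(i);
      }
    return s;
  };
  return side(u, N, 'x') + "=" + side(v, M, 'y');
}

// What Example 3.7.1 prints, plus #L_F(u,v) recovered from (3.46) for each
// best pair (WS = 2 #L - 2^n): WS = +12 means the linear form holds for 14 of
// the 16 inputs, WS = -12 means its affine complement (3.48) does.
struct Summary {
  long max_lp = 0;                 // highest LP entry outside (0,0)
  double lp = 0;                   // linear potential: max_lp / 2^(2n)
  double bias = 0;                 // max_lp / LP(0,0) - 1/2, the value ProbLin reports
  std::vector<std::string> exprs;  // pairs reaching max_lp, lexicographic order
  std::vector<long> matches;       // #L_F(u,v) for those pairs
};

Summary summarise(const std::array<int, IN>& F) {
  const Matrix ws = walsh_spectrum(F);
  const Matrix lp = linear_profile(ws);
  Summary s;
  for (int u = 0; u < IN; ++u)
    for (int v = 0; v < OUT; ++v)
      if ((u | v) != 0 && lp[u][v] > s.max_lp) s.max_lp = lp[u][v];
  for (int u = 0; u < IN; ++u)
    for (int v = 0; v < OUT; ++v)
      if ((u | v) != 0 && lp[u][v] == s.max_lp) {
        s.exprs.push_back(expression(u, v));
        s.matches.push_back((ws[u][v] + IN) / 2);
      }
  s.lp = static_cast<double>(s.max_lp) / (1L << (2 * N));
  s.bias = static_cast<double>(s.max_lp) / lp[0][0] - 0.5;
  return s;
}

}  // namespace walsh_example
```

For NibbleSub the summary reproduces the page's output (highest value 144, linear potential 0.5625, the four expressions in the same order) and additionally shows that only the first pair, (1,7) with $WS = +12$, is a linear match on 14 inputs; the other three have $WS = -12$, so it is their affine complements that hold 14 times.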
3.8 Differential Profile and Differential Cryptanalysis
3.8.1 Description
Overview of Differential Cryptanalysis
Differential Cryptanalysis, introduced by Biham and Shamir [13], is a chosen-plaintext attack. It exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. For example, consider a Vector Boolean function with input $x = (x_1, \ldots, x_n)$ and output $y = (y_1, \ldots, y_m)$. Let two inputs to the system be $x'$ and $x''$ with the corresponding outputs $y'$ and $y''$, respectively. The input difference is given by $\Delta x = x' + x'' = (\Delta x_1, \ldots, \Delta x_n)$ where $\Delta x_i = x'_i + x''_i$, and the output difference by $\Delta y = y' + y'' = (\Delta y_1, \ldots, \Delta y_m)$ where $\Delta y_i = y'_i + y''_i$.
As said in [70]:
In an ideally randomizing cipher, the probability that a particular output difference $\Delta y$ occurs given a particular input difference $\Delta x$ is $\frac{1}{2^n}$. Differential cryptanalysis seeks to exploit a scenario where a particular $\Delta y$ occurs given a particular input difference $\Delta x$ with a very high probability $p_D$ (i.e., much greater than $\frac{1}{2^n}$). The pair $(\Delta x, \Delta y)$ is referred to as a differential. Differential cryptanalysis is a chosen plaintext attack, meaning that the attacker is able to select inputs and examine outputs in an attempt to derive the key. For differential cryptanalysis, the attacker will select pairs of inputs, $x'$ and $x''$, to satisfy a particular $\Delta x$, knowing that for that $\Delta x$ value, a particular $\Delta y$ value occurs with high probability. In this thesis, we investigate the construction of a differential $(\Delta x, \Delta y)$ involving plaintext bits as represented by $x$ and the input to the last round of the cipher as represented by $\Delta y$. We shall do this by examining highly likely differential characteristics, where a differential characteristic is a sequence of input and output differences to the rounds so that the output difference from one round corresponds to the input difference for the next round. Using the highly likely differential characteristic gives us the opportunity to exploit information coming into the last round of the cipher to derive bits from the last layer of subkeys.
S-boxes Differentials
The first step of Differential Cryptanalysis is to compute the characteristics of the inputs and the outputs of the S-boxes, which we will then combine together to form a characteristic for the complete cipher. Consider an $n \times m$ S-box with input $x = (x_1, \ldots, x_n)$ and output $y = (y_1, \ldots, y_m)$. All difference pairs of an S-box, $(\Delta x, \Delta y)$, can be examined and the probability of $\Delta y$ given $\Delta x$ can be derived by considering input pairs $(x', x'')$ such that $x' + x'' = \Delta x$. Since the ordering of the pair is not relevant, for an $n \times m$ S-box we need only consider all $2^n$ values for $x'$, and then the value of $\Delta x$ constrains the value of $x''$ to be $x'' = x' + \Delta x$. We can derive the resulting values of $\Delta y$ for each input pair $(x', x'' = x' + \Delta x)$. We can tabulate the complete differential data for an S-box in the Differential Profile³, in which the rows represent $\Delta x$ values and the columns represent $\Delta y$ values. If we divide each element in the Differential Profile by the value of $DP(F)(0,0)$, these values represent the probability of the corresponding output difference $\Delta y$ given the input difference $\Delta x$, that is $(\Delta x \Rightarrow \Delta y)$, called a characteristic. In general, entries in the Differential Profile with fewer bits set in $\Delta x$ and $\Delta y$ that have higher probability are desirable.

³ In the literature, an equivalent matrix called Difference Distribution Table is used as well.
Definition 3.8.1. Let $F \in \mathcal{F}_{n,m}$; we denote by $D_F(u, v)$ the set of vectors where the difference Vector Boolean Function of $F$ in the direction of $u \in V_n$ coincides with $v \in V_m$:

$$D_F(u, v) = \{x \in V_n \mid \Delta_u F(x) = v\} \qquad (3.61)$$

Definition 3.8.2. Let $F \in \mathcal{F}_{n,m}$ where $n \geq m$. The matrix containing all possible values of $\#D_F(u, v)$ is referred to as its XOR or Differential Distribution Table.

Nyberg in [114] introduced the concept of differential uniformity as a measure of the resistance to differential cryptanalysis as follows:

Definition 3.8.3. A Vector Boolean function $F \in \mathcal{F}_{n,m}$ is called differentially $du(F)$-uniform if for all $u \neq 0 \in V_n$ and $v \in V_m$:

$$\#\{x \in V_n \mid F(x + u) + F(x) = v\} \leq du(F) \qquad (3.62)$$

Let $du(F)$ (the differential uniformity of $F$) be the largest value in the Differential Distribution Table of $F$ (not counting the first entry in the first row), namely,

$$du(F) = \max_{(u,v) \neq (0,0)} \#D_F(u, v) = \max_{(u,v) \neq (0,0)} \#\{x \in V_n \mid F(x) + F(x + u) = v\} \qquad (3.63)$$

Definition 3.8.4. Let us define the function $\delta_F : V_n \times V_m \to \mathbb{Q}$ as follows:

$$\delta_F(u, v) = \frac{1}{2^n} \#D_F(u, v) \qquad (3.64)$$

Definition 3.8.5. The Differential Profile of $F$ can be represented by a matrix whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $DP(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$ and defined as follows:

$$DP(F) = 2^{n+m} \begin{pmatrix} \delta_F(\alpha_0, \alpha_0) & \ldots & \delta_F(\alpha_0, \alpha_{2^m-1}) \\ \delta_F(\alpha_1, \alpha_0) & \ldots & \delta_F(\alpha_1, \alpha_{2^m-1}) \\ \vdots & \ddots & \vdots \\ \delta_F(\alpha_{2^n-1}, \alpha_0) & \ldots & \delta_F(\alpha_{2^n-1}, \alpha_{2^m-1}) \end{pmatrix}$$

Definition 3.8.6. The maximum value of $\delta_F(u, v)$ is called the differential potential of $F$:

$$dp(F) = \max\{\delta_F(u, v) \mid \forall u \in V_n, v \in V_m, (u, v) \neq (0, 0)\}$$

Corollary 3.8.1. The differential uniformity of $F \in \mathcal{F}_{n,m}$ and its differential potential are related as follows:

$$dp(F) = \frac{1}{2^n}\, du(F) \qquad (3.65)$$

It is a measure of the robustness against differential cryptanalysis, where $2^{-m} \leq dp(F) \leq 1$; the lower bound holds if and only if $F$ is bent and the upper bound is reached when $F$ is linear or affine. Equivalently, $dp(F) = 2^{-n}\, du(F)$.
3.8.2 Library
Note that the Differential Profile does not uniquely determine a Vector Boolean function. Thus, a VBF class cannot be initialized by its Differential Profile. To obtain its representation as Differential Profile, the following method must be used:

void DAT(NTL::mat_ZZ& DP, VBF& F)

In the VBF library, several methods have been defined in order to analyse the feasibility of differential cryptanalysis: the differential potential and the differential relations associated with a specific value of the Differential Profile. The method used to obtain the differential potential is the following:

void dp(NTL::RR& x, VBF& F)

If we want to obtain the characteristics associated with the value of the Differential Profile "w", we will use this method:

void differential(NTL_SNS ostream& s, VBF& a, ZZ& w)

If we want to obtain the probability that a characteristic $(\Delta x \Rightarrow \Delta y)$ with the Differential Profile value "w" holds, we will use this method:

void ProbDif(NTL::RR& x, VBF& a, NTL::ZZ& w)
Example 3.8.1. The following program finds out the Differential Profile of a Vector Boolean function together with the characteristics that have the highest value (apart from the value in $DP(F)(0,0)$), their probability, this highest value and the differential potential.

#include <fstream>
#include <iostream>
#include "VBF.h"   // VBF library header (name assumed; the original line lost it in extraction)

using namespace std;

int main(int argc, char *argv[])
{
   using namespace VBFNS;   // namespace of the VBF library (assumed)

   VBF F;
   NTL::mat_GF2 T;
   NTL::ZZ w;
   NTL::RR p;

   if (argc < 2) {
      cerr << "Usage: " << argv[0] << " <truth_table_file>" << endl;
      return 0;
   }
   ifstream input(argv[1]);
   if (!input) {
      cerr << "Error opening " << argv[1] << endl;
      return 0;
   }
   input >> T;        // read the Truth Table
   F.puttt(T);        // initialize F from it
   input.close();

   cout << "The Differential Profile is:" << endl;
   cout << DAT(F) << endl;

   w = maxDAT(F);     // highest value of DP(F) outside (0,0)
   cout << endl << "The highest value of the Differential Profile is= " << w << endl;

   cout << endl << "The characteristics that have the highest value are:" << endl;
   differential(cout, F, w);

   ProbDif(p, F, w);
   cout << endl << "These expressions hold with probability= " << p << endl;

   cout << endl << "The differential potential is= " << dp(F) << endl;

   return 0;
}
If we use as input of this program the Truth Table of NibbleSub, the output of the program would be the following:
The Differential Profile is:
[[4096 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 512 0 0 0 512 0 512 1024 0 1024 512 0 0]
[0 0 0 512 0 1536 512 512 0 512 0 0 0 0 512 0]
[0 0 512 0 512 0 0 0 0 1024 512 0 512 0 0 1024]
[0 0 0 512 0 0 1536 0 0 512 0 1024 512 0 0 0]
[0 1024 0 0 0 512 512 0 0 0 1024 0 512 0 0 512]
[0 0 0 1024 0 1024 0 0 0 0 0 0 512 512 512 512]
[0 0 512 512 512 0 512 0 0 512 512 0 0 0 0 1024]
[0 0 0 0 0 0 512 512 0 0 0 1024 0 1024 512 512]
[0 512 0 0 512 0 0 1024 512 0 512 512 512 0 0 0]
[0 512 512 0 0 0 0 0 1536 0 0 512 0 0 1024 0]
[0 0 2048 0 0 512 0 512 0 0 0 0 0 512 0 512]
[0 512 0 0 512 512 512 0 0 0 0 512 0 1536 0 0]
[0 1024 0 0 0 0 0 1024 512 0 512 0 512 0 512 0]
[0 0 512 1024 512 0 0 0 1536 0 0 0 0 0 512 0]
[0 512 0 0 1536 0 0 0 0 1024 0 512 0 0 512 0]
]
The highest value of the Differential Profile is= 2048
The characteristics that have the highest value are: [1 0 1 1]->[0 0 1 0]
These expressions hold with probability= 0.5
The differential potential is= 0.5
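The same computation as Example 3.8.1 without the VBF library, as an added example (not the thesis' or the library's code): it builds the Differential Profile of a 4×4 S-box as plain counts, derives du(F), dp(F) per (3.65) and the characteristics reaching the maximum. It assumes NibbleSub is the 4-bit S-box of Heys' tutorial, since the truth table itself is not given on this page.

```python
# Added example (not from the thesis or the VBF library): Differential Profile,
# differential uniformity du(F), differential potential dp(F) = du(F) / 2^n
# (Corollary 3.8.1) and the best characteristics of a 4x4 S-box.
# NibbleSub is assumed here to be Heys' tutorial S-box; its truth table is not
# given on this page, so that identification is an assumption.
NIBBLESUB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def differential_profile(sbox, n):
    """DP[dx][dy] = #{x in V_n : F(x) + F(x + dx) = dy}, '+' being XOR."""
    size = 1 << n
    dp = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            dp[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return dp

def differential_uniformity(dp):
    """du(F): largest entry of the profile, ignoring the trivial (0,0) entry."""
    return max(v for dx, row in enumerate(dp) for dy, v in enumerate(row)
               if (dx, dy) != (0, 0))

def differential_potential(dp, n):
    """dp(F) = du(F) / 2^n, equation (3.65); it satisfies 2^-m <= dp(F) <= 1."""
    return differential_uniformity(dp) / (1 << n)

def best_characteristics(dp):
    """All characteristics (dx -> dy), other than (0,0), attaining du(F)."""
    du = differential_uniformity(dp)
    return [(dx, dy) for dx, row in enumerate(dp) for dy, v in enumerate(row)
            if v == du and (dx, dy) != (0, 0)]

def characteristic_probability(dp, dx, dy, n):
    """Probability that input difference dx yields output difference dy."""
    return dp[dx][dy] / (1 << n)

def bits(v, n):
    """MSB-first bit vector, the layout of the printed characteristics above."""
    return [(v >> (n - 1 - i)) & 1 for i in range(n)]

if __name__ == "__main__":
    n = 4
    DP = differential_profile(NIBBLESUB, n)
    for dx, dy in best_characteristics(DP):
        print(bits(dx, n), "->", bits(dy, n),
              "probability", characteristic_probability(DP, dx, dy, n))
    print("du =", differential_uniformity(DP), "dp =", differential_potential(DP, n))
```

The profile printed by the VBF program above is this count table scaled by a constant factor (4096/16 = 256 for n = m = 4), so the maximum entry, the characteristic [1 0 1 1]->[0 0 1 0], its probability 0.5 and dp(F) = 0.5 coincide.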
Figure 3.4 represents the Differential Profile of NibbleSub and highlights in blue the elements that achieve the highest value.
Fig. 3.4 Differential Profile of NibbleSub.
3.9 Autocorrelation Spectrum
3.9.1 Description
The Autocorrelation provides a useful description of a Vector Boolean function in relation to some cryptographic criteria. It is derived from the sequences of the component functions of the Vector Boolean function and does not uniquely determine the Vector Boolean function itself.
Definition 3.9.1. The directional derivative of f ∈ Fn in the direction of u ∈ Vn is defined as:
∆u f (x) = f (x + u) + f (x), x ∈ Vn (3.66)
Similarly, the directional derivative of the sequence χ_f of a Boolean function f in the direction of u ∈ Vn is defined as:
∆uχ f (x) = χ f (x + u) · χ f (x), x ∈ Vn (3.67)
The autocorrelation of f ∈ Fn with respect to the shift u ∈ Vn, r f (u), is defined by the Polarity Truth Table to be:
$$r_f(u) = \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) \qquad (3.68)$$

From this definition of the autocorrelation function we note two important properties:
1. For every Boolean function $r_f(0) = 2^n$, since $\chi_f(x)^2 = 1 \ \forall x \in V_n$.
2. The value of $r_f(u)$ when $u \neq 0$ must be proportional to the correlation between $f(x+u)$ and $f(x)$, i.e.: $r_f(u) = 2^n \cdot C(f(x+u), f(x))$.
The Autocorrelation Spectrum gives an indication of the imbalance of all first order derivatives of the component functions of a Vector Boolean function. As differential cryptanalysis exploits imbalanced derivatives of Vector Boolean functions, the Autocorrelation Spectrum is vital in the analysis. The Walsh Spectrum and the Autocorrelation Spectrum of a Boolean function are related, by the Wiener-Khintchine Theorem among other results, as illustrated below.
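The autocorrelation of (3.68), its two properties, and the link between autocorrelation and Walsh spectrum stated by the Cross-Correlation Theorem (3.69)/(3.70), checked numerically as an added example (not the thesis' or the VBF library's code). The Walsh transform of a real-valued sequence is taken here as the plain sum W(s)(u) = Σ_x s(x)(−1)^{u·x} with no normalising constant, under which the transform of r_{f,g} equals the product of the transforms of χ_f and χ_g; the input functions are constructed for the example.

```python
# Added example (not from the thesis or the VBF library): autocorrelation and
# cross-correlation of Boolean functions given as truth tables over V_n,
# checking r_f(0) = 2^n, r_f(u) = 2^n * C(f(x+u), f(x)), and the
# Cross-Correlation Theorem with W(s)(u) = sum_x s(x) * (-1)^(u.x).

def polarity(tt):
    """Sequence chi_f(x) = (-1)^f(x) from a truth table (list of 0/1)."""
    return [1 - 2 * b for b in tt]

def parity(v):
    return bin(v).count("1") & 1

def walsh(seq):
    """Un-normalised Walsh transform of a real-valued sequence over V_n."""
    size = len(seq)
    return [sum(s * (-1) ** parity(u & x) for x, s in enumerate(seq))
            for u in range(size)]

def cross_correlation(tt_f, tt_g):
    """r_{f,g}(u) = sum_x chi_f(x) * chi_g(x + u); x + u is XOR in V_n."""
    cf, cg = polarity(tt_f), polarity(tt_g)
    size = len(cf)
    return [sum(cf[x] * cg[x ^ u] for x in range(size)) for u in range(size)]

def autocorrelation(tt):
    """r_f(u), equation (3.68): the cross-correlation of f with itself."""
    return cross_correlation(tt, tt)

def correlation(tt_a, tt_b):
    """C(a, b) = (#agreements - #disagreements) / 2^n."""
    agree = sum(1 for a, b in zip(tt_a, tt_b) if a == b)
    return (2 * agree - len(tt_a)) / len(tt_a)

def autocorrelation_properties_hold(tt):
    """Property 1: r_f(0) = 2^n.  Property 2: r_f(u) = 2^n * C(f(x+u), f(x))."""
    size, r = len(tt), autocorrelation(tt)
    shifted = lambda u: [tt[x ^ u] for x in range(size)]   # truth table of f(x+u)
    return r[0] == size and all(r[u] == size * correlation(shifted(u), tt)
                                for u in range(size))

def cross_correlation_theorem_holds(tt_f, tt_g):
    """W(r_{f,g})(u) == W(chi_f)(u) * W(chi_g)(u) for every u in V_n."""
    lhs = walsh(cross_correlation(tt_f, tt_g))
    wf, wg = walsh(polarity(tt_f)), walsh(polarity(tt_g))
    return all(lhs[u] == wf[u] * wg[u] for u in range(len(tt_f)))

# Constructed n = 4 inputs: F is the bent function x0*x1 + x2*x3, G is x0 + x1*x2*x3.
def _bit(x, i):
    return (x >> i) & 1
TT_F = [(_bit(x, 0) & _bit(x, 1)) ^ (_bit(x, 2) & _bit(x, 3)) for x in range(16)]
TT_G = [_bit(x, 0) ^ (_bit(x, 1) & _bit(x, 2) & _bit(x, 3)) for x in range(16)]
```

For the bent function F every non-zero shift gives r_F(u) = 0 (all first-order derivatives balanced), so its transformed autocorrelation is the constant 16 = (±4)^2, the square of its flat Walsh spectrum.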
Theorem 3.9.1 (Cross-Correlation Theorem). Let f, g ∈ F_n, ∀u ∈ V_n. The Walsh Transform of the cross-correlation of f and g is equal to the product of their respective Walsh transforms:

$$r_{f,g} \;\overset{W}{\longleftrightarrow}\; \frac{1}{2^n}\, WS(f)\, WS(g) \qquad (3.69)$$

or alternatively:

$$\frac{1}{2^n} \sum_{x \in V_n} r_{f,g}(x)\,(-1)^{u \cdot x} = \hat{\chi}_f(u) \cdot \hat{\chi}_g(u), \quad \forall u \in V_n \qquad (3.70)$$

Proof.