A C++ Class for Analysing Vector Boolean Functions from a Cryptographic Perspective

A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

JoséAntonio Alvarez-Cubero´ and Pedro J. Zufiria Depto. Matemática Aplicada a las Tecnolog´ıas de la Información, ETSIT, UPM, E-28040 Madrid, Spain

Keywords: C++ library, Walsh transform, Differential proﬁle, Autocorrelation spectrum, Vector boolean function, Non- linearity, Linearity distance, Balancedness, Resiliency, Propagation criterion.

Abstract: In this paper, a C++ class for analising Vector Boolean Functions from a cryptographic perspective is presented. This implementation uses the NTL library from Victor Shoup, replacing some of the general purpose modules of this library by some more specialized and better suited to cryptography, and adding new modules that complement the existing ones. With this class, we can obtain the classical representation of Vec- tor Boolean Function such as its Truth Table and Algebraic Normal Form (ANF). It is possible to calculate mathematical structures such as the Walsh Spectrum, Linear Profile, Differential Profile and Autocorrelation Spectrum. Cryptographic criteria such as nonlinearity, linearity distance, order of correlation immunity, balancedness, algebraic degree and propagation criterion can be obtained with this class. It permits to find out some interesting cryptologic parameters such as linear structures, linear potential, differential potential and the maximum possible nonlinearity or linearity distance of a Vector Boolean Function with the same dimensions. Finally, operations such as to identify if two Vector Boolean Functions are equal, their sum, direct sum, composition, bricklayering, adding coordinate functions and obtaining the polynomial representation over GF(2n) of a Vector Boolean Function given the irreducible polynomial and its Truth Table are presented.

1 INTRODUCTION polynomials over the integers and over finite fields. The decision to use this library is mainly based on Nowadays, Vector Boolean functions play an impor- four reasons: tant role in various fields of human activity, such 1. It is free software, and may be used according to as Coding Theory (McWilliams and Sloane, 1977), Switching Theory (Davio et al., 1978) and Cryp- the terms of the GNU General Public License. tography (Carlet, 2008a), (Carlet, 2008b). Conven- 2. It provides high quality implementations of state- tional secret key cryptosystems can be expressed as of-the-art algorithms for the Galois field of order a certain composition of Vector Boolean functions. 2. Thus, in cipher design, it is essential to define criteria 3. It can be easily installed in a matter of minutes on which measure the cryptographic strength of Boolean just about any platform. and Vector Boolean functions. Moreover, because of the size and complexity of modern ciphers, an auto- 4. It provides a clean and consistent interface to a matic analysis program is very helpful in reducing the large variety of classes representing mathematical time which is necessary to spend on studying crypto- objects which are useful in cryptology. graphic properties of Vector Boolean Functions. In this paper, a C++ class for analysing crypto- The VBF class makes use of all the Boolean math- graphic properties of Vector Boolean Functions is pre- ematical objects defined in NTL modules as starting sented. It is called VBF and is based on the well- point. However, it was necessary to introduce some known Number Theory Library NTL implemented new algorithms and cryptographic structures in order by Victor Shoup (Shoup, 2009). NTL is a high- to achieve the results described in this paper. The performance, portable C++ library providing data main advantages of this approach are derived from the structures and algorithms for manipulating signed, ar- object oriented implementation and the use of effec- bitrary length integers, and for vectors, matrices, and tive algorithms: reusability, maintainability, extensi- bility and flexibility in the analysis of a broad range

512 Antonio Álvarez-Cubero J. and J. Zuﬁria P. (2010). A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE. In Proceedings of the International Conference on Security and Cryptography, pages 512-520 DOI: 10.5220/0002964505120520 Copyright c SciTePress A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

of Vector Boolean Functions employed in symmet- form of f at u ∈ Vn is the n-dimensional Discrete ric ciphers. In our opinion, there is still a lack of Fourier Transform and can be calculated as follows: stable and efficient C++ algorithms in cryptographic χˆ u ξ ,ξ ∑ 1 f (x)+ux (1) libraries and this implementation can be very useful f ( )= f lu = (− ) tool both for the designer and the cryptanalist of sym- x∈Vn metric ciphers. At the present time, either the libraries The autocorrelation of f ∈ Fn with respect to the are commercial and restricted to some cryptographic shift u ∈ Vn is the cross-correlation of f with itself, properties of Boolean functions (such as (Bibliow- denoted by R f (u) :Vn → R and defined by: icz et al., 2003) or (Gammel, 2006)) or they do not R (u)= 1 ∑ χ (x)χ (x + u) benefit from the new paradigms of object orientation f 2n x∈Vn f f (2) 1 ∑ f (x)+ f (u+x) and generic programming (Pommerening, 2001). We = 2n x∈Vn (−1) have performed a full analysis of a 14 × 14 S-box F :V → V , F(x) = ( f (x),..., f (x)) is called with the VBF class in less than one second with a n m 1 m a Vector Boolean function and F is the set of all Core2 Duo 2.4GHz, 4GB RAM, 2x250GB Debian n,m Vector Boolean functions F : V → V . Each f : linux platform. n m i V → GF(2) ∀i ∈{1,...,m} is a coordinate function The paper is organized as follows: Sections 2 n of F. The indicator function of F ∈ F , denoted by is devoted to the presentation of the main Vector n,m θ :V ×V → R, is defined in (Chabaud and Vaude- Boolean Functions concepts. In section 3, we de- F n m nay, 1994) as θ (x,y)= 1 if y = F(x) and θ (x,y)= scribe the types of Vector Boolean Functions repre- F F 0 if y 6= F(x). The character form of (u,v) ∈ Vn ×Vm sentations that this class can deal with. In section 4, u x v y can be defined as follows: χ (x,y) = (−1) · + · . cryptographic relevant matrices, cryptographic crite- (u,v) Let the Vector Boolean function F ∈ F , its ria and other useful information for cryptanalysis that n,m Walsh Transform is the two-dimensional Walsh this implementation can calculate for an individual Transform defined by: Vector Boolean Function are described. In section 5, we enumerate the operations over Vector Boolean θˆ ∑ ∑ θ χ F (u,v)= x∈Vn y∈Vm F (x,y) (u,v)(x,y) Functions that are supported. In section 6, we illus- ∑ ux+vF(x) = x∈Vn (−1) trate how the VBF class can be used with examples. (3) Finally, concluding remarks are summarized in Sec- (Nyberg, 1994) The autocorrelation of F ∈ Fn,m tion 7. with respect to the shift (u,v) ∈ Vn ×Vm is the cross- correlation of F with itself, denoted by RF (u,v) : Vn × Vm → R, so that: 2 PRELIMINARIES R (u,v)= 1 ∑ χ (x + u)χ (x) F 2n x∈Vn vF vF (4) = 1 ∑ (−1)vF(x+u)+vF(x) Let < GF(2),+,· > be the finite field of order 2, 2n x∈Vn where GF(2)= Z2 = {0,1},’+’ the ’integer addition Let F ∈ Fn,m and u ∈ Vn, then the difference Vec- modulo 2’ and ’·’ the ’integer multiplication modulo tor Boolean function of F in the direction of u ∈ 2’. Vn is the vector space of n-tuples of elements from Vn, denoted by ∆uF ∈ Fn,m is defined as follows: ∆ GF(2). The direct sum of x ∈ Vn1 and y ∈ Vn2 is uF(x)= F(x + u)+ F(x), x ∈ Vn. If the following ∆ defined as x ⊕ y = (x1,...,xn1 ,y1,...,yn2 ) ∈ Vn1+n2 . equality is satisfied: uF(x)= c, c ∈ Vn ∀x ∈ Vn The inner product of x,y ∈ Vn is denoted by x·y, and then u ∈ Vn is called a linear structure of F. The inner product of real vectors x,y ∈ Rn is denoted We define the simplifying notation for the max- by hx,yi. imum of the absolute values of a set of real num- f :Vn → GF(2) is called a Boolean function and bers {auv}u,v, characterized by vectors u and v, as: Fn is the set of all Boolean functions on Vn. Ln is max (auv)= max(u,v) {|auv|}. Using the same sim- the set of all linear Boolean functions on V : L ∗ n n = plifying notation, we define the max (·) operator on {lu ∀u ∈ Vn | lu(x)= u · x} and An is the set of all ∗ a set of real numbers {auv}u,v, as: max (auv) = affine Boolean functions on Vn. i=n ∑ uixi max(u,v)=(6 0,0){|auv|}. This notation will be used in The real-valued mapping χu(x) = (−1) i=1 = u·x some criteria definitions. (−1) for x,u ∈ Vn is called a character. The char- f (x) acter form of f ∈ Fn is defined as χ f (x) = (−1) . The Truth Table of χ f is called as the (1,−1)- sequence vector or sequence vector of f and is de- 2n noted by ξ f ∈ R . Let a Boolean function f ∈ Fn, the Walsh Trans-

513 SECRYPT 2010 - International Conference on Security and Cryptography

3 REPRESENTATIONS OF void putper(const NTL::vec_ZZ& a) VECTOR BOOLEAN NTL::vec_ZZ getper() const FUNCTIONS If F is an affine Vector Boolean Function with n 6= m (such as the Expansion and Compression DES Let a Vector Boolean Function F ∈ Fn,m, the repre- permutations (NBS, 1977)), then it can be defined as sentations supported by the VBF class are described an array with m elements which are the output bits. below together with their member functions: void putlin(const NTL::vec_ZZ& a) NTL::mat_GF2 getlin() const 1. The Truth Table of F, denoted by TF ∈ M2n×m(GF(2)) and defined by: The VBF class also supports the definition of F as given in (NBS, 1977) for the DES S-boxes. f1(α0) ... fm(α0) f (α ) ... f (α ) void putsbox(const NTL::mat_ZZ& a) T  1 1 m 1  (5) F = ...... NTL::mat_ZZ getsbox()  f α n ... f α n   1( 2 −1) m( 2 −1) where fi i ∈{1,...,m} are its component func- n tions and αi = (x1,...,xn) ∈ Vn i ∈{1,...,2 −1} 4 CRYPTOGRAPHIC ANALYSIS is a vector whose decimal equivalent dec(αi)= OF A VECTOR BOOLEAN ∑n n− j i = j=1 x j2 and we can list all the vectors of α α α FUNCTION Vn so that 0 < 1 < ··· < 2n−1 . void TT(NTL::mat_GF2& X, VBF& a) This section describes the useful information that can inline NTL::mat_GF2 TT(VBF& a) be extracted with the VBF class from the cryptographic point of view. First of all, matrices with cryp- 2. m-tuple of polynomials in ANF. Any F ∈ Fn,m can be uniquely represented by m multivariate polyno- tographic interest are presented. Then, we enumerate mial over GF(2) where each variable has power the different cryptographic criteria that are supported at most one. This polynomial can be expressed and how they can be obtained from these matrices: as a sum of all distinct kth-order product terms nonlinearity, correlation immunity, balancedness, lin- (0 < k ≤ n) of the variables: earity distance, propagation criterion and algebraic degree. Finally, some useful information for cryptanalysis supported by the VBF class is described: the f (x1,...,xn) = a0 + a1x1 + ··· + anxn linear potential, the differential potential, the linear a x x a x x + 12 1 2 + ··· + n−1,n n−1 n structures of the Vector Boolean Function and the +··· + a12...nx1x2 ...xn I maximum possible nonlinearity and linearity distance = ∑I∈P(N) aI (∏i∈I xi) = ∑I∈P(N) aIx , aI ∈ GF(2) (6) for a Vector Boolean Function with the same dimen- where P(N) denotes the power set of N = sions as the one analysed. {1,...,n}. This representation of f is called the algebraic normal form (ANF) of f . 4.1 Matrices with Cryptographic void Pol(NTL_SNS ostream& s, VBF& a) Interest vec_pol getpol()

Let F ∈ Fn,m be a Vector Boolean Function, VBF can 3. The ANF table of F, denoted by ANFF ∈ n calculate all the following matrices associated with it: M2n×m(GF(2)) and represents the 2 coefficients of the polynomials of the m coordinate functions 1. The Characteristic Function of F that can be rep- in ANF. resented by a matrix whose rows are indexed by void ANF(NTL::mat_GF2& X, VBF& a) x ∈ Vn and whose columns are indexed by y ∈ inline NTL::mat_GF2 ANF(VBF& a) Vm in lexicographic order, denoted by Img(F) ∈ M2n×2m (GF(2)) and defined as follows: If F is Boolean permutation, that is, it is bijective and has the same number of input bits as output bits θ α α θ α α (n = m), then it can be defined as an array: F ( 0, 0) ... F ( 0, 2m−1) θ (α ,α ) ... θ (α ,α m ) Img(F) =  F 1 0 F 1 2 −1  F = F(1) ... F(n) (7) ...... θ (α n ,α ) ... θ (α n ,α m )  F 2 −1 0 F 2 −1 2 −1  having F(i) as the image of the bit i for F. (8)

514 A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

where θF (x,y) is the value of the indicator func- mat_GF2 truthtable(const mat_ZZ& C, int n, int m) , θ , tion at (x y), defined as F :Vn × Vm →{0 1}: This function has as arguments the Characteristic 1 if y = F(x) Function, the numberof inputsand the numberof out- θF (x,y)= (9) 0 if y 6= F(x) puts of a vector Boolean function and it computes its Truth Table. mat_ZZ charfunct(const mat_GF2& T, int n, int m) mat_ZZ invwt(const mat_ZZ& X, int n, int m) This function has as arguments the Truth Table, This function has as arguments the Walsh Spectrum, the number of inputs and the number of outputs the number of inputs and the number of outputs of of a vector Boolean function and it calculates its a vector Boolean function and it computes its Char- Characteristic Function. acteristic Function. It corresponds with the inverse 2. The Walsh Spectrum of F that can be represented Walsh Transform. by a matrix whose rows are characterized by u ∈ Vn and whose columns are characterized by v ∈ 4.2 Cryptographic Criteria Vm in lexicographic order, denoted by WS(F) ∈ R θˆ M2n×2m ( ). Itholdsthat F (u,v)= WS(F)(u,v). Let F ∈ Fn,m be a Vector Boolean Function, the void Walsh(NTL::mat_ZZ& X, VBF& a) following cryptographic criteria can be obtained by inline NTL::mat_ZZ Walsh(VBF& a) means of the VBF class: 3. The Linear Profile of F that can be represented 1. Nonlinearity defined as the minimum among the by a matrix whose rows are characterized by nonlinearities of all nonzero linear combinations of the coordinate functions of F and can be ob- u ∈ V and whose columns are characterized n tained from the Walsh Spectrum the following by v ∈ V in lexicographic order, denoted by m way: LP(F) ∈ M2n×2m (R). It holds that LP(F)(u,v)= 1 |WS(F)(u,v)|2. 2n+m NL(F)= minv=6 0∈Vm NL(v · F) n−1 1 ∗ (10) void LAT(NTL::mat_ZZ& X, VBF& a) = 2 − 2 max (WS(F)(u,v)) inline NTL::mat_ZZ LAT(VBF& a) void nl(NTL::RR& x, VBF& a) 4. The Differential Profile that can be represented inline NTL::RR nl(VBF& a) by a matrix whose rows are characterized by u ∈ 2. Linearity distance defined as the minimum among Vn and whose columns are characterized by v ∈ the linearity distances of all nonzero linear com- Vm in lexicographic order, denoted by DP(F) ∈ binations of the coordinate functions of F and can R M2n×2m ( ). This matrix results from the applica- be obtained from the Differential Profile the fol- tion of the Walsh Transform to the Linear Profile. lowing way: void DAT(NTL::mat_ZZ& X, VBF& a) LD LD inline NTL::mat_ZZ DAT(VBF& a) (F)= min (v · F) (11) v=6 0∈Vm 5. The Autocorrelation Spectrum whose rows are void ld(NTL::RR& x, VBF& a) indexed by u ∈ Vn and whose columns are in- inline NTL::RR ld(VBF& a) dexed by v ∈ Vm in lexicographic order, de- F R 3. Balancedness, considering that F ∈ n,m is bal- noted by R(F) ∈ M2n×2m ( ). This matrix re- anced (or to have balanced output) if each pos- sults from the application of the Walsh Transform sible output m-tuple occurs with equal probability to the Linear Profile. It holds that R(F)(u,v)= 1 1 2m , that is, its output is uniformly distributed in DP (DP(F)(u,0) − DP(F)(u,v)). (F)(0,0) Vm. This criterion can be obtainedfrom the Walsh void AC(NTL::mat_RR& X, VBF& a) Spectrum the following way: inline NTL::mat_RR AC(VBF& a) θˆF (0,v)= 0, ∀v 6= 0 ∈ Vm (12) Some functions have been implemented in the void Bal(int& bal, VBF& a) VBF class to compute one matrix from the knowledge inline int Bal(VBF& a) of others such as: 4. Correlation Immunity, so that F ∈ F is an mat_GF2 rev(const mat_GF2& X, int n, int m) n,m (n,m,t)-CI function if and only if every nonzero ∑m This function has as arguments the ANF Table, the linear combination f (x) = i=1 vi fi(x) of coor- number of inputs and the number of outputs of a vec- dinate functions of F is an (n,1,t)-CI function, tor Boolean function and it computes its Truth Table. where x ∈ Vn, vi ∈ GF(2) i = 1,...,m and not all

515 SECRYPT 2010 - International Conference on Security and Cryptography

zeroes. This criterion can be obtained from the 2. The Differential Potential of F, defined as ∗ Walsh Spectrum the following way: dp(F)=max (DP(F)(u,v) which is exploited as a measure of the robustness against differential cryptanalysis. It holds that 1 dp F 1 and θˆF (u,v) = 0, ∀u ∈ Vn, 1 ≤ wt(u) ≤ t, ∀v 6= 0 ∈ Vm 2m ≤ ( ) ≤ (13) the lower bound holds if and only if F is bent and the upper bound is reached when F is linear or void CI(int& t, VBF& a) affine. The differential uniformity of F ∈ Fn,m inline int CI(VBF& a) and its differential potential are related as follows: 1 dp(F)= 2n DU(F). 5. Propagation criterion, where F ∈ Fn,m satisfies the propagation criterion of degree l (PC(l)) if void dp(NTL::RR& x, VBF& a) any nonzero linear combination of the component inline NTL::RR dp(VBF& a) boolean functions satisfies the PC(l). This cri- 3. The Linear structures of F, defined as the vec- terion can be obtained from the Autocorrelation tors for which its associated row in the Differen- Spectrum the following way: tial Profile coincides with the vector zero. NTL::mat_GF2 LS(VBF& a) RF (u,v) = 0, ∀u ∈ Vn, 1 ≤ wt(u) ≤ l, ∀v 6= 0 ∈ Vm (14) 4. The Maximum possible nonlinearity for a Vector Boolean Function with the same dimensions as F void PC(int& k, VBF& a) (when n is even). inline int PC(VBF& a) NTL::RR nlmax(VBF& a) 6. Algebraic degree defined as the maximum among 5. The Maximum possible linearity distance for a the algebraic degrees of all nonzero linear combi- Vector Boolean Function with the same dimen- nations of the coordinate functions of F (Nyberg, sions as F. 1992), namely: NTL::RR ldmax(VBF& a) m deg(F)= min{deg(g) | g = ∑ v j f j, v 6= 0 ∈ Vm} g j=1 (15) 5 OPERATIONS OVER VECTOR being the algebraic order or degree of a Boolean BOOLEAN FUNCTIONS function, the order of the largest product term which exists in the ANF. This criterion is cal- In this section, the operations over Vector Boolean culated by finding out the ANF table and then Functions that the VBF class supports are described. analysing the order of all the linear combinations Some of them corresponds to secondary construc- of coordinate functions. tions, which build (n,m) variable Vector Boolean void deg(int& d, VBF& a) Functions from (n′,m′) variable ones (with n′ ≤ inline int deg(VBF& a) n,m′ ≤ m). The direct sum has been used to con- struct resilient and bent Boolean functions (Carlet, 4.3 Useful Information in Cryptanalysis 2004). Adding coordinate functions and bricklayering are operations used to build modern ciphers such Let F ∈ Fn,m be a Vector Boolean Function, the fol- as CAST (Adams and Tavares, 1993), DES (NBS, lowing information can be obtained by means of the 1977) and AES (Daemen and Rijmen, 2002). Fi- VBF class: nally, another operations supported are: identification 1. The Linear Potential of F, defined as lp(F)= if two Vector Boolean functions are equal, the sum of ∗ two Vector Boolean functions, the composition of two 1 · max (WS(F)(u,v)2) which is exploited as a 22n Vector Boolean Functions, derivation of polynomial measure of linearity in linear cryptanalysis, and representation of mappings from GF(2n) to GF(2n) satisfies (Chabaud and Vaudenay, 1994) 1 ≤ 2n by Lagrange interpolation. The definitions of all the lp(F) ≤ 1 so that the lower bound holds if and supported operation are the following: only if F has maximum nonlinearity (F is bent) and the upper bound is reached when F is linear 1. Let n ≥ 1,m ≥ 1, F,G ∈ Fn,m. F and G are equal or affine. if their Truth Tables are the same. void lp(NTL::RR& x, VBF& a) long operator==(VBF& a, VBF& b) inline NTL::RR lp(VBF& a) long operator!=(VBF& a, VBF& b)

516 A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

2. Let n ≥ 1,m ≥ 1, F,G ∈ Fn,m. The Sum of F and 6 EXAMPLES OF PROGRAM G (denoted by F +G) is the Vector Boolean Func- CODE tion whose Truth Table results from the addition of the Truth Tables of F and G: T T T . F+G = F + G In this section, we present some examples of how the It can be proved that Walsh Spectrum of the sum VBF class can be used. All of them are computed can be obtained by the convolutionof the columns with a Core2 Duo 2.4GHz, 4GB RAM, 2x250GB De- vectors of the respective Walsh Spectra. bian linux platform in less than one second. void sum(VBF& X, VBF& A, VBF& B) VBF operator+(VBF& A, VBF& B) 6.1 Analysis of a Vector Boolean 3. Let n = n + n ,n ,n ≥ 1,m ≥ 1, F ∈ F and 1 2 1 2 1 n1,m Function from its Truth Table F2 ∈ Fn2,m. The Direct Sum of F1 and F2 is the function: The example program below obtains cryptographic (F1 ⊕ F2) :Vn × Vn → Vm 1 2 information about a Vector Boolean Function from (x,y) → (F1 ⊕ F2)(x,y)= F1(x)+ F2(y) (16) knowing its Truth Table. This is a generalization for Vector Boolean func- #include tions of the construction of Boolean functions ﬁrst #include introduced in (Rothaus, 1976). #include "VBF.h" void directsum(VBF& X, VBF& A, VBF& B) int main(int argc, char *argv[]) 4. Let n ≥ 1,m = m1 + m2,m1,m2 ≥ 1 and F ∈ { using namespace VBFNS; Fn,m1 and G ∈ Fn,m2 . The result of adding coordinate functions of F and G is the , F , VBFF; function (F G) ∈ n,m1+m2 where (F G)(x) = NTL::mat_GF2 mat_F; ( f1(x),..., fm1 (x),g1(x),...,gm2 (x)). This is a NTL::mat_GF2 A, T; generalization for Vector Boolean functions of the NTL::mat_ZZ W, LP, DP; method used in the CAST algorithm and studied NTL::mat_RR Ac; in (Nyberg, 1994) by adding more than one coor- int t, d, k; dinate function at the same time. ifstream input(argv[1]); void addimage(VBF& X, VBF& A, VBF& B) if(!input) { 5. Let n = n1 +n2,n1,n2 ≥ 1,m = m1 +m2,m1,m2 ≥ cerr << "Error opening the input file 1, F ∈ Fn ,m and G ∈ Fn ,m . The 1 1 2 2 containing the TT" << argv[1] << endl; Bricklayer of F and G is the func- return 0; tion F|G ∈ Fn,m where F|G(x,y) = } ( f1(x),..., fm1 (x),g1(y),...,gm2 (y)). This input >> mat_F; construction corresponds to the bricklayer func- F.puttt(mat_F); tion (Daemen and Rijmen, 2002) as a parallel input.close(); application of a number of Vector Boolean functions operating on smaller inputs. ofstream output(argv[2]); if(!output) void concat(VBF& X, VBF& A, VBF& B) { VBF operator|(VBF& A, VBF& B) cerr << "Error opening the output file" 6. Let F be a mapping from GF(2n) to GF(2n), it << argv[2] << endl; return 0; can always represented by a polynomial function } over GF(2n). A general way to derive this polynomial representation is given by Lagrange inter- output << "Argument Dimension = " << F.n() polation from the knowledge of the irreducible << endl; polynomial of degree n over GF(2) associated output << "Argument space has " << F.spacen() with the ﬁeld GF(2n) and the Truth Table of F. << " elements."<< endl; output << "Image Dimension = " << F.m() << endl; void interpolate(GF2EX& f, VBF& a) output << "Image space has " << F.spacem() << " elements." << endl << endl; 7. Let F ∈ Fn,p, G ∈ Fp,m, then the Composition output << "1. Algebraic Normal Form Table:" Function is G ◦ F ∈ F , . n m << endl; void Comp(VBF& X, VBF& A, VBF& B) A = ANF(F); VBF operator*(VBF& A, VBF& B) output << A << endl;

517 SECRYPT 2010 - International Conference on Security and Cryptography

output << "2. Truth Table:" << endl; If we have the Truth Table of the S-box used in Ri- T = TT(F); jndael SRD (Daemen and Rijmen, 2002) as the input, output << T << endl; the output of the program is below. We only include the ﬁrst rows and columns of the represented matri- output << "3. Walsh Spectrum:" << endl; W = Walsh(F); ces, and the ﬁrst terms of the polynomials: output << W << endl; Argument Dimension = 8 Argument space has 256 elements. output << "4. Linear Profile:" << endl; Image Dimension = 8 LP = LAT(F); Image space has 256 elements. output << LP << endl;; 1. Algebraic Normal Form Table: output << "5. Differential Profile:" << endl; [[0 1 1 0 0 0 1 1] DP = DAT(F); [00011111] output << DP << endl; 2. Truth Table: [[0 1 1 0 0 0 1 1] output << "6. Linearity/nonlinearity measures:" << endl; [01111100] output << "Linear potential: " << lp(F) << endl; 3. Walsh Spectrum: output << "Differential potential: " << dp(F) << endl; [[256000000000000000000000000 output << "Nonlinearity: " << nl(F) << endl; [0 24 0 24 28 12 4 -12 24 0 16 24 4 20 4 -12 16 -24 24 output << "Maximum Nonlinearity: " << nlmax(F) << endl; 4. Linear Profile: output << "Linearity distance: " << ld(F) << endl; [[6553600000000000000000000000 output << "Maximum Linearity distance: " << ldmax(F) [0 576 0 576 784 144 16 144 576 0 256 576 16 400 16 144 << endl; 5. Differential Profile: [[1677721600 0000 0000 000 0000 000 00 output << "7. Correlation immunity:" << endl; [0 131072 0 0 131072 0 131072 0 131072 131072 131072 t = CI(F); 6. Linearity/nonlinearity measures: if (F.getbal()) Linear potential: 0.015625 { Differential potential: 0.015625 output << "It is a (" << F.n() << "," << F.m() Nonlinearity: 112 << "," << t << ")-resilient function" Maximum Nonlinearity: 120 << endl; Linearity distance: 126 } else Maximum Linearity distance: 136 { 7. Correlation immunity: output << "It is a (" << F.n() << "," << F.m() It is a (8,8,0)-resilient function << "," << t << ")-CI function" << endl; 8. Algebraic degree: } The degree of the function is 7 9. Propagation criterion: output << "8. Algebraic degree:" << endl; The function is PC of degree 0 d = deg(F); 10. Polynom: output << "The degree of the function is " x6+x6x8+x6x7+x5x6x8+x5x6x7+x5x6x7x8+x4+x4x7x8+x4x6+ << d << endl; x4x6x7x8+1+x5+x5x7+x5x7x8+x5x6+x4x8+x4x7x8+x4x6x8+ x4x6x7x8+x4x5x7+1+x6x7x8+x5x8+x5x7x8+x5x6x7x8+x4+ output << "9. Propagation criterion:" << endl; x4x7x8+x4x6+x4x6x8+x4x6x7+x8+x7+x7x8+x6+x5+x5x6+ k = PC(F); x5x6x8+x4x8+x4x7+x4x6x7+x4x5+x4x5x8+x8+x6x7+x5x8+ output << "The function is PC of degree " x5x7x8+x5x6+x5x6x8+x5x6x7+x5x6x7x8+x4+x4x7x8+x8+x7 << k << endl; +x6x8+x5x8+x5x7x8+x5x6+x5x6x8+x4x8+x4x7+x4x7x8+ output << "10. The polynomial representation is: " x4x6x8+1+x8+x7x8+x6x8+x5+x5x8+x5x7+x5x7x8+x5x6+ << endl; x5x6x8+x5x6x7+x4x8+1+x8+x7x8+x6+x6x7+x5+x5x7+x5x6+ Pol(output,F); x5x6x7+x5x6x7x8+x4+x4x8+x4x7+ output << "11. Linear structures: " << endl; 11. Linear structures: A = LS(F); [] output << A << endl; 12. Autocorrelation Spectrum: output << "12. Autocorrelation Spectrum: " << endl; [[0111111111111111111111111111 Ac = AC(F); [0 -0.0078125 0 0 -0.0078125 0 -0.0078125 0 -0.0078125 output << Ac << endl; input.close(); output.close(); return 0; }

518 A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

6.2 Direct Sum of Two Vector Boolean 6.3 Polynomial Representation of Functions Rijndael S-box

The example program below obtains the polynomial The example program below obtains the polyno- representing of the Vector Boolean Function result- mial representation over GF(28) given the irreducible ing from the direct sum of two others, knowing their polynomial x8 +x4 +x3 +x+1 and the Truth Table of Truth Tables. SRD ∈ F8,8 by Lagrange interpolation. #include #include #include #include #include "VBF.h" #include "VBF.h" int main(int argc, char *argv[]) int main(int argc, char *argv[]) { { using namespace VBFNS; using namespace VBFNS;

VBF F1, F2, F; VBF S0; NTL::mat_GF2 T1, T2; NTL::mat_GF2 mat_S0; GF2X g; ifstream input1(argv[1]); GF2EX f; if(!input1) { ifstream input1(argv[1]); cerr << "Error opening the input file if(!input1) containing the TT of the 1st function: " { << argv[1] << endl; cerr << "Error opening the file return 0; containing the irreducible polynomial" } << argv[1] << endl; input1 >> T1; return 0; F1.puttt(T1); } input1.close(); input1 >> g; S0.putirrpol(g); ifstream input2(argv[2]); input1.close(); if(!input2) { ifstream input2(argv[2]); cerr << "Error opening the input file if(!input2) containing the TT of the 2nd function: " { << argv[2] << endl; cerr << "Error opening the file return 0; containing the TT" << argv[2] << endl; } return 0; input2 >> T2; } F2.puttt(T2); input2 >> mat_S0; input2.close(); S0.puttt(mat_S0); input2.close(); ofstream output(argv[3]); if(!output) ofstream output(argv[3]); { if(!output) cerr << "Error opening the output file " { << argv[3] << endl; cerr << "Error opening the output file " return 0; << argv[3] << endl; } return 0; } directsum(F,F1,F2); output << "The polynomial representation output << "The polynomial representation of the direct sum is:" << endl; is: " << endl; Pol(output,F); interpolate(f,S0); print(output,f); output.close(); input1.close(); return 0; input2.close(); } output.close(); return 0; }

519 SECRYPT 2010 - International Conference on Security and Cryptography

Taking as input the irreducible polynomial rep- Chabaud, F. and Vaudenay, S. (1994). Links between dif- resentation 110110001 and SRD ferential and linear cryptanalysis. In EUROCRYPT, pages 356–365. Truth Table, the output of the program is: Daemen, J. and Rijmen, V. (2002). The Design of Rijndael. The polynomial representation is: Springer-Verlag, New York, Inc., Secaucus, NJ, USA. 5xˆ254+9xˆ253+f9xˆ251+25xˆ247+f4xˆ239+1xˆ223+ b5xˆ191+8fxˆ127+63 Davio, M., Deschamps, J., and Thayse, A. (1978). Discrete and Switching Functions, volume 1 of Advanced Book Program. McGraw-Hill. Gammel, B. M. (2006). http://www.matpack.de/. In Mat- 7 CONCLUSIONS pack C++ Numerics and Graphics Library. McWilliams, F. and Sloane, N. (1977). The Theory of Error In this paper we have described a C++ class designed Correcting Codes, volume 1,2. New York, NY: North to analyse Vector Boolean Functions from a crypto- Holland. graphic perspective. It represents a very useful tool NBS (1977). Data Encryption Standard. NBS, Washington, for analysing cryptographic primitives expressed as DC, USA. Vector Boolean Functions in a question of seconds. Nyberg, K. (1992). On the construction of highly nonlinear This class supports as input a broad range of repre- permutations. In EUROCRYPT, pages 92–98. sentations such as Truth Tables, ANF Tables, poly- Nyberg, K. (1994). S-boxes and round functions with con- nomials in ANF, permutation and linear matrices and trollable linearity and differential uniformity. In Fast DES-like Sboxes. It can obtain cryptographic struc- Software Encryption, pages 111–130. tures such as the Walsh Spectrum, Differential Proﬁle Pommerening, K. (2001). Analysis of boolean maps (s- and Autocorrelation Spectrum among others. Cryp- boxes). tographic criteria such as nonlinearity, linearity dis- Rothaus, O. S. (1976). On ”bent” functions. J. Comb. The- tance, correlation immunity, balancedness, algebraic ory, Ser. A, 20(3):300–305. degree and propagation criterion are easily calculated. Shoup, V. (2009). http://www.shoup.net/ntl/. In NTL: A The behaviour of the cryptographic properties of Vec- Library for doing Number Theory. tor Boolean Functions can also be studied when they interact by means of the VBF class.

ACKNOWLEDGEMENTS

This work has been partially supported by project MTM2007-62064 of the Plan Nacional de I+D+i, MEyC, Spain, and by project 166/Q06 0930-099 of the Universidad Polit´ecnica de Madrid (UPM), Spain.

REFERENCES

Adams, C. and Tavares, S. (1993). Designing s-boxes for ciphers resistant to differential cryptanalysis. In Pro- ceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pages 181–190. Bibliowicz, A., Cohen, P., and Biham, E. (2003). A system for assisting analysis of some block ciphers. Technical report, NESSIE. Carlet, C. (2004). On the secondary constructions of resilient and bent functions. In Progress in Computer Science and Applied Logic, vol. 23, pages 3–28. Carlet, C. (2008a). Boolean functions for Cryptography and Error Correcting Codes. Cambridge University Press. Carlet, C. (2008b). Vectorial Boolean functions for Cryp- tography. Cambridge University Press.

520