Relationships Between Boolean Functions and Symmetric Groups

Relationships between Bo olean Functions and

Symmetric Groups

Chengxin Qu, Jennifer Seb erry, Josef Pieprzyk

Center for Computer Security Research

Scho ol of Information Technology and Computer Science

University of Wollongong

Email: cxq01,jennie,[email protected]

2 Background Abstract

2.1 Bo olean space and boolean func-

We study the relations b etween b o olean functions

tions

and symmetric groups. We consider elements of a

symmetric group as variable transformation op er-

The set of n-tuple vectors,

ators for b o olean functions. Bo olean function may

V = f =(a ;


;a ) j

n 1 n

b e xed or p ermuted by these op erators. Wegive

a 2 GF (2); i =1;


;ng;

i

some prop erties relating the symmetric group S

n

and b o olean functions on V .

n

is a boolean space if its arithmetic is in a Galois

n

eld. A b o olean space V contains 2 vectors.

n

Clearly, all the vectors in V are binary sequences.

n

A boolean function is de ned on V by the map-

n

ping

f (x): V ! V

n 1

where x is a variable vector in V .

1 Intro duction

n

There are several ways to represent a b o olean

function: bya p olynomial; by a binary sequence;

The values of a b o olean function for each vector

and bya (1; 1) sequence. Here we use the p oly-

n

in V form a binary sequence of length 2 called

n

nomial representation to discuss b o olean func-

a a

the trace of the function. The trace of a boolean

a

1 2

n

tions. Let x = x x


x denote a monomial

n

1 2

function is widely used in communication systems

on V . Then a b o olean function on V is a linear

n n

such as DE S and S-b ox theory [1 , 2]. To pro-

combination of monomials

tect against cryptographic attacks b o olean func-

M

c x c =0 or1; (1) f (x)=

tions must satisfy some algebraic prop erties such

2V

n

as nonlinearity, balance, the propagation criteria

and correlation immunity. These are called cryp-

where the sign  denotes b o olean addition (XOR).

tographic prop erties [6 , 8, 11 ]. In this pap er, we

For anytwo binary sequences  and  with the

use symmetric groups to study b o olean functions.

same length s, we de ne their multiplication ()

The transformation of variables, x ! x , is called

i j

and binary addition () as follows;

an op eration or a variable transformation op era-

tor. We consider elements in the symmetric group

   = (a ;a ;


;a )  (b ;b ;


;b )

1 2 s 1 2 s

(2)

as a variable exchange op erators for b o olean func-

= (a b ;a b ;


;a b )

1 1 2 2 s s

tions. We study the conditions under which a

   = (a ;a ;


;a )  (b ;b ;


;b ) b o olean function is xed or transformed by this

1 2 s 1 2 s

(3)

= (a  b ;a  b ;


;a  b ): op eration.

1 1 2 2 s s 1

De nition 4 Let 0  k  n. The function f (x) So    and    are still binary sequences. If f (x)

on V is k -th order correlation immune if the fol- corresp onds to the binary sequence  and g (x) cor-

n

lowing equation resp onds to  , then the functions f (x)g (x) and

f (x)  g (x) corresp ond to formulae (2) and (3)

X

f (x)
x

(1) =0; for 1  wt( )  k;

resp ectively.

x2V

n

We call the numb er of 1s in a binary sequence,

 , its Hamming weight that is denoted by wt( ).

is satis ed, where wt( ) is the Hamming weight of

Avector in V is a binary sequence with length n

a vector 2 V .

n

n

and the values of a b o olean function for eachvec-

n

tor in V also form a length 2 binary sequence

n

2.2 Symmetric group

that we call the trace of the function. For anytwo

functions f (x) and g (x), their Hamming distance

For an n-tuple vector, = (a ;a ;


;a ) 2 V ,

1 2 n n

is the numb er of 1s in the sequence of the function

we consider an op eration on the vector which p er-

f (x)  g (x). The function (1), with the restriction

mutes the p ositions of a and a . Then the vector

i j

such that c = 0 for all where wt( ) > 1, is

b ecomes

called an ane function and denoted by '(x). Us-

ing the dot pro duct we can write ane functions

(a ;


;a ;


;a ;


;a ):

1 j i n

with the form

We denote the op eration of p ermuting the posi-

'(x)=
x  c;

tions of a and a by the op erator  = (ij ) and

i j

then we write

where 2 V ; c =0; 1. An ane function is called

n

a linear function if c = 0 (which corresp onds c =

0

 (a ;a ;


;a )=(a ;


;a ;


;a ;


;a ):

1 2 n 1 j i n

0 in the function (1)). The following de nitions

are the most imp ortant cryptographic parameters

The p ermutations for an n-tuple vector in V may

n

for a b o olean functions in cryptography [3 , 9, 10 ].

apply to more than two entries. Thus the op era-

tion  =(ij k


)isde nedbytheith entry go es

to j th p osition, the j th entry go es to k th p osition,

De nition 1 Let f (x) be a function on V . If,

n

and so on. Thus the op erator  =(ij


k ), acting

as x runs through al l vectors in V , f (x) = 1 is

n

n1

on the vector , for example, gives the vector

true 2 times f (x)=1, then the function f (x)

is said to bebalanced.

(a ;


;a ;a ;a ;


;a ;a ;a ;


;a ):

1 i1 i+1 j 1 i j +1 n

k

De nition 2 Let f (x) be a function on V . The

n

Let  and  be anytwo op erators for a vector

i j

nonlinearity (denoted by N ) of the function f (x)

f

2 V . Then the combination of the op erators is

n

is de ned by the minimum Hamming distance

de ned by  =   such that

i j

from f (x) to al l ane functions over V i.e.

n

 =(  ) =  ( ):

i j i j

N = minfwt(f  ') j for al l ' on v g:

n

f

The inverse of an op erator exists. For  =

1

De nition 3 Let f (x) be a boolean function on

(ij


k );  = (k


ji) is its inverse b ecause

1 1

V . If for a vector 2 V the function f (x) 

 =   = e, the unit p ermutation.

n n

f (x  ) is balanced, then the function f (x) is

said to have propagation criteria with respect to

De nition 5 For an n-

the vector . If f (x) has propagation criteria with

tuple vector (a ;a ;


;a ) in the boolean space

1 2 n

respect to al l vectors with 0 < wt( )  k , then

V ,weconsider operations  that permute the po-

n

f (x) has propagation criteria of degree k denoted

sitions of the n-tuple. Then al l possible operations

by PC(k ). If k =1, the function is said to satisfy

on the n-tuple form a group which is cal led the

the strict avalanche criteria (SAC ).

symmetric group de nedonV and denotedbyS

n n

(or permutation group). 2

5. (Cayley's theorem). Any group with order n If a subset of S forms a group under the same

n

is isomorphic with a subgroup of S . laws of combination used in S , then the group is

n n

called subgroup of S . Anygrouphasatleasttwo

n

trivial subgroups: the group containing only one

For a b o olean space V , wesay that the sym-

n

element feg; and the group itself. For a symmetric

metric group S is de ned on the space, if each

n

group S , the following prop erties hold.

n

element in S just permutes the vectors in V .

n n

Let V and V b e subspaces of V . Let S be

m n m+n m

1. The order of S (the numb er of all elements)

n

the symmetric group for the space V and S for

m n

is n! i.e. jS j = n!.

n

the space V . Then for any elements  2 S and

n m

0 0 0

 2 S , it is obviously that  =   . We say

n

2. We take some elements in S as the genera-

n

that the two groups are commutative (b oth the

tors of the group, if any element in S can

n

two groups are subgroups of S and S is

m+n m+n

be equivalently expressed by those genera-

0 0

on V ). Obviously, the set, f j  2 V ;  2

m+n m

tors. Then the minimum set of generators for

V g denoted by S  S (direct product), is a sub-

n m n

S is of size n 1. Let f(12); (13);


; (1n)g

n

group of S with order m!  n!.

m+n

be a set of generators of S . Then the el-

n

ement (123


n), for example, is equal to

Let H be a subgroup of S . Then the sub-

n

(1n)


(13)(12).

set H ,  2 S  2= H , is called the (left) coset

n

asso ciated with H in S . The subgroup H is

n

3. The transitive relations of symmetric groups

called a normal subgroup (or invariant subgroup)

S ;S ;


;S are as follows;

1 2 n

1

of S if H  = H for any  2 S . For any

n n

subgroup H of S , there exists jS j=jH j elements

S  S 


 S  S :

n n

1 2 n1 n

g ; (g 2= H; g 2 S ) suchthat

i i i n

The following statements from group theory

0

will b e used later. Let G and G be anytwo groups

S = H [ (g H ) [


[(g H ); (4)

n 1 s1

0

and elements g and g be elements with g 2 G and

0 0

g 2 G .

where s = jS j=jH j. In the ab ove formula, if H is

n

a normal subgroup, the set, fH; g H;


;g H g,

1 s1

1. (Homomorphism). If there is a mapping G !

forms a group (called quotient group or factor

0

G and the laws of combination for the two

group of S ) with order n!=jH (f )j. For more de-

n

groups are preserved, i.e.

tail ab out group theory, one can refer the b o oks

)

[7 ][5 ].

0

g ! g

i

0 0

i

); g ) (g g ) ! (g

i j

j 0 i

g ! g

j

j

0

then the two groups, G and G , are said to b e

3 Relationships between sym-

homomorphic.

metric group and

2. (Isomorphism). For two homomorphic

b o olean functions

0

groups, G and G , if the mapping is invert-

ible, then the two groups are said to be iso-

Now we turn our discussion to the relationships

morphic.

between the symmetric group and b o olean func-

tions on nite boolean spaces V . We highlight

n

3. (Kernel). For the homomorphic mapping of

0

features of a boolean function under the op era-

G and G , the unit element in G maps to a

0 0

tions of a symmetric group.

subset H in G . The subset H in G corre-

e e

sp onding to the unit element e in G is called

the kernel of the homomorphic mapping.

De nition 6 Let  denote an element of the

symmetric group S . We take al l the elements 4. (Lagrange's theorem). The order of a sub-

n

of S as permuting operators on a vector in V . group of a nite group is a divisor of the order

n n

We say that a permuting operator acts on a func- of the group. 3

element of the set is de ned by the function it- tion on V as fol lows

n

self f (x). Let  f (x) be an element of the set.

0 1

i

M

Then the element has its inverse  f (x), such as

j

@ A

f (x) =  c x

1

 =  , in the set, since

j

i

2V

n

M



1 1

= c x

[f (x)]  [ f (x)] = [ f (x)]  [f (x)]



 2V

n

= f (x):

M

(6)

= c x

According to the de nition of the group op eration,

2V

n

[ f (x)   f (x)]   f (x) =

where  = and c = c 2 GF (2).

i j

k

(7)

 f (x)  [ f (x)   f (x)]

i j

k

We denote by H a subgroup of S asso ciated

n

f

holds. Hence the asso ciative law holds. The set,

with the b o olean function f (x)over V . Then the

n

G = ff (x) j8 2 S g,contains all the di erent

n

f

subgroup H is describ ed by the following lemma.

f

b o olean functions generated by permutations in

S . Therefore, the set is closed. So wehave proved

n

Lemma 1 Let H denote the subset that contains

f

that the set, ff (x) j  2 S g, with comp osition

n

al l the elements  2 S such that f (x) = f (x).

n

 is a group. 2

Then H is a subgroup of S .

n

f

The group op eration \"onG is not the group

f

Pro of. For the subset H to b e a group, we only

op eration of S . The equality

f

n

need to show the set is closed under the laws of

(  )f (x)= f (x) (8)

i j

k

group combination of S . In fact if  and  are

n i j

in the set H ,then  and   are also in H ,

i j j i

f f

do es not restrict   to equal  , b ecause any

i j

k

b ecause

element in H will leave the function  f (x)

 f k

k

unchanged. For convenience, we use the element

  f (x)= ( f (x)) =  f (x)=f (x):

i j i j i

 =   to identity the function  f . The group

i j

k k

G is a set of p olynomials on a nite b o olean

The set H is closed. Therefore it is a subgroup

f

f

space, which is generated by a b o olean function

of S . 2

n

f (x) on V and the symmetric group S . Each

n n

Asso ciated with the function f (x) on V and

element, f (x), in G corresp onds to a subgroup,

n

f

the symmetric group S , we have another group,

H , of S . Then for the function f (x), we have

n

n

f

denoted by G , which is describ ed by the following

the left coset H and rightcoset H  that give

f

f f

lemma.

the function f (x). Therefore among the elements

in G , the following lemma holds.

f

Lemma 2 If ef (x) = f (x) (e the unit of S ) is

n

the unit of the set ff (x) j  2 S g, then the set

n

Lemma 3 Let  f (x) and  f (x) be any two el-

i j

of functions forms a group, denoted by G , where

f

ements in G associated with the function f (x)

f

the group operation \", stands for composition of

over V . Then

n

functions, de ned as fol lows

(i) jH j = jH j = jH j =


;

f  f  f

i j

[ f (x)]  [ f (x)] = (  )f (x)= f (x): (5)

i j i j

k

(ii) There exists a subset of

elements fe;  ; ;


g, cal led representative

Pro of. To b e a group, the set G with the op era-

1 2

f

set of S , denoted by C , such that

tion  must satisfy the following conditions: (i)the

n

f

unit element must exist; (ii) each element must

S = H [  H [  H


; (9)

n 1 2

f f f

haveaninverse in the set and the left inverse must

b e equal to the rightinverse; (iii) the asso ciative

(iii) Let  and  belong to C . If  6=  , then

i j i j

f

rule must hold for the op eration; (vi) the set must

 f (x) 6=  f (x) and C f (x)=G .

i j

f f

be closed under the group op eration. The unit 4

all vectors with 1  wt( )  k . Pro of. The group H is the group of the func-

f

tion f (x). So H contains all the elements in

f

According to de nition 4, the if f has k -th or-

S such that  (f (x)) = f (x). The left coset,

n j

der correlation immunity, then it satis es

H , acting on the function f (x), also pro duces

X

f

f (x)
x

(1) =0; for all 1  wt( )  k:

the function f (x). So jH j  jH j. On the

f f

x2V

n

other hand, H contains all elements in S such

n

f

Let f (x) be a function in G . Since the map

that ( )f (x) = f (x) for each  2 H . Thus

f

i i

f

from f (x)to f (x) is a one-to one linear transform

we have jH j  jH j. Therefore jH j = jH j

f f f f

and the vector has b een chosen for such that

whichproves (i).

1  wt( )  k , f (x) has the same correlation

Since the intersection of distinct cosets is empty

immunityas f (x) has. 2

and all cosets contain jS j elements, then (ii)

n

holds.

Lemma 5 Let the f (x) be a boolean function on

The part (iii) is obvious. According to the

V and r the number of x occurs in the func-

n i i

de nition of G , each function is uniquely gen-

f

tion. (i) The numbers of repetitions of each vari-

erated by the function f (x). The set of func-

in f (x) being equal (i.e. able of the x ;


;x

i i

1

k

tions, C f (x), contains all the di erent functions.

f

r =


= r ), is a necessary condition for the

i i

1

k

Therefore C f (x)=G 2

f f

group S associated with variables x ;


;x to

i i

k

1

k

be a subgroup of H . (ii) The order of G is

f f

The subset C is not the only subset. We can

f

greater than or equal to the number of al l di erent

cho ose one representativefromeach group H to

f

patterns of (r ;


;r ).

1 n

form a subset C . But the group G is unique.

f f

Any C in S generates the group G and so may

n

f f

Pro of. Weprove the lemma bycontradiction. By

be used as the identity set for the function f (x).

the lemma 1 the element in H op erating on the

f

Each element  in the identity set may b e used as

function f (x)doesnotchange the function itself.

the identity element for the function f (x). Note

Supp ose r 6= r . After the op eration, x in the

i j j

that the class C may not contain the unit ele-

f

function f (x) is transformed to x . Obviously,

i

ment.

the numb er of rep etitions of x in f (x)isr that

i j

It is clear that an op erator acting on a function

induces f (x) 6= f (x). Therefore  2= H .

f

f (x) is equivalentto a one-to-one linear transfor-

Assume that r 6= r for all i 6= j; 1  i; j  n.

i j

mation. The functions f (x) and f (x)inG have

f

Any op eration from S will change the represen-

n

many prop erties in common.

tation of the function f (x). So G = S . For all

n

f

r 6= r we have  f (x) 6=  f (x). Therefore we

i j i j

Lemma 4 Let f (x) be a boolean function on V .

n

have proved (ii). 2

Then the al l functions in G have the same (1)

f

Hamming weight, (2) nonlinearity, (3) propaga-

Lemma 6 Let f (x) and g (x) be any two boolean

tion criteria PC(k ) and (4) correlation immunity.

functions on V and H and H be their groups

n g

f

Pro of. Since each function in G relates to an-

respectively. Then in the group H formed by

f

f g

other by a one-to-one linear transformation, they

the function f (x)  g (x), at least the intersection

have the same Hamming weight wt(f ) and non-

of H and H is a subgroup i.e. H \ H  H .

g g

f f f g

linearity N .

f

Pro of. Since the intersection set is a subset of S ,

n

Let f (x) on V have k -th order propagation

n

all the laws of combination for S are preserved.

n

criteria. According to de nition 3, f (x)  f (x  )

The rst we prove the intersection H \ H is a

g

f

is balanced for all 0 < wt( )  k . The function

subset of H . Let  ; 2 H and  ; 2 H .

i j i j g

f g f

f (x)=f (x) and then

Then  ; are in the intersection set H \ H .

i j g

f

0 0

Because

f (x)  f (x   )=f (x )  f (x  )

  (f (x)  g (x)) =  (f (x)  g (x))

i j i

Of course wt( )=wt( ). As runs through all

= f (x)  g (x); vectors such that 1  wt( )  k , runs through 5

4 Discussion the elements  ; and   are in the group H .

i j i j

f g

Therefore H \ H  H . The unit element is

g

f f g

n

2

in H \ H . So to prove H \ H is a group, it

g g

f f

For a xed b o olean space V , there are 2 b o olean

n

is enough to show it is self closed under the laws

functions and the size of the p ermutation group is

of combination that are used in S . The ab ove

n

n!. Although this is very large, we can use the

formula shows that the element   is in H

i j

f g

permutation groups to discuss b o olean functions.

and also in H \ H . So H \ H is self closed.

g g

f f

The b o olean functions in the group G share the

f

Therefore it is a group. Because the elements in

same cryptographic prop erties such as Hamming

H are all elements in S that leave the function

n

f g

weight, nonlinearity, propagation criteria and cor-

f (x)  g (x)unchanged, H \ H is a subgroup of

g

f

relation immunity. For a group G , there exist

f

H for the function f (x)  g (x). 2

f g

subsets, @ = ff jf 2 G g, of functions suchthat @

f

is a additive group (f; )ifwe add the zero to the

Note: The groups H and H \ H may

g

f g f

subset and regard the zero as the unit element.

equal, since the function f (x)  g (x)may increase

There are trivial additive groups, for example,

the symmetric prop erties but also may reduce the

f0; f (x)g (since  f   f =0). If such a subset

i i i

prop erties. If f (x)  g (x) = 0, H = S and

n

f g

contains m functions (of course m  jG j), the

f

H \ H is a subgroup. If f (x) and g (x) do not

g

f

additivegroupis a S-b ox design n  m (note the

contain any common term, then H = H \ H .

g

f g f

group order is m + 1). Good S-box designs need to

satisfy some cryptographic prop erties such as (1) The following are a few trivial facts for some

any nonzero linear combination c f 


 c f b o olean functions

1 1 m m

is balanced, (2) any nonzero linear combination

has high nonlinearity,(3)any nonzero linear com-

1. Let k be an integer with 0  k  n. Then

bination satis es the same and go o d propagation

the function

criteria, (4) the mapping of the S-b ox is regular

M

nm

i.e. each vector in V corresp onds to 2 vec-

m

h (x)= x

k

tors in V as x runs through all vectors in V once,

n n

8 2V ; & wt( )=k

n

and (5) the S-b ox has go o d di erential distribu-

tion [1 , 2, 4, 12 ]. If all comp onents of an S-b ox

has group S , i.e. H = S .

n n

h

are in an additive group @ and G at the same

f

time, then the discussion of the S-b ox concerns

2. Let fi ;i ;


g be a subset of f1; 2;


;ng.

1 2

the one function f (x)on V only.

Based on lemma 6, for the function

n

h(x)=h (x)  h (x) 


; (10)

i i

1 2

References

the group H is S .

n

h

[1] E. Biham and A. Shamir. Di erential crypt-

3. Let H be the group for the function f (x)

f

analysis of DES-like cryptosystems. Journal

on V . Then H is also the group for the

n

f

of Cryptology, 4.1:3{72, 1991.

function f (x)  h(x), where h(x) is the func-

tion (10) over V .

n

[2] E. F. Brickell, J. H. Mo ore, and M. R. Pur-

till. Structures in S-b oxes of the DES. Ad-

4. Let fi ;i ;


;i g b e a subset of f1; 2;


;ng

1 2

d

vances in Cryptology {CRYPTO'86, Lecture

and

Notes in Computer Science, Springer-Verlag,

f (x)=x x


x

Berlin Heidelberg New York Toyko, pages 3{

i i i

1 2

d

8, 1987.

b e an algebraic degree d b o olean function on

V . Then the group H = S  S , where

n

f d nd

[3] P. Camion, C. Carlet,

S is the symmetric group asso ciated with the

d

P. Charpin, and N. Sendrier. On correlation-

subset and S is the group asso ciated with

nd

immune functions. Advances in Cryptology

the subset f1; 2;


;ngnfi ;i ;


;i g.

1 2

d

- CRYPTO'91, Lecture Notes in Computer 6

Science, Springer-Verlag, Berlin Heidelberg

New York Toyko, 576:86{100, 1991.

[4] J. H. Cheon, S. Chee, and C. Park. S-b oxes

with controllable nonlinearity. Advances

in Cryptology { EUROCRYPT'99, Lecture

Note in Computer Science, Springer-Verlag,

Berlin Heidelberg New York, 1592:286{294,

1999.

[5] M. Hamermesh. Group Theory and Its Appli-

cation to Physical Problems. Reading, Mass.,

Addison-Wesley, 1962.

[6] L. O'Connor and A. Klapp er. Algebraic non-

linearity and its applications to cryptography.

Journal of Cryptology, 7:213{227, 1994.

[7] B. E. Sagan. The Symmetric Group; Rep-

resentations, Combinatorial Algorithms, and

Symmetric Functions. Paci c Grove, Calif.,

Wadosworth & Bo oks, 1991.

[8] J. Seb erry, X. Zhang, and Y. Zheng. Non-

linearity and propagation characteristics of

balanced b o olean functions. Information and

Computation, Academic Press, 119, No.1:1{

13, 1995.

[9] T. Siegenthaler. Correlation-immunity of

nonlinear combining functions for crypto-

graphic applications. IEEE Transaction on

Information Theory, 30.5:776{779, 1984.

[10] G. Xiao and J. L. Massey. A sp ectral char-

acterization of correlation-immune combining

functions. IEEE Transactions on Informa-

tion Theory, 34:3, May 1988.

[11] X. Zhang and Y. Zheng. Auto-correlations

and new b ounds on the nonlinearity of

b o olean functions. Advances in Cryptology

{ EUROCRYPT'96, Lecture Notes in Com-

puter Science, Springer-Verlag, Berlin Hei-

delberg New York, 1070:294{306, 1996.

[12] X. Zhang, Y. Zheng, and H. Imai. Relating

di erential distribution tables to other prop-

erties of substitution boxes. Designs, Codes

and Cryptography, 19:45{63, 2000. 7