sign in sign up
<<
Home , Snefru, XSL attack

Copyright

by

Shweta Prem Agrawal

2007 Algebraic Attacks: A Survey

by

Shweta Prem Agrawal, B.E.

Thesis

Presented to the Faculty of the Graduate School of

The University of Texas at Austin

in Partial Fulfillment

of the Requirements

for the Degree of

Master of Arts

The University of Texas at Austin

December 2007 Algebraic Attacks: A Survey

Approved by Supervising Committee: For my mother Acknowledgments

Many people have contributed in large measure to making this work possible. I want to thank my advisor Anna, for her understanding and support. I have learnt much from working with her- both technically and otherwise. She provided excellent guidance in research but more importantly, she was kind and encouraging during my struggle to get into theory from an unrelated background. I am especially grateful to her for the numerous times she went out of her way to help me, and for the comfortable work environment she helped create. Working with her has been both enjoyable and inspiring. I am deeply indebted to David Zuckerman for the most beautiful introduction to theory that I could have hoped for. My love for both math and research has been largely shaped by my interaction with him. More significant than the math I learnt from him was the spirit of mathematical reasoning, rigor and intuition that I was able to imbibe. I am grateful to everyone I interacted with at UT for an enthusiastic and motivational academic atmosphere. Special thanks is due to members of the theory group, especially Anna, David and Greg for their concern, help and advice. I thank my friends for the long discussions and fun times. Not enough can be said for the love, faith and support of my parents and brother. Across the thousands of miles between us, they have given me comfort, optimism, trust. A special thanks to my mother- without whose love, nothing is possible.

v Thanks to Austin for all the experiences I have had here. My time here has created memories that I will cherish all my life.

Shweta Prem Agrawal

The University of Texas at Austin December 2007

vi Algebraic Attacks: A Survey

Shweta Prem Agrawal, M.A. The University of Texas at Austin, 2007

Supervisor: Anna G´al

Algebraic attacks have recently acquired great importance in the area of cryptog- raphy, not only due to the they have been able to break, but more impor- tantly, because the principle of algebraic attacks is very generic and can be applied to break large classes of ciphers. Several ciphers, previously considered secure and widely used in practice were found to be potentially vulnerable to algebraic attacks. In this survey, we examine algebraic attacks against both public and symmet- ric ciphers. We discuss the Boolean functions used in the design of ciphers from the perspective of algebraic attacks, and consider the ”cryptographic” complexity and explicit construction of these functions. We also briefly look at recently discov- ered methods of solving certain systems of multivariate polynomial equations since algebraic attacks rely on being able to solve such systems of equations efficiently.

vii Contents

Acknowledgments v

Abstract vii

Chapter 1 Introduction 1 1.1 Publickeyciphers ...... 4 1.2 Symmetrickeyciphers ...... 11 1.2.1 Blockciphers ...... 11 1.2.2 Streamciphers ...... 17

Chapter 2 Cryptographic Complexity of Boolean Functions 23 2.1 Important cryptographic properties of Boolean functions...... 23 2.2 About the cryptographic complexity of Boolean functions ...... 34

Chapter 3 Algebraic attacks against symmetric key ciphers 40 3.1 Algebraic attacks against stream ciphers ...... 40 3.1.1 Conventional attacks against stream Ciphers ...... 40 3.1.2 Setup for algebraic attack ...... 41 3.1.3 Theproblemofcryptanalysis ...... 41 3.1.4 Theattack ...... 41 3.2 Algebraic attacks against block ciphers ...... 43 3.2.1 Conventional methods of against block ciphers 43 3.2.2 How block ciphers resist conventional statistical attacks . . . 44 3.2.3 Algebraic attacks on Block ciphers ...... 44

viii Chapter 4 Solving systems of multivariate equations 47 4.1 The Quadratic Solvability problem ...... 47 4.2 Methods of solving systems of multivariate polynomial equations: . . 48 4.2.1 Linearization ...... 48 4.2.2 Relinearization ...... 49 4.2.3 XLalgorithm ...... 50 4.2.4 XSLmethod ...... 51 4.2.5 Gr¨obner basis techniques ...... 52 4.2.6 SATsolvers...... 53 4.2.7 ”Gluing” Algorithm ...... 53

Chapter 5 Explicit Constructions of Boolean functions with Impor- tant Cryptographic Properties 54 5.1 Algebraicconstruction ...... 54 5.2 HeuristicDesign ...... 57

Chapter 6 Some open problems and concluding remarks 62

Appendix A Useful Definitions 66 A.1 Algebraicdefinitions ...... 66 A.2 Cryptographicdefinitions ...... 68 A.3 Fourier-WalshTransforms ...... 70

Bibliography 74

Vita 93

ix Chapter 1

Introduction

The area of algebraic attacks has recently received a lot of attention in cryptographic literature. As is well known, there are two main kinds of : public key encryption and symmetric key encryption. Algebraic attacks are relevant to both kinds. The principle of algebraic attacks is to recover the secret key of the by solving a system of algebraic equations. We will make this more precise sub- sequently. Regardless of the type of cipher used, there are equations that can be set up involving the bits, bits and the key. In particular, you can describe all encryption schemes, whether public key or symmetric key, as repre- sented by the following simple relation: C = E(M, K), where C is the ciphertext, E is the function describing how the ciphertext is obtained from the plaintext and key,

M is the plaintext and K is the secret key. Each ciphertext bit ci where i = 1....n is obtained from the plaintext bits x1, ..., xn and the key bits k1, k2..., km considered as input variables, by applying a function f, i.e. ci = f(x1, ..., xn, k1, ..., km). Thus, we can think of the encryption E as a set of functions with the plaintext and key bits as variables. We will consider the case when these functions are polynomials. In the case of Boolean functions, this can always be assumed. Often, the ciphertext C and the polynomials representing the encryption are known publicly, specifically to the attacker. The basis of security of such a setup is the hardness of the problem of solving complex systems of multivariate polynomial equations. In fact, this problem is NP-hard even for the case of quadratic polynomials, and is called the Multivariate Quadratic(abbreviated as MQ) problem. We discuss this problem further in chapter 4.

1 The hardness of MQ is an old and well known result [GJ79]; in fact in his seminal paper in 1949 [Sha49], Shannon wrote that if we could show that breaking a cipher requires at least as much work as ”solving a system of simultaneous equations in a large number of unknowns of a complex type”, then we could think of it as a good cipher.

Several , both public and symmetric key, have used the hard- ness of solving appropriately chosen systems of polynomial equations as a basis of their security. For example, in public key ciphers, the public key can be a set of mul- tivariate polynomials, say P = p ; i = 1, ..., m , and the encryption C of an n bit { i } − message M is done by assigning the variables of the polynomials values correspond- ing to the bits of the message, i.e. cj = pi(M). If the polynomials are publicly known, and the ciphertext is also known, (as is usually the case), the secrecy of the 1 encoded message relies on the hardness of computing M = P − (C).

However, it recently became known, that several ciphers that use the diffi- culty of the above-mentioned problem for encryption, are vulnerable to what are known as algebraic attacks. Algebraic attacks are those that recover the secret key by solving a system of equations. As mentioned above, all ciphers can be repre- sented by some system of multivariate polynomial equations. We could argue that this should pose no threat, because as we noted, the problem of solving certain sys- tems of equations, is known to be NP hard even for the quadratic case. However, the threat posed by algebraic attacks relies on the fact that not all multivariate quadratic equations are hard to solve; the hardness of solving such a system of equations depends on the choice of equations.

It has been shown that most systems of equations produced by or used by ciphers, are very far from random. Such systems of equations often have some alge- braic structure or hidden properties that can be used to solve them efficiently.

Let’s make this notion more precise with some examples. In one of the early instances of algebraic attacks, Kipnis and Shamir [KS99] exploit the structure of the cipher to get an overdefined system of equations. By overdefined, we mean that

2 the number of equations is greater than the number of variables. For a long time, the best known method to solve systems of multivariate polynomial equations was by using Buchberger’s algorithm for computing a Gr¨obner basis. Buchberger’s algo- rithm has large exponential complexity and does not exploit the specific structure of the system of equations. But in [KS99], Kipnis and Shamir introduced an algorithm called ”Relinearization” that uses the overdefinedness of the system of equations to solve it very efficiently. Further improvements to this algorithm were discovered later. Faster algorithms for computing Gr¨obner basis also became known and used for cryptanalysis of ciphers, e.g. the HFE [FJ03]. In 2002, Courtois and Pieprzyk in [CP02] came up with another algorithm called ”XSL” that exploits the sparsity of the system of equations to solve it efficiently. By sparsity, we mean that the number of monomials in the system of equations is very ”small”. We make the notion of sparsity more precise later on.

To summarize, the way algebraic attacks work is that a system of equations is first set up, involving the plaintext, ciphertext and key. This system of equa- tions depends on the cipher under consideration. The attacker then looks for some implicit structure in these equations that would make them easier to solve than an arbitrary system of equations. After identifying the structure, the system of equations is solved using methods such as Gr¨obner basis techniques, Linearization, Relinearization, the XL algorithm and other techniques.

These new algorithms were used to attack well known ciphers like LILI-128 and Toyocrypt successfully[CM03]. Several ciphers, so far considered secure, sud- denly became suspect to such attacks, including AES. The algebraic structure of the AES was analyzed and it is suspected now that AES is not as secure as previously believed. [CP02].

The field of algebraic attacks became very important, not only because of the specific ciphers that had been attacked, but also because the principle of these attacks is very generic and can be used to design successful attacks against a variety of ciphers- both symmetric and public key.

Algebraic attacks began to be studied extensively, specifically the strength

3 of Boolean functions used in the design of ciphers began to be formally analyzed. To better understand the strength/weakness of these functions and quantify their resistance/vulnerability to algebraic attacks, various properties of the functions were identified. Several such properties, like the algebraic degree, normality, nonlinearity, algebraic thickness, algebraic immunity among others, have been defined to represent the cryptographic complexity (different from computational complexity) of Boolean functions. There has also been interest in the explicit construction of functions possessing a ”good combination” of these properties, that will make them provably secure from algebraic attacks.

As mentioned previously, algebraic attacks are known against:

1. Public key ciphers

2. Symmetric key ciphers

(a) Block ciphers (b) Stream ciphers

We briefly describe here the broad principles of each of these three types of ciphers, the concept of an algebraic attack against each of them and provide a brief historical perspective on algebraic attacks against each of these three main types of ciphers. We describe an algebraic attack against a public key cipher (the HFE cipher) here and against block ciphers and stream ciphers later(in chapter 3).

We list some standard mathematical definitions used in the text in the ap- pendix.

1.1 Public key ciphers

For the sake of completeness, we briefly describe public key . Public key cryptography is a form of cryptography in which a user has a pair of crypto- graphic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private

4 key.

As mentioned previously, public key cryptosystems are sometimes built based on the difficulty of solving a system of multivariate quadratic equations. One way in which this problem is used to design public key cryptosystems is as follows: The public key comprises of a set of multivariate quadratic polyno- mials in n variables, say f (x ,x ..., x ) F for i [1...m]. The encoding works i 1 2 n ∈ ∈ as follows: To encrypt an n bit message M = m1m2...mn, each bit of the message m is assigned to a variable x of the polynomial. The polynomials f F are then i i ∈ evaluated at the n points specified by message M. Let C = c1, ..., cm be the encoded message, then ci = fi(x1, ..., xn) i.e. C = F (M). The private key comprises of some secret information, often called the trapdoor which makes the equations easy to invert; that is, with knowledge of the trapdoor, the equations become efficiently solvable for any given ciphertext. In other words 1 M = F − (C) should be infeasible to compute without knowing the secret key or trapdoor, and easy to compute with knowledge of the trapdoor. The main difference between various ciphers that are based on this concept, is the manner in which they encode this secret information in the publicly known polynomials. We describe here a public key cipher known as the cipher, abbreviated as HFE: Brief(and simplified) description of the basic HFE public key cryptosys- tem[Pat96]:

First we describe the basic construction of the HFE cryptosystem, along with a brief overview of the main mathematical ideas used in the design of the cipher. Subsequently we describe how the message and ciphertext are represented, how the encryption and decryption are performed and what the private and public keys are.

The HFE cryptosystem consists of the following mathematical components:

1. A finite field K of cardinality = pm, where p is prime.

2. An extension of K of degree n called Ln.

3. βij, αi and µ0 elements of Ln.

5 4. θij, φij ,ξi are integers.

5. Two affine bijections s and t such that s,t : L L . n → n 6. f : L L is a function of a special form: n → n

θ φ q ij +q ij qξi f(x)= βijx + αix + µ0. Xij Xi

An alternate function representation

Consider the function f introduced above. Let B be a basis of Ln where Ln is viewed as a vector space over K. Say y = f(x), where x,y L . When L is viewed as a vector space over K, ∈ n n any element in Ln (specifically x and y) can be represented as a linear combination of the basis elements b B. So we obtain x = n x b and y = n y b . i ∈ i=1 i i i=1 i i q n q n q Pq n q P m Note that x = ( i=1 xibi) = i=1 xi bi = i=1 xibi (since K has q = p q elements and p is prime),P and thus x Pwill finally containP terms linear in xi, i = δ 1,...,n. Extending this argument, x xq is linear in x , i = 1,...,n, for any 7→ i qθ+qφ integer δ. It follows that x x is quadratic in xi, i = 1,...,n, for integers 7→ θ φ n q ij +q ij qξi θ and φ. Hence, using y = f(x) = i=1 yibi = ij βijx + i αix + µ0, and equating coefficients of bi, we canP express eachP yi, i = 1,...,nPas a quadratic n n polynomial in (xj)j=1. This set of n polynomials over the n variables (xj)j=1 con- stitutes a representation of the function f.

To complete the mathematical setup, we now only need the following theo- rem: Theorem 1.1.1. [Pat96] Let L be a finite field, with L = qn with q and n ”not n | n| too large” (for example q 64 and n 1024. Let f(x) be a given polynomial in x ≤ ≤ in a field L , with a degree d ”not too large” for example d 1024. Let a be an n ≤ element of Ln. Then it is always possible (on a computer) to find all the roots of the equation f(x)= a efficiently. Several known efficient algorithms for finding roots of polynomials over finite fields are discussed in [Pat96], for eg. the Berlekamp Rabin algorithm, the linearized polynomial algorithm, the Berlekamp trace algorithm. Patarin also discusses vari- ants of these algorithms that are useful in different cases like when degree d is very

6 small, when d is not too small and when an asymptotically fast algorithm is needed. These algorithms can be used for polynomial root finding depending on the specific instance to be solved. As mentioned above, these algorithms are quite efficient: the total expected time of the linearized polynomial algorithm for example, is in O(d3n2 + m3n3 + dm2n3), and the average expected time for the Berlekamp trace algorithm is in O(mn3d2 + n2d3). We do not discuss these algorithms further, the interested reader is referred to [Pat96].

We now describe the construction of the cipher:

Message: The message M is represented by a string of n elements of K. So M = m m m ...m where m K. 1 2 3 n i ∈ For our example described below, M is a 3 bit vector over F2.

Public key:

1. Field K (F2 in our example) and length n (For our example n = 3).

2. n polynomials in n variables over Ln. These polynomials are obtained by representing the function g : L L , g = t f s by n polynomials n → n ◦ ◦ in n variables using the alternative representation described in the previ- ous subsection, where denotes function composition. Note here that since ◦ s and t are of degree 1 and f is of degree 2 in any basis, the composi- tion of these functions g will also be a quadratic function in the basis. Let

p1(x1,x2,...,xn),p2(x1,x2,...,xn),...,pn(x1,x2,...,xn) represent these n poly- nomials in n unknowns.

3. A way to put redundancy into the message M. This redundancy is needed to ensure one-one decryption. We will not elaborate on how this redundancy is added.

Private key:

1. The function f described above of degree d which is ”not too large”. In our

example, f : F 3 F 3 with d = 5. 2 → 2

2. Two affine bijections s,t. For our example s,t : F n F n 2 → 2

7 Encryption:

The message M is encrypted by setting the variables x1,x2...xn of the polynomi- als p1,p2, ..., pn to the values specified by the message M. More formally, set x1 = m1,x2 = m2, ...., xn = mn and evaluate p1(m1,m2, ..., mn),p2(m1,m2, ..., mn).....pn(m1,m2, ..., mn).

Let y denote the ciphertext. Because of the way we constructed p1, ...pn, we have y = t(f(s(m)))).

Decryption: 1 1 1 Since the encryption is y = t(f(s(m))), the decryption proceeds as m = s− f − t− (y). s,t,f are known, specifically f is known in its univariate form. The theorem 1.1 implies that this can be carried out efficiently.

Example: We demonstrate the representation of a function f having the special form men- tioned above by n polynomials in n unknowns. Note that in the actual construction of the HFE cipher, the published n polynomials in n variables actually represent g = t f s. ◦ ◦ 2 3 Consider a F 3 .The extension field F 3 can be represented by F [x]/(1 + x + x ), ∈ 2 2 2 2 3 F because (1 + x + x ) is an irreducible polynomial. We view 23 as a vector space 2 of dimension 3 over F2. Consider the basis vectors of this space as 1,x,x . Suppose 2 a = a2x + a1x + a0. 3 5 Consider a function f(a) = a + a + a . Let v = f(a). Since v F 3 , v = ∈ 2 2 3 5 2 v2x + v1x + v0. So we have v = f(a) = a + a + a = (a2x + a1x + a0) + 2 3 2 5 3 2 (a2x + a1x + a0) + (a2x + a1x + a0) mod(x + x + 1) = (a2 + a2a1 + a2a0 + 2 a1)x + (a2a1 + a1a0 + a2)x + (a0 + a2 + a1a0 + a2a0). Thus we get 3 quadratic equations in 3 unknowns: v2 = a2 + a2a1 + a2a0 + a1 = p1(a0, a1, a2) v1 = a2a1 + a1a0 + a2 = p2(a0, a1, a2) v0 = a0 + a2 + a1a0 + a2a0 = p3(a0, a1, a2)

In general, we have n quadratic equations in n unknowns vi = pi(x1, .., xn), i = 1...n. As mentioned earlier, this problem is known to be NP-hard to solve in general.

8 Difficulty of decryption when private key is not known: The difficulty of decryption relies on the well known difficulty of solving a system of multivariate quadratic equations.

Efficiency of decryption when private key is known: The only hindrance in 1 1 1 1 computing s− f − t− (y) is in computing f − . The key to the efficiency of decryp- tion is the theorem 1.1.

The algebraic attack: In general the algebraic attack seeks to determine some structure in the system of equations that makes them much easier to solve than random equations of the same size. Patarin’s HFE cryptosystem was broken by Kipnis and Shamir in [KS99]. The attack works by exploiting the fact that any given system of n multivariate polynomial equations in n variables over a field G can be represented by a single univariate polynomial of a special form over H which is an extension field of degree n over G. The authors translate the problem of solving n quadratic equations in n unknowns over a small field G into the problem of solving a very overdefined system of ǫm2 quadratic equations in m variables over a large field H, where m is a small multiple of n and ǫ is a small constant. They also introduce a new algorithm called ”Relinearization”(described in detail in later section) which is expected to solve random systems of equations of this form in polynomial time for fixed ǫ. Patarin’s HFE cryptosystem was broken independently by Faugere and Joux in [FJ03]. They exploited the observation that equations in the HFE system were ”simpler” than arbitrary equations of the same size. As explained by the authors, the structure of equations in an instance of HFE implies a relatively small upper bound on the degree of the intermediate polynomials which occur during computa- tion of the Gr¨obner basis. They prove that this bound depends on the degree of Fn the secret function f but does not depend on the size of the field 2 . On the other hand, with random systems of equations, the degree of these intermediate polyno- mials strongly depends on n. By exploiting this structure and using a fast algorithm to compute Gr¨obner basis, the authors are able to crack the HFE cryptosystem.

Brief Historical perspective: One of the early examples of the deployment the MQ(solving a complex system of

9 multivariate quadratic equations) problem in building public key ciphers was in the design of a cryptosystem in 1988, by Matsumoto and Imai, [MI88]. They designed a public key cryptosystem called C∗, in which the public key is as described earlier, an n tuple of quadratic n variate polynomials over F m , say F . An n bit message − − 2 − M is encrypted by evaluating F on M. In 1995, J Patarin [Pat95], proved that the algorithm described by [MI88] is insecure and described one of the earliest algebraic attacks. Shortly after, Patarin proposed to repair this cryptosystem and devised the HFE(hidden field equation) cryptosystem in [Pat96]. The HFE cryptosystem was also based on the difficulty of solving a system of multivariate quadratic equations over a finite field, and it was expected that breaking HFE will require exponen- tial complexity. HFE was the second attempt to design a cryptosystem based on the hardness of quadratic solvability after [MI88]. The HFE system was carefully designed to avoid the weaknesses of the Matsumoto-Imai cryptosystem, and many variants to the HFE cryptosystem were also proposed. However in [KS99], Kipnis and Shamir were able to break this scheme using the ”Relinearization” technique. Also, in [FJ03], Faugere and Joux were able to break HFE cryptosystems using fast algorithms for computing Gr¨obner basis. Other papers related to attacks on HFE are [Cou04b, Cou01, JDH07]. Recently, methods have been proposed to modify the scheme to avoid known attacks [ACDG03].

Another early example of a multivariate signature scheme was developed by Ong, Schnorr and Shamir in [OSS84] in 1984. But this system was broken by Pol- lard and Schnorr in [PS87]. Fell and Diffie published another multivariate scheme in [FD85] but observed it was insecure for any practical .

Shamir proposed two multivariate schemes in [Sha93], but Coppersmith, Stern and Vaudenay broke them in [CSV97]. Patarin came up with several new types of trapdoors, the simplest among which was the Oil and Vinegar signature scheme [Pat97], which was broken by Kipnis and Shamir [KS98].

Algebraic attacks on a public key cryptosystems based on ”braid groups”(certain special groups in algebra) are discussed in [LP03, Hug02]. In [Hug02], the author employs the ”Burau matrix representation” of the braid group and techniques from computational linear algebra to provide evidence that at least certain classes of keys

10 are weak. Cryptanalysis of public key ciphers based on polynomial reconstruction is discussed in [Cor04].

1.2 Symmetric key ciphers

1.2.1 Block ciphers

Informally, block ciphers can be described as follows: A is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plain- text data into a block of ciphertext data of the same length. This transformation takes place under the action of a user-provided secret key. Decryption is performed by applying the reverse transformation to the ciphertext block using the same se- cret key. The fixed length is called the block size. More precisely, as described by Wagner in [Wag04], a block cipher is a map E : K M M, (where as usual, M × → is the message space, K the key and E the encryption transformation) so that Ek 1 is invertible for all keys k K, and both E and E − can be efficiently computed. ∈ k k A block cipher is ”secure” if it behaves as a pseudo-random permutation: no effi- cient algorithm A given interactive access to encryption and decryption black boxes 1 should be able to distinguish the real cipher i.e. Ek and Ek− from a truly random 1 permutation (i.e. π and π− , where π is uniformly distributed on the set of all permutations on M) [Wag04]. An attack which distinguishes the cipher from a ran- dom permutation is called a ””. Usually, once a distinguishing attack is found, one can recover the secret key. In this section, we will describe the broad construction of a block cipher. Before we do that however, we briefly review Shannon’s principles of confusion and diffusion. These principles, stated more than 50 years ago, are still considered very relevant. These principles are still taken into account in the design of ciphers today. We will see examples of this in later sections. Confusion and Diffusion can be briefly explained as follows [Car06a]:

1. Confusion: Confusion aims at concealing any algebraic structure in the system. In his book ”Cryptography: Fundamentals and applications”, Massey inter- prets confusion as ”the ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst”.

11 2. Diffusion: Diffusion consists of spreading out the influence of any minor mod- ification of the input data or of the key over all outputs. Most block ciphers are constructed by repeatedly applying a simple function to the input. This approach is known as iterated block cipher. Each iteration is termed a round, and the repeated function is termed the round function. More pre- cisely, most block ciphers are product ciphers: the cipher is built as the composition of individual round transformations. We choose a round function f : M M, → compute a sequence of round keys k1, k2....kn as a function of the key k, and set E = f .... f . The function f computes one round of the cipher[Wag04]. k kn ◦ ◦ k1 Each round typically consists of possibly multiple S-boxes or ”substitution boxes” that are connected by key dependent linear transformations. S-boxes or Substitution boxes are used to obscure the relationship between the plaintext and the ciphertext. In general, an S-box takes some number of input bits and transforms them into some number(possibly different) of output bits. (Note that block length of the cipher still remains the same. Even if S-boxes change the size of the block, there are other operations performed that counter the size change). The S-boxes typically provide ”confusion” to the cipher, and the linear transformations provide the ”diffusion”. Product ciphers typically repeat a substitution layer and a linear transformation sufficiently many times in the hope of obtaining a strong cipher. The traditional methods of cryptanalysis of block ciphers are linear and dif- ferential cryptanalysis, which are based on probabilistic characteristics. This makes the security of the cipher grow exponentially with number of rounds. For example, differential cryptanalysis is based on the study of how differences in input reflect as differences in output. The attacker typically tries, given a difference in input, to trace the difference in output of each round through the multiple rounds of the cipher, and hopes to measure non-random behavior at the output, which helps at- tack the cipher. Linear attacks, discussed in more detail later, are also based on this ”statistical” approach: the attacker tries to construct probabilistic character- istics through as many rounds of the cipher as possible, in order to distinguish the cipher from a random permutation [Cid04]. Recent block ciphers, like the AES for example, were carefully designed to resist such probabilistic attacks. However, algebraic attacks focus on writing systems of algebraic equations that completely describe the block cipher, and then using newly discovered algo- rithms to solving this system and recovering the plaintext. More explicitly, specific

12 structure of the S-box in the AES for example, permits finding a small set of poly- nomial equations in the input and output bits that completely define the S-box. By combining equations written for the various S-boxes, the attacker can write a system of equations that completely describe the whole block cipher, and then try to somehow solve this system.

Brief historical perspective: Because of its importance and exciting history we discuss AES separately:

Advanced Encryption Standard(AES): The security of the AES(Rijndael) has received a lot of attention in cryptographic lit- erature. Researchers have studied the potential of algebraic attacks against AES(Rijndael) in a number of recent papers. According to Rijndael’s designers, Daemen and Rij- men, Rijndael was intentionally constructed in such a way that all its components are derived from simple algebraic functions with well studied properties [DR00]. This was motivated by the desire to be able to analyze and prove important secu- rity aspects of Rijndael. But this simple algebraic structure makes AES potentially vulnerable to algebraic attacks.

In [CP02], the authors showed that the S-boxes of both and Rijn- dael can be described by an overdefined system of algebraic equations (recall that overdefined means that the number of equations are greater than the number of un- knowns). They also introduced a new algorithm called XSL, which uses the sparsity (’small’ number of monomials in the equations) and specific structure of equations to solve them. The complexity of XSL was not clearly understood, but the authors claimed that their ”optimistic” evaluations showed that this attack might be able to break Serpent and Rijndael. These were significant claims; Rijndael was the currently proposed AES (by NIST), and Serpent had been a finalist for the same Advanced Encryption Standard. But whether these estimates for XSL are valid remains an interesting open question. A great of controversy erupted over the correctness of the arguments in the original XSL paper [CP02]. In [MR02], the authors made estimates about the use of the XSL algorithm to break AES and claimed substantial improvements over the complexity of the brute force approach. In [MR03], Robshaw and Murphy said that they did not believe that the XSL es-

13 timates had the accuracy required to substantiate claims of breaking AES. Some other cryptographers expressed disagreement with the claims made about the XSL algorithm. The cryptographer T. Moh, wrote an article [Moh02] claiming that the XSL attack is infeasible(Courtois disagrees, says no one has proved that it is infea- sible [Cou]). , noted cryptographer and mathematician (winner of RSA Security Award for Mathematics in 2002) said [Cop]: ”I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly indepen- dent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael...The method has some merit, and is worth investigating, but it does not break Rijndael as it stands.” One of the inventors of Rijndael, , commented, ”The XSL attack is not an attack. It is a dream”[Cou]. The community at large still has to come to a conclusion about this. The attack cannot be easily implemented and tested because of its great complexity. Schneier observed in his crypto-gram newsletter on the web [Sch], that ”we are not yet in an age where the attack can be tested. So, we seem to be secure from these attacks now. However if these attacks do work, we will not know until it is too late”. In [FIL03], Filiol claimed to break AES and recover some keybits; a spectacular re- sult. But in [CJJ+03], the authors claimed that this attack was incorrect.

To understand better the strength/weakness of the AES with respect to al- gebraic attacks, the algebraic structure of AES has been extensively studied. The hope is that understanding the structure of the AES will help in exploiting this structure in solving systems of equations that describe AES. Several papers discuss the algebraic structure of the AES.

In 2002, a paper by Fuller and Millan [FM02] showed that all the outputs of AES’s 8 8-bit S-box are equivalent under affine transformations, so that the 8 8 × × S-box can be considered an 8 1-bit S-box. Since the S-box is the only source of × nonlinearity in the AES and hence the only component that provides confusion to the cipher, evidence that the S-box is not as strong as was believed has increased concerns about the security of AES. Another paper by Filiol [Fil02] claimed to have detected some biases in the Boolean functions of AES, which could possibly be used to break AES. Observations such as these suggest that the AES can be completely

14 described by a system of equations that are much simpler than expected, which has implications for the resistance of the AES to algebraic attacks. Such weaknesses may also lead to other attacks against AES. In [MR02], the authors discussed the difficulty in understanding the algebraic prop- F F erties of AES, because operations in AES exist over two different fields 2 and 28 . While it is easy to define all the operations of the cipher in terms of operations over

F2, the resulting expressions quickly become messy and hard to analyze. The au- thors, Murphy and Robshaw created a cipher called BES (Big encryption standard), with the advantage that all the operations in BES are entirely described using very F simple operations in 28 . The properties of BES are closely related to the properties of the AES, since the BES is basically a generalization of the AES. By recasting the AES in this way the authors highlight some important structural features of the AES. Other papers that explore the structure of the AES include [MR00, CMR04]. In [MR00], the authors summarized some observations on Rijndael and presented an alternative view of the structure of Rijndael. In [CMR04], Cid, Murphy and Rob- shaw considered a number of aspects of the AES, and examined a few computational and algebraic aspects that could be used in the cryptanalysis of the cipher. They discussed how to express the cipher as a very large but simple system of multivariate F quadratic equations over the finite field 28 , and considered approaches on how to solve the system. Murphy, Cid and Robshaw even wrote a book on the algebraic aspects of the AES [CMR06].

Other Block ciphers: Algebraic attacks on block ciphers besides AES have been explored in the following: In [BC03], Biryukov and De Canniere compare systems of multivariate polynomials, which completely define some popular block ciphers in the view of potential danger of the algebraic re-linearization attack. In [Cou04c], Courtois surveys the attacks that exploit various types of mul- tivariate algebraic relations. He derives new, very general design criteria to avoid the existence, if possible, of ”too simple” algebraic relations. The resistance of S-boxes to algebraic attacks has been further discussed in [CL04, CDG05].

Recent developments:

15 Many interesting open questions remain about the security of block ciphers against algebraic attacks. This is currently an active area of research. Recently, there have been some important results in this area. In [Cou07b], Courtois proposed a new toy cipher called the ”Courtois toy cipher(CTC)” and followed it up with CTC2 [Cou07a]. These ciphers are very like practical block ciphers for large enough parameters. Courtois encourages people to try to break these ciphers(he can break 6 rounds of CTC and up-to 10 rounds of CTC2), and believes that attacks against these ciphers can lead to attacks on real ciphers easily enough. In [BPW05], the authors analyze some well known ciphers that are sound against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, they ciphers for which practical Gr¨obner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. They are also able to construct Gr¨obner basis for some ciphers with small computational effort which reduces the breaking of the cipher to a Gr¨obner basis conversion problem. They are also able to bound the running time of an algorithm that implements this conversion. In an important paper [CB06], the authors discuss an algebraic attack against the (DES). DES has been a popular cipher, and though NIST replaced it by AES, DES cannot be considered obsolete and triple-DES is still widely used, especially in the financial sector[CB06]. In this paper the authors claim: ”we finally show that practical algebraic attacks are in fact possible for reduced- round versions of DES. This is the first known example of a working algebraic attack on up to 10 rounds of a real-life industrial block cipher. The attack requires only one single known plaintext (instead of a very large quantity). This is an unprecedented thing that has no equivalent in any cryptographic attack ever done.” They also claim that ”though (on a PC) we recover the key for only six rounds, in a weaker sense we can break 12 full rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. Thus, if DES is susceptible to this kind of algebraic cryptanalysis, then probably nearly any other cipher is, and some may be substantially weaker.” Recently, a block cipher called KeeLoq, used in wireless devices that unlock doors in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota,

16 Volvo, Volkswagen etc was broken by Courtois and Bard in [CB07]. This attack is very significant because for the first time in history, a full round real-life block cipher is broken by an algebraic attack! Moreover, they claim that their attacks are easy to implement, have been tested experimentally, and the full key can be recovered in practice on a PC. Recently, has even created a web-page that allows people to bet on cryptographic algorithms with real money!!!

1.2.2 Stream ciphers

Stream ciphers are ciphers which encrypt plaintext bits one at a time, using an encryption function which changes over time. Stream ciphers are based on the Vernam cipher (one-time pad). In the Vernam cipher, the plaintext, which is a binary string of some length is bitwise added to a binary secret key of the same length in order to produce ciphertext. The Vernam cipher is the only cipher that guarantees unconditional security if the key is truly random and a brand new key is used for every new encryption. However it is impractical to produce a new truly random key per encryption. So in practice, in stream ciphers, a small random key is used to produce a long pseudo-random sequence (by some method) and this pseudo-random sequence is combined with the plaintext in some way to produce the ciphertext. What is shared between users now is not the entire sequence that is used for encryption but the short secret truly random key along with the method used to generate the pseudo-random sequence. This pseudo-random sequence is generated by a finite state automaton with a secret state initialized by the private key. The i-th keystream digit only depends on the secret key and the previous (i 1) − plaintext digits. Then the i-th ciphertext digit is obtained by combining the i-th plaintext digit with the i-th keystream digit. If the attacker can somehow guess the keystream, he can break the cipher. We briefly discuss here a particular method of generating the pseudo-random sequence: the Linear Feedback Shift Registers because of their popularity.

Linear Feedback Shift Registers: Linear Feedback Shift Registers (LFSR)s are used sometimes to generate the long pseudo-random sequence from the short key. Note that unconditional security is no longer guaranteed. An LFSR works

17 loosely as follows: Consider a register of length L. This register is initialized in some secret way(determined by the short random secret key described above). Af- ter initialization, the contents of the register are updated every clock cycle, typically by ”shifting” the contents of the register right by one bit, causing one bit to ”fall out” of the register at the extreme right, this being the output bit, and the leftmost bit of the register is a linear function of the current contents of the register. This linear function which is used to update the state of the LFSR(or whichever finite state automaton is used) is called the transition function. More formally, as defined in [MvOV97], a linear feedback shift register (LFSR) of length L consists of L stages (also called delay elements) numbered 0, 1, ....., L 1, − each capable of storing one bit and having one input and one output; and a clock which controls the movement of data. During each unit of time the following oper- ations are performed:

1. The content of stage 0 is output and forms part of the output sequence.

2. the content of stage i is moved to stage i 1 for each i; 1 i L 1. − ≤ ≤ − 3. the new content of stage L 1 is the feedback bit s which is calculated by − j adding together modulo 2 the previous contents of a fixed subset of stages 0, 1, ...... , L 1. − The number of stages in an LFSR is called its length. n A LFSR is said to generate a finite sequence s = s0s1s2....sn 1 if there is some − initial state of the LFSR for which the output sequence of the LFSR has sn as its first n terms [MvOV97]. The linear complexity a finite binary sequence sn is the length of the shortest LFSR that generates a sequence having sn as its first n terms [MvOV97]. There is a well known algorithm, called the ”Berlekamp Massey” algorithm that can be used to ”break” LFSRs. The Berlekamp Massey algorithm provides a way to efficiently determine the linear complexity of a finite sequence and determine the shortest LFSR capable of generating the given sequence [MvOV97]. If the linear complexity of a sequence(or the length of the shortest LFSR generating the sequence) is L, then knowing 2L consecutive bits enables the Berlekamp-Massey algorithm to recover the value of L, the initialization of the LFSR and the linear transition function.

18 S S L−1 0

x1 xi xn

f (x , x , ... , x ) 1 2 n

output

Figure 1.1: Filtering function

To avoid attacks by the Berlekamp Massey algorithm, modern ciphers use LFSRs in conjunction with filtering or combining functions. These functions com- bine outputs of several LFSRs or several bits from one LFSR to produce a keystream sequence with high linear complexity if well chosen.

Filtering function [Car06a]: A filtering function is a way to use Boolean functions to avoid attack by the Berlekamp Massey algorithm. An LFSR with a filtering function, called a filtered LFSR does not output the bit contained in the rightmost register of the LFSR but outputs f(x1, ..., xn), where f is the n variable filtering function and x1, ..., xn are bits contained in some registers of the LFSR.

Combining function [Car06a]: Combining functions are typically nonlinear functions that combine the output of several LFSRs so as to add confusion to the system. The way that a combining function works is illustrated in the figure below.

Note that though the purpose of the filtering function and the combining function is the same, the attacks conducted on the two functions are different, hence the properties that a function needs to satisfy in these two roles are often different. Also note that the transition function and the filtering/combining function are usu-

19 G k1

S 1

k2

S 2 f

KEYSTREAM k3

S 3

PLAINTEXT CIPHERTEXT

Figure 1.2: Combining function ally public and only the initialization of the finite state automaton is private.

A combiner is a specific construction of the keystream generator. A (k, l)- combiner consists of k parallel LFSRs, and the nonlinear filtering is done via an automaton with k input bits and l memory bits [AK03].

Brief historical perspective: Traditionally known attacks against stream ciphers include the inversion attack [Gol96], the conditional [And94] and the fast correlation attack [MS89a]. Various types of correlation attacks work by identifying a correlation be- tween specific output bits and a subset of the input bits. If the combining function can be well approximated by linear functions, it is easier to find statistical depen- dence between the output sequence and a subset of the input bits. In order to resist such attacks, many authors focused on proposing combining functions that will have no good linear approximations.

Algebraic attacks against stream ciphers were first discussed by Courtois, in [Cou02]. In the attack discussed in this paper, the nonlinear combining function is approximated by another function of low degree (notice that this function is nonlin- ear) and Courtois was able to reduce breaking the cipher to solving an overdefined

20 system of quadratic equations. He was also able to adapt the XL algorithm to solve this system of equations and successfully break the cipher Toyocrypt. This paper ”generalized” the danger of using functions with linear approximations to the dan- ger of using functions with nonlinear but low degree approximations. In [CM03], the authors showed that algebraic attacks on stream ciphers will apply even if there is no good low degree approximation to the combining function. They showed how to substantially lower the degree of these equations by multiplying them by well- chosen multivariate polynomials. This enabled them to substantially speed up the cryptanalysis of the cipher Toyocrypt. In the same paper, the authors described a new general algebraic attack that breaks stream ciphers satisfying all previously known design criteria far more efficiently than was previously known (in at most the root of the complexity of the previously known generic attack).

Many subsequent papers investigated algebraic attacks on stream ciphers. In [MPC04], the authors streamlined the ideas developed behind these attacks, re- ducing and simplifying the various scenarios which had been considered so far. In [Bat04], Batten generalized the theory that had been built around the Boolean function case to arbitrary finite fields. In particular, properties of Boolean func- tions were identified to quantify their resilience to such attacks. One such property- the algebraic immunity(discussed at length in chapter 2) received significant atten- tion. In [ACG+06, DT06], the authors proposed methods to efficiently compute the algebraic immunity of a function. In [LQ06], the authors constructed and counted Boolean functions of an odd number of variables with maximum algebraic immunity. In [LfQ05, BP05], the authors discussed special:”symmetric”(defined later) Boolean functions with respect to their algebraic immunity. In [CL06], the authors gave some lower bounds on the algebraic immunity of Boolean functions. In [Ars05], al- gebraic immunity of functions over finite fields was explored, properties of algebraic immunity were explored, and some bounds related to it were given. Other papers that have explored bounds on algebraic immunity are [NGG06, DGM04, NGG06]. Construction of Boolean functions with maximum immunity has been discussed in [DMS06, AK06].

Algebraic attacks and ”fast” algebraic attacks are further explored in [AA05, HR04, DGM06, Arm04, Cou03, Cou04a, AK03, FA03]. In [AK03], the authors an-

21 alyzed the keystream generator from the Bluetooth standard E0 and showed how the secret key can be recovered by solving a system of linear equations with large number of unknowns. They also extended the use of algebraic attacks to combiners with memory and provided an algorithm to construct low degree(say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream.

22 Chapter 2

Cryptographic Complexity of Boolean Functions

2.1 Important cryptographic properties of Boolean func- tions

In order to understand how Boolean functions could resist algebraic attacks, some properties were identified that quantify the resistance of a given Boolean function to algebraic attacks. These properties indicate the cryptographic complexity of Boolean functions. Some such properties are:

1. Balancedness

2. Algebraic degree

3. Nonlinearity

4.

5. Algebraic thickness

6. Algebraic immunity

7. Non-normality

8. Strict Avalanche Criteria and Global Avalanche Characteristics

23 We describe each of the above-mentioned properties below. Before we do that however, we make a small digression to discuss affine invariance and its sig- nificance because as we shall see, affine invariance is an important consideration in almost every property we consider.

Significance of affine invariance: In cryptography, a function is consid- ered weak if it can be turned into a cryptographically weak function by means of a simple transformation, e.g. an affine transformation. This is because an alge- braic attack which may be infeasible on a Boolean function f may be trivial on an affine equivalent of f, say g, and an attack on g can easily be transformed into an attack on the original function f. To illustrate this, we consider an extreme example from [MS89b]. Let us consider the number of monomials of a function as a desirable property of the function, i.e., a function with more monomials is stronger. To demonstrate that this is unsatisfactory, consider the Boolean func- tion f(x1,x2, ..., xn) whose algebraic normal form is obtained by summing up all possible product terms in x1,x2, ..., xn. At first glance this looks like a good func- tion, since it contains all nonlinear terms. However f can be written as the product f(x1,x2, .., xn) = (1+x1)(1+x2)...(1+xn) which transforms into the monomial func- tion g(x1,x2, ..., xn) = x1x2x3...xn by simply complementing all arguments. This turns f into a poor function with respect to the number of nonlinear terms and f becomes vulnerable. Thus we want the properties quantifying cryptographic complexity of Boolean func- tions to be affine invariants. Now, we discuss the above-mentioned properties.

1. Balancedness: An n variable Boolean function f is said to be balanced if − n 1 its Hamming weight is 2 − .

Motivation: Intuitively, the output of a cryptographic Boolean function should be equally distributed over 0, 1 to avoid statistical dependence be- { } tween input and output (since statistical dependence can be exploited in at- tacks). From equations A.6 and A.9 in appendix A3, we can derive an interesting link between the balancedness of a function and Walsh transforms: A function f

24 is balanced if and only ifχ ˆf (0) = 0. Balancedness is an affine invariant.

2. Algebraic Degree [Car06a, Car04b]: Every Boolean function f over the field Fn 2 can be represented uniquely by its algebraic normal form or A.N.F.

f(x)= au( xi) n uXF i Yui=1 ∈ 2 | The degree of the A.N.F of a function is called the algebraic degree of the function. For security, we want the function to possess as high degree as pos- sible.

Motivation: The complexity of the ”higher order differential attack” on block ciphers due to Knudsen and Lai [Knu94, Lai94] depend on the algebraic degrees of the Boolean functions in the cipher. Also, as described earlier, in most stream ciphers the keystream generator combines the output of one or more LFSRs by a nonlinear function to produce the keystream sequence. The linear complexity of such a sequence depends on the degree of the combining function and on the number of monomials in its ANF. These parameters determine the resistance of the produced sequence to the Berlekamp Massey algorithm [Rue86, Mas69]. Hence the nonlinear combining functions must have high algebraic degrees and many monomials in their ANF. To make this concrete, we describe an example. Consider the case of keystream

generator with combining function f. If n LFSRs having lengths L1,L2...Ln are combined by the function

f(x)= aI ( xi) I MP (n) Yi I ∈ ∈ where P (n) denotes the power set of n = 1, 2, ..., n and denotes the sum ⊕ computed mod 2; then we know from [RS87] that the sequence produced by f can be obtained by a single LFSR of length

L a ( L ) ≤ I i I XP (n) Yi I ∈ ∈

25 The algebraic degree of f has to be high so that L can have high value. As mentioned previously, if the attacker knows at least 2L consecutive bits then the Berlekamp Massey algorithm recovers the values of L as well as the secret initialization of the LFSR(hence the secret key). So, if linear complexity of the sequence L has a low value, then the function is very susceptible to attack.

Relationship between algebraic degree and Walsh transform: Proposition 2.1.1. [Lan90] Let f be an n-variable Boolean function, and let 1 k n. Assume that its Walsh transform takes values divisible by 2k. ≤ ≤ Then f has algebraic degree at most n k + 1. − Algebraic degree is an affine invariant. The degree of any function f equals that of any affinely equivalent function f A, where A is an element of the ◦ general affine group. However, in [Car06b], Carlet remarks that algebraic degree is not a suitable criterion because a function with low algebraic degree can be converted to a function with high algebraic degree by simply complementing a few bits in the truth table. This operation does not change the robustness of the function much but significantly increases the algebraic degree. Carlet identifies a new property called Nonlinearity Profile which we describe later.

3. Nonlinearity [Car03, Car06a]: The nonlinearity of a Boolean function f is the minimum Hamming distance of f to affine functions. For security, we want high nonlinearity.

Motivation: Nonlinearity is crucial because most linear systems are easily breakable by linear and correlation attacks as illustrated by [CT00, DXS91, Mat93]. Hence a Boolean function needs to have high nonlinearity to be cryp- tographically strong. Nonlinearity is an intuitive criterion: affine functions are considered the weakest functions and a strong function should be as far away from them as possible. In [Car06a], Carlet says that there is a correlation between a Boolean function n 1 f and a linear function l if dH (f, l) is different from 2 − . The nonlinearity

26 criterion can be expressed by the Walsh transform as follows: let la(x) = a x + .... + a x = a x be any linear function. According to equation 2.11 1 1 n n · we have n 1 1 d (f, l ) = 2 − χˆ (a) H a − 2 f and we deduce n 1 1 d (f, l 1) = 2 − + χˆ (a) H a ⊕ 2 f Therefore the nonlinearity of f is equal to:

n 1 1 NL(f) = 2 − max χˆf (a) (2.1) − 2 a Fn | | ∈ 2

Parseval’s relation applied to χf gives

2 2n χˆf (a) = 2 (2.2) aXFn ∈ 2

2 n and implies that the mean ofχ ˆf (a) is 2 . Since the maximum will be greater than or equal to mean, we can say:

n/2 max χˆf (a) 2 (2.3) a Fn | |≥ ∈ 2 This implies, n 1 n/2 1 NL(f) 2 − 2 − (2.4) ≤ − This bound, valid for every Boolean function, is called the universal nonlin- earity bound. Thus we see that any Boolean function has correlation with some linear functions. But this correlation should be small, since the exis- tence of affine approximations of Boolean functions in a cipher- both stream and block- make the cipher susceptible to attacks such as those described in [Mat93, DXS91, CT00].

Nonlinearity is an affine invariant by definition, since d (f L, l L)= d (f, l) H ◦ ◦ H for every function f, l and every affine automorphism L.

The functions which match the universal nonlinearity upper bound 2n 1 − −

27 n/2 1 2 − are called bent functions. Bent functions are thus maximally nonlinear functions. They are not directly useful in ciphers because they are not bal- anced.

The concept of nonlinearity has been generalized to ”Nonlinearity Profile”:

Nonlinearity Profile [Car06b]: let NLr(f) denote the distance between f

and the set of all functions of degrees at most r. We call NLr(f) the r-th

order nonlinearity of f, and the nonlinearity profile is the sequence of NLr(f) for r = 1, ...., n 1. − 4. Correlation immunity and resiliency [SM00a]: A function is said to be correlation immune if its output leaks no information about any fixed set of

input values. An n variable function f(xn, ....., x1) is said to be correlation immune (CI) of order m if P rob(f = 1 x = c , ...x = c )= P rob(f = 1) | i1 1 im m for any choice of distinct i , i , ..., i from 1, 2, ..., n and c , ..., c 0, 1 . 1 2 m 1 m ∈ { }

m-Resilient: A balanced m-th order correlation immune function is called m-resilient.

Note that to say that f is m-resilient does not mean that f is NOT k-resilient for k>m. The largest value of m such that f is m-resilient is called the resiliency order of f [Car06a].

Motivation: The property Correlation immunity was motivated by ”Corre- lation attacks” introduced by Siegenthaler in [Sei84]. We describe correlation attacks here:

Correlation attacks: Consider a in which the keystream generator is implemented as n LFSRs whose output is combined by a nonlinear combining function f, as depicted in figure 1.2. The secret key K determines the initialization of the

LFSRs. We assume that K consists of the n keys, K1, K2, ..., Kn, one for each

28 of the n LFSRs S1, ..., Sn so that LFSR Si is initialized by a secret key Ki, i 1, ..., n . We assume the key is private, and everything else is public. Say ∈ { } Mi is the number of possible subkeys Ki for the LFSR Si. Thus the number of different keys for the generator is:

n M = Mi Yi=1

The nonlinear combining function f is meant to provide ”confusion” and make the keystream difficult to predict. We desire that the cryptanalyst be forced to try an average of half of the M possible values of K before hitting on the correct key. But Siegenthaler observed that if the keystream is correlated to at least one of the LFSR sequences, say sequence of Si, then the subkey used to initialize Si, Ki can be determined using exhaustive search and this will significantly simplify the brute force attack used to find K. If the output of the keystream is correlated to one or more of the n LFSR sequences, then the cryptanalyst can attack individual LFSRs and find their subkeys. So if the keystream is correlated with sequence produced by Si, then the subkey Ki will be found in at most Mi tries. Hence by divide and conquer, the cryptanalyst can obtain the key in at most

n M ′ = M M i ≪ Xi=1 attempts.

In general, to resist correlation attack, one should ensure that there is no statistical dependence between any small subset of the n LFSR sequences and the keystream sequence. This motivated the identification of correlation immunity:

Let’s call the keystream sequence Z1, Z2, .... This sequence is determined as

Zj = f(X1j, X2j , ...., Xnj ) where X = (X , X , ...., X ) is the n tuple of LFSR output digits at time j 1j 2j nj −

29 j. Then the combining function f is m th order correlation immune if every − m tuple obtained by choosing m components from X is statistically indepen- − j dent of Zj for all j = 1, 2, 3.... This provides an alternate equivalent definition of the m th order correlation immunity defined earlier. − To summarize, Correlation Immunity is desirable for a Boolean function be- cause dependence between the input and output bits can lead to a significant reduction in complexity of the attack through the ”divide and conquer” ap- proach. Fast correlation attacks, introduced by Meier and Staffelbach in [MS89a] sig- nificantly speed up the correlation attack. In fast correlation attacks, the correct initialization of the LFSRs is found in a more efficient way, related to error correcting decoding. Another type of correlation attack, called the con- ditional correlation attack has also been discovered and explored in (among others) [And94, LCPP96, Loh03]. We will not describe these attacks further. It was found that to resist fast correlation attacks on stream ciphers, the fil- tering function needs to possess high nonlinearity as shown in [JJ99, MS88, Car06a]. In [Car06a] Carlet observes that just like filtering functions, combin- ing functions also (when used in stream ciphers) should be highly nonlinear. It was shown by Canteaut and Trabbia in [CT00] and Canteaut in [Can02] that highly nonlinear combining functions are useful to thwart fast correlation attacks as much as possible. Highly nonlinear m-resilient Boolean functions have the property that the coefficientχ ˆf (u) is very small for every vector u of hamming weight higher than, but close to, m, and this property makes fast correlation attacks as inefficient as possible.

Siegenthaler [Sei84] proved a fundamental relation between the number of vari- ables n, degree d and order of correlation immunity m of a Boolean function: m + d n. ≤ In addition, if the function is balanced then m + d n 1. ≤ −

In [Car06a], Carlet observes that resiliency has been characterized by Xiao and Massey through the Fourier and the Walsh transforms:

30 Proposition 2.1.2. [XGZ88] Any n-variable Boolean function f is m-resilient if and only if χˆ (u) = 0 for all u Fn such that w (u) m, where w (u) f ∈ 2 H ≤ H denotes the Hamming weight of u (see appendix for definition). Equivalently, f is m-resilient if and only if it is balanced and fˆ(u) = 0 for all u Fn such ∈ 2 that 0 < w (u) m. H ≤ We do not describe the proof here. A clear proof of this proposition can be found in [Car06a] as well as the original paper. Resiliency order of a function is not an affine invariant [Car06a].

5. Algebraic thickness [Car04b]: The algebraic thickness Γ(f) of a Boolean function f is the minimum number of monomials with nonzero coefficients in the ANF of the functions f A where A ranges over the general affine group. ◦ Equivalently, for every Boolean function

n ui f(x)= au( xi ) uXFn Yi=1 ∈ 2 the parameter Γ(f) is the minimum number of monomials in the ANF of the functions n ui au( (li(x)) ) uXFn Yi=1 ∈ 2

where the lis are affine functions whose linear parts are linearly independent.

Motivation: As mentioned earlier, it is desirable for a function to have many monomials in its ANF to resist known attacks [Rue86, Mas69]. However, the number of monomials in the ANF of a function is not an affine invariant. This motivated the identification of the property of ’Algebraic thickness’ which is an affine invariant.

6. k-Normality [Car04b]: Let k n. A Boolean function f on Fn is called ≤ 2 k-normal(respectively k-weakly normal) if there exists a k-dimensional flat on which f is constant (respectively affine). For security, we want non-normality. Motivation: In [Car04b], Carlet remarks that Non-normality is a natural complexity criterion to consider because ”complex functions are supposed to be

31 very different from affine functions, and since any affine function is constant on at least one affine hyper-plane, it is natural to expect from a complex function to be non-constant on any flat of some low dimension”. This complexity criterion is not yet related to explicit attacks on ciphers but this is not new: degree and nonlinearity were also identified as important cryptographic criteria before they were explicitly related to attacks.

7. Algebraic Immunity [MPC04]: Let g be the lowest degree function such that g annihilates f or f + 1, i.e. g f =0 or g (f + 1) = 0, where denotes ∗ ∗ ∗ multiplication. If g has degree d, then the algebraic immunity of function f is d. Motivation: In [CM03], the authors describe an algebraic attack by obtaining a very overdefined system of equations involving plaintext, ciphertext and key bits. We know that the cipher can be described by a system of multivariate polynomial equations in plaintext, ciphertext and key bits. The system can be attacked if the attacker is able to obtain a very overdefined system of equations from the given equations. Moreover, this attack can become very efficient if this overdefined system is of low degree. In [CM03], the authors describe how such low degree relations can be found by multiplying the output function of the cipher by a well chosen low degree function such that the product function is also of low degree. They also describe three scenarios under which such low degree relations may exist. In [MPC04], the authors collapse these into two scenarios by proving that two of the original three are equivalent. The two scenarios are as follows:

Say f has high degree.

(a) Assume that there exists a function g of low degree such that f g = h ∗ is a nonzero function of low degree. (b) Assume there exists a function g of low degree such that f g = 0. ∗ We refer to these as AA scenario 1 and AA scenario 2 respectively in the rest of this survey. There is a useful relation between these two scenarios as shown below:

32 Proposition 2.1.3. [MPC04] Assume that f g = h = 0, does hold for some ∗ 6 functions g and h of degrees at most d (AA scenario 1). Suppose in addition that g = h. Then there is a function g of degree at most d such that f g = 0 6 ′ ∗ ′ (AA scenario S3b).

Proof. We know that over F , f 2 = f, hence f g = f 2 g = f f g = f h. 2 ∗ ∗ ∗ ∗ ∗ Hence f (g + h) = 0. ∗

This argument shows we can restrict ourselves to the following two cases: 1. AA scenario 2 and 2. AA scenario 1 with g = h. But if g = h, then f g = h = g which means (f + 1) g = 0, which is AA ∗ ∗ scenario 2 for the function f + 1. The existence of algebraic attacks thus impose that neither f nor f +1 have an annihilating function of low degree. This motivated the definition of algebraic immunity given above.

In [CM03], Courtois and Meier showed that given any n variable Boolean func- tion f, it is always possible to get a Boolean function g with degree at most n such that f g has degree at most n . Thus ⌈ 2 ⌉ ∗ ⌈ 2 ⌉ AI(f) n . ≤ ⌈ 2 ⌉

In [CDGM06], the authors show that if a function has low nonlinearity then it must also have low algebraic immunity. Hence if one chooses a function with good algebraic immunity then this will automatically provide nonlinearity which is not low. Algebraic immunity is an affine invariant.

8. Strict avalanche criterion(SAC) and propagation criterion(PC) [Car06a]: For completeness, we first define the derivative of a function: Fn Let f be an n-variable Boolean function and let b be any vector in 2 . The Boolean function Dbf(x) is called the derivative of f with respect to the di-

rection b, where Dbf(x) = f(x) f(x + b), where denotes addition over

F2. L L Now we define SAC and PC:

33 Let f be a Boolean function on Fn and E Fn. The function f satisfies 2 ⊂ 2 the propagation criteria PC with respect to E if for a E the derivative ∀ ∈ Daf(x) = f(x) f(a + x) is balanced. It satisfies PC(l) if it satisfies PC with respect to theL set of all those nonzero vectors of weights at most l. The case of l = 1 is of special importance as is referred to as Strict Avalanche Cri- terion (SAC) (See appendix for definition of derivative of Boolean function).

Motivation: Propagation characteristics(SAC and PC) are useful to consider while designing cryptographically strong Boolean functions because they pro- vide ”diffusion” to the cipher. We know that Boolean functions used in ciphers need to be very sensitive to changes in inputs, and propagation characteristics quantify this intuition. The Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares [WT85] and this concept was generalized into the Propagation Criterion (PC) by Bart Preneel [PLL+90]. The SAC, and its generalizations, are based on the properties of the derivatives of Boolean func- tions. These properties describe the behavior of a function whenever some coordinates of the input are complemented. These criteria are not affine in- variants in general [Car06a].

A good Boolean function must possess a ”good combination” of the above properties to be useful in ciphers.

2.2 About the cryptographic complexity of Boolean func- tions

It is now known that random functions are almost surely highly complex. As is well known, almost all Boolean functions have high circuit complexity. This was called the Shannon effect by Lupanov [Lup70]. The Shannon effect holds for cryptographic complexity as well, as we describe below. Asymptotically, almost all Boolean functions have ”high” algebraic degrees, that is algebraic degrees (n 1). We can prove this using a simple counting argu- ≥ − ment. The number of Boolean functions of algebraic degrees at most n 2 equals n−2 n − P ( ) 2n n 1 2n 2 i=0 i = 2 − − and this number is very small as compared to the 2 Boolean functions.

34 In [OS98], Stanek and Olejar show that almost all Boolean functions exhibit high cryptographic complexity with respect to balancedness, nonlinearity, correla- tion immunity and propagation characteristics. We broadly state the results here without proof. The interested reader is referred to [OS98].

1. Balancedness: The number of balanced Boolean functions in the total number n 2n of Boolean functions over F2 is n−1 . By Stirling’s formula we get: n 2 2n 22 n  n−1 = − (1 O(2− )) [OS98]. The fraction of balanced Boolean func- 2 √π 2n 1 −  · (1 O(2−n) tions compared to all Boolean functions is − , which goes to 0 as n √π 2n−1 gos to . Thus the number of balanced Boolean· functions is negligible with ∞ n respect to the total number of Boolean functions over F2 . For most Boolean functions however, if we relax the rigidity of balancedness, we obtain some- thing interesting. The following theorem holds even if instead of the uniform distribution over all Boolean functions of n-variables, we consider the binomial distribution with arbitrary p (0, 1). Note that in the case of the uniform 1 ∈ distribution p = 2 : Theorem 2.2.1. [OS98] Let f be an n-ary Boolean function, φ(n) be an arbitrary function such that φ(n) as n and let p (0, 1). Then, →∞ →∞ ∈

p 2n 2n/2 φ(n) < w (f)

almost surely. Here wH (f) denotes the Hamming weight of f or the number of inputs x to f such that f(x) = 1.

Proof. The Hamming weight of f, wH (f) can be considered as a random variable binomially distributed over the set 0, 1, ..., 2n . Let 0 k 2n. { } ≤ ≤ Then, n 2 k 2n k P r(w (f)= k)= p (1 p) − . H  k  −

For convenience, we denote wH (f) by w. By Chebyshev’s inequality, we have

1 P r( w E(w) cσ) | − |≥ ≤ c2

where σ2 is the variance of w and c is some real number. Since w has binomial distribution, we get E(w)= p 2n and σ2 = p (1 p) 2n. Let c = φ(n) . √p (1 p) · · − · · −

35 So we get n n p (1 p) P r( w p 2 φ(n)2 2 ) · − . | − · |≥ ≤ φ2(n)

p (1 p) n n 2 Clearly φ· 2(−n) tends to 0 as n tends to . Hence P r( w p 2 < φ 2 ) ∞ | − · | n · n tends to 1 as n tends to . So, we can say that w p 2 < φ 2 2 almost ∞ | − · | · surely, which implies the statement of the theorem.

2. Nonlinearity: Olejar and Stanek show that almost all Boolean functions have ”high” nonlinearities [OS98]. Specifically, almost all Boolean functions over n− n n 1 ( 1) F have nonlinearities greater than 2 √n 2 2 . Carlet in [Car06b] 2 − − · generalizes their result to the nonlinearity profile. The best known asymptotic upper bound has been given in [CM07]:

n 1 √15 r 2 n/2 r 2 max NLr(f) 2 − (1 + √2) − 2 + O(n − ) (2.5) f ≤ − 2 · ·

3. Correlation Immunity: Similarly, Olejar and Stanek show that almost all Boolean functions are ”almost correlation immune” [OS98]. They introduce a new property called counted correlation characteristic abbreviated as CCC, which is closely related to correlation immunity and provide a lower bound for it. They prove that any n-ary Boolean function f satisfies this bound ”almost surely”(or with probability close to 1), from which they conclude that almost all Boolean functions are almost correlation immune. We will not explain this in further detail and refer the reader to [OS98].

4. Propagation Characteristics: Very few Boolean functions satisfy SAC but if we replace the strict condition of balancedness in the definition of SAC by ”near-balancedness” then there is a large set of Boolean functions which are ”strong enough for cryptographic applications”.

Carlet showed in [Car06b], that asymptotically almost all Boolean functions also have high algebraic thicknesses and are highly non-normal. In [Car04b], Carlet improved upon his previous result and showed that almost all Boolean functions n− n 1 ( 1) have algebraic thicknesses greater than 2 n 2 2 . − − · In [MPC04], the authors propose an algorithm for determining whether a given function f admits annihilators of degree d, i.e. if f has algebraic immunity ≤

36 d (Note that the algorithm becomes infeasible for values n 32 and d 6). The ≤ ≥ ≥ authors also bound the probability that a given function will have low algebraic immunity:

Theorem 2.2.2. [MPC04] There is a constant c where c 0.22, such that for any ≈ sequence d of positive integers with d c n, P r(AI(f) d ) 0,n n n ≤ ∗ ≤ n → →∞ Thus for a random function f, with a large number of inputs n 18, low alge- ≥ braic immunity is very unlikely. However, some functions that are used in ciphers, for example, degree optimized functions from the Maiorana MacFarland family, which satisfy several cryptographic complexity criteria were found to have low algebraic immunity [MPC04]. This suggests a potential tradeoff between previously known criteria like nonlinearity, correlation immunity and others with algebraic immunity.

Since a cryptographically strong Boolean function must possess a good com- bination of the above properties, it is important to understand the relationships between these cryptographic properties. Briefly here, we state a few of such rela- tions without proof.

In [Car02], Carlet nicely summarizes some of the relations between crypto- graphic properties as follows: Siegenthaler’s inequality [Sei84] states that any m-th order correlation immune function in n variables has degree at most n m, that − any m-resilient function (0 m

37 Carlet calls these upper bounds Sarkar et al.’s bound. Please see [Car02] for more details, the paper provides a very nice summary of these bounds.

Meier and Staffelbach showed in [MS89b] that maximal nonlinearity and per- fect propagation characteristics are equivalent requirements for Boolean functions with an even number of variables. However the functions that satisfy these two properties simultaneously: bent functions, are not balanced and hence not cryp- tographically strong. In [CCCF00], the authors further investigate the relation between nonlinearity(providing confusion) to propagation characteristics(providing diffusion) and conclude that highly nonlinear functions usually have good propaga- tion characteristics. They also show that most highly nonlinear functions with a three valued Walsh spectrum can be transformed into 1-resilient functions. Zheng et all first showed the following nice relation between non-normality and nonlinearity:

Theorem 2.2.3. [ZZI99] Let f be a weakly k normal Boolean function on Fn. − 2 Then, n 1 k 1 NL(f) 2 − 2 − ≤ − We do not give the proof here and refer the interested reader to [Car04b].

Dalai, Gupta and Maitra showed the following connection between algebraic immunity and nonlinearity, which we state without proof.

Theorem 2.2.4. [DGM04] If NL(f) < d n , then AI(f) d + 1 where f is an i=0 i ≤ n variable Boolean function. P 

In [Lob05], Lobanov obtained a tight bound between nonlinearity and alge- braic immunity: AI(f) 2 − n 1 NL(f) 2 − ≥  i  Xi=0 Carlet extended the above lower bound into a bound on the general r th order − nonlinearity:

Theorem 2.2.5. [Car06b] Let f be a Boolean function in n variables and let r be

38 a positive integer. The nonlinearity of order r of f satisfies:

AI(f) r 1 − − n r NL (f) 2 − r ≥  i  Xi=0

While constructing Boolean functions to be used in ciphers, it is useful to keep these properties in mind so as to identify suitable tradeoffs.

39 Chapter 3

Algebraic attacks against symmetric key ciphers

3.1 Algebraic attacks against stream ciphers

3.1.1 Conventional attacks against stream Ciphers

We briefly describe one of the conventional methods of attacking stream ciphers so that its method might be contrasted with algebraic attacks described later.

Linear Consistency attack: This attack was introduced in [ZYR89]. The attack is possible if one can separate out some portion of the secret key, say K1 and write a linear system Ax = b where the matrix A depends on K1 alone, and the attacker has access to keystream bits in vector b. Then an exhaustive search for K1 can be performed and the correct value for K1 can be determined by plugging each value into the linear system and checking if the system is consistent. Once K1 is recovered, the whole key can potentially be recovered via divide and conquer. This attack has been applied to various stream ciphers as in [FL01, ZYR89]. Other traditional attacks on stream ciphers are discussed in [BD00, WB02, GBM02, Mul04, CHJ02].

40 3.1.2 Setup for algebraic attack

We present in this section a description of a working algebraic attack against a stream cipher. We consider specifically additive stream ciphers, in which the ci- phertext is obtained by adding bitwise the plaintext to the keystream. We consider a simplified version of the classical construction of the keystream generator: the generator uses one(typically several) LFSR to implement the linear transition func- tion L and a highly nonlinear Boolean function f for the filtering function. Note that f or L do not depend on the secret key.

3.1.3 The problem of cryptanalysis

Both L and f are public, only the state of the LFSR is secret.

Let (k0, k1...kn 1) be the initial state of the LFSR. Then the generated keystream − bits are given by:

b0 = f(k0, k1, ..., kn 1) −

b1 = f(L(k0, k1, ..., kn 1)) −

b2 = f(L(L(k0, k1, ..., kn 1))) − and so on where bi indicates the bit generated at time slot i. Some of these output bits bi might become known to the cryptanalyst. The problem of cryptanalysis is to recover the key k = (k0, k1, ..., kn 1) from some subset of these output bits bi. −

This is considered a hard problem since, as mentioned previously, the problem of solving systems of multivariate polynomial equations is NP-complete even if all the equations are quadratic and the field is F2. When the number of equations is equal to the number of variables, the best known algorithms are exhaustive search for small fields, and Gr¨obner bases algorithms which have exponential complexity.

3.1.4 The attack

If the attacker can exploit some inherent algebraic structure of the cipher to get equations that are overdefined or sparse or have some other similar nice property, then the system of equations becomes much easier to solve than expected.

41 The attack we describe below is due to Courtois and Meier [CM03], and is based on solving ”overdefined” systems of equations of low degree. This is a partially known plaintext attack, i.e. we know some bits of the plaintext and corresponding ciphertext bits. The bits do not need to be consecutive. We assume that we have some m bits of the keystream bi at some known positions.

At time t, the current keystream bit gives an equation f(s)= bt with s being the current state of the LFSR. The function f(s) is usually of high degree, but we multiply it by a well chosen multivariate polynomial g(s), such that we get the product say h(s). So if b = 0, f(s) = 0, hence f(s) g(s) = 0 and we can use AA scenario 1 (refer t ∗ to motivation for Algebraic immunity in section 3) to get a low degree equation h(s) = 0. If bt = 1, we can use AA scenario 2 to get bt = f(s) = 1, hence f(s) g(s) = g(s). But f(s) g(s) = 0 hence g(s) = 0. To make this more formal, ∗ ∗ consider:

For each known keystream bit at position t, bt, we have the equation

f(s)= bt

t f(L (k0, k1, ..., kn 1)) = bt − Multiplying both sides by a well chosen polynomial g(s), we get

t t t f(L (k0, k1, ..., kn 1))g(L (k0, k1, ..., kn 1)) = btg(L (k0, k1, ..., kn 1)) − − −

t t If bt = 0, then f(L (k0, k1, ..., kn 1))g(L (k0, k1, ..., kn 1) = 0, and we use scenario 1 − − so that LHS is of low degree. If bt = 1, then we use scenario 2 to get LHS =0= t g(L (k0, k1, ..., kn 1) and we know RHS is of low degree. We get one multivariate − equation for each keystream bit. Given m keystream bits, let R be the number of multivariate equations of degree d, and with n variables ki. With one g, we get R = m. But if we use several different gs for the same f, we can get R>m. Thus we obtain a very overdefined system of multivariate equations, that can be solved efficiently using techniques like Relinearization, XL etc. which are discussed later in detail.

42 3.2 Algebraic attacks against block ciphers

Algebraic attacks were quite devastating for public key and stream ciphers. The question that many people started asking is: do these types of attacks matter also for block ciphers? First we describe some conventional attacks on block ciphers, again to contrast with algebraic attacks.

3.2.1 Conventional methods of cryptanalysis against block ciphers

Differential attacks [BS91b]: Differential cryptanalysis is a method which anal- yses the effect of particular differences in plaintext pairs on the differences in the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. For a successful differential cryptanalysis attack, the cryptanalyst needs to know an input difference pattern that propagates to an output difference pattern over all but a few rounds of the cipher, with a large enough probability(This probability is known as the difference propagation probability). The attacker generally proceeds by encrypting some plain- text, then making particular changes to that plaintext and encrypting it again. The attacker then observes the corresponding differences in the ciphertext and attempts to measure non-random behavior which will help in determining the key. Differential analysis is explored in [YLH98, BS91b, Mat99, KCP00, BS91a]

Linear attacks: Linear attacks were introduced by Mitsuru Matsui in [Mat93]. Basically, the attack works by attempting to find linear approximations of the equations that describe the cipher. Given plaintext and ciphertext pairs, simple linear approximations are created for the relations involving the plaintext, ciphertext and keybits, from which it is easy to derive the key. Those approximations that tend to hold true are likely to have the value of the key for the real cipher, and as more and more plaintext-ciphertext pairs are obtained, approximations get better and better, and it gets more and more likely that the real key has been found. Linear Cryptanal- ysis of a block cipher starts by finding approximate linear expressions for S-boxes then extends these expressions to describe the entire cipher(as was done for the DES cipher by Matsui). These linear expressions are then solved to obtain probable key- bits. Linear attacks are discussed in [Mat94, MY92, KR94, YT95, HKM95, TSM95]. A nice survey on linear and differential attacks can be found in [Key02].

43 3.2.2 How block ciphers resist conventional statistical attacks

Thus, conventional methods of attacking block ciphers like linear and differential cryptanalysis, use the ”statistical” approach of tracing observed patterns between input-change and corresponding output-change through multiple rounds, and mea- suring non-random behavior at the output. We briefly describe here the Wide trail strategy, which has been successfully used by AES designers to resist statistical attacks such as those described above. As described in [DR02], in the ”wide trail strategy”, the round transformations are composed of two invertible steps:

1. A local non-linear transformation, i.e. a good s-box. This component provides ”confusion”.

2. A linear transformation that spreads influence of modification in input over all output. The way it achieves this is by breaking the block into further ”bundles” of bits. The transformation combines the bundles linearly so that each bundle at the output is a linear function of bundles at the input. This ensures that change in the input bits is spread over a large number of the output bits, providing ”diffusion” and confusing statistical analysis.

A new generation of block-ciphers (among them the Advanced Encryption Standard (AES) Rijndael) were designed to resist statistical attacks, in particular linear and differential attacks. The task of designing ciphers immune to statistical attacks is made easier by the fact that the complexity of the attacks grows expo- nentially with the number of rounds of a cipher. This ensures that the data and the time requirements of the attacks quickly become impractical.

3.2.3 Algebraic attacks on Block ciphers

Basic Idea: In contrast, algebraic attacks exploit the intrinsic algebraic structure of the cipher. The attacker is able to express the encryption transformation as a large set of multivariate polynomial equations, and subsequently attempt to solve such a system of equations to recover the encryption key.

Where do these equations come from? As discussed earlier, many block ciphers are built using multiple S-boxes(that provide confusion) that are intercon-

44 nected using simple linear transformations(that provide diffusion). The operation of S-boxes can be represented by a system of nonlinear equations. New equations can be added to represent the linear transformations that connect these S-boxes and a system of equations that describes the entire cipher can be obtained. S-boxes often form the only source of non-linearity in a cipher and therefore (usually)provide the main difficulty in solving the system of equations efficiently. S-boxes are therefore typically carefully chosen to avoid explicit low degree relations involving plaintext, key and ciphertext bits. However, sometimes implicit low de- gree relations might occur. For example, typically combining relations of a certain degree results in equivalent but even more complex new relations which are not use- ful at all. But sometimes, intelligent combining of existing relations might result in new ”simplified” relations; like relations with lower degrees for example. In [CP02], the authors discuss that the ciphers ”Serpent” and ”Rijndael”, for different reasons, have S-boxes that can be completely represented by ”simple” algebraic equations. Building on recent progress in Relinearization techniques(discussed later), the au- thors argue that a method called XSL might provide a way to effectively solve such equations and recover the key from a few plaintext-ciphertext pairs. How are these methods different from statistical methods? As dis- cussed in [BC03], the algebraic attack method differs in the following respects from the standard statistical approaches to cryptanalysis: (a) it requires only few known-plaintext queries; (b) its complexity doesn’t seem to grow exponentially with the number of rounds of a cipher.

Structure of Algebraic attacks: In [Cou04c], Courtois suggests the following three stages in attacking block ciphers: 1. Write an appropriate initial system: Write a system of equations that, given one or several known , uniquely characterizes the key. This system should be as over-defined and as sparse as possible. This can be measured by

the initial ratio Rini/Tini between the number of equations Rini in the system

and the total number of monomials Tini that appear in it. It is not clear what is the optimal setting for algebraic attacks. Note that we care about number of monomials in these equations because the XSL method described

45 later can attack systems of equations with a small number of monomials(sparse equations).

2. Expand it: The second step is an expansion step. The goal is, starting from

the original Rini equations with Tini monomials, to produce (for example by multiplying the equations by some well chosen polynomials) another (much bigger) set of R equations with T monomials. The goal is to have the new ratio R/T close (or bigger than) 1.

3. Final in place elimination: The final step should be an in place elimination method that given an almost saturated system with R/T close to 1, finds a solution to the system.

How to avoid algebraic attacks on block ciphers: In [Cou04c], Courtois proposes that to avoid algebraic attacks on Block ciphers, the S-boxes of the block cipher should avoid the existence of ”too simple” algebraic relations. The exact definition of ”simple” that would prevent all algebraic attacks on block ciphers is not obvious to give. But for example, systems that are too overdefined or too sparse should be avoided. Courtois says that this should not be too hard to achieve. He says that using random S-boxes on 8 bits should be about sufficient to achieve 128 bit security(though not for sure). He recommends to construct bigger S-boxes that have no algebraic relations starting from random bijective 8-bit S-boxes, and for higher security requirements random S-boxes of at least 16 bits be used.

46 Chapter 4

Solving systems of multivariate equations

4.1 The Quadratic Solvability problem

As we described earlier, algebraic attacks are especially relevant against ciphers that use the hardness of the problem of solving multivariate polynomial equations as basis for security. We also mentioned that this problem (called MQ), is NP Complete. Here we provide the reduction of MQ from 3-SAT [HPS93]. Let p be a fixed prime. We consider the following problem: an instance is a set of polynomial equations P of degree at most two in n unknowns over Fp, P (x , ..., x )=0 for i 1, 2, ..., s. i 1 n ∈ The problem is to find an assignment to the variables which satisfy the equations.

Theorem 4.1.1. [GJ79] MQ is NP complete over any finite field.

Proof. We show a polynomial time reduction from 3SAT to MQ in F2. We are given a conjunction of clauses C C C ..., each of the form C = t t t where the 1 ∧ 2 ∧ 3 i i1 ∨ i2 ∨ i3 ti’s are either positive or negated variables. We write 3 equations for each clause

Ci:

1. yi = ti1 + ti2 + ti3 (an odd number of terms are true)

2. zi = ti1ti2 + ti1ti3 + ti2ti3 (at least two terms are true)

3. yi + zi + yizi = 1 (one or both of the above must be satisfied)

47 where if tj is a positive variable xj, then we use directly xj in the equations above, otherwise (1 x ). − j If we want a field bigger than F2, than we need to add additional equations of the form x (1 x ) = 0 for each variable. This will force 0/1-values in the solution. j − j

4.2 Methods of solving systems of multivariate polyno- mial equations:

We know that algebraic attacks rely on being able to exploit some intrinsic algebraic structure of the cipher to set up a feasible system of equations involving the plaintext, ciphertext and key bits, and then endeavor to solve this system. Briefly discussed here are some of the main ideas and algorithms used to solve such systems. We provide only a brief overview of each method and refer the reader to the appropriate papers for detailed algorithms.

1. Linearization method.

2. Relinearization

3. XL method

4. XSL method

5. Gr¨obner basis techniques

6. SAT solvers

7. ”Gluing” algorithm

4.2.1 Linearization

Linearization is a technique for solving very overdefined systems of quadratic equa- tions. It works by substituting each nonlinear term by a new variable, thus convert- ing a nonlinear system of equations into a linear system with many more unknowns. If the system is sufficiently overdefined, then it can be solved by standard methods such as Gaussian elimination. More precisely, consider a system of m = ǫn2 quadratic equations in n vari- ables. We substitute every quadratic term by a new variable, to get n(n + 1)/2

48 new variables. Now we have a linear system of ǫn2 equations in n2/2 new vari- ≈ ables which can be solved by using Gaussian Elimination if m = n(n + 1)/2, or equivalently if ǫ 0.5. ≥ But since ǫ < 0.5 in real applications, the number of equations is often not big enough and the linear system has exponentially many solutions which do not correspond to solutions of the original quadratic system.

4.2.2 Relinearization

[CKPS00] At Crypto 99, Kipnis and Shamir introduced a new method for solving overdefined systems of polynomial equations, called Relinearization. It was designed to handle systems of ǫn2 quadratic equations in n variables where 0 ǫ 1/2. ≤ ≤ Relinearization starts as does linearization, that is by replacing quadratic terms by new variables. (For every x x , i j, create a new variable y ). Given i j ≤ ij this system of linear equations in the yij, one adds additional nonlinear equations which express the fact that these variables are related rather than independent. For example, we can take any 4-tuple of indexes

1 a b c d n ≤ ≤ ≤ ≤ ≤ and form new equations based on the commutative property

(x x )(x x ) = (x x )(x x ) = (x x )(x x )= y y = y y = y y a b c d a c b d a d b c ⇒ ab cd ac bd ad bc

Thus we have increased the number of equations, though these new equations are nonlinear. To make them linear, one applies linearization again. Kipnis and Shamir used Relinearization to attack the HFE cryptosystem based on the observation that any given system of n multivariate polynomials in n variables over a field F can be represented by a single univariate polynomial of a special form over K which is an extension field of degree n over F .[KS99] However the technique of Relinearization is quite general and may be applied to other ciphers as well. The problem with Relinearization is that we might get linearly dependent equations if ǫ is ”too small” (for eg. ǫ< 0.1). For more details, we refer the reader to [KS99].

49 4.2.3 XL algorithm

[CKPS00] The XL(eXtended Linearization) technique can be viewed as a combi- nation of bounded degree Gr¨obner bases and linearization. XL was introduced by Courtois, Klimov, Patarin and Shamir in [CKPS00]. As explained by [CKPS00], the basic idea of this technique is to generate from each polynomial equation a large number of higher degree variants by multiplying it with all the possible monomials of some bounded degree, and then to linearize the expanded system. The authors claim that this simple technique is at least as powerful as Relinearization.

The XL algorithm is described in [SKI06] as follows: Let K be a field, and let A be a system of multivariate quadratic equations l = 0; (1 k m) where each l is the multivariate polynomial f (x , ....., x ) b . k ≤ ≤ k k 1 n − k The problem is to find at least one solution x = (x , ...... , x ) Kn, for a given 1 n ∈ b = (b , ...... , b ) Km. 1 m ∈ Let D N. We consider all the polynomials x l of total degree D, and call ∈ j ij ∗ i ≤ the set of all such polynomials P . Q Let I be the set of polynomials spanned by P , i.e. I = u u = α p where D D { | i i i} α K and p P . P i ∈ i ∈ The idea of the XL algorithm is to find in some ID a set of equations which is easier to solve than the initial set of equations A.

This is the authors’ description of the XL algorithm:

1. Multiply: Starting with equations l = 0 A, multiply both sides of the i ∈ equations to generate all the products k x l I with k D 2 on j=1 ij ∗ i ∈ D ≤ − the LHS. This gives us a new set of equations.Q

2. Linearize: Consider each monomial in x of degree D as a new variable and i ≤ perform Gaussian elimination on the equations obtained in 1.

3. Solve: Assume that step 2 yields at least one univariate equation in the pow-

ers of x1. Solve this equation over the finite fields (e.g. with Berlekamp’s algorithm).

4. Repeat: Simplify the equations and repeat the process to find the values of the other variables.

50 The XL algorithm is very simple, but it is not clear for which values of n and m it ends successfully, what is its asymptotic complexity, and what is its relation- ship to Relinearization and Gr¨obner base techniques. But the authors claim that despite it’s simplicity, XL may be one of the best algorithms for randomly generated overdefined systems of multivariate equations.

4.2.4 XSL method

XSL stands for ”Extended Sparse Linearization” or more clearly ”Multiply (X) by Selected Monomials and Linearize”. The XSL algorithm uses the sparsity of equations and their specific structure to attack the system. The XSL algorithm was created by Courtois and Pieprzyk in [CP02]. In their paper, the authors describe the XSL attack specifically against what they call ”XSL ciphers”. The attack has broad implications however, and can be extended to other block ciphers as well. This paper created a lot of controversy. The authors expressed Rijndael as a sparse and overdefined system of multivariate quadratic equations over F2, and suggested XSL to solve this system exploiting its overdefined-ness and sparseness. However, the complexity of XSL is not clearly understood and there is no full scale implementation of the attack. But the simple algebraic structure of Rijndael has caused insecurity since this attack was published, and even if the attack is impractical now, it might have implications for the future.

An XSL cipher is a composition of Nr similar rounds:

X The first round i = 1 starts by XORing the input with the session key Ki 1 − S Then we apply a layer of B bijective S-boxes in parallel, each on s bits, L Then we apply a linear diffusion layer,

X Then we XOR with another session key Ki . Finally, if i = Nr we finish, otherwise we increment i and go back to step S. The authors loosely describe the main idea of the algorithm as follows: First we start from the initial equations of each S-box of the cipher with r equations and t terms and write a system of quadratic equations that completely define the secret key of the cipher. To exploit the sparsity of the system, we need the total number of linearly independent equations to be roughly equal to the total number of monomials that appear. The sparseness should then help reduce the total number

51 of new terms we introduce

4.2.5 Gr¨obner basis techniques

Gr¨obner basis techniques are the standard techniques used to solve systems of mul- tivariate quadratic equations, and have been studied intensively. Gr¨obner basis were first introduced by Bruno Buchberger in his PhD dissertation work in 1965. They are named after his advisor Wolfgang Gr¨obner. Gr¨obner basis theory is applied in the following way:

[Buc06] Given a set F of polynomials in κ[x1,x2, ...xn] that describes the problem at hand, we transform F into another set G of polynomials ”with certain nice proper- ties” (called the Gr¨obner basis) such that F and G are equivalent. The motivation for this conversion comes from the fact that because of the useful properties of Gr¨obner basis, some problems which are hard to solve for F might be easier to solve for G.

Definition. Gr¨obner Basis: A set of polynomials g1, g2, ..., gt is a Gr¨obner basis if for any polynomial f, we can write f = i higi + r for polynomials h1, h2, ..., ht such that: P

1. r = 0 if and only if f < g , g , ..., g >, where < g , g , ..., g > denotes the ∈ 1 2 t 1 2 t ideal generated by functions g1, g2, ..., gt.

2. r is uniquely defined.

Buchberger’s algorithm converts a given basis f1,f2, ..., ft into a Gr¨obner basis g1, g2...gt such that < f1,f2, ...ft >=< g1, g2, ...gt >, where < g1, g2, ..., gt > denotes the ideal generated by functions g1, g2, ..., gt. For a clear and understand- able introduction to Gr¨obner basis, we refer the reader to [Stu05]. However, such techniques do not exploit the overdefinedness of a given system as they proceed by eliminating sequentially a single monomial from a particular pair of equations. They have exponential running time and hence cannot be used for cryptanalysis. The cryptographically important case of using Gr¨obner basis techniques to solve multivariate systems of quadratic equations did not receive enough attention un- til fairly recently(we discuss this later). Faugere suggested new and efficient ways to compute Gr¨obner basis in his F4 and F5 algorithms. Efficient computation of

52 Gr¨obner basis has had implications for algebraic attacks as explored in the follow- ing papers:[BPW05, FA03, FJ03, CMR05]. In particular the F4 algorithm was used to break the HFE cryptosystem in [FJ03]. A relation between the XL algorithm and Gr¨obner basis algorithms has been studied in [SKI06].

4.2.6 SAT solvers

Recently, methods have been studied to convert low degree sparse multivariate equa- tions into a CNF-SAT problem. This might seem useless, since CNF-SAT is an NP- complete problem itself. However, in recent times, several heuristic methods have been developed to solve the CNF-SAT problem, for example MiniSat[ES03] and Chaff [MMZ+01]. A nice primer on SAT solvers is provided in [Mit05]. This ap- proach is motivated by the observation of the authors Bard, Courtois and Jefferson in [BCJ07], that ”no polynomial-system-solving” algorithm demonstrates that a sig- nificant benefit is obtained from the extreme sparsity of some systems of equations.” The authors therefore study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability(CNF- SAT) problem. They claim that a direct application of this method gives very efficient results: they show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than exhaustive search if the system is sparse enough. Methods to convert the MQ problem to CNF-SAT and subsequent solving of CNF-SAT using SAT-solvers have been discussed at length by Bard in his PhD thesis[Bar07].

4.2.7 ”Gluing” Algorithm

In [RS06], Raddum and Samaev take a different approach to the problem of solving non-linear equation systems, and propose a new method for solving them. Their method differs from the others in that the equations are not represented as multi- variate polynomials and that the core of the algorithm for finding the solution can be seen as message passing on a graph. Bounds on the complexities for the main algorithms are presented and they compare favorably with the known bounds.

53 Chapter 5

Explicit Constructions of Boolean functions with Important Cryptographic Properties

The known methods for design and construction of Boolean functions and S-boxes can be categorized into these main types of techniques:

1. Algebraic construction

2. Heuristic design

5.1 Algebraic construction

Boolean functions can be directly constructed in two broad ways: bit-by-bit and recursively. Bit-by-bit methods, also called primary construction methods generate the entire truth table of a Boolean function. The truth table is created to satisfy some constraints and these constraints ensure that the constructed function satisfies some predetermined property(ies). Such methods however, tend to become infea- sible very quickly for larger number of inputs. Recursive constructions, also called secondary constructions start with existing functions that satisfy a property and then combine them to obtain a new function with more inputs that also satisfies the

54 property. To understand how smaller functions might be combined to create a bigger Fn Fm function, consider 2 functions, say f on 2 and g on 2 that satisfy some property Fn+m (for e.g. high nonlinearity). Now create a new function h on 2 in some way that preserves the property. For example, a crude way to construct h would simply be h(x,y)= f(x) g(y), with x Fn and y Fm (Note: This example is provided ⊕ ∈ 2 ∈ 2 to illustrate the basic idea; this crude construction of h does not claim to preserve nonlinearity). One method of constructing bigger functions from smaller ones is con- catenation, meaning concatenation of truth tables. To define it, let f ,f : Fn F 1 2 2 → 2 and g : Fn+1 F ,y F . We define g as : g(z) = (y + 1)f (x)+ yf (x) where 2 → 2 ∈ 2 1 2 z = (y,x). Clearly, g(0,x) = f1(x) and g(1,x) = f2(x). In [Sei84], Siegenthaler showed that if f1,f2 are m-th order correlation immune, then so is g. Concatenation is popularly deployed in the construction of functions. Some special classes of functions- the Maiorana McFaland class for example- use concatenation in the construction of functions. The Maiorana-McFarland construction is based on the concatenation of affine functions. The Maiorana-McFarland function f : Fn F 2 → 2 takes the form [KTLG05]:

f(x)= g(x0, ...., xk 1) + (xk, ...., xn 1) φ(x0, ..., xk 1) − − · −

k k n k where g : F F and φ : F F − and f and φ are linear functions. Sarkar 2 → 2 2 → 2 and Maitra showed in [SM00a] that if we replace one of the linear functions in the above construction by a nonlinear function, we obtain resilient functions with high nonlinearity.

A related method of secondary construction is to start with a suitable func- tion and modify it to improve it’s properties. Modification of a given function might mean for example, complementing a few bits in its truth table. Constructing func- tions starting with a function from the Maiorana-McFarland class was quite popular [Pas03, GS05]. However, Carlet pointed out in [Car02] that functions constructed by modifying a Maiorana-McFarland class function may be weak since the derived functions obtained by fixing certain input bits of these functions are affine. To avoid this potential weakness, Carlet introduced a natural extension of the Maio- rana McFarland class: the Maiorana McFarland superclass. In [ZH05], Zeng and Hu construct balanced Boolean functions with high nonlinearity and optimum algebraic

55 degree by modifying functions from this superclass. Useful studies of the properties of functions belonging to the Maiorana McFarland class have been conducted in [Car04a, Pas06].

We give some examples here of the various ways in which construction of cryptographically strong Boolean functions has been approached. The following discussion (on algebraic construction) is by no means comprehensive, a complete discussion of this vast body of literature is beyond the scope of this survey. A good discussion on algebraic construction of cryptographically strong Boolean functions can be found in [Car06a].

In [KMI91], the authors propose a recursive construction method to construct ”strong”(with respect to avalanche criterion) S-boxes of arbitrary size when given as input ”strong” S-boxes of size 3 (i.e. 3 bit input). In [Tar01], the author introduces a matrix of special form, called proper matrix, and uses it for constructing cryptographically strong Boolean functions. In [FT01], the authors further explore the properties of proper matrices, obtain bounds for its important parameters and construct m-resilient n variable Boolean functions with maximum possible nonlinearity for particular values of m that supersede the previous construction. In [KG03], the authors present constructions based on the theory of geometric sequences by Klapper, Chan and Goresky [AAG93]. They start with a plateaued (n 1) 1-resilient function (a 1-resilient function whose Hadamard transform only − takes values 0, 2(n+1)/2) and from any one such function, they are able to obtain an ± infinite number of 1-resilient plateaued functions by applying the geometric sequence construction of [AAG93]. In [SS04], the authors use partially defined Boolean functions(PDBF) to gen- erate cryptographically strong Boolean functions. A PDBF, as they define it, can be considered as a Boolean function with some undefined values, i.e. it’s values are from the set 0, 1, ? . They generalize some known properties of Boolean functions { } like balancedness, nonlinearity, propagation characteristics to these functions and show that the usual relationships among these properties hold for these generaliza- tions as well. They then apply the results in methods for generating strong Boolean functions.

56 In [CY05], the authors generalize the techniques used in MacWilliams’ and Sloane’s presentation of the Kerdock and develop a theory of piecewise quadratic Boolean functions. This generalization leads them to construct large families of po- tentially new bent and cryptographically strong functions from quadratic forms in this piecewise fashion. Another flavor of methods used in the generation of functions is the so- called search methodology. Search methods typically find a small subset of Boolean functions using combinatorial techniques and then perform exhaustive search over the reduced domain. For example, in [KTLG05], the authors describe some con- structions based on finite fields. They present an efficient search algorithm that exhaustively searches for highly nonlinear resilient Boolean functions with optimum correlation properties from among special classes of functions called ”preferred” functions. Search methods are usually used in conjunction with recursive construc- tion methods: searching is used to find suitable functions which are then combined to create better functions.

Algebraic methods are very good for constructing functions with certain spe- cific properties, but they do not in general perform well for properties that were not considered during construction. For example, some functions constructed from the Maiorana-McFarland class which were considered strong were suddenly found to be vulnerable when algebraic attacks were introduced. This is because ’algebraic immunity’ which quantifies the resistance of functions to algebraic attacks was not identified at the time these functions were constructed and they were not designed to have high AI. [MPC04].

5.2 Heuristic Design

Heuristic techniques like Simulated Annealing and Genetic algorithms have enjoyed much success in Computer Science despite little theoretical backing. Consider an optimization problem P . A heuristic search algorithm will look for a solution to P by ”implicitly defining a search graph on possible solutions to P , and using some (often randomized) method for moving along the edges of this graph in search of good quality solutions” [Imp01]. Some years ago, these methods became popular in the generation of cryptographically strong functions. We briefly describe below

57 some main flavors of heuristic design as deployed in Boolean function generation.

A word on optimization techniques: Optimization techniques work ei- ther with a single candidate solution or with a population of candidate solutions. Techniques working with a single solution are called local techniques, and those working with many solutions are called global solutions. The optimization is carried out with respect to some ‘cost function’ that measures how ‘good’ a candidate is [CJ00].

1. Genetic algorithm: The Genetic Algorithm (GA) mimics the natural pro- cess of evolution; the ”genes” are a population of solutions to the problem at hand. It then uses a ”breeding scheme” to combine solutions and create new ones. The breeding scheme usually combines ”better” solutions according to some criteria, in some manner to produce new solutions. This is motivated by the hope that new solutions will be better than the older ones. Genetic algorithms can be considered to have the following outline as described by Obitko [Obi]:

(a) Start Generate a random population of n chromosomes (suitable solutions for the problem). (b) Fitness Evaluate the fitness f(x) of each chromosome x in the population. (c) New population Create a new population by repeating the following steps until the new population is complete: Selection Select two parent chromosomes from a population according to their fitness (the better fitness, the bigger chance to be selected) Crossover With a crossover probability cross over the parents to form a new offspring (children). If no crossover was performed, offspring is an exact copy of parents. (d) Mutation With a mutation probability mutate new offspring. (e) Accepting Place new offspring in a new population. (f) Replace Use new generated population for a further run of the algorithm. (g) Test If the end condition is satisfied, stop, and return the best solution in current population.

58 (h) Loop If the end condition is not satisfied, go to step (b).

The most important steps in the above outline are crossover and mutation. Crossover selects genes from parent chromosomes and creates a new offspring. The simplest way how to do this is to choose randomly some crossover point and everything before this point copy from a first parent and then everything after a crossover point copy from the second parent. Mutation is to prevent all solutions from falling into a local optimum of the solved problem. Mutation randomly changes the new offspring.

In our context, a gene/chromosome is represented by the truth table of a function in binary format, i.e. each gene is a binary string that represents the truth table of the function. Fitness of the function is evaluated using the cri- teria we have been discussing: Algebraic immunity, thickness, balancedness et all. During crossover, a random point is picked in the binary string represent- ing each of the parents and the value beyond that point is swapped between the two parents. More sophisticated techniques to ”mate” are also used in practice. Mutation introduces some randomness into the pool of solutions. A possible method of mutation is to complement a random subset of bits in the string representing the function. The genetic algorithm approach as applied to Boolean function generation has been explored in [MCD97a, MCD98, DG03] (among others).

2. Hill Climbing: The Hill Climbing technique uses the fact that small truth table changes have predictable effect on properties that we are interested in (like nonlinearity, resiliency etc) . Due to this, we can make small incremental changes to the truth table carefully, modifying the properties of the function to make it more appropriate for our needs. This method typically changes truth table entries in pairs, with the constraint that the values of the 2 en- tries being complemented are not the same, so that the hamming weight of the function is maintained. In [MFD03], the authors categorize these pairs of entries into the following three categories: improvement, static and reduction. In the improvement category, complementing the pair improves nonlinearity, in the static category, complementing the pair does not change nonlinearity and in the reduction category, complementing the pair reduces nonlinearity.

59 So there are variants of the hill climbing technique that iteratively complement all the pairs in the improvement set to get new functions with higher nonlin- earity or complement pairs in the static set to obtain different functions that have the same nonlinearity but that might hopefully be better with respect to other characteristics. The authors also discuss the difference between strong and weak hill climbing introduced in [MCD97b] and [MCD99] respectively: Strong hill climbing iteratively improves the function until the improvement set of the current function is empty or maximum number of iterations have been implemented. Weak hill climbing differs in that in any iteration the non- linearity of the function does not necessarily increase but must not decrease. In [MFD03], the authors also propose a new adaptive strategy called Dynamic Hill Climbing which they describe as ”a truly adaptive technique because it decides to implement either strong or weak hill climbing depending on the classification of the current function”.

Thus, Hill climbing methods generally start with some function and make iterative improvements. They will typically find the ”local maxima” of the design space. Hill climbing to construct strong Boolean functions is explored in [MFD03, MCD97b, MCD99]. A problem with these methods is that they can get ”stuck in local optima”, meaning that once at the local optimum, the algorithm will stop changing the function, thus potentially missing a better function that is separated from the current function by a few weak functions. This is avoided by techniques like simulated annealing which we describe next.

3. Simulated Annealing: Simulated Annealing is a method motivated by the annealing process of metals and was introduced by Kirkpatrick, Gelatt and Vecchi in [KJV83]. It was applied in the construction of Boolean functions much later however; Clark and Jacob introduced simulated annealing to the area of Boolean function generation in 2000 with [CJ00]. Annealing is a con- cept in metallurgy which refers to a technique involving heating and controlled cooling of a material to increase the size of its crystals and reduce their defects. The properties of the metal are improved if the atoms in the metal can lower their internal energy states. This is accomplished by heating and slow cool- ing: the heat causes the atoms to move out their current energy level(which

60 corresponds to local optima, locally lowest energy level) and wander randomly through states of higher energy; the slow cooling gives them more chances of finding configurations with lower internal energy than the initial one. Simu- lated annealing works similarly when applied to optimization problems and is described below. As described earlier, hill climbing methods tend to get stuck in local optima. To counter this, techniques like simulated annealing allow worsening moves to be accepted with some probability. The process is nicely described by Clark and Jacob([CJ00]): ”From the current state a move in a local neighborhood is generated and considered. Improving moves are always accepted. Worsening moves may also be accepted probabilistically in a way that depends on the temperature T of the search and the extent to which the move is worse. A number of moves are considered at each temperature. Initially the tempera- ture is high and virtually any move is accepted. Gradually the temperature is cooled and it becomes ever harder to accept worsening moves. Eventually the process ‘freezes’ and only improving moves are accepted at all. If no move has been accepted for some time then the search halts.” Simulated Annealing is often used in conjunction with hill climbing methods. For example, in [CJ00] Clark and Jacob introduced a new cost function to be optimized which was motivated by Parseval’s Theorem, and enabled the search to reach areas of the design space from which hill climbing methods could be used more effectively. Simulated Annealing has been further explored in [CJS+02, CJS05].

Remark: In [CJMS04], the authors generate functions in a very unorthodox and interesting way. Most techniques consider the space of Boolean functions and con- struct/search for the ones with the desired properties. The authors invert this notion in their paper: they search the space of artifacts with the required properties and seek the one which is a Boolean function. They combine this general approach with existing theory to obtain strong functions.

61 Chapter 6

Some open problems and concluding remarks

The area of algebraic attacks has attracted a lot of interest in recent years. In [Cou07a], Courtois says that the whole research in symmetric key cryptography has been ”heavily distorted” in the sense that impractical attacks(which require large amounts of known plaintext) have been studied extensively, while important prac- tical attacks(requiring few/chosen plaintexts but computationally intensive) have not been studied enough. He suggests a change in emphasis in the area, and urges researchers to try to break the toy ciphers CTC and CTC2 which will help in un- derstanding cryptanalysis of practical ciphers better.

In [AK03], the authors study algebraic attacks against combiners with mem- ory and provide an algorithm to construct low degree(say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream. Armknecht also posed the question of whether a faster method to construct these low degree relations exists, since the method proposed in [AK03] quickly becomes im- practical for large values of d and r. He also describes the failings of known methods of solving obtained relations: Linearization is polynomial time but requires knowl- edge of many keystream bits, other methods like XL or Gr¨obner basis methods require fewer keystream bits but can have exponential complexity. He suggests that we need to explore better methods for solving these systems of equations.

62 In [Can06], Anne Canteaut provides a very nice summary of open problems related to algebraic attacks on stream ciphers under the following categories:

1. Open problems related to the complexity of algebraic attacks:

Let the transition function be L and filtering function be f. The author wants to determine suitable parameters for the keystream generator. In order to so, she tries to estimate the complexity of algebraic attacks, and focuses on the simplest technique: Linearization. To estimate the complexity of an algebraic attack, it is essential to determine the proportion of monomials in the system of equations, because sparse systems can often be solved quite efficiently. It is clearly important to understand how the sparsity of equations might depend on values of f and L. So she presents the following open problem: Determine the number of monomials involved in the system of equations to be solved, depending on the choice of f and L. We also need to understand how many keystream bits are required to get enough linearly independent equations to be able to solve the system. Since Linearization converts the given system of (nonlinear) equations to a linear system, this is equivalent to determining the rank of the linear system depend- ing on the choice of f and L. Gr¨obner basis techniques have been studied in the context of algebraic at- tacks, and complexities of algorithms that compute Gr¨obner basis have been analyzed in several papers, for eg [BFS04]. These complexity results how- ever only hold for specific cases, for eg the semi-regular case as defined in [BFS04]. This results in the important open problem of ascertaining whether the system of equations that we need to solve to break the cipher behaves like a semi-regular system.

2. Open problems related to the algebraic immunity of functions: The author lists the following open problems related to the algebraic immunity of functions:

63 (a) For a balanced Boolean function f, is there a general relationship between AN(f) and AN(1 + f)? (b) What is the average value of algebraic immunity for a balanced Boolean function in n variables? (c) What is the proportion of balanced Boolean functions of n variables with optimal algebraic immunity?

3. Open problems with respect to fast algebraic attacks: Fast algebraic attacks rely on the existence of low degree relations between the bits of the initial state and several consecutive keystream bits. We can express this dependence by a function which has multiple outputs: f : Fn Fm m 2 → 2 fm(x1, ..., xn) = (b1, b2, ..., bm) where b1...bm are m consecutive keystream bits. An important open question asks to find an algorithm which will determine

such low degree relations, i.e. an algorithm to find function fm of low de- gree. This multiple output function is very similar to the augmented function defined in [And94]. Augmented functions are special multi-output functions with special properties. Another open problem asks if these special properties influence the algebraic immunity of augmented functions.

As described in [Cou03], fast algebraic attacks exploit the fact that when the known keystream bits are consecutive, an important part of the equations will have a recursive structure, and this allows to partially replace the usual sub-cubic Gaussian algorithms for eliminating the monomials, by a much faster, essentially linear, version of the Berlekamp-Massey algorithm. So another important open problem is to explore variants of the Berlekamp-Massey algorithm which are better suited to this particular application. Many stream ciphers do not use simple Boolean functions as combining or filtering functions, they use sophisticated functions like multi-output functions or functions with memory. There are open problems that are concerned with improving efficiency of algorithms that compute the algebraic immunity of such special func- tions as well as problems related to constructing special functions that are guaranteed to resist known attacks.

64 The area of algebraic attacks is thus an exciting area full of open problems which have important real world implications.

65 Appendix A

Useful Definitions

We briefly define here a few important terms and state some useful results.

A.1 Algebraic definitions

Definition. Affine Geometry [Rom92]: Let V be a vector space. If v V and S ∈ is a subspace of V , then the set

v + S = v + s s S { | ∈ } is called a flat or a coset in V . The set A(V ) of all flats in V is called the affine geometry of V . The dimension dim(A(V )) of A(V ) is defined to be dim(V ). A flat in V is nothing more than a translated subspace of V . Each flat k + S is associated with a unique subspace S.

Definition. Dimension of flats [Rom92]: The dimension of a flat x+S is dim(S), i.e. the dimension of the subspace S. A flat of dimension k is called a k-flat. A 0-flat is a point, a 1-flat is a line and a 2-flat is a plane. A flat of dimension dim(A(V )) 1 − is called a hyper-plane.

Definition. Affine Combinations [Rom92]: V is a vector space over field F. i ∀ ∈ 1, 2, 3...n, if r F and r = 1, then the linear combination, r x +r x +...+r x i ∈ i i 1 1 2 2 n n is referred to as an affineP combination of the vectors x1,x2, ...xn. A subset X of V is a flat in V if and only if it is closed under affine combinations.

66 Definition. Affine Subspace [Rom92]: An affine subspace of a vector space V is a subset of V closed under affine combinations of vectors in the space.

Definition. Co-dimension [Rom92]: If W is a vector subspace of a vector space V over a field F , then the Co-dimension of W in V is the dimension of the quotient space V/W , viewed as a vector space over F .

codim(W )= dim(V/W )= dim(V ) dim(W ) −

Definition. Affine Hyper-plane: An affine hyper-plane H of a vector space V is an affine subspace of V satisfying : 1. H = x + U where U is a subspace of V and x V . ∈ 2. codim(U) = 1.

Definition. Affine Hulls [Rom92]: Let C be a nonempty set of vectors in V . The affine hull, hull(C) is the smallest flat containing C, i.e. C hull(C), and ⊂ C A hull(C) A for all flats A. It can also be referred to as the flat generated ⊂ → ⊂ by C.

Theorem A.1.1. [Rom92] The affine hull, hull(C) is the set of all affine combina- tions of vectors in C, i.e. hull(C) = n r x n 1; x ,x , ..., x C; n r = { i=1 i i| ≥ 1 2 n ∈ i=1 i 1 . P P } Definition. Affine Transformation [Rom92]: A function f : V V that pre- → serves affine combinations, i.e. for which

r = 1 f( r x )= r f(x ),x V i i ⇒ i i i i i ∈ ∀ Xi Xi Xi is called an affine transformation.

Definition. Translation [Rom92]: Let v V . The affine map ∈

T : V V v → defined by

Tv(x)= x + v

x V is called a translation by V . ∀ ∈

67 Theorem A.1.2. [Rom92] V is a vector space over field F. A function f : V V → is an affine transformation iff f = T τ where v V and τ ζ(V ) v ◦ ∈ ∈ Notation: denotes function composition. ◦ τ : V V is a linear operator if τ(ru + sv)= rτ(u)+ sτ(v). → ζ(V ) denotes the set of linear operators of V.

Additionally, an affine transformation f = T τ is bijective iff τ is bijective. v ◦ Also, composition of affine transformations is also an affine transformation. Definition. Affine Group [Rom92]: The set Aff(V) of all bijective affine transfor- mations on V is a group under composition of transformations. This group is called the affine group. Definition. Affine Equivalence [Car04b]: Two functions f and g are said to be affinely equivalent if f = g A ◦ where A is an element of the affine group, i.e A Aff(V ). ∈ Definition. Affine Invariant [Car03]: A property p of a function f is said to be an affine invariant if every affinely equivalent function g also possesses the same property.

Definition. Affine Variety: The affine variety V (f1,f2, ..., fs) of functions f1,f2...fs where f : Fn F i 1, 2, .., s is the set of common zeroes of the functions f ,f ...f . i → ∀ ∈ 1 2 s More formally,

V (f ,f , ..., f )= x Fn f (x) = 0 i 1, 2, .., s . 1 2 s { ∈ | i ∀ ∈ { }}

Definition. Ideal Generated by Functions The ideal generated by functions f ,f ..., f , denoted by is defined as the set f f(x) = 0 at all points 1 2 s 1 2 s { | of V (f ,f , ..., f ) . 1 2 s }

A.2 Cryptographic definitions

Definition. Hamming Distance [Car04b]: The Hamming distance between 2 n- variable functions f : 0, 1 n 0, 1 and g : 0, 1 n 0, 1 , is the number of { } → { } { } → { }

68 inputs x, for which f(x) = g(x). 6 Definition. Hamming Weight [Car04b]: The Hamming weight of a function f : 0, 1 n 0, 1 is the number of inputs x such that f(x) = 1 and is denoted by { } → { } wH (f).

Definition. Algebraic Normal Form [Car04b]: Every Boolean function f over Fn the field 2 can be represented uniquely by its algebraic normal form or A.N.F.

f(x)= au( xi) n uXF i Yui=1 ∈ 2 | The A.N.F is useful because it exists and is unique for every Boolean function, and is often used in cryptography and coding.

Definition. Algebraic Degree [Car04b]: The degree of the A.N.F of function f is called the algebraic degree of f.

Definition. Affine Functions [Car03]: Functions with algebraic degree at most 1 are called affine functions. If constant term is 0, they are linear.

Definition. Vernam Ciphers [MvOV97]: In Vernam ciphers, also called one- time pads, the plaintext is bitwise added to a binary secret key of the same length in order to produce ciphertext. The Vernam cipher is the only known cipher offering unconditional security.

Definition. Stream Ciphers [MvOV97]: Stream ciphers are ciphers in which plaintext bits are encrypted one at a time, using an encryption transformation that varies with time.

Definition. Block Ciphers [MvOV97]: An n bit block cipher is a function E : − V κ V , where V is the set of all n bit vectors, and κ is the keyspace, such n × → n n − that for each key K κ, E(P, K) is an invertible mapping (the encryption function ∈ for K) from Vn to Vn, written as EK (P ). The inverse mapping is the decryption function, denoted DK (C) where C = EK(P ).

Definition. Symmetric Functions [BP05]: Symmetric functions are functions such that every Boolean vector of the same weight has the same function value. That is, all inputs with the same number of 1s have the same output value.

69 Definition. Annihilating Functions [MPC04]: An annihilating function of f is a function g such that f g = 0 ∗ Definition. Derivative of a Function [Car06a]: Let f be an n-variable Boolean Fn function and let b be any vector in 2 . We call derivative of f with respect to the direction b the Boolean function Dbf(x) = f(x) f(x + b), where denotes addition over F2.. L L

Definition. Sparse Equations [CP02]: Sparse equations are defined to be equa- tions with ”small” number of monomials. Let n be the number of variables in the system of equations and t be the number of monomials in the system of equations. For a given degree d, usually t n . If t n , we say that the equations are ≈ d ≪ d sparse.  

Definition. Overdefined Equations [CP02]: Overdefined equations are systems of equations in which the number of equations is greater than the number of variables involved in the system of equations.

A.3 Fourier-Walsh Transforms

Fourier transforms have very nice properties which are useful for studying Boolean functions. Most characteristics of Boolean functions that we describe in this survey can be expressed by means of weights of some related Boolean functions (for eg f l ⊕ where l is affine). As pointed out by Carlet in [Car06a], fourier analysis becomes a very powerful and useful tool, since given a Boolean function f, knowledge of the discrete fourier transform of f is equivalent with the knowledge of the weights of all the functions f l, where l is linear or affine. ⊕ We briefly define here Fourier Transforms and discuss some of their proper- ties. Other flavors of Fourier transforms are Hadamard transforms and Walsh trans- forms which are introduced below. We will primarily be working with Hadamard and Walsh transforms in subsequent sections. Let G be a finite abelian group of order n written additively.

Definition. Characters [LN83, Bab02]: A character of G is a homomorphism χ : G C of G to the multiplicative group of nonzero complex numbers. → ×

χ(a + b)= χ(a)χ(b)

70 a, b G. ∈ χ(a)n = χ(na)= χ(0) = 1 a G. So, the values of χ are the nth roots of unity. ∈ 1 Note that χ( a)= χ(a)− = χ(a) where the bar indicates complex conjugation. − Note that the pointwise product of the characters χ and ψ is a character again. (χψ)(a)= χ(a)ψ(a)

Let Gˆ denote the set of characters. This set forms an abelian group under the above operation.

Let CG denote the space of functions f : G C. An inner product on this → space is defined by: 1 (f, g)= f(a)g(a) (A.1) n aXG ∈ where (f, g CG). ∈ Theorem A.3.1. [Has01, Bab02] Gˆ forms an orthonormal space in CG.

Corollary A.3.2. [Has01, Bab02] Any function f CG can be written as a linear ∈ combination of characters.

f = cχχ (A.2) χXGˆ ∈ The coefficients cχ are called the fourier coefficients and are given by the formula

cχ = (χ,f).

Definition. Fourier Transform [Has01, Bab02]: The function fˆ : Gˆ C defined → as

fˆ(χ)= ncχ = n(χ,f)= χ(a)f(a) (A.3) aXG ∈ where χ Gˆ is called the fourier transform of f. This transformation is easily ∈ inverted. 1 f(a)= fˆ(χ)χ( a) (A.4) n − χXGˆ ∈

71 where a G. Here, f(a) is the inverse fourier transform. ∈ Definition. Hadamard Transform [Car06a]: The Hadamard transform is essentially the Fourier transform with character

u x χ (x) = ( 1) · u − for some u. Here, denotes the usual inner product on vectors i.e. for vectors · u = u u ...u ,x = x ,x ...x , u x = n u x . Notice that 1 2 n 1 2 n · i=1 i i P χ (a + b) = ( 1)(a+b)u = χ(a)χ(b). u −

It is a real-valued function over Fn, with x, u Fn, defined as 2 ∈ 2

x u fˆ(u)= f(x)( 1) · (A.5) − xXFn ∈ 2 Clearly, by definition of Hamming weight,

wH (f)= fˆ(0) (A.6)

Definition. Sign Function: The Sign Function is defined as

χ (x) = ( 1)f(x). (A.7) f −

Definition. Walsh Transform [Car06a]: The Walsh transform of a function is the Hadamard transform of the sign function and is given by

f(x)+u x χˆ (u)= ( 1) · (A.8) f − xXFn ∈ 2 Since χ = 1 2f f − we get χˆ = 1ˆ 2fˆ f − n It has been proved that 1ˆ = 2 δ0 where δ is the Dirac symbol: δ0(u)=1if u is the null vector and 0 otherwise. We do not give the proof of this here, please look at

72 [Car06a] for details. Hence we get, χˆ (u) = 2nδ (u) 2fˆ(u) (A.9) f 0 − We have that χˆ (0) = 1ˆ 2fˆ(0) = 2n 2fˆ(0) f − − which implies n 1 χˆf (0) fˆ(0) = 2 − − 2 Thus we get: n 1 χˆf (0) w (f) = 2 − (A.10) H − 2 Applying this to f l , where l (x)= a x, for some a Fn we get ⊕ a a · ∈ 2

n 1 χˆf (a) d (f, l )= w (f l ) = 2 − (A.11) H a H ⊕ a − 2

Note that denotes addition mod 2. ⊕

Theorem A.3.3. [Car06a] Parseval’s Relation: For every Boolean function φ, we have: φˆ2(u) = 2n φ2(x) (A.12) uXFn xXFn ∈ 2 ∈ 2 If φ is the sign function, this becomes

φˆ2(u) = 22n (A.13) uXFn ∈ 2 Definition. Walsh Spectrum: The Walsh spectrum of a Boolean function f with n variables consists of all values χˆ (a) where a Fn . { f ∈ 2 }

73 Bibliography

[AA05] Armknecht and Ars. Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity. In Proceedings of In- ternational Conference on Cryptology in Malaysia (Mycrypt), LNCS, volume 1, pages 16–32, 2005.

[AAG93] A.Klapper, A.Chan, and M. Goresky. Cascaded GMW sequences. In Proceedings of IEEE Transactions on Information Theory, volume 39, pages 177–183, 1993.

[ACDG03] Akkar, Courtois, Duteuil, and Goubin. A fast and secure implementation of sflash. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography (PKC), pages 267–278. LNCS, 2003.

[ACG+06] Frederik Armknecht, Claude Carlet, Philippe Gaborit, K¨unzli, Willi Meier, and Olivier Ruatta. Efficient computation of algebraic im- munity for algebraic and fast algebraic attacks. In Advances in Cryptol- ogy: Proceedings of EUROCRYPT, volume 4004 of LNCS, pages 147– 164. Springer, 2006.

[AK03] Armknecht and Krause. Algebraic attacks on combiners with memory. In Proceedings of CRYPTO, pages 162–175, 2003.

[AK06] Armknecht and Krause. Constructing single- and multi-output boolean functions with maximal algebraic immunity. In Proceedings of Annual International Colloquium on Automata, Languages and Programming (ICALP), pages 180–191, 2006.

74 [And94] Anderson. Searching for the optimum correlation attack. In Proceed- ings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 137–143, 1994.

[Arm04] Armknecht. Improving fast algebraic attacks. In Proceedings of Interna- tional Workshop on Fast Software Encryption (IWFSE), LNCS, pages 65–82, 2004.

[Ars05] Ars, G. and Faug`ere, J.-C. Algebraic immunities of functions over finite fields. In First workshop on Boolean Functions : Cryptography and Applications, pages 21–38, 2005.

[Bab02] Laszlo Babai. The fourier transform and equations over finite abelian groups. http://people.cs.uchicago.edu/~laci/reu02/fourier.pdf, 2002.

[Bar07] Gregory Bard. PhD thesis of Gregory Bard: Algorithms for solving Linear and Polynomial systems of equations over finite fields with applications to cryptanalysis. PhD thesis, University of Maryland at College Park, 2007. http://www.cs.umd.edu/users/jkatz/THESES/bard thesis.pdf.

[Bat04] Batten. Algebraic attacks over GF(q). In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 84–91. LNCS, Springer-Verlag, 2004.

[BC03] Biryukov and De Canniere. Block ciphers and systems of quadratic equations. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), pages 274–289, 2003.

[BCJ07] Gregory V. Bard, Nicolas T. Courtois, and Chris Jefferson. Efficient methods for conversion and solution of sparse systems of low-degree multivariate polynomials over gf(2) via sat-solvers. Technical report: Cryptology ePrint Archive, Report 2007/024, 2007.

[BD00] Biham and Dunkelman. Cryptanalysis of the a5/1 gsm stream cipher. In Proceedings of International Conference in Cryptology in India (IN- DOCRYPT), pages 43–51. LNCS, Springer-Verlag, 2000.

75 [BFS04] M. Bardet, J.-C. Faug`ere, and B. Salvy. On the complexity of grobner basis computation of semi-regular overdetermined algebraic equations. In Proceedings of the International Conference on Polynomial System Solving, pages 71–74, 2004.

[BP05] Braeken and Preneel. On the algebraic immunity of symmetric boolean functions. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 35–48. LNCS, Springer-Verlag, 2005.

[BPW05] Johannes Buchmann, Andrei Pychkine, and Ralf-Philipp Weinmann. Block ciphers sensitive to groebner basis attacks. Technical Report: Cryptology ePrint Archive, Report 2005/200, 2005.

[BS91a] Biham and Shamir. Differential cryptanalysis of snefru, khafre, -ii, , and . In Proceedings of CRYPTO, pages 156–171, 1991.

[BS91b] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryp- tosystems. Journal of Cryptology, 4(1):3–72, 1991.

[Buc06] Bruno Buchberger. Bruno buchberger’s phd thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimen- sional polynomial ideal. Journal of Symbolic Computing, 41(3-4):475– 511, 2006.

[Can02] Canteaut. On the correlations between a combining function and func- tions of fewer variables. In Proceedings of the Information Theory Work- shop ’02, Bangalore, pages 78 – 81, 2002.

[Can06] Anne Canteaut. Open problems related to algebraic attacks on stream ciphers. Proceedings of Dans Workshop on Coding and Cryptography (WCC), 3969:120–134, 2006.

[Car02] Carlet. A larger class of cryptographic boolean functions via a study of the maiorana-mcfarland construction. In Proceedings of CRYPTO, pages 549–564, 2002.

[Car03] Claude Carlet. On the algebraic thickness and non-normality of boolean functions. In Proceedings of IEEE Information Theory Workshop, pages 147–150, 2003.

76 [Car04a] Carlet. On the confusion and diffusion properties of maiorana- mcfarland’s and extended maiorana-mcfarland’s functions. Journal of Complexity, 20(2-3):182–204, 2004.

[Car04b] Claude Carlet. On the degree, nonlinearity, algebraic thickness, and nonnormality of boolean functions, with developments on symmetric functions. IEEE Transactions on Information Theory, 50(9):2178–2185, 2004.

[Car06a] Carlet. Boolean functions for cryptography and error correcting codes in book Boolean methods and models edited by Peter Hammer and Yves Crama. Cambridge University Press, 2005-2006.

[Car06b] Claude Carlet. The complexity of boolean functions from cryptographic viewpoint. In Proceedings of Dagstuhl Seminar 06111 - Complexity of Boolean functions, 2006.

[CB06] Nicolas T. Courtois and Gregory V. Bard. Algebraic cryptanalysis of the data encryption standard. Technical Report: Cryptology ePrint Archive, Report 2006/402, 2006.

[CB07] Nicolas T. Courtois and Gregory V. Bard. Algebraic and slide attacks on . Technical Report: Cryptology ePrint Archive, Report 2007/062, 2007.

[CCCF00] Canteaut, Carlet, Charpin, and Fontaine. Propagation characteristics and correlation-immunity of highly nonlinear boolean functions. In Ad- vances in Cryptology: Proceedings of EUROCRYPT, pages 507–522, 2000.

[CDG05] Nicolas Courtois, Blandine Debraize, and Eric Garrido. On exact al- gebraic [non-]immunity of s-boxes based on power functions. Technical Report: Cryptology ePrint Archive, Report 2005/203, 2005.

[CDGM06] Carlet, Dalai, Gupta, and Maitra. Algebraic immunity for cryptograph- ically significant boolean functions: Analysis and construction. IEEE Transactions on Information Theory, 52(7):3105–3121, 2006.

77 [CHJ02] Coppersmith, Halevi, and Jutla. Cryptanalysis of stream ciphers with linear masking. In Proceedings of CRYPTO, pages 515–532, 2002.

[Cid04] Cid. Some algebraic aspects of the advanced encryption standard. In Proceedings of International Conference on Advanced Encryption Stan- dard (AES), LNCS, volume 4, pages 58–66, 2004.

[CJ00] John Clark and Jeremy Jacob. Two-stage optimisation in the design of boolean functions. In Proceedings of the 5th Australasian Conference on Information Security and Privacy (ACISP), pages 242–254. Springer- Verlag, 2000.

[CJJ+03] Nicolas T. Courtois, Robert T. Johnson, Pascal Junod, Thomas Pornin, and Michael Scott. Did filiol break aes ? Techincal Report: Cryptology ePrint Archive, Report 2003/022, 2003.

[CJMS04] Clark, Jacob, Maitra, and Stanica. Almost boolean functions: The design of boolean functions by spectral inversion. Computational Intel- ligence: An International Journal, 20(3):450–462, 2004.

[CJS+02] Clark, Jacob, Stepney, Maitra, and Millan. Evolving boolean functions satisfying multiple criteria. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 246–259. LNCS, Springer- Verlag, 2002.

[CJS05] John A. Clark, Jeremy L. Jacob, and Susan Stepney. The design of s- boxes by simulated annealing. New Generation Computing, 23(3):219– 231, 2005.

[CKPS00] Courtois, Klimov, Patarin, and Shamir. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Advances in Cryptology: Proceedings of EUROCRYPT, page 392, 2000.

[CL04] Cheon and Lee. Resistance of S-boxes against algebraic attacks. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 83–94, 2004.

78 [CL06] Hao Chen and Jianhua Li. Lower bounds on the algebraic immunity of boolean functions. ArXiv Computer Science e-prints, cs/0608080, September 02 2006.

[CM03] Courtois and Meier. Algebraic attacks on stream ciphers with linear feedback. In Advances in Cryptology: Proceedings of EUROCRYPT, page 644, 2003.

[CM07] Claude Carlet and Sihem Mesnager. Improving the upper bounds on the covering radii of binary reed-muller codes. IEEE Transactions on Information Theory, 53(1):162–173, 2007.

[CMR04] Cid, Murphy, and Robshaw. Computational and algebraic aspects of the advanced encryption standard. In Proceedings of the Seventh In- ternational Workshop on Computer Algebra in Scientific Computing, (CASC), pages 93–103, 2004.

[CMR05] Cid, Murphy, and Robshaw. Small scale variants of the aes. In Proceed- ings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 145–162, 2005.

[CMR06] Carlos Cid, Sean Murphy, and Matthew Robshaw. Algebraic Aspects of the Advanced Encryption Standard, volume 310 of Advances in Informa- tion Security. Springer-Verlag, 2006.

[Cop] D. Coppersmith. Xsl against rijndael. http://www.schneier.com/crypto- gram-0210.html#8.

[Cor04] Coron. Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography (PKC), pages 14–27. LNCS, 2004.

[Cou] N. Courtois. Is aes a secure cipher? http://www.cryptosystem.net/aes/.

[Cou01] Courtois. The security of hidden field equations (HFE). In Proceedings of The Cryptographers’ Track at RSA (CTRSA), LNCS, pages 266–281, 2001.

79 [Cou02] Courtois. Higher order correlation attacks, XL algorithm and - analysis of toyocrypt. In Proceedings of International Conference on Information Security and Cryptology (ICISC), pages 182–199. LNCS, 2002.

[Cou03] Courtois. Fast algebraic attacks on stream ciphers with linear feedback. In Proceedings of CRYPTO, pages 176–194, 2003.

[Cou04a] Courtois. Algebraic attacks on combiners with memory and several outputs. In Proceedings of International Conference on Information Security and Cryptology (ICISC), pages 3–20. LNCS, 2004.

[Cou04b] Courtois. Algebraic attacks over GF (2k), application to HFE challenge 2 and sflash-v2. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography (PKC), pages 201–217. LNCS, 2004.

[Cou04c] Courtois. General principles of algebraic attacks and new design criteria for cipher components. In Proceedings of International Conference on Advanced Encryption Standard (AES), LNCS, volume 4, pages 67–83, 2004.

[Cou07a] Nicolas T. Courtois. Ctc2 and fast algebraic attacks on block ciphers re- visited. Technical Report: Cryptology ePrint Archive, Report 2007/152, 2007.

[Cou07b] Nicolas T. Courtois. How fast can be algebraic attacks on block ci- phers? In Symmetric Cryptography, number 07021 in Dagstuhl Seminar Proceedings, 2007.

[CP02] Courtois and Pieprzyk. Cryptanalysis of block ciphers with overde- fined systems of equations. In Advances in Cryptology : Proceedings of ASIACRYPT– International Conference on the Theory and Application of Cryptology, pages 267–287. LNCS, Springer-Verlag, 2002.

[CSV97] Coppersmith, Stern, and Vaudenay. The security of the birational per- mutation signature schemes. Journal of Cryptology, 10(3):207–221, 1997.

80 [CT00] Canteaut and Trabbia. Improved fast correlation attacks using parity- check equations of weight 4 and 5. In Advances in Cryptology: Proceed- ings of EUROCRYPT, pages 573–588, 2000.

[CY05] Claude Carlet and Joseph L. Yucas. Piecewise constructions of bent and almost optimal boolean functions. Designs, Codes and Cryptography, 37(3):449–464, 2005.

[DG03] A. Dimovski and D. Gligoroski. Generating highly nonlinear boolean functions using a genetic algorithm. In Proceedings of Telecommunica- tions in Modern Satellite, Cable and Broadcasting Service, Vol 2., pages 604– 607, 2003.

[DGM04] Dalai, Gupta, and Maitra. Results on algebraic immunity for cryp- tographically significant boolean functions. In Proceedings of Interna- tional Conference in Cryptology in India (INDOCRYPT), pages 92–106. LNCS, Springer-Verlag, 2004.

[DGM06] Deepak Kumar Dalai, Kishan Chand Gupta, and Subhamoy Maitra. Notion of algebraic immunity and its evaluation related to fast alge- braic attacks. In Second International Workshop of Boolean Functions: Cryptography and Applications (BFCA), pages 107–124, 2006.

[DMS06] Deepak Kumar Dalai, Subhamoy Maitra, and Sumanta Sarkar. Ba- sic theory in construction of boolean functions with maximum possible annihilator immunity. Designs, Codes and Cryptography, 40(1):41–58, 2006.

[DR00] Joan Daemen and Vincent Rijmen. Answer to ”new observations on rijndael”, August 11 2000. http://citeseer.ist.psu.edu/317291.html.

[DR02] Daemen and Rijmen. Security of a wide trail design. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 1–11. LNCS, Springer-Verlag, 2002.

[DT06] Fr´ed´eric Didier and Jean-Pierre Tillich. Computing the algebraic im- munity efficiently. In Proceedings of Fast Software Encryption, 13th

81 International Workshop, (FSE) Revised Selected Papers, volume 4047 of LNCS, pages 359–374. Springer, 2006.

[DXS91] C. (Cunsheng) Ding, G. Xiao, and W. Shan. The stability theory of stream ciphers, volume 561 of LNCS. Springer-Verlag, 1991.

[ES03] Een and Sorensson. An extensible SAT-solver. In Proceedings of Inter- national Conference on Theory and Applications of Satisfiability Testing (SAT), LNCS, volume 6, pages 502–518, 2003.

[FA03] Jean-Charles Faug`ere and Gw´enol´e Ars. An algebraic crypt- analysis of nonlinear filter generators using grobner bases. http://hal.ccsd.cnrs.fr/docs/00/07/18/48/PDF/RR-4739.pdf, 2003. INRIA report RR-4739.

[FD85] Fell and Diffie. Analysis of a public key approach based on polynomial substitution. In Proceedings of CRYPTO, pages 340–349, 1985.

[Fil02] Eric Filiol. A new statistical testing for symmetric ciphers and hash func- tions. Technical Report: Cryptology ePrint Archive, Report 2002/099, 2002. http://eprint.iacr.org/.

[FIL03] Eric FILIOL. Plaintext-dependant repetition codes cryptanalysis of block ciphers - the aes case. Technical Report: Cryptology ePrint Archive, Report 2003/003, 2003.

[FJ03] Faugere and Joux. Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using grobner bases. In Proceedings of CRYPTO, pages 44–60, 2003.

[FL01] Fluhrer and Lucks. Analysis of the E0 encryption system. In Proceedings of the Annual International Workshop on Selected Areas in Cryptography (SAC), pages 38–48. LNCS, 2001.

[FM02] Joanne Fuller and William Millan. On linear redundancy in the aes s- box. Technical Report: Cryptology ePrint Archive, Report 2002/111, 2002.

82 [FT01] Fedorova and Tarannikov. On the constructing of highly nonlinear re- silient boolean functions by means of special matrices. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 254–266. LNCS, Springer-Verlag, 2001.

[GBM02] Golic, Bagini, and Morgari. of bluetooth stream cipher. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 238–255, 2002.

[GJ79] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.

[Gol96] Golic. On the security of nonlinear filter generators. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 173–188, 1996.

[GS05] Gupta and Sarkar. Improved construction of nonlinear resilient S-boxes. IEEE Transactions on Information Theory, 51(1):339–348, 2005.

[Has01] Hastad. Some optimal inapproximability results. Journal of the ACM, 48(4):798–859, 2001.

[HKM95] Harpes, Kramer, and Massey. A generalization of linear cryptanaly- sis and the applicability of matsui’s piling-up lemma. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 24–38, 1995.

[HPS93] Hastad, Phillips, and Safra. A well-characterized approximation prob- lem. Information Processing Letters, 47(6):301–305, 1993.

[HR04] Hawkes and Rose. Rewriting variables: The complexity of fast algebraic attacks on stream ciphers. In Proceedings of CRYPTO, pages 390–406, 2004.

[Hug02] Hughes. A linear algebraic attack on the AAFG1 braid group cryptosys- tem. In Proceedings of Information Security and Privacy: Australasian Conference (ACISP), pages 176–189, 2002.

83 [Imp01] Impagliazzo. Hill-climbing vs. simulated annealing for planted bisec- tion problems. In Proceedings of International Workshop on Approxi- mation Algorithms for Combinatorial Optimization (APPROX), pages 2–5, 2001.

[JDH07] Xin Jiang, Jintai Ding, and Lei Hu. Kipnis-shamir’s attack on hfe revis- ited. In Proceedings of the 3rd International Conference on Information Security and Cryptology (SKLOIS), 2007. to appear.

[JJ99] Johansson and Jonsson. Improved fast correlation attacks on stream ciphers via convolutional codes. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 347–362, 1999.

[KCP00] Kang, Chee, and Park. A note on the higher order differential attack of block ciphers with two-block structures. In Proceedings of International Conference on Information Security and Cryptology (ICISC), pages 1– 13. LNCS, 2000.

[Key02] Keys. A tutorial on linear and differential cryptanalysis. Cryptologia, 26, 2002.

[KG03] Khoongming Khoo and Guang Gong. New constructions for resilient and highly nonlinear boolean functions. In Proceedings of Information Security and Privacy, 8th Australasian Conference (ACISP), pages 498– 509, 2003.

[KJV83] S. Kirkpatrick, C. D. Gelatt Jr., and M. P. Vecchi. Optimization by simulated annealing. Science, 220(4598):671–679, 1983.

[KMI91] Kwangjo Kim, Tsutomu Matsumoto, and Hideki Imai. A recursive con- struction method of S-boxes satisfying strict avalanche criterion. Pro- ceedings of the 10th Annual International Cryptology Conference on Ad- vances in Cryptology, 537:564–574, 1991.

[Knu94] Knudsen. Truncated and higher order differentials. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 196–211, 1994.

84 [KR94] Kaliski and Robshaw. Linear cryptanalysis using multiple approxima- tions. In Proceedings of CRYPTO, pages 26–39, 1994.

[KS98] Kipnis and Shamir. Cryptanalysis of the oil and vinegar signature scheme. In Proceedings of CRYPTO, pages 257–267, 1998.

[KS99] Kipnis and Shamir. Cryptanalysis of the HFE public key cryptosystem by relinearization. In Proceedings of CRYPTO, pages 19–30, 1999.

[KTLG05] Khoongming Khoo, Guat-Ee Tan, Hian-Kiat Lee, and Guang Gong. Comparison of boolean function design. In Proceedings of International Symposium on Information Theory (ISIT), pages 1111–1115, 2005.

[Lai94] Lai. Higher order derivatives and differential cryptanalysis. In Proceed- ings of Symposium on communication, coding and cryptography, pages 227–233, 1994.

[Lan90] Philippe Langevin. Covering radius of RM (1, 9) in RM (3, 9). In Pro- ceedings of EUROCODE, volume 514 of LNCS, pages 51–59. Springer, 1990.

[LCPP96] S. Lee, S. Chee, S. Park, and S. Park. Conditional correlation attack on nonlinear filter generators. In Advances in Cryptology : Proceedings of ASIACRYPT– International Conference on the Theory and Application of Cryptology, pages 360–367, 1996.

[LfQ05] Na Li and Wen feng Qi. Symmetric boolean function with maximum al- gebraic immunity on odd number of variables. ArXiv Computer Science e-prints, cs/0511099, 2005.

[LN83] Rudolf Lidl and Harald Niederreiter. Finite Fields. Addison-Wesley, 1983.

[Lob05] M. Lobanov. Tight bound between nonlinearity and algebraic im- munity. In Proceedings of the Second International Scientific Con- ference on Security and Countering Terrorism Issues, 2005. cite- seer.ist.psu.edu/lobanov05tight.html.

85 [Loh03] Bernhard Lohlein. Attacks based on conditional correlations against the nonlinear filter generator. http://citeseer.ist.psu.edu/554481.html; http://eprint.iacr.org/2003/020.ps.gz, February 03 2003.

[LP03] Lee and Park. Cryptanalysis of the public-key encryption based on braid groups. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 477–490, 2003.

[LQ06] N. Li and W.-F. Qi. Construction and Count of Boolean Functions of an Odd Number of Variables with Maximum Algebraic Immunity. ArXiv Computer Science e-prints, cs/0605139, 2006.

[Lup70] O. B. Lupanov. On circuits of functional elements with delay. Probl. Kibern, 23:43–81, 1970.

[LZGB02] Sabine Leveiller, Gilles Z´emor, Philippe Guillot, and Joseph Boutros. A new cryptanalytic attack for pn-generators filtered by a boolean func- tion. In Proceedings of Selected Areas in Cryptography, pages 232–249, 2002.

[Mas69] J. L. Massey. Shift-register synthesis and BCH decoding. IEEE Trans- actions on Information Theory, 15:122–127, 1969.

[Mat93] Matsui. Linear cryptanalysis method for DES cipher. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 386–397, 1993.

[Mat94] Matsui. The first experimental cryptanalysis of the data encryption standard. In Proceedings of CRYPTO, pages 1–11, 1994.

[Mat99] Matsui. On a structure of block ciphers with provable security against differential and linear cryptanalysis. IEICE Transactions on Communi- cations, Electronics, Information and Systems, 1999.

[MCD97a] Millan, Ckark, and Dawson. An effective genetic algorithm for finding highly nonlinear boolean functions. In Proceedings of International Con- ference on Information and Communications Security (ICIS), LNCS, page 149, 1997.

86 [MCD97b] W. Millan, A. Clark, and E. Dawson. Smart hill climbing finds better boolean functions. citeseer.ist.psu.edu/millan97smart.html, 1997. 4th Workshop on Selected Areas in Cryptography SAC’97, 1997.

[MCD98] Millan, Clark, and Dawson. Heuristic design of cryptographically strong balanced boolean functions. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 489–499, 1998.

[MCD99] Millan, Clark, and Dawson. Boolean function design using hill climbing methods. In Proceedings of Information Security and Privacy: Aus- tralasian Conference (ACISP), pages 1–11, 1999.

[MFD03] William Millan, Joanne Fuller, and Ed Dawson. New concepts in evo- lutionary search for boolean functions in cryptology. In Ruhul Sarker, Robert Reynolds, Hussein Abbass, Kay Chen Tan, Bob McKay, Daryl Essam, and Tom Gedeon, editors, Proceedings of the 2003 Congress on Evolutionary Computation, pages 2157–2164. IEEE Press, 2003.

[MI88] Matsumoto and Imai. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In Advances in Cryptol- ogy: Proceedings of EUROCRYPT, pages 419–453, 1988.

[Mit05] Mitchell. A SAT solver primer. Bulletin of the European Association for Theoretical Computer Science, 85:112–133, 2005.

[MMZ+01] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang, and Sharad Malik. Chaff: Engineering an Efficient SAT Solver. In Proceedings of the 38th Design Automation Conference (DAC’01), pages 530–535, June 2001.

[Moh02] T. Moh. Comments on the courtois-pieprzyk’s attack on rijndael. http://www.usdsi.com/aes.html, 2002.

[MPC04] Meier, Pasalic, and Carlet. Algebraic attacks and decomposition of boolean functions. In Advances in Cryptology : Proceedings of EU- ROCRYPT, pages 474–491, 2004.

[MR00] S. Murphy and M. Robshaw. New observations on rijndael, 2000. cite- seer.ist.psu.edu/murphy00new.html.

87 [MR02] Murphy and Robshaw. Essential algebraic structure within the AES. In Proceedings of CRYPTO, pages 1–16, 2002.

[MR03] S. Murphy and M. Robshaw. Comments on the security of the aes and the xsl technique. Electronic Letters, 39:36–38, 2003.

[MS88] Meier and Staffelbach. Fast correlation attacks on stream ciphers. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 301–316, 1988.

[MS89a] Meier and Staffelbach. Fast correlation attacks on certain stream ci- phers. Journal of Cryptology, 1(3):159–176, 1989.

[MS89b] Meier and Staffelbach. Nonlinearity criteria for cryptographic functions. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 549– 562, 1989.

[Mul04] Muller. Differential attacks against the helix stream cipher. In Proceed- ings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 94–108, 2004.

[MvOV97] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Hand- book of Applied Cryptography. CRC Press, 1997.

[MY92] Matsui and Yamagishi. A new method for known plaintext attack of FEAL cipher. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 81–91, 1992.

[NGG06] Yassir Nawaz, Guang Gong, and Kishan Chand Gupta. Upper bounds on algebraic immunity of boolean power functions. In Proceedings of Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, Revised Selected Papers, volume 4047 of LNCS, pages 375–389. Springer, 2006.

[Obi] M Obitko. Genetic algorithms. http://cs.felk.cvut.cz/~xobitko/ga/.

[OS98] Daniel Olejar and Martin Stanek. On cryptographic properties of random boolean functions. Journal of Universal Computer Science, 4(8):705–717, 1998.

88 [OSS84] Ong, Schnorr, and Shamir. An efficient signature scheme based on quadratic equations. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 208–216, 1984.

[Pas03] Pasalic. Degree optimized resilient boolean functions from maiorana- mcfarland class. In Proceedings of Conference on Cryptography and Coding (IMA), LNCS, pages 93–114, 2003.

[Pas06] Pasalic. Maiorana-mcfarland class: Degree optimization and algebraic properties. IEEE Transactions on Information Theory, 52(10):4581– 4594, 2006.

[Pat95] Patarin. Cryptanalysis of the matsumoto and imai public key scheme of eurocrypt ’88. In Proceedings of CRYPTO, pages 248–261, 1995.

[Pat96] Patarin. Hidden fields equations (HFE) and isomorphisms of polynomi- als (IP): Two new families of asymmetric algorithms. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 33–48, 1996.

[Pat97] J. Patarin. The oil and vinegar algorithm for signatures. In Proceedings of Dagstuhl workshop of cryptography, 1997.

[PLL+90] Preneel, Van Leekwijk, Van Linden, Govaerts, and Vandewalle. Propa- gation characteristics of boolean functions. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 161–173, 1990.

[PS87] Pollard and Schnorr. An efficient solution of the congruence x2 + ky2 = m(modn). IEEE Transactions on Information Theory, 33(5):702–709, 1987.

[Rom92] Steven Roman. Advanced Linear Algebra. Springer-Verlag, 1992.

[RS87] Rainer A. Rueppel and Othmar Staffelbach. Products of linear recurring sequences with maximum complexity. IEEE Transactions on Informa- tion Theory, 33(1):124–131, 1987.

[RS06] Hvard Raddum and Igor Semaev. New technique for solving sparse equation systems. Technical Report: Cryptology ePrint Archive, Report 2006/475, 2006.

89 [Rue86] R. A. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag, 1986.

[Sch] . Aes news. http://www.schneier.com/crypto-gram- 0209.html#1.

[Sei84] T. Seigenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information The- ory, 30(5):776–779, 1984.

[Sha49] C. E. Shannon. Communication theory of secrecy systems. Bell Systems Tech. Journal, 28:657–715, 1949.

[Sha93] Shamir. Efficient signature schemes based on birational permutations. In Proceedings of CRYPTO, pages 1–12, 1993.

[SKI06] Makoto Sugita, Mitsuru Kawazoe, and Hideki Imai. Relation between the xl algorithm and grobner basis algorithms. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E89-A(1):11–18, 2006.

[SM00a] Sarkar and Maitra. Construction of nonlinear boolean functions with important cryptographic properties. In Advances in Cryptology: Pro- ceedings of EUROCRYPT, pages 485–506, 2000.

[SM00b] Sarkar and Maitra. Nonlinearity bounds and constructions of resilient boolean functions. In Proceedings of CRYPTO, pages 515–532, 2000.

[SS04] Marta Simovcov and Martin Stanek. Generating cryptographically strong boolean functions using partial information. Periodica Mathemat- ica Hungarica, 49(1):119–130, 2004. citeseer.ist.psu.edu/525089.html.

[Stu05] Sturmfels. What is a grobner basis? Notices of the American Mathe- matical Society, 52:1199–1200, 2005.

[Tar00] Tarannikov. On resilient boolean functions with maximal possible non- linearity. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 19–30. LNCS, Springer-Verlag, 2000.

90 [Tar01] Tarannikov. New constructions of resilient boolean functions with max- imal nonlinearity. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 66–77, 2001.

[TSM95] Tokita, Sorimachi, and Matsui. On applicability of linear cryptanaly- sis to DES-like cryptosystems–LOKI89,LOKI91ands2DES–. IEICE Transactions on Communications, Electronics, Information and Sys- tems, 78(9):1148–1153, 1995.

[Wag04] Wagner. Towards a unifying view of block cipher cryptanalysis. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 16–33, 2004.

[WB02] Wu and Bao. Cryptanalysis of stream cipher cos (2, 128) mode i. In Pro- ceedings of Information Security and Privacy: Australasian Conference (ACISP), pages 154–158, 2002.

[WT85] Webster and Tavares. On the design of S-boxes. In Proceedings of CRYPTO, pages 523–534, 1985.

[XGZ88] J.L Massey Xiao Guo-Zhen. A spectral characterization of correlation immune combining functions. IEEE Transactions on Information The- ory, 34(3):569–571, 1988.

[YLH98] Yi, Lam, and Han. Differential cryptanalysis of a block cipher. In Pro- ceedings of Information Security and Privacy: Australasian Conference (ACISP), pages 58–67, 1998.

[YT95] A. M. Youssef and S. E. Tavares. Resistance of balanced s-boxes to linear and differential cryptanalysis. Information Processing Letters, 56(5):249–252, December 1995.

[ZH05] Xiangyong Zeng and Lei Hu. Constructing boolean functions by modify- ing maiorana-mcfarland’s superclass functions. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 88-A(1):59–66, 2005.

91 [ZYR89] Zeng, Yang, and Rao. On the linear consistency test (LCT) in crypt- analysis with applications. In Proceedings of CRYPTO, pages 164–174, 1989.

[ZZ00] Zheng and Zhang. Improved upper bound on the nonlinearity of high order correlation immune functions. In Proceedings of the Annual In- ternational Workshop on Selected Areas in Cryptography (SAC), pages 262–274. LNCS, 2000.

[ZZI99] Zheng, Zhang, and Imai. Restriction, terms and nonlinearity of boolean functions. Theoretical Computer Science, 226(1-2):207–223, 1999.

92 Vita

Educational Qualifications: Graduate Student, Computer Science, University of Texas, Austin. Bachelor of Engineering, Information Technology, University of Pune, India.

Research interests: Complexity theory, cryptography, information theory and all things mathematical.

Permanent Address: L/A-4, 303, Ajmera housing complex, Pimpri, Pune 411018.

1 This thesis was typeset with LATEX 2ε by the author.

1 LATEX 2ε is an extension of LATEX. LATEX is a collection of macros for TEX. TEX is a trademark of the American Mathematical Society. The macros used in formatting this thesis were written by Dinesh Das, Department of Computer Sciences, The University of Texas at Austin, and extended by Bert Kay, James A. Bednar, and Ayman El-Khashab.

93