Fast Implementation of the ANF Transform Valentin Bakoev Faculty of Mathematics and Informatics, Veliko Turnovo University, Bulgaria MDS – OCRT, 10–14 July, 2017 Sofia, Bulgaria V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 1 / 29 Outline 1 Introduction 2 Basic notions and preliminary results 3 Fast implementation of the ANFT 4 Experimental results and conclusions V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 2 / 29 Computing: its computing includes obtaining of the algebraic normal forms of the coordinate Boolean functions, which form the S-box. During the generation of S-boxes it should be done as fast as possible (as well as computing the other cryptographic criteria), in order to obtain more S-boxes and to select the best of them. The algebraic degree of a Boolean function is defined by one special representation – in the area of algebra and cryptology it is known as Algebraic Normal Form (ANF). 1. Introduction Importance: the algebraic degree of an S-box (or a vectorial Boolean function) is one of its most important cryptographic parameters. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 3 / 29 During the generation of S-boxes it should be done as fast as possible (as well as computing the other cryptographic criteria), in order to obtain more S-boxes and to select the best of them. The algebraic degree of a Boolean function is defined by one special representation – in the area of algebra and cryptology it is known as Algebraic Normal Form (ANF). 1. Introduction Importance: the algebraic degree of an S-box (or a vectorial Boolean function) is one of its most important cryptographic parameters. Computing: its computing includes obtaining of the algebraic normal forms of the coordinate Boolean functions, which form the S-box. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 3 / 29 The algebraic degree of a Boolean function is defined by one special representation – in the area of algebra and cryptology it is known as Algebraic Normal Form (ANF). 1. Introduction Importance: the algebraic degree of an S-box (or a vectorial Boolean function) is one of its most important cryptographic parameters. Computing: its computing includes obtaining of the algebraic normal forms of the coordinate Boolean functions, which form the S-box. During the generation of S-boxes it should be done as fast as possible (as well as computing the other cryptographic criteria), in order to obtain more S-boxes and to select the best of them. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 3 / 29 1. Introduction Importance: the algebraic degree of an S-box (or a vectorial Boolean function) is one of its most important cryptographic parameters. Computing: its computing includes obtaining of the algebraic normal forms of the coordinate Boolean functions, which form the S-box. During the generation of S-boxes it should be done as fast as possible (as well as computing the other cryptographic criteria), in order to obtain more S-boxes and to select the best of them. The algebraic degree of a Boolean function is defined by one special representation – in the area of algebra and cryptology it is known as Algebraic Normal Form (ANF). V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 3 / 29 Circuit theory, switching functions etc. – it is known as: modulo-2 sum-of-products, Reed-Muller-canonical expansion, positive polarity Reed-Muller form, etc. Harking B., Efficient algorithm for canonical Reed-Muller expansions of Boolean functions, IEE Proc. Comput. Digit. Tech., 137, 5, 1990, 366–370. Porwik P., Efficient calculation of the Reed-Muller form by means of the Walsh transform, Int. J. Appl. Math. Comput. Sci., 12, 4, 2002, 571-579. 1. Introduction The ANF representation is considered in the literature from other viewpoints and has many generalizations: The classical (logical) one – it is known as Zhegalkin polynomial. The famous Zhegalkin theorem states that for every Boolean function there exists an unique polynomial form of it over the functionally complete set of Boolean functions fx:y; x ⊕ y; 1~g. Yablonski S., Introduction to discrete mathematics, Fourth Edition, Visshaia Shkola, Moskow, 2003. (in Russian) V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 4 / 29 1. Introduction The ANF representation is considered in the literature from other viewpoints and has many generalizations: The classical (logical) one – it is known as Zhegalkin polynomial. The famous Zhegalkin theorem states that for every Boolean function there exists an unique polynomial form of it over the functionally complete set of Boolean functions fx:y; x ⊕ y; 1~g. Yablonski S., Introduction to discrete mathematics, Fourth Edition, Visshaia Shkola, Moskow, 2003. (in Russian) Circuit theory, switching functions etc. – it is known as: modulo-2 sum-of-products, Reed-Muller-canonical expansion, positive polarity Reed-Muller form, etc. Harking B., Efficient algorithm for canonical Reed-Muller expansions of Boolean functions, IEE Proc. Comput. Digit. Tech., 137, 5, 1990, 366–370. Porwik P., Efficient calculation of the Reed-Muller form by means of the Walsh transform, Int. J. Appl. Math. Comput. Sci., 12, 4, 2002, 571-579. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 4 / 29 1. Introduction The computing of these representations for a given Boolean function can be done in different ways. In dependence of the area of consideration they have different names: ANF Transform (ANFT); (fast) Möbius (or Moebius) Transform; Zhegalkin Transform; Positive polarity Reed-Muller Transform (PPRMT), etc. Our experience convinced us how important these facts are in searching papers by keywords. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 5 / 29 1. Introduction The algorithm for performing ANFT in its typical form (i.e. operating on bytes) is well-known and is given in many sources. However its bitwise implementation is considered quite rarely. J. Fuller and A. Joux Fuller J., Analysis of affine equivalent Boolean functions for cryptography, Ph.D. Thesis, Queensland University of Technology, Australia, 2003. Joux A., Algorithmic Cryptanalysis, Chapman & Hall/CRC Cryptography and Network Security, 2012. stress to the necessity of optimization issues and techniques, and consider some of them. They give two different programs (in C language) that perform the ANFT. They use the bitwise representation of Boolean functions in 32-bits computer words. However, in both sources: the role of shifts and masks is not explained; the correctness and the complexity of the programs are not given; there are not experimental results; it is not clear how to modify the programs to run on 64-bits (or more bits) computer words. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 6 / 29 1. Introduction In 1998 we developed an algorithm for computing the Zhegalkin transform. In 2008 we proposed other version of this algorithm (called PPRMT), derived in a different way. Manev K. and Bakoev V., Algorithms for performing the Zhegulakin transfroemation, in Proc. of the XXVII Spring Conf. of the Union of Bulgarian Mathematicians, (Pleven, Bulgaria, April 9–11, 1998), Mathematics and education in mathematics, Sofia, 1998, 229–233. Bakoev V. and Manev K., Fast computing of the positive polarity Reed-Muller transform over GF(2) and GF(3), in Proc. of the XI Intern. Workshop on Algebraic and Combinatorial Coding Theory (ACCT), 16-22 June, 2008, Pamporovo, Bulgaria, 2008, 13–21. We also commented its bitwise representation and implementation, that can improve its time and space complexity. However, this work did not attract the attention of cryptographers and a reason for this might have been its name – PPRMT. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 7 / 29 1. Introduction Our report is a continuation of the last work. We represent our full version of the bitwise ANFT with comments about its implementation and correctness. We obtained a general time complexity Θ((9n − 2):2n−7) by using a bitwise representation of Boolean functions in 64-bits computer words. Some experimental results are also given. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 8 / 29 2. Basic notions and preliminary results Here we consider: F2 = f0; 1g – the field of two elements with two operations: x ⊕ y and x:y (or xy), for x; y 2 F2; n n F2 – the n-dimensional vector space over F2, it includes all 2 binary vectors; n ¯ for an arbitrary a = (a1; a2;:::; an) 2 F2, a is the natural number Pn n−i n a¯ = i=1 ai :2 . The binary representation of a¯ (0 ≤ a¯ ≤ 2 − 1) in n bits determines the coordinates of a. The correspondence between a and a¯ is a bijection. n for a = (a1; a2;:::; an) and b = (b1; b2;:::; bn) 2 F2, we say that "a precedes lexicographically b" and denote it by a ≺ b if 9 k; 0 ≤ k < n, such that ai = bi , for i ≤ k, and ak+1 < bk+1. V. Bakoev (FMI, VTU) Fast Implementation of the ANFT OCRT, 10–14.07.2017 9 / 29 2. Basic notions and preliminary results n The relation "≺" over F2, gives an unique lexicographic (standard) n order of the vectors of F2 in the sequence a0 = (0; 0;:::; 0) ≺ a1 = (0; 0;:::; 0; 1) ≺ · · · ≺ a2n−1 = (1; 1;:::; 1). So n a¯0 = 0 < a¯1 = 1 < ··· < a¯2n−1 = 2 − 1. Boolean function of n variables (denoted by x1; x2;:::; xn) is a n mapping f : F2 ! F2, i.e.