Bent functions and their connections to coding theory and cryptography Sihem Mesnager University of Paris VIII and University of Paris XIII Department of mathematics, LAGA (Laboratory Analysis, Geometry and Application), CNRS, Telecom Paristech, France Fifteenth International Conference on Cryptography and Coding IMACC 2015 Oxford, United Kingdom 15th December 2015 1 / 68 Bent functions In 1966 : the first paper written by Oscar Rothaus (published in 1976). In 1972 and 1974 : two documents written by John Dillon. In 1975 : a paper based on Dillon’s thesis. In this preliminary period, several people were interested in bent functions, in particular Lloyd Welch and Gerry Mitchell. It seems that bent functions have been studied by V.A. Eliseev and O.P. Stepchenkov in the Soviet Union already in 1962, under the name of minimal functions. Some results were published as technical reports but never declassified. 2 / 68 Outline 1 Boolean functions, bentness and related notions 2 Characterizations and properties of bent functions 3 Bent functions : applications 4 Equivalence, classification and enumeration of bent functions 5 Primary constructions of Boolean bent functions 6 Secondary constructions of Boolean bent functions 7 Bent functions in univariate and bivariate representations 8 Subclasses, super-classes of bent functions 9 Vectorial bent functions 10 p-ary functions and bentness 11 Constructions of bent functions in arbitrary characteristic 3 / 68 Background on Boolean functions : representation n f : F2 ! F2 an n-variable Boolean function. DEFINITION (ALGEBRAIC NORMAL FORM (A.N.F)) n Let f : F2 ! F2 be a Boolean function. Then f can be expressed as : ! M Y M u f (x1;:::; xn) = aI xi = aux ; aI 2 F2 n I⊂{1;:::;ng i2I u2F2 n u Y ui where I = supp(u) = fi = 1;:::; n j ui = 1g and x = xi . i=1 The A.N.F exists and is unique. DEFINITION (THE ALGEBRAIC DEGREE) The algebraic degree deg(f ) is the degree of the A.N.F. Affine functions f (deg(f ) ≤ 1): f (x) = a0 ⊕ a1x1 ⊕ a2x2 ⊕ · · · ⊕ anxn; ai 2 F2 4 / 68 Background on Boolean functions : representation DEFINITION Let n be a positive integer. Every Boolean function f defined on F2n has a (unique) trace expansion called its polynomial form : X o(j) j 2n−1 8x 2 F2n ; f (x) = Tr1 (ajx ) + (1 + x ); aj 2 F2o(j) j2Γn DEFINITION (ABSOLUTE TRACE OVER F2 ) k Let k be a positive integer. For x 2 F2k , the (absolute) trace Tr1(x) of x over F2 is defined by : k−1 k X 2i 2 22 2k−1 Tr1(x) := x = x + x + x + ··· + x 2 F2 i=0 5 / 68 Background on Boolean functions : representation DEFINITION Let n be a positive integer. Every Boolean function f defined on F2n has a (unique) trace expansion called its polynomial form : X o(j) j 2n−1 8x 2 F2n ; f (x) = Tr1 (ajx ) + (1 + x ); aj 2 F2o(j) j2Γn Γn is the set obtained by choosing one element in each cyclotomic class of 2 modulo 2n − 1, o(j) is the size of the cyclotomic coset containing j ( that is o(j) is the smallest positive integer such that j2o(j) ≡ j (mod 2n − 1)) = wt(f ) modulo 2 DEFINITION (THE HAMMING WEIGHT OF A BOOLEAN FUNCTION) wt(f ) = #supp(f ) := #fx 2 F2n j f (x) = 1g 6 / 68 Background on Boolean functions : representation DEFINITION Let n be a positive integer. Every Boolean function f defined on F2n has a (unique) trace expansion called its polynomial form : X o(j) j 2n−1 8x 2 F2n ; f (x) = Tr1 (ajx ) + (1 + x ); aj 2 F2o(j) j2Γn + The algebraic degree of f denoted by deg(f ), is the maximum Hamming weight of the binary expansion of an exponent j for which aj 6= 0 if = 0 and to n if = 1. n Affine functions : Tr1(ax) + λ, a 2 F2n , λ 2 F2: 7 / 68 Background on Boolean functions : representation DEFINITION (THE BIVARIATE REPRESENTATION (UNIQUE)) n Let n = 2m, let F2 ≈ F2m × F2m . X i j f (x; y) = ai;jx y ; ai;j 2 F2m 0≤i;j≤2m−1 . Then the algebraic degree of f equals max(i;j) j ai;j6=0(w2(i) + w2(j)). And f being Boolean, its bivariate representation can be written in the m form f (x; y) = Tr1 (P(x; y)) where P(x; y) is some polynomial over F2m . 8 / 68 Boolean functions + In both Error correcting coding and Symmetric cryptography, Boolean functions are important objects ! Boolean functions Reed-Muller codes Symmetric Cryptosystems (secret key) Coding Theory Cryptography 9 / 68 Cryptographic framework for Boolean functions + To make the cryptanalysis very difficult to implement, we have to pay attention when choosing the Boolean function, that has to follow several recommendations : cryptographic criteria ! 10 / 68 The discrete Fourier (Walsh) Transform of Boolean functions DEFINITION (THE DISCRETE FOURIER (WALSH)TRANSFORM) X f (x)+a·x n χbf (a) = (−1) ; a 2 F2 n x2F2 n where "·" is the canonical scalar product in F2 defined by Pn n n x · y = i=1 xiyi; 8x = (x1;:::; xn) 2 F2; 8y = (y1;:::; yn) 2 F2. DEFINITION (THE DISCRETE FOURIER (WALSH)TRANSFORM) X f (x)+Trn(ax) χbf (a) = (−1) 1 ; a 2 F2n x2F2n n where "Tr1" is the absolute trace function on F2n . DEFINITION (THE DISCRETE FOURIER (WALSH)TRANSFORM) X f (x;y)+Trm(ax+by) χbf (a; b) = (−1) 1 ; a; b 2 F2m : x;y2F2m 11 / 68 A main cryptographic criterion for (cryptographic) Boolean functions DEFINITION (THE HAMMING DISTANCE) f ; g : F2n ! F2 two Boolean functions. The Hamming distance between f and g : dH(f ; g) := #fx 2 F2n j f (x) 6= g(x)g. DEFINITION (NONLINEARITY) f : F2n ! F2 a Boolean function. The nonlinearity denoted by nl(f ) of f is nl(f ) := minl2An dH(f ; l) where An := fl : F2n ! F2; l(x) := a · x + b ; a 2 F2n ; b 2 F2 ( where "·" is an inner product in F2n )} is the set of affine functions on F2n . The nonlinearity of a function f is the minimum number of truth table entries that must be changed in order to convert f to an affine function. * Any cryptographic function must be of high nonlinearity, to prevent the system from linear attacks and correlation attacks. 12 / 68 General upper bound on the nonlinearity of Boolean functions The Nonlinearity of f is equals : n−1 1 nl(f ) = 2 − max jχf (a)j n b 2 a2F2 P 2 2n Thanks to Parseval’s relation : n χf (a) = 2 a2F2 b 2 n we have : maxa2 n (χf (a)) ≥ 2 F2 b Hence : for every n-variable Boolean function f , the nonlinearity is always n−1 n −1 upper bounded by 2 − 2 2 It can reach this value if and only if n is even. The functions used as combining or filtering functions should have nonlinearity close to this maximum. 13 / 68 A main definition of a bent function General upper bound on the nonlinearity of any n-variable Boolean n−1 n −1 function : nl(f ) ≤ 2 − 2 2 DEFINITION (BENT FUNCTION [ROTHAUS, 1975]) n−1 n −1 f : F2n ! F2 (n even) is said to be a bent function if nl(f ) = 2 − 2 2 Bent functions have been studied for more than 40 years (initiators : [Dillon, 1974], [Rothaus, 1975]). 14 / 68 Characterization of bent functions A main characterization of "bentness" : n (f is bent ) () χbf (!) = ±2 2 ; 8! 2 F2n Thanks to Parseval’s identity, one can determine the number of occurrences of each value of the Walsh transform of a bent function. TABLE: Walsh spectrum of bent functions f with f (0) = 0 Value of χbf (!), ! 2 F2n Number of occurrences n n−1 n−2 2 2 2 + 2 2 n n−1 n−2 −2 2 2 − 2 2 15 / 68 Characterization of bent functions in terms of derivatives Let f be a Boolean function over F2n and a 2 F2n . The derivative of f with respect to a is defined as : Daf (x) = f (x) + f (x + a); x 2 F2n : ? + A function f is bent if and only if all the derivatives Daf , a 2 F2n , are balanced (Dillon reports that this has been first observed by D. Lieberman). 16 / 68 Bent functions : applications 17 / 68 Bent Boolean functions in cryptography Two main interests : 1 Their derivatives Daf : x 7! f (x) + f (x + a) are balanced, this has an important relationship with the differential attack on block ciphers. 2 The Hamming distance between f and the set of affine Boolean functions takes optimal value ; this has a direct relationship with the fast correlation attack [Meier-Staffelbach 1988] on stream ciphers and the linear attack [Matsui 1993] on block ciphers. Two main drawbacks : 1 Bent functions are not balanced and then can hardly be used for instance in stream ciphers. 2 A pseudo-random generator using a bent function as combiner or filter is weak against some attacks, like the fast algebraic attack [Courtois 2003], even if the bent function has been modified to make it balanced. 18 / 68 Bent functions in coding theory Bent functions and covering radius of Reed-Muller codes + The covering radius plays an important role in error correcting codes : measures the maximum errors to be corrected in the context of maximum-likelihood decoding. + The Covering radius ρ(1; n) of the Reed-Muller code RM(1; n) coincides with the maximum nonlinearity nl(f ). n−1 n −1 + General upper bound on the nonlinearity: nl(f ) ≤ 2 − 2 2 n−1 n −1 When n is odd, ρ(1; n) < 2 − 2 2 n−1 n −1 When n is even, ρ(1; n) = 2 − 2 2 and the associated n-variable Boolean functions are the bent functions.