Paper A study of differences between bent functions constructed using Rothaus method and randomly generated bent functions Anna Grocholewska-Czuryło Abstract — Bent functions, having the highest possible non- S-box (taken as a linear combination of constituting func- linearity, are among the best candidates for construction of tions). The nonlinear properties are by far the most impor- S-boxes. One problem with bent functions is the fact that they tant. In recent years a class of highly nonlinear functions are hard to find among randomly generated set of Boolean attracted a lot of researchers’ attention – a class of bent functions already for 6 argument functions. There exist some Boolean functions. These functions have in fact the high- algorithms that allow for easy generation of bent functions. est possible nonlinearity (they also have very good prop- The major drawback of these algorithms is the fact that they agation characteristics and are nearly balanced – another rely on deterministic dependencies and are only able to gen- erate bent functions belonging to one specific class. In our important criterion for good cryptographic function – spe- paper we present an efficient generator of random bent func- cial algorithm have been proposed by different authors for tions of more than 4 arguments. Resulting functions are not transforming bent functions into balanced Boolean func- bounded by constraints described above. The generator oper- tions while maintaining high level of nonlinearity). ates in algebraic normal form domain (ANF). We also present However one major drawback is the fact that bent functions our result on comparing the performance of S-boxes build us- are not easily constructed (i.e. their constructions are time ing our bent function generator versus a standard method of consuming). Trying to find bent functions by pure random bent function construction. We also give some directions for search is also virtually impossible (already for 6-argument further research. 10 ¡ functions, only one in 2 :9 10 Boolean functions is bent). Keywords — block ciphers, S-boxes, bent functions, construc- Also, an S-box that is constructed using only bent functions tion, random generation, nonlinearity. does not necessarily possess the best nonlinear qualities. So usually a number of different S-boxes should be gener- ated and tested, and then only the best S-boxes should be selected for incorporating in block cipher. This approach 1. Introduction demands fast S-box generation which in turn translates to fast bent function generation. The remainder concentrates on efficient random bent func- In block ciphers based on S-boxes, the cryptographic tion generation and using such generated function for S-box strength (i.e. resistance to cryptanalysis attack) depends construction. on the nonlinear properties of an S-boxes used to build the cipher. S-boxes are built from Boolean functions, so quality of each and every function constituting an S-box is of a greatest importance. Another major consideration for 2. Preliminaries S-box construction is the way functions that form an S-box ;::: ; ] “interact” (behave as a group of functions) – what are the [ We use square brackets to denote vectors like a1 an ;::: ; µ cryptographic properties of an S-box as a whole. These are ´ and round brackets to denote functions like f x1 xn . two main factors that affect cipher’s cryptographic perfor- < ; ¨; ¯ > Boolean function. Let GF(2) = ∑ be two- mance. f ; g; ¨ ¯ element Galois field, where ∑ = 0 1 and denotes The properties of Boolean functions have been extensively the sum and multiplication mod 2, respectively. A func- n studied. The quality of a single, cryptographically strong tion f : ∑ ! ∑ is an n-argument Boolean function. Let n 1 n 2 0 ¡ · ¡ · ::: · ¡ Boolean function is measured by its cryptographic proper- z = x1 2 x2 2 xn 2 be the decimal rep- ; ;::: ; µ ties. The criteria against which a function quality is mea- resentation of arguments ´x1 x2 xn of the function f . ; ;::: ; µ [ ; ;::: ; ] sured are mainly nonlinearity, balancedness, avalanche and Let us denote f ´x x xn as yz.Theny y y n 1 2 0 1 2 1 propagation criteria. is called a truth table of the function f . The qualities that single Boolean functions should posses Linear and nonlinear Boolean functions. An n-argument to be good candidates for S-box construction are very sim- Boolean function f is linear if it can be represented in the ; ;::: ; µ= ¨ ¨ ::: ilar to those that should be characterizing a good (strong) following form: f ´x1 x2 xn a1x1 a2x2 anxn. 19 Anna Grocholewska-Czuryło Let Ln be a set of all n-argument linear Boolean func- For a perfectly nonlinear Boolean function, any change of n f ! j ´ ; ; ::: ; µ= ¨ = ∑ ∑ tions. Let Mn g : g x1 x2 xn 1 inputs causes the change of the output with probability ; ;::: ; µ ¾ g = [ f ´x1 x2 xn and f Ln .AsetAn Ln Mn is called of 1/2. asetofn-argument affine Boolean functions. A Boolean Meier and Staffelbach [16] proved that the set of per- n function f : ∑ ! ∑ that is not affine is called a nonlinear fectly nonlinear Boolean functions is the same as the set of Boolean function. Boolean bent functions defined by Rothaus [5]. Perfectly nonlinear functions (or bent functions) have the ; ;::: ; ] Balance. Let N [y y y n be a number of ze- 0 0 1 2 1 same, and the maximum possible distance to all affine func- ; ;::: ; ] ros (0’s) in the truth table [y y y n of func- 0 1 2 1 tions. So their correlation to any affine function is consis- ; ;::: ; ] tion f ,andN [y y y n be number of ones (1’s). 1 0 1 2 1 tently bad (minimal). Linear cryptanalysis works if it is ; ;::: ; ]= A Boolean function is balanced if N [y y y n 0 0 1 2 1 possible to find a good linear approximation of the S-box. [ ; ;::: ; ] = N y y y n . 1 0 1 2 1 Bent functions are not balanced. This property prohibits Algebraic normal form. A Boolean function can also their direct application in S-box construction, however there be represented as a maximum of 2n coefficients of the exist numerous methods for modifying bent function in algebraic normal form. These coefficients provide a for- such a way so that the resulting function is balanced and mula for the evaluation of the function for any given input still maintains the good cryptographic properties of a bent ; ;::: ; ] x =[x x x : 1 2 n function [16]. Hamming weight of a bent function equals = n n 1 n 2 1 2 ¦ 2 . µ= ¨ ¨ ¨ ::: ¨ ::: ; f ´x a ∑ a x ∑ a x x a x x xn 0 i i ij i j 12:::n 1 2 Differential analysis [18] can be seen as an extension of < i=1 1 i j n the ideas of attacks based on the presence of linear struc- ¨ where ∑; denote the modulo 2 summation. tures [3]. As perfect nonlinear Boolean function have µ The order of nonlinearity of a Boolean function f ´x maximum distance to the class of linear structures (equal is a maximum number of variables in a product term to 2n 2), they are a useful class of functions for construct- with non-zero coefficient aJ, where J is a subset of ing mappings that are resistant to differential attacks. ; ; ;::: ; g f1 2 3 n . In the case where J is an empty set the Bent functions exist only for even n. The nonlinear order coefficient is denoted as a and is called a zero order coeffi- > 0 of bent functions is bounded from above by n =2 for n 2. ;::: ; cient. Coefficients of order 1 are a ; a an, coefficients 1 2 The number of Boolean bent function for n > 6 remains an ;::: ; of order 2 are a ; a a , coefficient of order n is µ 12 13 ´n 1 n open problem. a . The number of all ANF coefficients equals 2n. 12:::n Let us denote the number of all (zero and non-zero) coef- µ ficients of order i of function f as σ ´ f .Forn-argument i 3. Constructing bent functions function f there are as many coefficients of a given or- der as there are i-element combinations in n-element set, n ¡ There exist a number of algorithms for constructing bent µ= i.e. σ ´ f . i i functions. As an example let’s consider the follow- Hamming distance. Hamming weight of a binary vector ing [8, 12]. n ´ µ ¾ ∑ x , denoted as hwt x , is the number of ones in that n Method 1. ∑ ! ∑ vector. Let Bn denote a set of bent functions f : with n even. Given a set of bent functions B6, bent func- Hamming distance between two Boolean functions f ; g : n tions in B8 can be constructed using the following method ´ ; µ ∑ ! ∑ is denoted by d f g and is defined as follows: (Method 1). 8 ´ ; µ= ´ µ ¨ ´ µ: ¾ ! d f g ∑ f x g x Let a ; b B . Then the function f : ∑ ∑ defined by: n 6 x¾∑ 8 ´ ::: µ; = ; = The distance of a Boolean function f from a set of > a x0 x x 0 x7 0 > 5 6 > < ::: µ; = ; = n-argument Boolean functions X is defined as follows: ´ n a x0 x5 x6 0 x7 1 ::: ; µ= f ´x0 x7 > ´ ::: µ; = ; = > b x x x 0 x 0 µ= ´ ; µ; δ ´ f min d f g 0 5 6 7 > : g ¾Xn ::: µ; ¨ ; = ; = b ´x0 x5 1 x6 0 x7 0 ; µ where d ´ f g is the Hamming distance between functions f and g. The distance of a function f from a set of affine is bent [8]. Rearrangements of the 64 blocks in the expres- functions An is the distance of function f from the nearest sion above also result in bent functions.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages6 Page
-
File Size-