
A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE

José Antonio Álvarez-Cubero and Pedro J. Zufiria
Depto. Matemática Aplicada a las Tecnologías de la Información, ETSIT, UPM, E-28040 Madrid, Spain

Antonio Álvarez-Cubero J. and J. Zufiria P. (2010). A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE. In Proceedings of the International Conference on Security and Cryptography, pages 512-520. DOI: 10.5220/0002964505120520. Copyright © SciTePress
SECRYPT 2010 - International Conference on Security and Cryptography

Keywords: C++ library, Walsh transform, Differential profile, Autocorrelation spectrum, Vector boolean function, Nonlinearity, Linearity distance, Balancedness, Resiliency, Propagation criterion.

Abstract: In this paper, a C++ class for analysing Vector Boolean Functions from a cryptographic perspective is presented. This implementation uses the NTL library from Victor Shoup, replacing some of the general purpose modules of this library by some more specialized and better suited to cryptography, and adding new modules that complement the existing ones. With this class, we can obtain the classical representations of a Vector Boolean Function such as its Truth Table and Algebraic Normal Form (ANF). It is possible to calculate mathematical structures such as the Walsh Spectrum, Linear Profile, Differential Profile and Autocorrelation Spectrum. Cryptographic criteria such as nonlinearity, linearity distance, order of correlation immunity, balancedness, algebraic degree and propagation criterion can be obtained with this class. It also makes it possible to find some interesting cryptologic parameters such as linear structures, linear potential, differential potential and the maximum possible nonlinearity or linearity distance of a Vector Boolean Function with the same dimensions. Finally, operations such as identifying whether two Vector Boolean Functions are equal, their sum, direct sum, composition, bricklayering, adding coordinate functions and obtaining the polynomial representation over $GF(2^n)$ of a Vector Boolean Function given the irreducible polynomial and its Truth Table are presented.

1 INTRODUCTION

Nowadays, Vector Boolean functions play an important role in various fields of human activity, such as Coding Theory (McWilliams and Sloane, 1977), Switching Theory (Davio et al., 1978) and Cryptography (Carlet, 2008a), (Carlet, 2008b). Conventional secret key cryptosystems can be expressed as a certain composition of Vector Boolean functions. Thus, in cipher design, it is essential to define criteria which measure the cryptographic strength of Boolean and Vector Boolean functions. Moreover, because of the size and complexity of modern ciphers, an automatic analysis program is very helpful in reducing the time which is necessary to spend on studying cryptographic properties of Vector Boolean Functions.

In this paper, a C++ class for analysing cryptographic properties of Vector Boolean Functions is presented. It is called VBF and is based on the well-known Number Theory Library NTL implemented by Victor Shoup (Shoup, 2009). NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, and for vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:

1. It is free software, and may be used according to the terms of the GNU General Public License.
2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.
3. It can be easily installed in a matter of minutes on just about any platform.
4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.

The VBF class makes use of all the Boolean mathematical objects defined in NTL modules as starting point. However, it was necessary to introduce some new algorithms and cryptographic structures in order to achieve the results described in this paper. The main advantages of this approach are derived from the object oriented implementation and the use of effective algorithms: reusability, maintainability, extensibility and flexibility in the analysis of a broad range of Vector Boolean Functions employed in symmetric ciphers. In our opinion, there is still a lack of stable and efficient C++ algorithms in cryptographic libraries and this implementation can be a very useful tool both for the designer and the cryptanalyst of symmetric ciphers. At the present time, either the libraries are commercial and restricted to some cryptographic properties of Boolean functions (such as (Bibliowicz et al., 2003) or (Gammel, 2006)) or they do not benefit from the new paradigms of object orientation and generic programming (Pommerening, 2001). We have performed a full analysis of a 14 × 14 S-box with the VBF class in less than one second with a Core2 Duo 2.4GHz, 4GB RAM, 2x250GB Debian linux platform.

The paper is organized as follows: Section 2 is devoted to the presentation of the main Vector Boolean Functions concepts. In section 3, we describe the types of Vector Boolean Functions representations that this class can deal with. In section 4, cryptographic relevant matrices, cryptographic criteria and other useful information for cryptanalysis that this implementation can calculate for an individual Vector Boolean Function are described. In section 5, we enumerate the operations over Vector Boolean Functions that are supported. In section 6, we illustrate how the VBF class can be used with examples. Finally, concluding remarks are summarized in Section 7.

2 PRELIMINARIES

Let $\langle GF(2), +, \cdot \rangle$ be the finite field of order 2, where $GF(2) = \mathbb{Z}_2 = \{0,1\}$, '+' the 'integer addition modulo 2' and '·' the 'integer multiplication modulo 2'. $V_n$ is the vector space of n-tuples of elements from $GF(2)$. The direct sum of $x \in V_{n_1}$ and $y \in V_{n_2}$ is defined as $x \oplus y = (x_1,\ldots,x_{n_1},y_1,\ldots,y_{n_2}) \in V_{n_1+n_2}$. The inner product of $x, y \in V_n$ is denoted by $x \cdot y$, and the inner product of real vectors $x, y \in \mathbb{R}^n$ is denoted by $\langle x, y \rangle$.

$f : V_n \to GF(2)$ is called a Boolean function and $\mathcal{F}_n$ is the set of all Boolean functions on $V_n$. $\mathcal{L}_n$ is the set of all linear Boolean functions on $V_n$: $\mathcal{L}_n = \{l_u \ \forall u \in V_n \mid l_u(x) = u \cdot x\}$ and $\mathcal{A}_n$ is the set of all affine Boolean functions on $V_n$.

The real-valued mapping $\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{u \cdot x}$ for $x, u \in V_n$ is called a character. The character form of $f \in \mathcal{F}_n$ is defined as $\chi_f(x) = (-1)^{f(x)}$. The Truth Table of $\chi_f$ is called the (1,−1)-sequence vector or sequence vector of $f$ and is denoted by $\xi_f \in \mathbb{R}^{2^n}$.

Let $f \in \mathcal{F}_n$ be a Boolean function. The Walsh Transform of $f$ at $u \in V_n$ is the n-dimensional Discrete Fourier Transform and can be calculated as follows:

$$\hat{\chi}_f(u) = \langle \xi_f, \xi_{l_u} \rangle = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} \tag{1}$$

The autocorrelation of $f \in \mathcal{F}_n$ with respect to the shift $u \in V_n$ is the cross-correlation of $f$ with itself, denoted by $R_f(u) : V_n \to \mathbb{R}$ and defined by:

$$R_f(u) = \frac{1}{2^n} \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) = \frac{1}{2^n} \sum_{x \in V_n} (-1)^{f(x) + f(u+x)} \tag{2}$$

$F : V_n \to V_m$, $F(x) = (f_1(x),\ldots,f_m(x))$ is called a Vector Boolean function and $\mathcal{F}_{n,m}$ is the set of all Vector Boolean functions $F : V_n \to V_m$. Each $f_i : V_n \to GF(2)$ $\forall i \in \{1,\ldots,m\}$ is a coordinate function of $F$. The indicator function of $F \in \mathcal{F}_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \mathbb{R}$, is defined in (Chabaud and Vaudenay, 1994) as $\theta_F(x,y) = 1$ if $y = F(x)$ and $\theta_F(x,y) = 0$ if $y \neq F(x)$. The character form of $(u,v) \in V_n \times V_m$ can be defined as follows: $\chi_{(u,v)}(x,y) = (-1)^{u \cdot x + v \cdot y}$.

Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean function. Its Walsh Transform is the two-dimensional Walsh Transform defined by:

$$\hat{\theta}_F(u,v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x,y)\,\chi_{(u,v)}(x,y) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \tag{3}$$

(Nyberg, 1994) The autocorrelation of $F \in \mathcal{F}_{n,m}$ with respect to the shift $(u,v) \in V_n \times V_m$ is the cross-correlation of $F$ with itself, denoted by $R_F(u,v) : V_n \times V_m \to \mathbb{R}$, so that:

$$R_F(u,v) = \frac{1}{2^n} \sum_{x \in V_n} \chi_{v \cdot F}(x+u)\,\chi_{v \cdot F}(x) = \frac{1}{2^n} \sum_{x \in V_n} (-1)^{v \cdot F(x+u) + v \cdot F(x)} \tag{4}$$

Let $F \in \mathcal{F}_{n,m}$ and $u \in V_n$, then the difference Vector Boolean function of $F$ in the direction of $u \in V_n$, denoted by $\Delta_u F \in \mathcal{F}_{n,m}$, is defined as follows: $\Delta_u F(x) = F(x+u) + F(x)$, $x \in V_n$. If the following equality is satisfied: $\Delta_u F(x) = c$, $c \in V_n$ $\forall x \in V_n$, then $u \in V_n$ is called a linear structure of $F$.

We define the simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{uv}\}_{u,v}$, characterized by vectors $u$ and $v$, as: $\max(a_{uv}) = \max_{(u,v)} \{|a_{uv}|\}$. Using the same simplifying notation, we define the $\max^{*}(\cdot)$ operator on a set of real numbers $\{a_{uv}\}_{u,v}$ as: $\max^{*}(a_{uv}) = \max_{(u,v) \neq (0,0)} \{|a_{uv}|\}$. This notation will be used in some criteria definitions.

3 REPRESENTATIONS OF VECTOR BOOLEAN FUNCTIONS

Let a Vector Boolean Function $F \in \mathcal{F}_{n,m}$, the representations supported by the VBF class are described

    void putper(const NTL::vec_ZZ& a)
    NTL::vec_ZZ getper() const

If F is an affine Vector Boolean Function with $n \neq m$ (such as the Expansion and Compression DES permutations (NBS, 1977)), then it can be defined as an array with m elements which are the output bits.