Relationships between Bo olean Functions and Symmetric Groups Chengxin Qu, Jennifer Seb erry, Josef Pieprzyk Center for Computer Security Research Scho ol of Information Technology and Computer Science University of Wollongong Email: cxq01,jennie,[email protected] 2 Background Abstract 2.1 Bo olean space and boolean func- We study the relations b etween b o olean functions tions and symmetric groups. We consider elements of a symmetric group as variable transformation op er- The set of n-tuple vectors, ators for b o olean functions. Bo olean function may V = f =(a ; ;a ) j n 1 n b e xed or p ermuted by these op erators. Wegive a 2 GF (2); i =1; ;ng; i some prop erties relating the symmetric group S n and b o olean functions on V . n is a boolean space if its arithmetic is in a Galois n eld. A b o olean space V contains 2 vectors. n Clearly, all the vectors in V are binary sequences. n A boolean function is de ned on V by the map- n ping f (x): V ! V n 1 where x is a variable vector in V . 1 Intro duction n There are several ways to represent a b o olean function: bya p olynomial; by a binary sequence; The values of a b o olean function for each vector and bya (1; 1) sequence. Here we use the p oly- n in V form a binary sequence of length 2 called n nomial representation to discuss b o olean func- a a the trace of the function. The trace of a boolean a 1 2 n tions. Let x = x x x denote a monomial n 1 2 function is widely used in communication systems on V . Then a b o olean function on V is a linear n n such as DE S and S-b ox theory [1 , 2]. To pro- combination of monomials tect against cryptographic attacks b o olean func- M c x c =0 or1; (1) f (x)= tions must satisfy some algebraic prop erties such 2V n as nonlinearity, balance, the propagation criteria and correlation immunity. These are called cryp- where the sign denotes b o olean addition (XOR). tographic prop erties [6 , 8, 11 ]. In this pap er, we For anytwo binary sequences and with the use symmetric groups to study b o olean functions. same length s, we de ne their multiplication () The transformation of variables, x ! x , is called i j and binary addition () as follows; an op eration or a variable transformation op era- tor. We consider elements in the symmetric group = (a ;a ; ;a ) (b ;b ; ;b ) 1 2 s 1 2 s (2) as a variable exchange op erators for b o olean func- = (a b ;a b ; ;a b ) 1 1 2 2 s s tions. We study the conditions under which a = (a ;a ; ;a ) (b ;b ; ;b ) b o olean function is xed or transformed by this 1 2 s 1 2 s (3) = (a b ;a b ; ;a b ): op eration. 1 1 2 2 s s 1 De nition 4 Let 0 k n. The function f (x) So and are still binary sequences. If f (x) on V is k -th order correlation immune if the fol- corresp onds to the binary sequence and g (x) cor- n lowing equation resp onds to , then the functions f (x)g (x) and f (x) g (x) corresp ond to formulae (2) and (3) X f (x) x (1) =0; for 1 wt( ) k; resp ectively. x2V n We call the numb er of 1s in a binary sequence, , its Hamming weight that is denoted by wt( ). is satis ed, where wt( ) is the Hamming weight of Avector in V is a binary sequence with length n a vector 2 V . n n and the values of a b o olean function for eachvec- n tor in V also form a length 2 binary sequence n 2.2 Symmetric group that we call the trace of the function. For anytwo functions f (x) and g (x), their Hamming distance For an n-tuple vector, = (a ;a ; ;a ) 2 V , 1 2 n n is the numb er of 1s in the sequence of the function we consider an op eration on the vector which p er- f (x) g (x). The function (1), with the restriction mutes the p ositions of a and a . Then the vector i j such that c = 0 for all where wt( ) > 1, is b ecomes called an ane function and denoted by '(x). Us- ing the dot pro duct we can write ane functions (a ; ;a ; ;a ; ;a ): 1 j i n with the form We denote the op eration of p ermuting the posi- '(x)= x c; tions of a and a by the op erator = (ij ) and i j then we write where 2 V ; c =0; 1. An ane function is called n a linear function if c = 0 (which corresp onds c = 0 (a ;a ; ;a )=(a ; ;a ; ;a ; ;a ): 1 2 n 1 j i n 0 in the function (1)). The following de nitions are the most imp ortant cryptographic parameters The p ermutations for an n-tuple vector in V may n for a b o olean functions in cryptography [3 , 9, 10 ]. apply to more than two entries. Thus the op era- tion =(ij k )isde nedbytheith entry go es to j th p osition, the j th entry go es to k th p osition, De nition 1 Let f (x) be a function on V . If, n and so on. Thus the op erator =(ij k ), acting as x runs through al l vectors in V , f (x) = 1 is n n1 on the vector , for example, gives the vector true 2 times f (x)=1, then the function f (x) is said to bebalanced. (a ; ;a ;a ;a ; ;a ;a ;a ; ;a ): 1 i1 i+1 j 1 i j +1 n k De nition 2 Let f (x) be a function on V . The n Let and be anytwo op erators for a vector i j nonlinearity (denoted by N ) of the function f (x) f 2 V . Then the combination of the op erators is n is de ned by the minimum Hamming distance de ned by = such that i j from f (x) to al l ane functions over V i.e. n =( ) = ( ): i j i j N = minfwt(f ') j for al l ' on v g: n f The inverse of an op erator exists. For = 1 De nition 3 Let f (x) be a boolean function on (ij k ); = (k ji) is its inverse b ecause 1 1 V . If for a vector 2 V the function f (x) = = e, the unit p ermutation. n n f (x ) is balanced, then the function f (x) is said to have propagation criteria with respect to De nition 5 For an n- the vector . If f (x) has propagation criteria with tuple vector (a ;a ; ;a ) in the boolean space 1 2 n respect to al l vectors with 0 < wt( ) k , then V ,weconsider operations that permute the po- n f (x) has propagation criteria of degree k denoted sitions of the n-tuple. Then al l possible operations by PC(k ). If k =1, the function is said to satisfy on the n-tuple form a group which is cal led the the strict avalanche criteria (SAC ). symmetric group de nedonV and denotedbyS n n (or permutation group). 2 5. (Cayley's theorem). Any group with order n If a subset of S forms a group under the same n is isomorphic with a subgroup of S . laws of combination used in S , then the group is n n called subgroup of S . Anygrouphasatleasttwo n trivial subgroups: the group containing only one For a b o olean space V , wesay that the sym- n element feg; and the group itself. For a symmetric metric group S is de ned on the space, if each n group S , the following prop erties hold. n element in S just permutes the vectors in V . n n Let V and V b e subspaces of V . Let S be m n m+n m 1. The order of S (the numb er of all elements) n the symmetric group for the space V and S for m n is n! i.e. jS j = n!. n the space V . Then for any elements 2 S and n m 0 0 0 2 S , it is obviously that = . We say n 2. We take some elements in S as the genera- n that the two groups are commutative (b oth the tors of the group, if any element in S can n two groups are subgroups of S and S is m+n m+n be equivalently expressed by those genera- 0 0 on V ). Obviously, the set, f j 2 V ; 2 m+n m tors. Then the minimum set of generators for V g denoted by S S (direct product), is a sub- n m n S is of size n 1. Let f(12); (13); ; (1n)g n group of S with order m! n!. m+n be a set of generators of S . Then the el- n ement (123 n), for example, is equal to Let H be a subgroup of S . Then the sub- n (1n) (13)(12). set H , 2 S 2= H , is called the (left) coset n asso ciated with H in S .