
Analysis of Affine Equivalent Boolean Functions for Cryptography

by

Joanne Elizabeth Fuller

Bachelor of Applied Science (Mathematics), 1998
Bachelor of Information Technology (Honours), 1999

Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy

Information Security Research Centre
Faculty of Information Technology
Queensland University of Technology

December, 2003


Keywords: Boolean functions, affine transformation, equivalence class, local connectivity, nonlinearity, algebraic order, autocorrelation, S-boxes, Advanced Encryption Standard


Abstract

Boolean functions are an important area of study for cryptography. These functions, consisting merely of ones and zeros, are the heart of numerous cryptographic systems and their ability to provide secure communication. Boolean functions have application in a variety of such systems, including block ciphers, stream ciphers and hash functions. The continued study of Boolean functions for cryptography is therefore fundamental to the provision of secure communication in the future.

This thesis presents an investigation into the analysis of Boolean functions and in particular, analysis of affine transformations with respect to both the design and application of Boolean functions for cryptography. Past research has often been limited by the difficulties arising from the magnitude of the search space. The research presented in this thesis will be shown to provide an important step towards overcoming such restrictions and hence forms the basis for a new analysis methodology. The new perspective allows a reduced view of the Boolean space in which all Boolean functions are grouped into connected equivalence classes, so that only one function from each class need be established. This approach is a significant development in Boolean function research with many applications, including class distinguishing, class structures, self mapping analysis and finite field based s-box analysis.

The thesis will begin with a brief overview of Boolean function theory, including an introduction to the main theme of the research, namely the affine transformation. This will be followed by the presentation of a fundamental new theorem describing the connectivity that exists between equivalence classes. The theorem of connectivity will form the foundation for the remainder of the research presented in this thesis.

A discussion of efficient algorithms for the manipulation of Boolean functions will then be presented. The ability of Boolean function research to achieve new levels of analysis and understanding is centered on the availability of computer based programs that can perform various manipulations. The development and optimisation of efficient algorithms specifically for execution on a computer will be shown to have a considerable advantage compared to those constructed using a more traditional approach to algorithm optimisation.

The theorem of connectivity will be shown to be fundamental in the provision of many avenues of new analysis and application. These applications include the first non-exhaustive test for determining equivalent Boolean functions, a visual representation of the connected equivalence class structure to aid in the understanding of the Boolean space, and a self mapping constant that enables enumeration of the functions in each equivalence class. A detailed survey of the classes with six inputs is also presented, providing valuable insight into their range and structure.

This theme is then continued in the application of Boolean function construction. Two important new methodologies are presented; the first to yield bent functions and the second to yield the best currently known balanced functions of eight inputs with respect to nonlinearity. The implementation of these constructions is extremely efficient. The first construction yields bent functions of a variety of algebraic orders and input sizes. The second construction provides better results than previously proposed heuristic techniques. Each construction is then analysed with respect to its ability to produce functions from a variety of equivalence classes.

Finally, in a further application of affine equivalence analysis, the impact on both s-box design and construction will be considered. The effect of linear redundancy in finite field based s-boxes will be examined and in particular it will be shown that the AES s-box possesses complete linear redundancy. The effect of such analysis will be discussed and an alternative construction for s-box design that ensures removal of all linear redundancy will be presented, in addition to the best known example of such an s-box.


Contents

1 Introduction
  1.1 Aims and Outcomes of Thesis
  1.2 Overview of Thesis
2 Preliminaries
  2.1 Representation
    2.1.1 Truth Tables
    2.1.2 Algebraic Normal Form
  2.2 The Walsh-Hadamard Transform
    2.2.1 Nonlinearity
    2.2.2 Correlation Immunity and Resilience
    2.2.3 Subfunction Hamming Weight
  2.3 Autocorrelation
    2.3.1 The Propagation Criteria
  2.4 Bent Functions
  2.5 Affine Transformations
    2.5.1 Equivalence Classes
    2.5.2 Invariance Analysis
    2.5.3 Local Connectivity
  2.6 Conclusion
3 Tools for Efficient Boolean Function Analysis
  3.1 General Optimisation Issues
    3.1.1 Algorithm Development
    3.1.2 Operation Minimisation
    3.1.3 Modular Programming
  3.2 Implementation Issues
    3.2.1 Boolean Function Structures
    3.2.2 The Algebraic Normal Form
    3.2.3 The Walsh-Hadamard Transform
    3.2.4 The Autocorrelation Function
  3.3 A Survey of Boolean Functions of Five Inputs
  3.4 Conclusion
4 Analysis of Affine Equivalent Boolean Functions
  4.1 Distinguishing Affine Equivalence Classes
    4.1.1 Basic Class Distinguishing Properties
    4.1.2 m-step Analysis
    4.1.3 Identifying the Affine Transform
    4.1.4 Experimental Analysis
  4.2 Equivalence Class Structures
    4.2.1 Exploration of the Class Structure
    4.2.2 A Visual Representation
    4.2.3 Bent Function Analysis
  4.3 Self Mappings
    4.3.1 Self Mapping Analysis
    4.3.2 Counting Boolean Functions
  4.4 A Survey of Boolean Functions of Six Inputs
    4.4.1 Local and Global Maxima
    4.4.2 Highly Nonlinear and Balanced Boolean Functions
    4.4.3 Correlation Immune Boolean Functions
  4.5 Conclusion
5 Constructing Highly Nonlinear Boolean Functions
  5.1 Construction Methodologies
    5.1.1 Random and Exhaustive
    5.1.2 Algebraic
    5.1.3 Heuristic
  5.2 A New Construction of Bent Functions
    5.2.1 Methodology
    5.2.2 Algorithm
    5.2.3 Experimental Results
    5.2.4 Class Analysis
  5.3 Dynamic Hill Climbing
    5.3.1 Traditional Hill Climbing
    5.3.2 The Boolean Terrain
    5.3.3 The New Approach
    5.3.4 Experimental Analysis
    5.3.5 Class Analysis
    5.3.6 Modified Dynamic Hill Climbing
  5.4 Conclusion
6 Bijective S-box Applications
  6.1 S-box Review
    6.1.1 Traditional Design Criteria
    6.1.2 A New S-box Criterion
    6.1.3 Modern S-boxes
  6.2 Redundancy in the AES S-box Functions
  6.3 Finite Field Based S-boxes
    6.3.1 Inversion
    6.3.2 Power Mappings
    6.3.3 Affine Transforms
  6.4 Removing Linear Redundancy
    6.4.1 2-Step Tweaking
    6.4.2 4-Step Tweaking
  6.5 Impact on Security
  6.6 Conclusion
7 Conclusion
  7.1 Thesis Summary
  7.2 Future Directions
A Equivalence Class Summary


List of Figures

4.1 Class Connection Diagram, n = 3
4.2 Class Connection Diagram, n = 4
4.3 Class Connection Diagram, n = 5
4.4 Highly Nonlinear Class Connection Diagram (Partial), n = 6


List of Tables

2.1 Example of a Truth Table, n = 3
2.2 Calculating the ANF, n = 3
2.3 Example of an ANF, n = 3
2.4 Example of a WHT, n = 3
2.5 Example of Subfunction Hamming Weight, n = 3
2.6 Example of an AC, n = 3
2.7 Equivalence Class Properties, n = 3
2.8 Equivalence Class Properties, n = 4
2.9 Equivalence Class Connectivity, n = 3
2.10 Equivalence Class Connectivity, n = 4
3.1 ANFT Timings (ms per 10000 functions)
3.2 WHT Timings (ms per 10000 functions)
3.3 AC Timings (ms per 10000 functions)
3.4 Survey of Boolean Functions of 5 Input Variables
4.1 Basic Class Distinguishing Properties
4.2 Basic Property Class Analysis, n = 6
4.3 Connectivity Class Analysis, n = 6
4.4 Average Time to Identify an Affine Transform
4.5 Number of Class Connections vs Nonlinearity, n = 6
4.6 Time to Identify an Affine Transform, n = 6
4.7 Timing for Bent Function Indicator Analysis
4.8 Self Mapping Analysis, n = 5
4.9 Self Mapping Analysis, n = 6
4.10 Nonlinearity Frequency Survey, n = 6
4.11 Maximum Classes for Nonlinearity, n = 6
4.12 Balanced Classes of Nonlinearity 26, n = 6
4.13 CI(1) Classes of Nonlinearity 26, n = 6
5.1 Survey of Random Balanced Boolean Functions
5.2 Summary of the New Bent Function Construction
5.3 Bent Function Equivalence Classes, n = 8
5.4 Lower Bounds on the Number of Bent Classes
5.5 Classification of Functions in the Boolean Terrain
5.6 Survey of 2-step Balanced Functions, n = 4
5.7 Survey of 2-step Balanced Functions, n = 5
5.8 Survey of 2-step Balanced Functions, n = 6
5.9 Comparison of Construction Techniques, n = 8
5.10 Change Sets From Dynamic Hill Climbing, n = 8
5.11 Dynamic Hill Climbing Function Types, n = 8
5.12 Example (8,1,6,116) Equivalence Classes
6.1 Average Random Bijective S-box Properties
6.2 Summary of Bijective S-boxes
6.3 b0 Specification and Basic Properties
6.4 b1 Specification and Basic Properties
6.5 Possible Mappings Between i and j
6.6 8 × 8 Finite Field Inversion Based S-box Properties
6.7 8 × 8 Finite Field Power Mapping Properties
6.8 Experimental Results From The Two-Step Tweak
6.9 Experimental Results From The Four-Step Tweak
A.1 Equivalence Class Properties, n = 5
B.1 Equivalence Class Connectivity, n = 5
D.1 Near Bent Classes, n = 6
D.2 Near Bent Classes, n = 6, Continued
E.1 Self Mapping Analysis, n = 5
E.2 Self Mapping Frequency Analysis, n = 5
E.3 Self Mapping Frequency Analysis, n = 6
F.1 Maxima Classes, Nonlinearity ≥ 26
F.2 Balanced Classes of Nonlinearity 26, n = 6
G.1 Bent Function Classes, n = 10 (Order = 2)
G.2 Bent Function Classes, n = 10 (Order = 3)
G.3 Bent Function Classes, n = 10 (Order = 4)
G.4 Bent Function Classes, n = 10 (Order = 5)
J.1 8 × 8 Finite Field Power Mappings
K.1 Frequency Distribution of S-box Properties
K.2 Distribution of S-box Properties


The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed: Date:


[P2] J. Fuller, W. Millan and E. Dawson. Efficient Algorithms for Analysis of Cryptographic Boolean Functions. In Thirteenth Australasian Workshop on Combinatorial Algorithms, Proceedings, pages 133-150, 2002.

[P3] J. Fuller and W. Millan. Linear Redundancy in S-boxes. In Fast Software Encryption, Proceedings, pages 79-92, 2003.

[P4] W. Millan, J. Fuller and E. Dawson. New Concepts in Evolutionary Search for Boolean Functions in Cryptology. To appear, Congress on Evolutionary Computation, Canberra, Australia, December 8-12, 2003.

[P5] J. Fuller, W. Millan and E. Dawson. Evolutionary Generation of Bent Functions for Cryptography. To appear, Congress on Evolutionary Computation, Canberra, Australia, December 8-12, 2003.

Chapter 1

Introduction

Boolean functions play an important role in modern cryptography and its ability to meet the continuing demand for increased communications security. The study of Boolean functions from both a theoretical and practical perspective is crucial in the provision of secure cryptographic applications such as block ciphers, stream ciphers and hash functions.

Since the late 1980s there has been an increasing amount of research in this area; however, there are still many open problems with regard to the design and analysis of Boolean functions for cryptography. The level of security achieved in applications based on Boolean functions is measured by the quality of the combinatorial properties of the functions. The selection of Boolean functions with strong cryptographic properties reduces the effectiveness of advanced cryptanalytic attacks, including linear cryptanalysis [58] and differential cryptanalysis [6].

This thesis presents a study of Boolean functions and in particular, analysis of the affine transformation with respect to both the design and application of Boolean functions for cryptography. The overall aim of the research presented in this thesis is to improve understanding of Boolean functions by providing new perspectives and efficient programming techniques, leading to superior search heuristics for Boolean functions with optimal cryptographic properties.

Past research has often been limited by the difficulties associated with the vast magnitude of the Boolean space. The first objective of this research was therefore to assist in overcoming such restrictions by means of a mapping methodology for Boolean functions. The theorem of connectivity, initially introduced in Chapter 2, fulfils this objective. This theorem defines the relationship between affine equivalent functions. It provides the means to view the Boolean space as a set of connected equivalence classes rather than simply a collection of individual functions.

An extension to this objective was to also investigate any useful applications of this theory. Chapter 4 is dedicated to the exploration of such applications and includes development of the first non-exhaustive algorithm for the purpose of distinguishing between affine equivalent Boolean functions, a visual representation of the Boolean space and discovery of a self mapping constant which is able to define the size of an equivalence class.

The ability to further study Boolean functions, and in particular to explore the Boolean space, is directly correlated with our capacity to manipulate Boolean functions in a fast and efficient manner through computer programs. The second objective of this research was therefore to investigate the optimal methods for such manipulation and determine whether better programming techniques could be developed to facilitate their speedy implementation using the modern computer processor. In Chapter 3 this objective is fulfilled by the specification of efficient algorithms for calculation of the fundamental Boolean function properties, including the Walsh-Hadamard transform, the algebraic normal form and the autocorrelation function.

A third objective was to provide new Boolean function construction techniques. In Chapter 5 this objective is fulfilled with the specification of a new pseudo-random construction for bent functions. Bent functions are of particular interest due to their ability to maximise the important cryptographic property of nonlinearity. This new construction also provides the means to generate a wide variety of bent function equivalence classes. A list of the bent function classes is included. A second construction is also presented in Chapter 5. It is based on our ability to exploit the inherent structure of the Boolean space and yields balanced functions of eight input variables possessing the currently best known level of nonlinearity. The functions resulting from this construction are also subjected to equivalence class analysis to provide an understanding of that particular region of the Boolean space.

The final objective was to examine the impact of affine equivalence analysis in the application of Boolean functions for s-boxes. In Chapter 6 this objective is fulfilled with the specification of a new s-box design criterion, s-box linear redundancy, as well as analysis of many of the currently used s-boxes with regard to this property. The identification of complete linear redundancy in the Advanced Encryption Standard (AES) s-box is made, and analysis of this property for any finite field based s-box is presented. In an extension to the objective, the need for a technique to remove linear redundancy from an s-box was also identified. The final section of Chapter 6 provides such a technique, as well as examples of the best known s-boxes without linear redundancy.

The specific suitability of a Boolean function for use in cryptography is typically determined from the evaluation of various properties of the algebraic normal form (ANF) and Walsh-Hadamard transform (WHT) of the function. Chapter 2 will provide the preliminary review of Boolean function theory, including their representation, the ANF, the WHT and the autocorrelation function (AC), as well as the various properties of cryptographic importance derived from each.

This will be followed by an introduction to the main theme of the research, namely the affine transformation, which provides the basis for grouping Boolean functions into equivalence classes that possess similar cryptographic properties and hence provide a reduced view of the Boolean search space that is more amenable to exploration. A fundamental new theorem describing the connectivity that exists between equivalence classes will be presented. The theorem of connectivity will form the foundation of the research presented in the chapters that follow. The definition of the theorem of connectivity was published in [P3].

The design and analysis of Boolean functions for cryptographic applications typically involves a substantial amount of computational processing. In particular, for Boolean functions of a large number of input variables this analysis places a high demand on computing resources. No consideration has been given, to date, to the provision of efficient Boolean function programming techniques in the related cryptographic literature. Chapter 3 will examine a range of general optimisation techniques that can be applied to Boolean function programs. A structure and code for an optimal implementation of Boolean functions and their associated operations, including the WHT, ANF and AC, will be presented using the C language. This work was published in [P2].

The theorem of connectivity will then be shown to be fundamental in the provision of many avenues of new analysis and research. In Chapter 4 a variety of applications of the theorem and equivalence class analysis will be discussed, including the first non-exhaustive test for determining equivalent Boolean functions, a visual representation to aid in the understanding of the Boolean space and a self mapping constant that enables enumeration of the equivalence classes. This chapter will present many previously unknown sets of exhaustive data, including a survey of the Boolean space of six input variables with respect to global maximum equivalence classes, balanced highly nonlinear equivalence classes and correlation immune equivalence classes. This work concerning the structure of the equivalence class space has been published in [P4].

The construction of cryptographically useful functions is also a difficult task. A range of algebraic techniques and heuristic techniques are currently available to construct such functions; however, these methods can be complex, computationally difficult to implement and do not always produce a sufficient variety of functions. In Chapter 5 the theme of equivalence class analysis is then continued in the application of Boolean function construction. Two important new construction methodologies are presented; the first to yield bent functions and the second to yield the best currently known balanced functions of eight inputs with respect to nonlinearity. An extension of the algorithm is also applied to functions of twelve inputs. Each construction is analysed with respect to its ability to produce functions from a variety of equivalence classes. This work relates to the construction of a Boolean function as published in [P1], as well as more detailed use of the constructions that were published in [P4] and [P5].

Finally, in a further application of affine equivalence analysis, the impact on both s-box design and construction will be considered in Chapter 6. The non-random nature of s-box linear redundancy will be established. The effect of linear redundancy in finite field based s-boxes will then be examined and in particular it will be shown that the AES s-box possesses complete linear redundancy. The effect of such analysis will be discussed and a modified finite field construction for s-box design that ensures removal of all linear redundancy will be presented. Experimental results will then be provided to demonstrate the effectiveness of the new construction. As well, the best known example of an s-box without linear redundancy, generated using this technique, will be listed. This work was published in [P3].


Chapter 2

Preliminaries

This chapter presents a review of theory relevant to the study of Boolean functions for cryptography. The typical forms of Boolean function representation include the truth table (TT) and the algebraic normal form (ANF). A definition for both the TT and ANF is given, as well as an introduction to the cryptographic measures relating to each representation. The relationships between the TT, ANF and their various properties are also discussed.

The Walsh-Hadamard transform (WHT) provides another means of representing a Boolean function, in addition to being a source of valuable cryptographic information. The relationship between the WHT and the TT is defined, as well as several important cryptographic results, including Parseval's equation, the measure of nonlinearity, the concept of correlation immunity and the theory relating the WHT to the Hamming weight found in subfunctions. The WHT is then also used to provide a definition of the power spectrum and the autocorrelation function (AC). The AC of a Boolean function is then also discussed in more detail, including a review of a fundamental theorem that relates it to the WHT by fast transform techniques, as well as the important cryptographic measures known as the propagation criteria and the avalanche criteria (defined directly from the AC).

Finally, the affine transformation and a theorem that describes a previously unknown relationship between equivalent functions is introduced. The affine transformation is the basis for much of the research presented in the following chapters and as such, this review will serve as the foundation for this work. A definition is given, as well as a summary of the known results concerning the affine transformation. In particular, the relationship between the affine transform and the various forms of Boolean function representation will be considered. As well, a new and fundamental result on the invariance properties of the local connection structure of affine equivalence classes will be introduced. The theorem of connectivity will be established and a survey of the connectivity results presented.


2.1 Representation

A Boolean function $f(x) : \mathbb{Z}_2^n \to \mathbb{Z}_2$, where $x = (x_1, x_2, \dots, x_n)$, is a mapping from $n$ binary inputs to one binary output. We let $B_n$ represent the set of all $2^{2^n}$ Boolean functions of $n$ variables. Boolean functions can be represented using a variety of different forms, each with their own usefulness in regard to cryptographic analysis.

2.1.1 Truth Tables

The basic representation of a Boolean function is the binary truth table, which is a list of the output for each of the $2^n$ possible inputs to that Boolean function. The binary truth table is so named because the output symbols are elements of the set $\{0, 1\}$. Alternatively, for some applications it is useful to consider a Boolean function over the set $\{1, -1\}$. The truth table under this mapping is referred to as the polarity truth table and the hat notation is used to identify a function in this form. The polarity truth table can be easily derived from the binary truth table and vice versa, using the relationship $\hat{f}(x) = 1 - 2f(x)$ as given in [42, 79]. An example Boolean function, in binary and polarity form, is given below.

Table 2.1: Example of a Truth Table, n = 3


Definition 2.1.2 The Hamming distance between two functions $f \in B_n$ and $g \in B_n$ is defined as the number of truth table positions in which the functions differ, and can be expressed as the Hamming weight of the XOR sum of the two functions:

$$\mathrm{dist}(f, g) = \mathrm{wt}(f \oplus g)$$

The concept of correlation is significant as it provides a convenient measure of the extent to which two Boolean functions approximate each other. The definition and mathematical expression for correlation is given as follows.

Definition 2.1.3 The correlation between two functions $f \in B_n$ and $g \in B_n$ is given by

$$c(f, g) = 1 - \frac{\mathrm{dist}(f, g)}{2^{n-1}}$$

Correlation is a rational number in the range $[-1, 1]$. From the definition we see that the upper bound of $1$ is achieved when the Hamming distance between the two functions is equal to zero. Similarly, the lower bound of $-1$ is achieved when the Hamming distance between the two functions is equal to $2^n$. Correlation is an important tool in the analysis of pairs of functions, particularly in relation to the concept of imbalance in a Boolean function.

Definition 2.1.4 A function is said to be balanced when half of the function values are equal to one; $\mathrm{wt}(f) = 2^{n-1}$ or, alternatively, $\mathrm{wt}(\hat{f}) = 0$.

Definition 2.1.5 The imbalance of a Boolean function is defined to be

$$I(f) = \left|\mathrm{wt}(f) - 2^{n-1}\right| = 2^{n-1}\,\left|c(f(x), 0)\right|$$

where $0$ indicates the constant zero Boolean function.

Imbalance is the minimum Hamming distance to a balanced function and is therefore directly proportional to the magnitude of the correlation with the constant zero Boolean function. Thus, when imbalance is zero, the function is balanced. Balance is a fundamental cryptographic criterion, as an imbalanced function has sub-optimal unconditional entropy, i.e. it is correlated to a constant function.

2.1.2 Algebraic Normal Form

The Algebraic Normal Form (ANF) also provides a useful representation of the Boolean function. The ANF describes a Boolean function in terms of a unique XOR sum of AND products of the input variables [47].

Definition 2.1.6 The algebraic normal form expresses a Boolean function as the XOR sum of ANDed input variables, such that given $S = \{1, 2, \dots, n\}$ we can describe

Table 2.2: Calculating the ANF, n = 3


Form Transformation (ANFT). The ANFT is its own inverse and as such the binary truth table can be obtained from the ANF also using the ANFT. A full discussion of an efficient software implementation of the ANF for large $n$ is given in Chapter 3.

Definition 2.1.7 [47, 80] The ANF of a Boolean function $f(x)$ is related to the TT by $\mathrm{ANF}_f = A_n \cdot f \bmod 2$, where the ANFT matrix $A_n$, of size $2^n \times 2^n$, is defined recursively using the Kronecker product of matrices as follows

is defined as the number of terms in the ANF [65]. Algebraic order, or just order, is given by the order of the largest product term that exists in the ANF, where the order of a product term refers to the number of variables it includes [79]. Order is an important property as it provides a measure of the complexity of a Boolean function. We refer to functions of order two as quadratic and functions of order three as cubic.

Definition 2.1.8 The algebraic weight, denoted $\mathrm{awt}(f)$, is defined as the number of coefficients $a_I$ in the algebraic normal form of $f$ that are equal to one.

Definition 2.1.9 The algebraic order, denoted $\mathrm{ord}(f)$, is defined as the size of the largest product term in the algebraic normal form of $f$.

A linear function is defined as one consisting only of the XOR sum of single input variables. Similarly, the set of affine functions is defined as the set of linear functions and their complements. A mathematical description of the linear and affine functions is given as follows.

Definition 2.1.10 A linear function is defined as the XOR sum of a subset of the input variables, denoted

$$L_\omega(x) = \omega_1 x_1 \oplus \omega_2 x_2 \oplus \dots \oplus \omega_n x_n$$

where $\omega = (\omega_1, \omega_2, \dots, \omega_n) \in \mathbb{Z}_2^n$.

Definition 2.1.11 The set of affine functions are the linear functions and their complements,

$$A_{\omega, c}(x) = L_\omega(x) \oplus c$$

where $c \in \{0, 1\}$.


Several results follow from these definitions. With regard to algebraic order, we see that the XOR sum of any two functions $f$ and $g$ will have order equal to the larger of the orders of $f$ and $g$, unless their sets of highest order terms are the same, in which case the order will reduce. Also, the addition of a single term $a_I$ of order $r$ to a function $f(x)$ causes the truth table of $f(x)$ to be complemented in $2^{n-r}$ places. The complemented bits are those for the inputs $x \in \mathbb{Z}_2^n$ with $x_i = 1$ for all $i \in I$ [60]. It is also known that the order of a given Boolean function places limitations on the corresponding Hamming weight [52]. In particular, the Hamming weight of any Boolean function with order $r$ is a multiple of $2^{\lceil n/r \rceil - 1}$, where $\lceil i \rceil$ is the least integer not less than $i$. Also, any Boolean function with order $r < n$ must possess even Hamming weight. Similarly, any Boolean function with order $r = n$ must possess odd Hamming weight.
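The ANF transform of Definition 2.1.7 and the order and weight results above can be exercised on a small function. The following Python is a worked example added to this page; it is not the thesis' own C implementation from Chapter 3. It assumes a truth table is stored as a list of $2^n$ bits with the input $x = (x_1, \dots, x_n)$ at index $\sum_i x_i 2^{i-1}$ (an ordering the excerpt does not fix), and uses the same bit encoding of a set $I$ to name the ANF term $\prod_{i \in I} x_i$. The butterfly form of $A_n \cdot f \bmod 2$ is used instead of building the $2^n \times 2^n$ matrix. On the constructed function $f = x_1 x_2 \oplus x_3 x_4 \oplus x_1$ it checks that the transform is an involution, computes $\mathrm{awt}(f)$ and $\mathrm{ord}(f)$, counts the $2^{n-r}$ truth table positions complemented when a term of order $r$ is added, and checks the weight divisor $2^{\lceil n/r \rceil - 1}$.

```python
"""Algebraic normal form via the fast ANF transform (added example).

Truth tables are lists of 2**n bits; input x = (x1, ..., xn) sits at index
sum(x_i * 2**(i-1)) (an assumed ordering, not fixed by the thesis excerpt).
The same bit encoding names an ANF term: index I encodes the monomial
prod_{i in I} x_i, so index 0 is the constant term.
"""


def anf_transform(vec):
    """Fast transform between a truth table and its ANF coefficients.

    Butterfly form of ANF_f = A_n * f mod 2 (Definition 2.1.7). The transform
    is an involution, so the same routine maps coefficients back to the TT.
    """
    out = list(vec)
    size = len(out)
    assert size and size & (size - 1) == 0, "length must be a power of two"
    step = 1
    while step < size:
        for i in range(size):
            if i & step:                  # pair index i with i ^ step below it
                out[i] ^= out[i ^ step]
        step <<= 1
    return out


def truth_table(n, predicate):
    """Evaluate predicate(x) over all 2**n inputs; x[i] holds x_{i+1}."""
    return [predicate(tuple((idx >> i) & 1 for i in range(n))) & 1
            for idx in range(1 << n)]


def algebraic_weight(anf):
    """awt(f): number of ANF coefficients equal to one (Definition 2.1.8)."""
    return sum(anf)


def algebraic_order(anf):
    """ord(f): size of the largest product term present (Definition 2.1.9)."""
    return max((bin(i).count("1") for i, a in enumerate(anf) if a), default=0)


def weight_divisor(n, r):
    """Every function of order r has Hamming weight divisible by this value,
    2**(ceil(n/r) - 1), the bound quoted from [52] in the text."""
    return 1 << (-(-n // r) - 1)


def flips_from_added_term(tt, term_index):
    """Add one ANF term and report how many truth-table entries change.

    The text states the count is 2**(n - r) for a term of order r: exactly
    the inputs with x_i = 1 for every i in the term.
    """
    anf = anf_transform(tt)
    anf[term_index] ^= 1
    new_tt = anf_transform(anf)
    return sum(a != b for a, b in zip(tt, new_tt))


if __name__ == "__main__":
    # constructed example: f = x1 x2 + x3 x4 + x1, a quadratic of four inputs
    tt = truth_table(4, lambda x: (x[0] & x[1]) ^ (x[2] & x[3]) ^ x[0])
    anf = anf_transform(tt)
    print("ANF term indices:", [i for i, a in enumerate(anf) if a])
    print("awt =", algebraic_weight(anf), "ord =", algebraic_order(anf))
    print("round trip ok:", anf_transform(anf) == tt)
    print("wt(f) =", sum(tt), "is a multiple of", weight_divisor(4, 2))
    print("adding x1 x2 x3 flips", flips_from_added_term(tt, 0b0111), "entries")
```

The transform runs in $n 2^{n-1}$ XORs instead of the $2^{2n}$ multiplications of the explicit matrix product, which is the kind of saving Chapter 3 is concerned with for large $n$.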

2.2 The Walsh-Hadamard Transform

The Walsh-Hadamard Transform (WHT) provides another way to represent a Boolean function. The WHT expresses a Boolean function in terms of its correlation with all linear functions and is unique for each function.

Definition 2.2.1 The Walsh-Hadamard transform, denoted by $\hat{F}(\omega)$, is calculated from the polarity truth table as

$$\hat{F}(\omega) = \sum_{x} \hat{f}(x)\,\hat{L}_\omega(x), \qquad \omega \in \mathbb{Z}_2^n.$$

Most commonly the WHT of a Boolean function is defined in relation to the polarity truth table (as above); however, an alternative definition does exist with respect to the binary truth table [38]. The relationship between the two formats is given in [42]. Both forms of the WHT are invertible. The WHT of the example Boolean function (continued from Table 2.1) is given in Table 2.4.


From the definition we see that $-2^n \le \hat{F}(\omega) \le 2^n$ for all $\omega$, and that each $\hat{F}(\omega)$ is directly proportional to the correlation with the corresponding linear function. If $\hat{F}(0) = 0$ the function is balanced. As well, the maximum absolute value of the WHT provides an important cryptographic measure of a Boolean function known as nonlinearity. A discussion and definition of nonlinearity will be given in the following section. In Chapter 3 the definition of the Walsh-Hadamard matrix used to perform this operation is given, in conjunction with a discussion of an efficient software implementation of the WHT.

The WHT provides the basis for the definition of the power spectrum. The power spectrum of a Boolean function is defined to be the square of the WHT and as such, it is a one-way relationship in that the WHT cannot be recovered from the power spectrum due to the loss of the signs of the WHT values. The power spectrum is used to provide an efficient calculation of the AC, as will be discussed in Section 2.3.

Definition 2.2.2 The power spectrum of a Boolean function is defined as the square of the polarity Walsh-Hadamard transform, denoted $P_{\hat{f}}(\omega)$, such that $P_{\hat{f}}(\omega) = \hat{F}^2(\omega)$.

We shall also make use of the polarity spectrum, which provides the signs of the WHT values. The polarity spectrum can be used in conjunction with the power spectrum to recover the original WHT.

Definition 2.2.3 The polarity spectrum of a Boolean function, denoted $S_{\hat{f}}(\omega)$, such that


2.2.1 Nonlinearity

It is vital that the Boolean functions used in cryptographic systems possess properties that reduce the effects of advanced modern cryptanalytic attacks such as linear cryptanalysis [58]. In cryptographic systems, the method of iterating confusion and diffusion is used as a fundamental technique for achieving security [93]. Confusion is reflected in the nonlinearity of Boolean functions. Nonlinearity is therefore an important property (perhaps the most important property) in assessing the cryptographic value of a Boolean function. All linear systems are easily breakable.

Several criteria exist for measuring the nonlinearity of a Boolean function, including the minimum distance to any affine function and the order of a Boolean function. An evaluation of these various measurements of a Boolean function's nonlinearity was made in [59]. It was found that the minimum distance to any affine function provides the most robust measure of nonlinearity, meaning that small changes to the truth table result in only small changes to this distance. Hence, the minimum distance to any affine function is used to define nonlinearity, such that the smaller the minimum distance to any affine function, the greater the nonlinearity.

Definition 2.2.5 The nonlinearity of a Boolean function is defined as the minimum Hamming distance to the set of affine functions. Nonlinearity is given directly by observing $|\hat{F}_{\max}|$, the maximum absolute value occurring in $\hat{F}(\omega)$, and calculated as

$$N(f) = \frac{1}{2}\left(2^n - |\hat{F}_{\max}|\right).$$

It should be noted that it remains an open problem to determine the maximum nonlinearity for balanced Boolean functions with an even number of input variables greater than six. The maximum nonlinearity for Boolean functions with an odd number of input variables greater than seven also remains an open problem. An upper bound on the nonlinearity of such functions is, however, given in [41]. Other important papers concerning nonlinearity include [9, 39, 84, 88, 90, 107, 111, 109]. As well, much research has been directed towards the study of nonlinearity with regard to correlation immunity and resilience, including [22, 25, 26, 40, 41, 50, 54, 56, 75, 76, 77, 85, 91, 96, 97, 110].

In stream cipher applications, in particular, it is vital that the Boolean function used as the combining function have certain properties. In addition to being balanced, possessing high nonlinearity and high order, the function should have correlation immunity greater than zero to resist a divide and conquer attack [94].


The definition of the property of correlation immunity stems from the question as to whether or not the output of a Boolean function is correlated to any subset of the input variables. A Boolean function is described as having correlation immunity of order m, CI(m), if there is exactly zero correlation between the function and any linear function of algebraic weight less than or equal to m. A Boolean function of CI(m) is therefore statistically independent of any subset of m input variables [94].

Definition 2.2.6 [101] Let f(x) be a Boolean function of n variables with polarity WHT $\hat{F}(\omega)$. The function will have correlation immunity of order m if and only if $\hat{F}(\omega) = 0$ for all non-zero $\omega$ with $\mathrm{wt}(\omega) \le m$.

The term resilient function was introduced independently to describe functions that are both balanced and correlation immune [28].

Definition 2.2.7 Let f(x) be a Boolean function of n variables with polarity WHT $\hat{F}(\omega)$. The function can be described as being m-resilient if and only if $\hat{F}(\omega) = 0$ for all $\omega$ with $\mathrm{wt}(\omega) \le m$.

An important result exists between correlation immunity and algebraic order. There is a trade off between the algebraic order of a Boolean function and the maximum level of correlation immunity that it can possess. The following theorems describe the relationship, which is known as the Siegenthaler bound.

Theorem 2.2.8 [94] Let f(x) be a Boolean function of n variables and algebraic order r that is order m correlation immune. Then $r \le n - m$.

Theorem 2.2.9 [94] Let f(x) be a balanced nonlinear Boolean function of n variables and algebraic order r that is m-resilient. Then $r \le n - m - 1$.

The property of correlation immunity has been the focus of many papers, including [8, 26, 25, 41, 50, 57, 73, 75, 91, 101, 108]. Despite the increasing interest in correlation immunity, the number of balanced Boolean functions which possess correlation immunity of order m remains, in general, an open problem. However, an upper bound on the number of balanced and CI(m) functions for a given number of input variables is given in [87]. More recently the specific topic of resilient functions has received considerable interest; more general papers include [10, 20, 24, 55, 84, 104], while papers discussing correlation immunity with regard to nonlinearity include [9, 18, 27, 40, 22, 54, 56, 76, 77, 85, 96, 97, 110, 111].
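The WHT-based measures of Sections 2.2 and 2.2.1 (Definitions 2.2.1, 2.2.5, 2.2.6 and 2.2.7, together with the Siegenthaler bound of Theorems 2.2.8 and 2.2.9) can be checked on small functions with the following Python code. This is an added example and not code from the thesis; the two sample functions, the bit-ordering convention (bit i of the integer x holds the variable $x_{i+1}$) and all function names are assumptions of the example. The algebraic order is obtained from the algebraic normal form via the binary Moebius transform, which the text does not describe but which is the standard way to read the order off a truth table.

```python
# Added example (not from the thesis): WHT-based measures of a Boolean function.
# Convention (assumed here): an input x is an integer whose bit i (bit 0 is the
# least significant) holds the variable x_{i+1}; the truth table is tt[x] = f(x).

def parity(v):
    """Parity of the set bits of v; for v = w & x this is the linear function <w, x>."""
    return bin(v).count("1") & 1


def truth_table(n, fn):
    """Binary truth table of an n-variable function given as a callable on [x1, ..., xn]."""
    return [fn([(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def wht(tt):
    """Polarity Walsh-Hadamard transform (Def. 2.2.1): F(w) = sum_x (-1)^(f(x) xor <w,x>)."""
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ parity(w & x)) for x in range(size))
            for w in range(size)]


def is_balanced(tt):
    """f is balanced exactly when F(0) = 0."""
    return wht(tt)[0] == 0


def nonlinearity(tt):
    """Def. 2.2.5: N(f) = (2^n - |F_max|) / 2, the distance to the nearest affine function."""
    fmax = max(abs(v) for v in wht(tt))
    return (len(tt) - fmax) // 2


def correlation_immunity(tt):
    """Def. 2.2.6: largest m such that F(w) = 0 for every non-zero w with wt(w) <= m."""
    n = len(tt).bit_length() - 1
    spectrum = wht(tt)
    lightest_nonzero = min((bin(w).count("1") for w in range(1, len(tt))
                            if spectrum[w] != 0), default=n + 1)
    return lightest_nonzero - 1


def resiliency(tt):
    """Def. 2.2.7: order of resilience, or None when f is not balanced."""
    return correlation_immunity(tt) if is_balanced(tt) else None


def algebraic_order(tt):
    """Degree of the algebraic normal form, computed with the binary Moebius transform."""
    n = len(tt).bit_length() - 1
    anf = list(tt)
    for i in range(n):
        for x in range(len(tt)):
            if x & (1 << i):
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(x).count("1") for x in range(len(tt)) if anf[x]), default=0)


def siegenthaler_bound(tt):
    """Upper bound on the order from Theorems 2.2.8/2.2.9: n - m, or n - m - 1 if balanced."""
    n = len(tt).bit_length() - 1
    m = correlation_immunity(tt)
    return n - m - 1 if is_balanced(tt) else n - m


# Constructed sample functions on n = 4 variables.
BENT = truth_table(4, lambda v: (v[0] & v[1]) ^ (v[2] & v[3]))        # x1x2 + x3x4
RESILIENT = truth_table(4, lambda v: v[0] ^ v[1] ^ (v[2] & v[3]))     # x1 + x2 + x3x4

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("resilient", RESILIENT)):
        print(name, "N(f) =", nonlinearity(tt), "balanced =", is_balanced(tt),
              "CI =", correlation_immunity(tt), "order =", algebraic_order(tt),
              "Siegenthaler bound =", siegenthaler_bound(tt))
```

For the bent function every WHT value is $\pm 4$, so $N(f) = (16 - 4)/2 = 6$ and, since $\hat{F}(0) = 4 \ne 0$, it is unbalanced and only CI(0). For $x_1 \oplus x_2 \oplus x_3 x_4$ the spectrum is zero at every $\omega$ of weight at most one, so the function is 1-resilient of order 2, and the bound $r \le n - m - 1 = 2$ of Theorem 2.2.9 is met with equality. The theorem excludes affine functions: the parity function $x_1 \oplus \cdots \oplus x_4$ has $m = 3$ and order 1, which exceeds $n - m - 1 = 0$.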


2.2.3 Subfunction Hamming Weight

In an extension to the existing literature, the WHT can be used to define the Hamming weights of subfunctions; an important new result that will be applied in Chapter 5 as the basis for a new methodology for the efficient construction of bent functions.

We may consider the truth table of an n-variable Boolean function f(x) as the simple concatenation of two subfunction truth tables, $f_0$ and $f_1$, each a Boolean function taking n − 1 variables. This may be expressed more generally using the following splitting notation, where the splitting direction is defined by the n-bit vector $\omega$ and

$$f_1 = \begin{cases} f(x) & \text{if } \langle \omega, x \rangle = 1 \\ \text{undefined} & \text{otherwise} \end{cases}$$

The special case where $\omega = e_1$ corresponds to the natural concatenation operation. This definition can now be used to examine the Hamming weight of subfunctions.

Definition 2.2.11 Let $f = [f_0|f_1]_{e_1}$ be the representation of a Boolean function f(x) that is split by the m-bit unit vector $e_1$ into two subfunctions $f_0(x)$ and $f_1(x)$. By applying a linear transformation $g(x) = T(f(x)) = f(T(x))$, where T is an $n \times n$ non-singular binary matrix that maps $\omega \to e_1$, we obtain $g(x) = [g_0|g_1]_\omega$.

This transform is reversible, so that any g(x) split along $e_1$ is equivalent to some transformed function $f(x) = T^{-1}(g(x))$ split along $T^{-1}(\omega) = e_1$. It follows that when considering linear transforms, we may think of $\omega = e_1$ without loss of generality. It should be noted that if $h(x) = f(x) \oplus g(x)$ then $h_i = f_i \oplus g_i$ for $i \in \{0, 1\}$, where all splits are with respect to the common direction vector $\omega$. The following theorem defines the Hamming weight of a function in relation to its WHT values.

Theorem 2.2.12 The Hamming weight for either of the $\omega$-subfunctions from any Boolean function is given by the WHT values as follows:

$$\mathrm{wt}(f_0, f_1) = \frac{2^n - \hat{F}(0) \pm \hat{F}(\omega)}{4}.$$


Proof Split a Boolean function along some arbitrary $\omega$ so that $f(x) = [f_0|f_1]_\omega$. Clearly we have that $\mathrm{wt}(f) = \mathrm{wt}(f_0) + \mathrm{wt}(f_1)$. Let $\#\{\cdot\}$ be the cardinality of a set; then by the WHT definition we have

$$\mathrm{wt}(f \oplus L_\omega) = \mathrm{wt}(f_0) + \left(2^{n-1} - \mathrm{wt}(f_1)\right).$$

Now gathering these threads together we obtain

The subfunction Hamming weight, for all $\omega$, is shown for an example Boolean function (continued from Table 2.1) in Table 2.5. The table demonstrates that for this particular function, there are three splitting directions which yield balanced subfunctions and four splitting directions which yield unbalanced subfunctions.


Table 2.5: Example of Subfunction Hamming Weight, n = 3

The autocorrelation function (AC) provides a useful description of a Boolean function in relation to its cryptographic properties. The AC is derived from the power spectrum of the WHT and gives an indication of the imbalance of all first order derivatives of a Boolean function. As differential cryptanalysis [6] exploits imbalanced derivatives of Boolean functions, the AC is vital in the analysis of Boolean functions for cryptography.

Definition 2.3.1 The derivative of a Boolean function f(x), taken with respect to a vector s, is defined as


Table 2.6: Example of an AC, n = 3

Definition 2.3.3 The absolute indicator of a Boolean function, denoted $M(f)$, is given directly by observing $|r_{\max}| = \max[|r(s)|]$ for $s \ne 0$, the maximum absolute value occurring in r.

A Boolean function with a small $M(f)$ is considered cryptographically desirable [105]. The absolute indicator will range from zero (for bent functions) to $2^n$ for affine functions. Another important cryptographic measure observed directly from the AC function is the sum of squares [105].

Definition 2.3.4 [105] The sum of squares defines the sum of squares over all AC values.

The sum of squares will range from $2^{2n}$ (for bent functions) to $2^{3n}$ for affine functions. Other papers that discuss autocorrelation include [17, 42, 79, 80] and also more recently [55, 104].

The WHT and the AC of a Boolean function are related by the well known Wiener-Kintchine theorem. The Wiener-Kintchine theorem is particularly important as it provides the basis for an efficient software implementation of the AC, to be discussed further in Chapter 3. The theorem can be stated as follows, a proof of which is given in [12]. The theorem demonstrates that the autocorrelation function may be obtained as the inverse Walsh-Hadamard transform of the power spectrum.


Theorem 2.3.5 The WHT of the autocorrelation function is equal to the power spectrum. Therefore, for all $\omega \in \mathbb{Z}_2^n$ it is true that

$$\sum_{s \in \mathbb{Z}_2^n} r(s)(-1)^{s \cdot \omega} = \left(\hat{F}(\omega)\right)^2.$$

Several criteria have been established to describe the response of a Boolean function in relation to controlled changes in the input. In particular, the avalanche effect, the strict avalanche criterion (SAC), the global avalanche criterion (GAC) and the propagation criterion (PC) are accepted as useful cryptographic properties.

The avalanche effect is defined with respect to a specific input bit such that complementing that input bit results in a change to the output bit with a probability of exactly one half.

Definition 2.3.6 The avalanche effect with respect to a variable $e_i$ of a Boolean function f(x), denoted $A_{e_i}(f)$, is defined as

A Boolean function will satisfy the SAC if and only if complementing a single input bit results in a change to the output bit with a probability of exactly one half. The SAC can also be detected using the autocorrelation function.

The avalanche effect can therefore also be measured directly from the values taken by the autocorrelation function.

Lemma 2.3.8 [65] Let f(x) be a Boolean function with autocorrelation function r(s). The avalanche effect, $A_f(s)$, of f(x) in direction s is given by

$$A_f(s) = \frac{2^n - r(s)}{2^{n+1}}.$$
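The autocorrelation material of Section 2.3, together with the subfunction weights of Theorem 2.2.12, can be exercised with the following Python code. It is an added example, not code from the thesis: the autocorrelation is computed by the Wiener-Kintchine route of Theorem 2.3.5 (inverse WHT of the power spectrum) and cross-checked against the direct count of derivative imbalances, and from it the absolute indicator (Definition 2.3.3), the sum of squares (Definition 2.3.4), the avalanche effect (Lemma 2.3.8) and the SAC are read off. The sample functions, the bit-ordering convention (bit i of the integer x holds $x_{i+1}$) and the function names are assumptions of the example; the sign assignment in Theorem 2.2.12 used below ($f_0$ on $\langle \omega, x \rangle = 0$ taking the minus sign) follows from the identity in the proof and is verified against direct counting.

```python
# Added example (not from the thesis): autocorrelation-based measures of a Boolean
# function and the subfunction weights of Theorem 2.2.12.  Convention (assumed here):
# bit i of the integer x (bit 0 least significant) holds the variable x_{i+1}.
from fractions import Fraction


def parity(v):
    """Parity of the set bits of v; for v = w & x this is the linear function <w, x>."""
    return bin(v).count("1") & 1


def truth_table(n, fn):
    """Binary truth table of an n-variable function given as a callable on [x1, ..., xn]."""
    return [fn([(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def wht(tt):
    """Polarity WHT: F(w) = sum_x (-1)^(f(x) xor <w,x>)."""
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ parity(w & x)) for x in range(size)) for w in range(size)]


def autocorrelation_direct(tt):
    """r(s) = sum_x (-1)^(f(x) xor f(x xor s)): imbalance of the derivative in direction s."""
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ tt[x ^ s]) for x in range(size)) for s in range(size)]


def autocorrelation(tt):
    """Theorem 2.3.5: r is the inverse WHT of the power spectrum F(w)^2."""
    size = len(tt)
    power = [v * v for v in wht(tt)]
    # The inverse WHT carries the factor 1/2^n; the division is exact for integer spectra.
    return [sum(power[w] * (-1) ** parity(w & s) for w in range(size)) // size
            for s in range(size)]


def absolute_indicator(r):
    """Def. 2.3.3: M(f) = max |r(s)| over s != 0."""
    return max(abs(v) for v in r[1:])


def sum_of_squares(r):
    """Def. 2.3.4: sum of the squares of all AC values."""
    return sum(v * v for v in r)


def avalanche(r, s):
    """Lemma 2.3.8: A_f(s) = (2^n - r(s)) / 2^(n+1), the probability that a change by s flips f."""
    size = len(r)
    return Fraction(size - r[s], 2 * size)


def satisfies_sac(r):
    """SAC: avalanche probability exactly 1/2 for every single-bit direction e_i."""
    n = len(r).bit_length() - 1
    return all(avalanche(r, 1 << i) == Fraction(1, 2) for i in range(n))


def subfunction_weights(tt, w):
    """Theorem 2.2.12: (wt(f0), wt(f1)) for the split along w, from F(0) and F(w).
    f0 lives on <w,x> = 0 and takes the minus sign, as the proof's identity
    wt(f xor L_w) = wt(f0) + 2^(n-1) - wt(f1) requires; verified by direct counting."""
    size = len(tt)
    spectrum = wht(tt)
    from_wht = ((size - spectrum[0] - spectrum[w]) // 4,
                (size - spectrum[0] + spectrum[w]) // 4)
    direct = (sum(tt[x] for x in range(size) if parity(w & x) == 0),
              sum(tt[x] for x in range(size) if parity(w & x) == 1))
    if from_wht != direct:
        raise ValueError(f"formula {from_wht} disagrees with direct count {direct}")
    return from_wht


# Constructed sample functions on n = 4 variables.
BENT = truth_table(4, lambda v: (v[0] & v[1]) ^ (v[2] & v[3]))   # x1x2 + x3x4
AFFINE = truth_table(4, lambda v: v[0] ^ v[2])                   # x1 + x3

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("affine", AFFINE)):
        r = autocorrelation(tt)
        print(name, "r =", r, "M(f) =", absolute_indicator(r),
              "sum of squares =", sum_of_squares(r), "SAC =", satisfies_sac(r))
    print("bent split along e1:", subfunction_weights(BENT, 1))
```

The bent function has $r(s) = 0$ for every $s \ne 0$, giving the extreme values $M(f) = 0$ and sum of squares $2^{2n} = 256$, and an avalanche probability of exactly one half in every direction. The affine function $x_1 \oplus x_3$ has $|r(s)| = 2^n$ everywhere, giving $M(f) = 16$ and sum of squares $2^{3n} = 4096$, and its avalanche probabilities are 0 or 1, so it fails the SAC. For the bent function split along $e_1$, $\hat{F}(0) = \hat{F}(e_1) = 4$, so the weights are $(16 - 4 - 4)/4 = 2$ and $(16 - 4 + 4)/4 = 4$, matching the restrictions $x_3 x_4$ and $x_2 \oplus x_3 x_4$.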
