correlation of boolean functions - mit - massachusetts institute
TRANSCRIPT
![Page 1: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/1.jpg)
Correlation of Boolean Functions
Correlation of Boolean Functions
Guang GongDepartment of Electrical & Computer
EngineeringUniversity of Waterloo, CANADA
![Page 2: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/2.jpg)
G. Gong Beijing'04 2
Presentation OutlinePresentation Outline
Ø Sequences, Correlation, Cryptographic Properties, Cryptanalysis, and Their Relation to Transforms for Signals
Ø Indication Functions: A Bridge to Connect Resiliency (Cross Correlation) and Propagation (Additive Autocorrelation)
Ø Constructions of Boolean Functions with 2-Level (Multiplicative) AC and Three-valued Additive AC, and more
Ø Discussions
![Page 3: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/3.jpg)
G. Gong Beijing'04 3
Applications of Pseudo-random Sequences
Ø Orthogonal codes, cyclic codes Ø CDMA (code division multiple
access) applicationsØ Synchronization codesØ Radar, and deep water distance
range Ø Testing vectors of hardware
design….
In communications:
Ø Key Stream Generators in Stream Cipher Models
Ø Functions in Block Ciphers Ø Session Key Generators Ø Pseudo-random Number
Generators in Digital Signature Standard (DSS), etc.
Ø Digital Water-mark….
In cryptography:
![Page 4: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/4.jpg)
G. Gong Beijing'04 4
Design of Pseudo-random Sequence
Generators
(a) Towards 2-Level Auto-Correlation and Low Correlation
(b) Towards Large Linear Span
LFSR as Basic Blocks
![Page 5: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/5.jpg)
G. Gong Beijing'04 5
Stream Cipher Applications Stream Cipher Applications
f is a boolean function in n variables .
......f
Output
LFSR1
LFSR2
LFSRn
A Combinatorial Function Generator
...
f
...
Output
LFSR: Length m
n ≤ m
A Filtering Generator
![Page 6: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/6.jpg)
G. Gong Beijing'04 6
1-1 Correspondences Between Sequences, Polynomial Functions and
Boolean Functions
1-1 Correspondences Between Sequences, Polynomial Functions and
Boolean Functions
Polynomial Functions
Periodic Sequences
BooleanFunctions
Trace Representation (Inverse DFT)
Evaluation
Vector Space
Lagrange Interpolation
![Page 7: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/7.jpg)
Notation
),,( 11
110 nn
n xxxxxx LL =+++= −− ααØ , an element in finite field
GF(2n) or an element in the vector space F2n.
)(xf
Note. is a polynomial function from GF(2n) to GF(2) which can be represented by
Ø F = GF(2n), a finite field, α is a primitive element of FF2 = GF(2), binary field.
Ø a = {ai}, a binary sequence with period N | 2n − 1; , the trace representation of a, i.e.,
. ,1 ,0 ),( K== ifa ii α
)(xf
)2( ,)()( 1kk n
kk
kk
n GFAxATrxf ∈= ∑where the k’s are different coset leaders modulo 2n − 1, and nk is the size of the coset containing k.
![Page 8: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/8.jpg)
G. Gong Beijing'04 8
(Multiplicative) Autocorrelation(Multiplicative) Autocorrelation
K,1 ,0 ,)1(1)(1)(1
0
=−+=+= ∑−
=
++ τττ τ
N
i
aaf
iiCC
The (multiplicative) autocorrelation of function f(x) is defined as the autocorrelation of the sequence a, which is given by
The sequence a has an (ideal) 2-level autocorrelation if
−≡
=otherwise1
)(mod 0 if )(
NNC
ττ
![Page 9: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/9.jpg)
G. Gong Beijing'04 9
∑∈
++−=Fx
wxfxff wA )()()1()(
Convolution or Additive AutocorrelationConvolution or Additive Autocorrelation
The additive autocorrelation of f (or the additive autocorrelation of the sequence is defined through its trace representation f) is defined as the convolution of f(x):
![Page 10: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/10.jpg)
G. Gong Beijing'04 10
Known Constructions of 2-Level Autocorrelation Sequences (or Orthogonal
Codes, or Hadamard Difference Sets)n Number theory approach (N is a prime): quadratic residue
sequences (with N ≡ 3 mod 4), Hall sextic residue sequences, and the twin prime sequences.
N = 2n − 1:n PN-sequences = m-sequences (1931, Singer, 1958, Golomb)n GMW sequences (1961, Golden-Miller-Welch, 1984, Welch-
Scholtz)n Conjectured Sequences (Gong-Gaal-Golomb, 1997, No-
Golomb-Gong-Lee-Gaal, 1998)n Hyper-oval Construction: (Maschietti, 1998)n Kasami Power Function Construction (Dobbertin, Dillon,
1998)
![Page 11: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/11.jpg)
G. Gong Beijing'04 11
2-level Additive Autocorrelation2-level Additive Autocorrelation
f(x) is a bent function if and only if
Ff n ∈∀±= λλ ,2)(ˆ
Note. Bent functions only exists for n even.
f(x) has 2-level additive autocorrelation if and only if f(x) is bent. There are two general constructions for bent functions (compared with the constructions of the binary sequences with 2-level (multi.) autocorrelation, this is relatively easy).
Question: What is the best additive autocorrelation for n odd?
![Page 12: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/12.jpg)
Convolution or Additive
autocorrelation of f:
∑∈
++−=Fx
wxfxff wA )()()1()(
They are related by the Convolution Law.
∑∈
−=F
wTrnf fwA
λ
λ λ)(ˆ)1(21)( 2)(
In other words, the square of the Hadamard transform of f is equal to the Hadamard transform of the convolution of f with itself or additive autocorrelation of f. Conversely,
which is a fundamental relation through this representation.
∑∈
+−=Fx
xfxTrf )()()1()(ˆ λλ
Hadamard (Walsh) Transform of f:
)(xf
Time domain
Frequency domain
)(ˆ λf
Transforms for Signal (Sequence) Design (Engineering Perspective)
Transforms for Signal (Sequence) Design (Engineering Perspective)
![Page 13: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/13.jpg)
Desired Cryptographic Properties of Boolean Functions
Desired Cryptographic Properties of Boolean Functions
Definition 1 (Siegenthaler, 1984)
A Boolean function f(x) in n variables is kth-order correlation immune if for each k-subset K of {0, … , n − 1}, Z = f(x), considered as a random variable over F2, is independent of all xi for i ∈ K. Furthermore, if f(x) is balanced and kth-order correlation immune, then f(x) is said to be k-order resilient.
kHf ≤≤= )(1 ,0)(ˆ λλ
Property (Xiao and Massey, 1988). f(x) is kth-order correlation immune if and only if
where H(x) is the Hamming weight of x.
A historical remark.Golomb studied these concepts under the terminology of invariants of boolean functions in 1959, and he is the first to compute them using Hadamardtransform.
Nonlinearity of f is defined as the minimum distance of f(x) with all affine functions, or equivalently,
|)(ˆ|max21
2 1 λλ fN nf −= −
![Page 14: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/14.jpg)
G. Gong Beijing'04 14
Definition 2.
A Boolean function f(x) in n variables is said to satisfy the avalanche criterion (SAC) if
0)( =wAf
for all w with 1 ≤ H(w) ≤ k
for all w with H(w) = 1
to have the k-order propagation if
0)( =wAf
![Page 15: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/15.jpg)
G. Gong Beijing'04 15
Hadamardtransform
Linear cryptanalysis
Resiliency, nonlinearity
Convolution or Additive
autocorrelation
Differentialcryptanalysis
k-order propagation
Indicator Function
(cross correlation with m-sequences)
![Page 16: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/16.jpg)
Engineering Perspective of Differential Cryptanalysis and Linear Cryptanalysis Associated to Transforms
for Signal (Sequence) Design
Engineering Perspective of Differential Cryptanalysis and Linear Cryptanalysis Associated to Transforms
for Signal (Sequence) Design
t τ+t
)( τ+tf)(tf
Differential cryptanalysis (or propagation) is to exploit the correlation of the signal f(t) at time instances t and .τ+t
t τ+t
)( τ+tl
)(tf
Correlation immunitiy (or resiliency, nonlinearity, linear cryptalalysis) is to exploit the correlation between the signal f(t) and the reference linear signal l(t) at time instances t and .τ+t
![Page 17: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/17.jpg)
G. Gong Beijing'04 17
Indicator Function: A Bridge for Connecting Resiliency and Additive Autocorrelation
Indicator Function: A Bridge for Connecting Resiliency and Additive Autocorrelation
Definition. A indicator function of f , denoted by σf(x), is defined as
≠==
0)(ˆ if 10)(ˆ if 0)(
λλλσ
ff
f
-8 0 0 0 0 -8 0 8 0 -8 -8 8 0 8 8 0 0 0 -8 8 -8 8 8 0 0 8 8 0 8 0 0)(ˆ if α
Example. For n = 5, GF(25) defined by , and .
0135 =++αα)()( 3xTrxf =
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30i
)( if ασ 1 0 0 0 0 1 0 1 0 1 1 1 0 1 1 0 0 0 1 1 1 1 1 0 0 1 1 0 1 0 0
![Page 18: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/18.jpg)
Preferred set: For n = 2m + 1, f is said to be preferred if the Hadamard transform of f has the following three values:
}2 ,0{ 1+±= mP
Optimal Additive autocorrelation (AC): For n = 2m +1, let f be balanced, the additive AC of f is said to be optimal if the maximal magnitude of the additive AC at nonzero, denoted as
, is and Af has zeros in GF(2n). 12 +m 12 −nf∆
2. Zhang and Zheng (1995) conjectured that*12 +≥∆ m
f
Note.1. According to the Parseval energy formula, 2m+1 is minimum among magnitudes of all 3-valued Hadamard spectra.
![Page 19: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/19.jpg)
G. Gong Beijing'04 19
Observation 1: Indicator Function and Resiliency
Observation 1: Indicator Function and Resiliency
Let f be preferred. Then f is 1-order resilient if and only if the dual of f is nonlinear.
Zhang and Zheng, 1999 under boolean forms, Gong and Yousself, 1999 under polynomial forms, Canteaut-Carlet-Charpin-Fontaine, 2000, for any three-valued Hadamardtransform.
![Page 20: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/20.jpg)
G. Gong Beijing'04 20
Observation 2: Indicator Function and Additive Autocorrelation
Observation 2: Indicator Function and Additive Autocorrelation
Let f be preferred. Then the additive autocorrelation functions of f at nonzero is equal to opposite of the Hadamard transform of f. In other words,
)2(GF0 ),(ˆ)( nff wwwA ∈≠∀−= σ
![Page 21: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/21.jpg)
G. Gong Beijing'04 21
Theorem. A Sufficient Condition for Preferred Additive Autocorrelation
Theorem. A Sufficient Condition for Preferred Additive Autocorrelation
If the Hadamard transforms of both f and its indicator functions are preferred, then the additive autocorrelation is preferred.
}2,0{ 2/)1( +±= nP
f
Pf ∈)(ˆ λ
gf =σ
nonlinear
1-resiliency
Pf ∈)(ˆ λσ
gσ
PwAf ∈)(
nonlinear
1-propagation
![Page 22: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/22.jpg)
G. Gong Beijing'04 22
ConstructionsConstructions
All functions, listed in Tables 1-3, are from binary sequences with 2-level (multiplicative) autocorrelation.
Cryptographic Properties:a) 2-level ACb) Nonlinearity: c) Preferred fd) 1-order resiliency e) Preferred additive AC, so optimal additive ACf) 1-order propagation.
2/)1(1 22 −− − nn
![Page 23: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/23.jpg)
nonlinearThe other Kasami, Welch, Niho
2-level AC (Goldon, Miller, Welch 1961) HT (Games
(85), Klapper(96))
NonlinearSubset of GMW sequences
2-level AC (No et. al 1998, Dillon et. al. 1999)
Kasami power function sequences:
2-level AC (Matchietti1998), Hadamard transform (Xiang 1998, Dillon 1999)
Glynn Type 1 hyperovalsequences
2-level AC (No et. al 1998, Dillon et. al. 1999)
Welch-Gong sequences WG(x)
Kasami 1971, Dillon 1999Kasami decimation:
CommentsIndicator FunctionsFunctions from the sequence sets
122 ),( 2 +−= kkd dxTr nkxTrk
mod 13for ),( 12 ≡+
)(1−dxTr
( )kkxTr /)1( −
)(xCk ( )3/)12( +k
xTr
Table 1. Properties (a)-(d)
![Page 24: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/24.jpg)
G. Gong Beijing'04 24
Kasami power function sequences:
Welch-Gong sequences
Kasami sequences:
Indicator Functions(Boolean) Functions
122 ),( 2 +−= kkd dxTr )( 12 +k
xTr
)(1−dxTr
3 ),(3 k xC =
( )1−dxTr))(()( 12 +=k
xtTrxCk
)1)1(()( ++= xtTrxWG
12212212212 222
)( −++−+++ ++++=kkkkkkk
xxxxxxt
where
( )3xTr
Table 2. Properties (a)-(e)nk mod 13 ≡
![Page 25: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/25.jpg)
Kasami power function sequences (5-term sequences):
Welch-Gong sequences
Indicator Functions(Boolean) Functions
)(1−dxTr
( )1−dxTr
Table 3. Properties (a)-(f)
))(()( 12 +=k
xtTrxCk
)1)1(()( ++= xtTrxWG
nkxxxxxxtkkkkkkk
mod 13 ,)( 12212212212 222
≡++++= −++−+++
where
![Page 26: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/26.jpg)
G. Gong Beijing'04 26
![Page 27: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/27.jpg)
G. Gong Beijing'04 27
DiscussionsDiscussions
ØWhat are the additive autocorrelations of the rest functions with 2-level autocorrelation?
Ø The functions constructed from sequence design do not have linear structure for any fixed set of input variables (possible week leakage of Maiorana-McFarland like resilient functions).
Ø Experimental results show that there are many functions having preferred Hadamard transform, and preferred additive AC, so optimal additive AC, but not 2-level AC.
![Page 28: Correlation of Boolean Functions - MIT - Massachusetts Institute](https://reader035.vdocuments.us/reader035/viewer/2022071602/613d6835736caf36b75cf71b/html5/thumbnails/28.jpg)
G. Gong Beijing'04 28
G. Gong and K.M. Khoo,
Additive autocorrelation of resilient boolean functions,
Proceedings of Tenth Annual Workshop on Selected Areas in Cryptography (SAC), August 11-12, 2003, Ottawa, Canada, Lecture Notes in Computer Science, Springer-Verlag, 2003.
ReferencesReferences
Welcome to Waterloo for SAC 2004!