nonlinear resilient functions
DESCRIPTION
Nonlinear Resilient Functions. 2001.6.26. Jung Hee Cheon http://vega.icu.ac.kr/~jhcheon Information and Communications University (ICU). Linear Resilient Functions. - PowerPoint PPT PresentationTRANSCRIPT
한국정보통신대학교 천정희
Nonlinear Resilient Functions
2001.6.26
Jung Hee Cheon
http://vega.icu.ac.kr/~jhcheon
Information and Communications University (ICU)
2/51 한국정보통신대학교 천정희
Linear Resilient Functions
An [n,m,d] linear code is an m-dimensional subspace C of GF(2)n such that the Hamming distance between any two vectors in C is at least d.
Generating matrix G: an m×n matrix whose rows form a basis for C.
[CGH85] f(x)=xGT is an (n,m,d-1)-resilient function. The existence of an [n,k,d] linear code is equivalent to the existence of a line
ar (n,k,d-1)-resilient function.
3/51 한국정보통신대학교 천정희
Nonlinear Resilient Functions
Conjecture 1: If there is a (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?
Disproved by Stinson and Massey(1995)- An infinite class of counterexamples to a conjecture concerning nonlinear res
ilient functions (Journal of Cryptology, Vol. 8, 1995)
- Construct nonlinear resilient functions from the Kerdock and Preparata codes
- Showed nonexistence of linear resilient functions with the same parameter
- For any odd integer r 3, a (2r+1, 2r+1-2r-2, 5)-resilient function exists.
- For r=3, (16,8,5)-resilient function exists.
4/51 한국정보통신대학교 천정희
Zhang and Zheng’s Construction
Composition of a resilient function and nonlinear permutation gives a nonlinear resilient function F: a linear (n,m,k)-resilient function G: a permutation on GF(2)m with nonlinearity NG
The P=G·F is a (n,m,k)-resilient function such that the nonlinearity of P is 2n-m NG
the algebraic degree of P is the same as that of G
Note that composition of a permutation does not change the frequency of the output
5/51 한국정보통신대학교 천정희
Zhang and Zheng’s Construction (Cont.)
Converse of the conjecture 1 holds. If there is a linear function with certain parameters, then there exists a
nonlinear resilient function with the same parameters. Limitation of ZZ construction
Nonlinear Resilient Functions gives better parameters and should be studied.
Limitation of ZZ construction The algebraic degree of F is at most the output size m It gives a parameter which corresponds to a linear resilient function
6/51 한국정보통신대학교 천정희
Algebraic Degree and Nonlinearity
Algebraic Degree of a Boolean function is the maximum of the degrees of the terms of f when written in reduced form A linear function has algebraic degree 1 The maximum algebraic degree is the size of input.
The nonlinearity of a Boolean function f is the distance from affine function N(f) = min wt(f+) where ranges over all affine functions. Nonlinearity is an important measure for the resistance against linear cryptan
alysis a block cipher The nonlinearity of a vector Boolean function F is the minimum nonlinearity
of each component function b · F. The nonlinearity of a linear function is 0
7/51 한국정보통신대학교 천정희
Nonlinearity
Known Results for nonlinearity of polynomials N(x2k+1) = 2n-1 – 2(n+s)/2-1 if n/s is odd for s = gcd(n,k). N(x22k-2k+1) = 2n-1 – 2(n-1)/2 if n is odd and gcd(n,k) = 1. N(x-1) = 2n-1 – 2n/2 (By notation, 0-1 = 0) N(F(x)) 2n-1 - k-1/2 · 2n/2 if F is a polynominal of degree k in F2
n.
N(F(1/x)) 2n-1 - k+1/2 · 2n/2 if F is a polynominal of degree k in F2n.
Nonlinearity of a polynomial is related with the number of rational points of associated algebraic curves.
What is the maximal nonlinearity of a balanced Boolean function with odd n ?
8/51 한국정보통신대학교 천정희
Stream Ciphers and Resilient Functions
Siegenthaler, 1984 The complexity of a Combining Generator depends on the resiliency of the co
mbining function F. Divide-and-Conquer Attack (Correlation Attack)
- If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1
KSG 1
KSG 2
KSG n
F
9/51 한국정보통신대학교 천정희
Previous Studies
Siegenthaler Resiliency v.s. Algebraic Degree k + d < n for a (n,1,k)-resilient function with algebraic degree d
Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitar, Tarannikov Resiliency v.s. Nonlinearity Try to maximize nonlinearity given parameters
Other works Find the relation between cryptographic properties of Boolean functions
- Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS Count the number of Boolean functions satisfying certain properties
10/51 한국정보통신대학교 천정희
Multi-output Stream Ciphers
To design a multi-output stream cipher based on a combining generator, we need a resilient function which is nonlinear has algebraic degree as large as possible has nonlinearity as large as possible has resiliency as large as possible
KSG 1
KSG 2
KSG n
F
11/51 한국정보통신대학교 천정희
Resiliency of a Boolean function
f(x) : a Boolean Function on GF(2)n ker(f) = {x GF(2)n | f(x+y)+f(x)+f(y)=0 for all y GF(2)n } B={a1,a2,a3,…,an} a basis whose first w elements forms a basis of k
er(f)
Let c=(f(a1)+1, …, f(an)+1)
Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)
12/51 한국정보통신대학교 천정희
Application
A linearized polynomial is a polynomial over GF(2n) such that each of its terms has a degree of a power of 2 V(R) := {xGF(2n) | R(x) = 0} forms a vector space over GF(2)
Let F(x) = 1/R(x) Define F(x) = 1 when x belongs to V(R)
ker(f) = V(R) for any f(x) = Tr[b/R(x)] since
We can apply the main theorem
)(
1
)(
1
)(
1
)()(
1
)(
1
yRxRxRyRxRyxR
13/51 한국정보통신대학교 천정희
Theorem 2
Tr[bF] is a (w-1)-resilient function under a basis Bwhere
1111
1
1,0for
of basis dual a:},,{
of basis a formselement first whosebasis a:},,{
)(/1)(
wiiii
n
ni
bbb
BB
V(R)wB
xxRxF
14/51 한국정보통신대학교 천정희
Algebraic Degree and Nonlinearity
F(x)=1/R(x) has the algebraic degree n-1-w for the dim w of V(R).
F(x) has nonlinearity at least 2n-1 – 2w2n +2w-1
Consider a complete nonsingular curve Ca,b : y2 + y = ax+b/R(x)
|t|=|#Ca,b(GF(2n))-2n-1| 2g2n where g=2w-a,0 is the genus of Ca,b
#Ca,b(GF(2n))=2#{xGF(2n)|ax=b F(x)}+2w +1 + a,0 C has a point for a root x of R C has two points at the infinity if a =0 and one points otherwise
N(F) = 2n-1-2-1|t-2w-2n|
15/51 한국정보통신대학교 천정희
Example
functionresilient -3 a is )])(
1)([(
of basis dual a:},,,{
F of basis a:},,,{
)F( ofelement of
of nscombinatiolinear allover ranges where)()(
F of elementst independenlinear ofset a:},,,{)(
4321
821
2821
24321
n
8
xxR
ξξξξTrf(x)
BB
B
N
xxR
RV
qR
16/51 한국정보통신대학교 천정희
Example2
32121
433
4212
3211
821
2821
qR
24321
sincefunction resilient -1 a is ),(
functionresilient -1 a is )])(
1)([()(
functionresilient -2 a is )])(
1)([()(
functionresilient -2 a is )])(
1)([()(
B od basis dual the:},,,{
F of basis a:},,,{
)(FN of
elements od nscombinatiolinear allover ranges where)()(
F of elementst independenlinearly ofset a:},,,{)(
8
8
fffff
xxR
Trxf
xxR
Trxf
xxR
Trxf
B
B
xxR
RV
17/51 한국정보통신대학교 천정희
Vector Resilient Functions
where basis aunder 1-w-nD degree algebraicwith
function resilient -)1,,( a is ),,,( 21
B
dmnFBFBFB m
code.linear ],,[ a forms )( into ,,, of projection The
of basis dual a : },,{
)( of basis a formselement first whosebasis a : },,{
)(/1)(
221 dmwRVFBBB
BB
RVwB
xxRxF
nm
ni
ni
Theorem: If a [n,m,d] linear code exists, there is a (n+D+1,m,d-1)-resilient function exists for any non-negative integer D.
Note that we can find a linear (n,m,d-1)-resilient function from a [n,m,d] linear code.
18/51 한국정보통신대학교 천정희
A Simplex Code
Simplex Codes : a [2m-1,m,2m-1] linear code for any positive m Each codeword has the weight 2m-1
It is optimal in the sense that
Concatenating each codeword t times gives a [t2m-1, m, t2m-1] linear code, all of whose codeword have the same weight t2m-1.
Theorem: There is a (t2m-1+D+1, m, t2m-1-1)-resilient function for any positive integer t and D. If there is a (n,m,d) linear code, there exists a (n+t2m-1+D+1, m, d+t2m-1-1)-
resilient function for any positive integer t and D.
19/51 한국정보통신대학교 천정희
New Resilient Functions from Old
[BGS94] If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient
function. If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient
function.
[ZZ95] If F is an (n,m,t)-resilient functions, then
G(x,y)=(F(x) F(y), F(y) F(z)) is an (3n,2m,2t+1)-resilient function.
If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then F(x) G(y) is (n+n’, m, t+t’+1)-resilient function.
If F is (n,m,t)-resilient and G is (n’, m’, t’)-resilient, then F(x) G(y) is (n+n’, m+m’, T)-resilient function where T=min{t,t’}
20/51 한국정보통신대학교 천정희
Stream Ciphers -revisited
Correlation Coefficient c(f,g)=#{x|f = g} - #{x|f g} F is k-resilient if Wf(w)=c(F,lw)=0 for all w with wt(w)k.
Maximal Correlation (Zhang and Agnes, Crypto’00) Let F be a function from GF(2n) to GF(2m). CF(w)=max c(g°F, lw) where g runs through all Boolean functions on GF(2m). Here we consider not only linear functions, but also nonlinear functions for g.
In a combining generator with more than one bit output, A combining function F should have small maximal correlation
(Relate to number of rational points of associated algebraic curves) We should consider a resiliency of a composition with F and a Boolean funct
ion which is not necessarily linear.
21/51 한국정보통신대학교 천정희
Questions
What is the maximum resiliency given n and m?
Find the relation among nonlinearity, resiliency and the size of output?
Count resilient functions with certain parameters
Relation between nonlinear codes and nonlinear resilient functions
Extend Siegenthaler’s Inequality to a function with m>1 k + d < n for a (n,1,k)-resilient function with algebraic degree d
22/51 한국정보통신대학교 천정희
Questions????
DISCUSSION