Cryptography, Attacks and Countermeasures
Lecture 4 – Boolean Functions

John A Clark and Susan Stepney
Dept. of Computer Science, University of York, UK
{jac,susan}@cs.york.ac.uk


Page 2:

Stream Cipher Components

Boolean Functions

Typical Security Related Criteria

Non-linearity. Correlation immunity. Algebraic degree. Tradeoffs.

Will give a linear algebra treatment. Pythagoras’s theorem!

Page 3:

Boolean Functions

A Boolean function $f:\{0,1\}^n \to \{0,1\}$

Polar representation: $\hat{f}(x) = (-1)^{f(x)}$

x    bits     f(x)   $\hat{f}(x)$
0    0 0 0    1      -1
1    0 0 1    0       1
2    0 1 0    0       1
3    0 1 1    0       1
4    1 0 0    1      -1
5    1 0 1    0       1
6    1 1 0    1      -1
7    1 1 1    1      -1

Can view BF as vector in $\mathbb{R}^{2^n}$

Page 4:

Boolean Functions – Algebraic Normal Form (ANF)

A Boolean function on n inputs can be represented in minimal sum (XOR +) of products (AND .) form:

$f(x_1,\dots,x_n) = a_0 + a_1.x_1 + \dots + a_n.x_n + a_{1,2}.x_1.x_2 + \dots + a_{n-1,n}.x_{n-1}.x_n + \dots + a_{1,2,\dots,n}.x_1.x_2 \dots x_n$

This is the algebraic normal form of the function.

The algebraic degree of the function is the size of the largest subset of inputs (i.e. the number of $x_j$ in it) associated with a non-zero coefficient.

1 is a constant function (as is 0)
$x_1 + x_3 + x_5$ is a linear function
$x_1.x_3 + x_5$ is a quadratic function
$x_1.x_3.x_5 + x_4.x_5 + x_2$ is a cubic function

Page 5:

Generating ANF

Given $f(x_1,\dots,x_n)$ it is fairly straightforward to derive the ANF. Consider the general form:

$f(x_1,\dots,x_n) = a_0 + a_1.x_1 + \dots + a_n.x_n + a_{1,2}.x_1.x_2 + \dots + a_{n-1,n}.x_{n-1}.x_n + \dots + a_{1,2,\dots,n}.x_1.x_2 \dots x_n$

The constant term $a_0$ is easily derived: $a_0 = f(0,0,\dots,0)$

We can now determine $a_k$ by considering:

$f(1,0,\dots,0) = a_0 + a_1.x_1 = a_0 + a_1$ and so $a_1 = a_0 + f(1,0,\dots,0)$
$f(0,1,0,\dots,0) = a_0 + a_2.x_2 = a_0 + a_2$ and so $a_2 = a_0 + f(0,1,0,\dots,0)$
...
$f(0,\dots,0,1) = a_0 + a_n.x_n = a_0 + a_n$ and so $a_n = a_0 + f(0,\dots,0,1)$

We can now determine $a_{j,k}$ by considering:

$f(1,1,0,\dots,0) = a_0 + a_1.x_1 + a_2.x_2 + a_{1,2}.x_1.x_2 = a_0 + a_1 + a_2 + a_{1,2}$ and so $a_{1,2} = a_0 + a_1 + a_2 + f(1,1,0,\dots,0)$, and so on.
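The substitution procedure above, carried out for every coefficient at once, is the binary Moebius transform of the truth table. The following is an added example, not code from the lecture; it assumes x1 is the most significant bit of the table index (as in the truth table on page 3), and the function names are illustrative.

```python
# Added example (not from the lecture): ANF of a Boolean function from its
# truth table. Assumption: x1 is the most significant bit of the table
# index, matching the truth table on page 3.

def anf_coefficients(truth_table):
    """Return a list a where a[u] is the coefficient of the monomial whose
    variables are the set bits of u (a[0] is the constant term a0)."""
    size = len(truth_table)
    if size == 0 or size & (size - 1):
        raise ValueError("truth table length must be a power of two")
    a = list(truth_table)
    # Binary Moebius transform: a[u] = XOR of f(x) over every x whose set
    # bits lie inside u. It performs the lecture's substitutions
    # (a0 = f(0..0), a1 = a0 + f(1,0..0), ...) for all terms in one pass.
    step = 1
    while step < size:
        for base in range(0, size, 2 * step):
            for i in range(base, base + step):
                a[i + step] ^= a[i]
        step *= 2
    return a

def monomial(u, n):
    """Name the monomial for mask u, e.g. u=0b110, n=3 -> 'x1.x2'."""
    if u == 0:
        return "1"
    return ".".join(f"x{j + 1}" for j in range(n) if (u >> (n - 1 - j)) & 1)

def anf_string(truth_table):
    """ANF as text, lowest-degree terms first, '+' meaning XOR."""
    n = len(truth_table).bit_length() - 1
    a = anf_coefficients(truth_table)
    masks = sorted((u for u in range(len(a)) if a[u]),
                   key=lambda u: (bin(u).count("1"), -u))
    return " + ".join(monomial(u, n) for u in masks) or "0"

def algebraic_degree(truth_table):
    """Largest number of variables in a monomial with non-zero coefficient."""
    a = anf_coefficients(truth_table)
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=0)

def evaluate_anf(a, x):
    """Evaluate the ANF at input index x: XOR of a[u] for all u inside x."""
    return sum(a[u] for u in range(len(a)) if (u & ~x) == 0) & 1

PAGE3_TABLE = [1, 0, 0, 0, 1, 0, 1, 1]   # f(x) column from page 3

if __name__ == "__main__":
    print(anf_string(PAGE3_TABLE))
    print(algebraic_degree(PAGE3_TABLE))
```

For the page 3 function this gives a quadratic ANF; `evaluate_anf` lets you confirm the coefficients reproduce the original truth table.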

Page 6:

Vectors and their Representations

Boolean functions can be regarded as vectors in $\mathbb{R}^{2^n}$.

Boolean functions are vectors with elements 1 or –1. Any vector space has a basis set of vectors. Given any vector v it can always be expressed UNIQUELY as a weighted sum of the vectors in the basis set. Thus in 3-D we have the following standard basis:

$e_0 = (1,0,0)^T$, $e_1 = (0,1,0)^T$, $e_2 = (0,0,1)^T$

$(5,4,3)^T = 5e_0 + 4e_1 + 3e_2$

Others are possible:

$g_0 = (1,1,1)^T$, $g_1 = (0,1,1)^T$, $g_2 = (0,0,1)^T$

$(5,4,3)^T = 5g_0 - g_1 - g_2$

Page 7:

Orthonormal Basis

If the basis vectors are orthogonal and each have norm (length) 1 we say that they form an orthonormal basis. We can express any vector in terms of its projections onto each of the basis vectors.

$(5,4,3)^T = 5\,(1,0,0)^T + 4\,(0,1,0)^T + 3\,(0,0,1)^T$

$(5,4,3)^T = [(5,4,3)^T \cdot (1,0,0)^T]\,(1,0,0)^T + [(5,4,3)^T \cdot (0,1,0)^T]\,(0,1,0)^T + [(5,4,3)^T \cdot (0,0,1)^T]\,(0,0,1)^T$

$\|(1,0,0)^T\| = \sqrt{1^2 + 0^2 + 0^2} = 1$

$\|(0,1,0)^T\| = \sqrt{0^2 + 1^2 + 0^2} = 1$

$\|(0,0,1)^T\| = \sqrt{0^2 + 0^2 + 1^2} = 1$

Page 8:

Creating Orthonormal Basis

Given a basis you can always turn it into an orthonormal basis using the Gram-Schmidt procedure. (We won’t go into details.)

Given an orthogonal basis you can always create an orthonormal one by dividing each vector by its norm.

In 2-D, the following are clearly orthogonal:

$f_0 = (1,1)^T$, $f_1 = (1,-1)^T$

We can form an orthonormal basis:

$g_0 = \frac{1}{\sqrt{2}}(1,1)^T$, $g_1 = \frac{1}{\sqrt{2}}(1,-1)^T$

Page 9:

N-Dimensional vectors

To normalise an n-dimensional vector we proceed in the same way. The norm is the square root of the sum of squares of its elements.

$g = (v_1, v_2, \dots, v_n)^T$

$\|g\| = \sqrt{v_1^2 + v_2^2 + \dots + v_n^2} = \sqrt{\sum_{j=1}^{n} v_j^2}$

$e = \frac{1}{\sqrt{\sum_{j=1}^{n} v_j^2}}\,(v_1, v_2, \dots, v_n)^T$

Page 10:

Linear Functions

Recall that for any $\omega$ in $0..(2^n-1)$ we can define a linear function for all $x$ in $0..(2^n-1)$ by:

$L_\omega(x) = \omega_1.x_1 + \dots + \omega_n.x_n$

where $\omega$ and $x$ are simply sequences of bits:

$\omega = \omega_1\omega_2\dots\omega_n$, $x = x_1 x_2 \dots x_n$

We will use natural decimal indexing where convenient, e.g. $10000001 = 129$

Page 11:

Polar Form of Linear Functions

The polar form of a linear function

$L_\omega(x) = \omega_1.x_1 + \dots + \omega_n.x_n$

is just a vector of +1 and –1 elements defined by

$\hat{L}_\omega(x) = (-1)^{\omega_1.x_1 + \dots + \omega_n.x_n} = \prod_{j=1}^{n} (-1)^{\omega_j.x_j}$

Page 12:

Orthonormal Basis of Linear Functions

$\hat{L}_\omega(x) = (-1)^{\omega_1.x_1 + \dots + \omega_n.x_n}$

x      000   001   010   011   100   101   110   111

000     1     1     1     1     1     1     1     1

001     1    -1     1    -1     1    -1     1    -1

010     1     1    -1    -1     1     1    -1    -1

011     1    -1    -1     1     1    -1    -1     1

100     1     1     1     1    -1    -1    -1    -1

101     1    -1     1    -1    -1     1    -1     1

110     1     1    -1    -1    -1    -1     1     1

111     1    -1    -1     1    -1     1     1    -1

Columns are polar forms of functions $\hat{L}_0, \hat{L}_1, \hat{L}_2, \hat{L}_3, \hat{L}_4, \hat{L}_5, \hat{L}_6, \hat{L}_7$

Page 13:

Balance

One criterion that we might desire for a combining function is balance:

there are an equal number of 0’s and 1’s in the truth table form;

there are an equal number of +1’s and –1’s in the polar form.

The polar form has elements that sum to 0. Or, if you take the dot product of the polar form of a function with the constant function comprising all 1’s, the result is 0.

$\sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{L}_0(x) = \sum_{x=0}^{2^n-1} \hat{f}(x) \cdot 1 = \sum_{x=0}^{2^n-1} \hat{f}(x) = 0$

New improved slide

Page 14:

Linear Functions are Balanced

Each linear function has an equal number of 1’s and –1’s (and so is a balanced function). The sum of elements in a column is just

$\sum_{x=0}^{2^n-1} \hat{L}_\omega(x) = \sum_{x=0}^{2^n-1} (-1)^{\omega_1.x_1 + \dots + \omega_n.x_n}$

Is it obvious that this will always produce a sum to zero, whatever the value of $\omega$?

Consider $\omega$ with k bits set (w.l.o.g. consider the first k bits as set).

Now consider x as it varies over its whole range. Can you partition the x into two equal sets that give opposite values of the $L_\omega(x)$? (Consider the $x_1$ component.)

Page 15:

Linear Functions are Balanced

Consider $\hat{L}_{111}(x) = (-1)^{x_1 + x_2 + x_3}$

$\hat{L}_{111}(x) = 1$      $\hat{L}_{111}(x) = -1$

000                      100

011                      111

101                      001

110                      010

Page 16:

Linear Functions are Orthogonal

Dissimilar linear functions are orthogonal. Consider the dot product of any two columns of the 8 x 8 matrix given earlier. The result is 0.

To see why, consider two linear functions $x_1 + x_3$ and $x_2 + x_3$. The dot product is given by

$\sum_{x=0}^{2^n-1} (-1)^{x_1+x_3}(-1)^{x_2+x_3} = \sum_{x=0}^{2^n-1} (-1)^{x_1}(-1)^{x_3}(-1)^{x_2}(-1)^{x_3}$

$= \sum_{x=0}^{2^n-1} (-1)^{x_1}(-1)^{x_2} = \sum_{x=0}^{2^n-1} (-1)^{x_1+x_2} = 0$

Page 17:

Orthonormal Basis with Linear Functions

The linear functions are vectors of $2^n$ elements each of which is 1 or –1. The norm is therefore

$\|\hat{L}_\omega\| = \sqrt{2^n} = 2^{n/2}$

Thus we can form an orthonormal basis set

$\left\{ \frac{1}{2^{n/2}}\hat{L}_0,\ \frac{1}{2^{n/2}}\hat{L}_1,\ \dots,\ \frac{1}{2^{n/2}}\hat{L}_{2^n-1} \right\}$

Page 18:

Representing Functions

Since a function f is just a vector and we have an orthonormal basis, we can represent it as the sum of projections onto the elements of that basis.

$\hat{f} = \sum_{\omega=0}^{2^n-1} \left( \hat{f} \cdot \frac{1}{2^{n/2}}\hat{L}_\omega \right) \frac{1}{2^{n/2}}\hat{L}_\omega = \frac{1}{2^n} \sum_{\omega=0}^{2^n-1} \left( \hat{f} \cdot \hat{L}_\omega \right) \hat{L}_\omega = \frac{1}{2^n} \sum_{\omega=0}^{2^n-1} \hat{F}(\omega)\,\hat{L}_\omega$

$\hat{F}(\omega)$ is called the Walsh Hadamard function.

$\hat{f} \cdot \frac{1}{2^{n/2}}\hat{L}_\omega$ is the signed magnitude of the projection onto the linear function.

Page 19:

Security Criteria - Balance

Various desirable properties of functions are expressed in terms of the Walsh Hadamard function values.

Balance – equal numbers of trues and falses, or +1’s and –1’s in the polar form.

Saw that the projection onto the constant function should be 0.

$\hat{F}(0) = \hat{f} \cdot \hat{L}_0 = 0$

Page 20:

Security Criteria

We saw that functions that ‘looked like’ (agreed with) linear functions too much were a problem.

But a measure of ‘agrees with’ is fairly easily calculable (Hamming distance with linear function in usual bit form).

In polar form, we simply take the dot product with the linear function.

What sort of function f agrees most with the linear function L?

$\hat{L} \cdot \hat{L} = 2^n$

Yes, when f = L all the elements agree.

Page 21:

Security Criteria – Non-linearity

Also if they all disagree, i.e. f = NOT L, we can form another function that agrees with L entirely by negating f. Or in other words $f + 1$.

A function f that has minimal useful agreement (i.e. 50% agreement) with L has Hamming distance of $2^n/2$ with it. Or, in polar terms (each is +1 or –1), half the elements agree and half disagree:

$\hat{F}(\omega) = \hat{f} \cdot \hat{L}_\omega = \sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{L}_\omega(x) = 0$

$\hat{F}(\omega) = 0$: $\hat{f}$ is orthogonal to $\hat{L}_\omega$

Page 22:

Security Criteria – Non-linearity

Well, if correlation with linear functions is a bad idea let’s have all such correlations being equal to 0, i.e. choose f such that the projections onto all linear functions are 0.

Would if I could, but I can’t. Why is this NOT possible?

Page 23:

Back in Mundane World of 3-D

In 3-D is there a vector that has a null projection onto the x-axis?

Is there a vector that has a null projection onto each of the x and y axes?

Is there a vector that has a null projection onto each of the x, y and z axes?

Page 24:

Security Criteria

Because we have a basis set of linear functions. If a vector has a null projection onto all of them it is the zero-vector.

A Boolean function is not a zero-vector. It must have projections onto some of the linear functions.

But some projections are more harmful than others from the point of view of the correlation attacks.

Those correlations with single inputs are particularly dangerous, followed by correlations with linear functions of two inputs etc.

Page 25:

Security Criteria – Correlation Immunity

Correlations with single inputs correspond to projections onto the $L_\omega$ where the $\omega$ has only a single bit set. For three inputs, we might require

$\hat{F}(001) = \hat{f} \cdot \hat{L}_{001} = 0$

$\hat{F}(010) = \hat{f} \cdot \hat{L}_{010} = 0$

$\hat{F}(100) = \hat{f} \cdot \hat{L}_{100} = 0$

Similarly, correlations with linear functions on two inputs correspond to the projections onto linear functions $L_\omega$ where the $\omega$ has only two bits set.

Page 26:

Security Criteria – Correlation Immunity

If a function has a null projection onto all linear functions $L_\omega$ with 1,2,..,k bits set in $\omega$ (i.e. it is uncorrelated with any subset of k or fewer inputs) the function is said to be correlation immune of order k.

Or put another way

$1 \le |\omega| \le k \Rightarrow \hat{F}(\omega) = 0$

where $|\omega|$ is the number of bits set in $\omega$ (Hamming weight).

If it is also balanced then we say it is resilient.

Page 27:

Non-linearity

For a variety of reasons (there are other attacks that exploit linearity) we would like to keep the degree of agreement with any linear function as low as possible.

So if we cannot have all that we want (all projections 0) perhaps we might try to keep the worst agreement to a minimum.

This leads to the definition of the non-linearity of a function.

We want to keep the Hamming distance to any linear function (or its negation) as close to 2(n/2) as possible.

Or.. Keep the maximum absolute value of any projection on a linear function to a minimum. Keep the following as low as possible

$\max_\omega |\hat{F}(\omega)|$

Page 28:

Non-linearity

Non-linearity is defined by:

$N_f = \frac{1}{2}\left( 2^n - \max_\omega |\hat{F}(\omega)| \right)$

It seeks to minimise the worst absolute value of the projection onto any linear function.

But what is the maximum value we can get for non-linearity?

Page 29:

Boolean Functions

We can project these vectors onto a basis of $2^n$ orthogonal (Boolean function) vectors $L_0, \dots, L_{2^n-1}$

where

$L_\omega(x) = \omega_1.x_1 + \dots + \omega_n.x_n$

$\hat{f}(x)$: -1 1 1 1 -1 1 -1 -1

Each point on the $2^n$ dimension hyper-sphere surface has a standard vector representation and a spectral representation in terms of its Walsh Hadamard values.

Page 30:

Norm of a Vector

The square of the length of the vector is just the sum of squares of its projection magnitudes onto the orthonormal basis.

Thus, for 2-D we have the usual Pythagoras rule

[Figure: right-angled triangle with sides a, b and hypotenuse c]

$c^2 = a^2 + b^2$

Page 31:

Norm of a Boolean Vector

The square of the norm of a Boolean vector is just $2^n$. But we know that this is just the sum of the squares of the projections onto the orthonormal basis

$\hat{f} = \sum_{\omega=0}^{2^n-1} \left( \hat{f} \cdot \frac{1}{2^{n/2}}\hat{L}_\omega \right) \frac{1}{2^{n/2}}\hat{L}_\omega = \frac{1}{2^n} \sum_{\omega=0}^{2^n-1} \left( \hat{f} \cdot \hat{L}_\omega \right) \hat{L}_\omega$

$\|\hat{f}\|^2 = \sum_{\omega=0}^{2^n-1} \left( \hat{f} \cdot \frac{1}{2^{n/2}}\hat{L}_\omega \right)^2 = \frac{1}{2^n} \sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2 = 2^n$

Page 32:

Parseval’s Theorem

Parseval’s Theorem. This is really a form of Pythagoras’s theorem.

$\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2 = 2^{2n}$

This means that if we reduce the magnitude of one of the $\hat{F}(\omega)$ another must increase in magnitude.

Page 33:

Bent Functions Maximise Non-linearity

Researched first by Rothaus. These functions maximise non-linearity and are functions on even numbers of variables.

Bent functions have projection magnitudes of the same size (but with different signs)

$|\hat{F}(\omega)| = 2^{n/2}$ for all $\omega$ in $0..(2^n-1)$

But this includes projection onto the constant function => not a balanced function.

If you want maximum non-linearity, you cannot have balance.

Page 34:

Correlation Immunity and Non-linearity

Let’s look again at Parseval’s theorem:

$\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2 = 2^{2n}$

Now if we want correlation immunity of order k

$1 \le |\omega| \le k \Rightarrow \hat{F}(\omega) = 0$

Then the $\hat{F}(\omega)$ of some of the remaining $\omega$ ($|\omega| > k$) must increase in magnitude. But this increases non-linearity.

Non-linearity and correlation immunity are in conflict.

Page 35:

Other Criteria – Algebraic Degree

All other things being equal, we would prefer more complex functions to simpler ones. One aspect that is of interest is the algebraic degree of the function.

We would typically like this to be as high as possible.

It can be shown (not here) that there is a conflict with correlation immunity.

Siegenthaler has shown that for function f on n variables with correlation immunity of order m and algebraic degree d, we must have

$m + d \le n$

For balanced functions we must have

$m + d \le n - 1$

Page 36:

Further Structure

There is another structure that can be exploited. It is a form of correlation between outputs corresponding to inputs that are related in a straightforward way.

This is autocorrelation.

$AC_f = \max_s \left| \sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{f}(x \oplus s) \right| = \max_s |\hat{r}_f(s)|$

where $\oplus$ is bitwise XOR.
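The criteria defined from the Walsh Hadamard slides onward (balance, correlation immunity, non-linearity, Parseval's theorem, bent functions and autocorrelation) can all be computed from a truth table. The following is an added example, not code from the lecture; it assumes x1 is the most significant bit of the table index, excludes s = 0 from the autocorrelation maximum (that term is always 2^n), and the two 4-variable functions are constructed here for illustration.

```python
# Added example (not from the lecture): the lecture's criteria computed from
# the Walsh Hadamard values F(w) = sum_x fhat(x) * Lhat_w(x).
# Assumption: x1 is the most significant bit of the table index (page 3).

def polar(truth_table):
    return [1 - 2 * b for b in truth_table]      # 0 -> +1, 1 -> -1

def walsh_hadamard(truth_table):
    """All 2^n projections fhat . Lhat_w, via the fast butterfly."""
    F = polar(truth_table)
    step = 1
    while step < len(F):
        for base in range(0, len(F), 2 * step):
            for i in range(base, base + step):
                F[i], F[i + step] = F[i] + F[i + step], F[i] - F[i + step]
        step *= 2
    return F

def correlation_immunity_order(F):
    """Largest k such that F(w) = 0 whenever 1 <= |w| <= k."""
    weights = [bin(w).count("1") for w in range(1, len(F)) if F[w] != 0]
    return min(weights) - 1 if weights else len(F).bit_length() - 1

def nonlinearity(F):
    """N_f = (2^n - max_w |F(w)|) / 2."""
    return (len(F) - max(abs(v) for v in F)) // 2

def parseval_holds(F):
    """The squared projections must sum to 2^(2n)."""
    return sum(v * v for v in F) == len(F) ** 2

def autocorrelation(truth_table):
    """Max over s != 0 of |sum_x fhat(x) * fhat(x XOR s)|."""
    p = polar(truth_table)
    return max(abs(sum(p[x] * p[x ^ s] for x in range(len(p))))
               for s in range(1, len(p)))

def profile(truth_table):
    F = walsh_hadamard(truth_table)
    return {"balanced": F[0] == 0,
            "ci_order": correlation_immunity_order(F),
            "nonlinearity": nonlinearity(F),
            "autocorrelation": autocorrelation(truth_table)}

def table(n, f):
    """Truth table of f(x1, ..., xn), x1 most significant."""
    return [f(*[(x >> (n - 1 - j)) & 1 for j in range(n)]) & 1
            for x in range(1 << n)]

PAGE3 = [1, 0, 0, 0, 1, 0, 1, 1]                           # f(x) from page 3
RESILIENT = table(4, lambda a, b, c, d: a ^ b ^ (c & d))   # constructed
BENT = table(4, lambda a, b, c, d: (a & b) ^ (c & d))      # constructed

if __name__ == "__main__":
    for name, tt in [("page 3", PAGE3), ("x1+x2+x3.x4", RESILIENT),
                     ("x1.x2+x3.x4", BENT)]:
        print(name, walsh_hadamard(tt), profile(tt))
```

Comparing the two constructed functions shows the tradeoff: the bent function has every |F(w)| equal to 2^(n/2) and zero autocorrelation but is unbalanced, while the balanced, order-1 correlation immune function concentrates its spectrum on four values of w.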

Page 37:

Tradeoffs

We begin to see the sorts of problems cryptographers face. There are many different forms of attack.

Protecting against one in an ideal way may allow another form of attack.

Life is an unending series of tradeoffs. However, given the mathematical constraints, we might still want to achieve the best profile of properties we can.

A lot of Boolean function research seeks constructions to derive such functions.

Page 38:

No Such Thing As A Secure Boolean Function

There is no such thing as a secure Boolean function.

There may be functions that are appropriate to be used in particular contexts to give a secure system.

However, the treatment here shows quite effectively that life is not easy and that compromises have to be made.

Nice treatment in terms of vector algebra and security criteria being defined in terms of subspaces of a vector space of $\mathbb{R}^{2^n}$.