Cryptography, Attacks and Countermeasures Lecture 4 – Boolean Functions
John A Clark and Susan Stepney, Dept. of Computer Science, University of York, UK. {jac,susan}@cs.york.ac.uk
Stream Cipher Components: Boolean Functions
Typical security related criteria: non-linearity, correlation immunity, algebraic degree, and the tradeoffs between them.
We will give a linear algebra treatment. Pythagoras's theorem!
Boolean Functions
A Boolean function is a map $f: \{0,1\}^n \to \{0,1\}$.
Polar representation: $\hat{f}(x) = (-1)^{f(x)}$, so a truth-table 0 becomes +1 and a 1 becomes -1.
Example for n = 3 (truth table and polar form, x = x1x2x3 read as a binary number):
x     x (decimal)  f(x)  f̂(x)
000   0            1     -1
001   1            0      1
010   2            0      1
011   3            0      1
100   4            1     -1
101   5            0      1
110   6            1     -1
111   7            1     -1
We can view a Boolean function as a vector in $\mathbb{R}^{2^n}$.
Boolean Functions – Algebraic Normal Form (ANF)
A Boolean function on n inputs can be represented in minimal sum (XOR, +) of products (AND, .) form:
$$f(x_1,\ldots,x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n + a_{1,2}\, x_1 x_2 + \cdots + a_{n-1,n}\, x_{n-1} x_n + \cdots + a_{1,2,\ldots,n}\, x_1 x_2 \cdots x_n$$
This is the algebraic normal form of the function.
The algebraic degree of the function is the size of the largest subset of inputs (i.e. the number of $x_j$ in it) associated with a non-zero coefficient. For example:
1 is a constant function (as is 0);
x1+x3+x5 is a linear function;
x1.x3+x5 is a quadratic function;
x1.x3.x5+x4.x5+x2 is a cubic function.
Generating ANF
Given f(x1,…,xn) it is fairly straightforward to derive the ANF. Consider the general form:
$$f(x_1,\ldots,x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n + a_{1,2}\, x_1 x_2 + \cdots + a_{n-1,n}\, x_{n-1} x_n + \cdots + a_{1,2,\ldots,n}\, x_1 x_2 \cdots x_n$$
The constant term $a_0$ is easily derived: $a_0 = f(0,0,\ldots,0)$.
We can now determine each $a_k$ by setting only input k to 1 (all additions are XOR, so moving a term to the other side is the same as adding it):
$f(1,0,\ldots,0) = a_0 + a_1 x_1 = a_0 + a_1$, and so $a_1 = a_0 + f(1,0,\ldots,0)$;
$f(0,1,0,\ldots,0) = a_0 + a_2 x_2 = a_0 + a_2$, and so $a_2 = a_0 + f(0,1,0,\ldots,0)$;
…
$f(0,0,\ldots,0,1) = a_0 + a_n x_n = a_0 + a_n$, and so $a_n = a_0 + f(0,0,\ldots,0,1)$.
We can now determine each $a_{j,k}$ by considering inputs with two bits set:
$f(1,1,0,\ldots,0) = a_0 + a_1 x_1 + a_2 x_2 + a_{1,2}\, x_1 x_2 = a_0 + a_1 + a_2 + a_{1,2}$, and so
$a_{1,2} = a_0 + a_1 + a_2 + f(1,1,0,\ldots,0)$, and so on.
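The elimination above, carried out for every coefficient at once, is the binary Möbius transform. The following Python is an added example (not code from the lecture): it derives the ANF of a function from its truth table, reports the algebraic degree, and checks the result by evaluating the ANF. The function names, the truth-table ordering (x1 is the most significant bit of x) and the sample functions are this example's own choices; the first sample is the 3-input function from the polar-representation table above, the second is the slides' cubic x1.x3.x5+x4.x5+x2.

```python
"""Truth table -> algebraic normal form (ANF) and algebraic degree.

Conventions (assumed here): x = x1...xn is read as a binary number with x1 the most
significant bit, coefficient a[m] belongs to the monomial whose variables are the set
bits of m, and every '+' is XOR (we work over GF(2)).
"""


def truth_table(n, func):
    """tt[x] = f(x) for x = 0..2^n-1, func taking the individual bits (x1, ..., xn)."""
    return [func(*[(x >> (n - 1 - j)) & 1 for j in range(n)]) for x in range(1 << n)]


def anf_from_truth_table(tt):
    """ANF coefficients via the binary Moebius transform.

    For each variable in turn, every coefficient whose monomial contains that variable
    absorbs (XORs in) the coefficient of the monomial without it. This is exactly the
    hand elimination on the slides: a0 = f(0..0), a1 = a0 + f(1,0,..), a12 = a0+a1+a2+f(1,1,0,..), ...
    """
    n = len(tt).bit_length() - 1
    if len(tt) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    a = [b & 1 for b in tt]
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:                # monomial i contains this variable ...
                a[i] ^= a[i ^ step]     # ... so fold in the sub-monomial without it
        step <<= 1
    return a


def algebraic_degree(a):
    """Largest number of variables in any monomial with a non-zero coefficient (0 for constants)."""
    return max((bin(m).count("1") for m, c in enumerate(a) if c), default=0)


def anf_string(a, n):
    """Render the ANF in the slides' notation, e.g. '1 + x3 + x2.x3'."""
    terms = []
    for m, c in enumerate(a):
        if not c:
            continue
        variables = [f"x{j + 1}" for j in range(n) if (m >> (n - 1 - j)) & 1]
        terms.append(".".join(variables) if variables else "1")
    return " + ".join(terms) if terms else "0"


def evaluate_anf(a, x):
    """Evaluate the ANF at input x: a monomial contributes iff all of its variables are 1 in x."""
    return sum(c for m, c in enumerate(a) if c and (m & x) == m) & 1


if __name__ == "__main__":
    # Constructed input: the 3-input function from the polar-representation table (x = 000..111).
    tt = [1, 0, 0, 0, 1, 0, 1, 1]
    a = anf_from_truth_table(tt)
    print(anf_string(a, 3), "| degree", algebraic_degree(a))
    assert [evaluate_anf(a, x) for x in range(8)] == tt   # the ANF reproduces the truth table

    # The slides' cubic example, built from its formula.
    cubic = anf_from_truth_table(
        truth_table(5, lambda x1, x2, x3, x4, x5: (x1 & x3 & x5) ^ (x4 & x5) ^ x2))
    print(anf_string(cubic, 5), "| degree", algebraic_degree(cubic))
```

Running it prints `1 + x3 + x2 + x2.x3 + x1.x2 | degree 2` for the table function and recovers `x4.x5 + x2 + x1.x3.x5 | degree 3` for the cubic, so the transform is its own inverse check against the truth table it started from.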
Vectors and their Representations
Boolean functions can be regarded as vectors in $\mathbb{R}^{2^n}$.
Boolean functions are vectors with elements 1 or -1. Any vector space has a basis set of vectors. Given any vector v it can always be expressed UNIQUELY as a weighted sum of the vectors in the basis set. Thus in 3-D we have the following standard basis:
$$e_0 = \begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix}, \quad e_1 = \begin{pmatrix} 0 \\ 1 \\ 0 \end{pmatrix}, \quad e_2 = \begin{pmatrix} 0 \\ 0 \\ 1 \end{pmatrix}$$
Others are possible:
$$g_0 = \begin{pmatrix} 1 \\ 1 \\ 1 \end{pmatrix}, \quad g_1 = \begin{pmatrix} 0 \\ 1 \\ 1 \end{pmatrix}, \quad g_2 = \begin{pmatrix} 0 \\ 0 \\ 1 \end{pmatrix}$$
For example, the same vector has a different weighting in each basis:
$$\begin{pmatrix} 5 \\ 4 \\ 3 \end{pmatrix} = 5e_0 + 4e_1 + 3e_2 = 5g_0 - g_1 - g_2$$
Orthonormal Basis
If the basis vectors are orthogonal and each have norm (length) 1 we say that they form an orthonormal basis. We can express any vector in terms of its projections onto each of the basis vectors.
For example, with $v = (5, 4, 3)^T$ and the standard basis the projections are the dot products $v \cdot e_0 = 5$, $v \cdot e_1 = 4$, $v \cdot e_2 = 3$, so
$$v = (v \cdot e_0)\, e_0 + (v \cdot e_1)\, e_1 + (v \cdot e_2)\, e_2 = 5e_0 + 4e_1 + 3e_2$$
Creating Orthonormal Basis
Given a basis you can always turn it into an orthonormal basis using the Gram-Schmidt procedure. (We won't go into details.)
Given an orthogonal basis you can always create an orthonormal one by dividing each vector by its norm.
In 2-D, the following are clearly orthogonal:
$$f_0 = \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad f_1 = \begin{pmatrix} 1 \\ -1 \end{pmatrix}$$
We can form an orthonormal basis:
$$g_0 = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ 1 \end{pmatrix}, \quad g_1 = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 \\ -1 \end{pmatrix}$$
N-Dimensional Vectors
To normalise an n-dimensional vector we proceed in the same way. The norm is the square root of the sum of squares of its elements:
$$\|v\| = \sqrt{v_1^2 + v_2^2 + \cdots + v_n^2} = \sqrt{\sum_{j=1}^{n} v_j^2}, \qquad g = \frac{v}{\|v\|} = \frac{1}{\|v\|}\begin{pmatrix} v_1 \\ v_2 \\ \vdots \\ v_n \end{pmatrix}$$
Linear Functions
Recall that for any $\omega$ in $0..(2^n-1)$ we can define a linear function for all $x$ in $0..(2^n-1)$ by:
$$L_\omega(x) = \omega_1 x_1 \oplus \omega_2 x_2 \oplus \cdots \oplus \omega_n x_n$$
where $\omega = \omega_1 \omega_2 \ldots \omega_n$ and $x = x_1 x_2 \ldots x_n$ are simply sequences of bits.
We will use natural decimal indexing where convenient, e.g. $L_{129} = L_{10000001}$.
Polar Form of Linear Functions
The polar form of a linear function $L_\omega(x) = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$ is just a vector of +1 and -1 elements defined by
$$\hat{L}_\omega(x) = (-1)^{L_\omega(x)} = (-1)^{\omega_1 x_1 \oplus \cdots \oplus \omega_n x_n} = \prod_{j=1}^{n} (-1)^{\omega_j x_j}$$
Orthonormal Basis of Linear Functions
For n = 3, the columns below are the polar forms $\hat{L}_0, \hat{L}_1, \ldots, \hat{L}_7$ of the linear functions, $\hat{L}_\omega(x) = (-1)^{\omega_1 x_1 \oplus \cdots \oplus \omega_n x_n}$; rows are indexed by x, columns by $\omega$.
x \ ω  000 001 010 011 100 101 110 111
000     1   1   1   1   1   1   1   1
001     1  -1   1  -1   1  -1   1  -1
010     1   1  -1  -1   1   1  -1  -1
011     1  -1  -1   1   1  -1  -1   1
100     1   1   1   1  -1  -1  -1  -1
101     1  -1   1  -1  -1   1  -1   1
110     1   1  -1  -1  -1  -1   1   1
111     1  -1  -1   1  -1   1   1  -1
Balance
One criterion that we might desire for a combining function is balance:
there are an equal number of 0's and 1's in the truth table form;
there are an equal number of +1's and -1's in the polar form;
the polar form has elements that sum to 0. Or, if you take the dot product of the polar form of a function with the constant function comprising all 1's (which is $\hat{L}_0$), the result is 0:
$$\sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{L}_0(x) = \sum_{x=0}^{2^n-1} \hat{f}(x) \cdot 1 = \sum_{x=0}^{2^n-1} \hat{f}(x) = 0$$
Linear Functions are Balanced
Each linear function has an equal number of 1's and -1's (and so is a balanced function). The sum of elements in a column is just
$$\sum_{x=0}^{2^n-1} \hat{L}_\omega(x) = \sum_{x=0}^{2^n-1} (-1)^{\omega_1 x_1 \oplus \cdots \oplus \omega_n x_n}$$
Is it obvious that this will always produce a sum of zero, whatever the value of $\omega$?
Consider $\omega$ with k bits set (w.l.o.g. consider the first k bits as set).
Now consider x as it varies over its whole range. Can you partition the x into two equal sets that give opposite values of $\hat{L}_\omega(x)$? (Consider the $x_1$ component.)
Consider $\hat{L}_{111}(x) = (-1)^{x_1 \oplus x_2 \oplus x_3}$. Flipping $x_1$ pairs each x in the left column with the x in the right column and flips the sign:
$\hat{L}_{111}(x) = 1$    $\hat{L}_{111}(x) = -1$
000                  100
011                  111
101                  001
110                  010
Linear Functions are Orthogonal
Dissimilar linear functions are orthogonal. Consider the dot product of any two columns of the 8 x 8 matrix given earlier. The result is 0.
To see why, consider the two linear functions $x_1 \oplus x_3$ and $x_2 \oplus x_3$. The dot product of their polar forms is given by
$$\sum_{x=0}^{2^n-1} (-1)^{x_1 \oplus x_3}\,(-1)^{x_2 \oplus x_3} = \sum_{x=0}^{2^n-1} (-1)^{x_1 \oplus x_3 \oplus x_2 \oplus x_3} = \sum_{x=0}^{2^n-1} (-1)^{x_1 \oplus x_2} = 0$$
The $x_3$ terms cancel, leaving the polar form of another non-constant linear function, which we have just seen is balanced.
Orthonormal Basis with Linear Functions
The linear functions are vectors of $2^n$ elements each of which is 1 or -1. The norm is therefore
$$\|\hat{L}_\omega\| = \sqrt{\sum_{x=0}^{2^n-1} \hat{L}_\omega(x)^2} = \sqrt{2^n}$$
Thus we can form an orthonormal basis set
$$\left\{ \frac{1}{\sqrt{2^n}}\hat{L}_0,\ \frac{1}{\sqrt{2^n}}\hat{L}_1,\ \ldots,\ \frac{1}{\sqrt{2^n}}\hat{L}_{2^n-1} \right\}$$
Representing Functions
Since a function f is just a vector and we have an orthonormal basis, we can represent it as the sum of projections onto the elements of that basis:
$$\hat{f} = \sum_{\omega=0}^{2^n-1} \left(\hat{f} \cdot \frac{\hat{L}_\omega}{\sqrt{2^n}}\right)\frac{\hat{L}_\omega}{\sqrt{2^n}} = \frac{1}{2^n}\sum_{\omega=0}^{2^n-1} (\hat{f} \cdot \hat{L}_\omega)\,\hat{L}_\omega = \frac{1}{2^n}\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)\,\hat{L}_\omega$$
where
$$\hat{F}(\omega) = \hat{f} \cdot \hat{L}_\omega = \sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{L}_\omega(x)$$
This is called the Walsh Hadamard function.
$\hat{F}(\omega)$ is the signed magnitude of the projection onto the linear function $\hat{L}_\omega$.
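The basis properties from the last few slides (balanced columns, pairwise orthogonality, norm $\sqrt{2^n}$) and the expansion of $\hat{f}$ in that basis can all be checked mechanically. The Python below is an added example, not code from the lecture: it builds the $\hat{L}_\omega$ table, verifies the basis checks for n = 3, computes $\hat{F}(\omega)$ as the dot products $\hat{f} \cdot \hat{L}_\omega$, and reconstructs $\hat{f}$ from those projections. Function names and the bit-ordering convention (ω and x read as integers, x1 the most significant bit) are this example's assumptions; the sample function is the 3-input one from the polar-representation table.

```python
"""The polar linear functions L^_w as an orthogonal basis of R^(2^n), and the Walsh-Hadamard
projections F^(w) = f^ . L^_w that expand a function in that basis.

Assumed indexing: w and x are bit strings read as integers, so w1x1 xor ... xor wnxn is the
parity of the bits that w and x share."""


def to_polar(tt):
    """f^(x) = (-1)^f(x): truth-table bit 0 -> +1, bit 1 -> -1."""
    return [1 - 2 * b for b in tt]


def lhat(w, x):
    """Polar linear function L^_w(x) = (-1)^(w1x1 xor ... xor wnxn)."""
    return -1 if bin(w & x).count("1") & 1 else 1


def linear_matrix(n):
    """The 2^n x 2^n table from the slides: row x, column w, entry L^_w(x)."""
    size = 1 << n
    return [[lhat(w, x) for w in range(size)] for x in range(size)]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def basis_checks(n):
    """Return (every non-constant column sums to 0, all columns pairwise orthogonal, every norm^2 = 2^n)."""
    size = 1 << n
    matrix = linear_matrix(n)
    cols = [[row[w] for row in matrix] for w in range(size)]
    balanced = all(sum(c) == 0 for c in cols[1:])
    orthogonal = all(dot(cols[i], cols[j]) == 0 for i in range(size) for j in range(i + 1, size))
    norms = all(dot(c, c) == size for c in cols)
    return balanced, orthogonal, norms


def walsh_hadamard(polar):
    """F^(w) = f^ . L^_w for every w: the signed projection magnitudes onto the linear functions."""
    size = len(polar)
    return [sum(polar[x] * lhat(w, x) for x in range(size)) for w in range(size)]


def reconstruct(F):
    """f^ = (1/2^n) sum_w F^(w) L^_w: the expansion of f^ in the orthonormal basis L^_w / sqrt(2^n).
    The sum is an exact multiple of 2^n, so integer division loses nothing."""
    size = len(F)
    return [sum(F[w] * lhat(w, x) for w in range(size)) // size for x in range(size)]


if __name__ == "__main__":
    assert basis_checks(3) == (True, True, True)
    polar = to_polar([1, 0, 0, 0, 1, 0, 1, 1])   # constructed: the slides' 3-input example
    F = walsh_hadamard(polar)
    print("F^(w) for w = 0..7:", F)                # F^(0) = 0, so the function is balanced
    assert reconstruct(F) == polar                 # the projections determine f^ exactly
```

For the example function the spectrum comes out as `[0, -4, 0, -4, 4, 0, -4, 0]`: the zero at ω = 0 is the balance condition of the previous slide, and feeding the list back through `reconstruct` returns the original ±1 vector, which is the "sum of projections" identity in action.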
Security Criteria - Balance
Various desirable properties of functions are expressed in terms of the Walsh Hadamard function values.
Balance – equal numbers of trues and falses, or +1's and -1's in the polar form.
We saw that the projection onto the constant function should be 0:
$$\hat{F}(0) = \hat{f} \cdot \hat{L}_0 = 0$$
Security Criteria
We saw that functions that 'looked like' (agreed with) linear functions too much were a problem.
But a measure of 'agreed with' is fairly easily calculable (the Hamming distance from the linear function in the usual bit form).
In polar form, we simply take the dot product with the linear function.
What sort of function f agrees most with the linear function L? Yes, when f = L all the elements agree, and the dot product takes its largest possible value:
$$\hat{L} \cdot \hat{L} = 2^n$$
Security Criteria – Non-linearity
Also if they all disagree, i.e. f = NOT L, we can form another function that agrees with L entirely by negating f. Or in other words $f = L \oplus 1$.
A function f that has minimal useful agreement (i.e. 50% agreement) with L has Hamming distance $2^n/2$ from it. Or, in polar terms (each element is +1 or -1), half the elements agree and half disagree, so
$$\hat{F}(\omega) = \hat{f} \cdot \hat{L}_\omega = \sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{L}_\omega(x) = 0$$
i.e. $\hat{f}$ is orthogonal to $\hat{L}_\omega$.
Security Criteria – Non-linearity
Well, if correlation with linear functions is a bad idea let’s have all such correlations being equal to 0, i.e. choose f such that the projections onto all linear functions are 0.
Would if I could, but I can’t. Why is this NOT possible?
Back in Mundane World of 3-D
In 3-D is there a vector that has a null projection onto the x-axis?
Is there a vector that has a null projection onto each of the x and y axes?
Is there a vector that has a null projection onto each of the x, y and z axes?
Security Criteria
Because we have a basis set of linear functions. If a vector has a null projection onto all of them it is the zero-vector.
A Boolean function is not a zero-vector. It must have projections onto some of the linear functions.
But some projections are more harmful than others from the point of view of the correlation attacks.
Those correlations with single inputs are particularly dangerous, followed by correlations with linear functions of two inputs etc.
Security Criteria – Correlation Immunity
Correlations with single inputs correspond to projections onto the $L_\omega$ where $\omega$ has only a single bit set. For three inputs, we might require
$$\hat{F}(100) = \hat{f} \cdot \hat{L}_{100} = 0, \qquad \hat{F}(010) = \hat{f} \cdot \hat{L}_{010} = 0, \qquad \hat{F}(001) = \hat{f} \cdot \hat{L}_{001} = 0$$
Similarly, correlations with linear functions on two inputs correspond to the projections onto linear functions $L_\omega$ where $\omega$ has only two bits set.
Security Criteria – Correlation Immunity
If a function has a null projection onto all linear functions $L_\omega$ with 1, 2, …, k bits set in $\omega$ (i.e. it is uncorrelated with any subset of k or fewer inputs) the function is said to be correlation immune of order k.
Or put another way:
$$\hat{F}(\omega) = 0 \quad \text{for all } \omega \text{ with } 1 \le |\omega| \le k$$
where $|\omega|$ is the Hamming weight (number of bits set) of $\omega$.
If it is also balanced then we say it is resilient.
Non-linearity
For a variety of reasons (there are other attacks that exploit linearity) we would like to keep the degree of agreement with any linear function as low as possible.
So if we cannot have all that we want (all projections 0) perhaps we might try to keep the worst agreement to a minimum.
This leads to the definition of the non-linearity of a function.
We want to keep the Hamming distance to any linear function (or its negation) as close to $2^n/2$ as possible.
Or: keep the maximum absolute value of any projection onto a linear function to a minimum, i.e. keep the following as low as possible:
$$\max_{\omega} |\hat{F}(\omega)|$$
Non-linearity is defined by:
$$N_f = 2^{n-1} - \frac{1}{2}\max_{\omega} |\hat{F}(\omega)|$$
It seeks to minimise the worst absolute value of the projection onto any linear function.
But what is the maximum value we can get for non-linearity?
Boolean Functions
We can project these vectors onto a basis of $2^n$ orthogonal (Boolean function) vectors $L_0, \ldots, L_{2^n-1}$, where
$$L_\omega(x) = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$$
For the example function used earlier, $\hat{f} = (-1, 1, 1, 1, -1, 1, -1, -1)$.
Each point on the $2^n$-dimensional hyper-sphere surface has a standard vector representation and a spectral representation in terms of its Walsh Hadamard values.
Norm of a Vector
The square of the length of the vector is just the sum of squares of its projection magnitudes onto the orthonormal basis.
Thus, for 2-D we have the usual Pythagoras rule: for a vector with components a and b and length c,
$$c^2 = a^2 + b^2$$
Norm of a Boolean Vector
The square of the norm of a Boolean vector is just $2^n$:
$$\hat{f} \cdot \hat{f} = \sum_{x=0}^{2^n-1} \hat{f}(x)^2 = 2^n$$
But we know that this is just the sum of the squares of the projections onto the orthonormal basis:
$$\hat{f} \cdot \hat{f} = \sum_{\omega=0}^{2^n-1} \left(\hat{f} \cdot \frac{\hat{L}_\omega}{\sqrt{2^n}}\right)^2 = \frac{1}{2^n}\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2$$
Parseval's Theorem
Equating the two expressions for the squared norm gives Parseval's Theorem. This is really a form of Pythagoras's theorem:
$$\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2 = 2^{2n}$$
This means that if we reduce the magnitude of one of the $\hat{F}(\omega)$ another must increase in magnitude.
Bent Functions Maximise Non-linearity
Researched first by Rothaus. These functions maximise non-linearity and are functions on even numbers of variables.
Bent functions have projection magnitudes of the same size (but with different signs):
$$|\hat{F}(\omega)| = 2^{n/2} \quad \text{for all } \omega \in 0..(2^n-1)$$
But this includes the projection onto the constant function, so $\hat{F}(0) \ne 0$ and the function is not balanced.
If you want maximum non-linearity, you cannot have balance.
Correlation Immunity and Non-linearity
Let's look again at Parseval's theorem:
$$\sum_{\omega=0}^{2^n-1} \hat{F}(\omega)^2 = 2^{2n}$$
Now if we want correlation immunity of order k,
$$\hat{F}(\omega) = 0 \quad \text{for all } \omega \text{ with } 1 \le |\omega| \le k$$
Then the $\hat{F}(\omega)$ of some of the remaining $\omega$ (those with $|\omega| > k$) must increase in magnitude. But a larger maximum $|\hat{F}(\omega)|$ means lower non-linearity.
Non-linearity and correlation immunity are in conflict.
Other Criteria – Algebraic Degree
All other things being equal, we would prefer more complex functions to simpler ones. One aspect that is of interest is the algebraic degree of the function.
We would typically like this to be as high as possible.
It can be shown (not here) that there is a conflict with correlation immunity.
Siegenthaler has shown that for a function f on n variables with correlation immunity of order m and algebraic degree d, we must have
$$m + d \le n$$
For balanced functions we must have
$$m + d \le n - 1$$
Further Structure
There is another structure that can be exploited. It is a form of correlation between outputs corresponding to inputs that are related in a straightforward way.
This is autocorrelation:
$$AC_f = \max_{s \ne 0} \left| \sum_{x=0}^{2^n-1} \hat{f}(x)\,\hat{f}(x \oplus s) \right| = \max_{s \ne 0} |\hat{r}_f(s)|$$
where $\oplus$ is bitwise XOR.
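All of the criteria from the non-linearity slide onward (balance, $N_f$, correlation immunity and resilience, Parseval's theorem, the bent condition, and $AC_f$) are read off the Walsh Hadamard values, so one small toolkit profiles a function against all of them. The Python below is an added example, not the lecture's code: it computes $\hat{F}$ with the butterfly ("fast") form of the transform, which gives the same values as the dot products $\hat{f} \cdot \hat{L}_\omega$ but in $O(n\,2^n)$ steps, then applies each definition. Function names and the bit-ordering convention are this example's assumptions. The three sample functions are constructed: the slides' 3-input example, the classic bent function $x_1 x_2 \oplus x_3 x_4$, and the parity function $x_1 \oplus x_2 \oplus x_3$, chosen because they sit at opposite ends of the non-linearity / correlation-immunity tradeoff.

```python
"""Security criteria read off the Walsh-Hadamard spectrum: balance, non-linearity, correlation
immunity and resilience, Parseval's theorem, the bent condition, and the autocorrelation AC_f.

Assumed indexing: x = x1...xn is read as an integer with x1 the most significant bit."""


def truth_table(n, func):
    """tt[x] = f(x) for x = 0..2^n-1, func taking the individual bits (x1, ..., xn)."""
    return [func(*[(x >> (n - 1 - j)) & 1 for j in range(n)]) for x in range(1 << n)]


def to_polar(tt):
    """f^(x) = (-1)^f(x)."""
    return [1 - 2 * b for b in tt]


def fwht(polar):
    """Fast Walsh-Hadamard transform: F^(w) = sum_x f^(x) (-1)^(w.x) for all w at once.
    Each pass combines pairs that differ in one bit position; the result equals the
    dot products f^ . L^_w used on the slides, computed in O(n 2^n) instead of O(4^n)."""
    F = list(polar)
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                a, b = F[j], F[j + h]
                F[j], F[j + h] = a + b, a - b
        h *= 2
    return F


def is_balanced(F):
    return F[0] == 0                      # projection onto the constant function L^_0


def nonlinearity(F):
    """N_f = 2^(n-1) - max|F^(w)| / 2."""
    n = len(F).bit_length() - 1
    return 2 ** (n - 1) - max(abs(v) for v in F) // 2


def correlation_immunity_order(F):
    """Largest k such that F^(w) = 0 for every w of Hamming weight 1..k."""
    n = len(F).bit_length() - 1
    k = 0
    while k < n and all(F[w] == 0 for w in range(1, len(F)) if bin(w).count("1") == k + 1):
        k += 1
    return k


def is_resilient(F, k):
    return is_balanced(F) and correlation_immunity_order(F) >= k


def parseval_holds(F):
    """sum_w F^(w)^2 == 2^(2n)."""
    n = len(F).bit_length() - 1
    return sum(v * v for v in F) == 2 ** (2 * n)


def is_bent(F):
    """Even n and |F^(w)| = 2^(n/2) for every w."""
    n = len(F).bit_length() - 1
    return n % 2 == 0 and all(abs(v) == 2 ** (n // 2) for v in F)


def autocorrelation(polar):
    """AC_f = max over s != 0 of |sum_x f^(x) f^(x xor s)|."""
    size = len(polar)
    return max(abs(sum(polar[x] * polar[x ^ s] for x in range(size))) for s in range(1, size))


def profile(tt):
    """Every criterion at once, from one truth table."""
    polar = to_polar(tt)
    F = fwht(polar)
    return {"balanced": is_balanced(F), "nonlinearity": nonlinearity(F),
            "ci_order": correlation_immunity_order(F), "bent": is_bent(F),
            "parseval": parseval_holds(F), "autocorrelation": autocorrelation(polar)}


if __name__ == "__main__":
    # Constructed samples: slides' example, a bent function, and the parity function.
    print("slides' f  ", profile([1, 0, 0, 0, 1, 0, 1, 1]))
    print("x1x2 + x3x4", profile(truth_table(4, lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4))))
    print("x1+x2+x3   ", profile(truth_table(3, lambda x1, x2, x3: x1 ^ x2 ^ x3)))
```

The output makes the tradeoff concrete. The slides' example is balanced with $N_f = 2$ and correlation immunity 0, and has $AC_f = 8$ because $f(x \oplus 101) = f(x) \oplus 1$ for every x. The bent function reaches the maximum $N_f = 6$ for n = 4 with every $|\hat{F}(\omega)| = 4$, so $\hat{F}(0) \ne 0$ and it is not balanced, while its autocorrelation is 0. The parity function is balanced and correlation immune of order 2 (resilient), but every projection except $\hat{F}(111)$ is zero, so Parseval forces $|\hat{F}(111)| = 8$ and $N_f = 0$.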
Tradeoffs
We begin to see the sorts of problems cryptographers face. There are many different forms of attack.
Protecting against one in an ideal way may allow another form of attack.
Life is an unending series of tradeoffs. However, given the mathematical constraints, we might still want to achieve the best profile of properties we can.
A lot of Boolean function research seeks constructions to derive such functions.
No Such Thing As A Secure Boolean Function
There is no such thing as a secure Boolean function.
There may be functions that are appropriate to be used in particular contexts to give a secure system.
However, the treatment here shows quite effectively that life is not easy and that compromises have to be made.
It is a nice treatment in terms of vector algebra, with the security criteria defined in terms of subspaces of the vector space $\mathbb{R}^{2^n}$.