1. Boolean Functions for stream ciphers
Anne Canteaut, INRIA-Rocquencourt, projet CODES
Anne.Canteaut@inria.fr
http://www-rocq.inria.fr/codes/Anne.Canteaut/
ECRYPT summer school - May 2007

2. Outline
• Basic properties of Boolean functions for LFSR-based generators
• Other representations of Boolean functions
• Correlation attacks and related criteria
• Distance to affine functions and Walsh transform
• Algebraic attacks and related criteria
• Some practical constructions

3. Basic properties of Boolean functions for LFSR-based generators

4. Boolean functions
Definition. A Boolean function of $n$ variables is a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2$.
Truth table of a Boolean function.

x1             | 0 1 0 1 0 1 0 1
x2             | 0 0 1 1 0 0 1 1
x3             | 0 0 0 0 1 1 1 1
f(x1, x2, x3)  | 0 1 0 0 0 1 1 1

Hamming weight of a Boolean function. The Hamming weight of a Boolean function $f$, $wt(f)$, is the Hamming weight of its value vector. A function of $n$ variables is balanced if and only if $wt(f) = 2^{n-1}$.

5. Combination generator
[Figure: LFSR 1, LFSR 2, ..., LFSR n feed the combining function $f$, whose output is the keystream $s$]
where $f$ is a balanced Boolean function of $n$ variables.

6. Filter generator
[Figure: the LFSR state bits $u_{t+\gamma_1}, u_{t+\gamma_2}, \dots, u_{t+\gamma_n}$ are fed to the filtering function $f$, whose output is the keystream $s$]
$$\forall t \ge 0,\quad s_t = f(u_{t+\gamma_1}, u_{t+\gamma_2}, \dots, u_{t+\gamma_n})$$

7. Algebraic normal form (ANF)
Monomials in $\mathbb{F}_2[x_1, \dots, x_n]/(x_1^2 + x_1, \dots, x_n^2 + x_n)$:
$$x^u = \prod_{i=1}^{n} x_i^{u_i}, \quad u \in \mathbb{F}_2^n .$$
Example: $x^{1011} = x_1 x_3 x_4$.
Proposition. Any Boolean function of $n$ variables has a unique polynomial representation in $\mathbb{F}_2[x_1, \dots, x_n]/(x_1^2 + x_1, \dots, x_n^2 + x_n)$:
$$f(x_1, \dots, x_n) = \sum_{u \in \mathbb{F}_2^n} a_u x^u, \quad a_u \in \mathbb{F}_2 .$$
Moreover, the coefficients of the ANF and the values of $f$ satisfy:
$$a_u = \sum_{x \preceq u} f(x) \quad \text{and} \quad f(u) = \sum_{x \preceq u} a_x ,$$
where $x \preceq y$ if and only if $x_i \le y_i$ for all $1 \le i \le n$.

8. Computing the ANF

x1             | 0 1 0 1 0 1 0 1
x2             | 0 0 1 1 0 0 1 1
x3             | 0 0 0 0 1 1 1 1
f(x1, x2, x3)  | 0 1 0 0 0 1 1 1

$$\begin{aligned}
a_{000} &= f(000) = 0 \\
a_{100} &= f(100) \oplus f(000) = 1 \\
a_{010} &= f(010) \oplus f(000) = 0 \\
a_{110} &= f(110) \oplus f(010) \oplus f(100) \oplus f(000) = 1 \\
a_{001} &= f(001) \oplus f(000) = 0 \\
a_{101} &= f(101) \oplus f(001) \oplus f(100) \oplus f(000) = 0 \\
a_{011} &= f(011) \oplus f(001) \oplus f(010) \oplus f(000) = 1 \\
a_{111} &= \sum_{x \in \mathbb{F}_2^3} f(x) = wt(f) \bmod 2 = 0
\end{aligned}$$
$$f = x_1 + x_1 x_2 + x_2 x_3 .$$

9. Degree and linear complexity
Definition. The degree of a Boolean function is the degree of the largest monomial in its ANF.
Proposition. The weight of an $n$-variable function $f$ is odd if and only if $\deg f = n$.
Degree and linear complexity of the combination generator.
Proposition. [Rueppel - Staffelbach 87] For $n$ LFSRs with primitive feedback polynomials and distinct lengths, the linear complexity of the keystream sequence generated by the combination of these LFSRs by $f$ is
$$\Lambda = f(L_1, \dots, L_n)$$
where $f$ is evaluated over the integers.
Example: Geffe generator (1973)
$$f(x_1, x_2, x_3) = x_1 + x_1 x_2 + x_2 x_3 \;\Rightarrow\; \Lambda = L_1 + L_1 L_2 + L_2 L_3 .$$

10. Degree and linear complexity (2)
Degree and linear complexity of the filter generator.
Proposition. [Key 76, Rueppel 86] The linear complexity $\Lambda$ of the keystream sequence generated by an LFSR of length $L$ filtered by $f$ satisfies
$$\Lambda \le \sum_{i=0}^{\deg f} \binom{L}{i} .$$
Moreover, if $L$ is a large prime,
$$\Lambda \ge \binom{L}{\deg f}$$
for most filtering functions.
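The ANF computation of slide 8 and the two linear-complexity propositions of slides 9 and 10, as an added worked example (not code from the slides): the Möbius transform is run as an in-place butterfly over the truth table, the Geffe function's ANF is read off, and its ANF is then evaluated over the integers for constructed register lengths. All function names and the sample lengths are this example's own assumptions.

```python
from math import comb

# Constructed sample: truth table of the Geffe function f = x1 + x1x2 + x2x3
# in the slides' order (x1 varies fastest, so index = x1 + 2*x2 + 4*x3).
GEFFE_TT = [0, 1, 0, 0, 0, 1, 1, 1]

def mobius_transform(tt):
    """ANF coefficients a_u = sum_{x <= u} f(x) mod 2, computed in place with
    the butterfly underlying slide 8 (bit i of an index is the variable x_{i+1})."""
    a = list(tt)
    n = len(a).bit_length() - 1
    assert 1 << n == len(a), "truth table length must be a power of two"
    for i in range(n):
        bit = 1 << i
        for u in range(len(a)):
            if u & bit:
                a[u] ^= a[u ^ bit]   # fold in the value at u with bit i cleared
    return a

def anf_monomials(tt):
    """Monomials of the ANF as tuples of variable indices, e.g. (1, 2) for x1*x2."""
    a = mobius_transform(tt)
    n = len(tt).bit_length() - 1
    return {tuple(i + 1 for i in range(n) if u >> i & 1)
            for u in range(len(tt)) if a[u]}

def degree(tt):
    """Degree = size of the largest monomial in the ANF (0 for a constant)."""
    return max((len(m) for m in anf_monomials(tt)), default=0)

def is_balanced(tt):
    return sum(tt) == len(tt) // 2          # wt(f) = 2^(n-1)

def combination_linear_complexity(tt, lengths):
    """Rueppel-Staffelbach: Lambda = f(L_1, ..., L_n), the ANF evaluated over the
    integers (assumes distinct lengths and primitive feedback polynomials)."""
    total = 0
    for mono in anf_monomials(tt):
        term = 1
        for i in mono:
            term *= lengths[i - 1]
        total += term
    return total

def filter_linear_complexity_bound(tt, L):
    """Key/Rueppel upper bound sum_{i=0}^{deg f} C(L, i) for an LFSR of length L filtered by f."""
    return sum(comb(L, i) for i in range(degree(tt) + 1))
```

With the Geffe table, `anf_monomials` returns {x1, x1x2, x2x3}, and lengths (5, 7, 9) give Λ = 5 + 35 + 63.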

11. Degree and basic algebraic attacks
Communication Theory of Secrecy Systems (1949), page 711.
"Using functional notation we have for enciphering $E = f(K, M)$. Given (or assuming) $M = m_1, m_2, \dots, m_s$ and $E = e_1, e_2, \dots, e_s$, the cryptanalyst can set up equations for the different key elements $k_1, k_2, \dots, k_r$ (namely the enciphering equations).
$$\begin{aligned}
e_1 &= f_1(m_1, m_2, \dots, m_s; k_1, \dots, k_r) \\
e_2 &= f_2(m_1, m_2, \dots, m_s; k_1, \dots, k_r) \\
&\;\;\vdots \\
e_s &= f_s(m_1, m_2, \dots, m_s; k_1, \dots, k_r)
\end{aligned}$$
All is known, we assume, except the $k_i$. Each of these equations should therefore be complex in the $k_i$, and involve many of them. Otherwise the enemy can solve the simple ones and then the more complex ones by substitution."

12. Shannon's attack on LFSR-based stream ciphers
Set up the enciphering equations:
$$\begin{cases}
s_0 = f(x_0, \dots, x_{L-1}) \\
s_1 = f \circ L(x_0, \dots, x_{L-1}) \\
\quad \vdots \\
s_t = f \circ L^t(x_0, \dots, x_{L-1})
\end{cases}$$
System of equations with $L$ variables of degree $d = \deg(f)$.
⇒ Solve the system by linearization:
$$\sum_{i=1}^{d} \binom{L}{i} \simeq \frac{L^d}{d!} \text{ keystream bits.}$$
Time complexity: $L^{3d}$ operations.

13. Other representations of Boolean functions

14. Reed-Muller codes
Definition. [Reed 54], [Muller 54] The Reed-Muller code of length $2^n$ and order $r$, $RM(r, n)$, is the linear code formed by the value vectors of all Boolean functions of $n$ variables and degree at most $r$.
Proposition. $RM(r, n)$ has minimum distance $2^{n-r}$.

15. Complexity of a Boolean function [Wegener 87]
$C_\Omega(f)$ = smallest number of gates of a circuit computing $f$, whose gates belong to $\Omega$.
Usually, $\Omega = B_2$, the set of Boolean functions of 2 variables. For Programmable Logic Arrays, $\Omega = (\wedge, \vee, \neg)$.
Example.
• $x_1 x_2 + x_1 x_3 + x_1 x_4 + x_1 x_5 + x_2 x_3 + x_2 x_4 + x_2 x_5 + x_3 x_4 + x_3 x_5 + x_4 x_5$ → 19 gates.
• $[(z + x_4)(z + x_5) + z] + [y(x_1 + x_3) + x_1]$ with $z = y + x_3$ and $y = x_1 + x_2$ → 10 gates.
The Shannon effect [Shannon 49], [Lupanov 70]. For all $n \ge 9$, "almost all" Boolean functions of $n$ variables have complexity $C_{B_2}$ greater than $2^n / n$.

16. Correlation attacks and related criteria

17. Correlation attack [Siegenthaler 85]
[Figure: the keystream $s_t$ is correlated with the output sequence $\sigma_t$ of the target LFSR]
where $p = \Pr[s_t \ne \sigma_t] \ne \frac{1}{2}$.
Problem: Recover the initial state of the target register from the knowledge of some keystream bits.

18. Correlation attack on a combination generator
[Figure: LFSR 1, ..., LFSR n are combined by $f$ into the keystream $s$; the output $\sigma$ of LFSR $i$ is correlated with $s$]
with $\Pr[f(x_1, \dots, x_n) \ne x_i] = \Pr[s_t \ne \sigma_t] \ne \frac{1}{2}$.

19. Correlation-immune functions
$$\Pr[f(X_1, \dots, X_n) = 1 \mid X_i = 1] = \Pr[f(X_1, \dots, X_n) = 1 \mid X_i = 0] .$$
In terms of Hamming distance (value vectors split according to the value of $x_i$):

              | x ∈ F_2^n, x_i = 0 | x ∈ F_2^n, x_i = 1
f             |        f_1         |        f_2
x ↦ x_i       |     0 0 ... 0      |     1 1 ... 1
f + x_i       |        f_1         |      f_2 + 1

$f$ correlation-immune $\Leftrightarrow wt(f_1) = wt(f_2)$
$$\Leftrightarrow d(f, x_i) = wt(f_1) + wt(f_2 + 1) = wt(f_1) + (2^{n-1} - wt(f_2)) = 2^{n-1} .$$

20. Correlation-immunity of order t [Siegenthaler 84]
Definition. A Boolean function $f$ of $n$ variables is $t$-th order correlation-immune if, for any subset $T \subset \{1, \dots, n\}$, $|T| = t$, for any $a \in \mathbb{F}_2^t$,
$$\Pr[f(X_1, \dots, X_n) = 1 \mid \forall i \in T,\ X_i = a_i] = \Pr[f(X_1, \dots, X_n) = 1] .$$
Proposition. [Xiao-Massey 88] $f$ is $t$-th order correlation-immune if and only if for all $\alpha \in \mathbb{F}_2^n$ with $1 \le wt(\alpha) \le t$, $d(f, \alpha \cdot x) = 2^{n-1}$.
Definition. A $t$-resilient function is a balanced $t$-th order correlation-immune function.
⇒ The correlation-immunity order of a combining function must be high.

21. Degree of a correlation-immune function
Theorem. [Siegenthaler 84] Let $f$ be a Boolean function of $n$ variables. Then, its correlation-immunity order $t$ satisfies
$$\deg(f) + t \le n .$$
Moreover, if $f$ is balanced,
$$\deg(f) + t \le n - 1 .$$

22. Distance to affine functions and Walsh transform

23. Walsh transform of a Boolean function
Imbalance of a Boolean function. For any Boolean function $f$ of $n$ variables
$$\mathcal{F}(f) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} = 2^n - 2\,wt(f) .$$
Linear functions of $n$ variables: $\varphi_a : x \mapsto a \cdot x$.
Walsh transform of a function $f$ of $n$ variables:
$$\begin{aligned}
\mathbb{F}_2^n &\to \mathbb{C} \\
a &\mapsto \mathcal{F}(f + \varphi_a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}
\end{aligned}$$

24. Computing the Walsh transform

f                                              | 0  1  0  0  0  1  1  1
(f_1 + f_2, f_1 − f_2)                         | 0  2  1  1  0  0 -1 -1
(f_3 + f_4, f_3 − f_4, f_5 + f_6, f_5 − f_6)   | 1  3 -1  1 -1 -1  1  1
Fourier transform f̂                            | 4 -2  0 -2 -2  0  2  0
Walsh transform = 2^n δ_0 − 2 f̂                | 0  4  0  4  4  0 -4  0

Here $f_1, f_2$ are the two halves of the value vector of $f$, and $f_3, \dots, f_6$ the two halves of each half of the previous row: each step of the butterfly replaces a pair of blocks by their sum and their difference.

25. Some basic properties of the Walsh transform
Lemma:
$$\sum_{x \in \mathbb{F}_2^n} (-1)^{a \cdot x} = \begin{cases} 2^n & \text{if } a = 0 \\ 0 & \text{otherwise.} \end{cases}$$
Proposition. The Walsh transform is an involution (up to a multiplicative constant).
$$\begin{aligned}
\sum_{a \in \mathbb{F}_2^n} \mathcal{F}(f + \varphi_a)(-1)^{a \cdot x}
&= \sum_{a \in \mathbb{F}_2^n} \sum_{u \in \mathbb{F}_2^n} (-1)^{f(u) + a \cdot u + a \cdot x} \\
&= \sum_{u \in \mathbb{F}_2^n} (-1)^{f(u)} \sum_{a \in \mathbb{F}_2^n} (-1)^{a \cdot (x + u)} \\
&= 2^n (-1)^{f(x)}
\end{aligned}$$
Parseval equality.
$$\sum_{a \in \mathbb{F}_2^n} \mathcal{F}^2(f + \varphi_a) = 2^{2n} .$$

26. Divisibility of the Walsh coefficients
Proposition. For any $a \in \mathbb{F}_2^n$,
$$\mathcal{F}(f + \varphi_a) \equiv \mathcal{F}(f) \bmod 2^{\lceil (n-1)/\deg f \rceil + 1} .$$
In particular,
$$\mathcal{F}(f + \varphi_a) \equiv \begin{cases} 2 \bmod 4 & \text{if } \deg f = n \\ 0 \bmod 4 & \text{if } \deg f < n . \end{cases}$$
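The butterfly of slide 24 and the criteria it supports on slides 19 to 21 and 25 to 26 (distance to linear functions, the Xiao-Massey test for correlation immunity, resiliency, Parseval, Walsh divisibility), as one added worked example that is not code from the slides. The function names, the 4-variable test function $x_1 x_2 + x_3 + x_4$ and the truth-table indexing convention are this example's own assumptions.

```python
from math import ceil

# Constructed samples, truth tables in the slides' order (x1 varies fastest, so
# index = x1 + 2*x2 + 4*x3 + ...): the Geffe function of slides 4/8, and
# f = x1x2 + x3 + x4, a 4-variable function chosen as a second test case.
GEFFE_TT = [0, 1, 0, 0, 0, 1, 1, 1]
F4_TT = [(x & 1) * (x >> 1 & 1) ^ (x >> 2 & 1) ^ (x >> 3 & 1) for x in range(16)]

def walsh_transform(tt):
    """F(f + phi_a) for every a in natural order: the (v1+v2, v1-v2) butterfly of
    slide 24 applied to the sign vector (-1)^f(x), one index bit per stage."""
    w = [1 - 2 * v for v in tt]
    n = len(w).bit_length() - 1
    assert 1 << n == len(w), "truth table length must be a power of two"
    for i in range(n):
        bit = 1 << i
        for u in range(len(w)):
            if not u & bit:
                w[u], w[u | bit] = w[u] + w[u | bit], w[u] - w[u | bit]
    return w

def parseval_holds(tt):
    """Parseval: the squared Walsh coefficients sum to 2^(2n)."""
    n = len(tt).bit_length() - 1
    return sum(v * v for v in walsh_transform(tt)) == 1 << (2 * n)

def distance_to_linear(tt, a):
    """Hamming distance d(f, a.x) = (2^n - F(f + phi_a)) / 2."""
    return (len(tt) - walsh_transform(tt)[a]) // 2

def correlation_immunity_order(tt):
    """Xiao-Massey: largest t with F(f + phi_a) = 0 for all 1 <= wt(a) <= t."""
    w = walsh_transform(tt)
    n = len(tt).bit_length() - 1
    for weight in range(1, n + 1):
        if any(w[a] for a in range(1, len(tt)) if bin(a).count("1") == weight):
            return weight - 1
    return n

def resiliency_order(tt):
    """t-resilient = balanced and t-th order correlation-immune; None if unbalanced."""
    if walsh_transform(tt)[0] != 0:     # F(f) = 2^n - 2 wt(f) vanishes iff balanced
        return None
    return correlation_immunity_order(tt)

def walsh_congruence_holds(tt, deg):
    """Slide 26: every F(f + phi_a) is congruent to F(f) mod 2^(ceil((n-1)/deg) + 1)."""
    w = walsh_transform(tt)
    n = len(tt).bit_length() - 1
    modulus = 1 << (ceil((n - 1) / deg) + 1)
    return all((v - w[0]) % modulus == 0 for v in w)
```

For the Geffe table the spectrum is (0, 4, 0, 4, 4, 0, -4, 0) as on slide 24, so the function is balanced but only 0-resilient, which is what the Siegenthaler bound allows for degree 2 in 3 variables.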
