Finite Fields, Applications and Open Problems, Daniel Panario (PowerPoint PPT presentation)



SLIDE 1

Differential map PN and APN functions Permutation polynomials Iteration of Functions Random sequences

Finite Fields, Applications and Open Problems

Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca LAWCI School, Campinas, July 2018

Finite Fields, Applications and Open Problems Daniel Panario

SLIDE 2

Summary

Lecture 1: Applications in Combinatorics

Brief review of finite fields. Introduction to combinatorial objects (designs, latin squares, several types of arrays). Classical results (latin squares and sudokus; Costas arrays). Orthogonal arrays and their constructions based on finite fields. Some applications in cryptography/coding theory (brief):

  • secret sharing and combinatorial designs;
  • orthogonal arrays and codes.

Orthogonal array variants (covering arrays, ordered orthogonal arrays) and their constructions based on finite fields.

SLIDE 3

Summary (cont.)

Lecture 2: Applications in cryptography

Applications of finite fields (brief). Differential map, differential uniformity, and differential cryptanalysis. Example of an S-box function and its characteristics. Perfect nonlinear (PN) and almost perfect nonlinear (APN) functions. Permutation polynomials and their cycle decomposition. Iteration of functions. Generating pseudorandom sequences: how random is a sequence, requirements for sequences in cryptography.

SLIDE 4

Applications in cryptography

Cryptosystems:

Diffie-Hellman key agreement; ElGamal digital signature scheme; RSA (permutation polynomials over finite fields); elliptic and hyperelliptic curve cryptosystems; Chor-Rivest cryptosystem; Powerline cryptosystem; Goppa-code cryptosystem; Shamir’s secret sharing; etc.

SLIDE 5

Applications in cryptography (cont.)

Security:

discrete logarithm problem; index calculus method and its variants (Waterloo, Coppersmith); linear and differential cryptanalysis (PN and APN functions).

Stream ciphers:

WG (Welch-Gong); RC4; etc.

Block ciphers:

AES (advanced encryption standard): Rijndael; SAFER (Secure And Fast Encryption Routine); RC6 (permutation polynomials over integer rings).

SLIDE 6

Applications in coding theory

Classical applications:

BCH codes; Reed-Solomon codes; burst error-correcting codes; convolutional codes; codes based on algebraic curves; etc.

Recent applications:

LDPC (low density parity check) codes; turbo codes.

SLIDE 7

Applications in engineering

LFSR (linear feedback shift register) sequences; pseudorandom number generators (LFSRs, polynomials); radar and sonar (sequences over finite fields, Costas arrays); digital signal processing: transforms (discrete Fourier, Hadamard, trigonometric); ad-hoc uses (like concert hall acoustics); etc. For more information on LFSRs and sequences, see the book by Golomb and Gong (2005).

SLIDES 8-9

Applications in mathematics

Finite geometries: affine and projective geometries; constructions of projective planes with a finite number of points and lines. Combinatorial designs: BIBD (balanced incomplete block designs), latin squares and MOLS (mutually orthogonal latin squares), orthogonal and covering arrays, etc. There are also recent applications to bioinformatics (dynamical systems over finite fields). For more information see (shameless advertisement coming): Handbook of Finite Fields by Gary Mullen and Daniel Panario, published by CRC in 2013.

SLIDE 10

[Book cover: Handbook of Finite Fields, Gary L. Mullen and Daniel Panario; Discrete Mathematics and Its Applications series, Series Editor Kenneth H. Rosen; CRC Press.]

SLIDE 11

Differential Map

SLIDE 12

Differential map and uniformity

  • Brief recall of substitution-permutation networks and differential cryptanalysis
  • Cipher AES (Advanced Encryption Standard)
  • APN (Almost Perfect Nonlinear) functions

SLIDE 13

SPN (Substitution Permutation Networks)

A substitution-permutation network consists of R rounds and the secret key is broken into R + 1 subkeys. At each round, the data stream is mixed with a subkey and fed into a series of substitution boxes (S-boxes), then the resulting output bits are mixed by a permutation box (P-box).

S-boxes are functions which act on a subset of the input bits into a round; their primary purpose is to increase the confusion of the cipher. P-boxes act as a shuffling of the bits between rounds; their purpose is to diffuse characteristics of the data stream. The output of the final round’s S-boxes is mixed with a final round key to create the ciphertext. A diagram of a basic 16-bit, 4-round SPN is given next.

SLIDES 14-15

[Figure: diagram of a basic 16-bit, 4-round SPN; image not recoverable from the extraction.]

SLIDE 16

An S-box is a look-up table which substitutes small blocks of bits for another block of bits. In most cases (but not in all cases, e.g. DES), we consider S-boxes as maps from F_2^n → F_2^n. Since permutations and adding round keys are all linear relations between bits, S-boxes are the only possibly non-linear component of the network. This non-linearity is crucial to the security of the cipher.

Key-mixing is done by the XOR operation of the key bits with the input bits of the round. The XOR operation is self-inverse. Each S-box is a one-to-one function, and so can be inverted, and each P-box is a permutation, so decryption involves applying the inverse permutation. Since each component of the network is invertible, decryption is performed by running the ciphertext backwards through the cipher.
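As an added illustration (not code from the slides), the Python below builds a toy 16-bit, 4-round SPN of the shape just described. The 4-bit S-box, the P-box (a 4×4 bit transpose) and the way the R + 1 subkeys are sliced out of an 80-bit key are all constructed here for illustration and are not taken from any real cipher. It shows the two points of the text: every component is invertible, so decryption runs the ciphertext backwards through the network, and key mixing and the P-box respect XOR while the S-box does not.

```python
# Added example (not code from the slides): a toy 16-bit, 4-round substitution-permutation
# network. S-box, P-box and key schedule are constructed for illustration only.

# Constructed 4-bit S-box: a permutation of 0..15 (not a standard cipher's S-box).
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# Constructed P-box: input bit i goes to output position PBOX[i]; a 4x4 transpose, so
# each S-box's four output bits are spread over all four S-boxes of the next round.
PBOX = [4 * (i % 4) + i // 4 for i in range(16)]
PBOX_INV = [PBOX.index(i) for i in range(16)]
ROUNDS = 4
DEMO_KEY = 0x0123456789ABCDEF0123      # constructed 80-bit key (R + 1 = 5 subkeys of 16 bits)


def substitute(state, table):
    """Apply the 4-bit table to each of the four nibbles of a 16-bit state."""
    out = 0
    for nib in range(4):
        out |= table[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def permute(state, table):
    """Move bit i of the state to position table[i]."""
    out = 0
    for i in range(16):
        if (state >> i) & 1:
            out |= 1 << table[i]
    return out


def round_keys(key, rounds=ROUNDS):
    """R + 1 subkeys: here simply consecutive 16-bit windows of the key."""
    return [(key >> (16 * r)) & 0xFFFF for r in range(rounds + 1)]


def encrypt(block, key):
    keys = round_keys(key)
    state = block & 0xFFFF
    for r in range(ROUNDS):
        state ^= keys[r]                    # key mixing (XOR, self-inverse)
        state = substitute(state, SBOX)     # S-boxes: the only non-linear step
        if r < ROUNDS - 1:                  # final round: S-box output meets the last key directly
            state = permute(state, PBOX)    # P-box: bit shuffling between rounds
    return state ^ keys[ROUNDS]


def decrypt(block, key):
    """Run the ciphertext backwards: the inverse of each step, in reverse order."""
    keys = round_keys(key)
    state = block ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            state = permute(state, PBOX_INV)
        state = substitute(state, SBOX_INV)
        state ^= keys[r]
    return state


def respects_xor(fn, pairs):
    """True iff fn(x ^ y) == fn(x) ^ fn(y) on every pair, i.e. fn behaves linearly over F_2."""
    return all(fn(x ^ y) == fn(x) ^ fn(y) for x, y in pairs)


SBOX_PAIRS = [(x, y) for x in range(16) for y in range(16)]                    # exhaustive
PBOX_PAIRS = [(x, (x * 0x9E37) & 0xFFFF) for x in range(0, 1 << 16, 61)]      # constructed sample


def sbox_is_linear():
    return respects_xor(lambda v: SBOX[v], SBOX_PAIRS)          # False: S-box is non-linear


def pbox_is_linear():
    # A bit permutation is linear on all inputs; the sample just exhibits it.
    return respects_xor(lambda s: permute(s, PBOX), PBOX_PAIRS)


def roundtrip_ok(key, blocks):
    return all(decrypt(encrypt(b, key), key) == b for b in blocks)


if __name__ == "__main__":
    c = encrypt(0x1234, DEMO_KEY)
    print(hex(c), hex(decrypt(c, DEMO_KEY)), sbox_is_linear(), pbox_is_linear())
```

Because the last round has no P-box, its S-box outputs are XORed with the final subkey directly; this is the structure that differential cryptanalysis targets when it recovers bits of the last round key, as the next slide explains.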

SLIDE 17

Differential cryptanalysis

Differential cryptanalysis was introduced by Biham and Shamir in 1991, as an attack against DES. It has been used to reduce the number of DES keys to be tested from 2^55 (brute force) to 2^47. Though less successful than linear cryptanalysis for DES, differential cryptanalysis scales very well to other ciphers. Differential cryptanalysis is a chosen-plaintext attack, where an attacker has access to the keyed cipher and is able to encrypt any plaintext. The main goal of differential cryptanalysis is to exploit highly probable relationships between differences of plaintexts and the difference of the inputs into the last round of the cipher. As in linear cryptanalysis, differential cryptanalysis can be used to recover bits of the final round’s key.

SLIDE 18

Ciphers

SLIDE 19

Practical symmetric-key cryptosystems

In the following we review some ciphers. We start with a classical block cipher.

Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) is the Federal Information Processing Standards Publication 197 (FIPS 197), named in 2001 as the standard for symmetric block ciphers:

http://csrc.nist.gov/publications/fips197/fips-197.pdf

SLIDE 20

AES is a minor variant of the cipher Rijndael, so named for its authors, Daemen and Rijmen. Rijndael and AES differ only in block and cipher key lengths: in Rijndael, the block length and the key length can be specified (independently) to any multiple of 32 bits between 128 bits and 256 bits. AES originally required the block length to be fixed at 128 bits, but 192- and 256-bit variants have arisen. AES also allows key lengths of 128, 192 or 256 bits. See: “The design of Rijndael: AES – the Advanced Encryption Standard” by Joan Daemen and Vincent Rijmen, Springer, 2002. In what follows, we drop the distinction between AES and Rijndael. AES is based on the substitution-permutation network framework. The S-boxes in AES are defined over F_{2^8} ≅ F_2[x]/(f), where f(x) = x^8 + x^4 + x^3 + x + 1 is a primitive pentanomial.

SLIDE 21

[Figure: AES round structure. Input: 128-bit message M. 0-th round: XOR with K_0 (0-th round key). Repeated for r − 1 rounds: sixteen 8-bit S-boxes, Shift Rows and Mix Columns, XOR with K_i (i-th round key). r-th round: sixteen 8-bit S-boxes, Shift Rows, XOR with K_r (r-th round key). Output: 128-bit ciphertext C.]

SLIDE 22

At each round, the state of the cipher consists of a 4 × 4 matrix, where the (i, j) entry of the matrix is given by bit 4i + j of the data stream, 0 ≤ i, j ≤ 3. There is one allowable block length, 128 bits, and three allowable key lengths, 128, 192 and 256 bits. There are 10, 12 or 14 rounds, corresponding to key lengths of 128, 192 or 256 bits, respectively. At each round, except for the last round, the following functions are applied in order:

  1. an 8-bit substitution (called the SubBytes() transformation),
  2. a 128-bit permutation (called the ShiftRows() transformation),
  3. a 32-bit column mixing (called the MixColumns() transformation),
  4. addition of the round key (called the AddRoundKey() transformation).

SLIDE 23

In implementations, every transformation is simply defined as a 16 × 16 lookup table. The ShiftRows() transformation is performed by cyclically shifting row i of the matrix, i = 0, 1, 2, 3, to the left by 4 · i bytes. In MixColumns(), the columns of the state are treated as degree-3 polynomials over F_{2^8} and are multiplied by a fixed polynomial modulo x^4 + 1. Though x^4 + 1 is not irreducible in characteristic two, the polynomial chosen for AES has an inverse modulo x^4 + 1, so decryption is possible. AddRoundKey() is simply an addition. SubBytes(): x → x^{2^8−2} is of particular interest, providing the nonlinearity of the S-box.

SLIDE 24

SubBytes(): x → x^{2^8−2}

The SubBytes() transformation is actually the composition of two (invertible) transformations:

  1. Apply the multiplicative inverse function x → x^{2^8−2} over F_{2^8}. Using this representation means that this mapping is well-defined even at 0.
  2. Apply an invertible affine transformation (over F_2) to further mix the output bits.

The only non-linear portion of the cipher is the multiplicative inverse function. We present next a brief summary of some of its cryptographic characteristics.

SLIDE 25

Cryptographic characteristics of the function x → x^{2^8−2} over F_{2^8}

  Characteristic                Value
  Permutation                   Yes
  Balanced                      Yes
  Almost perfect nonlinear      No
  Differential uniformity       4
  Non-linearity (Boolean)       112
  Non-linearity (general)       0.875

SLIDE 26

PN and APN Functions

SLIDE 27

Definition

For fixed a, b ∈ F_p^n, let N_f(a, b) denote the number of solutions x ∈ F_p^n of f(x + a) − f(x) = b, and let

  ∆_f = max{ N_f(a, b) | a, b ∈ F_p^n, a ≠ 0 }.

Nyberg (1994) defines a mapping f to be differentially k-uniform if ∆f = k. If k = 1, then f is called perfect nonlinear (PN). If k = 2, then f is called almost perfect nonlinear (APN).

SLIDE 28

A major drawback for cryptography is that these optimal functions are not invertible, as is required for S-box functions, and do not exist in characteristic 2 (as we will see next).

Proposition. There are no PN permutations.

Proof. Let f be any PN function. Choose b = 0. Since f is PN, for all nonzero a there must exist a solution to f(x + a) − f(x) = 0. Thus, f is not a permutation.

SLIDE 29

Example. The function f(x) = x^2 defined over a finite field of odd characteristic is PN and not bijective.

Proof. f(x + a) − f(x) = (x + a)^2 − x^2 = 2ax + a^2 = b has exactly one solution since 2a is invertible for a ≠ 0. But this function is not bijective since f(1) = f(−1).
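Added example (not from the slides): a brute-force computation of ∆_f over a prime field F_p, following the definition above. It is applied to the deck’s f(x) = x^2, which comes out PN and not a permutation, and for contrast to x^3, which has ∆_f = 2 and is a permutation exactly when gcd(3, p − 1) = 1. The helper names and the primes used are my choices.

```python
# Added example (not from the slides): differential uniformity over the prime field F_p
# for a function given as a Python callable on {0, ..., p-1}, with p an odd prime.


def differential_uniformity(f, p):
    """Delta_f = max over a != 0 and all b of N_f(a, b) = #{x in F_p : f(x+a) - f(x) = b}."""
    delta = 0
    for a in range(1, p):
        counts = [0] * p                      # counts[b] = N_f(a, b)
        for x in range(p):
            b = (f((x + a) % p) - f(x)) % p
            counts[b] += 1
        delta = max(delta, max(counts))
    return delta


def is_permutation(f, p):
    return len({f(x) % p for x in range(p)}) == p


def classify(f, p):
    """Return (Delta_f, 'PN' / 'APN' / 'k-uniform', whether f permutes F_p)."""
    delta = differential_uniformity(f, p)
    name = {1: "PN", 2: "APN"}.get(delta, f"{delta}-uniform")
    return delta, name, is_permutation(f, p)


def square(p):
    return lambda x: (x * x) % p     # the deck's example f(x) = x^2


def cube(p):
    return lambda x: pow(x, 3, p)    # x^3: f(x+a) - f(x) is quadratic in x, so at most 2 solutions


if __name__ == "__main__":
    for p in (5, 7, 13):
        print(p, "x^2:", classify(square(p), p), "x^3:", classify(cube(p), p))
```

For x^2 the count is 1 for every (a, b) with a ≠ 0, matching the proof above, while the image of x^2 has only (p + 1)/2 distinct values. For x^3 the difference 3ax^2 + 3a^2x + a^3 is a quadratic in x with nonzero leading coefficient (p ≠ 3), so no b is hit more than twice, and x^3 permutes F_5 but not F_7.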

SLIDE 30

Proposition. There are no perfect nonlinear mappings over fields of characteristic 2.

Proof. Let f : F_2^n → F_2^n be any mapping. If x is a solution to f(x + a) − f(x) = b, then x + a is also a solution, since f((x + a) + a) − f(x + a) = f(x) − f(x + a) = f(x + a) − f(x). Therefore the number of solutions to f(x + a) − f(x) = b is always even.

SLIDE 31

Reminder: permutations of low differential uniformity are of interest in cryptography. Indeed, differential and linear cryptanalysis attempt to exploit weaknesses of the uniformity of the functions employed in block ciphers. As we just saw, when f is defined over F_2^n, solutions come in pairs, and the minimum possible value for ∆_f is two. Hence, over the important characteristic 2 case, APN functions attain this minimum and so are optimally resistant to differential cryptanalysis.

SLIDE 32

The most used APN functions over F_{2^n} are power functions x^d, for some particular values of d, but there are other APN functions. Monomials are intensively studied, since they usually have a lower implementation cost in hardware. Moreover, their properties regarding differential attacks can be studied more easily. There is also a relation with weight enumerators of some cyclic codes. When n is odd, in characteristic 2, any APN monomial is a permutation, but not much is known about other APN functions being bijective in general. Remark: in practice we are generally interested in even extensions of F_2 . . .

SLIDE 33

Power APN functions over F_{2^n}

Known classes of power APN functions over F_{2^n}:

  Function              Exponent d                              Conditions
  Gold functions        2^i + 1                                 gcd(n, i) = 1
  Kasami functions      2^{2i} − 2^i + 1                        gcd(n, i) = 1
  Welch function        2^t + 3                                 n = 2t + 1
  Niho function         2^t + 2^{t/2} − 1                       n = 2t + 1, t even
                        2^t + 2^{(3t+1)/2} − 1                  n = 2t + 1, t odd
  Inverse function      2^{2t} − 1                              n = 2t + 1
  Dobbertin function    2^{4i} + 2^{3i} + 2^{2i} + 2^i − 1      n = 5i

Table: Known APN power functions x^d on F_{2^n}.

SLIDE 34

Gold Case

We give the proof for the Gold function due to Nyberg. Remarks: Vectorial functions from F_p^n to F_p^n are in one-to-one correspondence with the set of polynomials in F_{p^n}[x] of degree at most p^n − 1. A polynomial f ∈ F_{p^n}[x] is a permutation polynomial if the map x → f(x) is a permutation from F_{p^n} to F_{p^n}. Let f ∈ F_{p^n}[x]. Then f(x) = x^d is a permutation polynomial if and only if gcd(d, p^n − 1) = 1.

SLIDE 35

Theorem. Let gcd(n, i) = s. Then the Gold power function over F_{2^n} defined by f(x) = x^{2^i+1} satisfies ∆_f = 2^s. Moreover, if n/s is odd, then f is a permutation.

Proof (sketch). In order to determine ∆_f, we count the number of solutions to

  (x + a)^{2^i+1} + x^{2^i+1} = b, for all b ∈ F_{2^n}.   (1)

Since f is defined over F_{2^n}, all solutions come in pairs, so suppose that x_1 and x_2 are distinct solutions to the above equation. Then

  (x_1 + a)^{2^i+1} + x_1^{2^i+1} + (x_2 + a)^{2^i+1} + x_2^{2^i+1} = 0
    ⇔ x_1^{2^i} + x_1 + x_2^{2^i} + x_2 = 0
    ⇔ (x_1 + x_2)^{2^i−1} = 1,

SLIDE 36

so that x_1 + x_2 ∈ F^*_{2^s}. One can deduce from this that if x_0 is a solution to (1), the set of all solutions is given by x_0 together with x_0 + F^*_{2^s}, that is, x_0 + F_{2^s}, and so there are 2^s solutions. Hence, ∆_f = 2^s.

To prove that f is a permutation, we need to show that gcd(2^i + 1, 2^n − 1) = 1. We recall the notion of the 2-order of an integer a, which is the highest power of 2 that divides a. Since n/s is odd, the 2-order of s is equal to the 2-order of n, and gcd(2i, n) = gcd(i, n) = s. Therefore,

  2^s − 1 = gcd(2^{2i} − 1, 2^n − 1) = gcd(2^i − 1, 2^n − 1) · gcd(2^i + 1, 2^n − 1)

implies gcd(2^i + 1, 2^n − 1) = 1, and f is a permutation.

Corollary. If gcd(n, i) = 1, then the Gold power function is APN over F_{2^n}, and an APN permutation if in addition n is odd.

SLIDE 37

Other important APN functions

The so-called inverse function over F_{2^n} defined by f(x) = x^{2^n−2} (observe f(0) = 0) is APN for n odd. For even n it has differential uniformity 4 (N_f(a, b) takes the values 0, 2 and 4). Indeed, for a fixed nonzero a, the value 0 is taken 2^{n−1} + 1 times, the value 2 is taken 2^{n−1} − 2 times, and the value 4 is taken once. We observe that the S-boxes in AES use the inverse function; AES is defined over F_{2^8}, hence it is a permutation but not APN. For APN permutations, N_f(a, b) takes the values 0 and 2, each 2^{n−1} times.
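Added example, not code from the slides: arithmetic in F_{2^n} = F_2[x]/(m) on bit vectors, used to check by exhaustive computation the statements made about x → x^{2^n−2} (slides 24, 25 and 37), about the Gold functions x → x^{2^i+1} (slides 35 and 36), and about the AES modulus polynomial quoted on slide 20. The AES modulus is the one given on slide 20; the other moduli (x^7 + x + 1, x^5 + x^2 + 1, x^6 + x + 1, x^4 + x + 1), the function names and the parameters (n, i) are my choices. N_f(a, b) is computed directly from the definition on slide 27, with field addition being XOR, and order_of_x reports the multiplicative order of the element x modulo m, which equals 2^n − 1 exactly when m is primitive.

```python
# Added example (not code from the slides): F_{2^n} as bit vectors, differential uniformity
# and the distribution of N_f(a, b) for power functions, and checks on the modulus polynomial.
from math import gcd

AES_MOD = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, the modulus quoted for AES (0x11B)


def poly_mod(a, b):
    """Remainder of a modulo b for polynomials over F_2 stored as bit vectors."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def is_irreducible(m, n):
    """Trial division by every polynomial of degree 1..n/2 (fine for the small n used here)."""
    return all(poly_mod(m, g) != 0
               for d in range(1, n // 2 + 1)
               for g in range(1 << d, 1 << (d + 1)))


def gf_mul(a, b, n, m):
    """Product of two elements of F_{2^n} (shift-and-add, reducing modulo m)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= m
    return r


def gf_pow(a, e, n, m):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, m)
        a = gf_mul(a, a, n, m)
        e >>= 1
    return r


def order_of_x(n, m):
    """Multiplicative order of the element x; m is primitive iff this equals 2^n - 1."""
    e, y = 1, 0b10
    while y != 1:
        y = gf_mul(y, 0b10, n, m)
        e += 1
    return e


def power_table(d, n, m):
    """Value table of x -> x^d over F_{2^n}: index = element, entry = its image."""
    return [gf_pow(x, d, n, m) for x in range(1 << n)]


def n_f(table, a):
    """N_f(a, b) for every b, for the function given by its value table (addition is XOR)."""
    counts = [0] * len(table)
    for x in range(len(table)):
        counts[table[x ^ a] ^ table[x]] += 1
    return counts


def differential_uniformity(table):
    return max(max(n_f(table, a)) for a in range(1, len(table)))


def spectrum(table, a=1):
    """How often each value of N_f(a, b) occurs as b ranges over the field, for one fixed a."""
    counts = n_f(table, a)
    return {v: counts.count(v) for v in sorted(set(counts))}


def is_permutation(table):
    return len(set(table)) == len(table)


def inverse_function(n, m):
    return power_table((1 << n) - 2, n, m)      # x -> x^(2^n - 2), with 0 -> 0


def gold_function(n, i, m):
    return power_table((1 << i) + 1, n, m)      # x -> x^(2^i + 1)


def gold_prediction(n, i):
    """Theorem above: Delta_f = 2^s with s = gcd(n, i); permutation iff n/s is odd."""
    s = gcd(n, i)
    return 1 << s, (n // s) % 2 == 1


if __name__ == "__main__":
    aes = inverse_function(8, AES_MOD)
    print("irreducible:", is_irreducible(AES_MOD, 8), "order of x:", order_of_x(8, AES_MOD))
    print("AES inverse map: permutation", is_permutation(aes),
          "Delta_f", differential_uniformity(aes), "spectrum", spectrum(aes))
```

Running it for n = 8 reproduces the table of slide 25 (permutation, ∆_f = 4) and the 2^{n−1} + 1, 2^{n−1} − 2, 1 distribution of slide 37; for n = 7 the inverse map is APN with N_f(a, b) ∈ {0, 2} each taken 64 times. The spectrum is the same for every nonzero a, because the substitution x → ax maps the solutions for (1, b) onto those for (a, b/a); the test checks a second a to make that visible.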

SLIDE 38

The APN function 45^x mod 257 and its inverse in Z_256 are used in the SAFER cryptosystem by Massey (1993). Open problem: find an APN permutation in F_{2^8} (or in F_{2^{2n}} for n ≥ 4). It was conjectured that there are no APN permutations on even extensions of characteristic 2. Hou proved that there are no APN permutations in F_{2^4}. The first example of an APN permutation in F_{2^6} was found by Dillon in 2009!

SLIDE 39

Permutation Polynomials

SLIDE 40

Definitions and examples

Definition. For q a prime power, let F_q denote the finite field containing q elements. A polynomial f ∈ F_q[x] is a permutation polynomial (PP) if the function f : c → f(c) from F_q into itself induces a permutation. Alternatively, f is a PP if the equation f(x) = a has a unique solution for each a ∈ F_q.

PPs over finite fields F_q and rings Z_n have applications in the Advanced Encryption Standard (AES) and the RC6 cipher (Rivest, Robshaw, Sidney and Yin, 1998; Rivest, 2001), among other ciphers. RC6 uses the permutation function in Z_{2^w} (w = 32 for the suggested implementation) f(x) = x(2x + 1) (mod 2^w).

SLIDE 41

“Our security goals are that the data-dependent rotation amount that will be derived from the output of this transformation should depend on all bits of the input word and that the transformation should provide good mixing within the word. The particular choice of this transformation for RC6 is the function f followed by a left rotation by five bit positions. This transformation appears to meet our security goals while taking advantage of simple primitives that are efficiently implemented on most modern processors. Note that f is one-to-one modulo 2^w, and that the high-order bits of f, which determine the rotation amount used, depend heavily on all the bits of x. See ‘The Security of the RC6 Block Cipher’ for more information on these issues.”

SLIDE 42

Well known classes of PPs over F_q

Monomials: The monomial x^n is a PP on F_q if and only if (n, q − 1) = 1.

Dickson: For a ≠ 0 ∈ F_q, the polynomial

  D_n(x, a) = \sum_{i=0}^{\lfloor n/2 \rfloor} \frac{n}{n-i} \binom{n-i}{i} (-a)^i x^{n-2i}

is a PP on F_q if and only if (n, q^2 − 1) = 1.

SLIDE 43

Linearized: The polynomial

  L(x) = \sum_{s=0}^{n-1} a_s x^{q^s} ∈ F_{q^n}[x]

is a PP on F_{q^n} if and only if det(a_{i−j}^{q^j}) ≠ 0, 0 ≤ i, j ≤ n − 1.

DO permutation polynomials: A polynomial

  f(x) = \sum_{i,j=0}^{n-1} a_{i,j} x^{p^j + p^i}

is called a Dembowski-Ostrom (DO) polynomial.

SLIDE 44

DO polynomials cannot be PP in odd characteristic. Some cases where DO polynomials are PP in characteristic 2 are given by Blokhuis, Coulter, Henderson and O’Keefe (2001). Dembowski-Ostrom polynomials have been used for a cryptographic application in the public key cryptosystem HFE (Patarin, 1996). There the author states that “it seems difficult to choose f (a DO polynomial) such that it is a permutation”. It is the purpose of this article to provide some examples of Dembowski-Ostrom permutations. We consider this problem in the purely theoretical spirit of problem P2 of Lidl and Mullen (1988). We do not claim that any of the classes identified in this article could be used to provide a “secure” cryptosystem when implemented in HFE.

SLIDE 45

Dickson polynomials

Dickson polynomials generalize monomials: D_n(x, 0) = x^n. The Dickson polynomials with parameter a = ±1 are related to Fibonacci and Lucas polynomials. For general a, Dickson polynomials over the complex numbers are related to the Chebyshev polynomials T_n: D_n(2xa, a^2) = 2a^n T_n(x). Dickson polynomials have been related to RSA by Müller and Nöbauer, and by Lidl and Müller. For more applications and connections, see the book Dickson Polynomials by Lidl, Mullen and Turnwald (1993).

SLIDE 46

PPs are related to APN functions. For example, Dobbertin (1999) constructed classes of PPs over finite fields of characteristic two and used them to prove several conjectures on APN monomials. Golomb and Moreno (1996) show that PPs are useful in the construction of Costas arrays, which are useful in sonar and radar communications. They gave an equivalent conjecture for Costas arrays in terms of permutation polynomials. The connection between Costas arrays and APN permutations of integer rings Z_n is by Drakakis, Gow and McGuire (2009). Composed with discrete logarithms, permutation polynomials of finite fields are used to produce permutations of integer rings Z_n which generate APN permutations in many cases.

SLIDE 47

Iteration of Functions

SLIDE 48

Iterations of functions over finite fields

In general, let F_n be the set of functions (“mappings”) from the set [1..n] to itself. With any ϕ ∈ F_n there is associated a functional graph on n nodes, with a directed edge from vertex u to vertex v if ϕ(u) = v. We are interested here in functions over finite fields. Functional graphs of mappings are sets of connected components; the components are directed cycles of nodes; and each of those nodes is the root of a tree. The dynamics of iterations of polynomials and rational functions over finite fields have attracted much attention in recent years, in part due to their applications in cryptography and integer factorization methods like Pollard’s rho algorithm.

SLIDES 49-56

Description of Pollard’s method (iteration only)

Iteration function: f(x) = x^2 + a. Rho path of a random element x_0: x_k = f(x_{k−1}), for k ≥ 1.

Figure: Rho path of x_0 = 6 under f(x) = x^2 + 1 ∈ F_13[x].


Heuristic assumption: behaviour similar to a random mapping.

Finite Fields, Applications and Open Problems Daniel Panario

slide-57
SLIDE 57

Differential map PN and APN functions Permutation polynomials Iteration of Functions Random sequences

Random mappings and Pollard method

Used in (brief list):

  • E. Teske, On random walks for Pollard's rho method, Mathematics of Computation, 2001.
  • J. Bos, T. Kleinjung, A. K. Lenstra, On the use of the negation map in the Pollard rho method, ANTS 2010.
  • D. J. Bernstein, T. Lange, Two grumpy giants and a baby, ANTS 2012.

Many parameters are defined on mappings; we focus on rho length. It is not clear how "close" particular polynomials and rational functions are to random mappings.
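The iteration of the slides above, as an added example that is not part of the original lecture: it walks the rho path of x_0 under f(x) = x^2 + a over F_p once with a stored path (so the tail and the cycle can be seen) and once with Floyd's tortoise-and-hare collision search, the constant-memory technique that Pollard's rho method is built on. The field, constant and starting point are the slides' own (p = 13, a = 1, x_0 = 6); the function names and the average-rho-length helper, which compares against the random-mapping heuristic, are mine.

```python
"""Rho path of x -> x^2 + a over F_p, and Floyd's cycle finding as used in
Pollard's rho method.

Added example, not from the slides. The iteration, field size, constant and
starting point are the slides' own (f(x) = x^2 + 1 over F_13, x_0 = 6); the
function names and the average-rho-length helper are mine.
"""
from typing import Callable, List, Tuple

Map = Callable[[int], int]


def make_quadratic(p: int, a: int) -> Map:
    """Iteration function f(x) = x^2 + a in F_p."""
    return lambda x: (x * x + a) % p


def rho_path(f: Map, x0: int) -> Tuple[List[int], List[int]]:
    """Walk x_k = f(x_{k-1}), storing every element until the first repeat.
    Returns (tail, cycle); memory grows with the rho length."""
    seen, path, x = {}, [], x0
    while x not in seen:
        seen[x] = len(path)
        path.append(x)
        x = f(x)
    first = seen[x]                    # index at which the walk re-enters itself
    return path[:first], path[first:]


def floyd(f: Map, x0: int) -> Tuple[int, int]:
    """Floyd's tortoise-and-hare in O(1) memory. Returns (mu, lam) with
    mu = pper(x0) (tail length) and lam = per(x0) (cycle length)."""
    tortoise, hare = f(x0), f(f(x0))   # phase 1: find some x_i = x_{2i}
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    mu, tortoise = 0, x0               # phase 2: walk x_0 and x_i in step;
    while tortoise != hare:            # they meet at the first cycle element
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    lam, hare = 1, f(tortoise)         # phase 3: go once around the cycle
    while tortoise != hare:
        hare = f(hare)
        lam += 1
    return mu, lam


def rho_length(f: Map, x0: int) -> int:
    """Number of distinct elements on the rho of x0: tail plus cycle."""
    mu, lam = floyd(f, x0)
    return mu + lam


def average_rho_length(f: Map, p: int) -> float:
    """Mean rho length over all starting points in F_p; for a random mapping
    on p points the heuristic expectation is about sqrt(pi * p / 2)."""
    return sum(rho_length(f, x0) for x0 in range(p)) / p


if __name__ == "__main__":
    f = make_quadratic(13, 1)
    print(rho_path(f, 6))      # tail [6, 11], cycle [5, 0, 1, 2]
    print(floyd(f, 6))         # (2, 4)
    print(average_rho_length(f, 13))
```

For x^2 + 1 over F_13 the mean rho length over all 13 starting points is 49/13 ≈ 3.8, against sqrt(13π/2) ≈ 4.5 for a random mapping; at this size the two agree only roughly, which is the point of the heuristic question on the next slide.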


Cycle Decomposition and Iteration of Functions

Functional graphs provide an easy and quick way of determining permutational properties of the functions being iterated. Indeed, if the trees are trivial (that is, with a unique node), the graph is formed only by cycles and the corresponding function is a permutation. Information on the permutation such as the number of cycles, the lengths of the cycles, the cycle decomposition and so on can be readily obtained from the functional graph decomposition.


Finite dynamics

Let X be a finite set and f : X → X. For x ∈ X, let n ≥ 1, m ≥ 0 be the smallest integers such that f^{n+m}(x) = f^m(x). Then per(x) = n (the period of x) and pper(x) = m (the preperiod, or tail length, of x).

Functional graph: the directed graph G_f with vertex set X and edges (x, f(x)) for x ∈ X (so indeg(x) = #f^{−1}(x) and outdeg(x) = 1).


Topics of interest in finite dynamics

Iterations of functions over finite fields have centered on:

  • period and preperiod;
  • (average) rho length;
  • number of connected components;
  • length of cycles (largest, smallest, average);
  • number of fixed points and conditions to be a permutation;
  • isomorphic graphs (mathematically, algorithmically);

and so on. Iterations of some functions have strong symmetries that can be mathematically explained. For more information and concrete results, see the upcoming survey on iterations of functions by R. Martins, D. Panario and C. Qureshi.


Results on univariate dynamics

(T. Rogers) Dynamics of x → x^2.
T. Rogers, "The graph of the square mapping on the prime fields", Discrete Math. 148, 317–324, 1996.

(A. Peinado et al.) Dynamics of x → x^2 + c.
A. Peinado, F. Montoya, J. Muñoz, A. Yuste, "Maximal periods of x^2 + c in F_q", LNCS 2227, 219–228, 2001.

(T. Vasiga, J. Shallit) Dynamics of x → x^2 − 2.
T. Vasiga, J. Shallit, "On the iteration of certain quadratic maps over GF(p)", Discrete Math. 277, 219–240, 2004.

(W.-S. Chou, I. E. Shparlinski) Dynamics of x → x^e.
W.-S. Chou, I. E. Shparlinski, "On the cycle structure of repeated exponentiation modulo a prime", Journal of Number Theory 107, 345–356, 2004.

(S. Ugolini) Dynamics of x → x + x^{−1} and x → x^d + x^{−d}.
S. Ugolini, "Graphs associated with the map x → x + x^{−1} in finite fields of characteristic three and five", Journal of Number Theory 133, 1207–1228, 2013.


Results on univariate dynamics (cont)

(T. Gassert) Dynamics of Chebyshev polynomials.
T. Gassert, "Chebyshev action on finite fields", Discrete Math. 315–316, 83–94, 2014.

(C. Qureshi, D. Panario) Dynamics of Rédei functions.
C. Qureshi, D. Panario, "Rédei actions on finite fields and multiplication map in cyclic groups", SIAM Journal on Discrete Mathematics 29, 1486–1503, 2015.

(R. Martins, D. Panario) Heuristics and randomness.
R. Martins, D. Panario, "On the heuristic of approximating polynomials over finite fields by random mappings", International Journal of Number Theory 12, 1987–2016, 2016.

(C. Qureshi, D. Panario) Dynamics of Chebyshev functions.
C. Qureshi, D. Panario, "The graph structure of the Chebyshev polynomial over finite fields and applications", Workshop on Coding and Cryptography 2017.

(D. Panario, L. Reis) Dynamics of linearized polynomials.
D. Panario, L. Reis, "The functional graph of linear maps over finite fields and applications", preprint, 2017.


From the functional graph we immediately get information on when the function is a permutation (all cycles, no trees), the cycle decomposition of that permutation (number of cycles, lengths of the cycles), etc.

Comment: this could give a different way of providing precise involutions with a small number of fixed points.

Other interesting studies (q = p^k, degree n):

  • N(n, q) = number of connected components,
  • T_0(n, q) = number of periodic points,
  • C(n, q) = average value of cycle length,
  • T(n, q) = average value of tail length;

and asymptotic estimates over primes p ≤ N, as N → ∞, for

  • S_0(n, N) = average value of T_0(n, p),
  • S(n, N) = average value of T(n, p).
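An added example (mine, not the lecture's) that builds the functional graph of the previous slides and reads the quantities just listed off it: per(x) and pper(x) as defined under "Finite dynamics", the statistics N, T_0, C and T, and the permutation and involution tests mentioned in the comment above. It assumes X = {0, …, q−1} and averages C and T over all x ∈ X, which the slides leave unspecified; the sample maps are x → x^2 and x → x^5 over F_7 and the slides' x → x^2 + 1 over F_13. Class and function names are mine.

```python
"""Functional graph G_f of f : X -> X on a finite set, with the statistics
named on the slides (number of components N, periodic points T_0, average
cycle length C, average tail length T), plus permutation/involution tests.

Added example, not from the slides. Assumptions: X = {0, ..., q-1} as Python
integers; per/pper follow the slides' definition; C and T are averaged over
all x in X (the slides only say "average value", so this is my convention).
"""
from fractions import Fraction
from typing import Callable, Dict, List, Tuple


def per_pper(f: Callable[[int], int], x: int) -> Tuple[int, int]:
    """Smallest n >= 1, m >= 0 with f^{n+m}(x) = f^m(x); returns (per, pper)."""
    seen: Dict[int, int] = {}
    k = 0
    while x not in seen:
        seen[x] = k
        x, k = f(x), k + 1
    m = seen[x]                 # index where the orbit first re-enters itself
    return k - m, m


class FunctionalGraph:
    """Vertex set {0, ..., q-1}, one edge x -> f(x) per vertex."""

    def __init__(self, f: Callable[[int], int], q: int) -> None:
        self.q = q
        self.image = [f(x) for x in range(q)]
        self.per, self.pper = zip(*(per_pper(f, x) for x in range(q)))

    def is_permutation(self) -> bool:
        return len(set(self.image)) == self.q      # every vertex has indegree 1

    def is_involution(self) -> bool:
        return all(self.image[self.image[x]] == x for x in range(self.q))

    def fixed_points(self) -> List[int]:
        return [x for x in range(self.q) if self.image[x] == x]

    def periodic_points(self) -> List[int]:
        return [x for x in range(self.q) if self.pper[x] == 0]

    def cycles(self) -> List[List[int]]:
        """Each cycle once, as the list of its vertices in iteration order."""
        seen, result = set(), []
        for x in self.periodic_points():
            if x in seen:
                continue
            cycle, y = [], x
            while y not in seen:
                seen.add(y)
                cycle.append(y)
                y = self.image[y]
            result.append(cycle)
        return result

    def cycle_lengths(self) -> List[int]:
        return sorted(len(c) for c in self.cycles())

    def stats(self) -> Dict[str, object]:
        """N, T_0, C, T as on the slides, with exact rational averages."""
        return {
            "N": len(self.cycles()),               # one cycle per component
            "T0": len(self.periodic_points()),
            "C": Fraction(sum(self.per), self.q),
            "T": Fraction(sum(self.pper), self.q),
        }


def power_map(e: int, p: int) -> Callable[[int], int]:
    """x -> x^e over F_p (the Rogers / Chou-Shparlinski family)."""
    return lambda x: pow(x, e, p)


if __name__ == "__main__":
    g = FunctionalGraph(power_map(2, 7), 7)
    print(g.is_permutation(), g.cycle_lengths(), g.stats())
    h = FunctionalGraph(power_map(5, 7), 7)
    print(h.is_permutation(), h.is_involution(), h.fixed_points())
```

Over F_7 the square map has three components and is not a permutation, while x → x^5 (gcd(5, 6) = 1) is a permutation that happens to be an involution with exactly three fixed points, the kind of object the comment above is after.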


Open problems

Give the precise shape of functional graphs. Extensions: study functions not already considered; derive results like N, T_0, C, T, S_0, S using these graphs. Requires: mostly elementary number theory, and also analytic number theory for results "moving p" like S_0 and S.

Study functional graphs (directed, outdegree 1). Extensions: what properties of these graphs are interesting? Do the matrices of these graphs have interesting properties? Requires: graph theory knowledge.


Random Sequences


How random is a sequence?

First, there are no random sequences; we look for pseudorandom sequences. We talk about binary sequences but everything can be generalized to F_q. We need to define some concepts.

Definition.

1. We define k consecutive zeros (ones) preceded by a one (zero) and followed by a one (zero) of a binary sequence of period N as a run of k zeros (ones).

2. For a binary sequence a of period N, the autocorrelation function of a, denoted by c_a(τ), is defined as

   c_a(τ) = Σ_{i=0}^{N−1} (−1)^{a_i + a_{i+τ}},

where the indices are taken modulo N.


The autocorrelation of a sequence is useful in communications, cryptography and coding theory. For example, low autocorrelation between a sequence and its shifts helps the receiver to get accurate information in a noisy channel (for more information on autocorrelation, check Golomb and Gong's book). We have that c_a(τ) measures the amount of similarity of a sequence a and its phase shift τ. We always have

   c_a(0) = Σ_{i=0}^{N−1} (−1)^{a_i + a_i} = N.

We are interested in sequences with few autocorrelation values. Golomb (1955) proposed the following three postulates to measure the randomness of a sequence.


Golomb postulates

R-1 In every period, the number of zeros is nearly equal to the number of ones (the disparity does not exceed 1, or |Σ_{i=0}^{N−1} (−1)^{a_i}| ≤ 1).

R-2 In every period, half of the runs have length 1, one fourth have length 2, one eighth have length 3, and so on. For each of these lengths there are the same number of runs of 0's and runs of 1's.

R-3 The autocorrelation function c(τ) is two-valued, given by c(τ) = N if τ ≡ 0 mod N and c(τ) = k if τ ≢ 0 mod N, where k is a constant. If k = −1 for N odd, or k = 0 for N even, we say that the sequence has the ideal two-level autocorrelation function.


Binary case

Now consider the case N = 2^n − 1. The postulates above become as follows:

R-1 In every period, 0's occur 2^{n−1} − 1 (or 2^{n−1}) times and 1's occur 2^{n−1} (or 2^{n−1} − 1) times.

R-2 In every period, runs of 0's (or of 1's) of length k, 1 ≤ k ≤ n − 2, occur 2^{n−2−k} times. A run of 0's of length n − 1 occurs once and a run of 1's of length n occurs once.

R-3 The autocorrelation function c(τ) is two-valued, given by c(τ) = 2^n − 1 if τ ≡ 0 mod 2^n − 1 and c(τ) = −1 if τ ≢ 0 mod 2^n − 1.


Examples

Examples (1) Let a = 1110010 1110010 . . . . We have that a has period 7 and minimal polynomial f(x) = x^3 + x + 1. We check whether the postulates above are satisfied:

R-1 Satisfied, since we have four ones and three zeros in a period.

R-2 Holds. There are the following runs: 111, 00, 1, 0. We have n = 3 and so k = 1 only. There are 2^0 = 1 run of 0 and 2^0 = 1 run of 1 of length 1. Also, there is one run (00) of 0's of length n − 1 = 2 and one run (111) of 1's of length n = 3.

R-3 c(0) = 7, c(1) = Σ_{i=0}^{6} (−1)^{a_i + a_{i+1}} = 1 + 1 − 1 + 1 − 1 − 1 − 1 = −1, c(2) = Σ_{i=0}^{6} (−1)^{a_i + a_{i+2}} = 1 − 1 − 1 − 1 + 1 + 1 − 1 = −1. Also check that c(3) = c(4) = c(5) = c(6) = −1. So a is an ideal two-valued autocorrelation sequence.


Examples (cont.)

Examples (2) Let a = 000100110101111 . . . of period 15. The minimal polynomial is x^4 + x + 1.

R-1 Holds (7 zeros, 8 ones).

R-2 Holds: 000, 1, 00, 11, 0, 1, 0, 1111 are the 8 runs. We have n = 4 and 1 ≤ k ≤ 2, so 2^1 runs of 0 and 2^1 runs of 1 (length 1); 2^0 runs of 00 and 2^0 runs of 11 (length 2); one run (000) of 0's of length n − 1 = 3 and one run (1111) of 1's of length n = 4.

R-3 Also holds (check!).


Other 2-level autocorrelation sequences

There are some known sequences with 2-level autocorrelation. The most popular ones are m-sequences; they satisfy R-1, R-2 and R-3. Other sequences that appear in the Golomb and Gong textbook, for example, are cyclic difference set sequences, Gordon–Mills–Welch (GMW) sequences and Welch–Gong (WG) sequences. There are also three other constructions of sequences with the 2-level autocorrelation property. For period N = p, p a prime number: the Legendre sequence and the Hall sextic residue sequence. For period N = p(p + 2), with p and p + 2 both prime, the sequence is called the twin prime sequence.


Legendre sequence

Definition. Let p be an odd prime number. The Legendre symbol (i/p) is defined as

   (i/p) = 1 if there exists x such that x^2 ≡ i mod p, and −1 otherwise.

Definition. The Legendre sequence (or the quadratic residue sequence) is defined as

   a_i = 0 if (i/p) = 1; 1 otherwise.

(With this convention (0/p) = 1, so a_0 = 0; the examples below use it.)


Example

1. p = 7. The squares modulo 7 are 0, 1, 2, 4. So (0/7) = (1/7) = (2/7) = (4/7) = 1, and the Legendre sequence for p = 7 is 0001011. Clearly R-1 is satisfied. Now, R-2 is not: we have the runs 000, 1, 0, 11. It does satisfy R-3 (check).

2. p = 11. Check that the Legendre sequence is 00100011101.

Check R-1, R-2, R-3 for the general case (notice that we don't have period 2^n − 1 here). Finding sequences with few autocorrelation values is a very active research area.
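An added example, not from the slides, that implements the three postulates and runs them on the sequences of the examples above: the m-sequences of x^3 + x + 1 and x^4 + x + 1, generated by an LFSR from the minimal polynomial, and the Legendre sequences for p = 7 and p = 11, built with the convention just stated (0 counts as a square, so a_0 = 0). R-2 is checked in the exact 2^n − 1 form given earlier, so it reports False for any other period rather than applying the looser general form. Function names are mine.

```python
"""Golomb's postulates R-1, R-2, R-3 checked on periodic binary sequences.

Added example, not from the slides. Sequences are built as on the slides:
m-sequences from their minimal polynomial via an LFSR, Legendre sequences with
0 counted as a square (so a_0 = 0). R-2 is the exact form for period 2^n - 1.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple


def lfsr_period(poly_exponents: List[int], seed: List[int]) -> List[int]:
    """One period of the LFSR whose characteristic polynomial is the sum of x^e
    over poly_exponents (must contain the degree n and 0). Over F_2 the
    recurrence is a_{i+n} = sum_{e < n} a_{i+e}; seed = (a_0, ..., a_{n-1}).
    """
    n = max(poly_exponents)
    taps = [e for e in poly_exponents if e < n]
    state, out, seen = list(seed), [], set()
    while tuple(state) not in seen:     # the state map is a bijection, so the
        seen.add(tuple(state))          # first repeated state closes one period
        out.append(state[0])
        state = state[1:] + [sum(state[e] for e in taps) % 2]
    return out


def legendre_sequence(p: int) -> List[int]:
    """a_i = 0 if i is a square mod p (0 included, as on the slides), else 1."""
    squares = {(x * x) % p for x in range(p)}
    return [0 if i in squares else 1 for i in range(p)]


def runs(a: List[int]) -> List[Tuple[int, int]]:
    """Runs of one period read cyclically, as (symbol, length) pairs."""
    N = len(a)
    start = next((i for i in range(N) if a[i] != a[i - 1]), None)
    if start is None:                   # constant sequence: one run of length N
        return [(a[0], N)]
    b = a[start:] + a[:start]           # rotate so that index 0 starts a run
    result, cur, length = [], b[0], 1
    for s in b[1:]:
        if s == cur:
            length += 1
        else:
            result.append((cur, length))
            cur, length = s, 1
    result.append((cur, length))
    return result


def autocorrelation(a: List[int], tau: int) -> int:
    """c_a(tau) = sum_i (-1)^(a_i + a_{i+tau}), indices taken mod N."""
    N = len(a)
    return sum((-1) ** (a[i] ^ a[(i + tau) % N]) for i in range(N))


def r1_balance(a: List[int]) -> bool:
    """R-1: |sum_i (-1)^{a_i}| <= 1."""
    return abs(sum((-1) ** s for s in a)) <= 1


def r2_runs(a: List[int]) -> bool:
    """R-2 for N = 2^n - 1: 2^{n-2-k} runs of each symbol of length k for
    1 <= k <= n-2, one run of 0's of length n-1, one run of 1's of length n."""
    N = len(a)
    n = (N + 1).bit_length() - 1
    if (1 << n) - 1 != N:               # period is not of the form 2^n - 1
        return False
    expected: Dict[Tuple[int, int], int] = {(0, n - 1): 1, (1, n): 1}
    for k in range(1, n - 1):
        expected[(0, k)] = expected[(1, k)] = 1 << (n - 2 - k)
    return Counter(runs(a)) == Counter(expected)


def r3_autocorrelation(a: List[int]) -> Tuple[bool, Optional[int]]:
    """R-3: returns (is_two_valued, off-peak value k)."""
    off_peak = {autocorrelation(a, tau) for tau in range(1, len(a))}
    if len(off_peak) != 1:
        return False, None
    return True, off_peak.pop()


def is_ideal_two_level(a: List[int]) -> bool:
    """Ideal two-level autocorrelation: k = -1 for N odd, k = 0 for N even."""
    two_valued, k = r3_autocorrelation(a)
    return two_valued and k == (-1 if len(a) % 2 else 0)


def golomb_report(a: List[int]) -> Dict[str,  object]:
    return {"R-1": r1_balance(a), "R-2": r2_runs(a),
            "R-3": r3_autocorrelation(a)[0], "ideal": is_ideal_two_level(a),
            "runs": runs(a)}


if __name__ == "__main__":
    print(golomb_report(lfsr_period([3, 1, 0], [1, 1, 1])))   # slides' 1110010
    print(golomb_report(legendre_sequence(7)))                # slides' 0001011
```

Running the report on 0001011 reproduces the slide: R-1 and the ideal autocorrelation hold, R-2 fails because the run of length n = 3 is a run of 0's. For p = 11 the period is not of the form 2^n − 1, so R-2 in this exact form is simply not applicable, while R-1 and R-3 still hold.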


Ideal k-tuple distribution

Definition. Let a be a sequence over F_q of period q^n − 1. If in every period of a each nonzero k-tuple (λ_1, λ_2, . . . , λ_k) ∈ F_q^k occurs q^{n−k} times and the zero k-tuple (0, 0, . . . , 0) (k times) occurs q^{n−k} − 1 times, where 1 ≤ k ≤ n, then we say that the sequence a has an ideal k-tuple distribution.

All m-sequences satisfy all the above postulates.

Example. Let a = 1110010 . . . with period 7, q = 2, q^n − 1 = 7 or n = 3.

k = 1: Every nonzero symbol (in this case there is only one!) appears q^{n−k} = 2^{3−1} = 4 times. 0 appears q^{n−k} − 1 = 3 times.
k = 2: 11, 10, 01 occur 2 = q^{n−k} times. 00 occurs once.
k = 3: 111, 110, 100, 001, 010, 101, 011 occur once and 000 does not appear.

Conclusion: a has an ideal k-tuple distribution for 1 ≤ k ≤ 3.


Principles for the design of sequences in cryptography

Consider a sequence over F_q of period N.

(1) Period requirement: long period.

(2) Statistical properties: balance property (R-1), run property (R-2) and ideal k-tuple distribution for 1 ≤ k ≤ n = ⌊log_q N⌋.

(3) Correlation: 2-level autocorrelation (R-3) and low crosscorrelation value. The crosscorrelation function of two periodic sequences a and b with the same period N over F_2 is defined, for τ = 0, 1, . . . , as

   C_{a,b}(τ) = Σ_{i=0}^{N−1} (−1)^{a_{i+τ} + b_i}.

Let S be a set consisting of sequences over F_2 with period N. If for any two sequences a and b in S and a positive constant c we have 0 ≤ |C_{a,b}(τ)| < c√N, where τ ≢ 0 mod N if a = b (the in-phase value C_{a,a}(0) = N is excluded), then S has low correlation value.


Principles for the design of sequences in cryptography II

(4) Linear span (or linear complexity): the length of the shortest LFSR which generates the sequence. We want a large ratio of the linear span to the period: ρ(a) = LS(a)/N > δ, δ a constant, for large N. The ratio ρ(a) is the normalized linear span of a. We have that 0 < ρ(a) ≤ 1 for any fixed N. What we mean is the following: we want sequences a over F_q such that they have long period N and large LS(a), so that the ratio ρ(a) is large. Observe that m-sequences are generated by primitive polynomials of degree n, so LS(a) = n for an m-sequence a while its period is q^n − 1; their normalized linear span n/(q^n − 1) is therefore tiny.


Principles for the design of sequences in cryptography III

In general, 1 ≤ LS(a) ≤ N where N | q^n − 1. The question is, can we have large period N AND large linear span LS(a), say, exponential in n? Some sequences have been found with this property, for example WG sequences.

The linear span of a sequence can be computed using the Berlekamp–Massey algorithm, which needs only 2·LS(a) consecutive terms to recover the shortest LFSR. In cryptography we usually want sequences with large normalized linear span since they are more unpredictable: an attacker who sees 2·LS(a) terms of a keystream can reconstruct the generating LFSR and hence the rest of the sequence. In communications, correlation properties are more important. We look for sequences with good correlation properties, large normalized linear span, and efficient implementation in hardware and software.
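An added example (mine, not the lecture's) covering the remaining design criteria above: the ideal k-tuple distribution check, the Berlekamp–Massey algorithm for the linear span LS(a) and the normalized span ρ(a), and the crosscorrelation function C_{a,b}(τ). The sequences are the slides' m-sequence 1110010 and Legendre sequence 0001011 (p = 7), plus 1110100, the m-sequence of x^3 + x^2 + 1, constructed here so that there is a second sequence of period 7 to crosscorrelate with. The `regenerate` helper plays the attacker's role from the paragraph above: given the LFSR that Berlekamp–Massey recovers and the first LS(a) terms, it reproduces the whole sequence.

```python
"""Ideal k-tuple distribution, linear span (Berlekamp-Massey) and
crosscorrelation for binary sequences.

Added example, not from the slides. M_SEQ_7 and LEGENDRE_7 are the slides'
sequences; M_SEQ_7_B is constructed here (m-sequence of x^3 + x^2 + 1, seed 111).
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from typing import List, Tuple

M_SEQ_7 = [1, 1, 1, 0, 0, 1, 0]        # slides: m-sequence of x^3 + x + 1
LEGENDRE_7 = [0, 0, 0, 1, 0, 1, 1]     # slides: Legendre sequence, p = 7
M_SEQ_7_B = [1, 1, 1, 0, 1, 0, 0]      # constructed: m-sequence of x^3 + x^2 + 1


def k_tuple_counts(a: List[int], k: int) -> Counter:
    """Occurrences of each cyclic k-window in one period."""
    N = len(a)
    return Counter(tuple(a[(i + j) % N] for j in range(k)) for i in range(N))


def has_ideal_k_tuple_distribution(a: List[int], k: int, q: int = 2) -> bool:
    """Requires period q^n - 1 and 1 <= k <= n: every nonzero k-tuple occurs
    q^(n-k) times, the zero k-tuple q^(n-k) - 1 times."""
    N, n, size = len(a), 0, 1
    while size - 1 < N:
        n, size = n + 1, size * q
    if size - 1 != N or not 1 <= k <= n:
        return False
    counts, full = k_tuple_counts(a, k), q ** (n - k)
    return all(counts.get(t, 0) == (full if any(t) else full - 1)
               for t in product(range(q), repeat=k))


def berlekamp_massey(s: List[int]) -> Tuple[int, List[int]]:
    """Linear span L of s over F_2 and the connection polynomial
    C(x) = 1 + c_1 x + ... + c_L x^L, i.e. s_j = sum_{i=1..L} c_i s_{j-i}.
    Feed at least 2L terms (two periods is enough for a periodic sequence)."""
    N = len(s)
    C, B = [1] + [0] * N, [1] + [0] * N
    L, m = 0, 1                         # m = steps since B was last updated
    for j in range(N):
        d = s[j]                        # discrepancy of the current LFSR at s_j
        for i in range(1, L + 1):
            d ^= C[i] & s[j - i]
        if d:
            T = C[:]
            for i in range(N + 1 - m):  # C(x) += x^m B(x)
                C[i + m] ^= B[i]
            if 2 * L <= j:              # the LFSR must grow
                L, B, m = j + 1 - L, T, 1
            else:
                m += 1
        else:
            m += 1
    return L, C[:L + 1]


def regenerate(connection: List[int], seed: List[int], length: int) -> List[int]:
    """Run the LFSR given by C(x) from its first L terms (attacker's view)."""
    L = len(connection) - 1
    out = list(seed[:L])
    while len(out) < length:
        out.append(sum(connection[i] & out[-i] for i in range(1, L + 1)) % 2)
    return out


def normalized_linear_span(period: List[int]) -> Fraction:
    """rho(a) = LS(a) / N, with BM run on two periods."""
    L, _ = berlekamp_massey(period * 2)
    return Fraction(L, len(period))


def crosscorrelation(a: List[int], b: List[int], tau: int) -> int:
    """C_{a,b}(tau) = sum_i (-1)^(a_{i+tau} + b_i)."""
    N = len(a)
    return sum((-1) ** (a[(i + tau) % N] ^ b[i]) for i in range(N))


def crosscorrelation_values(a: List[int], b: List[int]) -> List[int]:
    """Distinct values of C_{a,b}(tau); tau = 0 excluded when a == b."""
    taus = range(1, len(a)) if a == b else range(len(a))
    return sorted({crosscorrelation(a, b, tau) for tau in taus})


if __name__ == "__main__":
    L, C = berlekamp_massey(M_SEQ_7 * 2)
    print(L, C, regenerate(C, M_SEQ_7, 14) == M_SEQ_7 * 2)
    print(normalized_linear_span(LEGENDRE_7),
          crosscorrelation_values(M_SEQ_7, M_SEQ_7_B))
```

Berlekamp–Massey returns LS = 3 with connection polynomial 1 + x^2 + x^3 for 1110010 (the reciprocal of its minimal polynomial x^3 + x + 1) and LS = 4 for the Legendre sequence 0001011, so ρ = 3/7 and 4/7 respectively; the crosscorrelation of 1110010 with 1110100 takes the three values −5, −1, 3, whereas the autocorrelation of either alone is the single off-peak value −1.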


Summary

In this lecture we reviewed several applications of finite fields to cryptography, coding theory, and mathematics in general. We centered on applications of finite fields in cryptography. We commented on the differential map and on some associated interesting functions like PN and APN functions. We surveyed results on permutation polynomials and on iteration of functions. Finally, we reviewed sequences over finite fields and considered requirements for random sequences in cryptography.
