SLIDE 1

Functions on Finite Fields, Boolean Functions, and S-Boxes

Gary McGuire

Claude Shannon Institute www.shannoninstitute.ie and School of Mathematical Sciences University College Dublin Ireland

1 July, 2013

Gary McGuire Functions on Finite Fields, Boolean Functions, and S-Boxes

SLIDE 2

Boolean Function

Let $\mathbb{F}_2 = \{0, 1\}$ be the integers modulo 2. Let $n$ be a positive integer.

A Boolean function in $n$ variables is a function $f : (\mathbb{F}_2)^n \to \mathbb{F}_2$ (named after George Boole, professor in Cork, Ireland).

There are $2^{2^n}$ Boolean functions in $n$ variables.

A Boolean function can be given by listing all the possible values ($n = 3$ here):

Input  Value
000    0
100    0
010    0
110    1
001    1
101    1
011    1
111    0

SLIDE 3

Boolean Function

Usually we use variables $x_1, \ldots, x_n$ called Boolean variables (taking values 0, 1) and we write the function as $f(x_1, \ldots, x_n)$.

Example: $n = 3$, $f(x_1, x_2, x_3) = x_1 x_2 + x_3$

For large $n$ this is more efficient than the truth table!

Input  Value
000    0
100    0
010    0
110    1
001    1
101    1
011    1
111    0

Suitable for software and hardware, see other talks.

SLIDE 4

Boolean Function

How many functions can we write down in this way? Note that $x_i^2 = x_i$ for Boolean variables.

When $n = 3$, any function is a 0,1 combination of $1, x_1, x_2, x_3, x_1x_2, x_1x_3, x_2x_3, x_1x_2x_3$. In other words, any function can be written

$$c_0 \cdot 1 + c_1 x_1 + c_2 x_2 + c_3 x_3 + c_4 x_1 x_2 + c_5 x_1 x_3 + c_6 x_2 x_3 + c_7 x_1 x_2 x_3$$

where $c_i \in \mathbb{F}_2$. Note: 8 terms, so $2^8$ such functions. All of them!

In general, any Boolean function in $n$ variables can be written

$$\sum_{u} c_u x^u$$

where $c_u \in \mathbb{F}_2$, $x^u = x_1^{u_1} \cdots x_n^{u_n}$, $u = (u_1, \ldots, u_n) \in (\mathbb{F}_2)^n$.

This is called the Algebraic Normal Form (ANF) of $f$.

SLIDE 5

Boolean Function

The algebraic degree of $f$ is the max of the degrees of the terms in the ANF, e.g. $f(x_1, x_2, x_3) = x_1 x_2 + x_3$ has algebraic degree 2.

High algebraic degree is needed for some cryptographic applications, e.g. as a combining function in stream ciphers:

SLIDE 6

Linear Boolean Function

If the algebraic degree is 1, $f$ looks like

$$f(x_1, \ldots, x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n$$

and we say that $f$ is affine linear. Say $f$ is linear if $a_0 = 0$. Linear functions can also be defined by $f(x + y) = f(x) + f(y)$.

The set of all affine linear functions in $n$ variables is important. There are $2^{n+1}$ such functions. In error-correcting code terminology, this set is the first-order Reed-Muller code, denoted $RM(1, n)$.

SLIDE 7

Nonlinearity, Boolean Function

Define the Hamming distance between two Boolean functions $f$ and $g$ by

$$d(f, g) = \text{number of } x \in (\mathbb{F}_2)^n \text{ with } f(x) \neq g(x)$$

The distance from $f$ to the set of affine linear functions is

$$\min_{a \in RM(1,n)} d(f, a)$$

This is called the nonlinearity of $f$.

Combining functions in stream ciphers need high algebraic degree and high nonlinearity. Some other criteria are also important (balanced, resilient, ...) but are not the topic of this talk.

Research problem: how to find functions that satisfy all the criteria (see other talks).

SLIDE 8

Bent Function

What do we mean by "high" nonlinearity? It can be proved that the nonlinearity of a Boolean function is at most

$$2^{n-1} - 2^{\frac{n}{2} - 1}$$

Boolean functions that meet this bound are called bent functions. Unfortunately bent functions by themselves do not satisfy some of the other cryptographic criteria.

SLIDE 9

Walsh Transform

The nonlinearity is nicely related to the Walsh transform. The Walsh (or Walsh-Hadamard, or Fourier) transform of a Boolean function $f$ is

$$\widehat{f}(a) = \sum_{x \in (\mathbb{F}_2)^n} (-1)^{f(x) + a(x)}$$

where $a(x)$ is any linear Boolean function. This measures how much $f$ agrees with $a$. Maximising $\widehat{f}(a)$ gives the nearest linear function to $f$.

$$\text{Nonlinearity}(f) = 2^{n-1} - \frac{1}{2} \max_{a} |\widehat{f}(a)|$$
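The definitions on the preceding slides (truth table, ANF, algebraic degree, Walsh transform, nonlinearity, bent bound) can be checked by direct computation. The following is an added example, not part of the original slides; the function names are illustrative, and the 4-variable function $x_1x_2 + x_3x_4$ is a constructed input used to show a function meeting the bent bound.

```python
# Added example (not from the slides). Bit i-1 of the integer x holds x_i,
# so x = 0b100 means x3 = 1 and x1 = x2 = 0.

def truth_table(f, n):
    """Values f(x1, ..., xn) for x = 0 .. 2^n - 1."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficients c_u."""
    c = list(tt)
    step = 1
    while step < len(c):
        for x in range(len(c)):
            if x & step:
                c[x] ^= c[x ^ step]
        step <<= 1
    return c

def anf_terms(tt):
    """Monomials with c_u = 1, e.g. ['x1x2', 'x3']; '1' is the constant term."""
    n = len(tt).bit_length() - 1
    return ["".join(f"x{i + 1}" for i in range(n) if (u >> i) & 1) or "1"
            for u, cu in enumerate(anf(tt)) if cu]

def algebraic_degree(tt):
    """Largest number of variables in any monomial of the ANF."""
    return max((bin(u).count("1") for u, cu in enumerate(anf(tt)) if cu), default=0)

def walsh(tt, a):
    """Sum over x of (-1)^(f(x) + <a, x>), straight from the definition."""
    return sum((-1) ** (fx ^ (bin(a & x).count("1") & 1)) for x, fx in enumerate(tt))

def nonlinearity(tt):
    """2^(n-1) - (1/2) max_a |walsh(a)|."""
    peak = max(abs(walsh(tt, a)) for a in range(len(tt)))
    return len(tt) // 2 - peak // 2

if __name__ == "__main__":
    f = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)        # slide example
    bent = truth_table(lambda a, b, c, d: (a & b) ^ (c & d), 4)  # constructed
    for name, tt in (("x1x2 + x3", f), ("x1x2 + x3x4", bent)):
        print(name, anf_terms(tt), algebraic_degree(tt),
              [walsh(tt, a) for a in range(len(tt))], nonlinearity(tt))
```

For $n = 4$ the bound $2^{n-1} - 2^{n/2-1}$ equals 6, and the constructed function reaches it with every Walsh value equal to $\pm 4$.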

SLIDE 10

Boolean Function, Finite Field

There is another common way to write down a Boolean function, i.e. another representation, using a finite field.

Recall that a finite field $\mathbb{F}_{2^n}$ (also denoted $GF(2^n)$) is a field with $2^n$ elements. In a field you can add, subtract, multiply and divide (except by 0).

The field $\mathbb{F}_{2^n}$ is constructed by finding an irreducible polynomial of degree $n$ and performing multiplication modulo this polynomial. The elements of $\mathbb{F}_{2^n}$ are all polynomials of degree $< n$ with coefficients in $\mathbb{F}_2$.

SLIDE 11

Boolean Function, Finite Field

Example: $x^2 + x + 1$ is irreducible over $\mathbb{F}_2$. This polynomial can be used to construct a finite field with $2^2 = 4$ elements. Elements are $0, 1, x, x + 1$ and $x^2 + x + 1 = 0$ in this field.

Example: $x^8 + x^4 + x^3 + x + 1$ is irreducible over $\mathbb{F}_2$. This polynomial can be used to construct a finite field with $2^8 = 256$ elements. This example is important in AES.

SLIDE 12

Boolean Function, Finite Field

Because you can add, subtract, multiply and divide elements in finite fields, we can construct functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ using these operations, for example,

$$f(x) = x^3, \qquad f(x) = \frac{1}{x}, \qquad f(x) = \frac{x^{23} + x^9 + x^4 + 1}{x^2 + x + 1}$$

(which are defined everywhere the denominator is nonzero).

The trace is the function $\mathrm{Tr} : \mathbb{F}_{2^n} \to \mathbb{F}_2$ defined by

$$\mathrm{Tr}(x) = x + x^2 + x^4 + \cdots + x^{2^{n-1}}$$

Given any function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, $x \mapsto f(x)$, we can obtain a Boolean function $\mathbb{F}_{2^n} \to \mathbb{F}_2$ by taking $x \mapsto \mathrm{Tr}(f(x))$.

Can all Boolean functions be obtained in this way?

SLIDE 13

Boolean Function, Finite Field

This point of view can be mathematically simpler. We are using $\mathbb{F}_{2^n}$ for $(\mathbb{F}_2)^n$.

For example, a maximal LFSR sequence $(s_i)$ of period $2^n - 1$ can be described as

$$s_i = \mathrm{Tr}(c\,\alpha^i)$$

where $\alpha$ is a primitive element in the finite field $\mathbb{F}_{2^n}$.
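The trace map and the sequence $s_i = \mathrm{Tr}(c\,\alpha^i)$ can be computed directly in a small field. This is an added example, not part of the original slides; it assumes $\mathbb{F}_{16}$ built from $x^4 + x + 1$ (a primitive polynomial chosen here for illustration, so $\alpha = x$ is a primitive element), and all function names are illustrative.

```python
# Added example (not from the slides). Assumption: F_16 = F_2[x] / (x^4 + x + 1).
N, POLY = 4, 0b10011  # bit i of an element is the coefficient of alpha^i

def times_alpha(v):
    """Multiply a field element by alpha = x and reduce modulo POLY."""
    v <<= 1
    return v ^ POLY if v >> N else v

# ALPHA_POW[k] = alpha^k for k = 0 .. 2N-2, enough to square any element.
ALPHA_POW = [1]
for _ in range(2 * N - 2):
    ALPHA_POW.append(times_alpha(ALPHA_POW[-1]))

def square(v):
    """Squaring is F_2-linear: (sum v_i alpha^i)^2 = sum v_i alpha^(2i)."""
    r = 0
    for i in range(N):
        if (v >> i) & 1:
            r ^= ALPHA_POW[2 * i]
    return r

def trace(v):
    """Tr(v) = v + v^2 + v^4 + ... + v^(2^(N-1)); the result is 0 or 1."""
    total, p = 0, v
    for _ in range(N):
        total ^= p
        p = square(p)
    return total

def trace_sequence(c, length):
    """s_i = Tr(c * alpha^i) for i = 0 .. length-1."""
    seq, v = [], c
    for _ in range(length):
        seq.append(trace(v))
        v = times_alpha(v)
    return seq

if __name__ == "__main__":
    print(trace_sequence(1, 15))  # one full period, 2^4 - 1 = 15 terms
```

Because $\alpha^4 = \alpha + 1$ and the trace is additive, the output satisfies the LFSR recurrence $s_{i+4} = s_{i+1} + s_i$; changing $c$ only shifts the sequence.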

SLIDE 14

S-Box

Claude Shannon introduced some design criteria for ciphers. He proposed "confusion and diffusion" in the encryption algorithm.

Many symmetric block ciphers (and hash functions) now have an S-Box to provide the "confusion".

SLIDE 15

Vectorial Boolean Functions

This S-box represents a function from $(\mathbb{F}_2)^4$ to itself.

We need to talk about functions from $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$, or functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$. These are sometimes called vectorial Boolean functions.

So consider $f : (\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$, where

$$x \mapsto (f_1(x), \ldots, f_n(x))$$

The $f_i$ are called the coordinate functions of $f$. Each $f_i$ is a Boolean function.

[We could also have $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^m$, like DES for example.]

SLIDE 16

Vectorial Boolean Functions, S-Boxes

Functions used in S-Boxes need to have several properties, to be resistant to various attacks.

1 Differential Attack
2 Linear Attack
3 others omitted for this talk.

SLIDE 17

Differential Cryptanalysis

Consider equations $f(x + a) - f(x) = b$, an input difference of $a$ and an output difference of $b$.

In differential cryptanalysis one exploits an output difference which occurs with high probability.

To be resistant to this attack, for every $a$ and $b$ the equation

$$f(x + a) + f(x) = b$$

should have a small number of solutions $x$. The highest possible number of solutions is called the differential uniformity of $f$.

The smallest (best) possible differential uniformity is 2, because if $x$ is a solution, then $x + a$ is another solution.

SLIDE 18

Vectorial Boolean Functions, Walsh Transform

We extend the definition of Walsh/Fourier transform to these functions:

$$\widehat{f}(a, b) := \sum_{x \in (\mathbb{F}_2)^n} (-1)^{\langle b, f(x) \rangle + \langle a, x \rangle}$$

where

$a = (a_1, \ldots, a_n)$, $a_i \in \mathbb{F}_2$, $\langle a, x \rangle = a_1 x_1 + \cdots + a_n x_n$

$b = (b_1, \ldots, b_n)$, $b_i \in \mathbb{F}_2$, $\langle b, f(x) \rangle = b_1 f_1(x) + \cdots + b_n f_n(x)$

The nonlinearity of a vectorial Boolean function $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$ is the minimum of the nonlinearities over all linear combinations of the coordinate Boolean functions. In other words,

$$\text{Nonlinearity}(f) = 2^{n-1} - \frac{1}{2} \max_{a, b\ (b \neq 0)} |\widehat{f}(a, b)|$$

SLIDE 19

Linear Cryptanalysis

This is also a powerful attack. Try to approximate the function in the S-box by a linear function. Best resistance is provided by functions with highest nonlinearity.

SLIDE 20

How do we find good functions for S-Boxes?

Research problem: find functions from $(\mathbb{F}_2)^n \to (\mathbb{F}_2)^n$, or functions $\mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$, that are good for S-Boxes (high nonlinearity, low differential uniformity, ...).

Method 1: use random search.
Method 2: use algebraic construction.

(Both methods have several sub-methods.)

SLIDE 21

Nonlinearity

$n = 8$

Largest possible nonlinearity is $2^7 - 2^4 = 112$.

Random search typically gives nonlinearity of 94, at most 98.

SLIDE 22

Differential Uniformity

$n = 8$

Smallest possible differential uniformity is 2.

Random search typically gives differential uniformity of 12, at best 8.

SLIDE 23

How do we find good functions for S-Boxes?

What about the function $f : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ defined by $f(x) = \frac{1}{x}$ and $f(0) = 0$?

The nonlinearity is given by the sum

$$K(a, b) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{\mathrm{Tr}(b x^{-1} + a x)}$$

This is known as a Kloosterman sum. There is a lot of literature about Kloosterman sums. In particular, from the Weil bound it is known that

$$-2^{n/2 + 1} \leq K(a, b) \leq 2^{n/2 + 1}$$

and it follows that the nonlinearity is 112 when $n = 8$.

SLIDE 24

How do we find good functions for S-Boxes?

It is not hard to show that the differential uniformity is 4. (Exercise: show this.)

This function, $f(x) = x^{-1}$, is the function used in the S-Box in Rijndael/AES.
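Both figures quoted for $f(x) = x^{-1}$ with $n = 8$, and the definitions of differential uniformity and vectorial nonlinearity from the earlier slides, can be verified exhaustively. This is an added example, not part of the original slides; function names are illustrative, field elements are identified with bit vectors (bit $i$ is the coefficient of $x^i$), and the Walsh transform uses the inner products $\langle a, x \rangle$ and $\langle b, f(x) \rangle$ rather than the trace form, which gives the same maximum.

```python
# Added example (not from the slides); names are illustrative.
from collections import Counter

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial above

def gf_mul(a, b, poly=AES_POLY, n=8):
    """Multiply two elements of F_{2^n}."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> n:          # degree reached n: subtract the modulus
            a ^= poly
        b >>= 1
    return r

def gf_inv(x, poly=AES_POLY, n=8):
    """x^(2^n - 2): equals 1/x for x != 0 and sends 0 to 0."""
    y = 1
    for _ in range(n - 1):              # 2^n - 2 = 2 + 4 + ... + 2^(n-1)
        x = gf_mul(x, x, poly, n)
        y = gf_mul(y, x, poly, n)
    return y

def differential_uniformity(f):
    """Max over a != 0 and b of #{x : f(x + a) + f(x) = b}."""
    return max(max(Counter(f[x ^ a] ^ f[x] for x in range(len(f))).values())
               for a in range(1, len(f)))

def walsh_spectrum(signs):  # fast Walsh-Hadamard transform of +1/-1 values
    v, h = list(signs), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def sbox_nonlinearity(f):
    """2^(n-1) - (1/2) max |W(a, b)| over all a and all b != 0."""
    def peak(b):  # largest |W(a, b)| over a, for the component <b, f(x)>
        signs = [-1 if bin(b & y).count("1") & 1 else 1 for y in f]
        return max(abs(w) for w in walsh_spectrum(signs))
    return len(f) // 2 - max(peak(b) for b in range(1, len(f))) // 2

if __name__ == "__main__":
    inv = [gf_inv(x) for x in range(256)]
    print(differential_uniformity(inv), sbox_nonlinearity(inv))  # -> 4 112
```

The same two functions accept any lookup table of size $2^n$, so a candidate S-box from random search or from another algebraic construction can be measured the same way.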
