Objets combinatoires en cryptographie et en thorie des codes Sihem - PowerPoint PPT Presentation

Objets combinatoires en cryptographie et en théorie des codes Sihem Mesnager Université Paris VIII et XIII, Département de Mathématiques LAGA (Laboratoire Analyse, Géométrie et Applications), Équipe MTII (Mathématiques pour le Traitement de l’Information et de l’Image) Séminaire LIPN Université Paris XIII 13 Mai 2014, Villetaneuse, France 1 / 72

Recherche en combinatoire Étude d’objets combinatoires en cryptographie et codes 1 correcteurs Étude de problèmes issus de la théorie de l’information en utilisant 2 des outils combinatoires et des idées venant de la combinatoire Étude de problèmes combinatoires en codes et cryptographie 3 2 / 72

Outline ☞ Study of combinatorial objects in cryptography and coding theory Background on Boolean functions 1 Some background on Boolean functions Boolean functions for error correcting codes and symmetric cryptography Bent functions over finite fields 2 Presentation of some contributions concerning combinatorial objects in symmetric cryptography Presentation of some contributions concerning combinatorial objects in coding theory 3 / 72

Background on Boolean functions 2 → F 2 an n -variable Boolean function. f : F n f ( x ) x 1 x 2 x 3 0 0 0 0 0 0 1 1 0 1 0 0 The truth-table : 0 1 1 0 1 0 0 0 1 0 1 1 1 1 0 0 1 1 1 1 4 / 72

Background on Boolean functions : representation 2 → F 2 an n -variable Boolean function f : F n D EFINITION (A LGEBRAIC N ORMAL F ORM (A.N.F), UNIQUE ) Let f : F n 2 → F 2 a Boolean function. Then f can be expressed as : �� � � � a u x u , a I ∈ F 2 f ( x 1 , . . . , x n ) = a I x i = i ∈ I u ∈ F n I ⊂{ 1 ,..., n } 2 � n where I = supp ( u ) = { i = 1 , . . . , n | u i = 1 } and x u = i . x u i i = 1 The A.N.F exists and is unique. D EFINITION (T HE ALGEBRAIC DEGREE ) The algebraic degree deg ( f ) of f is the maximum weight of u such that a u � = 0 . Affine functions f ( deg ( f ) ≤ 1 ) : f ( x ) = a 0 ⊕ a 1 x 1 ⊕ a 2 x 2 ⊕ · · · ⊕ a n x n , a i ∈ F 2 5 / 72

Background on Boolean functions : Existence of the polynomial form ☞ We identify the vectorspace F n 2 with the Galois field F 2 n Any function f : F 2 n → F 2 n admits a unique representation : f ( x ) = � 2 n − 1 j = 0 a j x j ; a j , x ∈ F 2 n • f is Boolean iff a 0 , a 2 n − 1 ∈ F 2 and a 2 j mod 2 n − 1 = ( a j mod 2 n − 1 ) 2 ; 0 < j < 2 n − 1 • [ 1 , 2 n − 2 ] = ∪ c r = 1 Γ r ; where Γ r = { j r mod 2 n − 1 , 2 j r mod 2 n − 1 , · · · , 2 o ( j r ) − 1 j r mod 2 n − 1 } o ( j r ) − 1 c � � f ( x ) = a 0 + a 2 n − 1 x 2 n − 1 + a 2 s j r mod 2 n − 1 x 2 s j r r = 1 s = 0 o ( j r ) − 1 � c � = a 0 + a 2 n − 1 x 2 n − 1 + ( a j r mod 2 n − 1 x j r ) 2 s r = 1 s = 0 c � = a 0 + a 2 n − 1 x 2 n − 1 + Tr o ( j r ) ( a j r mod 2 n − 1 x j r ) 1 r = 1 where a 0 , a 2 n − 1 ∈ F 2 , a j r mod 2 n − 1 ∈ F 2 o ( jr ) 6 / 72

Background on Boolean functions : representation ☞ We identify the vectorspace F n 2 with the Galois field F 2 n D EFINITION (T HE POLYNOMIAL FORM ( UNIQUE )) Let n be a positive integer. Every Boolean function f defined on F 2 n has a (unique) trace expansion called its polynomial form : � Tr o ( j ) ( a j x j ) + ǫ ( 1 + x 2 n − 1 ) , ∀ x ∈ F 2 n , f ( x ) = a j ∈ F 2 o ( j ) 1 j ∈ Γ n Γ n is the set of representatives of each cyclotomic class of 2 modulo 2 n − 1 , o ( j ) is the size of the cyclotomic coset containing j , ǫ = wt ( f ) modulo 2 (recall wt ( f ) := # supp ( f ) := # { x ∈ F 2 n | f ( x ) = 1 } ). Recall : D EFINITION (A BSOLUTE TRACE OF x ∈ F 2 k OVER F 2 ) 1 ( x ) := � k − 1 i = 0 x 2 i = x + x 2 + x 2 2 + · · · + x 2 k − 1 ∈ F 2 Tr k 7 / 72

Background on Boolean functions : representation Example : Let n = 4 . f : F 2 4 → F 2 , f ( x ) = � j ∈ Γ 4 Tr o ( j ) a j ∈ F 2 o ( j ) . ( a j x j ) + ǫ ( 1 + x 15 ) , 1 Γ 4 is the set obtained by choosing one element in each cyclotomic class of 2 modulo 2 n − 1 = 2 4 − 1 = 15 . C ( j ) the cyclotomic coset of 2 modulo 15 containing j . C ( j ) = { j , j 2 , j 2 2 , j 2 3 , · · · , j 2 o ( j ) − 1 } where o ( j ) is the smallest positive integer such that j 2 o ( j ) ≡ j ( mod 2 n − 1 ) . The cyclotomic cosets modulo 15 are : C ( 0 ) = { 0 } C ( 1 ) = { 1 , 2 , 4 , 8 } C ( 3 ) = { 3 , 6 , 12 , 9 } C ( 5 ) = { 5 , 10 } C ( 7 ) = { 7 , 14 , 11 , 13 } We find Γ 4 = { 0 , 1 , 3 , 5 , 7 } f ( x ) = Tr o ( 1 ) ( a 1 x 1 ) + Tr o ( 3 ) ( a 3 x 3 ) + Tr o ( 5 ) ( a 5 x 5 ) + Tr o ( 7 ) ( a 7 x 7 ) + a 0 + ǫ ( 1 + x 15 ); 1 1 1 1 f ( x ) = Tr 4 1 ( a 1 x ) + Tr 4 1 ( a 3 x 3 ) + Tr 2 1 ( a 5 x 5 ) + Tr 4 1 ( a 7 x 7 ) + a 0 + ǫ ( 1 + x 15 ) where a 1 , a 3 , a 7 ∈ F 2 4 , a 5 ∈ F 2 2 and a 0 , ǫ ∈ F 2 ; 1 : F 2 4 → F 2 ; x �→ x + x 2 + x 2 2 + x 2 3 ; Tr 4 1 : F 2 2 → F 2 ; x �→ x + x 2 . Tr 2 8 / 72

Algebraic degree of the polynomial form D EFINITION Let n be a positive integer. Every Boolean function f defined on F 2 n has a (unique) trace expansion called its polynomial form : � Tr o ( j ) ( a j x j ) + ǫ ( 1 + x 2 n − 1 ) , ∀ x ∈ F 2 n , f ( x ) = a j ∈ F 2 o ( j ) 1 j ∈ Γ n ☞ The algebraic degree of f denoted by deg ( f ) , is the maximum Hamming weight of the binary expansion of an exponent j for which a j � = 0 if ǫ = 0 and to n if ǫ = 1 . Affine functions : Tr n 1 ( ax ) + λ , a ∈ F 2 n , λ ∈ F 2 . 9 / 72

Boolean functions ☞ In both Error correcting coding and Symmetric cryptography , Boolean functions are important objects ! Boolean functions Symmetric Cryptosystems Reed-Muller codes (secret key) Coding Theory Cryptography 10 / 72

Error Correcting Coding − → ( u 1 , . . . , u k ) → → ( x 1 , . . . , x n ) Source Encoding → → noisy channel ( y 1 , . . . , y n ) → → ( v 1 , . . . , v k ) Decoding 11 / 72

Boolean functions in Error Correcting Coding B n = { f : F n 2 → F 2 } The Reed-Muller code RM ( r , n ) can be defined in terms of Boolean functions : RM ( r , n ) is the set of all n -variable Boolean functions B n of algebraic degrees at most r . More precisely, it is the linear code of all binary words of length 2 n corresponding to the truth-tables of these functions. For every 0 ≤ r ≤ n , the Reed-Muller code RM ( r , n ) of order r , is a linear code :    � n �  r �    2 n − r  2 n , ,  ���� ����  i   i = 0 length minimum distance � �� � dimension 12 / 72

Cryptography cyphertext ✲ Decryption ✲ plaintext ✲ plaintext Encryption ✻ ✻ secret key k E secret key k D S ENDER A DVERSARY R ECEIVER 13 / 72

Cryptographic framework for Boolean functions Bloc ciphers (AES,DES, etc) Stream ciphers Ciphertext Plaintext x 1 x n · · · Expansion Pseudo-random � Key generator with operation a Boolean function · · · Ciphertext Plaintext f 1 f n f i : functions of substitution ( S -box ) f i : Boolean function 14 / 72

Cryptographic framework for Boolean functions The two models of pseudo-random generators with a Boolean function : C OMBINER MODEL : c t x ( t ) m t : plain text ✻ ✲ LFSR 1 1 c t : cipher text x ( t ) k t : key stream ✲ � LFSR 2 k t 2 ✲ f . . ✻ . x ( t ) ✲ n LFSR n m t LFSR : Linear Feedback Shift Register • A Boolean function combines the outputs of several LFSR to produce the key stream : a combining (Boolean) function f . • The initial state of the LFSR’s depends on a secret key. 15 / 72

Cryptographic framework for Boolean functions F ILTER MODEL : � � � ✛ ✛ ✻ ✻ ✻ ✲ s i + L − 1 s i + 1 s i · · · x 1 x i x n ❄ ❄ ❄ f ( x 1 , x 2 , · · · , x n ) ❄ output : key stream • A Boolean function takes as inputs several bits of a single LFSR to produce the key stream : a filtering (Boolean) function f ☞ To make the cryptanalysis very difficult to implement, we have to pay attention when choosing the Boolean function, that has to follow several recommendations : cryptographic criteria ! 16 / 72

Some main cryptographic criteria for Boolean functions • C RITERION 1 : To protect the system against distinguishing attacks, the cryptographic function must be balanced, that is, its Hamming weight is 2 n − 1 . • C RITERION 2 : The cryptographic function must have an high algebraic degree to protect against the Berlekamp-Massey attack. • The Hamming distance d H ( f , g ) := # { x ∈ F 2 n | f ( x ) � = g ( x ) } . C RITERION 3 : To protect the system against linear attacks and correlation attacks, the Hamming distance from the cryptographic function to all affine functions must be large. • C RITERION 4 : To be resistant to correlation attacks on combining registers, a combining function f must be m -resilient where m is as large as possible. • Algebraic immunity of f : AI ( f ) is the lowest degree of any nonzero function g such that f · g = 0 or ( 1 + f ) · g = 0 . C RITERION 5 : To be resistant to algebraic attacks, f must be of high algebraic immunity that is, close to the maximum ⌈ n 2 ⌉ . But this condition is not sufficient because of Fast Algebraic Attacks (FFA) : cryptographic functions should be resistant to FFA ! Some of these criteria are antagonistic ! Tradeoffs between all these criteria must be found. 17 / 72