On the Fast Algebraic Immunity of Majority Functions Pierrick M AUX - - PowerPoint PPT Presentation

On the Fast Algebraic Immunity of Majority Functions Pierrick MÉAUX ICTEAM/ELEN/Crypto Group, Université catholique de Louvain, Belgium

Latincrypt 2019— Santiago de Chile Wednesday October 2

1 / 15

Table of Contents

Introduction Results from Threshold Functions FAI of Majority Functions Conclusion

2 / 15

Summary

Introduction Results from Threshold Functions FAI of Majority Functions Conclusion

3 / 15

Motivation: Why FAI and Majority Functions?

A conceptually simple design:

x1 x2 x3 · · · xN Pi, Si F F(Pi(Si(x)))

4 / 15

Motivation: Why FAI and Majority Functions?

A conceptually simple design:

x1 x2 x3 · · · xN Pi, Si F F(Pi(Si(x))) ◮ Goldreich’s PRG [Gol01]: Pseudorandom generators with polynomial stretch and small locality. Local functions. ◮ FLIP cipher [MJSC16]: stream cipher adapted to frameworks using fully homomorphic encryption.

4 / 15

Motivation: Why FAI and Majority Functions?

A conceptually simple design:

x1 x2 x3 · · · xN Pi, Si F F(Pi(Si(x))) ◮ Goldreich’s PRG [Gol01]: Pseudorandom generators with polynomial stretch and small locality. Local functions. ◮ FLIP cipher [MJSC16]: stream cipher adapted to frameworks using fully homomorphic encryption. Fast Algebraic Immunity? Majority functions?

4 / 15

Motivation: Why FAI and Majority Functions?

A conceptually simple design:

x1 x2 x3 · · · xN Pi, Si F F(Pi(Si(x))) ◮ Goldreich’s PRG [Gol01]: Pseudorandom generators with polynomial stretch and small locality. Local functions. ◮ FLIP cipher [MJSC16]: stream cipher adapted to frameworks using fully homomorphic encryption. Fast Algebraic Immunity? Cryptographic criterion on Boolean functions. → bound on complexity best knowns attacks. Majority functions? Easy to compute, good algebraic properties. → XOR-MAJ predicates of [AL18], filtering function in FiLIP [MCJS19].

4 / 15

Algebraic System and Attacks

           b1 = F(P1(S1(x))) b2 = F(P2(S2(x))) b3 = F(P3(S3(x))) . . . Resolution: ◮ SAT solvers , Grobner bases approaches. ◮ Linearization techniques. Example: all equations have the degree of F.

5 / 15

Algebraic System and Attacks

           b1 = F(P1(S1(x))) b2 = F(P2(S2(x))) b3 = F(P3(S3(x))) . . . Resolution: ◮ SAT solvers , Grobner bases approaches. ◮ Linearization techniques. Example: all equations have the degree of F.

Algebraic Attacks [CM03]

Let F be the filtering function

• 1. find g a low algebraic degree function s.t. g and gF has low degree,
• 2. create T equations with monomials of degree ≤ deg(g),
• 3. linearize the system of T equations in D = deg(g)

i=0

N

i

• variables,
• 4. solve the system in O(Dω).

5 / 15

Algebraic System and Attacks

Algebraic Attacks [CM03]

Let F be the filtering function

• 1. find g a low algebraic degree function s.t. g and gF has low degree,
• 2. create T equations with monomials of degree ≤ deg(g),
• 3. linearize the system of T equations in D = deg(g)

i=0

N

i

• variables,
• 4. solve the system in O(Dω).

Algebraic Immunity

Let F : FN

2 → F2, we define:

AI(F) = min{ max(deg(g), deg(gF), g = 0) } = min{deg(g), g = 0 | gF = 0 or g(F + 1) = 0}

5 / 15

Algebraic System and Attacks

Algebraic Attacks [CM03]

Let F be the filtering function

• 1. find g a low algebraic degree function s.t. g and gF has low degree,
• 2. create T equations with monomials of degree ≤ deg(g),
• 3. linearize the system of T equations in D = deg(g)

i=0

N

i

• variables,
• 4. solve the system in O(Dω).

Fast Algebraic Attacks [Cou03]

Let F be the filtering function:

• 1. find g and h of low degree such that gF = h, deg(g) ≤ AI(F) < deg(h).
• 2. search linear relations in the system to cancel the monomials of degree

more that deg(g),

• 3. linearize and solve the system of degree deg(g) ≤ AI(F).

5 / 15

Algebraic System and Attacks

Fast Algebraic Attacks [Cou03]

Let F be the filtering function:

• 1. find g and h of low degree such that gF = h, deg(g) ≤ AI(F) < deg(h).
• 2. search linear relations in the system to cancel the monomials of degree

more that deg(g),

• 3. linearize and solve the system of degree deg(g) ≤ AI(F).

Fast Algebraic Immunity

Let F : FN

2 → F2, we define:

FAI(F) = min

• 2AI(F),

min

1≤deg(g)<AI(F)[deg(g) + deg(Fg)]

• .

5 / 15

Majority Functions

Majority function

x = (x1, · · · , xn) ∈ Fn

2,

MAJn(x) = if wH(x) ≤ n

2,

1

• therwise.

6 / 15

Majority Functions

Majority function

x = (x1, · · · , xn) ∈ Fn

2,

MAJn(x) = if wH(x) ≤ n

2,

1

• therwise.

◮ Symmetric function, easy to compute. → homomorphic evaluation with multiplexers, quasi additive noise [MCJS19]. ◮ Optimal algebraic immunity [BP05,DMS06], AI(MAJn) = ⌊(n + 1)/2⌋. → direct sum F = g + MAJn provides AI(F) ≥ AI(MAJn) and FAI(F) ≥ FAI(MAJn).

6 / 15

Majority Functions

Majority function

x = (x1, · · · , xn) ∈ Fn

2,

MAJn(x) = if wH(x) ≤ n

2,

1

• therwise.

◮ Symmetric function, easy to compute. → homomorphic evaluation with multiplexers, quasi additive noise [MCJS19]. ◮ Optimal algebraic immunity [BP05,DMS06], AI(MAJn) = ⌊(n + 1)/2⌋. → direct sum F = g + MAJn provides AI(F) ≥ AI(MAJn) and FAI(F) ≥ FAI(MAJn). Algebraic properties of MAJn: ◮ deg, known for all n. ◮ AI, known for all n. ◮ FAI, only bounds.

6 / 15

Related Works and Main Result

Notation: n = 2m + 2k + ε, m ∈ N∗, k ∈ N, k < 2m−1, ε ∈ {0, 1}.

7 / 15

Related Works and Main Result

Notation: n = 2m + 2k + ε, m ∈ N∗, k ∈ N, k < 2m−1, ε ∈ {0, 1}. ◮ [ACGKMR06] Theorem 2, for n ≥ 2: FAI(MAJn) ≤ 2m−1 + 2k + 2. ◮ [TLD16], exact FAI when n = 2m and n = 2m + 1. ◮ [CGZ19], exact FAI when n = 2m + 2 and n = 2m + 3, since m ≥ 2.

7 / 15

Related Works and Main Result

Notation: n = 2m + 2k + ε, m ∈ N∗, k ∈ N, k < 2m−1, ε ∈ {0, 1}. ◮ [ACGKMR06] Theorem 2, for n ≥ 2: FAI(MAJn) ≤ 2m−1 + 2k + 2. ◮ [TLD16], exact FAI when n = 2m and n = 2m + 1. ◮ [CGZ19], exact FAI when n = 2m + 2 and n = 2m + 3, since m ≥ 2. This work: Let m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}, FAI(MAJn) = 2m−1 + 2k + 2.

7 / 15

Summary

Introduction Results from Threshold Functions FAI of Majority Functions Conclusion

8 / 15

Bounding the FAI

Threshold Function

x = (x1, · · · , xn) ∈ Fn

2, d ∈ {0, · · · , n},

Td(x) =

• if wH(x) < d,

1

• therwise.

n even: MAJn = T n

2 +1, for n odd MAJn = T n+1 2 . 9 / 15

Bounding the FAI

Threshold Function

x = (x1, · · · , xn) ∈ Fn

2, d ∈ {0, · · · , n},

Td(x) =

• if wH(x) < d,

1

• therwise.

n even: MAJn = T n

2 +1, for n odd MAJn = T n+1 2 .

Threshold and Annihilators

Annihilators: AN(f) = ming=0[deg(g) | fg = 0]. AN(Td) = n − d + 1, and AN(1 + Td) = d. Multiplicative property: 0 < deg(g) < AN(f) ⇒ deg(fg) ≥ AN(f + 1).

9 / 15

Bounding the FAI

Threshold and Annihilators

Annihilators: AN(f) = ming=0[deg(g) | fg = 0]. AN(Td) = n − d + 1, and AN(1 + Td) = d. Multiplicative property: 0 < deg(g) < AN(f) ⇒ deg(fg) ≥ AN(f + 1).

Lower Bound

Let n = 2m + 2k + ε, m ≥ 1, 0 ≤ k < 2m−1, and ε ∈ {0, 1}, then: FAI(MAJn) ≥ 2m−1 + k + 2.

9 / 15

Bounding the FAI

Threshold and Annihilators

Annihilators: AN(f) = ming=0[deg(g) | fg = 0]. AN(Td) = n − d + 1, and AN(1 + Td) = d. Multiplicative property: 0 < deg(g) < AN(f) ⇒ deg(fg) ≥ AN(f + 1).

Lower Bound

Let n = 2m + 2k + ε, m ≥ 1, 0 ≤ k < 2m−1, and ε ∈ {0, 1}, then: FAI(MAJn) ≥ 2m−1 + k + 2. 2m−1 + k + 2 ≤ FAI(MAJn) ≤ 2m−1 + 2k + 2. Corollary: for n = 2m + ε, FAI(MAJn) = 2m−1 + 2.

9 / 15

Algebraic Normal Form of Threshold Functions

Algebraic Normal Form

n-variable polynomial representation over F2 i.e. belonging to F2[x1, . . . , xn]/(x2

1 + x1, . . . , x2 n + xn):

F(x) =

• I⊆[n]

aI

• i∈I

xi

• =
• I⊆[n]

aIxI, where aI ∈ F2. Simplified Algebraic Normal Form for Td: λ0 λ1 λ2 · · · λn F symmetric: all, or none, monomials of the same degree in the ANF.

10 / 15

Algebraic Normal Form of Threshold Functions

Algebraic Normal Form

n-variable polynomial representation over F2 i.e. belonging to F2[x1, . . . , xn]/(x2

1 + x1, . . . , x2 n + xn):

F(x) =

• I⊆[n]

aI

• i∈I

xi

• =
• I⊆[n]

aIxI, where aI ∈ F2. Simplified Algebraic Normal Form for Td: λ0 λ1 · · · 1 d D 2D · · · ℓD λd · · · · · · λD Periodicity, D = 2⌈log d⌉

10 / 15

Algebraic Normal Form of Threshold Functions

Algebraic Normal Form

n-variable polynomial representation over F2 i.e. belonging to F2[x1, . . . , xn]/(x2

1 + x1, . . . , x2 n + xn):

F(x) =

• I⊆[n]

aI

• i∈I

xi

• =
• I⊆[n]

aIxI, where aI ∈ F2. Simplified Algebraic Normal Form for Td: · · · 1 d D 2D · · · ℓD 1 1 1 1 1 1 Smaller set of interest

10 / 15

Algebraic Normal Form of Threshold Functions

Simplified Algebraic Normal Form for Td: · · · 1 d D 2D · · · ℓD 1 1 1 1 1 1

Algebraic Normal Form of all Threshold Functions

n ∈ N∗, 0 < d ≤ n + 1, D = 2⌈log d⌉, the sets Sd and S′

d are:

Sd = {v ∈ {0, D − 1} | v D − d}, and S′

d = {kD + d + v |v ∈ Sd} ∩ {1, n}.

The SANF of Td is such that: λi′ = 1 ⇔ i′ ∈ S′

d.

Equivalently: Td =

• i∈S′

d

σi.

10 / 15

Algebraic Normal Form of Threshold Functions

Algebraic Normal Form of all Threshold Functions

n ∈ N∗, 0 < d ≤ n + 1, D = 2⌈log d⌉, the sets Sd and S′

d are:

Sd = {v ∈ {0, D − 1} | v D − d}, and S′

d = {kD + d + v |v ∈ Sd} ∩ {1, n}.

The SANF of Td is such that: λi′ = 1 ⇔ i′ ∈ S′

d.

Equivalently: Td =

• i∈S′

d

σi. Example: d = 3, Sd = {v ∈ {0, 1, 2, 3} | v 001} = {0, 1}, S′

d = {{4k + 3} ∪ {4k + 4}} ∩ {1, n},

T3 = σ3 + σ4 + σ7 + σ8 + · · ·

10 / 15

Algebraic Normal Form of Threshold Functions

Algebraic Normal Form of all Threshold Functions

n ∈ N∗, 0 < d ≤ n + 1, D = 2⌈log d⌉, the sets Sd and S′

d are:

Sd = {v ∈ {0, D − 1} | v D − d}, and S′

d = {kD + d + v |v ∈ Sd} ∩ {1, n}.

The SANF of Td is such that: λi′ = 1 ⇔ i′ ∈ S′

d.

Equivalently: Td =

• i∈S′

d

σi. Example: d = 3, Sd = {v ∈ {0, 1, 2, 3} | v 001} = {0, 1}, S′

d = {{4k + 3} ∪ {4k + 4}} ∩ {1, n},

T3 = σ3 + σ4 + σ7 + σ8 + · · · Corollary: ϕd indicator of Hamming weight d: ϕd =

• i∈S′

d△S′ d+1

σi.

10 / 15

Summary

Introduction Results from Threshold Functions FAI of Majority Functions Conclusion

11 / 15

Proof Overview (1)

n = 2m + 2k + ε, m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1. 1 d 2m n

12 / 15

Proof Overview (1)

n = 2m + 2k + ε, m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1. 1 d 2m n 1 1 Set of interest: {d, · · · , D}

12 / 15

Proof Overview (1)

n = 2m + 2k + ε, m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1. 1 d a b k + 1 2m n 1 1 1 0 · · · 0 1 Set of interest: {d, · · · , D} Gap: a = 2m − 2m−2, b = 2m − 2m−2 + k + 1, and {a, · · · , b} ∩ S′

d = {a, b}.

12 / 15

Proof Overview (1)

n = 2m + 2k + ε, m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1. 1 d a b k + 1 2m n 1 1 1 0 · · · 0 1 Set of interest: {d, · · · , D} Gap: a = 2m − 2m−2, b = 2m − 2m−2 + k + 1, and {a, · · · , b} ∩ S′

d = {a, b}.

Tb = T2m−2m−2+k+1. 1 1 1 b 2m n

12 / 15

Proof Overview (1)

n = 2m + 2k + ε, m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1. 1 d a b k + 1 2m n 1 1 1 0 · · · 0 1 Set of interest: {d, · · · , D} Gap: a = 2m − 2m−2, b = 2m − 2m−2 + k + 1, and {a, · · · , b} ∩ S′

d = {a, b}.

Tb = T2m−2m−2+k+1. 1 1 1 b 2m n Partition: MAJn = fa + Tb

12 / 15

Proof Overview (2)

Consider n = 2m + 2k + ε; m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1 = fa + Tb. 1 d a b k + 1 2m n 1 0 · · · 0 1

13 / 15

Proof Overview (2)

Consider n = 2m + 2k + ε; m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1 = fa + Tb. 1 d a b k + 1 2m n 1 0 · · · 0 1 Recall: FAI(F) = min

• 2AI(F), min1≤deg(g)<AI(F)[deg(g) + deg(Fg)]
• Since 2AI(MAJn) ≥ n, we focus on the degree of MAJng:

13 / 15

Proof Overview (2)

Consider n = 2m + 2k + ε; m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1 = fa + Tb. 1 d a b k + 1 2m n 1 0 · · · 0 1 Recall: FAI(F) = min

• 2AI(F), min1≤deg(g)<AI(F)[deg(g) + deg(Fg)]
• Since 2AI(MAJn) ≥ n, we focus on the degree of MAJng:

◮ If 1 ≤ deg(g) ≤ k: since k < AI(Tb) ≤ AN(1 + Tb) = b, then deg(gTb) ≥ b deg(gfa) ≤ a + k < b then deg(g(fa + Tb))+ ≥ b ≥ 2m−1 + 2k + 2 (using 2m−2 > k).

13 / 15

Proof Overview (2)

Consider n = 2m + 2k + ε; m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1 = fa + Tb. 1 d a b k + 1 2m n 1 0 · · · 0 1 Recall: FAI(F) = min

• 2AI(F), min1≤deg(g)<AI(F)[deg(g) + deg(Fg)]
• Since 2AI(MAJn) ≥ n, we focus on the degree of MAJng:

◮ If 1 ≤ deg(g) ≤ k: since k < AI(Tb) ≤ AN(1 + Tb) = b, then deg(gTb) ≥ b deg(gfa) ≤ a + k < b then deg(g(fa + Tb))+ ≥ b ≥ 2m−1 + 2k + 2 (using 2m−2 > k). ◮ If k < deg(g) < AI(MAJn): deg(gMAJn) ≥ AN(MAJn + 1) (multiplicative property) deg(gMAJn) ≥ 2m−1 + k + 1 (AN threshold functions) then deg(g) + deg(Fg) ≥ 2m−1 + 2k + 2.

13 / 15

Proof Overview (2)

Consider n = 2m + 2k + ε; m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. MAJn = T2m−1+k+1 = fa + Tb. 1 d a b k + 1 2m n 1 0 · · · 0 1 Recall: FAI(F) = min

• 2AI(F), min1≤deg(g)<AI(F)[deg(g) + deg(Fg)]
• Since 2AI(MAJn) ≥ n, we focus on the degree of MAJng:

◮ If 1 ≤ deg(g) ≤ k: since k < AI(Tb) ≤ AN(1 + Tb) = b, then deg(gTb) ≥ b deg(gfa) ≤ a + k < b then deg(g(fa + Tb))+ ≥ b ≥ 2m−1 + 2k + 2 (using 2m−2 > k). ◮ If k < deg(g) < AI(MAJn): deg(gMAJn) ≥ AN(MAJn + 1) (multiplicative property) deg(gMAJn) ≥ 2m−1 + k + 1 (AN threshold functions) then deg(g) + deg(Fg) ≥ 2m−1 + 2k + 2. ⇒ reaching upper bound, FAI(MAJn) = 2m−1 + 2k + 2.

13 / 15

Summary

Introduction Results from Threshold Functions FAI of Majority Functions Conclusion

14 / 15

Conclusion and open questions

Conclusion: ⋄ ANF of threshold functions. → Simple formulation with sets, basis for all symmetric functions. ⋄ Exact fast algebraic immunity of MAJn, n = 2m + 2k + ε, where m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. → Better bounds for XOR-MAJ functions.

15 / 15

Conclusion and open questions

Conclusion: ⋄ ANF of threshold functions. → Simple formulation with sets, basis for all symmetric functions. ⋄ Exact fast algebraic immunity of MAJn, n = 2m + 2k + ε, where m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. → Better bounds for XOR-MAJ functions. Open questions: ⋄ Remaining cases? ◮ m < 2 solved, FAI(MAJ2) = 2, and n = 3 from corollary. ◮ m ≥ 2, 2m−2 < k < 2m−1. Upper bound B = 2m−1 + 2k + 2 unreachable. ◮ m ≥ 2, k = 2m−2. B reachable (ex n = 6). ⋄ Extending techniques for all threshold function? all symmetric functions?

15 / 15

Conclusion and open questions

Conclusion: ⋄ ANF of threshold functions. → Simple formulation with sets, basis for all symmetric functions. ⋄ Exact fast algebraic immunity of MAJn, n = 2m + 2k + ε, where m ≥ 2, 0 ≤ k < 2m−2, ε ∈ {0, 1}. → Better bounds for XOR-MAJ functions. Open questions: ⋄ Remaining cases? ◮ m < 2 solved, FAI(MAJ2) = 2, and n = 3 from corollary. ◮ m ≥ 2, 2m−2 < k < 2m−1. Upper bound B = 2m−1 + 2k + 2 unreachable. ◮ m ≥ 2, k = 2m−2. B reachable (ex n = 6). ⋄ Extending techniques for all threshold function? all symmetric functions? Thanks for your attention!

15 / 15