Optimal Cryptographic Functions Lilya Budaghyan Selmer Center - PowerPoint PPT Presentation

Preliminaries Equivalence Relations of Functions APN Polynomial Constructions, Their Applications and Properties Optimal Cryptographic Functions Lilya Budaghyan Selmer Center University of Bergen Norway Finse Winter School 2019 May 10, 2019 1 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Boolean Functions For n and m positive integers F : F n Boolean functions: 2 → F 2 F : F n 2 → F m Vectorial Boolean ( n , m ) -functions: 2 Initial motivation for introduction of Boolean functions: fundamental mathematics; mathematical logic. Modern applications of Boolean functions: reliability theory, multicriteria analysis, mathematical biology, image processing, theoretical physics, statistics; voting games, artificial intelligence, management science, digital electronics, propositional logic; coding theory, combinatorics, sequence design, cryptography. 2 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions On the Number of Boolean Functions BF n is the set of Boolean functions F : F n 2 → F 2 . | BF n | = 2 2 n n 4 5 6 7 8 2 16 2 32 2 64 2 128 2 256 | BF n | 6 · 10 4 4 · 10 9 10 19 10 38 10 77 ≈ BF n n is the set of vectorial Boolean functions F : F n 2 → F n 2 . n | = 2 n 2 n | BF n n 4 5 6 7 8 | BF n 2 64 2 160 2 384 2 896 2 2048 n | 3 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Cryptographic properties of functions S-boxes are vectorial Boolean functions used in block ciphers to provide confusion. They should possess certain properties to ensure resistance of the ciphers to cryptographic attacks. Main cryptographic attacks on block ciphers and corresponding properties of S-boxes: Linear attack – Nonlinearity Differential attack – Differential uniformity Algebraic attack – Existence of low degree multivariate equations Higher order differential attack – Algebraic degree Interpolation attack – Univariate polynomial degree 4 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Optimal Cryptographic Functions Optimal Cryptographic functions are vectorial Boolean functions optimal for primary cryptographic criteria (APN, AB etc.); are UNIVERSAL - they define optimal objects in several branches of mathematics and information theory (coding theory, sequence design, projective geometry, combinatorics, commutative algebra); are "HARD-TO-GET" - there are only a few known constructions (12 AB, 17 APN); are "HARD-TO-PREDICT" - most conjectures are proven to be false. 5 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Outline Preliminaries 1 Representations of Functions Differential Uniformity and APN Functions Nonlinearity and AB Functions Equivalence Relations of Functions 2 EAI-equivalence and Known Power APN Functions CCZ-Equivalence and Its Relation to EAI-Equivalence Application of CCZ-Equivalence APN Polynomial Constructions, Their Applications and 3 Properties Classes of APN polynomials CCZ-inequivalent to Monomials Applications of APN constructions Properties of APN Functions 6 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Binary expansion and representation of integers Binary expansion of an integer k , 0 ≤ k < 2 n : n − 1 � 2 s k s , k = s = 0 where k s , 0 ≤ k s ≤ 1. 2-weight of k : n − 1 � w 2 ( k ) = k s . s = 0 v k = ( k n − 1 , ..., k 0 ) is the binary representation of k . 7 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Truth Table representation of functions For F : F n 2 → F m 2 the sequence ( F ( v 0 ) , ..., F ( v 2 n − 1 )) is called the truth table of F . Example 1 Truth table of F : F 3 2 → F 2 : ( 0 , 1 , 0 , 0 , 0 , 1 , 0 , 1 ) . x 1 x 2 x 3 F ( x 1 , x 2 , x 3 ) 0 0 0 0 0 0 1 1 0 1 0 0 0 1 1 0 1 0 0 0 1 0 1 1 1 1 0 0 1 1 1 1 k 0 1 2 3 4 5 6 7 F ( v k ) 0 1 0 0 0 1 0 1 8 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions ANF representation of functions Algebraic normal form ANF of F : F n 2 → F m 2 : n x u i � � i , a u ∈ F m F ( x 1 , ..., x n ) = a u 2 , u = ( u 1 , ..., u n ) . u ∈ F n i = 1 2 The algebraic degree d ◦ ( F ) of F is the degree of its ANF . F is affine if d ◦ ( F ) ≤ 1. F is quadratic if d ◦ ( F ) ≤ 2. Example 1 F ( x 1 , x 2 , x 3 ) = x 1 x 2 x 3 + x 2 x 3 + x 3 d ◦ ( F ) = 3 9 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Field definition A field ( G , + , · ) is a set G with binary operations + , · s.t. (1) a + b = b + a and a · b = b · a for ∀ a , b ∈ G , (2) a + ( b + c ) = ( a + b ) + c and a · ( b · c ) = ( a · b ) · c for ∀ a , b , c ∈ G , (3) a · ( b + c ) = ( a · b ) + ( a · c ) for ∀ a , b ∈ G , (4) there exist elements of G , denoted 0 and 1, and called additive and multiplicative identities s.t. a + 0 = a for ∀ a ∈ G , and a · 1 = a for ∀ a ∈ G \ { 0 } , (5) for ∀ a ∈ G there exist elements of G , denoted − a and, if a � = 0, a − 1 , called additive and multiplicative inverses, s.t. a + ( − a ) = 0 and a · a − 1 = 1. 10 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Finite Fields Properties Any finite field ( G , + , · ) consists of p n elements for some prime p , called the characteristic of the field, and some positive integer n . Then denote F p n = ( G , + , · ) and F ∗ p n = F p n \{ 0 } . Any prime field F p can be identified with the set { 0 , 1 , .., p − 1 } where addition and multiplication is taken modulo p . α ∈ F ∗ p n is a primitive element of F ∗ p n if for any a ∈ F ∗ p n there is 0 ≤ k ≤ 2 n − 2 s.t. a = α k . ( p − 1 ) a = − a , and for p = 2 then a = − a . 11 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Univariate representation of functions The univariate representation of F : F 2 n → F 2 m for m | n : 2 n − 1 � c i x i , F ( x ) = c i ∈ F 2 n . i = 0 The univariate degree of F is the degree of its univariate representation. Example 1 F ( x ) = x 7 + α x 6 + α 2 x 5 + α 4 x 3 where α is a primitive element of F 2 3 . 12 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Algebraic degree of univariate function Algebraic degree in univariate representation of F 2 n − 1 � c i x i , F ( x ) = c i ∈ F 2 n . i = 0 d ◦ ( F ) = 0 ≤ i < 2 n , c i � = 0 w 2 ( i ) . max 13 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Special Functions F is linear if n − 1 b i x 2 i . � F ( x ) = i = 0 F is affine if it is a linear function plus a constant. F is quadratic if for some affine A n − 1 b ij x 2 i + 2 j + A ( x ) . � F ( x ) = i , j = 0 , i � = j F is power function or monomial if F ( x ) = x d . F is permutation if it is a one-to-one map. The inverse F − 1 of a permutation F is s.t. F − 1 ( F ( x )) = F ( F − 1 ( x )) = x . 14 / 79

Preliminaries Representations of Functions Equivalence Relations of Functions Differential Uniformity and APN Functions APN Polynomial Constructions, Their Applications and Properties Nonlinearity and AB Functions Trace and Component functions Trace function from F 2 n to F 2 m for m | n : n / m − 1 x 2 im . tr m � n ( x ) = i = 0 Absolute trace function: n − 1 x 2 i . tr n ( x ) = tr 1 � n ( x ) = i = 0 For F : F 2 n → F 2 m and v ∈ F ∗ 2 m tr m ( vF ( x )) is a component function of F . 15 / 79