Vectorial Boolean Functions with very Low Differential-linear - - PowerPoint PPT Presentation
Vectorial Boolean Functions with very Low Differential-linear Uniformity using MaioranaMcFarland type Construction Deng Tang 1 , 2 , Bimal Mandal 3 , Subhamoy Maitra 4 1 School of Mathematics, Southwest Jiaotong University, Chengdu, China 2
Deng Tang1,2, Bimal Mandal3, Subhamoy Maitra4
1School of Mathematics, Southwest Jiaotong University, Chengdu, China 2State Key Laboratory of Cryptology, Beijing, 100878, China 3CARAMBA, INRIA, Nancy–Grand Est., France 4Indian Statistical Institute, Kolkata, India
Indocrypt 2019
◮ Introduction
◮ New properties of the DLCT ◮ Differential-linear uniformity of known balanced (n, m)-function
◮ Construction of a new class of balanced (n, m)-function ◮ Balanced (4t, t − 1)-function with very low differential-linear uniformity ◮ Implementation ◮ Conclusions
1 / 24
◮ Fn
2 = {x = (x1, x2, . . . , xn) : xi ∈ F2, 1 ≤ i ≤ n} ∼
= F2n ◮ Hamming weight of x ∈ Fn
2: wt(x) = n i=1 xi
◮ Vectorial Boolean function or (n, m)-function: S : Fn
2 −
→ Fm
2
◮ Boolean function in n variables: s : Fn
2 −
→ F2 ◮ Support of s: supp(s) = {x ∈ Fn
2 : s(x) = 1}
◮ S(x) = (s1(x), s2(x), . . . , sm(x)).
2 : Component function of S
◮ Autocorrelation of a component function λ · S of S at α ∈ Fn
2:
Cλ·S(α) =
2
(−1)λ·(S(x)⊕S(x⊕α)).
2 / 24
◮ Walsh–Hadamard transform of an (n, m)-function S at (α, λ): Wλ·S(α) =
2
(−1)λ·S(x)⊕α·x. ◮ Nonlinearity of an (n, m)-function S: nl(S) = 2n−1 − 1 2 max
(α,λ)∈Fn
2 ×Fm∗ 2
|Wλ·S(α)|. ◮ Differential uniformity of an (n, m)-function S: δ(S) = max
α∈Fn∗
2 , β∈Fm 2
#{x ∈ Fn
2 : S(x) ⊕ S(x ⊕ α) = β}.
◮ Differential distribution table (DDT) of (n, m)-function S: DDTS(α, β) = #{x ∈ Fn
2 : S(x) ⊕ S(x ⊕ α) = β}.
3 / 24
◮ Langford and Hellman at CRYPTO’94 first introduced the differential-linear cryptanalysis. ◮ Bar-On et al. at EUROCRYPT’19 proposed the differential linear connectivity table (DLCT). ◮ DLCT of an (n, m)-function S: DLCTS(α, λ) = #{x ∈ Fn
2 : λ · S(x) = λ · S(x ⊕ α)} − 2n−1.
2
2 (−1)v·λDDTS(α, v).
◮ Differential-linear uniformity of S: DL(S) = max
(α,λ)∈Fn∗
2 ×Fm∗ 2
|DLCTS(α, λ)|.
4 / 24
◮ Li et al. [arXiv:1907.05986, 2019] investigated the properties
(n, m)-function. ◮ Canteaut et al. [ia.cr/2019/848, 2019] derived similar results
◮ They proved that DLCTS(α, λ) = 1
2Cλ·S(α), and so,
DL(S) = max
(α,λ)∈Fn∗
2 ×Fm∗ 2
1 2
◮ Maiorana-McFarland bent functions in 2k variables (JCTA 1973): h(x, y) = φ(x) · y ⊕ p(x)
5 / 24
◮ h can be written as h = h0||h1|| . . . ||h2k−1, where hi(y) = h(xi, y), for all y ∈ Fk
2.
◮ In FSE’94, Dobbertin first constructed a balanced Boolean function with high nonlinearity. s(x, y) = φ(x) · y, if x = 0 g(y), if x = 0 ◮ Tang et al. (IEEE-TIT 2018), Kavut et al. (DCC 2019) and Tang et al. (SIDMA 2019) also constructed the balanced Boolean functions. ◮ Let n = 2k be an even integer greater than 4. f(x, y) = u(y), if (x, y) ∈ {0} × Fk
2
φ(x) · y, if (x, y) ∈ Fk∗
2 × Fk∗ 2
v(x), if (x, y) ∈ Fk∗
2 × {0}
6 / 24
◮ E0
a = {x ∈ Fn 2 : a · x = 0}, a ∈ Fn 2.
◮ Im(DαS) = {y ∈ Fm
2 : y = S(x) ⊕ S(x ⊕ α), x ∈ Fn 2}.
◮ DLCTS(α, λ) = #{x ∈ Fn
2 : λ · S(x) = λ · S(x ⊕ α)} − 2n−1.
Proposition 1
For any (n, m)-function S, α ∈ Fn
2 and λ ∈ Fm 2 ,
DLCTS(α, λ) =
λ
DDTS(α, δ) − 2n−1.
Corollary 1
Let S be an (n, m)-function. For any α ∈ Fn∗
2
and λ ∈ Fm∗
2 ,
DLCTS(α, λ) = 2n−1 if and only if Im(DαS) ⊂ E0
λ. Moreover,
DLCTS(α, λ) = −2n−1 if and only if Im(DαS) ⊂ Fm
2 \ E0 λ.
7 / 24
Corollary 2
Let S be an APN permutation over Fn
2 ,
DLCTS(α, λ) ≤ 2n−1 − 2. Moreover, DLCTS(α, λ) + 2n−1 = 0 if and only if Im(DαS) = Fn
2 \ E0 λ.
Open problem 1 (Li et al., arXiv:1907.05986)
For an odd integer n, are there (n, n)-function S other than the Kasami–Welch APN functions that have DL(S) = 2
n−1 2 ? 8 / 24
Theorem 1
Let n be an odd integer. For an APN (n, n)-function S, DL(S) = 2
n−1 2
if and only if for any α, λ ∈ Fn∗
2
2n−2 − 2
n−1 2 −1 ≤ #E0
λ ∩ Im(DαS) ≤ 2n−2 + 2
n−1 2 −1. 9 / 24
◮ Qu et al. (IEEE-TIT 2013): I1(x) = x2n−2 ⊕ f(x), where f are well-choose Boolean functions such that f(x2n−2) ⊕ f(x2n−2 ⊕ 1) = 0. ◮ Tang et al. (DCC 2015): I2(x) = (x ⊕ g(x))2n−2, where g are well-choose Boolean functions such that g(x) ⊕ g(x ⊕ 1) = 0.
Theorem 2
For any I1 and I2, we have
2
t=0 (−1)n−t n n−t
n−t
t
.
10 / 24
◮ Let n = 2k and s(x, y) = φ(x) · y, if x = 0 g(y), if x = 0
Lemma 1
Let s be an n = 2k-variable Boolean function defined as above, then for any (a, b) ∈ Fk
2 × Fk 2 we have
Cs(a, b) = 2n if a = b = 0 −2k + Cg(b), if a = 0, b ∈ Fk∗
2
2(−1)φ(a)·bWg(φ(a)), if a ∈ Fk∗
2 , b ∈ Fk 2
.
11 / 24
Theorem 3
Let s be an n = 2k-variable Boolean function defined as above and there exists b ∈ Fk∗
2
such that Cg(b) = 0. If s is a component function of an (n, m)-function S, then we have DL(S) ≥ 2k−1.
12 / 24
Construction 1
Let n = 2k ≥ 4 be an even integer. We construct an (n, m)-func- tion S whose coordinate functions si’s (1 ≤ i ≤ m) are defined as follows: si(x, y) = ui(y), if (x, y) ∈ {0} × Fk
2
φi(x) · y, if (x, y) ∈ Fk∗
2 × Fk∗ 2
vi(x), if (x, y) ∈ Fk∗
2 × {0}
, where x, y ∈ Fk
2, and
2 such that l1φ1 ⊕ l2φ2 ⊕ · · · ⊕ lmφm
is a permutation and l1φ1(0) ⊕ l2φ2(0) ⊕ · · · ⊕ lmφm(0) = 0,
2 such that
wt(⊕m
i=1liui) ⊕ wt(⊕m i=1livi) = 2k−1 and ⊕m i=1liui(0) =
⊕m
i=1livi(0) = 0.
13 / 24
Theorem 4
For any n = 2k ≥ 4, every (n, m)-function S generated by Construction 1 is balanced.
Theorem 5
Let n = 2k ≥ 4 and S be an (n, m)-function generated by Construction 1. For any l = (l1, l2, · · · , lm) ∈ Fm∗
2 , we have Wl·S(a, b) = 0, if (a, b) = (0, 0) Wl·U(b) + Wl·V (0), if (a, b) ∈ {0} × Fk∗
2
Wl·U(0) + Wl·V (a), if (a, b) ∈ Fk∗
2 × {0}
(−1)(l·Φ)−1(b)·a2k + Wl·U(b) + Wl·V (a), if (a, b) ∈ Fk∗
2 × Fk∗ 2
,
where U = (u1, . . . , um), V = (v1, . . . , vm) and Φ = (φ1, . . . , φm).
14 / 24
Theorem 6
Let the notation be the same as in Theorem 5. Let n = 2k ≥ 4 and S be an (n, m)-function generated by Construction 1. For any l = (l1, l2, · · · , lm) ∈ Fm∗
2 , we have Cl·S(a, b) = 2n, if (a, b) = (0, 0) Cl·U(b) + 2W(l·V)′(b) − 2k, if (a, b) ∈ {0} × Fk∗
2
Cl·V(a) + 2Wl·U((l · Φ)(a)) − 2k, if (a, b) ∈ Fk∗
2 × {0}
2(−1)(l·Φ)(a)·bWl·U
if (a, b) ∈ Fk∗
2 × Fk∗ 2
,
where (l·V )′(x) = (l·V )
(l·V )
equals 0 otherwise.
15 / 24
(x1, x2, y1, y2) s′
1(x, y)
s1(x, y) s′
2(x, y)
s2(x, y) (0, 0, 0, 0) u1(0, 0) = 0 u2(0, 0) = 0 (0, 0, 0, 1) u1(0, 1) = 0 y1y2 u2(0, 1) = 0 y1y2 (0, 0, 1, 0) u1(1, 0) = 0 u2(1, 0) = 0 (0, 0, 1, 1) u1(1, 1) = 1 u2(1, 1) = 1 (0, 1, 0, 0) v1(0, 1) = 0 v2(0, 1) = 1 (0, 1, 0, 1) 1 y2 1 y2 1 y1 ⊕ y2 1 y1y2 ⊕ 1 (0, 1, 1, 0) 1 1 (0, 1, 1, 1) 1 1 (1, 0, 0, 0) v1(1, 0) = 0 v2(1, 0) = 0 (1, 0, 0, 1) y1 y1 1 y2 1 y2 (1, 0, 1, 0) 1 1 (1, 0, 1, 1) 1 1 1 1 (1, 1, 0, 0) v1(1, 1) = 1 v2(1, 1) = 0 (1, 1, 0, 1) 1 y1 ⊕ y2 1 y1y2 ⊕ 1 y1 y1 (1, 1, 1, 0) 1 1 1 1 (1, 1, 1, 1) 1 1
Table: φ1(x1, x2) = (x1, x2), φ2(x1, x2) = (x2, x1 ⊕ x2) and S = (s1, s2) is modified (4, 2)-function defined as in Construction 1.
16 / 24
◮ Let n = 2k = 4t and m = t − 1.
Definition 1
Let E = {E1, . . . , E2t+1} be a partial spread of Fk
2 (k = 2t) and
C = [2t − 1, t − 1, 2t−2] be a binary one-weight linear code having a generator G = g1 . . . gt−1 . For every 1 ≤ i ≤ t − 1, we define a Boolean functions vi over Fk
2
whose support is ∪j∈supp(gi)Ej \ {0}.
17 / 24
Theorem 7
For any (l1, l2, · · · , lt−1) ∈ Ft−1∗
2
, the Boolean function v′ = ⊕t−1
i=1livi, where vi’s are defined in Definition 1, has Hamming
weight 2k−2 − 2t−2, |Wv′(a)| ≤
k 2 −1,
if a = 0 3 · 2
k 2 −1,
if a ∈ Fk∗
2
and Cv′(ω) ≥ 2k, if ω = 0 2k−2, if ω ∈ Fk∗
2
.
18 / 24
Definition 2
Let the notation be the same as in Definition 1. We define t − 1 nonzero linear functions h1, . . . , ht−1 over E2t+1 such that for any (l1, . . . , lt−1) ∈ Ft−1∗
2
the Boolean function ⊕t−1
i=1lihi has Hamming
weight 2t−1. For every 1 ≤ i ≤ t − 1, we define a Boolean functions ui over Fk
2 whose support is supp(vi) ∪ supp(hi).
19 / 24
◮ wt
i=1liui
Theorem 8
For any (l1, . . . , lt−1) ∈ Ft−1∗
2
, the Boolean function u′ = ⊕t−1
i=1liui,
where ui’s are defined in Definition 2, has the following properties: |Wu′(a)| ≤
k 2 −1,
if a = 0 5 · 2
k 2 −1,
if a ∈ Fk∗
2
and Cu′(ω) ≥
if ω = 0 2k−2 − 2
k 2 +2,
if ω ∈ Fk∗
2
,
20 / 24
Theorem 9
Let n = 2k = 4t ≥ 20, m = t − 1 in Construction 1, vi’s and ui’s are the k-variable Boolean functions defined in Definitions 1 and 2,
2
, ⊕t−1
i=1liφi is a linear
permutation over Fk
by Construction 1 is balanced and for s′ = ⊕t−1
i=1lisi we have
n 2 −1 − 2 n 4 +1, and
n 2 −2 + 7 · 2 n 4 < 2 n 2 .
Moreover, we have
n 2 −1 − 2 n 4 +1, and
n 2 −3 + 7 · 2 n 4 −1 < 2 n 2 −1.
21 / 24
◮ Required gates in the worst case:
(x1, x2, y1, y2) s′
1(x, y)
s1(x, y) s′
2(x, y)
s2(x, y) (0, 0, 0, 0) u1(0, 0) = 0 u2(0, 0) = 0 (0, 0, 0, 1) u1(0, 1) = 0 y1y2 u2(0, 1) = 0 y1y2 (0, 0, 1, 0) u1(1, 0) = 0 u2(1, 0) = 0 (0, 0, 1, 1) u1(1, 1) = 1 u2(1, 1) = 1 (0, 1, 0, 0) v1(0, 1) = 0 v2(0, 1) = 1 (y1 ⊕ 1)(y2 ⊕ 1) (0, 1, 0, 1) 1 y2 1 y2 1 y1 ⊕ y2 1 ⊕(y1 ⊕ y2) (0, 1, 1, 0) 1 1 = y1y2 ⊕ 1 (0, 1, 1, 1) 1 1 (1, 0, 0, 0) v1(1, 0) = 0 v2(1, 0) = 0 (1, 0, 0, 1) y1 y1 1 y2 1 y2 (1, 0, 1, 0) 1 1 (1, 0, 1, 1) 1 1 1 1 (1, 1, 0, 0) v1(1, 1) = 1 (y1 ⊕ 1)(y2 ⊕ 1) v2(1, 1) = 0 (1, 1, 0, 1) 1 y1 ⊕ y2 1 ⊕(y1 ⊕ y2) y1 y1 (1, 1, 1, 0) 1 1 =y1y2 ⊕ 1 1 1 (1, 1, 1, 1) 1 1 22 / 24
◮ The implementation of the function S defined as in Theorem 9 requires (t − 1){(3t + 1)22t − (22t−2 + (4t − 1)2t−2 + 2t − 1)} gates in the worst case.
23 / 24
◮ We first derive some properties of the DLCT of an (n, m)-function and the differential-linear uniformity of known balanced vectorial Boolean functions. ◮ We construct the balanced (4t, t − 1)-function using Construction 1 which has very low differential-linear uniformity. ◮ Towards implementation, we count the number of gates that are required to implement such circuits.
24 / 24
◮ We first derive some properties of the DLCT of an (n, m)-function and the differential-linear uniformity of known balanced vectorial Boolean functions. ◮ We construct the balanced (4t, t − 1)-function using Construction 1 which has very low differential-linear uniformity. ◮ Towards implementation, we count the number of gates that are required to implement such circuits.
24 / 24
LH94 S. K. Langford and M. E. Hellman, Differential-linear cryptanalysis, In
CRYPTO’94, LNCS, 839:17–25, 1994.
BW19 A. Bar-On, O. Dunkelman, N. Keller, and A. Weizman, DLCT: A new
tool for differential-linear cryptanalysis, In EUROCRYPT’19, Springer, 313–342, 2019.
CLW19 A. Canteaut, L. K¨
Differential-Linear Connectivity Table of Vectorial Boolean Functions, CoRR., http://arxiv.org/abs/1907.05986, 2019.
D94 H. Dobbertin, Construction of bent functions and balanced Boolean
functions with high nonlinearity, In FSE’94, LNCS, 1008:61–74, 1994.
KMT19 S. Kavut, S. Maitra, and D. Tang, Construction and search of balanced
Boolean functions on even number of variables towards excellent autocorrelation profile, Designs, Codes and Cryptography, 87(2-3):261–276, 2019.
24 / 24
TKM19 D. Tang, S. Kavut, B. Mandal, and S. Maitra, Modifying
Maiorana–McFarland type bent functions for good cryptographic properties and efficient implementation, SIAM Journal on Discrete Mathematics (SIDMA), 33(1):238–256, 2019.
TM18 D. Tang and S. Maitra, Constructions of n-variable (n ≡ 2 mod 4)
balanced Boolean functions with maximum absolute value in autocorrelation spectra < 2
n 2 , IEEE Transactions on Information Theory,
64(1):393–402, 2018.
M73 R. L. McFarland, A family of difference sets in non-cyclic groups, Journal
TCT15 D. Tang, C. Carlet and X. Tang, Differentially 4-uniform bijections by
permuting the inverse function, Designs, Codes and Cryptography, 77(1):117–141, 2015.
QTL13 L. Qu, Y. Tan, C. How Tan and C. Li, Constructing differentially
4-uniform permutations over F22k via the switching method, IEEE transactions on information theory, 59(7):4675–4686, 2013.
24 / 24