Title: Cryptography, Attacks and Countermeasures Lecture 4 Boolean Functions
1. Cryptography, Attacks and Countermeasures
Lecture 4 Boolean Functions
- John A Clark and Susan Stepney
- Dept. of Computer Science
- University of York, UK
- jac,susan_at_cs.york.ac.uk
2. Stream Cipher Components
- Boolean Functions
- Typical Security Related Criteria
- Non-linearity.
- Correlation immunity
- Algebraic degree.
- Tradeoffs
- Will give a linear algebra treatment.
- Pythagoras's theorem!
3. Boolean Functions
- A Boolean function $f: \{0,1\}^n \to \{0,1\}$
[Table: x, f(x), and f(x) in polar representation]
Can view BF as vector in $\mathbb{R}^{2^n}$
4. Boolean Functions - Algebraic Normal Form (ANF)
- A Boolean function on n inputs can be represented in minimal sum (XOR $\oplus$) of products (AND .) form
- This is the algebraic normal form of the function.
- The algebraic degree of the function is the size of the largest subset of inputs (i.e. the number of $x_j$ in it) associated with a non-zero coefficient.
- 1 is a constant function (as is 0)
- $x_1 \oplus x_3 \oplus x_5$ is a linear function
- $x_1.x_3 \oplus x_5$ is a quadratic function
- $x_1.x_3.x_5 \oplus x_4 \oplus x_5 \oplus x_2$ is a cubic function
$f(x_1,\ldots,x_n) = a_0 \oplus a_1.x_1 \oplus \cdots \oplus a_n.x_n \oplus a_{1,2}.x_1.x_2 \oplus \cdots \oplus a_{n-1,n}.x_{n-1}.x_n \oplus \cdots \oplus a_{1,2,\ldots,n}.x_1.x_2 \cdots x_n$
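5. Generating ANF
- Given $f(x_1,\ldots,x_n)$ it is fairly straightforward to derive the ANF. Consider the general form
- The constant term $a_0$ is easily derived.
- $a_0 = f(0,0,\ldots,0)$
- We can now determine $a_k$ by considering
- $f(1,\ldots,0,0,0) = a_0 \oplus a_1 x_1 = a_0 \oplus a_1$ and so $a_1 = a_0 \oplus f(1,\ldots,0,0,0)$
- $f(0,1,0,\ldots,0,0) = a_0 \oplus a_2 x_2 = a_0 \oplus a_2$ and so $a_2 = a_0 \oplus f(0,1,0,\ldots,0,0)$.
- $f(0,0,0,\ldots,0,1) = a_0 \oplus a_n x_n = a_0 \oplus a_n$ and so $a_n = a_0 \oplus f(0,0,0,\ldots,0,1)$
- We can now determine $a_{j,k}$ by considering
- $f(1,1,0,\ldots,0) = a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus a_{1,2} x_1 x_2 = a_0 \oplus a_1 \oplus a_2 \oplus a_{1,2}$ and so $a_{1,2} = a_0 \oplus a_1 \oplus a_2 \oplus f(1,1,0,\ldots,0)$ and so on.
$f(x_1,\ldots,x_n) = a_0 \oplus a_1.x_1 \oplus \cdots \oplus a_n.x_n \oplus a_{1,2}.x_1.x_2 \oplus \cdots \oplus a_{n-1,n}.x_{n-1}.x_n \oplus \cdots \oplus a_{1,2,\ldots,n}.x_1.x_2 \cdots x_n$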
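The coefficient-by-coefficient derivation on slide 5, generalised to all subsets of inputs, as an added example that is not part of the original lecture. The bit-mask indexing and the function names are assumptions of this example.

```python
def truth_table(f, n):
    # Index convention (an assumption of this example): bit i of x is input x_(i+1).
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def anf_coefficients(tt):
    """Return a[S] for every subset S of inputs (S encoded as a bit mask).

    Slide 5 solves a_0, then a_k, then a_{j,k} one at a time; carried through
    to the end that gives a[S] = XOR of f(x) over all x whose set bits lie in
    S, which the in-place butterfly below computes for all S at once.
    """
    a = list(tt)
    n = (len(a) - 1).bit_length()
    if len(a) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    for i in range(n):
        for s in range(len(a)):
            if s & (1 << i):
                a[s] ^= a[s ^ (1 << i)]
    return a

def algebraic_degree(coeffs):
    # Size of the largest input subset with a non-zero coefficient.
    return max((bin(s).count("1") for s, c in enumerate(coeffs) if c), default=0)

def anf_string(coeffs):
    n = (len(coeffs) - 1).bit_length()
    terms = [".".join(f"x{i + 1}" for i in range(n) if s >> i & 1) or "1"
             for s, c in enumerate(coeffs) if c]
    return " + ".join(terms) or "0"   # "+" stands for XOR here

# The three example functions from slide 4, on five inputs.
LINEAR = truth_table(lambda x1, x2, x3, x4, x5: x1 ^ x3 ^ x5, 5)
QUADRATIC = truth_table(lambda x1, x2, x3, x4, x5: (x1 & x3) ^ x5, 5)
CUBIC = truth_table(lambda x1, x2, x3, x4, x5: (x1 & x3 & x5) ^ x4 ^ x5 ^ x2, 5)

if __name__ == "__main__":
    for name, tt in (("linear", LINEAR), ("quadratic", QUADRATIC), ("cubic", CUBIC)):
        a = anf_coefficients(tt)
        print(name, algebraic_degree(a), anf_string(a))
```

Applying `anf_coefficients` to its own output returns the truth table again, which is a quick self-check when recovering the ANF of a combining function from a table.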
6. Vectors and their Representations
- Boolean functions can be regarded as vectors in $\mathbb{R}^{2^n}$.
- Boolean functions are vectors with elements 1 or -1.
- Any vector space has a basis set of vectors.
- Given any vector v it can always be expressed UNIQUELY as a weighted sum of the vectors in the basis set.
- Thus in 3-D we have the following standard basis
- Others are possible
7. Orthonormal Basis
- If the basis vectors are orthogonal and each have
norm (length) 1 we say that they form an
orthonormal basis. We can express any vector in
terms of its projections onto each of the basis
vectors.
8. Creating Orthonormal Basis
- Given a basis you can always turn it into an orthonormal basis using the Gram-Schmidt procedure. (We won't go into details).
- Given an orthogonal basis you can always create an orthonormal one by dividing each vector by its norm.
- In 2-D, the following are clearly orthogonal
- We can form an orthonormal basis
9. N-Dimensional vectors
- To normalise an n-dimensional vector we proceed
in the same way. The norm is the square root of
the sum of squares of its elements
10. Linear Functions
- Recall that for any w in $0..(2^n-1)$ we can define a linear function for all x in $0..(2^n-1)$ by
  where w and x are simply sequences of bits
- We will use natural decimal indexing where convenient, e.g.
11. Polar Form of Linear Functions
- The polar form of a linear function is just a vector of 1 and -1 elements defined by
12. Orthonormal Basis of Linear Functions
Columns are polar forms of functions
13. Balance
New improved slide
- One criterion that we might desire for a combining function is balance.
- there are an equal number of 0s and 1s in the truth table form.
- there are an equal number of 1s and -1s in the polar form.
- The polar form has elements that sum to 0.
- Or, if you take the dot product of the polar form of a function with the constant function comprising all 1s, the result is 0.
14. Linear Functions are Balanced
- Each linear function has an equal number of 1s and -1s (and so is a balanced function).
- The sum of elements in a column is just
- Is it obvious that this will always produce a sum to zero, whatever the value of w?
- Consider w with k bits set (w.l.o.g. consider the first k bits as set).
- Now consider x as it varies over its whole range.
- Can you partition the x into two equal sets that give opposite values of the $L_w(x)$?
- (Consider the $x_1$ component.)
15. Linear Functions are Balanced
16. Linear Functions are Orthogonal
- Dissimilar linear functions are orthogonal. Consider the dot product of any two columns of the 8 x 8 matrix given earlier. The result is 0.
- To see why, consider two linear functions $x_1 \oplus x_3$ and $x_2 \oplus x_3$. The dot product is given by
17. Orthonormal Basis with Linear Functions
- The linear functions are vectors of $2^n$ elements each of which is 1 or -1. The norm is therefore
- Thus we can form an orthonormal basis set
18. Representing Functions
- Since a function f is just a vector and we have an orthonormal basis, we can represent it as the sum of projections onto the elements of that basis.
This is the signed magnitude of the projection onto the linear function
This is called the Walsh Hadamard function
19. Security Criteria - Balance
- Various desirable properties of functions are expressed in terms of the Walsh Hadamard function values.
- Balance: equal numbers of trues and falses, or 1s and -1s in the polar form.
- Saw that the projection onto the constant function should be 0.
20. Security Criteria
- We saw that functions that looked like (agreed with) linear functions too much were a problem.
- But a measure of "agreed with" is fairly easily calculable (Hamming distance with linear function in usual bit form).
- In polar form, we simply take the dot product with the linear function.
- What sort of function f agrees most with the linear function $L_w$?
Yes, when $f = L_w$ all the elements agree
21. Security Criteria - Non-linearity
- Also if they all disagree, i.e. $f = \text{NOT } L_w$, we can form another function that agrees with $L_w$ entirely by negating f. Or in other words $f \oplus 1$
- A function f that has minimal useful agreement (i.e. 50% agreement) with $L_w$ has Hamming distance of $2^n/2$ with it. Or, in polar terms (each is 1 or -1), half the elements agree and half disagree
22. Security Criteria - Non-linearity
- Well, if correlation with linear functions is a bad idea let's have all such correlations being equal to 0, i.e. choose f such that the projections onto all linear functions are 0.
- Would if I could, but I can't. Why is this NOT possible?
23. Back in Mundane World of 3-D
- In 3-D is there a vector that has a null projection onto the x-axis?
- Is there a vector that has a null projection onto each of the x and y axes?
- Is there a vector that has a null projection onto each of the x, y and z axes?
24. Security Criteria
- Because we have a basis set of linear functions. If a vector has a null projection onto all of them it is the zero-vector.
- A Boolean function is not a zero-vector. It must have projections onto some of the linear functions.
- But some projections are more harmful than others from the point of view of the correlation attacks.
- Those correlations with single inputs are particularly dangerous, followed by correlations with linear functions of two inputs etc.
25. Security Criteria - Correlation Immunity
- Correlations with single inputs correspond to projections onto the $L_w$ where the w has only a single bit set. For three inputs, we might require
- Similarly, correlations with linear functions on two inputs correspond to the projections onto linear functions $L_w$ where the w has only two bits set.
26. Security Criteria - Correlation Immunity
- If a function has a null projection onto all linear $L_w$ functions with 1,2,..,k bits set in w (i.e. it is uncorrelated with any subset of k or fewer inputs) the function is said to be correlation immune of order k.
- Or put another way
- If it is also balanced then we say it is resilient.
27. Non-linearity
- For a variety of reasons (there are other attacks that exploit linearity) we would like to keep the degree of agreement with any linear function as low as possible.
- So if we cannot have all that we want (all projections 0) perhaps we might try to keep the worst agreement to a minimum.
- This leads to the definition of the non-linearity of a function.
- We want to keep the Hamming distance to any linear function (or its negation) as close to 2(n/2) as possible.
- Or, keep the maximum absolute value of any projection on a linear function to a minimum.
Keep the following as low as possible
28. Non-linearity
- Non-linearity is defined by
- It seeks to minimise the worst absolute value of the projection onto any linear function.
- But what is the maximum value we can get for non-linearity?
29. Boolean Functions
f(x): -1, 1, 1, 1, -1, 1, -1, -1
We can project these vectors onto a basis of $2^n$ orthogonal (Boolean function) vectors $L_0, \ldots, L_{2^n-1}$, where $L_w(x) = w_1 x_1 \oplus \cdots \oplus w_n x_n$
Each point on the $2^n$ dimension hyper-sphere surface has a standard vector representation and a spectral representation in terms of its Walsh Hadamard values.
30. Norm of a Vector
- The square of the length of the vector is just the sum of squares of its projection magnitudes onto the orthonormal basis.
- Thus, for 2-D we have the usual Pythagoras rule
[Figure: triangle with sides a, b, c]
31. Norm of a Boolean Vector
- The square of the norm of a Boolean vector is just $2^n$.
- But we know that this is just the sum of the squares of the projections onto the orthonormal basis
32. Parseval's Theorem
- Parseval's Theorem. This is really a form of Pythagoras's theorem.
- This means that if we reduce the magnitude of one of the F(w) another must increase in magnitude.
33. Bent Functions Maximise Non-linearity
- Researched first by Rothaus. These functions maximise non-linearity and are functions on even numbers of variables.
- Bent functions have projection magnitudes of the same size (but with different signs)
But this includes projection onto the constant function => not a balanced function. If you want maximum non-linearity, you cannot have balance.
34. Correlation Immunity and Non-linearity
- Let's look again at Parseval's theorem
- Now if we want correlation immunity of order k
- Then the F(w) of some of the remaining ($w > k$) must increase in magnitude. But this increases non-linearity.
Non-linearity and correlation immunity are in conflict.
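An added example (not from the lecture) that computes the Walsh Hadamard values and the criteria of slides 19 to 34 for three constructed 4-input functions, so the trade-off can be read off the numbers. It assumes the standard unnormalised definitions: polar form $(-1)^{f(x)}$, $F(w) = \sum_x \hat{f}(x)\hat{L}_w(x)$, non-linearity $(2^n - \max_w |F(w)|)/2$, and Parseval as $\sum_w F(w)^2 = 2^{2n}$; all names are this example's own.

```python
def truth_table(f, n):
    # Index convention (an assumption of this example): bit i of x is input x_(i+1).
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def walsh_hadamard(tt):
    """F(w) = sum over x of polar f(x) times polar L_w(x), for every w."""
    F = [1 - 2 * bit for bit in tt]          # polar form: 0 -> 1, 1 -> -1
    h = 1
    while h < len(F):                        # fast transform, n * 2^n steps
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def profile(tt):
    F = walsh_hadamard(tt)
    size, n = len(F), len(F).bit_length() - 1
    # Correlation immunity: largest k with F(w) = 0 whenever 1 <= weight(w) <= k.
    k = 0
    while k < n and all(F[w] == 0 for w in range(size) if bin(w).count("1") == k + 1):
        k += 1
    return {
        "balanced": F[0] == 0,               # null projection onto the constant function
        "nonlinearity": (size - max(abs(v) for v in F)) // 2,
        "ci_order": k,
        "parseval": sum(v * v for v in F) == size * size,
        "magnitudes": sorted({abs(v) for v in F}),
    }

# Constructed sample functions on four inputs.
BENT = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4), 4)
MIXED = truth_table(lambda x1, x2, x3, x4: x1 ^ x2 ^ (x3 & x4), 4)
PARITY = truth_table(lambda x1, x2, x3, x4: x1 ^ x2 ^ x3 ^ x4, 4)

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("mixed", MIXED), ("parity", PARITY)):
        print(name, profile(tt))
```

The bent function reaches non-linearity 6 but is unbalanced with correlation immunity 0, the mixed function is balanced and correlation immune of order 1 at non-linearity 4, and the parity function is correlation immune of order 3 at non-linearity 0.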
35. Other Criteria - Algebraic Degree
- All other things being equal, we would prefer more complex functions to simpler ones. One aspect that is of interest is the algebraic degree of the function.
- We would typically like this to be as high as possible.
- It can be shown (not here) that there is a conflict with correlation immunity.
- Siegenthaler has shown that for function f on n variables with correlation immunity of order m and algebraic degree d, we must have $m + d \le n$
- For balanced functions we must have $m + d \le n - 1$
36. Further Structure
- There is another structure that can be exploited. It is a form of correlation between outputs corresponding to inputs that are related in a straightforward way.
- This is autocorrelation.
Bitwise XOR
37. Tradeoffs
- We begin to see the sorts of problems cryptographers face.
- There are many different forms of attack. Protecting against one in an ideal way may allow another form of attack.
- Life is an unending series of tradeoffs.
- However, given the mathematical constraints, we might still want to achieve the best profile of properties we can.
- A lot of Boolean function research seeks constructions to derive such functions.
38. No Such Thing As A Secure Boolean Function
- There is no such thing as a secure Boolean function.
- There may be functions that are appropriate to be used in particular contexts to give a secure system.
- However, the treatment here shows quite effectively that life is not easy and that compromises have to be made.
- Nice treatment in terms of vector algebra and security criteria being defined in terms of subspaces of a vector space of $\mathbb{R}^{2^n}$.