Bfc a 2006

  • 8/2/2019 Bfc a 2006

    1/22

    AUTOCORRELATION SPECTRA OF BALANCED BOOLEAN FUNCTIONS ON AN ODD NUMBER OF INPUT VARIABLES WITH MAXIMUM ABSOLUTE VALUE $< 2^{(n+1)/2}$

    Selçuk Kavut¹, Subhamoy Maitra² and Melek D. Yücel¹

    ¹ Department of Electrical and Electronics Engineering
    Middle East Technical University, Ankara, Türkiye
    {kavut, melekdy}@metu.edu.tr

    ² Applied Statistics Unit, Indian Statistical Institute
    203 B T Road, Kolkata 700 108, India
    [email protected]

    Outline

    Introduction
    Preliminary Definitions and Rotation Symmetric Boolean Functions (RSBFs)
    Basic Search Algorithm, Cost Function and Time Consumption of the Algorithm
    Best Achieved Results
    Conclusions

    Introduction-1

    At the National Cryptology Conference of Türkiye (2005), we introduced a steepest-descent-like search algorithm for the design of cryptographically strong Boolean functions.

    In this study, we modify our search algorithm and apply it to Rotation Symmetric Boolean Functions (RSBFs).

    We obtain some cryptographically strong functions for input variable lengths 9 and 11, which have the minimum absolute indicators in the literature (i.e., the maximum absolute value of the autocorrelation spectrum).

    Introduction-2

    It has been conjectured (by Zhang & Zheng) that for any balanced function on an odd number of input variables n, absolute indicator $\ge 2^{(n+1)/2}$ (32 for n = 9, and 64 for n = 11).

    The conjecture has been disproved for n = 15 and n = 21 (by Maitra, Sarkar, Gangopadhyay & Keskar) by modifying the Patterson-Wiedemann type functions.

    So far there has been no evidence of such functions for odd n < 15; we present such functions in this study.

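    Preliminary Definitions - 1

    Algebraic Normal Form (ANF):

    $f(x) = a_0 \oplus a_1 x_1 \oplus \dots \oplus a_n x_n \oplus a_{12} x_1 x_2 \oplus a_{13} x_1 x_3 \oplus \dots \oplus a_{12 \dots n} x_1 x_2 \cdots x_n$

    Affine Boolean functions are of degree at most 1.

    $f(x) = w_1 x_1 \oplus w_2 x_2 \oplus \dots \oplus w_n x_n \oplus c = w \cdot x \oplus c$   (1)

    Walsh-Hadamard Transform:

    $F(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{w \cdot x}$   (2)

    Nonlinearity:

    $NL_f = \left( 2^n - \max_{w \in \mathbb{F}_2^n} |F(w)| \right) / 2$   (3)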

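    Preliminary Definitions - 2

    Autocorrelation and Absolute Indicator:

    $r_f(d) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{f(x \oplus d)}$ ,   $\Delta_f = \max_{d \neq 0 \in \mathbb{F}_2^n} |r_f(d)|$   (4)

    Sum of Squares Indicator:

    $SSI_f = \sum_{d \in \mathbb{F}_2^n} r_f(d)^2$   (5)

    Sum of Squared Differences from Bent Spectra:

    $\sum_{d \neq 0} |r_f(d)|^2 = 2^{-n} \sum_{w} |F(w)^2 - 2^n|^2$   (6)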

    The above equation is obtained by using Parseval's relation on the autocorrelation difference from that of a bent function, $e(d) = r_f(d) - r_{bent}(d)$. Then the Walsh transform of $e(d)$ is

    $E(w) = F(w)^2 - 2^n$

    Using Parseval's relation $\sum_{d \neq 0} e(d)^2 = 2^{-n} \sum_{w} E(w)^2$, one obtains

    $\sum_{d \neq 0} |r_f(d)|^2 = 2^{-n} \sum_{w} |F(w)^2 - 2^n|^2$.

    As well as the bias of the probability expression

    $P\{f(x) = w \cdot x\} = (1/2) + (F(w) / 2^{n+1})$

    the bias term in the expression

    $P\{f(x) = f(x \oplus d)\} = (1/2) + (r_f(d) / 2^{n+1})$

    also needs to be minimized.

    So, the absolute indicator

    $\Delta_f = \max_{d \neq 0 \in \mathbb{F}_2^n} |r_f(d)|$

    is an important parameter for Boolean functions, which should be kept as small as possible.
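
An added example, not part of the original slides: the Python code below computes the Walsh spectrum, nonlinearity, autocorrelation, absolute indicator and SSI from definitions (2)-(5), and evaluates both sides of identity (6) so they can be compared. The function names and the constructed sample function x1x2 ⊕ x3 on 3 variables are assumptions chosen for illustration.

```python
def walsh(tt):
    """F(w) = sum_x (-1)^(f(x) xor w.x), computed with the fast butterfly."""
    F = [1 - 2 * b for b in tt]
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def autocorrelation(tt):
    """r_f(d) = sum_x (-1)^(f(x) xor f(x xor d)), straight from definition (4)."""
    N = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ d]) for x in range(N)) for d in range(N)]

def profile(tt):
    """Collect the indicators defined on the slides for a truth table of length 2^n."""
    N = len(tt)
    F, r = walsh(tt), autocorrelation(tt)
    return {
        "balanced": F[0] == 0,
        "nonlinearity": (N - max(abs(v) for v in F)) // 2,       # eq. (3)
        "absolute_indicator": max(abs(v) for v in r[1:]),        # eq. (4)
        "ssi": sum(v * v for v in r),                            # eq. (5)
        "cost_autocorr": sum(v * v for v in r[1:]),              # left side of (6)
        "cost_walsh": sum((v * v - N) ** 2 for v in F) // N,     # right side of (6)
    }

# Constructed sample: f(x) = x1*x2 xor x3, with x1 the least significant bit of x.
SAMPLE = [((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1) for x in range(8)]
PROFILE = profile(SAMPLE)
```

For this sample the shift d = (0,0,1) flips every output, so the absolute indicator reaches its worst value 2^n = 8 even though the function is balanced.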

    Example: RSBF Orbits for n=5

    All cyclically rotated input vectors are mapped to the same value in the truth table. As an example, for a 5-variable function f:

    f(00001) = f(10000) = f(01000) = f(00100) = f(00010)   orbit #1
    f(10001) = f(11000) = f(01100) = f(00110) = f(00011)   orbit #2
    f(10011) = f(11001) = f(11100) = f(01110) = f(00111)   orbit #3
    f(10111) = f(11011) = f(11101) = f(11110) = f(01111)   orbit #4
    f(10010) = f(01001) = f(10100) = f(01010) = f(00101)   orbit #5
    f(10110) = f(01011) = f(10101) = f(11010) = f(01101)   orbit #6
    f(00000)                                               orbit #7
    f(11111)                                               orbit #8

    Therefore, for n = 5, there are $2^8$ RSBFs among $2^{32}$ functions.

    Search Strategy-1

    The strategy uses a steepest-descent-like iterative algorithm.

    At each iteration step, the cost function

    $Cost = 2^{-n} \sum_{w} |F(w)^2 - 2^n|^2 = \sum_{d \neq 0} |r_f(d)|^2$

    is calculated within a pre-defined neighborhood.

    In some rare cases, the cost value does not decrease during the iteration, which gives the algorithm the ability to escape from local minima.

    Search Strategy-2

    The neighborhood is obtained by swapping truth table entries corresponding to possible pairs of equal-size orbits having dissimilar values.

    For instance, 9-variable RSBFs contain
    2 orbits of size 1 (all zero and all 1),
    2 orbits of size 3 [represented by (001001001) & (110110110)],
    and 56 orbits of size 9.

    Therefore, half of the truth table consists of 28 orbits of size 9, one orbit of size 3, and one orbit of size 1 (256 bits = 28x9+3+1).

    In order to constitute the neighborhood, two dissimilar-valued orbits of either size 9, or size 3, or size 1 are swapped.

    Used Neighborhoods for n=9

    Swapped Orbit Sizes             Neighborhood
    1             1                 2
    3             3                 6
    1 and 3       1 and 3           8
    9             9                 18
    1 and 9       1 and 9           20
    3 and 9       3 and 9           24
    1, 3 and 9    1, 3 and 9        26

    Basic Algorithm

    f = f_initial
    do k = 1:N {
        do i = 1:M {
            Swap equal-size orbits of f        (to preserve balancedness)
            SET[i] = f_swapped
            COST[i] = cost_swapped
        }
        Find cost_min (= min. cost_swapped in COST) and respective f_min in SET
        while (f_min is already in STORE) {
            Remove cost_min from COST and f_min from SET
            Find cost_min in COST and respective f_min in SET
        }
        STORE[k] = f_min
        f = f_min
    }
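
An added example, not the authors' code: a compact Python version of the orbit decomposition, the equal-size orbit swap neighborhood and the basic algorithm above, sized for small odd n. The function names, the starting function and the choice to record the starting function in STORE are assumptions; the cost is the autocorrelation form given under Search Strategy-1.

```python
def orbits(n):
    """Partition {0,1}^n (as integers) into orbits under cyclic rotation."""
    mask, seen, out = (1 << n) - 1, set(), []
    for x in range(1 << n):
        if x not in seen:
            orb, y = [], x
            while y not in orb:
                orb.append(y)
                y = ((y << 1) | (y >> (n - 1))) & mask
            seen.update(orb)
            out.append(orb)
    return out

def table(vals, orbs):
    """Expand one output bit per orbit into the full truth table."""
    tt = [0] * sum(len(o) for o in orbs)
    for v, orb in zip(vals, orbs):
        for x in orb:
            tt[x] = v
    return tt

def cost(tt):
    """Cost from the slides, autocorrelation side: sum of r_f(d)^2 over d != 0."""
    N = len(tt)
    return sum(sum(1 - 2 * (tt[x] ^ tt[x ^ d]) for x in range(N)) ** 2
               for d in range(1, N))

def search(n, steps):
    orbs, by_size = orbits(n), {}
    for i, o in enumerate(orbs):
        by_size.setdefault(len(o), []).append(i)
    # Assumed start: per orbit size, the first half of the orbits output 1 (balanced for odd n).
    ones = {i for idx in by_size.values() for i in idx[: len(idx) // 2]}
    f = tuple(int(i in ones) for i in range(len(orbs)))
    store, best = {f}, (cost(table(f, orbs)), f)
    for _ in range(steps):
        cand = []
        for idx in by_size.values():          # swap two equal-size orbits with values 1 and 0
            for i in (a for a in idx if f[a]):
                for j in (b for b in idx if not f[b]):
                    g = tuple(1 - v if k in (i, j) else v for k, v in enumerate(f))
                    if g not in store:        # skip functions already visited (STORE)
                        cand.append((cost(table(g, orbs)), g))
        if not cand:
            break
        c, f = min(cand)                      # best unseen neighbour, even if worse than f
        store.add(f)
        best = min(best, (c, f))
    return best, orbs
```

`search(5, 10)` returns the lowest-cost balanced RSBF seen (as one bit per orbit) together with the orbit list; `orbits(9)` reproduces the 2 + 2 + 56 orbit count quoted for n = 9.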

    Time Consumption of the Algorithm

    N = 40,000 for n = 9, and N = 100,000 for n = 11.

    Average search time for one run on a computer with

    Pentium IV 2.8 GHz processor and 248 MB RAM is:

    27 minutes for n = 9,

    and 29.5 hours for n = 11.

    For n = 9, there were 9 successes in 25 runs, and

    for n = 11, there were 2 successes within 50 runs.

    Comparison with Some References

    (number of variables, resiliency, degree, nonlinearity, absolute indicator)

    Johansson and Pasalic   (9, 1, 4, 240, ), (11, 1, 5, 992, )
    Maximov et al.          (11, 1, 6, 992, 240)
    Maitra                  (9, , , 240, 32), (11, , , 992, 64)
    Clark et al.            (9, 1, 7, 236, 40), (11, 1, 9, 984, 96)
    Ours                    (9, 1, 7, 240, 24), (11, 1, 8, 992, 64)
                            (9, 0, 7, 240, 24)*, (11, 0, 10, 988, 56)*

    (*) Table elements marked by * have the additional property of PC(1).

    Comparison of Some 1-Resilient Functions Presented Yesterday & Today at BFCA06

    (number of variables, resiliency, degree, nonlinearity, absolute indicator)

    Some Known Functions   (8, 1, 6, 116, 24)   (9, 1, 7, 240, )     (10, 1, 8, 488, )
    Open                   (8, , , 118, )       (9, , , 242, )       (10, 1, 8, 492, )
    Yesterday (Annas)                           (9, 1, , 240, )      (10, 1, , 480, )
    Today (Ours)           (8, 1, 6, 116, 16)   (9, 1, 7, 240, 24)   (10, 1, 8, 488, 32)

    Conclusions

    We have exploited a properly modified steepest-descent based iterative heuristic search in RSBFs.

    For the first time, we could attain balanced Boolean functions on 9, 11 variables with absolute indicator $< 2^{(n+1)/2}$.

    We expect to come up with still more interesting results for n = 13.
