Selçuk Kavut 1 , Subhamoy Maitra 2 and Melek D. Yücel 1


AUTOCORRELATION SPECTRA OF BALANCED BOOLEAN FUNCTIONS ON AN ODD NUMBER OF INPUT VARIABLES WITH MAXIMUM ABSOLUTE VALUE < $2^{(n+1)/2}$. Selçuk Kavut 1, Subhamoy Maitra 2 and Melek D. Yücel 1 - PowerPoint PPT Presentation

Transcript of Selçuk Kavut 1 , Subhamoy Maitra 2 and Melek D. Yücel 1

Page 1: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

AUTOCORRELATION SPECTRA OF BALANCED BOOLEAN FUNCTIONS ON AN ODD NUMBER OF INPUT VARIABLES WITH MAXIMUM ABSOLUTE VALUE < $2^{(n+1)/2}$

Selçuk Kavut 1, Subhamoy Maitra 2 and Melek D. Yücel 1

1 Department of Electrical and Electronics Engineering, Middle East Technical University, Ankara, Türkiye

{kavut, melekdy}@metu.edu.tr

2 Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata 700 108, India

[email protected]@isical.ac.in

Page 2: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Outline

Introduction

Preliminary Definitions and Rotation Symmetric Boolean Functions (RSBFs)

Basic Search Algorithm, Cost Function and Time Consumption of the Algorithm

Best Achieved Results

Conclusions

Page 3: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Introduction-1

In the National Cryptology Conference of Türkiye (2005), we introduced a steepest-descent like search algorithm for the design of cryptographically strong Boolean functions.

In this study, we modify our search algorithm and apply it to Rotation Symmetric Boolean Functions (RSBFs).

We obtain some cryptographically strong functions for input variable lengths 9 and 11, which have the minimum absolute indicators in the literature (i.e., the maximum absolute value of the autocorrelation spectrum).

Page 4: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Introduction-2

It has been conjectured (by Zhang & Zheng) that for any balanced function on an odd number of input variables n, absolute indicator $\ge 2^{(n+1)/2}$ (32 for n = 9, and 64 for n = 11).

The conjecture has been disproved for n = 15, and n = 21 (by Maitra, Sarkar, Gangopadhyay & Keskar) modifying the Patterson-Wiedemann type functions.

So far there is no evidence of such functions for odd n < 15, which we present in this study.

Page 5: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Outline

Introduction

Preliminary Definitions and Rotation Symmetric Boolean Functions (RSBFs)

Basic Search Algorithm, Cost Function and Time Consumption of the Algorithm

Best Achieved Results

Conclusions

Page 6: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Preliminary Definitions - 1

Algebraic Normal Form (ANF):

$f(x) = a_0 \oplus a_1 x_1 \oplus \dots \oplus a_n x_n \oplus a_{12} x_1 x_2 \oplus a_{13} x_1 x_3 \oplus \dots \oplus a_{12 \dots n} x_1 x_2 \cdots x_n$

Affine Boolean functions are of degree at most 1:

$f(x) = w_1 x_1 \oplus w_2 x_2 \oplus \dots \oplus w_n x_n \oplus c = w \cdot x \oplus c$ (1)

Walsh Hadamard Transform:

$F(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{w \cdot x}$ (2)

Nonlinearity:

$NL_f = \left( 2^n - \max_{w \in \mathbb{F}_2^n} |F(w)| \right) / 2$ (3)

Page 7: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Preliminary Definitions - 2

Autocorrelation and Absolute Indicator:

$r_f(d) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{f(x \oplus d)}$, $\Delta_f = \max_{d \ne 0 \in \mathbb{F}_2^n} |r_f(d)|$ (4)

Sum of Squares Indicator:

$SSI_f = \sum_{d \in \mathbb{F}_2^n} r_f(d)^2$ (5)

Sum of Squared Differences from Bent Spectra:

$\sum_{d \ne 0} |r_f(d)|^2 = 2^{-n} \sum_{w} |F(w)^2 - 2^n|^2$ (6)

Page 8: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

The above equation is obtained by using Parseval's relation on the autocorrelation difference from that of a bent function,

$e(d) = r_f(d) - r_{bent}(d)$. Then the Walsh transform of $e(d)$ is

$E(w) = F(w)^2 - 2^n$.

Using Parseval's relation

$\sum_{d \ne 0} e(d)^2 = 2^{-n} \sum_{w} E(w)^2$, one obtains

$\sum_{d \ne 0} |r_f(d)|^2 = 2^{-n} \sum_{w} |F(w)^2 - 2^n|^2$.

Page 9: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

As well as the bias of the probability expression

$P\{ f(x) = w \cdot x \} = (1/2) + (F(w) / 2^{n+1})$

the bias term in the expression

$P\{ f(x) = f(x \oplus d) \} = (1/2) + (r_f(d) / 2^{n+1})$ also needs to be minimized.

So, the absolute indicator

$\Delta_f = \max_{d \ne 0 \in \mathbb{F}_2^n} |r_f(d)|$

is an important parameter for Boolean functions, which should be kept as small as possible.
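
The quantities in equations (2) to (6), computed on small truth tables so that identity (6) can be checked numerically. This is an added example, not code from the presentation; the function names and the two sample functions (a 4-variable bent function and the 5-variable majority function) are constructed for illustration.

```python
def walsh(tt):
    """Fast Walsh-Hadamard transform of (-1)^f(x); returns the list F(w), eq. (2)."""
    F = [1 - 2 * b for b in tt]
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def autocorrelation(tt):
    """r_f(d) = sum_x (-1)^(f(x) xor f(x xor d)), eq. (4), by direct summation."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ d]) for x in range(size))
            for d in range(size)]

def nonlinearity(tt):
    """NL_f = (2^n - max_w |F(w)|) / 2, eq. (3)."""
    return (len(tt) - max(abs(v) for v in walsh(tt))) // 2

def absolute_indicator(tt):
    """Delta_f = max over d != 0 of |r_f(d)|, eq. (4)."""
    return max(abs(v) for v in autocorrelation(tt)[1:])

def cost_both_sides(tt):
    """Both sides of eq. (6): (sum_{d!=0} r_f(d)^2, 2^-n sum_w (F(w)^2 - 2^n)^2)."""
    size = len(tt)
    lhs = sum(v * v for v in autocorrelation(tt)[1:])
    rhs = sum((v * v - size) ** 2 for v in walsh(tt)) // size
    return lhs, rhs

# Constructed sample functions; input x is an integer whose bits are x_1..x_n.
BENT4 = [(x & (x >> 1) & 1) ^ ((x >> 2) & (x >> 3) & 1) for x in range(16)]
MAJ5 = [1 if bin(x).count("1") >= 3 else 0 for x in range(32)]

if __name__ == "__main__":
    for name, tt in (("bent4", BENT4), ("maj5", MAJ5)):
        print(name, nonlinearity(tt), absolute_indicator(tt), cost_both_sides(tt))
```

For the bent function both sides of (6) are zero, which is why the cost used later in the search measures the distance from a bent spectrum.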

Page 10: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Rotation Symmetric Boolean Functions (RSBFs)

Let x(k) be k times cyclically shifted form of the n-variable vector x. The set $G_n(x) = \{ x(k) \mid 0 \le k \le n \}$ is called an orbit. The number of such orbits is approximately $2^n/n$.

An n-variable Boolean function f(x) is called Rotation Symmetric if for each input x, f(x) = f(x(k)) for $1 \le k \le n$.

The number of RSBFs ($2^{2^n/n}$) is much smaller than the total number ($2^{2^n}$) of n-variable Boolean functions. Moreover, since the class of RSBFs is rich in terms of cryptographic strength, heuristic search gives fruitful results.

Page 11: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Example: RSBF Orbits for n = 5

All cyclically rotated input vectors are mapped to the same value in the truth table. As an example, for a 5 variable function f:

f(00001) = f(10000) = f(01000) = f(00100) = f(00010)    orbit #1

f(10001) = f(11000) = f(01100) = f(00110) = f(00011)    orbit #2

f(10011) = f(11001) = f(11100) = f(01110) = f(00111)    orbit #3

f(10111) = f(11011) = f(11101) = f(11110) = f(01111)    orbit #4

f(10010) = f(01001) = f(10100) = f(01010) = f(00101)    orbit #5

f(10110) = f(01011) = f(10101) = f(11010) = f(01101)    orbit #6

f(00000)    orbit #7

f(11111)    orbit #8

Therefore, for n = 5, there are $2^8$ RSBFs among $2^{32}$ functions.

Page 12: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Outline

Introduction

Preliminary Definitions and Rotation Symmetric Boolean Functions (RSBFs)

Basic Search Algorithm, Cost Function and Time Consumption of the Algorithm

Best Achieved Results

Conclusions

Page 13: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Search Strategy-1

The strategy uses a steepest-descent like iterative algorithm.

At each iteration step, the cost function

Cost = $2^{-n} \sum_{w} |F(w)^2 - 2^n|^2 = \sum_{d \ne 0} |r_f(d)|^2$

is calculated within a pre-defined neighborhood.

In some rare cases, the cost value does not decrease during the iteration, which gives the algorithm the ability to escape from local minima.

Page 14: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Search Strategy-2

The neighborhood is obtained by swapping truth table entries corresponding to possible pairs of equal-size orbits having dissimilar values.

For instance, 9 variable RSBFs contain

2 orbits of size 1 (all zero and all 1),

2 orbits of size 3 [represented by (001001001) & (110110110)],

and 56 orbits of size 9.

Therefore, half of the truth table consists of 28 orbits of size 9, one orbit of size 3, and one orbit of size 1 (256 bits = 28x9+3+1).

In order to constitute the neighborhood, two dissimilar-valued orbits of either size 9, or size 3, or size 1 are swapped.

Page 15: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Used Neighborhoods for n = 9

Swapped Orbit Sizes    Neighborhood
1                      2
3                      6
1 and 3                8
9                      18
1 and 9                20
3 and 9                24
1, 3 and 9             26

Page 16: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Basic Algorithm

    f = f_initial
    do k = 1:N {
        do i = 1:M {
            Swap equal-size orbits of f        (to preserve balancedness)
            SET_f[i] = f_swapped
            COST[i] = cost_swapped
        }
        Find cost_min (= min. cost_swapped in COST) and respective f_min in SET
        while (f_min is already in STORE) {
            Remove cost_min from COST and f_min from SET
            Find cost_min in COST and respective f_min in SET
        }
        STORE[k] = f_min
        f = f_min
    }
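
A small-scale run of the orbit partition and the basic algorithm above, for n = 5 where the 8 orbits of the earlier example apply. This is an added example, not the authors' implementation: the function names and the starting function are constructed, the cost is the right-hand side $\sum_{d \ne 0} |r_f(d)|^2$ computed by direct summation, and already-stored functions are filtered out while the neighborhood is built rather than after the minimum is found.

```python
from itertools import combinations

def orbits(n):
    """Partition {0..2^n-1} into orbits under cyclic rotation of the n input bits."""
    mask = (1 << n) - 1
    seen, out = set(), []
    for x in range(1 << n):
        if x in seen:
            continue
        orb, y = [x], ((x << 1) | (x >> (n - 1))) & mask
        while y != x:
            orb.append(y)
            y = ((y << 1) | (y >> (n - 1))) & mask
        seen.update(orb)
        out.append(orb)
    return out

def cost(vals, orbs, n):
    """Sum over d != 0 of r_f(d)^2 for the RSBF that takes vals[i] on orbit i."""
    size = 1 << n
    tt = [0] * size
    for v, orb in zip(vals, orbs):
        for x in orb:
            tt[x] = v
    return sum(sum(1 - 2 * (tt[x] ^ tt[x ^ d]) for x in range(size)) ** 2
               for d in range(1, size))

def search(vals, orbs, n, steps):
    """Each step moves to the cheapest neighbour that is not yet in STORE."""
    f, store = tuple(vals), set()
    best = (cost(f, orbs, n), f)
    for _ in range(steps):
        cand = []
        for i, j in combinations(range(len(orbs)), 2):
            if len(orbs[i]) == len(orbs[j]) and f[i] != f[j]:
                g = list(f)
                g[i], g[j] = g[j], g[i]   # swap two dissimilar equal-size orbits
                if tuple(g) not in store:
                    cand.append((cost(g, orbs, n), tuple(g)))
        if not cand:
            break
        c, f = min(cand)                  # may be worse than the current cost
        store.add(f)
        best = min(best, (c, f))
    return best, store

ORBS5 = orbits(5)
INIT5 = (0, 1, 1, 1, 0, 0, 0, 1)          # constructed balanced start (weight 16)
```

Calling `search(INIT5, ORBS5, 5, 20)` returns the best (cost, orbit values) pair seen and the set of visited functions; every visited function keeps weight 16 because only equal-size orbits with different values are exchanged.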

Page 17: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Time Consumption of the Algorithm

N = 40,000 for n = 9, and N = 100,000 for n = 11.

Average search time for one run on a computer with Pentium IV 2.8 GHz processor and 248 MB RAM is:

27 minutes for n = 9,

and 29.5 hours for n = 11.

For n = 9, there were 9 successes in 25 runs, and for n = 11, there were 2 successes within 50 runs.

Page 18: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Outline

Introduction

Preliminary Definitions and Rotation Symmetric Boolean Functions (RSBFs)

Basic Search Algorithm, Cost Function and Time Consumption of the Algorithm

Best Achieved Results

Conclusions

Page 19: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Comparison with Some References

(number of variables, resiliency, degree, nonlinearity, absolute indicator)

Johansson and Pasalic    (9, 1, 4, 240, ), (11, 1, 5, 992, )
Maximov et al.           (11, 1, 6, 992, 240)
Maitra                   (9, , , 240, 32), (11, , , 992, 64)
Clark et al.             (9, 1, 7, 236, 40), (11, 1, 9, 984, 96)
Ours                     (9, 1, 7, 240, 24), (11, 1, 8, 992, 64)
                         (9, 0, 7, 240, 24)*, (11, 0, 10, 988, 56)*

(*) Table elements marked by * have the additional property of PC(1).

Page 20: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Comparison of Some 1-Resilient Functions Presented Yesterday & Today at BFCA'06

(number of variables, resiliency, degree, nonlinearity, absolute indicator)

Some Known Functions    (8, 1, 6, 116, 24)    (9, 1, 7, 240, )     (10, 1, 8, 488, )
Open                    (8, , , 118, )        (9, , , 242, )       (10, 1, 8, 492, )
Yesterday (Anna's)                            (9, 1, , 240, )      (10, 1, , 480, )
Today (Ours)            (8, 1, 6, 116, 16)    (9, 1, 7, 240, 24)   (10, 1, 8, 488, 32)

Page 21: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Conclusions

We have exploited a properly modified steepest-descent based iterative heuristic search in RSBFs.

For the first time, we could attain balanced Boolean functions on 9, 11 variables with absolute indicator < $2^{(n+1)/2}$.

We expect to come up with still more interesting results for n = 13.

Page 22: Selçuk Kavut 1 ,  Subhamoy Maitra 2  and Melek D. Yücel 1

Thank you for your attention!