Boolean Functions and S-Boxes
$f : F_2^n \to F_2$
$f(x) \in F_2$, $(x_1, x_2, \ldots, x_n) \in F_2^n$
Vectors of $F_2^n$:
$\alpha_0 = (0, 0, \ldots, 0)$
$\alpha_1 = (0, 0, \ldots, 1)$
...
$\alpha_{2^n-1} = (1, 1, \ldots, 1)$

Boolean Function
The binary sequence $(f(\alpha_0), f(\alpha_1), \ldots, f(\alpha_{2^n-1}))$ is called the truth table of the function f.
For example, consider $f(x_1, x_2, x_3) = x_1x_2 + x_2x_3 + x_3$:

$x_3$  $x_2$  $x_1$   $f(x_1, x_2, x_3)$
0    0    0     0
0    0    1     0
0    1    0     0
0    1    1     1
1    0    0     1
1    0    1     1
1    1    0     0
1    1    1     1

Some more Definitions
Algebraic Normal Form (ANF):
For a table S with n input bits and a single bit of output or equivalently for the associated Boolean function f on n bits, another very interesting representation is to write the Boolean function f as a polynomial in n variables over the polynomial ring $F_2[x_0, x_1, \ldots, x_{n-1}]$. This representation is called the algebraic normal form of f and has many applications in cryptography and coding theory. In particular, for a cryptanalyst, it is often interesting, in the context of algebraic cryptanalysis, to look at the degree of the algebraic normal form of f.
More precisely, the algebraic normal form of f is obtained by writing:
$f(x_0, \ldots, x_{n-1}) = \bigoplus_{(a_0, \ldots, a_{n-1}) \in F_2^n} g(a_0, \ldots, a_{n-1}) \prod_i x_i^{a_i}$
The function g giving the coefficient of the polynomial in the equation above is called the Moebius transform of the Boolean function f. Since g is also a Boolean function, Moebius transforms can be computed by using operations on bits only.

ANF
ANF Algorithm
1. Set $g(x_1, x_2, \ldots, x_n) = f(0, 0, \ldots, 0)$
2. For k = 1 to $2^n - 1$ do
3. Compute the binary representation of the integer k: $k = b_1 2^{n-1} + b_2 2^{n-2} + \ldots + b_{n-1} 2 + b_n$
4. If $g(b_1, b_2, \ldots, b_n) \ne f(b_1, b_2, \ldots, b_n)$ then set $g(x_1, \ldots, x_n) = g(x_1, \ldots, x_n) \oplus \prod_{i=1}^{n} x_i^{b_i}$
5. $ANF(f) = g(x_1, x_2, \ldots, x_n)$
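
The step-by-step ANF algorithm and the bit-only Moebius transform described above, as an added Python example that is not part of the original slides. It assumes truth tables are indexed by the integer with bits (x3 x2 x1), matching the row order of the example truth table; all function names are illustrative.

```python
def anf_incremental(tt):
    """Algorithm from the text: visit k = 1 .. 2^n - 1 and add the monomial
    x^b whenever the partial polynomial g disagrees with f at the point b."""
    g = {0} if tt[0] else set()              # step 1: g = f(0, ..., 0)
    for k in range(1, len(tt)):              # step 2
        # a monomial m is 1 at the point k iff all its variables are set in k
        g_at_k = sum(1 for m in g if (m & k) == m) & 1
        if g_at_k != tt[k]:                  # step 4
            g.add(k)
    return sorted(g)

def anf_moebius(tt):
    """Moebius transform using XOR only (in-place butterfly)."""
    g = list(tt)
    step = 1
    while step < len(g):
        for start in range(0, len(g), 2 * step):
            for j in range(start, start + step):
                g[j + step] ^= g[j]
        step *= 2
    return [m for m, coeff in enumerate(g) if coeff]

def degree(monomials):
    """Algebraic degree: largest number of variables in any monomial."""
    return max((bin(m).count("1") for m in monomials), default=0)

def show(monomials):
    """Render monomial masks as text; bit i of a mask stands for x_(i+1)."""
    def term(m):
        xs = [f"x{i + 1}" for i in range(m.bit_length()) if (m >> i) & 1]
        return "".join(xs) or "1"
    return " + ".join(term(m) for m in monomials) or "0"

# Truth table of the example f = x1x2 + x2x3 + x3, rows 000 .. 111 (x3 x2 x1).
TT_EXAMPLE = [0, 0, 0, 1, 1, 1, 0, 1]

if __name__ == "__main__":
    anf = anf_moebius(TT_EXAMPLE)
    assert anf == anf_incremental(TT_EXAMPLE)
    print(show(anf), "| degree", degree(anf))
```

Both routines return the same monomial set; the butterfly needs n * 2^(n-1) XORs, while the incremental version re-evaluates g at every point.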

Boolean Function
Definitions:
The sequence with components from {1,-1} defined by:
$((-1)^{f(\alpha_0)}, (-1)^{f(\alpha_1)}, \ldots, (-1)^{f(\alpha_{2^n-1})})$
is called the sequence of the function f.
A $2^n \times 2^n$ matrix F with entries
$f_{i,j} = (-1)^{f(\alpha_i \oplus \alpha_j)}$
is called the matrix of the function f.
Definitions:
A Boolean function $f : F_2^n \to F_2$ is said to be balanced if its truth table has $2^{n-1}$ zeroes or ones.
A Boolean function $f : F_2^n \to F_2$ is affine if it can be represented in the form
$f(x_1, \ldots, x_n) = a_0 \oplus a_1x_1 \oplus \ldots \oplus a_nx_n$
where $a_i \in F_2$ for $i = 0, 1, \ldots, n$.
An affine function is called linear if $a_0 = 0$.
The sequence of an affine (or linear) function is called an affine (or linear) sequence.
Definitions:
The Hamming weight of a binary vector $\alpha \in F_2^n$, denoted by $W(\alpha)$, is the number of ones it contains. For example . Given two functions $f, g : F_2^n \to F_2$, the Hamming distance between them is defined as:
) ..., , , ( ) ( ) (
2 1 2 1 n
x x x x where x f x f =
$A * B = (a_0 b_0, a_1 b_1, \ldots, a_{2^n-1} b_{2^n-1})$
An $r \times r$ matrix with entries from {1,-1} is called a Hadamard matrix if
$HH^T = rI_r$
where $H^T$ is the transpose of H and $I_r$ is the $r \times r$ identity matrix.
Hadamard matrices exist when n=1,2 or n is a multiple of 4.
A Sylvester-Hadamard or Walsh-Hadamard matrix is a $2^n \times 2^n$ matrix $H_n$ which is generated according to the following recursive relation:
Kronecker product is defined as
$H_n$ can be computed as
$H_n = H_1 \otimes H_{n-1}$
Lemma: The ith row (column) of $H_n$ is the sequence of linear function $\varphi_i(x) = \langle \alpha_i, x \rangle$ where $x, \alpha_i \in F_2^n$ and $\alpha_i$ is the binary representation of the integer i, $i = 0, 1, \ldots, 2^n - 1$.

Cryptographic criteria for Boolean functions and S-boxes
Completeness Criterion
The criterion is applicable to the whole cryptographic design (or
S-P network) rather than a single S-box. Given S-boxes with a
fixed structure, it is necessary to design a suitable permutation
box (P-box) and compute how many rounds are necessary to
build up the cross dependencies so any binary output is a
complex function of every binary input. The lack of these
dependencies enables an opponent to use the divide and
conquer strategy to analyze the design.

Non-linearity
The nonlinearity of a Boolean function can be defined as the distance between the function and the set of all affine functions.
The set of all affine Boolean functions of n variables is:
$A_n = \{a_0 + a_1x_1 + a_2x_2 + \ldots + a_nx_n ;\ a_i \in F_2,\ 0 \le i \le n\}$
Thus it is the minimum distance from the set of all affine functions, i.e.,
$N_f = \min_{a \in A_n} \{ d_H(f, a) \}$
Non-linearity is the number of bits which must be changed in the truth table of a Boolean function to reach the closest affine function.
For n variables, the total number of affine Boolean functions is: -------
So for a large n this computation will be difficult.
However, this computation can be simplified using the Walsh Transform.
Lemma: Let $f, g : F_2^n \to F_2$, then
$d(f, g) = 2^{n-1} - \frac{1}{2}\langle \alpha, \beta \rangle$
where $\alpha, \beta$ are the sequence of f and g respectively.
Lemma: Let $\alpha$ be the sequence of a function f on $F_2^n$. Then the non-linearity of the function is expressible by:
$N_f = 2^{n-1} - \frac{1}{2} \max_{i = 0, 1, \ldots, 2^n-1} \{ |\langle \alpha, l_i \rangle| \}$
where $l_i$ is the i-th row of $H_n$.
Thus, for example, the non-linearity of a 3-variable Boolean function f will be computed by finding the following product:
This product is also called the Walsh Spectrum of f, represented as:
$W_f(\omega)$
Non-linearity is thus
$N_f = 2^{n-1} - \frac{1}{2} \max |W_f(\omega)|$
Let f be an arbitrary function on $F_2^n$. The non-linearity of f satisfies the following relation:
$N_f \le 2^{n-1} - 2^{\frac{1}{2}n - 1}$
With equality, the above expression thus gives the maximum possible nonlinearity for n even.
A function with maximum non-linearity is called a Bent Function.
This can be rephrased as the maximum non-linearity of f is
$N_f < 2^{n-1}$
Balancedness of the function can also be computed using its Walsh spectrum as:
$W_f(\omega) = 0$ for $0 \le wt(\omega) \le m$
The nonlinearity of a Boolean function is invariant under a nonsingular linear transformation.
Lemma: Let f be a Boolean function over $F_2^n$, B be a non-singular $n \times n$ matrix and $\beta$ a constant vector from $F_2^n$. Then the function $f(xB + \beta)$ has the same non-linearity as the function f.
The notion of nonlinearity can be generalized for a collection of Boolean functions. Let the function $f : F_2^n \to F_2^m$, $f = (f_1, \ldots, f_m)$. The non-linearity of the function is:
$N_f = \min_{\alpha \in F_2^m,\ \alpha \ne 0} N_{f_\alpha}$
where
$f_\alpha = \langle \alpha, f \rangle = \alpha_1 f_1 \oplus \alpha_2 f_2 \oplus \ldots \oplus \alpha_m f_m$
is a linear combination of component functions defined by the vector $\alpha = (\alpha_1, \ldots, \alpha_m)$.
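
The Walsh spectrum, the non-linearity formula and its generalization to a collection of component functions, as an added Python example that is not part of the original slides. F1, F2 and F3 are the truth tables of the component functions tabulated in the page's 3-bit example (rows 000 to 111); BENT4 is a constructed 4-variable function, and all function names are illustrative.

```python
def walsh_spectrum(tt):
    """Product of the (1,-1) sequence of f with H_n (fast Walsh-Hadamard
    transform); entry i is <sequence of f, l_i>."""
    w = [1 - 2 * bit for bit in tt]
    step = 1
    while step < len(w):
        for start in range(0, len(w), 2 * step):
            for j in range(start, start + step):
                a, b = w[j], w[j + step]
                w[j], w[j + step] = a + b, a - b
        step *= 2
    return w

def nonlinearity(tt):
    """N_f = 2^(n-1) - (1/2) max |W_f|."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(tt)) // 2

def is_balanced(tt):
    """W_f(0) counts zeroes minus ones, so it vanishes iff f is balanced."""
    return walsh_spectrum(tt)[0] == 0

def combine(components, mask):
    """XOR of the component truth tables selected by the bits of mask."""
    out = [0] * len(components[0])
    for k, tt in enumerate(components):
        if (mask >> k) & 1:
            out = [a ^ b for a, b in zip(out, tt)]
    return out

def sbox_nonlinearity(components):
    """Minimum non-linearity over all non-zero linear combinations."""
    return min(nonlinearity(combine(components, m))
               for m in range(1, 1 << len(components)))

# Component truth tables of the page's 3-bit example, rows 000 .. 111.
F1 = [0, 1, 0, 1, 1, 0, 0, 1]
F2 = [0, 1, 1, 1, 0, 1, 0, 0]
F3 = [0, 0, 0, 1, 0, 1, 1, 1]
# Constructed 4-variable function x4x3 + x2x1 (an assumption, not on the page).
BENT4 = [((x >> 3) & (x >> 2) ^ (x >> 1) & x) & 1 for x in range(16)]

if __name__ == "__main__":
    print("W_f1 =", walsh_spectrum(F1), "N_f1 =", nonlinearity(F1))
    print("S-box non-linearity =", sbox_nonlinearity([F1, F2, F3]))
    print("N_bent4 =", nonlinearity(BENT4), "bound =", 2**3 - 2**1)
```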

Strict Avalanche Criterion or SAC
An S-box satisfies SAC if a single bit change on the input results in a change on a half of output bits. Note that when S-box is used to build an S-P network, then a single change on the input of network causes an avalanche of changes.
More formally a function $f : F_2^n \to F_2$ satisfies SAC if $f(x) \oplus f(x \oplus \alpha)$ is balanced for all $\alpha$ whose weight is 1.
In other words, the SAC characterizes the output when there is a single bit change on the input. Higher order SAC is generalization of the SAC property where the number of input changes is bigger than one. Both the SAC and higher order SAC are collectively called propagation criteria.
We say that f satisfies the propagation criterion with respect to the vector $\alpha$ if $f(x) \oplus f(x \oplus \alpha)$ is a balanced function, where $x, \alpha \in F_2^n$ and $\alpha$ is a non-zero vector.
A function which holds the propagation criteria w.r.t. all $\alpha \in F_2^n$ whose weight is $1 \le W(\alpha) \le k$, is said to satisfy the propagation criteria of degree k.
A Boolean function may not satisfy the propagation criterion. The ultimate failure happens when the function $f(x) \oplus f(x \oplus \alpha)$ is constant.
Let f be a function over $F_2^n$. A vector $\alpha$ is called a linear structure of f if $f(x) \oplus f(x \oplus \alpha)$ is constant.
Every function has at least one linear structure ------
Obviously, nonzero linear structures should be avoided in S-boxes as they force the corresponding differences of functions to be constant.

XOR Profile or XOR Table Distribution
XOR table of an s-box gives information about the security of the block ciphers against differential cryptanalysis. Differential attack exploits particular high-valued entries in the XOR tables of s-boxes employed by a block cipher.
The XOR table of an $n \times m$ s-box is a $2^n \times 2^m$ matrix. The rows of the matrix represent the change in the output of the s-box.
An entry in the XOR table of an s-box indexed by $(\alpha, b)$ indicates the number of input vectors P which, when changed by $\alpha$, result in the output difference of $b = f(P) \oplus f(P \oplus \alpha)$:
$XOR_f(\alpha, b) = \#\{P \mid f(P) \oplus f(P \oplus \alpha) = b\}$
where $\alpha \in Z_2^n$ and $b \in Z_2^m$.
An entry in the XOR table can only take an even value, and the sum of all values in a row is always $2^n$.
As entries with high values in the XOR table are particularly useful to differential cryptanalysis, a necessary condition for an s-box to be immune to differential cryptanalysis is that it does not have large values in its XOR table.

XOR Table
Suppose we consider the first S-box, $S_1$, and the input x-or 110100. Then
For each ordered pair in the set (110100), we compute output x-or of $S_1$. For example, $S_1(000000) = E_{16} = 1110$ and $S_1(110100) = 9_{16} = 1001$, so the output x-or for the pair (000000, 110100) is 0111.
If this is done for all 64 pairs in (110100), then the following distribution of output x-ors is obtained:
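
The XOR table computation for $S_1$, as an added Python example that is not part of the original slides. DES_S1 is the standard DES S-box S1 (rows selected by the outer input bits, columns by the four inner bits); the function names are illustrative.

```python
# Standard DES S-box S1: row = outer bits b1 b6, column = inner bits b2..b5.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """Apply S1 to a 6-bit input x = b1 b2 b3 b4 b5 b6."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]

def xor_table(sbox, n_in, n_out):
    """2^n x 2^m table with table[a][b] = #{P : S(P) ^ S(P ^ a) = b}."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a in range(1 << n_in):
        for p in range(1 << n_in):
            table[a][sbox(p) ^ sbox(p ^ a)] += 1
    return table

def check_invariants(table, n_in):
    """Every entry is even and every row sums to 2^n."""
    return all(sum(row) == 1 << n_in and all(v % 2 == 0 for v in row)
               for row in table)

def worst_entry(table):
    """Largest entry outside the trivial row for input x-or 0."""
    return max(max(row) for row in table[1:])

TABLE = xor_table(s1, 6, 4)

if __name__ == "__main__":
    print("pair (000000, 110100) ->", format(s1(0) ^ s1(0b110100), "04b"))
    for b, count in enumerate(TABLE[0b110100]):
        print(format(b, "04b"), count)
    print("invariants hold:", check_invariants(TABLE, 6))
    print("largest non-trivial entry:", worst_entry(TABLE))
```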

Propagation and Nonlinearity
There is an intrinsic relation between propagation properties and the nonlinearity of Boolean functions. For instance, bent functions satisfy propagation criterion with respect to all nonzero vectors. Now we are going to investigate the relation between propagation and nonlinearity for arbitrary Boolean functions.
Let f be a Boolean function over $F_2^n$. And let $\xi(\alpha)$ be the sequence of the function $f(x \oplus \alpha)$.
It can be seen that $\xi(0) * \xi(\alpha)$ is the sequence of $f(x) \oplus f(x \oplus \alpha)$.
The autocorrelation of f with a shift $\alpha$ is defined as
$\Delta(\alpha) = \langle \xi(0), \xi(\alpha) \rangle$
Lemma: Let f be a function over $F_2^n$. Then the Hamming weight of $f(x) \oplus f(x \oplus \alpha)$ is equal to
$2^{n-1} - \frac{1}{2}\Delta(\alpha)$
Corollary: $\Delta(\alpha) = 0$ if and only if $f(x) \oplus f(x \oplus \alpha)$ is balanced, i.e., f satisfies the propagation criterion with respect to $\alpha$.
Note that if $|\Delta(\alpha)| = 2^n$ then $f(x) \oplus f(x \oplus \alpha)$ is constant and then $\alpha$ is a linear structure.
In practice for most Boolean functions, the propagation criterion with respect to arbitrary $\alpha$ is not satisfied and also $\alpha$ is not a linear structure.
For some cases $\Delta(\alpha) \ne 0$ and is relatively small so $f(x) \oplus f(x \oplus \alpha)$ is almost balanced and function has good propagation properties.
Corollary: To measure the global propagation property of a function f with respect to all vectors in $F_2^n$ we can use the number
$\sum_{\alpha \in F_2^n} \Delta^2(\alpha)$
Ideally we expect the number to be as small as possible. In fact it is smallest for bent functions and largest for affine functions.
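
The autocorrelation, propagation criterion, linear structures and global indicator described above, as an added Python example that is not part of the original slides. F1 and F3 are the truth tables of the page's example functions $f_1$ and $f_3$ (rows 000 to 111); BENT4 and AFFINE4 are constructed 4-variable functions, and all function names are illustrative.

```python
def autocorrelation(tt, alpha):
    """Delta(alpha) = <xi(0), xi(alpha)> = sum over x of (-1)^(f(x) ^ f(x ^ alpha))."""
    return sum(1 - 2 * (tt[x] ^ tt[x ^ alpha]) for x in range(len(tt)))

def derivative_weight(tt, alpha):
    """Hamming weight of f(x) ^ f(x ^ alpha); equals 2^(n-1) - Delta(alpha)/2."""
    return sum(tt[x] ^ tt[x ^ alpha] for x in range(len(tt)))

def satisfies_pc(tt, k):
    """Propagation criterion of degree k: Delta(alpha) = 0 for 1 <= W(alpha) <= k."""
    return all(autocorrelation(tt, a) == 0
               for a in range(1, len(tt)) if bin(a).count("1") <= k)

def satisfies_sac(tt):
    """SAC is the propagation criterion of degree 1."""
    return satisfies_pc(tt, 1)

def linear_structures(tt):
    """Vectors alpha for which f(x) ^ f(x ^ alpha) is constant."""
    return [a for a in range(len(tt))
            if abs(autocorrelation(tt, a)) == len(tt)]

def global_indicator(tt):
    """Sum of Delta(alpha)^2 over all alpha in F_2^n."""
    return sum(autocorrelation(tt, a) ** 2 for a in range(len(tt)))

F1 = [0, 1, 0, 1, 1, 0, 0, 1]   # page's f1, rows 000 .. 111
F3 = [0, 0, 0, 1, 0, 1, 1, 1]   # page's f3, rows 000 .. 111
# Constructed 4-variable functions (assumptions, not on the page).
BENT4 = [((x >> 3) & (x >> 2) ^ (x >> 1) & x) & 1 for x in range(16)]
AFFINE4 = [(x ^ (x >> 1)) & 1 for x in range(16)]

if __name__ == "__main__":
    print("Delta for f1:", [autocorrelation(F1, a) for a in range(8)])
    print("f1: SAC", satisfies_sac(F1), "linear structures", linear_structures(F1))
    print("f3: SAC", satisfies_sac(F3), "linear structures", linear_structures(F3))
    print("indicator bent/affine:", global_indicator(BENT4), global_indicator(AFFINE4))
```

The zero vector always appears in the list of linear structures; any other entry is a nonzero linear structure of the kind the text says to avoid.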

S-Box Design
Single Boolean functions are basic elements that can be used to construct complex (and useful from a cryptographic point of view) S-boxes.
An $n \times k$ S-box is a mapping from $F_2^n$ to $F_2^k$
and
$S(x) = (f_1(x), \ldots, f_k(x))$
where $f_j : F_2^n \to F_2$ and $n > k$.
The collection of cryptographically essential properties for an S-box includes the following ones:
Any non-zero linear combination of $f_1, \ldots, f_k$, i.e., $f = c_1f_1 \oplus \ldots \oplus c_kf_k$, $(c_1, \ldots, c_k) \ne (0, \ldots, 0)$, should be balanced
Any non-zero linear combination of $f_1, \ldots, f_k$ should be highly non-linear
Any non-zero linear combination of $f_1, \ldots, f_k$ should satisfy SAC
$S(x) = (f_1(x), \ldots, f_k(x))$ should be regular, i.e., each vector in $F_2^k$ should occur $2^{n-k}$ times while x runs through $F_2^n$

Balancedness of all linear combinations
$f_1 = x_1 \oplus x_3 \oplus x_2x_3$, $f_2 = x_1 \oplus x_2 \oplus x_1x_2 \oplus x_2x_3$
$f_3 = x_1x_2 \oplus x_2x_3 \oplus x_1x_3$
Columns: 001 is $f_1$, 010 is $f_2$, 011 is $f_1 \oplus f_2$, 100 is $f_3$, 101 is $f_1 \oplus f_3$, 110 is $f_3 \oplus f_2$, 111 is $f_1 \oplus f_2 \oplus f_3$.

$x_3x_2x_1$   001  010  011  100  101  110  111
000       0    0    0    0    0    0    0
001       1    1    0    0    1    1    0
010       0    1    1    0    0    1    1
011       1    1    0    1    0    0    1
100       1    0    1    0    1    0    1
101       0    1    1    1    1    0    0
110       0    0    0    1    1    1    1
111       1    0    1    1    0    1    0

Finding non-linearity
$f_1 = x_1 \oplus x_3 \oplus x_2x_3$

$x_3x_2x_1$   $f_1$   sequence of $f_1$
000       0     1
001       1    -1
010       0     1
011       1    -1
100       1    -1
101       0     1
110       0     1
111       1    -1
Non-linearity = $2^{3-1} - \frac{1}{2}(4) = 4 - 2 = 2$

SAC
$f_1 = x_1 \oplus x_3 \oplus x_2x_3$
Let $\beta = 110$

X ($x_3x_2x_1$)   $f_1(X)$   $X \oplus \beta$   $f_1(X \oplus \beta)$   $f_1(X) \oplus f_1(X \oplus \beta)$
000   0   110   0   0
001   1   111   1   0
010   0   100   1   1
011   1   101   0   1
100   1   010   0   1
101   0   011   1   1
110   0   000   0   0
111   1   001   1   0