
Lecture 6

The lecture covers cryptographic criteria for Boolean functions and S-boxes, including completeness criteria, non-linearity, and the Strict Avalanche Criterion (SAC). It emphasizes the importance of balancedness, non-linearity, and propagation properties in S-box design to enhance security against cryptanalysis. Additionally, it discusses the relationship between non-linearity and propagation, and the design principles for effective S-boxes.

Uploaded by

Abdul Raheem
Cryptography
Lecture 6

MSIS 8
Military College of Signals, NUST

Cryptographic Criteria of Boolean functions and S-boxes
• We have seen the following in the last lecture:
– Representation of Boolean functions
– Walsh-Hadamard matrices
– Sequence of functions
– Definition of linear functions
– Scalar product
– Lemma: The $i$th row, or column, of $H_n$ is the sequence of the linear function $\varphi_i(x) = \langle \alpha_i, x \rangle$, where $\alpha_i \in F_2^n$ is the binary representation of the integer $i$, $i = 0, 1, \ldots, 2^n - 1$.
Completeness Criterion
• The completeness criterion was given by: J. Kam and G. Davida, “Structured design of substitution-permutation networks”. IEEE Transactions on Computers, C-28:747-753, 1979.
• The criterion is applicable to the whole cryptographic design (or S-P network) rather than a single S-box. Given S-boxes with a fixed structure, it is necessary to design a suitable permutation box (P-box) and compute how many rounds are necessary to build up the cross dependencies so any binary output is a complex function of every binary input. The lack of these dependencies enables an opponent to use the divide and conquer strategy to analyze the design.
• Assignment: Read the paper mentioned above. We will have a discussion on it in the next class (you should be prepared to answer any question asked from it).
Balancedness
• We have discussed this in the previous lecture
Non-linearity
• The nonlinearity of a Boolean function can be defined as the distance between the function and the set of all affine functions.
• Set of all affine Boolean functions of n variables is:
$A_n = \{a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus \cdots \oplus a_n x_n ;\ a_i \in F_2,\ 0 \le i \le n\}$
• Thus minimum distance from the set of all affine functions, i.e.,
$N_f = \min_{a \in A_n} d_H(f, a)$
• Non-linearity is the number of bits which must be changed in the truth table of a Boolean function to reach the closest affine function
Non-linearity
• Example
Non-linearity
• For n variables, the total number of affine Boolean functions is: -------
• So for a large n this computation will be difficult
• However, this computation can be simplified using the Walsh transform
Non-linearity
Lemma: Let $f, g : F_2^n \to F_2$; then
$d(f, g) = 2^{n-1} - \frac{1}{2} \langle \xi, \eta \rangle$
where $\xi, \eta$ are the sequences of $f$ and $g$ respectively.
Lemma: Let $\xi$ be the sequence of a function $f$ on $F_2^n$. Then the non-linearity of the function $f$ is expressible by:
$N_f = 2^{n-1} - \frac{1}{2} \max_{i = 0, 1, \ldots, 2^n - 1} \{ |\langle \xi, l_i \rangle| \}$
where $l_i$ is the $i$th row of $H_n$.
Non-linearity
Thus, for example, the non-linearity of a 3-variable Boolean function $f$ is computed by finding the following product:
Non-linearity
• This product is also called the Walsh spectrum of $f$, represented as $W_f(\alpha)$
• Non-linearity is thus
$N_f = 2^{n-1} - \frac{1}{2} \max |W_f(\alpha)|$
• Let $f$ be an arbitrary function on $F_2^n$. The non-linearity of $f$ satisfies the following relation:
$N_f \le 2^{n-1} - 2^{\frac{1}{2}n - 1}$
• With equality, the above expression gives the maximum possible nonlinearity for n even.
• A function with maximum non-linearity is called a bent function
Non-linearity
• This can be rephrased as: the maximum non-linearity of $f$ is $N_f \le 2^{n-1}$
• Balancedness of the function can also be computed using its Walsh spectrum as:
$W_f(\alpha) = 0$ for $0 \le wt(\alpha) \le m$
Non-linearity
• The nonlinearity of a Boolean function is invariant under a nonsingular linear transformation.
Lemma: Let $f$ be a Boolean function over $F_2^n$, $B$ be an $n \times n$ non-singular matrix and $\beta$ a constant vector from $F_2^n$. Then the function $f(xB \oplus \beta)$ has the same non-linearity as the function $f$.
Non-linearity
• The notion of nonlinearity can be generalized for a collection of Boolean functions. Let the function $f : F_2^n \to F_2^m$. The non-linearity of the function is:
$N_f = \min_{\alpha \in F_2^m,\ \alpha \ne 0} N_{f_\alpha}$
where $f_\alpha = \langle \alpha, f \rangle = \alpha_1 f_1 \oplus \alpha_2 f_2 \oplus \cdots \oplus \alpha_m f_m$ is a linear combination of component functions of $f = (f_1, \ldots, f_m)$ defined by the vector $\alpha = (\alpha_1, \ldots, \alpha_m)$
Strict Avalanche Criterion or SAC
• An S-box satisfies SAC if a single bit change on the input results in a change on a half of output bits. Note that when an S-box is used to build an S-P network, then a single change on the input of the network causes an avalanche of changes.
• More formally, a function $f : F_2^n \to F_2$ satisfies SAC if $f(x) \oplus f(x \oplus \alpha)$ is balanced for all $\alpha$ whose weight is 1
• In other words, the SAC characterizes the output when there is a single bit change on the input. Higher order SAC is a generalization of the SAC property where the number of input changes is bigger than one. Both the SAC and higher order SAC are collectively called propagation criteria
Strict Avalanche Criterion or SAC
• We say that $f$ satisfies the propagation criterion with respect to the vector $\alpha$ if $f(x) \oplus f(x \oplus \alpha)$ is a balanced function, where $x, \alpha \in F_2^n$ and $\alpha$ is a non-zero vector.
• A function which satisfies the propagation criterion w.r.t. all $\alpha \in F_2^n$ whose weight is $1 \le W(\alpha) \le k$ is said to satisfy the propagation criterion of degree $k$
Strict Avalanche Criterion or SAC
Strict Avalanche Criterion or SAC
• Let's see how a non-singular linear transformation can be used to obtain a function which satisfies the SAC

• Theorem: Let $f : F_2^n \to F_2$ be a Boolean function and $A$ be an $n \times n$ non-singular matrix with entries from $F_2$. If $f(x) \oplus f(x \oplus \gamma)$ is balanced for each row $\gamma$ of $A$, then the function $\psi(x) = f(xA)$ satisfies the SAC
Strict Avalanche Criterion or SAC
Strict Avalanche Criterion or SAC
• A Boolean function may not satisfy the propagation criterion. The ultimate failure happens when the function $f(x) \oplus f(x \oplus \alpha)$ is constant.
• Let $f$ be a function over $F_2^n$. A vector $\alpha$ is called a linear structure of $f$ if $f(x) \oplus f(x \oplus \alpha)$ is constant.

• Every function has at least one linear structure ------

Strict Avalanche Criterion or SAC
• Obviously, nonzero linear structures should be avoided in
S-boxes as they force the corresponding differences of
functions to be constant
XOR Profile or XOR Table Distribution
• XOR table of an s-box gives information about the security of the block ciphers against differential cryptanalysis. Differential attack exploits particular high-valued entries in the XOR tables of s-boxes employed by a block cipher.
• The XOR table of an $n \times m$ s-box is a $2^n \times 2^m$ matrix. The rows of the matrix represent the change in the output of the s-box.

• An entry in the XOR table of an s-box indexed by $(\alpha, b)$ indicates the number of input vectors $P$ which, when changed by $\alpha$, result in the output difference of $b = f(P) \oplus f(P \oplus \alpha)$
XOR Profile or XOR Table Distribution
• An entry in the XOR table of an s-box indexed by $(\alpha, b)$ indicates the number of input vectors $P$ which, when changed by $\alpha$, result in the output difference of $b = f(P) \oplus f(P \oplus \alpha)$:
$XOR_f(\alpha, b) = \#\{ P \mid f(P) \oplus f(P \oplus \alpha) = b \}$
where $\alpha \in Z_2^n$ and $b \in Z_2^m$
• An entry in the XOR table can only take an even value, and the sum of all values in a row is always $2^n$
• As entries with high values in the XOR table are particularly useful to differential cryptanalysis, a necessary condition for an s-box to be immune to differential cryptanalysis is that it does not have large values in its XOR table
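
The following is an added example, not part of the original slides: it builds the XOR table defined above for the 3x3 S-box formed by the $f_1, f_2, f_3$ truth tables from the lecture's S-Box Design slides, and for a linear (identity) S-box for contrast. The packing of the three output bits into an integer and the choice of the identity S-box are assumptions made for the illustration.

```python
# Added example (not from the lecture): XOR table of an n x m S-box.
# Truth tables of f1, f2, f3 as tabulated in the lecture, rows x3 x2 x1 = 000..111.
F1 = [0, 1, 0, 1, 1, 0, 0, 1]
F2 = [0, 1, 1, 1, 0, 1, 0, 0]
F3 = [0, 0, 0, 1, 0, 1, 1, 1]

# Assumption: outputs packed as the integer f3 f2 f1 (f1 is the low bit).
LECTURE_SBOX = [a | (b << 1) | (c << 2) for a, b, c in zip(F1, F2, F3)]
# Constructed contrast case: a linear S-box, S(x) = x.
IDENTITY_SBOX = list(range(8))


def xor_table(sbox, n, m):
    """table[alpha][b] = #{P : S(P) xor S(P xor alpha) == b}."""
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for alpha in range(1 << n):
        for p in range(1 << n):
            table[alpha][sbox[p] ^ sbox[p ^ alpha]] += 1
    return table


def row_properties_hold(table, n):
    """Slide properties: every entry is even and every row sums to 2^n."""
    return all(
        sum(row) == 1 << n and all(v % 2 == 0 for v in row) for row in table
    )


def max_nontrivial_entry(table):
    """Largest entry over rows with a non-zero input difference alpha."""
    return max(max(row) for row in table[1:])


if __name__ == "__main__":
    for name, sbox in (("lecture", LECTURE_SBOX), ("identity", IDENTITY_SBOX)):
        t = xor_table(sbox, 3, 3)
        print(name, "S-box:", sbox)
        print("  row properties hold:", row_properties_hold(t, 3))
        print("  largest entry for alpha != 0:", max_nontrivial_entry(t))
        for alpha, row in enumerate(t):
            print(f"  alpha={alpha:03b}", row)
```

The row for alpha = 000 always holds $2^n$ in column 0, so it is excluded when looking for the large entries that matter to differential cryptanalysis.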
Propagation and Nonlinearity
• There is an intrinsic relation between propagation
properties and the nonlinearity of Boolean functions. For
instance, bent functions satisfy propagation criterion with
respect to all nonzero vectors. Now we are going to
investigate the relation between propagation and
nonlinearity for arbitrary Boolean functions.
• Let $f$ be a Boolean function over $F_2^n$. And let $\xi(\alpha)$ be the sequence of the function $f(x \oplus \alpha)$
• It can be seen that $\xi(0) * \xi(\alpha)$ is the sequence of $f(x) \oplus f(x \oplus \alpha)$
Propagation and Nonlinearity
• The autocorrelation of $f$ with a shift $\alpha$ is defined as
$\Delta(\alpha) = \langle \xi(0), \xi(\alpha) \rangle$
Lemma: Let $f$ be a function over $F_2^n$. Then the Hamming weight of $f(x) \oplus f(x \oplus \alpha)$ is equal to
$2^{n-1} - \frac{1}{2} \Delta(\alpha)$
Corollary: $\Delta(\alpha) = 0$ if and only if $f(x) \oplus f(x \oplus \alpha)$ is balanced, i.e., $f$ satisfies the propagation criterion with respect to $\alpha$
Propagation and Nonlinearity
Corollary: $\Delta(\alpha) = 0$ if and only if $f(x) \oplus f(x \oplus \alpha)$ is balanced, i.e., $f$ satisfies the propagation criterion with respect to $\alpha$

Note that if $|\Delta(\alpha)| = 2^n$ then $f(x) \oplus f(x \oplus \alpha)$ is constant and then $\alpha$ is a linear structure.

• In practice for most Boolean functions, the propagation criterion with respect to arbitrary $\alpha$ is not satisfied and also $\alpha$ is not a linear structure.

• For some cases $\Delta(\alpha) \ne 0$ and $|\Delta(\alpha)|$ is relatively small, so $f(x) \oplus f(x \oplus \alpha)$ is almost balanced and the function has good propagation properties
Propagation and Nonlinearity
Corollary: To measure the global propagation property of a function $f$ with respect to all vectors in $F_2^n$ we can use the number
$\sum_{\alpha \in F_2^n} \Delta(\alpha)^2$
Ideally we expect the number to be as small as possible. In fact it is smallest for bent functions and largest for affine functions
S-Box Design
Single Boolean functions are basic elements that can be used to construct complex (and useful from a cryptographic point of view) S-boxes.

An S-box is a mapping from $F_2^n$ to $F_2^k$, and an $n \times k$ S-box is
$S(x) = (f_1(x), \ldots, f_k(x))$
where $n \ge k$ and $f_j : F_2^n \to F_2$
S-Box Design
The collection of cryptographically essential properties for an S-box includes the following ones:
• Any non-zero linear combination of $f_1, \ldots, f_k$, i.e., $f = c_1 f_1 \oplus \cdots \oplus c_k f_k$, $(c_1, \ldots, c_k) \ne (0, \ldots, 0)$, should be balanced
• Any non-zero linear combination of $f_1, \ldots, f_k$ should be highly non-linear
• Any non-zero linear combination of $f_1, \ldots, f_k$ should satisfy SAC
• $S(x) = (f_1(x), \ldots, f_k(x))$ should be regular, i.e., each vector in $F_2^k$ should occur $2^{n-k}$ times while $x$ runs through $F_2^n$
S-Box Design
S-Box Design
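Balancedness of all linear combinations

$f_1 = x_1 \oplus x_3 \oplus x_2 x_3$, $f_2 = x_1 \oplus x_2 \oplus x_1 x_2 \oplus x_2 x_3$
$f_3 = x_1 x_2 \oplus x_2 x_3 \oplus x_1 x_3$

| $x_3 x_2 x_1$ | 001: $f_1$ | 010: $f_2$ | 011: $f_1 \oplus f_2$ | 100: $f_3$ | 101: $f_1 \oplus f_3$ | 110: $f_3 \oplus f_2$ | 111: $f_1 \oplus f_2 \oplus f_3$ |
|---|---|---|---|---|---|---|---|
| 000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 001 | 1 | 1 | 0 | 0 | 1 | 1 | 0 |
| 010 | 0 | 1 | 1 | 0 | 0 | 1 | 1 |
| 011 | 1 | 1 | 0 | 1 | 0 | 0 | 1 |
| 100 | 1 | 0 | 1 | 0 | 1 | 0 | 1 |
| 101 | 0 | 1 | 1 | 1 | 1 | 0 | 0 |
| 110 | 0 | 0 | 0 | 1 | 1 | 1 | 1 |
| 111 | 1 | 0 | 1 | 1 | 0 | 1 | 0 |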
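Finding non-linearity
$f_1 = x_1 \oplus x_3 \oplus x_2 x_3$

| $x_3 x_2 x_1$ | $f_1$ | sequence of $f_1$ |
|---|---|---|
| 000 | 0 | 1 |
| 001 | 1 | -1 |
| 010 | 0 | 1 |
| 011 | 1 | -1 |
| 100 | 1 | -1 |
| 101 | 0 | 1 |
| 110 | 0 | 1 |
| 111 | 1 | -1 |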
Finding non-linearity

• * =

• Non-linearity = $2^{3-1} - \frac{1}{2}(4) = 4 - 2 = 2$
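
The following is an added example, not part of the original slides: it computes the product of the sequence of $f_1$ with the rows of $H_3$ using a fast Walsh-Hadamard transform, reproduces the non-linearity of 2 worked out above, and goes one step further by checking balancedness and non-linearity of every non-zero linear combination of $f_1, f_2, f_3$. The function names and the convention that $x_1$ is the low bit of the table index are assumptions of the example.

```python
# Added example (not from the lecture): Walsh spectrum and non-linearity.
# Truth tables of the lecture's functions, rows ordered x3 x2 x1 = 000..111.
F1 = [0, 1, 0, 1, 1, 0, 0, 1]   # x1 + x3 + x2x3
F2 = [0, 1, 1, 1, 0, 1, 0, 0]   # x1 + x2 + x1x2 + x2x3
F3 = [0, 0, 0, 1, 0, 1, 1, 1]   # x1x2 + x2x3 + x1x3


def walsh_spectrum(tt):
    """Return <xi, l_i> for every row l_i of H_n (fast Walsh-Hadamard transform)."""
    w = [1 - 2 * bit for bit in tt]          # sequence of f: (-1)^f(x)
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for j in range(start, start + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def nonlinearity(tt):
    """N_f = 2^(n-1) - (1/2) * max_i |<xi, l_i>|."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def is_balanced(tt):
    """The entry for l_0 equals (#zeros - #ones), so it is 0 iff f is balanced."""
    return walsh_spectrum(tt)[0] == 0


def linear_combinations(components):
    """Yield (c, truth table) for each non-zero c = (c1..ck), c1 in the low bit."""
    for c in range(1, 1 << len(components)):
        tt = [0] * len(components[0])
        for j, f in enumerate(components):
            if (c >> j) & 1:
                tt = [a ^ b for a, b in zip(tt, f)]
        yield c, tt


def sbox_report(components):
    """(all combinations balanced?, minimum non-linearity over combinations)."""
    combos = [tt for _, tt in linear_combinations(components)]
    return all(is_balanced(tt) for tt in combos), min(nonlinearity(tt) for tt in combos)


if __name__ == "__main__":
    print("Walsh spectrum of f1:", walsh_spectrum(F1))
    print("N_f1 =", nonlinearity(F1))
    print("S-box (balanced, non-linearity):", sbox_report([F1, F2, F3]))
```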
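SAC
$f_1 = x_1 \oplus x_3 \oplus x_2 x_3$. Let $\alpha = 110$

| $X$ ($x_3 x_2 x_1$) | $f_1(X)$ | $X \oplus \alpha$ | $f_1(X \oplus \alpha)$ | $f_1(X) \oplus f_1(X \oplus \alpha)$ |
|---|---|---|---|---|
| 000 | 0 | 110 | 0 | 0 |
| 001 | 1 | 111 | 1 | 0 |
| 010 | 0 | 100 | 1 | 1 |
| 011 | 1 | 101 | 0 | 1 |
| 100 | 1 | 010 | 0 | 1 |
| 101 | 0 | 011 | 1 | 1 |
| 110 | 0 | 000 | 0 | 0 |
| 111 | 1 | 001 | 1 | 0 |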
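
The following is an added example, not part of the original slides: it reproduces the table above through the autocorrelation $\Delta(\alpha)$, tests $f_1$ against the SAC, lists its linear structures, and then applies the theorem on non-singular transformations from the SAC slides to obtain a function $f_1(xA)$ that does satisfy the SAC. The matrix $A$ (rows 010, 100, 011 in $x_3 x_2 x_1$ notation) is constructed for the illustration, and the function names are assumptions.

```python
# Added example (not from the lecture): propagation criterion, SAC, linear structures.
# Truth table of the lecture's f1 = x1 + x3 + x2x3, rows x3 x2 x1 = 000..111.
F1 = [0, 1, 0, 1, 1, 0, 0, 1]
# Constructed non-singular A; row i is selected by input bit x_(i+1).
A_ROWS = [0b010, 0b100, 0b011]


def derivative(tt, alpha):
    """Truth table of f(x) xor f(x xor alpha)."""
    return [tt[x] ^ tt[x ^ alpha] for x in range(len(tt))]


def autocorrelation(tt, alpha):
    """Delta(alpha) = 2^n - 2 * wt(f(x) xor f(x xor alpha))."""
    return len(tt) - 2 * sum(derivative(tt, alpha))


def satisfies_sac(tt):
    """SAC: Delta(alpha) = 0 for every alpha of Hamming weight 1."""
    n = len(tt).bit_length() - 1
    return all(autocorrelation(tt, 1 << i) == 0 for i in range(n))


def linear_structures(tt):
    """All alpha with |Delta(alpha)| = 2^n, i.e. a constant derivative."""
    return [a for a in range(len(tt)) if abs(autocorrelation(tt, a)) == len(tt)]


def transform(tt, rows):
    """Truth table of psi(x) = f(xA), with xA the xor of the rows selected by x."""
    out = []
    for x in range(len(tt)):
        xa = 0
        for i, row in enumerate(rows):
            if (x >> i) & 1:
                xa ^= row
        out.append(tt[xa])
    return out


if __name__ == "__main__":
    print("f1(X) xor f1(X xor 110):", derivative(F1, 0b110))
    print("Delta(alpha), alpha = 0..7:", [autocorrelation(F1, a) for a in range(8)])
    print("f1 satisfies SAC:", satisfies_sac(F1))
    print("linear structures of f1:", [format(a, "03b") for a in linear_structures(F1)])
    psi = transform(F1, A_ROWS)
    print("psi(x) = f1(xA):", psi, "satisfies SAC:", satisfies_sac(psi))
```

$f_1$ fails the SAC because $\alpha = 001$ is a non-zero linear structure, while every row of the constructed $A$ gives a balanced $f_1(x) \oplus f_1(x \oplus \gamma)$, which is the condition the theorem requires.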
