
Nonlinear Resilient Functions

Nonlinear Resilient Functions. 2001.6.26. Jung Hee Cheon http://vega.icu.ac.kr/~jhcheon Information and Communications University (ICU). Linear Resilient Functions.


Presentation Transcript


  1. Nonlinear Resilient Functions 2001.6.26 Jung Hee Cheon http://vega.icu.ac.kr/~jhcheon Information and Communications University (ICU)

  2. Linear Resilient Functions
     • An [n,m,d] linear code is an m-dimensional subspace C of $GF(2)^n$ such that the Hamming distance between any two vectors in C is at least d.
     • Generating matrix G: an m×n matrix whose rows form a basis for C.
     • [CGH85]
     • $f(x) = xG^T$ is an (n,m,d-1)-resilient function.
     • The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function.
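The [CGH85] statement can be checked directly against the definition of resiliency. The following is an added example, not part of the presentation; the [7,4,3] Hamming code and the function names are choices made here.

```python
from itertools import combinations, product

# Example choice (not from the slides): systematic generator matrix of the
# [7,4,3] Hamming code, one row per basis codeword.
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]

def f(x):
    """f(x) = x G^T over GF(2): output bit i is the inner product <x, row i>."""
    return tuple(sum(a & b for a, b in zip(x, row)) % 2 for row in G)

def min_distance(rows):
    """Minimum weight over all nonzero codewords of the code spanned by rows."""
    weights = []
    for coeffs in product((0, 1), repeat=len(rows)):
        if any(coeffs):
            word = [sum(c & r[j] for c, r in zip(coeffs, rows)) % 2
                    for j in range(len(rows[0]))]
            weights.append(sum(word))
    return min(weights)

def is_resilient(func, n, m, k):
    """Definition check: fix any k inputs to any values; over the other n-k
    inputs each of the 2^m outputs must occur exactly 2^(n-k-m) times."""
    if n - k - m < 0:
        return False
    for fixed in combinations(range(n), k):
        free = tuple(i for i in range(n) if i not in fixed)
        for fixed_bits in product((0, 1), repeat=k):
            counts = {}
            for free_bits in product((0, 1), repeat=n - k):
                x = [0] * n
                for i, v in zip(fixed + free, fixed_bits + free_bits):
                    x[i] = v
                y = func(x)
                counts[y] = counts.get(y, 0) + 1
            if len(counts) != 2 ** m or set(counts.values()) != {2 ** (n - k - m)}:
                return False
    return True

def max_resiliency(func, n, m):
    """Largest k for which func is (n, m, k)-resilient, or -1 if unbalanced."""
    return max((k for k in range(n - m + 1) if is_resilient(func, n, m, k)),
               default=-1)
```

With d = 3 the function is 2-resilient and no better: fixing the three inputs in the support of a weight-3 codeword pins one linear combination of the output bits.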

  3. Nonlinear Resilient Functions
     • Conjecture 1: If there is a (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?
     • Disproved by Stinson and Massey (1995)
     • An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions (Journal of Cryptology, Vol. 8, 1995)
     • Construct nonlinear resilient functions from the Kerdock and Preparata codes
     • Showed nonexistence of linear resilient functions with the same parameters
     • For any odd integer $r \ge 3$, a $(2^{r+1},\, 2^{r+1}-2r-2,\, 5)$-resilient function exists.
     • For r=3, a (16,8,5)-resilient function exists.

  4. Zhang and Zheng’s Construction
     • Composition of a resilient function and a nonlinear permutation gives a nonlinear resilient function
     • F: a linear (n,m,k)-resilient function
     • G: a permutation on $GF(2)^m$ with nonlinearity $N_G$
     • Then $P = G \circ F$ is an (n,m,k)-resilient function such that
     • the nonlinearity of P is $2^{n-m} N_G$
     • the algebraic degree of P is the same as that of G
     • Note that composition with a permutation does not change the frequency of the output

  5. Zhang and Zheng’s Construction (Cont.)
     • Converse of Conjecture 1 holds.
     • If there is a linear function with certain parameters, then there exists a nonlinear resilient function with the same parameters.
     • Nonlinear resilient functions give better parameters and should be studied.
     • Limitation of ZZ construction
     • The algebraic degree of F is at most the output size m
     • It gives a parameter which corresponds to a linear resilient function

  6. Algebraic Degree and Nonlinearity
     • The algebraic degree of a Boolean function f is the maximum of the degrees of the terms of f when written in reduced form
     • A linear function has algebraic degree 1
     • The maximum algebraic degree is the size of the input.
     • The nonlinearity of a Boolean function f is its distance from the affine functions
     • N(f) = min wt(f+) where  ranges over all affine functions.
     • Nonlinearity is an important measure of the resistance of a block cipher against linear cryptanalysis
     • The nonlinearity of a vector Boolean function F is the minimum nonlinearity over the component functions b · F.
     • The nonlinearity of a linear function is 0
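Zhang and Zheng's composition from slide 4, checked numerically against the nonlinearity and algebraic degree definitions of slide 6. This is an added example, not part of the presentation: taking F from the [7,4,3] Hamming code and G as inversion in GF(2^4) are choices made here, and resiliency is read off the Walsh spectrum of every nonzero combination of output bits.

```python
def parity(v):
    return bin(v).count("1") & 1

def gf16_mul(a, b):
    """Multiply in GF(2^4) = GF(2)[x]/(x^4 + x + 1)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

# Assumed for this example (not from the slides): F comes from the [7,4,3]
# Hamming code (generator rows as 7-bit masks), G is inversion in GF(2^4).
ROWS = [0b1000110, 0b0100101, 0b0010011, 0b0001111]
F = [sum(parity(x & r) << i for i, r in enumerate(ROWS)) for x in range(128)]
# G[y] is the z with y*z = 1, and 0 maps to 0, so G is a permutation.
G = [next((z for z in range(16) if gf16_mul(y, z) == 1), 0) for y in range(16)]
P = [G[F[x]] for x in range(128)]           # P = G o F

def walsh(T, n, m):
    """{(b, a): sum_x (-1)^(b.T[x] + a.x)} over all nonzero output masks b."""
    return {(b, a): sum(1 - 2 * (parity(b & T[x]) ^ parity(a & x))
                        for x in range(2 ** n))
            for b in range(1, 2 ** m) for a in range(2 ** n)}

def nonlinearity(T, n, m):
    return 2 ** (n - 1) - max(abs(w) for w in walsh(T, n, m).values()) // 2

def resiliency(T, n, m):
    """Largest k with all Walsh values zero for wt(a) <= k (-1 if unbalanced)."""
    bad = [bin(a).count("1") for (b, a), w in walsh(T, n, m).items() if w]
    return min(bad) - 1 if bad else n

def degree(T, n, m):
    """Algebraic degree: largest monomial in the ANF of any output bit."""
    best = 0
    for i in range(m):
        anf = [(T[x] >> i) & 1 for x in range(2 ** n)]
        for j in range(n):                  # binary Moebius transform
            for x in range(2 ** n):
                if x >> j & 1:
                    anf[x] ^= anf[x ^ (1 << j)]
        best = max([best] + [bin(x).count("1") for x in range(2 ** n) if anf[x]])
    return best
```

For these choices F has nonlinearity 0 and degree 1, while P keeps resiliency 2 and gains nonlinearity 2^(7-4) · 4 = 32 and degree 3, matching G.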

  7. Nonlinearity
     • Known results for nonlinearity of polynomials
     • $N(x^{2^k+1}) = 2^{n-1} - 2^{(n+s)/2-1}$ if n/s is odd for s = gcd(n,k).
     • $N(x^{2^{2k}-2^k+1}) = 2^{n-1} - 2^{(n-1)/2}$ if n is odd and gcd(n,k) = 1.
     • $N(x^{-1}) = 2^{n-1} - 2^{n/2}$ (by convention, $0^{-1} = 0$)
     • $N(F(x)) \ge 2^{n-1} - \frac{k-1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
     • $N(F(1/x)) \ge 2^{n-1} - \frac{k+1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
     • The nonlinearity of a polynomial is related to the number of rational points of associated algebraic curves.
     • What is the maximal nonlinearity of a balanced Boolean function with odd n?

  8. Stream Ciphers and Resilient Functions
     • Siegenthaler, 1984
     • The complexity of a Combining Generator depends on the resiliency of the combining function F.
     • Divide-and-Conquer Attack (Correlation Attack) - If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1
     [Figure: combining generator; KSG 1, KSG 2, ..., KSG n feed the combining function F]

  9. Previous Studies
     • Siegenthaler
     • Resiliency vs. Algebraic Degree
     • k + d < n for a (n,1,k)-resilient function with algebraic degree d
     • Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitra, Tarannikov
     • Resiliency vs. Nonlinearity
     • Try to maximize nonlinearity given parameters
     • Other works
     • Find the relation between cryptographic properties of Boolean functions - Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS
     • Count the number of Boolean functions satisfying certain properties

  10. Multi-output Stream Ciphers
      • To design a multi-output stream cipher based on a combining generator, we need a resilient function which
      • is nonlinear
      • has algebraic degree as large as possible
      • has nonlinearity as large as possible
      • has resiliency as large as possible
      [Figure: combining generator; KSG 1, KSG 2, ..., KSG n feed the combining function F]

  11. Resiliency of a Boolean function
      • f(x): a Boolean function on $GF(2)^n$
      • $\ker(f) = \{x \in GF(2)^n \mid f(x+y)+f(x)+f(y)=0 \text{ for all } y \in GF(2)^n\}$
      • $B = \{a_1, a_2, a_3, \ldots, a_n\}$: a basis whose first w elements form a basis of ker(f)
      • Let $c = (f(a_1)+1, \ldots, f(a_n)+1)$
      • Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)

  12. Application
      • A linearized polynomial is a polynomial over $GF(2^n)$ such that
      • each of its terms has a degree of a power of 2
      • $V(R) := \{x \in GF(2^n) \mid R(x) = 0\}$ forms a vector space over GF(2)
      • Let F(x) = 1/R(x)
      • Define F(x) = 1 when x belongs to V(R)
      • ker(f) = V(R) for any f(x) = Tr[b/R(x)] since
      • We can apply the main theorem

  13. Theorem 2
      • Tr[bF] is a (w-1)-resilient function under a basis B where

  14. Algebraic Degree and Nonlinearity
      • F(x)=1/R(x) has the algebraic degree n-1-w for the dim w of V(R).
      • F(x) has nonlinearity at least 2n-1 – 2w2n +2w-1
      • Consider a complete nonsingular curve $C_{a,b}: y^2 + y = ax + b/R(x)$
      • $|t| = |\#C_{a,b}(GF(2^n)) - 2^n - 1| \le 2g\sqrt{2^n}$ where $g = 2^w - \delta_{a,0}$ is the genus of $C_{a,b}$
      • $\#C_{a,b}(GF(2^n)) = 2\,\#\{x \in GF(2^n) \mid ax = b\,F(x)\} + 2^w + 1 + \delta_{a,0}$
      • C has a point for a root x of R
      • C has two points at infinity if a = 0 and one point otherwise
      • N(F) = 2n-1-2-1|t-2w-2n|

  15. Example

  16. Example2

  17. Vector Resilient Functions
      • Theorem: If an [n,m,d] linear code exists, then an (n+D+1,m,d-1)-resilient function exists for any non-negative integer D.
      • Note that we can find a linear (n,m,d-1)-resilient function from an [n,m,d] linear code.

  18. A Simplex Code
      • Simplex codes: a $[2^m-1,\, m,\, 2^{m-1}]$ linear code for any positive m
      • Each codeword has the weight $2^{m-1}$
      • It is optimal in the sense that
      • Concatenating each codeword t times gives a $[t(2^m-1),\, m,\, t2^{m-1}]$ linear code, all of whose codewords have the same weight $t2^{m-1}$.
      • Theorem: There is a $(t(2^m-1)+D+1,\, m,\, t2^{m-1}-1)$-resilient function for any positive integer t and D.
      • If there is a (n,m,d) linear code, there exists a $(n+t(2^m-1)+D+1,\, m,\, d+t2^{m-1}-1)$-resilient function for any positive integer t and D.

  19. New Resilient Functions from Old
      • [BGS94]
      • If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient function.
      • If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient function.
      • [ZZ95]
      • If F is an (n,m,t)-resilient function, then $G(x,y,z) = (F(x) \oplus F(y),\, F(y) \oplus F(z))$ is a (3n,2m,2t+1)-resilient function.
      • If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then $F(x) \oplus G(y)$ is an (n+n’, m, t+t’+1)-resilient function.
      • If F is (n,m,t)-resilient and G is (n’, m’, t’)-resilient, then F(x)  G(y) is an (n+n’, m+m’, T)-resilient function where T=min{t,t’}

  20. Stream Ciphers - revisited
      • Correlation Coefficient
      • $c(f,g) = \#\{x \mid f = g\} - \#\{x \mid f \ne g\}$
      • F is k-resilient if $W_f(w) = c(F, l_w) = 0$ for all w with $wt(w) \le k$.
      • Maximal Correlation (Zhang and Agnes, Crypto’00)
      • Let F be a function from $GF(2^n)$ to $GF(2^m)$.
      • $C_F(w) = \max_g c(g \circ F, l_w)$ where g runs through all Boolean functions on $GF(2^m)$.
      • Here we consider not only linear functions, but also nonlinear functions for g.
      • In a combining generator with more than one bit output,
      • A combining function F should have small maximal correlation (Relate to number of rational points of associated algebraic curves)
      • We should consider a resiliency of a composition with F and a Boolean function which is not necessarily linear.

  21. Questions
      • What is the maximum resiliency given n and m?
      • Find the relation among nonlinearity, resiliency and the size of output?
      • Count resilient functions with certain parameters
      • Relation between nonlinear codes and nonlinear resilient functions
      • Extend Siegenthaler’s Inequality to a function with m>1
      • k + d < n for a (n,1,k)-resilient function with algebraic degree d

  22. DISCUSSION Questions????
