Nonlinear Resilient Functions
2001.6.26
Jung Hee Cheon
http://vega.icu.ac.kr/~jhcheon
Information and Communications University (ICU)

Linear Resilient Functions
• An [n,m,d] linear code is an m-dimensional subspace C of $GF(2)^n$ such that the Hamming distance between any two vectors in C is at least d.
• Generating matrix G: an m×n matrix whose rows form a basis for C.
• [CGH85]
• $f(x) = xG^T$ is an (n,m,d-1)-resilient function.
• The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function.

Nonlinear Resilient Functions
• Conjecture 1: If there is an (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?
• Disproved by Stinson and Massey (1995)
• An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions (Journal of Cryptology, Vol. 8, 1995)
• Construct nonlinear resilient functions from the Kerdock and Preparata codes
• Showed nonexistence of linear resilient functions with the same parameters
• For any odd integer $r \ge 3$, a $(2^{r+1},\ 2^{r+1}-2r-2,\ 5)$-resilient function exists.
• For r=3, a (16,8,5)-resilient function exists.

Zhang and Zheng’s Construction
• Composition of a resilient function and a nonlinear permutation gives a nonlinear resilient function
• F: a linear (n,m,k)-resilient function
• G: a permutation on $GF(2)^m$ with nonlinearity $N_G$
• Then $P = G \circ F$ is an (n,m,k)-resilient function such that
• the nonlinearity of P is $2^{n-m} N_G$
• the algebraic degree of P is the same as that of G
• Note that composition with a permutation does not change the frequency of the output

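Added example (not from the original slides): a brute-force check of the linear construction $f(x) = xG^T$ and of the composition $P = G \circ F$, using the Walsh-spectrum criterion for resiliency. The [7,4,3] Hamming code and inversion in $GF(2^4)$ modulo $x^4+x+1$ are assumed choices for the code and the permutation; all function names are hypothetical.

```python
# Added example, not from the slides. GEN and inversion in GF(2^4) are assumed choices.
GEN = [0b1000011, 0b0100101, 0b0010110, 0b0001111]  # [7,4,3] Hamming code, rows of G
N, M = 7, 4

def parity(v):
    return bin(v).count("1") & 1

def linear_f(x):
    """f(x) = x G^T: output bit i is the inner product of x with row i of G."""
    return sum(parity(x & row) << i for i, row in enumerate(GEN))

def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def gf16_inv(y):
    """Nonlinear permutation y -> y^14 = y^(-1), with 0^(-1) = 0."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, y)
    return r

def spectrum(table, m):
    """Walsh values of every component b.F (b != 0) at every input mask a."""
    return {(b, a): sum(1 - 2 * parity((b & y) ^ (a & x)) for x, y in enumerate(table))
            for b in range(1, 1 << m) for a in range(len(table))}

def resiliency(table, m):
    """Largest k such that all Walsh values at masks of weight <= k vanish."""
    return min(bin(a).count("1") for (_, a), w in spectrum(table, m).items() if w) - 1

def nonlinearity(table, m):
    """Minimum distance of any nonzero component b.F to the affine functions."""
    return (len(table) - max(abs(w) for w in spectrum(table, m).values())) // 2

F_TABLE = [linear_f(x) for x in range(1 << N)]   # linear (7,4,2)-resilient F
G_TABLE = [gf16_inv(y) for y in range(1 << M)]   # permutation G on GF(2)^4
P_TABLE = [G_TABLE[y] for y in F_TABLE]          # P = G o F

if __name__ == "__main__":
    print("N_G =", nonlinearity(G_TABLE, M))
    for name, t in (("F", F_TABLE), ("P", P_TABLE)):
        print(name, "resiliency:", resiliency(t, M), "nonlinearity:", nonlinearity(t, M))
```

The composition keeps the resiliency order of F while its nonlinearity rises from 0 to $2^{n-m} N_G$.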
Zhang and Zheng’s Construction (Cont.)
• Converse of the conjecture 1 holds.
• If there is a linear function with certain parameters, then there exists a nonlinear resilient function with the same parameters.
• Nonlinear resilient functions give better parameters and should be studied.
• Limitation of ZZ construction
• The algebraic degree of F is at most the output size m
• It gives a parameter which corresponds to a linear resilient function

Algebraic Degree and Nonlinearity
• The algebraic degree of a Boolean function f is the maximum of the degrees of the terms of f when written in reduced form
• A linear function has algebraic degree 1
• The maximum algebraic degree is the size of the input.
• The nonlinearity of a Boolean function f is its distance from the nearest affine function
• N(f) = min wt(f+) where ranges over all affine functions.
• Nonlinearity is an important measure of the resistance of a block cipher against linear cryptanalysis
• The nonlinearity of a vector Boolean function F is the minimum nonlinearity over its component functions b · F.
• The nonlinearity of a linear function is 0

Nonlinearity
• Known results for nonlinearity of polynomials
• $N(x^{2^k+1}) = 2^{n-1} - 2^{(n+s)/2-1}$ if n/s is odd for s = gcd(n,k).
• $N(x^{2^{2k}-2^k+1}) = 2^{n-1} - 2^{(n-1)/2}$ if n is odd and gcd(n,k) = 1.
• $N(x^{-1}) = 2^{n-1} - 2^{n/2}$ (By notation, $0^{-1} = 0$)
• $N(F(x)) \ge 2^{n-1} - \frac{k-1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
• $N(F(1/x)) \ge 2^{n-1} - \frac{k+1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
• Nonlinearity of a polynomial is related to the number of rational points of associated algebraic curves.
• What is the maximal nonlinearity of a balanced Boolean function with odd n?

Stream Ciphers and Resilient Functions
• Siegenthaler, 1984
• The complexity of a Combining Generator depends on the resiliency of the combining function F.
• Divide-and-Conquer Attack (Correlation Attack) - If the output of F has a correlation with the output of KSG1, we can find the initial vector of the KSG1
[Figure: combining generator with KSG 1, KSG 2, ..., KSG n feeding the combining function F]

Previous Studies
• Siegenthaler
• Resiliency vs. Algebraic Degree
• k + d < n for a (n,1,k)-resilient function with algebraic degree d
• Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitra, Tarannikov
• Resiliency vs. Nonlinearity
• Try to maximize nonlinearity given parameters
• Other works
• Find the relation between cryptographic properties of Boolean functions - Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS
• Count the number of Boolean functions satisfying certain properties

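Added example (not from the original slides): the resiliency versus algebraic degree trade-off, measured on three constructed 5-variable functions by computing the algebraic normal form with a Möbius transform and the resiliency order from the Walsh spectrum. It also covers one case beyond the slide: the bound k + d < n is a statement for k ≤ n-2, and the only (n-1)-resilient functions are the affine ones $x_1 + \dots + x_n (+1)$ with d = 1.

```python
# Added example, not from the slides; the three sample functions are constructed.
def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficients (index = monomial)."""
    c = list(tt)
    step = 1
    while step < len(c):
        for i in range(len(c)):
            if i & step:
                c[i] ^= c[i ^ step]
        step <<= 1
    return c

def degree(tt):
    """Algebraic degree: largest number of variables in a monomial of the ANF."""
    return max((bin(u).count("1") for u, bit in enumerate(anf(tt)) if bit), default=0)

def walsh(tt, a):
    """W_f(a) = #{x : f(x) = a.x} - #{x : f(x) != a.x}, i.e. c(f, l_a)."""
    return sum(1 - 2 * (bit ^ (bin(a & x).count("1") & 1)) for x, bit in enumerate(tt))

def resiliency(tt):
    """Largest k with W_f(a) = 0 for all a of weight <= k (-1 if f is unbalanced)."""
    return min(bin(a).count("1") for a in range(len(tt)) if walsh(tt, a)) - 1

N = 5
SAMPLES = {
    "x1+x2+x3x4x5": lambda x: x[0] ^ x[1] ^ (x[2] & x[3] & x[4]),
    "x1+x2+x3+x4x5": lambda x: x[0] ^ x[1] ^ x[2] ^ (x[3] & x[4]),
    "x1+x2+x3+x4+x5": lambda x: x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4],
}

def profile(f, n=N):
    """Return (k, d): resiliency order and algebraic degree of f on n variables."""
    tt = [f([(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]
    return resiliency(tt), degree(tt)

def satisfies_bound(k, d, n=N):
    """k + d < n, stated for k <= n - 2; k = n - 1 forces the affine case d = 1."""
    return k + d < n if k <= n - 2 else d == 1

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        k, d = profile(f)
        print(f"{name}: k={k} d={d} k+d<n: {k + d < N} bound ok: {satisfies_bound(k, d)}")
```

The first two samples meet the bound with equality k + d = n - 1, which shows that raising the degree by one costs one order of resiliency.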
Multi-output Stream Ciphers
• To design a multi-output stream cipher based on a combining generator, we need a resilient function which
• is nonlinear
• has algebraic degree as large as possible
• has nonlinearity as large as possible
• has resiliency as large as possible
[Figure: combining generator with KSG 1, KSG 2, ..., KSG n feeding the combining function F]

Resiliency of a Boolean function
• f(x): a Boolean function on $GF(2)^n$
• $\ker(f) = \{x \in GF(2)^n \mid f(x+y)+f(x)+f(y)=0 \text{ for all } y \in GF(2)^n\}$
• $B=\{a_1,a_2,a_3,\ldots,a_n\}$: a basis whose first w elements form a basis of ker(f)
• Let $c=(f(a_1)+1, \ldots, f(a_n)+1)$
• Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)

Application
• A linearized polynomial is a polynomial over $GF(2^n)$ such that
• each of its terms has a degree of a power of 2
• $V(R) := \{x \in GF(2^n) \mid R(x) = 0\}$ forms a vector space over GF(2)
• Let F(x) = 1/R(x)
• Define F(x) = 1 when x belongs to V(R)
• ker(f) = V(R) for any f(x) = Tr[b/R(x)] since
• We can apply the main theorem

Theorem 2
• Tr[bF] is a (w-1)-resilient function under a basis B where

Algebraic Degree and Nonlinearity
• F(x)=1/R(x) has the algebraic degree n-1-w for the dim w of V(R).
• F(x) has nonlinearity at least 2n-1 – 2w2n +2w-1
• Consider a complete nonsingular curve $C_{a,b}$: $y^2 + y = ax + b/R(x)$
• |t|=|#Ca,b(GF(2n))-2n-1| 2g2n where g=2w-a,0 is the genus of Ca,b
• #Ca,b(GF(2n))=2#{xGF(2n)|ax=b F(x)}+2w +1 + a,0
• C has a point for a root x of R
• C has two points at infinity if a = 0 and one point otherwise
• N(F) = 2n-1-2-1|t-2w-2n|

Vector Resilient Functions
• Theorem: If an [n,m,d] linear code exists, then an (n+D+1,m,d-1)-resilient function exists for any non-negative integer D.
• Note that we can find a linear (n,m,d-1)-resilient function from an [n,m,d] linear code.

A Simplex Code
• Simplex Codes: a $[2^m-1,\ m,\ 2^{m-1}]$ linear code for any positive m
• Each codeword has the weight $2^{m-1}$
• It is optimal in the sense that
• Concatenating each codeword t times gives a $[t(2^m-1),\ m,\ t2^{m-1}]$ linear code, all of whose codewords have the same weight $t2^{m-1}$.
• Theorem: There is a $(t(2^m-1)+D+1,\ m,\ t2^{m-1}-1)$-resilient function for any positive integer t and D.
• If there is an [n,m,d] linear code, there exists an $(n+t(2^m-1)+D+1,\ m,\ d+t2^{m-1}-1)$-resilient function for any positive integer t and D.

New Resilient Functions from Old
• [BGS94]
• If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient function.
• If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient function.
• [ZZ95]
• If F is an (n,m,t)-resilient function, then
• $G(x,y,z)=(F(x) \oplus F(y),\ F(y) \oplus F(z))$ is a (3n,2m,2t+1)-resilient function.
• If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then
• $F(x) \oplus G(y)$ is an (n+n’, m, t+t’+1)-resilient function.
• If F is (n,m,t)-resilient and G is (n’, m’, t’)-resilient, then
• (F(x), G(y)) is an (n+n’, m+m’, T)-resilient function where T=min{t,t’}

Stream Ciphers - revisited
• Correlation Coefficient
• $c(f,g) = \#\{x \mid f = g\} - \#\{x \mid f \ne g\}$
• F is k-resilient if $W_f(w) = c(F, l_w) = 0$ for all w with $wt(w) \le k$.
• Maximal Correlation (Zhang and Agnes, Crypto’00)
• Let F be a function from $GF(2^n)$ to $GF(2^m)$.
• $C_F(w) = \max c(g \circ F, l_w)$ where g runs through all Boolean functions on $GF(2^m)$.
• Here we consider not only linear functions, but also nonlinear functions for g.
• In a combining generator with more than one bit output,
• A combining function F should have small maximal correlation (related to the number of rational points of associated algebraic curves)
• We should consider the resiliency of a composition of F with a Boolean function which is not necessarily linear.

Questions
• What is the maximum resiliency given n and m?
• Find the relation among nonlinearity, resiliency and the size of output
• Count resilient functions with certain parameters
• Relation between nonlinear codes and nonlinear resilient functions
• Extend Siegenthaler’s Inequality to a function with m>1
• k + d < n for a (n,1,k)-resilient function with algebraic degree d

DISCUSSION Questions????