Information Sciences
journal homepage: www.elsevier.com/locate/ins
National Key Laboratory of Integrated Service Networks, Xidian University, Xian 710071, PR China
Key Laboratory of Computer Network and Information Security, Xidian University, Xian 710071, PR China
Article info
Article history:
Received 18 February 2009
Received in revised form 17 September 2009
Accepted 19 September 2009
Keywords:
Stream cipher
Boolean functions
Global avalanche characteristics
Walsh spectrum
Higher order nonlinearity
Abstract
The criterion for the global avalanche characteristics (GAC) of cryptographic functions is an important property. To measure the correlation between two arbitrary Boolean functions, we propose two new criteria called the sum-of-squares indicator and the absolute indicator of the cross-correlation between two Boolean functions. The two indicators generalize the GAC criterion. Based on the properties of the cross-correlation function, we deduce the rough lower and the rough upper bounds on the two indicators by the Hamming weights of the two Boolean functions, and generalize some properties between the Walsh spectrum and the cross-correlation function. Furthermore, we give the tight upper and the tight lower bounds on the two indicators. Finally, we show some relationships between the upper bounds on the two indicators and the higher order nonlinearity.
2009 Elsevier Inc. All rights reserved.
1. Introduction
Strict avalanche criteria (SAC) [1,15] and propagation characteristic (PC) [11] are important properties to study the dynamic behavior of a cryptographic Boolean function when the input to the function is modified. However, the SAC and PC capture only the local properties of Boolean functions. In order to improve the global analysis of cryptographically strong functions, Zhang and Zheng introduced another criterion, which measures the GAC [16] of just one Boolean function.
In the case of two arbitrary Boolean functions, we say that they are close to each other in a precise statistical sense if they are highly correlated. On the other hand, a correlation of zero between the two Boolean functions means that the two functions are statistically far apart. Shannon [13] outlined the basic design principles of secret key cryptosystems: confusion and diffusion. Confusion means that the constituent Boolean functions of a secret key system should have small correlation to each other, which results in the constituent Boolean functions being very different from each other. Diffusion, on the other hand, means that the constituent Boolean functions should have certain uniformity properties, leading to an overall uniformity of the cryptosystem.
Most work about Boolean function design has been motivated by all kinds of attacks. While this is useful for current practice, a fundamental understanding is required in the long run. In order to understand the relationship between Shannon's informal concepts of confusion and diffusion and cryptographic properties of Boolean functions, we attempt such an investigation. The auto-correlation function is a basic tool in the study of one Boolean function. In this paper we study the more general notion of correlation between two arbitrary Boolean functions, which is the so-called cross-correlation in [12]. We treat here the cross-correlation function as a fundamental tool and propose two new indicators of the cross-correlation function.
This work was supported by the 863 Project (No. 2007AA01Z472 and 2008AA01Z411), the National Natural Science Foundation of China (Grant Nos. 60773003, 60503010 and 60603010), Subject of National Defence Key Lab of Communication Private (No. 9140C1107020905) and Gansu Natural Science Foundation (Grant No. 096RJZA124).
* Corresponding author.
E-mail address: zhouyu.zhy@tom.com (Y. Zhou).
0020-0255/$ - see front matter 2009 Elsevier Inc. All rights reserved.
doi:10.1016/j.ins.2009.09.012
Furthermore, the higher order nonlinearity is an important property of Boolean functions, on which much work has been done in [4–7,9,10,14]. We know that computing the $r$th order nonlinearity of a given Boolean function with algebraic degree strictly greater than $r$ is a hard task for $r > 1$. In this paper, we will study the relationship between the higher order nonlinearity and the two new indicators.
Based on these considerations, we propose two definitions, the sum-of-squares indicator and the absolute indicator of the cross-correlation between two Boolean functions, in Section 2. We give the rough (or tight) upper and the rough (or tight) lower bounds on the two indicators, and generalize more general properties of the cross-correlation between two arbitrary Boolean functions, in Section 3. Finally we show some relationships between the upper bounds on the two indicators and the higher order nonlinearity in Section 4.
2. Preliminaries
Let us denote the set of $n$-variable Boolean functions by $B_n$. We denote by $\oplus$ the additions in $\mathbb{F}_2$, $\mathbb{F}_2^n$ and $B_n$. Any $f(x) \in B_n$ can be expressed as a polynomial, called its algebraic normal form (ANF):
$$f(x_1, \ldots, x_n) = a_0 \oplus \bigoplus_{1 \le i \le n} a_i x_i \oplus \bigoplus_{1 \le i < j \le n} a_{i,j} x_i x_j \oplus \cdots \oplus a_{1,\ldots,n} x_1 x_2 \cdots x_n,$$
where the coefficients $a_0, a_i, a_{i,j}, \ldots, a_{1,\ldots,n} \in \mathbb{F}_2$. The algebraic degree, $\deg(f)$, is the number of variables in the highest order term with non-zero coefficient. A Boolean function is affine if there exists no term of degree $> 1$ in the ANF, and the set of all affine functions is denoted by $A_n$. An affine function with constant term equal to zero is called a linear function. We denote by $\varphi_a$, $a \in \mathbb{F}_2^n$, the linear function $x \mapsto \varphi_a(x) = a \cdot x = a_1 x_1 \oplus a_2 x_2 \oplus \cdots \oplus a_n x_n$. The Hamming weight of $f(x) \in B_n$, $wt(f)$, is the size of its support $\{x \in \mathbb{F}_2^n \mid f(x) = 1\}$. A function $f(x) \in B_n$ is balanced if $wt(f) = 2^{n-1}$ holds.
The Walsh spectrum of $f(x) \in B_n$ is defined as
$$F(f \oplus \varphi_a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus a \cdot x}.$$
Reed–Muller codes, introduced by Muller and Reed in 1954, being one of the best understood families of codes, can be defined in terms of Boolean functions. The binary $r$th order Reed–Muller code $RM(r, n)$ is the set of all binary vectors of length $2^n$ associated with multivariate binary polynomials $f(x_1, x_2, \ldots, x_n)$ of algebraic degree at most $r$ [9].
The Hamming distance $d_H(f, g)$ between two $n$-variable Boolean functions $f(x)$ and $g(x)$ equals the size of the set $\{x \in \mathbb{F}_2^n \mid f(x) \ne g(x)\}$. We have
$$d_H(f, g) = 2^{n-1} - \frac{1}{2} \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x)}.$$
We shall denote by $nl_r(f)$ the minimum Hamming distance between a given Boolean function $f(x) \in B_n$ and all Boolean functions $g(x) \in B_n$ of degree at most $r$. Then
$$nl_r(f) = 2^{n-1} - \frac{1}{2} \max_{g \in RM(r, n)} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x)} \Big|.$$
Definition 1. The cross-correlation function between two Boolean functions $f(x), g(x) \in B_n$ is an integer-valued function $\Delta_{f,g} : \mathbb{F}_2^n \to [-2^n, 2^n]$ defined by
$$\Delta_{f,g}(\alpha) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} = \sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f,g}(\alpha)},$$
where $D_{f,g}(\alpha)$ denotes the Boolean function $x \mapsto f(x) \oplus g(x \oplus \alpha)$. For $g(x) = f(x)$ this is the auto-correlation function
$$\Delta_f(\alpha) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus f(x \oplus \alpha)}.$$
Two $n$-variable Boolean functions $f(x), g(x) \in B_n$ are said to be perfectly uncorrelated if $\Delta_{f,g}(\alpha) = 0$ for all $\alpha \in \mathbb{F}_2^n$, and are said to be uncorrelated of degree $k$ if $\Delta_{f,g}(\alpha) = 0$ for all $\alpha \in \mathbb{F}_2^n$ such that $0 \le wt(\alpha) \le k$.
In terms of Shannon's theory, if the component functions of a secret key system are pairwise perfectly uncorrelated, then the statistical distance between any two Boolean functions is the maximum possible. So the system has the best confusion. But this is too restrictive in practice. Thus we need to ensure that the cross-correlation between two arbitrary Boolean functions is uniformly small. Especially, in most secret key cryptosystems, such as Linear Feedback Shift Register (LFSR), running key generator, and pseudorandom sequence generator, the main components are Boolean functions. When Boolean functions are used to generate key stream sequences, one sequence can take the place of the other sequence in a statistical sense if the two sequences generated by two Boolean functions $f(x)$ and $g(x)$ are very close. Furthermore, from the perspective of an attacker, he (or she) can attack the unknown sequence by the known sequence. So the correlation is an important aspect of designing different sequences.
To measure correlation between $f(x)$ and $g(x)$, we propose the following two indicators:
Definition 2. Let $f(x), g(x) \in B_n$. The sum-of-squares indicator of the cross-correlation between $f(x)$ and $g(x)$ is defined by
$$\sigma_{f,g} = \sum_{\alpha \in \mathbb{F}_2^n} \Delta^2_{f,g}(\alpha),$$
and the absolute indicator by
$$\Delta_{f,g} = \max_{\alpha \in \mathbb{F}_2^n} |\Delta_{f,g}(\alpha)|.$$
Since the idea of the two indicators comes from the GAC [16], the sum-of-squares indicator and the absolute indicator of the cross-correlation function are called the global avalanche characteristics between two Boolean functions.
From Definition 2, we know that the two new criteria are generalizations of those in [3] and [16].
The smaller $\Delta_{f,g}$ and $\sigma_{f,g}$, the better the uncorrelation.
The two indicators introduce a number of problems to be resolved. These include:
1. What are the upper and the lower bounds on the two indicators?
2. Are there some relationships between the two indicators and other cryptographic indicators, such as nonlinearity, SAC,
PC and correlation immunity?
3. How to measure precise properties between the GAC of two different Boolean functions and any other criteria?
Lemma 1. Let $f(x), g(x) \in B_n$. Then
$$\sum_{\alpha \in \mathbb{F}_2^n} \Delta_{f,g}(\alpha) = (2^n - 2wt(f))(2^n - 2wt(g)).$$
Proof.
$$\sum_{\alpha \in \mathbb{F}_2^n} \Delta_{f,g}(\alpha) = \sum_{\alpha \in \mathbb{F}_2^n} \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} \sum_{\alpha \in \mathbb{F}_2^n} (-1)^{g(x \oplus \alpha)} = (2^n - 2wt(f))(2^n - 2wt(g)). \qquad \square$$
Theorem 1. Let $f(x), g(x) \in B_n$ and, for $\alpha \in \mathbb{F}_2^n$, let $C^0_\alpha = \{x \in \mathbb{F}_2^n \mid f(x) = 1, g(x \oplus \alpha) = 1\}$. Then
$$\Delta_{f,g}(\alpha) = 2^n - 2wt(f) - 2wt(g) + 4|C^0_\alpha|.$$
Proof.
$$\Delta_{f,g}(\alpha) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} = \sum_{x \in \mathbb{F}_2^n} (1 - 2f(x))(-1)^{g(x \oplus \alpha)} = 2^n - 2wt(g) - 2 \sum_{x \in \mathbb{F}_2^n} f(x)(-1)^{g(x \oplus \alpha)}$$
$$= 2^n - 2wt(g) - 2 \sum_{x \in \mathbb{F}_2^n} f(x)\big(1 - 2g(x \oplus \alpha)\big) = 2^n - 2wt(f) - 2wt(g) + 4 \sum_{x \in \mathbb{F}_2^n} f(x) g(x \oplus \alpha) = 2^n - 2wt(f) - 2wt(g) + 4|C^0_\alpha|. \qquad \square$$
Proof. By the definition of perfect uncorrelation, Lemma 1 and Theorem 1, we get the result (1). And (2) is easily proved by Theorem 1. $\square$
Based on Theorem 1 and Corollary 1, we give a rough upper bound and a rough lower bound on
weights of $f(x)$ and $g(x)$.
Proof. Let $k_1 = wt(f)$ and $k_2 = wt(g)$. Since
$$\sum_{\alpha \in \mathbb{F}_2^n} |C^0_\alpha|^2 = \sum_{\alpha \in \mathbb{F}_2^n} \Big[ \sum_{x \in \mathbb{F}_2^n} f(x) g(x \oplus \alpha) \Big]^2 = \sum_{\alpha \in \mathbb{F}_2^n} \big[ f(x_1) g(x_1 \oplus \alpha) + f(x_2) g(x_2 \oplus \alpha) + \cdots + f(x_{2^n}) g(x_{2^n} \oplus \alpha) \big]^2$$
$$= \sum_{\alpha \in \mathbb{F}_2^n} \sum_{x \in \mathbb{F}_2^n} f^2(x) g^2(x \oplus \alpha) + 2 \sum_{\alpha \in \mathbb{F}_2^n} \sum_{i < j} f(x_i) f(x_j) g(x_i \oplus \alpha) g(x_j \oplus \alpha)$$
$$= \sum_{x \in \mathbb{F}_2^n} f^2(x) \Big[ \sum_{\alpha \in \mathbb{F}_2^n} g^2(x \oplus \alpha) \Big] + 2 \sum_{i < j} f(x_i) f(x_j) \Big[ \sum_{\alpha \in \mathbb{F}_2^n} g(x_i \oplus \alpha) g(x_j \oplus \alpha) \Big] = k_1 k_2 + 2 \sum_{i < j} f(x_i) f(x_j) \sum_{\alpha \in \mathbb{F}_2^n} g(x_i \oplus \alpha) g(x_j \oplus \alpha).$$
Note that
$$0 \le \sum_{i < j} f(x_i) f(x_j) \sum_{\alpha \in \mathbb{F}_2^n} g(x_i \oplus \alpha) g(x_j \oplus \alpha) \le \binom{k_1}{2} k_2.$$
By Theorem 1 and $\sum_{\alpha \in \mathbb{F}_2^n} |C^0_\alpha| = k_1 k_2$,
$$\sigma_{f,g} = \sum_{\alpha \in \mathbb{F}_2^n} \Delta^2_{f,g}(\alpha) = \sum_{\alpha \in \mathbb{F}_2^n} \big( 2^n - 2k_1 - 2k_2 + 4|C^0_\alpha| \big)^2$$
$$= 2^{3n} - 2^{2n+2}(k_1 + k_2) + 2^{n+2}(k_1 + k_2)^2 + 2^{n+3} k_1 k_2 - 16 k_1 k_2 (k_1 + k_2) + 16 \sum_{\alpha \in \mathbb{F}_2^n} |C^0_\alpha|^2.$$
Combining Eq. (1) and the above result, we have the proof. $\square$
In the following, we give the relationship among the Hamming weights of $f(x)$ and $g(x)$, the number of variables $n$ and the uncorrelation degree $t$.
Theorem 3. Let $f(x), g(x) \in B_n$, $wt(f) = k_1$, $wt(g) = k_2$, and let $f(x)$ and $g(x)$ be uncorrelated of degree $t$.
(1) If $k_1 + k_2 > 2^{n-1}$, then $\displaystyle\sum_{i=0}^{t} \binom{n}{i} \le \frac{4 k_1 k_2}{2k_1 + 2k_2 - 2^n}$;
(2) If $k_1 + k_2 < 2^{n-1}$, then $\displaystyle\sum_{i=0}^{t} \binom{n}{i} \ge \frac{4 k_1 k_2}{2k_1 + 2k_2 - 2^n}$;
(3) If $k_1 + k_2 = 2^{n-1}$, then $0 \le \Delta_{f,g}(\alpha) \le 4|C^0_\alpha|$ for $\alpha \in \mathbb{F}_2^n$.
Proof. Since $f(x)$ and $g(x)$ are uncorrelated of degree $t$, for any $\alpha \in \mathbb{F}_2^n$ with $0 \le wt(\alpha) \le t$, we have $\Delta_{f,g}(\alpha) = 0$. That is, the number of $\alpha$ with $\Delta_{f,g}(\alpha) = 0$ is at least $\sum_{i=0}^{t} \binom{n}{i}$. By Theorem 1, $|C^0_\alpha| = \frac{1}{4}(2wt(f) + 2wt(g) - 2^n)$ for any $\alpha \in \mathbb{F}_2^n$ such that $0 \le wt(\alpha) \le t$. By Corollary 1, we have
$$wt(f)\,wt(g) = \sum_{\alpha \in \mathbb{F}_2^n} |C^0_\alpha| = \sum_{\substack{\alpha \in \mathbb{F}_2^n \\ 0 \le wt(\alpha) \le t}} |C^0_\alpha| + \sum_{\substack{\alpha \in \mathbb{F}_2^n \\ wt(\alpha) \ge t+1}} |C^0_\alpha| \ge \sum_{\substack{\alpha \in \mathbb{F}_2^n \\ 0 \le wt(\alpha) \le t}} |C^0_\alpha|.$$
That is, $k_1 k_2 \ge \dfrac{2k_1 + 2k_2 - 2^n}{4} \displaystyle\sum_{i=0}^{t} \binom{n}{i}$. Thus (1) and (2) are proved. (3) If $k_1 + k_2 = 2^{n-1}$, then $\Delta_{f,g}(\alpha) = 4|C^0_\alpha|$ for any $\alpha \in \mathbb{F}_2^n$. So this result is proved. $\square$
Theorem 3 implies a restrictive relationship among $wt(f)$, $wt(g)$ and the uncorrelation degree $t$ of these two Boolean functions $f(x)$ and $g(x)$. In the design of Boolean functions we should take into account the restrictive relationship among $k_1$, $k_2$ and $t$.
Note that $\Delta_{f,g} = \max_{\alpha \in \mathbb{F}_2^n} |\Delta_{f,g}(\alpha)|$. By the definition of $\Delta_{f,g}(\alpha)$, we can easily obtain a tight lower and a tight upper bound on $\Delta_{f,g}$ as follows.
Theorem 4. Let $f(x), g(x) \in B_n$. Then
(1) $0 \le \Delta_{f,g} \le 2^n$;
(2) $\Delta_{f,g} = 0$ if and only if $f(x) \oplus g(x \oplus \alpha)$ is balanced for any $\alpha \in \mathbb{F}_2^n$;
(3) $\Delta_{f,g} = 2^n$ if and only if $f(x) \oplus g(x \oplus \alpha) = a$ ($a \in \mathbb{F}_2$) for some $\alpha \in \mathbb{F}_2^n$.
In order to give the lower and the upper bounds on
Lemma 2. Let $f(x), g(x) \in B_n$. Then
$$\sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = 2^n \sum_{e \in \mathbb{F}_2^n} \Delta^2_{f,g}(e).$$
Proof. For any $x \in \mathbb{F}_2^n$,
$$F(f \oplus \varphi_x) F(g \oplus \varphi_x) = \sum_{u \in \mathbb{F}_2^n} \Delta_{f,g}(u) (-1)^{x \cdot u}.$$
We have
$$F^2(f \oplus \varphi_x) F^2(g \oplus \varphi_x) = \Big[ \sum_{u \in \mathbb{F}_2^n} \Delta_{f,g}(u) (-1)^{x \cdot u} \Big]^2 = \Big[ \sum_{a \in \mathbb{F}_2^n} \Delta_{f,g}(a) (-1)^{x \cdot a} \Big] \Big[ \sum_{e \in \mathbb{F}_2^n} \Delta_{f,g}(e) (-1)^{x \cdot e} \Big] = \sum_{e \in \mathbb{F}_2^n} \Delta^2_{f,g}(e) + \sum_{\substack{a, e \in \mathbb{F}_2^n \\ a \ne e}} \Delta_{f,g}(a) \Delta_{f,g}(e) (-1)^{(a \oplus e) \cdot x}.$$
Thus
$$\sum_{x \in \mathbb{F}_2^n} F^2(f \oplus \varphi_x) F^2(g \oplus \varphi_x) = \sum_{x \in \mathbb{F}_2^n} \sum_{e \in \mathbb{F}_2^n} \Delta^2_{f,g}(e) + \sum_{\substack{a, e \in \mathbb{F}_2^n \\ a \ne e}} \Delta_{f,g}(a) \Delta_{f,g}(e) \sum_{x \in \mathbb{F}_2^n} (-1)^{(a \oplus e) \cdot x} = 2^n \sum_{e \in \mathbb{F}_2^n} \Delta^2_{f,g}(e),$$
since for $a \ne e$ we have
$$\sum_{x \in \mathbb{F}_2^n} (-1)^{(a \oplus e) \cdot x} = 0.$$
Thus,
$$\sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = 2^n \sum_{e \in \mathbb{F}_2^n} \Delta^2_{f,g}(e). \qquad \square$$
From Lemma 2, we give the following expression of the sum-of-squares indicator between $f(x)$ and $g(x)$.
Corollary 2. Let $f(x), g(x) \in B_n$. Then
$$\sigma_{f,g} = \frac{1}{2^n} \sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha).$$
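As an added illustration (example code, not from the paper), the following Python computes $\Delta_{f,g}$, the two indicators of Definition 2 and the Walsh spectrum from truth tables, and checks Lemma 1, Theorem 1 and Corollary 2 on a constructed pair of 3-variable functions; the truth-table layout and the helper names are this example's own conventions.

```python
# Added example (not from the paper): the cross-correlation Delta_{f,g},
# the two indicators of Definition 2, and numerical checks of Lemma 1,
# Theorem 1 and Corollary 2 on constructed 3-variable functions.
# Truth-table convention (an assumption of this example): a function is a
# list of 2**n bits, entry x being f(x), with x_i = bit (i-1) of the integer x.

def dot(a, x):
    """Inner product a.x over F_2: parity of the bitwise AND."""
    return bin(a & x).count("1") & 1

def walsh(f, n, a):
    """F(f + phi_a) = sum_x (-1)^(f(x) + a.x)."""
    return sum((-1) ** (f[x] ^ dot(a, x)) for x in range(2 ** n))

def cross_corr(f, g, n, alpha):
    """Definition 1: Delta_{f,g}(alpha) = sum_x (-1)^(f(x) + g(x + alpha))."""
    return sum((-1) ** (f[x] ^ g[x ^ alpha]) for x in range(2 ** n))

def sum_of_squares(f, g, n):
    """Definition 2: sigma_{f,g} = sum_alpha Delta_{f,g}(alpha)^2."""
    return sum(cross_corr(f, g, n, a) ** 2 for a in range(2 ** n))

def absolute_indicator(f, g, n):
    """Definition 2: Delta_{f,g} = max_alpha |Delta_{f,g}(alpha)|."""
    return max(abs(cross_corr(f, g, n, a)) for a in range(2 ** n))

def from_anf(n, monomials):
    """Truth table from an ANF given as monomials, each a tuple of 1-based
    variable indices; the empty tuple () is the constant term a_0."""
    table = []
    for x in range(2 ** n):
        bits = [(x >> i) & 1 for i in range(n)]
        value = 0
        for m in monomials:
            value ^= int(all(bits[i - 1] for i in m))
        table.append(value)
    return table

def check_identities(f, g, n):
    """Return (Lemma 1 holds, Theorem 1 holds, Corollary 2 holds) for f, g."""
    N = 2 ** n
    wf, wg = sum(f), sum(g)
    # Lemma 1: sum_alpha Delta_{f,g}(alpha) = (2^n - 2wt(f))(2^n - 2wt(g)).
    lemma1 = sum(cross_corr(f, g, n, a) for a in range(N)) == (N - 2 * wf) * (N - 2 * wg)
    # Theorem 1: Delta_{f,g}(alpha) = 2^n - 2wt(f) - 2wt(g) + 4|C^0_alpha|,
    # where C^0_alpha = {x : f(x) = 1 and g(x + alpha) = 1}.
    theorem1 = all(
        cross_corr(f, g, n, a)
        == N - 2 * wf - 2 * wg + 4 * sum(f[x] & g[x ^ a] for x in range(N))
        for a in range(N))
    # Corollary 2: sigma_{f,g} = 2^-n sum_a F(f+phi_a)^2 F(g+phi_a)^2.
    corollary2 = (N * sum_of_squares(f, g, n)
                  == sum(walsh(f, n, a) ** 2 * walsh(g, n, a) ** 2 for a in range(N)))
    return lemma1, theorem1, corollary2

# Constructed sample pair: f = x1 x2 + x3 and g = x1 + x2 x3 on n = 3 variables.
N_VARS = 3
F_TABLE = from_anf(N_VARS, [(1, 2), (3,)])
G_TABLE = from_anf(N_VARS, [(1,), (2, 3)])

if __name__ == "__main__":
    print("sigma_{f,g} =", sum_of_squares(F_TABLE, G_TABLE, N_VARS))
    print("Delta_{f,g} =", absolute_indicator(F_TABLE, G_TABLE, N_VARS))
    print("Lemma 1, Theorem 1, Corollary 2 hold:", check_identities(F_TABLE, G_TABLE, N_VARS))
```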
Corollary 2 is an important property used to deduce the lower and the upper bounds on
Lemma 3 is also another important property.
Lemma 3. Let $f(x), g(x) \in B_n$, and $V$ be a subspace of $\mathbb{F}_2^n$ with $\dim V = k$. Then, for any $b \in \mathbb{F}_2^n$,
$$\sum_{a \in V} F(f \oplus \varphi_a) F(g \oplus \varphi_{a \oplus b}) = 2^k \sum_{e \in V^\perp} (-1)^{b \cdot e} F(D_{f,g}(e) \oplus \varphi_b).$$
Proof.
$$\sum_{a \in V} F(f \oplus \varphi_a) F(g \oplus \varphi_{a \oplus b}) = \sum_{a \in V} \Big( \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus x \cdot a} \Big) \Big( \sum_{y \in \mathbb{F}_2^n} (-1)^{g(y) \oplus y \cdot (a \oplus b)} \Big) = \sum_{x, y \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(y) \oplus y \cdot b} \sum_{a \in V} (-1)^{(x \oplus y) \cdot a},$$
where
$$\sum_{a \in V} (-1)^{a \cdot (x \oplus y)} = \begin{cases} 2^k, & x \oplus y \in V^\perp, \\ 0, & x \oplus y \notin V^\perp. \end{cases}$$
Hence
$$\sum_{a \in V} F(f \oplus \varphi_a) F(g \oplus \varphi_{a \oplus b}) = 2^k \sum_{\substack{x, y \in \mathbb{F}_2^n \\ x \oplus y \in V^\perp}} (-1)^{f(x) \oplus g(y) \oplus y \cdot b} = 2^k \sum_{x \in \mathbb{F}_2^n} \sum_{\substack{e \in V^\perp \\ y = x \oplus e}} (-1)^{f(x) \oplus g(x \oplus e) \oplus (x \oplus e) \cdot b}$$
$$= 2^k \sum_{e \in V^\perp} \Big[ \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus e) \oplus x \cdot b} \Big] (-1)^{e \cdot b} = 2^k \sum_{e \in V^\perp} (-1)^{b \cdot e} F(D_{f,g}(e) \oplus \varphi_b). \qquad \square$$
Similarly, for any $b \in \mathbb{F}_2^n$,
$$\sum_{a \in V} F^2(f \oplus \varphi_{a \oplus b}) = 2^k \sum_{e \in V^\perp} (-1)^{b \cdot e} F(D_f(e)).$$
$\alpha \in \mathbb{F}_2^n$.
Let $\mathbf{0} = (0, 0, \ldots, 0) \in \mathbb{F}_2^n$. Based on Corollary 2, Lemmas 3 and 4, we give the tight lower and the tight upper bounds on $\sigma_{f,g}$.
Theorem 5. Let $f(x), g(x) \in B_n$. Then
(1) $\Delta_{f,g}(\mathbf{0})^2 \le \sigma_{f,g} \le 2^{3n}$;
(2) $\sigma_{f,g} = 2^{3n}$ if and only if $f(x)$ and $g(x)$ are affine Boolean functions;
(3) $\sigma_{f,g} = \Delta_{f,g}(\mathbf{0})^2$ if and only if $f(x)$ and $g(x)$ are Bent functions or $f(x)$ and $g(x)$ are perfectly uncorrelated.
Proof.
(1) By Corollary 2 and Parseval's relation, we have
$$\sigma_{f,g} = \frac{1}{2^n} \sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) \le \frac{1}{2^n} \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) \Big] \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F^2(g \oplus \varphi_\alpha) \Big] = 2^{3n}.$$
We also have
$$\sum_{\alpha \in \mathbb{F}_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 2^n \Delta_{f,g}(\mathbf{0}).$$
By the Cauchy–Schwarz inequality,
$$\sigma_{f,g} = \frac{1}{2^{2n}} \Big[ \sum_{\alpha \in \mathbb{F}_2^n} \big( F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \big)^2 \Big] \Big[ \sum_{\alpha \in \mathbb{F}_2^n} 1^2 \Big] \ge \frac{1}{2^{2n}} \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \cdot 1 \Big]^2 = \frac{1}{2^{2n}} \big( 2^n \Delta_{f,g}(\mathbf{0}) \big)^2 = \Delta_{f,g}(\mathbf{0})^2.$$
Thus, $\Delta_{f,g}(\mathbf{0})^2 \le \sigma_{f,g} \le 2^{3n}$.
(2) $\sigma_{f,g} = 2^{3n}$ if and only if
$$\sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F^2(f \oplus \varphi_\alpha) \Big] \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F^2(g \oplus \varphi_\alpha) \Big].$$
That is,
$$\sum_{\substack{a, b \in \mathbb{F}_2^n \\ a \ne b}} F^2(f \oplus \varphi_a) F^2(g \oplus \varphi_b) = 0,$$
so $F(f \oplus \varphi_a) F(g \oplus \varphi_b) = 0$ whenever $a \ne b$. If $f(x)$ had two non-zero Walsh coefficients, $g(x)$ would have none, contradicting Parseval's relation; hence each of $f(x)$ and $g(x)$ has exactly one non-zero Walsh coefficient, equal to $\pm 2^n$, and $f(x)$ and $g(x)$ are affine Boolean functions.
(3) $\sigma_{f,g} = \Delta_{f,g}(\mathbf{0})^2$ if and only if equality holds in the Cauchy–Schwarz inequality above,
$$\Big[ \sum_{\alpha \in \mathbb{F}_2^n} \big( F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \big)^2 \Big] \Big[ \sum_{\alpha \in \mathbb{F}_2^n} 1^2 \Big] = \Big[ \sum_{\alpha \in \mathbb{F}_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \cdot 1 \Big]^2,$$
that is, if and only if
$$\frac{F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha)}{1} = k$$
for all $\alpha \in \mathbb{F}_2^n$, where $k$ is a real number. There are two cases:
(a) If $k = 0$, then $f(x)$ and $g(x)$ are perfectly uncorrelated by Lemma 4.
(b) If $k \ne 0$, then $F(f \oplus \varphi_b) F(g \oplus \varphi_b) = k$ for any $b \in \mathbb{F}_2^n$. So $F(f \oplus \varphi_a) F(g \oplus \varphi_a) = F(f \oplus \varphi_b) F(g \oplus \varphi_b) = k$ for any $a \in \mathbb{F}_2^n$ and $b \in \mathbb{F}_2^n$. For simplicity, let
$$\frac{F(f \oplus \varphi_a)}{F(f \oplus \varphi_b)} = \frac{F(g \oplus \varphi_b)}{F(g \oplus \varphi_a)} = t,$$
that is, $F(f \oplus \varphi_a) = t\,F(f \oplus \varphi_b)$ and $F(g \oplus \varphi_b) = t\,F(g \oplus \varphi_a)$. By Parseval's relation, we have
$$2^{2n} = \sum_{a \in \mathbb{F}_2^n} F^2(f \oplus \varphi_a) = t^2 \sum_{b \in \mathbb{F}_2^n} F^2(f \oplus \varphi_b) = t^2\, 2^{2n}.$$
Thus $t = \pm 1$. So $F^2(f \oplus \varphi_a)$ and $F^2(g \oplus \varphi_a)$ are constants for any $a \in \mathbb{F}_2^n$, and we have $F(f \oplus \varphi_a) = \pm 2^{\frac{n}{2}}$ and $F(g \oplus \varphi_a) = \pm 2^{\frac{n}{2}}$. So $f(x)$ and $g(x)$ are Bent functions. $\square$
When $f(x) = g(x)$, $\Delta_{f,g}(\mathbf{0}) = \Delta_f(\mathbf{0}) = 2^n$, so Theorem 5 generalizes the lower and the upper bounds on the sum-of-squares indicator in [16]:
Corollary 4 [16]. Let $f(x) \in B_n$. Then
(1) $2^{2n} \le \sigma_f \le 2^{3n}$;
(2) $\sigma_f = 2^{3n}$ if and only if $f(x)$ is an affine Boolean function;
(3) $\sigma_f = 2^{2n}$ if and only if $f(x)$ is a Bent function.
Remark 1. Theorems 4 and 5 generalize the results of the GAC in [16]. The two indicators imply that, if $f(x)$ and $g(x)$ have a lower sum-of-squares value, then these two Boolean functions are very close to Bent functions; if $f(x)$ and $g(x)$ have a lower absolute value, these two Boolean functions are very close to affine Boolean functions.
Finally, we give the relationship between the Walsh spectrum and the decompositions of $f(x)$ and $g(x)$.
Definition 3. Let $W$ be a subspace of $\mathbb{F}_2^n$ with $\dim W = k$. The decomposition of $f(x)$ with respect to $W$ is the sequence $\{f_a \mid a \in V\}$, where $V$ is a subspace such that $\mathbb{F}_2^n$ is the direct sum of $W$ and $V$, and $f_a$ is the Boolean function of $k$ variables, from $W$ to $\mathbb{F}_2$, defined by $f_a(x) = f(a \oplus x)$ for any $x \in W$.
We write
$$F(f_a) = \sum_{x \in W} (-1)^{f(a \oplus x)}.$$
Theorem 6. Let $W$ be a subspace of $\mathbb{F}_2^n$ with dimension $k$, and $\{f_a \mid a \in V\}$ and $\{g_a \mid a \in V\}$ be the decompositions of $f(x)$ and $g(x)$ with respect to $W$. Then
$$\sum_{\alpha \in W^\perp} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 2^{n-k} \sum_{a \in V} F(f_a) F(g_a).$$
Proof. For any $b \in W$,
$$\Delta_{f,g}(b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus b)} = \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus b)}.$$
By Lemma 3 (with $W^\perp$ in place of $V$ and $b = \mathbf{0}$),
$$\sum_{\alpha \in W^\perp} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 2^{n-k} \sum_{b \in W} \Delta_{f,g}(b) = 2^{n-k} \Big[ \sum_{b \in W} \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus b)} \Big] = 2^{n-k} \Big[ \sum_{a \in V} \sum_{b \in W} \sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus b)} \Big]$$
$$= 2^{n-k} \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x)} \sum_{b \in W} (-1)^{g(x \oplus a \oplus b)} = 2^{n-k} \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x)} \sum_{\substack{y \in W \\ y = x \oplus b}} (-1)^{g(y \oplus a)} = 2^{n-k} \sum_{a \in V} F(f_a) F(g_a). \qquad \square$$
In particular, for $g(x) = f(x)$,
$$\sum_{\alpha \in W^\perp} F^2(f \oplus \varphi_\alpha) = 2^{n-k} \sum_{a \in V} F^2(f_a).$$
Lemma 5. Let $f(x), g(x) \in B_n$ with $\deg(g) \le r$. Then, for any $\alpha \in \mathbb{F}_2^n$,
$$nl_r(f) \le 2^{n-1} - \frac{1}{2} |\Delta_{f,g}(\alpha)|.$$
Proof. For any $\alpha \in \mathbb{F}_2^n$, since $\deg(g) \le r$, we have
$$|\Delta_{f,g}(\alpha)| = \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} \Big| \le \max_{h \in RM(r, n)} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus h(x)} \Big|.$$
So,
$$nl_r(f) = 2^{n-1} - \frac{1}{2} \max_{h \in RM(r, n)} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus h(x)} \Big| \le 2^{n-1} - \frac{1}{2} |\Delta_{f,g}(\alpha)|. \qquad \square$$
From Lemma 5, we can easily give the relationship between the two new criteria and the $r$th order nonlinearity:
Theorem 7. Let $f(x), g(x) \in B_n$ and $\deg(g) \le r$. Then
(1) $\Delta_{f,g} \le 2^n - 2\,nl_r(f)$;
(2) $\sigma_{f,g} \le 2^{3n} - 2^{2n+2}\,nl_r(f) + 2^{n+2}\,nl_r(f)^2$.
In the following, we give a relationship between the $(r-1)$th order nonlinearity of the derivative of $f(x)$ and the two indicators.
Theorem 8. Let $f(x), g(x) \in B_n$ and $\deg(g) \le r$. Then
(1) $\Delta_{f,g} \le \sqrt{2^{2n} - 2 \sum_{b \in \mathbb{F}_2^n} nl_{r-1}(D_{f(x)}(b))}$;
(2) $\sigma_{f,g} \le 2^{3n} - 2^{n+1} \sum_{b \in \mathbb{F}_2^n} nl_{r-1}(D_{f(x)}(b))$.
Proof. Write $D_{f(x)}(b) = f(x) \oplus f(x \oplus b)$ and $D_{g(x \oplus \alpha)}(b) = g(x \oplus \alpha) \oplus g(x \oplus \alpha \oplus b)$. For any $\alpha \in \mathbb{F}_2^n$,
$$\Delta^2_{f,g}(\alpha) = \Big[ \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} \Big]^2 = \sum_{x, y \in \mathbb{F}_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha) \oplus f(y) \oplus g(y \oplus \alpha)} = \sum_{b \in \mathbb{F}_2^n} \sum_{\substack{x, y \in \mathbb{F}_2^n \\ y = x \oplus b}} (-1)^{f(x) \oplus f(y) \oplus g(x \oplus \alpha) \oplus g(y \oplus \alpha)} = \sum_{b \in \mathbb{F}_2^n} \sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f(x)}(b) \oplus D_{g(x \oplus \alpha)}(b)}.$$
Since $\deg(g) \le r$, we have $D_{g(x \oplus \alpha)}(b) \in RM(r-1, n)$, so
$$\sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f(x)}(b) \oplus D_{g(x \oplus \alpha)}(b)} \le \max_{h \in RM(r-1, n)} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f(x)}(b) \oplus h(x)} \Big|.$$
And
$$nl_{r-1}(D_{f(x)}(b)) = 2^{n-1} - \frac{1}{2} \max_{h \in RM(r-1, n)} \Big| \sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f(x)}(b) \oplus h(x)} \Big| \le 2^{n-1} - \frac{1}{2} \sum_{x \in \mathbb{F}_2^n} (-1)^{D_{f(x)}(b) \oplus D_{g(x \oplus \alpha)}(b)}.$$
So,
$$\Delta^2_{f,g}(\alpha) \le \sum_{b \in \mathbb{F}_2^n} \big( 2^n - 2\,nl_{r-1}(D_{f(x)}(b)) \big) = 2^{2n} - 2 \sum_{b \in \mathbb{F}_2^n} nl_{r-1}(D_{f(x)}(b)),$$
which proves (1). Then
$$\sigma_{f,g} = \sum_{\alpha \in \mathbb{F}_2^n} \Delta^2_{f,g}(\alpha) \le 2^n \Big[ 2^{2n} - 2 \sum_{b \in \mathbb{F}_2^n} nl_{r-1}(D_{f(x)}(b)) \Big] = 2^{3n} - 2^{n+1} \sum_{b \in \mathbb{F}_2^n} nl_{r-1}(D_{f(x)}(b)). \qquad \square$$
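Added example (not the paper's code) checking Theorems 7 and 8 for $r = 1$, where $\deg(g) \le 1$ means $g$ is affine; it assumes $nl_1$ is the nonlinearity computed from the Walsh spectrum and $nl_0(h) = \min(wt(h), 2^n - wt(h))$, the distance from $h$ to $RM(0, n)$, and uses a constructed pair $f = x_1 x_2 \oplus x_3$, $g = x_1 \oplus x_3$ on three variables.

```python
# Added example (not from the paper): checks Theorem 7 and Theorem 8 for
# r = 1 on a constructed pair, where deg(g) <= 1 means g is affine.
# Assumptions of this example: nl_1 is the usual nonlinearity computed from
# the Walsh spectrum, and nl_0(h) = min(wt(h), 2^n - wt(h)), the distance
# from h to the constant functions RM(0, n). Truth tables are lists of 2**n
# bits indexed by x, with x_i = bit (i-1) of the integer x.
import math

def dot(a, x):
    """Inner product a.x over F_2: parity of the bitwise AND."""
    return bin(a & x).count("1") & 1

def walsh(f, n, a):
    """F(f + phi_a) = sum_x (-1)^(f(x) + a.x)."""
    return sum((-1) ** (f[x] ^ dot(a, x)) for x in range(2 ** n))

def cross_corr(f, g, n, alpha):
    """Delta_{f,g}(alpha) = sum_x (-1)^(f(x) + g(x + alpha))."""
    return sum((-1) ** (f[x] ^ g[x ^ alpha]) for x in range(2 ** n))

def nl1(f, n):
    """First-order nonlinearity: 2^(n-1) - (1/2) max_a |F(f + phi_a)|."""
    return 2 ** (n - 1) - max(abs(walsh(f, n, a)) for a in range(2 ** n)) // 2

def nl0(h, n):
    """Zeroth-order nonlinearity: distance to the constants 0 and 1."""
    w = sum(h)
    return min(w, 2 ** n - w)

def derivative(f, n, b):
    """D_{f(x)}(b) = f(x) + f(x + b) as a truth table."""
    return [f[x] ^ f[x ^ b] for x in range(2 ** n)]

def theorem7_bounds(f, n):
    """Right-hand sides of Theorem 7 (1) and (2) for r = 1."""
    nl = nl1(f, n)
    return 2 ** n - 2 * nl, 2 ** (3 * n) - 2 ** (2 * n + 2) * nl + 2 ** (n + 2) * nl ** 2

def theorem8_bounds(f, n):
    """Right-hand sides of Theorem 8 (1) and (2) for r = 1."""
    s = sum(nl0(derivative(f, n, b), n) for b in range(2 ** n))
    return math.sqrt(2 ** (2 * n) - 2 * s), 2 ** (3 * n) - 2 ** (n + 1) * s

def indicators(f, g, n):
    """(absolute indicator Delta_{f,g}, sum-of-squares indicator sigma_{f,g})."""
    values = [cross_corr(f, g, n, a) for a in range(2 ** n)]
    return max(abs(v) for v in values), sum(v * v for v in values)

def bounds_hold(f, g, n):
    """True when both parts of Theorems 7 and 8 hold for the pair (f, g)."""
    delta, sigma = indicators(f, g, n)
    t7_delta, t7_sigma = theorem7_bounds(f, n)
    t8_delta, t8_sigma = theorem8_bounds(f, n)
    return delta <= t7_delta and sigma <= t7_sigma and delta <= t8_delta and sigma <= t8_sigma

# Constructed pair on n = 3: f = x1 x2 + x3 (quadratic) and the affine g = x1 + x3.
N_VARS = 3
F_TABLE = [0, 0, 0, 1, 1, 1, 1, 0]
G_TABLE = [0, 1, 0, 1, 1, 0, 1, 0]

if __name__ == "__main__":
    print("indicators (Delta, sigma):", indicators(F_TABLE, G_TABLE, N_VARS))
    print("Theorem 7 bounds:", theorem7_bounds(F_TABLE, N_VARS))
    print("Theorem 8 bounds:", theorem8_bounds(F_TABLE, N_VARS))
    print("all bounds hold:", bounds_hold(F_TABLE, G_TABLE, N_VARS))
```

For this pair both theorems are tight: the absolute indicator equals both right-hand sides (1) and the sum-of-squares indicator equals both right-hand sides (2).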
5. Conclusion
In this paper, we proposed two new criteria called the sum-of-squares indicator and the absolute indicator of the cross-correlation function. These two indicators generalize the GAC criterion in [16]. We derived the rough lower and the rough upper bounds on the two indicators using only the Hamming weights of the Boolean functions, and generalized some known properties of the auto-correlation function. At the same time, we gave the tight upper and the tight lower bounds on the two indicators by the properties of the cross-correlation function. We also derived some results on relations between the two indicators and the higher order nonlinearity. These results can help us design better Boolean functions when these Boolean functions are used in LFSRs, running key generators, pseudorandom sequence generators and so on. Future work will focus on how to construct Boolean functions with good correlation using these results. Furthermore, we hope that these results will be considered helpful in further investigations of symmetric Boolean functions.
Acknowledgement
The authors are grateful to the reviewers and editors for their useful comments and corrections.
References
[1] C.M. Adams, S.E. Tavares, Generating and counting binary bent sequences, IEEE Transactions on Information Theory 36 (5) (1990) 1170–1173.
[2] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, On cryptographic properties of the cosets of R(1,m), IEEE Transactions on Information Theory 47 (4) (2001) 1494–1513.
[3] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions, in: Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, Berlin, Germany, 2000, pp. 507–522.
[4] C. Carlet, Lower bounds on the higher order nonlinearities of Boolean functions and their applications to the inverse function, in: Information Theory Workshop, ITW 08, IEEE 59 (2008) 333–337.
[5] C. Carlet, On the higher order nonlinearities of Boolean functions and S-boxes, and their generalizations, SETA 2008, LNCS 5203 (2008) 345–367.
[6] C. Carlet, S. Mesnager, Improving the upper bounds on the covering radii of binary Reed–Muller codes, IEEE Transactions on Information Theory 53 (1) (2007) 162–173.
[7] E. Elsheh, A. BenHamza, A. Youssef, On the nonlinearity profile of cryptographic Boolean functions, in: Canadian Conference on Electrical and Computer Engineering, CCECE 2008, 4–7 (2008) 1767–1770.
[8] P.H. Ke, L.L. Huang, S.Y. Zhang, Improved lower bound on the number of balanced symmetric functions over GF(p), Information Sciences 179 (5) (2009) 682–687.
[9] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, 1977.
[10] S. Mesnager, Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity, IEEE Transactions on Information Theory 54 (8) (2008) 3656–3662.
[11] B. Preneel, W. Leekwijck, L.V. Linden, et al., Propagation characteristics of Boolean functions, in: Advances in Cryptology - Eurocrypt '90, LNCS, vol. 437, Springer-Verlag, Berlin, Heidelberg, New York, 1991, pp. 155–165.
[12] P. Sarkar, S. Maitra, Cross-correlation analysis of cryptographically useful Boolean functions and S-boxes, Theory of Computing Systems 35 (2002) 39–57.
[13] C. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (1949) 656–715.
[14] G.H. Sun, C.K. Wu, The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity, Information Sciences 179 (3) (2009) 267–278.
[15] A.F. Webster, Plaintext/ciphertext bit dependencies in cryptographic systems, Master's Thesis, Department of Electrical Engineering, Queen's University, Ontario, Canada (1985).
[16] X.M. Zhang, Y.L. Zheng, GAC - the criterion for global avalanche characteristics of cryptographic functions, Journal of Universal Computer Science 1 (5) (1995) 316–333.