Tools in Analyzing Linear Approximation for Boolean Functions Related to FLIP

Abstract

For cryptographic purposes, we generally study the characteristics of a Boolean function in n-variables with the inherent assumption that each of the n-bit inputs take the value 0 or 1, independently and randomly with probability 1 / 2. However, in the context of the FLIP stream cipher proposed by Méaux et al. (Eurocrypt 2016), this type of analysis warrants a different approach. To this end, Carlet et al. (IACR Trans. Symm. Crypto. 2018) recently presented a detailed analysis of Boolean functions with restricted inputs (mostly considering inputs with weight \(\frac{n}{2}\)) and provided certain bounds on linear approximation, which are related to restricted nonlinearity. The Boolean function used in the FLIP cipher reveals that it is actually a direct sum of several Boolean functions on a small number of inputs. Thus, with a different approach, we start a study in order to understand how the inputs to the composite function are distributed on the smaller functions. In this direction, we obtain several results that summarize the exact biases related to such Boolean functions. Finally, for the nonlinear filter function of FLIP, we obtain the lower bound on the restricted Walsh–Hadamard transform (i.e., upper bound on restricted nonlinearity). Our techniques provide a general theoretical framework to study such functions and better than previously published estimations of the biases, which is directly linked to the security parameters of the stream cipher.

Appendices

A Biases for 12-variable Function

In our example, the function \(F=x_0+x_1+x_2x_3+x_4x_5+x_6+x_7x_8 +x_9x_{10}x_{11}\) takes input from \(E_{12,6}\). The bias of the function F in this restricted domain is \(\approx 0.264069\). It is worth noticing that in the uniform domain (i.e., the function takes input from \(\mathbb {F}_2^{12}\) instead of \(E_{12,6}\)) the bias between the original function F and the linear function \(l_1=l_{\mathbf{{a}}_1,0}=x_0+x_1+x_6\) is high, as the monomial of the form \(x_ix_j\) or \(x_ix_jx_k\) is always 0 unless all variables involved in the monomials are 1. It can be observed that, the bias between F and \(l_1\) in the domain \(\mathbb {F}_2^{12}\) and \(E_{12,6}\) are \(|\mathcal {W}_F(\mathbf{{a}}_1)|=0.09375\) and \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_1)|=0.099567\), respectively.

The situation is different when the domain of the function F is \(E_{12,6}\) (restricted domain). In this domain, the bias between the original function F and a linear function is highest for \(l_2=l_{\mathbf{{a}}_2,0}=x_0+x_1+x_2+x_3+x_4+x_5+x_6\) instead of \(l_1=x_0+x_1+x_6\). The bias between F and \(l_2\) in restricted domain \(E_{12,6}\) is \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_2)|=0.264069\), but the bias between F and \(l_1\) in the restricted domain \(E_{12,6}\) is \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_1)|=0.099567\). All the linear function for which the bias is high in the restricted domain \(E_{12,6}\) are provided below:

1. 1.

   \(l_{\mathbf{{a}}_2,0}=l_2=x_0+x_1+x_2+x_3+x_4+x_5+x_6\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_2)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_2)|=0.09375\).

2. 2.

   \(l_{\mathbf{{a}}_3,0}=l_3=x_0+x_1+x_2+x_3+x_6+x_7+x_8\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_3)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_3)|=0.09375\).

3. 3.

   \(l_{\mathbf{{a}}_4,0}=l_4=x_0+x_1+x_4+x_5+x_6+x_7+x_8\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_4)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_4)|=0.09375\).

4. 4.

   \(l_{\mathbf{{a}}_5,0}=l_5=x_2+x_3+x_9+x_{10}+x_{11}\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_5)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_5)|=0\).

5. 5.

   \(l_{\mathbf{{a}}_6,0}=l_6=x_4+x_5+x_9+x_{10}+x_{11}\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_6)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_6)|=0\).

6. 6.

   \(l_{\mathbf{{a}}_7,0}=l_7=x_7+x_8+x_9+x_{10}+x_{11}\): \(|\mathcal {W}_F^{(6)}(\mathbf{{a}}_7)|=0.264069\), \(|\mathcal {W}_F(\mathbf{{a}}_7)|=0\).

B Existence of a Point \(\mathbf{b}\) Referred to in Sect. 4.2

This appendix describes the existence of a point \(\mathbf{b}\) for each function \(f_j\) at which \(\displaystyle \sum _{\mathbf{x}\in E_{n,i}}(-1)^{f_j(\mathbf{x})+\mathbf{b}\cdot \mathbf{x}}\) attains \(\displaystyle \max _{\mathbf{{a}}}\left| \sum _{\mathbf{x}\in E_{n,i}}(-1)^{f_j(\mathbf{x})+\mathbf{{a}}\cdot \mathbf{x}} \right| \) for all weight i.

1. 1.

   First, let \(f_1=x_0+x_1+x_2+x_3+x_4+x_5+x_6+x_7+x_8+x_9\). The existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight ten is given below (points are provided in integer form): 0, 1023, 0, 1023, 0, 1023, 0, 1023, 0, 1023, 0.

2. 2.

   For \(f_2=x_0x_1+x_2x_3+x_4x_5+x_6x_7\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight eight is mentioned below (points are provided in integer form): 0, 0, 0, 63, 15, 3, 0, 255, 0.

3. 3.

   For \(f_3=x_0x_1x_2\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight three is provided below (points are provided in integer form): 0, 0, 0, 1.

4. 4.

   For \(f_4=x_0x_1x_2x_3\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight four is mentioned below (points are provided in integer form): 0, 0, 0, 0, 1.

5. 5.

   For \(f_5=x_0x_1x_2x_3x_4\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight five is given below (points are provided in integer form): 0, 0, 0, 0, 0, 1.

6. 6.

   For \(f_6=x_0x_1x_2x_3x_4x_5\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight six is provided below (points are provided in integer form): 0, 0, 0, 0, 0, 0, 1.

7. 7.

   For \(f_7=x_0x_1x_2x_3x_4x_5x_6\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight seven is mentioned below (points are provided in integer form): 0, 0, 0, 0, 0, 0, 0, 1.

8. 8.

   For \(f_8=x_0x_1x_2x_3x_4x_5x_6x_7\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight eight is given below (points are provided in integer form): 0, 0, 0, 0, 0, 0, 0, 0, 1.

9. 9.

   For \(f_9=x_0x_1x_2x_3x_4x_5x_6x_7x_8\), the existence of a point \(\mathbf{b}\) corresponding to each weight starting from weight zero to weight nine is mentioned below (points are provided in integer form): 0, 0, 0, 0, 0, 0, 0, 0, 0, 1.