Walsh transforms and cryptographic applications in bias computing

Cryptography and Communications

Abstract

The Walsh transform is used in a wide variety of scientific and engineering applications, including bent functions and cryptanalytic optimization techniques in cryptography. In linear cryptanalysis, a key question is to find a good linear approximation, i.e. one that holds with probability (1+d)/2 where the bias d is large in absolute value. Lu and Desmedt (2011) took a step toward answering this question in a more general setting and initiated work on the generalized bias problem with linearly-dependent inputs. In this paper, we give the fully extended results. Deep insights into the assumptions behind the problem are given. We take an information-theoretic approach to show that our bias problem assumes the setting of maximum input entropy subject to the input constraint. By means of the Walsh transform, the bias can be expressed in a simple form, which incorporates the Piling-up lemma as a special case. Secondly, as an application, we answer a long-standing open problem in correlation attacks on combiners with memory: we give, for the first time, a closed-form exact solution for the correlation involving a multiple polynomial of any weight. We also give a Walsh analysis for numerical approximation. An interesting bias phenomenon is uncovered: for even and odd weights of the polynomial, the correlation behaves differently. Thirdly, we introduce the notion of a weakly biased distribution and study bias approximation for a more general case by Walsh analysis. We show that for weakly biased distributions, the Piling-up lemma is still valid. Our work shows that Walsh analysis is useful and effective for a broad class of cryptanalysis problems.
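The bias computation the abstract describes, worked as an added Python example (not the paper's code): a fast Walsh-Hadamard transform, the bias of a linear approximation read off the spectrum, the Piling-up product for independent inputs, and the exact bias when the inputs are linearly dependent, computed both by enumeration over the maximum-entropy input set and by the standard Walsh identity for a single constraint X3 = X1 xor X2. The sample function (2-bit AND) and the single-constraint case are this example's own choices; the paper's general closed form is not reproduced here.

```python
"""Walsh spectrum, bias of a linear approximation, and the Piling-up lemma
for independent versus linearly dependent inputs.

Added worked example; not code from the paper.  Bias convention as in the
abstract: an approximation holds with probability (1 + d)/2, so d is the
correlation (d = 1 always holds, d = 0 balanced, d = -1 never holds).
The closed form in bias_dependent_walsh() is the standard Walsh/convolution
identity worked out for a single linear constraint X3 = X1 xor X2; it is
this example's derivation, not a theorem quoted from the paper.
"""


def fwht(vec):
    """Fast Walsh-Hadamard transform of a length-2^n sequence (returns a copy)."""
    a = list(vec)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a


def walsh_spectrum(f, n):
    """W_f(a) = sum_x (-1)^(f(x) xor <a,x>) for every mask a in [0, 2^n)."""
    return fwht([1 - 2 * f(x) for x in range(1 << n)])


def bias(f, n, a=0):
    """Bias d of the approximation f(x) = <a,x>: Pr[f(x) = <a,x>] = (1 + d)/2."""
    return walsh_spectrum(f, n)[a] / (1 << n)


def bias_independent(fs, n):
    """Piling-up lemma: with independent, uniform X_i the bias of
    XOR_i f_i(X_i) is the product of the individual biases d_i = W_i(0)/2^n."""
    d = 1.0
    for f in fs:
        d *= bias(f, n)
    return d


def bias_dependent_exact(f1, f2, f3, n):
    """Exact bias of f1(X1) xor f2(X2) xor f3(X3) under the constraint
    X3 = X1 xor X2, with (X1, X2) uniform, i.e. maximum input entropy subject
    to the constraint.  Brute force over all 2^(2n) admissible inputs."""
    agree = sum(1 - (f1(x1) ^ f2(x2) ^ f3(x1 ^ x2))
                for x1 in range(1 << n) for x2 in range(1 << n))
    return 2 * agree / (1 << (2 * n)) - 1


def bias_dependent_walsh(f1, f2, f3, n):
    """Same bias in closed form: d = 2^(-3n) * sum_a W1(a) W2(a) W3(a).
    Derivation: write (-1)^f3(x1 xor x2) as 2^-n sum_a W3(a) (-1)^<a, x1 xor x2>;
    the double sum over x1, x2 then factors into W1(a) W2(a).  If f3 is the
    constant 0 (no constraint), W3(a) is nonzero only at a = 0 and the formula
    collapses to the Piling-up product W1(0)/2^n * W2(0)/2^n."""
    w1, w2, w3 = (walsh_spectrum(f, n) for f in (f1, f2, f3))
    return sum(p * q * r for p, q, r in zip(w1, w2, w3)) / (1 << (3 * n))


def f_and(x):
    """Constructed sample function on n = 2 bits: f(x) = x0 AND x1.
    Pr[f = 0] = 3/4, so its bias (mask 0) is 1/2."""
    return (x & 1) & ((x >> 1) & 1)


def demo(n=2):
    """Compare Piling-up with the exact bias when the three inputs are tied
    by X3 = X1 xor X2.  Each X_i is still uniform on its own, so Piling-up
    sees three independent-looking biases of 1/2, but the constraint changes
    the answer."""
    return {
        "piling_up": bias_independent([f_and] * 3, n),                      # 1/8
        "exact_dependent": bias_dependent_exact(f_and, f_and, f_and, n),    # 1/4
        "walsh_dependent": bias_dependent_walsh(f_and, f_and, f_and, n),    # 1/4
    }


if __name__ == "__main__":
    print(demo())
```

Piling-up predicts 1/8 for three biases of 1/2, while the exact bias under the constraint is 1/4: the dependency doubles the correlation, and the Walsh identity gives the same 1/4 without enumerating inputs, which is what makes the approach scale to the register sizes in the notes below.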


Notes

  1. Throughout this paper, we loosely say that the bias d is large if |d| is large.

  2. On one hand, the size of the internal state of crypto-systems has evolved from the traditional 64 bits to the less common 128 bits, the common 256 bits and the emerging 512 bits or more nowadays. On the other hand, the design of cryptographically strong functions targets the main building blocks of the crypto-systems, which have small or medium sizes.

  3. It becomes common practice that several core functions, which are not necessarily identical, are combined together (e.g., by block-wise simple operations), in order to construct a new function with large state space.

  4. The detail of how \(f_i\) is derived is not relevant in this paper (and \(f_i\) can be derived by just taking the inner product between a fixed binary vector and \(F_i\)).

  5. LFSR stands for Linear Feedback Shift Registers, see [29, Sect. 6.2.1, P195–8] for introduction.

  6. We do not take into consideration the time to evaluate the underlying functions. We refer to [18] on this subject.

  7. In spite of the similarities and common properties between the two transforms, note that they are derived from two different topological groups and are not interchangeable in general (see [34]).

  8. It originated in statistical mechanics in the nineteenth century and has been advocated for use in a broader context (cf. [7, Chapter 12, P425]).

  9. The delta function is defined by \(\delta(x-n)=1\) if \(x=n\) and \(\delta(x-n)=0\) otherwise, for discrete \(x\).

  10. Because of this special case, we refer to the general case as linearly-dependent inputs.

  11. See [29, Sect. 6.3, P203–5] for a review of LFSR-based stream ciphers.

  12. The details of how \(u_t\) is generated are not relevant in our context and we omit them here.

  13. In the context of correlation attacks on LFSR-based stream ciphers, we often say that there exists a correlation \(\delta_0\) with mask \(\gamma\) between the keystream outputs \(\{z_t\}\) and the equivalent LFSR outputs \(\{y_t\}\), i.e., \(\langle\gamma, z_{t_0}z_{t_0+1}\ldots z_{t_0+r}\rangle \oplus \langle\gamma, y_{t_0}y_{t_0+1}\ldots y_{t_0+r}\rangle\), which equals \(\langle\gamma, u_{t_0}u_{t_0+1}\ldots u_{t_0+r}\rangle\), has bias \(\delta_0\).

References

  1. Bluetooth: Bluetooth Specification (version 2.0 + EDR). http://www.bluetooth.org

  2. Canteaut, A., Trabbia, M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5, EUROCRYPT 2000, LNCS, vol. 1807, pp 573–588. Springer (2000)

  3. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis, EUROCRYPT 1994, LNCS. vol. 950, pp. 356–365. Springer (1995)

  4. Charpin, P., Pasalic, E., Tavernier, C.: On bent and semi-bent quadratic Boolean functions. IEEE Trans. Inf. Theory 51(12), 4286–4298 (2005)

  5. Collard, B., Standaert, F. -X., Quisquater, J.-J.: Improving the time complexity of Matsui’s linear cryptanalysis, ICISC 2007, LNCS, vol. 4817, pp 77–88. Springer (2007)

  6. Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view, EUROCRYPT 2002, LNCS, vol. 2332, pp 209–221. Springer (2002)

  7. Cover, T.M., Thomas, J.A.: Elements of information theory, 2nd Edn. Wiley (2006)

  8. eSTREAM: ECRYPT stream cipher project. http://www.ecrypt.eu.org/stream/

  9. Golomb, S. W., Gong, G.: Signal design with good correlation: for wireless communications, cryptography and radar applications. Cambridge University Press, Cambridge (2005)

  10. Hakala, R. M., Nyberg, K.: Linear distinguishing attack on Shannon, ACISP 2008, LNCS, vol. 5107, pp 297–305. Springer (2008)

  11. Harpes, C., Massey, J.L.: Partitioning cryptanalysis, FSE 1997, LNCS, vol. 1267, pp. 13–27. Springer (1997)

  12. Helleseth, T., Kholosha, A.: On generalized bent functions, ITA 2010, pp 178–183. IEEE (2010)

  13. Horadam, K.J.: Hadamard Matrices and Their Applications. Princeton University Press, Princeton (2007)

  14. Kukorelly, Z.: The Piling-up lemma and dependent random variables, IMA 1999, LNCS, vol. 1746, pp 186–190. Springer (1999)

  15. Lidl, R., Niederreiter, H.: Introduction to finite fields and their applications. Cambridge University Press, Cambridge (1986)

  16. Löndahl, C., Johansson, T.: Improved algorithms for finding low-weight polynomial multiples in F 2[x] and some cryptographic applications, Designs, Codes and Cryptography, vol. 73, pp 625–640. Springer (2014)

  17. Lu, Y.: Applied stream ciphers in mobile communications, Ph.D. Thesis, EPFL (2006). doi:10.5075/epfl-thesis-3491

  18. Lu, Y.: Sampling with Walsh transforms (2015). arXiv:1502.06221

  19. Lu, Y., Desmedt, Y.: Bias analysis of a certain problem with applications to E0 and Shannon cipher, ICISC 2010, LNCS, vol. 6829, pp. 16–28. Springer (2011)

  20. Lu, Y., Desmedt, Y.: Improved Davies-Murphy’s attack on DES revisited, FPS 2013, LNCS, vol. 8352, pp 264–271. Springer (2014)

  21. Lu, Y., Vaudenay, S.: Faster correlation attack on Bluetooth keystream generator E0, CRYPTO 2004, LNCS, vol. 3152, pp 407–425. Springer (2004)

  22. Lu, Y., Vaudenay, S.: Cryptanalysis of an E0-like combiner with memory, Journal of Cryptology, vol. 21, pp. 430-457. Springer (2008)

  23. Matsui, M.: Linear cryptanalysis method for DES cipher, EUROCRYPT 1993, LNCS, vol. 765, pp 386–397. Springer (1994)

  24. Maximov, A., Johansson, T.: Fast computation of large distributions and its cryptographic applications, ASIACRYPT 2005, LNCS, vol. 3788, pp 313–332. Springer (2005)

  25. Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1, 159–176 (1989). Springer

  26. Meier, W., Staffelbach, O.: Nonlinearity criteria for cryptographic functions, EUROCRYPT 1989, LNCS, vol. 434, pp 549–562. Springer (1990)

  27. Meier, W., Staffelbach, O.: Correlation properties of combiners with memory in stream ciphers. J. Cryptol. 5, 67–86 (1992). Springer

  28. Meier, W.: Fast correlation attacks: methods and countermeasures, FSE 2011, LNCS, vol. 6733, pp 55–67. Springer (2011)

  29. Menezes, A.J., van Oorschot, P.C., Vanstone, S. A.: Handbook of applied cryptography. CRC Press (1996)

  30. Molland, H., Helleseth, T.: An improved correlation attack against irregular clocked and filtered keystream generators, CRYPTO 2004, LNCS, vol. 3152, pp 373–389. Springer (2004)

  31. Nyberg, K.: Perfect nonlinear S-boxes, EUROCRYPT 1991, LNCS, vol. 547, pp 378–386. Springer (1991)

  32. Nyberg, K.: Constructions of Bent functions and difference sets, EUROCRYPT 1990, LNCS, vol. 473, pp. 151–160. Springer (1991)

  33. Olsen, J., Scholtz, R., Welch, L.: Bent-function sequences. IEEE Trans. Inf. Theory IT-28(6), 858–864 (1982)

  34. Pearl, J.: Application of Walsh transform to statistical analysis. IEEE Trans. Syst. Man Cybern. SMC-1(2), 111–119 (1971)

  35. Rose, G., Hawkes, P., Paddon, M., McDonald, C., Vries, M.: Design and primitive specification for Shannon, Symmetric Cryptography (2007)

  36. Rothaus, O. S.: On “Bent” functions. J. Comb. Theory Ser. A 20(3), 300–305 (1976)

  37. Wagner, D.: A generalized birthday problem, CRYPTO 2002, LNCS, vol. 2442, pp. 288–304. Springer (2002)

  38. Yaroslavsky, L.P.: Digital picture processing - an introduction. Springer, Berlin (1985)

Acknowledgments

We are indebted to Prof. Serge Vaudenay for his detailed comments and suggestions to improve the paper. We gratefully thank the anonymous reviewers for many helpful and valuable comments to make the presentation of better quality.

Author information

Corresponding author

Correspondence to Yi Lu.

Additional information

Part of this material appeared in the proceedings [19]. In this paper, we give more theoretical results, new applications and new analytical results.

Yi Lu is supported by the National Science and Technology Major Project under Grant No. 2010ZX01036-001-002 & 2010ZX01037-001-002, the Knowledge Innovation Key Directional Program of Chinese Academy of Sciences under Grant No. KGCX2-YW-125 & KGCX2-YW-174.

Yvo Desmedt was funded by EPSRC EP/C538285/1 and by BT, as BT Chair of Information Security.

Appendix A: Intermediate attack results on E0 core

Let \(p_i(x)\) be the feedback polynomial of \(R_i\) (for \(i=1,\ldots,4\)) with degree \(L_1=25\), \(L_2=31\), \(L_3=33\), \(L_4=39\) respectively. We use the unusual attack strategy of recovering the 31-bit \(R_2\) first, rather than the shortest, 25-bit \(R_1\). The main reason is that we want to find a multiple polynomial of \(p_1(x)p_3(x)p_4(x)\) (which has the lower degree \(25+33+39=97\)) with weight \(w=4\), rather than a multiple polynomial of \(p_2(x)p_3(x)p_4(x)\) (which has the relatively higher degree \(31+33+39=103\)) as is usually done. By the recent coding-theoretic technique [16], the complexity of finding a multiple polynomial of weight 4 can be improved compared with using the generalized birthday problem [37]. We thus expect to find a multiple polynomial with minimal degree \(2^{97/3}\approx 2^{33}\) in estimated time \(2^{36}\).

For the data complexity, based on the single largest bias \(|\delta_0|=2^{-3.3}\) with \(\gamma=(100001)_2\), the basic distinguisher works with the exact bias \(\delta=2^{-10.4}\) when using the multiple polynomial of \(p_1(x)p_3(x)p_4(x)\) of weight \(w=4\), by Table 3. Thus, the basic distinguisher needs a total number \(n=(4L_2\ln 2)\cdot\delta^{-2}\approx 2^{27}\) of effective bits to successfully recover \(R_2\).

After recovering \(R_2\), we aim to reconstruct \(R_1\). We want to find a multiple polynomial of \(p_3(x)p_4(x)\) (which has degree \(33+39=72\)) with weight \(w=4\). By [16], we expect to find a multiple polynomial with minimal degree \(2^{72/3}=2^{24}\) with estimated effort \(2^{27}\). Again, the basic distinguisher works with the same bias \(\delta=2^{-10.4}\) when using the multiple polynomial of weight 4. It needs a total number \(n=(4L_1\ln 2)\cdot\delta^{-2}\approx 2^{27}\) of effective bits to successfully recover \(R_1\). Table 6 summarizes these results for recovering \(R_1\) and \(R_2\).
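The figures above, recomputed as an added Python example (not the paper's code). Two standard fast-correlation-attack heuristics are assumed, since the page only states the resulting numbers: the expected minimal degree of a weight-w multiple of a degree-D polynomial is about 2^(D/(w-1)), which is the estimate behind 2^(97/3) and 2^(72/3), and a basic distinguisher with bias δ needs about n = 4L ln 2 / δ² effective bits to recover an L-bit register. The exact bias 2^(-10.4) is taken from the text (Table 3 is not reproduced on this page); the example also computes the data complexity that the naive Piling-up bias δ₀^w would predict, to show how much the exact bias changes the data requirement.

```python
"""Complexity figures of Appendix A, recomputed.

Added worked example, not the paper's code.  Assumed heuristics (the page
states only the resulting figures):
  * a weight-w multiple of a polynomial of degree D is expected to exist with
    degree about 2^(D/(w-1)), the estimate behind 2^(97/3) and 2^(72/3);
  * a basic distinguisher with bias delta needs about
    n = 4 * L * ln 2 / delta^2 effective bits to recover an L-bit LFSR.
The exact bias 2^(-10.4) is taken from the appendix (its Table 3 is not on
this page); delta_0^w is the independence (Piling-up) heuristic that the
paper's exact formula replaces.
"""
import math

E0_DEGREES = {1: 25, 2: 31, 3: 33, 4: 39}  # L_1..L_4 of the four E0 LFSRs


def product_degree(regs, degrees=E0_DEGREES):
    """Degree of prod_i p_i(x) over the listed registers."""
    return sum(degrees[i] for i in regs)


def multiple_degree_log2(degree, w):
    """log2 of the expected minimal degree of a weight-w multiple."""
    return degree / (w - 1)


def data_complexity_log2(L, delta_log2):
    """log2 of n = 4 L ln2 / delta^2 for a bias delta = 2^delta_log2."""
    return math.log2(4 * L * math.log(2)) - 2 * delta_log2


def stage(target, others, delta_log2, w=4, degrees=E0_DEGREES):
    """Figures for recovering register `target` with a weight-w multiple of
    the product of the feedback polynomials of the registers in `others`."""
    deg = product_degree(others, degrees)
    return {
        "product_degree": deg,
        "multiple_degree_log2": multiple_degree_log2(deg, w),
        "data_log2": data_complexity_log2(degrees[target], delta_log2),
    }


def appendix_a(exact_delta_log2=-10.4, delta0_log2=-3.3, w=4):
    """The two stages of Appendix A (R_2 first, then R_1), each with the data
    complexity under the exact bias and under the naive Piling-up bias."""
    naive_log2 = w * delta0_log2  # delta_0^w, as if the w terms were independent
    out = {}
    for name, target, others in (("R2", 2, (1, 3, 4)), ("R1", 1, (3, 4))):
        s = stage(target, others, exact_delta_log2, w)
        s["data_log2_if_pilingup"] = data_complexity_log2(E0_DEGREES[target], naive_log2)
        out[name] = s
    return out


if __name__ == "__main__":
    for name, s in appendix_a().items():
        print(name, {k: round(v, 2) for k, v in s.items()})
```

With the exact bias both stages land at about 2^27 bits, as in the appendix; with δ₀^4 = 2^(-13.2) in place of 2^(-10.4) the same distinguisher would need roughly 2^(5.6) times more keystream, which is why the exact correlation for combiners with memory matters to the attack.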

Cite this article

Lu, Y., Desmedt, Y. Walsh transforms and cryptographic applications in bias computing. Cryptogr. Commun. 8, 435–453 (2016). https://doi.org/10.1007/s12095-015-0155-4
