Information Sciences

Volumes 415–416, November 2017, Pages 377-396

New constructions of resilient functions with strictly almost optimal nonlinearity via non-overlap spectra functions

https://doi.org/10.1016/j.ins.2017.06.036

Abstract

The design of n-variable t-resilient functions with strictly almost optimal (SAO) nonlinearity ($> 2^{n-1} - 2^{n/2}$, n even) appears to be a rather difficult task. The known construction methods commonly use a rather large number (exactly $\sum_{i=t+1}^{n/2} \binom{n/2}{i}$) of affine subfunctions in $n/2$ variables, which can induce algebraic weaknesses that make these functions susceptible to certain types of guess-and-determine cryptanalysis and dynamic cube attacks. In this paper, the concept of non-overlap spectra functions is introduced, which essentially generalizes the idea of disjoint spectra functions to different variable spaces. Two general methods to obtain a large set of non-overlap spectra functions are given, and based on these a new framework for designing infinite classes of resilient functions with SAO nonlinearity is developed. Unlike previous construction methods, our approach employs only a few $n/2$-variable affine subfunctions in the design, resulting in a more favourable algebraic structure. It is shown that these new resilient SAO functions properly include all the existing classes of resilient SAO functions as a subclass. Moreover, it is shown that the new class provides better resistance against (fast) algebraic attacks than the known functions with SAO nonlinearity, and in addition these functions are more robust to guess-and-determine cryptanalysis and dynamic cube attacks.

Introduction

During the past three decades, the construction of highly nonlinear resilient Boolean functions has been an interesting research topic [5], [14], [15], [20], [24], [29], [37], [39], [41], [43]. These resilient functions play an important role in the design of certain stream cipher encryption schemes such as nonlinear combiners, for which the output sequences of several linear feedback shift registers (LFSRs) are combined (filtered) via a nonlinear Boolean function to generate the keystream sequence. The security of nonlinear combiners depends almost entirely on the choice of the filtering Boolean function. It is widely accepted that a Boolean function used in nonlinear combiners must fulfill certain cryptographic criteria such as balancedness, high order of resiliency, high nonlinearity and high algebraic degree. These criteria reflect the ability of the cipher to withstand various types of attacks. For instance, the nonlinearity measures the minimum distance between a given Boolean function and the set of affine functions. It indicates the ability of the cipher to withstand various modes of best affine approximation (BAA) and correlation attacks, see [10], [29].

Unfortunately, the criteria mentioned above cannot all be optimized simultaneously, and there are certain trade-offs among them. For an n-variable Boolean function whose resiliency order is t, Siegenthaler [29] showed that $d \le n - t - 1$, where d is the algebraic degree of the function. Apart from the criteria mentioned above, the algebraic properties of Boolean functions are decisive for protecting the cipher against (fast) algebraic attacks [1], [8], [9]. The concept of algebraic immunity (AI) was introduced in [21], indicating the ability of Boolean functions (in relation to the corresponding encryption scheme) to withstand the algebraic attacks proposed in 2003 [9]. A Boolean function f has optimal resistance against algebraic attacks if the AI of f(x) equals $\lceil n/2 \rceil$. Moreover, fast algebraic attacks (FAA) on stream ciphers were introduced in [8], further extending the mentioned cryptographic criteria. Optimal resistance of a Boolean function (used in certain stream cipher algorithms) against FAA means that for a given n-variable Boolean function f there is no pair of functions g and h related through $fg = h$ such that $\deg(g) + \deg(h)$ is less than n. Furthermore, for balanced functions it was shown that there always exist g and h such that $\deg(g) + \deg(h) = n - 1$; hence in this case the degree value $n - 1$ is called optimal, see [19].

The most significant contributions related to the design of highly nonlinear resilient functions during the past two decades can be found in [3], [5], [7], [15], [20], [24], [28], [39], [41], [42]. In these works, a well-known method to obtain nonlinear resilient functions relies on the Maiorana–McFarland (M–M) technique or extensions thereof. The basic idea of this approach is to construct nonlinear resilient functions on larger variable spaces by concatenating suitable affine functions on smaller variable spaces. This technique was first introduced by Camion et al. in 1992 [3], and it was further used in [7], [27], [28]. At CRYPTO 2002, Carlet proposed an extension of the M–M method for obtaining nonlinear resilient functions by concatenating quadratic functions [5]. In 2006, Pasalic presented a method to obtain degree-optimized resilient functions by using a slightly modified M–M technique [24]. Later, Maitra et al. [20] presented methods to obtain resilient functions of order t with nonlinearity $2^{n-1} - 2^{n/2-1} - 2^{n/2-3} - 2^{n/2-4}$ for all $n \ge 8t + 6$.

Recently, Zhang et al. [39], [40] proposed new methods to obtain resilient functions and resilient S-boxes (multiple-output Boolean functions) with strictly almost optimal nonlinearity $> 2^{n-1} - 2^{n/2}$, for any even n, by concatenating several sets of disjoint spectra functions defined on small variable spaces (of size at most $n/2$). However, most of the construction techniques above share the same basic idea: the subfunctions of these resilient functions (a subfunction being the restriction of a function when a subset of its variables is kept fixed) are affine functions in a relatively large number of input variables. More precisely, the number of subfunctions of the t-resilient functions in [40], [41] which are affine in $n/2$ variables is $\sum_{i=t+1}^{n/2} \binom{n/2}{i}$. To improve these relatively poor algebraic properties, a modified construction that uses only a moderate number of affine subfunctions in $n/2$ variables (the number being $2^{n/2-1}$) has been proposed in [40]. The functions in the modified class then provide relatively good resistance against (fast) algebraic attacks (based on simulations for n ≤ 14), but unfortunately the nonlinearity of the functions in [40] is substantially decreased (they no longer have SAO nonlinearity).

Intuitively, the use of “too many” large affine subfunctions in $n/2$ variables (namely either $\sum_{i=t+1}^{n/2} \binom{n/2}{i}$ or $2^{n/2-1}$ as in [40]) may induce algebraic weaknesses in the structure and make a cipher less resistant to various cryptanalytic methods. Indeed, by fixing l variables of an n-variable nonlinear Boolean function, its $(n-l)$-variable subfunctions are either linear or nonlinear; in the former case this gives rise to partial linear relations with respect to the fixed set of l variables. In fact, many attacks on stream ciphers essentially use these partial linear relations, and the attacks become more efficient for relatively small l.

We recall a few important approaches that efficiently use partial linear relations of nonlinear Boolean functions in various aspects of cryptanalysis. In 2009, Khoo et al. proposed a time-memory-data (TMD) trade-off attack on filtering generators and nonlinear combiners in case the nonlinear filtering function belongs to the Maiorana–McFarland class [16]. Partial linear relations of the nonlinear Boolean functions used in the Grain family of stream ciphers were exploited to mount related-key chosen-IV attacks and internal state recovery attacks on these ciphers [17], [23]. For the case when the filtering function is a vectorial Boolean function in the M–M class, a guess-and-determine attack was introduced in [25]. The dynamic cube attacks introduced in [11], [12] also commonly employ partial linear relations that relate the secret key and IV variables. Finally, at FSE 2013, a new criterion for avoiding the existence of partial linear relations in substitution boxes was proposed in [2].

From the above survey, it appears that cryptographically significant Boolean functions should not give rise to partial linear relations when a relatively small number of inputs is kept fixed. In this direction, our approach revises the previous construction methods (which can be viewed as a modified M–M class) towards a more favourable algebraic structure of the designed resilient functions with respect to the number of partial linear relations. This is accomplished without degrading the nonlinearity, which remains SAO, unlike the construction method in [40]. To achieve this goal the concept of non-overlap spectra functions is introduced (and employed in the design), and the existence of a large set of functions with this property is proved. The so-called non-overlap spectra functions, which essentially generalize the idea of disjoint spectra functions, are characterized by the property that for any pair of these functions their nonzero Walsh spectrum values do not overlap, even though the functions are not defined on the same variable space (whereas standard disjoint spectra functions are defined on a common variable space).

The proposed design of resilient functions with SAO nonlinearity is inevitably rather technical and involved, as is the case with other design methods whose goal is to achieve extremely high nonlinearity values. In contrast to previous approaches [39], [40], [41] that use a large set of $n/2$-variable affine subfunctions, our method uses only a few $n/2$-variable affine subfunctions. It is demonstrated (through both theoretical analysis and computer simulations) that these new resilient functions have better algebraic properties, thus improving the resistance to (fast) algebraic attacks compared to the classes in [39], [40], [41]. Furthermore, it is shown that our class properly includes the classes of Zhang et al. [40], [41] as a subclass. The use of a small number of $n/2$-variable affine subfunctions also implies better robustness against cryptanalytic methods that employ partial linear relations than the classes in [40], [41]. Most notably, we give a semi-deterministic method which generates algebraically optimal functions (thus providing optimal resistance to (fast) algebraic attacks) with slightly decreased nonlinearity for a moderate number of input variables, whereas for large n the algebraic properties are quite acceptable for practical applications though not optimal.

The rest of the paper is organized as follows. In Section 2, some basic notations and definitions related to cryptographic criteria of Boolean functions are introduced. A brief overview of related previous work is given in Section 3. In Section 4, the notion of non-overlap spectra functions is introduced and two methods for finding large sets of non-overlap spectra functions are proposed. The main construction methods of resilient functions with SAO nonlinearity, based on the use of non-overlap spectra functions, are presented in Section 5. In addition, a semi-deterministic method for constructing resilient functions with optimal algebraic properties (for moderate size of the input space) and high nonlinearity is also addressed. Finally, some concluding remarks are given in Section 6.


Preliminaries

The binary Galois field is denoted by $GF(2)$ and “⊕” stands for the addition operator over $GF(2)$. An n-dimensional vector space over $GF(2)$ is denoted by $GF(2)^n$. A Boolean function is a mapping $f: GF(2)^n \to GF(2)$, and the set of all Boolean functions $f(x_1, \ldots, x_n)$ over $GF(2)^n$ is denoted by $B_n$. The truth table of a Boolean function $f(x_1, \ldots, x_n)$ is a binary string of length $2^n$ corresponding to the output values of f when the input values run lexicographically through $GF(2)^n$, $(f(0,0,\ldots,0), f(1,0,\ldots,0), f(0$

An overview of recent works

In this section, we briefly recall the basic construction methods in [40], [41] for designing resilient Boolean functions whose nonlinearity is strictly almost optimal.

The main construction methods proposed in [40], [41] are given below for completeness; the reader may refer to [40], [41] for further details.

Construction A [41]: Let n ≥ 12 be an even number, t be a positive number, and let $(a_1, \ldots, a_s) \in GF(2)^s$ satisfy $\sum_{j=t+1}^{n/2} \binom{n/2}{j} + \sum_{i=1}^{s} \left( a_i \sum_{j=t+1}^{n/2-2i} \binom{n/2-2i}{j} \right) \le 2^{n/2}$, where $s = (n - 2t - 2)/4$.

Constructions of the set of non-overlap spectra functions

In this section, the concept of non-overlap spectra functions is introduced along with an efficient way of generating a large set of such functions. For convenience, throughout the article we denote by $X_{(i)}^{(j)} = (x_i, x_{i+1}, \ldots, x_j) \in GF(2)^{j-i+1}$ a subset of the variables $x_1, \ldots, x_n$, where $1 \le i < j \le n$. In particular, when $i = 1$ we simply write $X^{(j)} = (x_1, \ldots, x_j)$. Other letters are used similarly to denote constants, for instance $\omega^{(n-1)} = (\omega_1, \omega_2, \ldots, \omega_{n-1}) \in GF(2)^{n-1}$. Furthermore, $h_c$ will always denote a bent function

Design methods based on non-overlap spectra functions

In this section, we propose new construction methods for obtaining resilient functions with strictly almost optimal nonlinearity based on the set of non-overlap spectra functions.

The first construction method uses a similar strategy as Construction A, where the main distinction between the two classes is the quite different structure of the subfunctions. More precisely, in this new construction, the set of functions $U_0$ used in Construction A is replaced by the set $I_0 \cup I_1$ of

Conclusions

In this paper, the concept of non-overlap spectra functions, referring to a set of mutually disjoint spectra functions on different variable subspaces, has been introduced. Two general methods for designing a large set of non-overlap spectra functions have been proposed and their use in the construction of resilient functions with SAO nonlinearity has been addressed. In contrast to the best known construction methods proposed by Zhang and Pasalic [40], [41] that employ “too many” $n/2$-variable

References (44)

  • C. Carlet et al., An infinite class of balanced functions with optimal algebraic immunity, good immunity to fast algebraic attacks and good nonlinearity, Proceedings of the Advances in Cryptology – ASIACRYPT 2008 (2008)
  • S. Chee et al., On the correlation immune functions and their nonlinearity, Proceedings of the Advances in Cryptology – ASIACRYPT’96 (1996)
  • N. Courtois, Fast algebraic attacks on stream ciphers with linear feedback, Proceedings of the Advances in Cryptology – CRYPTO 2003 (2003)
  • N. Courtois et al., Algebraic attacks on stream ciphers with linear feedback, Proceedings of the Advances in Cryptology – CRYPTO 2003 (2003)
  • C. Ding et al., The stability theory of stream ciphers, Lecture Notes in Computer Science (1991)
  • I. Dinur et al., Cube attacks on tweakable black box polynomials, Proceedings of the Advances in Cryptology – CRYPTO 2009 (2009)
  • I. Dinur et al., Breaking Grain-128 with dynamic cube attacks, Proceedings of the Fast Software Encryption 2011 (2011)
  • M. Fedorova et al., On the constructing of highly nonlinear resilient Boolean functions by means of special matrices, Proceedings of the Progress in Cryptology – INDOCRYPT 2001 (2001)
  • T. Johansson et al., A construction of resilient functions with high nonlinearity, IEEE Trans. Inf. Theory (2003)
  • K. Khoo et al., Time-memory-data trade-off attack on stream ciphers based on Maiorana–McFarland functions, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. (2009)
  • Y. Lee et al., Related-key chosen IV attacks on Grain-v1 and Grain-128, Proceedings of the Information Security and Privacy (2008)
  • J. Li et al., Two constructions of balanced Boolean functions with optimal algebraic immunity, high nonlinearity and good behavior against fast algebraic attacks, Des. Codes Cryptogr. (2015)
1. This work was supported in part by the National Key R&D Program of China (2017YFB0802004), in part by the Natural Science Foundation of China (61572148), in part by the Guangxi Natural Science Foundation (2015GXNSFGA139007), and in part by the project of Outstanding Young Teachers Training in Higher Education Institutions of Guangxi.

2. This work is supported in part by the Slovenian Research Agency (research program P3-0384 and research project J1-6720).

3. This work is supported in part by the National Science Foundation of China (61303263), and in part by the Fundamental Research Funds for the Central Universities (2015XKMS086).

4. This work is supported in part by the National Natural Science Foundation of China (61672509 and 61232009).

5. This work was supported in part by the EU H2020 ITN 5G Wireless project (Grant No. 641985), EU H2020 RISE TESTBED project (Grant No. 734325), EU FP7 QUICK project (Grant No. PIRSES-GA-2013-612652), and EPSRC TOUCAN project (Grant No. EP/L020009/1).
