Cryptographic Boolean Functions and Applications

Andreea–P.S.

Preface

Boolean functions have been an object of study in cryptography for over 50 years, beginning with their use in linear feedback shift registers. It was in the late 1940s that Shannon published the concepts of confusion and diffusion as fundamental concepts for achieving security in cryptosystems. Confusion is reflected in the nonlinearity of parts of the cryptosystem; linear systems are generally easy to break. Diffusion is achieved by ensuring that a small change in the input is spread out to make a large change in the output. Boolean functions can easily provide both confusion and diffusion. One goal of this book is to show how to choose good Boolean functions for this purpose.

The book is designed to serve as a reference for various applications of Boolean functions in modern cryptography, which we can say is about 35 years old. The relevant material in the literature is scattered over hundreds of journal articles, conference proceedings, books, reports and notes (some of them only available online). Until this book, there has been no attempt to gather the gist of this material in one place. Our goal is to present the major concepts and associated theorems, with proofs, except in those cases where the proofs would be too long or too technical. The book is expository and we have attempted to be accurate in assigning credit for the many results quoted here. There is some original research in the book, and we have made quite a few corrections and improvements to earlier work.

The bibliography is extensive, but is not intended to be all-inclusive. In particular, it is common in cryptography for research which has been first published in the proceedings of a conference (‘conference version’) to be published later (perhaps with refinements or improvements) in a journal (‘journal version’). Many authors seem to fear that publishing only a conference version will lead to their results not being as widely read or referred to. In some cases where a more complete journal version of an article is available, we have not listed the earlier, less polished, conference version. Of course this justifies the fear that some of the authors had! We have not hesitated to give online references where these are the only possible ones. We believe that the problem of long-term archiving of online materials will be solved.

We have tried to avoid any errors, but in a book of this size it is likely that some remain. The authors at first thought to resolve this issue by having each one blame the other for any mistakes, but then decided instead to request that readers notify at least one of us of any errors. We will then correct them in later editions, or via a posting of online errata.

We would like to thank our institutions, the State University of New York at Buffalo (T.W.C.), and Naval Postgraduate School and Institute of Mathematics of the Romanian Academy (P.S.), for their excellent working conditions, and for allowing us to take some time off, while this book was written.

The authors express their gratitude to the following people who undertook the task of going through the various parts of this book in its incipient form: Anna Bernasconi, David Canright, Claude Carlet, Bruno Codenotti, Ed Dawson, Hal Fredricksen, Subhamoy Maitra, and Yuliang Zheng. The second author also thanks the group of students in the ‘Cryptographic Boolean Functions’ course at Naval Postgraduate School who diligently went through the manuscript in the Fall of 2008.

Thomas W. Cusick

Buffalo, NY

Pantelimon Stănică

Monterey, CA

Chapter 1

A bit of history

1.1 George Boole (1815–1864)

The definitive biography of Boole is George Boole: His Life and Work, by Desmond MacHale (Boole Press, 1985) [286]. We shall be using both this book [286] and the biography written by O’Connor and Robertson for the MacTutor History of Mathematics archive [351].

FIGURE 1.1 Picture reprinted from MacTutor History of Mathematics : http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Boole.html

George Boole,the son of a lower class tradesman, was born in Lincoln, England, at the end of November 1815. His father gave him his first mathematics lessons and instilled in him the love of learning. A family friend (a local bookseller) helped teach him basic Latin. Boole was translating Latin poetry by the age of 12. By 14, the adolescent Boole was fluent in German, Italian and French, as well. He especially liked novels and poetry. His powers in higher mathematics did not show until he was 17 years old (he read his first advanced mathematics book, namely Lacroix’s Differential and Integral Calculus). Because his father’s business failed, he was forced to work to support his family. At 16 he became an assistant master in a private school at Doncaster, and before he was 20 years old he opened his own school.

In 1838, Boole was offered to take over Hall’s Academy in Waddington, after its founder, Robert Hall, died. His family moved to Waddington and helped him run the school. Using mathematical journals borrowed from the local Mechanic’s Institute, Boole read Principia of Isaac Newton and the works of French mathematicians Pierre-Simon Laplace (1749–1827) and Joseph Louis Lagrange (1736–1813). After learning what these authors previously wrote, Boole, at 24, published his first paper (Researches on the theory of analytical transformations) in the Cambridge Mathematical Journal (CMJ). It sparked a friendship between George Boole and the editor of CMJ, Duncan F. Gregory, which lasted until the premature death of Gregory in 1844. Gregory influenced Boole to study algebra. Because of his family’s financial situation, Boole was unable to take Gregory’s advice and audit courses at Cambridge. In fact, in the summer of 1840 he opened a boarding school in Lincoln and again the whole family moved back with him.

After his father died, Boole took up, in 1849, a Mathematics Professorship position at Queen’s College in Cork, where he remained and taught for the rest of his life. There, he met a niece of Sir George Everest (of Everest mountain fame), by the name of Mary Everest. She was 17 years younger than him, but they became friends instantly. George began to give Mary lessons on the differential calculus, and in 1855, after her father died, Mary married George Boole. They were quite happy together and five daughters were born: Mary Ellen (b. 1856), Margaret (b. 1858), Alicia (later Alicia Stott) (b. 1860), Lucy Everest (b. 1862), and Ethel Lilian (b. 1864).

The works of Boole are contained in about 50 articles and a few other publications. A list of Boole’s memoirs and papers, on logical and mathematical topics, is found in the Catalogue of Scientific Memoirs published by the Royal Society, and in a volume on differential equations (edited by I. Todhunter). Boole wrote 22 articles in the Cambridge Mathematical Journal and its successor, the Cambridge and Dublin Mathematical Journal, 16 papers in the Philosophical Magazine, six memoirs in the Philosophical Transactions (The Royal Society), and a few others in the Transactions of the Royal Society of Edinburgh and of the Royal Irish Academy, in the Bulletin de l’Academie de St-Petersbourg (in 1862, under the pseudonym G. Boldt), and in Crelle’s Journal, and a paper on the mathematical basis of logic published in the Mechanics Magazine (1848).

In 1844, the Royal Society gave him a medal for his contributions to analysis, because of his work on using algebra and calculus to analyze infinitely small and large figures.

Calculus of reasoning, which Boole was preoccupied with, found its way into his 1847 work, The Mathematical Analysis of Logic, that expanded on the work of the German mathematician Gottfried Wilhelm Leibniz (1646–1716) and pushed the idea that logic was a mathematical discipline, rather than philosophy. This paper won him the admiration of the distinguished logician Augustus de Morgan, and a place among the faculty of Ireland’s Queen’s College.

In 1854, Boole published An Investigation into the Laws of Thought, on Which are Founded the Mathematical Theories of Logic and Probabilities, which is perhaps his most important work. Boole approached logic in a new way, reducing it to simple algebra, incorporating logic into mathematics, and laying the foundations of the now famous binary approach. Logical expressions are now represented using a mathematical form called in his honor Boolean Algebra.

Boole’s genius was recognized and he received honorary degrees from the universities of Dublin and Oxford and was elected a Fellow of the Royal Society in 1857. Since his work eventually led people to land on the Moon, it is only natural that Boole is the name of a lunar crater.

One day in 1864, Boole was walking from his home to the college and was caught in a rain storm. He lectured in wet clothes and caught a cold. Because of that, it is unfortunate for mathematics that he died when he was just 49 years old.

1.2 Claude Elwood Shannon (1916–2001)

Two good biographies of Shannon were written by Sloane and Wyner, and by Liversidge in the book edited by Sloane and Wyner containing Shannon’s collected papers [419].

FIGURE 1.2 Picture reprinted from the Notices of AMS paper by Golomb et al., available at http://www.ams.org/notices/200201/fea-shannonpdf (courtesy of the MIT Museum).

Boole’s work on mathematical logic was criticized and/or ignored by his contemporaries, except for an American logician, Charles Sanders Peirce (1839–1914),who gave a speech at the American Academy of Arts and Sciences, describing Boole’s ideas. Peirce spent more than 20 years working on these ideas and their applications in electronic circuitry; ultimately, he designed a theoretical electrical logic circuit.

Unfortunately, Boolean algebra and Peirce’s work remained mostly unknown and unused for (too) many years, until the 1940s, when a young student by the name of Claude Elwood Shannon picked up Boole’s and Peirce’s works and recognized their relevance to electronics design.

Claude E. Shannonwas born in Petoskey, Michigan, on April 30, 1916. His father was a businessman and, for a period, Judge of Probate. His mother was a language teacher and for a number of years Principal of Gaylord High School, in Gaylord, Michigan. Shannon remained in Gaylord until he was 16 when he graduated from high school. He showed an inclination for science and mathematics and kept himself busy by building model planes, a radio-controlled model boat, and a telegraph system to a friend’s house half a mile away [419].

Following his sister, in 1932 he entered University of Michigan (UM), where he was introduced to the work of George Boole. Shannon graduated from UM in 1936 with dual Bachelor’s Degrees of Science in Electrical Engineering and Science in Mathematics. Right away, accepting a research assistant position at Massachusetts Institute of Technology to support himself, he began his graduate studies. He graduated in 1940 with a Master’s Degree in Electrical Engineering and a PhD in Mathematics. His Master’s thesis A Symbolic Analysis of Relay and Switching Circuits is a (successful) attempt to use Boole’s algebra to analyze relay switching circuits, while his doctoral thesis deals with population genetics. A version of his Master’s thesis was published in Transactions of the American Institute of Electrical Engineers (1940), and earned him the Alfred Noble (American Institute of Engineers) Award.

After spending a year at the Institute for Advanced Study, in 1941 Shannon joined AT&T Bell Telephones in New Jersey as a research mathematician to work on fire-control systems and cryptography. He remained affiliated with Bell Laboratories until 1972, but took up other various positions (MIT; Center for the Study of the Behavioral Sciences in Palo Alto; Institute for Advanced Study in Princeton, Visiting Fellow at All Souls College, Oxford; University of California; the IEEE; and the Royal Society).

In 1949 Shannon married Mary Elizabeth Moore and they had three sons and one daughter: Robert, James, Andrew Moore, and Margarita.

In one of his most important works, A Mathematical Theory of Communication[417], Shannon founded the subject of information theory and he proposed a linear schematic model of a communications system. This was a revolutionary idea as there was no longer any need for electromagnetic waves to be sent down a wire. One could communicate instead, by sending sequences of 0 and 1 bits. In the next year, he wrote another fundamental paper, Communication Theory of Secrecy Systems[418], which is the first analysis of cryptography. It was based on classified work on secrecy systems undertaken by Shannon in the final year of World War II.

Shannon died in 2001 after a long struggle with Alzheimer’s disease.

Chapter 2

Fourier analysis of Boolean functions

2.1 Basic Definitions on Boolean Functions

Take what you need; act as you must, and you will obtain that for which you wish!

René Descartes (1596–1650)

The purpose of this chapter is to make some preliminary definitions on Boolean functions and introduce one of the most important tools in cryptography, namely the Walsh transform (also called Hadamard transform),which is the characteristic 2 case of the discrete Fourier transform.The use of the Walsh transform makes the computation of nonlinearity, and many of the cryptographic properties of a Boolean function, a very easy and enjoyable task. Various other topics needed in the subsequent chapters will be introduced here.

(called xor, it is always a row vector unless context obviously requires it to be a column vector. For example, in sometimes denotes a row vector and sometimes denotes a column vector.

Definition 2.1

Ain variables is a map from to . The  (0,1) -sequencedefined by is called the truth table of , where

, ordered by lexicographical order. (Oftentimes, when there is a danger of confusion because of a similar notation, we shall write instead of — we shall point it out, nonetheless.) The  (1,−1) - sequence of (or simply sequence) is defined by . The algebra of all Boolean functions on will be denoted by .

. We shall be using this notation in Chapter 8.

can be expressed as a polynomial in

the algebraic normal form (ANF for short), that is,

covers ). (We refer to the work of McWilliams and Sloane [287, Chapter 13, pp. 370–373] for a method to derive the ANF from the truth table of a Boolean function.) The number of variables in the highest order monomial with nonzero coefficient is called the algebraic degree.) A Boolean function is said to be homogeneousif its ANF contains terms of the same degree only. The logical negation or complement to avoid awkward expressions).

. The restriction , defined by the rule

.

An affine function is a function that takes the form

is a linear function .

we associate its character form, or sign function, and defined by

The behavior of the sign function on the sum and products of Boolean functions is displayed in the next proposition.

Proposition 2.2

If are Boolean functions on , then the following statements hold:

.

.

Proof

Definition 2.3

The Hamming weight of a vector , denoted by , is the number of 1s in the vector . For a Boolean function on , let be the support of .The Hamming weight of a function is the Hamming weight of its truth table, that is, the cardinality of , or equivalently . The Hamming distance between two functions , denoted by is defined as

The nonlinearity of a function , denoted by , is defined as

where is the class of all affine functions on . A function of variables is called balanced if its weight is exactly .

It is a straightforward exercise to prove the next lemma and we leave this to the interested reader.

Lemma 2.4

The Hamming weight and distance satisfy the following properties:

;

;

;

;

.

.

2.2 Walsh Transform

We recommend the articles of Bernasconi et al. [30] and Pommerening [367], and the references contained therein, for more on this topic.

Definition 2.5

The Walsh transform of a function on (with the values of f taken to be real numbers  0 and  1 ) is the map , defined by

(2.1)

which defines the coefficients of with respect to the orthonormal basis of the group characters ; can be recovered by the inverse Walsh transform 

(2.2)

The Walsh spectrumWalsh coefficientsgiven by varies.

are given by the next lemma.

Lemma 2.6

If , we have

Proof

2.3 Autocorrelation Function

Definition 2.7

The autocorrelation function is defined as

(2.3)

We shall write if there is no danger of confusion. Note that equals . The correlation value between two Boolean functions and is defined