Cryptography, Attacks and Countermeasures Lecture 4 Boolean Functions - PowerPoint PPT Presentation

Cryptography, Attacks and Countermeasures. Lecture 4 Boolean Functions. John A Clark and Susan Stepney. Dept. of Computer Science. University of York, UK ... – PowerPoint PPT presentation

1
Cryptography, Attacks and Countermeasures
Lecture 4 Boolean Functions
  • John A Clark and Susan Stepney, Dept. of Computer Science
  • University of York, UK, jac,susan_at_cs.york.ac.uk

2
Stream Cipher Components
  • Boolean Functions
  • Typical Security Related Criteria
  • Non-linearity.
  • Correlation immunity
  • Algebraic degree.
  • Tradeoffs
  • Will give a linear algebra treatment.
  • Pythagoras's theorem!

3
Boolean Functions
  • A Boolean function $f: \{0,1\}^n \to \{0,1\}$

(Figure: columns x, f(x), and f(x) in polar representation)
Polar representation
Can view BF as vector in $\mathbb{R}^{2^n}$
4
Boolean Functions - Algebraic Normal Form (ANF)
  • A Boolean function on n-inputs can be represented
    in minimal sum (XOR, $\oplus$) of products (AND, .)
    form

$$f(x_1,\ldots,x_n) = a_0 \oplus a_1.x_1 \oplus \cdots \oplus a_n.x_n \oplus a_{1,2}.x_1.x_2 \oplus \cdots \oplus a_{n-1,n}.x_{n-1}.x_n \oplus \cdots \oplus a_{1,2,\ldots,n}.x_1.x_2 \ldots x_n$$

  • This is the algebraic normal form of the
    function.
  • The algebraic degree of the function is the size
    of the largest subset of inputs (i.e. the number
    of $x_j$ in it) associated with a non-zero
    coefficient.
  • 1 is a constant function (as is 0)
  • $x_1 \oplus x_3 \oplus x_5$ is a linear function
  • $x_1.x_3 \oplus x_5$ is a quadratic function
  • $x_1.x_3.x_5 \oplus x_4.x_5 \oplus x_2$ is a cubic function

5
Generating ANF
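  • Given $f(x_1,\ldots,x_n)$ it is fairly straightforward to
    derive the ANF. Consider the general form

$$f(x_1,\ldots,x_n) = a_0 \oplus a_1.x_1 \oplus \cdots \oplus a_n.x_n \oplus a_{1,2}.x_1.x_2 \oplus \cdots \oplus a_{n-1,n}.x_{n-1}.x_n \oplus \cdots \oplus a_{1,2,\ldots,n}.x_1.x_2 \ldots x_n$$

  • The constant term $a_0$ is easily derived.
  • $a_0 = f(0,0,\ldots,0)$
  • We can now determine $a_k$ by considering
  • $f(1,0,\ldots,0) = a_0 \oplus a_1.x_1 = a_0 \oplus a_1$ and so
    $a_1 = a_0 \oplus f(1,0,\ldots,0)$
  • $f(0,1,0,\ldots,0) = a_0 \oplus a_2.x_2 = a_0 \oplus a_2$ and so
    $a_2 = a_0 \oplus f(0,1,0,\ldots,0)$.
  • $f(0,0,\ldots,0,1) = a_0 \oplus a_n.x_n = a_0 \oplus a_n$ and so
    $a_n = a_0 \oplus f(0,0,\ldots,0,1)$
  • We can now determine $a_{j,k}$ by considering
  • $f(1,1,0,\ldots,0) = a_0 \oplus a_1.x_1 \oplus a_2.x_2 \oplus a_{1,2}.x_1.x_2 = a_0 \oplus a_1 \oplus a_2 \oplus a_{1,2}$
    and so $a_{1,2} = a_0 \oplus a_1 \oplus a_2 \oplus f(1,1,0,\ldots,0)$ and
    so on.
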
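The substitution procedure above, as an added example that is not part of the lecture: `anf_by_substitution` follows the slide's steps for every input subset, and `anf_coefficients` is the equivalent fast Moebius transform. The function names and the index convention (bit i of the table index is input x_(i+1)) are assumptions made here.

```python
def truth_table(n, f):
    """Evaluate f on all 2^n inputs; bit i of the index is input x_(i+1) (assumed)."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(2 ** n)]

def anf_by_substitution(tt):
    """Slide method: a_S = f(S) XOR every a_T already found for T a proper subset of S."""
    a = [0] * len(tt)
    for s in range(len(tt)):         # a proper submask t of s is always < s
        acc = tt[s]                  # f evaluated with exactly the inputs in s set to 1
        t = s
        while t:
            t = (t - 1) & s          # next smaller submask of s, ending at 0
            acc ^= a[t]
        a[s] = acc
    return a

def anf_coefficients(tt):
    """Same coefficients in O(n * 2^n): the binary Moebius transform (XOR butterfly)."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def algebraic_degree(a):
    """Size of the largest input subset with a non-zero coefficient (0 if none)."""
    return max((bin(s).count("1") for s, c in enumerate(a) if c), default=0)

def anf_terms(a):
    """Render the ANF in the slide's notation; '+' in the output stands for XOR."""
    n = len(a).bit_length() - 1
    terms = [".".join(f"x{i + 1}" for i in range(n) if s >> i & 1) or "1"
             for s, c in enumerate(a) if c]
    return " + ".join(terms) or "0"

# The three example functions from the ANF slide, taken on n = 5 inputs.
LINEAR = truth_table(5, lambda x1, x2, x3, x4, x5: x1 ^ x3 ^ x5)
QUADRATIC = truth_table(5, lambda x1, x2, x3, x4, x5: (x1 & x3) ^ x5)
CUBIC = truth_table(5, lambda x1, x2, x3, x4, x5: (x1 & x3 & x5) ^ (x4 & x5) ^ x2)

if __name__ == "__main__":
    for tt in (LINEAR, QUADRATIC, CUBIC):
        a = anf_coefficients(tt)
        assert a == anf_by_substitution(tt)
        print(algebraic_degree(a), anf_terms(a))
```
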
6
Vectors and their Representations
  • Boolean functions can be regarded as vectors in
    $\mathbb{R}^{2^n}$.
  • Boolean functions are vectors with elements 1 or
    -1.
  • Any vector space has a basis set of vectors.
  • Given any vector v it can always be expressed
    UNIQUELY as a weighted sum of the vectors in the
    basis set.
  • Thus in 3-D we have the following standard
    basis
  • Others are possible

7
Orthonormal Basis
  • If the basis vectors are orthogonal and each have
    norm (length) 1 we say that they form an
    orthonormal basis. We can express any vector in
    terms of its projections onto each of the basis
    vectors.

8
Creating Orthonormal Basis
  • Given a basis you can always turn it into an
    orthonormal basis using the Gram-Schmidt
    procedure. (We won't go into details).
  • Given an orthogonal basis you can always create
    an orthonormal one by dividing each vector by its
    norm.
  • In 2-D, the following are clearly orthogonal
  • We can form an orthonormal basis

9
N-Dimensional vectors
  • To normalise an n-dimensional vector we proceed
    in the same way. The norm is the square root of
    the sum of squares of its elements

10
Linear Functions
  • Recall that for any w in $0..(2^n-1)$ we can define
    a linear function for all x in $0..(2^n-1)$
    by
    where w and x are simply sequences of
    bits
  • We will use natural decimal indexing where
    convenient, e.g.

11
Polar Form of Linear Functions
  • The polar form of a linear function is just a
    vector of 1 and -1 elements defined by

12
Orthonormal Basis of Linear Functions
Columns are polar forms of functions
13
Balance
New improved slide
  • One criterion that we might desire for a
    combining function is balance.
  • there are an equal number of 0s and 1s in the
    truth table form.
  • there are an equal number of 1s and -1s in the
    polar form.
  • The polar form has elements that sum to 0.
  • Or, if you take the dot product of the polar form
    of a function with the constant function
    comprising all 1s, the result is 0.

14
Linear Functions are Balanced
  • Each linear function has an equal number of 1s
    and -1s (and so is a balanced function).
  • The sum of elements in a column is just
  • Is it obvious that this will always produce a sum
    to zero, whatever the value of w?
  • Consider w with k bits set (w.l.o.g. consider the
    first k bits as set).
  • Now consider x as it varies over its whole range.
  • Can you partition the x into two equal sets that
    give opposite values of the Lw(x)?
  • (Consider the x1 component.)

15
Linear Functions are Balanced
  • Consider

16
Linear Functions are Orthogonal
  • Dissimilar linear functions are orthogonal.
    Consider the dot product of any two columns of
    the 8 x 8 matrix given earlier. The result is 0.
  • To see why, consider two linear functions $x_1 \oplus x_3$
    and $x_2 \oplus x_3$. The dot product is given by

17
Orthonormal Basis with Linear Functions
  • The linear functions are vectors of $2^n$ elements
    each of which is 1 or -1. The norm is
    therefore
  • Thus we can form an orthonormal basis set

18
Representing Functions
  • Since a function f is just a vector and we have
    an orthonormal basis, we can represent it as the
    sum of projections onto the elements of that
    basis.

This is the signed magnitude of the projection onto the linear function
This is called the Walsh Hadamard function
19
Security Criteria - Balance
  • Various desirable properties of functions are
    expressed in terms of the Walsh Hadamard function
    values.
  • Balance: equal numbers of trues and falses, or
    1s and -1s in the polar form.
  • Saw that the projection onto the constant
    function should be 0.

20
Security Criteria
  • We saw that functions that looked like (agreed
    with) linear functions too much were a problem.
  • But a measure of "agreed with" is fairly easily
    calculable (Hamming distance with linear function
    in usual bit form).
  • In polar form, we simply take the dot product
    with the linear function.
  • What sort of function f agrees most with the
    linear function Lw?

Yes, when f = Lw all the elements agree
21
Security Criteria - Non-linearity
  • Also if they all disagree, i.e. f = NOT Lw, we
    can form another function that agrees with Lw
    entirely by negating f. Or in other words $f \oplus 1$
  • A function f that has minimal useful agreement
    (i.e. 50% agreement) with Lw has Hamming distance
    of $2^n/2$ with it. Or, in polar terms (each is 1
    or -1), half the elements agree and half disagree

22
Security Criteria - Non-linearity
  • Well, if correlation with linear functions is a
    bad idea let's have all such correlations being
    equal to 0, i.e. choose f such that the
    projections onto all linear functions are 0.
  • Would if I could, but I can't. Why is this NOT
    possible?

23
Back in Mundane World of 3-D
  • In 3-D is there a vector that has a null
    projection onto the x-axis?
  • Is there a vector that has a null projection onto
    each of the x and y axes?
  • Is there a vector that has a null projection onto
    each of the x, y and z axes?

24
Security Criteria
  • Because we have a basis set of linear functions.
    If a vector has a null projection onto all of
    them it is the zero-vector.
  • A Boolean function is not a zero-vector. It must
    have projections onto some of the linear
    functions.
  • But some projections are more harmful than others
    from the point of view of the correlation
    attacks.
  • Those correlations with single inputs are
    particularly dangerous, followed by correlations
    with linear functions of two inputs etc.

25
Security Criteria - Correlation Immunity
  • Correlations with single inputs correspond to
    projections onto the Lw where the w has only a
    single bit set. For three inputs, we might
    require
  • Similarly, correlations with linear functions on
    two inputs correspond to the projections onto
    linear functions Lw where the w has only two bits
    set.

26
Security Criteria - Correlation Immunity
  • If a function has a null projection onto all
    linear Lw functions with 1,2,..,k bits set in w
    (i.e. it is uncorrelated with any subset of k or
    fewer inputs) the function is said to be
    correlation immune of order k.
  • Or put another way
  • If it is also balanced then we say it is
    resilient.

27
Non-linearity
  • For a variety of reasons (there are other attacks
    that exploit linearity) we would like to keep the
    degree of agreement with any linear function as
    low as possible.
  • So if we cannot have all that we want (all
    projections 0) perhaps we might try to keep the
    worst agreement to a minimum.
  • This leads to the definition of the
    non-linearity of a function.
  • We want to keep the Hamming distance to any
    linear function (or its negation) as close to
    2(n/2) as possible.
  • Or.. Keep the maximum absolute value of any
    projection on a linear function to a minimum.
    Keep the following as low as possible

28
Non-linearity
  • Non-linearity is defined by
  • It seeks to minimise the worst absolute value of
    the projection onto any linear function.
  • But what is the maximum value we can get for
    non-linearity?

29
Boolean Functions
We can project these vectors onto a basis of $2^n$
orthogonal (Boolean function) vectors $L_0, \ldots, L_{2^n-1}$,
where $L_w(x) = w_1x_1 \oplus \cdots \oplus w_nx_n$
(Figure: polar vector f(x) with elements -1, 1, 1, 1, -1, 1, -1, -1)
Each point on the $2^n$-dimensional hyper-sphere
surface has a standard vector representation and
a spectral representation in terms of its Walsh
Hadamard values.
30
Norm of a Vector
  • The square of the length of the vector is just
    the sum of squares of its projection magnitudes
    onto the orthonormal basis.
  • Thus, for 2-D we have the usual Pythagoras rule

(Figure: triangle with sides labelled a, b and c)
31
Norm of a Boolean Vector
  • The square of the norm of a Boolean vector is
    just $2^n$.
  • But we know that this is just the sum of the
    squares of the projections onto the orthonormal
    basis

32
Parseval's Theorem
  • Parseval's Theorem. This is really a form of
    Pythagoras's theorem.
  • This means that if we reduce the magnitude of one
    of the F(w) another must increase in magnitude.

33
Bent Functions Maximise Non-linearity
  • Researched first by Rothaus. These functions
    maximise non-linearity and are functions on even
    numbers of variables.
  • Bent functions have projection magnitudes of the
    same size (but with different signs)

But this includes projection onto the constant
function => not a balanced function. If you want
maximum non-linearity, you cannot have balance.
34
Correlation Immunity and Non-linearity
  • Let's look again at Parseval's theorem
  • Now if we want correlation immunity of order k
  • Then the F(w) of some of the remaining (w > k)
    must increase in magnitude. But this increases
    non-linearity.

Non-linearity and correlation immunity are in
conflict.
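The spectral criteria from the preceding slides (balance, correlation immunity, non-linearity, Parseval, bent functions) computed from a truth table, as an added example that is not part of the lecture. It assumes the usual polar convention 0 -> +1, 1 -> -1, the unnormalised transform F(w), and the standard definition of non-linearity as (2^n - max|F(w)|)/2; the function names and the three sample functions are constructed here.

```python
def truth_table(n, f):
    """Evaluate f on all 2^n inputs; bit i of the index is input x_(i+1) (assumed)."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(2 ** n)]

def walsh_hadamard(tt):
    """Unnormalised F(w) = sum over x of fhat(x) * Lhat_w(x), with fhat = (-1)^f."""
    F = [1 - 2 * b for b in tt]              # polar form: 0 -> +1, 1 -> -1
    h = 1
    while h < len(F):                        # fast butterfly, O(n * 2^n)
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def profile(tt):
    """Balance, non-linearity and correlation-immunity order from the spectrum."""
    size = len(tt)
    n = size.bit_length() - 1
    F = walsh_hadamard(tt)
    # Parseval: sum of F(w)^2 is 2^(2n), i.e. 2^n once each F(w) is divided
    # by the basis norm 2^(n/2) as in the orthonormal treatment.
    assert sum(v * v for v in F) == size * size
    ci = 0
    for k in range(1, n + 1):                # largest k with F(w) = 0 for 1 <= wt(w) <= k
        if any(F[w] for w in range(1, size) if bin(w).count("1") == k):
            break
        ci = k
    return {
        "balanced": F[0] == 0,               # null projection onto the constant L_0
        "nonlinearity": (size - max(abs(v) for v in F)) // 2,
        "ci_order": ci,
        "flat_spectrum": len({abs(v) for v in F}) == 1,   # all |F(w)| equal: bent
    }

# Constructed sample functions on n = 4 inputs.
BENT = truth_table(4, lambda a, b, c, d: (a & b) ^ (c & d))
RESILIENT = truth_table(4, lambda a, b, c, d: a ^ b ^ (c & d))
LINEAR = truth_table(4, lambda a, b, c, d: a ^ b ^ c ^ d)

if __name__ == "__main__":
    for name, tt in [("bent", BENT), ("1-resilient", RESILIENT), ("linear", LINEAR)]:
        print(name, profile(tt))
```

On these constructed functions, x1.x2 + x3.x4 reaches non-linearity 6 but is unbalanced with order 0, x1 + x2 + x3.x4 is balanced with order 1 and non-linearity 4, and the linear function has order 3 with non-linearity 0.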
35
Other Criteria - Algebraic Degree
  • All other things being equal, we would prefer
    more complex functions to simpler ones. One
    aspect that is of interest is the algebraic
    degree of the function.
  • We would typically like this to be as high as
    possible.
  • It can be shown (not here) that there is a
    conflict with correlation immunity.
  • Siegenthaler has shown that for function f on n
    variables with correlation immunity of order m
    and algebraic degree d, we must have
    $m + d \le n$
  • For balanced functions we must have
    $m + d \le n - 1$

36
Further Structure
  • There is another structure that can be exploited.
    It is a form of correlation between outputs
    corresponding to inputs that are related in a
    straightforward way.
  • This is autocorrelation.

Bitwise XOR
37
Tradeoffs
  • We begin to see the sorts of problems
    cryptographers face.
  • There are many different forms of attack.
    Protecting against one in an ideal way may allow
    another form of attack.
  • Life is an unending series of tradeoffs.
  • However, given the mathematical constraints, we
    might still want to achieve the best profile of
    properties we can.
  • A lot of Boolean function research seeks
    constructions to derive such functions.

38
No Such Thing As A Secure Boolean Function
  • There is no such thing as a secure Boolean
    function.
  • There may be functions that are appropriate to be
    used in particular contexts to give a secure
    system.
  • However, the treatment here shows quite effectively
    that life is not easy and that compromises have
    to be made.
  • Nice treatment in terms of vector algebra and
    security criteria being defined in terms of
    subspaces of a vector space of $\mathbb{R}^{2^n}$.