Cryptography, Attacks and Countermeasures Lecture 4 – Boolean Functions John A Clark and Susan Stepney Dept. of Computer Science University of York, UK.


1 Cryptography, Attacks and Countermeasures Lecture 4 – Boolean Functions John A Clark and Susan Stepney Dept. of Computer Science University of York, UK {jac,susan}@cs.york.ac.uk

2 Stream Cipher Components Boolean Functions. Typical security-related criteria: non-linearity, correlation immunity, algebraic degree. Tradeoffs. Will give a linear algebra treatment. Pythagoras’s theorem!

3 Boolean Functions A Boolean function $f:\{0,1\}^n \to \{0,1\}$. Polar representation: $\hat{f}(x) = (-1)^{f(x)}$. Can view a Boolean function as a vector in $\mathbb{R}^{2^n}$. [Table: an example f(x) and its polar form for x = 000, 001, ..., 111, indexed 0 to 7]

4 Boolean Functions – Algebraic Normal Form (ANF) A Boolean function on n inputs can be represented in minimal sum (XOR, +) of products (AND, .) form: $f(x_1,\dots,x_n) = a_0 + a_1 x_1 + \dots + a_n x_n + a_{1,2} x_1 x_2 + \dots + a_{n-1,n} x_{n-1} x_n + \dots + a_{1,2,\dots,n} x_1 x_2 \cdots x_n$. This is the algebraic normal form of the function. The algebraic degree of the function is the size of the largest subset of inputs (i.e. the number of $x_j$ in it) associated with a non-zero coefficient. 1 is a constant function (as is 0). $x_1 + x_3 + x_5$ is a linear function. $x_1 x_3 + x_5$ is a quadratic function. $x_1 x_3 x_5 + x_4 x_5 + x_2$ is a cubic function.

5 Generating ANF Given $f(x_1,\dots,x_n)$ it is fairly straightforward to derive the ANF. Consider the general form: $f(x_1,\dots,x_n) = a_0 + a_1 x_1 + \dots + a_n x_n + a_{1,2} x_1 x_2 + \dots + a_{n-1,n} x_{n-1} x_n + \dots + a_{1,2,\dots,n} x_1 x_2 \cdots x_n$. The constant term $a_0$ is easily derived: $a_0 = f(0,0,\dots,0)$. We can now determine $a_k$ by considering: $f(1,0,\dots,0) = a_0 + a_1 x_1 = a_0 + a_1$ and so $a_1 = a_0 + f(1,0,\dots,0)$; $f(0,1,0,\dots,0) = a_0 + a_2 x_2 = a_0 + a_2$ and so $a_2 = a_0 + f(0,1,0,\dots,0)$; ...; $f(0,\dots,0,1) = a_0 + a_n x_n = a_0 + a_n$ and so $a_n = a_0 + f(0,\dots,0,1)$. We can now determine $a_{j,k}$ by considering: $f(1,1,0,\dots,0) = a_0 + a_1 x_1 + a_2 x_2 + a_{1,2} x_1 x_2 = a_0 + a_1 + a_2 + a_{1,2}$ and so $a_{1,2} = a_0 + a_1 + a_2 + f(1,1,0,\dots,0)$, and so on.
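The procedure on this slide, carried through for every coefficient, is the binary Moebius transform. The following is an added example, not code from the lecture; the function names, the bit order (x1 as the most significant bit of the truth-table index) and the majority-function sample are assumptions made for illustration. The cubic is the one quoted on slide 4.

```python
def truth_table(f, n):
    """Evaluate f on all inputs; index bits are x1 (most significant) .. xn."""
    return [f(*[(x >> (n - 1 - j)) & 1 for j in range(n)]) & 1 for x in range(1 << n)]

def anf_coefficients(tt):
    """Binary Moebius transform of a truth table.

    Gives the same a[S] as the slide's recurrence
    a[S] = f(1_S) XOR (all a[T] with T a proper subset of S).
    Index S is a bit mask in the same bit order as the truth-table index.
    """
    a = list(tt)
    if len(a) == 0 or len(a) & (len(a) - 1):
        raise ValueError("truth table length must be a power of two")
    step = 1
    while step < len(a):
        for start in range(0, len(a), 2 * step):
            for i in range(start, start + step):
                a[i + step] ^= a[i]      # fold in the coefficient without this variable
        step *= 2
    return a

def algebraic_degree(tt):
    """Size of the largest monomial with a non-zero coefficient."""
    return max((bin(m).count("1") for m, c in enumerate(anf_coefficients(tt)) if c), default=0)

def anf_string(tt):
    """Render the ANF with + for XOR and . for AND, lowest degree first."""
    n = len(tt).bit_length() - 1
    a = anf_coefficients(tt)
    order = sorted((m for m in range(len(a)) if a[m]), key=lambda m: (bin(m).count("1"), -m))
    def monomial(m):
        return ".".join(f"x{j + 1}" for j in range(n) if (m >> (n - 1 - j)) & 1) or "1"
    return " + ".join(monomial(m) for m in order) or "0"

# Constructed sample: 3-input majority, truth table listed for x = 000 .. 111.
MAJORITY = [0, 0, 0, 1, 0, 1, 1, 1]
# The cubic function from slide 4, on 5 inputs.
SLIDE_CUBIC = truth_table(lambda x1, x2, x3, x4, x5: (x1 & x3 & x5) ^ (x4 & x5) ^ x2, 5)

if __name__ == "__main__":
    print(anf_string(MAJORITY), "degree", algebraic_degree(MAJORITY))
    print(anf_string(SLIDE_CUBIC), "degree", algebraic_degree(SLIDE_CUBIC))
```

The transform is its own inverse over XOR, so applying it to the coefficients recovers the truth table.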

6 Vectors and their Representations Boolean functions can be regarded as vectors in $\mathbb{R}^{2^n}$. Boolean functions are vectors with elements 1 or –1. Any vector space has a basis set of vectors. Given any vector v it can always be expressed UNIQUELY as a weighted sum of the vectors in the basis set. Thus in 3-D we have the following standard basis. Others are possible:

7 Orthonormal Basis If the basis vectors are orthogonal and each has norm (length) 1 we say that they form an orthonormal basis. We can express any vector in terms of its projections onto each of the basis vectors.

8 Creating Orthonormal Basis Given a basis you can always turn it into an orthonormal basis using the Gram-Schmidt procedure. (We won’t go into details). Given an orthogonal basis you can always create an orthonormal one by dividing each vector by its norm. In 2-D, the following are clearly orthogonal. We can form an orthonormal basis

9 N-Dimensional vectors To normalise an n-dimensional vector we proceed in the same way. The norm is the square root of the sum of squares of its elements

10 Linear Functions Recall that for any $\omega$ in $0..(2^n-1)$ we can define a linear function for all x in $0..(2^n-1)$ by: where $\omega$ and x are simply sequences of bits. We will use natural decimal indexing where convenient, e.g

11 Polar Form of Linear Functions The polar form of a linear function is just a vector of +1 and –1 elements defined by

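12 Orthonormal Basis of Linear Functions Columns are polar forms of functions.
x     000  001  010  011  100  101  110  111
000    +1   +1   +1   +1   +1   +1   +1   +1
001    +1   -1   +1   -1   +1   -1   +1   -1
010    +1   +1   -1   -1   +1   +1   -1   -1
011    +1   -1   -1   +1   +1   -1   -1   +1
100    +1   +1   +1   +1   -1   -1   -1   -1
101    +1   -1   +1   -1   -1   +1   -1   +1
110    +1   +1   -1   -1   -1   -1   +1   +1
111    +1   -1   -1   +1   -1   +1   +1   -1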

13 Balance One criterion that we might desire for a combining function is balance: there are an equal number of 0’s and 1’s in the truth table form; there are an equal number of +1’s and –1’s in the polar form. The polar form has elements that sum to 0. Or, if you take the dot product of the polar form of a function with the constant function comprising all 1’s, the result is 0. (New improved slide)

14 Linear Functions are Balanced Each linear function has an equal number of 1’s and –1’s (and so is a balanced function). The sum of elements in a column is just Is it obvious that this will always produce a sum to zero, whatever the value of $\omega$? Consider $\omega$ with k bits set (w.l.o.g. consider the first k bits as set). Now consider x as it varies over its whole range. Can you partition the x into two equal sets that give opposite values of the $L_\omega(x)$? (Consider the $x_1$ component.)

15 Linear Functions are Balanced Consider: 000 and 100; 011 and 111; 101 and 001; 110 and 010.

16 Linear Functions are Orthogonal Dissimilar linear functions are orthogonal. Consider the dot product of any two columns of the 8 x 8 matrix given earlier. The result is 0. To see why, consider two linear functions $x_1 + x_3$ and $x_2 + x_3$. The dot product is given by

17 Orthonormal Basis with Linear Functions The linear functions are vectors of $2^n$ elements each of which is 1 or –1. The norm is therefore Thus we can form an orthonormal basis set

18 Representing Functions Since a function f is just a vector and we have an orthonormal basis, we can represent it as the sum of projections onto the elements of that basis. This is called the Walsh Hadamard function. This is the signed magnitude of the projection onto the linear function

19 Security Criteria - Balance Various desirable properties of functions are expressed in terms of the Walsh Hadamard function values. Balance – equal numbers of trues and falses, or +1’s and –1’s in the polar form. Saw that the projection onto the constant function should be 0.

20 Security Criteria We saw that functions that ‘looked like’ (agreed with) linear functions too much were a problem. But a measure of ‘agreed with’ is fairly easily calculable (Hamming distance with linear function in usual bit form). In polar form, we simply take the dot product with the linear function. What sort of function f agrees most with the linear function $L_\omega$? Yes, when $f = L_\omega$ all the elements agree

21 Security Criteria – Non-linearity Also if they all disagree, i.e. $f = \mathrm{NOT}\ L_\omega$, we can form another function that agrees with $L_\omega$ entirely by negating f. Or in other words $f \oplus 1$. A function f that has minimal useful agreement (i.e. 50% agreement) with $L_\omega$ has Hamming distance of $2^n/2$ with it. Or, in polar terms (each is +1 or –1), half the elements agree and half disagree

22 Security Criteria – Non-linearity Well, if correlation with linear functions is a bad idea let’s have all such correlations being equal to 0, i.e. choose f such that the projections onto all linear functions are 0. Would if I could, but I can’t. Why is this NOT possible?

23 Back in Mundane World of 3-D In 3-D is there a vector that has a null projection onto the x-axis? Is there a vector that has a null projection onto each of the x and y axes? Is there a vector that has a null projection onto each of the x, y and z axes?

24 Security Criteria Because we have a basis set of linear functions. If a vector has a null projection onto all of them it is the zero-vector. A Boolean function is not a zero-vector. It must have projections onto some of the linear functions. But some projections are more harmful than others from the point of view of the correlation attacks. Those correlations with single inputs are particularly dangerous, followed by correlations with linear functions of two inputs etc.

25 Security Criteria – Correlation Immunity Correlations with single inputs correspond to projections onto the $L_\omega$ where the $\omega$ has only a single bit set. For three inputs, we might require Similarly, correlations with linear functions on two inputs correspond to the projections onto linear functions $L_\omega$ where the $\omega$ has only two bits set.

26 Security Criteria – Correlation Immunity If a function has a null projection onto all linear functions $L_\omega$ with 1, 2, ..., k bits set in $\omega$ (i.e. it is uncorrelated with any subset of k or fewer inputs) the function is said to be correlation immune of order k. Or put another way If it is also balanced then we say it is resilient.

27 Non-linearity For a variety of reasons (there are other attacks that exploit linearity) we would like to keep the degree of agreement with any linear function as low as possible. So if we cannot have all that we want (all projections 0) perhaps we might try to keep the worst agreement to a minimum. This leads to the definition of the non-linearity of a function. We want to keep the Hamming distance to any linear function (or its negation) as close to $2^n/2$ as possible. Or: keep the maximum absolute value of any projection on a linear function to a minimum. Keep the following as low as possible

28 Non-linearity Non-linearity is defined by: It seeks to minimise the worst absolute value of the projection onto any linear function. But what is the maximum value we can get for non-linearity?

29 Boolean Functions We can project these vectors onto a basis of $2^n$ orthogonal (Boolean function) vectors $L_0, \dots, L_{2^n-1}$, where $L_\omega(x) = \omega_1 x_1 \oplus \dots \oplus \omega_n x_n$. Each point on the $2^n$-dimension hyper-sphere surface has a standard vector representation and a spectral representation in terms of its Walsh Hadamard values.

30 Norm of a Vector The square of the length of the vector is just the sum of squares of its projection magnitudes onto the orthonormal basis. Thus, for 2-D we have the usual Pythagoras rule. [Figure: triangle with sides a, b and c]

31 Norm of a Boolean Vector The square of the norm of a Boolean vector is just $2^n$. But we know that this is just the sum of the squares of the projections onto the orthonormal basis

32 Parseval’s Theorem Parseval’s Theorem. This is really a form of Pythagoras’s theorem. This means that if we reduce the magnitude of one of the $F(\omega)$ another must increase in magnitude.

33 Bent Functions Maximise Non-linearity Researched first by Rothaus. These functions maximise non-linearity and are functions on even numbers of variables. Bent functions have projection magnitudes of the same size (but with different signs). But this includes projection onto the constant function => not a balanced function. If you want maximum non-linearity, you cannot have balance.

34 Correlation Immunity and Non-linearity Let’s look again at Parseval’s theorem: Now if we want correlation immunity of order k Then the $F(\omega)$ of some of the remaining ($|\omega| > k$) must increase in magnitude. But this increases non-linearity. Non-linearity and correlation immunity are in conflict.
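The criteria of slides 18 to 34 can be checked numerically from the Walsh Hadamard values. The following is an added example, not code from the lecture. The slide formulas for F(ω) and for non-linearity did not survive in this transcript, so it assumes the unnormalised sum F(ω) = Σ_x (-1)^(f(x) ⊕ L_ω(x)) (under which Parseval reads Σ F(ω)² = 2^(2n)) and the usual definition non-linearity = (2^n − max|F(ω)|)/2; the three 4-input functions and all names are constructed for illustration.

```python
def truth_table(f, n):
    """Evaluate f on all inputs; index bits are x1 (most significant) .. xn."""
    return [f(*[(x >> (n - 1 - j)) & 1 for j in range(n)]) & 1 for x in range(1 << n)]

def walsh_spectrum(tt):
    """F(w) for every w: dot product of the polar form with each polar linear function."""
    F = [1 - 2 * b for b in tt]              # polar form: 0 -> +1, 1 -> -1
    step = 1
    while step < len(F):                     # fast Walsh-Hadamard butterfly
        for start in range(0, len(F), 2 * step):
            for i in range(start, start + step):
                F[i], F[i + step] = F[i] + F[i + step], F[i] - F[i + step]
        step *= 2
    return F

def ci_order(F):
    """Largest k such that F(w) = 0 for every w with 1..k bits set."""
    n = len(F).bit_length() - 1
    for k in range(1, n + 1):
        if any(F[w] for w in range(len(F)) if bin(w).count("1") == k):
            return k - 1
    return n

def profile(tt):
    """Summarise the security criteria of a truth table from its spectrum."""
    F = walsh_spectrum(tt)
    worst = max(abs(v) for v in F)
    return {
        "balanced": F[0] == 0,                          # null projection onto the constant function
        "ci_order": ci_order(F),
        "max_abs_F": worst,
        "nonlinearity": (len(F) - worst) // 2,          # assumed standard definition
        "parseval": sum(v * v for v in F) == len(F) ** 2,
    }

# Constructed 4-input examples.
BENT = truth_table(lambda a, b, c, d: (a & b) ^ (c & d), 4)       # flat spectrum, unbalanced
RESILIENT = truth_table(lambda a, b, c, d: a ^ b ^ (c & d), 4)    # balanced, CI order 1
LINEAR = truth_table(lambda a, b, c, d: a ^ b ^ c ^ d, 4)         # CI order 3, no non-linearity

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("resilient", RESILIENT), ("linear", LINEAR)):
        print(name, profile(tt))
```

Moving from the bent function to the resilient one and then to the linear one, the correlation immunity order rises 0, 1, 3 while the largest |F(ω)| rises 4, 8, 16, with the sum of squares fixed at 256 throughout.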

35 Other Criteria – Algebraic Degree All other things being equal, we would prefer more complex functions to simpler ones. One aspect that is of interest is the algebraic degree of the function. We would typically like this to be as high as possible. It can be shown (not here) that there is a conflict with correlation immunity. Siegenthaler has shown that for function f on n variables with correlation immunity of order m and algebraic degree d, we must have $m + d \le n$. For balanced functions we must have $m + d \le n - 1$.

36 Further Structure There is another structure that can be exploited. It is a form of correlation between outputs corresponding to inputs that are related in a straightforward way. This is autocorrelation. Bitwise XOR

37 Tradeoffs We begin to see the sorts of problems cryptographers face. There are many different forms of attack. Protecting against one in an ideal way may allow another form of attack. Life is an unending series of tradeoffs. However, given the mathematical constraints, we might still want to achieve the best profile of properties we can. A lot of Boolean function research seeks constructions to derive such functions.

38 No Such Thing As A Secure Boolean Function There is no such thing as a secure Boolean function. There may be functions that are appropriate to be used in particular contexts to give a secure system. However, the treatment here shows quite effectively that life is not easy and that compromises have to be made. Nice treatment in terms of vector algebra and security criteria being defined in terms of subspaces of a vector space of $\mathbb{R}^{2^n}$.

