Lecture Slides 2

Nonlinear Resilient Functions
2001.6.26
Jung Hee Cheon
http://vega.icu.ac.kr/~jhcheon
Information and Communications University (ICU)
Information and Communications University, Jung Hee Cheon
Linear Resilient Functions
- An [n,m,d] linear code is an m-dimensional subspace C of $GF(2)^n$ such that the Hamming distance between any two vectors in C is at least d.
- Generating matrix G: an m×n matrix whose rows form a basis for C.
- [CGH85]
  - $f(x) = xG^T$ is an (n,m,d-1)-resilient function.
  - The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function.
Nonlinear Resilient Functions
- Conjecture 1: If there is an (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?
- Disproved by Stinson and Massey (1995)
  - An infinite class of counterexamples to a conjecture concerning nonlinear resilient functions (Journal of Cryptology, Vol. 8, 1995)
  - Construct nonlinear resilient functions from the Kerdock and Preparata codes
  - Showed nonexistence of linear resilient functions with the same parameters
  - For any odd integer $r \ge 3$, a $(2^{r+1}, 2^{r+1}-2r-2, 5)$-resilient function exists.
  - For r=3, a (16,8,5)-resilient function exists.
Zhang and Zheng’s Construction
- Composition of a resilient function and a nonlinear permutation gives a nonlinear resilient function
  - F: a linear (n,m,k)-resilient function
  - G: a permutation on $GF(2)^m$ with nonlinearity $N_G$
- Then $P = G \circ F$ is an (n,m,k)-resilient function such that
  - the nonlinearity of P is $2^{n-m} N_G$
  - the algebraic degree of P is the same as that of G
- Note that composition with a permutation does not change the frequency of the output
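The linear construction $f(x) = xG^T$ from the earlier slide and the composition $P = G \circ F$ above can both be checked by brute force. The following is an added example, not code from the original slides; the [7,4,3] Hamming generator matrix and the choice of inversion in $GF(2^4)$ as the permutation G are assumptions made for the illustration.

```python
from itertools import combinations

# Generator matrix rows of a [7,4,3] Hamming code as 7-bit integers (constructed input).
ROWS = [0b1000110, 0b0100101, 0b0010011, 0b0001111]

def parity(v):
    return bin(v).count("1") & 1

def F(x):
    """Linear f(x) = x G^T: output bit j is the inner product of x with row j."""
    return sum(parity(x & row) << j for j, row in enumerate(ROWS))

def gf16_mul(a, b):
    """Multiply in GF(2^4) = GF(2)[z]/(z^4 + z + 1)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a = (a << 1) ^ (0x13 if a & 8 else 0)
    return r

def G(y):
    """Nonlinear permutation y -> y^(-1) on GF(2^4), with 0 -> 0."""
    return next((z for z in range(1, 16) if gf16_mul(y, z) == 1), 0)

def P(x):
    return G(F(x))  # the composition P = G o F

def is_resilient(func, n, m, k):
    """Definition check: fixing any k input bits leaves the output uniform."""
    for pos in combinations(range(n), k):
        mask = sum(1 << i for i in pos)
        hist = {}
        for x in range(2 ** n):
            key = (x & mask, func(x))
            hist[key] = hist.get(key, 0) + 1
        # all 2^(k+m) (fixed bits, output) pairs must occur equally often
        if len(hist) != 2 ** (k + m) or len(set(hist.values())) != 1:
            return False
    return True

def nonlinearity(func, n, m):
    """Minimum distance of any component b.func to the affine functions."""
    t = [func(x) for x in range(2 ** n)]
    peak = max(abs(sum(1 - 2 * parity((b & t[x]) ^ (w & x)) for x in range(2 ** n)))
               for b in range(1, 2 ** m) for w in range(2 ** n))
    return 2 ** (n - 1) - peak // 2
```

With these inputs F is (7,4,2)-resilient but not 3-resilient, and P keeps the same resiliency while its nonlinearity rises from 0 to $2^{7-4} \cdot 4 = 32$.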
Zhang and Zheng’s Construction (Cont.)
- Converse of Conjecture 1 holds.
  - If there is a linear resilient function with certain parameters, then there exists a nonlinear resilient function with the same parameters.
- Nonlinear resilient functions give better parameters and should be studied.
- Limitation of ZZ construction
  - The algebraic degree of F is at most the output size m
  - It gives parameters which correspond to a linear resilient function
Algebraic Degree and Nonlinearity
- The algebraic degree of a Boolean function f is the maximum of the degrees of the terms of f when written in reduced form
  - A linear function has algebraic degree 1
  - The maximum algebraic degree is the size of the input.
- The nonlinearity of a Boolean function f is its distance from the affine functions
  - $N(f) = \min_l wt(f + l)$ where l ranges over all affine functions.
  - Nonlinearity is an important measure of the resistance of a block cipher against linear cryptanalysis
  - The nonlinearity of a vector Boolean function F is the minimum nonlinearity of its component functions b · F.
  - The nonlinearity of a linear function is 0
Nonlinearity
- Known results for nonlinearity of polynomials
  - $N(x^{2^k+1}) = 2^{n-1} - 2^{(n+s)/2-1}$ if n/s is odd for s = gcd(n,k).
  - $N(x^{2^{2k}-2^k+1}) = 2^{n-1} - 2^{(n-1)/2}$ if n is odd and gcd(n,k) = 1.
  - $N(x^{-1}) = 2^{n-1} - 2^{n/2}$ (by notation, $0^{-1} = 0$)
  - $N(F(x)) \ge 2^{n-1} - \frac{k-1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
  - $N(F(1/x)) \ge 2^{n-1} - \frac{k+1}{2} \cdot 2^{n/2}$ if F is a polynomial of degree k in $F_{2^n}$.
  - Nonlinearity of a polynomial is related to the number of rational points of associated algebraic curves.
- What is the maximal nonlinearity of a balanced Boolean function with odd n?
Stream Ciphers and Resilient Functions
- Siegenthaler, 1984
  - The complexity of a Combining Generator depends on the resiliency of the combining function F.
  - Divide-and-Conquer Attack (Correlation Attack)
    - If the output of F has a correlation with the output of KSG 1, we can find the initial vector of KSG 1
[Figure: combining generator in which KSG 1, KSG 2, ..., KSG n feed the combining function F]
Previous Studies
- Siegenthaler
  - Resiliency vs. Algebraic Degree
    - k + d < n for an (n,1,k)-resilient function with algebraic degree d
- Chee, Seberry, Zhang, Zheng, Carlet, Sarkar, Maitra, Tarannikov
  - Resiliency vs. Nonlinearity
    - Try to maximize nonlinearity given parameters
- Other works
  - Find the relation between cryptographic properties of Boolean functions
    - Nonlinearity, Algebraic degree, Resiliency, APN, SAC, PC, GAC, LS
  - Count the number of Boolean functions satisfying certain properties
Multi-output Stream Ciphers
- To design a multi-output stream cipher based on a combining generator, we need a resilient function which
  - is nonlinear
  - has algebraic degree as large as possible
  - has nonlinearity as large as possible
  - has resiliency as large as possible
[Figure: combining generator in which KSG 1, KSG 2, ..., KSG n feed the combining function F]
Resiliency of a Boolean function
- f(x): a Boolean function on $GF(2)^n$
  - $\ker(f) = \{x \in GF(2)^n \mid f(x+y)+f(x)+f(y)=0 \text{ for all } y \in GF(2)^n\}$
- $B = \{a_1, a_2, a_3, \ldots, a_n\}$: a basis whose first w elements form a basis of ker(f)
  - Let $c = (f(a_1)+1, \ldots, f(a_n)+1)$
- Theorem 1. f(x)+Tr[cx] is a (w-1)-resilient function for the dimension w of ker(f)
Application
- A linearized polynomial is a polynomial over $GF(2^n)$ such that
  - each of its terms has degree a power of 2
  - $V(R) := \{x \in GF(2^n) \mid R(x) = 0\}$ forms a vector space over GF(2)
- Let $F(x) = 1/R(x)$
  - Define F(x) = 1 when x belongs to V(R)
- ker(f) = V(R) for any f(x) = Tr[b/R(x)] since
1
1
1
1
1




R( x  y ) R( x)  R( y ) R( x) R( x) R( y )
- We can apply the main theorem
Theorem 2
- Tr[bF] is a (w-1)-resilient function under a basis B, where
  - $F(x) = 1/R(x) + x$
 B  { i ,,  n } : a basis whose first w element forms a basis of V(R)

 
 B  {1 ,,  n } : a dual basis of B
 


 b  1  1    1   bi i for bi  0,1
i  w1
Algebraic Degree and Nonlinearity
- F(x)=1/R(x) has the algebraic degree n-1-w for the dimension w of V(R).
- F(x) has nonlinearity at least 2n-1 – 2w2n +2w-1
  - Consider a complete nonsingular curve $C_{a,b}: y^2 + y = ax + b/R(x)$
  - $|t| = |\#C_{a,b}(GF(2^n)) - 2^n - 1| \le 2g\sqrt{2^n}$ where $g = 2^w - \delta_{a,0}$ is the genus of $C_{a,b}$
  - $\#C_{a,b}(GF(2^n)) = 2\#\{x \in GF(2^n) \mid a \cdot x = b \cdot F(x)\} + 2^w + 1 + \delta_{a,0}$
  - C has a point for each root x of R
  - C has two points at infinity if a = 0 and one point otherwise
  - N(F) = 2n-1-2-1|t-2w-2n|
Example
 V ( R )  {1 ,  2 ,  3 ,  4 } : a set of linear independen t elements of F28
 R ( x)   ( x   ) where  ranges over all linear combinatio ns of
of element of N R (Fq )
 B  {1 ,  2 ,  ,  8 } : a basis of F2 n
 


 B  {1 ,  2 ,  ,  8 } : a dual basis of B
1
 f(x)  Tr[(ξ1  ξ 2  ξ 3  ξ 4 )(
 x)] is a 3 - resilient function
R( x)
Example2
 V ( R )  {1 , 2 , 3 , 4 } : a set of linearly independen t elements of F28
 R ( x)   ( x   ) where  ranges over all linear combinatio ns od elements
of N R (Fq )
 B  {1 , 2 ,,8 } : a basis of F28
 


 B  {1 , 2 ,,8 } : the dual basis od B
1
 f1 ( x)  Tr[(1   2   3 )(
 x)] is a 2 - resilient function
R( x)
1
 f 2 ( x)  Tr[(1   2   4 )(
 x)] is a 2 - resilient function
R( x)
1
 f 3 ( x)  Tr[( 3   4 )(
 x)] is a 1 - resilient function
R( x)
- $(f_1, f_2)$ is a 1-resilient function since $f_1 + f_2 = f_3$
Vector Resilient Functions
 ( B1  F , B2  F ,, Bm  F ) is a (n, m, d  1) - resilient function
with algebraic degree D  n - w - 1 under a basis B where
 F ( x)  1 / R( x)  x
 B  { i ,, n } : a basis whose first w element forms a basis of V ( R )



 B  { i ,, n } : a dual basis of B
 The projection of B1 , B2 ,, Bm  F2 n into V ( R ) forms a [ w, m, d ] linear code.
- Theorem: If an [n,m,d] linear code exists, there is an (n+D+1,m,d-1)-resilient function for any non-negative integer D.
  - Note that we can find a linear (n,m,d-1)-resilient function from an [n,m,d] linear code.
A Simplex Code
- Simplex codes: a $[2^m-1, m, 2^{m-1}]$ linear code for any positive m
  - Each nonzero codeword has weight $2^{m-1}$
  - It is optimal in the sense that
- Concatenating each codeword t times gives a $[t(2^m-1), m, t2^{m-1}]$ linear code, all of whose nonzero codewords have the same weight $t2^{m-1}$.
- Theorem: There is a $(t(2^m-1)+D+1, m, t2^{m-1}-1)$-resilient function for any positive integers t and D.
  - If there is an [n,m,d] linear code, there exists an $(n+t(2^m-1)+D+1, m, d+t2^{m-1}-1)$-resilient function for any positive integers t and D.
New Resilient Functions from Old
- [BGS94]
  - If there is an (n,m,t)-resilient function, there is an (n-1,m,t-1)-resilient function.
  - If there is a linear (n,m,t)-resilient function, there is an (n-1,m-1,t)-resilient function.
- [ZZ95]
  - If F is an (n,m,t)-resilient function, then
    - $G(x,y,z) = (F(x) \oplus F(y), F(y) \oplus F(z))$ is a (3n,2m,2t+1)-resilient function.
  - If F is (n,m,t)-resilient and G is (n’,m,t’)-resilient, then
    - $F(x) \oplus G(y)$ is an (n+n’, m, t+t’+1)-resilient function.
  - If F is (n,m,t)-resilient and G is (n’,m’,t’)-resilient, then
    - $(F(x), G(y))$ is an (n+n’, m+m’, T)-resilient function where T = min{t,t’}
Stream Ciphers - revisited
- Correlation Coefficient
  - $c(f,g) = \#\{x \mid f = g\} - \#\{x \mid f \ne g\}$
  - F is k-resilient if $W_F(w) = c(F, l_w) = 0$ for all w with $wt(w) \le k$.
- Maximal Correlation (Zhang and Agnes, Crypto’00)
  - Let F be a function from $GF(2^n)$ to $GF(2^m)$.
  - $C_F(w) = \max_g c(g \circ F, l_w)$ where g runs through all Boolean functions on $GF(2^m)$.
  - Here we consider not only linear functions, but also nonlinear functions for g.
- In a combining generator with more than one bit of output,
  - A combining function F should have small maximal correlation (related to the number of rational points of associated algebraic curves)
  - We should consider the resiliency of a composition of F with a Boolean function which is not necessarily linear.
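The Walsh condition above gives a direct way to audit a single-output combining function before it goes into a combining generator, and the same truth table yields the algebraic degree d needed to check Siegenthaler's bound k + d < n from the earlier slides. This is an added example, not code from the original slides; the two combiners (`geffe`, `combiner4`) and all function names are hypothetical choices for the illustration.

```python
def truth_table(f, n):
    """Evaluate f on all inputs; bit i of the index x is the output of KSG i+1."""
    return [f(*[(x >> i) & 1 for i in range(n)]) for x in range(2 ** n)]

def walsh(tt, n):
    """W_f(w) = c(f, l_w) = #{x : f(x) = w.x} - #{x : f(x) != w.x}."""
    return [sum(1 - 2 * (tt[x] ^ (bin(w & x).count("1") & 1))
                for x in range(2 ** n)) for w in range(2 ** n)]

def resiliency_order(spec, n):
    """Largest k with W_f(w) = 0 for all wt(w) <= k, or -1 if f is unbalanced."""
    k = -1
    for t in range(n + 1):
        if any(spec[w] for w in range(2 ** n) if bin(w).count("1") == t):
            break
        k = t
    return k

def algebraic_degree(tt, n):
    """Degree of the algebraic normal form, via the binary Moebius transform."""
    anf = list(tt)
    for i in range(n):
        for x in range(2 ** n):
            if (x >> i) & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(u).count("1") for u in range(2 ** n) if anf[u]), default=0)

def audit(f, n):
    """Return (resiliency order k, algebraic degree d, nonlinearity) of f."""
    tt = truth_table(f, n)
    spec = walsh(tt, n)
    nl = 2 ** (n - 1) - max(abs(v) for v in spec) // 2
    return resiliency_order(spec, n), algebraic_degree(tt, n), nl

# Constructed sample combiners (not from the slides).
def geffe(x1, x2, x3):          # multiplexer: x2 selects x1 or x3
    return (x1 & x2) ^ ((1 ^ x2) & x3)

def combiner4(x1, x2, x3, x4):  # linear part XOR a quadratic term
    return x1 ^ x2 ^ (x3 & x4)

if __name__ == "__main__":
    for name, f, n in (("geffe", geffe, 3), ("combiner4", combiner4, 4)):
        k, d, nl = audit(f, n)
        print(f"{name}: k={k} d={d} nonlinearity={nl} k+d<n: {k + d < n}")
```

A nonzero Walsh value at a weight-1 index, as `geffe` has for x1 and x3, means the output is correlated with a single KSG, which is the condition the divide-and-conquer attack relies on; `combiner4` has none and is 1-resilient.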
Questions
- What is the maximum resiliency given n and m?
- Find the relation among nonlinearity, resiliency and the size of output?
- Count resilient functions with certain parameters
- Relation between nonlinear codes and nonlinear resilient functions
- Extend Siegenthaler’s Inequality to a function with m>1
  - k + d < n for an (n,1,k)-resilient function with algebraic degree d
DISCUSSION
Questions????