Copyright by Shweta Prem Agrawal 2007

Algebraic Attacks: A Survey
by
Shweta Prem Agrawal, B.E.
Thesis
Presented to the Faculty of the Graduate School of
The University of Texas at Austin
in Partial Fulfillment
of the Requirements
for the Degree of
Master of Arts
The University of Texas at Austin
December 2007
Algebraic Attacks: A Survey
Approved by
Supervising Committee:
For my mother
Acknowledgments
Many people have contributed in large measure to making this work possible. I
want to thank my advisor Anna, for her understanding and support. I have learnt
much from working with her, both technically and otherwise. She provided excellent
guidance in research but more importantly, she was kind and encouraging during my
struggle to get into theory from an unrelated background. I am especially grateful
to her for the numerous times she went out of her way to help me, and for the
comfortable work environment she helped create. Working with her has been both
enjoyable and inspiring.
I am deeply indebted to David Zuckerman for the most beautiful introduction
to theory that I could have hoped for. My love for both math and research has been
largely shaped by my interaction with him. More significant than the math I learnt
from him was the spirit of mathematical reasoning, rigor and intuition that I was
able to imbibe.
I am grateful to everyone I interacted with at UT for an enthusiastic and
motivational academic atmosphere. Special thanks are due to members of the theory
group, especially Anna, David and Greg for their concern, help and advice.
I thank my friends for the long discussions and fun times. Not enough can be
said for the love, faith and support of my parents and brother. Across the thousands
of miles between us, they have given me comfort, optimism, trust. A special thanks
to my mother, without whose love, nothing is possible.
Thanks to Austin for all the experiences I have had here. My time here has
created memories that I will cherish all my life.
Shweta Prem Agrawal
The University of Texas at Austin
December 2007
Algebraic Attacks: A Survey
Shweta Prem Agrawal, M.A.
The University of Texas at Austin, 2007
Supervisor: Anna Gál
Algebraic attacks have recently acquired great importance in the area of cryptography, not only due to the ciphers they have been able to break, but more importantly, because the principle of algebraic attacks is very generic and can be applied to break large classes of ciphers. Several ciphers, previously considered secure and widely used in practice, were found to be potentially vulnerable to algebraic attacks.
In this survey, we examine algebraic attacks against both public and symmetric key ciphers. We discuss the Boolean functions used in the design of ciphers from the perspective of algebraic attacks, and consider the "cryptographic" complexity and explicit construction of these functions. We also briefly look at recently discovered methods of solving certain systems of multivariate polynomial equations, since algebraic attacks rely on being able to solve such systems of equations efficiently.
Contents
Acknowledgments . . . v
Abstract . . . vii
Chapter 1 Introduction . . . 1
1.1 Public key ciphers . . . 4
1.2 Symmetric key ciphers . . . 11
1.2.1 Block ciphers . . . 11
1.2.2 Stream ciphers . . . 17
Chapter 2 Cryptographic Complexity of Boolean Functions . . . 23
2.1 Important cryptographic properties of Boolean functions . . . 23
2.2 About the cryptographic complexity of Boolean functions . . . 34
Chapter 3 Algebraic attacks against symmetric key ciphers . . . 40
3.1 Algebraic attacks against stream ciphers . . . 40
3.1.1 Conventional attacks against stream ciphers . . . 40
3.1.2 Setup for algebraic attack . . . 41
3.1.3 The problem of cryptanalysis . . . 41
3.1.4 The attack . . . 41
3.2 Algebraic attacks against block ciphers . . . 43
3.2.1 Conventional methods of cryptanalysis against block ciphers . . . 43
3.2.2 How block ciphers resist conventional statistical attacks . . . 44
3.2.3 Algebraic attacks on block ciphers . . . 44
Chapter 4 Solving systems of multivariate equations . . . 47
4.1 The Quadratic Solvability problem . . . 47
4.2 Methods of solving systems of multivariate polynomial equations . . . 48
4.2.1 Linearization . . . 48
4.2.2 Relinearization . . . 49
4.2.3 XL algorithm . . . 50
4.2.4 XSL method . . . 51
4.2.5 Gröbner basis techniques . . . 52
4.2.6 SAT solvers . . . 53
4.2.7 "Gluing" Algorithm . . . 53
Chapter 5 Explicit Constructions of Boolean functions with Important Cryptographic Properties . . . 54
5.1 Algebraic construction . . . 54
5.2 Heuristic Design . . . 57
Chapter 6 Some open problems and concluding remarks . . . 62
Appendix A Useful Definitions . . . 66
A.1 Algebraic definitions . . . 66
A.2 Cryptographic definitions . . . 68
A.3 Fourier-Walsh Transforms . . . 70
Bibliography . . . 74
Vita . . . 93
Chapter 1
Introduction
The area of algebraic attacks has recently received a lot of attention in cryptographic
literature. As is well known, there are two main kinds of encryption: public key
encryption and symmetric key encryption. Algebraic attacks are relevant to both
kinds. The principle of algebraic attacks is to recover the secret key of the cipher
by solving a system of algebraic equations. We will make this more precise subsequently. Regardless of the type of cipher used, there are equations that can be
set up involving the plaintext bits, ciphertext bits and the key. In particular, you
can describe all encryption schemes, whether public key or symmetric key, as represented by the following simple relation: C = E(M, K), where C is the ciphertext, E
is the function describing how the ciphertext is obtained from the plaintext and key,
M is the plaintext and K is the secret key. Each ciphertext bit $c_i$, where $i = 1, \ldots, n$, is
obtained from the plaintext bits $x_1, \ldots, x_n$ and the key bits $k_1, k_2, \ldots, k_m$, considered as
input variables, by applying a function f, i.e. $c_i = f(x_1, \ldots, x_n, k_1, \ldots, k_m)$. Thus, we
can think of the encryption E as a set of functions with the plaintext and key bits
as variables. We will consider the case when these functions are polynomials. In
the case of Boolean functions, this can always be assumed. Often, the ciphertext C
and the polynomials representing the encryption are known publicly, specifically to
the attacker. The basis of security of such a setup is the hardness of the problem of
solving complex systems of multivariate polynomial equations. In fact, this problem
is NP-hard even for the case of quadratic polynomials, and is called the Multivariate
Quadratic (abbreviated as MQ) problem. We discuss this problem further in Chapter 4.
The hardness of MQ is an old and well known result [GJ79]; in fact in his
seminal paper in 1949 [Sha49], Shannon wrote that if we could show that breaking a
cipher requires at least as much work as "solving a system of simultaneous equations
in a large number of unknowns of a complex type", then we could think of it as a
good cipher.
Several cryptosystems, both public and symmetric key, have used the hardness of solving appropriately chosen systems of polynomial equations as a basis of
their security. For example, in public key ciphers, the public key can be a set of multivariate polynomials, say $P = \{p_i : i = 1, \ldots, m\}$, and the encryption C of an n-bit
message M is done by assigning the variables of the polynomials values corresponding to the bits of the message, i.e. $c_i = p_i(M)$. If the polynomials are publicly
known, and the ciphertext is also known (as is usually the case), the secrecy of the
encoded message relies on the hardness of computing $M = P^{-1}(C)$.
However, it recently became known that several ciphers that rely on the difficulty of the above-mentioned problem for encryption are vulnerable to what are
known as algebraic attacks. Algebraic attacks are those that recover the secret key
by solving a system of equations. As mentioned above, all ciphers can be represented by some system of multivariate polynomial equations. We could argue that
this should pose no threat, because as we noted, solving systems of multivariate polynomial equations is known to be NP-hard in general, even for the quadratic case. However,
the threat posed by algebraic attacks relies on the fact that not all systems of multivariate
quadratic equations are hard to solve; the hardness of solving such a system of
equations depends on the choice of equations.
It has been shown that most systems of equations produced by or used by
ciphers, are very far from random. Such systems of equations often have some algebraic structure or hidden properties that can be used to solve them efficiently.
Let’s make this notion more precise with some examples. In one of the early
instances of algebraic attacks, Kipnis and Shamir [KS99] exploit the structure of
the cipher to get an overdefined system of equations. By overdefined, we mean that
the number of equations is greater than the number of variables. For a long time,
the best known method to solve systems of multivariate polynomial equations was
by using Buchberger's algorithm for computing a Gröbner basis. Buchberger's algorithm has large exponential complexity and does not exploit the specific structure of
the system of equations. But in [KS99], Kipnis and Shamir introduced an algorithm
called "Relinearization" that uses the overdefinedness of the system of equations
to solve it very efficiently. Further improvements to this algorithm were discovered
later. Faster algorithms for computing Gröbner bases also became known and were used
for cryptanalysis of ciphers, e.g. the HFE cryptosystem [FJ03]. In 2002, Courtois
and Pieprzyk in [CP02] came up with another algorithm called "XSL" that exploits
the sparsity of the system of equations to solve it efficiently. By sparsity, we mean
that the number of monomials in the system of equations is very "small". We make
the notion of sparsity more precise later on.
To summarize, the way algebraic attacks work is that a system of equations
is first set up, involving the plaintext, ciphertext and key. This system of equations depends on the cipher under consideration. The attacker then looks for some
implicit structure in these equations that would make them easier to solve than
an arbitrary system of equations. After identifying the structure, the system of
equations is solved using methods such as Gröbner basis techniques, Linearization,
Relinearization, the XL algorithm and other techniques.
These new algorithms were used to attack well known ciphers like LILI-128
and Toyocrypt successfully [CM03]. Several ciphers, so far considered secure, suddenly became suspect to such attacks, including AES. The algebraic structure of the
AES was analyzed and it is suspected now that AES is not as secure as previously
believed [CP02].
The field of algebraic attacks became very important, not only because of
the specific ciphers that had been attacked, but also because the principle of these
attacks is very generic and can be used to design successful attacks against a variety
of ciphers, both symmetric and public key.
Algebraic attacks began to be studied extensively; in particular, the strength
of Boolean functions used in the design of ciphers began to be formally analyzed.
To better understand the strength/weakness of these functions and quantify their
resistance/vulnerability to algebraic attacks, various properties of the functions were
identified. Several such properties, like the algebraic degree, normality, nonlinearity,
algebraic thickness, algebraic immunity among others, have been defined to represent
the cryptographic complexity (different from computational complexity) of Boolean
functions. There has also been interest in the explicit construction of functions
possessing a "good combination" of these properties, that will make them provably
secure from algebraic attacks.
As mentioned previously, algebraic attacks are known against:
1. Public key ciphers
2. Symmetric key ciphers
(a) Block ciphers
(b) Stream ciphers
We briefly describe here the broad principles of each of these three types of
ciphers, the concept of an algebraic attack against each of them, and provide a brief
historical perspective on algebraic attacks against each of these three main types
of ciphers. We describe an algebraic attack against a public key cipher (the HFE
cipher) here and against block ciphers and stream ciphers later (in Chapter 3).
We list some standard mathematical definitions used in the text in the appendix.
1.1 Public key ciphers
For the sake of completeness, we briefly describe public key cryptography. Public
key cryptography is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while
the public key may be widely distributed. The keys are related mathematically,
but the private key cannot be practically derived from the public key. A message
encrypted with the public key can be decrypted only with the corresponding private
key.
As mentioned previously, public key cryptosystems are sometimes built based
on the difficulty of solving a system of multivariate quadratic equations.
One way in which this problem is used to design public key cryptosystems
is as follows: The public key comprises a set of multivariate quadratic polynomials in n variables, say $f_i(x_1, x_2, \ldots, x_n) \in F$ for $i \in [1 \ldots m]$. The encoding works
as follows: To encrypt an n-bit message $M = m_1 m_2 \ldots m_n$, each bit of the message
$m_i$ is assigned to a variable $x_i$ of the polynomials. The polynomials $f \in F$ are then
evaluated at the point $(m_1, \ldots, m_n)$ specified by the message M. Let $C = c_1, \ldots, c_m$ be the encoded
message; then $c_i = f_i(x_1, \ldots, x_n)$, i.e. $C = F(M)$.
The private key comprises some secret information, often called the trapdoor,
which makes the equations easy to invert; that is, with knowledge of the trapdoor,
the equations become efficiently solvable for any given ciphertext. In other words,
$M = F^{-1}(C)$ should be infeasible to compute without knowing the secret key or
trapdoor, and easy to compute with knowledge of the trapdoor. The main difference
between the various ciphers that are based on this concept is the manner in which they
encode this secret information in the publicly known polynomials.
We describe here a public key cipher known as the Hidden Field Equations cipher,
abbreviated as HFE.
Brief (and simplified) description of the basic HFE public key cryptosystem [Pat96]:
First we describe the basic construction of the HFE cryptosystem, along with
a brief overview of the main mathematical ideas used in the design of the cipher.
Subsequently we describe how the message and ciphertext are represented, how the
encryption and decryption are performed and what the private and public keys are.
The HFE cryptosystem consists of the following mathematical components:
1. A finite field K of cardinality $q = p^m$, where p is prime.
2. An extension of K of degree n, called $L_n$.
3. $\beta_{ij}$, $\alpha_i$ and $\mu_0$, elements of $L_n$.
4. $\theta_{ij}$, $\phi_{ij}$, $\xi_i$, integers.
5. Two affine bijections s and t such that $s, t : L_n \to L_n$.
6. $f : L_n \to L_n$, a function of the special form
$$f(x) = \sum_{i,j} \beta_{ij}\, x^{q^{\theta_{ij}} + q^{\phi_{ij}}} + \sum_i \alpha_i\, x^{q^{\xi_i}} + \mu_0.$$
An alternate function representation
Consider the function f introduced above. Let B be a basis of $L_n$, where $L_n$ is
viewed as a vector space over K.
Say $y = f(x)$, where $x, y \in L_n$. When $L_n$ is viewed as a vector space over K,
any element in $L_n$ (specifically x and y) can be represented as a linear combination
of the basis elements $b_i \in B$. So we obtain $x = \sum_{i=1}^{n} x_i b_i$ and $y = \sum_{i=1}^{n} y_i b_i$.
Note that $x^q = \left(\sum_{i=1}^{n} x_i b_i\right)^q = \sum_{i=1}^{n} x_i^q b_i^q = \sum_{i=1}^{n} x_i b_i^q$ (since K has $q = p^m$
elements and p is prime: raising to the q-th power is additive in characteristic p, and $x_i^q = x_i$ for $x_i \in K$), and thus $x^q$ will finally contain terms linear in $x_i$, $i = 1, \ldots, n$. Extending this argument, $x \mapsto x^{q^\delta}$ is linear in $x_i$, $i = 1, \ldots, n$, for any
integer δ. It follows that $x \mapsto x^{q^\theta + q^\phi}$ is quadratic in $x_i$, $i = 1, \ldots, n$, for integers
θ and φ. Hence, using
$$y = f(x) = \sum_{i=1}^{n} y_i b_i = \sum_{i,j} \beta_{ij}\, x^{q^{\theta_{ij}} + q^{\phi_{ij}}} + \sum_i \alpha_i\, x^{q^{\xi_i}} + \mu_0,$$
and equating coefficients of $b_i$, we can express each $y_i$, $i = 1, \ldots, n$, as a quadratic
polynomial in $(x_j)_{j=1}^{n}$. This set of n polynomials over the n variables $(x_j)_{j=1}^{n}$ constitutes a representation of the function f.
To complete the mathematical setup, we now only need the following theorem:
Theorem 1.1.1. [Pat96] Let $L_n$ be a finite field with $|L_n| = q^n$, with q and n "not
too large" (for example $q \le 64$ and $n \le 1024$). Let f(x) be a given polynomial in x
in the field $L_n$, with a degree d "not too large", for example $d \le 1024$. Let a be an
element of $L_n$. Then it is always possible (on a computer) to find all the roots of
the equation $f(x) = a$ efficiently.
Several known efficient algorithms for finding roots of polynomials over finite
fields are discussed in [Pat96], e.g. the Berlekamp-Rabin algorithm, the linearized
polynomial algorithm and the Berlekamp trace algorithm. Patarin also discusses variants of these algorithms that are useful in different cases, like when the degree d is very
small, when d is not too small, and when an asymptotically fast algorithm is needed.
These algorithms can be used for polynomial root finding depending on the specific
instance to be solved. As mentioned above, these algorithms are quite efficient:
the total expected time of the linearized polynomial algorithm, for example, is in
$O(d^3 n^2 + m^3 n^3 + d m^2 n^3)$, and the average expected time for the Berlekamp trace
algorithm is in $O(m n^3 d^2 + n^2 d^3)$. We do not discuss these algorithms further; the
interested reader is referred to [Pat96].
We now describe the construction of the cipher:
Message: The message M is represented by a string of n elements of K. So
$M = m_1 m_2 m_3 \ldots m_n$ where $m_i \in K$.
For our example described below, M is a 3-bit vector over $\mathbb{F}_2$.
Public key:
1. Field K ($\mathbb{F}_2$ in our example) and length n (for our example n = 3).
2. n polynomials in n variables over $L_n$. These polynomials are obtained by
representing the function $g : L_n \to L_n$, $g = t \circ f \circ s$, by n polynomials
in n variables using the alternative representation described in the previous subsection, where ◦ denotes function composition. Note here that since
s and t are of degree 1 and f is of degree 2 in any basis, the composition g of these functions will also be a quadratic function in the basis. Let
$p_1(x_1, x_2, \ldots, x_n), p_2(x_1, x_2, \ldots, x_n), \ldots, p_n(x_1, x_2, \ldots, x_n)$ represent these n polynomials in n unknowns.
3. A way to put redundancy into the message M. This redundancy is needed to
ensure one-to-one decryption. We will not elaborate on how this redundancy is
added.
Private key:
1. The function f described above, of degree d which is "not too large". In our
example, $f : \mathbb{F}_{2^3} \to \mathbb{F}_{2^3}$ with d = 5.
2. Two affine bijections s, t. For our example $s, t : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$.
Encryption:
The message M is encrypted by setting the variables $x_1, x_2, \ldots, x_n$ of the polynomials $p_1, p_2, \ldots, p_n$ to the values specified by the message M. More formally, set $x_1 =
m_1, x_2 = m_2, \ldots, x_n = m_n$ and evaluate $p_1(m_1, m_2, \ldots, m_n), p_2(m_1, m_2, \ldots, m_n), \ldots, p_n(m_1, m_2, \ldots, m_n)$.
Let y denote the ciphertext. Because of the way we constructed $p_1, \ldots, p_n$, we have
$y = t(f(s(m)))$.
Decryption:
Since the encryption is $y = t(f(s(m)))$, the decryption proceeds as $m = s^{-1} f^{-1} t^{-1}(y)$.
s, t, f are known, specifically f is known in its univariate form. Theorem 1.1.1
implies that this can be carried out efficiently.
Example:
We demonstrate the representation of a function f having the special form mentioned above by n polynomials in n unknowns. Note that in the actual construction
of the HFE cipher, the published n polynomials in n variables actually represent
$g = t \circ f \circ s$.
Consider $a \in \mathbb{F}_{2^3}$. The extension field $\mathbb{F}_{2^3}$ can be represented by $\mathbb{F}_2[x]/(1 + x^2 + x^3)$,
because $1 + x^2 + x^3$ is an irreducible polynomial. We view $\mathbb{F}_{2^3}$ as a vector space
of dimension 3 over $\mathbb{F}_2$. Consider the basis vectors of this space as $1, x, x^2$. Suppose
$a = a_2 x^2 + a_1 x + a_0$.
Consider a function $f(a) = a + a^3 + a^5$. Let $v = f(a)$. Since $v \in \mathbb{F}_{2^3}$, $v = v_2 x^2 + v_1 x + v_0$. So we have
$$v = f(a) = a + a^3 + a^5 = (a_2 x^2 + a_1 x + a_0) + (a_2 x^2 + a_1 x + a_0)^3 + (a_2 x^2 + a_1 x + a_0)^5 \bmod (x^3 + x^2 + 1)$$
$$= (a_2 + a_2 a_1 + a_2 a_0 + a_1)\, x^2 + (a_2 a_1 + a_1 a_0 + a_2)\, x + (a_0 + a_2 + a_1 a_0 + a_2 a_0).$$
Thus we get 3 quadratic equations in 3 unknowns:
$v_2 = a_2 + a_2 a_1 + a_2 a_0 + a_1 = p_1(a_0, a_1, a_2)$
$v_1 = a_2 a_1 + a_1 a_0 + a_2 = p_2(a_0, a_1, a_2)$
$v_0 = a_0 + a_2 + a_1 a_0 + a_2 a_0 = p_3(a_0, a_1, a_2)$
In general, we have n quadratic equations in n unknowns $v_i = p_i(x_1, \ldots, x_n)$,
$i = 1, \ldots, n$. As mentioned earlier, this problem is known to be NP-hard to solve in
general.
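The alternate representation of f and the worked example above can be checked mechanically. The following Python program is an added illustration, not code from the thesis, and its function names are this example's own: it implements $\mathbb{F}_{2^3} = \mathbb{F}_2[x]/(x^3 + x^2 + 1)$ on 3-bit integers, evaluates $f(a) = a + a^3 + a^5$ both as the private univariate polynomial and through the public quadratics $p_1, p_2, p_3$ derived above, confirms that the two agree on all eight field elements, and inverts f the way the key holder does. Because the field has only eight elements, exhaustive search over them stands in for the root-finding algorithms of Theorem 1.1.1 that a real HFE instance relies on.

```python
"""Toy HFE instance over GF(2^3) (added example; not code from the thesis).

Field: F_2[x]/(x^3 + x^2 + 1).  An element a = a2*x^2 + a1*x + a0 is stored as
the integer with bit i equal to a_i, so x is 0b010 and x^2 is 0b100.
Private view: the univariate f(a) = a + a^3 + a^5 of degree d = 5.
Public view:  the three quadratic polynomials p1, p2, p3 derived in the text.
"""

MODULUS = 0b1101  # x^3 + x^2 + 1, irreducible over F_2


def gf8_mul(a, b):
    """Multiply two elements of GF(2^3); reduce with x^3 = x^2 + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:      # degree reached 3: subtract the modulus
            a ^= MODULUS
    return r


def gf8_pow(a, e):
    """a^e by repeated multiplication (e is tiny here)."""
    r = 1
    for _ in range(e):
        r = gf8_mul(r, a)
    return r


def hfe_f(a):
    """Private univariate form: f(a) = a + a^3 + a^5 (addition in GF(2^3) is XOR)."""
    return a ^ gf8_pow(a, 3) ^ gf8_pow(a, 5)


def hfe_public(a):
    """Public form: p1, p2, p3 from the text, evaluated on the bits (a0, a1, a2) of a."""
    a0, a1, a2 = a & 1, (a >> 1) & 1, (a >> 2) & 1
    v2 = a2 ^ (a2 & a1) ^ (a2 & a0) ^ a1        # p1(a0, a1, a2)
    v1 = (a2 & a1) ^ (a1 & a0) ^ a2             # p2(a0, a1, a2)
    v0 = a0 ^ a2 ^ (a1 & a0) ^ (a2 & a0)        # p3(a0, a1, a2)
    return (v2 << 2) | (v1 << 1) | v0


def representations_agree():
    """The univariate and the multivariate descriptions define the same map."""
    return all(hfe_f(a) == hfe_public(a) for a in range(8))


def invert_with_trapdoor(v):
    """Legitimate decryption step: all roots a of f(a) = v.
    A real instance would use the root-finding algorithms of Theorem 1.1.1;
    with only 8 field elements, exhaustive search stands in for them."""
    return [a for a in range(8) if hfe_f(a) == v]


def is_permutation():
    """Whether this particular f maps GF(2^3) onto itself one-to-one."""
    return sorted(hfe_f(a) for a in range(8)) == list(range(8))


if __name__ == "__main__":
    print("representations agree:", representations_agree())
    print("f is a permutation:   ", is_permutation())
    for a in range(8):
        v = hfe_f(a)
        print(f"a={a:03b}  f(a)={v:03b}  public={hfe_public(a):03b}  roots of f(a)=v: {invert_with_trapdoor(v)}")
```

Running it also shows that this toy f happens to be a permutation of the field, so every ciphertext has exactly one preimage; in general an HFE f need not be one-to-one, which is why the public key carries the redundancy mentioned above.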
Difficulty of decryption when private key is not known: The difficulty of
decryption relies on the well known difficulty of solving a system of multivariate
quadratic equations.
Efficiency of decryption when private key is known: The only hindrance in
computing $s^{-1} f^{-1} t^{-1}(y)$ is in computing $f^{-1}$. The key to the efficiency of decryption is Theorem 1.1.1.
The algebraic attack: In general the algebraic attack seeks to determine
some structure in the system of equations that makes them much easier to solve
than random equations of the same size. Patarin's HFE cryptosystem was broken
by Kipnis and Shamir in [KS99]. The attack works by exploiting the fact that any
given system of n multivariate polynomial equations in n variables over a field G can
be represented by a single univariate polynomial of a special form over H, which is
an extension field of degree n over G. The authors translate the problem of solving n
quadratic equations in n unknowns over a small field G into the problem of solving a
very overdefined system of $\epsilon m^2$ quadratic equations in m variables over a large field
H, where m is a small multiple of n and ε is a small constant. They also introduce
a new algorithm called "Relinearization" (described in detail in a later section) which
is expected to solve random systems of equations of this form in polynomial time
for fixed ε.
Patarin's HFE cryptosystem was broken independently by Faugère and Joux in
[FJ03]. They exploited the observation that equations in the HFE system were
"simpler" than arbitrary equations of the same size. As explained by the authors,
the structure of equations in an instance of HFE implies a relatively small upper
bound on the degree of the intermediate polynomials which occur during computation of the Gröbner basis. They prove that this bound depends on the degree of
the secret function f but does not depend on the size of the field $\mathbb{F}_{2^n}$. On the other
hand, with random systems of equations, the degree of these intermediate polynomials strongly depends on n. By exploiting this structure and using a fast algorithm
to compute Gröbner bases, the authors are able to crack the HFE cryptosystem.
Brief Historical perspective:
One of the early examples of the deployment of the MQ (solving a complex system of
multivariate quadratic equations) problem in building public key ciphers was in the
design of a cryptosystem in 1988, by Matsumoto and Imai [MI88]. They designed
a public key cryptosystem called $C^*$, in which the public key is as described earlier,
an n-tuple of quadratic n-variate polynomials over $\mathbb{F}_{2^m}$, say F. An n-bit message
M is encrypted by evaluating F on M. In 1995, J. Patarin [Pat95] proved that the
algorithm described by [MI88] is insecure and described one of the earliest algebraic
attacks. Shortly after, Patarin proposed to repair this cryptosystem and devised the
HFE (hidden field equations) cryptosystem in [Pat96]. The HFE cryptosystem was
also based on the difficulty of solving a system of multivariate quadratic equations
over a finite field, and it was expected that breaking HFE would require exponential complexity. HFE was the second attempt to design a cryptosystem based on
the hardness of quadratic solvability after [MI88]. The HFE system was carefully
designed to avoid the weaknesses of the Matsumoto-Imai cryptosystem, and many
variants of the HFE cryptosystem were also proposed. However in [KS99], Kipnis
and Shamir were able to break this scheme using the "Relinearization" technique.
Also, in [FJ03], Faugère and Joux were able to break HFE cryptosystems using fast
algorithms for computing Gröbner bases. Other papers related to attacks on HFE
are [Cou04b, Cou01, JDH07]. Recently, methods have been proposed to modify the
scheme to avoid known attacks [ACDG03].
Another early example of a multivariate signature scheme was developed by
Ong, Schnorr and Shamir in [OSS84] in 1984. But this system was broken by Pollard and Schnorr in [PS87]. Fell and Diffie published another multivariate scheme
in [FD85] but observed it was insecure for any practical key size.
Shamir proposed two multivariate schemes in [Sha93], but Coppersmith,
Stern and Vaudenay broke them in [CSV97]. Patarin came up with several new
types of trapdoors, the simplest among which was the Oil and Vinegar signature
scheme [Pat97], which was broken by Kipnis and Shamir [KS98].
Algebraic attacks on public key cryptosystems based on "braid groups" (certain
special groups in algebra) are discussed in [LP03, Hug02]. In [Hug02], the author
employs the "Burau matrix representation" of the braid group and techniques from
computational linear algebra to provide evidence that at least certain classes of keys
are weak. Cryptanalysis of public key ciphers based on polynomial reconstruction
is discussed in [Cor04].
1.2 Symmetric key ciphers
1.2.1 Block ciphers
Informally, block ciphers can be described as follows: A block cipher is a type of
symmetric-key encryption algorithm that transforms a fixed-length block of plaintext data into a block of ciphertext data of the same length. This transformation
takes place under the action of a user-provided secret key. Decryption is performed
by applying the reverse transformation to the ciphertext block using the same secret key. The fixed length is called the block size. More precisely, as described by
Wagner in [Wag04], a block cipher is a map $E : K \times M \to M$ (where as usual, M
is the message space, K the key space and E the encryption transformation) so that $E_k$
is invertible for all keys $k \in K$, and both $E_k$ and $E_k^{-1}$ can be efficiently computed.
A block cipher is "secure" if it behaves as a pseudo-random permutation: no efficient algorithm A given interactive access to encryption and decryption black boxes
should be able to distinguish the real cipher, i.e. $E_k$ and $E_k^{-1}$, from a truly random
permutation (i.e. π and $\pi^{-1}$, where π is uniformly distributed on the set of all
permutations on M) [Wag04]. An attack which distinguishes the cipher from a random permutation is called a "distinguishing attack". Usually, once a distinguishing
attack is found, one can recover the secret key.
In this section, we will describe the broad construction of a block cipher.
Before we do that however, we briefly review Shannon’s principles of confusion and
diffusion. These principles, stated more than 50 years ago, are still considered very
relevant. These principles are still taken into account in the design of ciphers today.
We will see examples of this in later sections. Confusion and diffusion can be briefly
explained as follows [Car06a]:
1. Confusion: Confusion aims at concealing any algebraic structure in the system.
In his book "Cryptography: Fundamentals and Applications", Massey interprets confusion as "the ciphertext statistics should depend on the plaintext
statistics in a manner too complicated to be exploited by the cryptanalyst".
2. Diffusion: Diffusion consists of spreading out the influence of any minor modification of the input data or of the key over all outputs.
Most block ciphers are constructed by repeatedly applying a simple function
to the input. This approach is known as iterated block cipher. Each iteration is
termed a round, and the repeated function is termed the round function. More precisely, most block ciphers are product ciphers: the cipher is built as the composition
of individual round transformations. We choose a round function $f : M \to M$,
compute a sequence of round keys $k_1, k_2, \ldots, k_n$ as a function of the key k, and set
$E_k = f_{k_n} \circ \cdots \circ f_{k_1}$. The function f computes one round of the cipher [Wag04].
Each round typically consists of possibly multiple S-boxes or "substitution
boxes" that are connected by key dependent linear transformations. S-boxes or
substitution boxes are used to obscure the relationship between the plaintext and
the ciphertext. In general, an S-box takes some number of input bits and transforms
them into some number (possibly different) of output bits. (Note that the block length
of the cipher still remains the same. Even if S-boxes change the size of the block,
there are other operations performed that counter the size change.) The S-boxes
typically provide "confusion" to the cipher, and the linear transformations provide
the "diffusion". Product ciphers typically repeat a substitution layer and a linear
transformation sufficiently many times in the hope of obtaining a strong cipher.
The traditional methods of cryptanalysis of block ciphers are linear and differential cryptanalysis, which are based on probabilistic characteristics. This makes
the security of the cipher grow exponentially with the number of rounds. For example,
differential cryptanalysis is based on the study of how differences in input reflect
as differences in output. The attacker typically tries, given a difference in input,
to trace the difference in output of each round through the multiple rounds of the
cipher, and hopes to measure non-random behavior at the output, which helps attack the cipher. Linear attacks, discussed in more detail later, are also based on
this ”statistical” approach: the attacker tries to construct probabilistic characteristics through as many rounds of the cipher as possible, in order to distinguish the
cipher from a random permutation [Cid04]. Recent block ciphers, like the AES for
example, were carefully designed to resist such probabilistic attacks.
However, algebraic attacks focus on writing systems of algebraic equations
that completely describe the block cipher, and then using newly discovered algorithms to solve this system and recover the plaintext. More explicitly, the specific
structure of the S-box in the AES, for example, permits finding a small set of polynomial equations in the input and output bits that completely define the S-box.
By combining the equations written for the various S-boxes, the attacker can write a
system of equations that completely describes the whole block cipher, and then try
to somehow solve this system.
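The statement above about the AES S-box, and the overdefined, sparse description of the Rijndael S-box from [CP02] discussed in the historical perspective below, can be checked directly. The Python program that follows is an added example, not code from the thesis or from [CP02], and its function names are hypothetical: it rebuilds the Rijndael S-box from its public definition (inversion in $\mathbb{F}_{2^8}$ modulo $x^8 + x^4 + x^3 + x + 1$, followed by the fixed affine map over $\mathbb{F}_2$), evaluates every monomial of degree at most two in the 8 input and 8 output bits on all 256 input/output pairs, and reads off the number of linearly independent quadratic equations satisfied by every pair as the dimension of the null space of that evaluation matrix, i.e. the number of monomials minus its rank over $\mathbb{F}_2$. Two monomial sets are tried: the bi-affine one (1, $x_i$, $y_j$, $x_i y_j$) and the full quadratic one (which adds $x_i x_j$ and $y_i y_j$).

```python
"""Count the quadratic equations an S-box satisfies (added example; not from the thesis).

An n-bit S-box y = S(x) is sampled at all 2^n inputs.  Each sample fixes the value of
every monomial of degree <= 2 in the 2n input/output bits.  A polynomial built from
those monomials vanishes on the whole S-box exactly when its coefficient vector lies
in the null space of the 2^n x t evaluation matrix, so the number of independent
equations is t minus the rank of that matrix over GF(2).
"""
from itertools import combinations
import random

RIJNDAEL_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= RIJNDAEL_POLY
    return r


def gf256_inv(a):
    """Multiplicative inverse, with 0 mapped to 0 as in Rijndael."""
    if a == 0:
        return 0
    return next(z for z in range(1, 256) if gf256_mul(a, z) == 1)


def rijndael_sbox():
    """Inversion in GF(2^8) followed by Rijndael's fixed GF(2)-affine map."""
    def rotl(v, k):
        return ((v << k) | (v >> (8 - k))) & 0xFF
    table = []
    for x in range(256):
        z = gf256_inv(x)
        table.append(z ^ rotl(z, 1) ^ rotl(z, 2) ^ rotl(z, 3) ^ rotl(z, 4) ^ 0x63)
    return table


def monomials(n, biaffine):
    """Monomials as tuples of variable indices; 0..n-1 are input bits, n..2n-1 output bits.
    biaffine=True keeps 1, x_i, y_j, x_i*y_j; biaffine=False keeps all monomials of degree <= 2."""
    mons = [()] + [(i,) for i in range(2 * n)]
    for i, j in combinations(range(2 * n), 2):
        if not biaffine or (i < n <= j):
            mons.append((i, j))
    return mons


def gf2_rank(rows):
    """Rank over GF(2) of rows given as integer bitmasks (reduced xor basis)."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)   # clears the pivot (highest) bit of b from r if set
        if r:
            basis.append(r)
    return len(basis)


def count_quadratic_equations(sbox, n, biaffine=False):
    """Return (number of independent equations holding on all 2^n samples, number of monomials)."""
    mons = monomials(n, biaffine)
    rows = []
    for x in range(1 << n):
        bits = [(x >> i) & 1 for i in range(n)] + [(sbox[x] >> j) & 1 for j in range(n)]
        row = 0
        for col, m in enumerate(mons):
            if all(bits[v] for v in m):   # empty product: the constant monomial 1
                row |= 1 << col
        rows.append(row)
    return len(mons) - gf2_rank(rows), len(mons)


def rijndael_counts():
    """(bi-affine equations, bi-affine monomials, quadratic equations, quadratic monomials)."""
    s = rijndael_sbox()
    r1, t1 = count_quadratic_equations(s, 8, biaffine=True)
    r2, t2 = count_quadratic_equations(s, 8, biaffine=False)
    return r1, t1, r2, t2


if __name__ == "__main__":
    r1, t1, r2, t2 = rijndael_counts()
    print(f"Rijndael S-box: {r1} bi-affine equations over {t1} monomials, "
          f"{r2} quadratic equations over {t2} monomials")
    rnd = list(range(256))
    random.Random(2007).shuffle(rnd)            # constructed comparison: a structureless 8-bit S-box
    r, t = count_quadratic_equations(rnd, 8)
    print(f"random 8-bit permutation: {r} quadratic equations over {t} monomials")
```

With 256 sample points and only 137 monomials, a structureless S-box is expected to satisfy no quadratic equation at all, whereas the counts printed for Rijndael (23 bi-affine equations over 81 monomials, 39 quadratic equations over 137 monomials) are the figures reported in [CP02]; that gap is what the overdefined description rests on. The routine accepts any n-bit S-box table, so a designer can run it over a candidate S-box to see how many unintended low-degree relations it carries.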
Brief historical perspective:
Because of its importance and exciting history we discuss AES separately:
Advanced Encryption Standard (AES):
The security of the AES (Rijndael) has received a lot of attention in cryptographic literature. Researchers have studied the potential of algebraic attacks against AES (Rijndael)
in a number of recent papers. According to Rijndael's designers, Daemen and Rijmen, Rijndael was intentionally constructed in such a way that all its components
are derived from simple algebraic functions with well studied properties [DR00].
This was motivated by the desire to be able to analyze and prove important security aspects of Rijndael. But this simple algebraic structure makes AES potentially
vulnerable to algebraic attacks.
In [CP02], the authors showed that the S-boxes of both Serpent and Rijndael can be described by an overdefined system of algebraic equations (recall that overdefined means that the number of equations is greater than the number of unknowns). They also introduced a new algorithm called XSL, which uses the sparsity ('small' number of monomials in the equations) and the specific structure of the equations to solve them. The complexity of XSL was not clearly understood, but the authors claimed that their "optimistic" evaluations showed that this attack might be able to break Serpent and Rijndael. These were significant claims; Rijndael was the currently proposed AES (by NIST), and Serpent had been a finalist for the same Advanced Encryption Standard. But whether these estimates for XSL are valid remains an interesting open question. A great deal of controversy erupted over the correctness of the arguments in the original XSL paper [CP02]. In [MR02], the authors made estimates about the use of the XSL algorithm to break AES and claimed substantial improvements over the complexity of the brute force approach. In [MR03], Robshaw and Murphy said that they did not believe that the XSL estimates had the accuracy required to substantiate claims of breaking AES. Some other cryptographers expressed disagreement with the claims made about the XSL algorithm. The cryptographer T. Moh wrote an article [Moh02] claiming that the XSL attack is infeasible (Courtois disagrees, saying no one has proved that it is infeasible [Cou]). Don Coppersmith, noted cryptographer and mathematician (winner of the RSA Security Award for Mathematics in 2002), said [Cop]: "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael... The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." One of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream" [Cou]. The community at large still has to come to a conclusion about this.
The attack cannot be easily implemented and tested because of its great complexity. Schneier observed in his Crypto-Gram newsletter on the web [Sch] that "we are not yet in an age where the attack can be tested. So, we seem to be secure from these attacks now. However if these attacks do work, we will not know until it is too late".
In [FIL03], Filiol claimed to break AES and recover some key bits, a spectacular result. But in [CJJ+03], the authors claimed that this attack was incorrect.
To better understand the strength or weakness of the AES with respect to algebraic attacks, the algebraic structure of AES has been extensively studied. The hope is that understanding the structure of the AES will help in exploiting this structure to solve the systems of equations that describe AES. Several papers discuss the algebraic structure of the AES.
In 2002, a paper by Fuller and Millan [FM02] showed that all the outputs of AES's 8 × 8-bit S-box are equivalent under affine transformations, so that the 8 × 8 S-box can be considered an 8 × 1-bit S-box. Since the S-box is the only source of nonlinearity in the AES, and hence the only component that provides confusion to the cipher, evidence that the S-box is not as strong as was believed has increased concerns about the security of AES. Another paper by Filiol [Fil02] claimed to have detected some biases in the Boolean functions of AES, which could possibly be used to break AES. Observations such as these suggest that the AES can be completely described by a system of equations that is much simpler than expected, which has implications for the resistance of the AES to algebraic attacks. Such weaknesses may also lead to other attacks against AES.
In [MR02], the authors discussed the difficulty in understanding the algebraic properties of AES, because operations in AES exist over two different fields, $\mathbb{F}_2$ and $\mathbb{F}_{2^8}$. While it is easy to define all the operations of the cipher in terms of operations over $\mathbb{F}_2$, the resulting expressions quickly become messy and hard to analyze. The authors, Murphy and Robshaw, created a cipher called BES (Big Encryption Standard), with the advantage that all the operations in BES are entirely described using very simple operations in $\mathbb{F}_{2^8}$. The properties of BES are closely related to the properties of the AES, since the BES is basically a generalization of the AES. By recasting the AES in this way the authors highlight some important structural features of the AES. Other papers that explore the structure of the AES include [MR00, CMR04]. In [MR00], the authors summarized some observations on Rijndael and presented an alternative view of the structure of Rijndael. In [CMR04], Cid, Murphy and Robshaw considered a number of aspects of the AES, and examined a few computational and algebraic aspects that could be used in the cryptanalysis of the cipher. They discussed how to express the cipher as a very large but simple system of multivariate quadratic equations over the finite field $\mathbb{F}_{2^8}$, and considered approaches to solving the system. Murphy, Cid and Robshaw even wrote a book on the algebraic aspects of the AES [CMR06].
Other block ciphers:
Algebraic attacks on block ciphers besides AES have been explored in the following:
In [BC03], Biryukov and De Cannière compare systems of multivariate polynomials which completely define some popular block ciphers, in view of the potential danger of the algebraic re-linearization attack.
In [Cou04c], Courtois surveys the attacks that exploit various types of multivariate algebraic relations. He derives new, very general design criteria to avoid the existence, if possible, of "too simple" algebraic relations.
The resistance of S-boxes to algebraic attacks has been further discussed in [CL04, CDG05].
Recent developments:
Many interesting open questions remain about the security of block ciphers against algebraic attacks. This is currently an active area of research. Recently, there have been some important results in this area.
In [Cou07b], Courtois proposed a new toy cipher called the "Courtois toy cipher" (CTC) and followed it up with CTC2 [Cou07a]. For large enough parameters these ciphers are very similar to practical block ciphers. Courtois encourages people to try to break these ciphers (he can break 6 rounds of CTC and up to 10 rounds of CTC2), and believes that attacks against these ciphers can lead easily enough to attacks on real ciphers.
In [BPW05], the authors analyze some well-known ciphers that are sound against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, they present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. They are also able to construct Gröbner bases for some ciphers with small computational effort, which reduces the breaking of the cipher to a Gröbner basis conversion problem. They are also able to bound the running time of an algorithm that implements this conversion.
In an important paper [CB06], the authors discuss an algebraic attack against the Data Encryption Standard (DES). DES has been a popular cipher, and though NIST replaced it by AES, DES cannot be considered obsolete and triple-DES is still widely used, especially in the financial sector [CB06]. In this paper the authors claim: "we finally show that practical algebraic attacks are in fact possible for reduced-round versions of DES. This is the first known example of a working algebraic attack on up to 10 rounds of a real-life industrial block cipher. The attack requires only one single known plaintext (instead of a very large quantity). This is an unprecedented thing that has no equivalent in any cryptographic attack ever done." They also claim that "though (on a PC) we recover the key for only six rounds, in a weaker sense we can break 12 full rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. Thus, if DES is susceptible to this kind of algebraic cryptanalysis, then probably nearly any other cipher is, and some may be substantially weaker."
Recently, a block cipher called KeeLoq, used in wireless devices that unlock doors in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc., was broken by Courtois and Bard in [CB07]. This attack is very significant because for the first time in history, a full-round real-life block cipher has been broken by an algebraic attack. Moreover, they claim that their attacks are easy to implement, have been tested experimentally, and the full key can be recovered in practice on a PC.
Recently, Nicolas Courtois has even created a web page that allows people to bet on cryptographic algorithms with real money.
1.2.2 Stream ciphers
Stream ciphers are ciphers which encrypt plaintext bits one at a time, using an encryption function which changes over time. Stream ciphers are based on the Vernam cipher (one-time pad). In the Vernam cipher, the plaintext, which is a binary string of some length, is bitwise added to a binary secret key of the same length in order to produce the ciphertext. The Vernam cipher is the only cipher that guarantees unconditional security if the key is truly random and a brand new key is used for every new encryption. However, it is impractical to produce a new truly random key per encryption. So in practice, in stream ciphers, a small random key is used to produce a long pseudo-random sequence (by some method) and this pseudo-random sequence is combined with the plaintext in some way to produce the ciphertext. What is shared between users now is not the entire sequence that is used for encryption but the short, secret, truly random key along with the method used to generate the pseudo-random sequence. This pseudo-random sequence is generated by a finite state automaton with a secret state initialized by the private key. The i-th keystream digit only depends on the secret key and the previous (i−1) plaintext digits. Then the i-th ciphertext digit is obtained by combining the i-th plaintext digit with the i-th keystream digit. If the attacker can somehow guess the keystream, he can break the cipher.
We briefly discuss here one particular method of generating the pseudo-random sequence, linear feedback shift registers, because of their popularity.
Linear Feedback Shift Registers: Linear feedback shift registers (LFSRs) are sometimes used to generate the long pseudo-random sequence from the short key. Note that unconditional security is no longer guaranteed. An LFSR works loosely as follows: Consider a register of length L. This register is initialized in some secret way (determined by the short random secret key described above). After initialization, the contents of the register are updated every clock cycle, typically by "shifting" the contents of the register right by one bit, causing one bit to "fall out" of the register at the extreme right, this being the output bit, while the leftmost bit of the register becomes a linear function of the current contents of the register. This linear function which is used to update the state of the LFSR (or whichever finite state automaton is used) is called the transition function.
More formally, as defined in [MvOV97], a linear feedback shift register (LFSR) of length L consists of L stages (also called delay elements) numbered 0, 1, ..., L − 1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:
1. The content of stage 0 is output and forms part of the output sequence.
2. The content of stage i is moved to stage i − 1 for each i, 1 ≤ i ≤ L − 1.
3. The new content of stage L − 1 is the feedback bit $s_j$, which is calculated by adding together modulo 2 the previous contents of a fixed subset of the stages 0, 1, ..., L − 1.
The number of stages in an LFSR is called its length.
An LFSR is said to generate a finite sequence $s^n = s_0 s_1 s_2 \ldots s_{n-1}$ if there is some initial state of the LFSR for which the output sequence of the LFSR has $s^n$ as its first n terms [MvOV97]. The linear complexity of a finite binary sequence $s^n$ is the length of the shortest LFSR that generates a sequence having $s^n$ as its first n terms [MvOV97].
There is a well known algorithm, called the Berlekamp-Massey algorithm, that can be used to "break" LFSRs. The Berlekamp-Massey algorithm provides a way to efficiently determine the linear complexity of a finite sequence and to determine the shortest LFSR capable of generating the given sequence [MvOV97]. If the linear complexity of a sequence (or the length of the shortest LFSR generating the sequence) is L, then knowing 2L consecutive bits enables the Berlekamp-Massey algorithm to recover the value of L, the initialization of the LFSR and the linear transition function.
Figure 1.1: Filtering function (figure omitted: the LFSR stages $S_0, \ldots, S_{L-1}$, with bits $x_1, \ldots, x_n$ taken from some stages and fed to the filtering function $f(x_1, x_2, \ldots, x_n)$, whose value is the output)
To avoid attacks by the Berlekamp-Massey algorithm, modern ciphers use LFSRs in conjunction with filtering or combining functions. These functions combine the outputs of several LFSRs, or several bits from one LFSR, to produce a keystream sequence which, if the functions are well chosen, has high linear complexity.
Filtering function [Car06a]:
A filtering function is a way to use Boolean functions to avoid attack by the Berlekamp-Massey algorithm. An LFSR with a filtering function, called a filtered LFSR, does not output the bit contained in the rightmost register of the LFSR but outputs $f(x_1, \ldots, x_n)$, where f is the n-variable filtering function and $x_1, \ldots, x_n$ are bits contained in some registers of the LFSR.
Combining function [Car06a]:
Combining functions are typically nonlinear functions that combine the output of several LFSRs so as to add confusion to the system. The way that a combining function works is illustrated in the figure below.
Note that though the purpose of the filtering function and the combining function is the same, the attacks conducted on the two functions are different, hence the properties that a function needs to satisfy in these two roles are often different. Also note that the transition function and the filtering/combining function are usually public and only the initialization of the finite state automaton is private.
Figure 1.2: Combining function (figure omitted: LFSRs $S_1, S_2, S_3$, initialized by keys $k_1, k_2, k_3$, feed the combining function f, whose output is the KEYSTREAM; the keystream is combined with the PLAINTEXT to give the CIPHERTEXT)
A combiner is a specific construction of the keystream generator. A (k, l)-combiner consists of k parallel LFSRs, and the nonlinear filtering is done via an automaton with k input bits and l memory bits [AK03].
Brief historical perspective:
Traditionally known attacks against stream ciphers include the inversion attack
[Gol96], the conditional correlation attack [And94] and the fast correlation attack
[MS89a]. Various types of correlation attacks work by identifying a correlation between specific output bits and a subset of the input bits. If the combining function
can be well approximated by linear functions, it is easier to find statistical dependence between the output sequence and a subset of the input bits. In order to resist
such attacks, many authors focused on proposing combining functions that will have
no good linear approximations.
Algebraic attacks against stream ciphers were first discussed by Courtois in [Cou02]. In the attack discussed in this paper, the nonlinear combining function is approximated by another function of low degree (notice that this function is nonlinear) and Courtois was able to reduce breaking the cipher to solving an overdefined system of quadratic equations. He was also able to adapt the XL algorithm to solve this system of equations and successfully break the cipher Toyocrypt. This paper "generalized" the danger of using functions with linear approximations to the danger of using functions with nonlinear but low degree approximations. In [CM03], the authors showed that algebraic attacks on stream ciphers will apply even if there is no good low degree approximation to the combining function. They showed how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. This enabled them to substantially speed up the cryptanalysis of the cipher Toyocrypt. In the same paper, the authors described a new general algebraic attack that breaks stream ciphers satisfying all previously known design criteria far more efficiently than was previously known (in at most the square root of the complexity of the previously known generic attack).
Many subsequent papers investigated algebraic attacks on stream ciphers. In [MPC04], the authors streamlined the ideas developed behind these attacks, reducing and simplifying the various scenarios which had been considered so far. In [Bat04], Batten generalized the theory that had been built around the Boolean function case to arbitrary finite fields. In particular, properties of Boolean functions were identified to quantify their resilience to such attacks. One such property, the algebraic immunity (discussed at length in Chapter 2), received significant attention. In [ACG+06, DT06], the authors proposed methods to efficiently compute the algebraic immunity of a function. In [LQ06], the authors constructed and counted Boolean functions of an odd number of variables with maximum algebraic immunity. In [LfQ05, BP05], the authors discussed special "symmetric" (defined later) Boolean functions with respect to their algebraic immunity. In [CL06], the authors gave some lower bounds on the algebraic immunity of Boolean functions. In [Ars05], the algebraic immunity of functions over finite fields was explored, its properties were studied, and some bounds related to it were given. Other papers that have explored bounds on algebraic immunity are [NGG06, DGM04]. Construction of Boolean functions with maximum algebraic immunity has been discussed in [DMS06, AK06].
Algebraic attacks and "fast" algebraic attacks are further explored in [AA05, HR04, DGM06, Arm04, Cou03, Cou04a, AK03, FA03]. In [AK03], the authors analyzed the keystream generator from the Bluetooth standard E0 and showed how the secret key can be recovered by solving a system of linear equations with a large number of unknowns. They also extended the use of algebraic attacks to combiners with memory and provided an algorithm to construct low degree (say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream.
Chapter 2
Cryptographic Complexity of Boolean Functions
2.1 Important cryptographic properties of Boolean functions
In order to understand how Boolean functions could resist algebraic attacks, some
properties were identified that quantify the resistance of a given Boolean function to
algebraic attacks. These properties indicate the cryptographic complexity of Boolean
functions. Some such properties are:
1. Balancedness
2. Algebraic degree
3. Nonlinearity
4. Correlation immunity
5. Algebraic thickness
6. Algebraic immunity
7. Non-normality
8. Strict Avalanche Criteria and Global Avalanche Characteristics
We describe each of the above-mentioned properties below. Before we do
that however, we make a small digression to discuss affine invariance and its significance because as we shall see, affine invariance is an important consideration in
almost every property we consider.
Significance of affine invariance: In cryptography, a function is considered weak if it can be turned into a cryptographically weak function by means of a simple transformation, e.g. an affine transformation. This is because an algebraic attack which may be infeasible on a Boolean function f may be trivial on an affine equivalent of f, say g, and an attack on g can easily be transformed into an attack on the original function f. To illustrate this, we consider an extreme example from [MS89b]. Let us consider the number of monomials of a function as a desirable property of the function, i.e., a function with more monomials is stronger. To demonstrate that this is unsatisfactory, consider the Boolean function $f(x_1, x_2, \ldots, x_n)$ whose algebraic normal form is obtained by summing up all possible product terms in $x_1, x_2, \ldots, x_n$. At first glance this looks like a good function, since it contains all nonlinear terms. However f can be written as the product $f(x_1, x_2, \ldots, x_n) = (1 + x_1)(1 + x_2) \cdots (1 + x_n)$, which transforms into the monomial function $g(x_1, x_2, \ldots, x_n) = x_1 x_2 x_3 \cdots x_n$ by simply complementing all arguments. This turns f into a poor function with respect to the number of nonlinear terms, and f becomes vulnerable.
Thus we want the properties quantifying the cryptographic complexity of Boolean functions to be affine invariants.
Now, we discuss the above-mentioned properties.
1. Balancedness: An n-variable Boolean function f is said to be balanced if its Hamming weight is $2^{n-1}$.
Motivation: Intuitively, the output of a cryptographic Boolean function should be equally distributed over {0, 1} to avoid statistical dependence between input and output (since statistical dependence can be exploited in attacks).
From equations A.6 and A.9 in Appendix A3, we can derive an interesting link between the balancedness of a function and Walsh transforms: a function f is balanced if and only if $\hat{\chi}_f(0) = 0$.
Balancedness is an affine invariant.
2. Algebraic degree [Car06a, Car04b]: Every Boolean function f over the field $\mathbb{F}_2^n$ can be represented uniquely by its algebraic normal form (ANF)

f(x) = \sum_{u \in \mathbb{F}_2^n} a_u \left( \prod_{i \mid u_i = 1} x_i \right)

The degree of the ANF of a function is called the algebraic degree of the function. For security, we want the function to have as high a degree as possible.
Motivation: The complexity of the "higher order differential attack" on block ciphers due to Knudsen and Lai [Knu94, Lai94] depends on the algebraic degrees of the Boolean functions in the cipher. Also, as described earlier, in most stream ciphers the keystream generator combines the output of one or more LFSRs by a nonlinear function to produce the keystream sequence. The linear complexity of such a sequence depends on the degree of the combining function and on the number of monomials in its ANF. These parameters determine the resistance of the produced sequence to the Berlekamp-Massey algorithm [Rue86, Mas69]. Hence the nonlinear combining functions must have high algebraic degrees and many monomials in their ANF.
To make this concrete, we describe an example. Consider a keystream generator with combining function f. If n LFSRs having lengths $L_1, L_2, \ldots, L_n$ are combined by the function

f(x) = \bigoplus_{I \in P(n)} a_I \left( \prod_{i \in I} x_i \right)

where P(n) denotes the power set of {1, 2, ..., n} and ⊕ denotes the sum computed mod 2, then we know from [RS87] that the sequence produced by f can be obtained by a single LFSR of length

L \le \sum_{I \in P(n)} a_I \left( \prod_{i \in I} L_i \right)

The algebraic degree of f has to be high so that L can have a high value. As mentioned previously, if the attacker knows at least 2L consecutive bits then the Berlekamp-Massey algorithm recovers the value of L as well as the secret initialization of the LFSR (hence the secret key). So, if the linear complexity L of the sequence has a low value, then the function is very susceptible to attack.
Relationship between algebraic degree and Walsh transform:
Proposition 2.1.1. [Lan90] Let f be an n-variable Boolean function, and let 1 ≤ k ≤ n. Assume that its Walsh transform takes values divisible by $2^k$. Then f has algebraic degree at most n − k + 1.
Algebraic degree is an affine invariant. The degree of any function f equals
that of any affinely equivalent function f ◦ A, where A is an element of the
general affine group.
However, in [Car06b], Carlet remarks that algebraic degree is not a suitable
criterion because a function with low algebraic degree can be converted to a
function with high algebraic degree by simply complementing a few bits in the
truth table. This operation does not change the robustness of the function
much but significantly increases the algebraic degree.
Carlet identifies a new property called Nonlinearity Profile which we describe
later.
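The LFSR of [MvOV97], the Berlekamp-Massey recovery from 2L output bits, and the [RS87] bound on the linear complexity of a combination of LFSRs, as an added example that is not code from the thesis or from the cited papers. The tap sets, initial states and the Geffe-style combining function $x_1 x_2 \oplus x_2 x_3 \oplus x_3$ are constructed for illustration.

```python
# Added example (not from the thesis or the cited papers): an LFSR as
# defined in [MvOV97], the Berlekamp-Massey algorithm, and the [RS87]
# bound on the linear complexity of a combination of LFSRs.  Tap sets,
# initial states and the combining function are constructed for illustration.

def lfsr_output(state, taps, nbits):
    """Clock an LFSR of length L = len(state) nbits times; return the output.
    state[i] is the content of stage i: stage 0 is output, every stage i moves
    to stage i - 1, and stage L - 1 receives the feedback bit, the XOR of the
    previous contents of the stages listed in taps."""
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(s[0])
        fb = 0
        for i in taps:
            fb ^= s[i]
        s = s[1:] + [fb]
    return out


def berlekamp_massey(seq):
    """Linear complexity L of seq and its connection polynomial
    C(D) = 1 + c_1 D + ... + c_L D^L, returned as (L, [1, c_1, ..., c_L]),
    meaning s_j = c_1 s_{j-1} XOR ... XOR c_L s_{j-L} for every j >= L."""
    n = len(seq)
    C = [1] + [0] * n      # current connection polynomial
    B = [1] + [0] * n      # polynomial before the last length change
    L, m = 0, -1           # m: position of the last length change
    for N in range(n):
        d = seq[N]                          # discrepancy at position N
        for i in range(1, L + 1):
            d ^= C[i] & seq[N - i]
        if d == 1:
            T = C[:]
            shift = N - m
            for i in range(n + 1 - shift):  # C(D) += B(D) * D^(N - m)
                C[i + shift] ^= B[i]
            if 2 * L <= N:
                L, m, B = N + 1 - L, N, T
    return L, C[:L + 1]


def recovered_taps(L, C):
    """Stages tapped by an LFSR of length L with connection polynomial C:
    c_k = 1 means that stage L - k feeds back."""
    return sorted(L - k for k in range(1, L + 1) if C[k])


def anf_value(monomials, x):
    """f(x) = XOR over I in monomials of PROD_{i in I} x[i]; () is the
    constant 1."""
    y = 0
    for I in monomials:
        term = 1
        for i in I:
            term &= x[i]
        y ^= term
    return y


def combined_keystream(states, taps_list, monomials, nbits):
    """Keystream z_t = f(x_1(t), ..., x_n(t)) of n LFSRs combined by the
    function f given by the monomials of its ANF."""
    seqs = [lfsr_output(s, t, nbits) for s, t in zip(states, taps_list)]
    return [anf_value(monomials, [q[t] for q in seqs]) for t in range(nbits)]


def rs87_bound(lengths, monomials):
    """sum over I of a_I * prod_{i in I} L_i: the [RS87] upper bound on the
    linear complexity of the combined sequence."""
    total = 0
    for I in monomials:
        p = 1
        for i in I:
            p *= lengths[i]
        total += p
    return total


# Constructed demo: one LFSR with feedback s_{t+5} = s_t XOR s_{t+2}
# (polynomial x^5 + x^2 + 1, primitive), then a Geffe-style combination
# x_1 x_2 XOR x_2 x_3 XOR x_3 of three LFSRs of coprime lengths 5, 3, 4.
GEFFE = [(0, 1), (1, 2), (2,)]
STATES = [[1, 0, 0, 1, 1], [1, 0, 1], [1, 1, 0, 1]]
TAPS = [(0, 2), (0, 1), (0, 1)]
LENGTHS = [5, 3, 4]

if __name__ == "__main__":
    bits = lfsr_output(STATES[0], TAPS[0], 10)      # 2L = 10 bits suffice
    L, C = berlekamp_massey(bits)
    print("L =", L, "C =", C, "taps =", recovered_taps(L, C))
    z = combined_keystream(STATES, TAPS, GEFFE, 200)
    print("combined LC =", berlekamp_massey(z)[0],
          "bound =", rs87_bound(LENGTHS, GEFFE))
```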
3. Nonlinearity [Car03, Car06a]: The nonlinearity of a Boolean function f is
the minimum Hamming distance of f to affine functions. For security, we want
high nonlinearity.
Motivation: Nonlinearity is crucial because most linear systems are easily
breakable by linear and correlation attacks as illustrated by [CT00, DXS91,
Mat93]. Hence a Boolean function needs to have high nonlinearity to be cryptographically strong. Nonlinearity is an intuitive criterion: affine functions are
considered the weakest functions and a strong function should be as far away
from them as possible.
In [Car06a], Carlet says that there is a correlation between a Boolean function f and a linear function l if $d_H(f, l)$ is different from $2^{n-1}$. The nonlinearity criterion can be expressed by the Walsh transform as follows: let $l_a(x) = a_1 x_1 + \cdots + a_n x_n = a \cdot x$ be any linear function. According to equation 2.11 we have

d_H(f, l_a) = 2^{n-1} - \frac{1}{2} \hat{\chi}_f(a)

and we deduce

d_H(f, l_a \oplus 1) = 2^{n-1} + \frac{1}{2} \hat{\chi}_f(a)

Therefore the nonlinearity of f is equal to:

NL(f) = 2^{n-1} - \frac{1}{2} \max_{a \in \mathbb{F}_2^n} |\hat{\chi}_f(a)|   (2.1)

Parseval's relation applied to $\chi_f$ gives

\sum_{a \in \mathbb{F}_2^n} \hat{\chi}_f^2(a) = 2^{2n}   (2.2)

and implies that the mean of $\hat{\chi}_f^2(a)$ is $2^n$. Since the maximum is greater than or equal to the mean, we can say:

\max_{a \in \mathbb{F}_2^n} |\hat{\chi}_f(a)| \ge 2^{n/2}   (2.3)

This implies

NL(f) \le 2^{n-1} - 2^{n/2-1}   (2.4)

This bound, valid for every Boolean function, is called the universal nonlinearity bound. Thus we see that any Boolean function has a correlation with some linear functions. But this correlation should be small, since the existence of affine approximations of Boolean functions in a cipher, both stream and block, makes the cipher susceptible to attacks such as those described in [Mat93, DXS91, CT00].
Nonlinearity is an affine invariant by definition, since $d_H(f \circ L, l \circ L) = d_H(f, l)$ for every function f, l and every affine automorphism L.
The functions which match the universal nonlinearity upper bound $2^{n-1} - 2^{n/2-1}$ are called bent functions. Bent functions are thus maximally nonlinear functions. They are not directly useful in ciphers because they are not balanced.
The concept of nonlinearity has been generalized to the "nonlinearity profile":
Nonlinearity profile [Car06b]: let $NL_r(f)$ denote the distance between f and the set of all functions of degree at most r. We call $NL_r(f)$ the r-th order nonlinearity of f, and the nonlinearity profile is the sequence of $NL_r(f)$ for r = 1, ..., n − 1.
4. Correlation immunity and resiliency [SM00a]: A function is said to be correlation immune if its output leaks no information about any fixed set of input values. An n-variable function $f(x_n, \ldots, x_1)$ is said to be correlation immune (CI) of order m if

\Pr(f = 1 \mid x_{i_1} = c_1, \ldots, x_{i_m} = c_m) = \Pr(f = 1)

for any choice of distinct $i_1, i_2, \ldots, i_m$ from 1, 2, ..., n and $c_1, \ldots, c_m \in \{0, 1\}$.
m-Resilient: A balanced m-th order correlation immune function is called m-resilient.
Note that to say that f is m-resilient does not mean that f is NOT k-resilient for k > m. The largest value of m such that f is m-resilient is called the resiliency order of f [Car06a].
Motivation: The property of correlation immunity was motivated by the "correlation attacks" introduced by Siegenthaler in [Sei84]. We describe correlation attacks here:
Correlation attacks:
Consider a stream cipher in which the keystream generator is implemented as n LFSRs whose output is combined by a nonlinear combining function f, as depicted in Figure 1.2. The secret key K determines the initialization of the LFSRs. We assume that K consists of n keys $K_1, K_2, \ldots, K_n$, one for each of the n LFSRs $S_1, \ldots, S_n$, so that LFSR $S_i$ is initialized by the secret key $K_i$, $i \in \{1, \ldots, n\}$. We assume the key is private, and everything else is public. Say $M_i$ is the number of possible subkeys $K_i$ for the LFSR $S_i$. Thus the number of different keys for the generator is:

M = \prod_{i=1}^{n} M_i

The nonlinear combining function f is meant to provide "confusion" and make the keystream difficult to predict. We want the cryptanalyst to be forced to try an average of half of the M possible values of K before hitting on the correct key. But Siegenthaler observed that if the keystream is correlated to at least one of the LFSR sequences, say the sequence of $S_i$, then the subkey $K_i$ used to initialize $S_i$ can be determined using exhaustive search, which significantly simplifies the brute force attack used to find K. If the keystream is correlated to one or more of the n LFSR sequences, then the cryptanalyst can attack the individual LFSRs and find their subkeys. So if the keystream is correlated with the sequence produced by $S_i$, then the subkey $K_i$ will be found in at most $M_i$ tries. Hence by divide and conquer, the cryptanalyst can obtain the key in at most

M' = \sum_{i=1}^{n} M_i \ll M

attempts.
In general, to resist correlation attacks, one should ensure that there is no statistical dependence between any small subset of the n LFSR sequences and the keystream sequence. This motivated the identification of correlation immunity:
Call the keystream sequence $Z_1, Z_2, \ldots$. This sequence is determined as

Z_j = f(X_{1j}, X_{2j}, \ldots, X_{nj})

where $X_j = (X_{1j}, X_{2j}, \ldots, X_{nj})$ is the n-tuple of LFSR output digits at time j. Then the combining function f is m-th order correlation immune if every m-tuple obtained by choosing m components from $X_j$ is statistically independent of $Z_j$ for all j = 1, 2, 3, .... This provides an alternate, equivalent definition of the m-th order correlation immunity defined earlier.
To summarize, correlation immunity is desirable for a Boolean function because dependence between the input and output bits can lead to a significant reduction in the complexity of an attack through the "divide and conquer" approach.
Fast correlation attacks, introduced by Meier and Staffelbach in [MS89a], significantly speed up the correlation attack. In fast correlation attacks, the correct initialization of the LFSRs is found in a more efficient way, related to error-correcting decoding. Another type of correlation attack, called the conditional correlation attack, has also been discovered and explored in (among others) [And94, LCPP96, Loh03]. We will not describe these attacks further.
It was found that to resist fast correlation attacks on stream ciphers, the filtering function needs to possess high nonlinearity, as shown in [JJ99, MS88, Car06a]. In [Car06a] Carlet observes that, just like filtering functions, combining functions (when used in stream ciphers) should also be highly nonlinear. It was shown by Canteaut and Trabbia in [CT00] and Canteaut in [Can02] that highly nonlinear combining functions are useful to thwart fast correlation attacks as much as possible. Highly nonlinear m-resilient Boolean functions have the property that the coefficient $\hat{\chi}_f(u)$ is very small for every vector u of Hamming weight higher than, but close to, m, and this property makes fast correlation attacks as inefficient as possible.
Siegenthaler [Sei84] proved a fundamental relation between the number of variables n, the degree d and the order of correlation immunity m of a Boolean function:

m + d \le n.

In addition, if the function is balanced then

m + d \le n - 1.

In [Car06a], Carlet observes that resiliency has been characterized by Xiao and Massey through the Fourier and the Walsh transforms:
Proposition 2.1.2. [XGZ88] Any n-variable Boolean function f is m-resilient if and only if $\hat{\chi}_f(u) = 0$ for all $u \in \mathbb{F}_2^n$ such that $w_H(u) \le m$, where $w_H(u)$ denotes the Hamming weight of u (see appendix for the definition). Equivalently, f is m-resilient if and only if it is balanced and $\hat{f}(u) = 0$ for all $u \in \mathbb{F}_2^n$ such that $0 < w_H(u) \le m$.
We do not describe the proof here. A clear proof of this proposition can be found in [Car06a] as well as in the original paper.
Resiliency order of a function is not an affine invariant [Car06a].
5. Algebraic thickness [Car04b]: The algebraic thickness Γ(f ) of a Boolean
function f is the minimum number of monomials with nonzero coefficients in
the ANF of the functions f ◦ A where A ranges over the general affine group.
Equivalently, for every Boolean function
$$f(x) = \sum_{u \in \mathbb{F}_2^n} a_u \left( \prod_{i=1}^{n} x_i^{u_i} \right),$$
the parameter $\Gamma(f)$ is the minimum number of monomials in the ANF of the functions
$$\sum_{u \in \mathbb{F}_2^n} a_u \left( \prod_{i=1}^{n} (l_i(x))^{u_i} \right),$$
where the $l_i$'s are affine functions whose linear parts are linearly independent.
Motivation: As mentioned earlier, it is desirable for a function to have many
monomials in its ANF to resist known attacks [Rue86, Mas69]. However, the
number of monomials in the ANF of a function is not an affine invariant. This
motivated the identification of the property of ’Algebraic thickness’ which is
an affine invariant.
6. k-Normality [Car04b]: Let $k \le n$. A Boolean function $f$ on $\mathbb{F}_2^n$ is called $k$-normal (respectively $k$-weakly normal) if there exists a $k$-dimensional flat on which $f$ is constant (respectively affine). For security, we want non-normality.
Motivation: In [Car04b], Carlet remarks that Non-normality is a natural
complexity criterion to consider because ”complex functions are supposed to be
very different from affine functions, and since any affine function is constant on
at least one affine hyper-plane, it is natural to expect from a complex function
to be non-constant on any flat of some low dimension”. This complexity
criterion is not yet related to explicit attacks on ciphers but this is not new:
degree and nonlinearity were also identified as important cryptographic criteria
before they were explicitly related to attacks.
7. Algebraic Immunity [MPC04]: Let $g$ be a nonzero function of lowest degree such that $g$ annihilates $f$ or $f + 1$, i.e. $g * f = 0$ or $g * (f + 1) = 0$, where $*$ denotes multiplication. If $g$ has degree $d$, then the algebraic immunity of the function $f$, written $AI(f)$, is $d$.
Motivation: In [CM03], the authors describe an algebraic attack by obtaining
a very overdefined system of equations involving plaintext, ciphertext and key
bits. We know that the cipher can be described by a system of multivariate
polynomial equations in plaintext, ciphertext and key bits. The system can be
attacked if the attacker is able to obtain a very overdefined system of equations
from the given equations. Moreover, this attack can become very efficient if
this overdefined system is of low degree. In [CM03], the authors describe how
such low degree relations can be found by multiplying the output function of
the cipher by a well chosen low degree function such that the product function
is also of low degree. They also describe three scenarios under which such low
degree relations may exist. In [MPC04], the authors collapse these into two
scenarios by proving that two of the original three are equivalent. The two
scenarios are as follows:
Say f has high degree.
(a) Assume that there exists a function g of low degree such that f ∗ g = h
is a nonzero function of low degree.
(b) Assume there exists a function g of low degree such that f ∗ g = 0.
We refer to these as AA scenario 1 and AA scenario 2 respectively in the rest
of this survey. There is a useful relation between these two scenarios as shown
below:
Proposition 2.1.3. [MPC04] Assume that $f * g = h \neq 0$ holds for some functions $g$ and $h$ of degrees at most $d$ (AA scenario 1). Suppose in addition that $g \neq h$. Then there is a function $g'$ of degree at most $d$ such that $f * g' = 0$ (AA scenario 2).
Proof. We know that over $\mathbb{F}_2$, $f^2 = f$, hence $f * g = f^2 * g = f * (f * g) = f * h$. Hence $f * (g + h) = 0$, and $g' = g + h$ is nonzero of degree at most $d$.
This argument shows we can restrict ourselves to the following two cases:
1. AA scenario 2 and
2. AA scenario 1 with g = h.
But if g = h, then f ∗ g = h = g which means (f + 1) ∗ g = 0, which is AA
scenario 2 for the function f + 1.
Resistance to algebraic attacks thus requires that neither $f$ nor $f + 1$ has an annihilating function of low degree. This motivated the definition of algebraic immunity given above.
In [CM03], Courtois and Meier showed that given any $n$-variable Boolean function $f$, it is always possible to get a Boolean function $g$ with degree at most $\lceil n/2 \rceil$ such that $f * g$ has degree at most $\lceil n/2 \rceil$. Thus
$$AI(f) \le \lceil n/2 \rceil.$$
In [CDGM06], the authors show that if a function has low nonlinearity then
it must also have low algebraic immunity. Hence if one chooses a function
with good algebraic immunity then this will automatically provide nonlinearity
which is not low. Algebraic immunity is an affine invariant.
8. Strict avalanche criterion(SAC) and propagation criterion(PC) [Car06a]:
For completeness, we first define the derivative of a function: Let $f$ be an $n$-variable Boolean function and let $b$ be any vector in $\mathbb{F}_2^n$. The Boolean function $D_b f(x) = f(x) \oplus f(x + b)$ is called the derivative of $f$ with respect to the direction $b$, where $\oplus$ denotes addition over $\mathbb{F}_2$.
Now we define SAC and PC:
Let $f$ be a Boolean function on $\mathbb{F}_2^n$ and $E \subset \mathbb{F}_2^n$. The function $f$ satisfies the propagation criterion $PC$ with respect to $E$ if for all $a \in E$ the derivative $D_a f(x) = f(x) \oplus f(x + a)$ is balanced. It satisfies $PC(l)$ if it satisfies $PC$ with respect to the set of all nonzero vectors of weight at most $l$. The case $l = 1$ is of special importance and is referred to as the Strict Avalanche Criterion (SAC).
Motivation: Propagation characteristics (SAC and PC) are useful to consider while designing cryptographically strong Boolean functions because they provide "diffusion" to the cipher. Boolean functions used in ciphers need to be very sensitive to changes in their inputs, and propagation characteristics quantify this intuition. The Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares [WT85] and this concept was generalized into the Propagation Criterion ($PC$) by Bart Preneel [PLL+90]. The SAC and its generalizations are based on the properties of the derivatives of Boolean functions. These properties describe the behavior of a function whenever some coordinates of the input are complemented. These criteria are not affine invariants in general [Car06a].
A good Boolean function must possess a ”good combination” of the above properties
to be useful in ciphers.
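All of the criteria above can be read off a truth table, which is the quickest way to check a candidate function against Siegenthaler's bound, Proposition 2.1.2 and the SAC. The following Python code is an added example and is not part of the thesis: it computes the Walsh spectrum $\hat{\chi}_f(u)$ with a fast Walsh-Hadamard transform, reads nonlinearity and resiliency order off it, obtains the algebraic degree from the ANF via the Moebius transform, and tests the derivatives $D_a f$ in the weight-one directions. The sample function $f = x_0 \oplus x_1 \oplus x_2 \oplus x_3 x_4$ is constructed for the example.

```python
def truth_table(func, n):
    """Truth table indexed by the integer x whose bit i is the input x_i."""
    return [func([(x >> i) & 1 for i in range(n)]) for x in range(2 ** n)]


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W[u] = sum_x (-1)^(f(x) + u.x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def anf(tt):
    """Moebius transform: a[u] = 1 iff the monomial prod_{i in u} x_i occurs in the ANF of f."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a


def weight(u):
    return bin(u).count("1")


def degree(tt):
    return max(weight(u) for u, c in enumerate(anf(tt)) if c)


def nonlinearity(tt):
    # NL(f) = 2^(n-1) - (1/2) max_u |W(u)|
    return len(tt) // 2 - max(abs(w) for w in walsh_spectrum(tt)) // 2


def resiliency_order(tt):
    """Largest m with W(u) = 0 for all wt(u) <= m (Proposition 2.1.2); -1 if f is unbalanced."""
    w = walsh_spectrum(tt)
    if w[0] != 0:
        return -1
    return min(weight(u) for u, v in enumerate(w) if v != 0) - 1


def satisfies_pc(tt, a):
    """Is the derivative D_a f(x) = f(x) + f(x + a) balanced?"""
    return sum(tt[x] ^ tt[x ^ a] for x in range(len(tt))) == len(tt) // 2


def satisfies_sac(tt, n):
    """PC(1): every weight-one direction gives a balanced derivative."""
    return all(satisfies_pc(tt, 1 << i) for i in range(n))


N = 5


def f(x):
    # Constructed sample function: f = x0 + x1 + x2 + x3*x4
    return x[0] ^ x[1] ^ x[2] ^ (x[3] & x[4])


TT = truth_table(f, N)


def report(tt=TT, n=N):
    m, d = resiliency_order(tt), degree(tt)
    return {"degree": d, "nonlinearity": nonlinearity(tt), "resiliency": m,
            "siegenthaler_ok": m + d <= n - 1, "sac": satisfies_sac(tt, n)}


if __name__ == "__main__":
    print(report())
```

For this $f$ the report gives degree 2, resiliency order 2 (so Siegenthaler's bound $m + d \le n - 1$ is met with equality), nonlinearity 8, and a failed SAC: the derivative in direction $e_0$ is the constant 1, since $x_0$ only appears linearly. The nonlinearity 8 also equals the bound $2^{n-1} - 2^{m+1}$ on $m$-resilient functions from [SM00b] discussed in section 2.2.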
2.2
About the cryptographic complexity of Boolean functions
It is now known that random functions are almost surely highly complex. As is well
known, almost all Boolean functions have high circuit complexity. This was called
the Shannon effect by Lupanov [Lup70]. The Shannon effect holds for cryptographic
complexity as well, as we describe below.
Asymptotically, almost all Boolean functions have "high" algebraic degrees, that is, algebraic degrees $\ge n - 1$. We can prove this using a simple counting argument. The number of Boolean functions of algebraic degree at most $n - 2$ equals
$$2^{\sum_{i=0}^{n-2} \binom{n}{i}} = 2^{2^n - n - 1},$$
and this number is very small compared to the $2^{2^n}$ Boolean functions.
In [OS98], Stanek and Olejar show that almost all Boolean functions exhibit
high cryptographic complexity with respect to balancedness, nonlinearity, correlation immunity and propagation characteristics. We broadly state the results here
without proof. The interested reader is referred to [OS98].
1. Balancedness: The number of balanced Boolean functions among the $2^{2^n}$ Boolean functions over $\mathbb{F}_2^n$ is $\binom{2^n}{2^{n-1}}$. By Stirling's formula we get
$$\binom{2^n}{2^{n-1}} = \frac{2^{2^n}}{\sqrt{\pi \cdot 2^{n-1}}} \left(1 - O(2^{-n})\right) \quad \text{[OS98]}.$$
The fraction of balanced Boolean functions compared to all Boolean functions is therefore
$$\frac{1 - O(2^{-n})}{\sqrt{\pi \cdot 2^{n-1}}},$$
which goes to 0 as $n$ goes to $\infty$. Thus the number of balanced Boolean functions is negligible with respect to the total number of Boolean functions over $\mathbb{F}_2^n$. If we relax the rigidity of balancedness, however, we obtain something interesting for most Boolean functions. The following theorem holds even if, instead of the uniform distribution over all Boolean functions of $n$ variables, we consider the binomial distribution with arbitrary $p \in (0, 1)$. Note that in the case of the uniform distribution $p = 1/2$:
Theorem 2.2.1. [OS98] Let $f$ be an $n$-ary Boolean function, let $\varphi(n)$ be an arbitrary function such that $\varphi(n) \to \infty$ as $n \to \infty$, and let $p \in (0, 1)$. Then
$$p \cdot 2^n - 2^{n/2} \cdot \varphi(n) < w_H(f) < p \cdot 2^n + 2^{n/2} \cdot \varphi(n)$$
almost surely. Here $w_H(f)$ denotes the Hamming weight of $f$, i.e. the number of inputs $x$ such that $f(x) = 1$.
Proof. The Hamming weight of $f$, $w_H(f)$, can be considered as a random variable binomially distributed over the set $\{0, 1, \ldots, 2^n\}$. Let $0 \le k \le 2^n$. Then
$$\Pr(w_H(f) = k) = \binom{2^n}{k} p^k (1 - p)^{2^n - k}.$$
For convenience, we denote $w_H(f)$ by $w$. By Chebyshev's inequality, we have
$$\Pr(|w - E(w)| \ge c\sigma) \le \frac{1}{c^2},$$
where $\sigma^2$ is the variance of $w$ and $c$ is some real number. Since $w$ has binomial distribution, we get $E(w) = p \cdot 2^n$ and $\sigma^2 = p \cdot (1 - p) \cdot 2^n$. Let $c = \frac{\varphi(n)}{\sqrt{p \cdot (1 - p)}}$, so that $c\sigma = \varphi(n) \cdot 2^{n/2}$. So we get
$$\Pr\left(|w - p \cdot 2^n| \ge \varphi(n) \cdot 2^{n/2}\right) \le \frac{p \cdot (1 - p)}{\varphi^2(n)}.$$
Clearly $\frac{p \cdot (1 - p)}{\varphi^2(n)}$ tends to 0 as $n$ tends to $\infty$. Hence $\Pr\left(|w - p \cdot 2^n| < \varphi(n) \cdot 2^{n/2}\right)$ tends to 1 as $n$ tends to $\infty$. So we can say that $|w - p \cdot 2^n| < \varphi(n) \cdot 2^{n/2}$ almost surely, which implies the statement of the theorem.
2. Nonlinearity: Olejar and Stanek show that almost all Boolean functions have "high" nonlinearities [OS98]. Specifically, almost all Boolean functions over $\mathbb{F}_2^n$ have nonlinearities greater than $2^{n-1} - \sqrt{n} \cdot 2^{(n-1)/2}$. Carlet in [Car06b] generalizes their result to the nonlinearity profile. The best known asymptotic upper bound has been given in [CM07]:
$$\max_f NL_r(f) \le 2^{n-1} - \frac{\sqrt{15}}{2} \cdot (1 + \sqrt{2})^{r-2} \cdot 2^{n/2} + O(n^{r-2}) \qquad (2.5)$$
3. Correlation Immunity: Similarly, Olejar and Stanek show that almost all
Boolean functions are ”almost correlation immune” [OS98]. They introduce
a new property called counted correlation characteristic abbreviated as CCC,
which is closely related to correlation immunity and provide a lower bound for
it. They prove that any n-ary Boolean function f satisfies this bound ”almost
surely”(or with probability close to 1), from which they conclude that almost
all Boolean functions are almost correlation immune. We will not explain this
in further detail and refer the reader to [OS98].
4. Propagation Characteristics: Very few Boolean functions satisfy SAC but if
we replace the strict condition of balancedness in the definition of SAC by
”near-balancedness” then there is a large set of Boolean functions which are
”strong enough for cryptographic applications”.
Carlet showed in [Car06b] that asymptotically almost all Boolean functions also have high algebraic thicknesses and are highly non-normal. In [Car04b], Carlet improved upon his previous result and showed that almost all Boolean functions have algebraic thicknesses greater than $2^{n-1} - n \cdot 2^{(n-1)/2}$.
In [MPC04], the authors propose an algorithm for determining whether a
given function f admits annihilators of degree ≤ d, i.e. if f has algebraic immunity
≤ d (Note that the algorithm becomes infeasible for values n ≥ 32 and d ≥ 6). The
authors also bound the probability that a given function will have low algebraic
immunity:
Theorem 2.2.2. [MPC04] There is a constant $c \approx 0.22$ such that for any sequence $d_n$ of positive integers with $d_n \le c \cdot n$, $\Pr(AI(f) \le d_n) \to 0$ as $n \to \infty$.
Thus for a random function $f$ with a large number of inputs ($n \ge 18$), low algebraic immunity is very unlikely. However, some functions that are used in ciphers, for example degree-optimized functions from the Maiorana-McFarland family, which satisfy several cryptographic complexity criteria, were found to have low algebraic immunity [MPC04]. This suggests a potential tradeoff between previously known criteria like nonlinearity, correlation immunity and others, and algebraic immunity.
Since a cryptographically strong Boolean function must possess a good combination of the above properties, it is important to understand the relationships
between these cryptographic properties. Briefly here, we state a few of such relations without proof.
In [Car02], Carlet nicely summarizes some of the relations between cryptographic properties as follows: Siegenthaler’s inequality [Sei84] states that any m-th
order correlation immune function in n variables has degree at most n − m, that
any m-resilient function (0 ≤ m < n − 1) has algebraic degree smaller than or equal
to n − m − 1 and that any (n − 1)-resilient function has algebraic degree 1. Sarkar
and Maitra [SM00b] have shown that the nonlinearity of any m-resilient function
($m \le n - 2$) is divisible by $2^{m+1}$, and this has led to an upper bound on the nonlinearity of $m$-resilient functions: the nonlinearity of any $m$-resilient function is smaller than or equal to $2^{n-1} - 2^{m+1}$ if $\frac{n}{2} - 1 < m + 1$. If $\frac{n}{2} - 1 \ge m + 1$, then the nonlinearity is bounded by $2^{n-1} - 2^{\frac{n}{2} - 1} - 2^{m+1}$ if $n$ is even and by $2^{n-1} - 2^{m+1} \lceil 2^{\frac{n}{2} - m - 2} \rceil$ if $n$ is odd.
If a function achieves this bound (independently obtained by Tarannikov [Tar00] and Zheng and Zhang [ZZ00]), then it also achieves Siegenthaler's bound, and the Fourier spectrum of the function then has three values, namely $0$ and $\pm 2^{m+2}$ (such functions are often called "plateaued" or "three-valued"). In [KG03], the authors remark that it is desirable for a function to have a 3-valued Hadamard transform because it limits the efficiency of the soft output joint attack of [LZGB02].
Carlet calls these upper bounds Sarkar et al.’s bound. Please see [Car02] for more
details, the paper provides a very nice summary of these bounds.
Meier and Staffelbach showed in [MS89b] that maximal nonlinearity and perfect propagation characteristics are equivalent requirements for Boolean functions
with an even number of variables. However the functions that satisfy these two
properties simultaneously: bent functions, are not balanced and hence not cryptographically strong. In [CCCF00], the authors further investigate the relation
between nonlinearity(providing confusion) to propagation characteristics(providing
diffusion) and conclude that highly nonlinear functions usually have good propagation characteristics. They also show that most highly nonlinear functions with a
three valued Walsh spectrum can be transformed into 1-resilient functions.
Zheng et al. first showed the following nice relation between non-normality and nonlinearity:
Theorem 2.2.3. [ZZI99] Let $f$ be a weakly $k$-normal Boolean function on $\mathbb{F}_2^n$. Then
$$NL(f) \le 2^{n-1} - 2^{k-1}.$$
We do not give the proof here and refer the interested reader to [Car04b].
Dalai, Gupta and Maitra showed the following connection between algebraic
immunity and nonlinearity, which we state without proof.
Theorem 2.2.4. [DGM04] Let $f$ be an $n$-variable Boolean function. If
$$NL(f) < \sum_{i=0}^{d} \binom{n}{i},$$
then $AI(f) \le d + 1$.
In [Lob05], Lobanov obtained a tight bound between nonlinearity and algebraic immunity:
$$NL(f) \ge 2 \sum_{i=0}^{AI(f) - 2} \binom{n - 1}{i}.$$
Carlet extended the above lower bound into a bound on the general $r$-th order nonlinearity:
Theorem 2.2.5. [Car06b] Let $f$ be a Boolean function in $n$ variables and let $r$ be a positive integer. The nonlinearity of order $r$ of $f$ satisfies:
$$NL_r(f) \ge 2 \sum_{i=0}^{AI(f) - r - 1} \binom{n - r}{i}.$$
While constructing Boolean functions to be used in ciphers, it is useful to
keep these properties in mind so as to identify suitable tradeoffs.
Chapter 3
Algebraic attacks against
symmetric key ciphers
3.1
Algebraic attacks against stream ciphers
3.1.1
Conventional attacks against stream Ciphers
We briefly describe one of the conventional methods of attacking stream ciphers so
that its method might be contrasted with algebraic attacks described later.
Linear Consistency attack: This attack was introduced in [ZYR89]. The
attack is possible if one can separate out some portion of the secret key, say K1 and
write a linear system Ax = b where the matrix A depends on K1 alone, and the
attacker has access to keystream bits in vector b. Then an exhaustive search for K1
can be performed and the correct value for K1 can be determined by plugging each
value into the linear system and checking if the system is consistent. Once K1 is
recovered, the whole key can potentially be recovered via divide and conquer.
This attack has been applied to various stream ciphers as in [FL01, ZYR89]. Other
traditional attacks on stream ciphers are discussed in [BD00, WB02, GBM02, Mul04,
CHJ02].
3.1.2
Setup for algebraic attack
We present in this section a description of a working algebraic attack against a stream cipher. We consider specifically additive stream ciphers, in which the ciphertext is obtained by adding the plaintext bitwise to the keystream. We consider a simplified version of the classical construction of the keystream generator: the generator uses one LFSR (typically several) to implement the linear transition function $L$ and a highly nonlinear Boolean function $f$ as the filtering function. Note that neither $f$ nor $L$ depends on the secret key.
3.1.3
The problem of cryptanalysis
Both $L$ and $f$ are public; only the state of the LFSR is secret.
Let $(k_0, k_1, \ldots, k_{n-1})$ be the initial state of the LFSR. Then the generated keystream bits are given by:
$$b_0 = f(k_0, k_1, \ldots, k_{n-1})$$
$$b_1 = f(L(k_0, k_1, \ldots, k_{n-1}))$$
$$b_2 = f(L(L(k_0, k_1, \ldots, k_{n-1})))$$
and so on, where $b_i$ indicates the bit generated at time slot $i$. Some of these output bits $b_i$ might become known to the cryptanalyst. The problem of cryptanalysis is to recover the key $k = (k_0, k_1, \ldots, k_{n-1})$ from some subset of these output bits $b_i$.
This is considered a hard problem since, as mentioned previously, the problem of solving systems of multivariate polynomial equations is NP-complete even if all the equations are quadratic and the field is $\mathbb{F}_2$.
When the number of equations is equal to the number of variables, the best known
algorithms are exhaustive search for small fields, and Gröbner bases algorithms
which have exponential complexity.
3.1.4
The attack
If the attacker can exploit some inherent algebraic structure of the cipher to get
equations that are overdefined or sparse or have some other similar nice property,
then the system of equations becomes much easier to solve than expected.
The attack we describe below is due to Courtois and Meier [CM03], and is
based on solving ”overdefined” systems of equations of low degree. This is a partially
known plaintext attack, i.e. we know some bits of the plaintext and corresponding
ciphertext bits. The bits do not need to be consecutive. We assume that we have
some m bits of the keystream bi at some known positions.
At time $t$, the current keystream bit gives an equation $f(s) = b_t$, with $s$ being the current state of the LFSR. The function $f(s)$ is usually of high degree, but we multiply it by a well chosen multivariate polynomial $g(s)$, giving a product, say, $h(s)$.
So if $b_t = 0$ then $f(s) = 0$, hence $f(s) * g(s) = 0$, and we can use AA scenario 1 (refer to the motivation for algebraic immunity in section 2.1) to get a low degree equation $h(s) = 0$. If $b_t = 1$, we can use AA scenario 2: $b_t = f(s) = 1$, hence $f(s) * g(s) = g(s)$. But $f(s) * g(s) = 0$, hence $g(s) = 0$. To make this more formal, consider:
For each known keystream bit $b_t$ at position $t$, we have the equation
$$f(s) = b_t, \quad \text{i.e.} \quad f(L^t(k_0, k_1, \ldots, k_{n-1})) = b_t.$$
Multiplying both sides by a well chosen polynomial $g(s)$, we get
$$f(L^t(k_0, \ldots, k_{n-1}))\, g(L^t(k_0, \ldots, k_{n-1})) = b_t\, g(L^t(k_0, \ldots, k_{n-1})).$$
If $b_t = 0$, then $f(L^t(k_0, \ldots, k_{n-1}))\, g(L^t(k_0, \ldots, k_{n-1})) = 0$, and we use scenario 1 so that the LHS is of low degree. If $b_t = 1$, then we use scenario 2 to get $\text{LHS} = 0 = g(L^t(k_0, \ldots, k_{n-1}))$, and we know the RHS is of low degree. We get one multivariate equation for each keystream bit.
Given m keystream bits, let R be the number of multivariate equations of
degree d, and with n variables ki . With one g, we get R = m. But if we use several
different gs for the same f , we can get R > m. Thus we obtain a very overdefined
system of multivariate equations, that can be solved efficiently using techniques like
Relinearization, XL etc. which are discussed later in detail.
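The attack just described, together with the annihilator search behind the algebraic immunity criterion of section 2.1, can be run end to end on a toy generator. The Python below is an added example, not code from the thesis or from [CM03]. Everything in it is a choice made for the example: the filter function $f$ on five tap bits is constructed as $x_1(x_0 + 1) + (x_1 + 1)h(x_0, x_2, x_3, x_4)$ so that $\deg f = 4$ while $AI(f) = 2$; the LFSR has length 10 with feedback $x^{10} + x^3 + 1$ and feeds state positions 0, 2, 5, 7, 9 to $f$; annihilators $g$ of $f$ and of $f + 1$ are found as the nullspace of the evaluation matrix over the support; each keystream bit then contributes one equation $g(L^t k) = 0$ in the degree-$\le 2$ monomials of $k$, and the system is solved by the linearization method of section 4.2.1. Any key bit that linearization happens to leave undetermined is guessed and checked against the keystream.

```python
from itertools import combinations, product

NF, N, TAPS = 5, 10, (0, 2, 5, 7, 9)      # arity of f, LFSR length, state bits fed to f

def f_anf(x):
    """Constructed filter function of degree 4 with AI(f) = 2 (see lead-in)."""
    x0, x1, x2, x3, x4 = x
    return ((x0 & x1 & x2 & x3) ^ (x0 & x2 & x3) ^ (x1 & x2 & x4) ^ (x0 & x1)
            ^ (x1 & x3) ^ (x2 & x4) ^ x1 ^ x3)

TT = {x: f_anf(x) for x in product((0, 1), repeat=NF)}   # truth table keyed by input tuple
TT1 = {x: 1 - v for x, v in TT.items()}                  # truth table of f + 1

def gf2_rref(rows):
    """Row-reduce int bitmask rows over F2 -> {pivot column: row}; the lowest set bit of a row
    is its pivot and every row has zeros in all other pivot columns."""
    piv = {}
    for row in rows:
        for c, prow in piv.items():
            if row >> c & 1:
                row ^= prow
        if row:
            c = (row & -row).bit_length() - 1
            for p in piv:
                if piv[p] >> c & 1:
                    piv[p] ^= row
            piv[c] = row
    return piv

def annihilators(tt, n, d):
    """Basis of {g : deg g <= d, g(x) = 0 whenever tt[x] = 1}; g is a list of monomials
    (sorted index tuples, () = 1): the nullspace of the evaluation matrix on supp(f)."""
    monos = [m for r in range(d + 1) for m in combinations(range(n), r)]
    rows = [sum(1 << j for j, m in enumerate(monos) if all(x[i] for i in m))
            for x, v in tt.items() if v]
    piv, basis = gf2_rref(rows), []
    for c in range(len(monos)):
        if c not in piv:                                # one nullspace vector per free column
            vec = 1 << c
            for p, prow in piv.items():
                if prow >> c & 1:
                    vec |= 1 << p
            basis.append([monos[j] for j in range(len(monos)) if vec >> j & 1])
    return basis

def algebraic_immunity(tt, n):
    comp = {x: 1 - v for x, v in tt.items()}
    return next(d for d in range(n + 1) if annihilators(tt, n, d) or annihilators(comp, n, d))

def lfsr_step(state):
    """Feedback x^10 + x^3 + 1; works on bits and on symbolic linear forms (bitmasks over k)."""
    return state[1:] + [state[0] ^ state[3]]

def keystream(key, nbits):
    state, out = list(key), []
    for _ in range(nbits):
        out.append(TT[tuple(state[i] for i in TAPS)])
        state = lfsr_step(state)
    return out

def mul_linear(poly, lin):
    """Multiply a polynomial over k (set of sorted index tuples) by a linear form (bitmask)."""
    out = set()
    for m in poly:
        for i in range(N):
            if lin >> i & 1:
                out ^= {tuple(sorted(set(m) | {i}))}    # toggling = addition over F2; x_i^2 = x_i
    return out

def expand(g, forms):
    """g(L^t k): substitute the linear forms of the current tap bits into the monomials of g."""
    total = set()
    for mono in g:
        poly = {()}
        for j in mono:
            poly = mul_linear(poly, forms[TAPS[j]])
        total ^= poly
    return total

def algebraic_attack(bits, g_f, g_f1):
    """b_t = 1 gives g_f(L^t k) = 0 (f*g_f = 0); b_t = 0 gives g_f1(L^t k) = 0 ((f+1)*g_f1 = 0).
    The degree-<=2 monomials of k are linearized and the system is row-reduced."""
    monos = [m for r in (1, 2) for m in combinations(range(N), r)]
    col, RHS = {m: j for j, m in enumerate(monos)}, len(monos)
    forms, rows = [1 << i for i in range(N)], []        # at t = 0 state bit i is k_i
    for b in bits:
        poly = expand(g_f if b else g_f1, forms)
        rows.append(sum(1 << (RHS if m == () else col[m]) for m in poly))
        forms = lfsr_step(forms)
    piv = gf2_rref(rows)
    assert RHS not in piv, "inconsistent system"
    known = {i: piv[col[(i,)]] >> RHS & 1 for i in range(N)
             if col[(i,)] in piv and piv[col[(i,)]] & ~(1 << RHS) == 1 << col[(i,)]}
    free = [i for i in range(N) if i not in known]       # guess whatever linearization left open
    cands = []
    for guess in product((0, 1), repeat=len(free)):
        key = [known.get(i, 0) for i in range(N)]
        for i, v in zip(free, guess):
            key[i] = v
        if keystream(key, len(bits)) == bits:
            cands.append(tuple(key))
    return len(known), cands

KEY = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1)                     # constructed secret initial state

def demo(key=KEY, nbits=300):
    g_f, g_f1 = annihilators(TT, NF, 2)[0], annihilators(TT1, NF, 2)[0]
    return algebraic_attack(keystream(key, nbits), g_f, g_f1)
```

With $n = 10$ and $d = 2$ the linearized system has $10 + 45 = 55$ unknowns, so a few hundred keystream bits already give an overdefined system, whereas $f$ itself has degree 4 and would need $\sum_{i \le 4}\binom{10}{i} = 386$ monomials. The brute-force fallback over `free` exists only because the toy does not check that its equations reach full rank; in [CM03] that margin is obtained by using several $g$'s and more data.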
3.2
Algebraic attacks against block ciphers
Algebraic attacks were quite devastating for public key and stream ciphers. The
question that many people started asking is: do these types of attacks matter also
for block ciphers? First we describe some conventional attacks on block ciphers,
again to contrast with algebraic attacks.
3.2.1
Conventional methods of cryptanalysis against block ciphers
Differential attacks [BS91b]: Differential cryptanalysis is a method which analyses the effect of particular differences in plaintext pairs on the differences in the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. For a successful differential cryptanalysis attack, the cryptanalyst needs to know an input difference pattern that propagates to an output difference pattern over all but a few rounds of the cipher with a large enough probability (this probability is known as the difference propagation probability). The attacker generally proceeds by encrypting some plaintext, then making particular changes to that plaintext and encrypting it again. The attacker then observes the corresponding differences in the ciphertext and attempts to measure non-random behavior which will help in determining the key. Differential analysis is explored in [YLH98, BS91b, Mat99, KCP00, BS91a].
Linear attacks: Linear attacks were introduced by Mitsuru Matsui in [Mat93]. Basically, the attack works by finding linear approximations of the equations that describe the cipher. Given plaintext and ciphertext pairs, simple linear approximations are created for the relations involving the plaintext, ciphertext and key bits, from which it is easy to derive key bits. Approximations that tend to hold true reveal the value of some key bits of the real cipher, and as more and more plaintext-ciphertext pairs are obtained, the approximations get better and better, and it becomes more and more likely that the real key has been found. Linear cryptanalysis of a block cipher starts by finding approximate linear expressions for the S-boxes and then extends these expressions to describe the entire cipher (as was done for the DES cipher by Matsui). These linear expressions are then solved to obtain probable key bits. Linear attacks are discussed in [Mat94, MY92, KR94, YT95, HKM95, TSM95].
A nice survey on linear and differential attacks can be found in [Key02].
3.2.2
How block ciphers resist conventional statistical attacks
Thus, conventional methods of attacking block ciphers like linear and differential
cryptanalysis, use the ”statistical” approach of tracing observed patterns between
input-change and corresponding output-change through multiple rounds, and measuring non-random behavior at the output.
We briefly describe here the Wide trail strategy, which has been successfully used
by AES designers to resist statistical attacks such as those described above. As
described in [DR02], in the ”wide trail strategy”, the round transformations are
composed of two invertible steps:
1. A local non-linear transformation, i.e. a good s-box. This component provides
”confusion”.
2. A linear transformation that spreads influence of modification in input over
all output. The way it achieves this is by breaking the block into further
”bundles” of bits. The transformation combines the bundles linearly so that
each bundle at the output is a linear function of bundles at the input. This
ensures that change in the input bits is spread over a large number of the
output bits, providing ”diffusion” and confusing statistical analysis.
A new generation of block-ciphers (among them the Advanced Encryption
Standard (AES) Rijndael) were designed to resist statistical attacks, in particular
linear and differential attacks. The task of designing ciphers immune to statistical
attacks is made easier by the fact that the complexity of the attacks grows exponentially with the number of rounds of a cipher. This ensures that the data and the
time requirements of the attacks quickly become impractical.
3.2.3
Algebraic attacks on Block ciphers
Basic Idea: In contrast, algebraic attacks exploit the intrinsic algebraic structure
of the cipher. The attacker is able to express the encryption transformation as a
large set of multivariate polynomial equations, and subsequently attempt to solve
such a system of equations to recover the encryption key.
Where do these equations come from? As discussed earlier, many block ciphers are built using multiple S-boxes (that provide confusion) that are interconnected using simple linear transformations (that provide diffusion). The operation of
S-boxes can be represented by a system of nonlinear equations. New equations can
be added to represent the linear transformations that connect these S-boxes and a
system of equations that describes the entire cipher can be obtained. S-boxes often
form the only source of non-linearity in a cipher and therefore (usually)provide the
main difficulty in solving the system of equations efficiently.
S-boxes are therefore typically carefully chosen to avoid explicit low degree relations
involving plaintext, key and ciphertext bits. However, sometimes implicit low degree relations might occur. For example, typically combining relations of a certain
degree results in equivalent but even more complex new relations which are not useful at all. But sometimes, intelligent combining of existing relations might result in
new ”simplified” relations; like relations with lower degrees for example. In [CP02],
the authors discuss that the ciphers ”Serpent” and ”Rijndael”, for different reasons,
have S-boxes that can be completely represented by ”simple” algebraic equations.
Building on recent progress in Relinearization techniques(discussed later), the authors argue that a method called XSL might provide a way to effectively solve such
equations and recover the key from a few plaintext-ciphertext pairs.
How are these methods different from statistical methods? As discussed in [BC03], the algebraic attack method differs in the following respects from
the standard statistical approaches to cryptanalysis:
(a) it requires only few known-plaintext queries;
(b) its complexity doesn’t seem to grow exponentially with the number of rounds of
a cipher.
Structure of Algebraic attacks:
In [Cou04c], Courtois suggests the following three stages in attacking block
ciphers:
1. Write an appropriate initial system: Write a system of equations that, given
one or several known plaintexts, uniquely characterizes the key. This system
should be as over-defined and as sparse as possible. This can be measured by
the initial ratio Rini /Tini between the number of equations Rini in the system
and the total number of monomials Tini that appear in it. It is not clear
what is the optimal setting for algebraic attacks. Note that we care about
number of monomials in these equations because the XSL method described
later can attack systems of equations with a small number of monomials(sparse
equations).
2. Expand it: The second step is an expansion step. The goal is, starting from
the original Rini equations with Tini monomials, to produce (for example by
multiplying the equations by some well chosen polynomials) another (much
bigger) set of R equations with T monomials. The goal is to have the new
ratio R/T close (or bigger than) 1.
3. Final in place elimination: The final step should be an in place elimination
method that given an almost saturated system with R/T close to 1, finds a
solution to the system.
How to avoid algebraic attacks on block ciphers: In [Cou04c], Courtois
proposes that to avoid algebraic attacks on Block ciphers, the S-boxes of the block
cipher should avoid the existence of ”too simple” algebraic relations. The exact
definition of ”simple” that would prevent all algebraic attacks on block ciphers is
not obvious to give. But for example, systems that are too overdefined or too sparse
should be avoided. Courtois says that this should not be too hard to achieve. He
says that using random S-boxes on 8 bits should be about sufficient to achieve 128
bit security(though not for sure). He recommends to construct bigger S-boxes that
have no algebraic relations starting from random bijective 8-bit S-boxes, and for
higher security requirements random S-boxes of at least 16 bits be used.
Chapter 4
Solving systems of multivariate
equations
4.1
The Quadratic Solvability problem
As we described earlier, algebraic attacks are especially relevant against ciphers that use the hardness of the problem of solving multivariate polynomial equations as the basis for their security. We also mentioned that this problem (called MQ) is NP-complete. Here we provide the reduction from 3-SAT to MQ [HPS93].
Let $p$ be a fixed prime. We consider the following problem: an instance is a set of polynomial equations $P_i$ of degree at most two in $n$ unknowns over $\mathbb{F}_p$,
$$P_i(x_1, \ldots, x_n) = 0 \quad \text{for } i = 1, 2, \ldots, s.$$
The problem is to find an assignment to the variables which satisfies the equations.
Theorem 4.1.1. [GJ79] MQ is NP-complete over any finite field.
Proof. We show a polynomial time reduction from 3SAT to MQ over $\mathbb{F}_2$. We are given a conjunction of clauses $C_1 \wedge C_2 \wedge C_3 \wedge \cdots$, each of the form $C_i = t_{i1} \vee t_{i2} \vee t_{i3}$, where the $t_{ij}$'s are either positive or negated variables. We write 3 equations for each clause $C_i$:
1. $y_i = t_{i1} + t_{i2} + t_{i3}$ (an odd number of terms are true)
2. $z_i = t_{i1} t_{i2} + t_{i1} t_{i3} + t_{i2} t_{i3}$ (at least two terms are true)
3. $y_i + z_i + y_i z_i = 1$ (one or both of the above must be satisfied)
where if $t_{ij}$ is a positive variable $x_j$, then we use $x_j$ directly in the equations above, otherwise $(1 - x_j)$. Each equation has degree at most two, and the $y_i, z_i$ are determined by the $x_j$, so the system has a solution exactly when the formula is satisfiable.
If we want a field bigger than $\mathbb{F}_2$, then we need to add additional equations of the form $x_j(1 - x_j) = 0$ for each variable. This will force 0/1 values in the solution.
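The reduction in the proof can be checked mechanically on a small instance. The Python below is an added example, not part of the thesis: it builds, for each clause, the three polynomial equations of the proof over $\mathbb{F}_2$ (a negated literal becomes $1 + x_j$), then verifies by brute force that the $x$-part of every solution of the resulting MQ system is a satisfying assignment and vice versa, and that no equation exceeds degree two. The 3-CNF formula is constructed for the example.

```python
from itertools import product

# A polynomial over F2 is a set of monomials, each a sorted tuple of variable indices, () = 1.
# Addition is symmetric difference (^); multiplication toggles the products of monomials.
def pmul(p, q):
    out = set()
    for a in p:
        for b in q:
            out ^= {tuple(sorted(set(a) | set(b)))}       # x_i^2 = x_i over F2
    return out

def literal(lit):
    """lit = +j encodes x_j, lit = -j its negation 1 - x_j = 1 + x_j (variables numbered from 1)."""
    j = abs(lit) - 1
    return {(j,)} if lit > 0 else {(j,), ()}

def clause_equations(clause, y, z):
    """The three polynomials P = 0 of the proof for clause t1 v t2 v t3 with fresh y, z."""
    t1, t2, t3 = (literal(l) for l in clause)
    e1 = {(y,)} ^ t1 ^ t2 ^ t3                                # y = t1 + t2 + t3
    e2 = {(z,)} ^ pmul(t1, t2) ^ pmul(t1, t3) ^ pmul(t2, t3)  # z = t1t2 + t1t3 + t2t3
    e3 = {(y,), (z,), ()} ^ pmul({(y,)}, {(z,)})              # y + z + yz = 1
    return [e1, e2, e3]

def reduce_3sat(formula, nvars):
    """MQ instance for a 3-CNF formula: x_j -> index j-1, (y_i, z_i) -> (nvars+2i, nvars+2i+1)."""
    system = []
    for i, clause in enumerate(formula):
        system += clause_equations(clause, nvars + 2 * i, nvars + 2 * i + 1)
    return system, nvars + 2 * len(formula)

def evaluate(poly, a):
    return sum(all(a[i] for i in m) for m in poly) % 2

def degree(poly):
    return max(len(m) for m in poly)

def mq_solutions(system, n):
    """Exhaustive search; fine for the toy sizes used here."""
    return [a for a in product((0, 1), repeat=n) if all(evaluate(p, a) == 0 for p in system)]

def sat_assignments(formula, nvars):
    return [a for a in product((0, 1), repeat=nvars)
            if all(any(a[abs(l) - 1] == (l > 0) for l in c) for c in formula)]

# Constructed instance: (x1 v -x2 v x3) & (-x1 v x2 v -x4) & (x2 v x3 v x4)
FORMULA, NVARS = [(1, -2, 3), (-1, 2, -4), (2, 3, 4)], 4

def check_reduction(formula=FORMULA, nvars=NVARS):
    """Returns (max degree, number of MQ equations, x-projections of MQ solutions, SAT assignments)."""
    system, n = reduce_3sat(formula, nvars)
    sols = mq_solutions(system, n)
    return (max(degree(p) for p in system), len(system),
            sorted({s[:nvars] for s in sols}), sat_assignments(formula, nvars))
```

Each clause costs two fresh variables and three equations, so a formula with $n$ variables and $c$ clauses becomes an MQ instance with $n + 2c$ unknowns and $3c$ equations of degree at most two; a negated literal raises the degree of the $z_i$ equation no further than two because $(1 + x_a)(1 + x_b)$ is still quadratic.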
4.2
Methods of solving systems of multivariate polynomial equations:
We know that algebraic attacks rely on being able to exploit some intrinsic algebraic
structure of the cipher to set up a feasible system of equations involving the plaintext,
ciphertext and key bits, and then endeavor to solve this system. Briefly discussed
here are some of the main ideas and algorithms used to solve such systems. We
provide only a brief overview of each method and refer the reader to the appropriate
papers for detailed algorithms.
1. Linearization method.
2. Relinearization
3. XL method
4. XSL method
5. Gröbner basis techniques
6. SAT solvers
7. ”Gluing” algorithm
4.2.1
Linearization
Linearization is a technique for solving very overdefined systems of quadratic equations. It works by substituting each nonlinear term by a new variable, thus converting a nonlinear system of equations into a linear system with many more unknowns.
If the system is sufficiently overdefined, then it can be solved by standard methods
such as Gaussian elimination.
More precisely, consider a system of $m = \epsilon n^2$ quadratic equations in $n$ variables. We substitute every quadratic term $x_i x_j$ ($i \le j$) by a new variable, which gives $n(n+1)/2$ new variables. Now we have a linear system of $\epsilon n^2$ equations in about $n^2/2$ new variables, which can be solved by Gaussian elimination if $m \ge n(n+1)/2$, i.e. roughly if $\epsilon \ge 0.5$.
But since $\epsilon < 0.5$ in real applications, the number of equations is often not big enough, and the linear system has exponentially many solutions which do not correspond to solutions of the original quadratic system.
4.2.2
Relinearization
[KS99] At Crypto 99, Kipnis and Shamir introduced a new method for solving overdefined systems of polynomial equations, called Relinearization. It was designed to handle systems of εn² quadratic equations in n variables where 0 ≤ ε ≤ 1/2.
Relinearization starts as does linearization, that is by replacing quadratic
terms by new variables. (For every xi xj , i ≤ j, create a new variable yij ). Given
this system of linear equations in the yij , one adds additional nonlinear equations
which express the fact that these variables are related rather than independent. For example, we can take any 4-tuple of indices 1 ≤ a ≤ b ≤ c ≤ d ≤ n and form new equations from the commutativity and associativity of multiplication:
$$(x_a x_b)(x_c x_d) = (x_a x_c)(x_b x_d) = (x_a x_d)(x_b x_c) \implies y_{ab} y_{cd} = y_{ac} y_{bd} = y_{ad} y_{bc}.$$
Thus we have increased the number of equations, though these new equations are
nonlinear. To make them linear, one applies linearization again.
Kipnis and Shamir used Relinearization to attack the HFE cryptosystem
based on the observation that any given system of n multivariate polynomials in n
variables over a field F can be represented by a single univariate polynomial of a
special form over K which is an extension field of degree n over F .[KS99] However
the technique of Relinearization is quite general and may be applied to other ciphers
as well.
The problem with Relinearization is that the added equations may turn out to be linearly dependent if ε is "too small" (e.g. ε < 0.1), so that the method no longer yields enough independent equations. For more details, we refer the reader to [KS99].
4.2.3
XL algorithm
[CKPS00] The XL (eXtended Linearization) technique can be viewed as a combination of bounded-degree Gröbner bases and linearization. XL was introduced by Courtois, Klimov, Patarin and Shamir in [CKPS00]. As explained there, the basic idea of the technique is to generate from each polynomial equation a large number of higher-degree variants by multiplying it with all possible monomials of some bounded degree, and then to linearize the expanded system. The authors claim that this simple technique is at least as powerful as Relinearization.
The XL algorithm is described in [SKI06] as follows:
Let K be a field, and let A be a system of multivariate quadratic equations l_k = 0 (1 ≤ k ≤ m), where each l_k is the multivariate polynomial f_k(x_1, ..., x_n) − b_k. The problem is to find at least one solution x = (x_1, ..., x_n) ∈ K^n for a given b = (b_1, ..., b_m) ∈ K^m.
Let D ∈ ℕ. We consider all the polynomials $\big(\prod_j x_{i_j}\big)\, l_i$ of total degree ≤ D, and call the set of all such polynomials P. Let I_D be the set of polynomials spanned by P, i.e.
$$I_D = \Big\{\, u \;\Big|\; u = \sum_i \alpha_i p_i,\ \alpha_i \in K,\ p_i \in P \Big\}.$$
The idea of the XL algorithm is to find in some I_D a set of equations which is easier to solve than the initial set of equations A.
This is the authors’ description of the XL algorithm:
1. Multiply: Starting with the equations l_i = 0 ∈ A, multiply both sides of each equation by monomials to generate all the products $\prod_{j=1}^{k} x_{i_j}\, l_i \in I_D$ with k ≤ D − 2 on the LHS. This gives us a new set of equations.
2. Linearize: Consider each monomial in xi of degree ≤ D as a new variable and
perform Gaussian elimination on the equations obtained in 1.
3. Solve: Assume that step 2 yields at least one univariate equation in the powers of x1 . Solve this equation over the finite fields (e.g. with Berlekamp’s
algorithm).
4. Repeat: Simplify the equations and repeat the process to find the values of
the other variables.
The XL algorithm is very simple, but it is not clear for which values of n and m it terminates successfully, what its asymptotic complexity is, and what its relationship to Relinearization and Gröbner basis techniques is. The authors nevertheless claim that, despite its simplicity, XL may be one of the best algorithms for randomly generated overdefined systems of multivariate equations.
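As an added worked example serving both the Linearization section above and this one (it is my own code, not code from the thesis or from [CKPS00]), the following Python implements plain linearization as the D = 2 case of XL over F_2. The variables are Boolean (x_i² = x_i), so a polynomial is a set of multilinear monomials and a monomial is an n-bit mask; the sample system is constructed at random with a planted root and is regenerated until that root is unique and linearization alone cannot recover it, so the run shows XL succeeding at some D ≥ 3. The function names, the seed and the system size (8 equations in 6 variables) are my own choices.

```python
import random

# Added example, not from the thesis: XL over F2 with Boolean variables
# (x_i^2 = x_i). A polynomial is a set of monomials and a monomial is an n-bit
# mask of the variables it contains (mask 0 is the constant 1); adding a term
# twice cancels it, which is addition in F2.

def popcount(x):
    return bin(x).count("1")

def mul_monomial(poly, mono):
    """Multiply poly by a monomial; OR-ing masks applies x_i^2 = x_i."""
    out = set()
    for t in poly:
        out ^= {t | mono}
    return out

def evaluate(poly, point):
    """Value of poly at `point`, a mask whose bit i is the value of x_i."""
    return sum(1 for t in poly if (t & ~point) == 0) & 1

def rref_gf2(rows):
    """Reduced row echelon form over F2; a row is an int, its pivot the highest set bit."""
    pivots = {}
    for r in rows:
        while r:
            p = r.bit_length() - 1
            if p in pivots:
                r ^= pivots[p]
            else:
                pivots[p] = r
                break
    for p in sorted(pivots, reverse=True):      # back-substitution
        for q in pivots:
            if q != p and (pivots[q] >> p) & 1:
                pivots[q] ^= pivots[p]
    return list(pivots.values())

def xl_solve(system, n, max_degree=None):
    """XL: for D = 2, 3, ... multiply each equation by every monomial of degree
    <= D-2, treat each monomial of degree <= D as a fresh unknown (columns are
    ordered by degree, constant first, so rows reduce towards the linear part),
    row-reduce, and stop once a row x_i + c appears for every i. D = 2 is plain
    linearization. Returns (solution bits, D) or (None, None)."""
    if max_degree is None:
        max_degree = n + 2      # multipliers up to degree n span the whole ideal
    for D in range(2, max_degree + 1):
        monos = sorted((m for m in range(1 << n) if popcount(m) <= D),
                       key=lambda m: (popcount(m), m))
        col = {m: i for i, m in enumerate(monos)}   # constant -> bit 0, x_i -> bit i+1
        rows = []
        for f in system:
            for mult in range(1 << n):
                if popcount(mult) <= D - 2:
                    r = 0
                    for t in mul_monomial(f, mult):
                        r ^= 1 << col[t]
                    rows.append(r)
        low = (1 << (n + 1)) - 1        # columns of the constant and the n variables
        found = {}
        for r in rref_gf2(rows):
            if r & ~low:
                continue                # still contains a monomial of degree >= 2
            v = r >> 1
            if v and v & (v - 1) == 0:  # exactly one variable: x_i + c = 0
                found[v.bit_length() - 1] = r & 1
        if len(found) == n:
            return tuple(found[i] for i in range(n)), D
    return None, None

def random_system(n, m, secret, rng):
    """m random quadratic equations over F2 vanishing at `secret` (constructed
    input): the constant term is set last so that the root is planted."""
    system = []
    for _ in range(m):
        poly = {t for t in range(1, 1 << n) if popcount(t) <= 2 and rng.random() < 0.5}
        if evaluate(poly, secret):
            poly ^= {0}
        system.append(poly)
    return system

def solutions_by_search(system, n):
    """Exhaustive search, used only to certify that the planted root is unique."""
    return [p for p in range(1 << n) if all(evaluate(f, p) == 0 for f in system)]

def demo(n=6, m=8, seed=7):
    """8 equations in 6 variables: 21 non-constant monomials, so plain
    linearization is underdetermined. Retry until the root is unique and
    linearization (D = 2) fails, then let XL raise the degree."""
    rng = random.Random(seed)
    secret = rng.randrange(1 << n)
    while True:
        system = random_system(n, m, secret, rng)
        if solutions_by_search(system, n) == [secret]:
            lin, _ = xl_solve(system, n, max_degree=2)
            if lin is None:
                break
    sol, D = xl_solve(system, n)
    return secret, sol, D, lin

if __name__ == "__main__":
    secret, sol, D, lin = demo()
    print("secret:", [(secret >> i) & 1 for i in range(6)])
    print("linearization alone:", lin, "| XL solution:", sol, "at D =", D)
```

At D = 2 the rows are just the original equations, and with fewer equations than monomials no row reduces to a single variable; each increase of D adds the products by monomials of degree D − 2 until the row-reduced matrix contains x_i + a_i for every i. Over F_2 with Boolean variables the "Solve" step of the algorithm is trivial, since a univariate row is already linear. The loop is guaranteed to end: with multipliers up to degree n the products span the whole ideal of the Boolean ring, which for a system with a unique solution contains every x_i + a_i, so the answer appears by D = n + 2 at the latest.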
4.2.4
XSL method
XSL stands for "eXtended Sparse Linearization" or, more descriptively, "multiply (X) by Selected monomials and Linearize". The XSL algorithm uses the sparsity of the equations and their specific structure to attack the system. It was introduced by Courtois and Pieprzyk in [CP02], where the attack is described specifically against what the authors call "XSL ciphers"; the idea has broader implications, however, and can be applied to other block ciphers as well. The paper created a lot of controversy. The authors expressed Rijndael as a sparse and overdefined system of multivariate quadratic equations over F_2 and proposed XSL to solve this system by exploiting its overdefinedness and sparseness. However, the complexity of XSL is not well understood and there is no full-scale implementation of the attack; a later analysis by Cid and Leurent (Asiacrypt 2005) concluded that the XSL algorithm, as described in [CP02], is unlikely to work against AES. Even so, the simple algebraic structure of Rijndael has been a source of concern since the attack was published, and even if the attack is impractical now, it might have implications for the future.
An XSL cipher is a composition of N_r similar rounds:
X: The first round (i = 1) starts by XORing the input with the session key K_{i−1} = K_0.
S: Then we apply a layer of B bijective S-boxes in parallel, each on s bits.
L: Then we apply a linear diffusion layer.
X: Then we XOR with another session key K_i. If i = N_r we finish; otherwise we increment i and go back to step S.
The authors loosely describe the main idea of the algorithm as follows. Starting from the initial equations of each S-box of the cipher (r equations in t terms per S-box), one writes a system of quadratic equations that completely determines the secret key of the cipher. To exploit the sparsity of the system, the total number of linearly independent equations must be roughly equal to the total number of monomials that appear; the sparseness is then meant to limit the number of new terms introduced when the equations are multiplied by the selected monomials.
4.2.5
Gröbner basis techniques
Gröbner basis techniques are the standard techniques for solving systems of multivariate polynomial equations, and have been studied intensively. Gröbner bases were first introduced by Bruno Buchberger in his 1965 PhD dissertation; they are named after his advisor Wolfgang Gröbner. Gröbner basis theory is applied in the following way [Buc06]: given a set F of polynomials in κ[x_1, x_2, ..., x_n] that describes the problem at hand, we transform F into another set G of polynomials "with certain nice properties" (a Gröbner basis) such that F and G generate the same ideal. The motivation for this conversion is that, because of the useful properties of Gröbner bases, some problems which are hard to solve for F may be easy to solve for G.
Definition. Gröbner Basis: Fix a monomial order. A set of polynomials g_1, g_2, ..., g_t is a Gröbner basis (of the ideal it generates) if every polynomial f can be written by division as $f = \sum_i h_i g_i + r$ for polynomials h_1, h_2, ..., h_t such that:
1. r = 0 if and only if f ∈ ⟨g_1, g_2, ..., g_t⟩, where ⟨g_1, g_2, ..., g_t⟩ denotes the ideal generated by g_1, g_2, ..., g_t.
2. The remainder r is uniquely determined by f (it does not depend on the order in which the g_i are used in the division).
Buchberger's algorithm converts a given basis f_1, f_2, ..., f_t into a Gröbner basis g_1, g_2, ..., g_s of the same ideal, i.e. ⟨f_1, ..., f_t⟩ = ⟨g_1, ..., g_s⟩. For a clear and understandable introduction to Gröbner bases, we refer the reader to [Stu05]. The classical algorithm, however, does not exploit the overdefinedness of a given system, since it proceeds by eliminating a single leading monomial from one pair of polynomials at a time (reducing S-polynomials). Its worst-case running time is exponential, and in this form it was not considered usable for cryptanalysis. The cryptographically important case of using Gröbner basis techniques to solve multivariate systems of quadratic equations did not receive enough attention until fairly recently (we discuss this later). Faugère proposed new and efficient ways to compute Gröbner bases in his F4 and F5 algorithms. Efficient computation of Gröbner bases has had implications for algebraic attacks, as explored in [BPW05, FA03, FJ03, CMR05]. In particular, Faugère's F5 algorithm was used to break the first HFE challenge in [FJ03]. The relation between the XL algorithm and Gröbner basis algorithms has been studied in [SKI06].
4.2.6
SAT solvers
Recently, methods have been studied to convert low-degree sparse multivariate equations into a CNF-SAT problem. This might seem pointless, since CNF-SAT is itself an NP-complete problem. However, several effective heuristic solvers for CNF-SAT have been developed in recent years, for example MiniSat [ES03] and Chaff [MMZ+01]. A nice primer on SAT solvers is provided in [Mit05]. The approach is motivated by the observation of Bard, Courtois and Jefferson in [BCJ07] that "no polynomial-system-solving algorithm demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations." The authors therefore study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem. They claim that a direct application of this method gives very efficient results: they show that sparse multivariate quadratic systems (especially if overdefined) can be solved much faster than exhaustive search if the system is s sparse enough. Methods to convert the MQ problem to CNF-SAT, and the subsequent solving of CNF-SAT using SAT solvers, have been discussed at length by Bard in his PhD thesis [Bar07].
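The MQ-to-CNF conversion this section describes, as an added worked example (my own code, not code from [BCJ07], [Bar07] or the thesis): every quadratic monomial gets a Tseitin variable standing for the AND of its factors, every equation becomes a XOR constraint, and long XORs are cut into short chains through fresh variables (the "cutting number" idea of [Bar07]) so that the clause count stays linear rather than 2^(k−1). A minimal DPLL solver stands in for MiniSat or Chaff. The class and function names, the cutting number of 4, and the four-equation sample system (whose only solution I checked by hand to be x = (0, 0, 1, 0)) are all constructed for this illustration.

```python
import itertools

# Added example, not from the thesis: MQ -> CNF-SAT with a small DPLL solver.
# A polynomial over F2 is a set of monomials, each a frozenset of 1-based
# variable numbers; frozenset() is the constant 1. Each equation reads
# "sum of monomials = 0". Clauses use DIMACS style: +v is x_v, -v is NOT x_v.

class CnfBuilder:
    def __init__(self, n_vars):
        self.n = n_vars            # SAT variables 1..n_vars stand for x_1..x_n
        self.clauses = []
        self.products = {}         # monomial -> variable standing for its AND

    def fresh(self):
        self.n += 1
        return self.n

    def and_var(self, mono):
        """Tseitin encoding of m <-> AND(x_i for i in mono)."""
        if mono not in self.products:
            m = self.fresh()
            for v in mono:
                self.clauses.append([-m, v])                 # m -> x_i
            self.clauses.append([m] + [-v for v in mono])    # all x_i -> m
            self.products[mono] = m
        return self.products[mono]

    def xor_equals(self, lits, parity, cut=4):
        """Encode lits[0] xor ... xor lits[-1] = parity. A XOR of k variables
        needs 2^(k-1) clauses directly, so longer sums are cut into chunks of
        `cut` variables chained through fresh variables (the cutting number)."""
        lits = list(lits)
        while len(lits) > cut:
            t = self.fresh()
            self._xor_direct(lits[:cut - 1] + [t], 0)   # t = xor of first cut-1 lits
            lits = [t] + lits[cut - 1:]
        self._xor_direct(lits, parity)

    def _xor_direct(self, lits, parity):
        for bits in itertools.product((0, 1), repeat=len(lits)):
            if sum(bits) % 2 != parity:                 # forbid each wrong-parity assignment
                self.clauses.append([-v if b else v for v, b in zip(lits, bits)])

def mq_to_cnf(system, n):
    """Each equation becomes one XOR constraint: degree-1 monomials are the
    variables themselves, higher-degree monomials their AND-variables, and a
    constant 1 flips the required parity."""
    builder = CnfBuilder(n)
    for poly in system:
        parity, lits = 0, []
        for mono in poly:
            if len(mono) == 0:
                parity ^= 1
            elif len(mono) == 1:
                lits.append(next(iter(mono)))
            else:
                lits.append(builder.and_var(mono))
        builder.xor_equals(lits, parity)
    return builder

def dpll(clauses, assignment):
    """Minimal DPLL: unit propagation to a fixed point, then branch."""
    assignment = dict(assignment)
    while True:
        unit = None
        for clause in clauses:
            open_lits = []
            for lit in clause:
                val = assignment.get(abs(lit))
                if val is None:
                    open_lits.append(lit)
                elif val == (lit > 0):
                    break                                  # clause satisfied
            else:
                if not open_lits:
                    return None                            # conflict
                if len(open_lits) == 1:
                    unit = open_lits[0]
                    break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    for clause in clauses:
        for lit in clause:
            var = abs(lit)
            if var not in assignment:
                for value in (True, False):
                    model = dpll(clauses, {**assignment, var: value})
                    if model is not None:
                        return model
                return None
    return assignment

def evaluate(poly, point):
    """Value of poly at point, a tuple of bits with point[i] = x_{i+1}."""
    return sum(all(point[v - 1] for v in mono) for mono in poly) % 2

def solve_mq_by_sat(system, n):
    """Convert, solve, and map the model back to the x_i (unconstrained ones read as 0)."""
    builder = mq_to_cnf(system, n)
    model = dpll(builder.clauses, {})
    if model is None:
        return None
    return tuple(int(model.get(i + 1, False)) for i in range(n))

# Constructed sample system in four variables; its only solution is x = (0, 0, 1, 0).
SAMPLE_SYSTEM = [
    {frozenset({1, 2}), frozenset({3}), frozenset()},                # x1 x2 + x3 + 1 = 0
    {frozenset({1}), frozenset({4})},                                # x1 + x4 = 0
    {frozenset({2, 3}), frozenset({4})},                             # x2 x3 + x4 = 0
    {frozenset({1}), frozenset({2}), frozenset({3}), frozenset({4}), frozenset()},  # x1+x2+x3+x4+1 = 0
]

if __name__ == "__main__":
    print("solution:", solve_mq_by_sat(SAMPLE_SYSTEM, 4))
```

The encoding is exact, so any model restricted to x_1, ..., x_n is a root of the system and an unsatisfiable system (e.g. x_1 + 1 = 0 together with x_1 = 0) makes the solver return None. The cutting step is what makes the approach scale to the sparse systems [BCJ07] targets: a XOR of 7 variables costs 20 clauses after cutting at 4 instead of 64.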
4.2.7
”Gluing” Algorithm
In [RS06], Raddum and Semaev take a different approach to the problem of solving non-linear equation systems and propose a new method for solving them. Their method differs from the others in that the equations are not represented as multivariate polynomials (each equation is stored as the list of assignments of its own variables that satisfy it, and the solution sets of equations sharing variables are combined, or "glued", pairwise), and in that the core of the algorithm for finding the solution can be seen as message passing on a graph. Bounds on the complexities of the main algorithms are presented, and they compare favorably with the known bounds.
Chapter 5
Explicit Constructions of
Boolean functions with
Important Cryptographic
Properties
The known methods for design and construction of Boolean functions and S-boxes
can be categorized into these main types of techniques:
1. Algebraic construction
2. Heuristic design
5.1
Algebraic construction
Boolean functions can be directly constructed in two broad ways: bit-by-bit and recursively. Bit-by-bit methods, also called primary construction methods, generate the entire truth table of a Boolean function. The truth table is created to satisfy some constraints, and these constraints ensure that the constructed function has some predetermined property (or properties). Such methods, however, tend to become infeasible very quickly as the number of inputs grows. Recursive constructions, also called secondary constructions, start with existing functions that satisfy a property and then combine them to obtain a new function with more inputs that also satisfies the property. To understand how smaller functions might be combined to create a bigger function, consider two functions, say f on F_2^n and g on F_2^m, that satisfy some property (e.g. high nonlinearity). Now create a new function h on F_2^{n+m} in some way that preserves the property. For example, a crude way to construct h would simply be h(x, y) = f(x) ⊕ g(y), with x ∈ F_2^n and y ∈ F_2^m. (Note: this example only illustrates the basic idea; this crude construction of h does not claim to preserve nonlinearity.) One method of constructing bigger functions from smaller ones is concatenation, meaning concatenation of truth tables. To define it, let f_1, f_2 : F_2^n → F_2 and define g : F_2^{n+1} → F_2 by g(z) = (y + 1) f_1(x) + y f_2(x), where z = (y, x) with y ∈ F_2 and x ∈ F_2^n. Clearly g(0, x) = f_1(x) and g(1, x) = f_2(x), so the truth table of g is the truth table of f_1 followed by that of f_2. In [Sei84], Siegenthaler showed that if f_1, f_2 are m-th order correlation immune and have the same Hamming weight (e.g. both are balanced), then so is g.
Concatenation is popularly deployed in the construction of functions. Some special classes of functions, the Maiorana-McFarland class for example, use concatenation in their construction. The Maiorana-McFarland construction is based on the concatenation of affine functions. The Maiorana-McFarland function f : F_2^n → F_2 takes the form [KTLG05]:
f(x) = g(x_0, ..., x_{k−1}) + (x_k, ..., x_{n−1}) · φ(x_0, ..., x_{k−1}),
where g : F_2^k → F_2 and φ : F_2^k → F_2^{n−k}, and g and φ are linear functions. For each fixed value of (x_0, ..., x_{k−1}) the function is affine in (x_k, ..., x_{n−1}), so the truth table of f is the concatenation of 2^k affine functions. Sarkar and Maitra showed in [SM00a] that if one of the linear functions in the above construction is replaced by a nonlinear function, one obtains resilient functions with high nonlinearity.
A related method of secondary construction is to start with a suitable function and modify it to improve its properties. Modification of a given function might mean, for example, complementing a few bits in its truth table. Constructing functions by starting from a function in the Maiorana-McFarland class was quite popular [Pas03, GS05]. However, Carlet pointed out in [Car02] that functions constructed by modifying a Maiorana-McFarland function may be weak, since the derived functions obtained by fixing certain input bits of these functions are affine. To avoid this potential weakness, Carlet introduced a natural extension of the Maiorana-McFarland class: the Maiorana-McFarland superclass. In [ZH05], Zeng and Hu construct balanced Boolean functions with high nonlinearity and optimum algebraic degree by modifying functions from this superclass. Useful studies of the properties of functions belonging to the Maiorana-McFarland class have been conducted in [Car04a, Pas06].
We give some examples here of the various ways in which the construction of cryptographically strong Boolean functions has been approached. The following discussion (on algebraic construction) is by no means comprehensive; a complete discussion of this vast body of literature is beyond the scope of this survey. A good discussion of the algebraic construction of cryptographically strong Boolean functions can be found in [Car06a].
In [KMI91], the authors propose a recursive construction method to construct
”strong”(with respect to avalanche criterion) S-boxes of arbitrary size when given
as input ”strong” S-boxes of size 3 (i.e. 3 bit input).
In [Tar01], the author introduces a matrix of special form, called a proper matrix, and uses it for constructing cryptographically strong Boolean functions. In [FT01], the authors further explore the properties of proper matrices, obtain bounds on their important parameters, and construct m-resilient n-variable Boolean functions with the maximum possible nonlinearity for particular values of m, superseding the previous construction.
In [KG03], the authors present constructions based on the theory of geometric sequences by Klapper, Chan and Goresky [AAG93]. They start with an (n − 1)-th order plateaued 1-resilient function in n variables (a 1-resilient function whose Walsh-Hadamard transform takes only the values 0 and ±2^{(n+1)/2}), and from any one such function they are able to obtain an infinite number of 1-resilient plateaued functions by applying the geometric sequence construction of [AAG93].
In [SS04], the authors use partially defined Boolean functions (PDBF) to generate cryptographically strong Boolean functions. A PDBF, as they define it, can be considered as a Boolean function with some undefined values, i.e. its values are from the set {0, 1, ?}. They generalize some known properties of Boolean functions, like balancedness, nonlinearity and propagation characteristics, to these functions and show that the usual relationships among these properties hold for the generalizations as well. They then apply the results in methods for generating strong Boolean functions.
In [CY05], the authors generalize the techniques used in MacWilliams’ and
Sloane’s presentation of the Kerdock code and develop a theory of piecewise quadratic
Boolean functions. This generalization leads them to construct large families of potentially new bent and cryptographically strong functions from quadratic forms in
this piecewise fashion.
Another flavor of method used in the generation of functions is the so-called search methodology. Search methods typically find a small subset of Boolean functions using combinatorial techniques and then perform exhaustive search over the reduced domain. For example, in [KTLG05], the authors describe some constructions based on finite fields. They present an efficient search algorithm that exhaustively searches for highly nonlinear resilient Boolean functions with optimum correlation properties from among special classes of functions called "preferred" functions. Search methods are usually used in conjunction with recursive construction methods: searching is used to find suitable functions, which are then combined to create better functions.
Algebraic methods are very good for constructing functions with certain specific properties, but they do not in general perform well for properties that were not considered during construction. For example, some functions constructed from the Maiorana-McFarland class which were considered strong were suddenly found to be vulnerable when algebraic attacks were introduced. This is because "algebraic immunity", which quantifies the resistance of functions to algebraic attacks, had not been identified at the time these functions were constructed, so they were not designed to have high AI [MPC04].
5.2
Heuristic Design
Heuristic techniques like Simulated Annealing and Genetic algorithms have enjoyed
much success in Computer Science despite little theoretical backing. Consider an
optimization problem P . A heuristic search algorithm will look for a solution to P
by ”implicitly defining a search graph on possible solutions to P , and using some
(often randomized) method for moving along the edges of this graph in search of
good quality solutions” [Imp01]. Some years ago, these methods became popular
in the generation of cryptographically strong functions. We briefly describe below
some main flavors of heuristic design as deployed in Boolean function generation.
A word on optimization techniques: optimization techniques work either with a single candidate solution or with a population of candidate solutions. Techniques working with a single solution are called local techniques, and those working with many solutions are called global techniques. The optimization is carried out with respect to some "cost function" that measures how "good" a candidate is [CJ00].
1. Genetic algorithm: The Genetic Algorithm (GA) mimics the natural process of evolution; the "genes" are a population of solutions to the problem at hand. It then uses a "breeding scheme" to combine solutions and create new ones. The breeding scheme usually combines "better" solutions, according to some criteria, in some manner to produce new solutions, in the hope that the new solutions will be better than the old ones. Genetic algorithms can be considered to have the following outline, as described by Obitko [Obi]:
(a) Start Generate a random population of n chromosomes (suitable solutions
for the problem).
(b) Fitness Evaluate the fitness f (x) of each chromosome x in the population.
(c) New population Create a new population by repeating the following steps
until the new population is complete:
Selection Select two parent chromosomes from a population according to
their fitness (the better fitness, the bigger chance to be selected)
Crossover With a crossover probability cross over the parents to form a
new offspring (children). If no crossover was performed, offspring is an
exact copy of parents.
(d) Mutation With a mutation probability mutate new offspring.
(e) Accepting Place new offspring in a new population.
(f) Replace Use new generated population for a further run of the algorithm.
(g) Test If the end condition is satisfied, stop, and return the best solution
in current population.
(h) Loop If the end condition is not satisfied, go to step (b).
The most important steps in the above outline are crossover and mutation. Crossover selects genes from the parent chromosomes and creates a new offspring. The simplest way to do this is to choose a crossover point at random and copy everything before this point from the first parent and everything after it from the second parent. Mutation prevents all solutions from collapsing into a local optimum of the problem being solved: it randomly changes the new offspring.
In our context, a gene/chromosome is represented by the truth table of a function in binary format, i.e. each gene is a binary string that represents the truth table of the function. Fitness of the function is evaluated using the criteria we have been discussing: algebraic immunity, thickness, balancedness, and so on. During crossover, a random point is picked in the binary string representing each of the parents, and the values beyond that point are swapped between the two parents. More sophisticated techniques to "mate" are also used in practice. Mutation introduces some randomness into the pool of solutions; a possible mutation is to complement a random subset of bits in the string representing the function.
The genetic algorithm approach as applied to Boolean function generation has
been explored in [MCD97a, MCD98, DG03] (among others).
2. Hill Climbing: The Hill Climbing technique uses the fact that small truth
table changes have predictable effect on properties that we are interested in
(like nonlinearity, resiliency etc) . Due to this, we can make small incremental
changes to the truth table carefully, modifying the properties of the function
to make it more appropriate for our needs. This method typically changes truth table entries in pairs, with the constraint that the two entries being complemented have different values, so that the Hamming weight of the function is maintained. In [MFD03], the authors categorize these pairs of entries into three categories: improvement, static and reduction. In the improvement category, complementing the pair improves nonlinearity; in the static category, complementing the pair does not change nonlinearity; and in the reduction category, complementing the pair reduces nonlinearity. So there are variants of the hill climbing technique that iteratively complement pairs from the improvement set to get new functions with higher nonlinearity, or complement pairs from the static set to obtain different functions that have the same nonlinearity but that might be better with respect to other characteristics. The authors also discuss the difference between strong and weak hill climbing, introduced in [MCD97b] and [MCD99] respectively: strong hill climbing iteratively improves the function until the improvement set of the current function is empty or the maximum number of iterations has been reached, whereas in weak hill climbing the nonlinearity of the function does not necessarily increase in any given iteration but must not decrease.
In [MFD03], the authors also propose a new adaptive strategy called Dynamic
Hill Climbing which they describe as ”a truly adaptive technique because it
decides to implement either strong or weak hill climbing depending on the
classification of the current function”.
Thus, Hill climbing methods generally start with some function and make
iterative improvements. They will typically find the ”local maxima” of the
design space. Hill climbing to construct strong Boolean functions is explored
in [MFD03, MCD97b, MCD99]. A problem with these methods is that they
can get ”stuck in local optima”, meaning that once at the local optimum, the
algorithm will stop changing the function, thus potentially missing a better
function that is separated from the current function by a few weak functions.
This is avoided by techniques like simulated annealing which we describe next.
3. Simulated Annealing: Simulated Annealing is a method motivated by the
annealing process of metals and was introduced by Kirkpatrick, Gelatt and
Vecchi in [KJV83]. It was applied in the construction of Boolean functions
much later however; Clark and Jacob introduced simulated annealing to the
area of Boolean function generation in 2000 with [CJ00]. Annealing is a concept in metallurgy which refers to a technique involving heating and controlled
cooling of a material to increase the size of its crystals and reduce their defects.
The properties of the metal are improved if the atoms in the metal can lower
their internal energy states. This is accomplished by heating and slow cooling: the heat causes the atoms to move out of their current energy level (which corresponds to a local optimum, the locally lowest energy level) and wander randomly
through states of higher energy; the slow cooling gives them more chances of
finding configurations with lower internal energy than the initial one. Simulated annealing works similarly when applied to optimization problems and is
described below.
As described earlier, hill climbing methods tend to get stuck in local optima.
To counter this, techniques like simulated annealing allow worsening moves to
be accepted with some probability. The process is nicely described by Clark
and Jacob([CJ00]): ”From the current state a move in a local neighborhood is
generated and considered. Improving moves are always accepted. Worsening
moves may also be accepted probabilistically in a way that depends on the
temperature T of the search and the extent to which the move is worse. A
number of moves are considered at each temperature. Initially the temperature is high and virtually any move is accepted. Gradually the temperature is
cooled and it becomes ever harder to accept worsening moves. Eventually the
process ‘freezes’ and only improving moves are accepted at all. If no move has
been accepted for some time then the search halts.” Simulated Annealing is
often used in conjunction with hill climbing methods. For example, in [CJ00]
Clark and Jacob introduced a new cost function to be optimized which was
motivated by Parseval’s Theorem, and enabled the search to reach areas of the
design space from which hill climbing methods could be used more effectively.
Simulated Annealing has been further explored in [CJS+ 02, CJS05].
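The Maiorana-McFarland construction of Section 5.1 and the hill climbing and simulated annealing searches of this section, as one added worked example (my own code, not code from the thesis, [MFD03] or [CJ00]). A function is held as its truth table, its nonlinearity is computed from the Walsh-Hadamard spectrum, and both searches use the balance-preserving pair complements described above. Assumptions that are mine: the cost function is the nonlinearity itself rather than the Parseval-motivated cost of [CJ00]; the starting point is a random balanced function on 5 variables with seed 1; the annealing schedule (initial temperature 2, cooling factor 0.9 every 20 moves, 400 moves) and the function names are arbitrary.

```python
import math
import random

# Added example (not from the thesis): a Boolean function on n variables is a
# truth table of 2**n bits indexed by the input x, bit i of x being x_i.

def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for all a, by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max_a |W_f(a)| / 2."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def maiorana_mcfarland(n, g, phi):
    """f(x) = g(x') + x'' . phi(x'), x' = low k bits, x'' = high n-k bits.
    g and phi are tables over the 2^k values of x'; the truth table is the
    concatenation of 2^k affine functions of x''."""
    k = int(math.log2(len(g)))
    tt = []
    for x in range(1 << n):
        lo, hi = x & ((1 << k) - 1), x >> k
        tt.append(g[lo] ^ (bin(hi & phi[lo]).count("1") & 1))
    return tt

def balanced_pairs(tt):
    """Pairs (a, b) with f(a) != f(b): complementing both keeps the Hamming weight."""
    ones = [x for x, b in enumerate(tt) if b]
    zeros = [x for x, b in enumerate(tt) if not b]
    return [(a, b) for a in ones for b in zeros]

def flipped(tt, pair):
    out = list(tt)
    for x in pair:
        out[x] ^= 1
    return out

def strong_hill_climb(tt, max_iter=50):
    """Strong hill climbing [MCD97b]: apply a pair from the improvement set
    (complements that raise nonlinearity) until that set is empty."""
    cur, nl = list(tt), nonlinearity(tt)
    for _ in range(max_iter):
        improvement = [p for p in balanced_pairs(cur) if nonlinearity(flipped(cur, p)) > nl]
        if not improvement:
            break
        cur = flipped(cur, improvement[0])
        nl = nonlinearity(cur)
    return cur, nl

def simulated_annealing(tt, rng, t0=2.0, alpha=0.9, steps=400):
    """Same moves, but a worsening move is accepted with probability
    exp(-delta/T); T cools by alpha every 20 moves. The cost here is plain
    nonlinearity, not the Parseval-based cost of [CJ00]. Returns the best seen."""
    cur, nl = list(tt), nonlinearity(tt)
    best, best_nl, temp = cur, nl, t0
    for step in range(steps):
        cand = flipped(cur, rng.choice(balanced_pairs(cur)))
        cand_nl = nonlinearity(cand)
        delta = nl - cand_nl                 # > 0 means the candidate is worse
        if delta <= 0 or rng.random() < math.exp(-delta / temp):
            cur, nl = cand, cand_nl
            if nl > best_nl:
                best, best_nl = cur, nl
        if step % 20 == 19:
            temp *= alpha
    return best, best_nl

def demo(n=5, seed=1):
    """Random balanced start, then both searches; returns the nonlinearities."""
    rng = random.Random(seed)
    tt = [1] * (1 << (n - 1)) + [0] * (1 << (n - 1))
    rng.shuffle(tt)
    start = nonlinearity(tt)
    hc, hc_nl = strong_hill_climb(tt)
    sa, sa_nl = simulated_annealing(tt, rng)
    return start, hc_nl, sa_nl, is_balanced(hc) and is_balanced(sa)

if __name__ == "__main__":
    print("bent MM function on 6 variables, nonlinearity:",
          nonlinearity(maiorana_mcfarland(6, [0] * 8, list(range(8)))))
    print("start / hill climbing / annealing nonlinearity:", demo()[:3])
```

With g = 0 and φ the identity on k = n/2 bits the Maiorana-McFarland function is the inner product ⟨x'', x'⟩, which is bent and therefore attains the maximum nonlinearity 2^{n−1} − 2^{n/2−1} (28 for n = 6); it is not balanced, which is why the searches start from a random balanced function instead. Both searches return functions of nonlinearity no lower than the start, and because every move complements one 0 and one 1 the result stays balanced.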
Remark: In [CJMS04], the authors generate functions in a very unorthodox and
interesting way. Most techniques consider the space of Boolean functions and construct/search for the ones with the desired properties. The authors invert this notion
in their paper: they search the space of artifacts with the required properties and
seek the one which is a Boolean function. They combine this general approach with
existing theory to obtain strong functions.
Chapter 6
Some open problems and
concluding remarks
The area of algebraic attacks has attracted a lot of interest in recent years. In [Cou07a], Courtois says that research in symmetric key cryptography as a whole has been "heavily distorted", in the sense that impractical attacks (which require large amounts of known plaintext) have been studied extensively, while important practical attacks (requiring few or chosen plaintexts but computationally intensive) have not been studied enough. He suggests a change in emphasis in the area, and urges researchers to try to break the toy ciphers CTC and CTC2, which will help in better understanding the cryptanalysis of practical ciphers.
In [AK03], the authors study algebraic attacks against combiners with memory and provide an algorithm to construct low degree (say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream. Armknecht also posed the question of whether a faster method to construct these low degree relations exists, since the method proposed in [AK03] quickly becomes impractical for large values of d and r. He also describes the failings of the known methods for solving the obtained relations: linearization runs in polynomial time but requires knowledge of many keystream bits, while other methods like XL or Gröbner basis methods require fewer keystream bits but can have exponential complexity. He suggests that better methods for solving these systems of equations need to be explored.
In [Can06], Anne Canteaut provides a very nice summary of open problems
related to algebraic attacks on stream ciphers under the following categories:
1. Open problems related to the complexity of algebraic attacks:
Let the transition function be L and the filtering function be f. The author wants to determine suitable parameters for the keystream generator. In order to do so, she tries to estimate the complexity of algebraic attacks, and focuses on the simplest technique, linearization. To estimate the complexity of an algebraic attack, it is essential to determine the proportion of monomials in the system of equations, because sparse systems can often be solved quite efficiently. It is clearly important to understand how the sparsity of the equations depends on f and L. So she presents the following open problem:
Determine the number of monomials involved in the system of equations to be
solved, depending on the choice of f and L.
We also need to understand how many keystream bits are required to get
enough linearly independent equations to be able to solve the system. Since
Linearization converts the given system of (nonlinear) equations to a linear
system, this is equivalent to determining the rank of the linear system depending on the choice of f and L.
Gröbner basis techniques have been studied in the context of algebraic attacks, and complexities of algorithms that compute Gröbner basis have been
analyzed in several papers, for eg [BFS04]. These complexity results however only hold for specific cases, for eg the semi-regular case as defined in
[BFS04]. This results in the important open problem of ascertaining whether
the system of equations that we need to solve to break the cipher behaves like
a semi-regular system.
2. Open problems related to the algebraic immunity of functions:
The author lists the following open problems related to the algebraic immunity
of functions:
(a) For a balanced Boolean function f , is there a general relationship between
AN (f ) and AN (1 + f )?
(b) What is the average value of algebraic immunity for a balanced Boolean
function in n variables?
(c) What is the proportion of balanced Boolean functions of n variables with
optimal algebraic immunity?
3. Open problems with respect to fast algebraic attacks:
Fast algebraic attacks rely on the existence of low degree relations between
the bits of the initial state and several consecutive keystream bits. We can
express this dependence by a function which has multiple outputs:
f_m : F_2^n → F_2^m, f_m(x_1, ..., x_n) = (b_1, b_2, ..., b_m), where b_1, ..., b_m are m consecutive keystream bits.
An important open question asks to find an algorithm which will determine
such low degree relations, i.e. an algorithm to find function fm of low degree. This multiple output function is very similar to the augmented function
defined in [And94]. Augmented functions are special multi-output functions
with special properties. Another open problem asks if these special properties
influence the algebraic immunity of augmented functions.
As described in [Cou03], fast algebraic attacks exploit the fact that when
the known keystream bits are consecutive, an important part of the equations will
have a recursive structure, and this allows to partially replace the usual sub-cubic
Gaussian algorithms for eliminating the monomials, by a much faster, essentially
linear, version of the Berlekamp-Massey algorithm. So another important open
problem is to explore variants of the Berlekamp-Massey algorithm which are better
suited to this particular application.
Many stream ciphers do not use simple Boolean functions as combining or
filtering functions; they use more sophisticated functions such as multi-output
functions or functions with memory. There are open problems concerned with
improving the efficiency of algorithms that compute the algebraic immunity of
such special functions, as well as problems related to constructing special
functions that are guaranteed to resist known attacks.
The area of algebraic attacks is thus an exciting area full of open problems
which have important real world implications.
Appendix A
Useful Definitions
We briefly define here a few important terms and state some useful results.
A.1 Algebraic definitions
Definition. Affine Geometry [Rom92]: Let $V$ be a vector space. If $v \in V$ and $S$
is a subspace of $V$, then the set
$$v + S = \{v + s \mid s \in S\}$$
is called a flat or a coset in $V$. The set $A(V)$ of all flats in $V$ is called the affine
geometry of $V$. The dimension $\dim(A(V))$ of $A(V)$ is defined to be $\dim(V)$. A flat
in $V$ is nothing more than a translated subspace of $V$. Each flat $v + S$ is associated
with a unique subspace $S$.
Definition. Dimension of flats [Rom92]: The dimension of a flat $x + S$ is $\dim(S)$,
i.e. the dimension of the subspace $S$. A flat of dimension $k$ is called a $k$-flat. A 0-flat
is a point, a 1-flat is a line and a 2-flat is a plane. A flat of dimension $\dim(A(V)) - 1$
is called a hyper-plane.
Definition. Affine Combinations [Rom92]: Let $V$ be a vector space over a field $F$. For
$i \in \{1, 2, \ldots, n\}$, if $r_i \in F$ and $\sum_i r_i = 1$, then the linear combination
$r_1 x_1 + r_2 x_2 + \cdots + r_n x_n$ is referred to as an affine combination of the vectors
$x_1, x_2, \ldots, x_n$. A subset $X$ of $V$ is a flat in $V$ if and only if it is closed under
affine combinations.
Definition. Affine Subspace [Rom92]: An affine subspace of a vector space V is
a subset of V closed under affine combinations of vectors in the space.
Definition. Co-dimension [Rom92]: If $W$ is a vector subspace of a vector space
$V$ over a field $F$, then the co-dimension of $W$ in $V$ is the dimension of the quotient
space $V/W$, viewed as a vector space over $F$:
$$\mathrm{codim}(W) = \dim(V/W) = \dim(V) - \dim(W).$$
Definition. Affine Hyper-plane: An affine hyper-plane $H$ of a vector space $V$ is
an affine subspace of $V$ satisfying:
1. $H = x + U$ where $U$ is a subspace of $V$ and $x \in V$.
2. $\mathrm{codim}(U) = 1$.
Definition. Affine Hulls [Rom92]: Let $C$ be a nonempty set of vectors in $V$.
The affine hull $\mathrm{hull}(C)$ is the smallest flat containing $C$, i.e. $C \subset \mathrm{hull}(C)$, and
$C \subset A \Rightarrow \mathrm{hull}(C) \subset A$ for all flats $A$. It can also be referred to as the flat
generated by $C$.
Theorem A.1.1. [Rom92] The affine hull $\mathrm{hull}(C)$ is the set of all affine combinations
of vectors in $C$, i.e.
$$\mathrm{hull}(C) = \Big\{ \sum_{i=1}^{n} r_i x_i \;\Big|\; n \ge 1;\ x_1, x_2, \ldots, x_n \in C;\ \sum_{i=1}^{n} r_i = 1 \Big\}.$$
Definition. Affine Transformation [Rom92]: A function $f : V \to V$ that preserves
affine combinations, i.e. for which
$$\sum_i r_i = 1 \;\Rightarrow\; f\Big(\sum_i r_i x_i\Big) = \sum_i r_i f(x_i), \qquad x_i \in V\ \forall i,$$
is called an affine transformation.
Definition. Translation [Rom92]: Let $v \in V$. The affine map $T_v : V \to V$ defined by
$$T_v(x) = x + v \qquad \forall x \in V$$
is called a translation by $v$.
Theorem A.1.2. [Rom92] Let $V$ be a vector space over a field $F$. A function $f : V \to V$
is an affine transformation iff $f = T_v \circ \tau$ where $v \in V$ and $\tau \in \zeta(V)$.
Notation:
$\circ$ denotes function composition.
$\tau : V \to V$ is a linear operator if $\tau(ru + sv) = r\tau(u) + s\tau(v)$.
$\zeta(V)$ denotes the set of linear operators of $V$.
Additionally, an affine transformation $f = T_v \circ \tau$ is bijective iff $\tau$ is bijective.
Also, the composition of two affine transformations is again an affine transformation.
Definition. Affine Group [Rom92]: The set $\mathrm{Aff}(V)$ of all bijective affine
transformations on $V$ is a group under composition of transformations. This group is
called the affine group.
Definition. Affine Equivalence [Car04b]: Two functions $f$ and $g$ are said to be
affinely equivalent if
$$f = g \circ A$$
where $A$ is an element of the affine group, i.e. $A \in \mathrm{Aff}(V)$.
Definition. Affine Invariant [Car03]: A property p of a function f is said to be
an affine invariant if every affinely equivalent function g also possesses the same
property.
Definition. Affine Variety: The affine variety $V(f_1, f_2, \ldots, f_s)$ of functions
$f_1, f_2, \ldots, f_s$, where $f_i : F^n \to F$ for all $i \in \{1, 2, \ldots, s\}$, is the set of common
zeroes of the functions $f_1, f_2, \ldots, f_s$. More formally,
$$V(f_1, f_2, \ldots, f_s) = \{x \in F^n \mid f_i(x) = 0\ \forall i \in \{1, 2, \ldots, s\}\}.$$
Definition. Ideal Generated by Functions: The ideal generated by the functions
$f_1, f_2, \ldots, f_s$, denoted by $\langle f_1, f_2, \ldots, f_s \rangle$, is defined as the set
$\{f \mid f(x) = 0 \text{ at all points of } V(f_1, f_2, \ldots, f_s)\}$.
A.2 Cryptographic definitions
Definition. Hamming Distance [Car04b]: The Hamming distance between two $n$-variable
functions $f : \{0,1\}^n \to \{0,1\}$ and $g : \{0,1\}^n \to \{0,1\}$ is the number of inputs $x$
for which $f(x) \ne g(x)$.
Definition. Hamming Weight [Car04b]: The Hamming weight of a function
$f : \{0,1\}^n \to \{0,1\}$ is the number of inputs $x$ such that $f(x) = 1$, and is denoted by
$w_H(f)$.
Definition. Algebraic Normal Form [Car04b]: Every Boolean function $f$ over
the field $\mathbb{F}_2^n$ can be represented uniquely by its algebraic normal form or A.N.F.
$$f(x) = \sum_{u \in \mathbb{F}_2^n} a_u \Big( \prod_{i \mid u_i = 1} x_i \Big)$$
The A.N.F is useful because it exists and is unique for every Boolean function,
and is often used in cryptography and coding.
Definition. Algebraic Degree [Car04b]: The degree of the A.N.F of a function $f$
is called the algebraic degree of $f$.
Definition. Affine Functions [Car03]: Functions with algebraic degree at most 1
are called affine functions. If the constant term is 0, they are linear.
Definition. Vernam Ciphers [MvOV97]: In Vernam ciphers, also called one-time
pads, the plaintext is bitwise added to a binary secret key of the same length
in order to produce ciphertext. The Vernam cipher is the only known cipher offering
unconditional security.
Definition. Stream Ciphers [MvOV97]: Stream ciphers are ciphers in which
plaintext bits are encrypted one at a time, using an encryption transformation that
varies with time.
Definition. Block Ciphers [MvOV97]: An $n$-bit block cipher is a function
$E : V_n \times \kappa \to V_n$, where $V_n$ is the set of all $n$-bit vectors and $\kappa$ is the keyspace, such
that for each key $K \in \kappa$, $E(P, K)$ is an invertible mapping (the encryption function
for $K$) from $V_n$ to $V_n$, written as $E_K(P)$. The inverse mapping is the decryption
function, denoted $D_K(C)$ where $C = E_K(P)$.
Definition. Symmetric Functions [BP05]: Symmetric functions are functions
such that every Boolean vector of the same weight has the same function value.
That is, all inputs with the same number of 1s have the same output value.
Definition. Annihilating Functions [MPC04]: An annihilating function of $f$ is
a function $g$ such that $f * g = 0$.
Definition. Derivative of a Function [Car06a]: Let $f$ be an $n$-variable Boolean
function and let $b$ be any vector in $\mathbb{F}_2^n$. We call the derivative of $f$ with respect to
the direction $b$ the Boolean function $D_b f(x) = f(x) \oplus f(x + b)$, where $\oplus$ denotes
addition over $\mathbb{F}_2$.
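As an added worked example (not code from the thesis), the following Python computes the A.N.F. and algebraic degree defined above from a truth table and uses them to test affineness, to take the derivative $D_b f$, and to check whether one function annihilates another. The bit encoding of inputs and the sample function $x_1 x_2 + x_3$ are assumptions of the example.

```python
# Added example (not from the thesis): A.N.F., algebraic degree, affineness,
# derivatives and annihilators of a Boolean function, all computed from the
# truth table.  Encoding (an assumption of this example): an input or monomial
# index x in {0, ..., 2^n - 1} stands for (x_1, ..., x_n) with x_i = bit i-1 of x.

def truth_table(f, n):
    """Truth table of f: entry x is f(x_1, ..., x_n) with x_i = bit i-1 of x."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def mobius(table):
    """Binary Moebius transform, an involution over F_2.  Applied to a truth
    table it yields the A.N.F. coefficients a_u of
        f(x) = sum_u a_u prod_{i : u_i = 1} x_i ;
    applied to the coefficients it yields the truth table again, which is
    how the uniqueness of the A.N.F. can be checked numerically."""
    a = list(table)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def anf_monomials(tt):
    """Monomials with coefficient 1, each as a frozenset of 1-based variable indices."""
    coeffs = mobius(tt)
    n = len(tt).bit_length() - 1
    return {frozenset(i + 1 for i in range(n) if (u >> i) & 1)
            for u in range(len(tt)) if coeffs[u]}

def anf_string(tt):
    """Human-readable A.N.F., e.g. 'x1x2 + x3'; the empty monomial is the constant 1."""
    mons = sorted(anf_monomials(tt), key=sorted)
    if not mons:
        return "0"
    return " + ".join("".join(f"x{i}" for i in sorted(m)) or "1" for m in mons)

def algebraic_degree(tt):
    """Degree of the A.N.F. (largest monomial size); 0 for a constant function."""
    return max((len(m) for m in anf_monomials(tt)), default=0)

def is_affine(tt):
    """Affine functions are exactly those of algebraic degree at most 1."""
    return algebraic_degree(tt) <= 1

def derivative(tt, b):
    """D_b f(x) = f(x) xor f(x + b), with x + b the coordinate-wise sum over F_2."""
    return [tt[x] ^ tt[x ^ b] for x in range(len(tt))]

def annihilates(f_tt, g_tt):
    """True iff g is an annihilator of f, i.e. f * g is the zero function."""
    return not any(u & v for u, v in zip(f_tt, g_tt))

# Constructed sample: f(x1, x2, x3) = x1 x2 + x3, a balanced function of degree 2.
SAMPLE_TT = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)

if __name__ == "__main__":
    print("truth table :", SAMPLE_TT)
    print("A.N.F.      :", anf_string(SAMPLE_TT), "(degree", algebraic_degree(SAMPLE_TT), ")")
    # Differentiating in the direction b = (1, 0, 0) lowers the degree by one.
    d = derivative(SAMPLE_TT, 0b001)
    print("D_b f       :", anf_string(d), "(degree", algebraic_degree(d), ")")
    # g = (1 + x1)(1 + x3) annihilates f: wherever g = 1 we have x1 = x3 = 0, so f = 0.
    g = truth_table(lambda x1, x2, x3: (1 ^ x1) & (1 ^ x3), 3)
    print("g annihilates f:", annihilates(SAMPLE_TT, g))
```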
Definition. Sparse Equations [CP02]: Sparse equations are defined to be equations
with a "small" number of monomials. Let $n$ be the number of variables in the
system of equations and $t$ be the number of monomials in the system of equations.
For a given degree $d$, usually $t \approx n^d$. If $t \ll n^d$, we say that the equations are
sparse.
Definition. Overdefined Equations [CP02]: Overdefined equations are systems
of equations in which the number of equations is greater than the number of variables
involved in the system of equations.
A.3 Fourier-Walsh Transforms
Fourier transforms have very nice properties which are useful for studying Boolean
functions. Most characteristics of Boolean functions that we describe in this survey
can be expressed by means of the weights of some related Boolean functions (e.g. $f \oplus l$
where $l$ is affine). As pointed out by Carlet in [Car06a], Fourier analysis becomes a
very powerful and useful tool, since given a Boolean function $f$, knowledge of the
discrete Fourier transform of $f$ is equivalent to knowledge of the weights of all
the functions $f \oplus l$, where $l$ is linear or affine.
We briefly define here Fourier transforms and discuss some of their properties.
Other flavors of Fourier transforms are Hadamard transforms and Walsh transforms,
which are introduced below. We will primarily be working with Hadamard
and Walsh transforms in subsequent sections.
Let $G$ be a finite abelian group of order $n$, written additively.
Definition. Characters [LN83, Bab02]: A character of $G$ is a homomorphism
$\chi : G \to \mathbb{C}^\times$ of $G$ to the multiplicative group of nonzero complex numbers:
$$\chi(a + b) = \chi(a)\chi(b) \qquad \forall a, b \in G.$$
Since $G$ has order $n$,
$$\chi(a)^n = \chi(na) = \chi(0) = 1 \qquad \forall a \in G,$$
so the values of $\chi$ are $n$th roots of unity.
Note that $\chi(-a) = \chi(a)^{-1} = \overline{\chi(a)}$, where the bar indicates complex conjugation.
Note that the pointwise product of the characters $\chi$ and $\psi$ is again a character:
$$(\chi\psi)(a) = \chi(a)\psi(a).$$
Let $\hat{G}$ denote the set of characters. This set forms an abelian group under
the above operation.
Let $\mathbb{C}^G$ denote the space of functions $f : G \to \mathbb{C}$. An inner product on this
space is defined by
$$(f, g) = \frac{1}{n} \sum_{a \in G} f(a) g(a) \tag{A.1}$$
where $f, g \in \mathbb{C}^G$.
Theorem A.3.1. [Has01, Bab02] Ĝ forms an orthonormal space in C G .
Corollary A.3.2. [Has01, Bab02] Any function f ∈ C G can be written as a linear
combination of characters.
$$f = \sum_{\chi \in \hat{G}} c_\chi \chi \tag{A.2}$$
The coefficients $c_\chi$ are called the Fourier coefficients and are given by the formula
$c_\chi = (\chi, f)$.
Definition. Fourier Transform [Has01, Bab02]: The function $\hat{f} : \hat{G} \to \mathbb{C}$ defined
as
$$\hat{f}(\chi) = n c_\chi = n(\chi, f) = \sum_{a \in G} \chi(a) f(a) \tag{A.3}$$
where $\chi \in \hat{G}$, is called the Fourier transform of $f$. This transformation is easily
inverted:
$$f(a) = \frac{1}{n} \sum_{\chi \in \hat{G}} \hat{f}(\chi) \chi(-a) \tag{A.4}$$
where $a \in G$. Here, $f(a)$ is the inverse Fourier transform.
Definition. Hadamard Transform [Car06a]:
The Hadamard transform is essentially the Fourier transform with character
$$\chi_u(x) = (-1)^{u \cdot x}$$
for some $u$. Here, $\cdot$ denotes the usual inner product on vectors, i.e. for vectors
$u = (u_1, u_2, \ldots, u_n)$ and $x = (x_1, x_2, \ldots, x_n)$, $u \cdot x = \sum_{i=1}^{n} u_i x_i$. Notice that
$$\chi_u(a + b) = (-1)^{(a + b) \cdot u} = \chi_u(a)\chi_u(b).$$
It is a real-valued function over $\mathbb{F}_2^n$, with $x, u \in \mathbb{F}_2^n$, defined as
$$\hat{f}(u) = \sum_{x \in \mathbb{F}_2^n} f(x)(-1)^{x \cdot u} \tag{A.5}$$
Clearly, by definition of Hamming weight,
$$w_H(f) = \hat{f}(0) \tag{A.6}$$
Definition. Sign Function: The sign function is defined as
$$\chi_f(x) = (-1)^{f(x)}. \tag{A.7}$$
Definition. Walsh Transform [Car06a]: The Walsh transform of a function is
the Hadamard transform of the sign function and is given by
$$\hat{\chi}_f(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + u \cdot x} \tag{A.8}$$
Since
$$\chi_f = 1 - 2f$$
we get
$$\hat{\chi}_f = \hat{1} - 2\hat{f}.$$
It has been proved that $\hat{1} = 2^n \delta_0$, where $\delta$ is the Dirac symbol: $\delta_0(u) = 1$ if $u$ is the
null vector and 0 otherwise. We do not give the proof of this here; please look at
[Car06a] for details.
Hence we get
$$\hat{\chi}_f(u) = 2^n \delta_0(u) - 2\hat{f}(u) \tag{A.9}$$
We have that
$$\hat{\chi}_f(0) = \hat{1}(0) - 2\hat{f}(0) = 2^n - 2\hat{f}(0)$$
which implies
$$\hat{f}(0) = 2^{n-1} - \frac{\hat{\chi}_f(0)}{2}.$$
Thus we get:
$$w_H(f) = 2^{n-1} - \frac{\hat{\chi}_f(0)}{2} \tag{A.10}$$
Applying this to $f \oplus l_a$, where $l_a(x) = a \cdot x$ for some $a \in \mathbb{F}_2^n$, we get
$$d_H(f, l_a) = w_H(f \oplus l_a) = 2^{n-1} - \frac{\hat{\chi}_f(a)}{2} \tag{A.11}$$
Note that $\oplus$ denotes addition mod 2.
Theorem A.3.3. [Car06a] Parseval's Relation: For every Boolean function $\varphi$,
we have:
$$\sum_{u \in \mathbb{F}_2^n} \hat{\varphi}^2(u) = 2^n \sum_{x \in \mathbb{F}_2^n} \varphi^2(x) \tag{A.12}$$
If $\varphi$ is the sign function, this becomes
$$\sum_{u \in \mathbb{F}_2^n} \hat{\varphi}^2(u) = 2^{2n} \tag{A.13}$$
Definition. Walsh Spectrum: The Walsh spectrum of a Boolean function $f$ with
$n$ variables consists of all the values $\{\hat{\chi}_f(a) \mid a \in \mathbb{F}_2^n\}$.
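As an added worked example (not code from the thesis), the following Python computes the Hadamard (A.5) and Walsh (A.8) transforms of a Boolean function with the fast Walsh-Hadamard butterfly and checks identities (A.6), (A.9), (A.10), (A.11) and (A.13) on a constructed sample; it also goes one step beyond the text by reading the distance to the nearest affine function off the Walsh spectrum. The bit encoding of inputs and the sample function $x_1 x_2 + x_3$ are assumptions of the example.

```python
# Added example (not from the thesis): Hadamard (A.5) and Walsh (A.8)
# transforms of a Boolean function on F_2^n via the fast Walsh-Hadamard
# butterfly, with the identities (A.6), (A.9), (A.10), (A.11) and Parseval
# (A.13) checked on a constructed sample.  Encoding (assumed here): x in
# {0, ..., 2^n - 1} stands for (x_1, ..., x_n) with x_i = bit i-1 of x, so the
# inner product u . x over F_2 is the parity of u & x.

def truth_table(f, n):
    """Truth table of f: entry x is f(x_1, ..., x_n) with x_i = bit i-1 of x."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def fwht(values):
    """Fast Walsh-Hadamard transform: returns F(u) = sum_x v[x] (-1)^{u . x}
    for every u, in O(n 2^n) additions instead of O(4^n)."""
    a = list(values)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def hadamard_transform(tt):
    """Equation (A.5): f_hat(u) = sum_x f(x) (-1)^{x . u}."""
    return fwht(tt)

def walsh_transform(tt):
    """Equation (A.8): the Hadamard transform of the sign function chi_f = 1 - 2f."""
    return fwht([1 - 2 * v for v in tt])

def hamming_weight(tt):
    return sum(tt)

def hamming_distance(tt1, tt2):
    return sum(a != b for a, b in zip(tt1, tt2))

def linear_function(a, n):
    """Truth table of l_a(x) = a . x (inner product over F_2)."""
    return [bin(a & x).count("1") & 1 for x in range(1 << n)]

def verify_identities(tt):
    """Evaluate the appendix identities on tt; each value is True when it holds."""
    N = len(tt)                      # 2^n
    n = N.bit_length() - 1
    fh = hadamard_transform(tt)
    wf = walsh_transform(tt)         # every entry is even (2^n terms of +-1), so // 2 is exact
    return {
        "A.6  w_H(f) = f_hat(0)": hamming_weight(tt) == fh[0],
        "A.9  walsh_f(u) = 2^n delta_0(u) - 2 f_hat(u)":
            all(wf[u] == (N if u == 0 else 0) - 2 * fh[u] for u in range(N)),
        "A.10 w_H(f) = 2^(n-1) - walsh_f(0)/2":
            hamming_weight(tt) == N // 2 - wf[0] // 2,
        "A.11 d_H(f, l_a) = 2^(n-1) - walsh_f(a)/2":
            all(hamming_distance(tt, linear_function(a, n)) == N // 2 - wf[a] // 2
                for a in range(N)),
        "A.13 Parseval: sum_u walsh_f(u)^2 = 2^(2n)":
            sum(v * v for v in wf) == N * N,
    }

def nearest_affine_distance(tt):
    """Distance from f to the closest affine function l_a or l_a + 1.  By (A.11)
    d_H(f, l_a) = 2^(n-1) - walsh_f(a)/2 and d_H(f, l_a + 1) = 2^n - d_H(f, l_a),
    so the minimum over all a is 2^(n-1) - max_a |walsh_f(a)| / 2."""
    N = len(tt)
    return N // 2 - max(abs(v) for v in walsh_transform(tt)) // 2

# Constructed sample: f(x1, x2, x3) = x1 x2 + x3.
SAMPLE_TT = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)

if __name__ == "__main__":
    print("truth table   :", SAMPLE_TT)
    print("Hadamard f_hat:", hadamard_transform(SAMPLE_TT))
    print("Walsh spectrum:", walsh_transform(SAMPLE_TT))
    for name, ok in verify_identities(SAMPLE_TT).items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
    print("distance to nearest affine function:", nearest_affine_distance(SAMPLE_TT))
```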
Bibliography
[AA05]
Armknecht and Ars. Introducing a new variant of fast algebraic attacks
and minimizing their successive data complexity. In Proceedings of International Conference on Cryptology in Malaysia (Mycrypt), LNCS,
volume 1, pages 16–32, 2005.
[AAG93]
A.Klapper, A.Chan, and M. Goresky. Cascaded GMW sequences. In
Proceedings of IEEE Transactions on Information Theory, volume 39,
pages 177–183, 1993.
[ACDG03] Akkar, Courtois, Duteuil, and Goubin. A fast and secure implementation
of sflash. In Proceedings of International Workshop on Practice and
Theory in Public Key Cryptography (PKC), pages 267–278. LNCS, 2003.
[ACG+ 06] Frederik Armknecht, Claude Carlet, Philippe Gaborit, Simon Künzli,
Willi Meier, and Olivier Ruatta. Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. In Advances in Cryptology: Proceedings of EUROCRYPT, volume 4004 of LNCS, pages 147–
164. Springer, 2006.
[AK03]
Armknecht and Krause. Algebraic attacks on combiners with memory.
In Proceedings of CRYPTO, pages 162–175, 2003.
[AK06]
Armknecht and Krause. Constructing single- and multi-output boolean
functions with maximal algebraic immunity. In Proceedings of Annual
International Colloquium on Automata, Languages and Programming
(ICALP), pages 180–191, 2006.
[And94]
Anderson. Searching for the optimum correlation attack. In Proceedings of International Workshop on Fast Software Encryption (IWFSE),
LNCS, pages 137–143, 1994.
[Arm04]
Armknecht. Improving fast algebraic attacks. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages
65–82, 2004.
[Ars05]
Ars, G. and Faugère, J.-C. Algebraic immunities of functions over finite
fields. In First workshop on Boolean Functions : Cryptography and
Applications, pages 21–38, 2005.
[Bab02]
Laszlo Babai. The Fourier transform and equations over finite abelian groups.
http://people.cs.uchicago.edu/~laci/reu02/fourier.pdf, 2002.
[Bar07]
Gregory Bard. Algorithms for solving linear and polynomial systems of equations
over finite fields with applications to cryptanalysis. PhD thesis, University of
Maryland at College Park, 2007. PhD thesis of Gregory Bard:
http://www.cs.umd.edu/users/jkatz/THESES/bard thesis.pdf.
[Bat04]
Batten. Algebraic attacks over GF(q). In Proceedings of International
Conference in Cryptology in India (INDOCRYPT), pages 84–91. LNCS,
Springer-Verlag, 2004.
[BC03]
Biryukov and De Canniere. Block ciphers and systems of quadratic
equations. In Proceedings of International Workshop on Fast Software
Encryption (IWFSE), pages 274–289, 2003.
[BCJ07]
Gregory V. Bard, Nicolas T. Courtois, and Chris Jefferson. Efficient
methods for conversion and solution of sparse systems of low-degree
multivariate polynomials over gf(2) via sat-solvers. Technical report:
Cryptology ePrint Archive, Report 2007/024, 2007.
[BD00]
Biham and Dunkelman. Cryptanalysis of the a5/1 gsm stream cipher.
In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 43–51. LNCS, Springer-Verlag, 2000.
[BFS04]
M. Bardet, J.-C. Faugère, and B. Salvy. On the complexity of grobner
basis computation of semi-regular overdetermined algebraic equations.
In Proceedings of the International Conference on Polynomial System
Solving, pages 71–74, 2004.
[BP05]
Braeken and Preneel. On the algebraic immunity of symmetric boolean
functions. In Proceedings of International Conference in Cryptology in
India (INDOCRYPT), pages 35–48. LNCS, Springer-Verlag, 2005.
[BPW05]
Johannes Buchmann, Andrei Pychkine, and Ralf-Philipp Weinmann.
Block ciphers sensitive to groebner basis attacks. Technical Report:
Cryptology ePrint Archive, Report 2005/200, 2005.
[BS91a]
Biham and Shamir. Differential cryptanalysis of snefru, khafre, redoc-ii,
loki, and lucifer. In Proceedings of CRYPTO, pages 156–171, 1991.
[BS91b]
E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991.
[Buc06]
Bruno Buchberger. Bruno buchberger’s phd thesis 1965: An algorithm
for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. Journal of Symbolic Computing, 41(3-4):475–
511, 2006.
[Can02]
Canteaut. On the correlations between a combining function and functions of fewer variables. In Proceedings of the Information Theory Workshop ’02, Bangalore, pages 78 – 81, 2002.
[Can06]
Anne Canteaut. Open problems related to algebraic attacks on stream
ciphers. Proceedings of Dans Workshop on Coding and Cryptography
(WCC), 3969:120–134, 2006.
[Car02]
Carlet. A larger class of cryptographic boolean functions via a study
of the maiorana-mcfarland construction. In Proceedings of CRYPTO,
pages 549–564, 2002.
[Car03]
Claude Carlet. On the algebraic thickness and non-normality of boolean
functions. In Proceedings of IEEE Information Theory Workshop, pages
147–150, 2003.
[Car04a]
Carlet.
On the confusion and diffusion properties of maiorana-
mcfarland’s and extended maiorana-mcfarland’s functions. Journal of
Complexity, 20(2-3):182–204, 2004.
[Car04b]
Claude Carlet. On the degree, nonlinearity, algebraic thickness, and
nonnormality of boolean functions, with developments on symmetric
functions. IEEE Transactions on Information Theory, 50(9):2178–2185,
2004.
[Car06a]
Carlet. Boolean functions for cryptography and error correcting codes
in book Boolean methods and models edited by Peter Hammer and Yves
Crama. Cambridge University Press, 2005-2006.
[Car06b]
Claude Carlet. The complexity of boolean functions from cryptographic
viewpoint. In Proceedings of Dagstuhl Seminar 06111 - Complexity of
Boolean functions, 2006.
[CB06]
Nicolas T. Courtois and Gregory V. Bard. Algebraic cryptanalysis of
the data encryption standard. Technical Report: Cryptology ePrint
Archive, Report 2006/402, 2006.
[CB07]
Nicolas T. Courtois and Gregory V. Bard. Algebraic and slide attacks on
keeloq. Technical Report: Cryptology ePrint Archive, Report 2007/062,
2007.
[CCCF00] Canteaut, Carlet, Charpin, and Fontaine. Propagation characteristics
and correlation-immunity of highly nonlinear boolean functions. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 507–522,
2000.
[CDG05]
Nicolas Courtois, Blandine Debraize, and Eric Garrido. On exact algebraic [non-]immunity of s-boxes based on power functions. Technical
Report: Cryptology ePrint Archive, Report 2005/203, 2005.
[CDGM06] Carlet, Dalai, Gupta, and Maitra. Algebraic immunity for cryptographically significant boolean functions: Analysis and construction. IEEE
Transactions on Information Theory, 52(7):3105–3121, 2006.
[CHJ02]
Coppersmith, Halevi, and Jutla. Cryptanalysis of stream ciphers with
linear masking. In Proceedings of CRYPTO, pages 515–532, 2002.
[Cid04]
Cid. Some algebraic aspects of the advanced encryption standard. In
Proceedings of International Conference on Advanced Encryption Standard (AES), LNCS, volume 4, pages 58–66, 2004.
[CJ00]
John Clark and Jeremy Jacob. Two-stage optimisation in the design of
boolean functions. In Proceedings of the 5th Australasian Conference on
Information Security and Privacy (ACISP), pages 242–254. SpringerVerlag, 2000.
[CJJ+ 03]
Nicolas T. Courtois, Robert T. Johnson, Pascal Junod, Thomas Pornin,
and Michael Scott. Did filiol break aes? Technical Report: Cryptology
ePrint Archive, Report 2003/022, 2003.
[CJMS04] Clark, Jacob, Maitra, and Stanica. Almost boolean functions: The
design of boolean functions by spectral inversion. Computational Intelligence: An International Journal, 20(3):450–462, 2004.
[CJS+ 02]
Clark, Jacob, Stepney, Maitra, and Millan. Evolving boolean functions
satisfying multiple criteria. In Proceedings of International Conference
in Cryptology in India (INDOCRYPT), pages 246–259. LNCS, SpringerVerlag, 2002.
[CJS05]
John A. Clark, Jeremy L. Jacob, and Susan Stepney. The design of sboxes by simulated annealing. New Generation Computing, 23(3):219–
231, 2005.
[CKPS00] Courtois, Klimov, Patarin, and Shamir. Efficient algorithms for solving
overdefined systems of multivariate polynomial equations. In Advances
in Cryptology: Proceedings of EUROCRYPT, page 392, 2000.
[CL04]
Cheon and Lee. Resistance of S-boxes against algebraic attacks. In
Proceedings of International Workshop on Fast Software Encryption
(IWFSE), LNCS, pages 83–94, 2004.
[CL06]
Hao Chen and Jianhua Li. Lower bounds on the algebraic immunity
of boolean functions. ArXiv Computer Science e-prints, cs/0608080,
September 02 2006.
[CM03]
Courtois and Meier. Algebraic attacks on stream ciphers with linear
feedback. In Advances in Cryptology: Proceedings of EUROCRYPT,
page 644, 2003.
[CM07]
Claude Carlet and Sihem Mesnager. Improving the upper bounds on
the covering radii of binary reed-muller codes. IEEE Transactions on
Information Theory, 53(1):162–173, 2007.
[CMR04]
Cid, Murphy, and Robshaw. Computational and algebraic aspects of
the advanced encryption standard. In Proceedings of the Seventh International Workshop on Computer Algebra in Scientific Computing,
(CASC), pages 93–103, 2004.
[CMR05]
Cid, Murphy, and Robshaw. Small scale variants of the aes. In Proceedings of International Workshop on Fast Software Encryption (IWFSE),
LNCS, pages 145–162, 2005.
[CMR06]
Carlos Cid, Sean Murphy, and Matthew Robshaw. Algebraic Aspects of
the Advanced Encryption Standard, volume 310 of Advances in Information Security. Springer-Verlag, 2006.
[Cop]
D. Coppersmith. Xsl against rijndael. http://www.schneier.com/cryptogram-0210.html#8.
[Cor04]
Coron. Cryptanalysis of a public-key encryption scheme based on the
polynomial reconstruction problem. In Proceedings of International
Workshop on Practice and Theory in Public Key Cryptography (PKC),
pages 14–27. LNCS, 2004.
[Cou]
N. Courtois. Is aes a secure cipher? http://www.cryptosystem.net/aes/.
[Cou01]
Courtois. The security of hidden field equations (HFE). In Proceedings
of The Cryptographers’ Track at RSA (CTRSA), LNCS, pages 266–281,
2001.
[Cou02]
Courtois. Higher order correlation attacks, XL algorithm and cryptanalysis of toyocrypt. In Proceedings of International Conference on
Information Security and Cryptology (ICISC), pages 182–199. LNCS,
2002.
[Cou03]
Courtois. Fast algebraic attacks on stream ciphers with linear feedback.
In Proceedings of CRYPTO, pages 176–194, 2003.
[Cou04a]
Courtois. Algebraic attacks on combiners with memory and several
outputs. In Proceedings of International Conference on Information
Security and Cryptology (ICISC), pages 3–20. LNCS, 2004.
[Cou04b]
Courtois. Algebraic attacks over GF (2k ), application to HFE challenge
2 and sflash-v2. In Proceedings of International Workshop on Practice
and Theory in Public Key Cryptography (PKC), pages 201–217. LNCS,
2004.
[Cou04c]
Courtois. General principles of algebraic attacks and new design criteria
for cipher components. In Proceedings of International Conference on
Advanced Encryption Standard (AES), LNCS, volume 4, pages 67–83,
2004.
[Cou07a]
Nicolas T. Courtois. Ctc2 and fast algebraic attacks on block ciphers revisited. Technical Report: Cryptology ePrint Archive, Report 2007/152,
2007.
[Cou07b]
Nicolas T. Courtois. How fast can be algebraic attacks on block ciphers? In Symmetric Cryptography, number 07021 in Dagstuhl Seminar
Proceedings, 2007.
[CP02]
Courtois and Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. In Advances in Cryptology : Proceedings of
ASIACRYPT– International Conference on the Theory and Application
of Cryptology, pages 267–287. LNCS, Springer-Verlag, 2002.
[CSV97]
Coppersmith, Stern, and Vaudenay. The security of the birational permutation signature schemes. Journal of Cryptology, 10(3):207–221, 1997.
[CT00]
Canteaut and Trabbia. Improved fast correlation attacks using paritycheck equations of weight 4 and 5. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 573–588, 2000.
[CY05]
Claude Carlet and Joseph L. Yucas. Piecewise constructions of bent and
almost optimal boolean functions. Designs, Codes and Cryptography,
37(3):449–464, 2005.
[DG03]
A. Dimovski and D. Gligoroski. Generating highly nonlinear boolean
functions using a genetic algorithm. In Proceedings of Telecommunications in Modern Satellite, Cable and Broadcasting Service, Vol 2., pages
604– 607, 2003.
[DGM04]
Dalai, Gupta, and Maitra. Results on algebraic immunity for cryptographically significant boolean functions. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 92–106.
LNCS, Springer-Verlag, 2004.
[DGM06]
Deepak Kumar Dalai, Kishan Chand Gupta, and Subhamoy Maitra.
Notion of algebraic immunity and its evaluation related to fast algebraic attacks. In Second International Workshop of Boolean Functions:
Cryptography and Applications (BFCA), pages 107–124, 2006.
[DMS06]
Deepak Kumar Dalai, Subhamoy Maitra, and Sumanta Sarkar. Basic theory in construction of boolean functions with maximum possible
annihilator immunity. Designs, Codes and Cryptography, 40(1):41–58,
2006.
[DR00]
Joan Daemen and Vincent Rijmen. Answer to "new observations on
rijndael", August 11 2000. http://citeseer.ist.psu.edu/317291.html.
[DR02]
Daemen and Rijmen. Security of a wide trail design. In Proceedings of
International Conference in Cryptology in India (INDOCRYPT), pages
1–11. LNCS, Springer-Verlag, 2002.
[DT06]
Frédéric Didier and Jean-Pierre Tillich. Computing the algebraic immunity
efficiently. In Proceedings of Fast Software Encryption, 13th International
Workshop, (FSE) Revised Selected Papers, volume 4047 of LNCS, pages
359–374. Springer, 2006.
[DXS91]
C. (Cunsheng) Ding, G. Xiao, and W. Shan. The stability theory of
stream ciphers, volume 561 of LNCS. Springer-Verlag, 1991.
[ES03]
Een and Sorensson. An extensible SAT-solver. In Proceedings of International Conference on Theory and Applications of Satisfiability Testing
(SAT), LNCS, volume 6, pages 502–518, 2003.
[FA03]
Jean-Charles Faugère and Gwénolé Ars. An algebraic cryptanalysis of
nonlinear filter generators using grobner bases. INRIA report RR-4739, 2003.
http://hal.ccsd.cnrs.fr/docs/00/07/18/48/PDF/RR-4739.pdf.
[FD85]
Fell and Diffie. Analysis of a public key approach based on polynomial
substitution. In Proceedings of CRYPTO, pages 340–349, 1985.
[Fil02]
Eric Filiol. A new statistical testing for symmetric ciphers and hash functions. Technical Report: Cryptology ePrint Archive, Report 2002/099,
2002. http://eprint.iacr.org/.
[FIL03]
Eric FILIOL. Plaintext-dependant repetition codes cryptanalysis of
block ciphers - the aes case.
Technical Report: Cryptology ePrint
Archive, Report 2003/003, 2003.
[FJ03]
Faugere and Joux. Algebraic cryptanalysis of hidden field equation
(HFE) cryptosystems using grobner bases. In Proceedings of CRYPTO,
pages 44–60, 2003.
[FL01]
Fluhrer and Lucks. Analysis of the E0 encryption system. In Proceedings
of the Annual International Workshop on Selected Areas in Cryptography
(SAC), pages 38–48. LNCS, 2001.
[FM02]
Joanne Fuller and William Millan. On linear redundancy in the aes sbox. Technical Report: Cryptology ePrint Archive, Report 2002/111,
2002.
[FT01]
Fedorova and Tarannikov. On the constructing of highly nonlinear resilient boolean functions by means of special matrices. In Proceedings of
International Conference in Cryptology in India (INDOCRYPT), pages
254–266. LNCS, Springer-Verlag, 2001.
[GBM02]
Golic, Bagini, and Morgari. Linear cryptanalysis of bluetooth stream
cipher. In Advances in Cryptology: Proceedings of EUROCRYPT, pages
238–255, 2002.
[GJ79]
M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide
to the Theory of NP-Completeness. W. H. Freeman, 1979.
[Gol96]
Golic. On the security of nonlinear filter generators. In Proceedings of
International Workshop on Fast Software Encryption (IWFSE), LNCS,
pages 173–188, 1996.
[GS05]
Gupta and Sarkar. Improved construction of nonlinear resilient S-boxes.
IEEE Transactions on Information Theory, 51(1):339–348, 2005.
[Has01]
Hastad. Some optimal inapproximability results. Journal of the ACM,
48(4):798–859, 2001.
[HKM95]
Harpes, Kramer, and Massey. A generalization of linear cryptanalysis and the applicability of matsui’s piling-up lemma. In Advances in
Cryptology: Proceedings of EUROCRYPT, pages 24–38, 1995.
[HPS93]
Hastad, Phillips, and Safra. A well-characterized approximation problem. Information Processing Letters, 47(6):301–305, 1993.
[HR04]
Hawkes and Rose. Rewriting variables: The complexity of fast algebraic
attacks on stream ciphers. In Proceedings of CRYPTO, pages 390–406,
2004.
[Hug02]
Hughes. A linear algebraic attack on the AAFG1 braid group cryptosystem. In Proceedings of Information Security and Privacy: Australasian
Conference (ACISP), pages 176–189, 2002.
[Imp01]
Impagliazzo. Hill-climbing vs. simulated annealing for planted bisection problems. In Proceedings of International Workshop on Approximation Algorithms for Combinatorial Optimization (APPROX), pages
2–5, 2001.
[JDH07]
Xin Jiang, Jintai Ding, and Lei Hu. Kipnis-shamir’s attack on hfe revisited. In Proceedings of the 3rd International Conference on Information
Security and Cryptology (SKLOIS), 2007. to appear.
[JJ99]
Johansson and Jonsson. Improved fast correlation attacks on stream
ciphers via convolutional codes. In Advances in Cryptology: Proceedings
of EUROCRYPT, pages 347–362, 1999.
[KCP00]
Kang, Chee, and Park. A note on the higher order differential attack of
block ciphers with two-block structures. In Proceedings of International
Conference on Information Security and Cryptology (ICISC), pages 1–
13. LNCS, 2000.
[Key02]
Keys. A tutorial on linear and differential cryptanalysis. Cryptologia,
26, 2002.
[KG03]
Khoongming Khoo and Guang Gong. New constructions for resilient
and highly nonlinear boolean functions. In Proceedings of Information
Security and Privacy, 8th Australasian Conference (ACISP), pages 498–
509, 2003.
[KJV83]
S. Kirkpatrick, C. D. Gelatt Jr., and M. P. Vecchi. Optimization by
simulated annealing. Science, 220(4598):671–679, 1983.
[KMI91]
Kwangjo Kim, Tsutomu Matsumoto, and Hideki Imai. A recursive construction method of S-boxes satisfying strict avalanche criterion. Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology, 537:564–574, 1991.
[Knu94]
Knudsen. Truncated and higher order differentials. In Proceedings of
International Workshop on Fast Software Encryption (IWFSE), LNCS,
pages 196–211, 1994.
[KR94]
Kaliski and Robshaw. Linear cryptanalysis using multiple approximations. In Proceedings of CRYPTO, pages 26–39, 1994.
[KS98]
Kipnis and Shamir.
Cryptanalysis of the oil and vinegar signature
scheme. In Proceedings of CRYPTO, pages 257–267, 1998.
[KS99]
Kipnis and Shamir. Cryptanalysis of the HFE public key cryptosystem
by relinearization. In Proceedings of CRYPTO, pages 19–30, 1999.
[KTLG05] Khoongming Khoo, Guat-Ee Tan, Hian-Kiat Lee, and Guang Gong.
Comparison of boolean function design. In Proceedings of International
Symposium on Information Theory (ISIT), pages 1111–1115, 2005.
[Lai94]
Lai. Higher order derivatives and differential cryptanalysis. In Proceedings of Symposium on communication, coding and cryptography, pages
227–233, 1994.
[Lan90]
Philippe Langevin. Covering radius of RM (1, 9) in RM (3, 9). In Proceedings of EUROCODE, volume 514 of LNCS, pages 51–59. Springer,
1990.
[LCPP96] S. Lee, S. Chee, S. Park, and S. Park. Conditional correlation attack on
nonlinear filter generators. In Advances in Cryptology : Proceedings of
ASIACRYPT– International Conference on the Theory and Application
of Cryptology, pages 360–367, 1996.
[LfQ05]
Na Li and Wen feng Qi. Symmetric boolean function with maximum algebraic immunity on odd number of variables. ArXiv Computer Science
e-prints, cs/0511099, 2005.
[LN83]
Rudolf Lidl and Harald Niederreiter. Finite Fields. Addison-Wesley,
1983.
[Lob05]
M. Lobanov. Tight bound between nonlinearity and algebraic immunity.
In Proceedings of the Second International Scientific Conference on
Security and Countering Terrorism Issues, 2005.
citeseer.ist.psu.edu/lobanov05tight.html.
[Loh03]
Bernhard Lohlein. Attacks based on conditional correlations against
the nonlinear filter generator. http://citeseer.ist.psu.edu/554481.html;
http://eprint.iacr.org/2003/020.ps.gz, February 03 2003.
[LP03]
Lee and Park. Cryptanalysis of the public-key encryption based on braid
groups. In Advances in Cryptology: Proceedings of EUROCRYPT, pages
477–490, 2003.
[LQ06]
N. Li and W.-F. Qi. Construction and Count of Boolean Functions of an
Odd Number of Variables with Maximum Algebraic Immunity. ArXiv
Computer Science e-prints, cs/0605139, 2006.
[Lup70]
O. B. Lupanov. On circuits of functional elements with delay. Probl.
Kibern, 23:43–81, 1970.
[LZGB02] Sabine Leveiller, Gilles Zémor, Philippe Guillot, and Joseph Boutros. A
new cryptanalytic attack for pn-generators filtered by a boolean function. In Proceedings of Selected Areas in Cryptography, pages 232–249,
2002.
[Mas69]
J. L. Massey. Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory, 15:122–127, 1969.
[Mat93]
Matsui. Linear cryptanalysis method for DES cipher. In Advances in
Cryptology: Proceedings of EUROCRYPT, pages 386–397, 1993.
[Mat94]
Matsui. The first experimental cryptanalysis of the data encryption
standard. In Proceedings of CRYPTO, pages 1–11, 1994.
[Mat99]
Matsui. On a structure of block ciphers with provable security against
differential and linear cryptanalysis. IEICE Transactions on Communications, Electronics, Information and Systems, 1999.
[MCD97a] Millan, Ckark, and Dawson. An effective genetic algorithm for finding
highly nonlinear boolean functions. In Proceedings of International Conference on Information and Communications Security (ICIS), LNCS,
page 149, 1997.
86
[MCD97b] W. Millan, A. Clark, and E. Dawson. Smart hill climbing finds better
boolean functions. citeseer.ist.psu.edu/millan97smart.html, 1997. 4th
Workshop on Selected Areas in Cryptography SAC’97, 1997.
[MCD98]
Millan, Clark, and Dawson. Heuristic design of cryptographically strong
balanced boolean functions. In Advances in Cryptology: Proceedings of
EUROCRYPT, pages 489–499, 1998.
[MCD99]
Millan, Clark, and Dawson. Boolean function design using hill climbing
methods. In Proceedings of Information Security and Privacy: Australasian Conference (ACISP), pages 1–11, 1999.
[MFD03]
William Millan, Joanne Fuller, and Ed Dawson. New concepts in evolutionary search for boolean functions in cryptology. In Ruhul Sarker,
Robert Reynolds, Hussein Abbass, Kay Chen Tan, Bob McKay, Daryl
Essam, and Tom Gedeon, editors, Proceedings of the 2003 Congress on
Evolutionary Computation, pages 2157–2164. IEEE Press, 2003.
[MI88]
Matsumoto and Imai. Public quadratic polynomial-tuples for efficient
signature-verification and message-encryption. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 419–453, 1988.
[Mit05]
Mitchell. A SAT solver primer. Bulletin of the European Association
for Theoretical Computer Science, 85:112–133, 2005.
[MMZ+ 01] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang,
and Sharad Malik. Chaff: Engineering an Efficient SAT Solver. In
Proceedings of the 38th Design Automation Conference (DAC’01), pages
530–535, June 2001.
[Moh02]
T. Moh.
Comments on the courtois-pieprzyk’s attack on rijndael.
http://www.usdsi.com/aes.html, 2002.
[MPC04]
Meier, Pasalic, and Carlet. Algebraic attacks and decomposition of
boolean functions. In Advances in Cryptology : Proceedings of EUROCRYPT, pages 474–491, 2004.
[MR00]
S. Murphy and M. Robshaw. New observations on rijndael, 2000. citeseer.ist.psu.edu/murphy00new.html.
87
[MR02]
Murphy and Robshaw. Essential algebraic structure within the AES. In
Proceedings of CRYPTO, pages 1–16, 2002.
[MR03]
S. Murphy and M. Robshaw. Comments on the security of the aes and
the xsl technique. Electronic Letters, 39:36–38, 2003.
[MS88]
Meier and Staffelbach. Fast correlation attacks on stream ciphers. In
Advances in Cryptology: Proceedings of EUROCRYPT, pages 301–316,
1988.
[MS89a]
Meier and Staffelbach. Fast correlation attacks on certain stream ciphers. Journal of Cryptology, 1(3):159–176, 1989.
[MS89b]
Meier and Staffelbach. Nonlinearity criteria for cryptographic functions.
In Advances in Cryptology: Proceedings of EUROCRYPT, pages 549–
562, 1989.
[Mul04]
Muller. Differential attacks against the helix stream cipher. In Proceedings of International Workshop on Fast Software Encryption (IWFSE),
LNCS, pages 94–108, 2004.
[MvOV97] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[MY92]
Matsui and Yamagishi. A new method for known plaintext attack of
FEAL cipher. In Advances in Cryptology: Proceedings of EUROCRYPT,
pages 81–91, 1992.
[NGG06]
Yassir Nawaz, Guang Gong, and Kishan Chand Gupta. Upper bounds on
algebraic immunity of boolean power functions. In Proceedings of Fast
Software Encryption, 13th International Workshop, FSE 2006, Graz,
Austria, Revised Selected Papers, volume 4047 of LNCS, pages 375–389.
Springer, 2006.
[Obi]
M Obitko. Genetic algorithms. http://cs.felk.cvut.cz/~xobitko/ga/.
[OS98]
Daniel Olejar and Martin Stanek.
On cryptographic properties of
random boolean functions. Journal of Universal Computer Science,
4(8):705–717, 1998.
88
[OSS84]
Ong, Schnorr, and Shamir. An efficient signature scheme based on
quadratic equations. In Proceedings of ACM Symposium on Theory of
Computing (STOC), pages 208–216, 1984.
[Pas03]
Pasalic. Degree optimized resilient boolean functions from maioranamcfarland class. In Proceedings of Conference on Cryptography and
Coding (IMA), LNCS, pages 93–114, 2003.
[Pas06]
Pasalic. Maiorana-mcfarland class: Degree optimization and algebraic
properties. IEEE Transactions on Information Theory, 52(10):4581–
4594, 2006.
[Pat95]
Patarin. Cryptanalysis of the matsumoto and imai public key scheme
of eurocrypt ’88. In Proceedings of CRYPTO, pages 248–261, 1995.
[Pat96]
Patarin. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms. In Advances in
Cryptology: Proceedings of EUROCRYPT, pages 33–48, 1996.
[Pat97]
J. Patarin. The oil and vinegar algorithm for signatures. In Proceedings
of Dagstuhl workshop of cryptography, 1997.
[PLL+ 90]
Preneel, Van Leekwijk, Van Linden, Govaerts, and Vandewalle. Propagation characteristics of boolean functions. In Advances in Cryptology:
Proceedings of EUROCRYPT, pages 161–173, 1990.
[PS87]
Pollard and Schnorr. An efficient solution of the congruence x2 + ky 2 =
m(modn). IEEE Transactions on Information Theory, 33(5):702–709,
1987.
[Rom92]
Steven Roman. Advanced Linear Algebra. Springer-Verlag, 1992.
[RS87]
Rainer A. Rueppel and Othmar Staffelbach. Products of linear recurring
sequences with maximum complexity. IEEE Transactions on Information Theory, 33(1):124–131, 1987.
[RS06]
Hvard Raddum and Igor Semaev. New technique for solving sparse
equation systems. Technical Report: Cryptology ePrint Archive, Report
2006/475, 2006.
89
[Rue86]
R. A. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag,
1986.
[Sch]
Bruce Schneier.
Aes news.
http://www.schneier.com/crypto-gram-
0209.html#1.
[Sei84]
T. Seigenthaler. Correlation-immunity of nonlinear combining functions
for cryptographic applications. IEEE Transactions on Information Theory, 30(5):776–779, 1984.
[Sha49]
C. E. Shannon. Communication theory of secrecy systems. Bell Systems
Tech. Journal, 28:657–715, 1949.
[Sha93]
Shamir. Efficient signature schemes based on birational permutations.
In Proceedings of CRYPTO, pages 1–12, 1993.
[SKI06]
Makoto Sugita, Mitsuru Kawazoe, and Hideki Imai. Relation between
the xl algorithm and grobner basis algorithms. IEICE Transactions on
Fundamentals of Electronics, Communications and Computer Sciences,
E89-A(1):11–18, 2006.
[SM00a]
Sarkar and Maitra. Construction of nonlinear boolean functions with
important cryptographic properties. In Advances in Cryptology: Proceedings of EUROCRYPT, pages 485–506, 2000.
[SM00b]
Sarkar and Maitra. Nonlinearity bounds and constructions of resilient
boolean functions. In Proceedings of CRYPTO, pages 515–532, 2000.
[SS04]
Marta Simovcov and Martin Stanek.
Generating cryptographically
strong boolean functions using partial information. Periodica Mathematica Hungarica, 49(1):119–130, 2004. citeseer.ist.psu.edu/525089.html.
[Stu05]
Sturmfels. What is a grobner basis? Notices of the American Mathematical Society, 52:1199–1200, 2005.
[Tar00]
Tarannikov. On resilient boolean functions with maximal possible nonlinearity. In Proceedings of International Conference in Cryptology in
India (INDOCRYPT), pages 19–30. LNCS, Springer-Verlag, 2000.
90
[Tar01]
Tarannikov. New constructions of resilient boolean functions with maximal nonlinearity. In Proceedings of International Workshop on Fast
Software Encryption (IWFSE), LNCS, pages 66–77, 2001.
[TSM95]
Tokita, Sorimachi, and Matsui. On applicability of linear cryptanalysis to DES-like cryptosystems–LOKI89, LOKI91ands2 DES–. IEICE
Transactions on Communications, Electronics, Information and Systems, 78(9):1148–1153, 1995.
[Wag04]
Wagner. Towards a unifying view of block cipher cryptanalysis. In
Proceedings of International Workshop on Fast Software Encryption
(IWFSE), LNCS, pages 16–33, 2004.
[WB02]
Wu and Bao. Cryptanalysis of stream cipher cos (2, 128) mode i. In Proceedings of Information Security and Privacy: Australasian Conference
(ACISP), pages 154–158, 2002.
[WT85]
Webster and Tavares. On the design of S-boxes. In Proceedings of
CRYPTO, pages 523–534, 1985.
[XGZ88]
J.L Massey Xiao Guo-Zhen. A spectral characterization of correlation
immune combining functions. IEEE Transactions on Information Theory, 34(3):569–571, 1988.
[YLH98]
Yi, Lam, and Han. Differential cryptanalysis of a block cipher. In Proceedings of Information Security and Privacy: Australasian Conference
(ACISP), pages 58–67, 1998.
[YT95]
A. M. Youssef and S. E. Tavares. Resistance of balanced s-boxes to
linear and differential cryptanalysis. Information Processing Letters,
56(5):249–252, December 1995.
[ZH05]
Xiangyong Zeng and Lei Hu. Constructing boolean functions by modifying maiorana-mcfarland’s superclass functions. IEICE Transactions on
Fundamentals of Electronics, Communications and Computer Sciences,
88-A(1):59–66, 2005.
91
[ZYR89]
Zeng, Yang, and Rao. On the linear consistency test (LCT) in cryptanalysis with applications. In Proceedings of CRYPTO, pages 164–174,
1989.
[ZZ00]
Zheng and Zhang. Improved upper bound on the nonlinearity of high
order correlation immune functions. In Proceedings of the Annual International Workshop on Selected Areas in Cryptography (SAC), pages
262–274. LNCS, 2000.
[ZZI99]
Zheng, Zhang, and Imai. Restriction, terms and nonlinearity of boolean
functions. Theoretical Computer Science, 226(1-2):207–223, 1999.
92
Vita
Educational Qualifications:
Graduate Student, Computer Science, University of Texas, Austin.
Bachelor of Engineering, Information Technology, University of Pune, India.
Research interests:
Complexity theory, cryptography, information theory and all things mathematical.
Permanent Address: L/A-4, 303, Ajmera housing complex, Pimpri, Pune 411018.
This thesis was typeset with LaTeX 2ε by the author.¹

¹ LaTeX 2ε is an extension of LaTeX. LaTeX is a collection of macros for TeX. TeX is a trademark of the American Mathematical Society. The macros used in formatting this thesis were written by Dinesh Das, Department of Computer Sciences, The University of Texas at Austin, and extended by Bert Kay, James A. Bednar, and Ayman El-Khashab.