Generalized Maiorana-McFarland Constructions for Almost Optimal Resilient Functions

In a recent paper \cite{Zhang-Xiao}, Zhang and Xiao describe a technique for constructing almost optimal resilient functions on an even number of variables. In this paper, we will present an extensive study of the constructions of almost optimal resilien…

Authors: WeiGuo Zhang, GuoZhen Xiao

Confusion and diffusion, introduced by Shannon [2], are two important principles used in the design of symmetric cryptosystems (stream ciphers and block ciphers). Boolean functions possessing multiple cryptographic criteria play an important role in enforcing these principles. The following criteria for cryptographic Boolean functions are often considered: high nonlinearity, high resiliency, high algebraic degree and the strict avalanche criterion (SAC). The tradeoffs among these criteria are difficult problems and have received a lot of attention. By an $(n, m, d, N_f)$ function we mean an $n$-variable, $m$-resilient Boolean function $f$ with algebraic degree $d$ and nonlinearity $N_f$. Siegenthaler [3] and Xiao [4] proved that $d \le n - m - 1$ for $n$-variable, $m$-resilient functions. A function reaching this bound is called degree-optimized. For relations between SAC and resiliency, see [5], [6]. Construction of resilient functions with high nonlinearity has been a challenging research problem in cryptography for twenty years [7][8][9][10][11][12][13][14][1]. On an even number of variables $n$, bent functions [15] achieve the optimal nonlinearity $2^{n-1} - 2^{n/2-1}$, but they are not resilient and their algebraic degrees are not more than $n/2$. For the case when $n \ge 9$ is odd, the maximum achievable value of $N_f$ is unknown in general, and we know only that it is strictly larger than $2^{n-1} - 2^{(n-1)/2}$ [16]. (For odd $n \le 7$, the optimal nonlinearity of $n$-variable functions is $2^{n-1} - 2^{(n-1)/2}$.) An $n$-variable Boolean function $f$ is said to be almost optimal if $N_f \ge 2^{n-1} - 2^{\lfloor n/2 \rfloor}$. The problem of how tight the nonlinearity bound of resilient Boolean functions is remains open. Construction of almost optimal resilient functions has been discussed in [11], [12], [13], [14], [1], and will also be extensively studied in this paper. A classical class of cryptographic Boolean functions is the Maiorana-McFarland (M-M) class, which can ensure many of the criteria mentioned above.
For more detailed information about M-M class functions, see [17][1] and their references. In this paper, we will introduce a generalized Maiorana-McFarland (GMM) construction technique to obtain almost optimal resilient functions. The organization of this paper is as follows. In Section 2, the basic concepts and notions are presented. Section 3 describes the GMM construction technique. Resilient functions satisfying SAC with very high nonlinearity are constructed. The degree of the GMM type resilient functions can also be optimized. In Section 4, by using Patterson-Wiedemann functions or Kavut-Yücel functions, many new $n$-variable resilient functions with nonlinearity $> 2^{n-2} - 2^{(n-1)/2}$ ($n$ odd) are obtained. In Section 5, we provide a construction technique for multiple-output resilient functions on $n$ variables ($n$ even) with nonlinearity $> 2^{n-1} - 2^{n/2}$. Section 6 concludes the paper with several open problems.

$\mathbb{F}_2^n$ is the vector space of tuples of elements from $\mathbb{F}_2$. To avoid confusion with the additions of integers in $\mathbb{R}$, denoted by $+$ and $\Sigma_i$, we denote the additions over $\mathbb{F}_2$ by $\oplus$ and i . For simplicity, we denote by $+$ the addition of vectors of $\mathbb{F}_2^n$. $f(X_n)$ is generally represented by its algebraic normal form (ANF): where The algebraic degree of $f(X_n)$, denoted by $\deg(f)$, is the maximal value of $wt(u)$ such that $\lambda_u \neq 0$, where $wt(u)$ denotes the Hamming weight of $u$. $f$ is called an affine function when $\deg(f) = 1$. An affine function with constant term equal to zero is called a linear function. Any linear function on $\mathbb{F}_2^n$ is denoted by: ω $f \in B_n$ is said to be balanced if its output column in the truth table contains an equal number of 0's and 1's (i.e. $W_f(0) = 0$). In [4], a spectral characterization of resilient functions has been presented.
Lemma 1: An $n$-variable Boolean function is $m$-resilient if and only if its Walsh transform satisfies

In terms of Walsh spectra, the nonlinearity of $f \in B_n$ is given by [18] N

Definition 1: The Boolean function $f \in B_n$ is said to be almost optimal if , when $n$ is even; , when $n$ is odd.

The autocorrelation function of $f \in B_n$ is defined by

The SAC was introduced by Webster and Tavares [19].

Definition 2 ([7]): The functions of the original M-M class are defined as follows: For any positive integers $p$, $q$ such that $n = p + q$, an M-M function is a function $f \in B_n$ defined by where $\phi$ is any mapping from $\mathbb{F}_2^q$ to $\mathbb{F}_2^p$ and $\pi \in B_q$.

This section presents two versions of GMM construction methods for constructing almost optimal resilient functions. The SAC and degree optimization of the GMM type functions are also considered.

Construction 1: Let $n \ge 12$ be even, and let $m$ be a positive integer such that there exists an integer $k$ with Let and Let $E_0$ be any subset of . Denote by $\phi_0$ any bijective mapping from $E_0$ to $T_0$, $\phi_1$ any injective mapping from where $t \in \{n/2, k\}$. Then we construct the function $f \in B_n$ as follows:

Remark: For Inequality (8) holds, we always have So we can find an injective mapping $\phi_1$.

Theorem 1: Let $f \in \mathbb{F}_2^n$ be as in Construction 1. Then $f$ is an almost optimal $(n, m, d, N_f)$ function with for some $j$, where We obtain $S_0 = 0$. Similarly, for $0 \le wt$ Thus, $S_1 = 0$. Then we have $W_f(\omega) = 0$.
Obviously, when $0 \le wt(\omega) \le m$, we always have 0 In this case, for $\phi_0$ is a bijective mapping from $E_0$ to $T_0$, we have Then Hence, Since $\phi_1$ is an injective mapping from $E_1$ to $T_1$, we have Hence, Then we have Obviously, max If the equality (14) holds, then the term Using the method proposed in Construction 1, for the first time, the almost optimal resilient functions proposed in Let for 1 and Let $g_i \in B_{n-i}$ and $\phi_i$ be a mapping from A cryptographic Boolean function can be constructed as follows: where where Especially, when for n/2

Using the generalized version of GMM construction, we can provide functions having parameters which cannot be constructed using the reduced version. Examples of resilient functions which were not known earlier can be found in Table 2.

To the best of our knowledge, the nonlinearity values of the known constructed resilient functions satisfying SAC are not more than $2^{n-1} - 2^{\lfloor n/2 \rfloor}$ [20][11]. In this section, we present a method to obtain GMM type resilient functions satisfying SAC with nonlinearity $> 2^{n-1} - 2^{\lfloor n/2 \rfloor}$.

Construction 2: Let $n \ge 12$ be even, and let $m$ be a positive integer such that there exists an integer $k'$ with and Let $\Re_0$ be any subset of . Let $\Omega \subseteq \Gamma_1$ with $|\Omega| = |\Re_1|$ and for any $\beta \in \Omega$, $\beta^c \in \Omega$, where $\beta^c$ is the complementary vector of $\beta$, i.e. $\beta + \beta^c = (11 \cdots 1)$. Denote by $\psi_0$ any bijective mapping from $\Re_0$ to $\Gamma_0$, $\psi_1$ any bijective mapping from $\Re_1$ to $\Omega$. Then we construct the function $f' \in B_n$ as follows:

Theorem 2: Let $f' \in \mathbb{F}_2^n$ be as in Construction 2. Then f satisfies SAC, and has the nonlinearity for some $j$, then the algebraic degree of where (-1) When $wt(\alpha) = 1$, to compute $U_0$, there exist two cases to be considered:

Case 1: $wt(\alpha'_{n/2}) = 1$ and $wt(\alpha''_{n/2}) = 0$. Since $\alpha'_{n/2} \neq 0$ and $\psi_0$ is a bijection from $\Re_0$ to $\Gamma_0$, we have It follows that Then, $U_0 = 0$.

Case 2: $wt(\alpha'_{n/2}) = 0$ and $wt(\alpha''_{n/2}) = 1$. In this case, Due to the fact that for any $\beta \in \Omega$, $\beta^c \in \Omega$, we have Thus, $U_0 = 0$.
So, $U_0 = 0$ when $wt(\alpha) = 1$. Similarly, $U_1 = 0$ when $wt(\alpha) = 1$. Hence, $\Delta_{f'}(\alpha) = 0$ when $wt(\alpha) = 1$. $f'$ satisfies SAC.

The algebraic degree of any $(n, m, d, N_f)$ function $f$ obtained in Construction 1 can be optimized by adding a monomial where $\delta \in E_1$ and $l \in B_{k''-m-1}$ is a linear function. It is not difficult to prove that the nonlinearity of the degree optimized function $f''$ is equal to $N_f$, or $N_f - 2^{m+1}$. To ensure that $N_{f''} = N_f$ under certain conditions, we propose below a method to optimize the algebraic degree of the GMM functions. This idea has been considered by Pasalic in [17], and was later also used in [1].

Construction 3: Let $n \ge 12$ be an even number, $m$ be a positive integer such that there exists an integer $k''$ with We construct the function $f'' \in B_n$ as follows: (50) (51) Then clearly, So we have max From (4), When $0 \le wt(\omega) \le m$, we always have From (52) and (55), $W_{f''}(\omega) = 0$. By Lemma 1, $f''$ is an $m$-resilient function.

4 Construction of almost optimal $m$-resilient functions on $n$ variables ($n$ odd) with nonlinearity $> 2^{n-1} - 2^{(n-1)/2}$

For odd $n$, 15-variable Boolean functions with nonlinearity 16276 were constructed by Patterson and Wiedemann (PW) [22]. Recently, 9-variable Boolean functions with nonlinearity 242 were found by Kavut and Yücel (KY) [21]. We will use PW functions (or KY functions) to construct $m$-resilient functions with nonlinearity $> 2^{n-1} - 2^{(n-1)/2}$ for odd $n$.

Theorem 4: Let $n = n_0 + 15$ (respectively $n = n_0 + 9$) where $n_0$ is even, and $m$, $k$ be positive integers such that It is possible to construct an almost optimal $m$-resilient function $f \in B_n$ with

Proof: If (56) holds, then we can construct an ($n_0$, $m$, -, ) function $f_0 \in B_{n_0}$ by the method proposed in Construction 1 (Note that examples can be found in Appendix 1). Let $g \in B_{15}$ be a PW function, and $f \in B_n$ defined by We can easily deduce that When $g \in B_9$ is a KY function, the proof is similar.
Let $n_m$ be the minimum $n_0$ such that the nonlinearity of the $m$-resilient functions $f \in B_{n_m+15}$ (or $f \in B_{n_m+9}$) constructed above is strictly greater than $2^{n-1} - 2^{(n-1)/2}$. By using the information in Appendix [30].

To the best of our knowledge, the nonlinearity of the multiple-output resilient functions on $\mathbb{F}_2^n$ obtained by the existing constructions is at most $2^{n-1} - 2^{\lfloor n/2 \rfloor}$. In this section, we present a technique on constructing an $m$-resilient function, F : where $k < n/2$.

Definition 3: The nonlinearity of $F = (f_1, f_2, \cdots, f_r)$, denoted by $N_F$, is defined as [31] $N_F = \min N_{f_c}$ where where $\alpha$ is primitive in $\mathbb{F}_{2^r}$ and θ disjoint linear codes with $v$ as large as possible, and associate to each code a mapping $\varrho_j$ : where $\beta$ is primitive in $\mathbb{F}_{2^r}$ and $\eta_0^j, \cdots, \eta_{m-1}^j$ is a basis of $C'_j$. Define the matrix $B_j$ by When $\psi^{-1}(\beta'') = \emptyset$, we have $U_0 = 0$; or else Similarly, We have Noticing that for any $\beta'' \in T_0$, $\gamma'' \in T_1$, we always have $wt(\beta'') \ge m + 1$ and $wt(\gamma'') \ge m + 1$. With the similar proof as in Theorem 1 (see Case 1), we can obtain that $f_c$ is an $m$-resilient function. By Lemma 2, $F$ is an $m$-resilient function.

In this paper, we present a generalized Maiorana-McFarland (GMM) construction method to obtain almost optimal resilient functions with a nonlinearity higher than that attainable by any previously known construction method. The following problems are left for future work.

Conjectures:
1) Let $n \ge 12$ be even and $m < \lceil n/4 \rceil$. For any (n, m, -,
2) Let $n \ge 12$ be even and $\lceil n/4 \rceil \le m \le n/2 - 2$. For any (n, m, -,
3) Let $n \ge 12$ be even and m

Appendix 1: Examples of $(n, m, n-k+1, 2^{n-1} - 2^{n/2-1} - 2^{k-1})$ resilient functions. m = 1 n 12 16 20 24
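
The criteria used throughout (Lemma 1, the almost-optimal bound, the Siegenthaler bound $d \le n - m - 1$) can be checked numerically on a small function of the original M-M class from Definition 2. The following is an added example, not code from the paper: it assumes the standard forms $W_f(\omega) = \sum_x (-1)^{f(x) \oplus \omega \cdot x}$, $N_f = 2^{n-1} - \frac{1}{2}\max_\omega |W_f(\omega)|$ and $f(y, x) = \phi(y) \cdot x \oplus \pi(y)$, whose displayed formulas did not survive on this page. The function names and the sample $\phi$, $\pi$ ($n = 6$, $p = 4$, $q = 2$) are constructed for illustration.

```python
def wt(v):
    return bin(v).count("1")

def walsh(tt):
    """Walsh spectrum W_f(w) = sum_x (-1)^(f(x) + w.x), via the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def mm_truth_table(p, q, phi, pi):
    """f(y, x) = phi(y).x XOR pi(y); table index is (y << p) | x."""
    return [(wt(phi[y] & x) & 1) ^ pi[y]
            for y in range(1 << q) for x in range(1 << p)]

def nonlinearity(tt):
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def resiliency(tt):
    """Largest m with W_f(w) = 0 for all wt(w) <= m (Lemma 1); -1 if unbalanced."""
    w, n, m = walsh(tt), len(tt).bit_length() - 1, -1
    for k in range(n + 1):
        if any(w[a] for a in range(len(w)) if wt(a) == k):
            break
        m = k
    return m

def algebraic_degree(tt):
    """Degree of the ANF, obtained with the binary Moebius transform."""
    a, h = list(tt), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((wt(u) for u, c in enumerate(a) if c), default=0)

def almost_optimal(tt):
    n = len(tt).bit_length() - 1
    return nonlinearity(tt) >= 2 ** (n - 1) - 2 ** (n // 2)

# Constructed sample: n = 6, p = 4, q = 2, phi injective with weights >= m + 1 = 2.
PHI, PI = [0b0011, 0b0101, 0b1001, 0b0110], [0, 0, 0, 1]
TT = mm_truth_table(4, 2, PHI, PI)
# Same function with one weight-1 value in phi: Lemma 1 fails at weight 1.
TT_WEAK = mm_truth_table(4, 2, [0b0001, 0b0101, 0b1001, 0b0110], PI)
print(nonlinearity(TT), resiliency(TT), algebraic_degree(TT), almost_optimal(TT))
print(resiliency(TT_WEAK))
```

The sample meets the almost-optimal bound with equality ($2^{5} - 2^{3}$), which is the ceiling the GMM constructions above are designed to exceed.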
