On cryptographic properties of (n + 1)-bit S-boxes constructed by known n-bit S-boxes

Abstract: The S-box is a basic component of symmetric cryptographic algorithms, and its cryptographic properties play a key role in the security of the algorithms. In this paper we give the distributions of the Walsh spectrum and the distributions of the autocorrelation functions for the (n + 1)-bit S-boxes in [12]. We obtain the nonlinearity of the (n + 1)-bit S-boxes, and a necessary and sufficient condition for the (n + 1)-bit S-boxes to be m-order resilient. Meanwhile, we also give a characterization of the (n + 1)-bit S-boxes satisfying the t-order propagation criterion. Finally, we give a relationship between the sum-of-squares indicators of an n-bit S-box S_0 and of the (n + 1)-bit S-box S (which is constructed from S_0).


Introduction
S-boxes are key components of encryption algorithms, and diffusion and confusion [11] are two important properties of a block cipher (such as DES, AES, etc.). It is very important to construct an S-box that satisfies the linear and differential properties [2,9]. There are well-studied criteria that a good S-box should satisfy to make the cipher resistant against differential and linear cryptanalysis.
So far, there are two main ways to produce S-boxes.

1. Test a random S-box. First, it is necessary to generate many random S-boxes, and then select from them the S-boxes that meet certain encryption characteristics.
2. Construct an S-box that satisfies certain cryptographic properties through mathematical methods.

In the second way, some results have been obtained.

1. Based on disjoint linear codes, Zhang, et al. [14] proposed a construction of unknown resilient S-boxes with strictly almost optimal nonlinearity. These functions reach Siegenthaler's bound, and can be of optimal or suboptimal algebraic immunity. In 2016, a construction of resilient S-boxes with higher-dimensional vectorial outputs and strictly almost optimal nonlinearity was presented in [15]. A construction of highly nonlinear (n, m, t, d) resilient S-boxes with given algebraic degree was given in [6].
2. In 2014, Li, et al. [8] gave the construction of S-boxes for lightweight ciphers with the Feistel structure. Later, the linear and differential cryptanalysis of small-sized random (n, m)-S-boxes was analyzed in [1].
3. In 2019, Varici, et al. [12] constructed (n + 1)-bit S-boxes from n-bit S-boxes with known sharings, and investigated the self-equivalency of S-boxes. Meanwhile, the classifications of all 3-bit S-boxes and 4-bit S-boxes according to affine equivalency were given for the first time in [4,7], respectively.
In this paper, we focus on the (n + 1)-bit S-boxes constructed from n-bit S-boxes in [12]. In [12], some results on the presence of self-equivalent S-boxes and involutions in affine equivalence classes were presented. But the authors did not give cryptographic properties of the (n + 1)-bit S-boxes, such as resiliency, the propagation criterion, the distribution of the Walsh spectrum and of the autocorrelation functions, etc. Therefore, we give these cryptographic properties in this paper. The results obtained here can help us to further understand the cryptographic properties of this construction method.
The organization of this paper is as follows. In Section 2, the basic concepts and notions are presented. In Section 3, we give some cryptographic properties of this construction. Section 4 concludes this paper.

Preliminaries
Let B_n be the set of n-variable Boolean functions, and let ⊕ denote addition in F_2, in F_2^n and in B_n. Every Boolean function f ∈ B_n admits a unique representation (called its algebraic normal form (ANF)) as a polynomial over F_2: where the coefficients a_0, a_i, a_{i,j}, ..., a_{1,...,n} ∈ F_2. The algebraic degree, deg(f), is the number of variables in the highest-order term with non-zero coefficient. The support of a Boolean function f ∈ B_n is defined as Supp(f) = {(x_1, ..., x_n) | f(x_1, ..., x_n) = 1}. We say that a Boolean function f is balanced if its truth table contains an equal number of ones and zeros, i.e., if |Supp(f)| = 2^{n−1}. A Boolean function is affine if there exists no term of degree > 1 in the ANF, and the set of all affine functions is denoted by A_n. An affine function with its constant term equal to zero is called a linear function.
Furthermore, the nonlinearity of f is defined as
f ∈ B_n is m-resilient if and only if F(f ⊕ φ_α) = 0 for all α ∈ F_2^n with wt(α) ≤ m [13].
The cross-correlation function between f and g is defined as
Thus, if f = g, then the auto-correlation function of f ∈ B_n is
Let f, g ∈ B_n, then f and g are perfectly uncorrelated, if △_{f,g}(α) = 0 for any α ∈ F_2^n. In order to study cross-correlation distributions between any two Boolean functions, we need the following definition:
Definition 2.3. The two indicators (σ_f and △_f) are called the global avalanche characteristics of Boolean functions f, g ∈ B_n (GAC [16]).
where 0_n is the zero vector of F_2^n.
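The quantities introduced in this section can be computed directly for the component functions v · S of any small S-box. The following is an added example, not code from the paper; it assumes the standard definitions W_f(ω) = Σ_x (−1)^{f(x) ⊕ ω·x}, nl(f) = 2^{n−1} − max|W_f|/2, △_f(α) = Σ_x (−1)^{f(x) ⊕ f(x ⊕ α)}, σ_f = Σ_α △_f(α)^2 and absolute indicator max_{α ≠ 0} |△_f(α)|. The published 4-bit PRESENT S-box serves only as sample input, and all function names are this example's own.

```python
# Added example: spectral properties of S-box component functions.
# PRESENT_SBOX is sample input; function names are hypothetical helpers.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(x):
    return bin(x).count("1") & 1

def component(sbox, v):
    """Truth table of the component function x -> v . S(x)."""
    return [parity(v & y) for y in sbox]

def walsh(tt):
    """W_f(w) = sum_x (-1)^(f(x) xor w.x), via the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    return len(tt) // 2 - max(abs(c) for c in walsh(tt)) // 2

def resilience_order(tt):
    """Largest m with W_f(a) = 0 for all wt(a) <= m; -1 if f is unbalanced."""
    w, m = walsh(tt), -1
    for k in range(len(tt).bit_length()):
        if any(w[a] for a in range(len(tt)) if bin(a).count("1") == k):
            break
        m = k
    return m

def autocorrelation(tt):
    """Delta_f(a) = sum_x (-1)^(f(x) xor f(x xor a))."""
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(len(tt)))
            for a in range(len(tt))]

def gac(tt):
    """(sum-of-squares indicator, absolute indicator) of f."""
    ac = autocorrelation(tt)
    return sum(d * d for d in ac), max(abs(d) for d in ac[1:])

def sbox_nonlinearity(sbox):
    """Minimum nonlinearity over all nonzero component functions."""
    return min(nonlinearity(component(sbox, v)) for v in range(1, len(sbox)))
```

For a bijective S-box every nonzero component function is balanced, so `resilience_order` is at least 0, and the two views of the same function are tied together by the identity 2^n · σ_f = Σ_ω W_f(ω)^4.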
The research of this paper is based on the following construction methods.

Main result
In this section, we give the distributions of Walsh spectrum and the autocorrelation functions, respectively.

The distributions of Walsh spectrum of S′
We give the Walsh spectrum of S′, and obtain some properties in this subsection.
For any wt(ω) ≠ 0 and ω ∈ F_2^n, then
Proof. According to the definition of Walsh spectrum, we have
We prove it for two cases.
1. When v ≠ 0_n. Because S′ is a bijection, (v, v_{n+1}) · S′ is a balanced function for any wt(v, v_{n+1}) ≠ 0_{n+1}. Thus, v_{n+1} = 1 or v_{n+1} = 0. Note that S is a balanced bijection, thus v · S is a balanced function for any wt(v) ≠ 0, that is, ∑
Because S′ is a bijection, v_{n+1} = 1. Then
Combining the resilient functions and the distributions of Walsh spectrum, we obtain Corollary 3.5.
According to the expression of S′ in Definition 2.4, we have and Thus, we prove this result.
Based on the distribution of autocorrelation functions in Theorem 3.6, we have this Corollary 3.7. Thus, for any wt(v, v_{n+1}) ≠ 0, σ_{(v,v_{n+1})·S′} satisfies the propagation criterion PC(t) if and only if (v · S) ⊕ G satisfies the propagation criterion PC(t).
Finally, we give one relationship between σ_{S′} and σ_S. 2σ_{v·S⊕G}, v_{n+1} = 1; for given v ∈ F_2^n.

Conclusions
In this paper, we give the distributions of the Walsh spectrum and the distributions of the autocorrelation functions for the (n + 1)-bit S-boxes in [12], and obtain the correlation immunity, propagation criterion, etc. Our results are a supplement to the results in [12]. Meanwhile, the results of this paper are given for any n-bit S-box and any G ∈ B_n; if G is replaced with a rotation symmetric Boolean function [3], then more specific results can be obtained. These properties can help us to evaluate whether the S-boxes can be used in a block cipher or a stream cipher. As a next step, it will be an important issue to study the difference properties, the algebraic immunity [10], and the global avalanche characteristics of the cross-correlation function [18] of the S-box in this paper. It is also interesting to extend the method of [12] for constructing new S-boxes.