Cryptographic Criteria on Vector Boolean Functions

Most modern block and stream ciphers can be expressed as certain arrangement of Vector Boolean Functions. Thus, in the context of block and stream ciphers’ design (mainly in S-boxes and combining functions respectively), it is essential to define criteria which measure the cryptographic strength of Boolean Functions and Vector Boolean Functions. Ideally, some of the following requirements must be fulfilled by this criteria:

• Functions not balanced.The output of these kind of functions are not uniformly distributed, avoiding statistical dependence between the input and the output (which can be used in attacks).
• Functions with low algebraic degree can be approximated by low complex functions easing their attack.
• m-th order correlation-immune functions are those whose output distribution probability are unaltered when any m (or, equivalently, at most m) of the inputs are kept constant.
• Functions with low degree of Propagation Criterion has little diffusion property and their output distribution probability are altered when some coordinates of the input are complemented.
The main objective of this chapter is to characterize the more relevant cryptographic criteria (nonlinearity, linear distance, balancedness, algebraic degree, correlation immunity, resiliency and propagation criterion) for constructions of Vector Boolean Functions such as composition, addition of coordinate functions, direct sum and bricklayering, from the knowledge of their components.The study of these functions are relevant in cryptology due to the strong connection between cryptographic attacks on the one hand and cryptographic properties of these building blocks on the other hand.In most cases, the security against a particular class of attack can be expressed by the existence of a certain property of the Vector Boolean function, which results in a measure of security against that class of attacks: • Linear cryptanalysis is based on the idea of finding high probable linear or affine relations between the inputs and outputs of S-boxes present in the cipher, that is, finding S-boxes with low nonlinearity Matsui (1994).
• Differential cryptanalysis is a chosen-plaintext attack based on the idea of finding high probable differentials pairs between the inputs and outputs of S-boxes present in the cipher, that is, finding S-boxes with low linearity distance.Differential cryptanalysis Biham & Shamir (1991) can be seen as an extension of the ideas of attacks based on the presence of linear structures Nyberg (1991).
• Distinguishing attacks are able to distinguish the pseudorandom sequence from a random sequence by observing that the distribution of the sequences is not uniform for not balanced functions.
• Jakobsen and Knudsen identified interpolation attacks on block ciphers with S-boxes having small algebraic degree Jakobsen & Knudsen (1997).Later Canteaut and Videau provided Higher order differential attacks which exploit the fact that the algebraic degree of the S-box is low.In the case of combining functions, the sequence produced by n combined LSFRs can be obtained by a single LSFR.
• For the pseudo-random generators, the best known cryptanalytic technique is the correlation attack, which is based on the idea of finding correlation between the outputs and the inputs, that is, finding S-boxes with low resiliency.
• Propagation Characteristic (PC) is an important cryptographic property for S-boxes to resist differential cryptanalysis.To get uniform output distribution, S-boxes in block ciphers should have PC(l) of higher order for l ≥ 1.
Let < GF(2), +, • > be the finite field of order 2, where GF(2)=Z 2 = {0, 1},'+' the 'integer addition modulo 2' and '•' the 'integer multiplication modulo 2'.V n is the vector space of n-tuples of elements from GF(2).The direct sum of x ∈ V n 1 and y ∈ V n 2 is defined as x ⊕ y =(x 1 ,...,x n 1 , y 1 ,...,y n 2 ) ∈ V n 1 +n 2 .The inner product of x, y ∈ V n is denoted by x • y, and of real vectors x, y ∈ R n is denoted by x, y .Let x, y ∈ R n , the pointwise product is defined as 2) is called a Boolean function and F n is the set of all Boolean functions on V n .
L n is the set of all linear Boolean functions on V n : The character form of f ∈ F n is defined as x) .The truth table of χ f is called as the (1, −1)-sequence vector or sequence vector of f and is denoted by ξ f ∈ R 2 n .In other words: Let two real functions ϕ, ψ :V n → R , the circular convolution or cross-correlation is defined in Chabaud & Vaudenay (1994) as θ F (x, y)=1i fy = F(x) and θ F (x, y)=0i f y = F(x).The character form of (u, v) ∈ V n × V m can be defined as follows: Let F ∈ F n,m and u ∈ V n , then the difference Vector Boolean function of F in the direction of u ∈ V n , denoted by ∆ u F ∈ F n,m is defined as follows: We define the simplifying notation for the maximum of the absolute values of a set of real numbers {a uv } u,v , characterized by vectors u and v, as: max (a uv )=max (u,v) {|a uv |}.
Using the same simplifying notation, we define the * max (•) operator on a set of real numbers

53
Cryptographic Criteria on Vector Boolean Functions www.intechopen.com
The direct sum of F 1 and F 2 is the function: This is a generalization for Vector Boolean functions of the construction of Boolean functions first introduced in Rothaus (1976).

Adding coordinate functions
The result of adding coordinate functions of F and G is the function: This is a generalization for Vector Boolean functions of the method used in the CAST algorithm and studied in Nyberg (1995) by adding more than one coordinate function at the same time.
The Bricklayer of F and G is the function F|G ∈ F n,m : This construction corresponds to the bricklayer function Daemen & Rijmen (2002) as a parallel application of a number of Vector Boolean functions operating on smaller inputs.
Another interesting operation is the restriction o projection of a Vector Boolean Function, which can be found in ciphers such as MacGuffin Blaze & Schneier (1995).

Walsh spectrum, autocorrelation spectrum and differential profile
The Walsh and Autocorrelation Spectrum together with the Differential Profile of the Vector Boolean Functions conforming a cipher play an important role.The cryptograhic criteria nonlinearity, resiliency, balancedness, linearity distance and propagation criteria can be obtained from these three matrices.
The Walsh Spectrum of f can be represented by a matrix whose rows are characteristiced by u ∈ V n in lexicographic order, denoted by The following fundamental result can be seen as an extension of the usual Fourier Transform properties: Proof.
Definition 6.Let the Vector Boolean function F ∈ F n,m , its Walsh Transform is the two-dimensional Walsh Transform defined by: Corollary 1.The value of the Walsh transform of Vector Boolean function coincides with the value of the Walsh transform of the Boolean function v The Walsh Spectrum of F can be represented by a matrix whose rows are characteristiced by u ∈ V n and whose columns are characteristiced by v ∈ V m in lexicographic order, denoted by Definition 7. The autocorrelation of f ∈ F n with respect to the shift u ∈ V n is the cross-correlation of f with itself, denoted by r f (u) :V n → R and defined by: Let F ∈ F n,m , if we denote by D F (u, v) the set of vectors where the difference Vector where n ≥ m.The matrix containing all posible values of #D F (u, v) is referred to as its XOR or Differential Distribution Table .Let DU(F) be the largest value in differential distribution table of F (not counting the first element in the first row), namely, Then F is said to be differentially DU(F)-uniform, and accordingly, DU(F) is called the differential uniformity of F J. Seberry & Zheng (1994).By normalizing the elements of the differential distribution table we obtain the Differential profile: , then the Differential Profile of F can be represented by a matrix whose rows are characterized by u ∈ V n and whose columns are characterized by v ∈ V m in lexicographic order, denoted by DP(F) ∈ M 2 n ×2 m (R) where δ F (ff i , ff j ) with i ∈{1,...,2 n − 1} and j ∈{1,...,2 m − 1}.
and the lower bound holds if and only if F is bent and the upper bound is reached when F is linear or affine.The differential uniformity of F ∈ F n,m and its differential potential are related as follows: dp(F)= 1 2 n DU(F).The differential profile at (u, v) is related with the autocorrelation in the same point in the following way Nyberg (1995)

Characteristics
The resistance of the cryptosystems to the known attacks can be quantified through some fundamental characteristics of the Vector Boolean functions used in them.In this chapter, we consider the characteristics most commonly employed for the design of cryptographic functions present in modern block and stream ciphers.

Nonlinearity
Definition 11.The nonlinearity of the Boolean function f ∈ F n is a characteristic defined as the distance to the nearest affine function as follows: Definition 12.The nonlinearity of a Vector Boolean function F ∈ F n,m is defined as the minimum among the nonlinearities of all nonzero linear combinations of the coordinate functions of F Nyberg (1993): Alternatively, and also associated with the cardinality of the sets of values for which F ∈ F n,m satisfies any given linear relation parametrized by (u, v) we can define the linear potential of ) which is also exploited as a measure of linearity in linear cryptanalysis, and satisfies Chabaud & Vaudenay (1994) 1 2 n ≤ lp(F) ≤ 1 so that the lower bound holds if and only if F has maximum nonlinearity (F is bent) and the upper bound is reached when F is linear or affine.

Linearity distance
Definition 13.The linearity distance of the Vector Boolean function F ∈ F n,m is defined as the minimum among the linearity distances of all nonzero linear combinations of the coordinate functions of F: Definition 14.The linearity distance can be expressed in terms of the differential potential as follows: Pommerening (2005).

Balancedness
Definition 15. f ∈ F n is balanced if its output is uniformly distributed over GF(2) satisfying Definition 16.F ∈ F n,m is balanced (or to have balanced output) if each possible output m-tuple occurs with equal probability 1 2 m , that is, its output is uniformly distributed in V m .This is equivalent to say that for every y ∈ V m : 57 Cryptographic Criteria on Vector Boolean Functions www.intechopen.com
Definition 18. F ∈ F n,m is an (n, m, t)-CI function if and only if every nonzero linear combination f (x)=∑ m i=1 v i f i (x) of coordinate functions of F is an (n,1,t)-CI function, where x ∈ V n , v i ∈ GF(2) i = 1,...,m and not all zeroes.This is equivalent to say Chen et al. (2004): A balanced Boolean function f can be considered as a 0-resilient function.
Definition 20.F ∈ F n,m is said to be t-resilient if it is balanced and t-CI, satisfying: F can also be denoted as an (n, m, t)-resilient.A balanced Vector Boolean function F can be considered as a 0-resilient function.

Propagation
Definition 21.Let f ∈ F n , then f satisfies the propagation criterion of degree l, PC(l)(1 ≤ l ≤ n), if f (x) changes with a probability of 1/2 whenever i(1 ≤ i ≤ t) bits of x are complemented Preneel et al. (2006).
Definition 22. F ∈ F n,m satisfies the PC(l) if any nonzero linear combination of the component boolean functions satisfies the PC(l):

Criteria for constructions with Vector Boolean functions
In this Section, we address the behavior of Walsh Spectra, Differential Profiles, Autocorrelation Spectra and the cited characteristics under several operations of Vector Boolean functions.We present the known properties without a proof and the new to the best of our knowledge results appear with their respective proofs.

Composition of Vector Boolean functions
Let F ∈ F n,p , G ∈ F p,m and the composition function Theorem 5.The Walsh Spectrum for the composition of two Vector Boolean function can be calculated from the product of their respective Walsh Spectra in the following way Pommerening (2005): Proof.Taking into account the equality r F•L A,b (u, v)=r F (Au, v) described in Millan (1998), it holds that: If F is a t-resilient function and G is balanced, then G • F is also a t-resilient function.
Corollary 2. If F is a balanced function, then G • F is also a balanced function.

Affine bijections of Vector Boolean functions
Let F ∈ F n,m and let L A,b ∈ F m,m and L C,d ∈ F n,n be linear (or affine) bijections.
Lemma 1. From Theorem 5 and Theorem 3 we can conclude that the effect of applying an invertible linear function before (or after) a function is only a permutation of its columns (or rows).In case it is an affine bijection, the sign of all the elements of some of its columns (or rows) are changed.
Corollary 3. As a corollary of Lemma 1, we get the following: Corollary 4. The nonlinearity and the linearity distance are invariant under linear (or affine) bijections of the input space and of the output space, so that Nyberg (1995): Here we give alternative proofs as those given by Nyberg in Nyberg (1995) by using corollary 3: Proof.Proof.If we use the equality r F•L A,b (u, v)=r F (Au, v) described in Millan (1998), we can obtain the following:

Adding coordinate functions
Let F =( f 1 ,..., f m 1 ) ∈ F n,m 1 , G =( g 1 ,...,g m 2 ) ∈ F n,m 2 and the function conformed by adding the coordinate functions Theorem 9.The columns of the Walsh Spectrum of the Vector Boolean function constructed by adding the coordinate functions of two Vector Boolean functions are calculated by the correlation of their respective columns in the following way: where WS((F, G)) v is the column of the Walsh Spectrum characteristiced by v. Proof.
Corollary 5.The exact value of the nonlinearity of (F, G) cannot be easily obtained from the knowledge of the nonlinearities of F and G.
Corollary 6.The columns of both WS(F) and WS(G) are contained in the matrix WS((F, G)).
Corollary 7. From corollary 6 it can be deduced that: The corollary 7 is a generalization of the Theorem 16 in Nyberg (1995).It can be useful, for instance, to find upper bounds of nonlinearity in S-boxes whose number of output bits is high by calculating the nonlinearities of shorter S-boxes (see Example 2).

60
Cryptography and Security in Computing www.intechopen.com Example 1.The F-function of the MacGuffin block cipher algorithm consists of the 8 S-boxes of the DES, but the two middle output bits of each S-box are neglected so that S i (MacG) ∈ F 6,2 .Let define the 4-th S-box of DES as S 4 (DES)=( f 1 , f 2 , f 3 , f 4 ), then it holds that S 4 (MacG)=( f 1 , f 4 ).I f we denote MacDES the S-box which uses the second and third component functions of DES, then S 4 (MacDES)=(f 2 , f 3 ).The S-box S 4 (DES) can be obtained by adding the coordinate functions which constitute MacDES and aplying a permutation to reorder the coordinate functions.If we want to obtain the last column of the Walsh Spectrum of S 4 (DES) from the last columns of the Walsh Spectra of S 4 (MacG) and S 4 (MacDES), then the effect of the permutation can be omitted and the results are the following: WS (S 4 (DES)) ( 1111) = 1 2 6 WS (S 4 (MacG)) (11)  * WS (S 4 (MacDES)) (11)  (20) Example 2. The first substitution function of the CAST algorithm Adams & Tavares (1993) , Adams (1994) denoted by S 1 ∈ F 8,32 has a nonlinearity of 74 Youssef et al. (1997).If we decompose this Vector Boolean function into two, taking the first 16 output bits (S 1a ∈ F 8,16 ) and the second 16 output bits (S 1b ∈ F 8, 16) respectively, we can see that the corollary 7 is satisfied: Theorem 10.If F, G ∈ F n,n are bijective, F −1 is a t 1 -resilient function and G −1 is a t 2 -resilient function, then the inverse of the Vector Boolean function obtained by adding the coordinates functions of F and G, denoted by (F, G) Theorem 11.The autocorrelation of the Vector Boolean function resulting by adding the coordinate functions of two Vector Boolean functions can be expressed in terms of their respective directional derivatives as follows: 61 Cryptographic Criteria on Vector Boolean Functions www.intechopen.com Corollary 15.NL(F| A ) ≥ NL(F), LD(F| A ) ≤ LD(F).Corollary 16.By Theorem 9, it can be demonstrated that if F is t-resilient, then F| A is at least t-resilient.

Direct sum of Vector Boolean functions
Let Theorem 13.The elements which conform a row in the Walsh Spectrum of the direct sum of two Vector Boolean functions are equal to the product of the respective components of the rows in both Walsh Spectra .The rows of the Differential Profile of the direct sum of two Vector Boolean functions are obtained by the correlation of the rows of the Differential Profiles of each Vector Boolean function.

63
Cryptographic Criteria on Vector Boolean Functions www.intechopen.com The first result was already known for Boolean functions Sarkar & Maitra (2000a), here we give a proof for Vector Boolean functions. Proof.
The second result is new and the proof is given below: Proof.

NL(F
Example 4. The full substitution function of the CAST algorithm S(CAST) ∈ F 32,32 is constructed by forming the direct sum of 4 S-boxes S i (CAST) ∈ F 8,32 satisfying: For the exact calculation of the S(CAST) nonlinearity we need to find out the maximum value from all the elements of a 2 32 × 2 32 matrix representing its Walsh Spectrum, or alternatively, to determine the Walsh Spectra of the 2 32 linear combinations of its coordinate functions which are 2 32 × 1 matrices.Nevertheless, by 19, the nonlinearity is obtained by calculating the maximum value of the product of the maxima values of four Walsh Spectra (2 8 × 1 matrices) for each of the 2 32 linear combinations of its coordinate functions.
This result coincides with the estimation of nonlinearity done in Youssef et al. (1997).
Here we give alternative proof as those given in Zhang & Zheng (1997): Proof.For all u ∈ V n 1 +n 2 satisfying wt(u)=t 1 + t 2 + 1, exists either u 1 ∈ V n 1 with wt(u 1 )= t 1 + 1 and u 2 ∈ V n 2 with wt(u 2 )=t 2 so that u = u 1 ⊕ u 2 or u 1 ∈ V n 1 with wt(u 1 )=t 1 and u 2 ∈ V n 2 with wt(u 2 )=t 2 + 1 so that u = u 1 ⊕ u 2 .In both scenarios, it holds that: This result is an extension of what was obtained in Seberry & Zhang (1993) for Boolean functions.Theorem 15.The elements which conform a row in the Autocorrelation Spectrum of the direct sum of two Boolean functions are obtained by the product of the respective components of the rows in both Autocorrelation Spectra.Let f 65 Cryptographic Criteria on Vector Boolean Functions www.intechopen.comTheorem 16.Let f 1 satisfies the PC(l 1 ) and f 2 satisfies the PC(l 2 ), then f 1 ⊕ f 2 satisfies the PC(l) with l = min{l 1 , l 2 }.Moreover, it holds that r f 1 ⊕ f 2 (u)=0 for all u = u 1 ⊕ u 2 with wt(u)= l 1 + l 2 + 1 except those which satisfies u 1 = 0 or u 2 = 0.
Theorem 17.The elements which conform the Walsh Spectrum (respect.Differential Profile) of the Bricklayer of two Vector Boolean functions are obtained by the product of the respective components in both Walsh Spectra (respect.Differential Profiles).

66
Cryptography and Security in Computing www.intechopen.com

Conclusions
In this chapter, several characteristics have been obtained for Vector Boolean Functions which are constructed using simpler functions combined in different ways.Precisely, the Walsh Spectrum of the overall function is obtained from the spectra of the functions when they are combined via composition, addition of coordinate functions, direct sum or bricklayer construction.In addition, when affine bijections or projection are employed, the maximum value of the overall Walsh Spectrum is obtained from the maximum values of the involved elements spectra.These results allow for the computation of nonlinearity, balancedness and resiliency of the mentioned constructions.
Alternatively, the Differential Profile of the system resulting from the composition with an affine function, direct sum, or bricklayer is also derived from the Differential Profiles of the involved elements.Moreover, when affine bijections or projections are employed, bounds on the maximum value of the Differential Profile for the resulting Function are also obtained.Therefore, the linearity distance for the cited constructions is computed.
Finally, the Autocorrelation Spectrum of a Vector Boolean Function constructed via affine bijections of Vector Boolean Functions and direct sum of Boolean functions is provided from the knowledge of the respective elements Autocorrelation Spectra.Moreover, the autocorrelation coefficients resulting from adding coordinate functions with linear structures are obtained.As a consequence, the propagation criterion resulting from the cited constructions is also provided.
Let a Boolean function f ∈ F n , the Walsh Transform of f at u ∈ V n is the n-dimensional Discrete Fourier Transform and can be calculated as follows: F) u is the row of the Walsh Spectrum characteristiced by u and WS(F) v is the column of the Walsh Sprectrum characteristiced by v. 55 Cryptographic Criteria on Vector Boolean Functions www.intechopen.comTheorem 3. Let L A,b ∈ F n,m an affine Vector Boolean function where L A,b (x)=Ax + b with A ∈ M n×m (GF(2)) and b ∈ V m , its spectrum holds that Pommerening (2005):

56
Cryptography and Security in Computing www.intechopen.comCryptographic Criteria on Vector Boolean Functions 7 Let F ∈ F n,m and let L A,b ∈ F n,n an affine bijection.The Differential Profile for their composition can be calculated from the product of their respective Differential Profiles in the following way: m and let L A,b ∈ F n,n an affine bijection, then F • L A,b satisfies the PC(l) if and only if F satisfies the PC(l).
n are bijective, F −1 is a balanced Vector Boolean function and G −1 is a balanced Vector Boolean function, then the inverse of the Vector Boolean function resulting of adding the coordinates functions of F and G, denoted by (F, G) −1 is a balanced Vector Boolean function.