Functions over ﬁnite ﬁelds - Analysis, classification and construction of optimal cryptographic

Figure 2.7: Computation of the BCT at point(_a,b)for an S-boxS

bility studied in (2.2) whenEmis an S-box. There is a strong relation between boomerang and differential uniformity. The former is always bigger than or equal to the latter and functions with optimal differential uniformity also have optimal boomerang uniformity.

Another rather powerful attack on symmetric cryptosystems is the linear attack, see [88]. This attack is effective when it is possible to ﬁnd good linear approximations to the cipher up to a certain number of rounds. The nonlinear-ity property evaluates the resistance of the S-box to such attack.

As already mentioned, optimal cryptographic functions, are often optimal for other mathematical ﬁelds as well. Hence studying and getting a better un-derstanding of such functions can lead to important results in other research areas. The work of this thesis is focused on the differential uniformity prop-erty and on the boomerang uniformity propprop-erty. In particular it focuses on the study of optimal vectorial Boolean functions with respect to these properties.

2.2 Functions over ﬁnite ﬁelds

We present here necessary mathematical notions for understanding the con-tent of the next chapters. Even though most of the results presented in this work concern ﬁnite ﬁelds of even characteristic, we prefer to introduce many mathematical objects in their general deﬁnition. This is done in particular for deﬁnitions that will be used also for the case of ﬁnite ﬁelds of odd

characteris-tic in Chapter7.

Forpa prime number andna positive integer, we deﬁneFpⁿthe ﬁnite ﬁeld with pⁿ elements, and Fⁿ_p the n-dimensional vector space over Fp, where an elementλ∈Fⁿ_p is of the formλ= (_λ₁, . . . ,λn). The p-weight of λ∈Fⁿ_pis the integerwp(_λ) =_∑ⁿ_i₌₁_λ_i. Instead, thep-weight of a positive integerk≤pⁿ−1 is thep-weight of thep-ary expansion∑ⁿ_i₌⁻₀¹pⁱk_iofk, that isw_p(k₀, . . . ,k_n₋₁). With F^⋆_pn=hζiwe denote the multiplicative subgroup ofFpⁿ, whereζis a primitive element. In general, for any setE,E^⋆denotes its subsetE\ {0}.

Deﬁnition 2.1. An(n,m,p)-function, or avectorial function, is a map F from the vector spaceFⁿ_pto the vector spaceF^m_p. When p=2, such function is simply called an (n,m)-functionor avectorial Boolean function.

Remark 2.1. We assume here and in the next chapters that, when referring to an (n,m,p)-function, we have m≤n.

When m =1, the function is usually denoted by a lower case f and it is called aBoolean functionwhenp=2. In this last case we call f also ann-variable Boolean function.

An(n,m,p)-functionFcan be seen as a vector of(n, 1,p)-functions:

F= (f1, . . . ,fm),

where f₁, . . . ,fm are (n, 1,p)-functions called the coordinates of F. Given an elementλ∈F^m_p,λ6=0, theλ-component ofFis the(n, 1,p)-function

f_λ=λ·F=

∑

m i=1

λ_if_i.

A vectorial function admits different representations. Thealgebraic normal form, shortly ANF, of an(n,m,p)-functionFis its representation as a polynomial with coefﬁcients inF^m_p. Hence the ANF representation ofF∈F^m_p[x₁, . . . ,xn]is of the form

F(x₁, . . . ,xn) =

∑

u∈Fⁿp

∏

n i=1

x^u_iⁱ, withau∈F^m_p.

Thealgebraic degreeof F, denoted as deg(F), is the maximum value in the set {wp(u):u∈Fⁿ_p s.t.au6= (0, . . . , 0)}and it corresponds to the maximum alge-braic degree of the coordinate functions ofF.

2.2 Functions over ﬁnite ﬁelds 19 The value set or image set ofFis denoted by Im(F), i.e. Im(F) ={F(c):c∈ Fⁿ_p}, and the set of roots ofFoverFⁿ_pis denoted by Ker(F). Whenm=nthe polynomialFis apermutation polynomial(PP) overFⁿ_pif Im(F) =Fⁿ_p, and it is a complete mappingoverFⁿ_pif bothFandF+Idare PPs. WithIdwe indicate the identity map, i.e. Id(u) =ufor everyu∈Fⁿ_p.

An(n,m,p)-function is calledbalancedif it takes every value ofF^m_p the same number pⁿ⁻^m of times. It is equivalent to have all the non-zero components balanced. Obviously, form=n, balanced functions are the permutations ofFⁿ_p. Whenm=ntheunivariate polynomial representationis often used. Indeed, the vector spaceFⁿ_p is identiﬁed with the ﬁnite ﬁeldFpⁿ, and a functionF:Fpⁿ → Fpⁿ admits a unique representation as a polynomial overFpⁿof degree at most pⁿ−1,

F(x) =

pⁿ−1 i

∑

a_ixⁱ, with a_i∈Fpⁿ.

In this case the algebraic degree can be expressed using the p-weight of the exponents. It corresponds to the maximal p-weight ofi such that a_i 6=0, see [42, p. 404] for the case p=2.

Given an(n,n,p)-functionF, we callF

• p^m-linearor ap^m-polynomial, forma positive divisor ofn, if it is of the form F(x) =_∑^n/m_i₌₀⁻¹a_ix^p^mi, witha_i∈Fpⁿ;

• linearif it is of the formF(x) =_∑ⁿ_i₌⁻₀¹a_ix^pⁱ, witha_i∈Fpⁿ;

• afﬁneif it is the sum of a linear function and a constant;

• DO polynomial(Dembowski-Ostrom polynomial) if it is of the formF(x) =

∑ⁿ_i,j⁻₌¹₀a_ijx^pⁱ⁺^p^j, witha_ij∈Fpⁿ (ifp=2 theni<j);

• quadraticif it is the sum of a DO polynomial and an afﬁne function.² A well-known example of linear function is the tracefunction that maps Fpⁿ

intoFp:

Trn(x) =Tr(x) =x+x^p+x^p²+. . .+x^pⁿ⁻¹=

n−1 k

∑

x^p^k.

Forma positive divisor ofn, the map Tr^m_n denotes the trace function fromFpⁿ

intoFp^m:

Tr^m_n(x) =Tr^m(x) =x+x^p^m+x^p^2m+. . .+x^p^(n/m−1)m.

2Afﬁne functions and quadratic functions have algebraic degree at most one and two respectively.

For the univariate representation, theλ-component ofFis the mapf_λ=Tr(λF). Remark 2.2. If m is a positive divisor of n, then a map F:Fpⁿ →Fp^m admits a univariate polynomial representation since it can be viewed as a function fromFpⁿ to itself.

2.2.1 The differential uniformity

Deﬁnition 2.2.For an(n,m,p)-function F and(a,b)∈Fⁿ_p×F^m_p, letδF(a,b)be the number of solutions of the equation F(x+a)−F(x) =b. Then the value

δF= max

a∈Fⁿp\{0},b∈F^mp

δF(a,b) (2.3)

is called the differential uniformity of F and F is said to be differentially δF -uniform. The function

∆F(x,y) =F(x+y)−F(x)−F(y)∈F^m_p[x,y] is called thedifference operator ofF and the map

DaF(x) =F(x+a)−F(x) =_∆_F(x,a) +F(a) is thederivative ofFin the direction ofa.

When the mapF, considered in its univariate polynomial representation, is a power function, then the differential uniformity can be computed by ﬁxing a=1. Indeed, forF(x) =x^d,DaF(x) = (x+a)^d−x^d=a^d _x

a+1_d

− ^x_a^d. The number of solutions ofDaF(x) =bequals the number of solutions ofD1F(x) =

b a^d.

Differential uniformity measures the resistance ofF, used as an S-box inside a cryptosystem, to the differential attack. To achieve a good resistance, the value ofδF has to be small. Hence the best resistance is achieved whenδF= pⁿ⁻^mand in this case the functionFis calledperfect nonlinear(PN). A function F is perfect nonlinear if and only if all its derivatives, except the one in the zero direction, are balanced, see Proposition 9.3 in [42] for the casep=2. For m=nsuch functions, withδF=1, that is, with all non-zero derivatives being permutations, are also calledplanar.

Clearly, forp=2, the smallest value achievable for(n,n)-functions is 2. In-deed ifx⁰ is a solution ofD_aF(x) =b, alsox⁰+asatisﬁes the equation. In even characteristic, functions that achieve the best resistance are calledalmost perfect nonlinear(APN).

2.2 Functions over ﬁnite ﬁelds 21

2.2.2 Equivalence relations

In order to study vectorial functions, it is important to use equivalence rela-tions. This is especially true since the number of functions is so huge that it is not feasible to analyse each function. In this situation, it is easier to divide the set of all functions into equivalence classes and, for each class, study the prop-erties of one representative function. For example, the total number of (n, n)-functions is(2ⁿ)²ⁿ but, when considering an equivalence relation, the number of classes may be considerably smaller. Even for small dimensions the equiv-alence relations give us a big advantage. Indeed for n=4 there are in total 2⁶⁴ (4,4)-functions but, for the case of EA-equivalence, it has been computed that there are only 4713 different classes, see [20]. Since we are mainly inter-ested in studying the differential property of vectorial functions, we introduce equivalence relations that preserve the differential uniformity.

GivenF,F⁰two functions fromFⁿ_ptoF^m_p, they are called

• linear equivalentif F⁰=A₁◦F◦A₂, for A₁,A₂ linear permutations ofF^m_p andFⁿ_prespectively;

• afﬁne equivalent ifF⁰ =A1◦F◦A2, for A1,A2 afﬁne permutations ofF^m_p andFⁿ_prespectively;

• extended afﬁne equivalent(EA-equivalent) if F⁰ =F⁰⁰+A, for A (n,m,p) -afﬁne map andF⁰⁰(n,m,p)-function afﬁne equivalent toF;

• Carlet-Charpin-Zinoviev equivalent(CCZ-equivalent [44]) if there exists an afﬁne permutationLofFⁿ_p×F^m_p that maps the graph ofFinto the graph ofF⁰(L(ΓF) =Γ_F0), whereΓF={(x,F(x)):x∈Fⁿ_p}andΓ_F0={(x,F⁰(x)): x∈Fⁿ_p}.

These relations are connected to each other: linear equivalence is a particular case of afﬁne equivalence, afﬁne equivalence is contained in EA-equivalence and EA-equivalence is contained in CCZ-equivalence. Moreover, every per-mutation is CCZ-equivalent to its inverse, while, in general, a perper-mutation and its inverse are not EA-equivalent. When a function is not afﬁne, its algebraic degree is preserved via EA-equivalence but not via equivalence. CCZ-equivalence is so far the most general notion of CCZ-equivalence for which the dif-ferential uniformity is an invariant. Indeed, it has been proved to be more gen-eral than EA-equivalence together with taking the inverse of a permutation, see

[32]. However there are some speciﬁc cases for which these two equivalences coincide:

• for planar functions, in the case of DO planar functions they coincide also with linear equivalence, [33];

• for Boolean functions, [27];

• two quadratic APN functions are CCZ-equivalent if and only if they are EA-equivalent, as conjectured by Edel and proved by Yoshiara in [105].

Another notion of equivalence is known for planar quadratic functions which preserve differential uniformity and which is more general than CCZ-equivalence. This equivalence is called isotopic equivalence and it will be ex-plained in Section2.4.

In document Analysis, classification and construction of optimal cryptographic Boolean functions (sider 30-35)