Exploring Semi-bent Boolean Functions Arising from Cellular Automata
Luca Mariot, Martina Saletta, Alberto Leporati, Luca Manzoni
Cyber Security Research Group, Delft University of Technology, Mekelweg 2, Delft, The Netherlands
DISCo, Università degli Studi di Milano-Bicocca, Viale Sarca 336/14, 20126 Milano, Italy
Dipartimento di Matematica e Geoscienze, Università degli Studi di Trieste, Via Valerio 12/1, 34127 Trieste, Italy
May 19, 2020
Abstract
Semi-bent Boolean functions are interesting from a cryptographic standpoint, since they possess several desirable properties such as having a low and flat Walsh spectrum, which is useful to resist linear cryptanalysis. In this paper, we consider the search of semi-bent functions through a construction based on cellular automata (CA). In particular, the construction defines a Boolean function by computing the XOR of all output cells in the CA. Since the resulting Boolean functions have the same algebraic degree as the CA local rule, we devise a combinatorial algorithm to enumerate all quadratic Boolean functions. We then apply this algorithm to exhaustively explore the space of quadratic rules of up to 6 variables, selecting only those for which our CA-based construction always yields semi-bent functions of up to 20 variables. Finally, we filter the obtained rules with respect to their balancedness, and remark that the semi-bent functions generated through our construction by the remaining rules have a constant number of linear structures.
Keywords: cellular automata · stream ciphers · semi-bent functions · nonlinearity · combinatorial search · balancedness · linear structures

1 Introduction

Cellular Automata (CA) represent an appealing approach to the design of cryptographic primitives. Indeed, starting from the 80s, CA have been extensively investigated for designing Pseudo-Random Number Generators (PRNGs) [16, 14, 7], S-boxes [15, 5, 12] and secret sharing schemes [3, 9, 10], among other things.

In this work, we consider the use of CA for the construction of Boolean functions with interesting cryptographic properties. Boolean functions are cryptographic primitives that play an important role in the design of stream ciphers, where they may be used to combine or filter the output of linear feedback shift registers (LFSR) to construct a keystream, and in block ciphers, where they constitute the coordinates of S-boxes. Previous research [6, 4] focused on the investigation of CA local rules as Boolean functions, selecting those with the best cryptographic properties to withstand particular attacks when used in a CA-based PRNG. In this work we adopt a different viewpoint, which spawns from the following question: given a Boolean function of m variables with good cryptographic properties, is it possible to derive new functions from it with a larger number of variables and analogous properties by using a CA?

More specifically, the construction that we investigate in this paper employs an initial m-variable Boolean function as the local rule of a CA of n ≥ m cells. Then, a new function of n variables is constructed by applying the CA global rule and by computing the XOR of the CA cells in the output configuration. In this way, one can generate an infinite family of Boolean functions starting from the initial local rule by simply adding more cells to the CA. Techniques for generating new Boolean functions from existing ones are also called secondary (or recursive) constructions, and only few of them are known in the related literature, none of which are based on CA (see e.g. [2] for a survey). Our analysis focuses on the particular case of semi-bent Boolean functions, which have interesting cryptographic properties such as high nonlinearity. In particular, we are interested in finding semi-bent functions which generate larger semi-bent functions when plugged as local rules in our CA-based construction. As a first basic result, we show that our construction preserves the algebraic degree of the local rule. We thus design a combinatorial algorithm based on the Algebraic Normal Form representation to enumerate all Boolean functions of a fixed degree. For our experiments, we use our algorithm to enumerate all quadratic functions of 3 ≤ m ≤ [...] n = 20 variables through our CA construction. The first remarkable finding is that for m = n = [...] 20 variables. By focusing on the balanced rules of 3, 5 and 6 variables over which the construction works, we finally remark that they all have a constant number of non-trivial linear structures, namely 1 when the number of variables is odd, and 3 when it is even.

The rest of this paper is organized as follows. Section 2 covers the basic definitions concerning Boolean functions and their cryptographic properties. Section 3 introduces the CA model considered in this work and defines our CA-based construction of Boolean functions, while Section 4 describes the search algorithm used to enumerate functions of a fixed degree. Section 5 presents the results of our exhaustive search experiments on the spaces of quadratic local rules. Finally, Section 6 concludes the paper and points out some open problems concerning our construction for future research.
2 Boolean Functions and their Cryptographic Properties

In what follows, let $\mathbb{F}_2 = \{0, 1\}$ denote the finite field of two elements and let $\mathbb{F}_2^n$ be the $n$-dimensional vector space over $\mathbb{F}_2$. The support of $x \in \mathbb{F}_2^n$ is defined as $\mathrm{supp}(x) = \{i : x_i \neq 0\}$, while the Hamming weight of $x$ is $w_H(x) = |\mathrm{supp}(x)|$, i.e. the number of 1s in $x$.

A Boolean function of $n \in \mathbb{N}$ variables is a mapping $f : \mathbb{F}_2^n \to \mathbb{F}_2$, with its truth table being the $2^n$-bit string $\Omega_f$ that specifies the output value of $f$ for each of the vectors in $\mathbb{F}_2^n$, in lexicographic order. A function $f$ is called balanced if its truth table is composed of an equal number of 0s and 1s, i.e. if $w_H(\Omega_f) = 2^{n-1}$. Balancedness is a fundamental cryptographic property that Boolean functions used in stream and block ciphers should satisfy to resist statistical attacks.

Besides the truth table, a second unique representation of a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ commonly used in cryptography is the Algebraic Normal Form (ANF), which is defined as the following multivariate polynomial over the quotient ring $\mathbb{F}_2[x_1, \cdots, x_n] / (x_1^2 \oplus x_1, \cdots, x_n^2 \oplus x_n)$:

\[ P_f(x) = \bigoplus_{I \in 2^{[n]}} a_I \prod_{i \in I} x_i , \qquad (1) \]

where $2^{[n]}$ is the power set of $[n] = \{1, \cdots, n\}$. The algebraic degree of $f$ is the cardinality of the largest subset $I \in 2^{[n]}$ in its ANF such that $a_I \neq 0$. In particular, affine functions are defined as those Boolean functions with degree at most 1. As a cryptographic criterion, the algebraic degree should be as high as possible. The vector of the ANF coefficients $a_I$ and the truth table of $f$ are related by the Möbius transform:

\[ f(x) = \bigoplus_{I \in 2^{[n]} : I \subseteq \mathrm{supp}(x)} a_I . \qquad (2) \]

Another representation used to characterize several cryptographic properties of Boolean functions is the Walsh transform. Formally, the Walsh transform of a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ is defined for all $a \in \mathbb{F}_2^n$ as:

\[ W_f(a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus a \cdot x} , \qquad (3) \]

where $a \cdot x = \bigoplus_{i=1}^{n} a_i x_i$ is the scalar product of the vectors $a$ and $x$. A function $f$ is balanced if and only if the Walsh coefficient over the null vector is zero, i.e. $W_f(0) = 0$. More in general, the coefficient $W_f(a)$ measures the correlation between $f$ and the linear function $a \cdot x$. Thus, the Walsh transform can be used to compute the nonlinearity of a Boolean function $f$, which is defined as the minimum Hamming distance of $f$ from the set of all affine functions. In particular, the nonlinearity of $f$ equals

\[ N_f = 2^{n-1} - \frac{1}{2} \cdot \max_{a \in \mathbb{F}_2^n} \{ |W_f(a)| \} . \qquad (4) \]

For cryptographic applications, the nonlinearity of the involved Boolean functions should be as high as possible. From Equation (4), this means that the maximum absolute value of the Walsh transform should be as low as possible. By Parseval's relation, this can happen only when all Walsh coefficients have the same absolute value $2^{n/2}$, yielding the covering radius bound: $N_f \leq 2^{n-1} - 2^{n/2 - 1}$. Functions satisfying this bound are called bent, and they exist only when $n$ is even. Unfortunately such functions are not balanced, since $W_f(0) = \pm 2^{n/2}$, and thus they cannot be used directly in the design of stream and block ciphers. For $n$ odd, the quadratic bound is given by $N_f \leq 2^{n-1} - 2^{\frac{n+1}{2} - 1}$, and it can always be achieved by functions of algebraic degree 2.

Plateaued functions represent an interesting generalization of bent functions, since they can also be balanced while still retaining high nonlinearity. Formally, a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ is plateaued if its Walsh transform takes only three values, i.e. if $W_f(a) \in \{-\lambda, 0, +\lambda\}$ for all $a \in \mathbb{F}_2^n$. In particular, a plateaued function is semi-bent if $\lambda = 2^{\frac{n+1}{2}}$ for $n$ odd and $\lambda = 2^{\frac{n+2}{2}}$ for $n$ even. This means that the nonlinearity of a semi-bent function equals $2^{n-1} - 2^{\frac{n-1}{2}}$ when $n$ is odd and $2^{n-1} - 2^{\frac{n}{2}}$ when $n$ is even. Hence, semi-bent functions reach the quadratic bound for nonlinearity when $n$ is odd.

We conclude this section by recalling the concept of linear structures. Given a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$, the derivative of $f$ with respect to $b \in \mathbb{F}_2^n$ is defined as $D_b f(x) = f(x) \oplus f(x \oplus b)$. Then, $b$ is called a linear structure for $f$ if the derivative is a constant function, that is, if $D_b f(x) = 0$ for all $x \in \mathbb{F}_2^n$ or $D_b f(x) = 1$ for all $x \in \mathbb{F}_2^n$. Remark that the null vector is a trivial linear structure, since $D_0 f(x) = f(x) \oplus f(x \oplus 0) = 0$. Ideally, the number of linear structures in Boolean functions used for stream and block ciphers should be as low as possible.

3 The CA-Based Construction

We start by introducing the CA model considered in this work.
Definition 1. Let $f : \mathbb{F}_2^m \to \mathbb{F}_2$ be a Boolean function of $m$ variables, and $n \geq m$. A Cellular Automaton (CA) of $n$ cells and local rule $f$ is a vectorial function $F : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m+1}$ defined for all $x \in \mathbb{F}_2^n$ as:

\[ F(x_1, x_2, \cdots, x_n) = \left( f(x_1, \cdots, x_m), \cdots, f(x_{n-m+1}, \cdots, x_n) \right) . \]

A CA can thus be seen as a vectorial Boolean function where each coordinate function $f_i : \mathbb{F}_2^m \to \mathbb{F}_2$ corresponds to the local rule $f$ applied to the neighborhood $(x_i, \cdots, x_{i+m-1})$. This rule is applied just up to the coordinate $n-m+1$, meaning that the size of the input array shrinks by $m-1$. This is the No Boundary CA model studied in [12] for CA-based S-boxes, and in [8] for mutually orthogonal Latin squares. Since the local rule $f : \mathbb{F}_2^m \to \mathbb{F}_2$ is a Boolean function, it can be defined by a truth table $\Omega_f$ of $2^m$ bits. In the CA literature, the truth table of a local rule is usually represented by its Wolfram code, which amounts to the decimal value of $\Omega_f$ seen as a binary number.

We can now define our construction of Boolean functions based on the no-boundary CA model discussed above.

Definition 2. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^{n-m+1}$ be a CA of length $n \geq m$ equipped with the local rule $f : \mathbb{F}_2^m \to \mathbb{F}_2$. Then, the Boolean function induced by $f$ through the CA $F$ is the $n$-variable function $f^* : \mathbb{F}_2^n \to \mathbb{F}_2$ defined for all $x \in \mathbb{F}_2^n$ as:

\[ f^*(x) = \bigoplus_{i=1}^{n-m+1} f(x_i, \cdots, x_{i+m-1}) = f(x_1, \cdots, x_m) \oplus \cdots \oplus f(x_{n-m+1}, \cdots, x_n) . \qquad (5) \]

In other words, the construction consists in first applying the CA vectorial function $F$ induced by the local rule $f$ to the input vector $x \in \mathbb{F}_2^n$; then, the value of the constructed function $f^*$ is obtained by computing the XOR of all the output cells of the CA. Figure 1 g ives a schematic depiction of how the construction works.

Figure 1: Representation of our CA-based construction for Boolean functions.

Using the terminology of the Boolean functions literature [2], the construction of Definition 2 may be classified as a secondary construction, since it starts from a known function $f$ of $m$ variables used as a CA local rule, and generates a new function $f^*$ of $n$ variables from it. In particular, our construction gives rise to an infinite family of Boolean functions, since $f^*$ can be defined for any number of variables $n \geq m$ by simply adding cells to the CA.

Secondary constructions are mainly employed to generate new Boolean functions from old ones with analogous cryptographic properties. For example, Rothaus's construction [13] starts from three bent functions of $n$ variables, whose sum is also bent, and produces a new bent function of $n +$ [...]

Lemma 1. Let $f : \mathbb{F}_2^m \to \mathbb{F}_2$ be a Boolean function of $m$ variables. For any $n \geq m$, the function $f^*$ defined by the CA construction of Equation (5) has the same algebraic degree as $f$.

Proof. The result is clearly true when $n = m$, since in that case $f \equiv f^*$. We thus only consider the case where $n > m$. Let $d$ be the algebraic degree of $f$. Each summand in Equation (5) has degree $d$, since it always corresponds to the local rule $f$ applied on a different neighborhood. We thus have to show that not all terms of degree $d$ cancel each other out. Consider the first summand $f(x_1, \cdots, x_m)$, and let $S_d = \{I \subseteq [m] : |I| = d, a_I \neq 0\}$ be the set of monomials of degree $d$ in the ANF of $f$. Further, denote by $I_{min} \in S_d$ the minimum element of $S_d$ with respect to the lexicographic order, that is, if $I_{min} = \{i_1, \cdots, i_d\}$ and $J = \{j_1, \cdots, j_d\}$ is any other set of $S_d$, it holds $i_k < j_k$ for some $k \in [d]$ and $i_h = j_h$ for all $h \in [k-1]$. If we consider the $l$-th summand $f(x_l, \cdots, x_{l+m-1})$ for $l \in \{2, \cdots, n-m+1\}$, and we denote by $I^l_{min}$ its minimum monomial of degree $d$ in lexicographic order, we have that $I^l_{min} = (i_1 + l, \cdots, i_d + l)$, which is distinct from $(i_1, \cdots, i_d) = I_{min}$. Hence, the variables in the monomial $I^l_{min}$ cannot overlap completely those of $I_{min}$, which means that the two terms do not cancel each other out. Similarly, the monomial $I_{min}$ cannot be canceled by any non-minimal monomial of degree $d$ in the $l$-th summand. Hence, the monomial corresponding to $I_{min}$ appears in the ANF of (5), which proves that the algebraic degree of $f^*$ is also $d$. □

4 The Search Algorithm

Lemma 1 gives us a first basic insight on the nature of the functions resulting from our construction. However, the fact that the algebraic degree of the original function is preserved is not sufficient from the cryptographic point of view, since as we saw in Section 2 there are other properties to take into account, such as balancedness and nonlinearity.
Considering that semi-bent functions offer a good trade-off of these criteria, we turn our attention to the following question: what are the semi-bent Boolean functions that give rise to an infinite family of semi-bent functions when used as local rules of our CA-based construction? In other words, we are interested in finding a subset of semi-bent Boolean functions of $m$ variables such that they generate semi-bent functions for any number of variables $n \geq m$ when plugged in Equation (5). In this section and in the next one, we address this question by adopting an experimental approach. More precisely, we devise a combinatorial search algorithm to efficiently explore the search space of local rules, and retain only those semi-bent rules over which our construction yields semi-bent functions up to a specified number of variables. Clearly, we cannot prove that the rules obtained in this way indeed generate infinite families of semi-bent functions. However, this experimental search is useful to isolate at least a subset of candidate rules, to be investigated in future research.

A trivial algorithm to search for semi-bent functions simply consists in enumerating all possible truth tables of $m$-variable functions, which are $2^{2^m}$ in total. However, this brute-force procedure is extremely inefficient: most Boolean functions are not semi-bent, and searching through all of them is feasible only up to $m =$ [...] quadratic functions, i.e. functions of degree 2. As a matter of fact, quadratic functions are a subclass of plateaued functions [2], which in turn include semi-bent functions, as mentioned in Section 2. Hence, focusing on the intersection of quadratic and semi-bent functions is a reasonable trade-off between obtaining an interesting enough class of functions to investigate with respect to our construction and enumerating it in a limited amount of time.

Our search algorithm is based on the ANF representation.
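As an added illustration of the building blocks this section and Definition 2 rely on (example code, not the authors' implementation from the repository cited in the appendix), the following Python script implements the Möbius transform of Equation (2), the Walsh transform of Equation (3), the semi-bent test, the construction $f^*$ of Equation (5) and the linear-structure count, and uses them in a degree-2 instance of the Search-ANF enumeration described below (Figure 2); the truth-table bit ordering and the function names are the example's own choices.

```python
from itertools import combinations

def mobius(vec, n):
    """Fast Moebius transform over GF(2), Equation (2): ANF coefficients to truth
    table. It is an involution, so it also recovers the ANF from a truth table.
    Bit n-i of an index encodes x_i, i.e. x_1 is the most significant bit."""
    out = list(vec)
    for k in range(n):
        for x in range(1 << n):
            if x & (1 << k):
                out[x] ^= out[x ^ (1 << k)]
    return out

def walsh(tt, n):
    """Walsh transform, Equation (3), via the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * v for v in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(w, n):
    """Equation (4): 2^(n-1) - max|W_f(a)| / 2."""
    return (1 << (n - 1)) - max(abs(v) for v in w) // 2

def is_semi_bent(w, n):
    """Spectrum in {0, +/-lambda}, lambda = 2^((n+1)/2) for n odd, 2^((n+2)/2) for n even."""
    lam = 1 << ((n + 1) // 2 if n % 2 else (n + 2) // 2)
    return all(abs(v) in (0, lam) for v in w)

def anf_vector(n, monomials):
    """2^n ANF vector with a_I = 1 for each monomial, given as a tuple of
    1-based variable indices, e.g. (1, 2) for x1 x2 and (3,) for x3."""
    vec = [0] * (1 << n)
    for mon in monomials:
        vec[sum(1 << (n - i) for i in mon)] = 1
    return vec

def degree(tt, n):
    """Algebraic degree, read off the ANF recovered from the truth table."""
    return max((bin(i).count("1") for i, a in enumerate(mobius(tt, n)) if a), default=0)

def ca_construct(tt_f, m, n):
    """Truth table of f*, Equation (5): XOR of the local rule f over the n-m+1
    neighborhoods (x_i, ..., x_{i+m-1}) of the no-boundary CA of Definition 1."""
    mask = (1 << m) - 1
    out = []
    for x in range(1 << n):
        v = 0
        for i in range(n - m + 1):
            v ^= tt_f[(x >> (n - m - i)) & mask]
        out.append(v)
    return out

def linear_structures(tt, n):
    """Number of non-zero b for which the derivative D_b f is constant."""
    return sum(1 for b in range(1, 1 << n)
               if len({tt[x] ^ tt[x ^ b] for x in range(1 << n)}) == 1)

def search_anf_quadratic(m, n_max):
    """Search-ANF of Figure 2 for d = 2: each non-empty set of quadratic monomials
    combined with each set of linear ones (no constant term); keep the rules
    whose f* is semi-bent for every m <= n <= n_max (n = m is f itself)."""
    quad = list(combinations(range(1, m + 1), 2))
    lin = [(i,) for i in range(1, m + 1)]
    kept = []
    for r in range(1, len(quad) + 1):
        for T in combinations(quad, r):
            for s in range(len(lin) + 1):
                for P in combinations(lin, s):
                    tt = mobius(anf_vector(m, T + P), m)
                    if all(is_semi_bent(walsh(ca_construct(tt, m, n), n), n)
                           for n in range(m, n_max + 1)):
                        kept.append(frozenset(T + P))
    return kept

if __name__ == "__main__":
    for rule in search_anf_quadratic(3, 8):   # quadratic 3-variable rules surviving up to n = 8
        print(sorted(rule))
```

Adding linear monomials to a rule only adds an affine function to $f^*$, so the surviving rules come in groups sharing the same quadratic part; the script lists each rule by its monomials.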
Given a target algebraic degree $d$, the $2^m$-bit vector of the ANF coefficients can be easily constrained to yield only Boolean functions of degree $d$: it suffices to set at least one of the coefficients $a_I$ such that $|I| = d$ to 1, while all coefficients $a_J$ with $|J| > d$ must be set to 0. The other coefficients related to monomials of lower degree can be freely chosen. Then, by using the Möbius Transform recalled in Equation (2), one can recover the truth table starting from its ANF coefficients, and check if the corresponding quadratic function is semi-bent by computing its Walsh spectrum. In this case, we can finally test if our construction generates quadratic semi-bent functions up to a specified number of variables. The pseudocode of our search algorithm is reported in Figure 2.

5 Results of the Exhaustive Search

Let us analyze the time complexity of the search algorithm described in the previous section for the case of quadratic functions, i.e. when $d = 2$. The outer loop is applied over all subsets of monomials of degree 2, except the empty set which of course does not give a quadratic function. Since the number of quadratic terms in the ANF of an $m$-variable function is $\binom{m}{2}$, it means that the outer loop is executed $2^{\binom{m}{2}} - 1$ times. The inner loop, on the other hand, ranges over all subsets of the linear terms, hence it is executed for $2^{\binom{m}{1}}$ steps. The search space $S_{m,2}$ visited by our algorithm is thus composed of the following number of ANF vectors:

\[ |S_{m,2}| = \left( 2^{\binom{m}{2}} - 1 \right) \cdot 2^{\binom{m}{1}} = \left( 2^{\frac{m(m-1)}{2}} - 1 \right) \cdot 2^m . \qquad (6) \]

Search-ANF(m, n, d)
Initialization:
  For $1 \leq k \leq d$, build the family $\mathcal{I}_k = \{I \subseteq [m] : |I| = k\}$ of monomials of degree $k$, set all $2^m$ ANF coefficients of $f$ to 0 and initialize $L$ as the empty list
Outer Loop:
  For all subsets $\mathcal{T} \subseteq \mathcal{I}_d$ (except the empty set), do:
    ANF Initialization: Reset all $d$-degree terms in the ANF to 0
    Instantiation: For all $T \in \mathcal{T}$, set the ANF coefficient $a_T$ to 1, i.e. include in the ANF the combination of $d$-degree monomials defined by $\mathcal{T}$
    Inner Loop:
      For all subsets $\mathcal{P} \subseteq \bigcup_{k=1}^{d-1} \mathcal{I}_k$ do:
        1. Reset all terms of degree less than $d$ in the ANF to 0
        2. For all $P \in \mathcal{P}$, set the ANF coefficient $a_P$ to 1, i.e. include in the ANF the combination of monomials of degree at most $d-1$ defined by $\mathcal{P}$
        3. Apply the Möbius Transform (Equation (2)) to the ANF coefficients vector to obtain the truth table of the function $f$
        4. Compute the Walsh transform (Equation (3)) on the truth table of $f$
        5. If $f$ is semi-bent, then for all $d < i \leq n$ apply the CA construction of Equation (5) with $i$ cells, and compute the Walsh transform of $f^*$
        6. If for all $d < i \leq n$ the function $f^*$ is semi-bent, then add $f$ to $L$
Output: return $L$

Figure 2: Pseudocode of the Search-ANF algorithm.

It follows that $|S_{m,2}| = O(2^{m^2})$, which is asymptotically better than the $O(2^{2^m})$ bound given by the brute-force search approach.

We thus applied our algorithm Search-ANF on the sets of quadratic functions of $3 \leq m \leq$ [...] $n =$
20 variables. Table 1 reports the results of our search. In particular, for each considered $m$ we give the corresponding number $2^{2^m}$ of $m$-variable Boolean functions which would be searched by a brute-force algorithm, the number $|S_{m,2}|$ of quadratic functions actually explored by our algorithm and the number QSB of quadratic semi-bent functions found over which our construction works. A first remarkable finding that one can draw from Table 1 is that our construction does not work on any quadratic function of 4 variables. In particular, the largest number of CA cells for which our construction produced semi-bent functions for $m = 4$ is $n =$ [...]. For the other values of $m$ our algorithm found semi-bent functions over which our construction worked up to the target value $n = 20$. For this reason, we excluded the case $m = 4$ [...]. Among the rules found by the Search-ANF algorithm for which our CA-based construction always produced semi-bent functions of up to 20 variables, we filtered only those local rules that always produce balanced functions, as reported in the last column of Table 1. For each of the remaining functions, we observed that the number of linear structures of every function obtained with the application of our construction is constant. In particular our experiments show that, regardless of the number of variables of the initial local rule, the number of linear structures of each constructed function is equal to 1 when the number of cells $n$ is odd, and 3 when $n$ is even.

Table 1: Results obtained with the Search-ANF algorithm and by filtering only the rules that produce balanced functions.

m   $2^{2^m}$   $|S_{m,2}|$   QSB   Bal
≈ . ·   32 736   2 208   2806   ≈ . ·   . ·   12 208   1937

6 Conclusions and Open Problems

As we observed in Section 4, our experimental results do not rule out the possibility that our CA-based construction fails for $n >$
20 over the semi-bent rules found by our algorithm. However, we believe that at least for a subset of these rules this construction indeed generates semi-bent functions for any $n \in \mathbb{N}$, and the preliminary filtering operation performed in this paper greatly reduces the number of possible candidates, thus easing their theoretical analysis for future research. The first interesting open question to address is understanding why our construction always failed only for $m = 4$ [...] sufficient condition for our construction to work.

From an applicative point of view, we remark that the 8 balanced rules of $m =$ [...] $n \in \mathbb{N}$, one idea could be to modify the pseudorandom generator by taking the value of all cells in the CA instead of only the central one, and then compute their XOR as the next pseudorandom bit.

More in general, a very interesting research direction would be to investigate our construction with respect to semi-bent functions of higher algebraic degree. Indeed, even though quadratic functions can reach high levels of nonlinearity, their degree is too low and this can be exploited in algebraic attacks [2]. In this regard, it would be interesting to apply our algorithm to search for cubic semi-bent functions over which our construction works.

Finally, another venue for further research on a topic which is not related to cryptography but rather to the theory of CA themselves, is to investigate whether our construction could give any insight about the periods of spatially periodic preimages in surjective CA. As shown in [11], the least periods of preimage families in bipermutive CA are characterized by disjoint cycles, but up to now an algebraic characterization of such periods has been given only for the case of linear rules. Given that the rules of an even number of variables found in our experiments are all characterized by three linear structures, it could be the case that many of them are indeed bipermutive, considering the connection between bipermutivity and linear structures observed for instance in [6]. In that case, our construction could possibly give further information on the least periods of preimages of quadratic bipermutive CA.
Appendix: Source Code and Experimental Data
The source code of the search algorithm and the experimental data are available at https://github.com/rymoah/ca-boolfun-construction .

Acknowledgements. The authors wish to thank Claude Carlet and Stjepan Picek for useful comments on a preliminary version of this work. This research was partially supported by FRA 2020 - UNITS.
References

[1] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche. The Keccak reference, January 2011.
[2] C. Carlet. Boolean functions for cryptography and error correcting codes. In Y. Crama and P. Hammer, editors, Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pages 257–397. Cambridge University Press, 2010.
[3] Á. M. del Rey, J. P. Mateus, and G. R. Sánchez. A secret sharing scheme based on cellular automata. Appl. Math. Comput., 170(2):1356–1364, 2005.
[4] E. Formenti, K. Imai, B. Martin, and J.-B. Yunès. Advances on random sequence generation by uniform cellular automata. In C. S. Calude, R. Freivalds, and I. Kazuo, editors, Computing with New Resources, pages 56–70. Springer, 2014.
[5] A. Ghoshal, R. Sadhukhan, S. Patranabis, N. Datta, S. Picek, and D. Mukhopadhyay. Lightweight and side-channel secure 4 × 4 S-boxes from cellular automata rules. IACR Trans. Symmetric Cryptol., 2018(3):311–334, 2018.
[6] A. Leporati and L. Mariot. Cryptographic properties of bipermutive cellular automata rules. J. Cell. Autom., 9(5-6):437–475, 2014.
[7] L. Manzoni and L. Mariot. Cellular automata pseudo-random number generators and their resistance to asynchrony. In G. Mauri, S. E. Yacoubi, A. Dennunzio, K. Nishinari, and L. Manzoni, editors, ACRI 2018, volume 11115 of LNCS, pages 428–437. Springer, 2018.
[8] L. Mariot, M. Gadouleau, E. Formenti, and A. Leporati. Mutually orthogonal latin squares based on cellular automata. Des. Codes Cryptogr., 88(2):391–411, 2020.
[9] L. Mariot and A. Leporati. Sharing secrets by computing preimages of bipermutive cellular automata. In J. Was, G. C. Sirakoulis, and S. Bandini, editors, ACRI 2014, volume 8751 of LNCS, pages 417–426. Springer, 2014.
[10] L. Mariot and A. Leporati. Inversion of mutually orthogonal cellular automata. In G. Mauri, S. E. Yacoubi, A. Dennunzio, K. Nishinari, and L. Manzoni, editors, ACRI 2018, volume 11115 of LNCS, pages 364–376. Springer, 2018.
[11] L. Mariot, A. Leporati, A. Dennunzio, and E. Formenti. Computing the periods of preimages in surjective cellular automata. Nat. Comput., 16(3):367–381, 2017.
[12] L. Mariot, S. Picek, A. Leporati, and D. Jakobovic. Cellular automata based S-boxes. Cryptography and Communications, 11(1):41–62, 2019.
[13] O. S. Rothaus. On "bent" functions. J. Comb. Theory, Ser. A, 20(3):300–305, 1976.
[14] F. Seredynski, P. Bouvry, and A. Y. Zomaya. Cellular automata computations and secret key cryptography. Parallel Comput., 30(5-6):753–766, 2004.
[15] M. Szaban and F. Seredynski. Cryptographically strong S-boxes based on cellular automata. In H. Umeo, S. Morishita, K. Nishinari, T. Komatsuzaki, and S. Bandini, editors, ACRI 2008, volume 5191 of LNCS, pages 478–485. Springer, 2008.
[16] S. Wolfram. Cryptography with cellular automata. In H. C. Williams, editor, CRYPTO '85, volume 218 of