Xian Mo Zhang

GAC — the Criterion for Global Avalanche Characteristics of Cryptographic Functions

We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC to measure the global avalanche characteristics of cryptographic functions. We also introduce two indicators related to the new criterion, one forecasts the sum-of-squares while the other the absolute avalanche characteristics of a function. Lower and upper bounds on the two indicators are derived, and two methods are presented to construct cryptographic functions that achieve nearly optimal global avalanche characteristics.

Nonlinearity and propagation characteristics of balanced Boolean functions

Abstract Three important criteria for cryptographically strong Boolean functions are balance, nonlinearity, and the propagation criterion. The main contributions of this paper are to reveal a number of interesting properties of balance and nonlinearity, and to study systematic methods for constructing Boolean functions that satisfy some or all of the three criteria. We show that concatenating, splitting, modifying, and multiplying (in the sense of Kronecker) sequences can yield balanced Boolean functions with a very high nonlinearity. In particular, we show that balanced Boolean functions obtained by modifying and multiplying sequences achieve a nonlinearity higher than that attainable by any previously known construction method. We also present methods for constructing balanced Boolean functions that are highly nonlinear and satisfy the strict avalanche criterion (SAC). Furthermore we present methods for constructing highly nonlinear balanced Boolean functions satisfying the propagation criterion with respect to all but one or three vectors. A technique is developed to transform the vectors where the propagation criterion is not satisfied in such a way that the functions constructed satisfy the propagation criterion of high degree while preserving the balance and nonlinearity of the functions. The algebraic degrees of functions constructed are also discussed.

Relationship among Nonlinearity Criteria

Abs t rac t . An important question in designing cryptographic functions including substitution boxes (S-boxes) is the relationships among the various nonlinearity criteria each of which indicates the strength or weakness of a cryptographic function against a particular type of cryptanalytic attacks. In this paper we reveal, for the first time, interesting connections among the strict avalanche characteristics, differential characteristics, linear structures and nonlinearity of quadratic S-boxes. In addition, we show that our proof techniques allow us to treat in a unified fashion all quadratic permutations, regardless of the underlying construction methods. This greatly simplifies the proofs for a number of known results on nonlinearity characteristics of quadratic permutations. As a by-product, we obtain a negative answer to an open problem regarding the existence of differentially 2-uniform quadratic permutations on an even dimensional vector space.

Improving the strict avalanche characteristics of cryptographic functions

Abstract This letter presents a simple yet effective method for transforming Boolean functions that do not satisfy the strict avalanche criterion (SAC) into ones that satisfy the criterion. Such a method has a wide range of applications in designing cryptographically strong functions, including substitution boxes (S-boxes) employed by common key block encryption algorithms.

Pitfalls in designing substitution boxes

Two significant recent advances in cryptanalysis, namely the differential attack put forward by Biham and Shamir [3] and the linear attack by Matsui [7, 8], have had devastating impact on data encryption algorithms. An eminent problem that researchers are facing is to design S-boxes or substitution boxes so that an encryption algorithm that employs the S-boxes is immune to the attacks. In this paper we present evidence indicating that there are many pitfalls on the road to achieve the goal. In particular, we show that certain types of S-boxes which are seemly very appealing do not exist. We also show that, contrary to previous perception, techniques such as chopping or repeating permutations do not yield cryptographically strong S-boxes. In addition, we reveal an important combinatorial structure associated with certain quadratic permutations, namely, the difference distribution table of each differentially 2-uniform quadratic permutation embodies a Hadamard matrix. As an application of this result, we show that chopping a differentially 2-uniform quadratic permutation results in an S-box that is very prone to the differential cryptanalytic attack.

On constructions and nonlinearity of correlation immune functions

A Boolean function is said to be correlation immune if its output leaks no information about its input values. Such functions have many applications in computer security practices including the construction of key stream generators from a set of shift registers. Finding methods for easy construction of correlation immune functions has been an active research area since the introduction of the notion by Siegenthaler. In this paper we study balanced correlation immune functions using the theory of Hadamard matrices. First we present a simple method for directly constructing balanced correlation immune functions of any order. Then we prove that our method generates exactly the same set of functions as that obtained using a method by Camion, Carlet, Charpin and Sendrier. Advantages of our method over Camion et als include (1) it allows us to calculate the nonlinearity, which is a crucial criterion for cryptographically strong functions, of the functions obtained, and (2) it enables us to discuss the propagation characteristics of the functions. Two examples are given to illustrate our construction method. Finally, we investigate methods for obtaining new correlation immune functions from known correlation immune functions. These methods provide us with a new avenue towards understanding correlation immune functions.

The Nonhomomorphicity of Boolean Functions

We introduce the notion of nonhomomorphicity as an alternative criterion that forecasts nonlinear characteristics of a Boolean function. Although both nonhomomorphicity and nonlinearity reflect a difference between a Boolean function and all the affine functions, they are measured from different perspectives. We are interested in nonhomomorphicity due to several reasons that include (1) unlike other criteria, we have not only established tight lower and upper bounds on the nonhomomorphicity of a function, but also precisely identified the mean of nonhomomorphicity over all the Boolean functions on the same vector space, (2) the nonhomomorphicity of a function can be estimated efficiently, and in fact, we demonstrate a fast statistical method that works both on large and small dimensional vector spaces.

Structures of cryptographic functions with strong avalanche characteristics

This paper studies the properties and constructions of nonlinear functions, which are a core component of cryptographic primitives including data encryption algorithms and one-way hash functions. A main contribution of this paper is to reveal the relationship between nonlinearity and propagation characteristic, two critical indicators of the cryptographic strength of a Boolean function. In particular, we prove that n n(i) n nif f, a Boolean function on V n , satisfies the propagation criterion with respect to all but a subset ℜ of vectors in V n , then the nonlinearity of f satisfies N f ≥2n−1 −21/2(n+t)−1, where t is the rank of ℜ, and n n n n n(ii) n nWhen ¦ℜ¦ > 2, the nonzero vectors in ℜ are linearly dependent. Furthermore we show that n n n n n(iii) n nif¦ℜ¦=2 then n must be odd, the nonlinearity of f satisfies Ninf = 2n−1−21/2(n−1), and the nonzero vector in ℜ must be a linear structure of f. n n n n n(iv) n nthere exists no function on V n such that ¦ℜ¦=3. n n n n n(v) n nif ¦ℜ¦=4 then n must be even, the nonlinearity of f satisfies N f = 2n−1−21/2 n, and the nonzero vectors in ℜ must be linear structures of f. n n n n n(vi) n nif ¦ℜ¦=5 then n must be odd, the nonlinearity of f is N f =2n−1²1/2(n−1), the four nonzero vectors in ℜ, denoted by β1, β2, β3 and β4, are related by the equation β1 ⊕ β2 ⊕ β3 ⊕ β4=0, and none of the four vectors is a linear structure of f. n n n n n(vii) n nthere exists no function on V n such that ¦ℜ¦ = 6.

Comments on "Generating and counting binary Bent sequences"

We prove that the conjecture on Bent sequences stated in the paper written by Kumar, Scholtz and Welch (see J. Combinatorial Theory, Ser A, vol.40, p.90-107, 1985) is false. >