Security and Communication Networks

Volume 2017, Article ID 6268230, 9 pages

https://doi.org/10.1155/2017/6268230

## 1-Resilient Boolean Functions on Even Variables with Almost Perfect Algebraic Immunity

^{1}School of Electronics and Information, Northwestern Polytechnical University, Shaanxi, China^{2}Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China^{3}Westone Cryptologic Research Center, Beijing, China^{4}Department of Computer Science and Technology, East China Normal University, Shanghai, China^{5}National Engineering Laboratory for Wireless Security, Xi’an University of Posts and Telecommunications, Xi’an, China

Correspondence should be addressed to Yu Yu; kh.uyuy@uyuy and Xiangxue Li; nc.ude.unce.sc@ilxx

Received 15 November 2016; Accepted 12 June 2017; Published 14 September 2017

Academic Editor: Pedro García-Teodoro

Copyright © 2017 Gang Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Several factors (e.g., balancedness, good correlation immunity) are considered as important properties of Boolean functions for using in cryptographic primitives. A Boolean function is perfect algebraic immune if it is with perfect immunity against algebraic and fast algebraic attacks. There is an increasing interest in construction of Boolean function that is perfect algebraic immune combined with other characteristics, like resiliency. A resilient function is a balanced correlation-immune function. This paper uses bivariate representation of Boolean function and theory of finite field to construct a generalized and new class of Boolean functions on even variables by extending the Carlet-Feng functions. We show that the functions generated by this construction support cryptographic properties of 1-resiliency and (sub)optimal algebraic immunity and further propose the sufficient condition of achieving optimal algebraic immunity. Compared experimentally with Carlet-Feng functions and the functions constructed by the method of first-order concatenation existing in the literature on even (from 6 to 16) variables, these functions have better immunity against fast algebraic attacks. Implementation results also show that they are almost perfect algebraic immune functions.

#### 1. Introduction

Boolean functions are one of the most important cryptographic primitives for stream ciphers, block ciphers, and hash functions in cryptography [1–4]. For instance, we take Boolean functions extensively as filter and combination generators of stream ciphers based on linear feedback shift registers [3]. Cryptographic criteria for Boolean functions include balancedness, algebraic degree, nonlinearity, and correlation immunity. An overview of cryptographic criteria for Boolean functions with extensive bibliography is given in [1].

The study of the cryptographic criteria of Boolean functions is essential because of the connections between known cryptanalytic attacks and these criteria [4]. An improperly chosen Boolean function will render the system open to various kinds of attacks. Take the property of balancedness (i.e., its Hamming weight = ), for example, the classical cryptographic criterion for designing Boolean function is useful in preventing the system from leaking statistical information on the plaintext when the ciphertext is known.

##### 1.1. Related Work

###### 1.1.1. Resilient Functions

Resilient functions (see Definition 3), first studied by Siegenthaler in [5], are a special class of Boolean functions and find many interesting applications in stream ciphers.

A function is said to be correlation-immune of the order if the output of the function is statistically independent of the combination of any of its inputs [6]. In 1988, Xiao and Massey introduced (by using properties of Walsh spectra) the notion of correlation immunity as an important cryptographic measure of a Boolean function with respect to its resistance against the correlation attack (which can be seen as solving a system of multivariate linear equations) [7].

In [8], Maitra and Sakar discussed the various methods for constructing resilient functions, and their results constitute a subset of a larger set of resilient functions.

###### 1.1.2. Algebraic Attacks

In recent years, algebraic attack [9–11] has received a lot of attention in cryptography. This kind of attacks dates back to 2003 when Courtois and Meier [10] proposed algebraic attack on stream ciphers with linear feedback, which is much powerful (breaking stream ciphers satisfying the previously known design criteria in at most the square root of the complexity of the previously known generic attack). Thus the new cryptographic property of Boolean functions-algebraic immunity (AI), the minimum algebraic degree of annihilators of or , was introduced by Meier et al. [11] to measure the ability of Boolean functions to resist algebraic attacks.

It was shown by Courtois and Meier [10] that maximum AI of* n*-variable Boolean functions is . The properties and constructions of Boolean functions with maximum AI are concerned in a large number of works (to name a few [9, 12–16]). The problem of efficiently constructing balanced Boolean functions with optimal algebraic immunity (and/or other cryptographic properties) is thus of great significance.

###### 1.1.3. Fast Algebraic Attacks

Although Boolean functions with high (or optimal, ideally) algebraic immunity can effectively resist algebraic attack, it does not rule out the possibility that these functions are vulnerable to the improved algebraic attack, that is, fast algebraic attack [17, 18].

Therefore, the cryptographic community turns to address much concern on Boolean functions resisting fast algebraic attack, besides their algebraic immunity. At Asiacrypt 2012, Liu et al. [20] initiated perfect algebraic immune (PAI) functions, Boolean functions with perfect immunity against algebraic and fast algebraic attacks. Although we know that the Carlet-Feng functions [9] on variables and the modified Carlet-Feng functions on variables are shown to be perfect algebraic immune functions [20], it is still not easy in general to explore perfect algebraic immune functions, and we do not see much successful attempt made in the literature on perfect algebraic immune functions on even variables. Thus, it is significant in both theory and practice to construct (almost) perfect algebraic immune functions on even variables with other cryptographic properties (such as resiliency) simultaneously.

We notice that Pan et al. [19] presented a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes, that is, equivalence classes. However, the cryptographic properties of the resulting functions are highly related to those of the initial functions we choose, and in particular, one would not expect strong resistance against fast algebraic attack in the resulting Boolean functions.

##### 1.2. Our Contributions

In the paper, we use primitive polynomials to construct a class of Boolean functions on even variables, achieving at the same time several desirable features. For the resulting functions, we prove the properties of 1-resiliency (see Definition 3) and suboptimal algebraic immunity (see Definition 4). We also propose the sufficient condition of achieving optimal algebraic immunity.

Compared with Carlet-Feng functions [9] and the functions constructed by the method of first-order concatenation existing in the literature on even (from 6 to 16) variables [19], ours show better immunity against fast algebraic attacks. We check that our constructions are almost perfect algebraic immune functions (see Definition 5).

##### 1.3. Roadmap

The remainder of the paper is organized as follows. Section 2 reviews some definitions related to Boolean functions and their cryptographic criteria. Section 3 presents our proposed construction of almost perfect algebraic immune resilient functions on even variables, followed by resiliency analysis in Section 4, by algebraic immunity analysis in Section 5, and by fast algebraic immunity analysis in Section 6, sequentially. Concluding remarks are located in Section 7.

##### 1.4. Notations

We summarize in Notations the notations used in this paper.

#### 2. Preliminaries

Let be the vector space of dimension over the finite field . A Boolean function on variables is a mapping from to . By the truth table of a Boolean function on input variables , we mean the length binary string , . The set of* n*-variable Boolean functions on is denoted by .

The Hamming weight of is the number of 1s in the binary string, denoted by . The support of is the set and is denoted by ; that is, . The Hamming distance between two Boolean functions and is the Hamming weight of their difference (i.e., ), where + is the addition on .

*Definition 1 (balancedness). *A Boolean function is balanced if its output is equally distributed, that is, the number of 0 elements in its truth table is equal to the number of 1 elements. In other words, an -variable Boolean function is balanced if and only if .

For , it can be uniquely represented as a multivariate polynomial in the ringand its algebraic normal form (ANF) is written as follows:

Elements of a finite field can be represented in a variety of ways, depending on the choice of basis for the representation. Let be a basis of over . Then, we can build an isomorphism between and :and we can further represent as the polynomial

Now suppose . Similarly, can be represented uniquely as bivariate polynomialand the algebraic degree of* f* is where is the Hamming weight of the binary string corresponding to the integer ; namely, if .

*Definition 2 (Walsh spectrum). *Let , , , and . The Walsh spectrum of (at ) is defined as where is the trace function, defined as

Correlation immunity has long been recognized as one of the critical indicators of nonlinear combining functions of shift registers in stream generators [21, 22]. A high correlation immunity is generally a very desirable property, in view of various successful correlation attacks against a number of stream ciphers (see, e.g., [23]). The concept of correlation-immune functions was introduced by Siegenthaler [5]. Xiao and Massey gave an equivalent definition [7, 24].

*Definition 3 (correlation immunity). *A function is called an th-order correlation-immune function ifwhere is the Hamming weight of , that is, the number of nonzero components.

If* f* is also balanced, then it is called* m*-resilient.

*Definition 4 (annihilator and algebraic immunity). *Given , we definewhere is the multiplication on . Any is called an annihilator of* f*.

The algebraic immunity of , denoted by , is defined as the minimum degree of nonzero annihilators of* f* or ; that is,

It is known [10] that , for any . If , then we say the* n*-variable Boolean function has optimal algebraic immunity.

At Crypto 2003, Courtois [17] proposed fast algebraic attacks (FAAs). The key idea is to decrease the degree of the equations (a multivariate polynomial system of equations over a finite field) using a precomputation algorithm. More formally, if there exists* n*-variable Boolean function of low degree such that is somewhat not large, then one can perform fast algebraic attack on with much confidence. To measure the resistance against fast algebraic attack, Liu et al. introduced fast algebraic immunity (FAI), which is considered as an important cryptographic property for Boolean functions used in stream ciphers:where .

Almost all the symmetric Boolean functions including the functions with good algebraic immunity behave badly against FAAs [18, 25]. However, Carlet-Feng function, a class of* n*-variable balanced Boolean functions with the maximum algebraic immunity as well as good nonlinearity [9], was proved to have almost optimal resistance and even optimal resistance against FAAs if exactly with positive integer [20]. Another class of even -variable balanced Boolean functions with the maximum algebraic immunity and large nonlinearity, called Tang-Carlet function [26], was also proved to have almost optimal resistance [27]. Moreover, the immunity of some rotation symmetric Boolean functions against FAAs was also analyzed [18, 28].

The following definition provides the functionalities of both algebraic immunity and fast algebraic immunity.

*Definition 5 ((almost) perfect algebraic immunity). *Let* f* be an* n*-variable Boolean function. The function* f* is said to be perfect algebraic immune (PAI) if, for any positive integers , the product has degree at least for any nonzero function of degree at most .

The function is said to be almost perfect algebraic immune if, for any positive integers , the product has degree at least for any nonzero function () of degree at most* e*.

#### 3. The Proposed Construction

Resilient functions (see Definition 3) are a special class of Boolean functions and find many interesting applications in stream ciphers. In [8], Maitra and Sakar discussed the various methods of creation of resilient functions, and functions constructed by these methods constitute a subset of a larger set of all resilient functions.

Pan et al. [19] presented a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes. More precisely, Pan et al. proposed a secondary construction (i.e., Siegenthaler’s [6] construction) by concatenating two balanced Boolean functions , with odd variables , where , . They can prove the existence of a nontrivial pair applied in the construction. But they can only construct a part of 1-resilient Boolean functions with optimal algebraic immunity by using these pairs. Pan et al. generalized the construction to a larger class of functions with suboptimal algebraic immunity on any number (>2) of variables. However, the cryptographic properties of the resulting functions are highly related to those of the initial functions they chose as building block, and in particular, this does not rule out the possibility that these functions are vulnerable to fast algebraic attack; that is, one would not expect strong resistance against fast algebraic attack in the resulting Boolean functions. More details on the rationale of their constructions can be found in [19] where two constructions are presented and security properties are analyzed mathematically step by step. In Section 6, we also compare the properties of fast algebraic immunity between our construction and the proposal of Pan et al. [19].

This section will present our construction followed by cryptographic property analysis in the next sections.

Throughout the rest of the paper, let , , , , be positive integers, , , , and . Let be a primitive element of finite field , and .

Set

For any , define* n*-variable Boolean function whose support consists of the following four sets:

In the coming sections, we will discuss its cryptographic properties: resiliency, algebraic immunity, and fast algebraic immunity. In particular, we will show that the functions derived from our construction are 1-resilient and with almost perfect algebraic immunity.

#### 4. Resiliency of the Proposed Construction

Nonlinear Boolean functions are generally used in symmetry cryptography. It is not surprising that the functions should have sufficiently simple scheme implementation in hardware. Besides, they must satisfy certain criteria to resist different attacks (e.g., correlation attacks suggested by Siegenthaler [29] and different types of linear attacks). One of the important factors is good correlation immunity (of order* m*); namely, the output should be statistically independent of combination of any* m* its inputs. And 1-resiliency specifies a balanced correlation-immune of order 1 Boolean function.

Theorem 6. *Suppose that is a Boolean function derived from our construction. Then we have that is -resilient.*

*Proof. *According to the definition of resiliency (see Definition 3), we first show that the function derived from our construction is balanced.

In fact, we have thatthus, the function* f* is balanced as expected.

Set . We know that then, for any , it holds thatPlugging the four sets of into , we have thatNow we consider the following two cases.*Case 1* (* and *). We have *Case 2* (* and *). We have Therefore, we can conclude that , for any and . According to Definition 3, we know that* f* is 1-resilient.

#### 5. Algebraic Immunity of the Proposed Construction

Algebraic attacks have become a powerful tool that can be used for almost all types of cryptographic systems. Algebraic immunity defined for a Boolean function measures the resistance of the function against algebraic attacks. The properties and constructions of Boolean functions with high algebraic immunity are concerned in extensive work, for example, [9, 12–16].

In this section, we will analyze the algebraic immunity of the proposed construction. First we have the following lemma.

Lemma 7 (see [30, 31]). *Suppose the integer ; it holds that**(1) for any we have **(2) for any we have*

Theorem 8. *Let the Boolean function f be derived from the proposed construction. We have*

*(1) ;*

*(2) (i.e., has optimal algebraic immunity) if or .*

*Proof. *Let* h* be an annihilator of such that , . Suppose that For any , we have and Then, for any , , and , it holds thatwhereSuppose that* y* travels in . Then the coefficients in (26) will make up a coefficient matrix which is Vandermonde-like. From the invertibility property of Vandermonde matrix, we know that for any 0 and .

Now we consider the following two cases.*Case 1* (). From Lemma 7, we know that the number of different in (28) is no more than . Thus we can further assume these are .

Setthen, we have Now, the invertibility property of Vandermonde matrix tells that Namely, for any , and , we haveTherefore, for any , it holds that As , we have thus follows.*Case 2* (*, i.e., *). From Lemma 7, we know that the number of different in (28) is no more than . Thus, for any , we have Putting all together, we know that namely, there is not any annihilator of degree lower than* k*.

Next we consider . Its support consists of the following sets:(i)(ii)(iii)(iv).Assume that* h* is an annihilator of, .

Without loss of generality, set Denotethen For any , we haveThen, for any and , it holds thatwhereSuppose that* y* travels in . Then the coefficients in (41) will make up a coefficient matrix which is Vandermonde-like. Similarly, Lemma 7 will lead to the fact that and follows.

If or , then (note that )On the other hand, we haveThus for any ,thereforeSimilarly, we haveIn a nutshell, one can conclude that (i.e.,* f* has optimal algebraic immunity) if or . And this completes the proof.

#### 6. Fast Algebraic Immunity of the Proposed Construction

Algebraic attacks are based on the establishment and processing of an overdefined system of nonlinear equations involving the secret key and the keystream sequence. The system can be practically solved, and thus the secret key is compromised, only if the equations are of low degree. Courtois and Meier demonstrated that a successful algebraic attack exists when the Boolean function (or its complement ) has a low degree annihilator (a nonzero Boolean function , such that ). At crypto 2003, Courtois [17] further generalized the standard algebraic attack to an improved version, fast algebraic attack (see also [32]), by presenting a method that allows substantially reducing the complexity of the attack. Several stream ciphers appeared to be vulnerable to the FAA, such as Toyocrypt, LILI-128, and the keystream generator that is used in E0 cipher. Fast algebraic attacks are considered to be more difficult to study than the standard algebraic attack, and thus a design with good immunity against FAA is expected.

*Definition 9 (Carlet-Feng function [9]). *Let be an -variable Boolean function, be a primitive element in , and be an integer, . DenoteWe call a Carlet-Feng function if .

Theorem 10 (see [9]). *Carlet-Feng function derived from Definition 9 has a good behavior against fast algebraic attacks.*

In particular, Carlet and Feng checked that no nonzero function of degree at most and no function of degree at most exist such that , when for odd and for even.

This has been checked for and also conjectured for every ; for , pairs of degrees such that were never observed; precisely, the nonexistence of such pairs could be checked exhaustively for and , for and , and for and .

This suggests that this class of functions, even if not always optimal against fast algebraic attacks, has a very good behavior.

Pan et al. presented [19] a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes, that is, equivalence classes. The coming result states the construction.

Theorem 11 (see [19]). *Let n be any odd integer , be a balanced Boolean function with maximum degree and optimal algebraic immunity , and be an annihilator of . Then the following is -resilient Boolean function with optimal algebraic immunity:*

*Let . There exist such that . Assume that and . Following the notion of fast algebraic immunity, one may just multiply (over ) by of degree , , and get by enumerating all possible .*

Comparatively, one can take two odd-variable Carlet-Feng functions as initial functions and construct a class of 1-resilient functions on even variables by the method proposed in [19].

Thus we can determine the appropriate values of for the three classes of Boolean functions, the first two by Carlet-Feng method [9] and the method in [19], respectively, and the last one from the method proposed in Section 3. Implemented via Maple language, Table 1 presents the minimal values of for the functions on even variables (from 6 to 16). In the table, the last column takes .