Almost Perfect Nonlinear (APN) Functions

From Boolean
Jump to navigation Jump to search

Background and definition

Almost perfect nonlinear (APN) functions are the class of (𝑛,𝑛) Vectorial Boolean Functions that provide optimum resistance to against differential attack. Intuitively, the differential attack against a given cipher incorporating a vectorial Boolean function 𝐹 is efficient when fixing some difference 𝛿 and computing the output of 𝐹 for all pairs of inputs (π‘₯₁,π‘₯β‚‚) whose difference is 𝛿 produces output pairs with a difference distribution that is far away from uniform.

The formal definition of an APN function 𝐹 : 𝔽2𝑛 β†’ 𝔽2𝑛 is usually given through the values

[math]\displaystyle{ \Delta_F(a,b) = | \{ x \in \mathbb{F}_{2^n} : F(x) + F(a+x) = b \}| }[/math]

which, for π‘Žβ‰ 0, express the number of input pairs with difference π‘Ž that map to a given 𝑏. The existence of a pair [math]\displaystyle{ (a,b) \in \mathbb{F}_{2^n}^* \times \mathbb{F}_{2^n} }[/math] with a high value of Δ𝐹(π‘Ž,𝑏) makes the function 𝐹 vulnerable to differential cryptanalysis. This motivates the definition of differential uniformity as

[math]\displaystyle{ \Delta_F = \max \{ \Delta_F(a,b) : a \in \mathbb{F}_{2^n}^*, b \in \mathbb{F}_{2^n} \} }[/math]

which clearly satisfies Δ𝐹 β‰₯ 2 for any function 𝐹. The functions meeting this lower bound are called almost perfect nonlinear (APN).

The characterization by means of the derivatives below suggests the following definition: a v.B.f. 𝐹 is said to be strongly-plateuaed if, for every π‘Ž and every 𝑣, the size of the set [math]\displaystyle{ \{ b \in \mathbb{F}_2^n : D_aD_bF(x) = v \} }[/math] does not depend on π‘₯, or, equivalently, the size of the set [math]\displaystyle{ \{ b \in \mathbb{F}_2^n : D_aF(b) = D_aF(x) + v \} }[/math] does not depend on π‘₯.

Characterizations

Walsh transform[1]

Any (𝑛,π‘š)-function 𝐹 satisfies

[math]\displaystyle{ \sum_{a \in \mathbb{F}_{2^n}, b \in \mathbb{F}_{2^m}^*} W_F^4(a,b) \ge 2^{2n}(3 \cdot 2^{n+m} - 2^{m+1} - 2^{2n}) }[/math]

with equality characterizing APN functions.

In particular, for (𝑛,𝑛)-functions we have

[math]\displaystyle{ \sum_{a \in \mathbb{F}_{2^n}, b \in \mathbb{F}_{2^n}^*} W_F^4(a,b) \ge 2^{3n+1}(2^n-1) }[/math]

with equality characterizing APN functions.

Sometimes, it is more convenient to sum through all 𝑏 ∈ 𝔽2π‘š instead of just the nonzero ones. In this case, the inequality for (𝑛,π‘š)-functions becomes

[math]\displaystyle{ \sum_{a \in \mathbb{F}_{2^n}, b \in \mathbb{F}_{2^m}} W_F^4(a,b) \ge 2^{2n + m}(3 \cdot 2^n - 2) }[/math]

and the particular case for (𝑛,𝑛)-functions becomes

[math]\displaystyle{ \sum_{a,b \in \mathbb{F}_{2^n}} W_F^4(a,b) \ge 2^{3n+1}(3 \cdot 2^{n-1} - 1) }[/math]

with equality characterizing APN functions in both cases.

Autocorrelation functions of the directional derivatives [2]

Given a Boolean function 𝑓 : 𝔽2𝑛 β†’ 𝔽2, the autocorrelation function of 𝑓 is defined as

[math]\displaystyle{ \mathcal{F}(f) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x)} = 2^n - 2wt(f). }[/math]

Any (𝑛,𝑛)-function 𝐹 satisfies

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}} \mathcal{F}(D_af_\lambda) = 2^{2n+1} }[/math]

for any π‘Ž ∈ 𝔽*2𝑛 . Equality occurs if and only if [math]\displaystyle{ F }[/math] is APN.

This allows APN functions to be characterized in terms of the sum-of-square-indicator [math]\displaystyle{ \nu(f) }[/math] defined as

[math]\displaystyle{ \nu(f) = \sum_{a \in \mathbb{F}_{2^n}} \mathcal{F}^2(D_aF) = 2^{-n} \sum_{a \in \mathbb{F}_{2^n}} \mathcal{F}^4(f + \varphi_a) }[/math]

for [math]\displaystyle{ \varphi_a(x) = {\rm Tr}(ax) }[/math].

Then any (𝑛,𝑛) function 𝐹 satisfies

[math]\displaystyle{ \sum_{\lambda \in \mathbb{F}_{2^n}^*} \nu(f_\lambda) \ge (2^n-1)2^{2n+1} }[/math]

and equality occurs if and only if 𝐹 is APN.

Similar techniques can be used to characterize permutations and APN functions with plateaued components.

  1. ↑ Florent Chabaud, Serge Vaudenay, Links between differential and linear cryptanalysis, Workshop on the Theory and Application of Cryptographic Techniques, 1994 May 9, pp. 356-365, Springer, Berlin, Heidelberg
  2. ↑ Thierry Berger, Anne Canteaut, Pascale Charpin, Yann Laigle-Chapuy, On Almost Perfect Nonlinear Functions Over GF(2^n), IEEE Transactions on Information Theory, 2006 Sep,52(9),4160-70
Retrieved from "http://boolean.wiki.uib.no/index.php?title=Almost_Perfect_Nonlinear_(APN)_Functions&oldid=415"