Correlation immunity and resiliency of Boolean functions
In the standard model of a stream cipher, the outputs of [math]\displaystyle{ n }[/math] linear feedback shift registers are the entries of a Boolean function. The output of the function produces the keystream, which is then bitwise xored with the message to produce the cipher. The decryption consists symmetrically in xoring this same keystream with the ciphertext. There are a lot of divide-and-conquer attacks on this method of encryption, see [1],[2],[3],[4]. To resist these attacks the Boolean function must be properly chosen: balanceness, large algebraic degree, high nonlinearity, and high order correlation immunity [5].
The Boolean functions used in the stream ciphers must be balanced for avoiding statistical dependence between their input and their output [6]. It must also have large algebraic degree, because its degree conditions are the linear complexity of the produced running-key. A third usual criterion is that the function should be far from all affine functions regarding Hamming distance, since the existence of a “good” approximation of [math]\displaystyle{ f }[/math] by an affine function makes fast correlation attacks feasible, see [7]. A fourth criterion on the combining function is that the distribution probability of its output should be unaltered when any [math]\displaystyle{ m }[/math] of its inputs are fixed, with m as large as possible. This property, called [math]\displaystyle{ m }[/math]-th order correlation immunity.
Combining function, combiner model, combination generator
A combination generator is a running-key generator for stream cipher applications. It is composed of several linear feedback shift registers whose outputs are combined by a Boolean function to produce the keystream. The combining function [math]\displaystyle{ f(x_1,x_2,\dots,x_n) }[/math] is a Boolean function that takes the outputs of [math]\displaystyle{ n }[/math] individual generators [math]\displaystyle{ (x_1,x_2,\dots,x_n) }[/math] as inputs and produces a single output bit at each step. The choice of [math]\displaystyle{ f }[/math] significantly affects the cryptographic strength of the system, such as its resilience to correlation attacks, balance properties, and algebraic complexity.
Any combination function [math]\displaystyle{ f(x) }[/math] used for generating the pseudorandom sequence in the stream cipher must stay balanced if we keep constant some coordinates of [math]\displaystyle{ f }[/math].
In the 90’s, high-order resilient functions with the best possible algebraic degree and nonlinearity were needed for applications in stream ciphers using the combiner model. But fast algebraic attacks (FAA) have changed the situation. The combiner model is now considered as problematic, because of Siegenthaler’s bound and the fact that combiner or filter functions need to have very high algebraic degree for resisting FAA.
Correlation immunity
Definition
The Boolean function [math]\displaystyle{ f }[/math] is called [math]\displaystyle{ m }[/math]-th order correlation immune if the output distribution probability of [math]\displaystyle{ f }[/math] is unaltered when any [math]\displaystyle{ m }[/math] of its input bits are kept constant.
Using Walsh transform below, the Boolean function [math]\displaystyle{ f }[/math] is [math]\displaystyle{ m }[/math]-th order correlation immune if and only if [math]\displaystyle{ \widehat{f}(u)=0 }[/math], for all [math]\displaystyle{ u \in \mathbb{F}_2^n }[/math], s.t. [math]\displaystyle{ 1 \leq w_H(u) \leq m, }[/math], where [math]\displaystyle{ w_H(u) }[/math] is the Hamming weight of [math]\displaystyle{ u }[/math].
Importance of correlation-immune functions
The notion of correlation-immune function is related to the notion of orthogonal array. The notion of correlation immunity was introduced by Siegenthaler [8]. If combining function is not [math]\displaystyle{ m }[/math]-th order correlation-immune, then there exist a correlation between the output of the function and [math]\displaystyle{ m }[/math] coordinated of its input. Moreover, if [math]\displaystyle{ m }[/math] is small enough ― a divide-and-conquer attack, correlation attack for stream ciphers, and later improved to fast correlation attack ― uses this weakness for attacking the system.
Resiliency
Definition
Balanced [math]\displaystyle{ m }[/math]-th order correlation-immune functions are called [math]\displaystyle{ m }[/math]-resilient functions.
Using Walsh transform below, the Boolean function [math]\displaystyle{ f }[/math] is [math]\displaystyle{ m }[/math]-resilient if and only if [math]\displaystyle{ \widehat{f}(u)=0 }[/math], for all [math]\displaystyle{ u \in \mathbb{F}_2^n }[/math], s.t. [math]\displaystyle{ w_H(u) \leq m, }[/math].
The maximum value of [math]\displaystyle{ m }[/math] such that [math]\displaystyle{ f }[/math] is [math]\displaystyle{ m }[/math]-resilient is called the resiliency order of [math]\displaystyle{ f }[/math].
Dependance between resiliency, nonlinearity and algebraic degree
Siegenthaler proved that an [math]\displaystyle{ n }[/math] input 1 output, [math]\displaystyle{ m }[/math]-resilient (balanced [math]\displaystyle{ m }[/math]-th order correlation immune) Boolean function with algebraic degree [math]\displaystyle{ d }[/math] satisfies the inequality : [math]\displaystyle{ m + d \leq n − 1 }[/math].
Any [math]\displaystyle{ m }[/math]-resilient function [math]\displaystyle{ f }[/math] on [math]\displaystyle{ \mathbb{F}^n_2 }[/math] has nonlinearity smaller than or equal to [math]\displaystyle{ 2^{n−1} − 2^{m+1} }[/math] [9], and also independently obtained by [10].
Walsh transform
Correlation immunity and resiliency can be characterized through the Walsh transform of the Boolean function [math]\displaystyle{ f }[/math][11].
The discrete Fourier transform of [math]\displaystyle{ f }[/math] is by definition the function [math]\displaystyle{ \widehat{f} }[/math] defined by
[math]\displaystyle{ \widehat{f}(u)=\sum_{x \in F_2^n} f(x)(-1)^{u \cdot x} \text{ for all } u \in \mathbb{F}_2^n, }[/math]
where [math]\displaystyle{ u \cdot x }[/math] is inner product [math]\displaystyle{ u \cdot x = u_1x_1 \oplus \dots \oplus u_n x_n }[/math]. The Walsh transform of [math]\displaystyle{ f }[/math] is the discrete Fourier transform of [math]\displaystyle{ \chi_f = (-1)^f }[/math], i.e [math]\displaystyle{ \forall u \in \mathbb{F}_2^n }[/math]
[math]\displaystyle{ \widehat{\chi_f}(u)=\sum_{x \in \mathbb{F}_2^n}(-1)^{f(x) \oplus x \cdot u}. }[/math]
Example
Let [math]\displaystyle{ r }[/math] be a positive integer smaller than [math]\displaystyle{ n }[/math]. Let [math]\displaystyle{ g }[/math] be any Boolean function on [math]\displaystyle{ \mathbb{F}_2^{n-r} }[/math] and let [math]\displaystyle{ \phi }[/math] be a mapping, s.t. [math]\displaystyle{ \phi : \mathbb{F}_2^{n-r} \mapsto \mathbb{F}_2^{r} }[/math]. Define the function [math]\displaystyle{ f_{\phi , g}(x, y) }[/math] for [math]\displaystyle{ x \in \mathbb{F}_2^r, \; y \in \mathbb{F}_2^{n-r} }[/math], s.t.
[math]\displaystyle{ f_{\phi , g}(x, y)=x \cdot \phi(y) \oplus g(y)=\bigoplus_{i=1}^r x_i \phi_i(y) \oplus g(y), }[/math]
where [math]\displaystyle{ \phi_i(y) }[/math] is the [math]\displaystyle{ i }[/math]-th coordinate of [math]\displaystyle{ \phi(y) }[/math]. Then [math]\displaystyle{ f_{\phi , g}(x, y) }[/math] is [math]\displaystyle{ m }[/math]-resilient with [math]\displaystyle{ m \geq k }[/math] if every element in [math]\displaystyle{ \phi(\mathbb{F}_2^{n-r}) }[/math] has Hamming weight strictly greater than [math]\displaystyle{ k }[/math] [12].
References
- ↑ A. Canteaut, M. Trabbia, Improved fast correlation attacks using paritycheck equations of weight 4 and 5, Advanced in Cryptology-EUROCRYPT 2000. Lecture notes in computer science 1807 (2000), pp. 573-588.
- ↑ T. Johansson, F. Jonsson ¨ , Improved fast correlation attack on stream ciphers via convolutional codes, Advances in Cryptology - EUROCRYPT’99, number 1592 in Lecture Notes in Computer Science (1999), pp. 347–362.
- ↑ T. Johansson, F. Jonsson ¨ Fast correlation attacks based on turbo code techniques, Advances in Cryptology - CRYPTO’99, number 1666 in Lecture Notes in Computer Science (1999), pp. 181–197.
- ↑ T. Siegenthaler, Decrypting a Class of Stream Ciphers Using Ciphertext Only, IEEE Transactions on Computer, V. C-34, No 1 (1985), pp. 81-85.
- ↑ Carlet, C. (2002). On the Coset Weight Divisibility and Nonlinearity of Resilient and Correlation-Immune Functions. In: Helleseth, T., Kumar, P.V., Yang, K. (eds) Sequences and their Applications. Discrete Mathematics and Theoretical Computer Science. Springer, London. https://doi.org/10.1007/978-1-4471-0673-9_9
- ↑ Carlet C. Boolean Functions for Cryptography and Coding Theory. Cambridge University Press; 2021.
- ↑ W. Meier, O. Staffelbach, Fast correlation attack on certain stream ciphers, Jounal of Cryptology (1989), pp. 159-176.
- ↑ Siegenthaler, T. (1984). “Correlation-immunity of nonlinear combining functions for cryptographic applications.” IEEE Transactions on Information theory, IT-30 (5), 776–780.
- ↑ P. Sarkar, S. Maitra, Nonlinearity Bounds and Constructions of Resilient Boolean Functions, CRYPTO 2000, LNCS Vol. 1880, ed. Mihir Bellare, pp. 515-532 (2000).
- ↑ Y. Tarannikov, On resilient Boolean functions with maximal possible nonlinearity, Cryptology ePrint archive (http://eprint.iacr.org/), Report 2000/005, 18 pp. (2000); and Proceedings of Indocrypt 2000, Springer Verlag, LNCS 1977 (2000) pp. 19-30.
- ↑ Xiao, Guo-Zhen and J.L. Massey (1988). “A spectral characterization of correlation-immune combining functions.” IEEE Trans. Inf. Theory, IT-34 (3), 569– 571.
- ↑ Carlet, C. (2005). Correlation Immune and Resilient Boolean Functions. In: van Tilborg, H.C.A. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA . https://doi.org/10.1007/0-387-23483-7_81