Equivalence Algorithms
The hierarchy of equivalences
Given two vectorial boolean functions [math]\displaystyle{ F,G : F_2^n \rightarrow F_2^n }[/math] there are various ways to define equivalence between [math]\displaystyle{ f }[/math] and [math]\displaystyle{ g }[/math]. We will study the algorithms for determining Linear, Affine, Extended Affine and CCZ equivalence between vectorial boolean functions.
Linear Equivalence
Given two vectorial boolean functions [math]\displaystyle{ f }[/math] and [math]\displaystyle{ g }[/math] we want to determine if there exist Linear permutations [math]\displaystyle{ A_1 }[/math] and [math]\displaystyle{ A_2 }[/math] such that [math]\displaystyle{ F = A_2 \circ G \circ A_1 }[/math].
The to and from algorithm
This algorithm was presented at eurocrypt 2003 [1]. This algorithm is mainly intended for when the boolean functions are permutation, and we will start by assuming [math]\displaystyle{ F }[/math] and [math]\displaystyle{ G }[/math] are permutations.
The idea of the algorithm is to go use information gathered about [math]\displaystyle{ A_1 }[/math] to deduce information about [math]\displaystyle{ A_2 }[/math] and the other way around. To see how this can work let's say we know some value of [math]\displaystyle{ A_1 }[/math], lets say [math]\displaystyle{ A_1(x) = y }[/math]. We of course also know the value of [math]\displaystyle{ G }[/math] at [math]\displaystyle{ y }[/math] so lets say that [math]\displaystyle{ G(y) = z }[/math]. Then we know that [math]\displaystyle{ F(x) = A_2 \circ G \circ A_1(x) = A_2 \circ G(y) = A_2(z) }[/math]. So we now know that [math]\displaystyle{ A_2(z) }[/math] must be equal to [math]\displaystyle{ G(y) }[/math].
For the other way around let's say we know some value of [math]\displaystyle{ A_2 }[/math], lets say [math]\displaystyle{ A_2(x) = y }[/math]. We know the value of [math]\displaystyle{ F^{-1} }[/math] at y, lets say [math]\displaystyle{ F^{-1}(y) = z }[/math]. Then we know that [math]\displaystyle{ F(z) = y = A_2 \circ G \circ A_1(z) }[/math] so we see that [math]\displaystyle{ A_2 \circ G \circ A_1(z) = y }[/math]. Since we know that [math]\displaystyle{ A_2(x) = y }[/math] we need [math]\displaystyle{ G \circ A_1(z) = x }[/math], which must mean that [math]\displaystyle{ A_1(z) = G^{-1}(y) }[/math].
So we now showed how we can deduce information knowing either a value of [math]\displaystyle{ A_1 }[/math] or [math]\displaystyle{ A_2 }[/math]. Now lets say we now the values of [math]\displaystyle{ A_1 }[/math] at a set of points. Since [math]\displaystyle{ A_1 }[/math] is linear we also know it's value at any linear combinations of these points so we can just assume that we know the values at [math]\displaystyle{ A_1 }[/math] at [math]\displaystyle{ k }[/math] linear independent points, which means that we know the value of [math]\displaystyle{ A_1 }[/math] at [math]\displaystyle{ 2^k }[/math] points. If we now somehow gain value of a point of [math]\displaystyle{ A_1 }[/math] which is not in the span of the already known points then we can deduce the value of [math]\displaystyle{ A_1 }[/math] at [math]\displaystyle{ 2^k }[/math] new points using any linear combination of points including this new point. Then we can use all of these new points and try to deduce points of [math]\displaystyle{ A_2 }[/math] as explained before. We will now explain the complete algorithm before giving the psudocode.
Given two permutations [math]\displaystyle{ F,G : F_2^n \rightarrow F_2^m }[/math] we construct the linear permutations [math]\displaystyle{ A_1,A_2 }[/math]. The algorithm is a backtracking algorithm, and whenever we discover a contradiction we backtrack to the last guess. We first guess two values of [math]\displaystyle{ A_1(x) }[/math]. Since we now know two values of [math]\displaystyle{ A_1 }[/math] we can two values of [math]\displaystyle{ A_2 }[/math], which means we can deduce a third value by linearity. Using this third value we can deduce a value of [math]\displaystyle{ A_1 }[/math], if this value is not in the span of the already known values of [math]\displaystyle{ A_1 }[/math] we can deduce two more values of [math]\displaystyle{ A_1 }[/math] and use this to deduce values of [math]\displaystyle{ A_1 }[/math] and so on. If we ever run out of values before we have finished we will have to make additional guesses. If we ever encounter that a situation where we deduce a value of [math]\displaystyle{ A_1 }[/math] or [math]\displaystyle{ A_2 }[/math], but we have already set them to be something else, we must backtrack to the last guess.
Here is the psudocode:
sage: from sage.crypto.boolean_function import BooleanFunction
sage: B.<x0, x1, x2, x3> = BooleanPolynomialRing(4)
sage: f = x0*x1*x2*x3 + x0*x2*x3 + x1*x2*x3 + x0*x1 + x0*x3 + x1*x2 + x3 + 1
sage: F = BooleanFunction(f)
sage: F.algebraic_degree()
4
Runtime
It can be hard to estimate the runtime of this algorithm as it is hard to know how many guesses we have to make. Initially we will have to make two guesses (or just 1 if the s-boxes do not map 0 to 0) to get the algorithm started. Assuming we do not have to make any more guesses the algorithm runs in time [math]\displaystyle{ O(n^32^{2n}) }[/math] ([math]\displaystyle{ O(n^32^n) }[/math] if the s-boxes do not map 0 to 0). This assumption seems to hold for random functions, but there are bad cases for example when the functions differ in very few points. In general it seems hard to prove any good runtime guarantee for this algorithm.
Affine Equivalence
Given vectorial boolean functions [math]\displaystyle{ F,G : F_2^n \rightarrow F_2^m }[/math] find affine permutations [math]\displaystyle{ A_1,A_2 }[/math] such that [math]\displaystyle{ F = A_2 \circ G \circ A_1 }[/math]. We can also write this as [math]\displaystyle{ F \circ A_1^{-1} = A_2 \circ G }[/math]. If [math]\displaystyle{ A_1(x) = L_1(x) +a_1 , A_2(x) = L_2(x)+a_2 }[/math] then [math]\displaystyle{ F(x+a_1) }[/math] is linear equivalent with [math]\displaystyle{ G(x) + a_2 }[/math]. So we can guess any affine constants [math]\displaystyle{ a_1,a_2 }[/math] and check whether or not [math]\displaystyle{ F(x+a_1) }[/math] is linear equivalent with [math]\displaystyle{ G(x)+a_2 }[/math] using any linear equivalence algorithm. This will add a multiplicative factor of [math]\displaystyle{ 2^{2n} }[/math] to the runtime, but will give us an affine equivalence algorithm.
The to and from algorithm (Affine)
We can adapt the To and from algorithm to the affine case and only add a multiplicative factor of [math]\displaystyle{ 2^n }[/math] to the runtime. Instead of comparing [math]\displaystyle{ F(x+a_1) }[/math] to [math]\displaystyle{ G(x)+a_2 }[/math] for every possible [math]\displaystyle{ a_1,a_2 }[/math] we will instead find a representative function for [math]\displaystyle{ F(x+a) }[/math] for every [math]\displaystyle{ a }[/math] and then a representative function for [math]\displaystyle{ G(x) + a }[/math] for every possible [math]\displaystyle{ a }[/math]. We will then compare to see if any of these representative functions are equal.
The representative for a function is the lexicographic smallest linear equivalent function. To see why this work assume [math]\displaystyle{ F,G }[/math] are affine equivalent with [math]\displaystyle{ F = A_1 \circ G \circ A_2 }[/math] where [math]\displaystyle{ A_1 = L_1 + a_1 }[/math] and [math]\displaystyle{ A_2 = L_2+a_2 }[/math]. Then the functions [math]\displaystyle{ F(x+a_1) }[/math] will be linear equivalent with [math]\displaystyle{ G(x)+a_2 }[/math]. If we have found the minimal linear representative [math]\displaystyle{ F' }[/math] of [math]\displaystyle{ F(x+a_1) }[/math] then since [math]\displaystyle{ G(x)+a_2 }[/math] is linear equivalent with [math]\displaystyle{ F }[/math] it is also linear equivalent with [math]\displaystyle{ F' }[/math] so the minimal linear representative of [math]\displaystyle{ G(x)+a_2 }[/math] is at least smaller than [math]\displaystyle{ F' }[/math]. Using this argument the other way around we get that their linear representatives have to be the same function.
To actually compute the minimal representative of a function [math]\displaystyle{ F }[/math] we do the following. We want to construct [math]\displaystyle{ F' }[/math], the minimal permutation which is linear equivalent with [math]\displaystyle{ F }[/math]. We start by guessing the value of [math]\displaystyle{ A_1 }[/math] at the smallest element of [math]\displaystyle{ F_2^n }[/math]. Let say [math]\displaystyle{ A_1(x) = y }[/math].
EA equivalence
Given two boolean functions [math]\displaystyle{ F,G : F_2^n \rightarrow F_2^m }[/math] find two affine permutations [math]\displaystyle{ A_1,A_2 }[/math] and an affine transformation [math]\displaystyle{ A_3 }[/math] such that [math]\displaystyle{ F = A_2 \circ G \circ A_1 + A_3 }[/math]
Jacobian algorithm
The Jacobian
Given a vectorial boolean function, and any element [math]\displaystyle{ a \in F_2^n }[/math] the deriviative in direction [math]\displaystyle{ a }[/math] is defined by [math]\displaystyle{ D_a F(x) = F(x+a) + F(x) }[/math]. The Jacobian for a vectorial boolean function [math]\displaystyle{ F(x) = (F_1(x),...,F_m(x)) }[/math] is defined as [math]\displaystyle{ J F(x) = \begin{pmatrix}D_{e_1}F_1(x) & D_{e_2}F_1(x) & ... & D_{e_n}F_1(x) \\ D_{e_1}F_2(x) & D_{e_2}F_2(x) & ... & D_{e_n}F_2(x) \\ \vdots & \vdots & \vdots & \vdots \\ D_{e_1}F_m(x) & D_{e_2}F_m(x) & ... & D_{e_n}F_m(x) \end{pmatrix} }[/math] where [math]\displaystyle{ e_i }[/math] is the i-th basis vector of [math]\displaystyle{ F_2^n }[/math]. We denote the linear part of the jacobian by [math]\displaystyle{ J_{lin}F(x) }[/math].
The algorithm is based on the fact that if [math]\displaystyle{ F }[/math] and [math]\displaystyle{ G }[/math] are EA equivalent [math]\displaystyle{ F = A_2 \circ G \circ A_1 + A_3 }[/math] where [math]\displaystyle{ A_1(x) = L_1(x) + a_1, A_2(x) = L_2(x) + a_2 }[/math] then [math]\displaystyle{ J_{lin}F(x) = L_2\cdot J_{lin}G(A_1(x)) \cdot L_1 }[/math]
References
- ↑ Biryukov, Alex, et al. "A toolbox for cryptanalysis: Linear and affine equivalence algorithms." Advances in Cryptology—EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003 Proceedings 22. Springer Berlin Heidelberg, 2003.
- ↑ Canteaut, Anne, Alain Couvreur, and Léo Perrin. "Recovering or testing extended-affine equivalence." IEEE Transactions on Information Theory 68.9 (2022): 6187-6206.