2.5 Cryptographically Strong Building Blocks
2.5.5 Algebraic Complexity and Nonlinearity
The relationship between inputs of the function and its output must be sufficiently ‘complex’ if it is to resist attack. It is common to say that the relationship should be highly non-linear, though there are various interpretations and measures of nonlinearity. One measure of nonlinearity is algebraic degree. A Boolean function can be expressed as a minimal (XOR) sum of (AND) products:
Here the are Boolean constants. Given a function it is a simple matter to construct the minimal sum of products, usually referred to as the Algebraic Normal Form (ANF) of the function (Siegenthaler [114] explains how). The highest number of in a product term is the algebraic degree of the function. Thus is linear (of degree 1), is quadratic (degree 2) and is cubic (degree 3) etc. Siegenthaler [113] has shown that for functions with inputs and with correlation immunity of order and algebraic degree it must follow that . For balanced functions it must be the case that .
High correlation immunity implies low algebraic complexity. This has unfortunate consequences. Several attacks on the standard stream cipher model become easier the more linear the combining function is, e.g. the Best Affine Attack or Massey’s multi-sequence equivalent LFSR generation (see [31]). Designers seek to reduce the susceptibility to such attacks by engineering functions that are highly nonlinear, i.e. that are resilient to any linear approximation. High algebraic degree is a common requirement.4
To give a precise definition of one very common measure of nonlinearity, it is necessary to introduce some additional concepts. For each there is a linear function defined by Equation 2.5. The polar forms of these functions, viewed as vectors in , form an orthogonal basis for . For any function in polar form, the degree to which it is approximated by a linear function can be measured by the dot product of with . The Walsh Hadamard Transform value for (or just Walsh value for short) captures this notion and is defined by
(2.11)
4 High algebraic degree is a common and sensible complexity requirement but high degree functions are not necessarily complex. For example, is almost identical to the linear function .
Dividing by gives the correlation between the two vectors and . The Hamming distance between two functions and is a count of the number of truth table positions in which they differ, i.e.
(2.12)
Since
(2.13)
and also
(2.14)
the Hamming distance between and is given by
(2.15)
Resilience to linear approximation is now captured by the formal measure of nonlinearity. The nonlinearity of a Boolean function is the minimum distance to any affine function. It is given by
(2.16)
Note, if is an affine function then there is some for which (i.e. is either equal to a specific linear function or its complement) and so its nonlinearity is 0.
A major goal is to reduce the extent to which the function f is approximated by any affine function. The following well-known theorem, due to Parseval,
(2.17)
forces . This places a bound on the best nonlinearity that can be achieved. Functions achieving this bound are called bent functions [105]. They exist only for even numbers of inputs and are never balanced. Parseval’s theorem motivates a new cost function family in Chapter 3.
In Section 2.5.4 correlation immunity for a function was described in terms of statistical independence. An equivalent and very useful characterisation has been derived by Zhen and Massey [47]. This states that a function is correlation immune of order if and only if
(2.18)
Here denotes the number of bits set in the natural binary encoding of the integer , i.e. its Hamming weight. The Zhen-Massey characterisation will be used throughout Chapter 4.
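The measures introduced in this section (ANF and algebraic degree, the Walsh spectrum, nonlinearity, Parseval’s identity, correlation immunity via the Zhen-Massey criterion and Siegenthaler’s trade-off) can all be computed mechanically from a truth table. The following Python is an added worked example and is not code from the thesis. It assumes a particular encoding: a function of n inputs is a list of 2**n bits indexed by the integer x, where bit i of x is the input x_i; the linear function L_w(x) is the parity of (w AND x); polar form is (-1)**f(x). The four sample functions at the bottom (a 3-input majority, the bent function x0x1 ^ x2x3, a degree-4 function that is one truth-table position away from x0, and a balanced first-order correlation-immune function) are constructed here for illustration.

```python
"""Added example (not from the thesis): Boolean-function measures from Section 2.5.5
computed from a truth table.  Assumed conventions: a function of n inputs is a list of
2**n bits indexed by the integer x, bit i of x being the input x_i; L_w(x) is the parity
of (w AND x); polar form is (-1)**f(x).  Sample functions below are constructed."""


def _n(tt):
    """Number of inputs of a truth table of length 2**n."""
    return len(tt).bit_length() - 1


def truth_table(n, fn):
    """Evaluate fn, which takes the bit tuple (x_0, ..., x_{n-1}), on all 2**n inputs."""
    return [int(fn(tuple((x >> i) & 1 for i in range(n)))) for x in range(1 << n)]


def anf(tt):
    """Algebraic Normal Form via the binary Moebius transform: a[m] == 1 means the
    AND-product of the inputs selected by the set bits of m occurs in the XOR sum."""
    a = list(tt)
    for i in range(_n(tt)):
        bit = 1 << i
        for x in range(len(a)):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a


def anf_terms(tt):
    """ANF product terms as strings, e.g. 'x0x1'; '1' denotes the constant term."""
    n = _n(tt)
    return ["".join(f"x{i}" for i in range(n) if (m >> i) & 1) or "1"
            for m, c in enumerate(anf(tt)) if c]


def algebraic_degree(tt):
    """Highest number of inputs in any ANF product term (0 for a constant function)."""
    return max((bin(m).count("1") for m, c in enumerate(anf(tt)) if c), default=0)


def walsh_spectrum(tt):
    """Walsh values F(w) = sum over x of (-1)**(f(x) XOR L_w(x)), by direct evaluation."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ (bin(w & x).count("1") & 1)) for x in range(size))
            for w in range(size)]


def hamming_distance(tt_f, tt_g):
    """Number of truth-table positions in which f and g differ."""
    return sum(a != b for a, b in zip(tt_f, tt_g))


def nonlinearity(tt):
    """Minimum Hamming distance to any affine function: 2**(n-1) - max|F(w)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(tt)) // 2


def is_balanced(tt):
    """Balanced iff F(0) == 0, i.e. as many ones as zeros in the truth table."""
    return walsh_spectrum(tt)[0] == 0


def parseval_holds(tt):
    """Parseval: the squared Walsh values sum to 2**(2n) for every Boolean function."""
    return sum(v * v for v in walsh_spectrum(tt)) == len(tt) ** 2


def correlation_immunity(tt):
    """Largest m with F(w) == 0 for every w of Hamming weight 1..m (Zhen-Massey)."""
    spec, n = walsh_spectrum(tt), _n(tt)
    for m in range(1, n + 1):
        if any(spec[w] for w in range(1, len(tt)) if bin(w).count("1") == m):
            return m - 1
    return n


def siegenthaler_bound_ok(tt):
    """Siegenthaler's trade-off: m + d <= n in general, and m + d <= n - 1 for balanced
    functions (the balanced case excludes affine functions with m = n - 1, d = 1)."""
    n, m, d = _n(tt), correlation_immunity(tt), algebraic_degree(tt)
    if is_balanced(tt) and m <= n - 2:
        return m + d <= n - 1
    return m + d <= n


# Constructed sample functions (not from the thesis).
MAJ3 = truth_table(3, lambda x: x[0] + x[1] + x[2] >= 2)                      # x0x1 ^ x0x2 ^ x1x2
BENT4 = truth_table(4, lambda x: (x[0] & x[1]) ^ (x[2] & x[3]))                # bent, never balanced
NEARLY_LINEAR = truth_table(4, lambda x: x[0] ^ (x[0] & x[1] & x[2] & x[3]))   # degree 4, one bit off x0
X0 = truth_table(4, lambda x: x[0])                                            # the linear function x0
CI1 = truth_table(4, lambda x: x[0] ^ x[1] ^ (x[2] & x[3]))                    # balanced, CI order 1

if __name__ == "__main__":
    for name, tt in [("maj3", MAJ3), ("bent4", BENT4), ("nearly_linear", NEARLY_LINEAR), ("ci1", CI1)]:
        print(f"{name}: ANF={'^'.join(anf_terms(tt))} degree={algebraic_degree(tt)} "
              f"N_f={nonlinearity(tt)} CI={correlation_immunity(tt)} balanced={is_balanced(tt)} "
              f"Parseval={parseval_holds(tt)} Siegenthaler={siegenthaler_bound_ok(tt)}")
    print("distance(nearly_linear, x0) =", hamming_distance(NEARLY_LINEAR, X0))
```

The direct O(4^n) Walsh evaluation is deliberate for readability; for the input sizes used in cipher design a fast Walsh-Hadamard butterfly (the same shape as the Moebius loop in `anf`) is the usual implementation. The `NEARLY_LINEAR` function is the footnote’s point in concrete form: its algebraic degree is the maximum possible for four inputs, yet its nonlinearity is 1.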