GET the Program
3.5 Evaluation Module
One can ask whether there is a need for an evaluation tool, since most algorithms use one or more well-known nonlinear elements. Indeed, for example, the AES algorithm uses an S-box that is based on the finite field inversion construction and it possesses many properties that are either the best possible or believed to be the best possible.
However, since new properties keep being defined over the years, knowing the properties of an element at some point in the past does not give a complete picture today. As an example, in the last decade several properties of importance have been developed for S-boxes and Boolean functions, which naturally were not considered at design time. Next, researchers sometimes want to develop proprietary S-boxes, or S-boxes with similar properties but of other sizes than those currently used. In such situations, we envision the need for a reliable evaluation tool. Before going into the details of the tool, we give a short overview of other publicly available tools known to the authors.
3.5.1 Related Tools
The lack of publicly available tools that can evaluate Boolean functions or S-boxes is somewhat surprising, but this is not because those tools would be very difficult to develop. Indeed, most researchers that are interested in the design of such nonlinear elements use either their own tools or an amalgamation of several available tools.
The main problem is that most of those tools are not publicly available and therefore they are not accessible to the wider community. Here we mention tools that can be used to evaluate Boolean functions or S-boxes and that are publicly available.
Boolfun package in R. R is a free software environment for statistical computing and graphics [R C13]. It works on various UNIX, Windows and Mac Operating System (OS) platforms. Although the default version of R does not have support for the evaluation of Boolean functions, it is possible to load a package named boolfun that provides functionalities related to the cryptographic analysis of Boolean functions [Laf13, LHH11].
Boolean functions in Sage. Sage is a well-known free open-source mathematics software [S+13]. In Sage there is a module called BooleanFunctions that allows one to study cryptographic properties of Boolean functions. This tool can evaluate most of the relevant properties (connected with linear and differential cryptanalysis) of Boolean functions.
S-boxes in Sage. There is a module called Sbox that allows the algebraic treatment of S-boxes. This module has many options, but when considering cryptographic properties it is only possible to calculate DDT and a LAT.
3.5.2 Interface
When a user chooses to run the Evaluate module, he needs to enter the file name of the file with the nonlinear element to be analyzed. There is an option to start this module with the command line arguments (input size, output size, module and file name) so it can be used within a script.
A file that contains a Boolean function must be defined in the TT representation in a binary format. For the S-boxes, the text file must contain a LUT of decimal or hexadecimal values with a tabular delimiter. The program can distinguish those two formats, so the user does not need to provide any additional information about the format. When the program saves data to a file, the name is a concatenation of the word “stats_” and the input file name (for example, for the file name “aes” the output file would have the name “stats_aes”). Since various representations of an S-box can grow large rather fast, the program writes them in separate files: the Walsh-Hadamard transform, autocorrelation function, ANF and TT, as well as the DDT and LAT. The file naming convention is “walsh_”, “ac_”, “anf_”, “tt_”, “ddt_”, “lat_” + input name of the file, respectively.
We wrote the code with the first objective being modularity, i.e. that each of the properties or representations can be calculated separately. Although one can expect that performance is the key objective of the tool, in our opinion the possibility to calculate a wide set of properties is of even greater importance. Performance becomes more important when one needs to calculate the properties of bigger S-boxes (e.g. 16×16) or when one uses the program as a script to go through a large number of S-boxes. To improve the execution speed, small functions that are often called are inlined. Furthermore, since HW is often used, instead of calling it every time we call it once at the beginning and store the results in a lookup table for faster execution.
Since the number of properties that can be evaluated is large, it is to be expected that some researchers do not necessarily know what values are good and what they can expect in general. Therefore, there is a function “Comment” that offers a short description of what the desirable values are for every property and what the trade-offs with other properties are (if known).
3.5.3 Program Code Example
We first show the source code example of a small program and after that we display the output of that program. Here we use the static library version of the program.
#include <get.h>
When running the program, it is first necessary to call the function prepare(name, argc, argv), which sets the global variables and the values from the HW function. After that, we simply call the functions for the properties we want to calculate. At the end, the function free_all() is called to free dynamically allocated arrays and matrices. If we call this program with the AES S-box input and output sizes (8 × 8) and the name of the file where the LUT is stored, i.e.:
GET.exe 8 8 c:/AES.txt
Output size is 8.
Once the input file is loaded and transformed in the TT form, the evaluation process starts. Significant parts of the properties are calculated through the coefficients of the Walsh-Hadamard spectrum, autocorrelation function and algebraic normal form.
Since the formulas are the same for Boolean functions and S-boxes (the only difference being that the calculation is repeated for every linear combination of the coordinate Boolean functions in the case of S-boxes), we write here only the computational complexities for the Boolean function case. The computational complexity of calculating the ANF and the Walsh-Hadamard spectrum is of order $O(n \cdot 2^n)$. We use the Fast Walsh-Hadamard transform when calculating the Walsh-Hadamard spectrum. The autocorrelation function has a computational complexity of $O(2^{2 \cdot n})$.
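The following C sketch is an added example, not code from the GET tool: it computes the nonlinearity of a Boolean function through the fast Walsh-Hadamard transform and repeats the calculation for every linear combination of the coordinate functions of an S-box, with the Hamming weights precomputed in a lookup table. The function names are illustrative, and the 4-bit PRESENT S-box and a 4-variable bent function stand in as sample inputs so the tables fit inline.

```c
#include <stdio.h>
#include <stdlib.h>

#define N 4                      /* input/output bits of the sample S-box */
#define SIZE (1 << N)

/* Sample inputs: the 4-bit PRESENT S-box LUT and the truth table of the
   bent function f(x) = x0*x1 XOR x2*x3 (x0 is the least significant bit). */
static const unsigned char SBOX[SIZE] = {0xC,5,6,0xB,9,0,0xA,0xD,3,0xE,0xF,8,4,7,1,2};
static const unsigned char BENT[SIZE] = {0,0,0,1, 0,0,0,1, 0,0,0,1, 1,1,1,0};
static unsigned char hw[SIZE];   /* Hamming weights, computed once and reused */

static void init_hw(void) { for (int i = 1; i < SIZE; i++) hw[i] = hw[i >> 1] + (i & 1); }

/* In-place fast Walsh-Hadamard transform: N butterfly passes over 2^N values. */
static void fwht(int *w) {
    for (int len = 1; len < SIZE; len <<= 1)
        for (int i = 0; i < SIZE; i += 2 * len)
            for (int j = i; j < i + len; j++) {
                int a = w[j], b = w[j + len];
                w[j] = a + b; w[j + len] = a - b;
            }
}

/* Nonlinearity of a Boolean function from its TT: 2^(N-1) - max|W_f(a)| / 2. */
static int nonlinearity(const unsigned char *tt) {
    int w[SIZE], max = 0;
    for (int x = 0; x < SIZE; x++) w[x] = tt[x] ? -1 : 1;
    fwht(w);
    for (int a = 0; a < SIZE; a++) if (abs(w[a]) > max) max = abs(w[a]);
    return SIZE / 2 - max / 2;
}

/* S-box: repeat for every nonzero output mask b (component function b.S(x)). */
static int sbox_nonlinearity(const unsigned char *lut) {
    unsigned char tt[SIZE];
    int min = SIZE;
    init_hw();
    for (int b = 1; b < SIZE; b++) {
        for (int x = 0; x < SIZE; x++) tt[x] = hw[b & lut[x]] & 1;
        int nl = nonlinearity(tt);
        if (nl < min) min = nl;
    }
    return min;
}

int main(void) {
    printf("bent NL = %d, S-box NL = %d\n", nonlinearity(BENT), sbox_nonlinearity(SBOX));
    return 0;
}
```

For an 8 × 8 S-box such as the AES one, set N to 8 and replace SBOX with the 256-entry LUT; the S-box loop then runs the transform 255 times.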
3.5.5 Speed of the Execution
In Table 3.1, we give execution times for a small number of the functions when calculated with the GET tool and with some of the other tools mentioned in Section 3.5.1. We conducted the calculations on a system with an Intel i5 3230M processor, 4 GB of RAM and the operating system Debian 3.13. The times are given for the 8-bit Boolean function (as used in the Rakaposhi algorithm [CKK09]) and for the 8 × 8 S-box (as in the AES cipher [DR02]).
We emphasize that this comparison should not be regarded as an in-depth analysis of the performance of any of the tools, but rather as an indication of their respective execution times. In the analysis we do not take into account the specificities of each tool, e.g. precomputed values stored in memory; we are interested only in the total time from the call of each function to the display of the corresponding result. Accordingly, the presented times should serve only as a guideline.
For the tool realized in R, we use the rbenchmark library and its function benchmark [Kus12]. In the case of Sage, we use the timeit function, and in our module we use the C function clock_gettime.
Execution times represent average times over 100 runs in microseconds (µs). Additionally, we give the required input arguments for the functions when using the evaluation module. Therefore, the following table can also be regarded as a dependency table between different representations and functions.
With N/A we mark those properties that are not possible to calculate and with “X” those properties that are not defined for a certain type of a nonlinear element.

Table 3.1: GET evaluation module, average execution times (µs).

| Name | Input arg. | R | Sage (Boolean) | Sage (S-box) | GET (Boolean) | GET (S-box) |
|---|---|---|---|---|---|---|
| walsh_transform | TT | 50 | 0.69 | N/A | 1.17 | 2 720 |
| autocorrelation | TT | N/A | 0.8 | N/A | 1.3 | 2 980 |
| algebraic_normal | TT | 50 | 3 160 | N/A | 10.02 | 4 501 |
| LAT | LUT | X | X | 75.6E3 | X | 1.1E5 |
| DDT | LUT | X | X | 434E3 | X | 441 |
| nonlinearity | Walsh | 70 | 3.31 | N/A | 0.66 | 199 |
| correlation_immunity | Walsh | 40 | 2.5 | N/A | 6.6 | 1 768 |
| absolute_indicator | autocorr. | N/A | 27.4 | N/A | 0.64 | 192 |
| sum_of_square_indicator | autocorr. | N/A | 2.6 | N/A | 0.82 | 259 |
| algebraic_degree | ANF | 40 | N/A | N/A | 0.62 | 166 |
| algebraic_immunity | TT | 40 | 2E5 | N/A | 12 | 5.2E5 |
| num_fixed_points | LUT | X | X | N/A | X | 0.6 |
| snr_dpa | TT | N/A | N/A | N/A | N/A | 4 019 |
| branch_number | LUT | X | X | N/A | X | 277 |
| transparency_order | LUT | N/A | N/A | N/A | 1 218.7 | 6 105 |

As one can see from Table 3.1, our module is not the fastest for all the functions, but is comparable in speed (naturally, in the limited set of functions possible to compare).