2.6.1 Efficient Hill-climbing for Design
The design of Boolean functions and S-boxes with desirable cryptographic properties remains an important area of cryptological research. The application of heuristic search techniques to these tasks has almost exclusively been carried out by the Security Research Center at the Queensland University of Technology in Brisbane. Several papers have emerged from that group in the past five years.
The early work on efficient hill-climbing is the most important. It is a useful technique in its own right and is used as a component in more sophisticated searches. Millan et al. show that small changes to a Boolean function do not radically alter its nonlinearity (and may not alter it at all) and so some form of guided local search is worth consideration [83]. For any index , flipping the value of from to or vice-versa causes each Walsh-Hadamard value to change by or . Similarly, if and then flipping both values (to and respectively) causes each to change by , or else stay the same. Flipping two bits in this way preserves the balance of a Boolean function (assuming it starts as a balanced function).

5 Interestingly, DES is highly resilient to differential cryptanalysis. It was designed to be so. The designers must have known in the early-mid 1970s about differential cryptanalysis. Schneier [110] gives a flavour of the controversy surrounding DES.
The authors propose a hill-climbing approach to maximise nonlinearity and compare it with random generation. Hill-climbing is radically better. To improve nonlinearity a move must reduce the absolute value of the maximum . To check whether a move does this, one need only consider the effect on with extreme or near extreme values. Consider for example single bit flipping. If then if this value must be reduced by 2 by the move. If then any single bit flip will result in and so can be ignored. Similar arguments apply to the balanced case. Restricting attention to the near extreme cases greatly enhances the speed of hill-climbing. Similar ideas and efficiency gains can also be applied to improving autocorrelation.
The most high profile of the hill-climbing papers [81] documents precisely efficient hill-climbing for nonlinearity and autocorrelation and investigates a variety of joint property hill-climbing strategies. It considers nonlinearity and autocorrelation as goals and characterises a set of search strategies according to the restrictions they impose on the acceptance of moves around the state. Thus, nonlinearity strategies may be characterised as strong, weak or none. A strong strategy allows only moves that strictly improve nonlinearity. A weak strategy requires that a move does not worsen nonlinearity. Finally, it is possible not to place a restriction on the search. The terms apply also to autocorrelation strategies. This gives nine combinations of strategy. Thus a ‘strong-strong’ strategy will only allow moves that strictly improve both criteria.
The results show the importance and power of basic hill-climbing. The authors note that nonlinearity is improved over random generation when strong autocorrelation rules are applied (even when no restrictions with respect to nonlinearity are imposed). They state that this is due to the ‘qualitative connection between the maximum values of WHT [Walsh Hadamard Transform] and AC [autocorrelation]’ [81]. Once again the cost functions are direct expressions of the property desired (nonlinearity and autocorrelation).
2.6.2 Criteria Targeted and Cost Functions Used
The initial work was aimed solely at nonlinearity. This was quickly extended to cover autocorrelation. In both cases the objective function was itself used as the fitness or cost function. Thus, when high nonlinearity or low autocorrelation was the goal the fitness (cost) functions were:
(2.24)
(2.25)
Later work [84] sought Boolean functions that were correlation immune (of degrees 1 and 2) or which satisfied the so-called strict avalanche criterion (or, equivalently, the propagation criterion of order ). To couch the search for such functions as optimisation problems notions of correlation deviation and propagation deviation were defined:
(2.26) (2.27)
This is of particular interest since it addresses tradeoffs that can be made by automated search. It would seem that a multi-criteria optimisation is where the techniques may potentially have greatest benefit compared with other approaches.
What links all of the above functions is their directness. Although each indicated cost or fitness function may characterise well the goal of a particular search (for example, a zero-cost solution of Equation 2.26 is correlation immune of order ), it does not follow that it is a good cost or fitness function for guiding a search. Consider the nonlinearity fitness function of Equation 2.24. Suppose . If there is a single value of with then there is greater possibility of improving the nonlinearity than if there are, say, thirty or more with this value. Similar considerations apply to all the cost functions above. Although the fitness or cost values are expressed as functions of particular extreme elements, the ability to reach better values depends on the values of other elements. This observation forms the crux of the work in Chapters 3 and 4.
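The incremental Walsh-Hadamard update and near-extreme check of 2.6.1, together with the count of extreme elements that this section argues the direct cost function ignores, as an added example (not code from the thesis or the Brisbane group). It assumes a balance-preserving two-bit flip and the ‘strong’ acceptance rule; random_balanced constructs the starting function.

```python
import random
# Added example, not code from the thesis or the Brisbane group.  f is a truth
# table (list of 2**n bits); W[w] = sum_x (-1)^(f(x) XOR <w,x>) is its
# Walsh-Hadamard value, so nonlinearity = 2**(n-1) - max|W|/2.

def walsh_hadamard(f):  # full transform of the polarity table, O(n 2^n)
    w = [1 - 2 * b for b in f]                    # bit 0 -> +1, bit 1 -> -1
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(w):
    return (len(w) - max(map(abs, w))) // 2

def extreme_count(w):
    """How many W values sit at the maximum magnitude (Equation 2.24 ignores this)."""
    m = max(map(abs, w))
    return sum(abs(v) == m for v in w)

def pair_delta(f, omega, x1, x2):
    """Change in W[omega] if f(x1), f(x2) are both flipped: each flip negates one term, total -4, 0 or +4."""
    return sum(-2 * (-1) ** (f[x] ^ (bin(omega & x).count("1") & 1)) for x in (x1, x2))

def random_balanced(n, seed):
    f = [0] * 2 ** (n - 1) + [1] * 2 ** (n - 1)   # constructed starting point
    random.Random(seed).shuffle(f)
    return f

def hill_climb(f, seed, max_failures=2000):
    """'Strong' strategy: accept a 0/1 pair flip (balance preserved) only if it strictly
    raises nonlinearity; only W values within 4 of the maximum can matter, so only they are checked."""
    rng, f, w = random.Random(seed), list(f), walsh_hadamard(f)
    zeros, ones = ([x for x in range(len(f)) if f[x] == b] for b in (0, 1))
    failures = 0
    while failures < max_failures:
        failures += 1
        x1, x2 = rng.choice(zeros), rng.choice(ones)
        m = max(map(abs, w))
        near = [o for o in range(len(w)) if abs(w[o]) >= m - 4]
        if all(abs(w[o] + pair_delta(f, o, x1, x2)) < m for o in near):
            for o in range(len(w)):               # incremental update, no re-transform
                w[o] += pair_delta(f, o, x1, x2)
            f[x1], f[x2] = 1, 0
            zeros[zeros.index(x1)], ones[ones.index(x2)] = x2, x1
            failures = 0
    return f, w
```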
2.6.3 Optimisation Techniques Used
The Brisbane work has made use of random generation (for comparison purposes), hill-climbing and genetic algorithms [82]. Hill-climbing has generally been found to be a useful final stage to any optimisation based approach. This is consistent with application of genetic algorithms in other fields where an element of local search is often brought to bear.
Hill-climbing is conceptually straightforward. The efficiency savings of the smart hill-climbing are very considerable. It is harder to see why the genetic algorithms work. Standard genetic algorithms do not work. The work often makes use of a problem specific cross-over method and occasionally incorporates elements of intermediate hill-climbing. Although the genetic algorithms have shown themselves to be better than hill-climbing, it appears to this author that they are not obviously natural candidates for Boolean function design. Interesting representational issues arise with the use of genetic algorithms. With the vector representations indicated earlier (truth tables) it is entirely possible to mate two excellent functions to get awful children. Indeed, two optimally non-linear functions may be isomorphic (under relabelling of variables) and yet mate to give children with low nonlinearity. Also, combination like this must preserve balance. Millan et al. [84] give balance preserving crossover approaches.
There would appear to be no application of more ‘local’ search techniques (such as simulated annealing).
2.6.4 Generalisation
The work on balanced functions was generalised to encompass bijective [79] and regular [80] S-Boxes. A bijective S-Box is an invertible function . In a regular S-box on input and outputs each output occurs precisely times. Regularity is the vector-valued output version of balance. In both cases the cost or fitness functions used are very direct. The nonlinearity of an S-box is just the worst nonlinearity of any linear combination of the outputs (similarly for autocorrelation). These objective function measures are used directly as the fitness and cost functions.
The MARS S-box work of Burnett et al. [9] is clearly very significant. IBM has a great deal of cryptographic expertise and is not short of computing power! Two and a half hours computing on a PC allowed Burnett et al. to find boxes with better properties than those proposed by IBM. This paper is fairly recent but has aroused interest. Heuristic search for cryptological applications has rarely caused surprises. This work is an exception.
2.6.5 Successes Achieved
The Brisbane work has equalled the best achieved nonlinearity values for balanced Boolean functions for . At higher the effectiveness of the techniques appears to drop. It would seem fairly easy also to achieve correlation immune functions of order 1 with reasonable nonlinearity. No functions of correlation immunity degree 2 have been achieved. The MARS S-box work is significant as indicated above.
2.6.6 General Commentary
The Security Research Centre in Brisbane have been responsible for virtually all progress on the use of guided search for Boolean function and S-box design. The work has attacked a range of desirable properties (nonlinearity, low autocorrelation, correlation immunity and propagation characteristics). It has also been extended to S-box design. The superiority of basic guided search over techniques such as random generation has been repeatedly demonstrated. The most significant outputs are the efficient hill-climbing algorithms for nonlinearity and low autocorrelation.
The techniques have shown promise but there have been few surprises. The MARS S-box design work is an exception. The body of work remains an excellent basis on which to build. To cause some surprises it is necessary to consider what has prevented the techniques from performing better. Directness of the cost functions has been identified as a potential restriction and also, perhaps, a reluctance to embrace more sophisticated local search techniques.