On the number of resilient functions - Boolean Functions for Cryptography and Error Correcting

It is important to ensure that the selected criteria for the Boolean functions, supposed to be used in some cryptosystems, do not restrict the choice of the functions too severely. Hence, the set of functions should be enumerated.

But this enumeration is unknown for most criteria, and the case of resilient functions is not an exception in this matter. We recall below what is known.

As for bent functions, the class of balanced or resilient functions produced by Maiorana-McFarland’s construction is far the widest class, compared to the classes obtained from the other usual constructions, and the number of provably balanced or resilient Maiorana-McFarland’s functions seems negli-gible with respect to the total number of functions with the same properties.

For balanced functions, this can be checked: for every positive r, the num-ber of balanced Maiorana-McFarland’s functions (59) obtained by choosing φ such that φ(y) 6= 0, for every y, equals (2^r+1− 2)²^s, and is smaller than or equal to 2²ⁿ⁻¹ (since r ≥ 1). It is quite negligible with respect to the number ₂n−1²ⁿ ≈ ²^√^{2n+ 1}²

π2ⁿ of all balanced functions on Fⁿ2. The number of m-resilient Maiorana-McFarland’s functions obtained by choosing φ such that wH(φ(y)) > m for every y equals 2 P^r_i=m+1 ^r_i2^n−r

, and is probably also very small compared to the number of all m-resilient functions. But this number is unknown.

The exact numbers of m-resilient functions is known for m ≥ n − 3 (see [35], where (n − 3)-resilient functions are characterized) and (n − 4)-resilient func-tions have been characterized [75, 26].

As for bent function, an upper bound comes directly from the Siegen-thaler bound on the algebraic degree: the number of m-resilient functions is bounded above by 2^P^n−m−1ⁱ⁼⁰ (ⁿ_i). This bound is the so-called naive bound.

In 1990, Yang and Guo published an upper bound on the number of first-order correlation-immune (and thus on resilient) functions. At the same time, Denisov obtained a much stronger result (see below) but his result being published in russian, it was not known internationally. His paper was translated into english two years later but was not widely known either. This explains why several papers appeared with weaker results. Park, Lee, Sung and Kim [294] improved upon Yang-Guo’s bound. Schneider [325] proved that the number of m-resilient n-variable Boolean functions is less than:

n−m

i=1

2ⁱ 2ⁱ⁻¹

(ⁿ⁻ⁱ⁻¹_m−1) .

but this result was known, see [158]. A general upper bound on the number of Boolean functions whose distances to affine functions are all divisible by 2^m has been obtained in [90]. It implies an upper bound on the number of m-resilient functions which improves upon previous bounds for about half the values of (n, m) (it is better for m large). This bound divides the naive bound by approximately 2^P^n−m−1ⁱ⁼⁰ (^m−1_i )⁻¹ if m ≥ n/2 and by approximately 2²^2m+1⁻¹ if m < n/2.

An upper bound on m-resilient functions (m ≥ n/2 − 1) partially improving upon this latter bound was obtained for n/2 − 1 ≤ m < n − 2 in [84]: the number of n-variable m-resilient functions is lower than:

2^P^n−m−2ⁱ⁼⁰ (ⁿ_i) +

The expressions of these bounds seem difficult to compare mathematically.

Tables have been computed in [84].

The problem of counting resilient functions is related to counting integer solutions of a system of linear equations, see [281].

An asymptotic formula for the number of m-resilient (and also for m-th order correlationimmune functions), where m is very small compared to n -namely m = o(√

n) - was given by O. Denisov in [131]. This formula was not correct for m ≥ 2 and a correction was given by the same author in [132] (as well as a simpler proof): the number of m-resilient functions is equivalent to

For large resiliency orders, Y. Tarannikov and D. Kirienko showed in [347]

that, for every positive integer m, there exists a number p(m) such that for n > p(m), any (n − m)-resilient function f (x1, · · · , xn) is equivalent, up to permutation of its input coordinates, to a function of the form g(x1, · · · , x_p(m))⊕

x_p(m)+1⊕ · · · ⊕ x_n. It is then a simple matter to deduce that the number of (n − m)-resilient functions equalsPp(m)

i=0 A(m, i) ⁿ_i, where A(m, i) is the number of i-variable (i − m)-resilient functions that depend on all inputs x1, x2, . . . , xi nonlinearly. Hence, it is equivalent to ^A(m,p(m))_p(m)! n^p(m) for m constant when n tends to infinity, and it is at most Am n^p(m), where Am

depends on m only. It is proved in [348] that 3 · 2^m−2≤ p(m) ≤ (m − 1)2^m−2 and in [347] that p(4) = 10; hence the number of (n − 4)-resilient functions equals (1/2)n¹⁰+ O(n⁹).

8 Functions satisfying the strict avalanche and prop-agation criteria

In this section, we are interested in the functions (and more particularly, in the balanced functions) which achieve P C(l) for some l < n (the functions achieving P C(n) are the bent functions and they cannot be balanced).

8.1 P C(l) criterion

It is shown in [180, 60, 61] that, if n is even, then P C(n−2) implies P C(n); so we can find balanced n-variable P C(l) functions for n even only if l ≤ n − 3.

For odd n ≥ 3, it is also known that the functions which satisfy P C(n − 1) are those functions of the form g(x1⊕ x_n, · · · , xn−1⊕ x_n) ⊕ `(x), where g is bent and ` is affine, and that the P C(n − 2) functions are those functions of a similar form, but where, for at most one index i, the term x_i⊕ x_n may be replaced by x_i or by x_n (other equivalent characterizations exist [61]).

The only known upper bound on the algebraic degrees of P C(l) functions is n − 1. A lower bound on the nonlinearity of functions satisfying the propagation criterion exists [360] and can be very easily proved: if there exists an l-dimensional subspace F such that, for every nonzero a ∈ F , the derivative D_af is balanced, then nl(f ) ≥ 2ⁿ⁻¹− 2ⁿ⁻¹²^l−1; Relation (27), relating the values of the Walsh transform of a function on a flat a + E to the autocorrelation coefficients of the function on a flat b + E^⊥, applied to any a ∈ Fⁿ2, with b = 0 and E = F^⊥, shows indeed that every value bf_χ²(u) is bounded above by 2^2n−l; it implies that P C(l) functions have nonlinearities bounded below by 2ⁿ⁻¹− 2ⁿ⁻¹²^l−1. Equality can occur only if l = n − 1 (n odd) and l = n (n even).

The maximum correlation of Boolean functions satisfying P C(l) (and in particular, of bent functions) can be directly deduced from Relations (40) and (27), see [38].

8.1.1 Characterizations

There exist characterizations of the propagation criterion. A first obvious one is that, according to Relation (24), i.e. to the Wiener-Khintchine The-orem, f satisfies P C(l) if and only if P

u∈Fⁿ₂(−1)^a·u fb_χ²(u) = 0 for every nonzero vector a of weight at most l. A second one is:

Proposition 35 [61] Any n-variable Boolean function f satisfies P C(l) if

and only if, for every vector u of weight at least n − l, and every vector v:

w u

fb_χ²(w + v) = 2^n+w^H^(u).

This is a direct consequence of Relation (27). A third characterization is given in Subsection 8.2 below (apply it to k = 0).

8.1.2 Constructions

Maiorana-McFarland’s construction can be used to produce functions satis-fying the propagation criterion: the derivative D_(a,b)(x, y) of a function of the form (59) being equal to x · Dbφ(y) ⊕ a · φ(y + b) ⊕ Dbg(y), the function satisfies P C(l) under the sufficient condition that:

1. for every nonzero b ∈ F^s₂ of weight smaller than or equal to l, and ev-ery vector y ∈ F^s2, the vector Dbφ(y) is nonzero (or equivalently every set φ⁻¹(u), u ∈ F^r2, either is empty or is a singleton or has minimum distance strictly greater than l);

2. every linear combination of at least one and at most l coordinate func-tions of φ is balanced (this condition corresponds to the case b = 0).

Constructions of such functions have been given in [60, 61, 223].

According to Proposition 35, Dobbertin’s construction cannot produce functions satisfying P C(l) with l ≥ n/2. Indeed, if u is for instance the vector with n/2 first coordinates equal to 0, and with n/2 last coordinates equal to 1, we have, according to Relation (64): ch_χ²(w) = 0 for every w u.

In document Boolean Functions for Cryptography and Error Correcting Codes (Page 131-134)