Tight bound between nonlinearity and algebraic immunity

(1)

immunity

Mikhail Lobanov

Meh. & Math. Department

MosowState University

119992 Mosow, Russia

emails: mishamsumail.ru

Abstrat

Weobtain tightbound betweennonlinearity andalgebrai immunity

of aBoolean funtionand onstrut balanedfuntionsthat ahivethis

boundforallpossiblevaluesofparameters.

Boolean funtions havewide appliations in ryptography. Reently,

alge-braiattaksagainststreamipherswereinventedthatappliedtherequirement

ofhighalgebraiimmunityinombinationswithotherrequirementstoBoolean

funtionsexploitedasnonlinearltersinstreamiphers(see,forexample,[1,5℄).

OnemoreryptographiimportantpropertyofBooleanfuntionsespeially

im-portantinstreamiphersisnonlinearity. Inthisrespettheproblemofrelations

betweennonlinearityandalgebraiimmunityofBooleanfuntionshasan

inter-est.

In[2℄itwasprovedthelowerboundforthenonlinearityofaBooleanfuntion

viaitsalgebraiimmunity.

In this paper we obtain stronger lower bound for the nonlinearity of a

Boolean funtion viaits algebrai immunityand onstrut balaned funtions

thatahivethisbound forallpossiblevaluesofparameters.

It is wellknown that aBoolean funtion has the onlyrepresentation by a

polynomial.

Denition1. The degreeofaBooleanfuntionisthelengthofthelongest

termin itspolynomial(thenumberofvariablesinthisterm).

Denition2. ABooleanfuntiong overF n

2

isan annihilatorofaBoolean

funtionf overF n

2

iffg=0.

Obviously, all annihilators of f form a linear subspae in the spae of all

(2)

F n

2

isthedegreeoftheBooleanfuntiong overF n

2

wheregisnonzeroBoolean

funtionofminimumdegreesuhthat fg=0or(f+1)g=0.

Itisknown[1,5℄thatforanyf overF n

2

theinequalityAI(f)d n

2

eholds.

Denition 4. The weightwt(x) of avetorx in F n

2

isthenumberofones

inx.

Denition5. ThedistanebetweenBooleanfuntionsf

1 andf

2

isdened

asd(f

1 ;f

2

)=jfx2F n

2 jf

1 (x)6=f

2 (x)gj.

Denition 6. The nonlinearity nl(f)of a Boolean funtion f overF n

2 is

min

l;deg(l)1 d(f;l).

Denition7. Foranyvetoru2F n

2

thevalue

W

f (u)=

X

x2F n

2 ( 1)

f(x)+<u;x>

isalledthe WalshoeÆientoff atu.

ThenonlinearityisexpressedviaWalshoeÆientsbythenextformula:

nl(f)=2 n 1

1

2 max

u2F n

2 jW

f (u)j:

In[2℄ it was provedthat if nl(f)< P

d

i=0 n

i

then AI(f)d+1. This is

equivalenttothelowerbound ofnonlinearity

nl(f)

AI(f) 2

X

i=0

n

i

:

Denition8. ABooleanfuntionf(x

1 ;:::;x

n

)isalledself-dualiff(x

1 +

1;x

2

+1;:::;x

n

+1)=f(x

1 ;:::;x

n )+1.

Itiseasytosee thatiff isself-dualthenthefatthat f hasnotanonzero

annihilatorofdegreelessthankfollowsthatf+1hasnotanonzeroannihilator

ofdegreelessthanktoo. Thereforetheminimumdegreesofnonzeroannihilators

offuntionsfandf+1arethesame. Thus,forthendingofalgebraiimmunity

of a self-dual funtion f it is suÆient to onsider only annihilators of the

funtionf.

Lemma 1. Any annihilator g(x

1 ;:::;x

n

) of the funtion l(x

1 ;:::;x

n ),

deg(l)=1,an berepresentedinthe form

g(x

1 ;:::;x

n )=f(x

1 ;:::;x

n )(l(x

1 ;:::;x

n )+1)

wheredeg (f)=deg(g) 1.

Proof. BeauseofaÆneequivalenewithoutlossofgeneralityitispossible

toassumel=x

1 +1.

Considertherepresentationof g(x

1 ;:::;x

n

)in thepolynomialform. Sine

allannihilators of a funtion form alinear spae, after the anellation of all

terms that ontain x

1

we must obtain the funtion g

1 (x

2 ;:::;x

n

(3)

1 1 1 1 1 1

anytermofgontainsx

1 ,then

g(x

1 ;:::;x

n )=x

1 f(x

1 ;:::;x

n

)=(l+1)f

wheredeg(f)=deg (g) 1.

Lemma 2. Let l(x

1 ;:::;x

n

) be a Boolean funtion, deg (l) = 1. Then

all annihilators of the funtion l of degree at most t form the linear spae of

dimension P

t 1

i=0 n 1

i

.

Proof. BeauseofanaÆneequivalene,itispossibletoassumel=x

1 +1.

Consideranarbitraryannihilatorg(x

1 ;:::;x

n

)ofthefuntionl(x

1 ;:::;x

n )

suhthatdeg (g)t.Considertherepresentationofg(x

1 ;:::;x

n

)inthe

polyno-mialform. Sineallannihilatorsofafuntionformalinearspae,afterthe

an-ellationofalltermsthatontainx

1

wemustobtainthefuntiong

1 (x

2 ;:::;x

n )

suhthatg

1 l=g

1 (x

1

+1)=0. Sineg

1

doesnotdependonx

1

wehaveg

1 =0.

Hene,anytermofg ontainsx

1 ,then

g(x

1 ;:::;x

n )=x

1 f(x

2 ;:::;x

n )

wheredeg(f)t 1.

In addition, any funtion g(x

1 ;:::;x

n

) = x

1 f(x

2 ;:::;x

n

), where

f(x

2 ;:::;x

n

) is an arbitrary Boolean funtion of n 1 variables and of

de-gree at most t 1, is an annihilatorof l of degree at most t. It follows the

statementofLemma.

Remark. Theproofof thenextlemma it ispossibleto nd in [4℄ but we

giveitherebeauseofitssimpliity.

Lemma3. If f isaBooleanfuntion overF n

2

andAI(f)>k, then

k

X

i=0

n

i

wt(f) n k 1

X

i=0

n

i

:

Proof. We look for an annihilator of the funtion f by the method of

indeterminateoeÆients:

g=a

0 +

n

X

i=1 a

i x

i +

X

1i<jn a

ij x

i x

j

++

X

1i

1 :::i

k n

a

i1:::ik x

i1 :::x

ik ;

deg(g)k.

Thefuntiongisanannihilatoroff ifandonlyiff(x)=1followsg(x)=0.

TheninordertoprovideAI(f)>k,itisneessarythatobtainedhomogeneous

systemof linearequationsona

0 ;a

1 ;a

2

;:::hastheonlyzerosolution. For this

it is neessarythat the number of unknowns does not exeed the number of

equations. Thenumberofequationsiswt(f)whereasthenumberofunknowns

is P

k

i=0 n

i

. Hene,theleftinequalityis proved. Applyingthesamereasoning

(4)

Theorem1. Letf(x

1 ;:::;x

n

)beaBooleanfuntionoverF

2

andAI(f)=

k. Then

nl(f)2 n 1

n k

X

i=k 1

n 1

i

=2 k 2

X

i=0

n 1

i

: (1)

Proof. Fork=1ourboundgivesnl(f)0. Assume k2.

Representthenonlinearityofthefuntion f in theform nl(f)=2

n 1

2

where=max

u2F n

2 jW

f (u)j.

Ifmax

u2F n

2 jW

f

(u)jisahievedatzerovetor,thenf orf+1hastheweight

2 n

2

. Thenin aordanewithLemma 3wehave

2 n

2

k 1

X

i=0

n

i

:

Therefore, P

n k

i=k n

i

2 P

n k

i=k 1 n 1

i

. Fromhereweobtaintherequired

bound onthenonlinearity.

If max

u2F n

2 jW

f

(u)j is not ahieved at zero vetor, then there exists the

funtion l(x

1 ;:::;x

n

);deg (l) = 1, suh that d(f;l) = 2

n

2

. The funtions

f and l have the same values at 2

n

+

2

vetors. Suppose that among these

vetorsthereexist exatly vetorsxwheref(x)=1,thenthereexist exatly

2 n 1

wt(f)

2

+ vetorswheref =0andl=1.

Then

wt(f(l+1))=wt(f) (2)

and

wt((f +1)l)=2 n 1

wt(f)

2

+: (3)

Therightsidein(2)isdereasinginwhereastherightsidein(3)isinreasing

in. Theequalityasahievedfor=wt(f) 2 n 2

+

4

. Itfollowsthat

min(wt(f(l+1));wt((f+1)l))2 n 2

4 :

Ifwt(f(l+1))<wt((f +1)l)then dene f

1 = f;l

1

=l+1, otherwisedene

f

1

=f+1;l

1 =l.

Inputthefuntionf

2 =f

1 l

1

. Thenwt(f

2 )2

n 2

4 .

Welookforannihilatorsg ofthefuntionf

2

ofdegreeatmostk 2bythe

methodofindeterminateoeÆients:

g=a

0 +

n

X

i=1 a

i x

i +

X

1i<jn a

ij x

i x

j

++

X

1i1:::ik 2n a

i

1 :::i

k 2 x

i

1 :::x

i

k 2 :

Afuntiong istheannihilatoroff ifandonlyiff(x)=1followsg(x)=0.

Hene,weobtainthehomogeneoussystemofatmost2 n 2

4

linear

equa-tions on P

k 2

i=0 n

i

unknowns. The spae of solutions of this system has the

dimensionat least P

k 2

i=0 n

i

(2 n 2

(5)

1

degreeatmostk 2is P

k 3

i=0 n 1

i

.

If P

k 2

i=0 n

i

(2

n 2

4 )>

P

k 3

i=0 n 1

i

then there exists thefuntion f

3 ,

deg(f

3

)k 2,suhthat f

2 f

3

=0but f

3 l

1

6=0. Thenf

3 l

1

istheannihilator

off

1

,inadditiondeg (f

3 l

1

)k 1thatontraditstoAI(f)=k.

Itfollows P

k 2

i=0 n

i

(2

n 2

4 )

P

k 3

i=0 n 1

i

,

4 2

n 2 1

2 n k +1

X

i=k 2

n 1

i

+2 n 2

2 n 1

1

2 n k +1

X

i=k 1

n

i

!

;

4

1

2

n k +1

X

i=k 1

n 1

i

+

n 1

i 1

n k +1

X

i=k 2

n 1

i

!

= 1

2 n k

X

i=k 1

n 1

i

:

Therefore,nl(f)2 n 1

P

n k

i=k 1 n 1

i

.

Corollary 1. If n odd andAI(f(x

1 ;:::;x

n ))=

n

2

then

nl(f)2 n 1

n 1

2

: (4)

Notethatin[4℄itwasonstrutedthefuntionofoddnumbernofvariables

withthealgebrai immunity

n

2

and nonlinearitynl(f)=2 n 1

n 1

2

. Our

Corollary 1 laries that this funtion ahieves our bound (4), i. e. among

allfuntions withmaximumpossiblealgebrai immunity thisfuntion has the

worst possible nonlinearity. The alulation of its nonlinearity in [4℄ is quite

diÆultandtakessomepages. Nowthelowerbound for thefuntion from[4℄

followsimmediately from ourCorollary1. Atthesametime theupperbound

forthenonlinearityofthefuntionfrom[4℄willfollowfromourTheorem2sine

thisfuntion isapartiular aseof ourfuntionsf

n;k

appearedin theproofof

ourTheorem 2. Note alsothat in [3℄ forthe onstrutedthere thefuntion f

withoddnumbernofvariablesand thealgebrai immunity

n

2

itwas proved

thelowerbound of nonlinearity nl(f)2 n 1

n 1

2

that oinides with our

bound in Corollary1forallfuntions with suh numberofvariables andsuh

algebraiimmunity.

Corollary 2. If n evenandAI(f(x

1 ;:::;x

n ))=

n

2

then

nl(f)2 n 1

n

2

:

Note that in [4℄ the bound of ourCorollary2 was provedfor verynarrow

lassoffuntions.

Theorem 2. The bound (1) in Theorem 1 is unimprovable for any nand

any kd n

2

e. Moreover, for any admissible parameters n andk there exists a

(6)

anynandanykd n

2

ethebalanedfuntionf(x

1 ;:::;x

n

)suhthatAI(f)=k

andnl(f)=2 n 1

P

n k

i=k 1 n 1

i

.

Denethefuntion f

n;k

bythenextway:

f

n;k (x

1 ;:::;x

n )=

8

<

:

0; if wt(x

1 ;:::;x

n )<k;

1; if wt(x

1 ;:::;x

n

)>n k;

x

1

; if kwt(x

1 ;:::;x

n

)n k:

Now prove that for any n and any k d n

2

e we have AI(f

n;k

) = k and

nl(f

n;k )=2

n 1 P

n k

i=k 1 n 1

i

.

It iseasyto seethat f(x

1 +1;x

2

+1;:::;x

n

+1)=f(x

1 ;:::;x

n

)+1,i.e.

f

n;k

isaself-dualfuntion. Hene,thefuntionf

n;k

isabalaned funtion.

Sinef

n;k

is self-dual,in orderto proveAI(f)k,it issuÆientto prove

thatf

n;k

+1hasnotanonzeroannihilatorofdegreelessthank.

Writethepossibleannihilatorg ofthefuntionf+1ofdegreeatmostk 1

bymeansofindeterminateoeÆients:

g=a

0 +

n

X

i=1 a

i x

i +

X

1i<jn a

ij x

i x

j

++

X

1i1:::ik 1n a

i1:::ik

1 x

i1 :::x

ik

1 :

The funtion g is the annihilator of f

n;k

+1 if and only if f(x)+1 = 1

fol-lowsg(x)=0. We obtainthesystemof homogeneouslinearequations on the

oeÆientsofthefuntion g:

g(x

1 ;:::;x

n )=0

forallvetorsx suhthat wt(x)k 1.

Sineg(0;:::;0)=0,wehavea

0

=0. Sineg(x)=0ifwt(x)=1,wehave

a

i =a

0

=0. Applyingtheindutionontheweightofvetorsweobtainthatall

oeÆientsofg arezeros,hene,g0. Thus, AI(f

n;k

)k. Atthesametime

itis easyto seethat g(x

1 ;:::;x

n )=(x

1

+1):::(x

k

+1) is theannihilatorof

f

n;k

ofdegreek. Therefore,AI(f

n;k )=k.

CalulatetheWalshoeÆientofthefuntionf

n;k

atthevetor(1;0;:::;0)

usingtheself-dualityoff

n;k :

W

f

n;k

(1;0;:::;0)=

X

(x

1 ;:::;x

n )2F

n

2 ( 1)

fn;k(x1;:::;xn)+x1

=

=2 n

2wt(f

n;k (x

1 ;:::;x

n )+x

1 )=

=2 n

2(wt(f

n;k (0;x

2 ;:::;x

n

))+wt(f

n;k (1;x

2 :::;x

n

)+1))=

=2 n

4wt(f

n;k (0;x

2 ;:::;x

n ))=2

n

4 n 1

X

i=n k +1

n 1

i

=2 n k

X

i=k 1

n 1

i

(7)

Hene,nl(f

n;k )2

n 1 P

n k

i=k 1 n 1

i

. Aboveweprovedthat AI(f

n;k )=

k, hene, by Theorem 1 we havenl(f

n;k ) 2

n 1 P

n k

i=k 1 n 1

i

, it follows

nl(f

n;k )=2

n 1 P

n k

i=k 1 n 1

i

.

Theauthorisdeeplygrateful tohissientisupervisorProf.Yuriy T

aran-nikov for theformulationof the problem, attentionto the work and valuable

advies.

Referenes

[1℄ N.Courtois andW.Meier. Algebraiattaksonstream ipherswith linear

feedbak.InAnvanesinCryptology|EUROCRYPT2003,number2656

in Leture Notes in Computer Siene, pages 345{359. Springer-Verlag,

2003.

[2℄ D.K.Dalai, K.C.Gupta and S.Maitra. Results on Algebrai Immunity for

CryptographiallySigniantBooleanFuntions.Indorypt2004,Chennai,

India, Deember 20{22, pages 92{106, volume 3348 in Leture Notes in

ComputerSiene,Springer-Verlag,2004.

[3℄ D.K.Dalai, K.C.Gupta and S.Maitra. Cryptographially Signiant

BooleanFuntions: ConstrationandAnalysisintermsofAlgebrai

Immu-nity.FSE2005,pages98{111, volume3557in LetureNotesin Computer

Siene, Springer-Verlag,2005.

[4℄ D.K.Dalai, S.Maitra, S.Sarkar. Basi Theory in Constrution of Boolean

Funtions with Maximum Possible Annihilator Immunity. Cryptology

ePrintarhive(http://eprint.iar.org/),Report2005/229.

[5℄ W.Meier,E.PasaliandC.Carlet.Algebraiattaksanddeompositionof

Boolean funtions. In Advanes in Cryptology | EUROCRYPT 2004,

number 3027 in Leture Notes in Computer Siene, pages 474{491.