2015 3rd AASRI Conference on Computational Intelligence and Bioinformatics (CIB 2015) ISBN: 978-1-60595-308-3
A New Method on Constructing Boolean Functions Satisfying the Strict Avalanche Criterion and Bounds on the Number of SAC Functions
Qingping Wang
School of Statistics, Jiangxi University of Finance & Economics, Nanchang, P. R. China
Research Center of Applied Statistics, Jiangxi University of Finance & Economics, Nanchang, P.R. China
ABSTRACT: Properties of Boolean functions satisfying the Strict Avalanche Criterion (SAC) are studied. A new method of constructing SAC functions is proposed, and it is proved that the Hamming weight of SAC functions with n variables belongs to the set $W(n)=\{k \mid 2^{n-2}\le k\le 3\times 2^{n-2},\ k \text{ is an even number}\}$. Finally, the upper and lower bounds of the number of SAC functions are obtained.
1 INTRODUCTION
The Strict Avalanche Criterion (SAC) for cryptographic functions was introduced by A.F. Webster and S.E. Tavares in [1]. Results concerning the enumeration of SAC functions have been studied by cryptographers, and yet there is no known closed form for the number of SAC functions [2-10]. R. Forre [2] has exhaustively enumerated the number of n-bit functions for $n\le 4$. Among the 65536 4-bit functions, 4128 are SAC functions. However, it is very complicated and difficult to enumerate the number of n-bit SAC functions when n is too big. In [3], T.W. Cusick provided a method to construct $2^{2^{n-2}}$ n-bit balanced Boolean functions which satisfy the SAC, and the lower bound on the number of those functions is obtained. In fact, this lower bound is given as $2^{2^n L_n}$, where $L_n\ge\frac{1}{4}$. Besides, T.W. Cusick gave a conjecture to improve this lower bound further, which has not been proved yet (Conjecture 4 in [3]: Given any choice of the values $f(v_i)$, $0\le i\le 2^{n-1}-1$, there exists a choice of $f(v_i)$, $2^{n-1}\le i\le 2^n-1$, such that the resulting function f(x) satisfies the SAC). If this conjecture holds, then a better lower bound can be given as $L_n\ge\frac{1}{2}$. In order to improve the lower bound above, a new method to construct Boolean functions which satisfy the SAC is proposed in the present paper.
First of all, it is proved that $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$, where $\omega(f(x))$ is the Hamming weight of f(x), and $\omega(f(x))$ is an even number. From this property, it is pointed out that the number of SAC functions is less than $2^{2^n-1}$. Furthermore, a method is given to construct the n-bit SAC functions satisfying the condition $\omega(f(x))=k$, where $k\in W(n)=\{k \mid 2^{n-2}\le k\le 3\times 2^{n-2},\ k \text{ is an even number}\}$. By means of this method, we can find $2\times\binom{2^{n-1}}{2^{n-2}}$ n-bit SAC functions satisfying $\omega(f(x))=2^{n-2}$ as well as $2\times\binom{2^{n-1}}{2^{n-2}}$ n-bit SAC functions satisfying $\omega(f(x))=3\times 2^{n-2}$. Finally, bounds on the number of SAC functions are obtained.
2 SAC FUNCTIONS
In this section, the concept of SAC functions is reviewed, and properties of SAC functions are studied.
Definition 2.1 [4] Assume that $Z_2=\{0,1\}$, then any function $f: Z_2^n\to Z_2$ is called a Boolean function.
Definition 2.2 [4] Suppose that f(x) is an n-bit Boolean function, $x=(x_1,\ldots,x_n)\in Z_2^n$, the number of "1" in vector x is called the Hamming weight of x, denoted $\omega(x)$. The number of x satisfying f(x)=1 is called the Hamming weight of f(x), denoted $\omega(f(x))$.
implies $\omega(f(x)+f(x+c))=2^{n-1}$ (i.e. f(x) is a balanced Boolean function), then f(x) is called a SAC function.
Proposition 2.1 If f(x) is a SAC function, then g(x)=1-f(x) is also a SAC function.
Proof. Suppose that f(x) is an n-bit Boolean function. $\forall c\in Z_2^n$, $\omega(c)=1$, we have $g(x)+g(x+c)=(1-f(x))+(1-f(x+c))=(1+f(x))+(1+f(x+c))=f(x)+f(x+c)$.
Since f(x) is a SAC function, then $\omega(g(x)+g(x+c))=\omega(f(x)+f(x+c))=2^{n-1}$. Hence g(x)=1-f(x) is a SAC function.
Proposition 2.2 Suppose that f(x) is an n-bit SAC function, then $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$.
Proof. Since f(x) is a SAC function, then $\forall c=(c_1,\ldots,c_n)\in Z_2^n$, $\omega(c)=1$, we have $\omega(f(x)+f(x+c))=2^{n-1}$. It is easy to prove that $\omega(f(x))+\omega(g(x))\ge\omega(f(x)+g(x))$ and $\omega(f(x))=\omega(f(x+c))$, hence it follows from $\omega(f(x))+\omega(f(x+c))\ge\omega(f(x)+f(x+c))=2^{n-1}$ that $\omega(f(x))\ge 2^{n-2}$. Since f(x) is a SAC function, by Proposition 2.1, we know that g(x)=1-f(x) is a SAC function. Then $2^n-\omega(f(x))=\omega(1-f(x))=\omega(g(x))\ge 2^{n-2}$, hence $\omega(f(x))\le 3\times 2^{n-2}$.
Proposition 2.3 Suppose that f(x) is an n-bit SAC function, $\forall c\in Z_2^n$, $\omega(c)=1$, let $V=\{x \mid f(x)=f(x+c)=1,\ x\in Z_2^n\}$. If |V|=a, then a is an even number, and $\omega(f(x)+f(x+c))=2(\omega(f(x))-a)$, where |V| denotes the number of elements in V.
Proof. If $\alpha\in V$, then $f(\alpha)=f(\alpha+c)=1$. Let $\beta=\alpha+c$, then $f(\beta)=f(\alpha+c)=1$, $f(\beta+c)=f((\alpha+c)+c)=f(\alpha)=1$. Hence $\beta=\alpha+c\in V$, i.e. the elements of V are in pairs, i.e. |V|=a is an even number.
If f(x)=f(x+c)=1, then f(x)+f(x+c)=0. Hence $\omega(f(x)+f(x+c))=(\omega(f(x))-a)+(\omega(f(x+c))-a)=2(\omega(f(x))-a)$.
Theorem 2.1 Suppose that f(x) is an n-bit ($n\ge 3$) SAC function. Then $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$, and $\omega(f(x))$ is an even number.
Proof. It follows from Proposition 2.2 that $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$.
For every $c\in Z_2^n$ with $\omega(c)=1$, let $V=\{x \mid f(x)=f(x+c)=1,\ x\in Z_2^n\}$, and suppose |V|=a. Then by Proposition 2.3, we have $\omega(f(x)+f(x+c))=2(\omega(f(x))-a)$.
Since f(x) is a SAC function, then $\omega(f(x)+f(x+c))=2(\omega(f(x))-a)=2^{n-1}$. Note that $n\ge 3$, then $2(\omega(f(x))-a)$ is a multiple of 4, i.e. $\omega(f(x))-a$ is a multiple of 2.
Moreover, |V|=a is an even number, hence $\omega(f(x))$ is an even number.
Lemma 2.1 The following equations hold:
(i) If n is an even number, then
$$\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{n-2}+\binom{n}{n}=\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{n-3}+\binom{n}{n-1}=2^{n-1}.$$
(ii) If n is an odd number, then
$$\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{n-3}+\binom{n}{n-1}=\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{n-2}+\binom{n}{n}=2^{n-1}.$$
These two equations in Lemma 2.1 can be obtained from the properties of binomial coefficients. Hence the proof is omitted.
Theorem 2.2 Suppose that f(x) is an n-bit ($n\ge 3$) SAC function. Let $W(n)=\{\omega(f(x)) \mid f(x) \text{ is a SAC function}\}$, then $W(n)=\{k \mid 2^{n-2}\le k\le 3\times 2^{n-2}, \text{ and } k \text{ is an even number}\}$.
Proof. Let f(x) be an n-bit ($n\ge 3$) SAC function. It follows from Theorem 2.1 that $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$, and $\omega(f(x))$ is an even number. In the following, we will prove that $\forall k\in W(n)$, there exists an n-bit ($n\ge 3$) SAC function f(x) such that $\omega(f(x))=k$.
Let $V_i=\{x \mid x\in Z_2^n,\ \omega(x)=i\}$ $(i=0,1,2,\ldots,n)$, then $|V_i|=\binom{n}{i}$.
Firstly, suppose that n is an even number and $2^{n-2}\le k\le 2^{n-1}$.
(i) If $k=2^{n-2}$, we can select $2^{n-2}$ vectors from $V_0\cup V_2\cup\cdots\cup V_{n-2}\cup V_n$ to construct a set, denoted as $X_0$ (In fact, from Lemma 2.1, we know that $\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{n-2}+\binom{n}{n}=2^{n-1}$. Hence there are $2^{n-1}$ vectors in $V_0\cup V_2\cup\cdots\cup V_{n-2}\cup V_n$. Therefore the selection is possible). Let
$$f(x)=\begin{cases}1, & x\in X_0\\ 0, & \text{otherwise}\end{cases}$$
then $\omega(f(x))=|X_0|=2^{n-2}=k$.
For every $c\in Z_2^n$ with $\omega(c)=1$, if $x\in V_0\cup V_2\cup\cdots\cup V_{n-2}\cup V_n$, then $x+c\in V_1\cup V_3\cup\cdots\cup V_{n-3}\cup V_{n-1}$. Hence $V=\{x \mid f(x)=f(x+c)=1,\ x\in Z_2^n\}=\emptyset$. It follows from Proposition 2.3 that $\omega(f(x)+f(x+c))=2\omega(f(x))=2^{n-1}$. Hence f(x) is a SAC function with $\omega(f(x))=k$.
(ii) If $k=2^{n-2}+2$, we can select $2^{n-2}-n+1$ vectors from $V_3\cup V_5\cup\cdots\cup V_{n-3}\cup V_{n-1}$ to construct a set, denoted as $X_1$ (In fact, from Lemma 2.1, we know that $\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{n-3}+\binom{n}{n-1}=2^{n-1}$. Hence there are $2^{n-1}-n$ vectors in $V_3\cup V_5\cup\cdots\cup V_{n-3}\cup V_{n-1}$. Therefore the selection is possible). Let
$$f(x)=\begin{cases}1, & x\in V_0\cup V_1\cup X_1\\ 0, & \text{otherwise}\end{cases}$$
then $\omega(f(x))=|V_0\cup V_1\cup X_1|=1+n+(2^{n-2}-n+1)=2^{n-2}+2=k$.
For every $c\in Z_2^n$ with $\omega(c)=1$, if $x\in V_3\cup V_5\cup\cdots\cup V_{n-3}\cup V_{n-1}$, then $x+c\in V_2\cup V_4\cup\cdots\cup V_{n-2}\cup V_n$; if $x\in V_0$, then $x+c\in V_1$. Hence $V=\{x \mid f(x)=f(x+c)=1,\ x\in Z_2^n\}$ has 2 elements, i.e. |V|=2. It follows from Proposition 2.3 that $\omega(f(x)+f(x+c))=2(\omega(f(x))-|V|)=2^{n-1}$. Hence f(x) is a SAC function with $\omega(f(x))=k$.
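(iii) If $k=2^{n-2}+2j$ $(1\le j<2^{n-3})$, it follows from Lemma 2.1 that $\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{n-2}+\binom{n}{n}=2^{n-1}$. Hence there exists an even number l such that
$$\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{l}\le j<\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{l}+\binom{n}{l+2}.$$
We can select $j-\left(\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{l}\right)$ vectors from $V_{l+2}$ and $2^{n-2}+j-\left(\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{l+1}+\binom{n}{l+3}\right)$ vectors from $V_{l+5}\cup V_{l+7}\cup\cdots\cup V_{n-3}\cup V_{n-1}$ to construct a set, denoted as $X_j$ (In fact, from Lemma 2.1, we know that $\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{n-3}+\binom{n}{n-1}=2^{n-1}$. Hence there are $2^{n-1}-\left(\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{l+1}+\binom{n}{l+3}\right)$ vectors in $V_{l+5}\cup V_{l+7}\cup\cdots\cup V_{n-3}\cup V_{n-1}$. Therefore the selection is possible). Let
$$f(x)=\begin{cases}1, & x\in V_0\cup V_1\cup\cdots\cup V_l\cup V_{l+1}\cup X_j\cup V_{l+3}\\ 0, & \text{otherwise}\end{cases}$$
then
$$\omega(f(x))=|V_0\cup V_1\cup\cdots\cup V_l\cup V_{l+1}\cup X_j\cup V_{l+3}|=\binom{n}{0}+\binom{n}{1}+\binom{n}{2}+\cdots+\binom{n}{l+1}+\left(j-\left(\binom{n}{0}+\binom{n}{2}+\cdots+\binom{n}{l}\right)\right)+\left(2^{n-2}+j-\left(\binom{n}{1}+\binom{n}{3}+\cdots+\binom{n}{l+1}+\binom{n}{l+3}\right)\right)+\binom{n}{l+3}=2^{n-2}+2j=k.$$
For every $c\in Z_2^n$ with $\omega(c)=1$, if $x\in V_{l+5}\cup V_{l+7}\cup\cdots\cup V_{n-3}\cup V_{n-1}$, then $x+c\in V_{l+4}\cup V_{l+6}\cup\cdots\cup V_{n-2}\cup V_n$; if $x\in V_0\cup V_2\cup\cdots\cup V_l\cup V_{l+2}$, then $x+c\in V_1\cup V_3\cup\cdots\cup V_{l+1}\cup V_{l+3}$. Hence $V=\{x \mid f(x)=f(x+c)=1,\ x\in Z_2^n\}$ has 2j elements, i.e. |V|=2j. It follows from Proposition 2.3 that $\omega(f(x)+f(x+c))=2(\omega(f(x))-|V|)=2^{n-1}$. Hence f(x) is a SAC function with $\omega(f(x))=k$.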
Secondly, if n is an odd number, and $2^{n-2}\le k\le 2^{n-1}$, the proof is similar.
Lastly, if $2^{n-1}\le k\le 3\times 2^{n-2}$, then $2^{n-2}\le 2^n-k\le 2^{n-1}$. Hence, there exists a SAC function g(x) such that $\omega(g(x))=2^n-k$
The proof of Theorem 2.2 provides a method to construct SAC functions satisfying $\omega(f(x))=k$. In the following, we give a formula to compute the number of n-bit ($n\ge 3$) SAC functions.
Theorem 2.3 Assume that the number of all n-bit ($n\ge 3$) SAC functions is denoted by $\eta(n)$, and the number of n-bit SAC functions satisfying $\omega(f(x))=2k_1$ is denoted by $\xi(2k_1,n)$, then
$$\eta(n)=\sum_{2^{n-3}\le k_1\le 3\times 2^{n-3}}\xi(2k_1,n).$$
Proof. Let $k=2k_1$. From Theorem 2.2, we know that $\forall k_1$, $2^{n-3}\le k_1\le 3\times 2^{n-3}$, there exists an n-bit ($n\ge 3$) SAC function f(x) such that $\omega(f(x))=2k_1$. Since the number of all n-bit SAC functions satisfying $\omega(f(x))=2k_1$ is denoted by $\xi(2k_1,n)$, the number of all n-bit SAC functions $\eta(n)$ can be expressed by the formula
$$\eta(n)=\sum_{2^{n-3}\le k_1\le 3\times 2^{n-3}}\xi(2k_1,n).$$
3 BOUNDS ON THE NUMBER OF SAC FUNCTIONS
There are $\eta(n)$ n-bit ($n\ge 3$) SAC functions in all $2^{2^n}$ Boolean functions. Define $L_n=\frac{\log_2\eta(n)}{2^n}$. In the following, we turn to discuss the bounds of $L_n$.
Theorem 3.1 The number $\eta(n)$ of all n-bit ($n\ge 3$) SAC functions is less than $2^{2^n-1}$.
Proof. It follows from Theorem 2.1 that $2^{n-2}\le\omega(f(x))\le 3\times 2^{n-2}$, and $\omega(f(x))$ is an even number. Hence
$$\eta(n)\le\binom{2^n}{2^{n-2}}+\binom{2^n}{2^{n-2}+2}+\cdots+\binom{2^n}{3\times 2^{n-2}-2}+\binom{2^n}{3\times 2^{n-2}}<\binom{2^n}{0}+\binom{2^n}{2}+\cdots+\binom{2^n}{2^n}=2^{2^n-1}.$$
Corollary 3.1 $L_n<1-\frac{1}{2^n}$ $(n\ge 3)$.
Proof. It follows from Theorem 3.1 that $\eta(n)\le 2^{2^n-1}$. Thus $L_n<\frac{\log_2 2^{2^n-1}}{2^n}=1-\frac{1}{2^n}$.
Theorem 3.2 We can explicitly construct $2\times\binom{2^{n-1}}{2^{n-2}}$ n-bit ($n\ge 3$) SAC functions satisfying $\omega(f(x))=2^{n-2}$, i.e. $\xi(2^{n-2},n)\ge 2\times\binom{2^{n-1}}{2^{n-2}}$.
Proof. Suppose that n is an even number. Since f(x) is a SAC function and $\omega(f(x))=2^{n-2}$, we can select $2^{n-2}$ vectors from $V_0\cup V_2\cup\cdots\cup V_{n-2}\cup V_n$ or $V_1\cup V_3\cup\cdots\cup V_{n-3}\cup V_{n-1}$ to construct a set, denoted as $X_0$. The number of different selections is $2\times\binom{2^{n-1}}{2^{n-2}}$.
Let
$$f(x)=\begin{cases}1, & x\in X_0\\ 0, & \text{otherwise}\end{cases}$$
then f(x) is a SAC function and $\omega(f(x))=2^{n-2}$.
Hence $\xi(2^{n-2},n)\ge 2\times\binom{2^{n-1}}{2^{n-2}}$.
Corollary 3.2 We can explicitly construct $2\times\binom{2^{n-1}}{2^{n-2}}$ n-bit ($n\ge 3$) SAC functions satisfying $\omega(f(x))=3\times 2^{n-2}$, i.e. $\xi(3\times 2^{n-2},n)\ge 2\times\binom{2^{n-1}}{2^{n-2}}$.
Proof. Suppose that f(x) is a SAC function and $\omega(f(x))=3\times 2^{n-2}$. Let f(x)=1-g(x), then g(x) is a SAC function and $\omega(g(x))=2^{n-2}$. By Theorem 3.2, we can construct $2\times\binom{2^{n-1}}{2^{n-2}}$ n-bit SAC functions g(x). Hence $\xi(3\times 2^{n-2},n)\ge 2\times\binom{2^{n-1}}{2^{n-2}}$.
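Theorem 3.3 If $n\ge 3$, then
$$L_n>\frac{\log_2\left(4\times\binom{2^{n-1}}{2^{n-2}}\right)}{2^n}\to\frac{1}{2}\quad(n\to\infty).$$
Proof. It follows from Theorem 3.2 and Corollary 3.2 that $\eta(n)\ge 4\times\binom{2^{n-1}}{2^{n-2}}$.
By means of Stirling's formula $n!\sim\sqrt{2\pi n}\left(\frac{n}{e}\right)^n$ $(n\to\infty)$, it can be inferred that
$$\binom{2^{n-1}}{2^{n-2}}=\frac{(2^{n-1})!}{(2^{n-2})!\,(2^{n-2})!}\sim\frac{\sqrt{2\pi 2^{n-1}}\left(\frac{2^{n-1}}{e}\right)^{2^{n-1}}}{\left(\sqrt{2\pi 2^{n-2}}\left(\frac{2^{n-2}}{e}\right)^{2^{n-2}}\right)^2}=\frac{1}{\sqrt{\pi}}\,2^{2^{n-1}-\frac{n}{2}+1}\quad(n\to\infty).$$
Hence
$$\frac{\log_2\left(4\times\binom{2^{n-1}}{2^{n-2}}\right)}{2^n}\sim\frac{\log_2\left(\frac{1}{\sqrt{\pi}}\,2^{2^{n-1}-\frac{n}{2}+3}\right)}{2^n}=\frac{1}{2}+\frac{3-\frac{n}{2}-\frac{1}{2}\log_2\pi}{2^n}\to\frac{1}{2}\quad(n\to\infty).$$
Therefore
$$L_n>\frac{\log_2\left(4\times\binom{2^{n-1}}{2^{n-2}}\right)}{2^n}\to\frac{1}{2}\quad(n\to\infty).$$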
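The constructions in the proofs of Theorem 2.2 (cases (i) and (ii), n even) and Theorem 3.2, together with the weight decomposition of Theorem 2.3, can be checked by machine for small n. The following is an added example, not code from the paper; the function names and the encoding of f as an integer truth table (bit x holds f(x)) are assumptions of the example.

```python
from itertools import combinations

def weight(v):
    """Hamming weight of an integer (a vector x or a truth table)."""
    return bin(v).count("1")

def masks(n):
    """For each i, truth-table mask of the inputs x whose bit i is 0."""
    return [sum(1 << x for x in range(1 << n) if not x >> i & 1) for i in range(n)]

def is_sac(tt, n, lo=None):
    """tt has bit x equal to f(x); SAC iff w(f(x)+f(x+c)) = 2^(n-1) for all w(c)=1."""
    lo = lo or masks(n)
    for i in range(n):
        c = 1 << i
        shifted = ((tt & lo[i]) << c) | ((tt >> c) & lo[i])  # table of f(x+c)
        if weight(tt ^ shifted) != 1 << (n - 1):
            return False
    return True

def table(support):
    return sum(1 << x for x in support)

def construct(n, case):
    """Cases (i) and (ii) in the proof of Theorem 2.2 (n even), first vectors chosen."""
    by_w = lambda ws: [x for x in range(1 << n) if weight(x) in ws]
    if case == "i":    # X_0: 2^(n-2) even-weight vectors, k = 2^(n-2)
        return table(by_w(range(0, n + 1, 2))[: 1 << (n - 2)])
    # (ii): V_0, V_1 and X_1 = 2^(n-2)-n+1 vectors of odd weight >= 3, k = 2^(n-2)+2
    x1 = by_w(range(3, n, 2))[: (1 << (n - 2)) - n + 1]
    return table(by_w((0, 1)) + x1)

def theorem_3_2_family(n):
    """Every choice of 2^(n-2) vectors inside one parity class (Theorem 3.2)."""
    fam = []
    for parity in (0, 1):
        cls = [x for x in range(1 << n) if weight(x) % 2 == parity]
        fam += [table(s) for s in combinations(cls, 1 << (n - 2))]
    return fam

def sac_weight_histogram(n):
    """Exhaustive {k: xi(k, n)}; feasible for n <= 4 (2^(2^n) truth tables)."""
    lo, hist = masks(n), {}
    for tt in range(1 << (1 << n)):
        if is_sac(tt, n, lo):
            hist[weight(tt)] = hist.get(weight(tt), 0) + 1
    return hist

if __name__ == "__main__":
    hist = sac_weight_histogram(4)
    print(sorted(hist.items()), sum(hist.values()), len(theorem_3_2_family(4)))
```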
4 CONCLUSION
In this paper, the properties of SAC functions are studied. For every $k_1$ with $2^{n-3}\le k_1\le 3\times 2^{n-3}$, we provide a new method to construct SAC functions satisfying $\omega(f(x))=2k_1$. Then a formula to compute the number of all n-bit ($n\ge 3$) SAC functions is given as
$$\eta(n)=\sum_{2^{n-3}\le k_1\le 3\times 2^{n-3}}\xi(2k_1,n).$$
Based on this formula, bounds of $L_n$ are obtained. However, as n increases, it is very complicated and difficult to enumerate $\xi(2k_1,n)$, the number of n-bit SAC functions satisfying $\omega(f(x))=2k_1$, which remains an open problem to be solved.
5 ACKNOWLEDGEMENTS
I would like to express my gratitude to all those who helped me during the writing of this thesis. This work is supported by the National Natural Science Foundation of China (Grant Nos. 11171200, 61562030), Youth Natural Science Foundation of Jiangxi Province (Grant Nos. 20144BAB2020002).
REFERENCES
[1] Webster, A.F. & Tavares, S.E. 1986. On the design of S-boxes. Advances in Cryptology, CRYPTO'85, Lecture Notes in Computer Science 218: 523-534.
[2] Forre, R. 1990. The strict avalanche criterion: Spectral properties of Boolean functions and an extended definition. Advances in Cryptology, CRYPTO'88, Lecture Notes in Computer Science 403: 450-468.
[3] Cusick, T.W. 1996. Bounds on the number of functions satisfying the Strict Avalanche Criterion. Information Processing Letters 57: 261-263.
[4] Qiaoyan, W. & Xinyi, N. 2000. Boolean function in modern cryptology. Beijing: Science Press.
[5] Cusick, T.W. 1994. Boolean functions satisfying a higher order strict avalanche criterion. Advances in Cryptology, Eurocrypt'93, Lecture Notes in Computer Science 765: 102-117.
[6] Lloyd, S. 1990. Counting functions satisfying a higher order strict avalanche criterion. Advances in Cryptology, Eurocrypt'89, Lecture Notes in Computer Science 434: 63-74.
[7] Lloyd, S. 1992. Characterising and counting functions satisfying the strict avalanche criterion of order (n-3). Cryptography and Coding II: 165-172.
[8] Lloyd, S. 1992. Counting binary functions with certain cryptographic properties. J. Cryptology 5: 107-131.
[9] O'Connor, L. 1994. An upper bound on the number of functions satisfying the Strict Avalanche Criterion. Information Processing Letters 52: 325-327.