Improved Cost Function in the Design of Boolean Functions Satisfying Multiple Criteria

Selçuk Kavut and Melek D. Yücel Department of Electrical and Electronics Engineering Middle East Technical University-ODTÜ, 06531 Ankara, Türkiye {kavut, melekdy}@metu.edu.tr

Abstract. We develop an improved cost function to be used in simulated annealing followed by hill-climbing to find Boolean functions satisfying multiple desirable criteria such as high nonlinearity, low autocorrelation, balancedness, and high algebraic degree. Using this cost function that does not necessitate experimental search for parameter tuning, the annealing-based algorithm reaches the desired function profiles more rapidly. Some Boolean functions of eight and nine variables have been found, which are unattained in the computer search based literature, in terms of joint optimization of nonlinearity and autocorrelation. Global characteristics of eight-variable Boolean functions generated by algebraic construction or computer search are compared with respect to the sum-of-squared-errors in their squared spectra, which is also proportional to the sum-of-squared-errors in their autocorrelation function, the term ‘error’ denoting the deviation from bent function characteristics. Preliminary results consisting of cryptographically strong Boolean functions of nine, ten and eleven variables obtained using a three-stage optimization technique are also presented.

Keywords: Simulated annealing, bent Boolean functions, nonlinearity, Walsh-Hadamard transforms, autocorrelation.

1 Introduction

In cryptographic applications, Boolean functions are required to satisfy various criteria, mainly high nonlinearity and low autocorrelation, to resist linear cryptanalysis and differential cryptanalysis particularly. Constructing Boolean functions with desirable cryptographic properties has received a lot of attention in the literature [1, 5, 8-10, 18]. Some search techniques such as random search, hill-climbing, genetic algorithms, and hybrid approach have been investigated [11-13]; however, these techniques seem to be insufficient in designing “near-the best” Boolean functions. Recently, Clark et al have proposed [2-4] the use of simulated annealing, a heuristic optimization technique based on annealing process for metals, for finding Boolean functions with good cryptographic properties. The results obtained are promising; therefore, in this study, we investigate this optimization method in detail. We develop an improved cost function, which does not necessitate experimental search for parameter tuning, to be used by the simulated annealing process. The optimization algorithm works fast, since Boolean functions with desired characteristics are encountered more frequently and one does not have to tune parameters for each different number of variables as in [2-4].

Defining the ‘profile’ as the (input length ‘n’, nonlinearity ‘nl’, autocorrelation coefficient with maximum magnitude ‘ac’, degree ‘d’), we have encountered a balanced Boolean function profile (n, nl, ac, d) = (8, 114, 16, 7), in which the bold entries are particularly significant. Such low autocorrelation and high nonlinearity have not appeared together for the same Boolean function [2-4, 11-13] in the related literature. For an input length of 9, we have obtained a balanced function with profile (9, 234, 32, 8), where the maximum autocorrelation magnitude, 32, is equal to that of the construction in [9] and lowest possible value for n=9 according to some conjectured bounds for autocorrelation [18]. Table 1 given below compares Clark et al’s best achieved results with ours. After the preliminaries given in the next section, we compare in Table 2, the results of computer search based approaches ([2-4] and ours) with some algebraic constructions [1, 10, 16, 18] of balanced Boolean functions, for n=8.

Table 1. Comparison of the best achieved computer search results for (nl, ac, d)

(nl, ac, d) for    Clark et al. [2-4]             Ours
n=8                (116, 24, 7), (112, 16, 5)     (116, 24, 7), (114, 16, 7)
n=9                (238, 40, 8)                   (238, 40, 8), (234, 32, 8), (236, 32, 8)*
n=10               (486, 72, 9), (484, 56, 9)     (486, 56, 9)*
n=11               (984, 96, 9), (982, 88, 10)    (984, 80, 10)*

* These Boolean functions are obtained using the three-stage method described as a future work in Section 6.

2 Preliminaries

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function that maps each possible combination of n-bit variables to a single bit.

Balancedness. If the number of 0’s is equal to the number of 1’s in the truth table, then the Boolean function f(x) is said to be balanced.

Affine and Linear Functions. A Boolean function f(x) is called an affine function of $x = (x_1, x_2, \dots, x_n) \in \mathbb{F}_2^n$, if it is in the form

$$f(x) = a_1 \otimes x_1 \oplus a_2 \otimes x_2 \oplus \dots \oplus a_n \otimes x_n \oplus c = w \cdot x \oplus c, \tag{1}$$

where $a_1, \dots, a_n, c \in \mathbb{F}_2$, $w = (a_1, \dots, a_n) \in \mathbb{F}_2^n$, and $\oplus$, $\otimes$, $\cdot$ respectively denote addition, multiplication and inner product operations in $\mathbb{F}_2$. f(x) is called linear if c=0.

Walsh-Hadamard Transform. For a function f, the Walsh-Hadamard transform (or spectrum) is defined as

$$F(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{w \cdot x}. \tag{2}$$

We denote the maximum absolute value by $WH_f = \max_{w \in \mathbb{F}_2^n} |F(w)|$, which is closely related to the nonlinearity of f(x).

Nonlinearity Measure. The nonlinearity of a Boolean function is defined as the minimum distance to the set of affine functions, and can be expressed as

$$nl_f = (2^n - WH_f) / 2. \tag{3}$$

Parseval’s Theorem. It states that the sum of squared F(w) values, over all $w \in \mathbb{F}_2^n$, is constant and equal to $2^{2n}$, which has motivated the derivation of the cost functions in [2-4]:

$$\sum_{w \in \mathbb{F}_2^n} (F(w))^2 = 2^{2n}. \tag{4}$$

For bent Boolean functions [15], the squared spectrum is flat, so $(F(w))^2 = 2^n$ for all values of w.

Autocorrelation Function. The autocorrelation function of a Boolean function is given by

$$r_f(d) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)} (-1)^{f(x \oplus d)}. \tag{5}$$

The maximum absolute value that we denote by $ac_f = \max_{d \neq 0 \in \mathbb{F}_2^n} |r_f(d)|$ is also known as the absolute indicator [18]. Another measure related to the autocorrelation function is commonly called the sum-of-squares indicator [18], given by the sum $\sum_{d \in \mathbb{F}_2^n} (r_f(d))^2$. We prefer to use the sum-of-squared-errors ($SSE_f$), $\sum_{d \neq 0 \in \mathbb{F}_2^n} (r_f(d))^2$, instead of the sum-of-squares indicator, since $SSE_f$ is proportional to the sum of squared spectrum deviations [17] from that of the bent functions, that is

$$\sum_{d \neq 0 \in \mathbb{F}_2^n} (r_f(d))^2 = 2^{-n} \sum_{w \in \mathbb{F}_2^n} \left[ (F(w))^2 - 2^n \right]^2. \tag{6}$$

If f is affine, the sum (6) of squared autocorrelation errors, i.e., the autocorrelation deviations from the autocorrelation of bent functions, is maximum and equal to $2^{3n} - 2^{2n}$. Hence, dividing (6) by $2^{3n} - 2^{2n}$, one obtains the useful measure of mean squared error ($MSE_f$), which takes rational values in the interval [0,1]. The mean squared error percentage $100MSE_f$ of the Boolean function f shows the percentage of total squared deviations of its autocorrelation function $r_f(d)$ and squared spectrum $F^2(w)$ respectively, from the autocorrelation and the squared spectrum of bent functions [17].

Algebraic Degree. The algebraic degree d or simply degree of f is defined as the degree of its algebraic normal form.

Table 2. Comparison for 8-variable functions obtained either by algebraic construction or computer search. Columns: nonlinearity $nl_f$; absolute indicator $ac_f = \max_{d \neq 0} |r_f(d)|$; sum-of-squared-errors $SSE_f = \sum_{\text{all } d \neq 0} r_f^2(d)$; mean squared error percentage $100MSE_f = \sum_{\text{all } d \neq 0} r_f^2(d) / 167116.8$.

Function f                           nl_f     ac_f     SSE_f       100MSE_f
Affine                               0        256      16711680    100 %
Stanica, Sung [16]                   112      256      196608      1.176471 %
Canteaut et al [1], example 2, f1    112      256      172032      1.029412 %
Canteaut et al [1], example 2, f2    112      256      196608      1.176471 %
Maitra [10]                          116      128      55296       0.330882 %
Zhang, Zheng [18], Theorem 16        ≥ 112    ≤ 32     24576       0.147059 %
Ours                                 114      16       23424       0.140165 %
Ours and Clark’s [2-4]               116      24       21120       0.126378 %
Bent                                 120      0        0           0 %

In Table 2, we compare the computer search based approaches in [2-4] and our results, with balanced Boolean function constructions [1, 10, 16, 18], for n=8. We also include the affine and the bent (so unbalanced) functions as reference. The constructions in [1, 10, 16, 18] satisfy the SAC or can be made to satisfy the SAC by a change of basis, which is possible for most of our results as well. The functions are ranked in descending order of the sum-of-squared-errors and $100MSE_f$, shown in the last two columns of Table 2, respectively. Notice that the sum-of-squared-errors $SSE_f$ does not contain the extra and unnecessary constant $(r_f(0))^2 = 2^{2n}$ (which equals 65536 for n=8); therefore, the comparison of different functions can be done on a much fairer basis.

In terms of the absolute indicator $ac_f$ and the sum-of-squared-errors $SSE_f$ given by (6), search based approaches seem to yield better results than theoretical constructions for n=8, yet it is not clear that they can be as successful for higher values of n. For instance, for n=9, the construction in Theorem 17 of [18] yields (nl, ac) values equal to (240, 32) (which have not yet been encountered by any search based algorithm) and quite a small percentage of mean squared error ($100MSE_f$ = 0.195695%). The same (nl, ac) values of (240, 32) are also obtained by a different construction (Construction 0 and Theorem 9 of [9]). For odd values of n≥15, the construction in [10] is very promising and yields an extremely small ac value, equal to 0.635% of the maximum possible autocorrelation magnitude ($2^n$), in addition to a very small percentage of mean squared error, which is equal to $18.92/(2^n - 1)$% (so, for n=15, $100MSE_f$ = 0.000577%).
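The quantities defined in (2)-(6) can be computed directly from a truth table. The following is an added example, not code from the paper; the function names and the two sample functions (an affine function and a quadratic bent function, both constructed here) are assumptions, chosen so that the output can be checked against the Affine and Bent rows of Table 2.

```python
# Added example (not from the paper): profile (nl, ac, SSE, 100MSE, d) of a truth table.
def walsh_hadamard(tt):
    """Spectrum F(w) of eq. (2), computed with the fast butterfly."""
    F = [1 - 2 * b for b in tt]                      # (-1)^f(x)
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def autocorrelation(tt):
    """r_f(d) of eq. (5), computed directly from the definition."""
    s = [1 - 2 * b for b in tt]
    return [sum(s[x] * s[x ^ d] for x in range(len(tt))) for d in range(len(tt))]

def degree(tt):
    """Algebraic degree: Moebius transform to the ANF, then largest monomial weight."""
    a, h = list(tt), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(m).count("1") for m, c in enumerate(a) if c), default=0)

def profile(tt):
    size = len(tt)                                   # 2^n
    F, r = walsh_hadamard(tt), autocorrelation(tt)
    sse = sum(v * v for v in r[1:])                  # left side of (6), d != 0
    assert sse == sum((v * v - size) ** 2 for v in F) // size   # right side of (6)
    assert sum(v * v for v in F) == size * size      # Parseval, eq. (4)
    return {"balanced": 2 * sum(tt) == size,
            "nl": (size - max(abs(v) for v in F)) // 2,         # eq. (3)
            "ac": max(abs(v) for v in r[1:]),
            "sse": sse,
            "mse_pct": 100 * sse / (size ** 3 - size ** 2),
            "d": degree(tt)}

N = 8
# Constructed inputs: affine w.x + 1 with an arbitrary w, and bent x1x2+x3x4+x5x6+x7x8.
affine = [bin(x & 0b10110101).count("1") & 1 ^ 1 for x in range(1 << N)]
bent = [bin(x & (x >> 1) & 0b01010101).count("1") & 1 for x in range(1 << N)]

for name, tt in (("affine", affine), ("bent", bent)):
    print(name, profile(tt))
```

The direct autocorrelation costs $2^{2n}$ operations, which is fine for n=8; inside a search loop one would instead apply the same butterfly to the squared spectrum and divide by $2^n$.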

3 Two-Stage Optimization

Clark et al employ [2-4] a two-stage optimization method, which basically consists of an annealing-based search followed by hill-climbing. As the first stage of the optimization, simulated annealing process [7] starts at some initial state (S = S0) and initial temperature (T = T0), and carries out a certain number of moves (Moves in Inner Loop: MIL) at each temperature (see Fig.1 taken from [3] adding the common stopping criterion). As the initial state, one selects a balanced function randomly, then disturbs the function just by complementing two randomly chosen bits to maintain the balancedness, and compares the cost for the disturbed function to that of the original.

    T = T0
    IC = 0
    MFC = 0
    Generate f (x) randomly: S0
    while ( MFC
