International Journal of Computational and Applied Mathematics. ISSN 0973-1768 Volume 1, Number (2017), pp. 195-205
Research India Publications
http://www.ripublication.com/ijcam.htm

Higher order nonlinearity of some cryptographic functions

Deep Singh¹ and Amit Paul
Department of Mathematics, Central University of Jammu, Samba, India.

Abstract

The security of various cryptosystems is strongly related to the higher order nonlinearity of cryptographic functions. This paper investigates some cryptographic functions with good 2nd and 4th order nonlinearities. Firstly, we tighten the lower bounds on the 2nd order nonlinearity of the function $\varphi_\lambda(u) = Tr_1^n(\lambda u^p)$ with $p = 2^{2s} + 2^s + 1$, $\lambda \in \mathbb{F}_{2^s}^*$ and $n = 7s$. Further, we give lower bounds for the 4th order nonlinearity of 10-variable partial spreads: $\varphi(u) = Tr_1^{10}(\lambda u^{2^{10/2}-1})$, $\lambda \in \mathbb{F}_{2^{10}}^*$.

AMS subject classification:

Keywords: Boolean functions, higher-order nonlinearity, trace functions, Kasami functions, Walsh-Hadamard transform.

1. Introduction

Boolean functions are considered to be the building blocks in the design of several symmetric key cryptosystems. Let $\varphi : \mathbb{F}_{2^n} \to \mathbb{F}_2$ be a Boolean function on $n$ unknowns. The $r$th order nonlinearity $nl_r(\varphi)$, $0 < r \le n$, of $\varphi$ is the minimum Hamming distance of $\varphi$ from the functions of degree $r$ (when $r = 1$, it becomes $nl(\varphi)$, the first order nonlinearity). The collection of the different values of $nl_r(\varphi)$ for $1 \le r \le n-1$ is the nonlinearity profile of $\varphi$. The $r$th order nonlinearity $nl_r(\varphi)$ is a natural generalization of the first order nonlinearity of $\varphi$, which is important for the prevention of affine approximation attacks [1, 12, 13]. The best upper bound on $nl_r(\varphi)$ in [6] is asymptotically equivalent to

$$nl_r(\varphi) = 2^{n-1} - \frac{\sqrt{15}}{2}\,(1+\sqrt{2})^{r-2}\, 2^{n/2} + O(n^{r-2}).$$

¹ Corresponding author
For the $r$th order nonlinearity ($r > 1$) of Boolean functions, we do not have an algorithm, unlike for the first order nonlinearity. The best algorithm, presented in [8], works for the case $r = 2$ for $n \le 11$, and up to $n = 13$ for some functions. Cryptographers feel that there is a need to obtain theoretical bounds on the higher order nonlinearities of Boolean functions which are satisfied for all values of $n$. The $r$th order bent functions with lower bound $2^{n-r-3}(r+5)$ are presented in [13]. Carlet et al. [5] in 2006 derived lower bounds on the $r$th order nonlinearities of Boolean functions by means of algebraic immunity; the bounds were further improved by Carlet [3]. In [4], Carlet presented a recursive approach for the $r$th order nonlinearity. He obtained lower bounds on the nonlinearity profiles of the Kasami functions, Welch functions and inverse functions. Using Carlet's recursive approach, various authors [11, 14, 18, 20] have obtained bounds on the second order nonlinearities of some functions.

In this article, we deduce lower bounds on the 2nd order nonlinearity of the functions $\varphi_\lambda(u) = Tr_1^n(\lambda u^p)$ with $p = 2^{2s} + 2^s + 1$, $\lambda \in \mathbb{F}_{2^s}^*$ and $n = 7s$. Further, we obtain lower bounds on the 4th order nonlinearity of 10-variable monomial partial spreads: $\varphi(u) = Tr_1^{10}(\lambda u^{2^{10/2}-1})$, $\lambda \in \mathbb{F}_{2^{10}}^*$.

2. Preliminaries

Let $\mathbb{F}_{2^n}$ be the degree $n$ extension field of $\mathbb{F}_2$. The set of all units of $\mathbb{F}_{2^n}$ is denoted by $\mathbb{F}_{2^n}^*$. A function $\varphi : \mathbb{F}_{2^n} \to \mathbb{F}_2$ is called an $n$-variable Boolean function. Suppose $B_n$ is the collection of all such Boolean functions, so that the cardinality is $|B_n| = 2^{2^n}$. The support of $\varphi \in B_n$ is defined as $supp(\varphi) = \{u \in \mathbb{F}_{2^n} : \varphi(u) = 1\}$. The Hamming weight of $\varphi \in B_n$ is defined as $wt(\varphi) = |supp(\varphi)|$. The Hamming distance between two Boolean functions $h, \kappa \in B_n$ is $d(h, \kappa) = |\{\alpha \in \mathbb{F}_{2^n} : h(\alpha) \ne \kappa(\alpha)\}|$. The algebraic normal form of $\varphi \in B_n$ is

$$\varphi(u_1, u_2, \ldots, u_n) = \sum_{J \subseteq \{1,2,\ldots,n\}} \alpha_J \prod_{j \in J} u_j,$$

where $\alpha_J \in \mathbb{F}_2$ and the terms $\prod_{j \in J} u_j$ are monomials. The maximum degree of the monomials with nonzero coefficient is the algebraic degree of $\varphi$.
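For any subfield $\mathbb{F}_{2^t}$ of $\mathbb{F}_{2^n}$ (obviously $t \mid n$), the function $Tr_t^n : \mathbb{F}_{2^n} \to \mathbb{F}_{2^t}$ defined by

$$Tr_t^n(u) = u + u^{2^t} + u^{2^{2t}} + \cdots + u^{2^{(n/t-1)t}}$$

is called a trace function. For $t = 1$, $Tr_1^n(u) = u + u^2 + u^{2^2} + \cdots + u^{2^{n-1}}$ is the absolute trace function.

The derivative of $\varphi \in B_n$ along $\alpha \in \mathbb{F}_{2^n}$ is given by $D_\alpha \varphi(u) = \varphi(u) + \varphi(u + \alpha)$ for all $u \in \mathbb{F}_{2^n}$. If $W = \langle v_1, \ldots, v_m \rangle$ is a $t$-dimensional subspace of $\mathbb{F}_{2^n}$, then $D_W \varphi(u) = D_{v_1} \cdots D_{v_m} \varphi(u)$, for all $u \in \mathbb{F}_{2^n}$, is the $t$-th order derivative of $\varphi$ along $W$.

The Walsh-Hadamard Transform of $\varphi \in B_n$ is defined as

$$W_\varphi(\alpha) = \sum_{u \in \mathbb{F}_{2^n}} (-1)^{\varphi(u) + Tr_1^n(\alpha u)}, \quad \alpha \in \mathbb{F}_{2^n}.$$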
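The sequence of Walsh coefficients of $\varphi$ is the Walsh-Hadamard spectrum (WHS) of $\varphi$. The minimum Hamming distance of $\varphi \in B_n$ from the affine functions is the nonlinearity of $\varphi$, given as

$$nl(\varphi) = 2^{n-1} - \frac{1}{2} \max_{\alpha \in \mathbb{F}_{2^n}} |W_\varphi(\alpha)|.$$

Parseval's identity $\sum_{\alpha \in \mathbb{F}_{2^n}} W_\varphi(\alpha)^2 = 2^{2n}$ implies that $nl(\varphi) \le 2^{n-1} - 2^{n/2-1}$. A function with the maximum possible nonlinearity is called a bent function [17] and exists only for even $n$. Rothaus [17] in 1976 proved that for even $n$ the maximum possible nonlinearity of $n$-variable Boolean functions is $2^{n-1} - 2^{n/2-1}$.

Let $W$ be a vector space of dimension $n$ over $\mathbb{F}_q$, a field of characteristic 2. A map $Q : W \to \mathbb{F}_q$ is a quadratic form on $W$ if

1. $Q(mu) = m^2 Q(u)$ for all $m \in \mathbb{F}_q$, $u \in W$.
2. $B(u, v) = Q(u) + Q(v) + Q(0) + Q(u + v)$ is bilinear on $W$.

The kernel of $B(u, v)$, denoted by $E_Q$, is a subspace of $W$ and is defined as $E_Q = \{u \in W : B(u, v) = 0 \ \forall v \in W\}$.

Lemma 2.1. [2] Suppose $W$ is a vector space of dimension $n$ over $\mathbb{F}_q$, a field of characteristic 2. For a quadratic form $Q$ on $W$, the dimension of $W$ and the dimension of the kernel of $B(u, v)$ have the same parity.

Lemma 2.2. [2] Suppose $\varphi \in B_n$ is quadratic. The kernel $E_\varphi$ is $E_\varphi = \{\alpha \in \mathbb{F}_{2^n} : D_\alpha \varphi = \text{constant}\}$.

Lemma 2.3. [16] If $\varphi \in B_n$ is quadratic, then the WHT of $\varphi$ is only linked with the kernel of $\varphi$.

Lemma 2.4. [4] Suppose $r < n$ and $\varphi \in B_n$, then

$$nl_r(\varphi) \ge \frac{1}{2} \max_{\alpha \in \mathbb{F}_{2^n}} nl_{r-1}(D_\alpha \varphi).$$

Lemma 2.5. [4] Suppose $r < n$ and $\varphi \in B_n$, then

$$nl_r(\varphi) \ge 2^{n-1} - \frac{1}{2}\sqrt{2^{2n} - 2\sum_{\alpha \in \mathbb{F}_{2^n}} nl_{r-1}(D_\alpha \varphi)}.$$

In terms of higher-order derivatives, for every positive integer $l < r$,

$$nl_r(\varphi) \ge 2^{n-1} - \frac{1}{2}\sqrt{\sum_{\alpha_1 \in \mathbb{F}_{2^n}} \sqrt{\sum_{\alpha_2 \in \mathbb{F}_{2^n}} \cdots \sqrt{2^{2n} - 2\sum_{\alpha_l \in \mathbb{F}_{2^n}} nl_{r-l}(D_{\alpha_1} \cdots D_{\alpha_l} \varphi)}}}.$$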
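Lemma 2.6. [4] Suppose $r < n$ and $\varphi \in B_n$. Also suppose that for some nonnegative integers $L$ and $\theta$, and for $0 \ne \alpha \in \mathbb{F}_{2^n}$, we have

$$nl_{r-1}(D_\alpha \varphi) \ge 2^{n-1} - L\,2^{\theta}. \qquad (2.1)$$

Then

$$nl_r(\varphi) \ge 2^{n-1} - \frac{1}{2}\sqrt{(2^n - 1)L\,2^{\theta+1} + 2^n} \approx 2^{n-1} - \sqrt{L}\,2^{(n+\theta-1)/2}. \qquad (2.2)$$

3. Main results

This section presents lower bounds on the higher order nonlinearities of some cryptographic functions. First, we provide bounds on 2nd order nonlinearities; further, in Subsection 3.1, we discuss 4th order nonlinearities.

Theorem 3.1. Let $\varphi_\lambda(u) = Tr_1^n(\lambda u^p)$ with $p = 2^{2s} + 2^s + 1$, $n = 7s$, $\lambda \in \mathbb{F}_{2^s}^*$. Then the dimension of the kernel of the bilinear form of $D_\alpha(\varphi_\lambda(u))$ is either $s$ or $5s$.

Proof. The derivative $D_\alpha(\varphi_\lambda(u))$ with respect to $\alpha \in \mathbb{F}_{2^n}^*$ is

$$\begin{aligned}
D_\alpha \varphi_\lambda(u) &= \varphi_\lambda(u + \alpha) + \varphi_\lambda(u) \\
&= Tr_1^n(\lambda (u + \alpha)^{2^{2s}+2^s+1}) + Tr_1^n(\lambda u^{2^{2s}+2^s+1}) \\
&= Tr_1^n(\lambda(\alpha u^{2^{2s}+2^s} + \alpha^{2^s} u^{2^{2s}+1} + \alpha^{2^{2s}} u^{2^s+1} + \alpha^{2^s+1} u^{2^{2s}} \\
&\qquad + \alpha^{2^{2s}+1} u^{2^s} + \alpha^{2^{2s}+2^s} u + \alpha^{2^{2s}+2^s+1})),
\end{aligned}$$

which is quadratic. The WHS of $D_\alpha \varphi_\lambda(u)$ is equivalent to that of $g_\lambda(u)$, where $g_\lambda(u)$ is obtained by eliminating the linear and constant terms in $D_\alpha \varphi_\lambda(u)$ as

$$g_\lambda(u) = Tr_1^n(\lambda(\alpha u^{2^{2s}+2^s} + \alpha^{2^s} u^{2^{2s}+1} + \alpha^{2^{2s}} u^{2^s+1})).$$

$g_\lambda(u)$ can also be written as

$$g_\lambda(u) = Tr_1^n(\lambda \alpha^{2^s} u^{2^{2s}+1} + (\lambda^{2^{6s}} \alpha^{2^{6s}} + \lambda \alpha^{2^{2s}}) u^{2^s+1}).$$

Since $2^{2s} + 1$ and $2^s + 1$ do not belong to the same cyclotomic coset, $g_\lambda(u) \ne 0$ for any $\alpha \in \mathbb{F}_{2^n}^*$. Since $g_\lambda(u)$ is a quadratic function, in view of Lemmas 2.2 and 2.3 we collect all those $\beta$'s for which $D_\beta(g_\lambda(u))$ is constant. Now,

$$\begin{aligned}
D_\beta(g_\lambda(u)) &= g_\lambda(u + \beta) + g_\lambda(u) \\
&= Tr_1^n(\lambda(\alpha (u+\beta)^{2^{2s}+2^s} + \alpha^{2^s} (u+\beta)^{2^{2s}+1} + \alpha^{2^{2s}} (u+\beta)^{2^s+1})) \\
&\quad + Tr_1^n(\lambda(\alpha u^{2^{2s}+2^s} + \alpha^{2^s} u^{2^{2s}+1} + \alpha^{2^{2s}} u^{2^s+1})) \\
&= Tr_1^n(\lambda((\alpha\beta^{2^s} + \alpha^{2^s}\beta) u^{2^{2s}} + (\alpha\beta^{2^{2s}} + \alpha^{2^{2s}}\beta) u^{2^s} + (\alpha^{2^s}\beta^{2^{2s}} + \alpha^{2^{2s}}\beta^{2^s}) u)) \\
&\quad + Tr_1^n(\lambda(\alpha\beta^{2^{2s}+2^s} + \alpha^{2^s}\beta^{2^{2s}+1} + \alpha^{2^{2s}}\beta^{2^s+1})).
\end{aligned}$$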
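Since $u, \alpha, \beta \in \mathbb{F}_{2^n}$ and $\lambda \in \mathbb{F}_{2^s}^*$, using $u^{2^n} = u$, $\alpha^{2^n} = \alpha$, $\beta^{2^n} = \beta$, $\lambda^{2^n} = \lambda$, we get

$$\begin{aligned}
D_\beta(g_\lambda(u)) &= Tr_1^n(\lambda u((\alpha^{2^{5s}} + \alpha^{2^s})\beta^{2^{6s}} + \alpha^{2^{6s}}\beta^{2^{5s}} + \alpha^{2^s}\beta^{2^{2s}} + (\alpha^{2^{6s}} + \alpha^{2^{2s}})\beta^{2^s})) \\
&\quad + Tr_1^n(\lambda(\alpha\beta^{2^{2s}+2^s} + \alpha^{2^s}\beta^{2^{2s}+1} + \alpha^{2^{2s}}\beta^{2^s+1})).
\end{aligned}$$

Clearly, $D_\beta(g_\lambda(u))$ is equal to a constant if and only if

$$(\alpha^{2^{5s}} + \alpha^{2^s})\beta^{2^{6s}} + \alpha^{2^{6s}}\beta^{2^{5s}} + \alpha^{2^s}\beta^{2^{2s}} + (\alpha^{2^{6s}} + \alpha^{2^{2s}})\beta^{2^s} = 0.$$

Raising to the $2^{-s}$-th power, we have

$$(\alpha^{2^{4s}} + \alpha)\beta^{2^{5s}} + \alpha^{2^{5s}}\beta^{2^{4s}} + \alpha\beta^{2^s} + (\alpha^{2^{5s}} + \alpha^{2^s})\beta = 0, \qquad (3.1)$$

which is a $2^s$-polynomial. The polynomial $L(x) = \sum_{i=0}^{n} a_i x^{q^i}$ with $a_i \in \mathbb{F}_{q^m}$, $m > 1$, is a $q$-polynomial over $\mathbb{F}_{q^m}$. Let

$$M(\beta) = (\alpha^{2^{4s}} + \alpha)\beta^{2^{5s}} + \alpha^{2^{5s}}\beta^{2^{4s}} + \alpha\beta^{2^s} + (\alpha^{2^{5s}} + \alpha^{2^s})\beta.$$

The dimension of the kernel of $M(\beta)$ is $lr$, $l = 0, 1, 4, 5$. Now, the quadratic form from $\mathbb{F}_{q^5}$ to $\mathbb{F}_q$ ($q = 2^s$) is

$$R(u) = Tr_E^L(\lambda(\alpha u^{2^{2s}+2^s} + \alpha^{2^s} u^{2^{2s}+1} + \alpha^{2^{2s}} u^{2^s+1})),$$

where $L = \mathbb{F}_{2^{7s}}$ and $E = \mathbb{F}_{2^s}$. The roots of $M(u)$ form the kernel of $R(u)$. In fact, the kernel of $R(u)$ is the collection of the $\beta$'s where $B(u) = 0$ for all $u$, with

$$B(u) = R(u) + R(\beta) + R(u + \beta).$$

Since $D_\beta(g_\lambda(u)) = Tr_{\mathbb{F}_2}^{E}(B(u))$, we get

$$B(u) = Tr_E^L(u\,M(\beta)).$$

Thus, $R(u)$ and $M(u)$ have the same kernel. According to Lemma 2.1, the dimension of the kernel of $R(u)$ is either 1 or 5, which implies that $M(u)$ has either $2^s$ or $2^{5s}$ roots. Hence the dimension of the kernel of the bilinear form of $D_\alpha(\varphi_\lambda(u))$ is either $s$ or $5s$.

Theorem 3.2. Let $\varphi_\lambda(u) = Tr_1^n(\lambda u^p)$ with $p = 2^{2s} + 2^s + 1$, $\lambda \in \mathbb{F}_{2^s}^*$ and $n = 7s$. Then

$$nl_2(\varphi_\lambda(u)) \ge 2^{7s-1} - 2^{2s-1}\sqrt{2^{s}(2^{6s} + 2^{3s} - 1)}.$$

Proof. From Theorem 3.1, the dimension $k$ of the kernel of the bilinear form of $D_\alpha(\varphi_\lambda(u))$ is either $s$ or $5s$. The nonlinearity of $D_\alpha(\varphi_\lambda(u))$, i.e., $nl(D_\alpha(\varphi_\lambda(u)))$, is either $2^{n-1} - \frac{1}{2} 2^{(n+s)/2}$ or $2^{n-1} - \frac{1}{2} 2^{(n+5s)/2}$. Therefore, we have

$$\max_{\alpha \in \mathbb{F}_{2^n}} nl(D_\alpha(\varphi_\lambda(u))) = 2^{n-1} - \frac{1}{2}\, 2^{(n+s)/2}.$$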
Now, Lemma 2.5 implies that

$$\begin{aligned}
nl_2(\varphi_\lambda(u)) &\ge 2^{n-1} - \frac{1}{2}\sqrt{2^{2n} - 2\sum_{\alpha \in \mathbb{F}_{2^n}} nl(D_\alpha \varphi_\lambda(u))} \\
&= 2^{7s-1} - \frac{1}{2}\sqrt{2^{14s} - 2(2^{7s} - 2^{s})(2^{7s-1} - 2^{4s-1})} \\
&= 2^{7s-1} - 2^{2s-1}\sqrt{2^{s}(2^{6s} + 2^{3s} - 1)}.
\end{aligned}$$

Hence the result.

Now, with the help of Lemma 2.6, we improve the above result in the following theorem.

Theorem 3.3. Let $\varphi_\lambda(u) = Tr_1^n(\lambda u^p)$ with $p = 2^{2s} + 2^s + 1$, $\lambda \in \mathbb{F}_{2^s}^*$ and $n = 7s$. Then

$$nl_2(\varphi_\lambda(u)) \ge 2^{7s-1} - 2^{(22s-4)/4}.$$

Proof. From Theorem 3.2, we have

$$\max_{\alpha \in \mathbb{F}_{2^n}} nl(D_\alpha(\varphi_\lambda(u))) = 2^{n-1} - \frac{1}{2}\, 2^{(n+s)/2}.$$

On comparing the above equation with equation (2.1), we get $L = 1$ and $\theta = \frac{n+s-2}{2}$. Thus, by (2.2), we obtain

$$nl_2(\varphi_\lambda(u)) \ge 2^{n-1} - 2^{(3n+s-4)/4} = 2^{7s-1} - 2^{(22s-4)/4}.$$

3.1. Lower bounds of 4th-order nonlinearity for monomial partial spread on 10-variables

The monomial functions of the form $f_\lambda(x) = Tr_1^n(\lambda x^{2^{n/2}-1})$, where $\lambda \in \mathbb{F}_{2^n}^*$, are called monomial partial spreads on $n$ variables. For some values of $\lambda$ these functions become PS type bent functions. For details we may refer to [2, 7]. Dillon [7] introduced an important class of Boolean functions called partial spreads. Suppose $f \in B_n$, $n = 2t$. Consider a set $\{H_i : i = 1, \ldots, M\}$ of subspaces of $\mathbb{F}_{2^n}$ of dimension $t$, with $H_i \cap H_j = \{0\}$ when $i \ne j$. The function $f$ with

$$supp(f) = \bigcup_{i=0}^{M} H_i$$

is called a partial spread (PS).
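In the following theorem, we obtain a lower bound for the 4th order nonlinearity of monomial partial spreads on 10 variables: $\varphi(u) = Tr_1^{10}(\lambda u^{2^{10/2}-1}) = Tr_1^n(\lambda u^{31})$.

Theorem 3.4. Let $\varphi(u) = Tr_1^{10}(\lambda u^{2^{10/2}-1})$, for all $u \in \mathbb{F}_{2^n}$ and $\lambda \in \mathbb{F}_{2^n}^*$. Then, we have $nl_4(\varphi_\lambda) \ge 43$.

Proof. The derivative $D_\alpha \varphi_\lambda$ of $\varphi_\lambda$ along $\alpha \in \mathbb{F}_{2^n}$ is

$$\begin{aligned}
D_\alpha \varphi_\lambda(u) &= \varphi_\lambda(u + \alpha) + \varphi_\lambda(u) \\
&= Tr_1^n(\lambda (u+\alpha)^{2^4+2^3+2^2+2+1}) + Tr_1^n(\lambda u^{2^4+2^3+2^2+2+1}) \\
&= Tr_1^n(\lambda(\alpha u^{2^4+2^3+2^2+2} + \alpha^{2^4} u^{2^3+2^2+2+1} + \alpha^{2^3} u^{2^4+2^2+2+1} + \alpha^{2^2} u^{2^4+2^3+2+1} \\
&\qquad + \alpha^{2} u^{2^4+2^3+2^2+1})) + c(u),
\end{aligned}$$

where $c(u)$ is a cubic function. The second derivative $D_\beta D_\alpha \varphi_\lambda$ of $\varphi_\lambda$ along $\beta \in \mathbb{F}_{2^n}$ ($\alpha \ne \beta$) is

$$\begin{aligned}
D_\beta D_\alpha \varphi_\lambda(u) &= \varphi_\lambda(u + \alpha + \beta) + \varphi_\lambda(u + \alpha) + \varphi_\lambda(u + \beta) + \varphi_\lambda(u) \\
&= Tr_1^n[\lambda((\alpha\beta^{2} + \beta\alpha^{2}) u^{2^4+2^3+2^2} + (\alpha\beta^{2^4} + \beta\alpha^{2^4}) u^{2^3+2^2+2} \\
&\qquad + (\alpha\beta^{2^3} + \beta\alpha^{2^3}) u^{2^4+2^2+2} + (\alpha\beta^{2^2} + \beta\alpha^{2^2}) u^{2^4+2^3+2} \\
&\qquad + (\alpha^{2}\beta^{2^2} + \alpha^{2^2}\beta^{2}) u^{2^4+2^3+1} + (\alpha^{2^3}\beta^{2} + \alpha^{2}\beta^{2^3}) u^{2^4+2^2+1} \\
&\qquad + (\alpha^{2^3}\beta^{2^2} + \alpha^{2^2}\beta^{2^3}) u^{2^4+2+1} + (\alpha^{2^4}\beta^{2} + \alpha^{2}\beta^{2^4}) u^{2^3+2^2+1} \\
&\qquad + (\alpha^{2^4}\beta^{2^2} + \alpha^{2^2}\beta^{2^4}) u^{2^3+2+1} + (\alpha^{2^4}\beta^{2^3} + \alpha^{2^3}\beta^{2^4}) u^{2^2+2+1})] + q(u),
\end{aligned}$$

where $q(u)$ is a quadratic function. The third derivative $D_\gamma(D_\beta D_\alpha \varphi_\lambda)$ of $\varphi_\lambda$ along $\gamma \in \mathbb{F}_{2^n}$ ($\alpha \ne \gamma$, $\beta \ne \gamma$) is

$$\begin{aligned}
D_\gamma(D_\beta D_\alpha \varphi_\lambda(u)) &= \varphi_\lambda(u + \beta + \alpha + \gamma) + \varphi_\lambda(u + \beta + \alpha) + \varphi_\lambda(u + \alpha + \gamma) + \varphi_\lambda(u + \alpha) \\
&\quad + \varphi_\lambda(u + \beta + \gamma) + \varphi_\lambda(u + \beta) + \varphi_\lambda(u + \gamma) + \varphi_\lambda(u) \\
&= Tr_1^n[\lambda((\alpha\beta^{2}\gamma^{2^2} + \beta\alpha^{2}\gamma^{2^2} + \alpha\beta^{2^2}\gamma^{2} + \beta\alpha^{2^2}\gamma^{2} + \alpha^{2}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2}\gamma) u^{2^4+2^3} \\
&\qquad + (\alpha\beta^{2}\gamma^{2^3} + \beta\alpha^{2}\gamma^{2^3} + \alpha\beta^{2^3}\gamma^{2} + \beta\alpha^{2^3}\gamma^{2} + \alpha^{2^3}\beta^{2}\gamma + \alpha^{2}\beta^{2^3}\gamma) u^{2^4+2^2} \\
&\qquad + (\alpha\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta\gamma^{2^2} + \alpha\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta\gamma^{2^3} + \alpha^{2^3}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2^3}\gamma) u^{2^4+2} \\
&\qquad + (\alpha\beta^{2}\gamma^{2^4} + \alpha^{2}\beta\gamma^{2^4} + \alpha\beta^{2^4}\gamma^{2} + \alpha^{2^4}\beta\gamma^{2} + \alpha^{2^4}\beta^{2}\gamma + \alpha^{2}\beta^{2^4}\gamma) u^{2^3+2^2} \\
&\qquad + (\alpha\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta\gamma^{2^4} + \alpha\beta^{2^4}\gamma^{2^2} + \alpha^{2^4}\beta\gamma^{2^2} + \alpha^{2^4}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2^4}\gamma) u^{2^3+2} \\
&\qquad + (\alpha\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta\gamma^{2^3} + \alpha\beta^{2^3}\gamma^{2^4} + \alpha^{2^3}\beta\gamma^{2^4} + \alpha^{2^4}\beta^{2^3}\gamma + \alpha^{2^3}\beta^{2^4}\gamma) u^{2^2+2} \\
&\qquad + (\alpha^{2}\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta^{2}\gamma^{2^3} + \alpha^{2^3}\beta^{2}\gamma^{2^2} + \alpha^{2}\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta^{2^2}\gamma^{2} + \alpha^{2^2}\beta^{2^3}\gamma^{2}) u^{2^4+1} \\
&\qquad + (\alpha^{2}\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta^{2}\gamma^{2^4} + \alpha^{2^4}\beta^{2}\gamma^{2^2} + \alpha^{2}\beta^{2^4}\gamma^{2^2} + \alpha^{2^4}\beta^{2^2}\gamma^{2} + \alpha^{2^2}\beta^{2^4}\gamma^{2}) u^{2^3+1} \\
&\qquad + (\alpha^{2^3}\beta^{2}\gamma^{2^4} + \alpha^{2}\beta^{2^3}\gamma^{2^4} + \alpha^{2^4}\beta^{2}\gamma^{2^3} + \alpha^{2}\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta^{2^3}\gamma^{2} + \alpha^{2^3}\beta^{2^4}\gamma^{2}) u^{2^2+1} \\
&\qquad + (\alpha^{2^3}\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta^{2^3}\gamma^{2^4} + \alpha^{2^4}\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta^{2^4}\gamma^{2^2}) u^{2+1})] + l(u).
\end{aligned}$$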
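Since $D_\gamma(D_\beta D_\alpha \varphi_\lambda(u))$ is quadratic, the WHS of $D_\gamma(D_\beta D_\alpha \varphi_\lambda)$ is equivalent to the WHS of $h_\lambda(u)$ with

$$h_\lambda(u) = Tr_1^n[\lambda(R_1 u^{2^4+2^3} + R_2 u^{2^4+2^2} + R_3 u^{2^4+2} + R_4 u^{2^3+2^2} + R_5 u^{2^3+2} + R_6 u^{2^2+2} + R_7 u^{2^4+1} + R_8 u^{2^3+1} + R_9 u^{2^2+1} + R_{10} u^{2+1})],$$

where the coefficients, written out in full, are

$$\begin{aligned}
R_1 &= \alpha\beta^{2}\gamma^{2^2} + \beta\alpha^{2}\gamma^{2^2} + \alpha\beta^{2^2}\gamma^{2} + \beta\alpha^{2^2}\gamma^{2} + \alpha^{2}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2}\gamma \\
R_2 &= \alpha\beta^{2}\gamma^{2^3} + \beta\alpha^{2}\gamma^{2^3} + \alpha\beta^{2^3}\gamma^{2} + \beta\alpha^{2^3}\gamma^{2} + \alpha^{2^3}\beta^{2}\gamma + \alpha^{2}\beta^{2^3}\gamma \\
R_3 &= \alpha\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta\gamma^{2^2} + \alpha\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta\gamma^{2^3} + \alpha^{2^3}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2^3}\gamma \\
R_4 &= \alpha\beta^{2}\gamma^{2^4} + \alpha^{2}\beta\gamma^{2^4} + \alpha\beta^{2^4}\gamma^{2} + \alpha^{2^4}\beta\gamma^{2} + \alpha^{2^4}\beta^{2}\gamma + \alpha^{2}\beta^{2^4}\gamma \\
R_5 &= \alpha\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta\gamma^{2^4} + \alpha\beta^{2^4}\gamma^{2^2} + \alpha^{2^4}\beta\gamma^{2^2} + \alpha^{2^4}\beta^{2^2}\gamma + \alpha^{2^2}\beta^{2^4}\gamma \\
R_6 &= \alpha\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta\gamma^{2^3} + \alpha\beta^{2^3}\gamma^{2^4} + \alpha^{2^3}\beta\gamma^{2^4} + \alpha^{2^4}\beta^{2^3}\gamma + \alpha^{2^3}\beta^{2^4}\gamma \\
R_7 &= \alpha^{2}\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta^{2}\gamma^{2^3} + \alpha^{2^3}\beta^{2}\gamma^{2^2} + \alpha^{2}\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta^{2^2}\gamma^{2} + \alpha^{2^2}\beta^{2^3}\gamma^{2} \\
R_8 &= \alpha^{2}\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta^{2}\gamma^{2^4} + \alpha^{2^4}\beta^{2}\gamma^{2^2} + \alpha^{2}\beta^{2^4}\gamma^{2^2} + \alpha^{2^4}\beta^{2^2}\gamma^{2} + \alpha^{2^2}\beta^{2^4}\gamma^{2} \\
R_9 &= \alpha^{2^3}\beta^{2}\gamma^{2^4} + \alpha^{2}\beta^{2^3}\gamma^{2^4} + \alpha^{2^4}\beta^{2}\gamma^{2^3} + \alpha^{2}\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta^{2^3}\gamma^{2} + \alpha^{2^3}\beta^{2^4}\gamma^{2} \\
R_{10} &= \alpha^{2^3}\beta^{2^2}\gamma^{2^4} + \alpha^{2^2}\beta^{2^3}\gamma^{2^4} + \alpha^{2^4}\beta^{2^2}\gamma^{2^3} + \alpha^{2^2}\beta^{2^4}\gamma^{2^3} + \alpha^{2^4}\beta^{2^3}\gamma^{2^2} + \alpha^{2^3}\beta^{2^4}\gamma^{2^2}.
\end{aligned}$$

Let $E_{h_\lambda} = \{u \in \mathbb{F}_{2^n} : B(u, y) = 0 \text{ for all } y \in \mathbb{F}_{2^n}\}$, where $B(u, y)$, the bilinear form of $h_\lambda$, is given by

$$B(u, y) = h_\lambda(0) + h_\lambda(u) + h_\lambda(y) + h_\lambda(u + y),$$

$$\begin{aligned}
B(u, y) &= Tr_1^n[\lambda(y^{2^4}\{R_1 u^{2^3} + R_2 u^{2^2} + R_3 u^{2} + R_7 u\} + y^{2^3}\{R_1 u^{2^4} + R_4 u^{2^2} + R_5 u^{2} + R_8 u\} \\
&\qquad + y^{2^2}\{R_2 u^{2^4} + R_4 u^{2^3} + R_6 u^{2} + R_9 u\} + y^{2}\{R_3 u^{2^4} + R_5 u^{2^3} + R_6 u^{2^2} + R_{10} u\} \\
&\qquad + y\{R_7 u^{2^4} + R_8 u^{2^3} + R_9 u^{2^2} + R_{10} u^{2}\})] \\
&= Tr_1^n(y\,P(u)),
\end{aligned}$$

where $R_1, \ldots, R_{10}$ are as above and

$$\begin{aligned}
P(u) &= (\lambda R_1 u^{2^3} + \lambda R_2 u^{2^2} + \lambda R_3 u^{2} + \lambda R_7 u)^{2^{n-4}} + (\lambda R_1 u^{2^4} + \lambda R_4 u^{2^2} + \lambda R_5 u^{2} + \lambda R_8 u)^{2^{n-3}} \\
&\quad + (\lambda R_2 u^{2^4} + \lambda R_4 u^{2^3} + \lambda R_6 u^{2} + \lambda R_9 u)^{2^{n-2}} + (\lambda R_3 u^{2^4} + \lambda R_5 u^{2^3} + \lambda R_6 u^{2^2} + \lambda R_{10} u)^{2^{n-1}} \\
&\quad + (\lambda R_7 u^{2^4} + \lambda R_8 u^{2^3} + \lambda R_9 u^{2^2} + \lambda R_{10} u^{2}).
\end{aligned}$$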
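Let

$$\begin{aligned}
L_\lambda(u) = (P(u))^{2^4} &= \lambda(R_1 u^{2^3} + R_2 u^{2^2} + R_3 u^{2} + R_7 u) + \lambda^{2}[R_1^{2} u^{2^5} + R_4^{2} u^{2^3} + R_5^{2} u^{2^2} + R_8^{2} u^{2}] \\
&\quad + \lambda^{2^2}[R_2^{2^2} u^{2^6} + R_4^{2^2} u^{2^5} + R_6^{2^2} u^{2^3} + R_9^{2^2} u^{2^2}] + \lambda^{2^3}[R_3^{2^3} u^{2^7} + R_5^{2^3} u^{2^6} + R_6^{2^3} u^{2^5} + R_{10}^{2^3} u^{2^3}] \\
&\quad + \lambda^{2^4}[R_7^{2^4} u^{2^8} + R_8^{2^4} u^{2^7} + R_9^{2^4} u^{2^6} + R_{10}^{2^4} u^{2^5}]. \qquad (3.2)
\end{aligned}$$

$L_\lambda(u)$ is a linearized polynomial in $u$. The degree of $L_\lambda(u)$ is at most $2^8$; this implies that $k \le 6$. The Walsh transform of $D_\gamma(D_\beta D_\alpha \varphi_\lambda)$ at $\lambda \in \mathbb{F}_{2^{10}}$ is

$$W_{D_\gamma(D_\beta D_\alpha \varphi_\lambda)}(\lambda) = 2^{(10+k)/2} \le 2^{(10+8)/2}.$$

Therefore, the nonlinearity of $D_\gamma(D_\beta D_\alpha \varphi_\lambda)$ is

$$nl(D_\gamma(D_\beta D_\alpha \varphi_\lambda)) = 2^{9} - \frac{1}{2} \max_{\lambda \in \mathbb{F}_{2^{10}}} |W_{D_\gamma(D_\beta D_\alpha \varphi_\lambda)}(\lambda)| \ge 2^{9} - \frac{1}{2}\, 2^{(10+8)/2} = 256.$$

From Lemma 2.4, we conclude that the 4th order nonlinearity of $\varphi_\lambda$ is

$$nl_4(\varphi_\lambda) \ge \frac{1}{2^3} \max_{\alpha, \beta, \gamma \in \mathbb{F}_{2^n}} nl(D_\gamma(D_\beta D_\alpha \varphi_\lambda)) \ge \frac{1}{2^3} \cdot 256.$$

Hence,

$$nl_4(\varphi_\lambda) \ge 32. \qquad (3.3)$$

Also, $nl(D_\gamma(D_\beta D_\alpha \varphi_\lambda)) \ge 256$ for all $\alpha, \beta, \gamma \in \mathbb{F}_{2^{10}}$ ($\alpha \ne \beta \ne \gamma$). So there is scope to improve the bound obtained in (3.3). Lemma 2.5 implies that

$$\begin{aligned}
nl_4(\varphi_\lambda) &\ge 2^{10-1} - \frac{1}{2}\sqrt{\sum_{\gamma \in \mathbb{F}_{2^{10}}} \sqrt{\sum_{\beta \in \mathbb{F}_{2^{10}}} \sqrt{2^{20} - 2\sum_{\alpha \in \mathbb{F}_{2^{10}}} nl(D_\gamma D_\beta D_\alpha \varphi_\lambda)}}} \\
&= 2^{9} - \frac{1}{2}\sqrt{(2^{10} - 1)\sqrt{(2^{10} - 2)\sqrt{2^{20} - 2(2^{10} - 3) \cdot 256}}} \\
&= 2^{9} - \frac{1}{2}\sqrt{880665.9046} \\
&= 43.
\end{aligned}$$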
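The chain used in the proofs of Theorems 3.1 to 3.4 (differentiate until the function is quadratic, read its nonlinearity off the kernel dimension, then apply Lemma 2.5) can be checked by machine on small instances; the following Python code is an added example, not code from the paper. It assumes $s = 1$ (so $n = 7$, $p = 7$) and $\lambda = 1$ for the first family, represents the fields with the moduli $x^7 + x + 1$ and $x^{10} + x^3 + 1$, and all function names are illustrative.

```python
# Added illustration: function names, field moduli and sample directions are assumptions.
def trace_monomial(n, poly, d, lam=1):
    """Truth table of u -> Tr_1^n(lam*u^d) on F_{2^n} = F_2[x]/(poly)."""
    def mul(a, b):                      # carry-less multiply, reduced mod poly
        r = 0
        while b:
            if b & 1:
                r ^= a
            a, b = a << 1, b >> 1
            if a >> n:
                a ^= poly
        return r
    def tr(x):                          # x + x^2 + ... + x^(2^(n-1)) is 0 or 1
        t = 0
        for _ in range(n):
            t, x = t ^ x, mul(x, x)
        return t
    table = []
    for u in range(1 << n):
        p = 1
        for _ in range(d):              # u^d by repeated multiplication (d is small)
            p = mul(p, u)
        table.append(tr(mul(lam, p)))
    return table

def derivative(f, a):
    """D_a f(u) = f(u) + f(u + a); addition in F_{2^n} is XOR."""
    return [f[u] ^ f[u ^ a] for u in range(len(f))]

def nonlinearity(f):
    """2^(n-1) - max|W_f|/2 via the fast Walsh-Hadamard transform."""
    # Every linear form is u -> Tr(a*u) for one a, so dot-product characters suffice.
    w = [1 - 2 * bit for bit in f]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return (len(f) - max(abs(x) for x in w)) // 2

def kernel_dim(g):
    """dim of {b : D_b g constant} for g of degree <= 2 (Lemma 2.2)."""
    return sum(len(set(derivative(g, b))) == 1 for b in range(len(g))).bit_length() - 1

def first_derivative_profile(n=7, poly=0b10000011, d=7):
    """Kernel dimensions of D_a Tr(u^7) (case s = 1) and the Lemma 2.5 bound on nl_2."""
    f, dims, total = trace_monomial(n, poly, d), set(), 0
    for a in range(1, 1 << n):
        g = derivative(f, a)
        k, nl = kernel_dim(g), nonlinearity(g)
        assert nl == 2 ** (n - 1) - 2 ** ((n + k) // 2 - 1)  # quadratic spectrum
        dims.add(k)
        total += nl
    return dims, 2 ** (n - 1) - 0.5 * (2 ** (2 * n) - 2 * total) ** 0.5

def third_derivative_nl(f, a, b, c):
    """nl(D_c D_b D_a f), the quantity bounded below in the proof of Theorem 3.4."""
    return nonlinearity(derivative(derivative(derivative(f, a), b), c))
```

`first_derivative_profile()` returns the observed set of kernel dimensions, to be compared with the values $s$ and $5s$ of Theorem 3.1, together with the Lemma 2.5 bound computed from the exact values of $nl(D_\alpha \varphi)$. With `f = trace_monomial(10, 0b10000001001, 31)`, `third_derivative_nl(f, a, b, c)` gives the value that the proof of Theorem 3.4 compares with 256.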
4. Conclusion

The comparison of the results obtained in Theorem 3.3 with the results given by Iwata-Kurosawa [13], Singh [18] and the general bounds, i.e., $nl_2(\varphi) \ge 2^{n-3}$ [4], is provided in Table 1. It is observed that the results given by us in Theorem 3.3 are better than those given in [4, 13, 18].

Table 1: Comparison of results in Theorem 3.3 with the results obtained in [4, 13, 18] for n = 7s

n, s: 14, 2; 21, 3; 28, 4; 35, 5; 42, 6
Bounds in Theorem 3.3: 7168; 1002235; 13.21 × 10^7; 1708.49 × 10^7; 2194.72 × 10^9
Bounds by Singh [18]: 955894; 1.81 × 10^9
Bounds by Iwata-Kurosawa [13]: 3072; 393216; 5.03 × 10^5; 6.44 × 10^7; 8.24 × 10^9
General bounds by Carlet [4]: 2048; 262144; 3.35 × 10^5; 4.29 × 10^7; 5.49 × 10^9

There is always a need for functions having good cryptographic properties; in particular, functions with good higher order nonlinearities are employed to prevent higher order approximation attacks. Therefore, we expect that the results in this paper will help in selecting good cryptographic functions.

Acknowledgement

The second author thanks UGC, India, for providing financial support through the Rajiv Gandhi National Fellowship.

References

[1] Biham, E., and Shamir, A., 1991, Differential cryptanalysis of DES-like cryptosystems, In Advances in cryptography CRYPTO 1990, Lecture Notes in Computer Science, Springer-Verlag, Vol. 537, pp. 2-21.
[2] Canteaut, A., Charpin, P., and Kyureghyan, G., 2008, A new class of monomial bent functions, Finite Fields and Their Applications, Vol. 14, pp. 221-241.
[3] Carlet, C., 2006, On the higher order nonlinearities of algebraic immune functions, In CRYPTO 2006, Lecture Notes in Computer Science, Springer-Verlag, Vol. 4117, pp. 584-601.
[4] Carlet, C., 2008, Recursive lower bounds on the nonlinearity profile of Boolean functions and their applications, IEEE Trans. Inform. Theory, Vol. 54 (3), pp. 1262-1272.
[5] Carlet, C., Dalai, D. K., Gupta, K. C., and Maitra, S., 2006, Algebraic immunity for cryptographically significant Boolean functions: Analysis and Construction, IEEE Trans. Inform. Theory, Vol. 52 (7), pp. 3105-3121.
[6] Carlet, C., and Mesnager, S., 2007, Improving the upper bounds on the covering radii of binary Reed-Muller codes, IEEE Trans. Inform. Theory, Vol. 53 (1), pp. 162-173.
[7] Dillon, J. F., 1974, Elementary Hadamard Difference sets, PhD Thesis, University of Maryland.
[8] Fourquet, R. and Tavernier, C., 2008, An improved list decoding algorithm for the second order Reed-Muller codes and its applications, Des. Codes Cryptogr., Vol. 49, pp. 323-340.
[9] Gode, R., and Gangopadhyay, S., On second order nonlinearities of cubic monomial Boolean functions, In Cryptology ePrint Archive, http://eprint.iacr.org/2009/502.pdf.
[10] Gode, R. and Gangopadhyay, S., 2010, Third-order nonlinearities of a subclass of Kasami functions, Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences, Vol. 2, pp. 69-83.
[11] Gode, R. and Gangopadhyay, S., 2010, On higher-order nonlinearity of monomial partial-spreads type Boolean functions, Journal of Combinatorics, Information and System Sciences, Vol. 35, pp. 341-360.
[12] Golić, J., 1996, Fast low order approximation of cryptographic functions, In Proceedings of the EUROCRYPT 1996, Lecture Notes in Computer Science, Springer-Verlag, Vol. 1070, pp. 268-282.
[13] Iwata, T., and Kurosawa, K., 1999, Probabilistic higher order differential attack and higher order bent functions, In Proceedings of the ASIACRYPT 1999, Lecture Notes in Computer Science, Springer-Verlag, Vol. 1716, pp. 62-74.
[14] Li, X., Hu, Y. and Gao, J., 2011, Lower bounds on the second-order nonlinearity of Boolean functions, Int'l. Journal of Found. of Computer Science, Vol. 22 (6), pp. 1331-1349.
[15] Lidl, R. and Niederreiter, H., 1994, Introduction to Finite Fields and Their Applications, Cambridge University Press.
[16] MacWilliams, F. J., and Sloane, N. J. A., 1977, The Theory of Error Correcting Codes, North-Holland, Amsterdam.
[17] Rothaus, O. S., 1976, On bent functions, J. Combi. Theory, Ser. A, Vol. 20, pp. 300-305.
[18] Singh, D., 2011, Second-order nonlinearities of some classes of cubic Boolean functions based on secondary constructions, International Journal of Computer Science and Information Technologies, Vol. 2 (2), pp. 786-791.
[19] Sun, G. and Wu, C., 2009, The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity, Information Sciences, Vol. 179 (3), pp. 267-278.
[20] Sun, G. and Wu, C., 2011, The lower bound on the second order nonlinearity of a class of Boolean functions with high nonlinearity, AAECC, Vol. 22 (1), pp. 37-45.