# Difference between revisions of "Nonlinearity"

m |
m |
||

Line 1: | Line 1: | ||

= Background and Definition = | = Background and Definition = | ||

β | [[Vectorial Boolean Functions]] play an essential role in the design of cryptographic algorithms, and as such should be resistant to various types of cryptanalytic attacks. The notion of nonlinearity is introduced by Nyberg <ref name="nybergNonlinearity>Nyberg K. On the construction of highly nonlinear permutations. Workshop on the Theory and Application of Cryptographic Techniques 1992 May 24 (pp. 92-98). Springer, Berlin, Heidelberg.</ref> in order to measure the resistance of vectorial Boolean functions to Matsui's ''linear attack'' <ref>Matsui M. Linear cryptanalysis method for DES cipher. Workshop on the Theory and Application of Cryptographic Techniques 1993 May 23 (pp. 386-397). Springer, Berlin, Heidelberg.</ref>. This attack attempts to approximate the function used in an encryption algorithm by a linear function (which, in turn, is easy to analyze), and is, therefore, applicable when the actual functions used in the encryption algorithm is "close" to linear in some sense. A natural measure of distance between two functions, | + | [[Vectorial Boolean Functions]] play an essential role in the design of cryptographic algorithms, and as such should be resistant to various types of cryptanalytic attacks. The notion of nonlinearity is introduced by Nyberg <ref name="nybergNonlinearity>Nyberg K. On the construction of highly nonlinear permutations. Workshop on the Theory and Application of Cryptographic Techniques 1992 May 24 (pp. 92-98). Springer, Berlin, Heidelberg.</ref> in order to measure the resistance of vectorial Boolean functions to Matsui's ''linear attack'' <ref>Matsui M. Linear cryptanalysis method for DES cipher. Workshop on the Theory and Application of Cryptographic Techniques 1993 May 23 (pp. 386-397). Springer, Berlin, Heidelberg.</ref>. This attack attempts to approximate the function used in an encryption algorithm by a linear function (which, in turn, is easy to analyze), and is, therefore, applicable when the actual functions used in the encryption algorithm is "close" to linear in some sense. A natural measure of distance between two functions, πΉ and πΊ, is the ''Hamming distance'', i.e. the metric |

<div><math>d_H(F,G) = | \{ x : F(x) \ne G(x) \} |.</math></div> | <div><math>d_H(F,G) = | \{ x : F(x) \ne G(x) \} |.</math></div> | ||

β | Formally, the ''nonlinearity'' | + | Formally, the ''nonlinearity'' ππ(πΉ) of an (π,π)-function πΉ is the minimum distance between any component function of πΉ and any affine Boolean function. In other words, |

<div><math>nl(F) = \min \{ d_H(u \cdot F, f_a) : 0 \ne u \in \mathbb{F}_2^m, f_a : \mathbb{F}_2^n \rightarrow \mathbb{F} \text{ affine } \}.</math></div> | <div><math>nl(F) = \min \{ d_H(u \cdot F, f_a) : 0 \ne u \in \mathbb{F}_2^m, f_a : \mathbb{F}_2^n \rightarrow \mathbb{F} \text{ affine } \}.</math></div> | ||

Line 10: | Line 10: | ||

= Properties = | = Properties = | ||

β | Nonlinearity remains invariant under CCZ-equivalence (and, therefore, under extended affine and affine equivalence as well). If | + | Nonlinearity remains invariant under CCZ-equivalence (and, therefore, under extended affine and affine equivalence as well). If πΉ is (π,π)-permutation, then πΉ and πΉ<sup>-1</sup> have the same nonlinearity. |

β | The nonlinearity of an | + | The nonlinearity of an (π,π)-function πΉ can be expressed in terms of its Walsh transform via the identity |

<div><math> nl(F) = 2^{n-1} - \frac{1}{2} \max \{ |W_F(u,v)| : u \in \mathbb{F}_2^n, 0 \ne v \in \mathbb{F}_2^m \}.</math></div> | <div><math> nl(F) = 2^{n-1} - \frac{1}{2} \max \{ |W_F(u,v)| : u \in \mathbb{F}_2^n, 0 \ne v \in \mathbb{F}_2^m \}.</math></div> | ||

β | There is a relation <ref name="cczPaper">Carlet C, Charpin P, Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs, Codes and Cryptography. 1998 Nov 1;15(2):125-56.</ref> between the maximal possible nonlinearity of vectorial Boolean functions and the possible parameters of certain linear codes. If < | + | There is a relation <ref name="cczPaper">Carlet C, Charpin P, Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs, Codes and Cryptography. 1998 Nov 1;15(2):125-56.</ref> between the maximal possible nonlinearity of vectorial Boolean functions and the possible parameters of certain linear codes. If πΆ is a linear |

+ | [2<sup>π</sup>,πΎ,π·] containing the Reed-Muller code π
π(1,π) as a subcode, let (π<sub>1</sub>, π<sub>2</sub>,β¦,π<sub>πΎ</sub>) be a basis of πΆ completing a basis (π<sub>1</sub>, π<sub>2</sub>,β¦,π<sub>π+1</sub>) of π
π(1,π). Then the π-variable Boolean functions corresponding to the vectors π<sub>π+2</sub>,β¦, π<sub>πΎ</sub> are the coordinate functions of an (π,πΎ-π-1) functions with nonlinearity π·. Conversely, given an (π,π)-function πΉ of nonlinearity π·>0, the linear code obtained as the union of all cosets <math> \{ v \cdot F + RM(1,n) : v \in \mathbb{F}_2^m \}</math> has parameters [2<sup>π</sup>,π+π+1,π·]. | ||

= Bounds on the Nonlinearity of Vectorial Boolean Functions = | = Bounds on the Nonlinearity of Vectorial Boolean Functions = | ||

Line 24: | Line 25: | ||

<div><math>nl(F) \le 2^{n-1} - 2^{n/2 - 1}</math></div> | <div><math>nl(F) \le 2^{n-1} - 2^{n/2 - 1}</math></div> | ||

β | for any | + | for any (π,π)-function πΉ. [[Bent Functions]] are defined as those meeting this bound with equality. |

β | The ''Sidelnikov-Chabaud-Vaudenay (SCV) bound'' <ref>Sidel'nikov VM. On mutual correlation of sequences. InDoklady Akademii Nauk 1971 (Vol. 196, No. 3, pp. 531-534). Russian Academy of Sciences.</ref> <ref>Chabaud F, Vaudenay S. Links between differential and linear cryptanalysis. Workshop on the Theory and Application of Cryptographic Techniques 1994 May 9 (pp. 356-365). Springer, Berlin, Heidelberg.</ref> bounds the nonlinearity of any | + | The ''Sidelnikov-Chabaud-Vaudenay (SCV) bound'' <ref>Sidel'nikov VM. On mutual correlation of sequences. InDoklady Akademii Nauk 1971 (Vol. 196, No. 3, pp. 531-534). Russian Academy of Sciences.</ref> <ref>Chabaud F, Vaudenay S. Links between differential and linear cryptanalysis. Workshop on the Theory and Application of Cryptographic Techniques 1994 May 9 (pp. 356-365). Springer, Berlin, Heidelberg.</ref> bounds the nonlinearity of any (π,π)-function, with πβ₯π-1, by |

<div><math> nl(F) \le 2^{n-1} - \frac{1}{2} \sqrt{3 \cdot 2^n - 2 - 2 \frac{(2^n-1)(2^{n-1}-1)}{2^m-1}}.</math></div> | <div><math> nl(F) \le 2^{n-1} - \frac{1}{2} \sqrt{3 \cdot 2^n - 2 - 2 \frac{(2^n-1)(2^{n-1}-1)}{2^m-1}}.</math></div> | ||

β | The SCV bound coincides with the covering radius bound for | + | The SCV bound coincides with the covering radius bound for π=π-1, and is strictly sharper than the covering radius bound for πβ₯π. For π>π, the square root in the bound cannot be an integer, and thus the SCV bound can be, and is, tight only for π=π. In this case (for π=π), the bound becomes |

<div><math> nl(F) \le 2^{n-1} - 2^{ (n-1)/2 }.</math></div> | <div><math> nl(F) \le 2^{n-1} - 2^{ (n-1)/2 }.</math></div> | ||

β | This motivates the definition of [[Almost Bent Functions]] as those | + | This motivates the definition of [[Almost Bent Functions]] as those (π,π)-functions that meet the SCV bound with equality. |

## Latest revision as of 11:35, 2 October 2019

# Background and Definition

Vectorial Boolean Functions play an essential role in the design of cryptographic algorithms, and as such should be resistant to various types of cryptanalytic attacks. The notion of nonlinearity is introduced by Nyberg ^{[1]} in order to measure the resistance of vectorial Boolean functions to Matsui's *linear attack* ^{[2]}. This attack attempts to approximate the function used in an encryption algorithm by a linear function (which, in turn, is easy to analyze), and is, therefore, applicable when the actual functions used in the encryption algorithm is "close" to linear in some sense. A natural measure of distance between two functions, πΉ and πΊ, is the *Hamming distance*, i.e. the metric

Formally, the *nonlinearity* ππ(πΉ) of an (π,π)-function πΉ is the minimum distance between any component function of πΉ and any affine Boolean function. In other words,

# Properties

Nonlinearity remains invariant under CCZ-equivalence (and, therefore, under extended affine and affine equivalence as well). If πΉ is (π,π)-permutation, then πΉ and πΉ^{-1} have the same nonlinearity.

The nonlinearity of an (π,π)-function πΉ can be expressed in terms of its Walsh transform via the identity

There is a relation ^{[3]} between the maximal possible nonlinearity of vectorial Boolean functions and the possible parameters of certain linear codes. If πΆ is a linear
[2^{π},πΎ,π·] containing the Reed-Muller code π
π(1,π) as a subcode, let (π_{1}, π_{2},β¦,π_{πΎ}) be a basis of πΆ completing a basis (π_{1}, π_{2},β¦,π_{π+1}) of π
π(1,π). Then the π-variable Boolean functions corresponding to the vectors π_{π+2},β¦, π_{πΎ} are the coordinate functions of an (π,πΎ-π-1) functions with nonlinearity π·. Conversely, given an (π,π)-function πΉ of nonlinearity π·>0, the linear code obtained as the union of all cosets has parameters [2^{π},π+π+1,π·].

# Bounds on the Nonlinearity of Vectorial Boolean Functions

The *covering radius bound* for Boolean functions can naturally be extended to vectorial Boolean functions, stating

for any (π,π)-function πΉ. Bent Functions are defined as those meeting this bound with equality.

The *Sidelnikov-Chabaud-Vaudenay (SCV) bound* ^{[4]} ^{[5]} bounds the nonlinearity of any (π,π)-function, with πβ₯π-1, by

The SCV bound coincides with the covering radius bound for π=π-1, and is strictly sharper than the covering radius bound for πβ₯π. For π>π, the square root in the bound cannot be an integer, and thus the SCV bound can be, and is, tight only for π=π. In this case (for π=π), the bound becomes

This motivates the definition of Almost Bent Functions as those (π,π)-functions that meet the SCV bound with equality.

- β Nyberg K. On the construction of highly nonlinear permutations. Workshop on the Theory and Application of Cryptographic Techniques 1992 May 24 (pp. 92-98). Springer, Berlin, Heidelberg.
- β Matsui M. Linear cryptanalysis method for DES cipher. Workshop on the Theory and Application of Cryptographic Techniques 1993 May 23 (pp. 386-397). Springer, Berlin, Heidelberg.
- β Carlet C, Charpin P, Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs, Codes and Cryptography. 1998 Nov 1;15(2):125-56.
- β Sidel'nikov VM. On mutual correlation of sequences. InDoklady Akademii Nauk 1971 (Vol. 196, No. 3, pp. 531-534). Russian Academy of Sciences.
- β Chabaud F, Vaudenay S. Links between differential and linear cryptanalysis. Workshop on the Theory and Application of Cryptographic Techniques 1994 May 9 (pp. 356-365). Springer, Berlin, Heidelberg.