Copyright by Shweta Prem Agrawal 2007


Algebraic Attacks: A Survey

by Shweta Prem Agrawal, B.E.

Thesis presented to the Faculty of the Graduate School of The University of Texas at Austin in Partial Fulfillment of the Requirements for the Degree of Master of Arts

The University of Texas at Austin, December 2007


Algebraic Attacks: A Survey

Approved by

Supervising Committee:


For my mother


Acknowledgments

Many people have contributed in large measure to making this work possible. I want to thank my advisor Anna, for her understanding and support. I have learnt much from working with her, both technically and otherwise. She provided excellent guidance in research but more importantly, she was kind and encouraging during my struggle to get into theory from an unrelated background. I am especially grateful to her for the numerous times she went out of her way to help me, and for the comfortable work environment she helped create. Working with her has been both enjoyable and inspiring.

I am deeply indebted to David Zuckerman for the most beautiful introduction to theory that I could have hoped for. My love for both math and research has been largely shaped by my interaction with him. More significant than the math I learnt from him was the spirit of mathematical reasoning, rigor and intuition that I was able to imbibe.

I am grateful to everyone I interacted with at UT for an enthusiastic and motivational academic atmosphere. Special thanks is due to members of the theory group, especially Anna, David and Greg for their concern, help and advice.

I thank my friends for the long discussions and fun times. Not enough can be said for the love, faith and support of my parents and brother. Across the thousands of miles between us, they have given me comfort, optimism, trust. A special thanks to my mother, without whose love, nothing is possible.


Thanks to Austin for all the experiences I have had here. My time here has created memories that I will cherish all my life.

Shweta Prem Agrawal
The University of Texas at Austin
December 2007


Algebraic Attacks: A Survey

Shweta Prem Agrawal, M.A.

The University of Texas at Austin, 2007

Supervisor: Anna Gal

Algebraic attacks have recently acquired great importance in the area of cryptography, not only due to the ciphers they have been able to break, but more importantly, because the principle of algebraic attacks is very generic and can be applied to break large classes of ciphers. Several ciphers, previously considered secure and widely used in practice, were found to be potentially vulnerable to algebraic attacks.

In this survey, we examine algebraic attacks against both public and symmetric key ciphers. We discuss the Boolean functions used in the design of ciphers from the perspective of algebraic attacks, and consider the "cryptographic" complexity and explicit construction of these functions. We also briefly look at recently discovered methods of solving certain systems of multivariate polynomial equations, since algebraic attacks rely on being able to solve such systems of equations efficiently.


Contents

Acknowledgments v
Abstract vii
Chapter 1 Introduction 1
1.1 Public key ciphers 4
1.2 Symmetric key ciphers 11
1.2.1 Block ciphers 11
1.2.2 Stream ciphers 17
Chapter 2 Cryptographic Complexity of Boolean Functions 23
2.1 Important cryptographic properties of Boolean functions 23
2.2 About the cryptographic complexity of Boolean functions 34
Chapter 3 Algebraic attacks against symmetric key ciphers 40
3.1 Algebraic attacks against stream ciphers 40
3.1.1 Conventional attacks against stream ciphers 40
3.1.2 Setup for algebraic attack 41
3.1.3 The problem of cryptanalysis 41
3.1.4 The attack 41
3.2 Algebraic attacks against block ciphers 43
3.2.1 Conventional methods of cryptanalysis against block ciphers 43
3.2.2 How block ciphers resist conventional statistical attacks 44
3.2.3 Algebraic attacks on block ciphers 44
Chapter 4 Solving systems of multivariate equations 47
4.1 The Quadratic Solvability problem 47
4.2 Methods of solving systems of multivariate polynomial equations 48
4.2.1 Linearization 48
4.2.2 Relinearization 49
4.2.3 XL algorithm 50
4.2.4 XSL method 51
4.2.5 Grobner basis techniques 52
4.2.6 SAT solvers 53
4.2.7 "Gluing" Algorithm 53
Chapter 5 Explicit Constructions of Boolean functions with Important Cryptographic Properties 54
5.1 Algebraic construction 54
5.2 Heuristic Design 57
Chapter 6 Some open problems and concluding remarks 62
Appendix A Useful Definitions 66
A.1 Algebraic definitions 66
A.2 Cryptographic definitions 68
A.3 Fourier-Walsh Transforms 70
Bibliography 74
Vita 93


Chapter 1

Introduction

The area of algebraic attacks has recently received a lot of attention in the cryptographic literature. As is well known, there are two main kinds of encryption: public key encryption and symmetric key encryption. Algebraic attacks are relevant to both kinds. The principle of algebraic attacks is to recover the secret key of the cipher by solving a system of algebraic equations. We will make this more precise subsequently. Regardless of the type of cipher used, there are equations that can be set up involving the plaintext bits, ciphertext bits and the key. In particular, all encryption schemes, whether public key or symmetric key, can be described by the following simple relation: $C = E(M, K)$, where $C$ is the ciphertext, $E$ is the function describing how the ciphertext is obtained from the plaintext and key, $M$ is the plaintext and $K$ is the secret key. Each ciphertext bit $c_i$, $i = 1, \ldots, n$, is obtained from the plaintext bits $x_1, \ldots, x_n$ and the key bits $k_1, k_2, \ldots, k_m$, considered as input variables, by applying a function $f$, i.e. $c_i = f(x_1, \ldots, x_n, k_1, \ldots, k_m)$. Thus, we can think of the encryption $E$ as a set of functions with the plaintext and key bits as variables. We will consider the case when these functions are polynomials. In the case of Boolean functions, this can always be assumed. Often, the ciphertext $C$ and the polynomials representing the encryption are known publicly, specifically to the attacker. The basis of security of such a setup is the hardness of solving complex systems of multivariate polynomial equations. In fact, this problem is NP-hard even for the case of quadratic polynomials, and is called the Multivariate Quadratic (abbreviated as MQ) problem. We discuss this problem further in chapter 4.

The hardness of MQ is an old and well known result [GJ79]; in fact, in his seminal paper in 1949 [Sha49], Shannon wrote that if we could show that breaking a cipher requires at least as much work as "solving a system of simultaneous equations in a large number of unknowns of a complex type", then we could think of it as a good cipher.

Several cryptosystems, both public and symmetric key, have used the hardness of solving appropriately chosen systems of polynomial equations as a basis of their security. For example, in public key ciphers, the public key can be a set of multivariate polynomials, say $P = \{p_i : i = 1, \ldots, m\}$, and the encryption $C$ of an $n$-bit message $M$ is done by assigning the variables of the polynomials values corresponding to the bits of the message, i.e. $c_i = p_i(M)$. If the polynomials are publicly known, and the ciphertext is also known (as is usually the case), the secrecy of the encoded message relies on the hardness of computing $M = P^{-1}(C)$.

However, it recently became known that several ciphers that use the difficulty of the above-mentioned problem for encryption are vulnerable to what are known as algebraic attacks. Algebraic attacks are those that recover the secret key by solving a system of equations. As mentioned above, all ciphers can be represented by some system of multivariate polynomial equations. We could argue that this should pose no threat, because, as we noted, the problem of solving certain systems of equations is known to be NP-hard even for the quadratic case. However, the threat posed by algebraic attacks relies on the fact that not all multivariate quadratic equations are hard to solve; the hardness of solving such a system of equations depends on the choice of equations.

It has been shown that most systems of equations produced by or used by ciphers are very far from random. Such systems of equations often have some algebraic structure or hidden properties that can be used to solve them efficiently.

Let's make this notion more precise with some examples. In one of the early instances of algebraic attacks, Kipnis and Shamir [KS99] exploit the structure of the cipher to get an overdefined system of equations. By overdefined, we mean that the number of equations is greater than the number of variables. For a long time, the best known method to solve systems of multivariate polynomial equations was by using Buchberger's algorithm for computing a Grobner basis. Buchberger's algorithm has large exponential complexity and does not exploit the specific structure of the system of equations. But in [KS99], Kipnis and Shamir introduced an algorithm called "Relinearization" that uses the overdefinedness of the system of equations to solve it very efficiently. Further improvements to this algorithm were discovered later. Faster algorithms for computing Grobner bases also became known and were used for cryptanalysis of ciphers, e.g. the HFE cryptosystem [FJ03]. In 2002, Courtois and Pieprzyk in [CP02] came up with another algorithm called "XSL" that exploits the sparsity of the system of equations to solve it efficiently. By sparsity, we mean that the number of monomials in the system of equations is very "small". We make the notion of sparsity more precise later on.

To summarize, the way algebraic attacks work is that a system of equations is first set up, involving the plaintext, ciphertext and key. This system of equations depends on the cipher under consideration. The attacker then looks for some implicit structure in these equations that would make them easier to solve than an arbitrary system of equations. After identifying the structure, the system of equations is solved using methods such as Grobner basis techniques, Linearization, Relinearization, the XL algorithm and other techniques.

These new algorithms were used to attack well known ciphers like LILI-128 and Toyocrypt successfully [CM03]. Several ciphers, so far considered secure, suddenly became suspect to such attacks, including AES. The algebraic structure of the AES was analyzed and it is now suspected that AES is not as secure as previously believed [CP02].

The field of algebraic attacks became very important, not only because of the specific ciphers that had been attacked, but also because the principle of these attacks is very generic and can be used to design successful attacks against a variety of ciphers, both symmetric and public key.

Algebraic attacks began to be studied extensively; in particular, the strength of Boolean functions used in the design of ciphers began to be formally analyzed. To better understand the strength or weakness of these functions and quantify their resistance or vulnerability to algebraic attacks, various properties of the functions were identified. Several such properties, like the algebraic degree, normality, nonlinearity, algebraic thickness and algebraic immunity among others, have been defined to represent the cryptographic complexity (different from computational complexity) of Boolean functions. There has also been interest in the explicit construction of functions possessing a "good combination" of these properties, which will make them provably secure from algebraic attacks.

As mentioned previously, algebraic attacks are known against:

1. Public key ciphers
2. Symmetric key ciphers
   (a) Block ciphers
   (b) Stream ciphers

We briefly describe here the broad principles of each of these three types of ciphers and the concept of an algebraic attack against each of them, and provide a brief historical perspective on algebraic attacks against each of these three main types of ciphers. We describe an algebraic attack against a public key cipher (the HFE cipher) here, and against block ciphers and stream ciphers later (in chapter 3).

We list some standard mathematical definitions used in the text in the appendix.

1.1 Public key ciphers

For the sake of completeness, we briefly describe public key cryptography. Public key cryptography is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

As mentioned previously, public key cryptosystems are sometimes built based on the difficulty of solving a system of multivariate quadratic equations.

One way in which this problem is used to design public key cryptosystems is as follows. The public key comprises a set of multivariate quadratic polynomials in $n$ variables, say $F = \{f_i(x_1, x_2, \ldots, x_n) : i = 1, \ldots, m\}$. The encoding works as follows: to encrypt an $n$-bit message $M = m_1 m_2 \ldots m_n$, each bit $m_i$ of the message is assigned to a variable $x_i$ of the polynomials. The polynomials $f_i \in F$ are then evaluated at the values specified by the message $M$. Let $C = c_1, \ldots, c_m$ be the encoded message; then $c_i = f_i(m_1, \ldots, m_n)$, i.e. $C = F(M)$.

The private key comprises some secret information, often called the trapdoor, which makes the equations easy to invert; that is, with knowledge of the trapdoor, the equations become efficiently solvable for any given ciphertext. In other words, $M = F^{-1}(C)$ should be infeasible to compute without knowing the secret key or trapdoor, and easy to compute with knowledge of the trapdoor. The main difference between the various ciphers that are based on this concept is the manner in which they encode this secret information in the publicly known polynomials.

We describe here a public key cipher known as the Hidden Field Equations cipher, abbreviated as HFE.

Brief (and simplified) description of the basic HFE public key cryptosystem [Pat96]:

First we describe the basic construction of the HFE cryptosystem, along with a brief overview of the main mathematical ideas used in the design of the cipher. Subsequently we describe how the message and ciphertext are represented, how the encryption and decryption are performed, and what the private and public keys are.

The HFE cryptosystem consists of the following mathematical components:

1. A finite field $K$ of cardinality $q = p^m$, where $p$ is prime.
2. An extension of $K$ of degree $n$, called $L_n$.
3. Elements $\beta_{ij}$, $\alpha_i$ and $\mu_0$ of $L_n$.
4. Integers $\theta_{ij}$, $\phi_{ij}$, $\xi_i$.
5. Two affine bijections $s$ and $t$ such that $s, t : L_n \to L_n$.
6. A function $f : L_n \to L_n$ of a special form:

$$f(x) = \sum_{i,j} \beta_{ij}\, x^{q^{\theta_{ij}} + q^{\phi_{ij}}} + \sum_{i} \alpha_i\, x^{q^{\xi_i}} + \mu_0.$$

An alternate function representation

Consider the function $f$ introduced above. Let $B$ be a basis of $L_n$, where $L_n$ is viewed as a vector space over $K$.

Say $y = f(x)$, where $x, y \in L_n$. When $L_n$ is viewed as a vector space over $K$, any element in $L_n$ (specifically $x$ and $y$) can be represented as a linear combination of the basis elements $b_i \in B$. So we obtain $x = \sum_{i=1}^{n} x_i b_i$ and $y = \sum_{i=1}^{n} y_i b_i$. Note that

$$x^q = \Big(\sum_{i=1}^{n} x_i b_i\Big)^q = \sum_{i=1}^{n} x_i^q\, b_i^q = \sum_{i=1}^{n} x_i\, b_i^q$$

(since $K$ has $q = p^m$ elements and $p$ is prime), and thus $x^q$ will finally contain terms linear in $x_i$, $i = 1, \ldots, n$. Extending this argument, $x \mapsto x^{q^\delta}$ is linear in $x_i$, $i = 1, \ldots, n$, for any integer $\delta$. It follows that $x \mapsto x^{q^\theta + q^\phi}$ is quadratic in $x_i$, $i = 1, \ldots, n$, for integers $\theta$ and $\phi$. Hence, using

$$y = f(x) = \sum_{i=1}^{n} y_i b_i = \sum_{i,j} \beta_{ij}\, x^{q^{\theta_{ij}} + q^{\phi_{ij}}} + \sum_{i} \alpha_i\, x^{q^{\xi_i}} + \mu_0,$$

and equating coefficients of $b_i$, we can express each $y_i$, $i = 1, \ldots, n$, as a quadratic polynomial in $(x_j)_{j=1}^{n}$. This set of $n$ polynomials over the $n$ variables $(x_j)_{j=1}^{n}$ constitutes a representation of the function $f$.

To complete the mathematical setup, we now only need the following theorem:

Theorem 1.1.1. [Pat96] Let $L_n$ be a finite field with $|L_n| = q^n$, with $q$ and $n$ "not too large" (for example $q \le 64$ and $n \le 1024$). Let $f(x)$ be a given polynomial in $x$ over the field $L_n$, with degree $d$ "not too large", for example $d \le 1024$. Let $a$ be an element of $L_n$. Then it is always possible (on a computer) to find all the roots of the equation $f(x) = a$ efficiently.

Several known efficient algorithms for finding roots of polynomials over finite fields are discussed in [Pat96], e.g. the Berlekamp-Rabin algorithm, the linearized polynomial algorithm and the Berlekamp trace algorithm. Patarin also discusses variants of these algorithms that are useful in different cases: when the degree $d$ is very small, when $d$ is not too small, and when an asymptotically fast algorithm is needed. These algorithms can be used for polynomial root finding depending on the specific instance to be solved. As mentioned above, these algorithms are quite efficient: the total expected time of the linearized polynomial algorithm, for example, is in $O(d^3 n^2 + m^3 n^3 + d m^2 n^3)$, and the average expected time for the Berlekamp trace algorithm is in $O(m n^3 d^2 + n^2 d^3)$. We do not discuss these algorithms further; the interested reader is referred to [Pat96].

We now describe the construction of the cipher:

Message: The message $M$ is represented by a string of $n$ elements of $K$. So $M = m_1 m_2 m_3 \ldots m_n$, where $m_i \in K$. For our example described below, $M$ is a 3-bit vector over $F_2$.

Public key:

1. The field $K$ ($F_2$ in our example) and the length $n$ ($n = 3$ in our example).
2. $n$ polynomials in $n$ variables over $L_n$. These polynomials are obtained by representing the function $g : L_n \to L_n$, $g = t \circ f \circ s$, by $n$ polynomials in $n$ variables using the alternative representation described in the previous subsection, where $\circ$ denotes function composition. Note here that since $s$ and $t$ are of degree 1 and $f$ is of degree 2 in any basis, the composition $g$ of these functions will also be a quadratic function in the basis. Let $p_1(x_1, x_2, \ldots, x_n), p_2(x_1, x_2, \ldots, x_n), \ldots, p_n(x_1, x_2, \ldots, x_n)$ represent these $n$ polynomials in $n$ unknowns.
3. A way to put redundancy into the message $M$. This redundancy is needed to ensure one-to-one decryption. We will not elaborate on how this redundancy is added.

Private key:

1. The function $f$ described above, of degree $d$ which is "not too large". In our example, $f : F_{2^3} \to F_{2^3}$ with $d = 5$.
2. Two affine bijections $s, t$. For our example, $s, t : F_{2^n} \to F_{2^n}$ (with $n = 3$).


Encryption: The message $M$ is encrypted by setting the variables $x_1, x_2, \ldots, x_n$ of the polynomials $p_1, p_2, \ldots, p_n$ to the values specified by the message $M$. More formally, set $x_1 = m_1, x_2 = m_2, \ldots, x_n = m_n$ and evaluate $p_1(m_1, m_2, \ldots, m_n), p_2(m_1, m_2, \ldots, m_n), \ldots, p_n(m_1, m_2, \ldots, m_n)$. Let $y$ denote the ciphertext. Because of the way we constructed $p_1, \ldots, p_n$, we have $y = t(f(s(m)))$.

Decryption: Since the encryption is $y = t(f(s(m)))$, the decryption proceeds as $m = s^{-1}(f^{-1}(t^{-1}(y)))$. Here $s$, $t$ and $f$ are known; specifically, $f$ is known in its univariate form. Theorem 1.1.1 implies that this can be carried out efficiently.

Example: We demonstrate the representation of a function $f$ having the special form mentioned above by $n$ polynomials in $n$ unknowns. Note that in the actual construction of the HFE cipher, the published $n$ polynomials in $n$ variables actually represent $g = t \circ f \circ s$.

Consider $a \in F_{2^3}$. The extension field $F_{2^3}$ can be represented by $F_2[x]/(1 + x^2 + x^3)$, because $1 + x^2 + x^3$ is an irreducible polynomial. We view $F_{2^3}$ as a vector space of dimension 3 over $F_2$. Consider the basis vectors of this space as $1, x, x^2$. Suppose $a = a_2 x^2 + a_1 x + a_0$.

Consider the function $f(a) = a + a^3 + a^5$. Let $v = f(a)$. Since $v \in F_{2^3}$, $v = v_2 x^2 + v_1 x + v_0$. So we have

$$v = f(a) = a + a^3 + a^5 = (a_2 x^2 + a_1 x + a_0) + (a_2 x^2 + a_1 x + a_0)^3 + (a_2 x^2 + a_1 x + a_0)^5 \bmod (x^3 + x^2 + 1)$$

$$= (a_2 + a_2 a_1 + a_2 a_0 + a_1)\, x^2 + (a_2 a_1 + a_1 a_0 + a_2)\, x + (a_0 + a_2 + a_1 a_0 + a_2 a_0).$$

Thus we get 3 quadratic equations in 3 unknowns:

$$v_2 = a_2 + a_2 a_1 + a_2 a_0 + a_1 = p_1(a_0, a_1, a_2)$$

$$v_1 = a_2 a_1 + a_1 a_0 + a_2 = p_2(a_0, a_1, a_2)$$

$$v_0 = a_0 + a_2 + a_1 a_0 + a_2 a_0 = p_3(a_0, a_1, a_2)$$

In general, we have $n$ quadratic equations in $n$ unknowns $v_i = p_i(x_1, \ldots, x_n)$, $i = 1, \ldots, n$. As mentioned earlier, this problem is known to be NP-hard to solve in general.
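As an added example (not code from the thesis), the following Python recovers the three quadratic polynomials of the worked example above, and checks the claim of the previous subsection that $f$ is quadratic in the coordinates, by tabulating $f(a) = a + a^3 + a^5$ over $F_2[x]/(x^3 + x^2 + 1)$ and taking the algebraic normal form of each output bit; the function and helper names are my own.

```python
# Added example, not part of the thesis: recover the n = 3 quadratic polynomials
# p_1, p_2, p_3 representing f(a) = a + a^3 + a^5 over F_{2^3} = F_2[x]/(x^3 + x^2 + 1)
# by tabulating f and computing the algebraic normal form (ANF) of each output bit.

N = 3             # extension degree: elements are 3-bit vectors a = a2*x^2 + a1*x + a0
MODULUS = 0b1101  # x^3 + x^2 + 1, the irreducible polynomial chosen in the text
DEGREE_D = 5      # degree of the secret univariate map f


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of F_{2^3}; bit i of an int is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):  # an x^3 term appeared: reduce it to x^2 + 1
            a ^= MODULUS
    return r


def gf_pow(a: int, e: int) -> int:
    """Repeated multiplication is enough for the tiny exponents used here."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def f_hfe(a: int) -> int:
    """The secret univariate function from the text: f(a) = a + a^3 + a^5."""
    return a ^ gf_pow(a, 3) ^ gf_pow(a, DEGREE_D)


def anf(truth: list) -> set:
    """Moebius transform: truth table (indexed by the input vector, bit j = a_j)
    -> set of monomials, each given as the frozenset of variable indices it multiplies."""
    c = list(truth)
    for j in range(N):
        for u in range(1 << N):
            if u & (1 << j):
                c[u] ^= c[u ^ (1 << j)]
    return {frozenset(j for j in range(N) if u & (1 << j))
            for u in range(1 << N) if c[u]}


def multivariate_representation() -> list:
    """polys[i] is the ANF of output coordinate v_i, i.e. the polynomial in
    (a_0, a_1, a_2) that the text calls p_{3-i}."""
    polys = []
    for i in range(N):
        truth = [(f_hfe(a) >> i) & 1 for a in range(1 << N)]
        polys.append(anf(truth))
    return polys


def evaluate(poly: set, a: int) -> int:
    """Evaluate an ANF polynomial at the 3-bit input a: this is the public
    'encryption' step of plugging message bits into the published polynomials."""
    return sum(all((a >> j) & 1 for j in mono) for mono in poly) % 2


def max_degree() -> int:
    """Largest monomial size over all three polynomials; the text predicts 2."""
    return max(len(mono) for poly in multivariate_representation() for mono in poly)


def representation_is_consistent() -> bool:
    """Evaluating the recovered polynomials must reproduce f on every field element."""
    polys = multivariate_representation()
    return all(evaluate(polys[i], a) == ((f_hfe(a) >> i) & 1)
               for a in range(1 << N) for i in range(N))


def format_poly(poly: set) -> str:
    terms = sorted(poly, key=lambda m: (len(m), sorted(m)))
    return " + ".join("".join(f"a{j}" for j in sorted(m, reverse=True)) or "1"
                      for m in terms)


if __name__ == "__main__":
    polys = multivariate_representation()
    for i in reversed(range(N)):
        print(f"v{i} = {format_poly(polys[i])}")
    print("max degree:", max_degree(), "consistent:", representation_is_consistent())
```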


Difficulty of decryption when the private key is not known: The difficulty of decryption relies on the well known difficulty of solving a system of multivariate quadratic equations.

Efficiency of decryption when the private key is known: The only hindrance in computing $s^{-1}(f^{-1}(t^{-1}(y)))$ is in computing $f^{-1}$. The key to the efficiency of decryption is Theorem 1.1.1.

The algebraic attack: In general, the algebraic attack seeks to determine some structure in the system of equations that makes them much easier to solve than random equations of the same size. Patarin's HFE cryptosystem was broken by Kipnis and Shamir in [KS99]. The attack works by exploiting the fact that any given system of $n$ multivariate polynomial equations in $n$ variables over a field $G$ can be represented by a single univariate polynomial of a special form over $H$, which is an extension field of degree $n$ over $G$. The authors translate the problem of solving $n$ quadratic equations in $n$ unknowns over a small field $G$ into the problem of solving a very overdefined system of $\epsilon m^2$ quadratic equations in $m$ variables over a large field $H$, where $m$ is a small multiple of $n$ and $\epsilon$ is a small constant. They also introduce a new algorithm called "Relinearization" (described in detail in a later section) which is expected to solve random systems of equations of this form in polynomial time for fixed $\epsilon$.

Patarin's HFE cryptosystem was broken independently by Faugere and Joux in [FJ03]. They exploited the observation that equations in the HFE system were "simpler" than arbitrary equations of the same size. As explained by the authors, the structure of equations in an instance of HFE implies a relatively small upper bound on the degree of the intermediate polynomials which occur during computation of the Grobner basis. They prove that this bound depends on the degree of the secret function $f$ but does not depend on the size of the field $F_{2^n}$. On the other hand, with random systems of equations, the degree of these intermediate polynomials strongly depends on $n$. By exploiting this structure and using a fast algorithm to compute Grobner bases, the authors are able to crack the HFE cryptosystem.

Brief historical perspective:

One of the early examples of the deployment of the MQ (solving a complex system of multivariate quadratic equations) problem in building public key ciphers was in the design of a cryptosystem in 1988 by Matsumoto and Imai [MI88]. They designed a public key cryptosystem called $C^*$, in which the public key is as described earlier, an $n$-tuple of quadratic $n$-variate polynomials over $F_{2^m}$, say $F$. An $n$-bit message $M$ is encrypted by evaluating $F$ on $M$. In 1995, J. Patarin [Pat95] proved that the algorithm described by [MI88] is insecure and described one of the earliest algebraic attacks. Shortly after, Patarin proposed to repair this cryptosystem and devised the HFE (hidden field equations) cryptosystem in [Pat96]. The HFE cryptosystem was also based on the difficulty of solving a system of multivariate quadratic equations over a finite field, and it was expected that breaking HFE would require exponential complexity. HFE was the second attempt to design a cryptosystem based on the hardness of quadratic solvability after [MI88]. The HFE system was carefully designed to avoid the weaknesses of the Matsumoto-Imai cryptosystem, and many variants of the HFE cryptosystem were also proposed. However, in [KS99], Kipnis and Shamir were able to break this scheme using the "Relinearization" technique. Also, in [FJ03], Faugere and Joux were able to break HFE cryptosystems using fast algorithms for computing Grobner bases. Other papers related to attacks on HFE are [Cou04b, Cou01, JDH07]. Recently, methods have been proposed to modify the scheme to avoid known attacks [ACDG03].

Another early example of a multivariate signature scheme was developed by Ong, Schnorr and Shamir in [OSS84] in 1984. But this system was broken by Pollard and Schnorr in [PS87]. Fell and Diffie published another multivariate scheme in [FD85] but observed it was insecure for any practical key size.

Shamir proposed two multivariate schemes in [Sha93], but Coppersmith, Stern and Vaudenay broke them in [CSV97]. Patarin came up with several new types of trapdoors, the simplest among which was the Oil and Vinegar signature scheme [Pat97], which was broken by Kipnis and Shamir [KS98].

Algebraic attacks on public key cryptosystems based on "braid groups" (certain special groups in algebra) are discussed in [LP03, Hug02]. In [Hug02], the author employs the "Burau matrix representation" of the braid group and techniques from computational linear algebra to provide evidence that at least certain classes of keys are weak. Cryptanalysis of public key ciphers based on polynomial reconstruction is discussed in [Cor04].

1.2 Symmetric key ciphers

1.2.1 Block ciphers

Informally, block ciphers can be described as follows. A block cipher is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext data into a block of ciphertext data of the same length. This transformation takes place under the action of a user-provided secret key. Decryption is performed by applying the reverse transformation to the ciphertext block using the same secret key. The fixed length is called the block size. More precisely, as described by Wagner in [Wag04], a block cipher is a map $E : K \times M \to M$ (where, as usual, $M$ is the message space, $K$ the key space and $E$ the encryption transformation) such that $E_k$ is invertible for all keys $k \in K$, and both $E_k$ and $E_k^{-1}$ can be efficiently computed. A block cipher is "secure" if it behaves as a pseudo-random permutation: no efficient algorithm $A$ given interactive access to encryption and decryption black boxes should be able to distinguish the real cipher, i.e. $E_k$ and $E_k^{-1}$, from a truly random permutation (i.e. $\pi$ and $\pi^{-1}$, where $\pi$ is uniformly distributed on the set of all permutations on $M$) [Wag04]. An attack which distinguishes the cipher from a random permutation is called a "distinguishing attack". Usually, once a distinguishing attack is found, one can recover the secret key.

In this section, we will describe the broad construction of a block cipher. Before we do that, however, we briefly review Shannon's principles of confusion and diffusion. These principles, stated more than 50 years ago, are still considered very relevant and are still taken into account in the design of ciphers today. We will see examples of this in later sections. Confusion and diffusion can be briefly explained as follows [Car06a]:

1. Confusion: Confusion aims at concealing any algebraic structure in the system. In his book "Cryptography: Fundamentals and Applications", Massey interprets confusion as "the ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the cryptanalyst".

2. Diffusion: Diffusion consists of spreading out the influence of any minor modification of the input data or of the key over all outputs.

Most block ciphers are constructed by repeatedly applying a simple function to the input. This approach is known as an iterated block cipher. Each iteration is termed a round, and the repeated function is termed the round function. More precisely, most block ciphers are product ciphers: the cipher is built as the composition of individual round transformations. We choose a round function f : M → M, compute a sequence of round keys k_1, k_2, ..., k_n as a function of the key k, and set E_k = f_{k_n} ∘ ... ∘ f_{k_1}. The function f computes one round of the cipher [Wag04].

Each round typically consists of (possibly multiple) S-boxes or "substitution boxes" that are connected by key-dependent linear transformations. S-boxes are used to obscure the relationship between the plaintext and the ciphertext. In general, an S-box takes some number of input bits and transforms them into some (possibly different) number of output bits. (Note that the block length of the cipher still remains the same: even if S-boxes change the size of the block, other operations are performed that counter the size change.) The S-boxes typically provide "confusion" to the cipher, and the linear transformations provide the "diffusion". Product ciphers typically repeat a substitution layer and a linear transformation sufficiently many times in the hope of obtaining a strong cipher.

The traditional methods of cryptanalysis of block ciphers are linear and differential cryptanalysis, which are based on probabilistic characteristics. This makes the security of the cipher grow exponentially with the number of rounds. For example, differential cryptanalysis is based on the study of how differences in input are reflected as differences in output. The attacker typically tries, given a difference in input, to trace the difference in output of each round through the multiple rounds of the cipher, and hopes to measure non-random behavior at the output, which helps attack the cipher. Linear attacks, discussed in more detail later, are also based on this "statistical" approach: the attacker tries to construct probabilistic characteristics through as many rounds of the cipher as possible, in order to distinguish the cipher from a random permutation [Cid04]. Recent block ciphers, like the AES for example, were carefully designed to resist such probabilistic attacks.

Algebraic attacks, however, focus on writing systems of algebraic equations that completely describe the block cipher, and then using newly discovered algorithms to solve this system and recover the plaintext. More explicitly, the specific structure of the S-box in the AES, for example, permits finding a small set of polynomial equations in the input and output bits that completely define the S-box. By combining the equations written for the various S-boxes, the attacker can write a system of equations that completely describes the whole block cipher, and then try to somehow solve this system.

Brief historical perspective:

Because of its importance and exciting history we discuss AES separately:

Advanced Encryption Standard (AES):

The security of the AES (Rijndael) has received a lot of attention in the cryptographic literature. Researchers have studied the potential of algebraic attacks against AES (Rijndael) in a number of recent papers. According to Rijndael's designers, Daemen and Rijmen, Rijndael was intentionally constructed in such a way that all its components are derived from simple algebraic functions with well studied properties [DR00]. This was motivated by the desire to be able to analyze and prove important security aspects of Rijndael. But this simple algebraic structure makes AES potentially vulnerable to algebraic attacks.

In [CP02], the authors showed that the S-boxes of both Serpent and Rijndael can be described by an overdefined system of algebraic equations (recall that overdefined means that the number of equations is greater than the number of unknowns). They also introduced a new algorithm called XSL, which uses the sparsity ('small' number of monomials in the equations) and specific structure of the equations to solve them. The complexity of XSL was not clearly understood, but the authors claimed that their "optimistic" evaluations showed that this attack might be able to break Serpent and Rijndael. These were significant claims; Rijndael was the currently proposed AES (by NIST), and Serpent had been a finalist for the same Advanced Encryption Standard. But whether these estimates for XSL are valid remains an interesting open question. A great deal of controversy erupted over the correctness of the arguments in the original XSL paper [CP02]. In [MR02], the authors made estimates about the use of the XSL algorithm to break AES and claimed substantial improvements over the complexity of the brute force approach. In [MR03], Robshaw and Murphy said that they did not believe that the XSL estimates had the accuracy required to substantiate claims of breaking AES. Some other cryptographers expressed disagreement with the claims made about the XSL algorithm. The cryptographer T. Moh wrote an article [Moh02] claiming that the XSL attack is infeasible (Courtois disagrees, saying no one has proved that it is infeasible [Cou]). Don Coppersmith, noted cryptographer and mathematician (winner of the RSA Security Award for Mathematics in 2002), said [Cop]: "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael... The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." One of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream" [Cou]. The community at large still has to come to a conclusion about this.

The attack cannot be easily implemented and tested because of its great complexity. Schneier observed in his Crypto-Gram newsletter on the web [Sch] that "we are not yet in an age where the attack can be tested. So, we seem to be secure from these attacks now. However if these attacks do work, we will not know until it is too late". In [FIL03], Filiol claimed to break AES and recover some key bits, a spectacular result. But in [CJJ+03], the authors claimed that this attack was incorrect.

To better understand the strength or weakness of the AES with respect to algebraic attacks, the algebraic structure of AES has been extensively studied. The hope is that understanding the structure of the AES will help in exploiting this structure when solving the systems of equations that describe AES. Several papers discuss the algebraic structure of the AES.

In 2002, a paper by Fuller and Millan [FM02] showed that all the outputs of AES's 8 × 8-bit S-box are equivalent under affine transformations, so that the 8 × 8 S-box can be considered an 8 × 1-bit S-box. Since the S-box is the only source of nonlinearity in the AES and hence the only component that provides confusion to the cipher, evidence that the S-box is not as strong as was believed has increased concerns about the security of AES. Another paper by Filiol [Fil02] claimed to have detected some biases in the Boolean functions of AES, which could possibly be used to break AES. Observations such as these suggest that the AES can be completely described by a system of equations that is much simpler than expected, which has implications for the resistance of the AES to algebraic attacks. Such weaknesses may also lead to other attacks against AES.

In [MR02], the authors discussed the difficulty in understanding the algebraic properties of AES, because operations in AES exist over two different fields, F_2 and F_{2^8}. While it is easy to define all the operations of the cipher in terms of operations over F_2, the resulting expressions quickly become messy and hard to analyze. The authors, Murphy and Robshaw, created a cipher called BES (Big encryption standard), with the advantage that all the operations in BES are entirely described using very simple operations in F_{2^8}. The properties of BES are closely related to the properties of the AES, since the BES is basically a generalization of the AES. By recasting the AES in this way the authors highlight some important structural features of the AES. Other papers that explore the structure of the AES include [MR00, CMR04]. In [MR00], the authors summarized some observations on Rijndael and presented an alternative view of the structure of Rijndael. In [CMR04], Cid, Murphy and Robshaw considered a number of aspects of the AES, and examined a few computational and algebraic aspects that could be used in the cryptanalysis of the cipher. They discussed how to express the cipher as a very large but simple system of multivariate quadratic equations over the finite field F_{2^8}, and considered approaches to solving the system. Murphy, Cid and Robshaw even wrote a book on the algebraic aspects of the AES [CMR06].

Other block ciphers:

Algebraic attacks on block ciphers besides AES have been explored in the following: In [BC03], Biryukov and De Canniere compare the systems of multivariate polynomials which completely define some popular block ciphers, in view of the potential danger of the algebraic re-linearization attack.

In [Cou04c], Courtois surveys the attacks that exploit various types of multivariate algebraic relations. He derives new, very general design criteria to avoid the existence, if possible, of "too simple" algebraic relations.

The resistance of S-boxes to algebraic attacks has been further discussed in [CL04, CDG05].

Recent developments:

Many interesting open questions remain about the security of block ciphers against algebraic attacks. This is currently an active area of research. Recently, there have been some important results in this area.

In [Cou07b], Courtois proposed a new toy cipher called the "Courtois toy cipher" (CTC) and followed it up with CTC2 [Cou07a]. These ciphers are very like practical block ciphers for large enough parameters. Courtois encourages people to try to break these ciphers (he can break 6 rounds of CTC and up to 10 rounds of CTC2), and believes that attacks against these ciphers can lead to attacks on real ciphers easily enough.

In [BPW05], the authors analyze some well known ciphers that are sound against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, they present ciphers for which practical Gröbner basis attacks can recover the full cipher key while requiring only a minimal number of plaintext/ciphertext pairs. They are also able to construct Gröbner bases for some ciphers with small computational effort, which reduces the breaking of the cipher to a Gröbner basis conversion problem. They are also able to bound the running time of an algorithm that implements this conversion.

In an important paper [CB06], the authors discuss an algebraic attack against the Data Encryption Standard (DES). DES has been a popular cipher, and though NIST replaced it by AES, DES cannot be considered obsolete and triple-DES is still widely used, especially in the financial sector [CB06]. In this paper the authors claim: "we finally show that practical algebraic attacks are in fact possible for reduced-round versions of DES. This is the first known example of a working algebraic attack on up to 10 rounds of a real-life industrial block cipher. The attack requires only one single known plaintext (instead of a very large quantity). This is an unprecedented thing that has no equivalent in any cryptographic attack ever done." They also claim that "though (on a PC) we recover the key for only six rounds, in a weaker sense we can break 12 full rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. Thus, if DES is susceptible to this kind of algebraic cryptanalysis, then probably nearly any other cipher is, and some may be substantially weaker."

Recently, a block cipher called KeeLoq, used in wireless devices that unlock doors in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen etc., was broken by Courtois and Bard in [CB07]. This attack is very significant because, for the first time in history, a full-round real-life block cipher is broken by an algebraic attack! Moreover, they claim that their attacks are easy to implement, have been tested experimentally, and that the full key can be recovered in practice on a PC.

Recently, Nicolas Courtois has even created a web page that allows people to bet on cryptographic algorithms with real money!

1.2.2 Stream ciphers

Stream ciphers are ciphers which encrypt plaintext bits one at a time, using an encryption function which changes over time. Stream ciphers are based on the Vernam cipher (one-time pad). In the Vernam cipher, the plaintext, which is a binary string of some length, is bitwise added to a binary secret key of the same length in order to produce the ciphertext. The Vernam cipher is the only cipher that guarantees unconditional security, provided the key is truly random and a brand new key is used for every new encryption. However, it is impractical to produce a new truly random key per encryption. So in practice, in stream ciphers, a small random key is used to produce a long pseudo-random sequence (by some method) and this pseudo-random sequence is combined with the plaintext in some way to produce the ciphertext. What is shared between users now is not the entire sequence that is used for encryption but the short, secret, truly random key along with the method used to generate the pseudo-random sequence. This pseudo-random sequence is generated by a finite state automaton with a secret state initialized by the private key. The i-th keystream digit only depends on the secret key and the previous (i − 1) plaintext digits. Then the i-th ciphertext digit is obtained by combining the i-th plaintext digit with the i-th keystream digit. If the attacker can somehow guess the keystream, he can break the cipher.

We briefly discuss here a particular method of generating the pseudo-random sequence, the Linear Feedback Shift Register, because of its popularity.

Linear Feedback Shift Registers: Linear Feedback Shift Registers (LFSRs) are sometimes used to generate the long pseudo-random sequence from the short key. Note that unconditional security is no longer guaranteed. An LFSR works loosely as follows: consider a register of length L. This register is initialized in some secret way (determined by the short random secret key described above). After initialization, the contents of the register are updated every clock cycle, typically by "shifting" the contents of the register right by one bit, causing one bit to "fall out" of the register at the extreme right, this being the output bit, while the leftmost bit of the register is set to a linear function of the current contents of the register. This linear function which is used to update the state of the LFSR (or whichever finite state automaton is used) is called the transition function.

More formally, as defined in [MvOV97], a linear feedback shift register (LFSR) of length L consists of L stages (also called delay elements) numbered 0, 1, ..., L − 1, each capable of storing one bit and having one input and one output, and a clock which controls the movement of data. During each unit of time the following operations are performed:

1. The content of stage 0 is output and forms part of the output sequence.

2. The content of stage i is moved to stage i − 1 for each i, 1 ≤ i ≤ L − 1.

3. The new content of stage L − 1 is the feedback bit s_j, which is calculated by adding together modulo 2 the previous contents of a fixed subset of the stages 0, 1, ..., L − 1.

The number of stages in an LFSR is called its length. An LFSR is said to generate a finite sequence s^n = s_0 s_1 s_2 ... s_{n−1} if there is some initial state of the LFSR for which the output sequence of the LFSR has s^n as its first n terms [MvOV97]. The linear complexity of a finite binary sequence s^n is the length of the shortest LFSR that generates a sequence having s^n as its first n terms [MvOV97].

There is a well known algorithm, called the "Berlekamp-Massey" algorithm, that can be used to "break" LFSRs. The Berlekamp-Massey algorithm provides a way to efficiently determine the linear complexity of a finite sequence and to determine the shortest LFSR capable of generating the given sequence [MvOV97]. If the linear complexity of a sequence (or the length of the shortest LFSR generating the sequence) is L, then knowing 2L consecutive bits enables the Berlekamp-Massey algorithm to recover the value of L, the initialization of the LFSR and the linear transition function.

Figure 1.1: Filtering function (diagram omitted: an LFSR with stages S_0, ..., S_{L−1}; the bits x_1, ..., x_i, ..., x_n taken from some of the stages feed the filtering function f(x_1, x_2, ..., x_n), whose value is the output).

To avoid attacks by the Berlekamp-Massey algorithm, modern ciphers use LFSRs in conjunction with filtering or combining functions. These functions combine the outputs of several LFSRs, or several bits from one LFSR, to produce a keystream sequence which, if the functions are well chosen, has high linear complexity.

Filtering function [Car06a]:

A filtering function is a way to use Boolean functions to avoid attack by the Berlekamp-Massey algorithm. An LFSR with a filtering function, called a filtered LFSR, does not output the bit contained in the rightmost stage of the LFSR but outputs f(x_1, ..., x_n), where f is the n-variable filtering function and x_1, ..., x_n are bits contained in some stages of the LFSR.

Combining function [Car06a]:

Combining functions are typically nonlinear functions that combine the outputs of several LFSRs so as to add confusion to the system. The way that a combining function works is illustrated in the figure below.

Note that though the purpose of the filtering function and the combining function is the same, the attacks conducted on the two functions are different; hence the properties that a function needs to satisfy in these two roles are often different.

Also note that the transition function and the filtering/combining function are usually public and only the initialization of the finite state automaton is private.

Figure 1.2: Combining function (diagram omitted: three LFSRs S_1, S_2, S_3, loaded from key material k_1, k_2, k_3, feed the combining function f; the resulting KEYSTREAM is combined with the PLAINTEXT to produce the CIPHERTEXT).

A combiner is a specific construction of the keystream generator. A (k, l)-combiner consists of k parallel LFSRs, and the nonlinear filtering is done via an automaton with k input bits and l memory bits [AK03].
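As an added example (not code from the thesis or from [MvOV97]), the following Python implements the LFSR of the definition above and the Berlekamp-Massey algorithm, shows that 2L = 10 output bits of a constructed length-5 register suffice to recover its connection polynomial and regenerate the whole keystream, and then measures the linear complexity obtained when two registers are combined by a degree-1 (XOR) and a degree-2 (AND) combining function, which is the effect the [RS87] bound quoted in Section 2.1 describes. The feedback taps and seeds are constructed for illustration.

```python
"""Added example (not code from the thesis): a bit-level LFSR, the
Berlekamp-Massey algorithm, and the effect of a nonlinear combining
function on linear complexity.  Taps and seeds are constructed."""


def lfsr_sequence(taps, seed, n):
    """Output n bits of an LFSR with stages 0..L-1 as in [MvOV97]: each
    clock outputs stage 0, moves every stage i to stage i-1, and loads
    stage L-1 with the XOR of the previous contents of the stages in taps."""
    state = list(seed)
    out = []
    for _ in range(n):
        out.append(state[0])
        feedback = 0
        for t in taps:
            feedback ^= state[t]
        state = state[1:] + [feedback]
    return out


def berlekamp_massey(seq):
    """Return (L, c): L is the linear complexity of seq and c the connection
    polynomial c(x) = 1 + c[1] x + ... + c[L] x^L over F_2, meaning
    s_j = c[1] s_{j-1} xor ... xor c[L] s_{j-L} for every j >= L."""
    n = len(seq)
    c = [1] + [0] * n        # current connection polynomial
    b = [1] + [0] * n        # polynomial before the last length change
    L, m = 0, -1
    for i in range(n):
        # discrepancy: does the current register predict bit i?
        d = seq[i]
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:       # the register has to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def run_recurrence(c, prefix, n):
    """Extend the first L bits of prefix to n bits with connection
    polynomial c: the attacker's regenerated keystream."""
    L = len(c) - 1
    s = list(prefix[:L])
    while len(s) < n:
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & s[-j]
        s.append(bit)
    return s


def combine(f, *seqs):
    """Apply the combining function f bitwise to several LFSR outputs."""
    return [f(*bits) for bits in zip(*seqs)]


# Constructed toy generators: L = 5 with taps {0, 2} realises
# c(x) = 1 + x^3 + x^5; L = 3 with taps {0, 2} realises 1 + x + x^3.
SEQ5 = lfsr_sequence([0, 2], [1, 0, 0, 1, 1], 64)
SEQ3 = lfsr_sequence([0, 2], [1, 0, 1], 64)


def linear_complexities():
    """Linear complexity (Berlekamp-Massey on 64 bits) of the raw L = 5
    register, of the XOR of both registers (degree-1 combiner, bound
    5 + 3) and of their product (degree-2 combiner, bound 5 * 3)."""
    return {
        "lfsr5": berlekamp_massey(SEQ5)[0],
        "xor": berlekamp_massey(combine(lambda a, b: a ^ b, SEQ5, SEQ3))[0],
        "and": berlekamp_massey(combine(lambda a, b: a & b, SEQ5, SEQ3))[0],
    }


if __name__ == "__main__":
    # 2L = 10 known bits recover the length-5 register ...
    L, c = berlekamp_massey(SEQ5[:10])
    print("recovered L =", L, "connection polynomial =", c)
    # ... and regenerate the full keystream from its first L bits.
    print("keystream reproduced:", run_recurrence(c, SEQ5, 64) == SEQ5)
    print(linear_complexities())
```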

Brief historical perspective:

Traditionally known attacks against stream ciphers include the inversion attack [Gol96], the conditional correlation attack [And94] and the fast correlation attack [MS89a]. Various types of correlation attacks work by identifying a correlation between specific output bits and a subset of the input bits. If the combining function can be well approximated by linear functions, it is easier to find statistical dependence between the output sequence and a subset of the input bits. In order to resist such attacks, many authors focused on proposing combining functions that have no good linear approximations.

Algebraic attacks against stream ciphers were first discussed by Courtois in [Cou02]. In the attack discussed in this paper, the nonlinear combining function is approximated by another function of low degree (notice that this function is nonlinear) and Courtois was able to reduce breaking the cipher to solving an overdefined system of quadratic equations. He was also able to adapt the XL algorithm to solve this system of equations and successfully break the cipher Toyocrypt. This paper "generalized" the danger of using functions with linear approximations to the danger of using functions with nonlinear but low degree approximations. In [CM03], the authors showed that algebraic attacks on stream ciphers apply even if there is no good low degree approximation to the combining function. They showed how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. This enabled them to substantially speed up the cryptanalysis of the cipher Toyocrypt. In the same paper, the authors described a new general algebraic attack that breaks stream ciphers satisfying all previously known design criteria far more efficiently than was previously known (in at most the square root of the complexity of the previously known generic attack).

Many subsequent papers investigated algebraic attacks on stream ciphers. In [MPC04], the authors streamlined the ideas behind these attacks, reducing and simplifying the various scenarios which had been considered so far. In [Bat04], Batten generalized the theory that had been built around the Boolean function case to arbitrary finite fields. In particular, properties of Boolean functions were identified to quantify their resilience to such attacks. One such property, the algebraic immunity (discussed at length in chapter 2), received significant attention. In [ACG+06, DT06], the authors proposed methods to efficiently compute the algebraic immunity of a function. In [LQ06], the authors constructed and counted Boolean functions of an odd number of variables with maximum algebraic immunity. In [LfQ05, BP05], the authors discussed special "symmetric" (defined later) Boolean functions with respect to their algebraic immunity. In [CL06], the authors gave some lower bounds on the algebraic immunity of Boolean functions. In [Ars05], the algebraic immunity of functions over finite fields was explored, properties of algebraic immunity were explored, and some bounds related to it were given. Other papers that have explored bounds on algebraic immunity are [NGG06, DGM04]. The construction of Boolean functions with maximum algebraic immunity has been discussed in [DMS06, AK06].

Algebraic attacks and "fast" algebraic attacks are further explored in [AA05, HR04, DGM06, Arm04, Cou03, Cou04a, AK03, FA03]. In [AK03], the authors analyzed the keystream generator from the Bluetooth standard, E0, and showed how the secret key can be recovered by solving a system of linear equations with a large number of unknowns. They also extended the use of algebraic attacks to combiners with memory and provided an algorithm to construct low degree (say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream.

Chapter 2

Cryptographic Complexity of Boolean Functions

2.1 Important cryptographic properties of Boolean functions

In order to understand how Boolean functions could resist algebraic attacks, some properties were identified that quantify the resistance of a given Boolean function to algebraic attacks. These properties indicate the cryptographic complexity of Boolean functions. Some such properties are:

1. Balancedness

2. Algebraic degree

3. Nonlinearity

4. Correlation immunity

5. Algebraic thickness

6. Algebraic immunity

7. Non-normality

8. Strict Avalanche Criteria and Global Avalanche Characteristics

We describe each of the above-mentioned properties below. Before we do that, however, we make a small digression to discuss affine invariance and its significance because, as we shall see, affine invariance is an important consideration in almost every property we consider.

Significance of affine invariance: In cryptography, a function is considered weak if it can be turned into a cryptographically weak function by means of a simple transformation, e.g. an affine transformation. This is because an algebraic attack which may be infeasible on a Boolean function f may be trivial on an affine equivalent of f, say g, and an attack on g can easily be transformed into an attack on the original function f. To illustrate this, we consider an extreme example from [MS89b]. Let us consider the number of monomials of a function as a desirable property of the function, i.e., a function with more monomials is stronger. To demonstrate that this is unsatisfactory, consider the Boolean function f(x_1, x_2, ..., x_n) whose algebraic normal form is obtained by summing up all possible product terms in x_1, x_2, ..., x_n. At first glance this looks like a good function, since it contains all nonlinear terms. However, f can be written as the product f(x_1, x_2, ..., x_n) = (1 + x_1)(1 + x_2)...(1 + x_n), which transforms into the monomial function g(x_1, x_2, ..., x_n) = x_1 x_2 x_3 ... x_n by simply complementing all arguments. This turns f into a poor function with respect to the number of nonlinear terms, and f becomes vulnerable.

Thus we want the properties quantifying the cryptographic complexity of Boolean functions to be affine invariants.

Now, we discuss the above-mentioned properties.

1. Balancedness: An n-variable Boolean function f is said to be balanced if its Hamming weight is 2^{n−1}.

Motivation: Intuitively, the output of a cryptographic Boolean function should be equally distributed over {0, 1} to avoid statistical dependence between input and output (since statistical dependence can be exploited in attacks).

From equations A.6 and A.9 in appendix A3, we can derive an interesting link between the balancedness of a function and Walsh transforms: a function f is balanced if and only if χ_f(0) = 0.

Balancedness is an affine invariant.

2. Algebraic Degree [Car06a, Car04b]: Every Boolean function f over the field F_2^n can be represented uniquely by its algebraic normal form or A.N.F.

$$f(x) = \sum_{u \in F_2^n} a_u \left( \prod_{i \mid u_i = 1} x_i \right)$$

The degree of the A.N.F. of a function is called the algebraic degree of the function. For security, we want the function to possess as high a degree as possible.

Motivation: The complexity of the "higher order differential attack" on block ciphers due to Knudsen and Lai [Knu94, Lai94] depends on the algebraic degrees of the Boolean functions in the cipher. Also, as described earlier, in most stream ciphers the keystream generator combines the outputs of one or more LFSRs by a nonlinear function to produce the keystream sequence. The linear complexity of such a sequence depends on the degree of the combining function and on the number of monomials in its ANF. These parameters determine the resistance of the produced sequence to the Berlekamp-Massey algorithm [Rue86, Mas69]. Hence the nonlinear combining functions must have high algebraic degrees and many monomials in their ANF.

To make this concrete, we describe an example. Consider the case of a keystream generator with combining function f. If n LFSRs having lengths L_1, L_2, ..., L_n are combined by the function

$$f(x) = \bigoplus_{I \in P(n)} a_I \left( \prod_{i \in I} x_i \right)$$

where P(n) denotes the power set of {1, 2, ..., n} and ⊕ denotes the sum computed mod 2, then we know from [RS87] that the sequence produced by f can be obtained by a single LFSR of length

$$L \le \sum_{I \in P(n)} a_I \left( \prod_{i \in I} L_i \right)$$

The algebraic degree of f has to be high so that L can have a high value. As mentioned previously, if the attacker knows at least 2L consecutive bits then the Berlekamp-Massey algorithm recovers the value of L as well as the secret initialization of the LFSR (hence the secret key). So, if the linear complexity L of the sequence has a low value, then the function is very susceptible to attack.

Relationship between algebraic degree and Walsh transform:

Proposition 2.1.1. [Lan90] Let f be an n-variable Boolean function, and let

1 ≤ k ≤ n. Assume that its Walsh transform takes values divisible by 2k.

Then f has algebraic degree at most n− k + 1.

Algebraic degree is an affine invariant. The degree of any function f equals

that of any affinely equivalent function f ◦ A, where A is an element of the

general affine group.

However, in [Car06b], Carlet remarks that algebraic degree is not a suitable

criterion because a function with low algebraic degree can be converted to a

function with high algebraic degree by simply complementing a few bits in the

truth table. This operation does not change the robustness of the function

much but significantly increases the algebraic degree.

Carlet identifies a new property called Nonlinearity Profile which we describe

later.

3. Nonlinearity [Car03, Car06a]: The nonlinearity of a Boolean function f is

the minimum Hamming distance of f to affine functions. For security, we want

high nonlinearity.

Motivation: Nonlinearity is crucial because most linear systems are easily breakable by linear and correlation attacks as illustrated by [CT00, DXS91, Mat93]. Hence a Boolean function needs to have high nonlinearity to be cryptographically strong. Nonlinearity is an intuitive criterion: affine functions are considered the weakest functions and a strong function should be as far away from them as possible.

In [Car06a], Carlet says that there is a correlation between a Boolean function f and a linear function l if $d_H(f, l)$ is different from $2^{n-1}$. The nonlinearity criterion can be expressed by the Walsh transform as follows: let $l_a(x) = a_1x_1 + \dots + a_nx_n = a \cdot x$ be any linear function. According to equation 2.11 we have

$$d_H(f, l_a) = 2^{n-1} - \frac{1}{2}\chi_f(a)$$

and we deduce

$$d_H(f, l_a \oplus 1) = 2^{n-1} + \frac{1}{2}\chi_f(a).$$

Therefore the nonlinearity of f is equal to:

$$NL(f) = 2^{n-1} - \frac{1}{2}\max_{a \in F_2^n} |\chi_f(a)| \qquad (2.1)$$

Parseval's relation applied to $\chi_f$ gives

$$\sum_{a \in F_2^n} \chi_f^2(a) = 2^{2n} \qquad (2.2)$$

and implies that the mean of $\chi_f^2(a)$ is $2^n$. Since the maximum is greater than or equal to the mean, we can say:

$$\max_{a \in F_2^n} |\chi_f(a)| \ge 2^{n/2} \qquad (2.3)$$

This implies

$$NL(f) \le 2^{n-1} - 2^{n/2-1} \qquad (2.4)$$

This bound, valid for every Boolean function, is called the universal nonlinearity bound. Thus we see that any Boolean function has correlation with some linear functions. But this correlation should be small, since the existence of affine approximations of the Boolean functions in a cipher, both stream and block, makes the cipher susceptible to attacks such as those described in [Mat93, DXS91, CT00].

Nonlinearity is an affine invariant by definition, since $d_H(f \circ L, l \circ L) = d_H(f, l)$ for every pair of functions f, l and every affine automorphism L.

The functions which match the universal nonlinearity upper bound $2^{n-1} - 2^{n/2-1}$ are called bent functions. Bent functions are thus maximally nonlinear functions. They are not directly useful in ciphers because they are not balanced.

The concept of nonlinearity has been generalized to the "Nonlinearity Profile":

Nonlinearity Profile [Car06b]: let $NL_r(f)$ denote the distance between f and the set of all functions of degree at most r. We call $NL_r(f)$ the r-th order nonlinearity of f, and the nonlinearity profile is the sequence of $NL_r(f)$ for r = 1, ..., n − 1.

4. Correlation immunity and resiliency [SM00a]: A function is said to be correlation immune if its output leaks no information about any fixed set of input values. An n-variable function $f(x_n, \dots, x_1)$ is said to be correlation immune (CI) of order m if

$$\Pr(f = 1 \mid x_{i_1} = c_1, \dots, x_{i_m} = c_m) = \Pr(f = 1)$$

for any choice of distinct $i_1, i_2, \dots, i_m$ from {1, 2, ..., n} and $c_1, \dots, c_m \in \{0, 1\}$.

m-Resilient: A balanced m-th order correlation immune function is called

m-resilient.

Note that to say that f is m-resilient does not mean that f is NOT k-resilient

for k > m. The largest value of m such that f is m-resilient is called the

resiliency order of f [Car06a].

Motivation: The property of correlation immunity was motivated by the "correlation attacks" introduced by Siegenthaler in [Sei84]. We describe correlation attacks here:

Correlation attacks:

Consider a stream cipher in which the keystream generator is implemented as n LFSRs whose output is combined by a nonlinear combining function f, as depicted in figure 1.2. The secret key K determines the initialization of the LFSRs. We assume that K consists of the n keys $K_1, K_2, \dots, K_n$, one for each of the n LFSRs $S_1, \dots, S_n$, so that LFSR $S_i$ is initialized by the secret key $K_i$, i ∈ {1, ..., n}. We assume the key is private, and everything else is public. Say $M_i$ is the number of possible subkeys $K_i$ for the LFSR $S_i$. Thus the number of different keys for the generator is:

$$M = \prod_{i=1}^{n} M_i$$

The nonlinear combining function f is meant to provide "confusion" and make the keystream difficult to predict. We desire that the cryptanalyst be forced to try an average of half of the M possible values of K before hitting on the correct key. But Siegenthaler observed that if the keystream is correlated to at least one of the LFSR sequences, say the sequence of $S_i$, then the subkey $K_i$ used to initialize $S_i$ can be determined using exhaustive search, and this will significantly simplify the brute force attack used to find K. If the output of the keystream is correlated to one or more of the n LFSR sequences, then the cryptanalyst can attack individual LFSRs and find their subkeys. So if the keystream is correlated with the sequence produced by $S_i$, then the subkey $K_i$ will be found in at most $M_i$ tries. Hence by divide and conquer, the cryptanalyst can obtain the key in at most

$$M' = \sum_{i=1}^{n} M_i \ll M$$

attempts.

In general, to resist correlation attack, one should ensure that there is no

statistical dependence between any small subset of the n LFSR sequences

and the keystream sequence. This motivated the identification of correlation

immunity:

Let's call the keystream sequence $Z_1, Z_2, \dots$. This sequence is determined as

$$Z_j = f(X_{1j}, X_{2j}, \dots, X_{nj})$$

where $X_j = (X_{1j}, X_{2j}, \dots, X_{nj})$ is the n-tuple of LFSR output digits at time j. Then the combining function f is m-th order correlation immune if every m-tuple obtained by choosing m components from $X_j$ is statistically independent of $Z_j$ for all j = 1, 2, 3, .... This provides an alternate, equivalent definition of the m-th order correlation immunity defined earlier.

To summarize, correlation immunity is desirable for a Boolean function because dependence between the input and output bits can lead to a significant reduction in the complexity of the attack through the "divide and conquer" approach.

Fast correlation attacks, introduced by Meier and Staffelbach in [MS89a], significantly speed up the correlation attack. In fast correlation attacks, the correct initialization of the LFSRs is found in a more efficient way, related to error correcting decoding. Another type of correlation attack, called the conditional correlation attack, has also been discovered and explored in (among others) [And94, LCPP96, Loh03]. We will not describe these attacks further.

It was found that to resist fast correlation attacks on stream ciphers, the filtering function needs to possess high nonlinearity, as shown in [JJ99, MS88, Car06a]. In [Car06a] Carlet observes that, just like filtering functions, combining functions (when used in stream ciphers) should also be highly nonlinear. It was shown by Canteaut and Trabbia in [CT00] and Canteaut in [Can02] that highly nonlinear combining functions are useful to thwart fast correlation attacks as much as possible. Highly nonlinear m-resilient Boolean functions have the property that the coefficient $\chi_f(u)$ is very small for every vector u of Hamming weight higher than, but close to, m, and this property makes fast correlation attacks as inefficient as possible.

Siegenthaler [Sei84] proved a fundamental relation between the number of variables n, the degree d and the order of correlation immunity m of a Boolean function:

$$m + d \le n.$$

In addition, if the function is balanced then

$$m + d \le n - 1.$$

In [Car06a], Carlet observes that resiliency has been characterized by Xiao and Massey through the Fourier and the Walsh transforms:

Proposition 2.1.2. [XGZ88] Any n-variable Boolean function f is m-resilient if and only if $\chi_f(u) = 0$ for all $u \in F_2^n$ such that $w_H(u) \le m$, where $w_H(u)$ denotes the Hamming weight of u (see appendix for the definition). Equivalently, f is m-resilient if and only if it is balanced and $\hat{f}(u) = 0$ for all $u \in F_2^n$ such that $0 < w_H(u) \le m$.

We do not describe the proof here. A clear proof of this proposition can be found in [Car06a] as well as in the original paper.

The resiliency order of a function is not an affine invariant [Car06a].

5. Algebraic thickness [Car04b]: The algebraic thickness Γ(f) of a Boolean function f is the minimum number of monomials with nonzero coefficients in the ANF of the functions f ∘ A, where A ranges over the general affine group. Equivalently, for every Boolean function

$$f(x) = \sum_{u \in F_2^n} a_u \Big(\prod_{i=1}^{n} x_i^{u_i}\Big)$$

the parameter Γ(f) is the minimum number of monomials in the ANF of the functions

$$\sum_{u \in F_2^n} a_u \Big(\prod_{i=1}^{n} (l_i(x))^{u_i}\Big)$$

where the $l_i$ are affine functions whose linear parts are linearly independent.

Motivation: As mentioned earlier, it is desirable for a function to have many

monomials in its ANF to resist known attacks [Rue86, Mas69]. However, the

number of monomials in the ANF of a function is not an affine invariant. This

motivated the identification of the property of ’Algebraic thickness’ which is

an affine invariant.

6. k-Normality [Car04b]: Let k ≤ n. A Boolean function f on $F_2^n$ is called k-normal (respectively k-weakly normal) if there exists a k-dimensional flat on which f is constant (respectively affine). For security, we want non-normality.

Motivation: In [Car04b], Carlet remarks that non-normality is a natural complexity criterion to consider because "complex functions are supposed to be very different from affine functions, and since any affine function is constant on at least one affine hyper-plane, it is natural to expect from a complex function to be non-constant on any flat of some low dimension". This complexity criterion is not yet related to explicit attacks on ciphers, but this is not new: degree and nonlinearity were also identified as important cryptographic criteria before they were explicitly related to attacks.

7. Algebraic Immunity [MPC04]: Let g be the lowest degree function such that g annihilates f or f + 1, i.e. g ∗ f = 0 or g ∗ (f + 1) = 0, where ∗ denotes multiplication. If g has degree d, then the algebraic immunity of the function f is d.

Motivation: In [CM03], the authors describe an algebraic attack by obtaining

a very overdefined system of equations involving plaintext, ciphertext and key

bits. We know that the cipher can be described by a system of multivariate

polynomial equations in plaintext, ciphertext and key bits. The system can be

attacked if the attacker is able to obtain a very overdefined system of equations

from the given equations. Moreover, this attack can become very efficient if

this overdefined system is of low degree. In [CM03], the authors describe how

such low degree relations can be found by multiplying the output function of

the cipher by a well chosen low degree function such that the product function

is also of low degree. They also describe three scenarios under which such low

degree relations may exist. In [MPC04], the authors collapse these into two

scenarios by proving that two of the original three are equivalent. The two

scenarios are as follows:

Say f has high degree.

(a) Assume that there exists a function g of low degree such that f ∗ g = h

is a nonzero function of low degree.

(b) Assume there exists a function g of low degree such that f ∗ g = 0.

We refer to these as AA scenario 1 and AA scenario 2 respectively in the rest

of this survey. There is a useful relation between these two scenarios as shown

below:


Proposition 2.1.3. [MPC04] Assume that $f * g = h \neq 0$ holds for some functions g and h of degrees at most d (AA scenario 1). Suppose in addition that $g \neq h$. Then there is a function $g'$ of degree at most d such that $f * g' = 0$ (AA scenario 2).

Proof. We know that over $F_2$, $f^2 = f$, hence $f * g = f^2 * g = f * (f * g) = f * h$. Hence $f * (g + h) = 0$.

This argument shows we can restrict ourselves to the following two cases:

1. AA scenario 2, and

2. AA scenario 1 with g = h.

But if g = h, then f ∗ g = h = g, which means (f + 1) ∗ g = 0, which is AA scenario 2 for the function f + 1.

Resistance to algebraic attacks thus requires that neither f nor f + 1 has an annihilating function of low degree. This motivated the definition of algebraic immunity given above.

In [CM03], Courtois and Meier showed that given any n-variable Boolean function f, it is always possible to get a Boolean function g with degree at most $\lceil n/2 \rceil$ such that f ∗ g has degree at most $\lceil n/2 \rceil$. Thus

$$AI(f) \le \lceil n/2 \rceil.$$

In [CDGM06], the authors show that if a function has low nonlinearity then

it must also have low algebraic immunity. Hence if one chooses a function

with good algebraic immunity then this will automatically provide nonlinearity

which is not low. Algebraic immunity is an affine invariant.
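As an added Python example (not the thesis's code), the following computes from a truth table the criteria discussed in items 2, 3, 4 and 7 above: the Walsh spectrum and nonlinearity (equation 2.1), the resiliency order via Proposition 2.1.2, the algebraic degree via the ANF, and the algebraic immunity by searching for low degree annihilators of f and f + 1 with linear algebra over $F_2$. The sample functions (majority in three variables, a linear function, and the bent function $x_0x_1 + x_2x_3$) are constructed for the example.

```python
def truth_table(f, n):
    """Truth table of an n-variable Boolean function, indexed by x = sum_i x_i 2^i."""
    return [f(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]


def walsh_spectrum(tt):
    """chi_f(a) = sum_x (-1)^(f(x) + a.x) for every a, by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """NL(f) = 2^(n-1) - max_a |chi_f(a)| / 2  (equation 2.1)."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def resiliency_order(tt, n):
    """Largest m with chi_f(u) = 0 for every u of weight <= m (Proposition 2.1.2).
    Returns -1 when f is not even balanced (chi_f(0) != 0)."""
    w = walsh_spectrum(tt)
    m = -1
    while m < n and all(w[u] == 0 for u in range(1 << n) if bin(u).count("1") <= m + 1):
        m += 1
    return m


def anf(tt):
    """Coefficients of the algebraic normal form (Mobius transform):
    a[u] = 1 iff the monomial prod_{i in u} x_i appears in f."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a


def algebraic_degree(tt):
    return max((bin(u).count("1") for u, c in enumerate(anf(tt)) if c), default=0)


def gf2_rank(rows):
    """Rank over F2 of a matrix given as a list of row bitmasks (Gaussian elimination)."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot                      # pivot column = lowest set bit
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def has_annihilator(tt, n, d):
    """Is there a nonzero g with deg g <= d and g * f = 0?  Such a g must vanish
    on supp(f); write g as a combination of the monomials of degree <= d and ask
    whether the resulting homogeneous linear system has a nontrivial solution."""
    monomials = [u for u in range(1 << n) if bin(u).count("1") <= d]
    rows = []
    for x, bit in enumerate(tt):
        if bit:
            # the monomial x^u evaluates to 1 at x exactly when u is a subset of x
            rows.append(sum(1 << c for c, u in enumerate(monomials) if u & x == u))
    return gf2_rank(rows) < len(monomials)


def algebraic_immunity(tt, n):
    """Lowest degree of a nonzero annihilator of f or of f + 1 (item 7)."""
    comp = [1 - b for b in tt]
    for d in range(n + 1):
        if has_annihilator(tt, n, d) or has_annihilator(comp, n, d):
            return d
    return n


def profile(f, n):
    tt = truth_table(f, n)
    return {"balanced": 2 * sum(tt) == len(tt), "degree": algebraic_degree(tt),
            "nonlinearity": nonlinearity(tt), "resiliency": resiliency_order(tt, n),
            "algebraic_immunity": algebraic_immunity(tt, n)}


# Constructed sample functions for the example.
MAJORITY3 = lambda x0, x1, x2: (x0 & x1) ^ (x1 & x2) ^ (x0 & x2)
LINEAR3 = lambda x0, x1, x2: x0 ^ x1 ^ x2
BENT4 = lambda x0, x1, x2, x3: (x0 & x1) ^ (x2 & x3)

if __name__ == "__main__":
    for name, f, n in (("majority3", MAJORITY3, 3), ("linear3", LINEAR3, 3), ("bent4", BENT4, 4)):
        print(name, profile(f, n))
```

The bent function shows the universal bound $2^{n-1} - 2^{n/2-1} = 6$ being met at the price of balancedness, and the linear function shows that maximal resiliency (n − 1 = 2) comes with zero nonlinearity.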

8. Strict avalanche criterion (SAC) and propagation criterion (PC) [Car06a]:

For completeness, we first define the derivative of a function:

Let f be an n-variable Boolean function and let b be any vector in $F_2^n$. The Boolean function $D_b f(x) = f(x) \oplus f(x + b)$ is called the derivative of f with respect to the direction b, where ⊕ denotes addition over $F_2$.

Now we define SAC and PC:

Let f be a Boolean function on $F_2^n$ and $E \subset F_2^n$. The function f satisfies the propagation criterion PC with respect to E if for all $a \in E$ the derivative $D_a f(x) = f(x) \oplus f(a + x)$ is balanced. It satisfies PC(l) if it satisfies PC with respect to the set of all nonzero vectors of weight at most l. The case l = 1 is of special importance and is referred to as the Strict Avalanche Criterion (SAC) (see appendix for the definition of the derivative of a Boolean function).

Motivation: Propagation characteristics (SAC and PC) are useful to consider while designing cryptographically strong Boolean functions because they provide "diffusion" to the cipher. We know that Boolean functions used in ciphers need to be very sensitive to changes in inputs, and propagation characteristics quantify this intuition. The Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares [WT85] and this concept was generalized into the Propagation Criterion (PC) by Bart Preneel [PLL+90]. The SAC, and its generalizations, are based on the properties of the derivatives of Boolean functions. These properties describe the behavior of a function whenever some coordinates of the input are complemented. These criteria are not affine invariants in general [Car06a].

A good Boolean function must possess a ”good combination” of the above properties

to be useful in ciphers.

2.2 About the cryptographic complexity of Boolean functions

It is now known that random functions are almost surely highly complex. As is well

known, almost all Boolean functions have high circuit complexity. This was called

the Shannon effect by Lupanov [Lup70]. The Shannon effect holds for cryptographic

complexity as well, as we describe below.

Asymptotically, almost all Boolean functions have "high" algebraic degrees, that is, algebraic degrees ≥ n − 1. We can prove this using a simple counting argument. The number of Boolean functions of algebraic degree at most n − 2 equals

$$2^{\sum_{i=0}^{n-2} \binom{n}{i}} = 2^{2^n - n - 1},$$

and this number is very small compared to the $2^{2^n}$ Boolean functions.

In [OS98], Stanek and Olejar show that almost all Boolean functions exhibit

high cryptographic complexity with respect to balancedness, nonlinearity, correla-

tion immunity and propagation characteristics. We broadly state the results here

without proof. The interested reader is referred to [OS98].

1. Balancedness: The number of balanced Boolean functions among all Boolean functions over $F_2^n$ is $\binom{2^n}{2^{n-1}}$. By Stirling's formula we get

$$\binom{2^n}{2^{n-1}} = \frac{2^{2^n}}{\sqrt{\pi \cdot 2^{n-1}}}\,(1 - O(2^{-n})) \quad \text{[OS98]}.$$

The fraction of balanced Boolean functions compared to all Boolean functions is $\frac{1 - O(2^{-n})}{\sqrt{\pi \cdot 2^{n-1}}}$, which goes to 0 as n goes to ∞. Thus the number of balanced Boolean functions is negligible with respect to the total number of Boolean functions over $F_2^n$. For most Boolean functions however, if we relax the rigidity of balancedness, we obtain something interesting. The following theorem holds even if, instead of the uniform distribution over all Boolean functions of n variables, we consider the binomial distribution with arbitrary p ∈ (0, 1). Note that in the case of the uniform distribution p = 1/2:

Theorem 2.2.1. [OS98] Let f be an n-ary Boolean function, φ(n) be an arbitrary function such that φ(n) → ∞ as n → ∞, and let p ∈ (0, 1). Then,

$$p \cdot 2^n - 2^{n/2} \cdot \varphi(n) < w_H(f) < p \cdot 2^n + 2^{n/2} \cdot \varphi(n)$$

almost surely. Here $w_H(f)$ denotes the Hamming weight of f, or the number of inputs x to f such that f(x) = 1.

Proof. The Hamming weight of f, $w_H(f)$, can be considered as a random variable binomially distributed over the set $\{0, 1, \dots, 2^n\}$. Let $0 \le k \le 2^n$. Then,

$$\Pr(w_H(f) = k) = \binom{2^n}{k} p^k (1 - p)^{2^n - k}.$$

For convenience, we denote $w_H(f)$ by w. By Chebyshev's inequality, we have

$$\Pr(|w - E(w)| \ge c\sigma) \le \frac{1}{c^2}$$

where $\sigma^2$ is the variance of w and c is some real number. Since w has a binomial distribution, we get $E(w) = p \cdot 2^n$ and $\sigma^2 = p \cdot (1 - p) \cdot 2^n$. Let $c = \frac{\varphi(n)}{\sqrt{p \cdot (1 - p)}}$. So we get

$$\Pr\big(|w - p \cdot 2^n| \ge \varphi(n) \cdot 2^{n/2}\big) \le \frac{p \cdot (1 - p)}{\varphi^2(n)}.$$

Clearly $\frac{p \cdot (1 - p)}{\varphi^2(n)}$ tends to 0 as n tends to ∞. Hence $\Pr(|w - p \cdot 2^n| < \varphi(n) \cdot 2^{n/2})$ tends to 1 as n tends to ∞. So we can say that $|w - p \cdot 2^n| < \varphi(n) \cdot 2^{n/2}$ almost surely, which implies the statement of the theorem.

2. Nonlinearity: Olejar and Stanek show that almost all Boolean functions have "high" nonlinearities [OS98]. Specifically, almost all Boolean functions over $F_2^n$ have nonlinearities greater than $2^{n-1} - \sqrt{n} \cdot 2^{(n-1)/2}$. Carlet in [Car06b] generalizes their result to the nonlinearity profile. The best known asymptotic upper bound has been given in [CM07]:

$$\max_f NL_r(f) \le 2^{n-1} - \frac{\sqrt{15}}{2} \cdot (1 + \sqrt{2})^{r-2} \cdot 2^{n/2} + O(n^{r-2}) \qquad (2.5)$$

3. Correlation Immunity: Similarly, Olejar and Stanek show that almost all Boolean functions are "almost correlation immune" [OS98]. They introduce a new property called the counted correlation characteristic, abbreviated CCC, which is closely related to correlation immunity, and provide a lower bound for it. They prove that any n-ary Boolean function f satisfies this bound "almost surely" (or with probability close to 1), from which they conclude that almost all Boolean functions are almost correlation immune. We will not explain this in further detail and refer the reader to [OS98].

4. Propagation Characteristics: Very few Boolean functions satisfy SAC but if

we replace the strict condition of balancedness in the definition of SAC by

”near-balancedness” then there is a large set of Boolean functions which are

”strong enough for cryptographic applications”.

Carlet showed in [Car06b] that asymptotically almost all Boolean functions also have high algebraic thicknesses and are highly non-normal. In [Car04b], Carlet improved upon his previous result and showed that almost all Boolean functions have algebraic thicknesses greater than $2^{n-1} - n \cdot 2^{(n-1)/2}$.

In [MPC04], the authors propose an algorithm for determining whether a given function f admits annihilators of degree ≤ d, i.e. whether f has algebraic immunity ≤ d (note that the algorithm becomes infeasible for values n ≥ 32 and d ≥ 6). The authors also bound the probability that a given function will have low algebraic immunity:

Theorem 2.2.2. [MPC04] There is a constant c, with c ≈ 0.22, such that for any sequence $d_n$ of positive integers with $d_n \le c \cdot n$,

$$\Pr(AI(f) \le d_n) \to 0 \quad \text{as } n \to \infty.$$

Thus for a random function f , with a large number of inputs n ≥ 18, low alge-

braic immunity is very unlikely. However, some functions that are used in ciphers, for

example, degree optimized functions from the Maiorana MacFarland family, which

satisfy several cryptographic complexity criteria were found to have low algebraic

immunity [MPC04]. This suggests a potential tradeoff between previously known

criteria like nonlinearity, correlation immunity and others with algebraic immunity.

Since a cryptographically strong Boolean function must possess a good combination of the above properties, it is important to understand the relationships between these cryptographic properties. Briefly, we state a few such relations here without proof.

In [Car02], Carlet nicely summarizes some of the relations between cryptographic properties as follows: Siegenthaler's inequality [Sei84] states that any m-th order correlation immune function in n variables has degree at most n − m, that any m-resilient function (0 ≤ m < n − 1) has algebraic degree smaller than or equal to n − m − 1, and that any (n − 1)-resilient function has algebraic degree 1. Sarkar and Maitra [SM00b] have shown that the nonlinearity of any m-resilient function (m ≤ n − 2) is divisible by $2^{m+1}$, and this has led to an upper bound on the nonlinearity of m-resilient functions: the nonlinearity of any m-resilient function is smaller than or equal to $2^{n-1} - 2^{m+1}$ if $\frac{n}{2} - 1 < m + 1$. If $\frac{n}{2} - 1 \ge m + 1$, then the nonlinearity is bounded by $2^{n-1} - 2^{n/2-1} - 2^{m+1}$ if n is even and by $2^{n-1} - 2^{m+1} \lceil 2^{n/2 - m - 2} \rceil$ if n is odd. If a function achieves this bound (independently obtained by Tarannikov [Tar00] and Zheng and Zhang [ZZ00]), then it also achieves Siegenthaler's bound and the Fourier spectrum of the function then has three values (such functions are often called "plateaued" or "three-valued"; these values are 0 and $\pm 2^{m+2}$). In [KG03], the authors remark that it is desirable for a function to have a 3-valued Hadamard transform because it limits the efficiency of the soft output joint attack of [LZGB02]. Carlet calls these upper bounds Sarkar et al.'s bound. Please see [Car02] for more details; the paper provides a very nice summary of these bounds.

Meier and Staffelbach showed in [MS89b] that maximal nonlinearity and perfect propagation characteristics are equivalent requirements for Boolean functions with an even number of variables. However the functions that satisfy these two properties simultaneously, bent functions, are not balanced and hence not cryptographically strong. In [CCCF00], the authors further investigate the relation between nonlinearity (providing confusion) and propagation characteristics (providing diffusion) and conclude that highly nonlinear functions usually have good propagation characteristics. They also show that most highly nonlinear functions with a three-valued Walsh spectrum can be transformed into 1-resilient functions.

Zheng et al. first showed the following nice relation between non-normality and nonlinearity:

Theorem 2.2.3. [ZZI99] Let f be a weakly k-normal Boolean function on $F_2^n$. Then,

$$NL(f) \le 2^{n-1} - 2^{k-1}.$$

We do not give the proof here and refer the interested reader to [Car04b].

Dalai, Gupta and Maitra showed the following connection between algebraic immunity and nonlinearity, which we state without proof.

Theorem 2.2.4. [DGM04] If $NL(f) < \sum_{i=0}^{d} \binom{n}{i}$, then $AI(f) \le d + 1$, where f is an n-variable Boolean function.

In [Lob05], Lobanov obtained a tight bound between nonlinearity and algebraic immunity:

$$NL(f) \ge 2 \sum_{i=0}^{AI(f) - 2} \binom{n - 1}{i}.$$

Carlet extended the above lower bound into a bound on the general r-th order nonlinearity:

Theorem 2.2.5. [Car06b] Let f be a Boolean function in n variables and let r be a positive integer. The nonlinearity of order r of f satisfies:

$$NL_r(f) \ge 2 \sum_{i=0}^{AI(f) - r - 1} \binom{n - r}{i}.$$

While constructing Boolean functions to be used in ciphers, it is useful to

keep these properties in mind so as to identify suitable tradeoffs.

Chapter 3

Algebraic attacks against symmetric key ciphers

3.1 Algebraic attacks against stream ciphers

3.1.1 Conventional attacks against stream Ciphers

We briefly describe one of the conventional methods of attacking stream ciphers so

that its method might be contrasted with algebraic attacks described later.

Linear Consistency attack: This attack was introduced in [ZYR89]. The

attack is possible if one can separate out some portion of the secret key, say K1 and

write a linear system Ax = b where the matrix A depends on K1 alone, and the

attacker has access to keystream bits in vector b. Then an exhaustive search for K1

can be performed and the correct value for K1 can be determined by plugging each

value into the linear system and checking if the system is consistent. Once K1 is

recovered, the whole key can potentially be recovered via divide and conquer.

This attack has been applied to various stream ciphers as in [FL01, ZYR89]. Other

traditional attacks on stream ciphers are discussed in [BD00, WB02, GBM02, Mul04,

CHJ02].


3.1.2 Setup for algebraic attack

We present in this section a description of a working algebraic attack against a stream cipher. We consider specifically additive stream ciphers, in which the ciphertext is obtained by adding the plaintext bitwise to the keystream. We consider a simplified version of the classical construction of the keystream generator: the generator uses one (typically several) LFSR to implement the linear transition function L and a highly nonlinear Boolean function f as the filtering function. Note that neither f nor L depends on the secret key.

3.1.3 The problem of cryptanalysis

Both L and f are public, only the state of the LFSR is secret.

Let $(k_0, k_1, \dots, k_{n-1})$ be the initial state of the LFSR. Then the generated keystream bits are given by:

$$b_0 = f(k_0, k_1, \dots, k_{n-1}), \quad b_1 = f(L(k_0, k_1, \dots, k_{n-1})), \quad b_2 = f(L(L(k_0, k_1, \dots, k_{n-1}))),$$

and so on, where $b_i$ denotes the bit generated at time slot i. Some of these output bits $b_i$ might become known to the cryptanalyst. The problem of cryptanalysis is to recover the key $k = (k_0, k_1, \dots, k_{n-1})$ from some subset of these output bits $b_i$.

This is considered a hard problem since, as mentioned previously, the problem of solving systems of multivariate polynomial equations is NP-complete even if all the equations are quadratic and the field is $F_2$. When the number of equations is equal to the number of variables, the best known algorithms are exhaustive search for small fields, and Gröbner basis algorithms, which have exponential complexity.

3.1.4 The attack

If the attacker can exploit some inherent algebraic structure of the cipher to get

equations that are overdefined or sparse or have some other similar nice property,

then the system of equations becomes much easier to solve than expected.


The attack we describe below is due to Courtois and Meier [CM03], and is

based on solving ”overdefined” systems of equations of low degree. This is a partially

known plaintext attack, i.e. we know some bits of the plaintext and corresponding

ciphertext bits. The bits do not need to be consecutive. We assume that we have

some m bits of the keystream bi at some known positions.

At time t, the current keystream bit gives an equation f(s) = bt with s being

the current state of the LFSR. The function f(s) is usually of high degree, but

we multiply it by a well chosen multivariate polynomial g(s), such that we get the

product say h(s).

So if bt = 0, f(s) = 0, hence f(s) ∗ g(s) = 0 and we can use AA scenario 1 (refer

to motivation for Algebraic immunity in section 3) to get a low degree equation

h(s) = 0. If bt = 1, we can use AA scenario 2 to get bt = f(s) = 1, hence

f(s) ∗ g(s) = g(s). But f(s) ∗ g(s) = 0 hence g(s) = 0. To make this more formal,

consider:

For each known keystream bit $b_t$ at position t, we have the equation

$$f(s) = b_t, \qquad f(L^t(k_0, k_1, \dots, k_{n-1})) = b_t.$$

Multiplying both sides by a well chosen polynomial g(s), we get

$$f(L^t(k_0, k_1, \dots, k_{n-1}))\, g(L^t(k_0, k_1, \dots, k_{n-1})) = b_t\, g(L^t(k_0, k_1, \dots, k_{n-1})).$$

If $b_t = 0$, then $f(L^t(k_0, \dots, k_{n-1}))\, g(L^t(k_0, \dots, k_{n-1})) = 0$, and we use scenario 1 so that the LHS is of low degree. If $b_t = 1$, then we use scenario 2 to get $\mathrm{LHS} = 0 = g(L^t(k_0, \dots, k_{n-1}))$, and we know the RHS is of low degree. We get one multivariate equation for each keystream bit.

Given m keystream bits, let R be the number of multivariate equations of degree d in the n variables $k_i$. With one g, we get R = m. But if we use several different g's for the same f, we can get R > m. Thus we obtain a very overdefined system of multivariate equations, which can be solved efficiently using techniques like relinearization, XL etc., discussed later in detail.

3.2 Algebraic attacks against block ciphers

Algebraic attacks were quite devastating for public key and stream ciphers. The

question that many people started asking is: do these types of attacks matter also

for block ciphers? First we describe some conventional attacks on block ciphers,

again to contrast with algebraic attacks.

3.2.1 Conventional methods of cryptanalysis against block ciphers

Differential attacks [BS91b]: Differential cryptanalysis is a method which analyzes the effect of particular differences in plaintext pairs on the differences in the resultant ciphertext pairs. These differences can be used to assign probabilities to the possible keys and to locate the most probable key. For a successful differential cryptanalysis attack, the cryptanalyst needs to know an input difference pattern that propagates to an output difference pattern over all but a few rounds of the cipher with a large enough probability (this probability is known as the difference propagation probability). The attacker generally proceeds by encrypting some plaintext, then making particular changes to that plaintext and encrypting it again. The attacker then observes the corresponding differences in the ciphertext and attempts to measure non-random behavior which will help in determining the key. Differential analysis is explored in [YLH98, BS91b, Mat99, KCP00, BS91a].

Linear attacks: Linear attacks were introduced by Mitsuru Matsui in [Mat93]. Basically, the attack works by attempting to find linear approximations of the equations that describe the cipher. Given plaintext and ciphertext pairs, simple linear approximations are created for the relations involving the plaintext, ciphertext and key bits, from which candidate key bits can be derived. Those approximations that tend to hold true are likely to reveal the value of the key for the real cipher, and as more and more plaintext-ciphertext pairs are obtained, the approximations get better and better, and it gets more and more likely that the real key has been found. Linear cryptanalysis of a block cipher starts by finding approximate linear expressions for the S-boxes and then extends these expressions to describe the entire cipher (as was done for the DES cipher by Matsui). These linear expressions are then solved to obtain probable key bits. Linear attacks are discussed in [Mat94, MY92, KR94, YT95, HKM95, TSM95]. A nice survey on linear and differential attacks can be found in [Key02].


3.2.2 How block ciphers resist conventional statistical attacks

Thus, conventional methods of attacking block ciphers like linear and differential cryptanalysis use the "statistical" approach of tracing observed patterns between input-change and corresponding output-change through multiple rounds, and measuring non-random behavior at the output.

We briefly describe here the wide trail strategy, which has been successfully used by the AES designers to resist statistical attacks such as those described above. As described in [DR02], in the "wide trail strategy" the round transformations are composed of two invertible steps:

1. A local non-linear transformation, i.e. a good S-box. This component provides "confusion".

2. A linear transformation that spreads the influence of a modification in the input over all of the output. The way it achieves this is by breaking the block into further "bundles" of bits. The transformation combines the bundles linearly so that each bundle at the output is a linear function of bundles at the input. This ensures that a change in the input bits is spread over a large number of the output bits, providing "diffusion" and confusing statistical analysis.

A new generation of block-ciphers (among them the Advanced Encryption

Standard (AES) Rijndael) were designed to resist statistical attacks, in particular

linear and differential attacks. The task of designing ciphers immune to statistical

attacks is made easier by the fact that the complexity of the attacks grows expo-

nentially with the number of rounds of a cipher. This ensures that the data and the

time requirements of the attacks quickly become impractical.

3.2.3 Algebraic attacks on Block ciphers

Basic Idea: In contrast, algebraic attacks exploit the intrinsic algebraic structure

of the cipher. The attacker is able to express the encryption transformation as a

large set of multivariate polynomial equations, and subsequently attempt to solve

such a system of equations to recover the encryption key.

Where do these equations come from? As discussed earlier, many block ciphers are built using multiple S-boxes (that provide confusion) that are interconnected using simple linear transformations (that provide diffusion). The operation of the S-boxes can be represented by a system of nonlinear equations. New equations can be added to represent the linear transformations that connect these S-boxes, and a system of equations that describes the entire cipher can be obtained. S-boxes often form the only source of non-linearity in a cipher and therefore (usually) provide the main difficulty in solving the system of equations efficiently.

S-boxes are therefore typically carefully chosen to avoid explicit low degree relations involving plaintext, key and ciphertext bits. However, sometimes implicit low degree relations might occur. Typically, combining relations of a certain degree results in equivalent but even more complex new relations which are not useful at all. But sometimes intelligent combining of existing relations might result in new "simplified" relations, for example relations with lower degrees. In [CP02], the authors discuss that the ciphers Serpent and Rijndael, for different reasons, have S-boxes that can be completely represented by "simple" algebraic equations. Building on recent progress in Relinearization techniques (discussed later), the authors argue that a method called XSL might provide a way to effectively solve such equations and recover the key from a few plaintext-ciphertext pairs.

How are these methods different from statistical methods? As discussed in [BC03], the algebraic attack method differs in the following respects from the standard statistical approaches to cryptanalysis:

(a) it requires only a few known-plaintext queries;

(b) its complexity does not seem to grow exponentially with the number of rounds of a cipher.

Structure of Algebraic attacks:

In [Cou04c], Courtois suggests the following three stages in attacking block

ciphers:

1. Write an appropriate initial system: Write a system of equations that, given one or several known plaintexts, uniquely characterizes the key. This system should be as overdefined and as sparse as possible. This can be measured by the initial ratio R_ini/T_ini between the number of equations R_ini in the system and the total number of monomials T_ini that appear in it. It is not clear what the optimal setting for algebraic attacks is. Note that we care about the number of monomials in these equations because the XSL method described later can attack systems of equations with a small number of monomials (sparse equations).

2. Expand it: The second step is an expansion step. The goal is, starting from the original R_ini equations with T_ini monomials, to produce (for example by multiplying the equations by some well chosen polynomials) another (much bigger) set of R equations with T monomials. The goal is to have the new ratio R/T close to (or bigger than) 1.

3. Final in place elimination: The final step should be an in place elimination

method that given an almost saturated system with R/T close to 1, finds a

solution to the system.
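As an added example of where the S-box equations of stage 1 come from (code written for this page, not from the thesis, [CP02] or [Cou04c]), the following Python derives the low degree relations of an S-box by linear algebra: it evaluates every monomial of degree at most 2 in the input bits x_0..x_3 and output bits y_0..y_3 on all 16 pairs (x, S(x)) and takes the kernel of the resulting 16 × 37 matrix over F_2. Every kernel vector is a quadratic relation that holds for all input/output pairs; since the matrix has only 16 rows, any 4-bit S-box admits at least 37 − 16 = 21 such relations. It also computes Courtois' initial ratio R_ini/T_ini for the system found. The 4-bit PRESENT S-box is used as a small stand-in (the same code applies unchanged to an 8-bit S-box with 256 rows), and as an extension not covered by the text the monomial set can be restricted, e.g. to the bi-affine monomials 1, x_i, y_j, x_i y_j.

```python
from itertools import combinations

# 4-bit PRESENT S-box, used here only as a small stand-in for a cipher S-box
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def bits(v, n):
    """Little-endian bit list of v: bit i is variable i."""
    return [(v >> i) & 1 for i in range(n)]

def monomials(nvars, max_deg=2):
    """All monomials of degree <= max_deg, each as a sorted tuple of variable indices."""
    return [c for d in range(max_deg + 1) for c in combinations(range(nvars), d)]

def biaffine_monomials(n):
    """Restricted set 1, x_i, y_j, x_i*y_j (variables 0..n-1 are x, n..2n-1 are y)."""
    xs, ys = range(n), range(n, 2 * n)
    return [()] + [(i,) for i in xs] + [(j,) for j in ys] + [(i, j) for i in xs for j in ys]

def evaluation_rows(sbox, n, mons):
    """One row per input x: value of every monomial on (x_0..x_{n-1}, y_0..y_{n-1}), y = S(x).
    Rows are bitmasks; bit j of a row is the value of mons[j]."""
    rows = []
    for x in range(1 << n):
        v = bits(x, n) + bits(sbox[x], n)
        rows.append(sum(all(v[i] for i in m) << j for j, m in enumerate(mons)))
    return rows

def nullspace_gf2(rows, ncols):
    """Basis of {c : row . c = 0 for every row} over F_2, via reduced row echelon form."""
    pivots = {}                                  # pivot column -> fully reduced row
    for r in rows:
        for c, pr in pivots.items():             # clear the existing pivot columns from r
            if r >> c & 1:
                r ^= pr
        if r:
            c = (r & -r).bit_length() - 1        # new pivot column: lowest set bit
            for k in list(pivots):               # keep the other pivot rows clear in column c
                if pivots[k] >> c & 1:
                    pivots[k] ^= r
            pivots[c] = r
    basis = []
    for free in range(ncols):                    # one kernel vector per non-pivot column
        if free not in pivots:
            vec = 1 << free
            for c, pr in pivots.items():
                if pr >> free & 1:
                    vec |= 1 << c
            basis.append(vec)
    return basis

def sbox_equations(sbox, n=4, mons=None):
    """All F_2-linear relations among the given monomials that hold for every (x, S(x))."""
    mons = mons or monomials(2 * n)
    rows = evaluation_rows(sbox, n, mons)
    return [[mons[j] for j in range(len(mons)) if vec >> j & 1]
            for vec in nullspace_gf2(rows, len(mons))]

def equations_hold(sbox, eqs, n=4):
    """Sanity check: every equation sums to 0 mod 2 on every (x, S(x))."""
    for x in range(1 << n):
        v = bits(x, n) + bits(sbox[x], n)
        if any(sum(all(v[i] for i in m) for m in eq) % 2 for eq in eqs):
            return False
    return True

def initial_ratio(eqs):
    """Courtois' R_ini / T_ini: number of equations over number of distinct monomials used."""
    terms = {m for eq in eqs for m in eq}
    return len(eqs), len(terms), len(eqs) / len(terms)

def pretty(eq, n=4):
    name = lambda i: f"x{i}" if i < n else f"y{i - n}"
    return " + ".join("*".join(name(i) for i in m) or "1" for m in eq) + " = 0"

if __name__ == "__main__":
    eqs = sbox_equations(PRESENT_SBOX)
    print(len(eqs), "quadratic equations; (R_ini, T_ini, ratio) =", initial_ratio(eqs))
    for eq in eqs[:3]:
        print("  ", pretty(eq))
    print(len(sbox_equations(PRESENT_SBOX, mons=biaffine_monomials(4))), "bi-affine equations")
```

The kernel basis returned is one of many; the number of equations is fixed, but which monomials appear (and hence T_ini) depends on the basis, which is one reason the "optimal setting" mentioned above is hard to pin down.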

How to avoid algebraic attacks on block ciphers: In [Cou04c], Courtois proposes that to avoid algebraic attacks on block ciphers, the S-boxes of the block cipher should avoid the existence of "too simple" algebraic relations. The exact definition of "simple" that would prevent all algebraic attacks on block ciphers is not obvious to give. But for example, systems that are too overdefined or too sparse should be avoided. Courtois says that this should not be too hard to achieve. He says that using random S-boxes on 8 bits should be about sufficient to achieve 128 bit security (though not for sure). He recommends constructing bigger S-boxes that have no algebraic relations starting from random bijective 8-bit S-boxes, and for higher security requirements using random S-boxes of at least 16 bits.


Chapter 4

Solving systems of multivariate

equations

4.1 The Quadratic Solvability problem

As we described earlier, algebraic attacks are especially relevant against ciphers that use the hardness of the problem of solving multivariate polynomial equations as the basis for security. We also mentioned that this problem (called MQ) is NP complete. Here we provide the reduction from 3-SAT to MQ, following [HPS93].

Let p be a fixed prime. We consider the following problem: an instance is a set of polynomial equations P of degree at most two in n unknowns over F_p,

P_i(x_1, ..., x_n) = 0 for i ∈ {1, 2, ..., s}.

The problem is to find an assignment to the variables which satisfies all the equations.

Theorem 4.1.1. [GJ79] MQ is NP complete over any finite field.

Proof. We show a polynomial time reduction from 3-SAT to MQ over F_2. We are given a conjunction of clauses C_1 ∧ C_2 ∧ C_3 ∧ ..., each of the form C_i = t_i1 ∨ t_i2 ∨ t_i3, where the t_ij are literals, i.e. positive or negated variables. We write three equations for each clause C_i:

1. y_i = t_i1 + t_i2 + t_i3 (an odd number of the literals are true)

2. z_i = t_i1 t_i2 + t_i1 t_i3 + t_i2 t_i3 (at least two of the literals are true)

3. y_i + z_i + y_i z_i = 1 (one or both of the above must be satisfied, i.e. y_i ∨ z_i, which holds exactly when at least one literal is true)

where if t_ij is a positive variable x_j, then we use x_j directly in the equations above, otherwise 1 + x_j (which equals 1 − x_j over F_2). All three equations have degree at most two, and for every assignment of the x_j the values y_i and z_i are determined by equations 1 and 2, so the system is solvable exactly when the formula is satisfiable.

If we want a field bigger than F_2, then we need to add additional equations of the form x_j(1 − x_j) = 0 for each variable. This will force 0/1-values in the solution. Note that equations 1 and 2 also rely on addition being XOR, so for p > 2 the encoding of the clauses has to be adjusted accordingly.
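As an added illustration of the reduction above (example code written for this page, not from the thesis or [HPS93]), the following Python builds the quadratic system for a 3-CNF formula over F_2 and checks, by brute force on two small constructed instances, that the system has a solution exactly when the formula is satisfiable. Polynomials are sets of monomials, each monomial a frozenset of variable indices (the empty frozenset is the constant 1), so addition is symmetric difference and x_j^2 = x_j is built into multiplication; the literal ¬x_j is the polynomial 1 + x_j. Literals use DIMACS conventions: +j is x_j, −j is ¬x_j, with j counted from 1.

```python
from itertools import product

def var(i):
    return {frozenset([i])}

def one():
    return {frozenset()}

def add(*polys):
    """Sum over F_2: symmetric difference of the monomial sets."""
    out = set()
    for p in polys:
        out ^= p
    return out

def mul(p, q):
    """Product over F_2, reduced with x^2 = x (union of index sets)."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}
    return out

def evaluate(poly, x):
    return sum(all(x[i] for i in m) for m in poly) % 2

def literal(lit):
    """+j -> x_{j-1}, -j -> 1 + x_{j-1}."""
    j = abs(lit) - 1
    return var(j) if lit > 0 else add(one(), var(j))

def three_sat_to_mq(clauses, nvars):
    """Three quadratic equations (polynomial = 0) per clause, as in the proof above.
    x_j are variables 0..nvars-1; y_i, z_i get indices nvars + 2i and nvars + 2i + 1."""
    system = []
    for i, (l1, l2, l3) in enumerate(clauses):
        t1, t2, t3 = literal(l1), literal(l2), literal(l3)
        y, z = var(nvars + 2 * i), var(nvars + 2 * i + 1)
        system.append(add(y, t1, t2, t3))                              # y_i = t1 + t2 + t3
        system.append(add(z, mul(t1, t2), mul(t1, t3), mul(t2, t3)))    # z_i = t1t2 + t1t3 + t2t3
        system.append(add(y, z, mul(y, z), one()))                     # y_i + z_i + y_i z_i = 1
    return system, nvars + 2 * len(clauses)

def max_degree(system):
    return max(len(m) for p in system for m in p)

def mq_satisfiable(system, nvars):
    """Brute force over all variables (fine for the tiny instances below)."""
    return any(all(evaluate(p, x) == 0 for p in system)
               for x in product((0, 1), repeat=nvars))

def cnf_satisfiable(clauses, nvars):
    return any(all(any(x[abs(l) - 1] ^ (l < 0) for l in c) for c in clauses)
               for x in product((0, 1), repeat=nvars))

# Constructed instances (not from the thesis): one satisfiable, one not.
SAT_FORMULA = [(1, 2, -3), (-1, 2, 3), (1, -2, 3)]
UNSAT_FORMULA = [(1, 2, 2), (1, -2, -2), (-1, 2, 2), (-1, -2, -2)]

if __name__ == "__main__":
    for name, clauses, n in (("sat", SAT_FORMULA, 3), ("unsat", UNSAT_FORMULA, 2)):
        system, total = three_sat_to_mq(clauses, n)
        print(name, "-> MQ with", len(system), "equations of degree", max_degree(system),
              "in", total, "variables; solvable:", mq_satisfiable(system, total))
```

Repeated literals in a clause (as in the unsatisfiable instance) are handled correctly by the same three equations, since t + t = 0 and t·t = t over F_2.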

4.2 Methods of solving systems of multivariate polynomial equations

We know that algebraic attacks rely on being able to exploit some intrinsic algebraic

structure of the cipher to set up a feasible system of equations involving the plaintext,

ciphertext and key bits, and then endeavor to solve this system. Briefly discussed

here are some of the main ideas and algorithms used to solve such systems. We

provide only a brief overview of each method and refer the reader to the appropriate

papers for detailed algorithms.

1. Linearization method.

2. Relinearization

3. XL method

4. XSL method

5. Grobner basis techniques

6. SAT solvers

7. ”Gluing” algorithm

4.2.1 Linearization

Linearization is a technique for solving very overdefined systems of quadratic equa-

tions. It works by substituting each nonlinear term by a new variable, thus convert-

ing a nonlinear system of equations into a linear system with many more unknowns.

If the system is sufficiently overdefined, then it can be solved by standard methods

such as Gaussian elimination.

More precisely, consider a system of m = εn^2 quadratic equations in n variables. We substitute every quadratic term x_i x_j (i ≤ j) by a new variable, which gives n(n + 1)/2 new variables. Now we have a linear system of εn^2 equations in ≈ n^2/2 new variables, which can be solved by Gaussian elimination if m ≥ n(n + 1)/2 independent equations are available, or equivalently (roughly) if ε ≥ 0.5.

But since ε < 0.5 in real applications, the number of equations is often not big enough, and the linear system has exponentially many solutions which do not correspond to solutions of the original quadratic system.
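The following Python is an added worked example that serves both the filter-generator attack of Section 3.1 and the linearization method just described; it was written for this page, and the register, the filter f and the multiplier g are toy choices, not taken from the thesis or from any deployed cipher. An 8-bit LFSR with feedback polynomial x^8 + x^4 + x^3 + x^2 + 1 is filtered by f(s) = s_0 s_1 s_2 + s_3, of degree 3. The multiplier g(s) = s_0 + 1 gives f·g = h with h(s) = s_0 s_3 + s_3 of degree 2 (scenario 1; the identity is checked by truth table), so every known keystream bit b_t yields the degree-2 equation h(L^t k) + b_t·g(L^t k) = 0 in the initial state k. The state bits at time t are tracked symbolically as linear forms in k_0, ..., k_7; each of the 8 + 28 = 36 monomials of degree at most 2 becomes one unknown; the rows are reduced by Gaussian elimination over F_2; and the candidates left by any free columns, i.e. the spurious solutions of an underdefined linearized system, are eliminated by re-running the generator.

```python
import random
from itertools import combinations, product

N = 8                          # LFSR length; the secret is the initial state k_0..k_7
FILTER_TAPS = (0, 1, 2, 3)     # state positions fed to the filter f (toy choice)

def f(x0, x1, x2, x3): return (x0 & x1 & x2) ^ x3   # filter, degree 3 (toy choice)
def g(x0): return x0 ^ 1                            # multiplier, degree 1
def h(x0, x3): return (x0 & x3) ^ x3                # f*g reduced with x0^2 = x0: degree 2

def multiplier_identity_holds():
    """Truth-table check of scenario 1: f(s)*g(s) == h(s) for all 16 values of the taps."""
    return all(f(a, b, c, d) & g(a) == h(a, d) for a, b, c, d in product((0, 1), repeat=4))

def clock(state):
    """Fibonacci LFSR step for x^8+x^4+x^3+x^2+1: s_{t+8} = s_t + s_{t+2} + s_{t+3} + s_{t+4}.
    Works on bits and on symbolic bitmasks alike, since both combine by XOR."""
    return state[1:] + [state[0] ^ state[2] ^ state[3] ^ state[4]]

def keystream(init_state, m):
    """Filter generator: b_t = f(s_t) for t = 0..m-1."""
    s, out = list(init_state), []
    for _ in range(m):
        out.append(f(*(s[i] for i in FILTER_TAPS)))
        s = clock(s)
    return out

def symbolic_states(m):
    """State bit i at time t as the linear form e_i^T L^t k, encoded as a bitmask over k."""
    s, states = [1 << i for i in range(N)], []
    for _ in range(m):
        states.append(s)
        s = clock(s)
    return states

# Linearization: every monomial of degree 1 or 2 in k is one column (8 + 28 = 36 unknowns).
MONOMIALS = [frozenset(c) for d in (1, 2) for c in combinations(range(N), d)]
COL = {mon: j for j, mon in enumerate(MONOMIALS)}

def lin(mask):
    """Linear form (bitmask) as a set of degree-1 monomials."""
    return {frozenset([i]) for i in range(N) if mask >> i & 1}

def mul(mask_a, mask_b):
    """Product of two linear forms over F_2, reduced with k_i^2 = k_i."""
    poly = set()
    for i in range(N):
        for j in range(N):
            if mask_a >> i & 1 and mask_b >> j & 1:
                poly ^= {frozenset([i, j])}
    return poly

def equation_row(sym_state, bit):
    """h(s_t) + b_t*g(s_t) = 0 with s_t = L^t k, as (column bitmask, right-hand side)."""
    s0, s3 = sym_state[0], sym_state[3]
    poly = mul(s0, s3) ^ lin(s3)                # h = s0*s3 + s3
    if bit:
        poly ^= lin(s0) ^ {frozenset()}         # b_t * g = s0 + 1
    mask = sum(1 << COL[mon] for mon in poly if mon)
    return mask, int(frozenset() in poly)

def rref_gf2(rows):
    """Gaussian elimination over F_2: {pivot column: (reduced row, rhs)}, or None if inconsistent."""
    pivots = {}
    for mask, rhs in rows:
        for c, (pm, pr) in pivots.items():
            if mask >> c & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                return None
            continue
        c = (mask & -mask).bit_length() - 1
        for k in list(pivots):
            if pivots[k][0] >> c & 1:
                pivots[k] = (pivots[k][0] ^ mask, pivots[k][1] ^ rhs)
        pivots[c] = (mask, rhs)
    return pivots

def recover_state(bits, max_free=14):
    """Algebraic attack: linearize, eliminate, then test the candidates left by free columns."""
    rows = [equation_row(s, b) for s, b in zip(symbolic_states(len(bits)), bits)]
    pivots = rref_gf2(rows)
    if pivots is None:
        return None
    free = [c for c in range(len(MONOMIALS)) if c not in pivots]
    if len(free) > max_free:
        return None                             # too underdefined: would need XL/more bits
    for assign in product((0, 1), repeat=len(free)):
        fmask = sum(v << c for c, v in zip(free, assign))
        val = dict(zip(free, assign))
        for c, (pm, pr) in pivots.items():
            val[c] = pr ^ (bin(pm & fmask).count("1") & 1)
        cand = [val[COL[frozenset([i])]] for i in range(N)]
        if keystream(cand, len(bits)) == bits:  # spurious linearized solutions fail this check
            return cand
    return None

def demo(seed=2024, m=200):
    """Plant a random initial state, give the attacker m keystream bits, recover the state."""
    rng = random.Random(seed)
    secret = [rng.randint(0, 1) for _ in range(N)]
    return secret, recover_state(keystream(secret, m))
```

Only the linear columns k_i are read off; the product columns are the "new variables" of the linearization, and nothing forces them to equal the corresponding products, which is exactly why a rank-deficient system admits solutions that no initial state produces.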

4.2.2 Relinearization

As described in [CKPS00], at Crypto 99 Kipnis and Shamir [KS99] introduced a new method for solving overdefined systems of polynomial equations, called Relinearization. It was designed to handle systems of εn^2 quadratic equations in n variables where 0 ≤ ε ≤ 1/2.

Relinearization starts as linearization does, that is by replacing quadratic terms by new variables (for every x_i x_j, i ≤ j, create a new variable y_ij). Given this system of linear equations in the y_ij, one adds additional nonlinear equations which express the fact that these variables are related rather than independent. For example, we can take any 4-tuple of indices

1 ≤ a ≤ b ≤ c ≤ d ≤ n

and form new equations based on the commutativity of multiplication:

(x_a x_b)(x_c x_d) = (x_a x_c)(x_b x_d) = (x_a x_d)(x_b x_c), hence y_ab y_cd = y_ac y_bd = y_ad y_bc.

Thus we have increased the number of equations, though these new equations are nonlinear. To make them linear, one applies linearization again.

Kipnis and Shamir used Relinearization to attack the HFE cryptosystem, based on the observation that any given system of n multivariate polynomials in n variables over a field F can be represented by a single univariate polynomial of a special form over K, an extension field of degree n over F [KS99]. However, the technique of Relinearization is quite general and may be applied to other ciphers as well.

The problem with Relinearization is that we might get linearly dependent equations if ε is "too small" (e.g. ε < 0.1). For more details, we refer the reader to [KS99].


4.2.3 XL algorithm

The XL (eXtended Linearization) technique can be viewed as a combination of bounded degree Grobner bases and linearization. XL was introduced by Courtois, Klimov, Patarin and Shamir in [CKPS00]. As explained in [CKPS00], the basic idea of this technique is to generate from each polynomial equation a large number of higher degree variants by multiplying it with all the possible monomials of some bounded degree, and then to linearize the expanded system. The authors claim that this simple technique is at least as powerful as Relinearization.

The XL algorithm is described in [SKI06] as follows:

Let K be a field, and let A be a system of multivariate quadratic equations l_k = 0 (1 ≤ k ≤ m), where each l_k is the multivariate polynomial f_k(x_1, ..., x_n) − b_k. The problem is to find at least one solution x = (x_1, ..., x_n) ∈ K^n for a given b = (b_1, ..., b_m) ∈ K^m.

Let D ∈ N. We consider all the polynomials (∏_j x_{i_j}) · l_i of total degree ≤ D, and call the set of all such polynomials P.

Let I_D be the set of polynomials spanned by P, i.e. I_D = {u | u = Σ_i α_i p_i} where α_i ∈ K and p_i ∈ P.

The idea of the XL algorithm is to find in some I_D a set of equations which is easier to solve than the initial set of equations A.

This is the authors' description of the XL algorithm:

1. Multiply: Starting with the equations l_i = 0 ∈ A, multiply both sides of the equations to generate all the products (∏_{j=1}^{k} x_{i_j}) · l_i ∈ I_D with k ≤ D − 2 on the LHS. This gives us a new set of equations.

2. Linearize: Consider each monomial in the x_i of degree ≤ D as a new variable and perform Gaussian elimination on the equations obtained in step 1.

3. Solve: Assume that step 2 yields at least one univariate equation in the powers of x_1. Solve this equation over the finite field (e.g. with Berlekamp's algorithm).

4. Repeat: Simplify the equations and repeat the process to find the values of the other variables.


The XL algorithm is very simple, but it is not clear for which values of n and m it ends successfully, what its asymptotic complexity is, and what its relationship to Relinearization and Grobner basis techniques is. But the authors claim that despite its simplicity, XL may be one of the best algorithms for randomly generated overdefined systems of multivariate equations.
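The Multiply step is easy to account for, and the count is what the "ratio R/T close to 1" of Courtois' three-stage view and the XL degree estimates rest on. As an added calculation (written for this page, not taken from [CKPS00], [SKI06] or the thesis), the following Python tabulates, for n variables and m quadratic equations, the number R of equations produced by multiplying every equation with every monomial of degree at most D − 2 and the number T of monomials of degree at most D that can occur, both over F_2 (where x_i^2 = x_i, so only squarefree monomials count) and over a large field, and returns the first D at which R ≥ T. Since the generated equations are not all linearly independent, R ≥ T is only a necessary condition for the Linearize step to succeed, so this D is a lower bound on the degree XL actually needs; the table still shows why more overdefined systems (larger m for the same n) need a much smaller D.

```python
from math import comb

def monomials_up_to(n, d, gf2=True):
    """Number of monomials of degree <= d in n variables (only squarefree ones over F_2)."""
    return sum(comb(n, k) for k in range(d + 1)) if gf2 else comb(n + d, d)

def xl_counts(n, m, D, gf2=True):
    """(R, T) after the Multiply step at degree D:
    R = m * #monomials of degree <= D-2 (multipliers), T = #monomials of degree <= D."""
    return m * monomials_up_to(n, D - 2, gf2), monomials_up_to(n, D, gf2)

def xl_degree(n, m, gf2=True, max_D=None):
    """Smallest D >= 2 with R >= T, a necessary condition for linearization to determine
    every monomial; None if it is not reached by max_D (default n)."""
    for D in range(2, (max_D or n) + 1):
        R, T = xl_counts(n, m, D, gf2)
        if R >= T:
            return D
    return None

def xl_table(n, m, gf2=True):
    """Rows (D, R, T, R/T) up to and including the first D with R >= T."""
    rows = []
    for D in range(2, n + 1):
        R, T = xl_counts(n, m, D, gf2)
        rows.append((D, R, T, round(R / T, 3)))
        if R >= T:
            break
    return rows

if __name__ == "__main__":
    for m in (8, 20, 37):      # n = 8 variables: square system, mildly and heavily overdefined
        print(f"n=8, m={m} over F_2: D={xl_degree(8, m)}  rows={xl_table(8, m)}")
    print("n=m=8 over a large field: D =", xl_degree(8, 8, gf2=False, max_D=20))
```

For n = 8 over F_2, m = 37 already satisfies R ≥ T at D = 2 (plain linearization: 37 equations for the 36 monomials plus the constant), m = 20 needs D = 3 and the square system m = 8 needs D = 4 even by this optimistic count; the same square system over a large field needs D = 5.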

4.2.4 XSL method

XSL stands for "eXtended Sparse Linearization", or more clearly "Multiply (X) by Selected Monomials and Linearize". The XSL algorithm uses the sparsity of the equations and their specific structure to attack the system. The XSL algorithm was created by Courtois and Pieprzyk in [CP02]. In their paper, the authors describe the XSL attack specifically against what they call "XSL ciphers". The attack has broad implications however, and can be extended to other block ciphers as well. This paper created a lot of controversy. The authors expressed Rijndael as a sparse and overdefined system of multivariate quadratic equations over F_2, and suggested XSL to solve this system exploiting its overdefinedness and sparseness. However, the complexity of XSL is not clearly understood and there is no full scale implementation of the attack. But the simple algebraic structure of Rijndael has been a source of concern since this attack was published, and even if the attack is impractical now, it might have implications for the future.

An XSL cipher is a composition of N_r similar rounds:

X The first round i = 1 starts by XORing the input with the session key K_{i−1},

S then we apply a layer of B bijective S-boxes in parallel, each on s bits,

L then we apply a linear diffusion layer,

X then we XOR with another session key K_i. Finally, if i = N_r we finish, otherwise we increment i and go back to step S.

The authors loosely describe the main idea of the algorithm as follows: First we start from the initial equations of each S-box of the cipher, with r equations and t terms, and write a system of quadratic equations that completely defines the secret key of the cipher. To exploit the sparsity of the system, we need the total number of linearly independent equations to be roughly equal to the total number of monomials that appear. The sparseness should then help reduce the total number of new terms we introduce.

4.2.5 Grobner basis techniques

Grobner basis techniques are the standard techniques used to solve systems of multivariate quadratic equations, and have been studied intensively. Grobner bases were first introduced by Bruno Buchberger in his PhD dissertation work in 1965. They are named after his advisor Wolfgang Grobner. Grobner basis theory is applied in the following way:

[Buc06] Given a set F of polynomials in κ[x_1, x_2, ..., x_n] that describes the problem at hand, we transform F into another set G of polynomials "with certain nice properties" (called the Grobner basis) such that F and G are equivalent, i.e. generate the same ideal. The motivation for this conversion comes from the fact that because of the useful properties of a Grobner basis, some problems which are hard to solve for F might be easier to solve for G.

Definition. Grobner Basis: A set of polynomials g_1, g_2, ..., g_t is a Grobner basis if for any polynomial f we can write f = Σ_i h_i g_i + r for polynomials h_1, h_2, ..., h_t such that:

1. r = 0 if and only if f ∈ <g_1, g_2, ..., g_t>, where <g_1, g_2, ..., g_t> denotes the ideal generated by the polynomials g_1, g_2, ..., g_t.

2. r is uniquely defined.

Buchberger's algorithm converts a given basis f_1, f_2, ..., f_t into a Grobner basis g_1, g_2, ..., g_u (in general u ≠ t) such that <f_1, f_2, ..., f_t> = <g_1, g_2, ..., g_u>, where <g_1, g_2, ..., g_u> denotes the ideal generated by the polynomials g_1, g_2, ..., g_u. For a clear and understandable introduction to Grobner bases, we refer the reader to [Stu05]. However, such techniques do not exploit the overdefinedness of a given system, as they proceed by eliminating sequentially a single monomial from a particular pair of equations. In general they have exponential running time, which limits the use of the basic algorithm in cryptanalysis. The cryptographically important case of using Grobner basis techniques to solve multivariate systems of quadratic equations did not receive enough attention until fairly recently (we discuss this later). Faugere suggested new and efficient ways to compute Grobner bases in his F4 and F5 algorithms. Efficient computation of Grobner bases has had implications for algebraic attacks as explored in the following papers: [BPW05, FA03, FJ03, CMR05]. In particular the F4 algorithm was used to break the HFE cryptosystem in [FJ03]. A relation between the XL algorithm and Grobner basis algorithms has been studied in [SKI06].

4.2.6 SAT solvers

Recently, methods have been studied to convert low degree sparse multivariate equations into a CNF-SAT problem. This might seem useless, since CNF-SAT is an NP-complete problem itself. However, in recent times several heuristic methods have been developed to solve the CNF-SAT problem, for example MiniSat [ES03] and Chaff [MMZ+01]. A nice primer on SAT solvers is provided in [Mit05]. This approach is motivated by the observation of the authors Bard, Courtois and Jefferson in [BCJ07] that "no polynomial-system-solving algorithm demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations." The authors therefore study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem. They claim that a direct application of this method gives very efficient results: they show that sparse multivariate quadratic systems (especially if overdefined) can be solved much faster than by exhaustive search if the system is sparse enough. Methods to convert the MQ problem to CNF-SAT and the subsequent solving of CNF-SAT using SAT solvers have been discussed at length by Bard in his PhD thesis [Bar07].
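As an added example of the conversion discussed above (written for this page; it follows the outline of the monomial-variable and cutting-number scheme of [BCJ07] but is not their code), the following Python turns a system of sparse equations in algebraic normal form over F_2 into CNF. Every monomial of degree at least 2 gets a fresh variable m with clauses enforcing m ↔ (x_i ∧ x_j ∧ ...); every equation then becomes an XOR constraint over monomial variables, which is expanded into its 2^(k−1) forbidden-parity clauses after long XORs are cut into pieces of at most a "cutting number" of literals joined by linking variables. The result is emitted in DIMACS form, which MiniSat or any other CNF solver reads, and is checked here by brute force against the original system on a constructed 3-variable instance.

```python
from itertools import product

class AnfToCnf:
    """Converts ANF equations (a set of monomials whose XOR is 0; frozenset() is the constant 1)
    over variables 0..n-1 into CNF with DIMACS-numbered variables (x_i -> i + 1)."""

    def __init__(self, nvars, cutting_number=4):
        self.n, self.cut = nvars, cutting_number
        self.next_var = nvars + 1
        self.clauses, self.monomial_var = [], {}

    def fresh(self):
        v, self.next_var = self.next_var, self.next_var + 1
        return v

    def var_for(self, mon):
        """DIMACS variable standing for a monomial; degree >= 2 gets m <-> AND(x_i)."""
        if len(mon) == 1:
            return next(iter(mon)) + 1
        if mon not in self.monomial_var:
            m, xs = self.fresh(), [i + 1 for i in sorted(mon)]
            for x in xs:
                self.clauses.append([-m, x])                 # m -> x_i
            self.clauses.append([m] + [-x for x in xs])      # (all x_i) -> m
            self.monomial_var[mon] = m
        return self.monomial_var[mon]

    def xor_clauses(self, lits, parity):
        """Direct XOR encoding: forbid each of the 2^(k-1) assignments of the wrong parity."""
        for assign in product((0, 1), repeat=len(lits)):
            if sum(assign) % 2 != parity:
                self.clauses.append([-v if a else v for v, a in zip(lits, assign)])

    def add_equation(self, eq):
        parity = int(frozenset() in eq)       # XOR of the non-constant monomials = constant
        lits = [self.var_for(m) for m in sorted(eq, key=lambda m: (len(m), sorted(m))) if m]
        while len(lits) > self.cut:           # cut: t = XOR of the first cut-1 literals
            head, lits = lits[:self.cut - 1], lits[self.cut - 1:]
            t = self.fresh()
            self.xor_clauses(head + [t], 0)
            lits.insert(0, t)
        self.xor_clauses(lits, parity)

    def dimacs(self):
        head = f"p cnf {self.next_var - 1} {len(self.clauses)}\n"
        return head + "".join(" ".join(map(str, c)) + " 0\n" for c in self.clauses)

def convert(system, nvars, cutting_number=4):
    conv = AnfToCnf(nvars, cutting_number)
    for eq in system:
        conv.add_equation(eq)
    return conv

def anf_solutions(system, nvars):
    return {x for x in product((0, 1), repeat=nvars)
            if all(sum(all(x[i] for i in m) for m in eq) % 2 == 0 for eq in system)}

def cnf_solutions(conv):
    """Brute force over all CNF variables, projected onto the original x_i (tiny instances only)."""
    total, sols = conv.next_var - 1, set()
    for bits in product((0, 1), repeat=total):
        if all(any(bits[abs(l) - 1] ^ (l < 0) for l in c) for c in conv.clauses):
            sols.add(bits[:conv.n])
    return sols

M = lambda *idx: frozenset(idx)
# Constructed 3-variable system (not from the thesis):
#   x0*x1 + x2 + 1 = 0,   x0*x2 + x1*x2 + x0 = 0,   x0 + x1 + x2 + x0*x1 + x0*x2 + x1*x2 + 1 = 0
SYSTEM = [{M(0, 1), M(2), M()},
          {M(0, 2), M(1, 2), M(0)},
          {M(0), M(1), M(2), M(0, 1), M(0, 2), M(1, 2), M()}]

if __name__ == "__main__":
    conv = convert(SYSTEM, 3)
    print(conv.dimacs())
    print("ANF solutions:", anf_solutions(SYSTEM, 3), " CNF solutions:", cnf_solutions(conv))
```

The cutting number trades clause count against variable count: a k-literal XOR costs 2^(k−1) clauses, so the third equation (six monomials) is split into two XORs of four literals through one linking variable instead of 32 clauses in one piece.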

4.2.7 ”Gluing” Algorithm

In [RS06], Raddum and Semaev take a different approach to the problem of solving non-linear equation systems, and propose a new method for solving them. Their method differs from the others in that the equations are not represented as multivariate polynomials, and in that the core of the algorithm for finding the solution can be seen as message passing on a graph. Bounds on the complexities of the main algorithms are presented, and they compare favorably with the known bounds.


Chapter 5

Explicit Constructions of Boolean functions with Important Cryptographic Properties

The known methods for design and construction of Boolean functions and S-boxes

can be categorized into these main types of techniques:

1. Algebraic construction

2. Heuristic design

5.1 Algebraic construction

Boolean functions can be directly constructed in two broad ways: bit-by-bit and recursively. Bit-by-bit methods, also called primary construction methods, generate the entire truth table of a Boolean function. The truth table is created to satisfy some constraints, and these constraints ensure that the constructed function satisfies some predetermined property (or properties). Such methods, however, tend to become infeasible very quickly for a larger number of inputs. Recursive constructions, also called secondary constructions, start with existing functions that satisfy a property and then combine them to obtain a new function with more inputs that also satisfies the property. To understand how smaller functions might be combined to create a bigger

function, consider two functions, say f on F_2^n and g on F_2^m, that satisfy some property (for example high nonlinearity). Now create a new function h on F_2^{n+m} in some way that preserves the property. For example, a crude way to construct h would simply be h(x, y) = f(x) ⊕ g(y), with x ∈ F_2^n and y ∈ F_2^m (note: this example is provided to illustrate the basic idea; this crude construction of h does not claim to preserve nonlinearity). One method of constructing bigger functions from smaller ones is concatenation, meaning concatenation of truth tables. To define it, let f_1, f_2 : F_2^n → F_2, g : F_2^{n+1} → F_2 and y ∈ F_2. We define g as g(z) = (y + 1) f_1(x) + y f_2(x) where z = (y, x). Clearly, g(0, x) = f_1(x) and g(1, x) = f_2(x). In [Sei84], Siegenthaler showed that if f_1, f_2 are m-th order correlation immune, then so is g.

Concatenation is popularly deployed in the construction of functions. Some special classes of functions, the Maiorana-McFarland class for example, use concatenation in the construction of functions. The Maiorana-McFarland construction is based on the concatenation of affine functions. The Maiorana-McFarland function f : F_2^n → F_2 takes the form [KTLG05]:

f(x) = g(x_0, ..., x_{k−1}) + (x_k, ..., x_{n−1}) · φ(x_0, ..., x_{k−1})

where g : F_2^k → F_2 and φ : F_2^k → F_2^{n−k}; for each fixed value of (x_0, ..., x_{k−1}) the function is affine in (x_k, ..., x_{n−1}), which is the sense in which f is a concatenation of affine functions. Sarkar and Maitra showed in [SM00a] that if we replace one of the linear functions in the above construction by a nonlinear function, we obtain resilient functions with high nonlinearity.
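As an added illustration of the two constructions just described (code written for this page, not from the thesis or the cited papers), the following Python works directly on truth tables: it computes the Walsh spectrum and from it nonlinearity, balancedness and the order of correlation immunity, then builds functions by concatenation and by the Maiorana-McFarland construction and measures them. Writing the Maiorana-McFarland function as f(x, y) = x·φ(y) + g(y) with x ∈ F_2^r and y ∈ F_2^s, its spectrum is W_f(a, b) = 2^r Σ_{y : φ(y) = a} (−1)^{g(y) + b·y}, so f is bent when r = s and φ is a bijection, and m-resilient with nonlinearity 2^{n−1} − 2^{r−1} when φ is injective and every φ(y) has Hamming weight at least m + 1, because W_f(a, b) vanishes whenever a is not in the image of φ. The concatenation g(y, x) = (y + 1) f_1(x) + y f_2(x) is simply the truth table of f_1 followed by that of f_2, and Siegenthaler's result is checked on two 1-resilient 3-variable inputs. Throughout, variable i is bit i of the truth-table index.

```python
def truth_table(n, fn):
    """Truth table of fn over F_2^n; variable i is bit i of the index x."""
    return [fn([(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

def walsh(tt):
    """Walsh-Hadamard spectrum W(a) = sum_x (-1)^(f(x) + a.x), by the fast butterfly."""
    w, h = [1 - 2 * b for b in tt], 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|W(a)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def is_balanced(tt):
    return walsh(tt)[0] == 0

def correlation_immunity(tt):
    """Largest m such that W(a) = 0 for every a of Hamming weight 1..m."""
    w, n = walsh(tt), len(tt).bit_length() - 1
    for m in range(1, n + 1):
        if any(w[a] != 0 for a in range(1, len(tt)) if bin(a).count("1") == m):
            return m - 1
    return n

def resiliency(tt):
    """Order of resiliency (correlation immunity of a balanced function), else None."""
    return correlation_immunity(tt) if is_balanced(tt) else None

def maiorana_mcfarland(r, s, phi, g):
    """f(x, y) = x . phi(y) + g(y): y = low s bits of the index, x = high r bits; phi[y] is an
    r-bit mask, g[y] a bit. This concatenates the 2^s affine functions x -> x.phi(y) + g(y)."""
    tt = []
    for v in range(1 << (r + s)):
        y, x = v & ((1 << s) - 1), v >> s
        tt.append(bin(x & phi[y]).count("1") % 2 ^ g[y])
    return tt

def concatenate(f1, f2):
    """g(y, x) = (y + 1) f1(x) + y f2(x), y being the new top variable: table of f1 then f2."""
    assert len(f1) == len(f2)
    return f1 + f2

# Bent: r = s = 2, phi the identity bijection, g = 0, i.e. f = x0*y0 + x1*y1.
BENT = maiorana_mcfarland(2, 2, phi=[0b00, 0b01, 0b10, 0b11], g=[0, 0, 0, 0])
# 1-resilient on 5 variables: phi injective with every phi(y) of weight >= 2.
RESILIENT = maiorana_mcfarland(3, 2, phi=[0b011, 0b101, 0b110, 0b111], g=[0, 0, 0, 0])
# Siegenthaler: concatenating the 1-resilient functions x0+x1 and x1+x2 stays 1-resilient.
F1 = truth_table(3, lambda x: x[0] ^ x[1])
F2 = truth_table(3, lambda x: x[1] ^ x[2])
CONCAT = concatenate(F1, F2)

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("MM resilient", RESILIENT), ("concatenation", CONCAT)):
        print(f"{name:14s} n={len(tt).bit_length() - 1} nl={nonlinearity(tt)} "
              f"balanced={is_balanced(tt)} CI={correlation_immunity(tt)} res={resiliency(tt)}")
```

The bent function reaches the maximum nonlinearity 2^{n−1} − 2^{n/2−1} = 6 for n = 4 but is neither balanced nor correlation immune, which is the usual trade-off; the 5-variable function gives up some nonlinearity (12 out of the bent bound of 14 for n = 5, which is unattainable for balanced functions anyway) for 1-resiliency.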

A related method of secondary construction is to start with a suitable function and modify it to improve its properties. Modification of a given function might mean, for example, complementing a few bits in its truth table. Constructing functions starting with a function from the Maiorana-McFarland class was quite popular [Pas03, GS05]. However, Carlet pointed out in [Car02] that functions constructed by modifying a Maiorana-McFarland class function may be weak, since the derived functions obtained by fixing certain input bits of these functions are affine. To avoid this potential weakness, Carlet introduced a natural extension of the Maiorana-McFarland class: the Maiorana-McFarland superclass. In [ZH05], Zeng and Hu construct balanced Boolean functions with high nonlinearity and optimum algebraic degree by modifying functions from this superclass. Useful studies of the properties of functions belonging to the Maiorana-McFarland class have been conducted in [Car04a, Pas06].

We give some examples here of the various ways in which construction of

cryptographically strong Boolean functions has been approached. The following

discussion (on algebraic construction) is by no means comprehensive, a complete

discussion of this vast body of literature is beyond the scope of this survey. A good

discussion on algebraic construction of cryptographically strong Boolean functions

can be found in [Car06a].

In [KMI91], the authors propose a recursive construction method to construct "strong" (with respect to the avalanche criterion) S-boxes of arbitrary size when given as input "strong" S-boxes of size 3 (i.e. 3 bit input).

In [Tar01], the author introduces a matrix of special form, called a proper matrix, and uses it for constructing cryptographically strong Boolean functions. In [FT01], the authors further explore the properties of proper matrices, obtain bounds for their important parameters and construct m-resilient n variable Boolean functions with maximum possible nonlinearity for particular values of m that supersede the previous construction.

In [KG03], the authors present constructions based on the theory of geometric sequences by Klapper, Chan and Goresky [AAG93]. They start with a plateaued (n − 1) 1-resilient function (a 1-resilient function whose Hadamard transform only takes the values 0, ±2^{(n+1)/2}) and from any one such function they are able to obtain an infinite number of 1-resilient plateaued functions by applying the geometric sequence construction of [AAG93].

In [SS04], the authors use partially defined Boolean functions (PDBF) to generate cryptographically strong Boolean functions. A PDBF, as they define it, can be considered as a Boolean function with some undefined values, i.e. its values are from the set {0, 1, ?}. They generalize some known properties of Boolean functions like balancedness, nonlinearity and propagation characteristics to these functions and show that the usual relationships among these properties hold for these generalizations as well. They then apply the results in methods for generating strong Boolean functions.


In [CY05], the authors generalize the techniques used in MacWilliams’ and

Sloane’s presentation of the Kerdock code and develop a theory of piecewise quadratic

Boolean functions. This generalization leads them to construct large families of po-

tentially new bent and cryptographically strong functions from quadratic forms in

this piecewise fashion.

Another flavor of methods used in the generation of functions is the so-

called search methodology. Search methods typically find a small subset of Boolean

functions using combinatorial techniques and then perform exhaustive search over

the reduced domain. For example, in [KTLG05], the authors describe some con-

structions based on finite fields. They present an efficient search algorithm that

exhaustively searches for highly nonlinear resilient Boolean functions with optimum

correlation properties from among special classes of functions called ”preferred”

functions. Search methods are usually used in conjunction with recursive construc-

tion methods: searching is used to find suitable functions which are then combined

to create better functions.

Algebraic methods are very good for constructing functions with certain specific properties, but they do not in general perform well for properties that were not considered during construction. For example, some functions constructed from the Maiorana-McFarland class which were considered strong were suddenly found to be vulnerable when algebraic attacks were introduced. This is because "algebraic immunity", which quantifies the resistance of functions to algebraic attacks, was not identified at the time these functions were constructed, and they were not designed to have high AI [MPC04].

5.2 Heuristic Design

Heuristic techniques like Simulated Annealing and Genetic Algorithms have enjoyed much success in Computer Science despite little theoretical backing. Consider an optimization problem P. A heuristic search algorithm will look for a solution to P by "implicitly defining a search graph on possible solutions to P, and using some (often randomized) method for moving along the edges of this graph in search of good quality solutions" [Imp01]. Some years ago, these methods became popular in the generation of cryptographically strong functions. We briefly describe below some main flavors of heuristic design as deployed in Boolean function generation.

A word on optimization techniques: Optimization techniques work either with a single candidate solution or with a population of candidate solutions. Techniques working with a single solution are called local techniques, and those working with many solutions are called global techniques. The optimization is carried out with respect to some 'cost function' that measures how 'good' a candidate is [CJ00].

1. Genetic algorithm: The Genetic Algorithm (GA) mimics the natural process of evolution; the "genes" are a population of solutions to the problem at hand. It then uses a "breeding scheme" to combine solutions and create new ones. The breeding scheme usually combines "better" solutions according to some criteria, in some manner, to produce new solutions. This is motivated by the hope that new solutions will be better than the older ones. Genetic algorithms can be considered to have the following outline, as described by Obitko [Obi]:

(a) Start: Generate a random population of n chromosomes (suitable solutions for the problem).
(b) Fitness: Evaluate the fitness f(x) of each chromosome x in the population.
(c) New population: Create a new population by repeating the following steps until the new population is complete:
    Selection: Select two parent chromosomes from a population according to their fitness (the better the fitness, the bigger the chance of being selected).
    Crossover: With a crossover probability, cross over the parents to form new offspring (children). If no crossover was performed, the offspring is an exact copy of the parents.
(d) Mutation: With a mutation probability, mutate the new offspring.
(e) Accepting: Place the new offspring in a new population.
(f) Replace: Use the newly generated population for a further run of the algorithm.
(g) Test: If the end condition is satisfied, stop, and return the best solution in the current population.
(h) Loop: If the end condition is not satisfied, go to step (b).

The most important steps in the above outline are crossover and mutation. Crossover selects genes from parent chromosomes and creates a new offspring. The simplest way to do this is to choose a crossover point at random, copy everything before this point from the first parent, and copy everything after the crossover point from the second parent. Mutation is meant to prevent all solutions from falling into a local optimum of the solved problem. Mutation randomly changes the new offspring.

In our context, a gene/chromosome is represented by the truth table of a function in binary format, i.e. each gene is a binary string that represents the truth table of the function. Fitness of the function is evaluated using the criteria we have been discussing: algebraic immunity, thickness, balancedness et al. During crossover, a random point is picked in the binary string representing each of the parents and the value beyond that point is swapped between the two parents. More sophisticated techniques to "mate" are also used in practice. Mutation introduces some randomness into the pool of solutions. A possible method of mutation is to complement a random subset of bits in the string representing the function.

The genetic algorithm approach as applied to Boolean function generation has been explored in [MCD97a, MCD98, DG03] (among others).

2. Hill Climbing: The Hill Climbing technique uses the fact that small truth table changes have a predictable effect on the properties that we are interested in (like nonlinearity, resiliency etc.). Due to this, we can make small incremental changes to the truth table carefully, modifying the properties of the function to make it more appropriate for our needs. This method typically changes truth table entries in pairs, with the constraint that the values of the 2 entries being complemented are not the same, so that the Hamming weight of the function is maintained. In [MFD03], the authors categorize these pairs of entries into the following three categories: improvement, static and reduction. In the improvement category, complementing the pair improves nonlinearity; in the static category, complementing the pair does not change nonlinearity; and in the reduction category, complementing the pair reduces nonlinearity. So there are variants of the hill climbing technique that iteratively complement all the pairs in the improvement set to get new functions with higher nonlinearity, or complement pairs in the static set to obtain different functions that have the same nonlinearity but that might hopefully be better with respect to other characteristics. The authors also discuss the difference between strong and weak hill climbing, introduced in [MCD97b] and [MCD99] respectively: strong hill climbing iteratively improves the function until the improvement set of the current function is empty or the maximum number of iterations has been performed. Weak hill climbing differs in that in any iteration the nonlinearity of the function does not necessarily increase but must not decrease. In [MFD03], the authors also propose a new adaptive strategy called Dynamic Hill Climbing which they describe as "a truly adaptive technique because it decides to implement either strong or weak hill climbing depending on the classification of the current function".

Thus, hill climbing methods generally start with some function and make iterative improvements. They will typically find the "local maxima" of the design space. Hill climbing to construct strong Boolean functions is explored in [MFD03, MCD97b, MCD99]. A problem with these methods is that they can get "stuck in local optima", meaning that once at the local optimum, the algorithm will stop changing the function, thus potentially missing a better function that is separated from the current function by a few weak functions. This is avoided by techniques like simulated annealing which we describe next.

3. Simulated Annealing: Simulated Annealing is a method motivated by the annealing process of metals and was introduced by Kirkpatrick, Gelatt and Vecchi in [KJV83]. It was applied in the construction of Boolean functions much later, however; Clark and Jacob introduced simulated annealing to the area of Boolean function generation in 2000 with [CJ00]. Annealing is a concept in metallurgy which refers to a technique involving heating and controlled cooling of a material to increase the size of its crystals and reduce their defects. The properties of the metal are improved if the atoms in the metal can lower their internal energy states. This is accomplished by heating and slow cooling: the heat causes the atoms to move out of their current energy level (which corresponds to a local optimum, the locally lowest energy level) and wander randomly through states of higher energy; the slow cooling gives them more chances of finding configurations with lower internal energy than the initial one. Simulated annealing works similarly when applied to optimization problems and is described below.

As described earlier, hill climbing methods tend to get stuck in local optima. To counter this, techniques like simulated annealing allow worsening moves to be accepted with some probability. The process is nicely described by Clark and Jacob ([CJ00]): "From the current state a move in a local neighborhood is generated and considered. Improving moves are always accepted. Worsening moves may also be accepted probabilistically in a way that depends on the temperature T of the search and the extent to which the move is worse. A number of moves are considered at each temperature. Initially the temperature is high and virtually any move is accepted. Gradually the temperature is cooled and it becomes ever harder to accept worsening moves. Eventually the process 'freezes' and only improving moves are accepted at all. If no move has been accepted for some time then the search halts." Simulated Annealing is often used in conjunction with hill climbing methods. For example, in [CJ00] Clark and Jacob introduced a new cost function to be optimized which was motivated by Parseval's Theorem, and which enabled the search to reach areas of the design space from which hill climbing methods could be used more effectively. Simulated Annealing has been further explored in [CJS+02, CJS05].
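The hill climbing and simulated annealing passages above, as an added example that is not code from the thesis or from [MFD03] and [CJ00]. It assumes a truth table indexed so that entry x encodes the input x1 + 2x2 + 4x3 + ..., uses plain nonlinearity (computed from the Walsh spectrum) as the cost rather than Clark and Jacob's Parseval-motivated cost, and the annealing parameters (start temperature, cooling factor, schedule length) are illustrative values chosen for a 4-variable demonstration. Moves complement one 1-entry and one 0-entry, so the Hamming weight and hence balancedness are preserved, and `classify_pairs` reproduces the improvement/static/reduction split of [MFD03].

```python
"""Hill climbing and simulated annealing over Boolean-function truth tables.

Added example, not code from the thesis or from [MFD03]/[CJ00]. A candidate is
the truth table of an n-variable function (index x encodes x1 + 2*x2 + ...),
the cost is plain nonlinearity (Clark and Jacob's Parseval-motivated cost is
not reproduced here), and every move complements one 1-entry and one 0-entry
so that the Hamming weight, hence balancedness, is preserved.
"""
import math
import random


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform of the sign function (-1)**f(x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def nonlinearity(tt):
    """Distance to the closest affine function: 2^(n-1) - max|W_f(u)|/2."""
    return (len(tt) - max(abs(v) for v in walsh_spectrum(tt))) // 2


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)


def flip_pair(tt, i, j):
    """Complement entries i and j (one a 1, the other a 0): weight is kept."""
    cand = tt[:]
    cand[i] ^= 1
    cand[j] ^= 1
    return cand


def classify_pairs(tt):
    """Sort every weight-preserving pair into the three sets of [MFD03]."""
    base = nonlinearity(tt)
    ones = [i for i, b in enumerate(tt) if b]
    zeros = [i for i, b in enumerate(tt) if not b]
    sets = {"improvement": [], "static": [], "reduction": []}
    for i in ones:
        for j in zeros:
            nl = nonlinearity(flip_pair(tt, i, j))
            key = "improvement" if nl > base else "static" if nl == base else "reduction"
            sets[key].append((i, j))
    return sets


def strong_hill_climb(tt, max_iter=100):
    """Apply improving pairs until the improvement set is empty (a local maximum)."""
    for _ in range(max_iter):
        improving = classify_pairs(tt)["improvement"]
        if not improving:
            break
        tt = flip_pair(tt, *improving[0])
    return tt


def simulated_annealing(tt, seed=0, t0=2.0, alpha=0.9, moves_per_temp=50, n_temps=40):
    """Accept worsening moves with probability exp(-loss/T) while T cools.

    The schedule parameters are assumed demonstration values, not from [CJ00].
    """
    rng = random.Random(seed)
    cur_nl = nonlinearity(tt)
    best, best_nl = tt, cur_nl
    temp = t0
    for _ in range(n_temps):
        for _ in range(moves_per_temp):
            i = rng.choice([k for k, b in enumerate(tt) if b])
            j = rng.choice([k for k, b in enumerate(tt) if not b])
            cand = flip_pair(tt, i, j)
            nl = nonlinearity(cand)
            loss = cur_nl - nl          # > 0 means the move is worsening
            if loss <= 0 or rng.random() < math.exp(-loss / temp):
                tt, cur_nl = cand, nl
                if cur_nl > best_nl:
                    best, best_nl = tt, cur_nl
        temp *= alpha                   # cool down: worsening moves get rarer
    return best


# Constructed sample inputs on 4 variables (2^4 = 16 truth-table entries).
LINEAR_X1 = [x & 1 for x in range(16)]                       # f = x1, nonlinearity 0
BENT_X1X2_X3X4 = [((x & 1) & ((x >> 1) & 1)) ^ (((x >> 2) & 1) & ((x >> 3) & 1))
                  for x in range(16)]                        # f = x1x2 + x3x4, nonlinearity 6

if __name__ == "__main__":
    print("start:", nonlinearity(LINEAR_X1),
          "hill climb:", nonlinearity(strong_hill_climb(LINEAR_X1)),
          "annealing:", nonlinearity(simulated_annealing(LINEAR_X1)))
```

Starting from the linear function x1 every weight-preserving pair is an improvement (the function is at distance 2 from x1 and at distance at least 6 from every other non-complementary affine function), so strong hill climbing moves immediately; the annealing run keeps the best candidate seen, so its result is never worse than the start.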

Remark: In [CJMS04], the authors generate functions in a very unorthodox and interesting way. Most techniques consider the space of Boolean functions and construct/search for the ones with the desired properties. The authors invert this notion in their paper: they search the space of artifacts with the required properties and seek the one which is a Boolean function. They combine this general approach with existing theory to obtain strong functions.

Chapter 6

Some open problems and concluding remarks

The area of algebraic attacks has attracted a lot of interest in recent years. In [Cou07a], Courtois says that the whole of research in symmetric key cryptography has been "heavily distorted" in the sense that impractical attacks (which require large amounts of known plaintext) have been studied extensively, while important practical attacks (requiring few/chosen plaintexts but computationally intensive) have not been studied enough. He suggests a change in emphasis in the area, and urges researchers to try to break the toy ciphers CTC and CTC2, which will help in understanding the cryptanalysis of practical ciphers better.

In [AK03], the authors study algebraic attacks against combiners with memory and provide an algorithm to construct low degree (say d) relations for r clocks, i.e. a relation which holds for any sequence of r consecutive bits of the keystream. Armknecht also posed the question of whether a faster method to construct these low degree relations exists, since the method proposed in [AK03] quickly becomes impractical for large values of d and r. He also describes the failings of known methods of solving the obtained relations: linearization is polynomial time but requires knowledge of many keystream bits; other methods like XL or Gröbner basis methods require fewer keystream bits but can have exponential complexity. He suggests that we need to explore better methods for solving these systems of equations.

In [Can06], Anne Canteaut provides a very nice summary of open problems related to algebraic attacks on stream ciphers under the following categories:

1. Open problems related to the complexity of algebraic attacks:

Let the transition function be L and the filtering function be f. The author wants to determine suitable parameters for the keystream generator. In order to do so, she tries to estimate the complexity of algebraic attacks, and focuses on the simplest technique: linearization. To estimate the complexity of an algebraic attack, it is essential to determine the proportion of monomials in the system of equations, because sparse systems can often be solved quite efficiently. It is clearly important to understand how the sparsity of equations might depend on the values of f and L. So she presents the following open problem:

Determine the number of monomials involved in the system of equations to be solved, depending on the choice of f and L.

We also need to understand how many keystream bits are required to get enough linearly independent equations to be able to solve the system. Since linearization converts the given system of (nonlinear) equations to a linear system, this is equivalent to determining the rank of the linear system depending on the choice of f and L.

Gröbner basis techniques have been studied in the context of algebraic attacks, and the complexities of algorithms that compute Gröbner bases have been analyzed in several papers, e.g. [BFS04]. These complexity results however only hold for specific cases, e.g. the semi-regular case as defined in [BFS04]. This results in the important open problem of ascertaining whether the system of equations that we need to solve to break the cipher behaves like a semi-regular system.

2. Open problems related to the algebraic immunity of functions:

The author lists the following open problems related to the algebraic immunity of functions:

(a) For a balanced Boolean function f, is there a general relationship between AN(f) and AN(1 + f)?
(b) What is the average value of algebraic immunity for a balanced Boolean function in n variables?
(c) What is the proportion of balanced Boolean functions of n variables with optimal algebraic immunity?

3. Open problems with respect to fast algebraic attacks:

Fast algebraic attacks rely on the existence of low degree relations between the bits of the initial state and several consecutive keystream bits. We can express this dependence by a function which has multiple outputs:

$$f_m : \mathbb{F}_2^n \to \mathbb{F}_2^m, \qquad f_m(x_1, \ldots, x_n) = (b_1, b_2, \ldots, b_m)$$

where $b_1, \ldots, b_m$ are m consecutive keystream bits. An important open question asks to find an algorithm which will determine such low degree relations, i.e. an algorithm to find a function $f_m$ of low degree. This multiple output function is very similar to the augmented function defined in [And94]. Augmented functions are special multi-output functions with special properties. Another open problem asks if these special properties influence the algebraic immunity of augmented functions.

As described in [Cou03], fast algebraic attacks exploit the fact that when the known keystream bits are consecutive, an important part of the equations will have a recursive structure, and this allows one to partially replace the usual sub-cubic Gaussian algorithms for eliminating the monomials by a much faster, essentially linear, version of the Berlekamp-Massey algorithm. So another important open problem is to explore variants of the Berlekamp-Massey algorithm which are better suited to this particular application.

Many stream ciphers do not use simple Boolean functions as combining or filtering functions; they use sophisticated functions like multi-output functions or functions with memory. There are open problems that are concerned with improving the efficiency of algorithms that compute the algebraic immunity of such special functions, as well as problems related to constructing special functions that are guaranteed to resist known attacks.

The area of algebraic attacks is thus an exciting area full of open problems which have important real world implications.

Appendix A

Useful Definitions

We briefly define here a few important terms and state some useful results.

A.1 Algebraic definitions

Definition. Affine Geometry [Rom92]: Let V be a vector space. If $v \in V$ and S is a subspace of V, then the set

$$v + S = \{v + s \mid s \in S\}$$

is called a flat or a coset in V. The set A(V) of all flats in V is called the affine geometry of V. The dimension dim(A(V)) of A(V) is defined to be dim(V). A flat in V is nothing more than a translated subspace of V. Each flat k + S is associated with a unique subspace S.

Definition. Dimension of flats [Rom92]: The dimension of a flat x + S is dim(S), i.e. the dimension of the subspace S. A flat of dimension k is called a k-flat. A 0-flat is a point, a 1-flat is a line and a 2-flat is a plane. A flat of dimension dim(A(V)) − 1 is called a hyper-plane.

Definition. Affine Combinations [Rom92]: Let V be a vector space over a field F. For $i \in \{1, 2, \ldots, n\}$, if $r_i \in F$ and $\sum_i r_i = 1$, then the linear combination $r_1 x_1 + r_2 x_2 + \cdots + r_n x_n$ is referred to as an affine combination of the vectors $x_1, x_2, \ldots, x_n$. A subset X of V is a flat in V if and only if it is closed under affine combinations.

Definition. Affine Subspace [Rom92]: An affine subspace of a vector space V is a subset of V closed under affine combinations of vectors in the space.

Definition. Co-dimension [Rom92]: If W is a vector subspace of a vector space V over a field F, then the co-dimension of W in V is the dimension of the quotient space V/W, viewed as a vector space over F:

$$\mathrm{codim}(W) = \dim(V/W) = \dim(V) - \dim(W)$$

Definition. Affine Hyper-plane: An affine hyper-plane H of a vector space V is an affine subspace of V satisfying:

1. H = x + U where U is a subspace of V and $x \in V$.
2. codim(U) = 1.

Definition. Affine Hulls [Rom92]: Let C be a nonempty set of vectors in V. The affine hull, hull(C), is the smallest flat containing C, i.e. $C \subset \mathrm{hull}(C)$, and $C \subset A \Rightarrow \mathrm{hull}(C) \subset A$ for all flats A. It can also be referred to as the flat generated by C.

Theorem A.1.1. [Rom92] The affine hull, hull(C), is the set of all affine combinations of vectors in C, i.e.

$$\mathrm{hull}(C) = \left\{ \sum_{i=1}^{n} r_i x_i \;\middle|\; n \ge 1;\ x_1, x_2, \ldots, x_n \in C;\ \sum_{i=1}^{n} r_i = 1 \right\}.$$

Definition. Affine Transformation [Rom92]: A function $f : V \to V$ that preserves affine combinations, i.e. for which

$$\sum_i r_i = 1 \;\Rightarrow\; f\Big(\sum_i r_i x_i\Big) = \sum_i r_i f(x_i), \qquad x_i \in V\ \forall i,$$

is called an affine transformation.

Definition. Translation [Rom92]: Let $v \in V$. The affine map $T_v : V \to V$ defined by $T_v(x) = x + v$ for all $x \in V$ is called a translation by v.

Theorem A.1.2. [Rom92] Let V be a vector space over a field F. A function $f : V \to V$ is an affine transformation iff $f = T_v \circ \tau$ where $v \in V$ and $\tau \in \zeta(V)$.

Notation:
$\circ$ denotes function composition.
$\tau : V \to V$ is a linear operator if $\tau(ru + sv) = r\tau(u) + s\tau(v)$.
$\zeta(V)$ denotes the set of linear operators of V.

Additionally, an affine transformation $f = T_v \circ \tau$ is bijective iff $\tau$ is bijective. Also, the composition of two affine transformations is again an affine transformation.

Definition. Affine Group [Rom92]: The set Aff(V) of all bijective affine transformations on V is a group under composition of transformations. This group is called the affine group.

Definition. Affine Equivalence [Car04b]: Two functions f and g are said to be affinely equivalent if

$$f = g \circ A$$

where A is an element of the affine group, i.e. $A \in \mathrm{Aff}(V)$.

Definition. Affine Invariant [Car03]: A property p of a function f is said to be an affine invariant if every affinely equivalent function g also possesses the same property.

Definition. Affine Variety: The affine variety $V(f_1, f_2, \ldots, f_s)$ of functions $f_1, f_2, \ldots, f_s$, where $f_i : F^n \to F$ for all $i \in \{1, 2, \ldots, s\}$, is the set of common zeroes of the functions $f_1, f_2, \ldots, f_s$. More formally,

$$V(f_1, f_2, \ldots, f_s) = \{x \in F^n \mid f_i(x) = 0\ \forall i \in \{1, 2, \ldots, s\}\}.$$

Definition. Ideal Generated by Functions: The ideal generated by functions $f_1, f_2, \ldots, f_s$, denoted by $\langle f_1, f_2, \ldots, f_s \rangle$, is defined as the set $\{f \mid f(x) = 0 \text{ at all points of } V(f_1, f_2, \ldots, f_s)\}$.

A.2 Cryptographic definitions

Definition. Hamming Distance [Car04b]: The Hamming distance between 2 n-variable functions $f : \{0,1\}^n \to \{0,1\}$ and $g : \{0,1\}^n \to \{0,1\}$ is the number of inputs x for which $f(x) \neq g(x)$.

Definition. Hamming Weight [Car04b]: The Hamming weight of a function $f : \{0,1\}^n \to \{0,1\}$ is the number of inputs x such that $f(x) = 1$ and is denoted by $w_H(f)$.

Definition. Algebraic Normal Form [Car04b]: Every Boolean function f over $\mathbb{F}_2^n$ can be represented uniquely by its algebraic normal form or A.N.F.:

$$f(x) = \sum_{u \in \mathbb{F}_2^n} a_u \left( \prod_{i \mid u_i = 1} x_i \right)$$

The A.N.F. is useful because it exists and is unique for every Boolean function, and is often used in cryptography and coding.

Definition. Algebraic Degree [Car04b]: The degree of the A.N.F. of a function f is called the algebraic degree of f.

Definition. Affine Functions [Car03]: Functions with algebraic degree at most 1 are called affine functions. If the constant term is 0, they are linear.

Definition. Vernam Ciphers [MvOV97]: In Vernam ciphers, also called one-time pads, the plaintext is bitwise added to a binary secret key of the same length in order to produce ciphertext. The Vernam cipher is the only known cipher offering unconditional security.

Definition. Stream Ciphers [MvOV97]: Stream ciphers are ciphers in which plaintext bits are encrypted one at a time, using an encryption transformation that varies with time.

Definition. Block Ciphers [MvOV97]: An n-bit block cipher is a function $E : V_n \times \kappa \to V_n$, where $V_n$ is the set of all n-bit vectors and $\kappa$ is the keyspace, such that for each key $K \in \kappa$, $E(P, K)$ is an invertible mapping (the encryption function for K) from $V_n$ to $V_n$, written as $E_K(P)$. The inverse mapping is the decryption function, denoted $D_K(C)$ where $C = E_K(P)$.

Definition. Symmetric Functions [BP05]: Symmetric functions are functions such that every Boolean vector of the same weight has the same function value. That is, all inputs with the same number of 1s have the same output value.

Definition. Annihilating Functions [MPC04]: An annihilating function of f is a function g such that $f * g = 0$.
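The A.N.F., algebraic degree and annihilator definitions above, as an added example that is not code from the thesis or from [MPC04]. It assumes a truth table indexed so that entry x encodes the input x1 + 2x2 + 4x3 + ..., computes the A.N.F. with the binary Möbius transform, and finds annihilators of degree at most d by linear algebra over GF(2): g annihilates f exactly when g vanishes on the support of f, which is a linear condition on the A.N.F. coefficients of g. The resulting `algebraic_immunity` is the smallest d for which f or 1 + f has a nonzero annihilator, the quantity AI referred to throughout the survey; the 3-variable majority function used as input is a constructed sample.

```python
"""Algebraic normal form, algebraic degree and annihilators of a Boolean function.

Added example, not code from the thesis or from [MPC04]. A function is given by
its truth table (index x encodes x1 + 2*x2 + ...), its ANF is obtained with the
binary Moebius transform, and annihilators of degree <= d are found by linear
algebra over GF(2): g annihilates f exactly when g vanishes on the support of f,
which is a linear condition on the ANF coefficients of g.
"""


def anf(tt):
    """Binary Moebius transform: a[u] is the coefficient of prod_{i: u_i = 1} x_i."""
    a = tt[:]
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a


def algebraic_degree(tt):
    """Largest monomial weight with a nonzero ANF coefficient (0 for constants)."""
    return max((bin(u).count("1") for u, c in enumerate(anf(tt)) if c), default=0)


def evaluate_anf(monomials, x):
    """Value at x of the function whose ANF is the given set of monomial masks."""
    return sum(1 for u in monomials if u & x == u) & 1


def annihilators(tt, d):
    """Basis of {g : deg g <= d, f*g = 0}, each g as a sorted list of monomial masks."""
    n = len(tt).bit_length() - 1
    mons = [u for u in range(1 << n) if bin(u).count("1") <= d]
    # One homogeneous equation per x in the support of f: sum_u c_u [u subset x] = 0.
    rows = []
    for x, fx in enumerate(tt):
        if fx:
            rows.append(sum(1 << k for k, u in enumerate(mons) if u & x == u))
    # Gaussian elimination over GF(2) on bitmask rows, kept in reduced form.
    pivots, reduced = [], []
    for r in rows:
        for p, pr in zip(pivots, reduced):
            if r >> p & 1:
                r ^= pr
        if r:
            p = (r & -r).bit_length() - 1        # lowest set bit is the new pivot
            reduced = [pr ^ r if pr >> p & 1 else pr for pr in reduced]
            pivots.append(p)
            reduced.append(r)
    # Null space: one basis vector per free column, solving for the pivot variables.
    basis = []
    for free in range(len(mons)):
        if free in pivots:
            continue
        vec = 1 << free
        for p, pr in zip(pivots, reduced):
            if pr >> free & 1:
                vec |= 1 << p
        basis.append([mons[k] for k in range(len(mons)) if vec >> k & 1])
    return basis


def is_annihilator(tt, monomials):
    """Check f(x) * g(x) = 0 for every x, with g given by its monomial set."""
    return all(not (fx and evaluate_anf(monomials, x)) for x, fx in enumerate(tt))


def algebraic_immunity(tt):
    """Smallest d such that f or 1 + f has a nonzero annihilator of degree <= d."""
    n = len(tt).bit_length() - 1
    complement = [b ^ 1 for b in tt]
    for d in range(n + 1):
        if annihilators(tt, d) or annihilators(complement, d):
            return d
    return n


# Constructed sample: the majority function of 3 variables, ANF x1x2 + x1x3 + x2x3.
MAJORITY3 = [1 if bin(x).count("1") >= 2 else 0 for x in range(8)]

if __name__ == "__main__":
    print("ANF monomials:", [u for u, c in enumerate(anf(MAJORITY3)) if c])
    print("degree:", algebraic_degree(MAJORITY3), "AI:", algebraic_immunity(MAJORITY3))
    print("degree-2 annihilators:", annihilators(MAJORITY3, 2))
```

For the majority function no affine annihilator exists for either f or 1 + f, while the degree-2 annihilators form a 3-dimensional space spanned by (1 + x1)(1 + x2), (1 + x1)(1 + x3) and (1 + x2)(1 + x3), so its algebraic immunity is 2, the optimum for 3 variables.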

Definition. Derivative of a Function [Car06a]: Let f be an n-variable Boolean function and let b be any vector in $\mathbb{F}_2^n$. We call the derivative of f with respect to the direction b the Boolean function $D_b f(x) = f(x) \oplus f(x + b)$, where $\oplus$ denotes addition over $\mathbb{F}_2$.

Definition. Sparse Equations [CP02]: Sparse equations are defined to be equations with a "small" number of monomials. Let n be the number of variables in the system of equations and t be the number of monomials in the system of equations. For a given degree d, usually $t \approx \binom{n}{d}$. If $t \ll \binom{n}{d}$, we say that the equations are sparse.

Definition. Overdefined Equations [CP02]: Overdefined equations are systems of equations in which the number of equations is greater than the number of variables involved in the system of equations.

A.3 Fourier-Walsh Transforms

Fourier transforms have very nice properties which are useful for studying Boolean functions. Most characteristics of Boolean functions that we describe in this survey can be expressed by means of the weights of some related Boolean functions (e.g. $f \oplus l$ where l is affine). As pointed out by Carlet in [Car06a], Fourier analysis becomes a very powerful and useful tool, since given a Boolean function f, knowledge of the discrete Fourier transform of f is equivalent to knowledge of the weights of all the functions $f \oplus l$, where l is linear or affine.

We briefly define here Fourier transforms and discuss some of their properties. Other flavors of Fourier transforms are Hadamard transforms and Walsh transforms, which are introduced below. We will primarily be working with Hadamard and Walsh transforms in subsequent sections.

Let G be a finite abelian group of order n written additively.

Definition. Characters [LN83, Bab02]: A character of G is a homomorphism $\chi : G \to \mathbb{C}^\times$ of G to the multiplicative group of nonzero complex numbers:

$$\chi(a + b) = \chi(a)\chi(b), \qquad a, b \in G.$$

Since

$$\chi(a)^n = \chi(na) = \chi(0) = 1, \qquad a \in G,$$

the values of $\chi$ are the nth roots of unity. Note that $\chi(-a) = \chi(a)^{-1} = \overline{\chi(a)}$, where the bar indicates complex conjugation.

Note that the pointwise product of the characters $\chi$ and $\psi$ is again a character:

$$(\chi\psi)(a) = \chi(a)\psi(a)$$

Let $\hat{G}$ denote the set of characters. This set forms an abelian group under the above operation.

Let $\mathbb{C}^G$ denote the space of functions $f : G \to \mathbb{C}$. An inner product on this space is defined by

$$(f, g) = \frac{1}{n} \sum_{a \in G} f(a) g(a) \qquad (A.1)$$

where $f, g \in \mathbb{C}^G$.

Theorem A.3.1. [Has01, Bab02] $\hat{G}$ forms an orthonormal space in $\mathbb{C}^G$.

Corollary A.3.2. [Has01, Bab02] Any function $f \in \mathbb{C}^G$ can be written as a linear combination of characters:

$$f = \sum_{\chi \in \hat{G}} c_\chi \chi \qquad (A.2)$$

The coefficients $c_\chi$ are called the Fourier coefficients and are given by the formula $c_\chi = (\chi, f)$.

Definition. Fourier Transform [Has01, Bab02]: The function $\hat{f} : \hat{G} \to \mathbb{C}$ defined as

$$\hat{f}(\chi) = n c_\chi = n(\chi, f) = \sum_{a \in G} \chi(a) f(a) \qquad (A.3)$$

where $\chi \in \hat{G}$ is called the Fourier transform of f. This transformation is easily inverted:

$$f(a) = \frac{1}{n} \sum_{\chi \in \hat{G}} \hat{f}(\chi)\,\chi(-a) \qquad (A.4)$$

where $a \in G$. Here, f(a) is the inverse Fourier transform.

Definition. Hadamard Transform [Car06a]: The Hadamard transform is essentially the Fourier transform with character

$$\chi_u(x) = (-1)^{u \cdot x}$$

for some u. Here, $\cdot$ denotes the usual inner product on vectors, i.e. for vectors $u = u_1 u_2 \ldots u_n$ and $x = x_1 x_2 \ldots x_n$, $u \cdot x = \sum_{i=1}^{n} u_i x_i$. Notice that

$$\chi_u(a + b) = (-1)^{(a + b) \cdot u} = \chi_u(a)\chi_u(b).$$

It is a real-valued function over $\mathbb{F}_2^n$, with $x, u \in \mathbb{F}_2^n$, defined as

$$\hat{f}(u) = \sum_{x \in \mathbb{F}_2^n} f(x)(-1)^{x \cdot u} \qquad (A.5)$$

Clearly, by definition of Hamming weight,

$$w_H(f) = \hat{f}(0) \qquad (A.6)$$

Definition. Sign Function: The sign function is defined as

$$\chi_f(x) = (-1)^{f(x)}. \qquad (A.7)$$

Definition. Walsh Transform [Car06a]: The Walsh transform of a function is the Hadamard transform of the sign function and is given by

$$\widehat{\chi_f}(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + u \cdot x} \qquad (A.8)$$

Since

$$\chi_f = 1 - 2f$$

we get

$$\widehat{\chi_f} = \hat{1} - 2\hat{f}$$

It has been proved that $\hat{1} = 2^n \delta_0$, where $\delta_0$ is the Dirac symbol: $\delta_0(u) = 1$ if u is the null vector and 0 otherwise. We do not give the proof of this here; please look at [Car06a] for details.

Hence we get

$$\widehat{\chi_f}(u) = 2^n \delta_0(u) - 2\hat{f}(u) \qquad (A.9)$$

We have that

$$\widehat{\chi_f}(0) = \hat{1}(0) - 2\hat{f}(0) = 2^n - 2\hat{f}(0)$$

which implies

$$\hat{f}(0) = 2^{n-1} - \frac{\widehat{\chi_f}(0)}{2}$$

Thus we get:

$$w_H(f) = 2^{n-1} - \frac{\widehat{\chi_f}(0)}{2} \qquad (A.10)$$

Applying this to $f \oplus l_a$, where $l_a(x) = a \cdot x$ for some $a \in \mathbb{F}_2^n$, we get

$$d_H(f, l_a) = w_H(f \oplus l_a) = 2^{n-1} - \frac{\widehat{\chi_f}(a)}{2} \qquad (A.11)$$

Note that $\oplus$ denotes addition mod 2.

Theorem A.3.3. [Car06a] Parseval's Relation: For every Boolean function $\varphi$, we have:

$$\sum_{u \in \mathbb{F}_2^n} \hat{\varphi}^2(u) = 2^n \sum_{x \in \mathbb{F}_2^n} \varphi^2(x) \qquad (A.12)$$

If $\varphi$ is the sign function, this becomes

$$\sum_{u \in \mathbb{F}_2^n} \hat{\varphi}^2(u) = 2^{2n} \qquad (A.13)$$

Definition. Walsh Spectrum: The Walsh spectrum of a Boolean function f with n variables consists of all values $\{\widehat{\chi_f}(a) \mid a \in \mathbb{F}_2^n\}$.
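The Hadamard transform, sign function, Walsh transform and the identities (A.6), (A.9), (A.10), (A.11) and (A.13) of this section, as an added example that is not code from the thesis or from [Car06a]. Every quantity is the defining sum over $\mathbb{F}_2^n$ written out directly rather than a fast transform, so both sides of each identity can be compared numerically; the input function f = x1x2 + x3 is a constructed sample, and the truth-table index is assumed to encode x1 + 2x2 + 4x3. The last function goes one step beyond the text: since (A.11) gives the distance to every linear $l_a$ and the affine function $l_a + 1$ sits at distance $2^n - d_H(f, l_a)$, the distance to the nearest affine function (the nonlinearity) is $2^{n-1} - \max_a |\widehat{\chi_f}(a)|/2$.

```python
"""Hadamard and Walsh transforms of a Boolean function, computed from the definitions.

Added example, not code from the thesis or from [Car06a]. Each quantity is the
defining sum over F_2^n written out directly (no fast transform), so the
identities (A.6), (A.9), (A.10), (A.11) and (A.13) can be checked numerically
on a small constructed function. Truth-table index x encodes x1 + 2*x2 + ...
"""


def dot(u, x):
    """Inner product u . x over F_2, on integers encoding bit vectors."""
    return bin(u & x).count("1") & 1


def hadamard(f):
    """(A.5): hat f(u) = sum_x f(x) (-1)^(x . u), for every u."""
    size = len(f)
    return [sum(f[x] * (-1) ** dot(x, u) for x in range(size)) for u in range(size)]


def sign_function(f):
    """(A.7): chi_f(x) = (-1)^f(x), i.e. 1 - 2 f(x)."""
    return [(-1) ** b for b in f]


def walsh(f):
    """(A.8): the Hadamard transform of the sign function."""
    size = len(f)
    chi = sign_function(f)
    return [sum(chi[x] * (-1) ** dot(u, x) for x in range(size)) for u in range(size)]


def hamming_weight(f):
    return sum(f)


def hamming_distance(f, g):
    return sum(a != b for a, b in zip(f, g))


def linear_function(a, n):
    """l_a(x) = a . x as a truth table on n variables."""
    return [dot(a, x) for x in range(1 << n)]


def check_identities(f):
    """Evaluate both sides of each identity; returns which ones hold for f."""
    n = len(f).bit_length() - 1
    size = 1 << n
    fh, w = hadamard(f), walsh(f)
    return {
        # (A.6): the Hadamard transform at 0 is the Hamming weight
        "A6": hamming_weight(f) == fh[0],
        # (A.9): Walsh = 2^n delta_0(u) - 2 * Hadamard
        "A9": all(w[u] == (size if u == 0 else 0) - 2 * fh[u] for u in range(size)),
        # (A.10): weight from the Walsh value at 0
        "A10": hamming_weight(f) == size // 2 - w[0] // 2,
        # (A.11): distance to every linear function l_a from the Walsh value at a
        "A11": all(hamming_distance(f, linear_function(a, n)) == size // 2 - w[a] // 2
                   for a in range(size)),
        # (A.13): Parseval for the sign function
        "A13": sum(v * v for v in w) == size * size,
    }


def nonlinearity_from_spectrum(f):
    """Distance to the nearest affine function: 2^(n-1) - max|Walsh|/2 (see lead-in)."""
    size = len(f)
    return size // 2 - max(abs(v) for v in walsh(f)) // 2


# Constructed sample on 3 variables: f(x1, x2, x3) = x1 x2 + x3 (balanced, weight 4).
SAMPLE_F = [((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1) for x in range(8)]

if __name__ == "__main__":
    print("Walsh spectrum:", walsh(SAMPLE_F))
    print(check_identities(SAMPLE_F), "nonlinearity:", nonlinearity_from_spectrum(SAMPLE_F))
```

For the sample, the Walsh spectrum factors as the spectrum of x1x2 (all entries ±2) times that of x3 (0 when u3 = 0, 2 when u3 = 1), so the largest absolute value is 4 and the nonlinearity is 2; the squares sum to 64 = 2^6 as (A.13) requires.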


Bibliography

[AA05] Armknecht and Ars. Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity. In Proceedings of International Conference on Cryptology in Malaysia (Mycrypt), LNCS, volume 1, pages 16–32, 2005.

[AAG93] A. Klapper, A. Chan, and M. Goresky. Cascaded GMW sequences. In Proceedings of IEEE Transactions on Information Theory, volume 39, pages 177–183, 1993.

[ACDG03] Akkar, Courtois, Duteuil, and Goubin. A fast and secure implementation of SFLASH. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography (PKC), pages 267–278. LNCS, 2003.

[ACG+06] Frederik Armknecht, Claude Carlet, Philippe Gaborit, Simon Kunzli, Willi Meier, and Olivier Ruatta. Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. In Advances in Cryptology: Proceedings of EUROCRYPT, volume 4004 of LNCS, pages 147–164. Springer, 2006.

[AK03] Armknecht and Krause. Algebraic attacks on combiners with memory. In Proceedings of CRYPTO, pages 162–175, 2003.

[AK06] Armknecht and Krause. Constructing single- and multi-output Boolean functions with maximal algebraic immunity. In Proceedings of Annual International Colloquium on Automata, Languages and Programming (ICALP), pages 180–191, 2006.

[And94] Anderson. Searching for the optimum correlation attack. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 137–143, 1994.

[Arm04] Armknecht. Improving fast algebraic attacks. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), LNCS, pages 65–82, 2004.

[Ars05] Ars, G. and Faugère, J.-C. Algebraic immunities of functions over finite fields. In First Workshop on Boolean Functions: Cryptography and Applications, pages 21–38, 2005.

[Bab02] László Babai. The Fourier transform and equations over finite abelian groups. http://people.cs.uchicago.edu/~laci/reu02/fourier.pdf, 2002.

[Bar07] Gregory Bard. Algorithms for solving linear and polynomial systems of equations over finite fields with applications to cryptanalysis. PhD thesis, University of Maryland at College Park, 2007. http://www.cs.umd.edu/users/jkatz/THESES/bard thesis.pdf.

[Bat04] Batten. Algebraic attacks over GF(q). In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 84–91. LNCS, Springer-Verlag, 2004.

[BC03] Biryukov and De Cannière. Block ciphers and systems of quadratic equations. In Proceedings of International Workshop on Fast Software Encryption (IWFSE), pages 274–289, 2003.

[BCJ07] Gregory V. Bard, Nicolas T. Courtois, and Chris Jefferson. Efficient methods for conversion and solution of sparse systems of low-degree multivariate polynomials over GF(2) via SAT-solvers. Technical report: Cryptology ePrint Archive, Report 2007/024, 2007.

[BD00] Biham and Dunkelman. Cryptanalysis of the A5/1 GSM stream cipher. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 43–51. LNCS, Springer-Verlag, 2000.

[BFS04] M. Bardet, J.-C. Faugère, and B. Salvy. On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In Proceedings of the International Conference on Polynomial System Solving, pages 71–74, 2004.

[BP05] Braeken and Preneel. On the algebraic immunity of symmetric Boolean functions. In Proceedings of International Conference in Cryptology in India (INDOCRYPT), pages 35–48. LNCS, Springer-Verlag, 2005.

[BPW05] Johannes Buchmann, Andrei Pychkine, and Ralf-Philipp Weinmann. Block ciphers sensitive to Gröbner basis attacks. Technical report: Cryptology ePrint Archive, Report 2005/200, 2005.

[BS91a] Biham and Shamir. Differential cryptanalysis of Snefru, Khafre, REDOC-II, LOKI, and Lucifer. In Proceedings of CRYPTO, pages 156–171, 1991.

[BS91b] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991.

[Buc06] Bruno Buchberger. Bruno Buchberger's PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. Journal of Symbolic Computation, 41(3-4):475–511, 2006.

[Can02] Canteaut. On the correlations between a combining function and functions of fewer variables. In Proceedings of the Information Theory Workshop '02, Bangalore, pages 78–81, 2002.

[Can06] Anne Canteaut. Open problems related to algebraic attacks on stream

ciphers. Proceedings of Dans Workshop on Coding and Cryptography

(WCC), 3969:120–134, 2006.

[Car02] Carlet. A larger class of cryptographic boolean functions via a study

of the maiorana-mcfarland construction. In Proceedings of CRYPTO,

pages 549–564, 2002.

[Car03] Claude Carlet. On the algebraic thickness and non-normality of boolean

functions. In Proceedings of IEEE Information Theory Workshop, pages

147–150, 2003.

76

Page 86: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Car04a] Carlet. On the confusion and diffusion properties of maiorana-

mcfarland’s and extended maiorana-mcfarland’s functions. Journal of

Complexity, 20(2-3):182–204, 2004.

[Car04b] Claude Carlet. On the degree, nonlinearity, algebraic thickness, and

nonnormality of boolean functions, with developments on symmetric

functions. IEEE Transactions on Information Theory, 50(9):2178–2185,

2004.

[Car06a] Carlet. Boolean functions for cryptography and error correcting codes

in book Boolean methods and models edited by Peter Hammer and Yves

Crama. Cambridge University Press, 2005-2006.

[Car06b] Claude Carlet. The complexity of boolean functions from cryptographic

viewpoint. In Proceedings of Dagstuhl Seminar 06111 - Complexity of

Boolean functions, 2006.

[CB06] Nicolas T. Courtois and Gregory V. Bard. Algebraic cryptanalysis of

the data encryption standard. Technical Report: Cryptology ePrint

Archive, Report 2006/402, 2006.

[CB07] Nicolas T. Courtois and Gregory V. Bard. Algebraic and slide attacks on

keeloq. Technical Report: Cryptology ePrint Archive, Report 2007/062,

2007.

[CCCF00] Canteaut, Carlet, Charpin, and Fontaine. Propagation characteristics

and correlation-immunity of highly nonlinear boolean functions. In Ad-

vances in Cryptology: Proceedings of EUROCRYPT, pages 507–522,

2000.

[CDG05] Nicolas Courtois, Blandine Debraize, and Eric Garrido. On exact al-

gebraic [non-]immunity of s-boxes based on power functions. Technical

Report: Cryptology ePrint Archive, Report 2005/203, 2005.

[CDGM06] Carlet, Dalai, Gupta, and Maitra. Algebraic immunity for cryptograph-

ically significant boolean functions: Analysis and construction. IEEE

Transactions on Information Theory, 52(7):3105–3121, 2006.

77

Page 87: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[CHJ02] Coppersmith, Halevi, and Jutla. Cryptanalysis of stream ciphers with

linear masking. In Proceedings of CRYPTO, pages 515–532, 2002.

[Cid04] Cid. Some algebraic aspects of the advanced encryption standard. In

Proceedings of International Conference on Advanced Encryption Stan-

dard (AES), LNCS, volume 4, pages 58–66, 2004.

[CJ00] John Clark and Jeremy Jacob. Two-stage optimisation in the design of

boolean functions. In Proceedings of the 5th Australasian Conference on

Information Security and Privacy (ACISP), pages 242–254. Springer-

Verlag, 2000.

[CJJ+03] Nicolas T. Courtois, Robert T. Johnson, Pascal Junod, Thomas Pornin,

and Michael Scott. Did filiol break aes ? Techincal Report: Cryptology

ePrint Archive, Report 2003/022, 2003.

[CJMS04] Clark, Jacob, Maitra, and Stanica. Almost boolean functions: The

design of boolean functions by spectral inversion. Computational Intel-

ligence: An International Journal, 20(3):450–462, 2004.

[CJS+02] Clark, Jacob, Stepney, Maitra, and Millan. Evolving boolean functions

satisfying multiple criteria. In Proceedings of International Conference

in Cryptology in India (INDOCRYPT), pages 246–259. LNCS, Springer-

Verlag, 2002.

[CJS05] John A. Clark, Jeremy L. Jacob, and Susan Stepney. The design of s-

boxes by simulated annealing. New Generation Computing, 23(3):219–

231, 2005.

[CKPS00] Courtois, Klimov, Patarin, and Shamir. Efficient algorithms for solving

overdefined systems of multivariate polynomial equations. In Advances

in Cryptology: Proceedings of EUROCRYPT, page 392, 2000.

[CL04] Cheon and Lee. Resistance of S-boxes against algebraic attacks. In

Proceedings of International Workshop on Fast Software Encryption

(IWFSE), LNCS, pages 83–94, 2004.

78

Page 88: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[CL06] Hao Chen and Jianhua Li. Lower bounds on the algebraic immunity

of boolean functions. ArXiv Computer Science e-prints, cs/0608080,

September 02 2006.

[CM03] Courtois and Meier. Algebraic attacks on stream ciphers with linear

feedback. In Advances in Cryptology: Proceedings of EUROCRYPT,

page 644, 2003.

[CM07] Claude Carlet and Sihem Mesnager. Improving the upper bounds on

the covering radii of binary reed-muller codes. IEEE Transactions on

Information Theory, 53(1):162–173, 2007.

[CMR04] Cid, Murphy, and Robshaw. Computational and algebraic aspects of

the advanced encryption standard. In Proceedings of the Seventh In-

ternational Workshop on Computer Algebra in Scientific Computing,

(CASC), pages 93–103, 2004.

[CMR05] Cid, Murphy, and Robshaw. Small scale variants of the aes. In Proceed-

ings of International Workshop on Fast Software Encryption (IWFSE),

LNCS, pages 145–162, 2005.

[CMR06] Carlos Cid, Sean Murphy, and Matthew Robshaw. Algebraic Aspects of

the Advanced Encryption Standard, volume 310 of Advances in Informa-

tion Security. Springer-Verlag, 2006.

[Cop] D. Coppersmith. Xsl against rijndael. http://www.schneier.com/crypto-

gram-0210.html#8.

[Cor04] Coron. Cryptanalysis of a public-key encryption scheme based on the

polynomial reconstruction problem. In Proceedings of International

Workshop on Practice and Theory in Public Key Cryptography (PKC),

pages 14–27. LNCS, 2004.

[Cou] N. Courtois. Is aes a secure cipher? http://www.cryptosystem.net/aes/.

[Cou01] Courtois. The security of hidden field equations (HFE). In Proceedings

of The Cryptographers’ Track at RSA (CTRSA), LNCS, pages 266–281,

2001.

79

Page 89: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Cou02] Courtois. Higher order correlation attacks, XL algorithm and crypt-

analysis of toyocrypt. In Proceedings of International Conference on

Information Security and Cryptology (ICISC), pages 182–199. LNCS,

2002.

[Cou03] Courtois. Fast algebraic attacks on stream ciphers with linear feedback.

In Proceedings of CRYPTO, pages 176–194, 2003.

[Cou04a] Courtois. Algebraic attacks on combiners with memory and several

outputs. In Proceedings of International Conference on Information

Security and Cryptology (ICISC), pages 3–20. LNCS, 2004.

[Cou04b] Courtois. Algebraic attacks over GF (2k), application to HFE challenge

2 and sflash-v2. In Proceedings of International Workshop on Practice

and Theory in Public Key Cryptography (PKC), pages 201–217. LNCS,

2004.

[Cou04c] Courtois. General principles of algebraic attacks and new design criteria

for cipher components. In Proceedings of International Conference on

Advanced Encryption Standard (AES), LNCS, volume 4, pages 67–83,

2004.

[Cou07a] Nicolas T. Courtois. Ctc2 and fast algebraic attacks on block ciphers re-

visited. Technical Report: Cryptology ePrint Archive, Report 2007/152,

2007.

[Cou07b] Nicolas T. Courtois. How fast can be algebraic attacks on block ci-

phers? In Symmetric Cryptography, number 07021 in Dagstuhl Seminar

Proceedings, 2007.

[CP02] Courtois and Pieprzyk. Cryptanalysis of block ciphers with overde-

fined systems of equations. In Advances in Cryptology : Proceedings of

ASIACRYPT– International Conference on the Theory and Application

of Cryptology, pages 267–287. LNCS, Springer-Verlag, 2002.

[CSV97] Coppersmith, Stern, and Vaudenay. The security of the birational per-

mutation signature schemes. Journal of Cryptology, 10(3):207–221, 1997.

80

Page 90: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[CT00] Canteaut and Trabbia. Improved fast correlation attacks using parity-

check equations of weight 4 and 5. In Advances in Cryptology: Proceed-

ings of EUROCRYPT, pages 573–588, 2000.

[CY05] Claude Carlet and Joseph L. Yucas. Piecewise constructions of bent and

almost optimal boolean functions. Designs, Codes and Cryptography,

37(3):449–464, 2005.

[DG03] A. Dimovski and D. Gligoroski. Generating highly nonlinear boolean

functions using a genetic algorithm. In Proceedings of Telecommunica-

tions in Modern Satellite, Cable and Broadcasting Service, Vol 2., pages

604– 607, 2003.

[DGM04] Dalai, Gupta, and Maitra. Results on algebraic immunity for cryp-

tographically significant boolean functions. In Proceedings of Interna-

tional Conference in Cryptology in India (INDOCRYPT), pages 92–106.

LNCS, Springer-Verlag, 2004.

[DGM06] Deepak Kumar Dalai, Kishan Chand Gupta, and Subhamoy Maitra.

Notion of algebraic immunity and its evaluation related to fast alge-

braic attacks. In Second International Workshop of Boolean Functions:

Cryptography and Applications (BFCA), pages 107–124, 2006.

[DMS06] Deepak Kumar Dalai, Subhamoy Maitra, and Sumanta Sarkar. Ba-

sic theory in construction of boolean functions with maximum possible

annihilator immunity. Designs, Codes and Cryptography, 40(1):41–58,

2006.

[DR00] Joan Daemen and Vincent Rijmen. Answer to ”new observations on

rijndael”, August 11 2000. http://citeseer.ist.psu.edu/317291.html.

[DR02] Daemen and Rijmen. Security of a wide trail design. In Proceedings of

International Conference in Cryptology in India (INDOCRYPT), pages

1–11. LNCS, Springer-Verlag, 2002.

[DT06] Frederic Didier and Jean-Pierre Tillich. Computing the algebraic im-

munity efficiently. In Proceedings of Fast Software Encryption, 13th

81

Page 91: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

International Workshop, (FSE) Revised Selected Papers, volume 4047

of LNCS, pages 359–374. Springer, 2006.

[DXS91] C. (Cunsheng) Ding, G. Xiao, and W. Shan. The stability theory of

stream ciphers, volume 561 of LNCS. Springer-Verlag, 1991.

[ES03] Een and Sorensson. An extensible SAT-solver. In Proceedings of Inter-

national Conference on Theory and Applications of Satisfiability Testing

(SAT), LNCS, volume 6, pages 502–518, 2003.

[FA03] Jean-Charles Faugere and Gwenole Ars. An algebraic crypt-

analysis of nonlinear filter generators using grobner bases.

http://hal.ccsd.cnrs.fr/docs/00/07/18/48/PDF/RR-4739.pdf, 2003.

INRIA report RR-4739.

[FD85] Fell and Diffie. Analysis of a public key approach based on polynomial

substitution. In Proceedings of CRYPTO, pages 340–349, 1985.

[Fil02] Eric Filiol. A new statistical testing for symmetric ciphers and hash func-

tions. Technical Report: Cryptology ePrint Archive, Report 2002/099,

2002. http://eprint.iacr.org/.

[FIL03] Eric FILIOL. Plaintext-dependant repetition codes cryptanalysis of

block ciphers - the aes case. Technical Report: Cryptology ePrint

Archive, Report 2003/003, 2003.

[FJ03] Faugere and Joux. Algebraic cryptanalysis of hidden field equation

(HFE) cryptosystems using grobner bases. In Proceedings of CRYPTO,

pages 44–60, 2003.

[FL01] Fluhrer and Lucks. Analysis of the E0 encryption system. In Proceedings

of the Annual International Workshop on Selected Areas in Cryptography

(SAC), pages 38–48. LNCS, 2001.

[FM02] Joanne Fuller and William Millan. On linear redundancy in the aes s-

box. Technical Report: Cryptology ePrint Archive, Report 2002/111,

2002.

82

Page 92: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[FT01] Fedorova and Tarannikov. On the constructing of highly nonlinear re-

silient boolean functions by means of special matrices. In Proceedings of

International Conference in Cryptology in India (INDOCRYPT), pages

254–266. LNCS, Springer-Verlag, 2001.

[GBM02] Golic, Bagini, and Morgari. Linear cryptanalysis of bluetooth stream

cipher. In Advances in Cryptology: Proceedings of EUROCRYPT, pages

238–255, 2002.

[GJ79] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide

to the Theory of NP-Completeness. W. H. Freeman, 1979.

[Gol96] Golic. On the security of nonlinear filter generators. In Proceedings of

International Workshop on Fast Software Encryption (IWFSE), LNCS,

pages 173–188, 1996.

[GS05] Gupta and Sarkar. Improved construction of nonlinear resilient S-boxes.

IEEE Transactions on Information Theory, 51(1):339–348, 2005.

[Has01] Hastad. Some optimal inapproximability results. Journal of the ACM,

48(4):798–859, 2001.

[HKM95] Harpes, Kramer, and Massey. A generalization of linear cryptanaly-

sis and the applicability of matsui’s piling-up lemma. In Advances in

Cryptology: Proceedings of EUROCRYPT, pages 24–38, 1995.

[HPS93] Hastad, Phillips, and Safra. A well-characterized approximation prob-

lem. Information Processing Letters, 47(6):301–305, 1993.

[HR04] Hawkes and Rose. Rewriting variables: The complexity of fast algebraic

attacks on stream ciphers. In Proceedings of CRYPTO, pages 390–406,

2004.

[Hug02] Hughes. A linear algebraic attack on the AAFG1 braid group cryptosys-

tem. In Proceedings of Information Security and Privacy: Australasian

Conference (ACISP), pages 176–189, 2002.

83

Page 93: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Imp01] Impagliazzo. Hill-climbing vs. simulated annealing for planted bisec-

tion problems. In Proceedings of International Workshop on Approxi-

mation Algorithms for Combinatorial Optimization (APPROX), pages

2–5, 2001.

[JDH07] Xin Jiang, Jintai Ding, and Lei Hu. Kipnis-shamir’s attack on hfe revis-

ited. In Proceedings of the 3rd International Conference on Information

Security and Cryptology (SKLOIS), 2007. to appear.

[JJ99] Johansson and Jonsson. Improved fast correlation attacks on stream

ciphers via convolutional codes. In Advances in Cryptology: Proceedings

of EUROCRYPT, pages 347–362, 1999.

[KCP00] Kang, Chee, and Park. A note on the higher order differential attack of

block ciphers with two-block structures. In Proceedings of International

Conference on Information Security and Cryptology (ICISC), pages 1–

13. LNCS, 2000.

[Key02] Keys. A tutorial on linear and differential cryptanalysis. Cryptologia,

26, 2002.

[KG03] Khoongming Khoo and Guang Gong. New constructions for resilient

and highly nonlinear boolean functions. In Proceedings of Information

Security and Privacy, 8th Australasian Conference (ACISP), pages 498–

509, 2003.

[KJV83] S. Kirkpatrick, C. D. Gelatt Jr., and M. P. Vecchi. Optimization by

simulated annealing. Science, 220(4598):671–679, 1983.

[KMI91] Kwangjo Kim, Tsutomu Matsumoto, and Hideki Imai. A recursive con-

struction method of S-boxes satisfying strict avalanche criterion. Pro-

ceedings of the 10th Annual International Cryptology Conference on Ad-

vances in Cryptology, 537:564–574, 1991.

[Knu94] Knudsen. Truncated and higher order differentials. In Proceedings of

International Workshop on Fast Software Encryption (IWFSE), LNCS,

pages 196–211, 1994.

84

Page 94: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[KR94] Kaliski and Robshaw. Linear cryptanalysis using multiple approxima-

tions. In Proceedings of CRYPTO, pages 26–39, 1994.

[KS98] Kipnis and Shamir. Cryptanalysis of the oil and vinegar signature

scheme. In Proceedings of CRYPTO, pages 257–267, 1998.

[KS99] Kipnis and Shamir. Cryptanalysis of the HFE public key cryptosystem

by relinearization. In Proceedings of CRYPTO, pages 19–30, 1999.

[KTLG05] Khoongming Khoo, Guat-Ee Tan, Hian-Kiat Lee, and Guang Gong.

Comparison of boolean function design. In Proceedings of International

Symposium on Information Theory (ISIT), pages 1111–1115, 2005.

[Lai94] Lai. Higher order derivatives and differential cryptanalysis. In Proceed-

ings of Symposium on communication, coding and cryptography, pages

227–233, 1994.

[Lan90] Philippe Langevin. Covering radius of RM (1, 9) in RM (3, 9). In Pro-

ceedings of EUROCODE, volume 514 of LNCS, pages 51–59. Springer,

1990.

[LCPP96] S. Lee, S. Chee, S. Park, and S. Park. Conditional correlation attack on

nonlinear filter generators. In Advances in Cryptology : Proceedings of

ASIACRYPT– International Conference on the Theory and Application

of Cryptology, pages 360–367, 1996.

[LfQ05] Na Li and Wen feng Qi. Symmetric boolean function with maximum al-

gebraic immunity on odd number of variables. ArXiv Computer Science

e-prints, cs/0511099, 2005.

[LN83] Rudolf Lidl and Harald Niederreiter. Finite Fields. Addison-Wesley,

1983.

[Lob05] M. Lobanov. Tight bound between nonlinearity and algebraic im-

munity. In Proceedings of the Second International Scientific Con-

ference on Security and Countering Terrorism Issues, 2005. cite-

seer.ist.psu.edu/lobanov05tight.html.

85

Page 95: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Loh03] Bernhard Lohlein. Attacks based on conditional correlations against

the nonlinear filter generator. http://citeseer.ist.psu.edu/554481.html;

http://eprint.iacr.org/2003/020.ps.gz, February 03 2003.

[LP03] Lee and Park. Cryptanalysis of the public-key encryption based on braid

groups. In Advances in Cryptology: Proceedings of EUROCRYPT, pages

477–490, 2003.

[LQ06] N. Li and W.-F. Qi. Construction and Count of Boolean Functions of an

Odd Number of Variables with Maximum Algebraic Immunity. ArXiv

Computer Science e-prints, cs/0605139, 2006.

[Lup70] O. B. Lupanov. On circuits of functional elements with delay. Probl.

Kibern, 23:43–81, 1970.

[LZGB02] Sabine Leveiller, Gilles Zemor, Philippe Guillot, and Joseph Boutros. A

new cryptanalytic attack for pn-generators filtered by a boolean func-

tion. In Proceedings of Selected Areas in Cryptography, pages 232–249,

2002.

[Mas69] J. L. Massey. Shift-register synthesis and BCH decoding. IEEE Trans-

actions on Information Theory, 15:122–127, 1969.

[Mat93] Matsui. Linear cryptanalysis method for DES cipher. In Advances in

Cryptology: Proceedings of EUROCRYPT, pages 386–397, 1993.

[Mat94] Matsui. The first experimental cryptanalysis of the data encryption

standard. In Proceedings of CRYPTO, pages 1–11, 1994.

[Mat99] Matsui. On a structure of block ciphers with provable security against

differential and linear cryptanalysis. IEICE Transactions on Communi-

cations, Electronics, Information and Systems, 1999.

[MCD97a] Millan, Ckark, and Dawson. An effective genetic algorithm for finding

highly nonlinear boolean functions. In Proceedings of International Con-

ference on Information and Communications Security (ICIS), LNCS,

page 149, 1997.

86

Page 96: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[MCD97b] W. Millan, A. Clark, and E. Dawson. Smart hill climbing finds better

boolean functions. citeseer.ist.psu.edu/millan97smart.html, 1997. 4th

Workshop on Selected Areas in Cryptography SAC’97, 1997.

[MCD98] Millan, Clark, and Dawson. Heuristic design of cryptographically strong

balanced boolean functions. In Advances in Cryptology: Proceedings of

EUROCRYPT, pages 489–499, 1998.

[MCD99] Millan, Clark, and Dawson. Boolean function design using hill climbing

methods. In Proceedings of Information Security and Privacy: Aus-

tralasian Conference (ACISP), pages 1–11, 1999.

[MFD03] William Millan, Joanne Fuller, and Ed Dawson. New concepts in evo-

lutionary search for boolean functions in cryptology. In Ruhul Sarker,

Robert Reynolds, Hussein Abbass, Kay Chen Tan, Bob McKay, Daryl

Essam, and Tom Gedeon, editors, Proceedings of the 2003 Congress on

Evolutionary Computation, pages 2157–2164. IEEE Press, 2003.

[MI88] Matsumoto and Imai. Public quadratic polynomial-tuples for efficient

signature-verification and message-encryption. In Advances in Cryptol-

ogy: Proceedings of EUROCRYPT, pages 419–453, 1988.

[Mit05] Mitchell. A SAT solver primer. Bulletin of the European Association

for Theoretical Computer Science, 85:112–133, 2005.

[MMZ+01] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang,

and Sharad Malik. Chaff: Engineering an Efficient SAT Solver. In

Proceedings of the 38th Design Automation Conference (DAC’01), pages

530–535, June 2001.

[Moh02] T. Moh. Comments on the courtois-pieprzyk’s attack on rijndael.

http://www.usdsi.com/aes.html, 2002.

[MPC04] Meier, Pasalic, and Carlet. Algebraic attacks and decomposition of

boolean functions. In Advances in Cryptology : Proceedings of EU-

ROCRYPT, pages 474–491, 2004.

[MR00] S. Murphy and M. Robshaw. New observations on rijndael, 2000. cite-

seer.ist.psu.edu/murphy00new.html.

87

Page 97: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[MR02] Murphy and Robshaw. Essential algebraic structure within the AES. In

Proceedings of CRYPTO, pages 1–16, 2002.

[MR03] S. Murphy and M. Robshaw. Comments on the security of the aes and

the xsl technique. Electronic Letters, 39:36–38, 2003.

[MS88] Meier and Staffelbach. Fast correlation attacks on stream ciphers. In

Advances in Cryptology: Proceedings of EUROCRYPT, pages 301–316,

1988.

[MS89a] Meier and Staffelbach. Fast correlation attacks on certain stream ci-

phers. Journal of Cryptology, 1(3):159–176, 1989.

[MS89b] Meier and Staffelbach. Nonlinearity criteria for cryptographic functions.

In Advances in Cryptology: Proceedings of EUROCRYPT, pages 549–

562, 1989.

[Mul04] Muller. Differential attacks against the helix stream cipher. In Proceed-

ings of International Workshop on Fast Software Encryption (IWFSE),

LNCS, pages 94–108, 2004.

[MvOV97] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Hand-

book of Applied Cryptography. CRC Press, 1997.

[MY92] Matsui and Yamagishi. A new method for known plaintext attack of

FEAL cipher. In Advances in Cryptology: Proceedings of EUROCRYPT,

pages 81–91, 1992.

[NGG06] Yassir Nawaz, Guang Gong, and Kishan Chand Gupta. Upper bounds on

algebraic immunity of boolean power functions. In Proceedings of Fast

Software Encryption, 13th International Workshop, FSE 2006, Graz,

Austria, Revised Selected Papers, volume 4047 of LNCS, pages 375–389.

Springer, 2006.

[Obi] M Obitko. Genetic algorithms. http://cs.felk.cvut.cz/~xobitko/ga/.

[OS98] Daniel Olejar and Martin Stanek. On cryptographic properties of

random boolean functions. Journal of Universal Computer Science,

4(8):705–717, 1998.

88

Page 98: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[OSS84] Ong, Schnorr, and Shamir. An efficient signature scheme based on

quadratic equations. In Proceedings of ACM Symposium on Theory of

Computing (STOC), pages 208–216, 1984.

[Pas03] Pasalic. Degree optimized resilient boolean functions from maiorana-

mcfarland class. In Proceedings of Conference on Cryptography and

Coding (IMA), LNCS, pages 93–114, 2003.

[Pas06] Pasalic. Maiorana-mcfarland class: Degree optimization and algebraic

properties. IEEE Transactions on Information Theory, 52(10):4581–

4594, 2006.

[Pat95] Patarin. Cryptanalysis of the matsumoto and imai public key scheme

of eurocrypt ’88. In Proceedings of CRYPTO, pages 248–261, 1995.

[Pat96] Patarin. Hidden fields equations (HFE) and isomorphisms of polynomi-

als (IP): Two new families of asymmetric algorithms. In Advances in

Cryptology: Proceedings of EUROCRYPT, pages 33–48, 1996.

[Pat97] J. Patarin. The oil and vinegar algorithm for signatures. In Proceedings

of Dagstuhl workshop of cryptography, 1997.

[PLL+90] Preneel, Van Leekwijk, Van Linden, Govaerts, and Vandewalle. Propa-

gation characteristics of boolean functions. In Advances in Cryptology:

Proceedings of EUROCRYPT, pages 161–173, 1990.

[PS87] Pollard and Schnorr. An efficient solution of the congruence x2 + ky2 =

m(modn). IEEE Transactions on Information Theory, 33(5):702–709,

1987.

[Rom92] Steven Roman. Advanced Linear Algebra. Springer-Verlag, 1992.

[RS87] Rainer A. Rueppel and Othmar Staffelbach. Products of linear recurring

sequences with maximum complexity. IEEE Transactions on Informa-

tion Theory, 33(1):124–131, 1987.

[RS06] Hvard Raddum and Igor Semaev. New technique for solving sparse

equation systems. Technical Report: Cryptology ePrint Archive, Report

2006/475, 2006.

89

Page 99: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Rue86] R. A. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag,

1986.

[Sch] Bruce Schneier. Aes news. http://www.schneier.com/crypto-gram-

0209.html#1.

[Sei84] T. Seigenthaler. Correlation-immunity of nonlinear combining functions

for cryptographic applications. IEEE Transactions on Information The-

ory, 30(5):776–779, 1984.

[Sha49] C. E. Shannon. Communication theory of secrecy systems. Bell Systems

Tech. Journal, 28:657–715, 1949.

[Sha93] Shamir. Efficient signature schemes based on birational permutations.

In Proceedings of CRYPTO, pages 1–12, 1993.

[SKI06] Makoto Sugita, Mitsuru Kawazoe, and Hideki Imai. Relation between

the xl algorithm and grobner basis algorithms. IEICE Transactions on

Fundamentals of Electronics, Communications and Computer Sciences,

E89-A(1):11–18, 2006.

[SM00a] Sarkar and Maitra. Construction of nonlinear boolean functions with

important cryptographic properties. In Advances in Cryptology: Pro-

ceedings of EUROCRYPT, pages 485–506, 2000.

[SM00b] Sarkar and Maitra. Nonlinearity bounds and constructions of resilient

boolean functions. In Proceedings of CRYPTO, pages 515–532, 2000.

[SS04] Marta Simovcov and Martin Stanek. Generating cryptographically

strong boolean functions using partial information. Periodica Mathemat-

ica Hungarica, 49(1):119–130, 2004. citeseer.ist.psu.edu/525089.html.

[Stu05] Sturmfels. What is a grobner basis? Notices of the American Mathe-

matical Society, 52:1199–1200, 2005.

[Tar00] Tarannikov. On resilient boolean functions with maximal possible non-

linearity. In Proceedings of International Conference in Cryptology in

India (INDOCRYPT), pages 19–30. LNCS, Springer-Verlag, 2000.

90

Page 100: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[Tar01] Tarannikov. New constructions of resilient boolean functions with max-

imal nonlinearity. In Proceedings of International Workshop on Fast

Software Encryption (IWFSE), LNCS, pages 66–77, 2001.

[TSM95] Tokita, Sorimachi, and Matsui. On applicability of linear cryptanaly-

sis to DES-like cryptosystems–LOKI89, LOKI91ands2DES–. IEICE

Transactions on Communications, Electronics, Information and Sys-

tems, 78(9):1148–1153, 1995.

[Wag04] Wagner. Towards a unifying view of block cipher cryptanalysis. In

Proceedings of International Workshop on Fast Software Encryption

(IWFSE), LNCS, pages 16–33, 2004.

[WB02] Wu and Bao. Cryptanalysis of stream cipher cos (2, 128) mode i. In Pro-

ceedings of Information Security and Privacy: Australasian Conference

(ACISP), pages 154–158, 2002.

[WT85] Webster and Tavares. On the design of S-boxes. In Proceedings of

CRYPTO, pages 523–534, 1985.

[XGZ88] J.L Massey Xiao Guo-Zhen. A spectral characterization of correlation

immune combining functions. IEEE Transactions on Information The-

ory, 34(3):569–571, 1988.

[YLH98] Yi, Lam, and Han. Differential cryptanalysis of a block cipher. In Pro-

ceedings of Information Security and Privacy: Australasian Conference

(ACISP), pages 58–67, 1998.

[YT95] A. M. Youssef and S. E. Tavares. Resistance of balanced s-boxes to

linear and differential cryptanalysis. Information Processing Letters,

56(5):249–252, December 1995.

[ZH05] Xiangyong Zeng and Lei Hu. Constructing boolean functions by modify-

ing maiorana-mcfarland’s superclass functions. IEICE Transactions on

Fundamentals of Electronics, Communications and Computer Sciences,

88-A(1):59–66, 2005.

91

Page 101: Copyright by Shweta Prem Agrawal 2007shweta/papers/shweta_masters_thesis.pdf · Algebraic Attacks: A Survey by Shweta Prem Agrawal, B.E. Thesis Presented to the Faculty of the Graduate

[ZYR89] Zeng, Yang, and Rao. On the linear consistency test (LCT) in crypt-

analysis with applications. In Proceedings of CRYPTO, pages 164–174,

1989.

[ZZ00] Zheng and Zhang. Improved upper bound on the nonlinearity of high

order correlation immune functions. In Proceedings of the Annual In-

ternational Workshop on Selected Areas in Cryptography (SAC), pages

262–274. LNCS, 2000.

[ZZI99] Zheng, Zhang, and Imai. Restriction, terms and nonlinearity of boolean

functions. Theoretical Computer Science, 226(1-2):207–223, 1999.

92


Vita

Educational Qualifications:

Graduate Student, Computer Science, University of Texas, Austin.

Bachelor of Engineering, Information Technology, University of Pune, India.

Research interests:

Complexity theory, cryptography, information theory and all things mathematical.

Permanent Address: L/A-4, 303, Ajmera housing complex, Pimpri, Pune 411018.

This thesis was typeset with LaTeX2ε[1] by the author.

[1] LaTeX2ε is an extension of LaTeX. LaTeX is a collection of macros for TeX. TeX is a trademark of the American Mathematical Society. The macros used in formatting this thesis were written by Dinesh Das, Department of Computer Sciences, The University of Texas at Austin, and extended by Bert Kay, James A. Bednar, and Ayman El-Khashab.
