Cross-Correlation Analysis of Cryptographically Useful Boolean Functions and S-Boxes

DOI: 10.1007/s00224-001-1019-1

Theory Comput. Systems35, 39–57 (2002) Theory ofComputing

Systems© 2002 Springer-Verlag

New York Inc.

Cross-Correlation Analysis of Cryptographically UsefulBoolean Functions and S-Boxes∗

P. Sarkar1 and S. Maitra2

1Applied Statistics Unit, Indian Statistical Institute,203 B.T. Road, Calcutta 700 035, [email protected]

2Computer and Statistical Service Centre, Indian Statistical Institute,203 B.T. Road, Calcutta 700 035, [email protected]

Abstract. We use the cross-correlation function as a fundamental tool to studycryptographic properties of Boolean functions. This provides a unified treatmentof a large section of Boolean function literature. In the process we generalize oldresults and obtain new characterizations of cryptographic properties. In particu-lar, new characterizations of bent functions and functions satisfying propagationcharacteristics are obtained in terms of the cross-correlation and auto-correlationproperties of subfunctions. The exact relationship between the algebraic structureof the non-zeros of the spectrum and the auto-correlation values is obtained fora cryptographically important class of functions. Finally we study the suitabilityof S-boxes in stream ciphers and conclude that currently known constructions forS-boxes may not be adequate for such applications.

1. Introduction

In his seminal paper on cryptography, Shannon [14] outlined the basic design principlesof secret key cryptosystems. These principles were calledconfusionanddiffusion. Theprinciple of confusion underlines the importance of hiding the overall structure of thecryptosystem, while diffusion suggests that uncertainty is spread out evenly over thewhole system.

∗ This work was done while Palash Sarkar was at the Centre for Applied Cryptographic Research,University of Waterloo.

40 P. Sarkar and S. Maitra

In most secret key cryptosystems, the basic components are Boolean functions,which are maps fromn-bit strings to{0,1}. Attempts have been made to translate Shan-non’s notions of confusion and diffusion to properties of Boolean functions [1]. From amore practical standpoint, research in cryptanalysis of secret key systems have shownthe necessity for Boolean functions to possess certain cryptographic properties.

Here we approach the design problem for Boolean functions from Shannon’s stand-points of confusion and diffusion. We try to explain these concepts in terms of correla-tion between two Boolean functions. If two functions are highly correlated, then theyare “close” to each other in a precise statistical sense. On the other hand a correlationof zero between two functions means that statistically the functions are far apart. Thenotion of confusion can be interpreted as meaning that the constituent functions of asecret key system should have small correlation to each other. This results in the con-stituent functions being “very different” from each other. Diffusion on the other handcan be interpreted as meaning that the constituent Boolean functions should have certain“uniformity” properties, leading to an overall “uniformity” of the cryptosystem.

Most works on Boolean function design have been motivated by properties whichresist known attacks. While this is useful for current practice, a fundamental under-standing is required in the long run. The main theoretical requirement is to understandthe relationship between Shannon’s informal concepts of confusion and diffusion andcryptographic properties of Boolean functions motivated by practical considerations. Inthis article we attempt such an investigation.

The basic tool in our study is correlation between two Boolean functions. Specialforms of this correlation have already been studied. For example, the correlations of aBoolean function to linear functions constitute the spectrum of the Boolean functionand have been used quite extensively in Boolean function literature. Another kind ofcorrelation is the correlation of a function with its dyadic shifts. The values of this kindof correlation is given by the auto-correlation function.

We study the more general notion of correlation between two arbitrary functions.This is called the cross-correlation between the functions. Here we treat the cross-correlation function as a fundamental tool and present a unified view of a large sectionof Boolean function theory. The relationship between cross-correlation and spectra offunctions is characterized. The concept of cross-correlation allows us to generalize manyof the results on cryptographic properties of Boolean functions that have previouslyappeared in the literature. Further, we obtain new characterization of bent functionsand functions satisfying propagation characteristics in terms of the cross-correlation andauto-correlation of subfunctions.

The relationship between the algebraic structure of the non-zeros of the spectrum andthe auto-correlation values is characterized for functions whose non-zero spectral valueshave the same magnitude. This class of functions encompass several cryptographicallyimportant classes of functions. The use of S-boxes in stream ciphers have been proposedto speed up the system further. We carefully examine this proposition and conclude thatthe currently known constructions may not be adequate for such applications.

2. Preliminaries

An n-variable Boolean function is a mapf : {0,1}n→ {0,1}. In Section 7 we considerS-boxes (or vectorial functions) which are mapsf : {0,1}n→ {0,1}m. Let F2 = GF(2).

Cross-Correlation Analysis of Boolean Functions and S-Boxes 41

We consider the domain of a Boolean function to be the vector space(Fn2 ,⊕) over F2,

where⊕ is used to denote the addition operator over bothF2 and the vector spaceFn2 .

The inner product of two vectorsu, v ∈ Fn2 will be denoted by〈u, v〉. The weight of an

n-bit vectoru is the number of ones inu and will be denoted by wt(u).The fundamental tool that we use in this paper is the correlation between two arbitrary

Boolean functions which is called the cross-correlation. The cross-correlation betweentwo functions f andg is an integer-valued functionCf,g: {0,1}n → [−2n,2n] definedby

Cf,g(u) =∑x∈Fn

2

(−1) f (x)⊕g(x⊕u). (1)

Note that the quantityCf,g(0) denotes the correlation between the functionsf andg.The following simple result states some of the basic properties of the cross-correlationfunction. The proof is just routine verification from the definition.

Lemma 2.1. Let f(x), g(x)be n-variable functions and define h(x) = f (x)⊕g(x⊕a)for some a∈ Fn

2 . Then(a) wt(h(x)) = wt(h(x ⊕ a)), (b) Cf,g(a) = 2n − 2× wt(h(x))and(c) Cf,g(a) = Cg, f (a).

We say that twon-variable functionsf andg areperfectly uncorrelatedif Cf,g(u) = 0for all u ∈ Fn

2 . Weaker forms of this notion are obtained by restricting the set ofu forwhichCf,g(u) = 0. We say that two functions areuncorrelated of degree kif Cf,g(u) = 0for all u ∈ Fn

2 such that 0≤ wt(u) ≤ k.We interpret Shannon’s notion of confusion in the sense of heterogeneity. If the

component functions of a secret key system are pairwise perfectly uncorrelated, thenthe statistical distance between any two functions is the maximum possible and we saythat the system has the best possible confusion. However, this may be too restrictivein practice. Thus it may be desirable to enforce pairwise uncorrelatedness of degreek.Another approach could be to ensure that for eachu, the values of|Cf,g(u)| is boundedabove by a “small” constant. This will ensure that the cross-correlation between thefunctions is uniformly small.

The Fourier Transform is the most widely used tool in the analysis of Booleanfunctions. In most cases it is convenient to apply the Fourier Transform to(−1) f (x) insteadof f (x). The resulting transform is called the Walsh Transform off (x). More precisely,the Walsh Transform off (x) is an integer-valued functionWf : {0,1}n → [−2n,2n]defined by (see [6])

Wf (u) =∑w∈Fn

2

(−1) f (w)⊕〈u,w〉.

The Walsh Transform is called the spectrum off . Note that the spectrum measures thecross-correlations between a function and the set of linear functions. Another way oflooking at the spectrum is via Hadamard matrices. LetHn be the Hadamard matrix oforder 2n defined recursively as (see [9])

H1 =[

1 1

1 −1

],

Hn = H1⊗ Hn−1 for n > 1,


where⊗ denotes the Kronecker product of two matrices. Considering the rows andcolumns ofHn to be indexed by the elements ofFn

2 , we obtain [Hn](u,v) = (−1)〈u,v〉.Using this fact the Walsh Transform can be written as

[(−1) f (0), . . . , (−1) f (2n−1)]Hn = [Wf (0), . . . ,Wf (2n − 1)].

Since Hn Hn = 2n I2n , post-multiplying both sides byHn, we get the inverse WalshTransform:

(−1) f (u) = 1

2n

∑w∈Fn

2

Wf (w)(−1)〈u,w〉.

A parameter of fundamental importance in cryptography is the non-linearity of afunction (see [9]). This is defined to be the distance from the set of all affine functions.It is more convenient to define it in terms of the spectrum of a Boolean function. Thenon-linearity nl( f ) of ann-variable Boolean functionf , is defined as

nl( f ) = 2n−1− 12 max

u∈Fn2

|Wf (u)|.

Another commonly used tool is the auto-correlation function which provides thecross-correlation values of a function with its dyadic shifts. The auto-correlation functionis an integer-valued mapCf : {0,1}n→ [−2n,2n] defined by (see [9] for a related conceptcalled the directional derivative)

Cf (u) =∑w∈Fn

2

(−1) f (w)⊕ f (u⊕w).

It is clear thatCf (0) = 2n. The auto-correlation is not a transform in the sense that itdoes not uniquely determine the function.

Several important classes of Boolean functions can be described in terms of thespectrum and the auto-correlation function:

1. For evenn, ann-variable function f is calledbent if Wf (u) = ±2n/2, for allu ∈ Fn

2 (see [12]). This class of functions are important in both cryptographyand coding theory.

2. Ann-variable function is calledcorrelation immuneof orderm(m-CI) if Wf (u) =0 for all 1≤ wt(u) ≤ m (see [15] and [17]). Further, if the function is balanced,thenWf (0) = 0 and the function is calledm-resilient.

3. An n-variable function is said to satisfypropagation characteristicsof orderk(PC(k)) if Cf (u) = 0 for all 1≤ wt(u) ≤ k (see [11]).

If f is a bent function, thenCf (u) = 0 for all non-zerou [9]. Hence bent functionssatisfy PC(n).

3. Cross-Correlation Theorem

In this section we present the Cross-Correlation Theorem and its consequences.

Theorem 3.1(Cross-Correlation Theorem).Let f and g be n-variable functions.Then

[Cf,g(0), . . . ,Cf,g(2n − 1)]Hn= [Wf (0)Wg(0), . . . ,Wf (2

n−1)Wg(2n−1)]. (2)


Proof. It is sufficient to show that for eachw ∈ Fn2 ,∑

u∈Fn2

Cf,g(u)(−1)〈u,w〉 =Wf (w)Wg(w). We proceed to do this as follows:∑

u∈Fn2

Cf,g(u)(−1)〈u,w〉 =∑u∈Fn

2

∑x∈Fn

2

(−1) f (x)⊕g(x⊕u)(−1)〈u,w〉

=∑x∈Fn

2

(−1) f (x)∑u∈Fn

2

(−1)g(x⊕u)⊕〈u,w〉

=∑x∈Fn

2

(−1) f (x)∑u∈Fn

2

(−1)g(u)⊕〈w,x⊕u〉

=∑x∈Fn

2

(−1) f (x)∑u∈Fn

2

(−1)g(u)⊕〈w,x〉⊕〈w,u〉

=∑x∈Fn

2

(−1) f (x)⊕〈w,x〉∑u∈Fn

2

(−1)g(u)⊕〈w,u〉

= Wf (w)Wg(w).

A special case of the Cross-Correlation Theorem is whenf = g and gives us thefollowing:

Corollary 3.1. Let f be an n-variable function. Then

[Cf (0), . . . ,Cf (2n − 1)]Hn = [W2

f (0), . . . ,W2f (2

n − 1)].

This result is called the Wiener–Khintchine Theorem in continuous analysis and has alsobeen obtained for Boolean functions [2], [20], [11]. Applying the inverse transform tothe cross-correlation vector gives the following:

Corollary 3.2. Let f and g be n-variable functions. Then

2n[Cf,g(0), . . . ,Cf,g(2n−1)]= [Wf (0)Wg(0), . . . ,Wf (2

n−1)Wg(2n−1)]Hn. (3)

Applying the inverse transform withg = f , gives∑

u∈Fn2

W2f (u) = 2nCf (0) = 22n. This

is a conservation law for the spectral values off and is known as Parseval’s theorem(see [6]).

Let h(x) = f (x)⊕ g(x), g1(x) = g(x) ⊕ 〈u, x〉. ThenWg1(w) = Wg(u⊕ w) forall w ∈ Fn

2 andWh(u) = Cf,g1(0). Using Corollary 3.2, this gives

Wh(u) = 1

2n

∑w∈Fn

2

Wf (w)Wg1(w) =1

2n

∑w∈Fn

2

Wf (w)Wg(u⊕ w),

which is the so-called Convolution Theorem. We summarize this as

Corollary 3.3. Let h(x) = f (x)⊕g(x), where both f and g are n-variable functions.Then

Wh(u) = 1

2n

∑w∈Fn

2

Wf (w)Wg(u⊕ w). (4)


We say that two functionsf andg havenon-intersecting spectraif Wf (u)Wg(u) = 0for all u. Using Theorem 3.1 and Corollary 3.2 we get the following characterization ofperfect uncorrelatedness in terms of the spectra off andg.

Corollary 3.4. Let f and g be two n-variable functions. Then f and g have non-intersecting spectra if and only if they are perfectly uncorrelated.

Remarks. 1. Let f and g be n-variable functions. Thenf and g are perfectly un-correlated if and only ifXn+1 ⊕ f and Xn+1 ⊕ g are perfectly uncorrelated. Fur-ther, if f and g are perfectly uncorrelated, then usingWf (u)Wg(u) = 0 for all u ∈Fn

2 , it is possible to show (see [13]) that the(n + 1)-variable functionh defined byh(X1, X2, . . . , Xn, Xn+1) = (1⊕ Xn+1) f (X1, . . . , Xn)⊕ Xn+1g(X1, . . . , Xn) has non-linearity 2n−1+min(nl( f ),nl(g)).

2. The Walsh Transform of ann-variable Boolean function can be computed in timeO(n2n) using the fast Walsh Transform [9]. Using this algorithm and Corollary 3.2 weobtain anO(n2n) algorithm to compute the cross-correlation between a pair of Booleanfunctions. Similarly, using the fast Walsh Transform and Corollary 3.1 we obtain anO(n2n) algorithm to compute the auto-correlation of a Boolean function.

3.1. Algebraic Properties

Here we study algebraic properties of cross-correlations. Using the Cross-CorrelationTheorem we are able to generalize many previous results concerning cryptographicproperties of Boolean functions. We present three such cases.

Proposition 3.1. Let f and g be n-variable functions. Then∑

v∈Fn2

C2f,g(v) ≤ 23n.

Proof. Let W = (Wf (0)Wg(0), . . . ,Wf (0)Wg(0)) andC = (Cf,g(0), . . . ,Cf,g(0)).Then

〈W,W〉 = 〈CHn,CHn〉 = CHn H Tn C = 2n〈C,C〉.

Hence

2n∑u∈Fn

2

C2f,g(u) =

∑u∈Fn

2

W2f (u)W

2g (u)

≤∑

u∈Fn2

W2f (u)

∑u∈Fn

2

W2g (u)

= 22n22n = 24n.

From this the result follows.

The above generalizes the bounds on sum of squares of the auto-correlation coeffi-cients obtained in Theorem 2 of [20].


Theorem 3.2. Let f and g be n-variable functions and let E be a subspace of Fn2 .

Then∑w∈E

Wf (w)Wg(w) = |E|∑

u∈E⊥Cf,g(u).

Proof. Using Theorem 3.1, we can write∑w∈E

Wf (w)Wg(w) =∑w∈E

∑u∈Fn

2

Cf,g(u)(−1)〈u,w〉

=∑u∈Fn

2

∑w∈E

Cf,g(u)(−1)〈u,w〉.

If u ∈ E⊥, then〈u, w〉 = 0 for all w ∈ E. If u 6∈ E⊥, then〈u, w〉 = 0 for half of thevectorsw ∈ E and〈u, w〉 = 1 for the other half of the vectorsw ∈ E. Thus we get∑

w∈E

Wf (w)Wg(w) = |E|∑

u∈E⊥Cf,g(u).

For the special case off = g, this result has been obtained in Proposition 5 of [1].Let Nr be the number of zeros of the auto-correlation functionCf () and letNw

be the number of zeros of the spectrumWf (). In Theorem 2.1 of [2] it was provedthat (2n − Nr )(2n − Nw) ≥ 2n and the condition when equality holds was preciselycharacterized. Here we obtain a similar relation between the zeros of the cross-correlationfunction of f andg and the pointwise product of the spectra off andg.

Theorem 3.3. Let f and g be n-variable functions. Then

(2n − Nc)(2n − Ns) ≥ max

u∈Fn2

|Cf,g(u)|, (5)

where Nc = |{u ∈ Fn2 : Cf,g(u) = 0}| and Ns = |{u ∈ Fn

2 : Wf (u)Wg(u) = 0}|.

Proof. First note that ifCf,g(u) = 0 for all u ∈ Fn2 , thenNc = 2n and the result holds.

So suppose there exists someu such thatCf,g(u) 6= 0. Using Theorem 3.1, this impliesthatWf (u)Wg(u) cannot be zero for allu. We prove two separate lower bounds on thequantitites 2n− Nc and 2n− Ns. Multiplying the bounds will provide the desired result.

For a pair of Boolean functionsh1 andh2, definenc(h1, h2) = |{u ∈ Fn2 : Ch1,h2(u) =

0}| and ns(h1, h2) = |{u ∈ Fn2 : Wh1(u)Wh2(u) = 0}|. Then Nc = nc( f, g) and

Ns = ns( f, g).We first obtain a lower bound on 2n − Nc. Letw ∈ Fn

2 be such that

|Wf (w)Wg(w)| = maxu∈Fn

2

|Wf (u)Wg(u)|.

Define a functiong1 in the following manner. IfWf (w)Wg(w) < 0, theng1 = 1⊕g, elseg1 = g. Thus we haveWf (w)Wg1(w) = |Wf (w)Wg(w)| > 0 andnc( f, g) = nc( f, g1).


Now defineh1(x) = f (x) +〈w, x〉 andh2(x) = g1(x) +〈w, x〉. This impliesWh1(0) =Wf (w) andWh2(0) = Wg1(w) and soWh1(0)Wh2(0) = maxu∈Fn

2|Wf (u)Wg(u)|. Also

nc(h1, h2) = nc( f, g1) = nc( f, g) = Nc. Since the values ofCh1,h2() are all at most 2n,we obtain

(2n − Nc) = (2n − nc(h1, h2)) ≥ 2−n∑u∈Fn

2

Ch1,h2(u). (6)

Using the facts that∑

u∈Fn2

Ch1,h2(u) = Wh1(0)Wh2(0) and Wh1(0)Wh2(0) =maxu∈Fn

2|Wf (u)Wg(u)|, we obtain

(2n − Nc) ≥ 2−n maxu∈Fn

2

|Wf (u)Wg(u)|. (7)

Now we obtain a lower bound on(2n − Ns). Let v ∈ Fn2 be such that|Cf,g(v)| =

maxu∈Fn2|Cf,g(v)|. Defineg1 in the following manner. IfCf,g(v) < 0, theng1 = 1⊕ g,

elseg1 = g. ThenCf,g1(v) = maxu∈Fn2|Cf,g(v)| andns( f, g1) = ns( f, g). We now

write∑u∈Fn

2

|Wf (u)Wg1(u)| ≥∑u∈Fn

2

Wf (u)Wg1(u)(−1)〈u,v〉

= 2nCf,g1(v) = 2n maxu∈Fn

2

|Cf,g(u)|. (8)

Also we have

(2n − Ns) = (2n − ns( f, g1)) ≥∑

u∈Fn2|Wf (u)Wg1(u)|

maxu∈Fn2|Wf (u)Wg1(u)|

. (9)

Using inequality (8) we obtain

(2n − Ns) ≥2n maxu∈Fn

2|Cf,g(v)|

maxu∈Fn2|Wf (u)Wg(u)| . (10)

Multiplying inequalities (7) and (10), we obtain the desired inequality.

Equality holds in (5) if and only if equality holds in (6), (8) and (9). However, theredoes not seem to be any simple characterization of these conditions.

4. Characterization of Bent Functions

In this section we present a new characterization of bent functions in terms of the auto-correlation and cross-correlation properties of its subfunctions. This can be consideredto be a refinement of the characterization of bent functions presented in [1].

Let f be ann-variable Boolean function. Letv ∈ {0,1}r with 1 ≤ r ≤ nand v = vr · · · v1, where eachvi ∈ {0,1}. By fv we denote the functionf (Xn =vr , . . . , Xn−r+1 = v1, Xn−r , . . . , X1). Givenu ∈ {0,1}r andw ∈ {0,1}n−r , we use thenotationuw to denote then-bit string formed by concatenatingu andw.


Theorem 4.1. Let u∈ {0,1}r , w ∈ {0,1}n−r and f be an n-variable Boolean function.Then

Cf (uw) =∑v∈Fr

2

Cfv, fv⊕u(w).

Proof. By definition,

Cf (uw) =∑x∈Fn

2

(−1) f (x)⊕ f (x⊕uw) =∑v∈Fr

2

∑z∈Fn−r

2

(−1) f (vz)⊕ f (vz⊕uw),

where then-bit vectorx is written as the concatenation of anr -bit stringv and an(n−r )-bit stringz. For a fixedv we havef (vz) = fv(z) and f (vz⊕ uw) = fv⊕u(z⊕ w). Thisgives

Cf (uw) =∑v∈Fr

2

∑z∈Fn−r

2

(−1) fv(z)⊕ fv⊕u(z⊕w) =∑v∈Fr

2

Cfv, fv⊕u(w).

Corollary 4.1. Let f be an n-variable function and let f0 and f1 be obtained from fby restricting the variable Xn to 0 and1, respectively. Then we have:

1. Cf (0w) = Cf0(w)+ Cf1(w).2. Cf (1w) = Cf0, f1(w)+ Cf1, f0(w) = 2Cf0, f1(w).

An immediate consequence of this result is to obtain a new characterization of bentfunctions based on the auto-correlation properties of its subfunctions. We say that twofunctions f andg havecomplementary auto-correlationif Cf (u) + Cg(u) = 0 for allnon-zerou.

Theorem 4.2. Let n be an odd integer and let h be an(n+ 1)-variable function andwe write

h(Xn+1, Xn, . . . , X1) = (1⊕ Xn+1) f (Xn, . . . , X1)⊕ Xn+1g(Xn, . . . , X1).

Then the following are equivalent:

1. h is bent.2. f and g have complementary autocorrelation.3. f and g are perfectly uncorrelated andnl( f ) = nl(g) = 2n−1− 2(n−1)/2.

Proof. (1) ⇒ (2) If h is bent, thenCh(w) = 0 for all non-zerow ∈ Fn+12 . Let u be

a non-zero vector inFn2 . Using Corollary 4.1, we getCh(0u) = Cf (u) + Cg(u). Since

u 6= 0 we haveCh(0u) = 0. This givesCf (u) = −Cg(u).


(2)⇒ (3) SupposeCf (v) = −Cg(v) for all non-zerov ∈ Fn2 . Using Corollary 3.1,

we have for eachu ∈ Fn2 ,

W2f (u) =

∑v∈Fn

2

Cf (v)(−1)〈u,v〉 = 2n −∑

v 6=0,v∈Fn2

Cg(v)(−1)〈u,v〉 = 2n+1−W2g (u).

This givesW2f (u)+W2

g (u) = 2n+1.We now use Jacobi’s lemma (see Chapter VI of [5]), which states that for oddm,

the only integer solutions to the equationx2+ y2 = 2m+1 arex = 0, y = ±2(m+1)/2 andx = ±2(m+1)/2, y = 0.

Thus we get that eitherW2f (u) = 2n+1 andW2

g (u) = 0 orW2f (u) = 0 andW2

g (u) =2n+1. In either case we haveWf (u)Wg(u) = 0 and nl( f ) = nl(g) = 2n−1 − 2(n−1)/2.Since this holds for eachu ∈ Fn

2 , the spectra off and g are non-intersecting. Us-ing Corollary 3.4 it follows that the functionsf andg are perfectly uncorrelated, i.e.Cf,g(u) = 0 for eachu ∈ Fn

2 .(3) ⇒ (1) Since the non-linearity of bothf andg is 2n−1 − 2(n−1)/2, it follows

that for eachu ∈ Fn2 , we must have|Wf (u)|, |Wg(u)| ≤ 2(n+1)/2. Let the number of

non-zero points ofWf () andWg() bek1 andk2, respectively. Using Parseval’s theoremand the bound on|Wf (u)|, |Wg(u)| we have 22n ≤ k12n+1 and 22n ≤ k22n+1. Thisgivesk1, k2 ≥ 2n−1. Since f and g are perfectly uncorrelated, their spectra are non-intersecting, i.e.Wf (u)Wg(u) = 0 for all u ∈ Fn

2 . Thus the number of points at whichWf () is zero is at least as large as the number of points whereWg() is non-zero. Hence2n − k1 ≥ k2. This combined withk1, k2 ≥ 2n−1 shows thatk1 = k2 = 2n−1 and hencethe spectra off and g can take only the values 0,±2(n+1)/2. Also for eachu ∈ Fn

2 ,exactly one ofWf (u) andWg(u) is non-zero and takes the value±2(n+1)/2.

Let w ∈ Fn+12 . Then we can writew = 0u or w = 1u for someu ∈ Fn

2 . It iseasy to verify thatWh(0u) = Wf (u) + Wg(u) andWh(1u) = Wf (u) − Wg(u). Sinceexactly one ofWf (u) and Wg(u) is non-zero and equal to±2(n+1)/2, it follows thatWh(w) = ±2(n+1)/2 for all w ∈ Fn+1

2 . Henceh is bent.

Remark. The subfunctionsf andghave non-intersecting three valued spectra and boththeir non-linearities are 2n−1 − 2(n−1)/2. These facts are also stated in Theorems 4(ii)and 5(iv) of [1]. However, the complementariness of the auto-correlation off andg andtheir perfect uncorrelatedness have not been considered in [1].

5. Propagation Characteristics

The concept of propagation characteristics was introduced by Preneel [11]. Later investi-gations can be found in [3], [4] and [8]. Here we study the cross-correlation between thesubfunctions of a function satisfying propagation characteristics. We characterize prop-agation characteristics in terms of the uncorrelatedness of its subfunctions. ByfXi=0 andfXi=1 we denote the(n− 1)-variable subfunctions obtained fromf by settingXi to 0and 1, respectively.


Theorem 5.1. Let f be an(n+1)-variable function. Then f satisfiesPC(l +1) if andonly if for each1 ≤ i ≤ n+ 1, the pair of functions fXi=0 and fXi=1 are uncorrelatedof degree l.

Proof. Supposef satisfies PC(l + 1). Let g = fXi=0 andh = fXi=1 and letu ∈ Fn2 be

of weight l . Let π be a permutation of the variables which interchangesXi and Xn+1.Let f ′ be the new function formed fromf . Clearly, f ′ also satisfies PC(l + 1). Since0 ≤ wt(u) ≤ l , the vector 1u ∈ Fn+1

2 is non-zero and has weight at mostl + 1. ThusCf ′(1u) = 0. Using Corollary 4.1, we haveCf ′(1u) = 2Cg,h(u). HenceCg,h(u) = 0.

We now prove the converse. Letw ∈ Fn+12 be non-zero and have weight at most

l + 1. Sincew 6= 0, there is ani , such thatwi = 1. Let g = fXi=0 andh = fXi=1.Then from the given conditionCg,h(v) = 0 for all 0 ≤ wt(v) ≤ l . Again letπ be apermutation that interchangesXn+1 andXi . Let the corresponding changes onf andwbe denoted byf ′ andw′. Thenw′ is of the form 1u for someu ∈ Fn

2 and 0≤ wt(u) ≤ l .ThenCf (w) = Cf ′(w

′) = Cf ′(1u) = 2Cg,h(u) = 0.

Let f be any function defined on the domainFn2 . By adyadic shiftof f (x) by u we

mean the functionf (x⊕ u). When f is a Boolean function the sum (overF2) of f andits dyadic shift byu is called the derivative off atu. Propagation characteristics assuresthat the derivative is balanced at allu of bounded Hamming weight. A dyadic shift of thespectrumWf () of f by u is the functionWu

f () defined byWuf (v) = Wf (u⊕ v). We next

explore the relationship between the spectra of the derivatives of a Boolean function andthe dyadic shifts in its spectrum.

Let ha(x) = f (x) ⊕ f (x ⊕ a). We now define two matrices as follows. LetDf

be a 2n × 2n matrix whose rows and columns are indexed by the elements ofFn2 . The

(u, v)th entry ofDf is Whv (u). LetTf be another 2n×2n matrix whose rows and columnsare indexed by the elements ofFn

2 , where the(u, v)th entry ofTf is Wf (u)Wf (u⊕ v).The entries ofDf are the spectral values of the derivatives off . On the other hand, theentries ofTf are products of the spectral values off with its dyadic shifts. The followingresult relates these two matrices and provides the relationship between the spectra of thederivatives off and the dyadic shifts of the spectra off .

Theorem 5.2. For any n-variable Boolean function HnTf = 2n Df , where Hn is theHadamard matrix of order2n.

Proof. Let ga(x) = f (x ⊕ a). It is easy to verify thatWga(u) = (−1)〈a,u〉Wf (u). ByCorollary 3.3, we have

Wha(u) =1

2n

∑w∈Fn

2

Wf (w)Wga(u⊕ w) =1

2n

∑w∈Fn

2

Wga(w)Wf (u⊕ w)

= 1

2n

∑w∈Fn

2

(−1)〈a,w〉Wf (w)Wf (u⊕ w).

The last expression is the inner product of theath row of Hn and theuth column ofTf .Hence the result follows.


A consequence of the above is the following known result [6], which states that thedyadic shifts of the spectrum off are orthogonal to each other.

Corollary 5.1. Let f be any Boolean function. Then∑w∈Fn

2

Wf (w)Wf (u⊕ w) = 22n if u = 0,

= 0 if u 6= 0.

6. Non-Linear Combining Functions

Boolean functions are used as non-linear combining functions in LFSR-based stream ci-phers. The outputs of several independent LFSRs are combined using a Boolean functionto produce the keystream. Research in stream cipher cryptanalysis have shown that sucha function must be balanced, have high non-linearity, high resiliency and high algebraicdegree. Here we study the correlation properties of this class of Boolean functions.

In [18] the concept of maximum correlation analysis was introduced. This con-siders the correlation of ann-variable function to alln-variable function which arenon-degenerate on at mostm variables. For the usual notion of correlation immunity,correlation to only the linear functions are considered. The next result assures us thatif a function is m-resilient then it is uncorrelated toany subfunction on at mostmvariables.

An n-variable functionf (X1, . . . , Xn) is said to be degenerate on variableXi if thefunctions

f (X1, . . . , Xi−1, Xi = 0, Xi+1, . . . , Xn)

and

f (X1, . . . , Xi−1, Xi = 1, Xi+1, . . . , Xn)

are identical. Otherwisef is said to be non-degenerate on the variableXi .

Theorem 6.1. Let f be an m-CI (respectively m-resilient) function. Then Cf,g(0) =(1/2n)Wf (0)Wg(0) (respectively Cf,g(0) = 0) for any n-variable function g which isnon-degenerate on at most m variables.

Proof. Letw ∈ Fn2 be a vector of weight at mostw such thatwi = 1 if and only ifg is

non-degenerate on variableXi . Then for any vectoru ∈ Fn2 , such thatu 6≤ w, we have

g(x) ⊕ 〈u, x〉 to be a balanced function and henceWg(u) = 0. Using Corollary 3.2, wehaveCf,g(0) = (1/2n)

∑u∈Fn

2Wf (u)Wg(u). Since f is m-CI, we haveWf (u) = 0 for

all u ∈ Fn2 with 1≤ wt(u) ≤ m. If wt(u) > m, thenu 6≤ w and henceWg(u) = 0. Thus

we getCf,g(0) = (1/2n)Wf (0)Wg(0). If further f is balanced we haveWf (0) = 0 andhenceCf,g(0) = 0.


The Walsh Transform of a functionf determines the correlation of the function tothe linear and affine functions. However,f may be correlated to non-affine functionsalso. Any functiong with which f has a non-zero correlation is called a correlatorof f . Supposef is m-resilient. This implies that the correlation off to any affinefunction non-degenerate on at mostm variables is zero. However, there is the possibilitythat there exists non-affine functions non-degenerate on at mostm variables to whichfis correlated. Theorem 6.1 assures us that this does not happen.

Remarks. 1. In Theorem 6.1 it is easy to see that iff is not balanced, then the functiong (non-degenerate on at mostm variables) to whichf is maximally correlated is the allzero function.

2. Let g be non-degenerate onm+ 1 variables and letw be defined fromg as inthe proof of Theorem 6.1. Suppose thatf is m-resilient. Then using the argument ofTheorem 6.1, we haveCf,g(0) = (1/2n)Wf (w)Wg(w). Clearly,Cf,g(0) is maximumwhen g(x) = b ⊕ 〈w, x〉, for b ∈ {0,1}. Thus the maximum correlators of anm-resilient function with respect to any(m+1) variables are the two non-degenerate affinefunctions on thesem + 1 variables. In fact, this is the result obtained in Theorem 3of [18].

3. If we consider more thanm+ 1 variables, then the maximum correlator of anm-resilient function need not be an affine function. As an example, letf (X1, X2, X3, X4, X5)

= (1⊕ X5)(1⊕ X4)(X2 ⊕ X1)⊕ (1⊕ X5)X4(X3 ⊕ X1)⊕ X5(1⊕ X4)(X3 ⊕ X2)⊕X5X4(X3 ⊕ X2 ⊕ X1). The function f is 1-resilient andWf (u) = 0,±8, for allu ∈ F5

2 and hence the maximum correlation to affine functions is 8. However, if wechooseg1(X1, X2, X3, X4, X5) = X2 ⊕ X1X2 ⊕ X2X3 ⊕ X1X3 ⊕ X2X4 ⊕ X1X4 ⊕X3X4 ⊕ X1X3X4, thenCf,g(0) = 16. Again if we chooseg(X1, X2, X3, X4, X5) =X1 ⊕ X2 ⊕ X3 ⊕ X1X2X3, thenCf,g(0) = 12. These are the (non-affine) maximumcorrelators for four and three variables, respectively.

We now concentrate on functions for which the magnitude of the non-zero spectrumvalues are all equal. Such functions can have at most three valued spectra. Functions ofthese type are important from the cryptographic point of view. We give three examples:

1. Bent functions ofn variables have two valued spectra±2n/2.2. Subfunctions ofn variables obtained from(n + 1)-variable bent functions by

restricting any one variable to zero or one have three valued spectra: 0,±2(n+1)/2.Such functions have been studied in [1].

3. Resilient functions of orderm with maximum possible non-linearity have threevalued spectra [13].

We analyse the relation between spectrum and auto-correlation values for the above typeof functions. Given a Boolean functionf , we define NZ( f ) to be a matrix whose rowsareu ∈ Fn

2 such thatWf (u) 6= 0. In other words, NZ( f ) is a matrix whose rows are thevectors at which the spectrum off is non-zero. Suppose NZ( f ) is anr ×n matrix, i.e.ris the number of places whereWf () is non-zero. Let the magnitudes of all the non-zerospectrum values beM . Using Parseval’s theorem we haverM2 = 22n, where f is ann-variable function. This givesr = 22n/M2. It is clear thatM has to be a power of two,


sayM = 2k. Thusr = 22n−2k. Using Corollary 3.1 we can write

Cf (u) = 1

2n

∑v∈Fn

2

W2f (v)(−1)〈u,v〉 = 22k−n

∑{v: Wf (v) 6=0}

(−1)〈u,v〉

= 22k−n∑

v∈NZ( f )

(−1)〈u,v〉 = 22k−n(22n−2k − 2 wt(NZ( f )uT ))

= 2n − 22k+1−n wt(NZ( f )uT ),

where NZ( f )uT is the product of the matrix NZ( f ) and the vectoruT . We summarizethe above description as

Theorem 6.2. Let f be an n-variable function for which the magnitude of the non-zerospectral values are all equal to2k. Then Cf (u) = 2n − 22k+1−n wt(NZ( f )uT ) for allu ∈ Fn

2 .

Remark. If u = 0, then we haveCf (0) = 2n as expected. For bent functions,k = n/2and NZ( f ) = Fn

2 . Hence for any non-zerou, we have wt(NZ( f )uT ) = 2n−1 and soCf (u) = 0.

An elegant recursive construction for resilient functions has been provided in [16].A modified version of this construction has been used in [10] to construct functions withthe best possible tradeoff among the parameters non-linearity, resiliency and algebraicdegree. We study the auto-correlation values of the functions constructed by the methodof [10]. To do that we briefly describe the construction of [16] as modified in [10].

The initial function to the recursive construction in [10] is at-variable, resiliencyp function, which is formed by the concatenation of two(t − 1)-variable, resiliencyp functions f andg having non-intersecting spectra and hence perfectly uncorrelated.The spectra off andg are three valued: 0,±2p+2. (In [10] the initial function used isa 7-variable, resiliency 2 function that was obtained by computer search.) The methodof [10] constructs functionshi of t + 3i variables fori ≥ 0. The functionhi is theconcatenation of two functionsfi , gi of ((t − 1) + 3i ) variables. For the base case,f0 = f andg0 = g andh0 is the concatenation off0 andg0. The recursive constructionof fi+1, gi+1 from fi , gi is the following. Leth2

i = Xt+3i ⊕ fi andh3i = Xt+3i ⊕ gi .

Define fi+1 = Xt+2+3i⊕Xt+1+3i⊕hi andgi+1 = Xt+2+3i⊕(1⊕Xt+2+3i⊕Xt+1+3i )h2i ⊕

(Xt+2+3i ⊕ Xt+1+3i )h3i . Thenhi+1 is the concatenation offi+1 andgi+1. We have the

following result on the maximum auto-correlation value ofhi+1.

Theorem 6.3. Let hi+1 be the(n = t+3(i +1))-variable(i ≥ 0) function constructedby the above described method. Thenmaxu∈Fn

2−{0} |Chi+1(u)| = 2(t−1)+3(i+1) = 2n−1.

Proof. The non-zeros of the spectra off andg are the rows of the matrices NZ( f ) andNZ(g). The matrix NZ(hi ) is formed from NZ( f ) and NZ(g). In fact, we can providea recursive description of NZ(hi ) for all i ≥ 0. For this we need to introduce somenotation. Letu ∈ Fr

2 and letM be ans× t matrix of bits. Thenu||M is thes× (r + t)


matrix whose rows are of the formuv, wherev is a row ofM . We number the columnsof M from the right, i.e. the rightmost is numbered 1 and the leftmost column gets thehighest number.

The structures of NZ( fi+1),NZ(gi+1) and NZ(hi+1) are as follows:

NZ( fi+1) =

110||NZ( fi )

111||NZ( fi )

110||NZ(gi )

111||NZ(gi )

,

NZ(gi+1) =

011||NZ( fi )

101||NZ( fi )

011||NZ(gi )

101||NZ(gi )

,

NZ(hi+1) =

0||NZ( fi+1)

1||NZ( fi+1)

0||NZ(gi+1)

1||NZ(gi+1)

=

0110||NZ( fi )

0111||NZ( fi )

0110||NZ(gi )

0111||NZ(gi )

1110||NZ( fi )

1111||NZ( fi )

1110||NZ(gi )

1111||NZ(gi )

0011||NZ( fi )

0101||NZ( fi )

0011||NZ(gi )

0101||NZ(gi )

1011||NZ( fi )

1101||NZ( fi )

1011||NZ(gi )

1101||NZ(gi )

.

Note that NZ( fi+1)∩NZ(gi+1) = ∅, hencefi+1, gi+1 have non-intersecting spectraand consequently are perfectly uncorrelated.

The functionhi+1 is a function ofn = t + 3(i + 1) variables and is(p+ 2(i + 1))-resilient. From this it follows that the spectrum ofhi+1 takes only the values 2k wherek = p+2+2(i +1) (see [10] and [13]). Then the number of non-zeros of the spectrumof hi+1 is r = 22n−2k. Let u be such thatun−1 = 1 anduj = 0 for j 6= n − 1.Then it is easy to see that wt(NZ(hi+1)uT ) = r/2+ r/4. Using Theorem 6.2 we getChi+1(u) = 2n − 22k+1−n(r/2+ r/4) = −2n−1. Also a careful examination of the linear


combinations of the columns of NZ(hi+1) shows that there is no combination whichprovides an absolute auto-correlation of more than 2n−1.

7. S-Boxes for Stream Ciphers

Here we consider functions with more than one output, i.e. maps fromFn2 to Fm

2 . Suchfunctions are called S-boxes and are mostly used in block ciphers. However, the use ofS-boxes in stream ciphers can speed up encryption/decryption in the following way. Anon-linear combining function extracts only one key bit pern bits. Use of an S-box willmean thatm > 1 bits can be extracted pern bits. Thus the use of S-boxes for streamciphers is an attractive proposition and has been suggested in recent papers [19], [7].Here we carefully examine this idea and show that there are several difficulties in suchan approach.

Note that a trivial way to extract more than one bit per clock cycle is to increasethe number of LFSRs. For example, ifn LFSRs are used to obtain one bit per cycle,then we can repeat this arrangement (with different combining functions)k times toobtain k bits per cycle. However, increasing the number of LFSRs will escalate thecost of implementation. Hence the idea is to obtain more than one bit per clock cyclewithout increasing the number of LFSRs. This means that the security parameters remainconstant, but we will still be able to increase the speed of encryption. It is this approachthat we investigate here.

Let f : {0,1}n → {0,1}m be an S-box used to extractm bits from eachn-bit inputprovided byn LFSRs at each clock. Anm-length decimation of the output key streamwill provide the sequence of bits generated by a component Boolean function of theoutput of the S-box. An obvious extension of the correlation attack would be to look forcorrelations between some combination of the output bits and (some linear combinationof) the input bits.

Thus we would like the cross-correlation between an arbitrary combination of theoutput and any linear combination of the input to be zero. Of course this is not possiblesince it would violate Parseval’s theorem. Instead we require that any arbitrary non-trivialcombination of the output is uncorrelated to any linear combination of input involving notmore thant variables. Hence using Theorem 6.1, it is also uncorrelated to any arbitrarycombination of the input involving not more thant variables.

A class of S-boxes called resilient functions have been studied in the literature. AnS-box f : {0,1}n→ {0,1}m is said to bet-resilient if any subfunction off obtained byfixing at mostt input bits to constant is balanced. Here, by balanced we mean that everyvector inFm

2 occurs in the output of the subfunction the same number 2n−m−t times. Itis known that an S-box ist-resilient if and only if every non-zero linear combinationof the component function of the output ist-resilient. However, this does not assurethat an arbitrary combination of the output is correlated to a linear combination of theinput. First we prove this form = 2. Let f : {0,1}n → {0,1}m be an S-box and letg: {0,1}m → {0,1} be them-variable Boolean function. Theng ◦ f is ann-variableBoolean function defined by(g ◦ f )(x) = g( f (x)).

Theorem 7.1. Let f : {0,1}n → {0,1}2 be a t-resilient function. Let g be any two-variable Boolean function. Then g◦ f is t-CI.


Proof. Let the component functions off be f1, f2. Then f1, f2, f1⊕ f2 aren-variable,t-resilient Boolean functions. The functiong(X2, X1) = a ⊕ bX1 ⊕ cX2 ⊕ d X1X2,wherea,b, c,d ∈ {0,1}. Without loss of generality we can takea = 0. If d = 0,then clearlyg ◦ f is t-resilient for any combinations ofb and c. Thus letd = 1.If b = c = 0, then the functiong is the logical AND of X1, X2. It is not dif-ficult to verify that (−1)(g◦ f )(x) = (−1) f1(x) f2(x) = 1

2(1 + (−1) f1(x) + (−1) f2(x) −(−1) f1(x)⊕ f2(x)).

HenceWg◦ f (u) = 12(2

nδ(u) +Wf1(u) +Wf2(u) −Wf1⊕ f2(u)), whereδ(u) = 1 ifu = 0, else it is 0. From this it follows thatg ◦ f is t-CI. If b = c = 1, theng is thelogical OR ofX1 andX2. In this case(g ◦ f )(x) = f1(x) ∨ f2(x) = 1⊕ (1⊕ f1(x))(1⊕ f2(x)).

Hence for eachu ∈ Fn2 , Wg◦ f (u) = − 1

2(2nδ(u)−Wf1(u)−Wf2(u)−Wf1⊕ f2(u)).

Again we have thatg ◦ f is t-CI.The only cases that remain to be considered are when exactly one ofb or c is

zero. Without loss of generality letb = 0, c = 1. Theng(X2, X1) = X2(1⊕ X1) and(g ◦ f )(x) = f2(x)(1⊕ f1(x)). Using an argument similar to the logical AND case wehaveg ◦ f to bet-CI.

Remark. It is not clear how this result can be extended wheng is a function of threeor more variables. Thus it may be possible that form > 2, some Boolean combinationof the output is correlated to a linear combination of the input. Further, the next resultshows that the non-linearity of non-affine output combinations can be very low.

Theorem 7.2. Let f : {0,1}n → {0,1}m be a t-resilient S-box where m≥ 2 andf1, . . . , fm are the component n-variable Boolean functions. Thennl( fi ∧ f j ),nl( fi ∨f j ) ≤ 2n−1− 2n−2, for all 1≤ i, j ≤ n.

Proof. From the proof of Theorem 7.1,Wf1∧ f2(u) = 12(2

nδ(u) +Wf1(u) +Wf2(u) −Wf1⊕ f2(u)).Since f is t-resilient, we havef1, f2, f1⊕ f2 to bet-resilient and soWf1(0) =Wf2(0) = Wf1⊕ f2(0) = 0. HenceWf1∧ f2(0) = 2n−1 and consequently nl( f1 ∧ f2) ≤2n−1− 2n−2. Similarly for f1 ∨ f2.

This shows that it is possible to obtain good affine approximations of certain non-affine output combinations and could also prove to be a potential weakness. Similaranalysis is possible for the algebraic degree and the order of resiliency of Booleancombinations of the output. Our conclusion from these results is that though extractingmore than one bit at each clock cycle is an attractive proposition, the concept needsto be examined more closely before it can be considered secure. A suitable model forextracting multiple bits from then LFSR bits is a future research question.

8. Conclusion

In this paper we have studied several classes of cryptographically useful Boolean func-tions and S-boxes. Our main tool has been the Cross-Correlation Theorem. This has


allowed us to obtain new characterizations and explore relationships between the spec-trum and correlation properties of a Boolean function. We have studied the possibilityof using S-boxes in LFSR-based stream ciphers. Our conclusion is that currently knownconstructions of S-boxes are not suitable for such applications.

Acknowledgment

The authors are grateful to the reviewers for their careful reading of the paper and critical comments which

helped to improve the paper substantially.

References

[1] A. Canteaut, C. Carlet, P. Charpin and C. Fontaine. Propagation characteristics and correlation-immunityof highly non-linear Boolean functions. InAdvances in Cryptology - Eurocrypt2000, pages 507–522.Number 1807 in Lecture Notes in Computer Science, Springer-Verlag, Berlin, 2000.

[2] C. Carlet. Partially-bent functions. InAdvances in Cryptology - CRYPTO ’92, pages 280–291. Number740 in Lecture Notes in Computer Science, Springer-Verlag, Berlin, 1992.

[3] T. W. Cusick. Boolean functions satisfying a higher order strict avalanche criteria.Advances in Cryp-tology - Eurocrypt ’93, pages 102–117.

[4] T. W. Cusick. Bounds on the number of functions satisfying the strict avalanche criteria. InformationProcessing Letter, 57(5):261–263 (1996).

[5] L. E. Dickson.History of the Theory of Numbers, volume II. Chelsea, New York, 1919.[6] C. Ding, G. Xiao and W. Shan.The Stability Theory of Stream Ciphers. Number 561 in Lecture Notes

in Computer Science, Springer-Verlag, Berlin, 1991.[7] T. Johansson and E. Pasalic. A construction of resilient functions with high nonlinearity.International

Symposium on Information Theory, ISIT 2000.[8] K. Kurosawa and T. Satoh. Design ofSAC/PC(l ) of orderk Boolean functions and three other crypto-

graphic criteria. InAdvances in Cryptology - Eurocrypt ’97, pages 434–449. Number 1233 in LectureNotes in Computer Science, Springer-Verlag, Berlin, 1997.

[9] F. J. MacWillams and N. J. A. Sloane.The Theory of Error Correcting Codes. North-Holland, Amster-dam, 1977.

[10] E. Pasalic, S. Maitra, T. Johansson and P. Sarkar. New constructions of resilent and correlation im-mune Boolean functions achieving upper bounds on nonlinearity. InProceedings of the Workshop onCryptography and Coding Theory, Paris, 2001. Electronic Notes in Discrete Mathematics, Volume 6,Elsevier, Amsterdam, 2000.

[11] B. Preneel. Analysis and design of cryptographic hash functions. Doctoral dissertation, K.U. Leuven,1993.

[12] O. S. Rothaus. On bent functions.Journal of Combinatorial Theory, Series A, 20:300–305, 1976.[13] P. Sarkar and S. Maitra. Nonlinearity bounds and constructions of resilient Boolean functions. InAd-

vances in Cryptology - CRYPTO2000, pages 515–532. Number 1880 in Lecture Notes in ComputerScience, Springer-Verlag, Berlin, 2000.

[14] C. Shannon. Communication theory of secrecy systems.Bell System Technical Journal, 28:656–715,1949.

[15] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications.IEEE Transactions on Information Theory, IT-30(5):776–780, September 1984.

[16] Y. V. Tarannikov. On resilient Boolean functions with maximum possible nonlinearity.Proceedingsof INDOCRYPT, pages 19–30. Number 1977 in Lecture Notes in Computer Science, Springer-Verlag,Berlin, 2000.

[17] G. Xiao and J. L. Massey. A spectral characterization of correlation-immune combining functions.IEEETransactions on Information Theory, 34(3):569–571, 1988.


[18] M. Zhang. Maximum correlation analysis of nonlinear combining functions in stream ciphers.Journalof Cryptology, 13:301–313, 2000.

[19] M. Zhang and A. Chan. Maximum correlation analysis of nonlinear S-boxes in stream ciphers. InAdvances in Cryptology - CRYPTO2000, pages 501–514. Number 1880 in Lecture Notes in ComputerScience, Springer-Verlag, Berlin, 2000.

[20] X.-M. Zhang and Y. Zheng, GAC—the criterion for global avalanche characteristics of cryptographicfunctions.Journal for Universal Computer Science, 1(5):316–333, 1995.

Received April27, 2001,and in revised form October30, 2001.Online publication February20, 2002.

Documents

Cross-Correlation Analysis of Cryptographically Useful Boolean Functions and S-Boxes