1-Resilient Boolean Functions on Even Variables with Almost Perfect Algebraic Immunity

1 School of Electronics and Information, Northwestern Polytechnical University, Shaanxi, China
2 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
3 Westone Cryptologic Research Center, Beijing, China
4 Department of Computer Science and Technology, East China Normal University, Shanghai, China
5 National Engineering Laboratory for Wireless Security, Xi’an University of Posts and Telecommunications, Xi’an, China


Introduction
Boolean functions are one of the most important cryptographic primitives for stream ciphers, block ciphers, and hash functions in cryptography [1][2][3][4]. For instance, Boolean functions are used extensively as filter and combination generators of stream ciphers based on linear feedback shift registers [3]. Cryptographic criteria for Boolean functions include balancedness, algebraic degree, nonlinearity, and correlation immunity. An overview of cryptographic criteria for Boolean functions with extensive bibliography is given in [1].
The study of the cryptographic criteria of Boolean functions is essential because of the connections between known cryptanalytic attacks and these criteria [4]. An improperly chosen Boolean function will render the system open to various kinds of attacks. Take the property of balancedness (i.e., its Hamming weight = 2 −1 ), for example: this classical cryptographic criterion for designing Boolean functions is useful in preventing the system from leaking statistical information on the plaintext when the ciphertext is known.

Related Work

Resilient Functions.
Resilient functions (see Definition 3), first studied by Siegenthaler in [5], are a special class of Boolean functions and find many interesting applications in stream ciphers.
A function  is said to be correlation-immune of the order  if the output of the function is statistically independent of the combination of any  of its inputs [6]. In 1988, Xiao and Massey introduced (by using properties of Walsh spectra) the notion of correlation immunity as an important cryptographic measure of a Boolean function with respect to its resistance against the correlation attack (which can be seen as solving a system of multivariate linear equations) [7].
In [8], Maitra and Sarkar discussed the various methods for constructing resilient functions, and their results constitute a subset of a larger set of resilient functions.

Algebraic Attacks.
In recent years, the algebraic attack [9][10][11] has received a lot of attention in cryptography. This kind of attack dates back to 2003, when Courtois and Meier [10] proposed an algebraic attack on stream ciphers with linear feedback, which is very powerful (breaking stream ciphers satisfying the previously known design criteria in at most the square root of the complexity of the previously known generic attack). Thus a new cryptographic property of Boolean functions, algebraic immunity (AI), the minimum algebraic degree of annihilators of  or  + 1, was introduced by Meier et al. [11] to measure the ability of Boolean functions to resist algebraic attacks.
It was shown by Courtois and Meier [10] that the maximum AI of n-variable Boolean functions is ⌈/2⌉. The properties and constructions of Boolean functions with maximum AI are addressed in a large number of works (to name a few, [9, 12–16]). The problem of efficiently constructing balanced Boolean functions with optimal algebraic immunity (and/or other cryptographic properties) is thus of great significance.

Fast Algebraic Attacks.
Although Boolean functions with high (or, ideally, optimal) algebraic immunity can effectively resist the algebraic attack, this does not rule out the possibility that these functions are vulnerable to the improved algebraic attack, that is, the fast algebraic attack [17,18].
Therefore, the cryptographic community has turned its attention to Boolean functions that resist the fast algebraic attack, in addition to their algebraic immunity. At Asiacrypt 2012, Liu et al. [20] introduced perfect algebraic immune (PAI) functions, Boolean functions with perfect immunity against algebraic and fast algebraic attacks. Although the Carlet-Feng functions [9] on 2  + 1 variables and the modified Carlet-Feng functions on 2  variables are shown to be perfect algebraic immune functions [20], it is still not easy in general to find perfect algebraic immune functions, and few successful attempts have been reported in the literature on perfect algebraic immune functions on even variables. Thus, it is significant in both theory and practice to construct (almost) perfect algebraic immune functions on even variables that simultaneously have other cryptographic properties (such as resiliency).
We notice that Pan et al. [19] presented a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes, that is, equivalence classes. However, the cryptographic properties of the resulting functions are highly related to those of the initial functions we choose, and in particular, one would not expect strong resistance against fast algebraic attack in the resulting Boolean functions.

Our Contributions.
In the paper, we use primitive polynomials to construct a class of Boolean functions on even variables, achieving at the same time several desirable features. For the resulting functions, we prove the properties of 1-resiliency (see Definition 3) and suboptimal algebraic immunity (see Definition 4). We also propose a sufficient condition for achieving optimal algebraic immunity.
Compared with Carlet-Feng functions [9] and the functions constructed by the method of first-order concatenation existing in the literature on even (from 6 to 16) variables [19], ours show better immunity against fast algebraic attacks. We check that our constructions are almost perfect algebraic immune functions (see Definition 5).

Roadmap.
The remainder of the paper is organized as follows. Section 2 reviews some definitions related to Boolean functions and their cryptographic criteria. Section 3 presents our proposed construction of almost perfect algebraic immune resilient functions on even variables, followed by resiliency analysis in Section 4, algebraic immunity analysis in Section 5, and fast algebraic immunity analysis in Section 6. Concluding remarks are given in Section 7.

Notations.
We summarize in Notations the notations used in this paper.
The Hamming weight of  is the number of 1s in the binary string, denoted by wt().The support of  is the set { ∈   2 | () = 1} and is denoted by supp(); that is, wt() = |supp()|.The Hamming distance   (, ) between two Boolean functions  and  is the Hamming weight of their difference  +  (i.e.,   (, ) = wt( + )), where + is the addition on  2 .
Definition 1 (balancedness). A Boolean function  is balanced if its output is equally distributed, that is, the number of 0 elements in its truth table is equal to the number of 1 elements. In other words, an -variable Boolean function  is balanced if and only if wt() = 2 −1 .
For () ∈ B  , it can be uniquely represented as a multivariate polynomial in the ring and its algebraic normal form (ANF) is written as follows: Elements of a finite field can be represented in a variety of ways, depending on the choice of basis for the representation.
Let ( 1 ,  2 , . . .,   ) be a basis of   2 over  2 .Then, we can build an isomorphism between   2 and  2  : and we can further represent  :  2  →  2 as the polynomial Now suppose  = 2.Similarly,  :  2  ×  2  →  2 can be represented uniquely as bivariate polynomial and the algebraic degree of f is where wt() is the Hamming weight of the binary string corresponding to the integer ; namely, where Tr  1 :  2  →  2 is the trace function, defined as
Correlation immunity has long been recognized as one of the critical indicators of nonlinear combining functions of shift registers in stream generators [21,22]. A high correlation immunity is generally a very desirable property, in view of various successful correlation attacks against a number of stream ciphers (see, e.g., [23]). The concept of correlation-immune functions was introduced by Siegenthaler [5]. Xiao and Massey gave an equivalent definition [7,24].

Definition 3 (correlation immunity). A function 𝑓 is called an 𝑚th-order correlation-immune function if
where wt() is the Hamming weight of , that is, the number of nonzero components.
If f is also balanced, then it is called m-resilient.
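
Definition 3 can be checked numerically with the Xiao-Massey Walsh-spectrum characterization mentioned above: a function is correlation-immune of order m exactly when its Walsh transform vanishes at every nonzero point of Hamming weight at most m. The Python code below is an added example, not code from the paper; the helper names and the sample functions are constructed for illustration and are not the paper's construction.

```python
def table(f, n):
    """Truth table of f on F_2^n; bit i of the index x is the (i+1)-th input."""
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W[a] = sum_x (-1)^(f(x) + a.x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def correlation_immunity_order(tt):
    """Largest m such that W[a] == 0 for every a with 1 <= wt(a) <= m."""
    w = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    m = 0
    for k in range(1, n + 1):
        if any(w[a] for a in range(1, len(w)) if bin(a).count("1") == k):
            break
        m = k
    return m

def is_balanced(tt):
    """Balanced means wt(f) is exactly half of the truth-table length."""
    return sum(tt) == len(tt) // 2

def resiliency_order(tt):
    """m if f is balanced and correlation-immune of order m; -1 if unbalanced."""
    return correlation_immunity_order(tt) if is_balanced(tt) else -1

# Constructed sample functions (illustrative only).
F4 = table(lambda a, b, c, d: a ^ b ^ (c & d), 4)           # x1 + x2 + x3*x4
XOR3 = table(lambda a, b, c: a ^ b ^ c, 3)                  # linear
MAJ3 = table(lambda a, b, c: (a & b) ^ (a & c) ^ (b & c), 3)  # majority
AND2 = table(lambda a, b: a & b, 2)                         # unbalanced

if __name__ == "__main__":
    for name, tt in [("F4", F4), ("XOR3", XOR3), ("MAJ3", MAJ3), ("AND2", AND2)]:
        print(name, "resiliency order:", resiliency_order(tt))
```

The four-variable sample is 1-resilient, the majority function is balanced but correlated with each single input, and the unbalanced AND is rejected before the spectrum is consulted.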
Definition 4 (annihilator and algebraic immunity). Given  ∈ B  , we define where ⋅ is the multiplication on  2 . Any  ∈ AN() is called an annihilator of f.
The algebraic immunity of , denoted by AI(), is defined as the minimum degree of nonzero annihilators of f or  + 1; that is, It is known [10] that AI() ≤ ⌈/2⌉, for any  ∈ B  . If AI() = ⌈/2⌉, then we say the n-variable Boolean function  has optimal algebraic immunity.
At Crypto 2003, Courtois [17] proposed fast algebraic attacks (FAAs). The key idea is to decrease the degree of the equations (a multivariate polynomial system of equations over a finite field) using a precomputation algorithm. More formally, if there exists n-variable Boolean function  of low degree such that deg( ⋅ ) is somewhat not large, then one can perform fast algebraic attack on  with much confidence. To measure the resistance against fast algebraic attack, Liu et al. introduced fast algebraic immunity (FAI), which is considered as an important cryptographic property for Boolean functions used in stream ciphers: where It is folklore that FAI() ≤  [10,25]. Almost all the symmetric Boolean functions including the functions with good algebraic immunity behave badly against FAAs [18,25]. However, Carlet-Feng function, a class of n-variable balanced Boolean functions with the maximum algebraic immunity as well as good nonlinearity [9], was proved to have almost optimal resistance and even optimal resistance against FAAs if  = 2  + 1 exactly with positive integer  [20]. Another class of even -variable balanced Boolean functions with the maximum algebraic immunity and large nonlinearity, called Tang-Carlet function [26], was also proved to have almost optimal resistance [27]. Moreover, the immunity of some rotation symmetric Boolean functions against FAAs was also analyzed [18,28].
The following definition provides the functionalities of both algebraic immunity and fast algebraic immunity.
Definition 5 ((almost) perfect algebraic immunity). Let f be an n-variable Boolean function. The function f is said to be perfect algebraic immune (PAI) if, for any positive integers  < ⌈/2⌉, the product  ⋅  has degree at least  −  for any nonzero function  ( ∈ B  ) of degree at most .
The function  is said to be almost perfect algebraic immune if, for any positive integers  < ⌈/2⌉, the product  ⋅  has degree at least  −  − 1 for any nonzero function  ( ∈ B  ) of degree at most e.
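
Definitions 4 and 5 both reduce to linear algebra over the two-element field: a nonzero multiplier of degree at most e whose product with f has degree at most d exists exactly when the high-degree parts of the products of f with the monomials of degree at most e are linearly dependent. The Python code below is an added example, not code from the paper; it writes g for the multiplier, takes d = -1 to mean that the product is zero (an annihilator), and uses constructed sample functions rather than the paper's construction.

```python
from math import ceil

def wt(v):
    return bin(v).count("1")

def anf(tt):
    """Moebius transform: truth table -> ANF coefficients indexed by monomial mask."""
    a = list(tt)
    for i in range(len(a).bit_length() - 1):
        for x in range(len(a)):
            if (x >> i) & 1:
                a[x] ^= a[x ^ (1 << i)]
    return a

def gf2_rank(vectors):
    """Rank over F_2 of bit vectors stored as ints (XOR basis keyed by top bit)."""
    basis = {}
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)

def admits_pair(tt, e, d):
    """True if some nonzero g with deg(g) <= e gives deg(f*g) <= d (d = -1: f*g = 0)."""
    size = len(tt)
    high = [v for v in range(size) if wt(v) > d]       # monomials that must cancel
    vecs = []
    for u in (u for u in range(size) if wt(u) <= e):   # basis monomials x^u of g
        coeffs = anf([tt[x] if x & u == u else 0 for x in range(size)])
        vecs.append(sum(1 << j for j, v in enumerate(high) if coeffs[v]))
    return gf2_rank(vecs) < len(vecs)                  # dependency <=> such g exists

def algebraic_immunity(tt):
    """Minimum degree of a nonzero annihilator of f or of f + 1 (Definition 4)."""
    comp = [b ^ 1 for b in tt]                         # truth table of f + 1
    d = 0
    while not (admits_pair(tt, d, -1) or admits_pair(comp, d, -1)):
        d += 1
    return d

def is_pai(tt, slack=0):
    """Definition 5: slack=0 tests PAI, slack=1 tests almost PAI."""
    n = len(tt).bit_length() - 1
    return not any(admits_pair(tt, e, n - e - 1 - slack)
                   for e in range(1, ceil(n / 2)))

def table(f, n):
    return [f(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]

# Constructed sample functions (illustrative only).
F4 = table(lambda a, b, c, d: a ^ b ^ (c & d), 4)            # x1 + x2 + x3*x4
MAJ3 = table(lambda a, b, c: (a & b) ^ (a & c) ^ (b & c), 3)   # majority
XOR3 = table(lambda a, b, c: a ^ b ^ c, 3)                   # linear

if __name__ == "__main__":
    for name, tt in [("F4", F4), ("MAJ3", MAJ3), ("XOR3", XOR3)]:
        print(name, algebraic_immunity(tt), is_pai(tt), is_pai(tt, slack=1))
```

The exhaustive rank computation is only practical for small numbers of variables; it is meant for checking definitions on toy functions, not for the sizes in Table 1.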

The Proposed Construction
Resilient functions (see Definition 3) are a special class of Boolean functions and find many interesting applications in stream ciphers. In [8], Maitra and Sarkar discussed the various methods of creation of resilient functions, and functions constructed by these methods constitute a subset of a larger set of all resilient functions. Pan et al. [19] presented a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes. More precisely, Pan et al. proposed a secondary construction (i.e., Siegenthaler's [6] construction) by concatenating two balanced Boolean functions ,  with odd variables , where deg() = −1, AI() = (+1)/2. They can prove the existence of a nontrivial pair (, ) applied in the construction. But they can only construct a part of 1-resilient Boolean functions with optimal algebraic immunity by using these pairs. Pan et al. generalized the construction to a larger class of functions with suboptimal algebraic immunity on any number (>2) of variables. However, the cryptographic properties of the resulting functions are highly related to those of the initial functions they chose as building blocks, and in particular, this does not rule out the possibility that these functions are vulnerable to fast algebraic attack; that is, one would not expect strong resistance against fast algebraic attack in the resulting Boolean functions. More details on the rationale of their constructions can be found in [19], where two constructions are presented and security properties are analyzed mathematically step by step. In Section 6, we also compare the properties of fast algebraic immunity between our construction and the proposal of Pan et al. [19]. This section will present our construction, followed by cryptographic property analysis in the next sections.
Throughout the rest of the paper, let , , , V,  be positive integers,  = 2,  ≥ 3, 0 ≤  ≤ 2  − 2, and 2 −1 − 1 ≤  ≤ 2  − 2. Let  be a primitive element of finite field  2  , and For any (, V) ∈ , define n-variable Boolean function  whose support supp() consists of the following four sets: In the coming sections, we will discuss its cryptographic properties: resiliency, algebraic immunity, and fast algebraic immunity.In particular, we will show that the functions derived from our construction are 1-resilient and with almost perfect algebraic immunity.

Resiliency of the Proposed Construction
Nonlinear Boolean functions are generally used in symmetric cryptography. It is not surprising that the functions should have a sufficiently simple implementation in hardware. Besides, they must satisfy certain criteria to resist different attacks (e.g., correlation attacks suggested by Siegenthaler [29] and different types of linear attacks). One of the important factors is good correlation immunity (of order m); namely, the output should be statistically independent of the combination of any m of its inputs. A 1-resilient function is a balanced Boolean function that is correlation-immune of order 1.
Theorem 6. Suppose that  is a Boolean function derived from our construction. Then we have that  is 1-resilient.
Proof. According to the definition of resiliency (see Definition 3), we first show that the function derived from our construction is balanced.
In fact, we have that thus, the function f is balanced as expected.

Algebraic Immunity of the Proposed Construction
Algebraic attacks have become a powerful tool that can be used for almost all types of cryptographic systems. Algebraic immunity defined for a Boolean function measures the resistance of the function against algebraic attacks. The properties and constructions of Boolean functions with high algebraic immunity are addressed in extensive work, for example, [9, 12–16].
In this section, we will analyze the algebraic immunity of the proposed construction.First we have the following lemma.
Case 2 ( = 0, i.e.,  = ).From Lemma 7, we know that the number of different ℎ , in ( 28) is no more than 2 −1 − 1.Thus, for any 1 ≤  ≤ 2  − 2, we have Putting all together, we know that namely, there is not any annihilator of degree lower than k.
Next we consider  + 1.Its support supp( + 1) consists of the following sets: Assume that h is an annihilator of + 1, deg(ℎ) < .

Fast Algebraic Immunity of the Proposed Construction
Algebraic attacks are based on the establishment and processing of an overdefined system of nonlinear equations involving the secret key and the keystream sequence. The system can be practically solved, and thus the secret key is compromised, only if the equations are of low degree. Courtois and Meier demonstrated that a successful algebraic attack exists when the Boolean function  (or its complement  + 1) has a low degree annihilator (a nonzero Boolean function , such that   = 0). At Crypto 2003, Courtois [17] further generalized the standard algebraic attack to an improved version, the fast algebraic attack (see also [32]), by presenting a method that substantially reduces the complexity of the attack. Several stream ciphers appeared to be vulnerable to the FAA, such as Toyocrypt, LILI-128, and the keystream generator that is used in the E0 cipher. Fast algebraic attacks are considered to be more difficult to study than the standard algebraic attack, and thus a design with good immunity against FAA is expected.
Theorem 10 (see [9]). Carlet-Feng function  derived from Definition 9 has a good behavior against fast algebraic attacks.
In particular, Carlet and Feng checked that no nonzero function  of degree at most  and no function ℎ of degree at most  exist such that  ⋅  = ℎ, when (, ) = (1,  − 2) for  odd and (, ) = (1,  − 3) for  even.
This suggests that this class of functions, even if not always optimal against fast algebraic attacks, has a very good behavior.
Pan et al. [19] presented a construction for a class of 1-resilient Boolean functions with optimal algebraic immunity on an even number of variables by dividing them into two correlation classes, that is, equivalence classes. The following result states the construction.
Theorem 11 (see [19]). Let n be any odd integer ( ≥ 3),  be a balanced Boolean function with maximum degree  − 1 and optimal algebraic immunity ( + 1)/2, and  be an annihilator of . Then the following is 1-resilient Boolean function with optimal algebraic immunity:
Comparatively, one can take two odd-variable Carlet-Feng functions as initial functions and construct a class of 1-resilient functions on even variables by the method proposed in [19].
Thus we can determine the appropriate values of (, ) for the three classes of Boolean functions, the first two by the Carlet-Feng method [9] and the method in [19], respectively, and the last one from the method proposed in Section 3. Table 1, computed with an implementation in the Maple language, presents the minimal values of (, ) for the functions on even variables (from 6 to 16). In the table, the last column takes (, , , V) = (0, 2 −1 , 1, 2 −1 − 1).
One can check that when  = 8, 12, 14, and 16, the minimal values of (, ) by the proposed method are closer to the bounds (i.e., n) than those in [19]. In fact, when  = 8 and 12, the results by our method are even better than those by Carlet-Feng functions [9], which indicates stronger resistance against fast algebraic attack.
Moreover, one can find that, for all the (, ) of the last column, we have  +  ≥  − 1. Combining this with the results in the previous section, we may expect that the functions constructed by the proposed method are almost perfect algebraic immune.

Conclusion
Based on bivariate representation over a finite field, the paper constructed a class of 1-resilient Boolean functions on even variables with almost perfect algebraic immunity. The resulting construction can resist algebraic attack and fast algebraic attack almost perfectly, along with corresponding immunity against correlation attack.
We mention that the cryptographic community is expected to construct Boolean functions with as many cryptographic properties as possible. A natural but interesting question is how to extend the proposed construction to other important cryptographic properties such as algebraic degree and nonlinearity. We leave it as future work.