A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS
FROM A CRYPTOGRAPHIC PERSPECTIVE
José Antonio Álvarez-Cubero and Pedro J. Zufiria
Depto. Matemática Aplicada a las Tecnologías de la Información, ETSIT, UPM, E-28040 Madrid, Spain
Keywords:
C++ library, Walsh transform, Differential profile, Autocorrelation spectrum, Vector boolean function, Nonlinearity, Linearity distance, Balancedness, Resiliency, Propagation criterion.
Abstract:
In this paper, a C++ class for analysing Vector Boolean Functions from a cryptographic perspective is presented. This implementation uses the NTL library from Victor Shoup, replacing some of the general purpose modules of this library by more specialized ones better suited to cryptography, and adding new modules that complement the existing ones. With this class, we can obtain the classical representations of a Vector Boolean Function such as its Truth Table and Algebraic Normal Form (ANF). It is possible to calculate mathematical structures such as the Walsh Spectrum, Linear Profile, Differential Profile and Autocorrelation Spectrum. Cryptographic criteria such as nonlinearity, linearity distance, order of correlation immunity, balancedness, algebraic degree and propagation criterion can be obtained with this class. It also allows us to find out some interesting cryptologic parameters such as linear structures, linear potential, differential potential and the maximum possible nonlinearity or linearity distance of a Vector Boolean Function with the same dimensions. Finally, operations such as identifying whether two Vector Boolean Functions are equal, their sum, direct sum, composition, bricklayering, adding coordinate functions and obtaining the polynomial representation over $GF(2^n)$ of a Vector Boolean Function given the irreducible polynomial and its Truth Table are presented.
1 INTRODUCTION
Nowadays, Vector Boolean functions play an important role in various fields of human activity, such as Coding Theory (McWilliams and Sloane, 1977), Switching Theory (Davio et al., 1978) and Cryptography (Carlet, 2008a), (Carlet, 2008b). Conventional secret key cryptosystems can be expressed as a certain composition of Vector Boolean functions. Thus, in cipher design, it is essential to define criteria which measure the cryptographic strength of Boolean and Vector Boolean functions. Moreover, because of the size and complexity of modern ciphers, an automatic analysis program is very helpful in reducing the time which must be spent on studying the cryptographic properties of Vector Boolean Functions.
In this paper, a C++ class for analysing cryptographic properties of Vector Boolean Functions is presented. It is called VBF and is based on the well-known Number Theory Library NTL implemented by Victor Shoup (Shoup, 2009). NTL is a high-performance, portable C++ library providing data structures and algorithms for manipulating signed, arbitrary length integers, and for vectors, matrices, and polynomials over the integers and over finite fields. The decision to use this library is mainly based on four reasons:
1. It is free software, and may be used according to the terms of the GNU General Public License.
2. It provides high quality implementations of state-of-the-art algorithms for the Galois field of order 2.
3. It can be easily installed in a matter of minutes on just about any platform.
4. It provides a clean and consistent interface to a large variety of classes representing mathematical objects which are useful in cryptology.
The VBF class makes use of all the Boolean mathematical objects defined in NTL modules as a starting point. However, it was necessary to introduce some new algorithms and cryptographic structures in order to achieve the results described in this paper. The main advantages of this approach are derived from the object oriented implementation and the use of effective algorithms: reusability, maintainability, extensibility and flexibility in the analysis of a broad range
Antonio Álvarez-Cubero J. and J. Zufiria P. (2010). A C++ CLASS FOR ANALYSING VECTOR BOOLEAN FUNCTIONS FROM A CRYPTOGRAPHIC PERSPECTIVE. In Proceedings of the International Conference on Security and Cryptography, pages 512-520. DOI: 10.5220/0002964505120520. Copyright © SciTePress
of Vector Boolean Functions employed in symmetric ciphers. In our opinion, there is still a lack of stable and efficient C++ algorithms in cryptographic libraries, and this implementation can be a very useful tool both for the designer and for the cryptanalyst of symmetric ciphers. At the present time, either the libraries are commercial and restricted to some cryptographic properties of Boolean functions (such as (Bibliowicz et al., 2003) or (Gammel, 2006)) or they do not benefit from the new paradigms of object orientation and generic programming (Pommerening, 2001). We have performed a full analysis of a 14 × 14 S-box with the VBF class in less than one second on a Core2 Duo 2.4GHz, 4GB RAM, 2x250GB Debian Linux platform.
The paper is organized as follows: Section 2 is devoted to the presentation of the main Vector Boolean Function concepts. In Section 3, we describe the types of Vector Boolean Function representations that this class can deal with. In Section 4, cryptographically relevant matrices, cryptographic criteria and other useful information for cryptanalysis that this implementation can calculate for an individual Vector Boolean Function are described. In Section 5, we enumerate the operations over Vector Boolean Functions that are supported. In Section 6, we illustrate how the VBF class can be used with examples. Finally, concluding remarks are summarized in Section 7.
2 PRELIMINARIES
Let $\langle GF(2), +, \cdot \rangle$ be the finite field of order 2, where $GF(2) = \mathbb{Z}_2 = \{0, 1\}$, $+$ the 'integer addition modulo 2' and $\cdot$ the 'integer multiplication modulo 2'. $V_n$ is the vector space of $n$-tuples of elements from $GF(2)$. The direct sum of $x \in V_{n_1}$ and $y \in V_{n_2}$ is defined as $x \oplus y = (x_1, \ldots, x_{n_1}, y_1, \ldots, y_{n_2}) \in V_{n_1+n_2}$. The inner product of $x, y \in V_n$ is denoted by $x \cdot y$, and the inner product of real vectors $x, y \in \mathbb{R}^n$ is denoted by $\langle x, y \rangle$.
$f : V_n \to GF(2)$ is called a Boolean function and $\mathcal{F}_n$ is the set of all Boolean functions on $V_n$. $\mathcal{L}_n$ is the set of all linear Boolean functions on $V_n$: $\mathcal{L}_n = \{ l_u : u \in V_n \mid l_u(x) = u \cdot x \}$ and $\mathcal{A}_n$ is the set of all affine Boolean functions on $V_n$.
The real-valued mapping $\chi_u(x) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{u \cdot x}$ for $x, u \in V_n$ is called a character. The character form of $f \in \mathcal{F}_n$ is defined as $\chi_f(x) = (-1)^{f(x)}$. The Truth Table of $\chi_f$ is called the $(1, -1)$-sequence vector or sequence vector of $f$ and is denoted by $\xi_f \in \mathbb{R}^{2^n}$.
Let $f \in \mathcal{F}_n$ be a Boolean function; the Walsh Transform of $f$ at $u \in V_n$ is the $n$-dimensional Discrete Fourier Transform and can be calculated as follows:
$$\hat{\chi}_f(u) = \langle \xi_f, \xi_{l_u} \rangle = \sum_{x \in V_n} (-1)^{f(x) + u \cdot x} \qquad (1)$$
The autocorrelation of $f \in \mathcal{F}_n$ with respect to the shift $u \in V_n$ is the cross-correlation of $f$ with itself, denoted by $R_f(u) : V_n \to \mathbb{R}$ and defined by:
$$R_f(u) = \frac{1}{2^n} \sum_{x \in V_n} \chi_f(x)\,\chi_f(x+u) = \frac{1}{2^n} \sum_{x \in V_n} (-1)^{f(x) + f(u+x)} \qquad (2)$$
$F : V_n \to V_m$, $F(x) = (f_1(x), \ldots, f_m(x))$ is called a Vector Boolean function and $\mathcal{F}_{n,m}$ is the set of all Vector Boolean functions $F : V_n \to V_m$. Each $f_i : V_n \to GF(2)$, $i \in \{1, \ldots, m\}$, is a coordinate function of $F$. The indicator function of $F \in \mathcal{F}_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \mathbb{R}$, is defined in (Chabaud and Vaudenay, 1994) as $\theta_F(x, y) = 1$ if $y = F(x)$ and $\theta_F(x, y) = 0$ if $y \neq F(x)$. The character form of $(u, v) \in V_n \times V_m$ can be defined as follows: $\chi_{(u,v)}(x, y) = (-1)^{u \cdot x + v \cdot y}$.
Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean function; its Walsh Transform is the two-dimensional Walsh Transform defined by:
$$\hat{\theta}_F(u, v) = \sum_{x \in V_n} \sum_{y \in V_m} \theta_F(x, y)\,\chi_{(u,v)}(x, y) = \sum_{x \in V_n} (-1)^{u \cdot x + v \cdot F(x)} \qquad (3)$$
(Nyberg, 1994) The autocorrelation of $F \in \mathcal{F}_{n,m}$ with respect to the shift $(u, v) \in V_n \times V_m$ is the cross-correlation of $F$ with itself, denoted by $R_F(u, v) : V_n \times V_m \to \mathbb{R}$, so that:
$$R_F(u, v) = \frac{1}{2^n} \sum_{x \in V_n} \chi_{v \cdot F}(x+u)\,\chi_{v \cdot F}(x) = \frac{1}{2^n} \sum_{x \in V_n} (-1)^{v \cdot F(x+u) + v \cdot F(x)} \qquad (4)$$
Let $F \in \mathcal{F}_{n,m}$ and $u \in V_n$; then the difference Vector Boolean function of $F$ in the direction of $u \in V_n$, denoted by $\Delta_u F \in \mathcal{F}_{n,m}$, is defined as follows: $\Delta_u F(x) = F(x+u) + F(x)$, $\forall x \in V_n$. If the following equality is satisfied:
$$\Delta_u F(x) = c, \quad c \in V_n, \quad \forall x \in V_n$$
then $u \in V_n$ is called a linear structure of $F$.
We define the simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{uv}\}_{u,v}$, characterized by vectors $u$ and $v$, as: $\max(a_{uv}) = \max_{(u,v)} \{|a_{uv}|\}$. Using the same simplifying notation, we define the $\max^{*}(\cdot)$ operator on a set of real numbers $\{a_{uv}\}_{u,v}$ as: $\max^{*}(a_{uv}) = \max_{(u,v) \neq (0,0)} \{|a_{uv}|\}$. This notation will be used in some criteria definitions.
3 REPRESENTATIONS OF VECTOR BOOLEAN FUNCTIONS
Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean Function; the representations supported by the VBF class are described below together with their member functions:
1. The Truth Table of $F$, denoted by $T_F \in M_{2^n \times m}(GF(2))$ and defined by:
$$T_F = \begin{pmatrix} f_1(\alpha_0) & \ldots & f_m(\alpha_0) \\ f_1(\alpha_1) & \ldots & f_m(\alpha_1) \\ \ldots & \ldots & \ldots \\ f_1(\alpha_{2^n-1}) & \ldots & f_m(\alpha_{2^n-1}) \end{pmatrix} \qquad (5)$$
where $f_i$, $i \in \{1, \ldots, m\}$, are its component functions and $\alpha_i = (x_1, \ldots, x_n) \in V_n$, $i \in \{1, \ldots, 2^n - 1\}$, is a vector whose decimal equivalent is $dec(\alpha_i) = i = \sum_{j=1}^{n} x_j 2^{n-j}$, and we can list all the vectors of $V_n$ so that $\alpha_0 < \alpha_1 < \cdots < \alpha_{2^n-1}$.
void TT(NTL::mat_GF2& X, VBF& a)
inline NTL::mat_GF2 TT(VBF& a)
2. m-tuple of polynomials in ANF. Any $F \in \mathcal{F}_{n,m}$ can be uniquely represented by $m$ multivariate polynomials over $GF(2)$ where each variable has power at most one. Each such polynomial can be expressed as a sum of all distinct $k$th-order product terms ($0 < k \leq n$) of the variables:
$$f(x_1, \ldots, x_n) = a_0 + a_1 x_1 + \cdots + a_n x_n + a_{12} x_1 x_2 + \cdots + a_{n-1,n} x_{n-1} x_n + \cdots + a_{12 \ldots n} x_1 x_2 \ldots x_n = \sum_{I \in \mathcal{P}(N)} a_I \Big(\prod_{i \in I} x_i\Big) = \sum_{I \in \mathcal{P}(N)} a_I x^I, \quad a_I \in GF(2) \qquad (6)$$
where $\mathcal{P}(N)$ denotes the power set of $N = \{1, \ldots, n\}$. This representation of $f$ is called the algebraic normal form (ANF) of $f$.
void Pol(NTL_SNS ostream& s, VBF& a)
vec_pol getpol()
3. The ANF table of $F$, denoted by $ANF_F \in M_{2^n \times m}(GF(2))$, represents the $2^n$ coefficients of the polynomials of the $m$ coordinate functions in ANF.
void ANF(NTL::mat_GF2& X, VBF& a)
inline NTL::mat_GF2 ANF(VBF& a)
If $F$ is a Boolean permutation, that is, it is bijective and has the same number of input bits as output bits ($n = m$), then it can be defined as an array:
$$F = \begin{pmatrix} F(1) & \ldots & F(n) \end{pmatrix} \qquad (7)$$
having $F(i)$ as the image of the bit $i$ for $F$.
void putper(const NTL::vec_ZZ& a)
NTL::vec_ZZ getper() const
If $F$ is an affine Vector Boolean Function with $n \neq m$ (such as the Expansion and Compression DES permutations (NBS, 1977)), then it can be defined as an array with $m$ elements which are the output bits.
void putlin(const NTL::vec_ZZ& a)
NTL::mat_GF2 getlin() const
The VBF class also supports the definition of $F$ as given in (NBS, 1977) for the DES S-boxes.
void putsbox(const NTL::mat_ZZ& a)
NTL::mat_ZZ getsbox()
4 CRYPTOGRAPHIC ANALYSIS OF A VECTOR BOOLEAN FUNCTION
This section describes the useful information that can be extracted with the VBF class from the cryptographic point of view. First of all, matrices of cryptographic interest are presented. Then, we enumerate the different cryptographic criteria that are supported and how they can be obtained from these matrices: nonlinearity, correlation immunity, balancedness, linearity distance, propagation criterion and algebraic degree. Finally, some useful information for cryptanalysis supported by the VBF class is described: the linear potential, the differential potential, the linear structures of the Vector Boolean Function and the maximum possible nonlinearity and linearity distance for a Vector Boolean Function with the same dimensions as the one analysed.
4.1 Matrices with Cryptographic Interest
Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean Function; VBF can calculate all the following matrices associated with it:
1. The Characteristic Function of $F$, which can be represented by a matrix whose rows are indexed by $x \in V_n$ and whose columns are indexed by $y \in V_m$ in lexicographic order, denoted by $Img(F) \in M_{2^n \times 2^m}(GF(2))$ and defined as follows:
$$Img(F) = \begin{pmatrix} \theta_F(\alpha_0, \alpha_0) & \ldots & \theta_F(\alpha_0, \alpha_{2^m-1}) \\ \theta_F(\alpha_1, \alpha_0) & \ldots & \theta_F(\alpha_1, \alpha_{2^m-1}) \\ \ldots & \ldots & \ldots \\ \theta_F(\alpha_{2^n-1}, \alpha_0) & \ldots & \theta_F(\alpha_{2^n-1}, \alpha_{2^m-1}) \end{pmatrix} \qquad (8)$$
SECRYPT 2010 - International Conference on Security and Cryptography
where $\theta_F(x, y)$ is the value of the indicator function at $(x, y)$, defined as $\theta_F : V_n \times V_m \to \{0, 1\}$:
$$\theta_F(x, y) = \begin{cases} 1 & \text{if } y = F(x) \\ 0 & \text{if } y \neq F(x) \end{cases} \qquad (9)$$
mat_ZZ charfunct(const mat_GF2& T, int n, int m)
This function has as arguments the Truth Table, the number of inputs and the number of outputs of a Vector Boolean Function and it calculates its Characteristic Function.
2. The Walsh Spectrum of $F$, which can be represented by a matrix whose rows are characterized by $u \in V_n$ and whose columns are characterized by $v \in V_m$ in lexicographic order, denoted by $WS(F) \in M_{2^n \times 2^m}(\mathbb{R})$. It holds that $\hat{\theta}_F(u, v) = WS(F)(u, v)$.
void Walsh(NTL::mat_ZZ& X, VBF& a)
inline NTL::mat_ZZ Walsh(VBF& a)
3. The Linear Profile of $F$, which can be represented by a matrix whose rows are characterized by $u \in V_n$ and whose columns are characterized by $v \in V_m$ in lexicographic order, denoted by $LP(F) \in M_{2^n \times 2^m}(\mathbb{R})$. It holds that $LP(F)(u, v) = \frac{1}{2^{n+m}} |WS(F)(u, v)|^2$.
void LAT(NTL::mat_ZZ& X, VBF& a)
inline NTL::mat_ZZ LAT(VBF& a)
4. The Differential Profile, which can be represented by a matrix whose rows are characterized by $u \in V_n$ and whose columns are characterized by $v \in V_m$ in lexicographic order, denoted by $DP(F) \in M_{2^n \times 2^m}(\mathbb{R})$. This matrix results from the application of the Walsh Transform to the Linear Profile.
void DAT(NTL::mat_ZZ& X, VBF& a)
inline NTL::mat_ZZ DAT(VBF& a)
5. The Autocorrelation Spectrum, whose rows are indexed by $u \in V_n$ and whose columns are indexed by $v \in V_m$ in lexicographic order, denoted by $R(F) \in M_{2^n \times 2^m}(\mathbb{R})$. This matrix results from the application of the Walsh Transform to the Linear Profile. It holds that $R(F)(u, v) = \frac{1}{DP(F)(0,0)} \big(DP(F)(u, 0) - DP(F)(u, v)\big)$.
void AC(NTL::mat_RR& X, VBF& a)
inline NTL::mat_RR AC(VBF& a)
Some functions have been implemented in the VBF class to compute one matrix from the knowledge of others, such as:
mat_GF2 rev(const mat_GF2& X, int n, int m)
This function has as arguments the ANF Table, the number of inputs and the number of outputs of a Vector Boolean Function and it computes its Truth Table.
mat_GF2 truthtable(const mat_ZZ& C, int n, int m)
This function has as arguments the Characteristic Function, the number of inputs and the number of outputs of a Vector Boolean Function and it computes its Truth Table.
mat_ZZ invwt(const mat_ZZ& X, int n, int m)
This function has as arguments the Walsh Spectrum, the number of inputs and the number of outputs of a Vector Boolean Function and it computes its Characteristic Function. It corresponds to the inverse Walsh Transform.
4.2 Cryptographic Criteria
Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean Function; the following cryptographic criteria can be obtained by means of the VBF class:
1. Nonlinearity, defined as the minimum among the nonlinearities of all nonzero linear combinations of the coordinate functions of $F$; it can be obtained from the Walsh Spectrum the following way:
$$\mathcal{NL}(F) = \min_{v \neq 0 \in V_m} \mathcal{NL}(v \cdot F) = 2^{n-1} - \frac{1}{2} \max^{*}(WS(F)(u, v)) \qquad (10)$$
void nl(NTL::RR& x, VBF& a)
inline NTL::RR nl(VBF& a)
2. Linearity distance, defined as the minimum among the linearity distances of all nonzero linear combinations of the coordinate functions of $F$; it can be obtained from the Differential Profile the following way:
$$\mathcal{LD}(F) = \min_{v \neq 0 \in V_m} \mathcal{LD}(v \cdot F) \qquad (11)$$
void ld(NTL::RR& x, VBF& a)
inline NTL::RR ld(VBF& a)
3. Balancedness, considering that $F \in \mathcal{F}_{n,m}$ is balanced (or has balanced output) if each possible output $m$-tuple occurs with equal probability $\frac{1}{2^m}$, that is, its output is uniformly distributed in $V_m$. This criterion can be obtained from the Walsh Spectrum the following way:
$$\hat{\theta}_F(0, v) = 0, \quad \forall v \neq 0 \in V_m \qquad (12)$$
void Bal(int& bal, VBF& a)
inline int Bal(VBF& a)
4. Correlation Immunity, so that $F \in \mathcal{F}_{n,m}$ is an $(n, m, t)$-CI function if and only if every nonzero linear combination $f(x) = \sum_{i=1}^{m} v_i f_i(x)$ of coordinate functions of $F$ is an $(n, 1, t)$-CI function, where $x \in V_n$, $v_i \in GF(2)$, $i = 1, \ldots, m$, and not all
zeroes. This criterion can be obtained from the Walsh Spectrum the following way:
$$\hat{\theta}_F(u, v) = 0, \quad \forall u \in V_n,\ 1 \leq wt(u) \leq t, \quad \forall v \neq 0 \in V_m \qquad (13)$$
void CI(int& t, VBF& a)
inline int CI(VBF& a)
5. Propagation criterion, where $F \in \mathcal{F}_{n,m}$ satisfies the propagation criterion of degree $l$ ($PC(l)$) if any nonzero linear combination of the component Boolean functions satisfies $PC(l)$. This criterion can be obtained from the Autocorrelation Spectrum the following way:
$$R_F(u, v) = 0, \quad \forall u \in V_n,\ 1 \leq wt(u) \leq l, \quad \forall v \neq 0 \in V_m \qquad (14)$$
void PC(int& k, VBF& a)
inline int PC(VBF& a)
6. Algebraic degree, defined as the maximum among the algebraic degrees of all nonzero linear combinations of the coordinate functions of $F$ (Nyberg, 1992), namely:
$$\deg(F) = \min_{g} \Big\{ \deg(g) \;\Big|\; g = \sum_{j=1}^{m} v_j f_j,\ v \neq 0 \in V_m \Big\} \qquad (15)$$
the algebraic order or degree of a Boolean function being the order of the largest product term which exists in its ANF. This criterion is calculated by finding out the ANF table and then analysing the order of all the linear combinations of coordinate functions.
void deg(int& d, VBF& a)
inline int deg(VBF& a)
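The Truth Table to ANF conversion of Section 3 (eqs. 5 and 6) and the algebraic degree criterion just described, both computed with the binary Möbius transform, as an added example that is not the VBF class's code and uses no NTL (it stands in for what VBF's ANF, rev and deg member functions do). The struct and function names, and the 3-bit sample function built from explicit ANFs, are this example's own; coordinate $f_1$ is stored as the most significant output bit so that the bit order matches the $x_1, \ldots, x_n$ ordering of eq. (5).

```cpp
// Added example (not the VBF class's code, no NTL): Truth Table <-> ANF table via
// the binary Moebius transform (Section 3, eqs. 5-6) and the algebraic degree of
// Section 4.2 computed from the ANF of every nonzero linear combination v.F.
#include <cstdint>
#include <vector>
#include <algorithm>

// A Boolean function on V_n as its truth table: tt[x] = f(alpha_x), x = dec(alpha_x).
using BoolTable = std::vector<uint8_t>;

// F: V_n -> V_m as 2^n packed outputs; coordinate f_1 is the most significant
// bit, f_m the least, matching the x_1 ... x_n ordering of eq. (5).
struct VBFTable { int n, m; std::vector<unsigned> out; };

static int popcount(unsigned w) { int c = 0; while (w) { ++c; w &= w - 1; } return c; }

// Binary Moebius transform. On a truth table it yields the ANF coefficients a_I of
// eq. (6), I being the bit mask of the variables in the monomial (x_1 = top bit);
// applied again it maps the ANF back to the truth table (it is an involution).
BoolTable moebius(BoolTable t) {
    for (size_t step = 1; step < t.size(); step <<= 1)
        for (size_t base = 0; base < t.size(); base += 2 * step)
            for (size_t j = base; j < base + step; ++j)
                t[j + step] ^= t[j];   // fold the half without variable 'step' into the half with it
    return t;
}

// Truth table of the coordinate function f_i, i = 1..m.
BoolTable coordinate(const VBFTable& F, int i) {
    BoolTable t(F.out.size());
    for (size_t x = 0; x < t.size(); ++x) t[x] = (F.out[x] >> (F.m - i)) & 1;
    return t;
}

// ANF table of F (column i-1 holds the ANF coefficients of f_i).
std::vector<BoolTable> anfTable(const VBFTable& F) {
    std::vector<BoolTable> cols;
    for (int i = 1; i <= F.m; ++i) cols.push_back(moebius(coordinate(F, i)));
    return cols;
}

// Degree of one Boolean function: largest monomial weight with a nonzero coefficient.
int boolDegree(const BoolTable& anf) {
    int d = 0;
    for (size_t I = 0; I < anf.size(); ++I)
        if (anf[I]) d = std::max(d, popcount((unsigned)I));
    return d;
}

// Degrees over all nonzero combinations v.F. The page's eq. (15) takes the
// minimum while its prose says maximum, so both are returned.
struct DegreeResult { int minDeg, maxDeg; };
DegreeResult algebraicDegree(const VBFTable& F) {
    std::vector<BoolTable> anfs = anfTable(F);   // ANF is linear: ANF(v.F) = XOR of selected columns
    DegreeResult r{F.n + 1, 0};
    for (unsigned v = 1; v < (1u << F.m); ++v) {
        BoolTable comb(F.out.size(), 0);
        for (int j = 0; j < F.m; ++j)
            if ((v >> j) & 1)
                for (size_t I = 0; I < comb.size(); ++I) comb[I] ^= anfs[j][I];
        int d = boolDegree(comb);
        r.minDeg = std::min(r.minDeg, d);
        r.maxDeg = std::max(r.maxDeg, d);
    }
    return r;
}

// Constructed sample F: V_3 -> V_3 with coordinate functions
//   f1 = x1 x2 + x3,   f2 = x1 + x2,   f3 = x1 x2 x3 + x2.
VBFTable sampleF() {
    VBFTable F{3, 3, std::vector<unsigned>(8)};
    for (unsigned x = 0; x < 8; ++x) {
        unsigned x1 = (x >> 2) & 1, x2 = (x >> 1) & 1, x3 = x & 1;
        unsigned f1 = (x1 & x2) ^ x3, f2 = x1 ^ x2, f3 = (x1 & x2 & x3) ^ x2;
        F.out[x] = (f1 << 2) | (f2 << 1) | f3;
    }
    return F;
}
```

Running `algebraicDegree(sampleF())` gives minimum degree 1 (from $f_2$) and maximum degree 3; the ANF column of $f_1$ has exactly the coefficients for $x_1 x_2$ (mask 110) and $x_3$ (mask 001) set, and applying `moebius` to that column returns the truth table of $f_1$ again.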
4.3 Useful Information in Cryptanalysis
Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean Function; the following information can be obtained by means of the VBF class:
1. The Linear Potential of $F$, defined as $lp(F) = \frac{1}{2^{2n}} \cdot \max^{*}(WS(F)(u, v)^2)$, which is exploited as a measure of linearity in linear cryptanalysis, and satisfies (Chabaud and Vaudenay, 1994) $\frac{1}{2^n} \leq lp(F) \leq 1$, so that the lower bound holds if and only if $F$ has maximum nonlinearity ($F$ is bent) and the upper bound is reached when $F$ is linear or affine.
void lp(NTL::RR& x, VBF& a)
inline NTL::RR lp(VBF& a)
2. The Differential Potential of $F$, defined as $dp(F) = \max^{*}(DP(F)(u, v))$, which is exploited as a measure of the robustness against differential cryptanalysis. It holds that $\frac{1}{2^m} \leq dp(F) \leq 1$, and the lower bound holds if and only if $F$ is bent and the upper bound is reached when $F$ is linear or affine. The differential uniformity of $F \in \mathcal{F}_{n,m}$ and its differential potential are related as follows: $dp(F) = \frac{1}{2^n} DU(F)$.
void dp(NTL::RR& x, VBF& a)
inline NTL::RR dp(VBF& a)
3. The Linear structures of $F$, defined as the vectors whose associated row in the Differential Profile coincides with the zero vector.
NTL::mat_GF2 LS(VBF& a)
4. The Maximum possible nonlinearity for a Vector Boolean Function with the same dimensions as $F$ (when $n$ is even).
NTL::RR nlmax(VBF& a)
5. The Maximum possible linearity distance for a Vector Boolean Function with the same dimensions as $F$.
NTL::RR ldmax(VBF& a)
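The Walsh Spectrum of Section 4.1 and the criteria of Sections 4.2 and 4.3 that follow from it and from the differential profile (nonlinearity, linear and differential potential, balancedness, correlation immunity order and linear structures), computed directly from a truth table, as an added example that is not the VBF class's code and uses no NTL. The function and struct names are this example's own; the sample input is the cubing map $x \mapsto x^3$ over $GF(2^3)$ (modulus $x^3 + x + 1$), tabulated by hand. The differential profile is kept as a table of raw counts, so $dp(F)$ is taken as $DU(F)/2^n$ as stated in item 2 above, and linear structures follow the Section 2 definition (a direction $u$ in which $\Delta_u F$ is constant).

```cpp
// Added example (not the VBF class's code, no NTL): the Walsh Spectrum (eq. 3) and a
// difference-distribution table for F: V_n -> V_m given as a truth table, and the
// criteria of Sections 4.2-4.3 derived from them.
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <vector>

struct VBFTable { int n, m; std::vector<unsigned> out; };   // out[x] = F(x), x = dec(alpha)
typedef std::vector<std::vector<long> > Matrix;              // indexed [u][v]

static int parity(unsigned w) { int p = 0; while (w) { p ^= 1; w &= w - 1; } return p; }
static int weight(unsigned w) { int c = 0; while (w) { ++c; w &= w - 1; } return c; }

// WS(F)(u,v) = sum_x (-1)^{u.x + v.F(x)}  (eq. 3); O(2^{2n+m}), fine for small S-boxes.
Matrix walshSpectrum(const VBFTable& F) {
    unsigned N = 1u << F.n, M = 1u << F.m;
    Matrix W(N, std::vector<long>(M, 0));
    for (unsigned u = 0; u < N; ++u)
        for (unsigned v = 0; v < M; ++v)
            for (unsigned x = 0; x < N; ++x)
                W[u][v] += parity((u & x) ^ (v & F.out[x])) ? -1 : 1;
    return W;
}

// D[u][v] = #{x : F(x+u) + F(x) = v}; the page's Differential Profile is this
// table up to a normalisation factor, and DU(F) = max*(D).
Matrix differenceTable(const VBFTable& F) {
    unsigned N = 1u << F.n, M = 1u << F.m;
    Matrix D(N, std::vector<long>(M, 0));
    for (unsigned u = 0; u < N; ++u)
        for (unsigned x = 0; x < N; ++x)
            D[u][F.out[x ^ u] ^ F.out[x]]++;
    return D;
}

// max*(.) of Section 2: largest absolute entry over (u,v) != (0,0).
long maxStar(const Matrix& A) {
    long best = 0;
    for (size_t u = 0; u < A.size(); ++u)
        for (size_t v = 0; v < A[u].size(); ++v)
            if (u != 0 || v != 0) best = std::max(best, std::labs(A[u][v]));
    return best;
}

// Eq. (10): NL(F) = 2^{n-1} - (1/2) max*(WS(F)(u,v)).
long nonlinearity(const VBFTable& F) {
    return (1L << (F.n - 1)) - maxStar(walshSpectrum(F)) / 2;
}

// lp(F) = max*(WS(F)^2) / 2^{2n};  dp(F) = DU(F) / 2^n (item 2 of Section 4.3).
double linearPotential(const VBFTable& F) {
    double w = (double)maxStar(walshSpectrum(F));
    return w * w / (double)(1L << (2 * F.n));
}
double differentialPotential(const VBFTable& F) {
    return (double)maxStar(differenceTable(F)) / (double)(1L << F.n);
}

// Eq. (12): balanced iff WS(F)(0,v) = 0 for every v != 0.
bool isBalanced(const VBFTable& F) {
    Matrix W = walshSpectrum(F);
    for (size_t v = 1; v < W[0].size(); ++v) if (W[0][v] != 0) return false;
    return true;
}

// Eq. (13): largest t with WS(F)(u,v) = 0 for all 1 <= wt(u) <= t and all v != 0.
int ciOrder(const VBFTable& F) {
    Matrix W = walshSpectrum(F);
    int t = 0;
    for (int cand = 1; cand <= F.n; ++cand, ++t)
        for (unsigned u = 1; u < W.size(); ++u) {
            if (weight(u) != cand) continue;
            for (size_t v = 1; v < W[u].size(); ++v) if (W[u][v] != 0) return t;
        }
    return t;
}

// Linear structures (Section 2): nonzero u with Delta_u F constant, i.e. row u of
// the difference table puts all 2^n inputs into a single column.
std::vector<unsigned> linearStructures(const VBFTable& F) {
    Matrix D = differenceTable(F);
    std::vector<unsigned> ls;
    for (unsigned u = 1; u < D.size(); ++u)
        for (size_t v = 0; v < D[u].size(); ++v)
            if (D[u][v] == (long)D.size()) ls.push_back(u);
    return ls;
}

// Constructed sample: x -> x^3 over GF(2^3) with modulus x^3 + x + 1, tabulated
// by hand; an APN permutation, so DU = 2 and NL = 2 are the expected results.
VBFTable sampleCube() { return VBFTable{3, 3, {0, 1, 3, 4, 5, 6, 7, 2}}; }

int main() {
    VBFTable F = sampleCube();
    std::printf("NL=%ld lp=%.4f dp=%.4f balanced=%d CI=%d linear structures=%zu\n",
                nonlinearity(F), linearPotential(F), differentialPotential(F),
                (int)isBalanced(F), ciOrder(F), linearStructures(F).size());
    return 0;
}
```

For the cubing map the Walsh entries are all in $\{0, \pm 4\}$, so $\mathcal{NL} = 4 - 4/2 = 2$, $lp = 16/64 = 0.25$ and, with differential uniformity 2, $dp = 2/8 = 0.25$; it is balanced, has correlation immunity order 0 and no linear structures. An affine map such as $x \mapsto x + 5$ on $V_3$, by contrast, has nonlinearity 0 and every nonzero $u$ as a linear structure.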
5 OPERATIONS OVER VECTOR BOOLEAN FUNCTIONS
In this section, the operations over Vector Boolean Functions that the VBF class supports are described. Some of them correspond to secondary constructions, which build $(n, m)$-variable Vector Boolean Functions from $(n', m')$-variable ones (with $n' \leq n$, $m' \leq m$). The direct sum has been used to construct resilient and bent Boolean functions (Carlet, 2004). Adding coordinate functions and bricklayering are operations used to build modern ciphers such as CAST (Adams and Tavares, 1993), DES (NBS, 1977) and AES (Daemen and Rijmen, 2002). Finally, other supported operations are: identification of whether two Vector Boolean functions are equal, the sum of two Vector Boolean functions, the composition of two Vector Boolean Functions, and derivation of the polynomial representation of mappings from $GF(2^n)$ to $GF(2^n)$ by Lagrange interpolation. The definitions of all the supported operations are the following:
1. Let $n \geq 1$, $m \geq 1$, $F, G \in \mathcal{F}_{n,m}$. $F$ and $G$ are equal if their Truth Tables are the same.
long operator==(VBF& a, VBF& b)
long operator!=(VBF& a, VBF& b)
2. Let $n \geq 1$, $m \geq 1$, $F, G \in \mathcal{F}_{n,m}$. The Sum of $F$ and $G$ (denoted by $F+G$) is the Vector Boolean Function whose Truth Table results from the addition of the Truth Tables of $F$ and $G$: $T_{F+G} = T_F + T_G$. It can be proved that the Walsh Spectrum of the sum can be obtained by the convolution of the column vectors of the respective Walsh Spectra.
void sum(VBF& X, VBF& A, VBF& B)
VBF operator+(VBF& A, VBF& B)
3. Let $n = n_1 + n_2$, $n_1, n_2 \geq 1$, $m \geq 1$, $F_1 \in \mathcal{F}_{n_1,m}$ and $F_2 \in \mathcal{F}_{n_2,m}$. The Direct Sum of $F_1$ and $F_2$ is the function:
$$(F_1 \oplus F_2) : V_{n_1} \times V_{n_2} \to V_m, \quad (x, y) \mapsto (F_1 \oplus F_2)(x, y) = F_1(x) + F_2(y) \qquad (16)$$
This is a generalization for Vector Boolean functions of the construction of Boolean functions first introduced in (Rothaus, 1976).
void directsum(VBF& X, VBF& A, VBF& B)
4. Let $n \geq 1$, $m = m_1 + m_2$, $m_1, m_2 \geq 1$, $F \in \mathcal{F}_{n,m_1}$ and $G \in \mathcal{F}_{n,m_2}$. The result of adding coordinate functions of $F$ and $G$ is the function $(F, G) \in \mathcal{F}_{n,m_1+m_2}$ where $(F, G)(x) = (f_1(x), \ldots, f_{m_1}(x), g_1(x), \ldots, g_{m_2}(x))$. This is a generalization for Vector Boolean functions of the method used in the CAST algorithm and studied in (Nyberg, 1994), by adding more than one coordinate function at the same time.
void addimage(VBF& X, VBF& A, VBF& B)
5. Let $n = n_1 + n_2$, $n_1, n_2 \geq 1$, $m = m_1 + m_2$, $m_1, m_2 \geq 1$, $F \in \mathcal{F}_{n_1,m_1}$ and $G \in \mathcal{F}_{n_2,m_2}$. The Bricklayer of $F$ and $G$ is the function $F|G \in \mathcal{F}_{n,m}$ where $F|G(x, y) = (f_1(x), \ldots, f_{m_1}(x), g_1(y), \ldots, g_{m_2}(y))$. This construction corresponds to the bricklayer function (Daemen and Rijmen, 2002) as a parallel application of a number of Vector Boolean functions operating on smaller inputs.
void concat(VBF& X, VBF& A, VBF& B)
VBF operator|(VBF& A, VBF& B)
6. Let $F$ be a mapping from $GF(2^n)$ to $GF(2^n)$; it can always be represented by a polynomial function over $GF(2^n)$. A general way to derive this polynomial representation is given by Lagrange interpolation from the knowledge of the irreducible polynomial of degree $n$ over $GF(2)$ associated with the field $GF(2^n)$ and the Truth Table of $F$.
void interpolate(GF2EX& f, VBF& a)
7. Let $F \in \mathcal{F}_{n,p}$, $G \in \mathcal{F}_{p,m}$; then the Composition Function is $G \circ F \in \mathcal{F}_{n,m}$.
void Comp(VBF& X, VBF& A, VBF& B)
VBF operator*(VBF& A, VBF& B)
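The truth-table operations of items 1 to 5 and 7 (equality, sum, direct sum, adding coordinate functions, bricklayer and composition), as an added example that is not the VBF class's code and uses no NTL. The names are this example's own; a function is stored as its $2^n$ packed outputs with coordinate $f_1$ in the most significant bit, and in a product input $(x, y)$ the first argument occupies the high bits, both following the $dec(\cdot)$ ordering of eq. (5). Dimension mismatches, which the VBF signatures above do not describe, are reported with an exception here.

```cpp
// Added example (not the VBF class's code, no NTL): the Section 5 operations on
// truth tables. out[x] = F(x) with x = dec(alpha) of eq. (5); f_1 is the top output bit.
#include <cstdio>
#include <stdexcept>
#include <vector>

struct VBFTable { int n, m; std::vector<unsigned> out; };

// Item 1: F and G are equal iff their Truth Tables (and dimensions) coincide.
bool sameFunction(const VBFTable& A, const VBFTable& B) {
    return A.n == B.n && A.m == B.m && A.out == B.out;
}

// Item 2: T_{F+G} = T_F + T_G, i.e. bitwise XOR of the outputs.
VBFTable sum(const VBFTable& A, const VBFTable& B) {
    if (A.n != B.n || A.m != B.m) throw std::invalid_argument("sum: dimension mismatch");
    VBFTable X = A;
    for (size_t x = 0; x < X.out.size(); ++x) X.out[x] ^= B.out[x];
    return X;
}

// Item 3, eq. (16): (F1 (+) F2)(x, y) = F1(x) + F2(y) on V_{n1} x V_{n2};
// the input index is x (+) y, i.e. x in the high n1 bits and y in the low n2 bits.
VBFTable directSum(const VBFTable& A, const VBFTable& B) {
    if (A.m != B.m) throw std::invalid_argument("directsum: output dimensions differ");
    VBFTable X{A.n + B.n, A.m, std::vector<unsigned>(1u << (A.n + B.n))};
    for (unsigned x = 0; x < (1u << A.n); ++x)
        for (unsigned y = 0; y < (1u << B.n); ++y)
            X.out[(x << B.n) | y] = A.out[x] ^ B.out[y];
    return X;
}

// Item 4: (F, G)(x) = (f_1(x), ..., f_{m1}(x), g_1(x), ..., g_{m2}(x)):
// F's coordinates come first, so they land in the high m1 output bits.
VBFTable addImage(const VBFTable& A, const VBFTable& B) {
    if (A.n != B.n) throw std::invalid_argument("addimage: input dimensions differ");
    VBFTable X{A.n, A.m + B.m, std::vector<unsigned>(A.out.size())};
    for (size_t x = 0; x < A.out.size(); ++x) X.out[x] = (A.out[x] << B.m) | B.out[x];
    return X;
}

// Item 5: F|G(x, y) = (F(x), G(y)), the parallel application of two smaller maps.
VBFTable bricklayer(const VBFTable& A, const VBFTable& B) {
    VBFTable X{A.n + B.n, A.m + B.m, std::vector<unsigned>(1u << (A.n + B.n))};
    for (unsigned x = 0; x < (1u << A.n); ++x)
        for (unsigned y = 0; y < (1u << B.n); ++y)
            X.out[(x << B.n) | y] = (A.out[x] << B.m) | B.out[y];
    return X;
}

// Item 7: G o F for F in F_{n,p} and G in F_{p,m}.
VBFTable compose(const VBFTable& G, const VBFTable& F) {
    if (F.m != G.n) throw std::invalid_argument("comp: output dim of F must equal input dim of G");
    VBFTable X{F.n, G.m, std::vector<unsigned>(F.out.size())};
    for (size_t x = 0; x < F.out.size(); ++x) X.out[x] = G.out[F.out[x]];
    return X;
}

int main() {
    // Constructed samples: the cubing map over GF(2^3) (modulus x^3 + x + 1),
    // its inverse, the identity on V_3 and the 2-variable XOR.
    VBFTable C{3, 3, {0, 1, 3, 4, 5, 6, 7, 2}};
    VBFTable Cinv{3, 3, {0, 1, 7, 2, 3, 4, 5, 6}};
    VBFTable id3{3, 3, {0, 1, 2, 3, 4, 5, 6, 7}};
    VBFTable H{2, 1, {0, 1, 1, 0}};
    std::printf("Cinv o C == identity: %d\n", (int)sameFunction(compose(Cinv, C), id3));
    VBFTable B = bricklayer(C, H);
    std::printf("C|H maps V_%d to V_%d; (C|H)(2,1) = %u\n", B.n, B.m, B.out[(2u << 2) | 1u]);
    return 0;
}
```

Composing the cubing map with its inverse gives the identity, the bricklayer of a $(3,3)$ and a $(2,1)$ function lives in $\mathcal{F}_{5,4}$, and `sum` refuses operands of different dimensions instead of indexing past the shorter table.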
6 EXAMPLES OF PROGRAM CODE
In this section, we present some examples of how the VBF class can be used. All of them are computed on a Core2 Duo 2.4GHz, 4GB RAM, 2x250GB Debian Linux platform in less than one second.
6.1 Analysis of a Vector Boolean Function from its Truth Table
The example program below obtains cryptographic information about a Vector Boolean Function from its Truth Table.
#include <iostream>
#include <fstream>
#include "VBF.h"
using namespace std;
int main(int argc, char *argv[])
{
    using namespace VBFNS;
    VBF F;
    NTL::mat_GF2 mat_F;
    NTL::mat_GF2 A, T;
    NTL::mat_ZZ W, LP, DP;
    NTL::mat_RR Ac;
    int t, d, k;
    if (argc < 3)
    {
        cerr << "Usage: " << argv[0] << " <truth table file> <output file>" << endl;
        return 1;
    }
    ifstream input(argv[1]);
    if(!input)
    {
        cerr << "Error opening the input file containing the TT "
             << argv[1] << endl;
        return 1;   // non-zero exit status reports the failure to the caller
    }
    input >> mat_F;
    F.puttt(mat_F);   // build F from its Truth Table
    input.close();
    ofstream output(argv[2]);
    if(!output)
    {
        cerr << "Error opening the output file " << argv[2] << endl;
        return 1;
    }
    output << "Argument Dimension = " << F.n() << endl;
    output << "Argument space has " << F.spacen() << " elements." << endl;
    output << "Image Dimension = " << F.m() << endl;
    output << "Image space has " << F.spacem() << " elements." << endl << endl;
    output << "1. Algebraic Normal Form Table:" << endl;
    A = ANF(F);
    output << A << endl;
    output << "2. Truth Table:" << endl;
    T = TT(F);
    output << T << endl;
    output << "3. Walsh Spectrum:" << endl;
    W = Walsh(F);
    output << W << endl;
    output << "4. Linear Profile:" << endl;
    LP = LAT(F);
    output << LP << endl;
    output << "5. Differential Profile:" << endl;
    DP = DAT(F);
    output << DP << endl;
    output << "6. Linearity/nonlinearity measures:" << endl;
    output << "Linear potential: " << lp(F) << endl;
    output << "Differential potential: " << dp(F) << endl;
    output << "Nonlinearity: " << nl(F) << endl;
    output << "Maximum Nonlinearity: " << nlmax(F) << endl;
    output << "Linearity distance: " << ld(F) << endl;
    output << "Maximum Linearity distance: " << ldmax(F) << endl;
    output << "7. Correlation immunity:" << endl;
    t = CI(F);
    if (F.getbal())   // a balanced (n,m,t)-CI function is (n,m,t)-resilient
    {
        output << "It is a (" << F.n() << "," << F.m()
               << "," << t << ")-resilient function" << endl;
    } else
    {
        output << "It is a (" << F.n() << "," << F.m()
               << "," << t << ")-CI function" << endl;
    }
    output << "8. Algebraic degree:" << endl;
    d = deg(F);
    output << "The degree of the function is " << d << endl;
    output << "9. Propagation criterion:" << endl;
    k = PC(F);
    output << "The function is PC of degree " << k << endl;
    output << "10. The polynomial representation is: " << endl;
    Pol(output,F);
    output << "11. Linear structures: " << endl;
    A = LS(F);
    output << A << endl;
    output << "12. Autocorrelation Spectrum: " << endl;
    Ac = AC(F);
    output << Ac << endl;
    output.close();
    return 0;
}
If we have the Truth Table of the S-box used in Rijndael, $S_{RD}$ (Daemen and Rijmen, 2002), as the input, the output of the program is below. We only include the first rows and columns of the represented matrices, and the first terms of the polynomials:
Argument Dimension = 8
Argument space has 256 elements.
Image Dimension = 8
Image space has 256 elements.
1. Algebraic Normal Form Table:
[[0 1 1 0 0 0 1 1]
[0 0 0 1 1 1 1 1]
2. Truth Table:
[[0 1 1 0 0 0 1 1]
[0 1 1 1 1 1 0 0]
3. Walsh Spectrum:
[[256 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
[0 24 0 24 28 12 4 -12 24 0 16 24 4 20 4 -12 16 -24 24
4. Linear Profile:
[[65536 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
[0 576 0 576 784 144 16 144 576 0 256 576 16 400 16 144
5. Differential Profile:
[[16777216 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
[0 131072 0 0 131072 0 131072 0 131072 131072 131072
6. Linearity/nonlinearity measures:
Linear potential: 0.015625
Differential potential: 0.015625
Nonlinearity: 112
Maximum Nonlinearity: 120
Linearity distance: 126
Maximum Linearity distance: 136
7. Correlation immunity:
It is a (8,8,0)-resilient function
8. Algebraic degree:
The degree of the function is 7
9. Propagation criterion:
The function is PC of degree 0
10. Polynom:
x6+x6x8+x6x7+x5x6x8+x5x6x7+x5x6x7x8+x4+x4x7x8+x4x6+
x4x6x7x8+1+x5+x5x7+x5x7x8+x5x6+x4x8+x4x7x8+x4x6x8+
x4x6x7x8+x4x5x7+1+x6x7x8+x5x8+x5x7x8+x5x6x7x8+x4+
x4x7x8+x4x6+x4x6x8+x4x6x7+x8+x7+x7x8+x6+x5+x5x6+
x5x6x8+x4x8+x4x7+x4x6x7+x4x5+x4x5x8+x8+x6x7+x5x8+
x5x7x8+x5x6+x5x6x8+x5x6x7+x5x6x7x8+x4+x4x7x8+x8+x7
+x6x8+x5x8+x5x7x8+x5x6+x5x6x8+x4x8+x4x7+x4x7x8+
x4x6x8+1+x8+x7x8+x6x8+x5+x5x8+x5x7+x5x7x8+x5x6+
x5x6x8+x5x6x7+x4x8+1+x8+x7x8+x6+x6x7+x5+x5x7+x5x6+
x5x6x7+x5x6x7x8+x4+x4x8+x4x7+
11. Linear structures:
[]
12. Autocorrelation Spectrum:
[[0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
[0 -0.0078125 0 0 -0.0078125 0 -0.0078125 0 -0.0078125
6.2 Direct Sum of Two Vector Boolean Functions
The example program below obtains the polynomial representation of the Vector Boolean Function resulting from the direct sum of two others, knowing their Truth Tables.
#include <iostream>
#include <fstream>
#include "VBF.h"
using namespace std;
int main(int argc, char *argv[])
{
    using namespace VBFNS;
    VBF F1, F2, F;
    NTL::mat_GF2 T1, T2;
    if (argc < 4)
    {
        cerr << "Usage: " << argv[0]
             << " <TT of 1st function> <TT of 2nd function> <output file>" << endl;
        return 1;
    }
    ifstream input1(argv[1]);
    if(!input1)
    {
        cerr << "Error opening the input file containing the TT of the 1st function: "
             << argv[1] << endl;
        return 1;
    }
    input1 >> T1;
    F1.puttt(T1);
    input1.close();
    ifstream input2(argv[2]);
    if(!input2)
    {
        cerr << "Error opening the input file containing the TT of the 2nd function: "
             << argv[2] << endl;
        return 1;
    }
    input2 >> T2;
    F2.puttt(T2);
    input2.close();
    ofstream output(argv[3]);
    if(!output)
    {
        cerr << "Error opening the output file " << argv[3] << endl;
        return 1;
    }
    directsum(F,F1,F2);   // F = F1 (+) F2, eq. (16)
    output << "The polynomial representation of the direct sum is:" << endl;
    Pol(output,F);
    output.close();
    return 0;
}
6.3 Polynomial Representation of Rijndael S-box
The example program below obtains the polynomial representation over $GF(2^8)$ given the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$ and the Truth Table of $S_{RD} \in \mathcal{F}_{8,8}$ by Lagrange interpolation.
#include <iostream>
#include <fstream>
#include "VBF.h"
using namespace std;
int main(int argc, char *argv[])
{
    using namespace VBFNS;
    VBF S0;
    NTL::mat_GF2 mat_S0;
    NTL::GF2X g;    // irreducible polynomial over GF(2) defining GF(2^8)
    NTL::GF2EX f;   // interpolated polynomial over GF(2^8)
    if (argc < 4)
    {
        cerr << "Usage: " << argv[0]
             << " <irreducible polynomial file> <TT file> <output file>" << endl;
        return 1;
    }
    ifstream input1(argv[1]);
    if(!input1)
    {
        cerr << "Error opening the file containing the irreducible polynomial "
             << argv[1] << endl;
        return 1;
    }
    input1 >> g;
    S0.putirrpol(g);
    input1.close();
    ifstream input2(argv[2]);
    if(!input2)
    {
        cerr << "Error opening the file containing the TT " << argv[2] << endl;
        return 1;
    }
    input2 >> mat_S0;
    S0.puttt(mat_S0);
    input2.close();
    ofstream output(argv[3]);
    if(!output)
    {
        cerr << "Error opening the output file " << argv[3] << endl;
        return 1;
    }
    output << "The polynomial representation is: " << endl;
    interpolate(f,S0);   // Lagrange interpolation over GF(2^8)
    print(output,f);
    output.close();
    return 0;
}
Taking as input the irreducible polynomial representation
1 1 0 1 1 0 0 0 1
and the $S_{RD}$ Truth Table, the output of the program is:
The polynomial representation is:
5x^254+9x^253+f9x^251+25x^247+f4x^239+1x^223+
b5x^191+8fx^127+63
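A check of the result above, as an added example that is not the VBF class's code: it evaluates the printed polynomial over $GF(2^8)$ with the same modulus $x^8 + x^4 + x^3 + x + 1$ (written out as shift-and-reduce multiplication, with no NTL) and compares it with $S_{RD}$ computed the way the Rijndael specification defines it, inversion in $GF(2^8)$ followed by the affine map. The function names and the `S_RD_POLY` table are this example's own; the coefficients in the table are copied from the program output.

```cpp
// Added example (not the VBF class's code): evaluate the polynomial the program
// above printed for S_RD over GF(2^8) and compare it with the S-box itself.
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B), the modulus given above.
uint8_t gfMul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        bool carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1B;   // reduce x^8 -> x^4 + x^3 + x + 1
        b >>= 1;
    }
    return r;
}

// a^e by square-and-multiply; a^0 = 1 so the constant term evaluates correctly at a = 0.
uint8_t gfPow(uint8_t a, unsigned e) {
    uint8_t r = 1;
    while (e) {
        if (e & 1) r = gfMul(r, a);
        a = gfMul(a, a);
        e >>= 1;
    }
    return r;
}

// The polynomial of Section 6.3 as (coefficient, exponent) pairs, coefficients in hex.
const std::vector<std::pair<uint8_t, unsigned> > S_RD_POLY = {
    {0x05, 254}, {0x09, 253}, {0xf9, 251}, {0x25, 247}, {0xf4, 239},
    {0x01, 223}, {0xb5, 191}, {0x8f, 127}, {0x63, 0}};

// Value of the interpolated polynomial at x.
uint8_t evalPoly(uint8_t x) {
    uint8_t acc = 0;
    for (size_t i = 0; i < S_RD_POLY.size(); ++i)
        acc ^= gfMul(S_RD_POLY[i].first, gfPow(x, S_RD_POLY[i].second));
    return acc;
}

// S_RD by definition: x -> x^{-1} in GF(2^8) (0 -> 0), then the affine map
// b -> b + rotl(b,1) + rotl(b,2) + rotl(b,3) + rotl(b,4) + 0x63.
uint8_t sboxReference(uint8_t x) {
    uint8_t inv = x ? gfPow(x, 254) : 0;   // x^254 = x^{-1} since x^255 = 1
    uint8_t r = inv;
    for (int k = 1; k <= 4; ++k) r ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
    return r ^ 0x63;
}

// True if the polynomial and the reference S-box agree on all 256 inputs.
bool polynomialMatchesSbox() {
    for (unsigned x = 0; x < 256; ++x)
        if (evalPoly((uint8_t)x) != sboxReference((uint8_t)x)) return false;
    return true;
}

int main() {
    std::printf("S(00)=%02x S(01)=%02x S(53)=%02x  polynomial matches S-box: %d\n",
                evalPoly(0x00), evalPoly(0x01), evalPoly(0x53), (int)polynomialMatchesSbox());
    return 0;
}
```

The exponents $255 - 2^k$ for $k = 0, \ldots, 7$ are exactly what composing $x^{-1} = x^{254}$ with the linear part of the affine map (a sum of $x^{2^k}$ terms) produces, which is why an 8-to-8 bit S-box that is affine over inversion interpolates to only nine terms; a check like this one is the quickest way to confirm that an interpolation routine and a Truth Table describe the same map.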
7 CONCLUSIONS
In this paper we have described a C++ class designed to analyse Vector Boolean Functions from a cryptographic perspective. It represents a very useful tool for analysing cryptographic primitives expressed as Vector Boolean Functions in a matter of seconds. This class supports as input a broad range of representations such as Truth Tables, ANF Tables, polynomials in ANF, permutation and linear matrices and DES-like S-boxes. It can obtain cryptographic structures such as the Walsh Spectrum, Differential Profile and Autocorrelation Spectrum, among others. Cryptographic criteria such as nonlinearity, linearity distance, correlation immunity, balancedness, algebraic degree and propagation criterion are easily calculated. The behaviour of the cryptographic properties of Vector Boolean Functions can also be studied when they interact, by means of the VBF class.
ACKNOWLEDGEMENTS
This work has been partially supported by project MTM2007-62064 of the Plan Nacional de I+D+i, MEyC, Spain, and by project 166/Q06 0930-099 of the Universidad Politécnica de Madrid (UPM), Spain.
REFERENCES
Adams, C. and Tavares, S. (1993). Designing s-boxes for ciphers resistant to differential cryptanalysis. In Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pages 181–190.
Bibliowicz, A., Cohen, P., and Biham, E. (2003). A system for assisting analysis of some block ciphers. Technical report, NESSIE.
Carlet, C. (2004). On the secondary constructions of resilient and bent functions. In Progress in Computer Science and Applied Logic, vol. 23, pages 3–28.
Carlet, C. (2008a). Boolean functions for Cryptography and Error Correcting Codes. Cambridge University Press.
Carlet, C. (2008b). Vectorial Boolean functions for Cryptography. Cambridge University Press.
Chabaud, F. and Vaudenay, S. (1994). Links between differential and linear cryptanalysis. In EUROCRYPT, pages 356–365.
Daemen, J. and Rijmen, V. (2002). The Design of Rijndael. Springer-Verlag, New York, Inc., Secaucus, NJ, USA.
Davio, M., Deschamps, J., and Thayse, A. (1978). Discrete and Switching Functions, volume 1 of Advanced Book Program. McGraw-Hill.
Gammel, B. M. (2006). http://www.matpack.de/. In Matpack C++ Numerics and Graphics Library.
McWilliams, F. and Sloane, N. (1977). The Theory of Error Correcting Codes, volume 1,2. New York, NY: North Holland.
NBS (1977). Data Encryption Standard. NBS, Washington, DC, USA.
Nyberg, K. (1992). On the construction of highly nonlinear permutations. In EUROCRYPT, pages 92–98.
Nyberg, K. (1994). S-boxes and round functions with controllable linearity and differential uniformity. In Fast Software Encryption, pages 111–130.
Pommerening, K. (2001). Analysis of boolean maps (s-boxes).
Rothaus, O. S. (1976). On "bent" functions. J. Comb. Theory, Ser. A, 20(3):300–305.
Shoup, V. (2009). http://www.shoup.net/ntl/. In NTL: A Library for doing Number Theory.