The Relationship Between Propagation Characteristics and Nonlinearity of Cryptographic Functions

The connections among the various nonlinearity criteria are currently an important topic in the area of designing and analyzing cryptographic functions. In this paper we show a quantitative relationship between propagation characteristics and nonlinearity, two critical indicators of the cryptographic strength of a Boolean function. We also present a tight lower bound on the nonlinearity of a cryptographic function that has propagation characteristics.


Introduction
Data Encryption Standard or DES is a cryptographic algorithm most widely used by industrial, financial and commercial sectors all over the world [NBS77]. DES is also the root of many other data encryption algorithms proposed in the past decade, including LOKI [BKPS93], FEAL [Miy91] and IDEA [LM91, LaSM91, Lai92]. Core components of these encryption algorithms are the so-called S-boxes or substitution boxes, each essentially a tuple of nonlinear Boolean functions. In most cases, these boxes are the only nonlinear component in an underlying encryption algorithm. The same can be said of one-way hashing algorithms, which are commonly employed in the process of signing and authenticating electronic messages [ZPS93, Riv92, NIST93]. These all indicate the vital importance of the design and analysis of nonlinear cryptographic Boolean functions.
Encryption and authentication require cryptographic Boolean functions with a number of critical properties that distinguish them from linear or affine functions. Among these properties are high nonlinearity, high degree of propagation, few linear structures, high algebraic degree, etc. These properties are often called nonlinearity criteria. An important topic is to investigate relationships among the various nonlinearity criteria. Progress in this direction has been made in [SZZ94d], where connections have been revealed among the strict avalanche characteristic, differential characteristics, linear structures and nonlinearity of quadratic functions.
In this paper we carry on the investigation initiated in [SZZ94d] and bring together nonlinearity and propagation characteristic of a function (quadratic or non-quadratic). These two cryptographic criteria are seemingly quite separate, in the sense that the former indicates the minimum distance between a Boolean function and all the affine functions whereas the latter forecasts the avalanche behavior of the function when some input bits to the function are complemented.
In particular we show that if f, a function on $V_n$, satisfies the propagation criterion with respect to all but a subset of $V_n$, then the nonlinearity of f satisfies N f 2 n,1 , 2 n, 1 2 ,1 , where is the maximum dimension a linear sub-space contained in f0g V n , can achieve.
We also show that $2^{n-2}$ is the tight lower bound on the nonlinearity of f if f satisfies the propagation criterion with respect to at least one vector in $V_n$. As an immediate consequence, the nonlinearity of a function that fulfills the SAC or strict avalanche criterion is at least $2^{n-2}$.
Two techniques are employed in the proofs of our main results. The first technique is in regard to the structure of , the set of vectors where the function f does not satisfy the propagation criterion. By considering a linear sub-space with the maximum dimension contained in f0g V n , , together with its complementary sub-space, we will be able to identify how the vectors in are distributed. The second technique is based on a novel idea of refining Parseval's equation, a well-known relationship in the theory of orthogonal transforms. A combination of these two techniques together with some careful analyses proves to be a powerful tool in examining the relationship among nonlinearity criteria.
The organization of the rest of the paper is as follows: Section 2 introduces basic notations and conventions, while Section 3 presents background information on the Walsh-Hadamard transform. The distribution of vectors where the propagation criterion is not satisfied is discussed in Section 4. This result is employed in Section 5 where a quantitative relationship between nonlinearity and propagation characteristics is derived. This relationship is further developed in Section 6 to identify a tight lower bound on nonlinearity of functions with propagation characteristics. The paper is closed by some concluding remarks in Section 7.

Basic Definitions
We consider Boolean functions from $V_n$ to $GF(2)$ (or simply functions on $V_n$), where $V_n$ is the vector space of n-tuples of elements from $GF(2)$. The truth table of a function f on $V_n$ is a $(0, 1)$-sequence defined by f 0 , f 1 , : : : , f 2 n ,1 , and the sequence of f is a $(1, -1)$-sequence defined by ,1 f 0 , ,1 f 1 , : : : , ,1 f 2 n ,1 , where 0 = 0 ; : : : ; 0; 0, 1 = 0 ; : : : ; 0; 1, : : : , 2 n,1 ,1 = 1; : : : ; 1; 1. The matrix of f is a $(1, -1)$-matrix of order $2^n$ defined by M = ,1 f i j . f is said to be balanced if its truth table contains an equal number of ones and zeros.
An affine function f on $V_n$ is a function that takes the form of fx 1 ; : : : ; x n = a 1 x 1 a n x n c, where $a_j, c \in GF(2)$, $j = 1, 2, \ldots, n$. Furthermore f is called a linear function if $c = 0$.
Definition 1. The Hamming weight of a $(0, 1)$-sequence s, denoted by $W(s)$, is the number of ones in the sequence. Given two functions f and g on $V_n$, the Hamming distance $d(f, g)$ between them is defined as the Hamming weight of the truth table of fx gx, where $x = (x_1, \ldots, x_n)$. The nonlinearity of f, denoted by $N_f$, is the minimal Hamming distance between f and all affine functions on $V_n$, i.e., $N_f = \min_{i = 1, 2, \ldots, 2^{n+1}} d(f, \varphi_i)$ where $\varphi_1, \varphi_2, \ldots, \varphi_{2^{n+1}}$ are all the affine functions on $V_n$. Note that the maximum nonlinearity of functions on $V_n$ coincides with the covering radius of the first order binary Reed-Muller code $RM(1, n)$ of length $2^n$, which is bounded from above by $2^{n-1} - 2^{\frac{1}{2}n - 1}$ (see for instance [CKHFMS85]).
Hence $N_f \le 2^{n-1} - 2^{\frac{1}{2}n - 1}$ for any function on $V_n$. Next we introduce the definition of propagation criterion.
Definition 2. Let f be a function on $V_n$. We say that f satisfies
1. the propagation criterion with respect to if fx fx is a balanced function, where $x = (x_1, \ldots, x_n)$ and is a vector in $V_n$.
2. the propagation criterion of degree k if it satisfies the propagation criterion with respect to all 2 V n with 1 W k.
fxfx is also called the directional derivative of f in the direction . The above definition for propagation criterion is from [PLL+91]. Further work on the topic can be found in [PGV91]. Note that the strict avalanche criterion (SAC) introduced by Webster and Tavares [Web85, WT86] is equivalent to the propagation criterion of degree 1 and that the perfect nonlinearity studied by Meier and Staffelbach [MS90] is equivalent to the propagation criterion of degree n where n is the number of the coordinates of the function.
While the propagation characteristic measures the avalanche effect of a function, the linear structure is a concept that in a sense complements the former, namely, it indicates the straightness of a function.
Definition 3. Let f be a function on $V_n$. A vector 2 V n is called a linear structure of f if fx fx is a constant. By definition, the zero vector in $V_n$ is a linear structure of all functions on $V_n$. It is not hard to see that the linear structures of a function f form a linear sub-space of $V_n$. The dimension of the sub-space is called the linearity dimension of f. We note that it was Evertse who first introduced the notion of linear structure in a sense broader than ours and studied its implication on the security of encryption algorithms [Eve88].
A $(1, -1)$-matrix H of order m is called a Hadamard matrix if $HH^t = mI_m$, where $H^t$ is the transpose of H and $I_m$ is the identity matrix of order m. A Sylvester-Hadamard matrix of order $2^n$, denoted by $H_n$, is generated by the following recursive relation ; n = 1 ; 2; : : : : 1 Let $\ell_i$, $0 \le i \le 2^n - 1$, be the ith row of $H_n$. By Lemma 2 of [SZZ94a], $\ell_i$ is the sequence of a linear function $\varphi_i(x)$ defined by the scalar product ' i x = h i ; x i, where i is the ith vector in $V_n$ according to the ascending order.
Definition 4. Let f be a function on $V_n$. The Walsh-Hadamard transform of f is defined as ,1 fxh ;xi where = a 1 ; : : : ; a n 2 V n , x = x 1 ; : : : ; x n , h ; xi is the scalar product of and x, namely, h ; xi = L n i=1 a i x i , and fxh ; xi is regarded as a real-valued function.
The Walsh-Hadamard transform, also called the discrete Fourier transform, has numerous applications in areas ranging from physical science to communications engineering. It appears in several slightly different forms [Rot76, MS77, Dil72]. The above definition follows the line in [Rot76]. It can be equivalently written as f 0 ; f 1 ; : : : ; f 2 n ,1 = 2 , n 2 H n where i is the ith vector in $V_n$ according to the ascending order, is the sequence of f and $H_n$ is the Sylvester-Hadamard matrix of order $2^n$.
Definition 5. A function f on $V_n$ is called a bent function if its Walsh-Hadamard transform satisfies f = 1 for all 2 V n .
Bent functions can be characterized in various ways [AT90, Dil72, SZZ94a, YH89]. In particular the following four statements are equivalent:
(i) f is bent.
(ii) h;`i = 2 1 2 n for any affine sequence $\ell$ of length $2^n$, where is the sequence of f.
(iii) f satisfies the propagation criterion with respect to all non-zero vectors in $V_n$.
(iv) M, the matrix of f, is a Hadamard matrix.
Bent functions on $V_n$ exist only when n is even [Rot76]. Another important property of bent functions is that they achieve the highest possible nonlinearity $2^{n-1} - 2^{\frac{1}{2}n - 1}$.

More on Walsh-Hadamard transform and Nonlinearity
As the Walsh-Hadamard transform plays a key role in the proofs of main results to be described in the following sections, this section provides some background knowledge on the transform. More information regarding the transform can be found in [MS77, Dil72]. In addition, Beauchamp's book [Bea84] is a good source of information on other related orthogonal transforms with their applications.
Given two sequences $a = (a_1, \ldots, a_m)$ and $b = (b_1, \ldots, b_m)$, their componentwise product is defined by a b = a 1 b 1 ; : : : ; a m b m . Let f be a function on $V_n$. For a vector 2 V n , denote by the sequence of fx . Thus 0 is the sequence of f itself and 0 is the sequence of fx fx . Set = h0; i; the scalar product of 0 and . is also called the auto-correlation of f with a shift . Obviously, = 0 if and only if fx fx is balanced, i.e., f satisfies the propagation criterion with respect to . On the other hand, if j j = 2 n , then fxfx is a constant and hence is a linear structure of f.
Let M = ,1 f i j be the matrix of f and be the sequence of f. Due to a very pretty result by R. L. McFarland (cf. Theorem 3.3 of [Dil72]), M can be decomposed into M = 2 ,n H n diagh;`0i; ; h;`2n ,1 iH n 2 where $\ell_i$ is the ith row of $H_n$, a Sylvester-Hadamard matrix of order $2^n$.
Let S be a set of vectors in $V_n$. The rank of S is the maximum number of linearly independent vectors in S. Note that when S forms a linear sub-space of $V_n$, its rank coincides with its dimension.
The distance between two functions $f_1$ and $f_2$ on $V_n$ can be expressed as df 1 ; f 2 = 2 n,1 , 1 2 h 1 ; 2 i, where 1 and 2 are the sequences of $f_1$ and $f_2$ respectively. For a proof see for instance Lemma 6 of [SZZ94a]. Immediately we have:
Lemma 6. The nonlinearity of a function f on $V_n$ can be calculated by where is the sequence of f and $\ell_0, \ldots, \ell_{2^n - 1}$ are the rows of $H_n$, namely, the sequences of the linear functions on $V_n$.
The next lemma regarding splitting the power of 2 can be found in [SZZ94d].
Lemma 7. Let n 2 be a positive integer and $p^2 + q^2 = 2^n$ where both p 0 and q 0 are integers. Then $p = 2^{\frac{1}{2}n}$ and $q = 0$ when n is even, and $p = q = 2^{\frac{1}{2}(n-1)}$ when n is odd.
In the next section we examine the distribution of the vectors in .

Distribution of
Let f be a function on $V_n$. Assume that f satisfies the propagation criterion with respect to all but a subset of $V_n$. Note that always contains the zero vector 0. Write = f0; 1 ; : : : ; s g. Thus j j = s + 1. Set c = V n , . Then f satisfies the propagation criterion with respect to all vectors in c .
Consider the set of vectors f0g c . Then $\{0\}$ is a linear sub-space contained in f0g c . When jf0g c j 1, f0; g is a linear sub-space for any nonzero vector in c . We are particularly interested in linear sub-spaces with the maximum dimension contained in f0g c . For convenience, denote by the maximum dimension and by W a linear sub-space in f0g c that achieves the maximum dimension.
Obviously, f is bent if and only if = n, and f does not satisfy the propagation criterion with respect to any vector if and only if = 0. The case when 1 n , 1 is especially interesting. Now let U be a complementary sub-space of W, namely U W = V n . Then each vector 2 V n can be uniquely expressed as = , where 2 W and 2 U. As the dimension of W is , the dimension of U is equal to n , . Write U = f0; 1 ; : : : ; 2 n, ,1 g.
Proposition 8. W = f0g and W j 6 = , where W j = f j j 2 Wg, j = 1 ; : : : ; 2 n, , 1.
Proof. W = f0g follows from the fact that W is a sub-space of f0g c .
Next we consider W j .
Clearly, V n = W W 1 W 2 n, ,1 : In addition, W W j = for j = 1 ; : : : ; 2 n, , 1, and W j W i = for any $j \ne i$. Assume for contradiction that W j0 = for some j 0 , 1 j 0 2 n, , 1. Then we have W j0 c . In this case W W j0 must form a sub-space of $V_n$. This contradicts the definition that W is a linear sub-space with the maximum dimension in f0g c . This completes the proof. □
The next corollary follows directly from the above proposition.
Corollary 9. The size of satisfies j j 2 n, and hence the rank of is at least n , , where is the maximum dimension a linear sub-space in f0g c can achieve.

Relating Nonlinearity to Propagation Characteristics
We proceed to the discussion of the nonlinearity of f. The main difficulty lies in finding a good approximation of h;`ii for each $i = 0, \ldots, 2^n - 1$, where is the sequence of f and i is a row of $H_n$. First we assume that W = f j = a 1 ; : : : ; a ; 0; : : : ; 0; a i 2 GF2g 5 U = f j = 0 ; : : : ; 0; a +1 ; : : : ; a n ; a i 2 GF2g 6 where W is a linear sub-space in f0g c that achieves the maximum dimension and U is a complementary sub-space of W. The more general case where (5) or (6) is not satisfied can be dealt with after employing a nonsingular transform on the input of f. This will be discussed in the later part of this section.
Recall that = f0; 1 ; : : : ; s g and = h0; i, where is the sequence of fx . Since 6 = 0 for each 2 while = 0 for each 2 c = V n , , (4) is specialized as 0; 1 ; : : : ; s Q = h;`0i 2 ; : : : ; h;`2n ,1 i 2 : 7 where is the sequence of f, $\ell_i$ is the ith row of $H_n$ and Q comprises the 0th, 1 th, : : : , s th rows of $H_n$. Note that Q is an $(s + 1) \times 2^n$ matrix.
Let `be the th row of H n , where 2 . Note that can be uniquely expressed as = , where 2 W and 2 U. Let `0 be the th row of H and `00 be the th row of H n, . As H n = H H n, , `can be represented by `= `0 `00 , where denotes the Kronecker product.
From the construction of H n, , we can see that the th row of H n, is an all-one sequence of length 2 n, if = 0, and a balanced $(1, -1)$-sequence of length 2 n, if 6 = 0 .
Recall that W = f0g (see also Proposition 8). There are two cases associated with = 2 : = 0 and 6 = 0. In the first case, `= `0 `00 is the all-one sequence of length 2 n , while in the second case, we have 6 = 0 which implies that `00 is a balanced $(1, -1)$-sequence of length 2 n, and hence `= `0 `00 is a concatenation of 2 balanced $(1, -1)$-sequences of length 2 n, .
So far we have assumed that W and U satisfy (5) and (6) respectively. When this is not the case, we can always find a nonsingular $n \times n$ matrix A whose entries are from $GF(2)$ such that the sub-spaces $W'$ and $U'$ associated with $f'(x) = f(xA)$ have the required forms. $f'$ and f have the same algebraic degree and nonlinearity (see Lemma 10 of [SZZ94b]). This shows that the following theorem is true.
Theorem 11. For any function on $V_n$, the nonlinearity of f satisfies N f 2 n,1 , 2 n, 1 2 ,1 , where is the maximum dimension of the linear sub-spaces in f0g c .
Note that according to [CKHFMS85], the maximum nonlinearity a function on $V_5$ can achieve is 12. Hence we have $N_{f_5} = 12$.

A Tight Lower Bound on Nonlinearity of Functions with Propagation Characteristics
By Theorem 11, $N_f \ge 2^{n-1} - 2^{n - \frac{3}{2}}$ if f, a function on $V_n$, satisfies the propagation criterion with respect to at least one vector in $V_n$. This section shows that this lower bound can be significantly improved. Indeed we prove that $N_f \ge 2^{n-2}$ and also show that it is tight.
Theorem 12. If f, a function on $V_n$, satisfies the propagation criterion with respect to one or more vectors in $V_n$, then the nonlinearity of f satisfies $N_f \ge 2^{n-2}$.
Proof. As in the previous sections, we denote by the set of vectors in $V_n$ with respect to which the propagation criterion is not satisfied by f. We also let c = V n , , and W be a linear sub-space in f0g c that achieves the maximum dimension .
By Theorem 11, the theorem is trivially true when 1. Next we consider the case when = 1 . We prove this part by further refining the Parseval's equation.
Comparing the first row of (2), we have a 0 ; a 1 ; : : : ; a 2 n ,1 = 2 ,n h;`0i; ; h;`2n ,1 iH n or equivalently, 2 n a 0 ; a 1 ; : : : ; a 2 n ,1 = h;`0i; ; h;`2n ,1 iH n 11 where each a j = 1 and $(a_0, a_1, \ldots, a_{2^n - 1})$ is the first row of the matrix M described in (2). Rewrite $\ell_i$, the ith row of $H_n$, as ` i , where i is the binary representation of an integer i in the ascending alphabetical order. Set N = h;` i j i; 0 i; j 2 n , 1: N is a symmetric matrix of order $2^n$ with integer entries. In [Rot76], Rothaus has shown that $NN = NN^T = 2^{2n} I_{2^n}$. We can split N into four sub-matrices of equal size, namely where each $N_j$ is a matrix of order $2^{n-1}$. As $NN = 2^{2n} I_{2^n}$, we have N 1 N 2 = 0 . Let $c_0, c_1, \ldots, c_{2^{n-1} - 1}$ be an arbitrary linear sequence of length $2^{n-1}$. Then $c_0, c_1, \ldots, c_{2^{n-1} - 1}, c_0, c_1, \ldots, c_{2^{n-1} - 1}$ is a linear sequence of length $2^n$, and hence a row of $H_n$. Thus from (11), we have c j h;` j ic j t h;` j t 2 n,1 i: 13 As $c_0, c_1, \ldots, c_{2^{n-1} - 1}$ is a linear sequence, c j c j t = c t .
Thus we have a result described as follows:
Lemma 14. The lower bound $2^{n-2}$ as stated in Theorem 12 is tight.
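The bound of Theorem 12 and its tightness can be checked by brute force for small n. The Python below is an added example, not code from the paper: the function names and the three sample functions are chosen here, vectors of V_n are encoded as integers in ascending order, and the nonlinearity is obtained from the distance formula of the Walsh-Hadamard section using a fast butterfly over the rows of H_n.

```python
from itertools import product

def truth_table(f, n):
    """f(alpha_0), ..., f(alpha_{2^n-1}); alpha_i is the n-bit form of i, x_1 most significant."""
    return [f(*[(i >> (n - 1 - k)) & 1 for k in range(n)]) & 1 for i in range(2 ** n)]

def sequence(tt):
    """(1,-1)-sequence of f: entry i is (-1)^f(alpha_i)."""
    return [1 - 2 * b for b in tt]

def walsh_spectrum(seq):
    """Scalar products of seq with every row of the Sylvester-Hadamard matrix H_n."""
    w, h = list(seq), 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """Minimum distance to the affine functions: 2^(n-1) - max_i |<xi, l_i>| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(sequence(tt))) // 2

def autocorrelation(tt, a):
    """<xi(0), xi(a)>; it is 0 exactly when f(x) xor f(x xor a) is balanced."""
    s = sequence(tt)
    return sum(s[x] * s[x ^ a] for x in range(len(s)))

def pc_vectors(tt):
    """Nonzero vectors (as integers) where f satisfies the propagation criterion."""
    return [a for a in range(1, len(tt)) if autocorrelation(tt, a) == 0]

def satisfies_sac(tt, n):
    """SAC = propagation criterion with respect to every vector of Hamming weight 1."""
    return all(autocorrelation(tt, 1 << k) == 0 for k in range(n))

def min_nonlinearity_with_pc(n):
    """Exhaustive search over all functions on V_n having at least one PC vector."""
    return min(nonlinearity(tt) for tt in product((0, 1), repeat=2 ** n) if pc_vectors(tt))

# Constructed sample functions (not taken from the paper).
TIGHT = truth_table(lambda x1, x2, x3: x1 & x2, 3)  # meets the bound 2^(n-2)
MAJ = truth_table(lambda x1, x2, x3: (x1 & x2) ^ (x2 & x3) ^ (x1 & x3), 3)  # SAC
BENT = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4), 4)  # bent on V_4

if __name__ == "__main__":
    for name, tt, n in (("x1x2", TIGHT, 3), ("maj", MAJ, 3), ("bent", BENT, 4)):
        print(name, "N_f =", nonlinearity(tt), "bound =", 2 ** (n - 2),
              "PC vectors =", pc_vectors(tt), "SAC =", satisfies_sac(tt, n))
    print("min N_f on V_3 with a PC vector:", min_nonlinearity_with_pc(3))
```

The same functions can be applied to each output bit of an S-box to screen candidate designs against the nonlinearity and propagation criteria discussed in the paper.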

Conclusion
We have shown quantitative relationships between nonlinearity, propagation characteristics and the SAC. A tight lower bound on the nonlinearity of a function with propagation characteristics is also presented. This research has also introduced a number of interesting problems yet to be resolved. One of the problems is regarding the size and distribution of c , the set of vectors where the propagation criterion is satisfied by a function on $V_n$. For all the functions we know of, c is either an empty set or a set with at least $2^{n-1}$ vectors. We believe that any further understanding of this problem will contribute to the research into the design and analysis of cryptographically strong nonlinear functions.