Smart Hill Climbing Finds Better Boolean Functions
Authors
Abstract
Block and stream ciphers are made from Boolean functions that usually require a compromise between several conflicting cryptographic criteria. Although some constructions exist to generate Boolean functions satisfying one or more criteria, such as balance and high nonlinearity, there are often drawbacks to them such as low nonlinear order. In this paper we present a new algorithm for simple modification of a Boolean function truth table to improve both nonlinearity and balance. We also show how to modify a balanced function in two truth table positions so that the nonlinearity is increased and the balance is maintained. When the algorithm fails to find an improvement, one does not exist, and we have then identified a locally maximum function. We present results comparing the probability distributions of random functions with that of locally maximum functions found by our algorithms, and also comment on how the number of steps required to find a local maximum is affected by increasing the number of variables.
1 About Boolean Functions
Let $f(x)$ denote the binary truth table ($f(x) \in \{0, 1\}$) and $\hat{f}(x)$ the corresponding polarity truth table, $\hat{f}(x) \in \{1, -1\}$. We have $\hat{f}(x) = (-1)^{f(x)} = 1 - 2f(x)$. The Hamming weight of a Boolean function is the number of ones in the binary truth table, or equivalently the number of $-1$s in the polarity truth table. A balanced function has the same number of zeroes and ones in the truth table. Balance is a primary cryptographic criterion: an imbalanced function has suboptimum unconditional entropy (i.e. it is correlated to a constant function). We define the imbalance of a Boolean function as $I_f = \sum_x \hat{f}(x)$. The correlation between a function and the constant zero function is simply $I_f / 2^n$, which is a value between $-1$ and $1$. A function with zero imbalance is balanced and has no correlation to the constant functions.
Every function has a unique representation in the Algebraic Normal Form (ANF) as the binary coefficient vector of a fixed (positive) polarity Reed-Muller expansion (for example, see [?]). The ANF describes a two level circuit: an XOR sum of AND products. The nonlinear order or just order of a Boolean function is the size of the largest product term in the ANF. Order zero functions are constant, affine functions have order 1, and linear functions are those affine functions with a zero constant term in their ANF. The exclusive-or operation is linear; a linear function is an XOR sum of variables. We may specify a linear function by an $n$-bit vector $\omega$ that selects the variables in this sum: $L_\omega(x) = \omega_1 x_1 \oplus \cdots \oplus \omega_n x_n$.
The Hamming distance to linear functions is an important cryptographic property, since ciphers that employ nearly linear functions can be broken easily by a variety of methods (for example see [?, ?]). In particular, both differential and linear cryptanalysis techniques [?, ?] are resisted by highly nonlinear functions. Thus the minimum distance to any affine function is an important indicator of the cryptographic strength of a Boolean function. The nonlinearity of a Boolean function is this minimum distance, or the distance to the set of affine functions. We note that complementing the output will not change the nonlinearity of any Boolean function, so we need to consider the magnitude of the correlation to all linear functions, of which there are $2^n$.
The Hamming distance between a pair of functions can be determined by evaluating both functions for all inputs and counting the disagreements. This process has complexity $O(2^n)$. It follows that determining the nonlinearity in this naive fashion will require $O(2^{2n})$ function evaluations, which is infeasible even for small $n$. However, a tool exists that enables the calculation of all linear correlation coefficients in $O(n 2^n)$ operations.
This is the fast Walsh-Hadamard Transform, and its uses in cryptography and elsewhere are well known [?, ?]. Let $\hat{F}(\omega)$ denote the Walsh-Hadamard Transform (WHT) of a Boolean function. Its calculation is defined as $\hat{F}(\omega) = \sum_x \hat{f}(x) \hat{L}_\omega(x)$. It is clear from this definition that the value of $\hat{F}(\omega)$ is closely related to the Hamming distance between $f(x)$ and the linear function $L_\omega(x)$. In fact the correlation to the linear function is given by $c(f, L_\omega) = \hat{F}(\omega) / 2^n$. The nonlinearity $N_f$ of $f(x)$ is related to the maximum magnitude of WHT values, $WH_{max}$, by $N_f = \frac{1}{2}(2^n - WH_{max})$. Clearly in order to increase the nonlinearity, we must decrease $WH_{max}$. A function is uncorrelated with linear function $L_\omega(x)$ when $\hat{F}(\omega) = 0$. We would like to find a Boolean function that has all WHT values equal to zero, since such a function has no correlation to any affine function. However, it is known [?] that such functions do not exist. A well known theorem, widely attributed to Parseval [?], states that the sum of the squares of the WHT values is the same constant for every Boolean function: $\sum_\omega \hat{F}^2(\omega) = 2^{2n}$. Thus a tradeoff exists in minimising affine correlation. When we alter a function so that its correlation to some affine function is reduced, the correlation to some other affine function is increased.
It is known that the Bent functions [?] satisfy the property that $|\hat{F}(\omega)| = 2^{n/2}$ for all $\omega$. Bent functions exist only for even $n$, and they attain the maximum possible nonlinearity of $N_{bent} = 2^{n-1} - 2^{n/2 - 1}$. It is an open problem to determine an expression for the maximum nonlinearity of functions with an odd number of inputs. It is known that, for $n$ odd, it is possible to construct a function with nonlinearity $2^{n-1} - 2^{(n-1)/2}$ by concatenating Bent functions. It is known that for $n = 3, 5, 7$ this is in fact the upper bound of nonlinearity. The only value of $n$ for which it is known that this value is not the upper bound is $n = 15$ [?, ?].
We note that determining the covering radius of a Reed-Muller code is the same problem as finding an upper bound on low order approximation. It is a well known open problem to find the covering radius of Reed-Muller codes, so it is not known to what extent functions may resist low order approximations. There seem to be no formal tools for low order nonlinear approximation, so we leave this difficult area, and instead concentrate on improving the nonlinearity of Boolean functions in a systematic way.
In this paper, we present algorithms that provide a list of truth table positions that, if complemented, will result in a Boolean function with higher nonlinearity. The approach is based on the observation that small changes to a truth table result in small magnitude changes to the WHT values. In particular, a single truth table complementation will cause every $\hat{F}(\omega)$ to alter by $\pm 2$. Two truth table changes will cause $\Delta\hat{F}(\omega) \in \{-4, 0, 4\}$. We use these facts in the next section to prove conditions required for small changes to increase nonlinearity. When two changes are made, the Hamming weight can be maintained while nonlinearity is increased. These techniques provide a fast way of hill-climbing the Boolean function terrain to locate highly nonlinear Boolean functions that would be difficult to obtain by a purely random search or exhaustive hill climbing.
2 Improving Nonlinearity
Consider altering a function $f(x)$ by complementing the output for a single input $x_1$, with the nonlinearity increasing. We define the 1-Improvement Set of $f(x)$, $1\text{-}IS_f$, as the set of all inputs such that complementing the corresponding output of any one of them will increase the nonlinearity of the function.
Definition 1. Let $g(x) = f(x) \oplus 1$ for $x = x_1$ and $g(x) = f(x)$ for all other $x$. If $N_g > N_f$ then $x_1 \in 1\text{-}IS_f$.
If $1\text{-}IS_f$ is empty, the function is a 1-local maximum for nonlinearity. Of course all Bent functions are global maxima, so their 1-Improvement Sets are empty.
There also exist sub-optimum local maxima that will be found by hill climbing algorithms. It is computationally intensive to exhaustively alter truth table positions, find new WHTs and so determine the set $1\text{-}IS_f$, so we seek a fast, systematic way to determine the 1-Improvement Set of a given Boolean function from its truth table and Walsh-Hadamard transform. In this section we present easily checked conditions for an input $x$ to be in the 1-Improvement Set.
Definition 2. Let $f(x)$ be a Boolean function with Walsh-Hadamard Transform $\hat{F}(\omega)$. Let $WH_{max}$ denote the maximum absolute value of $\hat{F}(\omega)$. There will exist one or more linear functions $L_\omega(x)$ that have minimum distance to $f(x)$, and $|\hat{F}(\omega)| = WH_{max}$ for these $\omega$. Let us define the following sets: $W_1 = \{\omega : \hat{F}(\omega) = WH_{max}\}$ and $W_1^{-} = \{\omega : \hat{F}(\omega) = -WH_{max}\}$. We also need to define sets of $\omega$ for which the WHT magnitude is close to the maximum: $W_2 = \{\omega : \hat{F}(\omega) = WH_{max} - 2\}$, $W_2^{-} = \{\omega : \hat{F}(\omega) = -(WH_{max} - 2)\}$, $W_3 = \{\omega : \hat{F}(\omega) = WH_{max} - 4\}$, and $W_3^{-} = \{\omega : \hat{F}(\omega) = -(WH_{max} - 4)\}$.
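
The definitions above can be exercised directly. The following Python sketch is an added example, not code from the paper: it computes the fast WHT, the nonlinearity $N_f$, and the 1-Improvement Set both by applying Definition 1 exhaustively and by a single-WHT test derived here from the $\pm 2$ observation. The function names and the sample truth tables are assumptions of this example, and the fast test is not claimed to be the paper's stated conditions.

```python
# Added example (not from the paper): WHT, nonlinearity and the 1-Improvement Set.

def wht(tt):
    """Fast Walsh-Hadamard transform of a binary truth table, O(n 2^n)."""
    F = [1 - 2 * b for b in tt]            # polarity form: 0 -> +1, 1 -> -1
    h = 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def nonlinearity(tt):
    """N_f = (2^n - WHmax) / 2."""
    return (len(tt) - max(abs(v) for v in wht(tt))) // 2

def linear(w, x):
    """L_w(x): XOR of the variables of x selected by the bits of w."""
    return bin(w & x).count("1") & 1

def one_is_exhaustive(tt):
    """Definition 1 applied literally: flip each position and recompute the WHT."""
    base = nonlinearity(tt)
    return {x for x in range(len(tt))
            if nonlinearity(tt[:x] + [tt[x] ^ 1] + tt[x + 1:]) > base}

def one_is_fast(tt):
    """Same set from one WHT. Flipping f(x) changes F(w) by -2 when
    f(x) == L_w(x) and by +2 otherwise, so only w with |F(w)| >= WHmax - 2
    can reach or stay at WHmax (derived here, an assumption of this example)."""
    F = wht(tt)
    whmax = max(abs(v) for v in F)
    near = [w for w, v in enumerate(F) if abs(v) >= whmax - 2]
    return {x for x in range(len(tt))
            if all(abs(F[w] - (2 if tt[x] == linear(w, x) else -2)) < whmax
                   for w in near)}

# Constructed sample input: the bent function x1x2 XOR x3x4 on n = 4 variables,
# and the same table with position 0 complemented.
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]
NEAR_BENT4 = [BENT4[0] ^ 1] + BENT4[1:]

if __name__ == "__main__":
    for name, tt in (("bent", BENT4), ("near-bent", NEAR_BENT4)):
        print(name, nonlinearity(tt), sorted(one_is_fast(tt)),
              one_is_fast(tt) == one_is_exhaustive(tt))
```

The bent table has an empty 1-Improvement Set, while the table one complementation away from it has exactly one improving position, the one that restores the bent function.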
Similar resources
Boolean Function Design Using Hill Climbing Methods
This paper outlines a general approach to the iterative incremental improvement of the cryptographic properties of arbitrary Boolean functions. These methods, which are known as hill climbing, offer a fast way to obtain Boolean functions that have properties superior to those of randomly generated functions. They provide a means to improve the attainable compromise between conflicting cryptogra...
Boolean Functions: Cryptography and Applications
With cryptographic investigations, the design of Boolean functions is a wide area. Boolean functions play an important role in the construction of a symmetric cryptosystem. In this paper the modified hill climbing method is considered. The method allows using hill climbing techniques to modify bent functions used to design balanced, highly nonlinear Boolean functions with high algebraic degree...
Heuristic Design of Cryptographically Strong Balanced Boolean Functions
1 Introduction It is well known that the resistance of a product cipher to modern cryptanalytic attacks such as linear and differential cryptanalysis [10,1] depends critically upon the nonlinearity of the Boolean functions comprising the round function. Typically these functions must be balanced, so there is considerable interest in the design of highly nonlinear balanced Boolean fun...
Two-Stage Optimisation in the Design of Boolean Functions
This paper shows how suitable choice of cost function can significantly affect the power of optimisation methods for the synthesising of Boolean functions. In particular we show how simulated annealing, coupled with a new cost function motivated by Parseval’s Theorem, can be used to drive the search into areas of design from which traditional techniques, such as hill-climbing, can find then fin...
Non-exhaustive search methods and their use in the minimization of Reed-Muller canonical expansions
A number of non-exhaustive search algorithms are presented. The methods are a 'classical' genetic algorithm, a tabu search, an evolutionary strategy and stochastically repeated nearest and steepest-ascent hill-climbing algorithms. They are then used to determine optimum and good polarities for Reed-Muller canonical expansions of Boolean functions, and comparisons are drawn between the relative ...
Improved Cost Function in the Design of Boolean Functions Satisfying Multiple Criteria
We develop an improved cost function to be used in simulated annealing followed by hill-climbing to find Boolean functions satisfying multiple desirable criteria such as high nonlinearity, low autocorrelation, balancedness, and high algebraic degree. Using this cost function that does not necessitate experimental search for parameter tuning, the annealing-based algorithm reaches the desired fun...