GAC - the Criterion for Global Avalance Characteristics of Cryptographic Functions

We show that some widely accepted criteria for cryptographic functions, including the strict avalanche criterion (SAC) and the propagation criterion, have various limitations in capturing properties of vital importance to cryptographic algorithms, and propose a new criterion called GAC to measure the global avalanche characteristics of cryptographic functions. We also introduce two indicators related to the new criterion, one forecasts the sum-of-squares while the other the absolute avalanche characteristics of a function. Lower and upper bounds on the two indicators are derived, and two methods are presented to construct cryptographic functions that achieve nearly optimal global avalanche characteristics. 1 Why the GAC In 1985, Webster and Tavares introduced the concept of the strict avalanche criterion (SAC) when searching for principles for designing DES-like data encryption algorithms 23, 24]. A function is said to satisfy the SAC if complementing a single bit results in the output of the function being complemented with a probability of a half. More formally, let V n denote the vector space of n tuples of elements from GF(2), a function f on V n , a mapping from V n into GF(2), is said to satisfy the SAC if for any n-bit vector with W() = 1, where W () denotes the Hamming weight, f(x) f(x) assumes the values zero and one an equal number of times, namely f(x) f(x) is a balanced function on V n , where denotes the addition in GF(2). The SAC was generalized in one direction by Forr e in 7]. Forr e deenes that a function f satisses the SAC of order k if a partial function obtained by keeping any k input bits to f constant still satisses the SAC. Enumerating functions satisfying the higher order SAC is an interesting combinatorial problem and various results on this topic have been obtained over the past years (see for instance 9, 10, 12]). In another direction, the SAC has been generalized by Adams and Tavares 1] and independently by Preneel et al 16] to what is now called the propagation criterion. A function f on V n is said to satisfy the propagation criterion with respect to a vector 2 V n if f(x) f(x) is balanced, and to satisfy the propagation criterion of degree k if it satisses the propagation criterion with respect to all nonzero vectors whose Hamming weight is at most k. In informal terms, f satisses the …