• Aucun résultat trouvé

Boolean bent functions in impossible cases: odd and plane dimensions

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Boolean bent functions in impossible cases: odd and plane dimensions"

Copied!
90
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Boolean bent functions in impossible cases:

odd and plane dimensions

Laurent Poinsot

Universit ´e du Sud Toulon-Var

SAR/SSI 2006

(2)

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(3)

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(4)

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(5)

Some notations

Let GF (2) = {0, 1} be the finite field with two elements. We denote by V m any m-dimensional vector space over GF(2).

V m will be interpreted as GF (2) m , the vector space of m-tuples,

or as GF (2 m ) the finite field with 2 m elements.

(6)

Some notations

Let GF (2) = {0, 1} be the finite field with two elements. We denote by V m any m-dimensional vector space over GF(2).

V m will be interpreted as GF (2) m , the vector space of m-tuples,

or as GF (2 m ) the finite field with 2 m elements.

(7)

Let G be a finite Abelian group. For instance G = V m , G = Z m = {0, 1, . . . , m − 1} or G = GF (2 m ) .

Definition

A Boolean function is a (mathematical) mapping f from G to V n .

A Boolean function f : G → V n is called bent if its Fourier

spectrum contains all the possible frequencies.

(8)

Let G be a finite Abelian group. For instance G = V m , G = Z m = {0, 1, . . . , m − 1} or G = GF (2 m ) .

Definition

A Boolean function is a (mathematical) mapping f from G to V n .

A Boolean function f : G → V n is called bent if its Fourier

spectrum contains all the possible frequencies.

(9)

Let G be a finite Abelian group. For instance G = V m , G = Z m = {0, 1, . . . , m − 1} or G = GF (2 m ) .

Definition

A Boolean function is a (mathematical) mapping f from G to V n .

A Boolean function f : G → V n is called bent if its Fourier

spectrum contains all the possible frequencies.

(10)

Alternative definition : perfect nonlinearity

Definition

A function f : G → V n is called perfect nonlinear if for each nonzero α in G and for each β ∈ V n ,

|{x ∈ G|f (α + x) ⊕ f (x ) = β}| = |G|

2 n .

Theorem (Dillon 1976, Rothaus 1974, Carlet & Ding 2004)

A function f is bent if and only if f is perfect nonlinear.

(11)

Alternative definition : perfect nonlinearity

Definition

A function f : G → V n is called perfect nonlinear if for each nonzero α in G and for each β ∈ V n ,

|{x ∈ G|f (α + x) ⊕ f (x ) = β}| = |G|

2 n .

Theorem (Dillon 1976, Rothaus 1974, Carlet & Ding 2004)

A function f is bent if and only if f is perfect nonlinear.

(12)

Example

The function f : GF(2) 4 → GF (2) defined by

f (x 1 , x 2 , x 3 , x 4 ) = (x 1 , x 2 ).(x 3 , x 4 ) = x 1 x 3 ⊕ x 2 x 4

is bent.

(13)

Nonexistence results : impossible cases

Odd dimension : If m is an odd integer, there is no bent function f from V m to V n (for any n) ;

Plane dimension : For any integer m, there is no bent function f from V m to itself ;

Nevertheless in this contribution are constructed ”bent”

functions in these cases !

(14)

Nonexistence results : impossible cases

Odd dimension : If m is an odd integer, there is no bent function f from V m to V n (for any n) ;

Plane dimension : For any integer m, there is no bent function f from V m to itself ;

Nevertheless in this contribution are constructed ”bent”

functions in these cases !

(15)

Nonexistence results : impossible cases

Odd dimension : If m is an odd integer, there is no bent function f from V m to V n (for any n) ;

Plane dimension : For any integer m, there is no bent function f from V m to itself ;

Nevertheless in this contribution are constructed ”bent”

functions in these cases !

(16)

Nonexistence results : impossible cases

Odd dimension : If m is an odd integer, there is no bent function f from V m to V n (for any n) ;

Plane dimension : For any integer m, there is no bent function f from V m to itself ;

Nevertheless in this contribution are constructed ”bent”

functions in these cases !

(17)

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(18)

Cryptography ;

Mobile communications.

(19)

Cryptography ;

Mobile communications.

(20)

Cryptography ;

Mobile communications.

(21)

Cryptography (I/IV) : DES-like cryptosystem

Let M be the plaintext and f be a mapping. An encryption using a DES-like cryptosystem consists in the iterative process

X 0 := M ;

X i := f (K i + X i−1 ) for n ≥ i > 0.

By definition the ciphertext is C := X n .

(22)

Cryptography (I/IV) : DES-like cryptosystem

Let M be the plaintext and f be a mapping. An encryption using a DES-like cryptosystem consists in the iterative process

X 0 := M ;

X i := f (K i + X i−1 ) for n ≥ i > 0.

By definition the ciphertext is C := X n .

(23)

Cryptography (I/IV) : DES-like cryptosystem

Let M be the plaintext and f be a mapping. An encryption using a DES-like cryptosystem consists in the iterative process

X 0 := M ;

X i := f (K i + X i−1 ) for n ≥ i > 0.

By definition the ciphertext is C := X n .

(24)

Cryptography (II/II) : Differential and linear attacks

Biham & Shamir’s Differential attack takes advantage of a possible weakness of the DES-like cryptosystem in a first-order derivation ;

Matsui’s linear attack exploits the possible existence of an approximation of the entire cryptosystem by a linear function ;

The resistance of DES-like cryptosystem relies on the mapping f used.

The mappings f that offer the best resistance against the

differential and linear attacks are exactly the bent functions.

(25)

Cryptography (II/II) : Differential and linear attacks

Biham & Shamir’s Differential attack takes advantage of a possible weakness of the DES-like cryptosystem in a first-order derivation ;

Matsui’s linear attack exploits the possible existence of an approximation of the entire cryptosystem by a linear function ;

The resistance of DES-like cryptosystem relies on the mapping f used.

The mappings f that offer the best resistance against the

differential and linear attacks are exactly the bent functions.

(26)

Cryptography (II/II) : Differential and linear attacks

Biham & Shamir’s Differential attack takes advantage of a possible weakness of the DES-like cryptosystem in a first-order derivation ;

Matsui’s linear attack exploits the possible existence of an approximation of the entire cryptosystem by a linear function ;

The resistance of DES-like cryptosystem relies on the mapping f used.

The mappings f that offer the best resistance against the

differential and linear attacks are exactly the bent functions.

(27)

Cryptography (II/II) : Differential and linear attacks

Biham & Shamir’s Differential attack takes advantage of a possible weakness of the DES-like cryptosystem in a first-order derivation ;

Matsui’s linear attack exploits the possible existence of an approximation of the entire cryptosystem by a linear function ;

The resistance of DES-like cryptosystem relies on the mapping f used.

The mappings f that offer the best resistance against the

differential and linear attacks are exactly the bent functions.

(28)

Cryptography (II/II) : Differential and linear attacks

Biham & Shamir’s Differential attack takes advantage of a possible weakness of the DES-like cryptosystem in a first-order derivation ;

Matsui’s linear attack exploits the possible existence of an approximation of the entire cryptosystem by a linear function ;

The resistance of DES-like cryptosystem relies on the mapping f used.

The mappings f that offer the best resistance against the

differential and linear attacks are exactly the bent functions.

(29)

Mobile communications (I/V) : Code Division Multiple Access (CDMA)

Definition

Two vectors u = (u 1 , . . . , u m ) and v = (v 1 , . . . , v m ) are called orthogonal if

u.v =

m

X

i=1

u i v i = 0 .

For instance u = (1, 1, 1, −1) and v = (1, −1, 1, 1) are

othogonal.

(30)

Mobile communications (II/V) : CDMA

V : set of mutually orthogonal vectors ;

Each sender S x has a different, unique vector x ∈ V called chip code.

For instance S u has u = (1, 1, 1, −1) and S v has v = (1, −1, 1, 1) ;

Objective : Simultaneous transmission of messages by

several senders on the same channel (multiplexing).

(31)

Mobile communications (II/V) : CDMA

V : set of mutually orthogonal vectors ;

Each sender S x has a different, unique vector x ∈ V called chip code.

For instance S u has u = (1, 1, 1, −1) and S v has v = (1, −1, 1, 1) ;

Objective : Simultaneous transmission of messages by

several senders on the same channel (multiplexing).

(32)

Mobile communications (II/V) : CDMA

V : set of mutually orthogonal vectors ;

Each sender S x has a different, unique vector x ∈ V called chip code.

For instance S u has u = (1, 1, 1, −1) and S v has v = (1, −1, 1, 1) ;

Objective : Simultaneous transmission of messages by

several senders on the same channel (multiplexing).

(33)

Mobile communications (II/V) : CDMA

V : set of mutually orthogonal vectors ;

Each sender S x has a different, unique vector x ∈ V called chip code.

For instance S u has u = (1, 1, 1, −1) and S v has v = (1, −1, 1, 1) ;

Objective : Simultaneous transmission of messages by

several senders on the same channel (multiplexing).

(34)

Mobile communications (III/V) : CDMA

S u wants to send d u = (1, 0, 1) and S v wants to send d v = (0, 0, 1) ;

S u computes its transmitted vector by coding d u with the rules 0 ↔ −u, 1 ↔ u. He obtains (u, −u, u) ;

S v computes (−v , −v , v ) ;

The message sent on the channel is (u − v, −u − v , u + v ).

(35)

Mobile communications (III/V) : CDMA

S u wants to send d u = (1, 0, 1) and S v wants to send d v = (0, 0, 1) ;

S u computes its transmitted vector by coding d u with the rules 0 ↔ −u, 1 ↔ u. He obtains (u, −u, u) ;

S v computes (−v , −v , v ) ;

The message sent on the channel is (u − v, −u − v , u + v ).

(36)

Mobile communications (III/V) : CDMA

S u wants to send d u = (1, 0, 1) and S v wants to send d v = (0, 0, 1) ;

S u computes its transmitted vector by coding d u with the rules 0 ↔ −u, 1 ↔ u. He obtains (u, −u, u) ;

S v computes (−v , −v , v ) ;

The message sent on the channel is (u − v, −u − v , u + v ).

(37)

Mobile communications (III/V) : CDMA

S u wants to send d u = (1, 0, 1) and S v wants to send d v = (0, 0, 1) ;

S u computes its transmitted vector by coding d u with the rules 0 ↔ −u, 1 ↔ u. He obtains (u, −u, u) ;

S v computes (−v , −v , v ) ;

The message sent on the channel is (u − v, −u − v , u + v ).

(38)

Mobile communications (III/V) : CDMA

S u wants to send d u = (1, 0, 1) and S v wants to send d v = (0, 0, 1) ;

S u computes its transmitted vector by coding d u with the rules 0 ↔ −u, 1 ↔ u. He obtains (u, −u, u) ;

S v computes (−v , −v , v ) ;

The message sent on the channel is (u − v, −u − v , u + v ).

(39)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(40)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(41)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(42)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(43)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(44)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(45)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(46)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(47)

Mobile communications (IV/V) : CDMA

A receiver gets the message M = (u − v , −u − v , u + v ) and he needs to recover d u and/or d v ;

How to recover d u ?

Take the first component of M , u − v and compute the dot-product with u : (u − v ).u = u.u − v .u = 4. Since this is positive, we can deduce that a one digit was sent ;

Take the second component of M , −u − v and

(−u − v ).u = −u.u − v .u = −4. Since this is negative, we can deduce that a zero digit was sent ;

Continuing in this fashion with the third component, the receiver successfully decodes d

u

;

Likewise, applying the same process with chip code v, the

receiver finds the message of S v .

(48)

Mobile communication (V/V) : CDMA

Let f : Z m → {0, 1} be a bent function.

For each α ∈ Z m , we define a vector :

u α = (f(α), f (α + 1), . . . , f (α + m − 1)) . In particular u 0 = (f (0), f (1), . . . , f (m − 1)).

Then {u α |α ∈ Z m } is a set of mutually orthogonal vectors.

(49)

Mobile communication (V/V) : CDMA

Let f : Z m → {0, 1} be a bent function.

For each α ∈ Z m , we define a vector :

u α = (f(α), f (α + 1), . . . , f (α + m − 1)) . In particular u 0 = (f (0), f (1), . . . , f (m − 1)).

Then {u α |α ∈ Z m } is a set of mutually orthogonal vectors.

(50)

Mobile communication (V/V) : CDMA

Let f : Z m → {0, 1} be a bent function.

For each α ∈ Z m , we define a vector :

u α = (f(α), f (α + 1), . . . , f (α + m − 1)) . In particular u 0 = (f (0), f (1), . . . , f (m − 1)).

Then {u α |α ∈ Z m } is a set of mutually orthogonal vectors.

(51)

Mobile communication (V/V) : CDMA

Let f : Z m → {0, 1} be a bent function.

For each α ∈ Z m , we define a vector :

u α = (f(α), f (α + 1), . . . , f (α + m − 1)) . In particular u 0 = (f (0), f (1), . . . , f (m − 1)).

Then {u α |α ∈ Z m } is a set of mutually orthogonal vectors.

(52)

Application

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(53)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(54)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(55)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(56)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(57)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(58)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(59)

Application

Let X be any nonempty set. We denote by S(X ) the symmetric group of X .

Definition

Let G be any group. An action of G on X is a group homomorphism Φ from G to S(X ).

Write g.x instead of Φ(g)(x) for g ∈ G and x ∈ X . Examples

A group G acts on itself by translation : α.x = α + x ; Let G and H be two groups. G acts on G × H by α.(x, y) = (α + x, y) ;

Let W be a sub-vector space of V . W acts on V by

translation : α.x = α + x ;

(60)

Application

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(61)

Application

Alternative definition (recall)

A function f : G → V n is bent if for each nonzero α in G and for each β ∈ V n ,

|{x ∈ G|f (α + x) ⊕ f (x ) = β}| = |G|

2 n .

(62)

Application

Definition

Let G be a finite Abelian group acting on a finite nonempty set X. A function f : X → V n is G-bent if for each nonzero α ∈ G and for each β ∈ V n ,

|{x ∈ X |f (α.x ) ⊕ f (x ) = β}| = |X | 2 n .

In particular a classical bent function f : G → V n should be

called a G-bent function in this new framework, where the

considered group action is the action of G on itself by

translation.

(63)

Application

Definition

Let G be a finite Abelian group acting on a finite nonempty set X. A function f : X → V n is G-bent if for each nonzero α ∈ G and for each β ∈ V n ,

|{x ∈ X |f (α.x ) ⊕ f (x ) = β}| = |X | 2 n .

In particular a classical bent function f : G → V n should be

called a G-bent function in this new framework, where the

considered group action is the action of G on itself by

translation.

(64)

Application

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(65)

Application

Odd dimension

Theorem

Let m and n be two odd integers. Then it is possible to construct a function f : V 2m+n → {0, 1} which is V n -bent.

Remark

Because m and n are odd integers there is no classical bent

function from V 2m+n to {0, 1} or also from V n to {0, 1}.

(66)

Application

Odd dimension

Theorem

Let m and n be two odd integers. Then it is possible to construct a function f : V 2m+n → {0, 1} which is V n -bent.

Remark

Because m and n are odd integers there is no classical bent

function from V 2m+n to {0, 1} or also from V n to {0, 1}.

(67)

Application

Odd dimension

Theorem

Let m and n be two odd integers. Then it is possible to construct a function f : V 2m+n → {0, 1} which is V n -bent.

Remark

Because m and n are odd integers there is no classical bent

function from V 2m+n to {0, 1} or also from V n to {0, 1}.

(68)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(69)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(70)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(71)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(72)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(73)

Application

Plane dimension

Theorem

Let f : GF (2 m ) → GF (2 m ) be a field automorphism. Then f is GF(2 m ) -bent.

Proof

Let x ∈ GF(2 m ) and α ∈ GF (2 m ) , α 6= 1. Let β ∈ GF(2 m ).

f (α.x ) ⊕ f (x ) = β

⇔ f (αx ⊕ x ) = β

⇔ (α ⊕ 1)x = f −1 (β)

⇔ x = f −1 (β)

(α ⊕ 1)

(74)

Application

Outline

1 Boolean bent functions : traditional approach What is a Boolean bent function ?

Applications for such functions

2 Boolean bent functions : Group actions based approach Basics on group actions

Group actions ”bent” functions

”Bent” functions in impossible cases

Application

(75)

Application

We call a cylic bent function, a bent function f : Z m → {0, 1}.

The only known examples of such cyclic bent functions occur when m = 4. It is widely conjectured that this is actually the only case.

Theorem

Let m be an even integer. Then it exists a GF (2) m -bent function f : Z 2

m

→ {0, 1}.

If m 6= 2 then (it is conjectured that) f can not be a classical

bent function.

(76)

Application

We call a cylic bent function, a bent function f : Z m → {0, 1}.

The only known examples of such cyclic bent functions occur when m = 4. It is widely conjectured that this is actually the only case.

Theorem

Let m be an even integer. Then it exists a GF (2) m -bent function f : Z 2

m

→ {0, 1}.

If m 6= 2 then (it is conjectured that) f can not be a classical

bent function.

(77)

Application

We call a cylic bent function, a bent function f : Z m → {0, 1}.

The only known examples of such cyclic bent functions occur when m = 4. It is widely conjectured that this is actually the only case.

Theorem

Let m be an even integer. Then it exists a GF (2) m -bent function f : Z 2

m

→ {0, 1}.

If m 6= 2 then (it is conjectured that) f can not be a classical

bent function.

(78)

Application

We call a cylic bent function, a bent function f : Z m → {0, 1}.

The only known examples of such cyclic bent functions occur when m = 4. It is widely conjectured that this is actually the only case.

Theorem

Let m be an even integer. Then it exists a GF (2) m -bent function f : Z 2

m

→ {0, 1}.

If m 6= 2 then (it is conjectured that) f can not be a classical

bent function.

(79)

Application

Proof

Definition of the group action of GF (2) m on Z 2

m

:

We transport the action by translation of GF(2) m on Z 2

m

: α.x = Θ(α ⊕ Θ −1 (x))

where Θ is the usual radix-two representation of an integer ;

Let choose g : GF (2) m → {0, 1} be a (traditional) bent function (succh a function exists since m is an even integer). We define the function

f : Z 2

m

→ {0, 1}

x 7→ g(Θ −1 (x )) .

(80)

Application

Proof

Definition of the group action of GF (2) m on Z 2

m

:

We transport the action by translation of GF(2) m on Z 2

m

: α.x = Θ(α ⊕ Θ −1 (x))

where Θ is the usual radix-two representation of an integer ;

Let choose g : GF (2) m → {0, 1} be a (traditional) bent function (succh a function exists since m is an even integer). We define the function

f : Z 2

m

→ {0, 1}

x 7→ g(Θ −1 (x )) .

(81)

Application

Proof

Definition of the group action of GF (2) m on Z 2

m

:

We transport the action by translation of GF(2) m on Z 2

m

: α.x = Θ(α ⊕ Θ −1 (x))

where Θ is the usual radix-two representation of an integer ;

Let choose g : GF (2) m → {0, 1} be a (traditional) bent function (succh a function exists since m is an even integer). We define the function

f : Z 2

m

→ {0, 1}

x 7→ g(Θ −1 (x )) .

(82)

Application

Proof

Definition of the group action of GF (2) m on Z 2

m

:

We transport the action by translation of GF(2) m on Z 2

m

: α.x = Θ(α ⊕ Θ −1 (x))

where Θ is the usual radix-two representation of an integer ;

Let choose g : GF (2) m → {0, 1} be a (traditional) bent function (succh a function exists since m is an even integer). We define the function

f : Z 2

m

→ {0, 1}

x 7→ g(Θ −1 (x )) .

(83)

Application

Proof

Definition of the group action of GF (2) m on Z 2

m

:

We transport the action by translation of GF(2) m on Z 2

m

: α.x = Θ(α ⊕ Θ −1 (x))

where Θ is the usual radix-two representation of an integer ;

Let choose g : GF (2) m → {0, 1} be a (traditional) bent function (succh a function exists since m is an even integer). We define the function

f : Z 2

m

→ {0, 1}

x 7→ g(Θ −1 (x )) .

(84)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(85)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(86)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(87)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(88)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(89)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

(90)

Application

Proof (cont’d)

Let show that f is GF(2) m -bent :

f (α.x ) ⊕ f (x) = β

⇔ g(Θ −1 (α.x )) ⊕ g(Θ −1 (x )) = β

⇔ g(Θ −1 (Θ(α ⊕ Θ −1 (x ))) ⊕ g(Θ −1 (x )) = β

⇔ g(α ⊕ Θ −1 (x )) ⊕ g(Θ −1 (x)) = β

⇔ g(α ⊕ y ) ⊕ g(y) = β .

Références

Télécharger maintenant ( PDF - 90 Page - 784.07 KB )

Documents relatifs

TD - Est-il possible de faire des exploits ?

La topologie r´ eseau pr´ esent´ ee dans la figure ci-dessus correspond ` a celle obtenue en lan¸ cant le script La topologie r´ eseau correspondante peut ˆ etre obtenue en lan¸

7,49 – 7,5 F Possible F Impossible F Possible F Impossible F Possible F Impossible F Possible F Impossible F Possible F Impossible F Possible F Impossible EXERCICE 3B.2 Donner un Ordre De Grandeur du résultat puis calculer : a

[r]

The Deviation Attack: A Novel Denial-of-Service Attack Against IKEv2

Proof: Summing up implications of all m1 messages sent by Initiator parties to Responder parties, at time t, Victim has installed σ × t connections in its memory.. However, all

A Generalized Attack on Some Variants of the RSA Cryptosystem

The attack is based on applying Coppersmith’s method to a multivariate modular equation and can be seen as an extension of former attacks on such

A new attack on three variants of the RSA cryptosystem

We have proposed an attack on three variants of the RSA cryptosystem, namely the Kuwakado-Koyama-Tsuruoka extension for singular elliptic curves, Elkamchouchi et al.’s extension of

Measurement of attack transients in a clarinet driven by a ramp-like varying pressure

In this experimental study, a clarinet-like instrument is blown through an artificial mouth, which allows the time profile of the blowing pressure to be controlled during the

Experimental Study of Attack Transients in Flute-like Instruments

But it appears that the rise time of acoustic is not correlated with the parameters of the mouth pressure observed in this study.. This parameters, which is the only one specific of

Groestl Distinguishing Attack: A New Rebound Attack of an AES-like Permutation

We consider highly structured truncated differential paths to mount a new rebound attack on Grøstl-512, a hash functions based on two AES-like permutations, P 1024.. and Q 1024 ,