here - Sites personnels de TELECOM ParisTech - TÃ©lÃ©com ParisTech

More documents

Recommendations

Info

96 Chapter 3. Bent functions and algebraic curvesIn Chapter 1 we emphasized the fact that a cryptographic Boolean function should verify severalcontradictory properties. Constructing satisfying functions is therefore a difficult task, andtrade-offs between the different criteria have to be made. In the present part, our approach willbe slightly different: we solely focus on one criterion — non-linearity — and more precisely onfunctions achieving maximum non-linearity: bent functions. Recall that the significance of thisaspect has again been demonstrated by the recent development of linear cryptanalysis initiatedby Matsui [189, 188]. It is therefore especially important when Boolean functions are used aspart of S-boxes in symmetric cryptosystems.Bent functions were introduced by Rothaus [222] in 1976. They turned out to be rathercomplicated combinatorial objects and a concrete description of all bent functions is elusive. Theclass of bent functions contains a subclass of functions introduced by Youssef and Gong [285]in 2001: the so-called hyper-bent functions. In fact, the first definition of hyper-bent functionswas based on a property of the extended Walsh–Hadamard transform of Boolean functionsintroduced by Golomb and Gong [118]. Golomb and Gong proposed that S-boxes should notbe approximated by a bijective monomial, providing a new criterion for S-box design. Theclassification of (hyper-)bent functions and many related problems remain open. In particular, itseems difficult to define precisely an infinite class of hyper-bent functions, as indicated by thenumber of open problems proposed by Charpin and Gong [46].The purpose of this chapter is to provide the mathematical background needed in Chapter 4where actual characterizations of such functions and efficient algorithms to generate them will bepresented. In Section 3.1, an alternative representation of Boolean functions is introduced, namelythe polynomial form, as well as exponential sums and polynomials classically related to it. It isindeed under that form that (hyper-)bent functions will be characterized in Chapter 4. Section 3.2covers a completely different and at first sight unrelated topic: (hyper)elliptic curves with anemphasis on point counting and efficient algorithms addressing this problem. The main pointthat we need in Chapter 4 is that it is possible to count points on such curves in a very efficientmanner. This introduction can also serve the reader who is not acquainted with the theory ofalgebraic curves and abelian varieties as an introduction to Part III. Therefore, Section 3.2 canalso be seen as the beginning of the transition towards Part III which will definitely depart fromthe study of Boolean functions and dive into that of abelian varieties with complex multiplication.3.1 Bent functions3.1.1 Boolean functions in polynomial formLet n be a positive integer. Recall that a Boolean function f in n variables is an F 2 -valuedfunction on F n 2 . The field F 2 n is (non-canonically) isomorphic to the vector space F n 2 , so that aBoolean function can also be seen as a function f : F 2 n → F 2 . Recall also that the Hammingweight of f, denoted by w H (f), is the Hamming weight of the image vector of f, that is thecardinality of its support supp(f) = {x ∈ F 2 n | f(x) = 1}.We now define another classical representation of Boolean functions involving the trace functionfrom F 2 k to F 2 r.Definition 3.1.1 (Field trace). For any positive integer k, and r dividing k, the trace function
3.1. Bent functions 97from F 2 k to F 2 r is denoted by Tr k r. It can be defined as 1kr −1∑Tr k r (x) = x 2ir = x + x 2r + x 22r + · · · + x 2k−r .i=0In particular, we denote the absolute trace over F 2 of an element x ∈ F 2 nby Tr n 1 (x) = ∑ n−1i=0 x2i .Proposition 3.1.2 (Polynomial form [38, 2.1]). Every non-zero Boolean function f : F 2 n → F 2in n variables has a unique trace expansion of the form∀x ∈ F 2 n, f(x) = ∑ (aj x j) + ɛ(1 + x 2n−1 ), a j ∈ F 2 o(j) ,Tr o(j)1j∈Γ ncalled its polynomial form, where Γ n is the set of integers obtained by choosing one element ineach cyclotomic coset modulo 2 n − 1 (including the trivial coset containing 0), o(j) is the size ofthe cyclotomic coset containing j, and ɛ = w H (f) modulo 2.The most usual choice for the coset elements is the smallest element in each cyclotomic coset,called the coset leader.Recall that, given an integer 0 ≤ j ≤ 2 n − 1 having the binary expansion j = ∑ n−1i=0 j i2 i ,j i ∈ {0, 1}, the Hamming or binary weight of j, denoted by w H (j), is # {0 ≤ i ≤ n − 1 | j i = 1}.The algebraic degree of f is then equal to the maximum weight of an exponent j for which a j ≠ 0if ɛ = 0 and to n if ɛ = 1.The hard problem we will try to tackle in Chapter 4 is to give efficient characterizations ofbentness using the polynomial form, i.e. necessary and sufficient conditions on the coefficients a rfor the corresponding function to be bent.3.1.2 Walsh–Hadamard transformIn this subsection we give another characterization of bentness and definitions of strongerproperties.Definition 3.1.3 (Sign function). Let f be a Boolean function on F 2 n. Its sign function is theinteger-valued function χ (f) = χ f = (−1) f .Definition 3.1.4 (Walsh–Hadamard transform). Let f be a Boolean function on F 2 n. TheWalsh–Hadamard transform of f is the discrete Fourier transform of χ f , whose value at ω ∈ F 2 nis defined aŝχ f (ω) = ∑(−1) f(x)+Trn 1 (ωx) .x∈F 2 nRecall that bent functions are functions with maximum non-linearity. They only exist for evennumber of inputs and can be equivalently defined as follows.Definition 3.1.5 (Bentness). A Boolean function f : F 2 n → F 2 is said to be bent if ̂χ f (ω) = ±2 n 2 ,for all ω ∈ F 2 n.Hyper-bent functions have even stronger properties than bent functions.hyper-bent functions can be defined as follows.More precisely,1 This is the usual field trace. For an element x ∈ F 2 k , it can be defined as the (linear algebra) trace of theendomorphism of multiplication by x where F 2 k is seen as a vector space over F 2 r . Using Galois theory, this canalso be defined as the sum of the conjugates of x in the Galois extension field F 2 k over F 2 r .
Page 1:
2012-ENST-003EDITE de ParisDoctorat
Page 4 and 5:
Jean-Pierre Flori: Boolean function
Page 7:
AbstractThe core of this thesis is
Page 11 and 12:
AcknowledgmentsVladimir. — Quand
Page 13 and 14:
ContentsList of symbols and notatio
Page 15 and 16:
Contentsxv4 Efficient characterizat
Page 17 and 18:
List of figures1.1 The filter model
Page 19 and 20:
List of symbols and notationGeneral
Page 21 and 22:
List of symbols and notationxxil(t)
Page 23 and 24:
List of symbols and notationxxiiidi
Page 25:
List of symbols and notationxxvu
Page 28 and 29:
2 Introduction1 Mathematics and cry
Page 30 and 31:
4 Introductiongiving more general b
Page 33 and 34:
Chapter 1Boolean functions incrypto
Page 35 and 36:
1.1. Cryptographic criteria for Boo
Page 37 and 38:
1.2. Families of Boolean functions
Page 39 and 40:
Page 41 and 42:
Page 43:
Page 46 and 47:
20 Chapter 2. On a conjecture about
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
Page 72 and 73: 46 Chapter 2. On a conjecture about
Page 119: Part IIBent functions and pointcoun
Page 124 and 125: 98 Chapter 3. Bent functions and al
Page 126 and 127: 100 Chapter 3. Bent functions and a
Page 136 and 137: 110 Chapter 4. Efficient characteri
Page 155: Part IIIComplex multiplication and
Page 158 and 159: 132 Chapter 5. Complex multiplicati
Page 172 and 173:
146 Chapter 5. Complex multiplicati
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 185 and 186:
Chapter 6Complex multiplication in
Page 187 and 188:
6.1. Abelian varieties 1616.1 Abeli
Page 189 and 190:
6.1. Abelian varieties 163Theorem 6
Page 191 and 192:
6.1. Abelian varieties 165A homomor
Page 193 and 194:
6.1. Abelian varieties 1676.1.5 Hom
Page 195 and 196:
6.2. Class groups and units 169The
Page 197 and 198:
6.2. Class groups and units 171in [
Page 199 and 200:
6.3. Complex multiplication 173If t
Page 201 and 202:
6.3. Complex multiplication 175•
Page 203 and 204:
6.3. Complex multiplication 177We h
Page 205 and 206:
6.3. Complex multiplication 179pola
Page 207 and 208:
6.4. Class polynomials for genus 2
Page 209 and 210:
6.4. Class polynomials for genus 2
Page 211:
Appendices
Page 214 and 215:
Table A.3: Coefficients for d = 3,
Page 216 and 217:
Table A.8: Coefficients for d = 8,
Page 218 and 219:
192 Bibliography[13] Elwyn Ralph Be
Page 220 and 221:
194 Bibliography[42] Claude Carlet,
Page 222 and 223:
196 Bibliography[72] Cunsheng Ding,
Page 224 and 225:
198 Bibliography[102] David Freeman
Page 226 and 227:
200 Bibliography[132] Marc Hindry a
Page 228 and 229:
202 Bibliography[161] Philippe Lang
Page 230 and 231:
204 Bibliography[191] Willi Meier a
Page 232 and 233:
206 Bibliography[222] Oscar Seymour
Page 234 and 235:
208 Bibliography[254] Marco Streng.
Page 236 and 237:
210 Bibliography[286] Chia-Fu Yu. T
Page 238 and 239:
212 IndexForm class group . . . . .
Page 240 and 241:
214 IndexKKloosterman sum . . . . .
Page 243 and 244:
Résumé longFauĆ.Werd’ iĚ beru
Page 245 and 246:
1. Des fonctions booléennes et d
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
2. Fonctions courbes et comptage de
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
3. Multiplication complexe et polyn
Page 263 and 264:
Page 265 and 266:
Page 267:
show all

here - Sites personnels de TELECOM ParisTech - TÃ©lÃ©com ParisTech

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?