Hacking Book | Free Online Hacking Learning


from cryptanalysis to the cryptanalysis of boolean functions - free reading of scientific texts on the subject of mathematical science articles.

Posted by patinella at 2020-02-16

Mathematical encryption method of applied discrete mathematics 2016 № 3) (33)

Mathematical encryption

UDK 519.7

From cryptanalysis to the cryptanalysis of Boolean function 1

Ah. Ah. Gorodilov

Lvov School of Mathematics C. L.L. Sobeleva Soran,G. Novosibirsk, Russia

This overview focuses on the basic cryptographic properties of Boolean functions, such as high algebraic power, balance and complete balance, Avalanche characteristics, lack of linear structure, correlation immunity and stability, high nonlinearity, statistical independence, algebraic immunity, Affine degree and k-normality, differential uniformity, can be decomposed into special functions and multiplicative complexity, high power of linear sets. This paper studies the formation of attribute data of attack based modules and process ciphers, and uses some vulnerabilities of Boolean functions as part of ciphers; The basic idea of attacking data. The basic theoretical results of each characteristic are briefly reviewed and some outstanding problems in this field are put forward.

Keywords: Boolean function, pipeline cipher, block cipher, algebraic power, balance, complete balance, avalanche property, linear structure, Correlation immunity, stability, nonlinearity, statistical independence, algebraic immunity, affinity level, k-normality, differential uniformity, Threshold decomposition, multiplicative complexity, linear set, linear complexity, correlation cryptanalysis, fast correlation attack, linear cryptanalysis, Statistical simulation, algebraic cryptanalysis, differential cryptanalysis, third-party attack, linear attack.

DOI 10.17223 20710410/33 2


The survey is devoted to description of basic,but not all,cryptographic properties of Bolean functions:algebraic degree,balanceness and perfect balanceness,avalanche

1 work funded by rffi grant, No. 15-07-01328.

Keywords:Bolean function,stream cipher,block cipher,algebraic degree,balanced-ness,perfect balanceness,avalanche characteristics,linear structure,correction immunity,resiliency,nonlinearity,statistical independence,algebraic immunity,affinity level,k-normality,differential uniformity,threshold implementation. multiplicative complexity,linearization set,linear complexity,correction attack,fast correction attack,linear cryptanaysis,statistical analogue,differential cryptanaysis,side-channel attacks,linearization attack.


For half a century, there are quite a lot of requirements for the Boolean function of encryption system. The functions that meet these requirements are called Boolean encryption functions.

The main purpose of the work is to make the original connection between different cryptanalysis methods and the mathematical requirements of Boolean functions, These codes are used to deal with these attacks. The table reflects the substance of the work. In order to better understand the theoretical results of different encryption fields, we can recommend related work. Ah. Rogachev, a Ah. S.V.Salnikova,S.V.Ushirieva,V. B. [11] lizard P. [1] Russian Chinese Translation B. [19]

Encryption features under consideration and their uses

Target attribute

1. High algebraic ratio increases the linear complexity of generating sequences and the degree of nonlinear equations describing ciphers

2. Balance to improve the statistical sequence performance of the water generator

Complete balance

4 avalanche characteristics ensure that the value of large output variable changes when the value of small input variable changes

5. Lack of nonlinear characteristics of linear structure improvement function

6 related immunity, resistance

7. Pipeline cipher and linear cipher analysis with high nonlinearity hindering fast correlation attack

8. Obstacles of statistical independence to statistical encryption analysis

End of table

Target attribute

9 algebraic immunity hinders algebraic cryptanalysis

Can't you find what you want? Try a reference tool.

10 level affinities and k-nor mal-mal block linearization without introducing new variables to solve the Boolean equation

Block cipher for differential cryptanalysis

12 sum of decomposability and special functions

13 multiplicative complexity

14 high power linear set obstacle linearization attack

1. Basic definitions and symbols

1.1. Boolean function

Enter a symbol: n-natural number; F2 set, by 0 and 1; X =) Xi“ The coordinate of a binary vector is F2; f ^ the length of all binary vectors n;; 0 =) 0 ^ 0 ^ zero vector; the addition module 2 of f ^. The weight of Hamming lattice WT) x) binary vector is called unit, с-


At X: WT (x) = x " (d) X, y) distance between two vectors


Meters x, y are called different position numbers, or equivalent, d) (x, y) = WT) XFY Scalar product) (x, y) binary vector x, y) is defined as (x), y = Xiyi f F xnyn.

Vector Boolean function) (n, T-function) f is called any display F: FN ^ FM. In the case of M = 1, they say that f-boolean functions take n variables. As you can see, N, T-function is a set of M coordinate functions from n variable: F =) 1. Any nonzero linear combination of coordinate functions, i.e E. Boolean function B, F, where B is FM b=0.

The weight of the wt /) function is equal to the power of its carrier (SUP) /) = {x E FN: / (x) x = 1}. The Boolean function / and (g) between Hamming's (d) / g) are the distance between Hamming's vectors (d) / g) = {x E FN: /) {x x x x x x} g) X. Let Mn - from some Boolean functions of n variable. From function g to many functions Mn is defined as (d) g, Mn = min {d) /, g): / E Mn}. For direction a of any Boolean function / derivative, where EFN is defined as da / (x) = x) f / X a.

Any (n, T-function can be written down in a unique way as the form of a thermal Galilean polynomial, or as an algebraic normal form): (f) x1“


=A1,…..ikxii。 Xik FA, where {IB ,^ h}^ ^ ^ ^ ^ ^ ^ 1. ,n}and ai 1,……。 K=0

The algebraic power (DEG) (f) of the F function is called the number of variables in the longest anf component, where the coefficient is not equal to the zero vector. A function whose power is not greater than 1 is called an affine function. In the case of A0 = 0, linear function.

For each y-e-fn coefficient, Walsh Adama WF) (y) Boolean function / slave n variable is called a value, and WF) y is equal to

5 pieces


Square metre


5 pieces

Abu Locke




=^1 ^ ^ 2) Hu WF array of all eks) This is called spectrum


Can't you find what you want? Try a reference tool.

ROM Walsh adamable function f. Parceval fairness: W ^ u = 22P Walsh Adama spectrum


The validity of all the Boolean functions of Walsh Adama: WF(

=^ 1 ^ ^ 1 ^ ^ 1 ^ h)^ hek?

1.2. Block cipher converts the length n (information) of the open text block (information) into the text of the code block, and uses a certain secret key length n. The encryption process consists of multiple repeated rounds, usually defining the same round function, depending on a round connected to ^, Master key generated by specific rules

The most common group cipher types, br network and fester network, are shown in the diagram. [multilateral treaties deposited with the Secretary General] Both of them embody the two principles of code transformation that Claude Shannon defined in his work, namely, distribution and mixing. Let's explain these principles according to our work: "qualitatively speaking, It's a complex mix that restores the relationship between statistical and Analytical attributes of open and encrypted text, A / distribution extends the influence of an open character on multiple characters, thus eliminating the influence of statistical attributes on text attributes. Code. In the br network example, it is clear that p-blocks can be used for dispersion, while a small set of b-blocks can be used for mixing. Although linear function is usually chosen as r-blog-k, b-blog is a nonlinear encryption transformation.

Basically, B-block - this is a vector (P), T-function, and P and T values are small, such as 4, 6, 8 bits. Although the size is so small, it is difficult to find such a B-block with "good" encryption characteristics. For the sake of intuition, we have noticed that 22048 exists in all kinds of performances, which cannot be completely overcome at present! However, even analytical discussions cannot answer questions that are important for cryptographic applications. For example, we don't know if there is a matching almost completely nonlinear self-expression in even number p ^ 8, in P 12.

1.3. [5] Continuous cipher refers to the widely used flow operation mode of gamma code. These systems are based on the "superposition" method (e.g., by module 2) of the key sequence plus the password information on the public text. As can be seen from Claude Shannon's works, if the length of the key is the same as the length of the message, then the selection is random, possible and only used


■ R1 1 hour

Block, block

A. "


Fester cycle function

chart One

Once, this encryption system is absolutely resistant to code-based attacks. Because this mode is not suitable for wide spread, it is difficult to generate the same number of keys as the message, let alone the transmission keys, The task for developers is to obtain a certain length of gamma key sequence from a short sequence of random key bits, which will be close to random. Note that the encryption stability of a password depends on the nature of the sequence.

Shift feedback register is often used as a part of pipeline cipher. Figure 2 shows their schematic diagram, in which the f-buleva function takes the P variable as the feedback function [20]

chart Two

Before starting work, start filling the register with certain bits. Next, calculate a priority value (a = f) [beep] in each work step Then move all the bits in the register to the left, enter a value in the rightmost bit, and the leftmost bit will become the next output sequence bit = = m0.m1, Page: 1

The most common is the linear feedback shift register)( In those f lines, for example, PP-1 of F, (..., P 0) = and, er, where, from € E We note that the consistency generated by any feedback registry is always cyclical. It is easy to see that, in fact, any periodic sequence can produce an effective length. In this case, the linear complexity and order is called the minimum length and the length it produces. The linear complexity of a sequence is the main parameter to describe the complexity of its analytical structure [5]

To remind you, generating "good" gamma is not a single yevy use. Indeed, if we know the feedback function (f) [J =) and [J], from the € EP, we only need to run the bit sequence continuously to restore the initial state of the register. Through the solution of linear equations. The initial state is usually the secret key of the password.

In addition, there is a more powerful result that can find linear feedback function for any periodic sequence. Suppose we intercept a certain period of time. Then, with the well-known Bergkamp Messi algorithm, you can find the recurrence law from the time of the length polynomials of a finite sequence, This is equivalent to finding a linear register to generate this sequence segment. In this case, if the length of the sequence is not less than 2c, and the linear complexity of the sequence, then the found yevy also produces an infinite sequence, which is what we know.

On the other hand, the linear complexity of the resulting sequence must be high in almost any initial state of the registry - the unknown key. Therefore, some complex methods are used. According to the two main generator models [20] made by the linear feedback shift recorder, Fig. 3. Boolean functions are called combination functions and filter functions respectively.

Combined generator

chart Three



Filter oscillator

2. High algebraic power

Can't you find what you want? Try a reference tool.

*This document was submitted late in order to include the latest information. [24] theoretical results show that if the algebraic power is small, it should be selected as a combination and filter function. First of all, consider the composite oscillator 1,..., P Let the combined l function be represented by algebraic normal form


H)... 1,CP)=0“…… Hg, where 1, (...), (...) 1, (...) And ^ ^ 2. Sometimes, sometimes

K=1 11

When a linear complexity is associated with the resulting sequence, it is evaluated from above by register length as follows:


And ^ and ^ 1 Honey, k = 1

In this case, under known conditions, this estimation can achieve the following: if RG matches the linear complexity of E8 and H sequences generated by any gram and X number Two of them are simple to each other. It can be seen that the higher the level of IMF, the more linear complexity can be obtained.

In the filtering mode, there is no similar accurate result, although there is also an estimate of the linear complexity of the sequence generated by ste-t.


Pen filtering function DEG) h, that is, C ^ g, where the Registrar

Type =0

Coefficient of hyperbolic binomial. In addition, if a simple number, then from the next estimate is correct: C ^^

Larger functions should also be selected in combination ciphers. "" DEG) f) Boolean function must be large. For block encryption, this condition is usually a set of key bit equations designed to use cryptanalysis, including the function of using G. As part of it, it has a very high level. The higher the level of the system, the more difficult it is to solve the problem, which means to determine the key.

3. balance

Definition 1. The Boolean function f from the P variable is called equilibrium, if its weight is equal to 2 P-1, that is E. The function accepts the values of 0 and 1 the same number of times.

This is probably one of the most naturally required features of Boolean functions that use pipeline ciphers. If the Boolean function is balanced, then it will accept a probability of 0 or 1 of 1. This reduces the statistical relationship between function inputs and outputs. Otherwise, the cryptographic analyst can use probability relations for encryption analysis.

This definition is summarized as a vector case.

Definition 2. Vector (P), T-function is called equilibrium, if - 1): {X: P)} = for any one of the € K Distr.

under these circumstances

13. Approval1. Vector (P), T-function can be balanced only when all its component functions are balanced.

4. Complete balance

The property of complete equilibrium of Boolean function is the natural synthesis of general equilibrium, when the function plays, for example, filter function Alternator. This attribute is a formal s H. [original: Russian]

Let the f filter function of the generator from the P variable, x =) x1. (..., x + + + p-1) input sequence segment length + P-1, which adds some natural numbers. Then the generator generates a sequence segment and = =) 1 and love We define function (f) and number (excluding vector) + P-1,), and determine the contrast function of X vector according to the above rules.

Definition 3. Boolean function f is called complete equilibrium, if for any natural number, FG function is balanced.

In particular, if the function is completely balanced, then it is also balanced in the general sense. The opposite mistake.

Forbid Boolean function f to be called vector=( , and ^ for a specific, it brings many items ^ - 1) and ^ are empty. The next theorem reflects the standard of complete equilibrium in terms of forbidden functions.

Theorem 1. When a Boolean function is completely balanced, only when it is a function is not prohibited.

It can be understood intuitively that the generator is "weak" in generating sequences with good statistical characteristics due to the prohibition of its filtering function. But be careful, Because some form of complete balance filter function transfers the properties of input sequence to the properties of generated sequence,] For instance B. [Article 17] there is a new standard, in terms of ideology

Can't you find what you want? Try a reference tool.

Next: "the filter function retains the corresponding meaning of the ban" only if it is fully balanced. Therefore, if the input of the function is from the "remote" of the random sequence, then the statistical property of its output is not good.

Note that if a linear filter function is based on its first and / or last substantive variable, it is completely balanced. However, on the contrary, this is not correct, because the design is completely a function of balance and depends on its limit variable nonlinearly) a reference can be found in [11]. The so-called inversion attacks on filtered generators confirm the significance of finding a wide range of categories of this function, Linear filtering using the first or last substantive function variable. The attack was proposed by j.dj. [original: Spanish]

5. Avalanche characteristics

The concept of avalanche characteristic of Boolean function reflects one of the principles in Shannon code transformation design principle. 1.2. The principle of distribution. The following definition is made by A.F. Webster, S.E. Tavares at work, § 43.

Definition 4. From n variable of Boolean function f conforms to strict avalanche criterion(

If all coordinate vector functions (n) are satisfied by sac, then when the change probability of one input bit is 12, the change of each output bit. As a result, it can be expected that about half of the output bits will change.

B. A comprehensive description of this standard that preneel and others have begun to consider is as follows. [39]

Definition 5. Boolean function f satisfies K from n variable(

According to PC definition, (1) acc. to sac. Looking into the future, it can be pointed out that PC( Article 11 definitions 8, theory 16 (12 posts) If a function meets these criteria, it means that the change of multi input vector will change the value of the function, with a probability of 1 / 2.

As pointed out in Article 11, strict avalanche standards and their generalizations "[ultimately provide an indication of the local nature of the encryption function studied]. More correctly, the average "good" avalanche characteristic of the function is required, which is shown in that the autocorrelation function module (a) () =) 1 (f) x ® f) x ® x ® a) is equal to or close to Most to zero

Vector a e f ^. X-m.zhang and y.zheng put forward this method in their work [] 45.

Definition 6. Global avalanche characteristic) the Boolean function of [GAC] (f) is called the number A / = 2 (a) and a / = maximum a /...) a from n variables.

Obviously, the less data, the better the encryption function, because the global atmosphere monitoring system reflects the average avalanche index. [11] We can find the basic characteristics and some relations of any function of GAC

With other encryption features, especially non-linear and stable order.

6. linear structure

Definition 7. If there is a vector a G FN, a = 0, for example, f = const.

[32] although as described in [24], the code shall select the function without linear structure. So far, these weaknesses have not been used to attack. In fact, the existence of a linear structure indicates that it is "similar" to a linear function, because it is a linear equivalent function with a variable, It depends on linear or virtual. As mentioned before, in a different sense, systems with near linear functions are unacceptable encryption systems.

7. Related immunity and stability

The properties considered here come from different applications, but it turns out to be closely related. t. Relevant immunity terms of Siegenthaler at work [40] It shows that the high correlation immunity function, as a hybrid generator in pipelining cipher, makes the cipher resistant to correlation attacks. The essence of the attack is to find a subset of variables of a composite function whose values can be used to know the meaning of the function. Sustainable functions were also introduced into the open literature in the 1980s, but as pointed out in [11], "... Related to research fields such as distributed computing, "Error proofing and developing a common key for quantum encrypted channels." From K. H. As we all know, the Soviet Union studied similar functions. B. In the 1970s, this was a considerable change.

In the flow code, the comprehensive function of the generator must be stable. In this case, the higher the stability is, the more stable the password is to the correlation cryptanalysis.

Let's formally define these attributes in the combined language. We first define the concept of subfunction. F function extracted from F function from variable x Concrete Therefore, the value is 0 or 1. This is a function marked "^".

Definition 8. The Boolean function f is called the related immune order of K. if the weight of the subfunction of the Fiol ^ function matches the relationship of WT ^ L '"^. ^ wt = WT) ^ f / 2K, any group of indexes 1 ^ I \ IK ^ n and any value .ak G F2.

In other words, F of Boolean function is called K-Correlation immune order, if P [f = 1] = pf ^ 1 '^ 1 ^ 1 is p function of probability, that is, P function of probability. Some input bit knowledge does not provide statistical information about the meaning of functions.

Definition 9. Boolean function f is called k-stability(

It is not difficult to see that F-function is k-stable only when it is in k-order equilibrium and correlation immunity.

7.1. Related attack thought

Consider the general idea of cryptanalysis, following ± 14

Let f-completing function generator, lfsri,,, LFSR his shift register and linear feedback length L1,..., LN respectively, and u = = U0, UI, U2 Register output sequence Labor intensity of cryptanalysis E. The integrity of all initial states of the registry is estimated to be 2ll + + LN. If the register is "correct", then the U sequence is very close to random, so you can think of P [U type = 0] ~ 1 / 2. So, if z = Z0, Z1, Z2 -Any sequence independent of u, you can think of P [u = Z] ~ 1 / 2, because P [u = Z] [type] = P [u = 0] [P] Z type = 0] + P ± Z type = 0] + P ± P ± z = 1] "1 / 2 ± P ± z = 0] + P ± Zi = 1] = 1 / 2.

Suppose F function is function related( At that time, it was said that the unknown initial state of the lfsr1 registry could be restored. To do this, we will review all possible starting states of the first register)( And calculate how many times to realize Z series = U series. Then, if the initial state is assumed to be wrong, then p [Z type = u] ~ 1 / 2, if it is correct, P [Z type = u] ~ 1 / 2 + E. Therefore, the more relevant e is, the more likely we are to find the correct register state. As a result, we reduce the hassle of 2ll + 22 + + LN. If there is an association between F and other variables in this case, the complexity can be further reduced. I f (f) has nothing to do with function (I) (x), = well, you can find that with other linear functions (WT) (C = k is small, for example, C =) 1, 1, 0. Then its complexity is reduced to 2 version 1 + + + 2 version K + + I + + + n. but if K is big enough, then password analysts may not have special benefits.

Please note that it also contains the known result that the filter generator with F function can be attributed to the special combined generator with F function, She's been a group. In this case, the new generator generates the same order in a certain initial full register state. Therefore, the related attacks can be summarized as filtering generators.

Can't you find what you want? Try a reference tool.

7.2. Basic theorem and its relation with nonlinearity

13. Approval2. K series related immune function is also related to I series K immune function.

Because of this statement, the order (COR) (f) function of correlation immunity is naturally determined as

Cor F.) = max {0 ^ k ^ n: f-related immune program K}.

The next well-known theorem provides spectral characteristics of related immune and stabilizing functions.

Theorem 2) spectral characteristics. Let f-boolean function from n variable. Correct COR) (f) = k then only if wF (y) = 0 all vectors y, such as 1 ^ WT) y ^ K. in addition, if f is balanced, only if wF (0) = 0.

This theorem is directly related to the definition and application of K-function related immune order-

The research institute regards it as the comprehensive function of the water generator. Indeed, in order to attack, it is necessary to find a linear function of F) x = (c) x, which is related to the combined function of F, i.e [P][f=]=1/2. Because P] f = = (2n-d), (F.F) / 2n = 1 / 2 + (2n-1-d), [2n-1-d] (F.F). / 2n = 1 / 2, this is equivalent to (d), [F] = 2N-1 In addition, it is easy to get that the distance between F and linear function – (x) = = (C, x) is expressed as (d), (f), f = 2n-1-wf) C/ Therefore, when d) f, f = 2N-1, only if WF) (C = 0. Therefore, if the stable order of composite functions is high enough, it will be difficult to attack the code.

(f) The relationship between the range of and (DEG) (f) functions is shown in the next theory.

Theorem 3) Siegenthaler. Let f-boolean function from n variable.

1. If COR) (f) = k, then run DEG) + K ^ n.

2. If COR) (f) = k, f is balanced and K ^ n-2, then run (f) + K ^ n-1.

Theoretically, it can be seen that the higher the function, the smaller the order of its related immunity, and vice versa. However, as we can see, these two parameters must be high encryption generator complexity functions.

Result 1. Let f-boolean function from n variable. If COR) (f) = n, then f = const If COR) (F = n-1, then f) x = x 1 f f xn f const.

The next known estimate (COR), (f) receives D G. [original: French]

Von de flaass theorem 4). Let f-unbalanced Boolean function from n variable. Then cor (f) ^ 2n3) - 1

(NF) nonlinearity is also mentioned here. Article 10 definitions (8) Related immune function.

Theorem 5) relation (COR) (f) and NF. Let f-boolean function from n variable.

1. If COR) (f) = k, K ^ n-1, it is executed by NF ^ 2n-1-2k.

2. If COR) (f) = k, f is balanced and K ^ n-2, then NF ^ 2n-1-2k + 1 is executed.

8. High nonlinearity

Definition 10. The non-linear n variable of F's Boolean function is called NF value, which is equivalent to Hamming's distance from F to a set, ", all affine functions are from n variable.

stay 7.2 we have mentioned the distance between any function and linear function (d) (f), (c), x) = 2n-1-wf (C / 2). Based on this, it is easy to obtain that the nonlinear f is represented by its Walsh Adama coefficient as follows: = NF = D) (F, an) = 2n-1-max (WF),) C / 2. Moreover, from the equality of pasalvar

C euro F


An estimate can be found below: Max WF) ^ 2n / 2. Therefore, the nonlinearity of function

The inequality of NF ^ 2n-1-2n / 2-1 is always satisfied.

Definition 11. The maximum nonlinear function, whose nonlinearity reaches the maximum possible value. For even variables, the maximum nonlinear function is also called bent function.

Can't you find what you want? Try a reference tool.

The higher the nonlinearity of Boolean function is, the better it is to be used in both stream operation and block encryption. Then we will attack two different types of encryption.

8.1. This is a very good person.

This type of attack joint generator appears shortly after the simple correlation attack) 7.1. Let's describe its basic idea without going into the code theory of correcting mistakes.

We will use the same combined generator at P 7.1. Like correlation attack, in order to fast correlation attack, we must find linear function (I) (x) =) C, J, where f has correlation, that is, f has correlation. [P] The difference is that now we don't care what WT) C is, and it's important to have as much relevance as possible.

We further believe that E 0) will replace I F 1. Let u = U0, U1, U2 Generator generated sequence. As you can imagine, this "right" order) is E. What we can see) is that the interference z = Z0, Z1, Z2 The error probability is 2 of 1, where Z is received by the same generator, but combined with function I rather than F. because we choose a considerable error probability, the error probability will be very small.

Let's say we can see the sequence segment U^+n-1. All kinds of meanings Z + + n-1 is the length n of a linear code. Then, observe the fragment of sequence u, and you can fix the Z sequence by error correction. This is a win, The linear complexity of Z is much lower than that of u, and the sequence length is short enough to restore the recursive law and the initial state of register Using the berkkamp Messi algorithm.

It is pointed out that the correlation value of F-function and affine function can be evaluated by their nonlinearity as follows: e ^ 2n-2nf. So, so

Higher nonlinearity, less maximum correlation, which means more opportunities for errors in analog noise channels, making fast correlation attacks impossible. In the combined F function generator.

8.2. Linear cryptanalysis was the idea in 1993. Japan's M. Matsui provides a statistical method to analyze the password des called linear cryptanalysis. The idea of the simplest work modification [20] algorithm 1 is described.

Let P, C, K blocks open the key to text, code, and some block ciphers. The linear approximation of a cipher is called proportion(

Algorithm 1. Linear cryptanalysis 1: we find a linear encryption approximation for its maximum. 2: 00 when the unknown key is fixed in n-pair sampling) P, s 3: For each sample pair, we calculate the left value selected in step 1. N0 is zero, N1 is zero, N0 + n = n.

4: (7), k = 0, if(

It is found that a linear ratio is the unknown key bit, so the complete interrupt from 2K to 2k-1 can be reduced, There is a more powerful linear cryptanalysis modification that allows you to immediately find a set of unknown key bits, But it's still the same - looking for linear approximations, but not all of the ciphers, but part of it.

The basic complexity of this method lies in how to find linear approximation. In practice, it does this: it analyzes the proportion of execution for s-blocks, then expands to multiple rounds and most p, C, K.

Let s-block password set vector( (1 / 2 + +) (2n-1-d) [a.x] (B, f) [J]) / 2n. Similarly, for a pipeline password, in order to successfully attack, that is to say E. Maximum (E), distance (d) must be minimized: (a, J,), (B, f):) all possible non-zero (e ^, B e ^ f ^ f ^). Therefore, the response to this attack is to select (d) to (a), (J), (b) and (f) vector functions as s-blocks in all possible non-zero degrees (a). B as much as possible. Note that this is equivalent to considering the nonlinearity of F function (b), f).

8.3. [literal] theoretical results and open questions are based on work. [42], 25] Let f-boolean function from n variable. Previously, we have obtained an estimated NF ^ 2n-1-2n / 2-1 nonlinearity, which is realized in even n bent function. In general, we do not know the largest nonlinear odd precision variable. For example, in the variable n f ^ 2n-1-2) N-1 of n = 1,3,5,7 F, we find ^ 2 of n-1, which is an estimate of a square function; but in the function of N-7 of odd number, we find that, Nonlinear) n-1 strictly greater than 2n-1-2/

Theorem 6 nonlinear random function)( There is a constant C, which is almost all Boolean functions from the n variable NF ^ 2n-1-2cy / n2ra 2-1.

The results show that the nonlinearity of any function is close to the upper limit, but it is often the case, It is a non dynamic task to find the specific functions with high nonlinearity.

In the next theory, we will introduce some known facts, bent function.

Theorem 7.

1. All variables of the bent function are very different.

2. For bent-f function, from n variables to WT: (f) = 2 ± 2n / 2-1.

3. For the bent-f function, it is the correct DEG) ^ n / 2 from n variables.

4. Designed by MacFarlane. Let p - any permutation of FF; H - any Boolean function from n / 2 variable. Then (f) ",") =) J '(P)((

From the approvals 3 and 4 of theory 7, the power estimators of bent function can be obtained from n variables.

Approve 3 evaluations (BN). Just: (2) 2 N / 2! ^ Bn^22-1+cn/2.

It is known that evaluation data have improved, but there are still improvements in quality. It can be seen that with the growth of N, the estimation gap becomes very large. The most urgent outstanding issue in this regard is to determine the exact number of seafloor functions, or at least a more appropriate seafloor function level power estimate. This, in turn, has to do with finding new structures. [42] there is a more detailed description of this.

Now let's look at vector Boolean (n), T-function F. we see that in order to combat linear cryptanalysis, we should choose as an s-block function, Its composition function is highly nonlinear. Therefore, the nonlinearity of vector function is defined as NF = min NV f). Therefore, the assessment of NF ^ 2 ° - 1-2n / 2-1 is also fair. When the nonlinear function reaches this estimate, it is also called the vector bent function. The question is, do they always exist?

Theorem 8 - the existence of functions). In m ^ n / 2, where n is explicit.

Theorem 9) Nonlinearity of m ^ n-1 in any century

Can't you find what you want? Try a reference tool.

1 I°2°-1°)

F function is an effective estimate of NF ^ 2 ± 1-3.2n-2-2.

In the case of n = t, it can be seen from the evaluation of female nurses that NF ^ ^ 2 ± 1-2)( At the same time, we know that the estimate is accurate. The maximum nonlinear n, ^ function is called almost bent function when it exists in odd number n) However, in the following cases, the maximum nonlinear problem is still pending:

(a) N is an odd number and M is n-1;

b) Even number and N 2 / M n-1.

9. Statistical independence

The concept of statistical independence was introduced in the consideration of statistical modelling of functions [4].

Definition 12. The statistics of Boolean functions f and n variables do not depend on their subsets u = {x ^, {xik}, if P [fia1:...,..., if f] = 0] = P [f = 0], as GF2.

To test the independence of statistics fairly and constructively.

Theorem 10) criteria for statistical independence. Boolean function (f) x.y) depends on N + m variable, where x g f ^, and G FM, statistics do not depend on X variable, unless and only if WF ^ u, 0 = 0 any u g F.

9.1. From these two times

Let F: FN x F2 ^ f ^. The function may be, for example, to convert an n-length open block to an m-length block with a long R key.

Definition 13. The statistical simulation equation of F function ^ ^ x.y, k = 0, where the function of x g FN, y g FM, k g F2 relation y = f) x, K) and: FN x FM x F2 ^ F2 is x, K) ^ ^ x, f) x, K (k) Statistics do not depend on the X of the variable. P = = 0) number is called probability

Statistical simulation is effective at P = 1 / 2.

Effective statistical analogy is considered to be the same purpose as code linear approximation, in P 8.2., - some simple equations are used to simulate passwords, which connect open text bits, code texts and key together, with a certain probability. But the important difference between them is that the function related to the equation is not statistically dependent on the variable sign of the open text, This ensures that this equation is still possible when any values of open text and related code are replaced.

The working paper [4] also discusses the statistical simulation problem similar to "simple and complex" method, that is to say, the statistical simulation method is a "simple and complex" method. E. How to build the statistical analogy of the whole password and simulate its simple components from the statistics. For example, the superposition position of the two discrete functions is determined by one of them in the interior) and the other of the statistical simulation in the exterior), and it shows that if the additivity The generated superposition function is the statistical simulation function of the first superposition function, and its external function statistical simulation probability "[4] In addition, the algorithm of block encryption analysis using linear and non-linear statistical simulation system is also provided. The maximum likelihood method is used in the encryption function of these simulation systems. Supported by DES code instances.

10. Algebraic immunity

Let the Boolean function be given from the n variable F. The Boolean function g is called the annihilator of F function from n variable, if FG = 0, equality is achieved.

Definition 14. f) The f) value of a function is called the minimum d number. There is a zero integer of g-level D, which is not equal to a function of f or F 1.

10.1. This is a very good person.

Before explaining the definition of algebraic immunity of Boolean functions, the following points must be pointed out. Generally speaking, any code, whether continuous or block, can be described in the form of Boolean equations.

This is the key, open text and code. So if we know several open text and code pairs in an unknown key, you can try to put them in the key found in this system. This system is unique in that it is jointly guaranteed, but for practical encryption, the solution seems to be very difficult. As we all know, in general, it is difficult to solve the problem of nonlinear Boolean equations.

There are some ways to solve nonlinear logic equation (NLL) systems, and learn more about their work. P. [2] Russian Federation We describe one of them. Because linear Boolean system has an effective Gauss method, in general, a natural idea is to try to make nonlinear system linear, But more variables. This is the so-called linearization method. However, the higher the algebraic power of the system, the more variables must be input in general.

So, an intermediate question is: first, can we reduce the size of the system without losing the solution, and then we can use the linearization method? 2003 N. Courtois and W. Meier [29] proposed the algebraic Cryptanalysis of filter oscillator based on the degree reduction of the equations. Later, this method was also used to combine generators and block encryption, and formed the final concept of algebraic immunity of Boolean functions. [the idea of algebraic Cryptanalysis of filtered generators according to this manual]

Consider the filter generator of function h from n variable. I f (F = J) = = (C, J) uses the recursion law of LFS, where C g f ^, and then at the next I-m working rhythm, I = 1, 2,..., the input of filtering function is the value of vector linear function L ^ k ^, where l) [xn ^ u me]“ ",, w = LP-2. (..., W0, f) [xn. U.i] [Wo] and K = =) kn-i [K0] - the initial state of the register.

If Generator output sequence, then

U u = h FC @ u.i. [right answer], [right answer], [right answer], [right answer], [right answer]

ui=h l)k(


UI = H ^ kn-i love

Can't you find what you want? Try a reference tool.

These equality are derived from the unknown k-key of the Boolean equation of the nonlinear system if the known sequence segment {}. Now we're trying to reduce the equation. Suppose one or two of the following conditions are met:

1) There's a function g, what's this(

(2) There is a small g f 0 function, which is(

Then we can reduce the equation as follows:

If UI = 0, not Li),) kn-i..., K0 = 0, look at the equation (LI) kn-i,

... “,”k0“

If UI = 1, instead of Li),) kn-i..., K0 = 1, look at equation g) kn-i

... “,”k0“

Please note condition 1. We have Hg = t; H houses are equal, and we get Hg = H. Therefore, t = t h, or( Repeat condition 1 and we get:

1 ') has a function = 0 small degree, such as:)) g) f 1 correction

Therefore, in order to prevent algebraic Cryptanalysis of filtered generators with l function, all D functions, such as LD = 0 or( DEG (g) is quite large. The algebraic immunity of L-function is called D

10.2. 2、 Baseline results and relationship with nonlinearity

[comment] 24 [indicate some known facts.

It is easy to see that DEG) is a natural evaluation of the algebraic immunity of function. In addition, the next algebraic immunity evaluation based on only the number of P variables is fair.

Theorem 11 last estimate) For any Boolean function / slave P variable, complete 1) ^ ^ P / 2, where the integer part of [k].

But as we all know, this kind of assessment can be realized, as the next theoretical example proves.

Theorem 12 function of maximum value) The functions of the following variables have the greatest algebraic immunity ± P / 2

Um... If ^ - ^) GP / 2

(1) For odd (1): /) I

1'u 1, if G / G 2;

If ^) / 2, then ^) / 2

E {0.1}, if - y = P / 2, 1, if ^ ^ J) P / 2.

Although there are examples of the largest Algebraic Immune function, little is known about this type of function. Another interesting fact is that it shows that the algebraic immunity of random functions is quite high.

Theorem 13 is a random function. For any a ^ 1 and almost all Boolean functions / variables, P2 is generated by 1 ^ 2 ^ 2.1 p ^ 2 ^ 2 ^ 1 P2

The concept of algebraic immunity is integrated in case) [T-function can be understood through work] [25]

We also provide a known and accurate low nonlinear function to estimate the algebraic immunity obtained by it. C. [10]

Theorem 14 relation 1 and a). For Boolean functions / slave P variables reference - 1) / / 2.

A / ^ 2 ^ SP-1 levy estimate


Although according to this assessment, the order of nonlinearity and algebraic immunity of functions is "not contradictory", High algebraic immunity does not guarantee high nonlinearity. Indeed, under the ideal GP / 2 Algebraic Immune rate, ^ this estimate is: A / ^ 2p-1-c) ^ p ^ 11 / 2 when odd P and a ^ 2p-1 ^ 2 are even P. As we did in P 8.3, this estimation is far away from the maximum nonlinear value of 2p-1-2p / 2-1 and the nonlinear value of random function.)(

Can't you find what you want? Try a reference tool.

11. Affinity and k-normality

Definition 15. Boolean function f from n variable is called k-affine, 0 ^ k ^ n-1, if there is a set of 1 ^ II IK ^ n and value ",, AK g F2, such as f secondary function 1'i"

Definition 16. The affine value of LaF Boolean function f is called the minimum non negative integer k, for which F is k-affine.

This Boolean parameter has been considered in the proposed o. Ah. Rogachev, a Ah. Saknikov, В B. Pangolin attack combined generator [12] It involves the possibility of a linearization method without introducing a new Boolean system variable to describe the operation of the generator. The less affine the composite function is, the more efficient the cryptanalysis is. The detailed study of LaF is in M L.L. Briakov [6] studies, among other things, the relationship between this parameter and other basic encryption features. We note that it is well known that the affine energy level behaves asymptotically, which indicates that it is very high.

Article 15 theorem( When n ^ is almost all f-ary functions, it is correct from n-ary n - [log 2 NJ ^ LAF ^ n - ~ log 2 n] + 1

[27,31] introduced a similar concept k-normalization in foreign literature.

Definition 17. If there is an affine subspace of dimension k, in which F is constant.

A successful example is that the main basis of successful cryptanalysis is The filter function of the five variables it uses has a low standard order, which is its 2-NORMAL.

12. Differential consistency

It is generally believed that in the early 1990s, due to the differential cryptanalysis of block encryption, the differential function definition in k.nyberg [38] document appeared, Proposed by E. Biham, A. Shamir is the encoder des 1990. It must be noted, however, that the approach taken by this concept was actually considered by the Soviet Union in the 1960s, as indicated in paragraph 7.

Definition 18. Boolean vector (n), T-function f is called differential 8-uniform, if any one (a = 0, B equation f) f) f) f) f) f f (a) = B has no more than 8 solutions.

It is easy to see that a minimum value of 8 equals 2nm.

Definition 19. Vector Boolean n, T-function f is called completely nonlinear PN function if it is differential 2p \ u t-uniform.

The equivalent definition of PN function is as follows:

Definition 19. F-Pn function, if its DAF derivative in all non-zero direction a G FN balance, that is, in all non-zero direction are the same. {g FN: Da f) {y} = all 2n

Y g FM.

Note that the function in M = n PN does not exist, because if the solution of F (J) equation is f) f (f) f (a) = B, then f (a) is also his decision.

Definition 20. Vector Boolean n, ^ function f is almost called completely nonlinear) [APN function, if it is differential 2-uniform.

12.1. Differential cryptanalysis

This paper describes the idea of differential cryptanalysis of component encryption, which follows working [20] algorithm 2. Consider iterating block code from the G circle. Specify open text P, P, type-C after middle code, C and final code-C, respectively. A pair of vectors, known as a type-m differential password, if there is open text, R, such as r r r r = A and C = C. In this case, probability - a type of differential), "a, l 'is a value [P] [C] = r r r"

Algorithm 2. Differential cryptanalysis 1: select the most likely g-1 differential.

2: N 4 sampling in a fixed unknown key

{P, P, C ', C', as R = a. 3: Break the circular connection kg, decrypt each pair of n to C, s "

In gsg-1, gsg-1 and gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, gsg-1, GSG 4: The principle of equality is stipulated in the presidential decree of the Russian Federation. We think it is right to carry out it frequently.

12.2. The relation between PN and bent function, open problem

On APN function

First of all, pay attention to the close relationship between the complete nonlinear function and the maximum nonlinear function considered in P. 8.

First of all, the title itself "completely nonlinear" reflects that these functions are also very different from the simplest linear functions to some extent. In fact, if l is linear)((

Second, the original PN function class and bent function class! [22] according to the review results, W. Meier and o. staffelbach introduced perfect nonlinear concepts for Boolean functions. It is soon found that the complete nonlinear function is completely consistent with the bent function, which was assumed by O.S. Rothaus as early as the 1970s. The next theory reflects this.

Can't you find what you want? Try a reference tool.

Theorem 16 of this function and its derivatives). When the Boolean function f is from the n-variable-bent-function, only if the derivative of DAF is balanced in all non-zero directions.

It can be seen from the definition of vector standard function (1). P. (3) And 16 theorem show that PN function class and vector bent function class are consistent. Therefore, the PN function only exists in m ^ n / 2.

An interesting open question is whether the nonlinearity of APN function is the same high? We know the following arguments.

13. Approval4. F-apn function, only if its Walsh Adama coefficient satisfies the same value = 3 ^ 24n-2 ^ 23


This identity does not allow the nonlinear estimation of APN function, but it shows that any AB function is APN. Therefore, as in this article, AB function is the best in two cryptographic standards. But a big negative AB function is because they only exist in odd variables, which is not convenient practice. As for the nonlinearity of APN function, we can be sure that it is not equal to zero. All known examples of APN functions show that their nonlinearity is quite high, but its lower or upper nontrivial estimators, even in the case of square functions.

It is worth noting that in the case of odd variables, there is also an APN function, This is not an ab. a known example is the inversion function of the last value of an element in f2n: F) = R2. As described in the M.M. review. Millimeter. [7] The best properties of this function are determined by the following Ah. Published in Ah. Yegorov was back in 1968. notes Ah. Yegorov also shows that for even n, the corresponding substitution is not the APN function, but the differential 4-uniform. This is a function of eight variables known as the code AES block.

Therefore, the second urgent problem we are facing in the field of APN function is the existence of APN substitution in the case of even variables. The calculation tests the functions of two and four variables. There is even a hypothetical question that the answer is No, In general, the answer is right. As you can imagine, when 2009. At the encryption conference of j.f.dillon et al. A common APN function of six variables is proposed. “The discovery in 2009 of an APN permutation in a field of characteristic 2 and even dimension has brought new motivation and new ideas to this field of research”[22] At present, all efforts are aimed at finding answers to this question, especially to the eight variables as encryption policy. Take note of Article 15 in this article.] H. Sakhkov is developing a new combination method to study and build a common APN function.

There is another interesting question. At work(

Rule: YF) a, B = 1, where, a, B, E F, if a = 0 and F) x f) x f (a) = B have solutions, and YF) a, B = 0 others. The following connection has been established.

13. Approval5. Let F -) n, P-function. 6. Fair charge:

(1) When f-apn-function, only when wt = 22n-1-2n-1;

(2) The f-ab function is in and only in the case of YF bent function.

13. Decomposability of special functions

The property of this vector Boolean function is to solve the problem of data masking, which is caused by the third-party channel attack. The encryption algorithm is easy to be attacked, and its purpose is to weaken the actual implementation of the algorithm. The cryptography analyst studies the specific parameters, such as the required power, operation time, electromagnetic radiation. By comparing their different input data and collecting some statistical data, he can obtain information about secret key, operation performed in the device and its parameters. As a countermeasure, the method adopted is to mask the input data to ensure that the calculation work will not rely on these data obviously.

Definition 21. The function of T-S in R part is called NR, T-S J, j = 1 , R, with the following characteristics:


Correct. For all x =) x1 , xn) is true: s) ,(xn)=Sj)…… , XR)


For any Hg =) X1 the United Nations

Not completely. SJ of each function, j = 1 , R, independent of the XJ variable.


Homogeneity For any vector y, 1 , yr e f ^ e.g. fyj = y, normally open


(2) R-1) m-n.s-1) y. any J = 1 notes

It is theoretically proved that if a vector function instead of a vector function realizes its threshold decomposition in krypton system, This will stabilize the system at a level of energy consumption by differential attack( Intuitively, the threshold decomposition of the r part of the function is a scheme of assigning the X-R vector x J, j = 1 between players of the secret input value X-r , R. in this case

Can't you find what you want? Try a reference tool.

What kind of g-1 player can't restore secrets is required by incomplete split: everyone doesn't rely on variable-7, so even if you know it, We cannot restore the original input value of X. The requirement for correctness is natural: the splitting of thresholds enables the same transformation as the original function. In order to ensure the "right transition" between the rounds, there needs to be balance. E. Distribute the values evenly when entering the next round of conversion.

The natural question is: what is the lowest gram value of function 5, and there is a threshold of 5 / gram for this function? This is a real problem, because it is directly related to the scale and cost of the whole cryptographic algorithm. As we all know, for the algebraic power function of D, the minimum value of D is not less than D + + 1. In this case, it is usually easy to establish a threshold that only satisfies the correction and incomplete characteristics, and more difficult to ensure consistency. In addition, it is shown that in the single valued function from the number of small variables to the number of small variables, 21[ Not all d-level functions. You can set a threshold of D + 1, which we call the minimum part. So an open mathematical question is raised: can we choose some easy to test features, these functions, Who has the minimum boundaries? If there is no minimum, then what is it?

Because these problems haven't been solved for the time being, the developers of this method are on their way, Minimum resistance: we can't find the minimum decomposition - the threshold we are looking for is divided into more parts. For example, calculations show that a function that does not interact more than one of the five variables can be defined as a threshold of five parts. However, a compromise must be reached between the size and value of the sale. Therefore, another idea has also been promoted: those functions that cannot find the minimum decomposition 5, as the synthesis of two or more functions, such as 5== PCOC, one of the two coefficients is lower, and the other is easier to determine the minimum splitting threshold.

14. Multiplicative complexity

Simply mention another aspect of using bread as a cryptographic element.

Definition 22. Multiplying ( It is necessary and sufficient for any e-p (P) {P} in the basis {F, 1}.

The multiplicative complexity of the function is related to the size and cost of the hardware using the password. The smaller the complexity of function multiplication, the easier the implementation of the scheme. This applies particularly to the so-called "easy"(

As mentioned earlier 13. In modern hardware execution, it is necessary to hide the calculation to prevent the attack of the third-party channel, What's more, it's important to make different masks perform nonlinear transformations. So the less, the better. Although, as 44 points out, implementing two digit complexity( In this case, is it more efficient to use multiplicative complexity?

[28] we also note that there is a hypothesis that the complexity of implementing a low multiplicative transformation of the entire code may reflect exactly the opposite of its weakness, Specifically, cryptographic algebraic cryptanalysis can be used.

15. Linear set

This method is developed by G P. [straight meaning]3.

Let's have five Boolean equations.

Definition 23. The x-variable quantum set of a system is called linearization. If the values of these variables in the system are fixed, the latter becomes a system of linear equations.

Note that the power of a linear multivariable system can be reduced by introducing auxiliary variables.

Let eleven , X-system variable 5 If a set of values a ^ , is the complete solution of system 5, any subsystem a 1 ^ ^ respectively ^K, known as part of the system solution. If it is replaced by a system to make it linear, the partial solution is quasi complete.

15.1. An idea of L and n e e e e e e e e e e e e e e e e and Z Z Z E e e e e and o o o o o o e e e e e e e e e e e e e e e e e e e e e e e e e e e e e

The work of the key flow generator can be described by a set of Boolean equations if some finite segments of the output sequence are known. The essence of linear attack is to find the least power of the system and the corresponding linear multivariable solution of quasi whole system. In fact, by performing an excess of variable values from a linear set and checking the joint linear equations, The quasi complete solution of the system can be found by the value obtained when substituting the data, and the linear equations can also be completely solved by the complexity of polynomials. In this case, the complexity of the attack is estimated to be 2 x, where x-x is the power of the linear set variable.

To illustrate the work of this attack, we provide a combined generator, uyei, which consists of three largest lengths, 1,2, 3 correspondingly, combined with function f) [x, u, g] = hoof The Boolean equations describing the operation of the generator are as follows:


HH a HH L^


==F. ^ = 0, ^ type = 0 ~ 2-1

0, ^ 0

Type =0-3-1


Type =0


1 P-4,1 P-3,1 P-3,1 P-2,1 P-3,1 P-2,1 P-3,1 P-2,1 P-3,1 P-2,


Can't you find what you want? Try a reference tool.


In T ^ Shah 1, 2, 3;; and 0, 1,..., information 1-known initial output sequence segments; and * some given constants. The unknown key variable is 1 X2... 1,x 2-1,x 0,……,x 3-1. under these circumstances

X={R2 "... , x12-1} forms many variables of the linearized system. Therefore, Linear attack the generator can realize the difficulty of not more than 2 ^ 2 passing the set of X variable values tested. The complexity of this attack is as follows:, (related) see the next article: http://www.xxxdoc.comwww.xxxdoc.comwww.xxxdoc.comwww.xxxdoc.comwww.xxxdoc.comwww.xxdoc.comwww.xxxdoc.comwww.xxxdoc.com P. 7.1. - complexity 2.1 + 2 + 2

The same results are fair for alternant controlled generators, multiplex generators and scalar multiplication generators.


As a conclusion, I would like to point out the beauty of mathematics, which is hidden in the cryptography of Boolean functions, especially in the different meanings of non-linear. It seems that the definition of bent function or ara function can also understand students, And a famous mathematician who can't describe their class completely (and can't even find an acceptable ability to estimate these classes) is impossible! It is likely that the answers to these questions (which will appear sooner or later) will not be so important in application, However, they will be curious about mathematics itself.

In this review, we have barely explained the connection between different encryption features. Practice shows that as a part of password, we must choose the function of "good in all aspects", which is actually a very difficult task, Because many characteristics sometimes contradict each other. Although, as we can see, theoretical results show that many cryptographic parameters of random functions are close to optimal. The question is, how do you choose it, by chance?

The author would like to thank colleagues for their valuable comments and additions.

Reference material

1. Ajibarov mountain P. Favorite elementary encryption theory: learning. Reference material Tomsk: April 2005 116C.

2. Ajibarov mountain P. Methods for solving polynomial equations / Journal of Tomsk National University. Enclosure. 2006. Serial number 17. C. 4-9.

3. Ajibarov mountain P. Tomsk National University informs the logic equation in the encryption analysis of key flow generators. Enclosure. 2003. Serial number 6. C. 31-41.

4. Ajibarov mountain Pancratov I Ah. Discrete function statistical simulation theory element is used to encrypt iterative block / apply Discrete Mathematics for encryption analysis. 2010. Serial number 3. C.51-68.

5. Alfirov a Teeth, teeth The Treasury of the city. Sheremushkin B. Basic password. M.:GELOS ARV,2002. 480C.

6. Briakov angle L.L. Algebraic, combinatorial and cryptographic properties of affine restricted parameters of Boolean functions: dis Candle. Mathematical Science. M. , 2007.

7. Cape glomov Millimeter. On the problem of complete and almost complete nonlinear function / mathematical encryption. 2016. In the press)

8. Cape glomov Millimeter. Plane mapping and generalization of finite fields. Introduction to the meeting Algebra and logic, theory and application. Krasnoyarsk, July 21-27, 2013.

9. Gorodilov a Ah. Almost completely nonlinear functions are described by subfunction / / discrete mathematics. 2015. because 27. Cheers! C.3-16.

10. Lobanov angle C. The exact relationship between nonlinearity and algebraic immunity / / discrete mathematics. 2006. because 18. Cheers! C.152-159.

11. Logachev Island Seal ring Published in Blake, lizard Blake B. Boolean functions in coding and krypton theory. The second edition. M: International Tribunal for the law of the sea, 2012. 584C.

12. Logachev Island Seal ring Lizard. B. Related immunity and authenticity / math and it security. Company profile Moscow, 23-24 October 2003 M: Demining centre, 2004. C. 165-171.

13. Pankow H. The mathematical problem of the asymptotical estimate / encryption of binary display numbers with given cryptographic properties. 2014. because 5. Cheers! 4. C. 73-97.

14. Pancratov I Ah. The password of Boolean function: learning. Reference material Tomsk: Tomsk National University Press, 2014. 88 C.

15. Sachi Kopf H. Poor combinatorial performance 2-uniform permutation / / mathematical cryptography problem. 2015. because 6. Cheers! 1. C. 159-179.

16. Seleznev s H. The multiplicative complexity of some functions in logical algebra / / discrete mathematics. 2014. because 26. Cheers! 4. C.100-109.

17. Smelitjev B. On the weakness of some binary sequence transformation classes / / applying discrete mathematics. 2010. Page: 1 C. 5-15.

18. Sumarokov s H. Prohibit the reversibility of binary functions and a class of coding devices, / / review of Applied Mathematics and industrial mathematics. 1994. because 1. Cheers! 1. C. 33-55.

19. Tarannikov B. Related immune function and stable Boolean function / / MA metric. The problem of cybernetics. 2002. Cheers! 11. C. 91148.

20. Tokalev mountain H. Symmetric encryption Short training class: study. Reference material Novosibirsk: Novosibirsk State University, 2012. 232 C.

Can't you find what you want? Try a reference tool.

21. BilginB., NikovaS., Nikov V., et al. Threshold implementations of small S-boxes // Cryptography and Communications. 2015. V. 7. No. 1. P. 3-33. 22. Blondeau C. and Nyberg K. Perfect nonlinear functions and cryptography // Finite Fields and their Applications. 2015. V. 32. P. 120-147. 23. Braeken A. Cryptographic Properties of Boolean Functions and S-boxes. PhD Thesis, Katholieke Universiteit Leuven, 2006. 24. Carlet C. Boolean functions for cryptography and error correcting codes // Ch. 8 of the Monograph "Boolean Methods and Models in Mathematics, Computer Science, and Engineering", Cambridge Univ. Press, 2010. P. 257-397. 25. Carlet C. Vectorial Boolean functions for cryptography // Ch. 9 of the Monograph "Boolean Methods and Models in Mathematics, Computer Science, and Engineering", Cambridge Univ. Press, 2010. P. 398-472. 26. Carlet C., Charpin P., and Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems // Des. Codes Cryptogr. 1998. V. 15. P. 125-156. 27. Charpin P. Normal Boolean functions //J. Complexity. 2004. V. 20. P. 245-265. 28. Courtois N., Hulme D., and Mourouzis T. Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. Cryptology ePrint Archive. Report 2011/475 (2011). 29. Courtois N. and Meier W. Algebraic attack on stream ciphers with linear feedback // LNCS. 2003. V. 2656. P. 345-359. 30. Cusick T. W. and Stanica P. Cryptographic Boolean Functions and Applications. Acad. Press. Elsevier, 2009. 245 p. 31. Dobbertin H. Construction of bent functions and balanced Boolean functions with high nonlinearity // FSE'95. LNCS. 1995. V. 1008. P. 61-74. 32. EvertseJ.H. Linear structures in block ciphers // EUROCRYPT'87. LNCS. 1988. V.304. P. 249-266. 33. Fon-Der-Flaass D. G. A bound on correlation immunity // Siberian Elektron. Mat. Izv. 2007. No. 4. P. 133-135. 34. GolicJ.Dj. On the security of nonlinear filter generators // FSE'96. LNCS. 1996. V. 1039. P. 173-188. 35. Gorodilova A. On a Remarkable Property of APN Gold Functions. Cryptology ePrint Archive. Report 2016/286 (2016). 36. Mihaljevic M., Gangopadhyay S., Paul G., and Imai H. An algorithm for the internal state recovery of Grain-v1 // Proc. CECC'2011. Debrecen, Hungary, June 30-July 2, 2011. P. 7-20. 37. Nikova S., Rechberger C., and Rijmen V. Threshold implementations against side-channel attacks and glitches // LNCS. 2006. V. 4307. P. 529-545. 38. Nyberg K. Differentially uniform mappings for cryptography // Eurocrypt'93. LNCS. 1994. V. 765. P. 55-64. 39. PreneelB., Van Leekwijck W., Van Linden L., et al. Propagation characteristics of Boolean functions // Eurocrypt'90. LNCS. 1991. V.473. P. 161-173. 40. Siegenthaler T. Correlation-immunity of nonlinear combining functions for cryptographic applications // IEEE Trans. Inform. Theory. 1984. V.30. No. 5. P. 776-780. 41. Tarannikov Y. V. Generalized proper matrices and constructing of m-resilient Boolean functions with maximal nonlinearity for expanded range of parameters // Siberian Elektron. Mat. Izv. 2014. No. 11. P. 229-245. 42. Tokareva N. Bent Functions: Results and Applications to Cryptography. Acad. Press. Elsevier, 2015. 220 p. 43. Webster A. F. and Tavares S. E. On the design of S-boxes // Crypto'85. LNCS. 1986. V. 218. P. 523-534. 44. Zajac P. and Jokay M. Multiplicative complexity of bijective 4 x 4 S-boxes // Cryptography and Communications. 2014. V. 6. No. 3. P. 255-277. 45. Zhang X.-M. and Zheng Y. GAC — the criterion for Global Avalanche Characteristics of cryptographic functions //J. Universal Computer Science. 1995. V. 1. No. 5. P. 320-337. REFERENCES 1. Agibalov G. P. Izbrannye teoremy nachal'nogo kursa kriptografii: ucheb. posobie [Selected Theorems of Basic Cryptography Course: Tutorial]. Tomsk, NTL Publ., 2005. (in Russian) 2. Agibalov G. P. Metody resheniya sistem polinomial'nykh uravneniy nad konechnym polem [Methods for solving systems of polynomial equations over a finite field]. Vestnik Tomskogo Gosudarstvennogo Universiteta. Prilozhenie, 2006, no. 17, pp. 4-9. (in Russian) 3. Agibalov G. P. Logicheskie uravneniya v kriptoanalize generatorov klyuchevogo potoka [Logical equations in cryptanalysis of key stream generators]. Vestnik Tomskogo Gosudarstvennogo Universiteta. Prilozhenie, 2003, no. 6, pp. 31-41. (in Russian) 4. Agibalov G. P. and Pankratova I. A. Elementy teorii statisticheskikh analogov diskretnykh funktsiy s primeneniem v kriptoanalize iterativnykh blochnykh shifrov [Statistical approximation theory for discrete functions with application in cryptanalysis of iterative block ciphers]. Prikladnaya Diskretnaya Matematika, 2010, no.3, pp. 51-68. (in Russian) iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы. 5. AlferovA.P., ZubovA.Yu., Kuz'minA.S., and Cheremushkin A. V. Osnovy Kriptografii [Basics of Cryptography]. Moscow, Gelios ARV Publ., 2002. (in Russian)

6. Buryakov M. L. Algebraicheskie, kombinatornye i kriptograficheskie svoystva parametrov affinnykh ogranicheniy bulevykh funktsiy [Algebraic, Combinatorial, and Cryptographic properties of Parameters of Boolean Functions Affine Restrictions]. PhD Thesis, Moscow, 2007. (in Russian) 7. Glukhov M. M. O sovershenno i pochti sovershenno nelineynykh funktsiyakh [About perfectly and almost perfectly non-linear functions]. Matematicheskie Voprosy Kriptografii, 2016. (to be published) (in Russian) 8. Glukhov M. M. Planarnye otobrazheniya konechnykh poley i ikh obobshcheniya [On planar maps and their generalisation to finite fields]. Pres. conf. "Algebra and Logic, Theory and Applications", Krasnoyarsk, 21-27 July 2013. 9. Gorodilova A. A. Kharakterizatsiya pochti sovershenno nelineynykh funktsiy cherez podfunktsii [Characteristics of almost perfectly non-linear functions by subfunctions]. Diskr. Mat., 2015, vol.27, no.3, pp.3-16. (in Russian) 10. Lobanov M. S. Tochnoe sootnoshenie mezhdu nelineynost'yu i algebraicheskoy immunnost'yu [Exact relation between nonlinearity and algebraic immunity]. Diskr. Mat., 2006, vol. 18, no. 3, pp. 152-159. (in Russian) 11. Logachev O.A., Sal'nikov A. A., Smyshlyaev S. V., and Yashchenko V. V. Bulevy funktsii v teorii kodirovaniya i kriptologii [Boolean Functions in Coding Theory and Cryptology]. Moscow, MCCME Publ., 2012. (in Russian) 12. Logachev O. A., Sal'nikov A. A., and Yashchenko V. V. Korrelyatsionnaya immunnost' i real'naya sekretnost' [Correlation immunity and real privacy]. Proc. conf. "Mathematics and Security of Information Technologies", Moscow, MCCME Publ., 2004, pp. 165-171. (in Russian) 13. Pankov K. N. Asimptoticheskie otsenki dlya chisel dvoichnykh otobrazheniy s zadannymi kriptograficheskimi svoystvami [Asymptotic estimates for numbers of Boolean mappings with given cryptographic properties]. Mat. Vopr. Kriptogr., 2014, vol.5, iss.4, pp. 73-97. (in Russian) 14. Pankratova I. A. Bulevy funktsii v kriptografii: ucheb. posobie [Boolean Functions in Cryptography: Tutorial]. Tomsk, TSU Publ., 2014. (in Russian) 15. Sachkov V. N. Kombinatornye svoystva differentsial'no 2-ravnomernykh podstanovok [Combinatorial properties of differentially 2-uniform substitutions]. Mat. Vopr. Kriptogr., 2015, vol.6, iss. 1, pp. 159-179. (in Russian) 16. Selezneva S. N. Mul'tiplikativnaya slozhnost' nekotorykh funktsiy algebry logiki [Multiplicative complexity of some Boolean functions]. Diskr. Mat., 2014, vol.26, iss.4, pp. 100-109. (in Russian) 17. Smyshlyaev S. V. O kriptograficheskikh slabostyakh nekotorykh klassov preobrazovaniy dvoichnykh posledovatel'nostey [On cryptographic weaknesses of some classes of binary sequence transformations]. Prikladnaya Diskretnaya Matematika, 2010, no. 1, pp. 5-15. (in Russian) 18. Sumarokov S. N. Zaprety dvoichnykh funktsiy i obratimost' dlya odnogo klassa kodiruyushchikh ustroystv [Prohibitions of binary functions and reversibility for a class of encoders]. Obozrenie Prikladnoy i Promyshlennoy Matematiki, 1994, vol.1, no. 1, pp.33-55. (in Russian) 19. Tarannikov Yu. V. O korrelyatsionno-immunnykh i ustoychivykh bulevykh funktsiyakh [On correlation-immune and resilient Boolean functions]. Mat. Voprosy Kibernetiki, 2002, vol. 11, pp. 91-148. (in Russian) 20. Tokareva N. N. Simmetrichnaya kriptografiya. Kratkiy kurs: ucheb. posobie. [Symmetric Cryptography. Short Course: Tutorial]. Novosibirsk, NSU Publ., 2012. (in Russian) 21. BilginB., NikovaS., Nikov V., et al. Threshold implementations of small S-boxes. Cryptography and Communications, 2015, vol.7, no. 1, pp.3-33. 22. Blondeau C. and Nyberg K. Perfect nonlinear functions and cryptography. Finite Fields and their Applications, 2015, vol.32, pp. 120-147. 23. Braeken A. Cryptographic Properties of Boolean Functions and S-boxes. PhD Thesis, Katholieke Universiteit Leuven, 2006. 24. Carlet C. Boolean functions for cryptography and error correcting codes. Ch. 8 of the Monograph "Boolean Methods and Models in Mathematics, Computer Science, and Engineering", Cambridge Univ. Press, 2010, pp. 257-397. 25. Carlet C. Vectorial Boolean functions for cryptography. Ch. 9 of the Monograph "Boolean Methods and Models in Mathematics, Computer Science, and Engineering", Cambridge Univ. Press, 2010, pp. 398-472. 26. Carlet C., Charpin P., and Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Cryptogr., 1998, vol. 15, pp. 125-156. 27. Charpin P. Normal Boolean functions. J. Complexity, 2004, vol.20, pp. 245-265. 28. Courtois N., Hulme D., and Mourouzis T. Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis. Cryptology ePrint Archive. Report 2011/475 (2011). 29. Courtois N. and Meier W. Algebraic attack on stream ciphers with linear feedback. LNCS, 2003, vol. 2656, pp. 345-359. 30. Cusick T. W. and Stanica P. Cryptographic Boolean Functions and Applications. Acad. Press. Elsevier, 2009. 245 p.

31. Dobbertin H. Construction of bent functions and balanced Boolean functions with high nonlinearity. FSE'95, LNCS, 1995, vol.1008, pp. 61-74. 32. EvertseJ.H. Linear structures in block ciphers. EUROCRYPT'87, LNCS, 1988, vol.304, pp. 249-266. 33. Fon-Der-Flaass D. G. A bound on correlation immunity. Siberian Elektron. Mat. Izv., 2007, no. 4, pp.133-135. 34. GolicJ.Dj. On the security of nonlinear filter generators. FSE'96, LNCS, 1996, vol.1039, pp.173-188. iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы. 35. Gorodilova A. On a Remarkable Property of APN Gold Functions. Cryptology ePrint Archive. Report 2016/286 (2016). 36. Mihaljevic M., Gangopadhyay S., Paul G., and Imai H. An algorithm for the internal state recovery of Grain-v1. Proc. CECC'2011 Debrecen, Hungary, June 30-July 2, 2011, pp. 7-20. 37. Nikova S., Rechberger C., and Rijmen V. Threshold implementations against side-channel attacks and glitches. LNCS, 2006, vol. 4307, pp. 529-545. 38. Nyberg K. Differentially uniform mappings for cryptography. Eurocrypt'93, LNCS, 1994, vol. 765, pp. 55-64. 39. PreneelB., Van Leekwijck W., Van Linden L., et al. Propagation characteristics of Boolean functions. Eurocrypt'90, LNCS, 1991, vol.473, pp. 161-173. 40. Siegenthaler T. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. Inform. Theory, 1984, V. 30, no. 5, pp. 776-780. 41. Tarannikov Y. V. Generalized proper matrices and constructing of m-resilient Boolean functions with maximal nonlinearity for expanded range of parameters. Siberian Elektron. Mat. Izv., 2014, no. 11, pp. 229-245. 42. Tokareva N. Bent Functions: Results and Applications to Cryptography. Acad. Press. Elsevier, 2015. 220 p. 43. Webster A. F. and Tavares S.E. On the design of S-boxes. Crypto'85, LNCS, 1986, vol.218, pp. 523-534. 44. Zajac P. and Jokay M. Multiplicative complexity of bijective 4 x 4 S-boxes. Cryptography and Communications, 2014, vol. 6, no. 3, pp. 255-277. 45. Zhang X.-M. and Zheng Y. GAC — the criterion for Global Avalanche Characteristics of cryptographic functions. J. Universal Computer Science, 1995, vol.1, no. 5, pp. 320-337.