{**x** ∈ Vn | Δ**u***F*(**x**) = **v**} (10)

<sup>2</sup>*<sup>n</sup>* #*DF*(**u**, **v**)*, then the Differential*

<sup>2</sup>*<sup>n</sup> DU*(*F*). The differential profile

A ∈ M*n*×*m*(GF(2)) *and* **b** ∈ Vm*, its spectrum holds that Pommerening (2005):*

⎧ ⎨ ⎩

ˆ

**Theorem 4.** *If F* <sup>∈</sup> *Fn*,*<sup>n</sup> is bijective then it holds that:* <sup>ˆ</sup>

*of f with itself, denoted by rf*(**u**) : Vn → **R** *and defined by:*

<sup>2</sup>*<sup>n</sup>* ∑ **x**∈Vn

*rf*(**u**) = <sup>1</sup>

*rF*(**u**, **v**) = <sup>1</sup>

*DU*(*F*) = max

(**u**,**v**)�=(**0**,**0**)

differential distribution table we obtain the Differential profile: **Definition 9.** *Let the function <sup>δ</sup><sup>F</sup>* : Vn <sup>×</sup> Vm <sup>→</sup> *<sup>Q</sup> <sup>δ</sup>F*(**u**, **<sup>v</sup>**) = <sup>1</sup>

*<sup>δ</sup>F*(**ffi**,**ffj**) *with i* ∈ {1, . . . , 2*<sup>n</sup>* <sup>−</sup> <sup>1</sup>} *and j* ∈ {1, . . . , 2*<sup>m</sup>* <sup>−</sup> <sup>1</sup>}*.*

and its differential potential are related as follows: *dp*(*F*) = <sup>1</sup>

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *rF*(**u**, **<sup>w</sup>**)*χ***v**(**w**).

max {*δF*(**u**, **v**) | ∀ **u** ∈ Vn, **v** ∈ Vm,(**u**, **v**) �= (**0**, **0**)}*.*

{**x** ∈ Vn | Δ**u***F*(**x**) = **v**}.

Let *<sup>F</sup>* <sup>∈</sup> *Fn*,*<sup>m</sup>* then <sup>1</sup>

(1995): *δF*(**u**, **v**) = <sup>1</sup>

*θL*A,**<sup>b</sup>** (**u**, **v**) =

The resistance of the cryptosystems to the known attacks can be quantified through some fundamental characteristics of the Vector Boolean functions used in them. In this chapter, we consider the characteristics most commonly employed for the design of cryptographic functions present in modern block and stream ciphers.

### **3.1 Nonlinearity**

**Definition 11.** *The nonlinearity of the Boolean function f* ∈ *F<sup>n</sup> is a characteristic defined as the distance to the nearest affine function as follows: NL*(*f*) = min*a***u**∈*A<sup>n</sup> <sup>d</sup>*(*<sup>f</sup>* , *<sup>a</sup>***u**) = <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup> <sup>2</sup> max**u**∈Vn |*χ*<sup>ˆ</sup> *<sup>f</sup>*(**u**)| *Meier & Staffelbach (1990).*

**Definition 12.** *The nonlinearity of a Vector Boolean function F* ∈ *Fn*,*<sup>m</sup> is defined as the minimum among the nonlinearities of all nonzero linear combinations of the coordinate functions of F Nyberg (1993):*

$$\mathcal{N}\mathcal{L}(F) = \min\_{\mathbf{v}\neq\mathbf{0}\in\mathcal{V}\_{\mathbf{m}}} \mathcal{N}\mathcal{L}(\mathbf{v}\cdot F) = 2^{n-1} - \frac{1}{2}\max^\*\left(\mathsf{WS}(F)(\mathbf{u}, \mathbf{v})\right) \tag{11}$$

Alternatively, and also associated with the cardinality of the sets of values for which *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup>* satisfies any given linear relation parametrized by (**u**, **v**) we can define the *linear potential* of *<sup>F</sup>* <sup>∈</sup> *Fn*,*<sup>m</sup>* as *l p*(*F*) = <sup>1</sup> <sup>22</sup>*<sup>n</sup>* · <sup>∗</sup> max (WS(*F*)(**u**, **<sup>v</sup>**) 2 ) which is also exploited as a measure of linearity in linear cryptanalysis, and satisfies Chabaud & Vaudenay (1994) <sup>1</sup> <sup>2</sup>*<sup>n</sup>* ≤ *l p*(*F*) ≤ 1 so that the lower bound holds if and only if *F* has maximum nonlinearity (*F* is bent) and the upper bound is reached when *F* is linear or affine.

### **3.2 Linearity distance**

**Definition 13.** *The linearity distance of the Vector Boolean function F* ∈ *Fn*,*<sup>m</sup> is defined as the minimum among the linearity distances of all nonzero linear combinations of the coordinate functions of F:*

$$\mathcal{L}\mathcal{D}(F) = \min\_{\mathbf{v}\neq\mathbf{0}\in\mathcal{V}\_{\mathbf{m}}} \mathcal{L}\mathcal{D}(\mathbf{v}\cdot F) = 2^{\mathbb{N}-1} \cdot \min\_{\mathbf{u}\neq\mathbf{0}\in\mathcal{V}\_{\mathbf{n}}, \mathbf{v}\neq\mathbf{0}\in\mathcal{V}\_{\mathbf{m}}} \left\{\delta\_{\mathcal{F}}(\mathbf{u},\mathbf{v})\right\} \tag{12}$$

**Definition 14.** *The linearity distance can be expressed in terms of the differential potential as follows: LD*(*F*) = <sup>2</sup>*n*−<sup>1</sup> · (<sup>1</sup> <sup>−</sup> *dp*(*F*)) <sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> · <sup>1</sup><sup>−</sup> <sup>∗</sup> max (DP(*F*)) *Pommerening (2005).*

### **3.3 Balancedness**

**Definition 15.** *<sup>f</sup>* ∈ *F<sup>n</sup> is balanced if its output is uniformly distributed over* GF(2) *satisfying χ*ˆ *<sup>f</sup>*(**0**) = 0*.*

**Definition 16.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> is balanced (or to have balanced output) if each possible output m-tuple occurs with equal probability* <sup>1</sup> <sup>2</sup>*<sup>m</sup> , that is, its output is uniformly distributed in* Vm*. This is equivalent to say that for every* **y** ∈ Vm*:*

$$\#\{\mathbf{x}\in\mathcal{V}\_{\mathbf{n}}\,\big|\,F(\mathbf{x})=\mathbf{y}\}=\mathcal{2}^{\mathrm{n}-\mathrm{m}}\longleftrightarrow\hat{\theta}\_{F}(\mathbf{0},\mathbf{v})=\mathbf{0},\,\forall\,\mathbf{v}\neq\mathbf{0}\in\mathrm{V}\_{\mathrm{m}}\tag{13}$$

**Theorem 6.** *Let F* ∈ *Fn*,*<sup>m</sup> and let L*A,**<sup>b</sup>** ∈ *Fn*,*<sup>n</sup> an affine bijection. The Differential Profile for their composition can be calculated from the product of their respective Differential Profiles in the following*

Cryptographic Criteria on Vector Boolean Functions 59

*Proof.* Taking into account the equality *rF*◦*L*A,**<sup>b</sup>** (**u**, **v**) = *rF*(A**u**, **v**) described in Millan (1998), it

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *rF*(A**u**, **<sup>w</sup>**)*χ***v**(**w**) = *<sup>δ</sup>F*(A**u**, **<sup>w</sup>**)

**Theorem 7.** *If F is a t-resilient function and G is balanced, then G* ◦ *F is also a t-resilient function.*

**Lemma 1.** *From Theorem 5 and Theorem 3 we can conclude that the effect of applying an invertible linear function before (or after) a function is only a permutation of its columns (or rows). In case it is*

> <sup>∗</sup> max (WS(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**)) = <sup>∗</sup> max (WS(*F*)) <sup>∗</sup> max (DP(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**)) = <sup>∗</sup> max (DP(*F*))

**Corollary 4.** *The nonlinearity and the linearity distance are invariant under linear (or affine)*

*NL*(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**) = *NL*(*F*) *LD*(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**) = *LD*(*F*)

Here we give alternative proofs as those given by Nyberg in Nyberg (1995) by using corollary

2

= *LD*(*F*)

<sup>∗</sup> max (WS(*F*)) = *NL*(*F*)

<sup>∗</sup> max (WS(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**))

<sup>1</sup><sup>−</sup> <sup>∗</sup> max (DP(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**))

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *rF*◦*L*A,**<sup>b</sup>** (**u**, **<sup>w</sup>**)*χ***v**(**w**)

<sup>2</sup>*<sup>n</sup>* DP(*L*A,**b**) · DP(*F*) (18)

DP(*<sup>F</sup>* ◦ *<sup>L</sup>*A,**b**) = <sup>1</sup>

**Corollary 2.** *If F is a balanced function, then G* ◦ *F is also a balanced function.*

Let *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup>* and let *<sup>L</sup>*A,**<sup>b</sup>** ∈ *Fm*,*<sup>m</sup>* and *<sup>L</sup>*C,**<sup>d</sup>** ∈ *Fn*,*<sup>n</sup>* be linear (or affine) bijections.

*an affine bijection, the sign of all the elements of some of its columns (or rows) are changed.*

*<sup>δ</sup>F*◦*L*A,**<sup>b</sup>** (**u**, **<sup>w</sup>**) = <sup>1</sup>

= <sup>1</sup>

**4.2 Affine bijections of Vector Boolean functions**

**Corollary 3.** *As a corollary of Lemma 1, we get the following:*

*bijections of the input space and of the output space, so that Nyberg (1995):*

*NL*(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**) = <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>1</sup><sup>−</sup> <sup>∗</sup> max (DP(*F*))

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> ·

2

*LD*(*L*A,**<sup>b</sup>** ◦ *<sup>F</sup>* ◦ *<sup>L</sup>*C,**d**) = <sup>2</sup>*n*−<sup>1</sup> ·

*way:*

3:

*Proof.*

holds that:

### **3.4 Correlation immunity**

**Definition 17.** *<sup>f</sup>* ∈ *F<sup>n</sup> is called correlation-immune of order t (t-CI) if for every subset* {*i*1, *i*2,..., *it*}⊆{1, 2, . . . , *n*}*, f is statistically independent of* (*xi*<sup>1</sup> , *xi*<sup>2</sup> ,..., *xit* )*, satisfying Xiao & Massey (1988): χ*ˆ *<sup>f</sup>*(**u**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *t. f can also be denoted as* (*n*, 1, *t*)*-CI function.*

**Definition 18.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> is an* (*n*, *<sup>m</sup>*, *<sup>t</sup>*)*-CI function if and only if every nonzero linear combination f*(**x**) = ∑*<sup>m</sup> <sup>i</sup>*=<sup>1</sup> *vi fi*(**x**) *of coordinate functions of F is an* (*n*, 1, *t*)*-CI function, where* **x** ∈ Vn, *vi* ∈ GF(2) *i* = 1, . . . , *m and not all zeroes. This is equivalent to say Chen et al. (2004):*

$$\hat{\theta}\_F(\mathbf{u}, \mathbf{v}) = 0, \forall \mathbf{u} \in \mathcal{V}\_{\mathbf{n} \prime} \ 1 \le wt(\mathbf{u}) \le t, \forall \mathbf{v} \ne \mathbf{0} \in \mathcal{V}\_{\mathbf{m}} \tag{14}$$

### **3.5 Resiliency**

**Definition 19.** *<sup>f</sup>* ∈ *F<sup>n</sup> is a t-resilient function if if it is balanced and t-CI, satisfying: <sup>χ</sup>*<sup>ˆ</sup> *<sup>f</sup>*(**u**) = 0, ∀ **u** ∈ Vn, 0 ≤ *wt*(**u**) ≤ *t. A balanced Boolean function f can be considered as a* 0*-resilient function.*

**Definition 20.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> is said to be t-resilient if it is balanced and t-CI, satisfying:*

$$\hat{\theta}\_{\rm F}(\mathbf{u}, \mathbf{v}) = 0, \forall \mathbf{u} \in \mathcal{V}\_{\rm n}, \; 0 \le wt(\mathbf{u}) \le t, \; \forall \mathbf{v} \ne \mathbf{0} \in \mathcal{V}\_{\rm m} \tag{15}$$

*F can also be denoted as an* (*n*, *m*, *t*)*-resilient. A balanced Vector Boolean function F can be considered as a* 0*-resilient function.*

### **3.6 Propagation**

**Definition 21.** *Let f* ∈ *Fn, then f satisfies the propagation criterion of degree l*, *PC*(*l*)(<sup>1</sup> ≤ *<sup>l</sup>* ≤ *<sup>n</sup>*)*, if f*(**x**) *changes with a probability of* 1/2 *whenever i*(1 ≤ *i* ≤ *t*) *bits of* **x** *are complemented Preneel et al. (2006).*

**Definition 22.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> satisfies the PC*(*l*) *if any nonzero linear combination of the component boolean functions satisfies the PC*(*l*)*:*

$$r\_F(\mathbf{u}, \mathbf{v}) = 0, \forall \mathbf{u} \in \mathcal{V}\_{\mathbf{n}}, \ 1 \le wt(\mathbf{u}) \le l, \ \forall \mathbf{v} \ne \mathbf{0} \in \mathcal{V}\_{\mathbf{m}} \tag{16}$$

### **4. Criteria for constructions with Vector Boolean functions**

In this Section, we address the behavior of Walsh Spectra, Differential Profiles, Autocorrelation Spectra and the cited characteristics under several operations of Vector Boolean functions. We present the known properties without a proof and the new to the best of our knowledge results appear with their respective proofs.

### **4.1 Composition of Vector Boolean functions**

Let *<sup>F</sup>* ∈ *Fn*,*p*, *<sup>G</sup>* ∈ *Fp*,*<sup>m</sup>* and the composition function *<sup>G</sup>* ◦ *<sup>F</sup>* ∈ *Fn*,*m*.

**Theorem 5.** *The Walsh Spectrum for the composition of two Vector Boolean function can be calculated from the product of their respective Walsh Spectra in the following way Pommerening (2005):*

$$\mathsf{MSS}(G \circ F) = \frac{1}{2^p} \mathsf{MSS}(F) \cdot \mathsf{MSS}(G) \tag{17}$$

8 Cryptography

**Definition 17.** *<sup>f</sup>* ∈ *F<sup>n</sup> is called correlation-immune of order t (t-CI) if for every subset*

*Massey (1988): χ*ˆ *<sup>f</sup>*(**u**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *t. f can also be denoted as* (*n*, 1, *t*)*-CI function.* **Definition 18.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> is an* (*n*, *<sup>m</sup>*, *<sup>t</sup>*)*-CI function if and only if every nonzero linear combination*

**Definition 19.** *<sup>f</sup>* ∈ *F<sup>n</sup> is a t-resilient function if if it is balanced and t-CI, satisfying: <sup>χ</sup>*<sup>ˆ</sup> *<sup>f</sup>*(**u**) = 0, ∀ **u** ∈ Vn, 0 ≤ *wt*(**u**) ≤ *t. A balanced Boolean function f can be considered as a* 0*-resilient*

*F can also be denoted as an* (*n*, *m*, *t*)*-resilient. A balanced Vector Boolean function F can be considered*

**Definition 21.** *Let f* ∈ *Fn, then f satisfies the propagation criterion of degree l*, *PC*(*l*)(<sup>1</sup> ≤ *<sup>l</sup>* ≤ *<sup>n</sup>*)*, if f*(**x**) *changes with a probability of* 1/2 *whenever i*(1 ≤ *i* ≤ *t*) *bits of* **x** *are complemented Preneel*

**Definition 22.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> satisfies the PC*(*l*) *if any nonzero linear combination of the component*

In this Section, we address the behavior of Walsh Spectra, Differential Profiles, Autocorrelation Spectra and the cited characteristics under several operations of Vector Boolean functions. We present the known properties without a proof and the new to the best of our knowledge results

**Theorem 5.** *The Walsh Spectrum for the composition of two Vector Boolean function can be calculated*

*from the product of their respective Walsh Spectra in the following way Pommerening (2005):*

WS(*<sup>G</sup>* ◦ *<sup>F</sup>*) = <sup>1</sup>

*<sup>i</sup>*=<sup>1</sup> *vi fi*(**x**) *of coordinate functions of F is an* (*n*, 1, *t*)*-CI function, where* **x** ∈ Vn, *vi* ∈

*θF*(**u**, **v**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *t*, ∀ **v** �= **0** ∈ Vm (14)

*θF*(**u**, **v**) = 0, ∀ **u** ∈ Vn, 0 ≤ *wt*(**u**) ≤ *t*, ∀ **v** �= **0** ∈ Vm (15)

*rF*(**u**, **v**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **v** �= **0** ∈ Vm (16)

<sup>2</sup>*<sup>p</sup>* WS(*F*) · WS(*G*) (17)

)*, satisfying Xiao &*

{*i*1, *i*2,..., *it*}⊆{1, 2, . . . , *n*}*, f is statistically independent of* (*xi*<sup>1</sup> , *xi*<sup>2</sup> ,..., *xit*

GF(2) *i* = 1, . . . , *m and not all zeroes. This is equivalent to say Chen et al. (2004):*

**Definition 20.** *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup> is said to be t-resilient if it is balanced and t-CI, satisfying:*

**4. Criteria for constructions with Vector Boolean functions**

Let *<sup>F</sup>* ∈ *Fn*,*p*, *<sup>G</sup>* ∈ *Fp*,*<sup>m</sup>* and the composition function *<sup>G</sup>* ◦ *<sup>F</sup>* ∈ *Fn*,*m*.

**3.4 Correlation immunity**

ˆ

ˆ

*boolean functions satisfies the PC*(*l*)*:*

appear with their respective proofs.

**4.1 Composition of Vector Boolean functions**

*f*(**x**) = ∑*<sup>m</sup>*

**3.5 Resiliency**

*as a* 0*-resilient function.*

**3.6 Propagation**

*et al. (2006).*

*function.*

**Theorem 6.** *Let F* ∈ *Fn*,*<sup>m</sup> and let L*A,**<sup>b</sup>** ∈ *Fn*,*<sup>n</sup> an affine bijection. The Differential Profile for their composition can be calculated from the product of their respective Differential Profiles in the following way:*

$$\mathsf{DP}(F \circ L\_{\mathsf{A,b}}) = \frac{1}{2^n} \mathsf{DP}(L\_{\mathsf{A,b}}) \cdot \mathsf{DP}(F) \tag{18}$$

*Proof.* Taking into account the equality *rF*◦*L*A,**<sup>b</sup>** (**u**, **v**) = *rF*(A**u**, **v**) described in Millan (1998), it holds that:

 $\delta\_{\mathrm{F}\odot L\_{\mathrm{A},\mathrm{b}}}(\mathbf{u},\mathbf{w}) = \frac{1}{2^{\overline{\boldsymbol{w}}+\boldsymbol{\pi}}}$  $\sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{\mathrm{F}\odot L\_{\mathrm{A},\mathrm{b}}}(\mathbf{u},\mathbf{w})$  $\chi\_{\mathbf{v}}(\mathbf{w}) = \frac{1}{2^{\overline{\boldsymbol{n}}+\boldsymbol{\pi}}}$  $\sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{\mathrm{F}}(\mathbf{A}\mathbf{u},\mathbf{w})$  $\chi\_{\mathbf{v}}(\mathbf{w}) = \delta\_{\mathrm{F}}(\mathbf{A}\mathbf{u},\mathbf{w})$ 

**Theorem 7.** *If F is a t-resilient function and G is balanced, then G* ◦ *F is also a t-resilient function.*

**Corollary 2.** *If F is a balanced function, then G* ◦ *F is also a balanced function.*

### **4.2 Affine bijections of Vector Boolean functions**

Let *<sup>F</sup>* ∈ *Fn*,*<sup>m</sup>* and let *<sup>L</sup>*A,**<sup>b</sup>** ∈ *Fm*,*<sup>m</sup>* and *<sup>L</sup>*C,**<sup>d</sup>** ∈ *Fn*,*<sup>n</sup>* be linear (or affine) bijections.

**Lemma 1.** *From Theorem 5 and Theorem 3 we can conclude that the effect of applying an invertible linear function before (or after) a function is only a permutation of its columns (or rows). In case it is an affine bijection, the sign of all the elements of some of its columns (or rows) are changed.*

**Corollary 3.** *As a corollary of Lemma 1, we get the following:*

$$\begin{aligned} \max^\* \left( \mathsf{WS} (L\_{\mathsf{A},\mathsf{b}} \circ F \circ L\_{\mathsf{C},\mathsf{d}}) \right) &= \max^\* \left( \mathsf{WS} (F) \right) \\ \max^\* \left( \mathsf{DP} (L\_{\mathsf{A},\mathsf{b}} \circ F \circ L\_{\mathsf{C},\mathsf{d}}) \right) &= \max^\* \left( \mathsf{DP} (F) \right) \end{aligned}$$

**Corollary 4.** *The nonlinearity and the linearity distance are invariant under linear (or affine) bijections of the input space and of the output space, so that Nyberg (1995):*

$$\mathcal{NL}(L\_{\mathsf{A,b}} \circ F \circ L\_{\mathsf{C,d}}) = \mathcal{N}\mathcal{L}(F) \quad \mathcal{LD}(L\_{\mathsf{A,b}} \circ F \circ L\_{\mathsf{C,d}}) = \mathcal{LD}(F)$$

Here we give alternative proofs as those given by Nyberg in Nyberg (1995) by using corollary 3:

*Proof.*

$$\begin{array}{l} \mathsf{\mathcal{M}} \mathsf{\mathcal{L}} (L\_{\mathsf{A},\mathsf{b}} \circ F \circ L\_{\mathsf{C},\mathsf{d}}) = 2^{n-1} - \frac{1}{2} \max^{\*} \left( \mathsf{W} \mathsf{S} (L\_{\mathsf{A},\mathsf{b}} \circ F \circ L\_{\mathsf{C},\mathsf{d}}) \right) \\\ l = 2^{n-1} - \frac{1}{2} \max^{\*} \left( \mathsf{W} \mathsf{S} (F) \right) = \mathsf{\mathcal{M}} \mathsf{\mathcal{L}} (F) \end{array}$$

$$\begin{split} &\mathcal{L}\mathcal{D}(L\_{\mathsf{A},\mathsf{b}}\circ F\circ L\_{\mathsf{C},\mathsf{d}}) = 2^{n-1} \cdot \left(1 - \max^{\*}\left(\mathsf{DP}(L\_{\mathsf{A},\mathsf{b}}\circ F\circ L\_{\mathsf{C},\mathsf{d}})\right)\right) \\ &= 2^{n-1} \cdot \left(1 - \max^{\*}\left(\mathsf{DP}(F)\right)\right) = \mathcal{L}\mathcal{D}(F) \end{split}$$

**Theorem 8.** *Let F* ∈ *Fn*,*<sup>m</sup> and let L*A,**<sup>b</sup>** ∈ *Fn*,*<sup>n</sup> an affine bijection, then F* ◦ *<sup>L</sup>*A,**<sup>b</sup>** *satisfies the PC*(*l*) *if and only if F satisfies the PC*(*l*)*.*

*Proof.* If we use the equality *rF*◦*L*A,**<sup>b</sup>** (**u**, **v**) = *rF*(A**u**, **v**) described in Millan (1998), we can obtain the following:

$$\begin{aligned} &F \circ \text{L}\_{\mathbf{A}, \mathbf{b}} \text{ satisfies the } PC(l) \\ &\longlongarrow \text{R}\_{F \circ L\_{\mathbf{A}, \mathbf{b}}} = 0, \forall \mathbf{u} \in \text{V}\_{\mathbf{n} \prime} \ 1 \le wt(\mathbf{u}) \le l, \forall \mathbf{v} \in \text{V}\_{\mathbf{m}} \\ &\longarrow \text{T}\_{F}(\mathbf{A} \mathbf{u}, \mathbf{v}) = 0, \forall \mathbf{u} \in \text{V}\_{\mathbf{n} \prime} \ 1 \le wt(\mathbf{u}) \le l, \forall \mathbf{v} \in \text{V}\_{\mathbf{m}} \\ &\longarrow \text{T}\_{F}(\mathbf{u}, \mathbf{v}) = 0, \forall \mathbf{u} \in \text{V}\_{\mathbf{n} \prime} \ 1 \le wt(\mathbf{u}) \le l, \forall \mathbf{v} \in \text{V}\_{\mathbf{m}} \end{aligned}$$

*the following:*

*Proof.*

<sup>↔</sup> <sup>ˆ</sup>

∧ ˆ

<sup>↔</sup> <sup>ˆ</sup>

where **u** = **uF** ⊕ **uG**

*derivatives as follows:*

*Proof.*

WS (*S*4(*DES*))

(**1111**) = <sup>1</sup>

*(S*1*<sup>b</sup>* ∈ *F*8,16*) respectively, we can see that the corollary 7 is satisfied:*

*<sup>r</sup>*(*F*,*G*)(**u**, **<sup>v</sup>**) = <sup>1</sup>

*<sup>r</sup>*(*F*,*G*)(**u**, **<sup>v</sup>**) = <sup>1</sup>

= <sup>1</sup>

= <sup>1</sup>

*of F and G, denoted by* (*F*, *<sup>G</sup>*)−<sup>1</sup> <sup>∈</sup> *F*<sup>2</sup>*n*,*<sup>n</sup> is a* <sup>2</sup> · min{*t*1, *<sup>t</sup>*2}*-resilient function.*

*<sup>F</sup>*−<sup>1</sup> is a *<sup>t</sup>*1-resilient function <sup>∧</sup> *<sup>G</sup>*−<sup>1</sup> is a *<sup>t</sup>*2-resilient function

*θF*(**v**, **uF**) = 0, ∀ **v** �= **0** ∈ Vn, ∀ **uF** ∈ Vn, 0 ≤ *wt*(**uF**) ≤ *t*<sup>1</sup>

*θG*(**v**, **uG**) = 0, ∀ **v** �= **0** ∈ Vn, ∀ **uG** ∈ Vn, 0 ≤ *wt*(**uG**) ≤ *t*<sup>2</sup>

**Example 1.** *The F-function of the MacGuffin block cipher algorithm consists of the* 8 *S-boxes of the DES, but the two middle output bits of each S-box are neglected so that Si*(*MacG*) ∈ *F*6,2*. Let define the* 4*-th S-box of DES as S*4(*DES*)=(*f*1, *f*2, *f*3, *f*4)*, then it holds that S*4(*MacG*)=(*f*1, *f*4)*. If we denote MacDES the S-box which uses the second and third component functions of DES, then S*4(*MacDES*)=(*f*2, *f*3)*. The S-box S*4(*DES*) *can be obtained by adding the coordinate functions which constitute MacDES and aplying a permutation to reorder the coordinate functions. If we want to obtain the last column of the Walsh Spectrum of S*4(*DES*) *from the last columns of the Walsh Spectra of S*4(*MacG*) *and S*4(*MacDES*)*, then the effect of the permutation can be omitted and the results are*

Cryptographic Criteria on Vector Boolean Functions 61

<sup>26</sup> WS (*S*4(*MacG*))

**Example 2.** *The first substitution function of the CAST algorithm Adams & Tavares (1993) , Adams (1994) denoted by S*<sup>1</sup> ∈ *F*8,32 *has a nonlinearity of* <sup>74</sup> *Youssef et al. (1997). If we decompose this Vector Boolean function into two, taking the first* <sup>16</sup> *output bits (S*1*<sup>a</sup>* ∈ *F*8,16*) and the second* <sup>16</sup> *output bits*

**Theorem 10.** *If F*, *<sup>G</sup>* <sup>∈</sup> *Fn*,*<sup>n</sup> are bijective, F*−<sup>1</sup> *is a t*1*-resilient function and G*−<sup>1</sup> *is a t*2*-resilient function, then the inverse of the Vector Boolean function obtained by adding the coordinates functions*

*θ*(*F*,*G*)−<sup>1</sup> (**u**, **v**) = 0 ∀ **u** ∈ V2n, 0 ≤ *wt*(**u**) ≤ 2 · min{*t*1, *t*2}, ∀ **v** �= **0** ∈ Vn

**Corollary 8.** *If F*, *<sup>G</sup>* <sup>∈</sup> *Fn*,*<sup>n</sup> are bijective, F*−<sup>1</sup> *is a balanced Vector Boolean function and G*−<sup>1</sup> *is a balanced Vector Boolean function, then the inverse of the Vector Boolean function resulting of adding the coordinates functions of F and G, denoted by* (*F*, *G*)−<sup>1</sup> *is a balanced Vector Boolean function.*

**Theorem 11.** *The autocorrelation of the Vector Boolean function resulting by adding the coordinate functions of two Vector Boolean functions can be expressed in terms of their respective directional*

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn (−1)**vF** *<sup>F</sup>*(**x**+**u**)⊕**vG** *<sup>G</sup>*(**x**+**u**)+**vF** *<sup>F</sup>*(**x**)⊕**vG** *<sup>G</sup>*(**x**)

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn (−1)**vF** *<sup>F</sup>*(**x**+**u**)+**vF** *<sup>F</sup>*(**x**) · (−1)**vG** *<sup>G</sup>*(**x**+**u**)+**vG** *<sup>G</sup>*(**x**)

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn (−1)Δ**uvF** *<sup>F</sup>*(**x**) · (−1)Δ**uvG** *<sup>G</sup>*(**x**)

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn (−1)**vF**⊕**vG**(*F*,*G*)(**x**+**u**)+**vF**⊕**vG**(*F*,*G*)(**x**)

<sup>74</sup> = *NL*(*S*1) ≤ min{*NL*(*S*1*a*), *NL*(*S*1*b*)} = min{86, 82} (21)

(**11**) <sup>∗</sup> WS (*S*4(*MacDES*))

(**11**) (20)

### **4.3 Adding coordinate functions**

Let *<sup>F</sup>* = (*f*1,..., *fm*<sup>1</sup> ) ∈ *Fn*,*m*<sup>1</sup> , *<sup>G</sup>* = (*g*1,..., *gm*<sup>2</sup> ) ∈ *Fn*,*m*<sup>2</sup> and the function conformed by adding the coordinate functions (*F*, *<sup>G</sup>*)=(*f*1,..., *fm*<sup>1</sup> , *<sup>g</sup>*1,..., *gm*<sup>2</sup> ) ∈ *Fn*,*m*1+*m*<sup>2</sup> . Let **v** ∈ Vm1<sup>+</sup>m2 ,**vF** ∈ Vm1 and **vG** ∈ Vm2 so that **v** = **vF** ⊕ **vG**.

**Theorem 9.** *The columns of the Walsh Spectrum of the Vector Boolean function constructed by adding the coordinate functions of two Vector Boolean functions are calculated by the correlation of their respective columns in the following way:*

$$\mathsf{WS}((F,G))^\mathsf{V} = \frac{1}{2^n} \mathsf{WS}(F)^{\mathsf{V}\_\mathsf{F}} \ast \mathsf{WS}(G)^{\mathsf{V}\_\mathsf{G}}$$

*where* WS((*F*, *G*))**<sup>v</sup>** *is the column of the Walsh Spectrum characteristiced by* **v***.*

*Proof.*

$$\begin{split} \hat{\theta}\_{(\mathbf{F},\mathbf{G})}(\mathbf{u},\mathbf{v}) &= \hat{\chi}\_{\mathbf{V}\_{\mathbf{F}} \oplus \mathbf{v}\_{\mathbf{G}} \cdot (\mathbf{F},\mathbf{G})}(\mathbf{u}) = \mathcal{W}\{\underline{\mathfrak{z}}\_{\mathbf{v}\_{\mathbf{F}} \cdot \mathbf{F}} \bullet \underline{\mathfrak{z}}\_{\mathbf{v}\_{\mathbf{G}} \cdot \mathbf{G}}\}(\mathbf{u}) \\ &= \frac{1}{2^{\overline{n}}} \sum\_{\mathbf{x} \in \mathcal{V}\_{\mathbf{n}}} \hat{\chi}\_{\mathbf{v}\_{\mathbf{F}} \cdot \mathbf{F}}(\mathbf{u} + \mathbf{x}) \hat{\chi}\_{\mathbf{v}\_{\mathbf{G}} \cdot \mathbf{G}}(\mathbf{x}) \end{split}$$

**Corollary 5.** *The exact value of the nonlinearity of* (*F*, *G*) *cannot be easily obtained from the knowledge of the nonlinearities of F and G.*

**Corollary 6.** *The columns of both* WS(*F*) *and* WS(*G*) *are contained in the matrix* WS((*F*, *G*))*.*

**Corollary 7.** *From corollary 6 it can be deduced that:*

$$\mathcal{QM}((F,G)) \le \min\{\mathcal{QM}(F), \mathcal{QM}(G)\}\tag{19}$$

The corollary 7 is a generalization of the Theorem 16 in Nyberg (1995). It can be useful, for instance, to find upper bounds of nonlinearity in S-boxes whose number of output bits is high by calculating the nonlinearities of shorter S-boxes (see Example 2).

**Example 1.** *The F-function of the MacGuffin block cipher algorithm consists of the* 8 *S-boxes of the DES, but the two middle output bits of each S-box are neglected so that Si*(*MacG*) ∈ *F*6,2*. Let define the* 4*-th S-box of DES as S*4(*DES*)=(*f*1, *f*2, *f*3, *f*4)*, then it holds that S*4(*MacG*)=(*f*1, *f*4)*. If we denote MacDES the S-box which uses the second and third component functions of DES, then S*4(*MacDES*)=(*f*2, *f*3)*. The S-box S*4(*DES*) *can be obtained by adding the coordinate functions which constitute MacDES and aplying a permutation to reorder the coordinate functions. If we want to obtain the last column of the Walsh Spectrum of S*4(*DES*) *from the last columns of the Walsh Spectra of S*4(*MacG*) *and S*4(*MacDES*)*, then the effect of the permutation can be omitted and the results are the following:*

$$\mathsf{WSS}\left(\mathrm{S}\_{4}(DES)\right)^{(\mathrm{1111})} = \frac{1}{2^{5}}\mathsf{WSS}\left(\mathrm{S}\_{4}(MacG)\right)^{(\mathrm{11})} \* \mathsf{WSS}\left(\mathrm{S}\_{4}(MacDES)\right)^{(\mathrm{11})}\tag{20}$$

**Example 2.** *The first substitution function of the CAST algorithm Adams & Tavares (1993) , Adams (1994) denoted by S*<sup>1</sup> ∈ *F*8,32 *has a nonlinearity of* <sup>74</sup> *Youssef et al. (1997). If we decompose this Vector Boolean function into two, taking the first* <sup>16</sup> *output bits (S*1*<sup>a</sup>* ∈ *F*8,16*) and the second* <sup>16</sup> *output bits (S*1*<sup>b</sup>* ∈ *F*8,16*) respectively, we can see that the corollary 7 is satisfied:*

$$74 = \mathcal{N}\mathcal{L}(S\_1) \le \min\{\mathcal{N}\mathcal{L}(S\_{1a}), \mathcal{N}\mathcal{L}(S\_{1b})\} = \min\{86, 82\}\tag{21}$$

**Theorem 10.** *If F*, *<sup>G</sup>* <sup>∈</sup> *Fn*,*<sup>n</sup> are bijective, F*−<sup>1</sup> *is a t*1*-resilient function and G*−<sup>1</sup> *is a t*2*-resilient function, then the inverse of the Vector Boolean function obtained by adding the coordinates functions of F and G, denoted by* (*F*, *<sup>G</sup>*)−<sup>1</sup> <sup>∈</sup> *F*<sup>2</sup>*n*,*<sup>n</sup> is a* <sup>2</sup> · min{*t*1, *<sup>t</sup>*2}*-resilient function.*

*Proof.*

10 Cryptography

**Theorem 8.** *Let F* ∈ *Fn*,*<sup>m</sup> and let L*A,**<sup>b</sup>** ∈ *Fn*,*<sup>n</sup> an affine bijection, then F* ◦ *<sup>L</sup>*A,**<sup>b</sup>** *satisfies the PC*(*l*) *if*

*Proof.* If we use the equality *rF*◦*L*A,**<sup>b</sup>** (**u**, **v**) = *rF*(A**u**, **v**) described in Millan (1998), we can

←→ *rF*◦*L*A,**<sup>b</sup>** = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **v** ∈ Vm ←→ *rF*(A**u**, **v**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **v** ∈ Vm ←→ *rF*(**u**, **v**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **v** ∈ Vm

Let *<sup>F</sup>* = (*f*1,..., *fm*<sup>1</sup> ) ∈ *Fn*,*m*<sup>1</sup> , *<sup>G</sup>* = (*g*1,..., *gm*<sup>2</sup> ) ∈ *Fn*,*m*<sup>2</sup> and the function conformed by adding the coordinate functions (*F*, *<sup>G</sup>*)=(*f*1,..., *fm*<sup>1</sup> , *<sup>g</sup>*1,..., *gm*<sup>2</sup> ) ∈ *Fn*,*m*1+*m*<sup>2</sup> . Let

**Theorem 9.** *The columns of the Walsh Spectrum of the Vector Boolean function constructed by adding the coordinate functions of two Vector Boolean functions are calculated by the correlation of*

<sup>2</sup>*<sup>n</sup>* WS(*F*)

*<sup>θ</sup>*(*F*,*G*)(**u**, **<sup>v</sup>**) = *<sup>χ</sup>*ˆ**vF**⊕**vG**·(*F*,*G*)(**u**) = *W* {*ξ***vF**·*<sup>F</sup> <sup>ξ</sup>***vG**·*G*}(**u**)

**Corollary 5.** *The exact value of the nonlinearity of* (*F*, *G*) *cannot be easily obtained from the knowledge*

The corollary 7 is a generalization of the Theorem 16 in Nyberg (1995). It can be useful, for instance, to find upper bounds of nonlinearity in S-boxes whose number of output bits is high

**Corollary 6.** *The columns of both* WS(*F*) *and* WS(*G*) *are contained in the matrix* WS((*F*, *G*))*.*

**vF** <sup>∗</sup> WS(*G*)

*NL*((*F*, *<sup>G</sup>*)) ≤ min{*NL*(*F*), *NL*(*G*)} (19)

**vG**

*F* ◦ *L*A,**<sup>b</sup>** satisfies the *PC*(*l*)

**v** ∈ Vm1<sup>+</sup>m2 ,**vF** ∈ Vm1 and **vG** ∈ Vm2 so that **v** = **vF** ⊕ **vG**.

WS((*F*, *<sup>G</sup>*))**<sup>v</sup>** <sup>=</sup> <sup>1</sup>

*where* WS((*F*, *G*))**<sup>v</sup>** *is the column of the Walsh Spectrum characteristiced by* **v***.*

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn *<sup>χ</sup>*ˆ**vF**·*F*(**<sup>u</sup>** + **<sup>x</sup>**)*χ*ˆ**vG**·*G*(**x**)

by calculating the nonlinearities of shorter S-boxes (see Example 2).

*and only if F satisfies the PC*(*l*)*.*

**4.3 Adding coordinate functions**

*their respective columns in the following way:*

ˆ

*of the nonlinearities of F and G.*

= <sup>1</sup>

**Corollary 7.** *From corollary 6 it can be deduced that:*

obtain the following:

*Proof.*

$$\begin{array}{l} F^{-1} \text{ is a } t\_1\text{-resillient function } \wedge \ G^{-1} \text{ is a } t\_2\text{-resillient function} \\ \leftrightarrow \partial\_{\mathbf{F}}(\mathbf{v}, \mathbf{u\_F}) = 0, \,\forall \,\mathbf{v} \neq \mathbf{0} \in \mathbf{V}\_{\mathbf{n}\prime} \,\forall \,\mathbf{u\_F} \in \mathbf{V\_{n}}, \,\mathbf{0} \le wt(\mathbf{u\_F}) \le t\_1 \\ \wedge \partial\_{\mathbf{G}}(\mathbf{v}, \mathbf{u\_G}) = 0, \,\forall \,\mathbf{v} \neq \mathbf{0} \in \mathbf{V\_{n}} \,\forall \,\mathbf{u\_G} \in \mathbf{V\_{n}}, \,\mathbf{0} \le wt(\mathbf{u\_G}) \le t\_2 \\ \leftrightarrow \partial\_{(F,G)^{-1}}(\mathbf{u}, \mathbf{v}) = 0 \,\forall \,\mathbf{u} \in \mathbf{V\_{2n}}, \,\,\mathbf{0} \le wt(\mathbf{u}) \le 2 \cdot \min\{t\_1, t\_2\}, \,\forall \,\mathbf{v} \ne \mathbf{0} \in \mathbf{V\_{n}} \end{array}$$

where **u** = **uF** ⊕ **uG**

**Corollary 8.** *If F*, *<sup>G</sup>* <sup>∈</sup> *Fn*,*<sup>n</sup> are bijective, F*−<sup>1</sup> *is a balanced Vector Boolean function and G*−<sup>1</sup> *is a balanced Vector Boolean function, then the inverse of the Vector Boolean function resulting of adding the coordinates functions of F and G, denoted by* (*F*, *G*)−<sup>1</sup> *is a balanced Vector Boolean function.*

**Theorem 11.** *The autocorrelation of the Vector Boolean function resulting by adding the coordinate functions of two Vector Boolean functions can be expressed in terms of their respective directional derivatives as follows:*

$$r\_{(F,G)}(
\mathbf{u}, \mathbf{v}) = \frac{1}{2^{\pi}} \sum\_{\mathbf{x} \in V\_{\mathbf{n}}} (-1)^{\Delta\_{\mathbf{u}} \mathbf{v}\_{F} F(\mathbf{x})} \cdot (-1)^{\Delta\_{\mathbf{u}} \mathbf{v}\_{G} G(\mathbf{x})}$$

*Proof.*

$$\begin{array}{l} r\_{(F,G)}(\mathbf{u},\mathbf{v}) = \frac{1}{2^{\overline{n}}} \sum\_{\mathbf{x}\in V\_{n}} (-1)^{\mathbf{v}\_{F}\oplus\mathbf{v}\_{G}} (F,G)(\mathbf{x}+\mathbf{u}) + \mathbf{v}\_{F}\oplus\mathbf{v}\_{G}(F,G)(\mathbf{x})\\ \mathbf{v} = \frac{1}{2^{\overline{n}}} \sum\_{\mathbf{x}\in V\_{n}} (-1)^{\mathbf{v}\_{F}F(\mathbf{x}+\mathbf{u})\oplus\mathbf{v}\_{G}G(\mathbf{x}+\mathbf{u}) + \mathbf{v}\_{F}F(\mathbf{x})\oplus\mathbf{v}\_{G}G(\mathbf{x})}{2^{\overline{n}}\sum\_{\mathbf{x}\in V\_{n}} (-1)^{\mathbf{v}\_{F}F(\mathbf{x}+\mathbf{u}) + \mathbf{v}\_{F}F(\mathbf{x})} \cdot (-1)^{\mathbf{v}\_{G}G(\mathbf{x}+\mathbf{u}) + \mathbf{v}\_{G}G(\mathbf{x})} \end{array}$$

**Corollary 9.** *If* **u** *is a linear structure of G, then the autocorrelation of* (*F*, *G*) *is proportional to the autocorrelation of F:*

$$r\_{(F,G)}(\mathbf{u}, \mathbf{v}) = (-1)^{\varepsilon\_{\mathbf{v}\mathbf{G}^G}} \cdot r\_F(\mathbf{u}, \mathbf{v}\_{\mathbf{F}})$$

*where* Δ**uvG***G*(**x**) = *c***vG** *<sup>G</sup>* ∀ **x** ∈ Vn, ∀ **vG** ∈ Vm2 *.*

**Corollary 10.** *Let F* ∈ *Fn*,*m*<sup>1</sup> *satisfy the PC*(*l*) *and let all the vectors in* Vn *with weight at most l be linear structures of G* ∈ *Fn*,*m*<sup>2</sup> *, then* (*F*, *<sup>G</sup>*) ∈ *Fn*,*m*1+*m*<sup>2</sup> *satisfies PC*(*l*)*.*

*Proof.* By applying corollary 10:

$$r\_{\mathbf{F}}(\mathbf{u}, \mathbf{v}\_{\mathbf{F}}) = 0, \forall \mathbf{u} \in \mathbf{V}\_{\mathbf{n}\prime} \ 1 \le wt(\mathbf{u}) \le l, \ \forall \mathbf{v}\_{\mathbf{F}} \ne \mathbf{0} \in \mathbf{V}\_{\mathbf{m}\_{\parallel}}$$

$$r\_{(\mathbf{f}, \mathbf{G})}(\mathbf{u}, \mathbf{v}) = 0, \ \forall \mathbf{u} \in \mathbf{V}\_{\mathbf{n}\prime} \ 1 \le wt(\mathbf{u}) \le l, \ \forall \mathbf{v} \ne \mathbf{0} \in \mathbf{V}\_{\mathbf{m}}$$

*Proof.* Let **v** = **v**|<sup>A</sup> ⊕ **v**|B:

*15:*

*and*

*t-resilient.*

**4.5 Direct sum of Vector Boolean functions**

ˆ

DP(*F*<sup>1</sup> <sup>⊕</sup> *<sup>F</sup>*2)**<sup>u</sup>** <sup>=</sup> <sup>1</sup>

*<sup>θ</sup>F*1⊕*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = <sup>ˆ</sup>

**u2** ∈ Vn2 , **v** ∈ Vm and **u** = **u1** ⊕ **u2**.

*DF*(**u**, **v**) = {**x** ∈ Vn | *F*(**x** + **u**) + *F*(**x**) = **v**} = {**x** ∈ Vn | *F*|A(**x** + **u**) + *F*|A(**x**) = **v**|A}

Cryptographic Criteria on Vector Boolean Functions 63

**Example 3.** *The F-function of the DES block cipher algorithm consists of* <sup>8</sup> *S-boxes Si*(*DES*) ∈ *F*6,4

*i* 12345678 *NL* (*Si*(*DES*)) 14 16 16 16 16 18 14 16 <sup>∗</sup> max (WS (*Si*(*DES*))) 36 32 32 32 32 28 36 32

*MacGuffin's S-boxes result from restriction of DES S-Boxes, and its characteristics satisfy Corollary*

*i* 12345678 *NL* (*Si*(*MG*)) 18 18 18 16 20 20 18 20 <sup>∗</sup> max (WS (*Si*(*MG*))) 28 28 28 32 24 24 28 24

*LD* (*S*1(*MG*)) = 15, *dp* (*S*1(*MG*)) = 0.53125 *LD* (*S*2(*MG*)) = 14, *dp* (*S*2(*MG*)) = 0.5625 *LD* (*S*3(*MG*)) = 15, *dp* (*S*3(*MG*)) = 0.53125 *LD* (*S*4(*MG*)) = 16, *dp* (*S*4(*MG*)) = 0.5 *LD* (*S*5(*MG*)) = 16, *dp* (*S*5(*MG*)) = 0.5 *LD* (*S*6(*MG*)) = 18, *dp* (*S*6(*MG*)) = 0.4375 *LD* (*S*7(*MG*)) = 15, *dp* (*S*7(*MG*)) = 0.53125 *LD* (*S*8(*MG*)) = 16, *dp* (*S*8(*MG*)) = 0.5

**Corollary 16.** *By Theorem 9, it can be demonstrated that if F is t-resilient, then F*|<sup>A</sup> *is at least*

Let *<sup>n</sup>*1, *<sup>n</sup>*<sup>2</sup> ≥ 1, *<sup>F</sup>*<sup>1</sup> ∈ *Fn*1,*m*, *<sup>F</sup>*<sup>2</sup> ∈ *Fn*2,*<sup>m</sup>* and their direct sum *<sup>F</sup>*<sup>1</sup> ⊕ *<sup>F</sup>*<sup>2</sup> ∈ *F<sup>n</sup>*1+*n*2,*m*. Let **u1** ∈ Vn1 ,

**Theorem 13.** *The elements which conform a row in the Walsh Spectrum of the direct sum of two Vector Boolean functions are equal to the product of the respective components of the rows in both Walsh Spectra . The rows of the Differential Profile of the direct sum of two Vector Boolean functions are obtained by the correlation of the rows of the Differential Profiles of each Vector Boolean function.*

*<sup>θ</sup>F*<sup>1</sup> (**u1**, **<sup>v</sup>**) · <sup>ˆ</sup>

<sup>2</sup>*<sup>m</sup>* DP(*F*1)**u1** <sup>∗</sup> DP(*F*2)**u2**

*θF*<sup>2</sup> (**u2**, **v**)

<sup>4</sup> ∀ *i* = 1, . . . , 8

**Corollary 14.** <sup>∗</sup> max (WS(*F*|A) <sup>≤</sup> <sup>∗</sup> max (WS(*F*))*,* <sup>∗</sup> max (DP(*F*|A) <sup>≥</sup> <sup>∗</sup> max (DP(*F*))*.*

*LD* (*Si*(*DES*)) = 24, *dp* (*Si*(*DES*)) = <sup>1</sup>

<sup>∩</sup> {**<sup>x</sup>** <sup>∈</sup> Vn <sup>|</sup> *<sup>F</sup>*|B(**<sup>x</sup>** <sup>+</sup> **<sup>u</sup>**) + *<sup>F</sup>*|B(**x**) = **<sup>v</sup>**|B} <sup>⊆</sup> *DF*<sup>|</sup><sup>A</sup> (**u**, **<sup>v</sup>**)

*whose respective nonlinearities and linearity distances are the following:*

**Corollary 15.** *NL*(*F*|A) ≥ *NL*(*F*)*, LD*(*F*|A) ≤ *LD*(*F*)*.*

**Corollary 11.** *If we add coordinates of a Vector Boolean function which satisfies the PC*(*l*) *and a Linear (or Affine) Vector Boolean function then the resulting Vector Boolean function satisfies the PC*(*l*)*.*

**Corollary 12.** *If* **u** *is a linear structure of G, then the coefficients of the Differential Profile of* (*F*, *G*) *is proportional to the coefficients of the Differential Profile of F:*

$$\delta\_{(F,G)}(\mathbf{u}, \mathbf{v}) = (-1)^{\varepsilon\_{\mathbf{v}\mathbf{G}}} \cdot \delta\_F(\mathbf{u}, \mathbf{v}\_{\mathbf{F}}) $$

*Proof.*

$$\begin{split} &\delta\_{\left(\mathbf{F},\mathbf{G}\right)}\left(\mathbf{u},\mathbf{v}\right) = \frac{1}{2^{n+m}}\sum\_{\mathbf{w}\in V\_{\mathrm{m}}}r\_{\left(\mathbf{F},\mathbf{G}\right)}(\mathbf{u},\mathbf{w})\chi\_{\mathbf{V}}(\mathbf{w}) \\ &= \frac{1}{2^{n+m\_{1}+m\_{2}}}\sum\_{\mathbf{w}\_{\mathbf{F}}\in V\_{\mathrm{m}\_{1}}}\sum\_{\mathbf{w}\_{\mathbf{G}}\in V\_{\mathrm{m}\_{2}}}(-1)^{c\_{\mathbf{w}\_{\mathbf{G}}\ominus}}r\_{\left(\mathbf{u},\mathbf{w}\_{\mathbf{F}}\right)}\chi\_{\mathbf{V}\_{\mathbf{F}}}(\mathbf{w}\_{\mathbf{F}})\chi\_{\mathbf{V}\_{\mathbf{G}}}(\mathbf{w}\_{\mathbf{F}}) \\ &= \frac{(-1)^{\circ\_{\mathbf{G}\cdot\mathbf{G}}}}{2^{n+m\_{1}+m\_{2}}}\sum\_{\mathbf{w}\_{\mathbf{G}}\in V\_{\mathrm{m}\_{2}}}\chi\_{\mathbf{V}\_{\mathbf{G}}}(\mathbf{w}\_{\mathbf{G}})\sum\_{\mathbf{w}\_{\mathbf{F}}\in V\_{\mathrm{m}\_{1}}}r\_{\mathbf{F}}(\mathbf{u},\mathbf{w}\_{\mathbf{F}})\chi\_{\mathbf{V}\_{\mathbf{F}}}(\mathbf{w}\_{\mathbf{F}}) \\ &= \frac{(-1)^{\circ\_{\mathbf{G}\cdot\mathbf{G}}}}{2^{n+m\_{1}}}\sum\_{\mathbf{w}\_{\mathbf{F}}\in V\_{\mathrm{m}\_{1}}}r\_{\mathbf{F}}(\mathbf{u},\mathbf{w}\_{\mathbf{F}})\chi\_{\mathbf{V}\_{\mathbf{F}}}(\mathbf{w}\_{\mathbf{F}}) \end{split}$$

### **4.4 Projection of a Vector Boolean function**

Let *<sup>F</sup>* = (*f*1,..., *fm*) ∈ *Fn*,*m*, <sup>A</sup> = {*i*1,..., *im*<sup>1</sup> }⊆{1, . . . , *<sup>m</sup>*}, <sup>B</sup> = {*j*1,..., *jm*<sup>2</sup> } ⊆ {1, . . . , *<sup>m</sup>*},<sup>A</sup> ∩ <sup>B</sup> = <sup>∅</sup> so that *<sup>m</sup>* = *<sup>m</sup>*<sup>1</sup> + *<sup>m</sup>*<sup>2</sup> then *<sup>F</sup>*|<sup>A</sup> = (*fi*<sup>1</sup> ,..., *fim*<sup>1</sup> ) ∈ *Fn*,*m*<sup>1</sup> and *<sup>F</sup>*|<sup>B</sup> = (*fj*<sup>1</sup> ,..., *fjm*<sup>2</sup> ) ∈ *Fn*,*m*<sup>2</sup> .

**Corollary 13.** *By Theorem 9, it can be demonstrated that the Walsh spectrum of the projection F*|<sup>A</sup> *is obtained by extracting the columns of* WS(*F*) *characteristiced by* **v** = (*v*1,..., *vm*) *so that if i* ∈ A *then vi* = 1 *and if i* ∈/ A *then vi* = 0*.*

**Theorem 12.** *The set of vectors where the difference Vector Boolean function of F in the direction of* **u** ∈ Vn *coincides with* **v** ∈ Vm *is a subset of the respective set of vectors of F*|A*.*

*Proof.* Let **v** = **v**|<sup>A</sup> ⊕ **v**|B:

12 Cryptography

**Corollary 9.** *If* **u** *is a linear structure of G, then the autocorrelation of* (*F*, *G*) *is proportional to the*

**Corollary 10.** *Let F* ∈ *Fn*,*m*<sup>1</sup> *satisfy the PC*(*l*) *and let all the vectors in* Vn *with weight at most l be*

*rF*(**u**, **vF**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **vF** �= **0** ∈ Vm1 *r*(*F*,*G*)(**u**, **v**) = 0, ∀ **u** ∈ Vn, 1 ≤ *wt*(**u**) ≤ *l*, ∀ **v** �= **0** ∈ Vm

**Corollary 11.** *If we add coordinates of a Vector Boolean function which satisfies the PC*(*l*) *and a Linear (or Affine) Vector Boolean function then the resulting Vector Boolean function satisfies the PC*(*l*)*.*

**Corollary 12.** *If* **u** *is a linear structure of G, then the coefficients of the Differential Profile of* (*F*, *G*)

*δ*(*F*,*G*)(**u**, **v**)=(−1)

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *<sup>r</sup>*(*F*,*G*)(**u**, **<sup>w</sup>**)*χ***v**(**w**)

<sup>2</sup>*n*+*m*1+*m*<sup>2</sup> <sup>∑</sup>**wG**∈Vm2 *<sup>χ</sup>***vG** (**wG**) <sup>∑</sup>**wF**∈Vm1 *rF*(**u**, **wF**)*χ***vF** (**wF**)

(−1)

Let *<sup>F</sup>* = (*f*1,..., *fm*) ∈ *Fn*,*m*, <sup>A</sup> = {*i*1,..., *im*<sup>1</sup> }⊆{1, . . . , *<sup>m</sup>*}, <sup>B</sup> = {*j*1,..., *jm*<sup>2</sup> } ⊆

**Corollary 13.** *By Theorem 9, it can be demonstrated that the Walsh spectrum of the projection F*|<sup>A</sup> *is obtained by extracting the columns of* WS(*F*) *characteristiced by* **v** = (*v*1,..., *vm*) *so that if i* ∈ A

**Theorem 12.** *The set of vectors where the difference Vector Boolean function of F in the direction of*

*<sup>c</sup>***vG***<sup>G</sup>* · *rF*(**u**, **vF**)

*<sup>c</sup>***vG***<sup>G</sup>* · *<sup>δ</sup>F*(**u**, **vF**)

*<sup>c</sup>***vG***<sup>G</sup> rF*(**u**, **wF**)*χ***vF** (**wF**)*χ***vG** (**wG**)

) ∈ *Fn*,*m*<sup>1</sup> and

*r*(*F*,*G*)(**u**, **v**)=(−1)

*linear structures of G* ∈ *Fn*,*m*<sup>2</sup> *, then* (*F*, *<sup>G</sup>*) ∈ *Fn*,*m*1+*m*<sup>2</sup> *satisfies PC*(*l*)*.*

*is proportional to the coefficients of the Differential Profile of F:*

<sup>2</sup>*n*+*m*1+*m*<sup>2</sup> ∑**wF**∈Vm1 ∑**wG**∈Vm2

<sup>2</sup>*n*+*m*<sup>1</sup> <sup>∑</sup>**wF**∈Vm1 *rF*(**u**, **wF**)*χ***vF** (**wF**)

{1, . . . , *<sup>m</sup>*},<sup>A</sup> ∩ <sup>B</sup> = <sup>∅</sup> so that *<sup>m</sup>* = *<sup>m</sup>*<sup>1</sup> + *<sup>m</sup>*<sup>2</sup> then *<sup>F</sup>*|<sup>A</sup> = (*fi*<sup>1</sup> ,..., *fim*<sup>1</sup>

**u** ∈ Vn *coincides with* **v** ∈ Vm *is a subset of the respective set of vectors of F*|A*.*

*<sup>δ</sup>*(*F*,*G*)(**u**, **<sup>v</sup>**) = <sup>1</sup>

*<sup>c</sup>***vG***<sup>G</sup>*

*<sup>c</sup>***vG***<sup>G</sup>*

**4.4 Projection of a Vector Boolean function**

) ∈ *Fn*,*m*<sup>2</sup> .

= <sup>1</sup>

= (−1)

= (−1)

*then vi* = 1 *and if i* ∈/ A *then vi* = 0*.*

*<sup>F</sup>*|<sup>B</sup> = (*fj*<sup>1</sup> ,..., *fjm*<sup>2</sup>

*autocorrelation of F:*

*Proof.*

*where* Δ**uvG***G*(**x**) = *c***vG** *<sup>G</sup>* ∀ **x** ∈ Vn, ∀ **vG** ∈ Vm2 *.*

*Proof.* By applying corollary 10:

$$\begin{split} D\_{\mathbf{F}}(\mathbf{u},\mathbf{v}) &= \{ \mathbf{x} \in \mathbf{V}\_{\mathbf{n}} \, | \, F(\mathbf{x} + \mathbf{u}) + F(\mathbf{x}) = \mathbf{v} \} = \{ \mathbf{x} \in \mathbf{V}\_{\mathbf{n}} \, | \, F|\_{\mathsf{A}}(\mathbf{x} + \mathbf{u}) + F|\_{\mathsf{A}}(\mathbf{x}) = \mathbf{v}|\_{\mathsf{A}} \} \\ &\cap \{ \mathbf{x} \in \mathbf{V}\_{\mathbf{n}} \, | \, F|\_{\mathsf{B}}(\mathbf{x} + \mathbf{u}) + F|\_{\mathsf{B}}(\mathbf{x}) = \mathbf{v}|\_{\mathsf{B}} \} \subseteq D\_{F|\_{\mathsf{A}}}(\mathbf{u}, \mathbf{v}) \end{split}$$

**Corollary 14.** <sup>∗</sup> max (WS(*F*|A) <sup>≤</sup> <sup>∗</sup> max (WS(*F*))*,* <sup>∗</sup> max (DP(*F*|A) <sup>≥</sup> <sup>∗</sup> max (DP(*F*))*.* **Corollary 15.** *NL*(*F*|A) ≥ *NL*(*F*)*, LD*(*F*|A) ≤ *LD*(*F*)*.*

**Example 3.** *The F-function of the DES block cipher algorithm consists of* <sup>8</sup> *S-boxes Si*(*DES*) ∈ *F*6,4 *whose respective nonlinearities and linearity distances are the following:*


$$\mathcal{LD}\left(\mathcal{S}\_{i}(DES)\right) = \mathbf{24}, dp\left(\mathcal{S}\_{i}(DES)\right) = \frac{1}{4} \; \forall \; i = 1, \dots, 8$$

*MacGuffin's S-boxes result from restriction of DES S-Boxes, and its characteristics satisfy Corollary 15:*


*and*

$$\begin{array}{ll} \mathcal{LD}\left(S\_1(MG)\right) = 15, \ dp\left(S\_1(MG)\right) = 0.53125\\ \mathcal{LD}\left(S\_2(MG)\right) = 14, \ dp\left(S\_2(MG)\right) = 0.5625\\ \mathcal{LD}\left(S\_3(MG)\right) = 15, \ dp\left(S\_3(MG)\right) = 0.53125\\ \mathcal{LD}\left(S\_4(MG)\right) = 16, \ dp\left(S\_4(MG)\right) = 0.5\\ \mathcal{LD}\left(S\_5(MG)\right) = 16, \ dp\left(S\_5(MG)\right) = 0.5\\ \mathcal{LD}\left(S\_6(MG)\right) = 18, \ dp\left(S\_6(MG)\right) = 0.4375\\ \mathcal{LD}\left(S\_7(MG)\right) = 15, \ dp\left(S\_7(MG)\right) = 0.53125\\ \mathcal{LD}\left(S\_8(MG)\right) = 16, \ dp\left(S\_8(MG)\right) = 0.5 \end{array}$$

**Corollary 16.** *By Theorem 9, it can be demonstrated that if F is t-resilient, then F*|<sup>A</sup> *is at least t-resilient.*

### **4.5 Direct sum of Vector Boolean functions**

Let *<sup>n</sup>*1, *<sup>n</sup>*<sup>2</sup> ≥ 1, *<sup>F</sup>*<sup>1</sup> ∈ *Fn*1,*m*, *<sup>F</sup>*<sup>2</sup> ∈ *Fn*2,*<sup>m</sup>* and their direct sum *<sup>F</sup>*<sup>1</sup> ⊕ *<sup>F</sup>*<sup>2</sup> ∈ *F<sup>n</sup>*1+*n*2,*m*. Let **u1** ∈ Vn1 , **u2** ∈ Vn2 , **v** ∈ Vm and **u** = **u1** ⊕ **u2**.

**Theorem 13.** *The elements which conform a row in the Walsh Spectrum of the direct sum of two Vector Boolean functions are equal to the product of the respective components of the rows in both Walsh Spectra . The rows of the Differential Profile of the direct sum of two Vector Boolean functions are obtained by the correlation of the rows of the Differential Profiles of each Vector Boolean function.*

$$\begin{aligned} \hat{\theta}\_{F\_1 \oplus F\_2}(\mathbf{u}, \mathbf{v}) &= \hat{\theta}\_{F\_1}(\mathbf{u}\_{1\prime} \mathbf{v}) \cdot \hat{\theta}\_{F\_2}(\mathbf{u}\_{2\prime} \mathbf{v}) \\ \mathsf{DP}(F\_1 \oplus F\_2)\_{\mathbf{u}} &= \frac{1}{2^m} \mathsf{DP}(F\_1)\_{\mathbf{u}\_1} \ast \mathsf{DP}(F\_2)\_{\mathbf{u}\_2} \end{aligned}$$

The first result was already known for Boolean functions Sarkar & Maitra (2000a), here we give a proof for Vector Boolean functions.

*Proof.*

$$\boldsymbol{\hat{\theta}}\_{\mathrm{F}\_{\mathrm{1}} \oplus \mathrm{F}\_{\mathrm{2}}}(\mathbf{u}, \mathbf{v}) = \boldsymbol{\hat{\chi}}\_{\mathbf{v} \cdot (\mathrm{F}\_{\mathrm{1}} \oplus \mathrm{F}\_{\mathrm{2}})}(\mathbf{u}\_{\mathbf{1}} \oplus \mathbf{u}\_{\mathbf{2}}) = \boldsymbol{\hat{\chi}}\_{\mathbf{v} \cdot \mathrm{F}\_{\mathrm{1}} \oplus \mathbf{v} \cdot \mathrm{F}\_{\mathrm{2}}}(\mathbf{u}\_{\mathbf{1}} \oplus \mathbf{u}\_{\mathbf{2}}) = \boldsymbol{\hat{\chi}}\_{\mathbf{v} \cdot \mathrm{F}\_{\mathrm{1}}}(\mathbf{u}\_{\mathbf{1}}) \cdot \boldsymbol{\hat{\chi}}\_{\mathbf{v} \cdot \mathrm{F}\_{\mathrm{2}}}(\mathbf{u}\_{\mathbf{2}})$$

The second result is new and the proof is given below:

*Proof.*

$$\begin{split} & \left( \operatorname{\mathbf{DP}}(F\_{1})\_{\mathbf{u}\_{1}} \ast \operatorname{\mathbf{DP}}(F\_{2})\_{\mathbf{u}\_{2}} \right) (\mathbf{v}) = \sum\_{\mathbf{w} \in \mathcal{V}\_{\mathbf{m}}} \delta\_{\mathrm{F}\_{1}} (\mathbf{u}\_{1}, \mathbf{w} + \mathbf{v}) \cdot \delta\_{\mathrm{F}\_{2}} (\mathbf{u}\_{2}, \mathbf{w}) \\ & = \sum\_{\mathbf{w} \in \mathcal{V}\_{\mathbf{m}}} \frac{1}{2^{n\_{1} + \mathbf{w}}} \sum\_{\mathbf{s} \in \mathcal{V}\_{\mathbf{m}}} r\_{\mathrm{F}\_{1}}(\mathbf{u}\_{1}, \mathbf{s}) \chi\_{\mathbf{w} + \mathbf{v}}(\mathbf{s}) \frac{1}{2^{n\_{2} + \mathbf{w}}} \sum\_{\mathbf{t} \in \mathcal{V}\_{\mathbf{m}}} r\_{\mathrm{F}\_{2}}(\mathbf{u}\_{2}, \mathbf{t}) \chi\_{\mathbf{w}}(\mathbf{t}) \\ & = \frac{1}{2^{n\_{1} + n\_{2} + 2\mathbf{u}}} \sum\_{\mathbf{z} \in \mathcal{V}\_{\mathbf{m}}} r\_{\mathrm{F}\_{1}}(\mathbf{u}\_{1}, \mathbf{z}) r\_{\mathrm{F}\_{2}}(\mathbf{u}\_{2}, \mathbf{z}) \chi\_{\mathbf{v}}(\mathbf{z}) \\ & = \frac{1}{2^{n + 2\mathbf{u}}} \sum\_{\mathbf{z} \in \mathcal{V}\_{\mathbf{m}}} r\_{\mathrm{F}\_{1} \oplus F\_{2}}(\mathbf{u}, \mathbf{z}) \chi\_{\mathbf{v}}(\mathbf{z}) = \frac{1}{2^{\overline{n}}} \mathsf{DP}(F\_{1} \oplus F\_{2})\_{\mathbf{u}}(\mathbf{v}) \end{split}$$

**Example 4.** *The full substitution function of the CAST algorithm S*(*CAST*) ∈ *F*32,32 *is constructed*

Cryptographic Criteria on Vector Boolean Functions 65

*For the exact calculation of the S*(*CAST*) *nonlinearity we need to find out the maximum value from all the elements of a* <sup>2</sup><sup>32</sup> <sup>×</sup> 232 *matrix representing its Walsh Spectrum, or alternatively, to determine the Walsh Spectra of the* 232 *linear combinations of its coordinate functions which are* 232 <sup>×</sup> <sup>1</sup> *matrices. Nevertheless, by 19, the nonlinearity is obtained by calculating the maximum value of the product of the maxima values of four Walsh Spectra (*2<sup>8</sup> <sup>×</sup> <sup>1</sup> *matrices) for each of the* <sup>2</sup><sup>32</sup> *linear combinations of its*

**Theorem 14.** *Let F*<sup>1</sup> *be an* (*n*1, *m*, *t*1) *resilient function and F*<sup>2</sup> *be an* (*n*2, *m*, *t*2)*-resilient function,*

*Proof.* For all **u** ∈ Vn1<sup>+</sup>n2 satisfying *wt*(**u**) = *t*<sup>1</sup> + *t*<sup>2</sup> + 1, exists either **u1** ∈ Vn1 with *wt*(**u1**) = *t*<sup>1</sup> + 1 and **u2** ∈ Vn2 with *wt*(**u2**) = *t*<sup>2</sup> so that **u** = **u1** ⊕ **u2** or **u1** ∈ Vn1 with *wt*(**u1**) = *t*<sup>1</sup> and

*θF*1⊕*F*<sup>2</sup> (**u**, **v**) = 0, ∀ **u** ∈ Vn1<sup>+</sup>n2 , 0 ≤ *wt*(**u**) ≤ *t*<sup>1</sup> + *t*<sup>2</sup> + 1, ∀ **v** �= **0** ∈ Vm

**Corollary 20.** *Let F*<sup>1</sup> *anf F*<sup>2</sup> *balanced functions, then F*<sup>1</sup> ⊕ *F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, 1)*-resilient function. This result is an extension of what was obtained in Seberry & Zhang (1993) for Boolean functions.* **Theorem 15.** *The elements which conform a row in the Autocorrelation Spectrum of the direct sum of two Boolean functions are obtained by the product of the respective components of the rows in both*

*rf*1⊕*f*<sup>2</sup> (**u**) = *rf*<sup>1</sup> (**u1**) · *rf*<sup>2</sup> (**u2**)

<sup>2</sup>*n*1+*n*<sup>2</sup> <sup>∑</sup>**x1**∈Vn1 <sup>∑</sup>**x2**∈Vn2 *<sup>χ</sup>f*<sup>1</sup> (**x1**)*χf*<sup>2</sup> (**x2**)*χf*<sup>1</sup> (**x1** + **u1**)*χf*<sup>2</sup> (**x2** + **u2**)

<sup>1</sup>

<sup>2</sup>*n*<sup>2</sup> <sup>∑</sup>**x2**∈Vn2 *<sup>χ</sup>f*<sup>2</sup> (**x2** + **u2**)*χf*<sup>2</sup> (**x2**)

<sup>2</sup>*<sup>n</sup>* <sup>∑</sup>**x**∈Vn *<sup>χ</sup>f*1⊕*f*<sup>2</sup> (**<sup>x</sup>** + **<sup>u</sup>**)*χf*1⊕*f*<sup>2</sup> (**x**)

<sup>2</sup>*n*<sup>1</sup> <sup>∑</sup>**x1**∈Vn1 *<sup>χ</sup>f*<sup>1</sup> (**x1** + **u1**)*χf*<sup>1</sup> (**x1**)

*θF*<sup>2</sup> (**u2**, **v**) = 0, ∀ **u** ∈ Vn1<sup>+</sup>n2 , 0 ≤ *wt*(**u**) ≤ *t*<sup>1</sup> + *t*<sup>2</sup> + 1, ∀ **v** �= **0** ∈ Vm

**u2** ∈ Vn2 with *wt*(**u2**) = *t*<sup>2</sup> + 1 so that **u** = **u1** ⊕ **u2**. In both scenarios, it holds that:

max**v**∈V32 { <sup>∗</sup> max (WS (**<sup>v</sup>** · *<sup>S</sup>*1(*CAST*)))· <sup>∗</sup> max (WS (**<sup>v</sup>** · *<sup>S</sup>*2(*CAST*)))· <sup>∗</sup> max (WS (**<sup>v</sup>** · *<sup>S</sup>*3(*CAST*)))· <sup>∗</sup> max (WS (**<sup>v</sup>** · *<sup>S</sup>*4(*CAST*)))} <sup>=</sup> <sup>29417472</sup> (24)

<sup>2</sup> 29417472 = 2132774912

*by forming the direct sum of* <sup>4</sup> *S-boxes Si*(*CAST*) ∈ *F*8,32 *satisfying:*

*NL* (*S*(*CAST*)) <sup>=</sup> 232−<sup>1</sup> <sup>−</sup> <sup>1</sup>

*then F*<sup>1</sup> ⊕ *F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, *t*<sup>1</sup> + *t*<sup>2</sup> + 1)*-resilient function.*

*Autocorrelation Spectra. Let f*<sup>1</sup> ∈ *F<sup>n</sup>*<sup>1</sup> , *<sup>f</sup>*<sup>2</sup> ∈ *F<sup>n</sup>*<sup>2</sup> *, then:*

*rf*1⊕*f*<sup>2</sup> (**u**) = <sup>1</sup>

= *rf*<sup>1</sup> (**u1**) · *rf*<sup>2</sup> (**u2**)

= <sup>1</sup>

= <sup>1</sup> *l p* (*S*(*CAST*)) <sup>=</sup> 4.69127 · <sup>10</sup>−<sup>5</sup>

Here we give alternative proof as those given in Zhang & Zheng (1997):

*This result coincides with the estimation of nonlinearity done in Youssef et al. (1997).*

*coordinate functions.*

ˆ

*Proof.*

−→ <sup>ˆ</sup>

*<sup>θ</sup>F*<sup>1</sup> (**u1**, **<sup>v</sup>**) · <sup>ˆ</sup>

### **Corollary 17.**

$$\max^\* \left( \mathsf{WS}(F\_1 \oplus F\_2) \right) = \max\_{\mathbf{v} \in V\_{\mathsf{m}}} \left\{ \max^\* \left( \mathsf{WS}(\mathbf{v} \cdot F\_1) \right) \cdot \max^\* \left( \mathsf{WS}(\mathbf{v} \cdot F\_2) \right) \right\} \tag{22}$$

### **Corollary 18.**

$$\mathfrak{A}\{\mathcal{L}(F\_1 \oplus F\_2) = 2^{n\_1 + n\_2 - 1} - \frac{1}{2} \max\_{\mathbf{v} \in V\_{\mathbf{m}}} \{ \left( 2^{n\_1} - 2 \mathfrak{A} \{ \mathbf{\omega} \cdot F\_1 \} \right) \left( 2^{n\_2} - 2 \mathfrak{A} \{ \mathbf{\omega} \cdot F\_2 \} \right) \}$$

*Proof.*

$$\begin{split} \mathcal{N}\mathcal{L}(F\_{\mathbf{1}}\oplus F\_{\mathbf{2}}) &= 2^{n-1} - \frac{1}{2} \max^\* \left( \hat{\theta}\_{\mathbf{F}\_{\mathbf{1}}\oplus\mathbf{F}\_{\mathbf{2}}}(\mathbf{u}, \mathbf{v}) \right) \\ &= 2^{n-1} - \frac{1}{2} \max\_{\mathbf{v}\in V\_{\mathbf{m}}} \{ \max^\* \left( \hat{\theta}\_{\mathbf{F}\_{\mathbf{1}}}(\mathbf{u}\_{\mathbf{1}}, \mathbf{v}) \right) \cdot \max^\* \left( \hat{\theta}\_{\mathbf{F}\_2}(\mathbf{u}\_{\mathbf{2}}, \mathbf{v}) \right) \} \\ &= 2^{n\_1 + n\_2 - 1} - \frac{1}{2} \max\_{\mathbf{v}\in V\_{\mathbf{m}}} \{ \left( 2^{n\_1} - 2\mathcal{N}\mathcal{L}(\mathbf{v} \cdot \mathbf{F}\_1) \right) \left( 2^{n\_2} - 2\mathcal{N}\mathcal{L}(\mathbf{v} \cdot \mathbf{F}\_2) \right) \} \end{split}$$

This result is a generalization of what is obtained for Boolean functions. Let *<sup>f</sup>* ∈ *F<sup>n</sup>*<sup>1</sup> , *<sup>g</sup>* ∈ *F<sup>n</sup>*<sup>2</sup> then *<sup>f</sup>* ⊕ *<sup>g</sup>* ∈ *F<sup>n</sup>*1+*n*<sup>2</sup> holds that:

$$\mathcal{N}\mathcal{L}(f\oplus g) = 2^{n\_1+n\_2-1} - \frac{1}{2} \left( 2^{n\_1} - 2\mathcal{N}\mathcal{L}(f) \right) \left( 2^{n\_2} - 2\mathcal{N}\mathcal{L}(g) \right),$$

**Corollary 19.** *Let F*<sup>1</sup> ⊕···⊕ *Fi* ∈ *Fni*,*<sup>m</sup>*

$$\begin{aligned} &\mathcal{M}(F\_1 \oplus \cdots \oplus F\_{\bar{i}}) = \\ &= 2^{n-1} - \frac{1}{2} \max\_{\mathbf{v} \in \mathcal{V}\_{\mathbf{m}}} \{ \max^\* \left( \mathcal{W} \mathbf{S} (\mathbf{v} \cdot F\_{\bar{1}}) \right) \cdots \max^\* \left( \mathcal{W} \mathbf{S} (\mathbf{v} \cdot F\_{\bar{i}}) \right) \} \end{aligned} \tag{23}$$

14 Cryptography

The first result was already known for Boolean functions Sarkar & Maitra (2000a), here we

*<sup>θ</sup>F*1⊕*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = *<sup>χ</sup>*ˆ**v**·(*F*1⊕*F*2)(**u1** <sup>⊕</sup> **u2**) = *<sup>χ</sup>*ˆ**v**·*F*1⊕**v**·*F*<sup>2</sup> (**u1** <sup>⊕</sup> **u2**) = *<sup>χ</sup>*ˆ**v**·*F*<sup>1</sup> (**u1**) · *<sup>χ</sup>*ˆ**v**·*F*<sup>2</sup> (**u2**)

(DP(*F*1)**u1** ∗ DP(*F*2)**u2** )(**v**) = <sup>∑</sup>**w**∈Vm *<sup>δ</sup>F*<sup>1</sup> (**u1**, **<sup>w</sup>** + **<sup>v</sup>**) · *<sup>δ</sup>F*<sup>2</sup> (**u2**, **<sup>w</sup>**)

<sup>2</sup>*n*2+*<sup>m</sup>* <sup>∑</sup>**t**∈Vm *rF*<sup>2</sup> (**u2**, **<sup>t</sup>**)*χ***w**(**t**)

{ <sup>∗</sup> max (WS(**<sup>v</sup>** · *<sup>F</sup>*1))· <sup>∗</sup> max (WS(**<sup>v</sup>** · *<sup>F</sup>*2)} (22)

<sup>2</sup>*<sup>m</sup>* DP(*F*<sup>1</sup> ⊕ *F*2)**u**(**v**)

<sup>2</sup> max**v**∈Vm {(2*n*<sup>1</sup> <sup>−</sup> <sup>2</sup>*NL*(**<sup>v</sup>** · *<sup>F</sup>*1)) (2*n*<sup>2</sup> <sup>−</sup> <sup>2</sup>*NL*(**<sup>v</sup>** · *<sup>F</sup>*2))}

<sup>2</sup> (2*n*<sup>1</sup> <sup>−</sup> <sup>2</sup>*NL*(*f*)) (2*n*<sup>2</sup> <sup>−</sup> <sup>2</sup>*NL*(*g*))

<sup>2</sup> max**v**∈Vm { <sup>∗</sup> max (WS(**<sup>v</sup>** · *<sup>F</sup>*1))··· <sup>∗</sup> max (WS(**<sup>v</sup>** · *Fi*))} (23)

*θF*<sup>2</sup> (**u2**, **v**))}

<sup>2</sup>*n*1+*<sup>m</sup>* <sup>∑</sup>**s**∈Vm *rF*<sup>1</sup> (**u1**, **<sup>s</sup>**)*χ***w**+**v**(**s**) <sup>1</sup>

**v**∈Vm

2

<sup>2</sup> max**v**∈Vm { <sup>∗</sup> max (<sup>ˆ</sup>

*NL*(*<sup>f</sup>* <sup>⊕</sup> *<sup>g</sup>*) = <sup>2</sup>*n*1+*n*2−<sup>1</sup> <sup>−</sup> <sup>1</sup>

*NL*(*F*<sup>1</sup> ⊕···⊕ *Fi*) =

<sup>∗</sup> max (ˆ

*θF*1⊕*F*<sup>2</sup> (**u**, **v**))

*<sup>θ</sup>F*<sup>1</sup> (**u1**, **<sup>v</sup>**))· <sup>∗</sup> max (<sup>ˆ</sup>

This result is a generalization of what is obtained for Boolean functions. Let *<sup>f</sup>* ∈ *F<sup>n</sup>*<sup>1</sup> , *<sup>g</sup>* ∈ *F<sup>n</sup>*<sup>2</sup>

<sup>2</sup> max**v**∈Vm {(2*n*<sup>1</sup> <sup>−</sup> <sup>2</sup>*NL*(**<sup>v</sup>** · *<sup>F</sup>*1)) (2*n*<sup>2</sup> <sup>−</sup> <sup>2</sup>*NL*(**<sup>v</sup>** · *<sup>F</sup>*2))}

<sup>2</sup>*n*1+*n*2+2*<sup>m</sup>* <sup>∑</sup>**z**∈Vm *rF*<sup>1</sup> (**u1**, **<sup>z</sup>**)*rF*<sup>2</sup> (**u2**, **<sup>z</sup>**)*χ***v**(**z**)

<sup>2</sup>*n*+2*<sup>m</sup>* <sup>∑</sup>**z**∈Vm *rF*1⊕*F*<sup>2</sup> (**u**, **<sup>z</sup>**)*χ***v**(**z**) = <sup>1</sup>

<sup>∗</sup> max (WS(*F*<sup>1</sup> <sup>⊕</sup> *<sup>F</sup>*2)) = max

*NL*(*F*<sup>1</sup> <sup>⊕</sup> *<sup>F</sup>*2) = <sup>2</sup>*n*1+*n*2−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

then *<sup>f</sup>* ⊕ *<sup>g</sup>* ∈ *F<sup>n</sup>*1+*n*<sup>2</sup> holds that:

**Corollary 19.** *Let F*<sup>1</sup> ⊕···⊕ *Fi* ∈ *Fni*,*<sup>m</sup>*

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>=</sup> <sup>2</sup>*n*1+*n*2−<sup>1</sup> <sup>−</sup> <sup>1</sup>

*NL*(*F*<sup>1</sup> <sup>⊕</sup> *<sup>F</sup>*2) = <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

give a proof for Vector Boolean functions.

= <sup>∑</sup>**w**∈Vm

= <sup>1</sup>

= <sup>1</sup>

The second result is new and the proof is given below:

1

*Proof.*

*Proof.*

**Corollary 17.**

**Corollary 18.**

*Proof.*

ˆ

**Example 4.** *The full substitution function of the CAST algorithm S*(*CAST*) ∈ *F*32,32 *is constructed by forming the direct sum of* <sup>4</sup> *S-boxes Si*(*CAST*) ∈ *F*8,32 *satisfying:*

$$\begin{array}{l} \max\_{\mathbf{v} \in V\_{\mathfrak{U}}} \left( \max^{\star} \left( \mathsf{WS} \left( \mathbf{v} \cdot \mathsf{S}\_{1} (\mathsf{CAST}) \right) \right) \cdot \max^{\star} \left( \mathsf{WS} \left( \mathbf{v} \cdot \mathsf{S}\_{2} (\mathsf{CAST}) \right) \right) \right) \cdot \\\ \max^{\star} \left( \mathsf{WS} \left( \mathbf{v} \cdot \mathsf{S}\_{3} (\mathsf{CAST}) \right) \right) \cdot \max^{\star} \left( \mathsf{WS} \left( \mathbf{v} \cdot \mathsf{S}\_{4} (\mathsf{CAST}) \right) \right) \right) = 29417472 \end{array} \tag{24}$$

*For the exact calculation of the S*(*CAST*) *nonlinearity we need to find out the maximum value from all the elements of a* <sup>2</sup><sup>32</sup> <sup>×</sup> 232 *matrix representing its Walsh Spectrum, or alternatively, to determine the Walsh Spectra of the* 232 *linear combinations of its coordinate functions which are* 232 <sup>×</sup> <sup>1</sup> *matrices. Nevertheless, by 19, the nonlinearity is obtained by calculating the maximum value of the product of the maxima values of four Walsh Spectra (*2<sup>8</sup> <sup>×</sup> <sup>1</sup> *matrices) for each of the* <sup>2</sup><sup>32</sup> *linear combinations of its coordinate functions.*

 $\mathcal{NL}\left(S(CAST)\right) = 2^{32-1} - \frac{1}{2}$  $29417472 = 2132774912$  $\frac{1}{1}\,\mathrm{lp}\left(S(CAST)\right) = 4.69127 \cdot 10^{-5}$ 

*This result coincides with the estimation of nonlinearity done in Youssef et al. (1997).*

**Theorem 14.** *Let F*<sup>1</sup> *be an* (*n*1, *m*, *t*1) *resilient function and F*<sup>2</sup> *be an* (*n*2, *m*, *t*2)*-resilient function, then F*<sup>1</sup> ⊕ *F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, *t*<sup>1</sup> + *t*<sup>2</sup> + 1)*-resilient function.*

Here we give alternative proof as those given in Zhang & Zheng (1997):

*Proof.* For all **u** ∈ Vn1<sup>+</sup>n2 satisfying *wt*(**u**) = *t*<sup>1</sup> + *t*<sup>2</sup> + 1, exists either **u1** ∈ Vn1 with *wt*(**u1**) = *t*<sup>1</sup> + 1 and **u2** ∈ Vn2 with *wt*(**u2**) = *t*<sup>2</sup> so that **u** = **u1** ⊕ **u2** or **u1** ∈ Vn1 with *wt*(**u1**) = *t*<sup>1</sup> and **u2** ∈ Vn2 with *wt*(**u2**) = *t*<sup>2</sup> + 1 so that **u** = **u1** ⊕ **u2**. In both scenarios, it holds that:

$$\begin{cases} \hat{\theta}\_{\mathrm{F}} \left( \mathbf{u}\_{\mathrm{L}} \mathbf{v} \right) \cdot \hat{\theta}\_{\mathrm{F}\_{2}} \left( \mathbf{u}\_{\mathrm{2}} \mathbf{v} \right) = 0, \,\forall \mathbf{u} \in \mathrm{V}\_{\mathrm{n}\_{1} + \mathrm{n}\_{2} \prime} \ 0 \le wt(\mathbf{u}) \le t\_{1} + t\_{2} + 1, \,\forall \mathbf{v} \ne \mathbf{0} \in \mathrm{V}\_{\mathrm{m}\_{1}} \\\ \longrightarrow \hat{\theta}\_{\mathrm{F}\_{1} \ominus \mathrm{F}\_{2}} \left( \mathbf{u}\_{\mathrm{'}} \mathbf{v} \right) = 0, \,\forall \mathbf{u} \in \mathrm{V}\_{\mathrm{n}\_{1} + \mathrm{n}\_{2} \prime} \ 0 \le wt(\mathbf{u}) \le t\_{1} + t\_{2} + 1, \,\forall \mathbf{v} \ne \mathbf{0} \in \mathrm{V}\_{\mathrm{m}} \end{cases}$$

**Corollary 20.** *Let F*<sup>1</sup> *anf F*<sup>2</sup> *balanced functions, then F*<sup>1</sup> ⊕ *F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, 1)*-resilient function. This result is an extension of what was obtained in Seberry & Zhang (1993) for Boolean functions.*

**Theorem 15.** *The elements which conform a row in the Autocorrelation Spectrum of the direct sum of two Boolean functions are obtained by the product of the respective components of the rows in both Autocorrelation Spectra. Let f*<sup>1</sup> ∈ *F<sup>n</sup>*<sup>1</sup> , *<sup>f</sup>*<sup>2</sup> ∈ *F<sup>n</sup>*<sup>2</sup> *, then:*

$$r\_{f\_1 \oplus f\_2}(\mathbf{u}) = r\_{f\_1}(\mathbf{u\_1}) \cdot r\_{f\_2}(\mathbf{u\_2})$$

*Proof.*

$$\begin{array}{l} r\_{f\_{1}\oplus f\_{2}}(\mathbf{u}) = \frac{1}{2^{n}} \sum\_{\mathbf{x}\in\mathcal{V}\_{n}} \chi\_{f\_{1}\oplus f\_{2}}(\mathbf{x}+\mathbf{u})\chi\_{f\_{1}\oplus f\_{2}}(\mathbf{x})\\ = \frac{1}{2^{n\_{1}+n\_{2}}} \sum\_{\mathbf{x}\_{1}\in\mathcal{V}\_{n\_{1}}} \sum\_{\mathbf{x}\_{2}\in\mathcal{V}\_{n\_{2}}} \chi\_{f\_{1}}(\mathbf{x}\_{1})\chi\_{f\_{2}}(\mathbf{x}\_{2})\chi\_{f\_{1}}(\mathbf{x}\_{1}+\mathbf{u}\_{1})\chi\_{f\_{2}}(\mathbf{x}\_{2}+\mathbf{u}\_{2})\\ = \left(\frac{1}{2^{n\_{1}}}\sum\_{\mathbf{x}\_{1}\in\mathcal{V}\_{n\_{1}}} \chi\_{f\_{1}}(\mathbf{x}\_{1}+\mathbf{u}\_{1})\chi\_{f\_{1}}(\mathbf{x}\_{1})\right)\left(\frac{1}{2^{n\_{2}}}\sum\_{\mathbf{x}\_{2}\in\mathcal{V}\_{n\_{2}}} \chi\_{f\_{2}}(\mathbf{x}\_{2}+\mathbf{u}\_{2})\chi\_{f\_{2}}(\mathbf{x}\_{2})\right)\\ = r\_{f\_{1}}(\mathbf{u\_{1}})\cdot r\_{f\_{2}}(\mathbf{u\_{2}}) \end{array}$$

**Corollary 21.** *The Walsh Spectrum (respectively Differential Profile) of the Bricklayer of i Vector Boolean functions F*1|···|*Fi is equal to the Kronecker products of their Walsh Spectra (respectively*

Cryptographic Criteria on Vector Boolean Functions 67

WS(*F*1|···|*Fi*) = WS(*F*1) ··· WS(*Fi*)

DP(*F*1|···|*Fi*) = DP(*F*1) ··· DP(*Fi*) (25)

<sup>2</sup> max{2*n*<sup>1</sup> (2*n*<sup>2</sup> <sup>−</sup> <sup>2</sup>*NL*(*F*2)), 2*n*<sup>2</sup> (2*n*<sup>1</sup> <sup>−</sup> <sup>2</sup>*NL*(*F*1))}

<sup>2</sup>*n*2−<sup>1</sup> })

*θF*<sup>2</sup> (**u2**, **v2**)} where ((**u1**, **u2**) �= **0**) ∧ ((**v1**, **v2**) �= **0**)

*θF*<sup>1</sup> (**u1**, **v1**))}

*dp*(*F*1|···|*Fi*) = max {*dp*(*F*1),..., *dp*(*Fi*)} (26)

<sup>2</sup>*n*1−<sup>1</sup> , 1 <sup>−</sup> *LD*(*F*2)

*Differential Profiles):*

*Proof.* On one hand

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

On the other hand

<sup>=</sup> <sup>2</sup>*n*1+*n*2−<sup>1</sup> <sup>−</sup> <sup>1</sup>

<sup>=</sup> <sup>2</sup>*n*1+*n*2−<sup>1</sup> ·

*functions.*

*NL*(*F*1|*F*2) = <sup>2</sup>*n*−<sup>1</sup> <sup>−</sup> <sup>1</sup>

*LD*(*F*1|*F*2) = <sup>2</sup>*n*−<sup>1</sup> ·

<sup>2</sup> max{ <sup>ˆ</sup>

**Corollary 23.** *Let F*1|···|*Fi* ∈ *Fn*,*<sup>m</sup>*

(48, 32, 7)*- resilient function.*

the analogous in the previous subsection.

*then F*1|*F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*<sup>1</sup> + *m*2, *t*<sup>1</sup> + *t*2)*-resilient function.*

*NL*(*S*) = 248−<sup>1</sup> <sup>−</sup> <sup>1</sup>

*LD*(*S*) = <sup>2</sup>48−<sup>1</sup> ·

*NL*(*F*1|*F*2) = <sup>2</sup>*n*1+*n*2−<sup>1</sup> <sup>−</sup> <sup>1</sup>

2

<sup>1</sup> <sup>−</sup> max

<sup>2</sup> max{2*n*<sup>1</sup> · <sup>∗</sup> max (<sup>ˆ</sup>

*LD*(*F*1|*F*2) = <sup>2</sup>*n*1+*n*2−<sup>1</sup> · (<sup>1</sup> <sup>−</sup> max{<sup>1</sup> <sup>−</sup> *LD*(*F*1)

<sup>∗</sup> max (ˆ

*<sup>θ</sup>F*<sup>1</sup> (**u1**, **v1**) · max(<sup>ˆ</sup>

*<sup>θ</sup>F*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**))

<sup>1</sup><sup>−</sup> <sup>∗</sup> max (*δF*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**))

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> · (<sup>1</sup> <sup>−</sup> max{ <sup>∗</sup> max (*δF*<sup>1</sup> (**u1**, **v1**)), <sup>∗</sup> max (*δF*<sup>2</sup> (**u2**, **v2**))})

<sup>1</sup> <sup>−</sup> *LD*(*F*1)

*<sup>θ</sup>F*<sup>2</sup> (**u2**, **v2**)), 2*n*<sup>2</sup> · <sup>∗</sup> max (<sup>ˆ</sup>

<sup>2</sup> max{2*n*<sup>1</sup> · (2*n*<sup>2</sup> <sup>−</sup> <sup>2</sup>*NL*(*F*2)), 2*n*<sup>2</sup> · (2*n*<sup>1</sup> <sup>−</sup> <sup>2</sup>*NL*(*F*1))}

<sup>=</sup> <sup>2</sup>*n*−<sup>1</sup> · (<sup>1</sup> <sup>−</sup> max{*δF*<sup>1</sup> (**u1**, **v1**) · *<sup>δ</sup>F*<sup>2</sup> (**u2**, **v2**)}) where ((**u1**, **u2**) �<sup>=</sup> **<sup>0</sup>**) <sup>∧</sup> ((**v1**, **v2**) �<sup>=</sup> **<sup>0</sup>**)

2*n*2−<sup>1</sup>

The following theorem and corollary are presented without proofs as they are very similar to

**Theorem 18.** *Let F*<sup>1</sup> *be an* (*n*1, *m*1, *t*1)*-resilient function and F*<sup>2</sup> *be an* (*n*2, *m*2, *t*2)*-resilient function,*

**Corollary 24.** *F*1|*F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, 1)*-resilient function if and only if F*<sup>1</sup> *or F*<sup>2</sup> *are balanced*

**Example 6.** *Let denote S the result of bricklayering all DES S-boxes Si* ∈ *F*6,4 ∀ *<sup>i</sup>* = 1, . . . , 8*, so that S* = *S*1|···|*S*8*. Thanks to the corollary 22, it is possible to calculate the nonlinearity and linearity distance of S by calculating the maximum values of the Walsh Spectra and Differential Profiles of the* 8

*As all Si* ∈ *F*6,4 ∀ *<sup>i</sup>* = 1, . . . , 8 *are balanced S-boxes, then by Theorem 18 it holds that S is an*

<sup>2</sup> <sup>36</sup> · 242 <sup>=</sup> <sup>61572651155456</sup>

4

<sup>=</sup> <sup>3</sup> · 245

*S-boxes. This algorithm deals with eight* 26 <sup>×</sup> 24 *matrices instead of one* 248 <sup>×</sup> 232 *matrix.*

 <sup>1</sup> <sup>−</sup> <sup>1</sup> 4 

*l p*(*S*) = 0.31640625 *dp*(*S*) = <sup>1</sup>

<sup>2</sup>*n*1−<sup>1</sup> , 1 <sup>−</sup> *LD*(*F*2)

**Corollary 22.**

**Theorem 16.** *Let f*<sup>1</sup> *satisfies the PC*(*l*1) *and f*<sup>2</sup> *satisfies the PC*(*l*2)*, then f*<sup>1</sup> ⊕ *f*<sup>2</sup> *satisfies the PC*(*l*) *with l* = min{*l*1, *<sup>l</sup>*2}*. Moreover, it holds that rf*1⊕*f*<sup>2</sup> (**u**) = <sup>0</sup> *for all* **<sup>u</sup>** = **u1** ⊕ **u2** *with wt*(**u**) = *l*<sup>1</sup> + *l*<sup>2</sup> + 1 *except those which satisfies* **u1** = **0** *or* **u2** = **0***.*

*Proof.* By Theorem 15 we can show:

*f*<sup>1</sup> satisfies the *PC*(*l*1) and *f*<sup>2</sup> satisfies the *PC*(*l*2) *rf*<sup>1</sup> (**u1**) = 0, ∀ **u1** ∈ Vn1 , 1 ≤ *wt*(**u1**) ≤ *l*<sup>1</sup> and *rf*<sup>2</sup> (**u2**) = 0, ∀ **u2** ∈ Vn2 , 1 ≤ *wt*(**u2**) ≤ *l*<sup>2</sup> *rf*<sup>1</sup> (**u1**) · *rf*<sup>2</sup> (**u2**) = 0, ∀ **u** = **u1** ⊕ **u2** ∈ Vn1<sup>+</sup>n2 , 1 ≤ *wt*(**u**) ≤ min{*l*1, *l*2} −→ *rf*1⊕*f*<sup>2</sup> (**u**) = 0, ∀ **<sup>u</sup>** ∈ Vn1<sup>+</sup>n2 , 1 ≤ *wt*(**u**) ≤ min{*l*1, *<sup>l</sup>*2}

Besides, for all **u** ∈ Vn1<sup>+</sup>n2 satisfying *wt*(**u**) = *l*<sup>1</sup> + *l*<sup>2</sup> + 1, exists either **u1** ∈ Vn1 with *wt*(**u1**) = *l*<sup>1</sup> + 1 and **u2** ∈ Vn2 with *wt*(**u2**) = *l*<sup>2</sup> so that **u** = **u1** ⊕ **u2** or **u1** ∈ Vn1 with *wt*(**u1**) = *l*<sup>1</sup> and **u2** ∈ Vn2 with *wt*(**u2**) = *l*<sup>2</sup> + 1 so that **u** = **u1** ⊕ **u2**. In both scenarios, it holds that:

$$r\_{f\_1}(\mathbf{u\_1}) \cdot r\_{f\_2}(\mathbf{u\_2}) = 0,\ \forall \mathbf{u} = \mathbf{u\_1} \oplus \mathbf{u\_2} \in V\_{\mathbf{n}\_1 + \mathbf{n}\_2 \prime}, 1 \le wt(\mathbf{u}) \le l\_1 + l\_2 + 1$$

except those where **u1** = **0** because *rf*<sup>1</sup> (**0**) = 1 and *rf*<sup>2</sup> (**u2**) could be non-zero or where **u2** = **0** because *rf*<sup>2</sup> (**0**) = 1 and *rf*<sup>1</sup> (**u1**) could be non-zero.

**Example 5.** *Let f*1, *<sup>f</sup>*<sup>2</sup> ∈ *F*<sup>5</sup> *which both satisfy PC*(2) *where f*1(**x**) = *<sup>x</sup>*1*x*2*x*3*x*<sup>4</sup> + *<sup>x</sup>*1*x*2*x*3*x*<sup>5</sup> + *x*1*x*2*x*4*x*<sup>5</sup> + *x*1*x*3*x*4*x*<sup>5</sup> + *x*2*x*3*x*4*x*<sup>5</sup> + *x*1*x*<sup>4</sup> + *x*1*x*<sup>5</sup> + *x*2*x*<sup>3</sup> + *x*2*x*<sup>5</sup> + *x*3*x*<sup>4</sup> *and f*2(**x**) = *x*1*x*2*x*3*x*<sup>4</sup> + *x*1*x*2*x*3*x*<sup>5</sup> + *x*1*x*2*x*4*x*<sup>5</sup> + *x*1*x*3*x*4*x*<sup>5</sup> + *x*2*x*3*x*4*x*<sup>5</sup> + *x*1*x*<sup>4</sup> + *x*1*x*<sup>5</sup> + *x*2*x*<sup>3</sup> + *x*2*x*<sup>5</sup> + *x*3*x*<sup>4</sup> + *x*<sup>1</sup> + *x*<sup>2</sup> + *x*<sup>3</sup> + *x*<sup>4</sup> + *x*5*. By Theorem 16 then f*<sup>1</sup> ⊕ *f*<sup>2</sup> *satisfies PC*(2)*.*

### **4.6 Bricklayer of Vector Boolean functions**

Let *<sup>n</sup>*1, *<sup>n</sup>*2, *<sup>m</sup>*1, *<sup>m</sup>*<sup>2</sup> ≥ 1 and *<sup>F</sup>*<sup>1</sup> ∈ *Fn*1,*m*<sup>1</sup> , *<sup>F</sup>*<sup>2</sup> ∈ *Fn*2,*m*<sup>2</sup> and the Bricklayer function *<sup>F</sup>*1|*F*<sup>2</sup> ∈ *F<sup>n</sup>*1+*n*2,*m*1+*m*<sup>2</sup> . Let **u1** ∈ Vn1 , **u2** ∈ Vn2 and **<sup>u</sup>** = **u1** ⊕ **u2**, **v1** ∈ Vm1 , **v2** ∈ Vm2 and **<sup>v</sup>** = **v1** ⊕ **v2**.

**Theorem 17.** *The elements which conform the Walsh Spectrum (respect. Differential Profile) of the Bricklayer of two Vector Boolean functions are obtained by the product of the respective components in both Walsh Spectra (respect. Differential Profiles).*

$$\begin{aligned} \hat{\theta}\_{\mathsf{F}\_{1}|\mathsf{F}\_{2}}(\mathsf{u}\_{\mathsf{v}}\,\mathbf{v}) &= \hat{\theta}\_{\mathsf{F}\_{1}}(\mathsf{u}\_{\mathsf{1}\mathsf{v}}\,\mathbf{v}\_{\mathsf{1}}) \cdot \hat{\theta}\_{\mathsf{F}\_{2}}(\mathsf{u}\_{\mathsf{2}\mathsf{v}}\,\mathbf{v}\_{\mathsf{2}}) \\ \delta\_{\mathsf{F}\_{1}|\mathsf{F}\_{2}}(\mathsf{u}\_{\mathsf{v}}\,\mathbf{v}) &= \delta\_{\mathsf{F}\_{1}}(\mathsf{u}\_{\mathsf{1}\mathsf{v}}\,\mathbf{v}\_{\mathsf{1}}) \cdot \delta\_{\mathsf{F}\_{2}}(\mathsf{u}\_{\mathsf{2}\mathsf{v}}\,\mathbf{v}\_{\mathsf{2}}) \end{aligned}$$

*Proof.*

$$\hat{\theta}\_{\mathbb{F}\_{\mathbb{1}}|\mathbb{F}\_{\mathbb{2}}}(\mathbf{u},\mathbf{v}) = \hat{\chi}\_{\left(\mathbf{v}\_{1},\mathbf{v}\_{2}\right)\cdot\left(\mathbb{F}\_{\mathbb{1}}|\mathbb{F}\_{\mathbb{2}}\right)}(\left(\mathbf{u}\_{1},\mathbf{u}\_{2}\right)) = \hat{\chi}\_{\mathbf{v}\_{1}\cdot\mathbb{F}\_{\mathbb{1}}}(\mathbf{u}\_{1})\cdot\hat{\chi}\_{\mathbf{v}\_{2}\cdot\mathbb{F}\_{\mathbb{2}}}(\mathbf{u}\_{2})$$

*Proof.*

$$\begin{array}{l} \delta\_{F\_{1}|\_{F\_{2}}}(\mathbf{u},\mathbf{v}) = \frac{1}{2^{n+m}} \sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{F\_{1}|\_{F\_{2}}}(\mathbf{u},\mathbf{w}) \chi\_{\mathbf{v}}(\mathbf{w})\\ = \frac{1}{2^{n+m}} \sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{F\_{1}|\_{F\_{2}}}(\mathbf{u}\_{1},\mathbf{w}) r\_{F\_{1}|\_{F\_{2}}}(\mathbf{u}\_{2},\mathbf{w}) \chi\_{\mathbf{v}\_{1}}(\mathbf{w}) \chi\_{\mathbf{v}\_{2}}(\mathbf{w})\\ = \left(\frac{1}{2^{n\_{1}+m\_{1}}} \sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{F\_{1}|\_{F\_{2}}}(\mathbf{u}\_{1},\mathbf{w}) \chi\_{\mathbf{v}\_{1}}(\mathbf{w})\right) \left(\frac{1}{2^{n\_{2}+m\_{2}}} \sum\_{\mathbf{w}\in V\_{\mathrm{m}}} r\_{F\_{1}|\_{F\_{2}}}(\mathbf{u}\_{2},\mathbf{w}) \chi\_{\mathbf{v}\_{2}}(\mathbf{w})\right)\\ = \delta\_{F\_{1}}(\mathbf{u}\_{1},\mathbf{v}\_{1}) \cdot \delta\_{F\_{2}}(\mathbf{u}\_{2},\mathbf{v}\_{2}) \end{array}$$

**Corollary 21.** *The Walsh Spectrum (respectively Differential Profile) of the Bricklayer of i Vector Boolean functions F*1|···|*Fi is equal to the Kronecker products of their Walsh Spectra (respectively Differential Profiles):*

$$\begin{array}{l} \mathsf{MS}(F\_1|\cdots|F\_{\bar{i}}) = \mathsf{MS}(F\_1) \otimes \cdots \otimes \mathsf{MS}(F\_{\bar{i}})\\ \mathsf{DP}(F\_1|\cdots|F\_{\bar{i}}) = \mathsf{DP}(F\_1) \otimes \cdots \otimes \mathsf{DP}(F\_{\bar{i}}) \end{array} \tag{25}$$

**Corollary 22.**

16 Cryptography

**Theorem 16.** *Let f*<sup>1</sup> *satisfies the PC*(*l*1) *and f*<sup>2</sup> *satisfies the PC*(*l*2)*, then f*<sup>1</sup> ⊕ *f*<sup>2</sup> *satisfies the PC*(*l*) *with l* = min{*l*1, *<sup>l</sup>*2}*. Moreover, it holds that rf*1⊕*f*<sup>2</sup> (**u**) = <sup>0</sup> *for all* **<sup>u</sup>** = **u1** ⊕ **u2** *with wt*(**u**) =

*rf*<sup>1</sup> (**u1**) · *rf*<sup>2</sup> (**u2**) = 0, ∀ **u** = **u1** ⊕ **u2** ∈ Vn1<sup>+</sup>n2 , 1 ≤ *wt*(**u**) ≤ min{*l*1, *l*2}

Besides, for all **u** ∈ Vn1<sup>+</sup>n2 satisfying *wt*(**u**) = *l*<sup>1</sup> + *l*<sup>2</sup> + 1, exists either **u1** ∈ Vn1 with *wt*(**u1**) = *l*<sup>1</sup> + 1 and **u2** ∈ Vn2 with *wt*(**u2**) = *l*<sup>2</sup> so that **u** = **u1** ⊕ **u2** or **u1** ∈ Vn1 with *wt*(**u1**) = *l*<sup>1</sup> and

*rf*<sup>1</sup> (**u1**) · *rf*<sup>2</sup> (**u2**) = 0, ∀ **u** = **u1** ⊕ **u2** ∈ Vn1<sup>+</sup>n2 , 1 ≤ *wt*(**u**) ≤ *l*<sup>1</sup> + *l*<sup>2</sup> + 1 except those where **u1** = **0** because *rf*<sup>1</sup> (**0**) = 1 and *rf*<sup>2</sup> (**u2**) could be non-zero or where **u2** = **0**

**Example 5.** *Let f*1, *<sup>f</sup>*<sup>2</sup> ∈ *F*<sup>5</sup> *which both satisfy PC*(2) *where f*1(**x**) = *<sup>x</sup>*1*x*2*x*3*x*<sup>4</sup> + *<sup>x</sup>*1*x*2*x*3*x*<sup>5</sup> + *x*1*x*2*x*4*x*<sup>5</sup> + *x*1*x*3*x*4*x*<sup>5</sup> + *x*2*x*3*x*4*x*<sup>5</sup> + *x*1*x*<sup>4</sup> + *x*1*x*<sup>5</sup> + *x*2*x*<sup>3</sup> + *x*2*x*<sup>5</sup> + *x*3*x*<sup>4</sup> *and f*2(**x**) = *x*1*x*2*x*3*x*<sup>4</sup> + *x*1*x*2*x*3*x*<sup>5</sup> + *x*1*x*2*x*4*x*<sup>5</sup> + *x*1*x*3*x*4*x*<sup>5</sup> + *x*2*x*3*x*4*x*<sup>5</sup> + *x*1*x*<sup>4</sup> + *x*1*x*<sup>5</sup> + *x*2*x*<sup>3</sup> + *x*2*x*<sup>5</sup> + *x*3*x*<sup>4</sup> + *x*<sup>1</sup> + *x*<sup>2</sup> +

Let *<sup>n</sup>*1, *<sup>n</sup>*2, *<sup>m</sup>*1, *<sup>m</sup>*<sup>2</sup> ≥ 1 and *<sup>F</sup>*<sup>1</sup> ∈ *Fn*1,*m*<sup>1</sup> , *<sup>F</sup>*<sup>2</sup> ∈ *Fn*2,*m*<sup>2</sup> and the Bricklayer function *<sup>F</sup>*1|*F*<sup>2</sup> ∈ *F<sup>n</sup>*1+*n*2,*m*1+*m*<sup>2</sup> . Let **u1** ∈ Vn1 , **u2** ∈ Vn2 and **<sup>u</sup>** = **u1** ⊕ **u2**, **v1** ∈ Vm1 , **v2** ∈ Vm2 and **<sup>v</sup>** = **v1** ⊕ **v2**. **Theorem 17.** *The elements which conform the Walsh Spectrum (respect. Differential Profile) of the Bricklayer of two Vector Boolean functions are obtained by the product of the respective components in*

*<sup>θ</sup>F*<sup>1</sup> (**u1**, **v1**) · <sup>ˆ</sup>

*<sup>δ</sup>F*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = *<sup>δ</sup>F*<sup>1</sup> (**u1**, **v1**) · *<sup>δ</sup>F*<sup>2</sup> (**u2**, **v2**)

*<sup>θ</sup>F*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = *<sup>χ</sup>*ˆ(**v1**,**v2** )·(*F*1|*F*2)((**u1**, **u2**)) = *<sup>χ</sup>*ˆ**v1** ·*F*<sup>1</sup> (**u1**) · *<sup>χ</sup>*ˆ**v2** ·*F*<sup>2</sup> (**u2**)

<sup>1</sup>

*θF*<sup>2</sup> (**u2**, **v2**)

<sup>2</sup>*n*2+*m*<sup>2</sup> <sup>∑</sup>**w**∈Vm *rF*1|*F*<sup>2</sup> (**u2**, **<sup>w</sup>**)*χ***v2** (**w**)

−→ *rf*1⊕*f*<sup>2</sup> (**u**) = 0, ∀ **<sup>u</sup>** ∈ Vn1<sup>+</sup>n2 , 1 ≤ *wt*(**u**) ≤ min{*l*1, *<sup>l</sup>*2}

**u2** ∈ Vn2 with *wt*(**u2**) = *l*<sup>2</sup> + 1 so that **u** = **u1** ⊕ **u2**. In both scenarios, it holds that:

*l*<sup>1</sup> + *l*<sup>2</sup> + 1 *except those which satisfies* **u1** = **0** *or* **u2** = **0***.*

because *rf*<sup>2</sup> (**0**) = 1 and *rf*<sup>1</sup> (**u1**) could be non-zero.

*x*<sup>3</sup> + *x*<sup>4</sup> + *x*5*. By Theorem 16 then f*<sup>1</sup> ⊕ *f*<sup>2</sup> *satisfies PC*(2)*.*

**4.6 Bricklayer of Vector Boolean functions**

*both Walsh Spectra (respect. Differential Profiles).*

ˆ

*<sup>δ</sup>F*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = <sup>1</sup>

= *δF*<sup>1</sup> (**u1**, **v1**) · *δF*<sup>2</sup> (**u2**, **v2**)

= <sup>1</sup>

= <sup>1</sup>

*Proof.*

*Proof.*

ˆ

*<sup>θ</sup>F*1|*F*<sup>2</sup> (**u**, **<sup>v</sup>**) = <sup>ˆ</sup>

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *rF*1|*F*<sup>2</sup> (**u**, **<sup>w</sup>**)*χ***v**(**w**)

<sup>2</sup>*n*+*<sup>m</sup>* <sup>∑</sup>**w**∈Vm *rF*1|*F*<sup>2</sup> (**u1**, **<sup>w</sup>**)*rF*1|*F*<sup>2</sup> (**u2**, **<sup>w</sup>**)*χ***v1** (**w**)*χ***v2** (**w**)

<sup>2</sup>*n*1+*m*<sup>1</sup> <sup>∑</sup>**w**∈Vm *rF*1|*F*<sup>2</sup> (**u1**, **<sup>w</sup>**)*χ***v1** (**w**)

*f*<sup>1</sup> satisfies the *PC*(*l*1) and *f*<sup>2</sup> satisfies the *PC*(*l*2) *rf*<sup>1</sup> (**u1**) = 0, ∀ **u1** ∈ Vn1 , 1 ≤ *wt*(**u1**) ≤ *l*<sup>1</sup> and *rf*<sup>2</sup> (**u2**) = 0, ∀ **u2** ∈ Vn2 , 1 ≤ *wt*(**u2**) ≤ *l*<sup>2</sup>

*Proof.* By Theorem 15 we can show:

$$\begin{cases} \mathcal{M}(F\_1|F\_2) = 2^{n\_1 + n\_2 - 1} - \frac{1}{2} \max\{2^{n\_1}(2^{n\_2} - 2\mathcal{N}\mathcal{L}(F\_2)), 2^{n\_2}(2^{n\_1} - 2\mathcal{N}\mathcal{L}(F\_1))\} \\\mathcal{L}\mathcal{D}(F\_1|F\_2) = 2^{n\_1 + n\_2 - 1} \cdot (1 - \max\{1 - \frac{\mathcal{L}\mathcal{D}(F\_1)}{2^{n\_1 - 1}}, 1 - \frac{\mathcal{L}\mathcal{D}(F\_2)}{2^{n\_2 - 1}}\}) \end{cases}$$

*Proof.* On one hand

$$\begin{array}{l} \mathcal{NC}(F\_{1}|F\_{2}) = 2^{n-1} - \frac{1}{2} \max\left(\hat{\theta}\_{F\_{1}|F\_{2}}(\mathbf{u}, \mathbf{v})\right) \\ = 2^{n-1} - \frac{1}{2} \max\{\hat{\theta}\_{F\_{1}}(\mathbf{u}\_{1}, \mathbf{v}\_{1}) \cdot \max\{\hat{\theta}\_{F\_{2}}(\mathbf{u}\_{2}, \mathbf{v}\_{2})\} \text{ where } ((\mathbf{u}\_{1}, \mathbf{u}\_{2}) \neq \mathbf{0}) \wedge ((\mathbf{v}\_{1}, \mathbf{v}\_{2}) \neq \mathbf{0})\} \\ = 2^{n-1} - \frac{1}{2} \max\{2^{n\_{1}} \cdot \max\left(\hat{\theta}\_{F\_{2}}(\mathbf{u}\_{2}, \mathbf{v}\_{2})\right), 2^{n\_{2}} \cdot \max\left(\hat{\theta}\_{F\_{1}}(\mathbf{u}\_{1}, \mathbf{v}\_{1})\right)\} \\ = 2^{n\_{1} + n\_{2} - \overline{1}} - \frac{1}{2} \max\{2^{n\_{1}} \cdot (2^{n\_{2}} - 2\mathcal{N}(\mathcal{E}(F\_{2})), 2^{n\_{1}} \cdot (2^{n\_{1}} - 2\mathcal{N}(\mathcal{E}(F\_{1})))\} \end{array}$$

On the other hand

$$\begin{array}{l} \mathcal{L}\mathcal{D}(\mathsf{F}\_{1}|\mathsf{F}\_{2}) = 2^{n-1} \cdot \left(1 - \max^{\*}\left(\delta\_{\mathrm{F}\_{1}|\mathsf{F}\_{2}}(\mathsf{u},\mathsf{v})\right)\right) \\ = 2^{n-1} \cdot \left(1 - \max\{\delta\_{\mathrm{F}\_{1}}(\mathsf{u}\_{1},\mathsf{v}\_{1}) \cdot \delta\_{\mathrm{F}\_{2}}(\mathsf{u}\_{2},\mathsf{v}\_{2})\}\right) \text{ where } ((\mathsf{u}\_{1},\mathsf{u}\_{2}) \neq \mathsf{0}) \wedge ((\mathsf{v}\_{1},\mathsf{v}\_{2}) \neq \mathsf{0}) \\ = 2^{n-1} \cdot \left(1 - \max\left\{\max^{\*}\left(\delta\_{\mathrm{F}\_{1}}(\mathsf{u}\_{1},\mathsf{v}\_{1})\right),\max^{\*}\left(\delta\_{\mathrm{F}\_{2}}(\mathsf{u}\_{2},\mathsf{v}\_{2})\right)\right\}\right) \\ = 2^{n\_{1} + n\_{2} - 1} \cdot \left(1 - \max\left\{1 - \frac{\mathcal{L}\mathcal{D}(\mathsf{F}\_{1})}{2^{n\_{1} - 1}}, 1 - \frac{\mathcal{L}\mathcal{D}(\mathsf{F}\_{2})}{2^{n\_{2} - 1}}\right\}\right) \end{array}$$

**Corollary 23.** *Let F*1|···|*Fi* ∈ *Fn*,*<sup>m</sup>*

$$dp(F\_1|\cdots|F\_i) = \max\left\{dp(F\_1), \ldots, dp(F\_i)\right\} \tag{26}$$

The following theorem and corollary are presented without proofs as they are very similar to the analogous in the previous subsection.

**Theorem 18.** *Let F*<sup>1</sup> *be an* (*n*1, *m*1, *t*1)*-resilient function and F*<sup>2</sup> *be an* (*n*2, *m*2, *t*2)*-resilient function, then F*1|*F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*<sup>1</sup> + *m*2, *t*<sup>1</sup> + *t*2)*-resilient function.*

**Corollary 24.** *F*1|*F*<sup>2</sup> *is an* (*n*<sup>1</sup> + *n*2, *m*, 1)*-resilient function if and only if F*<sup>1</sup> *or F*<sup>2</sup> *are balanced functions.*

**Example 6.** *Let denote S the result of bricklayering all DES S-boxes Si* ∈ *F*6,4 ∀ *<sup>i</sup>* = 1, . . . , 8*, so that S* = *S*1|···|*S*8*. Thanks to the corollary 22, it is possible to calculate the nonlinearity and linearity distance of S by calculating the maximum values of the Walsh Spectra and Differential Profiles of the* 8 *S-boxes. This algorithm deals with eight* 26 <sup>×</sup> 24 *matrices instead of one* 248 <sup>×</sup> 232 *matrix.*

$$\begin{array}{l} \mathcal{N}\mathcal{L}(S) = 2^{48-1} - \frac{1}{2} 36 \cdot 2^{42} = 61572651155456\\ lp(S) = 0.31640625 \, dp(S) = \frac{1}{4} \\ \mathcal{L}\mathcal{D}(S) = 2^{48-1} \cdot \left(1 - \frac{1}{4}\right) = 3 \cdot 2^{45} \end{array}$$

*As all Si* ∈ *F*6,4 ∀ *<sup>i</sup>* = 1, . . . , 8 *are balanced S-boxes, then by Theorem 18 it holds that S is an* (48, 32, 7)*- resilient function.*

Des (1977). Data encryption standard, *In FIPS PUB 46, Federal Information Processing Standards*

Cryptographic Criteria on Vector Boolean Functions 69

J. Seberry, X. Z. & Zheng, Y. (1994). Nonlinearity characteristics of quadratic substitution

Jakobsen, T. & Knudsen, L. R. (1997). The interpolation attack on block ciphers, *Proceedings*

Maitra, S. & Pasalic, E. (2002). Further constructions of resilient boolean functions with very high nonlinearity, *IEEE Transactions on Information Theory* 48(7): 1825 –1834. Matsui, M. (1994). Linear cryptanalysis method for des cipher, *Workshop on the theory and*

Meier, W. & Staffelbach, O. (1990). Nonlinearity criteria for cryptographic functions,

Millan, W. L. (1998). *Analysis and Design of Boolean. Functions for Cryptographic Applications*, PhD thesis, Queensland University of Technology, Faculty of Information Technology. Nyberg, K. (1991). Perfect nonlinear s-boxes, *Proceedings of the 10th annual international*

Nyberg, K. (1993). On the construction of highly nonlinear permutations, *Proceedings of the*

Nyberg, K. (1995). S-boxes and round functions with controllable linearity and differential

Pasalic, E., Maitra, S., Johansson, T. & Sarkar, P. (2001). New constructions of resilient

Pommerening, K. (2005). LinearitatsmaSSe fur boolesche abbildungen, *Technical report*,

Preneel, B., Van Leekwijck, W., Van Linden, L., Govaerts, R. & Vandewalle, J. (2006).

Sarkar, P. & Maitra, S. (2000a). Construction of nonlinear boolean functions with important

Sarkar, P. & Maitra, S. (2000b). Nonlinearity bounds and constructions of resilient boolean

EUROCRYPT'92, Springer-Verlag, Berlin, Heidelberg, pp. 92–98.

*Computer Science*, Springer Berlin / Heidelberg, pp. 111–130.

Fachbereich Mathematik der Johannes-Gutenberg-Universitaet.

Rothaus, O. S. (1976). On "bent" functions., *J. Comb. Theory, Ser. A* 20(3): 300–305.

Springer-Verlag New York, Inc., Secaucus, NJ, USA, pp. 386–397.

*of the 4th International Workshop on Fast Software Encryption*, FSE '97, Springer-Verlag,

*application of cryptographic techniques on Advances in cryptology*, EUROCRYPT '93,

*Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology*, Springer-Verlag New York, Inc., New York, NY, USA,

*conference on Theory and application of cryptographic techniques*, EUROCRYPT'91,

*11th annual international conference on Theory and application of cryptographic techniques*,

uniformity, *in* B. Preneel (ed.), *Fast Software Encryption*, Vol. 1008 of *Lecture Notes in*

and correlation immune boolean functions achieving upper bound on nonlinearity, *Electronic Notes in Discrete Mathematics* 6(0): 158 – 167. WCC2001, International

Propagation characteristics of boolean functions, *in* I. DamgÃˇerd (ed.), *Advances in Cryptology EUROCRYPT'90*, Vol. 473 of *Lecture Notes in Computer Science*, Springer

cryptographic properties, *Proceedings of the 19th international conference on Theory and application of cryptographic techniques*, EUROCRYPT'00, Springer-Verlag, Berlin,

functions, *Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology*, CRYPTO '00, Springer-Verlag, London, UK, pp. 515–532. Schneier, B. (1995). *Applied cryptography (2nd ed.): protocols, algorithms, and source code in C*, John

*Publication*, pp. 46–2.

London, UK, pp. 28–40.

pp. 549–562.

boxes, *Proceedings of the Workshop on SAC'94*.

Springer-Verlag, Berlin, Heidelberg, pp. 378–386.

Workshop on Coding and Cryptography.

Berlin / Heidelberg, pp. 161–173.

Wiley & Sons, Inc., New York, NY, USA.

Heidelberg, pp. 485–506.

### **5. Conclusions**

In this chapter, several characteristics have been obtained for Vector Boolean Functions which are constructed using simpler functions combined in different ways. Precisely, the Walsh Spectrum of the overall function is obtained from the spectra of the functions when they are combined via composition, addition of coordinate functions, direct sum or bricklayer construction. In addition, when affine bijections or projection are employed, the maximum value of the overall Walsh Spectrum is obtained from the maximum values of the involved elements spectra. These results allow for the computation of nonlinearity, balancedness and resiliency of the mentioned constructions.

Alternatively, the Differential Profile of the system resulting from the composition with an affine function, direct sum, or bricklayer is also derived from the Differential Profiles of the involved elements. Moreover, when affine bijections or projections are employed, bounds on the maximum value of the Differential Profile for the resulting Function are also obtained. Therefore, the linearity distance for the cited constructions is computed.

Finally, the Autocorrelation Spectrum of a Vector Boolean Function constructed via affine bijections of Vector Boolean Functions and direct sum of Boolean functions is provided from the knowledge of the respective elements Autocorrelation Spectra. Moreover, the autocorrelation coefficients resulting from adding coordinate functions with linear structures are obtained. As a consequence, the propagation criterion resulting from the cited constructions is also provided.

### **5.1 Acknowledgements**

This work has been partially supported by project MTM2010-15102 of Ministerio de Ciencia e Innovación, Spain, and by projects Q09 0930-182 and Q10 0930-144 of the Universidad Politécnica de Madrid (UPM), Spain.

### **6. References**


18 Cryptography

In this chapter, several characteristics have been obtained for Vector Boolean Functions which are constructed using simpler functions combined in different ways. Precisely, the Walsh Spectrum of the overall function is obtained from the spectra of the functions when they are combined via composition, addition of coordinate functions, direct sum or bricklayer construction. In addition, when affine bijections or projection are employed, the maximum value of the overall Walsh Spectrum is obtained from the maximum values of the involved elements spectra. These results allow for the computation of nonlinearity, balancedness and

Alternatively, the Differential Profile of the system resulting from the composition with an affine function, direct sum, or bricklayer is also derived from the Differential Profiles of the involved elements. Moreover, when affine bijections or projections are employed, bounds on the maximum value of the Differential Profile for the resulting Function are also obtained.

Finally, the Autocorrelation Spectrum of a Vector Boolean Function constructed via affine bijections of Vector Boolean Functions and direct sum of Boolean functions is provided from the knowledge of the respective elements Autocorrelation Spectra. Moreover, the autocorrelation coefficients resulting from adding coordinate functions with linear structures are obtained. As a consequence, the propagation criterion resulting from the cited

This work has been partially supported by project MTM2010-15102 of Ministerio de Ciencia e Innovación, Spain, and by projects Q09 0930-182 and Q10 0930-144 of the Universidad

Adams, C. (1994). Simple and effective key scheduling for symmetric ciphers, *Workshop on*

Adams, C. M. & Tavares, S. E. (1993). Designing s-boxes for ciphers resistant to differential

Biham, E. & Shamir, A. (1991). Differential cryptanalysis of des-like cryptosystems, *Proceedings*

Blaze, M. & Schneier, B. (1995). The macguffin block cipher algorithm, *Fast Software Encryption,*

Carlet, C. (2004). On the secondary constructions of resilient and bent functions, *Progress in*

Chabaud, F. & Vaudenay, S. (1994). Links between differential and linear cryptanalysis,

Chen, L., Fu, F.-W. & Wei, V. K.-W. (2004). On the constructions and nonlinearity of binary vector-output correlation-immune functions, *J. Complex.* 20: 266–283. Daemen, J. & Rijmen, V. (2002). *The Design of Rijndael*, Springer-Verlag New York, Inc.,

cryptanalysis (extended abstract), *Proceedings of the 3rd Symposium on State and*

*of the 10th Annual International Cryptology Conference on Advances in Cryptology*,

Therefore, the linearity distance for the cited constructions is computed.

**5. Conclusions**

resiliency of the mentioned constructions.

constructions is also provided.

Politécnica de Madrid (UPM), Spain.

Secaucus, NJ, USA.

*Selected Areas in Cryptography*, pp. 129–133.

*Progress of Research in Cryptography*, pp. 181–190.

*volume 1008 of Lecture*, Springer-Verlag, pp. 97–110.

*Advances in Cryptology- Eurorypt 1994*, pp. 356–365.

*Computer Science and Applied Logic* 23: 3–28.

CRYPTO '90, Springer-Verlag, London, UK, UK, pp. 2–21.

**5.1 Acknowledgements**

**6. References**


**1. Introduction**

functions (Gopalakrishnan & Stinson, 2008).

cyclotomic matrices to construct CAs (Colbourn, 2010).

others.

A wide variety of problems found in computer science deals with combinatorial objects. Combinatorics is the branch of mathematics that deals with finite countable objects called combinatorial structures. These structures find many applications in different areas such as hardware and software testing, cryptography, pattern recognition, computer vision, among

**Construction of Orthogonal Arrays of Index** 

*2Instituto de Instrumentación para Imagen Molecular (I3M). Centro mixto CSIC -* 

Jose Torres-Jimenez1, Himer Avila-George2,

*Universitat Politécnica de Valéncia - CIEMAT, Valencia* 

*3Universidad Politécnica de Victoria* 

Nelson Rangel-Valdez3 and Loreto Gonzalez-Hernandez1 *1CINVESTAV-Tamaulipas, Information Technology Laboratory* 

**Unity Using Logarithm Tables for Galois Fields** 

**4**

*1,3México 2Spain* 

Of particular interest in this chapter are the combinatorial objects called Orthogonal Arrays (OAs). These objects have been studied given of their wide range of applications in the industry, Gopalakrishnan & Stinson (2008) present their applications in computer science; among them are in the generation of error correcting codes presented by (Hedayat et al., 1999; Stinson, 2004), or in the design of experiments for software testing as shown by Taguchi (1994). To motivate the study of the OAs, it is pointed out their importance in the development of algorithms for the cryptography area. There, OAs have been used for the generation of authentication codes, error correcting codes, and in the construction of universal hash

This chapter proposes an efficient implementation for the Bush's construction (Bush, 1952) of OAs of index unity, based on the use of logarithm tables for Galois Fields. This is an application of the algorithm of Torres-Jimenez et al. (2011). The motivation of this research work born from the applications of OAs in cryptography as shown by Hedayat et al. (1999). Also, it is discussed an alternative use of the logarithm table algorithm for the construction of

The remaining of the chapter is organized as follows. Section 2 presents a formal definition of OAs and the basic notation to be used through this chapter. Section 3 shows the relevance of OAs for cryptography by showing three of their applications, one in the authentication without secrecy, other in the generation of universal hash functions, and a last one in the construction of difference schemes. Section 4 shows the construction methods, reported in


## **Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields**

Jose Torres-Jimenez1, Himer Avila-George2,

Nelson Rangel-Valdez3 and Loreto Gonzalez-Hernandez1 *1CINVESTAV-Tamaulipas, Information Technology Laboratory 2Instituto de Instrumentación para Imagen Molecular (I3M). Centro mixto CSIC - Universitat Politécnica de Valéncia - CIEMAT, Valencia 3Universidad Politécnica de Victoria 1,3México 2Spain* 

### **1. Introduction**

20 Cryptography

70 Cryptography and Security in Computing

Seberry, J. & Zhang, X.-M. (1993). Highly nonlinear 0-1 balanced boolean functions satisfying

Shannon, C. E. (1949). Communication theory of secrecy systems, *Bell System Technical Journal*

Xiao, G.-Z. & Massey, J. (1988). A spectral characterization of correlation-immune combining

Youssef, A., Chen, Z. & Tavares, S. (1997). Construction of highly nonlinear injective s-boxes

Zhang, X.-M. & Zheng, Y. (1997). Cryptographically resilient functions, *IEEE Transactions on*

functions, *IEEE Transactions on Information Theory* 34(3): 569 –571.

*Electrical and Computer Engineering, 1997*, Vol. 1, pp. 330 –333 vol.1.

London, UK, pp. 145–155.

*Information Theory* 43(5): 1740 –1747.

28(4): 657–715.

strict avalanche criterion, *Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques: Advances in Cryptology*, ASIACRYPT '92, Springer-Verlag,

with application to cast-like encryption algorithms, *IEEE 1997 Canadian Conference on*

A wide variety of problems found in computer science deals with combinatorial objects. Combinatorics is the branch of mathematics that deals with finite countable objects called combinatorial structures. These structures find many applications in different areas such as hardware and software testing, cryptography, pattern recognition, computer vision, among others.

Of particular interest in this chapter are the combinatorial objects called Orthogonal Arrays (OAs). These objects have been studied given of their wide range of applications in the industry, Gopalakrishnan & Stinson (2008) present their applications in computer science; among them are in the generation of error correcting codes presented by (Hedayat et al., 1999; Stinson, 2004), or in the design of experiments for software testing as shown by Taguchi (1994).

To motivate the study of the OAs, it is pointed out their importance in the development of algorithms for the cryptography area. There, OAs have been used for the generation of authentication codes, error correcting codes, and in the construction of universal hash functions (Gopalakrishnan & Stinson, 2008).

This chapter proposes an efficient implementation for the Bush's construction (Bush, 1952) of OAs of index unity, based on the use of logarithm tables for Galois Fields. This is an application of the algorithm of Torres-Jimenez et al. (2011). The motivation of this research work born from the applications of OAs in cryptography as shown by Hedayat et al. (1999). Also, it is discussed an alternative use of the logarithm table algorithm for the construction of cyclotomic matrices to construct CAs (Colbourn, 2010).

The remaining of the chapter is organized as follows. Section 2 presents a formal definition of OAs and the basic notation to be used through this chapter. Section 3 shows the relevance of OAs for cryptography by showing three of their applications, one in the authentication without secrecy, other in the generation of universal hash functions, and a last one in the construction of difference schemes. Section 4 shows the construction methods, reported in

Figure 3 shows another example of an *OA*(9; 2, 4, 3); note that this time the alphabet is *v* = 3 and the combination of symbols {(0, 0),(0, 1),(0, 2),(1, 0),(1, 1),(1, 2),(2, 0),(2, 1),(2, 2)}

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 73

;

4. Any permutation of rows or columns in an OA, results in another OA with the same

6. Select the rows of an *OA*(*N*; *t*, *k*, *v*) that starts with the symbol 0, and eliminate the first

The following section presents some applications of OAs in the area of cryptography. These applications are related with the construction of difference schemes, universal hash functions,

The purpose of this section is to present three applications that motivate the study of OAs in the area of cryptography. These applications have been described in (Gopalakrishnan &

The use of authentication codes dates back to 1974, the time when they were invented by Gilbert et al. (1974). Most of the time, the transmission of information between two parts that are interested on keeping the integration of their information, is done through the use of *secrecy*, i.e. the practice of hiding information from certain group of individuals. However, sometimes it is important to transmit the information in areas that are insecure and where it is

�

, where 1 ≤ *t*

� ≤ *t*. The index *λ*� of an OA

� , *k*� ⎡ ⎣ *A*0 ... *Ar*

, *v*) of strength *t*

⎤ ⎦ is an

� =

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

The OAs have some interesting properties, among them are the following ones:

3. Let *Ai* = {0, 1, ...,*r*} be a set of *OA*(*Ni*; *ti*, *k*, *v*), the juxtaposed array *A* =

*OA*(*N*; *t*, *k*, *v*) where *N* = *N*<sup>1</sup> + *N*<sup>2</sup> + ... + *Nr* and *t* ≥ min{*t*0, *t*1, ..., *tr*};

5. Any subarray of size *N* × *k*� of an *OA*(*N*; *t*, *k*, *v*), is an *OA*(*N*; *t*

column; the resulting matrix is an *OA*(*N*/*v*; *t* − 1, *k* − 1, *v*).

**3. Relevance of orthogonal arrays in cryptography**

appears only once in each pair of columns of the OA.

Fig. 3. Example of an *OA*(9; 2, 4, 3).

of strength *t*

parameters;

, *t*};

min{*k*�

1. The parameters of the OA satisfy *λ* = *N*/*v<sup>t</sup>*

� is *<sup>λ</sup>*� <sup>=</sup> *<sup>λ</sup>* · *<sup>v</sup>t*−*<sup>t</sup>*

and in the authentication without secrecy.

Stinson, 2008; Stinson, 1992a).

**3.1 Authentication without secrecy**

2. An OA of strength *t* is also an OA of strength *t*

� ;

the literature, for the construction of OAs. Section 5 presents the algorithm described in Torres-Jimenez et al. (2011) for the construction of the logarithm table of a Galois Field, this algorithm served as basis for a more efficient construction of OAs using the Bush's construction. Section 6 contains the efficient implementation, proposed in this chapter, for the Bush's construction of OAs, based on discrete logarithms. Section 7 presents an extension of the use of the algorithm presented by Torres-Jimenez et al. (2011), in the construction of cyclotomic matrices for CAs. Section 8 shows as results from the proposed approach, a set of bounds obtained for CAs using the constructions of cyclotomic matrices aided by the algorithm described in this chapter. Finally, Section 9 presents the main conclusions derived from the research proposed in this chapter.

### **2. Orthogonal arrays**

The Orthogonal Arrays (OAs) were introduced by Rao (1946; 1947) under the name of *hypercubes* and for use in factorial designs. Figure 1 shows an example of an Orthogonal Array *OA*3(12; 2, 11, 2). The definition of an OA involves that any pair of columns of this


Fig. 1. Example of an *OA*3(12; 2, 11, 2). The interaction, or strength, is 2; also, it has 11 parameters and 12 runs (or test cases) and the combinations {(0, 0),(0, 1),(1, 0),(1, 1)} in each pair of columns extracted from it.

matrix should contain the symbol combinations shown in Figure 2.

$$
\begin{pmatrix} 0 & 0 \\ 0 & 1 \\ 1 & 0 \\ 1 & 1 \end{pmatrix}
$$

Fig. 2. Symbol combinations expected in any pair of columns in an OA of strength 2 and alphabet 2.

Formally, an orthogonal array (OA), denoted by *OAλ*(*N*; *t*, *k*, *v*), can be defined as follows:

**Definition 1.** *An OA, denoted by OA*(*N*; *t*, *k*, *v*)*, is an N* × *k array on v symbols such that every N* × *t sub-array contains all the ordered subsets of size t from v symbols exactly λ times. Orthogonal arrays have the property that λ* = *<sup>N</sup> vt . When λ* = 1 *it can be omitted from the notation and the OA is optimal.*

Figure 3 shows another example of an *OA*(9; 2, 4, 3); note that this time the alphabet is *v* = 3 and the combination of symbols {(0, 0),(0, 1),(0, 2),(1, 0),(1, 1),(1, 2),(2, 0),(2, 1),(2, 2)} appears only once in each pair of columns of the OA.


Fig. 3. Example of an *OA*(9; 2, 4, 3).

2 Will-be-set-by-IN-TECH

the literature, for the construction of OAs. Section 5 presents the algorithm described in Torres-Jimenez et al. (2011) for the construction of the logarithm table of a Galois Field, this algorithm served as basis for a more efficient construction of OAs using the Bush's construction. Section 6 contains the efficient implementation, proposed in this chapter, for the Bush's construction of OAs, based on discrete logarithms. Section 7 presents an extension of the use of the algorithm presented by Torres-Jimenez et al. (2011), in the construction of cyclotomic matrices for CAs. Section 8 shows as results from the proposed approach, a set of bounds obtained for CAs using the constructions of cyclotomic matrices aided by the algorithm described in this chapter. Finally, Section 9 presents the main conclusions derived

The Orthogonal Arrays (OAs) were introduced by Rao (1946; 1947) under the name of *hypercubes* and for use in factorial designs. Figure 1 shows an example of an Orthogonal Array *OA*3(12; 2, 11, 2). The definition of an OA involves that any pair of columns of this

Fig. 1. Example of an *OA*3(12; 2, 11, 2). The interaction, or strength, is 2; also, it has 11 parameters and 12 runs (or test cases) and the combinations {(0, 0),(0, 1),(1, 0),(1, 1)} in

⎛

⎞

⎟⎟⎠

⎜⎜⎝

Fig. 2. Symbol combinations expected in any pair of columns in an OA of strength 2 and

Formally, an orthogonal array (OA), denoted by *OAλ*(*N*; *t*, *k*, *v*), can be defined as follows:

**Definition 1.** *An OA, denoted by OA*(*N*; *t*, *k*, *v*)*, is an N* × *k array on v symbols such that every N* × *t sub-array contains all the ordered subsets of size t from v symbols exactly λ times. Orthogonal*

*vt . When λ* = 1 *it can be omitted from the notation and the OA is*

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

matrix should contain the symbol combinations shown in Figure 2.

from the research proposed in this chapter.

each pair of columns extracted from it.

*arrays have the property that λ* = *<sup>N</sup>*

alphabet 2.

*optimal.*

**2. Orthogonal arrays**

The OAs have some interesting properties, among them are the following ones:


The following section presents some applications of OAs in the area of cryptography. These applications are related with the construction of difference schemes, universal hash functions, and in the authentication without secrecy.

### **3. Relevance of orthogonal arrays in cryptography**

The purpose of this section is to present three applications that motivate the study of OAs in the area of cryptography. These applications have been described in (Gopalakrishnan & Stinson, 2008; Stinson, 1992a).

### **3.1 Authentication without secrecy**

The use of authentication codes dates back to 1974, the time when they were invented by Gilbert et al. (1974). Most of the time, the transmission of information between two parts that are interested on keeping the integration of their information, is done through the use of *secrecy*, i.e. the practice of hiding information from certain group of individuals. However, sometimes it is important to transmit the information in areas that are insecure and where it is

**3.2 Universal hash function**

change the hash function.

can be found in (Stinson, 1994).

*<sup>n</sup>* <sup>=</sup> *b,k* <sup>=</sup> *a and <sup>λ</sup>* <sup>=</sup> <sup>|</sup>*H*|/*n*2*.*

**3.3 Thresholds schemes**

small.

science.

Assume it is wanted to map keys from some universe *U* into *m* bins (labeled). The algorithm will have to handle some data set of |*S*| = *n* keys, which is not known in advance. Usually, the goal of hashing is to obtain a low number of collisions (keys from *S* that land in the same bin). A deterministic hash function cannot offer any guarantee in an adversarial setting if the size of *U* is greater than *m*2, since the adversary may choose *S* to be precisely the preimage of a bin. This means that all data keys land in the same bin, making hashing useless. Furthermore, a deterministic hash function does not allow for rehashing: sometimes the input data turns out to be bad for the hash function (e.g. there are too many collisions), so one would like to

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 75

The solution to these problems is to pick a function randomly from a family of hash functions. A universal hash function is a family of functions indexed by a parameter called the key with the following property: for all distinct inputs, the probability over all keys that they collide is

A family of functions *H* = {*h* : *U* → [*m*]} is called a universal family if Equation 2 holds.

∀*x*, *y* ∈ *U*, *x* �= *y* : *Pr*[*h*(*x*) = *h*(*y*)] ≤

is drawn randomly from *H*. This is exactly the probability of collision we would expect if the hash function assigned truly random hash codes to every key. Sometimes, the definition is relaxed to allow collision probability *O*(1/*m*). This concept was introduced by (Carter & Wegman, 1979; Wegman & Carter, 1981), and has found numerous applications in computer

For practical applications, it is also important that |*H*| is small. This is because *log*2|*H*| bits are needed to specify a hash function from the family. It is fairly straightforward to show that strongly universal hash functions are equivalent to orthogonal arrays. The following theorem

**Theorem 2.** *If there exists an OAλ*(2, *k*, *n*)*, then there exists an SU*<sup>2</sup> *class H of hash functions from A to B, where* <sup>|</sup>*A*<sup>|</sup> <sup>=</sup> *<sup>k</sup>*, <sup>|</sup>*B*<sup>|</sup> <sup>=</sup> *n and* <sup>|</sup>*H*<sup>|</sup> <sup>=</sup> *<sup>λ</sup>n*<sup>2</sup> *. Conversely, if there exists an SU*<sup>2</sup> *class H of hash functions from A to B, where a* = |*A*| *and b* = |*B*|*, then there exists an OAλ*(2, *k*, *n*)*, where*

This theorem helps in establishing lower bounds on the number of hash functions and in constructing classes of hash functions which meet these bounds. It is straightforward to

In a bank, there is a vault which must be opened every day. The bank employs three senior tellers; but it is not desirable to entrust the combination to any one person. Hence, we want

extend the definition and the theorem to *SUt* class of universal hash functions.

A finite set *H* of hash functions is *strongly* − *universal*<sup>2</sup> (or *SU*<sup>2</sup> ) if Equation 3 holds.

Any two keys of the universe collide with probability at most <sup>1</sup>

{*h* ∈ *H* : *h*(*x*1) = *y*1, *h*(*x*2) = *y*2}| = |*H*|/|*B*|

1

*<sup>m</sup>* (2)

*<sup>m</sup>* when the hash function *h*

2, <sup>∀</sup>*x*1, *<sup>x</sup>*<sup>2</sup> <sup>∈</sup> *<sup>A</sup>*(*x*<sup>1</sup> �<sup>=</sup> *<sup>x</sup>*2), *<sup>y</sup>*1, *<sup>y</sup>*<sup>2</sup> <sup>∈</sup> *<sup>B</sup>* (3)

not necessary the secrecy. This part corresponds to the area of *Authentication Without Secrecy* (or AWS). An authentication code without secrecy is a code where an observed message can correspond to a unique source state.

Jones & Seberry (1986) described a situation in which two countries want to set transmission devices to monitor the activities of the other, such that possible compliance can be avoided.

The general model to define the use of the AWS can be described with three participants: a transmitter, a receiver, and an opponent. Let's call these participants Alice, Bob and Gabriel, respectively. Suppose that Alice wants to transmit a message to Bob in a public communication channel; however, they expect that the message must be transmitted integrally, i.e. without any changes in its composition. To do so, Alice encrypted the message and sent it through the channel. An encoding rule (based on a key scheme) ciphers the message; each encoding rule will be a one-to-one function from the source space to the message space. The key used to cipher the message has been sent to Bob (the receiver) through a secure channel, before the message has been encoded. Now, the third party member, Gabriel, has malicious intention of deforming the message. What is the chance of Gabriel to access the message of Alice and Bob and modify it conveniently to affect the final result?

Let's consider the following protocol of communication between Alice and Bob: a) Firstly, Alice and Bob choose the encoding code previously; b) Alice encode the message with a previously chosen key *K*; c) the message *m* = (*s*, *a*) is sent over the communication channel; d) when Bob receives the message he verifies that *a* = *eK*(*s*) so that he ensures that it comes from Alice.

Let *S* be a set of *k* source states; let M be a set of *v* messages; and let E be a set of *b* encoding rules. Since each encoding rule is a one-to-one function from *S* to M, the code can be represented by a *b* × *k* matrix, where the rows are indexed by encoding rules, the columns are indexed by source states, and the entry in row *e* and column *s* is *e*(*s*). This matrix is called the encoding matrix. For any encoding rule *e* ∈ E, define *M*(*e*) = {*e*(*s*) : *s* ∈ *S*}, i.e. the set of valid messages under encoding rule *e*. For an encoding rule *e*, and a message *m* ∈ *M*(*e*), define *e*−1(*m*) = *s* if *e*(*s*) = *m*.

The types of damage that Gabriel can do to the message of Alice and Bob are impersonation, i.e. sending a message to one of them without the message even existed; and substitution, i.e. changing a message sent.

The application of OAs in *authentication without secrecy* is described by the following theorem:

**Theorem 1.** *Suppose that there is an authentication code without secrecy for k source states and having l authenticators, in which Pd*<sup>0</sup> = *Pd*<sup>1</sup> = 1/*l. Then*


$$
\lambda = \frac{k(l-1) + 1}{l^2},
\tag{1}
$$

*and the authentication rules are used with equal probability.*

This theorem has been proven by Stinson (1992a). It also show that this is the minimum probability expected for this case.

### **3.2 Universal hash function**

4 Will-be-set-by-IN-TECH

not necessary the secrecy. This part corresponds to the area of *Authentication Without Secrecy* (or AWS). An authentication code without secrecy is a code where an observed message can

Jones & Seberry (1986) described a situation in which two countries want to set transmission devices to monitor the activities of the other, such that possible compliance can be avoided. The general model to define the use of the AWS can be described with three participants: a transmitter, a receiver, and an opponent. Let's call these participants Alice, Bob and Gabriel, respectively. Suppose that Alice wants to transmit a message to Bob in a public communication channel; however, they expect that the message must be transmitted integrally, i.e. without any changes in its composition. To do so, Alice encrypted the message and sent it through the channel. An encoding rule (based on a key scheme) ciphers the message; each encoding rule will be a one-to-one function from the source space to the message space. The key used to cipher the message has been sent to Bob (the receiver) through a secure channel, before the message has been encoded. Now, the third party member, Gabriel, has malicious intention of deforming the message. What is the chance of Gabriel to access the

Let's consider the following protocol of communication between Alice and Bob: a) Firstly, Alice and Bob choose the encoding code previously; b) Alice encode the message with a previously chosen key *K*; c) the message *m* = (*s*, *a*) is sent over the communication channel; d) when Bob receives the message he verifies that *a* = *eK*(*s*) so that he ensures that it comes

Let *S* be a set of *k* source states; let M be a set of *v* messages; and let E be a set of *b* encoding rules. Since each encoding rule is a one-to-one function from *S* to M, the code can be represented by a *b* × *k* matrix, where the rows are indexed by encoding rules, the columns are indexed by source states, and the entry in row *e* and column *s* is *e*(*s*). This matrix is called the encoding matrix. For any encoding rule *e* ∈ E, define *M*(*e*) = {*e*(*s*) : *s* ∈ *S*}, i.e. the set of valid messages under encoding rule *e*. For an encoding rule *e*, and a message *m* ∈ *M*(*e*),

The types of damage that Gabriel can do to the message of Alice and Bob are impersonation, i.e. sending a message to one of them without the message even existed; and substitution, i.e.

The application of OAs in *authentication without secrecy* is described by the following theorem: **Theorem 1.** *Suppose that there is an authentication code without secrecy for k source states and*

*2.* |E| ≥ *k*(*l* − 1) + 1*, and equality occurs if and only if the authentication matrix is an OAλ*(2, *k*, *l*)

*<sup>λ</sup>* <sup>=</sup> *<sup>k</sup>*(*<sup>l</sup>* <sup>−</sup> <sup>1</sup>) + <sup>1</sup>

This theorem has been proven by Stinson (1992a). It also show that this is the minimum

<sup>2</sup>*, and equality occurs if and only if the authentication matrix is an OA*(2, *k*, *l*) *(with λ* = 1*)*

*<sup>l</sup>*<sup>2</sup> , (1)

message of Alice and Bob and modify it conveniently to affect the final result?

correspond to a unique source state.

from Alice.

*1.* |E| ≥ *l*

*where*

define *e*−1(*m*) = *s* if *e*(*s*) = *m*.

probability expected for this case.

*having l authenticators, in which Pd*<sup>0</sup> = *Pd*<sup>1</sup> = 1/*l. Then*

*and the authentication rules are used with equal probability;*

*and the authentication rules are used with equal probability.*

changing a message sent.

Assume it is wanted to map keys from some universe *U* into *m* bins (labeled). The algorithm will have to handle some data set of |*S*| = *n* keys, which is not known in advance. Usually, the goal of hashing is to obtain a low number of collisions (keys from *S* that land in the same bin). A deterministic hash function cannot offer any guarantee in an adversarial setting if the size of *U* is greater than *m*2, since the adversary may choose *S* to be precisely the preimage of a bin. This means that all data keys land in the same bin, making hashing useless. Furthermore, a deterministic hash function does not allow for rehashing: sometimes the input data turns out to be bad for the hash function (e.g. there are too many collisions), so one would like to change the hash function.

The solution to these problems is to pick a function randomly from a family of hash functions. A universal hash function is a family of functions indexed by a parameter called the key with the following property: for all distinct inputs, the probability over all keys that they collide is small.

A family of functions *H* = {*h* : *U* → [*m*]} is called a universal family if Equation 2 holds.

$$\forall \mathbf{x}, y \in \mathcal{U}, \mathbf{x} \neq y: Pr[h(\mathbf{x}) = h(y)] \le \frac{1}{m} \tag{2}$$

Any two keys of the universe collide with probability at most <sup>1</sup> *<sup>m</sup>* when the hash function *h* is drawn randomly from *H*. This is exactly the probability of collision we would expect if the hash function assigned truly random hash codes to every key. Sometimes, the definition is relaxed to allow collision probability *O*(1/*m*). This concept was introduced by (Carter & Wegman, 1979; Wegman & Carter, 1981), and has found numerous applications in computer science.

A finite set *H* of hash functions is *strongly* − *universal*<sup>2</sup> (or *SU*<sup>2</sup> ) if Equation 3 holds.

$$|\{h \in H : h(\mathbf{x}\_1) = y\_1, h(\mathbf{x}\_2) = y\_2\}| = |H| / |B|^2, \forall \mathbf{x}\_1, \mathbf{x}\_2 \in A(\mathbf{x}\_1 \neq \mathbf{x}\_2), y\_1, y\_2 \in B \tag{3}$$

For practical applications, it is also important that |*H*| is small. This is because *log*2|*H*| bits are needed to specify a hash function from the family. It is fairly straightforward to show that strongly universal hash functions are equivalent to orthogonal arrays. The following theorem can be found in (Stinson, 1994).

**Theorem 2.** *If there exists an OAλ*(2, *k*, *n*)*, then there exists an SU*<sup>2</sup> *class H of hash functions from A to B, where* <sup>|</sup>*A*<sup>|</sup> <sup>=</sup> *<sup>k</sup>*, <sup>|</sup>*B*<sup>|</sup> <sup>=</sup> *n and* <sup>|</sup>*H*<sup>|</sup> <sup>=</sup> *<sup>λ</sup>n*<sup>2</sup> *. Conversely, if there exists an SU*<sup>2</sup> *class H of hash functions from A to B, where a* = |*A*| *and b* = |*B*|*, then there exists an OAλ*(2, *k*, *n*)*, where <sup>n</sup>* <sup>=</sup> *b,k* <sup>=</sup> *a and <sup>λ</sup>* <sup>=</sup> <sup>|</sup>*H*|/*n*2*.*

This theorem helps in establishing lower bounds on the number of hash functions and in constructing classes of hash functions which meet these bounds. It is straightforward to extend the definition and the theorem to *SUt* class of universal hash functions.

### **3.3 Thresholds schemes**

In a bank, there is a vault which must be opened every day. The bank employs three senior tellers; but it is not desirable to entrust the combination to any one person. Hence, we want

**4.1 Rao-Hamming construction**

of the rows of this generator matrix.

**4.2 Difference scheme algorithm**

a Galois field is a difference scheme.

{0, 1, 2, ...,*s* − 1}.

Figure 4.

following theorem describes the purpose of this construction.

is 1. There are (*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>) such columns, as required.

(a)

1001101 0101011 0010111

if the sum exceeds *s*, you divide by *s* and keep the remainder.

⎞ ⎠

⎛ ⎝

The Rao-Hamming construction derived from the geniality of two scientists who independently elaborate procedures for the construction of OAs Hedayat et al. (1999). The

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 77

**Theorem 4.** *If there is a prime power then an OA*(*sn*,(*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>), 2) *exists whenever n* <sup>≥</sup> <sup>2</sup>*.*

A simple way to obtain an orthogonal array with these parameters is the following. This construction always produces linear arrays. Form an *<sup>s</sup><sup>n</sup>* <sup>×</sup> *<sup>n</sup>* array whose rows are all possible *n*-tuples from *GF*(*s*). Let *C*1, ..., *Cn* denote the columns of this array. The columns of the full

where *z* = (*z*1, ..., *zn*)*<sup>T</sup>* is an *n*-tuple from *GF*(*s*), not all the *zi* are zero, and the first nonzero *zi*

An alternative way to construct an OA using the Rao-Hamming Construction is by forming an *<sup>n</sup>* <sup>×</sup> (*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>) matrix whose columns are all nonzero *<sup>n</sup>*-tuples (*z*1, ..., *zn*)*<sup>T</sup>* from *GF*(*s*) in which the first nonzero *zi* is 1. The OA is then formed by taking all the linear combinations

An example of the construction of an OA, taken from Hedayat et al. (1999), is shown in

Fig. 4. Example of the construction of an *OA*(8; 2, 7, 2) using the Rao-Hamming construction. Figure 4(a) contains the generator matrix. Figure 4(b) shows the OA constructed from it.

Difference schemes (DS), denoted by *D*(*r*, *c*,*s*) are tables of *r* rows and *c* columns with *s* symbols such that the difference between each pair of columns yields all the symbols

If you have a difference scheme, you easily generate an orthogonal array by simply replicating the difference scheme *s* times and adding to each replication all symbols in turn modulo (*s*):

So the problem becomes finding difference schemes. For instance, the multiplicative group of

*z*1*C*<sup>1</sup> + ... + *znCn* = [*C*1, ..., *Cn*]*z* (4)

(b)

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

orthogonal array then consist of all columns of the form shown in Equation 4.

to design a system whereby any two of the three senior tellers can gain access to the vault but no individual can do so. This problem can be solved by means of a threshold scheme.

Threshold schemes are actually a special case of secret sharing schemes. Stinson (1992b) presents a survey in this topic. Informally a (*t*, *w*)-threshold scheme is a method of sharing a secret key *K* among a finite set P of *w* participants, in such a way that any *t* participants can compute the value of *K*, but no group of *t* − 1 (or fewer) participants can do so. The value of *K* is chosen by a special participant called the *dealer*. The dealer is denoted by *D* and we assume *D* ∈ P / . When *D* wants to share the key *K* among the participants in P, he gives each participant some partial information called a *share*. The shares should be distributed secretly, so no participant knows the share given to another participant.

At a later time, a subset of participants *B* ⊆ P will pool their shares in an attempt to compute the secret key *K*. If |*B*| ≥ *t*, then they should be able to compute the value of *K* as a function of the shares they collectively hold; if |*B*| < *t*, then they should not be able to compute *K*. In the example described above, we desire a (2, 3)-threshold scheme.

Often, we desire not only that an unauthorized subset of participants should be unable to compute the value of *K* by pooling their shares, but also they should be unable to determine anything about the value of *K*. Such a threshold scheme is called a *perfect threshold scheme*. Here, we will be concerned only about perfect threshold schemes.

We will use the following notation. Let P = {*Pi* : 1 ≤ *i* ≤ *w*} be the set of participants. K is the *key set* (i.e., the set of all possible keys); and *S* is the *share threshold schemes*.

Orthogonal arrays come into picture once again by means of the following theorem due to Dawson & Mahmoodian (1993).

**Theorem 3.** *An ideal* (*t*, *w*) *threshold scheme with* |K| = *v exists if and only if an OA*(*t*, *w* + 1, *v*) *exists.*

The construction of the threshold scheme starting from the orthogonal array proceeds as follows. The first column of the OA corresponds to the dealer and the remaining *w* columns correspond to the *w* participants. To distribute a specific key *K*, the dealer selects a random row of the OA such that *K* appears in the first column and gives out the remaining *w* elements of the row as the shares. When *t* participants later pool their shares, the collective information will determine a unique row of the *OA* (as *λ* = 1) and hence they can compute *K* as the value of the first element in the row.

Can a group of *t* − 1 participants compute *K*? Any possible value of the secret along with the actual shares of these *t* − 1 participants determine a unique row of the *OA*. Hence, no value of the secret can be ruled out. Moreover, it is clear that the *t* − 1 participants can obtain no information about the secret.

### **4. Algorithms to construct OAs**

This section presents some of the state-of-art algorithms for the construction of OAs. Special reference is done to the Bush's construction, which is benefited from the approach presented in this chapter because the efficient way of constructing the OAs using logarithm tables.

### **4.1 Rao-Hamming construction**

6 Will-be-set-by-IN-TECH

to design a system whereby any two of the three senior tellers can gain access to the vault but

Threshold schemes are actually a special case of secret sharing schemes. Stinson (1992b) presents a survey in this topic. Informally a (*t*, *w*)-threshold scheme is a method of sharing a secret key *K* among a finite set P of *w* participants, in such a way that any *t* participants can compute the value of *K*, but no group of *t* − 1 (or fewer) participants can do so. The value of *K* is chosen by a special participant called the *dealer*. The dealer is denoted by *D* and we assume *D* ∈ P / . When *D* wants to share the key *K* among the participants in P, he gives each participant some partial information called a *share*. The shares should be distributed secretly,

At a later time, a subset of participants *B* ⊆ P will pool their shares in an attempt to compute the secret key *K*. If |*B*| ≥ *t*, then they should be able to compute the value of *K* as a function of the shares they collectively hold; if |*B*| < *t*, then they should not be able to compute *K*. In

Often, we desire not only that an unauthorized subset of participants should be unable to compute the value of *K* by pooling their shares, but also they should be unable to determine anything about the value of *K*. Such a threshold scheme is called a *perfect threshold scheme*.

We will use the following notation. Let P = {*Pi* : 1 ≤ *i* ≤ *w*} be the set of participants. K is

Orthogonal arrays come into picture once again by means of the following theorem due

**Theorem 3.** *An ideal* (*t*, *w*) *threshold scheme with* |K| = *v exists if and only if an OA*(*t*, *w* + 1, *v*)

The construction of the threshold scheme starting from the orthogonal array proceeds as follows. The first column of the OA corresponds to the dealer and the remaining *w* columns correspond to the *w* participants. To distribute a specific key *K*, the dealer selects a random row of the OA such that *K* appears in the first column and gives out the remaining *w* elements of the row as the shares. When *t* participants later pool their shares, the collective information will determine a unique row of the *OA* (as *λ* = 1) and hence they can compute *K* as the value

Can a group of *t* − 1 participants compute *K*? Any possible value of the secret along with the actual shares of these *t* − 1 participants determine a unique row of the *OA*. Hence, no value of the secret can be ruled out. Moreover, it is clear that the *t* − 1 participants can obtain no

This section presents some of the state-of-art algorithms for the construction of OAs. Special reference is done to the Bush's construction, which is benefited from the approach presented in this chapter because the efficient way of constructing the OAs using logarithm tables.

no individual can do so. This problem can be solved by means of a threshold scheme.

so no participant knows the share given to another participant.

the example described above, we desire a (2, 3)-threshold scheme.

Here, we will be concerned only about perfect threshold schemes.

to Dawson & Mahmoodian (1993).

of the first element in the row.

information about the secret.

**4. Algorithms to construct OAs**

*exists.*

the *key set* (i.e., the set of all possible keys); and *S* is the *share threshold schemes*.

The Rao-Hamming construction derived from the geniality of two scientists who independently elaborate procedures for the construction of OAs Hedayat et al. (1999). The following theorem describes the purpose of this construction.

**Theorem 4.** *If there is a prime power then an OA*(*sn*,(*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>), 2) *exists whenever n* <sup>≥</sup> <sup>2</sup>*.*

A simple way to obtain an orthogonal array with these parameters is the following. This construction always produces linear arrays. Form an *<sup>s</sup><sup>n</sup>* <sup>×</sup> *<sup>n</sup>* array whose rows are all possible *n*-tuples from *GF*(*s*). Let *C*1, ..., *Cn* denote the columns of this array. The columns of the full orthogonal array then consist of all columns of the form shown in Equation 4.

$$z\_1\mathbf{C}\_1 + \ldots + z\_n\mathbf{C}\_n = [\mathbf{C}\_1, \ldots, \mathbf{C}\_n]z \tag{4}$$

where *z* = (*z*1, ..., *zn*)*<sup>T</sup>* is an *n*-tuple from *GF*(*s*), not all the *zi* are zero, and the first nonzero *zi* is 1. There are (*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>) such columns, as required.

An alternative way to construct an OA using the Rao-Hamming Construction is by forming an *<sup>n</sup>* <sup>×</sup> (*s<sup>n</sup>* <sup>−</sup> <sup>1</sup>)/(*<sup>s</sup>* <sup>−</sup> <sup>1</sup>) matrix whose columns are all nonzero *<sup>n</sup>*-tuples (*z*1, ..., *zn*)*<sup>T</sup>* from *GF*(*s*) in which the first nonzero *zi* is 1. The OA is then formed by taking all the linear combinations of the rows of this generator matrix.

An example of the construction of an OA, taken from Hedayat et al. (1999), is shown in Figure 4.


Fig. 4. Example of the construction of an *OA*(8; 2, 7, 2) using the Rao-Hamming construction. Figure 4(a) contains the generator matrix. Figure 4(b) shows the OA constructed from it.

### **4.2 Difference scheme algorithm**

Difference schemes (DS), denoted by *D*(*r*, *c*,*s*) are tables of *r* rows and *c* columns with *s* symbols such that the difference between each pair of columns yields all the symbols {0, 1, 2, ...,*s* − 1}.

If you have a difference scheme, you easily generate an orthogonal array by simply replicating the difference scheme *s* times and adding to each replication all symbols in turn modulo (*s*): if the sum exceeds *s*, you divide by *s* and keep the remainder.

So the problem becomes finding difference schemes. For instance, the multiplicative group of a Galois field is a difference scheme.

(a)

1 1

⎞ ⎠

Fig. 7. Example of two Hadamard matrices *H*2, *H*<sup>4</sup> of orders 2 and 4, respectively.

The Hadamard matrix *H*4, that is shown in Figure 7(b), does not differ from the Rao-Hamming

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 79

Figure 8 shows another example of a Hadamard matrix. This time it is shown its corresponding OA resulting after the removal of the first column and a symbol recoding.

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

Fig. 8. Figure 8(a) shows a Hadamard matrix of order 8; Figure 8(b) presents its equivalent

Not all Hadamard matrices can be generated by the Rao Hamming algorithm just by the addition of a column of 1's. Rao Hamming works if the number of levels is a power of a prime number. And this happens in a Hadamard matrix, where the number of levels is 2 (prime number). But not all Rao Hamming arrays are square after the addition of a single column of 1's. Moreover, the number of rows in a Rao Hamming OA is a power of the number of levels. Remember the general form *OA*(*sn*; 2,(*sn* − 1)/(*s* − 1),*s*), Hadamard matrices are square and the number of rows in the array need only to be a multiple of 4. For instance, 12 is a multiple of 4, it is not a prime power being the product 3. No Rao Hamming construction would yield

This construction considers all the elements of the Galois Field *GF*(*v*), and all the polynomials *yj*(*x*) = *at*−1*xt*−<sup>1</sup> <sup>+</sup> *at*−2*xt*−<sup>2</sup> <sup>+</sup> ... <sup>+</sup> *<sup>a</sup>*1*<sup>x</sup>* <sup>+</sup> *<sup>a</sup>*0, where *ai* <sup>∈</sup> *GF*(*v*). The number of polynomials

Let's denote each element of *GF*(*v*) as *ei*, for 0 ≤ *i* ≤ *v* − 1. The construction of an OA

, due to the fact that there are *v* different coefficients per each of the *t* terms.

(b)

11 1 1 1 −1 1 −1 1 1 −1 −1 1 −1 −1 1

⎞

⎟⎟⎠

(b)

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

; *t*, *v* + 1, *v*), where *v* = *p<sup>n</sup>* is a prime power.

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

⎛

⎜⎜⎝

*H*<sup>4</sup> =

1 −1

(a)

11 1 1 1 1 1 1 1 −1 1 −1 1 −1 1 −1 1 1 −1 −11 1 −1 −1 1 −1 −11 1 −1 −1 1 11 1 1 −1 −1 −1 −1 1 −1 1 −1 −1 1 −1 1 1 1 −1 −1 −1 −11 1 1 −1 −1 1 −11 1 −1

⎛ ⎝

*H*<sup>2</sup> =

*OA*(4; 2, 3, 2) .

*OA*2(2, 7, 2).

a *H*<sup>12</sup> matrix.

*yj*(*x*) are *v<sup>t</sup>*

**4.4 The Bush's construction**

The Bush's construction is used to construct *OA*(*v<sup>t</sup>*

following the Bush's construction is done as follow:

1. Generate a matrix <sup>M</sup> formed by *<sup>v</sup><sup>t</sup>* rows and *<sup>v</sup>* <sup>+</sup> 1 columns; 2. Label the first *v* columns of M with an element *ei* ∈ *GF*(*v*);

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

```
⎛
⎜⎜⎜⎜⎜⎜⎝
  000000
  012120
  021102
  022011
  001221
  010212
           ⎞
           ⎟⎟⎟⎟⎟⎟⎠
```
Fig. 5. Example of a difference scheme *D*(6, 6, 3).

An example is shown in Figure 5, as the multiplication table of *GF*(22).

Given that the DS *D*(*r*, *c*,*s*) is an array of size *r* × *c* based on the *s* elements of a group *G* so that for any two columns the element-wise differences contain every element of *G* equally often; clearly *r* = *λs* for some *λ* called the index.

If *D* = *D*(*r*, *c*,*s*), then ⎡ ⎢ ⎢ ⎣ *D* + 0 *D* + 1 ... *D* + (*s* − 1) ⎤ ⎥ ⎥ ⎦ is an *OA*(*rs*; 2, *c*,*s*). Figure 6 shows the construction of the *OA*(16; 2, 4, 4) from a *D*(4, 4, 4).

$$\begin{array}{c} \mbox{(a)} \\ \begin{pmatrix} 0 \ 0 \ 0 \ 0 \\ 0 \ 1 \ 2 \ 3 \\ 0 \ 2 \ 3 \ 1 \\ 0 \ 3 \ 1 \ 2 \end{pmatrix} \\ \mbox{(b)} \\ \mbox{5-5} \\ \mbox{1} \\ \mbox{2} \\ \mbox{1} \\ \mbox{2} \\ \mbox{2} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{0} \\ \end{array} \end{array} \begin{array}{c} \mbox{(b)} \\ \mbox{(b)} \\ \mbox{(c)} \\ \mbox{0} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \end{array} \end{array} \begin{array}{c} \mbox{(b)} \\ \mbox{(c)} \\ \mbox{(d)} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \mbox{1} \\ \mbox{2} \\ \mbox{3} \\ \mbox{3} \\ \end{array}$$

Fig. 6. Generated orthogonal array *OA*(16; 2, 4, 4) using the *D*(4, 4, 4). Figure 6(a) presents the different scheme *D* = (4, 4, 4). Figure 6(b) the OA constructed.

### **4.3 Hadamard matrix algorithms**

Hadamard matrix is a *DS* with only two symbols: {−1, +1}. The interest in Hadamard matrices lies in the Hadamard conjecture which states that all multiples of 4 have a corresponding Hadamard matrix. Hadamard matrices are square matrices with a fixed column of just 1's. The smallest one is shown in Figure 7(a).

$$H\_2 = \begin{pmatrix} \text{a)} \\ \begin{pmatrix} 1 & 1 \\ & 1 \end{pmatrix} \\ 1 - 1 \end{pmatrix} \qquad \qquad H\_4 = \begin{pmatrix} \text{b)} \\ \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 - 1 & 1 & -1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix} \end{pmatrix}$$

Fig. 7. Example of two Hadamard matrices *H*2, *H*<sup>4</sup> of orders 2 and 4, respectively.

The Hadamard matrix *H*4, that is shown in Figure 7(b), does not differ from the Rao-Hamming *OA*(4; 2, 3, 2) .

Figure 8 shows another example of a Hadamard matrix. This time it is shown its corresponding OA resulting after the removal of the first column and a symbol recoding.


Fig. 8. Figure 8(a) shows a Hadamard matrix of order 8; Figure 8(b) presents its equivalent *OA*2(2, 7, 2).

Not all Hadamard matrices can be generated by the Rao Hamming algorithm just by the addition of a column of 1's. Rao Hamming works if the number of levels is a power of a prime number. And this happens in a Hadamard matrix, where the number of levels is 2 (prime number). But not all Rao Hamming arrays are square after the addition of a single column of 1's. Moreover, the number of rows in a Rao Hamming OA is a power of the number of levels.

Remember the general form *OA*(*sn*; 2,(*sn* − 1)/(*s* − 1),*s*), Hadamard matrices are square and the number of rows in the array need only to be a multiple of 4. For instance, 12 is a multiple of 4, it is not a prime power being the product 3. No Rao Hamming construction would yield a *H*<sup>12</sup> matrix.

### **4.4 The Bush's construction**

8 Will-be-set-by-IN-TECH

Given that the DS *D*(*r*, *c*,*s*) is an array of size *r* × *c* based on the *s* elements of a group *G* so that for any two columns the element-wise differences contain every element of *G* equally often;

⎞

⎟⎟⎟⎟⎟⎟⎠

is an *OA*(*rs*; 2, *c*,*s*). Figure 6 shows the construction of

(b)

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

Fig. 6. Generated orthogonal array *OA*(16; 2, 4, 4) using the *D*(4, 4, 4). Figure 6(a) presents

Hadamard matrix is a *DS* with only two symbols: {−1, +1}. The interest in Hadamard matrices lies in the Hadamard conjecture which states that all multiples of 4 have a corresponding Hadamard matrix. Hadamard matrices are square matrices with a fixed

⎛

⎜⎜⎜⎜⎜⎜⎝

An example is shown in Figure 5, as the multiplication table of *GF*(22).

⎤ ⎥ ⎥ ⎦

(a)

⎞

⎟⎟⎠

Fig. 5. Example of a difference scheme *D*(6, 6, 3).

clearly *r* = *λs* for some *λ* called the index.

the *OA*(16; 2, 4, 4) from a *D*(4, 4, 4).

**4.3 Hadamard matrix algorithms**

⎡ ⎢ ⎢ ⎣

*D* + 0 *D* + 1 ... *D* + (*s* − 1)

⎛

⎜⎜⎝

the different scheme *D* = (4, 4, 4). Figure 6(b) the OA constructed.

column of just 1's. The smallest one is shown in Figure 7(a).

If *D* = *D*(*r*, *c*,*s*), then

The Bush's construction is used to construct *OA*(*v<sup>t</sup>* ; *t*, *v* + 1, *v*), where *v* = *p<sup>n</sup>* is a prime power. This construction considers all the elements of the Galois Field *GF*(*v*), and all the polynomials *yj*(*x*) = *at*−1*xt*−<sup>1</sup> <sup>+</sup> *at*−2*xt*−<sup>2</sup> <sup>+</sup> ... <sup>+</sup> *<sup>a</sup>*1*<sup>x</sup>* <sup>+</sup> *<sup>a</sup>*0, where *ai* <sup>∈</sup> *GF*(*v*). The number of polynomials *yj*(*x*) are *v<sup>t</sup>* , due to the fact that there are *v* different coefficients per each of the *t* terms.

Let's denote each element of *GF*(*v*) as *ei*, for 0 ≤ *i* ≤ *v* − 1. The construction of an OA following the Bush's construction is done as follow:


**Algorithm 5.1:** BUILDLOGARITHMTABLE(*p*, *n*)

**while** (P(*x*), *<sup>k</sup>*) �∈ L **and** *<sup>k</sup>* <sup>&</sup>lt; *<sup>p</sup><sup>n</sup>* <sup>−</sup> <sup>1</sup>

Now, it follows the presentation of the core of this chapter, the efficient implementation of the Bush construction for OAs, based on a modification of the algorithm presented in this section.

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 81

The idea that leads to an efficient construction of OAs through the Bush's construction relies on the algorithm proposed in (Torres-Jimenez et al., 2011). This algorithm computes the logarithm tables and the primitive element of a given Galois Field *GF*(*v*). In this chapter, it is proposed an extension of this algorithm such that it can be used in combination with the Bush's construction to efficiently construct OAs of index unity. The result is an algorithm that

Let's show an example of this contribution. Suppose that it is wanted to construct the *OA*(43; 3, 5, 4). This array has an alphabet *<sup>v</sup>* <sup>=</sup> *<sup>p</sup><sup>n</sup>* <sup>=</sup> 22 <sup>=</sup> 4 and size 64 <sup>×</sup> 5. To construct it, it is required the polynomial *x* + 1 as the primitive element of *GF*(22), and the logarithm table shown in Table 2(a) (both computed using the algorithm in (Torres-Jimenez et al., 2011)). Table 2(b) is a modified version of the logarithm table that contains all the elements *ei* <sup>∈</sup> *GF*(22) (this includes *<sup>e</sup>*0, the only one which can not be generated by powers of the

The following step in the construction of the OA is the construction of the matrix M. For this purpose, firstly it is labeled its first *<sup>v</sup>* columns with the elements *ei* <sup>∈</sup> *GF*(22); after that, the rows are labeled with all the polynomials of maximum degree 2 and coefficients *ej* <sup>∈</sup> *GF*(22). Next, it is defined the integer value *<sup>u</sup>* for each cell *mj*,*<sup>i</sup>* ∈ M, where 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1 and

(b) **Element ei** <sup>∈</sup> **GF**(**22**) **Polynomial in GF**(**22**) *e*<sup>0</sup> 0 *e*<sup>1</sup> 1 *e*<sup>2</sup> *x e*<sup>3</sup> *x* + 1

uses only additions and modulus operations to evaluate the polynomials *yj*(*x*).

Table 2. Logarithm table for *GF*(22), with primitive element *x* + 1.

L←L �(P(*x*), *<sup>k</sup>*)

*k* ← *k* + 1 P(*x*) ← *p* ∗ P(*x*)

**return** (*ρ*)

**for each** *<sup>ρ</sup>* <sup>∈</sup> *GF*(*pn*) <sup>−</sup> <sup>0</sup>

L ← ∅ P(*x*) ← 1 *k* ← 0

**do**

⎧ ⎨ ⎩

**if** *<sup>k</sup>* <sup>=</sup> *<sup>p</sup><sup>n</sup>* <sup>−</sup> <sup>1</sup> **then** �

**6. Efficient construction of OAs**

**do**

⎧

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

**return** (L)

primitive element).

(a) **Power Polynomial in GF**(**22**)

0 1 1 *x* 2 *x* + 1


The constructed matrix M following the previous steps is an OA. We point out in this moment that the construction requires the evaluation of the polynomials *yj*(*x*) to construct the OA. The following subsection describes the general idea of the algorithm that does this construction with an efficient evaluation of these polynomials.

This section presented a survey of some construction reported in the scientific literature that are used to generate OAs. The following section will present an algorithm for the generation of logarithm tables of finite fields.

### **5. Algorithm for the construction of logarithm tables of Galois fields**

In Barker (1986) a more efficient method to multiply two polynomials in *GF*(*pn*) is presented. The method is based on the definition of logarithms and antilogarithms in *GF*(*pn*). According with Niederreiter (1990), given a primitive element *ρ* of a finite field *GF*(*pn*), the discrete logarithm of a nonzero element *<sup>u</sup>* <sup>∈</sup> *GF*(*pn*) is that integer *<sup>k</sup>*, 1 <sup>≤</sup> *<sup>k</sup>* <sup>≤</sup> *<sup>p</sup><sup>n</sup>* <sup>−</sup> 1, for which *u* = *ρk*. The antilogarithm for an integer *k* given a primitive element *ρ* in *GF*(*pn*) is the element *<sup>u</sup>* <sup>∈</sup> *GF*(*pn*) such that *<sup>u</sup>* <sup>=</sup> *<sup>ρ</sup>k*. Table 1 shows the table of logarithms and antilogarithms for the elements *<sup>u</sup>* <sup>∈</sup> *GF*(32) using the primitive element *<sup>x</sup>*<sup>2</sup> <sup>=</sup> <sup>2</sup>*<sup>x</sup>* <sup>+</sup> 1; column 1 shows the elements in *GF*(32) (the antilogarithm) and column 2 the logarithm.

Using the definition of logarithms and antilogarithms in *GF*(*pn*), the multiplication between two polynomials <sup>P</sup>1(*x*)P2(*x*) <sup>∈</sup> *GF*(*pn*) can be done using their logarithms *<sup>l</sup>*<sup>1</sup> <sup>=</sup> *log*(P1(*x*)), *l*<sup>2</sup> = *log*(P2(*x*)). First, the addition of logarithms *l*<sup>1</sup> + *l*<sup>2</sup> is done and then the antilogarithm of the result is computed.


Table 1. Logarithm table of *GF*(32) using the primitive element 2*x* + 1.

Torres-Jimenez et al. (2011) proposed an algorithm for the construction of logarithm tables for Galois Fields *GF*(*pn*). The pseudocode is shown in Algorithm 5.1. The algorithm simultaneously finds a primitive element and constructs the logarithm table for a given *GF*(*pn*).

**Algorithm 5.1:** BUILDLOGARITHMTABLE(*p*, *n*) **for each** *<sup>ρ</sup>* <sup>∈</sup> *GF*(*pn*) <sup>−</sup> <sup>0</sup> **do** ⎧ ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨ ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩ L ← ∅ P(*x*) ← 1 *k* ← 0 **while** (P(*x*), *<sup>k</sup>*) �∈ L **and** *<sup>k</sup>* <sup>&</sup>lt; *<sup>p</sup><sup>n</sup>* <sup>−</sup> <sup>1</sup> **do** ⎧ ⎨ ⎩ L←L �(P(*x*), *<sup>k</sup>*) *k* ← *k* + 1 P(*x*) ← *p* ∗ P(*x*) **if** *<sup>k</sup>* <sup>=</sup> *<sup>p</sup><sup>n</sup>* <sup>−</sup> <sup>1</sup> **then** � **return** (*ρ*) **return** (L)

Now, it follows the presentation of the core of this chapter, the efficient implementation of the Bush construction for OAs, based on a modification of the algorithm presented in this section.

### **6. Efficient construction of OAs**

10 Will-be-set-by-IN-TECH

4. For each cell *mj*,*<sup>i</sup>* ∈ M, 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1, 0 <sup>≤</sup> *<sup>i</sup>* <sup>≤</sup> *<sup>v</sup>* <sup>−</sup> 1, assign the value *<sup>u</sup>* whenever *yj*(*ei*) = *eu* (i.e. evaluates the polynomial *yj*(*x*) with *x* = *ei* and determines the result in

5. Assign value *<sup>u</sup>* in cell *mj*,*i*, for 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1, *<sup>i</sup>* <sup>=</sup> *<sup>v</sup>*, if *eu* is the leading coefficient of *yj*(*x*),

The constructed matrix M following the previous steps is an OA. We point out in this moment that the construction requires the evaluation of the polynomials *yj*(*x*) to construct the OA. The following subsection describes the general idea of the algorithm that does this construction

This section presented a survey of some construction reported in the scientific literature that are used to generate OAs. The following section will present an algorithm for the generation

In Barker (1986) a more efficient method to multiply two polynomials in *GF*(*pn*) is presented. The method is based on the definition of logarithms and antilogarithms in *GF*(*pn*). According with Niederreiter (1990), given a primitive element *ρ* of a finite field *GF*(*pn*), the discrete logarithm of a nonzero element *<sup>u</sup>* <sup>∈</sup> *GF*(*pn*) is that integer *<sup>k</sup>*, 1 <sup>≤</sup> *<sup>k</sup>* <sup>≤</sup> *<sup>p</sup><sup>n</sup>* <sup>−</sup> 1, for which *u* = *ρk*. The antilogarithm for an integer *k* given a primitive element *ρ* in *GF*(*pn*) is the element *<sup>u</sup>* <sup>∈</sup> *GF*(*pn*) such that *<sup>u</sup>* <sup>=</sup> *<sup>ρ</sup>k*. Table 1 shows the table of logarithms and antilogarithms for the elements *<sup>u</sup>* <sup>∈</sup> *GF*(32) using the primitive element *<sup>x</sup>*<sup>2</sup> <sup>=</sup> <sup>2</sup>*<sup>x</sup>* <sup>+</sup> 1; column 1 shows the elements

Using the definition of logarithms and antilogarithms in *GF*(*pn*), the multiplication between two polynomials <sup>P</sup>1(*x*)P2(*x*) <sup>∈</sup> *GF*(*pn*) can be done using their logarithms *<sup>l</sup>*<sup>1</sup> <sup>=</sup> *log*(P1(*x*)), *l*<sup>2</sup> = *log*(P2(*x*)). First, the addition of logarithms *l*<sup>1</sup> + *l*<sup>2</sup> is done and then the

> *Element u* <sup>∈</sup> *GF*(*pn*) log2*x*+1(*u*) 1 0 *x* 1 2*x* + 1 2 2*x* + 2 3 2 4 2*x* 5 *x* + 2 6 *x* + 1 7

Torres-Jimenez et al. (2011) proposed an algorithm for the construction of logarithm tables for Galois Fields *GF*(*pn*). The pseudocode is shown in Algorithm 5.1. The algorithm simultaneously finds a primitive element and constructs the logarithm table for a given

**5. Algorithm for the construction of logarithm tables of Galois fields**

3. Label each row of M with a polynomial *yj*(*x*);

with an efficient evaluation of these polynomials.

in *GF*(32) (the antilogarithm) and column 2 the logarithm.

Table 1. Logarithm table of *GF*(32) using the primitive element 2*x* + 1.

i.e. *eu* <sup>=</sup> *at*−<sup>1</sup> in the term *at*−1*xt*−<sup>1</sup> of the polynomial *yj*(*x*).

the domain of *GF*(*v*)); and

of logarithm tables of finite fields.

antilogarithm of the result is computed.

*GF*(*pn*).

The idea that leads to an efficient construction of OAs through the Bush's construction relies on the algorithm proposed in (Torres-Jimenez et al., 2011). This algorithm computes the logarithm tables and the primitive element of a given Galois Field *GF*(*v*). In this chapter, it is proposed an extension of this algorithm such that it can be used in combination with the Bush's construction to efficiently construct OAs of index unity. The result is an algorithm that uses only additions and modulus operations to evaluate the polynomials *yj*(*x*).

Let's show an example of this contribution. Suppose that it is wanted to construct the *OA*(43; 3, 5, 4). This array has an alphabet *<sup>v</sup>* <sup>=</sup> *<sup>p</sup><sup>n</sup>* <sup>=</sup> 22 <sup>=</sup> 4 and size 64 <sup>×</sup> 5. To construct it, it is required the polynomial *x* + 1 as the primitive element of *GF*(22), and the logarithm table shown in Table 2(a) (both computed using the algorithm in (Torres-Jimenez et al., 2011)). Table 2(b) is a modified version of the logarithm table that contains all the elements *ei* <sup>∈</sup> *GF*(22) (this includes *<sup>e</sup>*0, the only one which can not be generated by powers of the primitive element).


Table 2. Logarithm table for *GF*(22), with primitive element *x* + 1.

The following step in the construction of the OA is the construction of the matrix M. For this purpose, firstly it is labeled its first *<sup>v</sup>* columns with the elements *ei* <sup>∈</sup> *GF*(22); after that, the rows are labeled with all the polynomials of maximum degree 2 and coefficients *ej* <sup>∈</sup> *GF*(22). Next, it is defined the integer value *<sup>u</sup>* for each cell *mj*,*<sup>i</sup>* ∈ M, where 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1 and

During the definition of values *eu*, the polynomials *yj*(*ei*) must be evaluated. For example, the evaluation of the polynomial *y*<sup>14</sup> = *e*3*x* + *e*<sup>1</sup> at value *x* = *e*<sup>2</sup> yields *y*14(*e*2) = *e*3*x* + *e*<sup>1</sup> = *e*<sup>3</sup> · *e*<sup>2</sup> + *e*<sup>1</sup> = *e*0. To obtain the result *e*<sup>0</sup> it is necessary to multiply the polynomials *e*<sup>3</sup> and *e*2, and to add the result to *e*1. Here is where lies the main contribution shown in this chapter, it is proposed to use the primitive element and the logarithm table constructed by the algorithm in (Torres-Jimenez et al., 2011) to do the multiplication through additions. To do that they are used equivalent powers of the primitive element of the elements *ei* <sup>∈</sup> *GF*(22) involved in the operation, e.g. instead of multiplying (*<sup>x</sup>* <sup>+</sup> <sup>1</sup>) · (*x*) we multiply *<sup>x</sup>*<sup>2</sup> · *<sup>x</sup>*1. Then, the sum of indices does the multiplication, and the antilogarithm obtains the correct result in *GF*(22). For the case of *<sup>x</sup>*<sup>2</sup> · *<sup>x</sup>*<sup>1</sup> the result is *<sup>x</sup>*<sup>3</sup> <sup>=</sup> *<sup>x</sup>*<sup>0</sup> <sup>=</sup> *<sup>e</sup>*1. Finally, we add this result to *<sup>e</sup>*<sup>1</sup> to complete the operation (this yield the expected value *e*0). Note that whenever and operation yields a result

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 83

The pseudocode for the construction of OAs using the Bush's construction and the logarithm tables is shown in Algorithm 6.1. The logarithm and antilogarithm table L*i*,*<sup>j</sup>* is obtained through the algorithm reported by Torres-Jimenez et al. (2011). After that, each element *ei* and each polynomial *yj*(*x*) in *GF*(*pn*) are considered as the columns and rows of <sup>M</sup>, the OA that is being constructed. Given that the value of each cell *mi*,*<sup>j</sup>* ∈ M is the index *u* of the element *eu* <sup>∈</sup> *GF*(*pn*) such that *yj*(*ei*) = *eu*, the following step in the pseudocode is the evaluation of the polynomial *yj*(*x*). This evaluation is done by determining the coefficient of each term *ak* <sup>∈</sup> *yj*(*x*) and its index, i.e. the value of the element *el* <sup>∈</sup> *GF*(*pn*) that is the coefficient of *ak*, and then adding it to *i* · *d* (the index of *ei* raised to the degree of the term *ak*). A modulus operation is applied to the result to obtained *v*, and then the antilogarithm is used over *v* such that the index it is able to get the value *u* of the element *eu*. Remember that the algorithm BuildLogarithmTable simultaneously find the primitive element and computes

outside of the field, a modulus operations is required.

the logarithm and antilogarithm tables.

M ← ∅

⎧

*c* ← *i*

**do**

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

**return** (M)

**do**

L ← BuildLogarithmTable(*p*, *n*)

*r* ← *j*

**do**

*mr*,*<sup>c</sup>* ← *s*

⎧ ⎪⎪⎨

⎪⎪⎩

**for each** element *ei* <sup>∈</sup> *GF*(*pn*)

⎧

⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎩

**Algorithm 6.1:** BUILDORTHOGONALARRAY(*p*, *n*)

**for each** polynomial *yj*(*x*) <sup>∈</sup> *GF*(*pn*)

**for each** term *ak* ∈ *yj*(*x*)

*s* ← L*v*,1

*d* ← GetDegree(*ak*)

*l* ← GetIndexCoefficient(*ak*) *<sup>v</sup>* <sup>←</sup> (*<sup>i</sup>* · *<sup>d</sup>* <sup>+</sup> *<sup>l</sup>*)mod(*p<sup>n</sup>* <sup>−</sup> <sup>1</sup>)

Note that in the pseudocode the more complex operation is the module between integers, which can be reduced to shifts when *GF*(*pn*) involves powers of two. This fact makes the algorithm easy and efficient for the construction of OAs, requiring only additions to operate, and modulus operations when the field is over powers of primes different of two. After the

0 ≤ *i* ≤ *v* − 1, as the one satisfying *yj*(*ei*) = *eu*. Finally, it is generated the values of cell *mj*,*i*, where the column *i* = *v*, using the value of the leading coefficient of the polynomial *yj*(*x*), for each 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1. Table 3 shows part of the construction of the *OA*(43; 3, 5, 4) through this method.


Table 3. Example of a partial construction of the *OA*(43; 3, 4, 5), using the Bush's construction.

12 Will-be-set-by-IN-TECH

0 ≤ *i* ≤ *v* − 1, as the one satisfying *yj*(*ei*) = *eu*. Finally, it is generated the values of cell *mj*,*i*, where the column *i* = *v*, using the value of the leading coefficient of the polynomial *yj*(*x*), for each 0 <sup>≤</sup> *<sup>j</sup>* <sup>≤</sup> *<sup>v</sup><sup>t</sup>* <sup>−</sup> 1. Table 3 shows part of the construction of the *OA*(43; 3, 5, 4) through this

*yj*(*x*) **Polynomial 0 1 x x+1** *e*<sup>0</sup> {*u*|*y*0(*e*0) = *eu*} {*u*|*y*0(*e*1) = *eu*} {*u*|*y*0(*e*2) = *eu*} {*u*|*y*0(*e*3) = *eu*} *e*<sup>0</sup> *e*<sup>1</sup> {*u*|*y*1(*e*0) = *eu*} {*u*|*y*1(*e*1) = *eu*} {*u*|*y*1(*e*2) = *eu*} {*u*|*y*1(*e*3) = *eu*} *e*<sup>0</sup> *e*<sup>2</sup> {*u*|*y*2(*e*0) = *eu*} {*u*|*y*2(*e*1) = *eu*} {*u*|*y*2(*e*2) = *eu*} {*u*|*y*2(*e*3) = *eu*} *e*<sup>0</sup> *e*<sup>3</sup> {*u*|*y*3(*e*0) = *eu*} {*u*|*y*3(*e*1) = *eu*} {*u*|*y*3(*e*2) = *eu*} {*u*|*y*3(*e*3) = *eu*} *e*<sup>0</sup> *e*1*x* {*u*|*y*4(*e*0) = *eu*} {*u*|*y*4(*e*1) = *eu*} {*u*|*y*4(*e*2) = *eu*} {*u*|*y*4(*e*3) = *eu*} *e*<sup>0</sup> *e*1*x* + *e*<sup>1</sup> {*u*|*y*5(*e*0) = *eu*} {*u*|*y*5(*e*1) = *eu*} {*u*|*y*5(*e*2) = *eu*} {*u*|*y*5(*e*3) = *eu*} *e*<sup>0</sup> *e*1*x* + *e*<sup>2</sup> {*u*|*y*6(*e*0) = *eu*} {*u*|*y*6(*e*1) = *eu*} {*u*|*y*6(*e*2) = *eu*} {*u*|*y*6(*e*3) = *eu*} *e*<sup>0</sup> *e*1*x* + *e*<sup>3</sup> {*u*|*y*7(*e*0) = *eu*} {*u*|*y*7(*e*1) = *eu*} {*u*|*y*7(*e*2) = *eu*} {*u*|*y*7(*e*3) = *eu*} *e*<sup>0</sup> *e*2*x* {*u*|*y*8(*e*0) = *eu*} {*u*|*y*8(*e*1) = *eu*} {*u*|*y*8(*e*2) = *eu*} {*u*|*y*8(*e*3) = *eu*} *e*<sup>0</sup> *e*2*x* + *e*<sup>1</sup> {*u*|*y*9(*e*0) = *eu*} {*u*|*y*9(*e*1) = *eu*} {*u*|*y*9(*e*2) = *eu*} {*u*|*y*9(*e*3) = *eu*} *e*<sup>0</sup> *e*2*x* + *e*<sup>2</sup> {*u*|*y*10(*e*0) = *eu*} {*u*|*y*10(*e*1) = *eu*} {*u*|*y*10(*e*2) = *eu*} {*u*|*y*10(*e*3) = *eu*} *e*<sup>0</sup> *e*2*x* + *e*<sup>3</sup> {*u*|*y*11(*e*0) = *eu*} {*u*|*y*11(*e*1) = *eu*} {*u*|*y*11(*e*2) = *eu*} {*u*|*y*11(*e*3) = *eu*} *e*<sup>0</sup> *e*3*x* {*u*|*y*12(*e*0) = *eu*} {*u*|*y*12(*e*1) = *eu*} {*u*|*y*12(*e*2) = *eu*} {*u*|*y*12(*e*3) = *eu*} *e*<sup>0</sup> *e*3*x* + *e*<sup>1</sup> {*u*|*y*13(*e*0) = *eu*} {*u*|*y*13(*e*1) = *eu*} {*u*|*y*13(*e*2) = *eu*} {*u*|*y*13(*e*3) = *eu*} *e*<sup>0</sup> *e*3*x* + *e*<sup>2</sup> {*u*|*y*14(*e*0) = *eu*} {*u*|*y*14(*e*1) = *eu*} {*u*|*y*14(*e*2) = *eu*} {*u*|*y*14(*e*3) = *eu*} *e*<sup>0</sup> *e*3*x* + *e*<sup>3</sup> {*u*|*y*15(*e*0) = *eu*} {*u*|*y*15(*e*1) = *eu*} {*u*|*y*15(*e*2) = *eu*} {*u*|*y*15(*e*3) = *eu*} *e*<sup>0</sup> *<sup>e</sup>*1*x*<sup>2</sup> {*u*|*y*16(*e*0) = *eu*} {*u*|*y*16(*e*1) = *eu*} {*u*|*y*16(*e*2) = *eu*} {*u*|*y*16(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*<sup>1</sup> {*u*|*y*17(*e*0) = *eu*} {*u*|*y*17(*e*1) = *eu*} {*u*|*y*17(*e*2) = *eu*} {*u*|*y*17(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*<sup>2</sup> {*u*|*y*18(*e*0) = *eu*} {*u*|*y*18(*e*1) = *eu*} {*u*|*y*18(*e*2) = *eu*} {*u*|*y*18(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*<sup>3</sup> {*u*|*y*19(*e*0) = *eu*} {*u*|*y*19(*e*1) = *eu*} {*u*|*y*19(*e*2) = *eu*} {*u*|*y*19(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*1*<sup>x</sup>* {*u*|*y*20(*e*0) = *eu*} {*u*|*y*20(*e*1) = *eu*} {*u*|*y*20(*e*2) = *eu*} {*u*|*y*20(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*1*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>1</sup> {*u*|*y*21(*e*0) = *eu*} {*u*|*y*21(*e*1) = *eu*} {*u*|*y*21(*e*2) = *eu*} {*u*|*y*21(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*1*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>2</sup> {*u*|*y*22(*e*0) = *eu*} {*u*|*y*22(*e*1) = *eu*} {*u*|*y*22(*e*2) = *eu*} {*u*|*y*22(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*1*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>3</sup> {*u*|*y*23(*e*0) = *eu*} {*u*|*y*23(*e*1) = *eu*} {*u*|*y*23(*e*2) = *eu*} {*u*|*y*23(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*2*<sup>x</sup>* {*u*|*y*24(*e*0) = *eu*} {*u*|*y*24(*e*1) = *eu*} {*u*|*y*24(*e*2) = *eu*} {*u*|*y*24(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*2*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>1</sup> {*u*|*y*25(*e*0) = *eu*} {*u*|*y*25(*e*1) = *eu*} {*u*|*y*25(*e*2) = *eu*} {*u*|*y*25(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*2*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>2</sup> {*u*|*y*26(*e*0) = *eu*} {*u*|*y*26(*e*1) = *eu*} {*u*|*y*26(*e*2) = *eu*} {*u*|*y*26(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*2*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>3</sup> {*u*|*y*27(*e*0) = *eu*} {*u*|*y*27(*e*1) = *eu*} {*u*|*y*27(*e*2) = *eu*} {*u*|*y*27(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*3*<sup>x</sup>* {*u*|*y*28(*e*0) = *eu*} {*u*|*y*28(*e*1) = *eu*} {*u*|*y*28(*e*2) = *eu*} {*u*|*y*28(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*3*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>1</sup> {*u*|*y*29(*e*0) = *eu*} {*u*|*y*29(*e*1) = *eu*} {*u*|*y*29(*e*2) = *eu*} {*u*|*y*29(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*3*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>2</sup> {*u*|*y*30(*e*0) = *eu*} {*u*|*y*30(*e*1) = *eu*} {*u*|*y*30(*e*2) = *eu*} {*u*|*y*30(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup> *<sup>e</sup>*1*x*<sup>2</sup> <sup>+</sup> *<sup>e</sup>*3*<sup>x</sup>* <sup>+</sup> *<sup>e</sup>*<sup>3</sup> {*u*|*y*31(*e*0) = *eu*} {*u*|*y*31(*e*1) = *eu*} {*u*|*y*31(*e*2) = *eu*} {*u*|*y*31(*e*3) = *eu*} *<sup>e</sup>*<sup>1</sup>

*e*<sup>0</sup> *e*<sup>1</sup> *e*<sup>2</sup> *e*<sup>3</sup>

<sup>M</sup> **Elements of** *GF*(22)

. . . . .

. .

.

Table 3. Example of a partial construction of the *OA*(43; 3, 4, 5), using the Bush's construction.

. .

.

. .

. .

method.

During the definition of values *eu*, the polynomials *yj*(*ei*) must be evaluated. For example, the evaluation of the polynomial *y*<sup>14</sup> = *e*3*x* + *e*<sup>1</sup> at value *x* = *e*<sup>2</sup> yields *y*14(*e*2) = *e*3*x* + *e*<sup>1</sup> = *e*<sup>3</sup> · *e*<sup>2</sup> + *e*<sup>1</sup> = *e*0. To obtain the result *e*<sup>0</sup> it is necessary to multiply the polynomials *e*<sup>3</sup> and *e*2, and to add the result to *e*1. Here is where lies the main contribution shown in this chapter, it is proposed to use the primitive element and the logarithm table constructed by the algorithm in (Torres-Jimenez et al., 2011) to do the multiplication through additions. To do that they are used equivalent powers of the primitive element of the elements *ei* <sup>∈</sup> *GF*(22) involved in the operation, e.g. instead of multiplying (*<sup>x</sup>* <sup>+</sup> <sup>1</sup>) · (*x*) we multiply *<sup>x</sup>*<sup>2</sup> · *<sup>x</sup>*1. Then, the sum of indices does the multiplication, and the antilogarithm obtains the correct result in *GF*(22). For the case of *<sup>x</sup>*<sup>2</sup> · *<sup>x</sup>*<sup>1</sup> the result is *<sup>x</sup>*<sup>3</sup> <sup>=</sup> *<sup>x</sup>*<sup>0</sup> <sup>=</sup> *<sup>e</sup>*1. Finally, we add this result to *<sup>e</sup>*<sup>1</sup> to complete the operation (this yield the expected value *e*0). Note that whenever and operation yields a result outside of the field, a modulus operations is required.

The pseudocode for the construction of OAs using the Bush's construction and the logarithm tables is shown in Algorithm 6.1. The logarithm and antilogarithm table L*i*,*<sup>j</sup>* is obtained through the algorithm reported by Torres-Jimenez et al. (2011). After that, each element *ei* and each polynomial *yj*(*x*) in *GF*(*pn*) are considered as the columns and rows of <sup>M</sup>, the OA that is being constructed. Given that the value of each cell *mi*,*<sup>j</sup>* ∈ M is the index *u* of the element *eu* <sup>∈</sup> *GF*(*pn*) such that *yj*(*ei*) = *eu*, the following step in the pseudocode is the evaluation of the polynomial *yj*(*x*). This evaluation is done by determining the coefficient of each term *ak* <sup>∈</sup> *yj*(*x*) and its index, i.e. the value of the element *el* <sup>∈</sup> *GF*(*pn*) that is the coefficient of *ak*, and then adding it to *i* · *d* (the index of *ei* raised to the degree of the term *ak*). A modulus operation is applied to the result to obtained *v*, and then the antilogarithm is used over *v* such that the index it is able to get the value *u* of the element *eu*. Remember that the algorithm BuildLogarithmTable simultaneously find the primitive element and computes the logarithm and antilogarithm tables.

```
Algorithm 6.1: BUILDORTHOGONALARRAY(p, n)
 L ← BuildLogarithmTable(p, n)
 M ← ∅
 for each element ei ∈ GF(pn)
  do
      ⎧
      ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨
      ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩
         c ← i
         for each polynomial yj(x) ∈ GF(pn)
          do
              ⎧
              ⎪⎪⎪⎪⎪⎪⎪⎪⎨
              ⎪⎪⎪⎪⎪⎪⎪⎪⎩
                 r ← j
                 for each term ak ∈ yj(x)
                  do
                      ⎧
                      ⎪⎪⎨
                      ⎪⎪⎩
                        d ← GetDegree(ak)
                        l ← GetIndexCoefficient(ak)
                        v ← (i · d + l)mod(pn − 1)
                        s ← Lv,1
                 mr,c ← s
 return (M)
```
Note that in the pseudocode the more complex operation is the module between integers, which can be reduced to shifts when *GF*(*pn*) involves powers of two. This fact makes the algorithm easy and efficient for the construction of OAs, requiring only additions to operate, and modulus operations when the field is over powers of primes different of two. After the

The strategy to construct a cyclotomic matrix involves the identification of a good vector starter. This task can be facilitated using the logarithm table derived from a Galois field. The construction is simple. The first step is the generation of the logarithm table for a certain *GF*(*pn*). After that, the table is transposed in order to transform it into a vector starter *v*. Then, by using all the possible rotations of it, the cyclotomic matrix is constructed. Finally, the

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 85

(a) Vector Starter 0 0 1 1 0 0 0 0 0 0 1 1 0

(b) Cyclotomic matrix

Fig. 10. Example of a cyclotomic vector *V*, or a vector starter, and the cyclotomic matrix

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

validation of the matrix is done such that a CA can be identified.

Fig. 9. Covering array where *N* = 9, *t* = 2, *k* = 4 and *v* = 3.

⎛

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

formed with it. The matrix constitutes a *CA*(13; 2, 13, 2).

Figure 10 shows an example of a cyclotomic matrix.

construction of the OA, the number of operations required by the algorithm are bounded by *O*(*N* · *t* <sup>2</sup>), due to it requires *<sup>t</sup>* operations for the construction of an OA matrix of size *<sup>N</sup>* <sup>×</sup> (*<sup>t</sup>* <sup>+</sup> 1).

### **7. Efficient constructions of CAs**

This section analyzes the case when Covering Arrays can be constructed from cyclotomy by rotating a vector created from an OA(Colbourn, 2010). It is another process that can be benefited from the previously constructed logarithm tables. The cyclotomy process requires the test of different cyclotomic vectors for the construction of CAs. This vectors can be constructed using the logarithm table. The rest of the section details a bit more about CAs and this process of construction.

**Definition 2** (Covering Array)**.** *Let N*, *t*, *k*, *v be positive integers with t* ≤ *N. A covering array CA*(*N*; *t*, *k*, *v*)*, with strength t and alphabet size v is an N* × *k array with entries from* {0, 1, ..., *k* − 1} *and the property that any N* <sup>×</sup> *t sub-array has all v<sup>t</sup> possible t-tuples occurring at least once.*

Figure 9 shows the corresponding *CA*(9; 2, 4, 3). The strength of this CA is *t* = 2 and the alphabet is *v* = 3, hence the combinations {0, 0}, {0, 1}, {0, 2}, {1, 0}, {1, 1}, {1, 2}, {2, 0}, {2, 1}, {2, 2} appear at least once in each subset of size *N* × 2 of the CA. The CAs are commonly used instead of full experimental designs (FED) when constructing test sets, it is so because the relaxation produced by the use of a small interaction in a CA *t* = 2 (pair-wise) significantly reduce the number of test cases in a test set, implying in some cases savings of more than 90 percent in costs (time or other resources); the confidence level of the testing using combinatorial objects as CA increases with the interaction level involved (Kuhn et al., 2008).

When a *CA* contains the minimum possible number of rows, it is optimal and its size is called the *Covering Array Number* (*CAN*). The *CAN* is defined according to Equation 5.

$$\text{CAN}(t,k,\upsilon) = \min\_{N \in \mathbb{N}} \{ N : \exists \, \text{CA}(N; t, k, \upsilon) \}. \tag{5}$$

The trivial mathematical *lower bound* for a covering array is *<sup>v</sup><sup>t</sup>* <sup>≤</sup> *CAN*(*t*, *<sup>k</sup>*, *<sup>v</sup>*), however, this number is rarely achieved. Therefore determining achievable lower bounds is one of the main research lines for CAs; this problem has been overcome with the reduction of the known upper bounds. The construction of cyclotomic matrices can help to accomplish this purpose.

According to Colbourn (2010), a cyclotomic matrix (CM) is an array O of size *k* × *k* that is formed by *k* rotations of a vector of size *k* (called starter vector). Table 4 gives an example of a CM.


Table 4. CM of size 7 × 7 formed from the starter vector {0, 0, 0, 1, 0, 1, 1}. This matrix is a *CA*(7; 2, 7, 2).

The strategy to construct a cyclotomic matrix involves the identification of a good vector starter. This task can be facilitated using the logarithm table derived from a Galois field. The construction is simple. The first step is the generation of the logarithm table for a certain *GF*(*pn*). After that, the table is transposed in order to transform it into a vector starter *v*. Then, by using all the possible rotations of it, the cyclotomic matrix is constructed. Finally, the validation of the matrix is done such that a CA can be identified.

$$
\begin{pmatrix} 0 \ 0 \ 0 \ 0 \\ 0 \ 1 \ 1 \ 1 \\ 0 \ 2 \ 2 \ 2 \\ 1 \ 0 \ 1 \ 2 \\ 1 \ 1 \ 2 \ 0 \\ 1 \ 2 \ 0 \ 1 \\ 2 \ 0 \ 2 \ 1 \\ 2 \ 1 \ 0 \ 2 \\ 2 \ 2 \ 1 \ 0 \end{pmatrix}
$$

Fig. 9. Covering array where *N* = 9, *t* = 2, *k* = 4 and *v* = 3.

Figure 10 shows an example of a cyclotomic matrix.

14 Will-be-set-by-IN-TECH

construction of the OA, the number of operations required by the algorithm are bounded by

This section analyzes the case when Covering Arrays can be constructed from cyclotomy by rotating a vector created from an OA(Colbourn, 2010). It is another process that can be benefited from the previously constructed logarithm tables. The cyclotomy process requires the test of different cyclotomic vectors for the construction of CAs. This vectors can be constructed using the logarithm table. The rest of the section details a bit more about CAs

**Definition 2** (Covering Array)**.** *Let N*, *t*, *k*, *v be positive integers with t* ≤ *N. A covering array CA*(*N*; *t*, *k*, *v*)*, with strength t and alphabet size v is an N* × *k array with entries from* {0, 1, ..., *k* − 1}

Figure 9 shows the corresponding *CA*(9; 2, 4, 3). The strength of this CA is *t* = 2 and the alphabet is *v* = 3, hence the combinations {0, 0}, {0, 1}, {0, 2}, {1, 0}, {1, 1}, {1, 2}, {2, 0}, {2, 1}, {2, 2} appear at least once in each subset of size *N* × 2 of the CA. The CAs are commonly used instead of full experimental designs (FED) when constructing test sets, it is so because the relaxation produced by the use of a small interaction in a CA *t* = 2 (pair-wise) significantly reduce the number of test cases in a test set, implying in some cases savings of more than 90 percent in costs (time or other resources); the confidence level of the testing using combinatorial objects as CA increases with the interaction level involved (Kuhn et al.,

When a *CA* contains the minimum possible number of rows, it is optimal and its size is called

The trivial mathematical *lower bound* for a covering array is *<sup>v</sup><sup>t</sup>* <sup>≤</sup> *CAN*(*t*, *<sup>k</sup>*, *<sup>v</sup>*), however, this number is rarely achieved. Therefore determining achievable lower bounds is one of the main research lines for CAs; this problem has been overcome with the reduction of the known upper bounds. The construction of cyclotomic matrices can help to accomplish this purpose.

According to Colbourn (2010), a cyclotomic matrix (CM) is an array O of size *k* × *k* that is formed by *k* rotations of a vector of size *k* (called starter vector). Table 4 gives an example of a

Table 4. CM of size 7 × 7 formed from the starter vector {0, 0, 0, 1, 0, 1, 1}. This matrix is a

*<sup>N</sup>*∈**N**{*<sup>N</sup>* : <sup>∃</sup> *CA*(*N*; *<sup>t</sup>*, *<sup>k</sup>*, *<sup>v</sup>*)}. (5)

the *Covering Array Number* (*CAN*). The *CAN* is defined according to Equation 5.

*CAN*(*t*, *k*, *v*) = min

*and the property that any N* <sup>×</sup> *t sub-array has all v<sup>t</sup> possible t-tuples occurring at least once.*

<sup>2</sup>), due to it requires *<sup>t</sup>* operations for the construction of an OA matrix of size *<sup>N</sup>* <sup>×</sup> (*<sup>t</sup>* <sup>+</sup>

*O*(*N* · *t*

2008).

CM.

*CA*(7; 2, 7, 2).

**7. Efficient constructions of CAs**

and this process of construction.

1).


Fig. 10. Example of a cyclotomic vector *V*, or a vector starter, and the cyclotomic matrix formed with it. The matrix constitutes a *CA*(13; 2, 13, 2).

⎛

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 87

Fig. 11. *CA*(67; 4, 67, 2) generated through a cyclotomic matrix. This CA is the best known

⎞

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

upper bound so far.

The pseudocode to generate the cyclotomic vector and construct the CA is presented in Algorithm 7.1. There, the algorithm BuildLogarithmTable(p,n) is used to construct the table of logarithm and antilogarithms L, where the *i th* row indicate the element *ei* <sup>∈</sup> *GF*(*pn*), and the column 0 its logarithm, and the column 1 its antilogarithm. The first step is the construction of the vector starter V, which is done by transposing the logarithm table L∗,0, i.e. the first column of L. After that, the cyclotomic matrix M is constructed by rotating the vector starter *<sup>p</sup><sup>n</sup>* times, each time the vector rotated will constituted a row of <sup>M</sup>. Finally, the cyclotomic matrix M must be validated as a CA to finally return it; one strategy to do so is the parallel algorithm reported by Avila-George et al. (2010).

**Algorithm 7.1:** BUILDCOVERINGARRAY(*p*, *n*) L ← BuildLogarithmTable(*p*, *n*) **for each** *ei* <sup>∈</sup> *GF*(*pn*) **do** � V*i* ← L*i*,0 **for each** *ei* <sup>∈</sup> *GF*(*pn*) **do** ⎧ ⎨ ⎩ **for each** *ej* <sup>∈</sup> *GF*(*pn*) **do** �*<sup>k</sup>* <sup>←</sup> (*<sup>i</sup>* <sup>+</sup> *<sup>j</sup>*)mod(*pn*) *mi*,*<sup>j</sup>* ← V*<sup>k</sup>* **if** IsACoveringArray(M) **then** � *return*M **else** � *return*∅

The following section presents some results derived from the research presented so far in this chapter.

### **8. Results**

An example of one of the best known upper bounds for CAs constructed through the use of cyclotomic matrices is shown in Figure 11; the construction of such table was done with aid of the implementation proposed in this chapter.

The results from the experiment are found in the repository of CAs of Torres-Jimenez 1. Some of the CAs matrices presented there are derived from the use of cyclotomic vectors constructed through the process described in the previous section, benefiting from the construction of the logarithm tables. Table 5 shows new upper bounds derived from this process.

http://www.tamps.cinvestav.mx/~jtj/CA.php

Will-be-set-by-IN-TECH

The pseudocode to generate the cyclotomic vector and construct the CA is presented in Algorithm 7.1. There, the algorithm BuildLogarithmTable(p,n) is used to construct the

and the column 0 its logarithm, and the column 1 its antilogarithm. The first step is the construction of the vector starter V, which is done by transposing the logarithm table L∗,0, i.e. the first column of L. After that, the cyclotomic matrix M is constructed by rotating the vector starter *<sup>p</sup><sup>n</sup>* times, each time the vector rotated will constituted a row of <sup>M</sup>. Finally, the cyclotomic matrix M must be validated as a CA to finally return it; one strategy to do so is

The following section presents some results derived from the research presented so far in this

An example of one of the best known upper bounds for CAs constructed through the use of cyclotomic matrices is shown in Figure 11; the construction of such table was done with aid

The results from the experiment are found in the repository of CAs of Torres-Jimenez 1. Some of the CAs matrices presented there are derived from the use of cyclotomic vectors constructed through the process described in the previous section, benefiting from the construction of the

logarithm tables. Table 5 shows new upper bounds derived from this process.

*th* row indicate the element *ei* <sup>∈</sup> *GF*(*pn*),

table of logarithm and antilogarithms L, where the *i*

the parallel algorithm reported by Avila-George et al. (2010).

**Algorithm 7.1:** BUILDCOVERINGARRAY(*p*, *n*)

�*<sup>k</sup>* <sup>←</sup> (*<sup>i</sup>* <sup>+</sup> *<sup>j</sup>*)mod(*pn*)

L ← BuildLogarithmTable(*p*, *n*)

**for each** *ej* <sup>∈</sup> *GF*(*pn*)

*mi*,*<sup>j</sup>* ← V*<sup>k</sup>*

of the implementation proposed in this chapter.

http://www.tamps.cinvestav.mx/~jtj/CA.php

**for each** *ei* <sup>∈</sup> *GF*(*pn*)

**do**

**if** IsACoveringArray(M)

*return*M

*return*∅

V*i* ← L*i*,0 **for each** *ei* <sup>∈</sup> *GF*(*pn*)

**do** �

⎧ ⎨ ⎩

**then** �

**else** �

chapter.

**8. Results**

**do**


Fig. 11. *CA*(67; 4, 67, 2) generated through a cyclotomic matrix. This CA is the best known upper bound so far.

support of the algorithm reported here. These matrices are available on request in http:

Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 89

In addition to the efficient implementation of the Bush's construction through logarithm tables of finite fields, this chapter also presents a brief summary of the combinatorial structures called Orthogonal Arrays. The summary included formal definition, and basic notation used in the scientific literature. Additionally, several applications of OAs in cryptography were presented; and also, different methodologies to construct the combinatorial objects were

The authors thankfully acknowledge the computer resources and assistance provided by Spanish Supercomputing Network (TIRANT-UV). This research work was partially funded by the following projects: CONACyT 58554, Calculo de Covering Arrays; 51623 Fondo Mixto

Avila-George, H., Torres-Jimenez, J., Hernández, V. & Rangel-Valdez, N. (2010). Verification

Barker, H. A. (1986). Sum and product tables for galois fields, *International Journal of*

Bush, K. (1952). Orthogonal arrays of index unity, *Annals of Mathematical Statistics*

Carter, J. & Wegman, M. (1979). Universal classes of hash functions, *Journal of Computer and*

Colbourn, C. J. (2010). Covering arrays from cyclotomy, *Designs, Codes and Cryptography* 55: 201–219. http://dx.doi.org/10.1007/s10623-009-9333-8. Dawson, E. & Mahmoodian, E. (1993). Orthogonal arrays and ordered threshold schemes,

Gilbert, E., MacWilliams, F. & Sloane, N. (1974). Codes which detect deception, *The Bell System*

Gopalakrishnan, K. & Stinson, D. R. (2008). Applications of orthogonal arrays to computer

Hedayat, A., Sloane, N. & Stufken, J. (1999). *Orthogonal Arrays: Theory and Applications*,

Jones, T. & Seberry, J. (1986). Authentication without secrecy, *ARS Combinatoria* 21-A: 115–121. Kuhn, R., Lei, Y. & Kacker, R. (2008). Practical Combinatorial Testing: Beyond Pairwise, *IT*

science, *Ramanujan Mathematical Society, Lecture Notes Series in Mathematics* 7: 149–164.

*Professional* 10(3): 19–23. http://doi.ieeecomputersociety.org/10.1109/

6265 of *Lecture Notes in Computer Science*, Springer, pp. 112–123.

of general and cyclic covering arrays using grid computing, *Data Management in Grid and Peer-to-Peer Systmes, Third International Conference, Globe 2010, Bilbao, Spain*, Vol.

*Mathematical Education in Science and Technology* 17: 473 – 485. http://dx.doi.

*System Sciences* 18: 143–154. http://dx.doi.org/10.1016/0022-0000(79)

//www.tamps.cinvestav.mx/~jtj/CA.php.

described; among them was the Bush's construction.

CONACyT y Gobierno del Estado de Tamaulipas.

org/10.1080/0020739860170409.

URL: *http://www.jstor.org/pss/2236685*

*Australasian Journal of Combinatorics* 8: 27–44.

*Technical Journal* 53: 405–424.

Springer-Verlag, New York.

MITP.2008.54.

URL: *http://ajc.maths.uq.edu.au/pdf/8/ocr-ajc-v8-p27.pdf*

URL: *http://www2.research.att.com/ njas/doc/detection.pdf*

**10. Acknowledgments**

23(3): 426–434.

90044-8.

**11. References**


Table 5. New upper bounds for CAs obtained through cyclotomic matrices.

### **9. Conclusions**

The main objective of this chapter was the presentation of a efficient implementation of the Bush's construction for Orthogonal Arrays (OAs). Also, it was presented a brief summary of the applications of OAs in cryptography, which could be benefited from the implementation. In addition, the algorithm was also applied for the construction of cyclotomy matrices that yielded new upper bounds of CAs.

Hence, the main contribution of this chapter consisted precisely in an algorithm that requires only additions and modulus operations over finite fields for the construction of OAs. To do so, it relies on a logarithm table constructed through a simple method reported in the literature. It is also presented the details for this construction through the code required to be implemented.

Additionally, the algorithm to construct logarithm table was also slightly modified to construct cyclotomy matrices for the construction of CAs. Here, it is presented the matrix of the *CA*(67; 4, 67, 2) constructed from a cyclotomic matrix; it represents the best upper bound known so far for these parameters of the CA. Also, it is reported a set of 37 upper bounds of CAs obtained by the construction of the cyclotomy matrices constructed with support of the algorithm reported here. These matrices are available on request in http: //www.tamps.cinvestav.mx/~jtj/CA.php.

In addition to the efficient implementation of the Bush's construction through logarithm tables of finite fields, this chapter also presents a brief summary of the combinatorial structures called Orthogonal Arrays. The summary included formal definition, and basic notation used in the scientific literature. Additionally, several applications of OAs in cryptography were presented; and also, different methodologies to construct the combinatorial objects were described; among them was the Bush's construction.

### **10. Acknowledgments**

The authors thankfully acknowledge the computer resources and assistance provided by Spanish Supercomputing Network (TIRANT-UV). This research work was partially funded by the following projects: CONACyT 58554, Calculo de Covering Arrays; 51623 Fondo Mixto CONACyT y Gobierno del Estado de Tamaulipas.

### **11. References**

18 Will-be-set-by-IN-TECH

Table 5. New upper bounds for CAs obtained through cyclotomic matrices.

The main objective of this chapter was the presentation of a efficient implementation of the Bush's construction for Orthogonal Arrays (OAs). Also, it was presented a brief summary of the applications of OAs in cryptography, which could be benefited from the implementation. In addition, the algorithm was also applied for the construction of cyclotomy matrices that

Hence, the main contribution of this chapter consisted precisely in an algorithm that requires only additions and modulus operations over finite fields for the construction of OAs. To do so, it relies on a logarithm table constructed through a simple method reported in the literature. It is also presented the details for this construction through the code required to be implemented. Additionally, the algorithm to construct logarithm table was also slightly modified to construct cyclotomy matrices for the construction of CAs. Here, it is presented the matrix of the *CA*(67; 4, 67, 2) constructed from a cyclotomic matrix; it represents the best upper bound known so far for these parameters of the CA. Also, it is reported a set of 37 upper bounds of CAs obtained by the construction of the cyclotomy matrices constructed with

**9. Conclusions**

yielded new upper bounds of CAs.

	- URL: *http://www.jstor.org/pss/2236685*
	- URL: *http://ajc.maths.uq.edu.au/pdf/8/ocr-ajc-v8-p27.pdf*

URL: *http://www2.research.att.com/ njas/doc/detection.pdf*


**5** 

*Malaysia* 

**Elliptic Curve Cryptography and** 

*School of Mathematical Sciences, Universiti Sains Malaysia, Minden, Penang* 

Elliptic curves cryptography was introduced independently by Victor Miller (Miller, 1986) and Neal Koblitz (Koblitz, 1987) in 1985. At that time elliptic curve cryptography was not actually seen as a promising cryptographic technique. As time progress and further research and intensive development done especially on the implementation side, elliptic curve cryptography is now being implemented widely. Elliptic curves cryptography offers smaller key size, bandwidth savings and faster in implementations when compared to the RSA (Rivest-Shamir-Adleman) cryptography which based its security on the integer factorization problem. The most interesting feature of the elliptic curves is the group structure of the points generated by the curves, where points on the elliptic curves form a group. The security of elliptic curves cryptography relies on the elliptic curves discrete logarithm problem. The elliptic curve discrete logarithm problem is analogous to the ordinary algebraic discrete logarithm problem, *l = gx*, where given the *l* and *g*, it is infeasible to compute the *x*. Elliptic curve discrete logarithm problem deals with solving for *n* the relation *P = nG.* Given the point *P* and the point *G*, then it is very hard to find the integer *n*. To implement the discrete logarithm problem in elliptic curve cryptography, the main task is to compute the order of group of the curves or in other words the number of points on the curve. Computation to find the number of points on a curve, has given rise to several point counting algorithms. The Schoof and the SEA (Schoof-Elkies-Atkin) point counting algorithms will be part of the discussion in this chapter. This chapter is organized as follows: Section 2, gives some preliminaries on elliptic curves, and in section 3, elliptic curve discrete logarithm problem is discussed. Some relevant issues on elliptic curve cryptography is discussed in section 4, in which the Diffie-Hellman key exchange scheme, ElGamal elliptic curve cryptosystem and elliptic curve digital signature scheme are discussed here accompanied with some examples. Section 5 discussed the two point counting algorithms, Schoof algorithm and the SEA (Schoof-Elkies-Atkin) algorithm. Following the discussion in section 5, section 6 summaries some similarities and the differences between these two algorithms. Section 7 gives some brief literature on these two point counting algorithms.

Elliptic curves obtained their name from their relation to elliptic integrals that arise from the computation of the arc length of ellipses (Lawrence & Wade, 2006). Elliptic curves are

Finally, section 8 is the concluding remarks for this chapter.

**1. Introduction** 

**2. Elliptic curves** 

**Point Counting Algorithms** 

Hailiza Kamarulhaili and Liew Khang Jie


## **Elliptic Curve Cryptography and Point Counting Algorithms**

Hailiza Kamarulhaili and Liew Khang Jie *School of Mathematical Sciences, Universiti Sains Malaysia, Minden, Penang Malaysia* 

### **1. Introduction**

20 Will-be-set-by-IN-TECH

90 Cryptography and Security in Computing

Niederreiter, H. (1990). A short proof for explicit formulas for discrete logarithms in finite

Rao, C. (1946). Hypercube of strength 'd' leading to confounded designs in factorial

Rao, C. (1947). Factorial experiments derivable from combinatorial arrangements of arrays,

Stinson, D. (1992a). Combinatorial characterizations of authentication codes, *Designs, Codes and Cryptography* 2: 175–187. http://dx.doi.org/10.1007/BF00124896. Stinson, D. (1992b). An explication of secret sharing schemes, *Designs, Codes and Cryptography*

Stinson, D. (1994). Combinatorial techniques for universal hashing, *Journal of Computer and*

Stinson, D. R. (2004). Orthogonal arrays and codes, *Combinatorial Designs*, Springer-Verlag,

Wegman, M. & Carter, J. (1981). New hash functions and their use in authentication and set

Taguchi, G. (1994). *Taguchi Methods: Design of Experiments*, American Supplier Institute. Torres-Jimenez, J., Rangel-Valdez, N., Gonzalez-Hernandez, A. & Avila-George, H. (2011).

*System Sciences* 48: 337–346. http://dx.doi.org/10.1016/S0022-0000(05)

Construction of logarithm tables for galois fields, *International Journal of Mathematical Education in Science and Technology* 42(1): 91–102. http://dx.doi.org/10.1080/

equality, *Journal of Computer and System Sciences* 22: 265–279. http://dx.doi.org/

experiments, *Bulletin of the Calcutta Mathematical Society* 38: 67–78.

2: 357–390. http://dx.doi.org/10.1007/BF00125203.

http://dx.doi.org/10.1007/BF01810847.

*Journal of the Royal Statistical Society* 9: 128–139.

URL: *http://www.jstor.org/pss/2983576*

New York, chapter 10, pp. 225–255.

10.1016/0022-0000(81)90033-7.

0020739X.2010.510215.

80007-8.

fields, *Applicable Algebra in Engineering, Communication and Computing* 1(1): 55–57.

Elliptic curves cryptography was introduced independently by Victor Miller (Miller, 1986) and Neal Koblitz (Koblitz, 1987) in 1985. At that time elliptic curve cryptography was not actually seen as a promising cryptographic technique. As time progress and further research and intensive development done especially on the implementation side, elliptic curve cryptography is now being implemented widely. Elliptic curves cryptography offers smaller key size, bandwidth savings and faster in implementations when compared to the RSA (Rivest-Shamir-Adleman) cryptography which based its security on the integer factorization problem. The most interesting feature of the elliptic curves is the group structure of the points generated by the curves, where points on the elliptic curves form a group. The security of elliptic curves cryptography relies on the elliptic curves discrete logarithm problem. The elliptic curve discrete logarithm problem is analogous to the ordinary algebraic discrete logarithm problem, *l = gx*, where given the *l* and *g*, it is infeasible to compute the *x*. Elliptic curve discrete logarithm problem deals with solving for *n* the relation *P = nG.* Given the point *P* and the point *G*, then it is very hard to find the integer *n*. To implement the discrete logarithm problem in elliptic curve cryptography, the main task is to compute the order of group of the curves or in other words the number of points on the curve. Computation to find the number of points on a curve, has given rise to several point counting algorithms. The Schoof and the SEA (Schoof-Elkies-Atkin) point counting algorithms will be part of the discussion in this chapter. This chapter is organized as follows: Section 2, gives some preliminaries on elliptic curves, and in section 3, elliptic curve discrete logarithm problem is discussed. Some relevant issues on elliptic curve cryptography is discussed in section 4, in which the Diffie-Hellman key exchange scheme, ElGamal elliptic curve cryptosystem and elliptic curve digital signature scheme are discussed here accompanied with some examples. Section 5 discussed the two point counting algorithms, Schoof algorithm and the SEA (Schoof-Elkies-Atkin) algorithm. Following the discussion in section 5, section 6 summaries some similarities and the differences between these two algorithms. Section 7 gives some brief literature on these two point counting algorithms. Finally, section 8 is the concluding remarks for this chapter.

### **2. Elliptic curves**

Elliptic curves obtained their name from their relation to elliptic integrals that arise from the computation of the arc length of ellipses (Lawrence & Wade, 2006). Elliptic curves are

Elliptic Curve Cryptography and Point Counting Algorithms 93

�4 �2 2 4 6 8 10

Looking at the curves, how do you create an algebraic structure from something like this. Basically, one needs to figure out how to find a way to define addition of two points that lie on the curve such that the sum is another point which is also on the curve. If this could be done, together with an identity element,*O* , group structure can be constructed from points on the curves. The following are some formulas for points operations on the curves which is

�30

2 3 12 3 13 1 2 1 2 1

*xmxx y mx x y*

 

,

( ),

*y y <sup>m</sup> Q P*

if

<sup>3</sup> if .

() () *PQ R P QR* .

*PQQP* .

2 1 1

*x a m P Q y*

*x x*

2

or

It can be shown that the addition law is associative, that is

Fig. 1.2. 2 3 *y x* 73 .

defined by the equation (2).

2. *PO P*( )

It is also commutative,

1. *P* + *O* = *P*, for all points *P*.

3. The opposite point, *P xy* (, )

4. 1 1 2 2 *P xy Q xy* ( , )& ( , ) , then 3 3 *PQ R xy* (,) , with

�20

�10

10

20

30

different from ellipses and have much more interesting properties when compared to ellipses. An elliptic curve is simply the collection of points in *x-y* plane that satisfy an equation <sup>2</sup> 3 2 1 3 2 46 *y a xy a y x ax ax a* , and this equation could either be defined on real, rational, complex or finite field. This equation is called the Weierstrass equation.

**Definition 2.1**: An elliptic curve *E*, defined over a field *K* is given by the Weierstrass equation:

$$E: \ y^2 + a\_1 \mathbf{x}y + a\_3 \mathbf{y} = \mathbf{x}^3 + a\_2 \mathbf{x}^2 + a\_4 \mathbf{x} + a\_6 \mathbf{y} \quad \text{where} \quad a\_1, a\_2, a\_3, a\_4, a\_6 \in \mathcal{K} \tag{1}$$

In other words, let *K* be any field, then we assume 12346 *aaaaa K* ,,,, and the set of *K*rational points:

$$E(K) = \{ (\mathbf{x}, \mathbf{y}) \mid \mathbf{x}, \mathbf{y} \in K, \mathbf{y}^2 + a\_1 \mathbf{x}\mathbf{y} + a\_3 \mathbf{y} = \mathbf{x}^3 + a\_2 \mathbf{x}^2 + a\_4 \mathbf{x} + a\_6 \}.$$

If one is working with characteristic, char (*K*) 2,3 , then admissible changes of variables will transform the above equation (1) into the following form:

$$a^2 = \mathfrak{x}^3 + a\mathfrak{x} + b \quad \text{where} \ a, b \in K \tag{2}$$

But when one works with *char K*( ) 2 or 3 , then the general form of equation is given by (3) and (4) respectively.

$$\mathbf{x}^2 + \mathbf{x}y = \mathbf{x}^3 + a\_2\mathbf{x}^2 + a\_6\tag{3}$$

$$\mathbf{y}^2 = \mathbf{x}^3 + a\_2 \mathbf{x}^2 + a\_6 \tag{4}$$

### **2.1 Case for real numbers**

This case allows us to work with graphs of *E*. The graph of *E* has two possible forms, whether the cubic polynomial has only one real root or three real roots. Now, we consider the following examples. Take the equations <sup>2</sup> *y xx x* ( 1)( 1) and 2 3 *y x* 73 . The graphs are as follows:

Fig. 1.1. <sup>2</sup> *y xx x* ( 1)( 1)

Fig. 1.2. 2 3 *y x* 73 .

92 Cryptography and Security in Computing

different from ellipses and have much more interesting properties when compared to ellipses. An elliptic curve is simply the collection of points in *x-y* plane that satisfy an

**Definition 2.1**: An elliptic curve *E*, defined over a field *K* is given by the Weierstrass equation:

In other words, let *K* be any field, then we assume 12346 *aaaaa K* ,,,, and the set of *K*-

1 3 2 46 *EK x* ( ) {( , )| , , *y x y K y a xy a y x ax ax a* }. If one is working with characteristic, char (*K*) 2,3 , then admissible changes of variables

But when one works with *char K*( ) 2 or 3 , then the general form of equation is given by (3)

2 32

23 2

This case allows us to work with graphs of *E*. The graph of *E* has two possible forms, whether the cubic polynomial has only one real root or three real roots. Now, we consider the following examples. Take the equations <sup>2</sup> *y xx x* ( 1)( 1) and 2 3 *y x* 73 . The graphs are as follows:

�1 1 2 3

�4

�2

2

4

real, rational, complex or finite field. This equation is called the Weierstrass equation.

2 3 2

will transform the above equation (1) into the following form:

1 3 2 46 *y a xy a y x ax ax a* , and this equation could either be defined on

1 3 2 46 *E* : *y a xy a y x ax ax a* , where 12346 *aaaaa K* ,,,, (1)

2 3 2

2 3 *y x ax b* where *ab K* , (2)

2 6 *y xy x a x a* (3)

2 6 *y x ax a* (4)

equation <sup>2</sup> 3 2

rational points:

and (4) respectively.

**2.1 Case for real numbers** 

Fig. 1.1. <sup>2</sup> *y xx x* ( 1)( 1)

Looking at the curves, how do you create an algebraic structure from something like this. Basically, one needs to figure out how to find a way to define addition of two points that lie on the curve such that the sum is another point which is also on the curve. If this could be done, together with an identity element,*O* , group structure can be constructed from points on the curves. The following are some formulas for points operations on the curves which is defined by the equation (2).

$$1. \quad P + \ O\_{\Leftrightarrow} = P\_{\prime} \text{ for all points } P.$$

$$\text{2.} \qquad \stackrel{-P=O\_{\text{ev}}-(P)}{}$$

$$\text{3.} \quad \text{The opposite point, } -P = (x, -y).$$

$$\text{4.} \qquad P = (\mathbf{x}\_1, \mathbf{y}\_1) \quad \text{\&} \quad Q = (\mathbf{x}\_2, \mathbf{y}\_2) \text{ , then } \\ P + Q = R = (\mathbf{x}\_3, \mathbf{y}\_3) \text{ , with } \\ \mathbf{x}\_1$$

$$\begin{aligned} \mathbf{x}\_3 &= m^2 - \mathbf{x}\_1 - \mathbf{x}\_{2'} \\ y\_3 &= m(\mathbf{x}\_1 - \mathbf{x}\_3) - y\_{1'} \\ m &= \frac{y\_2 - y\_1}{\mathbf{x}\_2 - \mathbf{x}\_1} \quad \text{if} \quad Q \neq \pm P \\ \text{or} \\ m &= \frac{3x\_1^2 + a}{2y\_1} \quad \text{if} \quad P = Q. \end{aligned}$$

It can be shown that the addition law is associative, that is

$$(P+Q)+R=P+(Q+R)\_{\dots}$$

It is also commutative,

$$P + Q = Q + P \dots$$

Elliptic Curve Cryptography and Point Counting Algorithms 95

The operations of points on elliptic curves indicated in the previous section are fascinating and it is applicable to the area of cryptography. It so happen that similar formulas work if real numbers are replaced with finite field. An elliptic curve defined over prime field is cryptographically good if the curve is non-singular. This happens when the discriminant,

Now define an elliptic curve mod *p*, where *p* is a prime. For the rest of this section several

**Example 2.1**: Let *E* be given by 2 3 *yx x* 2 1 (mod5) . First of all, compute and list all the points on the curve by letting *x* run through the values 0, 1, 2, 3, 4 and solve for *y*. Substitute

> 0 1 4 2,3 (mod5) 1 2 no solution 2 11 1 16 1,4 (mod5) 3 32 2 no solution 4 71 1 16 1,4 (mod5)

3 2 16(4 27 ) 0 *a b* . That means, the polynomial <sup>3</sup> *x ax b* has no multiple roots.

each of these into the equation and find the values of *y* that solve the equation.

*x y y*

 

*x y y*

Therefore, yield the following points along with point at infinity, the identity element:

(0,2), (0,3), (2,1), (2,4), (4,1), (4,4), ( , )

Elliptic curves mod *p* generates finite sets of points and it is these elliptic curves that are useful in cryptography. For cryptographic purposes, the polynomial <sup>3</sup> *x ax b* is assumed not to have multiple roots, as it will lead to weak curves and vulnerable to attack. Computation of points on elliptic curve can also be obtained by using the *Mathematica* software. Now we demonstrate how it can be done. First we need to choose the base point *G*, and the coefficient *a.* Then choose the coefficient *b*, so that *G* lies on the curve 2 3 *y x ax b* (mod5). Now say the point *G* = (1, 3 ) and choose *a* = 2. Then substitute this into the equation, give the value of *b* = 1. Thus we have 2 3 *yx x* 2 1 (mod5) . The following points are generated using the *Mathematica* programming software. The command **multsell** is used to generate points from the curve and was fully written by Lawrence Washington (Lawrence & Wade, 2006). The following are the points generated using the **multsell** command. Thus the following points are

(1,3),(3,2),(0,4),(0,1),(3,3),(1,2),( , )

As it was shown earlier in the formulations of points on an elliptic curve, adding points on elliptic curve is not the same as adding points in the plane. Scalar multiplication of a point on the curve for which we have say, *mP* with *m* = 2185, will be evaluated as 2(2(2(2(2(2(2(2(2(2(2(2(2*P*))) + *P*))))+ *P* ))) + *P.* This is called doubling operation. The

*x y y*

*x y*

*x y*

**2.2.1 Points addition and doubling on elliptic curves** 

generated.

**2.2 Case for integer mod** *p* **(prime field)** 

examples are shown to exhibit its cryptographic use.

When several points are added, it does not matter in what order the points are added or how they are grouped together. Technically speaking, the points on the curve, *E* form an abelian group. The point *O* is the identity element of this group.

Fig. 1.3. Addition of elliptic curve points over a real number curve

Fig. 1.5. Addition of a point to itself (point doubling)

### **2.2 Case for integer mod** *p* **(prime field)**

94 Cryptography and Security in Computing

When several points are added, it does not matter in what order the points are added or how they are grouped together. Technically speaking, the points on the curve, *E* form an

abelian group. The point *O* is the identity element of this group.

Fig. 1.3. Addition of elliptic curve points over a real number curve

Fig. 1.4. Arbitrary points *P* and *–P* 

Fig. 1.5. Addition of a point to itself (point doubling)

The operations of points on elliptic curves indicated in the previous section are fascinating and it is applicable to the area of cryptography. It so happen that similar formulas work if real numbers are replaced with finite field. An elliptic curve defined over prime field is cryptographically good if the curve is non-singular. This happens when the discriminant, 3 2 16(4 27 ) 0 *a b* . That means, the polynomial <sup>3</sup> *x ax b* has no multiple roots.

Now define an elliptic curve mod *p*, where *p* is a prime. For the rest of this section several examples are shown to exhibit its cryptographic use.

**Example 2.1**: Let *E* be given by 2 3 *yx x* 2 1 (mod5) . First of all, compute and list all the points on the curve by letting *x* run through the values 0, 1, 2, 3, 4 and solve for *y*. Substitute each of these into the equation and find the values of *y* that solve the equation.

> 2 2 2 2 2 0 1 4 2,3 (mod5) 1 2 no solution 2 11 1 16 1,4 (mod5) 3 32 2 no solution 4 71 1 16 1,4 (mod5) *x y y x y x y y x y x y y*

Therefore, yield the following points along with point at infinity, the identity element:

$$(0,2), (0,3), (2,1), (2,4), (4,1), (4,4), (\infty,\infty)$$

Elliptic curves mod *p* generates finite sets of points and it is these elliptic curves that are useful in cryptography. For cryptographic purposes, the polynomial <sup>3</sup> *x ax b* is assumed not to have multiple roots, as it will lead to weak curves and vulnerable to attack. Computation of points on elliptic curve can also be obtained by using the *Mathematica* software. Now we demonstrate how it can be done. First we need to choose the base point *G*, and the coefficient *a.* Then choose the coefficient *b*, so that *G* lies on the curve 2 3 *y x ax b* (mod5). Now say the point *G* = (1, 3 ) and choose *a* = 2. Then substitute this into the equation, give the value of *b* = 1. Thus we have 2 3 *yx x* 2 1 (mod5) . The following points are generated using the *Mathematica* programming software. The command **multsell** is used to generate points from the curve and was fully written by Lawrence Washington (Lawrence & Wade, 2006). The following are the points generated using the **multsell** command. Thus the following points are generated.

$$(1,3), (3,2), (0,4), (0,1), (3,3), (1,2), (\infty,\infty)$$

### **2.2.1 Points addition and doubling on elliptic curves**

As it was shown earlier in the formulations of points on an elliptic curve, adding points on elliptic curve is not the same as adding points in the plane. Scalar multiplication of a point on the curve for which we have say, *mP* with *m* = 2185, will be evaluated as 2(2(2(2(2(2(2(2(2(2(2(2(2*P*))) + *P*))))+ *P* ))) + *P.* This is called doubling operation. The

Elliptic Curve Cryptography and Point Counting Algorithms 97

More than twenty years ago, when elliptic curve cryptography was first introduced

Neal Koblitz and Victor Miller, researchers never thought that elliptic curve cryptography could be implemented efficiently and securely. During those times the arithmetic operations on elliptic curves were difficult to perform. The arithmetic on the elliptic curves was not very efficient and it was only meant for academic interest. Since then, a great deal of effort has been put on the study of elliptic curve and its implementation in cryptography. By the late 1990s the implementations were ten times more efficient and this has made the elliptic curves cryptography as a challenge to the RSA (Rivest- Shamir-Adleman) cryptography.

In recent years, the bit length for secure RSA use has increased and this has increased the processing load on applications using RSA. This is due to the development of the integer factorization algorithms which runs in sub-exponential time and as a result, RSA had to choose a very large key for it to sustain the intractability of the system, where as the elliptic curves cryptosystem require fewer bits or shorter key lengths for the same security level, since the security of the elliptic curve cryptography relies on the discrete logarithm problem and the best known algorithm to solve those problems is fully exponential time. Thus reduction in the time, cost as well as the size or bandwidth and memory requirements, which is crucial factor in some applications such as designs of smart cards, where both memory and processing power are limited but requiring high security. For an example, 160 bits in elliptic curve cryptosystem is around 1024 bits in RSA cryptosystem. Nowadays, elliptic curve cryptosystem is one of the important components in Microsoft Windows,

As it was mentioned earlier that elliptic curves cryptosystem based its security on the hardness of the discrete logarithm problem. One of the most important aspects in elliptic curve cryptosystem is choosing the right curve that preserved the hardness of discrete logarithm problem. One way to ensure this is to avoid singular curves as the discrete logarithm problem for these types of curves can reduce the hardness of the discrete logarithm problem. The arithmetic on these curves can be much faster over these curves and this is due to the fact that several terms vanished and these types of curves are considered weak and the system will no longer be intractable. Therefore, as mentioned earlier in the previous section, elliptic curves

Before messages can be encrypted, those messages need to be embedded on the points of the elliptic curve (Lawrence & Wade, 2006). The embedding process encoded the message *m*, which is already in a number form, as a point on the curve. Let *K* be a large positive integer so that a failure rate of 1 2 *<sup>K</sup>* is acceptable in the decoding process, where *K Z* . Assume now that *m* satisfies ( 1) . *m Kp* The message *m* is presented by a number *x mK j* , where *K* is an integer and 0 *j K* . For *j K* 0,1,2,...., 1 , compute <sup>3</sup> *x ax b* (mod *p*) and calculate the square root of it. If there is a square root *y*, then embedded point, *P xy <sup>m</sup>* (,) .

**4. Elliptic curve cryptography** 

email applications, bank cards and in mobile phones.

suitable for cryptographic use are of type non-singular curves.

Otherwise, increase the *j* by one and again compute the new *x*.

**4.1 Embedding plaintext on an elliptic curve** 

independently by

following examples show us how addition and doubling operation exactly works using the formulation in section 2.1.

**Example 2.2 (point addition)** : Suppose *E* is defined by 2 3 *yx x* 2 1 (mod5) . Now add the point (1, 2) and the point (3, 2). The slope *m* 2 2 0(mod5) 3 2 . Then, we have the following formulas to obtain the third point on the curve.

$$\begin{aligned} x\_3 &= -1 - 3 = -4 \equiv 1 \text{(mod } 5\text{)}\\ y\_3 &= -2 \equiv 3 \text{(mod } 5\text{)} \end{aligned}$$

This means that (1, 2) + (3, 2) = (1, 3), which is also on the curve. This can be verified using the *Mathematica* function, **addell** which was also developed by Lawrence C. Washington (Lawrence & Wade, 2006).

**Example 2.3 (point doubling)**: Using the same *E* as in example 1.2, compute 2*PPP* , where *P=* ( 1, 3). This operation is called doubling.

$$\begin{aligned} m &= \frac{3(1) + 2}{2(3)} = \frac{5}{6} \equiv 5 \cdot 6 \equiv 0 \text{(mod 5)}\\ \therefore \; m &\equiv 0 \text{(mod 5)}\\ \end{aligned}$$

$$\begin{aligned} \alpha\_3 &= -1 - 1 = -2 \equiv 3 \text{(mod 5)}\\ y\_3 &= -3 \equiv 2 \text{(mod 5)} \end{aligned}$$

Thus we have 3 3 *x y* 3, 2 . Hence (1,3) (1,3) (3,2) . This also can be verified using the *Mathematica* command, **addell**. For the ordinary scalar multiplication, say, 3*P*, is evaluated as 2*P* + *P*.

### **3. Elliptic curve discrete logarithm problem**

The term, elliptic curve discrete logarithm problem (ECDLP) comes from the classical discrete logarithm problem, *<sup>k</sup> x g* (mod *p*), where we want to find *k*. In the context of elliptic curve, suppose that the points , *P Q* on an elliptic curve are made known and *Q kP* for some *k*, then find the *k*. The difficulty of finding the *k* is what makes the elliptic curves an area which is cryptographically worth exploring for. In other words, elliptic curves cryptosystem rely its security on the difficulty of the discrete logarithm problem and the available efficient algorithms that can solve the discrete logarithm problem.

Solving the elliptic curve discrete logarithm problem is very hard and until now there is no good and efficient algorithm available to solve the problem. Nevertheless there are a few algorithms being widely discussed, which is popular amongst the cryptanalysts. They are analog of Pohlig-Hellman attack, index calculus attack and baby step-giant step attack. The baby-step giant-step attack on discrete logarithm problem works for elliptic curves although it requires too much memory to be practical. Generally speaking, there is no algorithm available to solve the discrete logarithm problem in sub-exponential time.

### **4. Elliptic curve cryptography**

96 Cryptography and Security in Computing

following examples show us how addition and doubling operation exactly works using the

**Example 2.2 (point addition)** : Suppose *E* is defined by 2 3 *yx x* 2 1 (mod5) . Now add

1 3 4 1(mod5)

2 3(mod5)

This means that (1, 2) + (3, 2) = (1, 3), which is also on the curve. This can be verified using the *Mathematica* function, **addell** which was also developed by Lawrence C. Washington

**Example 2.3 (point doubling)**: Using the same *E* as in example 1.2, compute 2*PPP* ,

3(1) 2 5 5 6 0(mod5) 2(3) 6

1 1 2 3(mod5)

3 2(mod5)

Thus we have 3 3 *x y* 3, 2 . Hence (1,3) (1,3) (3,2) . This also can be verified using the *Mathematica* command, **addell**. For the ordinary scalar multiplication, say, 3*P*, is evaluated

The term, elliptic curve discrete logarithm problem (ECDLP) comes from the classical discrete logarithm problem, *<sup>k</sup> x g* (mod *p*), where we want to find *k*. In the context of elliptic curve, suppose that the points , *P Q* on an elliptic curve are made known and *Q kP* for some *k*, then find the *k*. The difficulty of finding the *k* is what makes the elliptic curves an area which is cryptographically worth exploring for. In other words, elliptic curves cryptosystem rely its security on the difficulty of the discrete logarithm problem and the

Solving the elliptic curve discrete logarithm problem is very hard and until now there is no good and efficient algorithm available to solve the problem. Nevertheless there are a few algorithms being widely discussed, which is popular amongst the cryptanalysts. They are analog of Pohlig-Hellman attack, index calculus attack and baby step-giant step attack. The baby-step giant-step attack on discrete logarithm problem works for elliptic curves although it requires too much memory to be practical. Generally speaking, there is no algorithm

0 mod5)

available efficient algorithms that can solve the discrete logarithm problem.

available to solve the discrete logarithm problem in sub-exponential time.

2 2 0(mod5) 3 2

. Then, we have the

formulation in section 2.1.

(Lawrence & Wade, 2006).

as 2*P* + *P*.

the point (1, 2) and the point (3, 2). The slope *m*

where *P=* ( 1, 3). This operation is called doubling.

**3. Elliptic curve discrete logarithm problem** 

*m*

*m*

3 3

*x y*

following formulas to obtain the third point on the curve.

3 3

*x y* More than twenty years ago, when elliptic curve cryptography was first introduced independently by

Neal Koblitz and Victor Miller, researchers never thought that elliptic curve cryptography could be implemented efficiently and securely. During those times the arithmetic operations on elliptic curves were difficult to perform. The arithmetic on the elliptic curves was not very efficient and it was only meant for academic interest. Since then, a great deal of effort has been put on the study of elliptic curve and its implementation in cryptography. By the late 1990s the implementations were ten times more efficient and this has made the elliptic curves cryptography as a challenge to the RSA (Rivest- Shamir-Adleman) cryptography.

In recent years, the bit length for secure RSA use has increased and this has increased the processing load on applications using RSA. This is due to the development of the integer factorization algorithms which runs in sub-exponential time and as a result, RSA had to choose a very large key for it to sustain the intractability of the system, where as the elliptic curves cryptosystem require fewer bits or shorter key lengths for the same security level, since the security of the elliptic curve cryptography relies on the discrete logarithm problem and the best known algorithm to solve those problems is fully exponential time. Thus reduction in the time, cost as well as the size or bandwidth and memory requirements, which is crucial factor in some applications such as designs of smart cards, where both memory and processing power are limited but requiring high security. For an example, 160 bits in elliptic curve cryptosystem is around 1024 bits in RSA cryptosystem. Nowadays, elliptic curve cryptosystem is one of the important components in Microsoft Windows, email applications, bank cards and in mobile phones.

As it was mentioned earlier that elliptic curves cryptosystem based its security on the hardness of the discrete logarithm problem. One of the most important aspects in elliptic curve cryptosystem is choosing the right curve that preserved the hardness of discrete logarithm problem. One way to ensure this is to avoid singular curves as the discrete logarithm problem for these types of curves can reduce the hardness of the discrete logarithm problem. The arithmetic on these curves can be much faster over these curves and this is due to the fact that several terms vanished and these types of curves are considered weak and the system will no longer be intractable. Therefore, as mentioned earlier in the previous section, elliptic curves suitable for cryptographic use are of type non-singular curves.

### **4.1 Embedding plaintext on an elliptic curve**

Before messages can be encrypted, those messages need to be embedded on the points of the elliptic curve (Lawrence & Wade, 2006). The embedding process encoded the message *m*, which is already in a number form, as a point on the curve. Let *K* be a large positive integer so that a failure rate of 1 2 *<sup>K</sup>* is acceptable in the decoding process, where *K Z* . Assume now that *m* satisfies ( 1) . *m Kp* The message *m* is presented by a number *x mK j* , where *K* is an integer and 0 *j K* . For *j K* 0,1,2,...., 1 , compute <sup>3</sup> *x ax b* (mod *p*) and calculate the square root of it. If there is a square root *y*, then embedded point, *P xy <sup>m</sup>* (,) . Otherwise, increase the *j* by one and again compute the new *x*.

Elliptic Curve Cryptography and Point Counting Algorithms 99

(269,1803) (4217,7788) (269,1803) (4217, 7788) (5,1743)

A digital signature is an electronic analogue of a hand written signature that allows a receiver to convince a third party that the message is in fact originated from the sender. ElGamal elliptic curve digital signature algorithm is an analogue to the digital signature algorithm proposed earlier by ElGamal in 1985 where some modifications were done to deal

Now suppose that Alice wants to sign a message *m*. assuming that *m* is an integer, Alice fixes an elliptic curve *E p* (mod ) , where *p* is a large prime and a point *A* on *E*. We assume that the number of points *n* on *E* has been calculated and 0 *m n* . Alice also has to choose a private integer *a* and compute *B* = *aA*. The prime *p*, the curve *E*, the integer *n*, and the points

1. Alice chooses a random integer *k* with 1 *k n* and gcd ( *k*, *n*) = 1, and computes *R* =

Note that *R* is a point on *E*, and *m* and *s* are integers. Next, Bob verifies the signature as

We can verify that the verification procedure works because we have the following:

<sup>1</sup> <sup>2</sup> *V xB sR xaA k m ax kA xaA m ax A mA V* ( )( ) ( )

Let 2 3 *E* : ( *y x bx c* mod*p*) be an elliptic curve. Then the number of points on *E* denoted as *#E*(*Fp*), satisfies Hasse's theorem (Jacobson & Hammer, 2009),(Lawrence & Wade,2006). According to Hasse's theorem, the number of points on *E*, *#E*(*Fp*) , satisfy the following

*p* 12 # 12 *p EF p p <sup>p</sup>*

Number of points on the curve *E* is called the order of the curve. The order of a point is defined by the number of times the point added to itself until the infinity is obtained. The order of any point on the curve *E*, will divide the order of the curve *E*. If the order of the curve has many factors or smooth, then this curve is not cryptographically good. For

1

*A* and *B* are made public. To sign the message *m*, Alice does the following procedure:

Now Bob recovered the message *Pm* (5,1743) that Alice sent.

**4.4 ElGamal elliptic curve digital signature algorithm** 

2. Now, Alice computes <sup>1</sup> *s k m ax n* ( )(mod ) and

1. Bob now downloads Alice's public information *p*, *E*, *n*, *A*, *B*, and

3. Sends the signed message (*m*, *R*, *s*) to Bob.

2. Computes *V xB sR* <sup>1</sup> and*V mA* <sup>2</sup> . 3. Declares the signature valid if*V V* 1 2 .

**5. Point counting for** *E* **(mod** *p***)** 

with points on an elliptic curve.

*kA* = ( *x*, *y* ),

follows:

inequality.

Repeat this step until either the square root is found or *j K* . For the case where *j* equals *K*, the mapping of the message to a point failed. In order to recover the message from the embedded point, *P xy <sup>m</sup>* (,) . *m* can be recovered by computing *x K*/ . Once the messages have been encoded as points on an elliptic curve, then those points can be manipulated arithmetically to hide away those messages. This process is called encryption process. The reverse of the encryption process is called decryption process. There are three versions of classical algorithms, where arithmetic of elliptic curves is being adopted. They are the elliptic curve Diffie-Hellman key exchange, ElGamal elliptic curve cryptosystem and ElGamal elliptic curve digital signature algorithm.

### **4.2 Elliptic curve diffie-hellman key exchange**

Elliptic curve Diffie-Hellman key exchange was first introduced by Diffie and Hellman in the year 1976 (Hellman, 1976). Now we exhibit the implementation of elliptic curve Diffie-Hellman key exchange. Alice and Bob want to exchange a key. Thus, they agreed on a public point generator or the base point *G* on an elliptic curve 2 3 *y x ax b*(mod ). *p* Now choose *p* = 7211 and *a* = 1 and the point *G* = (3, 5). This gives *b* = 7206. Alice chooses a random integer *Ak* = 12 and Bob chooses random integer *Bk* = 23. Alice and Bob keep these private to themselves but publish the *Ak G* and *Bk G* . In this case we have

$$k\_A G = \text{(1794,6375) and } \ k\_B G = \text{(3861,1242)}\cdot \text{}$$

Alice now takes *Bk G* and multiples by *Ak* to get the:

( ) 12(3861,1242) (1472,2098). *<sup>A</sup> <sup>B</sup> k kG*

Similarly, Bob takes *Ak G* and multiples by *Bk* to get the key:

( ) 23(1794,6375) (1472,2098). *B A k kG*

Notice that Alice and Bob have the same key.

### **4.3 Elliptic curve Elgamal cryptosystem**

Assuming we have a situation where there are two parties communicating through an insecure channel. The communication is between Alice and Bob. The following example exhibits the use of elliptic curves to encrypt and decrypt messages.

**Example 4.1**: Firstly, we must generate a curve. Choose the prime *p* = 8831, the point

*G* = (,) *x y* = (3,7) and *a* = 1. To make *G* lie on the curve 2 3 *y x ax b*(mod ), *p* we then obtain *b* = 19. Alice has a message, represented as a point *Pm* (5,1743) and she wants to send it to Bob. Bob has chosen a random number 5 *<sup>b</sup> a* and published the point *<sup>b</sup> a G* (7335,7164) . Alice then chooses a random number *k* = 4. She sends Bob *kG* (254,2386) and *P kaG m b* ( ) (269,1803) . Bob then first calculate 5(254,2386) (4217,7788) *<sup>b</sup> a kG* . Bob then subtract this from(269,1803) :

98 Cryptography and Security in Computing

Repeat this step until either the square root is found or *j K* . For the case where *j* equals *K*, the mapping of the message to a point failed. In order to recover the message from the embedded point, *P xy <sup>m</sup>* (,) . *m* can be recovered by computing *x K*/ . Once the messages have been encoded as points on an elliptic curve, then those points can be manipulated arithmetically to hide away those messages. This process is called encryption process. The reverse of the encryption process is called decryption process. There are three versions of classical algorithms, where arithmetic of elliptic curves is being adopted. They are the elliptic curve Diffie-Hellman key exchange, ElGamal elliptic curve cryptosystem and

Elliptic curve Diffie-Hellman key exchange was first introduced by Diffie and Hellman in the year 1976 (Hellman, 1976). Now we exhibit the implementation of elliptic curve Diffie-Hellman key exchange. Alice and Bob want to exchange a key. Thus, they agreed on a public point generator or the base point *G* on an elliptic curve 2 3 *y x ax b*(mod ). *p* Now choose *p* = 7211 and *a* = 1 and the point *G* = (3, 5). This gives *b* = 7206. Alice chooses a random integer *Ak* = 12 and Bob chooses random integer *Bk* = 23. Alice and Bob keep these private to themselves but publish the *Ak G* and *Bk G* . In this

(1794,6375) *Ak G* and *Bk G* = (3861,1242).

( ) 12(3861,1242) (1472,2098). *<sup>A</sup> <sup>B</sup> k kG*

( ) 23(1794,6375) (1472,2098). *B A k kG*

Assuming we have a situation where there are two parties communicating through an insecure channel. The communication is between Alice and Bob. The following example

*G* = (,) *x y* = (3,7) and *a* = 1. To make *G* lie on the curve 2 3 *y x ax b*(mod ), *p* we then obtain *b* = 19. Alice has a message, represented as a point *Pm* (5,1743) and she wants to send it to Bob. Bob has chosen a random number 5 *<sup>b</sup> a* and published the point *<sup>b</sup> a G* (7335,7164) . Alice then chooses a random number *k* = 4. She sends Bob *kG* (254,2386) and *P kaG m b* ( ) (269,1803) . Bob then first calculate 5(254,2386) (4217,7788) *<sup>b</sup> a kG* . Bob

**Example 4.1**: Firstly, we must generate a curve. Choose the prime *p* = 8831, the point

ElGamal elliptic curve digital signature algorithm.

**4.2 Elliptic curve diffie-hellman key exchange** 

Alice now takes *Bk G* and multiples by *Ak* to get the:

Notice that Alice and Bob have the same key.

**4.3 Elliptic curve Elgamal cryptosystem** 

then subtract this from(269,1803) :

Similarly, Bob takes *Ak G* and multiples by *Bk* to get the key:

exhibits the use of elliptic curves to encrypt and decrypt messages.

case we have

(269,1803) (4217,7788) (269,1803) (4217, 7788) (5,1743)

Now Bob recovered the message *Pm* (5,1743) that Alice sent.

### **4.4 ElGamal elliptic curve digital signature algorithm**

A digital signature is an electronic analogue of a hand written signature that allows a receiver to convince a third party that the message is in fact originated from the sender. ElGamal elliptic curve digital signature algorithm is an analogue to the digital signature algorithm proposed earlier by ElGamal in 1985 where some modifications were done to deal with points on an elliptic curve.

Now suppose that Alice wants to sign a message *m*. assuming that *m* is an integer, Alice fixes an elliptic curve *E p* (mod ) , where *p* is a large prime and a point *A* on *E*. We assume that the number of points *n* on *E* has been calculated and 0 *m n* . Alice also has to choose a private integer *a* and compute *B* = *aA*. The prime *p*, the curve *E*, the integer *n*, and the points *A* and *B* are made public. To sign the message *m*, Alice does the following procedure:


Note that *R* is a point on *E*, and *m* and *s* are integers. Next, Bob verifies the signature as follows:


We can verify that the verification procedure works because we have the following:

$$V\_1 = \mathbf{x}B + \mathbf{s}R = \mathbf{x}aA + \mathbf{k}^{-1}(m - a\mathbf{x})(kA) = \mathbf{x}aA + (m - a\mathbf{x})A = mA = V\_2$$

### **5. Point counting for** *E* **(mod** *p***)**

Let 2 3 *E* : ( *y x bx c* mod*p*) be an elliptic curve. Then the number of points on *E* denoted as *#E*(*Fp*), satisfies Hasse's theorem (Jacobson & Hammer, 2009),(Lawrence & Wade,2006). According to Hasse's theorem, the number of points on *E*, *#E*(*Fp*) , satisfy the following inequality.

$$p + 1 - 2\sqrt{p} \le \#E(F\_p) \le p + 1 + 2\sqrt{p}$$

Number of points on the curve *E* is called the order of the curve. The order of a point is defined by the number of times the point added to itself until the infinity is obtained. The order of any point on the curve *E*, will divide the order of the curve *E*. If the order of the curve has many factors or smooth, then this curve is not cryptographically good. For

Elliptic Curve Cryptography and Point Counting Algorithms 101

<sup>2</sup> 0, ( ) *<sup>p</sup> p p*

where *Fp* is the algebraic closure of the prime field *Fp* . Let *t* is the trace of Frobenius

Obviously from equation (5), we have for all points, (,) ( ) *P x <sup>p</sup> y E F* satisfying the

where scalar multiplication by *p* or *t* signifies adding a point to itself *p* or *t* times respectively. For( , ) [] *x y E l* , where [ ] { ( , ) ( )|[ ] } *El P x <sup>p</sup> y EF lP O* , here each *P* [] *E l* is called *l*–torsion point. If (,) (,) *pp pp t x y t x y* where *t* is *t* mod *l* and *p* known as *p* mod *l*

( , ) (,) ( , ) *p p p p x y p x y t x y*

goes to zero on points of particular order. Let *E* be the elliptic curve given by (2). The

m+1) / 2y m , m ≥ 3

m+1 Ψm-1 *m* , m ≥ 2

*<sup>m</sup>* (*x*, *y*) = 0 if and only if (*x, y*) ∈ *E*[*n*]. These polynomials are defined

To determine *t* (mod *l*) for primes *l* > 2, we need to compute the division polynomials.

 

endomorphism, then the number of points, #*E F <sup>p</sup>* is given in (6) as follows:

where *l* is a prime. Now, the equation of (7) is reduced as following:

2 2

Division polynomial (McGee, 2006) is a sequence of polynomials in

The Frobenius map or endomorphism

2 2

**Definition 5.1.1 (Division Polynomial )** 

recursively as follows (Schoof, 1985):

*Ψ<sup>4</sup>* = 4*y* (*x*6 + 5*xa4* + *-20bx3*-5a2*x*2 - 4*abx* -8*b*2 – *a*3)

m – Ψ <sup>3</sup>

m-1 – Ψm-2 Ψ <sup>2</sup>

following equation (7):

division polynomials

*Ψ<sup>3</sup>* = 3*x*4 + 6*ax*2 + 12*bx*- *a2*

Ψ2m = Ψm (Ψm+2 Ψ <sup>2</sup>

Ψ 2m + 1 = Ψm+2 Ψ <sup>3</sup>

*Ψ-1* = -1 *Ψ0* = 0 *Ψ<sup>1</sup>* = 1 *Ψ<sup>2</sup>* = 2*y*

:( ) ( )

*EF EF*

*pp p*

(,) ( , )

*xy x y*

*p p*

*<sup>p</sup>* satisfies the characteristic equation (5)

*t p PF* (5)
