**Meet the editor**

Jaydip Sen has 18 years of experience in the field of networking, security and communication. He has worked in reputed organizations such as Tata Consultancy Services, India, Oil and Natural Gas Corporation Ltd., India, Oracle India Pvt. Ltd., and Akamai Technology Pvt. Ltd., India. His research areas include security in wired and wireless networks, intrusion detection systems, secure routing protocols in wireless ad hoc and sensor networks, secure multicast and broadcast communication in next generation broadband wireless networks, trust- and reputation-based systems, quality of service in multimedia communication in wireless networks, cross-layer optimization based resource allocation algorithms in next generation wireless networks, sensor networks, and privacy issues in ubiquitous and pervasive communication. He has more than 90 publications in reputed international books, journals and refereed conference proceedings. He is a member of ACM and IEEE.

## Contents

**Preface IX**

**Part 1 Theoretical and Fundamental Aspects of Cryptography 1**

Chapter 1 **Provably Secure Cryptographic Constructions 3**
Sergey I. Nikolenko

Chapter 2 **Malicious Cryptology and Mathematics 23**
Eric Filiol

Chapter 3 **Cryptographic Criteria on Vector Boolean Functions 51**
José Antonio Álvarez-Cubero and Pedro J. Zufiria

Chapter 4 **Construction of Orthogonal Arrays of Index Unity Using Logarithm Tables for Galois Fields 71**
Jose Torres-Jimenez, Himer Avila-George, Nelson Rangel-Valdez and Loreto Gonzalez-Hernandez

Chapter 5 **Elliptic Curve Cryptography and Point Counting Algorithms 91**
Hailiza Kamarulhaili and Liew Khang Jie

Chapter 6 **Division and Inversion Over Finite Fields 117**
Abdulah Abdulah Zadeh

**Part 2 Applications of Cryptographic Algorithms and Protocols 131**

Chapter 7 **Secure and Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks 133**
Jaydip Sen

Chapter 8 **Scan-Based Side-Channel Attack on the RSA Cryptosystem 165**
Ryuta Nara, Masao Yanagisawa and Nozomu Togawa

Chapter 9 **PGP Protocol and Its Applications 181**
Hilal M. Yousif Al-Bayatti, Abdul Monem S. Rahma and Hala Bhjat Abdul Wahab


## Preface

During the last three decades, public academic research in cryptography has exploded. While classical cryptography has long been used by ordinary people, computer cryptography was the exclusive domain of the world's militaries since World War II. Today, state-of-the-art computer cryptography is practiced outside the secured walls of military agencies. Laypersons can now employ security practices that can protect against the most powerful adversaries. Since we live in an era of a connected world, with the convergence of computers and networks, the need for information security and assurance is greater than it has ever been before. With the advent of rapidly advancing and amazing technologies that enable instantaneous flow of information, the purview of cryptography and information security has also changed dramatically.

Computer security, as it was understood in the 1960s and even later, was concerned with how to create in a computer system a group of access controls that would implement or emulate the processes of the prior paper world, plus the associated issues of protecting such software against unauthorized changes, subversion and illicit use, and of embedding the entire system in a secure physical environment with appropriate management and operational doctrines and procedures. The poorly understood aspect of security was the risk that software might malfunction, or be penetrated, and subvert the proper behaviour of the system. For the aspects of communications, personnel, and physical security, there was a plethora of rules, regulations, operating procedures and experience to cover them. It was largely a matter of merging all of it with the hardware/software aspects to yield an overall secure system and operating environment.

However, the world has changed. We now live in an era of rapidly advancing and amazing communication and computing technologies that enable instantaneous flow of information – anytime, anywhere. Networking of computers is now the rule and not the exception. Many commercial transactions are now web-based, and many commercial communities – the financial one in particular – have moved into a web posture. The net effect of all these transformations has been to expose the computer-based information system – its hardware, its software processes, its databases, its communications – to an environment over which no one – not the end user, not the network administrator or system owner, not even the government – has full control. What must, therefore, be done is to provide appropriate technical, procedural, operational and environmental safeguards against threats as they might appear or be imagined, embedded in an acceptable legal framework.

With this rapid transformation of the computing and communication world, information-system security has moved from a largely self-contained bounded environment interacting with a generally known and disciplined user community to one of worldwide scope with a body of users that may not be known and are not necessarily trusted. Importantly, security control now must deal with circumstances over which there is largely no control or expectation of avoiding their impact. Computer security, as it has evolved, shares a similarity with liability insurance; they each face a threat environment that is known in a very general way and can face attacks over a broad spectrum of sources; however, the exact details, or even the time or certainty, of an attack are unknown until an incident actually occurs.


In this scenario of uncertainty and threats, cryptography will play a crucial role in developing new security solutions. New cryptographic algorithms, protocols and tools must follow up in order to adapt to the new communication and computing technologies. In addition to classical cryptographic algorithms, new approaches like chaos-based cryptography, DNA-based cryptography and quantum cryptography will play important roles.

The purpose of this book is to present some of the critical security challenges in today's computing world and to discuss mechanisms for defending against those attacks by using classical and modern approaches of cryptography and other security solutions. With this objective, the book provides a collection of research work in the field of cryptography and its applications in network security by some experts in these areas.

The book contains 11 chapters which are divided into two parts. The chapters in Part 1 of the book mostly deal with theoretical and fundamental aspects of cryptography. The chapters in Part 2, on the other hand, discuss various applications of cryptographic protocols and techniques in designing computing and network security solutions.

Part 1 of the book contains six chapters. In Chapter 1: *Provably secure cryptographic constructions*, Nikolenko presents a survey of some of the existing methods for proving security in cryptosystems and also discusses feebly secure cryptographic primitives. In Chapter 2: *Malicious cryptology and mathematics*, Filiol discusses existing research work on malicious cryptology, malware-based operational cryptanalysis and other key issues in the emerging field of malicious cryptographic algorithm designs. In Chapter 3: *Cryptographic criteria on vector Boolean functions*, Álvarez-Cubero and Zufiria present cryptographic criteria such as nonlinearity, linearity distance, balancedness, algebraic degree, correlation immunity, resiliency and propagation criterion, as well as constructions of Vector Boolean functions such as composition, addition and coordinate functions. In Chapter 4: *Construction of orthogonal arrays of index unity using logarithm tables for Galois fields*, Torres-Jimenez et al. present a discussion on orthogonal arrays and their importance in the development of algorithms in cryptography, and propose an efficient implementation of Bush's construction of orthogonal arrays of index unity based on the use of logarithm tables for Galois fields. In Chapter 5: *Elliptic curve cryptography and the point counting algorithms*, Kamarulhaili and Jie present a mathematical discussion of elliptic curves, group operations of points on an elliptic curve, the addition algorithm, and doubling operations over real numbers as well as over a finite field. In Chapter 6: *Division and inversion over finite fields*, Zadeh presents algorithms for division and inversion operations over finite fields based on Fermat's little theorem and Euclidean dividers.


Part 2 contains five chapters. In Chapter 7: *Secure and privacy-preserving data aggregation protocols for wireless sensor networks*, Sen discusses the requirements of secure and privacy-preserving data aggregation in wireless sensor networks and presents a couple of algorithms to achieve these requirements. In Chapter 8: *Scan-based side-channel attack on the RSA cryptosystem*, Nara et al. present a scan-based attack wherein, by checking a bit sequence, or scan signature, it is possible to retrieve the secret key in an RSA cryptosystem. In Chapter 9: *PGP protocol and its applications*, Al-Bayatti et al. discuss methods to combine graphical curve security methods with classical cryptographic algorithms to enhance the level of security in a system.

In Chapter 10: *Comparative analysis between master key and interpretative key management (IKM) frameworks*, Chaeikar et al. have presented a comparative analysis of the efficiency and effectiveness of master key and interpretative key management frameworks. In Chapter 11: *Potential applications of IPSec in next-generation networks*, Vintilă discusses how IPSec could be utilized to implement security in next generation broadband wireless networks.

The book can be very useful for researchers, engineers, and graduate and doctoral students working in cryptography and security-related areas. It can also be very useful for faculty members of graduate schools and universities. However, it is not a basic tutorial on cryptography and network security, and hence it does not contain detailed introductory information on these topics. Readers need to have at least some basic knowledge of theoretical cryptography and the fundamentals of network security. The book should also not be taken as a detailed research report. While some chapters simply present specific problems and their solutions that might be helpful for graduate students, some discuss fundamental information that might be useful for general readers. Some of the chapters present in-depth cryptography- and security-related theories and the latest updates in a particular research area that might be useful to advanced readers and researchers in identifying their research directions and formulating problems to solve.

My sincere thanks to the authors of the different chapters of the book, without whose invaluable contributions this project would never have been possible. All the authors have been extremely cooperative on different occasions during the submission, review, and editing process of the book. I would like to express my special gratitude to Ms. Martina Durovic and Ms. Mirna Cvijic of InTech for their support, encouragement, patience and cooperation during the entire period of publication of the book. Finally, I would like to thank my mother Kishna Sen, my wife Nalanda Sen and my daughter Ritabrata Sen for their continuous support and encouragement throughout the entire publication project.

> **Jaydip Sen**
> Senior Scientist, Innovation Lab, Tata Consultancy Services, Kolkata, India

## **Part 1**

**Theoretical and Fundamental Aspects of Cryptography**


## **Provably Secure Cryptographic Constructions**

### Sergey I. Nikolenko

*Steklov Mathematical Institute, St. Petersburg, Russia*

### **1. Introduction**

### **1.1 Cryptography: treading uncertain paths**

Modern cryptography has virtually no provably secure constructions. Starting from the first Diffie–Hellman key agreement protocol (Diffie & Hellman, 1976) and the first public key cryptosystem RSA (Rivest et al., 1978), not a single public key cryptographic protocol has been proven secure. Note, however, that there exist secure secret key protocols, e.g., the one-time pad scheme (Shannon, 1949; Vernam, 1926); they can even achieve information–theoretic security, but only if the secret key carries at least as much information as the message.

An *unconditional* proof of security for a public key protocol would be indeed hard to find, since it would necessarily imply that P ≠ NP. Consider, for instance, a one-way function, i.e., a function that is easy to compute but hard to invert. One-way functions are basic cryptographic primitives; if there are no one-way functions, there is no public key cryptography. The usual cryptographic definition requires that a one-way function can be computed in polynomial time. Therefore, if we are given a preimage $y \in f^{-1}(x)$, we can, by definition, verify in polynomial time that $f(y) = x$, so the inversion problem is actually in NP. This means that in order to prove that a function is one-way, we have to prove that P ≠ NP, a rather daring feat to accomplish. A similar argument can be made for cryptosystems and other cryptographic primitives; for example, the definition of a trapdoor function (Goldreich, 2001) explicitly requires an inversion witness to exist.
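As a toy illustration of why inversion sits in NP (our sketch, not the chapter's; `sha256` is only a stand-in for an arbitrary polynomial-time computable function), verifying a claimed preimage takes a single evaluation, while the obvious inverter is exhaustive search:

```python
import hashlib

def f(y: bytes) -> bytes:
    # Stand-in for an arbitrary polynomial-time computable function.
    return hashlib.sha256(y).digest()

def verify_preimage(x: bytes, y: bytes) -> bool:
    # The NP verifier: one evaluation of f suffices, given the witness y.
    return f(y) == x

def invert_by_search(x: bytes, max_bits: int):
    # The obvious inverter: exhaustive search, exponential in max_bits.
    for i in range(2 ** max_bits):
        y = i.to_bytes((max_bits + 7) // 8, "big")
        if verify_preimage(x, y):
            return y
    return None

assert verify_preimage(f(b"*"), b"*")        # verification: one call
assert invert_by_search(f(b"*"), 8) == b"*"  # inversion: up to 2^8 tries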

But the situation is worse: there are also no *conditional* proofs that might establish a connection between natural structural assumptions (like P ≠ NP or BPP ≠ NP) and cryptographic security. Recent developments in lattice-based cryptosystems relate cryptographic security to worst-case complexity, but they deal with problems unlikely to be NP-complete (Ajtai & Dwork, 1997; Dwork, 1997; Regev, 2005; 2006).

An excellent summary of the state of our knowledge regarding these matters was given by Impagliazzo (1995); although this paper is now more than 15 years old, we have not advanced much in these basic questions. Impagliazzo describes five possible worlds – we live in exactly one of them but do not know which one. He shows, in particular, that it may happen that NP problems are hard even on average, but cryptography does not exist (*Pessiland*) or that one-way functions exist but not public key cryptosystems (*Minicrypt*).<sup>1</sup>

<sup>1</sup> To learn the current state of affairs, we recommend watching Impagliazzo's lecture at the 2009 workshop "Complexity and Cryptography: Status of Impagliazzo's Worlds"; video is available on the web.


Another angle that might yield an approach to cryptography relates to *complete* cryptographic primitives. In regular complexity theory, much can be learned about complexity classes by studying their complete representatives; for instance, one can study any of the numerous well-defined combinatorial NP-complete problems, and any insight such as a fast algorithm for solving any of them is likely to be easily transferrable to all other problems from the class NP. In cryptography, however, the situation is worse. There exist known complete cryptographic constructions, both one-way functions (Kojevnikov & Nikolenko, 2008; 2009; Levin, 1986) and public key cryptosystems (Grigoriev et al., 2009; Harnik et al., 2005). However, they are still mostly useless in that they are not really combinatorial (their hardness relies on enumerating Turing machines) and they do not let us relate cryptographic security to key assumptions of classical complexity theory. In short, it seems that modern cryptography still has a very long way to go to *provably* secure constructions.

### **1.2 Asymptotics and hard bounds**

Moreover, the asymptotic nature of cryptographic definitions (and definitions of complexity theory in general) does not let us say anything about how hard it is to break a given cryptographic protocol for keys of a certain fixed length. And this is exactly what cryptography means in practice. For real life, it makes little sense to say that something is asymptotically hard. Such a result may (and does) provide some intuition towards the fact that an adversary will not be able to solve the problem, but no real guarantees are made: why is RSA secure for 2048-bit numbers? Why cannot someone come up with a device that breaks into all credit cards that use the same protocol with keys of the same length? There are no theoretical obstacles here. In essence, asymptotic complexity is not something one really wants to get out of cryptographic constructions. Ultimately, I do not care whether my credit card's protocol can or cannot be broken in the limit; I would be very happy if breaking my specific issue of credit cards required constant time, but this constant was larger than the size of the known Universe.

The proper computational model for proving this kind of property is *general circuit complexity* (see Section 2). This is the only computational model that can deal with specific bounds for specific key lengths; for instance, different implementations of Turing machines may differ by as much as a quadratic factor. Basic results in classical circuit complexity came in the 1980s and earlier, many of them provided by Soviet mathematicians (Blum, 1984; Khrapchenko, 1971; Lupanov, 1965; Markov, 1964; Nechiporuk, 1966; Paul, 1977; Razborov, 1985; 1990; Sholomov, 1969; Stockmeyer, 1977; 1987; Subbotovskaya, 1961; 1963; Yablonskii, 1957). Over the last two decades, efforts in circuit complexity have been relocated mostly towards results related to circuits with bounded depth and/or restricted set of functions computed in a node (Ajtai, 1983; Cai, 1989; Furst et al., 1984; Håstad, 1987; Immerman, 1987; Razborov, 1987; 1995; Smolensky, 1987; Yao, 1985; 1990). However, we need classical results for cryptographic purposes because the bounds we want to prove in cryptography should hold in the most general **B**2,1 basis. It would be a very bold move to advertise a credit card as "secure against adversaries who cannot use circuits of depth more than 3".

### **1.3 Feebly secure cryptographic primitives**

We cannot, at present, hope to prove security either in the "hard" sense of circuit complexity or in the sense of classical cryptographic definitions (Goldreich, 2001; 2004; Goldwasser & Bellare, 2001). However, if we are unable to prove a superpolynomial gap between the complexities of honest parties and adversaries, maybe we can prove at least *some* gap? Alain Hiltgen (1992) managed to present a function that is *twice* ($2 - o(1)$ times) harder to invert than to compute. His example is a linear function over $GF(2)$ with a matrix that has few non-zero entries while the inverse matrix has many non-zero entries; the complexity gap follows by a simple argument of Lamagna and Savage (Lamagna & Savage, 1973; Savage, 1976): every bit of the output depends nontrivially on many variables and all these bits correspond to different functions, hence a lower bound on the complexity of computing them all together (see Section 3.2). The model of computation here is the most general one: the number of gates in a Boolean circuit that uses arbitrary binary Boolean gates. We have already noted that little more could be expected for this model at present. For example, the best known lower bound for general circuit complexity of a specific Boolean function is $3n - o(n)$ (Blum, 1984), even though a simple counting argument proves that there exist plenty of Boolean functions with circuit complexity at least $\frac{1}{n}2^n$ (Wegener, 1987).
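For intuition, here is the standard counting argument in compressed form (our sketch of a textbook calculation, not the chapter's own derivation). Each of the $s$ gates chooses one of the 16 binary Boolean functions and two predecessors among at most $n + s$ nodes, so

$$\#\{\text{circuits with } s \text{ gates on } n \text{ inputs}\} \le \bigl(16\,(n+s)^2\bigr)^{s}, \qquad \#\mathbf{B}_{n,1} = 2^{2^n}.$$

Covering every function therefore forces $\bigl(16(n+s)^2\bigr)^{s} \ge 2^{2^n}$, i.e. $s\bigl(4 + 2\log_2(n+s)\bigr) \ge 2^n$, and hence $s = \Omega(2^n/n)$ for most functions.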

In this chapter, we briefly recount feebly one-way functions but primarily deal with another feebly secure cryptographic primitive: namely, we present constructions of *feebly trapdoor functions*. Of course, in order to obtain the result, we have to prove a lower bound on the circuit complexity of a certain function. To do so, we use the *gate elimination* technique which dates back to the 1970s and which has been used in proving virtually every single known bound in general circuit complexity (Blum, 1984; Paul, 1977; Stockmeyer, 1977). New methods would be of great interest; alas, there has been little progress in general circuit complexity since Blum's result of 3*n* − *o*(*n*). A much simpler proof has been recently presented by Demenkov & Kulikov (2011), but no improvement has been found yet.

We begin with linear constructions; in the linear case, we can actually nail gate elimination down to several well-defined techniques that we present in Section 3.3. These techniques let us present linear feebly trapdoor functions; the linear part of this chapter is based mostly on (Davydow & Nikolenko, 2011; Hirsch & Nikolenko, 2008; 2009). For the nonlinear case, we make use of a specific nonlinear feebly one-way function presented in (Hirsch et al., 2011; Melanich, 2009).

### **2. Basic definitions**

### **2.1 Boolean circuits**

Boolean circuits (see, e.g., (Wegener, 1987)) represent one of the few computational models that allow for proving *specific* rather than asymptotic lower bounds on the complexity. In this model, a function's complexity is defined as the minimal size of a circuit computing this function. Circuits consist of *gates*, and gates can implement various Boolean functions.

We denote by $\mathbf{B}_{n,m}$ the set of all $2^{m2^n}$ functions $f : \mathbf{B}^n \to \mathbf{B}^m$, where $\mathbf{B} = \{0,1\}$ is the field with two elements.

**Definition 1.** *Let* $\Omega$ *be a set of Boolean functions* $f : \mathbf{B}^m \to \mathbf{B}$ (*m may differ for different f*)*. Then an* Ω-circuit *is a directed acyclic labeled graph with vertices of two kinds:*

- *vertices of indegree 0 (vertices that no edges enter), labeled by one of the variables* $x_1, \ldots, x_n$, *and*
- *vertices labeled by a function* $f \in \Omega$ *with indegree equal to the arity of* $f$.

*Vertices of the first kind are called* inputs *or* input variables*; vertices of the second kind,* gates*. The* size *of a circuit is the number of gates in it.*
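A minimal sketch of this definition in code (ours, not the chapter's): a circuit as a DAG whose nodes are either input variables or gates labeled by Boolean functions of earlier nodes.

```python
from typing import Callable

Gate = tuple[Callable[[int, int], int], int, int]  # (label, predecessor a, predecessor b)

def eval_circuit(n_inputs: int, gates: list[Gate], x: list[int]) -> list[int]:
    # Node i < n_inputs is the input x_i; node n_inputs + j is gate j.
    values = list(x)
    for func, a, b in gates:
        values.append(func(values[a], values[b]))
    return values  # every gate can be viewed as an output

# y = x2 AND (x1 OR x3) with two gates, so its circuit size is at most 2.
gates = [(lambda a, b: a | b, 0, 2),  # node 3 = x1 OR x3
         (lambda a, b: a & b, 1, 3)]  # node 4 = x2 AND node 3
assert eval_circuit(3, gates, [0, 1, 1])[-1] == 1
```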


Fig. 1. Simple circuits: (*a*) $y = x_1 \oplus x_2$; (*b*) $y = x_1 \oplus x_2 \oplus x_3$; (*c*) a suboptimal circuit for $y = x_2 \wedge (x_1 \vee x_3)$; (*d*) an optimal one.

We usually speak of *outputs* of a circuit and draw them on pictures, but in theory, every gate of an Ω-circuit computes some Boolean function and can be considered as an output of the circuit. The circuit complexity of a function $f : \mathbf{B}^n \to \mathbf{B}^m$ in the basis $\Omega$ is denoted by $C_\Omega(f)$ and is defined as the minimal size of an Ω-circuit that computes $f$ (that has $m$ gates which compute the result of applying function $f$ to the input bits).

In order to get rid of unary gates, we will assume that a gate computes both its corresponding function and its negation (the same applies to the inputs, too). Our model of computation is given by Boolean circuits with arbitrary binary gates (this is known as *general circuit complexity*); in other words, each gate of a circuit is labeled by one of 16 Boolean functions from **B**2,1. Several simple examples of such circuits are shown in Fig. 1.

In what follows, we denote by *C*(*f*) the circuit complexity of *f* in the **B**2,1 basis that consists of all binary Boolean functions. We assume that each gate in this circuit depends on both inputs, i.e., there are no gates marked by constants and unary functions Id and ¬. This can be done without loss of generality because such gates are easy to exclude from a nontrivial circuit without any increase in its size.
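A quick sketch (ours) of this basis: numbering the 16 functions of **B**2,1 by their truth tables, where gate number $k$ maps $(a, b)$ to bit $2a + b$ of $k$, recovers exactly the $2^{2^2} = 16$ count from the $\mathbf{B}_{n,m}$ formula with $n = 2$, $m = 1$.

```python
def gate(k: int):
    # Gate number k maps (a, b) to bit 2*a + b of k.
    return lambda a, b: (k >> (2 * a + b)) & 1

tables = {tuple(gate(k)(a, b) for a in (0, 1) for b in (0, 1)) for k in range(16)}
assert len(tables) == 16  # all 16 binary Boolean functions, pairwise distinct
```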

### **2.2 Feebly secure one-way functions**

We want the size of circuits breaking our family of trapdoor functions to be larger than the size of circuits that perform encoding. Following Hiltgen (1992; 1994; 1998), for every injective function of $n$ variables $f_n \in \mathbf{B}_{n,m}$ we can define its *measure of one-wayness* as

$$M_F(f_n) = \frac{C(f_n^{-1})}{C(f_n)}. \tag{1}$$

The problem now becomes to find sequences of functions $f = \{f_n\}_{n=1}^{\infty}$ with a large asymptotic constant $\liminf_{n\to\infty} M_F(f_n)$, which Hiltgen calls $f$'s *order of one-wayness*.

Hiltgen (1992; 1994; 1998) presented several constructions of feebly secure one-way functions. To give a flavour of his results, we recall a sample one-way function. Consider a function $f : \mathbf{B}^n \to \mathbf{B}^n$ given by the following matrix:

$$f(x_1, \ldots, x_n) = \begin{pmatrix} 1 & 1 & 0 & \cdots & 0 & \cdots & 0 & 0 \\ 0 & 1 & 1 & \cdots & 0 & \cdots & 0 & 0 \\ \vdots & & & \ddots & & & & \vdots \\ 0 & 0 & 0 & \cdots & 0 & \cdots & 1 & 1 \\ 1 & 0 & 0 & \cdots & 1 & \cdots & 0 & 1 \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_{n-1} \\ x_n \end{pmatrix}, \tag{2}$$

Fig. 2. Hiltgen's feebly one-way function of order $\frac{3}{2}$: a circuit for $f$.

that is (we assume for simplicity that *n* is even),

$$f_j(x_1, \ldots, x_n) = \begin{cases} x_j \oplus x_{j+1}, & j = 1, \ldots, n-1, \\ x_1 \oplus x_{\frac{n}{2}} \oplus x_n, & j = n. \end{cases} \tag{3}$$

Straightforward computations show that $f$ is invertible, and its inverse is given by

$$f^{-1}(y_1, \ldots, y_n) = \begin{pmatrix} 0 & 0 & \cdots & 0 & 1 & 1 & \cdots & 1 & 1 \\ 1 & 0 & \cdots & 0 & 1 & 1 & \cdots & 1 & 1 \\ 1 & 1 & \cdots & 0 & 1 & 1 & \cdots & 1 & 1 \\ \vdots & & & & & & & & \vdots \\ 1 & 1 & \cdots & 1 & 1 & 1 & \cdots & 1 & 1 \\ 1 & 1 & \cdots & 1 & 0 & 1 & \cdots & 1 & 1 \\ \vdots & & & & & & & & \vdots \\ 1 & 1 & \cdots & 1 & 0 & 0 & \cdots & 0 & 1 \end{pmatrix} \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_{\frac{n}{2}} \\ y_{\frac{n}{2}+1} \\ \vdots \\ y_n \end{pmatrix}, \tag{4}$$

that is,


$$f_j^{-1}(y_1, \ldots, y_n) = \begin{cases} \left(y_1 \oplus \ldots \oplus y_{j-1}\right) \oplus \left(y_{\frac{n}{2}+1} \oplus \ldots \oplus y_n\right), & j = 1, \ldots, \frac{n}{2}, \\ \left(y_1 \oplus \ldots \oplus y_{\frac{n}{2}}\right) \oplus \left(y_{j-1} \oplus \ldots \oplus y_n\right), & j = \frac{n}{2}+1, \ldots, n. \end{cases} \tag{5}$$

It remains to invoke Proposition 6 (see below) to show that $f^{-1}$ requires at least $\lceil \frac{3n}{2} \rceil - 1$ gates to compute, while $f$ can be obviously computed in $n + 1$ gates. Fig. 2 shows a circuit that computes $f$ in $n + 1$ gates; Fig. 3, one of the optimal circuits for $f^{-1}$. Therefore, $f$ is a feebly one-way function with order of security $\frac{3}{2}$. For this particular function, inversion becomes strictly harder than evaluation at $n = 7$ (eight gates to compute, nine to invert).

Fig. 3. Hiltgen's feebly one-way function of order $\frac{3}{2}$: a circuit for $f^{-1}$.
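Note that the gate counts give $M_F(f_n) = \frac{\lceil 3n/2 \rceil - 1}{n + 1} \to \frac{3}{2}$, matching the stated order of one-wayness. The following sketch (our code, with assumed 0-based indexing, not the chapter's) implements $f$ from Eq. (3) and inverts it generically by Gauss-Jordan elimination over $GF(2)$, so the round-trip check does not depend on transcribing Eq. (5):

```python
import random

def f(x):                                  # n even; n + 1 XORs in total
    n = len(x)
    y = [x[j] ^ x[j + 1] for j in range(n - 1)]   # f_j = x_j XOR x_{j+1}
    y.append(x[0] ^ x[n // 2 - 1] ^ x[n - 1])     # f_n = x_1 XOR x_{n/2} XOR x_n
    return y

def matrix_of_f(n):
    # The bidiagonal matrix of Eq. (2), plus the last row with 1s at 1, n/2, n.
    rows = [[0] * n for _ in range(n)]
    for j in range(n - 1):
        rows[j][j] = rows[j][j + 1] = 1
    for k in (0, n // 2 - 1, n - 1):
        rows[n - 1][k] = 1
    return rows

def invert_gf2(a):
    # Gauss-Jordan elimination on the augmented matrix [A | I] over GF(2).
    n = len(a)
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col])
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [u ^ v for u, v in zip(m[r], m[col])]
    return [row[n:] for row in m]

n = 8
inv = invert_gf2(matrix_of_f(n))
x = [random.randint(0, 1) for _ in range(n)]
y = f(x)
assert [sum(inv[i][j] * y[j] for j in range(n)) % 2 for i in range(n)] == x
```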

### **2.3 Feebly trapdoor candidates**

In the context of feebly secure primitives, we have to give a more detailed definition of a trapdoor function than the regular cryptographic definition (Goldreich, 2001): since we are interested in constants here, we must pay attention to all the details. The following definition does not say anything about the complexity and hardness of inversion, but merely sets up the dimensions.

**Definition 2.** *For given functions* pi, ti, *m*, *c* : **N** → **N***, a* feebly trapdoor candidate *is a sequence of triples of circuits*

$$\mathcal{C} = \left\{(\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n)\right\}_{n=1}^{\infty}, \text{ where:} \tag{6}$$



- $\{\mathrm{Seed}_n\}_{n=1}^{\infty}$ *is a family of sampling circuits* $\mathrm{Seed}_n : \mathbf{B}^n \to \mathbf{B}^{\mathrm{pi}(n)} \times \mathbf{B}^{\mathrm{ti}(n)}$,
- $\{\mathrm{Eval}_n\}_{n=1}^{\infty}$ *is a family of evaluation circuits* $\mathrm{Eval}_n : \mathbf{B}^{\mathrm{pi}(n)} \times \mathbf{B}^{m(n)} \to \mathbf{B}^{c(n)}$, *and*
- $\{\mathrm{Inv}_n\}_{n=1}^{\infty}$ *is a family of inversion circuits* $\mathrm{Inv}_n : \mathbf{B}^{\mathrm{ti}(n)} \times \mathbf{B}^{c(n)} \to \mathbf{B}^{m(n)}$,

*such that for every security parameter n, every seed* $s \in \mathbf{B}^n$, *and every input* $m \in \mathbf{B}^{m(n)}$,

$$\mathrm{Inv}_n(\mathrm{Seed}_{n,2}(s), \mathrm{Eval}_n(\mathrm{Seed}_{n,1}(s), m)) = m, \tag{7}$$

*where* $\mathrm{Seed}_{n,1}(s)$ *and* $\mathrm{Seed}_{n,2}(s)$ *are the first* $\mathrm{pi}(n)$ *bits* (*"public information"*) *and the last* $\mathrm{ti}(n)$ *bits* (*"trapdoor information"*) *of* $\mathrm{Seed}_n(s)$*, respectively.*

Informally speaking, *n* is the security parameter (the length of the random seed), *m*(*n*) is the length of the input to the function, *c*(*n*) is the length of the function's output, and pi(*n*) and ti(*n*) are lengths of the public and trapdoor information, respectively. We call these functions "candidates" because Definition 2 does not imply any security, it merely sets up the dimensions and provides correct inversion. In our constructions, *m*(*n*) = *c*(*n*) and pi(*n*) = ti(*n*).
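The following hypothetical interface (ours, not the chapter's code) pins down these dimensions: `seed` splits a random seed into public and trapdoor parts, `eval_` maps (public information, message) to the output, and `inv` undoes it using the trapdoor, per Eq. (7).

```python
from dataclasses import dataclass
from typing import Callable

Bits = tuple[int, ...]

@dataclass
class FeeblyTrapdoorCandidate:
    pi: int                                    # pi(n): public info length
    ti: int                                    # ti(n): trapdoor info length
    m: int                                     # m(n): input length
    c: int                                     # c(n): output length
    seed: Callable[[Bits], tuple[Bits, Bits]]  # B^n -> B^pi(n) x B^ti(n)
    eval_: Callable[[Bits, Bits], Bits]        # B^pi(n) x B^m(n) -> B^c(n)
    inv: Callable[[Bits, Bits], Bits]          # B^ti(n) x B^c(n) -> B^m(n)

    def correct_on(self, s: Bits, msg: Bits) -> bool:
        pub, trap = self.seed(s)
        return self.inv(trap, self.eval_(pub, msg)) == msg  # Eq. (7)
```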

To find how secure a function is, one needs to know the size of the minimal circuit that could invert the function without knowing the trapdoor information. In addition to the worst-case complexity *C*(*f*), we introduce a stronger notion that we will use in this case.

**Definition 3.** *We denote by* $C_\alpha(f)$ *the minimal size of a circuit that correctly computes a function* $f \in \mathbf{B}_{n,m}$ *on more than an α fraction of its inputs* (*of length n*)*. Obviously,* $C_\alpha(f) \le C(f)$ *for all* $f$ *and* $0 \le \alpha \le 1$*.*

**Definition 4.** *A circuit* $N$ breaks *a feebly trapdoor candidate* $\mathcal{C} = \{\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n\}$ *on seed length n with probability α if, for uniformly chosen seeds* $s \in \mathbf{B}^n$ *and inputs* $m \in \mathbf{B}^{m(n)}$*,*

$$\Pr_{(s,m) \in \mathcal{U}}\left[N(\mathrm{Seed}_{n,1}(s), \mathrm{Eval}_n(\mathrm{Seed}_{n,1}(s), m)) = m\right] > \alpha. \tag{8}$$

Fig. 3. Hiltgen's feebly one-way function of order $3/2$: a circuit for $f^{-1}$.

A size $s$ circuit that breaks a feebly trapdoor candidate $\mathcal{C} = \{(\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n)\}$ on seed length $n$ in the sense of Definition 4 provides a counterexample for the statement $C_\alpha(f_{\mathrm{pi}(n)+c(n)}) > s$.

In fact, in what follows we prove a stronger result: no circuit (of a certain size) can break our candidate *for any random seed s*, that is, for every seed *s*, every adversary fails. For a trapdoor function to be secure, circuits that break the function should be larger than the circuits computing it. Moreover, in our results we can require that every such adversary fails with probability at least 1/4.

**Definition 5.** *We say that a feebly trapdoor candidate* $\mathcal{C} = \{(\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n)\}_{n=1}^{\infty}$ *has* order of security *k* with probability *α* *if*

$$\liminf_{n \to \infty}\, \min \left\{ \frac{C_{\alpha}(f_{\mathrm{pi}(n)+c(n)})}{C(\mathrm{Seed}_n)},\ \frac{C_{\alpha}(f_{\mathrm{pi}(n)+c(n)})}{C(\mathrm{Eval}_n)},\ \frac{C_{\alpha}(f_{\mathrm{pi}(n)+c(n)})}{C(\mathrm{Inv}_n)} \right\} \ge k, \tag{9}$$

*where the function* $f_{\mathrm{pi}(n)+c(n)} \in \mathbf{B}_{\mathrm{pi}(n)+c(n),\,m(n)}$ *maps*

$$(\mathbf{Seed}\_{n,1}(s), \mathbf{Eval}\_{n}(\mathbf{Seed}\_{n,1}(s), m)) \mapsto m. \tag{10}$$

*We say that a feebly trapdoor candidate has* order of security *k if it has order of security k with probability* $\alpha = 3/4$*.*

Let us first give a few simple examples. If there is no secret key at all, that is, $\mathrm{ti}(n) = 0$, then every feebly trapdoor candidate $\{(\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n)\}_{n=1}^{\infty}$ has order of security 1, since the sequence of circuits $\{\mathrm{Inv}_n\}_{n=1}^{\infty}$ successfully inverts it. If $\{(\mathrm{Seed}_n, \mathrm{Eval}_n, \mathrm{Inv}_n)\}_{n=1}^{\infty}$ implements a trapdoor function in the usual cryptographic sense, then $k = \infty$. Moreover, $k = \infty$ even if the bounds on the size of the adversary are merely superlinear, e.g., if every adversary requires $\Omega(n \log n)$ gates. Our definitions are not designed to distinguish between these (very different) cases because, unfortunately, any nonlinear lower bound on the general circuit complexity of a specific function appears to be very far away from the current state of knowledge.

One could also consider key generation as a separate process and omit its complexity from the definition of the order of security. However, we prove our results for the definition stated above as it makes them stronger.

In closing, let us note explicitly that we are talking about *one-time* security. An adversary can amortize the cost of inverting a feebly trapdoor candidate a second time for the same seed, for example, by computing the trapdoor information once and reusing it. Thus, in our setting one has to pick a new seed for every input.

### **3. Gate elimination techniques**

### **3.1 Classical gate elimination**

In this section, we first briefly cover classical gate elimination and then introduce a few new ideas related to gate elimination that have recently been presented by Davydow & Nikolenko (2011). Gate elimination is the primary (and, to be honest, virtually the only) technique we have to prove lower bounds in general circuit complexity; so far, it has been used for every single lower bound (Blum, 1984; Paul, 1977; Stockmeyer, 1977; Wegener, 1987). The basic idea of this method lies in the following inductive argument. Consider a function *f* and a circuit of minimal size *C* that computes it. Now substitute some value *c* for some variable *x*, thus obtaining a circuit for the function $f|_{x=c}$. The original circuit *C* can now be simplified, because the gates that had this variable as an input become either unary (recall that negation can be embedded into subsequent gates) or constant (in this case we can even proceed to eliminating subsequent gates). After figuring out how many gates one can eliminate on every step, one proceeds by induction as long as it is possible to find a suitable variable that eliminates enough gates. Evidently, the number of eliminated gates is a lower bound on the complexity of *f*.

Usually, the important case here is when a gate is nonlinear, such as an AND or an OR gate. In that case, it is always possible to choose a value for an input of such a gate so that this gate becomes a constant and, therefore, its immediate descendants can also be eliminated. However, for linear functions this kind of reasoning also works, and in Section 3.3 we distill it to two relatively simple ideas.

To give the reader a flavour of classical gate elimination, we briefly recall the proof of the $2n - 3$ lower bound for the functions of the form $f^{(n)}_{3,c} : \mathbf{B}^n \to \mathbf{B}$ defined by

$$f^{(n)}_{3,c}(x_1, \dots, x_n) = ((x_1 + \dots + x_n + c) \bmod 3) \bmod 2. \tag{11}$$

This proof can be found in many sources, including (Wegener, 1987). Note that every function $f^{(n)}_{3,c}$ has the following property: for every pair of variables $x_j$ and $x_k$, $f^{(n)}_{3,c}$ has at least three different restrictions among the four possible assignments of values to $x_j$ and $x_k$; this is easy to see since different assignments of $x_j$ and $x_k$ give three different values of $x_j + x_k$, resulting in functions with three different constants: $f^{(n-2)}_{3,0}$, $f^{(n-2)}_{3,1}$, and $f^{(n-2)}_{3,2}$. Now consider the topmost gate in some topological order on the optimal circuit computing $f^{(n)}_{3,c}$. Since it is topmost, there are two variables, say $x_j$ and $x_k$, that come to this gate as inputs. At least one of these variables enters at least one other gate because otherwise, $f^{(n)}_{3,c}$ would depend only on $x_j \oplus x_k$ and not on $x_j$ and $x_k$ separately, giving rise to only two possible subfunctions among the four restrictions. Therefore, there exists a variable that enters at least two gates, and by setting this variable to a constant we eliminate at least two gates from the circuit. It remains to note that setting a variable to a constant transforms $f^{(n)}_{3,c}$ into $f^{(n-1)}_{3,c'}$, and we can invoke the induction hypothesis.
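The property that drives this argument is easy to confirm by brute force for small *n*. The following sketch (our illustration, not part of the original proof) enumerates all pairs of variables and counts the distinct restrictions of $f^{(n)}_{3,c}$:

```python
import itertools

def f3(n, c):
    """Truth table of f^(n)_{3,c}: ((x_1 + ... + x_n + c) mod 3) mod 2."""
    return {x: ((sum(x) + c) % 3) % 2 for x in itertools.product((0, 1), repeat=n)}

def restriction(f, n, j, k, vj, vk):
    """Truth table of f with x_j = vj, x_k = vk, as a function of the other variables."""
    others = [i for i in range(n) if i not in (j, k)]
    table = []
    for rest in itertools.product((0, 1), repeat=n - 2):
        x = [0] * n
        for pos, v in zip(others, rest):
            x[pos] = v
        x[j], x[k] = vj, vk
        table.append(f[tuple(x)])
    return tuple(table)

n = 5
for c in range(3):
    f = f3(n, c)
    for j, k in itertools.combinations(range(n), 2):
        tables = {restriction(f, n, j, k, vj, vk)
                  for vj, vk in itertools.product((0, 1), repeat=2)}
        assert len(tables) >= 3  # at least three distinct restrictions per pair
print("every pair of variables yields at least three distinct restrictions")
```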

### **3.2 Gate elimination for feebly secure one-way functions**

The following very simple argument is due to Lamagna and Savage; this argument actually suffices for all Hiltgen's linear examples.

**Proposition 6** ((Lamagna & Savage, 1973; Savage, 1976); (Hiltgen, 1992, Theorems 3 and 4))**.**

*1. Suppose that* $f : \mathbf{B}^n \to \mathbf{B}$ *depends non-idly on each of its n variables, that is, for every i there exist values* $a_1, \dots, a_{i-1}, a_{i+1}, \dots, a_n \in \mathbf{B}$ *such that*

$$f(a\_1, \ldots, a\_{i-1}, 0, a\_{i+1}, \ldots, a\_n) \neq f(a\_1, \ldots, a\_{i-1}, 1, a\_{i+1}, \ldots, a\_n). \tag{12}$$

*Then C*(*f*) ≥ *n* − 1.

*2. Let* $f = (f^{(1)}, \dots, f^{(m)}) : \mathbf{B}^n \to \mathbf{B}^m$*, where* $f^{(k)}$ *is the k*th *component of f. If the m component functions* $f^{(i)}$ *are pairwise different and each of them satisfies* $C(f^{(i)}) \ge c \ge 1$ *then* $C(f) \ge c + m - 1$*.*

*Proof.* 1. Consider the minimal circuit of size *s* computing *f*. Since *f* depends (here and in what follows we say "depends" meaning "depends nontrivially") on all *n* of its variables, each input gate must have at least one outgoing edge. Since the circuit is minimal, each of the other gates, except possibly the output, also must have at least one outgoing edge. Therefore, the circuit has at least $s + n - 1$ edges. On the other hand, a circuit with *s* binary gates cannot have more than $2s$ edges. Therefore, $2s \ge s + n - 1$.

2. Consider a circuit computing *f*. Note that it has at least $c - 1$ gates that do not compute any function of circuit complexity *c* or more (they are the first $c - 1$ gates in some topological order). However, to compute any component function $f^{(i)}$ we have to add at least one more gate, and we have to add at least one gate for each component, since every new gate adds only one new function. Thus, we get the necessary bound of $c + m - 1$ gates.



Hiltgen counted the minimal complexity of computing one bit of the input (e.g., since each row of $A^{-1}$ has at least $n/2$ nonzero entries, the minimal complexity of each component of $A^{-1}\vec{y}$ is $n/2$) and thus produced lower bounds on the complexity of inverting the function (e.g., the complexity of computing $A^{-1}\vec{y}$ is $n/2 + n - 2 = 3n/2 - 2$).

Besides, in cryptography it is generally desirable to prove not only worst-case bounds, but also that an adversary is unable to invert the function on a substantial fraction of inputs. In Hiltgen's works, this fact followed from a very simple observation (which was not even explicitly stated).

**Lemma 7.** *Consider the function* $f = \bigoplus_{i=1}^{n} x_i$*. For any g that depends on only* $m < n$ *of these variables,*

$$\Pr_{x_1, \dots, x_n}\left[ f(x_1, \dots, x_n) = g(x_{i_1}, \dots, x_{i_m}) \right] = \frac{1}{2}. \tag{13}$$

*Proof.* Since $m < n$, there exists an index $j \in \{1, \dots, n\}$ such that $g$ does not depend on $x_j$. This means that for every set of values of the other variables, whatever the value of $g$ is, for one of the values of $x_j$ the function $f$ coincides with $g$, and on the other value $f$ differs from $g$. This means that $f$ differs from $g$ on precisely $1/2$ of the inputs.

This argument suffices for Hiltgen's feebly one-wayness result for the square matrix $A^{-1}$: first we apply the first part of Proposition 6 and see that every output has complexity at least $n/2 - 1$, and then the second part of Proposition 6 yields the necessary bound of $3n/2 - 1$. Moreover, if a circuit has less than the necessary number of gates, one of its outputs inevitably depends on less than the necessary number of input variables, which, by Lemma 7, gives the necessary $1/2$ error rate.
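Lemma 7 itself can also be sanity-checked exhaustively for small *n*. The sketch below (illustrative only) runs over every function *g* of every proper subset of the variables and confirms that it agrees with the parity *f* on exactly half of the inputs:

```python
import itertools

n = 3
inputs = list(itertools.product((0, 1), repeat=n))
parity = {x: sum(x) % 2 for x in inputs}  # f = x_1 xor ... xor x_n

for m in range(n):  # g may use only m < n of the variables
    for subset in itertools.combinations(range(n), m):
        points = list(itertools.product((0, 1), repeat=m))
        for table in itertools.product((0, 1), repeat=2 ** m):
            g = dict(zip(points, table))  # an arbitrary function of the chosen variables
            agree = sum(parity[x] == g[tuple(x[i] for i in subset)] for x in inputs)
            assert agree == len(inputs) // 2  # f and g agree on exactly half the inputs
print("Lemma 7 checked exhaustively for n =", n)
```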

### **3.3 Gate elimination for linear functions**

In this section, we deal with gate elimination for *linear* functions. We do not know how to prove that one cannot, in general, produce a smaller circuit for a linear function with nonlinear gates, but it is evident that we cannot assume any gates to be nonlinear in this setting. Thus, gate elimination distills to two very simple ideas. Idea 1 is trivial and has been noted many times before, while Idea 2 will allow us to devise feebly secure constructions in Section 4.

Since we are dealing with linear functions, we will, for convenience, state our results in terms of matrices over $\mathbf{F}_2$; the circuit complexity of a matrix $C_\alpha(A)$ is the circuit complexity of the corresponding linear function. By $A_{-i}$ we denote the matrix $A$ without its $i$th column; note that if $A$ corresponds to $f$ then $A_{-i}$ corresponds to $f|_{x_i=0}$. If a matrix $A$ has a zero column $A_i$, it means that the corresponding function does not depend on the input $x_i$; in what follows, we will always assume that functions depend nontrivially on all their inputs and thus the matrices do not have zero columns; we call such matrices *nontrivial*. Note that if $A$ is a submatrix of $B$ then $C_\alpha(A) \le C_\alpha(B)$ for all $\alpha \in [0, 1]$.
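In code, the convention that $A_{-i}$ corresponds to $f|_{x_i=0}$ amounts to deleting a column. A small illustrative sketch (the representation, with each row stored as the set of its nonzero column indices, is our own):

```python
def apply_matrix(A, x):
    """Evaluate the linear map over F_2; each row of A is the set of its nonzero columns."""
    return [sum(x[i] for i in row) % 2 for row in A]

def delete_column(A, i):
    """A_{-i}: drop column i and renumber the columns to its right."""
    return [{j if j < i else j - 1 for j in row if j != i} for row in A]

# f(x_0, x_1, x_2) = (x_0 + x_1, x_1 + x_2) over F_2
A = [{0, 1}, {1, 2}]
for x in [(0, 0, 0), (1, 0, 1), (1, 1, 0), (0, 1, 1)]:
    with_zero = apply_matrix(A, [x[0], 0, x[2]])              # f with x_1 fixed to 0
    dropped = apply_matrix(delete_column(A, 1), [x[0], x[2]])
    assert with_zero == dropped                               # A_{-1} computes f|_{x_1=0}
print("A_{-i} agrees with f restricted to x_i = 0")
```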

*Idea 1. Suppose that for n steps, there is at least one gate to eliminate. Then C*(*f*) ≥ *n.*

**Theorem 8.** *Fix a real number* $\alpha \in [0, 1]$*. Suppose that* $\mathcal{P} = \{P_n\}_{n=1}^{\infty}$ *is a series of predicates defined on matrices over* $\mathbf{F}_2$ *with the following properties:*

- *if* $P_1(A)$ *holds then* $C_\alpha(A) \ge 1$*;*
- *if* $P_n(A)$ *holds then* $P_m(A)$ *holds for every* $1 \le m \le n$*;*
- *if* $P_n(A)$ *holds then, for every index* $i$*,* $P_{n-1}(A_{-i})$ *holds.*
*Then, for every matrix* $A$ *with* $\ge n + 1$ *columns, if* $P_n(A)$ *holds then* $C_\alpha(A) \ge n$*.*

*Proof.* The proof goes by straightforward induction on the index of $P_i$; the first property of $\mathcal{P}$ provides the base, and the other properties take care of the induction step. For the induction step, consider the first gate of an optimal circuit $C$ implementing $A$. By the monotonicity property of $\mathcal{P}$ and the induction base, the circuit is nontrivial, so there is a first gate. Consider a variable $x_i$ entering that gate. Note that if $C$ computes $f$ on a fraction $\alpha$ of its inputs then for some $c$, $C|_{x_i=c}$ computes $f|_{x_i=c}$ on a fraction $\alpha$ of its inputs. If we substitute this value into this variable, we get a circuit $C|_{x_i=c}$ that has at most $\mathrm{size}(C) - 1$ gates and implements $A_{-i}$ on at least an $\alpha$ fraction of inputs.

Note that the first statement of Proposition 6 is a special case of Theorem 8 for *Pn*(*A*) = "*A* has a row with *n* + 1 ones". We also derive another corollary.

**Corollary 9.** *If A is a matrix of rank n, and each column of A has at least two ones, then C*(*A*) ≥ *n* − 2*.*

*Proof.* Take *Pn*(*A*) ="rank(*A*) ≥ *n* + 2 and each column of *A* has at least 2 ones".

*Idea 2. Suppose that for n steps, there exists an input in the circuit with two outgoing edges, and, moreover, in m of these cases both of these edges go to a gate* (*rather than a gate and an output*)*. Then C*(*f*) ≥ *n* + *m.*

**Theorem 10.** *We call a nonzero entry* unique *if it is the only nonzero entry in its row. Fix a real number* $\alpha \in [0, 1]$*. Suppose that* $\mathcal{P} = \{P_n\}_{n=1}^{\infty}$ *is a series of predicates defined on matrices over* $\mathbf{F}_2$ *with the following properties:*

- *if* $P_1(A)$ *holds then* $C(A) \ge 1$*;*
- *if* $P_n(A)$ *holds then* $P_m(A)$ *holds for every* $1 \le m \le n$*;*
- *if* $P_n(A)$ *holds then, for every index* $i$*, if the* $i$th *column has no unique entries then* $P_{n-2}(A_{-i})$ *holds, otherwise* $P_{n-1}(A_{-i})$ *holds.*

*Then, for every matrix* $A$ *with* $\ge n + 1$ *different columns, if* $P_n(A)$ *holds for some* $n$ *then* $C(A) \ge n$ *and, moreover,* $C_{3/4}(A) \ge n$*.*

*Proof.* We argue by induction on *n*; for *n* = 1 the statement is obvious.

Consider the first gate *g* in the optimal circuit implementing *A*. Since *g* is first, its incoming edges come from the inputs of the circuit; we denote them by *xi* and *xj*. There are three possible cases.

1. One of the input variables of $g$, say $x_i$, goes directly to an output $y_k$. Then by setting $x_i$ to a constant we can eliminate one gate. However, in this case $y_k$ corresponds to a row with only one nonzero element, so the $i$th column has a unique entry, and $P_{n-1}(A_{-i})$ holds. Therefore, we invoke the induction hypothesis as $C(A_{-i}) \ge n - 1$ and get the necessary bound.

2. One of the input variables of $g$, say $x_i$, goes to another gate. Then by setting $x_i$ to a constant we can eliminate two gates, and by the properties of $\mathcal{P}$, $P_{n-2}(A_{-i})$ holds, so we invoke the induction hypothesis as $C(A_{-i}) \ge n - 2$.

3. Neither $x_i$ nor $x_j$ enters any other gate or output. In this case, $A$ is a function of neither $x_i$ nor $x_j$ but only $g(x_i, x_j)$; we show that this cannot be the case for a function computing $A$ on more than $3/4$ of the inputs. $A$ itself depends on $x_i$ and $x_j$ separately because all of its columns are different; in particular, for one of these variables, say $x_i$, there exists an output $y_k$ that depends only on $x_i$: $y_k = x_i \oplus \bigoplus_{x \in X} x$, where $x_j \notin X$. On the other hand, since every gate in an optimal circuit nontrivially depends on both inputs, there exist values $a$ and $b$ such that $g(0, a) = g(1, b)$. Thus, for every assignment of the remaining variables, either on input strings with $(x_i = 0, x_j = a)$ or on input strings with $(x_i = 1, x_j = b)$ the circuit makes a mistake, which makes it wrong on at least $1/4$ of all inputs.

Note that Theorem 10 directly generalizes and strengthens Theorem 8.

**Corollary 11.** *Fix a real number* $\alpha \in [0, 1]$*. Suppose that* $\mathcal{R} = \{R_n\}_{n=1}^{\infty}$ *and* $\mathcal{Q} = \{Q_m\}_{m=1}^{\infty}$ *are two series of predicates defined on matrices over* $\mathbf{F}_2$ *with the following properties:*

- *if* $R_1(A)$ *holds then* $C(A) \ge 1$*;*
- *if* $R_n(A)$ *holds then* $R_k(A)$ *holds for every* $1 \le k \le n$*;*
- *if* $R_n(A)$ *holds then, for every* $i$*,* $R_{n-1}(A_{-i})$ *holds;*
- *if* $Q_1(A)$ *holds then* $C(A) \ge 1$*;*
- *if* $Q_m(A)$ *holds then* $Q_k(A)$ *holds for every* $1 \le k \le m$*;*
- *if* $Q_m(A)$ *holds then, for every* $i$*,* $Q_{m-1}(A_{-i})$ *holds;*
- *if* $Q_m(A)$ *holds and* $A_{-i}$ *has more zero rows than* $A$ (*i.e., removing the* $i$th *column has removed the last nonzero element from at least one row*) *then* $Q_m(A_{-i})$ *holds.*
*Then, for every matrix* $A$ *with* $\ge n + 1$ *columns all of which are different, if* $R_n(A)$ *and* $Q_m(A)$ *hold for some* $n \ge m$ *then* $C(A) \ge n + m$ *and, moreover,* $C_{3/4}(A) \ge n + m$*.*

*Proof.* Immediately follows from Theorem 10 for $P_n(A) = \exists k\,(R_k(A) \wedge Q_{n-k}(A))$.


Theorem 10 and Corollary 11 generalize several results that have been proven independently. For example, here is the "master lemma" of the original paper on feebly trapdoor functions.

**Corollary 12** ( (Hirsch & Nikolenko, 2009, Lemma 5) )**.** *Let t*, *u* ≥ 1*. Assume that χ is a linear function with matrix A over* **F**2*. Assume also that all columns of A are different, every row of A has at least u nonzero entries, and after removing any t columns of A, the matrix still has at least one row containing at least two nonzero entries. Then C*(*χ*) ≥ *u* + *t and, moreover, C*3/4(*χ*) ≥ *u* + *t.*

*Proof.* Take *Pn*(*A*) ="After removing any *n* columns of *A*, it still has at least one nonzero row", *Q*0(*A*) ="true", and *Qm*(*A*) ="Every row of *A* has at least *m* + 1 ones" for *m* > 0. Then *Pt*+1(*A*) and *Qu*−1(*A*) hold, and P and Q satisfy the conditions of Corollary 11, which gives the desired bound. Note that in this case, *Qm* for *m* > 0 cannot hold for a matrix where a row has only a single one, so in the gate elimination proof, for the first *u* − 1 steps two gates will be eliminated, and then for *t* − *u* + 2 steps, one gate will be eliminated.

We also derive another, even stronger corollary that will be important for new feebly secure constructions.

**Corollary 13.** *Let* $t \ge u \ge 2$*. Assume that* $A$ *is a* $u \times t$ *matrix with different columns, and each column of* $A$ *has at least two nonzero elements (ones). Then* $C(A) \ge 2t - u$ *and, moreover,* $C_{3/4}(A) \ge 2t - u$*.*

*Proof.* Take $P_n(A)$ = "twice the number of nonzero columns in $A$ less the number of nonzero rows in $A$ is at least $n$". Then $P_{2t-u}(A)$ holds, and the $P_n$ satisfy the conditions of Theorem 10.

Naturally, we could prove Corollaries 9 and 13 directly. We have chosen the path of generalization for two reasons: one, to make Theorem 14 more precise and more general, and two, to show the limits of gate elimination for linear functions. As we have already mentioned, for linear functions we cannot count on nonlinear gates that could eliminate their descendants. In Theorems 8 and 10, we have considered two basic cases: when there is only one edge outgoing from a variable and when there are two edges (going either to two gates or to a gate and an output). It appears that we can hardly expect anything more from classical gate elimination in the linear case.

### **3.4 Extension to block diagonal matrices**

We finish this section with an extension of these results to block diagonal matrices. In general, we cannot prove that the direct sum of several functions has circuit complexity equal to the sum of the circuit complexities of these functions; counterexamples are known as "mass production" (Wegener, 1987). However, for linear functions and gate elimination in the flavours of Theorems 8 and 10, we can. The following theorem generalizes Lemma 6 of (Hirsch & Nikolenko, 2009).

**Theorem 14.** *Suppose that a linear function χ is given by a block diagonal matrix*

$$\begin{pmatrix} A_1 & 0 & \cdots & 0 \\ 0 & A_2 & \cdots & 0 \\ \vdots & \vdots & & \vdots \\ 0 & 0 & \cdots & A_k \end{pmatrix}, \tag{14}$$


*every* $A_j$ *satisfies the conditions of Theorem 10 with predicates* $\mathcal{P}^j = \{P^j_n\}_{n=1}^{\infty}$*, and* $P^j_{n_j}(A_j)$ *hold for every* $j$*. Then* $C(\chi) \ge \sum_{j=1}^{k} n_j$*.*

*Proof.* We invoke Theorem 10 with the predicate composed of original predicates:

$$P\_n = \bigvee\_{i\_1+...+i\_k=n} P\_{i\_1}^1 \wedge P\_{i\_2}^2 \wedge ... \wedge P\_{i\_k}^k. \tag{15}$$

It is now straightforward to check that $\mathcal{P} = \{P_n\}_{n=1}^{\infty}$ satisfies the conditions of Theorem 10 (since every deleted column affects only one block), and the block diagonal matrix satisfies $P_{n_1 + \dots + n_k}$.

### **4. Feebly secure trapdoor functions**

### **4.1 Idea of the construction**

In this section, we present two constructions of feebly secure trapdoor functions, a linear construction and a nonlinear one. Both of them have the same rather peculiar structure. It turns out that when we directly construct a feebly secure candidate trapdoor function such that an adversary has to spend more time inverting it than honest participants do, we will not be able to make encoding (i.e., function evaluation) faster than inversion. In fact, evaluation will take *more* time than even an adversary requires to invert our candidates.

To achieve a feebly secure trapdoor function, we will add another block as a direct sum to that candidate. This block will represent a feebly secure one-way function, one of the constructions presented by Hiltgen (1992; 1994; 1998). In this construction, honest inversion and break are exactly the same since there is no secret key at all; nevertheless, both of them are harder than evaluating the function. Thus, in the resulting block diagonal construction break remains harder than honest inversion but they both gain in complexity over function evaluation. This idea was first presented by Hirsch & Nikolenko (2009) and has been used since in every feebly secure trapdoor function.

### **4.2 Linear feebly secure trapdoor functions**

This section is based on (Davydow & Nikolenko, 2011). Let us first introduce some notation. By *Un* we denote an upper triangular matrix of size *n* × *n* which is inverse to a bidiagonal matrix:

$$U_n = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 0 & 1 & \cdots & 1 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 \end{pmatrix}, \qquad U_n^{-1} = \begin{pmatrix} 1 & 1 & 0 & \cdots & 0 \\ 0 & 1 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \end{pmatrix};$$

note that $U_n^2$ is an upper triangular matrix with zeros and ones chequered above the main diagonal. We will often use matrices composed of smaller matrices as blocks; for instance, $(U_n\ U_n)$ is a matrix of size $n \times 2n$ composed of two upper triangular blocks.
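These algebraic facts are easy to verify mechanically for small *n*. The following sketch (illustrative; numpy is used only for integer matrix arithmetic) checks that the bidiagonal matrix is indeed $U_n^{-1}$ over $\mathbf{F}_2$ and that $U_n^2$ is chequered:

```python
import numpy as np

def U(n):
    """The upper triangular all-ones matrix U_n."""
    return np.triu(np.ones((n, n), dtype=int))

def U_inverse(n):
    """Ones on the main diagonal and the first superdiagonal (bidiagonal)."""
    return np.eye(n, dtype=int) + np.eye(n, k=1, dtype=int)

n = 6
assert ((U(n) @ U_inverse(n)) % 2 == np.eye(n, dtype=int)).all()  # inverse over F_2
U2 = (U(n) @ U(n)) % 2
for i in range(n):
    for j in range(i, n):
        # entry (i, j) of U_n^2 counts the indices between i and j, taken mod 2
        assert U2[i, j] == (j - i + 1) % 2
print("U_n^{-1} is bidiagonal and U_n^2 is chequered for n =", n)
```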

**Lemma 15.** *1.* $C_{3/4}(U_n) = n - 1$*.*
*2.* $C_{3/4}(U_n^2) = n - 2$*.*
*3.* $C_{3/4}(U_n^{-1}) = n - 1$*.*
*4.* $C_{3/4}((U_n\ U_n)) = 2n - 1$*.*
*5.* $3n - 6 \le C_{3/4}((U_n^2\ U_n)) \le C((U_n^2\ U_n)) \le 3n - 3$*.*
*6.* $3n - 4 \le C_{3/4}((U_n\ U_n^{-1})) \le C((U_n\ U_n^{-1})) \le 3n - 2$*.*


*Proof.* Lower bounds in items 1–3 are obvious: the matrices have no identical rows, and not a single input except one (two for item 2) is linked directly to an output. The lower bound in item 4 follows by simple counting: the first row of the matrix contains $2n$ nonzero elements, so at least $2n - 1$ gates are needed to compute it. The lower bound from item 5 (respectively, 6) follows from Corollary 13: the matrix $(U_n^2\ U_n)$ (respectively, $(U_n\ U_n^{-1})$) satisfies the assumptions of Corollary 13 for all except three (respectively, two) columns, and we can use Corollary 13 for $t = 2n - 3$ (respectively, $t = 2n - 2$) and $u = n$.

To prove upper bounds, we give direct constructions. To compute the matrix from item 1, note that each row differs from the previous one in only one position, so we can compute the outputs as $\mathrm{out}_i = \mathrm{out}_{i+1} \oplus \mathrm{in}_i$. Moreover, $\mathrm{out}_n = \mathrm{in}_n$, so we do not need more gates to compute it. The same idea works for item 2, but in this case, $\mathrm{out}_n$ and $\mathrm{out}_{n-1}$ are computed immediately, and $\mathrm{out}_i = \mathrm{out}_{i+2} \oplus \mathrm{in}_i$. To compute the matrix from item 3, we compute each row directly. To compute item 4, we note that $(U_n\ U_n) \cdot \binom{a}{b} = U_n a \oplus U_n b = U_n (a \oplus b)$. Thus, we can use $n$ gates to compute $a \oplus b$ and then get the result with $n - 1$ more gates. To compute items 5 and 6, note that $(A\ B) \cdot \binom{a}{b} = A a \oplus B b$. Thus, we have divided the computation in two parts that can be done independently with previously shown circuits, and then we can use $n$ gates to XOR the results of these subcircuits.
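The construction for item 1, for instance, is just a suffix XOR. A short sketch (our illustration) computes $U_n \cdot x$ this way and counts the XOR gates used:

```python
import itertools

def mul_U(x):
    """Compute U_n * x over F_2 as a suffix XOR, using exactly n - 1 gates."""
    n = len(x)
    out = [0] * n
    out[n - 1] = x[n - 1]           # out_n = in_n: no gate needed
    gates = 0
    for i in range(n - 2, -1, -1):
        out[i] = out[i + 1] ^ x[i]  # one XOR gate per remaining output
        gates += 1
    return out, gates

n = 5
for x in itertools.product((0, 1), repeat=n):
    out, gates = mul_U(x)
    assert out == [sum(x[i:]) % 2 for i in range(n)]  # row i of U_n sums x_i .. x_n
    assert gates == n - 1
print("U_n * x computed with n - 1 XOR gates")
```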

We use the general idea outlined in Section 4.1. In the first construction, we assume that the lengths of the public key $pi$, secret key $ti$, message $m$, and ciphertext $c$ are the same and equal $n$. Let $ti = U_n \cdot pi$ and $c = (U_n^{-1}\ U_n) \cdot \binom{m}{pi}$. In this case, an adversary will have to compute the matrix $(U_n\ U_n) \cdot \binom{c}{ti} = (U_n\ U_n^2) \cdot \binom{c}{pi}$. Thus, breaking this trapdoor function is harder than honest inversion, but the evaluation complexity is approximately equal to the complexity of the break, so we cannot yet call this function a feebly secure trapdoor function.

To augment this construction, consider a weakly one-way linear function *A* and use it in the following protocol (by *In* we denote the unit matrix of size *n*):

$$\begin{aligned} \mathrm{Seed}_n &= \begin{pmatrix} U_n & 0 \\ 0 & I_n \end{pmatrix} \cdot \begin{pmatrix} s \\ s \end{pmatrix} = \begin{pmatrix} ti \\ pi \end{pmatrix}, \\ \mathrm{Eval}_n &= \begin{pmatrix} U_n^{-1} & U_n & 0 \\ 0 & 0 & A \end{pmatrix} \cdot \begin{pmatrix} m_1 \\ pi \\ m_2 \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \end{pmatrix}, \\ \mathrm{Inv}_n &= \begin{pmatrix} U_n & U_n & 0 \\ 0 & 0 & A^{-1} \end{pmatrix} \cdot \begin{pmatrix} c_1 \\ ti \\ c_2 \end{pmatrix} = \begin{pmatrix} m_1 \\ m_2 \end{pmatrix}. \end{aligned}$$

An adversary is now supposed to compute

$$\mathrm{Adv}_n = \begin{pmatrix} U_n & U_n^2 & 0 \\ 0 & 0 & A^{-1} \end{pmatrix} \cdot \begin{pmatrix} c_1 \\ pi \\ c_2 \end{pmatrix} = \begin{pmatrix} m_1 \\ m_2 \end{pmatrix}.$$
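The bookkeeping of this protocol can be checked mechanically. In the sketch below (illustrative; we substitute $A = U_k$ simply to have some invertible matrix at hand, whereas the actual construction takes a Hiltgen matrix), both the honest inverter and the adversary recover the message:

```python
import numpy as np

def U(n):
    return np.triu(np.ones((n, n), dtype=int))

def U_inverse(n):
    return np.eye(n, dtype=int) + np.eye(n, k=1, dtype=int)

n, k = 4, 3                       # k plays the role of the dimension lambda*n of A
A, A_inv = U(k), U_inverse(k)     # stand-in for Hiltgen's matrix

rng = np.random.default_rng(0)
for _ in range(100):
    s = rng.integers(0, 2, n)
    m1, m2 = rng.integers(0, 2, n), rng.integers(0, 2, k)
    ti, pi = (U(n) @ s) % 2, s                    # Seed_n
    c1 = (U_inverse(n) @ m1 + U(n) @ pi) % 2      # Eval_n, first block
    c2 = (A @ m2) % 2                             # Eval_n, second block
    inv1 = (U(n) @ c1 + U(n) @ ti) % 2            # Inv_n uses the trapdoor ti
    adv1 = (U(n) @ c1 + U(n) @ U(n) @ pi) % 2     # Adv_n uses only the public pi
    assert (inv1 == m1).all() and (adv1 == m1).all()
    assert ((A_inv @ c2) % 2 == m2).all()         # the A block is inverted directly
print("Inv_n and Adv_n both recover (m1, m2)")
```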

*4.* $C_{3/4}((U_n \; U_n)) = 2n - 1$.

*5.* $3n - 6 \le C_{3/4}((U_n^2 \; U_n)) \le C((U_n^2 \; U_n)) \le 3n - 3$.

*6.* $3n - 4 \le C_{3/4}((U_n \; U_n^{-1})) \le C((U_n \; U_n^{-1})) \le 3n - 2$.

*Proof.* Lower bounds in items 1–3 are obvious: the matrices have no identical rows, and not a single input except one (two for item 2) is linked directly to an output. The lower bound in item 4 follows by simple counting: the first row of the matrix contains $2n$ nonzero elements, so at least $2n - 1$ gates are needed to compute it. The lower bound from item 5 (respectively, 6) follows from Corollary 13: the matrix $(U_n^2 \; U_n)$ (respectively, $(U_n \; U_n^{-1})$) satisfies the assumptions of Corollary 13 for all except three (respectively, two) columns, and we can use Corollary 13 for $t = 2n - 3$ (respectively, $t = 2n - 2$) and $u = n$.

To prove upper bounds, we give direct constructions. To compute the matrix from item 1, note that each row differs from the previous one in only one position, so we can compute the outputs as $\mathrm{out}_i = \mathrm{out}_{i+1} \oplus \mathrm{in}_i$. Moreover, $\mathrm{out}_n = \mathrm{in}_n$, so we do not need more gates to compute it. The same idea works for item 2, but in this case, $\mathrm{out}_n$ and $\mathrm{out}_{n-1}$ are computed immediately, and $\mathrm{out}_i = \mathrm{out}_{i-2} \oplus \mathrm{in}_i$. To compute the matrix from item 3, we compute each row directly. To compute item 4, we note that

$$(U_n \; U_n) \cdot \begin{pmatrix} a \\ b \end{pmatrix} = U_n \cdot a \oplus U_n \cdot b = U_n \cdot (a \oplus b).$$

Thus, we can use $n$ gates to compute $a \oplus b$ and then get the result with $n - 1$ more gates. To compute items 5 and 6, note that $(A \; B) \cdot \binom{a}{b} = A \cdot a \oplus B \cdot b$. Thus, we have divided the computation in two parts that can be done independently with previously shown circuits, and then we can use $n$ gates to XOR the results of these subcircuits.

We use the general idea outlined in Section 4.1. In the first construction, we assume that the lengths of the public key $pi$, secret key $ti$, message $m$, and ciphertext $c$ are the same and equal $n$. Let $ti = U_n \cdot pi$ and

$$c = (U_n^{-1} \; U_n) \cdot \begin{pmatrix} m \\ pi \end{pmatrix}.$$

Honest inversion is given by the matrix $(U_n \; U_n) \cdot \binom{c}{ti}$; an adversary is now supposed to compute $(U_n \; U_n^2) \cdot \binom{c}{pi}$. Thus, breaking this trapdoor function is harder than honest inversion, but the evaluation complexity is approximately equal to the complexity of the break, so we cannot yet call this function a feebly secure trapdoor function.

To augment this construction, consider a weakly one-way linear function $A$ and use it in the following protocol (by $I_n$ we denote the unit matrix of size $n$):

$$\mathrm{Seed}_n = \begin{pmatrix} U_n & 0 \\ 0 & I_n \end{pmatrix}, \qquad \begin{pmatrix} U_n & 0 \\ 0 & I_n \end{pmatrix} \cdot \begin{pmatrix} s \\ s \end{pmatrix} = \begin{pmatrix} ti \\ pi \end{pmatrix},$$

$$\mathrm{Eval}_n = \begin{pmatrix} U_n^{-1} & U_n & 0 \\ 0 & 0 & A \end{pmatrix}, \qquad \begin{pmatrix} U_n^{-1} & U_n & 0 \\ 0 & 0 & A \end{pmatrix} \cdot \begin{pmatrix} m_1 \\ pi \\ m_2 \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \end{pmatrix},$$

$$\mathrm{Inv}_n = \begin{pmatrix} U_n & U_n & 0 \\ 0 & 0 & A^{-1} \end{pmatrix}, \qquad \begin{pmatrix} U_n & U_n & 0 \\ 0 & 0 & A^{-1} \end{pmatrix} \cdot \begin{pmatrix} c_1 \\ ti \\ c_2 \end{pmatrix} = \begin{pmatrix} m_1 \\ m_2 \end{pmatrix},$$

$$\mathrm{Adv}_n = \begin{pmatrix} U_n & U_n^2 & 0 \\ 0 & 0 & A^{-1} \end{pmatrix}, \qquad \begin{pmatrix} U_n & U_n^2 & 0 \\ 0 & 0 & A^{-1} \end{pmatrix} \cdot \begin{pmatrix} c_1 \\ pi \\ c_2 \end{pmatrix} = \begin{pmatrix} m_1 \\ m_2 \end{pmatrix}.$$
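To make the protocol concrete, here is a toy Python sketch of the first (unaugmented) construction over GF(2); the augmented protocol simply runs a Hiltgen block $A$ alongside it, which we omit. This is a sketch under our own reading of the notation: we take $U_n$ to be the upper triangular all-ones matrix, consistent with the recurrence $\mathrm{out}_i = \mathrm{out}_{i+1} \oplus \mathrm{in}_i$ in the proof above, and the naive matrix products below say nothing about gate counts.

```python
import numpy as np

n = 8
Un = np.triu(np.ones((n, n), dtype=np.uint8))      # our reading of U_n
# Inverse of U_n over GF(2): the identity plus the superdiagonal.
Uinv = np.eye(n, dtype=np.uint8) + np.eye(n, k=1, dtype=np.uint8)
assert ((Un @ Uinv) % 2 == np.eye(n, dtype=np.uint8)).all()

rng = np.random.default_rng(0)
pi = rng.integers(0, 2, n, dtype=np.uint8)         # public key (the seed s)
ti = (Un @ pi) % 2                                 # trapdoor key: ti = U_n pi
m = rng.integers(0, 2, n, dtype=np.uint8)          # message

c = ((Uinv @ m) + (Un @ pi)) % 2                   # c = (U_n^{-1} U_n) (m; pi)

m_honest = ((Un @ c) + (Un @ ti)) % 2              # (U_n U_n) (c; ti)
m_adv = ((Un @ c) + (Un @ Un @ pi)) % 2            # (U_n U_n^2) (c; pi)
assert (m_honest == m).all() and (m_adv == m).all()
```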

As a feebly one-way function $A$ we take one of Hiltgen's functions with order of security $2 - \epsilon$ that have been constructed for every $\epsilon > 0$ Hiltgen (1992); we take the matrix of this function to have order $\lambda n$, where $\lambda$ will be chosen below. For such a matrix, $C_{3/4}(A) = \lambda n + o(n)$ and $C_{3/4}(A^{-1}) = (2 - \epsilon)\lambda n + o(n)$. Now Lemma 15 and Theorem 14 yield the following complexity bounds:

$$\begin{aligned} C_{3/4}(\mathrm{Seed}_n) &= n - 1, \\ C_{3/4}(\mathrm{Eval}_n) &= 3n + \lambda n + o(n) = (3 + \lambda)n + o(n), \\ C_{3/4}(\mathrm{Inv}_n) &= 2n + (2 - \epsilon)\lambda n + o(n) = (2 + (2 - \epsilon)\lambda)n + o(n), \\ C_{3/4}(\mathrm{Adv}_n) &= 3n + (2 - \epsilon)\lambda n + o(n) = (3 + (2 - \epsilon)\lambda)n + o(n). \end{aligned}$$

The order of security for this protocol is

$$\lim_{n \to \infty} \min\left( \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Eval}_n)}, \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Inv}_n)}, \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Seed}_n)} \right) = \min\left( \frac{3 + (2 - \epsilon)\lambda}{3 + \lambda}, \frac{3 + (2 - \epsilon)\lambda}{2 + (2 - \epsilon)\lambda} \right)$$

(the ratio corresponding to $\mathrm{Seed}_n$ tends to $3 + (2 - \epsilon)\lambda$, which exceeds both of the other limits, so it drops out of the minimum).

This expression reaches its maximum for $\lambda = \frac{1}{1 - \epsilon}$, and this maximum equals $\frac{5 - 4\epsilon}{4 - 3\epsilon}$, which tends to $\frac{5}{4}$ as $\epsilon \to 0$. Thus, we have proven the following theorem.

**Theorem 16.** *For every $\epsilon > 0$, there exists a linear feebly secure trapdoor function with seed length $pi(n) = ti(n) = n$, input and output length $c(n) = m(n) = 2n$, and order of security $\frac{5}{4} - \epsilon$.*
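As a quick symbolic check of the optimization behind Theorem 16 (a sketch using the sympy library; the symbols follow the formulas above):

```python
import sympy as sp

lam, eps = sp.symbols('lambda epsilon')

# The two ratios whose minimum defines the order of security.
r1 = (3 + (2 - eps) * lam) / (3 + lam)               # Adv vs. Eval
r2 = (3 + (2 - eps) * lam) / (2 + (2 - eps) * lam)   # Adv vs. Inv

# r1 increases in lambda while r2 decreases, so the optimum is where
# the two denominators coincide.
opt = sp.solve(sp.Eq(3 + lam, 2 + (2 - eps) * lam), lam)[0]
print(sp.simplify(opt))              # equals 1/(1 - epsilon)
value = sp.simplify(r1.subs(lam, opt))
print(value)                         # equals (5 - 4*epsilon)/(4 - 3*epsilon)
print(sp.limit(value, eps, 0))       # 5/4
```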

### **4.3 Nonlinear feebly secure trapdoor functions**

Over the previous two sections, we have discussed *linear* feebly secure one-way functions. However, a *nonlinear* approach can yield better constants. This section is based on (Hirsch et al., 2011; Melanich, 2009).

Our nonlinear feebly trapdoor constructions are based on a feebly one-way function resulting from uniting Hiltgen's linear feebly one-way function with the first computationally asymmetric function of four variables (Massey, 1996). Consider a sequence of functions $\{f_n\}_{n=1}^{\infty}$ given by the following relations (we denote $y_j = f_j(x_1, \dots, x_n)$):

$$\begin{aligned} y_1 &= (x_1 \oplus x_2)x_n \oplus x_{n-1}, \\ y_2 &= (x_1 \oplus x_2)x_n \oplus x_2, \\ y_3 &= x_1 \oplus x_3, \\ y_4 &= x_3 \oplus x_4, \\ &\dots \\ y_{n-1} &= x_{n-2} \oplus x_{n-1}, \\ y_n &= x_n. \end{aligned} \tag{16}$$

In order to get $f_n^{-1}$, we sum up all rows except the last one:

$$y_1 \oplus \dots \oplus y_{n-1} = x_1 \oplus x_2. \tag{17}$$

Further, substituting $y_n$ for $x_n$, we find $x_2$ and $x_{n-1}$. The other $x_k$ can be expressed in turn via $x_{n-1}$, so the inverse function is given by

$$\begin{aligned} x_n &= y_n, \\ x_2 &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_2, \\ x_{n-1} &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_1, \\ x_{n-2} &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_1 \oplus y_{n-1}, \\ x_{n-3} &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_1 \oplus y_{n-1} \oplus y_{n-2}, \\ &\dots \\ x_3 &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_1 \oplus y_{n-1} \oplus \dots \oplus y_4, \\ x_1 &= (y_1 \oplus \dots \oplus y_{n-1}) y_n \oplus y_1 \oplus y_{n-1} \oplus \dots \oplus y_3. \end{aligned} \tag{18}$$
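Before proceeding to the one-wayness lemma, a quick sanity check that (16) and (18) are indeed mutually inverse (a toy sketch with our own helper names; we take $n \ge 5$ so that the pattern in (16) is unambiguous):

```python
import random

def f(x):
    """f_n from (16); x is a list of n >= 5 bits, x[0] standing for x_1."""
    n = len(x)
    t = (x[0] ^ x[1]) & x[n - 1]                      # (x_1 XOR x_2) x_n
    y = [t ^ x[n - 2], t ^ x[1], x[0] ^ x[2]]         # y_1, y_2, y_3
    y += [x[j - 1] ^ x[j] for j in range(3, n - 1)]   # y_4 ... y_{n-1}
    y.append(x[n - 1])                                # y_n
    return y

def f_inv(y):
    """f_n^{-1} from (18)."""
    n = len(y)
    s = 0
    for j in range(n - 1):          # s = y_1 XOR ... XOR y_{n-1}
        s ^= y[j]
    t = s & y[n - 1]                # the common product term in (18)
    x = [0] * n
    x[n - 1] = y[n - 1]             # x_n = y_n
    x[1] = t ^ y[1]                 # x_2
    acc = t ^ y[0]
    x[n - 2] = acc                  # x_{n-1}
    for k in range(n - 3, 1, -1):   # x_{n-2} down to x_3
        acc ^= y[k + 1]
        x[k] = acc
    x[0] = acc ^ y[2]               # x_1
    return x

random.seed(1)
for n in (5, 8, 33):
    x = [random.randint(0, 1) for _ in range(n)]
    assert f_inv(f(x)) == x
```

Note that `f_inv` performs exactly $2n - 2$ bit operations: $n - 1$ for $(y_1 \oplus \dots \oplus y_{n-1})y_n$ and one more per remaining component, matching the upper bound used in the proof of Lemma 17 below.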

**Lemma 17.** *The family of functions $\{f_n\}_{n=1}^{\infty}$ is feebly one-way of order 2.*

*Proof.* It is easy to see that $f_n$ can be computed in $n + 1$ gates. Each component function of $f_n^{-1}$, except for the last one, depends non-trivially on all $n$ variables, and all component functions are different. Therefore, to compute $f_n^{-1}$ we need at least $(n - 1) + (n - 2) = 2n - 3$ gates (since $f_n$ is invertible, Proposition 6 is applicable to $f_n$ and $f_n^{-1}$). Therefore,

$$M\_F(f\_n) \ge \frac{2n-3}{n+1}.\tag{19}$$

On the other hand, $f_n$ cannot be computed faster than in $n - 1$ gates because all component functions of $f_n$ are different, and only one of them is trivial (depends on only one variable). At the same time, $f_n^{-1}$ can be computed in $2n - 2$ gates: one computes $(y_1 \oplus \dots \oplus y_{n-1})y_n$ in $n - 1$ gates and spends one gate to compute each component function except the last one. We get

$$\frac{2n-3}{n+1} \le M\_F(f\_n) \le \frac{2n-2}{n-1},\tag{20}$$

which is exactly what we need.

For the proof of the following theorem, we refer to (Hirsch et al., 2011; Melanich, 2009).

**Theorem 18.** $C_{3/4}(f_n^{-1}) \ge 2n - 4$.

We can now apply the same direct sum idea to this nonlinear feebly one-way function. The direct sum consists of two blocks. First, for *f* as above, we have:

$$\begin{aligned} \mathrm{Key}_n(s) &= (f_n(s), s), \\ \mathrm{Eval}_n(pi, m) &= f_n^{-1}(pi) \oplus m, \\ \mathrm{Inv}_n(ti, c) &= f_n^{-1}(pi) \oplus c = ti \oplus c, \\ \mathrm{Adv}_n(pi, c) &= f_n^{-1}(pi) \oplus c. \end{aligned} \tag{21}$$

In this construction, evaluation is no easier than inversion without trapdoor.

For the second block we have

$$\begin{aligned} \mathrm{Eval}_n(m) &= f(m), \\ \mathrm{Inv}_n(c) &= f^{-1}(c), \\ \mathrm{Adv}_n(c) &= f^{-1}(c). \end{aligned} \tag{22}$$


Again, as above, it is not a trapdoor function at all because inversion is implemented with no regard for the trapdoor. For a message *m* of length |*m*| = *n* the evaluation circuit has *n* + 1 gates, while inversion, by Theorem 18, can be performed only by circuits with at least 2*n* − 4 gates. Thus, in this construction evaluation is easy and inversion is hard, both for an honest participant of the protocol and for an adversary.

We can now unite these two trapdoor candidates and get the following construction:

$$\begin{aligned} \mathrm{Key}_n(s) &= (f_n(s), s), \\ \mathrm{Eval}_n(pi, m_1, m_2) &= (f_n^{-1}(pi) \oplus m_1, \; f_{\alpha n}(m_2)), \\ \mathrm{Inv}_n(ti, c_1, c_2) &= (f_n^{-1}(pi) \oplus c_1, \; f_{\alpha n}^{-1}(c_2)) = (ti \oplus c_1, \; f_{\alpha n}^{-1}(c_2)), \\ \mathrm{Adv}_n(pi, c_1, c_2) &= (f_n^{-1}(pi) \oplus c_1, \; f_{\alpha n}^{-1}(c_2)). \end{aligned} \tag{23}$$

The proofs of lower bounds on these constructions are rather involved; we refer to (Hirsch et al., 2011; Melanich, 2009) for detailed proofs and simply give the results here.

**Lemma 19.** *The following upper and lower bounds hold for the components of our nonlinear trapdoor construction:*

$$\begin{aligned} C(\mathrm{Key}_n) &\le n + 1, \\ C(\mathrm{Eval}_n) &\le 2n - 2 + n + \alpha n + 1 = 3n + \alpha n - 1, \\ C(\mathrm{Inv}_n) &\le n + 2\alpha n - 2, \\ C_{3/4}(\mathrm{Adv}_n) &\ge 3n + 2\alpha n - 8. \end{aligned} \tag{24}$$

To maximize the order of security of this trapdoor function (Definition 5), we have to find *α* that maximizes

$$\liminf_{n \to \infty} \min\left\{ \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Key}_n)}, \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Eval}_n)}, \frac{C_{3/4}(\mathrm{Adv}_n)}{C(\mathrm{Inv}_n)} \right\} = \min\left\{ \frac{3 + 2\alpha}{1}, \frac{3 + 2\alpha}{3 + \alpha}, \frac{3 + 2\alpha}{1 + 2\alpha} \right\} = \min\left\{ \frac{3 + 2\alpha}{3 + \alpha}, \frac{3 + 2\alpha}{1 + 2\alpha} \right\}. \tag{25}$$

It is easy to see that this expression is maximized for $\alpha = 2$, and the optimal value of the order of security is $\frac{7}{5}$. We summarize this in the following theorem.

**Theorem 20.** *There exists a nonlinear feebly trapdoor function with seed length $pi(n) = ti(n) = n$, input and output length $c(n) = m(n) = 3n$, and order of security $\frac{7}{5}$.*
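For concreteness, a minimal sketch of construction (23) with $\alpha = 2$, reusing the `f` and `f_inv` helpers from the sanity check above (toy bit-list code, not gate-level circuits):

```python
import random

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

n = 8
random.seed(2)
s = [random.randint(0, 1) for _ in range(n)]
m1 = [random.randint(0, 1) for _ in range(n)]
m2 = [random.randint(0, 1) for _ in range(2 * n)]  # second block: alpha*n bits

pi, ti = f(s), s                          # Key_n(s) = (f_n(s), s)
c1, c2 = xor(f_inv(pi), m1), f(m2)        # Eval_n(pi, m1, m2)
assert xor(ti, c1) == m1                  # Inv_n uses ti directly ...
assert f_inv(c2) == m2                    # ... and inverts f_{alpha n}
assert xor(f_inv(pi), c1) == m1           # Adv_n must invert f_n itself
```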

### **5. Conclusion**

In this chapter, we have discussed recent developments in the field of feebly secure cryptographic primitives. While these primitives can hardly be put to any practical use at present, they are still important from the theoretical point of view. As sad as it sounds, this is actually the frontier of provable, mathematically sound results on security; we do not know how to prove anything stronger.

Further work in this direction is twofold. One can further develop the notions of feebly secure primitives. Constants in the orders of security can probably be improved; perhaps, other primitives (key agreement protocols, zero knowledge proofs etc.) can find their feebly secure counterparts. This work can widen the scope of feebly secure methods, but the real breakthrough can only come from one place.


It becomes clear that cryptographic needs call for further advances in general circuit complexity. General circuit complexity has not had a breakthrough since the 1980s; nonconstructive lower bounds are easy to prove by counting, but constructive lower bounds remain elusive. The best bound we know is Blum's lower bound of 3*n* − *o*(*n*) proven in 1984. At present, we do not know how to rise to this challenge; none of the known methods seem to work, so a general breakthrough is required for nonlinear lower bounds on circuit complexity. The importance of such a breakthrough can hardly be overstated; in this chapter, we have seen only one possible use of circuit lower bounds.

### **6. Acknowledgements**

This work has been partially supported by the Russian Fund for Basic Research, grants no. 11-01-00760-a and 11-01-12135-ofi-m-2011, the Russian Presidential Grant Programme for Leading Scientific Schools, grant no. NSh-3229.2012.1, and the Russian Presidential Grant Programme for Young Ph.D.'s, grant no. MK-6628.2012.1.

### **7. References**

Ajtai, M. (1983). $\Sigma^1_1$-formulae on finite structures, *Annals of Pure and Applied Logic* 24: 1–48.


Ajtai, M. & Dwork, C. (1997). A public-key cryptosystem with worst-case/average-case equivalence, *Proceedings of the 29th Annual ACM Symposium on Theory of Computing*, pp. 284–293.

Blum, N. (1984). A boolean function requiring 3n network size, *Theoretical Computer Science* 28: 337–345.

Cai, J. (1989). With probability 1, a random oracle separates PSPACE from the polynomial-time hierarchy, *Journal of Computer and System Sciences* 38: 68–85.

Davydow, A. & Nikolenko, S. I. (2011). Gate elimination for linear functions and new feebly secure constructions, *Proceedings of the 6th Computer Science Symposium in Russia, Lecture Notes in Computer Science*, Vol. 6651, pp. 148–161.

Demenkov, E. & Kulikov, A. (2011). An elementary proof of a 3n − o(n) lower bound on the circuit complexity of affine dispersers, *Proceedings of the 36th International Symposium on Mathematical Foundations of Computer Science, Lecture Notes in Computer Science*, Vol. 6907, pp. 256–265.

Diffie, W. & Hellman, M. (1976). New directions in cryptography, *IEEE Transactions on Information Theory* IT-22: 644–654.

Dwork, C. (1997). Positive applications of lattices to cryptography, *Proceedings of the 22nd International Symposium on Mathematical Foundations of Computer Science, Lecture Notes in Computer Science*, Vol. 1295, pp. 44–51.

Furst, M., Saxe, J. & Sipser, M. (1984). Parity, circuits, and the polynomial-time hierarchy, *Mathematical Systems Theory* 17: 13–27.

Goldreich, O. (2001). *Foundations of Cryptography. Basic Tools*, Cambridge University Press.

Goldreich, O. (2004). *Foundations of Cryptography II. Basic Applications*, Cambridge University Press.

Goldwasser, S. & Bellare, M. (2001). *Lecture Notes on Cryptography*, Summer course on cryptography at MIT.

Grigoriev, D., Hirsch, E. A. & Pervyshev, K. (2009). A complete public-key cryptosystem, *Groups, Complexity, and Cryptology* 1: 1–12.

Harnik, D., Kilian, J., Naor, M., Reingold, O. & Rosen, A. (2005). On robust combiners for oblivious transfers and other primitives, *Proceedings of EuroCrypt '05, Lecture Notes in Computer Science*, Vol. 3494, pp. 96–113.

Håstad, J. (1987). *Computational Limitations for Small Depth Circuits*, MIT Press, Cambridge, MA.

Hiltgen, A. P. (1992). Constructions of feebly-one-way families of permutations, *Proc. of AsiaCrypt '92*, pp. 422–434.

Hiltgen, A. P. (1994). Cryptographically relevant contributions to combinatorial complexity theory, *in* J. L. Massey (ed.), *ETH Series in Information Processing*, Vol. 3, Konstanz: Hartung-Gorre.

Hiltgen, A. P. (1998). Towards a better understanding of one-wayness: Facing linear permutations, *Proceedings of EuroCrypt '98, Lecture Notes in Computer Science*, Vol. 1233, pp. 319–333.

Hirsch, E. A., Melanich, O. & Nikolenko, S. I. (2011). Feebly secure cryptographic primitives.

Hirsch, E. A. & Nikolenko, S. I. (2008). A feebly secure trapdoor function, PDMI preprint 16/2008.

Hirsch, E. A. & Nikolenko, S. I. (2009). A feebly secure trapdoor function, *Proceedings of the 4th Computer Science Symposium in Russia, Lecture Notes in Computer Science*, Vol. 5675, pp. 129–142.

Immerman, N. (1987). Languages which capture complexity classes, *SIAM Journal of Computing* 16(4): 760–778.

Impagliazzo, R. (1995). A personal view of average-case complexity, *Proceedings of the 10th Annual Structure in Complexity Theory Conference (SCT'95)*, IEEE Computer Society, Washington, DC, USA, p. 134.

Khrapchenko, V. M. (1971). Complexity of the realization of a linear function in the class of π-circuits, *Mat. Zametki* 9(1): 36–40.

Kojevnikov, A. A. & Nikolenko, S. I. (2008). New combinatorial complete one-way functions, *Proceedings of the 25th Symposium on Theoretical Aspects of Computer Science*, Bordeaux, France, pp. 457–466.

Kojevnikov, A. A. & Nikolenko, S. I. (2009). On complete one-way functions, *Problems of Information Transmission* 45(2): 108–189.

Lamagna, E. A. & Savage, J. E. (1973). On the logical complexity of symmetric switching functions in monotone and complete bases, *Technical report*, Brown University, Rhode Island.

Levin, L. A. (1986). Average case complete problems, *SIAM Journal of Computing* 15(1): 285–286.

Lupanov, O. B. (1965). On a certain approach to the synthesis of control systems – the principle of local coding, *Problemy Kibernet.* 14: 31–110.

Markov, A. A. (1964). Minimal relay-diode bipoles for monotonic symmetric functions, *Problems of Cybernetics* 8: 205–212.

Massey, J. (1996). The difficulty with difficulty: A guide to the transparencies from the EUROCRYPT '96 IACR distinguished lecture.

Melanich, O. (2009). Nonlinear feebly secure cryptographic primitives, PDMI preprint 12/2009.

Nechiporuk, E. I. (1966). A Boolean function, *Soviet Mathematics. Doklady* 7: 999–1000.

Paul, W. J. (1977). A 2.5n lower bound on the combinational complexity of boolean functions, *SIAM Journal of Computing* 6: 427–443.

Razborov, A. A. (1985). Lower bounds on monotone complexity of the logical permanent, *Mat. Zametki* 37(6): 887–900.

Razborov, A. A. (1987). Lower bounds on the size of bounded depth circuits over a complete basis with logical addition, *Mat. Zametki* 41(4): 598–608.

Razborov, A. A. (1990). Lower bounds of the complexity of symmetric boolean functions of contact-rectifier circuit, *Mat. Zametki* 48(6): 79–90.

Razborov, A. A. (1995). Bounded arithmetic and lower bounds, *in* P. Clote & J. Remmel (eds), *Feasible Mathematics II*, Vol. 13 of *Progress in Computer Science and Applied Logic*, Birkhäuser, pp. 344–386.

Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography, *Proceedings of the 37th Annual ACM Symposium on Theory of Computing*, pp. 84–93.

Regev, O. (2006). Lattice-based cryptography, *Proceedings of the 26th Annual International Cryptology Conference (CRYPTO'06), Lecture Notes in Computer Science*, Vol. 4117, pp. 131–141.

Rivest, R. L., Shamir, A. & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems, *Communications of the ACM* 21(2): 120–126.

Savage, J. E. (1976). *The Complexity of Computing*, Wiley, New York.

Shannon, C. E. (1949). Communication theory of secrecy systems, *Bell System Technical Journal* 28(4): 656–717.

Sholomov, L. A. (1969). On the realization of incompletely-defined boolean functions by circuits of functional elements, *Trans: System Theory Research* 21: 211–223.

Smolensky, R. (1987). Algebraic methods in the theory of lower bounds for boolean circuit complexity, *Proceedings of the 19th Annual ACM Symposium on Theory of Computing*, pp. 77–82.

Stockmeyer, L. (1977). On the combinational complexity of certain symmetric boolean functions, *Mathematical Systems Theory* 10: 323–326.

Stockmeyer, L. (1987). Classifying the computational complexity of problems, *Journal of Symbolic Logic* 52: 1–43.

Subbotovskaya, B. A. (1961). Realizations of linear functions by formulas using ∨, &, ¬, *Soviet Mathematics. Doklady* 2: 110–112.

Subbotovskaya, B. A. (1963). On comparison of bases in the case of realization of functions of algebra of logic by formulas, *Soviet Mathematics. Doklady* 149(4): 784–787.

Vernam, G. S. (1926). Cipher printing telegraph systems for secret wire and radio telegraphic communications, *Journal of the AIEE* 45: 109–115.

Wegener, I. (1987). *The Complexity of Boolean Functions*, B. G. Teubner, and John Wiley & Sons.

Yablonskii, S. V. (1957). On the classes of functions of logic algebra with simple circuit realizations, *Soviet Math. Uspekhi* 12(6): 189–196.

Yao, A. C.-C. (1985). Separating the polynomial-time hierarchy by oracles, *Proceedings of the 26th Annual IEEE Symposium on the Foundations of Computer Science*, pp. 1–10.

Yao, A. C.-C. (1990). On ACC and threshold circuits, *Proceedings of the 31st Annual IEEE Symposium on the Foundations of Computer Science*, pp. 619–627.




### **2**

## **Malicious Cryptology and Mathematics**

Eric Filiol *Laboratoire de Cryptologie et De Virologie Opérationnelles ESIEA France* 

### **1. Introduction**


Malicious cryptology and malicious mathematics form an emerging domain initiated in Filiol & Josse (2007); Filiol & Raynal (2008;b). It draws its inspiration from cryptovirology Young & Yung (2004). However, this latter domain has a very limited approach of how cryptography can be perverted by malware. Indeed, its authors consider the case of extortion malware in which asymmetric cryptography is only used inside a malware payload to extort money in exchange for the secret key necessary to recover the file encrypted by the malware (e.g. a computer virus).

Malicious cryptology and malicious mathematics in fact explode Young and Yung's narrow vision. The result is an unlimited, fascinating yet disturbing field of research and experimentation. This new domain covers several fields and topics (non-exhaustive list):

• Use of cryptography and mathematics to develop "*super malware*" (*über-malware*) which evade any kind of detection by implementing:
	- **–** Optimized propagation and attack techniques (e.g. by using biased or specific random number generators) Filiol et al. (2007).
	- **–** Sophisticated self-protection techniques. The malware code protects itself and its own functional activity by using strong cryptography-based tools Filiol (2005b).
	- **–** Sophisticated auto-protection and code armouring techniques. Malware protect their own code and activity by using strong cryptography.
	- **–** Partial or total invisibility features. The programmer intends to make his code become invisible by using statistical simulability Filiol & Josse (2007).

• Use of malware to perform cryptanalysis operations (steal secret keys or passwords) or to manipulate encryption algorithms to weaken them on the fly in the target computer memory. The resulting encryption process will be easier to break Filiol (2011).

• Design and implementation of encryption systems with hidden mathematical trapdoors. The knowledge of the trap (by the system designer only) enables breaking the system very efficiently. Despite the fact that the system is open and public, the trapdoor must remain undetectable. This can also apply to the keys themselves in the case of asymmetric cryptography Erra & Grenier (2009).

• Use of complexity theory or computability theory to design undetectable malware.


One could define malicious cryptology/mathematics as the interconnection of computer virology with cryptology and mathematics for their mutual benefit. The number of potential applications is almost infinite. In the context of this chapter, we could also define it – or a part of it – as the different mathematical techniques enabling one to modify or manipulate reality and to reflect a suitable but false image of reality to the observer (be it a human being or an automated system).

In this chapter we intend to present in more detail a few of these techniques that are very illustrative of what malicious cryptography and malicious mathematics are. Section 2 first recalls a few definitions and basic concepts in computer virology and in cryptology to make this chapter self-contained. In Section 3, we expose a detailed state-of-the-art of malicious cryptology and malicious mathematics. We then detail two of the most illustrative techniques in the two next sections. Section 4 addresses how mathematical reality can be perverted to design processor-dependent malware. Section 5 then exposes how malicious cryptosystems can be used to protect malware code against detection and analysis.

### **2. Basic definitions and concepts**

### **2.1 Computer virology**

A rather large definition of what malware (short for *Malicious Software*) are follows.

**Definition 1.** *A* malware *is a malicious code or unwanted piece of software like a virus, a worm, a spyware, a Trojan horse... whose aim is to undermine systems' confidentiality, integrity or availability.*

In a more formal approach, malware are programs that take data from the environment (computer, system, users...) as input arguments and output one or more malicious actions: file erasing, data eavesdropping, denial of service... A detailed and technical presentation of what malware are is available in Filiol (2005).

We will address the problematics of the anti-antiviral techniques that are used by malware. Indeed, most of the malicious cryptology and malicious mathematics techniques aim at providing such capabilities to malware. It is logical that the latter enforce techniques to prevent or disable functionalities installed by antiviral software or firewalls. Two main techniques can be put forward:


• *Stealth techniques*.- a set of techniques aiming at convincing the user, the operating system and the security programs that there is no malicious code. Malware then aim to escape monitoring and detection.

• *Polymorphism/metamorphism*.- As antiviral programs are mainly based on the search for viral signatures (scanning techniques), polymorphic techniques aim at making the analysis of files – only by their appearance as sequences of bytes – far more difficult. The basic principle is to have the code vary constantly from viral copy to viral copy, in order to avoid any fixed components that could be exploited by antiviral programs to identify the virus (a set of instructions, specific character strings).

Polymorphic techniques are rather difficult to implement and manage, and this is precisely where lies the critical aspect of designing powerful malicious techniques drawn from both mathematics and cryptology. The two following main techniques (a number of complex variants exist however) are to be considered:

	- **–** Code rewriting into an equivalent code. From a formal point of view, any rewriting technique relies on one or more formal grammars. According to the class of the grammar considered, the malware protection is more or less strong.
	- **–** Applying encryption techniques to all or part of the malware code (a toy illustration of the resulting weakness follows this list). Generally, those encryption techniques consist in masking every code byte with a constant byte value (by means of XOR). Any valid encryption technique implies the use of a static key that eventually constitutes a true signature (or infection marker) when ill-implemented. Moreover, any skilled reverse-engineer will always succeed in extracting this static key and hence will easily unprotect the malware source code.

• *Code armouring* Filiol (2005b) consists in writing a code so as to delay, complicate or even prevent its analysis. While polymorphism/metamorphism aims at limiting/preventing automated analysis (e.g. by an antivirus software), the purpose of code armouring techniques is to limit or bar analysis by the reverse engineer (a human being).
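As promised above, a toy illustration (ours, not the chapter's) of the static-key weakness: with a constant XOR byte, no cryptanalysis is needed at all, since the key falls out of simple byte statistics.

```python
from collections import Counter

def xor_mask(data: bytes, key: int) -> bytes:
    """Mask every byte with a constant key byte, as naive packers do."""
    return bytes(b ^ key for b in data)

payload = bytes(100) + b"malicious payload"   # real code is mostly 0x00 padding
masked = xor_mask(payload, 0x5C)

# Guess: the most frequent masked byte is 0x00 XOR key, i.e. the key itself.
guessed_key = Counter(masked).most_common(1)[0][0]
assert xor_mask(masked, guessed_key) == payload
```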


### **2.2 Cryptology**

### **2.2.1 Cryptosystems**

Fig. 1. General structure of a cryptosystem

A cryptosystem *S* (symmetric case) is defined as the set of an encryption/decryption algorithm *E*, a secret key *K*, a plaintext message *P* and a ciphertext *C*. Let us recall that in the case of asymmetric cryptography (also known as public-key cryptography), the decryption and encryption algorithms are different, as are the encryption and decryption keys. Asymmetric cryptography is mainly used for authentication and digital signature purposes, but it can also be used to encrypt small quantities of information (a few dozen bytes). On the contrary, in the symmetric case, the key *K* and the algorithm *E* are the same for encryption and decryption. Symmetric cryptography is considered for encryption purposes. The plaintext is supposed to be secret while the ciphertext is supposed to be accessible to anyone. So with those notations, we have

$$C = E(K, P) \quad \text{and} \quad P = E(K, C)$$

From a technical point of view, the internal operations (especially with respect to the key) may slightly differ according to the different classes of cryptosystems. But to summarize, any cryptosystem can be defined as a complex combination of substitutions and transpositions of bytes or strings of bytes.
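These notations can be made concrete with a minimal sketch (ours; the keystream expansion below is a stand-in, not a real cipher) in which *E* XORs the data with a keystream derived from *K*, so that the same algorithm both enciphers and deciphers, exactly as in the identity above:

```python
import hashlib

def E(K: bytes, data: bytes) -> bytes:
    """Toy symmetric algorithm: XOR with a keystream expanded from K."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(K + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

K = b"secret key"
P = b"plaintext message"
C = E(K, P)
assert E(K, C) == P   # XOR makes E an involution: decryption = encryption
```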

Cryptanalysis is the art of breaking cryptosystems; in other words, the attacker wants to access the plaintext *P* without the *a priori* knowledge of the key. This access can be performed directly through plaintext recovery or indirectly through key recovery which then enables the attacker to decipher the cipher text.

### **2.2.2 Entropy profile**

Most of the problems regarding the use of cryptography for malicious purposes lie in the fact that code armouring and code mutation involve random data. These must be generated on the fly. In the context of metamorphism, the generator itself must be random too. For the sake of simplicity, we shall speak of a *Pseudo-Random Number Generator* (PRNG) to describe both a random number generator and an encryption system. The difference lies in the fact that in the latter case either random data produced from the expansion of the key are combined with the plaintext (stream ciphers) or they are the result of the combination of the key with the plaintext (block ciphers).

The whole issue lies in the generation of so-called "good" randomness, except that in the context of malicious cryptography Filiol (2007), the term "good" does not necessarily correspond to what cryptographers usually mean. In fact, it is better – yet a simplified but sufficient reduction as a first approximation – to use the concept of entropy Filiol & Raynal (2008). In the same way, the term random data will indifferently describe the random data themselves or the result of encryption.

Consider a (malicious) code as an information source *X*. When parsed, the source outputs characters taking the possible values *xi* (*i* = 0, ..., 255), each with a probability *pi* = *P*[*X* = *xi*]. Then the entropy *H*(*X*) of the source is the following sum<sup>1</sup>:

$$H(X) = \sum\_{i=0}^{255} -p\_i \log\_2(p\_i)$$

Random data by nature will exhibit a high entropy value, meaning that the uncertainty is maximal whenever trying to predict the next value output by the source *X*. On the contrary, non-random data exhibit a low entropy profile (they are easier, or less difficult, to predict).
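The sum *H*(*X*) is straightforward to compute over 1-grams; a short sketch (the helper name is ours) reproducing the low/high entropy profiles just described:

```python
import math
import os
from collections import Counter

def entropy(data: bytes) -> float:
    """1-gram entropy H(X) in bits per byte, as in the sum above."""
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())

print(entropy(b"ordinary ASCII text " * 50))   # low: predictable source
print(entropy(os.urandom(1000)))               # close to 8: random data
```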

From the attacker's point of view, the presence of random data means that something is hidden, but he has to distinguish between legitimate data (e.g. use of packers to protect code against piracy) and illegitimate data (e.g. malware code). In the NATO terminology – at the present time it is the most precise and accurate one as far as InfoSec is concerned – random data relate to a COMSEC (*COMmunication SECurity*) aspect only.

For the attacker (automated software or human expert), the problem is twofold: first detect random data parts inside a code and then decrypt them. In this respect, any code area exhibiting a high entropy profile must be considered as suspicious.

<sup>1</sup> Let us note that here the entropy considers single characters or 1-grams only. A more accurate value would consider all the possible *n*-grams and would compute entropy when *n* → ∞.


To prevent attention from being focused on those random parts, it is possible to add some TRANSEC (*TRANSmission SECurity*) aspect. The most famous one is steganography, but for malware or program protection purposes it is not directly usable (data cannot be directly executed) and we have to find different ways. The other solution is to use malicious statistics as defined and exposed in Filiol & Raynal (2008). It is also possible to break randomness by using noisy encoding techniques like in the Perseus technology.

Breaking randomness applies well to any data used for code mutation (e.g. junk code insertion), including specific subsets of code such as CFGs (*Control Flow Graphs*): a randomly mutated CFG must exhibit the same profile as any normal CFG would. Otherwise, considering the COMSEC aspect only is bound to make the code detection very easy.

### **2.2.3 Key management**

Encrypting a code or a piece of code implies deciphering it beforehand whenever it is executed. But in all of the cases – except those involving the money extortion introduced by Young and Yung Young & Yung (2004) – the key must be accessible to the code itself for deciphering. Consequently, in a way or another it is contained in a more or less obfuscated form inside the code. Therefore it is accessible to the analyst, who will always succeed in finding and accessing it. Instead of performing cryptanalysis, a simple decoding/deciphering operation is sufficient.

It is therefore necessary to consider keys that are external to the encrypted code. Two cases are possible Filiol (2007):

• Environmental key management (a minimal sketch follows this list). The code gathers information in its execution environment and calculates the key repeatedly. The correct key will be computed when and only when the suitable conditions are realized in the code environment – which is usually under the control of the code designer. The security model should prohibit dictionary attacks or environment reduction attacks (enabling reduced exhaustive search) by the code analyst. Consequently the analyst must examine the code in a controlled dynamic area (sandbox or virtual machine) and wait until suitable conditions are met, without knowing when they will be. However, it is possible to build more operational scenarii for this case and to detect that the code is being analyzed and controlled.

• Use of *k*-ary codes (Filiol (2007c)) in which a program is no longer a single monolithic binary entity but a set of binaries and non-executable files (working in a serial mode or in a parallel mode) that produce a desired final (malicious or not) action. Then the analyst has a reduced view of the whole code only, since generally he can access a limited subset of this *k*-set. In the context of (legitimate) code protection, one of the files will be a kernel-land module communicating with a userland code to protect. The code without the appropriate operating environment – with a user-specific configuration by the administrator – will never work. This solution has the great advantage of hiding (by outsourcing it) the encryption system itself. It is one particular instance with respect to this last solution that we present in this chapter.
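A minimal sketch of the environmental key management idea, under our own assumptions (the probes and the XOR keystream are illustrative stand-ins; a real implementation would use stronger primitives and richer environmental conditions):

```python
import hashlib
import platform

def environmental_key() -> bytes:
    """Recompute the key from environment probes; nothing is stored."""
    probes = [platform.system(), platform.machine()]   # stand-in probes
    return hashlib.sha256("|".join(probes).encode()).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

payload = b"protected code"
protected = xor_stream(payload, environmental_key())   # done by the designer
# At run time the code re-derives the key; it deciphers correctly only in an
# environment whose probe values match the designer's target.
assert xor_stream(protected, environmental_key()) == payload
```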


### **3. The state-of-the-art of malicious cryptology and malicious mathematics**

As any recently emerging field, the history of malicious cryptology and malicious mathematics is rather short. Young and Yung's seminal work Young & Yung (2004) has stirred up almost no further research in this area. The main reason is that this new field relates to techniques generally considered as belonging to the "bad guys", in other words the attackers (which include militaries, spies...).

Publishing such results is never easy since it addresses the critical issue of result reproducibility, at least to enable the process of peer review: any result whose reality must be verified and confirmed is likely to leak enough data and information to allow a misuse by the attacker. This situation hence does not ease the emergence of such a new research field. The first consequence is that the actual corpus of knowledge regarding malicious mathematics and malicious cryptography is likely to be far more extended than what has already been published. Most of those techniques are known and used by the military and the intelligence domains. As a result, only a very few seminal papers (both theoretical and technical) are known at the present time. The second consequence is that most of the results are published in the most famous international hacking conferences, which are far more reluctant to publish theoretical and practical results in this area. In this respect, academics are losing interesting opportunities.

### **3.1 From mathematics and cryptology to computer virology**

### **3.1.1 The origins**

The mid 1930s can reasonably be considered as the starting point of the history of malicious mathematics. Indeed, Kleene's masterpiece, the recursion theorem, in essence contains much of the concepts of computer virology Filiol (2005). Of course, neither Kleene nor his followers in recursion theory, calculability and complexity theory ever imagined that their results could be used and interpreted in a malicious way.

During World War II, many studies were performed that can be considered as the first premises of malicious mathematics. Von Neumann's work, for example, dedicated to *self-reproducing automata* – in other words viruses – is undoubtedly the best case. As with many such studies of that time – due to the war<sup>2</sup> and then to the cold war era – it is very likely that many results were classified and still are nowadays. For instance, the NSA released research works performed in computer virology only in 2010. The case of cryptology – a subfield of mathematics and computer science – is probably even more emblematic, since it was considered as a weapon, strictly controlled by governments and the military until the early 2000s, and is still under strict control regarding, for instance, exports and knowledge dissemination (see the different national regulations and the Wassenaar Agreement (1996)). This is the reason why seminal research works in the field of malicious mathematics and malicious cryptology are still very limited, at least in the public domain.

Another famous case is the research work of Kraus (1980), which can be considered as the founding work of computer virology, in 1980. The German government successfully pressured to forbid the publication of this thesis. In this work, Kraus exposes theoretical and practical results in mathematics (recursive functions, computability and calculability theory) that actually gave birth to modern computer virology Filiol (2005). The last copy of Kraus' manuscript was discovered by chance in a wet cellar of the University of Dortmund, translated into English, and published only in 2009 Kraus (1980).

<sup>2</sup> von Neumann's results, which were established in 1948-1949, were published only in 1966, by his student A. W. Burks.


These early works have stirred up almost no further research in this area. The main reason is that this new field relates to techniques generally considered to belong to the "bad guys" – in other words, the attackers (which include militaries, spies...).

Publishing such results is never easy, since it raises the critical issue of result reproducibility, required at least to enable the process of peer review: any result whose reality must be verified and confirmed is likely to leak enough data and information to allow misuse by an attacker. This situation hence does not ease the emergence of such a new research field. The first consequence is that the actual corpus of knowledge regarding malicious mathematics and malicious cryptography is likely to be far more extensive than what has already been published: most of those techniques are known and used by the military and intelligence domains. As a result, only a very few seminal papers (both theoretical and technical) are known at the present time. The second consequence is that most of the results are published in the most famous international hacking conferences, while academic venues remain far more reluctant to publish theoretical and practical results in this area. In this respect, academics are losing interesting opportunities.

### **3.1.2 Early stages of modern malicious cryptology**

From an academic point of view, malicious cryptology begins with Young & Yung (2004), but with a very narrow vision. In their approach, a malware encrypts the user's data with an asymmetric public key, and the attacker extorts money from the user who wants the key to access his data again. In this approach the malware itself does not deploy any malicious mathematics or malicious cryptology techniques: only the payload uses cryptology, for money extortion. The contribution of Young & Yung, while having the merit of initiating the issue, does not propose much more than a cryptography book.

In 2005, the first academic description of the use of cryptology in the viral mechanism itself was given in Filiol (2005b). In this case, symmetric cryptology combined with environmental key management enables, for specific operational conditions, the protection of malware code against reverse engineering. The concept of total code armouring is defined and experimented with.
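
To fix ideas, here is a minimal C sketch of the environmental key management principle (all names and the toy FNV-1a "KDF" are ours, not Filiol's construction): the key never appears in the code; it is recomputed at runtime from an environmental value, so the protected payload deciphers only under the intended operational conditions.

```
/* Minimal sketch of environmental key generation (illustrative only):
 * the key is derived at runtime from an environmental value and never
 * stored, so the payload deciphers only in the intended environment. */
#include <stdio.h>

/* toy 64-bit FNV-1a hash, standing in for a real key derivation function */
static unsigned long long kdf(const char *s) {
    unsigned long long h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

int main(void) {
    unsigned char payload[] = { 0x13, 0x37, 0x42, 0x00 };   /* "ciphertext" */
    const char *env = "expected-hostname";  /* in reality: hostname, registry... */
    unsigned long long k = kdf(env);        /* key exists only if env matches */
    for (unsigned i = 0; i < sizeof payload; i++)
        payload[i] ^= (unsigned char)(k >> (8 * (i % 8)));
    printf("first deciphered byte: 0x%02x\n", payload[0]);
    return 0;
}
```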

### **3.1.3 Formalization results**

### 3.1.3.1 Testing simulability

When dealing with malicious attacks, the main problem that anyone has to face is detection by security software. The issue is then first to understand how security software works in order to infer or identify ways to bypass detection efficiently. In Filiol & Josse (2007), a theoretical study – backed by numerous experiments – describes in a unified way any detection technique by means of statistical testing. From this model, the concept of *statistical simulability* is defined. Here the aim is to reverse the use of statistics in order to design powerful attacks that mimic normal behaviour. In this respect, we can speak of malicious statistics.

**Definition 2.** *Simulating a statistical testing consists, for an adversary, in introducing, in a given population* P*, a statistical bias that cannot be detected by an analyst by means of this test.*

There exist two different kinds of simulability:

- the first one does not depend on the testings (and their parameters) the defender usually considers. It is called *strong testing simulability*.
- on the contrary, the second one does depend on those testings that the attacker aims at simulating. It is called *weak testing simulability*.
Here we call "tester" the one who uses statistical testing in order to decide whether there is an attack or not, or whether a code is malicious or not...

**Definition 3.** *(Strong Testing Simulability) Let P be a property and T a (statistical) testing whose role is to decide whether P holds for a given population* P *or not. Strongly simulating this testing consists in modifying or building a biased population* P *in such a way that T systematically decides that P holds on* P*, up to the statistical risks. But there exists a statistical testing T′ which is able to detect that bias in* P*. In the same way, we say that t testings* (*T*<sub>1</sub>, *T*<sub>2</sub>, ..., *T<sub>t</sub>*) *are strongly simulated if applying them results in deciding that P holds on* P *but no longer holds when considering a* (*t* + 1)*-th testing T*<sub>*t*+1</sub>*.*


In terms of security, strong simulability is a critical aspect of security analysis. In an antiviral context, strong simulability exists when the malware writer, who has identified the techniques used by one or more antivirus products, writes malware that cannot be detected by the targeted antivirus but only by the malware writer himself. As a typical example, a viral database which contains *t* signatures is equivalent to *t* testings (see previous section), and any new malware corresponds to the testing *T*<sub>*t*+1</sub>.

**Definition 4.** *(Weak Testing Simulability) Let P be a property and T a testing whose role is to decide whether P is valid for a given population* P *or not. To weakly simulate this testing means introducing in* P *a new property P′ which partially modifies the property P, in such a way that T systematically decides that P holds on* P*, up to the error risks.*

Weak simulability differs from strong simulability in that the attacker considers the same testings as the tester does. The attacker thus introduces a bias that the tester is not able to detect.

The property *P*′ of Definition 4 is generally opposite to the property *P*. It precisely represents a flaw that the attacker aims at exploiting. Bringing weak simulability into play is somewhat tricky: it requires a deep knowledge of the testings to be simulated.

The central approach consists in introducing the property *P*′ in such a way that the estimators *Ei* in use remain in the acceptance region of the testing (generally that of the null hypothesis). Let us recall that during the decision step, the tester checks whether *E* < *S* or not. Thus weak simulability consists in changing the value *S* − *E* while keeping it positive. For that purpose, we use the intrinsic properties of the relevant sampling distribution.
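
A toy C illustration of this mechanism (thresholds, stride and data are entirely ours, not taken from Filiol & Josse (2007)): the tester applies a chi-square uniformity test with threshold *S*; the attacker embeds his bias byte by byte and keeps a modification only while the estimator *E* stays in the acceptance region, so that *S* − *E* remains positive throughout.

```
/* Sketch of weak testing simulability against a uniformity test: the
 * tester accepts a buffer when its chi-square estimator E is below S.
 * The attacker marks bytes one at a time and reverts any modification
 * that would push E out of the acceptance region. */
#include <stdio.h>
#include <stdlib.h>

static double chi2(const unsigned char *buf, size_t n) {
    double obs[256] = {0}, expected = (double)n / 256.0, e = 0.0;
    for (size_t i = 0; i < n; i++) obs[buf[i]]++;
    for (int v = 0; v < 256; v++) {
        double d = obs[v] - expected;
        e += d * d / expected;
    }
    return e;
}

int main(void) {
    enum { N = 65536 };
    static unsigned char cover[N];
    for (size_t i = 0; i < N; i++) cover[i] = (unsigned char)rand();

    const double S = 293.25;            /* approx. 5% chi-square threshold, 255 df */
    const unsigned char mark = 0xAA;    /* the bias the attacker wants to hide */
    size_t embedded = 0;

    for (size_t i = 0; i < N; i += 61) {
        unsigned char old = cover[i];
        cover[i] = mark;                     /* tentative modification */
        if (chi2(cover, N) < S) embedded++;  /* still accepted: keep it */
        else { cover[i] = old; break; }      /* would be detected: stop */
    }
    printf("embedded %zu marked bytes, E = %.2f (S = %.2f)\n",
           embedded, chi2(cover, N), S);
    return 0;
}
```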

### 3.1.3.2 Reversing calculability and complexity theory

There are two key issues as far as computer science is concerned:

- *Calculability*. Here the central concept is that of Turing machines. The aim is to decide whether there exists a Turing machine (e.g. a program) which can compute a given problem or not. Some problems are not computable (the corresponding Turing machine never stops); consequently, such a problem has no solution! So calculability theory aims at determining which problems are computable and which are not (undecidable problems).
- *Complexity*. When dealing with computable problems, another issue arises: how efficiently a problem can be computed. Here the central tool is the number of operations required to solve a problem. From that number, problems are split into complexity classes. To describe things simply Papadimitriou (1993), the *Polynomial class* (P) corresponds to problems that are "computationally easy" to solve, the *Non-deterministic polynomial class* (NP) to "computationally hard" problems, while the *NP-complete class* contains the hardest problems of the NP class ("computationally very hard" problems). In practice, only the P class is tractable (taking from seconds to a few hours, however!).
So, as exposed in Filiol (2008c), a clever attacker will consider problems that are either impossible to solve (undecidable problems) or computationally hard to solve in order to design his attack or his malware. In other words, he opposes these problems to the defender, who must solve them (whenever possible).
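
A classical, concrete instance of this strategy (our example, borrowed from the program-obfuscation literature rather than from Filiol (2008c)) is the *opaque predicate*: a guard whose value the author knows by construction, but which a defender's static analyser must solve a mathematical problem to decide.

```
/* Sketch of an opaque predicate: the guard below is always false,
 * because 7*y*y - 1 is never a perfect square (-1 is not a quadratic
 * residue mod 7). The author knows the decoy branch is dead code; a
 * static analyser must prove a number-theoretic fact to know it. */
#include <stdio.h>
#include <math.h>

static int is_square(unsigned long long n) {
    unsigned long long r = (unsigned long long)sqrt((double)n);
    return r * r == n || (r + 1) * (r + 1) == n;
}

static void payload(void) { puts("real branch: always executed"); }
static void decoy(void)   { puts("decoy branch: never executed"); }

int main(void) {
    unsigned long long y = 12345;   /* any runtime value works */
    if (is_square(7 * y * y - 1))
        decoy();                    /* opaquely false */
    else
        payload();                  /* the real control flow */
    return 0;
}
```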


In Filiol (2007b) and Zbitskiy (2009), a formalization based on formal grammars is considered. Code mutation (polymorphism, metamorphism) is formally described, and the authors demonstrate that the choice of the formal grammar class (according to the Chomsky classification) can yield powerful attacks. This work has later been extended by Gueguen (2011), using van Wijngaarden grammars.

Another field of mathematics provides a lot of complex problems: combinatorics and discrete mathematics. Powerful approaches also consider these parts of mathematics to design or model powerful attacks based on malicious mathematics. For instance, the concept of cover set from graph theory has made it possible to understand worm and botnet spreading mechanisms, and hence to design more powerful versions of those malicious codes Filiol et al. (2007).

The concept of *k*-ary malware Filiol (2007c) is directly inspired by combinatorics.

**Definition 5.** *A* k-ary malware *is a family of k files (some of which may not be executable) whose union constitutes a computer malware and performs an offensive action equivalent to that of a true malware. Such a code is said to be* sequential *(*serial mode*) if the k constituent parts act strictly one after another. It is said to be* parallel *if the k parts execute simultaneously (parallel mode).*

Detecting such codes becomes almost impossible due to the number of combinations that should be explored. It has been proved in Filiol (2007c) that, provided that the program interactions are deterministic, the detection of *k*-ary malware is NP-complete.
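
The combinatorial principle can be illustrated with a harmless C sketch (our construction, not the paper's code) of the serial mode: a message is split into *k* parts whose XOR reconstructs it, so no single part carries detectable content and an analyser must examine subsets of files jointly.

```
/* Benign sketch of the k-ary principle: k parts whose XOR reconstructs
 * a message; each part alone is random-looking. In a real k-ary code the
 * parts would live in k distinct, individually innocuous files. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { K = 4 };

int main(void) {
    const char msg[] = "payload";
    size_t n = sizeof msg;
    unsigned char parts[K][sizeof msg];

    /* k-1 random parts; the last part is the message XOR all the others */
    memcpy(parts[K - 1], msg, n);
    for (int p = 0; p < K - 1; p++)
        for (size_t i = 0; i < n; i++) {
            parts[p][i] = (unsigned char)rand();
            parts[K - 1][i] ^= parts[p][i];
        }

    /* reconstruction: XOR of all k parts */
    unsigned char out[sizeof msg] = {0};
    for (int p = 0; p < K; p++)
        for (size_t i = 0; i < n; i++) out[i] ^= parts[p][i];
    printf("reconstructed: %s\n", (char *)out);
    return 0;
}
```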

### **3.1.4 Miscellaneous**

Other techniques have recently been considered which cannot clearly be related to the previous approaches. They can be considered as exotic approaches, and we have chosen to expose them in a detailed way. For instance, the attacker can exploit to his own benefit the difference that exists between theoretical reality and practical reality in mathematics. This difference is a critical issue in computer science. In Section 4 we explain how processor-dependent malware can be designed.

Other approaches can also rely on malicious cryptanalysis techniques. These techniques have been initiated in Filiol (2006) with the concept of *Zero-knowledge-like proof of cryptanalysis*.

**Definition 6.** *(Zero-knowledge-like proof of cryptanalysis) Let S<sub>K</sub> be a cryptosystem and* P *a property about the output sequence of length n produced by S, denoted σ<sup>n</sup><sub>K</sub>. No known method other than exhaustive search or random search can obtain property* P *for σ<sup>n</sup><sub>K</sub>. Then, a* zero-knowledge-like proof of cryptanalysis *of S consists in exhibiting secret keys K*<sub>1</sub>, *K*<sub>2</sub>, ..., *K<sub>m</sub>* *such that the output sequences* (*σ<sup>n</sup><sub>K<sub>i</sub></sub>*)<sub>1≤*i*≤*m*</sub> *verify* P*, and such that checking this requires polynomial time complexity. Moreover, the property* P *does not give any information on the way it was obtained.*

It is worth considering that the reader/verifier can object against the author/prover that some random keys have been taken, the keystream has been computed, and it has afterwards been claimed that the keystream properties were the desired ones. In other words, the author/prover tries to fool the verifier/reader by using exhaustive search to produce the properties that have been considered for the zero-knowledge-like proof protocol. Thus the relevant properties must be carefully chosen such that:


- the probability of obtaining them by random search over the key space makes such a search intractable; otherwise the verifier/reader would be able to exhibit by himself, through a simple exhaustive search, secret keys producing keystreams with the same properties;
- the known attacks cannot be applied to retrieve secret keys from a fixed keystream having the properties considered by the author/prover;
- to really convince the reader/verifier, a large number of secret keys must be produced by the author/prover, showing that "he was not lucky".
Since there does not exist any known method other than exhaustive search or random search to produce output sequences *σ<sup>n</sup><sub>K</sub>* having property P, and since the complexity of a successful search is too high in practice, anybody who is effectively able to exhibit secret keys producing such output sequences has obviously found some unknown weakness which he used to obtain this result. The probability of realizing property P through an exhaustive search directly gives the upper-bound complexity of the zero-knowledge-like proved cryptanalysis.
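
To make this last remark concrete (our formulation of the bound, not the paper's): if a uniformly drawn key satisfies the property with probability *p*, then

$$\Pr_K\left[\sigma^n_K \text{ verifies } \mathcal{P}\right] = p \quad \Longrightarrow \quad \mathbb{E}\left[\text{keys tried to exhibit } m \text{ valid ones}\right] = \frac{m}{p},$$

so an honest exhaustive search costs about *m*/*p* trials; when *m*/*p* lies far beyond any feasible computation, the exhibited keys must come from a genuine cryptanalytic weakness.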

This technique has been used to design an efficient code armouring technique. We will detail it in Section 5.

### **3.2 From computer virology to cryptology: malware-based operational cryptanalysis**

While in the previous section we exposed how cryptography and mathematics can be used for malicious purposes, the present section deals with the opposite view: how malware can help to solve difficult (in other words, computationally hard) problems. As far as cryptology is concerned, it mainly relates to the question: "how to get secret quantities (e.g. cryptographic keys) in an illegitimate way?"

In this respect, malware can help to solve this problem very efficiently, in a technical field called *applied cryptanalysis*. As an example, let us consider the case of the AES (Advanced Encryption Standard). Let us assume that we use a *Deep Crack*-like computer that can perform an exhaustive key search at a rate of 2<sup>56</sup> keys per second (in real life this computer does not exist; the best existing cryptanalysis hardware exhausts a 56-bit key space in roughly 3 hours). Then any brute force attack on the different AES versions would require, with such a machine:

- 1.5 × 10<sup>12</sup> centuries for a 128-bit key;
- 2.76 × 10<sup>31</sup> centuries for a 192-bit key;
- 5.1 × 10<sup>50</sup> centuries for a 256-bit key.
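
These orders of magnitude are easy to re-derive; a quick C check of the arithmetic, under the stated assumption of 2<sup>56</sup> keys per second:

```
/* Time, in centuries, for a machine testing 2^56 keys per second to
 * sweep a b-bit key space: 2^b / 2^56 seconds, converted to centuries. */
#include <stdio.h>
#include <math.h>

int main(void) {
    const double keys_per_sec = pow(2.0, 56);
    const double sec_per_century = 100.0 * 365.25 * 24 * 3600;
    int bits[] = { 128, 192, 256 };
    for (int i = 0; i < 3; i++) {
        double centuries = pow(2.0, bits[i]) / keys_per_sec / sec_per_century;
        printf("AES-%d: %.2e centuries\n", bits[i], centuries);
    }
    return 0;   /* prints roughly 1.5e12, 2.8e31, 5.1e50, as listed above */
}
```
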
It is obvious that this approach, which has been used for a long time, is no longer valid for modern systems. Moreover, the mathematical analysis of the AES did not reveal exploitable weaknesses. Consequently, other techniques, called "*applied cryptanalysis*", must be considered. The purpose of these techniques is not to attack the system directly (via the algorithm) but rather to act at the implementation or management levels. By way of illustration, it is as if you wanted to get into a room by making a hole in the bombproof door when you need only walk through the paper-thin walls. One of these approaches consists in using computer viruses or other malware.


### **3.2.1 Circumventing IPSec-like network encryption**

IPSec-based protocols are often presented by IT experts as an efficient solution to prevent attacks against data exchange. More generally, the use of encryption to protect communication channels or to seclude sensitive networks is seen as the ultimate defence. Unfortunately, this confidence is illusory, since such "armoured" protocols can be manipulated or corrupted by an attacker to leak information as soon as an access is obtained with simple user's permission. In Delaunay et al. (2008), the authors demonstrate how an attacker and/or a malware can subvert and bypass IPSec-like protocols (IPSec, WiFi, IP encryptors...) to exfiltrate data from the accessed system illegitimately. By using a covert channel, they show how a malware can encode the information to be stolen, insert it into the legitimate encrypted traffic, and finally collect/decode the information on the attacker's side. This attack is summarized in Figure 2.

Fig. 2. General Scheme of IPSec-like protocol attacks by malware

The malware uses efficient techniques from error-correcting codes theory to perform its attack. Moreover, it adapts its behaviour to the encrypted traffic load in order to make its own activity totally invisible.

### **3.2.2 Dynamic cryptographic backdoors**

A more efficient approach consists in exploiting implementation weaknesses in the environment (by means of a malware), or in changing the latter, as exposed in Filiol (2011). The first technique exploits the fact that many encryption implementations rely on operating system primitives to generate secret keys (e.g. the Microsoft cryptographic API). The second solution is to modify the cryptographic algorithm on-the-fly in memory, and especially its mode of operation and/or its mathematical design. In effect, the malware installs a dynamic trapdoor. The algorithm is not modified on the hard disk (no static forensics evidence). The trapdoor has a limited lifetime and can be replayed more than once. In both cases, the encryption has been weakened in such a way that the attacker just has to intercept the ciphertext and perform the cryptanalysis. This technique has been efficiently applied to take control over the TOR anonymity network Filiol (2011b).

### **3.2.3 Anti-forensics cryptography**

In the field of forensic analysis, encrypted data are particularly interesting when discovered on a hard disk. They are supposed to be clear proof that a person has intended to protect data against analysis. When the forensics expert succeeds, in one way or another, in decrypting those encrypted data, the underlying plaintext clearly becomes very strong evidence for the judge. This means that in the process of digital proof, cryptography has a status of extremely high confidence.


In Filiol (2010a) it is demonstrated how an attacker can use (malicious) cryptography in order to manipulate both the forensic analyst and the judge, and thus fool them into wrongly incriminating an innocent person. The approach mainly lies in malicious cryptography techniques. The aim is to undermine a judge's blind faith in the value of cryptographic evidence and to fool all those who rely heavily upon it. The paper shows with a fictional scenario how such an attack and manipulation can be performed. Hence it shows that the concept of (cryptographic) proof must be considered very cautiously and has no absolute value.

When coming back to the definition of a cryptosystem given in Section 2.2.1, the key point lies in the fact that any arbitrary ciphertext *C* is defined relatively to a 3-tuple (*P*, *K*, *E*) only. In other words, one can do the following:

- **Technique 1**. Choose an arbitrary plaintext *P*, an arbitrary ciphertext *C* and design accordingly a suitable pair (*K*, *E*) such that we obtain *C* = *E*(*K*, *P*) and *P* = *E*(*K*, *C*). This means that if we find random data on a hard disk and we do not have the algorithm *E*, we can assert almost anything. But worse, using malware we can replace any original pair (*K*, *E*) with a "malicious" one (*K̃*, *Ẽ*).
- **Technique 2**. Choose an arbitrary 3-tuple (*E*, *C*, *P*) and compute the key *K* such that we obtain *C* = *E*(*K*, *P*). This approach has been partially addressed in Filiol (2006).
- **Technique 3**. Consider an arbitrary set of ciphertexts *C*1, *C*2, ..., *Ci*, ... and an arbitrary encryption/decryption algorithm *E*, thus relating to (legitimate) plaintexts *P*1, *P*2, ..., *Pi*, ... Thus we have, for all *i* and for a key *Ki* (possibly different for each *i*):
$$C_i = E(K_i, P_i) \text{ and } P_i = E(K_i, C_i).$$

For any additional arbitrary triplet (*P*, *C*, *K*), it is then possible to modify the cryptosystem *E* into a system *Ẽ* so that we obtain

$$C = \tilde{E}(K, P) \text{ and } P = \tilde{E}(K, C)$$

while we still have *Ci* = *Ẽ*(*Ki*, *Pi*) and *Pi* = *Ẽ*(*Ki*, *Ci*).

From a technical point of view, either the attacker modifies the system *E* on-the-fly or he simply replaces it with the modified one (e.g. with a virus). This technique is obviously the trickiest one but also the most convincing one.

Technically speaking, the difficulty depends on the kind of encryption system you intend to consider. While it is relatively easy for stream ciphers, the task becomes far more complex, yet not impossible, with block ciphers. Another aspect to take into consideration is the length (in bits) of the values *C* and *P*: the longer they are, the more difficult it will be to perform such a rogue manipulation. However, in the context of anti-forensics – e.g. fooling a forensics expert – those lengths can be relatively limited. The attacker will just have to build his attacking scenario carefully.
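
Why the stream cipher case is easy can be shown in a few lines of C (a toy XOR "cipher" of our own; for a real stream cipher the forgery targets the keystream, which is the same computation): for any ciphertext *C* and any chosen plaintext *P*′, the keystream *K*′ = *C* ⊕ *P*′ "decrypts" *C* to *P*′.

```
/* Under a XOR-based cipher, any ciphertext can be made to decrypt to any
 * chosen plaintext by forging the keystream: the ciphertext alone proves
 * nothing about the original plaintext. */
#include <stdio.h>

int main(void) {
    unsigned char C[8]  = {0x8f,0x1a,0x52,0xe3,0x07,0xbb,0x61,0xd4}; /* "evidence" */
    unsigned char P2[8] = "GUILTY!";                    /* chosen by the attacker */
    unsigned char K2[8];

    for (int i = 0; i < 8; i++) K2[i] = C[i] ^ P2[i];   /* forge the keystream */
    for (int i = 0; i < 8; i++) P2[i] = C[i] ^ K2[i];   /* "decryption" */
    printf("decrypted with forged key: %.8s\n", P2);
    return 0;
}
```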


### **4. Processor-dependent malware**

From the beginning of malware history (circa 1986), malware have been:

- either operating system specific (Windows \*.\*, Unices, Mac, ...);
- or application specific (e.g. macro viruses);
- or protocol dependent (e.g. *Conficker* versus *Slammer*).
At the present time, there is almost no hardware-specific malware, even if some operating systems are themselves hardware dependent (e.g. Nokia cell phones with *Symbian*). Recently, GPGPU malware (Polykronakis, Ioannidis & Vasiliadis) has been proposed, but it just exploits the fact that graphic cards are distinct devices with almost the same features and capabilities as the system they are connected to. It does not really condition its action on new computing features. GPGPU malware strongly depends on the graphic card type (CUDA or OpenCL enabled).

We propose here to investigate the following critical issue: *is it possible to design malware – or, more generally, any program – that operates beyond operating system and application types and varieties*? More precisely, we want:

- to operate beyond operating system and application types/varieties;
- while exploiting hardware specificities.
If such an approach were possible, it would:

- enable far more precise and targeted attacks, at a finer level (surgical strikes), in a large network of heterogeneous machines, yet with a generic malware;
- and represent a significant advantage in a context of cyberwarfare.
The recent case of the *StuxNet* worm shows that targeted attacks towards PLC components are nowadays a major concern in cyberattacks. However, while it can be very difficult to forecast which kind of applications are likely to be present on the target system (it can be a secret piece of information), the variety in terms of hardware – and especially as far as processors are concerned – is far more reduced, due to the very limited number of hardware manufacturers. We propose to consider *processor-dependent malware* and to rely on the onboard processor, which seems a good candidate for designing hardware-dependent software (a malware is nothing more than a piece of software).

To design such *processor-dependent malware*, we need to identify the processor as precisely as possible. This can be done in different ways:

- by reversing existing binaries (but this provides limited information, since a given binary can indifferently execute on several processors like Intel x86 or AMD chips);
- by classical intelligence gathering...
There is a large spectrum of possibilities for collecting this technical intelligence. But there is bad news: deriving knowledge about processor internals is tricky and requires a lot of work. Instead of analyzing the processor's logic gate architecture, we propose to work at a higher level: *to exploit mathematical perfection versus processor reality*.


### **4.1 Exploiting mathematical processor limitations**

In order to use processors to discriminate programs' action and execution, we exploit the fact that, first, there is a huge difference between mathematical reality and its implementation in computing systems, and second, that this difference is managed in various ways according to the processor brand, model and type.

### **4.1.1 Mathematical perfection versus processor reality**

Let us begin with a very classical example: the algorithm given in Table 1. *What does this code (really) compute?*

```
Algorithm 1 : The Square-root problem
  Input: — a real A;
  Output: — a boolean B
  Begin:
     B = √A * √A;
     Return[A==B];
  End.
```

Table 1. The Square-root problem

Let us suppose we choose *A* = 2.0 as input for this *Square-root* algorithm; we then have two possible answers, which are *opposite*:

1. *Mathematically*: **True** is returned;
2. *Practically*: **False** is returned!
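
The experiment is immediate in C (double precision; the exact output depends on the FPA implementation, which is precisely the point):

```
/* The square-root test of Table 1, runnable: mathematically
 * sqrt(A)*sqrt(A) == A, but the rounded sqrt(2.0) squared generally
 * differs from 2.0 in the last binary places. */
#include <stdio.h>
#include <math.h>

int main(void) {
    double A = 2.0;
    double B = sqrt(A) * sqrt(A);
    printf("A == B ? %s  (B = %.17g)\n", (A == B) ? "True" : "False", B);
    return 0;
}
```
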
Let us now explain why we have these different outputs. This comes from the fact that processors:

- have an increasing (architecture) complexity and size,
- have bugs, known and unknown (not published),
- use floating point arithmetic,
- generally use "secret" algorithms for usual arithmetic functions like 1/*x*, √*x*, 1/√*x*, ... that can be computed:
	1. at the *hardware* level;
	2. and/or at the *software* level.

As an example of a "secret algorithm", let us cite the famous Pentium bug *case* of 1994: Intel has never published either the *correct* division algorithm or the bugged version actually used, but some researchers have applied reverse engineering techniques to understand which algorithm was actually programmed Coe et al. (1995).

Let us now consider the following problem: *can we define a set of (simple) tests to know on which processor we are?* As a practical example: *is it possible to know whether we are on a mobile phone or on a computer?*

The Intel Assembly Language instruction **CPUID** can be used both on Intel and AMD processors, but it has at least two severe drawbacks:

- it is easy to "find" it whenever scanning the file (malware detection issue);
- some other processors cannot recognize and process this instruction.
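
For reference, here is how little code the CPUID route takes and, at the same time, how conspicuous it is: one call via the compiler's `<cpuid.h>` header yields the vendor string, while the very same instruction bytes give a scanner a trivial signature (sketch; x86 with GCC or Clang assumed).

```
/* Reading the CPU vendor string with CPUID (x86, GCC/Clang <cpuid.h>). */
#include <stdio.h>
#include <string.h>
#include <cpuid.h>

int main(void) {
    unsigned int eax, ebx, ecx, edx;
    char vendor[13] = {0};
    if (__get_cpuid(0, &eax, &ebx, &ecx, &edx)) {
        memcpy(vendor + 0, &ebx, 4);   /* vendor string lives in EBX... */
        memcpy(vendor + 4, &edx, 4);   /* ...then EDX... */
        memcpy(vendor + 8, &ecx, 4);   /* ...then ECX */
        printf("CPU vendor: %s\n", vendor);  /* GenuineIntel / AuthenticAMD */
    }
    return 0;
}
```
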
### **4.1.2 Processor bugs**


Known or unknown bugs are good candidates to design such a set of tests and hence to discriminate processors:

- as an instance of such a bug/test, it is easy to determine whether we use a 1994 bugged Pentium or not: just use the numerical values that trigger the *Pentium Division Bug*;
- but a lot of bugs will only *freeze* the computer (this can still be used for a processor-dependent denial of service [DoS], however);
- and it is not so simple to find a list of bugs, even if they are supposed to be "known".
The most interesting bugs to consider involve a floating point arithmetic operator. However, it is worth keeping in mind that the knowledge of some other bugs (by the manufacturer, a Nation State...) can be efficiently used to target processors specifically; hence it represents a critical, not to say strategic, knowledge. Worse, hiding such bugs or managing floating point arithmetics in a very specific way is more than interesting.

More generally, let us consider some differences that exist even within the same type of processor when it is produced in two different versions: a national and an "export" version. As an example, we can consider the POPCOUNT function, which computes the Hamming weight of an integer (the number of 1s in its binary form). Since it is a critical function in the context of cryptanalysis, the national version of a few processors has this function implemented in hardware, while the export version just emulates it at the software level. Consequently, a good way to discriminate the national version from the export version consists in computing Hamming weights a large number of times and recording the computation time: it will be significantly higher for the export version, which hence can be specifically targeted by a malware attack.
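
A timing discriminator of this kind fits in a few lines of C (our sketch; the constants are arbitrary, and `__builtin_popcountll` is the GCC/Clang builtin): time a large batch of software population counts against the same batch using the builtin, which compiles to the hardware instruction when one exists.

```
/* Discriminating hardware vs emulated POPCOUNT by timing. */
#include <stdio.h>
#include <time.h>

/* software population count (Kernighan), standing in for a processor
 * version that only emulates POPCOUNT */
static unsigned soft_popcount(unsigned long long x) {
    unsigned c = 0;
    for (; x; x &= x - 1) c++;   /* clears the lowest set bit each step */
    return c;
}

int main(void) {
    volatile unsigned long long sink = 0;
    clock_t t0 = clock();
    for (unsigned long long i = 0; i < 20000000ULL; i++)
        sink += soft_popcount(i * 0x9E3779B97F4A7C15ULL);
    clock_t t1 = clock();
    for (unsigned long long i = 0; i < 20000000ULL; i++)
        sink += (unsigned)__builtin_popcountll(i * 0x9E3779B97F4A7C15ULL);
    clock_t t2 = clock();
    printf("software: %.3fs, builtin: %.3fs (sink=%llu)\n",
           (double)(t1 - t0) / CLOCKS_PER_SEC,
           (double)(t2 - t1) / CLOCKS_PER_SEC, sink);
    return 0;
}
```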

### **4.1.3 Using floating point arithmetics: the IEEE P754 standard**

The IEEE P754 standard Overton (2011) was approved as a norm by the IEEE and ANSI in 1985. A lot of processors follow and comply with it, but some do not (e.g. the CRAY 1 or the DEC VAX 780). Moreover, not all microcontrollers follow this standard either.

This norm does not impose algorithms to compute usual functions like 1/*x*, √*x*, 1/√*x* or *e*<sup>*x*</sup>. It just gives a specification for the four basic operations: addition, subtraction, multiplication and division. So, for all other functions, differences are very likely to exist as far as their implementation algorithms are concerned. But we have to find them!

For 32-bit environments, we have (see Table 2):

- 1 bit for the sign;
- 23 bits for the mantissa;
- 8 bits for the exponent (integer).

| sign(x) | mantissa(x) | exponent(x) |
|---------|-------------|-------------|
| 1 bit | 23 bits | 8 bits |

Table 2. Structure of 32-bit float "numbers" in the IEEE P754 Standard
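
The layout of Table 2 can be checked directly in C: reinterpret a 32-bit float and mask out the three fields.

```
/* Extracting sign (1 bit), exponent (8 bits) and mantissa (23 bits)
 * from a 32-bit IEEE P754 float. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

int main(void) {
    float f = -6.25f;                 /* = -1.5625 * 2^2 */
    uint32_t u;
    memcpy(&u, &f, sizeof u);         /* well-defined type pun */
    printf("sign=%u exponent=%u mantissa=0x%06x\n",
           u >> 31, (u >> 23) & 0xff, u & 0x7fffff);
    return 0;   /* prints sign=1 exponent=129 mantissa=0x480000 */
}
```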

Floating point arithmetic has a lot of curiosities; let us see some of them. One can find in Kulisch & Miranker (1983) the following questions, due to Rump:

• Evaluate the expression

$$F(X, Y) = \frac{1682XY^4 + 3X^3 + 29XY^2 - 2X^5 + 832}{107751}$$

with *X* = 192119201 and *Y* = 35675640. The "exact" result is 1783, but numerically we can obtain a very different value like −7.18056 × 10<sup>20</sup> (on a 32-bit IEEE P754 compliant processor).

• Evaluate the expression

$$P(X) = 8118X^4 - 11482X^3 + X^2 + 5741X - 2030$$

with *X* = 1/√2 ≈ 0.707. The "exact" result is 0, but numerically we can obtain a very different value like −2.74822 × 10<sup>−8</sup> (on a 32-bit IEEE P754 compliant processor).

Let us recall that the numerical value of an algebraic expression (generally) depends on the compiler, because the result of a non-basic numerical expression depends strongly on the order of the intermediate computations.
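
Rump's second expression is easy to reproduce (our quick C check; the exact figures printed depend on the processor and compiler, which is the whole point):

```
/* P(X) = 8118X^4 - 11482X^3 + X^2 + 5741X - 2030 is exactly 0 at
 * X = 1/sqrt(2), but massive cancellation makes the computed value
 * depend on the working precision and evaluation order. */
#include <stdio.h>
#include <math.h>

int main(void) {
    float  xf = 1.0f / sqrtf(2.0f);
    double xd = 1.0  / sqrt(2.0);
    float  pf = 8118*xf*xf*xf*xf - 11482*xf*xf*xf + xf*xf + 5741*xf - 2030;
    double pd = 8118*xd*xd*xd*xd - 11482*xd*xd*xd + xd*xd + 5741*xd - 2030;
    printf("float : %.8g\ndouble: %.17g\n", pf, pd);  /* exact value: 0 */
    return 0;
}
```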

If we want to know on which processor we are working, we need to find, before anything else, some critical information:

1. first, the *base* value used to represent numbers;
2. second, the *word length*, *i.e.* the number of bits the processor uses to work (with floating point numbers, for example).
For the base value, it is easy to conjecture that the base is 2, at least for modern processors. As far as the word length is concerned, we have not found any numerical algorithm that is able to answer this question, but we have found something very close. The algorithm given in Table 3, called the *Gentleman Code* Gentleman & Marovitch (1974), is surprisingly very interesting for both problems. First we can again ask: *what does this code (really) compute?* Well, again, we have two possible answers:

1. *Mathematically*: the two loops are theoretically *infinite loops*, so they loop forever;
2. *Practically* (see Erra & Grenier (2009)):
	- log2(*A*) gives the number of bits used by the mantissa of floating point numbers;
	- *B* is the base used by the floating point arithmetic of the environment (generally it is equal to 2).

Both values are of course *processor-dependent* constants. So, with a small program of polynomial time complexity, we can compute the number of bits used to represent the *mantissa* of any floating point number, and so deduce the word length.


```
Algorithm 2 : The Gentleman Code
  Input: — A=1.0 ; B=1.0;
  Output: — A, B
  Begin:
     A=1.0;
     B=1.0;
     While (((A+1.0)-A)-1.0 == 0)
        A = 2*A;
     While (((A+B)-A)-B != 0)
        B = B+1.0;
     Return[A,B];
  End.
```
Table 3. The Gentleman code
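The following C transcription of the Gentleman code is ours (a sketch, assuming an IEEE-like `float` type); the `volatile` qualifier discourages the compiler from keeping intermediate results in wider registers, which would change the answer:

```
#include <stdio.h>
#include <math.h>

int main(void) {
    volatile float A = 1.0f, B = 1.0f;

    /* Double A until (A + 1) - A is no longer 1: A is then 2^t,
       where t is the number of bits of the mantissa. */
    while (((A + 1.0f) - A) - 1.0f == 0.0f)
        A = 2.0f * A;

    /* Increment B until A + B is exactly representable again:
       the first such B is the base of the arithmetic. */
    while (((A + B) - A) - B != 0.0f)
        B = B + 1.0f;

    printf("mantissa bits = %g (log2(A)), base = %g\n",
           log2((double)A), (double)B);
    return 0;
}
```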

### **4.2 Implementation and experimental results**

Let us present a few tests that enable discriminating processors operationally (for more details, refer to Erra & Grenier (2009)). Table 4 summarizes a first set of tests.

Table 4. A few easy computations

These tests are interesting but not completely useful: they simply show whether the processor follows the IEEE P754 arithmetic norm or not. For these simple expressions, all processors that are IEEE P754 compliant will give the same answers.

With the following constant definitions in our test program in C, we obtain the results given in Tables 5 and 6.


• #define Pi3 3.141592653589793
• #define Pi4 3.1415926535897932385

| Processor | sin(10<sup>10</sup>*π*1) | sin(10<sup>17</sup>*π*1) | sin(10<sup>37</sup>*π*1) | sin(10<sup>17</sup>*π*1) == sin(10<sup>17</sup>*π*2) |
|---|---|---|---|---|
| IPHONE 3G | 0.375... | 0.423... | -0.837... | No |
| AMD 32 | 0.375... | 0.424... | -0.837... | No |
| AMD 64 | 0.375... | 0.424... | 0.837... | No |
| ATOM | 0.375... | 0.423... | -0.832... | No |
| INTEL DC | 0.375... | 0.423... | -0.832... | No |
| MIPS 12000 | 0.375... | 0.423... | -0.832... | No |
| dsPIC33 | *0.81...* | *0.62...* | *-0.44...* | *Yes* |

Table 5. Computation of sin(10<sup>10</sup>*π*) for various numerical values of the constant *π*

| Processor | sin(10<sup>37</sup>*π*1) | sin(10<sup>37</sup>*π*2) | sin(10<sup>37</sup>*π*3) | sin(10<sup>37</sup>*π*4) |
|---|---|---|---|---|
| IPHONE 3G | 47257756 | 9d94ef4d | 99f9067 | 99f9067 |
| AMD 64 | af545000 | af545000 | af545000 | af545000 |
| ATOM | 47257756 | 9d94ef4d | 99f9067 | 99f9067 |
| INTEL DC | 47257756 | 9d94ef4d | 99f9067 | 99f9067 |
| MIPS 12000 | 47257756 | 9d94ef4d | 99f9067 | 99f9067 |
| dsPIC33 | bee5 | bee5 | bee5 | bee5 |

Table 6. sin(10<sup>37</sup>*π*) in hex for various numerical values of the constant *π*

These results are more interesting, especially those in the third column (the numerical computation of sin(10<sup>37</sup>*π*1)) in Table 5: a simple computation gives four subclasses of the set of processors (emphasized by a double horizontal line between the subclasses). To conclude this part, it is important to stress the *influence of the compiler*. To illustrate this, let us give a last example. We want to compute the generalized sum

$$s(N) := \sum\_{i=1}^{N} 10^{N} \tag{1}$$

The "exact" value is of course *<sup>N</sup>* <sup>∗</sup> <sup>10</sup>*N*, but let us have a look at the Table 7 to see some values we can have when computing *<sup>s</sup>*(*N*) <sup>−</sup> *<sup>N</sup>* <sup>∗</sup> <sup>10</sup>*N*. However we have to point out that the results of the Table 7) heavily depend of course of the processor but *also* of the compiler used, of the options used and so on ....


| *N* | 10 | 21 | 22 | 25 | 30 | 100 |
|---|---|---|---|---|---|---|
| *s* − *N* ∗ 10<sup>*N*</sup> | 0.0 | 0.0 | −8.05 × 10<sup>8</sup> | −6.71 × 10<sup>7</sup> | −4.50 × 10<sup>15</sup> | 4.97 × 10<sup>86</sup> |

Table 7. Computation of *s*(*N*) − *N* ∗ 10<sup>*N*</sup> for different values of *N*
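A minimal double-precision sketch of ours for this experiment (the text does not specify the exact types or compiler options, so the figures obtained may differ from Table 7):

```
/* Accumulate 10^N a total of N times and compare with the exact
   value N * 10^N; the gap measures the accumulated rounding error. */
#include <stdio.h>
#include <math.h>

int main(void) {
    const int Ns[] = {10, 21, 22, 25, 30, 100};
    for (size_t k = 0; k < sizeof Ns / sizeof Ns[0]; k++) {
        int N = Ns[k];
        double term = pow(10.0, (double)N);
        double s = 0.0;
        for (int i = 1; i <= N; i++)
            s += term;                 /* the summation order matters */
        printf("N = %3d : s(N) - N*10^N = %g\n", N, s - (double)N * term);
    }
    return 0;
}
```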

### **4.3 Open problems**


More work has to be done to understand these aspects more deeply. Nonetheless, we have here new insights on how to design more specific attacks when considering the processor type AND the compiler version/type at the same time.

Floating Point Arithmetic (FPA) looks promising for defining a set of tests that identify the processor or, more precisely, a subset of possible processors. In the context of the malicious use of mathematics, a lot of open problems arise. Let us mention a few of them.

The first open problem relates to the following question: *can we find a numerical algorithm, with linear complexity in time and space, which computes a floating point expression that distinguishes a given processor more precisely?* Beyond the examples presented here, a promising algorithm could be based on a variant of the famous *logistic equation*, thoroughly studied in chaos theory, which is defined by:

$$x\_{n+1} = r\, x\_n (1 - x\_n) \tag{2}$$

with *r* ∈ [0, 4].

The sequence defined by Equation 2, for a chosen and fixed *x*0, can exhibit very different behaviors:

• a *periodic* behavior, for example for values of *r* less than 3.0;
• or a *chaotic* behavior for values of *r* slightly larger than 3.57.
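To illustrate why this looks promising, here is a short sketch of ours iterating Equation 2 in single precision (*r* = 3.99 is a hypothetical choice in the chaotic regime); after a hundred iterations, the printed value may differ between processor/compiler combinations:

```
/* Iterate the logistic map x_{n+1} = r * x_n * (1 - x_n) in float.
   In the chaotic regime the n-th iterate is extremely sensitive to
   rounding, so the result may vary with processor, compiler, options. */
#include <stdio.h>

int main(void) {
    volatile float x = 0.5f;      /* a chosen and fixed x_0 */
    const float r = 3.99f;
    for (int n = 0; n < 100; n++)
        x = r * x * (1.0f - x);
    printf("x_100 = %.9g\n", (double)x);
    return 0;
}
```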
Another open problem goes deeper into the misuse of mathematics by attackers: *find processor-dependent hash functions*. Generally, hash functions are defined independently of the processor. But in some cases (export control of cryptography, countermeasures...), one may desire to get rid of this view. The aim then consists in taking the *opposite* idea: we consider a hash function that heavily depends on the processor used to compute it. For example, it can be interesting to design a specific hash function for a *smartphone* or a specific processor. The best way to design such a hash function seems to be to use the properties of the floating point arithmetic operators of the processor, more specifically some of the arithmetic functions implemented on the processor. Consequently, this second open problem evolves slightly towards the following question: *can we define, for a specific processor, hash functions that use the floating point arithmetic of the concerned processor and that respect the classical requirements for such functions?*

### **5. Evading detection and analysis**

Fighting against computer malware requires a mandatory step of reverse engineering. As soon as the code has been disassembled/decompiled (including a dynamic analysis step), there is hope to understand what the malware actually does and to implement a detection algorithm. This also applies to the protection of software whenever one wishes to analyze it.

In this section, we show how the techniques of malicious cryptography enable the implementation of total armoring of programs, thus prohibiting any reverse engineering operation. The main interest of that approach lies in the fact that TRANSEC properties are achieved at the same time. In other words, the protected binaries have the same entropy as any legitimate, unprotected code. This same technique can also achieve a certain level of polymorphism/metamorphism at the same time. For instance, a suitable 59-bit key stream cipher is sufficient to generate up to 2<sup>140</sup> variants very simply. More interestingly, the old-fashioned concept of a decryptor, which usually constitutes a potential signature and hence a weakness, is totally revisited.

To illustrate this approach, let us consider the case study presented in Filiol (2010b) (among many other similar approaches), in which only very few instructions are protected against any disassembly attempt. Let us consider a piece of x86 assembly instructions to protect from analysis. These instructions are translated into an intermediate representation (IR) derived from the REIL language before a final translation into bytecode.

To evade analysis and detection, we intend to protect this final bytecode by using a malicious PRNG, e.g. the last line in the following extract of code:

```
[X86 ASM] MOV EAX, 0x3 [B803000000]
[REIL IR] STR (0x3, B4, 1, 0), (EAX, B4, 0, 0)
[BYTECODES] 0xF1010000 0x40004 0x3 0x0 0x6A
```
Let us now explore the different possible malicious PRNGs we can use depending on the various operational conditions.

### **5.1 Malicious PRNG & protection scenarii**

Sophisticated polymorphic/metamorphic or obfuscation techniques must rely on PRNGs (Pseudo-Random Number Generators). In our context, the aim is to generate sequences of random numbers (here bytecode values) on-the-fly while hiding the code behavior.

Sequences are precomputed and we have to design a generator (the malicious PRNG) which will afterwards output those data. The idea is that any data produced by the resulting generator will be first used by the code as a valid address, and then will itself seed the PRNG to produce the next random data.

Three cases are to be considered:

1. the code is built from any arbitrary random sequence;
2. the sequence is given by a (not yet protected) instance of bytecode and we have to design an instance of PRNG accordingly;
3. a more interesting problem lies in producing random data that can be somehow interpreted by a PRNG as meaningful instructions like jump 0x89 directly.
This relates to interesting problems of PRNG cryptanalysis. We are going to address these three cases.


From a general point of view, it is necessary to recall that for all three cases the malware author needs reproducible random sequences. By reproducible (hence the term pseudo-random), we mean that the malware will replay this sequence to operate its course of execution. The reproducibility condition implies considering a *deterministic Finite-State Machine* (dFSM). The general scheme of how this dFSM works is illustrated as follows. Without the dFSM, any instruction, whenever executed, produces a datum used by the next instruction and so on (e.g. an address, an operand...).

$$I\_0 \to D\_0 \to I\_1 \to D\_1 \to \ldots \to D\_i \to I\_{i+1} \to \ldots$$

The problem lies in the fact that any analysis of the code easily reveals to the malware analyst all the malware internals, since all instructions are hardcoded and unprotected. But if a few data/instructions are kept under an encrypted form and are deciphered at execution only, the analysis is likely to be far more difficult (up to the decryptor and secret key protection issue). The analyst is denied *a priori* analysis capabilities. So, to summarize, we intend to have

$$I\_0 \to D\_0' \to I\_1 \to D\_1 \to \ldots \to D\_i' \to I\_{i+1} \to \ldots$$

where *dFSM*(*D*′*i*) = *Di* for all *i*. Upon execution, we just have to input the data *D*′*i* into the dFSM, which will then output the data *Di*.

A few critical points are worth stressing:

1. no key is required or used;
2. instructions can similarly be protected as well.
Of course to be useful as a prevention tool against (static and dynamic) analysis, the dFSM must itself be obfuscated and protected against analysis. But this last point is supposed to be fulfilled Filiol (2010b).
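The following toy sketch is ours and purely illustrative: the dFSM is replaced by a simple XOR keystream stand-in (all constants hypothetical), just to show how protected data *D*′*i* would be turned back into *Di* at execution time only:

```
/* Toy illustration (entirely hypothetical) of the D' -> D scheme:
   protected data D'_i are stored in the binary and deciphered one by
   one at execution only. Here dFSM is a mere XOR keystream stand-in
   for the obfuscated finite-state machine of the text. */
#include <stdint.h>
#include <stdio.h>

static uint32_t fsm_state = 0xB5297A4Du;   /* hypothetical constant */

/* dFSM(D'_i) = D_i : one deterministic step per protected datum */
static uint32_t dFSM(uint32_t d_protected) {
    fsm_state = fsm_state * 747796405u + 2891336453u;  /* state update */
    return d_protected ^ fsm_state;                    /* decipher */
}

int main(void) {
    /* hypothetical protected words D'_0 .. D'_2 */
    uint32_t d_prot[3] = {0x1A2B3C4Du, 0x00FF00FFu, 0xDEADBEEFu};
    for (int i = 0; i < 3; i++)
        printf("D_%d = 0x%08X\n", i, dFSM(d_prot[i]));  /* use D_i */
    return 0;
}
```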

### **5.2 (Malware) code built from an arbitrary sequence**

In this case, the sequence is arbitrarily chosen before the design of the code, and hence the code is written directly from this arbitrary sequence. This case is the simplest to manage. We just have to choose carefully the dFSM we need. One of the best choices is to take a congruential generator, since it implies a very reduced algorithm with simple instructions.

Let us consider an initial value *X*0 and the corresponding recurrence

$$X\_{i+1} = a \cdot X\_i + b \mod N$$

where *a* is the multiplier, *b* is the increment and *N* is the modulus. Since the length of the sequence involved in the malware design is rather short (up to a few tens of bytes), the choice of those parameters is not as critical as it would be for practical cryptographic applications. In this respect, one can refer to Knuth's reference book to get the best sets of parameters Knuth (1998).

Here are a few such examples among many others:

**Standard minimal generator** *a* = 16,807, *b* = 0, *N* = 2<sup>31</sup> − 1.

**VAX-Marsaglia generator** *a* = 16,645, *b* = 0, *N* = 2<sup>32</sup>.

**Lavaux & Jenssens generator** *a* = 31,167,285, *b* = 0, *N* = 2<sup>48</sup>.

**Haynes generator** *a* = 6,364,136,223,846,793,005, *b* = 0, *N* = 2<sup>64</sup>.

**Knuth's generator** *a* = 22,695,477, *b* = 1, *N* = 2<sup>32</sup> and *Xn*+1 >>= 16.
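As a sketch (ours), the standard minimal generator is only a few instructions in C, which is precisely why it suits such a reduced decoding algorithm (the seed is hypothetical):

```
/* Minimal sketch of a congruential dFSM: the standard minimal
   generator a = 16807, b = 0, N = 2^31 - 1 drives a short,
   reproducible sequence used to rebuild code data. */
#include <stdint.h>
#include <stdio.h>

static uint32_t state;

static uint32_t lcg_next(void) {
    /* X_{i+1} = a * X_i + b mod N */
    state = (uint32_t)(((uint64_t)16807 * state) % 2147483647u);
    return state;
}

int main(void) {
    state = 0x12345u;                    /* hypothetical seed X_0 */
    for (int i = 0; i < 8; i++)
        printf("0x%08X\n", lcg_next()); /* reproducible sequence */
    return 0;
}
```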


Of course the choice of the modulus depends directly on the data type used in the malware.

Another interesting approach is to consider hash functions and S/Key. The principle is almost the same. We take an (*m*, *n*) hash function *H* which produces an *n*-bit output from an *m*-bit input with *m* > *n*. In our case we can build *m* in the following way

m = <data to protect><padding of random data><size of data>

or equivalently

m = D\_i <random data> |D\_i|

Then we choose a *m*-bit initialization vector (IV) and we compute the random sequence as follows

$$IV \to D\_i = H(IV) \to x = H^{|D\_i|}(D\_i) \to y = H^{|x|}(x) \to H^{|y|}(y) \to \ldots$$

The iteration value |*Di*| can be used to get one or more required arbitrary values, thus anticipating the next case. Of course the nature of the hash function is also a key parameter: you can either use an existing hash function (e.g. MD5, SHA-1, RIPEMD-160, SHA-2...) and keep only a subset of the output bits, or you can design your own hash function as explained in Knuth (1998).
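A toy sketch of ours of such a chain; `toy_hash` is a deliberately weak placeholder (not one of the hash functions cited above), and we let `D % 16` stand in for the iteration count |*Di*|:

```
/* Toy S/Key-like chain: D_i = H(IV), then iterate H |D_i| times
   on D_i to get x, |x| times on x to get y, and so on. */
#include <stdint.h>
#include <stdio.h>

/* placeholder (m, n) "hash": 32-bit in, 32-bit out */
static uint32_t toy_hash(uint32_t v) {
    v ^= v >> 16; v *= 0x45D9F3Bu; v ^= v >> 13;
    return v;
}

/* iterate the hash k times, as H^k(v) in the text */
static uint32_t iterate(uint32_t v, uint32_t k) {
    while (k--) v = toy_hash(v);
    return v;
}

int main(void) {
    uint32_t IV = 0xCAFEu;             /* hypothetical IV */
    uint32_t D  = toy_hash(IV);        /* D_i = H(IV) */
    uint32_t x  = iterate(D, D % 16);  /* D % 16 stands in for |D_i| */
    uint32_t y  = iterate(x, x % 16);
    printf("D = %08X, x = %08X, y = %08X\n", D, x, y);
    return 0;
}
```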

### **5.3 Random sequence coming from an arbitrary (malware) code**

In this slightly different case, the sequence is determined by a (not yet protected) instance of a code. The issue is then to design or use an instance of PRNG accordingly. This is of course a far more difficult issue, which implies cryptanalytic techniques. To formalize the problem, we have a sequence

$$X\_0, X\_1, X\_2, \ldots, X\_i, \ldots, X\_n$$

which represents critical data (addresses, ASM instructions, operands...) of a particular instance of a (malware) code. As for example let us consider three series of 32-bit integers describing bytecode values:

```
0x2F010000 0x040004 0x3 0x0 0x89   (1)
0x3D010000 0x040004 0x3 0x0 0x50   (2)
0x5010000  0x040004 0x3 0x0 0x8D   (3)
```

They are just different instances of the same instruction Filiol (2010b). The aim is to have these data in the code under a non-hardcoded but obfuscated form, e.g.

$$K\_0, K\_1, K\_2, \ldots, K\_i, \ldots, K\_n, \ldots$$

We then have to find a dFSM such that

$$X\_0 = dFSM(K\_0), X\_1 = dFSM(K\_1), \ldots, X\_i = dFSM(K\_i), \ldots$$

The notation *Ki* directly suggests that the quantity input to the dFSM is a key in a cryptographic context, but these keys have to exhibit a local low entropy profile at the same time. So the malicious PRNG must take this into account as well. In this case, we have to face a two-fold cryptanalytic issue:

• either fix the output value *Xi* and find out the key *Ki* which outputs *Xi* for an arbitrary dFSM,
• or, for an arbitrary set of pairs (*Xi*, *Ki*), design a unique suitable dFSM for those pairs.
The first case directly relates to a cryptanalytic problem while the second refers more to the problem of designing cryptographic dFSMs with trapdoors. In our context of malicious cryptography, the trapdoors here are precisely the arbitrary pairs of values (*Xi*, *Ki*) while the dFSM behaves for any other pair as a strong cryptosystem Filiol (2010a). This second issue is far more complex to address and still is an open problem.

Let us focus on the first case, which has been partially addressed for real-life cryptosystems like *Bluetooth* E0 Filiol (2007) in the context of zero knowledge-like proof of cryptanalysis. But in the present case we do not need to consider such systems, and much simpler dFSMs can be built conveniently for our purposes, since the sequences of data we use are rather short.

To fulfil all operational constraints Filiol (2010b), those dFSMs have to exhibit additional features in order to:

• be used for code mutation purposes,
• exhibit TRANSEC properties. In other words, if we have *Y* = *dFSM*(*X*), then *X* and *Y* must have the same entropy profile. Replacing *X* with a *Y* having a higher entropy profile would focus the analyst's attention (or trigger security software alerts by considering local entropy tests).
In Filiol (2010b) a 59-bit key stream cipher has been considered. This encryption system is a combination generator which is made of three linear feedback shift registers and a combining Boolean function. The value *Ki* initializes the content of registers *R*1, *R*2 and *R*3 at time instant *t* = 0, and the stream cipher (our dFSM) outputs bits *s<sup>t</sup>* which represent the binary version of the values *Xi*.

To describe the general principle of this technique, we will use this dFSM in a procedure whose prototype is given by

```
void sco(unsigned long long int * X, unsigned long long int K)
{
 /* K obfuscated value (input), X unobfuscated value (output) */
 /* (array of 8 unsigned char) by SCO */
 ...
}
```

Now according to the level of obfuscation we need, different ways exist to protect critical data inside a code (series of integers (1), (2) and (3) above). We are going to detail two of them.

### **5.3.1 Concatenated bytecodes**

The dFSM outputs critical data under a concatenated form to produce chunks of code corresponding to the exact entropy of the input value (*Ki*). This prevents any local increase of the code entropy. For the dFSM considered, it means that we output series (1), (2) and (3) under the following form

```
1)--> 0x2F01000000040004000000030000000000000089
2)--> 0x3D01000000040004000000030000000000000050
3)--> 0x050100000004000400000003000000000000008D
```
Let us detail the first output sequence (1). It will be encoded as three 59-bit outputs *M*1, *M*<sup>2</sup> and *M*<sup>3</sup>

```
M_1 = 0x0BC04000000LL; M_2 = 0x080008000000060LL; M_3 = 0x000000000000089LL;
```

To transform *M*1, *M*<sup>2</sup> and *M*<sup>3</sup> back into five 32-bit values *X*1, *X*2, *X*3, *X*<sup>4</sup> and *X*5, we use the following piece of code:

```
/* Generate the M_i values */
sco(&M_1, K_1);
sco(&M_2, K_2);
sco(&M_3, K_3);
X_1 = M_1 >> 10; /* X_1 = 0x2F010000L */
X_2 = ((M_2 >> 37) | (M_1 << 22)) & 0xFFFFFFFFL;
                  /* X_2 = 0x00040004L */
X_3 = (M_2 >> 5) & 0xFFFFFFFFL; /* X_3 = 0x3 */
X_4 = ((M_3 >> 32) | (M_2 << 27)) & 0xFFFFFFFFL;
                  /* X_4 = 0x0 */
X_5 = M_3 & 0xFFFFFFFFL; /* X_5 = 0x89 */
```
Values *M*1, *M*<sup>2</sup> and *M*<sup>3</sup> will be stored in the code as the values *K*1, *K*<sup>2</sup> and *K*<sup>3</sup> with *dFSM*(*Ki*) = *Mi*:

```
K_1 = 0x6AA006000000099LL; K_2 = 0x500403000015DC8LL; K_3 = 0x0E045100001EB8ALL;
```

Similarly we have for sequence (2)


```
M_1 = 0x0F404000000LL; K_1 = 0x7514360000053C0LL;
M_2 = 0x080008000000060LL; K_2 = 0x4C07A200000A414LL;
M_3 = 0x000000000000050LL; K_3 = 0x60409500001884ALL;
```

and for sequence (3)

```
M_1 = 0x01404000000LL; K_1 = 0x76050E00001F0B1LL;
M_2 = 0x080008000000060LL; K_2 = 0x00000010C80C460LL;
M_3 = 0x00000000000008DLL; K_3 = 0x000000075098031LL;
```
The main interest of that method is that the interpretation of code is not straightforward. Code/data alignment does not follow any logic (that is precisely why a 59-bit dFSM has been considered instead of a seemingly more obvious 64-bit dFSM; any prime value is optimal). Moreover, as we can notice, the *Ki* values are themselves as sparse as unobfuscated opcodes are (structural aspect). Additionally, their entropy profile (quantitative aspect) is very similar to that of the *Mi* values (and hence the *Xi* ones). This implies that any detection technique based on local entropy peaks is bound to fail.

Due to the careful design of the 59-bit dFSM, the unicity distance obtained is greater than 59 bits (the unicity distance is the minimal size for a dFSM output to be produced by a single secret key). In the present case, a large number of different 59-bit keys can output an arbitrary output sequence. Table 8 gives the results for the three series (1), (2) and (3).

| Serie | Number of *Ki* for *M*1 | Number of *Ki* for *M*2 | Number of *Ki* for *M*3 |
|---|---|---|---|
| (1) | 314 | 2,755 | 8,177 |
| (2) | 319 | 2,755 | 26,511 |
| (3) | 9,863 | 2,755 | 3,009 |

Table 8. Number of possible keys for a given output value Filiol (2010b)

This implies that the 9 *Mi* values can be randomly selected and thus we have

$$314 \times (2755)^3 \times 8177 \times 319 \times 26511 \times 9863 \times 3009 = 13,475,238,762,538,894,122,655,502,879,250$$

different possible code variants, which is approximately equal to 2<sup>103</sup> variants. Details of implementation are described in Filiol (2010b).
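As a quick sanity check (ours), summing the base-2 logarithms of the nine key counts of Table 8 confirms the order of magnitude:

```
#include <stdio.h>
#include <math.h>

int main(void) {
    /* number of possible keys K_i for each of the nine M_i values */
    const double counts[9] = {314, 2755, 8177, 319, 2755, 26511,
                              9863, 2755, 3009};
    double bits = 0.0;
    for (int i = 0; i < 9; i++)
        bits += log2(counts[i]);
    printf("log2(#variants) = %.1f\n", bits);   /* about 103.4 */
    return 0;
}
```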

### **5.3.2 Non concatenated bytecodes**

In this second case, the dFSM outputs 59-bit chunks of data of which only the 32 least significant bits are useful. Here, five 59-bit chunks of data *M*1, *M*2, *M*3, *M*4 and *M*5 are output. For sequence (1) we have

```
M_1 = 0x*******2F010000LL; M_2 = 0x*******00040004LL;
M_3 = 0x*******00000003LL; M_4 = 0x*******00000000LL;
M_5 = 0x*******00000089LL;
```



where the symbol \* denotes any random nibble.

The main interest of that method lies in the fact that it naturally and very simply provides increased polymorphism properties compared to the previous approach. Indeed, about 2<sup>140</sup> 5-tuples (*K*1, *K*2, *K*3, *K*4, *K*5), whenever input into the dFSM, produce the 5-tuples (*X*1, *X*2, *X*3, *X*4, *X*5). Then a huge number of different instances of the same code can be produced by randomly choosing any possible 5-tuple. By increasing the size of the memory of the FSM, we can even arbitrarily increase the number of possible polymorphic instances.

### **6. Conclusion**

The rise of malicious mathematics and malicious cryptography results in a number of critical issues.

For the first time, the advantage goes definitively to the attacker as soon as he uses malicious mathematics and malicious cryptology techniques. He just has to use most of the results of computability theory and complexity theory for his own benefit. This sheds new light on the importance of answering the famous question: "*does P = NP or not?*" But a positive solution would only partly solve the problem. Let us recall that modern cryptology, for the first time in mankind's history, gave the advantage to the defender. Unfortunately, this period of peace was short. The threat has just evolved, adapted and changed. We now have to face a very insecure world again.

From that it follows that science can no longer be neutral, and the question of science's dual use – and its corollary, the control of knowledge – is more than ever in question.

Aside from those societal issues, malicious mathematics and malicious cryptology offer a new, stimulating, exciting research universe from a purely academic point of view. A huge number of open problems, both theoretical and practical, have been identified. More are likely to come. In this respect, we can hope that many good things can also arise from the research that will consider those problems.

### **7. References**


Coe, T., Mathissen, T., Moler, C. & Pratt, V. (1995). Computational Aspects of the Pentium Affair. *IEEE Computational Science & Engineering*, 2(1): 18–30.

Delaunay, G., Filiol, E. & Jennequin, F. (2008). Malware-based Information Leakage over IPSEC Tunnels. *Journal of Information Warfare*, 7(3): 11–22.

Erra, R. & Grenier, C. (2009). How to choose RSA Keys (The Art of RSA: Past, Present and Future)? *iAWACS 2009*, Laval, France. [online] http://www.esiea-recherche.eu/Slides09/slides_iAWACS09_Erra-Grenier_How-to-compute-RSA-keys.pdf

Filiol, E. (2005). *Computer Viruses: from Theory to Applications*, IRIS International Series, Springer Verlag France, ISBN-10: 2287239391.

Filiol, E. (2005). Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the BRADLEY virus. *Proceedings of the 14th EICAR Conference*, ESAT Publishing, pp. 201–217.

Filiol, E. (2006). Zero Knowledge-like Proof of Cryptanalysis of Bluetooth Encryption. *International Journal in Information Theory*, 3(4): 40–51. [online] http://www.waset.org/journals/ijit/v3/v3-4-40.pdf

Filiol, E., Franc, E., Gubbioli, A., Moquet, B. & Roblot, G. (2007). Combinatorial Optimisation of Worm Propagation on an Unknown Network. *International Journal in Computer Virology*, 3(2): 65–74. http://www.springer.com/computer/journal/11416

Filiol, E. & Josse, S. (2007). Statistical model for viral undecidability. *Journal of Computer Science*, 2(2): 124–130.

Filiol, E. (2007). Zero knowledge-like Proof of Cryptanalysis of Bluetooth Encryption. *International Journal in Information Technology*, 3(4): 285–293.

Filiol, E. (2007). *Techniques virales avancées*, IRIS Series, Springer Verlag France, ISBN 978-2-287-33887-8 (An English translation is due at the end of 2012).

Filiol, E. (2007). Metamorphism, Formal Grammars and Undecidable Code Mutation. *International Journal in Computer Science*, 2(1): 70–75.

Filiol, E. (2007). Formalisation and Implementation Aspects of *K*-ary (malicious) Codes. *Journal in Computer Virology*, 3(2): 75–86.

Filiol, E. & Raynal, F. (2008). Malicious Cryptography...reloaded. *CanSecWest Conference*, Vancouver, Canada. [online] http://cansecwest.com/csw08/csw08-raynal.pdf

Filiol, E. & Raynal, F. (2008). Enciphered communications: a can of worms? *Revue de Défense Nationale*, Special Issue "From Cybercrime to Cyberwarfare", 5: 86–97.

Filiol, E. (2008). Malware of the Future: When Mathematics Work for the Dark Side. *Hack.lu 2008*, Keynote Talk, Luxembourg, October 22nd. [online] http://hack.lu/archives

Filiol, E. (2010a). Anti-forensics Techniques Based on Malicious Cryptography. *Proceedings of the 9th European Conference in Information Warfare ECIW 2010*, Thessaloniki, Greece, pp. 63–70, Academic Conferences International Press.

Filiol, E. (2010b). Malicious Cryptography Techniques for Unreversable (malicious or not) binaries. *H2HC 2010 Conference*, Sao Paulo, Brazil. [online] http://arxiv.org/abs/1009.4000

Filiol, E. (2011). Dynamic cryptographic backdoors. *CanSecWest Conference*, Vancouver, Canada.

Filiol, E. (2011). Dynamic cryptographic backdoors - How to Take Control over the TOR Network. *H2HC Conference*, Sao Paulo, Brazil, October 2011.

Gentleman, W. & Marovitch, S. (1974). More on algorithms that reveal properties of floating point arithmetic units. *Communications of the ACM*, 17(5): 276–277.

Gueguen, G. (2011). Van Wijngaarden Grammars and Metamorphism. *6th International Workshop on Frontiers in Availability, Reliability and Security 2011 (ARES/FARES'11)*, Vienna, Austria.

Ioannidis, S., Polykronakis, M. & Vasiliadis, G. (2010). GPU-assisted Malware. *Malware 2010*. [online] http://dcs.ics.forth.gr/Activities/papers/gpumalware.malware10.pdf

Knuth, D. E. (1998). *The Art of Computer Programming: Seminumerical Algorithms*, Volume 2, Addison-Wesley.

Kraus, J. (1980). *Selbst Reproduzierende Programme* (Self-reproducing programs). Master Thesis in Computer Science, University of Dortmund. Translated from the German and edited by D. Bilar & E. Filiol, *Journal in Computer Virology*, 5(1): 9–87.

Kulisch, U. W. & Miranker, W. L. (1983). Arithmetic of computers. *SIAM J. of Computing*, 76: 54–55.

Overton, M.-L. (2001). *Numerical Computing with IEEE Floating Point Arithmetic*, SIAM Publishing, ISBN-10: 0-89871-571-7.

Papadimitriou, C. H. (1993). *Computational Complexity*. Addison Wesley, ISBN-10: 0201530821.

Perseus homepage. http://code.google.com/p/libperseus/

The Wassenaar Arrangement in Export Control for Conventional Arms and Dual-Use Goods and Technologies. http://www.wassenaar.org

Young, A. & Yung, M. (2004). *Malicious Cryptography: Exposing Cryptovirology*, Wiley, ISBN 0-7645-4975-8.

Zbitskiy, P. V. (2009). Code Mutation Techniques by Means of Formal Grammars and Automata. *Journal in Computer Virology*, 5(3): 199–207.


## **Cryptographic Criteria on Vector Boolean Functions**

José Antonio Álvarez-Cubero and Pedro J. Zufiria *Universidad Politécnica de Madrid (UPM) Spain*

### **1. Introduction**


Most modern block and stream ciphers can be expressed as a certain arrangement of Vector Boolean Functions. Thus, in the context of block and stream cipher design (mainly in S-boxes and combining functions, respectively), it is essential to define criteria which measure the cryptographic strength of Boolean Functions and Vector Boolean Functions. Ideally, some of the following requirements must be fulfilled by these criteria:

1. The principles of confusion and diffusion must be enforced by the criterion Shannon (1949). *Confusion* obscures the relationship between the plaintext and the ciphertext Schneier (1995). *Diffusion* dissipates the redundancy of the plaintext by spreading it over the ciphertext. Both techniques make it more difficult for a cryptanalyst to find redundancy and statistical patterns in the ciphertext.
2. The criterion must be expressed in terms of a distance to an appropriate set *S* of cryptographically weak functions Meier & Staffelbach (1990). Functions that exhibit properties common to cryptographically weak functions are also considered to be cryptographically weak.
3. The criterion should remain invariant under a certain group of transformations Meier & Staffelbach (1990). This symmetry group should contain the group of affine transformations.
A function is considered to be cryptographically weak if it is easily breakable or it can be turned into a weak function by means of simple (e.g. linear or affine) transformations. This definition is congruent with the notion of similar secrecy introduced by Shannon in Shannon (1949), so that two functions *R* and *S* are said to be "similar" if there exists a fixed transformation *A*, with an inverse *A*−1, such that *R* = *AS*. Hereunder are described the best known cryptographically weak functions.


**2. Preliminaries**

defined as **x y** = (*x*<sup>1</sup> · *y*1,..., *xn* · *yn*).

The main objective of this chapter is to characterize the most relevant cryptographic criteria (nonlinearity, linearity distance, balancedness, algebraic degree, correlation immunity, resiliency and propagation criterion) for constructions of Vector Boolean functions such as composition, addition of coordinate functions, direct sum and bricklayering, from the knowledge of their components. The study of these functions is relevant in cryptology due to the strong connection between cryptographic attacks on the one hand and cryptographic properties of these building blocks on the other. In most cases, the security against a particular class of attacks can be expressed by the existence of a certain property of the Vector Boolean function, which results in a measure of security against that class of attacks:

• *Linear cryptanalysis* is based on the idea of finding highly probable linear or affine relations between the inputs and outputs of the S-boxes present in the cipher, that is, finding S-boxes with low nonlinearity Matsui (1994).

• *Differential cryptanalysis* is a chosen-plaintext attack based on the idea of finding highly probable differential pairs between the inputs and outputs of the S-boxes present in the cipher, that is, finding S-boxes with low linearity distance. Differential cryptanalysis Biham & Shamir (1991) can be seen as an extension of the ideas of attacks based on the presence of linear structures Nyberg (1991).

• For pseudo-random generators, the best known cryptanalytic technique is the *correlation attack*, which is based on the idea of finding correlation between the outputs and the inputs, that is, finding S-boxes with low resiliency.

• *Distinguishing attacks* are able to distinguish the pseudorandom sequence from a random sequence by observing that the distribution of the sequences is not uniform for non-balanced functions.

• Jakobsen and Knudsen identified *interpolation attacks* on block ciphers with S-boxes having small algebraic degree Jakobsen & Knudsen (1997). Later, Canteaut and Videau provided *higher order differential attacks*, which exploit the fact that the algebraic degree of the S-box is low. In the case of combining functions, the sequence produced by *n* combined LFSRs can be obtained by a single LFSR.

• Propagation Characteristic (PC) is an important cryptographic property for S-boxes to resist differential cryptanalysis. To get a uniform output distribution, the S-boxes in block ciphers should have *PC*(*l*) of higher order for *l* ≥ 1.

The corresponding function properties can be summarized as follows:

• *Functions that are not balanced*. The output of such functions is not uniformly distributed, introducing statistical dependence between the input and the output (which can be used in attacks).

• *Functions with low algebraic degree* can be approximated by functions of low complexity, easing their attack.

• *m-th order correlation-immune functions* are those whose output probability distribution is unaltered when any *m* (or, equivalently, at most *m*) of the inputs are kept constant.

• *Functions with a low degree of Propagation Criterion* have little diffusion, and their output probability distribution is altered when some coordinates of the input are complemented.

### **2. Preliminaries**

### **2.1 Definitions**

Let $\langle \mathrm{GF}(2), +, \cdot \rangle$ be the finite field of order 2, where $\mathrm{GF}(2) = \mathbb{Z}_2 = \{0,1\}$, '+' denotes integer addition modulo 2 and '$\cdot$' integer multiplication modulo 2. $V_n$ is the vector space of $n$-tuples of elements from $\mathrm{GF}(2)$. The *direct sum* of $\mathbf{x} \in V_{n_1}$ and $\mathbf{y} \in V_{n_2}$ is defined as $\mathbf{x} \oplus \mathbf{y} = (x_1, \ldots, x_{n_1}, y_1, \ldots, y_{n_2}) \in V_{n_1+n_2}$. The *inner product* of $\mathbf{x}, \mathbf{y} \in V_n$ is denoted by $\mathbf{x} \cdot \mathbf{y}$, and that of real vectors $\mathbf{x}, \mathbf{y} \in \mathbb{R}^n$ by $\langle \mathbf{x}, \mathbf{y} \rangle$. For $\mathbf{x}, \mathbf{y} \in \mathbb{R}^n$, the pointwise product is defined as $\mathbf{x} \bullet \mathbf{y} = (x_1 \cdot y_1, \ldots, x_n \cdot y_n)$.

$f : V_n \to \mathrm{GF}(2)$ is called a *Boolean function*, and $\mathcal{F}_n$ is the set of all Boolean functions on $V_n$. $\mathcal{L}_n$ is the set of all linear Boolean functions on $V_n$: $\mathcal{L}_n = \{l_{\mathbf{u}} \ \forall\, \mathbf{u} \in V_n \mid l_{\mathbf{u}}(\mathbf{x}) = \mathbf{u} \cdot \mathbf{x}\}$, and $\mathcal{A}_n$ is the set of all affine Boolean functions on $V_n$. The *directional derivative* of $f \in \mathcal{F}_n$ in the direction of $\mathbf{u} \in V_n$ is defined by $\Delta_{\mathbf{u}} f(\mathbf{x}) = f(\mathbf{x} + \mathbf{u}) + f(\mathbf{x})$, $\mathbf{x} \in V_n$. If the equality $\Delta_{\mathbf{u}} f(\mathbf{x}) = c$, $c \in \mathrm{GF}(2)$, holds for all $\mathbf{x} \in V_n$, then $\mathbf{u} \in V_n$ is called a linear structure of $f$.

The real-valued mapping $\chi_{\mathbf{u}}(\mathbf{x}) = (-1)^{\sum_{i=1}^{n} u_i x_i} = (-1)^{\mathbf{u} \cdot \mathbf{x}}$ for $\mathbf{x}, \mathbf{u} \in V_n$ is called a *character*. The character form of $f \in \mathcal{F}_n$ is defined as $\chi_f(\mathbf{x}) = (-1)^{f(\mathbf{x})}$. The truth table of $\chi_f$ is called the $(1,-1)$-*sequence vector* or *sequence vector* of $f$ and is denoted by $\xi_f \in \mathbb{R}^{2^n}$. In other words, $\xi_f = ((-1)^{f(\boldsymbol{\alpha}_0)}, (-1)^{f(\boldsymbol{\alpha}_1)}, \ldots, (-1)^{f(\boldsymbol{\alpha}_{2^n-1})})$.
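To make these objects concrete, the following minimal Python sketch (the truth-table representation and the helper name `sequence_vector` are ours, not from the chapter) computes the sequence vector of a Boolean function:

```python
# A Boolean function on V_n is stored as its truth table: a list of 2^n bits in
# lexicographic order of the inputs alpha_0, ..., alpha_{2^n - 1}.
def sequence_vector(tt):
    """Return xi_f = ((-1)^f(alpha_0), ..., (-1)^f(alpha_{2^n - 1}))."""
    return [(-1) ** b for b in tt]

# f(x1, x2) = x1 AND x2 on V_2
print(sequence_vector([0, 0, 0, 1]))  # [1, 1, 1, -1]
```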

Given two real functions $\varphi, \psi : V_n \to \mathbb{R}$, the *circular convolution* or *cross-correlation* $(\varphi * \psi) : V_n \to \mathbb{R}$ is defined by $(\varphi * \psi)(\mathbf{x}) = \sum_{\mathbf{u} \in V_n} \varphi(\mathbf{u}) \psi(\mathbf{x} + \mathbf{u})$.

$F : V_n \to V_m$, $F(\mathbf{x}) = (f_1(\mathbf{x}), \ldots, f_m(\mathbf{x}))$, is called a *Vector Boolean function*, and $\mathcal{F}_{n,m}$ is the set of all Vector Boolean functions $F : V_n \to V_m$. Each $f_i : V_n \to \mathrm{GF}(2)$, $i \in \{1, \ldots, m\}$, is a coordinate function of $F$. The *indicator function* of $F \in \mathcal{F}_{n,m}$, denoted by $\theta_F : V_n \times V_m \to \mathbb{R}$, is defined in Chabaud & Vaudenay (1994) as $\theta_F(\mathbf{x}, \mathbf{y}) = 1$ if $\mathbf{y} = F(\mathbf{x})$ and $\theta_F(\mathbf{x}, \mathbf{y}) = 0$ if $\mathbf{y} \neq F(\mathbf{x})$. The character form of $(\mathbf{u}, \mathbf{v}) \in V_n \times V_m$ is defined as $\chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x}, \mathbf{y}) = (-1)^{\mathbf{u} \cdot \mathbf{x} + \mathbf{v} \cdot \mathbf{y}}$.

Let $F \in \mathcal{F}_{n,m}$ and $\mathbf{u} \in V_n$; the *difference Vector Boolean function* of $F$ in the direction of $\mathbf{u} \in V_n$, denoted by $\Delta_{\mathbf{u}} F \in \mathcal{F}_{n,m}$, is defined by $\Delta_{\mathbf{u}} F(\mathbf{x}) = F(\mathbf{x} + \mathbf{u}) + F(\mathbf{x})$, $\mathbf{x} \in V_n$. If the equality $\Delta_{\mathbf{u}} F(\mathbf{x}) = \mathbf{c}$, $\mathbf{c} \in V_m$, holds for all $\mathbf{x} \in V_n$, then $\mathbf{u} \in V_n$ is called a linear structure of $F$.

We define a simplifying notation for the maximum of the absolute values of a set of real numbers $\{a_{\mathbf{u}\mathbf{v}}\}_{\mathbf{u},\mathbf{v}}$, indexed by vectors $\mathbf{u}$ and $\mathbf{v}$: $\max(a_{\mathbf{u}\mathbf{v}}) = \max_{(\mathbf{u},\mathbf{v})} \{|a_{\mathbf{u}\mathbf{v}}|\}$. With the same notation, we define the $\max^{*}(\cdot)$ operator, which excludes the pair $(\mathbf{0},\mathbf{0})$: $\max^{*}(a_{\mathbf{u}\mathbf{v}}) = \max_{(\mathbf{u},\mathbf{v}) \neq (\mathbf{0},\mathbf{0})} \{|a_{\mathbf{u}\mathbf{v}}|\}$.

### **2.2 Constructions of Vector Boolean Functions**

In this chapter, some secondary constructions are studied, which build $(n, m)$-variable Vector Boolean functions from $(n', m')$-variable ones (with $n' \leq n$, $m' \leq m$). The direct sum construction has been used to construct resilient and bent Boolean functions Carlet (2004), Maitra & Pasalic (2002), Pasalic et al. (2001), Sarkar & Maitra (2000a), Sarkar & Maitra (2000b). Adding coordinate functions and bricklayering are operations used to build modern ciphers such as CAST Adams & Tavares (1993), DES Des (1977) and AES Daemen & Rijmen (2002).


### **2.2.1 Direct sum**

**Definition 1.** *Let $n = n_1 + n_2$, $n_1, n_2 \geq 1$, $m \geq 1$, $F_1 \in \mathcal{F}_{n_1,m}$ and $F_2 \in \mathcal{F}_{n_2,m}$. The direct sum of $F_1$ and $F_2$ is the function:*

$$\begin{array}{c} (F_1 \oplus F_2) : V_{n_1} \times V_{n_2} \to V_m \\ (\mathbf{x}, \mathbf{y}) \mapsto (F_1 \oplus F_2)(\mathbf{x}, \mathbf{y}) = F_1(\mathbf{x}) + F_2(\mathbf{y}) \end{array} \tag{1}$$

This is a generalization for Vector Boolean functions of the construction of Boolean functions first introduced in Rothaus (1976).
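As an illustration, here is a minimal Python sketch of the direct sum, under our own (hypothetical) representation of a Vector Boolean function as a map from bit tuples to bit tuples:

```python
# Direct sum sketch: (F1 (+) F2)(x, y) = F1(x) + F2(y), where '+' is the
# componentwise sum (XOR) in V_m.
def direct_sum(F1, F2, n1):
    def F(xy):
        x, y = xy[:n1], xy[n1:]
        return tuple(a ^ b for a, b in zip(F1(x), F2(y)))
    return F

F1 = lambda x: (x[0] & x[1], x[0] ^ x[1])   # toy F1 in F_{2,2}
F2 = lambda y: (y[0] | y[1], y[1])          # toy F2 in F_{2,2}
F = direct_sum(F1, F2, n1=2)
print(F((1, 0, 1, 1)))                      # (0,1) XOR (1,1) = (1, 0)
```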

### **2.2.2 Adding coordinate functions**

**Definition 2.** *Let $n \geq 1$, $m = m_1 + m_2$, $m_1, m_2 \geq 1$, $F \in \mathcal{F}_{n,m_1}$ and $G \in \mathcal{F}_{n,m_2}$. The result of adding coordinate functions of $F$ and $G$ is the function:*

$$\begin{array}{c} (F, G) : V_n \to V_{m_1} \times V_{m_2} \\ \mathbf{x} \mapsto (F, G)(\mathbf{x}) = (f_1(\mathbf{x}), \ldots, f_{m_1}(\mathbf{x}), g_1(\mathbf{x}), \ldots, g_{m_2}(\mathbf{x})) \end{array} \tag{2}$$

This is a generalization for Vector Boolean functions of the method used in the CAST algorithm and studied in Nyberg (1995) by adding more than one coordinate function at the same time.
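A corresponding sketch, using the same hypothetical tuple representation as above:

```python
# Adding coordinate functions: (F, G)(x) concatenates the outputs of F and G
# evaluated on the same input x.
def add_coordinates(F, G):
    return lambda x: F(x) + G(x)   # tuple concatenation, not addition in V_m

FG = add_coordinates(lambda x: (x[0] & x[1],), lambda x: (x[0] ^ x[1], x[1]))
print(FG((1, 0)))                  # (0, 1, 0): one coordinate from F, two from G
```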

### **2.2.3 Bricklayer**

**Definition 3.** *Let $n = n_1 + n_2$, $n_1, n_2 \geq 1$, $m = m_1 + m_2$, $m_1, m_2 \geq 1$, $F \in \mathcal{F}_{n_1,m_1}$ and $G \in \mathcal{F}_{n_2,m_2}$. The Bricklayer of $F$ and $G$ is the function $F|G \in \mathcal{F}_{n,m}$:*

$$\begin{array}{c} F|G : V_{n_1} \times V_{n_2} \to V_{m_1} \times V_{m_2} \\ (\mathbf{x}, \mathbf{y}) \mapsto F|G(\mathbf{x}, \mathbf{y}) = (f_1(\mathbf{x}), \ldots, f_{m_1}(\mathbf{x}), g_1(\mathbf{y}), \ldots, g_{m_2}(\mathbf{y})) \end{array} \tag{3}$$

This construction corresponds to the bricklayer function Daemen & Rijmen (2002) as a parallel application of a number of Vector Boolean functions operating on smaller inputs.
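A sketch under the same conventions:

```python
# Bricklayer: F|G applies F and G in parallel on disjoint halves of the input,
# as in the parallel S-box layers of AES-like ciphers.
def bricklayer(F, G, n1):
    return lambda xy: F(xy[:n1]) + G(xy[n1:])   # concatenated outputs

S = bricklayer(lambda x: (x[1], x[0]), lambda y: (y[0] ^ y[1],), n1=2)
print(S((1, 0, 1, 1)))                          # (0, 1, 0)
```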

Another interesting operation is the restriction or projection of a Vector Boolean function, which can be found in ciphers such as MacGuffin Blaze & Schneier (1995).

### **2.2.4 Projection**

**Definition 4.** *Let $F \in \mathcal{F}_{n,m}$ and an ordered set $A = \{i_1, \ldots, i_p\} \subseteq \{1, \ldots, m\}$. The result of projecting $F$ onto $A$ is the function:*

$$\begin{array}{c} F|_A : V_n \to V_p \\ \mathbf{x} \mapsto F|_A(\mathbf{x}) = (f_{i_1}(\mathbf{x}), \ldots, f_{i_p}(\mathbf{x})) \end{array} \tag{4}$$
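And a sketch of the projection (again with our hypothetical representation):

```python
# Projection: F|_A keeps only the coordinate functions indexed by the ordered
# set A (1-based indices, matching Definition 4).
def project(F, A):
    return lambda x: tuple(F(x)[i - 1] for i in A)

F = lambda x: (x[0], x[1], x[0] ^ x[1])   # toy F in F_{2,3}
print(project(F, (1, 3))((1, 0)))         # (f_1, f_3) at (1, 0) -> (1, 1)
```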

### **2.3 Walsh spectrum, autocorrelation spectrum and differential profile**

The Walsh and autocorrelation spectra, together with the differential profile, of the Vector Boolean functions that make up a cipher play an important role. The cryptographic criteria of nonlinearity, resiliency, balancedness, linearity distance and propagation criterion can be obtained from these three matrices.

**Definition 5.** *Let $f \in \mathcal{F}_n$ be a Boolean function; the Walsh Transform of $f$ at $\mathbf{u} \in V_n$ is the $n$-dimensional Discrete Fourier Transform and can be calculated as follows:*

$$\mathcal{W}_f(\mathbf{u}) = \hat{\chi}_f(\mathbf{u}) = \left\langle \xi_f, \xi_{l_{\mathbf{u}}} \right\rangle = \sum_{\mathbf{x} \in V_n} \chi_f(\mathbf{x}) \chi_{\mathbf{u}}(\mathbf{x}) = \sum_{\mathbf{x} \in V_n} (-1)^{f(\mathbf{x}) + \mathbf{u} \cdot \mathbf{x}} \tag{5}$$

The *Walsh Spectrum* of $f$ can be represented by a matrix whose rows are characterized by $\mathbf{u} \in V_n$ in lexicographic order, denoted by $\mathrm{WS}(f) \in \mathcal{M}_{2^n \times 1}(\mathbb{R})$ and defined as $\mathrm{WS}(f) = \left( \hat{\chi}_f(\boldsymbol{\alpha}_0) \ \ldots \ \hat{\chi}_f(\mathbf{u}) \ \ldots \ \hat{\chi}_f(\boldsymbol{\alpha}_{2^n-1}) \right)^T$, where $\hat{\chi}_f(\mathbf{u}) = \mathrm{WS}(f)(\mathbf{u})$ and $-2^n \leq \hat{\chi}_f(\mathbf{u}) \leq 2^n$.
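A direct, unoptimized Python sketch of Definition 5 (a fast Walsh-Hadamard transform would be used in practice; `walsh_transform` is our own helper name):

```python
# Naive O(4^n) Walsh transform of a Boolean function given by its truth table.
def walsh_transform(tt):
    n = len(tt).bit_length() - 1
    return [sum((-1) ** (tt[x] ^ (bin(u & x).count("1") & 1))  # (-1)^(f(x) + u.x)
                for x in range(2 ** n))
            for u in range(2 ** n)]

# f(x1, x2) = x1 AND x2: WS(f) = (2, 2, 2, -2)^T, within the bounds -2^n..2^n
print(walsh_transform([0, 0, 0, 1]))
```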

The following fundamental result can be seen as an extension of the usual Fourier Transform properties:

**Theorem 1.** *For all $f, g \in \mathcal{F}_n$ it holds that:*

$$\xi_f \bullet \xi_g \overset{\mathcal{W}}{\longleftrightarrow} \frac{1}{2^n} \mathrm{WS}(f) * \mathrm{WS}(g) \tag{6}$$

*Proof.*


$$\begin{array}{rl} \mathcal{W}\{\xi_f \bullet \xi_g\}(\mathbf{u}) &= \sum_{\mathbf{x} \in V_n} (\xi_f \bullet \xi_g)(\mathbf{x}) \chi_{\mathbf{u}}(\mathbf{x}) = \sum_{\mathbf{x} \in V_n} \chi_f(\mathbf{x}) \chi_g(\mathbf{x}) \chi_{\mathbf{u}}(\mathbf{x}) \\ &= \sum_{\mathbf{x} \in V_n} \left( \frac{1}{2^n} \sum_{\mathbf{v} \in V_n} \hat{\chi}_f(\mathbf{v}) \chi_{\mathbf{v}}(\mathbf{x}) \right) \chi_g(\mathbf{x}) \chi_{\mathbf{u}}(\mathbf{x}) \\ &= \frac{1}{2^n} \sum_{\mathbf{v} \in V_n} \hat{\chi}_f(\mathbf{v}) \sum_{\mathbf{x} \in V_n} \chi_{\mathbf{v}}(\mathbf{x}) \chi_g(\mathbf{x}) \chi_{\mathbf{u}}(\mathbf{x}) \\ &= \frac{1}{2^n} \sum_{\mathbf{v} \in V_n} \hat{\chi}_f(\mathbf{v}) \sum_{\mathbf{x} \in V_n} \chi_g(\mathbf{x}) \chi_{\mathbf{u}+\mathbf{v}}(\mathbf{x}) \\ &= \frac{1}{2^n} \sum_{\mathbf{v} \in V_n} \hat{\chi}_f(\mathbf{v}) \hat{\chi}_g(\mathbf{u} + \mathbf{v}) = \frac{1}{2^n} (\mathrm{WS}(f) * \mathrm{WS}(g))(\mathbf{u}) \end{array}$$
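The identity can also be checked numerically; below is a small self-contained verification on $V_2$ (the toy functions and helper names are ours):

```python
# Numeric check of Theorem 1 on V_2: the Walsh transform of the pointwise
# product xi_f . xi_g equals (1/2^n) times the circular convolution of the
# spectra, where arguments in V_n are combined by XOR.
n, N = 2, 4

def walsh(seq):  # Walsh transform of a (1,-1)-sequence
    return [sum(seq[x] * (-1) ** (bin(u & x).count("1") & 1) for x in range(N))
            for u in range(N)]

f, g = [0, 1, 1, 0], [0, 0, 1, 1]          # truth tables: x1 XOR x2, and x1
xi_f = [(-1) ** b for b in f]
xi_g = [(-1) ** b for b in g]

lhs = walsh([a * b for a, b in zip(xi_f, xi_g)])
WSf, WSg = walsh(xi_f), walsh(xi_g)
rhs = [sum(WSf[v] * WSg[u ^ v] for v in range(N)) / N for u in range(N)]
print(lhs, rhs)                            # both sides: 4 at u = 01, 0 elsewhere
```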

**Theorem 2.** *Let $\mathbf{u} \in V_n$, $\mathbf{u}_1 \in V_{n_1}$, $\mathbf{u}_2 \in V_{n_2}$, $n = n_1 + n_2$, so that $\mathbf{u} = \mathbf{u}_1 \oplus \mathbf{u}_2$. Let $f_1 \in \mathcal{F}_{n_1}$ and $f_2 \in \mathcal{F}_{n_2}$; their direct sum satisfies $f_1 \oplus f_2 \in \mathcal{F}_n$ and $\hat{\chi}_{f_1 \oplus f_2}(\mathbf{u}) = \hat{\chi}_{f_1}(\mathbf{u}_1) \cdot \hat{\chi}_{f_2}(\mathbf{u}_2)$ Sarkar & Maitra (2000a).*

**Definition 6.** *Let $F \in \mathcal{F}_{n,m}$ be a Vector Boolean function; its Walsh Transform is the two-dimensional Walsh Transform defined by:*

$$\mathcal{W}_F(\mathbf{u}, \mathbf{v}) = \hat{\theta}_F(\mathbf{u}, \mathbf{v}) = \sum_{\mathbf{x} \in V_n} \sum_{\mathbf{y} \in V_m} \theta_F(\mathbf{x}, \mathbf{y}) \chi_{(\mathbf{u},\mathbf{v})}(\mathbf{x}, \mathbf{y}) = \sum_{\mathbf{x} \in V_n} (-1)^{\mathbf{u} \cdot \mathbf{x} + \mathbf{v} \cdot F(\mathbf{x})} \tag{7}$$

**Corollary 1.** *The value of the Walsh transform of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ at $(\mathbf{u}, \mathbf{v})$ coincides with the value of the Walsh transform of the Boolean function $\mathbf{v} \cdot F$ at $\mathbf{u}$: $\hat{\theta}_F(\mathbf{u}, \mathbf{v}) = \hat{\chi}_{\mathbf{v} \cdot F}(\mathbf{u})$ for all $(\mathbf{u}, \mathbf{v}) \in V_n \times V_m$.*

The *Walsh Spectrum* of $F$ can be represented by a matrix whose rows are characterized by $\mathbf{u} \in V_n$ and whose columns are characterized by $\mathbf{v} \in V_m$ in lexicographic order, denoted by $\mathrm{WS}(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$. It holds that $\hat{\theta}_F(\mathbf{u}, \mathbf{v}) = \mathrm{WS}(F)(\mathbf{u}, \mathbf{v})$; $\mathrm{WS}(F)_{\mathbf{u}}$ is the row of the Walsh Spectrum characterized by $\mathbf{u}$, and $\mathrm{WS}(F)^{\mathbf{v}}$ is the column of the Walsh Spectrum characterized by $\mathbf{v}$.
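Following Corollary 1, the full spectrum can be tabulated with a small sketch (the integer encoding of $V_n$ and the helper name are our assumptions):

```python
# 2-D Walsh transform of Definition 6: entry (u, v) is the Walsh transform of
# the Boolean function v.F at u, with vectors encoded as integers.
def walsh_spectrum_vbf(F, n, m):
    return [[sum((-1) ** ((bin(u & x).count("1")
                           + bin(v & F(x)).count("1")) & 1)
                 for x in range(2 ** n))
             for v in range(2 ** m)]
            for u in range(2 ** n)]

# For the identity map on V_2, WS(F)(u, v) = 2^n exactly when u == v, else 0.
print(walsh_spectrum_vbf(lambda x: x, 2, 2))
```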


**Theorem 3.** *Let $L_{A,\mathbf{b}} \in \mathcal{F}_{n,m}$ be an affine Vector Boolean function where $L_{A,\mathbf{b}}(\mathbf{x}) = A\mathbf{x} + \mathbf{b}$ with $A \in \mathcal{M}_{n \times m}(\mathrm{GF}(2))$ and $\mathbf{b} \in V_m$; its spectrum satisfies Pommerening (2005):*

$$\hat{\theta}_{L_{A,\mathbf{b}}}(\mathbf{u}, \mathbf{v}) = \begin{cases} 2^n & \text{if } \mathbf{v}^T A = \mathbf{u}^T, \ \mathbf{v}^T \mathbf{b} = 0 \\ -2^n & \text{if } \mathbf{v}^T A = \mathbf{u}^T, \ \mathbf{v}^T \mathbf{b} = 1 \\ 0 & \text{if } \mathbf{v}^T A \neq \mathbf{u}^T \end{cases}$$

**Theorem 4.** *If $F \in \mathcal{F}_{n,n}$ is bijective, then it holds that $\hat{\theta}_F(\mathbf{u}, \mathbf{v}) = \hat{\theta}_{F^{-1}}(\mathbf{v}, \mathbf{u})$.*

**Definition 7.** *The autocorrelation of $f \in \mathcal{F}_n$ with respect to the shift $\mathbf{u} \in V_n$ is the cross-correlation of $f$ with itself, denoted by $r_f : V_n \to \mathbb{R}$ and defined by:*

$$r_f(\mathbf{u}) = \frac{1}{2^n} \sum_{\mathbf{x} \in V_n} \chi_f(\mathbf{x}) \chi_f(\mathbf{x} + \mathbf{u}) = \frac{1}{2^n} \sum_{\mathbf{x} \in V_n} (-1)^{f(\mathbf{x}) + f(\mathbf{u} + \mathbf{x})} \tag{8}$$
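A one-line sketch of Definition 7 on truth tables (the shift $\mathbf{x} + \mathbf{u}$ becomes XOR on integer indices; the helper name is ours):

```python
# Autocorrelation r_f(u) of a Boolean function given by its truth table.
def autocorrelation(tt, u):
    n = len(tt).bit_length() - 1
    return sum((-1) ** (tt[x] ^ tt[x ^ u]) for x in range(2 ** n)) / 2 ** n

print([autocorrelation([0, 0, 0, 1], u) for u in range(4)])  # r_f(0) is always 1
```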

**Definition 8.** *The autocorrelation of $F \in \mathcal{F}_{n,m}$ with respect to the shift $(\mathbf{u}, \mathbf{v}) \in V_n \times V_m$ is the cross-correlation of $F$ with itself, denoted by $r_F : V_n \times V_m \to \mathbb{R}$, so that Nyberg (1995):*

$$r_F(\mathbf{u}, \mathbf{v}) = \frac{1}{2^n} \sum_{\mathbf{x} \in V_n} \chi_{\mathbf{v} \cdot F}(\mathbf{x} + \mathbf{u}) \chi_{\mathbf{v} \cdot F}(\mathbf{x}) = \frac{1}{2^n} \sum_{\mathbf{x} \in V_n} (-1)^{\mathbf{v} \cdot F(\mathbf{x} + \mathbf{u}) + \mathbf{v} \cdot F(\mathbf{x})} \tag{9}$$

Let $F \in \mathcal{F}_{n,m}$. We denote by $D_F(\mathbf{u}, \mathbf{v})$ the set of vectors where the difference Vector Boolean function of $F$ in the direction of $\mathbf{u} \in V_n$ coincides with $\mathbf{v} \in V_m$: $D_F(\mathbf{u}, \mathbf{v}) = \{\mathbf{x} \in V_n \mid \Delta_{\mathbf{u}} F(\mathbf{x}) = \mathbf{v}\}$.

Let $F \in \mathcal{F}_{n,m}$ where $n \geq m$. The matrix containing all possible values of $\# D_F(\mathbf{u}, \mathbf{v})$ is referred to as its *XOR or Differential Distribution Table*. Let $DU(F)$ be the largest value in the differential distribution table of $F$ (not counting the first element in the first row), namely,

$$DU(F) = \max_{(\mathbf{u}, \mathbf{v}) \neq (\mathbf{0}, \mathbf{0})} \# D_F(\mathbf{u}, \mathbf{v}) = \max_{(\mathbf{u}, \mathbf{v}) \neq (\mathbf{0}, \mathbf{0})} \#\{\mathbf{x} \in V_n \mid \Delta_{\mathbf{u}} F(\mathbf{x}) = \mathbf{v}\} \tag{10}$$

Then *F* is said to be differentially *DU*(*F*)-uniform, and accordingly, *DU*(*F*) is called the *differential uniformity* of *F* J. Seberry & Zheng (1994). By normalizing the elements of the differential distribution table we obtain the Differential profile:

**Definition 9.** *Let the function $\delta_F : V_n \times V_m \to \mathbb{Q}$ be $\delta_F(\mathbf{u}, \mathbf{v}) = \frac{1}{2^n} \# D_F(\mathbf{u}, \mathbf{v})$; then the Differential Profile of $F$ can be represented by a matrix whose rows are characterized by $\mathbf{u} \in V_n$ and whose columns are characterized by $\mathbf{v} \in V_m$ in lexicographic order, denoted by $\mathrm{DP}(F) \in \mathcal{M}_{2^n \times 2^m}(\mathbb{R})$, with entries $\delta_F(\boldsymbol{\alpha}_i, \boldsymbol{\alpha}_j)$, $i \in \{1, \ldots, 2^n - 1\}$ and $j \in \{1, \ldots, 2^m - 1\}$.*

**Definition 10.** *The maximum value of $\delta_F(\mathbf{u}, \mathbf{v})$ is called the differential potential of $F$: $dp(F) = \max \{\delta_F(\mathbf{u}, \mathbf{v}) \mid \forall\, \mathbf{u} \in V_n, \mathbf{v} \in V_m, (\mathbf{u}, \mathbf{v}) \neq (\mathbf{0}, \mathbf{0})\}$.*

Let $F \in \mathcal{F}_{n,m}$; then $\frac{1}{2^m} \leq dp(F) \leq 1$, where the lower bound holds if and only if $F$ is bent and the upper bound is reached when $F$ is linear or affine. The differential uniformity of $F \in \mathcal{F}_{n,m}$ and its differential potential are related as follows: $dp(F) = \frac{1}{2^n} DU(F)$. The differential profile at $(\mathbf{u}, \mathbf{v})$ is related to the autocorrelation at the same point in the following way Nyberg (1995): $\delta_F(\mathbf{u}, \mathbf{v}) = \frac{1}{2^{n+m}} \sum_{\mathbf{w} \in V_m} r_F(\mathbf{u}, \mathbf{w}) \chi_{\mathbf{v}}(\mathbf{w})$.
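The differential distribution table, $DU(F)$ and $dp(F)$ defined above can be computed with a short sketch (assuming $n = m$ and an S-box given as a list of $2^n$ integer outputs; all names are ours):

```python
# Differential distribution table and differential uniformity of an S-box S.
def ddt(S):
    n = len(S).bit_length() - 1
    table = [[0] * len(S) for _ in range(len(S))]
    for u in range(2 ** n):
        for x in range(2 ** n):
            table[u][S[x] ^ S[x ^ u]] += 1     # one more x with Delta_u F(x) = v
    return table

def differential_uniformity(S):
    t = ddt(S)
    return max(t[u][v] for u in range(len(S)) for v in range(len(S))
               if (u, v) != (0, 0))

S = [0, 1, 3, 2]                               # a linear 2-bit S-box
print(differential_uniformity(S))              # 4 = 2^n, so dp(F) = DU(F)/2^n = 1
```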

### **3. Characteristics**

The resistance of cryptosystems to the known attacks can be quantified through some fundamental characteristics of the Vector Boolean functions used in them. In this chapter, we consider the characteristics most commonly employed for the design of the cryptographic functions present in modern block and stream ciphers.

### **3.1 Nonlinearity**

**Definition 11.** *The nonlinearity of a Boolean function $f \in \mathcal{F}_n$ is a characteristic defined as the distance to the nearest affine function, as follows: $NL(f) = \min_{a_{\mathbf{u}} \in \mathcal{A}_n} d(f, a_{\mathbf{u}}) = 2^{n-1} - \frac{1}{2} \max_{\mathbf{u} \in V_n} |\hat{\chi}_f(\mathbf{u})|$ Meier & Staffelbach (1990).*

**Definition 12.** *The nonlinearity of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the nonlinearities of all nonzero linear combinations of the coordinate functions of $F$ Nyberg (1993):*

$$NL(F) = \min_{\mathbf{v} \neq \mathbf{0} \in V_m} NL(\mathbf{v} \cdot F) = 2^{n-1} - \frac{1}{2} \max{}^{*}(\mathrm{WS}(F)(\mathbf{u}, \mathbf{v})) \tag{11}$$

Alternatively, and also associated with the cardinality of the sets of values for which $F \in \mathcal{F}_{n,m}$ satisfies any given linear relation parametrized by $(\mathbf{u}, \mathbf{v})$, we can define the *linear potential* of $F \in \mathcal{F}_{n,m}$ as $lp(F) = \frac{1}{2^{2n}} \cdot \max^{*}(\mathrm{WS}(F)(\mathbf{u}, \mathbf{v})^2)$, which is also exploited as a measure of linearity in linear cryptanalysis, and satisfies Chabaud & Vaudenay (1994) $\frac{1}{2^n} \leq lp(F) \leq 1$, so that the lower bound holds if and only if $F$ has maximum nonlinearity ($F$ is bent) and the upper bound is reached when $F$ is linear or affine.

### **3.2 Linearity distance**

**Definition 13.** *The linearity distance of a Vector Boolean function $F \in \mathcal{F}_{n,m}$ is defined as the minimum among the linearity distances of all nonzero linear combinations of the coordinate functions of $F$:*

$$LD(F) = \min_{\mathbf{v} \neq \mathbf{0} \in V_m} LD(\mathbf{v} \cdot F) = 2^{n-1} \cdot \min_{\mathbf{u} \neq \mathbf{0} \in V_n,\, \mathbf{v} \neq \mathbf{0} \in V_m} \{\delta_F(\mathbf{u}, \mathbf{v})\} \tag{12}$$

**Definition 14.** *The linearity distance can be expressed in terms of the differential potential as follows Pommerening (2005):*

$$LD(F) = 2^{n-1} \cdot (1 - dp(F)) = 2^{n-1} \cdot \left(1 - \max{}^{*}(\mathrm{DP}(F))\right)$$

### **3.3 Balancedness**

**Definition 15.** *$f \in \mathcal{F}_n$ is balanced if its output is uniformly distributed over $\mathrm{GF}(2)$, satisfying $\hat{\chi}_f(\mathbf{0}) = 0$.*

**Definition 16.** *$F \in \mathcal{F}_{n,m}$ is balanced (or is said to have balanced output) if each possible output $m$-tuple occurs with equal probability $\frac{1}{2^m}$, that is, its output is uniformly distributed in $V_m$. This is equivalent to saying that for every $\mathbf{y} \in V_m$:*

$$\#\{\mathbf{x} \in V_n \mid F(\mathbf{x}) = \mathbf{y}\} = 2^{n-m} \longleftrightarrow \hat{\theta}_F(\mathbf{0}, \mathbf{v}) = 0, \ \forall\, \mathbf{v} \neq \mathbf{0} \in V_m \tag{13}$$
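As a closing sketch, Definitions 11 and 15 can be evaluated directly from the Walsh spectrum (truth-table representation and helper names as in the earlier sketches; they are ours, not the chapter's):

```python
# Nonlinearity NL(f) = 2^(n-1) - (1/2) max_u |WS(f)(u)| and balancedness
# (WS(f)(0) == 0), both read off the Walsh spectrum of a truth table.
def walsh_at(tt, u, n):
    return sum((-1) ** (tt[x] ^ (bin(u & x).count("1") & 1)) for x in range(2 ** n))

def nonlinearity(tt):
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(walsh_at(tt, u, n)) for u in range(2 ** n)) // 2

def is_balanced(tt):
    return walsh_at(tt, 0, len(tt).bit_length() - 1) == 0

print(nonlinearity([0, 0, 0, 1]), is_balanced([0, 0, 0, 1]))  # AND: 1 False
print(nonlinearity([0, 1, 1, 0]), is_balanced([0, 1, 1, 0]))  # XOR: 0 True
```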
