GENERALIZED NONLINEARITY OF S-BOXES

Abstract. While analyzing S-boxes, or vectorial Boolean functions, it is of interest to approximate their component functions by affine functions. In the usual attack models, it is assumed that all input vectors to an S-box are equiprobable. The nonlinearity of an S-box is defined subject to this assumption. In this paper, we explore the possibility of linear cryptanalysis of an S-box by introducing biased inputs, and thus propose a generalized notion of nonlinearity along with a generalization of the Walsh-Hadamard spectrum of an S-box.


Introduction
Let $\mathbb{F}_2$ be the finite field with two elements and $\mathbb{Z}$ be the ring of integers. For any $n \in \mathbb{Z}^+$, the set of positive integers, let $[n] = \{1, \dots, n\}$. The Cartesian product of $n$ copies of $\mathbb{F}_2$ is $\mathbb{F}_2^n = \{x = (x_1, \dots, x_n) : x_i \in \mathbb{F}_2, i \in [n]\}$, which is an $n$-dimensional vector space over $\mathbb{F}_2$. For any $m, n \in \mathbb{Z}^+$, a function $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ is said to be an $(n, m)$ vectorial Boolean function (in short, an $(n, m)$-function) or an $n \times m$ S-box. An $(n, 1)$-function is said to be a Boolean function in $n$ variables. S-boxes are important components in block cipher designs, since usually they are the only sources of nonlinearity. The DES S-boxes have been studied for more than three decades and their analysis is still relevant today. Similarly, the AES S-box has been studied extensively.
Matsui [5] introduced the linear cryptanalysis of block ciphers which involves linear approximation of the S-boxes employed in their designs. The component functions of the S-boxes are approximated by linear Boolean functions by assuming all the input vectors to be equiprobable. In this paper, we generalize the notion of linear approximation of S-boxes by introducing a framework where some of the input variables are biased although all the variables are independent. We sketch the possibility of a chosen-plaintext attack based on these considerations.
Boolean functions with biased inputs, which we refer to as $\mu_p$-Boolean functions, are a common generalization of Boolean functions which stems from the theory of random graphs developed by [1]. Graph properties in a random graph, expressed as such Boolean functions, are used by Friedgut and Kalai [2]. For a detailed discussion of the Fourier analysis of $\mu_p$-Boolean functions we refer to [6, Chapter 8]. Biased analysis has recently been considered for the cryptanalysis of the stream ciphers $E_0$ and Shannon by Lu and Desmedt [4]. Generalized S-box nonlinearity has been considered by Parker [7], using the nega-Hadamard spectrum of S-boxes. The recent work [3] has shown the connection between Boolean functions with biased inputs and nega-Hadamard spectra by resorting to quantum implementations of Boolean functions.
Our current work establishes a new design criterion for cryptographically secure S-boxes. We also believe that this is an important step towards developing cryptanalytic techniques based on Parker's theory [7].

Linear approximations of an S-box
An S-box $F$ can also be thought of as a sequence of Boolean functions written as These are said to be the coordinate functions of $F$. $\mathbb{F}_2$-linear combinations of coordinate functions are said to be component functions. For any $v \in \mathbb{F}_2^m$, $v \cdot F$ is a component function of $F$. The inner product is defined by $x \cdot y = \sum_{i \in [n]} x_i y_i$. The linear function corresponding to $u \in \mathbb{F}_2^n$ is $\varphi_u(x) = u \cdot x$, for all $x \in \mathbb{F}_2^n$. The intersection of two vectors $x = (x_1, \dots, x_n)$, $y = (y_1, \dots, y_n)$ in $\mathbb{F}_2^n$ is defined by $x * y = (x_1 y_1, \dots, x_n y_n)$. The (Hamming) distance between two Boolean functions $f, g : \mathbb{F}_2^n \to \mathbb{F}_2$ is $d(f, g) = |\{x \in \mathbb{F}_2^n : f(x) \neq g(x)\}|$. Thus, the Hamming distance between the component function $v \cdot F$ and the linear function $\varphi_u$ is where . The nonlinearity of $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ is given by (2) $\mathrm{nl}(F) = \min$

Suppose that max
If the value of $|W_F(u_0, v_0)|$ is high, then the component function $v_0 \cdot F(x)$ can be efficiently approximated by $u_0 \cdot x$ or its complement. Suppose that a plaintext block $x = (x_1, \dots, x_n) \in \mathbb{F}_2^n$, XOR-ed with the key $k = (k_1, \dots, k_n) \in \mathbb{F}_2^n$ and then acted upon by $F$, produces the ciphertext $y = (y_1, \dots, y_m) = F(x \oplus k) \in \mathbb{F}_2^m$. Let $X, Y, K$ be the random variables corresponding to plaintext, ciphertext and key, respectively. Then is true with a probability close to 1. Thus, if we have a large sample of plaintext-ciphertext pairs, we will be able to establish linear relationships between the key bits. This leads to the linear cryptanalysis of block ciphers, which was introduced by [5] for the cryptanalysis of DES.

Linear approximation of an S-box with respect to partially biased inputs
is an $m$-tuple of random variables corresponding to plaintexts, ciphertexts and keys, respectively, such that

3.1.
Linear approximations when the inputs are partially biased. To simplify the notation, assume that the input to $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ is $X = (X_1, \dots, X_n)$ having the following distribution.
We say that a component function $v \cdot F$ can be approximated by Let $e_i \in \mathbb{F}_2^n$ be the vector whose $i$th component is 1 and whose remaining components are 0, for all $i \in [n]$. Define $e_S = \sum_{i \in S} e_i$. We introduce a notion of distance similar to that in [3] as follows: is a generalization of the Walsh-Hadamard transform for vectorial Boolean functions (S-boxes). As a side problem, we propose to the community that the transform defined in (7) be investigated for different S-boxes.

3.2.
A chosen-plaintext attack model. Let the coordinates of K be i.i.d.
(independent and identically distributed), i.e., If $X_i$ and $K_i$ had been independent, then assuming $\Pr[X_i = 0] = q_i$, we would have In other words, the distribution of $X_i \oplus K_i$ would have been unbiased, irrespective of the bias in $X_i$. But since we make $X_i$ dependent on our guess of $K_i$, the above result does not hold and we can bias the distribution of $X_i \oplus K_i$. If we guess the key bits $k_i$ for all $i \in S$, then for all $i \in [n]$ we can simulate $X_i \oplus K_i$ such that for any $0 \le p \le 1$, by choosing the $X_i$ appropriately and ensuring that the $X_i \oplus K_i$ are independent random variables. From the discussion above we observe that, employing a chosen-plaintext model, it is possible to ensure that the input to an S-box (equivalently, the vectorial Boolean function) $F$ is partially biased. With respect to such a partially biased input, if a component function of $F$ can be approximated by a linear function $\varphi_u$ or its complement, then one may be able to apply linear cryptanalysis techniques to $F$.
Suppose that $v_0 \cdot F$ is close to a linear function $\varphi_u$ when the inputs of the variables with indices in $S_0$ are biased. Then we can choose plaintexts $x$, with respect to each guess of the key segment $e_{S_0} * k$, such that the following equation is satisfied with high probability To be more precise Thus the knowledge of $u_0 \cdot (e_{S_0} * k)$, $u_0 \cdot x$ and $v_0 \cdot y$ allows us to derive relationships between the unknown key bits of $k$, which form the vector $(1 \oplus e_{S_0}) * k$. This might be translated into key recovery in time less than exhaustive search.

3.3.
and $v \in \mathbb{F}_2^m$. Consider an S-box $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$. Then from Equation (3), we have The absolute value of the bias of the above event is If the inputs follow the probability distribution (5), then from Equation (10), we have $W^{(p)}_{F,S}(u, v)$ and the corresponding absolute value of the bias According to [5], if for an SPN-based iterated block cipher we can pile up the biases up to the last-but-one round, and we can form a linear equation involving a subset of the key bits that holds with a probability $q \neq \frac{1}{2}$, then we can mount linear cryptanalysis to find the values of that subset of key bits independently of the other key bits. For a constant success probability, the number of samples (i.e., plaintext-ciphertext pairs) required is given by where $\delta = |q - \frac{1}{2}|$. Now, for some S-box $F$ used in the block cipher, for some $S \subseteq [n]$, if we can find a suitable $p$, $0 < p < 1$, and $v \in \mathbb{F}_2^m$ such that (11) $\max_{u \in \mathbb{F}_2^n}$ (p) then we can pile up the biases such that the resulting bias $q_p$ (for biased inputs as per distribution (5)) of the subkey-dependent expression corresponding to the last-but-one round is larger than the usual bias $q$ without biased input. Thus, $\delta_p = |q_p - \frac{1}{2}|$ would be greater than $\delta$, thereby requiring fewer samples for linear cryptanalysis using biased inputs. The reduced data complexity would also lead to a reduced time complexity of the attack.
Note that, as long as one is able to find at least one $S \subseteq [n]$ and one suitable $p$, $0 < p < 1$, such that Equation (11) holds, one can mount a better attack. However, if one performs an offline exhaustive enumeration of all the biases by varying all the parameters, then one would be able to mount the optimal attack.
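As an added illustration (code written for this page, not taken from the paper), the following Python computes the usual Walsh-Hadamard spectrum and nonlinearity of an $(n, m)$-function and a biased variant of the correlation in which the coordinates indexed by $S$ take the value 0 with probability $p$ while the rest stay uniform, the situation Sections 3.1 and 3.3 describe. The biased transform is an assumed formulation of that idea, not the paper's definition (7), and the $(2,1)$-function used as input is a constructed toy example.

```python
# Added example, not from the paper. Walsh-Hadamard spectrum and
# nonlinearity of an (n, m)-function, plus the correlation of a component
# function with a linear function under partially biased inputs. The biased
# transform is an assumed formulation, not the paper's (7): coordinates with
# index in S take 0 with probability p, all others are uniform, independent.

def inner(a, b):
    """F_2 inner product of two equal-length bit tuples."""
    return sum(x & y for x, y in zip(a, b)) & 1

def bits(k, n):
    """Integer k as the bit tuple (x_1, ..., x_n), x_1 most significant."""
    return tuple((k >> (n - 1 - i)) & 1 for i in range(n))

def all_vectors(n):
    """Every vector of F_2^n as a bit tuple."""
    return [bits(k, n) for k in range(2 ** n)]

def walsh(F, n, u, v):
    """W_F(u, v) = sum_x (-1)^(v.F(x) xor u.x); F is a list of m-bit tuples
    indexed by the integer value of x."""
    return sum((-1) ** (inner(v, F[x]) ^ inner(u, bits(x, n)))
               for x in range(2 ** n))

def nonlinearity(F, n, m):
    """nl(F) = 2^(n-1) - (1/2) max over u and nonzero v of |W_F(u, v)|."""
    w = max(abs(walsh(F, n, u, v)) for u in all_vectors(n)
            for v in all_vectors(m) if any(v))
    return 2 ** (n - 1) - w // 2

def biased_correlation(F, n, u, v, S, p):
    """E[(-1)^(v.F(X) xor u.X)] with Pr[X_i = 0] = p for i in S (1-based)
    and Pr[X_i = 0] = 1/2 otherwise; equals W_F(u, v) / 2^n when p = 1/2."""
    total = 0.0
    for x in range(2 ** n):
        xb = bits(x, n)
        prob = 1.0
        for i, xi in enumerate(xb, start=1):
            q = p if i in S else 0.5
            prob *= (q if xi == 0 else 1 - q)
        total += prob * (-1) ** (inner(v, F[x]) ^ inner(u, xb))
    return total

def approx_probability(F, n, u, v, S, p):
    """Pr[v.F(X) = u.X] under the biased distribution, i.e. (1 + c) / 2."""
    return (1 + biased_correlation(F, n, u, v, S, p)) / 2

# Constructed toy (2, 1)-function F(x_1, x_2) = x_1 x_2, indexed by x_1 x_2.
AND2 = [(0,), (0,), (0,), (1,)]

if __name__ == "__main__":
    print("nl(AND2) =", nonlinearity(AND2, 2, 1))
    # Biasing x_1 toward 0 (S = {1}, p = 0.99) makes F almost constant 0.
    print("Pr[F(X) = 0] =", approx_probability(AND2, 2, (0, 0), (1,), {1}, 0.99))
```

With $p = 1/2$ the biased correlation reduces to $W_F(u, v)/2^n$, which is the uniform-input special case the paper refers to; raising $p$ on a single coordinate already pushes the approximation probability of the toy function from $3/4$ to about $0.995$.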

3.4.
A piling-up lemma in the biased context. Let $S \subseteq [n]$ and $X_i$, $1 \le i \le k$, be independent random variables whose values are as in (5). We let and the bias of a random variable $X$ with some probability distribution $p$ is defined by $\epsilon_X = p - \frac{1}{2}$. Thus, for our $X_i$,  and $X_i$, $1 \le i \le k$, be independent random variables whose values are as in (5). Then the probability that $X_1 \oplus X_2 \oplus \cdots \oplus X_k = 0$ is and therefore the bias of $X = X_1 \oplus X_2 \oplus \cdots \oplus X_k$ is $\epsilon_X = 2^{k-1} \prod_{i=1}^{k} \epsilon_i$.
The following corollary is obvious.
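The piling-up statement above, checked numerically as an added example (not the paper's code): the closed form $\frac{1}{2} + 2^{k-1}\prod_i \epsilon_i$ is compared with an exhaustive sum over all assignments of the independent bits, using constructed values of $\Pr[X_i = 0]$.

```python
# Added example, not from the paper: the piling-up lemma for independent
# biased bits, with Pr[X_i = 0] = p_i, compared against exhaustive enumeration.
from itertools import product
from math import prod

def bias(p):
    """Bias epsilon = p - 1/2 of a bit X with Pr[X = 0] = p."""
    return p - 0.5

def piled_probability(ps):
    """Pr[X_1 xor ... xor X_k = 0] = 1/2 + 2^(k-1) * prod(eps_i)."""
    k = len(ps)
    return 0.5 + 2 ** (k - 1) * prod(bias(p) for p in ps)

def exhaustive_probability(ps):
    """Same probability summed directly over all 2^k assignments; the bits
    are independent, so each assignment has the product probability."""
    total = 0.0
    for xs in product((0, 1), repeat=len(ps)):
        if sum(xs) % 2 == 0:          # even weight means the XOR is 0
            total += prod(p if x == 0 else 1 - p for p, x in zip(ps, xs))
    return total

if __name__ == "__main__":
    # Constructed input: three bits biased as in the attack model, the last
    # one unbiased. A single unbiased bit forces the piled-up bias to zero.
    for ps in ([0.99, 0.99], [0.9, 0.7, 0.6], [0.99, 0.99, 0.5]):
        print(ps, piled_probability(ps), exhaustive_probability(ps))
```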

Experimental results with DES and AES S-boxes
In Section 3.3, we discussed how to mount a more efficient attack with biased inputs if we can have $\max_{u \in \mathbb{F}_2^n}$ (p) for some S-box $F$ used in a block cipher. In this section, we analyse some S-boxes $F$ by computing the following ordered pair {2,4,6} $(u_0, e_1 \cdot F)$. Therefore, It seems that if we assume values of $e_{\{2,4,6\}} * K$ and choose $X$ as described in the attack model, then either is true with probability 0.994, depending on whether $W^{(0.99)}_{F,\{2,4,6\}}(u_0, e_1)$ is positive or negative, respectively.
In Table 1, we list $\max_{u \in \mathbb{F}_2^n}$ $(u, v \cdot F)$ and $\max_{u \in \mathbb{F}_2^n}$ (p)

Conclusion
Linear cryptanalysis of block ciphers involving S-boxes requires the approximation of component functions of some of the S-boxes by affine functions. Typically, linear cryptanalysis assumes that the inputs to the S-boxes are uniformly distributed over the set of all binary strings of the same length as the data width. Analysis of S-boxes when the input distribution is biased has remained an open problem so far. In this paper, for the first time, we generalized the concept of nonlinearity of S-boxes to biased inputs. We showed that the typical case of the uniform distribution is a special case of our generalized analysis. Moreover, we outlined a chosen-plaintext attack model that can exploit the above analysis.
Our results establish a new design criterion for cryptographically secure S-boxes. More research is needed in this direction to explore the possibility of efficient practical cryptanalysis using our approach.