On the algebraic immunity of multiplexer Boolean functions

Prasanna R. Mishra; Shashi Kant Pandey

doi:10.1515/jmc-2021-0027

Artikel Open Access

On the algebraic immunity of multiplexer Boolean functions

Prasanna R. Mishra und Shashi Kant Pandey

Veröffentlicht/Copyright: 15. Juli 2022

Veröffentlicht von

Veröffentlichen auch Sie bei De Gruyter Brill

Manuskript einreichen Informationen für Autor*innen

Aus der Zeitschrift Journal of Mathematical Cryptology Band 16 Heft 1

Abstract

A multiplexer generator is a device that accepts two or more inputs and based on some logic sends one of them as output. In a special case when inputs to a multiplexer generator are 2 k bits and one of them is selected according to the value of a k -bit number, a multiplexer generator can be regarded as a Boolean function in 2 k + k variables. We call this generator a multiplexer Boolean function. Boolean functions serve as combiners and filters in cryptographic designs. The study of their cryptographic strength attracts the cryptographer because of the extremely simple and cost effective of their design. The study of algebraic attacks on multiplexer generators is another major concern to judging the suitability for its use in cryptographic designs. In this article, we calculate the algebraic immunity of the multiplexer Boolean function, which is not an obvious task in the case of a Boolean function like a multiplexer generator.

Keywords: Boolean function; multiplexer; algebraic immunity

MSC 2010: 06E30; 94C10; 94Dxx

1 Introduction

In telecommunications and computer networks, a multiplexer generator (or simply a mux) is a device [1] that selects one of several inputs and forwards the selected input into a single line. The main purpose of employing a multiplexer is to share an expensive resource. In digital circuit design, multiplexers are used to implement a Boolean logic. Here the inputs to a multiplexer are binary values (0 or 1). Most commonly, such a multiplexer selects one out of 2 k , k ∈ N , input lines with the help of k select lines having binary values. A multiplexer of this kind is called a 2 k : 1 multiplexer. The working of a 2 k : 1 multiplexer is described as follows.

There are 2 k possible values that may be used to label the 2 k input lines. At a particular instant, the input whose label matches with the value at select lines is selected to be sent as output. For example, a 8 : 1 multiplexer is shown in Figure 1. There are eight input lines and three select lines. The eight input lines are labeled as 000, 001, 010, 011, 100, 101, 110, and 111. In this figure, the select line has values 110 and then the input at label 110 is sent as output which is 0. A 2 k : 1 multiplexer takes 2 k + k binary values and gives the output as one binary value. Therefore, a 2 k : 1 multiplexer can be regarded as a Boolean function in 2 k + k variables. We call this Boolean function a multiplexer Boolean function. Boolean functions are used as combiners and filters in cryptographic designs, especially in stream ciphers. A cryptographic Boolean function should be easy to implement, less resource consuming, and should be cryptographically robust [2,3]. In the next section, some essential preliminary definitions for the cryptographic analysis of a Boolean function are presented.

Figure 1

An 8:1 multiplexer.

2 Preliminaries

A Boolean function is a function from the n dimensional vector space F 2 n over F 2 into F 2 . Here the set of all Boolean functions defined on F 2 n is denoted as ℬ n . A Boolean function f ∈ ℬ n can be uniquely written as a multivariate polynomial in F 2 [ x 1 , x 2 , … , x n ] as,

(1) f ( x 1 , x 2 , … , x n ) = ⊕ P ⊆ { 1 , 2 , 3 , … , n } a P ∏ p ∈ P x p .

The above representation of any Boolean function is called its algebraic normal form of f . The algebraic degree of f , denoted as deg ( f ) , is defined as,

deg ( f ) = max { ∣ P ∣ : P ⊆ { 1 , 2 , 3 , … , n } , a P ≠ 0 } ,

where ∣ P ∣ denotes cardinality of the set P . A Boolean function of algebraic degree one or less than one is called an Affine Boolean function. The set of all Affine Boolean functions in ℬ n is denoted as A n .

Let f , g ∈ ℬ n . The Hamming distance between f and g is denoted as d H ( f , g ) , and it is the number of points at which values of f and g differ. Mathematically,

d H ( f , g ) = ∣ { x ∈ F 2 n : f ( x ) ≠ g ( x ) } ∣ .

The nonlinearity of a Boolean function is defined as,

(2) n l ( f ) = min g ∈ A n d H ( f , g ) ,

where d H ( f , g ) is the Hamming distance between f and g , which is equal to the Hamming weight of f + g . The Walsh transformation of a Boolean function is defined as a real valued function W f on F 2 n , and

(3) W f ( w ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) + w ⋅ x ,

where w ⋅ x is an inner product of w and x ∈ F 2 n , which is defined as w 1 x 1 + w 2 x 2 + … + w n x n . Walsh transformation and nonlinearity of a Boolean function from ℬ n are connected with the following relation:

(4) n l ( f ) = 2 n − 1 − 1 2 max w ∈ F 2 n ∣ W f ( w ) ∣ .

A Boolean function with flat Walsh spectrum value 2 n / 2 is called the bent Boolean function [4,5,6]. Obviously, it exists only for the even values of n . From this we can obtain the upper bound for the nonlinearity of a bent function which is 2 n − 1 − 2 n / 2 − 1 .

For any Boolean function f ∈ ℬ n , a nonzero function g ∈ ℬ n is called an annihilator of f if f g = 0 , and the algebraic immunity of f , denoted by A I ( f ) , is the minimum value of degree ( d ) such that f or f + 1 admits an annihilator of degree d [7]. It is known that the algebraic immunity of an n -variable Boolean function is bounded above by ⌈ n / 2 ⌉ [8]. To resist algebraic attacks, a Boolean function should have a high algebraic immunity.

3 Multiplexer Boolean function

In this section, we define a multiplexer Boolean function in rigorous mathematical terms. As discussed earlier, a 2 k : 1 , ( k ≥ 1 ) multiplexer has k + 2 k inputs and one output. It may be regarded as a Boolean function in ℬ k + 2 k . It is known that F 2 k + 2 k ≅ F 2 k × F 2 2 k . Therefore, X ∈ F 2 k + 2 k can be written as X = ( Y , Z ) , where Y ∈ F 2 k and Z ∈ F 2 2 k . Let f be a 2 k : 1 , k ≥ 1 , multiplexer Boolean function. Let Y = ( y 0 , y 1 , … , y k − 1 ) ∈ F 2 k and Z = ( z 0 , z 1 , … , z 2 k − 1 ) ∈ F 2 2 k . Then output of the multiplexer Boolean function is z t , where t is the decimal number whose binary digits are y 0 , y 1 , … , y k − 1 in the order of their increasing significance. We identify t with Y . With this identification, the output of the multiplexer can be written as:

f ( X ) = f ( ( Y , Z ) ) = z Y .

Another presentation of multiplexer Boolean function, f ( X ) = f ( ( Y , Z ) ) may be written as:

(5) f ( X ) = ⊕ Y ′ ∈ F 2 k δ ( Y ⊕ Y ′ ) z Y ′ ,

where δ is the Kronecker delta function. It takes value 1 when all inputs are zero and zero otherwise. δ may be defined as:

δ ( Y ) = ( y 0 ⊕ 1 ) ( y 1 ⊕ 1 ) … ( y k − 1 ⊕ 1 ) .

Clearly, the degree of δ is k and hence from (5), algebraic degree of a multiplexer Boolean function f is k + 1 . Trade off between algebraic immunity and degree of a Boolean function is one of the methods to fix its cryptographic suitability. Here we found that the degree of multiplexer Boolean function is quite low, which is not a common suitable choice for a filter or combiner functions. Further we study the algebraic immunity of multiplexer Boolean function and present the exact enumeration of algebraic immunity in the next section, which is quite practical measure in the direct use of multiplexer Boolean function as a filter function.

3.1 Algebraic immunity of multiplexer Boolean function

The statistical independence between input and output of a filter function is one of the preferred strength for its cryptographic use. Golić and Morgari have proposed the correlation attack on the multiplexer generator in ref. [9]. The future work on the design of immune multiplexer for enhanced keystream in stream cipher is emphasized in ref. [10].

The next theorem is an alternative definition of multiplexer Boolean function and with perpetuation of the notation in ref. [11], here we adopt the same notations.

Theorem 1

A Boolean function

f k ( y 0 , y 1 , … , y k − 1 , z 0 , z 1 , … , z 2 k − 1 ) ∈ ℬ k + 2 k ,

where k ≥ 1 represents a 2 k : 1 multiplexer Boolean function if and only if it satisfies the recurrence relation:

(6) f k + 1 ( Y , Z ) = ( 1 + y k ) f k ( Y , Z 1 ) + y k f k ( Y , Z 2 ) ,

where

Y = ( y 0 , y 1 , … y k − 1 , y k ) , Z 1 = ( z 0 , z 1 , … , z 2 k − 1 ) , Z 2 = ( z 2 k , z 2 k + 1 , … , z 2 k + 1 − 1 ) ,

and

Z = ( Z 1 , Z 2 ) .

Proof

We apply induction on k to show that for k ≥ 1 , f k ( y 0 , y 1 , … , y k − 1 , Z 1 ) represents a 2 k : 1 multiplexer Boolean function. For k = 1 we have f 1 ( y 0 , z 0 , z 1 ) = y 0 z 0 + y 0 z 1 + z 0 , which is clearly a 2 : 1 multiplexer Boolean function. Now we assume that the theorem is true for k ∈ N and let t = 2 k y k + 2 k − 1 y k − 1 + … + y 0 . Now from the definition of multiplexer Boolean function and the value of t ,

(7) f k ( y 0 , y 1 , … , y k − 1 , Z 1 ) = z t − 2 k y k

and

(8) f k ( y 0 , y 1 , … , y k − 1 , Z 2 ) = z 2 k + t − 2 k y k .

Using (7) and (8) and from induction hypothesis we have,

(9) f k + 1 ( Y , Z ) = f k + 1 ( y 0 , y 1 , … , y k − 1 , y k , z 0 , z 1 , … , z 2 k + 1 − 1 ) = z t − 2 k y k ( 1 + y k ) + z 2 k + t − 2 k y k y k .

There are two choices of y k ∈ F 2 and using them separately on (9), we obtain two following cases:

Case 1: ( y k = 0 )

f k + 1 ( Y , Z ) = f k + 1 ( y 0 , y 1 , … , y k − 1 , y k , z 0 , z 1 , … , z 2 k + 1 − 1 ) = z t ⊕ 0 = z t .

Case 2: ( y k = 1 )

f k + 1 ( Y , Z ) = f k + 1 ( y 0 , y 1 , … , y k − 1 , y k , z 0 , z 1 , … , z 2 k + 1 − 1 ) = z t . 0 ⊕ z t = z t .

Finally from both of the above cases, the multiplexer Boolean function is

f k + 1 ( Y , Z ) = f k + 1 ( y 0 , y 1 , … , y k − 1 , y k , z 0 , z 1 , … , z 2 k + 1 − 1 ) = z t .

Thus, induction completes the proof.□

In the next theorem, we show the correspondence between the annihilator of multiplexer Boolean function and its complement from the new representation of this function as discussed in the preceding theorem.

Theorem 2

Let X = ( Y , Z ) , where Y ∈ F 2 k , Z ∈ F 2 2 k , and f k ( X ) = f k ( ( Y , Z ) ) is a multiplexer Boolean function. Then there exists a one-to-one correspondence between annihilators of f k and f k + 1 , such that each annihilator of f k is mapped onto some annihilator of f k + 1 of the same degree.

Proof

Let 1 ∈ F 2 2 k denote the vector ( 1 , 1 , … , 1 ) . Now from the definition of multiplexer,

(10) f k ( Y , Z ) = z Y

and

(11) f k ( Y , Z + 1 ) = ( z + 1 ) Y = z Y + 1 .

Now (10) and (11) imply that

(12) f k ( Y , Z + 1 ) = 1 + f k ( Y , Z ) .

Now from (12), it is clear that if g k ( Y , Z ) is any annihilator of f k ( Y , Z ) of degree d , then g k ( Y , Z + 1 ) is an annihilator of degree d of 1 + f k ( Y , Z ) . This ensures one-to-one correspondence of f k ( Y , Z ) and 1 + f k ( Y , Z ) .□

The next theorem presents an important information about the algebraic immunity of a multiplexer Boolean function. It refers to the idea that how the algebraic immunity increases with the increment of the number of variables in the recurrence relation of a multiplexer Boolean function presented in Theorem 1. To find the algebraic immunity of f k , we have to find least degree annihilator of f k only. We proceed with the following lemma which will be used to establish the aforementioned assertions about algebraic immunity of multiplexer Boolean function. Recall that Aℐ ( f ) denotes the algebraic immunity of a multiplexer Boolean function.

Lemma 1

For k ≥ 1 , let f k be a multiplexer Boolean function. Then

Aℐ ( f k ) ≤ k + 1 .

Proof

We apply induction on k . For k = 1 we have f 1 ( y 0 , z 0 , z 1 ) = y 0 z 0 + y 0 z 1 + z 0 . To find its annihilator, we see that

( y 0 z 0 + y 0 ) ⋅ f 1 ( y 0 , z 0 , z 1 ) = ( y 0 z 0 + y 0 ) ⋅ ( y 0 z 0 + y 0 z 1 + z 0 ) = 0 ,

which implies that y 0 z 0 + y 0 annihilates f 1 . Therefore, Aℐ ( f 1 ) ≤ 2 . Now we assume the theorem to be true for some k = m , m ∈ N . Then from the hypothesis,

Aℐ ( f m ) ≤ m + 1 .

Let g m ( Y , Z ) = g m ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m − 1 ) be an annihilator of the least degree, where Y = ( y 0 , y 1 , … , y m − 1 ) and Z = ( z 0 , z 1 , … , z 2 m − 1 ) , then deg g m ≤ m + 1 . We define function g m + 1 as

g m + 1 ( Y , y m , Z ) = ( 1 + y m ) g m ( Y , Z ) + y m g m ( Y , z 2 m , z 2 m + 1 , … , z 2 m + 1 − 1 ) .

It is easy to verify that g m + 1 annihilates f m + 1 . As

deg g m ≤ deg g m + 1 ≤ m + 2 ,

we conclude that

Aℐ ( f k ) ≤ k + 1 .

This completes the proof of induction as well as that of lemma.□

Now in the next theorem, we prove the statement made before the preceding lemma.

Theorem 3

For k ≥ 1 , let f k be a multiplexer Boolean function. Then,

Aℐ ( f k ) = k + 1 .

Proof

We apply induction on k . For k = 1 we have f 1 ( y 0 , z 0 , z 1 ) = y 0 z 0 + y 0 z 1 + z 0 . Let L be the set of all linear and affine functions in variables y 0 , z 0 , and z 1 , therefore, L = { y 0 + z 0 + z 1 , y 0 + z 0 + z 1 + 1 , y 0 , z 0 , z 1 , y 0 + 1 , z 0 + 1 , z 1 + 1 , y 0 + z 0 , y 0 + z 0 + 1 , z 0 + z 1 , z 0 + z 1 + 1 , y 0 + z 1 , y 0 + z 1 + 1 } . It is verified exhaustively that no one from L annihilates f 1 . In other words, there is no one degree annihilator of f 1 , while y 0 z 0 + y 0 annihilates f 1 . Therefore,

Aℐ ( f 1 ) = 2 .

Now we assume the theorem to be true for some k = m , m ∈ N . Then from the induction hypothesis

Aℐ ( f m ) = m + 1 .

Let g m + 1 ( y 0 , y 1 , … , y m , z 0 , z 1 , … , z 2 m + 1 − 1 ) be a least positive degree annihilator of f m + 1 . Without loss of generality, we may assume that

(13) g m + 1 ( y 0 , y 1 , … , y m , z 0 , z 1 … , z 2 m + 1 − 1 ) = ( 1 + y m ) g m 1 + y m g m 2 ,

where g m 1 and g m 2 are two polynomials in y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m + 1 − 1 . We have

(14) f m + 1 g m + 1 = 0 .

Now (6) and (14) imply that

(15) g m 1 × f m ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m − 1 ) = 0

and

(16) g m 2 × f m ( y 0 , y 1 , … , y m − 1 , z 2 m , z 2 m + 1 , … , z 2 m + 1 − 1 ) = 0 .

From (15) and the induction hypothesis, we have either g m 1 = 0 or deg g m 1 ≥ m + 1 . Similarly from (16) and induction hypothesis, either g m 2 = 0 or deg g m 2 ≥ m + 1 . Observe that both g m 1 and g m 2 cannot be simultaneously zero as g m + 1 is of positive degree. In view of Lemma 1,

m + 1 ≤ deg g m 1 ≤ m + 2 or m + 1 ≤ deg g m 2 ≤ m + 2 .

Further if any of the g m 1 or g m 2 is zero, other must have degree m + 1 . In this case, we have Aℐ ( f m + 1 ) = m + 2 . Now we have two cases:

Case 1: { deg g m 1 = m + 2 }

Either this is an impossible case (when deg ( g m 1 + g m 2 ) ≥ m + 2 ) or Aℐ ( f m + 1 ) = m + 2 .

Case 2: { deg g m 1 = m + 1 }

In this case, deg g m 2 must be equal to m + 1 . For deg g m 2 = m + 2 , deg g m + 1 = m + 3 . Here we observe two things. First, g m 1 must contain a term involving any of the variables y 0 , y 1 , … , y k − 1 , z 0 , z 1 , … , z 2 m − 1 as a function of z 2 m , z 2 m + 1 , … , z 2 m + 1 − 1 and it cannot annihilate

f m ( y 0 , y 1 , … , y k − 1 , y k , z 0 , z 1 , … , z 2 m + 1 − 1 ) .

The second thing we observe is that g m 1 ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m + 1 − 1 ) is a family of annihilators of f m ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m − 1 ) given by different values of variables z 2 m , z 2 m + 1 , … , z 2 m + 1 − 1 . We claim that in the ANF of g m 1 , there exists a term of degree m + 1 which does not involve any of the variables out of z 2 m , z 2 m + 1 , … , z 2 m + 1 − 1 . This holds true because in such case putting z 2 m = z 2 m + 1 = … = z 2 m + 1 − 1 = 1 will give an annihilator of f m ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m − 1 ) of a positive degree less than m + 1 . Similarly, we can prove that in the ANF of g m 2 , there exists a term of degree m + 1 , which does not involve any of the variables out of z 0 , z 1 , … , z 2 m − 1 . Because of this fact, the degree of g m 1 ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m + 1 − 1 ) + g m 2 ( y 0 , y 1 , … , y m − 1 , z 0 , z 1 , … , z 2 m + 1 − 1 ) will not be less than m + 1 . Consequently, Aℐ ( f m + 1 ) = m + 2 . Thus, from induction the theorem is proved.□

It is essential for cryptographic Boolean functions that they should have high nonlinearity and immunity from all algebraic attacks. In this article, we demonstrated the exact calculation of algebraic immunity of multiplexer Boolean function, which is still quite challenging in case of other well-known key stream generator such as product generator, Geffe generator, stop and go generator, alternating step generator, A5/1 generator, shrinking generator, and Knapsack generator. We found that multiplexer Boolean function or multiplexer generator has a significant algebraic immunity. An interesting finding in this work is the equality of the algebraic immunity and degree of a 2 k : 1 multiplexer Boolean function. Therefore, the methods [12,13,14, 15,16,17] based on the concatenation of two or more than two Boolean functions, chosen in some specific manner to construct a highly nonlinear Boolean function is recommended in case of direct use of multiplexer Boolean function [18,19].

Acknowledgment

We thank all the anonymous reviewers for their valuable comments and suggestions.

Conflict of interest: Authors state no conflict of interest.

References

[1] Horowitz P, Hill W. The art of electronics. 2nd edition. Cambridge University Press; 1980, (1989). Suche in Google Scholar

[2] Cusick TW, Stanica P. Cryptographic Boolean functions and applications. Amsterdam: Elsevier/Academic Press; 2009. 10.1016/B978-0-12-374890-4.00009-4Suche in Google Scholar

[3] Carlet C. Vectorial Boolean functions for cryptography. http://www.math.univ-paris13.fr/ carlet/chap-vectorial-fcts-corr.pdf. Suche in Google Scholar

[4] Rothaus OS. On “bent” functions. J Combinatorial Theory Ser A. 1976;20(3):300–5. 10.1016/0097-3165(76)90024-8Suche in Google Scholar

[5] Carlet C, Dobbertin H, Leander G. Normal extensions of bent functions. IEEE Trans Inform Theory. 2004;50(11):2880–5. 10.1109/TIT.2004.836681Suche in Google Scholar

[6] Mihaljević M, Gangopadhyay S, Paul G, Imai H. Generic cryptographic weakness of k-normal Boolean functions in certain stream ciphers and cryptanalysis of Grain-128. Period Math Hungar. 2012;65(2):205–27. 10.1007/s10998-012-4631-8Suche in Google Scholar

[7] Meier W, Pasalic E, Carlet C, Algebraic attacks and decomposition of Boolean functions. In: Advances in cryptology–EUROCRYPT 2004, Lecture Notes in Computer Science. Vol. 3027. Berlin: Springer; 2004. p. 474–91. 10.1007/978-3-540-24676-3_28Suche in Google Scholar

[8] Courtois NT, Meier W. Algebraic attacks on stream ciphers with linear feedback. In: Advances in cryptology–EUROCRYPT 2003. Lecture Notes in Computer Science. Vol. 2656. Berlin: Springer; 2003. p. 345–59. 10.1007/3-540-39200-9_21Suche in Google Scholar

[9] Golić JDj, Morgari G. Optimal correlation attack on the multiplexer generator. Inform Process Lett. 2009;109(15):838–41. 10.1016/j.ipl.2009.04.009Suche in Google Scholar

[10] Sulaiman HA, Othman MA, Othman MF, AbdRahim Y, Pee NC. Advanced Computer and Communication Engineering Technology: Proceedings of ICOCOE 2015, eBook ISBN 978-3-319-24584-3, Lecture Notes in Electrical Engineering. Vol. 362; 2016. Suche in Google Scholar

[11] Carlet C, Dalai DK, Gupta KC, Maitra S. Algebraic immunity for cryptographically significant Boolean functions: analysis and construction. IEEE Trans Inform Theory. 2006;52(7):3105–21. 10.1109/TIT.2006.876253Suche in Google Scholar

[12] Nyberg K. Perfect nonlinear S-boxes. In: Advances in cryptology–EUROCRYPT ’91 (Brighton, 1991), Lecture Notes in Computer Science. Vol. 547. Berlin: Springer: 1991. p. 378–86. 10.1007/3-540-46416-6_32Suche in Google Scholar

[13] Nyberg K. On the construction of highly nonlinear permutations. In: Advances in cryptology-EUROCRYPT ’92 (Balatonfüred, 1992), Lecture Notes in Computer Science. Vol. 658. Berlin: Springer; 1992. p. 92–8. 10.1007/3-540-47555-9_8Suche in Google Scholar

[14] Beelen P, Leander G. A new construction of highly nonlinear S-boxes. Cryptogr Commun. 2012;4(1):65–77. 10.1007/s12095-011-0052-4Suche in Google Scholar

[15] Kavut S, Yücel MD. Generalized rotation symmetric and dihedral symmetric Boolean functions-9 variable Boolean functions with nonlinearity 242. In: Applied algebra, algebraic algorithms and error-correcting codes, Lecture Notes in Computer Science. Vol. 4851. Berlin: Springer; 2007. p. 321–9. 10.1007/978-3-540-77224-8_37Suche in Google Scholar

[16] Pasalic E. A design of Boolean functions resistant to (fast) algebraic cryptanalysis with efficient implementation. Cryptogr Commun. 2012;4(1):25–45. 10.1007/s12095-011-0057-zSuche in Google Scholar

[17] Zhang X-M, Zheng Y. Cryptographically resilient functions. IEEE Trans Inform Theory. 1997;43(5):1740–7. 10.1109/18.623184Suche in Google Scholar

[18] Wang Q, Carlet C, Stanica P, Tan CH. Cryptographic properties of the hidden weighted bit function. Discrete Appl Math. 2014;174:1–10. 10.1016/j.dam.2014.01.010Suche in Google Scholar

[19] Carlet C, Feng K. An infinite class of balanced functions with optimal algebraic immunity, good immunity to fast algebraic attacks and good nonlinearity. In: Advances in cryptology-ASIACRYPT 2008, Lecture Notes in Computer Science. Vol. 5350. Berlin: Springer; 2008. p. 425–40. 10.1007/978-3-540-89255-7_26Suche in Google Scholar

Received: 2021-07-27

Revised: 2022-05-16

Accepted: 2022-06-22

Published Online: 2022-07-15

This work is licensed under the Creative Commons Attribution 4.0 International License.

Artikel in diesem Heft

https://doi.org/10.1515/jmc-2021-0027

Schlagwörter für diesen Artikel

Boolean function; multiplexer; algebraic immunity

Creative Commons

BY 4.0