Characterizing the upper bound on the transparency order of (n, m)-functions

Yu Zhou; You Wu; Bing Shen; Jinbo Wang; Rong Cheng

doi:10.1515/jmc-2023-0040

Enjoy 40% off

academic books on De Gruyter Brill *

Article Open Access

Characterizing the upper bound on the transparency order of (n, m)-functions

Yu Zhou , You Wu , Bing Shen , Jinbo Wang and Rong Cheng

Published/Copyright: July 9, 2024

Published by

Become an author with De Gruyter Brill

Submit Manuscript Author Information

From the journal Journal of Mathematical Cryptology Volume 18 Issue 1

Abstract

Transparency order ( TO ) is one of the indicators used to measure the resistance of ( n , m ) -function to differential power analysis. At present, there are three definitions: TO , redefined transparency order ( ℛTO ), and modified transparency order ( ℳTO ). For the first time, we give one necessary and sufficient condition for ( n , m ) -function reaching TO = m and completely characterize ( n , m ) -functions reaching TO = m for any n and m . We find that any ( n , 1 ) -function cannot reach TO = m for odd n . Based on the matrix product, the necessary conditions for ( n , m ) -function reaching ℳTO = m or ℛTO = m are given, respectively. Finally, it is proved that any balanced ( n , m ) -function cannot reach the upper bound on TO (or ℛTO , ℳTO ).

Keywords: (n, m)-functions; transparency order; redefined transparency order; modified transparency order

MSC 2010: 94C10; 94A60; 06E30

1 Introduction

( n , m )-function (also known as S-box) is one of the nonlinear components in block cipher, which plays an important role in the security of the algorithms. At present, more research is focused on the nonlinearity, balancedness, and the algebraic degree in S-box. However, with the in-depth study of differential power analysis (DPA) [1], some new indicators of S-box have been proposed, e.g., transparency order ( TO ) [2], redefined transparency order ( ℛTO ) [3], and modified transparency order ( ℳTO ) [4].

In 2005, based on the auto-correlation functions for ( n , m ) -functions, Prouff proposed the TO [2]. He gave some relationships between TO and nonlinearity or propagation criterion, and deduced 0 ≤ TO ≤ m . Finally, he proved that the bent function [5] can reach TO = m for even n and put up an open problem for odd n which kind of ( n , m ) -functions reaching TO = m . To solve this open problem, a kind of construction method was given in the study of Zhou et al. [6] if m is a power of 2, and the ( n , m ) -functions reaching the upper bound were found for odd n .

There are three main aspects to research TO . (1) Relationships between TO and other properties: Carlet [7,8] deduced a lower bound on TO for ( n , m ) -functions and gave a relationship between TO and the nonlinearity. (2) Fast calculating TO : Fan et al. [9] proposed a method for calculating TO . (3) Searching ( n , m ) -functions with better TO : Picek et al. [10] found Boolean functions with better TO . Mazumdar et al. searched some S-boxes with better TO in the study by Mazumdar et al. [11].

But in 2017, Chakraborty et al. [3] found some limitations of TO and proposed an ℛTO for ( n , m ) -functions and obtained some properties of ℛTO . If m = 1 , then an ( n , m ) -function also is an n -variable Boolean function. At this time, TO and ℛTO are the same. Wang and Stǎnicǎ [12] gave some upper bounds on ℛTO (or TO ) based on nonlinearity and the number of variables for n -variable Boolean functions, and obtained ℛTO (or, TO ) for rotation symmetric Boolean functions, the majority function, the hidden weighted bit function, and the Carlet-Feng function.

Recently, Li et al. [4] pointed out some flaws in ℛTO , and proposed ℳTO . A lower bound on ℳTO was obtained, and some distributions of ℳTO for optimal ( 4 , 4 ) S-boxes were calculated.

So far, few people studied the conditions on ( n , m ) -functions reaching TO = m , or ℛTO = m , or ℳTO = m . At present, only a kind of construction method [6] of ( n , m ) -function reaching TO = m was given for this open problem [2]; we do not know the general results for ( n , m ) -functions reaching the upper bound on TO , especially for balanced ( n , m ) -functions.

In this article, we focus on ( n , m ) -functions reaching TO = m , ℛTO = m , and ℳTO = m , respectively. One necessary and sufficient condition for ( n , m ) -functions reaching TO = m is given from the perspective of Hamming weight, and the condition fully characterizes TO = m for any ( n , m ) -function. From another point of view, it shows that we have completely characterized the open problem in [2]: is there an ( n , m ) -function reaching TO = m for odd n ? And we find that any ( n , 1 ) -function cannot reach TO = m for odd n . Then, we abstract this necessary condition as solving the quadratic equation and obtain the upper bound on the number of ( n , m ) -functions reaching TO = m for n ≤ 4 and m ≤ 4 . In the following, by analyzing ℛTO (or, ℳTO ), a necessary condition is given for any ( n , m ) -function reaching ℛTO = m (or, ℳTO = m ), and the result implies that there is no balanced ( n , m ) -function that reaching ℛTO = m or ℳTO = m .

This article is organized as follows. In Section 2, we introduce some basic concepts. In Section 3, we give one necessary and sufficient condition on ( n , m ) -functions reaching TO = m . In Section 4, some necessary conditions on ℛTO = m and ℳTO = m are given. Section 5 concludes this article.

2 Preliminaries

Let B n be the set of n -variable Boolean functions. If f ∈ B n , then f : F 2 n → F 2 . The support set of f is denoted by supp ( f ) = { ( x 1 , … , x n ) ∈ F 2 n ∣ f ( x 1 , … , x n ) = 1 } , then the Hamming weight of f is wt ( f ) = ∣ supp ( f ) ∣ . If wt ( f ) = 2 n − 1 , then f is balanced. Let 0 n (or, 1 n ) denote the zero (or, one) vector.

Let f , g ∈ B n . Then, the cross-correlation function is given by

△ f , g ( α ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) ⊕ g ( x ⊕ α ) , α ∈ F 2 n .

If f = g , then the auto-correlation function of f is given by

△ f ( α ) = ∑ x ∈ F 2 n ( − 1 ) f ( x ) ⊕ f ( x ⊕ α ) , α ∈ F 2 n .

Let F = ( f 1 , … , f m ) : F 2 n → F 2 m be an ( n , m ) -function, f i ∈ B n ( i = 1 , 2 , … , m ) . F is balanced if and only if all Boolean function v ⋅ F are balanced, v ∈ F 2 m * , where F 2 m * = F 2 m \ { 0 m } . Zhang and Pasalic [13] gave two methods of constructing highly nonlinear balanced S-boxes with good algebraic and differential properties.

In the following, we introduce three definitions of transparency order based on the auto-correlation and cross-correlation functions for ( n , m ) -functions.

In 2005, Prouff [2] introduced the concept of TO based on the auto-correlation function.

Definition 2.1

[2] Let F = ( f 1 , … , f m ) be an ( n , m ) -function. The TO is defined by

(1) TO ( F ) = max β ∈ F 2 m ∣ m − 2 wt ( β ) ∣ − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∣ ∑ i = 1 m ( − 1 ) β i △ f i ( a ) ∣ .

Later, Chakraborty et al. [3] redefined this definition ( ℛTO ) by using cross-correlation properties and Li et al. [4] modified ℛTO and gave a new definition of transparency order ( ℳTO ). For research convenience, we extend the original definitions ℛTO and ℳTO for balanced ( n , m ) -functions to any ( n , m ) -functions, and then obtain some necessary conditions on ℛTO = m and ℳTO = m for any ( n , m ) -functions, respectively. Finally, based on the aforementioned necessary conditions, we give mainly results about ℛTO = m and ℳTO = m for balanced ( n , m ) -functions.

Definition 2.2

[3] Let F = ( f 1 , … , f m ) be an ( n , m ) -function. The ℛTO order of F is defined by

(2) ℛTO ( F ) = max β ∈ F 2 m m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) .

Definition 2.3

[4] Let F = ( f 1 , … , f m ) be an ( n , m ) -function. The ℳTO of F is defined by

(3) ℳTO ( F ) = max β ∈ F 2 m m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) .

3 One necessary and sufficient condition on TO = m for ( n , m ) -functions

In this section, we give some properties of ( n , m ) -functions reaching TO = m , then we give one necessary and sufficient condition on TO ( F ) = m for ( n , m ) -functions F = ( f 1 , … , f m ) .

Theorem 3.1

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If TO ( F ) = m , then β = 0 m or 1 m in Definition 2.1.

Proof

Since TO ( F ) = m , there is a β ∈ F 2 m so that TO ( F ) = m . For the convenience of discussion, let β = ( β 1 , β 2 , … , β m ) and wt ( β ) = k ( 0 ≤ k ≤ m ) . According to Definition 2.1, we have

∣ m − 2 k ∣ − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ i = 1 m ( − 1 ) β i △ f i ( a ) = m ,

where k = wt ( β ) .

There are two cases:

Case one: m − 2 k ≥ 0 . We have

m − 2 k − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ i = 1 m ( − 1 ) β i △ f i ( a ) = m ,

i.e.,

∑ a ∈ F 2 n * ∑ i = 1 m ( − 1 ) β i △ f i ( a ) = − 2 k ( 2 2 n − 2 n ) ≥ 0 ,

which means that k = 0 . We have β = 0 m .

Case two: m − 2 k < 0 . We have

2 k − m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ i = 1 m ( − 1 ) β i △ f i ( a ) = m ,

i.e.,

∑ a ∈ F 2 n * ∑ i = 1 m ( − 1 ) β i △ f i ( a ) = 2 ( k − m ) ( 2 2 n − 2 n ) ≥ 0 ,

which means that k = m . We have β = 1 m .□

Theorem 3.1 implies that we only need to calculate TO ( F ) for β = 0 m or 1 m in Definition 2.1, i.e.,

TO ( F ) = m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ i = 1 m △ f i ( a )

but not all β ∈ F 2 m , if we want to know whether the transparent order of F reaches the upper bound m .

Theorem 3.2

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If TO ( F ) = m , then

∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = m ⋅ 2 n .

Proof

From Theorem 3.1, we have β = 0 m or 1 m in Definition 2.1. Whether β = 1 m or β = 0 m , there is

∑ a ∈ F 2 n * ∑ i = 1 m △ f i ( a ) = 0 .

Thus, for any a ∈ F 2 n * , we have

∣ △ f 1 ( a ) + △ f 2 ( a ) + … △ f m ( a ) ∣ = 0 ,

i.e., for any a ∈ F 2 n * , we have

△ f 1 ( a ) + △ f 2 ( a ) + … △ f m ( a ) = 0 .

Then,

∑ a ∈ F 2 n * △ f 1 ( a ) + ∑ a ∈ F 2 n * △ f 2 ( a ) + … ∑ a ∈ F 2 n * △ f m ( a ) = 0 .

But ∑ a ∈ F 2 n △ f ( a ) = [ 2 n − 2 wt ( f ) ] 2 and △ f ( 0 n ) = 2 n for any f ∈ B n . Thus,

[ 2 n − 2 wt ( f 1 ) ] 2 − 2 n + [ 2 n − 2 wt ( f 2 ) ] 2 − 2 n + … + [ 2 n − 2 wt ( f m ) ] 2 − 2 n = 0 .

We have

□ ∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = m ⋅ 2 n .

Theorem 3.3

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. TO ( F ) = m if and only if both of the following conditions satisfy:

β = 1 m or β = 0 m ;
∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = m ⋅ 2 n .

Proof

According to Theorem 3.1, Theorem 3.2, and Definition 2.1, it is easy to prove this result.□

Prouff [2] pointed out that only bent functions with even elements reaching the upper bound on TO , and make “whether there is an ( n , m ) -function reaching the upper bound on TO for odd n or not” as an open problem. Theorem 3.3 completely characterizes the conditions by the F reaching the upper bound on the TO from the perspective of the Hamming weight of the component functions, which gives the answer to the open problem from the perspective of the Hamming weight.

Remark 3.4

From Theorem 3.3, we can find that the ( n , m ) -function F = ( f 1 , … , f m ) reaching the upper bound on TO can be constructed from the Hamming weight of the component functions f i ( 1 ≤ i ≤ m ) .

(1) When n is even. If TO ( F ) = m . Suppose wt ( f i ) = 2 n − 1 ± 2 n ∕ 2 − 1 ( 1 ≤ i ≤ m ) , then

∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = m ⋅ 2 n .

Obviously, if f i ( 1 ≤ i ≤ m ) is a bent function, then TO = m .

From the aforementioned equation, we know that the component functions of F include not only all bent functions (this is consistent with the result given by Prouff in [2]), but also non-bent functions with Hamming weight of wt ( f i ) = 2 n − 1 ± 2 n ∕ 2 − 1 ( 1 ≤ i ≤ m ) (Theorem 1 in [6]).

(2) When n is odd. Let m = 2 k ( k odd, m ≤ n ), wt ( f m ) = 2 n − 1 ± 2 n − k 2 − 1 , and wt ( f i ) = 2 n − 1 for 1 ≤ i ≤ m − 1 . Then, we have TO ( F ) = m . This includes the component function corresponding to the construction method in the study of Zhou et al. [6].

Corollary 3.5

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If F is a balanced ( n , m ) -function, then TO ( F ) < m .

Proof

If F is a balanced ( n , m ) -function, then f i is a balanced Boolean function for 1 ≤ i ≤ m , i.e., wt ( f i ) = 2 n − 1 ( 1 ≤ i ≤ m ) . Thus,

∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = ∑ i = 1 m [ 2 n − 2 ⋅ 2 n − 1 ] 2 = 0 ≠ m ⋅ 2 n ,

i.e., TO ( F ) ≠ m , only TO ( F ) < m .□

Corollary 3.5 implies that there is no balanced ( n , m ) -function reaching the upper bound on TO .

Let a i = 2 n − 2 wt ( f i ) ( 1 ≤ i ≤ m ) , then ∑ i = 1 m [ 2 n − 2 wt ( f i ) ] 2 = m ⋅ 2 n can be simplified to

(4) a 1 2 + a 2 2 + … + a m 2 = m ⋅ 2 n .

When n and m are given, if Eq. (4) has a solution ( a 1 , a 2 , … , a m ) , TO ( F ) may reach m . On the contrary, if Eq. (4) has no solution, TO ( F ) must be less than m .

For odd n and m = 1 , we have Theorem 3.6.

Theorem 3.6

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If n is an odd number and m = 1 , then TO ( F ) < m .

Proof

In terms of the aforementioned analysis, if m = 1 , then Eq. (4) is a 1 2 = m ⋅ 2 n = 2 n . Thus, a 1 has no solution in Z . This implies TO ( F ) ≠ m , i.e., TO ( F ) < m .□

When n is large, the number of solutions ( a 1 , a 2 , … , a m ) of Eq. (4) is very much. So we give the upper bound on the number of ( n , m ) -functions with TO = m for n = 4 and m ≤ 4 (Theorem 3.7 and Corollary 3.8).

Theorem 3.7

The number ( N ( 4 , 4 ) ) of ( 4 , 4 ) -functions F = ( f 1 , f 2 , f 3 , f 4 ) reaching TO ( F ) = 4 satify

896 4 4 ≤ N ( 4 , 4 ) ≤ 16 16 6 4 + 8 16 4 16 8 3 .

Proof

(1) At first, we give the upper bound on N ( 4 , 4 ) .

Because n = 4 and m = 4 , Eq. (4) is

a 1 2 + a 2 2 + a 3 2 + a 4 2 = 4 ⋅ 2 4 = 64 .

All solutions can be found by computer programming:

(0, 0, 0, ± 8);
(0, 0, ± 8, 0);
(0, ± 8, 0, 0);
( ± 8, 0, 0, 0);
( ± 4, ± 4, ± 4, ± 4).

The following analysis obtains the number of corresponding ( n , m ) -functions. We will discuss it in two cases:

Case one: ( a 1 , a 2 , a 3 , a 4 ) = ( 0 , 0 , 0 , ± 8 ) .

a 1 = 0 means 2 n − 2 wt ( f 1 ) = 0 , i.e., wt ( f 1 ) = 2 4 − 1 = 8 . Since the number of Boolean functions satisfying wt ( f ) = k is 2 n k for any f ∈ B n . Thus, we know that the number of f 1 is 2 4 2 4 − 1 = 16 8 . By the same method, the number of f 2 is also 16 8 and the number of f 3 is also 16 8 .

a 4 = ± 8 means 2 n − 2 wt ( f 1 ) = ± 8 , i.e., wt ( f 4 ) = 2 4 − 1 ± 4 = 12 or 4. Since wt ( f 4 ) = 12 , the number of f 4 is 16 12 , and if wt ( f 4 ) = 4 , the number of f 4 is 16 4 .

Thus, the upper bound on the number of ( 4 , 4 ) -functions is

16 8 3 16 4 + 16 12 = 2 16 4 16 8 3 .

Furthermore, the upper bound on the number of ( 4 , 4 ) -functions corresponding to four solutions (including (a), (b), (c), and (d)) is

4 2 16 4 16 8 3 = 8 16 4 16 8 3 .

Case two: ( a 1 , a 2 , a 3 , a 4 ) = ( ± 4 , ± 4 , ± 4 , ± 4 ) .

a 1 = ± 4 means 2 n − 2 wt ( f 1 ) = ± 4 , i.e., wt ( f 1 ) = 2 4 − 1 ± 2 = 10 or 6. Thus, we know that the number of f 1 is 16 10 + 16 6 .

Thus, the upper bound on the number of ( 4 , 4 ) -functions is

16 10 + 16 6 4 .

Combined with the aforementioned two cases, the total number is

N ( 4 , 4 ) ≤ 16 10 + 16 6 4 + 8 16 4 16 8 3 = 16 16 6 4 + 8 16 4 16 8 3 .

(2) In the following, we give the lower bound on N ( 4 , 4 ) . If every f i is a bent function for 1 ≤ i ≤ 4 , then TO ( F ) = 4 . Note that the number of 4-variable bent functions is 896 [5,8], thus the lower bound on N ( 4 , 4 ) is 896 4 4 .□

Because the solutions of a 1 2 + a 2 2 + a 3 2 = 3 ⋅ 2 4 = 48 are ( ± 4, ± 4, ± 4), the solutions of a 1 2 + a 2 2 = 2 ⋅ 2 4 = 32 are ( ± 4, ± 4), and the solutions of a 1 2 = 1 ⋅ 2 4 = 16 are ± 4. Based on the same method as Theorem 4, it can be seen that:

Corollary 3.8

The number ( N ( 4 , 3 ) ) of ( 4 , 3 ) -functions F = ( f 1 , f 2 , f 3 ) reaching TO ( F ) = 3 is N ( 4 , 3 ) ≤ 8 16 6 3 .
The number ( N ( 4 , 2 ) ) of ( 4 , 2 ) -functions F = ( f 1 , f 2 ) reaching TO ( F ) = 2 is N ( 4 , 3 ) ≤ 4 16 6 2 .
The number ( N ( 4 , 1 ) ) of ( 4 , 1 ) -functions F = ( f 1 ) reaching TO ( F ) = 1 is N ( 4 , 3 ) ≤ 2 16 6 .

4 Necessary conditions of ℛTO = m and ℳTO = m for ( n , m ) -functions

At first, we give two lemmas by some simply analysis.

Lemma 4.1

Let β = ( β 1 , β 2 , … , β m ) ∈ F 2 m and β i , j = ( − 1 ) β i ⊕ β j ( 1 ≤ i , j ≤ m ) . Then,

B m × m = β 1 , 1 β 2 , 1 ⋯ β m , 1 β 1 , 2 β 2 , 2 ⋯ β m , 2 ⋯ ⋯ ⋯ ⋯ β 1 , m β 2 , m ⋯ β m , m

satisfies:

( β 1 , i , β 2 , i , … , β m , i ) = ( − 1 ) ⋅ ( β 1 , j , β 2 , j , … , β m , j ) if β i = 1 and β j = 0 , for 1 ≤ i ≠ j ≤ m .
β i , j = β j , i , for 1 ≤ i ≠ j ≤ m .
β i , i = 1 , for 1 ≤ i ≤ m .

Lemma 4.2

Let F = ( f 1 , … , f m ) be an ( n , m ) -function and a i , j = [ 2 n − 2 wt ( f i ) ] [ 2 n − 2 w t ( f j ) ] − [ 2 n − 2 wt ( f i ⊕ f j ) ] ( 1 ≤ i , j ≤ m ) . Then,

A m × m = a 1 , 1 a 1 , 2 ⋯ a 1 , m a 2 , 1 a 2 , 2 ⋯ a 2 , m ⋯ ⋯ ⋯ ⋯ a m , 1 a m , 2 ⋯ a m , m

satisfies:

a i , i = [ 2 n − 2 wt ( f i ) ] 2 − 2 n , for 1 ≤ i ≤ m .
a i , j = a j , i , for 1 ≤ i ≠ j ≤ m .

For any ( n , m ) -function F , we know 0 ≤ ℛTO ( F ) ≤ m [6] and 0 ≤ ℳTO ( F ) ≤ m [4]. In the following, we focus on ℛTO ( F ) = m and ℳTO ( F ) = m .

Theorem 4.3

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If ℛTO ( F ) = m , then there is a β = ( β 1 , β 2 , … , β m ) ∈ F 2 m that makes B m × m ⋅ A m × m = 0 m × m .

Proof

According to Definition 2.2, if ℛTO ( F ) = m , then

m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = m ,

i.e.,

∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = 0 .

Thus, for any a ∈ F 2 n * , we have

∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = 0 .

Furthermore,

∑ i = 1 m ( − 1 ) β i ⊕ β 1 △ f i , f 1 ( a ) + ∑ i = 1 m ( − 1 ) β i ⊕ β 2 △ f i , f 2 ( a ) + … + ∑ i = 1 m ( − 1 ) β i ⊕ β m △ f i , f m ( a ) = 0 .

It can be written in the form of equations:

∑ i = 1 m ( − 1 ) β i ⊕ β 1 △ f i , f 1 ( a ) = 0 ,

∑ i = 1 m ( − 1 ) β i ⊕ β 2 △ f i , f 2 ( a ) = 0 ,

⋯

∑ i = 1 m ( − 1 ) β i ⊕ β m △ f i , f m ( a ) = 0 .

For the first equation, for any a ∈ F 2 n * , we obtain

( − 1 ) β 1 ⊕ β 1 △ f 1 , f 1 ( a ) + ( − 1 ) β 2 ⊕ β 1 △ f 2 , f 1 ( a ) + … + ( − 1 ) β m ⊕ β 1 △ f m , f 1 ( a ) = 0 .

Note that ∑ a ∈ F 2 n △ f , g ( a ) = [ 2 n − 2 wt ( f ) ] [ 2 n − 2 wt ( g ) ] and △ f , g ( 0 n ) = 2 n , for any f , g ∈ B n .

Thus,

( − 1 ) β 1 ⊕ β 1 ∑ a ∈ F 2 n * △ f 1 , f 1 ( a ) + ( − 1 ) β 2 ⊕ β 1 ∑ a ∈ F 2 n * △ f 2 , f 1 ( a ) + … + ( − 1 ) β m ⊕ β 1 ∑ a ∈ F 2 n * △ f m , f 1 ( a ) = 0 .

We have

( − 1 ) β 1 ⊕ β 1 [ [ 2 n − 2 wt ( f 1 ) ] [ 2 n − 2 wt ( f 1 ) ] − [ 2 n − 2 wt ( f 1 ⊕ f 1 ) ] ] + ( − 1 ) β 2 ⊕ β 1 [ [ 2 n − 2 wt ( f 2 ) ] [ 2 n − 2 wt ( f 1 ) ] − [ 2 n − 2 wt ( f 2 ⊕ f 1 ) ] ] + … + ( − 1 ) β m ⊕ β 1 [ [ 2 n − 2 wt ( f m ) ] [ 2 n − 2 wt ( f 1 ) ] − [ 2 n − 2 wt ( f m ⊕ f 1 ) ] ] = 0 ,

i.e.,

β 1 , 1 a 1 , 1 + β 2 , 1 a 2 , 1 + … + β m , 1 a m , 1 = 0 .

By the same method, we can obtain the following equations:

β 1 , 2 a 1 , 2 + β 2 , 2 a 2 , 2 + … + β m , 2 a m , 2 = 0 ,

⋯

β 1 , m a 1 , m + β 2 , m a 2 , m + … + β m , m a m , m = 0 .

Based on the aforementioned equations, we have B m × m ⋅ A m × m = 0 m × m .□

In the following, we obtain give ℛTO ( F ) < m if F is a balanced function.

Corollary 4.4

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If F is a balanced function, then ℛTO ( F ) < m .

Proof

Because F is a balanced function, f i and f k ⊕ f l are the balanced Boolean functions for any 1 ≤ i , k ≠ l ≤ m . Thus,

a i j = 0 , 1 ≤ i ≠ j ≤ m ; − 2 n , 1 ≤ i = j ≤ m .

We have A m × m = − 2 n I m × m ( I m × m is the identity matrix).

Because for every β ∈ F 2 n , the diagonal elements of B are always 1 from Lemma 1, so the diagonal elements of B ⋅ A are − 2 n , not 0, so ℛTO ( F ) ≠ m , i.e., ℛTO ( F ) < m .□

Corollary 4.4 implies that there is no balanced ( n , m ) -function reaching the upper bound on ℛTO .

Theorem 4.5

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If ℳTO ( F ) = m , then there is a β = ( β 1 , β 2 , … , β m ) ∈ F 2 m that makes ∑ i = 1 m c i , i = 0 , where c i , i is the diagonal elements of B ⋅ A.

Proof

According to Definition 2.3, if ℳTO ( F ) = m , then

m − 1 2 2 n − 2 n ∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = m ,

i.e.,

∑ a ∈ F 2 n * ∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = 0 .

Thus, for any a ∈ F 2 n * , we have

∑ j = 1 m ∑ i = 1 m ( − 1 ) β i ⊕ β j △ f i , f j ( a ) = 0 .

Furthermore,

∑ i = 1 m ( − 1 ) β i ⊕ β 1 △ f i , f 1 ( a ) + ∑ i = 1 m ( − 1 ) β i ⊕ β 2 △ f i , f 2 ( a ) + … + ∑ i = 1 m ( − 1 ) β i ⊕ β m △ f i , f m ( a ) = 0 .

It can be written in the form of equations:

∑ i = 1 m ( − 1 ) β i ⊕ β 1 △ f i , f 1 ( a ) + ∑ i = 1 m ( − 1 ) β i ⊕ β 2 △ f i , f 2 ( a ) + … + ∑ i = 1 m ( − 1 ) β i ⊕ β m △ f i , f m ( a ) = 0 .

Thus,

∑ i = 1 m ( − 1 ) β i ⊕ β 1 ∑ a ∈ F 2 n * △ f i , f 1 ( a ) + ∑ i = 1 m ( − 1 ) β i ⊕ β 2 ∑ a ∈ F 2 n * △ f i , f 2 ( a ) + … + ∑ i = 1 m ( − 1 ) β i ⊕ β m ∑ a ∈ F 2 n * △ f i , f m ( a ) = 0 .

Since ∑ a ∈ F 2 n △ f , g ( a ) = [ 2 n − 2 wt ( f ) ] [ 2 n − 2 wt ( g ) ] and △ f , g ( 0 n ) = 2 n for any f , g ∈ B n , we have

∑ i = 1 m [ β i , 1 a i , 1 + β i , 2 a i , 2 + … + β i , m a i , m ] = 0 .

By the same method, we can obtain the following equations:

0 = β 1 , 1 a 1 , 1 + β 2 , 1 a 2 , 1 + … + β m , 1 a m , 1 + β 1 , 2 a 1 , 2 + β 2 , 2 a 2 , 2 + … + β m , 2 a m , 2 + … + β 1 , m a 1 , m + β 2 , m a 2 , m + … + β m , m a m , m .

From B ⋅ A , we know the aforementioned equation implies that the sum of the diagonal elements c i , i ( i = 1 , 2 , … , m ) of B ⋅ A is 0, i.e., c 1 , 1 + c 2 , 2 + … + c m , m = 0 , where c 1 , 1 = β 1 , 1 a 1 , 1 + β 2 , 1 a 2 , 1 + … + β m , 1 a m , 1 , c 2 , 2 , = β 1 , 2 a 1 , 2 + β 2 , 2 a 2 , 2 + … + β m , 2 a m , 2 , …, c m , m = β 1 , m a 1 , m + β 2 , m a 2 , m + … + β m , m a m , m .□

Based on Theorem 4.5, we have Corollary 4.6.

Corollary 4.6

Let F = ( f 1 , … , f m ) be an ( n , m ) -function. If F is a balanced function, then ℳTO ( F ) < m .

Proof

Based on proof of Corollary 4.4, we have c 1 , 1 + c 2 , 2 + … + c m , m = − m ⋅ 2 n ≠ 0 , so ℳTO ( F ) ≠ m , i.e., ℳTO ( F ) < m .□

5 Conclusion

In this paper, we focus on three upper bounds on TO for ( n , m ) -functions. We systematically give one necessary and sufficient condition for ( n , m ) -functions reaching TO = m and find that a class of ( n , 1 ) -functions cannot reach the upper bound for odd n . And we obtain some necessary conditions on ℛTO = m and ℳTO = m . These results enrich and perfect the study of the upper bound on transparent order for ( n , m ) -functions, and we hope that these theoretical results will help to design ( n , m ) -functions with better cryptographic properties.

Acknowledgements

The authors wish to thank the anonymous referees for their valuable comments to improve the presentation of this article.

Funding information: This work was supported in part by the Sichuan Science and Technology Program (Nos. 2020JDJQ0076, 2022JDRC0061).
Author contributions: Zhou Yu put up idea, and prove Theorem 3.1, Theorem 3.2, Theorem 3.3, Corollary 3.5, Theorem 3.6 and Theorem 3.7; Wu You prove Corollary 3.5 and Corollary 3.8; Shen Bing and Wang Jinbo prove Theorm 4.3, Corollary 4.4 and Theorem 4.5; Zhou Yu, Cheng Rong and Wu You edit paper by Latex. All authors check this paper.
Conflict of interest: The authors state no conflict of interest.

References

[1] Kocher P, Jaffe J, Jun B. Differential power analysis. In Wiener M, editor, Advances in Cryptology – CRYPTO’ 99. Berlin Heidelberg: Springer; 2009. p. 388–97. 10.1007/3-540-48405-1_25Search in Google Scholar

[2] Prouff E. DPA attacks and S-boxes. In: Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21–23, Revised Selected Papers. 2005. p. 424–41. 10.1007/11502760_29Search in Google Scholar

[3] Chakraborty K, Sarkar S, Maitra S, Mazumdar B, Mukhopadhyay D, Prouff E. Redefining the transparency order. Designs Codes Cryptography. 2017;82(1–2):95–115. 10.1007/s10623-016-0250-3Search in Google Scholar

[4] Li H, Zhou Y, Ming J, Yang G, Jin C. The notion of transparency order, revisited. Comput J. 2020;63(12):1915–38. 10.1093/comjnl/bxaa069Search in Google Scholar

[5] Rothaus OS. On bent functions. J Combinat Theory A. 1976;20:300–5. 10.1016/0097-3165(76)90024-8Search in Google Scholar

[6] Zhou Y, Wei Y, Zhang H, Li L, Pasalic, Wu W. On characterization of transparency order for (n, m)-functions, Inscrypt 2021. Yung YM. (Eds.), LNCS 13007; 2021. p. 351–70. 10.1007/978-3-030-88323-2_19Search in Google Scholar

[7] Carlet C. On highly nonlinear S-boxes and their inability to Thwart DPA attacks. INDOCRYPT, LNCS. 3797; 2005. p. 49–62. 10.1007/11596219_5Search in Google Scholar

[8] Carlet C. Boolean Functions for Cryptography and Coding Theory. New York: Cambridge University Press; 2020. 10.1017/9781108606806Search in Google Scholar

[9] Fan L, Zhou Y, Feng D. A fast implementation of computing the transparency order of S-Boxes. The 9th International Conference of Young Computer Scientists, 2008, ICYCS 2008. IEEE; 2008. p. 206–11. 10.1109/ICYCS.2008.302Search in Google Scholar

[10] Picek S, Batina L, Jakobovic D. Evolving DPA-resistant Boolean functions. International Conference on Parallel Problem Solving from Nature’ 2014. Springer-Verlag. LNCS 8672; 2014. p. 812–21. 10.1007/978-3-319-10762-2_80Search in Google Scholar

[11] Mazumdar B, Nyjgioadgtat D, Sengupta I. Constrained search for a class of good bijective S-boxes with improved DPA resistivity. IEEE Trans Inform Forensics Security. 2013;8(12):2154–63. 10.1109/TIFS.2013.2285522Search in Google Scholar

[12] Wang Q, Stǎnicǎ P. Transparency order for Boolean functions: analysis and construction. Designs Codes Cryptography. 2019;87(9):2043–59. 10.1007/s10623-019-00604-1Search in Google Scholar

[13] Zhang W, Pasalic E. Highly nonlinear balanced S-boxes with good differential properties. IEEE Trans Inform Theory. 2014;60(12):7970–9. 10.1109/TIT.2014.2360880Search in Google Scholar

Received: 2023-12-23

Revised: 2024-05-10

Accepted: 2024-05-13

Published Online: 2024-07-09

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

https://doi.org/10.1515/jmc-2023-0040

Keywords for this article

(n, m)-functions; transparency order; redefined transparency order; modified transparency order

Creative Commons

BY 4.0