Previous optimisation approaches to evolving Boolean functions with desirable cryptographic properties have been generalised to the multiple output case. Millan has compared random generation and hill-climbing as means of evolving highly nonlinear bijective S-boxes [79]. Burnett et al. have investigated the use of genetic algorithms and hill-climbing to evolve regular S-boxes [80]. Both high nonlinearity and low autocorrelation were targets. The fitness and cost measures for an S-box were the nonlinearity and autocorrelation values of that S-box. These measures are clearly ‘direct’. Since spectrum-based approaches generated interesting results for the single-output case, an obvious question to pose is ‘Can the spectrum-based approaches be generalised to allow S-boxes to be evolved with desirable properties?’ This is investigated below.
3.8.1 Spectrum-based Cost Functions for S-boxes
The work so far is easily generalised. If
is an input output S-box then each
defines a function that is a linear combination
of the outputs of . This is given by
(3.19)
For each such function the Walsh-Hadamard values
and autocorrelation values
are defined in the usual way. Two cost functions can now be defined for use in S-box evolution. A cost function based on Walsh-Hadamard spectra is given by (3.20) and a similar cost function based on autocorrelation spectra is given by
(3.21)
The single output cost functions have been applied to each function defined as a linear combination of the outputs and the results summed over all such combinations.
       Millan [79]     Annealing
n      Rnd     HC      SA      AC SA
5      8       10      10      16
6      20      20      22      32
7      44      46      48      48
8      98      100     102     80
Table 3.18: Summary Results for Bijective n
3.8.2 Experiments and Results
Table 3.18 records the best nonlinearity values achieved in Millan’s experiments comparing the ability of random search and hill-climbing to evolve
by
, by , by and by bijective S-boxes. The cost functions defined by Equations 3.20 and 3.21 have been used to evolve S-boxes of similar dimensions. At the end of each run hill-climbing was carried out with respect to nonlinearity and autocorrelation respectively. The approaches thus mirror those of Section 3.4.
runs were carried out for each value of in the set
B CB .
was used throughout. Table 3.18 records the best joint values of nonlinearity and autocorrelation achieved by either technique (i.e. functions were generated which possessed both the indicated nonlinearity value and the indicated autocorrelation value).
The results for the bijective S-boxes are not optimal. 6 by 6 boxes with nonlinearity of 24 have been provided by construction but they seem quite rare (Millan [79] attempted one million random generation and hill-climbing attempts and found only a nonlinearity of 20). Deriving bijective S-boxes is not an easy task for annealing. As increases the number of derived linear combinations to check doubles. An 8 by 8 bijective S-box with the parameter values shown takes about 20 minutes on a 1.4 GHz Pentium PC. However, again this is not easy. Only one (104,80) function was generated from 200 runs. Similarly, for n=7 only one (48,48) function was generated. Does this matter? We shall address this issue below.
Burnett et al. applied genetic algorithms followed by hill-climbing to evolve by regular S-boxes (for ). Table 3.19 records the best nonlinearity and autocorrelation values achieved (individually). The new cost functions were again used to evolve regular S-boxes of similar dimensions (with and the same range of as before). Table 3.18 records the best joint values of nonlinearity and autocorrelation achieved by each technique. Burnett et al. presented their results as their ‘current conjectures for the achievable bounds’. The results of applying the annealing-based approaches with the new cost functions are fairly dramatic (the hill-climbing second stage with respect to nonlinearity or autocorrelation rarely improves matters). As increases the same general patterns of declining nonlinearity and increasing autocorrelation are witnessed as by Burnett et al. However, the new cost functions and annealing-based searches have found functions that simultaneously improve nonlinearity and autocorrelation. Most typically, for the best functions, nonlinearity is 4 higher and autocorrelation is 16 lower.

           Burnett et al. [80]                  Spectrum Based
           Nonlinearity     Autocorrelation     Joint (d,nl,ac)
n    m     Rnd     GAs      Rnd     GAs         SNLT           SACT
8    2     108     110      56      48          (7,114,32)     (7,114,32)
8    3     106     108      64      56          (7,112,40)     (7,112,40)
8    4     104     106      72      64          (7,110,56)     (7,110,48)
8    5     102     104      72      72          (7,108,64)     (7,108,56)
8    6     100     104      80      80          (7,106,64)     (7,106,64)
8    7     98      102      80      80          (7,104,80)     (7,104,72)

Table 3.19: Nonlinearity and Autocorrelation Values Achieved for 8 by m S-boxes
Comparison with theoretical approaches is difficult. On specific criteria it is clear that the derived S-boxes are not optimal. Nyberg, for example, has demonstrated by S-boxes with nonlinearity 112. For present purposes we note that spectrum-based cost functions have promise and have provided improvements on previous optimisation-based work.
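Added example (not from the thesis or its authors): Python code for the measures discussed in Sections 3.8.1 and 3.8.2. For every nonzero linear combination of the S-box outputs it computes the Walsh-Hadamard and autocorrelation spectra, then returns the S-box nonlinearity, the S-box autocorrelation and a summed spectrum cost. The function names, the sample S-box (field inversion in GF(2^8) with the AES polynomial), the cost form "sum of ||F(w)| - X|^R" and the X and R values are assumptions of this example; Equations 3.20 and 3.21 are not reproduced on this page.

```python
# Added example (not from the thesis): direct and spectrum-based measures of an
# n-by-m S-box, taken over every nonzero linear combination of its output bits.

def gf256_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8); the AES reduction polynomial is an assumed choice."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def inversion_sbox():
    """8 by 8 bijective S-box x -> x^254 (field inversion, with 0 -> 0)."""
    box = []
    for x in range(256):
        y = 1
        for _ in range(254):
            y = gf256_mul(y, x)
        box.append(y)
    return box

def wht(v):
    """Fast Walsh-Hadamard transform of a length-2^n list (returns a new list)."""
    v, h = list(v), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def sbox_measures(sbox, n, m, X=0, R=3):
    """Return (nonlinearity, autocorrelation, cost); X and R are assumed values."""
    size, max_wh, max_ac, cost = 1 << n, 0, 0, 0
    for beta in range(1, 1 << m):                  # each nonzero output mask
        polar = [1 - 2 * (bin(beta & y).count("1") & 1) for y in sbox]
        F = wht(polar)                             # Walsh-Hadamard spectrum
        r = [c // size for c in wht([w * w for w in F])]  # autocorrelation
        max_wh = max(max_wh, max(abs(w) for w in F))
        max_ac = max(max_ac, max(abs(c) for c in r[1:]))  # skip shift s = 0
        cost += sum(abs(abs(w) - X) ** R for w in F)      # assumed cost form
    return (size - max_wh) // 2, max_ac, cost
```

Calling `sbox_measures(inversion_sbox(), 8, 8)` gives nonlinearity 112 and autocorrelation 32, while the identity mapping `list(range(256))` gives 0 and 256.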
There appears to be a growing interest in injective S-boxes where is greater than . For example, Youssef and Tavares have proposed constructions for by