Tools in analyzing linear approximation for boolean functions related to FLIP

Abstract

For cryptographic purposes, we generally study the characteristics of a Boolean function in n-variables with the inherent assumption that each of the n-bit inputs take the value 0 or 1, independently and randomly with probability 1 / 2. However, in the context of the FLIP stream cipher proposed by Méaux et al. (Eurocrypt 2016), this type of analysis warrants a different approach. To this end, Carlet et al. (IACR Trans. Symm. Crypto. 2018) recently presented a detailed analysis of Boolean functions with restricted inputs (mostly considering inputs with weight (Formula Presented)) and provided certain bounds on linear approximation, which are related to restricted nonlinearity. The Boolean function used in the FLIP cipher reveals that it is actually a direct sum of several Boolean functions on a small number of inputs. Thus, with a different approach, we start a study in order to understand how the inputs to the composite function are distributed on the smaller functions. In this direction, we obtain several results that summarize the exact biases related to such Boolean functions. Finally, for the nonlinear filter function of FLIP, we obtain the lower bound on the restricted Walsh–Hadamard transform (i.e., upper bound on restricted nonlinearity). Our techniques provide a general theoretical framework to study such functions and better than previously published estimations of the biases, which is directly linked to the security parameters of the stream cipher.