Covering Radius of the (n-3)-rd Order Reed-Muller Code in the Set of Resilient Functions

INTRODUCTION In an important class of stream ciphers, called combination generators, the key stream is produced by combining the outputs of several independent Linear Feedback Shift Register (LFSR) sequences with a nonlinear Boolean function. Siegenthaler [12] was the first to point out that the combining function should possess certain properties in order to resist divide-and-conquer attacks.A Boolean function to be used in the combination generator (or more general also in stream ciphers) should satisfy several properties. Balancedness – the Boolean function has to output zeros and ones with equal probabilities. High nonlinearity-the Boolean function has to be at sufficiently high distance from any affine function. Correlation-immunity (of order t)-the output of the function should be statistically independent of the combination of any t of its inputs. A balanced correlation-immune function is called resilient. Besides the divide-and-conquer attacks, another important class of attacks on combination generators are the algebraic attacks [4, 5]. The central idea in the algebraic attacks is to use a lower degree approximation of the combining Boolean function and then to solve an over-defined system of nonlinear multivariate equations of low degree by efficient methods such as XL or simple linearization [3]. In order to resist these attacks, the Boolean function should have not only a a high algebraic degree but also a high distance to lower order degree functions. The trade-off between resiliency and algebraic degree is well-known. To achieve the desired trade-off designers typically fix one or two parameters and try to optimize the others. In this paper, we investigate the generalization of the trade-off between re-siliency and algebraic degree. In particular, we study the relation between re-siliency and distance to lower order degree functions. In order to define a the-oretic model for combining these properties, Kurosawa et al. [6] have introduced a new covering radiusˆ(t, r, n), which measures the maximum distance between t-resilient functions and r-th degree functions or the r-th order Reed-Muller code RM (r, n). That isˆ(t, r, n) = max d(f (x), RM (r, n)), where the maximum is taken over the set R t,n of t-resilient Boolean functions of n variables. Note that as the covering radius of Reed-Muller codes is defined by (r, n) = max d(f, RM (r, n)) where the maximum is taken over all Boolean functions f , it holds that 0 ≤ ˆ (t, r, n) ≤ (r, n). Kurosawa et al. also provide a …